1 files changed, 27 insertions, 0 deletions
diff --git a/meta/classes-global/sanity.bbclass b/meta/classes-global/sanity.bbclass
index 180c6b77d8..72dab0fea2 100644
--- a/meta/classes-global/sanity.bbclass
+++ b/meta/classes-global/sanity.bbclass
@@ -475,6 +475,29 @@ def check_wsl(d):
            bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")
    return None
+def check_userns():
+    """
+    Check that user namespaces are functional, as they're used for network isolation.
+    """
+    # There is a known failure case with AppAmrmor where the unshare() call
+    # succeeds (at which point the uid is nobody) but writing to the uid_map
+    # fails (so the uid isn't reset back to the user's uid). We can detect this.
+    parentuid = os.getuid()
+    pid = os.fork()
+    if not pid:
+        try:
+            bb.utils.disable_network()
+        except:
+            pass
+        os._exit(parentuid != os.getuid())
+    ret = os.waitpid(pid, 0)[1]
+    if ret:
+        bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n"
+                 "See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.")
 # Require at least gcc version 8.0
 #
 # This can be fixed on CentOS-7 with devtoolset-6+
@@ -495,12 +518,15 @@ def check_gcc_version(sanity_data):
 # Tar version 1.24 and onwards handle overwriting symlinks correctly
 # but earlier versions do not; this needs to work properly for sstate
 # Version 1.28 is needed so opkg-build works correctly when reproducible builds are enabled
+# Gtar is assumed at to be used as tar in poky
 def check_tar_version(sanity_data):
    import subprocess
    try:
        result = subprocess.check_output(["tar", "--version"], stderr=subprocess.STDOUT).decode('utf-8')
    except subprocess.CalledProcessError as e:
        return "Unable to execute tar --version, exit code %d\n%s\n" % (e.returncode, e.output)
+    if not "GNU" in result:
+        return "Your version of tar is not gtar. Please install gtar (you could use the project's buildtools-tarball from our last release or use scripts/install-buildtools).\n"
    version = result.split()[3]
    if bb.utils.vercmp_string_op(version, "1.28", "<"):
        return "Your version of tar is older than 1.28 and does not have the support needed to enable reproducible builds. Please install a newer version of tar (you could use the project's buildtools-tarball from our last release or use scripts/install-buildtools).\n"
@@ -638,6 +664,7 @@ def check_sanity_version_change(status, d):
    status.addresult(check_git_version(d))
    status.addresult(check_perl_modules(d))
    status.addresult(check_wsl(d))
+    status.addresult(check_userns())
    missing = ""

diff --git a/meta/classes-global/sanity.bbclass b/meta/classes-global/sanity.bbclass index 180c6b77d8..72dab0fea2 100644 --- a/meta/classes-global/sanity.bbclass +++ b/meta/classes-global/sanity.bbclass
@@ -475,6 +475,29 @@ def check_wsl(d):
475	bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")	475	bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")
476	return None	476	return None
477		477
		478	def check_userns():
		479	"""
		480	Check that user namespaces are functional, as they're used for network isolation.
		481	"""
		482
		483	# There is a known failure case with AppAmrmor where the unshare() call
		484	# succeeds (at which point the uid is nobody) but writing to the uid_map
		485	# fails (so the uid isn't reset back to the user's uid). We can detect this.
		486	parentuid = os.getuid()
		487	pid = os.fork()
		488	if not pid:
		489	try:
		490	bb.utils.disable_network()
		491	except:
		492	pass
		493	os._exit(parentuid != os.getuid())
		494
		495	ret = os.waitpid(pid, 0)[1]
		496	if ret:
		497	bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n"
		498	"See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.")
		499
		500
478	# Require at least gcc version 8.0	501	# Require at least gcc version 8.0
479	#	502	#
480	# This can be fixed on CentOS-7 with devtoolset-6+	503	# This can be fixed on CentOS-7 with devtoolset-6+
@@ -495,12 +518,15 @@ def check_gcc_version(sanity_data):
495	# Tar version 1.24 and onwards handle overwriting symlinks correctly	518	# Tar version 1.24 and onwards handle overwriting symlinks correctly
496	# but earlier versions do not; this needs to work properly for sstate	519	# but earlier versions do not; this needs to work properly for sstate
497	# Version 1.28 is needed so opkg-build works correctly when reproducible builds are enabled	520	# Version 1.28 is needed so opkg-build works correctly when reproducible builds are enabled
		521	# Gtar is assumed at to be used as tar in poky
498	def check_tar_version(sanity_data):	522	def check_tar_version(sanity_data):
499	import subprocess	523	import subprocess
500	try:	524	try:
501	result = subprocess.check_output(["tar", "--version"], stderr=subprocess.STDOUT).decode('utf-8')	525	result = subprocess.check_output(["tar", "--version"], stderr=subprocess.STDOUT).decode('utf-8')
502	except subprocess.CalledProcessError as e:	526	except subprocess.CalledProcessError as e:
503	return "Unable to execute tar --version, exit code %d\n%s\n" % (e.returncode, e.output)	527	return "Unable to execute tar --version, exit code %d\n%s\n" % (e.returncode, e.output)
		528	if not "GNU" in result:
		529	return "Your version of tar is not gtar. Please install gtar (you could use the project's buildtools-tarball from our last release or use scripts/install-buildtools).\n"
504	version = result.split()[3]	530	version = result.split()[3]
505	if bb.utils.vercmp_string_op(version, "1.28", "<"):	531	if bb.utils.vercmp_string_op(version, "1.28", "<"):
506	return "Your version of tar is older than 1.28 and does not have the support needed to enable reproducible builds. Please install a newer version of tar (you could use the project's buildtools-tarball from our last release or use scripts/install-buildtools).\n"	532	return "Your version of tar is older than 1.28 and does not have the support needed to enable reproducible builds. Please install a newer version of tar (you could use the project's buildtools-tarball from our last release or use scripts/install-buildtools).\n"
@@ -638,6 +664,7 @@ def check_sanity_version_change(status, d):
638	status.addresult(check_git_version(d))	664	status.addresult(check_git_version(d))
639	status.addresult(check_perl_modules(d))	665	status.addresult(check_perl_modules(d))
640	status.addresult(check_wsl(d))	666	status.addresult(check_wsl(d))
		667	status.addresult(check_userns())
641		668
642	missing = ""	669	missing = ""
643		670