1 files changed, 24 insertions, 0 deletions
diff --git a/meta/classes-global/sanity.bbclass b/meta/classes-global/sanity.bbclass
index 1d242f0f0a..72dab0fea2 100644
--- a/meta/classes-global/sanity.bbclass
+++ b/meta/classes-global/sanity.bbclass
@@ -475,6 +475,29 @@ def check_wsl(d):
            bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")
    return None
+def check_userns():
+    """
+    Check that user namespaces are functional, as they're used for network isolation.
+    """
+    # There is a known failure case with AppAmrmor where the unshare() call
+    # succeeds (at which point the uid is nobody) but writing to the uid_map
+    # fails (so the uid isn't reset back to the user's uid). We can detect this.
+    parentuid = os.getuid()
+    pid = os.fork()
+    if not pid:
+        try:
+            bb.utils.disable_network()
+        except:
+            pass
+        os._exit(parentuid != os.getuid())
+    ret = os.waitpid(pid, 0)[1]
+    if ret:
+        bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n"
+                 "See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.")
 # Require at least gcc version 8.0
 #
 # This can be fixed on CentOS-7 with devtoolset-6+
@@ -641,6 +664,7 @@ def check_sanity_version_change(status, d):
    status.addresult(check_git_version(d))
    status.addresult(check_perl_modules(d))
    status.addresult(check_wsl(d))
+    status.addresult(check_userns())
    missing = ""

diff --git a/meta/classes-global/sanity.bbclass b/meta/classes-global/sanity.bbclass index 1d242f0f0a..72dab0fea2 100644 --- a/meta/classes-global/sanity.bbclass +++ b/meta/classes-global/sanity.bbclass
@@ -475,6 +475,29 @@ def check_wsl(d):
475	bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")	475	bb.warn("You are running bitbake under WSLv2, this works properly but you should optimize your VHDX file eventually to avoid running out of storage space")
476	return None	476	return None
477		477
		478	def check_userns():
		479	"""
		480	Check that user namespaces are functional, as they're used for network isolation.
		481	"""
		482
		483	# There is a known failure case with AppAmrmor where the unshare() call
		484	# succeeds (at which point the uid is nobody) but writing to the uid_map
		485	# fails (so the uid isn't reset back to the user's uid). We can detect this.
		486	parentuid = os.getuid()
		487	pid = os.fork()
		488	if not pid:
		489	try:
		490	bb.utils.disable_network()
		491	except:
		492	pass
		493	os._exit(parentuid != os.getuid())
		494
		495	ret = os.waitpid(pid, 0)[1]
		496	if ret:
		497	bb.fatal("User namespaces are not usable by BitBake, possibly due to AppArmor.\n"
		498	"See https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890#unprivileged-user-namespace-restrictions for more information.")
		499
		500
478	# Require at least gcc version 8.0	501	# Require at least gcc version 8.0
479	#	502	#
480	# This can be fixed on CentOS-7 with devtoolset-6+	503	# This can be fixed on CentOS-7 with devtoolset-6+
@@ -641,6 +664,7 @@ def check_sanity_version_change(status, d):
641	status.addresult(check_git_version(d))	664	status.addresult(check_git_version(d))
642	status.addresult(check_perl_modules(d))	665	status.addresult(check_perl_modules(d))
643	status.addresult(check_wsl(d))	666	status.addresult(check_wsl(d))
		667	status.addresult(check_userns())
644		668
645	missing = ""	669	missing = ""
646		670