nestybox / sysbox-pkgr

Sysbox-pkgr repository

check if unprivileged_userns_clone exists before writing #129

Closed zalsader closed 4 months ago

zalsader commented 4 months ago

This addresses the issue in https://github.com/nestybox/sysbox/issues/780

zalsader commented 4 months ago

I updated the PR based on your comment.

Also: don't we need to check if /proc/sys/user/max_user_namespaces exists and if it's set to 0, set it to 1. IOW, I understood that in newer Ubuntu kernels, /proc/sys/kernel/unprivileged_userns_clone was replaced with /proc/sys/user/max_user_namespaces.

It could make sense to address this, but note that sysbox-runc errors if userns is not configured. I don't think setting max_user_namespaces to 1 is the idiomatic approach, I believe that letting the sysadmin see a configuration error (from runc) then choose the appropriate value would be better.

ctalledo commented 4 months ago

It could make sense to address this, but note that sysbox-runc errors if userns is not configured. I don't think setting max_user_namespaces to 1 is the idiomatic approach, I believe that letting the sysadmin see a configuration error (from runc) then choose the appropriate value would be better.

That's fair, although to be honest a user may have a hard time figuring out what to program in max_user_namespaces. The number has to be at least equal to the maximum number of Sysbox containers the user expects to deploy on a given host concurrently (and probably larger since Sysbox is not the only thing that uses user-namespaces ... I believe Chrome does too).

Out of curiosity, what's the default value for max_user_namespaces in your host?

zalsader commented 4 months ago

Thank you!

I got a different answer on each machine. A t2.micro machine had 3782 while a c6a.8xlarge had 251640.

ctalledo commented 4 months ago

I got a different answer on each machine. A t2.micro machine had 3782 while a c6a.8xlarge had 251640.

Perfect ... both of those seem large enough, so it's likely a user won't even have to configure them. Thanks again!
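The two checks discussed in this thread, written out as an added example (not sysbox-pkgr's own code, nor the PR's diff): write unprivileged_userns_clone only when that file exists, and for max_user_namespaces report whether the current value covers the expected container count rather than silently setting it. The path arguments are an assumption so the functions can be tried against copies of the files.

```shell
#!/bin/sh
# Added example, not sysbox-pkgr code. Both functions take an optional path
# argument (assumption) defaulting to the real /proc/sys entries.

# Enable unprivileged user namespaces via the legacy Ubuntu/Debian knob,
# but only if the kernel still exposes it. Newer kernels dropped it in
# favour of /proc/sys/user/max_user_namespaces, so a missing file is not
# an error; writing to it blindly would fail the installer.
enable_userns_clone() {
  knob="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
  if [ ! -f "$knob" ]; then
    echo "skip: $knob not present (kernel governs userns via max_user_namespaces)"
    return 0
  fi
  if [ "$(cat "$knob")" = "1" ]; then
    echo "ok: $knob already 1"
    return 0
  fi
  echo 1 > "$knob" || return 1
  echo "set: $knob=1"
}

# Report whether max_user_namespaces is at least $expected (the number of
# Sysbox containers expected to run concurrently on this host). Returns 1
# with guidance when it is too low; never writes, so the sysadmin picks the
# value instead of the installer guessing one. A missing file is skipped.
check_max_userns() {
  expected="$1"
  path="${2:-/proc/sys/user/max_user_namespaces}"
  [ -f "$path" ] || { echo "skip: $path not present"; return 0; }
  current=$(cat "$path")
  if [ "$current" -lt "$expected" ]; then
    echo "warn: max_user_namespaces=$current < $expected;" \
         "raise it with: sysctl -w user.max_user_namespaces=<N>"
    return 1
  fi
  echo "ok: max_user_namespaces=$current >= $expected"
}
```

Other users of user namespaces (browsers, other container runtimes) share the same limit, so pick an expected count with headroom above the Sysbox container count alone.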