
Merge pull request #25224 from michael-holzheu/PR-TestRunSeccompUnconfinedCloneUserns-check

TestRunSeccompUnconfinedCloneUserns: Check for unprivileged_userns_clone
Sebastiaan van Stijn 9 سال پیش
والد
کامیت
b38c25ad41
2فایلهای تغییر یافته به همراه14 افزوده شده و 1 حذف شده
  1. 1 1
      integration-cli/docker_cli_run_unix_test.go
  2. 13 0
      integration-cli/requirements_unix.go

+ 1 - 1
integration-cli/docker_cli_run_unix_test.go

@@ -1032,7 +1032,7 @@ func (s *DockerSuite) TestRunSeccompProfileDenyCloneUserns(c *check.C) {
 // TestRunSeccompUnconfinedCloneUserns checks that
 // 'docker run --security-opt seccomp=unconfined syscall-test' allows creating a userns.
 func (s *DockerSuite) TestRunSeccompUnconfinedCloneUserns(c *check.C) {
-	testRequires(c, SameHostDaemon, seccompEnabled, UserNamespaceInKernel, NotUserNamespace)
+	testRequires(c, SameHostDaemon, seccompEnabled, UserNamespaceInKernel, NotUserNamespace, unprivilegedUsernsClone)
 
 	// make sure running w privileged is ok
 	runCmd := exec.Command(dockerBinary, "run", "--security-opt", "seccomp=unconfined", "syscall-test", "userns-test", "id")

+ 13 - 0
integration-cli/requirements_unix.go

@@ -3,6 +3,9 @@
 package main
 
 import (
+	"io/ioutil"
+	"strings"
+
 	"github.com/docker/docker/pkg/sysinfo"
 )
 
@@ -99,6 +102,16 @@ var (
 		},
 		"Test requires that bridge-nf-call-ip6tables support be enabled in the daemon.",
 	}
+	unprivilegedUsernsClone = testRequirement{
+		func() bool {
+			content, err := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
+			if err == nil && strings.Contains(string(content), "0") {
+				return false
+			}
+			return true
+		},
+		"Test cannot be run with 'sysctl kernel.unprivileged_userns_clone' = 0",
+	}
 )
 
 func init() {
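Review bot: The condition `err == nil && strings.Contains(string(content), "0")` tests whether any "0" byte appears in the file rather than whether the sysctl value is 0, so a value such as "10" would also be read as disabled; comparing the trimmed content is more precise: `if err == nil && strings.TrimSpace(string(content)) == "0" {`. A read error (including the file not existing) makes the requirement pass, which is presumably intended for kernels that do not expose this sysctl, but the closure gives no hint of that; a comment such as `// The sysctl is not present on every kernel; treat a missing file as "not restricted".` would record the assumption for the next reader. The requirement name `unprivilegedUsernsClone` is lowercase while the neighbouring `UserNamespaceInKernel` and `NotUserNamespace` used in the first file are exported-style, so whichever convention the requirements file follows should be applied consistently here.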