deprecate RunningInUserNS(), migrate to github.com/moby/sys/userns

The userns package in libcontainer was integrated into the moby/sys/user
module at commit 3778ae603c706494fd1e2c2faf83b406e38d687d.

The userns package is used in many places, and currently either depends
on runc/libcontainer, or on containerd, both of which have a complex
dependency tree. This patch is part of a series of patches to unify the
implementations, and to migrate toward that implementation to simplify
the dependency tree.

[3778ae603c706494fd1e2c2faf83b406e38d687d]: opencontainers/runc@3778ae6

Signed-off-by: Sebastiaan van Stijn <[email protected]>

cgroup1/subsystem.go

@@ -20,8 +20,8 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/containerd/cgroups/v3"
 	v1 "github.com/containerd/cgroups/v3/cgroup1/stats"
+	"github.com/moby/sys/user/userns"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -60,7 +60,7 @@ func Subsystems() []Name {
 		Blkio,
 		Rdma,
 	}
-	if !cgroups.RunningInUserNS() {
+	if !userns.RunningInUserNS() {
 		n = append(n, Devices)
 	}
 	if _, err := os.Stat("/sys/kernel/mm/hugepages"); err == nil {

cgroup1/utils.go

@@ -28,6 +28,7 @@ import (
 
 	"github.com/containerd/cgroups/v3"
 	units "github.com/docker/go-units"
+	"github.com/moby/sys/user/userns"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -53,7 +54,7 @@ func defaults(root string) ([]Subsystem, error) {
 	}
 	// only add the devices cgroup if we are not in a user namespace
 	// because modifications are not allowed
-	if !cgroups.RunningInUserNS() {
+	if !userns.RunningInUserNS() {
 		s = append(s, NewDevices(root))
 	}
 	// add the hugetlb cgroup if error wasn't due to missing hugetlb

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/coreos/go-systemd/v22 v22.3.2
 	github.com/docker/go-units v0.5.0
 	github.com/godbus/dbus/v5 v5.0.4
+	github.com/moby/sys/user v0.2.0
 	github.com/opencontainers/runtime-spec v1.0.2
 	github.com/stretchr/testify v1.8.4
 	go.uber.org/goleak v1.1.12

go.sum

@@ -22,6 +22,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/moby/sys/user v0.2.0 h1:OnpapJsRp25vkhw8TFG6OLJODNh/3rEwRWtJ3kakwRM=
+github.com/moby/sys/user v0.2.0/go.mod h1:RYstrcWOJpVh+6qzUqp2bU3eaRpdiQeKGlKitaH0PM8=
 github.com/opencontainers/runtime-spec v1.0.2 h1:UfAcuLBJB9Coz72x1hgl8O5RVzTdNiaglX6v2DM6FI0=
 github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

utils.go

@@ -25,12 +25,11 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/moby/sys/user/userns"
 	"golang.org/x/sys/unix"
 )
 
 var (
-	nsOnce    sync.Once
-	inUserNS  bool
 	checkMode sync.Once
 	cgMode    CGMode
 )
@@ -77,35 +76,10 @@ func Mode() CGMode {
 
 // RunningInUserNS detects whether we are currently running in a user namespace.
 // Copied from github.com/lxc/lxd/shared/util.go
+//
+// Deprecated: use [userns.RunningInUserNS].
 func RunningInUserNS() bool {
-	nsOnce.Do(func() {
-		file, err := os.Open("/proc/self/uid_map")
-		if err != nil {
-			// This kernel-provided file only exists if user namespaces are supported
-			return
-		}
-		defer file.Close()
-
-		buf := bufio.NewReader(file)
-		l, _, err := buf.ReadLine()
-		if err != nil {
-			return
-		}
-
-		line := string(l)
-		var a, b, c int64
-		fmt.Sscanf(line, "%d %d %d", &a, &b, &c)
-
-		/*
-		 * We assume we are in the initial user namespace if we have a full
-		 * range - 4294967295 uids starting at uid 0.
-		 */
-		if a == 0 && b == 0 && c == 4294967295 {
-			return
-		}
-		inUserNS = true
-	})
-	return inUserNS
+	return userns.RunningInUserNS()
 }
 
 // ParseCgroupFileUnified returns legacy subsystem paths as the first value,