This commit is part of clone3 clean up. As part of clean up we will

remove tests/ui/command/command-create-pidfd.rs . But it contains very useful comment, so let's move the comment to library/std/src/sys/pal/unix/rand.rs , which contains another instance of the same Docker problem
2024-01-24 15:22:00 +03:00 · 2024-01-24 15:22:00 +03:00 · 57f9d1f01a
commit 57f9d1f01a
parent f6ee4bf384
2 changed files with 12 additions and 11 deletions
--- a/library/std/src/sys/pal/unix/rand.rs
+++ b/library/std/src/sys/pal/unix/rand.rs
@ -106,7 +106,18 @@ mod imp {
                    // supported on the current kernel.
                    //
                    // Also fall back in case it is disabled by something like
-                    // seccomp or inside of virtual machines.
+                    // seccomp or inside of docker.
+                    //
+                    // If the `getrandom` syscall is not implemented in the current kernel version it should return an
+                    // `ENOSYS` error. Docker also blocks the whole syscall inside unprivileged containers, and
+                    // returns `EPERM` (instead of `ENOSYS`) when a program tries to invoke the syscall. Because of
+                    // that we need to check for *both* `ENOSYS` and `EPERM`.
+                    //
+                    // Note that Docker's behavior is breaking other projects (notably glibc), so they're planning
+                    // to update their filtering to return `ENOSYS` in a future release:
+                    //
+                    //     https://github.com/moby/moby/issues/42680
+                    //
                    GETRANDOM_UNAVAILABLE.store(true, Ordering::Relaxed);
                    return false;
                } else if err == libc::EAGAIN {
--- a/tests/ui/command/command-create-pidfd.rs
+++ b/tests/ui/command/command-create-pidfd.rs
@ -16,16 +16,6 @@ fn has_clone3() -> bool {
        .then(|| Error::last_os_error())
        .expect("probe syscall should not succeed");

-    // If the `clone3` syscall is not implemented in the current kernel version it should return an
-    // `ENOSYS` error. Docker also blocks the whole syscall inside unprivileged containers, and
-    // returns `EPERM` (instead of `ENOSYS`) when a program tries to invoke the syscall. Because of
-    // that we need to check for *both* `ENOSYS` and `EPERM`.
-    //
-    // Note that Docker's behavior is breaking other projects (notably glibc), so they're planning
-    // to update their filtering to return `ENOSYS` in a future release:
-    //
-    //     https://github.com/moby/moby/issues/42680
-    //
    err.raw_os_error() != Some(libc::ENOSYS) && err.raw_os_error() != Some(libc::EPERM)
 }