From 4467c80b95a2ed36fb38678d180fc9c4efbba3c9 Mon Sep 17 00:00:00 2001
From: Phil Estes
Date: Fri, 12 Aug 2016 16:31:01 -0400
Subject: [PATCH] Use real chroot if daemon is running in a user namespace

The namespace unshare+pivot root is not possible when running inside a user namespace, so fallback to the original "real" chroot code.

Docker-DCO-1.1-Signed-off-by: Phil Estes
Upstream-commit: dc950567c105153c0a2f8b40d16b989bbddcdb3c
Component: engine
---
 components/engine/pkg/chrootarchive/chroot_linux.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/components/engine/pkg/chrootarchive/chroot_linux.go b/components/engine/pkg/chrootarchive/chroot_linux.go
index cefbef9df4..7153b48798 100644
--- a/components/engine/pkg/chrootarchive/chroot_linux.go
+++ b/components/engine/pkg/chrootarchive/chroot_linux.go
@@ -8,6 +8,7 @@ import (
 "syscall"

 "github.com/docker/docker/pkg/mount"
+ rsystem "github.com/opencontainers/runc/libcontainer/system"
 )

 // chroot on linux uses pivot_root instead of chroot
@@ -17,6 +18,10 @@ import (
 // Old root is removed after the call to pivot_root so it is no longer available under the new root.
 // This is similar to how libcontainer sets up a container's rootfs
 func chroot(path string) (err error) {
+ // if the engine is running in a user namespace we need to use actual chroot
+ if rsystem.RunningInUserNS() {
+ return realChroot(path)
+ }
 if err := syscall.Unshare(syscall.CLONE_NEWNS); err != nil {
 return fmt.Errorf("Error creating mount namespace before pivot: %v", err)
 }
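Review bot: The early return added at the top of `chroot` swaps the unshare+pivot_root path for a plain chroot, but neither the new inline comment nor the function's doc comment (which still reads "chroot on linux uses pivot_root instead of chroot") records that this changes the confinement applied during archive extraction. The doc comment's guarantee that the old root "is no longer available under the new root" is tied to the pivot_root path, so a reader can no longer rely on it when the daemon runs in a user namespace. I would state that at the branch, e.g. `// In a user namespace unshare+pivot_root is not possible, so fall back to plain chroot.` followed by `// NOTE: the old root is not detached on this path; the pivot_root guarantees above do not apply.`, and add a matching sentence to the doc comment. `realChroot` and `rsystem.RunningInUserNS` are defined outside this hunk, so what the detection returns when it cannot read its inputs should be confirmed; the body of `chroot` also continues past the last line shown.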