test: enable unpriv user namespaces

These are disabled by default in some distros; we would like to test
rootless, however.

Signed-off-by: Casey Callendrello <c1@caseyc.net>

test_linux.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
 #
 # Run CNI plugin tests.
 # 
@@ -18,6 +18,23 @@ testrun() {
     sudo -E sh -c "umask 0; PATH=${GOPATH}/bin:$(pwd)/bin:${PATH} go test -race $*"
 }
 
+ensure_sysctl() {
+    local key
+    local val
+    local existing
+
+    key="$1"
+    val="$2"
+    existing="$(sysctl -ben "$key")"
+
+    sysctl -r 
+
+    if [ "$val" -ne "$existing" ]; then
+        echo "sudo sysctl -we '$key'='$val'"
+        sudo sysctl -we "$key"="$val"
+    fi
+}
+
 COVERALLS=${COVERALLS:-""}
 
 if [ -n "${COVERALLS}" ]; then
@@ -40,4 +57,7 @@ done
 
 # Run the pkg/ns tests as non root user
 mkdir -p /tmp/cni-rootless
+ensure_sysctl kernel.unprivileged_userns_clone 1 
+ensure_sysctl kernel.apparmor_restrict_unprivileged_userns 0
+
 (export XDG_RUNTIME_DIR=/tmp/cni-rootless; cd pkg/ns/; unshare -rmn go test)