Add user namespace preflight check to VM creation

Surface a clear error at startup when unprivileged user namespaces are
disabled (kernel.unprivileged_userns_clone=0) instead of failing with a
cryptic EPERM during VM creation. Uses propolis's UserNamespaceCheck
via WithPreflightChecks, which appends to the default checker.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JAORMX

pkg/infra/vm/preflight_linux.go

@@ -0,0 +1,15 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build linux
+
+package vm
+
+import "github.com/stacklok/propolis/preflight"
+
+// extraPreflightChecks returns additional preflight checks for Linux hosts.
+// Currently this adds a user namespace availability check, which catches
+// kernel.unprivileged_userns_clone=0 before VM creation fails with EPERM.
+func extraPreflightChecks() []preflight.Check {
+	return []preflight.Check{preflight.UserNamespaceCheck()}
+}

pkg/infra/vm/preflight_linux_test.go

@@ -0,0 +1,37 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build linux
+
+package vm
+
+import (
+	"testing"
+)
+
+func TestExtraPreflightChecks(t *testing.T) {
+	t.Parallel()
+
+	checks := extraPreflightChecks()
+
+	t.Run("returns exactly one check", func(t *testing.T) {
+		t.Parallel()
+		if got := len(checks); got != 1 {
+			t.Fatalf("expected 1 check, got %d", got)
+		}
+	})
+
+	t.Run("check is named userns", func(t *testing.T) {
+		t.Parallel()
+		if got := checks[0].Name; got != "userns" {
+			t.Fatalf("expected check name %q, got %q", "userns", got)
+		}
+	})
+
+	t.Run("check is required", func(t *testing.T) {
+		t.Parallel()
+		if !checks[0].Required {
+			t.Fatal("expected userns check to be required")
+		}
+	})
+}

pkg/infra/vm/preflight_other.go

@@ -0,0 +1,14 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build !linux
+
+package vm
+
+import "github.com/stacklok/propolis/preflight"
+
+// extraPreflightChecks returns nil on non-Linux platforms where user
+// namespace checks are not applicable.
+func extraPreflightChecks() []preflight.Check {
+	return nil
+}

pkg/infra/vm/propolis.go

@@ -149,6 +149,11 @@ func (p *PropolisProvider) CreateVM(ctx context.Context, env *environment.Enviro
 			propolis.WithLogLevel(p.logLevel))
 	}
 
+	if checks := extraPreflightChecks(); len(checks) > 0 {
+		propolisOpts = append(propolisOpts,
+			propolis.WithPreflightChecks(checks...))
+	}
+
 	propolisOpts = append(propolisOpts, propolis.WithBackend(
 		libkrun.NewBackend(p.buildBackendOpts(opts)...),
 	))