#include "service.h"
#include "instance.h"
+#define UJAIL_BIN_PATH "/sbin/ujail"
enum {
INSTANCE_ATTR_COMMAND,
INSTANCE_ATTR_RELOADSIG,
INSTANCE_ATTR_TERMTIMEOUT,
INSTANCE_ATTR_FACILITY,
+ INSTANCE_ATTR_EXTROOT,
+ INSTANCE_ATTR_OVERLAYDIR,
+ INSTANCE_ATTR_TMPOVERLAYSIZE,
__INSTANCE_ATTR_MAX
};
[INSTANCE_ATTR_RELOADSIG] = { "reload_signal", BLOBMSG_TYPE_INT32 },
[INSTANCE_ATTR_TERMTIMEOUT] = { "term_timeout", BLOBMSG_TYPE_INT32 },
[INSTANCE_ATTR_FACILITY] = { "facility", BLOBMSG_TYPE_STRING },
+ [INSTANCE_ATTR_EXTROOT] = { "extroot", BLOBMSG_TYPE_STRING },
+ [INSTANCE_ATTR_OVERLAYDIR] = { "overlaydir", BLOBMSG_TYPE_STRING },
+ [INSTANCE_ATTR_TMPOVERLAYSIZE] = { "tmpoverlaysize", BLOBMSG_TYPE_STRING },
};
enum {
JAIL_ATTR_LOG,
JAIL_ATTR_RONLY,
JAIL_ATTR_MOUNT,
+ JAIL_ATTR_NETNS,
+ JAIL_ATTR_USERNS,
+ JAIL_ATTR_CGROUPSNS,
+ JAIL_ATTR_REQUIREJAIL,
__JAIL_ATTR_MAX,
};
[JAIL_ATTR_LOG] = { "log", BLOBMSG_TYPE_BOOL },
[JAIL_ATTR_RONLY] = { "ronly", BLOBMSG_TYPE_BOOL },
[JAIL_ATTR_MOUNT] = { "mount", BLOBMSG_TYPE_TABLE },
+ [JAIL_ATTR_NETNS] = { "netns", BLOBMSG_TYPE_BOOL },
+ [JAIL_ATTR_USERNS] = { "userns", BLOBMSG_TYPE_BOOL },
+ [JAIL_ATTR_CGROUPSNS] = { "cgroupsns", BLOBMSG_TYPE_BOOL },
+ [JAIL_ATTR_REQUIREJAIL] = { "requirejail", BLOBMSG_TYPE_BOOL },
};
struct instance_netdev {
struct jail *jail = &in->jail;
int argc = 0;
- argv[argc++] = "/sbin/ujail";
+ argv[argc++] = UJAIL_BIN_PATH;
if (jail->name) {
argv[argc++] = "-n";
if (jail->ronly)
argv[argc++] = "-o";
+ if (jail->netns)
+ argv[argc++] = "-N";
+
+ if (jail->userns)
+ argv[argc++] = "-f";
+
+ if (jail->cgroupsns)
+ argv[argc++] = "-F";
+
+ if (in->extroot) {
+ argv[argc++] = "-R";
+ argv[argc++] = in->extroot;
+ }
+
+ if (in->overlaydir) {
+ argv[argc++] = "-O";
+ argv[argc++] = in->overlaydir;
+ }
+
+ if (in->tmpoverlaysize) {
+ argv[argc++] = "-T";
+ argv[argc++] = in->tmpoverlaysize;
+ }
+
+ if (in->require_jail)
+ argv[argc++] = "-E";
+
blobmsg_list_for_each(&jail->mount, var) {
const char *type = blobmsg_data(var->data);
if (!in->pidfile)
return 0;
if (unlink(in->pidfile)) {
- ERROR("Failed to removed pidfile: %s: %m\n", in->pidfile);
+ ERROR("Failed to remove pidfile: %s: %m\n", in->pidfile);
return 1;
}
return 0;
service_stopped(s);
}
+static int
+instance_exit_code(int ret)
+{
+ if (WIFEXITED(ret)) {
+ return WEXITSTATUS(ret);
+ }
+
+ if (WIFSIGNALED(ret)) {
+ return SIGNALLED_OFFSET + WTERMSIG(ret);
+ }
+
+ if (WIFSTOPPED(ret)) {
+ return WSTOPSIG(ret);
+ }
+
+ return 1;
+}
+
static void
instance_exit(struct uloop_process *p, int ret)
{
DEBUG(2, "Instance %s::%s exit with error code %d after %ld seconds\n", in->srv->name, in->name, ret, runtime);
+ in->exit_code = instance_exit_code(ret);
uloop_timeout_cancel(&in->timeout);
service_event("instance.stop", in->srv->name, in->name);
{
struct blob_attr *tb[__JAIL_ATTR_MAX];
struct jail *jail = &in->jail;
- struct stat s;
-
- if (stat("/sbin/ujail", &s))
- return 0;
blobmsg_parse(jail_attr, __JAIL_ATTR_MAX, tb,
blobmsg_data(attr), blobmsg_data_len(attr));
jail->argc = 2;
+ if (tb[JAIL_ATTR_REQUIREJAIL]) {
+ in->require_jail = true;
+ jail->argc++;
+ }
if (tb[JAIL_ATTR_NAME]) {
jail->name = strdup(blobmsg_get_string(tb[JAIL_ATTR_NAME]));
jail->argc += 2;
jail->ronly = blobmsg_get_bool(tb[JAIL_ATTR_RONLY]);
jail->argc++;
}
+ if (tb[JAIL_ATTR_NETNS]) {
+ jail->netns = blobmsg_get_bool(tb[JAIL_ATTR_NETNS]);
+ jail->argc++;
+ }
+ if (tb[JAIL_ATTR_USERNS]) {
+ jail->userns = blobmsg_get_bool(tb[JAIL_ATTR_USERNS]);
+ jail->argc++;
+ }
+ if (tb[JAIL_ATTR_CGROUPSNS]) {
+ jail->cgroupsns = blobmsg_get_bool(tb[JAIL_ATTR_CGROUPSNS]);
+ jail->argc++;
+ }
+
if (tb[JAIL_ATTR_MOUNT]) {
struct blob_attr *cur;
int rem;
if (in->group)
jail->argc += 2;
+ if (in->extroot)
+ jail->argc += 2;
+
+ if (in->overlaydir)
+ jail->argc += 2;
+
+ if (in->tmpoverlaysize)
+ jail->argc += 2;
+
if (in->no_new_privs)
jail->argc++;
- return 1;
+ return true;
}
static bool
{
struct blob_attr *tb[__INSTANCE_ATTR_MAX];
struct blob_attr *cur, *cur2;
- int rem;
+ struct stat s;
+ int rem, r;
blobmsg_parse(instance_attr, __INSTANCE_ATTR_MAX, tb,
blobmsg_data(in->config), blobmsg_data_len(in->config));
if (!in->trace && tb[INSTANCE_ATTR_SECCOMP])
in->seccomp = strdup(blobmsg_get_string(tb[INSTANCE_ATTR_SECCOMP]));
+ if (tb[INSTANCE_ATTR_EXTROOT])
+ in->extroot = strdup(blobmsg_get_string(tb[INSTANCE_ATTR_EXTROOT]));
+
+ if (tb[INSTANCE_ATTR_OVERLAYDIR])
+ in->overlaydir = strdup(blobmsg_get_string(tb[INSTANCE_ATTR_OVERLAYDIR]));
+
+ if (tb[INSTANCE_ATTR_TMPOVERLAYSIZE])
+ in->tmpoverlaysize = strdup(blobmsg_get_string(tb[INSTANCE_ATTR_TMPOVERLAYSIZE]));
+
if (tb[INSTANCE_ATTR_PIDFILE]) {
char *pidfile = blobmsg_get_string(tb[INSTANCE_ATTR_PIDFILE]);
if (pidfile)
if (!in->trace && tb[INSTANCE_ATTR_JAIL])
in->has_jail = instance_jail_parse(in, tb[INSTANCE_ATTR_JAIL]);
+ if (in->has_jail) {
+ r = stat(UJAIL_BIN_PATH, &s);
+ if (r < 0) {
+ if (in->require_jail) {
+ ERROR("Cannot jail service %s::%s. %s: %m (%d)\n",
+ in->srv->name, in->name, UJAIL_BIN_PATH, r);
+ return false;
+ }
+ DEBUG(2, "unable to find %s: %m (%d)\n", UJAIL_BIN_PATH, r);
+ in->has_jail = false;
+ }
+ }
+
if (tb[INSTANCE_ATTR_STDOUT] && blobmsg_get_bool(tb[INSTANCE_ATTR_STDOUT]))
in->_stdout.fd.fd = -1;
static void
instance_config_move_strdup(char **dst, char *src)
{
- if (!*dst)
- return;
-
- free(*dst);
- *dst = NULL;
+ if (*dst) {
+ free(*dst);
+ *dst = NULL;
+ }
if (!src)
return;
free(in->config);
free(in->user);
free(in->group);
+ free(in->extroot);
+ free(in->overlaydir);
+ free(in->tmpoverlaysize);
free(in->jail.name);
free(in->jail.hostname);
free(in->seccomp);
in->proc.cb = instance_exit;
in->term_timeout = 5;
in->syslog_facility = LOG_DAEMON;
+ in->exit_code = 0;
+ in->require_jail = false;
in->_stdout.fd.fd = -2;
in->_stdout.stream.string_data = true;
if (in->command)
blobmsg_add_blob(b, in->command);
blobmsg_add_u32(b, "term_timeout", in->term_timeout);
+ if (!in->proc.pending)
+ blobmsg_add_u32(b, "exit_code", in->exit_code);
if (!avl_is_empty(&in->errors.avl)) {
struct blobmsg_list_node *var;
blobmsg_add_string(b, "name", in->jail.name);
if (in->jail.hostname)
blobmsg_add_string(b, "hostname", in->jail.hostname);
+
blobmsg_add_u8(b, "procfs", in->jail.procfs);
blobmsg_add_u8(b, "sysfs", in->jail.sysfs);
blobmsg_add_u8(b, "ubus", in->jail.ubus);
blobmsg_add_u8(b, "log", in->jail.log);
blobmsg_add_u8(b, "ronly", in->jail.ronly);
+ blobmsg_add_u8(b, "netns", in->jail.netns);
+ blobmsg_add_u8(b, "userns", in->jail.userns);
+ blobmsg_add_u8(b, "cgroupsns", in->jail.cgroupsns);
blobmsg_close_table(b, r);
if (!avl_is_empty(&in->jail.mount.avl)) {
struct blobmsg_list_node *var;
}
}
+ if (in->extroot)
+ blobmsg_add_string(b, "extroot", in->extroot);
+ if (in->overlaydir)
+ blobmsg_add_string(b, "overlaydir", in->overlaydir);
+ if (in->tmpoverlaysize)
+ blobmsg_add_string(b, "tmpoverlaysize", in->tmpoverlaysize);
+
if (verbose && in->trigger)
blobmsg_add_blob(b, in->trigger);
projects / oweals / procd.git / blobdiff