From 7a1ab780c4de9eba20c6800a51b5cdeae1d19790 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 1 Jul 2016 19:57:21 -0700 Subject: [PATCH 1/9] execute: normalize connect_logger_as() parameters slightly All other functions in execute.c that need the unit id take a Unit* parameter as first argument. Let's change connect_logger_as() to follow a similar logic. --- src/core/execute.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/core/execute.c b/src/core/execute.c index 05dc1aaec1..40466ad53c 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -290,10 +290,10 @@ static int connect_journal_socket(int fd, uid_t uid, gid_t gid) { } static int connect_logger_as( + Unit *unit, const ExecContext *context, ExecOutput output, const char *ident, - const char *unit_id, int nfd, uid_t uid, gid_t gid) { @@ -329,7 +329,7 @@ static int connect_logger_as( "%i\n" "%i\n", context->syslog_identifier ? context->syslog_identifier : ident, - unit_id, + unit->id, context->syslog_priority, !!context->syslog_level_prefix, output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE, @@ -544,7 +544,7 @@ static int setup_output( case EXEC_OUTPUT_KMSG_AND_CONSOLE: case EXEC_OUTPUT_JOURNAL: case EXEC_OUTPUT_JOURNAL_AND_CONSOLE: - r = connect_logger_as(context, o, ident, unit->id, fileno, uid, gid); + r = connect_logger_as(unit, context, o, ident, fileno, uid, gid); if (r < 0) { log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr"); r = open_null_as(O_WRONLY, fileno); From 9ce93478809de9a421b4a710c7c9de55ecf15187 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 1 Jul 2016 19:58:14 -0700 Subject: [PATCH 2/9] core: normalize header inclusion in execute.h a bit We don't actually need any functionality from cgroup.h in execute.h, hence don't include that. However, we do need the Unit structure from unit.h, hence include that, and move it as late as possible, since it needs the definitions from execute.h. --- src/core/execute.h | 6 +++--- src/core/scope.h | 2 ++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/core/execute.h b/src/core/execute.h index 73b8a119b0..189c4d0999 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -30,6 +30,7 @@ typedef struct ExecParameters ExecParameters; #include #include +#include "cgroup-util.h" #include "fdset.h" #include "list.h" #include "missing.h" @@ -203,9 +204,6 @@ struct ExecContext { bool no_new_privileges_set:1; }; -#include "cgroup-util.h" -#include "cgroup.h" - struct ExecParameters { char **argv; char **environment; @@ -236,6 +234,8 @@ struct ExecParameters { int stderr_fd; }; +#include "unit.h" + int exec_spawn(Unit *unit, ExecCommand *command, const ExecContext *context, diff --git a/src/core/scope.h b/src/core/scope.h index 2dc86325c5..713b8b9f02 100644 --- a/src/core/scope.h +++ b/src/core/scope.h @@ -21,7 +21,9 @@ typedef struct Scope Scope; +#include "cgroup.h" #include "kill.h" +#include "unit.h" typedef enum ScopeResult { SCOPE_SUCCESS, From 8d36b53a2d08966a3025bd24e51c154be375a61f Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 14 Jul 2016 12:20:29 +0200 Subject: [PATCH 3/9] units: fix TasksMax=16384 for systemd-nspawn@.service When a container scope is allocated via machined it gets 16K set already since cf7d1a30e44bf380027a2e73f9bf13f423a33cc1. Make sure when a container is run as system service it gets the same values. --- units/systemd-nspawn@.service.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in index ea28941507..eb318b1faf 100644 --- a/units/systemd-nspawn@.service.in +++ b/units/systemd-nspawn@.service.in @@ -20,7 +20,7 @@ RestartForceExitStatus=133 SuccessExitStatus=133 Slice=machine.slice Delegate=yes -TasksMax=8192 +TasksMax=16384 # Enforce a strict device policy, similar to the one nspawn configures # when it allocates its own scope unit. Make sure to keep these From 00d0fd0619a8651a6fb65c056eddfc87ff8f56ca Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 14 Jul 2016 12:24:59 +0200 Subject: [PATCH 4/9] conf-parser: minor coding style improvements --- src/shared/conf-parser.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/shared/conf-parser.c b/src/shared/conf-parser.c index 83be79a4f5..d85ab5441e 100644 --- a/src/shared/conf-parser.c +++ b/src/shared/conf-parser.c @@ -708,6 +708,7 @@ int config_parse_strv(const char *unit, void *userdata) { char ***sv = data; + int r; assert(filename); assert(lvalue); @@ -721,18 +722,19 @@ int config_parse_strv(const char *unit, * we actually fill in a real empty array here rather * than NULL, since some code wants to know if * something was set at all... */ - empty = strv_new(NULL, NULL); + empty = new0(char*, 1); if (!empty) return log_oom(); strv_free(*sv); *sv = empty; + return 0; } for (;;) { char *word = NULL; - int r; + r = extract_first_word(&rvalue, &word, WHITESPACE, EXTRACT_QUOTES|EXTRACT_RETAIN_ESCAPE); if (r == 0) break; From 065d31c3601a80dffd278f43619773682ac35b29 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 14 Jul 2016 12:25:32 +0200 Subject: [PATCH 5/9] nspawn: document why the uid shift range is the way it is --- src/nspawn/nspawn.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index e4be0a2251..32e40f5d21 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -101,9 +101,11 @@ #include "util.h" /* Note that devpts's gid= parameter parses GIDs as signed values, hence we stay away from the upper half of the 32bit - * UID range here */ + * UID range here. We leave a bit of room at the lower end and a lot of room at the upper end, so that other subsystems + * may have their own allocation ranges too. */ #define UID_SHIFT_PICK_MIN ((uid_t) UINT32_C(0x00080000)) #define UID_SHIFT_PICK_MAX ((uid_t) UINT32_C(0x6FFF0000)) + /* nspawn is listening on the socket at the path in the constant nspawn_notify_socket_path * nspawn_notify_socket_path is relative to the container * the init process in the container pid can send messages to nspawn following the sd_notify(3) protocol */ From 1ddc1272e7ea6d68b7e966a6c5e37f84a1810bd8 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 14 Jul 2016 16:53:13 +0200 Subject: [PATCH 6/9] nspawn: when netns is on, mount /proc/sys/net writable Normally we make all of /proc/sys read-only in a container, but if we do have netns enabled we can make /proc/sys/net writable, as things are virtualized then. --- src/nspawn/nspawn-mount.c | 23 ++++++++++++----------- src/nspawn/nspawn.c | 1 - 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c index 9f4903c842..85e2c943e3 100644 --- a/src/nspawn/nspawn-mount.c +++ b/src/nspawn/nspawn-mount.c @@ -297,18 +297,19 @@ int mount_all(const char *dest, } MountPoint; static const MountPoint mount_table[] = { - { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true, true, false }, - { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true, true, false }, /* Bind mount first */ - { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, true, true, false }, /* Then, make it r/o */ - { "tmpfs", "/sys", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV, true, false, true }, - { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true, false, false }, - { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true, false, false }, - { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false }, - { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false }, - { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true, false, false }, + { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true, true, false }, + { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true, true, false }, /* Bind mount first ...*/ + { "/proc/sys/net", "/proc/sys/net", NULL, NULL, MS_BIND, true, true, true }, /* (except for this) */ + { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, true, true, false }, /* ... then, make it r/o */ + { "tmpfs", "/sys", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV, true, false, true }, + { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true, false, false }, + { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true, false, false }, + { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false }, + { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false }, + { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true, false, false }, #ifdef HAVE_SELINUX - { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false, false, false }, /* Bind mount first */ - { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, false, false, false }, /* Then, make it r/o */ + { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false, false, false }, /* Bind mount first */ + { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, false, false, false }, /* Then, make it r/o */ #endif }; diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 32e40f5d21..6c8263d3d5 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -279,7 +279,6 @@ static void help(void) { , program_invocation_short_name); } - static int custom_mounts_prepare(void) { unsigned i; int r; From fe048ce56ab430a73e7118df87cb9f0f3488be26 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 14 Jul 2016 12:28:54 +0200 Subject: [PATCH 7/9] namespace: add a (void) cast --- src/core/namespace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/namespace.c b/src/core/namespace.c index 8df82c031c..02ec81f71c 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -641,7 +641,7 @@ int setup_netns(int netns_storage_socket[2]) { } fail: - lockf(netns_storage_socket[0], F_ULOCK, 0); + (void) lockf(netns_storage_socket[0], F_ULOCK, 0); return r; } From 33df919d5c4de51b88244d2e82ffe5c9c8abe950 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 14 Jul 2016 13:12:01 +0200 Subject: [PATCH 8/9] execute: make sure JoinsNamespaceOf= doesn't leak ns fds to executed processes --- src/core/execute.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/execute.c b/src/core/execute.c index 40466ad53c..7c178b97c3 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -3062,7 +3062,7 @@ int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) { return r; if (c->private_network && (*rt)->netns_storage_socket[0] < 0) { - if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0) + if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0) return -errno; } From c0f81393d137a258a5c255755c08b498860a5241 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 14 Jul 2016 19:16:19 +0200 Subject: [PATCH 9/9] basic: fix macro definition in nss-util.h Fix a copy/paste mistake. --- src/basic/nss-util.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/basic/nss-util.h b/src/basic/nss-util.h index bf7c4854fc..e7844fff96 100644 --- a/src/basic/nss-util.h +++ b/src/basic/nss-util.h @@ -137,7 +137,7 @@ enum nss_status _nss_##module##_getpwnam_r( \ struct passwd *pwd, \ char *buffer, size_t buflen, \ int *errnop) _public_; \ -enum nss_status _nss_mymachines_getpwuid_r( \ +enum nss_status _nss_##module##_getpwuid_r( \ uid_t uid, \ struct passwd *pwd, \ char *buffer, size_t buflen, \