Merge pull request #16566 from poettering/nspawn-osrelease-fixes
nspawn: os-release reorganization, second try
e128723dae
2
NEWS
2
NEWS
@ -546,7 +546,7 @@ CHANGES WITH 246:
has been extended by a set of environment variables that expose
has been extended by a set of environment variables that expose
select fields from the host's os-release file to the container
select fields from the host's os-release file to the container
payload. Similarly, host's os-release files can be mounted into the
payload. Similarly, host's os-release files can be mounted into the
container underneath /run/hosts. Together, those mechanisms provide a
container underneath /run/host. Together, those mechanisms provide a
standardized way to expose information about the host to the
standardized way to expose information about the host to the
container payload. Both interfaces are implemented in systemd-nspawn.
container payload. Both interfaces are implemented in systemd-nspawn.
4
TODO
4
TODO
@ -17,6 +17,10 @@ Janitorial Clean-ups:
Features:
Features:
* nspawn: move "incoming mount" directory to /run/host, move "inaccessible"
nodes to /run/host, move notify socket (for sd_notify() between payload and
container manager)
* cryptsetup: if keyfile specified in crypttab is AF_UNIX socket, connect to it
* cryptsetup: if keyfile specified in crypttab is AF_UNIX socket, connect to it
and read from it (like we do elsewhere with READ_FULL_FILE_CONNECT_SOCKET)
and read from it (like we do elsewhere with READ_FULL_FILE_CONNECT_SOCKET)
@ -342,10 +342,9 @@
<para>Container and sandbox runtime managers may make the host's
<para>Container and sandbox runtime managers may make the host's
identification data available to applications by providing the host's
identification data available to applications by providing the host's
<filename>/etc/os-release</filename> and
<filename>/etc/os-release</filename> (if available, otherwise
<filename>/usr/lib/os-release</filename> as respectively
<filename>/usr/lib/os-release</filename> as a fallback) as
<filename>/run/host/etc/os-release</filename> and
<filename>/run/host/os-release</filename>.</para>
<filename>/run/host/usr/lib/os-release</filename>.</para>
</refsect1>
</refsect1>
<refsect1>
<refsect1>
@ -1,3 +1,4 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once
#pragma once
#include <sys/types.h>
#include <sys/types.h>
@ -563,15 +563,16 @@ int mount_all(const char *dest,
MOUNT_FATAL|MOUNT_MKDIR },
MOUNT_FATAL|MOUNT_MKDIR },
{ "tmpfs", "/run", "tmpfs", "mode=755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
{ "tmpfs", "/run", "tmpfs", "mode=755" TMPFS_LIMITS_RUN, MS_NOSUID|MS_NODEV|MS_STRICTATIME,
MOUNT_FATAL|MOUNT_MKDIR },
MOUNT_FATAL|MOUNT_MKDIR },
{ "/usr/lib/os-release", "/run/host/usr/lib/os-release", NULL, NULL, MS_BIND,
{ "/run/host", "/run/host", NULL, NULL, MS_BIND,
MOUNT_FATAL|MOUNT_MKDIR|MOUNT_TOUCH }, /* As per kernel interface requirements, bind mount first (creating mount points) and make read-only later */
MOUNT_FATAL|MOUNT_MKDIR|MOUNT_PREFIX_ROOT }, /* Prepare this so that we can make it read-only when we are done */
{ NULL, "/run/host/usr/lib/os-release", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
{ "/etc/os-release", "/run/host/os-release", NULL, NULL, MS_BIND,
0 },
MOUNT_TOUCH }, /* As per kernel interface requirements, bind mount first (creating mount points) and make read-only later */
{ "/etc/os-release", "/run/host/etc/os-release", NULL, NULL, MS_BIND,
{ "/usr/lib/os-release", "/run/host/os-release", NULL, NULL, MS_BIND,
MOUNT_MKDIR|MOUNT_TOUCH },
MOUNT_FATAL }, /* If /etc/os-release doesn't exist use the version in /usr/lib as fallback */
{ NULL, "/run/host/etc/os-release", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
{ NULL, "/run/host/os-release", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
0 },
MOUNT_FATAL },
{ NULL, "/run/host", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
MOUNT_FATAL|MOUNT_IN_USERNS },
#if HAVE_SELINUX
#if HAVE_SELINUX
{ "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND,
{ "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND,
MOUNT_MKDIR }, /* Bind mount first (mkdir/chown the mount point in case /sys/ is mounted as minimal skeleton tmpfs) */
MOUNT_MKDIR }, /* Bind mount first (mkdir/chown the mount point in case /sys/ is mounted as minimal skeleton tmpfs) */
@ -589,9 +590,9 @@ int mount_all(const char *dest,
int r;
int r;
for (k = 0; k < ELEMENTSOF(mount_table); k++) {
for (k = 0; k < ELEMENTSOF(mount_table); k++) {
_cleanup_free_ char *where = NULL, *options = NULL;
_cleanup_free_ char *where = NULL, *options = NULL, *prefixed = NULL;
const char *o;
bool fatal = FLAGS_SET(mount_table[k].mount_settings, MOUNT_FATAL);
bool fatal = FLAGS_SET(mount_table[k].mount_settings, MOUNT_FATAL);
const char *o;
if (in_userns != FLAGS_SET(mount_table[k].mount_settings, MOUNT_IN_USERNS))
if (in_userns != FLAGS_SET(mount_table[k].mount_settings, MOUNT_IN_USERNS))
continue;
continue;
@ -616,20 +617,9 @@ int mount_all(const char *dest,
return log_error_errno(r, "Failed to detect whether %s is a mount point: %m", where);
return log_error_errno(r, "Failed to detect whether %s is a mount point: %m", where);
if (r > 0)
if (r > 0)
continue;
continue;
/* Shortcut for optional bind mounts: if the source can't be found skip ahead to avoid creating
* empty and unused directories. */
if (!fatal && FLAGS_SET(mount_table[k].mount_settings, MOUNT_MKDIR) && FLAGS_SET(mount_table[k].flags, MS_BIND)) {
r = access(mount_table[k].what, F_OK);
if (r < 0) {
if (errno == ENOENT)
continue;
return log_error_errno(errno, "Failed to stat %s: %m", mount_table[k].what);
}
}
}
}
if (FLAGS_SET(mount_table[k].mount_settings, MOUNT_MKDIR)) {
if ((mount_table[k].mount_settings & (MOUNT_MKDIR|MOUNT_TOUCH)) != 0) {
uid_t u = (use_userns && !in_userns) ? uid_shift : UID_INVALID;
uid_t u = (use_userns && !in_userns) ? uid_shift : UID_INVALID;
if (FLAGS_SET(mount_table[k].mount_settings, MOUNT_TOUCH))
if (FLAGS_SET(mount_table[k].mount_settings, MOUNT_TOUCH))
@ -647,13 +637,17 @@ int mount_all(const char *dest,
if (r != -EROFS)
if (r != -EROFS)
continue;
continue;
}
}
if (FLAGS_SET(mount_table[k].mount_settings, MOUNT_TOUCH)) {
}
r = touch(where);
if (r < 0 && r != -EEXIST) {
if (FLAGS_SET(mount_table[k].mount_settings, MOUNT_TOUCH)) {
if (fatal)
r = touch(where);
return log_error_errno(r, "Failed to create mount point %s: %m", where);
if (r < 0 && r != -EEXIST) {
log_debug_errno(r, "Failed to create mount point %s: %m", where);
if (fatal && r != -EROFS)
}
return log_error_errno(r, "Failed to create file %s: %m", where);
log_debug_errno(r, "Failed to create file %s: %m", where);
if (r != -EROFS)
continue;
}
}
}
}
@ -666,8 +660,18 @@ int mount_all(const char *dest,
o = options;
o = options;
}
}
if (FLAGS_SET(mount_table[k].mount_settings, MOUNT_PREFIX_ROOT)) {
/* Optionally prefix the mount source with the root dir. This is useful in bind
* mounts to be created within the container image before we transition into it. Note
* that MOUNT_IN_USERNS is run after we transitioned hence prefixing is not ncessary
* for those. */
r = chase_symlinks(mount_table[k].what, dest, CHASE_PREFIX_ROOT, &prefixed, NULL);
if (r < 0)
return log_error_errno(r, "Failed to resolve %s/%s: %m", dest, mount_table[k].what);
}
r = mount_verbose(fatal ? LOG_ERR : LOG_DEBUG,
r = mount_verbose(fatal ? LOG_ERR : LOG_DEBUG,
mount_table[k].what,
prefixed ?: mount_table[k].what,
where,
where,
mount_table[k].type,
mount_table[k].type,
mount_table[k].flags,
mount_table[k].flags,
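Review bot: Removing the `access(mount_table[k].what, F_OK)` shortcut in the third hunk changes behaviour for every non-fatal MS_BIND entry carrying MOUNT_MKDIR, not only for the os-release ones: the mount point is now created before the loop learns that the source is absent, so for the `/sys/fs/selinux` entry in the first hunk a host without SELinux presumably ends up with an empty `/sys/fs/selinux` directory in the container where none was created before. If that is acceptable, a comment on that entry such as `/* Created even on hosts without SELinux: the optional-source shortcut was dropped when MOUNT_PREFIX_ROOT was added */` would stop the next reader from re-adding the check; otherwise the check can be kept after the new MOUNT_PREFIX_ROOT block using `prefixed ?: mount_table[k].what` as the path to test. The os-release fallback in the first hunk depends on the `/etc/os-release` entry preceding the `/usr/lib/os-release` one and on the `if (r > 0) continue;` mount-point test skipping the latter once the former succeeded, which the table only hints at; `/* Order matters: if this bind succeeds, /run/host/os-release is a mount point and the /usr/lib fallback below is skipped */` on the `/etc/os-release` line would make it explicit. The new MOUNT_PREFIX_ROOT comment in the fifth hunk misspells "necessary" as "ncessary". mount_all starts and ends outside these hunks.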
@ -18,6 +18,7 @@ typedef enum MountSettingsMask {
MOUNT_NON_ROOT_ONLY = 1 << 7, /* if set, only non-root mounts are mounted */
MOUNT_NON_ROOT_ONLY = 1 << 7, /* if set, only non-root mounts are mounted */
MOUNT_MKDIR = 1 << 8, /* if set, make directory to mount over first */
MOUNT_MKDIR = 1 << 8, /* if set, make directory to mount over first */
MOUNT_TOUCH = 1 << 9, /* if set, touch file to mount over first */
MOUNT_TOUCH = 1 << 9, /* if set, touch file to mount over first */
MOUNT_PREFIX_ROOT = 1 << 10,/* if set, prefix the source path with the container's root directory */
} MountSettingsMask;
} MountSettingsMask;
typedef enum CustomMountType {
typedef enum CustomMountType {
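Review bot: The new `MOUNT_PREFIX_ROOT` line lacks the space between the comma and the comment that every neighbouring entry has; `MOUNT_PREFIX_ROOT = 1 << 10, /* if set, prefix the source path with the container's root directory */` keeps the enum's column alignment. The comment could also record the constraint the .c side relies on, namely that prefixing happens before the transition into the container and is therefore not applied to MOUNT_IN_USERNS entries.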
@ -695,17 +695,28 @@ static int install_chroot_dropin(
if (!text)
if (!text)
return -ENOMEM;
return -ENOMEM;
if (endswith(m->name, ".service"))
if (endswith(m->name, ".service")) {
const char *os_release_source;
if (access("/etc/os-release", F_OK) < 0) {
if (errno != ENOENT)
return log_debug_errno(errno, "Failed to check if /etc/os-release exists: %m");
os_release_source = "/usr/lib/os-release";
} else
os_release_source = "/etc/os-release";
if (!strextend(&text,
if (!strextend(&text,
"\n"
"\n"
"[Service]\n",
"[Service]\n",
IN_SET(type, IMAGE_DIRECTORY, IMAGE_SUBVOLUME) ? "RootDirectory=" : "RootImage=", image_path, "\n"
IN_SET(type, IMAGE_DIRECTORY, IMAGE_SUBVOLUME) ? "RootDirectory=" : "RootImage=", image_path, "\n"
"Environment=PORTABLE=", basename(image_path), "\n"
"Environment=PORTABLE=", basename(image_path), "\n"
"BindReadOnlyPaths=-/etc/os-release:/run/host/etc/os-release /usr/lib/os-release:/run/host/usr/lib/os-release\n"
"BindReadOnlyPaths=", os_release_source, ":/run/host/os-release\n"
"LogExtraFields=PORTABLE=", basename(image_path), "\n",
"LogExtraFields=PORTABLE=", basename(image_path), "\n",
NULL))
NULL))
return -ENOMEM;
return -ENOMEM;
}
r = write_string_file(dropin, text, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC);
r = write_string_file(dropin, text, WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC);
if (r < 0)
if (r < 0)
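Review bot: The new `access("/etc/os-release", F_OK)` check fixes the os-release source into the drop-in at the moment it is written, while the generated `BindReadOnlyPaths=` is evaluated on every service start, and the `-` prefix that made the old /etc/os-release bind tolerant of a missing file has been dropped; if the host's /etc/os-release appears or disappears after attach, the service presumably fails to start instead of falling back. Either keep the tolerant form, `"BindReadOnlyPaths=-", os_release_source, ":/run/host/os-release\n"`, or document the trade-off next to the check with `/* The source is chosen at attach time; a later change to /etc/os-release requires re-attaching */`. A non-ENOENT failure of access() now aborts the drop-in with only a debug-level log, which may be hard to diagnose on a locked-down host. install_chroot_dropin starts and ends outside this hunk.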
@ -66,12 +66,25 @@ if [ -n "${ID:+set}" ] && [ "${ID}" != "${container_host_id}" ]; then exit 1; fi
if [ -n "${VERSION_ID:+set}" ] && [ "${VERSION_ID}" != "${container_host_version_id}" ]; then exit 1; fi
if [ -n "${VERSION_ID:+set}" ] && [ "${VERSION_ID}" != "${container_host_version_id}" ]; then exit 1; fi
if [ -n "${BUILD_ID:+set}" ] && [ "${BUILD_ID}" != "${container_host_build_id}" ]; then exit 1; fi
if [ -n "${BUILD_ID:+set}" ] && [ "${BUILD_ID}" != "${container_host_build_id}" ]; then exit 1; fi
if [ -n "${VARIANT_ID:+set}" ] && [ "${VARIANT_ID}" != "${container_host_variant_id}" ]; then exit 1; fi
if [ -n "${VARIANT_ID:+set}" ] && [ "${VARIANT_ID}" != "${container_host_variant_id}" ]; then exit 1; fi
cd /tmp; (cd /run/host/usr/lib; md5sum os-release) | md5sum -c
cd /tmp; (cd /run/host; md5sum os-release) | md5sum -c
if echo test >> /run/host/usr/lib/os-release; then exit 1; fi
if echo test >> /run/host/os-release; then exit 1; fi
if echo test >> /run/host/etc/os-release; then exit 1; fi
'
'
systemd-nspawn --register=no -D /testsuite-13.nc-container --bind=/etc/os-release:/tmp/os-release /bin/sh -x -e -c "$_cmd"
local _os_release_source="/etc/os-release"
if [ ! -r "${_os_release_source}" ]; then
_os_release_source="/usr/lib/os-release"
elif [ -L "${_os_release_source}" ] && rm /etc/os-release; then
# Ensure that /etc always wins if available
cp /usr/lib/os-release /etc
echo MARKER=1 >> /etc/os-release
fi
systemd-nspawn --register=no -D /testsuite-13.nc-container --bind="${_os_release_source}":/tmp/os-release /bin/sh -x -e -c "$_cmd"
if grep -q MARKER /etc/os-release; then
rm /etc/os-release
ln -s ../usr/lib/os-release /etc/os-release
fi
}
}
function run {
function run {
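Review bot: The host's own /etc/os-release is replaced in place (`rm /etc/os-release`, `cp /usr/lib/os-release /etc`, `echo MARKER=1 >> /etc/os-release`) and only put back after the systemd-nspawn call, so if the script runs with `set -e` (not visible in this hunk) and nspawn fails, the test host is left with a regular-file /etc/os-release carrying MARKER=1. The restore also hard-codes `../usr/lib/os-release` as the link target, which may differ from what the host originally had, and the `rm` sits inside the `elif` test expression, giving the condition a side effect. Recording the original target with readlink before removing the link, moving the `rm` into the body, and restoring regardless of nspawn's exit status makes the test side-effect free; the rewritten lines are below. The enclosing function starts outside the hunk.
```shell
    local _os_release_source="/etc/os-release"
    local _os_release_link=""
    local _ret=0
    if [ ! -r "${_os_release_source}" ]; then
        _os_release_source="/usr/lib/os-release"
    elif [ -L "${_os_release_source}" ]; then
        # Ensure that /etc always wins if available; remember the link target so it can be put back
        _os_release_link="$(readlink "${_os_release_source}")"
        rm /etc/os-release
        cp /usr/lib/os-release /etc
        echo MARKER=1 >> /etc/os-release
    fi

    systemd-nspawn --register=no -D /testsuite-13.nc-container --bind="${_os_release_source}":/tmp/os-release /bin/sh -x -e -c "$_cmd" || _ret=$?

    if [ -n "${_os_release_link}" ]; then
        rm /etc/os-release
        ln -s "${_os_release_link}" /etc/os-release
    fi
    return "${_ret}"
```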