diff options
author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2019-10-23 22:03:53 +0900 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-10-23 22:03:53 +0900 |
commit | c0c8886141c7d7acbc6691ee8e905e754914e93d (patch) | |
tree | 83ef9c3419efc7e0aa6ad19c36bfa3b9f1caaed2 | |
parent | 510c4bb31f030a4a5a0dd7525a2012d55b58fe2a (diff) | |
parent | 7a25ba554ac032d39b4f90f6e9fc9de194b97cdf (diff) | |
download | systemd-c0c8886141c7d7acbc6691ee8e905e754914e93d.tar.gz |
Merge pull request #13825 from keszybz/nspawn-console-help
nspawn: fix handling of --console=help
-rw-r--r-- | man/systemd-nspawn.xml | 48 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 49 |
2 files changed, 55 insertions, 42 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index db3f10c3a2..c0427aa42f 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -1296,30 +1296,32 @@ <varlistentry> <term><option>--console=</option><replaceable>MODE</replaceable></term> - <listitem><para>Configures how to set up standard input, output and error output for the container payload, as - well as the <filename>/dev/console</filename> device for the container. Takes one of - <option>interactive</option>, <option>read-only</option>, <option>passive</option> or <option>pipe</option>. If - <option>interactive</option> a pseudo-TTY is allocated and made available as <filename>/dev/console</filename> - in the container. It is then bi-directionally connected to the standard input and output passed to - <command>systemd-nspawn</command>. <option>read-only</option> is similar but only the output of the container - is propagated and no input from the caller is read. In <option>passive</option> mode a pseudo TTY is allocated, - but it is not connected anywhere. Finally, in <option>pipe</option> mode no pseudo TTY is allocated, but the - passed standard input, output and error output file descriptors are passed on — as they are — to the container - payload. In this mode <filename>/dev/console</filename> will not exist in the container. Note that in this mode - the container payload generally cannot be a full init system as init systems tend to require - <filename>/dev/console</filename> to be available. On the other hand, in this mode container invocations can be - used within shell pipelines. This is because intermediary pseudo TTYs do not permit independent bidirectional - propagation of the end-of-file (EOF) condition, which is necessary for shell pipelines to work - correctly.</para> - - <para>Note that the <option>pipe</option> mode should be used carefully, as passing arbitrary file descriptors - to less trusted container payloads might open up unwanted interfaces for access by the container payload. For - example, if a passed file descriptor refers to a TTY of some form, APIs such as <constant>TIOCSTI</constant> - may be used to synthesize input that might be used for escaping the container. Hence <option>pipe</option> mode - should only be used if the payload is sufficiently trusted or when the standard input/output/error output file - descriptors are known safe, for example pipes. Defaults to <option>interactive</option> if + <listitem><para>Configures how to set up standard input, output and error output for the container + payload, as well as the <filename>/dev/console</filename> device for the container. Takes one of + <option>interactive</option>, <option>read-only</option>, <option>passive</option>, or + <option>pipe</option>. If <option>interactive</option>, a pseudo-TTY is allocated and made available + as <filename>/dev/console</filename> in the container. It is then bi-directionally connected to the + standard input and output passed to <command>systemd-nspawn</command>. <option>read-only</option> is + similar but only the output of the container is propagated and no input from the caller is read. If + <option>passive</option>, a pseudo TTY is allocated, but it is not connected anywhere. Finally, in + <option>pipe</option> mode no pseudo TTY is allocated, but the standard input, output and error + output file descriptors passed to <command>systemd-nspawn</command> are passed on — as they are — to + the container payload, see the following paragraph. Defaults to <option>interactive</option> if <command>systemd-nspawn</command> is invoked from a terminal, and <option>read-only</option> - otherwise.</para></listitem> + otherwise.</para> + + <para>In <option>pipe</option> mode, <filename>/dev/console</filename> will not exist in the + container. This means that the container payload generally cannot be a full init system as init + systems tend to require <filename>/dev/console</filename> to be available. On the other hand, in this + mode container invocations can be used within shell pipelines. This is because intermediary pseudo + TTYs do not permit independent bidirectional propagation of the end-of-file (EOF) condition, which is + necessary for shell pipelines to work correctly. <emphasis>Note that the <option>pipe</option> mode + should be used carefully</emphasis>, as passing arbitrary file descriptors to less trusted container + payloads might open up unwanted interfaces for access by the container payload. For example, if a + passed file descriptor refers to a TTY of some form, APIs such as <constant>TIOCSTI</constant> may be + used to synthesize input that might be used for escaping the container. Hence <option>pipe</option> + mode should only be used if the payload is sufficiently trusted or when the standard + input/output/error output file descriptors are known safe, for example pipes.</para></listitem> </varlistentry> <varlistentry> diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 0cd960157c..40a7de981a 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -261,6 +261,30 @@ STATIC_DESTRUCTOR_REGISTER(arg_seccomp, seccomp_releasep); STATIC_DESTRUCTOR_REGISTER(arg_cpu_set, cpu_set_reset); STATIC_DESTRUCTOR_REGISTER(arg_sysctl, strv_freep); +static int handle_arg_console(const char *arg) { + if (streq(arg, "help")) { + puts("interactive\n" + "read-only\n" + "passive\n" + "pipe"); + return 0; + } + + if (streq(arg, "interactive")) + arg_console_mode = CONSOLE_INTERACTIVE; + else if (streq(arg, "read-only")) + arg_console_mode = CONSOLE_READ_ONLY; + else if (streq(arg, "passive")) + arg_console_mode = CONSOLE_PASSIVE; + else if (streq(arg, "pipe")) + arg_console_mode = CONSOLE_PIPE; + else + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown console mode: %s", optarg); + + arg_settings_mask |= SETTING_CONSOLE_MODE; + return 1; +} + static int help(void) { _cleanup_free_ char *link = NULL; int r; @@ -1389,29 +1413,16 @@ static int parse_argv(int argc, char *argv[]) { break; case ARG_CONSOLE: - if (streq(optarg, "interactive")) - arg_console_mode = CONSOLE_INTERACTIVE; - else if (streq(optarg, "read-only")) - arg_console_mode = CONSOLE_READ_ONLY; - else if (streq(optarg, "passive")) - arg_console_mode = CONSOLE_PASSIVE; - else if (streq(optarg, "pipe")) - arg_console_mode = CONSOLE_PIPE; - else if (streq(optarg, "help")) - puts("interactive\n" - "read-only\n" - "passive\n" - "pipe"); - else - return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown console mode: %s", optarg); - - arg_settings_mask |= SETTING_CONSOLE_MODE; + r = handle_arg_console(optarg); + if (r <= 0) + return r; break; case 'P': case ARG_PIPE: - arg_console_mode = CONSOLE_PIPE; - arg_settings_mask |= SETTING_CONSOLE_MODE; + r = handle_arg_console("pipe"); + if (r <= 0) + return r; break; case ARG_NO_PAGER: |