author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2021-01-21 13:16:59 +0900 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-21 13:16:59 +0900 |
commit | 33f7b61ca59f9e002ee79bacd498a36eab20e6e9 (patch) | |
tree | c31f7b52e7b104d6d34fc0d06c560736599a9cc1 | |
parent | 9807fdc1da8e037ddedfa4e2c6d2728b6e60051e (diff) | |
parent | fe239c7d7d6227209234100f4e0a36dd952a5587 (diff) | |
download | systemd-33f7b61ca59f9e002ee79bacd498a36eab20e6e9.tar.gz |
Merge pull request #18329 from poettering/notify-chroot
chroot/sd_notify() fixes
-rw-r--r-- | man/systemd.exec.xml | 14 | ||||
-rw-r--r-- | src/core/execute.c | 1 | ||||
-rw-r--r-- | src/core/execute.h | 2 | ||||
-rw-r--r-- | src/core/namespace.c | 20 | ||||
-rw-r--r-- | src/core/namespace.h | 1 | ||||
-rw-r--r-- | src/core/service.c | 5 | ||||
-rw-r--r-- | src/portable/profile/default/service.conf | 2 | ||||
-rw-r--r-- | src/portable/profile/nonetwork/service.conf | 2 | ||||
-rw-r--r-- | src/portable/profile/strict/service.conf | 2 | ||||
-rw-r--r-- | src/portable/profile/trusted/service.conf | 1 | ||||
-rw-r--r-- | src/test/test-namespace.c | 1 | ||||
-rw-r--r-- | src/test/test-ns.c | 1 |
12 files changed, 40 insertions, 12 deletions
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 663b15fa60..8f00ef555e 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -117,6 +117,20 @@
 <para>The <varname>MountAPIVFS=</varname> and <varname>PrivateUsers=</varname> settings are particularly useful in conjunction with <varname>RootDirectory=</varname>. For details, see below.</para>
+ <para>If <varname>RootDirectory=</varname>/<varname>RootImage=</varname> are used together with
+ <varname>NotifyAccess=</varname> the notification socket is automatically mounted from the host into
+ the root environment, to ensure the notification interface can work correctly.</para>
+
+ <para>Note that services using <varname>RootDirectory=</varname>/<varname>RootImage=</varname> will
+ not be able to log via the syslog or journal protocols to the host logging infrastructure, unless the
+ relevant sockets are mounted from the host, specifically:</para>
+
+ <example>
+ <title>Mounting logging sockets into root environment</title>
+
+ <programlisting>BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout</programlisting>
+ </example>
+
 <xi:include href="system-only.xml" xpointer="singular"/></listitem>
 </varlistentry>
diff --git a/src/core/execute.c b/src/core/execute.c
index 38235ec77e..c56a4ef03b 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3223,6 +3223,7 @@ static int apply_mount_namespace(
 context->root_verity,
 propagate_dir,
 incoming_dir,
+ root_dir || root_image ? params->notify_socket : NULL,
 DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK,
 error_path);
diff --git a/src/core/execute.h b/src/core/execute.h
index 2da4699df1..f8231ba773 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -384,6 +384,8 @@ struct ExecParameters {
 /* An fd that is closed by the execve(), and thus will result in EOF when the execve() is done */
 int exec_fd;
+
+ const char *notify_socket;
 };
 #include "unit.h"
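Review bot: The new argument `root_dir || root_image ? params->notify_socket : NULL` in the execute.c hunk depends on `||` binding tighter than `?:`; it is correct, but a reader has to stop and verify that, so parenthesizing the condition makes the intent explicit: `(root_dir || root_image) ? params->notify_socket : NULL,`. Passing NULL when no separate root is configured is what keeps setup_namespace() from adding a mount at all in the plain-host case, and that deserves a one-line comment on the argument, e.g. `/* Only bind the notify socket into a separate root; on the host it is reachable as-is */`. apply_mount_namespace() starts and ends outside the hunk.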
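Review bot: The new `notify_socket` member in the execute.h hunk is the one field in this part of ExecParameters without a comment, while its neighbour `exec_fd` spells out its lifetime semantics; the header should say what the pointer is and who owns it. Elsewhere in this PR it is assigned in service_spawn() from `UNIT(s)->manager->notify_socket`, so ExecParameters borrows rather than owns it, and it is consumed by apply_mount_namespace() to bind the socket into the service's root. A comment such as `/* Path of the manager's notification socket, or NULL. Borrowed from the Manager, not owned. Bind-mounted into the root when RootDirectory=/RootImage= is used. */` would capture that. struct ExecParameters starts outside the hunk.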
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 4b5519e11b..12d9e4c867 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -1302,7 +1302,8 @@ static size_t namespace_calculate_mounts(
 const char* var_tmp_dir,
 const char *creds_path,
 const char* log_namespace,
- bool setup_propagate) {
+ bool setup_propagate,
+ const char* notify_socket) {
 size_t protect_home_cnt;
 size_t protect_system_cnt =
@@ -1329,7 +1330,6 @@ static size_t namespace_calculate_mounts(
 n_bind_mounts +
 n_mount_images +
 n_temporary_filesystems +
- (setup_propagate ? 1 : 0) + /* /run/systemd/incoming */
 ns_info->private_dev +
 (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
 (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
@@ -1339,7 +1339,9 @@ static size_t namespace_calculate_mounts(
 (ns_info->protect_hostname ? 2 : 0) +
 (namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0) +
 (creds_path ? 2 : 1) +
- !!log_namespace;
+ !!log_namespace +
+ setup_propagate + /* /run/systemd/incoming */
+ !!notify_socket;
 }
 static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) {
@@ -1491,6 +1493,7 @@ int setup_namespace(
 const char *verity_data_path,
 const char *propagate_dir,
 const char *incoming_dir,
+ const char *notify_socket,
 DissectImageFlags dissect_image_flags,
 char **error_path) {
@@ -1593,7 +1596,8 @@ int setup_namespace(
 tmp_dir, var_tmp_dir,
 creds_path,
 log_namespace,
- setup_propagate);
+ setup_propagate,
+ notify_socket);
 if (n_mounts > 0) {
 m = mounts = new0(MountEntry, n_mounts);
@@ -1771,6 +1775,14 @@ int setup_namespace(
 .read_only = true,
 };
+ if (notify_socket)
+ *(m++) = (MountEntry) {
+ .path_const = notify_socket,
+ .source_const = notify_socket,
+ .mode = BIND_MOUNT,
+ .read_only = true,
+ };
+
 assert(mounts + n_mounts == m);
 /* Prepend the root directory where that's necessary */
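Review bot: The new MountEntry in the last hunk of this file bind-mounts the socket at `.path_const = notify_socket`, i.e. at the same absolute path inside the root as on the host, without saying why the host path is reused (the NOTIFY_SOCKET= value handed to the service in service.c is the host path, so the in-root path has to match it); I would put `/* The sd_notify() socket lives in the host's /run; bind it at the same path inside the root so the NOTIFY_SOCKET= value stays valid. */` above the `if (notify_socket)`. Whether the target path is created when the root has no /run/systemd/ depends on how BIND_MOUNT entries are applied elsewhere in setup_namespace(), outside the hunk — presumably the existing bind-mount path creates it, but it is worth confirming, since a missing target would fail the whole namespace setup rather than only the notification. `.read_only = true` is appropriate for a socket: it blocks writes to the inode through the mount but does not restrict connect()/sendmsg(), which is what the service needs. Note also that neither test-namespace.c nor test-ns.c in this PR passes a non-NULL notify_socket, so the new `!!notify_socket` term in namespace_calculate_mounts() and the `assert(mounts + n_mounts == m)` pairing are not exercised. setup_namespace() starts and ends outside the hunk.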
diff --git a/src/core/namespace.h b/src/core/namespace.h
index 91ee44cd51..8e07dd37bc 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -129,6 +129,7 @@ int setup_namespace(
 const char *root_verity,
 const char *propagate_dir,
 const char *incoming_dir,
+ const char *notify_socket,
 DissectImageFlags dissected_image_flags,
 char **error_path);
diff --git a/src/core/service.c b/src/core/service.c
index b1a4d0bf18..dbb50a9240 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1474,10 +1474,13 @@ static int service_spawn(
 if (!our_env)
 return -ENOMEM;
- if (service_exec_needs_notify_socket(s, flags))
+ if (service_exec_needs_notify_socket(s, flags)) {
 if (asprintf(our_env + n_env++, "NOTIFY_SOCKET=%s", UNIT(s)->manager->notify_socket) < 0)
 return -ENOMEM;
+ exec_params.notify_socket = UNIT(s)->manager->notify_socket;
+ }
+
 if (s->main_pid > 0)
 if (asprintf(our_env + n_env++, "MAINPID="PID_FMT, s->main_pid) < 0)
 return -ENOMEM;
diff --git a/src/portable/profile/default/service.conf b/src/portable/profile/default/service.conf
index 792be50229..230aa60781 100644
--- a/src/portable/profile/default/service.conf
+++ b/src/portable/profile/default/service.conf
@@ -2,8 +2,6 @@
 [Service]
 MountAPIVFS=yes
-TemporaryFileSystem=/run
-BindReadOnlyPaths=/run/systemd/notify
 BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 BindReadOnlyPaths=/etc/machine-id
 BindReadOnlyPaths=/etc/resolv.conf
diff --git a/src/portable/profile/nonetwork/service.conf b/src/portable/profile/nonetwork/service.conf
index c81cebe03f..cd7f75c2e3 100644
--- a/src/portable/profile/nonetwork/service.conf
+++ b/src/portable/profile/nonetwork/service.conf
@@ -2,8 +2,6 @@
 [Service]
 MountAPIVFS=yes
-TemporaryFileSystem=/run
-BindReadOnlyPaths=/run/systemd/notify
 BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 BindReadOnlyPaths=/etc/machine-id
 BindReadOnlyPaths=/run/dbus/system_bus_socket
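Review bot: In the service.c hunk `UNIT(s)->manager->notify_socket` is now read twice in the same block — once for the NOTIFY_SOCKET= environment string and once for `exec_params.notify_socket` — and the two must stay identical for the bind mount added in namespace.c to land at the path the service is told about; a local `const char *notify_socket = UNIT(s)->manager->notify_socket;` used in both places would make that coupling visible. The assignment hands exec_params a pointer it does not own, which is fine as long as exec_params does not outlive the Manager — that looks to be the case for a struct local to service_spawn(), but its initialization is outside the hunk, so confirm the field is zero-initialized on the path where the notify socket is not needed. service_spawn() starts and ends outside the hunk.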
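Review bot: Dropping `TemporaryFileSystem=/run` from the default profile (and likewise in the nonetwork and strict profiles in this PR) changes more than the notify-socket handling: that line was what replaced the image's /run with an empty tmpfs. Presumably `MountAPIVFS=yes` two lines above already provides an empty /run, which would make the line redundant, but nothing in the profile records that assumption. A comment such as `# /run is an empty tmpfs via MountAPIVFS=yes; the sd_notify() socket is bind-mounted in automatically when NotifyAccess= is set` would explain why both lines went away and why the remaining BindReadOnlyPaths= for the journal and syslog sockets still matter, which is the same point the man page hunk in this PR makes.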
diff --git a/src/portable/profile/strict/service.conf b/src/portable/profile/strict/service.conf
index d10fb5a1e8..f924e1096f 100644
--- a/src/portable/profile/strict/service.conf
+++ b/src/portable/profile/strict/service.conf
@@ -2,8 +2,6 @@
 [Service]
 MountAPIVFS=yes
-TemporaryFileSystem=/run
-BindReadOnlyPaths=/run/systemd/notify
 BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 BindReadOnlyPaths=/etc/machine-id
 DynamicUser=yes
diff --git a/src/portable/profile/trusted/service.conf b/src/portable/profile/trusted/service.conf
index 9a6af70b93..cb859c4e27 100644
--- a/src/portable/profile/trusted/service.conf
+++ b/src/portable/profile/trusted/service.conf
@@ -2,6 +2,5 @@
 [Service]
 MountAPIVFS=yes
-BindPaths=/run
 BindReadOnlyPaths=/etc/machine-id
 BindReadOnlyPaths=/etc/resolv.conf
diff --git a/src/test/test-namespace.c b/src/test/test-namespace.c
index d92bcacfad..461dde5fa9 100644
--- a/src/test/test-namespace.c
+++ b/src/test/test-namespace.c
@@ -174,6 +174,7 @@ static void test_protect_kernel_logs(void) {
 NULL,
 NULL,
 NULL,
+ NULL,
 0,
 NULL);
 assert_se(r == 0);
diff --git a/src/test/test-ns.c b/src/test/test-ns.c
index 88bdb437de..3b5836e980 100644
--- a/src/test/test-ns.c
+++ b/src/test/test-ns.c
@@ -89,6 +89,7 @@ int main(int argc, char *argv[]) {
 NULL,
 NULL,
 NULL,
+ NULL,
 0,
 NULL);
 if (r < 0) { |
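Review bot: Removing `BindPaths=/run` from the trusted profile narrows what the service sees considerably: before, the whole host /run was bind-mounted read-write, whereas after this change only the notify socket arrives automatically, and only when NotifyAccess= is set, per the namespace.c and man page hunks. A portable service on this profile that relied on other host sockets under /run — the journal and syslog sockets the new man page text lists, or the D-Bus socket the nonetwork profile binds explicitly — will lose them unless the rest of this file, which is outside the hunk, binds them individually. If that narrowing is intended it deserves a sentence in the commit description or a comment in the profile; if it is not, the logging sockets at least should come back as `BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout`, matching the other profiles.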