mrrl-containers

MRRL version of container scripts

commit 1ebc1659d60b747b4f6fda78a39bc28e60318ee9
parent 00d1a374ff5d9f969a8da0a7f5709dc75e167418
Author: ccx <ccx@te2000.cz>
Date:   Sat, 20 Jul 2024 23:10:43 +0000

Unify /dev setup

Diffstat:
Msbin/container_sysroot_run | 2+-
Msbin/ns_run | 54+++---------------------------------------------------
Msbin/ns_run_unshared | 3---
3 files changed, 4 insertions(+), 55 deletions(-)

diff --git a/sbin/container_sysroot_run b/sbin/container_sysroot_run
@@ -8,7 +8,7 @@ backtick -in CONTAINER_USER_HOME { homeof $CONTAINER_USER }
 multisubstitute {
 importas -i -u CONTAINER_USER_HOME CONTAINER_USER_HOME
 define CONTAINER_TMPFS /run/containers/${CONTAINER_NAME}.sysroot
- define -s tmpfs_dirs "home run tmp run/inbox tmp/.X11-unix"
+ define -s tmpfs_dirs "home run tmp run/inbox run/shm tmp/.X11-unix"
 }
 getpid NS_PID
diff --git a/sbin/ns_run b/sbin/ns_run
@@ -33,7 +33,7 @@ multisubstitute {
 # check we are PID1 (in a new PID namespace)
 getpid PID
 ifelse {
- importas -D "" NS_NO_PID1 NS_NO_PID1
+ importas -D "" NS_NO_PID1 NS_NO_PID1
 importas -i PID PID
 test -z ${NS_NO_PID1} -a 1 -ne $PID
 } {
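Review bot: `run/shm` is added to tmpfs_dirs in the `+ define -s tmpfs_dirs` line, but nothing in this hunk sets its mode, while the ns_run code removed in the same commit ran `chmod 1777 run/shm` so that the `dev/shm -> ../run/shm` symlink target was world-writable with the sticky bit. How tmpfs_dirs are created is outside this hunk, so confirm that path (or whatever now replaces the removed block) still ends up with mode 1777 on a `nosuid,nodev` mount; otherwise shm users inside the container either fail or share a directory without the sticky bit. If the mode is applied elsewhere, a short comment next to the define recording where, e.g. `# run/shm backs the dev/shm symlink; mode 1777 is applied in <script that sets it>`, would keep the two files from drifting apart.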
@@ -75,58 +75,10 @@ backtick -i NS_FINAL_SCRIPT {
 if { mount -o rbind $1 $NS_ROOT }
 cd $NS_ROOT
-## this will be better handled by NS_EXTRA script
-## and perhaps /etc/resolv.conf -> /run/resolv.conf symlink
-# foreground { cp /etc/resolv.conf etc/ }
-
-# /proc
-if { mount -t proc proc proc }
-
-# /dev
-if { s6-mount -nwt tmpfs -o nosuid,dev,mode=0755 dev dev }
-if { mknod -m 666 dev/null c 1 3 }
-if { mknod -m 666 dev/full c 1 7 }
-if { mknod -m 666 dev/ptmx c 5 2 }
-if { mknod -m 644 dev/random c 1 8 }
-if { mknod -m 644 dev/urandom c 1 9 }
-if { mknod -m 666 dev/zero c 1 5 }
-if { mknod -m 666 dev/tty c 5 0 }
-if { s6-ln -sf /proc/self/fd dev/fd }
-if { s6-ln -sf /proc/self/fd/0 dev/stdin }
-if { s6-ln -sf /proc/self/fd/1 dev/stout }
-if { s6-ln -sf /proc/self/fd/2 dev/stderr }
-
-# shm, pts and mqueue are provided below
-# also have some convenience dirs in place for optionally bind-mounting them
-if {
- mkdir
-
-# dev/shm
- run/shm
-
- dev/pts
- dev/mqueue
-
- dev/block
- dev/bus
- dev/char
- dev/dri
- dev/input
- dev/loop
- dev/net
- dev/snd
- dev/usb
-
-}
-if { mount -t devpts devpts dev/pts }
-#if { s6-mount -nwt tmpfs -o nosuid,nodev,mode=1777 shm dev/shm }
-if { s6-ln -sf ../run/shm dev/shm }
-if { chmod 1777 run/shm }
-if { s6-mount -nwt mqueue -o nosuid,nodev,noexec mqueue dev/mqueue }
-# leave /dev read-write for now, so stuff can be added by scripts below
+if { ns_run_mounts . }
 # mountpoint for privileged operations and pivot_root
-if { s6-mount -nwt tmpfs -o nosuid,nodev,mode=700 mnt_ns $NS_TMPFS }
+if { s6-mount -nwt tmpfs -o nosuid,nodev,mode=711 mnt_ns $NS_TMPFS }
 if { mkdir ${NS_TMPFS}/oldroot ${NS_TMPFS}/bin }
 #if { s6-hiercopy $NS_BIN ${NS_TMPFS}/bin }
 if { s6-mount -n -o bind,ro $NS_BIN ${NS_TMPFS}/bin }
diff --git a/sbin/ns_run_unshared b/sbin/ns_run_unshared
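Review bot: The new `if { ns_run_mounts . }` line hands the whole /proc and /dev setup to a script that is not part of this commit (the diffstat lists only the three files shown), so the replacement cannot be checked here; at minimum confirm it exists in the tree and preserves what the removed block enforced — `nosuid,dev,mode=0755` on the dev tmpfs, `nosuid,nodev,noexec` on mqueue, mode 644 on random/urandom, and `chmod 1777 run/shm`. If it was derived from the removed lines, also check that it creates `dev/stdout` rather than carrying over the `dev/stout` typo that disappears here. The $NS_TMPFS mount goes from `mode=700` to `mode=711` with no stated reason; 711 lets any user traverse into the directory and reach `${NS_TMPFS}/bin` by path, so a comment such as `# mode=711: traversable but not listable, so unprivileged processes can reach ${NS_TMPFS}/bin by path — confirm intent` should accompany it. The enclosing `backtick -i NS_FINAL_SCRIPT {` block starts before this hunk and continues past it. Relatedly, in the ns_run_unshared hunk the surviving `## NS_FSTAB` line still says "after running above script" although the NS_EXTRA description it referred to is deleted in this commit, so that wording should be updated as well.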
@@ -8,9 +8,6 @@
 ## Environment variables used:
 ## HOST - hostname to set
 ## NS_ROOT - where to bind-mount the root directory
-## NS_EXTRA - extra execline script to run after setting up the namespaces
-## and mounting essential filesystems but before entering it
-## and unmounting host filesystem
 ## NS_FSTAB - file with extra mounts to perform after running above script
 ## NS_TMPFS - place to store binaries in the container that are run
 ## before dropping privs, relative path from new root