commit 21941417791a87b84fa06452402dc9e1fe9c6a23
parent 069cd4aec2a2fb1f7454a5e821d0d50677779c8f
Author: ccx <ccx@te2000.cz>
Date: Sun, 24 Mar 2024 23:53:04 +0000
Remove inbox outside run/inbox; extra scripts for generic
Diffstat:
5 files changed, 42 insertions(+), 24 deletions(-)
diff --git a/service_scripts/alsa/run b/service_scripts/alsa/run
@@ -10,8 +10,7 @@ backtick -in CONTAINER_USER_HOME { homeof $CONTAINER_USER }
multisubstitute {
importas -i -u CONTAINER_USER_HOME CONTAINER_USER_HOME
define CONTAINER_TMPFS /run/containers/${CONTAINER_NAME}.${CONTAINER_USER}
-# define CONTAINER_DATA /mnt/volumes/containers/user/${CONTAINER_USER}/${CONTAINER_NAME}
- define -s tmpfs_dirs "home run tmp inbox run/inbox tmp/.X11-unix"
+ define -s tmpfs_dirs "home run tmp run/inbox run/shm tmp/.X11-unix"
importas -D ns -s -C -u CONTAINER_MNT_DIRS CONTAINER_MNT_DIRS
}
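Review bot: `run/shm` is now created through `tmpfs_dirs`, so it only receives the `chown root:${CONTAINER_USER}` applied to that list (visible as context in the third hunk header), and no mode is set on it in the lines shown. The generic script previously ran `chmod 1777 ./run/shm`, which this commit removes. If `run/shm` is meant to back `/dev/shm`, it probably needs the sticky world-writable mode restored, e.g. `if { chmod 1777 ${CONTAINER_TMPFS}/run/shm }` after the chown, unless a chmod outside these hunks already covers it. The same `tmpfs_dirs` change is made in the generic, sysroot, xorg and xsession scripts.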
@@ -23,6 +22,8 @@ foreground {
redirfd -w 1 /run/cgroup/containers/${CONTAINER_USER}/${CONTAINER_NAME}/cgroup.procs
printf "%s" ${NS_PID}
}
+unexport NS_PID
+export HOST ${CONTAINER_NAME}
if { rm -rf ${CONTAINER_TMPFS} }
if { mkdir -p ${CONTAINER_TMPFS}/${tmpfs_dirs} ${CONTAINER_TMPFS}/mnt/${CONTAINER_MNT_DIRS} }
@@ -33,33 +34,49 @@ if { chown root:${CONTAINER_USER} ${CONTAINER_TMPFS}/${tmpfs_dirs} }
if { redirfd -w 1 ${CONTAINER_TMPFS}/run/resolv.conf printf "nameserver 127.0.0.1\n" }
if { chown ${CONTAINER_USER}:${CONTAINER_USER} ${CONTAINER_TMPFS}/run/resolv.conf }
-if { mount -a -T data/fstab }
-
# Put UID/GID/GIDLIST into environment for use by s6-applyuidgid below
s6-envuidgid ${CONTAINER_USER}
+unshare -m -u -i # new mount, UTS and IPC namespaces
+
+if { mount -a -T data/fstab }
+
# Run user's setup script (optional)
if {
ifelse { test -x ${CONTAINER_USER_HOME}/container-setup } {
env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER}
- applyuidgid-caps -U ""
+ s6-applyuidgid -U
${CONTAINER_USER_HOME}/container-setup ${CONTAINER_TMPFS} ${CONTAINER_NAME}
}
}
-#multisubstitute { importas -i UID UID importas -i GID GID }
-env
- HOST=${CONTAINER_NAME}
- #RUN_CHOWN=${UID}:${GID}
- NS_EXTRA="if { mount -o bind,ro /dev/snd dev/snd } if { mount -o bind,ro /etc/passwd etc/passwd } if { mount -o bind,ro /etc/group etc/group }"
-
unshare -n # make new network namespace
if { ip addr add 127.0.0.1/8 dev lo }
if { ip addr add ::1/128 dev lo }
if { ip link set lo up }
-# Put UID/GID/GIDLIST into environment for use by s6-applyuidgid below
+
emptyenv -c
-ns_run data/root
+ns_run_unshared data/root {
+ # pre pivot-root commands
+ if { mount -o bind,ro /etc/passwd ./etc/passwd }
+ if { mount -o bind,ro /etc/group ./etc/group }
+
+ if { mount -o bind,ro /dev/snd dev/snd }
+}
+
+# This runs with changed / so use absolute paths before dropping privs
/mnt/ns/bin/applyuidgid-caps -U ""
-env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER}
-${CONTAINER_USER_HOME}/run/init
+/mnt/ns/bin/busybox env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER}
+/mnt/ns/bin/foreground {
+ cat /proc/self/mountinfo
+}
+/mnt/ns/bin/ifelse { test -x ${CONTAINER_USER_HOME}/run/init } {
+ ${CONTAINER_USER_HOME}/run/init
+}
+/mnt/ns/bin/foreground {
+ /mnt/ns/bin/if -n {
+ /mnt/ns/bin/busybox stat /mnt/init/init
+ }
+ /mnt/ns/bin/busybox ls -lhA /mnt/init /mnt
+}
+/mnt/init/init
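Review bot: The user-controlled `container-setup` script now runs under `s6-applyuidgid -U` instead of `applyuidgid-caps -U ""`, and s6-applyuidgid only switches uid, gid and supplementary groups. If the old helper's empty argument also reduced the capability sets, that restriction is lost for a script that now runs after `unshare -m -u -i` and `mount -a -T data/fstab`. Either keep the old helper for this call or add a comment such as `# container-setup only needs the uid/gid switch; no capability changes required`. Separately, the unconditional `/mnt/ns/bin/foreground { cat /proc/self/mountinfo }` looks like leftover debugging that writes the mount layout to the service log on every start. The bare `test -x` in the following `ifelse` is resolved through PATH inside the new root, unlike the absolute `/mnt/ns/bin/...` calls around it.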
diff --git a/service_scripts/generic/run b/service_scripts/generic/run
@@ -7,11 +7,15 @@ multisubstitute {
importas -i -u CONTAINER_USER CONTAINER_USER
}
backtick -in CONTAINER_USER_HOME { homeof $CONTAINER_USER }
+backtick -D "true" PREPARE_RUN { realpath data/run.prepare }
+backtick -D "exec" PID1_EXEC { realpath data/exec.pid1 }
multisubstitute {
importas -i -u CONTAINER_USER_HOME CONTAINER_USER_HOME
define CONTAINER_TMPFS /run/containers/${CONTAINER_NAME}.${CONTAINER_USER}
- define -s tmpfs_dirs "home run tmp inbox run/inbox tmp/.X11-unix"
+ define -s tmpfs_dirs "home run tmp run/inbox run/shm tmp/.X11-unix"
importas -D ns -s -C -u CONTAINER_MNT_DIRS CONTAINER_MNT_DIRS
+ importas -i -u PREPARE_RUN PREPARE_RUN
+ importas -i -u PID1_EXEC PID1_EXEC
}
getpid NS_PID
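Review bot: The `-D` defaults on the two new `backtick` lines only apply when `realpath` fails, and GNU `realpath` without `-e` succeeds when the final path component is missing. On such a system an absent `data/run.prepare` would still yield a path, and the later `$PREPARE_RUN` would try to run a file that does not exist instead of falling back to `true`. Testing for the file inside the block makes the fallback independent of the realpath implementation: `backtick -D "true" PREPARE_RUN { if { test -x data/run.prepare } realpath data/run.prepare }`, and likewise for `data/exec.pid1`.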
@@ -52,15 +56,13 @@ if {
}
}
+$PID1_EXEC
emptyenv -c
ns_run_unshared data/root {
# pre pivot-root commands
- # /dev/shm -> /run/shm
- if { mkdir ./run/shm }
- if { chmod 1777 ./run/shm }
-
if { mount -o bind,ro /etc/passwd ./etc/passwd }
if { mount -o bind,ro /etc/group ./etc/group }
+ $PREPARE_RUN
}
# This runs with changed / so use absolute paths before dropping privs
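Review bot: `$PREPARE_RUN` runs inside the pre pivot-root block and `$PID1_EXEC` just before it, both ahead of the privilege drop that, judging by the trailing comment, happens later. Whatever `data/run.prepare` and `data/exec.pid1` resolve to therefore runs with the service's full privileges. Nothing in the hunk checks the ownership or mode of those files, so they should be root-owned and not writable by `${CONTAINER_USER}`. A comment stating that requirement would help, e.g. `# data/run.prepare and data/exec.pid1 run as root: must be root-owned and not user-writable`. The `ns_run_unshared` block and the rest of the script continue outside the hunk.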
@@ -77,6 +79,5 @@ ns_run_unshared data/root {
/mnt/ns/bin/busybox stat /mnt/init/init
}
/mnt/ns/bin/busybox ls -lhA /mnt/init /mnt
-
}
/mnt/init/init
diff --git a/service_scripts/sysroot/run b/service_scripts/sysroot/run
@@ -10,7 +10,7 @@ backtick -in CONTAINER_USER_HOME { homeof $CONTAINER_USER }
multisubstitute {
importas -i -u CONTAINER_USER_HOME CONTAINER_USER_HOME
define CONTAINER_TMPFS /run/containers/${CONTAINER_NAME}.sysroot
- define -s tmpfs_dirs "home run tmp inbox run/inbox tmp/.X11-unix"
+ define -s tmpfs_dirs "home run tmp run/inbox run/shm tmp/.X11-unix"
}
getpid NS_PID
diff --git a/service_scripts/xorg/run b/service_scripts/xorg/run
@@ -13,7 +13,7 @@ backtick -in CONTAINER_USER_HOME { homeof $CONTAINER_USER }
multisubstitute {
importas -i -u CONTAINER_USER_HOME CONTAINER_USER_HOME
define CONTAINER_TMPFS /run/containers/${CONTAINER_NAME}.${CONTAINER_USER}
- define -s tmpfs_dirs "run tmp inbox run/inbox tmp/.X11-unix"
+ define -s tmpfs_dirs "run tmp run/inbox run/shm tmp/.X11-unix"
importas -D ns -s -C -u CONTAINER_MNT_DIRS CONTAINER_MNT_DIRS
}
diff --git a/service_scripts/xsession/run b/service_scripts/xsession/run
@@ -11,7 +11,7 @@ multisubstitute {
importas -i -u CONTAINER_USER_HOME CONTAINER_USER_HOME
importas -i -u vtN vtN
define CONTAINER_TMPFS /run/containers/${CONTAINER_NAME}.${CONTAINER_USER}
- define -s tmpfs_dirs "home run tmp inbox run/inbox tmp/.X11-unix"
+ define -s tmpfs_dirs "home run tmp run/inbox run/shm tmp/.X11-unix"
importas -D ns -s -C -u CONTAINER_MNT_DIRS CONTAINER_MNT_DIRS
}
export HOST X${vtN}