mrrl-containers

MRRL version of container scripts
git clone https://ccx.te2000.cz/git/mrrl-containers

commit c5211028134b392558802279cba0f035e4f20391
parent a05bc26da0271aa4d63745e7d59e2c38223ccc09
Author: ccx <ccx@te2000.cz>
Date:   Fri, 22 Mar 2024 00:28:00 +0000

ns_run_unshared for generic containers

Diffstat:
Mservice_scripts/generic/run | 30+++++++++++++++++++-----------
Mservice_scripts/xsession/run | 2+-
2 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/service_scripts/generic/run b/service_scripts/generic/run
@@ -10,7 +10,6 @@ backtick -in CONTAINER_USER_HOME { homeof $CONTAINER_USER }
 multisubstitute {
 importas -i -u CONTAINER_USER_HOME CONTAINER_USER_HOME
 define CONTAINER_TMPFS /run/containers/${CONTAINER_NAME}.${CONTAINER_USER}
-# define CONTAINER_DATA /mnt/volumes/containers/user/${CONTAINER_USER}/${CONTAINER_NAME}
 define -s tmpfs_dirs "home run tmp inbox run/inbox tmp/.X11-unix"
 importas -D ns -s -C -u CONTAINER_MNT_DIRS CONTAINER_MNT_DIRS
 }
@@ -23,21 +22,25 @@ foreground { redirfd -w 1 /run/cgroup/containers/${CONTAINER_USER}/${CONTAINER_NAME}/cgroup.procs printf "%s" ${NS_PID} }
+unexport NS_PID
+export HOST=${CONTAINER_NAME}
 if { rm -rf ${CONTAINER_TMPFS} }
 if { mkdir -p ${CONTAINER_TMPFS}/${tmpfs_dirs} ${CONTAINER_TMPFS}/mnt/${CONTAINER_MNT_DIRS} }
 if { chmod 1770 ${CONTAINER_TMPFS}/${tmpfs_dirs} }
 if { chown root:${CONTAINER_USER} ${CONTAINER_TMPFS}/${tmpfs_dirs} }
-#
+
 # Create default resolv.conf
 if { redirfd -w 1 ${CONTAINER_TMPFS}/run/resolv.conf printf "nameserver 127.0.0.1\n" }
 if { chown ${CONTAINER_USER}:${CONTAINER_USER} ${CONTAINER_TMPFS}/run/resolv.conf }
-if { mount -a -T data/fstab }
-
 # Put UID/GID/GIDLIST into environment for use by s6-applyuidgid below
 s6-envuidgid ${CONTAINER_USER}
+unshare -m -u -i # new mount, UTS and IPC namespaces
+
+if { mount -a -T data/fstab }
+
 # Run user's setup script (optional)
 if { ifelse { test -x ${CONTAINER_USER_HOME}/container-setup } {
@@ -47,13 +50,18 @@ if {
 }
 }
-env
- HOST=${CONTAINER_NAME}
- #RUN_CHOWN=${UID}:${GID}
- NS_EXTRA="if { mount -o bind,ro /etc/passwd etc/passwd } if { mount -o bind,ro /etc/group etc/group }"
-
 emptyenv -c
-ns_run data/root
+ns_run_unshared data/root {
+ # pre pivot-root commands
+ # /dev/shm -> /run/shm
+ if { mkdir ./run/shm }
+ if { chmod 1777 ./run/shm }
+
+ if { mount -o bind,ro /etc/passwd ./etc/passwd }
+ if { mount -o bind,ro /etc/group ./etc/group }
+}
+
+# This runs with changed / so use absolute paths before dropping privs
 /mnt/ns/bin/applyuidgid-caps -U ""
 env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER}
-${CONTAINER_USER_HOME}/run/init
+/run/init
diff --git a/service_scripts/xsession/run b/service_scripts/xsession/run
@@ -11,7 +11,6 @@ multisubstitute {
 importas -i -u CONTAINER_USER_HOME CONTAINER_USER_HOME
 importas -i -u vtN vtN
 define CONTAINER_TMPFS /run/containers/${CONTAINER_NAME}.${CONTAINER_USER}
-# define CONTAINER_DATA /mnt/volumes/containers/user/${CONTAINER_USER}/${CONTAINER_NAME}
 define -s tmpfs_dirs "home run tmp inbox run/inbox tmp/.X11-unix"
 importas -D ns -s -C -u CONTAINER_MNT_DIRS CONTAINER_MNT_DIRS
 }
@@ -25,6 +24,7 @@ foreground { redirfd -w 1 /run/cgroup/containers/${CONTAINER_USER}/${CONTAINER_NAME}/cgroup.procs printf "%s" ${NS_PID} }
+unexport NS_PID
 if { rm -rf ${CONTAINER_TMPFS} }
 if { mkdir -p ${CONTAINER_TMPFS}/${tmpfs_dirs} ${CONTAINER_TMPFS}/mnt/${CONTAINER_MNT_DIRS} }
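Review bot: The pre-pivot block of `ns_run_unshared data/root { … }` bind-mounts the host's /etc/passwd and /etc/group read-only under the new root, but nothing in the hunk records that this is only safe because of the private mount namespace from `unshare -m` added earlier in the same file (second hunk); if that line is ever moved or dropped, the two binds and `mkdir ./run/shm` land in a tree the host still sees. I would state the precondition next to `# pre pivot-root commands`, e.g. `# Runs as root in the mount namespace from unshare -m above; paths appear relative to the new root, and none of these mounts may be visible on the host`, and after a container start confirm from the host that the container's `etc/passwd` and `etc/group` binds are absent from the host's /proc/self/mountinfo. The `# /dev/shm -> /run/shm` comment only names the intent: the block creates `./run/shm` with mode 1777, but the symlink or mount of /dev/shm onto it is not in this hunk, so the comment should say where it comes from (the image under data/root, data/fstab, or ns_run_unshared itself). Whether `-o bind,ro` produces a read-only mount in one step depends on the mount implementation in use; if it does not, a `mount -o remount,bind,ro` after each bind is needed, which `findmnt` inside the container can confirm. The two `}` at the top close blocks that begin before this hunk.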