diff options
| author | Bruce Ashfield <bruce.ashfield@gmail.com> | 2019-07-03 13:18:08 +0000 |
|---|---|---|
| committer | Bruce Ashfield <bruce.ashfield@gmail.com> | 2019-07-12 14:50:34 +0000 |
| commit | 7394c154a92f9b4e2f8b65af74d8b5533ad7746d (patch) | |
| tree | bec4e54c4bbba29ae34994b809696ae51769b0f3 | |
| parent | cf875d9ee95f853140e20f7e04902339af1a81b0 (diff) | |
| download | meta-virtualization-7394c154a92f9b4e2f8b65af74d8b5533ad7746d.tar.gz | |
containers: update oci-systemd-hook to 0.2.0
Updating to the latest oci-systemd-hook version. We also refresh the
patches, specifically the selinux patch, for the updated context.
The additional cgroups mount patch needed to be tweaks for new
required parameters, but is otherwise unchanged.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
3 files changed, 31 insertions, 26 deletions
diff --git a/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch index 753a77d1..b1299f50 100644 --- a/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch +++ b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | From f59cddcedd6535e0b809ec9b4e95672d34b41a16 Mon Sep 17 00:00:00 2001 | 1 | From f9c640fa1d4c14dfbd2bc40af91cb446ad373075 Mon Sep 17 00:00:00 2001 |
| 2 | From: Jason Wessel <jason.wessel@windriver.com> | 2 | From: Jason Wessel <jason.wessel@windriver.com> |
| 3 | Date: Tue, 14 Nov 2017 07:41:41 -0800 | 3 | Date: Tue, 2 Jul 2019 20:51:08 +0000 |
| 4 | Subject: [PATCH] Add additional cgroup mounts from root NS automatically | 4 | Subject: [PATCH] Add additional cgroup mounts from root NS automatically |
| 5 | 5 | ||
| 6 | Signed-off-by: Jason Wessel <jason.wessel@windriver.com> | 6 | Signed-off-by: Jason Wessel <jason.wessel@windriver.com> |
| @@ -9,11 +9,11 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com> | |||
| 9 | 1 file changed, 45 insertions(+) | 9 | 1 file changed, 45 insertions(+) |
| 10 | 10 | ||
| 11 | diff --git a/src/systemdhook.c b/src/systemdhook.c | 11 | diff --git a/src/systemdhook.c b/src/systemdhook.c |
| 12 | index 78575ef..f735484 100644 | 12 | index 87a3585..5220c54 100644 |
| 13 | --- a/src/systemdhook.c | 13 | --- a/src/systemdhook.c |
| 14 | +++ b/src/systemdhook.c | 14 | +++ b/src/systemdhook.c |
| 15 | @@ -238,6 +238,11 @@ static char *get_process_cgroup_subsystem_path(int pid, const char *subsystem) { | 15 | @@ -281,6 +281,11 @@ static char *get_process_cgroup_subsystem_path(const char *id, int pid, const ch |
| 16 | static int mount_cgroup(const char *rootfs, const char *options, char *systemd_path) | 16 | static int mount_cgroup(const char *id, const char *rootfs, const char *options, char *systemd_path) |
| 17 | { | 17 | { |
| 18 | _cleanup_free_ char *cgroup_path = NULL; | 18 | _cleanup_free_ char *cgroup_path = NULL; |
| 19 | + char *spath, *dpath; | 19 | + char *spath, *dpath; |
| @@ -23,9 +23,9 @@ index 78575ef..f735484 100644 | |||
| 23 | + int got; | 23 | + int got; |
| 24 | 24 | ||
| 25 | if (asprintf(&cgroup_path, "%s/%s", rootfs, CGROUP_ROOT) < 0) { | 25 | if (asprintf(&cgroup_path, "%s/%s", rootfs, CGROUP_ROOT) < 0) { |
| 26 | pr_perror("Failed to create path for %s", CGROUP_ROOT); | 26 | pr_perror("%s: Failed to create path for %s", id, CGROUP_ROOT); |
| 27 | @@ -256,6 +261,46 @@ static int mount_cgroup(const char *rootfs, const char *options, char *systemd_p | 27 | @@ -290,6 +295,46 @@ static int mount_cgroup(const char *id, const char *rootfs, const char *options, |
| 28 | pr_perror("Failed to mkdir new dest: %s", systemd_path); | 28 | pr_perror("%s: Failed to mkdir new dest: %s", id, cgroup_path); |
| 29 | return -1; | 29 | return -1; |
| 30 | } | 30 | } |
| 31 | + /* Create all additional cgroup mounts which are in the root namespace */ | 31 | + /* Create all additional cgroup mounts which are in the root namespace */ |
| @@ -59,7 +59,7 @@ index 78575ef..f735484 100644 | |||
| 59 | + pr_perror("Failed to mkdir new dest: %s", dpath); | 59 | + pr_perror("Failed to mkdir new dest: %s", dpath); |
| 60 | + return -1; | 60 | + return -1; |
| 61 | + } | 61 | + } |
| 62 | + if (bind_mount(spath, dpath, false)) { | 62 | + if (bind_mount(id, spath, dpath, false)) { |
| 63 | + pr_perror("Failed to bind mount %s on %s", spath, dpath); | 63 | + pr_perror("Failed to bind mount %s on %s", spath, dpath); |
| 64 | + return -1; | 64 | + return -1; |
| 65 | + } | 65 | + } |
| @@ -68,9 +68,9 @@ index 78575ef..f735484 100644 | |||
| 68 | + free(dpath); | 68 | + free(dpath); |
| 69 | + } | 69 | + } |
| 70 | + closedir(dir); | 70 | + closedir(dir); |
| 71 | if (mount(cgroup_path, cgroup_path, "bind", MS_REMOUNT|MS_BIND|MS_RDONLY, "") == -1) { | 71 | /* Mount tmpfs at new cgroup directory */ |
| 72 | pr_perror("Failed to remount %s readonly", cgroup_path); | 72 | if (mount("tmpfs", cgroup_path, "tmpfs", MS_NODEV|MS_NOSUID, options) == -1) { |
| 73 | return -1; | 73 | pr_perror("%s: Failed to mount tmpfs at %s", id, cgroup_path); |
| 74 | -- | 74 | -- |
| 75 | 2.11.0 | 75 | 2.19.1 |
| 76 | 76 | ||
diff --git a/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch index 5016f6e7..a3ec57df 100644 --- a/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch +++ b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch | |||
| @@ -8,9 +8,11 @@ Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com> | |||
| 8 | src/systemdhook.c | 12 ------------ | 8 | src/systemdhook.c | 12 ------------ |
| 9 | 1 file changed, 12 deletions(-) | 9 | 1 file changed, 12 deletions(-) |
| 10 | 10 | ||
| 11 | --- a/src/systemdhook.c | 11 | Index: git/src/systemdhook.c |
| 12 | +++ b/src/systemdhook.c | 12 | =================================================================== |
| 13 | @@ -16,7 +16,6 @@ | 13 | --- git.orig/src/systemdhook.c |
| 14 | +++ git/src/systemdhook.c | ||
| 15 | @@ -17,7 +17,6 @@ | ||
| 14 | #include <errno.h> | 16 | #include <errno.h> |
| 15 | #include <inttypes.h> | 17 | #include <inttypes.h> |
| 16 | #include <linux/limits.h> | 18 | #include <linux/limits.h> |
| @@ -18,25 +20,28 @@ Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com> | |||
| 18 | #include <yajl/yajl_tree.h> | 20 | #include <yajl/yajl_tree.h> |
| 19 | #include <stdbool.h> | 21 | #include <stdbool.h> |
| 20 | 22 | ||
| 21 | @@ -129,9 +128,6 @@ static int chperm(const char *path, cons | 23 | @@ -166,12 +165,6 @@ |
| 22 | closedir(dir); | 24 | closedir(dir); |
| 23 | return -1; | 25 | return -1; |
| 24 | } | 26 | } |
| 25 | - if (setfilecon (full_path, label) < 0) { | 27 | - if (label != NULL && (strcmp("", label))) { |
| 26 | - pr_perror("Failed to set context %s on %s", label, full_path); | 28 | - if ((is_selinux_enabled() > 0) && (setfilecon (full_path, label) < 0)) { |
| 29 | - pr_perror("%s: Failed to set context %s on %s", id, label, full_path); | ||
| 30 | - } | ||
| 27 | - } | 31 | - } |
| 28 | 32 | - | |
| 29 | if (doChown) { | 33 | if (doChown) { |
| 30 | /* Change uid and gid to something the container can handle */ | 34 | /* Change uid and gid to something the container can handle */ |
| 31 | @@ -496,14 +492,6 @@ static int prestart(const char *rootfs, | 35 | if (chown(full_path, uid, gid) < 0 ) { |
| 36 | @@ -557,14 +550,6 @@ | ||
| 32 | return -1; | 37 | return -1; |
| 33 | } | 38 | } |
| 34 | } | 39 | } |
| 35 | - | 40 | - |
| 36 | - if (strcmp("", mount_label)) { | 41 | - if (strcmp("", mount_label)) { |
| 37 | - rc = setfilecon(journal_dir, (security_context_t)mount_label); | 42 | - if ((is_selinux_enabled() > 0) && |
| 38 | - if (rc < 0) { | 43 | - (setfilecon(journal_dir, (security_context_t)mount_label) < 0)) { |
| 39 | - pr_perror("Failed to set journal dir selinux context"); | 44 | - pr_perror("%s: Failed to set journal dir selinux context", id); |
| 40 | - return -1; | 45 | - return -1; |
| 41 | - } | 46 | - } |
| 42 | - } | 47 | - } |
diff --git a/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb b/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb index e07b7410..6734bffe 100644 --- a/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb +++ b/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb | |||
| @@ -6,14 +6,14 @@ PRIORITY = "optional" | |||
| 6 | 6 | ||
| 7 | DEPENDS = "yajl util-linux" | 7 | DEPENDS = "yajl util-linux" |
| 8 | 8 | ||
| 9 | SRCREV = "1ac958a4197a9ea52174812fc7d7d036af8140d3" | 9 | SRCREV = "05e692346ca73e022754332a7da641230dae2ffe" |
| 10 | SRC_URI = "git://github.com/projectatomic/oci-systemd-hook \ | 10 | SRC_URI = "git://github.com/projectatomic/oci-systemd-hook \ |
| 11 | file://0001-selinux-drop-selinux-support.patch \ | 11 | file://0001-selinux-drop-selinux-support.patch \ |
| 12 | file://0001-configure-drop-selinux-support.patch \ | 12 | file://0001-configure-drop-selinux-support.patch \ |
| 13 | file://0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch \ | 13 | file://0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch \ |
| 14 | " | 14 | " |
| 15 | 15 | ||
| 16 | PV = "0.0.1+git${SRCPV}" | 16 | PV = "0.2.0+git${SRCPV}" |
| 17 | S = "${WORKDIR}/git" | 17 | S = "${WORKDIR}/git" |
| 18 | 18 | ||
| 19 | inherit autotools pkgconfig | 19 | inherit autotools pkgconfig |