[systemd-commits] 4 commits - TODO src/core src/login src/shared src/test
Lennart Poettering
lennart at kemper.freedesktop.org
Mon Apr 15 12:59:12 PDT 2013
TODO | 3 ++
src/core/cgroup.c | 52 +++++++++++++++++++++++----------------------
src/core/unit.c | 2 -
src/login/logind-session.c | 4 +--
src/login/logind-user.c | 4 +--
src/shared/audit.c | 9 +++++++
src/shared/cgroup-label.c | 6 ++---
src/shared/cgroup-util.h | 2 -
src/test/test-cgroup.c | 8 +++---
9 files changed, 52 insertions(+), 38 deletions(-)
New commits:
commit 9a3ef988b8442360500e7df4db3ff27d2f13de10
Author: Lennart Poettering <lennart at poettering.net>
Date: Mon Apr 15 21:55:12 2013 +0200
audit: since nspawn now sets CAP_AUDIT_CONTROL for containers we cannot user this anymore to skip audit session ID retrieval
As audit is still broken in containers we need a reliable way how we can
determine whether the audit data we read from 7proc is actually useful.
Previously we used CAP_AUDIT_CONTROL for this, since nspawn removed that
from the nspawn container. This has changed a while back however, which
means we used audit data of host system in the container.
This adds an explicit container check to the audit calls, so that all
audit data is turned off in containers.
This should fix session creation with pam_systemd/logind in nspawn containers.
diff --git a/src/shared/audit.c b/src/shared/audit.c
index 138ca1d..97560cc 100644
--- a/src/shared/audit.c
+++ b/src/shared/audit.c
@@ -34,6 +34,7 @@
#include "util.h"
#include "log.h"
#include "fileio.h"
+#include "virt.h"
int audit_session_from_pid(pid_t pid, uint32_t *id) {
char *s;
@@ -45,6 +46,10 @@ int audit_session_from_pid(pid_t pid, uint32_t *id) {
if (have_effective_cap(CAP_AUDIT_CONTROL) <= 0)
return -ENOENT;
+ /* Audit doesn't support containers right now */
+ if (detect_container(NULL) > 0)
+ return -ENOTSUP;
+
if (pid == 0)
r = read_one_line_file("/proc/self/sessionid", &s);
else {
@@ -90,6 +95,10 @@ int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
if (have_effective_cap(CAP_AUDIT_CONTROL) <= 0)
return -ENOENT;
+ /* Audit doesn't support containers right now */
+ if (detect_container(NULL) > 0)
+ return -ENOTSUP;
+
if (pid == 0)
r = read_one_line_file("/proc/self/loginuid", &s);
else {
commit 7a9ec5c9027d919839ab6e286ede753caa164241
Author: Lennart Poettering <lennart at poettering.net>
Date: Mon Apr 15 21:55:07 2013 +0200
core: let's make our log messages proper sentences with full stops
diff --git a/src/core/unit.c b/src/core/unit.c
index 63e42b2..b4fc095 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -1456,7 +1456,7 @@ void unit_notify(Unit *u, UnitActiveState os, UnitActiveState ns, bool reload_su
if (ns != os && ns == UNIT_FAILED) {
log_struct_unit(LOG_NOTICE,
u->id,
- "MESSAGE=Unit %s entered failed state", u->id,
+ "MESSAGE=Unit %s entered failed state.", u->id,
NULL);
unit_trigger_on_failure(u);
}
commit a32360f1a5a85c12f00e9dfb7353280067cccb5b
Author: Lennart Poettering <lennart at poettering.net>
Date: Mon Apr 15 21:52:56 2013 +0200
core: always create /user and /machine top-level cgroup dirs
This allows clients to put inotify watches on these trees to watch for
state changes, without having to wait until these dirs are created.
This introduces the new top-level /machine cgroup dir as canonical
location where OS containers and VMs shall be located (as discussed with
the libvirt folks).
diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index b07bd7e..a248252 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -40,7 +40,7 @@ int cgroup_bonding_realize(CGroupBonding *b) {
assert(b->path);
assert(b->controller);
- r = cg_create(b->controller, b->path);
+ r = cg_create(b->controller, b->path, NULL);
if (r < 0) {
log_warning("Failed to create cgroup %s:%s: %s", b->controller, b->path, strerror(-r));
return r;
@@ -319,9 +319,9 @@ int cgroup_bonding_is_empty_list(CGroupBonding *first) {
}
int manager_setup_cgroup(Manager *m) {
- char *current = NULL, *path = NULL;
+ _cleanup_free_ char *current = NULL, *path = NULL;
int r;
- char suffix[32];
+ char suffix[sizeof("/systemd-") + DECIMAL_STR_MAX(pid_t)];
assert(m);
@@ -335,7 +335,7 @@ int manager_setup_cgroup(Manager *m) {
r = cg_get_by_pid(SYSTEMD_CGROUP_CONTROLLER, 0, ¤t);
if (r < 0) {
log_error("Cannot determine cgroup we are running in: %s", strerror(-r));
- goto finish;
+ return r;
}
if (m->running_as == SYSTEMD_SYSTEM)
@@ -354,35 +354,35 @@ int manager_setup_cgroup(Manager *m) {
} else {
/* We need a new root cgroup */
m->cgroup_hierarchy = NULL;
- if (asprintf(&m->cgroup_hierarchy, "%s%s", streq(current, "/") ? "" : current, suffix) < 0) {
- r = log_oom();
- goto finish;
- }
+ if (asprintf(&m->cgroup_hierarchy, "%s%s", streq(current, "/") ? "" : current, suffix) < 0)
+ return log_oom();
}
/* 2. Show data */
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, m->cgroup_hierarchy, NULL, &path);
if (r < 0) {
log_error("Cannot find cgroup mount point: %s", strerror(-r));
- goto finish;
+ return r;
}
log_debug("Using cgroup controller " SYSTEMD_CGROUP_CONTROLLER ". File system hierarchy is at %s.", path);
/* 3. Install agent */
- r = cg_install_release_agent(SYSTEMD_CGROUP_CONTROLLER, SYSTEMD_CGROUP_AGENT_PATH);
- if (r < 0)
- log_warning("Failed to install release agent, ignoring: %s", strerror(-r));
- else if (r > 0)
- log_debug("Installed release agent.");
- else
- log_debug("Release agent already installed.");
+ if (m->running_as == SYSTEMD_SYSTEM) {
+ r = cg_install_release_agent(SYSTEMD_CGROUP_CONTROLLER, SYSTEMD_CGROUP_AGENT_PATH);
+ if (r < 0)
+ log_warning("Failed to install release agent, ignoring: %s", strerror(-r));
+ else if (r > 0)
+ log_debug("Installed release agent.");
+ else
+ log_debug("Release agent already installed.");
+ }
/* 4. Realize the group */
r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, m->cgroup_hierarchy, 0);
if (r < 0) {
log_error("Failed to create root cgroup hierarchy: %s", strerror(-r));
- goto finish;
+ return r;
}
/* 5. And pin it, so that it cannot be unmounted */
@@ -392,19 +392,21 @@ int manager_setup_cgroup(Manager *m) {
m->pin_cgroupfs_fd = open(path, O_RDONLY|O_CLOEXEC|O_DIRECTORY|O_NOCTTY|O_NONBLOCK);
if (r < 0) {
log_error("Failed to open pin file: %m");
- r = -errno;
- goto finish;
+ return -errno;
}
- log_debug("Created root group.");
-
+ /* 6. Remove non-existing controllers from the default controllers list */
cg_shorten_controllers(m->default_controllers);
-finish:
- free(current);
- free(path);
+ /* 7. Let's create the user and machine hierarchies
+ * right-away, so that people can inotify on them, if they
+ * wish, without this being racy. */
+ if (m->running_as == SYSTEMD_SYSTEM) {
+ cg_create(SYSTEMD_CGROUP_CONTROLLER, m->cgroup_hierarchy, "../user");
+ cg_create(SYSTEMD_CGROUP_CONTROLLER, m->cgroup_hierarchy, "../machine");
+ }
- return r;
+ return 0;
}
void manager_shutdown_cgroup(Manager *m, bool delete) {
diff --git a/src/login/logind-session.c b/src/login/logind-session.c
index e2f41d3..da7ce42 100644
--- a/src/login/logind-session.c
+++ b/src/login/logind-session.c
@@ -442,9 +442,9 @@ static int session_create_one_group(Session *s, const char *controller, const ch
if (s->leader > 0) {
r = cg_create_and_attach(controller, path, s->leader);
if (r < 0)
- r = cg_create(controller, path);
+ r = cg_create(controller, path, NULL);
} else
- r = cg_create(controller, path);
+ r = cg_create(controller, path, NULL);
if (r < 0)
return r;
diff --git a/src/login/logind-user.c b/src/login/logind-user.c
index 411215a..4b0ac5e 100644
--- a/src/login/logind-user.c
+++ b/src/login/logind-user.c
@@ -320,7 +320,7 @@ static int user_create_cgroup(User *u) {
} else
p = u->cgroup_path;
- r = cg_create(SYSTEMD_CGROUP_CONTROLLER, p);
+ r = cg_create(SYSTEMD_CGROUP_CONTROLLER, p, NULL);
if (r < 0) {
log_error("Failed to create cgroup "SYSTEMD_CGROUP_CONTROLLER":%s: %s", p, strerror(-r));
free(p);
@@ -335,7 +335,7 @@ static int user_create_cgroup(User *u) {
if (strv_contains(u->manager->reset_controllers, *k))
continue;
- r = cg_create(*k, p);
+ r = cg_create(*k, p, NULL);
if (r < 0)
log_warning("Failed to create cgroup %s:%s: %s", *k, p, strerror(-r));
}
diff --git a/src/shared/cgroup-label.c b/src/shared/cgroup-label.c
index 995e4c5..a0b486e 100644
--- a/src/shared/cgroup-label.c
+++ b/src/shared/cgroup-label.c
@@ -36,14 +36,14 @@
#include "util.h"
#include "mkdir.h"
-int cg_create(const char *controller, const char *path) {
+int cg_create(const char *controller, const char *path, const char *suffix) {
_cleanup_free_ char *fs = NULL;
int r;
assert(controller);
assert(path);
- r = cg_get_path_and_check(controller, path, NULL, &fs);
+ r = cg_get_path_and_check(controller, path, suffix, &fs);
if (r < 0)
return r;
@@ -69,7 +69,7 @@ int cg_create_and_attach(const char *controller, const char *path, pid_t pid) {
assert(path);
assert(pid >= 0);
- r = cg_create(controller, path);
+ r = cg_create(controller, path, NULL);
if (r < 0)
return r;
diff --git a/src/shared/cgroup-util.h b/src/shared/cgroup-util.h
index 123f72c..274380a 100644
--- a/src/shared/cgroup-util.h
+++ b/src/shared/cgroup-util.h
@@ -55,7 +55,7 @@ int cg_trim(const char *controller, const char *path, bool delete_root);
int cg_rmdir(const char *controller, const char *path, bool honour_sticky);
int cg_delete(const char *controller, const char *path);
-int cg_create(const char *controller, const char *path);
+int cg_create(const char *controller, const char *path, const char *suffix);
int cg_attach(const char *controller, const char *path, pid_t pid);
int cg_create_and_attach(const char *controller, const char *path, pid_t pid);
diff --git a/src/test/test-cgroup.c b/src/test/test-cgroup.c
index 96aca1f..2f7cc9b 100644
--- a/src/test/test-cgroup.c
+++ b/src/test/test-cgroup.c
@@ -31,10 +31,10 @@ int main(int argc, char*argv[]) {
char *path;
char *c, *p;
- assert_se(cg_create(SYSTEMD_CGROUP_CONTROLLER, "/test-a") == 0);
- assert_se(cg_create(SYSTEMD_CGROUP_CONTROLLER, "/test-a") == 0);
- assert_se(cg_create(SYSTEMD_CGROUP_CONTROLLER, "/test-b") == 0);
- assert_se(cg_create(SYSTEMD_CGROUP_CONTROLLER, "/test-b/test-c") == 0);
+ assert_se(cg_create(SYSTEMD_CGROUP_CONTROLLER, "/test-a", NULL) == 0);
+ assert_se(cg_create(SYSTEMD_CGROUP_CONTROLLER, "/test-a", NULL) == 0);
+ assert_se(cg_create(SYSTEMD_CGROUP_CONTROLLER, "/test-b", NULL) == 0);
+ assert_se(cg_create(SYSTEMD_CGROUP_CONTROLLER, "/test-b/test-c", NULL) == 0);
assert_se(cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, "/test-b", 0) == 0);
assert_se(cg_get_by_pid(SYSTEMD_CGROUP_CONTROLLER, getpid(), &path) == 0);
commit a53824ea7466bee2c5e6ac9a11b58b79adceb98b
Author: Lennart Poettering <lennart at poettering.net>
Date: Mon Apr 15 21:52:21 2013 +0200
update TODO
diff --git a/TODO b/TODO
index 5d0898e..38179db 100644
--- a/TODO
+++ b/TODO
@@ -38,6 +38,9 @@ Fedora 19:
Features:
+* explicitly disallow changing the cgroup path of units in the
+ name=systemd hierarchy, unless it is outside of /system
+
* add 'set -e' to scripts in test/
* make test in test/ work with separate output dir
More information about the systemd-commits
mailing list