[systemd-devel] [PATCH 1/2] nspawn: --populate to run static binaries on empty target directory

Shawn Landden shawn at churchofgit.com
Mon Dec 2 09:41:45 PST 2013


On Mon, Dec 2, 2013 at 8:27 AM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Sat, 30.11.13 10:20, Shawn Landden (shawn at churchofgit.com) wrote:
>
>> nspawn has been called "chroot on steroids".
>>
>> Continue that tradition by supporting target directories that
>> are not root directories.
>>
>> This patch handles the simple case: a static binary.
>
> Hmm, I am not sure how I feel about this. This appears a bit too
> specific for me, and given the requirement for static binaries this is
> also so limited.
The next patch is the series adds support for dynamic libraries. This patch
also doesn't need bind mounts, and it executes through /proc/self/fd/%n, but
support for one-file scripts and dynamic libraries in the next patch does
require bind mounts. I feel you don't really understand my patch. :/
I'll sum up what I'm doing:

If --populate is passed, analyze the executable, which opens it and set the
exec path to /proc/self/fd/%n. If executable is static this is all you
have to do.

If it has a shebang, analyze that. If either the shebang or executable
is dynamic,
test if the linker is the GNU linker, and if it is have the linker
tell use what libraries the
executable needs. Then bind mount the linker, shebang (if there is one), and
libraries into the target.

Unmount these when the machine shuts down.
>
> I wonder if we can find a different way to support this, without adding
> high-level switches to nspawn itself.
>
> For example, couldn't extending "--bind=" a bit to also support bind
> mounting files (in contrast to just directories the way it currently
> does) already gets us 90% of the way? And then do the rest 10% by adding
> an example how to use this to bind mount static binaries from the host
> into the container to the example in the man page? Allowing bind
> mounting of files has been on the TODO list for a while anyway...
>
> Something like:
>
> # systemd-nspawn -D /srv/mycontainer --bind=/usr/bin/populate-container:/tmp/populate-container /tmp/populate-container
>
> This of course wouldn't check if the file executed is staticall linked,
> but the user should quickly get an error about missing .sos if it isn't?
No, the linker would be missing, and the user would get "execvpe()
failed: No such file or directory",
which is confusing.
>
>>          assert_se(sigemptyset(&mask) == 0);
>> @@ -1164,7 +1195,7 @@ int main(int argc, char *argv[]) {
>>                          gid_t gid = (gid_t) -1;
>>                          unsigned n_env = 2;
>>                          const char *envp[] = {
>> -                                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
>> +                                DEFAULT_PATH_SPLIT_USR,
>
> This bit looks like like something we really should do though. Could you
> isolate this out and resubmit, please?

>
>> +#define DEFAULT_PATH_SPLIT_USR "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
>> +
>>  #ifdef HAVE_SPLIT_USR
>> -#  define DEFAULT_PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
>> +#  define DEFAULT_PATH DEFAULT_PATH_SPLIT_USR
>>  #else
>>  #  define DEFAULT_PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
>>  #endif
>> @@ -51,6 +53,7 @@ int path_is_mount_point(const char *path, bool allow_symlink);
>>  int path_is_read_only_fs(const char *path);
>>  int path_is_os_tree(const char *path);
>
> And this too, of course...
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
> _______________________________________________
> systemd-devel mailing list
> systemd-devel at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel


More information about the systemd-devel mailing list