| Age | Commit message (Collapse) | Author |
|---|
|
then read message
There's no EOF generated for AF_UNIX/SOCK_DGRAM sockets, hence let's
wait for the child first to see if it succeeded, only then read the socket.
|
|
|
|
the container's namespace
setns(CLONE_NEWPID) only applies to child processes, hence let's fork
once after joining the container's namespace.
|
|
bus also switch over PID namespace
This is necessary to ensure that kdbus can collect creds of the
destination namespace when connecting.
|
|
Previously we'd open the connection in the originating namespace, which
meant most peers of the bus would not be able to make sense of the
PID/UID/... identity of us since we didn't exist in the namespace they
run in. However they require this identity for privilege decisions,
hence disallowing access to anything from the host.
Instead, when connecting to a container, create a temporary subprocess,
make it join the container's namespace and then connect from there to
the kdbus instance. This is similar to how we do it for socket
conections already.
THis also unifies the namespacing code used by machinectl and the bus
APIs.
|
|
This adds the new library call sd_journal_open_container() and a new
"-M" switch to journalctl. Particular care is taken that journalctl's
"-b" switch resolves to the current boot ID of the container, not the
host.
|
|
|
|
Also, unify the transport logic a bit, since we reuse the same scheme in
many of our client tools.
|
|
Also, add support for this to machinectl, so that we can enumerate the
machines that run inside a container. We must go deeper!
|
