From fdd25311706bd32580ec4d43211cdf4665d2f9de Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 28 May 2014 18:37:11 +0800 Subject: virt: rework container detection logic Instead of accessing /proc/1/environ directly, trying to read the $container variable from it, let's make PID 1 save the contents of that variable to /run/systemd/container. This allows us to detect containers without the need for CAP_SYS_PTRACE, which allows us to drop it from a number of daemons and from the file capabilities of systemd-detect-virt. Also, don't consider chroot a container technology anymore. After all, we don't consider file system namespaces container technology anymore, and hence chroot() should be considered a container even less. --- src/core/main.c | 12 ++++++++++++ src/shared/virt.c | 48 ++++++++++++++++++++++++++++++------------------ 2 files changed, 42 insertions(+), 18 deletions(-) (limited to 'src') diff --git a/src/core/main.c b/src/core/main.c index 77cc2fbbdd..d5d1ee2b0c 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -1261,6 +1261,16 @@ static int status_welcome(void) { isempty(pretty_name) ? "Linux" : pretty_name); } +static int write_container_id(void) { + const char *c; + + c = getenv("container"); + if (isempty(c)) + return 0; + + return write_string_file("/run/systemd/container", c); +} + int main(int argc, char *argv[]) { Manager *m = NULL; int r, retval = EXIT_FAILURE; @@ -1544,6 +1554,8 @@ int main(int argc, char *argv[]) { if (virtualization) log_info("Detected virtualization '%s'.", virtualization); + write_container_id(); + log_info("Detected architecture '%s'.", architecture_to_string(uname_architecture())); if (in_initrd()) diff --git a/src/shared/virt.c b/src/shared/virt.c index 0db0514dd3..1e227c5fbd 100644 --- a/src/shared/virt.c +++ b/src/shared/virt.c @@ -217,8 +217,8 @@ int detect_container(const char **id) { static thread_local int cached_found = -1; static thread_local const char *cached_id = NULL; - _cleanup_free_ char *e = NULL; - const char *_id = NULL; + _cleanup_free_ char *m = NULL; + const char *_id = NULL, *e = NULL; int r; if (_likely_(cached_found >= 0)) { @@ -229,17 +229,6 @@ int detect_container(const char **id) { return cached_found; } - /* Unfortunately many of these operations require root access - * in one way or another */ - - r = running_in_chroot(); - if (r < 0) - return r; - if (r > 0) { - _id = "chroot"; - goto finish; - } - /* /proc/vz exists in container and outside of the container, * /proc/bc only outside of the container. */ if (access("/proc/vz", F_OK) >= 0 && @@ -249,11 +238,32 @@ int detect_container(const char **id) { goto finish; } - r = getenv_for_pid(1, "container", &e); - if (r < 0) - return r; - if (r == 0) - goto finish; + if (getpid() == 1) { + /* If we are PID 1 we can just check our own + * environment variable */ + + e = getenv("container"); + if (isempty(e)) { + r = 0; + goto finish; + } + } else { + + /* Otherwise, PID 1 dropped this information into a + * file in /run. This is better than accessing + * /proc/1/environ, since we don't need CAP_SYS_PTRACE + * for that. */ + + r = read_one_line_file("/run/systemd/container", &m); + if (r == -ENOENT) { + r = 0; + goto finish; + } + if (r < 0) + return r; + + e = m; + } /* We only recognize a selected few here, since we want to * enforce a redacted namespace */ @@ -266,6 +276,8 @@ int detect_container(const char **id) { else _id = "other"; + r = 1; + finish: cached_found = r; -- cgit v1.2.3-54-g00ecf