fix systemd-notify when using a different PID namespace
The current support for systemd-notify has a race condition: the message sent to the systemd notify socket might be dropped if the sender process is no longer running by the time systemd checks who sent the datagram. A proper fix for this in systemd would require kernel changes to preserve the cgroup of the sender process after it is dead (but that is probably not going to happen...). Generally, the solution to this issue is to specify the PID in the message itself so that systemd does not have to guess the sender, but this does not work when running in a PID namespace, as the container will pass the PID known in its own namespace (something like PID=1,2,3..) and systemd running on the host is not able to map it to the runc service. The proposed solution is to have a proxy in runc that forwards the messages to the host systemd. Example of this issue: projectatomic/atomic-system-containers#24 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Showing
5 changed files
with
122 additions
and
16 deletions.
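--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,81 @@
+// +build linux
+
+package main
+
+import (
+"fmt"
+"net"
+"path/filepath"
+
+"github.com/Sirupsen/logrus"
+"github.com/opencontainers/runtime-spec/specs-go"
+"github.com/urfave/cli"
+)
+
+type notifySocket struct {
+socket *net.UnixConn
+host string
+socketPath string
+}
+
+func newNotifySocket(context *cli.Context, notifySocketHost string, id string) *notifySocket {
+if notifySocketHost == "" {
+return nil
+}
+
+root := filepath.Join(context.GlobalString("root"), id)
+path := filepath.Join(root, "notify.sock")
+
+notifySocket := ¬ifySocket{
+socket: nil,
+host: notifySocketHost,
+socketPath: path,
+}
+
+return notifySocket
+}
+
+func (ns *notifySocket) Close() error {
+return ns.socket.Close()
+}
+
+// If systemd is supporting sd_notify protocol, this function will add support
+// for sd_notify protocol from within the container.
+func (s *notifySocket) setupSpec(context *cli.Context, spec *specs.Spec) {
+mount := specs.Mount{Destination: s.host, Type: "bind", Source: s.socketPath, Options: []string{"bind"}}
+spec.Mounts = append(spec.Mounts, mount)
+spec.Process.Env = append(spec.Process.Env, fmt.Sprintf("NOTIFY_SOCKET=%s", s.host))
+}
+
+func (s *notifySocket) setupSocket() error {
+addr := net.UnixAddr{
+Name: s.socketPath,
+Net: "unixgram",
+}
+
+socket, err := net.ListenUnixgram("unixgram", &addr)
+if err != nil {
+return err
+}
+
+s.socket = socket
+return nil
+}
+
+func (notifySocket *notifySocket) run() {
+buf := make([]byte, 512)
+notifySocketHostAddr := net.UnixAddr{Name: notifySocket.host, Net: "unixgram"}
+client, err := net.DialUnix("unixgram", nil, ¬ifySocketHostAddr)
+if err != nil {
+logrus.Error(err)
+return
+}
+for {
+r, err := notifySocket.socket.Read(buf)
+if err != nil {
+break
+}
+
+client.Write(buf[0:r])
+}
+}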
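Review bot: run() relays each datagram from the container socket to the host NOTIFY_SOCKET without checking the result: the return values of `client.Write(buf[0:r])` are discarded, a read error ends the loop silently, and `client` is never closed. Because the host systemd now attributes every relayed message to runc rather than to the container, raw forwarding also means any sd_notify assignment the container writes reaches the host service unfiltered; the proxy is the natural place to decide which assignments are relayed and to log the rest, and the fixed 512-byte buffer will truncate a longer datagram (the remainder of a datagram read is dropped), so that limit deserves a comment. The rewrite below adds the error handling and a TODO marking the filtering decision. The two `¬ifySocket` tokens on the page look like `&notifySocket` after HTML-entity decoding rather than the committed text.
```go
func (notifySocket *notifySocket) run() {
	// NOTE: a datagram longer than this buffer is truncated on read.
	buf := make([]byte, 512)
	notifySocketHostAddr := net.UnixAddr{Name: notifySocket.host, Net: "unixgram"}
	client, err := net.DialUnix("unixgram", nil, &notifySocketHostAddr)
	if err != nil {
		logrus.Error(err)
		return
	}
	defer client.Close()
	for {
		r, err := notifySocket.socket.Read(buf)
		if err != nil {
			logrus.Debugf("notify socket: read: %v", err)
			return
		}
		// TODO(review): decide which sd_notify assignments the proxy should relay;
		// forwarding the raw payload lets the container set any field on the host service.
		if _, err := client.Write(buf[:r]); err != nil {
			logrus.Errorf("notify socket: forward: %v", err)
		}
	}
}
```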