Merge pull request #2493 from kinvolk/iaguis/cap_sys_admin

stage1: replace appexec with pure systemd
rkt · Apr 26, 2016 · 98da3e5 · 98da3e5
2 parents 8a6e511 + ef65bab
commit 98da3e5
Show file tree

Hide file tree

Showing 19 changed files with 309 additions and 108 deletions.
diff --git a/Documentation/devel/stage1-implementors-guide.md b/Documentation/devel/stage1-implementors-guide.md
@@ -77,8 +77,8 @@ Stage 1 must write the host PIDs of the pod's process #1 and that process's pare
 4. executes the resolved entrypoint relative to `/var/lib/rkt/pods/run/$uuid/stage1/rootfs`
 
 In the bundled rkt stage 1, the entrypoint is a statically-linked C program found at `/enter` within the stage 1 ACI rootfs.
-This program enters the namespaces of the systemd-nspawn container's PID 1 before executing the `/appexec` program.
-`appexec` then `chroot`s into the ACI's rootfs, loading the application and its environment.
+This program enters the namespaces of the systemd-nspawn container's PID 1 before executing the `/enterexec` program.
+`enterexec` then `chroot`s into the ACI's rootfs, loading the application and its environment.
 
 An alternative stage 1 would need to do whatever is appropriate for entering the application environment created by its own `coreos.com/rkt/stage1/run` entrypoint.
 

diff --git a/pkg/fileutil/fileutil.go b/pkg/fileutil/fileutil.go
@@ -225,3 +225,14 @@ func DirSize(path string) (int64, error) {
 
 	return 0, nil
 }
+
+// IsExecutable checks if the given path points to an executable file by
+// checking the executable bit. Inspired by os.exec.LookPath()
+func IsExecutable(path string) bool {
+	d, err := os.Stat(path)
+	if err == nil {
+		m := d.Mode()
+		return !m.IsDir() && m&0111 != 0
+	}
+	return false
+}
diff --git a/stage1/enter/enter.c b/stage1/enter/enter.c
@@ -131,15 +131,15 @@ int main(int argc, char *argv[])
 		"Unable to fork");
 
 /* some stuff make the argv->args copy less cryptic */
-#define APPEXEC_ARGV_FWD_OFFSET	8
+#define ENTEREXEC_ARGV_FWD_OFFSET	8
 
 	if(child == 0) {
 		char		root[PATH_MAX];
 		char		env[PATH_MAX];
-		char		*args[APPEXEC_ARGV_FWD_OFFSET + argc - optind + 1 /* NULL terminator */];
+		char		*args[ENTEREXEC_ARGV_FWD_OFFSET + argc - optind + 1 /* NULL terminator */];
 		int		argsind;
 
-		/* Child goes on to execute /appexec */
+		/* Child goes on to execute /enterexec */
 
 		exit_if(snprintf(root, sizeof(root),
 				 "/opt/stage2/%s/rootfs", appname) == sizeof(root),
@@ -149,15 +149,15 @@ int main(int argc, char *argv[])
 				 "/rkt/env/%s", appname) == sizeof(env),
 			"Env path overflow");
 
-		args[0] = "/appexec";
+		args[0] = "/enterexec";
 		args[1] = root;
 		args[2] = "/";	/* TODO(vc): plumb this into app.WorkingDirectory */
 		args[3] = env;
 		args[4] = "0"; /* uid */
 		args[5] = "0"; /* gid */
 		args[6] = "-e"; /* entering phase */
 		args[7] = "--";
-		argsind = APPEXEC_ARGV_FWD_OFFSET;
+		argsind = ENTEREXEC_ARGV_FWD_OFFSET;
 		while (optind < argc)
 			args[argsind++] = argv[optind++];
 

diff --git a/stage1/enter_kvm/enter_kvm.go b/stage1/enter_kvm/enter_kvm.go
@@ -181,11 +181,11 @@ func getPodDefaultIP(workDir string) (string, error) {
 	return "", fmt.Errorf("pod has no default network!")
 }
 
-func getAppexecArgs() []string {
+func getEnterexecArgs() []string {
 	// Documentation/devel/stage1-implementors-guide.md#arguments-1
 	// also from ../enter/enter.c
 	args := []string{
-		"/appexec",
+		"/enterexec",
 		fmt.Sprintf("/opt/stage2/%s/rootfs", appName),
 		"/", // as in ../enter/enter.c - this should be app.WorkingDirectory
 		fmt.Sprintf("/rkt/env/%s", appName),
@@ -230,7 +230,7 @@ func execSSH() error {
 		"-o", "LogLevel=quiet", // do not log minor informations
 		podDefaultIP,
 	}
-	args = append(args, getAppexecArgs()...)
+	args = append(args, getEnterexecArgs()...)
 
 	// this should not return in case of success
 	err = syscall.Exec(sshPath, args, os.Environ())

diff --git a/stage1/appexec/elf.h → stage1/enterexec/elf.h b/stage1/appexec/elf.h → stage1/enterexec/elf.h
diff --git a/stage1/appexec/appexec.c → stage1/enterexec/enterexec.c b/stage1/appexec/appexec.c → stage1/enterexec/enterexec.c
diff --git a/stage1/appexec/appexec.mk → stage1/enterexec/enterexec.mk b/stage1/appexec/appexec.mk → stage1/enterexec/enterexec.mk
diff --git a/stage1/init/common/path.go b/stage1/init/common/path.go
@@ -43,15 +43,28 @@ func ServiceUnitPath(root string, appName types.ACName) string {
 	return filepath.Join(common.Stage1RootfsPath(root), UnitsDir, ServiceUnitName(appName))
 }
 
-// RelEnvFilePath returns the path to the environment file for the given app name
-// relative to the pod's root.
-func RelEnvFilePath(appName types.ACName) string {
+// RelEnvFilePathEnterexec returns the path to the environment file for the given
+// app name relative to the pod's root to be parsed by enterexec.
+func RelEnvFilePathEnterexec(appName types.ACName) string {
 	return filepath.Join(envDir, appName.String())
 }
 
-// EnvFilePath returns the path to the environment file for the given app name.
-func EnvFilePath(root string, appName types.ACName) string {
-	return filepath.Join(common.Stage1RootfsPath(root), RelEnvFilePath(appName))
+// EnvFilePathEnterexec returns the path to the environment file for the given
+// app name to be parsed by enterexec.
+func EnvFilePathEnterexec(root string, appName types.ACName) string {
+	return filepath.Join(common.Stage1RootfsPath(root), RelEnvFilePathEnterexec(appName))
+}
+
+// RelEnvFilePathSystemd returns the path to the environment file for the given
+// app name relative to the pod's root to be parsed by systemd.
+func RelEnvFilePathSystemd(appName types.ACName) string {
+	return filepath.Join(envDir, appName.String()) + "-systemd"
+}
+
+// EnvFilePathSystemd returns the path to the environment file for the given
+// app name to be parsed by systemd.
+func EnvFilePathSystemd(root string, appName types.ACName) string {
+	return EnvFilePathEnterexec(root, appName) + "-systemd"
 }
 
 // ServiceWantPath returns the systemd default.target want symlink path for the