Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/snap-confine: use snap-discard-ns ns to discard stale namespaces #6147

Merged
merged 6 commits into from Nov 27, 2018
Merged

cmd/snap-confine: use snap-discard-ns ns to discard stale namespaces #6147

merged 6 commits into from Nov 27, 2018

Conversation

zyga
Copy link
Collaborator

@zyga zyga commented Nov 14, 2018

During startup snap-confine may decide to discard a preserved mount
namespace that became stale. This used to involve unmounting one file.
Then we realized we had a bug because the .fstab file was not unlinked.
With the introduction of per-user mount namespaces we need to do a little
bit more. Instead of duplicating this logic or providing library code
I believe the easiest way is to execute snap-discard-ns itself.

The same patch contains a small refactoring for opening internal tools.

Signed-off-by: Zygmunt Krynicki me@zygoon.pl

@zyga
Copy link
Collaborator Author

zyga commented Nov 14, 2018

NOTE: this depends on #6150 and #6145

This was referenced Nov 14, 2018
Merged
Merged
@zyga

This comment has been minimized.

Sign in to view
@zyga
cmd/snap-confine: use snap-discard-ns ns to discard stale namespaces.
90a4d79 
During startup snap-confine may decide to discard a preserved mount
namespace that became stale. This used to involve unmounting one file.
Then we realized we had a bug because the .fstab file was not unlinked.
With the introduction of per-user mount namespaces we need to do a little
bit more. Instead of duplicating this logic or providing library code
I believe the easiest way is to execute snap-discard-ns itself.

The same patch contains a small refactoring for opening internal tools.

Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
@zyga zyga changed the title cmd/snap-confine: use snap-discard-ns ns to discard stale namespaces. cmd/snap-confine: use snap-discard-ns ns to discard stale namespaces Nov 21, 2018
bboozzoo
bboozzoo reviewed Nov 22, 2018
View reviewed changes
cmd/snap-confine/ns-support.c
@@ -307,18 +307,59 @@ enum sc_discard_vote {
SC_DISCARD_YES = 2,
};

static void call_snap_discard_ns(int snap_discard_ns_fd, const char *snap_name)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any chance this could get unified into a single function with sc_setup_mount_profiles?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, not sure why? Can you explain please?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed on IRC. In the hope of saving time between iterations, we'll treat it as a proposal for refactoring to be revisited later.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To clarify what the discussion included, the part where snap-confine forks, execs and waits could be factored out to a new helper. The leftovers, argument and environment handling, would stay in the current functions.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did this refactoring but it turned out to be larger than I hoped. I will propose this separately next.

chipaca
chipaca reviewed Nov 26, 2018
View reviewed changes
Copy link
Contributor

@chipaca chipaca left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good. Couple of q's.

cmd/snap-confine/ns-support.c Outdated Show resolved Hide resolved
cmd/snap-confine/snap-confine.apparmor.in Outdated Show resolved Hide resolved
cmd/snap-confine/ns-support.c Outdated Show resolved Hide resolved
@zyga
cmd/snap-confine: pass O_EXCL when we expect to create files
fcdadc6 
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
@zyga
cmd/snap-confine: tweak error message
86b55d6 
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
@zyga
Merge branch 'master' of github.com:snapcore/snapd into feature/user-…
1924825 
…mount-ns-9
@zyga
cmd/snap-confine: tighten the apparmor profile
e2cc147 
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
chipaca
chipaca approved these changes Nov 27, 2018
View reviewed changes
cmd/snap-confine/ns-support.c Outdated Show resolved Hide resolved
@zyga
cmd/snap-confine: just open, don't check
1478a75 
Signed-off-by: Zygmunt Krynicki <me@zygoon.pl>
stolowski
stolowski approved these changes Nov 27, 2018
View reviewed changes
Copy link
Contributor

@stolowski stolowski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, +1

@mvo5 mvo5 merged commit a073671 into snapcore:master Nov 27, 2018
@zyga zyga deleted the feature/user-mount-ns-9 branch December 3, 2018 17:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bboozzoo bboozzoo bboozzoo left review comments

@stolowski stolowski stolowski approved these changes

@mvo5 mvo5 mvo5 approved these changes

@chipaca chipaca chipaca approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@zyga @bboozzoo @stolowski @mvo5 @chipaca