osctld: configure resource limits on container processes

Resource limits configured using `osctl ct prlimits` have to be
configured on processes switched to unprivileged users, otherwise LXC
cannot configure those limits if they exceed the default values.

Resource limits have to be configured also for `osctl ct attach` and
`osctl ct su` processes.

.build_id

@@ -1 +1 @@
-18.09.0.build20181116172621
+18.09.0.build20181116172721

os/packages/osctl/Gemfile

@@ -1,2 +1,2 @@
 source 'https://rubygems.vpsfree.cz'
-gem 'osctl', '18.09.0.build20181116172621'
+gem 'osctl', '18.09.0.build20181116172721'

os/packages/osctl/Gemfile.lock

@@ -6,15 +6,15 @@ GEM
     highline (1.7.10)
     ipaddress (0.8.3)
     json (2.1.0)
-    libosctl (18.09.0.build20181116172621)
+    libosctl (18.09.0.build20181116172721)
       require_all (~> 2.0.0)
-    osctl (18.09.0.build20181116172621)
+    osctl (18.09.0.build20181116172721)
       curses
       gli (~> 2.17.1)
       highline (~> 1.7.10)
       ipaddress (~> 0.8.3)
       json
-      libosctl (= 18.09.0.build20181116172621)
+      libosctl (= 18.09.0.build20181116172721)
       rainbow (~> 3.0.0)
       require_all (~> 2.0.0)
       ruby-progressbar (~> 1.9.0)
@@ -26,7 +26,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  osctl (= 18.09.0.build20181116172621)
+  osctl (= 18.09.0.build20181116172721)
 
 BUNDLED WITH
    1.16.3

os/packages/osctl/gemset.nix

@@ -43,19 +43,19 @@
     dependencies = ["require_all"];
     source = {
       remotes = ["https://rubygems.vpsfree.cz"];
-      sha256 = "0kk7v1zafjrji9dj6frvph9qgdrqly8y8yw70xkhamdh0dcjv152";
+      sha256 = "0bkj9ylx59sx8rfqks7wfj9xgilw0bwrkyprhdwhmmg3xs2dc3bx";
       type = "gem";
     };
-    version = "18.09.0.build20181116172621";
+    version = "18.09.0.build20181116172721";
   };
   osctl = {
     dependencies = ["curses" "gli" "highline" "ipaddress" "json" "libosctl" "rainbow" "require_all" "ruby-progressbar"];
     source = {
       remotes = ["https://rubygems.vpsfree.cz"];
-      sha256 = "0384n277r380bkpvvgbkzk6dzg9fvp8syzb5v7fqhlpb8y6cyqdi";
+      sha256 = "0idz0vh81mhv48w5lzsqv95v4q9fgslqapn7m0vp307w6882xha6";
       type = "gem";
     };
-    version = "18.09.0.build20181116172621";
+    version = "18.09.0.build20181116172721";
   };
   rainbow = {
     source = {

os/packages/osctld/Gemfile

@@ -1,2 +1,2 @@
 source 'https://rubygems.vpsfree.cz'
-gem 'osctld', '18.09.0.build20181116172621'
+gem 'osctld', '18.09.0.build20181116172721'

os/packages/osctld/Gemfile.lock

@@ -6,29 +6,29 @@ GEM
     gli (2.17.2)
     ipaddress (0.8.3)
     json (2.1.0)
-    libosctl (18.09.0.build20181116172621)
+    libosctl (18.09.0.build20181116172721)
       require_all (~> 2.0.0)
     netlinkrb (0.18.vpsadminos.0)
-    osctl-repo (18.09.0.build20181116172621)
+    osctl-repo (18.09.0.build20181116172721)
       filelock
       gli (~> 2.17.1)
       json
-      libosctl (= 18.09.0.build20181116172621)
+      libosctl (= 18.09.0.build20181116172721)
       require_all (~> 2.0.0)
-    osctld (18.09.0.build20181116172621)
+    osctld (18.09.0.build20181116172721)
       concurrent-ruby (~> 1.0.5)
       ipaddress (~> 0.8.3)
       json
-      libosctl (= 18.09.0.build20181116172621)
+      libosctl (= 18.09.0.build20181116172721)
       netlinkrb (= 0.18.vpsadminos.0)
-      osctl-repo (= 18.09.0.build20181116172621)
-      osup (= 18.09.0.build20181116172621)
+      osctl-repo (= 18.09.0.build20181116172721)
+      osup (= 18.09.0.build20181116172721)
       require_all (~> 2.0.0)
       ruby-lxc (= 1.2.3)
-    osup (18.09.0.build20181116172621)
+    osup (18.09.0.build20181116172721)
       gli (~> 2.17.1)
       json
-      libosctl (= 18.09.0.build20181116172621)
+      libosctl (= 18.09.0.build20181116172721)
       require_all (~> 2.0.0)
     require_all (2.0.0)
     ruby-lxc (1.2.3)
@@ -37,7 +37,7 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  osctld (= 18.09.0.build20181116172621)
+  osctld (= 18.09.0.build20181116172721)
 
 BUNDLED WITH
    1.16.3

os/packages/osctld/gemset.nix

@@ -43,10 +43,10 @@
     dependencies = ["require_all"];
     source = {
       remotes = ["https://rubygems.vpsfree.cz"];
-      sha256 = "0kk7v1zafjrji9dj6frvph9qgdrqly8y8yw70xkhamdh0dcjv152";
+      sha256 = "0bkj9ylx59sx8rfqks7wfj9xgilw0bwrkyprhdwhmmg3xs2dc3bx";
       type = "gem";
     };
-    version = "18.09.0.build20181116172621";
+    version = "18.09.0.build20181116172721";
   };
   netlinkrb = {
     source = {
@@ -60,28 +60,28 @@
     dependencies = ["filelock" "gli" "json" "libosctl" "require_all"];
     source = {
       remotes = ["https://rubygems.vpsfree.cz"];
-      sha256 = "0mghxd0j6iy5b777hmbq3h0g26j10yvvg2whw3b2hn322bh6l6j1";
+      sha256 = "1waz7d7cl6xmvkqihm1gf1vkkgvw0yrr45lvrkva59rsyjkh3wsy";
       type = "gem";
     };
-    version = "18.09.0.build20181116172621";
+    version = "18.09.0.build20181116172721";
   };
   osctld = {
     dependencies = ["concurrent-ruby" "ipaddress" "json" "libosctl" "netlinkrb" "osctl-repo" "osup" "require_all" "ruby-lxc"];
     source = {
       remotes = ["https://rubygems.vpsfree.cz"];
-      sha256 = "02yb1837v7kbxinl51jlxsrjgb5q8lhjig94fpmcwscsdh3rd02b";
+      sha256 = "06f4a4w8mjnpbmq4yzbh9ccmhcacci9mr29dsnbzj2jjgfm3pnlm";
       type = "gem";
     };
-    version = "18.09.0.build20181116172621";
+    version = "18.09.0.build20181116172721";
   };
   osup = {
     dependencies = ["gli" "json" "libosctl" "require_all"];
     source = {
       remotes = ["https://rubygems.vpsfree.cz"];
-      sha256 = "0vj90ig2rvrwqhmrc8bkzz7nac429zqnp2fj70dq9s2h6j6mjdyv";
+      sha256 = "0v2ls6d3jdd6falz6gpk9s1mzilmymb8c2kq01bn2ra25kig12fg";
       type = "gem";
     };
-    version = "18.09.0.build20181116172621";
+    version = "18.09.0.build20181116172721";
   };
   require_all = {
     source = {

os/packages/osup/Gemfile

@@ -1,2 +1,2 @@
 source 'https://rubygems.vpsfree.cz'
-gem 'osup', '18.09.0.build20181116172621'
+gem 'osup', '18.09.0.build20181116172721'

os/packages/osup/Gemfile.lock

@@ -3,20 +3,20 @@ GEM
   specs:
     gli (2.17.2)
     json (2.1.0)
-    libosctl (18.09.0.build20181116172621)
+    libosctl (18.09.0.build20181116172721)
       require_all (~> 2.0.0)
-    osup (18.09.0.build20181116172621)
+    osup (18.09.0.build20181116172721)
       gli (~> 2.17.1)
       json
-      libosctl (= 18.09.0.build20181116172621)
+      libosctl (= 18.09.0.build20181116172721)
       require_all (~> 2.0.0)
     require_all (2.0.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  osup (= 18.09.0.build20181116172621)
+  osup (= 18.09.0.build20181116172721)
 
 BUNDLED WITH
    1.16.3

os/packages/osup/gemset.nix

@@ -19,19 +19,19 @@
     dependencies = ["require_all"];
     source = {
       remotes = ["https://rubygems.vpsfree.cz"];
-      sha256 = "0kk7v1zafjrji9dj6frvph9qgdrqly8y8yw70xkhamdh0dcjv152";
+      sha256 = "0bkj9ylx59sx8rfqks7wfj9xgilw0bwrkyprhdwhmmg3xs2dc3bx";
       type = "gem";
     };
-    version = "18.09.0.build20181116172621";
+    version = "18.09.0.build20181116172721";
   };
   osup = {
     dependencies = ["gli" "json" "libosctl" "require_all"];
     source = {
       remotes = ["https://rubygems.vpsfree.cz"];
-      sha256 = "0vj90ig2rvrwqhmrc8bkzz7nac429zqnp2fj70dq9s2h6j6mjdyv";
+      sha256 = "0v2ls6d3jdd6falz6gpk9s1mzilmymb8c2kq01bn2ra25kig12fg";
       type = "gem";
     };
-    version = "18.09.0.build20181116172621";
+    version = "18.09.0.build20181116172721";
   };
   require_all = {
     source = {

os/packages/svctl/Gemfile

@@ -1,2 +1,2 @@
 source 'https://rubygems.vpsfree.cz'
-gem 'svctl', '18.09.0.build20181116172621'
+gem 'svctl', '18.09.0.build20181116172721'

os/packages/svctl/Gemfile.lock

@@ -2,18 +2,18 @@ GEM
   remote: https://rubygems.vpsfree.cz/
   specs:
     gli (2.17.2)
-    libosctl (18.09.0.build20181116172621)
+    libosctl (18.09.0.build20181116172721)
       require_all (~> 2.0.0)
     require_all (2.0.0)
-    svctl (18.09.0.build20181116172621)
+    svctl (18.09.0.build20181116172721)
       gli (~> 2.17.1)
-      libosctl (= 18.09.0.build20181116172621)
+      libosctl (= 18.09.0.build20181116172721)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  svctl (= 18.09.0.build20181116172621)
+  svctl (= 18.09.0.build20181116172721)
 
 BUNDLED WITH
    1.16.3

os/packages/svctl/gemset.nix

@@ -11,10 +11,10 @@
     dependencies = ["require_all"];
     source = {
       remotes = ["https://rubygems.vpsfree.cz"];
-      sha256 = "0kk7v1zafjrji9dj6frvph9qgdrqly8y8yw70xkhamdh0dcjv152";
+      sha256 = "0bkj9ylx59sx8rfqks7wfj9xgilw0bwrkyprhdwhmmg3xs2dc3bx";
       type = "gem";
     };
-    version = "18.09.0.build20181116172621";
+    version = "18.09.0.build20181116172721";
   };
   require_all = {
     source = {
@@ -28,9 +28,9 @@
     dependencies = ["gli" "libosctl"];
     source = {
       remotes = ["https://rubygems.vpsfree.cz"];
-      sha256 = "1kmha18nciayy0gn1j4g884rxypws7kz62fbc06ynclx61v987md";
+      sha256 = "1z5qllv8jvlc739hlcgi9qvkdsr84y6v4v0la3hlc37izsb0rf7y";
       type = "gem";
     };
-    version = "18.09.0.build20181116172621";
+    version = "18.09.0.build20181116172721";
   };
 }

osctl/lib/osctl/cli/container.rb

@@ -387,22 +387,14 @@ def console
     def attach
       require_args!('id')
 
-      shell = osctld_call(
+      cmd = osctld_call(
         :ct_attach,
         id: args[0],
         pool: gopts[:pool],
-        user_shell: opts['user-shell']
+        user_shell: opts['user-shell'],
       )
 
-      pid = Process.fork do
-        shell[:env].each do |k, v|
-          ENV[k.to_s] = v
-        end
-
-        Process.exec(*shell[:cmd])
-      end
-
-      Process.wait(pid)
+      handle_ct_attach(cmd)
     end
 
     def exec
@@ -451,15 +443,7 @@ def su
       require_args!('id')
 
       cmd = osctld_call(:ct_su, id: args[0], pool: gopts[:pool])
-      pid = Process.fork do
-        cmd[:env].each do |k, v|
-          ENV[k.to_s] = v
-        end
-
-        Process.exec(*cmd[:cmd])
-      end
-
-      Process.wait(pid)
+      handle_ct_attach(cmd)
     end
 
     def set_autostart
@@ -1278,5 +1262,28 @@ def handle_exec_response(c)
         raise GLI::CustomExit.new('executed command failed', resp[:exitstatus])
       end
     end
+
+    def handle_ct_attach(cmd)
+      f = Tempfile.create(['osctl-ct-attach-settings', '.json'], '/tmp')
+      f.puts(cmd[:settings].to_json)
+      f.close
+
+      pid = Process.fork do
+        cmd[:env].each do |k, v|
+          ENV[k.to_s] = v
+        end
+
+        Process.exec(cmd[:cmd], f.path, '--', *cmd[:args])
+      end
+
+      Process.wait(pid)
+
+    ensure
+      begin
+        f && File.unlink(f.path)
+      rescue Errno::ENOENT
+        # pass
+      end
+    end
   end
 end

osctld/lib/osctld/cli/exec.rb

@@ -1,10 +1,24 @@
+require 'libosctl'
+
 module OsCtld
   class Cli::Exec
     def self.run
-      sysuser, ugid, homedir, cgroup, *args = ARGV
+      if ARGV.size < 3 || ARGV[1] != '--'
+        warn "Usage: <settings file> -- <command> [arguments...]"
+        exit(false)
+      end
+
+      OsCtl::Lib::Logger.setup(:none)
+      cfg = JSON.parse(File.read(ARGV[0]), symbolize_names: true)
 
-      SwitchUser.switch_to(sysuser, ugid.to_i, homedir, cgroup)
-      Process.exec(*args)
+      SwitchUser.apply_prlimits(Process.pid, cfg[:prlimits])
+      SwitchUser.switch_to(
+        cfg[:user],
+        cfg[:ugid],
+        cfg[:homedir],
+        cfg[:cgroup_path]
+      )
+      Process.exec(*ARGV[2..-1])
     end
   end
 end

osctld/lib/osctld/commands/container/start.rb

@@ -120,13 +120,13 @@ def start_now(ct)
       ]
 
       progress('Starting container')
-      pid = Process.fork do
-        SwitchUser.switch_to(
-          ct.user.sysusername,
-          ct.user.ugid,
-          ct.user.homedir,
-          ct.cgroup_path
-        )
+      pid = SwitchUser.fork_and_switch_to(
+        ct.user.sysusername,
+        ct.user.ugid,
+        ct.user.homedir,
+        ct.cgroup_path,
+        prlimits: ct.prlimits.export,
+      ) do
         Process.spawn(*cmd, pgroup: true, in: :close, out: :close, err: :close)
       end
 
@@ -138,7 +138,11 @@ def start_now(ct)
         log(:warn, ct, "Unable to connect to tty0")
       end
 
-      Process.wait(pid)
+      begin
+        Process.wait(pid)
+      rescue Errno::ECHILD
+        log(:warn, 'sad panda')
+      end
 
       :wait
     end