From 895498236e6dc649e9a5c85e4af2a10f2c515a65 Mon Sep 17 00:00:00 2001 From: Mildred Ki'Lya Date: Mon, 27 May 2019 14:33:10 +0200 Subject: [PATCH 1/4] Add --init option to enable or not the init system The --init option is available at container creation or recreation. When enabled, a PID namespace is created for the init system to work properly and toolbox shells will not be able to access the host PID namespace. --- doc/toolbox-create.1.md | 6 ++++++ doc/toolbox-init-container.1.md | 5 +++++ toolbox | 28 ++++++++++++++++++++++++---- 3 files changed, 35 insertions(+), 4 deletions(-) diff --git a/doc/toolbox-create.1.md b/doc/toolbox-create.1.md index ef53802a6..f85a819fc 100644 --- a/doc/toolbox-create.1.md +++ b/doc/toolbox-create.1.md @@ -5,6 +5,7 @@ toolbox\-create - Create a new toolbox container ## SYNOPSIS **toolbox create** [*--candidate-registry*] + [*--init*] [*--container NAME* | *-c NAME*] [*--image NAME* | *-i NAME*] [*--release RELEASE* | *-r RELEASE*] @@ -35,6 +36,11 @@ Pull the base image from `candidate-registry.fedoraproject.org`. This is useful for testing newly built images before they have moved to the stable registry at `registry.fedoraproject.org`. +**--init** + +Initialize container with system init running inside. It allows to run system +daemons inside but prevents accessing host daemons using systemd. + **--container** NAME, **-c** NAME Assign a different NAME to the toolbox container. This is useful for creating diff --git a/doc/toolbox-init-container.1.md b/doc/toolbox-init-container.1.md index ce3bc2fb8..d6d6bf6e2 100644 --- a/doc/toolbox-init-container.1.md +++ b/doc/toolbox-init-container.1.md @@ -11,6 +11,7 @@ toolbox\-init\-container - Initialize a running container *--shell SHELL* *--uid UID* *--user USER* + *--init* ## DESCRIPTION 
@@ -53,6 +54,10 @@ Create a user inside the toolbox container whose numerical user ID is UID. Create a user inside the toolbox container whose login name is LOGIN. +**--init** + +Run init inside container. + ## SEE ALSO `podman(1)`, `podman-create(1)`, `podman-start(1)` diff --git a/toolbox b/toolbox index f0dcceb65..613fa9ba9 100755 --- a/toolbox +++ b/toolbox @@ -72,6 +72,7 @@ toolbox_image="" toolbox_runtime_directory="$XDG_RUNTIME_DIR"/toolbox user_id_real=$(id -ru 2>&3) verbose=false +init=false LGC='\033[1;32m' # Light Green Color @@ -1059,6 +1060,14 @@ create() spinner_directory="" fi + if $init; then + pid_ns="" + init_option="--init" + else + pid_ns="--pid host" + init_option="" + fi + # shellcheck disable=SC2086 $podman_command create \ --dns none \ @@ -1071,7 +1080,7 @@ create() --name $toolbox_container \ --network host \ --no-hosts \ - --pid host \ + $pid_ns \ --privileged \ --security-opt label=disable \ $ulimit_host \ @@ -1095,6 +1104,7 @@ create() --volume /var:/run/host/var:rslave \ "$base_toolbox_image_full" \ toolbox --verbose init-container \ + $init_option \ --home "$HOME" \ $home_link \ $media_link \ @@ -1346,9 +1356,13 @@ EOF return 1 fi - echo "$base_toolbox_command: going to sleep" >&3 - - exec sleep +Inf + if $init; then + echo "$base_toolbox_command: starting /sbin/init" >&3 + exec /sbin/init + else + echo "$base_toolbox_command: going to sleep" >&3 + sleep +Inf + fi } @@ -2290,6 +2304,9 @@ if [ -f /run/.containerenv ] 2>&3; then exit_if_missing_argument --user "$1" init_container_user="$1" ;; + --init ) + init=true + ;; * ) exit_if_unrecognized_option "$1" esac @@ -2337,6 +2354,9 @@ case $op in --candidate-registry ) registry=$registry_candidate ;; + --init ) + init=true + ;; -c | --container ) shift exit_if_missing_argument --container "$1" From 3d0609e296c25389b54ebe3be1e45a761aae84ea Mon Sep 17 00:00:00 2001 
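Review bot: The init branch of the new `if $init` block in create() (the -1059 hunk) only drops `--pid host`; the same `$podman_command create` invocation still passes `--privileged`, `--security-opt label=disable`, `--network host` and the `/dev` and `/etc` host bind mounts visible in the neighbouring hunks, so the private PID namespace is a functional requirement for running /sbin/init as PID 1 rather than an isolation boundary, and the commit message's "will not be able to access the host PID namespace" should not be read as a hardening claim. A comment on the branch would keep that straight for later readers, e.g. `# own PID namespace only so /sbin/init can be PID 1; the container is still --privileged with host net and /dev`. The empty/non-empty `$pid_ns` and `$init_option` strings rely on unquoted word splitting under the existing `# shellcheck disable=SC2086`, which matches the file's `$ulimit_host` and `$home_link` convention, so that is a style remark only.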
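Review bot: The else branch in the -1346 hunk runs `sleep +Inf` without the `exec` that the removed line had, so the toolbox shell stays as the container's main process and sleep becomes its child; unless that is deliberate, restore `exec sleep +Inf` so signal delivery from `podman stop` and the `.State.Pid` lookup in run() keep targeting the same process as before. The init branch's `exec /sbin/init` assumes the image ships an init; if it is missing, `exec` fails after the preceding steps (presumably including the initialized stamp, which is outside this hunk) have already completed, so a guard such as `[ -x /sbin/init ] || { echo "$base_toolbox_command: /sbin/init not found" >&2; return 1; }` before the exec gives a clear error instead. The enclosing init_container() starts and ends outside this hunk.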
From: Mildred Ki'Lya
Date: Mon, 27 May 2019 16:53:15 +0200
Subject: [PATCH 2/4] Mount /run as tmpfs before sharing files from the host to the toolbox.

It ensures that /run is a tmpfs, and in case when systemd is running as init system, systemd will avoid re-mounting it, causing /run/host and other bind-mounts to be shadowed.
---
 toolbox | 1 +
 1 file changed, 1 insertion(+)

diff --git a/toolbox b/toolbox
index 613fa9ba9..4623f2213 100755
--- a/toolbox
+++ b/toolbox
@@ -1070,6 +1070,7 @@ create()
 
 # shellcheck disable=SC2086
 $podman_command create \
+ --tmpfs /run \
 --dns none \
 --env TOOLBOX_PATH="$TOOLBOX_PATH" \
 --group-add "$group_for_sudo" \

From 53159c1e186d600e223b088fac8a9efb1b1c5bd4 Mon Sep 17 00:00:00 2001
From: Mildred Ki'Lya
Date: Mon, 27 May 2019 18:47:28 +0200
Subject: [PATCH 3/4] Remove dBus access to the host system when running an init

When running an init, the dBus socket must point to the toolbox system and not the host.
---
 toolbox | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/toolbox b/toolbox
index 4623f2213..61ace2aa1 100755
--- a/toolbox
+++ b/toolbox
@@ -1063,9 +1063,11 @@ create()
 if $init; then
 pid_ns=""
 init_option="--init"
+ system_dbus_bind=""
 else
 pid_ns="--pid host"
 init_option=""
+ system_dbus_bind="--volume $dbus_system_bus_path:$dbus_system_bus_path"
 fi
 
 # shellcheck disable=SC2086
@@ -1094,7 +1096,7 @@ create()
 --volume "$TOOLBOX_PATH":/usr/bin/toolbox:ro \
 --volume "$XDG_RUNTIME_DIR":"$XDG_RUNTIME_DIR" \
 --volume "$XDG_RUNTIME_DIR"/.flatpak-helper/monitor:/run/host/monitor \
- --volume "$dbus_system_bus_path":"$dbus_system_bus_path" \
+ $system_dbus_bind \
 --volume "$home_canonical":"$home_canonical":rslave \
 --volume /etc:/run/host/etc \
 --volume /dev:/dev:rslave \

From f9f6c7d5f673595b24cfaf8b6eb53b135a2f5d16 Mon Sep 17 00:00:00 2001
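Review bot: `--tmpfs /run` in the -1070 hunk shadows whatever podman and the image place under /run, and this script's in-container detection at `if [ -f /run/.containerenv ]` (visible in the option-parsing hunks) depends on that file being there; podman normally orders mounts by destination rather than by argument position, so putting the flag first in the list does not by itself guarantee that `/run/.containerenv` and the `/run/host/*` bind mounts end up on top of the tmpfs, and that is worth confirming on a freshly created container with and without `--init`. A comment would record why the mount exists, e.g. `# /run must already be a tmpfs when /run/host and friends are bound on top of it; otherwise systemd (--init) re-mounts /run and shadows them`. create() starts and ends outside this hunk.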
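Review bot: `system_dbus_bind="--volume $dbus_system_bus_path:$dbus_system_bus_path"` in the -1063 hunk loses the quoting that the removed `--volume "$dbus_system_bus_path":"$dbus_system_bus_path"` line had: the value is later expanded unquoted under the existing `# shellcheck disable=SC2086`, so a path containing whitespace or glob characters would split into separate podman arguments. Carrying the option in an array keeps the quoting, e.g. `system_dbus_bind=(--volume "$dbus_system_bus_path:$dbus_system_bus_path")` in the else branch, `system_dbus_bind=()` in the init branch and `"${system_dbus_bind[@]}"` at the call site in the -1094 hunk. Note also that only the system bus is withheld in init mode; `--volume "$XDG_RUNTIME_DIR":"$XDG_RUNTIME_DIR"` is still mounted two lines above the replaced one, so the host's session bus socket, which typically lives under that directory, stays reachable from the container, and the commit message or a comment should say whether that is intended.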
From: Mildred Ki'Lya Date: Thu, 28 Nov 2019 12:05:56 +0100 Subject: [PATCH 4/4] Check container initialized using container name This is necessary when the pid namespace is unshared because the PID is not the same inside and out of the container. --- doc/toolbox-init-container.1.md | 5 +++++ toolbox | 35 ++++++++++++++------------------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/doc/toolbox-init-container.1.md b/doc/toolbox-init-container.1.md index d6d6bf6e2..c9b2e3bfc 100644 --- a/doc/toolbox-init-container.1.md +++ b/doc/toolbox-init-container.1.md @@ -11,6 +11,7 @@ toolbox\-init\-container - Initialize a running container *--shell SHELL* *--uid UID* *--user USER* + *--name TOOLBOX_NAME* *--init* ## DESCRIPTION @@ -54,6 +55,10 @@ Create a user inside the toolbox container whose numerical user ID is UID. Create a user inside the toolbox container whose login name is LOGIN. +**--name TOOLBOX_NAME** + +Set the toolbox name, required for initialization. + **--init** Run init inside container. diff --git a/toolbox b/toolbox index 61ace2aa1..519db9e3b 100755 --- a/toolbox +++ b/toolbox @@ -1108,6 +1108,7 @@ create() "$base_toolbox_image_full" \ toolbox --verbose init-container \ $init_option \ + --name $toolbox_container \ --home "$HOME" \ $home_link \ $media_link \ @@ -1159,6 +1160,8 @@ init_container() init_container_shell="$5" init_container_uid="$6" init_container_user="$7" + init_container_name="$8" + init_container_init="$9" if [ "$XDG_RUNTIME_DIR" = "" ] 2>&3; then echo "$base_toolbox_command: XDG_RUNTIME_DIR is unset" >&3 @@ -1169,7 +1172,7 @@ init_container() toolbox_runtime_directory="$XDG_RUNTIME_DIR"/toolbox fi - init_container_initialized_stamp="$toolbox_runtime_directory"/container-initialized-"$$" + init_container_initialized_stamp="$toolbox_runtime_directory"/container-initialized-"$init_container_name" echo "$base_toolbox_command: creating /run/.toolboxenv" >&3 
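Review bot: Keying the stamp on the container name in the -1169 hunk makes `container-initialized-$init_container_name` stable across restarts of the same container, and `$toolbox_runtime_directory` sits under the host's `$XDG_RUNTIME_DIR`, so a stamp left by an earlier start would satisfy the wait in run() (the -1506 hunk) before the new init-container run has finished, unless something outside these hunks removes it on stop. Deleting any stale file at the start of initialization avoids that: `rm -f -- "$init_container_initialized_stamp"` right after the assignment. The name also arrives straight from argv and becomes a path component; podman's container-name rules presumably exclude `/` and `..`, but since the -2307 hunk makes `--name` optional, a non-empty check such as `[ -n "$init_container_name" ] || { echo "$base_toolbox_command: --name is required" >&2; return 1; }` gives a clear error instead of a stamp called `container-initialized-` that run() never looks for. init_container() starts before this hunk.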
@@ -1359,7 +1362,7 @@ EOF
 return 1
 fi
 
- if $init; then
+ if $init_container_init; then
 echo "$base_toolbox_command: starting /sbin/init" >&3
 exec /sbin/init
 else
@@ -1506,22 +1509,7 @@ run()
 if [ "$entry_point" = "toolbox" ] 2>&3; then
 echo "$base_toolbox_command: waiting for container $toolbox_container to finish initializing" >&3
 
- if ! entry_point_pid=$($podman_command inspect --format "{{.State.Pid}}" --type container "$toolbox_container" 2>&3); then
- echo "$base_toolbox_command: failed to inspect entry point PID of container $toolbox_container" >&2
- exit 1
- fi
-
- if ! is_integer "$entry_point_pid"; then
- echo "$base_toolbox_command: failed to parse entry point PID of container $toolbox_container" >&2
- exit 1
- fi
-
- if [ "$entry_point_pid" -le 0 ] 2>&3; then
- echo "$base_toolbox_command: invalid entry point PID of container $toolbox_container" >&2
- exit 1
- fi
-
- container_initialized_stamp="$toolbox_runtime_directory/container-initialized-$entry_point_pid"
+ container_initialized_stamp="$toolbox_runtime_directory/container-initialized-$toolbox_container"
 container_initialized_timeout=25 #s
 
 i=0
@@ -2307,8 +2295,13 @@ if [ -f /run/.containerenv ] 2>&3; then
 exit_if_missing_argument --user "$1"
 init_container_user="$1"
 ;;
+ --name )
+ shift
+ exit_if_missing_argument --name "$1"
+ init_container_name="$1"
+ ;;
 --init )
- init=true
+ init_container_init=true
 ;;
 * )
 exit_if_unrecognized_option "$1"
@@ -2322,7 +2315,9 @@ if [ -f /run/.containerenv ] 2>&3; then
 "$init_container_monitor_host" \
 "$init_container_shell" \
 "$init_container_uid" \
- "$init_container_user"
+ "$init_container_user" \
+ "$init_container_name" \
+ "$init_container_init"
 exit "$?"
 ;;
 reset )
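Review bot: `if $init_container_init; then` in the -1359 hunk takes the true branch when the variable is empty, because an expansion that yields no words is a successful null command in bash, and none of these hunks assigns a default: the -2307 hunk sets it only when `--init` is passed and the -2322 hunk forwards `"$init_container_init"` either way, so a container created without `--init` would reach `exec /sbin/init` unless a default is set somewhere outside the diff (the `init=false` from patch 1 covers only the create-side `if $init`). Comparing the string fixes this and also avoids executing a variable's contents as a command: `if [ "$init_container_init" = true ]; then`. Adding `init_container_init=false` next to the other init_container_* defaults, wherever they live, would make the positional argument in the -2322 hunk always well-defined. init_container() starts before this hunk.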