Diffstat (limited to 'external/meta-virtualization/recipes-containers/oci-systemd-hook')
-rw-r--r--external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch76
-rw-r--r--external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-configure-drop-selinux-support.patch25
-rw-r--r--external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch45
-rw-r--r--external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb36
4 files changed, 182 insertions, 0 deletions
diff --git a/external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch b/external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch
new file mode 100644
index 00000000..753a77d1
--- /dev/null
+++ b/external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch
@@ -0,0 +1,76 @@
+From f59cddcedd6535e0b809ec9b4e95672d34b41a16 Mon Sep 17 00:00:00 2001
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Tue, 14 Nov 2017 07:41:41 -0800
+Subject: [PATCH] Add additional cgroup mounts from root NS automatically
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+---
+ src/systemdhook.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/src/systemdhook.c b/src/systemdhook.c
+index 78575ef..f735484 100644
+--- a/src/systemdhook.c
++++ b/src/systemdhook.c
+@@ -238,6 +238,11 @@ static char *get_process_cgroup_subsystem_path(int pid, const char *subsystem) {
+ static int mount_cgroup(const char *rootfs, const char *options, char *systemd_path)
+ {
+ _cleanup_free_ char *cgroup_path = NULL;
++ char *spath, *dpath;
++ DIR *dir;
++ struct dirent *d;
++ char link[80];
++ int got;
+
+ if (asprintf(&cgroup_path, "%s/%s", rootfs, CGROUP_ROOT) < 0) {
+ pr_perror("Failed to create path for %s", CGROUP_ROOT);
+@@ -256,6 +261,46 @@ static int mount_cgroup(const char *rootfs, const char *options, char *systemd_p
+ pr_perror("Failed to mkdir new dest: %s", systemd_path);
+ return -1;
+ }
++ /* Create all additional cgroup mounts which are in the root namespace */
++ dir = opendir(CGROUP_ROOT);
++ if (!dir) {
++ pr_perror("Failed to open %s", CGROUP_ROOT);
++ return -1;
++ }
++ /* Skip "." and ".." */
++ readdir(dir);
++ readdir(dir);
++ while ((d = readdir(dir))) {
++ /* Systemd is already handled above */
++ if (strcmp(d->d_name, "systemd") == 0) {
++ continue;
++ }
++ if (asprintf(&spath, "%s/%s", CGROUP_ROOT, d->d_name) < 0) {
++ pr_perror("Failed to create path for %s", d->d_name);
++ return -1;
++ }
++ if (asprintf(&dpath, "%s%s/%s", rootfs, CGROUP_ROOT, d->d_name) < 0) {
++ pr_perror("Failed to create path for %s", d->d_name);
++ return -1;
++ }
++ got = readlink(spath, link, sizeof(link) - 1);
++ if (got > 0) {
++ link[got] = '\0';
++ symlink(link, dpath);
++ } else {
++ if ((makepath(dpath, 0755) == -1) && (errno != EEXIST)) {
++ pr_perror("Failed to mkdir new dest: %s", dpath);
++ return -1;
++ }
++ if (bind_mount(spath, dpath, false)) {
++ pr_perror("Failed to bind mount %s on %s", spath, dpath);
++ return -1;
++ }
++ }
++ free(spath);
++ free(dpath);
++ }
++ closedir(dir);
+ if (mount(cgroup_path, cgroup_path, "bind", MS_REMOUNT|MS_BIND|MS_RDONLY, "") == -1) {
+ pr_perror("Failed to remount %s readonly", cgroup_path);
+ return -1;
+--
+2.11.0
+
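Review bot: The new loop in mount_cgroup() bind-mounts every entry of the host's CGROUP_ROOT into the container with `bind_mount(spath, dpath, false)`, and the later `MS_REMOUNT|MS_BIND|MS_RDONLY` on cgroup_path only affects that one mount point, not mounts stacked below it. If the third argument is the read-only flag (the signature is outside the hunk), the host controller hierarchies stay writable from inside the container, which weakens isolation; pass `true` or remount each dpath read-only. The two bare `readdir(dir)` calls assume "." and ".." are returned first, which readdir() does not guarantee, every `return -1` inside the loop leaks `dir`, `spath` and `dpath`, and the result of `symlink()` is ignored; the sketch below filters by name and scopes the strings to the loop, replacing the function-top `char *spath, *dpath;`. `link[80]` also truncates longer link targets silently, so a result of `sizeof(link) - 1` should be treated as an error or the buffer sized with PATH_MAX. mount_cgroup() starts and ends outside the hunk.

```c
	/* … unchanged: opendir(CGROUP_ROOT) and its error check … */
	while ((d = readdir(dir))) {
		/* loop-scoped, so both strings are released on continue and on every return */
		_cleanup_free_ char *spath = NULL;
		_cleanup_free_ char *dpath = NULL;

		/* readdir() order is unspecified, so filter by name, not by position */
		if (strcmp(d->d_name, ".") == 0 || strcmp(d->d_name, "..") == 0 ||
		    strcmp(d->d_name, "systemd") == 0) {
			continue;
		}
		/* … the two asprintf() calls as in the hunk, with closedir(dir) before each return -1 … */
		got = readlink(spath, link, sizeof(link) - 1);
		if (got > 0) {
			link[got] = '\0';
			if (symlink(link, dpath) == -1 && errno != EEXIST) {
				pr_perror("Failed to symlink %s", dpath);
				closedir(dir);
				return -1;
			}
		} else {
			/* … makepath() as in the hunk, with closedir(dir) before return -1 … */
			/* read-only, assuming bind_mount()'s last argument is the readonly flag */
			if (bind_mount(spath, dpath, true)) {
				pr_perror("Failed to bind mount %s on %s", spath, dpath);
				closedir(dir);
				return -1;
			}
		}
	}
	closedir(dir);
```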
diff --git a/external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-configure-drop-selinux-support.patch b/external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-configure-drop-selinux-support.patch
new file mode 100644
index 00000000..510126e4
--- /dev/null
+++ b/external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-configure-drop-selinux-support.patch
@@ -0,0 +1,25 @@
+From 12c263703a0b0ae92566de7e5440fce7b59cd9be Mon Sep 17 00:00:00 2001
+From: Bruce Ashfield <bruce.ashfield@windriver.com>
+Date: Tue, 8 Nov 2016 13:16:19 -0500
+Subject: [PATCH] configure: drop selinux support
+
+Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
+---
+ configure.ac | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index c1275acb253d..eaba7fbb57e2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -8,7 +8,6 @@ AC_USE_SYSTEM_EXTENSIONS
+ AC_SYS_LARGEFILE
+
+ PKG_CHECK_MODULES([YAJL], [yajl >= 2.0.0])
+-PKG_CHECK_MODULES([SELINUX], [libselinux >= 2.0.0])
+ PKG_CHECK_MODULES([LIBMOUNT], [mount >= 2.23.0])
+
+ AC_MSG_CHECKING([whether to disable argument checking])
+--
+2.4.0.53.g8440f74
+
diff --git a/external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch b/external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch
new file mode 100644
index 00000000..5016f6e7
--- /dev/null
+++ b/external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch
@@ -0,0 +1,45 @@
+From 9b66394c712ec0d0fcb2052baa7f590621a53461 Mon Sep 17 00:00:00 2001
+From: Bruce Ashfield <bruce.ashfield@windriver.com>
+Date: Tue, 8 Nov 2016 13:15:46 -0500
+Subject: [PATCH] selinux: drop selinux support
+
+Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
+---
+ src/systemdhook.c | 12 ------------
+ 1 file changed, 12 deletions(-)
+
+--- a/src/systemdhook.c
++++ b/src/systemdhook.c
+@@ -16,7 +16,6 @@
+ #include <errno.h>
+ #include <inttypes.h>
+ #include <linux/limits.h>
+-#include <selinux/selinux.h>
+ #include <yajl/yajl_tree.h>
+ #include <stdbool.h>
+
+@@ -129,9 +128,6 @@ static int chperm(const char *path, cons
+ closedir(dir);
+ return -1;
+ }
+- if (setfilecon (full_path, label) < 0) {
+- pr_perror("Failed to set context %s on %s", label, full_path);
+- }
+
+ if (doChown) {
+ /* Change uid and gid to something the container can handle */
+@@ -496,14 +492,6 @@ static int prestart(const char *rootfs,
+ return -1;
+ }
+ }
+-
+- if (strcmp("", mount_label)) {
+- rc = setfilecon(journal_dir, (security_context_t)mount_label);
+- if (rc < 0) {
+- pr_perror("Failed to set journal dir selinux context");
+- return -1;
+- }
+- }
+
+ /* Attempt to creare /var/log/journal inside of rootfs,
+ if successful, or directory exists, mount tmpfs on top of
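Review bot: Deleting both `setfilecon()` calls outright means the files walked by chperm() and the journal directory set up in prestart() are no longer relabelled with the container's label on an SELinux-enabled host, and `label` / `mount_label` appear to be left unused; nothing in the patch says this is meant only for builds without SELinux. Guarding the calls and the `<selinux/selinux.h>` include with a configure-time conditional (a define of the project's choosing, set when libselinux is found) would let a build opt back in instead of losing labeling everywhere; the companion configure.ac patch removes the `PKG_CHECK_MODULES([SELINUX], …)` check in the same unconditional way. The patch header also carries no rationale and no `Upstream-Status:` line, which OE patch conventions expect, for example `Upstream-Status: Inappropriate [embedded specific]`. chperm() and prestart() both continue outside the hunks shown.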
diff --git a/external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb b/external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb
new file mode 100644
index 00000000..e07b7410
--- /dev/null
+++ b/external/meta-virtualization/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb
@@ -0,0 +1,36 @@
+DESCRIPTION = "OCI systemd hook enables users to run systemd in docker and OCI"
+SECTION = "console/utils"
+LICENSE = "GPLv3"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d32239bcb673463ab874e80d47fae504"
+PRIORITY = "optional"
+
+DEPENDS = "yajl util-linux"
+
+SRCREV = "1ac958a4197a9ea52174812fc7d7d036af8140d3"
+SRC_URI = "git://github.com/projectatomic/oci-systemd-hook \
+ file://0001-selinux-drop-selinux-support.patch \
+ file://0001-configure-drop-selinux-support.patch \
+ file://0001-Add-additional-cgroup-mounts-from-root-NS-automatica.patch \
+"
+
+PV = "0.0.1+git${SRCPV}"
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[selinux] = ",,libselinux"
+
+EXTRA_OECONF += "--libexecdir=${libexecdir}/oci/hooks.d"
+
+# nothing to compile, we do it all in the install task
+do_compile[noexec] = "1"
+
+do_install() {
+ # Avoid building docs, and other artifacts by surgically calling the
+ # semi-internal target of "install-exec-am"
+ oe_runmake 'DESTDIR=${D}' install-exec-am
+}
+
+FILES_${PN} += "${libexecdir}/oci/hooks.d/"
+
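Review bot: `PACKAGECONFIG[selinux] = ",,libselinux"` has no effect on the built hook, because the two drop-selinux patches in SRC_URI are applied unconditionally and remove both the configure check and the `setfilecon()` calls; enabling the option only adds a libselinux build dependency while suggesting that labeling is supported. Either drop the line or make the patches conditional on it. The fetch line also uses the unauthenticated `git://` transport: SRCREV pins the commit, but adding `;protocol=https` to the URL (`git://github.com/projectatomic/oci-systemd-hook;protocol=https`) avoids relying on a cleartext fetch. A short comment above the patch list explaining why SELinux support is removed would help whoever next bumps SRCREV.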