Commit Graph

364 Commits

Author SHA1 Message Date
Daniel Golle
25cb37bc00
procd: update to git HEAD
df251c2 uxc: move mountpoint of persistent config to /var/run/uxc
 e5b38fd trace: free memory allocated by blobmsg_format_json_indent()

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-30 20:36:11 +01:00
Daniel Golle
76f46f4105
procd: update to git HEAD
8a8306d uxc.c: fix coverity resource leak warning
 7f2398e jail: devices: create parent folder when creating devices
 0603c8d jail: return to hook callback instead of just calling it
 3edb7eb jail: check return value when opening console
 af048a3 jail: use portable sizeof(void *)
 6010bd3 utils: make sure read() string is 0 terminated
 f6daca3 uxc: free string returned by blobmsg_format_json_indent()
 51f1cd2 trace: free string returned by blobmsg_format_json_indent()
 d716cb5 trace: handle open() return value and make sure string is terminated
 b824a89 jail: preload: avoid NULL-dereference in case things go wrong
 167dc24 jail: protect against strcat buffer overflows

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-24 18:49:46 +01:00
Daniel Golle
5c13177c55
procd: add missing dependency and fix empty mount triggers
procd.sh:
 Instead of triggering on every mount.add event, there should be no
 mount trigger at all in case none of the directories passed to
 procd_add_*_mount_trigger() are located on a mountpoint configured in
 /etc/config/fstab.

uxc:
 add missing dependency on rpcd.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-15 18:08:37 +01:00
Daniel Golle
09fccdb99e
procd: update to git HEAD
040fecc system: fix issues reported by Coverity
 48f481b service: make sure string read is null terminated
 16dbc2a uxc: fix a bunch of issues discovered by Coverity
 ff9002f uxc: fix help output
 104b49d uxc: support config in uvol

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-15 15:44:05 +01:00
Daniel Golle
1235e2ee3b
procd: update to git HEAD
48638ad hotplug-dispatch: yet another rare memory leak disovered by Coverity
 459b3e8 jail: fix several issues discovered by Coverity
 2562e2b ujail-console: add missing error handling discovered by coverity

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-14 19:20:05 +01:00
Daniel Golle
5181af5585
procd: update to git HEAD
9f233f5 system: make rootfs type accessible through board call

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-13 04:46:29 +01:00
Daniel Golle
80be893d2b
procd: change procd_add_start_mount_trigger to do restart
Change procd_add_start_mount_trigger to procd_add_restart_mount_trigger
and make it call 'restart' instead of 'start'.
This is more useful as it allows to handle both cases, intial start of
a services as well as restarting services. Calling 'restart' on a
service which has not yet been started has the same result as calling
'start'.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-08 15:26:28 +01:00
Daniel Golle
46a65f927c
procd: update to git HEAD and add new script helpers
e10de28 jail: cgroups-bpf: fix compile with musl 1.2
 f5d9b14 hotplug-dispatch: fix rare memory leaks in error paths

Add new init script helpers:
 procd_add_start_mount_trigger
 procd_add_reload_mount_trigger
 procd_get_mountpoints

Both trigger helpers expect a list of paths which are checked against
the mount targets configured in /etc/config/fstab and a trigger for all
mountpoints covered by the list of paths is setup.

procd_get_mountpoints is useful to find out if and which mountpoints
are covered by a list of paths.

Example:
  DATADIRS="/mnt/data/foo /mnt/data/bar /etc/foo/baz /var/lib/doe"

  start_service() {
    [ "$_BOOT" = "1" ] &&
      [ "$(procd_get_mountpoints $DATADIRS)" ] && return 0

    procd_open_instance
    # ...
    procd_close_instance
  }

  boot() {
    _BOOT=1 start
  }

  service_triggers() {
    procd_add_start_mount_trigger $DATADIRS
  }

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-05 03:46:21 +01:00
Daniel Golle
edb6bc1990
procd: update to git HEAD
Fix build on glibc targets and address a bunch of compiler warnings.

 93fc089 jail: cgroups-bpf: don't use sys/reg.h when building with glibc
 548d057 jail: don't ignore return value of seteuid()
 220b716 jail: ignore return value when creating default /dev symlinks
 78d5baa hotplug-dispatch: don't ignore asprintf() return value
 736aee5 uxc: always handle asprintf() return value
 2b20456 hotplug-dispatch: replace wrongly used assert()
 bfc86a2 jail: cgroups: replace wrongly used assert()
 516bdf2 jail: don't ignore return value of write()

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-08-04 19:12:44 +01:00
Hauke Mehrtens
e11be055f1 procd: update to git HEAD
f26233e watchdog: Add an info message if the watchdog reset the system

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-07-25 14:51:43 +02:00
Daniel Golle
1ed9fc663e
procd: update to git HEAD
772292e uxc: don't restart containers when mount shows up
 3a9d910 uxc: resolve volume UUIDs by name of UCI fstab section

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-25 00:58:40 +01:00
Daniel Golle
cda668e046
procd: update to git HEAD
9bd1b7f jail: refactor directory handling for rootfs and overlaydir

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-18 19:12:08 +01:00
Daniel Golle
c1a3eff3ac
procd: update to git HEAD
0545905 jail: make use of realpath() for rootfs and overlaydir

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-17 22:11:50 +01:00
Daniel Golle
b1b16bddb0
procd: update to git HEAD
0ee73b2 uxc: implement support for rootfs overlay in containers
 b0a8ea1 jail: do not hack /etc/resolv.conf on container rootfs
 92aba53 jail: increase max additional env records to 64
 15997e6 jail: allow rootfs to be a symbolic link
 0114c6f jail: open() extroot folder before mounting
 ed96eda uxc: check for required blockd mounts

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-15 18:22:24 +01:00
Daniel Golle
f46a38a1ac
procd: update to git HEAD
2dcefbd jail: add support for cgroup devices as in OCI run-time spec

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-07-10 23:01:05 +01:00
Leonardo Mörlein
b993b68b6c build: introduce $(MKHASH)
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if

    make TOPDIR="$(pwd)" -C "$pkgdir" compile

was called manually. In most of the cases, I just saw warnings like this:

    make: Entering directory '/home/.../package/gluon-status-page'
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    [...]

While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.

After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
2021-05-13 15:13:15 +02:00
Daniel Golle
b607e7df34
procd: update to git HEAD
021ece8 procd: Use /dev/console for serial console if exists

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-05-05 13:18:50 +01:00
Daniel Golle
241ce95d63
procd: update to git HEAD
7ee4563 procd: Adding support to detect Pantavisor Container Platform

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-21 13:36:58 +00:00
Daniel Golle
6801ecd91b
procd: update to git HEAD
Enable seccomp features on Aarch64.

 3e88c6f jail/seccomp: add support for aarch64
 c23d8bf trace: fix build on aarch64

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-19 22:33:27 +00:00
Daniel Golle
ffeb37047e
procd: update to git HEAD
945d0d7 utils: fix C style in header file
 2cfc26f inittab: detect active console from kernel if no console= specified

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-08 00:11:55 +00:00
Daniel Golle
1cd4a02c8e
procd: update to git HEAD
64e9f3a procd: fix compilation with newer musl

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-02 19:16:10 +00:00
Daniel Golle
5f1bd95278
procd: update to git HEAD
2be57ed cosmetics: provide compatible system info on Aarch64
 37eed13 system: expose if system was booted from initramfs

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-23 13:16:23 +00:00
Daniel Golle
3010f16f44 procd: add hotplug-call dispatcher ubus objects
Add per-subsystem ubus objects exposing hotplug-call.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-08 00:57:14 +00:00
Daniel Golle
740af59b9c procd: update to git HEAD
0aee1c3 hotplug.c: set nl_pid to zero
 d6dda31 procd: fix compiler warning
 92c8e8f jail: remove duplicate check for hook file permissions
 0a74c06 jail: only output BPF instr. table header if debugging
 fd18379 jail: cgroups: fix uninitialized variabl

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-02 13:29:36 +00:00
Daniel Golle
54239ccfe7 procd: update to git HEAD
111416d jail: remove unreachable code
 7f12c89 treewide: replace local mkdir_p implementations

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-12 23:34:10 +00:00
Sven Roederer
13961da6ce procd: also depend on jshn
fixes "file no found" error on stripped down images, caused by prod.sh:43.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2020-12-05 22:18:07 -10:00
Daniel Golle
4dc5b64760 procd: output warning if user 'ubus' doesn't exist
6acc48c early: fall-back to run ubus as root if user can't be found

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-04 14:41:26 +00:00
Daniel Golle
c71500fd45 procd: update to git HEAD
f3c3563 jail: improve seccomp BPF generator
 f67a66f jail: always call cgroups_free()
 4625350 jail: seccomp: improve code readability

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-30 10:39:15 +00:00
Daniel Golle
8cf0ac3f1f procd: update to git HEAD
3019f50 jail: leak less memory
 7e01453 jail: fix segfault on missing name and refactor
 5abee8f jail: fix and simplify userns uid/gid maps from OCI
 4ba72ec jail: relax /etc/resolv.conf creation
 db5ef86 jail: don't use NULL arguments for mount syscall
 19ac9df jail: don't fail if can't mount-bind /etc/resolv.conf
 acf36f2 jail: seteuid before clone(CLONE_NEWUSER)
 e40828f jail: fix typo in usage output
 b87984b jail: don't attempt to mount /sys with noatime
 b275b11 jail: enter existing cgroups namespace if given
 31e0a46 jail: properly initialize timens_fd

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-27 01:23:43 +00:00
Daniel Golle
2eb0d711a4 procd: update to git HEAD
d4d78db uxc: also delete procd runtime state on 'delete'
 e935c0c jail: add 'debug' extern variable to preload_seccomp

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-23 00:32:48 +00:00
Daniel Golle
8262c99fc3 procd: update to git HEAD
04a2edd uxc: make force-delete kill container process
 be6da62 seccomp: silence 'unknown syscall' warnings
 b22e625 jail: cgroup hack: rewrite cgroup -> cgroup2
 df7fa7b uxc: fix incomplete commit

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-22 03:24:33 +00:00
Daniel Golle
62a3430f9b procd: drop legacy seccomp support, switch to OCI parsers
d8f36f5 seccomp: specifying architectures is optional
 d352e6e seccomp: switch to new OCI compliant parser
 c110405 trace: switch to OCI seccomp JSON output

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-17 13:12:37 +00:00
Daniel Golle
9867d08e07 procd: bump to git HEAD
b0de894 jail: fix capabilities

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-07 06:03:49 +00:00
Daniel Golle
c8a81ada58 procd: bump to git HEAD
2f381fe jail: guard boolean blobmsg attributes
 602b8fa jail: add option for pidfile
 bba6de7 jail: handle mount propagation flags
 6963d50 jail: relax seccomp unknown syscall handling
 e1fcfdc jail: add support for absolute root path in OCI spec
 257f29b jail: don't fail if maskedPath cannot be found
 75f2374 uxc: mimic runc cmdline by using getopt_long

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-05 02:17:25 +00:00
Daniel Golle
ccb283c71c procd: ujail fixes
ec461ff jail: mount more stuff read-only
33b799b ujail: elf: work around GCC bug on MIPS64

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-25 12:41:44 +00:00
Daniel Golle
a2def3663a procd: jail: clean up capability handling and non-root ubusd
Unify capability handling to only use OCI spec parsers even for ujail
slim containers which previously supposedly used their own format.

 80c9516 cgroups: restrict allowed keys in 'unified' section
 5ade567 cgroups: memory controller fixes
 3121467 early: run ubusd non-root as user ubus, group ubus
 12a5b97 jail: adapt to new ubus socket path
 788d144 instance: actually wire up capabilities filename
 ebc5a7f jail: nuke old capabilities code in favour of reusing OCI code
 6c5233a jail: capabilities: apply in two phases

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-21 15:22:30 +01:00
Daniel Golle
74dfe25d41 procd: remove duplicate confguration menu
Fixes: 962e73c1a4 ("procd: add selinux variant")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-13 14:07:18 +01:00
Paul Spooren
962e73c1a4 procd: add selinux variant
This commit adds a `selinux` variant to `procd` allowing to load an
SELinux policy at boot.

Signed-off-by: Paul Spooren <mail@aparcar.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-13 09:53:50 +01:00
Thomas Petazzoni
12178be465 procd: add SELinux support
This commit adds a patch to procd to support loading the SELinux
policy early at boot time, and adjusts the procd package to use this
SELinux support when libselinux is enabled.

The procd patch has been submitted separately [1]: obviously the
intent is to have it merged in the procd Git repository rather than
have it in OpenWrt itself.

[1] http://lists.infradead.org/pipermail/openwrt-devel/2019-November/025791.html

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase, add commit message]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
[split commit into openwrt.git and procd.git]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-10 09:54:50 +01:00
Daniel Golle
48f2596e78 procd: update to git HEAD
47a9f0d service: add method to query available container features
 afbaba9 initd: attempt to mount cgroup2
 ead60fe jail: use pidns semantics also for timens
 759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
 83053b6 instance: add instances into unified cgroup hierarchy
 16159bb jail: parse OCI cgroups resources
 282ff0c jail: only free cgroups if they were allocated
 ab55357 jail: fix freeing cgroups avl

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-06 16:17:37 +01:00
Daniel Golle
728a0c68d1 Revert "procd: update to git HEAD"
This reverts commit e0e607f0d0.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-06 16:17:37 +01:00
Daniel Golle
e0e607f0d0 procd: update to git HEAD
47a9f0d service: add method to query available container features
 afbaba9 initd: attempt to mount cgroup2
 ead60fe jail: use pidns semantics also for timens
 759e9f8 jail: make use of BLOBMSG_CAST_INT64 for OCI rlimits
 83053b6 instance: add instances into unified cgroup hierarchy
 16159bb jail: parse OCI cgroups resources

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-06 15:27:51 +01:00
Daniel Golle
d15b6e4895 procd: update to git HEAD
28be011 instance: make sure values are not inherited from previous runs
 2ae5cbc uxc: remove debugging left-over

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-30 17:16:53 +01:00
Daniel Golle
a15ed964cf procd: update to git HEAD
c3ca99f jail: serialize hook execution
 8ff8970 jail: add some remaining OCI features
 9d5fa0a uxc: behave more like a compliant OCI run-time
 1274033 uxc: fix create operation
 2d811a4 jail: add 'kill' method to container.%s object
 08133b8 uxc: use new container.%s kill ubus API

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-29 10:33:19 +01:00
Daniel Golle
98b60b3efa procd: jail: fix build on glibc and uclibc
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-25 16:54:40 +01:00
Daniel Golle
114e5255c4 procd: update to git HEAD
48777de rcS: cast format string to int64_t
 a4df90f jail: fix wrong format for 32-bit
 c482c5d jail: add support for referencing existing namespaces

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-25 16:07:59 +01:00
Daniel Golle
5aedd5a110 procd: bump to git HEAD once again
Further complete OCI container support in ujail:
 f5f305e jail: move /tmp/resolv.conf.d to /dev/resolv.conf.d
 6f078ae jail: add support for defining devices
 686cf7a jail: actually apply filesystem-specific mount options
 f91009a jail: refactor default mounts into new structure
 66ae2d9 jail: re-implement /proc/sys/net read-write in netns hack

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-20 04:39:11 +01:00
Daniel Golle
211548c523 procd: update to git HEAD
9eddf0f jail: fix hooks
 1b1286b jail: parse and apply OCI sysctl values
 c049047 jail: implement OCI user additionalGIDs
 0e1920c jail: read and apply umask from OCI if defined
 1c46cc3 jail: parse and apply POSIX rlimits
 76adac5 jail: /proc/$pid/oom_score_adj to OCI defined oomScoreAdj

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-19 19:35:47 +01:00
Daniel Golle
bae4204e34 procd: bump to git HEAD
8d5208f jail: fix false return in case of nofail mount
 b41f76b procd: fix compile if procd-ujail is not selected
 86a5105 jail: fs: fix build on uClibc-ng
 bfce7d1 jail: fix some more mount options
 268126a jail: add support for maskedPaths and readonlyPaths

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-17 12:00:00 +01:00
Daniel Bailey
5792f6a104 procd: allow optional watchdog instance parameter
Optional instance watchdog timeout and watchdog mode can be set by
adding: procd_set_param $mode $timeout

$mode is an integer [0-1] representing instance watchdog mode of
operation:
0 = disabled
1 = passive mode, client must periodically poke watchdog via ubus

$timeout is an integer representing how often, in seconds, the watchdog must be poked.

Signed-off-by: Daniel Bailey <danielb@meshplusplus.com>
2020-07-14 00:25:02 +01:00