Re: Adding capability control into the `run' script comparison page

From: Guillermo <gdiazhartusch_at_gmail.com>
Date: Wed, 7 Dec 2016 23:48:11 -0300

2016-12-07 6:26 GMT-03:00 Jean Louis:
>
> On Wed, Dec 07, 2016 at 09:14:00AM +0000, Jonathan de Boyne Pollard wrote:
>> [...]
>> To anyone running the service manager and bundles from nosh version 1.28 or
>> later on Linux: You are encouraged to look at your control group hierarchy,
>> with a tool like "systemd-cgls /", with the "cgroup" field of the ps
>> command, or by simply listing your /sys/fs/cgroup/ hierarchy. You are in
>> for an interesting surprise.
> [...]
>
> Please be more detailed, I am interested, but due to not using
> systemd, I have nothing in /sys/fs/cgroup
>
> What is the interesting surprise, explained?

nosh 1.28 and later includes a move-to-control-group chainloading
utility [1], and its systemd unit file conversion tool inserts a
move-to-control-group invocation in the resulting bundle directory's
scripts.

I suppose the interesting surprise is that, as a consequence, when a
service definition gets 'imported' to nosh from a unit file (and this
covers pretty much everything in the nosh-bundles* binary packages),
the corresponding service gets placed in a cgroup of its own when
launched by nosh's service manager:

test$ cat my-test-svc.service

[Unit]
Description=My test service

[Service]
User=test
ExecStart=/home/test/my-test-svc-binary
RestartSec=1

test$ system-control convert-systemd-units --no-systemd-quirks ./my-test-svc.service
test$ ls -l my-test-svc/*

my-test-svc/after:
total 0
lrwxrwxrwx 1 test test 34 Dec 7 22:25 basic -> /etc/service-bundles/targets/basic

my-test-svc/before:
total 0
lrwxrwxrwx 1 test test 37 Dec 7 22:25 shutdown -> /etc/service-bundles/targets/shutdown

my-test-svc/conflicts:
total 0

my-test-svc/required-by:
total 0

my-test-svc/service:
total 16
-rwxr-xr-x 1 test test 105 Dec 7 22:25 restart
-rwxr-xr-x 1 test test 183 Dec 7 22:25 run
-rwxr-xr-x 1 test test 66 Dec 7 22:25 start
-rwxr-xr-x 1 test test 65 Dec 7 22:25 stop

my-test-svc/stopped-by:
total 0
lrwxrwxrwx 1 test test 37 Dec 7 22:25 shutdown -> /etc/service-bundles/targets/shutdown

my-test-svc/wanted-by:
total 0

my-test-svc/wants:
total 0
lrwxrwxrwx 1 test test 34 Dec 7 22:25 basic -> /etc/service-bundles/targets/basic

test$ system-control cat ./my-test-svc

start:#!/bin/nosh
start:#Start file generated from ./my-test-svc.service
start:true
stop:#!/bin/nosh
stop:#Stop file generated from ./my-test-svc.service
stop:true
run:#!/bin/nosh
run:#Run file generated from ./my-test-svc.service
run:#My test service
run:move-to-control-group my-test-svc.service
run:setuidgid test
run:/home/test/my-test-svc-binary
restart:#!/bin/sh
restart:#Restart file generated from ./my-test-svc.service
restart:sleep 1
restart:exec true # ignore script arguments

root# mkdir /sys/fs/cgroup/systemd
root# mount -t cgroup -o rw,nosuid,nodev,noexec,name=systemd systemd /sys/fs/cgroup/systemd
root# system-control start ./my-test-svc

test$ service-status my-test-svc

my-test-svc:
 State : running since 2016-12-07 22:35:37 -0300; 7m 48s ago
 Main PID: 1499
  Started: exit 0
 Config : enabled

test$ ps -eo pid,ppid,euser,cgroup,args

  PID PPID EUSER CGROUP COMMAND
 [...]
 1446 1 root - service-manager
 1499 1446 test 6:name=systemd:/my-test-svc /home/test/my-test-svc-binary

Process 'my-test-svc-binary' is in cgroup 'my-test-svc.service' and
its parent process (PID 1446) is a process supervisor, as expected.

test$ ls -l /sys/fs/cgroup/systemd

total 0
drwxr-xr-x 2 root root 0 Dec 7 22:13 basic.target
-rw-r--r-- 1 root root 0 Dec 7 22:06 cgroup.clone_children
-rw-r--r-- 1 root root 0 Dec 7 22:06 cgroup.procs
-r--r--r-- 1 root root 0 Dec 7 22:06 cgroup.sane_behavior
drwxr-xr-x 2 root root 0 Dec 7 22:13 local-fs-pre.target
drwxr-xr-x 2 root root 0 Dec 7 22:13 local-fs.target
drwxr-xr-x 2 root root 0 Dec 7 22:35 my-test-svc.service
-rw-r--r-- 1 root root 0 Dec 7 22:06 notify_on_release
-rw-r--r-- 1 root root 0 Dec 7 22:06 release_agent
drwxr-xr-x 2 root root 0 Dec 7 22:13 swapauto.target
drwxr-xr-x 2 root root 0 Dec 7 22:13 swaplate.target
drwxr-xr-x 2 root root 0 Dec 7 22:13 sysinit.target
-rw-r--r-- 1 root root 0 Dec 7 22:06 tasks

(/sys/fs/cgroup itself is a tmpfs on my machine)

G.

[1] http://jdebp.eu/Softwares/nosh/guide/move-to-control-group.html
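A small containment check for the behaviour described in this message, added here as an example and not taken from the thread or from the nosh project: it pulls the group name out of a converted run file and compares it with a process's /proc/<pid>/cgroup entry in the named "systemd" hierarchy. The run file and /proc contents are constructed from the listing above, and the check assumes the supervising service manager sits at the root of that hierarchy, so the service's path is just "/" plus the group name.

```python
"""Verify that a nosh-launched service sits in the cgroup its run file requests.

Added example (not nosh code). Assumes the cgroup-v1 named "systemd"
hierarchy and a service manager at the root of it.
"""

# Constructed sample: the generated run file from the message, "run:" prefix removed.
RUN_SCRIPT = """#!/bin/nosh
#Run file generated from ./my-test-svc.service
#My test service
move-to-control-group my-test-svc.service
setuidgid test
/home/test/my-test-svc-binary
"""

# Constructed sample of /proc/<pid>/cgroup for the service process.
# Each line is "hierarchy-id:controller-list:cgroup-path".
PROC_CGROUP = """6:name=systemd:/my-test-svc.service
5:cpu,cpuacct:/
1:memory:/
"""


def expected_cgroup(run_script):
    """Return the group named by the first move-to-control-group line, or None."""
    for line in run_script.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "move-to-control-group":
            return parts[1]
    return None


def parse_proc_cgroup(text):
    """Map each controller (or named hierarchy) to the process's path in it.

    A cgroup-v2 line "0::/path" has an empty controller list and is keyed "".
    """
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _hier_id, controllers, path = line.split(":", 2)
        for ctrl in controllers.split(","):
            result[ctrl] = path
    return result


def in_expected_cgroup(run_script, proc_cgroup, hierarchy="name=systemd"):
    """True only if the process is in its own group, not the root or another one."""
    want = expected_cgroup(run_script)
    if want is None:
        return False
    path = parse_proc_cgroup(proc_cgroup).get(hierarchy)
    return path is not None and path.rstrip("/") == "/" + want
```

To run it against a live system, read /proc/<pid>/cgroup for the service's main PID and the run file from the bundle's service directory and pass both to in_expected_cgroup.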
Received on Thu Dec 08 2016 - 02:48:11 UTC