From 008f87e9886426bd3f98efced35c498cc80da13b Mon Sep 17 00:00:00 2001 
From: Laurent Bercot Date: Sat, 7 Mar 2015 10:24:12 +0000 Subject: [PATCH 1/5] - Initial changes discussed with Gorka - Dependencies: latest execline/s6/s6-portable-utils at this time - Interactive CMDs should now work properly with or without terminals. If not, play with s6-setsid a bit more. - The scandir is now in /var/run/s6/service, because it gets written into at run-time - User service directories are now listed in /etc/services.d and will be *copied* to /var/run/s6/service during init-stage2 - Yeah, I really hate writing to /, and you should hate it, too. - Init order: * our own services in /etc/s6/service are copied to /var/run/s6/service (stage 1) * s6-svscan is run * scripts in /etc/cont-init.d are run (stage 2) * services in /etc/services.d are copied to /var/run/s6/service and picked up by s6-svscan * If a CMD was given, it is run. i.e. the whole stage 2 is executed whether a CMD was given or not, so CMDs are always executed in a properly initted environment. - Since all the user stuff is started in stage 2, we can guarantee all the dependencies for stage 1, so no fix-attrs in stage 1. Stage 1 is now extremely short, as it should be. - Can't escape the fix-attrs in stage 2 though, but provided a chunk of execline to do the functionality. (Probably very slow.) - Plus a bunch of tiny fixes, mostly cosmetic. 
--- overlay-rootfs/etc/fix-attrs.d/00-base | 26 ----- overlay-rootfs/etc/s6/.s6-init/init-stage1 | 59 ---------- overlay-rootfs/etc/s6/.s6-init/init-stage2 | 34 ------ overlay-rootfs/etc/s6/.s6-init/init-stage3 | 54 --------- overlay-rootfs/etc/s6/.s6-svscan/finish | 2 - .../default/env/S6_FDHOLDER_RETRIEVE_REGEX | 1 - .../uid/default/env/S6_FDHOLDER_STORE_REGEX | 1 - overlay-rootfs/etc/s6/fdholderd/run | 2 - overlay-rootfs/etc/s6/init/env/PATH | 1 + overlay-rootfs/etc/s6/init/fix-attrs.txt | 4 + overlay-rootfs/etc/s6/init/init-stage1 | 69 +++++++++++ overlay-rootfs/etc/s6/init/init-stage2 | 109 ++++++++++++++++++ overlay-rootfs/etc/s6/init/init-stage3 | 37 ++++++ .../etc/s6/{ => service}/.s6-svscan/crash | 5 - .../etc/s6/service/.s6-svscan/finish | 2 + .../etc/s6/service/s6-fdholderd/log/run | 4 + .../s6-fdholderd/rules/uid/0}/allow | 0 .../rules/uid/0/env/S6_FDHOLDER_GETDUMP | 1 + .../rules/uid/0/env/S6_FDHOLDER_LIST | 1 + .../uid/0/env/S6_FDHOLDER_RETRIEVE_REGEX | 1 + .../rules/uid/0/env/S6_FDHOLDER_SETDUMP | 1 + .../rules/uid/0/env/S6_FDHOLDER_STORE_REGEX | 1 + .../s6-fdholderd/rules/uid/default/allow} | 0 .../rules/uid/default/env/S6_FDHOLDER_LIST | 1 + .../etc/s6/service/s6-fdholderd/run | 5 + .../etc/s6/service/s6-svscan-log/run | 5 + overlay-rootfs/init | 5 +- overlay-rootfs/usr/bin/with-contenv | 9 +- overlay-rootfs/usr/bin/with-notifywhenup | 5 +- 29 files changed, 250 insertions(+), 195 deletions(-) delete mode 100644 overlay-rootfs/etc/fix-attrs.d/00-base delete mode 100644 overlay-rootfs/etc/s6/.s6-init/init-stage1 delete mode 100644 overlay-rootfs/etc/s6/.s6-init/init-stage2 delete mode 100644 overlay-rootfs/etc/s6/.s6-init/init-stage3 delete mode 100644 overlay-rootfs/etc/s6/.s6-svscan/finish delete mode 100644 overlay-rootfs/etc/s6/fdholderd/rules/uid/default/env/S6_FDHOLDER_RETRIEVE_REGEX delete mode 100644 overlay-rootfs/etc/s6/fdholderd/rules/uid/default/env/S6_FDHOLDER_STORE_REGEX delete mode 100644 overlay-rootfs/etc/s6/fdholderd/run create 
mode 100644 overlay-rootfs/etc/s6/init/env/PATH create mode 100644 overlay-rootfs/etc/s6/init/fix-attrs.txt create mode 100755 overlay-rootfs/etc/s6/init/init-stage1 create mode 100755 overlay-rootfs/etc/s6/init/init-stage2 create mode 100755 overlay-rootfs/etc/s6/init/init-stage3 rename overlay-rootfs/etc/s6/{ => service}/.s6-svscan/crash (79%) mode change 100644 => 100755 create mode 100755 overlay-rootfs/etc/s6/service/.s6-svscan/finish create mode 100755 overlay-rootfs/etc/s6/service/s6-fdholderd/log/run rename overlay-rootfs/etc/s6/{fdholderd/rules/uid/default => service/s6-fdholderd/rules/uid/0}/allow (100%) create mode 100644 overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_GETDUMP create mode 100644 overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_LIST create mode 100644 overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_RETRIEVE_REGEX create mode 100644 overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_SETDUMP create mode 100644 overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_STORE_REGEX rename overlay-rootfs/etc/s6/{fdholderd/rules/uid/default/env/S6_FDHOLDER_LIST => service/s6-fdholderd/rules/uid/default/allow} (100%) create mode 100644 overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/default/env/S6_FDHOLDER_LIST create mode 100755 overlay-rootfs/etc/s6/service/s6-fdholderd/run create mode 100755 overlay-rootfs/etc/s6/service/s6-svscan-log/run mode change 100644 => 100755 overlay-rootfs/init diff --git a/overlay-rootfs/etc/fix-attrs.d/00-base b/overlay-rootfs/etc/fix-attrs.d/00-base deleted file mode 100644 index 85b5de0..0000000 --- a/overlay-rootfs/etc/fix-attrs.d/00-base +++ /dev/null 
@@ -1,26 +0,0 @@ -[ - { - "path": "/etc/fix-attrs.d/*", - "attr": "root:root:0600" - }, - { - "path": "/etc/s6/*/finish", - "attr": "root:root:0700" - }, - { - "path": "/etc/s6/*/run", - "attr": "root:root:0700" - }, - { - "path": "/etc/s6/*/log/run", - "attr": "root:root:0700" - }, - { - "path": "/etc/cont-init.d/*", - "attr": "root:root:0700" - }, - { - "path": "/etc/s6/.s6-svscan/crash", - "attr": "root:root:0700" - } -] diff --git a/overlay-rootfs/etc/s6/.s6-init/init-stage1 b/overlay-rootfs/etc/s6/.s6-init/init-stage1 deleted file mode 100644 index 789fba8..0000000 --- a/overlay-rootfs/etc/s6/.s6-init/init-stage1 +++ /dev/null @@ -1,59 +0,0 @@ -#!/usr/bin/execlineb - -## -## dump environment into files and a bash script -## - -# base for file and path -define contenvsdir /etc/container_environment - -# assure folder does exist -foreground { mkdir -p ${contenvsdir} } - -foreground { - forbacktickx i { - pipeline { s6-env } s6-cut -d"=" -f1 - } - import i import ${i} - foreground { - redirfd -w 1 ${contenvsdir}/${i} - s6-echo ${${i}} - } -} - -## -## fix attributes (ownership and permissions) -## - -foreground { s6-echo "[fix-attrs] fixing file attributes (ownership & permission)..." } -foreground { - forbacktickx i { - find /etc/fix-attrs.d -maxdepth 1 -type f ! -name ".*" ! -path /etc/fix-attrs.d - } - import i - foreground { s6-echo "[fix-attrs] ${i}: applying..." } - foreground { fix-attrs fix ${i} } - foreground { s6-echo "[fix-attrs] ${i}: done." } -} -foreground { s6-echo "[fix-attrs] done." } - -# i don't know why but, it seems like 'fix-attrs' is not freeing file -# handles and therefore files which were accesed/modified cannot be used -# for execution. We flush all the dirty system buffers, and blocks until -# they're clean. -foreground { s6-sync } - -## -## fork the "init-stage2" script -## - -background -{ - elgetpositionals - /etc/s6/.s6-init/init-stage2 $@ -} -unexport ! - -# start stage 2. -s6-envdir ${contenvsdir} -s6-svscan -t0 /etc/s6 
diff --git a/overlay-rootfs/etc/s6/.s6-init/init-stage2 b/overlay-rootfs/etc/s6/.s6-init/init-stage2 deleted file mode 100644 index 4879d44..0000000 --- a/overlay-rootfs/etc/s6/.s6-init/init-stage2 +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/execlineb - -# this file is executed (not as process 1!) as soon as s6-svscan -# starts. It should perform all the remaining one-time initialization -# tasks. - -if -nt -{ - elgetpositionals - ifelse { s6-test $# -ne 0 } - { foreground { $@ } s6-svscanctl -t /etc/s6 } - - ## - ## cont-init.d - ## - - foreground { s6-echo "[cont-init.d] executing container initialization scripts..." } - foreground { - forbacktickx i { - find /etc/cont-init.d -maxdepth 1 -type f ! -name ".*" ! -path /etc/cont-init.d - } - import i - foreground { s6-echo "[cont-init.d] ${i}: executing..." } - foreground { with-contenv ${i} } - foreground { s6-echo "[cont-init.d] ${i}: done." } - } - foreground { s6-echo "[cont-init.d] done." } -} - -# if anything in the if -nt { } block fails, control jumps here. -# no need to do much because there's already an operational getty running. - -redirfd -w 1 /dev/console -s6-echo "\n!!!!!\ninit-stage2 failed, please log in and investigate.\n!!!!!" diff --git a/overlay-rootfs/etc/s6/.s6-init/init-stage3 b/overlay-rootfs/etc/s6/.s6-init/init-stage3 deleted file mode 100644 index 630f569..0000000 --- a/overlay-rootfs/etc/s6/.s6-init/init-stage3 +++ /dev/null 
@@ -1,54 +0,0 @@ -#!/usr/bin/execlineb -S0 - -# This is the shutdown script, running as process 1. - -foreground { - forbacktickx i { find /etc/s6 -maxdepth 1 -type d ! -name ".*" ! -path /etc/s6 } - import i - foreground { - if { s6-test -f ${i}/finish } - foreground { s6-echo "[s6-finish] executing ${i}/finish ..." } - foreground { ${i}/finish } - foreground { s6-echo "[s6-finish] done." } - } -} - -# Make sure we have no open handle to anywhere else than /dev/console - -cd / -redirfd -w 1 /dev/console -fdmove -c 2 1 - -# Sync before TERM'n - -foreground { s6-echo "[s6-finish] syncing disks." } -foreground { s6-sync } - -# Even if s6-svscan properly brought all the services down -# before exec'ing into this script, users might have launched -# background nohup processes, so we have to kill everything. - -foreground { s6-echo "[s6-finish] sending all processes the TERM signal." } -foreground { s6-nuke -th } -foreground { s6-sleep 1 } -foreground { s6-echo "[s6-finish] sending all processes the KILL signal." } -foreground { s6-nuke -k } - -# Close stdin here cause we wanted to pipe to echo in order to -# get timestamped lines. - -fdclose 0 - -# Yes, it helps. - -foreground { s6-echo "[s6-finish] syncing disks." } -foreground { s6-sync } - -# Here, s6-nuke sends a SIGKILL to every process on the system. -# It kills itself, but not before the SIGKILL has been broadcast. -# The "foreground" process runs as process 1, so it survives, -# and execs into the rest of the script when s6-nuke dies. - -# Reap the huge army of zombies we just created - -wait { } diff --git a/overlay-rootfs/etc/s6/.s6-svscan/finish b/overlay-rootfs/etc/s6/.s6-svscan/finish deleted file mode 100644 index 4e64a60..0000000 --- a/overlay-rootfs/etc/s6/.s6-svscan/finish +++ /dev/null @@ -1,2 +0,0 @@ -#!/usr/bin/execlineb -/etc/s6/.s6-init/init-stage3 
diff --git a/overlay-rootfs/etc/s6/fdholderd/rules/uid/default/env/S6_FDHOLDER_RETRIEVE_REGEX b/overlay-rootfs/etc/s6/fdholderd/rules/uid/default/env/S6_FDHOLDER_RETRIEVE_REGEX
deleted file mode 100644
index 8452c8c..0000000
--- a/overlay-rootfs/etc/s6/fdholderd/rules/uid/default/env/S6_FDHOLDER_RETRIEVE_REGEX
+++ /dev/null
@@ -1 +0,0 @@
-^.*$
\ No newline at end of file
diff --git a/overlay-rootfs/etc/s6/fdholderd/rules/uid/default/env/S6_FDHOLDER_STORE_REGEX b/overlay-rootfs/etc/s6/fdholderd/rules/uid/default/env/S6_FDHOLDER_STORE_REGEX
deleted file mode 100644
index 8452c8c..0000000
--- a/overlay-rootfs/etc/s6/fdholderd/rules/uid/default/env/S6_FDHOLDER_STORE_REGEX
+++ /dev/null
@@ -1 +0,0 @@
-^.*$
\ No newline at end of file
diff --git a/overlay-rootfs/etc/s6/fdholderd/run b/overlay-rootfs/etc/s6/fdholderd/run
deleted file mode 100644
index 4613be2..0000000
--- a/overlay-rootfs/etc/s6/fdholderd/run
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/usr/bin/execlineb
-s6-notifywhenup s6-fdholder-daemon -1 -i /etc/s6/fdholderd/rules /etc/s6/fdholderd/socket
\ No newline at end of file
diff --git a/overlay-rootfs/etc/s6/init/env/PATH b/overlay-rootfs/etc/s6/init/env/PATH
new file mode 100644
index 0000000..fc77125
--- /dev/null
+++ b/overlay-rootfs/etc/s6/init/env/PATH
@@ -0,0 +1 @@
+/usr/bin:/bin
diff --git a/overlay-rootfs/etc/s6/init/fix-attrs.txt b/overlay-rootfs/etc/s6/init/fix-attrs.txt
new file mode 100644
index 0000000..309d41e
--- /dev/null
+++ b/overlay-rootfs/etc/s6/init/fix-attrs.txt
@@ -0,0 +1,4 @@
+/etc/services.d/*/run false root 0755 0755
+/etc/services.d/*/finish false root 0755 0755
+/etc/services.d/*/log/run false root 0755 0755
+/etc/services.d/*/log/finish false root 0755 0755
diff --git a/overlay-rootfs/etc/s6/init/init-stage1 b/overlay-rootfs/etc/s6/init/init-stage1
new file mode 100755
index 0000000..8762a3c
--- /dev/null
+++ b/overlay-rootfs/etc/s6/init/init-stage1
@@ -0,0 +1,69 @@
+#!/usr/bin/execlineb -S0
+
+##
+## dump environment into an envdir
+##
+
+/usr/bin/if { /usr/bin/s6-mkdir -pm 0755 -- /var/run/s6/container_environment }
+/usr/bin/if { /usr/bin/s6-dumpenv -- /var/run/s6/container_environment }
+
+
+##
+## run everything else with only the environment defined in
+## /etc/s6/init/env. Programs can get back the container
+## environment by using "with-contenv program".
+##
+
+/usr/bin/exec -c --
+/usr/bin/s6-envdir /etc/s6/init/env
+/usr/bin/exec --
+
+
+##
+## ensure our vital fifo exists
+##
+
+if { s6-mkfifo -m 0600 -- /var/run/s6/uncaught-logs-fifo }
+
+
+##
+## init the scandir with our base services
+##
+
+if { s6-rmrf /var/run/s6/service }
+if { s6-hiercopy /etc/s6/service /var/run/s6/service }
+
+
+##
+## fork the "init-stage2" script
+##
+
+background
+{
+ # add some environment
+ s6-envdir -- /etc/s6/init/env-stage2
+
+ # block until the supervision tree is running
+ redirfd -w 3 /var/run/s6/uncaught-logs-fifo
+ fdclose 3
+
+ # run the script
+ /etc/s6/init/init-stage2 $@
+}
+unexport !
+
+
+##
+## run the rest of stage 1 with sanitized descriptors
+##
+
+redirfd -r 0 /dev/null
+redirfd -wnb 1 /var/run/s6/uncaught-logs-fifo
+fdmove -c 2 1
+
+
+##
+## start the supervision tree
+##
+
+s6-svscan -t0 /var/run/s6/service
diff --git a/overlay-rootfs/etc/s6/init/init-stage2 b/overlay-rootfs/etc/s6/init/init-stage2
new file mode 100755
index 0000000..c08ce14
--- /dev/null
+++ b/overlay-rootfs/etc/s6/init/init-stage2
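Review bot: `/usr/bin/if { /usr/bin/s6-mkdir -pm 0755 -- /var/run/s6/container_environment }` followed by `s6-dumpenv` copies the whole container environment — including whatever was passed with `-e`, which is where credentials usually travel — into a directory readable by every uid in the container, e.g. the `nobody` account the two log services drop to. Every use of with-contenv in this series (cont-init.d scripts, the CMD, stage 3) runs as root, so `-pm 0700` would keep the envdir root-only without breaking anything shown here; if unprivileged services are meant to read it, a comment such as `## world-readable on purpose: unprivileged services use with-contenv` should say so, or the next maintainer will "fix" it. The mode s6-dumpenv gives the individual files is not visible in this patch and is worth confirming to be no looser than the directory.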
@@ -0,0 +1,109 @@
+#!/usr/bin/execlineb -S0
+
+# This file is executed (not as process 1!) as soon as s6-svscan
+# starts, with the original stdin/out/err, but NOT the original
+# environment.
+# Purpose of this file: to perform all the one-time initialization tasks.
+
+if -nt
+{
+ if
+ {
+ redirfd -w 1 /var/run/s6/uncaught-logs-fifo
+ fdmove -c 2 1
+
+
+ ##
+ ## Ensure owners and permissions are correct
+ ##
+
+ if
+ {
+ export recfunction "\
+ foreground { s6-envuidgid \\${3} s6-chown -U -- \\${1} }
+ ifelse -- { if { s6-\\${2} } s6-test -d \\${1} }
+ {
+ foreground { s6-chmod \\${5} \\${1} }
+ forbacktickx -0 subfile { s6-ls -0 \\${1} }
+ multisubstitute
+ {
+ import -u subfile
+ import fn
+ }
+ execlineb -S5 -c \\${recfunction} \\${1}/${subfile} true \\${3} \\${4} \\${5
+ }
+ s6-chmod \\${4} \\${1}"
+
+ if { s6-test -f ${1} }
+ redirfd -r 0 ${1}
+ forstdin -d"\n" -- line
+ import -u line
+ if { s6-test -n ${line} }
+ multidefine -0 -Cd" \t" -- ${line} { globex recurse user fmode dmode }
+ elglob -0 -- files ${globex}
+ forx -p -- file { ${files} }
+ multisubstitute
+ {
+ import -u file
+ import recfunction
+ }
+ execlineb -S5 -c ${recfunction} ${file} ${recurse} ${user} ${fmode} ${dmode}
+ }
+
+
+ ##
+ ## cont-init.d: one-time init scripts
+ ##
+
+ if { s6-echo "[cont-init.d] executing container initialization scripts..." }
+ if
+ {
+ pipeline { s6-ls -0 -- /etc/cont-init.d }
+ pipeline { s6-sort -0 -- }
+ forstdin -0 -- i
+ import -u i
+ if { s6-echo -n -- "[cont-init.d] executing ${i}... " }
+ foreground { with-contenv /etc/cont-init.d/${i} }
+ import -u ? s6-echo -- " ... exited ${?}"
+ }
+ if { s6-echo -- "[cont-init.d] done." }
+
+
+ ##
+ ## services.d: long-lived processes to be supervised
+ ##
+
+ if { s6-echo "[services.d] starting services" }
+ if
+ {
+ pipeline { s6-ls -0 -- /etc/services.d }
+ forstdin -0 -- i
+ import -u i
+ if { s6-test -d /etc/services.d/${i} }
+ s6-hiercopy /etc/services.d/${i} /var/run/s6/service/${i}
+ }
+ if { s6-svscanctl -a /var/run/s6/service }
+ if { s6-echo -- "[services.d] done." }
+
+ }
+
+
+ ##
+ ## The init is complete. If the user has given a CMD, run it now, then
+ ## kill everything when it exits.
+ ##
+
+ if -t { s6-test $# -ne 0 }
+ foreground { s6-setsid -gq -- with-contenv $@ }
+ foreground { import -u ? s6-echo "${1} exited ${?}. Stopping the supervision tree." }
+ foreground { s6-svscanctl -t /var/run/s6/service }
+
+ # Race condition here, but it's ok: the sync in stage 3 takes ages,
+ # and if we get killed by the SIGTERM instead of the SIGKILL, meh, who cares.
+
+ # Wait to be nuked
+ s6-pause -hqbait
+}
+
+# if anything in the if -nt { } block fails, control jumps here.
+s6-echo -- "\n!!!!!\n init-stage2 failed.\n Logs are in /var/log/s6/uncaught-logs\n!!!!!"
diff --git a/overlay-rootfs/etc/s6/init/init-stage3 b/overlay-rootfs/etc/s6/init/init-stage3
new file mode 100755
index 0000000..b374627
--- /dev/null
+++ b/overlay-rootfs/etc/s6/init/init-stage3
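Review bot: The cont-init.d loop (`pipeline { s6-ls -0 -- /etc/cont-init.d }` … `foreground { with-contenv /etc/cont-init.d/${i} }`) runs every directory entry as root, whereas the deleted stage-2 script filtered with `find -maxdepth 1 -type f ! -name ".*"`; subdirectories, dotfiles and editor backups left in /etc/cont-init.d will now be attempted, and their failure is only printed as `... exited N` before stage 2 carries on. `if { s6-test -f /etc/cont-init.d/${i} }` after `import -u i` restores the old filter, and whether a non-zero exit of an init script should abort stage 2 rather than just be logged deserves a comment either way. Separately, in the `recfunction` string the recursive `execlineb -S5` call ends in `\\${5` with no closing brace and the inner `import fn` names a variable nothing defines, so the permission fixer as written does not look runnable (a later patch in this series reworks it).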
@@ -0,0 +1,37 @@
+#!/usr/bin/execlineb -S0
+
+# This is the shutdown script, running as process 1.
+
+cd /
+
+
+# Sync before TERM'n
+
+foreground { s6-echo "[s6-finish] syncing disks." }
+foreground { s6-sync }
+
+
+# Kill everything, gently.
+
+foreground { s6-echo "[s6-finish] sending all processes the TERM signal." }
+foreground { s6-nuke -th } # foreground is process 1: it survives
+foreground
+{
+ with-contenv
+ /usr/bin/import -u -D 3000 S6_KILL_GRACETIME
+ /usr/bin/s6-sleep -m -- ${S6_KILL_GRACETIME}
+}
+
+# Last message, then close our pipes and give the logger some time.
+foreground { s6-echo "[s6-finish] sending all processes the KILL signal and exiting." }
+fdclose 1 fdclose 2
+s6-sleep -m 200
+
+# Kill everything, brutally.
+foreground { s6-nuke -k } # foreground is process 1: it survives again
+
+
+# Reap all the zombies then sync, and we're done.
+
+wait { }
+s6-sync
diff --git a/overlay-rootfs/etc/s6/.s6-svscan/crash b/overlay-rootfs/etc/s6/service/.s6-svscan/crash
old mode 100644
new mode 100755
similarity index 79%
rename from overlay-rootfs/etc/s6/.s6-svscan/crash
rename to overlay-rootfs/etc/s6/service/.s6-svscan/crash
index bbf9977..2c5a327
--- a/overlay-rootfs/etc/s6/.s6-svscan/crash
+++ b/overlay-rootfs/etc/s6/service/.s6-svscan/crash
@@ -3,11 +3,6 @@
 # This file is run when an unrecoverable error happens
 # to s6-svscan. Edit it to suit your needs.
-cd /
-redirfd -r 0 /dev/console
-redirfd -w 1 /dev/console
 fdmove -c 2 1
-
 foreground { s6-echo "s6-svscan panicked! Dropping to a root shell.\n" }
-
 /bin/sh -i
diff --git a/overlay-rootfs/etc/s6/service/.s6-svscan/finish b/overlay-rootfs/etc/s6/service/.s6-svscan/finish
new file mode 100755
index 0000000..994a322
--- /dev/null
+++ b/overlay-rootfs/etc/s6/service/.s6-svscan/finish
@@ -0,0 +1,2 @@
+#!/usr/bin/execlineb -S0
+/etc/s6/init/init-stage3 $@
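Review bot: `/usr/bin/import -u -D 3000 S6_KILL_GRACETIME` takes the TERM-to-KILL grace time straight from the container environment, and a value that is not a non-negative integer makes `s6-sleep -m` fail; because the whole thing sits in `foreground`, that failure is ignored and stage 3 goes from SIGTERM to SIGKILL with no grace period at all, which is the opposite of what a user setting the variable wanted. Validating with `ifelse { s6-test ${S6_KILL_GRACETIME} -ge 0 } { s6-sleep -m -- ${S6_KILL_GRACETIME} } s6-sleep -m -- 3000` keeps the default on bad input, or at minimum add `# S6_KILL_GRACETIME: milliseconds between TERM and KILL; an invalid value skips the wait entirely` above the block so the failure mode is documented.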
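Review bot: With the `/dev/console` redirections removed, the `/bin/sh -i` that remains in .s6-svscan/crash is still an interactive root shell, now attached to whatever descriptors s6-svscan inherited; stage 1 in this same patch points fd 0 at /dev/null and fd 1 at the uncaught-logs fifo, so the shell will presumably read EOF and exit at once, taking process 1 with it, rather than offer anyone a prompt. If an immediate exit is the intended outcome, expressing it directly (log the panic, then exit) is clearer than a root shell that only works when a terminal happens to be attached; if a debug shell is genuinely wanted, it should be an explicit opt-in rather than the default. The file's first two lines are outside the hunk.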
diff --git a/overlay-rootfs/etc/s6/service/s6-fdholderd/log/run b/overlay-rootfs/etc/s6/service/s6-fdholderd/log/run
new file mode 100755
index 0000000..c465890
--- /dev/null
+++ b/overlay-rootfs/etc/s6/service/s6-fdholderd/log/run
@@ -0,0 +1,4 @@
+#!/usr/bin/execlineb -P
+s6-setuidgid nobody
+exec -c --
+s6-log -- t /var/log/s6-fdholderd
diff --git a/overlay-rootfs/etc/s6/fdholderd/rules/uid/default/allow b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/allow
similarity index 100%
rename from overlay-rootfs/etc/s6/fdholderd/rules/uid/default/allow
rename to overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/allow
diff --git a/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_GETDUMP b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_GETDUMP
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_GETDUMP
@@ -0,0 +1 @@
+
diff --git a/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_LIST b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_LIST
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_LIST
@@ -0,0 +1 @@
+
diff --git a/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_RETRIEVE_REGEX b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_RETRIEVE_REGEX
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_RETRIEVE_REGEX
@@ -0,0 +1 @@
+
diff --git a/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_SETDUMP b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_SETDUMP
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_SETDUMP
@@ -0,0 +1 @@
+
diff --git a/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_STORE_REGEX b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_STORE_REGEX
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/0/env/S6_FDHOLDER_STORE_REGEX
@@ -0,0 +1 @@
+
diff --git a/overlay-rootfs/etc/s6/fdholderd/rules/uid/default/env/S6_FDHOLDER_LIST b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/default/allow
similarity index 100%
rename from overlay-rootfs/etc/s6/fdholderd/rules/uid/default/env/S6_FDHOLDER_LIST
rename to overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/default/allow
diff --git a/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/default/env/S6_FDHOLDER_LIST b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/default/env/S6_FDHOLDER_LIST
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/overlay-rootfs/etc/s6/service/s6-fdholderd/rules/uid/default/env/S6_FDHOLDER_LIST
@@ -0,0 +1 @@
+
diff --git a/overlay-rootfs/etc/s6/service/s6-fdholderd/run b/overlay-rootfs/etc/s6/service/s6-fdholderd/run
new file mode 100755
index 0000000..d83e5b4
--- /dev/null
+++ b/overlay-rootfs/etc/s6/service/s6-fdholderd/run
@@ -0,0 +1,5 @@
+#!/usr/bin/execlineb -P
+s6-notifywhenup
+s6-envuidgid daemon
+exec -c --
+s6-fdholder-daemon -U -1 -i rules -- /var/run/s6/fdholderd-socket
diff --git a/overlay-rootfs/etc/s6/service/s6-svscan-log/run b/overlay-rootfs/etc/s6/service/s6-svscan-log/run
new file mode 100755
index 0000000..73a28c3
--- /dev/null
+++ b/overlay-rootfs/etc/s6/service/s6-svscan-log/run
@@ -0,0 +1,5 @@
+#!/usr/bin/execlineb -P
+redirfd -rnb 0 /var/run/s6/uncaught-logs-fifo
+s6-setuidgid nobody
+exec -c
+s6-log -bp -- t /var/log/s6-uncaught-logs
diff --git a/overlay-rootfs/init b/overlay-rootfs/init
old mode 100644
new mode 100755
index aec130d..fdce1a6
--- a/overlay-rootfs/init
+++ b/overlay-rootfs/init
@@ -1,3 +1,2 @@
-#!/usr/bin/execlineb
-elgetpositionals
-/etc/s6/.s6-init/init-stage1 $@
+#!/usr/bin/execlineb -S0
+/etc/s6/init/init-stage1 $@
diff --git a/overlay-rootfs/usr/bin/with-contenv b/overlay-rootfs/usr/bin/with-contenv
index 7be4eff..2ba5915 100644
--- a/overlay-rootfs/usr/bin/with-contenv
+++ b/overlay-rootfs/usr/bin/with-contenv
@@ -1,6 +1,5 @@
-#!/usr/bin/execlineb
-
-elgetpositionals
-emptyenv
-s6-envdir /etc/container_environment
+#!/usr/bin/execlineb -S0
+/usr/bin/exec -c --
+/usr/bin/s6-envdir -fn -- /var/run/s6/container_environment
+/usr/bin/exec --
 $@
diff --git a/overlay-rootfs/usr/bin/with-notifywhenup b/overlay-rootfs/usr/bin/with-notifywhenup
index 1cf7d54..06a8c3f 100644
--- a/overlay-rootfs/usr/bin/with-notifywhenup
+++ b/overlay-rootfs/usr/bin/with-notifywhenup
@@ -1,5 +1,4 @@
 #!/usr/bin/execlineb -S0
-
-s6-notifywhenup
-foreground { printf "\n" }
+foreground { s6-notifywhenup -f s6-echo }
+unexport ?
 $@
From 144b04801781b2ec8bb6205feda05a21989a2faf Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Sun, 8 Mar 2015 04:54:37 +0000 Subject: [PATCH 2/5] - make a fix-attrs binary (it reads the fix descriptions on stdin) - modify init-stage2 to use it properly, by reading everything in /etc/fix-attrs.d - the original fix descriptions are now a file in /etc/fix-attrs.d - minor fixes/changes to init-stage2 - make /usr/bin/with-* executable (!) --- .../00-runscripts} | 0 overlay-rootfs/etc/s6/init/init-stage2 | 46 ++++++------------- overlay-rootfs/usr/bin/fix-attrs | 30 ++++++++++++ overlay-rootfs/usr/bin/with-contenv | 0 overlay-rootfs/usr/bin/with-notifywhenup | 0 5 files changed, 43 insertions(+), 33 deletions(-) rename overlay-rootfs/etc/{s6/init/fix-attrs.txt => fix-attrs.d/00-runscripts} (100%) create mode 100755 overlay-rootfs/usr/bin/fix-attrs mode change 100644 => 100755 overlay-rootfs/usr/bin/with-contenv mode change 100644 => 100755 overlay-rootfs/usr/bin/with-notifywhenup
diff --git a/overlay-rootfs/etc/s6/init/fix-attrs.txt b/overlay-rootfs/etc/fix-attrs.d/00-runscripts
similarity index 100%
rename from overlay-rootfs/etc/s6/init/fix-attrs.txt
rename to overlay-rootfs/etc/fix-attrs.d/00-runscripts
diff --git a/overlay-rootfs/etc/s6/init/init-stage2 b/overlay-rootfs/etc/s6/init/init-stage2
index c08ce14..cd678ec 100755
--- a/overlay-rootfs/etc/s6/init/init-stage2
+++ b/overlay-rootfs/etc/s6/init/init-stage2
@@ -14,41 +14,21 @@ if -nt
 ##
- ## Ensure owners and permissions are correct
+ ## fix-attrs.d: ensure owners and permissions are correct
 ##
+ if { s6-echo "[fix-attrs.d] applying owners & permissions fixes..." }
 if
 {
- export recfunction "\
- foreground { s6-envuidgid \\${3} s6-chown -U -- \\${1} }
- ifelse -- { if { s6-\\${2} } s6-test -d \\${1} }
- {
- foreground { s6-chmod \\${5} \\${1} }
- forbacktickx -0 subfile { s6-ls -0 \\${1} }
- multisubstitute
- {
- import -u subfile
- import fn
- }
- execlineb -S5 -c \\${recfunction} \\${1}/${subfile} true \\${3} \\${4} \\${5
- }
- s6-chmod \\${4} \\${1}"
-
- if { s6-test -f ${1} }
- redirfd -r 0 ${1}
- forstdin -d"\n" -- line
- import -u line
- if { s6-test -n ${line} }
- multidefine -0 -Cd" \t" -- ${line} { globex recurse user fmode dmode }
- elglob -0 -- files ${globex}
- forx -p -- file { ${files} }
- multisubstitute
- {
- import -u file
- import recfunction
- }
- execlineb -S5 -c ${recfunction} ${file} ${recurse} ${user} ${fmode} ${dmode}
+ pipeline { s6-ls -0 -- /etc/fix-attrs.d }
+ pipeline { s6-sort -0 -- }
+ forstdin -0 -- i
+ import -u i
+ if { s6-echo -n -- "[fix-attrs.d] applying ${i}... " }
+ foreground { redirfd -r 0 /etc/fix-attrs.d/${i} fix-attrs }
+ import -u ? s6-echo -- " exited ${?}"
 }
+ if { s6-echo -- "[fix-attrs.d] done." }
 ##
@@ -77,7 +57,7 @@ if -nt
 if
 {
 pipeline { s6-ls -0 -- /etc/services.d }
-forstdin -0 -- i
+forstdin -0 -p -- i
 import -u i
 if { s6-test -d /etc/services.d/${i} }
 s6-hiercopy /etc/services.d/${i} /var/run/s6/service/${i}
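Review bot: `foreground { redirfd -r 0 /etc/fix-attrs.d/${i} fix-attrs }` feeds every entry `s6-ls` returns to fix-attrs with no regular-file check, and a run that fails is only echoed as `exited N` before stage 2 carries on; since these files set ownership and modes as root, a half-applied set is easy to miss in the log. Either filter with `if { s6-test -f /etc/fix-attrs.d/${i} }` right after `import -u i`, or add a comment stating that a failing fix-attrs file is deliberately non-fatal. The enclosing `if -nt` block starts and ends outside the hunk.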
@@ -102,8 +82,8 @@ if -nt
 # and if we get killed by the SIGTERM instead of the SIGKILL, meh, who cares.
 # Wait to be nuked
- s6-pause -hqbait
+ s6-pause -th
 }
 # if anything in the if -nt { } block fails, control jumps here.
-s6-echo -- "\n!!!!!\n init-stage2 failed.\n Logs are in /var/log/s6/uncaught-logs\n!!!!!"
+s6-echo -- "\n!!!!!\n init-stage2 failed.\n Logs are in /var/log/s6-uncaught-logs\n!!!!!"
diff --git a/overlay-rootfs/usr/bin/fix-attrs b/overlay-rootfs/usr/bin/fix-attrs
new file mode 100755
index 0000000..f4a8e47
--- /dev/null
+++ b/overlay-rootfs/usr/bin/fix-attrs
@@ -0,0 +1,30 @@
+#!/usr/bin/execlineb -P
+
+/usr/bin/export PATH /usr/bin:/bin
+/usr/bin/export recfunction "\
+foreground { s6-envuidgid ${3} s6-chown -U -- ${1} }
+ifelse -- { if { s6-${2} } s6-test -d ${1} }
+{
+ foreground { s6-chmod ${5} ${1} }
+ forbacktickx -0 subfile { s6-ls -0 ${1} }
+ multisubstitute
+ {
+ import -u subfile
+ import recfunction
+ }
+ execlineb -S5 -c ${recfunction} ${1}/${subfile} true ${3} ${4} ${5}
+}
+s6-chmod ${4} ${1}"
+
+forstdin -d"\n" -- line
+import -u line
+if { s6-test -n ${line} }
+multidefine -0 -Cd" \t" -- ${line} { globex recurse user fmode dmode }
+elglob -0 -- files ${globex}
+forx -p -- file { ${files} }
+multisubstitute
+{
+ import -u file
+ import recfunction
+}
+execlineb -S5 -c ${recfunction} ${file} ${recurse} ${user} ${fmode} ${dmode}
diff --git a/overlay-rootfs/usr/bin/with-contenv b/overlay-rootfs/usr/bin/with-contenv
old mode 100644
new mode 100755
diff --git a/overlay-rootfs/usr/bin/with-notifywhenup b/overlay-rootfs/usr/bin/with-notifywhenup
old mode 100644
new mode 100755
From 3733da04efef3f04a1a22a7a2b46df72069a9bce Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Tue, 10 Mar 2015 14:43:56 +0000 Subject: [PATCH 3/5] Add /usr/sbin and /sbin to the stage 1 PATH --- overlay-rootfs/etc/s6/init/env/PATH | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
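Review bot: In `recfunction`, `ifelse -- { if { s6-${2} } s6-test -d ${1} }` decides whether to recurse with a test that follows symbolic links, and `s6-chown -U` / `s6-chmod` are then applied to whatever the link resolves to, so a symlink planted inside a fixed tree pulls an unrelated directory into a root-run recursive chown/chmod. For the image-owned paths in 00-runscripts that is only a foot-gun, but fix-attrs is a generic tool, and a fix-attrs.d entry that points at a volume or any other path a non-root user can write to turns this into a way for that user to get arbitrary files re-owned; refusing links, e.g. `if -n { s6-test -L ${1} }` as the first word of recfunction (s6-test mirrors test(1)'s `-L`; confirm), or a header comment stating that fix-attrs must only be aimed at root-owned trees, closes that. The stdin format — one `glob recurse(true|false) user fmode dmode` record per line — is also nowhere written down and belongs in a comment at the top of the file.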
diff --git a/overlay-rootfs/etc/s6/init/env/PATH b/overlay-rootfs/etc/s6/init/env/PATH
index fc77125..d46ff70 100644
--- a/overlay-rootfs/etc/s6/init/env/PATH
+++ b/overlay-rootfs/etc/s6/init/env/PATH
@@ -1 +1 @@
-/usr/bin:/bin
+/usr/bin:/usr/sbin:/bin:/sbin
From 7205f494eb1162fcd57af7d76b162c330069947a Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Tue, 10 Mar 2015 15:18:38 +0000 Subject: [PATCH 4/5] Pull latest files from Gorka's repo --- Dockerfile | 4 ++-- rootfs/build-latest | 48 ++++++++++++++++++++++++++++---------------- rootfs/build-wrapper | 4 ++++ 3 files changed, 37 insertions(+), 19 deletions(-) mode change 100644 => 100755 rootfs/build-latest create mode 100755 rootfs/build-wrapper
diff --git a/Dockerfile b/Dockerfile
index 272b225..7e29691 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,9 +6,9 @@ ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && apt-get install -y curl
 COPY rootfs /
-RUN chmod +x /build-latest
+RUN chmod +x /build-*
 ENV OVERLAY_ROOTFS_PATH /overlay-rootfs
 COPY overlay-rootfs $OVERLAY_ROOTFS_PATH
-CMD [ "/build-latest" ]
+CMD [ "/build-wrapper" ]
diff --git a/rootfs/build-latest b/rootfs/build-latest
old mode 100644
new mode 100755
index 605c26e..d601da8
--- a/rootfs/build-latest
+++ b/rootfs/build-latest
@@ -1,11 +1,13 @@
-#!/bin/bash
+#!/usr/bin/env bash
+set -e
+set -x
 ##
 ## PARAMS
 ##
 OVERLAY_ROOTFS_PATH=${1:-/overlay-rootfs}
-RELEASE_VERSION=${2:-1.5.0}
+RELEASE_VERSION=${2:-1.6.0}
 outputs=(
 linux
@@ -51,8 +53,10 @@ for package in "${packages[@]}"; do
 curl -R -L -O https://github.com/just-containers/skaware-builder/releases/download/v$RELEASE_VERSION/$file
 done
-# fix-attrs
-curl -R -L -o /tmp/fix-attrs https://github.com/glerchundi/fix-attrs/releases/download/v0.4.0/fix-attrs-0.4.0-linux-amd64
+# strace (if we want to debug)
+if [ -n "$DEBUG" ]; then
+ curl -R -L -o /tmp/strace http://landley.net/aboriginal/downloads/binaries/extras/strace-x86_64
+fi
 ##
 ## OVERLAYS
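Review bot: `curl -R -L -o /tmp/strace http://landley.net/aboriginal/downloads/binaries/extras/strace-x86_64` fetches an executable over plain HTTP with no checksum or signature check, and the next hunk copies it into the overlay as /usr/bin/strace; even gated on `DEBUG` that is an unverified binary entering the shipped tarball, and `set -e` cannot tell a tampered download from a good one. Pin a digest obtained out of band and verify it before use, e.g. `echo "<EXPECTED_SHA256>  /tmp/strace" | sha256sum -c -` (placeholder to be filled in), and use an https URL if the host offers one. The skaware-builder downloads on the context line above have the same gap, which this commit does not touch.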
@@ -69,9 +73,6 @@ do
 # copy overlay files
 cp -a $OVERLAY_ROOTFS_PATH/. $overlaypath/
- # create cont-init.d directory always
- mkdir -p $overlaypath/etc/cont-init.d
-
 # skarnet versions manifest
 packages=($(get_packages_with_versions_from_manifest "manifest-$output.txt"))
@@ -81,19 +82,32 @@ do
 tar xvfz /tmp/$package-linux-amd64-bin.tar.gz -C $overlaypath
 done
- # install fix-attrs
- cp /tmp/fix-attrs $overlaypath/usr/bin/fix-attrs
+ # create must exist directories
+ mkdir -p $overlaypath/etc/s6/init/env-stage2
+ mkdir -p $overlaypath/etc/{cont-init.d,fix-attrs.d,services.d}
+ mkdir -p $overlaypath/var/log/{s6-uncaught-logs,s6-fdholderd}
+
+ # copy strace & fix permissions
+ if [ -n "$DEBUG" ]; then
+ cp /tmp/strace $overlaypath/usr/bin/strace
+ chmod 0755 $overlaypath/usr/bin/strace
+ fi
+
+ # fix fix-attrs perms
+ chmod 0755 $overlaypath/usr/bin/fix-attrs
- # fix perms
- chmod +x $overlaypath/init \
- $overlaypath/etc/s6/.s6-svscan/finish \
- $overlaypath/etc/s6/.s6-init/init-stage* \
- $overlaypath/usr/bin/fix-attrs
+ # fix init perms
+ chmod 0755 $overlaypath/init
+ chmod 0755 $overlaypath/etc/s6/init/init-stage*
+ chmod 0755 $overlaypath/etc/s6/service/.s6-svscan/{crash,finish}
+ chmod 0755 $overlaypath/etc/s6/service/s6-fdholderd/run
+ chmod 0755 $overlaypath/etc/s6/service/s6-svscan-log/run
- ##
- ## DIST!
- ##
+ # fix log folder perms
+ chmod 2700 $overlaypath/var/log/{s6-uncaught-logs,s6-fdholderd}
+ chown nobody:nogroup $overlaypath/var/log/{s6-uncaught-logs,s6-fdholderd}
+ # dist!
 mkdir -p /dist
 tar -zcvf /dist/s6-overlay-$RELEASE_VERSION-$output-amd64.tar.gz -C $overlaypath ./
 done
diff --git a/rootfs/build-wrapper b/rootfs/build-wrapper
new file mode 100755
index 0000000..ca4542d
--- /dev/null
+++ b/rootfs/build-wrapper
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+rm -f /dist/*
+/build-latest 2>&1 | tee "/dist/build-latest-$(date +'%Y%m%d%H%M%S').log"
From 58d0e33d2c74bc89413563807136f3a15f6556b8 Mon Sep 17 00:00:00 2001
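Review bot: `chown nobody:nogroup $overlaypath/var/log/{s6-uncaught-logs,s6-fdholderd}` bakes the build image's idea of those names into the tarball, and `chmod 2700` on the same directories sets a setgid bit that has no effect once nothing but the owner can create files there; both deserve a comment saying what they are for. Because the two s6-log instances run as `nobody` and must be able to write here, it is worth a hedged note that on a target base image where nobody/nogroup map to different ids the extracted directories may end up unwritable for the logger — I cannot confirm from the diff which outputs this affects. `$overlaypath` is unquoted throughout, consistent with the rest of the script but worth `"$overlaypath"` on the new lines at least.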
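Review bot: `/build-latest 2>&1 | tee "/dist/build-latest-$(date +'%Y%m%d%H%M%S').log"` makes the wrapper's exit status that of `tee`, so the image's CMD reports success even when build-latest aborts part-way and /dist holds a partial tarball beside the log. `set -o pipefail` after the shebang (or `exit "${PIPESTATUS[0]}"` following the pipeline) propagates the real status. `rm -f /dist/*` on what is presumably a mounted output directory also deserves a comment such as `# previous build artifacts are intentionally discarded`.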
From: Laurent Bercot Date: Tue, 10 Mar 2015 15:20:01 +0000 Subject: [PATCH 5/5] keep PATH to run s6-fdholder-daemon --- overlay-rootfs/etc/s6/service/s6-fdholderd/run | 1 - 1 file changed, 1 deletion(-)
diff --git a/overlay-rootfs/etc/s6/service/s6-fdholderd/run b/overlay-rootfs/etc/s6/service/s6-fdholderd/run
index d83e5b4..9f1f292 100755
--- a/overlay-rootfs/etc/s6/service/s6-fdholderd/run
+++ b/overlay-rootfs/etc/s6/service/s6-fdholderd/run
@@ -1,5 +1,4 @@
 #!/usr/bin/execlineb -P
 s6-notifywhenup
 s6-envuidgid daemon
-exec -c --
 s6-fdholder-daemon -U -1 -i rules -- /var/run/s6/fdholderd-socket