New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chrootenv: rewrite on top of GLib #33139
Conversation
9307ec2
to
be611fd
Compare
I feel confident about new code and will merge on 31st if no one has any issues with it. I should note that none of the changes to chrootenv are breaking |
|
||
else if (WIFSIGNALED(status)) | ||
kill(getpid(), WTERMSIG(status)); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is not obvious that the equivalent of return EX_OSERR;
of the old version is unneeded in the new version: the signal that terminated the child process may be ignored by default and not terminate chrootenv.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If signal is ignored, chrootenv will return 0. This seems to be logical behavior.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the child overrode the default of ignoring a signal and died on receiving it, it did not exit cleanly and chrootenv should not return 0.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right, it's better to return 1 in this case. I've added it, see ac40a57.
a0d1430
to
430476a
Compare
What do you think about documenting what this code is for and how it (roughly) works. I think each piece of code should explain why it is needed. So, what problem does this code solve? Looking at the older version, there were some comments that helps the reader understand what is happening. |
There are only two comments that still apply, specifically "Create new mount and user namespaces" and "Map users and groups to the parent namespace". I don't think these are particularly useful to keep around, because people who know about mount and user namespaces probably know about
Setting up a chroot to ultimately run programs that assume a FHS-compliant environment. |
That at the very least should be included in the code header. |
I'll add something like it to |
According to docs it seems This seems inappropriate for at least the error path that prints messages to the user about running Maybe make a pass with this in mind, or instead adjust the g_perr macro to just log and exit instead? |
|
Not to bikeshed but I can't help but wonder how much of benefit glib brings here compared to C++ or something (g_autofree patterns, etc.)? Regardless I'd appreciate, if for my curiosity if nothing else, a mention of the role glib plays in obtaining the improvements in this PR or to what extent they're orthogonal? |
I think C++ is a bad language because it's very complex.
|
Okay, thanks for the comments and consideration of abort. LGTM review-wise. |
Thanks for reviewing it! |
#include <unistd.h> | ||
|
||
#define g_perr(s, err) g_error("%s#L%d: %s: %s", __func__, __LINE__, s, g_strerror(err)) | ||
#define g_perrno(s) g_perr(s, errno) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
g_
is a glib namespace, you should not define names starting with g_
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, and names themselves are misleading (perror
doesn't abort). I've pushed a new version with fail
and fail_if
macros: I think that separates concerns much better than previously used error macros, and names are much more straightforward. fail_if
also cuts some boilerplate.
a1182bd
to
37da1a8
Compare
Changes: * doesn't handle root user separately * doesn't chdir("/") which makes using it seamless * only bind mounts, doesn't symlink (i.e. files) Incidentally, fixes NixOS#33106. It's about two times shorter than the previous version, and much easier to read/follow through. It uses GLib quite heavily, along with RAII (available in GCC/Clang).
37da1a8
to
4b1cf5a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have not tested the code itself, but the rest looks good to me.
@Mic92: Thanks for mentioning |
@orivej: Thanks for the review! I still want to implement a different order of messages in case of failed |
Changes:
chdir("/")
which makes using it seamlessIncidentally, it fixes #33106.
It's about two times shorter than the previous version (it's even shorter than the Ruby version), and much, much easier to read/follow through. It uses GLib quite heavily, along with RAII (available in GCC/Clang).
Symlinking already happens in init script, so it's redundant to have it in this code. It has only been in chrootenv for a week, and I might reintroduce it back later.
About closure size: Steam itself uses GLib, so it won't result in a larger closure for most chrootenv users. It's also likely to be required by other programs. I've tested Steam, and of course, it still works.
/cc @Mic92 @dezgeg @srhb @pbogdan