technocloud-public/nginx-unit
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Isolation: Rename NXT_HAVE_CLONE -> NXT_HAVE_LINUX_NS.

Browse Source 
Due to the need to replace our use of clone/__NR_clone on Linux with
fork(2)/unshare(2) for enabling Linux namespaces(7) to keep the
pthreads(7) API working.  Let's rename NXT_HAVE_CLONE to
NXT_HAVE_LINUX_NS, i.e name it after the feature, not how it's
implemented, then in future if we change how we do namespaces again we
don't have to rename this.

Reviewed-by: Alejandro Colomar <alx@nginx.com>
Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
This commit is contained in:
Andrew Clayton
2022-11-18 23:42:44 +00:00
parent 763396b8be
commit 3ecdd2c69c
8 changed files with 25 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
auto/isolation
View File

@@ -4,7 +4,7 @@
# Linux clone syscall. # Linux clone syscall.
NXT_ISOLATION=NO NXT_ISOLATION=NO
NXT_HAVE_CLONE=NO NXT_HAVE_LINUX_NS=NO
NXT_HAVE_CLONE_NEWUSER=NO NXT_HAVE_CLONE_NEWUSER=NO
NXT_HAVE_MOUNT=NO NXT_HAVE_MOUNT=NO
NXT_HAVE_UNMOUNT=NO NXT_HAVE_UNMOUNT=NO
@@ -12,21 +12,21 @@ NXT_HAVE_ROOTFS=NO
nsflags="USER NS PID NET UTS CGROUP" nsflags="USER NS PID NET UTS CGROUP"
nxt_feature="clone(2)" nxt_feature="Linux unshare()"
nxt_feature_name=NXT_HAVE_CLONE nxt_feature_name=NXT_HAVE_LINUX_NS
nxt_feature_run=no nxt_feature_run=no
nxt_feature_incs= nxt_feature_incs=
nxt_feature_libs= nxt_feature_libs=
nxt_feature_test="#include <sys/wait.h> nxt_feature_test="#define _GNU_SOURCE
#include <sys/syscall.h> #include <sched.h>
int main(void) { int main(void) {
return SYS_clone | SIGCHLD; return unshare(0);
}" }"
. auto/feature . auto/feature
if [ $nxt_found = yes ]; then if [ $nxt_found = yes ]; then
NXT_HAVE_CLONE=YES NXT_HAVE_LINUX_NS=YES
# Test all isolation flags # Test all isolation flags
for flag in $nsflags; do for flag in $nsflags; do

2
auto/sources
View File

@@ -299,7 +299,7 @@ if [ "$NXT_HAVE_HPUX_SENDFILE" = "YES" \
fi fi
if [ "$NXT_HAVE_CLONE" = "YES" ]; then if [ "$NXT_HAVE_LINUX_NS" = "YES" ]; then
NXT_LIB_SRCS="$NXT_LIB_SRCS $NXT_LIB_CLONE_SRCS" NXT_LIB_SRCS="$NXT_LIB_SRCS $NXT_LIB_CLONE_SRCS"
fi fi

2
src/nxt_clone.c
View File

@@ -8,7 +8,7 @@
#include <nxt_conf.h> #include <nxt_conf.h>
#include <nxt_clone.h> #include <nxt_clone.h>
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
pid_t pid_t
nxt_clone(nxt_int_t flags) nxt_clone(nxt_int_t flags)

6
src/nxt_credential.c
View File

@@ -286,7 +286,7 @@ nxt_credential_setuid(nxt_task_t *task, nxt_credential_t *uc)
if (setuid(uc->uid) != 0) { if (setuid(uc->uid) != 0) {
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
if (nxt_errno == EINVAL) { if (nxt_errno == EINVAL) {
nxt_log(task, NXT_LOG_ERR, "The uid %d (user \"%s\") isn't " nxt_log(task, NXT_LOG_ERR, "The uid %d (user \"%s\") isn't "
"valid in the application namespace.", uc->uid, uc->user); "valid in the application namespace.", uc->uid, uc->user);
@@ -314,7 +314,7 @@ nxt_credential_setgids(nxt_task_t *task, nxt_credential_t *uc)
if (setgid(uc->base_gid) != 0) { if (setgid(uc->base_gid) != 0) {
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
if (nxt_errno == EINVAL) { if (nxt_errno == EINVAL) {
nxt_log(task, NXT_LOG_ERR, "The gid %d isn't valid in the " nxt_log(task, NXT_LOG_ERR, "The gid %d isn't valid in the "
"application namespace.", uc->base_gid); "application namespace.", uc->base_gid);
@@ -333,7 +333,7 @@ nxt_credential_setgids(nxt_task_t *task, nxt_credential_t *uc)
if (nxt_slow_path(uc->ngroups > 0 if (nxt_slow_path(uc->ngroups > 0
&& setgroups(uc->ngroups, uc->gids) != 0)) { && setgroups(uc->ngroups, uc->gids) != 0)) {
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
if (nxt_errno == EINVAL) { if (nxt_errno == EINVAL) {
nxt_log(task, NXT_LOG_ERR, "The user \"%s\" (uid: %d) has " nxt_log(task, NXT_LOG_ERR, "The user \"%s\" (uid: %d) has "
"supplementary group ids not valid in the application " "supplementary group ids not valid in the application "

8
src/nxt_isolation.c
View File

@@ -21,7 +21,7 @@ static nxt_int_t nxt_isolation_set_cgroup(nxt_task_t *task,
nxt_conf_value_t *isolation, nxt_process_t *process); nxt_conf_value_t *isolation, nxt_process_t *process);
#endif #endif
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
static nxt_int_t nxt_isolation_set_namespaces(nxt_task_t *task, static nxt_int_t nxt_isolation_set_namespaces(nxt_task_t *task,
nxt_conf_value_t *isolation, nxt_process_t *process); nxt_conf_value_t *isolation, nxt_process_t *process);
static nxt_int_t nxt_isolation_clone_flags(nxt_task_t *task, static nxt_int_t nxt_isolation_clone_flags(nxt_task_t *task,
@@ -169,7 +169,7 @@ nxt_isolation_set(nxt_task_t *task, nxt_conf_value_t *isolation,
} }
#endif #endif
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
if (nxt_slow_path(nxt_isolation_set_namespaces(task, isolation, process) if (nxt_slow_path(nxt_isolation_set_namespaces(task, isolation, process)
!= NXT_OK)) != NXT_OK))
{ {
@@ -247,7 +247,7 @@ nxt_isolation_set_cgroup(nxt_task_t *task, nxt_conf_value_t *isolation,
#endif #endif
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
static nxt_int_t static nxt_int_t
nxt_isolation_set_namespaces(nxt_task_t *task, nxt_conf_value_t *isolation, nxt_isolation_set_namespaces(nxt_task_t *task, nxt_conf_value_t *isolation,
@@ -409,7 +409,7 @@ nxt_isolation_vldt_creds(nxt_task_t *task, nxt_process_t *process)
#endif #endif
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
static nxt_int_t static nxt_int_t
nxt_isolation_clone_flags(nxt_task_t *task, nxt_conf_value_t *namespaces, nxt_isolation_clone_flags(nxt_task_t *task, nxt_conf_value_t *namespaces,

2
src/nxt_main_process.c
View File

@@ -556,7 +556,7 @@ nxt_main_process_created_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg)
nxt_assert(process != NULL); nxt_assert(process != NULL);
nxt_assert(process->state == NXT_PROCESS_STATE_CREATING); nxt_assert(process->state == NXT_PROCESS_STATE_CREATING);
#if (NXT_HAVE_CLONE && NXT_HAVE_CLONE_NEWUSER) #if (NXT_HAVE_LINUX_NS && NXT_HAVE_CLONE_NEWUSER)
if (nxt_is_clone_flag_set(process->isolation.clone.flags, NEWUSER)) { if (nxt_is_clone_flag_set(process->isolation.clone.flags, NEWUSER)) {
if (nxt_slow_path(nxt_clone_credential_map(task, process->pid, if (nxt_slow_path(nxt_clone_credential_map(task, process->pid,
process->user_cred, process->user_cred,

10
src/nxt_process.c
View File

@@ -7,7 +7,7 @@
#include <nxt_main.h> #include <nxt_main.h>
#include <nxt_cgroup.h> #include <nxt_cgroup.h>
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
#include <nxt_clone.h> #include <nxt_clone.h>
#endif #endif
@@ -18,7 +18,7 @@
#endif #endif
#if (NXT_HAVE_CLONE) && (NXT_HAVE_CLONE_NEWPID) #if (NXT_HAVE_LINUX_NS) && (NXT_HAVE_CLONE_NEWPID)
#define nxt_is_pid_isolated(process) \ #define nxt_is_pid_isolated(process) \
nxt_is_clone_flag_set(process->isolation.clone.flags, NEWPID) nxt_is_clone_flag_set(process->isolation.clone.flags, NEWPID)
#else #else
@@ -318,7 +318,7 @@ nxt_process_create(nxt_task_t *task, nxt_process_t *process)
nxt_pid_t pid; nxt_pid_t pid;
nxt_runtime_t *rt; nxt_runtime_t *rt;
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
pid = nxt_clone(SIGCHLD | process->isolation.clone.flags); pid = nxt_clone(SIGCHLD | process->isolation.clone.flags);
if (nxt_slow_path(pid < 0)) { if (nxt_slow_path(pid < 0)) {
nxt_alert(task, "clone() failed for %s %E", process->name, nxt_errno); nxt_alert(task, "clone() failed for %s %E", process->name, nxt_errno);
@@ -355,7 +355,7 @@ nxt_process_create(nxt_task_t *task, nxt_process_t *process)
/* Parent. */ /* Parent. */
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
nxt_debug(task, "clone(%s): %PI", process->name, pid); nxt_debug(task, "clone(%s): %PI", process->name, pid);
#else #else
nxt_debug(task, "fork(%s): %PI", process->name, pid); nxt_debug(task, "fork(%s): %PI", process->name, pid);
@@ -781,7 +781,7 @@ nxt_process_apply_creds(nxt_task_t *task, nxt_process_t *process)
cap_setid = rt->capabilities.setid; cap_setid = rt->capabilities.setid;
#if (NXT_HAVE_CLONE && NXT_HAVE_CLONE_NEWUSER) #if (NXT_HAVE_LINUX_NS && NXT_HAVE_CLONE_NEWUSER)
if (!cap_setid if (!cap_setid
&& nxt_is_clone_flag_set(process->isolation.clone.flags, NEWUSER)) && nxt_is_clone_flag_set(process->isolation.clone.flags, NEWUSER))
{ {

6
src/nxt_process.h
View File

@@ -7,13 +7,13 @@
#ifndef _NXT_PROCESS_H_INCLUDED_ #ifndef _NXT_PROCESS_H_INCLUDED_
#define _NXT_PROCESS_H_INCLUDED_ #define _NXT_PROCESS_H_INCLUDED_
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
#include <unistd.h> #include <unistd.h>
#include <nxt_clone.h> #include <nxt_clone.h>
#endif #endif
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
/* /*
* Old glibc wrapper for getpid(2) returns a cached pid invalidated only by * Old glibc wrapper for getpid(2) returns a cached pid invalidated only by
* fork(2) calls. As we use clone(2) for container, it returns the wrong pid. * fork(2) calls. As we use clone(2) for container, it returns the wrong pid.
@@ -100,7 +100,7 @@ typedef struct {
nxt_cgroup_t cgroup; nxt_cgroup_t cgroup;
#endif #endif
#if (NXT_HAVE_CLONE) #if (NXT_HAVE_LINUX_NS)
nxt_clone_t clone; nxt_clone_t clone;
#endif #endif