Initial applications isolation support using Linux namespaces.

2019-09-19 15:25:23 +03:00
parent 6346e641ee
commit c554941b4f
21 changed files with 1467 additions and 201 deletions
--- a/auto/capability
+++ b/auto/capability
@@ -0,0 +1,19 @@
+
+# Copyright (C) Igor Sysoev
+# Copyright (C) NGINX, Inc.
+
+# Linux capability
+
+nxt_feature="Linux capability"
+nxt_feature_name=NXT_HAVE_LINUX_CAPABILITY
+nxt_feature_test="#include <linux/capability.h>
+                  #include <unistd.h>
+                  #include <sys/syscall.h>
+
+                  int main() {
+                      struct __user_cap_header_struct hdr;
+                      hdr.version = _LINUX_CAPABILITY_VERSION;
+                      syscall(SYS_capget, &hdr, 0);
+                      return 0;
+                  }"
+. auto/feature
--- a/auto/isolation
+++ b/auto/isolation
@@ -0,0 +1,52 @@
+# Copyright (C) Igor Sysoev
+# Copyright (C) NGINX, Inc.
+
+# Linux clone syscall.
+
+NXT_ISOLATION=NO
+NXT_HAVE_CLONE=NO
+
+nsflags="USER NS PID NET UTS CGROUP"
+
+nxt_feature="clone(2)"
+nxt_feature_name=NXT_HAVE_CLONE
+nxt_feature_run=no
+nxt_feature_incs=
+nxt_feature_libs=
+nxt_feature_test="#include <sys/wait.h>
+                  #include <sys/syscall.h>
+
+                  int main() {
+                      return __NR_clone | SIGCHLD;
+                  }"
+. auto/feature
+
+if [ $nxt_found = yes ]; then
+    NXT_HAVE_CLONE=YES
+
+    # Test all isolation flags
+    for flag in $nsflags; do
+        nxt_feature="CLONE_NEW${flag}"
+        nxt_feature_name=NXT_HAVE_CLONE_NEW${flag}
+        nxt_feature_run=no
+        nxt_feature_incs=
+        nxt_feature_libs=
+        nxt_feature_test="#define _GNU_SOURCE
+                          #include <sys/wait.h>
+                          #include <sys/syscall.h>
+                          #include <sched.h>
+
+                          int main() {
+                              return CLONE_NEW$flag;
+                         }"
+        . auto/feature
+
+        if [ $nxt_found = yes ]; then
+            if [ "$NXT_ISOLATION" = "NO" ]; then
+                NXT_ISOLATION=$flag
+            else
+                NXT_ISOLATION="$NXT_ISOLATION $flag"
+            fi
+        fi
+    done
+fi
--- a/auto/sources
+++ b/auto/sources
@@ -71,6 +71,7 @@ NXT_LIB_SRCS=" \
    src/nxt_upstream_round_robin.c \
    src/nxt_http_parse.c \
    src/nxt_app_log.c \
+    src/nxt_capability.c \
    src/nxt_runtime.c \
    src/nxt_conf.c \
    src/nxt_conf_validation.c \
@@ -132,6 +133,7 @@ NXT_LIB_SOLARIS_SENDFILEV_SRCS="src/nxt_solaris_sendfilev.c"
 NXT_LIB_MACOSX_SENDFILE_SRCS="src/nxt_macosx_sendfile.c"
 NXT_LIB_AIX_SEND_FILE_SRCS="src/nxt_aix_send_file.c"
 NXT_LIB_HPUX_SENDFILE_SRCS="src/nxt_hpux_sendfile.c"
+NXT_LIB_CLONE_SRCS="src/nxt_clone.c"

 NXT_TEST_BUILD_DEPS="src/nxt_test_build.h"
 NXT_TEST_BUILD_SRCS="src/nxt_test_build.c"
@@ -257,6 +259,11 @@ if [ "$NXT_HAVE_HPUX_SENDFILE" = "YES" \
 fi


+if [ "$NXT_HAVE_CLONE" = "YES" ]; then
+    NXT_LIB_SRCS="$NXT_LIB_SRCS $NXT_LIB_CLONE_SRCS"
+fi
+
+
 if [ "$NXT_TEST_BUILD" = "YES" ]; then
    NXT_LIB_SRCS="$NXT_LIB_SRCS $NXT_TEST_BUILD_SRCS"
 fi
--- a/auto/summary
+++ b/auto/summary
@@ -26,6 +26,8 @@ Unit configuration summary:
  Unix domain sockets support: $NXT_UNIX_DOMAIN
  TLS support: ............... $NXT_OPENSSL

+  process isolation: ......... $NXT_ISOLATION
+
  debug logging: ............. $NXT_DEBUG

 END