From: Lennart Poettering Date: Fri, 14 Aug 2020 17:58:37 +0000 (+0200) Subject: nspawn: provide $container and $container_uuid in /run/host too X-Git-Tag: v247-rc1~393^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f48ba7b8489770629f1b951a859e719666616ce;p=thirdparty%2Fsystemd.git nspawn: provide $container and $container_uuid in /run/host too This has the major benefit that the entire payload of the container can access these files there. Previously, we'd set them only as env vars, but that meant only PID 1 could read them directly or other privileged payload code with access to /run/1/environ.
---
diff --git a/src/basic/virt.c b/src/basic/virt.c
index 4c2280cfd61..212b3b7039c 100644
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@@ -491,6 +491,16 @@ int detect_container(void) {
 }
 }
 
+ /* The container manager might have placed this in the /run/host hierarchy for us, which is best
+ * because we can be consumed just like that, without special privileges. */
+ r = read_one_line_file("/run/host/container-manager", &m);
+ if (r > 0) {
+ e = m;
+ goto translate_name;
+ }
+ if (!IN_SET(r, -ENOENT, 0))
+ return log_debug_errno(r, "Failed to read /run/systemd/container: %m");
+
 if (getpid_cached() == 1) {
 /* If we are PID 1 we can just check our own environment variable, and that's authoritative.
 * We distinguish three cases:
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index c263b0ff708..3ad88298553 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
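Review bot: The error message on the new `log_debug_errno` line names the wrong file: the read is of /run/host/container-manager, but the log says /run/systemd/container, which sends whoever debugs a failed detection to the wrong path. Change it to `return log_debug_errno(r, "Failed to read /run/host/container-manager: %m");`. Because this read is placed ahead of the PID 1 environment check, the file now takes precedence over $container for PID 1 as well; that is presumably intended since /run/host is populated by the container manager, but a short comment stating that the /run/host copy is authoritative over the environment would make the precedence explicit. The rest of detect_container, including the translate_name label the new code jumps to, is outside the hunk.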
@@ -3564,6 +3564,14 @@ static int outer_child(
 if (r < 0)
 return r;
 
+ /* The same stuff as the $container env var, but nicely readable for the entire payload */
+ p = prefix_roota(directory, "/run/host/container-manager");
+ (void) write_string_file(p, arg_container_service_name, WRITE_STRING_FILE_CREATE);
+
+ /* The same stuff as the $container_uuid env var */
+ p = prefix_roota(directory, "/run/host/container-uuid");
+ (void) write_string_filef(p, WRITE_STRING_FILE_CREATE, SD_ID128_UUID_FORMAT_STR, SD_ID128_FORMAT_VAL(arg_uuid));
+
 if (!arg_use_cgns) {
 r = mount_cgroups(
 directory,
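Review bot: Both new writes discard their result with `(void)`, so if /run/host is missing or not writable at this point the payload silently ends up without these files and detect_container on the inside falls back to the environment variable with no trace of why. Best-effort is reasonable here, but a debug log keeps the failure diagnosable: `r = write_string_file(p, arg_container_service_name, WRITE_STRING_FILE_CREATE); if (r < 0) log_debug_errno(r, "Failed to write /run/host/container-manager, ignoring: %m");`, and the same for the UUID write. Since the stated goal is that unprivileged payload code can read these files, it is also worth confirming that the mode WRITE_STRING_FILE_CREATE applies makes them world-readable; that mode is not visible in the hunk. outer_child continues on both sides of the hunk.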