From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Thu, 21 Nov 2024 00:47:39 +0000 (+0000)
Subject: detect-virt: check the inode number of the pid namespace
X-Git-Tag: v257-rc3~30^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=193bf42ab0721384570bb6913e5f38385a9105e7;p=thirdparty%2Fsystemd.git

detect-virt: check the inode number of the pid namespace

The indoe number of root pid namespace is hardcoded in the kernel to
0xEFFFFFFC since 3.8, so check the inode number of our pid namespace
if all else fails. If it's not 0xEFFFFFFC then we are in a pid
namespace, hence a container environment.

Fixes https://github.com/systemd/systemd/issues/35249

[Reworked by Lennart, to make use of namespace_is_init()]
---

diff --git a/src/basic/virt.c b/src/basic/virt.c
index fd0c3537916..7792d64f16b 100644
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@@ -645,6 +645,16 @@ static int running_in_cgroupns(void) {
         }
 }
 
+static int running_in_pidns(void) {
+        int r;
+
+        r = namespace_is_init(NAMESPACE_PID);
+        if (r < 0)
+                return log_debug_errno(r, "Failed to test if in root PID namespace, ignoring: %m");
+
+        return !r;
+}
+
 static Virtualization detect_container_files(void) {
         static const struct {
                 const char *file_path;
@@ -790,12 +800,21 @@ check_files:
 
         r = running_in_cgroupns();
         if (r > 0) {
+                log_debug("Running in a cgroup namespace, assuming unknown container manager.");
                 v = VIRTUALIZATION_CONTAINER_OTHER;
                 goto finish;
         }
         if (r < 0)
                 log_debug_errno(r, "Failed to detect cgroup namespace: %m");
 
+        /* Finally, the root pid namespace has an hardcoded inode number of 0xEFFFFFFC since kernel 3.8, so
+         * if all else fails we can check the inode number of our pid namespace and compare it. */
+        if (running_in_pidns() > 0) {
+                log_debug("Running in a pid namespace, assuming unknown container manager.");
+                v = VIRTUALIZATION_CONTAINER_OTHER;
+                goto finish;
+        }
+
         /* If none of that worked, give up, assume no container manager. */
         v = VIRTUALIZATION_NONE;
         goto finish;
diff --git a/test/units/TEST-74-AUX-UTILS.detect-virt.sh b/test/units/TEST-74-AUX-UTILS.detect-virt.sh
index fe1db4d2aa2..a1539d9b44f 100755
--- a/test/units/TEST-74-AUX-UTILS.detect-virt.sh
+++ b/test/units/TEST-74-AUX-UTILS.detect-virt.sh
@@ -5,3 +5,7 @@ set -o pipefail
 
 SYSTEMD_IN_CHROOT=1 systemd-detect-virt --chroot
 (! SYSTEMD_IN_CHROOT=0 systemd-detect-virt --chroot)
+
+if ! systemd-detect-virt -c; then
+    unshare --mount-proc --fork --user --pid systemd-detect-virt --container
+fi