runc: introduce oci-systemd-hook

To support running "OS containers" aka systemd as the entry point under runc, we provide the oci-systemd-hook. By adding this to the pre-start and stop hook points, coupled with the proper config.json, you can start systemd controlled containers via runc. Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
author: Bruce Ashfield <bruce.ashfield@windriver.com> 2016-11-08 15:14:51 -0500
committer: Bruce Ashfield <bruce.ashfield@windriver.com> 2016-11-21 15:58:33 -0500
commit: 013fe63f17b2e25ba06744c7db436ca0ab01285f (patch)
tree: 2340e69d15fe5ddff9c1c364e5c67f0416dbe680
parent: 66997c4dcfc5cabd0b357ea46d6ac15ec3163c51 (diff)
download: meta-virtualization-013fe63f17b2e25ba06744c7db436ca0ab01285f.tar.gz
3 files changed, 100 insertions, 0 deletions
diff --git a/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-configure-drop-selinux-support.patch b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-configure-drop-selinux-support.patch
new file mode 100644
index 00000000..510126e4
--- /dev/null
+++ b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-configure-drop-selinux-support.patch
@@ -0,0 +1,25 @@
+From 12c263703a0b0ae92566de7e5440fce7b59cd9be Mon Sep 17 00:00:00 2001
+From: Bruce Ashfield <bruce.ashfield@windriver.com>
+Date: Tue, 8 Nov 2016 13:16:19 -0500
+Subject: [PATCH] configure: drop selinux support
+Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
+---
+ configure.ac | 1 -
+ 1 file changed, 1 deletion(-)
+diff --git a/configure.ac b/configure.ac
+index c1275acb253d..eaba7fbb57e2 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -8,7 +8,6 @@ AC_USE_SYSTEM_EXTENSIONS
+ AC_SYS_LARGEFILE
+ 
+ PKG_CHECK_MODULES([YAJL], [yajl >= 2.0.0])
+-PKG_CHECK_MODULES([SELINUX], [libselinux >= 2.0.0])
+ PKG_CHECK_MODULES([LIBMOUNT], [mount >= 2.23.0])
+ 
+ AC_MSG_CHECKING([whether to disable argument checking])
+-- 
+2.4.0.53.g8440f74
diff --git a/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch
new file mode 100644
index 00000000..507cd08e
--- /dev/null
+++ b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch
@@ -0,0 +1,40 @@
+From 9b66394c712ec0d0fcb2052baa7f590621a53461 Mon Sep 17 00:00:00 2001
+From: Bruce Ashfield <bruce.ashfield@windriver.com>
+Date: Tue, 8 Nov 2016 13:15:46 -0500
+Subject: [PATCH] selinux: drop selinux support
+Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
+---
+ src/systemdhook.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+diff --git a/src/systemdhook.c b/src/systemdhook.c
+index 274e5b910699..b9e8f1be376a 100644
+--- a/src/systemdhook.c
+++ b/src/systemdhook.c
+@@ -14,7 +14,6 @@
+ #include <errno.h>
+ #include <inttypes.h>
+ #include <linux/limits.h>
+-#include <selinux/selinux.h>
+ #include <yajl/yajl_tree.h>
+ 
+ #include "config.h"
+@@ -538,14 +537,6 @@ static int prestart(const char *rootfs,
+                        }
+                }
+ 
+-               if (strcmp("", mount_label)) {
+-                       rc = setfilecon(journal_dir, (security_context_t)mount_label);
+-                       if (rc < 0) {
+-                               pr_perror("Failed to set journal dir selinux context");
+-                               return -1;
+-                       }
+-               }
+-
+                if (makepath(cont_journal_dir, 0755) == -1) {
+                        if (errno != EEXIST) {
+                                pr_perror("Failed to mkdir container journal dir: %s", cont_journal_dir);
+-- 
+2.4.0.53.g8440f74
diff --git a/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb b/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb
new file mode 100644
index 00000000..872872a1
--- /dev/null
+++ b/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb
@@ -0,0 +1,35 @@
+DESCRIPTION = "OCI systemd hook enables users to run systemd in docker and OCI"
+SECTION = "console/utils"
+LICENSE = "GPLv3"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=d32239bcb673463ab874e80d47fae504"
+PRIORITY = "optional"
+DEPENDS = "yajl util-linux"
+SRCREV = "ca515c1f399bd0b16e94b7c34aa1ef20498beca6"
+SRC_URI = "git://github.com/projectatomic/oci-systemd-hook \
+           file://0001-selinux-drop-selinux-support.patch \
+           file://0001-configure-drop-selinux-support.patch \
+"
+PV = "0.0.1+git${SRCPV}"
+S = "${WORKDIR}/git"
+inherit autotools pkgconfig
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[selinux] = ",,libselinux"
+EXTRA_OECONF += "--libexecdir=${libexecdir}/oci/hooks.d"
+# nothing to compile, we do it all in the install task
+do_compile[noexec] = "1"
+do_install() {
+    # Avoid building docs, and other artifacts by surgically calling the
+    # semi-internal target of "install-exec-am"
+    oe_runmake 'DESTDIR=${D}' install-exec-am
+}
+FILES_${PN} += "${libexecdir}/oci/hooks.d/"
author	Bruce Ashfield <bruce.ashfield@windriver.com>	2016-11-08 15:14:51 -0500
committer	Bruce Ashfield <bruce.ashfield@windriver.com>	2016-11-21 15:58:33 -0500
commit	013fe63f17b2e25ba06744c7db436ca0ab01285f (patch)
tree	2340e69d15fe5ddff9c1c364e5c67f0416dbe680
parent	66997c4dcfc5cabd0b357ea46d6ac15ec3163c51 (diff)
download	meta-virtualization-013fe63f17b2e25ba06744c7db436ca0ab01285f.tar.gz

diff --git a/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-configure-drop-selinux-support.patch b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-configure-drop-selinux-support.patch new file mode 100644 index 00000000..510126e4 --- /dev/null +++ b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-configure-drop-selinux-support.patch
@@ -0,0 +1,25 @@
	1	From 12c263703a0b0ae92566de7e5440fce7b59cd9be Mon Sep 17 00:00:00 2001
	2	From: Bruce Ashfield <bruce.ashfield@windriver.com>
	3	Date: Tue, 8 Nov 2016 13:16:19 -0500
	4	Subject: [PATCH] configure: drop selinux support
	5
	6	Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
	7	---
	8	configure.ac \| 1 -
	9	1 file changed, 1 deletion(-)
	10
	11	diff --git a/configure.ac b/configure.ac
	12	index c1275acb253d..eaba7fbb57e2 100644
	13	--- a/configure.ac
	14	+++ b/configure.ac
	15	@@ -8,7 +8,6 @@ AC_USE_SYSTEM_EXTENSIONS
	16	AC_SYS_LARGEFILE
	17
	18	PKG_CHECK_MODULES([YAJL], [yajl >= 2.0.0])
	19	-PKG_CHECK_MODULES([SELINUX], [libselinux >= 2.0.0])
	20	PKG_CHECK_MODULES([LIBMOUNT], [mount >= 2.23.0])
	21
	22	AC_MSG_CHECKING([whether to disable argument checking])
	23	--
	24	2.4.0.53.g8440f74
	25


diff --git a/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch new file mode 100644 index 00000000..507cd08e --- /dev/null +++ b/recipes-containers/oci-systemd-hook/oci-systemd-hook/0001-selinux-drop-selinux-support.patch
@@ -0,0 +1,40 @@
	1	From 9b66394c712ec0d0fcb2052baa7f590621a53461 Mon Sep 17 00:00:00 2001
	2	From: Bruce Ashfield <bruce.ashfield@windriver.com>
	3	Date: Tue, 8 Nov 2016 13:15:46 -0500
	4	Subject: [PATCH] selinux: drop selinux support
	5
	6	Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
	7	---
	8	src/systemdhook.c \| 9 ---------
	9	1 file changed, 9 deletions(-)
	10
	11	diff --git a/src/systemdhook.c b/src/systemdhook.c
	12	index 274e5b910699..b9e8f1be376a 100644
	13	--- a/src/systemdhook.c
	14	+++ b/src/systemdhook.c
	15	@@ -14,7 +14,6 @@
	16	#include <errno.h>
	17	#include <inttypes.h>
	18	#include <linux/limits.h>
	19	-#include <selinux/selinux.h>
	20	#include <yajl/yajl_tree.h>
	21
	22	#include "config.h"
	23	@@ -538,14 +537,6 @@ static int prestart(const char *rootfs,
	24	}
	25	}
	26
	27	- if (strcmp("", mount_label)) {
	28	- rc = setfilecon(journal_dir, (security_context_t)mount_label);
	29	- if (rc < 0) {
	30	- pr_perror("Failed to set journal dir selinux context");
	31	- return -1;
	32	- }
	33	- }
	34	-
	35	if (makepath(cont_journal_dir, 0755) == -1) {
	36	if (errno != EEXIST) {
	37	pr_perror("Failed to mkdir container journal dir: %s", cont_journal_dir);
	38	--
	39	2.4.0.53.g8440f74
	40


diff --git a/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb b/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb new file mode 100644 index 00000000..872872a1 --- /dev/null +++ b/recipes-containers/oci-systemd-hook/oci-systemd-hook_git.bb
@@ -0,0 +1,35 @@
	1	DESCRIPTION = "OCI systemd hook enables users to run systemd in docker and OCI"
	2	SECTION = "console/utils"
	3	LICENSE = "GPLv3"
	4	LIC_FILES_CHKSUM = "file://LICENSE;md5=d32239bcb673463ab874e80d47fae504"
	5	PRIORITY = "optional"
	6
	7	DEPENDS = "yajl util-linux"
	8
	9	SRCREV = "ca515c1f399bd0b16e94b7c34aa1ef20498beca6"
	10	SRC_URI = "git://github.com/projectatomic/oci-systemd-hook \
	11	file://0001-selinux-drop-selinux-support.patch \
	12	file://0001-configure-drop-selinux-support.patch \
	13	"
	14
	15	PV = "0.0.1+git${SRCPV}"
	16	S = "${WORKDIR}/git"
	17
	18	inherit autotools pkgconfig
	19
	20	PACKAGECONFIG ??= ""
	21	PACKAGECONFIG[selinux] = ",,libselinux"
	22
	23	EXTRA_OECONF += "--libexecdir=${libexecdir}/oci/hooks.d"
	24
	25	# nothing to compile, we do it all in the install task
	26	do_compile[noexec] = "1"
	27
	28	do_install() {
	29	# Avoid building docs, and other artifacts by surgically calling the
	30	# semi-internal target of "install-exec-am"
	31	oe_runmake 'DESTDIR=${D}' install-exec-am
	32	}
	33
	34	FILES_${PN} += "${libexecdir}/oci/hooks.d/"
	35