Hi Daniel,

On 1/4/20 9:07, Daniel Abrecht via Dng wrote:
> Hi,
> 
> What's the point of trying to detect if eudev is run in a container?
> Is it just to not start it in that case?
> Would it just fail to start in them otherwise?
> Is that actually a problem?
> And could eudev not just be uninstalled in a container?

I don't know. But, as far as I know, this question arises from the developers of runit.

> In any case, I don't like the idea of doing hacks like looking at inode numbers or trying to determine if there is a container or not. In addition to this, I don't like the idea of checking for being in a container in general.
> 
> Instead, I would check for reasons why it doesn't work in a container, choose a sensible thing to check for out of those reasons, and then check for that.
> 
> In this case, I would assume the following, although I haven't checked:
>  1) the container hypervisor (lxc/lxc, docker, libvirt-lxc, etc.) is responsible for managing/creating device files
>  2) eudev exists for managing/creating device files in other kinds of systems
>  3) device files can't be created in a container
>  4) 3. is due to the container hypervisor removing the cap_mknod capability from containers
> 
> Given those assumptions, I think the sensible thing would be to either check for the mknod capability, or check if device nodes can't be created in /dev/ due to a lack of permissions. I think that's closer to the reason why one may not want to start eudev than trying to check if we're in a container.

Eudev already has a function regarding these functionalities:

[...]

        if (getpid() == 1) {
                /* If we are PID 1 we can just check our own
                 * environment variable */

                e = getenv("container");
                if (isempty(e)) {
                        r = 0;
                        goto finish;
                }
        } else {

                /* Otherwise, PID 1 dropped this information into a
                 * file in UDEV_ROOT_RUN. This is better than accessing
                 * /proc/1/environ, since we don't need CAP_SYS_PTRACE
                 * for that. */

                <cut> ** THIS PART DEPENDS SOMEHOW ON SYSTEMD ** <\cut>

        }

        /* We only recognize a selected few here, since we want to
         * enforce a redacted namespace */
        if (streq(e, "lxc"))
                _id = "lxc";
        else if (streq(e, "lxc-libvirt"))
                _id = "lxc-libvirt";
        else if (streq(e, "systemd-nspawn"))
                _id = "systemd-nspawn";
        else if (streq(e, "docker"))
                _id = "docker";
        else
                _id = "other";

[...]

Have a look at the code of:

int detect_container(const char **id) { ... }

in the file "virt.c":

https://github.com/gentoo/eudev/blob/master/src/shared/virt.c

Cheers,

Aitor.
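The probe Daniel suggests (try to create a device node in /dev and see whether the failure is a permission problem, rather than guessing "am I in a container?"), as an added example; this is my own code, not eudev's detect_container() and not from this thread, and the enum, function names and probe file name are assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <unistd.h>

/* Outcome of trying to create a device node (names are assumptions, not eudev's). */
enum devprobe { DEV_OK, DEV_NO_MKNOD, DEV_NO_WRITE, DEV_OTHER };

/* Translate the errno of a failed mknod() into the reason eudev would care about. */
enum devprobe classify_mknod_errno(int err)
{
        switch (err) {
        case 0:      return DEV_OK;
        case EPERM:  return DEV_NO_MKNOD;  /* no CAP_MKNOD, or mknod blocked by seccomp/userns */
        case EACCES:
        case EROFS:  return DEV_NO_WRITE;  /* directory not writable, e.g. a read-only /dev */
        default:     return DEV_OTHER;     /* ENOENT, ENOSYS, ...: not a permission verdict */
        }
}

/* Try to create a throwaway char device (the null device, 1:3) in dir and remove it
 * again. Constructed probe name; errno of the attempt is handed back via *err_out. */
enum devprobe probe_mknod(const char *dir, int *err_out)
{
        char path[PATH_MAX];
        int err = 0;

        snprintf(path, sizeof path, "%s/.mknod-probe.%ld", dir, (long)getpid());
        if (mknod(path, S_IFCHR | 0600, makedev(1, 3)) == 0)
                unlink(path);
        else
                err = errno;
        if (err_out)
                *err_out = err;
        return classify_mknod_errno(err);
}

int main(void)
{
        static const char *names[] = { "can create device nodes", "mknod not permitted",
                                       "/dev not writable", "inconclusive" };
        int err;
        enum devprobe r = probe_mknod("/dev", &err);

        printf("%s (errno %d: %s)\n", names[r], err, err ? strerror(err) : "none");
        /* Caveat: a runtime may leave CAP_MKNOD in place (Docker's default set does) while a
         * device cgroup still blocks use of the node, so DEV_OK alone doesn't prove eudev is useful. */
        return r == DEV_OK ? 0 : 1;
}
```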

_______________________________________________
Dng mailing list
[email protected]
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
