machine: enter target PID namespace when adding a live mount

machinectl fails since 21935150a0c42b91a322105f6a9129116bfc8e2e as it's now
mounting onto a file descriptor in a target namespace, without joining the
target's PID namespace.
Note that it's not enough to setns CLONE_NEWPID, but a double-fork is required
as well, as implemented by namespace_fork().

Add a test case to TEST-13-NSPAWN to cover this use case.

(cherry picked from commit 98f654fdeab1e1b6df2be76e29e4ccbb6624898d)

Gbp-Pq: Name machine-enter-target-PID-namespace-when-adding-a-live-mou.patch

diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c
index 368c5f01d2dc03e4b133fba3999b2ab92d7b5d0d..2e374cc67db45bed77b6e0ccb4a13327076c4c89 100644 (file)
--- a/src/shared/mount-util.c
+++ b/src/shared/mount-util.c
@@ -757,7 +757,7 @@ int bind_mount_in_namespace(
                 bool make_file_or_directory) {
 
         _cleanup_close_pair_ int errno_pipe_fd[2] = { -1, -1 };
-        _cleanup_close_ int self_mntns_fd = -1, mntns_fd = -1, root_fd = -1;
+        _cleanup_close_ int self_mntns_fd = -1, mntns_fd = -1, root_fd = -1, pidns_fd = -1;
         char mount_slave[] = "/tmp/propagate.XXXXXX", *mount_tmp, *mount_outside, *p;
         bool mount_slave_created = false, mount_slave_mounted = false,
                 mount_tmp_created = false, mount_tmp_mounted = false,
@@ -773,7 +773,7 @@ int bind_mount_in_namespace(
         assert(src);
         assert(dest);
 
-        r = namespace_open(target, NULL, &mntns_fd, NULL, NULL, &root_fd);
+        r = namespace_open(target, &pidns_fd, &mntns_fd, NULL, NULL, &root_fd);
         if (r < 0)
                 return log_debug_errno(r, "Failed to retrieve FDs of the target process' namespace: %m");
 
@@ -898,7 +898,7 @@ int bind_mount_in_namespace(
         }
 
         r = namespace_fork("(sd-bindmnt)", "(sd-bindmnt-inner)", NULL, 0, FORK_RESET_SIGNALS|FORK_DEATHSIG,
-                           -1, mntns_fd, -1, -1, root_fd, &child);
+                           pidns_fd, mntns_fd, -1, -1, root_fd, &child);
         if (r < 0)
                 goto finish;
         if (r == 0) {

diff --git a/test/create-busybox-container b/test/create-busybox-container
index 5ded42950a94efd1ff3c7a1c72c03ff2a16f4e79..b2b7b262940b2a9de85e56a0af8911cf866d7c58 100755 (executable)
--- a/test/create-busybox-container
+++ b/test/create-busybox-container
@@ -28,6 +28,9 @@ ln -s busybox "$root/bin/cat"
 ln -s busybox "$root/bin/tr"
 ln -s busybox "$root/bin/ps"
 ln -s busybox "$root/bin/ip"
+ln -s busybox "$root/bin/seq"
+ln -s busybox "$root/bin/sleep"
+ln -s busybox "$root/bin/test"
 
 mkdir -p "$root/sbin"
 cat <<'EOF' >"$root/sbin/init"

diff --git a/test/units/testsuite-13.sh b/test/units/testsuite-13.sh
index 969ca4a8d9e6a854f2d8996371ba3134a16fe5b4..1844323d2f17f40ac5e339f1190a4ef9be71fd6c 100755 (executable)
--- a/test/units/testsuite-13.sh
+++ b/test/units/testsuite-13.sh
@@ -93,6 +93,29 @@ if echo test >> /run/host/os-release; then exit 1; fi
     fi
 }
 
+function check_machinectl_bind {
+    local _cmd='for i in $(seq 1 20); do if test -f /tmp/marker; then exit 0; fi; sleep 0.5; done; exit 1;'
+
+    cat <<EOF > /run/systemd/system/nspawn_machinectl_bind.service
+[Service]
+Type=notify
+ExecStart=systemd-nspawn $SUSE_OPTS -D /testsuite-13.nc-container --notify-ready=no /bin/sh -x -e -c "$_cmd"
+EOF
+
+    systemctl start nspawn_machinectl_bind.service
+
+    touch /tmp/marker
+
+    machinectl bind --mkdir testsuite-13.nc-container /tmp/marker
+
+    while systemctl show -P SubState nspawn_machinectl_bind.service | grep -q running
+    do
+        sleep 0.1
+    done
+
+    return $(systemctl show -P ExecMainStatus nspawn_machinectl_bind.service)
+}
+
 function run {
     if [[ "$1" = "yes" && "$is_v2_supported" = "no" ]]; then
         printf "Unified cgroup hierarchy is not supported. Skipping.\n" >&2
@@ -186,4 +209,6 @@ for api_vfs_writable in yes no network; do
     run yes yes $api_vfs_writable
 done
 
+check_machinectl_bind
+
 touch /testok