Hi Daniel,
On 1/4/20 9:07, Daniel Abrecht via Dng wrote:
> Hi,
>
> What's the point of trying to detect if eudev is run in a container?
> Is it just to not start it in that case?
> Would it just fail to start in them otherwise?
> Is that actually a problem?
> And could eudev not just be uninstalled in a container?
I don't know. But, as far as I know, this question arises from the
developers of runit.
> In any case, I don't like the idea of doing hacks like looking at
> inode numbers or trying to determine if there is a container or not.
> In addition to this, I don't like the idea of checking for being in a
> container in general.
>
> Instead, I would check for reasons why it doesn't work in a container,
> choose a sensible thing to check for out of those reasons, and then
> check for that.
>
> In this case, I would assume the following, although I haven't checked:
> 1) the container hypervisor (lxc/lxc, docker, libvirt-lxc, etc.) is
> responsible for managing/creating device files
> 2) eudev exists for managing/creating device files in other kinds of
> systems
> 3) device files can't be created in a container
> 4) 3. is due to the container hypervisor removing the cap_mknod
> capability from containers
>
> Given those assumptions, I think the sensible thing would be to either
> check for the mknod capability, or check if device nodes can't be
> created in /dev/ due to a lack of permissions. I think that's closer
> to the reason why one may not want to start eudev than trying to
> check if we're in a container.
Eudev already has a function regarding these functionalities:
[...]
        if (getpid() == 1) {
                /* If we are PID 1 we can just check our own
                 * environment variable */
                e = getenv("container");
                if (isempty(e)) {
                        r = 0;
                        goto finish;
                }
        } else {
                /* Otherwise, PID 1 dropped this information into a
                 * file in UDEV_ROOT_RUN. This is better than accessing
                 * /proc/1/environ, since we don't need CAP_SYS_PTRACE
                 * for that. */
                <cut> ** THIS PART DEPENDS SOMEHOW ON SYSTEMD ** <\cut>
        }

        /* We only recognize a selected few here, since we want to
         * enforce a redacted namespace */
        if (streq(e, "lxc"))
                _id = "lxc";
        else if (streq(e, "lxc-libvirt"))
                _id = "lxc-libvirt";
        else if (streq(e, "systemd-nspawn"))
                _id = "systemd-nspawn";
        else if (streq(e, "docker"))
                _id = "docker";
        else
                _id = "other";
[...]
Have a look at the code of:
int detect_container(const char **id) { ... }
in the file "virt.c":
https://github.com/gentoo/eudev/blob/master/src/shared/virt.c
Cheers,
Aitor.