hrr_rb_lxns 0.2.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 22886b993b258c672b8f37d59c51108e40027365f5932fe5ae841ec4ccfe4735
-  data.tar.gz: 0e04c670687c4575bec9e874d5f0748e280452f387ebe9ea7cbd9a06a82823ad
+  metadata.gz: c2638d4c8b3db4d56a38f2eb038b9079f8449e20645a875a2a3c11c31099716a
+  data.tar.gz: 1b92b52c8db60ba8ebd6b5f517a74daf8125986fc52c1719c51416875ec015d7
 SHA512:
-  metadata.gz: b55815a702403feff42698e15b8ada181bf32ac2da3362331b8cf87ccc8f5413462896f1a63181a3736954f743659f4e0d56004919c5bfbbb8774559a6211a92
-  data.tar.gz: 114b6d13402c24de77662525bfee59c6d3f7e02b680a76903f3810238cdd2ac91ce99cd5096dcbb22e195d9287d7252ecf1b86a6476c170eea1903abf2c3e98e
+  metadata.gz: 73a2767cf322ee5ba66f2187e81e5878a4233e11baa32c8a24ee87b1ecede422a52cada11f263af2bcd34c2a9d219e25be467b668fb8e6a7b37591b668bbe2de
+  data.tar.gz: c674dbbabb9c3708255dab0480acd8c8be21fe8c0635fc68c694441c2d14b7845b513b3a85074adb10123b941555a0dd3ca7ede5abf16302aa797e4cfccfaaf6

data/README.md

@@ -23,7 +23,7 @@ Or install it yourself as:
 
 ## Usage
 
-hrr_rb_lxns provides unshare and setns wrappers.
+hrr_rb_lxns provides unshare and setns wrappers, and namespace files information collector.
 
 ### Unshare
 
@@ -78,6 +78,28 @@ else
 end
 ```
 
+HrrRbLxns.unshare also supports mapping UIDs and/or GIDs for user namespace. When `:map_gid` option is specified, the method also writes `deny\n` in /proc/PID/setgroups.
+
+```ruby
+options = {:map_uid => [[0, 0, 1], [1, 10000, 1000]]}
+HrrRbLxns.unshare HrrRbLxns::NEWUSER, options         # => 0
+File.read("/proc/self/uid_map").gsub(/ +/, " ")       # => " 0 0 1\n 1 10000 1000\n"
+
+options = {:map_uid => "0 0 1", :map_gid => "0 0 1"}
+HrrRbLxns.unshare HrrRbLxns::NEWUSER, options         # => 0
+File.read("/proc/self/uid_map").gsub(/ +/, " ")       # => " 0 0 1\n"
+File.read("/proc/self/setgroups")                     # => "deny\n"
+File.read("/proc/self/gid_map").gsub(/ +/, " ")       # => " 0 0 1\n"
+```
+
+Time namespace provides per-namespace monotonic and boottime clocks. The clock offsets can be set by `:monotonic` and `:boottime` options.
+
+```ruby
+options = {:monotonic => 123.456, :boottime => "123.456"}
+HrrRbLxns.unshare HrrRbLxns::NEWTIME, options          # => 0
+File.read("/proc/self/timens_offsets").gsub(/ +/, " ") # => "monotonic 123 456000000\nboottime 123 456000000\n"
+```
+
 ### Setns
 
 HrrRbLxns.setns method wraps around setns(2) system call. The system call associate the caller process's namespace to an existing one, which is disassociated by some other process.
@@ -110,6 +132,22 @@ system "ip netns add ns0"
 HrrRbLxns.setns HrrRbLxns::NETNET, nil, {network: "/run/netns/ns0"}
 ```
 
+### Files
+
+HrrRbLxns.files Collects the caller process's or a specific process's namespace files information, which are the file path and its inode number.
+
+```ruby
+# Collects the caller process's namespace files information
+files = HrrRbLxns.files
+# Collects a specific process's namespace files information
+files = HrrRbLxns.files 12345
+
+# Then, paths and their inode numbers are accesible
+files.uts.path    # => "/proc/12345/ns/uts"
+files[:ipc].ino   # => 4026531839
+files["net"].ino  # => 4026531840
+```
+
 ## Note
 
 Some of the namespace operations are not multi-thread friendly. The library expects that only main thread is running before unshare or setns operation.

data/ext/hrr_rb_lxns/hrr_rb_lxns.c

@@ -2,6 +2,7 @@
 #define _GNU_SOURCE 1
 #include <sched.h>
 #include <linux/version.h>
+#include <time.h>
 
 VALUE rb_mHrrRbLxns;
 VALUE rb_mHrrRbLxnsConst;
@@ -117,4 +118,12 @@ Init_hrr_rb_lxns(void)
   /* Represents time namespace. */
   rb_define_const(rb_mHrrRbLxnsConst, "NEWTIME", INT2FIX(CLONE_NEWTIME));
 #endif
+#ifdef CLOCK_MONOTONIC
+  /* Represents monotonic clock. */
+  rb_define_const(rb_mHrrRbLxnsConst, "MONOTONIC", INT2FIX(CLOCK_MONOTONIC));
+#endif
+#ifdef CLOCK_BOOTTIME
+  /* Represents boottime clock. */
+  rb_define_const(rb_mHrrRbLxnsConst, "BOOTTIME", INT2FIX(CLOCK_BOOTTIME));
+#endif
 }

data/lib/hrr_rb_lxns/files/file.rb

@@ -0,0 +1,33 @@
+module HrrRbLxns
+  class Files
+
+    # A class that takes a path to a namespace file and collects then keeps its inode.
+    #
+    # @example
+    #   file = HrrRbLxns::Files::File.new "/proc/12345/ns/uts"
+    #   file.path # => "/proc/12345/ns/uts"
+    #   file.ino  # => 4026531839
+    #
+    class File
+
+      # Returns the file information of attribute :path.
+      #
+      # @return [String] The path to the namespace file.
+      #
+      attr_reader :path
+
+      # Returns the file information of attribute :ino.
+      #
+      # @return [Integer,nil] The inode number of the namespace file. If the path is not valid, then ino is nil.
+      #
+      attr_reader :ino
+
+      # @param path [String] The path to a namespace file.
+      #
+      def initialize path
+        @path = path
+        @ino  = ::File.exist?(path) ? ::File.stat(path).ino : nil
+      end
+    end
+  end
+end

data/lib/hrr_rb_lxns/files.rb

@@ -0,0 +1,130 @@
+module HrrRbLxns
+
+  # Represents namespace files information in /proc/PID/ns/ directory of a process.
+  #
+  # @example
+  #   # Collects the caller process's or a specific process's namespace files information
+  #   files = HrrRbLxns::Files.new
+  #   files = HrrRbLxns::Files.new 12345
+  #
+  #   # Each namespace file is accessible as a method or a Hash-like key
+  #   files.uts.path    # => "/proc/12345/ns/uts"
+  #   files[:uts].path  # => "/proc/12345/ns/uts"
+  #   files["uts"].path # => "/proc/12345/ns/uts"
+  class Files
+    include Enumerable
+
+    # Returns the file information of attribute :mnt.
+    #
+    # @return [HrrRbLxns::Files::File]
+    #
+    attr_reader :mnt
+
+    # Returns the file information of attribute :uts.
+    #
+    # @return [HrrRbLxns::Files::File]
+    #
+    attr_reader :uts
+
+    # Returns the file information of attribute :ipc.
+    #
+    # @return [HrrRbLxns::Files::File]
+    #
+    attr_reader :ipc
+
+    # Returns the file information of attribute :net.
+    #
+    # @return [HrrRbLxns::Files::File]
+    #
+    attr_reader :net
+
+    # Returns the file information of attribute :pid.
+    #
+    # @return [HrrRbLxns::Files::File]
+    #
+    attr_reader :pid
+
+    # Returns the file information of attribute :pid_for_children.
+    #
+    # @return [HrrRbLxns::Files::File]
+    #
+    attr_reader :pid_for_children
+
+    # Returns the file information of attribute :user.
+    #
+    # @return [HrrRbLxns::Files::File]
+    #
+    attr_reader :user
+
+    # Returns the file information of attribute :cgroup.
+    #
+    # @return [HrrRbLxns::Files::File]
+    #
+    attr_reader :cgroup
+
+    # Returns the file information of attribute :time.
+    #
+    # @return [HrrRbLxns::Files::File]
+    #
+    attr_reader :time
+
+    # Returns the file information of attribute :time_for_children.
+    #
+    # @return [HrrRbLxns::Files::File]
+    #
+    attr_reader :time_for_children
+
+    # @param pid [Integer,String] The pid of a process to collect namespace files information. If nil, assumes that it is the caller process.
+    #
+    def initialize pid="self"
+      @mnt               = File.new "/proc/#{pid}/ns/mnt"
+      @uts               = File.new "/proc/#{pid}/ns/uts"
+      @ipc               = File.new "/proc/#{pid}/ns/ipc"
+      @net               = File.new "/proc/#{pid}/ns/net"
+      @pid               = File.new "/proc/#{pid}/ns/pid"
+      @pid_for_children  = File.new "/proc/#{pid}/ns/pid_for_children"
+      @user              = File.new "/proc/#{pid}/ns/user"
+      @cgroup            = File.new "/proc/#{pid}/ns/cgroup"
+      @time              = File.new "/proc/#{pid}/ns/time"
+      @time_for_children = File.new "/proc/#{pid}/ns/time_for_children"
+    end
+
+    # Returns the file information of the specified key.
+    #
+    # @example
+    #   files = HrrRbLxns::Files.new 12345
+    #   files[:uts].path  # => "/proc/12345/ns/uts"
+    #   files["uts"].path # => "/proc/12345/ns/uts"
+    #
+    # @param key [Symbol,String] The namespace file name, which is :mnt, :uts, pid, :pid_for_children, ....
+    # @return [HrrRbLxns::Files::File]
+    #
+    def [] key
+      __send__ key
+    end
+
+    # Calls the given block once for each key with associated file information.
+    # If no block is given, an Enumerator is returned.
+    #
+    # @example
+    #   files = HrrRbLxns::Files.new 12345
+    #   files.each do |type, namespace_file|
+    #     # at first iteration
+    #     type                # => :cgroup
+    #     namespace_file.path # => "/proc/12345/ns/cgroup"
+    #   end
+    #
+    def each
+      keys_with_files = [:mnt, :uts, :ipc, :net, :pid, :pid_for_children, :user, :cgroup, :time, :time_for_children].map{ |key| [key, __send__(key)] }
+      if block_given?
+        keys_with_files.each do |kv|
+          yield kv
+        end
+      else
+        keys_with_files.each
+      end
+    end
+  end
+end
+
+require "hrr_rb_lxns/files/file"

data/lib/hrr_rb_lxns/version.rb

@@ -1,3 +1,3 @@
 module HrrRbLxns
-  VERSION = "0.2.1"
+  VERSION = "0.3.0"
 end

data/lib/hrr_rb_lxns.rb

@@ -1,5 +1,6 @@
 require "hrr_rb_lxns/version"
 require "hrr_rb_lxns/hrr_rb_lxns"
+require "hrr_rb_lxns/files"
 require "hrr_rb_mount"
 
 # Utilities working with Linux namespaces for CRuby.
@@ -9,6 +10,20 @@ module HrrRbLxns
   module Constants
   end
 
+  # Collects namespace files information in /proc/PID/ns/ directory of a process.
+  #
+  # @example
+  #   # Collects the caller process's or a specific process's namespace files information
+  #   files = HrrRbLxns.files
+  #   files = HrrRbLxns.files 12345
+  #   files.uts.path # => "/proc/12345/ns/uts"
+  #
+  # @param pid [Integer,String] The pid of a process to collect namespace files information. If nil, assumes that it is the caller process.
+  # @return [HrrRbLxns::Files]
+  def self.files pid="self"
+    Files.new pid
+  end
+
   # A wrapper around unshare(2) system call.
   #
   # @example
@@ -44,18 +59,26 @@ module HrrRbLxns
   # @option options [String] :cgroup  A persistent cgroup namespace to be created by bind mount.
   # @option options [String] :time    A persistent time namespace to be created by bind mount.
   # @option options [Boolean] :fork If specified, the caller process forks after unshare.
+  # @option options [String,Array<String>,Array<#to_i>,Array<Array<#to_i>>] :map_uid If specified, the caller process writes UID map in /proc/PID/uid_map.
+  # @option options [String,Array<String>,Array<#to_i>,Array<Array<#to_i>>] :map_gid If specified, the caller process writes deny in /proc/PID/setgroups and GID map in /proc/PID/gid_map.
+  # @option options [Numeric,String] :monotonic If specified, writes monotonic offset in /proc/PID/timens_offsets.
+  # @option options [Numeric,String] :boottime If specified, writes boottime offset in /proc/PID/timens_offsets.
   # @return [Integer, nil] Usually 0. If :fork is specified in options, then PID of the child process in parent, nil in child (as same as Kernel.#fork).
   # @raise [ArgumentError] When given flags argument is not appropriate.
+  # @raise [TypeError] When map_uid and/or map_gid value is not appropriate.
   # @raise [Errno::EXXX] In case unshare(2) system call failed.
   def self.unshare flags, options={}
     _flags = interpret_flags flags
     bind_ns_files_from_child(_flags, options) do
-      if fork? options
-        __unshare__ _flags
-        fork
-      else
-        __unshare__ _flags
+      ret = nil
+      map_uid_gid_from_child(_flags, options) do
+        ret = __unshare__ _flags
+        set_timens_offsets(_flags, options)
       end
+      if fork?(options)
+        ret = fork
+      end
+      ret
     end
   end
 
@@ -109,15 +132,35 @@ module HrrRbLxns
     _flags = interpret_flags flags
     nstype_file_h = get_nstype_file_h _flags, pid, options
     do_setns nstype_file_h
+    return 0
   end
 
   private
 
   def self.interpret_flags arg
     case arg
-    when Integer then arg
-    when String  then chars_to_flags arg
-    else raise TypeError, "unsupported flags: #{arg.inspect}"
+    when Integer
+      check_flags arg
+      arg
+    when String
+      chars_to_flags arg
+    else
+      raise TypeError, "unsupported flags: #{arg.inspect}"
+    end
+  end
+
+  def self.check_flags flags
+    valid_flags = 0
+    valid_flags += NEWIPC    if const_defined?(:NEWIPC)
+    valid_flags += NEWNS     if const_defined?(:NEWNS)
+    valid_flags += NEWNET    if const_defined?(:NEWNET)
+    valid_flags += NEWPID    if const_defined?(:NEWPID)
+    valid_flags += NEWUTS    if const_defined?(:NEWUTS)
+    valid_flags += NEWUSER   if const_defined?(:NEWUSER)
+    valid_flags += NEWCGROUP if const_defined?(:NEWCGROUP)
+    valid_flags += NEWTIME   if const_defined?(:NEWTIME)
+    unless (flags - (flags & valid_flags)).zero?
+      raise ArgumentError, "unsupported flags are set"
     end
   end
 
@@ -214,12 +257,133 @@ module HrrRbLxns
     end
   end
 
+  def self.map_uid_gid? flags, options
+    const_defined?(:NEWUSER) && (flags & NEWUSER).zero?.! && (options.has_key?(:map_uid) || options.has_key?(:map_gid))
+  end
+
+  # This method calls fork and the child process writes into /proc/PID/uid_map, /proc/PID/gid_map, and /proc/PID/setgroups.
+  def self.map_uid_gid_from_child flags, options
+    if map_uid_gid? flags, options
+      pid_to_map = Process.pid
+      IO.pipe do |io_r, io_w|
+        if pid = fork
+          begin
+            ret = yield
+          rescue Exception
+            Process.kill "KILL", pid
+            Process.waitpid pid
+            raise
+          else
+            io_w.write "1"
+            io_w.close
+            Process.waitpid pid
+            raise Marshal.load(io_r.read) unless $?.to_i.zero?
+            ret
+          end
+        else
+          begin
+            io_r.read 1
+            map_uid_gid options, pid_to_map
+          rescue Exception => e
+            io_w.write Marshal.dump(e)
+            exit! false
+          else
+            exit! true
+          end
+        end
+      end
+    else
+      yield
+    end
+  end
+
+  def self.map_uid_gid options, pid
+    if options.has_key?(:map_uid)
+      write_id_map options[:map_uid], pid, "uid"
+    end
+    if options.has_key?(:map_gid)
+      deny_setgroups pid
+      write_id_map options[:map_gid], pid, "gid"
+    end
+  end
+
+  def self.write_id_map mapping, pid, type
+    path = "/proc/#{pid}/#{type}_map"
+    _mapping = case mapping
+               when String # "0 0 1", "0 0 1\n1 10000 1000\n"
+                 mapping.chomp
+               when Array
+                 if mapping.all?{|e| e.respond_to?(:match?) && e.match?(/^\d+ \d+ \d+$/)} # ["0 0 1", "1 10000 1000"]
+                   mapping.join("\n")
+                 elsif mapping.all?{|e| e.respond_to?(:to_i)} # [0, 0, 1], ["0", "0", "1"]
+                   mapping.map(&:to_i).join(" ")
+                 elsif mapping.all?{|e| e.respond_to?(:all?) && e.all?{ |e2| e2.respond_to?(:to_i)}} # [[0, 0, 1], ["1", "10000", "1000"]]
+                   mapping.map{|e| e.map(&:to_i).join(" ")}.join("\n")
+                 else
+                   raise TypeError, "map_#{type}"
+                 end
+               else
+                 raise TypeError, "map_#{type}"
+               end
+    File.open(path, "w") do |f|
+      f.puts _mapping
+    end
+  end
+
+  def self.deny_setgroups pid
+    File.open("/proc/#{pid}/setgroups", "w") do |f|
+      f.puts "deny"
+    end
+  end
+
+  def self.set_timens_offsets? flags, options
+    const_defined?(:NEWTIME) && (flags & NEWTIME).zero?.! && (options.has_key?(:monotonic) || options.has_key?(:boottime))
+  end
+
+  def self.set_timens_offsets(flags, options)
+    if set_timens_offsets? flags, options
+      File.open("/proc/self/timens_offsets", "w") do |f|
+        [
+          [MONOTONIC, :monotonic],
+          [BOOTTIME,  :boottime ],
+        ].each do |clk_id, key|
+          if options.has_key? key
+            offset_secs     = options[key].to_i
+            offset_nanosecs = ((Rational(options[key]) - offset_secs) * 10**9).to_i
+            f.puts "#{clk_id} #{offset_secs} #{offset_nanosecs}"
+          end
+        end
+      end
+    end
+  end
+
   def self.do_setns nstype_file_h
-    nstype_file_h.map{ |nstype, file|
-      File.open(file, File::RDONLY) do |f|
-        __setns__ f.fileno, nstype
+    list_without_user = nstype_file_h.keys - [NEWUSER]
+    success = {}
+    error = {}
+    nstype_fileobj_h = {}
+    begin
+      nstype_file_h.each do |nstype, file|
+        nstype_fileobj_h[nstype] = File.open(file, File::RDONLY)
       end
-    }.max or 0
+      (list_without_user + [NEWUSER] + list_without_user).each do |nstype|
+        next unless nstype_file_h.has_key? nstype
+        begin
+          next if success.has_key? nstype
+          fileobj = nstype_fileobj_h[nstype]
+          __setns__ fileobj.fileno, nstype
+        rescue
+          raise if error.has_key? nstype
+          error[nstype] = true
+        else
+          success[nstype] = true
+        end
+      end
+    ensure
+      nstype_fileobj_h.each do |nstype, fileobj|
+        fileobj.close
+      end
+    end
   end
 
   def self.get_nstype_file_h flags, pid, options

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hrr_rb_lxns
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - hirura
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-02 00:00:00.000000000 Z
+date: 2020-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: hrr_rb_mount
@@ -47,6 +47,8 @@ files:
 - ext/hrr_rb_lxns/hrr_rb_lxns.h
 - hrr_rb_lxns.gemspec
 - lib/hrr_rb_lxns.rb
+- lib/hrr_rb_lxns/files.rb
+- lib/hrr_rb_lxns/files/file.rb
 - lib/hrr_rb_lxns/version.rb
 homepage: https://github.com/hirura/hrr_rb_lxns
 licenses: