diff options
| author | Joey Hess <joeyh@joeyh.name> | 2015-05-27 21:11:36 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2015-05-27 21:11:36 -0400 |
| commit | 9ce43e55f8db84ac1111ad29f0c134814f805fed (patch) | |
| tree | f94c6ba350e2a07c5aeeabe17e0a60f6f9896038 | |
| parent | 672a783d3a2804ceeb6f179f37042eba5248f4c1 (diff) | |
Improve enter-machine scripts for nspawn containers to unset most environment variables.
| -rw-r--r-- | config-joey.hs | 4 | ||||
| -rw-r--r-- | debian/changelog | 2 | ||||
| -rw-r--r-- | src/Propellor/Property/Systemd.hs | 20 |
3 files changed, 16 insertions, 10 deletions
diff --git a/config-joey.hs b/config-joey.hs index 013be113..e01af471 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -134,10 +134,10 @@ orca = standardSystem "orca.kitenet.net" Unstable "amd64" ! Docker.docked (GitAnnexBuilder.standardAutoBuilderContainer dockerImage "amd64" 15 "2h") ! Docker.docked (GitAnnexBuilder.standardAutoBuilderContainer dockerImage "i386" 45 "2h") ! Docker.docked (GitAnnexBuilder.androidAutoBuilderContainer dockerImage (Cron.Times "1 1 * * *") "3h") + ! Docker.docked (GitAnnexBuilder.armelCompanionContainer dockerImage) + ! Docker.docked (GitAnnexBuilder.armelAutoBuilderContainer dockerImage (Cron.Times "1 3 * * *") "5h") & Docker.garbageCollected -- `period` Daily & Systemd.nspawned (GitAnnexBuilder.standardAutoBuilderContainerNspawn "amd64" 15 "2h") - & Docker.docked (GitAnnexBuilder.armelCompanionContainer dockerImage) - & Docker.docked (GitAnnexBuilder.armelAutoBuilderContainer dockerImage (Cron.Times "1 3 * * *") "5h") & Apt.buildDep ["git-annex"] `period` Daily -- This is not a complete description of kite, since it's a diff --git a/debian/changelog b/debian/changelog index 96a9f745..5d70582e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -7,6 +7,8 @@ propellor (2.5.0) UNRELEASED; urgency=medium * Export CommandParam, boolSystem, safeSystem and shellEscape from Propellor.Property.Cmd, so they are available for use in constricting your own Properties when using propellor as a library. + * Improve enter-machine scripts for nspawn containers to unset most + environment variables. -- Joey Hess <id@joeyh.name> Thu, 07 May 2015 12:08:34 -0400 diff --git a/src/Propellor/Property/Systemd.hs b/src/Propellor/Property/Systemd.hs index 78a99963..b19c08bc 100644 --- a/src/Propellor/Property/Systemd.hs +++ b/src/Propellor/Property/Systemd.hs @@ -215,15 +215,19 @@ enterScript c@(Container name _ _) = setup <!> teardown where setup = combineProperties ("generated " ++ enterScriptFile c) [ scriptfile `File.hasContent` - [ "#!/bin/sh" + [ "#!/usr/bin/perl" , "# Generated by propellor" - , "pid=\"$(machinectl show " ++ shellEscape name ++ " -p Leader | cut -d= -f2)\" || true" - , "if [ -n \"$pid\" ]; then" - , "\tnsenter -p -u -n -i -m -t \"$pid\" \"$@\"" - , "else" - , "\techo container not running >&2" - , "\texit 1" - , "fi" + , "my $pid=`machinectl show " ++ shellEscape name ++ " -p Leader | cut -d= -f2`;" + , "chomp $pid;" + , "if (length $pid) {" + , "\tforeach my $var (keys %ENV) {" + , "\t\tdelete $var unless $var eq 'PATH' || $var eq 'TERM';" + , "\t}" + , "\texec('nsenter', '-p', '-u', '-n', '-i', '-m', '-t', $pid, @ARGV);" + , "} else {" + , "\tdie 'container not running';" + , "}" + , "exit(1);" ] , scriptfile `File.mode` combineModes (readModes ++ executeModes) ] |