From 7cc5ef5f1811c539ae7f20255c2a093f413cc64f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Tue, 21 May 2019 20:02:34 +0200
Subject: [PATCH] pid1: improve message when setting up namespace fails

I covered the most obvious paths: those where there's a clear problem with a path specified by the user.
Prints something like this (at error level):
May 21 20:00:01.040418 systemd[125871]: bad-workdir.service: Failed to set up mount namespacing: /run/systemd/unit-root/etc/tomcat9/Catalina: No such file or directory
May 21 20:00:01.040456 systemd[125871]: bad-workdir.service: Failed at step NAMESPACE spawning /bin/true: No such file or directory
Fixes #10972.
---
 src/core/execute.c | 13 +++++++++----
 src/core/namespace.c | 20 ++++++++++++++++----
 src/core/namespace.h | 3 ++-
 src/test/test-ns.c | 3 ++-
 4 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/src/core/execute.c b/src/core/execute.c
index a8b6c92873..9975de1ff5 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2406,7 +2406,8 @@ static int apply_mount_namespace(
 const ExecCommand *command,
 const ExecContext *context,
 const ExecParameters *params,
- const ExecRuntime *runtime) {
+ const ExecRuntime *runtime,
+ char **error_path) {
 _cleanup_strv_free_ char **empty_directories = NULL;
 char *tmp = NULL, *var = NULL;
@@ -2482,7 +2483,8 @@ static int apply_mount_namespace(
 needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
 needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
 context->mount_flags,
- DISSECT_IMAGE_DISCARD_ON_LOOP);
+ DISSECT_IMAGE_DISCARD_ON_LOOP,
+ error_path);
 bind_mount_free_many(bind_mounts, n_bind_mounts);
@@ -3319,10 +3321,13 @@ static int exec_child(
 needs_mount_namespace = exec_needs_mount_namespace(context, params, runtime);
 if (needs_mount_namespace) {
- r = apply_mount_namespace(unit, command, context, params, runtime);
+ _cleanup_free_ char *error_path = NULL;
+
+ r = apply_mount_namespace(unit, command, context, params, runtime, &error_path);
 if (r < 0) {
 *exit_status = EXIT_NAMESPACE;
- return log_unit_error_errno(unit, r, "Failed to set up mount namespacing: %m");
+ return log_unit_error_errno(unit, r, "Failed to set up mount namespacing%s%s: %m",
+ error_path ? ": " : "", strempty(error_path));
 }
 }
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 8475145f06..ec7af3ab1c 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -1187,7 +1187,8 @@ int setup_namespace(
 ProtectHome protect_home,
 ProtectSystem protect_system,
 unsigned long mount_flags,
- DissectImageFlags dissect_image_flags) {
+ DissectImageFlags dissect_image_flags,
+ char **error_path) {
 _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL;
 _cleanup_(decrypted_image_unrefp) DecryptedImage *decrypted_image = NULL;
@@ -1440,6 +1441,8 @@ int setup_namespace(
 proc_self_mountinfo = fopen("/proc/self/mountinfo", "re");
 if (!proc_self_mountinfo) {
 r = log_debug_errno(errno, "Failed to open /proc/self/mountinfo: %m");
+ if (error_path)
+ *error_path = strdup("/proc/self/mountinfo");
 goto finish;
 }
@@ -1453,8 +1456,11 @@ int setup_namespace(
 continue;
 r = follow_symlink(root, m);
- if (r < 0)
+ if (r < 0) {
+ if (error_path && mount_entry_path(m))
+ *error_path = strdup(mount_entry_path(m));
 goto finish;
+ }
 if (r == 0) {
 /* We hit a symlinked mount point. The entry got rewritten and might point to a
 * very different place now. Let's normalize the changed list, and start from
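Review bot: In exec_child (src/core/execute.c), `strempty(error_path)` is passed to `%s` unescaped. setup_namespace fills it from `mount_entry_path(m)`, and the context comment in the follow_symlink hunk says an entry may have been rewritten after a symlink was followed, so the string is not necessarily the literal path from the unit file. If any component of that path can be created by a less privileged user, control characters or newlines in it would reach the log as written. Escaping the path before formatting, or a comment stating why these paths are trusted, would settle it. exec_child's body starts and ends outside the hunk.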
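Review bot: The new `char **error_path` parameter of setup_namespace (src/core/namespace.c) has no comment stating its contract. From the other hunks in this file it is optional (every write is guarded by `if (error_path)`) and written on four failure paths only. The function never initialises or frees a previous value, so the caller must pass a pointer to NULL and free the result, as exec_child does with `_cleanup_free_`. I would add above the definition: `/* error_path: optional. On some failures set to a newly allocated copy of the path that failed; must point to NULL on entry, caller frees. */`. The function body continues outside this hunk.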
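Review bot: The result of `strdup("/proc/self/mountinfo")` in setup_namespace's fopen failure branch is not checked, and the same holds for the three `strdup(mount_entry_path(m))` calls added after follow_symlink, apply_mount and make_read_only. On allocation failure `*error_path` stays NULL and exec_child falls back to the message without a path, which looks intended but is not stated anywhere. A one-line comment at the first site would record that: `/* Best effort: on OOM the caller just logs without the path. */`.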
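Review bot: The pair `if (error_path && mount_entry_path(m))` / `*error_path = strdup(mount_entry_path(m));` added after follow_symlink is repeated verbatim after apply_mount and make_read_only, and each copy calls `mount_entry_path(m)` twice. A small static helper taking `error_path` and `m` would keep the three failure paths identical and give one place to change what is reported. The enclosing loop starts and ends outside this hunk.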
@@ -1465,8 +1471,11 @@ int setup_namespace(
 }
 r = apply_mount(root, m);
- if (r < 0)
+ if (r < 0) {
+ if (error_path && mount_entry_path(m))
+ *error_path = strdup(mount_entry_path(m));
 goto finish;
+ }
 m->applied = true;
 }
@@ -1490,8 +1499,11 @@ int setup_namespace(
 /* Second round, flip the ro bits if necessary. */
 for (m = mounts; m < mounts + n_mounts; ++m) {
 r = make_read_only(m, blacklist, proc_self_mountinfo);
- if (r < 0)
+ if (r < 0) {
+ if (error_path && mount_entry_path(m))
+ *error_path = strdup(mount_entry_path(m));
 goto finish;
+ }
 }
 }
diff --git a/src/core/namespace.h b/src/core/namespace.h
index 022bdb6142..73fcb3fc82 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -86,7 +86,8 @@ int setup_namespace(
 ProtectHome protect_home,
 ProtectSystem protect_system,
 unsigned long mount_flags,
- DissectImageFlags dissected_image_flags);
+ DissectImageFlags dissected_image_flags,
+ char **error_path);
 int setup_tmp_dirs(
 const char *id,
diff --git a/src/test/test-ns.c b/src/test/test-ns.c
index d3dbb54ca1..e9233a1643 100644
--- a/src/test/test-ns.c
+++ b/src/test/test-ns.c
@@ -75,7 +75,8 @@ int main(int argc, char *argv[]) {
 PROTECT_HOME_NO,
 PROTECT_SYSTEM_NO,
 0,
- 0);
+ 0,
+ NULL);
 if (r < 0) {
 log_error_errno(r, "Failed to setup namespace: %m");
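Review bot: On apply_mount failure in setup_namespace the reported path is `mount_entry_path(m)`, which is presumably the mount point of the entry. If apply_mount can also fail because of the entry's source rather than its target (its body is not in this diff), the error-level message would name a path that is not the one at fault. Until the source is reported as well, a comment at this site would keep readers from over-trusting the log: `/* Reports the mount point; the failure may concern the entry's source instead. */`. The same applies to the make_read_only site in the next hunk only if that helper touches more than the entry's own path.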
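Review bot: The call in src/test/test-ns.c passes `NULL` for `error_path`, so none of the new assignments in setup_namespace is exercised by this test. Passing a real pointer would cover them and improve the test's own failure output: declare `_cleanup_free_ char *error_path = NULL;`, pass `&error_path`, and log with `log_error_errno(r, "Failed to setup namespace%s%s: %m", error_path ? ": " : "", strempty(error_path));`. main's body starts and ends outside the hunk, and I am assuming `_cleanup_free_` and `strempty` are reachable from this file as they are in execute.c.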