Improve enter-machine scripts for nspawn containers to unset most environment variables.

2015-05-27 21:11:36 -04:00 · 2015-05-27 21:11:36 -04:00 · 9ce43e55f8
parent 672a783d3a
commit 9ce43e55f8
3 changed files with 16 additions and 10 deletions
--- a/config-joey.hs
+++ b/config-joey.hs
@ -134,10 +134,10 @@ orca = standardSystem "orca.kitenet.net" Unstable "amd64"
 	! Docker.docked (GitAnnexBuilder.standardAutoBuilderContainer dockerImage "amd64" 15 "2h")
 	! Docker.docked (GitAnnexBuilder.standardAutoBuilderContainer dockerImage "i386" 45 "2h")
 	! Docker.docked (GitAnnexBuilder.androidAutoBuilderContainer dockerImage (Cron.Times "1 1 * * *") "3h")
 	! Docker.docked (GitAnnexBuilder.armelCompanionContainer dockerImage)
 	! Docker.docked (GitAnnexBuilder.armelAutoBuilderContainer dockerImage (Cron.Times "1 3 * * *") "5h")
 	& Docker.garbageCollected -- `period` Daily
 	& Systemd.nspawned (GitAnnexBuilder.standardAutoBuilderContainerNspawn "amd64" 15 "2h")
 	& Docker.docked (GitAnnexBuilder.armelCompanionContainer dockerImage)
 	& Docker.docked (GitAnnexBuilder.armelAutoBuilderContainer dockerImage (Cron.Times "1 3 * * *") "5h")
 	& Apt.buildDep ["git-annex"] `period` Daily
 -- This is not a complete description of kite, since it's a
--- a/debian/changelog
+++ b/debian/changelog
@ -7,6 +7,8 @@ propellor (2.5.0) UNRELEASED; urgency=medium
  * Export CommandParam, boolSystem, safeSystem and shellEscape from
    Propellor.Property.Cmd, so they are available for use in constricting
    your own Properties when using propellor as a library.
  * Improve enter-machine scripts for nspawn containers to unset most
    environment variables.
 -- Joey Hess <id@joeyh.name>  Thu, 07 May 2015 12:08:34 -0400
--- a/src/Propellor/Property/Systemd.hs
+++ b/src/Propellor/Property/Systemd.hs
@ -215,15 +215,19 @@ enterScript c@(Container name _ _) = setup <!> teardown
  where
 	setup = combineProperties ("generated " ++ enterScriptFile c)
 		[ scriptfile `File.hasContent`
-			[ "#!/bin/sh"
+			[ "#!/usr/bin/perl"
 			, "# Generated by propellor"
-			, "pid=\"$(machinectl show " ++ shellEscape name ++ " -p Leader | cut -d= -f2)\" || true"
+			, "my $pid=`machinectl show " ++ shellEscape name ++ " -p Leader | cut -d= -f2`;"
-			, "if [ -n \"$pid\" ]; then"
+			, "chomp $pid;"
-			, "\tnsenter -p -u -n -i -m -t \"$pid\" \"$@\""
+			, "if (length $pid) {"
-			, "else"
+			, "\tforeach my $var (keys %ENV) {"
-			, "\techo container not running >&2"
+			, "\t\tdelete $var unless $var eq 'PATH' || $var eq 'TERM';"
-			, "\texit 1"
+			, "\t}"
-			, "fi"
+			, "\texec('nsenter', '-p', '-u', '-n', '-i', '-m', '-t', $pid, @ARGV);"
 			, "} else {"
 			, "\tdie 'container not running';"
 			, "}"
 			, "exit(1);"
 			]
 		, scriptfile `File.mode` combineModes (readModes ++ executeModes)
 		]