passt/test/nstool.c, branch 2025_12_15.b40f5cd Plug A Simple Socket Transport test: Make nstool hold robust against interruptions to control clients 2024-11-07T11:47:30+00:00 David Gibson david@gibson.dropbear.id.au 2024-11-06T03:03:22+00:00 1699083f291ca8e639d0711eff59c61eecdf02c1 Currently nstool die()s on essentially any error. In most cases that's fine for our purposes. However, it's a problem when in "hold" mode and getting an IO error on an accept()ed socket. This could just indicate that the control client aborted prematurely, in which case we don't want to kill of the namespace we're holding. Adjust these to print an error, close() the control client socket and carry on. In addition, we need to explicitly ignore SIGPIPE in order not to be killed by an abruptly closed client connection. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Currently nstool die()s on essentially any error.  In most cases that's
fine for our purposes.  However, it's a problem when in "hold" mode and
getting an IO error on an accept()ed socket.  This could just indicate that
the control client aborted prematurely, in which case we don't want to
kill of the namespace we're holding.

Adjust these to print an error, close() the control client socket and
carry on.  In addition, we need to explicitly ignore SIGPIPE in order not
to be killed by an abruptly closed client connection.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
test: Rename propagating signal handler 2024-11-07T11:47:27+00:00 David Gibson david@gibson.dropbear.id.au 2024-11-06T03:03:21+00:00 b456ee1b53171c46b6f25c1c43d9fc17f6116745 nstool in "exec" mode will propagate some signals (specifically SIGTERM) to the process in the namespace it executes. The signal handler which accomplishes this is called simply sig_handler(). However, it turns out we're going to need some other signal handlers, so rename this to the more specific sig_propagate(). Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
nstool in "exec" mode will propagate some signals (specifically SIGTERM) to
the process in the namespace it executes.  The signal handler which
accomplishes this is called simply sig_handler().  However, it turns out
we're going to need some other signal handlers, so rename this to the more
specific sig_propagate().

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
nstool: Propagate SIGTERM to processes executed in the namespace 2024-08-07T07:16:48+00:00 David Gibson david@gibson.dropbear.id.au 2024-08-05T12:36:41+00:00 755f9fd91125c65361c81d8aa9e8af2cfd7adc6d Particularly in shell it's sometimes natural to save the pid from a process run and later kill it. If doing this with nstool exec, however, it will kill nstool itself, not the program it is running, which isn't usually what you want or expect. Address this by having nstool propagate SIGTERM to its child process. It may make sense to propagate some other signals, but some introduce extra complications, so we'll worry about them when and if it seems useful. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Particularly in shell it's sometimes natural to save the pid from a process
run and later kill it.  If doing this with nstool exec, however, it will
kill nstool itself, not the program it is running, which isn't usually what
you want or expect.

Address this by having nstool propagate SIGTERM to its child process.  It
may make sense to propagate some other signals, but some introduce extra
complications, so we'll worry about them when and if it seems useful.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
nstool: Fix some trivial typos 2024-08-07T07:16:45+00:00 David Gibson david@gibson.dropbear.id.au 2024-08-05T12:36:40+00:00 5ca61c2f34cdcadb486ad1e186aeb9c7df8c132e Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
test/nstool: Fix fd leak in accept() loop 2023-05-23T15:06:32+00:00 David Gibson david@gibson.dropbear.id.au 2023-05-23T02:25:43+00:00 e3b19530e4a689f9f8e417ebf737dfca2340342b nstool loops on accept(), but failed to close the accepted socket fds before continuing on. So, with repeated commands it would eventually die with an EMFILE. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
nstool loops on accept(), but failed to close the accepted socket fds
before continuing on.  So, with repeated commands it would eventually die
with an EMFILE.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
test/nstool: Provide useful error if given a path that's too long 2023-05-23T15:06:29+00:00 David Gibson david@gibson.dropbear.id.au 2023-05-23T02:25:42+00:00 527c822a3bd5536fd6bd52d2821925b8a05c99fb Normal filesystem paths can be very long (PATH_MAX is around 8k), however Unix domain sockets can only use relatively short paths (UNIX_PATH_MAX is 108 on Linux). Currently nstool will simply truncate paths that are too long, leading to difficult to understand failures. Make such failures clearer, with an explicit error message if given a path that's too long. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
Normal filesystem paths can be very long (PATH_MAX is around 8k), however
Unix domain sockets can only use relatively short paths (UNIX_PATH_MAX is
108 on Linux).  Currently nstool will simply truncate paths that are too
long, leading to difficult to understand failures.

Make such failures clearer, with an explicit error message if given a path
that's too long.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
nstool: Enter holder's cwd when changing mount ns with nstool exec 2023-04-07T23:12:12+00:00 David Gibson david@gibson.dropbear.id.au 2023-04-06T03:28:19+00:00 1a3ade90371f7e9490e8f3be0aff83f2e178c327 If we enter a mount namespace with nstool exec our working directory will be changed to / in the new mount ns. This is surprising if we haven't actually altered any mounts yet in the new ns. Instead, change the working directory to match that of the holder process in this situation. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
If we enter a mount namespace with nstool exec our working directory will
be changed to / in the new mount ns.  This is surprising if we haven't
actually altered any mounts yet in the new ns.  Instead, change the working
directory to match that of the holder process in this situation.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
nstool: Advertise the holder's cwd (in its mountns) across the socket 2023-04-07T23:12:10+00:00 David Gibson david@gibson.dropbear.id.au 2023-04-06T03:28:18+00:00 98031bee73b30ec82a4bc5f078175061d6157b4f This is possible useful in nstool info and has further uses for nstool exec. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
This is possible useful in nstool info and has further uses for nstool
exec.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
nstool: Add --keep-caps option to nstool exec 2023-04-07T23:12:03+00:00 David Gibson david@gibson.dropbear.id.au 2023-04-06T03:28:15+00:00 329149d51a7f8132beefcafc688812e2926607e1 This allows you to run commands within a user namespace with the privilege that comes from owning that userns. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
This allows you to run commands within a user namespace with the
privilege that comes from owning that userns.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
nstool: Add nstool exec command to execute commands in an nstool namespace 2023-04-07T23:12:01+00:00 David Gibson david@gibson.dropbear.id.au 2023-04-06T03:28:14+00:00 0b669446482e110719b3935aa4819396dea4d1ab This combines nstool info -pw <sock> with nsenter with various options for a more convenient and less verbose of entering existing nstool managed namespaces. Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> 
This combines nstool info -pw <sock> with nsenter with various options for
a more convenient and less verbose of entering existing nstool managed
namespaces.

Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>