[pve-devel] [PATCH v3 container] fix #4192: revamp check for systemd version

Leo Nunner l.nunner at proxmox.com
Thu Sep 15 13:52:28 CEST 2022


Instead of iterating through several folders, it might just be easier to
check the objdump output of /sbin/init and getting the version from there.
Resolving the /sbin/init symlink happens inside the chroot, but the
objdump from the host system is used, as to not run any untrusted
executables.

Signed-off-by: Leo Nunner <l.nunner at proxmox.com>
---
I think putting the subroutine to resolve the /sbin/init symlink into
Setup.pm makes the most sense, since this isn't really a task for the
plugin.

 src/PVE/LXC/Setup.pm           | 18 +++++++++++++++++-
 src/PVE/LXC/Setup/Alpine.pm    |  2 +-
 src/PVE/LXC/Setup/Base.pm      | 34 ++++++++++++++++++----------------
 src/PVE/LXC/Setup/Devuan.pm    |  2 +-
 src/PVE/LXC/Setup/Plugin.pm    |  2 +-
 src/PVE/LXC/Setup/Unmanaged.pm |  2 +-
 6 files changed, 39 insertions(+), 21 deletions(-)

diff --git a/src/PVE/LXC/Setup.pm b/src/PVE/LXC/Setup.pm
index b72a18e..fe6f0db 100644
--- a/src/PVE/LXC/Setup.pm
+++ b/src/PVE/LXC/Setup.pm
@@ -285,7 +285,7 @@ sub post_create_hook {
 sub unified_cgroupv2_support {
     my ($self) = @_;
 
-    return $self->protected_call(sub { $self->{plugin}->unified_cgroupv2_support() });
+    return $self->{plugin}->unified_cgroupv2_support($self->get_ct_init_path());
 }
 
 # os-release(5):
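Review bot: The plugin method is now invoked outside `protected_call` on line 36, so any subclass override of `unified_cgroupv2_support` that still reaches for the `ct_*` filesystem helpers would operate on the host's view instead of inside the container root; the overrides visible in this series only return a constant, but the changed contract is not stated anywhere. A one-line comment above the call would pin it down, e.g. `# runs unprotected on the host: plugins must only use $init, never the ct_* helpers here`. Note that `$init` is a path string taken from the container's own symlink target, not a host path that has been validated.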
@@ -335,4 +335,20 @@ sub get_ct_os_release {
     return &$parse_os_release($data);
 }
 
+# Checks whether /sbin/init is a symlink, and if it is, 
+# resolves it to the actual binary
+sub get_ct_init_path { 
+    my ($self) = @_;
+
+    my $init = $self->protected_call(sub {
+	my $init_path = "/sbin/init";
+	if($self->{plugin}->ct_is_symlink($init_path)) {
+    	    $init_path = $self->{plugin}->ct_readlink($init_path);
+	}
+	return $init_path;
+    });
+
+    return $init;
+}
+
 1;
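Review bot: The value `ct_readlink` returns on line 52 is container-controlled and is later concatenated onto `$self->{rootdir}` and passed to the host's objdump (Base.pm hunk, line 98), so a relative target such as `../lib/systemd/systemd` produces a path that is not under the container root, and a target with `..` components can point objdump at an arbitrary host file. Resolve the link fully inside the protected call and reject anything that is not an absolute, normalized path before returning it, e.g. `return undef if $init_path !~ m{\A/} || $init_path =~ m{(?:\A|/)\.\.(?:/|\z)};` and let the caller additionally confirm the joined path stays below the root. Only one level of symlink is followed here; where the target is itself a symlink the `m@/systemd$@` test in Base.pm may not see the final binary. Lines 44 and 46 carry trailing whitespace, line 51 has no space after `if`, and line 52 mixes spaces and tabs in its indent.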
diff --git a/src/PVE/LXC/Setup/Alpine.pm b/src/PVE/LXC/Setup/Alpine.pm
index b56d895..87d72be 100644
--- a/src/PVE/LXC/Setup/Alpine.pm
+++ b/src/PVE/LXC/Setup/Alpine.pm
@@ -102,7 +102,7 @@ sub setup_network {
 
 # non systemd based containers work with pure cgroupv2
 sub unified_cgroupv2_support {
-    my ($self) = @_;
+    my ($self, $init) = @_;
 
     return 1;
 }
diff --git a/src/PVE/LXC/Setup/Base.pm b/src/PVE/LXC/Setup/Base.pm
index cc12914..09155cf 100644
--- a/src/PVE/LXC/Setup/Base.pm
+++ b/src/PVE/LXC/Setup/Base.pm
@@ -514,40 +514,42 @@ sub clear_machine_id {
     }
 }
 
-# tries to guess the systemd (major) version based on the existence of
-# (/usr)?/lib/systemd/libsystemd-shared<version>.so. It was introduced in v231.
+# tries to guess the systemd (major) version based on the
+# libsystemd-shared<version>.so linked with /sbin/init
 sub get_systemd_version {
-    my ($self) = @_;
+    my ($self, $init) = @_;
 
-    my $sd_lib_dir = $self->ct_is_directory("/lib/systemd") ?
-	"/lib/systemd" : "/usr/lib/systemd";
-    my $libsd = PVE::Tools::dir_glob_regex($sd_lib_dir, "libsystemd-shared-.+\.so");
-    if (defined($libsd) && $libsd =~ /libsystemd-shared-(\d+)(?:\..*)?\.so/) {
-	return $1;
-    }
+    my $version = undef;
+    PVE::Tools::run_command(
+	['objdump', '-p', $self->{rootdir}.$init],
+	outfunc => sub {
+	    my $line = shift;
+	    if ($line =~ /libsystemd-shared-(\d+)(?:\.[a-zA-Z0-9]*)?\.so:$/) {
+		$version = $1;
+	    }},
+	errmsg => "objdump on $init failed",
+    );
 
-    return undef;
+    return $version;
 }
 
 sub unified_cgroupv2_support {
-    my ($self) = @_;
+    my ($self, $init) = @_;
 
     # https://www.freedesktop.org/software/systemd/man/systemd.html
     # systemd is installed as symlink to /sbin/init
-    my $systemd = $self->ct_readlink('/sbin/init');
-
     # assume non-systemd init will run with unified cgroupv2
-    if (!defined($systemd) || $systemd !~ m@/systemd$@) {
+    if (!defined($init) || $init !~ m@/systemd$@) {
 	return 1;
     }
 
     # systemd version 232 (e.g. debian stretch) supports the unified hierarchy
-    my $sdver = $self->get_systemd_version();
+    my $sdver = $self->get_systemd_version($init);
     if (!defined($sdver) || $sdver < 232) {
 	return 0;
     }
 
-    return 1
+    return 1;
 }
 
 sub ssh_host_key_types_to_generate {
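Review bot: With `errmsg` set and no `noerr`, the `run_command` call on lines 97-105 dies whenever objdump exits non-zero (missing or non-ELF `/sbin/init`, or a target that does not resolve under the root), whereas the removed implementation returned undef and `unified_cgroupv2_support` then answered 0; the whole container setup now aborts instead. Consider `noerr => 1` or wrapping the call in `eval` so a broken init degrades to "version unknown" as before, and only invoke objdump once `$self->{rootdir}.$init` has been checked to be a regular file below the root, since `$init` comes from a container symlink and is joined on line 98 without normalisation. objdump is still parsing an attacker-chosen ELF on the host, and binutils parsers have a long record of memory-safety bugs, so passing run_command's `timeout` option bounds the exposure. The regex on line 101 keys on the `required from libsystemd-shared-NNN.so:` line of the version-references section; a binary that links the library without versioned symbol references (not verified here) would leave `$version` undef, so matching the `NEEDED` entry as well would be more robust.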
diff --git a/src/PVE/LXC/Setup/Devuan.pm b/src/PVE/LXC/Setup/Devuan.pm
index 3e15bb2..059f145 100644
--- a/src/PVE/LXC/Setup/Devuan.pm
+++ b/src/PVE/LXC/Setup/Devuan.pm
@@ -42,7 +42,7 @@ sub new {
 
 # non systemd based containers work with pure cgroupv2
 sub unified_cgroupv2_support {
-    my ($self) = @_;
+    my ($self, $init) = @_;
 
     return 1;
 }
diff --git a/src/PVE/LXC/Setup/Plugin.pm b/src/PVE/LXC/Setup/Plugin.pm
index 8458ad8..7024856 100644
--- a/src/PVE/LXC/Setup/Plugin.pm
+++ b/src/PVE/LXC/Setup/Plugin.pm
@@ -48,7 +48,7 @@ sub set_user_password {
 }
 
 sub unified_cgroupv2_support {
-    my ($self) = @_;
+    my ($self, $init) = @_;
     croak "implement me in sub-class\n";
 }
 
diff --git a/src/PVE/LXC/Setup/Unmanaged.pm b/src/PVE/LXC/Setup/Unmanaged.pm
index 3b9febf..280af04 100644
--- a/src/PVE/LXC/Setup/Unmanaged.pm
+++ b/src/PVE/LXC/Setup/Unmanaged.pm
@@ -45,7 +45,7 @@ sub set_user_password {
 }
 
 sub unified_cgroupv2_support {
-    my ($self) = @_;
+    my ($self, $init) = @_;
     return 1; # faking it won't normally hurt ;-)
 }
 
-- 
2.30.2





