unbit / uwsgi

uWSGI application server container
http://projects.unbit.it/uwsgi

Plugin post_jail handlers order of execution #1732

Open bjne opened 6 years ago

bjne commented 6 years ago

I am experiencing problems with initialization of a tuntap network device due to the fact that it is not currently possible to execute network configuration commands between plugin post_jail hooks and pivot_root.

Would it make sense to move the plugin initialization post_jail to before uwsgi_hooks_run(uwsgi.hook_post_jail) or introduce a new phase?

The way it currently works forces me to have (unneeded) network configuration binaries/libraries in my new_root.

unbit commented 6 years ago

Hi @bjne feel free to add a new hook (they are pretty low-cost), i will be happy to merge it.

Moving the current ones in other phases will break compatibility.

Thanks

bjne commented 6 years ago

Hi. What do you think about #1734, from what I can understand it should not break anything :)

bjne commented 6 years ago

A related issue is the following:

post_jail exec does not currently work if one unshares the pid namespace, because the first program executed becomes pid1, and the next execution will fail because of the way Linux by default handles that pid1 is nonexistent.

The refork-post-jail switch does not help here, since it reforks after all the hooks are run. The current way to solve this is imho unnecessarily complex, needing:

```
unshare = fs,net,uts
refork-post-jail = true
hook-post-jail = exec:ip addr add...
unshare2 = pid
```

Could the refork-post-jail be run before the post-jail-hooks?

bjne commented 6 years ago

@unbit: care to comment on this?