commit: 3ffe8430672993cfc0d8d0b3abdf4d777cf3fdc1 Author: Mike Gilbert <floppym <AT> gentoo <DOT> org> AuthorDate: Thu Apr 5 20:11:52 2018 +0000 Commit: Mike Gilbert <floppym <AT> gentoo <DOT> org> CommitDate: Thu Apr 5 20:11:52 2018 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ffe8430
sys-apps/systemd: fix regression in nspawn network setup Closes: https://bugs.gentoo.org/652396 Package-Manager: Portage-2.3.24, Repoman-2.3.6_p81 sys-apps/systemd/files/238-nspawn-wait.patch | 83 ++++++++++++++++++++++ ...systemd-238-r3.ebuild => systemd-238-r4.ebuild} | 1 + 2 files changed, 84 insertions(+) diff --git a/sys-apps/systemd/files/238-nspawn-wait.patch b/sys-apps/systemd/files/238-nspawn-wait.patch new file mode 100644 index 00000000000..a740e893345 --- /dev/null +++ b/sys-apps/systemd/files/238-nspawn-wait.patch @@ -0,0 +1,83 @@ +From 7511655807e90aa33ea7b71991401a79ec36bb41 Mon Sep 17 00:00:00 2001 +From: Philip Sequeira <phseq...@gmail.com> +Date: Thu, 5 Apr 2018 14:04:27 +0000 +Subject: [PATCH] nspawn: wait for network namespace creation before interface + setup (#8633) + +Otherwise, network interfaces can be "moved" into the container's +namespace while it's still the same as the host namespace, in which case +e.g. host0 for a veth ends up on the host side instead of inside the +container. + +Regression introduced in 0441378080489e4ab6704cd0a2d78cb1ceaca899. + +Fixes #8599. +--- + src/nspawn/nspawn.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c +index 810f1247ea2..a5bc50c1f4c 100644 +--- a/src/nspawn/nspawn.c ++++ b/src/nspawn/nspawn.c +@@ -2329,6 +2329,9 @@ static int inner_child( + r = unshare(CLONE_NEWNET); + if (r < 0) + return log_error_errno(errno, "Failed to unshare network namespace: %m"); ++ ++ /* Tell the parent that it can setup network interfaces. */ ++ (void) barrier_place(barrier); /* #3 */ + } + + r = mount_sysfs(NULL, arg_mount_settings); +@@ -2337,7 +2340,7 @@ static int inner_child( + + /* Wait until we are cgroup-ified, so that we + * can mount the right cgroup path writable */ +- if (!barrier_place_and_sync(barrier)) { /* #3 */ ++ if (!barrier_place_and_sync(barrier)) { /* #4 */ + log_error("Parent died too early"); + return -ESRCH; + } +@@ -2448,7 +2451,7 @@ static int inner_child( + /* Let the parent know that we are ready and + * wait until the parent is ready with the + * setup, too... */ +- if (!barrier_place_and_sync(barrier)) { /* #4 */ ++ if (!barrier_place_and_sync(barrier)) { /* #5 */ + log_error("Parent died too early"); + return -ESRCH; + } +@@ -3533,6 +3536,14 @@ static int run(int master, + + if (arg_private_network) { + ++ if (!arg_network_namespace_path) { ++ /* Wait until the child has unshared its network namespace. */ ++ if (!barrier_place_and_sync(&barrier)) { /* #3 */ ++ log_error("Child died too early"); ++ return -ESRCH; ++ } ++ } ++ + r = move_network_interfaces(*pid, arg_network_interfaces); + if (r < 0) + return r; +@@ -3656,7 +3667,7 @@ static int run(int master, + * its setup (including cgroup-ification), and that + * the child can now hand over control to the code to + * run inside the container. */ +- (void) barrier_place(&barrier); /* #3 */ ++ (void) barrier_place(&barrier); /* #4 */ + + /* Block SIGCHLD here, before notifying child. + * process_pty() will handle it with the other signals. */ +@@ -3684,7 +3695,7 @@ static int run(int master, + return r; + + /* Let the child know that we are ready and wait that the child is completely ready now. */ +- if (!barrier_place_and_sync(&barrier)) { /* #4 */ ++ if (!barrier_place_and_sync(&barrier)) { /* #5 */ + log_error("Child died too early."); + return -ESRCH; + } diff --git a/sys-apps/systemd/systemd-238-r3.ebuild b/sys-apps/systemd/systemd-238-r4.ebuild similarity index 99% rename from sys-apps/systemd/systemd-238-r3.ebuild rename to sys-apps/systemd/systemd-238-r4.ebuild index b68ed0bf92a..0aca5fbb302 100644 --- a/sys-apps/systemd/systemd-238-r3.ebuild +++ b/sys-apps/systemd/systemd-238-r4.ebuild @@ -155,6 +155,7 @@ src_prepare() { PATCHES+=( "${FILESDIR}/238-libmount-include.patch" "${FILESDIR}/238-initctl.patch" + "${FILESDIR}/238-nspawn-wait.patch" ) if ! use vanilla; then
