author | Christian Grothoff <christian@grothoff.org> | 2020-02-17 21:15:26 +0100 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2020-02-17 21:15:26 +0100 |
commit | be061b4da9a8850412c216bdf49589e6951527c5 (patch) | |
tree | 07683c5d5181c0b515a906295b0553d164e7aa00 | |
parent | 114060fb686285de9dc9b39acbd739ea9c9d7e15 (diff) | |
fix netjail comments, handle failing commands better
-rwxr-xr-x | netjail/netjail-privdrop.sh | 7 | ||||
-rwxr-xr-x | netjail/netjail.sh | 9 |
2 files changed, 6 insertions, 10 deletions
diff --git a/netjail/netjail-privdrop.sh b/netjail/netjail-privdrop.sh
index 4ea2a3e..816bdf8 100755
--- a/netjail/netjail-privdrop.sh
+++ b/netjail/netjail-privdrop.sh
@@ -6,9 +6,8 @@
 # Used by buildslaves to avoid port conflicts.
 #
 # First argument ($1) must be a unique number (unique amongst
-# all users of the script) between 2 and 254 to be used in
-# the IP address for routing the traffic of the network
-# namespace to the Internet.
+# all users of the script) to be used in
+# the name of the virtual network devices and the namespace itself.
 #
 # The remaining arguments are the command (and arguments to the
 # command) to be run in the network namespace (i.e. 'make check').
@@ -37,8 +36,10 @@ ME=${SUDO_USER:?must run in sudo}
 # Execute target program as the original user.
 # We should already be in a PID namespace, but we still need to mount proc.
+set +e
 unshare --mount-proc -- sudo -u "$ME" -- "$@"
 ret=$?
+set -e
 # Release the lease
 dhclient --no-pid -r || false
diff --git a/netjail/netjail.sh b/netjail/netjail.sh
index 17dd095..136390b 100755
--- a/netjail/netjail.sh
+++ b/netjail/netjail.sh
@@ -5,12 +5,7 @@
 # Shell script for to setup one instance of a network namespace.
 # Used by buildslaves to avoid port conflicts.
 #
-# First argument ($1) must be a unique number (unique amongst
-# all users of the script) between 2 and 254 to be used in
-# the IP address for routing the traffic of the network
-# namespace to the Internet.
-#
-# The remaining arguments are the command (and arguments to the
+# The arguments are the command (and arguments to the
+# command) to be run in the network namespace (i.e. 'make check').
 #
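Review bot: The rewritten header in the first hunk still describes $1 as a unique number that each user of the script picks, but the `exec ... netjail-privdrop.sh "$NSUID" "$@"` line in netjail.sh in this same commit passes `$NSUID`, so the value is now supplied by the wrapper (presumably the caller's UID, judging by the name) rather than chosen; the comment should say so, e.g. `# First argument ($1) is the numeric id (netjail.sh passes $NSUID) used in the names of the virtual network devices and of the namespace itself.` Because that value ends up in interface and namespace names and the script runs under sudo, it is also worth rejecting anything non-numeric next to the `ME=${SUDO_USER:?...}` check, `case "$1" in ''|*[!0-9]*) echo "netjail-privdrop: numeric id expected" >&2; exit 1;; esac`, unless that validation already lives outside the hunk. Linux interface names are short (15 characters), so if the id is embedded in a device name a comment stating the assumed maximum length would help the next reader.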
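Review bot: Toggling errexit with `set +e` / `set -e` around the unshare call in the second hunk is brittle: `set -e` is re-enabled unconditionally (the top of the script is outside this hunk, so whether it was on before cannot be confirmed here), and any command later inserted between the two `set` lines would have its failure silently ignored. The usual way to capture a status without touching the global option is `ret=0` followed by `unshare --mount-proc -- sudo -u "$ME" -- "$@" || ret=$?`, which behaves the same whether or not errexit is active. That keeps the lease release below running on the failure path, which is what the commit is after, without the global state change.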
@@ -41,5 +36,5 @@ ip link set "$TAP" netns "$NSNAME"
 ip link set dev "$BRTAP" up
 # Execute netjail-privdrop in a process namespace, but do not mount proc yet,
-# so that we can still "nsenter" the root NS to drop the
+# so that we can still "nsenter" the root NS to drop the
 exec unshare -fp --kill-child -- ip netns exec "$NSNAME" netjail-privdrop.sh "$NSUID" "$@" |
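Review bot: The comment on the new side still ends mid-sentence, `# so that we can still "nsenter" the root NS to drop the`, and the only visible difference from the removed line is whitespace, so the truncated sentence the commit title promises to fix is still there. Finish the thought in the added line; from the surrounding code it presumably refers to the privilege drop or lease release done by netjail-privdrop.sh, but the hunk does not say, so confirm the intent before wording it. While here, the `exec unshare ... netjail-privdrop.sh "$NSUID" "$@"` line resolves `netjail-privdrop.sh` through PATH while running as root; if this is not guaranteed to run under sudo's secure_path, an absolute path would remove that dependency.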