Merge a2bc7476fb into b7eefa1996

detect-virt: check the inode number of the pid namespace
The indoe number of root pid namespace is hardcoded in the kernel to 0xEFFFFFFC since 3.8, so check the inode number of our pid namespace if all else fails. If it's not 0xEFFFFFFC then we are in a pid namespace, hence a container environment. Fixes https://github.com/systemd/systemd/issues/35249
2024-11-21 14:32:25 +09:00 · 2024-11-21 01:18:34 +00:00
2 changed files with 13 additions and 22 deletions
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@ -24,10 +24,6 @@
 #include "uid-range.h"
 #include "virt.h"

-/* Root namespace inode number, as per include/linux/proc_ns.h in the kernel source tree, since v3.8:
- * https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=98f842e675f96ffac96e6c50315790912b2812be */
-#define PROC_PID_INIT_INO UINT64_C(0xEFFFFFFC)
-
 enum {
      SMBIOS_VM_BIT_SET,
      SMBIOS_VM_BIT_UNSET,
@ -649,20 +645,6 @@ static int running_in_cgroupns(void) {
        }
 }

-static int running_in_pidns(void) {
-        _cleanup_close_ int pidns_fd = -EBADF;
-        struct stat st;
-
-        pidns_fd = namespace_open_by_type(NAMESPACE_PID);
-        if (pidns_fd < 0)
-                return log_debug_errno(pidns_fd, "Failed to open PID namespace, ignoring: %m");
-
-        if (fstat(pidns_fd, &st) < 0)
-                return log_debug_errno(errno, "Failed to fstat pid namespace fd, ignoring: %m");
-
-        return (uint64_t) st.st_ino != PROC_PID_INIT_INO;
-}
-
 static Virtualization detect_container_files(void) {
        static const struct {
                const char *file_path;
@ -692,6 +674,7 @@ static Virtualization detect_container_files(void) {
 Virtualization detect_container(void) {
        static thread_local Virtualization cached_found = _VIRTUALIZATION_INVALID;
        _cleanup_free_ char *m = NULL, *o = NULL, *p = NULL;
+        _cleanup_close_ int pidns_fd = -EBADF;
        const char *e = NULL;
        Virtualization v;
        int r;
@ -816,10 +799,19 @@ check_files:

        /* Finally, the root pid namespace has an hardcoded inode number of 0xEFFFFFFC since kernel 3.8, so
         * if all else fails we can check the inode number of our pid namespace and compare it. */
-        if (running_in_pidns() > 0) {
+        pidns_fd = namespace_open_by_type(NAMESPACE_PID);
+        if (pidns_fd < 0)
+                log_debug_errno(pidns_fd, "Failed to open PID namespace, ignoring: %m");
+        else {
+                struct stat st;
+
+                if (fstat(pidns_fd, &st) < 0)
+                        log_debug_errno(errno, "Failed to fstat pid namespace fd, ignoring: %m");
+                else if ((uint64_t) st.st_ino != 0xEFFFFFFC) {
                        v = VIRTUALIZATION_CONTAINER_OTHER;
                        goto finish;
                }
+        }

        /* If none of that worked, give up, assume no container manager. */
        v = VIRTUALIZATION_NONE;
--- a/test/TEST-74-AUX-UTILS/test.sh
+++ b/test/TEST-74-AUX-UTILS/test.sh
@ -4,7 +4,6 @@ set -e

 TEST_DESCRIPTION="Tests for auxiliary utilities"
 NSPAWN_ARGUMENTS="--private-network"
-TEST_NO_NSPAWN=1

 # shellcheck source=test/test-functions
 . "${TEST_BASE_DIR:?}/test-functions"