# Copyright 2018 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Start the VM container communication service"
author ""
# Starts the service that communicates with containers running inside of VMs.
# This sends/receives messages into/from the container.
# The job's lifetime is tied to vm_concierge (the VM manager): it is started
# once concierge is up and stopped when concierge stops.
start on started vm_concierge
stop on stopped vm_concierge
# Force gRPC to use poll instead of epoll.
# TODO(<bug id missing from this copy>): Remove once epoll1 poller is removed or fixed.
# Force gRPC to use the native resolver instead of ares.
# TODO(<bug id missing from this copy>): Remove once gRPC doesn't use ares resolver for vsock.
# NOTE(review): the two comments above describe gRPC environment settings, but
# no `env` stanzas are present in this copy of the file -- confirm they were
# not dropped, since without them the workarounds are not applied.
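pre-start script
  # Set the iptables rules to allow the container inside a VM to communicate
  # back with the host over gRPC. Ports are defined in:
  # src/platform2/vm_tools/common/constants.h
  # Open port for garcon.
  # Only append the rule when it is not already present (-C checks for an
  # existing rule, -w waits for the xtables lock). Otherwise a restart after
  # an unclean stop, where post-stop never ran, accumulates duplicate ACCEPT
  # rules that a single later -D does not fully remove.
  iptables -C INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w || \
    iptables -A INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w
end script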
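post-stop script
  # Close port for garcon.
  # Delete the rule for as long as it is present: this also clears any
  # duplicates left behind by an earlier unclean stop, and does not report an
  # error when the rule is already gone. A failing -D aborts the script
  # (upstart runs script stanzas with sh -e), so the loop cannot spin.
  while iptables -C INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w; do
    iptables -D INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w
  done
end script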
# Launch this process jailed with a new IPC namespace (-l), new PID
# namespace (-p), remount /proc (-r), new mount namespace (-v), no new
# privileges (-n), drop all caps (-c 0), launch as user/group vm_cicerone
# (-u/-g), set up seccomp-bpf (-S, policy below), inherit supplementary
# groups for vm_cicerone (-G). The new mount namespace is a slave of the
# main namespace (-Kslave) so we can inherit the mounts of new cryptohomes
# as sessions are started and ended, which is required to write crash
# reports into those cryptohomes.
# No network namespace is requested; the daemon presumably has to stay in
# the host network stack to serve the port opened in pre-start -- confirm
# before tightening the jail further.
exec minijail0 -l -p -r -v -n -c 0 -u vm_cicerone -g vm_cicerone -G -Kslave \
-S /usr/share/policy/vm_cicerone-seccomp.policy -- /usr/bin/vm_cicerone