| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the VM container communication service" |
| author "chromium-os-dev@chromium.org" |
| |
| # Starts the service that communicates with containers running inside of VMs. |
| # This sends/receives message into/from the container. |
| start on started vm_concierge |
| stop on stopped vm_concierge |
| respawn |
| |
| # Force gRPC to use poll instead of epoll. |
| # TODO(crbug.com/987390): Remove once epoll1 poller is removed or fixed. |
| env GRPC_POLL_STRATEGY=poll |
| |
| # Force gRPC to use the native resolver instead of ares. |
| # TODO(crbug.com/1044665): Remove once gRPC doesn't use ares resolver for vsock. |
| env GRPC_DNS_RESOLVER=native |
| |
| pre-start script |
| # Set the iptables rules to allow the container inside a VM to communicate |
| # back with the host over gRPC. Ports are defined in: |
| # src/platform2/vm_tools/common/constants.h |
| # |
| # Open port for garcon. |
| iptables -A INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w |
| end script |
| |
| post-stop script |
| # Close port for garcon. |
| iptables -D INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w |
| end script |
| |
| # Launch this process jailed with a new IPC namespace, new PID |
| # namespace, remount /proc, new mount namespace, no new privileges, |
| # drop all caps, launch as user/group vm_cicerone, set up seccomp-bpf, |
| # inherit supplementary groups for vm_cicerone. The new mount |
| # namespace is a slave of the main namespace so we can inherit the |
| # mounts of new cryptohomes as sessions are started and ended, which |
| # is required to write crash reports into those cryptohomes. |
| exec minijail0 -l -p -r -v -n -c 0 -u vm_cicerone -g vm_cicerone -G -Kslave \ |
| -S /usr/share/policy/vm_cicerone-seccomp.policy -- /usr/bin/vm_cicerone |