ml/init/ml-service.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description     "Chrome OS Machine Learning service"
 author          "chromium-os-dev@chromium.org"

 # This daemon is started by D-Bus service activation configured in
 # ml/dbus/org.chromium.MachineLearning.service and
 # ml/dbus/org.chromium.MachineLearning.AdaptiveCharging.service
 stop on stopping system-services
 expect fork

 import TASK
 export TASK
 instance ${TASK}

 pre-start script
   logger -t "${UPSTART_JOB}" "Pre-start ml-service task=${TASK}"

   mkdir -m 0755 -p /var/lib/ml_service/metrics
   chown -R ml-service:ml-service /var/lib/ml_service

   # TASK can be "mojo_service" for a general ml-service or "adaptive_charging"
   # for adaptive charging dbus service.
   if [ "${TASK}" != "mojo_service" -a "${TASK}" != "adaptive_charging" ]; then
     logger -t "${UPSTART_JOB}" "ERROR: unknown TASK ${TASK}, quit."
     stop
     exit 0
   fi

   # Check if system-services is still running before starting ml-service.
   # This is to prevent new dbus-activated instances from getting started once
   # the system is beginning to shut down.
   if ! initctl status system-services | grep -q running; then
     logger -t "${UPSTART_JOB}" "ERROR: system services not running, quit."
     stop
     exit 0
   fi
 end script

 script
   if [ "${TASK}" = "mojo_service" ]; then
     # --profile=minimalistic-mountns Mount namespace with basic mounts
     #     includes /var/empty, /, /proc (RO), /dev/log, /tmp (tmpfs)
     # -b /var/lib/ml_service for ml_service metrics
     # -b /var/lib/metrics for uma metrics
     # -k /run/imageloader with MS_BIND|MS_REC to pick up any new DLC package
     #    mounts
     # We have to use nested minijail to enable correct userns set-up: the outer
     # minijail mainly does the mounting and the inner minijail set up the
     # userns. Also we have remount "/proc" by making it writable because we need
     # to write to /proc/[pid]/uid_map etc.
     # The uid/gid 20106 is for ml-service's control process.
     # The uid/gid 20177 is for bootstrapping DBus connection because DBus
     # requires the process connecting to it to have the same euid inside and
     # outside of the userns.
     exec minijail0 -n -p -l -r -v -N -i -I --uts -Kslave \
       --profile=minimalistic-mountns \
       -k 'proc,/proc,proc,MS_NOSUID|MS_NODEV|MS_NOEXEC' \
       -k tmpfs,/var,tmpfs \
       -k tmpfs,/run,tmpfs \
       -k '/run/imageloader,/run/imageloader,none,MS_BIND|MS_REC' \
       -b /run/dbus \
       -b /var/lib/ml_service,,1 \
       -b /var/lib/metrics,,1 \
       -- /sbin/minijail0 -Kslave -U -I -v -M"0 20106 1,20177 20177 1" \
         -m"0 20106 1,20177 20177 1" \
         -k 'proc,/proc,proc,MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RDONLY' \
         -S /usr/share/policy/ml_service-seccomp.policy \
         -- /usr/bin/ml_service --task=mojo_service

   elif [ "${TASK}" = "adaptive_charging" ]; then
     # adaptive_charging doesn't require a nested minijail.
     # TODO(alanlxl): customize seccomp to make it run in a tighter sandbox.
     exec minijail0 -e -i -n -p -l --uts -c 0 \
       --profile=minimalistic-mountns \
       -k tmpfs,/var,tmpfs \
       -k tmpfs,/run,tmpfs \
       -b /run/dbus \
       -b /var/lib/ml_service,,1 \
       -b /var/lib/metrics,,1 \
       -S /usr/share/policy/ml_service-seccomp.policy \
       -u ml-service -g ml-service \
       -- /usr/bin/ml_service --task=adaptive_charging
   fi
 end script

 post-start script
   local dbus_interface
   if [ "${TASK}" = "mojo_service" ]; then
     dbus_interface="org.chromium.MachineLearning"
   elif [ "${TASK}" = "adaptive_charging" ]; then
     dbus_interface="org.chromium.MachineLearning.AdaptiveCharging"
   fi

   logger -t "${UPSTART_JOB}" "Post-start ml-service task=${TASK}"
   # Wait for daemon to claim its D-Bus name before transitioning to started.
   exec minijail0 -u ml-service -g ml-service /usr/bin/gdbus \
       wait --system --timeout 15 ${dbus_interface}
 end script

 post-stop exec logger -t "${UPSTART_JOB}" "Post-stop ml-service task=${TASK}"
	# Copyright 2018 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Chrome OS Machine Learning service"
	author "chromium-os-dev@chromium.org"

	# This daemon is started by D-Bus service activation configured in
	# ml/dbus/org.chromium.MachineLearning.service and
	# ml/dbus/org.chromium.MachineLearning.AdaptiveCharging.service
	stop on stopping system-services
	expect fork

	import TASK
	export TASK
	instance ${TASK}

	pre-start script
	logger -t "${UPSTART_JOB}" "Pre-start ml-service task=${TASK}"

	mkdir -m 0755 -p /var/lib/ml_service/metrics
	chown -R ml-service:ml-service /var/lib/ml_service

	# TASK can be "mojo_service" for a general ml-service or "adaptive_charging"
	# for adaptive charging dbus service.
	if [ "${TASK}" != "mojo_service" -a "${TASK}" != "adaptive_charging" ]; then
	logger -t "${UPSTART_JOB}" "ERROR: unknown TASK ${TASK}, quit."
	stop
	exit 0
	fi

	# Check if system-services is still running before starting ml-service.
	# This is to prevent new dbus-activated instances from getting started once
	# the system is beginning to shut down.
	if ! initctl status system-services \| grep -q running; then
	logger -t "${UPSTART_JOB}" "ERROR: system services not running, quit."
	stop
	exit 0
	fi
	end script

	script
	if [ "${TASK}" = "mojo_service" ]; then
	# --profile=minimalistic-mountns Mount namespace with basic mounts
	# includes /var/empty, /, /proc (RO), /dev/log, /tmp (tmpfs)
	# -b /var/lib/ml_service for ml_service metrics
	# -b /var/lib/metrics for uma metrics
	# -k /run/imageloader with MS_BIND\|MS_REC to pick up any new DLC package
	# mounts
	# We have to use nested minijail to enable correct userns set-up: the outer
	# minijail mainly does the mounting and the inner minijail set up the
	# userns. Also we have remount "/proc" by making it writable because we need
	# to write to /proc/[pid]/uid_map etc.
	# The uid/gid 20106 is for ml-service's control process.
	# The uid/gid 20177 is for bootstrapping DBus connection because DBus
	# requires the process connecting to it to have the same euid inside and
	# outside of the userns.
	exec minijail0 -n -p -l -r -v -N -i -I --uts -Kslave \
	--profile=minimalistic-mountns \
	-k 'proc,/proc,proc,MS_NOSUID\|MS_NODEV\|MS_NOEXEC' \
	-k tmpfs,/var,tmpfs \
	-k tmpfs,/run,tmpfs \
	-k '/run/imageloader,/run/imageloader,none,MS_BIND\|MS_REC' \
	-b /run/dbus \
	-b /var/lib/ml_service,,1 \
	-b /var/lib/metrics,,1 \
	-- /sbin/minijail0 -Kslave -U -I -v -M"0 20106 1,20177 20177 1" \
	-m"0 20106 1,20177 20177 1" \
	-k 'proc,/proc,proc,MS_NOSUID\|MS_NODEV\|MS_NOEXEC\|MS_RDONLY' \
	-S /usr/share/policy/ml_service-seccomp.policy \
	-- /usr/bin/ml_service --task=mojo_service

	elif [ "${TASK}" = "adaptive_charging" ]; then
	# adaptive_charging doesn't require a nested minijail.
	# TODO(alanlxl): customize seccomp to make it run in a tighter sandbox.
	exec minijail0 -e -i -n -p -l --uts -c 0 \
	--profile=minimalistic-mountns \
	-k tmpfs,/var,tmpfs \
	-k tmpfs,/run,tmpfs \
	-b /run/dbus \
	-b /var/lib/ml_service,,1 \
	-b /var/lib/metrics,,1 \
	-S /usr/share/policy/ml_service-seccomp.policy \
	-u ml-service -g ml-service \
	-- /usr/bin/ml_service --task=adaptive_charging
	fi
	end script

	post-start script
	local dbus_interface
	if [ "${TASK}" = "mojo_service" ]; then
	dbus_interface="org.chromium.MachineLearning"
	elif [ "${TASK}" = "adaptive_charging" ]; then
	dbus_interface="org.chromium.MachineLearning.AdaptiveCharging"
	fi

	logger -t "${UPSTART_JOB}" "Post-start ml-service task=${TASK}"
	# Wait for daemon to claim its D-Bus name before transitioning to started.
	exec minijail0 -u ml-service -g ml-service /usr/bin/gdbus \
	wait --system --timeout 15 ${dbus_interface}
	end script

	post-stop exec logger -t "${UPSTART_JOB}" "Post-stop ml-service task=${TASK}"