vm_tools/init/vm_cicerone.conf - mirrors/cros/chromiumos/platform2 - Git at Google

 # Copyright 2018 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 description    "Start the VM container communication service"
 author         "chromium-os-dev@chromium.org"

 # Starts the service that communicates with containers running inside of VMs.
 # This sends/receives message into/from the container.
 start on started vm_concierge
 stop on stopped vm_concierge
 respawn
 expect fork

 # Force gRPC to use poll instead of epoll.
 # TODO(crbug.com/987390): Remove once epoll1 poller is removed or fixed.
 env GRPC_POLL_STRATEGY=poll

 # Force gRPC to use the native resolver instead of ares.
 # TODO(crbug.com/1044665): Remove once gRPC doesn't use ares resolver for vsock.
 env GRPC_DNS_RESOLVER=native

 pre-start script
   # Set the iptables rules to allow the container inside a VM to communicate
   # back with the host over gRPC. Ports are defined in:
   # src/platform2/vm_tools/common/constants.h
   #
   # Open port for garcon.
   iptables -A INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w
 end script

 post-stop script
   # Close port for garcon.
   iptables -D INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w
 end script

 # Launch this process jailed with a new IPC namespace, new PID
 # namespace, new cgroup namespace, new network namespace, new UTS
 # namespace, no new privileges, drop all caps, new mount namespace,
 # remount /proc, launch as user/group vm_cicerone, inherit
 # supplementary groups for vm_cicerone, set up seccomp-bpf. The new
 # mount namespace is a slave of the main namespace so we can inherit
 # the mounts of new cryptohomes as sessions are started and ended,
 # which is required to write crash reports into those cryptohomes.
 #
 # We run as init in the new PID namespace so we don't have to keep a
 # minijail process around.
 exec minijail0 -l -p -N -e --uts -n -c 0 \
      -v -Kslave \
      -k 'proc,/proc,proc,MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC' \
      -u vm_cicerone -g vm_cicerone -G \
      -i -I \
      -S /usr/share/policy/vm_cicerone-seccomp.policy -- /usr/bin/vm_cicerone
	# Copyright 2018 The Chromium OS Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	description "Start the VM container communication service"
	author "chromium-os-dev@chromium.org"

	# Starts the service that communicates with containers running inside of VMs.
	# This sends/receives message into/from the container.
	start on started vm_concierge
	stop on stopped vm_concierge
	respawn
	expect fork

	# Force gRPC to use poll instead of epoll.
	# TODO(crbug.com/987390): Remove once epoll1 poller is removed or fixed.
	env GRPC_POLL_STRATEGY=poll

	# Force gRPC to use the native resolver instead of ares.
	# TODO(crbug.com/1044665): Remove once gRPC doesn't use ares resolver for vsock.
	env GRPC_DNS_RESOLVER=native

	pre-start script
	# Set the iptables rules to allow the container inside a VM to communicate
	# back with the host over gRPC. Ports are defined in:
	# src/platform2/vm_tools/common/constants.h
	#
	# Open port for garcon.
	iptables -A INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w
	end script

	post-stop script
	# Close port for garcon.
	iptables -D INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w
	end script

	# Launch this process jailed with a new IPC namespace, new PID
	# namespace, new cgroup namespace, new network namespace, new UTS
	# namespace, no new privileges, drop all caps, new mount namespace,
	# remount /proc, launch as user/group vm_cicerone, inherit
	# supplementary groups for vm_cicerone, set up seccomp-bpf. The new
	# mount namespace is a slave of the main namespace so we can inherit
	# the mounts of new cryptohomes as sessions are started and ended,
	# which is required to write crash reports into those cryptohomes.
	#
	# We run as init in the new PID namespace so we don't have to keep a
	# minijail process around.
	exec minijail0 -l -p -N -e --uts -n -c 0 \
	-v -Kslave \
	-k 'proc,/proc,proc,MS_RDONLY\|MS_NOSUID\|MS_NODEV\|MS_NOEXEC' \
	-u vm_cicerone -g vm_cicerone -G \
	-i -I \
	-S /usr/share/policy/vm_cicerone-seccomp.policy -- /usr/bin/vm_cicerone