| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Start the VM container communication service" |
| author "chromium-os-dev@chromium.org" |
| |
| # Starts the service that communicates with containers running inside of VMs. |
| # This sends/receives message into/from the container. |
| start on started vm_concierge |
| stop on stopped vm_concierge |
| respawn |
| expect fork |
| |
| # Force gRPC to use poll instead of epoll. |
| # TODO(crbug.com/987390): Remove once epoll1 poller is removed or fixed. |
| env GRPC_POLL_STRATEGY=poll |
| |
| # Force gRPC to use the native resolver instead of ares. |
| # TODO(crbug.com/1044665): Remove once gRPC doesn't use ares resolver for vsock. |
| env GRPC_DNS_RESOLVER=native |
| |
| pre-start script |
| # Set the iptables rules to allow the container inside a VM to communicate |
| # back with the host over gRPC. Ports are defined in: |
| # src/platform2/vm_tools/common/constants.h |
| # |
| # Open port for garcon. |
| iptables -A INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w |
| end script |
| |
| post-stop script |
| # Close port for garcon. |
| iptables -D INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w |
| end script |
| |
| # Launch this process jailed with a new IPC namespace, new PID |
| # namespace, new cgroup namespace, new network namespace, new UTS |
| # namespace, no new privileges, drop all caps, new mount namespace, |
| # remount /proc, launch as user/group vm_cicerone, inherit |
| # supplementary groups for vm_cicerone, set up seccomp-bpf. The new |
| # mount namespace is a slave of the main namespace so we can inherit |
| # the mounts of new cryptohomes as sessions are started and ended, |
| # which is required to write crash reports into those cryptohomes. |
| # |
| # We run as init in the new PID namespace so we don't have to keep a |
| # minijail process around. |
| exec minijail0 -l -p -N -e --uts -n -c 0 \ |
| -v -Kslave \ |
| -k 'proc,/proc,proc,MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -u vm_cicerone -g vm_cicerone -G \ |
| -i -I \ |
| -S /usr/share/policy/vm_cicerone-seccomp.policy -- /usr/bin/vm_cicerone |