| # Copyright 2018 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "Chrome OS Machine Learning service" |
| author "chromium-os-dev@chromium.org" |
| |
| # This daemon is started by D-Bus service activation configured in |
| # ml/dbus/org.chromium.MachineLearning.service and |
| # ml/dbus/org.chromium.MachineLearning.AdaptiveCharging.service |
| stop on stopping system-services |
| expect fork |
| |
| import TASK |
| export TASK |
| instance ${TASK} |
| |
| pre-start script |
| logger -t "${UPSTART_JOB}" "Pre-start ml-service task=${TASK}" |
| |
| mkdir -m 0755 -p /var/lib/ml_service/metrics |
| chown -R ml-service:ml-service /var/lib/ml_service |
| |
| # TASK can be "mojo_service" for a general ml-service or "adaptive_charging" |
| # for adaptive charging dbus service. |
| if [ "${TASK}" != "mojo_service" -a "${TASK}" != "adaptive_charging" ]; then |
| logger -t "${UPSTART_JOB}" "ERROR: unknown TASK ${TASK}, quit." |
| stop |
| exit 0 |
| fi |
| |
| # Check if system-services is still running before starting ml-service. |
| # This is to prevent new dbus-activated instances from getting started once |
| # the system is beginning to shut down. |
| if ! initctl status system-services | grep -q running; then |
| logger -t "${UPSTART_JOB}" "ERROR: system services not running, quit." |
| stop |
| exit 0 |
| fi |
| end script |
| |
| script |
| if [ "${TASK}" = "mojo_service" ]; then |
| # --profile=minimalistic-mountns Mount namespace with basic mounts |
| # includes /var/empty, /, /proc (RO), /dev/log, /tmp (tmpfs) |
| # -b /var/lib/ml_service for ml_service metrics |
| # -b /var/lib/metrics for uma metrics |
| # -k /run/imageloader with MS_BIND|MS_REC to pick up any new DLC package |
| # mounts |
| # We have to use nested minijail to enable correct userns set-up: the outer |
| # minijail mainly does the mounting and the inner minijail set up the |
| # userns. Also we have remount "/proc" by making it writable because we need |
| # to write to /proc/[pid]/uid_map etc. |
| # The uid/gid 20106 is for ml-service's control process. |
| # The uid/gid 20177 is for bootstrapping DBus connection because DBus |
| # requires the process connecting to it to have the same euid inside and |
| # outside of the userns. |
| exec minijail0 -n -p -l -r -v -N -i -I --uts -Kslave \ |
| --profile=minimalistic-mountns \ |
| -k 'proc,/proc,proc,MS_NOSUID|MS_NODEV|MS_NOEXEC' \ |
| -k tmpfs,/var,tmpfs \ |
| -k tmpfs,/run,tmpfs \ |
| -k '/run/imageloader,/run/imageloader,none,MS_BIND|MS_REC' \ |
| -b /run/dbus \ |
| -b /var/lib/ml_service,,1 \ |
| -b /var/lib/metrics,,1 \ |
| -- /sbin/minijail0 -Kslave -U -I -v -M"0 20106 1,20177 20177 1" \ |
| -m"0 20106 1,20177 20177 1" \ |
| -k 'proc,/proc,proc,MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RDONLY' \ |
| -S /usr/share/policy/ml_service-seccomp.policy \ |
| -- /usr/bin/ml_service --task=mojo_service |
| |
| elif [ "${TASK}" = "adaptive_charging" ]; then |
| # adaptive_charging doesn't require a nested minijail. |
| # TODO(alanlxl): customize seccomp to make it run in a tighter sandbox. |
| exec minijail0 -e -i -n -p -l --uts -c 0 \ |
| --profile=minimalistic-mountns \ |
| -k tmpfs,/var,tmpfs \ |
| -k tmpfs,/run,tmpfs \ |
| -b /run/dbus \ |
| -b /var/lib/ml_service,,1 \ |
| -b /var/lib/metrics,,1 \ |
| -S /usr/share/policy/ml_service-seccomp.policy \ |
| -u ml-service -g ml-service \ |
| -- /usr/bin/ml_service --task=adaptive_charging |
| fi |
| end script |
| |
| post-start script |
| local dbus_interface |
| if [ "${TASK}" = "mojo_service" ]; then |
| dbus_interface="org.chromium.MachineLearning" |
| elif [ "${TASK}" = "adaptive_charging" ]; then |
| dbus_interface="org.chromium.MachineLearning.AdaptiveCharging" |
| fi |
| |
| logger -t "${UPSTART_JOB}" "Post-start ml-service task=${TASK}" |
| # Wait for daemon to claim its D-Bus name before transitioning to started. |
| exec minijail0 -u ml-service -g ml-service /usr/bin/gdbus \ |
| wait --system --timeout 15 ${dbus_interface} |
| end script |
| |
| post-stop exec logger -t "${UPSTART_JOB}" "Post-stop ml-service task=${TASK}" |