mount /dev/console

Author: elijah-wright

vminitd/Sources/vmexec/ExecCommand.swift

@@ -21,6 +21,10 @@ import LCShim
 import Logging
 import Musl
 
+#if canImport(Glibc)
+import Glibc
+#endif
+
 struct ExecCommand: ParsableCommand {
     static let configuration = CommandConfiguration(
         commandName: "exec",
@@ -75,6 +79,7 @@ struct ExecCommand: ParsableCommand {
 
         let childPipe = Pipe()
         try childPipe.setCloexec()
+        var hostFd: Int32 = -1
         let processID = fork()
 
         guard processID != -1 else {
@@ -93,11 +98,45 @@ struct ExecCommand: ParsableCommand {
                 throw App.Errno(stage: "setsid()")
             }
 
+            if process.terminal {
+                var containerFd: Int32 = 0
+                var ws = winsize(ws_row: 40, ws_col: 120, ws_xpixel: 0, ws_ypixel: 0)
+                guard openpty(&hostFd, &containerFd, nil, nil, &ws) == 0 else {
+                    throw App.Errno(stage: "openpty()")
+                }
+
+                guard dup3(containerFd, 0, 0) != -1 else {
+                    throw App.Errno(stage: "dup3(slave->stdin)")
+                }
+                guard dup3(containerFd, 1, 0) != -1 else {
+                    throw App.Errno(stage: "dup3(slave->stdout)")
+                }
+                guard dup3(containerFd, 2, 0) != -1 else {
+                    throw App.Errno(stage: "dup3(slave->stderr)")
+                }
+                _ = close(containerFd)
+
+                guard ioctl(0, UInt(TIOCSCTTY), 0) != -1 else {
+                    throw App.Errno(stage: "setctty()")
+                }
+            }
+
+            var fdCopy = hostFd
+            let fdData = Data(bytes: &fdCopy, count: MemoryLayout.size(ofValue: fdCopy))
+            try childPipe.fileHandleForWriting.write(contentsOf: fdData)
+            try childPipe.fileHandleForWriting.close()
+
+            var ackBuf: UInt8 = 0
+            _ = read(4, &ackBuf, 1)
+            close(4)
+            close(hostFd)
+
             // Apply O_CLOEXEC to all file descriptors except stdio.
             // This ensures that all unwanted fds we may have accidentally
             // inherited are marked close-on-exec so they stay out of the
             // container.
             try App.applyCloseExecOnFDs()
+
             try App.setRLimits(rlimits: process.rlimits)
 
             // Change stdio to be owned by the requested user.
@@ -106,12 +145,6 @@ struct ExecCommand: ParsableCommand {
             // Set uid, gid, and supplementary groups
             try App.setPermissions(user: process.user)
 
-            if process.terminal {
-                guard ioctl(0, UInt(TIOCSCTTY), 0) != -1 else {
-                    throw App.Errno(stage: "setctty()")
-                }
-            }
-
             try App.exec(process: process)
         } else {  // parent process
             try childPipe.fileHandleForWriting.close()
@@ -120,9 +153,9 @@ struct ExecCommand: ParsableCommand {
             _ = try childPipe.fileHandleForReading.readToEnd()
             try childPipe.fileHandleForReading.close()
 
-            // send our child's pid to our parent before we exit.
-            var childPid = processID
-            let data = Data(bytes: &childPid, count: MemoryLayout.size(ofValue: childPid))
+            // send our child's pid and the host fd to our parent before we exit.
+            var payload = [Int32(processID), hostFd]
+            let data = Data(bytes: &payload, count: MemoryLayout<Int32>.size * 2)
 
             try syncfd.write(contentsOf: data)
             try syncfd.close()

vminitd/Sources/vmexec/Mount.swift

@@ -18,9 +18,6 @@ import ContainerizationOCI
 import ContainerizationOS
 import Foundation
 import Musl
-#if canImport(Glibc)
-import Glibc
-#endif
 
 struct ContainerMount {
     private let mounts: [ContainerizationOCI.Mount]
@@ -38,7 +35,7 @@ struct ContainerMount {
         }
     }
 
-    func configureConsole(process: ContainerizationOCI.Process) throws {
+    func configureConsole() throws {
         let ptmx = self.rootfs.standardizingPath.appendingPathComponent("/dev/ptmx")
 
         guard remove(ptmx) == 0 else {
@@ -47,29 +44,6 @@ struct ContainerMount {
         guard symlink("pts/ptmx", ptmx) == 0 else {
             throw App.Errno(stage: "symlink(pts/ptmx)")
         }
-
-        if process.terminal {
-            var buf = [CChar](repeating: 0, count: 4096)
-            let len = readlink("/proc/self/fd/0", &buf, buf.count - 1)
-            if len != -1 {
-                buf[Int(len)] = 0
-                let ptyPath = String(cString: buf)
-
-                let console = self.rootfs.standardizingPath.appendingPathComponent("/dev/console")
-
-                if access(console, F_OK) != 0 {
-                    let fd = open(console, O_RDWR | O_CREAT, mode_t(UInt16(0o600)))
-                    if fd == -1 {
-                        throw App.erno(stage: "open(/dev/console)")
-                    }
-                    close(fd)
-                }
-
-                if mount(ptyPath, console, "", UInt(MS_BIND), nil) != 0 {
-                    throw App.Errno(stage: "mount(/dev/console)")
-                }
-            }
-        }
     }
 
     private func mkdirAll(_ name: String, _ perm: Int16) throws {

vminitd/Sources/vmexec/RunCommand.swift

@@ -21,6 +21,14 @@ import LCShim
 import Logging
 import Musl
 
+#if canImport(Musl)
+import Musl
+private let _ptsname = Musl.ptsname
+#elseif canImport(Glibc)
+import Glibc
+private let _ptsname = Glibc.ptsname
+#endif
+
 struct RunCommand: ParsableCommand {
     static let configuration = CommandConfiguration(
         commandName: "run",
@@ -39,10 +47,10 @@ struct RunCommand: ParsableCommand {
         try execInNamespace(spec: ociSpec, log: log)
     }
 
-    private func childRootSetup(rootfs: ContainerizationOCI.Root, mounts: [ContainerizationOCI.Mount], process: ContainerizationOCI.Process, log: Logger) throws {
+    private func childRootSetup(rootfs: ContainerizationOCI.Root, mounts: [ContainerizationOCI.Mount], log: Logger) throws {
         // setup rootfs
         try prepareRoot(rootfs: rootfs.path)
-        try mountRootfs(rootfs: rootfs.path, mounts: mounts, process: process)
+        try mountRootfs(rootfs: rootfs.path, mounts: mounts)
         try setDevSymlinks(rootfs: rootfs.path)
 
         try pivotRoot(rootfs: rootfs.path)
@@ -68,6 +76,7 @@ struct RunCommand: ParsableCommand {
 
         let childPipe = Pipe()
         try childPipe.setCloexec()
+        var hostFd: Int32 = -1
         let processID = fork()
 
         guard processID != -1 else {
@@ -90,7 +99,36 @@ struct RunCommand: ParsableCommand {
                 throw App.Errno(stage: "setsid()")
             }
 
-            try childRootSetup(rootfs: root, mounts: spec.mounts, log: log, process: process)
+            try childRootSetup(rootfs: root, mounts: spec.mounts, log: log)
+
+            if process.terminal {
+                let containerMount = ContainerMount(rootfs: root.path, mounts: spec.mounts)
+                try containerMount.configureConsole()
+                var containerFd: Int32 = 0
+                var ws = winsize(ws_row: 40, ws_col: 120, ws_xpixel: 0, ws_ypixel: 0)
+                guard openpty(&hostFd, &containerFd, nil, nil, &ws) == 0 else {
+                    throw App.Errno(stage: "openpty()")
+                }
+
+                guard dup3(containerFd, 0, 0) != -1 else {
+                    throw App.Errno(stage: "dup3(slave->stdin)")
+                }
+                guard dup3(containerFd, 1, 0) != -1 else {
+                    throw App.Errno(stage: "dup3(slave->stdout)")
+                }
+                guard dup3(containerFd, 2, 0) != -1 else {
+                    throw App.Errno(stage: "dup3(slave->stderr)")
+                }
+                _ = close(containerFd)
+
+                guard ioctl(0, UInt(TIOCSCTTY), 0) != -1 else {
+                    throw App.Errno(stage: "setctty()")
+                }
+
+                if let cPtr = _ptsname(hostFd) {
+                    mountConsole(path: String(cString: cPtr))
+                }
+            }
 
             if !spec.hostname.isEmpty {
                 let errCode = spec.hostname.withCString { ptr in
@@ -101,6 +139,16 @@ struct RunCommand: ParsableCommand {
                 }
             }
 
+            var fdCopy = hostFd
+            var fdData = Data(bytes: &fdCopy, count: MemoryLayout.size(ofValue: fdCopy))
+            try childPipe.fileHandleForWriting.write(contentsOf: fdData)
+            try childPipe.fileHandleForWriting.close()
+
+            var ackBuf: UInt8 = 0
+            _ = read(4, &ackBuf, 1)
+            close(4)
+            close(hostFd)
+
             // Apply O_CLOEXEC to all file descriptors except stdio.
             // This ensures that all unwanted fds we may have accidentally
             // inherited are marked close-on-exec so they stay out of the
@@ -115,12 +163,6 @@ struct RunCommand: ParsableCommand {
             // Set uid, gid, and supplementary groups.
             try App.setPermissions(user: process.user)
 
-            if process.terminal {
-                guard ioctl(0, UInt(TIOCSCTTY), 0) != -1 else {
-                    throw App.Errno(stage: "setctty()")
-                }
-            }
-
             try App.exec(process: process)
         } else {  // parent process
             try childPipe.fileHandleForWriting.close()
@@ -129,19 +171,18 @@ struct RunCommand: ParsableCommand {
             _ = try childPipe.fileHandleForReading.readToEnd()
             try childPipe.fileHandleForReading.close()
 
-            // send our child's pid to our parent before we exit.
-            var childPid = processID
-            let data = Data(bytes: &childPid, count: MemoryLayout.size(ofValue: childPid))
+            // send our child's pid and the host fd to our parent before we exit.
+            var payload = [Int32(processID), hostFd]
+            let data = Data(bytes: &payload, count: MemoryLayout<Int32>.size * 2)
 
             try syncfd.write(contentsOf: data)
             try syncfd.close()
         }
     }
 
-    private func mountRootfs(rootfs: String, mounts: [ContainerizationOCI.Mount], process: ContainerizationOCI.Process) throws {
+    private func mountRootfs(rootfs: String, mounts: [ContainerizationOCI.Mount]) throws {
         let containerMount = ContainerMount(rootfs: rootfs, mounts: mounts)
         try containerMount.mountToRootfs()
-        try containerMount.configureConsole(process)
     }
 
     private func prepareRoot(rootfs: String) throws {
@@ -256,4 +297,15 @@ struct RunCommand: ParsableCommand {
         _ = cStringCopy.initialize(from: cString)
         return UnsafeMutablePointer(cStringCopy.baseAddress)
     }
+
+    private func mountConsole(path: String) {
+        let console = "/dev/console"
+        if access(console, F_OK) != 0 {
+            let fd = open(console, O_RDWR | O_CREAT, mode_t(UInt16(0o600)))
+            if fd != -1 {
+                close(fd)
+            }
+        }
+        _ = mount(path, console, "", UInt(MS_BIND), nil)
+    }
 }

vminitd/Sources/vminitd/ManagedProcess.swift

@@ -31,6 +31,8 @@ final class ManagedProcess: Sendable {
     private let lock: Mutex<State>
     private let syncfd: Pipe
     private let owningPid: Int32?
+    private let ack: FileHandle
+    private let terminal: Bool
 
     private struct State {
         init(io: IO) {
@@ -53,6 +55,7 @@ final class ManagedProcess: Sendable {
     // swiftlint: disable type_name
     protocol IO {
         func start() throws
+        func attach(pid: Int32, fd: Int32) throws
         func closeAfterExec() throws
         func resize(size: Terminal.Size) throws
         func close() throws
@@ -75,11 +78,16 @@ final class ManagedProcess: Sendable {
         Self.localizeLogger(log: &log, id: id)
         self.log = log
         self.owningPid = owningPid
+        self.terminal = stdio.terminal
 
         let syncfd = Pipe()
         try syncfd.setCloexec()
         self.syncfd = syncfd
 
+        let ackPipe = Pipe()
+        try ackPipe.setCloexec()
+        self.ack = ackPipe.fileHandleForWriting
+
         let args: [String]
         if let owningPid {
             args = [
@@ -96,7 +104,7 @@ final class ManagedProcess: Sendable {
         var process = Command(
             "/sbin/vmexec",
             arguments: args,
-            extraFiles: [syncfd.fileHandleForWriting]
+            extraFiles: [syncfd.fileHandleForWriting, ackPipe.fileHandleForReading]
         )
 
         var io: IO
@@ -118,11 +126,6 @@ final class ManagedProcess: Sendable {
             )
         }
 
-        log.info("starting io")
-
-        // Setup IO early. We expect the host to be listening already.
-        try io.start()
-
         self.process = process
         self.lock = Mutex(State(io: io))
     }
@@ -137,6 +140,10 @@ extension ManagedProcess {
                     "id": "\(id)"
                 ])
 
+            if !self.terminal {
+                try $0.io.start()
+            }
+
             // Start the underlying process.
             try process.start()
 
@@ -148,20 +155,41 @@ extension ManagedProcess {
                 throw ContainerizationError(.internalError, message: "no pid data from sync pipe")
             }
 
+            guard piddata.count >= MemoryLayout<Int32>.size else {
+                throw ContainerizationError(.internalError, message: "invalid payload")
+            }
+
             let i = piddata.withUnsafeBytes { ptr in
                 ptr.load(as: Int32.self)
             }
 
-            log.info("got back pid data \(i)")
+            var fd: Int32 = -1
+            if piddata.count >= MemoryLayout<Int32>.size * 2 {
+                fd = piddata.withUnsafeBytes { ptr in
+                    ptr.load(fromByteOffset: MemoryLayout<Int32>.size, as: Int32.self)
+                }
+            }
+
+            log.info("got back pid data \(i), fd \(fd)")
             $0.pid = i
 
+            if self.terminal {
+                guard fd != -1 else {
+                    throw ContainerizationError(.internalError, message: "vmexec did not return pty fd")
+                }
+                try self.terminal.attach(pid: i, fd: fd)
+            }
+
             log.debug(
                 "started managed process",
                 metadata: [
                     "pid": "\(i)",
                     "id": "\(id)",
                 ])
 
+            try self.ack.write(contentsOf: Data([0]))
+            try self.ack.close()
+
             return i
         }
     }