authorTiago de Bem Natel de Moura <t.nateldemoura@f5.com>2019-09-19 15:25:23 +0300
committerTiago de Bem Natel de Moura <t.nateldemoura@f5.com>2019-09-19 15:25:23 +0300
commitc554941b4f826d83d92d5ca8d7713bea4167896e (patch)
tree86afb0a5efc790e1852124426acb73d8164341af /auto
parent6346e641eef4aacf92e81e0f1ea4f42ed1e62834 (diff)
Initial applications isolation support using Linux namespaces.
Diffstat (limited to 'auto')
-rw-r--r--auto/capability19
-rw-r--r--auto/isolation52
-rw-r--r--auto/sources7
-rw-r--r--auto/summary2
4 files changed, 80 insertions, 0 deletions
diff --git a/auto/capability b/auto/capability
new file mode 100644
index 00000000..48777665
--- /dev/null
+++ b/auto/capability
@@ -0,0 +1,19 @@
+
+# Copyright (C) Igor Sysoev
+# Copyright (C) NGINX, Inc.
+
+# Linux capability
+
+nxt_feature="Linux capability"
+nxt_feature_name=NXT_HAVE_LINUX_CAPABILITY
+nxt_feature_test="#include <linux/capability.h>
+ #include <unistd.h>
+ #include <sys/syscall.h>
+
+ int main() {
+ struct __user_cap_header_struct hdr;
+ hdr.version = _LINUX_CAPABILITY_VERSION;
+ syscall(SYS_capget, &hdr, 0);
+ return 0;
+ }"
+. auto/feature
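Review bot: This probe never sets `nxt_feature_run`, `nxt_feature_incs` or `nxt_feature_libs` before sourcing `auto/feature`, so it inherits whatever the previously sourced check left behind, whereas `auto/isolation` in this same commit resets all three. Adding `nxt_feature_run=no`, `nxt_feature_incs=` and `nxt_feature_libs=` ahead of `nxt_feature_test` would make the result independent of inclusion order (assuming `auto/feature`, not shown here, does not reset them itself). If the test program is ever executed, `capget` reads `hdr.pid` uninitialised, so `hdr.pid = 0;` is worth adding too. `_LINUX_CAPABILITY_VERSION` is also the legacy 32-bit v1 interface; if `src/nxt_capability.c` (not visible here) uses a newer header version, the probe should reference that constant so the build check matches what the runtime code needs.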
diff --git a/auto/isolation b/auto/isolation
new file mode 100644
index 00000000..c26a4991
--- /dev/null
+++ b/auto/isolation
@@ -0,0 +1,52 @@
+# Copyright (C) Igor Sysoev
+# Copyright (C) NGINX, Inc.
+
+# Linux clone syscall.
+
+NXT_ISOLATION=NO
+NXT_HAVE_CLONE=NO
+
+nsflags="USER NS PID NET UTS CGROUP"
+
+nxt_feature="clone(2)"
+nxt_feature_name=NXT_HAVE_CLONE
+nxt_feature_run=no
+nxt_feature_incs=
+nxt_feature_libs=
+nxt_feature_test="#include <sys/wait.h>
+ #include <sys/syscall.h>
+
+ int main() {
+ return __NR_clone | SIGCHLD;
+ }"
+. auto/feature
+
+if [ $nxt_found = yes ]; then
+ NXT_HAVE_CLONE=YES
+
+ # Test all isolation flags
+ for flag in $nsflags; do
+ nxt_feature="CLONE_NEW${flag}"
+ nxt_feature_name=NXT_HAVE_CLONE_NEW${flag}
+ nxt_feature_run=no
+ nxt_feature_incs=
+ nxt_feature_libs=
+ nxt_feature_test="#define _GNU_SOURCE
+ #include <sys/wait.h>
+ #include <sys/syscall.h>
+ #include <sched.h>
+
+ int main() {
+ return CLONE_NEW$flag;
+ }"
+ . auto/feature
+
+ if [ $nxt_found = yes ]; then
+ if [ "$NXT_ISOLATION" = "NO" ]; then
+ NXT_ISOLATION=$flag
+ else
+ NXT_ISOLATION="$NXT_ISOLATION $flag"
+ fi
+ fi
+ done
+fi
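Review bot: Because every `CLONE_NEW*` check runs with `nxt_feature_run=no`, `NXT_ISOLATION` records only which flags the build host's headers define, not which namespaces the target kernel will allow; unprivileged user namespaces in particular are often disabled by policy. A comment above the loop such as `# Compile-time check only: runtime clone() may still fail for any of these flags` would stop the "process isolation" summary line from being read as a guarantee. Separately, `[ $nxt_found = yes ]` is unquoted in both places and becomes a test syntax error if the variable is empty; `[ "$nxt_found" = yes ]` matches the quoting already used for `"$NXT_ISOLATION"`.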
diff --git a/auto/sources b/auto/sources
index 8ac8fb19..858eaa8c 100644
--- a/auto/sources
+++ b/auto/sources
@@ -71,6 +71,7 @@ NXT_LIB_SRCS=" \
src/nxt_upstream_round_robin.c \
src/nxt_http_parse.c \
src/nxt_app_log.c \
+ src/nxt_capability.c \
src/nxt_runtime.c \
src/nxt_conf.c \
src/nxt_conf_validation.c \
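Review bot: `src/nxt_capability.c` is appended to the unconditional `NXT_LIB_SRCS` list, while `src/nxt_clone.c` in the later hunk of this file is only added when `NXT_HAVE_CLONE` is `YES`. Unless the capability source guards its Linux-specific parts with `NXT_HAVE_LINUX_CAPABILITY` internally (the file is not shown here), non-Linux builds will try to compile it. Either gate it like the clone source or add a comment here stating that the file is self-guarding. The hunk shows only part of the `NXT_LIB_SRCS` assignment.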
@@ -132,6 +133,7 @@ NXT_LIB_SOLARIS_SENDFILEV_SRCS="src/nxt_solaris_sendfilev.c"
NXT_LIB_MACOSX_SENDFILE_SRCS="src/nxt_macosx_sendfile.c"
NXT_LIB_AIX_SEND_FILE_SRCS="src/nxt_aix_send_file.c"
NXT_LIB_HPUX_SENDFILE_SRCS="src/nxt_hpux_sendfile.c"
+NXT_LIB_CLONE_SRCS="src/nxt_clone.c"
NXT_TEST_BUILD_DEPS="src/nxt_test_build.h"
NXT_TEST_BUILD_SRCS="src/nxt_test_build.c"
@@ -257,6 +259,11 @@ if [ "$NXT_HAVE_HPUX_SENDFILE" = "YES" \
fi
+if [ "$NXT_HAVE_CLONE" = "YES" ]; then
+ NXT_LIB_SRCS="$NXT_LIB_SRCS $NXT_LIB_CLONE_SRCS"
+fi
+
+
if [ "$NXT_TEST_BUILD" = "YES" ]; then
NXT_LIB_SRCS="$NXT_LIB_SRCS $NXT_TEST_BUILD_SRCS"
fi
diff --git a/auto/summary b/auto/summary
index 1c9df4b1..59267f6c 100644
--- a/auto/summary
+++ b/auto/summary
@@ -26,6 +26,8 @@ Unit configuration summary:
Unix domain sockets support: $NXT_UNIX_DOMAIN
TLS support: ............... $NXT_OPENSSL
+ process isolation: ......... $NXT_ISOLATION
+
debug logging: ............. $NXT_DEBUG
END