blob: 45ccca79a3b28199088b136c8a2d131fe33a71d0 [file] [log] [blame]
# Copyright 2018 The ChromiumOS Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
description "Start the VM container communication service"
author ""
# Starts the service that communicates with containers running inside of VMs.
# This sends/receives message into/from the container.
start on started vm_concierge
stop on stopped vm_concierge
expect fork
# VM cicerone is a restartable daemon.
oom score -100
# Force gRPC to use the native resolver instead of ares.
# TODO( Remove once gRPC doesn't use ares resolver for vsock.
pre-start script
# Set the iptables rules to allow the container inside a VM to communicate
# back with the host over gRPC. Ports are defined in:
# src/platform2/vm_tools/common/constants.h
# Open port for garcon.
iptables -A INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w
end script
post-stop script
# Close port for garcon.
iptables -D INPUT -p tcp --dport 8889 -i vmtap+ -j ACCEPT -w
end script
# Launch this process jailed with a new IPC namespace, new PID
# namespace, new cgroup namespace, new network namespace, new UTS
# namespace, no new privileges, drop all caps, new mount namespace,
# remount /proc, launch as user/group vm_cicerone, inherit
# supplementary groups for vm_cicerone, set up seccomp-bpf. The new
# mount namespace is a slave of the main namespace so we can inherit
# the mounts of new cryptohomes as sessions are started and ended,
# which is required to write crash reports into those cryptohomes.
# We run as init in the new PID namespace so we don't have to keep a
# minijail process around.
exec minijail0 -l -p -N -e --uts -n -c 0 \
-v -Kslave \
-u vm_cicerone -g vm_cicerone -G \
-i -I \
-S /usr/share/policy/vm_cicerone-seccomp.policy -- /usr/bin/vm_cicerone