Update gvisor updater

Signed-off-by: Tommy <contact@tommytran.io>
2025-11-04 11:08:35 +01:00 · 2024-06-28 22:45:25 -07:00
parent bb8041a73a
commit b2df161d15
3 changed files with 36 additions and 77 deletions
--- a/etc/systemd/system/gvisor-updater.service
+++ b/etc/systemd/system/gvisor-updater.service
@@ -1,50 +0,0 @@
-[Unit]
-Description=Update gVisor
-After=network-online.target
-Before=docker.service
-
-[Service]
-Type=oneshot
-RuntimeDirectory=gvisor-updater
-WorkingDirectory=/run/gvisor-updater
-ExecStart=/usr/bin/sleep 5
-ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc
-ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512
-ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1
-ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512
-ExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
-ExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512
-ExecStart=+/usr/bin/chown root:root runsc containerd-shim-runsc-v1
-ExecStart=+/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1
-ExecStart=+/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin
-ExecStart=+/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc
-
-DynamicUser=true
-CapabilityBoundingSet=
-LockPersonality=true
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateIPC=true
-PrivateTmp=true
-ProcSubset=pid
-ProtectClock=true
-ProtectControlGroups=true
-ProtectHome=true
-ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectProc=invisible
-ProtectSystem=strict
-RestrictAddressFamilies=
-RestrictNamespaces=true
-RestrictRealtime=true
-RestrictSUIDSGID=true
-RuntimeDirectoryMode=700
-SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@obsolete
-
-[Install]
-WantedBy=multi-user.target
--- a/x86-QEMU-Docker.ign
+++ b/x86-QEMU-Docker.ign
@@ -229,12 +229,7 @@
        "name": "postinst2.service"
      },
      {
-        "contents": "[Unit]\nDescription=Download gVisor\nAfter=network-online.target\nBefore=docker.service\n\n[Service]\nUser=unpriv\nWorkingDirectory=/var/home/unpriv\nType=oneshot\nExecStart=/usr/bin/sleep 5\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512\n\n[Install]\nWantedBy=multi-user.target\n",
-        "enabled": true,
-        "name": "gvisor-downloader.service"
-      },
-      {
-        "contents": "[Unit]\nDescription=Copy gVisor to the correct location\nAfter=gvisor-downloader.service\n\n[Service]\nWorkingDirectory=/var/home/unpriv\nType=oneshot\nExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/chown root:root runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1\nExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin\nExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc\n\n[Install]\nWantedBy=multi-user.target\n",
+        "contents": "[Unit]\nDescription=Update gVisor\nAfter=network-online.target\nBefore=docker.service\n\n[Service]\nType=oneshot\nRuntimeDirectory=gvisor-updater\nWorkingDirectory=/run/gvisor-updater\nExecStart=/usr/bin/sleep 5\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1\nExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512\nExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512\nExecStart=+/usr/bin/chown root:root runsc containerd-shim-runsc-v1\nExecStart=+/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1\nExecStart=+/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin\nExecStart=+/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc\n\nDynamicUser=true\nCapabilityBoundingSet=\nLockPersonality=true\nMemoryDenyWriteExecute=true\nNoNewPrivileges=true\nPrivateDevices=true\nPrivateIPC=true\nPrivateTmp=true\nProcSubset=pid\nProtectClock=true\nProtectControlGroups=true\nProtectHome=true\nProtectHostname=true\nProtectKernelLogs=true\nProtectKernelModules=true\nProtectKernelTunables=true\nProtectProc=invisible\nProtectSystem=strict\nRestrictAddressFamilies=\nRestrictNamespaces=true\nRestrictRealtime=true\nRestrictSUIDSGID=true\nRuntimeDirectoryMode=700\nSystemCallArchitectures=native\nSystemCallFilter=@system-service\nSystemCallFilter=~@obsolete\n\n[Install]\nWantedBy=multi-user.target\n",
        "enabled": true,
        "name": "gvisor-updater.service"
      },
--- a/x86-QEMU-Docker.yml
+++ b/x86-QEMU-Docker.yml
@@ -81,42 +81,56 @@ systemd:

        [Install]
        WantedBy=multi-user.target
-    - name: gvisor-downloader.service
+    - name: gvisor-updater.service
      enabled: true
      contents: |
        [Unit]
-        Description=Download gVisor
+        Description=Update gVisor
        After=network-online.target
        Before=docker.service

        [Service]
-        User=unpriv
-        WorkingDirectory=/var/home/unpriv
        Type=oneshot
+        RuntimeDirectory=gvisor-updater
+        WorkingDirectory=/run/gvisor-updater
        ExecStart=/usr/bin/sleep 5
        ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc
        ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/runsc.sha512
        ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1
        ExecStart=/usr/bin/curl -sS -O https://storage.googleapis.com/gvisor/releases/release/latest/x86_64/containerd-shim-runsc-v1.sha512
-
-        [Install]
-        WantedBy=multi-user.target
-    - name: gvisor-updater.service
-      enabled: true
-      contents: |
-        [Unit]
-        Description=Copy gVisor to the correct location
-        After=gvisor-downloader.service
-
-        [Service]
-        WorkingDirectory=/var/home/unpriv
-        Type=oneshot
        ExecStart=/usr/bin/sha512sum -c runsc.sha512 -c containerd-shim-runsc-v1.sha512
        ExecStart=/usr/bin/rm -f runsc.sha512 containerd-shim-runsc-v1.sha512
-        ExecStart=/usr/bin/chown root:root runsc containerd-shim-runsc-v1
-        ExecStart=/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1
-        ExecStart=/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin
-        ExecStart=/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc
+        ExecStart=+/usr/bin/chown root:root runsc containerd-shim-runsc-v1
+        ExecStart=+/usr/bin/chmod a+rx runsc containerd-shim-runsc-v1
+        ExecStart=+/usr/bin/mv runsc containerd-shim-runsc-v1 /var/usrlocal/bin
+        ExecStart=+/usr/bin/chcon system_u:object_r:container_runtime_exec_t:s0 /var/usrlocal/bin/runsc
+
+        DynamicUser=true
+        CapabilityBoundingSet=
+        LockPersonality=true
+        MemoryDenyWriteExecute=true
+        NoNewPrivileges=true
+        PrivateDevices=true
+        PrivateIPC=true
+        PrivateTmp=true
+        ProcSubset=pid
+        ProtectClock=true
+        ProtectControlGroups=true
+        ProtectHome=true
+        ProtectHostname=true
+        ProtectKernelLogs=true
+        ProtectKernelModules=true
+        ProtectKernelTunables=true
+        ProtectProc=invisible
+        ProtectSystem=strict
+        RestrictAddressFamilies=
+        RestrictNamespaces=true
+        RestrictRealtime=true
+        RestrictSUIDSGID=true
+        RuntimeDirectoryMode=700
+        SystemCallArchitectures=native
+        SystemCallFilter=@system-service
+        SystemCallFilter=~@obsolete

        [Install]
        WantedBy=multi-user.target