mirror of
https://github.com/opencontainers/runc.git
synced 2026-07-11 06:03:57 +08:00
memfd-bind: fixup systemd unit file and README
The example of starting memfd-bind via systemd in README did not work for me (Fedora 40, systemd 255): # systemctl status memfd-bind@/usr/bin/runc Invalid unit name "memfd-bind@/usr/bin/runc" escaped as "memfd-bind@-usr-bin-runc" (maybe you should use systemd-escape?). ○ memfd-bind@-usr-bin-runc.service Loaded: bad-setting (Reason: Unit memfd-bind@-usr-bin-runc.service has a bad unit file setting.) Active: inactive (dead) Docs: https://github.com/opencontainers/runc So, let's use systemd-escape -p ("path") in the README example, and use %f in the systemd unit file to prepend the slash to the filename. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
This commit is contained in:
@@ -25,7 +25,7 @@ The provided `memfd-bind@.service` file can be used to get systemd to manage
|
|||||||
this daemon. You can supply the path like so:
|
this daemon. You can supply the path like so:
|
||||||
|
|
||||||
```
|
```
|
||||||
% systemctl start memfd-bind@/usr/bin/runc
|
% systemctl start memfd-bind@$(systemd-escape -p /usr/bin/runc)
|
||||||
```
|
```
|
||||||
|
|
||||||
Thus, there are three ways of protecting against CVE-2019-5736, in order of how
|
Thus, there are three ways of protecting against CVE-2019-5736, in order of how
|
||||||
|
|||||||
@@ -1,11 +1,11 @@
|
|||||||
[Unit]
|
[Unit]
|
||||||
Description=Manage memfd-bind of %I
|
Description=Manage memfd-bind of %f
|
||||||
Documentation=https://github.com/opencontainers/runc
|
Documentation=https://github.com/opencontainers/runc
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=simple
|
Type=simple
|
||||||
ExecStart=memfd-bind "%I"
|
ExecStart=memfd-bind "%f"
|
||||||
ExecStop=memfd-bind --cleanup "%I"
|
ExecStop=memfd-bind --cleanup "%f"
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|||||||
Reference in New Issue
Block a user