container

#!/usr/bin/env ruby

require 'bundler/setup'
require 'childprocess'

require_relative 'lib_c'

HOSTNAME = 'container'.freeze

def must(exit_code)
  unless exit_code == 0
    $stderr.puts caller
    abort "exit code: #{exit_code}; errno: #{Fiddle.last_error}"
  end
end

def cg
  cgroups = Pathname.new('/sys/fs/cgroup/')
  pids = cgroups.join('pids')
  FileUtils.mkdir_p(pids.join('james'), mode: 0755)
  File.write(pids.join('james/pids.max'), '20', perm: 0700)
  # Removes the new cgroup in place after the container exits
  File.write(pids.join('james/notify_on_release'), '1', perm: 0700)
  File.write(pids.join('james/cgroup.procs'), Process.pid.to_s, perm: 0700)
end

def run(*args)
  puts "run: Running #{args.inspect} as PID #{Process.pid}"

  process = ChildProcess.build(__FILE__, 'child', *args)
  process.io.inherit!
  process.start
  process.wait

  abort "run: exit code #{process.exit_code}" unless process.exit_code == 0
end

def child(*args)
  puts "child: Running #{args.inspect} as PID #{Process.pid}"

  must(LibC.unshare(LibC::CLONE_NEWUTS | LibC::CLONE_NEWPID | LibC::CLONE_NEWNS))
  must(LibC.sethostname(HOSTNAME, HOSTNAME.length))

  process = ChildProcess.build(__FILE__, 'grandchild', *args)
  process.io.inherit!
  process.start
  process.wait

  abort "child: exit code #{process.exit_code}" unless process.exit_code == 0
end

def grandchild(*args)
  puts "grandchild: Running #{args.inspect} as PID #{Process.pid}"

  cg

  must(LibC.mount('none', '/', Fiddle::NULL, LibC::MS_REC | LibC::MS_PRIVATE, Fiddle::NULL))
  Dir.chroot('/home/ubuntu/ubuntufs')
  must(LibC.mount('proc', '/proc', 'proc', 0, Fiddle::NULL))

  begin
    process = ChildProcess.build(*args)
    process.io.inherit!
    process.cwd = '/'
    process.start
    process.wait

    abort "grandchild: exit code #{process.exit_code}" unless process.exit_code == 0
  ensure
    must(LibC.umount('/proc'))
  end
end

args = ARGV
type = args.shift
case type
when 'run'
  run(*args)
when 'child'
  child(*args)
when 'grandchild'
  grandchild(*args)
else
  abort "Unknown type: #{type}"
end