util: detect systemd-nspawn without relying on ns cgroup tree
authorLennart Poettering <lennart@poettering.net>
Fri, 23 Sep 2011 02:38:39 +0000 (04:38 +0200)
committerLennart Poettering <lennart@poettering.net>
Fri, 23 Sep 2011 14:28:27 +0000 (16:28 +0200)
man/systemd.unit.xml
src/detect-virt.c
src/util.c

index f4764f95579960208ff3f165ef3b709fa3223a55..9066e66cc2d6c5d908fb76526e961b39eb828ea8 100644 (file)
                                 whether it is a specific
                                 implementation. Takes either boolean
                                 value to check if being executed in
-                                any virtual environment or one of the
+                                any virtual environment or one of
                                 <varname>qemu</varname>,
                                 <varname>kvm</varname>,
                                 <varname>vmware</varname>,
                                 <varname>microsoft</varname>,
                                 <varname>oracle</varname>,
                                 <varname>xen</varname>,
-                                <varname>pidns</varname>,
-                                <varname>openvz</varname> to test
-                                against a specific implementation. The
-                                test may be negated by prepending an
-                                exclamation mark.
+                                <varname>openvz</varname>,
+                                <varname>lxc</varname>,
+                                <varname>systemd-nspawn</varname>,
+                                <varname>pidns</varname> to test
+                                against a specific implementation. If
+                                multiple virtualization technologies
+                                are nested only the innermost is
+                                considered. The test may be negated by
+                                prepending an exclamation mark.
                                 <varname>ConditionSecurity=</varname>
                                 may be used to check whether the given
                                 security module is enabled on the
                                 pipe symbol must be passed first, the
                                 exclamation second. Except for
                                 <varname>ConditionPathIsSymbolicLink=</varname>,
-                                all path checks follow symlinks.</para></listitem>
+                                all path checks follow
+                                symlinks.</para></listitem>
                         </varlistentry>
 
                         <varlistentry>
index 57f0176668d0b07d15ce26d3f944cd5d2422fcf3..324f182c7e5cae3fd36355b4a93d664892b7c5f3 100644 (file)
@@ -34,7 +34,8 @@ int main(int argc, char *argv[]) {
          * to detect whether we are being run in a virtualized
          * environment or not */
 
-        if ((r = detect_virtualization(&id)) < 0) {
+        r = detect_virtualization(&id);
+        if (r < 0) {
                 log_error("Failed to check for virtualization: %s", strerror(-r));
                 return EXIT_FAILURE;
         }
index 36c8938c2f7d932f26ef0344aa6eabad97a655db..33b6fd48098da4626791be19a91ba1b448fec49e 100644 (file)
@@ -4384,7 +4384,7 @@ int detect_vm(const char **id) {
 
         if (hypervisor) {
                 if (id)
-                        *id = "other";
+                        *id = "other-vm";
 
                 return 1;
         }
@@ -4421,7 +4421,51 @@ int detect_container(const char **id) {
                 return 1;
         }
 
-        if ((f = fopen("/proc/self/cgroup", "re"))) {
+        f = fopen("/proc/1/environ", "re");
+        if (f) {
+                bool done = false;
+
+                do {
+                        char line[LINE_MAX];
+                        unsigned i;
+
+                        for (i = 0; i < sizeof(line)-1; i++) {
+                                int c;
+
+                                c = getc(f);
+                                if (_unlikely_(c == EOF)) {
+                                        done = true;
+                                        break;
+                                } else if (c == 0)
+                                        break;
+
+                                line[i] = c;
+                        }
+                        line[i] = 0;
+
+                        if (streq(line, "container=lxc")) {
+                                fclose(f);
+                                *id = "lxc";
+                                return 1;
+
+                        } else if (streq(line, "container=systemd-nspawn")) {
+                                fclose(f);
+                                *id = "systemd-nspawn";
+                                return 1;
+
+                        } else if (startswith(line, "container=")) {
+                                fclose(f);
+                                *id = "other-container";
+                                return 1;
+                        }
+
+                } while (!done);
+
+                fclose(f);
+        }
+
+        f = fopen("/proc/self/cgroup", "re");
+        if (f) {
 
                 for (;;) {
                         char line[LINE_MAX], *p;
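Review bot: The three new `container=` branches write `*id` unconditionally, whereas detect_vm() in the same file guards its write with `if (id)` (visible in the preceding hunk), so a caller that passes NULL just to get the yes/no answer would dereference a null pointer as soon as PID 1 carries a `container=` variable. Each assignment should be guarded, e.g. `if (id) *id = "lxc";`, and likewise for `"systemd-nspawn"` and `"other-container"`. A second point in the same read loop: an environment entry longer than `sizeof(line)-1` bytes is cut at the buffer boundary and its remainder is then compared as if it were a fresh entry, so the tail of a long unrelated variable could match `container=...`; after a full buffer the loop should discard input up to the next NUL before comparing again. detect_container() starts and ends outside this hunk, so whether earlier code in the function already assumes a non-NULL `id` cannot be seen from here.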
@@ -4429,7 +4473,8 @@ int detect_container(const char **id) {
                         if (!fgets(line, sizeof(line), f))
                                 break;
 
-                        if (!(p = strchr(strstrip(line), ':')))
+                        p = strchr(strstrip(line), ':');
+                        if (!p)
                                 continue;
 
                         if (strncmp(p, ":ns:", 4))