feat: systemd unit acties via podman-helper Unix socket
start/stop/restart van systemd units gaan nu via de host-helper
(/run/podman-helper.sock) in plaats van directe systemctl subprocess
vanuit de container. Hiermee wordt de user namespace isolatie omzeild
die D-Bus calls vanuit de container onbetrouwbaar maakt.
- common.py: _helper_call(action, unit) toegevoegd
- app_system.py: /{action}/{unit} route gebruikt helper voor start/stop/restart
- app_containers.py: container_action() gebruikt helper
- daemon-reload en is-active blijven subprocess (read-only, werkt al)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,7 +1,35 @@
|
||||
import json
|
||||
import socket
|
||||
import subprocess
|
||||
|
||||
from fastapi import HTTPException
|
||||
|
||||
HELPER_SOCKET = "/run/podman-helper.sock"
|
||||
|
||||
|
||||
def _helper_call(action: str, unit: str) -> tuple[int, str]:
|
||||
"""Stuur start/stop/restart naar de host-helper via Unix socket.
|
||||
Returntype identiek aan run(): (returncode, output)."""
|
||||
payload = json.dumps({"action": action, "unit": unit}).encode()
|
||||
try:
|
||||
with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
|
||||
s.settimeout(35)
|
||||
s.connect(HELPER_SOCKET)
|
||||
s.sendall(payload)
|
||||
s.shutdown(socket.SHUT_WR)
|
||||
data = b""
|
||||
while True:
|
||||
chunk = s.recv(4096)
|
||||
if not chunk:
|
||||
break
|
||||
data += chunk
|
||||
resp = json.loads(data.decode())
|
||||
if resp.get("ok"):
|
||||
return 0, resp.get("output", "")
|
||||
return 1, resp.get("error", "mislukt")
|
||||
except Exception as e:
|
||||
return 1, f"helper niet bereikbaar: {e}"
|
||||
|
||||
|
||||
def run(cmd):
|
||||
try:
|
||||
|
||||
Reference in New Issue
Block a user