From 45d2baa5a4ea09c9e44ebd9822c4b52c2f76fbab Mon Sep 17 00:00:00 2001
From: "Enrico Weigelt, metux IT consult"
Date: Thu, 27 May 2021 11:40:46 +0200
Subject: [PATCH] make systemd and its dependencies optional via 'no_systemd' build tag

Running under systemd requires lots of special code that contributes to ca. 10 percent (ca. 1 MB) to the binary size. This is only needed on targets that might run systemd - there're dozens of distros, let alone embedded/edge devices or special images (eg. cluster worker nodes) that do not and never will run systemd, thus do not need that code at all. It's not just about reducing memory consumption, but also having over 10.000 lines of code less to audit. In order not to change default behaviour, introducing an inverse build tag, 'no_systemd', for explicitly opting out from systemd special handlings.

Signed-off-by: Enrico Weigelt, metux IT consult
---
README.md | 7 ++++---
rootless_linux.go | 3 +--
utils_linux.go | 9 +--------
utils_linux_nosystemd.go | 16 ++++++++++++++++
utils_linux_systemd.go | 22 ++++++++++++++++++++++
5 files changed, 44 insertions(+), 13 deletions(-)
create mode 100644 utils_linux_nosystemd.go
create mode 100644 utils_linux_systemd.go

diff --git a/README.md b/README.md
index b209c7dcd55..893f66acf2e 100644
--- a/README.md
+++ b/README.md
@@ -65,9 +65,10 @@ e.g. to disable seccomp:
 make BUILDTAGS=""
 ```
 
-| Build Tag | Feature | Enabled by default | Dependency |
-|-----------|------------------------------------|--------------------|------------|
-| seccomp | Syscall filtering | yes | libseccomp |
+| Build Tag | Feature | Enabled by default | Dependency |
+|------------|------------------------------------|--------------------|------------|
+| seccomp | Syscall filtering | yes | libseccomp |
+| no_systemd | disable systemd dependencies | no | systemd |
 
 The following build tags were used earlier, but are now obsoleted:
 - **nokmem** (since runc v1.0.0-rc94 kernel memory settings are ignored)
diff --git a/rootless_linux.go b/rootless_linux.go
index a1f54858635..128a979bc02 100644
--- a/rootless_linux.go
+++ b/rootless_linux.go
@@ -3,7 +3,6 @@ package main
 import (
 "os"
 
-"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
 "github.com/opencontainers/runc/libcontainer/userns"
 "github.com/sirupsen/logrus"
 "github.com/urfave/cli"
@@ -37,7 +36,7 @@ func shouldUseRootlessCgroupManager(context *cli.Context) (bool, error) {
 // On error, we assume we are root. An error may happen during shelling out to `busctl` CLI,
 // mostly when $DBUS_SESSION_BUS_ADDRESS is unset.
 if context.GlobalBool("systemd-cgroup") {
-ownerUID, err := systemd.DetectUID()
+ownerUID, err := sdDetectUID()
 if err != nil {
 logrus.WithError(err).Debug("failed to get the OwnerUID value, assuming the value to be 0")
 ownerUID = 0
diff --git a/utils_linux.go b/utils_linux.go
index 0f787cb3387..a02d8732b73 100644
--- a/utils_linux.go
+++ b/utils_linux.go
@@ -8,7 +8,6 @@ import (
 "path/filepath"
 "strconv"
 
-"github.com/coreos/go-systemd/v22/activation"
 "github.com/opencontainers/runtime-spec/specs-go"
 selinux "github.com/opencontainers/selinux/go-selinux"
 "github.com/sirupsen/logrus"
@@ -372,17 +371,11 @@ func startContainer(context *cli.Context, action CtAct, criuOpts *libcontainer.C
 }
 }
 
-// Support on-demand socket activation by passing file descriptors into the container init process.
-listenFDs := []*os.File{}
-if os.Getenv("LISTEN_FDS") != "" {
-listenFDs = activation.Files(false)
-}
-
 r := &runner{
 enableSubreaper: !context.Bool("no-subreaper"),
 shouldDestroy: !context.Bool("keep"),
 container: container,
-listenFDs: listenFDs,
+listenFDs: sdGetListenFDs(),
 notifySocket: notifySocket,
 consoleSocket: context.String("console-socket"),
 detach: context.Bool("detach"),
diff --git a/utils_linux_nosystemd.go b/utils_linux_nosystemd.go
new file mode 100644
index 00000000000..bc0b1e0653f
--- /dev/null
+++ b/utils_linux_nosystemd.go
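Review bot: In the second rootless_linux.go hunk, `--systemd-cgroup` is still accepted under the `no_systemd` tag but `sdDetectUID()` can never succeed there, so the existing fallback (`ownerUID = 0`, logged only at Debug) silently treats every such invocation as root instead of telling the user that systemd support was compiled out. The stub's error should be distinguishable from a transient `busctl` failure so this site can fail fast, e.g. a sentinel `var errNoSystemd = errors.New("built without systemd support (no_systemd build tag)")` (declared in a file both build variants compile) and, before the debug-and-continue path here, `if errors.Is(err, errNoSystemd) { return false, err }`, importing `errors` in rootless_linux.go if it is not already. Whether the flag is rejected earlier in option parsing is not visible in this patch. shouldUseRootlessCgroupManager begins and ends outside the hunk.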
@@ -0,0 +1,16 @@
+// +build linux,no_systemd
+
+package main
+
+import (
+"errors"
+"os"
+)
+
+func sdGetListenFDs() ([]*os.File) {
+return nil
+}
+
+func sdDetectUID() (int, error) {
+return -1, errors.New("no lennartix")
+}
diff --git a/utils_linux_systemd.go b/utils_linux_systemd.go
new file mode 100644
index 00000000000..829d6695569
--- /dev/null
+++ b/utils_linux_systemd.go
@@ -0,0 +1,22 @@
+// +build linux,!no_systemd
+
+package main
+
+import (
+"os"
+"github.com/coreos/go-systemd/v22/activation"
+"github.com/opencontainers/runc/libcontainer/cgroups/systemd"
+)
+
+func sdGetListenFDs() []*os.File {
+// Support on-demand socket activation by passing file descriptors into the container init process.
+listenFDs := []*os.File{}
+if os.Getenv("LISTEN_FDS") != "" {
+listenFDs = activation.Files(false)
+}
+return listenFDs
+}
+
+func sdDetectUID() (int, error) {
+return systemd.DetectUID()
+}
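Review bot: The `no_systemd` stub `sdGetListenFDs` returns a nil slice, whereas the code it replaces in utils_linux.go (`listenFDs: sdGetListenFDs()`) always received a non-nil `[]*os.File{}`; whether `runner` distinguishes nil from empty is not visible here, so either `return []*os.File{}` to preserve the old value exactly or confirm the consumer only uses `len()`/`range`. The error text `"no lennartix"` tells an operator nothing about the cause; prefer `return -1, errors.New("built without systemd support (no_systemd build tag)")`. The parentheses in `func sdGetListenFDs() ([]*os.File)` are redundant and gofmt would drop them. Both functions lack doc comments, e.g. `// sdGetListenFDs returns socket-activation file descriptors; always empty when built with the no_systemd tag.` and `// sdDetectUID always fails: systemd support was compiled out with the no_systemd tag.`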
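Review bot: The import block in utils_linux_systemd.go puts the stdlib `"os"` and the two third-party paths in one group with no blank-line separation, so the first `goimports` run will reshuffle it; insert a blank line after `"os"`. Both functions are undocumented, and since they are the seam every build variant must satisfy, a doc comment stating the contract helps the stub stay in sync, e.g. `// sdGetListenFDs returns the file descriptors handed over by systemd socket activation when LISTEN_FDS is set, otherwise an empty slice.` and `// sdDetectUID returns the session owner UID as reported by systemd.DetectUID.`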