1 /* SPDX-License-Identifier: LGPL-2.1+ */
10 #include <linux/loop.h>
14 #include <selinux/selinux.h>
21 #include <sys/personality.h>
22 #include <sys/prctl.h>
23 #include <sys/types.h>
28 #include "sd-daemon.h"
31 #include "alloc-util.h"
33 #include "base-filesystem.h"
34 #include "blkid-util.h"
35 #include "btrfs-util.h"
36 #include "bus-error.h"
39 #include "capability-util.h"
40 #include "cgroup-util.h"
42 #include "cpu-set-util.h"
43 #include "dev-setup.h"
44 #include "dissect-image.h"
49 #include "format-util.h"
52 #include "hexdecoct.h"
53 #include "hostname-util.h"
54 #include "id128-util.h"
56 #include "loop-util.h"
57 #include "loopback-setup.h"
58 #include "machine-image.h"
60 #include "main-func.h"
63 #include "mount-util.h"
64 #include "mountpoint-util.h"
65 #include "namespace-util.h"
66 #include "netlink-util.h"
67 #include "nspawn-cgroup.h"
68 #include "nspawn-def.h"
69 #include "nspawn-expose-ports.h"
70 #include "nspawn-mount.h"
71 #include "nspawn-network.h"
72 #include "nspawn-oci.h"
73 #include "nspawn-patch-uid.h"
74 #include "nspawn-register.h"
75 #include "nspawn-seccomp.h"
76 #include "nspawn-settings.h"
77 #include "nspawn-setuid.h"
78 #include "nspawn-stub-pid1.h"
79 #include "nulstr-util.h"
82 #include "parse-util.h"
83 #include "path-util.h"
84 #include "pretty-print.h"
85 #include "process-util.h"
87 #include "random-util.h"
88 #include "raw-clone.h"
89 #include "rlimit-util.h"
92 #include "seccomp-util.h"
94 #include "selinux-util.h"
95 #include "signal-util.h"
96 #include "socket-util.h"
97 #include "stat-util.h"
98 #include "stdio-util.h"
99 #include "string-table.h"
100 #include "string-util.h"
102 #include "sysctl-util.h"
103 #include "terminal-util.h"
104 #include "tmpfile-util.h"
105 #include "umask-util.h"
106 #include "user-util.h"
110 #define STATIC_RESOLV_CONF "/lib/systemd/resolv.conf"
112 #define STATIC_RESOLV_CONF "/usr/lib/systemd/resolv.conf"
115 /* nspawn is listening on the socket at the path in the constant nspawn_notify_socket_path
116 * nspawn_notify_socket_path is relative to the container
117 * the init process in the container pid can send messages to nspawn following the sd_notify(3) protocol */
118 #define NSPAWN_NOTIFY_SOCKET_PATH "/run/systemd/nspawn/notify"
120 #define EXIT_FORCE_RESTART 133
122 typedef enum ContainerStatus
{
123 CONTAINER_TERMINATED
,
127 static char *arg_directory
= NULL
;
128 static char *arg_template
= NULL
;
129 static char *arg_chdir
= NULL
;
130 static char *arg_pivot_root_new
= NULL
;
131 static char *arg_pivot_root_old
= NULL
;
132 static char *arg_user
= NULL
;
133 static uid_t arg_uid
= UID_INVALID
;
134 static gid_t arg_gid
= GID_INVALID
;
135 static gid_t
* arg_supplementary_gids
= NULL
;
136 static size_t arg_n_supplementary_gids
= 0;
137 static sd_id128_t arg_uuid
= {};
138 static char *arg_machine
= NULL
; /* The name used by the host to refer to this */
139 static char *arg_hostname
= NULL
; /* The name the payload sees by default */
140 static const char *arg_selinux_context
= NULL
;
141 static const char *arg_selinux_apifs_context
= NULL
;
142 static char *arg_slice
= NULL
;
143 static bool arg_private_network
= false;
144 static bool arg_read_only
= false;
145 static StartMode arg_start_mode
= START_PID1
;
146 static bool arg_ephemeral
= false;
147 static LinkJournal arg_link_journal
= LINK_AUTO
;
148 static bool arg_link_journal_try
= false;
149 static uint64_t arg_caps_retain
=
150 (1ULL << CAP_AUDIT_CONTROL
) |
151 (1ULL << CAP_AUDIT_WRITE
) |
152 (1ULL << CAP_CHOWN
) |
153 (1ULL << CAP_DAC_OVERRIDE
) |
154 (1ULL << CAP_DAC_READ_SEARCH
) |
155 (1ULL << CAP_FOWNER
) |
156 (1ULL << CAP_FSETID
) |
157 (1ULL << CAP_IPC_OWNER
) |
159 (1ULL << CAP_LEASE
) |
160 (1ULL << CAP_LINUX_IMMUTABLE
) |
161 (1ULL << CAP_MKNOD
) |
162 (1ULL << CAP_NET_BIND_SERVICE
) |
163 (1ULL << CAP_NET_BROADCAST
) |
164 (1ULL << CAP_NET_RAW
) |
165 (1ULL << CAP_SETFCAP
) |
166 (1ULL << CAP_SETGID
) |
167 (1ULL << CAP_SETPCAP
) |
168 (1ULL << CAP_SETUID
) |
169 (1ULL << CAP_SYS_ADMIN
) |
170 (1ULL << CAP_SYS_BOOT
) |
171 (1ULL << CAP_SYS_CHROOT
) |
172 (1ULL << CAP_SYS_NICE
) |
173 (1ULL << CAP_SYS_PTRACE
) |
174 (1ULL << CAP_SYS_RESOURCE
) |
175 (1ULL << CAP_SYS_TTY_CONFIG
);
176 static CapabilityQuintet arg_full_capabilities
= CAPABILITY_QUINTET_NULL
;
177 static CustomMount
*arg_custom_mounts
= NULL
;
178 static size_t arg_n_custom_mounts
= 0;
179 static char **arg_setenv
= NULL
;
180 static bool arg_quiet
= false;
181 static bool arg_register
= true;
182 static bool arg_keep_unit
= false;
183 static char **arg_network_interfaces
= NULL
;
184 static char **arg_network_macvlan
= NULL
;
185 static char **arg_network_ipvlan
= NULL
;
186 static bool arg_network_veth
= false;
187 static char **arg_network_veth_extra
= NULL
;
188 static char *arg_network_bridge
= NULL
;
189 static char *arg_network_zone
= NULL
;
190 static char *arg_network_namespace_path
= NULL
;
191 static PagerFlags arg_pager_flags
= 0;
192 static unsigned long arg_personality
= PERSONALITY_INVALID
;
193 static char *arg_image
= NULL
;
194 static char *arg_oci_bundle
= NULL
;
195 static VolatileMode arg_volatile_mode
= VOLATILE_NO
;
196 static ExposePort
*arg_expose_ports
= NULL
;
197 static char **arg_property
= NULL
;
198 static sd_bus_message
*arg_property_message
= NULL
;
199 static UserNamespaceMode arg_userns_mode
= USER_NAMESPACE_NO
;
200 static uid_t arg_uid_shift
= UID_INVALID
, arg_uid_range
= 0x10000U
;
201 static bool arg_userns_chown
= false;
202 static int arg_kill_signal
= 0;
203 static CGroupUnified arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_UNKNOWN
;
204 static SettingsMask arg_settings_mask
= 0;
205 static int arg_settings_trusted
= -1;
206 static char **arg_parameters
= NULL
;
207 static const char *arg_container_service_name
= "systemd-nspawn";
208 static bool arg_notify_ready
= false;
209 static bool arg_use_cgns
= true;
210 static unsigned long arg_clone_ns_flags
= CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
;
211 static MountSettingsMask arg_mount_settings
= MOUNT_APPLY_APIVFS_RO
|MOUNT_APPLY_TMPFS_TMP
;
212 static void *arg_root_hash
= NULL
;
213 static size_t arg_root_hash_size
= 0;
214 static char **arg_syscall_whitelist
= NULL
;
215 static char **arg_syscall_blacklist
= NULL
;
217 static scmp_filter_ctx arg_seccomp
= NULL
;
219 static struct rlimit
*arg_rlimit
[_RLIMIT_MAX
] = {};
220 static bool arg_no_new_privileges
= false;
221 static int arg_oom_score_adjust
= 0;
222 static bool arg_oom_score_adjust_set
= false;
223 static cpu_set_t
*arg_cpuset
= NULL
;
224 static unsigned arg_cpuset_ncpus
= 0;
225 static ResolvConfMode arg_resolv_conf
= RESOLV_CONF_AUTO
;
226 static TimezoneMode arg_timezone
= TIMEZONE_AUTO
;
227 static unsigned arg_console_width
= (unsigned) -1, arg_console_height
= (unsigned) -1;
228 static DeviceNode
* arg_extra_nodes
= NULL
;
229 static size_t arg_n_extra_nodes
= 0;
230 static char **arg_sysctl
= NULL
;
231 static ConsoleMode arg_console_mode
= _CONSOLE_MODE_INVALID
;
233 STATIC_DESTRUCTOR_REGISTER(arg_directory
, freep
);
234 STATIC_DESTRUCTOR_REGISTER(arg_template
, freep
);
235 STATIC_DESTRUCTOR_REGISTER(arg_chdir
, freep
);
236 STATIC_DESTRUCTOR_REGISTER(arg_pivot_root_new
, freep
);
237 STATIC_DESTRUCTOR_REGISTER(arg_pivot_root_old
, freep
);
238 STATIC_DESTRUCTOR_REGISTER(arg_user
, freep
);
239 STATIC_DESTRUCTOR_REGISTER(arg_supplementary_gids
, freep
);
240 STATIC_DESTRUCTOR_REGISTER(arg_machine
, freep
);
241 STATIC_DESTRUCTOR_REGISTER(arg_hostname
, freep
);
242 STATIC_DESTRUCTOR_REGISTER(arg_slice
, freep
);
243 STATIC_DESTRUCTOR_REGISTER(arg_setenv
, strv_freep
);
244 STATIC_DESTRUCTOR_REGISTER(arg_network_interfaces
, strv_freep
);
245 STATIC_DESTRUCTOR_REGISTER(arg_network_macvlan
, strv_freep
);
246 STATIC_DESTRUCTOR_REGISTER(arg_network_ipvlan
, strv_freep
);
247 STATIC_DESTRUCTOR_REGISTER(arg_network_veth_extra
, strv_freep
);
248 STATIC_DESTRUCTOR_REGISTER(arg_network_bridge
, freep
);
249 STATIC_DESTRUCTOR_REGISTER(arg_network_zone
, freep
);
250 STATIC_DESTRUCTOR_REGISTER(arg_network_namespace_path
, freep
);
251 STATIC_DESTRUCTOR_REGISTER(arg_image
, freep
);
252 STATIC_DESTRUCTOR_REGISTER(arg_oci_bundle
, freep
);
253 STATIC_DESTRUCTOR_REGISTER(arg_property
, strv_freep
);
254 STATIC_DESTRUCTOR_REGISTER(arg_property_message
, sd_bus_message_unrefp
);
255 STATIC_DESTRUCTOR_REGISTER(arg_parameters
, strv_freep
);
256 STATIC_DESTRUCTOR_REGISTER(arg_root_hash
, freep
);
257 STATIC_DESTRUCTOR_REGISTER(arg_syscall_whitelist
, strv_freep
);
258 STATIC_DESTRUCTOR_REGISTER(arg_syscall_blacklist
, strv_freep
);
260 STATIC_DESTRUCTOR_REGISTER(arg_seccomp
, seccomp_releasep
);
262 STATIC_DESTRUCTOR_REGISTER(arg_cpuset
, CPU_FREEp
);
263 STATIC_DESTRUCTOR_REGISTER(arg_sysctl
, strv_freep
);
265 static int help(void) {
266 _cleanup_free_
char *link
= NULL
;
269 (void) pager_open(arg_pager_flags
);
271 r
= terminal_urlify_man("systemd-nspawn", "1", &link
);
275 printf("%1$s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
276 "Spawn a command or OS in a light-weight container.\n\n"
277 " -h --help Show this help\n"
278 " --version Print version string\n"
279 " -q --quiet Do not show status information\n"
280 " --no-pager Do not pipe output into a pager\n"
281 " --settings=BOOLEAN Load additional settings from .nspawn file\n\n"
283 " -D --directory=PATH Root directory for the container\n"
284 " --template=PATH Initialize root directory from template directory,\n"
286 " -x --ephemeral Run container with snapshot of root directory, and\n"
287 " remove it after exit\n"
288 " -i --image=PATH Root file system disk image (or device node) for\n"
290 " --oci-bundle=PATH OCI bundle directory\n"
291 " --read-only Mount the root directory read-only\n"
292 " --volatile[=MODE] Run the system in volatile mode\n"
293 " --root-hash=HASH Specify verity root hash for root disk image\n"
294 " --pivot-root=PATH[:PATH]\n"
295 " Pivot root to given directory in the container\n\n"
296 "%3$sExecution:%4$s\n"
297 " -a --as-pid2 Maintain a stub init as PID1, invoke binary as PID2\n"
298 " -b --boot Boot up full system (i.e. invoke init)\n"
299 " --chdir=PATH Set working directory in the container\n"
300 " -E --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
301 " -u --user=USER Run the command under specified user or UID\n"
302 " --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
303 " --notify-ready=BOOLEAN Receive notifications from the child init process\n\n"
304 "%3$sSystem Identity:%4$s\n"
305 " -M --machine=NAME Set the machine name for the container\n"
306 " --hostname=NAME Override the hostname for the container\n"
307 " --uuid=UUID Set a specific machine UUID for the container\n\n"
308 "%3$sProperties:%4$s\n"
309 " -S --slice=SLICE Place the container in the specified slice\n"
310 " --property=NAME=VALUE Set scope unit property\n"
311 " --register=BOOLEAN Register container as machine\n"
312 " --keep-unit Do not register a scope for the machine, reuse\n"
313 " the service unit nspawn is running in\n\n"
314 "%3$sUser Namespacing:%4$s\n"
315 " -U --private-users=pick Run within user namespace, autoselect UID/GID range\n"
316 " --private-users[=UIDBASE[:NUIDS]]\n"
317 " Similar, but with user configured UID/GID range\n"
318 " --private-users-chown Adjust OS tree ownership to private UID/GID range\n\n"
319 "%3$sNetworking:%4$s\n"
320 " --private-network Disable network in container\n"
321 " --network-interface=INTERFACE\n"
322 " Assign an existing network interface to the\n"
324 " --network-macvlan=INTERFACE\n"
325 " Create a macvlan network interface based on an\n"
326 " existing network interface to the container\n"
327 " --network-ipvlan=INTERFACE\n"
328 " Create a ipvlan network interface based on an\n"
329 " existing network interface to the container\n"
330 " -n --network-veth Add a virtual Ethernet connection between host\n"
332 " --network-veth-extra=HOSTIF[:CONTAINERIF]\n"
333 " Add an additional virtual Ethernet link between\n"
334 " host and container\n"
335 " --network-bridge=INTERFACE\n"
336 " Add a virtual Ethernet connection to the container\n"
337 " and attach it to an existing bridge on the host\n"
338 " --network-zone=NAME Similar, but attach the new interface to an\n"
339 " an automatically managed bridge interface\n"
340 " --network-namespace-path=PATH\n"
341 " Set network namespace to the one represented by\n"
342 " the specified kernel namespace file node\n"
343 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
344 " Expose a container IP port on the host\n\n"
345 "%3$sSecurity:%4$s\n"
346 " --capability=CAP In addition to the default, retain specified\n"
348 " --drop-capability=CAP Drop the specified capability from the default set\n"
349 " --no-new-privileges Set PR_SET_NO_NEW_PRIVS flag for container payload\n"
350 " --system-call-filter=LIST|~LIST\n"
351 " Permit/prohibit specific system calls\n"
352 " -Z --selinux-context=SECLABEL\n"
353 " Set the SELinux security context to be used by\n"
354 " processes in the container\n"
355 " -L --selinux-apifs-context=SECLABEL\n"
356 " Set the SELinux security context to be used by\n"
357 " API/tmpfs file systems in the container\n\n"
358 "%3$sResources:%4$s\n"
359 " --rlimit=NAME=LIMIT Set a resource limit for the payload\n"
360 " --oom-score-adjust=VALUE\n"
361 " Adjust the OOM score value for the payload\n"
362 " --cpu-affinity=CPUS Adjust the CPU affinity of the container\n"
363 " --personality=ARCH Pick personality for this container\n\n"
364 "%3$sIntegration:%4$s\n"
365 " --resolv-conf=MODE Select mode of /etc/resolv.conf initialization\n"
366 " --timezone=MODE Select mode of /etc/localtime initialization\n"
367 " --link-journal=MODE Link up guest journal, one of no, auto, guest, \n"
368 " host, try-guest, try-host\n"
369 " -j Equivalent to --link-journal=try-guest\n\n"
371 " --bind=PATH[:PATH[:OPTIONS]]\n"
372 " Bind mount a file or directory from the host into\n"
374 " --bind-ro=PATH[:PATH[:OPTIONS]\n"
375 " Similar, but creates a read-only bind mount\n"
376 " --inaccessible=PATH Over-mount file node with inaccessible node to mask\n"
378 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
379 " --overlay=PATH[:PATH...]:PATH\n"
380 " Create an overlay mount from the host to \n"
382 " --overlay-ro=PATH[:PATH...]:PATH\n"
383 " Similar, but creates a read-only overlay mount\n\n"
384 "%3$sInput/Output:%4$s\n"
385 " --console=MODE Select how stdin/stdout/stderr and /dev/console are\n"
386 " set up for the container.\n"
387 " -P --pipe Equivalent to --console=pipe\n"
388 "\nSee the %2$s for details.\n"
389 , program_invocation_short_name
391 , ansi_underline(), ansi_normal());
396 static int custom_mount_check_all(void) {
399 for (i
= 0; i
< arg_n_custom_mounts
; i
++) {
400 CustomMount
*m
= &arg_custom_mounts
[i
];
402 if (path_equal(m
->destination
, "/") && arg_userns_mode
!= USER_NAMESPACE_NO
) {
403 if (arg_userns_chown
)
404 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
405 "--private-users-chown may not be combined with custom root mounts.");
406 else if (arg_uid_shift
== UID_INVALID
)
407 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
408 "--private-users with automatic UID shift may not be combined with custom root mounts.");
415 static int detect_unified_cgroup_hierarchy_from_environment(void) {
419 /* Allow the user to control whether the unified hierarchy is used */
420 e
= getenv("UNIFIED_CGROUP_HIERARCHY");
422 r
= parse_boolean(e
);
424 return log_error_errno(r
, "Failed to parse $UNIFIED_CGROUP_HIERARCHY.");
426 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_ALL
;
428 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
434 static int detect_unified_cgroup_hierarchy_from_image(const char *directory
) {
437 /* Let's inherit the mode to use from the host system, but let's take into consideration what systemd in the
438 * image actually supports. */
439 r
= cg_all_unified();
441 return log_error_errno(r
, "Failed to determine whether we are in all unified mode.");
443 /* Unified cgroup hierarchy support was added in 230. Unfortunately the detection
444 * routine only detects 231, so we'll have a false negative here for 230. */
445 r
= systemd_installation_has_version(directory
, 230);
447 return log_error_errno(r
, "Failed to determine systemd version in container: %m");
449 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_ALL
;
451 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
452 } else if (cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER
) > 0) {
453 /* Mixed cgroup hierarchy support was added in 233 */
454 r
= systemd_installation_has_version(directory
, 233);
456 return log_error_errno(r
, "Failed to determine systemd version in container: %m");
458 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_SYSTEMD
;
460 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
462 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
464 log_debug("Using %s hierarchy for container.",
465 arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_NONE
? "legacy" :
466 arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_SYSTEMD
? "hybrid" : "unified");
471 static void parse_share_ns_env(const char *name
, unsigned long ns_flag
) {
474 r
= getenv_bool(name
);
478 log_warning_errno(r
, "Failed to parse %s from environment, defaulting to false.", name
);
480 arg_clone_ns_flags
= (arg_clone_ns_flags
& ~ns_flag
) | (r
> 0 ? 0 : ns_flag
);
481 arg_settings_mask
|= SETTING_CLONE_NS_FLAGS
;
484 static void parse_mount_settings_env(void) {
488 r
= getenv_bool("SYSTEMD_NSPAWN_TMPFS_TMP");
490 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_TMPFS_TMP
, r
> 0);
491 else if (r
!= -ENXIO
)
492 log_warning_errno(r
, "Failed to parse $SYSTEMD_NSPAWN_TMPFS_TMP, ignoring: %m");
494 e
= getenv("SYSTEMD_NSPAWN_API_VFS_WRITABLE");
498 if (streq(e
, "network")) {
499 arg_mount_settings
|= MOUNT_APPLY_APIVFS_RO
|MOUNT_APPLY_APIVFS_NETNS
;
503 r
= parse_boolean(e
);
505 log_warning_errno(r
, "Failed to parse SYSTEMD_NSPAWN_API_VFS_WRITABLE from environment, ignoring.");
509 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_APIVFS_RO
, r
== 0);
510 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_APIVFS_NETNS
, false);
513 static void parse_environment(void) {
517 parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_IPC", CLONE_NEWIPC
);
518 parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_PID", CLONE_NEWPID
);
519 parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_UTS", CLONE_NEWUTS
);
520 parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_SYSTEM", CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
);
522 parse_mount_settings_env();
524 /* SYSTEMD_NSPAWN_USE_CGNS=0 can be used to disable CLONE_NEWCGROUP use,
525 * even if it is supported. If not supported, it has no effect. */
526 if (!cg_ns_supported())
527 arg_use_cgns
= false;
529 r
= getenv_bool("SYSTEMD_NSPAWN_USE_CGNS");
532 log_warning_errno(r
, "Failed to parse $SYSTEMD_NSPAWN_USE_CGNS, ignoring: %m");
536 arg_use_cgns
= r
> 0;
537 arg_settings_mask
|= SETTING_USE_CGNS
;
541 e
= getenv("SYSTEMD_NSPAWN_CONTAINER_SERVICE");
543 arg_container_service_name
= e
;
545 detect_unified_cgroup_hierarchy_from_environment();
548 static int parse_argv(int argc
, char *argv
[]) {
566 ARG_NETWORK_INTERFACE
,
571 ARG_NETWORK_VETH_EXTRA
,
572 ARG_NETWORK_NAMESPACE_PATH
,
582 ARG_PRIVATE_USERS_CHOWN
,
585 ARG_SYSTEM_CALL_FILTER
,
588 ARG_NO_NEW_PRIVILEGES
,
589 ARG_OOM_SCORE_ADJUST
,
599 static const struct option options
[] = {
600 { "help", no_argument
, NULL
, 'h' },
601 { "version", no_argument
, NULL
, ARG_VERSION
},
602 { "directory", required_argument
, NULL
, 'D' },
603 { "template", required_argument
, NULL
, ARG_TEMPLATE
},
604 { "ephemeral", no_argument
, NULL
, 'x' },
605 { "user", required_argument
, NULL
, 'u' },
606 { "private-network", no_argument
, NULL
, ARG_PRIVATE_NETWORK
},
607 { "as-pid2", no_argument
, NULL
, 'a' },
608 { "boot", no_argument
, NULL
, 'b' },
609 { "uuid", required_argument
, NULL
, ARG_UUID
},
610 { "read-only", no_argument
, NULL
, ARG_READ_ONLY
},
611 { "capability", required_argument
, NULL
, ARG_CAPABILITY
},
612 { "drop-capability", required_argument
, NULL
, ARG_DROP_CAPABILITY
},
613 { "no-new-privileges", required_argument
, NULL
, ARG_NO_NEW_PRIVILEGES
},
614 { "link-journal", required_argument
, NULL
, ARG_LINK_JOURNAL
},
615 { "bind", required_argument
, NULL
, ARG_BIND
},
616 { "bind-ro", required_argument
, NULL
, ARG_BIND_RO
},
617 { "tmpfs", required_argument
, NULL
, ARG_TMPFS
},
618 { "overlay", required_argument
, NULL
, ARG_OVERLAY
},
619 { "overlay-ro", required_argument
, NULL
, ARG_OVERLAY_RO
},
620 { "inaccessible", required_argument
, NULL
, ARG_INACCESSIBLE
},
621 { "machine", required_argument
, NULL
, 'M' },
622 { "hostname", required_argument
, NULL
, ARG_HOSTNAME
},
623 { "slice", required_argument
, NULL
, 'S' },
624 { "setenv", required_argument
, NULL
, 'E' },
625 { "selinux-context", required_argument
, NULL
, 'Z' },
626 { "selinux-apifs-context", required_argument
, NULL
, 'L' },
627 { "quiet", no_argument
, NULL
, 'q' },
628 { "share-system", no_argument
, NULL
, ARG_SHARE_SYSTEM
}, /* not documented */
629 { "register", required_argument
, NULL
, ARG_REGISTER
},
630 { "keep-unit", no_argument
, NULL
, ARG_KEEP_UNIT
},
631 { "network-interface", required_argument
, NULL
, ARG_NETWORK_INTERFACE
},
632 { "network-macvlan", required_argument
, NULL
, ARG_NETWORK_MACVLAN
},
633 { "network-ipvlan", required_argument
, NULL
, ARG_NETWORK_IPVLAN
},
634 { "network-veth", no_argument
, NULL
, 'n' },
635 { "network-veth-extra", required_argument
, NULL
, ARG_NETWORK_VETH_EXTRA
},
636 { "network-bridge", required_argument
, NULL
, ARG_NETWORK_BRIDGE
},
637 { "network-zone", required_argument
, NULL
, ARG_NETWORK_ZONE
},
638 { "network-namespace-path", required_argument
, NULL
, ARG_NETWORK_NAMESPACE_PATH
},
639 { "personality", required_argument
, NULL
, ARG_PERSONALITY
},
640 { "image", required_argument
, NULL
, 'i' },
641 { "volatile", optional_argument
, NULL
, ARG_VOLATILE
},
642 { "port", required_argument
, NULL
, 'p' },
643 { "property", required_argument
, NULL
, ARG_PROPERTY
},
644 { "private-users", optional_argument
, NULL
, ARG_PRIVATE_USERS
},
645 { "private-users-chown", optional_argument
, NULL
, ARG_PRIVATE_USERS_CHOWN
},
646 { "kill-signal", required_argument
, NULL
, ARG_KILL_SIGNAL
},
647 { "settings", required_argument
, NULL
, ARG_SETTINGS
},
648 { "chdir", required_argument
, NULL
, ARG_CHDIR
},
649 { "pivot-root", required_argument
, NULL
, ARG_PIVOT_ROOT
},
650 { "notify-ready", required_argument
, NULL
, ARG_NOTIFY_READY
},
651 { "root-hash", required_argument
, NULL
, ARG_ROOT_HASH
},
652 { "system-call-filter", required_argument
, NULL
, ARG_SYSTEM_CALL_FILTER
},
653 { "rlimit", required_argument
, NULL
, ARG_RLIMIT
},
654 { "oom-score-adjust", required_argument
, NULL
, ARG_OOM_SCORE_ADJUST
},
655 { "cpu-affinity", required_argument
, NULL
, ARG_CPU_AFFINITY
},
656 { "resolv-conf", required_argument
, NULL
, ARG_RESOLV_CONF
},
657 { "timezone", required_argument
, NULL
, ARG_TIMEZONE
},
658 { "console", required_argument
, NULL
, ARG_CONSOLE
},
659 { "pipe", no_argument
, NULL
, ARG_PIPE
},
660 { "oci-bundle", required_argument
, NULL
, ARG_OCI_BUNDLE
},
661 { "no-pager", no_argument
, NULL
, ARG_NO_PAGER
},
667 uint64_t plus
= 0, minus
= 0;
668 bool mask_all_settings
= false, mask_no_settings
= false;
673 while ((c
= getopt_long(argc
, argv
, "+hD:u:abL:M:jS:Z:qi:xp:nUE:P", options
, NULL
)) >= 0)
683 r
= parse_path_argument_and_warn(optarg
, false, &arg_directory
);
687 arg_settings_mask
|= SETTING_DIRECTORY
;
691 r
= parse_path_argument_and_warn(optarg
, false, &arg_template
);
695 arg_settings_mask
|= SETTING_DIRECTORY
;
699 r
= parse_path_argument_and_warn(optarg
, false, &arg_image
);
703 arg_settings_mask
|= SETTING_DIRECTORY
;
707 r
= parse_path_argument_and_warn(optarg
, false, &arg_oci_bundle
);
714 arg_ephemeral
= true;
715 arg_settings_mask
|= SETTING_EPHEMERAL
;
719 r
= free_and_strdup(&arg_user
, optarg
);
723 arg_settings_mask
|= SETTING_USER
;
726 case ARG_NETWORK_ZONE
: {
729 j
= strappend("vz-", optarg
);
733 if (!ifname_valid(j
)) {
734 log_error("Network zone name not valid: %s", j
);
739 free_and_replace(arg_network_zone
, j
);
741 arg_network_veth
= true;
742 arg_private_network
= true;
743 arg_settings_mask
|= SETTING_NETWORK
;
747 case ARG_NETWORK_BRIDGE
:
749 if (!ifname_valid(optarg
))
750 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
751 "Bridge interface name not valid: %s", optarg
);
753 r
= free_and_strdup(&arg_network_bridge
, optarg
);
759 arg_network_veth
= true;
760 arg_private_network
= true;
761 arg_settings_mask
|= SETTING_NETWORK
;
764 case ARG_NETWORK_VETH_EXTRA
:
765 r
= veth_extra_parse(&arg_network_veth_extra
, optarg
);
767 return log_error_errno(r
, "Failed to parse --network-veth-extra= parameter: %s", optarg
);
769 arg_private_network
= true;
770 arg_settings_mask
|= SETTING_NETWORK
;
773 case ARG_NETWORK_INTERFACE
:
774 if (!ifname_valid(optarg
))
775 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
776 "Network interface name not valid: %s", optarg
);
778 if (strv_extend(&arg_network_interfaces
, optarg
) < 0)
781 arg_private_network
= true;
782 arg_settings_mask
|= SETTING_NETWORK
;
785 case ARG_NETWORK_MACVLAN
:
787 if (!ifname_valid(optarg
))
788 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
789 "MACVLAN network interface name not valid: %s", optarg
);
791 if (strv_extend(&arg_network_macvlan
, optarg
) < 0)
794 arg_private_network
= true;
795 arg_settings_mask
|= SETTING_NETWORK
;
798 case ARG_NETWORK_IPVLAN
:
800 if (!ifname_valid(optarg
))
801 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
802 "IPVLAN network interface name not valid: %s", optarg
);
804 if (strv_extend(&arg_network_ipvlan
, optarg
) < 0)
808 case ARG_PRIVATE_NETWORK
:
809 arg_private_network
= true;
810 arg_settings_mask
|= SETTING_NETWORK
;
813 case ARG_NETWORK_NAMESPACE_PATH
:
814 r
= parse_path_argument_and_warn(optarg
, false, &arg_network_namespace_path
);
818 arg_settings_mask
|= SETTING_NETWORK
;
822 if (arg_start_mode
== START_PID2
)
823 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
824 "--boot and --as-pid2 may not be combined.");
826 arg_start_mode
= START_BOOT
;
827 arg_settings_mask
|= SETTING_START_MODE
;
831 if (arg_start_mode
== START_BOOT
)
832 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
833 "--boot and --as-pid2 may not be combined.");
835 arg_start_mode
= START_PID2
;
836 arg_settings_mask
|= SETTING_START_MODE
;
840 r
= sd_id128_from_string(optarg
, &arg_uuid
);
842 return log_error_errno(r
, "Invalid UUID: %s", optarg
);
844 if (sd_id128_is_null(arg_uuid
))
845 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
846 "Machine UUID may not be all zeroes.");
848 arg_settings_mask
|= SETTING_MACHINE_ID
;
852 r
= free_and_strdup(&arg_slice
, optarg
);
856 arg_settings_mask
|= SETTING_SLICE
;
861 arg_machine
= mfree(arg_machine
);
863 if (!machine_name_is_valid(optarg
))
864 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
865 "Invalid machine name: %s", optarg
);
867 r
= free_and_strdup(&arg_machine
, optarg
);
875 arg_hostname
= mfree(arg_hostname
);
877 if (!hostname_is_valid(optarg
, false))
878 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
879 "Invalid hostname: %s", optarg
);
881 r
= free_and_strdup(&arg_hostname
, optarg
);
886 arg_settings_mask
|= SETTING_HOSTNAME
;
890 arg_selinux_context
= optarg
;
894 arg_selinux_apifs_context
= optarg
;
898 arg_read_only
= true;
899 arg_settings_mask
|= SETTING_READ_ONLY
;
903 case ARG_DROP_CAPABILITY
: {
906 _cleanup_free_
char *t
= NULL
;
908 r
= extract_first_word(&p
, &t
, ",", 0);
910 return log_error_errno(r
, "Failed to parse capability %s.", t
);
914 if (streq(t
, "all")) {
915 if (c
== ARG_CAPABILITY
)
916 plus
= (uint64_t) -1;
918 minus
= (uint64_t) -1;
920 r
= capability_from_name(t
);
922 return log_error_errno(r
, "Failed to parse capability %s.", t
);
924 if (c
== ARG_CAPABILITY
)
931 arg_settings_mask
|= SETTING_CAPABILITY
;
935 case ARG_NO_NEW_PRIVILEGES
:
936 r
= parse_boolean(optarg
);
938 return log_error_errno(r
, "Failed to parse --no-new-privileges= argument: %s", optarg
);
940 arg_no_new_privileges
= r
;
941 arg_settings_mask
|= SETTING_NO_NEW_PRIVILEGES
;
945 arg_link_journal
= LINK_GUEST
;
946 arg_link_journal_try
= true;
947 arg_settings_mask
|= SETTING_LINK_JOURNAL
;
950 case ARG_LINK_JOURNAL
:
951 r
= parse_link_journal(optarg
, &arg_link_journal
, &arg_link_journal_try
);
953 return log_error_errno(r
, "Failed to parse link journal mode %s", optarg
);
955 arg_settings_mask
|= SETTING_LINK_JOURNAL
;
960 r
= bind_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
, c
== ARG_BIND_RO
);
962 return log_error_errno(r
, "Failed to parse --bind(-ro)= argument %s: %m", optarg
);
964 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
968 r
= tmpfs_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
);
970 return log_error_errno(r
, "Failed to parse --tmpfs= argument %s: %m", optarg
);
972 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
977 r
= overlay_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
, c
== ARG_OVERLAY_RO
);
978 if (r
== -EADDRNOTAVAIL
)
979 return log_error_errno(r
, "--overlay(-ro)= needs at least two colon-separated directories specified.");
981 return log_error_errno(r
, "Failed to parse --overlay(-ro)= argument %s: %m", optarg
);
983 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
986 case ARG_INACCESSIBLE
:
987 r
= inaccessible_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
);
989 return log_error_errno(r
, "Failed to parse --inaccessible= argument %s: %m", optarg
);
991 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
997 if (!env_assignment_is_valid(optarg
))
998 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
999 "Environment variable assignment '%s' is not valid.", optarg
);
1001 n
= strv_env_set(arg_setenv
, optarg
);
1005 strv_free_and_replace(arg_setenv
, n
);
1006 arg_settings_mask
|= SETTING_ENVIRONMENT
;
1014 case ARG_SHARE_SYSTEM
:
1015 /* We don't officially support this anymore, except for compat reasons. People should use the
1016 * $SYSTEMD_NSPAWN_SHARE_* environment variables instead. */
1017 log_warning("Please do not use --share-system anymore, use $SYSTEMD_NSPAWN_SHARE_* instead.");
1018 arg_clone_ns_flags
= 0;
1022 r
= parse_boolean(optarg
);
1024 log_error("Failed to parse --register= argument: %s", optarg
);
1032 arg_keep_unit
= true;
1035 case ARG_PERSONALITY
:
1037 arg_personality
= personality_from_string(optarg
);
1038 if (arg_personality
== PERSONALITY_INVALID
)
1039 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1040 "Unknown or unsupported personality '%s'.", optarg
);
1042 arg_settings_mask
|= SETTING_PERSONALITY
;
1048 arg_volatile_mode
= VOLATILE_YES
;
1049 else if (streq(optarg
, "help")) {
1050 DUMP_STRING_TABLE(volatile_mode
, VolatileMode
, _VOLATILE_MODE_MAX
);
1055 m
= volatile_mode_from_string(optarg
);
1057 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1058 "Failed to parse --volatile= argument: %s", optarg
);
1060 arg_volatile_mode
= m
;
1063 arg_settings_mask
|= SETTING_VOLATILE_MODE
;
1067 r
= expose_port_parse(&arg_expose_ports
, optarg
);
1069 return log_error_errno(r
, "Duplicate port specification: %s", optarg
);
1071 return log_error_errno(r
, "Failed to parse host port %s: %m", optarg
);
1073 arg_settings_mask
|= SETTING_EXPOSE_PORTS
;
1077 if (strv_extend(&arg_property
, optarg
) < 0)
1082 case ARG_PRIVATE_USERS
: {
1087 else if (!in_charset(optarg
, DIGITS
))
1088 /* do *not* parse numbers as booleans */
1089 boolean
= parse_boolean(optarg
);
1091 if (boolean
== false) {
1092 /* no: User namespacing off */
1093 arg_userns_mode
= USER_NAMESPACE_NO
;
1094 arg_uid_shift
= UID_INVALID
;
1095 arg_uid_range
= UINT32_C(0x10000);
1096 } else if (boolean
== true) {
1097 /* yes: User namespacing on, UID range is read from root dir */
1098 arg_userns_mode
= USER_NAMESPACE_FIXED
;
1099 arg_uid_shift
= UID_INVALID
;
1100 arg_uid_range
= UINT32_C(0x10000);
1101 } else if (streq(optarg
, "pick")) {
1102 /* pick: User namespacing on, UID range is picked randomly */
1103 arg_userns_mode
= USER_NAMESPACE_PICK
;
1104 arg_uid_shift
= UID_INVALID
;
1105 arg_uid_range
= UINT32_C(0x10000);
1107 _cleanup_free_
char *buffer
= NULL
;
1108 const char *range
, *shift
;
1110 /* anything else: User namespacing on, UID range is explicitly configured */
1112 range
= strchr(optarg
, ':');
1114 buffer
= strndup(optarg
, range
- optarg
);
1120 r
= safe_atou32(range
, &arg_uid_range
);
1122 return log_error_errno(r
, "Failed to parse UID range \"%s\": %m", range
);
1126 r
= parse_uid(shift
, &arg_uid_shift
);
1128 return log_error_errno(r
, "Failed to parse UID \"%s\": %m", optarg
);
1130 arg_userns_mode
= USER_NAMESPACE_FIXED
;
1133 if (arg_uid_range
<= 0)
1134 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1135 "UID range cannot be 0.");
1137 arg_settings_mask
|= SETTING_USERNS
;
1142 if (userns_supported()) {
1143 arg_userns_mode
= USER_NAMESPACE_PICK
;
1144 arg_uid_shift
= UID_INVALID
;
1145 arg_uid_range
= UINT32_C(0x10000);
1147 arg_settings_mask
|= SETTING_USERNS
;
1152 case ARG_PRIVATE_USERS_CHOWN
:
1153 arg_userns_chown
= true;
1155 arg_settings_mask
|= SETTING_USERNS
;
1158 case ARG_KILL_SIGNAL
:
1159 if (streq(optarg
, "help")) {
1160 DUMP_STRING_TABLE(signal
, int, _NSIG
);
1164 arg_kill_signal
= signal_from_string(optarg
);
1165 if (arg_kill_signal
< 0)
1166 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1167 "Cannot parse signal: %s", optarg
);
1169 arg_settings_mask
|= SETTING_KILL_SIGNAL
;
1174 /* no → do not read files
1175 * yes → read files, do not override cmdline, trust only subset
1176 * override → read files, override cmdline, trust only subset
1177 * trusted → read files, do not override cmdline, trust all
1180 r
= parse_boolean(optarg
);
1182 if (streq(optarg
, "trusted")) {
1183 mask_all_settings
= false;
1184 mask_no_settings
= false;
1185 arg_settings_trusted
= true;
1187 } else if (streq(optarg
, "override")) {
1188 mask_all_settings
= false;
1189 mask_no_settings
= true;
1190 arg_settings_trusted
= -1;
1192 return log_error_errno(r
, "Failed to parse --settings= argument: %s", optarg
);
1195 mask_all_settings
= false;
1196 mask_no_settings
= false;
1197 arg_settings_trusted
= -1;
1200 mask_all_settings
= true;
1201 mask_no_settings
= false;
1202 arg_settings_trusted
= false;
1208 if (!path_is_absolute(optarg
))
1209 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1210 "Working directory %s is not an absolute path.", optarg
);
1212 r
= free_and_strdup(&arg_chdir
, optarg
);
1216 arg_settings_mask
|= SETTING_WORKING_DIRECTORY
;
1219 case ARG_PIVOT_ROOT
:
1220 r
= pivot_root_parse(&arg_pivot_root_new
, &arg_pivot_root_old
, optarg
);
1222 return log_error_errno(r
, "Failed to parse --pivot-root= argument %s: %m", optarg
);
1224 arg_settings_mask
|= SETTING_PIVOT_ROOT
;
1227 case ARG_NOTIFY_READY
:
1228 r
= parse_boolean(optarg
);
1230 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1231 "%s is not a valid notify mode. Valid modes are: yes, no, and ready.", optarg
);
1232 arg_notify_ready
= r
;
1233 arg_settings_mask
|= SETTING_NOTIFY_READY
;
1236 case ARG_ROOT_HASH
: {
1240 r
= unhexmem(optarg
, strlen(optarg
), &k
, &l
);
1242 return log_error_errno(r
, "Failed to parse root hash: %s", optarg
);
1243 if (l
< sizeof(sd_id128_t
)) {
1245 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Root hash must be at least 128bit long: %s", optarg
);
1248 free(arg_root_hash
);
1250 arg_root_hash_size
= l
;
1254 case ARG_SYSTEM_CALL_FILTER
: {
1258 negative
= optarg
[0] == '~';
1259 items
= negative
? optarg
+ 1 : optarg
;
1262 _cleanup_free_
char *word
= NULL
;
1264 r
= extract_first_word(&items
, &word
, NULL
, 0);
1270 return log_error_errno(r
, "Failed to parse system call filter: %m");
1273 r
= strv_extend(&arg_syscall_blacklist
, word
);
1275 r
= strv_extend(&arg_syscall_whitelist
, word
);
1280 arg_settings_mask
|= SETTING_SYSCALL_FILTER
;
1289 if (streq(optarg
, "help")) {
1290 DUMP_STRING_TABLE(rlimit
, int, _RLIMIT_MAX
);
1294 eq
= strchr(optarg
, '=');
1296 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1297 "--rlimit= expects an '=' assignment.");
1299 name
= strndup(optarg
, eq
- optarg
);
1303 rl
= rlimit_from_string_harder(name
);
1305 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1306 "Unknown resource limit: %s", name
);
1308 if (!arg_rlimit
[rl
]) {
1309 arg_rlimit
[rl
] = new0(struct rlimit
, 1);
1310 if (!arg_rlimit
[rl
])
1314 r
= rlimit_parse(rl
, eq
+ 1, arg_rlimit
[rl
]);
1316 return log_error_errno(r
, "Failed to parse resource limit: %s", eq
+ 1);
1318 arg_settings_mask
|= SETTING_RLIMIT_FIRST
<< rl
;
1322 case ARG_OOM_SCORE_ADJUST
:
1323 r
= parse_oom_score_adjust(optarg
, &arg_oom_score_adjust
);
1325 return log_error_errno(r
, "Failed to parse --oom-score-adjust= parameter: %s", optarg
);
1327 arg_oom_score_adjust_set
= true;
1328 arg_settings_mask
|= SETTING_OOM_SCORE_ADJUST
;
1331 case ARG_CPU_AFFINITY
: {
1332 _cleanup_cpu_free_ cpu_set_t
*cpuset
= NULL
;
1334 r
= parse_cpu_set(optarg
, &cpuset
);
1336 return log_error_errno(r
, "Failed to parse CPU affinity mask: %s", optarg
);
1339 CPU_FREE(arg_cpuset
);
1341 arg_cpuset
= TAKE_PTR(cpuset
);
1342 arg_cpuset_ncpus
= r
;
1343 arg_settings_mask
|= SETTING_CPU_AFFINITY
;
1347 case ARG_RESOLV_CONF
:
1348 if (streq(optarg
, "help")) {
1349 DUMP_STRING_TABLE(resolv_conf_mode
, ResolvConfMode
, _RESOLV_CONF_MODE_MAX
);
1353 arg_resolv_conf
= resolv_conf_mode_from_string(optarg
);
1354 if (arg_resolv_conf
< 0)
1355 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1356 "Failed to parse /etc/resolv.conf mode: %s", optarg
);
1358 arg_settings_mask
|= SETTING_RESOLV_CONF
;
1362 if (streq(optarg
, "help")) {
1363 DUMP_STRING_TABLE(timezone_mode
, TimezoneMode
, _TIMEZONE_MODE_MAX
);
1367 arg_timezone
= timezone_mode_from_string(optarg
);
1368 if (arg_timezone
< 0)
1369 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1370 "Failed to parse /etc/localtime mode: %s", optarg
);
1372 arg_settings_mask
|= SETTING_TIMEZONE
;
1376 if (streq(optarg
, "interactive"))
1377 arg_console_mode
= CONSOLE_INTERACTIVE
;
1378 else if (streq(optarg
, "read-only"))
1379 arg_console_mode
= CONSOLE_READ_ONLY
;
1380 else if (streq(optarg
, "passive"))
1381 arg_console_mode
= CONSOLE_PASSIVE
;
1382 else if (streq(optarg
, "pipe"))
1383 arg_console_mode
= CONSOLE_PIPE
;
1384 else if (streq(optarg
, "help"))
1385 puts("interactive\n"
1390 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Unknown console mode: %s", optarg
);
1392 arg_settings_mask
|= SETTING_CONSOLE_MODE
;
1397 arg_console_mode
= CONSOLE_PIPE
;
1398 arg_settings_mask
|= SETTING_CONSOLE_MODE
;
1402 arg_pager_flags
|= PAGER_DISABLE
;
1409 assert_not_reached("Unhandled option");
1412 if (argc
> optind
) {
1413 strv_free(arg_parameters
);
1414 arg_parameters
= strv_copy(argv
+ optind
);
1415 if (!arg_parameters
)
1418 arg_settings_mask
|= SETTING_START_MODE
;
1421 if (arg_ephemeral
&& arg_template
&& !arg_directory
)
1422 /* User asked for ephemeral execution but specified --template= instead of --directory=. Semantically
1423 * such an invocation makes some sense, see https://github.com/systemd/systemd/issues/3667. Let's
1424 * accept this here, and silently make "--ephemeral --template=" equivalent to "--ephemeral
1426 arg_directory
= TAKE_PTR(arg_template
);
1428 arg_caps_retain
= (arg_caps_retain
| plus
| (arg_private_network
? UINT64_C(1) << CAP_NET_ADMIN
: 0)) & ~minus
;
1430 /* Make sure to parse environment before we reset the settings mask below */
1431 parse_environment();
1433 /* Load all settings from .nspawn files */
1434 if (mask_no_settings
)
1435 arg_settings_mask
= 0;
1437 /* Don't load any settings from .nspawn files */
1438 if (mask_all_settings
)
1439 arg_settings_mask
= _SETTINGS_MASK_ALL
;
1444 static int verify_arguments(void) {
1447 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
1448 arg_mount_settings
|= MOUNT_USE_USERNS
;
1450 if (arg_private_network
)
1451 arg_mount_settings
|= MOUNT_APPLY_APIVFS_NETNS
;
1453 if (!(arg_clone_ns_flags
& CLONE_NEWPID
) ||
1454 !(arg_clone_ns_flags
& CLONE_NEWUTS
)) {
1455 arg_register
= false;
1456 if (arg_start_mode
!= START_PID1
)
1457 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--boot cannot be used without namespacing.");
1460 if (arg_userns_mode
== USER_NAMESPACE_PICK
)
1461 arg_userns_chown
= true;
1463 if (arg_start_mode
== START_BOOT
&& arg_kill_signal
<= 0)
1464 arg_kill_signal
= SIGRTMIN
+3;
1466 if (arg_volatile_mode
!= VOLATILE_NO
) /* Make sure all file systems contained in the image are mounted read-only if we are in volatile mode */
1467 arg_read_only
= true;
1469 if (arg_keep_unit
&& arg_register
&& cg_pid_get_owner_uid(0, NULL
) >= 0)
1470 /* Save the user from accidentally registering either user-$SESSION.scope or user@.service.
1471 * The latter is not technically a user session, but we don't need to labour the point. */
1472 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--keep-unit --register=yes may not be used when invoked from a user session.");
1474 if (arg_directory
&& arg_image
)
1475 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--directory= and --image= may not be combined.");
1477 if (arg_template
&& arg_image
)
1478 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--template= and --image= may not be combined.");
1480 if (arg_template
&& !(arg_directory
|| arg_machine
))
1481 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--template= needs --directory= or --machine=.");
1483 if (arg_ephemeral
&& arg_template
)
1484 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--ephemeral and --template= may not be combined.");
1486 if (arg_ephemeral
&& !IN_SET(arg_link_journal
, LINK_NO
, LINK_AUTO
))
1487 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--ephemeral and --link-journal= may not be combined.");
1489 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& !userns_supported())
1490 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "--private-users= is not supported, kernel compiled without user namespace support.");
1492 if (arg_userns_chown
&& arg_read_only
)
1493 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1494 "--read-only and --private-users-chown may not be combined.");
1496 /* We don't support --private-users-chown together with any of the volatile modes since we couldn't
1497 * change the read-only part of the tree (i.e. /usr) anyway, or because it would trigger a massive
1498 * copy-up (in case of overlay) making the entire excercise pointless. */
1499 if (arg_userns_chown
&& arg_volatile_mode
!= VOLATILE_NO
)
1500 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--volatile= and --private-users-chown may not be combined.");
1502 /* If --network-namespace-path is given with any other network-related option, we need to error out,
1503 * to avoid conflicts between different network options. */
1504 if (arg_network_namespace_path
&&
1505 (arg_network_interfaces
|| arg_network_macvlan
||
1506 arg_network_ipvlan
|| arg_network_veth_extra
||
1507 arg_network_bridge
|| arg_network_zone
||
1508 arg_network_veth
|| arg_private_network
))
1509 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--network-namespace-path= cannot be combined with other network options.");
1511 if (arg_network_bridge
&& arg_network_zone
)
1512 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1513 "--network-bridge= and --network-zone= may not be combined.");
1515 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& (arg_mount_settings
& MOUNT_APPLY_APIVFS_NETNS
) && !arg_private_network
)
1516 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid namespacing settings. Mounting sysfs with --private-users requires --private-network.");
1518 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& !(arg_mount_settings
& MOUNT_APPLY_APIVFS_RO
))
1519 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Cannot combine --private-users with read-write mounts.");
1521 if (arg_expose_ports
&& !arg_private_network
)
1522 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Cannot use --port= without private networking.");
1525 if (arg_expose_ports
)
1526 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "--port= is not supported, compiled without libiptc support.");
1529 r
= custom_mount_check_all();
1536 static int userns_lchown(const char *p
, uid_t uid
, gid_t gid
) {
1539 if (arg_userns_mode
== USER_NAMESPACE_NO
)
1542 if (uid
== UID_INVALID
&& gid
== GID_INVALID
)
1545 if (uid
!= UID_INVALID
) {
1546 uid
+= arg_uid_shift
;
1548 if (uid
< arg_uid_shift
|| uid
>= arg_uid_shift
+ arg_uid_range
)
1552 if (gid
!= GID_INVALID
) {
1553 gid
+= (gid_t
) arg_uid_shift
;
1555 if (gid
< (gid_t
) arg_uid_shift
|| gid
>= (gid_t
) (arg_uid_shift
+ arg_uid_range
))
1559 if (lchown(p
, uid
, gid
) < 0)
1565 static int userns_mkdir(const char *root
, const char *path
, mode_t mode
, uid_t uid
, gid_t gid
) {
1569 q
= prefix_roota(root
, path
);
1570 r
= mkdir_errno_wrapper(q
, mode
);
1576 return userns_lchown(q
, uid
, gid
);
1579 static const char *timezone_from_path(const char *path
) {
1580 return PATH_STARTSWITH_SET(
1582 "../usr/share/zoneinfo/",
1583 "/usr/share/zoneinfo/");
1586 static bool etc_writable(void) {
1587 return !arg_read_only
|| IN_SET(arg_volatile_mode
, VOLATILE_YES
, VOLATILE_OVERLAY
);
1590 static int setup_timezone(const char *dest
) {
1591 _cleanup_free_
char *p
= NULL
, *etc
= NULL
;
1592 const char *where
, *check
;
1598 if (IN_SET(arg_timezone
, TIMEZONE_AUTO
, TIMEZONE_SYMLINK
)) {
1599 r
= readlink_malloc("/etc/localtime", &p
);
1600 if (r
== -ENOENT
&& arg_timezone
== TIMEZONE_AUTO
)
1601 m
= etc_writable() ? TIMEZONE_DELETE
: TIMEZONE_OFF
;
1602 else if (r
== -EINVAL
&& arg_timezone
== TIMEZONE_AUTO
) /* regular file? */
1603 m
= etc_writable() ? TIMEZONE_COPY
: TIMEZONE_BIND
;
1605 log_warning_errno(r
, "Failed to read host's /etc/localtime symlink, not updating container timezone: %m");
1606 /* To handle warning, delete /etc/localtime and replace it with a symbolic link to a time zone data
1610 * ln -s /usr/share/zoneinfo/UTC /etc/localtime
1613 } else if (arg_timezone
== TIMEZONE_AUTO
)
1614 m
= etc_writable() ? TIMEZONE_SYMLINK
: TIMEZONE_BIND
;
1620 if (m
== TIMEZONE_OFF
)
1623 r
= chase_symlinks("/etc", dest
, CHASE_PREFIX_ROOT
, &etc
);
1625 log_warning_errno(r
, "Failed to resolve /etc path in container, ignoring: %m");
1629 where
= strjoina(etc
, "/localtime");
1633 case TIMEZONE_DELETE
:
1634 if (unlink(where
) < 0)
1635 log_full_errno(errno
== ENOENT
? LOG_DEBUG
: LOG_WARNING
, errno
, "Failed to remove '%s', ignoring: %m", where
);
1639 case TIMEZONE_SYMLINK
: {
1640 _cleanup_free_
char *q
= NULL
;
1641 const char *z
, *what
;
1643 z
= timezone_from_path(p
);
1645 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1649 r
= readlink_malloc(where
, &q
);
1650 if (r
>= 0 && streq_ptr(timezone_from_path(q
), z
))
1651 return 0; /* Already pointing to the right place? Then do nothing .. */
1653 check
= strjoina(dest
, "/usr/share/zoneinfo/", z
);
1654 r
= chase_symlinks(check
, dest
, 0, NULL
);
1656 log_debug_errno(r
, "Timezone %s does not exist (or is not accessible) in container, not creating symlink: %m", z
);
1658 if (unlink(where
) < 0 && errno
!= ENOENT
) {
1659 log_full_errno(IN_SET(errno
, EROFS
, EACCES
, EPERM
) ? LOG_DEBUG
: LOG_WARNING
, /* Don't complain on read-only images */
1660 errno
, "Failed to remove existing timezone info %s in container, ignoring: %m", where
);
1664 what
= strjoina("../usr/share/zoneinfo/", z
);
1665 if (symlink(what
, where
) < 0) {
1666 log_full_errno(IN_SET(errno
, EROFS
, EACCES
, EPERM
) ? LOG_DEBUG
: LOG_WARNING
,
1667 errno
, "Failed to correct timezone of container, ignoring: %m");
1677 case TIMEZONE_BIND
: {
1678 _cleanup_free_
char *resolved
= NULL
;
1681 found
= chase_symlinks(where
, dest
, CHASE_NONEXISTENT
, &resolved
);
1683 log_warning_errno(found
, "Failed to resolve /etc/localtime path in container, ignoring: %m");
1687 if (found
== 0) /* missing? */
1688 (void) touch(resolved
);
1690 r
= mount_verbose(LOG_WARNING
, "/etc/localtime", resolved
, NULL
, MS_BIND
, NULL
);
1692 return mount_verbose(LOG_ERR
, NULL
, resolved
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
);
1698 /* If mounting failed, try to copy */
1699 r
= copy_file_atomic("/etc/localtime", where
, 0644, 0, 0, COPY_REFLINK
|COPY_REPLACE
);
1701 log_full_errno(IN_SET(r
, -EROFS
, -EACCES
, -EPERM
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1702 "Failed to copy /etc/localtime to %s, ignoring: %m", where
);
1709 assert_not_reached("unexpected mode");
1712 /* Fix permissions of the symlink or file copy we just created */
1713 r
= userns_lchown(where
, 0, 0);
1715 log_warning_errno(r
, "Failed to chown /etc/localtime, ignoring: %m");
1720 static int have_resolv_conf(const char *path
) {
1723 if (access(path
, F_OK
) < 0) {
1724 if (errno
== ENOENT
)
1727 return log_debug_errno(errno
, "Failed to determine whether '%s' is available: %m", path
);
1733 static int resolved_listening(void) {
1734 _cleanup_(sd_bus_error_free
) sd_bus_error error
= SD_BUS_ERROR_NULL
;
1735 _cleanup_(sd_bus_flush_close_unrefp
) sd_bus
*bus
= NULL
;
1736 _cleanup_free_
char *dns_stub_listener_mode
= NULL
;
1739 /* Check if resolved is listening */
1741 r
= sd_bus_open_system(&bus
);
1743 return log_debug_errno(r
, "Failed to open system bus: %m");
1745 r
= bus_name_has_owner(bus
, "org.freedesktop.resolve1", NULL
);
1747 return log_debug_errno(r
, "Failed to check whether the 'org.freedesktop.resolve1' bus name is taken: %m");
1751 r
= sd_bus_get_property_string(bus
,
1752 "org.freedesktop.resolve1",
1753 "/org/freedesktop/resolve1",
1754 "org.freedesktop.resolve1.Manager",
1757 &dns_stub_listener_mode
);
1759 return log_debug_errno(r
, "Failed to query DNSStubListener property: %s", bus_error_message(&error
, r
));
1761 return STR_IN_SET(dns_stub_listener_mode
, "udp", "yes");
1764 static int setup_resolv_conf(const char *dest
) {
1765 _cleanup_free_
char *etc
= NULL
;
1766 const char *where
, *what
;
1772 if (arg_resolv_conf
== RESOLV_CONF_AUTO
) {
1773 if (arg_private_network
)
1774 m
= RESOLV_CONF_OFF
;
1775 else if (have_resolv_conf(STATIC_RESOLV_CONF
) > 0 && resolved_listening() > 0)
1776 m
= etc_writable() ? RESOLV_CONF_COPY_STATIC
: RESOLV_CONF_BIND_STATIC
;
1777 else if (have_resolv_conf("/etc/resolv.conf") > 0)
1778 m
= etc_writable() ? RESOLV_CONF_COPY_HOST
: RESOLV_CONF_BIND_HOST
;
1780 m
= etc_writable() ? RESOLV_CONF_DELETE
: RESOLV_CONF_OFF
;
1782 m
= arg_resolv_conf
;
1784 if (m
== RESOLV_CONF_OFF
)
1787 r
= chase_symlinks("/etc", dest
, CHASE_PREFIX_ROOT
, &etc
);
1789 log_warning_errno(r
, "Failed to resolve /etc path in container, ignoring: %m");
1793 where
= strjoina(etc
, "/resolv.conf");
1795 if (m
== RESOLV_CONF_DELETE
) {
1796 if (unlink(where
) < 0)
1797 log_full_errno(errno
== ENOENT
? LOG_DEBUG
: LOG_WARNING
, errno
, "Failed to remove '%s', ignoring: %m", where
);
1802 if (IN_SET(m
, RESOLV_CONF_BIND_STATIC
, RESOLV_CONF_COPY_STATIC
))
1803 what
= STATIC_RESOLV_CONF
;
1805 what
= "/etc/resolv.conf";
1807 if (IN_SET(m
, RESOLV_CONF_BIND_HOST
, RESOLV_CONF_BIND_STATIC
)) {
1808 _cleanup_free_
char *resolved
= NULL
;
1811 found
= chase_symlinks(where
, dest
, CHASE_NONEXISTENT
, &resolved
);
1813 log_warning_errno(found
, "Failed to resolve /etc/resolv.conf path in container, ignoring: %m");
1817 if (found
== 0) /* missing? */
1818 (void) touch(resolved
);
1820 r
= mount_verbose(LOG_WARNING
, what
, resolved
, NULL
, MS_BIND
, NULL
);
1822 return mount_verbose(LOG_ERR
, NULL
, resolved
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
);
1825 /* If that didn't work, let's copy the file */
1826 r
= copy_file(what
, where
, O_TRUNC
|O_NOFOLLOW
, 0644, 0, 0, COPY_REFLINK
);
1828 /* If the file already exists as symlink, let's suppress the warning, under the assumption that
1829 * resolved or something similar runs inside and the symlink points there.
1831 * If the disk image is read-only, there's also no point in complaining.
1833 log_full_errno(!IN_SET(RESOLV_CONF_COPY_HOST
, RESOLV_CONF_COPY_STATIC
) && IN_SET(r
, -ELOOP
, -EROFS
, -EACCES
, -EPERM
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1834 "Failed to copy /etc/resolv.conf to %s, ignoring: %m", where
);
1838 r
= userns_lchown(where
, 0, 0);
1840 log_warning_errno(r
, "Failed to chown /etc/resolv.conf, ignoring: %m");
1845 static int setup_boot_id(void) {
1846 _cleanup_(unlink_and_freep
) char *from
= NULL
;
1847 _cleanup_free_
char *path
= NULL
;
1848 sd_id128_t rnd
= SD_ID128_NULL
;
1852 /* Generate a new randomized boot ID, so that each boot-up of
1853 * the container gets a new one */
1855 r
= tempfn_random_child(NULL
, "proc-sys-kernel-random-boot-id", &path
);
1857 return log_error_errno(r
, "Failed to generate random boot ID path: %m");
1859 r
= sd_id128_randomize(&rnd
);
1861 return log_error_errno(r
, "Failed to generate random boot id: %m");
1863 r
= id128_write(path
, ID128_UUID
, rnd
, false);
1865 return log_error_errno(r
, "Failed to write boot id: %m");
1867 from
= TAKE_PTR(path
);
1868 to
= "/proc/sys/kernel/random/boot_id";
1870 r
= mount_verbose(LOG_ERR
, from
, to
, NULL
, MS_BIND
, NULL
);
1874 return mount_verbose(LOG_ERR
, NULL
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, NULL
);
1877 static int copy_devnodes(const char *dest
) {
1878 static const char devnodes
[] =
1887 _cleanup_umask_ mode_t u
;
1895 /* Create /dev/net, so that we can create /dev/net/tun in it */
1896 if (userns_mkdir(dest
, "/dev/net", 0755, 0, 0) < 0)
1897 return log_error_errno(r
, "Failed to create /dev/net directory: %m");
1899 NULSTR_FOREACH(d
, devnodes
) {
1900 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1903 from
= strappend("/dev/", d
);
1907 to
= prefix_root(dest
, from
);
1911 if (stat(from
, &st
) < 0) {
1913 if (errno
!= ENOENT
)
1914 return log_error_errno(errno
, "Failed to stat %s: %m", from
);
1916 } else if (!S_ISCHR(st
.st_mode
) && !S_ISBLK(st
.st_mode
))
1917 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
1918 "%s is not a char or block device, cannot copy.", from
);
1920 _cleanup_free_
char *sl
= NULL
, *prefixed
= NULL
, *dn
= NULL
, *t
= NULL
;
1922 if (mknod(to
, st
.st_mode
, st
.st_rdev
) < 0) {
1923 /* Explicitly warn the user when /dev is already populated. */
1924 if (errno
== EEXIST
)
1925 log_notice("%s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system.", dest
);
1927 return log_error_errno(errno
, "mknod(%s) failed: %m", to
);
1929 /* Some systems abusively restrict mknod but allow bind mounts. */
1932 return log_error_errno(r
, "touch (%s) failed: %m", to
);
1933 r
= mount_verbose(LOG_DEBUG
, from
, to
, NULL
, MS_BIND
, NULL
);
1935 return log_error_errno(r
, "Both mknod and bind mount (%s) failed: %m", to
);
1938 r
= userns_lchown(to
, 0, 0);
1940 return log_error_errno(r
, "chown() of device node %s failed: %m", to
);
1942 dn
= strjoin("/dev/", S_ISCHR(st
.st_mode
) ? "char" : "block");
1946 r
= userns_mkdir(dest
, dn
, 0755, 0, 0);
1948 return log_error_errno(r
, "Failed to create '%s': %m", dn
);
1950 if (asprintf(&sl
, "%s/%u:%u", dn
, major(st
.st_rdev
), minor(st
.st_rdev
)) < 0)
1953 prefixed
= prefix_root(dest
, sl
);
1957 t
= strjoin("../", d
);
1961 if (symlink(t
, prefixed
) < 0)
1962 log_debug_errno(errno
, "Failed to symlink '%s' to '%s': %m", t
, prefixed
);
1969 static int make_extra_nodes(const char *dest
) {
1970 _cleanup_umask_ mode_t u
;
1976 for (i
= 0; i
< arg_n_extra_nodes
; i
++) {
1977 _cleanup_free_
char *path
= NULL
;
1978 DeviceNode
*n
= arg_extra_nodes
+ i
;
1980 path
= prefix_root(dest
, n
->path
);
1984 if (mknod(path
, n
->mode
, S_ISCHR(n
->mode
) || S_ISBLK(n
->mode
) ? makedev(n
->major
, n
->minor
) : 0) < 0)
1985 return log_error_errno(errno
, "Failed to create device node '%s': %m", path
);
1987 r
= chmod_and_chown(path
, n
->mode
, n
->uid
, n
->gid
);
1989 return log_error_errno(r
, "Failed to adjust device node ownership of '%s': %m", path
);
1995 static int setup_pts(const char *dest
) {
1996 _cleanup_free_
char *options
= NULL
;
2001 if (arg_selinux_apifs_context
)
2002 (void) asprintf(&options
,
2003 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
",context=\"%s\"",
2004 arg_uid_shift
+ TTY_GID
,
2005 arg_selinux_apifs_context
);
2008 (void) asprintf(&options
,
2009 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
,
2010 arg_uid_shift
+ TTY_GID
);
2015 /* Mount /dev/pts itself */
2016 p
= prefix_roota(dest
, "/dev/pts");
2017 r
= mkdir_errno_wrapper(p
, 0755);
2019 return log_error_errno(r
, "Failed to create /dev/pts: %m");
2021 r
= mount_verbose(LOG_ERR
, "devpts", p
, "devpts", MS_NOSUID
|MS_NOEXEC
, options
);
2024 r
= userns_lchown(p
, 0, 0);
2026 return log_error_errno(r
, "Failed to chown /dev/pts: %m");
2028 /* Create /dev/ptmx symlink */
2029 p
= prefix_roota(dest
, "/dev/ptmx");
2030 if (symlink("pts/ptmx", p
) < 0)
2031 return log_error_errno(errno
, "Failed to create /dev/ptmx symlink: %m");
2032 r
= userns_lchown(p
, 0, 0);
2034 return log_error_errno(r
, "Failed to chown /dev/ptmx: %m");
2036 /* And fix /dev/pts/ptmx ownership */
2037 p
= prefix_roota(dest
, "/dev/pts/ptmx");
2038 r
= userns_lchown(p
, 0, 0);
2040 return log_error_errno(r
, "Failed to chown /dev/pts/ptmx: %m");
2045 static int setup_dev_console(const char *dest
, const char *console
) {
2046 _cleanup_umask_ mode_t u
;
2057 r
= chmod_and_chown(console
, 0600, arg_uid_shift
, arg_uid_shift
);
2059 return log_error_errno(r
, "Failed to correct access mode for TTY: %m");
2061 /* We need to bind mount the right tty to /dev/console since
2062 * ptys can only exist on pts file systems. To have something
2063 * to bind mount things on we create a empty regular file. */
2065 to
= prefix_roota(dest
, "/dev/console");
2068 return log_error_errno(r
, "touch() for /dev/console failed: %m");
2070 return mount_verbose(LOG_ERR
, console
, to
, NULL
, MS_BIND
, NULL
);
2073 static int setup_keyring(void) {
2074 key_serial_t keyring
;
2076 /* Allocate a new session keyring for the container. This makes sure the keyring of the session systemd-nspawn
2077 * was invoked from doesn't leak into the container. Note that by default we block keyctl() and request_key()
2078 * anyway via seccomp so doing this operation isn't strictly necessary, but in case people explicitly whitelist
2079 * these system calls let's make sure we don't leak anything into the container. */
2081 keyring
= keyctl(KEYCTL_JOIN_SESSION_KEYRING
, 0, 0, 0, 0);
2082 if (keyring
== -1) {
2083 if (errno
== ENOSYS
)
2084 log_debug_errno(errno
, "Kernel keyring not supported, ignoring.");
2085 else if (IN_SET(errno
, EACCES
, EPERM
))
2086 log_debug_errno(errno
, "Kernel keyring access prohibited, ignoring.");
2088 return log_error_errno(errno
, "Setting up kernel keyring failed: %m");
2094 static int setup_kmsg(int kmsg_socket
) {
2095 _cleanup_(unlink_and_freep
) char *from
= NULL
;
2096 _cleanup_free_
char *fifo
= NULL
;
2097 _cleanup_close_
int fd
= -1;
2098 _cleanup_umask_ mode_t u
;
2102 assert(kmsg_socket
>= 0);
2106 /* We create the kmsg FIFO as as temporary file in /tmp, but immediately delete it after bind mounting it to
2107 * /proc/kmsg. While FIFOs on the reading side behave very similar to /proc/kmsg, their writing side behaves
2108 * differently from /dev/kmsg in that writing blocks when nothing is reading. In order to avoid any problems
2109 * with containers deadlocking due to this we simply make /dev/kmsg unavailable to the container. */
2111 r
= tempfn_random_child(NULL
, "proc-kmsg", &fifo
);
2113 return log_error_errno(r
, "Failed to generate kmsg path: %m");
2115 if (mkfifo(fifo
, 0600) < 0)
2116 return log_error_errno(errno
, "mkfifo() for /run/kmsg failed: %m");
2118 from
= TAKE_PTR(fifo
);
2121 r
= mount_verbose(LOG_ERR
, from
, to
, NULL
, MS_BIND
, NULL
);
2125 fd
= open(from
, O_RDWR
|O_NONBLOCK
|O_CLOEXEC
);
2127 return log_error_errno(errno
, "Failed to open fifo: %m");
2129 /* Store away the fd in the socket, so that it stays open as long as we run the child */
2130 r
= send_one_fd(kmsg_socket
, fd
, 0);
2132 return log_error_errno(r
, "Failed to send FIFO fd: %m");
2137 static int on_address_change(sd_netlink
*rtnl
, sd_netlink_message
*m
, void *userdata
) {
2138 union in_addr_union
*exposed
= userdata
;
2144 expose_port_execute(rtnl
, arg_expose_ports
, exposed
);
2148 static int setup_hostname(void) {
2151 if ((arg_clone_ns_flags
& CLONE_NEWUTS
) == 0)
2154 r
= sethostname_idempotent(arg_hostname
?: arg_machine
);
2156 return log_error_errno(r
, "Failed to set hostname: %m");
2161 static int setup_journal(const char *directory
) {
2162 _cleanup_free_
char *d
= NULL
;
2163 const char *dirname
, *p
, *q
;
2169 /* Don't link journals in ephemeral mode */
2173 if (arg_link_journal
== LINK_NO
)
2176 try = arg_link_journal_try
|| arg_link_journal
== LINK_AUTO
;
2178 r
= sd_id128_get_machine(&this_id
);
2180 return log_error_errno(r
, "Failed to retrieve machine ID: %m");
2182 if (sd_id128_equal(arg_uuid
, this_id
)) {
2183 log_full(try ? LOG_WARNING
: LOG_ERR
,
2184 "Host and machine ids are equal (%s): refusing to link journals", sd_id128_to_string(arg_uuid
, id
));
2190 FOREACH_STRING(dirname
, "/var", "/var/log", "/var/log/journal") {
2191 r
= userns_mkdir(directory
, dirname
, 0755, 0, 0);
2193 bool ignore
= r
== -EROFS
&& try;
2194 log_full_errno(ignore
? LOG_DEBUG
: LOG_ERR
, r
,
2195 "Failed to create %s%s: %m", dirname
, ignore
? ", ignoring" : "");
2196 return ignore
? 0 : r
;
2200 (void) sd_id128_to_string(arg_uuid
, id
);
2202 p
= strjoina("/var/log/journal/", id
);
2203 q
= prefix_roota(directory
, p
);
2205 if (path_is_mount_point(p
, NULL
, 0) > 0) {
2209 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
),
2210 "%s: already a mount point, refusing to use for journal", p
);
2213 if (path_is_mount_point(q
, NULL
, 0) > 0) {
2217 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
),
2218 "%s: already a mount point, refusing to use for journal", q
);
2221 r
= readlink_and_make_absolute(p
, &d
);
2223 if (IN_SET(arg_link_journal
, LINK_GUEST
, LINK_AUTO
) &&
2226 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2228 log_warning_errno(r
, "Failed to create directory %s: %m", q
);
2233 return log_error_errno(errno
, "Failed to remove symlink %s: %m", p
);
2234 } else if (r
== -EINVAL
) {
2236 if (arg_link_journal
== LINK_GUEST
&&
2239 if (errno
== ENOTDIR
) {
2240 log_error("%s already exists and is neither a symlink nor a directory", p
);
2243 return log_error_errno(errno
, "Failed to remove %s: %m", p
);
2245 } else if (r
!= -ENOENT
)
2246 return log_error_errno(r
, "readlink(%s) failed: %m", p
);
2248 if (arg_link_journal
== LINK_GUEST
) {
2250 if (symlink(q
, p
) < 0) {
2252 log_debug_errno(errno
, "Failed to symlink %s to %s, skipping journal setup: %m", q
, p
);
2255 return log_error_errno(errno
, "Failed to symlink %s to %s: %m", q
, p
);
2258 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2260 log_warning_errno(r
, "Failed to create directory %s: %m", q
);
2264 if (arg_link_journal
== LINK_HOST
) {
2265 /* don't create parents here — if the host doesn't have
2266 * permanent journal set up, don't force it here */
2268 r
= mkdir_errno_wrapper(p
, 0755);
2269 if (r
< 0 && r
!= -EEXIST
) {
2271 log_debug_errno(r
, "Failed to create %s, skipping journal setup: %m", p
);
2274 return log_error_errno(r
, "Failed to create %s: %m", p
);
2277 } else if (access(p
, F_OK
) < 0)
2280 if (dir_is_empty(q
) == 0)
2281 log_warning("%s is not empty, proceeding anyway.", q
);
2283 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2285 return log_error_errno(r
, "Failed to create %s: %m", q
);
2287 r
= mount_verbose(LOG_DEBUG
, p
, q
, NULL
, MS_BIND
, NULL
);
2289 return log_error_errno(errno
, "Failed to bind mount journal from host into guest: %m");
2294 static int drop_capabilities(uid_t uid
) {
2295 CapabilityQuintet q
;
2297 /* Let's initialize all five capability sets to something valid. If the quintet was configured via
2298 * OCI use that, but fill in missing bits. If it wasn't then derive the quintet in full from
2299 * arg_caps_retain. */
2301 if (capability_quintet_is_set(&arg_full_capabilities
)) {
2302 q
= arg_full_capabilities
;
2304 if (q
.bounding
== (uint64_t) -1)
2305 q
.bounding
= uid
== 0 ? arg_caps_retain
: 0;
2307 if (q
.effective
== (uint64_t) -1)
2308 q
.effective
= uid
== 0 ? q
.bounding
: 0;
2310 if (q
.inheritable
== (uint64_t) -1)
2311 q
.inheritable
= uid
== 0 ? q
.bounding
: 0;
2313 if (q
.permitted
== (uint64_t) -1)
2314 q
.permitted
= uid
== 0 ? q
.bounding
: 0;
2316 if (q
.ambient
== (uint64_t) -1 && ambient_capabilities_supported())
2319 q
= (CapabilityQuintet
) {
2320 .bounding
= arg_caps_retain
,
2321 .effective
= uid
== 0 ? arg_caps_retain
: 0,
2322 .inheritable
= uid
== 0 ? arg_caps_retain
: 0,
2323 .permitted
= uid
== 0 ? arg_caps_retain
: 0,
2324 .ambient
= ambient_capabilities_supported() ? 0 : (uint64_t) -1,
2327 return capability_quintet_enforce(&q
);
2330 static int reset_audit_loginuid(void) {
2331 _cleanup_free_
char *p
= NULL
;
2334 if ((arg_clone_ns_flags
& CLONE_NEWPID
) == 0)
2337 r
= read_one_line_file("/proc/self/loginuid", &p
);
2341 return log_error_errno(r
, "Failed to read /proc/self/loginuid: %m");
2343 /* Already reset? */
2344 if (streq(p
, "4294967295"))
2347 r
= write_string_file("/proc/self/loginuid", "4294967295", WRITE_STRING_FILE_DISABLE_BUFFER
);
2350 "Failed to reset audit login UID. This probably means that your kernel is too\n"
2351 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2352 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2353 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2354 "using systemd-nspawn. Sleeping for 5s... (%m)");
2362 static int setup_propagate(const char *root
) {
2366 (void) mkdir_p("/run/systemd/nspawn/", 0755);
2367 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
2368 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
2369 (void) mkdir_p(p
, 0600);
2371 r
= userns_mkdir(root
, "/run/systemd", 0755, 0, 0);
2373 return log_error_errno(r
, "Failed to create /run/systemd: %m");
2375 r
= userns_mkdir(root
, "/run/systemd/nspawn", 0755, 0, 0);
2377 return log_error_errno(r
, "Failed to create /run/systemd/nspawn: %m");
2379 r
= userns_mkdir(root
, "/run/systemd/nspawn/incoming", 0600, 0, 0);
2381 return log_error_errno(r
, "Failed to create /run/systemd/nspawn/incoming: %m");
2383 q
= prefix_roota(root
, "/run/systemd/nspawn/incoming");
2384 r
= mount_verbose(LOG_ERR
, p
, q
, NULL
, MS_BIND
, NULL
);
2388 r
= mount_verbose(LOG_ERR
, NULL
, q
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
);
2392 /* machined will MS_MOVE into that directory, and that's only
2393 * supported for non-shared mounts. */
2394 return mount_verbose(LOG_ERR
, NULL
, q
, NULL
, MS_SLAVE
, NULL
);
2397 static int setup_machine_id(const char *directory
) {
2398 const char *etc_machine_id
;
2402 /* If the UUID in the container is already set, then that's what counts, and we use. If it isn't set, and the
2403 * caller passed --uuid=, then we'll pass it in the $container_uuid env var to PID 1 of the container. The
2404 * assumption is that PID 1 will then write it to /etc/machine-id to make it persistent. If --uuid= is not
2405 * passed we generate a random UUID, and pass it via $container_uuid. In effect this means that /etc/machine-id
2406 * in the container and our idea of the container UUID will always be in sync (at least if PID 1 in the
2407 * container behaves nicely). */
2409 etc_machine_id
= prefix_roota(directory
, "/etc/machine-id");
2411 r
= id128_read(etc_machine_id
, ID128_PLAIN
, &id
);
2413 if (!IN_SET(r
, -ENOENT
, -ENOMEDIUM
)) /* If the file is missing or empty, we don't mind */
2414 return log_error_errno(r
, "Failed to read machine ID from container image: %m");
2416 if (sd_id128_is_null(arg_uuid
)) {
2417 r
= sd_id128_randomize(&arg_uuid
);
2419 return log_error_errno(r
, "Failed to acquire randomized machine UUID: %m");
2422 if (sd_id128_is_null(id
))
2423 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2424 "Machine ID in container image is zero, refusing.");
2432 static int recursive_chown(const char *directory
, uid_t shift
, uid_t range
) {
2437 if (arg_userns_mode
== USER_NAMESPACE_NO
|| !arg_userns_chown
)
2440 r
= path_patch_uid(directory
, arg_uid_shift
, arg_uid_range
);
2441 if (r
== -EOPNOTSUPP
)
2442 return log_error_errno(r
, "Automatic UID/GID adjusting is only supported for UID/GID ranges starting at multiples of 2^16 with a range of 2^16.");
2444 return log_error_errno(r
, "Upper 16 bits of root directory UID and GID do not match.");
2446 return log_error_errno(r
, "Failed to adjust UID/GID shift of OS tree: %m");
2448 log_debug("Root directory of image is already owned by the right UID/GID range, skipping recursive chown operation.");
2450 log_debug("Patched directory tree to match UID/GID range.");
2457 * < 0 : wait_for_terminate() failed to get the state of the
2458 * container, the container was terminated by a signal, or
2459 * failed for an unknown reason. No change is made to the
2460 * container argument.
2461 * > 0 : The program executed in the container terminated with an
2462 * error. The exit code of the program executed in the
2463 * container is returned. The container argument has been set
2464 * to CONTAINER_TERMINATED.
2465 * 0 : The container is being rebooted, has been shut down or exited
2466 * successfully. The container argument has been set to either
2467 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2469 * That is, success is indicated by a return value of zero, and an
2470 * error is indicated by a non-zero value.
2472 static int wait_for_container(pid_t pid
, ContainerStatus
*container
) {
2476 r
= wait_for_terminate(pid
, &status
);
2478 return log_warning_errno(r
, "Failed to wait for container: %m");
2480 switch (status
.si_code
) {
2483 if (status
.si_status
== 0)
2484 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s exited successfully.", arg_machine
);
2486 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s failed with error code %i.", arg_machine
, status
.si_status
);
2488 *container
= CONTAINER_TERMINATED
;
2489 return status
.si_status
;
2492 if (status
.si_status
== SIGINT
) {
2493 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s has been shut down.", arg_machine
);
2494 *container
= CONTAINER_TERMINATED
;
2497 } else if (status
.si_status
== SIGHUP
) {
2498 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s is being rebooted.", arg_machine
);
2499 *container
= CONTAINER_REBOOTED
;
2505 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
2506 "Container %s terminated by signal %s.", arg_machine
, signal_to_string(status
.si_status
));
2509 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
2510 "Container %s failed due to unknown reason.", arg_machine
);
2514 static int on_orderly_shutdown(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
2517 pid
= PTR_TO_PID(userdata
);
2519 if (kill(pid
, arg_kill_signal
) >= 0) {
2520 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
2521 sd_event_source_set_userdata(s
, NULL
);
2526 sd_event_exit(sd_event_source_get_event(s
), 0);
2530 static int on_sigchld(sd_event_source
*s
, const struct signalfd_siginfo
*ssi
, void *userdata
) {
2536 pid
= PTR_TO_PID(userdata
);
2541 if (waitid(P_ALL
, 0, &si
, WNOHANG
|WNOWAIT
|WEXITED
) < 0)
2542 return log_error_errno(errno
, "Failed to waitid(): %m");
2543 if (si
.si_pid
== 0) /* No pending children. */
2545 if (si
.si_pid
== pid
) {
2546 /* The main process we care for has exited. Return from
2547 * signal handler but leave the zombie. */
2548 sd_event_exit(sd_event_source_get_event(s
), 0);
2552 /* Reap all other children. */
2553 (void) waitid(P_PID
, si
.si_pid
, &si
, WNOHANG
|WEXITED
);
2559 static int on_request_stop(sd_bus_message
*m
, void *userdata
, sd_bus_error
*error
) {
2564 pid
= PTR_TO_PID(userdata
);
2566 if (arg_kill_signal
> 0) {
2567 log_info("Container termination requested. Attempting to halt container.");
2568 (void) kill(pid
, arg_kill_signal
);
2570 log_info("Container termination requested. Exiting.");
2571 sd_event_exit(sd_bus_get_event(sd_bus_message_get_bus(m
)), 0);
2577 static int determine_names(void) {
2580 if (arg_template
&& !arg_directory
&& arg_machine
) {
2582 /* If --template= was specified then we should not
2583 * search for a machine, but instead create a new one
2584 * in /var/lib/machine. */
2586 arg_directory
= strjoin("/var/lib/machines/", arg_machine
);
2591 if (!arg_image
&& !arg_directory
) {
2593 _cleanup_(image_unrefp
) Image
*i
= NULL
;
2595 r
= image_find(IMAGE_MACHINE
, arg_machine
, &i
);
2597 return log_error_errno(r
, "No image for machine '%s'.", arg_machine
);
2599 return log_error_errno(r
, "Failed to find image for machine '%s': %m", arg_machine
);
2601 if (IN_SET(i
->type
, IMAGE_RAW
, IMAGE_BLOCK
))
2602 r
= free_and_strdup(&arg_image
, i
->path
);
2604 r
= free_and_strdup(&arg_directory
, i
->path
);
2609 arg_read_only
= arg_read_only
|| i
->read_only
;
2611 r
= safe_getcwd(&arg_directory
);
2613 return log_error_errno(r
, "Failed to determine current directory: %m");
2616 if (!arg_directory
&& !arg_image
)
2617 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to determine path, please use -D or -i.");
2621 if (arg_directory
&& path_equal(arg_directory
, "/"))
2622 arg_machine
= gethostname_malloc();
2627 arg_machine
= strdup(basename(arg_image
));
2629 /* Truncate suffix if there is one */
2630 e
= endswith(arg_machine
, ".raw");
2634 arg_machine
= strdup(basename(arg_directory
));
2639 hostname_cleanup(arg_machine
);
2640 if (!machine_name_is_valid(arg_machine
))
2641 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to determine machine name automatically, please use -M.");
2643 if (arg_ephemeral
) {
2646 /* Add a random suffix when this is an
2647 * ephemeral machine, so that we can run many
2648 * instances at once without manually having
2649 * to specify -M each time. */
2651 if (asprintf(&b
, "%s-%016" PRIx64
, arg_machine
, random_u64()) < 0)
2662 static int chase_symlinks_and_update(char **p
, unsigned flags
) {
2671 r
= chase_symlinks(*p
, NULL
, flags
, &chased
);
2673 return log_error_errno(r
, "Failed to resolve path %s: %m", *p
);
2675 free_and_replace(*p
, chased
);
2676 return r
; /* r might be an fd here in case we ever use CHASE_OPEN in flags */
2679 static int determine_uid_shift(const char *directory
) {
2682 if (arg_userns_mode
== USER_NAMESPACE_NO
) {
2687 if (arg_uid_shift
== UID_INVALID
) {
2690 r
= stat(directory
, &st
);
2692 return log_error_errno(errno
, "Failed to determine UID base of %s: %m", directory
);
2694 arg_uid_shift
= st
.st_uid
& UINT32_C(0xffff0000);
2696 if (arg_uid_shift
!= (st
.st_gid
& UINT32_C(0xffff0000)))
2697 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2698 "UID and GID base of %s don't match.", directory
);
2700 arg_uid_range
= UINT32_C(0x10000);
2703 if (arg_uid_shift
> (uid_t
) -1 - arg_uid_range
)
2704 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2705 "UID base too high for UID range.");
2710 static unsigned long effective_clone_ns_flags(void) {
2711 unsigned long flags
= arg_clone_ns_flags
;
2713 if (arg_private_network
)
2714 flags
|= CLONE_NEWNET
;
2716 flags
|= CLONE_NEWCGROUP
;
2717 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
2718 flags
|= CLONE_NEWUSER
;
2723 static int patch_sysctl(void) {
2725 /* This table is inspired by runc's sysctl() function */
2726 static const struct {
2729 unsigned long clone_flags
;
2731 { "kernel.hostname", false, CLONE_NEWUTS
},
2732 { "kernel.domainname", false, CLONE_NEWUTS
},
2733 { "kernel.msgmax", false, CLONE_NEWIPC
},
2734 { "kernel.msgmnb", false, CLONE_NEWIPC
},
2735 { "kernel.msgmni", false, CLONE_NEWIPC
},
2736 { "kernel.sem", false, CLONE_NEWIPC
},
2737 { "kernel.shmall", false, CLONE_NEWIPC
},
2738 { "kernel.shmmax", false, CLONE_NEWIPC
},
2739 { "kernel.shmmni", false, CLONE_NEWIPC
},
2740 { "fs.mqueue.", true, CLONE_NEWIPC
},
2741 { "net.", true, CLONE_NEWNET
},
2744 unsigned long flags
;
2748 flags
= effective_clone_ns_flags();
2750 STRV_FOREACH_PAIR(k
, v
, arg_sysctl
) {
2754 for (i
= 0; i
< ELEMENTSOF(safe_sysctl
); i
++) {
2756 if (!FLAGS_SET(flags
, safe_sysctl
[i
].clone_flags
))
2759 if (safe_sysctl
[i
].prefix
)
2760 good
= startswith(*k
, safe_sysctl
[i
].key
);
2762 good
= streq(*k
, safe_sysctl
[i
].key
);
2769 return log_error_errno(SYNTHETIC_ERRNO(EPERM
), "Refusing to write to sysctl '%s', as it is not safe in the selected namespaces.", *k
);
2771 r
= sysctl_write(*k
, *v
);
2773 return log_error_errno(r
, "Failed to write sysctl '%s': %m", *k
);
2779 static int inner_child(
2781 const char *directory
,
2787 _cleanup_free_
char *home
= NULL
;
2790 const char *envp
[] = {
2791 "PATH=" DEFAULT_PATH_COMPAT
,
2792 NULL
, /* container */
2797 NULL
, /* container_uuid */
2798 NULL
, /* LISTEN_FDS */
2799 NULL
, /* LISTEN_PID */
2800 NULL
, /* NOTIFY_SOCKET */
2803 const char *exec_target
;
2804 _cleanup_strv_free_
char **env_use
= NULL
;
2805 int r
, which_failed
;
2807 /* This is the "inner" child process, i.e. the one forked off by the "outer" child process, which is the one
2808 * the container manager itself forked off. At the time of clone() it gained its own CLONE_NEWNS, CLONE_NEWPID,
2809 * CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER namespaces. Note that it has its own CLONE_NEWNS namespace,
2810 * separate from the CLONE_NEWNS created for the "outer" child, and also separate from the host's CLONE_NEWNS
2811 * namespace. The reason for having two levels of CLONE_NEWNS namespaces is that the "inner" one is owned by
2812 * the CLONE_NEWUSER namespace of the container, while the "outer" one is owned by the host's CLONE_NEWUSER
2815 * Note at this point we have no CLONE_NEWNET namespace yet. We'll acquire that one later through
2816 * unshare(). See below. */
2820 assert(kmsg_socket
>= 0);
2822 log_debug("Inner child is initializing.");
2824 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
2825 /* Tell the parent, that it now can write the UID map. */
2826 (void) barrier_place(barrier
); /* #1 */
2828 /* Wait until the parent wrote the UID map */
2829 if (!barrier_place_and_sync(barrier
)) /* #2 */
2830 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
2831 "Parent died too early");
2834 r
= reset_uid_gid();
2836 return log_error_errno(r
, "Couldn't become new root: %m");
2839 arg_mount_settings
| MOUNT_IN_USERNS
,
2841 arg_selinux_apifs_context
);
2845 if (!arg_network_namespace_path
&& arg_private_network
) {
2846 r
= unshare(CLONE_NEWNET
);
2848 return log_error_errno(errno
, "Failed to unshare network namespace: %m");
2850 /* Tell the parent that it can setup network interfaces. */
2851 (void) barrier_place(barrier
); /* #3 */
2854 r
= mount_sysfs(NULL
, arg_mount_settings
);
2858 /* Wait until we are cgroup-ified, so that we
2859 * can mount the right cgroup path writable */
2860 if (!barrier_place_and_sync(barrier
)) /* #4 */
2861 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
2862 "Parent died too early");
2865 r
= unshare(CLONE_NEWCGROUP
);
2867 return log_error_errno(errno
, "Failed to unshare cgroup namespace: %m");
2870 arg_unified_cgroup_hierarchy
,
2871 arg_userns_mode
!= USER_NAMESPACE_NO
,
2874 arg_selinux_apifs_context
,
2879 r
= mount_systemd_cgroup_writable("", arg_unified_cgroup_hierarchy
);
2884 r
= setup_boot_id();
2888 r
= setup_kmsg(kmsg_socket
);
2891 kmsg_socket
= safe_close(kmsg_socket
);
2896 arg_n_custom_mounts
,
2900 arg_selinux_apifs_context
,
2906 return log_error_errno(errno
, "setsid() failed: %m");
2908 if (arg_private_network
)
2911 if (arg_expose_ports
) {
2912 r
= expose_port_send_rtnl(rtnl_socket
);
2915 rtnl_socket
= safe_close(rtnl_socket
);
2922 if (arg_oom_score_adjust_set
) {
2923 r
= set_oom_score_adjust(arg_oom_score_adjust
);
2925 return log_error_errno(r
, "Failed to adjust OOM score: %m");
2929 if (sched_setaffinity(0, CPU_ALLOC_SIZE(arg_cpuset_ncpus
), arg_cpuset
) < 0)
2930 return log_error_errno(errno
, "Failed to set CPU affinity: %m");
2932 (void) setup_hostname();
2934 if (arg_personality
!= PERSONALITY_INVALID
) {
2935 r
= safe_personality(arg_personality
);
2937 return log_error_errno(r
, "personality() failed: %m");
2938 } else if (secondary
) {
2939 r
= safe_personality(PER_LINUX32
);
2941 return log_error_errno(r
, "personality() failed: %m");
2944 r
= setrlimit_closest_all((const struct rlimit
*const*) arg_rlimit
, &which_failed
);
2946 return log_error_errno(r
, "Failed to apply resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed
));
2951 if (is_seccomp_available()) {
2953 r
= seccomp_load(arg_seccomp
);
2954 if (IN_SET(r
, -EPERM
, -EACCES
))
2955 return log_error_errno(r
, "Failed to install seccomp filter: %m");
2957 log_debug_errno(r
, "Failed to install seccomp filter: %m");
2962 r
= setup_seccomp(arg_caps_retain
, arg_syscall_whitelist
, arg_syscall_blacklist
);
2968 if (arg_selinux_context
)
2969 if (setexeccon(arg_selinux_context
) < 0)
2970 return log_error_errno(errno
, "setexeccon(\"%s\") failed: %m", arg_selinux_context
);
2973 /* Make sure we keep the caps across the uid/gid dropping, so that we can retain some selected caps
2974 * if we need to later on. */
2975 if (prctl(PR_SET_KEEPCAPS
, 1) < 0)
2976 return log_error_errno(errno
, "Failed to set PR_SET_KEEPCAPS: %m");
2978 if (uid_is_valid(arg_uid
) || gid_is_valid(arg_gid
))
2979 r
= change_uid_gid_raw(arg_uid
, arg_gid
, arg_supplementary_gids
, arg_n_supplementary_gids
);
2981 r
= change_uid_gid(arg_user
, &home
);
2985 r
= drop_capabilities(getuid());
2987 return log_error_errno(r
, "Dropping capabilities failed: %m");
2989 if (arg_no_new_privileges
)
2990 if (prctl(PR_SET_NO_NEW_PRIVS
, 1, 0, 0, 0) < 0)
2991 return log_error_errno(errno
, "Failed to disable new privileges: %m");
2993 /* LXC sets container=lxc, so follow the scheme here */
2994 envp
[n_env
++] = strjoina("container=", arg_container_service_name
);
2996 envp
[n_env
] = strv_find_prefix(environ
, "TERM=");
3000 if (home
|| !uid_is_valid(arg_uid
) || arg_uid
== 0)
3001 if (asprintf((char**)(envp
+ n_env
++), "HOME=%s", home
?: "/root") < 0)
3004 if (arg_user
|| !uid_is_valid(arg_uid
) || arg_uid
== 0)
3005 if (asprintf((char**)(envp
+ n_env
++), "USER=%s", arg_user
?: "root") < 0 ||
3006 asprintf((char**)(envp
+ n_env
++), "LOGNAME=%s", arg_user
? arg_user
: "root") < 0)
3009 assert(!sd_id128_is_null(arg_uuid
));
3011 if (asprintf((char**)(envp
+ n_env
++), "container_uuid=%s", id128_to_uuid_string(arg_uuid
, as_uuid
)) < 0)
3014 if (fdset_size(fds
) > 0) {
3015 r
= fdset_cloexec(fds
, false);
3017 return log_error_errno(r
, "Failed to unset O_CLOEXEC for file descriptors.");
3019 if ((asprintf((char **)(envp
+ n_env
++), "LISTEN_FDS=%u", fdset_size(fds
)) < 0) ||
3020 (asprintf((char **)(envp
+ n_env
++), "LISTEN_PID=1") < 0))
3023 if (asprintf((char **)(envp
+ n_env
++), "NOTIFY_SOCKET=%s", NSPAWN_NOTIFY_SOCKET_PATH
) < 0)
3026 env_use
= strv_env_merge(2, envp
, arg_setenv
);
3030 /* Let the parent know that we are ready and
3031 * wait until the parent is ready with the
3033 if (!barrier_place_and_sync(barrier
)) /* #5 */
3034 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
3035 "Parent died too early");
3038 if (chdir(arg_chdir
) < 0)
3039 return log_error_errno(errno
, "Failed to change to specified working directory %s: %m", arg_chdir
);
3041 if (arg_start_mode
== START_PID2
) {
3042 r
= stub_pid1(arg_uuid
);
3047 log_debug("Inner child completed, invoking payload.");
3049 /* Now, explicitly close the log, so that we then can close all remaining fds. Closing the log explicitly first
3050 * has the benefit that the logging subsystem knows about it, and is thus ready to be reopened should we need
3051 * it again. Note that the other fds closed here are at least the locking and barrier fds. */
3053 log_set_open_when_needed(true);
3055 (void) fdset_close_others(fds
);
3057 if (arg_start_mode
== START_BOOT
) {
3061 /* Automatically search for the init system */
3063 m
= strv_length(arg_parameters
);
3064 a
= newa(char*, m
+ 2);
3065 memcpy_safe(a
+ 1, arg_parameters
, m
* sizeof(char*));
3068 a
[0] = (char*) "/usr/lib/systemd/systemd";
3069 execve(a
[0], a
, env_use
);
3071 a
[0] = (char*) "/lib/systemd/systemd";
3072 execve(a
[0], a
, env_use
);
3074 a
[0] = (char*) "/sbin/init";
3075 execve(a
[0], a
, env_use
);
3077 exec_target
= "/usr/lib/systemd/systemd, /lib/systemd/systemd, /sbin/init";
3078 } else if (!strv_isempty(arg_parameters
)) {
3079 const char *dollar_path
;
3081 exec_target
= arg_parameters
[0];
3083 /* Use the user supplied search $PATH if there is one, or DEFAULT_PATH_COMPAT if not to search the
3085 dollar_path
= strv_env_get(env_use
, "PATH");
3087 if (putenv((char*) dollar_path
) != 0)
3088 return log_error_errno(errno
, "Failed to update $PATH: %m");
3091 execvpe(arg_parameters
[0], arg_parameters
, env_use
);
3094 /* If we cannot change the directory, we'll end up in /, that is expected. */
3095 (void) chdir(home
?: "/root");
3097 execle("/bin/bash", "-bash", NULL
, env_use
);
3098 execle("/bin/sh", "-sh", NULL
, env_use
);
3100 exec_target
= "/bin/bash, /bin/sh";
3103 return log_error_errno(errno
, "execv(%s) failed: %m", exec_target
);
3106 static int setup_sd_notify_child(void) {
3107 _cleanup_close_
int fd
= -1;
3108 union sockaddr_union sa
= {
3109 .un
.sun_family
= AF_UNIX
,
3110 .un
.sun_path
= NSPAWN_NOTIFY_SOCKET_PATH
,
3114 fd
= socket(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
3116 return log_error_errno(errno
, "Failed to allocate notification socket: %m");
3118 (void) mkdir_parents(NSPAWN_NOTIFY_SOCKET_PATH
, 0755);
3119 (void) sockaddr_un_unlink(&sa
.un
);
3121 r
= bind(fd
, &sa
.sa
, SOCKADDR_UN_LEN(sa
.un
));
3123 return log_error_errno(errno
, "bind(" NSPAWN_NOTIFY_SOCKET_PATH
") failed: %m");
3125 r
= userns_lchown(NSPAWN_NOTIFY_SOCKET_PATH
, 0, 0);
3127 return log_error_errno(r
, "Failed to chown " NSPAWN_NOTIFY_SOCKET_PATH
": %m");
3129 r
= setsockopt_int(fd
, SOL_SOCKET
, SO_PASSCRED
, true);
3131 return log_error_errno(r
, "SO_PASSCRED failed: %m");
3136 static int outer_child(
3138 const char *directory
,
3139 const char *console
,
3140 DissectedImage
*dissected_image
,
3147 int uid_shift_socket
,
3148 int unified_cgroup_hierarchy_socket
,
3152 _cleanup_close_
int fd
= -1;
3157 /* This is the "outer" child process, i.e the one forked off by the container manager itself. It already has
3158 * its own CLONE_NEWNS namespace (which was created by the clone()). It still lives in the host's CLONE_NEWPID,
3159 * CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER and CLONE_NEWNET namespaces. After it completed a number of
3160 * initializations a second child (the "inner" one) is forked off it, and it exits. */
3164 assert(pid_socket
>= 0);
3165 assert(uuid_socket
>= 0);
3166 assert(notify_socket
>= 0);
3167 assert(kmsg_socket
>= 0);
3169 log_debug("Outer child is initializing.");
3171 if (prctl(PR_SET_PDEATHSIG
, SIGKILL
) < 0)
3172 return log_error_errno(errno
, "PR_SET_PDEATHSIG failed: %m");
3174 if (arg_console_mode
!= CONSOLE_PIPE
) {
3179 terminal
= open_terminal(console
, O_RDWR
);
3181 return log_error_errno(terminal
, "Failed to open console: %m");
3183 /* Make sure we can continue logging to the original stderr, even if stderr points elsewhere now */
3184 r
= log_dup_console();
3186 return log_error_errno(r
, "Failed to duplicate stderr: %m");
3188 r
= rearrange_stdio(terminal
, terminal
, terminal
); /* invalidates 'terminal' on success and failure */
3190 return log_error_errno(r
, "Failed to move console to stdin/stdout/stderr: %m");
3193 r
= reset_audit_loginuid();
3197 /* Mark everything as slave, so that we still
3198 * receive mounts from the real root, but don't
3199 * propagate mounts to the real root. */
3200 r
= mount_verbose(LOG_ERR
, NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
);
3204 if (dissected_image
) {
3205 /* If we are operating on a disk image, then mount its root directory now, but leave out the rest. We
3206 * can read the UID shift from it if we need to. Further down we'll mount the rest, but then with the
3207 * uid shift known. That way we can mount VFAT file systems shifted to the right place right away. This
3208 * makes sure ESP partitions and userns are compatible. */
3210 r
= dissected_image_mount(dissected_image
, directory
, arg_uid_shift
,
3211 DISSECT_IMAGE_MOUNT_ROOT_ONLY
|DISSECT_IMAGE_DISCARD_ON_LOOP
|
3212 (arg_read_only
? DISSECT_IMAGE_READ_ONLY
: 0)|
3213 (arg_start_mode
== START_BOOT
? DISSECT_IMAGE_VALIDATE_OS
: 0));
3218 r
= determine_uid_shift(directory
);
3222 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
3223 /* Let the parent know which UID shift we read from the image */
3224 l
= send(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), MSG_NOSIGNAL
);
3226 return log_error_errno(errno
, "Failed to send UID shift: %m");
3227 if (l
!= sizeof(arg_uid_shift
))
3228 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3229 "Short write while sending UID shift.");
3231 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
3232 /* When we are supposed to pick the UID shift, the parent will check now whether the UID shift
3233 * we just read from the image is available. If yes, it will send the UID shift back to us, if
3234 * not it will pick a different one, and send it back to us. */
3236 l
= recv(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), 0);
3238 return log_error_errno(errno
, "Failed to recv UID shift: %m");
3239 if (l
!= sizeof(arg_uid_shift
))
3240 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3241 "Short read while receiving UID shift.");
3244 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
,
3245 "Selected user namespace base " UID_FMT
" and range " UID_FMT
".", arg_uid_shift
, arg_uid_range
);
3248 if (!dissected_image
) {
3249 /* Turn directory into bind mount */
3250 r
= mount_verbose(LOG_ERR
, directory
, directory
, NULL
, MS_BIND
|MS_REC
, NULL
);
3255 r
= setup_pivot_root(
3258 arg_pivot_root_old
);
3262 r
= setup_volatile_mode(
3265 arg_userns_mode
!= USER_NAMESPACE_NO
,
3268 arg_selinux_context
);
3272 if (dissected_image
) {
3273 /* Now we know the uid shift, let's now mount everything else that might be in the image. */
3274 r
= dissected_image_mount(dissected_image
, directory
, arg_uid_shift
,
3275 DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY
|DISSECT_IMAGE_DISCARD_ON_LOOP
|(arg_read_only
? DISSECT_IMAGE_READ_ONLY
: 0));
3280 if (arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
) {
3281 /* OK, we don't know yet which cgroup mode to use yet. Let's figure it out, and tell the parent. */
3283 r
= detect_unified_cgroup_hierarchy_from_image(directory
);
3287 l
= send(unified_cgroup_hierarchy_socket
, &arg_unified_cgroup_hierarchy
, sizeof(arg_unified_cgroup_hierarchy
), MSG_NOSIGNAL
);
3289 return log_error_errno(errno
, "Failed to send cgroup mode: %m");
3290 if (l
!= sizeof(arg_unified_cgroup_hierarchy
))
3291 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3292 "Short write while sending cgroup mode.");
3294 unified_cgroup_hierarchy_socket
= safe_close(unified_cgroup_hierarchy_socket
);
3297 /* Mark everything as shared so our mounts get propagated down. This is
3298 * required to make new bind mounts available in systemd services
3299 * inside the containter that create a new mount namespace.
3300 * See https://github.com/systemd/systemd/issues/3860
3301 * Further submounts (such as /dev) done after this will inherit the
3302 * shared propagation mode. */
3303 r
= mount_verbose(LOG_ERR
, NULL
, directory
, NULL
, MS_SHARED
|MS_REC
, NULL
);
3307 r
= recursive_chown(directory
, arg_uid_shift
, arg_uid_range
);
3311 r
= base_filesystem_create(directory
, arg_uid_shift
, (gid_t
) arg_uid_shift
);
3315 if (arg_read_only
&& arg_volatile_mode
== VOLATILE_NO
) {
3316 r
= bind_remount_recursive(directory
, MS_RDONLY
, MS_RDONLY
, NULL
);
3318 return log_error_errno(r
, "Failed to make tree read-only: %m");
3321 r
= mount_all(directory
,
3324 arg_selinux_apifs_context
);
3328 r
= copy_devnodes(directory
);
3332 r
= make_extra_nodes(directory
);
3336 (void) dev_setup(directory
, arg_uid_shift
, arg_uid_shift
);
3337 (void) make_inaccessible_nodes(directory
, arg_uid_shift
, arg_uid_shift
);
3339 r
= setup_pts(directory
);
3343 r
= setup_propagate(directory
);
3347 r
= setup_dev_console(directory
, console
);
3351 r
= setup_keyring();
3355 r
= setup_timezone(directory
);
3359 r
= setup_resolv_conf(directory
);
3363 r
= setup_machine_id(directory
);
3367 r
= setup_journal(directory
);
3374 arg_n_custom_mounts
,
3375 arg_userns_mode
!= USER_NAMESPACE_NO
,
3378 arg_selinux_apifs_context
,
3383 if (!arg_use_cgns
) {
3386 arg_unified_cgroup_hierarchy
,
3387 arg_userns_mode
!= USER_NAMESPACE_NO
,
3390 arg_selinux_apifs_context
,
3396 r
= mount_move_root(directory
);
3398 return log_error_errno(r
, "Failed to move root directory: %m");
3400 fd
= setup_sd_notify_child();
3404 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
|
3405 arg_clone_ns_flags
|
3406 (arg_userns_mode
!= USER_NAMESPACE_NO
? CLONE_NEWUSER
: 0));
3408 return log_error_errno(errno
, "Failed to fork inner child: %m");
3410 pid_socket
= safe_close(pid_socket
);
3411 uuid_socket
= safe_close(uuid_socket
);
3412 notify_socket
= safe_close(notify_socket
);
3413 uid_shift_socket
= safe_close(uid_shift_socket
);
3415 /* The inner child has all namespaces that are
3416 * requested, so that we all are owned by the user if
3417 * user namespaces are turned on. */
3419 if (arg_network_namespace_path
) {
3420 r
= namespace_enter(-1, -1, netns_fd
, -1, -1);
3422 return log_error_errno(r
, "Failed to join network namespace: %m");
3425 r
= inner_child(barrier
, directory
, secondary
, kmsg_socket
, rtnl_socket
, fds
);
3427 _exit(EXIT_FAILURE
);
3429 _exit(EXIT_SUCCESS
);
3432 l
= send(pid_socket
, &pid
, sizeof(pid
), MSG_NOSIGNAL
);
3434 return log_error_errno(errno
, "Failed to send PID: %m");
3435 if (l
!= sizeof(pid
))
3436 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3437 "Short write while sending PID.");
3439 l
= send(uuid_socket
, &arg_uuid
, sizeof(arg_uuid
), MSG_NOSIGNAL
);
3441 return log_error_errno(errno
, "Failed to send machine ID: %m");
3442 if (l
!= sizeof(arg_uuid
))
3443 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3444 "Short write while sending machine ID.");
3446 l
= send_one_fd(notify_socket
, fd
, 0);
3448 return log_error_errno(errno
, "Failed to send notify fd: %m");
3450 pid_socket
= safe_close(pid_socket
);
3451 uuid_socket
= safe_close(uuid_socket
);
3452 notify_socket
= safe_close(notify_socket
);
3453 kmsg_socket
= safe_close(kmsg_socket
);
3454 rtnl_socket
= safe_close(rtnl_socket
);
3455 netns_fd
= safe_close(netns_fd
);
3460 static int uid_shift_pick(uid_t
*shift
, LockFile
*ret_lock_file
) {
3461 bool tried_hashed
= false;
3462 unsigned n_tries
= 100;
3467 assert(ret_lock_file
);
3468 assert(arg_userns_mode
== USER_NAMESPACE_PICK
);
3469 assert(arg_uid_range
== 0x10000U
);
3473 (void) mkdir("/run/systemd/nspawn-uid", 0755);
3476 char lock_path
[STRLEN("/run/systemd/nspawn-uid/") + DECIMAL_STR_MAX(uid_t
) + 1];
3477 _cleanup_(release_lock_file
) LockFile lf
= LOCK_FILE_INIT
;
3482 if (candidate
< CONTAINER_UID_BASE_MIN
|| candidate
> CONTAINER_UID_BASE_MAX
)
3484 if ((candidate
& UINT32_C(0xFFFF)) != 0)
3487 xsprintf(lock_path
, "/run/systemd/nspawn-uid/" UID_FMT
, candidate
);
3488 r
= make_lock_file(lock_path
, LOCK_EX
|LOCK_NB
, &lf
);
3489 if (r
== -EBUSY
) /* Range already taken by another nspawn instance */
3494 /* Make some superficial checks whether the range is currently known in the user database */
3495 if (getpwuid(candidate
))
3497 if (getpwuid(candidate
+ UINT32_C(0xFFFE)))
3499 if (getgrgid(candidate
))
3501 if (getgrgid(candidate
+ UINT32_C(0xFFFE)))
3504 *ret_lock_file
= lf
;
3505 lf
= (struct LockFile
) LOCK_FILE_INIT
;
3510 if (arg_machine
&& !tried_hashed
) {
3511 /* Try to hash the base from the container name */
3513 static const uint8_t hash_key
[] = {
3514 0xe1, 0x56, 0xe0, 0xf0, 0x4a, 0xf0, 0x41, 0xaf,
3515 0x96, 0x41, 0xcf, 0x41, 0x33, 0x94, 0xff, 0x72
3518 candidate
= (uid_t
) siphash24(arg_machine
, strlen(arg_machine
), hash_key
);
3520 tried_hashed
= true;
3522 random_bytes(&candidate
, sizeof(candidate
));
3524 candidate
= (candidate
% (CONTAINER_UID_BASE_MAX
- CONTAINER_UID_BASE_MIN
)) + CONTAINER_UID_BASE_MIN
;
3525 candidate
&= (uid_t
) UINT32_C(0xFFFF0000);
3529 static int setup_uid_map(pid_t pid
) {
3530 char uid_map
[STRLEN("/proc//uid_map") + DECIMAL_STR_MAX(uid_t
) + 1], line
[DECIMAL_STR_MAX(uid_t
)*3+3+1];
3535 xsprintf(uid_map
, "/proc/" PID_FMT
"/uid_map", pid
);
3536 xsprintf(line
, UID_FMT
" " UID_FMT
" " UID_FMT
"\n", 0, arg_uid_shift
, arg_uid_range
);
3537 r
= write_string_file(uid_map
, line
, WRITE_STRING_FILE_DISABLE_BUFFER
);
3539 return log_error_errno(r
, "Failed to write UID map: %m");
3541 /* We always assign the same UID and GID ranges */
3542 xsprintf(uid_map
, "/proc/" PID_FMT
"/gid_map", pid
);
3543 r
= write_string_file(uid_map
, line
, WRITE_STRING_FILE_DISABLE_BUFFER
);
3545 return log_error_errno(r
, "Failed to write GID map: %m");
3550 static int nspawn_dispatch_notify_fd(sd_event_source
*source
, int fd
, uint32_t revents
, void *userdata
) {
3551 char buf
[NOTIFY_BUFFER_MAX
+1];
3553 struct iovec iovec
= {
3555 .iov_len
= sizeof(buf
)-1,
3558 struct cmsghdr cmsghdr
;
3559 uint8_t buf
[CMSG_SPACE(sizeof(struct ucred
)) +
3560 CMSG_SPACE(sizeof(int) * NOTIFY_FD_MAX
)];
3562 struct msghdr msghdr
= {
3565 .msg_control
= &control
,
3566 .msg_controllen
= sizeof(control
),
3568 struct cmsghdr
*cmsg
;
3569 struct ucred
*ucred
= NULL
;
3571 pid_t inner_child_pid
;
3572 _cleanup_strv_free_
char **tags
= NULL
;
3576 inner_child_pid
= PTR_TO_PID(userdata
);
3578 if (revents
!= EPOLLIN
) {
3579 log_warning("Got unexpected poll event for notify fd.");
3583 n
= recvmsg(fd
, &msghdr
, MSG_DONTWAIT
|MSG_CMSG_CLOEXEC
);
3585 if (IN_SET(errno
, EAGAIN
, EINTR
))
3588 return log_warning_errno(errno
, "Couldn't read notification socket: %m");
3590 cmsg_close_all(&msghdr
);
3592 CMSG_FOREACH(cmsg
, &msghdr
) {
3593 if (cmsg
->cmsg_level
== SOL_SOCKET
&&
3594 cmsg
->cmsg_type
== SCM_CREDENTIALS
&&
3595 cmsg
->cmsg_len
== CMSG_LEN(sizeof(struct ucred
))) {
3597 ucred
= (struct ucred
*) CMSG_DATA(cmsg
);
3601 if (!ucred
|| ucred
->pid
!= inner_child_pid
) {
3602 log_debug("Received notify message without valid credentials. Ignoring.");
3606 if ((size_t) n
>= sizeof(buf
)) {
3607 log_warning("Received notify message exceeded maximum size. Ignoring.");
3612 tags
= strv_split(buf
, "\n\r");
3616 if (strv_find(tags
, "READY=1"))
3617 (void) sd_notifyf(false, "READY=1\n");
3619 p
= strv_find_startswith(tags
, "STATUS=");
3621 (void) sd_notifyf(false, "STATUS=Container running: %s", p
);
3626 static int setup_sd_notify_parent(sd_event
*event
, int fd
, pid_t
*inner_child_pid
, sd_event_source
**notify_event_source
) {
3629 r
= sd_event_add_io(event
, notify_event_source
, fd
, EPOLLIN
, nspawn_dispatch_notify_fd
, inner_child_pid
);
3631 return log_error_errno(r
, "Failed to allocate notify event source: %m");
3633 (void) sd_event_source_set_description(*notify_event_source
, "nspawn-notify");
3638 static int merge_settings(Settings
*settings
, const char *path
) {
3644 /* Copy over bits from the settings, unless they have been explicitly masked by command line switches. Note
3645 * that this steals the fields of the Settings* structure, and hence modifies it. */
3647 if ((arg_settings_mask
& SETTING_START_MODE
) == 0 &&
3648 settings
->start_mode
>= 0) {
3649 arg_start_mode
= settings
->start_mode
;
3650 strv_free_and_replace(arg_parameters
, settings
->parameters
);
3653 if ((arg_settings_mask
& SETTING_EPHEMERAL
) == 0)
3654 arg_ephemeral
= settings
->ephemeral
;
3656 if ((arg_settings_mask
& SETTING_DIRECTORY
) == 0 &&
3659 if (!arg_settings_trusted
)
3660 log_warning("Ignoring root directory setting, file %s is not trusted.", path
);
3662 free_and_replace(arg_directory
, settings
->root
);
3665 if ((arg_settings_mask
& SETTING_PIVOT_ROOT
) == 0 &&
3666 settings
->pivot_root_new
) {
3667 free_and_replace(arg_pivot_root_new
, settings
->pivot_root_new
);
3668 free_and_replace(arg_pivot_root_old
, settings
->pivot_root_old
);
3671 if ((arg_settings_mask
& SETTING_WORKING_DIRECTORY
) == 0 &&
3672 settings
->working_directory
)
3673 free_and_replace(arg_chdir
, settings
->working_directory
);
3675 if ((arg_settings_mask
& SETTING_ENVIRONMENT
) == 0 &&
3676 settings
->environment
)
3677 strv_free_and_replace(arg_setenv
, settings
->environment
);
3679 if ((arg_settings_mask
& SETTING_USER
) == 0) {
3682 free_and_replace(arg_user
, settings
->user
);
3684 if (uid_is_valid(settings
->uid
))
3685 arg_uid
= settings
->uid
;
3686 if (gid_is_valid(settings
->gid
))
3687 arg_gid
= settings
->gid
;
3688 if (settings
->n_supplementary_gids
> 0) {
3689 free_and_replace(arg_supplementary_gids
, settings
->supplementary_gids
);
3690 arg_n_supplementary_gids
= settings
->n_supplementary_gids
;
3694 if ((arg_settings_mask
& SETTING_CAPABILITY
) == 0) {
3695 uint64_t plus
, minus
;
3697 /* Note that we copy both the simple plus/minus caps here, and the full quintet from the
3698 * Settings structure */
3700 plus
= settings
->capability
;
3701 minus
= settings
->drop_capability
;
3703 if ((arg_settings_mask
& SETTING_NETWORK
) == 0) {
3704 if (settings_private_network(settings
))
3705 plus
|= UINT64_C(1) << CAP_NET_ADMIN
;
3707 minus
|= UINT64_C(1) << CAP_NET_ADMIN
;
3710 if (!arg_settings_trusted
&& plus
!= 0) {
3711 if (settings
->capability
!= 0)
3712 log_warning("Ignoring Capability= setting, file %s is not trusted.", path
);
3714 arg_caps_retain
|= plus
;
3716 arg_caps_retain
&= ~minus
;
3718 /* Copy the full capabilities over too */
3719 if (capability_quintet_is_set(&settings
->full_capabilities
)) {
3720 if (!arg_settings_trusted
)
3721 log_warning("Ignoring capabilitiy settings, file %s is not trusted.", path
);
3723 arg_full_capabilities
= settings
->full_capabilities
;
3727 if ((arg_settings_mask
& SETTING_KILL_SIGNAL
) == 0 &&
3728 settings
->kill_signal
> 0)
3729 arg_kill_signal
= settings
->kill_signal
;
3731 if ((arg_settings_mask
& SETTING_PERSONALITY
) == 0 &&
3732 settings
->personality
!= PERSONALITY_INVALID
)
3733 arg_personality
= settings
->personality
;
3735 if ((arg_settings_mask
& SETTING_MACHINE_ID
) == 0 &&
3736 !sd_id128_is_null(settings
->machine_id
)) {
3738 if (!arg_settings_trusted
)
3739 log_warning("Ignoring MachineID= setting, file %s is not trusted.", path
);
3741 arg_uuid
= settings
->machine_id
;
3744 if ((arg_settings_mask
& SETTING_READ_ONLY
) == 0 &&
3745 settings
->read_only
>= 0)
3746 arg_read_only
= settings
->read_only
;
3748 if ((arg_settings_mask
& SETTING_VOLATILE_MODE
) == 0 &&
3749 settings
->volatile_mode
!= _VOLATILE_MODE_INVALID
)
3750 arg_volatile_mode
= settings
->volatile_mode
;
3752 if ((arg_settings_mask
& SETTING_CUSTOM_MOUNTS
) == 0 &&
3753 settings
->n_custom_mounts
> 0) {
3755 if (!arg_settings_trusted
)
3756 log_warning("Ignoring TemporaryFileSystem=, Bind= and BindReadOnly= settings, file %s is not trusted.", path
);
3758 custom_mount_free_all(arg_custom_mounts
, arg_n_custom_mounts
);
3759 arg_custom_mounts
= TAKE_PTR(settings
->custom_mounts
);
3760 arg_n_custom_mounts
= settings
->n_custom_mounts
;
3761 settings
->n_custom_mounts
= 0;
3765 if ((arg_settings_mask
& SETTING_NETWORK
) == 0 &&
3766 (settings
->private_network
>= 0 ||
3767 settings
->network_veth
>= 0 ||
3768 settings
->network_bridge
||
3769 settings
->network_zone
||
3770 settings
->network_interfaces
||
3771 settings
->network_macvlan
||
3772 settings
->network_ipvlan
||
3773 settings
->network_veth_extra
||
3774 settings
->network_namespace_path
)) {
3776 if (!arg_settings_trusted
)
3777 log_warning("Ignoring network settings, file %s is not trusted.", path
);
3779 arg_network_veth
= settings_network_veth(settings
);
3780 arg_private_network
= settings_private_network(settings
);
3782 strv_free_and_replace(arg_network_interfaces
, settings
->network_interfaces
);
3783 strv_free_and_replace(arg_network_macvlan
, settings
->network_macvlan
);
3784 strv_free_and_replace(arg_network_ipvlan
, settings
->network_ipvlan
);
3785 strv_free_and_replace(arg_network_veth_extra
, settings
->network_veth_extra
);
3787 free_and_replace(arg_network_bridge
, settings
->network_bridge
);
3788 free_and_replace(arg_network_zone
, settings
->network_zone
);
3790 free_and_replace(arg_network_namespace_path
, settings
->network_namespace_path
);
3794 if ((arg_settings_mask
& SETTING_EXPOSE_PORTS
) == 0 &&
3795 settings
->expose_ports
) {
3797 if (!arg_settings_trusted
)
3798 log_warning("Ignoring Port= setting, file %s is not trusted.", path
);
3800 expose_port_free_all(arg_expose_ports
);
3801 arg_expose_ports
= TAKE_PTR(settings
->expose_ports
);
3805 if ((arg_settings_mask
& SETTING_USERNS
) == 0 &&
3806 settings
->userns_mode
!= _USER_NAMESPACE_MODE_INVALID
) {
3808 if (!arg_settings_trusted
)
3809 log_warning("Ignoring PrivateUsers= and PrivateUsersChown= settings, file %s is not trusted.", path
);
3811 arg_userns_mode
= settings
->userns_mode
;
3812 arg_uid_shift
= settings
->uid_shift
;
3813 arg_uid_range
= settings
->uid_range
;
3814 arg_userns_chown
= settings
->userns_chown
;
3818 if ((arg_settings_mask
& SETTING_NOTIFY_READY
) == 0)
3819 arg_notify_ready
= settings
->notify_ready
;
3821 if ((arg_settings_mask
& SETTING_SYSCALL_FILTER
) == 0) {
3823 if (!arg_settings_trusted
&& !strv_isempty(settings
->syscall_whitelist
))
3824 log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path
);
3826 strv_free_and_replace(arg_syscall_whitelist
, settings
->syscall_whitelist
);
3827 strv_free_and_replace(arg_syscall_blacklist
, settings
->syscall_blacklist
);
3831 if (!arg_settings_trusted
&& settings
->seccomp
)
3832 log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path
);
3834 seccomp_release(arg_seccomp
);
3835 arg_seccomp
= TAKE_PTR(settings
->seccomp
);
3840 for (rl
= 0; rl
< _RLIMIT_MAX
; rl
++) {
3841 if ((arg_settings_mask
& (SETTING_RLIMIT_FIRST
<< rl
)))
3844 if (!settings
->rlimit
[rl
])
3847 if (!arg_settings_trusted
) {
3848 log_warning("Ignoring Limit%s= setting, file '%s' is not trusted.", rlimit_to_string(rl
), path
);
3852 free_and_replace(arg_rlimit
[rl
], settings
->rlimit
[rl
]);
3855 if ((arg_settings_mask
& SETTING_HOSTNAME
) == 0 &&
3857 free_and_replace(arg_hostname
, settings
->hostname
);
3859 if ((arg_settings_mask
& SETTING_NO_NEW_PRIVILEGES
) == 0 &&
3860 settings
->no_new_privileges
>= 0)
3861 arg_no_new_privileges
= settings
->no_new_privileges
;
3863 if ((arg_settings_mask
& SETTING_OOM_SCORE_ADJUST
) == 0 &&
3864 settings
->oom_score_adjust_set
) {
3866 if (!arg_settings_trusted
)
3867 log_warning("Ignoring OOMScoreAdjust= setting, file '%s' is not trusted.", path
);
3869 arg_oom_score_adjust
= settings
->oom_score_adjust
;
3870 arg_oom_score_adjust_set
= true;
3874 if ((arg_settings_mask
& SETTING_CPU_AFFINITY
) == 0 &&
3877 if (!arg_settings_trusted
)
3878 log_warning("Ignoring CPUAffinity= setting, file '%s' is not trusted.", path
);
3881 CPU_FREE(arg_cpuset
);
3882 arg_cpuset
= TAKE_PTR(settings
->cpuset
);
3883 arg_cpuset_ncpus
= settings
->cpuset_ncpus
;
3887 if ((arg_settings_mask
& SETTING_RESOLV_CONF
) == 0 &&
3888 settings
->resolv_conf
!= _RESOLV_CONF_MODE_INVALID
)
3889 arg_resolv_conf
= settings
->resolv_conf
;
3891 if ((arg_settings_mask
& SETTING_LINK_JOURNAL
) == 0 &&
3892 settings
->link_journal
!= _LINK_JOURNAL_INVALID
) {
3894 if (!arg_settings_trusted
)
3895 log_warning("Ignoring journal link setting, file '%s' is not trusted.", path
);
3897 arg_link_journal
= settings
->link_journal
;
3898 arg_link_journal_try
= settings
->link_journal_try
;
3902 if ((arg_settings_mask
& SETTING_TIMEZONE
) == 0 &&
3903 settings
->timezone
!= _TIMEZONE_MODE_INVALID
)
3904 arg_timezone
= settings
->timezone
;
3906 if ((arg_settings_mask
& SETTING_SLICE
) == 0 &&
3909 if (!arg_settings_trusted
)
3910 log_warning("Ignoring slice setting, file '%s' is not trusted.", path
);
3912 free_and_replace(arg_slice
, settings
->slice
);
3915 if ((arg_settings_mask
& SETTING_USE_CGNS
) == 0 &&
3916 settings
->use_cgns
>= 0) {
3918 if (!arg_settings_trusted
)
3919 log_warning("Ignoring cgroup namespace setting, file '%s' is not trusted.", path
);
3921 arg_use_cgns
= settings
->use_cgns
;
3924 if ((arg_settings_mask
& SETTING_CLONE_NS_FLAGS
) == 0 &&
3925 settings
->clone_ns_flags
!= (unsigned long) -1) {
3927 if (!arg_settings_trusted
)
3928 log_warning("Ignoring namespace setting, file '%s' is not trusted.", path
);
3930 arg_clone_ns_flags
= settings
->clone_ns_flags
;
3933 if ((arg_settings_mask
& SETTING_CONSOLE_MODE
) == 0 &&
3934 settings
->console_mode
>= 0) {
3936 if (!arg_settings_trusted
)
3937 log_warning("Ignoring console mode setting, file '%s' is not trusted.", path
);
3939 arg_console_mode
= settings
->console_mode
;
3942 /* The following properties can only be set through the OCI settings logic, not from the command line, hence we
3943 * don't consult arg_settings_mask for them. */
3945 sd_bus_message_unref(arg_property_message
);
3946 arg_property_message
= TAKE_PTR(settings
->properties
);
3948 arg_console_width
= settings
->console_width
;
3949 arg_console_height
= settings
->console_height
;
3951 device_node_array_free(arg_extra_nodes
, arg_n_extra_nodes
);
3952 arg_extra_nodes
= TAKE_PTR(settings
->extra_nodes
);
3953 arg_n_extra_nodes
= settings
->n_extra_nodes
;
3958 static int load_settings(void) {
3959 _cleanup_(settings_freep
) Settings
*settings
= NULL
;
3960 _cleanup_fclose_
FILE *f
= NULL
;
3961 _cleanup_free_
char *p
= NULL
;
3968 /* If all settings are masked, there's no point in looking for
3969 * the settings file */
3970 if ((arg_settings_mask
& _SETTINGS_MASK_ALL
) == _SETTINGS_MASK_ALL
)
3973 fn
= strjoina(arg_machine
, ".nspawn");
3975 /* We first look in the admin's directories in /etc and /run */
3976 FOREACH_STRING(i
, "/etc/systemd/nspawn", "/run/systemd/nspawn") {
3977 _cleanup_free_
char *j
= NULL
;
3979 j
= strjoin(i
, "/", fn
);
3987 /* By default, we trust configuration from /etc and /run */
3988 if (arg_settings_trusted
< 0)
3989 arg_settings_trusted
= true;
3994 if (errno
!= ENOENT
)
3995 return log_error_errno(errno
, "Failed to open %s: %m", j
);
3999 /* After that, let's look for a file next to the
4000 * actual image we shall boot. */
4003 p
= file_in_same_dir(arg_image
, fn
);
4006 } else if (arg_directory
) {
4007 p
= file_in_same_dir(arg_directory
, fn
);
4014 if (!f
&& errno
!= ENOENT
)
4015 return log_error_errno(errno
, "Failed to open %s: %m", p
);
4017 /* By default, we do not trust configuration from /var/lib/machines */
4018 if (arg_settings_trusted
< 0)
4019 arg_settings_trusted
= false;
4026 log_debug("Settings are trusted: %s", yes_no(arg_settings_trusted
));
4028 r
= settings_load(f
, p
, &settings
);
4032 return merge_settings(settings
, p
);
4035 static int load_oci_bundle(void) {
4036 _cleanup_(settings_freep
) Settings
*settings
= NULL
;
4039 if (!arg_oci_bundle
)
4042 /* By default let's trust OCI bundles */
4043 if (arg_settings_trusted
< 0)
4044 arg_settings_trusted
= true;
4046 r
= oci_load(NULL
, arg_oci_bundle
, &settings
);
4050 return merge_settings(settings
, arg_oci_bundle
);
4053 static int run_container(int master
,
4054 const char* console
,
4055 DissectedImage
*dissected_image
,
4058 char veth_name
[IFNAMSIZ
], bool *veth_created
,
4059 union in_addr_union
*exposed
,
4060 pid_t
*pid
, int *ret
) {
4062 static const struct sigaction sa
= {
4063 .sa_handler
= nop_signal_handler
,
4064 .sa_flags
= SA_NOCLDSTOP
|SA_RESTART
,
4067 _cleanup_(release_lock_file
) LockFile uid_shift_lock
= LOCK_FILE_INIT
;
4068 _cleanup_close_
int etc_passwd_lock
= -1;
4069 _cleanup_close_pair_
int
4070 kmsg_socket_pair
[2] = { -1, -1 },
4071 rtnl_socket_pair
[2] = { -1, -1 },
4072 pid_socket_pair
[2] = { -1, -1 },
4073 uuid_socket_pair
[2] = { -1, -1 },
4074 notify_socket_pair
[2] = { -1, -1 },
4075 uid_shift_socket_pair
[2] = { -1, -1 },
4076 unified_cgroup_hierarchy_socket_pair
[2] = { -1, -1};
4078 _cleanup_close_
int notify_socket
= -1;
4079 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
4080 _cleanup_(sd_event_source_unrefp
) sd_event_source
*notify_event_source
= NULL
;
4081 _cleanup_(sd_event_unrefp
) sd_event
*event
= NULL
;
4082 _cleanup_(pty_forward_freep
) PTYForward
*forward
= NULL
;
4083 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
4084 _cleanup_(sd_bus_flush_close_unrefp
) sd_bus
*bus
= NULL
;
4085 ContainerStatus container_status
= 0;
4089 _cleanup_close_
int netns_fd
= -1;
4091 assert_se(sigemptyset(&mask_chld
) == 0);
4092 assert_se(sigaddset(&mask_chld
, SIGCHLD
) == 0);
4094 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
4095 /* When we shall pick the UID/GID range, let's first lock /etc/passwd, so that we can safely
4096 * check with getpwuid() if the specific user already exists. Note that /etc might be
4097 * read-only, in which case this will fail with EROFS. But that's really OK, as in that case we
4098 * can be reasonably sure that no users are going to be added. Note that getpwuid() checks are
4099 * really just an extra safety net. We kinda assume that the UID range we allocate from is
4102 etc_passwd_lock
= take_etc_passwd_lock(NULL
);
4103 if (etc_passwd_lock
< 0 && etc_passwd_lock
!= -EROFS
)
4104 return log_error_errno(etc_passwd_lock
, "Failed to take /etc/passwd lock: %m");
4107 r
= barrier_create(&barrier
);
4109 return log_error_errno(r
, "Cannot initialize IPC barrier: %m");
4111 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, kmsg_socket_pair
) < 0)
4112 return log_error_errno(errno
, "Failed to create kmsg socket pair: %m");
4114 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, rtnl_socket_pair
) < 0)
4115 return log_error_errno(errno
, "Failed to create rtnl socket pair: %m");
4117 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, pid_socket_pair
) < 0)
4118 return log_error_errno(errno
, "Failed to create pid socket pair: %m");
4120 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, uuid_socket_pair
) < 0)
4121 return log_error_errno(errno
, "Failed to create id socket pair: %m");
4123 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, notify_socket_pair
) < 0)
4124 return log_error_errno(errno
, "Failed to create notify socket pair: %m");
4126 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
4127 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, uid_shift_socket_pair
) < 0)
4128 return log_error_errno(errno
, "Failed to create uid shift socket pair: %m");
4130 if (arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
)
4131 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, unified_cgroup_hierarchy_socket_pair
) < 0)
4132 return log_error_errno(errno
, "Failed to create unified cgroup socket pair: %m");
4134 /* Child can be killed before execv(), so handle SIGCHLD in order to interrupt
4135 * parent's blocking calls and give it a chance to call wait() and terminate. */
4136 r
= sigprocmask(SIG_UNBLOCK
, &mask_chld
, NULL
);
4138 return log_error_errno(errno
, "Failed to change the signal mask: %m");
4140 r
= sigaction(SIGCHLD
, &sa
, NULL
);
4142 return log_error_errno(errno
, "Failed to install SIGCHLD handler: %m");
4144 if (arg_network_namespace_path
) {
4145 netns_fd
= open(arg_network_namespace_path
, O_RDONLY
|O_NOCTTY
|O_CLOEXEC
);
4147 return log_error_errno(errno
, "Cannot open file %s: %m", arg_network_namespace_path
);
4149 r
= fd_is_network_ns(netns_fd
);
4151 log_debug_errno(r
, "Cannot determine if passed network namespace path '%s' really refers to a network namespace, assuming it does.", arg_network_namespace_path
);
4153 return log_error_errno(r
, "Failed to check %s fs type: %m", arg_network_namespace_path
);
4155 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
4156 "Path %s doesn't refer to a network namespace, refusing.", arg_network_namespace_path
);
4159 *pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
);
4161 return log_error_errno(errno
, "clone() failed%s: %m",
4163 ", do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in)" : "");
4166 /* The outer child only has a file system namespace. */
4167 barrier_set_role(&barrier
, BARRIER_CHILD
);
4169 master
= safe_close(master
);
4171 kmsg_socket_pair
[0] = safe_close(kmsg_socket_pair
[0]);
4172 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4173 pid_socket_pair
[0] = safe_close(pid_socket_pair
[0]);
4174 uuid_socket_pair
[0] = safe_close(uuid_socket_pair
[0]);
4175 notify_socket_pair
[0] = safe_close(notify_socket_pair
[0]);
4176 uid_shift_socket_pair
[0] = safe_close(uid_shift_socket_pair
[0]);
4177 unified_cgroup_hierarchy_socket_pair
[0] = safe_close(unified_cgroup_hierarchy_socket_pair
[0]);
4179 (void) reset_all_signal_handlers();
4180 (void) reset_signal_mask();
4182 r
= outer_child(&barrier
,
4188 uuid_socket_pair
[1],
4189 notify_socket_pair
[1],
4190 kmsg_socket_pair
[1],
4191 rtnl_socket_pair
[1],
4192 uid_shift_socket_pair
[1],
4193 unified_cgroup_hierarchy_socket_pair
[1],
4197 _exit(EXIT_FAILURE
);
4199 _exit(EXIT_SUCCESS
);
4202 barrier_set_role(&barrier
, BARRIER_PARENT
);
4206 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
4207 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
4208 pid_socket_pair
[1] = safe_close(pid_socket_pair
[1]);
4209 uuid_socket_pair
[1] = safe_close(uuid_socket_pair
[1]);
4210 notify_socket_pair
[1] = safe_close(notify_socket_pair
[1]);
4211 uid_shift_socket_pair
[1] = safe_close(uid_shift_socket_pair
[1]);
4212 unified_cgroup_hierarchy_socket_pair
[1] = safe_close(unified_cgroup_hierarchy_socket_pair
[1]);
4214 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
4215 /* The child just let us know the UID shift it might have read from the image. */
4216 l
= recv(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof arg_uid_shift
, 0);
4218 return log_error_errno(errno
, "Failed to read UID shift: %m");
4219 if (l
!= sizeof arg_uid_shift
)
4220 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short read while reading UID shift.");
4222 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
4223 /* If we are supposed to pick the UID shift, let's try to use the shift read from the
4224 * image, but if that's already in use, pick a new one, and report back to the child,
4225 * which one we now picked. */
4227 r
= uid_shift_pick(&arg_uid_shift
, &uid_shift_lock
);
4229 return log_error_errno(r
, "Failed to pick suitable UID/GID range: %m");
4231 l
= send(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof arg_uid_shift
, MSG_NOSIGNAL
);
4233 return log_error_errno(errno
, "Failed to send UID shift: %m");
4234 if (l
!= sizeof arg_uid_shift
)
4235 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short write while writing UID shift.");
4239 if (arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
) {
4240 /* The child let us know the support cgroup mode it might have read from the image. */
4241 l
= recv(unified_cgroup_hierarchy_socket_pair
[0], &arg_unified_cgroup_hierarchy
, sizeof(arg_unified_cgroup_hierarchy
), 0);
4243 return log_error_errno(errno
, "Failed to read cgroup mode: %m");
4244 if (l
!= sizeof(arg_unified_cgroup_hierarchy
))
4245 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short read while reading cgroup mode (%zu bytes).%s",
4246 l
, l
== 0 ? " The child is most likely dead." : "");
4249 /* Wait for the outer child. */
4250 r
= wait_for_terminate_and_check("(sd-namespace)", *pid
, WAIT_LOG_ABNORMAL
);
4253 if (r
!= EXIT_SUCCESS
)
4256 /* And now retrieve the PID of the inner child. */
4257 l
= recv(pid_socket_pair
[0], pid
, sizeof *pid
, 0);
4259 return log_error_errno(errno
, "Failed to read inner child PID: %m");
4260 if (l
!= sizeof *pid
)
4261 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short read while reading inner child PID.");
4263 /* We also retrieve container UUID in case it was generated by outer child */
4264 l
= recv(uuid_socket_pair
[0], &arg_uuid
, sizeof arg_uuid
, 0);
4266 return log_error_errno(errno
, "Failed to read container machine ID: %m");
4267 if (l
!= sizeof(arg_uuid
))
4268 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short read while reading container machined ID.");
4270 /* We also retrieve the socket used for notifications generated by outer child */
4271 notify_socket
= receive_one_fd(notify_socket_pair
[0], 0);
4272 if (notify_socket
< 0)
4273 return log_error_errno(notify_socket
,
4274 "Failed to receive notification socket from the outer child: %m");
4276 log_debug("Init process invoked as PID "PID_FMT
, *pid
);
4278 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
4279 if (!barrier_place_and_sync(&barrier
)) /* #1 */
4280 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
), "Child died too early.");
4282 r
= setup_uid_map(*pid
);
4286 (void) barrier_place(&barrier
); /* #2 */
4289 if (arg_private_network
) {
4290 if (!arg_network_namespace_path
) {
4291 /* Wait until the child has unshared its network namespace. */
4292 if (!barrier_place_and_sync(&barrier
)) /* #3 */
4293 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
), "Child died too early");
4296 r
= move_network_interfaces(*pid
, arg_network_interfaces
);
4300 if (arg_network_veth
) {
4301 r
= setup_veth(arg_machine
, *pid
, veth_name
,
4302 arg_network_bridge
|| arg_network_zone
);
4308 if (arg_network_bridge
) {
4309 /* Add the interface to a bridge */
4310 r
= setup_bridge(veth_name
, arg_network_bridge
, false);
4315 } else if (arg_network_zone
) {
4316 /* Add the interface to a bridge, possibly creating it */
4317 r
= setup_bridge(veth_name
, arg_network_zone
, true);
4325 r
= setup_veth_extra(arg_machine
, *pid
, arg_network_veth_extra
);
4329 /* We created the primary and extra veth links now; let's remember this, so that we know to
4330 remove them later on. Note that we don't bother with removing veth links that were created
4331 here when their setup failed half-way, because in that case the kernel should be able to
4332 remove them on its own, since they cannot be referenced by anything yet. */
4333 *veth_created
= true;
4335 r
= setup_macvlan(arg_machine
, *pid
, arg_network_macvlan
);
4339 r
= setup_ipvlan(arg_machine
, *pid
, arg_network_ipvlan
);
4344 if (arg_register
|| !arg_keep_unit
) {
4345 r
= sd_bus_default_system(&bus
);
4347 return log_error_errno(r
, "Failed to open system bus: %m");
4349 r
= sd_bus_set_close_on_exit(bus
, false);
4351 return log_error_errno(r
, "Failed to disable close-on-exit behaviour: %m");
4354 if (!arg_keep_unit
) {
4355 /* When a new scope is created for this container, then we'll be registered as its controller, in which
4356 * case PID 1 will send us a friendly RequestStop signal, when it is asked to terminate the
4357 * scope. Let's hook into that, and cleanly shut down the container, and print a friendly message. */
4359 r
= sd_bus_match_signal_async(
4362 "org.freedesktop.systemd1",
4364 "org.freedesktop.systemd1.Scope",
4366 on_request_stop
, NULL
, PID_TO_PTR(*pid
));
4368 return log_error_errno(r
, "Failed to request RequestStop match: %m");
4372 r
= register_machine(
4380 arg_custom_mounts
, arg_n_custom_mounts
,
4383 arg_property_message
,
4385 arg_container_service_name
);
4389 } else if (!arg_keep_unit
) {
4395 arg_custom_mounts
, arg_n_custom_mounts
,
4398 arg_property_message
);
4402 } else if (arg_slice
|| arg_property
)
4403 log_notice("Machine and scope registration turned off, --slice= and --property= settings will have no effect.");
4405 r
= create_subcgroup(*pid
, arg_keep_unit
, arg_unified_cgroup_hierarchy
);
4409 r
= sync_cgroup(*pid
, arg_unified_cgroup_hierarchy
, arg_uid_shift
);
4413 r
= chown_cgroup(*pid
, arg_unified_cgroup_hierarchy
, arg_uid_shift
);
4417 /* Notify the child that the parent is ready with all
4418 * its setup (including cgroup-ification), and that
4419 * the child can now hand over control to the code to
4420 * run inside the container. */
4421 (void) barrier_place(&barrier
); /* #4 */
4423 /* Block SIGCHLD here, before notifying child.
4424 * process_pty() will handle it with the other signals. */
4425 assert_se(sigprocmask(SIG_BLOCK
, &mask_chld
, NULL
) >= 0);
4427 /* Reset signal to default */
4428 r
= default_signals(SIGCHLD
, -1);
4430 return log_error_errno(r
, "Failed to reset SIGCHLD: %m");
4432 r
= sd_event_new(&event
);
4434 return log_error_errno(r
, "Failed to get default event source: %m");
4436 (void) sd_event_set_watchdog(event
, true);
4439 r
= sd_bus_attach_event(bus
, event
, 0);
4441 return log_error_errno(r
, "Failed to attach bus to event loop: %m");
4444 r
= setup_sd_notify_parent(event
, notify_socket
, PID_TO_PTR(*pid
), ¬ify_event_source
);
4448 /* Let the child know that we are ready and wait that the child is completely ready now. */
4449 if (!barrier_place_and_sync(&barrier
)) /* #5 */
4450 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
), "Child died too early.");
4452 /* At this point we have made use of the UID we picked, and thus nss-mymachines
4453 * will make them appear in getpwuid(), thus we can release the /etc/passwd lock. */
4454 etc_passwd_lock
= safe_close(etc_passwd_lock
);
4456 (void) sd_notifyf(false,
4457 "STATUS=Container running.\n"
4458 "X_NSPAWN_LEADER_PID=" PID_FMT
, *pid
);
4459 if (!arg_notify_ready
)
4460 (void) sd_notify(false, "READY=1\n");
4462 if (arg_kill_signal
> 0) {
4463 /* Try to kill the init system on SIGINT or SIGTERM */
4464 (void) sd_event_add_signal(event
, NULL
, SIGINT
, on_orderly_shutdown
, PID_TO_PTR(*pid
));
4465 (void) sd_event_add_signal(event
, NULL
, SIGTERM
, on_orderly_shutdown
, PID_TO_PTR(*pid
));
4467 /* Immediately exit */
4468 (void) sd_event_add_signal(event
, NULL
, SIGINT
, NULL
, NULL
);
4469 (void) sd_event_add_signal(event
, NULL
, SIGTERM
, NULL
, NULL
);
4472 /* Exit when the child exits */
4473 (void) sd_event_add_signal(event
, NULL
, SIGCHLD
, on_sigchld
, PID_TO_PTR(*pid
));
4475 if (arg_expose_ports
) {
4476 r
= expose_port_watch_rtnl(event
, rtnl_socket_pair
[0], on_address_change
, exposed
, &rtnl
);
4480 (void) expose_port_execute(rtnl
, arg_expose_ports
, exposed
);
4483 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4485 if (IN_SET(arg_console_mode
, CONSOLE_INTERACTIVE
, CONSOLE_READ_ONLY
)) {
4486 assert(master
>= 0);
4488 r
= pty_forward_new(event
, master
,
4489 PTY_FORWARD_IGNORE_VHANGUP
| (arg_console_mode
== CONSOLE_READ_ONLY
? PTY_FORWARD_READ_ONLY
: 0),
4492 return log_error_errno(r
, "Failed to create PTY forwarder: %m");
4494 if (arg_console_width
!= (unsigned) -1 || arg_console_height
!= (unsigned) -1)
4495 (void) pty_forward_set_width_height(forward
, arg_console_width
, arg_console_height
);
4498 r
= sd_event_loop(event
);
4500 return log_error_errno(r
, "Failed to run event loop: %m");
4505 (void) pty_forward_get_last_char(forward
, &last_char
);
4506 forward
= pty_forward_free(forward
);
4508 if (!arg_quiet
&& last_char
!= '\n')
4512 /* Kill if it is not dead yet anyway */
4515 terminate_machine(bus
, arg_machine
);
4516 else if (!arg_keep_unit
)
4517 terminate_scope(bus
, arg_machine
);
4520 /* Normally redundant, but better safe than sorry */
4521 (void) kill(*pid
, SIGKILL
);
4523 r
= wait_for_container(*pid
, &container_status
);
4527 /* We failed to wait for the container, or the container exited abnormally. */
4529 if (r
> 0 || container_status
== CONTAINER_TERMINATED
) {
4530 /* r > 0 → The container exited with a non-zero status.
4531 * As a special case, we need to replace 133 with a different value,
4532 * because 133 is special-cased in the service file to reboot the container.
4533 * otherwise → The container exited with zero status and a reboot was not requested.
4535 if (r
== EXIT_FORCE_RESTART
)
4536 r
= EXIT_FAILURE
; /* replace 133 with the general failure code */
4538 return 0; /* finito */
4541 /* CONTAINER_REBOOTED, loop again */
4543 if (arg_keep_unit
) {
4544 /* Special handling if we are running as a service: instead of simply
4545 * restarting the machine we want to restart the entire service, so let's
4546 * inform systemd about this with the special exit code 133. The service
4547 * file uses RestartForceExitStatus=133 so that this results in a full
4548 * nspawn restart. This is necessary since we might have cgroup parameters
4549 * set we want to have flushed out. */
4550 *ret
= EXIT_FORCE_RESTART
;
4551 return 0; /* finito */
4554 expose_port_flush(arg_expose_ports
, exposed
);
4556 (void) remove_veth_links(veth_name
, arg_network_veth_extra
);
4557 *veth_created
= false;
4558 return 1; /* loop again */
4561 static int initialize_rlimits(void) {
4562 /* The default resource limits the kernel passes to PID 1, as per kernel 4.16. Let's pass our container payload
4563 * the same values as the kernel originally passed to PID 1, in order to minimize differences between host and
4564 * container execution environments. */
4566 static const struct rlimit kernel_defaults
[_RLIMIT_MAX
] = {
4567 [RLIMIT_AS
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4568 [RLIMIT_CORE
] = { 0, RLIM_INFINITY
},
4569 [RLIMIT_CPU
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4570 [RLIMIT_DATA
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4571 [RLIMIT_FSIZE
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4572 [RLIMIT_LOCKS
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4573 [RLIMIT_MEMLOCK
] = { 65536, 65536 },
4574 [RLIMIT_MSGQUEUE
] = { 819200, 819200 },
4575 [RLIMIT_NICE
] = { 0, 0 },
4576 [RLIMIT_NOFILE
] = { 1024, 4096 },
4577 [RLIMIT_RSS
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4578 [RLIMIT_RTPRIO
] = { 0, 0 },
4579 [RLIMIT_RTTIME
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4580 [RLIMIT_STACK
] = { 8388608, RLIM_INFINITY
},
4582 /* The kernel scales the default for RLIMIT_NPROC and RLIMIT_SIGPENDING based on the system's amount of
4583 * RAM. To provide best compatibility we'll read these limits off PID 1 instead of hardcoding them
4584 * here. This is safe as we know that PID 1 doesn't change these two limits and thus the original
4585 * kernel's initialization should still be valid during runtime — at least if PID 1 is systemd. Note
4586 * that PID 1 changes a number of other resource limits during early initialization which is why we
4587 * don't read the other limits from PID 1 but prefer the static table above. */
4592 for (rl
= 0; rl
< _RLIMIT_MAX
; rl
++) {
4593 /* Let's only fill in what the user hasn't explicitly configured anyway */
4594 if ((arg_settings_mask
& (SETTING_RLIMIT_FIRST
<< rl
)) == 0) {
4595 const struct rlimit
*v
;
4596 struct rlimit buffer
;
4598 if (IN_SET(rl
, RLIMIT_NPROC
, RLIMIT_SIGPENDING
)) {
4599 /* For these two let's read the limits off PID 1. See above for an explanation. */
4601 if (prlimit(1, rl
, NULL
, &buffer
) < 0)
4602 return log_error_errno(errno
, "Failed to read resource limit RLIMIT_%s of PID 1: %m", rlimit_to_string(rl
));
4606 v
= kernel_defaults
+ rl
;
4608 arg_rlimit
[rl
] = newdup(struct rlimit
, v
, 1);
4609 if (!arg_rlimit
[rl
])
4613 if (DEBUG_LOGGING
) {
4614 _cleanup_free_
char *k
= NULL
;
4616 (void) rlimit_format(arg_rlimit
[rl
], &k
);
4617 log_debug("Setting RLIMIT_%s to %s.", rlimit_to_string(rl
), k
);
4624 static int run(int argc
, char *argv
[]) {
4625 _cleanup_free_
char *console
= NULL
;
4626 _cleanup_close_
int master
= -1;
4627 _cleanup_fdset_free_ FDSet
*fds
= NULL
;
4628 int r
, n_fd_passed
, ret
= EXIT_SUCCESS
;
4629 char veth_name
[IFNAMSIZ
] = "";
4630 bool secondary
= false, remove_directory
= false, remove_image
= false;
4632 union in_addr_union exposed
= {};
4633 _cleanup_(release_lock_file
) LockFile tree_global_lock
= LOCK_FILE_INIT
, tree_local_lock
= LOCK_FILE_INIT
;
4634 bool veth_created
= false, remove_tmprootdir
= false;
4635 char tmprootdir
[] = "/tmp/nspawn-root-XXXXXX";
4636 _cleanup_(loop_device_unrefp
) LoopDevice
*loop
= NULL
;
4637 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
4638 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
4640 log_parse_environment();
4643 r
= parse_argv(argc
, argv
);
4651 r
= initialize_rlimits();
4655 r
= load_oci_bundle();
4659 r
= determine_names();
4663 r
= load_settings();
4667 r
= cg_unified_flush();
4669 log_error_errno(r
, "Failed to determine whether the unified cgroups hierarchy is used: %m");
4673 r
= verify_arguments();
4677 r
= detect_unified_cgroup_hierarchy_from_environment();
4681 /* Ignore SIGPIPE here, because we use splice() on the ptyfwd stuff and that will generate SIGPIPE if
4682 * the result is closed. Note that the container payload child will reset signal mask+handler anyway,
4683 * so just turning this off here means we only turn it off in nspawn itself, not any children. */
4684 (void) ignore_signals(SIGPIPE
, -1);
4686 n_fd_passed
= sd_listen_fds(false);
4687 if (n_fd_passed
> 0) {
4688 r
= fdset_new_listen_fds(&fds
, false);
4690 log_error_errno(r
, "Failed to collect file descriptors: %m");
4695 /* The "default" umask. This is appropriate for most file and directory
4696 * operations performed by nspawn, and is the umask that will be used for
4697 * the child. Functions like copy_devnodes() change the umask temporarily. */
4700 if (arg_directory
) {
4703 if (path_equal(arg_directory
, "/") && !arg_ephemeral
) {
4704 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
4709 if (arg_ephemeral
) {
4710 _cleanup_free_
char *np
= NULL
;
4712 r
= chase_symlinks_and_update(&arg_directory
, 0);
4716 /* If the specified path is a mount point we
4717 * generate the new snapshot immediately
4718 * inside it under a random name. However if
4719 * the specified is not a mount point we
4720 * create the new snapshot in the parent
4721 * directory, just next to it. */
4722 r
= path_is_mount_point(arg_directory
, NULL
, 0);
4724 log_error_errno(r
, "Failed to determine whether directory %s is mount point: %m", arg_directory
);
4728 r
= tempfn_random_child(arg_directory
, "machine.", &np
);
4730 r
= tempfn_random(arg_directory
, "machine.", &np
);
4732 log_error_errno(r
, "Failed to generate name for directory snapshot: %m");
4736 r
= image_path_lock(np
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4738 log_error_errno(r
, "Failed to lock %s: %m", np
);
4742 r
= btrfs_subvol_snapshot(arg_directory
, np
,
4743 (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) |
4744 BTRFS_SNAPSHOT_FALLBACK_COPY
|
4745 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY
|
4746 BTRFS_SNAPSHOT_RECURSIVE
|
4747 BTRFS_SNAPSHOT_QUOTA
);
4749 log_error_errno(r
, "Failed to create snapshot %s from %s: %m", np
, arg_directory
);
4753 free_and_replace(arg_directory
, np
);
4755 remove_directory
= true;
4758 r
= chase_symlinks_and_update(&arg_directory
, arg_template
? CHASE_NONEXISTENT
: 0);
4762 r
= image_path_lock(arg_directory
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4764 log_error_errno(r
, "Directory tree %s is currently busy.", arg_directory
);
4768 log_error_errno(r
, "Failed to lock %s: %m", arg_directory
);
4773 r
= chase_symlinks_and_update(&arg_template
, 0);
4777 r
= btrfs_subvol_snapshot(arg_template
, arg_directory
,
4778 (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) |
4779 BTRFS_SNAPSHOT_FALLBACK_COPY
|
4780 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY
|
4781 BTRFS_SNAPSHOT_FALLBACK_IMMUTABLE
|
4782 BTRFS_SNAPSHOT_RECURSIVE
|
4783 BTRFS_SNAPSHOT_QUOTA
);
4785 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
,
4786 "Directory %s already exists, not populating from template %s.", arg_directory
, arg_template
);
4788 log_error_errno(r
, "Couldn't create snapshot %s from %s: %m", arg_directory
, arg_template
);
4791 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
,
4792 "Populated %s from template %s.", arg_directory
, arg_template
);
4796 if (arg_start_mode
== START_BOOT
) {
4799 if (arg_pivot_root_new
)
4800 p
= prefix_roota(arg_directory
, arg_pivot_root_new
);
4804 if (path_is_os_tree(p
) <= 0) {
4805 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", p
);
4812 if (arg_pivot_root_new
)
4813 p
= prefix_roota(arg_directory
, arg_pivot_root_new
);
4817 q
= strjoina(p
, "/usr/");
4819 if (laccess(q
, F_OK
) < 0) {
4820 log_error("Directory %s doesn't look like it has an OS tree. Refusing.", p
);
4828 assert(!arg_template
);
4830 r
= chase_symlinks_and_update(&arg_image
, 0);
4834 if (arg_ephemeral
) {
4835 _cleanup_free_
char *np
= NULL
;
4837 r
= tempfn_random(arg_image
, "machine.", &np
);
4839 log_error_errno(r
, "Failed to generate name for image snapshot: %m");
4843 r
= image_path_lock(np
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4845 r
= log_error_errno(r
, "Failed to create image lock: %m");
4849 r
= copy_file(arg_image
, np
, O_EXCL
, arg_read_only
? 0400 : 0600, FS_NOCOW_FL
, FS_NOCOW_FL
, COPY_REFLINK
|COPY_CRTIME
);
4851 r
= log_error_errno(r
, "Failed to copy image file: %m");
4855 free_and_replace(arg_image
, np
);
4857 remove_image
= true;
4859 r
= image_path_lock(arg_image
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4861 r
= log_error_errno(r
, "Disk image %s is currently busy.", arg_image
);
4865 r
= log_error_errno(r
, "Failed to create image lock: %m");
4869 if (!arg_root_hash
) {
4870 r
= root_hash_load(arg_image
, &arg_root_hash
, &arg_root_hash_size
);
4872 log_error_errno(r
, "Failed to load root hash file for %s: %m", arg_image
);
4878 if (!mkdtemp(tmprootdir
)) {
4879 r
= log_error_errno(errno
, "Failed to create temporary directory: %m");
4883 remove_tmprootdir
= true;
4885 arg_directory
= strdup(tmprootdir
);
4886 if (!arg_directory
) {
4891 r
= loop_device_make_by_path(arg_image
, arg_read_only
? O_RDONLY
: O_RDWR
, &loop
);
4893 log_error_errno(r
, "Failed to set up loopback block device: %m");
4897 r
= dissect_image_and_warn(
4900 arg_root_hash
, arg_root_hash_size
,
4901 DISSECT_IMAGE_REQUIRE_ROOT
,
4904 /* dissected_image_and_warn() already printed a brief error message. Extend on that with more details */
4905 log_notice("Note that the disk image needs to\n"
4906 " a) either contain only a single MBR partition of type 0x83 that is marked bootable\n"
4907 " b) or contain a single GPT partition of type 0FC63DAF-8483-4772-8E79-3D69D8477DE4\n"
4908 " c) or follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n"
4909 " d) or contain a file system without a partition table\n"
4910 "in order to be bootable with systemd-nspawn.");
4916 if (!arg_root_hash
&& dissected_image
->can_verity
)
4917 log_notice("Note: image %s contains verity information, but no root hash specified! Proceeding without integrity checking.", arg_image
);
4919 r
= dissected_image_decrypt_interactively(dissected_image
, NULL
, arg_root_hash
, arg_root_hash_size
, 0, &decrypted_image
);
4923 /* Now that we mounted the image, let's try to remove it again, if it is ephemeral */
4924 if (remove_image
&& unlink(arg_image
) >= 0)
4925 remove_image
= false;
4928 r
= custom_mount_prepare_all(arg_directory
, arg_custom_mounts
, arg_n_custom_mounts
);
4932 if (arg_console_mode
< 0)
4934 isatty(STDIN_FILENO
) > 0 &&
4935 isatty(STDOUT_FILENO
) > 0 ? CONSOLE_INTERACTIVE
: CONSOLE_READ_ONLY
;
4937 if (arg_console_mode
== CONSOLE_PIPE
) /* if we pass STDERR on to the container, don't add our own logs into it too */
4940 if (arg_console_mode
!= CONSOLE_PIPE
) {
4941 master
= posix_openpt(O_RDWR
|O_NOCTTY
|O_CLOEXEC
|O_NONBLOCK
);
4943 r
= log_error_errno(errno
, "Failed to acquire pseudo tty: %m");
4947 r
= ptsname_malloc(master
, &console
);
4949 r
= log_error_errno(r
, "Failed to determine tty name: %m");
4953 if (arg_selinux_apifs_context
) {
4954 r
= mac_selinux_apply(console
, arg_selinux_apifs_context
);
4959 if (unlockpt(master
) < 0) {
4960 r
= log_error_errno(errno
, "Failed to unlock tty: %m");
4966 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
4967 arg_machine
, arg_image
?: arg_directory
);
4969 assert_se(sigprocmask_many(SIG_BLOCK
, NULL
, SIGCHLD
, SIGWINCH
, SIGTERM
, SIGINT
, -1) >= 0);
4971 if (prctl(PR_SET_CHILD_SUBREAPER
, 1, 0, 0, 0) < 0) {
4972 r
= log_error_errno(errno
, "Failed to become subreaper: %m");
4977 r
= run_container(master
,
4982 veth_name
, &veth_created
,
4990 (void) sd_notify(false,
4991 r
== 0 && ret
== EXIT_FORCE_RESTART
? "STOPPING=1\nSTATUS=Restarting..." :
4992 "STOPPING=1\nSTATUS=Terminating...");
4995 (void) kill(pid
, SIGKILL
);
4997 /* Try to flush whatever is still queued in the pty */
4999 (void) copy_bytes(master
, STDOUT_FILENO
, (uint64_t) -1, 0);
5000 master
= safe_close(master
);
5004 (void) wait_for_terminate(pid
, NULL
);
5008 if (remove_directory
&& arg_directory
) {
5011 k
= rm_rf(arg_directory
, REMOVE_ROOT
|REMOVE_PHYSICAL
|REMOVE_SUBVOLUME
);
5013 log_warning_errno(k
, "Cannot remove '%s', ignoring: %m", arg_directory
);
5016 if (remove_image
&& arg_image
) {
5017 if (unlink(arg_image
) < 0)
5018 log_warning_errno(errno
, "Can't remove image file '%s', ignoring: %m", arg_image
);
5021 if (remove_tmprootdir
) {
5022 if (rmdir(tmprootdir
) < 0)
5023 log_debug_errno(errno
, "Can't remove temporary root directory '%s', ignoring: %m", tmprootdir
);
5029 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
5030 (void) rm_rf(p
, REMOVE_ROOT
);
5033 expose_port_flush(arg_expose_ports
, &exposed
);
5036 (void) remove_veth_links(veth_name
, arg_network_veth_extra
);
5037 (void) remove_bridge(arg_network_zone
);
5039 custom_mount_free_all(arg_custom_mounts
, arg_n_custom_mounts
);
5040 expose_port_free_all(arg_expose_ports
);
5041 rlimit_free_all(arg_rlimit
);
5042 device_node_array_free(arg_extra_nodes
, arg_n_extra_nodes
);
5050 DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run
);