[thirdparty/systemd.git] / src / shared / machine-image.c

/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/

/***
  This file is part of systemd.

  Copyright 2013 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <sys/statfs.h>
#include <linux/fs.h>
#include <fcntl.h>

#include "utf8.h"
#include "btrfs-util.h"
#include "path-util.h"
#include "copy.h"
#include "mkdir.h"
#include "rm-rf.h"
#include "machine-image.h"

static const char image_search_path[] =
        "/var/lib/machines\0"
        "/var/lib/container\0" /* legacy */
        "/usr/local/lib/machines\0"
        "/usr/lib/machines\0";

Image *image_unref(Image *i) {
        if (!i)
                return NULL;

        free(i->name);
        free(i->path);
        free(i);
        return NULL;
}

static int image_new(
                ImageType t,
                const char *pretty,
                const char *path,
                const char *filename,
                bool read_only,
                usec_t crtime,
                usec_t mtime,
                Image **ret) {

        _cleanup_(image_unrefp) Image *i = NULL;

        assert(t >= 0);
        assert(t < _IMAGE_TYPE_MAX);
        assert(pretty);
        assert(filename);
        assert(ret);

        i = new0(Image, 1);
        if (!i)
                return -ENOMEM;

        i->type = t;
        i->read_only = read_only;
        i->crtime = crtime;
        i->mtime = mtime;
        i->usage = i->usage_exclusive = (uint64_t) -1;
        i->limit = i->limit_exclusive = (uint64_t) -1;

        i->name = strdup(pretty);
        if (!i->name)
                return -ENOMEM;

        if (path)
                i->path = strjoin(path, "/", filename, NULL);
        else
                i->path = strdup(filename);

        if (!i->path)
                return -ENOMEM;

        path_kill_slashes(i->path);

        *ret = i;
        i = NULL;

        return 0;
}

static int image_make(
                const char *pretty,
                int dfd,
                const char *path,
                const char *filename,
                Image **ret) {

        struct stat st;
        bool read_only;
        int r;

        assert(filename);

        /* We explicitly *do* follow symlinks here, since we want to
         * allow symlinking trees into /var/lib/machines/, and treat
         * them normally. */

        if (fstatat(dfd, filename, &st, 0) < 0)
                return -errno;

        read_only =
                (path && path_startswith(path, "/usr")) ||
                (faccessat(dfd, filename, W_OK, AT_EACCESS) < 0 && errno == EROFS);

        if (S_ISDIR(st.st_mode)) {
                _cleanup_close_ int fd = -1;
                unsigned file_attr = 0;

                if (!ret)
                        return 1;

                if (!pretty)
                        pretty = filename;

                fd = openat(dfd, filename, O_CLOEXEC|O_NOCTTY|O_DIRECTORY);
                if (fd < 0)
                        return -errno;

                /* btrfs subvolumes have inode 256 */
                if (st.st_ino == 256) {

                        r = btrfs_is_filesystem(fd);
                        if (r < 0)
                                return r;
                        if (r) {
                                BtrfsSubvolInfo info;
                                BtrfsQuotaInfo quota;

                                /* It's a btrfs subvolume */

                                r = btrfs_subvol_get_info_fd(fd, &info);
                                if (r < 0)
                                        return r;

                                r = image_new(IMAGE_SUBVOLUME,
                                              pretty,
                                              path,
                                              filename,
                                              info.read_only || read_only,
                                              info.otime,
                                              0,
                                              ret);
                                if (r < 0)
                                        return r;

                                r = btrfs_subvol_get_quota_fd(fd, &quota);
                                if (r >= 0) {
                                        (*ret)->usage = quota.referenced;
                                        (*ret)->usage_exclusive = quota.exclusive;

                                        (*ret)->limit = quota.referenced_max;
                                        (*ret)->limit_exclusive = quota.exclusive_max;
                                }

                                return 1;
                        }
                }

                /* If the IMMUTABLE bit is set, we consider the
                 * directory read-only. Since the ioctl is not
                 * supported everywhere we ignore failures. */
                (void) read_attr_fd(fd, &file_attr);

                /* It's just a normal directory. */
                r = image_new(IMAGE_DIRECTORY,
                              pretty,
                              path,
                              filename,
                              read_only || (file_attr & FS_IMMUTABLE_FL),
                              0,
                              0,
                              ret);
                if (r < 0)
                        return r;

                return 1;

        } else if (S_ISREG(st.st_mode) && endswith(filename, ".raw")) {
                usec_t crtime = 0;

                /* It's a RAW disk image */

                if (!ret)
                        return 1;

                fd_getcrtime_at(dfd, filename, &crtime, 0);

                if (!pretty)
                        pretty = strndupa(filename, strlen(filename) - 4);

                r = image_new(IMAGE_RAW,
                              pretty,
                              path,
                              filename,
                              !(st.st_mode & 0222) || read_only,
                              crtime,
                              timespec_load(&st.st_mtim),
                              ret);
                if (r < 0)
                        return r;

                (*ret)->usage = (*ret)->usage_exclusive = st.st_blocks * 512;
                (*ret)->limit = (*ret)->limit_exclusive = st.st_size;

                return 1;
        }

        return 0;
}

int image_find(const char *name, Image **ret) {
        const char *path;
        int r;

        assert(name);

        /* There are no images with invalid names */
        if (!image_name_is_valid(name))
                return 0;

        NULSTR_FOREACH(path, image_search_path) {
                _cleanup_closedir_ DIR *d = NULL;

                d = opendir(path);
                if (!d) {
                        if (errno == ENOENT)
                                continue;

                        return -errno;
                }

                r = image_make(NULL, dirfd(d), path, name, ret);
                if (r == 0 || r == -ENOENT) {
                        _cleanup_free_ char *raw = NULL;

                        raw = strappend(name, ".raw");
                        if (!raw)
                                return -ENOMEM;

                        r = image_make(NULL, dirfd(d), path, raw, ret);
                        if (r == 0 || r == -ENOENT)
                                continue;
                }
                if (r < 0)
                        return r;

                return 1;
        }

        if (streq(name, ".host"))
                return image_make(".host", AT_FDCWD, NULL, "/", ret);

        return 0;
};

int image_discover(Hashmap *h) {
        const char *path;
        int r;

        assert(h);

        NULSTR_FOREACH(path, image_search_path) {
                _cleanup_closedir_ DIR *d = NULL;
                struct dirent *de;

                d = opendir(path);
                if (!d) {
                        if (errno == ENOENT)
                                continue;

                        return -errno;
                }

                FOREACH_DIRENT_ALL(de, d, return -errno) {
                        _cleanup_(image_unrefp) Image *image = NULL;

                        if (!image_name_is_valid(de->d_name))
                                continue;

                        if (hashmap_contains(h, de->d_name))
                                continue;

                        r = image_make(NULL, dirfd(d), path, de->d_name, &image);
                        if (r == 0 || r == -ENOENT)
                                continue;
                        if (r < 0)
                                return r;

                        r = hashmap_put(h, image->name, image);
                        if (r < 0)
                                return r;

                        image = NULL;
                }
        }

        if (!hashmap_contains(h, ".host")) {
                _cleanup_(image_unrefp) Image *image = NULL;

                r = image_make(".host", AT_FDCWD, NULL, "/", &image);
                if (r < 0)
                        return r;

                r = hashmap_put(h, image->name, image);
                if (r < 0)
                        return r;

                image = NULL;

        }

        return 0;
}

void image_hashmap_free(Hashmap *map) {
        Image *i;

        while ((i = hashmap_steal_first(map)))
                image_unref(i);

        hashmap_free(map);
}

int image_remove(Image *i) {
        _cleanup_release_lock_file_ LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT;
        int r;

        assert(i);

        if (path_equal(i->path, "/") ||
            path_startswith(i->path, "/usr"))
                return -EROFS;

        /* Make sure we don't interfere with a running nspawn */
        r = image_path_lock(i->path, LOCK_EX|LOCK_NB, &global_lock, &local_lock);
        if (r < 0)
                return r;

        switch (i->type) {

        case IMAGE_SUBVOLUME:
                return btrfs_subvol_remove(i->path, true);

        case IMAGE_DIRECTORY:
                /* Allow deletion of read-only directories */
                (void) chattr_path(i->path, false, FS_IMMUTABLE_FL);
                return rm_rf(i->path, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME);

        case IMAGE_RAW:
                if (unlink(i->path) < 0)
                        return -errno;

                return 0;

        default:
                return -EOPNOTSUPP;
        }
}

int image_rename(Image *i, const char *new_name) {
        _cleanup_release_lock_file_ LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT, name_lock = LOCK_FILE_INIT;
        _cleanup_free_ char *new_path = NULL, *nn = NULL;
        unsigned file_attr = 0;
        int r;

        assert(i);

        if (!image_name_is_valid(new_name))
                return -EINVAL;

        if (path_equal(i->path, "/") ||
            path_startswith(i->path, "/usr"))
                return -EROFS;

        /* Make sure we don't interfere with a running nspawn */
        r = image_path_lock(i->path, LOCK_EX|LOCK_NB, &global_lock, &local_lock);
        if (r < 0)
                return r;

        /* Make sure nobody takes the new name, between the time we
         * checked it is currently unused in all search paths, and the
         * time we take possesion of it */
        r = image_name_lock(new_name, LOCK_EX|LOCK_NB, &name_lock);
        if (r < 0)
                return r;

        r = image_find(new_name, NULL);
        if (r < 0)
                return r;
        if (r > 0)
                return -EEXIST;

        switch (i->type) {

        case IMAGE_DIRECTORY:
                /* Turn of the immutable bit while we rename the image, so that we can rename it */
                (void) read_attr_path(i->path, &file_attr);

                if (file_attr & FS_IMMUTABLE_FL)
                        (void) chattr_path(i->path, false, FS_IMMUTABLE_FL);

                /* fall through */

        case IMAGE_SUBVOLUME:
                new_path = file_in_same_dir(i->path, new_name);
                break;

        case IMAGE_RAW: {
                const char *fn;

                fn = strjoina(new_name, ".raw");
                new_path = file_in_same_dir(i->path, fn);
                break;
        }

        default:
                return -EOPNOTSUPP;
        }

        if (!new_path)
                return -ENOMEM;

        nn = strdup(new_name);
        if (!nn)
                return -ENOMEM;

        r = rename_noreplace(AT_FDCWD, i->path, AT_FDCWD, new_path);
        if (r < 0)
                return r;

        /* Restore the immutable bit, if it was set before */
        if (file_attr & FS_IMMUTABLE_FL)
                (void) chattr_path(new_path, true, FS_IMMUTABLE_FL);

        free(i->path);
        i->path = new_path;
        new_path = NULL;

        free(i->name);
        i->name = nn;
        nn = NULL;

        return 0;
}

int image_clone(Image *i, const char *new_name, bool read_only) {
        _cleanup_release_lock_file_ LockFile name_lock = LOCK_FILE_INIT;
        const char *new_path;
        int r;

        assert(i);

        if (!image_name_is_valid(new_name))
                return -EINVAL;

        /* Make sure nobody takes the new name, between the time we
         * checked it is currently unused in all search paths, and the
         * time we take possesion of it */
        r = image_name_lock(new_name, LOCK_EX|LOCK_NB, &name_lock);
        if (r < 0)
                return r;

        r = image_find(new_name, NULL);
        if (r < 0)
                return r;
        if (r > 0)
                return -EEXIST;

        switch (i->type) {

        case IMAGE_SUBVOLUME:
        case IMAGE_DIRECTORY:
                new_path = strjoina("/var/lib/machines/", new_name);

                r = btrfs_subvol_snapshot(i->path, new_path, (read_only ? BTRFS_SNAPSHOT_READ_ONLY : 0) | BTRFS_SNAPSHOT_FALLBACK_COPY | BTRFS_SNAPSHOT_RECURSIVE);
                break;

        case IMAGE_RAW:
                new_path = strjoina("/var/lib/machines/", new_name, ".raw");

                r = copy_file_atomic(i->path, new_path, read_only ? 0444 : 0644, false, FS_NOCOW_FL);
                break;

        default:
                return -EOPNOTSUPP;
        }

        if (r < 0)
                return r;

        return 0;
}

int image_read_only(Image *i, bool b) {
        _cleanup_release_lock_file_ LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT;
        int r;
        assert(i);

        if (path_equal(i->path, "/") ||
            path_startswith(i->path, "/usr"))
                return -EROFS;

        /* Make sure we don't interfere with a running nspawn */
        r = image_path_lock(i->path, LOCK_EX|LOCK_NB, &global_lock, &local_lock);
        if (r < 0)
                return r;

        switch (i->type) {

        case IMAGE_SUBVOLUME:
                r = btrfs_subvol_set_read_only(i->path, b);
                if (r < 0)
                        return r;

                break;

        case IMAGE_DIRECTORY:
                /* For simple directory trees we cannot use the access
                   mode of the top-level directory, since it has an
                   effect on the container itself.  However, we can
                   use the "immutable" flag, to at least make the
                   top-level directory read-only. It's not as good as
                   a read-only subvolume, but at least something, and
                   we can read the value back.*/

                r = chattr_path(i->path, b, FS_IMMUTABLE_FL);
                if (r < 0)
                        return r;

                break;

        case IMAGE_RAW: {
                struct stat st;

                if (stat(i->path, &st) < 0)
                        return -errno;

                if (chmod(i->path, (st.st_mode & 0444) | (b ? 0000 : 0200)) < 0)
                        return -errno;

                /* If the images is now read-only, it's a good time to
                 * defrag it, given that no write patterns will
                 * fragment it again. */
                if (b)
                        (void) btrfs_defrag(i->path);
                break;
        }

        default:
                return -EOPNOTSUPP;
        }

        return 0;
}

int image_path_lock(const char *path, int operation, LockFile *global, LockFile *local) {
        _cleanup_free_ char *p = NULL;
        LockFile t = LOCK_FILE_INIT;
        struct stat st;
        int r;

        assert(path);
        assert(global);
        assert(local);

        /* Locks an image path. This actually creates two locks: one
         * "local" one, next to the image path itself, which might be
         * shared via NFS. And another "global" one, in /run, that
         * uses the device/inode number. This has the benefit that we
         * can even lock a tree that is a mount point, correctly. */

        if (path_equal(path, "/"))
                return -EBUSY;

        if (!path_is_absolute(path))
                return -EINVAL;

        if (stat(path, &st) >= 0) {
                if (asprintf(&p, "/run/systemd/nspawn/locks/inode-%lu:%lu", (unsigned long) st.st_dev, (unsigned long) st.st_ino) < 0)
                        return -ENOMEM;
        }

        r = make_lock_file_for(path, operation, &t);
        if (r < 0)
                return r;

        if (p) {
                mkdir_p("/run/systemd/nspawn/locks", 0700);

                r = make_lock_file(p, operation, global);
                if (r < 0) {
                        release_lock_file(&t);
                        return r;
                }
        }

        *local = t;
        return 0;
}

int image_set_limit(Image *i, uint64_t referenced_max) {
        assert(i);

        if (path_equal(i->path, "/") ||
            path_startswith(i->path, "/usr"))
                return -EROFS;

        if (i->type != IMAGE_SUBVOLUME)
                return -EOPNOTSUPP;

        return btrfs_quota_limit(i->path, referenced_max);
}

int image_name_lock(const char *name, int operation, LockFile *ret) {
        const char *p;

        assert(name);
        assert(ret);

        /* Locks an image name, regardless of the precise path used. */

        if (!image_name_is_valid(name))
                return -EINVAL;

        if (streq(name, ".host"))
                return -EBUSY;

        mkdir_p("/run/systemd/nspawn/locks", 0700);
        p = strjoina("/run/systemd/nspawn/locks/name-", name);

        return make_lock_file(p, operation, ret);
}

bool image_name_is_valid(const char *s) {
        if (!filename_is_valid(s))
                return false;

        if (string_has_cc(s, NULL))
                return false;

        if (!utf8_is_valid(s))
                return false;

        /* Temporary files for atomically creating new files */
        if (startswith(s, ".#"))
                return false;

        return true;
}

static const char* const image_type_table[_IMAGE_TYPE_MAX] = {
        [IMAGE_DIRECTORY] = "directory",
        [IMAGE_SUBVOLUME] = "subvolume",
        [IMAGE_RAW] = "raw",
};

DEFINE_STRING_TABLE_LOOKUP(image_type, ImageType);
Commit	Line	Data
cd61c3bf LP	1	/-- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil --/
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2013 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU Lesser General Public License as published by
	10	the Free Software Foundation; either version 2.1 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	Lesser General Public License for more details.
	17
	18	You should have received a copy of the GNU Lesser General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
	22	#include <sys/statfs.h>
f2068bcc	23	#include <linux/fs.h>
ebd93cb6	24	#include <fcntl.h>
cd61c3bf	25
cd61c3bf LP	26	#include "utf8.h"
cd61c3bf LP	27	#include "btrfs-util.h"
ebeccf9e	28	#include "path-util.h"
ebd93cb6	29	#include "copy.h"
30535c16	30	#include "mkdir.h"
c6878637	31	#include "rm-rf.h"
003dffde	32	#include "machine-image.h"
cd61c3bf	33
c2ce6a3d	34	static const char image_search_path[] =
42c6f2c9	35	"/var/lib/machines\0"
7d105503	36	"/var/lib/container\0" /* legacy */
42c6f2c9 LP	37	"/usr/local/lib/machines\0"
42c6f2c9 LP	38	"/usr/lib/machines\0";
c2ce6a3d	39
cd61c3bf LP	40	Image image_unref(Image i) {
	41	if (!i)
	42	return NULL;
	43
	44	free(i->name);
	45	free(i->path);
	46	free(i);
	47	return NULL;
	48	}
	49
c2ce6a3d	50	static int image_new(
cd61c3bf	51	ImageType t,
5fc7f358	52	const char *pretty,
cd61c3bf	53	const char *path,
5fc7f358	54	const char *filename,
cd61c3bf	55	bool read_only,
10f9c755	56	usec_t crtime,
cd61c3bf	57	usec_t mtime,
c2ce6a3d	58	Image **ret) {
cd61c3bf LP	59
cd61c3bf LP	60	_cleanup_(image_unrefp) Image *i = NULL;
cd61c3bf	61
cd61c3bf LP	62	assert(t >= 0);
cd61c3bf LP	63	assert(t < _IMAGE_TYPE_MAX);
5fc7f358 LP	64	assert(pretty);
5fc7f358 LP	65	assert(filename);
c2ce6a3d	66	assert(ret);
cd61c3bf	67
c2ce6a3d	68	i = new0(Image, 1);
cd61c3bf LP	69	if (!i)
	70	return -ENOMEM;
	71
	72	i->type = t;
	73	i->read_only = read_only;
10f9c755	74	i->crtime = crtime;
cd61c3bf	75	i->mtime = mtime;
c19de711	76	i->usage = i->usage_exclusive = (uint64_t) -1;
b6b18498	77	i->limit = i->limit_exclusive = (uint64_t) -1;
cd61c3bf	78
5fc7f358	79	i->name = strdup(pretty);
cd61c3bf LP	80	if (!i->name)
	81	return -ENOMEM;
	82
5fc7f358 LP	83	if (path)
	84	i->path = strjoin(path, "/", filename, NULL);
	85	else
	86	i->path = strdup(filename);
ebeccf9e	87
5fc7f358 LP	88	if (!i->path)
	89	return -ENOMEM;
	90
	91	path_kill_slashes(i->path);
cd61c3bf	92
c2ce6a3d	93	*ret = i;
cd61c3bf	94	i = NULL;
c2ce6a3d	95
cd61c3bf LP	96	return 0;
	97	}
	98
5fc7f358 LP	99	static int image_make(
	100	const char *pretty,
	101	int dfd,
	102	const char *path,
	103	const char *filename,
	104	Image **ret) {
	105
c2ce6a3d	106	struct stat st;
5fc7f358	107	bool read_only;
cd61c3bf LP	108	int r;
cd61c3bf LP	109
5fc7f358	110	assert(filename);
cd61c3bf	111
c2ce6a3d	112	/* We explicitly do follow symlinks here, since we want to
5f129649	113	* allow symlinking trees into /var/lib/machines/, and treat
c2ce6a3d	114	* them normally. */
cd61c3bf	115
5fc7f358	116	if (fstatat(dfd, filename, &st, 0) < 0)
c2ce6a3d	117	return -errno;
cd61c3bf	118
5fc7f358 LP	119	read_only =
5fc7f358 LP	120	(path && path_startswith(path, "/usr")) \|\|
08ff5529	121	(faccessat(dfd, filename, W_OK, AT_EACCESS) < 0 && errno == EROFS);
86e339c8	122
c2ce6a3d	123	if (S_ISDIR(st.st_mode)) {
01b72568 LP	124	_cleanup_close_ int fd = -1;
01b72568 LP	125	unsigned file_attr = 0;
cd61c3bf	126
c2ce6a3d LP	127	if (!ret)
c2ce6a3d LP	128	return 1;
cd61c3bf	129
5fc7f358 LP	130	if (!pretty)
	131	pretty = filename;
	132
01b72568 LP	133	fd = openat(dfd, filename, O_CLOEXEC\|O_NOCTTY\|O_DIRECTORY);
	134	if (fd < 0)
	135	return -errno;
	136
c2ce6a3d LP	137	/* btrfs subvolumes have inode 256 */
c2ce6a3d LP	138	if (st.st_ino == 256) {
cd61c3bf	139
21222ea5 LP	140	r = btrfs_is_filesystem(fd);
	141	if (r < 0)
	142	return r;
	143	if (r) {
10f9c755	144	BtrfsSubvolInfo info;
b6b18498	145	BtrfsQuotaInfo quota;
cd61c3bf	146
c2ce6a3d	147	/* It's a btrfs subvolume */
cd61c3bf	148
10f9c755 LP	149	r = btrfs_subvol_get_info_fd(fd, &info);
	150	if (r < 0)
	151	return r;
c2ce6a3d LP	152
c2ce6a3d LP	153	r = image_new(IMAGE_SUBVOLUME,
5fc7f358	154	pretty,
c2ce6a3d	155	path,
5fc7f358 LP	156	filename,
5fc7f358 LP	157	info.read_only \|\| read_only,
10f9c755	158	info.otime,
c2ce6a3d	159	0,
c2ce6a3d LP	160	ret);
	161	if (r < 0)
	162	return r;
	163
b6b18498 LP	164	r = btrfs_subvol_get_quota_fd(fd, &quota);
b6b18498 LP	165	if (r >= 0) {
cb81cd80	166	(*ret)->usage = quota.referenced;
c19de711	167	(*ret)->usage_exclusive = quota.exclusive;
b6b18498	168
cb81cd80	169	(*ret)->limit = quota.referenced_max;
b6b18498 LP	170	(*ret)->limit_exclusive = quota.exclusive_max;
	171	}
	172
c2ce6a3d	173	return 1;
cd61c3bf	174	}
c2ce6a3d	175	}
cd61c3bf	176
01b72568 LP	177	/* If the IMMUTABLE bit is set, we consider the
	178	* directory read-only. Since the ioctl is not
	179	* supported everywhere we ignore failures. */
	180	(void) read_attr_fd(fd, &file_attr);
cd61c3bf	181
01b72568	182	/* It's just a normal directory. */
c2ce6a3d	183	r = image_new(IMAGE_DIRECTORY,
5fc7f358	184	pretty,
c2ce6a3d	185	path,
5fc7f358	186	filename,
01b72568	187	read_only \|\| (file_attr & FS_IMMUTABLE_FL),
c2ce6a3d LP	188	0,
	189	0,
	190	ret);
	191	if (r < 0)
	192	return r;
cd61c3bf	193
c2ce6a3d	194	return 1;
cd61c3bf	195
aceac2f0	196	} else if (S_ISREG(st.st_mode) && endswith(filename, ".raw")) {
10f9c755	197	usec_t crtime = 0;
cd61c3bf	198
aceac2f0	199	/* It's a RAW disk image */
cd61c3bf	200
c2ce6a3d LP	201	if (!ret)
c2ce6a3d LP	202	return 1;
cd61c3bf	203
5fc7f358	204	fd_getcrtime_at(dfd, filename, &crtime, 0);
10f9c755	205
5fc7f358 LP	206	if (!pretty)
5fc7f358 LP	207	pretty = strndupa(filename, strlen(filename) - 4);
10f9c755	208
aceac2f0	209	r = image_new(IMAGE_RAW,
5fc7f358	210	pretty,
c2ce6a3d	211	path,
5fc7f358 LP	212	filename,
5fc7f358 LP	213	!(st.st_mode & 0222) \|\| read_only,
10f9c755	214	crtime,
c2ce6a3d	215	timespec_load(&st.st_mtim),
c2ce6a3d LP	216	ret);
	217	if (r < 0)
	218	return r;
cd61c3bf	219
c19de711	220	(ret)->usage = (ret)->usage_exclusive = st.st_blocks * 512;
b6b18498 LP	221	(ret)->limit = (ret)->limit_exclusive = st.st_size;
b6b18498 LP	222
c2ce6a3d LP	223	return 1;
c2ce6a3d LP	224	}
cd61c3bf	225
c2ce6a3d LP	226	return 0;
c2ce6a3d LP	227	}
cd61c3bf	228
c2ce6a3d LP	229	int image_find(const char name, Image *ret) {
	230	const char *path;
	231	int r;
cd61c3bf	232
c2ce6a3d	233	assert(name);
cd61c3bf	234
c2ce6a3d LP	235	/* There are no images with invalid names */
	236	if (!image_name_is_valid(name))
	237	return 0;
cd61c3bf	238
c2ce6a3d LP	239	NULSTR_FOREACH(path, image_search_path) {
c2ce6a3d LP	240	_cleanup_closedir_ DIR *d = NULL;
cd61c3bf	241
c2ce6a3d LP	242	d = opendir(path);
	243	if (!d) {
	244	if (errno == ENOENT)
	245	continue;
cd61c3bf	246
c2ce6a3d LP	247	return -errno;
c2ce6a3d LP	248	}
cd61c3bf	249
5fc7f358 LP	250	r = image_make(NULL, dirfd(d), path, name, ret);
5fc7f358 LP	251	if (r == 0 \|\| r == -ENOENT) {
aceac2f0	252	_cleanup_free_ char *raw = NULL;
5fc7f358	253
aceac2f0 LP	254	raw = strappend(name, ".raw");
aceac2f0 LP	255	if (!raw)
5fc7f358 LP	256	return -ENOMEM;
5fc7f358 LP	257
aceac2f0	258	r = image_make(NULL, dirfd(d), path, raw, ret);
5fc7f358 LP	259	if (r == 0 \|\| r == -ENOENT)
	260	continue;
	261	}
c2ce6a3d LP	262	if (r < 0)
c2ce6a3d LP	263	return r;
cd61c3bf	264
c2ce6a3d LP	265	return 1;
	266	}
	267
5fc7f358	268	if (streq(name, ".host"))
27c88c4e	269	return image_make(".host", AT_FDCWD, NULL, "/", ret);
5fc7f358	270
c2ce6a3d LP	271	return 0;
	272	};
	273
	274	int image_discover(Hashmap *h) {
	275	const char *path;
	276	int r;
	277
	278	assert(h);
	279
	280	NULSTR_FOREACH(path, image_search_path) {
	281	_cleanup_closedir_ DIR *d = NULL;
	282	struct dirent *de;
	283
	284	d = opendir(path);
	285	if (!d) {
	286	if (errno == ENOENT)
a67a4c8c	287	continue;
c2ce6a3d LP	288
	289	return -errno;
	290	}
	291
	292	FOREACH_DIRENT_ALL(de, d, return -errno) {
	293	_cleanup_(image_unrefp) Image *image = NULL;
	294
	295	if (!image_name_is_valid(de->d_name))
	296	continue;
	297
	298	if (hashmap_contains(h, de->d_name))
	299	continue;
	300
5fc7f358	301	r = image_make(NULL, dirfd(d), path, de->d_name, &image);
c2ce6a3d LP	302	if (r == 0 \|\| r == -ENOENT)
	303	continue;
	304	if (r < 0)
	305	return r;
	306
	307	r = hashmap_put(h, image->name, image);
	308	if (r < 0)
	309	return r;
	310
	311	image = NULL;
cd61c3bf LP	312	}
	313	}
	314
5fc7f358 LP	315	if (!hashmap_contains(h, ".host")) {
	316	_cleanup_(image_unrefp) Image *image = NULL;
	317
	318	r = image_make(".host", AT_FDCWD, NULL, "/", &image);
	319	if (r < 0)
	320	return r;
	321
	322	r = hashmap_put(h, image->name, image);
	323	if (r < 0)
	324	return r;
	325
	326	image = NULL;
	327
	328	}
	329
cd61c3bf LP	330	return 0;
	331	}
	332
	333	void image_hashmap_free(Hashmap *map) {
	334	Image *i;
	335
	336	while ((i = hashmap_steal_first(map)))
	337	image_unref(i);
	338
	339	hashmap_free(map);
	340	}
	341
08682124	342	int image_remove(Image *i) {
30535c16 LP	343	_cleanup_release_lock_file_ LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT;
	344	int r;
	345
08682124 LP	346	assert(i);
	347
	348	if (path_equal(i->path, "/") \|\|
	349	path_startswith(i->path, "/usr"))
	350	return -EROFS;
	351
30535c16 LP	352	/* Make sure we don't interfere with a running nspawn */
	353	r = image_path_lock(i->path, LOCK_EX\|LOCK_NB, &global_lock, &local_lock);
	354	if (r < 0)
	355	return r;
	356
ebd93cb6 LP	357	switch (i->type) {
	358
	359	case IMAGE_SUBVOLUME:
d9e2daaf	360	return btrfs_subvol_remove(i->path, true);
ebd93cb6 LP	361
ebd93cb6 LP	362	case IMAGE_DIRECTORY:
01b72568 LP	363	/* Allow deletion of read-only directories */
01b72568 LP	364	(void) chattr_path(i->path, false, FS_IMMUTABLE_FL);
41d1ed05	365	return rm_rf(i->path, REMOVE_ROOT\|REMOVE_PHYSICAL\|REMOVE_SUBVOLUME);
01b72568	366
aceac2f0	367	case IMAGE_RAW:
41d1ed05 LP	368	if (unlink(i->path) < 0)
	369	return -errno;
	370
	371	return 0;
ebd93cb6 LP	372
ebd93cb6 LP	373	default:
15411c0c	374	return -EOPNOTSUPP;
ebd93cb6 LP	375	}
	376	}
	377
	378	int image_rename(Image i, const char new_name) {
30535c16	379	_cleanup_release_lock_file_ LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT, name_lock = LOCK_FILE_INIT;
ebd93cb6	380	_cleanup_free_ char new_path = NULL, nn = NULL;
01b72568	381	unsigned file_attr = 0;
ebd93cb6 LP	382	int r;
	383
	384	assert(i);
	385
	386	if (!image_name_is_valid(new_name))
	387	return -EINVAL;
	388
	389	if (path_equal(i->path, "/") \|\|
	390	path_startswith(i->path, "/usr"))
	391	return -EROFS;
	392
30535c16 LP	393	/* Make sure we don't interfere with a running nspawn */
	394	r = image_path_lock(i->path, LOCK_EX\|LOCK_NB, &global_lock, &local_lock);
	395	if (r < 0)
	396	return r;
	397
	398	/* Make sure nobody takes the new name, between the time we
	399	* checked it is currently unused in all search paths, and the
	400	* time we take possesion of it */
	401	r = image_name_lock(new_name, LOCK_EX\|LOCK_NB, &name_lock);
	402	if (r < 0)
	403	return r;
	404
ebd93cb6 LP	405	r = image_find(new_name, NULL);
	406	if (r < 0)
	407	return r;
	408	if (r > 0)
	409	return -EEXIST;
	410
	411	switch (i->type) {
	412
ebd93cb6	413	case IMAGE_DIRECTORY:
01b72568 LP	414	/* Turn of the immutable bit while we rename the image, so that we can rename it */
	415	(void) read_attr_path(i->path, &file_attr);
	416
	417	if (file_attr & FS_IMMUTABLE_FL)
	418	(void) chattr_path(i->path, false, FS_IMMUTABLE_FL);
	419
	420	/* fall through */
	421
	422	case IMAGE_SUBVOLUME:
ebd93cb6 LP	423	new_path = file_in_same_dir(i->path, new_name);
	424	break;
	425
aceac2f0	426	case IMAGE_RAW: {
ebd93cb6 LP	427	const char *fn;
ebd93cb6 LP	428
63c372cb	429	fn = strjoina(new_name, ".raw");
ebd93cb6 LP	430	new_path = file_in_same_dir(i->path, fn);
	431	break;
	432	}
	433
	434	default:
15411c0c	435	return -EOPNOTSUPP;
ebd93cb6 LP	436	}
	437
	438	if (!new_path)
	439	return -ENOMEM;
	440
	441	nn = strdup(new_name);
	442	if (!nn)
	443	return -ENOMEM;
	444
f85ef957 AC	445	r = rename_noreplace(AT_FDCWD, i->path, AT_FDCWD, new_path);
	446	if (r < 0)
	447	return r;
ebd93cb6	448
01b72568 LP	449	/* Restore the immutable bit, if it was set before */
	450	if (file_attr & FS_IMMUTABLE_FL)
	451	(void) chattr_path(new_path, true, FS_IMMUTABLE_FL);
	452
ebd93cb6 LP	453	free(i->path);
	454	i->path = new_path;
	455	new_path = NULL;
	456
	457	free(i->name);
	458	i->name = nn;
	459	nn = NULL;
	460
	461	return 0;
	462	}
	463
	464	int image_clone(Image i, const char new_name, bool read_only) {
30535c16	465	_cleanup_release_lock_file_ LockFile name_lock = LOCK_FILE_INIT;
ebd93cb6 LP	466	const char *new_path;
	467	int r;
	468
	469	assert(i);
	470
	471	if (!image_name_is_valid(new_name))
	472	return -EINVAL;
	473
30535c16 LP	474	/* Make sure nobody takes the new name, between the time we
	475	* checked it is currently unused in all search paths, and the
	476	* time we take possesion of it */
	477	r = image_name_lock(new_name, LOCK_EX\|LOCK_NB, &name_lock);
	478	if (r < 0)
	479	return r;
	480
ebd93cb6 LP	481	r = image_find(new_name, NULL);
	482	if (r < 0)
	483	return r;
	484	if (r > 0)
	485	return -EEXIST;
	486
	487	switch (i->type) {
	488
	489	case IMAGE_SUBVOLUME:
	490	case IMAGE_DIRECTORY:
63c372cb	491	new_path = strjoina("/var/lib/machines/", new_name);
ebd93cb6	492
f70a17f8	493	r = btrfs_subvol_snapshot(i->path, new_path, (read_only ? BTRFS_SNAPSHOT_READ_ONLY : 0) \| BTRFS_SNAPSHOT_FALLBACK_COPY \| BTRFS_SNAPSHOT_RECURSIVE);
ebd93cb6 LP	494	break;
ebd93cb6 LP	495
aceac2f0	496	case IMAGE_RAW:
63c372cb	497	new_path = strjoina("/var/lib/machines/", new_name, ".raw");
ebd93cb6	498
f2068bcc	499	r = copy_file_atomic(i->path, new_path, read_only ? 0444 : 0644, false, FS_NOCOW_FL);
ebd93cb6 LP	500	break;
	501
	502	default:
15411c0c	503	return -EOPNOTSUPP;
ebd93cb6 LP	504	}
	505
	506	if (r < 0)
	507	return r;
	508
	509	return 0;
	510	}
	511
	512	int image_read_only(Image *i, bool b) {
30535c16	513	_cleanup_release_lock_file_ LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT;
ebd93cb6 LP	514	int r;
	515	assert(i);
	516
	517	if (path_equal(i->path, "/") \|\|
	518	path_startswith(i->path, "/usr"))
	519	return -EROFS;
	520
30535c16 LP	521	/* Make sure we don't interfere with a running nspawn */
	522	r = image_path_lock(i->path, LOCK_EX\|LOCK_NB, &global_lock, &local_lock);
	523	if (r < 0)
	524	return r;
	525
ebd93cb6 LP	526	switch (i->type) {
	527
	528	case IMAGE_SUBVOLUME:
	529	r = btrfs_subvol_set_read_only(i->path, b);
	530	if (r < 0)
	531	return r;
01b72568 LP	532
	533	break;
	534
	535	case IMAGE_DIRECTORY:
	536	/* For simple directory trees we cannot use the access
	537	mode of the top-level directory, since it has an
	538	effect on the container itself. However, we can
	539	use the "immutable" flag, to at least make the
	540	top-level directory read-only. It's not as good as
	541	a read-only subvolume, but at least something, and
	542	we can read the value back.*/
	543
	544	r = chattr_path(i->path, b, FS_IMMUTABLE_FL);
	545	if (r < 0)
	546	return r;
	547
ebd93cb6 LP	548	break;
ebd93cb6 LP	549
aceac2f0	550	case IMAGE_RAW: {
ebd93cb6 LP	551	struct stat st;
	552
	553	if (stat(i->path, &st) < 0)
	554	return -errno;
	555
	556	if (chmod(i->path, (st.st_mode & 0444) \| (b ? 0000 : 0200)) < 0)
	557	return -errno;
f2068bcc LP	558
	559	/* If the images is now read-only, it's a good time to
	560	* defrag it, given that no write patterns will
	561	* fragment it again. */
	562	if (b)
	563	(void) btrfs_defrag(i->path);
ebd93cb6 LP	564	break;
	565	}
	566
ebd93cb6	567	default:
15411c0c	568	return -EOPNOTSUPP;
ebd93cb6 LP	569	}
	570
	571	return 0;
08682124 LP	572	}
08682124 LP	573
30535c16 LP	574	int image_path_lock(const char path, int operation, LockFile global, LockFile *local) {
	575	_cleanup_free_ char *p = NULL;
	576	LockFile t = LOCK_FILE_INIT;
	577	struct stat st;
	578	int r;
	579
	580	assert(path);
	581	assert(global);
	582	assert(local);
	583
	584	/* Locks an image path. This actually creates two locks: one
	585	* "local" one, next to the image path itself, which might be
	586	* shared via NFS. And another "global" one, in /run, that
	587	* uses the device/inode number. This has the benefit that we
	588	* can even lock a tree that is a mount point, correctly. */
	589
	590	if (path_equal(path, "/"))
	591	return -EBUSY;
	592
	593	if (!path_is_absolute(path))
	594	return -EINVAL;
	595
	596	if (stat(path, &st) >= 0) {
	597	if (asprintf(&p, "/run/systemd/nspawn/locks/inode-%lu:%lu", (unsigned long) st.st_dev, (unsigned long) st.st_ino) < 0)
	598	return -ENOMEM;
	599	}
	600
	601	r = make_lock_file_for(path, operation, &t);
	602	if (r < 0)
	603	return r;
	604
	605	if (p) {
7e7cddb2	606	mkdir_p("/run/systemd/nspawn/locks", 0700);
30535c16 LP	607
	608	r = make_lock_file(p, operation, global);
	609	if (r < 0) {
	610	release_lock_file(&t);
	611	return r;
	612	}
	613	}
	614
	615	*local = t;
	616	return 0;
	617	}
	618
cb81cd80	619	int image_set_limit(Image *i, uint64_t referenced_max) {
d6ce17c7 LP	620	assert(i);
	621
	622	if (path_equal(i->path, "/") \|\|
	623	path_startswith(i->path, "/usr"))
	624	return -EROFS;
	625
	626	if (i->type != IMAGE_SUBVOLUME)
15411c0c	627	return -EOPNOTSUPP;
d6ce17c7	628
cb81cd80	629	return btrfs_quota_limit(i->path, referenced_max);
d6ce17c7 LP	630	}
d6ce17c7 LP	631
30535c16 LP	632	int image_name_lock(const char name, int operation, LockFile ret) {
	633	const char *p;
	634
	635	assert(name);
	636	assert(ret);
	637
	638	/* Locks an image name, regardless of the precise path used. */
	639
	640	if (!image_name_is_valid(name))
	641	return -EINVAL;
	642
	643	if (streq(name, ".host"))
	644	return -EBUSY;
	645
7e7cddb2	646	mkdir_p("/run/systemd/nspawn/locks", 0700);
63c372cb	647	p = strjoina("/run/systemd/nspawn/locks/name-", name);
30535c16 LP	648
	649	return make_lock_file(p, operation, ret);
	650	}
	651
	652	bool image_name_is_valid(const char *s) {
	653	if (!filename_is_valid(s))
	654	return false;
	655
	656	if (string_has_cc(s, NULL))
	657	return false;
	658
	659	if (!utf8_is_valid(s))
	660	return false;
	661
	662	/* Temporary files for atomically creating new files */
	663	if (startswith(s, ".#"))
	664	return false;
	665
	666	return true;
	667	}
	668
cd61c3bf LP	669	static const char* const image_type_table[_IMAGE_TYPE_MAX] = {
	670	[IMAGE_DIRECTORY] = "directory",
	671	[IMAGE_SUBVOLUME] = "subvolume",
aceac2f0	672	[IMAGE_RAW] = "raw",
cd61c3bf LP	673	};
	674
	675	DEFINE_STRING_TABLE_LOOKUP(image_type, ImageType);