]> git.ipfire.org Git - thirdparty/systemd.git/blame_incremental - src/shared/discover-image.c
projects / thirdparty / systemd.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Revert "TEST-55-OOMD: Verify that ExecStopPost= runs on oom-kill"
[thirdparty/systemd.git] / src / shared / discover-image.c
... / ...
CommitLineData
1/* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3#include <fcntl.h>
4#include <linux/loop.h>
5#include <linux/magic.h>
6#include <stdio.h>
7#include <sys/file.h>
8#include <sys/ioctl.h>
9#include <sys/stat.h>
10#include <sys/sysmacros.h>
11#include <unistd.h>
12
13#include "sd-json.h"
14#include "sd-path.h"
15
16#include "alloc-util.h"
17#include "blockdev-util.h"
18#include "btrfs-util.h"
19#include "chase.h"
20#include "chattr-util.h"
21#include "copy.h"
22#include "dirent-util.h"
23#include "discover-image.h"
24#include "dissect-image.h"
25#include "env-file.h"
26#include "env-util.h"
27#include "extension-util.h"
28#include "fd-util.h"
29#include "fs-util.h"
30#include "hashmap.h"
31#include "hostname-setup.h"
32#include "id128-util.h"
33#include "initrd-util.h"
34#include "lock-util.h"
35#include "log.h"
36#include "loop-util.h"
37#include "mkdir.h"
38#include "nulstr-util.h"
39#include "os-util.h"
40#include "path-util.h"
41#include "rm-rf.h"
42#include "runtime-scope.h"
43#include "stat-util.h"
44#include "string-table.h"
45#include "string-util.h"
46#include "strv.h"
47#include "time-util.h"
48#include "vpick.h"
49#include "xattr-util.h"
50
51const char* const image_search_path[_IMAGE_CLASS_MAX] = {
52 [IMAGE_MACHINE] = "/etc/machines\0" /* only place symlinks here */
53 "/run/machines\0" /* and here too */
54 "/var/lib/machines\0" /* the main place for images */
55 "/var/lib/container\0" /* legacy */
56 "/usr/local/lib/machines\0"
57 "/usr/lib/machines\0",
58
59 [IMAGE_PORTABLE] = "/etc/portables\0" /* only place symlinks here */
60 "/run/portables\0" /* and here too */
61 "/var/lib/portables\0" /* the main place for images */
62 "/usr/local/lib/portables\0"
63 "/usr/lib/portables\0",
64
65 /* Note that we don't allow storing extensions under /usr/, unlike with other image types. That's
66 * because extension images are supposed to extend /usr/, so you get into recursive races, especially
67 * with directory-based extensions, as the kernel's OverlayFS explicitly checks for this and errors
68 * out with -ELOOP if it finds that a lowerdir= is a child of another lowerdir=. */
69 [IMAGE_SYSEXT] = "/etc/extensions\0" /* only place symlinks here */
70 "/run/extensions\0" /* and here too */
71 "/var/lib/extensions\0", /* the main place for images */
72
73 [IMAGE_CONFEXT] = "/run/confexts\0" /* only place symlinks here */
74 "/var/lib/confexts\0" /* the main place for images */
75 "/usr/local/lib/confexts\0"
76 "/usr/lib/confexts\0",
77};
78
79/* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext/,
80 * /.extra/global_sysext, .extra/confext/, and /.extra/global_confext in extension search dir) */
81static const char* const image_search_path_initrd[_IMAGE_CLASS_MAX] = {
82 /* (entries that aren't listed here will get the same search path as for the non initrd-case) */
83
84 [IMAGE_SYSEXT] = "/etc/extensions\0" /* only place symlinks here */
85 "/run/extensions\0" /* and here too */
86 "/var/lib/extensions\0" /* the main place for images */
87 "/.extra/sysext\0" /* put sysext (per-UKI and global) picked up by systemd-stub */
88 "/.extra/global_sysext\0", /* last, since not trusted */
89
90 [IMAGE_CONFEXT] = "/run/confexts\0" /* only place symlinks here */
91 "/var/lib/confexts\0" /* the main place for images */
92 "/usr/local/lib/confexts\0"
93 "/.extra/confext\0" /* put confext (per-UKI and global) picked up by systemd-stub */
94 "/.extra/global_confext\0", /* last, since not trusted. */
95};
96
97static const char* image_class_suffix_table[_IMAGE_CLASS_MAX] = {
98 [IMAGE_SYSEXT] = ".sysext",
99 [IMAGE_CONFEXT] = ".confext",
100};
101
102DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(image_class_suffix, ImageClass);
103
104static const char *const image_root_table[_IMAGE_CLASS_MAX] = {
105 [IMAGE_MACHINE] = "/var/lib/machines",
106 [IMAGE_PORTABLE] = "/var/lib/portables",
107 [IMAGE_SYSEXT] = "/var/lib/extensions",
108 [IMAGE_CONFEXT] = "/var/lib/confexts",
109};
110
111DEFINE_STRING_TABLE_LOOKUP_TO_STRING(image_root, ImageClass);
112
113static const char *const image_root_runtime_table[_IMAGE_CLASS_MAX] = {
114 [IMAGE_MACHINE] = "/run/machines",
115 [IMAGE_PORTABLE] = "/run/portables",
116 [IMAGE_SYSEXT] = "/run/extensions",
117 [IMAGE_CONFEXT] = "/run/confexts",
118};
119
120DEFINE_STRING_TABLE_LOOKUP_TO_STRING(image_root_runtime, ImageClass);
121
122static Image* image_free(Image *i) {
123 assert(i);
124
125 free(i->name);
126 free(i->path);
127
128 free(i->hostname);
129 strv_free(i->machine_info);
130 strv_free(i->os_release);
131 strv_free(i->sysext_release);
132 strv_free(i->confext_release);
133
134 return mfree(i);
135}
136
137DEFINE_TRIVIAL_REF_UNREF_FUNC(Image, image, image_free);
138DEFINE_HASH_OPS_WITH_VALUE_DESTRUCTOR(image_hash_ops, char, string_hash_func, string_compare_func,
139 Image, image_unref);
140
141static char** image_settings_path(Image *image) {
142 _cleanup_strv_free_ char **l = NULL;
143 _cleanup_free_ char *fn = NULL;
144 size_t i = 0;
145 int r;
146
147 assert(image);
148
149 l = new0(char*, 4);
150 if (!l)
151 return NULL;
152
153 fn = strjoin(image->name, ".nspawn");
154 if (!fn)
155 return NULL;
156
157 FOREACH_STRING(s, "/etc/systemd/nspawn", "/run/systemd/nspawn") {
158 l[i] = path_join(s, fn);
159 if (!l[i])
160 return NULL;
161
162 i++;
163 }
164
165 r = file_in_same_dir(image->path, fn, l + i);
166 if (r == -ENOMEM)
167 return NULL;
168 if (r < 0)
169 log_debug_errno(r, "Failed to generate .nspawn settings path from image path, ignoring: %m");
170
171 strv_uniq(l);
172
173 return TAKE_PTR(l);
174}
175
176static int image_roothash_path(Image *image, char **ret) {
177 _cleanup_free_ char *fn = NULL;
178
179 assert(image);
180
181 fn = strjoin(image->name, ".roothash");
182 if (!fn)
183 return -ENOMEM;
184
185 return file_in_same_dir(image->path, fn, ret);
186}
187
188static int image_new(
189 ImageType t,
190 ImageClass c,
191 const char *pretty,
192 const char *path,
193 const char *filename,
194 bool read_only,
195 usec_t crtime,
196 usec_t mtime,
197 Image **ret) {
198
199 _cleanup_(image_unrefp) Image *i = NULL;
200
201 assert(t >= 0);
202 assert(t < _IMAGE_TYPE_MAX);
203 assert(pretty);
204 assert(filename);
205 assert(ret);
206
207 i = new(Image, 1);
208 if (!i)
209 return -ENOMEM;
210
211 *i = (Image) {
212 .n_ref = 1,
213 .type = t,
214 .class = c,
215 .read_only = read_only,
216 .crtime = crtime,
217 .mtime = mtime,
218 .usage = UINT64_MAX,
219 .usage_exclusive = UINT64_MAX,
220 .limit = UINT64_MAX,
221 .limit_exclusive = UINT64_MAX,
222 };
223
224 i->name = strdup(pretty);
225 if (!i->name)
226 return -ENOMEM;
227
228 i->path = path_join(path, filename);
229 if (!i->path)
230 return -ENOMEM;
231
232 path_simplify(i->path);
233
234 *ret = TAKE_PTR(i);
235
236 return 0;
237}
238
239static int extract_image_basename(
240 const char *path,
241 const char *class_suffix, /* e.g. ".sysext" (this is an optional suffix) */
242 char **format_suffixes, /* e.g. ".raw" (one of these will be required) */
243 char **ret_basename,
244 char **ret_suffix) {
245
246 _cleanup_free_ char *name = NULL, *suffix = NULL;
247 int r;
248
249 assert(path);
250
251 r = path_extract_filename(path, &name);
252 if (r < 0)
253 return r;
254
255 if (format_suffixes) {
256 char *e = endswith_strv(name, format_suffixes);
257 if (!e) /* Format suffix is required */
258 return -EINVAL;
259
260 if (ret_suffix) {
261 suffix = strdup(e);
262 if (!suffix)
263 return -ENOMEM;
264 }
265
266 *e = 0;
267 }
268
269 if (class_suffix) {
270 char *e = endswith(name, class_suffix);
271 if (e) { /* Class suffix is optional */
272 if (ret_suffix) {
273 _cleanup_free_ char *j = strjoin(e, suffix);
274 if (!j)
275 return -ENOMEM;
276
277 free_and_replace(suffix, j);
278 }
279
280 *e = 0;
281 }
282 }
283
284 if (!image_name_is_valid(name))
285 return -EINVAL;
286
287 if (ret_suffix)
288 *ret_suffix = TAKE_PTR(suffix);
289
290 if (ret_basename)
291 *ret_basename = TAKE_PTR(name);
292
293 return 0;
294}
295
296static int image_update_quota(Image *i, int fd) {
297 _cleanup_close_ int fd_close = -EBADF;
298 int r;
299
300 assert(i);
301
302 if (image_is_vendor(i) || image_is_host(i))
303 return -EROFS;
304
305 if (i->type != IMAGE_SUBVOLUME)
306 return -EOPNOTSUPP;
307
308 if (fd < 0) {
309 fd_close = open(i->path, O_CLOEXEC|O_DIRECTORY);
310 if (fd_close < 0)
311 return -errno;
312 fd = fd_close;
313 } else {
314 /* Convert from O_PATH to proper fd, if needed */
315 fd = fd_reopen_condition(fd, O_CLOEXEC|O_DIRECTORY, O_PATH, &fd_close);
316 if (fd < 0)
317 return fd;
318 }
319
320 r = btrfs_quota_scan_ongoing(fd);
321 if (r < 0)
322 return r;
323 if (r > 0)
324 return 0;
325
326 BtrfsQuotaInfo quota;
327 r = btrfs_subvol_get_subtree_quota_fd(fd, 0, &quota);
328 if (r < 0)
329 return r;
330
331 i->usage = quota.referenced;
332 i->usage_exclusive = quota.exclusive;
333 i->limit = quota.referenced_max;
334 i->limit_exclusive = quota.exclusive_max;
335
336 return 1;
337}
338
339static int image_make(
340 ImageClass c,
341 const char *pretty,
342 int dir_fd,
343 const char *dir_path,
344 const char *filename,
345 int fd, /* O_PATH fd */
346 const struct stat *st,
347 Image **ret) {
348
349 _cleanup_free_ char *pretty_buffer = NULL;
350 bool read_only;
351 int r;
352
353 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
354 assert(dir_path || dir_fd == AT_FDCWD);
355 assert(filename);
356
357 /* We explicitly *do* follow symlinks here, since we want to allow symlinking trees, raw files and block
358 * devices into /var/lib/machines/, and treat them normally.
359 *
360 * This function returns -ENOENT if we can't find the image after all, and -EMEDIUMTYPE if it's not a file we
361 * recognize. */
362
363 _cleanup_close_ int _fd = -EBADF;
364 if (fd < 0) {
365 /* If we didn't get an fd passed in, then let's pin it via O_PATH now */
366 _fd = openat(dir_fd, filename, O_PATH|O_CLOEXEC);
367 if (_fd < 0)
368 return -errno;
369
370 fd = _fd;
371 st = NULL; /* refresh stat() data now that we have the inode pinned */
372 }
373
374 struct stat stbuf;
375 if (!st) {
376 if (fstat(fd, &stbuf) < 0)
377 return -errno;
378
379 st = &stbuf;
380 }
381
382 _cleanup_free_ char *parent = NULL;
383 if (!dir_path) {
384 (void) fd_get_path(dir_fd, &parent);
385 dir_path = parent;
386 }
387
388 read_only =
389 (dir_path && path_startswith(dir_path, "/usr")) ||
390 (faccessat(fd, "", W_OK, AT_EACCESS|AT_EMPTY_PATH) < 0 && errno == EROFS);
391
392 if (S_ISDIR(st->st_mode)) {
393 unsigned file_attr = 0;
394 usec_t crtime = 0;
395
396 if (!ret)
397 return 0;
398
399 if (!pretty) {
400 r = extract_image_basename(
401 filename,
402 image_class_suffix_to_string(c),
403 /* format_suffixes= */ NULL,
404 &pretty_buffer,
405 /* ret_suffix= */ NULL);
406 if (r < 0)
407 return r;
408
409 pretty = pretty_buffer;
410 }
411
412 if (btrfs_might_be_subvol(st)) {
413
414 r = fd_is_fs_type(fd, BTRFS_SUPER_MAGIC);
415 if (r < 0)
416 return r;
417 if (r > 0) {
418 BtrfsSubvolInfo info;
419
420 /* It's a btrfs subvolume */
421
422 r = btrfs_subvol_get_info_fd(fd, 0, &info);
423 if (r < 0)
424 return r;
425
426 r = image_new(IMAGE_SUBVOLUME,
427 c,
428 pretty,
429 dir_path,
430 filename,
431 info.read_only || read_only,
432 info.otime,
433 info.ctime,
434 ret);
435 if (r < 0)
436 return r;
437
438 (void) image_update_quota(*ret, fd);
439 return 0;
440 }
441 }
442
443 /* Get directory creation time (not available everywhere, but that's OK */
444 (void) fd_getcrtime(fd, &crtime);
445
446 /* If the IMMUTABLE bit is set, we consider the directory read-only. Since the ioctl is not
447 * supported everywhere we ignore failures. */
448 (void) read_attr_fd(fd, &file_attr);
449
450 /* It's just a normal directory. */
451 r = image_new(IMAGE_DIRECTORY,
452 c,
453 pretty,
454 dir_path,
455 filename,
456 read_only || (file_attr & FS_IMMUTABLE_FL),
457 crtime,
458 0, /* we don't use mtime of stat() here, since it's not the time of last change of the tree, but only of the top-level dir */
459 ret);
460 if (r < 0)
461 return r;
462
463 return 0;
464
465 } else if (S_ISREG(st->st_mode) && endswith(filename, ".raw")) {
466 usec_t crtime = 0;
467
468 /* It's a RAW disk image */
469
470 if (!ret)
471 return 0;
472
473 (void) fd_getcrtime(fd, &crtime);
474
475 if (!pretty) {
476 r = extract_image_basename(
477 filename,
478 image_class_suffix_to_string(c),
479 STRV_MAKE(".raw"),
480 &pretty_buffer,
481 /* ret_suffix= */ NULL);
482 if (r < 0)
483 return r;
484
485 pretty = pretty_buffer;
486 }
487
488 r = image_new(IMAGE_RAW,
489 c,
490 pretty,
491 dir_path,
492 filename,
493 !(st->st_mode & 0222) || read_only,
494 crtime,
495 timespec_load(&st->st_mtim),
496 ret);
497 if (r < 0)
498 return r;
499
500 (*ret)->usage = (*ret)->usage_exclusive = st->st_blocks * 512;
501 (*ret)->limit = (*ret)->limit_exclusive = st->st_size;
502
503 return 0;
504
505 } else if (S_ISBLK(st->st_mode)) {
506 uint64_t size = UINT64_MAX;
507
508 /* A block device */
509
510 if (!ret)
511 return 0;
512
513 if (!pretty) {
514 r = extract_image_basename(
515 filename,
516 /* class_suffix= */ NULL,
517 /* format_suffix= */ NULL,
518 &pretty_buffer,
519 /* ret_suffix= */ NULL);
520 if (r < 0)
521 return r;
522
523 pretty = pretty_buffer;
524 }
525
526 _cleanup_close_ int block_fd = fd_reopen(fd, O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_NOCTTY);
527 if (block_fd < 0)
528 log_debug_errno(errno, "Failed to open block device %s/%s, ignoring: %m", strnull(dir_path), filename);
529 else {
530 if (!read_only) {
531 int state = 0;
532
533 if (ioctl(block_fd, BLKROGET, &state) < 0)
534 log_debug_errno(errno, "Failed to issue BLKROGET on device %s/%s, ignoring: %m", strnull(dir_path), filename);
535 else if (state)
536 read_only = true;
537 }
538
539 r = blockdev_get_device_size(block_fd, &size);
540 if (r < 0)
541 log_debug_errno(r, "Failed to issue BLKGETSIZE64 on device %s/%s, ignoring: %m", strnull(dir_path), filename);
542
543 block_fd = safe_close(block_fd);
544 }
545
546 r = image_new(IMAGE_BLOCK,
547 c,
548 pretty,
549 dir_path,
550 filename,
551 !(st->st_mode & 0222) || read_only,
552 0,
553 0,
554 ret);
555 if (r < 0)
556 return r;
557
558 if (!IN_SET(size, 0, UINT64_MAX))
559 (*ret)->usage = (*ret)->usage_exclusive = (*ret)->limit = (*ret)->limit_exclusive = size;
560
561 return 0;
562 }
563
564 return -EMEDIUMTYPE;
565}
566
567static int pick_image_search_path(
568 RuntimeScope scope,
569 ImageClass class,
570 char ***ret) {
571
572 int r;
573
574 assert(scope < _RUNTIME_SCOPE_MAX && scope != RUNTIME_SCOPE_GLOBAL);
575 assert(class < _IMAGE_CLASS_MAX);
576 assert(ret);
577
578 if (class < 0) {
579 *ret = NULL;
580 return 0;
581 }
582
583 if (scope < 0) {
584 _cleanup_strv_free_ char **a = NULL, **b = NULL;
585
586 r = pick_image_search_path(RUNTIME_SCOPE_USER, class, &a);
587 if (r < 0)
588 return r;
589
590 r = pick_image_search_path(RUNTIME_SCOPE_SYSTEM, class, &b);
591 if (r < 0)
592 return r;
593
594 r = strv_extend_strv(&a, b, /* filter_duplicates= */ false);
595 if (r < 0)
596 return r;
597
598 *ret = TAKE_PTR(a);
599 return 0;
600 }
601
602 switch (scope) {
603
604 case RUNTIME_SCOPE_SYSTEM: {
605 const char *ns;
606 /* Use the initrd search path if there is one, otherwise use the common one */
607 ns = in_initrd() && image_search_path_initrd[class] ?
608 image_search_path_initrd[class] :
609 image_search_path[class];
610 if (!ns)
611 break;
612
613 _cleanup_strv_free_ char **search = strv_split_nulstr(ns);
614 if (!search)
615 return -ENOMEM;
616
617 *ret = TAKE_PTR(search);
618 return 0;
619 }
620
621 case RUNTIME_SCOPE_USER: {
622 if (class != IMAGE_MACHINE)
623 break;
624
625 static const uint64_t dirs[] = {
626 SD_PATH_USER_RUNTIME,
627 SD_PATH_USER_STATE_PRIVATE,
628 SD_PATH_USER_LIBRARY_PRIVATE,
629 };
630
631 _cleanup_strv_free_ char **search = NULL;
632 FOREACH_ELEMENT(d, dirs) {
633 _cleanup_free_ char *p = NULL;
634
635 r = sd_path_lookup(*d, "machines", &p);
636 if (r == -ENXIO) /* No XDG_RUNTIME_DIR set */
637 continue;
638 if (r < 0)
639 return r;
640
641 r = strv_consume(&search, TAKE_PTR(p));
642 if (r < 0)
643 return r;
644 }
645
646 *ret = TAKE_PTR(search);
647 return 0;
648 }
649
650 default:
651 assert_not_reached();
652 }
653
654 *ret = NULL;
655 return 0;
656}
657
658static char** make_possible_filenames(ImageClass class, const char *image_name) {
659 _cleanup_strv_free_ char **l = NULL;
660
661 assert(image_name);
662
663 FOREACH_STRING(v_suffix, "", ".v")
664 FOREACH_STRING(format_suffix, "", ".raw") {
665 _cleanup_free_ char *j = NULL;
666 const char *class_suffix;
667
668 class_suffix = image_class_suffix_to_string(class);
669 if (class_suffix) {
670 j = strjoin(image_name, class_suffix, format_suffix, v_suffix);
671 if (!j)
672 return NULL;
673
674 if (strv_consume(&l, TAKE_PTR(j)) < 0)
675 return NULL;
676 }
677
678 j = strjoin(image_name, format_suffix, v_suffix);
679 if (!j)
680 return NULL;
681
682 if (strv_consume(&l, TAKE_PTR(j)) < 0)
683 return NULL;
684 }
685
686 return TAKE_PTR(l);
687}
688
689int image_find(RuntimeScope scope,
690 ImageClass class,
691 const char *name,
692 const char *root,
693 Image **ret) {
694
695 /* As mentioned above, we follow symlinks on this fstatat(), because we want to permit people to
696 * symlink block devices into the search path. (For now, we disable that when operating relative to
697 * some root directory.) */
698 int open_flags = root ? O_NOFOLLOW : 0, r;
699
700 assert(scope < _RUNTIME_SCOPE_MAX && scope != RUNTIME_SCOPE_GLOBAL);
701 assert(class >= 0);
702 assert(class < _IMAGE_CLASS_MAX);
703 assert(name);
704
705 /* There are no images with invalid names */
706 if (!image_name_is_valid(name))
707 return -ENOENT;
708
709 _cleanup_strv_free_ char **names = make_possible_filenames(class, name);
710 if (!names)
711 return -ENOMEM;
712
713 _cleanup_strv_free_ char **search = NULL;
714 r = pick_image_search_path(scope, class, &search);
715 if (r < 0)
716 return r;
717
718 STRV_FOREACH(path, search) {
719 _cleanup_free_ char *resolved = NULL;
720 _cleanup_closedir_ DIR *d = NULL;
721
722 r = chase_and_opendir(*path, root, CHASE_PREFIX_ROOT, &resolved, &d);
723 if (r == -ENOENT)
724 continue;
725 if (r < 0)
726 return r;
727
728 STRV_FOREACH(n, names) {
729 _cleanup_free_ char *fname_buf = NULL;
730 const char *fname = *n;
731
732 _cleanup_close_ int fd = openat(dirfd(d), fname, O_PATH|O_CLOEXEC|open_flags);
733 if (fd < 0) {
734 if (errno != ENOENT)
735 return -errno;
736
737 continue;
738 }
739
740 struct stat st;
741 if (fstat(fd, &st) < 0)
742 return -errno;
743
744 if (endswith(fname, ".raw")) {
745 if (!S_ISREG(st.st_mode)) {
746 log_debug("Ignoring non-regular file '%s' with .raw suffix.", fname);
747 continue;
748 }
749
750 } else if (endswith(fname, ".v")) {
751
752 if (!S_ISDIR(st.st_mode)) {
753 log_debug("Ignoring non-directory file '%s' with .v suffix.", fname);
754 continue;
755 }
756
757 _cleanup_free_ char *suffix = NULL;
758 suffix = strdup(ASSERT_PTR(startswith(fname, name)));
759 if (!suffix)
760 return -ENOMEM;
761
762 *ASSERT_PTR(endswith(suffix, ".v")) = 0;
763
764 _cleanup_free_ char *vp = path_join(resolved, fname);
765 if (!vp)
766 return -ENOMEM;
767
768 PickFilter filter = {
769 .type_mask = endswith(suffix, ".raw") ? (UINT32_C(1) << DT_REG) | (UINT32_C(1) << DT_BLK) : (UINT32_C(1) << DT_DIR),
770 .basename = name,
771 .architecture = _ARCHITECTURE_INVALID,
772 .suffix = STRV_MAKE(suffix),
773 };
774
775 _cleanup_(pick_result_done) PickResult result = PICK_RESULT_NULL;
776 r = path_pick(root,
777 /* toplevel_fd= */ AT_FDCWD,
778 vp,
779 &filter,
780 PICK_ARCHITECTURE|PICK_TRIES,
781 &result);
782 if (r < 0) {
783 log_debug_errno(r, "Failed to pick versioned image on '%s', skipping: %m", vp);
784 continue;
785 }
786 if (!result.path) {
787 log_debug("Found versioned directory '%s', without matching entry, skipping: %m", vp);
788 continue;
789 }
790
791 /* Refresh the stat data for the discovered target */
792 st = result.st;
793 fd = safe_close(fd);
794
795 _cleanup_free_ char *bn = NULL;
796 r = path_extract_filename(result.path, &bn);
797 if (r < 0) {
798 log_debug_errno(r, "Failed to extract basename of image path '%s', skipping: %m", result.path);
799 continue;
800 }
801
802 fname_buf = path_join(fname, bn);
803 if (!fname_buf)
804 return log_oom();
805
806 fname = fname_buf;
807
808 } else if (!S_ISDIR(st.st_mode) && !S_ISBLK(st.st_mode)) {
809 log_debug("Ignoring non-directory and non-block device file '%s' without suffix.", fname);
810 continue;
811 }
812
813 r = image_make(class, name, dirfd(d), resolved, fname, fd, &st, ret);
814 if (IN_SET(r, -ENOENT, -EMEDIUMTYPE))
815 continue;
816 if (r < 0)
817 return r;
818
819 if (ret)
820 (*ret)->discoverable = true;
821
822 return 1;
823 }
824 }
825
826 if (scope == RUNTIME_SCOPE_SYSTEM && class == IMAGE_MACHINE && streq(name, ".host")) {
827 r = image_make(class,
828 ".host",
829 /* dir_fd= */ AT_FDCWD,
830 /* dir_path= */ NULL,
831 /* filename= */ empty_to_root(root),
832 /* fd= */ -EBADF,
833 /* st= */ NULL,
834 ret);
835 if (r < 0)
836 return r;
837
838 if (ret)
839 (*ret)->discoverable = true;
840
841 return 1;
842 }
843
844 return -ENOENT;
845};
846
847int image_from_path(const char *path, Image **ret) {
848
849 /* Note that we don't set the 'discoverable' field of the returned object, because we don't check here whether
850 * the image is in the image search path. And if it is we don't know if the path we used is actually not
851 * overridden by another, different image earlier in the search path */
852
853 if (path_equal(path, "/"))
854 return image_make(
855 IMAGE_MACHINE,
856 ".host",
857 /* dir_fd= */ AT_FDCWD,
858 /* dir_path= */ NULL,
859 /* filename= */ "/",
860 /* fd= */ -EBADF,
861 /* st= */ NULL,
862 ret);
863
864 return image_make(
865 _IMAGE_CLASS_INVALID,
866 /* pretty= */ NULL,
867 /* dir_fd= */ AT_FDCWD,
868 /* dir_path= */ NULL,
869 /* filename= */ path,
870 /* fd= */ -EBADF,
871 /* st= */ NULL,
872 ret);
873}
874
875int image_find_harder(
876 RuntimeScope scope,
877 ImageClass class,
878 const char *name_or_path,
879 const char *root,
880 Image **ret) {
881
882 if (image_name_is_valid(name_or_path))
883 return image_find(scope, class, name_or_path, root, ret);
884
885 return image_from_path(name_or_path, ret);
886}
887
888int image_discover(
889 RuntimeScope scope,
890 ImageClass class,
891 const char *root,
892 Hashmap **images) {
893
894 /* As mentioned above, we follow symlinks on this fstatat(), because we want to permit people to
895 * symlink block devices into the search path. (For now, we disable that when operating relative to
896 * some root directory.) */
897 int open_flags = root ? O_NOFOLLOW : 0, r;
898
899 assert(scope < _RUNTIME_SCOPE_MAX && scope != RUNTIME_SCOPE_GLOBAL);
900 assert(class >= 0);
901 assert(class < _IMAGE_CLASS_MAX);
902 assert(images);
903
904 _cleanup_strv_free_ char **search = NULL;
905 r = pick_image_search_path(scope, class, &search);
906 if (r < 0)
907 return r;
908
909 STRV_FOREACH(path, search) {
910 _cleanup_free_ char *resolved = NULL;
911 _cleanup_closedir_ DIR *d = NULL;
912
913 r = chase_and_opendir(*path, root, CHASE_PREFIX_ROOT, &resolved, &d);
914 if (r == -ENOENT)
915 continue;
916 if (r < 0)
917 return r;
918
919 FOREACH_DIRENT_ALL(de, d, return -errno) {
920 _cleanup_free_ char *pretty = NULL, *fname_buf = NULL;
921 _cleanup_(image_unrefp) Image *image = NULL;
922 const char *fname = de->d_name;
923
924 if (dot_or_dot_dot(fname))
925 continue;
926
927 _cleanup_close_ int fd = openat(dirfd(d), fname, O_PATH|O_CLOEXEC|open_flags);
928 if (fd < 0) {
929 if (errno != ENOENT)
930 return -errno;
931
932 continue; /* Vanished while we were looking at it */
933 }
934
935 struct stat st;
936 if (fstat(fd, &st) < 0)
937 return -errno;
938
939 if (S_ISREG(st.st_mode)) {
940 r = extract_image_basename(
941 fname,
942 image_class_suffix_to_string(class),
943 STRV_MAKE(".raw"),
944 &pretty,
945 /* ret_suffix= */ NULL);
946 if (r < 0) {
947 log_debug_errno(r, "Skipping directory entry '%s', which doesn't look like an image.", fname);
948 continue;
949 }
950 } else if (S_ISDIR(st.st_mode)) {
951 const char *v;
952
953 v = endswith(fname, ".v");
954 if (v) {
955 _cleanup_free_ char *suffix = NULL, *nov = NULL;
956
957 nov = strndup(fname, v - fname); /* Chop off the .v */
958 if (!nov)
959 return -ENOMEM;
960
961 r = extract_image_basename(
962 nov,
963 image_class_suffix_to_string(class),
964 STRV_MAKE(".raw", ""),
965 &pretty,
966 &suffix);
967 if (r < 0) {
968 log_debug_errno(r, "Skipping directory entry '%s', which doesn't look like a versioned image.", fname);
969 continue;
970 }
971
972 _cleanup_free_ char *vp = path_join(resolved, fname);
973 if (!vp)
974 return -ENOMEM;
975
976 PickFilter filter = {
977 .type_mask = endswith(suffix, ".raw") ? (UINT32_C(1) << DT_REG) | (UINT32_C(1) << DT_BLK) : (UINT32_C(1) << DT_DIR),
978 .basename = pretty,
979 .architecture = _ARCHITECTURE_INVALID,
980 .suffix = STRV_MAKE(suffix),
981 };
982
983 _cleanup_(pick_result_done) PickResult result = PICK_RESULT_NULL;
984 r = path_pick(root,
985 /* toplevel_fd= */ AT_FDCWD,
986 vp,
987 &filter,
988 PICK_ARCHITECTURE|PICK_TRIES,
989 &result);
990 if (r < 0) {
991 log_debug_errno(r, "Failed to pick versioned image on '%s', skipping: %m", vp);
992 continue;
993 }
994 if (!result.path) {
995 log_debug("Found versioned directory '%s', without matching entry, skipping: %m", vp);
996 continue;
997 }
998
999 /* Refresh the stat data for the discovered target */
1000 st = result.st;
1001 fd = safe_close(fd);
1002
1003 _cleanup_free_ char *bn = NULL;
1004 r = path_extract_filename(result.path, &bn);
1005 if (r < 0) {
1006 log_debug_errno(r, "Failed to extract basename of image path '%s', skipping: %m", result.path);
1007 continue;
1008 }
1009
1010 fname_buf = path_join(fname, bn);
1011 if (!fname_buf)
1012 return log_oom();
1013
1014 fname = fname_buf;
1015 } else {
1016 r = extract_image_basename(
1017 fname,
1018 image_class_suffix_to_string(class),
1019 /* format_suffixes= */ NULL,
1020 &pretty,
1021 /* ret_suffix= */ NULL);
1022 if (r < 0) {
1023 log_debug_errno(r, "Skipping directory entry '%s', which doesn't look like an image.", fname);
1024 continue;
1025 }
1026 }
1027
1028 } else if (S_ISBLK(st.st_mode)) {
1029 r = extract_image_basename(
1030 fname,
1031 /* class_suffix= */ NULL,
1032 /* format_suffix= */ NULL,
1033 &pretty,
1034 /* ret_suffix= */ NULL);
1035 if (r < 0) {
1036 log_debug_errno(r, "Skipping directory entry '%s', which doesn't look like an image.", fname);
1037 continue;
1038 }
1039 } else {
1040 log_debug("Skipping directory entry '%s', which is neither regular file, directory nor block device.", fname);
1041 continue;
1042 }
1043
1044 if (hashmap_contains(*images, pretty))
1045 continue;
1046
1047 r = image_make(class, pretty, dirfd(d), resolved, fname, fd, &st, &image);
1048 if (IN_SET(r, -ENOENT, -EMEDIUMTYPE))
1049 continue;
1050 if (r < 0)
1051 return r;
1052
1053 image->discoverable = true;
1054
1055 r = hashmap_ensure_put(images, &image_hash_ops, image->name, image);
1056 if (r < 0)
1057 return r;
1058
1059 TAKE_PTR(image);
1060 }
1061 }
1062
1063 if (scope == RUNTIME_SCOPE_SYSTEM && class == IMAGE_MACHINE && !hashmap_contains(*images, ".host")) {
1064 _cleanup_(image_unrefp) Image *image = NULL;
1065
1066 r = image_make(IMAGE_MACHINE,
1067 ".host",
1068 /* dir_fd= */ AT_FDCWD,
1069 /* dir_path= */ NULL,
1070 empty_to_root(root),
1071 /* fd= */ -EBADF,
1072 /* st= */ NULL,
1073 &image);
1074 if (r < 0)
1075 return r;
1076
1077 image->discoverable = true;
1078
1079 r = hashmap_ensure_put(images, &image_hash_ops, image->name, image);
1080 if (r < 0)
1081 return r;
1082
1083 image = NULL;
1084 }
1085
1086 return 0;
1087}
1088
1089int image_remove(Image *i) {
1090 _cleanup_(release_lock_file) LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT;
1091 _cleanup_strv_free_ char **settings = NULL;
1092 _cleanup_free_ char *roothash = NULL;
1093 int r;
1094
1095 assert(i);
1096
1097 if (image_is_vendor(i) || image_is_host(i))
1098 return -EROFS;
1099
1100 settings = image_settings_path(i);
1101 if (!settings)
1102 return -ENOMEM;
1103
1104 r = image_roothash_path(i, &roothash);
1105 if (r < 0)
1106 return r;
1107
1108 /* Make sure we don't interfere with a running nspawn */
1109 r = image_path_lock(i->path, LOCK_EX|LOCK_NB, &global_lock, &local_lock);
1110 if (r < 0)
1111 return r;
1112
1113 switch (i->type) {
1114
1115 case IMAGE_SUBVOLUME:
1116
1117 /* Let's unlink first, maybe it is a symlink? If that works we are happy. Otherwise, let's get out the
1118 * big guns */
1119 if (unlink(i->path) < 0) {
1120 r = btrfs_subvol_remove(i->path, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);
1121 if (r < 0)
1122 return r;
1123 }
1124
1125 break;
1126
1127 case IMAGE_DIRECTORY:
1128 /* Allow deletion of read-only directories */
1129 (void) chattr_path(i->path, 0, FS_IMMUTABLE_FL);
1130 r = rm_rf(i->path, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME);
1131 if (r < 0)
1132 return r;
1133
1134 break;
1135
1136 case IMAGE_BLOCK:
1137
1138 /* If this is inside of /dev, then it's a real block device, hence let's not touch the device node
1139 * itself (but let's remove the stuff stored alongside it). If it's anywhere else, let's try to unlink
1140 * the thing (it's most likely a symlink after all). */
1141
1142 if (path_startswith(i->path, "/dev"))
1143 break;
1144
1145 _fallthrough_;
1146 case IMAGE_RAW:
1147 if (unlink(i->path) < 0)
1148 return -errno;
1149 break;
1150
1151 default:
1152 return -EOPNOTSUPP;
1153 }
1154
1155 STRV_FOREACH(j, settings)
1156 if (unlink(*j) < 0 && errno != ENOENT)
1157 log_debug_errno(errno, "Failed to unlink %s, ignoring: %m", *j);
1158
1159 if (unlink(roothash) < 0 && errno != ENOENT)
1160 log_debug_errno(errno, "Failed to unlink %s, ignoring: %m", roothash);
1161
1162 return 0;
1163}
1164
1165static int rename_auxiliary_file(const char *path, const char *new_name, const char *suffix) {
1166 _cleanup_free_ char *fn = NULL, *rs = NULL;
1167 int r;
1168
1169 fn = strjoin(new_name, suffix);
1170 if (!fn)
1171 return -ENOMEM;
1172
1173 r = file_in_same_dir(path, fn, &rs);
1174 if (r < 0)
1175 return r;
1176
1177 return rename_noreplace(AT_FDCWD, path, AT_FDCWD, rs);
1178}
1179
1180int image_rename(Image *i, const char *new_name, RuntimeScope scope) {
1181 _cleanup_(release_lock_file) LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT, name_lock = LOCK_FILE_INIT;
1182 _cleanup_free_ char *new_path = NULL, *nn = NULL, *roothash = NULL;
1183 _cleanup_strv_free_ char **settings = NULL;
1184 unsigned file_attr = 0;
1185 int r;
1186
1187 assert(i);
1188
1189 if (!image_name_is_valid(new_name))
1190 return -EINVAL;
1191
1192 if (image_is_vendor(i) || image_is_host(i))
1193 return -EROFS;
1194
1195 settings = image_settings_path(i);
1196 if (!settings)
1197 return -ENOMEM;
1198
1199 r = image_roothash_path(i, &roothash);
1200 if (r < 0)
1201 return r;
1202
1203 /* Make sure we don't interfere with a running nspawn */
1204 r = image_path_lock(i->path, LOCK_EX|LOCK_NB, &global_lock, &local_lock);
1205 if (r < 0)
1206 return r;
1207
1208 /* Make sure nobody takes the new name, between the time we
1209 * checked it is currently unused in all search paths, and the
1210 * time we take possession of it */
1211 r = image_name_lock(new_name, LOCK_EX|LOCK_NB, &name_lock);
1212 if (r < 0)
1213 return r;
1214
1215 r = image_find(scope, IMAGE_MACHINE, new_name, NULL, NULL);
1216 if (r >= 0)
1217 return -EEXIST;
1218 if (r != -ENOENT)
1219 return r;
1220
1221 switch (i->type) {
1222
1223 case IMAGE_DIRECTORY:
1224 /* Turn of the immutable bit while we rename the image, so that we can rename it */
1225 (void) read_attr_at(AT_FDCWD, i->path, &file_attr);
1226
1227 if (file_attr & FS_IMMUTABLE_FL)
1228 (void) chattr_path(i->path, 0, FS_IMMUTABLE_FL);
1229
1230 _fallthrough_;
1231 case IMAGE_SUBVOLUME:
1232 r = file_in_same_dir(i->path, new_name, &new_path);
1233 break;
1234
1235 case IMAGE_BLOCK:
1236
1237 /* Refuse renaming raw block devices in /dev, the names are picked by udev after all. */
1238 if (path_startswith(i->path, "/dev"))
1239 return -EROFS;
1240
1241 r = file_in_same_dir(i->path, new_name, &new_path);
1242 break;
1243
1244 case IMAGE_RAW: {
1245 const char *fn;
1246
1247 fn = strjoina(new_name, ".raw");
1248
1249 r = file_in_same_dir(i->path, fn, &new_path);
1250 break;
1251 }
1252
1253 default:
1254 return -EOPNOTSUPP;
1255 }
1256 if (r < 0)
1257 return r;
1258
1259 nn = strdup(new_name);
1260 if (!nn)
1261 return -ENOMEM;
1262
1263 r = rename_noreplace(AT_FDCWD, i->path, AT_FDCWD, new_path);
1264 if (r < 0)
1265 return r;
1266
1267 /* Restore the immutable bit, if it was set before */
1268 if (file_attr & FS_IMMUTABLE_FL)
1269 (void) chattr_path(new_path, FS_IMMUTABLE_FL, FS_IMMUTABLE_FL);
1270
1271 free_and_replace(i->path, new_path);
1272 free_and_replace(i->name, nn);
1273
1274 STRV_FOREACH(j, settings) {
1275 r = rename_auxiliary_file(*j, new_name, ".nspawn");
1276 if (r < 0 && r != -ENOENT)
1277 log_debug_errno(r, "Failed to rename settings file %s, ignoring: %m", *j);
1278 }
1279
1280 r = rename_auxiliary_file(roothash, new_name, ".roothash");
1281 if (r < 0 && r != -ENOENT)
1282 log_debug_errno(r, "Failed to rename roothash file %s, ignoring: %m", roothash);
1283
1284 return 0;
1285}
1286
1287static int clone_auxiliary_file(const char *path, const char *new_name, const char *suffix) {
1288 _cleanup_free_ char *fn = NULL, *rs = NULL;
1289 int r;
1290
1291 fn = strjoin(new_name, suffix);
1292 if (!fn)
1293 return -ENOMEM;
1294
1295 r = file_in_same_dir(path, fn, &rs);
1296 if (r < 0)
1297 return r;
1298
1299 return copy_file_atomic(path, rs, 0664, COPY_REFLINK);
1300}
1301
1302int image_clone(Image *i, const char *new_name, bool read_only, RuntimeScope scope) {
1303 _cleanup_(release_lock_file) LockFile name_lock = LOCK_FILE_INIT;
1304 _cleanup_strv_free_ char **settings = NULL;
1305 _cleanup_free_ char *roothash = NULL;
1306 const char *new_path;
1307 int r;
1308
1309 assert(i);
1310
1311 if (!image_name_is_valid(new_name))
1312 return -EINVAL;
1313
1314 settings = image_settings_path(i);
1315 if (!settings)
1316 return -ENOMEM;
1317
1318 r = image_roothash_path(i, &roothash);
1319 if (r < 0)
1320 return r;
1321
1322 /* Make sure nobody takes the new name, between the time we
1323 * checked it is currently unused in all search paths, and the
1324 * time we take possession of it */
1325 r = image_name_lock(new_name, LOCK_EX|LOCK_NB, &name_lock);
1326 if (r < 0)
1327 return r;
1328
1329 r = image_find(scope, IMAGE_MACHINE, new_name, NULL, NULL);
1330 if (r >= 0)
1331 return -EEXIST;
1332 if (r != -ENOENT)
1333 return r;
1334
1335 switch (i->type) {
1336
1337 case IMAGE_SUBVOLUME:
1338 case IMAGE_DIRECTORY:
1339 /* If we can we'll always try to create a new btrfs subvolume here, even if the source is a plain
1340 * directory. */
1341
1342 new_path = strjoina("/var/lib/machines/", new_name);
1343
1344 r = btrfs_subvol_snapshot_at(AT_FDCWD, i->path, AT_FDCWD, new_path,
1345 (read_only ? BTRFS_SNAPSHOT_READ_ONLY : 0) |
1346 BTRFS_SNAPSHOT_FALLBACK_COPY |
1347 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY |
1348 BTRFS_SNAPSHOT_FALLBACK_IMMUTABLE |
1349 BTRFS_SNAPSHOT_RECURSIVE |
1350 BTRFS_SNAPSHOT_QUOTA);
1351 if (r >= 0)
1352 /* Enable "subtree" quotas for the copy, if we didn't copy any quota from the source. */
1353 (void) btrfs_subvol_auto_qgroup(new_path, 0, true);
1354
1355 break;
1356
1357 case IMAGE_RAW:
1358 new_path = strjoina("/var/lib/machines/", new_name, ".raw");
1359
1360 r = copy_file_atomic(i->path, new_path, read_only ? 0444 : 0644,
1361 COPY_REFLINK|COPY_CRTIME|COPY_NOCOW_AFTER);
1362 break;
1363
1364 case IMAGE_BLOCK:
1365 default:
1366 return -EOPNOTSUPP;
1367 }
1368
1369 if (r < 0)
1370 return r;
1371
1372 STRV_FOREACH(j, settings) {
1373 r = clone_auxiliary_file(*j, new_name, ".nspawn");
1374 if (r < 0 && r != -ENOENT)
1375 log_debug_errno(r, "Failed to clone settings %s, ignoring: %m", *j);
1376 }
1377
1378 r = clone_auxiliary_file(roothash, new_name, ".roothash");
1379 if (r < 0 && r != -ENOENT)
1380 log_debug_errno(r, "Failed to clone root hash file %s, ignoring: %m", roothash);
1381
1382 return 0;
1383}
1384
1385int image_read_only(Image *i, bool b) {
1386 _cleanup_(release_lock_file) LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT;
1387 int r;
1388
1389 assert(i);
1390
1391 if (image_is_vendor(i) || image_is_host(i))
1392 return -EROFS;
1393
1394 /* Make sure we don't interfere with a running nspawn */
1395 r = image_path_lock(i->path, LOCK_EX|LOCK_NB, &global_lock, &local_lock);
1396 if (r < 0)
1397 return r;
1398
1399 switch (i->type) {
1400
1401 case IMAGE_SUBVOLUME:
1402
1403 /* Note that we set the flag only on the top-level
1404 * subvolume of the image. */
1405
1406 r = btrfs_subvol_set_read_only(i->path, b);
1407 if (r < 0)
1408 return r;
1409
1410 break;
1411
1412 case IMAGE_DIRECTORY:
1413 /* For simple directory trees we cannot use the access
1414 mode of the top-level directory, since it has an
1415 effect on the container itself. However, we can
1416 use the "immutable" flag, to at least make the
1417 top-level directory read-only. It's not as good as
1418 a read-only subvolume, but at least something, and
1419 we can read the value back. */
1420
1421 r = chattr_path(i->path, b ? FS_IMMUTABLE_FL : 0, FS_IMMUTABLE_FL);
1422 if (r < 0)
1423 return r;
1424
1425 break;
1426
1427 case IMAGE_RAW: {
1428 struct stat st;
1429
1430 if (stat(i->path, &st) < 0)
1431 return -errno;
1432
1433 if (chmod(i->path, (st.st_mode & 0444) | (b ? 0000 : 0200)) < 0)
1434 return -errno;
1435
1436 /* If the images is now read-only, it's a good time to
1437 * defrag it, given that no write patterns will
1438 * fragment it again. */
1439 if (b)
1440 (void) btrfs_defrag(i->path);
1441 break;
1442 }
1443
1444 case IMAGE_BLOCK: {
1445 _cleanup_close_ int fd = -EBADF;
1446 struct stat st;
1447 int state = b;
1448
1449 fd = open(i->path, O_CLOEXEC|O_RDONLY|O_NONBLOCK|O_NOCTTY);
1450 if (fd < 0)
1451 return -errno;
1452
1453 if (fstat(fd, &st) < 0)
1454 return -errno;
1455 if (!S_ISBLK(st.st_mode))
1456 return -ENOTTY;
1457
1458 if (ioctl(fd, BLKROSET, &state) < 0)
1459 return -errno;
1460
1461 break;
1462 }
1463
1464 default:
1465 return -EOPNOTSUPP;
1466 }
1467
1468 i->read_only = b;
1469 return 0;
1470}
1471
1472static void make_lock_dir(void) {
1473 (void) mkdir_p("/run/systemd/nspawn", 0755);
1474 (void) mkdir("/run/systemd/nspawn/locks", 0700);
1475}
1476
1477int image_path_lock(
1478 const char *path,
1479 int operation,
1480 LockFile *ret_global,
1481 LockFile *ret_local) {
1482
1483 _cleanup_free_ char *p = NULL;
1484 LockFile t = LOCK_FILE_INIT;
1485 struct stat st;
1486 bool exclusive;
1487 int r;
1488
1489 assert(path);
1490 assert(ret_local);
1491
1492 /* Locks an image path. This actually creates two locks: one "local" one, next to the image path
1493 * itself, which might be shared via NFS. And another "global" one, in /run, that uses the
1494 * device/inode number. This has the benefit that we can even lock a tree that is a mount point,
1495 * correctly. */
1496
1497 if (!path_is_absolute(path))
1498 return -EINVAL;
1499
1500 switch (operation & (LOCK_SH|LOCK_EX)) {
1501 case LOCK_SH:
1502 exclusive = false;
1503 break;
1504 case LOCK_EX:
1505 exclusive = true;
1506 break;
1507 default:
1508 return -EINVAL;
1509 }
1510
1511 if (getenv_bool("SYSTEMD_NSPAWN_LOCK") == 0) {
1512 *ret_local = LOCK_FILE_INIT;
1513 if (ret_global)
1514 *ret_global = LOCK_FILE_INIT;
1515 return 0;
1516 }
1517
1518 /* Prohibit taking exclusive locks on the host image. We can't allow this, since we ourselves are
1519 * running off it after all, and we don't want any images to manipulate the host image. We make an
1520 * exception for shared locks however: we allow those (and make them NOPs since there's no point in
1521 * taking them if there can't be exclusive locks). Strictly speaking these are questionable as well,
1522 * since it means changes made to the host might propagate to the container as they happen (and a
1523 * shared lock kinda suggests that no changes happen at all while it is in place), but it's too
1524 * useful not to allow read-only containers off the host root, hence let's support this, and trust
1525 * the user to do the right thing with this. */
1526 if (path_equal(path, "/")) {
1527 if (exclusive)
1528 return -EBUSY;
1529
1530 *ret_local = LOCK_FILE_INIT;
1531 if (ret_global)
1532 *ret_global = LOCK_FILE_INIT;
1533 return 0;
1534 }
1535
1536 if (ret_global) {
1537 if (stat(path, &st) >= 0) {
1538 if (S_ISBLK(st.st_mode))
1539 r = asprintf(&p, "/run/systemd/nspawn/locks/block-%u:%u", major(st.st_rdev), minor(st.st_rdev));
1540 else if (S_ISDIR(st.st_mode) || S_ISREG(st.st_mode))
1541 r = asprintf(&p, "/run/systemd/nspawn/locks/inode-%lu:%lu", (unsigned long) st.st_dev, (unsigned long) st.st_ino);
1542 else
1543 return -ENOTTY;
1544 if (r < 0)
1545 return -ENOMEM;
1546 }
1547 }
1548
1549 /* For block devices we don't need the "local" lock, as the major/minor lock above should be
1550 * sufficient, since block devices are host local anyway. */
1551 if (!path_startswith(path, "/dev/")) {
1552 r = make_lock_file_for(path, operation, &t);
1553 if (r < 0) {
1554 if (!exclusive && r == -EROFS)
1555 log_debug_errno(r, "Failed to create shared lock for '%s', ignoring: %m", path);
1556 else
1557 return r;
1558 }
1559 }
1560
1561 if (p) {
1562 make_lock_dir();
1563
1564 r = make_lock_file(p, operation, ret_global);
1565 if (r < 0) {
1566 release_lock_file(&t);
1567 return r;
1568 }
1569 } else if (ret_global)
1570 *ret_global = LOCK_FILE_INIT;
1571
1572 *ret_local = t;
1573 return 0;
1574}
1575
1576int image_set_limit(Image *i, uint64_t referenced_max) {
1577 int r;
1578
1579 assert(i);
1580
1581 if (image_is_vendor(i) || image_is_host(i))
1582 return -EROFS;
1583
1584 if (i->type != IMAGE_SUBVOLUME)
1585 return -EOPNOTSUPP;
1586
1587 /* We set the quota both for the subvolume as well as for the
1588 * subtree. The latter is mostly for historical reasons, since
1589 * we didn't use to have a concept of subtree quota, and hence
1590 * only modified the subvolume quota. */
1591
1592 (void) btrfs_qgroup_set_limit(i->path, 0, referenced_max);
1593 (void) btrfs_subvol_auto_qgroup(i->path, 0, true);
1594 r = btrfs_subvol_set_subtree_quota_limit(i->path, 0, referenced_max);
1595 if (r < 0)
1596 return r;
1597
1598 (void) image_update_quota(i, -EBADF);
1599 return 0;
1600}
1601
1602int image_set_pool_limit(ImageClass class, uint64_t referenced_max) {
1603 const char *dir;
1604 int r;
1605
1606 assert(class >= 0 && class < _IMAGE_CLASS_MAX);
1607
1608 dir = image_root_to_string(class);
1609
1610 r = btrfs_qgroup_set_limit(dir, /* qgroupid = */ 0, referenced_max);
1611 if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
1612 return r;
1613 if (r < 0)
1614 log_debug_errno(r, "Failed to set limit on btrfs quota group for '%s', ignoring: %m", dir);
1615
1616 r = btrfs_subvol_set_subtree_quota_limit(dir, /* subvol_id = */ 0, referenced_max);
1617 if (ERRNO_IS_NEG_NOT_SUPPORTED(r))
1618 return r;
1619 if (r < 0)
1620 return log_debug_errno(r, "Failed to set subtree quota limit for '%s': %m", dir);
1621
1622 return 0;
1623}
1624
1625int image_read_metadata(Image *i, const ImagePolicy *image_policy) {
1626 _cleanup_(release_lock_file) LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT;
1627 int r;
1628
1629 assert(i);
1630
1631 r = image_path_lock(i->path, LOCK_SH|LOCK_NB, &global_lock, &local_lock);
1632 if (r < 0)
1633 return r;
1634
1635 switch (i->type) {
1636
1637 case IMAGE_SUBVOLUME:
1638 case IMAGE_DIRECTORY: {
1639 _cleanup_strv_free_ char **machine_info = NULL, **os_release = NULL, **sysext_release = NULL, **confext_release = NULL;
1640 _cleanup_free_ char *hostname = NULL, *path = NULL;
1641 sd_id128_t machine_id = SD_ID128_NULL;
1642
1643 if (i->class == IMAGE_SYSEXT) {
1644 r = extension_has_forbidden_content(i->path);
1645 if (r < 0)
1646 return r;
1647 if (r > 0)
1648 return log_debug_errno(SYNTHETIC_ERRNO(ENOMEDIUM),
1649 "Conflicting content found in image %s, refusing.",
1650 i->name);
1651 }
1652
1653 r = chase("/etc/hostname", i->path, CHASE_PREFIX_ROOT|CHASE_TRAIL_SLASH, &path, NULL);
1654 if (r < 0 && r != -ENOENT)
1655 log_debug_errno(r, "Failed to chase /etc/hostname in image %s: %m", i->name);
1656 else if (r >= 0) {
1657 r = read_etc_hostname(path, /* substitute_wildcards= */ false, &hostname);
1658 if (r < 0)
1659 log_debug_errno(r, "Failed to read /etc/hostname of image %s: %m", i->name);
1660 }
1661
1662 path = mfree(path);
1663
1664 r = id128_get_machine(i->path, &machine_id);
1665 if (r < 0)
1666 log_debug_errno(r, "Failed to read machine ID in image %s, ignoring: %m", i->name);
1667
1668 r = chase("/etc/machine-info", i->path, CHASE_PREFIX_ROOT|CHASE_TRAIL_SLASH, &path, NULL);
1669 if (r < 0 && r != -ENOENT)
1670 log_debug_errno(r, "Failed to chase /etc/machine-info in image %s: %m", i->name);
1671 else if (r >= 0) {
1672 r = load_env_file_pairs(NULL, path, &machine_info);
1673 if (r < 0)
1674 log_debug_errno(r, "Failed to parse machine-info data of %s: %m", i->name);
1675 }
1676
1677 r = load_os_release_pairs(i->path, &os_release);
1678 if (r < 0)
1679 log_debug_errno(r, "Failed to read os-release in image, ignoring: %m");
1680
1681 r = load_extension_release_pairs(i->path, IMAGE_SYSEXT, i->name, /* relax_extension_release_check= */ false, &sysext_release);
1682 if (r < 0)
1683 log_debug_errno(r, "Failed to read sysext-release in image, ignoring: %m");
1684
1685 r = load_extension_release_pairs(i->path, IMAGE_CONFEXT, i->name, /* relax_extension_release_check= */ false, &confext_release);
1686 if (r < 0)
1687 log_debug_errno(r, "Failed to read confext-release in image, ignoring: %m");
1688
1689 free_and_replace(i->hostname, hostname);
1690 i->machine_id = machine_id;
1691 strv_free_and_replace(i->machine_info, machine_info);
1692 strv_free_and_replace(i->os_release, os_release);
1693 strv_free_and_replace(i->sysext_release, sysext_release);
1694 strv_free_and_replace(i->confext_release, confext_release);
1695 break;
1696 }
1697
1698 case IMAGE_RAW:
1699 case IMAGE_BLOCK: {
1700 _cleanup_(loop_device_unrefp) LoopDevice *d = NULL;
1701 _cleanup_(dissected_image_unrefp) DissectedImage *m = NULL;
1702 DissectImageFlags flags =
1703 DISSECT_IMAGE_GENERIC_ROOT |
1704 DISSECT_IMAGE_REQUIRE_ROOT |
1705 DISSECT_IMAGE_RELAX_VAR_CHECK |
1706 DISSECT_IMAGE_READ_ONLY |
1707 DISSECT_IMAGE_USR_NO_ROOT |
1708 DISSECT_IMAGE_ADD_PARTITION_DEVICES |
1709 DISSECT_IMAGE_PIN_PARTITION_DEVICES |
1710 DISSECT_IMAGE_VALIDATE_OS |
1711 DISSECT_IMAGE_VALIDATE_OS_EXT |
1712 DISSECT_IMAGE_ALLOW_USERSPACE_VERITY;
1713
1714 r = loop_device_make_by_path(
1715 i->path,
1716 O_RDONLY,
1717 /* sector_size= */ UINT32_MAX,
1718 LO_FLAGS_PARTSCAN,
1719 LOCK_SH,
1720 &d);
1721 if (r < 0)
1722 return r;
1723
1724 r = dissect_loop_device(
1725 d,
1726 /* verity= */ NULL,
1727 /* mount_options= */ NULL,
1728 image_policy,
1729 /* image_filter= */ NULL,
1730 flags,
1731 &m);
1732 if (r < 0)
1733 return r;
1734
1735 r = dissected_image_acquire_metadata(
1736 m,
1737 /* userns_fd= */ -EBADF,
1738 flags);
1739 if (r < 0)
1740 return r;
1741
1742 free_and_replace(i->hostname, m->hostname);
1743 i->machine_id = m->machine_id;
1744 strv_free_and_replace(i->machine_info, m->machine_info);
1745 strv_free_and_replace(i->os_release, m->os_release);
1746 strv_free_and_replace(i->sysext_release, m->sysext_release);
1747 strv_free_and_replace(i->confext_release, m->confext_release);
1748
1749 break;
1750 }
1751
1752 default:
1753 return -EOPNOTSUPP;
1754 }
1755
1756 i->metadata_valid = true;
1757
1758 return 0;
1759}
1760
1761int image_name_lock(const char *name, int operation, LockFile *ret) {
1762 const char *p;
1763
1764 assert(name);
1765 assert(ret);
1766
1767 /* Locks an image name, regardless of the precise path used. */
1768
1769 if (streq(name, ".host"))
1770 return -EBUSY;
1771
1772 if (!image_name_is_valid(name))
1773 return -EINVAL;
1774
1775 if (getenv_bool("SYSTEMD_NSPAWN_LOCK") == 0) {
1776 *ret = (LockFile) LOCK_FILE_INIT;
1777 return 0;
1778 }
1779
1780 make_lock_dir();
1781
1782 p = strjoina("/run/systemd/nspawn/locks/name-", name);
1783 return make_lock_file(p, operation, ret);
1784}
1785
1786bool image_in_search_path(
1787 RuntimeScope scope,
1788 ImageClass class,
1789 const char *root,
1790 const char *image) {
1791
1792 int r;
1793
1794 assert(scope < _RUNTIME_SCOPE_MAX && scope != RUNTIME_SCOPE_GLOBAL);
1795 assert(class >= 0);
1796 assert(class < _IMAGE_CLASS_MAX);
1797 assert(image);
1798
1799 _cleanup_strv_free_ char **search = NULL;
1800 r = pick_image_search_path(scope, class, &search);
1801 if (r < 0)
1802 return r;
1803
1804 STRV_FOREACH(path, search) {
1805 const char *p, *q;
1806 size_t k;
1807
1808 if (!empty_or_root(root)) {
1809 q = path_startswith(*path, root);
1810 if (!q)
1811 continue;
1812 } else
1813 q = *path;
1814
1815 p = path_startswith(q, *path);
1816 if (!p)
1817 continue;
1818
1819 /* Make sure there's a filename following */
1820 k = strcspn(p, "/");
1821 if (k == 0)
1822 continue;
1823
1824 p += k;
1825
1826 /* Accept trailing slashes */
1827 if (p[strspn(p, "/")] == 0)
1828 return true;
1829 }
1830
1831 return false;
1832}
1833
1834bool image_is_vendor(const struct Image *i) {
1835 assert(i);
1836
1837 return i->path && path_startswith(i->path, "/usr");
1838}
1839
1840bool image_is_host(const struct Image *i) {
1841 assert(i);
1842
1843 if (i->name && streq(i->name, ".host"))
1844 return true;
1845
1846 if (i->path && path_equal(i->path, "/"))
1847 return true;
1848
1849 return false;
1850}
1851
1852int image_to_json(const struct Image *img, sd_json_variant **ret) {
1853 assert(img);
1854
1855 return sd_json_buildo(
1856 ret,
1857 SD_JSON_BUILD_PAIR_STRING("Type", image_type_to_string(img->type)),
1858 SD_JSON_BUILD_PAIR_STRING("Class", image_class_to_string(img->class)),
1859 SD_JSON_BUILD_PAIR_STRING("Name", img->name),
1860 SD_JSON_BUILD_PAIR_CONDITION(!!img->path, "Path", SD_JSON_BUILD_STRING(img->path)),
1861 SD_JSON_BUILD_PAIR_BOOLEAN("ReadOnly", img->read_only),
1862 SD_JSON_BUILD_PAIR_CONDITION(img->crtime != 0, "CreationTimestamp", SD_JSON_BUILD_UNSIGNED(img->crtime)),
1863 SD_JSON_BUILD_PAIR_CONDITION(img->mtime != 0, "ModificationTimestamp", SD_JSON_BUILD_UNSIGNED(img->mtime)),
1864 SD_JSON_BUILD_PAIR_CONDITION(img->usage != UINT64_MAX, "Usage", SD_JSON_BUILD_UNSIGNED(img->usage)),
1865 SD_JSON_BUILD_PAIR_CONDITION(img->usage_exclusive != UINT64_MAX, "UsageExclusive", SD_JSON_BUILD_UNSIGNED(img->usage_exclusive)),
1866 SD_JSON_BUILD_PAIR_CONDITION(img->limit != UINT64_MAX, "Limit", SD_JSON_BUILD_UNSIGNED(img->limit)),
1867 SD_JSON_BUILD_PAIR_CONDITION(img->limit_exclusive != UINT64_MAX, "LimitExclusive", SD_JSON_BUILD_UNSIGNED(img->limit_exclusive)));
1868}
1869
1870static const char* const image_type_table[_IMAGE_TYPE_MAX] = {
1871 [IMAGE_DIRECTORY] = "directory",
1872 [IMAGE_SUBVOLUME] = "subvolume",
1873 [IMAGE_RAW] = "raw",
1874 [IMAGE_BLOCK] = "block",
1875};
1876
1877DEFINE_STRING_TABLE_LOOKUP(image_type, ImageType);
Unnamed repository; edit this file 'description' to name the repository.