[thirdparty/man-pages.git] / man2 / pivot_root.2

.\" Copyright (C) 2000 by Werner Almesberger
.\" and Copyright (C) 2019 Michael Kerrisk <mtk.manpages@gmail.com>
.\"
.\" %%%LICENSE_START(GPL_NOVERSION_ONELINE)
.\" May be distributed under GPL
.\" %%%LICENSE_END
.\"
.\" Written 2000-02-23 by Werner Almesberger
.\" Modified 2004-06-17 Michael Kerrisk <mtk.manpages@gmail.com>
.\"
.TH PIVOT_ROOT 2 2019-08-02 "Linux" "Linux Programmer's Manual"
.SH NAME
pivot_root \- change the root filesystem
.SH SYNOPSIS
.BI "int pivot_root(const char *" new_root ", const char *" put_old );
.PP
.IR Note :
There is no glibc wrapper for this system call; see NOTES.
.SH DESCRIPTION
.BR pivot_root ()
changes the root filesystem in the mount namespace of the calling process.
More precisely, it moves the root filesystem to the
directory \fIput_old\fP and makes \fInew_root\fP the new root filesystem.
The calling process must have the
.B CAP_SYS_ADMIN
capability in the user namespace that owns the caller's mount namespace.
.PP
.BR pivot_root ()
may or may not change the current root and the current
working directory of any processes or threads that
use the old root directory and which are in
the same mount namespace as the caller of
.BR pivot_root ().
The caller of
.BR pivot_root ()
must ensure that processes with root or current working directory
at the old root operate correctly in either case.
An easy way to ensure this is to change their
root and current working directory to \fInew_root\fP before invoking
.BR pivot_root ().
.PP
The paragraph above is intentionally vague because the implementation of
.BR pivot_root ()
may change in the future
(or so it was thought when this system call was first added).
However,
the behavior on this point has remained consistent since
.BR pivot_root ()
was first implemented:
.BR pivot_root ()
changes the root directory and the current working directory
of each process or thread in the same mount namespace to
.I new_root
if they point to the old root directory.
This is necessary in order to prevent kernel threads from keeping the old
root directory busy with their root and current working directory,
even if they never access
the filesystem in any way.
Perhaps one day there may be a mechanism for
kernel threads to explicitly relinquish any access to the filesystem,
such that this fairly intrusive mechanism can be removed from
.BR pivot_root ().
.PP
Note that this also applies to the calling process:
.BR pivot_root ()
may or may not affect its current working directory.
It is therefore recommended to call
\fBchdir("/")\fP immediately after
.BR pivot_root ().
.PP
The following restrictions apply to \fInew_root\fP and \fIput_old\fP:
.IP \- 3
They must be directories.
.IP \-
\fInew_root\fP and \fIput_old\fP must not be on the same filesystem as
the current root.
.IP \-
\fIput_old\fP must be underneath \fInew_root\fP, that is, adding a nonzero
number of \fI/..\fP to the string pointed to by \fIput_old\fP must yield
the same directory as \fInew_root\fP.
.IP \-
.I new_root
must be a mount point.
(If it is not otherwise a mount point, it suffices to bind mount
.I new_root
on top of itself.)
.IP \-
The propagation type of
.I new_root
and its parent mount must not be
.BR MS_SHARED ;
similarly, if
.I put_old
is an existing mount point, its propagation type must not be
.BR MS_SHARED .
.PP
See also
.BR pivot_root (8)
for additional usage examples.
.PP
If the current root is not a mount point (e.g., after an earlier
.BR chroot (2)
or
.BR pivot_root ()),
then the mount point of the filesystem containing the current root directory
(i.e., not the directory itself) is mounted on \fIput_old\fP.
.SH RETURN VALUE
On success, zero is returned.
On error, \-1 is returned, and
\fIerrno\fP is set appropriately.
.SH ERRORS
.BR pivot_root ()
may fail with any of the same errors as
.BR stat (2).
Additionally, it may fail with the following errors:
.TP
.B EBUSY
\fInew_root\fP or \fIput_old\fP are on the current root filesystem,
or a filesystem is already mounted on \fIput_old\fP.
.TP
.B EINVAL
.I new_root
is not a mount point.
.TP
.B EINVAL
\fIput_old\fP is not underneath \fInew_root\fP.
.TP
.B EINVAL
The current root is on the rootfs (initial ramfs) filesystem; see NOTES.
.TP
.B EINVAL
Either the mount point at
.IR new_root ,
or the parent mount of that mount point,
has propagation type
.BR MS_SHARED .
.TP
.B EINVAL
.I put_old
is a mount point and has the propagation type
.BR MS_SHARED .
.TP
.B ENOTDIR
\fInew_root\fP or \fIput_old\fP is not a directory.
.TP
.B EPERM
The calling process does not have the
.B CAP_SYS_ADMIN
capability.
.SH VERSIONS
.BR pivot_root ()
was introduced in Linux 2.3.41.
.SH CONFORMING TO
.BR pivot_root ()
is Linux-specific and hence is not portable.
.SH NOTES
Glibc does not provide a wrapper for this system call; call it using
.BR syscall (2).
.PP
.BR pivot_root ()
allows the caller to switch to a new root filesystem while at the same time
placing the old root mount at a location under
.I new_root
from where it can subsequently be unmounted.
(The fact that it moves all processes that have a root directory
or current working directory on the old root filesystem to the
new root filesystem frees the old root filesystem of users,
allowing it to be unmounted more easily.)
A typical use of
.BR pivot_root ()
is during system startup, when the
system mounts a temporary root filesystem (e.g., an \fBinitrd\fP), then
mounts the real root filesystem, and eventually turns the latter into
the current root of all relevant processes or threads.
A modern use is to set up a root filesystem during
the creation of a container.
.PP
The rootfs (initial ramfs) cannot be
.BR pivot_root ()ed.
The recommended method of changing the root filesystem in this case is
to delete everything in rootfs, overmount rootfs with the new root, attach
.IR stdin / stdout / stderr
to the new
.IR /dev/console ,
and exec the new
.BR init (1).
Helper programs for this process exist; see
.BR switch_root (8).
.SH BUGS
.BR pivot_root ()
should not have to change root and current working directory of other
processes in the system.
.PP
Some of the more obscure uses of
.BR pivot_root ()
may quickly lead to
insanity.
.SH EXAMPLE
.PP
The program below demonstrates the use of
.BR pivot_root ()
inside a mount namespace that is created using
.BR clone (2).
After pivoting to the root directory named in the program's
first command-line argument, the child created by
.BR clone (2)
then executes the program named in the remaining command-line arguments.
.PP
We demonstrate the program by creating a directory that will serve as
the new root filesystem and placing a copy of the (statically linked)
.BR busybox (1)
executable in that directory.
.PP
.in +4n
.EX
$ \fBmkdir /tmp/rootfs\fP
$ \fBls \-id /tmp/rootfs\fP    # Show inode number of new root directory
319459 /tmp/rootfs
$ \fBcp $(which busybox) /tmp/rootfs\fP
$ \fBPS1='bbsh$ ' sudo ./pivot_root_demo /tmp/rootfs /busybox sh\fP
bbsh$ \fBPATH=/\fP
bbsh$ \fBbusybox ln busybox ln\fP
bbsh$ \fBln busybox echo\fP
bbsh$ \fBln busybox ls\fP
bbsh$ \fBls\fP
busybox  echo     ln       ls
bbsh$ \fBls \-id /\fP          # Compare with inode number above
319459 /
bbsh$ \fBecho \(aqhello world\(aq\fP
hello world
.EE
.in
.SS Program source
\&
.PP
.EX
/* pivot_root_demo.c */

#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
#include <sys/syscall.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <limits.h>

#define errExit(msg)    do { perror(msg); exit(EXIT_FAILURE); \e
                        } while (0)

static int
pivot_root(const char *new_root, const char *put_old)
{
    return syscall(SYS_pivot_root, new_root, put_old);
}

#define STACK_SIZE (1024 * 1024)

static int              /* Startup function for cloned child */
child(void *arg)
{
    char **args = arg;
    char *new_root = args[0];
    const char *put_old = "/oldrootfs";
    char path[PATH_MAX];

    /* Ensure that \(aqnew_root\(aq and its parent mount don\(aqt have
       shared propagation (which would cause pivot_root() to
       return an error), and prevent propagation of mount
       events to the initial mount namespace */

    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == 1)
        errExit("mount\-MS_PRIVATE");

    /* Ensure that \(aqnew_root\(aq is a mount point */

    if (mount(new_root, new_root, NULL, MS_BIND, NULL) == \-1)
        errExit("mount\-MS_BIND");

    /* Create directory to which old root will be pivoted */

    snprintf(path, sizeof(path), "%s/%s", new_root, put_old);
    if (mkdir(path, 0777) == \-1)
        errExit("mkdir");

    /* And pivot the root filesystem */

    if (pivot_root(new_root, path) == \-1)
        errExit("pivot_root");

    /* Switch the current working working directory to "/" */

    if (chdir("/") == \-1)
        errExit("chdir");

    /* Unmount old root and remove mount point */

    if (umount2(put_old, MNT_DETACH) == \-1)
        perror("umount2");
    if (rmdir(put_old) == \-1)
        perror("rmdir");

    /* Execute the command specified in argv[1]... */

    execv(args[1], &args[1]);
    errExit("execv");
}

int
main(int argc, char *argv[])
{
    /* Create a child process in a new mount namespace */

    char *stack = malloc(STACK_SIZE);
    if (stack == NULL)
        errExit("malloc");

    if (clone(child, stack + STACK_SIZE,
                CLONE_NEWNS | SIGCHLD, &argv[1]) == \-1)
        errExit("clone");

    /* Parent falls through to here; wait for child */

    if (wait(NULL) == \-1)
        errExit("wait");

    exit(EXIT_SUCCESS);
}
.EE
.SH SEE ALSO
.BR chdir (2),
.BR chroot (2),
.BR mount (2),
.BR stat (2),
.BR initrd (4),
.BR mount_namespaces (7),
.BR pivot_root (8),
.BR switch_root (8)