1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
36 #include <sys/signalfd.h>
40 #include <sys/socket.h>
41 #include <linux/netlink.h>
43 #include <linux/veth.h>
44 #include <sys/personality.h>
45 #include <linux/loop.h>
50 #include <selinux/selinux.h>
58 #include <blkid/blkid.h>
61 #include "sd-daemon.h"
71 #include "cgroup-util.h"
73 #include "path-util.h"
74 #include "loopback-setup.h"
75 #include "dev-setup.h"
80 #include "bus-error.h"
82 #include "bus-kernel.h"
85 #include "rtnl-util.h"
86 #include "udev-util.h"
87 #include "blkid-util.h"
89 #include "siphash24.h"
91 #include "base-filesystem.h"
93 #include "event-util.h"
94 #include "capability.h"
96 #include "btrfs-util.h"
97 #include "machine-image.h"
99 #include "in-addr-util.h"
101 #include "local-addresses.h"
104 #include "seccomp-util.h"
107 typedef struct ExposePort
{
110 uint16_t container_port
;
111 LIST_FIELDS(struct ExposePort
, ports
);
114 typedef enum ContainerStatus
{
115 CONTAINER_TERMINATED
,
119 typedef enum LinkJournal
{
126 typedef enum Volatile
{
132 static char *arg_directory
= NULL
;
133 static char *arg_template
= NULL
;
134 static char *arg_user
= NULL
;
135 static sd_id128_t arg_uuid
= {};
136 static char *arg_machine
= NULL
;
137 static const char *arg_selinux_context
= NULL
;
138 static const char *arg_selinux_apifs_context
= NULL
;
139 static const char *arg_slice
= NULL
;
140 static bool arg_private_network
= false;
141 static bool arg_read_only
= false;
142 static bool arg_boot
= false;
143 static bool arg_ephemeral
= false;
144 static LinkJournal arg_link_journal
= LINK_AUTO
;
145 static bool arg_link_journal_try
= false;
146 static uint64_t arg_retain
=
147 (1ULL << CAP_CHOWN
) |
148 (1ULL << CAP_DAC_OVERRIDE
) |
149 (1ULL << CAP_DAC_READ_SEARCH
) |
150 (1ULL << CAP_FOWNER
) |
151 (1ULL << CAP_FSETID
) |
152 (1ULL << CAP_IPC_OWNER
) |
154 (1ULL << CAP_LEASE
) |
155 (1ULL << CAP_LINUX_IMMUTABLE
) |
156 (1ULL << CAP_NET_BIND_SERVICE
) |
157 (1ULL << CAP_NET_BROADCAST
) |
158 (1ULL << CAP_NET_RAW
) |
159 (1ULL << CAP_SETGID
) |
160 (1ULL << CAP_SETFCAP
) |
161 (1ULL << CAP_SETPCAP
) |
162 (1ULL << CAP_SETUID
) |
163 (1ULL << CAP_SYS_ADMIN
) |
164 (1ULL << CAP_SYS_CHROOT
) |
165 (1ULL << CAP_SYS_NICE
) |
166 (1ULL << CAP_SYS_PTRACE
) |
167 (1ULL << CAP_SYS_TTY_CONFIG
) |
168 (1ULL << CAP_SYS_RESOURCE
) |
169 (1ULL << CAP_SYS_BOOT
) |
170 (1ULL << CAP_AUDIT_WRITE
) |
171 (1ULL << CAP_AUDIT_CONTROL
) |
173 static char **arg_bind
= NULL
;
174 static char **arg_bind_ro
= NULL
;
175 static char **arg_tmpfs
= NULL
;
176 static char **arg_setenv
= NULL
;
177 static bool arg_quiet
= false;
178 static bool arg_share_system
= false;
179 static bool arg_register
= true;
180 static bool arg_keep_unit
= false;
181 static char **arg_network_interfaces
= NULL
;
182 static char **arg_network_macvlan
= NULL
;
183 static char **arg_network_ipvlan
= NULL
;
184 static bool arg_network_veth
= false;
185 static const char *arg_network_bridge
= NULL
;
186 static unsigned long arg_personality
= 0xffffffffLU
;
187 static char *arg_image
= NULL
;
188 static Volatile arg_volatile
= VOLATILE_NO
;
189 static ExposePort
*arg_expose_ports
= NULL
;
191 static void help(void) {
192 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
193 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
194 " -h --help Show this help\n"
195 " --version Print version string\n"
196 " -q --quiet Do not show status information\n"
197 " -D --directory=PATH Root directory for the container\n"
198 " --template=PATH Initialize root directory from template directory,\n"
200 " -x --ephemeral Run container with snapshot of root directory, and\n"
201 " remove it after exit\n"
202 " -i --image=PATH File system device or disk image for the container\n"
203 " -b --boot Boot up full system (i.e. invoke init)\n"
204 " -u --user=USER Run the command under specified user or uid\n"
205 " -M --machine=NAME Set the machine name for the container\n"
206 " --uuid=UUID Set a specific machine UUID for the container\n"
207 " -S --slice=SLICE Place the container in the specified slice\n"
208 " --private-network Disable network in container\n"
209 " --network-interface=INTERFACE\n"
210 " Assign an existing network interface to the\n"
212 " --network-macvlan=INTERFACE\n"
213 " Create a macvlan network interface based on an\n"
214 " existing network interface to the container\n"
215 " --network-ipvlan=INTERFACE\n"
216 " Create a ipvlan network interface based on an\n"
217 " existing network interface to the container\n"
218 " -n --network-veth Add a virtual ethernet connection between host\n"
220 " --network-bridge=INTERFACE\n"
221 " Add a virtual ethernet connection between host\n"
222 " and container and add it to an existing bridge on\n"
224 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
225 " Expose a container IP port on the host\n"
226 " -Z --selinux-context=SECLABEL\n"
227 " Set the SELinux security context to be used by\n"
228 " processes in the container\n"
229 " -L --selinux-apifs-context=SECLABEL\n"
230 " Set the SELinux security context to be used by\n"
231 " API/tmpfs file systems in the container\n"
232 " --capability=CAP In addition to the default, retain specified\n"
234 " --drop-capability=CAP Drop the specified capability from the default set\n"
235 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host,\n"
236 " try-guest, try-host\n"
237 " -j Equivalent to --link-journal=try-guest\n"
238 " --read-only Mount the root directory read-only\n"
239 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
241 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
242 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
243 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
244 " --share-system Share system namespaces with host\n"
245 " --register=BOOLEAN Register container as machine\n"
246 " --keep-unit Do not register a scope for the machine, reuse\n"
247 " the service unit nspawn is running in\n"
248 " --volatile[=MODE] Run the system in volatile mode\n"
249 , program_invocation_short_name
);
252 static int set_sanitized_path(char **b
, const char *path
) {
258 p
= canonicalize_file_name(path
);
263 p
= path_make_absolute_cwd(path
);
269 *b
= path_kill_slashes(p
);
273 static int parse_argv(int argc
, char *argv
[]) {
290 ARG_NETWORK_INTERFACE
,
299 static const struct option options
[] = {
300 { "help", no_argument
, NULL
, 'h' },
301 { "version", no_argument
, NULL
, ARG_VERSION
},
302 { "directory", required_argument
, NULL
, 'D' },
303 { "template", required_argument
, NULL
, ARG_TEMPLATE
},
304 { "ephemeral", no_argument
, NULL
, 'x' },
305 { "user", required_argument
, NULL
, 'u' },
306 { "private-network", no_argument
, NULL
, ARG_PRIVATE_NETWORK
},
307 { "boot", no_argument
, NULL
, 'b' },
308 { "uuid", required_argument
, NULL
, ARG_UUID
},
309 { "read-only", no_argument
, NULL
, ARG_READ_ONLY
},
310 { "capability", required_argument
, NULL
, ARG_CAPABILITY
},
311 { "drop-capability", required_argument
, NULL
, ARG_DROP_CAPABILITY
},
312 { "link-journal", required_argument
, NULL
, ARG_LINK_JOURNAL
},
313 { "bind", required_argument
, NULL
, ARG_BIND
},
314 { "bind-ro", required_argument
, NULL
, ARG_BIND_RO
},
315 { "tmpfs", required_argument
, NULL
, ARG_TMPFS
},
316 { "machine", required_argument
, NULL
, 'M' },
317 { "slice", required_argument
, NULL
, 'S' },
318 { "setenv", required_argument
, NULL
, ARG_SETENV
},
319 { "selinux-context", required_argument
, NULL
, 'Z' },
320 { "selinux-apifs-context", required_argument
, NULL
, 'L' },
321 { "quiet", no_argument
, NULL
, 'q' },
322 { "share-system", no_argument
, NULL
, ARG_SHARE_SYSTEM
},
323 { "register", required_argument
, NULL
, ARG_REGISTER
},
324 { "keep-unit", no_argument
, NULL
, ARG_KEEP_UNIT
},
325 { "network-interface", required_argument
, NULL
, ARG_NETWORK_INTERFACE
},
326 { "network-macvlan", required_argument
, NULL
, ARG_NETWORK_MACVLAN
},
327 { "network-ipvlan", required_argument
, NULL
, ARG_NETWORK_IPVLAN
},
328 { "network-veth", no_argument
, NULL
, 'n' },
329 { "network-bridge", required_argument
, NULL
, ARG_NETWORK_BRIDGE
},
330 { "personality", required_argument
, NULL
, ARG_PERSONALITY
},
331 { "image", required_argument
, NULL
, 'i' },
332 { "volatile", optional_argument
, NULL
, ARG_VOLATILE
},
333 { "port", required_argument
, NULL
, 'p' },
338 uint64_t plus
= 0, minus
= 0;
343 while ((c
= getopt_long(argc
, argv
, "+hD:u:bL:M:jS:Z:qi:xp:n", options
, NULL
)) >= 0)
352 puts(PACKAGE_STRING
);
353 puts(SYSTEMD_FEATURES
);
357 r
= set_sanitized_path(&arg_directory
, optarg
);
359 return log_error_errno(r
, "Invalid root directory: %m");
364 r
= set_sanitized_path(&arg_template
, optarg
);
366 return log_error_errno(r
, "Invalid template directory: %m");
371 r
= set_sanitized_path(&arg_image
, optarg
);
373 return log_error_errno(r
, "Invalid image path: %m");
378 arg_ephemeral
= true;
383 arg_user
= strdup(optarg
);
389 case ARG_NETWORK_BRIDGE
:
390 arg_network_bridge
= optarg
;
395 arg_network_veth
= true;
396 arg_private_network
= true;
399 case ARG_NETWORK_INTERFACE
:
400 if (strv_extend(&arg_network_interfaces
, optarg
) < 0)
403 arg_private_network
= true;
406 case ARG_NETWORK_MACVLAN
:
407 if (strv_extend(&arg_network_macvlan
, optarg
) < 0)
410 arg_private_network
= true;
413 case ARG_NETWORK_IPVLAN
:
414 if (strv_extend(&arg_network_ipvlan
, optarg
) < 0)
419 case ARG_PRIVATE_NETWORK
:
420 arg_private_network
= true;
428 r
= sd_id128_from_string(optarg
, &arg_uuid
);
430 log_error("Invalid UUID: %s", optarg
);
440 if (isempty(optarg
)) {
444 if (!machine_name_is_valid(optarg
)) {
445 log_error("Invalid machine name: %s", optarg
);
449 r
= free_and_strdup(&arg_machine
, optarg
);
457 arg_selinux_context
= optarg
;
461 arg_selinux_apifs_context
= optarg
;
465 arg_read_only
= true;
469 case ARG_DROP_CAPABILITY
: {
470 const char *state
, *word
;
473 FOREACH_WORD_SEPARATOR(word
, length
, optarg
, ",", state
) {
474 _cleanup_free_
char *t
;
476 t
= strndup(word
, length
);
480 if (streq(t
, "all")) {
481 if (c
== ARG_CAPABILITY
)
482 plus
= (uint64_t) -1;
484 minus
= (uint64_t) -1;
488 cap
= capability_from_name(t
);
490 log_error("Failed to parse capability %s.", t
);
494 if (c
== ARG_CAPABILITY
)
495 plus
|= 1ULL << (uint64_t) cap
;
497 minus
|= 1ULL << (uint64_t) cap
;
505 arg_link_journal
= LINK_GUEST
;
506 arg_link_journal_try
= true;
509 case ARG_LINK_JOURNAL
:
510 if (streq(optarg
, "auto")) {
511 arg_link_journal
= LINK_AUTO
;
512 arg_link_journal_try
= false;
513 } else if (streq(optarg
, "no")) {
514 arg_link_journal
= LINK_NO
;
515 arg_link_journal_try
= false;
516 } else if (streq(optarg
, "guest")) {
517 arg_link_journal
= LINK_GUEST
;
518 arg_link_journal_try
= false;
519 } else if (streq(optarg
, "host")) {
520 arg_link_journal
= LINK_HOST
;
521 arg_link_journal_try
= false;
522 } else if (streq(optarg
, "try-guest")) {
523 arg_link_journal
= LINK_GUEST
;
524 arg_link_journal_try
= true;
525 } else if (streq(optarg
, "try-host")) {
526 arg_link_journal
= LINK_HOST
;
527 arg_link_journal_try
= true;
529 log_error("Failed to parse link journal mode %s", optarg
);
537 _cleanup_free_
char *a
= NULL
, *b
= NULL
;
541 x
= c
== ARG_BIND
? &arg_bind
: &arg_bind_ro
;
543 e
= strchr(optarg
, ':');
545 a
= strndup(optarg
, e
- optarg
);
555 if (!path_is_absolute(a
) || !path_is_absolute(b
)) {
556 log_error("Invalid bind mount specification: %s", optarg
);
560 r
= strv_extend(x
, a
);
564 r
= strv_extend(x
, b
);
572 _cleanup_free_
char *a
= NULL
, *b
= NULL
;
575 e
= strchr(optarg
, ':');
577 a
= strndup(optarg
, e
- optarg
);
581 b
= strdup("mode=0755");
587 if (!path_is_absolute(a
)) {
588 log_error("Invalid tmpfs specification: %s", optarg
);
592 r
= strv_push(&arg_tmpfs
, a
);
598 r
= strv_push(&arg_tmpfs
, b
);
610 if (!env_assignment_is_valid(optarg
)) {
611 log_error("Environment variable assignment '%s' is not valid.", optarg
);
615 n
= strv_env_set(arg_setenv
, optarg
);
619 strv_free(arg_setenv
);
628 case ARG_SHARE_SYSTEM
:
629 arg_share_system
= true;
633 r
= parse_boolean(optarg
);
635 log_error("Failed to parse --register= argument: %s", optarg
);
643 arg_keep_unit
= true;
646 case ARG_PERSONALITY
:
648 arg_personality
= personality_from_string(optarg
);
649 if (arg_personality
== 0xffffffffLU
) {
650 log_error("Unknown or unsupported personality '%s'.", optarg
);
659 arg_volatile
= VOLATILE_YES
;
661 r
= parse_boolean(optarg
);
663 if (streq(optarg
, "state"))
664 arg_volatile
= VOLATILE_STATE
;
666 log_error("Failed to parse --volatile= argument: %s", optarg
);
670 arg_volatile
= r
? VOLATILE_YES
: VOLATILE_NO
;
676 const char *split
, *e
;
677 uint16_t container_port
, host_port
;
681 if ((e
= startswith(optarg
, "tcp:")))
682 protocol
= IPPROTO_TCP
;
683 else if ((e
= startswith(optarg
, "udp:")))
684 protocol
= IPPROTO_UDP
;
687 protocol
= IPPROTO_TCP
;
690 split
= strchr(e
, ':');
692 char v
[split
- e
+ 1];
694 memcpy(v
, e
, split
- e
);
697 r
= safe_atou16(v
, &host_port
);
698 if (r
< 0 || host_port
<= 0) {
699 log_error("Failed to parse host port: %s", optarg
);
703 r
= safe_atou16(split
+ 1, &container_port
);
705 r
= safe_atou16(e
, &container_port
);
706 host_port
= container_port
;
709 if (r
< 0 || container_port
<= 0) {
710 log_error("Failed to parse host port: %s", optarg
);
714 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
715 if (p
->protocol
== protocol
&& p
->host_port
== host_port
) {
716 log_error("Duplicate port specification: %s", optarg
);
721 p
= new(ExposePort
, 1);
725 p
->protocol
= protocol
;
726 p
->host_port
= host_port
;
727 p
->container_port
= container_port
;
729 LIST_PREPEND(ports
, arg_expose_ports
, p
);
738 assert_not_reached("Unhandled option");
741 if (arg_share_system
)
742 arg_register
= false;
744 if (arg_boot
&& arg_share_system
) {
745 log_error("--boot and --share-system may not be combined.");
749 if (arg_keep_unit
&& cg_pid_get_owner_uid(0, NULL
) >= 0) {
750 log_error("--keep-unit may not be used when invoked from a user session.");
754 if (arg_directory
&& arg_image
) {
755 log_error("--directory= and --image= may not be combined.");
759 if (arg_template
&& arg_image
) {
760 log_error("--template= and --image= may not be combined.");
764 if (arg_template
&& !(arg_directory
|| arg_machine
)) {
765 log_error("--template= needs --directory= or --machine=.");
769 if (arg_ephemeral
&& arg_template
) {
770 log_error("--ephemeral and --template= may not be combined.");
774 if (arg_ephemeral
&& arg_image
) {
775 log_error("--ephemeral and --image= may not be combined.");
779 if (arg_ephemeral
&& !IN_SET(arg_link_journal
, LINK_NO
, LINK_AUTO
)) {
780 log_error("--ephemeral and --link-journal= may not be combined.");
784 if (arg_volatile
!= VOLATILE_NO
&& arg_read_only
) {
785 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
789 if (arg_expose_ports
&& !arg_private_network
) {
790 log_error("Cannot use --port= without private networking.");
794 arg_retain
= (arg_retain
| plus
| (arg_private_network
? 1ULL << CAP_NET_ADMIN
: 0)) & ~minus
;
799 static int mount_all(const char *dest
) {
801 typedef struct MountPoint
{
810 static const MountPoint mount_table
[] = {
811 { "proc", "/proc", "proc", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, true },
812 { "/proc/sys", "/proc/sys", NULL
, NULL
, MS_BIND
, true }, /* Bind mount first */
813 { NULL
, "/proc/sys", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_REMOUNT
, true }, /* Then, make it r/o */
814 { "sysfs", "/sys", "sysfs", NULL
, MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, true },
815 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID
|MS_STRICTATIME
, true },
816 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID
), MS_NOSUID
|MS_NOEXEC
, true },
817 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
, true },
818 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
, true },
819 { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME
, true },
821 { "/sys/fs/selinux", "/sys/fs/selinux", NULL
, NULL
, MS_BIND
, false }, /* Bind mount first */
822 { NULL
, "/sys/fs/selinux", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_REMOUNT
, false }, /* Then, make it r/o */
829 for (k
= 0; k
< ELEMENTSOF(mount_table
); k
++) {
830 _cleanup_free_
char *where
= NULL
;
832 _cleanup_free_
char *options
= NULL
;
837 where
= strjoin(dest
, "/", mount_table
[k
].where
, NULL
);
841 t
= path_is_mount_point(where
, true);
843 log_error_errno(t
, "Failed to detect whether %s is a mount point: %m", where
);
851 /* Skip this entry if it is not a remount. */
852 if (mount_table
[k
].what
&& t
> 0)
855 t
= mkdir_p(where
, 0755);
857 if (mount_table
[k
].fatal
) {
858 log_error_errno(t
, "Failed to create directory %s: %m", where
);
863 log_warning_errno(t
, "Failed to create directory %s: %m", where
);
869 if (arg_selinux_apifs_context
&&
870 (streq_ptr(mount_table
[k
].what
, "tmpfs") || streq_ptr(mount_table
[k
].what
, "devpts"))) {
871 options
= strjoin(mount_table
[k
].options
, ",context=\"", arg_selinux_apifs_context
, "\"", NULL
);
878 o
= mount_table
[k
].options
;
881 if (mount(mount_table
[k
].what
,
884 mount_table
[k
].flags
,
887 if (mount_table
[k
].fatal
) {
888 log_error_errno(errno
, "mount(%s) failed: %m", where
);
893 log_warning_errno(errno
, "mount(%s) failed: %m", where
);
900 static int mount_binds(const char *dest
, char **l
, bool ro
) {
903 STRV_FOREACH_PAIR(x
, y
, l
) {
904 _cleanup_free_
char *where
= NULL
;
905 struct stat source_st
, dest_st
;
908 if (stat(*x
, &source_st
) < 0)
909 return log_error_errno(errno
, "Failed to stat %s: %m", *x
);
911 where
= strappend(dest
, *y
);
915 r
= stat(where
, &dest_st
);
917 if (S_ISDIR(source_st
.st_mode
) && !S_ISDIR(dest_st
.st_mode
)) {
918 log_error("Cannot bind mount directory %s on file %s.", *x
, where
);
921 if (!S_ISDIR(source_st
.st_mode
) && S_ISDIR(dest_st
.st_mode
)) {
922 log_error("Cannot bind mount file %s on directory %s.", *x
, where
);
925 } else if (errno
== ENOENT
) {
926 r
= mkdir_parents_label(where
, 0755);
928 return log_error_errno(r
, "Failed to bind mount %s: %m", *x
);
930 log_error_errno(errno
, "Failed to bind mount %s: %m", *x
);
934 /* Create the mount point. Any non-directory file can be
935 * mounted on any non-directory file (regular, fifo, socket,
938 if (S_ISDIR(source_st
.st_mode
)) {
939 r
= mkdir_label(where
, 0755);
940 if (r
< 0 && errno
!= EEXIST
)
941 return log_error_errno(r
, "Failed to create mount point %s: %m", where
);
945 return log_error_errno(r
, "Failed to create mount point %s: %m", where
);
948 if (mount(*x
, where
, "bind", MS_BIND
, NULL
) < 0)
949 return log_error_errno(errno
, "mount(%s) failed: %m", where
);
952 r
= bind_remount_recursive(where
, true);
954 return log_error_errno(r
, "Read-Only bind mount failed: %m");
961 static int mount_cgroup_hierarchy(const char *dest
, const char *controller
, const char *hierarchy
, bool read_only
) {
965 to
= strjoina(dest
, "/sys/fs/cgroup/", hierarchy
);
967 r
= path_is_mount_point(to
, false);
969 return log_error_errno(r
, "Failed to determine if %s is mounted already: %m", to
);
975 /* The superblock mount options of the mount point need to be
976 * identical to the hosts', and hence writable... */
977 if (mount("cgroup", to
, "cgroup", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, controller
) < 0)
978 return log_error_errno(errno
, "Failed to mount to %s: %m", to
);
980 /* ... hence let's only make the bind mount read-only, not the
983 if (mount(NULL
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_RDONLY
, NULL
) < 0)
984 return log_error_errno(errno
, "Failed to remount %s read-only: %m", to
);
989 static int mount_cgroup(const char *dest
) {
990 _cleanup_set_free_free_ Set
*controllers
= NULL
;
991 _cleanup_free_
char *own_cgroup_path
= NULL
;
992 const char *cgroup_root
, *systemd_root
, *systemd_own
;
995 controllers
= set_new(&string_hash_ops
);
999 r
= cg_kernel_controllers(controllers
);
1001 return log_error_errno(r
, "Failed to determine cgroup controllers: %m");
1003 r
= cg_pid_get_path(NULL
, 0, &own_cgroup_path
);
1005 return log_error_errno(r
, "Failed to determine our own cgroup path: %m");
1007 cgroup_root
= strjoina(dest
, "/sys/fs/cgroup");
1008 if (mount("tmpfs", cgroup_root
, "tmpfs", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
, "mode=755") < 0)
1009 return log_error_errno(errno
, "Failed to mount tmpfs to /sys/fs/cgroup: %m");
1012 _cleanup_free_
char *controller
= NULL
, *origin
= NULL
, *combined
= NULL
;
1014 controller
= set_steal_first(controllers
);
1018 origin
= strappend("/sys/fs/cgroup/", controller
);
1022 r
= readlink_malloc(origin
, &combined
);
1024 /* Not a symbolic link, but directly a single cgroup hierarchy */
1026 r
= mount_cgroup_hierarchy(dest
, controller
, controller
, true);
1031 return log_error_errno(r
, "Failed to read link %s: %m", origin
);
1033 _cleanup_free_
char *target
= NULL
;
1035 target
= strjoin(dest
, "/sys/fs/cgroup/", controller
, NULL
);
1039 /* A symbolic link, a combination of controllers in one hierarchy */
1041 if (!filename_is_valid(combined
)) {
1042 log_warning("Ignoring invalid combined hierarchy %s.", combined
);
1046 r
= mount_cgroup_hierarchy(dest
, combined
, combined
, true);
1050 if (symlink(combined
, target
) < 0)
1051 return log_error_errno(errno
, "Failed to create symlink for combined hierarchy: %m");
1055 r
= mount_cgroup_hierarchy(dest
, "name=systemd,xattr", "systemd", false);
1059 /* Make our own cgroup a (writable) bind mount */
1060 systemd_own
= strjoina(dest
, "/sys/fs/cgroup/systemd", own_cgroup_path
);
1061 if (mount(systemd_own
, systemd_own
, NULL
, MS_BIND
, NULL
) < 0)
1062 return log_error_errno(errno
, "Failed to turn %s into a bind mount: %m", own_cgroup_path
);
1064 /* And then remount the systemd cgroup root read-only */
1065 systemd_root
= strjoina(dest
, "/sys/fs/cgroup/systemd");
1066 if (mount(NULL
, systemd_root
, NULL
, MS_BIND
|MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_RDONLY
, NULL
) < 0)
1067 return log_error_errno(errno
, "Failed to mount cgroup root read-only: %m");
1069 if (mount(NULL
, cgroup_root
, NULL
, MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
|MS_RDONLY
, "mode=755") < 0)
1070 return log_error_errno(errno
, "Failed to remount %s read-only: %m", cgroup_root
);
1075 static int mount_tmpfs(const char *dest
) {
1078 STRV_FOREACH_PAIR(i
, o
, arg_tmpfs
) {
1079 _cleanup_free_
char *where
= NULL
;
1082 where
= strappend(dest
, *i
);
1086 r
= mkdir_label(where
, 0755);
1087 if (r
< 0 && r
!= -EEXIST
)
1088 return log_error_errno(r
, "Creating mount point for tmpfs %s failed: %m", where
);
1090 if (mount("tmpfs", where
, "tmpfs", MS_NODEV
|MS_STRICTATIME
, *o
) < 0)
1091 return log_error_errno(errno
, "tmpfs mount to %s failed: %m", where
);
1097 static int setup_timezone(const char *dest
) {
1098 _cleanup_free_
char *where
= NULL
, *p
= NULL
, *q
= NULL
, *check
= NULL
, *what
= NULL
;
1104 /* Fix the timezone, if possible */
1105 r
= readlink_malloc("/etc/localtime", &p
);
1107 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
1111 z
= path_startswith(p
, "../usr/share/zoneinfo/");
1113 z
= path_startswith(p
, "/usr/share/zoneinfo/");
1115 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1119 where
= strappend(dest
, "/etc/localtime");
1123 r
= readlink_malloc(where
, &q
);
1125 y
= path_startswith(q
, "../usr/share/zoneinfo/");
1127 y
= path_startswith(q
, "/usr/share/zoneinfo/");
1129 /* Already pointing to the right place? Then do nothing .. */
1130 if (y
&& streq(y
, z
))
1134 check
= strjoin(dest
, "/usr/share/zoneinfo/", z
, NULL
);
1138 if (access(check
, F_OK
) < 0) {
1139 log_warning("Timezone %s does not exist in container, not updating container timezone.", z
);
1143 what
= strappend("../usr/share/zoneinfo/", z
);
1147 r
= mkdir_parents(where
, 0755);
1149 log_error_errno(r
, "Failed to create directory for timezone info %s in container: %m", where
);
1155 if (r
< 0 && errno
!= ENOENT
) {
1156 log_error_errno(errno
, "Failed to remove existing timezone info %s in container: %m", where
);
1161 if (symlink(what
, where
) < 0) {
1162 log_error_errno(errno
, "Failed to correct timezone of container: %m");
1169 static int setup_resolv_conf(const char *dest
) {
1170 _cleanup_free_
char *where
= NULL
;
1175 if (arg_private_network
)
1178 /* Fix resolv.conf, if possible */
1179 where
= strappend(dest
, "/etc/resolv.conf");
1183 /* We don't really care for the results of this really. If it
1184 * fails, it fails, but meh... */
1185 r
= mkdir_parents(where
, 0755);
1187 log_warning_errno(r
, "Failed to create parent directory for resolv.conf %s: %m", where
);
1192 r
= copy_file("/etc/resolv.conf", where
, O_TRUNC
|O_NOFOLLOW
, 0644, 0);
1194 log_warning_errno(r
, "Failed to copy /etc/resolv.conf to %s: %m", where
);
1202 static int setup_volatile_state(const char *directory
) {
1208 if (arg_volatile
!= VOLATILE_STATE
)
1211 /* --volatile=state means we simply overmount /var
1212 with a tmpfs, and the rest read-only. */
1214 r
= bind_remount_recursive(directory
, true);
1216 return log_error_errno(r
, "Failed to remount %s read-only: %m", directory
);
1218 p
= strjoina(directory
, "/var");
1220 if (r
< 0 && errno
!= EEXIST
)
1221 return log_error_errno(errno
, "Failed to create %s: %m", directory
);
1223 if (mount("tmpfs", p
, "tmpfs", MS_STRICTATIME
, "mode=755") < 0)
1224 return log_error_errno(errno
, "Failed to mount tmpfs to /var: %m");
1229 static int setup_volatile(const char *directory
) {
1230 bool tmpfs_mounted
= false, bind_mounted
= false;
1231 char template[] = "/tmp/nspawn-volatile-XXXXXX";
1237 if (arg_volatile
!= VOLATILE_YES
)
1240 /* --volatile=yes means we mount a tmpfs to the root dir, and
1241 the original /usr to use inside it, and that read-only. */
1243 if (!mkdtemp(template))
1244 return log_error_errno(errno
, "Failed to create temporary directory: %m");
1246 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME
, "mode=755") < 0) {
1247 log_error_errno(errno
, "Failed to mount tmpfs for root directory: %m");
1252 tmpfs_mounted
= true;
1254 f
= strjoina(directory
, "/usr");
1255 t
= strjoina(template, "/usr");
1258 if (r
< 0 && errno
!= EEXIST
) {
1259 log_error_errno(errno
, "Failed to create %s: %m", t
);
1264 if (mount(f
, t
, "bind", MS_BIND
|MS_REC
, NULL
) < 0) {
1265 log_error_errno(errno
, "Failed to create /usr bind mount: %m");
1270 bind_mounted
= true;
1272 r
= bind_remount_recursive(t
, true);
1274 log_error_errno(r
, "Failed to remount %s read-only: %m", t
);
1278 if (mount(template, directory
, NULL
, MS_MOVE
, NULL
) < 0) {
1279 log_error_errno(errno
, "Failed to move root mount: %m");
1297 static char* id128_format_as_uuid(sd_id128_t id
, char s
[37]) {
1300 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1301 SD_ID128_FORMAT_VAL(id
));
1306 static int setup_boot_id(const char *dest
) {
1307 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1308 sd_id128_t rnd
= {};
1314 if (arg_share_system
)
1317 /* Generate a new randomized boot ID, so that each boot-up of
1318 * the container gets a new one */
1320 from
= strappend(dest
, "/dev/proc-sys-kernel-random-boot-id");
1321 to
= strappend(dest
, "/proc/sys/kernel/random/boot_id");
1325 r
= sd_id128_randomize(&rnd
);
1327 return log_error_errno(r
, "Failed to generate random boot id: %m");
1329 id128_format_as_uuid(rnd
, as_uuid
);
1331 r
= write_string_file(from
, as_uuid
);
1333 return log_error_errno(r
, "Failed to write boot id: %m");
1335 if (mount(from
, to
, "bind", MS_BIND
, NULL
) < 0) {
1336 log_error_errno(errno
, "Failed to bind mount boot id: %m");
1338 } else if (mount(from
, to
, "bind", MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
))
1339 log_warning_errno(errno
, "Failed to make boot id read-only: %m");
1345 static int copy_devnodes(const char *dest
) {
1347 static const char devnodes
[] =
1358 _cleanup_umask_ mode_t u
;
1364 NULSTR_FOREACH(d
, devnodes
) {
1365 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1368 from
= strappend("/dev/", d
);
1369 to
= strjoin(dest
, "/dev/", d
, NULL
);
1373 if (stat(from
, &st
) < 0) {
1375 if (errno
!= ENOENT
)
1376 return log_error_errno(errno
, "Failed to stat %s: %m", from
);
1378 } else if (!S_ISCHR(st
.st_mode
) && !S_ISBLK(st
.st_mode
)) {
1380 log_error("%s is not a char or block device, cannot copy", from
);
1384 r
= mkdir_parents(to
, 0775);
1386 log_error_errno(r
, "Failed to create parent directory of %s: %m", to
);
1390 if (mknod(to
, st
.st_mode
, st
.st_rdev
) < 0)
1391 return log_error_errno(errno
, "mknod(%s) failed: %m", to
);
1398 static int setup_ptmx(const char *dest
) {
1399 _cleanup_free_
char *p
= NULL
;
1401 p
= strappend(dest
, "/dev/ptmx");
1405 if (symlink("pts/ptmx", p
) < 0)
1406 return log_error_errno(errno
, "Failed to create /dev/ptmx symlink: %m");
1411 static int setup_dev_console(const char *dest
, const char *console
) {
1412 _cleanup_umask_ mode_t u
;
1422 if (stat("/dev/null", &st
) < 0)
1423 return log_error_errno(errno
, "Failed to stat /dev/null: %m");
1425 r
= chmod_and_chown(console
, 0600, 0, 0);
1427 return log_error_errno(r
, "Failed to correct access mode for TTY: %m");
1429 /* We need to bind mount the right tty to /dev/console since
1430 * ptys can only exist on pts file systems. To have something
1431 * to bind mount things on we create a device node first, and
1432 * use /dev/null for that since we the cgroups device policy
1433 * allows us to create that freely, while we cannot create
1434 * /dev/console. (Note that the major minor doesn't actually
1435 * matter here, since we mount it over anyway). */
1437 to
= strjoina(dest
, "/dev/console");
1438 if (mknod(to
, (st
.st_mode
& ~07777) | 0600, st
.st_rdev
) < 0)
1439 return log_error_errno(errno
, "mknod() for /dev/console failed: %m");
1441 if (mount(console
, to
, "bind", MS_BIND
, NULL
) < 0)
1442 return log_error_errno(errno
, "Bind mount for /dev/console failed: %m");
1447 static int setup_kmsg(const char *dest
, int kmsg_socket
) {
1448 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1449 _cleanup_umask_ mode_t u
;
1452 struct cmsghdr cmsghdr
;
1453 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1455 struct msghdr mh
= {
1456 .msg_control
= &control
,
1457 .msg_controllen
= sizeof(control
),
1459 struct cmsghdr
*cmsg
;
1462 assert(kmsg_socket
>= 0);
1466 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1467 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1468 * on the reading side behave very similar to /proc/kmsg,
1469 * their writing side behaves differently from /dev/kmsg in
1470 * that writing blocks when nothing is reading. In order to
1471 * avoid any problems with containers deadlocking due to this
1472 * we simply make /dev/kmsg unavailable to the container. */
1473 if (asprintf(&from
, "%s/dev/kmsg", dest
) < 0 ||
1474 asprintf(&to
, "%s/proc/kmsg", dest
) < 0)
1477 if (mkfifo(from
, 0600) < 0)
1478 return log_error_errno(errno
, "mkfifo() for /dev/kmsg failed: %m");
1480 r
= chmod_and_chown(from
, 0600, 0, 0);
1482 return log_error_errno(r
, "Failed to correct access mode for /dev/kmsg: %m");
1484 if (mount(from
, to
, "bind", MS_BIND
, NULL
) < 0)
1485 return log_error_errno(errno
, "Bind mount for /proc/kmsg failed: %m");
1487 fd
= open(from
, O_RDWR
|O_NDELAY
|O_CLOEXEC
);
1489 return log_error_errno(errno
, "Failed to open fifo: %m");
1491 cmsg
= CMSG_FIRSTHDR(&mh
);
1492 cmsg
->cmsg_level
= SOL_SOCKET
;
1493 cmsg
->cmsg_type
= SCM_RIGHTS
;
1494 cmsg
->cmsg_len
= CMSG_LEN(sizeof(int));
1495 memcpy(CMSG_DATA(cmsg
), &fd
, sizeof(int));
1497 mh
.msg_controllen
= cmsg
->cmsg_len
;
1499 /* Store away the fd in the socket, so that it stays open as
1500 * long as we run the child */
1501 k
= sendmsg(kmsg_socket
, &mh
, MSG_NOSIGNAL
);
1505 return log_error_errno(errno
, "Failed to send FIFO fd: %m");
1507 /* And now make the FIFO unavailable as /dev/kmsg... */
1512 static int send_rtnl(int send_fd
) {
1514 struct cmsghdr cmsghdr
;
1515 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1517 struct msghdr mh
= {
1518 .msg_control
= &control
,
1519 .msg_controllen
= sizeof(control
),
1521 struct cmsghdr
*cmsg
;
1522 _cleanup_close_
int fd
= -1;
1525 assert(send_fd
>= 0);
1527 if (!arg_expose_ports
)
1530 fd
= socket(PF_NETLINK
, SOCK_RAW
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, NETLINK_ROUTE
);
1532 return log_error_errno(errno
, "failed to allocate container netlink: %m");
1534 cmsg
= CMSG_FIRSTHDR(&mh
);
1535 cmsg
->cmsg_level
= SOL_SOCKET
;
1536 cmsg
->cmsg_type
= SCM_RIGHTS
;
1537 cmsg
->cmsg_len
= CMSG_LEN(sizeof(int));
1538 memcpy(CMSG_DATA(cmsg
), &fd
, sizeof(int));
1540 mh
.msg_controllen
= cmsg
->cmsg_len
;
1542 /* Store away the fd in the socket, so that it stays open as
1543 * long as we run the child */
1544 k
= sendmsg(send_fd
, &mh
, MSG_NOSIGNAL
);
1546 return log_error_errno(errno
, "Failed to send netlink fd: %m");
1551 static int flush_ports(union in_addr_union
*exposed
) {
1553 int r
, af
= AF_INET
;
1557 if (!arg_expose_ports
)
1560 if (in_addr_is_null(af
, exposed
))
1563 log_debug("Lost IP address.");
1565 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
1566 r
= fw_add_local_dnat(false,
1577 log_warning_errno(r
, "Failed to modify firewall: %m");
1580 *exposed
= IN_ADDR_NULL
;
1584 static int expose_ports(sd_rtnl
*rtnl
, union in_addr_union
*exposed
) {
1585 _cleanup_free_
struct local_address
*addresses
= NULL
;
1586 _cleanup_free_
char *pretty
= NULL
;
1587 union in_addr_union new_exposed
;
1590 int af
= AF_INET
, r
;
1594 /* Invoked each time an address is added or removed inside the
1597 if (!arg_expose_ports
)
1600 r
= local_addresses(rtnl
, 0, af
, &addresses
);
1602 return log_error_errno(r
, "Failed to enumerate local addresses: %m");
1605 addresses
[0].family
== af
&&
1606 addresses
[0].scope
< RT_SCOPE_LINK
;
1609 return flush_ports(exposed
);
1611 new_exposed
= addresses
[0].address
;
1612 if (in_addr_equal(af
, exposed
, &new_exposed
))
1615 in_addr_to_string(af
, &new_exposed
, &pretty
);
1616 log_debug("New container IP is %s.", strna(pretty
));
1618 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
1620 r
= fw_add_local_dnat(true,
1629 in_addr_is_null(af
, exposed
) ? NULL
: exposed
);
1631 log_warning_errno(r
, "Failed to modify firewall: %m");
1634 *exposed
= new_exposed
;
1638 static int on_address_change(sd_rtnl
*rtnl
, sd_rtnl_message
*m
, void *userdata
) {
1639 union in_addr_union
*exposed
= userdata
;
1645 expose_ports(rtnl
, exposed
);
1649 static int watch_rtnl(sd_event
*event
, int recv_fd
, union in_addr_union
*exposed
, sd_rtnl
**ret
) {
1651 struct cmsghdr cmsghdr
;
1652 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1654 struct msghdr mh
= {
1655 .msg_control
= &control
,
1656 .msg_controllen
= sizeof(control
),
1658 struct cmsghdr
*cmsg
;
1659 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
1664 assert(recv_fd
>= 0);
1667 if (!arg_expose_ports
)
1670 k
= recvmsg(recv_fd
, &mh
, MSG_NOSIGNAL
);
1672 return log_error_errno(errno
, "Failed to recv netlink fd: %m");
1674 cmsg
= CMSG_FIRSTHDR(&mh
);
1675 assert(cmsg
->cmsg_level
== SOL_SOCKET
);
1676 assert(cmsg
->cmsg_type
== SCM_RIGHTS
);
1677 assert(cmsg
->cmsg_len
== CMSG_LEN(sizeof(int)));
1678 memcpy(&fd
, CMSG_DATA(cmsg
), sizeof(int));
1680 r
= sd_rtnl_open_fd(&rtnl
, fd
, 1, RTNLGRP_IPV4_IFADDR
);
1683 return log_error_errno(r
, "Failed to create rtnl object: %m");
1686 r
= sd_rtnl_add_match(rtnl
, RTM_NEWADDR
, on_address_change
, exposed
);
1688 return log_error_errno(r
, "Failed to subscribe to RTM_NEWADDR messages: %m");
1690 r
= sd_rtnl_add_match(rtnl
, RTM_DELADDR
, on_address_change
, exposed
);
1692 return log_error_errno(r
, "Failed to subscribe to RTM_DELADDR messages: %m");
1694 r
= sd_rtnl_attach_event(rtnl
, event
, 0);
1696 return log_error_errno(r
, "Failed to add to even loop: %m");
1704 static int setup_hostname(void) {
1706 if (arg_share_system
)
1709 if (sethostname_idempotent(arg_machine
) < 0)
1715 static int setup_journal(const char *directory
) {
1716 sd_id128_t machine_id
, this_id
;
1717 _cleanup_free_
char *p
= NULL
, *b
= NULL
, *q
= NULL
, *d
= NULL
;
1721 /* Don't link journals in ephemeral mode */
1725 p
= strappend(directory
, "/etc/machine-id");
1729 r
= read_one_line_file(p
, &b
);
1730 if (r
== -ENOENT
&& arg_link_journal
== LINK_AUTO
)
1733 return log_error_errno(r
, "Failed to read machine ID from %s: %m", p
);
1736 if (isempty(id
) && arg_link_journal
== LINK_AUTO
)
1739 /* Verify validity */
1740 r
= sd_id128_from_string(id
, &machine_id
);
1742 return log_error_errno(r
, "Failed to parse machine ID from %s: %m", p
);
1744 r
= sd_id128_get_machine(&this_id
);
1746 return log_error_errno(r
, "Failed to retrieve machine ID: %m");
1748 if (sd_id128_equal(machine_id
, this_id
)) {
1749 log_full(arg_link_journal
== LINK_AUTO
? LOG_WARNING
: LOG_ERR
,
1750 "Host and machine ids are equal (%s): refusing to link journals", id
);
1751 if (arg_link_journal
== LINK_AUTO
)
1756 if (arg_link_journal
== LINK_NO
)
1760 p
= strappend("/var/log/journal/", id
);
1761 q
= strjoin(directory
, "/var/log/journal/", id
, NULL
);
1765 if (path_is_mount_point(p
, false) > 0) {
1766 if (arg_link_journal
!= LINK_AUTO
) {
1767 log_error("%s: already a mount point, refusing to use for journal", p
);
1774 if (path_is_mount_point(q
, false) > 0) {
1775 if (arg_link_journal
!= LINK_AUTO
) {
1776 log_error("%s: already a mount point, refusing to use for journal", q
);
1783 r
= readlink_and_make_absolute(p
, &d
);
1785 if ((arg_link_journal
== LINK_GUEST
||
1786 arg_link_journal
== LINK_AUTO
) &&
1789 r
= mkdir_p(q
, 0755);
1791 log_warning_errno(errno
, "Failed to create directory %s: %m", q
);
1796 return log_error_errno(errno
, "Failed to remove symlink %s: %m", p
);
1797 } else if (r
== -EINVAL
) {
1799 if (arg_link_journal
== LINK_GUEST
&&
1802 if (errno
== ENOTDIR
) {
1803 log_error("%s already exists and is neither a symlink nor a directory", p
);
1806 log_error_errno(errno
, "Failed to remove %s: %m", p
);
1810 } else if (r
!= -ENOENT
) {
1811 log_error_errno(errno
, "readlink(%s) failed: %m", p
);
1815 if (arg_link_journal
== LINK_GUEST
) {
1817 if (symlink(q
, p
) < 0) {
1818 if (arg_link_journal_try
) {
1819 log_debug_errno(errno
, "Failed to symlink %s to %s, skipping journal setup: %m", q
, p
);
1822 log_error_errno(errno
, "Failed to symlink %s to %s: %m", q
, p
);
1827 r
= mkdir_p(q
, 0755);
1829 log_warning_errno(errno
, "Failed to create directory %s: %m", q
);
1833 if (arg_link_journal
== LINK_HOST
) {
1834 /* don't create parents here -- if the host doesn't have
1835 * permanent journal set up, don't force it here */
1838 if (arg_link_journal_try
) {
1839 log_debug_errno(errno
, "Failed to create %s, skipping journal setup: %m", p
);
1842 log_error_errno(errno
, "Failed to create %s: %m", p
);
1847 } else if (access(p
, F_OK
) < 0)
1850 if (dir_is_empty(q
) == 0)
1851 log_warning("%s is not empty, proceeding anyway.", q
);
1853 r
= mkdir_p(q
, 0755);
1855 log_error_errno(errno
, "Failed to create %s: %m", q
);
1859 if (mount(p
, q
, "bind", MS_BIND
, NULL
) < 0)
1860 return log_error_errno(errno
, "Failed to bind mount journal from host into guest: %m");
1865 static int drop_capabilities(void) {
1866 return capability_bounding_set_drop(~arg_retain
, false);
1869 static int register_machine(pid_t pid
, int local_ifindex
) {
1870 _cleanup_bus_error_free_ sd_bus_error error
= SD_BUS_ERROR_NULL
;
1871 _cleanup_bus_close_unref_ sd_bus
*bus
= NULL
;
1877 r
= sd_bus_default_system(&bus
);
1879 return log_error_errno(r
, "Failed to open system bus: %m");
1881 if (arg_keep_unit
) {
1882 r
= sd_bus_call_method(
1884 "org.freedesktop.machine1",
1885 "/org/freedesktop/machine1",
1886 "org.freedesktop.machine1.Manager",
1887 "RegisterMachineWithNetwork",
1892 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid
),
1896 strempty(arg_directory
),
1897 local_ifindex
> 0 ? 1 : 0, local_ifindex
);
1899 _cleanup_bus_message_unref_ sd_bus_message
*m
= NULL
;
1901 r
= sd_bus_message_new_method_call(
1904 "org.freedesktop.machine1",
1905 "/org/freedesktop/machine1",
1906 "org.freedesktop.machine1.Manager",
1907 "CreateMachineWithNetwork");
1909 return log_error_errno(r
, "Failed to create message: %m");
1911 r
= sd_bus_message_append(
1915 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid
),
1919 strempty(arg_directory
),
1920 local_ifindex
> 0 ? 1 : 0, local_ifindex
);
1922 return log_error_errno(r
, "Failed to append message arguments: %m");
1924 r
= sd_bus_message_open_container(m
, 'a', "(sv)");
1926 return log_error_errno(r
, "Failed to open container: %m");
1928 if (!isempty(arg_slice
)) {
1929 r
= sd_bus_message_append(m
, "(sv)", "Slice", "s", arg_slice
);
1931 return log_error_errno(r
, "Failed to append slice: %m");
1934 r
= sd_bus_message_append(m
, "(sv)", "DevicePolicy", "s", "strict");
1936 return log_error_errno(r
, "Failed to add device policy: %m");
1938 r
= sd_bus_message_append(m
, "(sv)", "DeviceAllow", "a(ss)", 9,
1939 /* Allow the container to
1940 * access and create the API
1941 * device nodes, so that
1942 * PrivateDevices= in the
1943 * container can work
1948 "/dev/random", "rwm",
1949 "/dev/urandom", "rwm",
1951 "/dev/net/tun", "rwm",
1952 /* Allow the container
1953 * access to ptys. However,
1955 * container to ever create
1956 * these device nodes. */
1957 "/dev/pts/ptmx", "rw",
1960 return log_error_errno(r
, "Failed to add device whitelist: %m");
1962 r
= sd_bus_message_close_container(m
);
1964 return log_error_errno(r
, "Failed to close container: %m");
1966 r
= sd_bus_call(bus
, m
, 0, &error
, NULL
);
1970 log_error("Failed to register machine: %s", bus_error_message(&error
, r
));
1977 static int terminate_machine(pid_t pid
) {
1978 _cleanup_bus_error_free_ sd_bus_error error
= SD_BUS_ERROR_NULL
;
1979 _cleanup_bus_message_unref_ sd_bus_message
*reply
= NULL
;
1980 _cleanup_bus_close_unref_ sd_bus
*bus
= NULL
;
1987 r
= sd_bus_default_system(&bus
);
1989 return log_error_errno(r
, "Failed to open system bus: %m");
1991 r
= sd_bus_call_method(
1993 "org.freedesktop.machine1",
1994 "/org/freedesktop/machine1",
1995 "org.freedesktop.machine1.Manager",
2002 /* Note that the machine might already have been
2003 * cleaned up automatically, hence don't consider it a
2004 * failure if we cannot get the machine object. */
2005 log_debug("Failed to get machine: %s", bus_error_message(&error
, r
));
2009 r
= sd_bus_message_read(reply
, "o", &path
);
2011 return bus_log_parse_error(r
);
2013 r
= sd_bus_call_method(
2015 "org.freedesktop.machine1",
2017 "org.freedesktop.machine1.Machine",
2023 log_debug("Failed to terminate machine: %s", bus_error_message(&error
, r
));
2030 static int reset_audit_loginuid(void) {
2031 _cleanup_free_
char *p
= NULL
;
2034 if (arg_share_system
)
2037 r
= read_one_line_file("/proc/self/loginuid", &p
);
2041 return log_error_errno(r
, "Failed to read /proc/self/loginuid: %m");
2043 /* Already reset? */
2044 if (streq(p
, "4294967295"))
2047 r
= write_string_file("/proc/self/loginuid", "4294967295");
2049 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
2050 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2051 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2052 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2053 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r
));
2061 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
2062 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
2063 #define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
2065 static int generate_mac(struct ether_addr
*mac
, sd_id128_t hash_key
, uint64_t idx
) {
2071 l
= strlen(arg_machine
);
2072 sz
= sizeof(sd_id128_t
) + l
;
2078 /* fetch some persistent data unique to the host */
2079 r
= sd_id128_get_machine((sd_id128_t
*) v
);
2083 /* combine with some data unique (on this host) to this
2084 * container instance */
2085 i
= mempcpy(v
+ sizeof(sd_id128_t
), arg_machine
, l
);
2088 memcpy(i
, &idx
, sizeof(idx
));
2091 /* Let's hash the host machine ID plus the container name. We
2092 * use a fixed, but originally randomly created hash key here. */
2093 siphash24(result
, v
, sz
, hash_key
.bytes
);
2095 assert_cc(ETH_ALEN
<= sizeof(result
));
2096 memcpy(mac
->ether_addr_octet
, result
, ETH_ALEN
);
2098 /* see eth_random_addr in the kernel */
2099 mac
->ether_addr_octet
[0] &= 0xfe; /* clear multicast bit */
2100 mac
->ether_addr_octet
[0] |= 0x02; /* set local assignment bit (IEEE802) */
2105 static int setup_veth(pid_t pid
, char iface_name
[IFNAMSIZ
], int *ifi
) {
2106 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2107 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2108 struct ether_addr mac_host
, mac_container
;
2111 if (!arg_private_network
)
2114 if (!arg_network_veth
)
2117 /* Use two different interface name prefixes depending whether
2118 * we are in bridge mode or not. */
2119 snprintf(iface_name
, IFNAMSIZ
- 1, "%s-%s",
2120 arg_network_bridge
? "vb" : "ve", arg_machine
);
2122 r
= generate_mac(&mac_container
, CONTAINER_HASH_KEY
, 0);
2124 return log_error_errno(r
, "Failed to generate predictable MAC address for container side: %m");
2126 r
= generate_mac(&mac_host
, HOST_HASH_KEY
, 0);
2128 return log_error_errno(r
, "Failed to generate predictable MAC address for host side: %m");
2130 r
= sd_rtnl_open(&rtnl
, 0);
2132 return log_error_errno(r
, "Failed to connect to netlink: %m");
2134 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2136 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2138 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, iface_name
);
2140 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2142 r
= sd_rtnl_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac_host
);
2144 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2146 r
= sd_rtnl_message_open_container(m
, IFLA_LINKINFO
);
2148 return log_error_errno(r
, "Failed to open netlink container: %m");
2150 r
= sd_rtnl_message_open_container_union(m
, IFLA_INFO_DATA
, "veth");
2152 return log_error_errno(r
, "Failed to open netlink container: %m");
2154 r
= sd_rtnl_message_open_container(m
, VETH_INFO_PEER
);
2156 return log_error_errno(r
, "Failed to open netlink container: %m");
2158 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, "host0");
2160 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2162 r
= sd_rtnl_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac_container
);
2164 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2166 r
= sd_rtnl_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2168 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2170 r
= sd_rtnl_message_close_container(m
);
2172 return log_error_errno(r
, "Failed to close netlink container: %m");
2174 r
= sd_rtnl_message_close_container(m
);
2176 return log_error_errno(r
, "Failed to close netlink container: %m");
2178 r
= sd_rtnl_message_close_container(m
);
2180 return log_error_errno(r
, "Failed to close netlink container: %m");
2182 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2184 return log_error_errno(r
, "Failed to add new veth interfaces: %m");
2186 i
= (int) if_nametoindex(iface_name
);
2188 return log_error_errno(errno
, "Failed to resolve interface %s: %m", iface_name
);
2195 static int setup_bridge(const char veth_name
[], int *ifi
) {
2196 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2197 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2200 if (!arg_private_network
)
2203 if (!arg_network_veth
)
2206 if (!arg_network_bridge
)
2209 bridge
= (int) if_nametoindex(arg_network_bridge
);
2211 return log_error_errno(errno
, "Failed to resolve interface %s: %m", arg_network_bridge
);
2215 r
= sd_rtnl_open(&rtnl
, 0);
2217 return log_error_errno(r
, "Failed to connect to netlink: %m");
2219 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, 0);
2221 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2223 r
= sd_rtnl_message_link_set_flags(m
, IFF_UP
, IFF_UP
);
2225 return log_error_errno(r
, "Failed to set IFF_UP flag: %m");
2227 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, veth_name
);
2229 return log_error_errno(r
, "Failed to add netlink interface name field: %m");
2231 r
= sd_rtnl_message_append_u32(m
, IFLA_MASTER
, bridge
);
2233 return log_error_errno(r
, "Failed to add netlink master field: %m");
2235 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2237 return log_error_errno(r
, "Failed to add veth interface to bridge: %m");
2242 static int parse_interface(struct udev
*udev
, const char *name
) {
2243 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
2244 char ifi_str
[2 + DECIMAL_STR_MAX(int)];
2247 ifi
= (int) if_nametoindex(name
);
2249 return log_error_errno(errno
, "Failed to resolve interface %s: %m", name
);
2251 sprintf(ifi_str
, "n%i", ifi
);
2252 d
= udev_device_new_from_device_id(udev
, ifi_str
);
2254 return log_error_errno(errno
, "Failed to get udev device for interface %s: %m", name
);
2256 if (udev_device_get_is_initialized(d
) <= 0) {
2257 log_error("Network interface %s is not initialized yet.", name
);
2264 static int move_network_interfaces(pid_t pid
) {
2265 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2266 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2270 if (!arg_private_network
)
2273 if (strv_isempty(arg_network_interfaces
))
2276 r
= sd_rtnl_open(&rtnl
, 0);
2278 return log_error_errno(r
, "Failed to connect to netlink: %m");
2282 log_error("Failed to connect to udev.");
2286 STRV_FOREACH(i
, arg_network_interfaces
) {
2287 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2290 ifi
= parse_interface(udev
, *i
);
2294 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, ifi
);
2296 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2298 r
= sd_rtnl_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2300 return log_error_errno(r
, "Failed to append namespace PID to netlink message: %m");
2302 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2304 return log_error_errno(r
, "Failed to move interface %s to namespace: %m", *i
);
2310 static int setup_macvlan(pid_t pid
) {
2311 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2312 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2317 if (!arg_private_network
)
2320 if (strv_isempty(arg_network_macvlan
))
2323 r
= sd_rtnl_open(&rtnl
, 0);
2325 return log_error_errno(r
, "Failed to connect to netlink: %m");
2329 log_error("Failed to connect to udev.");
2333 STRV_FOREACH(i
, arg_network_macvlan
) {
2334 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2335 _cleanup_free_
char *n
= NULL
;
2336 struct ether_addr mac
;
2339 ifi
= parse_interface(udev
, *i
);
2343 r
= generate_mac(&mac
, MACVLAN_HASH_KEY
, idx
++);
2345 return log_error_errno(r
, "Failed to create MACVLAN MAC address: %m");
2347 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2349 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2351 r
= sd_rtnl_message_append_u32(m
, IFLA_LINK
, ifi
);
2353 return log_error_errno(r
, "Failed to add netlink interface index: %m");
2355 n
= strappend("mv-", *i
);
2359 strshorten(n
, IFNAMSIZ
-1);
2361 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, n
);
2363 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2365 r
= sd_rtnl_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac
);
2367 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2369 r
= sd_rtnl_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2371 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2373 r
= sd_rtnl_message_open_container(m
, IFLA_LINKINFO
);
2375 return log_error_errno(r
, "Failed to open netlink container: %m");
2377 r
= sd_rtnl_message_open_container_union(m
, IFLA_INFO_DATA
, "macvlan");
2379 return log_error_errno(r
, "Failed to open netlink container: %m");
2381 r
= sd_rtnl_message_append_u32(m
, IFLA_MACVLAN_MODE
, MACVLAN_MODE_BRIDGE
);
2383 return log_error_errno(r
, "Failed to append macvlan mode: %m");
2385 r
= sd_rtnl_message_close_container(m
);
2387 return log_error_errno(r
, "Failed to close netlink container: %m");
2389 r
= sd_rtnl_message_close_container(m
);
2391 return log_error_errno(r
, "Failed to close netlink container: %m");
2393 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2395 return log_error_errno(r
, "Failed to add new macvlan interfaces: %m");
2401 static int setup_ipvlan(pid_t pid
) {
2402 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2403 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2407 if (!arg_private_network
)
2410 if (strv_isempty(arg_network_ipvlan
))
2413 r
= sd_rtnl_open(&rtnl
, 0);
2415 return log_error_errno(r
, "Failed to connect to netlink: %m");
2419 log_error("Failed to connect to udev.");
2423 STRV_FOREACH(i
, arg_network_ipvlan
) {
2424 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2425 _cleanup_free_
char *n
= NULL
;
2428 ifi
= parse_interface(udev
, *i
);
2432 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2434 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2436 r
= sd_rtnl_message_append_u32(m
, IFLA_LINK
, ifi
);
2438 return log_error_errno(r
, "Failed to add netlink interface index: %m");
2440 n
= strappend("iv-", *i
);
2444 strshorten(n
, IFNAMSIZ
-1);
2446 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, n
);
2448 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2450 r
= sd_rtnl_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2452 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2454 r
= sd_rtnl_message_open_container(m
, IFLA_LINKINFO
);
2456 return log_error_errno(r
, "Failed to open netlink container: %m");
2458 r
= sd_rtnl_message_open_container_union(m
, IFLA_INFO_DATA
, "ipvlan");
2460 return log_error_errno(r
, "Failed to open netlink container: %m");
2462 r
= sd_rtnl_message_append_u16(m
, IFLA_IPVLAN_MODE
, IPVLAN_MODE_L2
);
2464 return log_error_errno(r
, "Failed to add ipvlan mode: %m");
2466 r
= sd_rtnl_message_close_container(m
);
2468 return log_error_errno(r
, "Failed to close netlink container: %m");
2470 r
= sd_rtnl_message_close_container(m
);
2472 return log_error_errno(r
, "Failed to close netlink container: %m");
2474 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2476 return log_error_errno(r
, "Failed to add new ipvlan interfaces: %m");
2482 static int setup_seccomp(void) {
2485 static const int blacklist
[] = {
2486 SCMP_SYS(kexec_load
),
2487 SCMP_SYS(open_by_handle_at
),
2494 static const int kmod_blacklist
[] = {
2495 SCMP_SYS(init_module
),
2496 SCMP_SYS(finit_module
),
2497 SCMP_SYS(delete_module
),
2500 scmp_filter_ctx seccomp
;
2504 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
2508 r
= seccomp_add_secondary_archs(seccomp
);
2510 log_error_errno(r
, "Failed to add secondary archs to seccomp filter: %m");
2514 for (i
= 0; i
< ELEMENTSOF(blacklist
); i
++) {
2515 r
= seccomp_rule_add(seccomp
, SCMP_ACT_ERRNO(EPERM
), blacklist
[i
], 0);
2517 continue; /* unknown syscall */
2519 log_error_errno(r
, "Failed to block syscall: %m");
2524 /* If the CAP_SYS_MODULE capability is not requested then
2525 * we'll block the kmod syscalls too */
2526 if (!(arg_retain
& (1ULL << CAP_SYS_MODULE
))) {
2527 for (i
= 0; i
< ELEMENTSOF(kmod_blacklist
); i
++) {
2528 r
= seccomp_rule_add(seccomp
, SCMP_ACT_ERRNO(EPERM
), kmod_blacklist
[i
], 0);
2530 continue; /* unknown syscall */
2532 log_error_errno(r
, "Failed to block syscall: %m");
2539 Audit is broken in containers, much of the userspace audit
2540 hookup will fail if running inside a container. We don't
2541 care and just turn off creation of audit sockets.
2543 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
2544 with EAFNOSUPPORT which audit userspace uses as indication
2545 that audit is disabled in the kernel.
2548 r
= seccomp_rule_add(
2550 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
2553 SCMP_A0(SCMP_CMP_EQ
, AF_NETLINK
),
2554 SCMP_A2(SCMP_CMP_EQ
, NETLINK_AUDIT
));
2556 log_error_errno(r
, "Failed to add audit seccomp rule: %m");
2560 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
2562 log_error_errno(r
, "Failed to unset NO_NEW_PRIVS: %m");
2566 r
= seccomp_load(seccomp
);
2568 log_error_errno(r
, "Failed to install seccomp audit filter: %m");
2571 seccomp_release(seccomp
);
2579 static int setup_propagate(const char *root
) {
2582 (void) mkdir_p("/run/systemd/nspawn/", 0755);
2583 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
2584 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
2585 (void) mkdir_p(p
, 0600);
2587 q
= strjoina(root
, "/run/systemd/nspawn/incoming");
2588 mkdir_parents(q
, 0755);
2591 if (mount(p
, q
, NULL
, MS_BIND
, NULL
) < 0)
2592 return log_error_errno(errno
, "Failed to install propagation bind mount.");
2594 if (mount(NULL
, q
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
) < 0)
2595 return log_error_errno(errno
, "Failed to make propagation mount read-only");
2600 static int setup_image(char **device_path
, int *loop_nr
) {
2601 struct loop_info64 info
= {
2602 .lo_flags
= LO_FLAGS_AUTOCLEAR
|LO_FLAGS_PARTSCAN
2604 _cleanup_close_
int fd
= -1, control
= -1, loop
= -1;
2605 _cleanup_free_
char* loopdev
= NULL
;
2609 assert(device_path
);
2613 fd
= open(arg_image
, O_CLOEXEC
|(arg_read_only
? O_RDONLY
: O_RDWR
)|O_NONBLOCK
|O_NOCTTY
);
2615 return log_error_errno(errno
, "Failed to open %s: %m", arg_image
);
2617 if (fstat(fd
, &st
) < 0)
2618 return log_error_errno(errno
, "Failed to stat %s: %m", arg_image
);
2620 if (S_ISBLK(st
.st_mode
)) {
2623 p
= strdup(arg_image
);
2637 if (!S_ISREG(st
.st_mode
)) {
2638 log_error_errno(errno
, "%s is not a regular file or block device: %m", arg_image
);
2642 control
= open("/dev/loop-control", O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
);
2644 return log_error_errno(errno
, "Failed to open /dev/loop-control: %m");
2646 nr
= ioctl(control
, LOOP_CTL_GET_FREE
);
2648 return log_error_errno(errno
, "Failed to allocate loop device: %m");
2650 if (asprintf(&loopdev
, "/dev/loop%i", nr
) < 0)
2653 loop
= open(loopdev
, O_CLOEXEC
|(arg_read_only
? O_RDONLY
: O_RDWR
)|O_NONBLOCK
|O_NOCTTY
);
2655 return log_error_errno(errno
, "Failed to open loop device %s: %m", loopdev
);
2657 if (ioctl(loop
, LOOP_SET_FD
, fd
) < 0)
2658 return log_error_errno(errno
, "Failed to set loopback file descriptor on %s: %m", loopdev
);
2661 info
.lo_flags
|= LO_FLAGS_READ_ONLY
;
2663 if (ioctl(loop
, LOOP_SET_STATUS64
, &info
) < 0)
2664 return log_error_errno(errno
, "Failed to set loopback settings on %s: %m", loopdev
);
2666 *device_path
= loopdev
;
2677 #define PARTITION_TABLE_BLURB \
2678 "Note that the disk image needs to either contain only a single MBR partition of\n" \
2679 "type 0x83 that is marked bootable, or a sinlge GPT partition of type" \
2680 "0FC63DAF-8483-4772-8E79-3D69D8477DE4 or follow\n" \
2681 " http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n" \
2682 "to be bootable with systemd-nspawn."
2684 static int dissect_image(
2686 char **root_device
, bool *root_device_rw
,
2687 char **home_device
, bool *home_device_rw
,
2688 char **srv_device
, bool *srv_device_rw
,
2692 int home_nr
= -1, srv_nr
= -1;
2693 #ifdef GPT_ROOT_NATIVE
2696 #ifdef GPT_ROOT_SECONDARY
2697 int secondary_root_nr
= -1;
2699 _cleanup_free_
char *home
= NULL
, *root
= NULL
, *secondary_root
= NULL
, *srv
= NULL
, *generic
= NULL
;
2700 _cleanup_udev_enumerate_unref_
struct udev_enumerate
*e
= NULL
;
2701 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
2702 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
2703 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2704 struct udev_list_entry
*first
, *item
;
2705 bool home_rw
= true, root_rw
= true, secondary_root_rw
= true, srv_rw
= true, generic_rw
= true;
2706 bool is_gpt
, is_mbr
, multiple_generic
= false;
2707 const char *pttype
= NULL
;
2714 assert(root_device
);
2715 assert(home_device
);
2720 b
= blkid_new_probe();
2725 r
= blkid_probe_set_device(b
, fd
, 0, 0);
2730 log_error_errno(errno
, "Failed to set device on blkid probe: %m");
2734 blkid_probe_enable_partitions(b
, 1);
2735 blkid_probe_set_partitions_flags(b
, BLKID_PARTS_ENTRY_DETAILS
);
2738 r
= blkid_do_safeprobe(b
);
2739 if (r
== -2 || r
== 1) {
2740 log_error("Failed to identify any partition table on\n"
2742 PARTITION_TABLE_BLURB
, arg_image
);
2744 } else if (r
!= 0) {
2747 log_error_errno(errno
, "Failed to probe: %m");
2751 blkid_probe_lookup_value(b
, "PTTYPE", &pttype
, NULL
);
2753 is_gpt
= streq_ptr(pttype
, "gpt");
2754 is_mbr
= streq_ptr(pttype
, "dos");
2756 if (!is_gpt
&& !is_mbr
) {
2757 log_error("No GPT or MBR partition table discovered on\n"
2759 PARTITION_TABLE_BLURB
, arg_image
);
2764 pl
= blkid_probe_get_partitions(b
);
2769 log_error("Failed to list partitions of %s", arg_image
);
2777 if (fstat(fd
, &st
) < 0)
2778 return log_error_errno(errno
, "Failed to stat block device: %m");
2780 d
= udev_device_new_from_devnum(udev
, 'b', st
.st_rdev
);
2788 log_error("Kernel partitions never appeared.");
2792 e
= udev_enumerate_new(udev
);
2796 r
= udev_enumerate_add_match_parent(e
, d
);
2800 r
= udev_enumerate_scan_devices(e
);
2802 return log_error_errno(r
, "Failed to scan for partition devices of %s: %m", arg_image
);
2804 /* Count the partitions enumerated by the kernel */
2806 first
= udev_enumerate_get_list_entry(e
);
2807 udev_list_entry_foreach(item
, first
)
2810 /* Count the partitions enumerated by blkid */
2811 m
= blkid_partlist_numof_partitions(pl
);
2815 log_error("blkid and kernel partition list do not match.");
2821 /* The kernel has probed fewer partitions than
2822 * blkid? Maybe the kernel prober is still
2823 * running or it got EBUSY because udev
2824 * already opened the device. Let's reprobe
2825 * the device, which is a synchronous call
2826 * that waits until probing is complete. */
2828 for (j
= 0; j
< 20; j
++) {
2830 r
= ioctl(fd
, BLKRRPART
, 0);
2833 if (r
>= 0 || r
!= -EBUSY
)
2836 /* If something else has the device
2837 * open, such as an udev rule, the
2838 * ioctl will return EBUSY. Since
2839 * there's no way to wait until it
2840 * isn't busy anymore, let's just wait
2841 * a bit, and try again.
2843 * This is really something they
2844 * should fix in the kernel! */
2846 usleep(50 * USEC_PER_MSEC
);
2850 return log_error_errno(r
, "Failed to reread partition table: %m");
2853 e
= udev_enumerate_unref(e
);
2856 first
= udev_enumerate_get_list_entry(e
);
2857 udev_list_entry_foreach(item
, first
) {
2858 _cleanup_udev_device_unref_
struct udev_device
*q
;
2860 unsigned long long flags
;
2866 q
= udev_device_new_from_syspath(udev
, udev_list_entry_get_name(item
));
2871 log_error_errno(errno
, "Failed to get partition device of %s: %m", arg_image
);
2875 qn
= udev_device_get_devnum(q
);
2879 if (st
.st_rdev
== qn
)
2882 node
= udev_device_get_devnode(q
);
2886 pp
= blkid_partlist_devno_to_partition(pl
, qn
);
2890 flags
= blkid_partition_get_flags(pp
);
2892 nr
= blkid_partition_get_partno(pp
);
2900 if (flags
& GPT_FLAG_NO_AUTO
)
2903 stype
= blkid_partition_get_type_string(pp
);
2907 if (sd_id128_from_string(stype
, &type_id
) < 0)
2910 if (sd_id128_equal(type_id
, GPT_HOME
)) {
2912 if (home
&& nr
>= home_nr
)
2916 home_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
2918 r
= free_and_strdup(&home
, node
);
2922 } else if (sd_id128_equal(type_id
, GPT_SRV
)) {
2924 if (srv
&& nr
>= srv_nr
)
2928 srv_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
2930 r
= free_and_strdup(&srv
, node
);
2934 #ifdef GPT_ROOT_NATIVE
2935 else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE
)) {
2937 if (root
&& nr
>= root_nr
)
2941 root_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
2943 r
= free_and_strdup(&root
, node
);
2948 #ifdef GPT_ROOT_SECONDARY
2949 else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY
)) {
2951 if (secondary_root
&& nr
>= secondary_root_nr
)
2954 secondary_root_nr
= nr
;
2955 secondary_root_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
2957 r
= free_and_strdup(&secondary_root
, node
);
2962 else if (sd_id128_equal(type_id
, GPT_LINUX_GENERIC
)) {
2965 multiple_generic
= true;
2967 generic_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
2969 r
= free_and_strdup(&generic
, node
);
2975 } else if (is_mbr
) {
2978 if (flags
!= 0x80) /* Bootable flag */
2981 type
= blkid_partition_get_type(pp
);
2982 if (type
!= 0x83) /* Linux partition */
2986 multiple_generic
= true;
2990 r
= free_and_strdup(&root
, node
);
2998 *root_device
= root
;
3001 *root_device_rw
= root_rw
;
3003 } else if (secondary_root
) {
3004 *root_device
= secondary_root
;
3005 secondary_root
= NULL
;
3007 *root_device_rw
= secondary_root_rw
;
3009 } else if (generic
) {
3011 /* There were no partitions with precise meanings
3012 * around, but we found generic partitions. In this
3013 * case, if there's only one, we can go ahead and boot
3014 * it, otherwise we bail out, because we really cannot
3015 * make any sense of it. */
3017 if (multiple_generic
) {
3018 log_error("Identified multiple bootable Linux partitions on\n"
3020 PARTITION_TABLE_BLURB
, arg_image
);
3024 *root_device
= generic
;
3027 *root_device_rw
= generic_rw
;
3030 log_error("Failed to identify root partition in disk image\n"
3032 PARTITION_TABLE_BLURB
, arg_image
);
3037 *home_device
= home
;
3040 *home_device_rw
= home_rw
;
3047 *srv_device_rw
= srv_rw
;
3052 log_error("--image= is not supported, compiled without blkid support.");
3057 static int mount_device(const char *what
, const char *where
, const char *directory
, bool rw
) {
3059 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
3060 const char *fstype
, *p
;
3070 p
= strjoina(where
, directory
);
3075 b
= blkid_new_probe_from_filename(what
);
3079 log_error_errno(errno
, "Failed to allocate prober for %s: %m", what
);
3083 blkid_probe_enable_superblocks(b
, 1);
3084 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
);
3087 r
= blkid_do_safeprobe(b
);
3088 if (r
== -1 || r
== 1) {
3089 log_error("Cannot determine file system type of %s", what
);
3091 } else if (r
!= 0) {
3094 log_error_errno(errno
, "Failed to probe %s: %m", what
);
3099 if (blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
) < 0) {
3102 log_error("Failed to determine file system type of %s", what
);
3106 if (streq(fstype
, "crypto_LUKS")) {
3107 log_error("nspawn currently does not support LUKS disk images.");
3111 if (mount(what
, p
, fstype
, MS_NODEV
|(rw
? 0 : MS_RDONLY
), NULL
) < 0)
3112 return log_error_errno(errno
, "Failed to mount %s: %m", what
);
3116 log_error("--image= is not supported, compiled without blkid support.");
3121 static int mount_devices(
3123 const char *root_device
, bool root_device_rw
,
3124 const char *home_device
, bool home_device_rw
,
3125 const char *srv_device
, bool srv_device_rw
) {
3131 r
= mount_device(root_device
, arg_directory
, NULL
, root_device_rw
);
3133 return log_error_errno(r
, "Failed to mount root directory: %m");
3137 r
= mount_device(home_device
, arg_directory
, "/home", home_device_rw
);
3139 return log_error_errno(r
, "Failed to mount home directory: %m");
3143 r
= mount_device(srv_device
, arg_directory
, "/srv", srv_device_rw
);
3145 return log_error_errno(r
, "Failed to mount server data directory: %m");
3151 static void loop_remove(int nr
, int *image_fd
) {
3152 _cleanup_close_
int control
= -1;
3158 if (image_fd
&& *image_fd
>= 0) {
3159 r
= ioctl(*image_fd
, LOOP_CLR_FD
);
3161 log_debug_errno(errno
, "Failed to close loop image: %m");
3162 *image_fd
= safe_close(*image_fd
);
3165 control
= open("/dev/loop-control", O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
);
3167 log_warning_errno(errno
, "Failed to open /dev/loop-control: %m");
3171 r
= ioctl(control
, LOOP_CTL_REMOVE
, nr
);
3173 log_debug_errno(errno
, "Failed to remove loop %d: %m", nr
);
3176 static int spawn_getent(const char *database
, const char *key
, pid_t
*rpid
) {
3184 if (pipe2(pipe_fds
, O_CLOEXEC
) < 0)
3185 return log_error_errno(errno
, "Failed to allocate pipe: %m");
3189 return log_error_errno(errno
, "Failed to fork getent child: %m");
3190 else if (pid
== 0) {
3192 char *empty_env
= NULL
;
3194 if (dup3(pipe_fds
[1], STDOUT_FILENO
, 0) < 0)
3195 _exit(EXIT_FAILURE
);
3197 if (pipe_fds
[0] > 2)
3198 safe_close(pipe_fds
[0]);
3199 if (pipe_fds
[1] > 2)
3200 safe_close(pipe_fds
[1]);
3202 nullfd
= open("/dev/null", O_RDWR
);
3204 _exit(EXIT_FAILURE
);
3206 if (dup3(nullfd
, STDIN_FILENO
, 0) < 0)
3207 _exit(EXIT_FAILURE
);
3209 if (dup3(nullfd
, STDERR_FILENO
, 0) < 0)
3210 _exit(EXIT_FAILURE
);
3215 reset_all_signal_handlers();
3216 close_all_fds(NULL
, 0);
3218 execle("/usr/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
3219 execle("/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
3220 _exit(EXIT_FAILURE
);
3223 pipe_fds
[1] = safe_close(pipe_fds
[1]);
3230 static int change_uid_gid(char **_home
) {
3231 char line
[LINE_MAX
], *x
, *u
, *g
, *h
;
3232 const char *word
, *state
;
3233 _cleanup_free_ uid_t
*uids
= NULL
;
3234 _cleanup_free_
char *home
= NULL
;
3235 _cleanup_fclose_
FILE *f
= NULL
;
3236 _cleanup_close_
int fd
= -1;
3237 unsigned n_uids
= 0;
3246 if (!arg_user
|| streq(arg_user
, "root") || streq(arg_user
, "0")) {
3247 /* Reset everything fully to 0, just in case */
3249 if (setgroups(0, NULL
) < 0)
3250 return log_error_errno(errno
, "setgroups() failed: %m");
3252 if (setresgid(0, 0, 0) < 0)
3253 return log_error_errno(errno
, "setregid() failed: %m");
3255 if (setresuid(0, 0, 0) < 0)
3256 return log_error_errno(errno
, "setreuid() failed: %m");
3262 /* First, get user credentials */
3263 fd
= spawn_getent("passwd", arg_user
, &pid
);
3267 f
= fdopen(fd
, "r");
3272 if (!fgets(line
, sizeof(line
), f
)) {
3275 log_error("Failed to resolve user %s.", arg_user
);
3279 log_error_errno(errno
, "Failed to read from getent: %m");
3285 wait_for_terminate_and_warn("getent passwd", pid
, true);
3287 x
= strchr(line
, ':');
3289 log_error("/etc/passwd entry has invalid user field.");
3293 u
= strchr(x
+1, ':');
3295 log_error("/etc/passwd entry has invalid password field.");
3302 log_error("/etc/passwd entry has invalid UID field.");
3310 log_error("/etc/passwd entry has invalid GID field.");
3315 h
= strchr(x
+1, ':');
3317 log_error("/etc/passwd entry has invalid GECOS field.");
3324 log_error("/etc/passwd entry has invalid home directory field.");
3330 r
= parse_uid(u
, &uid
);
3332 log_error("Failed to parse UID of user.");
3336 r
= parse_gid(g
, &gid
);
3338 log_error("Failed to parse GID of user.");
3346 /* Second, get group memberships */
3347 fd
= spawn_getent("initgroups", arg_user
, &pid
);
3352 f
= fdopen(fd
, "r");
3357 if (!fgets(line
, sizeof(line
), f
)) {
3359 log_error("Failed to resolve user %s.", arg_user
);
3363 log_error_errno(errno
, "Failed to read from getent: %m");
3369 wait_for_terminate_and_warn("getent initgroups", pid
, true);
3371 /* Skip over the username and subsequent separator whitespace */
3373 x
+= strcspn(x
, WHITESPACE
);
3374 x
+= strspn(x
, WHITESPACE
);
3376 FOREACH_WORD(word
, l
, x
, state
) {
3382 if (!GREEDY_REALLOC(uids
, sz
, n_uids
+1))
3385 r
= parse_uid(c
, &uids
[n_uids
++]);
3387 log_error("Failed to parse group data from getent.");
3392 r
= mkdir_parents(home
, 0775);
3394 return log_error_errno(r
, "Failed to make home root directory: %m");
3396 r
= mkdir_safe(home
, 0755, uid
, gid
);
3397 if (r
< 0 && r
!= -EEXIST
)
3398 return log_error_errno(r
, "Failed to make home directory: %m");
3400 fchown(STDIN_FILENO
, uid
, gid
);
3401 fchown(STDOUT_FILENO
, uid
, gid
);
3402 fchown(STDERR_FILENO
, uid
, gid
);
3404 if (setgroups(n_uids
, uids
) < 0)
3405 return log_error_errno(errno
, "Failed to set auxiliary groups: %m");
3407 if (setresgid(gid
, gid
, gid
) < 0)
3408 return log_error_errno(errno
, "setregid() failed: %m");
3410 if (setresuid(uid
, uid
, uid
) < 0)
3411 return log_error_errno(errno
, "setreuid() failed: %m");
3423 * < 0 : wait_for_terminate() failed to get the state of the
3424 * container, the container was terminated by a signal, or
3425 * failed for an unknown reason. No change is made to the
3426 * container argument.
3427 * > 0 : The program executed in the container terminated with an
3428 * error. The exit code of the program executed in the
3429 * container is returned. The container argument has been set
3430 * to CONTAINER_TERMINATED.
3431 * 0 : The container is being rebooted, has been shut down or exited
3432 * successfully. The container argument has been set to either
3433 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
3435 * That is, success is indicated by a return value of zero, and an
3436 * error is indicated by a non-zero value.
3438 static int wait_for_container(pid_t pid
, ContainerStatus
*container
) {
3442 r
= wait_for_terminate(pid
, &status
);
3444 return log_warning_errno(r
, "Failed to wait for container: %m");
3446 switch (status
.si_code
) {
3449 if (status
.si_status
== 0) {
3450 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s exited successfully.", arg_machine
);
3453 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s failed with error code %i.", arg_machine
, status
.si_status
);
3455 *container
= CONTAINER_TERMINATED
;
3456 return status
.si_status
;
3459 if (status
.si_status
== SIGINT
) {
3461 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s has been shut down.", arg_machine
);
3462 *container
= CONTAINER_TERMINATED
;
3465 } else if (status
.si_status
== SIGHUP
) {
3467 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s is being rebooted.", arg_machine
);
3468 *container
= CONTAINER_REBOOTED
;
3472 /* CLD_KILLED fallthrough */
3475 log_error("Container %s terminated by signal %s.", arg_machine
, signal_to_string(status
.si_status
));
3479 log_error("Container %s failed due to unknown reason.", arg_machine
);
3486 static void nop_handler(int sig
) {}
3488 static int on_orderly_shutdown(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
3491 pid
= PTR_TO_UINT32(userdata
);
3493 if (kill(pid
, SIGRTMIN
+3) >= 0) {
3494 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
3495 sd_event_source_set_userdata(s
, NULL
);
3500 sd_event_exit(sd_event_source_get_event(s
), 0);
3504 static int determine_names(void) {
3507 if (!arg_image
&& !arg_directory
) {
3509 _cleanup_(image_unrefp
) Image
*i
= NULL
;
3511 r
= image_find(arg_machine
, &i
);
3513 return log_error_errno(r
, "Failed to find image for machine '%s': %m", arg_machine
);
3515 log_error("No image for machine '%s': %m", arg_machine
);
3519 if (i
->type
== IMAGE_RAW
)
3520 r
= set_sanitized_path(&arg_image
, i
->path
);
3522 r
= set_sanitized_path(&arg_directory
, i
->path
);
3524 return log_error_errno(r
, "Invalid image directory: %m");
3526 arg_read_only
= arg_read_only
|| i
->read_only
;
3528 arg_directory
= get_current_dir_name();
3530 if (!arg_directory
&& !arg_machine
) {
3531 log_error("Failed to determine path, please use -D or -i.");
3537 if (arg_directory
&& path_equal(arg_directory
, "/"))
3538 arg_machine
= gethostname_malloc();
3540 arg_machine
= strdup(basename(arg_image
?: arg_directory
));
3545 hostname_cleanup(arg_machine
, false);
3546 if (!machine_name_is_valid(arg_machine
)) {
3547 log_error("Failed to determine machine name automatically, please use -M.");
3551 if (arg_ephemeral
) {
3554 /* Add a random suffix when this is an
3555 * ephemeral machine, so that we can run many
3556 * instances at once without manually having
3557 * to specify -M each time. */
3559 if (asprintf(&b
, "%s-%016" PRIx64
, arg_machine
, random_u64()) < 0)
3570 int main(int argc
, char *argv
[]) {
3572 _cleanup_free_
char *device_path
= NULL
, *root_device
= NULL
, *home_device
= NULL
, *srv_device
= NULL
, *console
= NULL
;
3573 bool root_device_rw
= true, home_device_rw
= true, srv_device_rw
= true;
3574 _cleanup_close_
int master
= -1, image_fd
= -1;
3575 _cleanup_fdset_free_ FDSet
*fds
= NULL
;
3576 int r
, n_fd_passed
, loop_nr
= -1;
3577 char veth_name
[IFNAMSIZ
];
3578 bool secondary
= false, remove_subvol
= false;
3579 sigset_t mask
, mask_chld
;
3581 int ret
= EXIT_SUCCESS
;
3582 union in_addr_union exposed
= {};
3583 _cleanup_release_lock_file_ LockFile tree_global_lock
= LOCK_FILE_INIT
, tree_local_lock
= LOCK_FILE_INIT
;
3585 log_parse_environment();
3588 r
= parse_argv(argc
, argv
);
3592 r
= determine_names();
3596 if (geteuid() != 0) {
3597 log_error("Need to be root.");
3602 if (sd_booted() <= 0) {
3603 log_error("Not running on a systemd system.");
3609 n_fd_passed
= sd_listen_fds(false);
3610 if (n_fd_passed
> 0) {
3611 r
= fdset_new_listen_fds(&fds
, false);
3613 log_error_errno(r
, "Failed to collect file descriptors: %m");
3617 fdset_close_others(fds
);
3620 if (arg_directory
) {
3623 if (path_equal(arg_directory
, "/") && !arg_ephemeral
) {
3624 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
3629 if (arg_ephemeral
) {
3632 /* If the specified path is a mount point we
3633 * generate the new snapshot immediately
3634 * inside it under a random name. However if
3635 * the specified is not a mount point we
3636 * create the new snapshot in the parent
3637 * directory, just next to it. */
3638 r
= path_is_mount_point(arg_directory
, false);
3640 log_error_errno(r
, "Failed to determine whether directory %s is mount point: %m", arg_directory
);
3644 r
= tempfn_random_child(arg_directory
, &np
);
3646 r
= tempfn_random(arg_directory
, &np
);
3648 log_error_errno(r
, "Failed to generate name for snapshot: %m");
3652 r
= image_path_lock(np
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3654 log_error_errno(r
, "Failed to lock %s: %m", np
);
3658 r
= btrfs_subvol_snapshot(arg_directory
, np
, arg_read_only
, true);
3661 log_error_errno(r
, "Failed to create snapshot %s from %s: %m", np
, arg_directory
);
3665 free(arg_directory
);
3668 remove_subvol
= true;
3671 r
= image_path_lock(arg_directory
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3673 log_error_errno(r
, "Directory tree %s is currently busy.", arg_directory
);
3677 log_error_errno(r
, "Failed to lock %s: %m", arg_directory
);
3682 r
= btrfs_subvol_snapshot(arg_template
, arg_directory
, arg_read_only
, true);
3685 log_info("Directory %s already exists, not populating from template %s.", arg_directory
, arg_template
);
3687 log_error_errno(r
, "Couldn't create snapshot %s from %s: %m", arg_directory
, arg_template
);
3691 log_info("Populated %s from template %s.", arg_directory
, arg_template
);
3697 if (path_is_os_tree(arg_directory
) <= 0) {
3698 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory
);
3705 p
= strjoina(arg_directory
,
3706 argc
> optind
&& path_is_absolute(argv
[optind
]) ? argv
[optind
] : "/usr/bin/");
3707 if (access(p
, F_OK
) < 0) {
3708 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory
);
3715 char template[] = "/tmp/nspawn-root-XXXXXX";
3718 assert(!arg_template
);
3720 r
= image_path_lock(arg_image
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3722 r
= log_error_errno(r
, "Disk image %s is currently busy.", arg_image
);
3726 r
= log_error_errno(r
, "Failed to create image lock: %m");
3730 if (!mkdtemp(template)) {
3731 log_error_errno(errno
, "Failed to create temporary directory: %m");
3736 arg_directory
= strdup(template);
3737 if (!arg_directory
) {
3742 image_fd
= setup_image(&device_path
, &loop_nr
);
3748 r
= dissect_image(image_fd
,
3749 &root_device
, &root_device_rw
,
3750 &home_device
, &home_device_rw
,
3751 &srv_device
, &srv_device_rw
,
3757 master
= posix_openpt(O_RDWR
|O_NOCTTY
|O_CLOEXEC
|O_NDELAY
);
3759 r
= log_error_errno(errno
, "Failed to acquire pseudo tty: %m");
3763 r
= ptsname_malloc(master
, &console
);
3765 r
= log_error_errno(r
, "Failed to determine tty name: %m");
3770 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3771 arg_machine
, arg_image
?: arg_directory
);
3773 if (unlockpt(master
) < 0) {
3774 r
= log_error_errno(errno
, "Failed to unlock tty: %m");
3778 assert_se(sigemptyset(&mask
) == 0);
3779 sigset_add_many(&mask
, SIGCHLD
, SIGWINCH
, SIGTERM
, SIGINT
, -1);
3780 assert_se(sigprocmask(SIG_BLOCK
, &mask
, NULL
) == 0);
3782 assert_se(sigemptyset(&mask_chld
) == 0);
3783 assert_se(sigaddset(&mask_chld
, SIGCHLD
) == 0);
3786 _cleanup_close_pair_
int kmsg_socket_pair
[2] = { -1, -1 }, rtnl_socket_pair
[2] = { -1, -1 };
3787 ContainerStatus container_status
;
3788 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
3789 struct sigaction sa
= {
3790 .sa_handler
= nop_handler
,
3791 .sa_flags
= SA_NOCLDSTOP
,
3794 r
= barrier_create(&barrier
);
3796 log_error_errno(r
, "Cannot initialize IPC barrier: %m");
3800 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, kmsg_socket_pair
) < 0) {
3801 r
= log_error_errno(errno
, "Failed to create kmsg socket pair: %m");
3805 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, rtnl_socket_pair
) < 0) {
3806 r
= log_error_errno(errno
, "Failed to create rtnl socket pair: %m");
3810 /* Child can be killed before execv(), so handle SIGCHLD
3811 * in order to interrupt parent's blocking calls and
3812 * give it a chance to call wait() and terminate. */
3813 r
= sigprocmask(SIG_UNBLOCK
, &mask_chld
, NULL
);
3815 r
= log_error_errno(errno
, "Failed to change the signal mask: %m");
3819 r
= sigaction(SIGCHLD
, &sa
, NULL
);
3821 r
= log_error_errno(errno
, "Failed to install SIGCHLD handler: %m");
3825 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
|
3826 (arg_share_system
? 0 : CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
)|
3827 (arg_private_network
? CLONE_NEWNET
: 0), NULL
);
3829 if (errno
== EINVAL
)
3830 r
= log_error_errno(errno
, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3832 r
= log_error_errno(errno
, "clone() failed: %m");
3839 _cleanup_free_
char *home
= NULL
;
3841 const char *envp
[] = {
3842 "PATH=" DEFAULT_PATH_SPLIT_USR
,
3843 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
3848 NULL
, /* container_uuid */
3849 NULL
, /* LISTEN_FDS */
3850 NULL
, /* LISTEN_PID */
3855 barrier_set_role(&barrier
, BARRIER_CHILD
);
3857 envp
[n_env
] = strv_find_prefix(environ
, "TERM=");
3861 master
= safe_close(master
);
3863 close_nointr(STDIN_FILENO
);
3864 close_nointr(STDOUT_FILENO
);
3865 close_nointr(STDERR_FILENO
);
3867 kmsg_socket_pair
[0] = safe_close(kmsg_socket_pair
[0]);
3868 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
3870 reset_all_signal_handlers();
3871 reset_signal_mask();
3873 r
= open_terminal(console
, O_RDWR
);
3874 if (r
!= STDIN_FILENO
) {
3880 log_error_errno(r
, "Failed to open console: %m");
3881 _exit(EXIT_FAILURE
);
3884 if (dup2(STDIN_FILENO
, STDOUT_FILENO
) != STDOUT_FILENO
||
3885 dup2(STDIN_FILENO
, STDERR_FILENO
) != STDERR_FILENO
) {
3886 log_error_errno(errno
, "Failed to duplicate console: %m");
3887 _exit(EXIT_FAILURE
);
3891 log_error_errno(errno
, "setsid() failed: %m");
3892 _exit(EXIT_FAILURE
);
3895 if (reset_audit_loginuid() < 0)
3896 _exit(EXIT_FAILURE
);
3898 if (prctl(PR_SET_PDEATHSIG
, SIGKILL
) < 0) {
3899 log_error_errno(errno
, "PR_SET_PDEATHSIG failed: %m");
3900 _exit(EXIT_FAILURE
);
3903 /* Mark everything as slave, so that we still
3904 * receive mounts from the real root, but don't
3905 * propagate mounts to the real root. */
3906 if (mount(NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
) < 0) {
3907 log_error_errno(errno
, "MS_SLAVE|MS_REC failed: %m");
3908 _exit(EXIT_FAILURE
);
3911 if (mount_devices(arg_directory
,
3912 root_device
, root_device_rw
,
3913 home_device
, home_device_rw
,
3914 srv_device
, srv_device_rw
) < 0)
3915 _exit(EXIT_FAILURE
);
3917 /* Turn directory into bind mount */
3918 if (mount(arg_directory
, arg_directory
, "bind", MS_BIND
|MS_REC
, NULL
) < 0) {
3919 log_error_errno(errno
, "Failed to make bind mount: %m");
3920 _exit(EXIT_FAILURE
);
3923 r
= setup_volatile(arg_directory
);
3925 _exit(EXIT_FAILURE
);
3927 if (setup_volatile_state(arg_directory
) < 0)
3928 _exit(EXIT_FAILURE
);
3930 r
= base_filesystem_create(arg_directory
);
3932 _exit(EXIT_FAILURE
);
3934 if (arg_read_only
) {
3935 r
= bind_remount_recursive(arg_directory
, true);
3937 log_error_errno(r
, "Failed to make tree read-only: %m");
3938 _exit(EXIT_FAILURE
);
3942 if (mount_all(arg_directory
) < 0)
3943 _exit(EXIT_FAILURE
);
3945 if (copy_devnodes(arg_directory
) < 0)
3946 _exit(EXIT_FAILURE
);
3948 if (setup_ptmx(arg_directory
) < 0)
3949 _exit(EXIT_FAILURE
);
3951 dev_setup(arg_directory
);
3953 if (setup_propagate(arg_directory
) < 0)
3954 _exit(EXIT_FAILURE
);
3956 if (setup_seccomp() < 0)
3957 _exit(EXIT_FAILURE
);
3959 if (setup_dev_console(arg_directory
, console
) < 0)
3960 _exit(EXIT_FAILURE
);
3962 if (setup_kmsg(arg_directory
, kmsg_socket_pair
[1]) < 0)
3963 _exit(EXIT_FAILURE
);
3964 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
3966 if (send_rtnl(rtnl_socket_pair
[1]) < 0)
3967 _exit(EXIT_FAILURE
);
3968 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
3970 /* Tell the parent that we are ready, and that
3971 * it can cgroupify us to that we lack access
3972 * to certain devices and resources. */
3973 (void) barrier_place(&barrier
);
3975 if (setup_boot_id(arg_directory
) < 0)
3976 _exit(EXIT_FAILURE
);
3978 if (setup_timezone(arg_directory
) < 0)
3979 _exit(EXIT_FAILURE
);
3981 if (setup_resolv_conf(arg_directory
) < 0)
3982 _exit(EXIT_FAILURE
);
3984 if (setup_journal(arg_directory
) < 0)
3985 _exit(EXIT_FAILURE
);
3987 if (mount_binds(arg_directory
, arg_bind
, false) < 0)
3988 _exit(EXIT_FAILURE
);
3990 if (mount_binds(arg_directory
, arg_bind_ro
, true) < 0)
3991 _exit(EXIT_FAILURE
);
3993 if (mount_tmpfs(arg_directory
) < 0)
3994 _exit(EXIT_FAILURE
);
3996 /* Wait until we are cgroup-ified, so that we
3997 * can mount the right cgroup path writable */
3998 (void) barrier_sync_next(&barrier
);
4000 if (mount_cgroup(arg_directory
) < 0)
4001 _exit(EXIT_FAILURE
);
4003 if (chdir(arg_directory
) < 0) {
4004 log_error_errno(errno
, "chdir(%s) failed: %m", arg_directory
);
4005 _exit(EXIT_FAILURE
);
4008 if (mount(arg_directory
, "/", NULL
, MS_MOVE
, NULL
) < 0) {
4009 log_error_errno(errno
, "mount(MS_MOVE) failed: %m");
4010 _exit(EXIT_FAILURE
);
4013 if (chroot(".") < 0) {
4014 log_error_errno(errno
, "chroot() failed: %m");
4015 _exit(EXIT_FAILURE
);
4018 if (chdir("/") < 0) {
4019 log_error_errno(errno
, "chdir() failed: %m");
4020 _exit(EXIT_FAILURE
);
4025 if (arg_private_network
)
4028 if (drop_capabilities() < 0) {
4029 log_error_errno(errno
, "drop_capabilities() failed: %m");
4030 _exit(EXIT_FAILURE
);
4033 r
= change_uid_gid(&home
);
4035 _exit(EXIT_FAILURE
);
4037 if ((asprintf((char**)(envp
+ n_env
++), "HOME=%s", home
? home
: "/root") < 0) ||
4038 (asprintf((char**)(envp
+ n_env
++), "USER=%s", arg_user
? arg_user
: "root") < 0) ||
4039 (asprintf((char**)(envp
+ n_env
++), "LOGNAME=%s", arg_user
? arg_user
: "root") < 0)) {
4041 _exit(EXIT_FAILURE
);
4044 if (!sd_id128_equal(arg_uuid
, SD_ID128_NULL
)) {
4047 if (asprintf((char**)(envp
+ n_env
++), "container_uuid=%s", id128_format_as_uuid(arg_uuid
, as_uuid
)) < 0) {
4049 _exit(EXIT_FAILURE
);
4053 if (fdset_size(fds
) > 0) {
4054 r
= fdset_cloexec(fds
, false);
4056 log_error_errno(r
, "Failed to unset O_CLOEXEC for file descriptors.");
4057 _exit(EXIT_FAILURE
);
4060 if ((asprintf((char **)(envp
+ n_env
++), "LISTEN_FDS=%u", n_fd_passed
) < 0) ||
4061 (asprintf((char **)(envp
+ n_env
++), "LISTEN_PID=1") < 0)) {
4063 _exit(EXIT_FAILURE
);
4069 if (arg_personality
!= 0xffffffffLU
) {
4070 if (personality(arg_personality
) < 0) {
4071 log_error_errno(errno
, "personality() failed: %m");
4072 _exit(EXIT_FAILURE
);
4074 } else if (secondary
) {
4075 if (personality(PER_LINUX32
) < 0) {
4076 log_error_errno(errno
, "personality() failed: %m");
4077 _exit(EXIT_FAILURE
);
4082 if (arg_selinux_context
)
4083 if (setexeccon((security_context_t
) arg_selinux_context
) < 0) {
4084 log_error_errno(errno
, "setexeccon(\"%s\") failed: %m", arg_selinux_context
);
4085 _exit(EXIT_FAILURE
);
4089 if (!strv_isempty(arg_setenv
)) {
4092 n
= strv_env_merge(2, envp
, arg_setenv
);
4095 _exit(EXIT_FAILURE
);
4100 env_use
= (char**) envp
;
4102 /* Wait until the parent is ready with the setup, too... */
4103 if (!barrier_place_and_sync(&barrier
))
4104 _exit(EXIT_FAILURE
);
4110 /* Automatically search for the init system */
4112 l
= 1 + argc
- optind
;
4113 a
= newa(char*, l
+ 1);
4114 memcpy(a
+ 1, argv
+ optind
, l
* sizeof(char*));
4116 a
[0] = (char*) "/usr/lib/systemd/systemd";
4117 execve(a
[0], a
, env_use
);
4119 a
[0] = (char*) "/lib/systemd/systemd";
4120 execve(a
[0], a
, env_use
);
4122 a
[0] = (char*) "/sbin/init";
4123 execve(a
[0], a
, env_use
);
4124 } else if (argc
> optind
)
4125 execvpe(argv
[optind
], argv
+ optind
, env_use
);
4127 chdir(home
? home
: "/root");
4128 execle("/bin/bash", "-bash", NULL
, env_use
);
4129 execle("/bin/sh", "-sh", NULL
, env_use
);
4132 log_error_errno(errno
, "execv() failed: %m");
4133 _exit(EXIT_FAILURE
);
4136 barrier_set_role(&barrier
, BARRIER_PARENT
);
4140 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
4141 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
4143 /* Wait for the most basic Child-setup to be done,
4144 * before we add hardware to it, and place it in a
4146 if (barrier_sync_next(&barrier
)) {
4149 r
= move_network_interfaces(pid
);
4153 r
= setup_veth(pid
, veth_name
, &ifi
);
4157 r
= setup_bridge(veth_name
, &ifi
);
4161 r
= setup_macvlan(pid
);
4165 r
= setup_ipvlan(pid
);
4169 r
= register_machine(pid
, ifi
);
4173 /* Block SIGCHLD here, before notifying child.
4174 * process_pty() will handle it with the other signals. */
4175 r
= sigprocmask(SIG_BLOCK
, &mask_chld
, NULL
);
4179 /* Reset signal to default */
4180 r
= default_signals(SIGCHLD
, -1);
4184 /* Notify the child that the parent is ready with all
4185 * its setup, and that the child can now hand over
4186 * control to the code to run inside the container. */
4187 (void) barrier_place(&barrier
);
4189 /* And wait that the child is completely ready now. */
4190 if (barrier_place_and_sync(&barrier
)) {
4191 _cleanup_event_unref_ sd_event
*event
= NULL
;
4192 _cleanup_(pty_forward_freep
) PTYForward
*forward
= NULL
;
4193 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
4198 "STATUS=Container running.\n"
4199 "X_NSPAWN_LEADER_PID=" PID_FMT
, pid
);
4201 r
= sd_event_new(&event
);
4203 log_error_errno(r
, "Failed to get default event source: %m");
4208 /* Try to kill the init system on SIGINT or SIGTERM */
4209 sd_event_add_signal(event
, NULL
, SIGINT
, on_orderly_shutdown
, UINT32_TO_PTR(pid
));
4210 sd_event_add_signal(event
, NULL
, SIGTERM
, on_orderly_shutdown
, UINT32_TO_PTR(pid
));
4212 /* Immediately exit */
4213 sd_event_add_signal(event
, NULL
, SIGINT
, NULL
, NULL
);
4214 sd_event_add_signal(event
, NULL
, SIGTERM
, NULL
, NULL
);
4217 /* simply exit on sigchld */
4218 sd_event_add_signal(event
, NULL
, SIGCHLD
, NULL
, NULL
);
4220 if (arg_expose_ports
) {
4221 r
= watch_rtnl(event
, rtnl_socket_pair
[0], &exposed
, &rtnl
);
4225 (void) expose_ports(rtnl
, &exposed
);
4228 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4230 r
= pty_forward_new(event
, master
, true, &forward
);
4232 log_error_errno(r
, "Failed to create PTY forwarder: %m");
4236 r
= sd_event_loop(event
);
4238 log_error_errno(r
, "Failed to run event loop: %m");
4242 pty_forward_get_last_char(forward
, &last_char
);
4244 forward
= pty_forward_free(forward
);
4246 if (!arg_quiet
&& last_char
!= '\n')
4249 /* Kill if it is not dead yet anyway */
4250 terminate_machine(pid
);
4254 /* Normally redundant, but better safe than sorry */
4257 r
= wait_for_container(pid
, &container_status
);
4261 /* We failed to wait for the container, or the
4262 * container exited abnormally */
4264 else if (r
> 0 || container_status
== CONTAINER_TERMINATED
){
4265 /* The container exited with a non-zero
4266 * status, or with zero status and no reboot
4272 /* CONTAINER_REBOOTED, loop again */
4274 if (arg_keep_unit
) {
4275 /* Special handling if we are running as a
4276 * service: instead of simply restarting the
4277 * machine we want to restart the entire
4278 * service, so let's inform systemd about this
4279 * with the special exit code 133. The service
4280 * file uses RestartForceExitStatus=133 so
4281 * that this results in a full nspawn
4282 * restart. This is necessary since we might
4283 * have cgroup parameters set we want to have
4290 flush_ports(&exposed
);
4296 "STATUS=Terminating...");
4298 loop_remove(loop_nr
, &image_fd
);
4303 if (remove_subvol
&& arg_directory
) {
4306 k
= btrfs_subvol_remove(arg_directory
);
4308 log_warning_errno(k
, "Cannot remove subvolume '%s', ignoring: %m", arg_directory
);
4314 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
4315 (void) rm_rf(p
, false, true, false);
4318 free(arg_directory
);
4323 strv_free(arg_setenv
);
4324 strv_free(arg_network_interfaces
);
4325 strv_free(arg_network_macvlan
);
4326 strv_free(arg_network_ipvlan
);
4327 strv_free(arg_bind
);
4328 strv_free(arg_bind_ro
);
4329 strv_free(arg_tmpfs
);
4331 flush_ports(&exposed
);
4333 while (arg_expose_ports
) {
4334 ExposePort
*p
= arg_expose_ports
;
4335 LIST_REMOVE(ports
, arg_expose_ports
, p
);
4339 return r
< 0 ? EXIT_FAILURE
: ret
;