2 This file is part of systemd.
4 Copyright 2010 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <blkid/blkid.h>
26 #include <linux/loop.h>
33 #include <selinux/selinux.h>
40 #include <sys/mount.h>
41 #include <sys/personality.h>
42 #include <sys/prctl.h>
43 #include <sys/types.h>
46 #include "sd-daemon.h"
49 #include "alloc-util.h"
51 #include "base-filesystem.h"
52 #include "blkid-util.h"
53 #include "btrfs-util.h"
55 #include "capability-util.h"
56 #include "cgroup-util.h"
58 #include "dev-setup.h"
63 #include "formats-util.h"
66 #include "hostname-util.h"
68 #include "loopback-setup.h"
69 #include "machine-id-setup.h"
70 #include "machine-image.h"
74 #include "mount-util.h"
75 #include "netlink-util.h"
76 #include "nspawn-cgroup.h"
77 #include "nspawn-expose-ports.h"
78 #include "nspawn-mount.h"
79 #include "nspawn-network.h"
80 #include "nspawn-patch-uid.h"
81 #include "nspawn-register.h"
82 #include "nspawn-settings.h"
83 #include "nspawn-setuid.h"
84 #include "nspawn-stub-pid1.h"
85 #include "parse-util.h"
86 #include "path-util.h"
87 #include "process-util.h"
89 #include "random-util.h"
92 #include "seccomp-util.h"
94 #include "selinux-util.h"
95 #include "signal-util.h"
96 #include "socket-util.h"
97 #include "stat-util.h"
98 #include "stdio-util.h"
99 #include "string-util.h"
101 #include "terminal-util.h"
102 #include "udev-util.h"
103 #include "umask-util.h"
104 #include "user-util.h"
107 /* Note that devpts's gid= parameter parses GIDs as signed values, hence we stay away from the upper half of the 32bit
109 #define UID_SHIFT_PICK_MIN ((uid_t) UINT32_C(0x00080000))
110 #define UID_SHIFT_PICK_MAX ((uid_t) UINT32_C(0x6FFF0000))
112 typedef enum ContainerStatus
{
113 CONTAINER_TERMINATED
,
117 typedef enum LinkJournal
{
124 static char *arg_directory
= NULL
;
125 static char *arg_template
= NULL
;
126 static char *arg_chdir
= NULL
;
127 static char *arg_user
= NULL
;
128 static sd_id128_t arg_uuid
= {};
129 static char *arg_machine
= NULL
;
130 static const char *arg_selinux_context
= NULL
;
131 static const char *arg_selinux_apifs_context
= NULL
;
132 static const char *arg_slice
= NULL
;
133 static bool arg_private_network
= false;
134 static bool arg_read_only
= false;
135 static StartMode arg_start_mode
= START_PID1
;
136 static bool arg_ephemeral
= false;
137 static LinkJournal arg_link_journal
= LINK_AUTO
;
138 static bool arg_link_journal_try
= false;
139 static uint64_t arg_retain
=
140 (1ULL << CAP_CHOWN
) |
141 (1ULL << CAP_DAC_OVERRIDE
) |
142 (1ULL << CAP_DAC_READ_SEARCH
) |
143 (1ULL << CAP_FOWNER
) |
144 (1ULL << CAP_FSETID
) |
145 (1ULL << CAP_IPC_OWNER
) |
147 (1ULL << CAP_LEASE
) |
148 (1ULL << CAP_LINUX_IMMUTABLE
) |
149 (1ULL << CAP_NET_BIND_SERVICE
) |
150 (1ULL << CAP_NET_BROADCAST
) |
151 (1ULL << CAP_NET_RAW
) |
152 (1ULL << CAP_SETGID
) |
153 (1ULL << CAP_SETFCAP
) |
154 (1ULL << CAP_SETPCAP
) |
155 (1ULL << CAP_SETUID
) |
156 (1ULL << CAP_SYS_ADMIN
) |
157 (1ULL << CAP_SYS_CHROOT
) |
158 (1ULL << CAP_SYS_NICE
) |
159 (1ULL << CAP_SYS_PTRACE
) |
160 (1ULL << CAP_SYS_TTY_CONFIG
) |
161 (1ULL << CAP_SYS_RESOURCE
) |
162 (1ULL << CAP_SYS_BOOT
) |
163 (1ULL << CAP_AUDIT_WRITE
) |
164 (1ULL << CAP_AUDIT_CONTROL
) |
166 static CustomMount
*arg_custom_mounts
= NULL
;
167 static unsigned arg_n_custom_mounts
= 0;
168 static char **arg_setenv
= NULL
;
169 static bool arg_quiet
= false;
170 static bool arg_share_system
= false;
171 static bool arg_register
= true;
172 static bool arg_keep_unit
= false;
173 static char **arg_network_interfaces
= NULL
;
174 static char **arg_network_macvlan
= NULL
;
175 static char **arg_network_ipvlan
= NULL
;
176 static bool arg_network_veth
= false;
177 static char **arg_network_veth_extra
= NULL
;
178 static char *arg_network_bridge
= NULL
;
179 static unsigned long arg_personality
= PERSONALITY_INVALID
;
180 static char *arg_image
= NULL
;
181 static VolatileMode arg_volatile_mode
= VOLATILE_NO
;
182 static ExposePort
*arg_expose_ports
= NULL
;
183 static char **arg_property
= NULL
;
184 static UserNamespaceMode arg_userns_mode
= USER_NAMESPACE_NO
;
185 static uid_t arg_uid_shift
= UID_INVALID
, arg_uid_range
= 0x10000U
;
186 static bool arg_userns_chown
= false;
187 static int arg_kill_signal
= 0;
188 static bool arg_unified_cgroup_hierarchy
= false;
189 static SettingsMask arg_settings_mask
= 0;
190 static int arg_settings_trusted
= -1;
191 static char **arg_parameters
= NULL
;
192 static const char *arg_container_service_name
= "systemd-nspawn";
194 static void help(void) {
195 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
196 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
197 " -h --help Show this help\n"
198 " --version Print version string\n"
199 " -q --quiet Do not show status information\n"
200 " -D --directory=PATH Root directory for the container\n"
201 " --template=PATH Initialize root directory from template directory,\n"
203 " -x --ephemeral Run container with snapshot of root directory, and\n"
204 " remove it after exit\n"
205 " -i --image=PATH File system device or disk image for the container\n"
206 " -a --as-pid2 Maintain a stub init as PID1, invoke binary as PID2\n"
207 " -b --boot Boot up full system (i.e. invoke init)\n"
208 " --chdir=PATH Set working directory in the container\n"
209 " -u --user=USER Run the command under specified user or uid\n"
210 " -M --machine=NAME Set the machine name for the container\n"
211 " --uuid=UUID Set a specific machine UUID for the container\n"
212 " -S --slice=SLICE Place the container in the specified slice\n"
213 " --property=NAME=VALUE Set scope unit property\n"
214 " -U --private-users=pick Run within user namespace, pick UID/GID range automatically\n"
215 " --private-users[=UIDBASE[:NUIDS]]\n"
216 " Run within user namespace, user configured UID/GID range\n"
217 " --private-user-chown Adjust OS tree file ownership for private UID/GID range\n"
218 " --private-network Disable network in container\n"
219 " --network-interface=INTERFACE\n"
220 " Assign an existing network interface to the\n"
222 " --network-macvlan=INTERFACE\n"
223 " Create a macvlan network interface based on an\n"
224 " existing network interface to the container\n"
225 " --network-ipvlan=INTERFACE\n"
226 " Create a ipvlan network interface based on an\n"
227 " existing network interface to the container\n"
228 " -n --network-veth Add a virtual Ethernet connection between host\n"
230 " --network-veth-extra=HOSTIF[:CONTAINERIF]\n"
231 " Add an additional virtual Ethernet link between\n"
232 " host and container\n"
233 " --network-bridge=INTERFACE\n"
234 " Add a virtual Ethernet connection between host\n"
235 " and container and add it to an existing bridge on\n"
237 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
238 " Expose a container IP port on the host\n"
239 " -Z --selinux-context=SECLABEL\n"
240 " Set the SELinux security context to be used by\n"
241 " processes in the container\n"
242 " -L --selinux-apifs-context=SECLABEL\n"
243 " Set the SELinux security context to be used by\n"
244 " API/tmpfs file systems in the container\n"
245 " --capability=CAP In addition to the default, retain specified\n"
247 " --drop-capability=CAP Drop the specified capability from the default set\n"
248 " --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
249 " --link-journal=MODE Link up guest journal, one of no, auto, guest, \n"
250 " host, try-guest, try-host\n"
251 " -j Equivalent to --link-journal=try-guest\n"
252 " --read-only Mount the root directory read-only\n"
253 " --bind=PATH[:PATH[:OPTIONS]]\n"
254 " Bind mount a file or directory from the host into\n"
256 " --bind-ro=PATH[:PATH[:OPTIONS]\n"
257 " Similar, but creates a read-only bind mount\n"
258 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
259 " --overlay=PATH[:PATH...]:PATH\n"
260 " Create an overlay mount from the host to \n"
262 " --overlay-ro=PATH[:PATH...]:PATH\n"
263 " Similar, but creates a read-only overlay mount\n"
264 " -E --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
265 " --share-system Share system namespaces with host\n"
266 " --register=BOOLEAN Register container as machine\n"
267 " --keep-unit Do not register a scope for the machine, reuse\n"
268 " the service unit nspawn is running in\n"
269 " --volatile[=MODE] Run the system in volatile mode\n"
270 " --settings=BOOLEAN Load additional settings from .nspawn file\n"
271 , program_invocation_short_name
);
275 static int custom_mounts_prepare(void) {
279 /* Ensure the mounts are applied prefix first. */
280 qsort_safe(arg_custom_mounts
, arg_n_custom_mounts
, sizeof(CustomMount
), custom_mount_compare
);
282 /* Allocate working directories for the overlay file systems that need it */
283 for (i
= 0; i
< arg_n_custom_mounts
; i
++) {
284 CustomMount
*m
= &arg_custom_mounts
[i
];
286 if (path_equal(m
->destination
, "/") && arg_userns_mode
!= USER_NAMESPACE_NO
) {
288 if (arg_userns_chown
) {
289 log_error("--private-users-chown may not be combined with custom root mounts.");
291 } else if (arg_uid_shift
== UID_INVALID
) {
292 log_error("--private-users with automatic UID shift may not be combined with custom root mounts.");
297 if (m
->type
!= CUSTOM_MOUNT_OVERLAY
)
306 r
= tempfn_random(m
->source
, NULL
, &m
->work_dir
);
308 return log_error_errno(r
, "Failed to generate work directory from %s: %m", m
->source
);
314 static int detect_unified_cgroup_hierarchy(void) {
318 /* Allow the user to control whether the unified hierarchy is used */
319 e
= getenv("UNIFIED_CGROUP_HIERARCHY");
321 r
= parse_boolean(e
);
323 return log_error_errno(r
, "Failed to parse $UNIFIED_CGROUP_HIERARCHY.");
325 arg_unified_cgroup_hierarchy
= r
;
329 /* Otherwise inherit the default from the host system */
332 return log_error_errno(r
, "Failed to determine whether the unified cgroups hierarchy is used: %m");
334 arg_unified_cgroup_hierarchy
= r
;
338 static int parse_argv(int argc
, char *argv
[]) {
356 ARG_NETWORK_INTERFACE
,
360 ARG_NETWORK_VETH_EXTRA
,
369 ARG_PRIVATE_USERS_CHOWN
,
372 static const struct option options
[] = {
373 { "help", no_argument
, NULL
, 'h' },
374 { "version", no_argument
, NULL
, ARG_VERSION
},
375 { "directory", required_argument
, NULL
, 'D' },
376 { "template", required_argument
, NULL
, ARG_TEMPLATE
},
377 { "ephemeral", no_argument
, NULL
, 'x' },
378 { "user", required_argument
, NULL
, 'u' },
379 { "private-network", no_argument
, NULL
, ARG_PRIVATE_NETWORK
},
380 { "as-pid2", no_argument
, NULL
, 'a' },
381 { "boot", no_argument
, NULL
, 'b' },
382 { "uuid", required_argument
, NULL
, ARG_UUID
},
383 { "read-only", no_argument
, NULL
, ARG_READ_ONLY
},
384 { "capability", required_argument
, NULL
, ARG_CAPABILITY
},
385 { "drop-capability", required_argument
, NULL
, ARG_DROP_CAPABILITY
},
386 { "link-journal", required_argument
, NULL
, ARG_LINK_JOURNAL
},
387 { "bind", required_argument
, NULL
, ARG_BIND
},
388 { "bind-ro", required_argument
, NULL
, ARG_BIND_RO
},
389 { "tmpfs", required_argument
, NULL
, ARG_TMPFS
},
390 { "overlay", required_argument
, NULL
, ARG_OVERLAY
},
391 { "overlay-ro", required_argument
, NULL
, ARG_OVERLAY_RO
},
392 { "machine", required_argument
, NULL
, 'M' },
393 { "slice", required_argument
, NULL
, 'S' },
394 { "setenv", required_argument
, NULL
, 'E' },
395 { "selinux-context", required_argument
, NULL
, 'Z' },
396 { "selinux-apifs-context", required_argument
, NULL
, 'L' },
397 { "quiet", no_argument
, NULL
, 'q' },
398 { "share-system", no_argument
, NULL
, ARG_SHARE_SYSTEM
},
399 { "register", required_argument
, NULL
, ARG_REGISTER
},
400 { "keep-unit", no_argument
, NULL
, ARG_KEEP_UNIT
},
401 { "network-interface", required_argument
, NULL
, ARG_NETWORK_INTERFACE
},
402 { "network-macvlan", required_argument
, NULL
, ARG_NETWORK_MACVLAN
},
403 { "network-ipvlan", required_argument
, NULL
, ARG_NETWORK_IPVLAN
},
404 { "network-veth", no_argument
, NULL
, 'n' },
405 { "network-veth-extra", required_argument
, NULL
, ARG_NETWORK_VETH_EXTRA
},
406 { "network-bridge", required_argument
, NULL
, ARG_NETWORK_BRIDGE
},
407 { "personality", required_argument
, NULL
, ARG_PERSONALITY
},
408 { "image", required_argument
, NULL
, 'i' },
409 { "volatile", optional_argument
, NULL
, ARG_VOLATILE
},
410 { "port", required_argument
, NULL
, 'p' },
411 { "property", required_argument
, NULL
, ARG_PROPERTY
},
412 { "private-users", optional_argument
, NULL
, ARG_PRIVATE_USERS
},
413 { "private-users-chown", optional_argument
, NULL
, ARG_PRIVATE_USERS_CHOWN
},
414 { "kill-signal", required_argument
, NULL
, ARG_KILL_SIGNAL
},
415 { "settings", required_argument
, NULL
, ARG_SETTINGS
},
416 { "chdir", required_argument
, NULL
, ARG_CHDIR
},
422 uint64_t plus
= 0, minus
= 0;
423 bool mask_all_settings
= false, mask_no_settings
= false;
428 while ((c
= getopt_long(argc
, argv
, "+hD:u:abL:M:jS:Z:qi:xp:nU", options
, NULL
)) >= 0)
440 r
= parse_path_argument_and_warn(optarg
, false, &arg_directory
);
446 r
= parse_path_argument_and_warn(optarg
, false, &arg_template
);
452 r
= parse_path_argument_and_warn(optarg
, false, &arg_image
);
458 arg_ephemeral
= true;
462 r
= free_and_strdup(&arg_user
, optarg
);
466 arg_settings_mask
|= SETTING_USER
;
469 case ARG_NETWORK_BRIDGE
:
470 r
= free_and_strdup(&arg_network_bridge
, optarg
);
477 arg_network_veth
= true;
478 arg_private_network
= true;
479 arg_settings_mask
|= SETTING_NETWORK
;
482 case ARG_NETWORK_VETH_EXTRA
:
483 r
= veth_extra_parse(&arg_network_veth_extra
, optarg
);
485 return log_error_errno(r
, "Failed to parse --network-veth-extra= parameter: %s", optarg
);
487 arg_private_network
= true;
488 arg_settings_mask
|= SETTING_NETWORK
;
491 case ARG_NETWORK_INTERFACE
:
492 if (strv_extend(&arg_network_interfaces
, optarg
) < 0)
495 arg_private_network
= true;
496 arg_settings_mask
|= SETTING_NETWORK
;
499 case ARG_NETWORK_MACVLAN
:
500 if (strv_extend(&arg_network_macvlan
, optarg
) < 0)
503 arg_private_network
= true;
504 arg_settings_mask
|= SETTING_NETWORK
;
507 case ARG_NETWORK_IPVLAN
:
508 if (strv_extend(&arg_network_ipvlan
, optarg
) < 0)
513 case ARG_PRIVATE_NETWORK
:
514 arg_private_network
= true;
515 arg_settings_mask
|= SETTING_NETWORK
;
519 if (arg_start_mode
== START_PID2
) {
520 log_error("--boot and --as-pid2 may not be combined.");
524 arg_start_mode
= START_BOOT
;
525 arg_settings_mask
|= SETTING_START_MODE
;
529 if (arg_start_mode
== START_BOOT
) {
530 log_error("--boot and --as-pid2 may not be combined.");
534 arg_start_mode
= START_PID2
;
535 arg_settings_mask
|= SETTING_START_MODE
;
539 r
= sd_id128_from_string(optarg
, &arg_uuid
);
541 log_error("Invalid UUID: %s", optarg
);
545 arg_settings_mask
|= SETTING_MACHINE_ID
;
554 arg_machine
= mfree(arg_machine
);
556 if (!machine_name_is_valid(optarg
)) {
557 log_error("Invalid machine name: %s", optarg
);
561 r
= free_and_strdup(&arg_machine
, optarg
);
569 arg_selinux_context
= optarg
;
573 arg_selinux_apifs_context
= optarg
;
577 arg_read_only
= true;
578 arg_settings_mask
|= SETTING_READ_ONLY
;
582 case ARG_DROP_CAPABILITY
: {
585 _cleanup_free_
char *t
= NULL
;
587 r
= extract_first_word(&p
, &t
, ",", 0);
589 return log_error_errno(r
, "Failed to parse capability %s.", t
);
594 if (streq(t
, "all")) {
595 if (c
== ARG_CAPABILITY
)
596 plus
= (uint64_t) -1;
598 minus
= (uint64_t) -1;
602 cap
= capability_from_name(t
);
604 log_error("Failed to parse capability %s.", t
);
608 if (c
== ARG_CAPABILITY
)
609 plus
|= 1ULL << (uint64_t) cap
;
611 minus
|= 1ULL << (uint64_t) cap
;
615 arg_settings_mask
|= SETTING_CAPABILITY
;
620 arg_link_journal
= LINK_GUEST
;
621 arg_link_journal_try
= true;
624 case ARG_LINK_JOURNAL
:
625 if (streq(optarg
, "auto")) {
626 arg_link_journal
= LINK_AUTO
;
627 arg_link_journal_try
= false;
628 } else if (streq(optarg
, "no")) {
629 arg_link_journal
= LINK_NO
;
630 arg_link_journal_try
= false;
631 } else if (streq(optarg
, "guest")) {
632 arg_link_journal
= LINK_GUEST
;
633 arg_link_journal_try
= false;
634 } else if (streq(optarg
, "host")) {
635 arg_link_journal
= LINK_HOST
;
636 arg_link_journal_try
= false;
637 } else if (streq(optarg
, "try-guest")) {
638 arg_link_journal
= LINK_GUEST
;
639 arg_link_journal_try
= true;
640 } else if (streq(optarg
, "try-host")) {
641 arg_link_journal
= LINK_HOST
;
642 arg_link_journal_try
= true;
644 log_error("Failed to parse link journal mode %s", optarg
);
652 r
= bind_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
, c
== ARG_BIND_RO
);
654 return log_error_errno(r
, "Failed to parse --bind(-ro)= argument %s: %m", optarg
);
656 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
660 r
= tmpfs_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
);
662 return log_error_errno(r
, "Failed to parse --tmpfs= argument %s: %m", optarg
);
664 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
668 case ARG_OVERLAY_RO
: {
669 _cleanup_free_
char *upper
= NULL
, *destination
= NULL
;
670 _cleanup_strv_free_
char **lower
= NULL
;
675 r
= strv_split_extract(&lower
, optarg
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
679 log_error("Invalid overlay specification: %s", optarg
);
683 STRV_FOREACH(i
, lower
) {
684 if (!path_is_absolute(*i
)) {
685 log_error("Overlay path %s is not absolute.", *i
);
693 log_error("--overlay= needs at least two colon-separated directories specified.");
698 /* If two parameters are specified,
699 * the first one is the lower, the
700 * second one the upper directory. And
701 * we'll also define the destination
702 * mount point the same as the upper. */
706 destination
= strdup(upper
);
711 upper
= lower
[n
- 2];
712 destination
= lower
[n
- 1];
716 m
= custom_mount_add(&arg_custom_mounts
, &arg_n_custom_mounts
, CUSTOM_MOUNT_OVERLAY
);
720 m
->destination
= destination
;
723 m
->read_only
= c
== ARG_OVERLAY_RO
;
725 upper
= destination
= NULL
;
728 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
735 if (!env_assignment_is_valid(optarg
)) {
736 log_error("Environment variable assignment '%s' is not valid.", optarg
);
740 n
= strv_env_set(arg_setenv
, optarg
);
744 strv_free(arg_setenv
);
747 arg_settings_mask
|= SETTING_ENVIRONMENT
;
755 case ARG_SHARE_SYSTEM
:
756 arg_share_system
= true;
760 r
= parse_boolean(optarg
);
762 log_error("Failed to parse --register= argument: %s", optarg
);
770 arg_keep_unit
= true;
773 case ARG_PERSONALITY
:
775 arg_personality
= personality_from_string(optarg
);
776 if (arg_personality
== PERSONALITY_INVALID
) {
777 log_error("Unknown or unsupported personality '%s'.", optarg
);
781 arg_settings_mask
|= SETTING_PERSONALITY
;
787 arg_volatile_mode
= VOLATILE_YES
;
791 m
= volatile_mode_from_string(optarg
);
793 log_error("Failed to parse --volatile= argument: %s", optarg
);
796 arg_volatile_mode
= m
;
799 arg_settings_mask
|= SETTING_VOLATILE_MODE
;
803 r
= expose_port_parse(&arg_expose_ports
, optarg
);
805 return log_error_errno(r
, "Duplicate port specification: %s", optarg
);
807 return log_error_errno(r
, "Failed to parse host port %s: %m", optarg
);
809 arg_settings_mask
|= SETTING_EXPOSE_PORTS
;
813 if (strv_extend(&arg_property
, optarg
) < 0)
818 case ARG_PRIVATE_USERS
:
820 r
= optarg
? parse_boolean(optarg
) : 1;
822 /* no: User namespacing off */
823 arg_userns_mode
= USER_NAMESPACE_NO
;
824 arg_uid_shift
= UID_INVALID
;
825 arg_uid_range
= UINT32_C(0x10000);
827 /* yes: User namespacing on, UID range is read from root dir */
828 arg_userns_mode
= USER_NAMESPACE_FIXED
;
829 arg_uid_shift
= UID_INVALID
;
830 arg_uid_range
= UINT32_C(0x10000);
831 } else if (streq(optarg
, "pick")) {
832 /* pick: User namespacing on, UID range is picked randomly */
833 arg_userns_mode
= USER_NAMESPACE_PICK
;
834 arg_uid_shift
= UID_INVALID
;
835 arg_uid_range
= UINT32_C(0x10000);
837 _cleanup_free_
char *buffer
= NULL
;
838 const char *range
, *shift
;
840 /* anything else: User namespacing on, UID range is explicitly configured */
842 range
= strchr(optarg
, ':');
844 buffer
= strndup(optarg
, range
- optarg
);
850 if (safe_atou32(range
, &arg_uid_range
) < 0 || arg_uid_range
<= 0) {
851 log_error("Failed to parse UID range: %s", range
);
857 if (parse_uid(shift
, &arg_uid_shift
) < 0) {
858 log_error("Failed to parse UID: %s", optarg
);
862 arg_userns_mode
= USER_NAMESPACE_FIXED
;
865 arg_settings_mask
|= SETTING_USERNS
;
869 arg_userns_mode
= USER_NAMESPACE_PICK
;
870 arg_uid_shift
= UID_INVALID
;
871 arg_uid_range
= UINT32_C(0x10000);
873 arg_settings_mask
|= SETTING_USERNS
;
876 case ARG_PRIVATE_USERS_CHOWN
:
877 arg_userns_chown
= true;
879 arg_settings_mask
|= SETTING_USERNS
;
882 case ARG_KILL_SIGNAL
:
883 arg_kill_signal
= signal_from_string_try_harder(optarg
);
884 if (arg_kill_signal
< 0) {
885 log_error("Cannot parse signal: %s", optarg
);
889 arg_settings_mask
|= SETTING_KILL_SIGNAL
;
894 /* no → do not read files
895 * yes → read files, do not override cmdline, trust only subset
896 * override → read files, override cmdline, trust only subset
897 * trusted → read files, do not override cmdline, trust all
900 r
= parse_boolean(optarg
);
902 if (streq(optarg
, "trusted")) {
903 mask_all_settings
= false;
904 mask_no_settings
= false;
905 arg_settings_trusted
= true;
907 } else if (streq(optarg
, "override")) {
908 mask_all_settings
= false;
909 mask_no_settings
= true;
910 arg_settings_trusted
= -1;
912 return log_error_errno(r
, "Failed to parse --settings= argument: %s", optarg
);
915 mask_all_settings
= false;
916 mask_no_settings
= false;
917 arg_settings_trusted
= -1;
920 mask_all_settings
= true;
921 mask_no_settings
= false;
922 arg_settings_trusted
= false;
928 if (!path_is_absolute(optarg
)) {
929 log_error("Working directory %s is not an absolute path.", optarg
);
933 r
= free_and_strdup(&arg_chdir
, optarg
);
937 arg_settings_mask
|= SETTING_WORKING_DIRECTORY
;
944 assert_not_reached("Unhandled option");
947 if (arg_share_system
)
948 arg_register
= false;
950 if (arg_userns_mode
== USER_NAMESPACE_PICK
)
951 arg_userns_chown
= true;
953 if (arg_start_mode
!= START_PID1
&& arg_share_system
) {
954 log_error("--boot and --share-system may not be combined.");
958 if (arg_keep_unit
&& cg_pid_get_owner_uid(0, NULL
) >= 0) {
959 log_error("--keep-unit may not be used when invoked from a user session.");
963 if (arg_directory
&& arg_image
) {
964 log_error("--directory= and --image= may not be combined.");
968 if (arg_template
&& arg_image
) {
969 log_error("--template= and --image= may not be combined.");
973 if (arg_template
&& !(arg_directory
|| arg_machine
)) {
974 log_error("--template= needs --directory= or --machine=.");
978 if (arg_ephemeral
&& arg_template
) {
979 log_error("--ephemeral and --template= may not be combined.");
983 if (arg_ephemeral
&& arg_image
) {
984 log_error("--ephemeral and --image= may not be combined.");
988 if (arg_ephemeral
&& !IN_SET(arg_link_journal
, LINK_NO
, LINK_AUTO
)) {
989 log_error("--ephemeral and --link-journal= may not be combined.");
993 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& access("/proc/self/uid_map", F_OK
) < 0) {
994 log_error("--private-users= is not supported, kernel compiled without user namespace support.");
998 if (arg_userns_chown
&& arg_read_only
) {
999 log_error("--read-only and --private-users-chown may not be combined.");
1003 if (argc
> optind
) {
1004 arg_parameters
= strv_copy(argv
+ optind
);
1005 if (!arg_parameters
)
1008 arg_settings_mask
|= SETTING_START_MODE
;
1011 /* Load all settings from .nspawn files */
1012 if (mask_no_settings
)
1013 arg_settings_mask
= 0;
1015 /* Don't load any settings from .nspawn files */
1016 if (mask_all_settings
)
1017 arg_settings_mask
= _SETTINGS_MASK_ALL
;
1019 arg_retain
= (arg_retain
| plus
| (arg_private_network
? 1ULL << CAP_NET_ADMIN
: 0)) & ~minus
;
1021 r
= detect_unified_cgroup_hierarchy();
1025 e
= getenv("SYSTEMD_NSPAWN_CONTAINER_SERVICE");
1027 arg_container_service_name
= e
;
1032 static int verify_arguments(void) {
1034 if (arg_volatile_mode
!= VOLATILE_NO
&& arg_read_only
) {
1035 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
1039 if (arg_expose_ports
&& !arg_private_network
) {
1040 log_error("Cannot use --port= without private networking.");
1044 #ifndef HAVE_LIBIPTC
1045 if (arg_expose_ports
) {
1046 log_error("--port= is not supported, compiled without libiptc support.");
1051 if (arg_start_mode
== START_BOOT
&& arg_kill_signal
<= 0)
1052 arg_kill_signal
= SIGRTMIN
+3;
1057 static int userns_lchown(const char *p
, uid_t uid
, gid_t gid
) {
1060 if (arg_userns_mode
== USER_NAMESPACE_NO
)
1063 if (uid
== UID_INVALID
&& gid
== GID_INVALID
)
1066 if (uid
!= UID_INVALID
) {
1067 uid
+= arg_uid_shift
;
1069 if (uid
< arg_uid_shift
|| uid
>= arg_uid_shift
+ arg_uid_range
)
1073 if (gid
!= GID_INVALID
) {
1074 gid
+= (gid_t
) arg_uid_shift
;
1076 if (gid
< (gid_t
) arg_uid_shift
|| gid
>= (gid_t
) (arg_uid_shift
+ arg_uid_range
))
1080 if (lchown(p
, uid
, gid
) < 0)
1086 static int userns_mkdir(const char *root
, const char *path
, mode_t mode
, uid_t uid
, gid_t gid
) {
1089 q
= prefix_roota(root
, path
);
1090 if (mkdir(q
, mode
) < 0) {
1091 if (errno
== EEXIST
)
1096 return userns_lchown(q
, uid
, gid
);
1099 static int setup_timezone(const char *dest
) {
1100 _cleanup_free_
char *p
= NULL
, *q
= NULL
;
1101 const char *where
, *check
, *what
;
1107 /* Fix the timezone, if possible */
1108 r
= readlink_malloc("/etc/localtime", &p
);
1110 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
1114 z
= path_startswith(p
, "../usr/share/zoneinfo/");
1116 z
= path_startswith(p
, "/usr/share/zoneinfo/");
1118 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1122 where
= prefix_roota(dest
, "/etc/localtime");
1123 r
= readlink_malloc(where
, &q
);
1125 y
= path_startswith(q
, "../usr/share/zoneinfo/");
1127 y
= path_startswith(q
, "/usr/share/zoneinfo/");
1129 /* Already pointing to the right place? Then do nothing .. */
1130 if (y
&& streq(y
, z
))
1134 check
= strjoina("/usr/share/zoneinfo/", z
);
1135 check
= prefix_roota(dest
, check
);
1136 if (laccess(check
, F_OK
) < 0) {
1137 log_warning("Timezone %s does not exist in container, not updating container timezone.", z
);
1142 if (r
< 0 && errno
!= ENOENT
) {
1143 log_error_errno(errno
, "Failed to remove existing timezone info %s in container: %m", where
);
1147 what
= strjoina("../usr/share/zoneinfo/", z
);
1148 if (symlink(what
, where
) < 0) {
1149 log_error_errno(errno
, "Failed to correct timezone of container: %m");
1153 r
= userns_lchown(where
, 0, 0);
1155 return log_warning_errno(r
, "Failed to chown /etc/localtime: %m");
1160 static int setup_resolv_conf(const char *dest
) {
1161 const char *where
= NULL
;
1166 if (arg_private_network
)
1169 /* Fix resolv.conf, if possible */
1170 where
= prefix_roota(dest
, "/etc/resolv.conf");
1172 r
= copy_file("/etc/resolv.conf", where
, O_TRUNC
|O_NOFOLLOW
, 0644, 0);
1174 /* If the file already exists as symlink, let's
1175 * suppress the warning, under the assumption that
1176 * resolved or something similar runs inside and the
1177 * symlink points there.
1179 * If the disk image is read-only, there's also no
1180 * point in complaining.
1182 log_full_errno(IN_SET(r
, -ELOOP
, -EROFS
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1183 "Failed to copy /etc/resolv.conf to %s: %m", where
);
1187 r
= userns_lchown(where
, 0, 0);
1189 log_warning_errno(r
, "Failed to chown /etc/resolv.conf: %m");
1194 static char* id128_format_as_uuid(sd_id128_t id
, char s
[37]) {
1198 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1199 SD_ID128_FORMAT_VAL(id
));
1204 static int setup_boot_id(const char *dest
) {
1205 const char *from
, *to
;
1206 sd_id128_t rnd
= {};
1210 if (arg_share_system
)
1213 /* Generate a new randomized boot ID, so that each boot-up of
1214 * the container gets a new one */
1216 from
= prefix_roota(dest
, "/run/proc-sys-kernel-random-boot-id");
1217 to
= prefix_roota(dest
, "/proc/sys/kernel/random/boot_id");
1219 r
= sd_id128_randomize(&rnd
);
1221 return log_error_errno(r
, "Failed to generate random boot id: %m");
1223 id128_format_as_uuid(rnd
, as_uuid
);
1225 r
= write_string_file(from
, as_uuid
, WRITE_STRING_FILE_CREATE
);
1227 return log_error_errno(r
, "Failed to write boot id: %m");
1229 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1230 r
= log_error_errno(errno
, "Failed to bind mount boot id: %m");
1231 else if (mount(NULL
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
) < 0)
1232 log_warning_errno(errno
, "Failed to make boot id read-only: %m");
1238 static int copy_devnodes(const char *dest
) {
1240 static const char devnodes
[] =
1251 _cleanup_umask_ mode_t u
;
1257 /* Create /dev/net, so that we can create /dev/net/tun in it */
1258 if (userns_mkdir(dest
, "/dev/net", 0755, 0, 0) < 0)
1259 return log_error_errno(r
, "Failed to create /dev/net directory: %m");
1261 NULSTR_FOREACH(d
, devnodes
) {
1262 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1265 from
= strappend("/dev/", d
);
1266 to
= prefix_root(dest
, from
);
1268 if (stat(from
, &st
) < 0) {
1270 if (errno
!= ENOENT
)
1271 return log_error_errno(errno
, "Failed to stat %s: %m", from
);
1273 } else if (!S_ISCHR(st
.st_mode
) && !S_ISBLK(st
.st_mode
)) {
1275 log_error("%s is not a char or block device, cannot copy.", from
);
1279 if (mknod(to
, st
.st_mode
, st
.st_rdev
) < 0) {
1281 return log_error_errno(errno
, "mknod(%s) failed: %m", to
);
1283 /* Some systems abusively restrict mknod but
1284 * allow bind mounts. */
1287 return log_error_errno(r
, "touch (%s) failed: %m", to
);
1288 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1289 return log_error_errno(errno
, "Both mknod and bind mount (%s) failed: %m", to
);
1292 r
= userns_lchown(to
, 0, 0);
1294 return log_error_errno(r
, "chown() of device node %s failed: %m", to
);
1301 static int setup_pts(const char *dest
) {
1302 _cleanup_free_
char *options
= NULL
;
1307 if (arg_selinux_apifs_context
)
1308 (void) asprintf(&options
,
1309 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
",context=\"%s\"",
1310 arg_uid_shift
+ TTY_GID
,
1311 arg_selinux_apifs_context
);
1314 (void) asprintf(&options
,
1315 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
,
1316 arg_uid_shift
+ TTY_GID
);
1321 /* Mount /dev/pts itself */
1322 p
= prefix_roota(dest
, "/dev/pts");
1323 if (mkdir(p
, 0755) < 0)
1324 return log_error_errno(errno
, "Failed to create /dev/pts: %m");
1325 if (mount("devpts", p
, "devpts", MS_NOSUID
|MS_NOEXEC
, options
) < 0)
1326 return log_error_errno(errno
, "Failed to mount /dev/pts: %m");
1327 r
= userns_lchown(p
, 0, 0);
1329 return log_error_errno(r
, "Failed to chown /dev/pts: %m");
1331 /* Create /dev/ptmx symlink */
1332 p
= prefix_roota(dest
, "/dev/ptmx");
1333 if (symlink("pts/ptmx", p
) < 0)
1334 return log_error_errno(errno
, "Failed to create /dev/ptmx symlink: %m");
1335 r
= userns_lchown(p
, 0, 0);
1337 return log_error_errno(r
, "Failed to chown /dev/ptmx: %m");
1339 /* And fix /dev/pts/ptmx ownership */
1340 p
= prefix_roota(dest
, "/dev/pts/ptmx");
1341 r
= userns_lchown(p
, 0, 0);
1343 return log_error_errno(r
, "Failed to chown /dev/pts/ptmx: %m");
1348 static int setup_dev_console(const char *dest
, const char *console
) {
1349 _cleanup_umask_ mode_t u
;
1358 r
= chmod_and_chown(console
, 0600, arg_uid_shift
, arg_uid_shift
);
1360 return log_error_errno(r
, "Failed to correct access mode for TTY: %m");
1362 /* We need to bind mount the right tty to /dev/console since
1363 * ptys can only exist on pts file systems. To have something
1364 * to bind mount things on we create a empty regular file. */
1366 to
= prefix_roota(dest
, "/dev/console");
1369 return log_error_errno(r
, "touch() for /dev/console failed: %m");
1371 if (mount(console
, to
, NULL
, MS_BIND
, NULL
) < 0)
1372 return log_error_errno(errno
, "Bind mount for /dev/console failed: %m");
1377 static int setup_kmsg(const char *dest
, int kmsg_socket
) {
1378 const char *from
, *to
;
1379 _cleanup_umask_ mode_t u
;
1382 assert(kmsg_socket
>= 0);
1386 /* We create the kmsg FIFO as /run/kmsg, but immediately
1387 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1388 * on the reading side behave very similar to /proc/kmsg,
1389 * their writing side behaves differently from /dev/kmsg in
1390 * that writing blocks when nothing is reading. In order to
1391 * avoid any problems with containers deadlocking due to this
1392 * we simply make /dev/kmsg unavailable to the container. */
1393 from
= prefix_roota(dest
, "/run/kmsg");
1394 to
= prefix_roota(dest
, "/proc/kmsg");
1396 if (mkfifo(from
, 0600) < 0)
1397 return log_error_errno(errno
, "mkfifo() for /run/kmsg failed: %m");
1398 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1399 return log_error_errno(errno
, "Bind mount for /proc/kmsg failed: %m");
1401 fd
= open(from
, O_RDWR
|O_NDELAY
|O_CLOEXEC
);
1403 return log_error_errno(errno
, "Failed to open fifo: %m");
1405 /* Store away the fd in the socket, so that it stays open as
1406 * long as we run the child */
1407 r
= send_one_fd(kmsg_socket
, fd
, 0);
1411 return log_error_errno(r
, "Failed to send FIFO fd: %m");
1413 /* And now make the FIFO unavailable as /run/kmsg... */
1414 (void) unlink(from
);
1419 static int on_address_change(sd_netlink
*rtnl
, sd_netlink_message
*m
, void *userdata
) {
1420 union in_addr_union
*exposed
= userdata
;
1426 expose_port_execute(rtnl
, arg_expose_ports
, exposed
);
1430 static int setup_hostname(void) {
1432 if (arg_share_system
)
1435 if (sethostname_idempotent(arg_machine
) < 0)
1441 static int setup_journal(const char *directory
) {
1443 _cleanup_free_
char *d
= NULL
;
1449 /* Don't link journals in ephemeral mode */
1453 if (arg_link_journal
== LINK_NO
)
1456 try = arg_link_journal_try
|| arg_link_journal
== LINK_AUTO
;
1458 r
= sd_id128_get_machine(&this_id
);
1460 return log_error_errno(r
, "Failed to retrieve machine ID: %m");
1462 if (sd_id128_equal(arg_uuid
, this_id
)) {
1463 log_full(try ? LOG_WARNING
: LOG_ERR
,
1464 "Host and machine ids are equal (%s): refusing to link journals", id
);
1470 r
= userns_mkdir(directory
, "/var", 0755, 0, 0);
1472 return log_error_errno(r
, "Failed to create /var: %m");
1474 r
= userns_mkdir(directory
, "/var/log", 0755, 0, 0);
1476 return log_error_errno(r
, "Failed to create /var/log: %m");
1478 r
= userns_mkdir(directory
, "/var/log/journal", 0755, 0, 0);
1480 return log_error_errno(r
, "Failed to create /var/log/journal: %m");
1482 (void) sd_id128_to_string(arg_uuid
, id
);
1484 p
= strjoina("/var/log/journal/", id
);
1485 q
= prefix_roota(directory
, p
);
1487 if (path_is_mount_point(p
, 0) > 0) {
1491 log_error("%s: already a mount point, refusing to use for journal", p
);
1495 if (path_is_mount_point(q
, 0) > 0) {
1499 log_error("%s: already a mount point, refusing to use for journal", q
);
1503 r
= readlink_and_make_absolute(p
, &d
);
1505 if ((arg_link_journal
== LINK_GUEST
||
1506 arg_link_journal
== LINK_AUTO
) &&
1509 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
1511 log_warning_errno(r
, "Failed to create directory %s: %m", q
);
1516 return log_error_errno(errno
, "Failed to remove symlink %s: %m", p
);
1517 } else if (r
== -EINVAL
) {
1519 if (arg_link_journal
== LINK_GUEST
&&
1522 if (errno
== ENOTDIR
) {
1523 log_error("%s already exists and is neither a symlink nor a directory", p
);
1526 return log_error_errno(errno
, "Failed to remove %s: %m", p
);
1528 } else if (r
!= -ENOENT
)
1529 return log_error_errno(r
, "readlink(%s) failed: %m", p
);
1531 if (arg_link_journal
== LINK_GUEST
) {
1533 if (symlink(q
, p
) < 0) {
1535 log_debug_errno(errno
, "Failed to symlink %s to %s, skipping journal setup: %m", q
, p
);
1538 return log_error_errno(errno
, "Failed to symlink %s to %s: %m", q
, p
);
1541 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
1543 log_warning_errno(r
, "Failed to create directory %s: %m", q
);
1547 if (arg_link_journal
== LINK_HOST
) {
1548 /* don't create parents here — if the host doesn't have
1549 * permanent journal set up, don't force it here */
1551 if (mkdir(p
, 0755) < 0 && errno
!= EEXIST
) {
1553 log_debug_errno(errno
, "Failed to create %s, skipping journal setup: %m", p
);
1556 return log_error_errno(errno
, "Failed to create %s: %m", p
);
1559 } else if (access(p
, F_OK
) < 0)
1562 if (dir_is_empty(q
) == 0)
1563 log_warning("%s is not empty, proceeding anyway.", q
);
1565 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
1567 return log_error_errno(r
, "Failed to create %s: %m", q
);
1569 if (mount(p
, q
, NULL
, MS_BIND
, NULL
) < 0)
1570 return log_error_errno(errno
, "Failed to bind mount journal from host into guest: %m");
1575 static int drop_capabilities(void) {
1576 return capability_bounding_set_drop(arg_retain
, false);
1579 static int reset_audit_loginuid(void) {
1580 _cleanup_free_
char *p
= NULL
;
1583 if (arg_share_system
)
1586 r
= read_one_line_file("/proc/self/loginuid", &p
);
1590 return log_error_errno(r
, "Failed to read /proc/self/loginuid: %m");
1592 /* Already reset? */
1593 if (streq(p
, "4294967295"))
1596 r
= write_string_file("/proc/self/loginuid", "4294967295", 0);
1599 "Failed to reset audit login UID. This probably means that your kernel is too\n"
1600 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1601 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1602 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1603 "using systemd-nspawn. Sleeping for 5s... (%m)");
1611 static int setup_seccomp(void) {
1614 static const struct {
1615 uint64_t capability
;
1618 { CAP_SYS_RAWIO
, SCMP_SYS(iopl
) },
1619 { CAP_SYS_RAWIO
, SCMP_SYS(ioperm
) },
1620 { CAP_SYS_BOOT
, SCMP_SYS(kexec_load
) },
1621 { CAP_SYS_ADMIN
, SCMP_SYS(swapon
) },
1622 { CAP_SYS_ADMIN
, SCMP_SYS(swapoff
) },
1623 { CAP_SYS_ADMIN
, SCMP_SYS(open_by_handle_at
) },
1624 { CAP_SYS_MODULE
, SCMP_SYS(init_module
) },
1625 { CAP_SYS_MODULE
, SCMP_SYS(finit_module
) },
1626 { CAP_SYS_MODULE
, SCMP_SYS(delete_module
) },
1627 { CAP_SYSLOG
, SCMP_SYS(syslog
) },
1630 scmp_filter_ctx seccomp
;
1634 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
1638 r
= seccomp_add_secondary_archs(seccomp
);
1640 log_error_errno(r
, "Failed to add secondary archs to seccomp filter: %m");
1644 for (i
= 0; i
< ELEMENTSOF(blacklist
); i
++) {
1645 if (arg_retain
& (1ULL << blacklist
[i
].capability
))
1648 r
= seccomp_rule_add(seccomp
, SCMP_ACT_ERRNO(EPERM
), blacklist
[i
].syscall_num
, 0);
1650 continue; /* unknown syscall */
1652 log_error_errno(r
, "Failed to block syscall: %m");
1659 Audit is broken in containers, much of the userspace audit
1660 hookup will fail if running inside a container. We don't
1661 care and just turn off creation of audit sockets.
1663 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
1664 with EAFNOSUPPORT which audit userspace uses as indication
1665 that audit is disabled in the kernel.
1668 r
= seccomp_rule_add(
1670 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
1673 SCMP_A0(SCMP_CMP_EQ
, AF_NETLINK
),
1674 SCMP_A2(SCMP_CMP_EQ
, NETLINK_AUDIT
));
1676 log_error_errno(r
, "Failed to add audit seccomp rule: %m");
1680 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
1682 log_error_errno(r
, "Failed to unset NO_NEW_PRIVS: %m");
1686 r
= seccomp_load(seccomp
);
1688 log_debug_errno(r
, "Kernel is probably not configured with CONFIG_SECCOMP. Disabling seccomp audit filter: %m");
1693 log_error_errno(r
, "Failed to install seccomp audit filter: %m");
1698 seccomp_release(seccomp
);
1706 static int setup_propagate(const char *root
) {
1710 (void) mkdir_p("/run/systemd/nspawn/", 0755);
1711 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
1712 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
1713 (void) mkdir_p(p
, 0600);
1715 r
= userns_mkdir(root
, "/run/systemd", 0755, 0, 0);
1717 return log_error_errno(r
, "Failed to create /run/systemd: %m");
1719 r
= userns_mkdir(root
, "/run/systemd/nspawn", 0755, 0, 0);
1721 return log_error_errno(r
, "Failed to create /run/systemd/nspawn: %m");
1723 r
= userns_mkdir(root
, "/run/systemd/nspawn/incoming", 0600, 0, 0);
1725 return log_error_errno(r
, "Failed to create /run/systemd/nspawn/incoming: %m");
1727 q
= prefix_roota(root
, "/run/systemd/nspawn/incoming");
1728 if (mount(p
, q
, NULL
, MS_BIND
, NULL
) < 0)
1729 return log_error_errno(errno
, "Failed to install propagation bind mount.");
1731 if (mount(NULL
, q
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
) < 0)
1732 return log_error_errno(errno
, "Failed to make propagation mount read-only");
1737 static int setup_image(char **device_path
, int *loop_nr
) {
1738 struct loop_info64 info
= {
1739 .lo_flags
= LO_FLAGS_AUTOCLEAR
|LO_FLAGS_PARTSCAN
1741 _cleanup_close_
int fd
= -1, control
= -1, loop
= -1;
1742 _cleanup_free_
char* loopdev
= NULL
;
1746 assert(device_path
);
1750 fd
= open(arg_image
, O_CLOEXEC
|(arg_read_only
? O_RDONLY
: O_RDWR
)|O_NONBLOCK
|O_NOCTTY
);
1752 return log_error_errno(errno
, "Failed to open %s: %m", arg_image
);
1754 if (fstat(fd
, &st
) < 0)
1755 return log_error_errno(errno
, "Failed to stat %s: %m", arg_image
);
1757 if (S_ISBLK(st
.st_mode
)) {
1760 p
= strdup(arg_image
);
1774 if (!S_ISREG(st
.st_mode
)) {
1775 log_error("%s is not a regular file or block device.", arg_image
);
1779 control
= open("/dev/loop-control", O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
);
1781 return log_error_errno(errno
, "Failed to open /dev/loop-control: %m");
1783 nr
= ioctl(control
, LOOP_CTL_GET_FREE
);
1785 return log_error_errno(errno
, "Failed to allocate loop device: %m");
1787 if (asprintf(&loopdev
, "/dev/loop%i", nr
) < 0)
1790 loop
= open(loopdev
, O_CLOEXEC
|(arg_read_only
? O_RDONLY
: O_RDWR
)|O_NONBLOCK
|O_NOCTTY
);
1792 return log_error_errno(errno
, "Failed to open loop device %s: %m", loopdev
);
1794 if (ioctl(loop
, LOOP_SET_FD
, fd
) < 0)
1795 return log_error_errno(errno
, "Failed to set loopback file descriptor on %s: %m", loopdev
);
1798 info
.lo_flags
|= LO_FLAGS_READ_ONLY
;
1800 if (ioctl(loop
, LOOP_SET_STATUS64
, &info
) < 0)
1801 return log_error_errno(errno
, "Failed to set loopback settings on %s: %m", loopdev
);
1803 *device_path
= loopdev
;
1814 #define PARTITION_TABLE_BLURB \
1815 "Note that the disk image needs to either contain only a single MBR partition of\n" \
1816 "type 0x83 that is marked bootable, or a single GPT partition of type " \
1817 "0FC63DAF-8483-4772-8E79-3D69D8477DE4 or follow\n" \
1818 " http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n" \
1819 "to be bootable with systemd-nspawn."
1821 static int dissect_image(
1823 char **root_device
, bool *root_device_rw
,
1824 char **home_device
, bool *home_device_rw
,
1825 char **srv_device
, bool *srv_device_rw
,
1829 int home_nr
= -1, srv_nr
= -1;
1830 #ifdef GPT_ROOT_NATIVE
1833 #ifdef GPT_ROOT_SECONDARY
1834 int secondary_root_nr
= -1;
1836 _cleanup_free_
char *home
= NULL
, *root
= NULL
, *secondary_root
= NULL
, *srv
= NULL
, *generic
= NULL
;
1837 _cleanup_udev_enumerate_unref_
struct udev_enumerate
*e
= NULL
;
1838 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
1839 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
1840 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
1841 struct udev_list_entry
*first
, *item
;
1842 bool home_rw
= true, root_rw
= true, secondary_root_rw
= true, srv_rw
= true, generic_rw
= true;
1843 bool is_gpt
, is_mbr
, multiple_generic
= false;
1844 const char *pttype
= NULL
;
1851 assert(root_device
);
1852 assert(home_device
);
1857 b
= blkid_new_probe();
1862 r
= blkid_probe_set_device(b
, fd
, 0, 0);
1867 return log_error_errno(errno
, "Failed to set device on blkid probe: %m");
1870 blkid_probe_enable_partitions(b
, 1);
1871 blkid_probe_set_partitions_flags(b
, BLKID_PARTS_ENTRY_DETAILS
);
1874 r
= blkid_do_safeprobe(b
);
1875 if (r
== -2 || r
== 1) {
1876 log_error("Failed to identify any partition table on\n"
1878 PARTITION_TABLE_BLURB
, arg_image
);
1880 } else if (r
!= 0) {
1883 return log_error_errno(errno
, "Failed to probe: %m");
1886 (void) blkid_probe_lookup_value(b
, "PTTYPE", &pttype
, NULL
);
1888 is_gpt
= streq_ptr(pttype
, "gpt");
1889 is_mbr
= streq_ptr(pttype
, "dos");
1891 if (!is_gpt
&& !is_mbr
) {
1892 log_error("No GPT or MBR partition table discovered on\n"
1894 PARTITION_TABLE_BLURB
, arg_image
);
1899 pl
= blkid_probe_get_partitions(b
);
1904 log_error("Failed to list partitions of %s", arg_image
);
1912 if (fstat(fd
, &st
) < 0)
1913 return log_error_errno(errno
, "Failed to stat block device: %m");
1915 d
= udev_device_new_from_devnum(udev
, 'b', st
.st_rdev
);
1923 log_error("Kernel partitions never appeared.");
1927 e
= udev_enumerate_new(udev
);
1931 r
= udev_enumerate_add_match_parent(e
, d
);
1935 r
= udev_enumerate_scan_devices(e
);
1937 return log_error_errno(r
, "Failed to scan for partition devices of %s: %m", arg_image
);
1939 /* Count the partitions enumerated by the kernel */
1941 first
= udev_enumerate_get_list_entry(e
);
1942 udev_list_entry_foreach(item
, first
)
1945 /* Count the partitions enumerated by blkid */
1946 m
= blkid_partlist_numof_partitions(pl
);
1950 log_error("blkid and kernel partition list do not match.");
1956 /* The kernel has probed fewer partitions than
1957 * blkid? Maybe the kernel prober is still
1958 * running or it got EBUSY because udev
1959 * already opened the device. Let's reprobe
1960 * the device, which is a synchronous call
1961 * that waits until probing is complete. */
1963 for (j
= 0; j
< 20; j
++) {
1965 r
= ioctl(fd
, BLKRRPART
, 0);
1968 if (r
>= 0 || r
!= -EBUSY
)
1971 /* If something else has the device
1972 * open, such as an udev rule, the
1973 * ioctl will return EBUSY. Since
1974 * there's no way to wait until it
1975 * isn't busy anymore, let's just wait
1976 * a bit, and try again.
1978 * This is really something they
1979 * should fix in the kernel! */
1981 usleep(50 * USEC_PER_MSEC
);
1985 return log_error_errno(r
, "Failed to reread partition table: %m");
1988 e
= udev_enumerate_unref(e
);
1991 first
= udev_enumerate_get_list_entry(e
);
1992 udev_list_entry_foreach(item
, first
) {
1993 _cleanup_udev_device_unref_
struct udev_device
*q
;
1995 unsigned long long flags
;
2001 q
= udev_device_new_from_syspath(udev
, udev_list_entry_get_name(item
));
2006 return log_error_errno(errno
, "Failed to get partition device of %s: %m", arg_image
);
2009 qn
= udev_device_get_devnum(q
);
2013 if (st
.st_rdev
== qn
)
2016 node
= udev_device_get_devnode(q
);
2020 pp
= blkid_partlist_devno_to_partition(pl
, qn
);
2024 flags
= blkid_partition_get_flags(pp
);
2026 nr
= blkid_partition_get_partno(pp
);
2034 if (flags
& GPT_FLAG_NO_AUTO
)
2037 stype
= blkid_partition_get_type_string(pp
);
2041 if (sd_id128_from_string(stype
, &type_id
) < 0)
2044 if (sd_id128_equal(type_id
, GPT_HOME
)) {
2046 if (home
&& nr
>= home_nr
)
2050 home_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
2052 r
= free_and_strdup(&home
, node
);
2056 } else if (sd_id128_equal(type_id
, GPT_SRV
)) {
2058 if (srv
&& nr
>= srv_nr
)
2062 srv_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
2064 r
= free_and_strdup(&srv
, node
);
2068 #ifdef GPT_ROOT_NATIVE
2069 else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE
)) {
2071 if (root
&& nr
>= root_nr
)
2075 root_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
2077 r
= free_and_strdup(&root
, node
);
2082 #ifdef GPT_ROOT_SECONDARY
2083 else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY
)) {
2085 if (secondary_root
&& nr
>= secondary_root_nr
)
2088 secondary_root_nr
= nr
;
2089 secondary_root_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
2091 r
= free_and_strdup(&secondary_root
, node
);
2096 else if (sd_id128_equal(type_id
, GPT_LINUX_GENERIC
)) {
2099 multiple_generic
= true;
2101 generic_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
2103 r
= free_and_strdup(&generic
, node
);
2109 } else if (is_mbr
) {
2112 if (flags
!= 0x80) /* Bootable flag */
2115 type
= blkid_partition_get_type(pp
);
2116 if (type
!= 0x83) /* Linux partition */
2120 multiple_generic
= true;
2124 r
= free_and_strdup(&root
, node
);
2132 *root_device
= root
;
2135 *root_device_rw
= root_rw
;
2137 } else if (secondary_root
) {
2138 *root_device
= secondary_root
;
2139 secondary_root
= NULL
;
2141 *root_device_rw
= secondary_root_rw
;
2143 } else if (generic
) {
2145 /* There were no partitions with precise meanings
2146 * around, but we found generic partitions. In this
2147 * case, if there's only one, we can go ahead and boot
2148 * it, otherwise we bail out, because we really cannot
2149 * make any sense of it. */
2151 if (multiple_generic
) {
2152 log_error("Identified multiple bootable Linux partitions on\n"
2154 PARTITION_TABLE_BLURB
, arg_image
);
2158 *root_device
= generic
;
2161 *root_device_rw
= generic_rw
;
2164 log_error("Failed to identify root partition in disk image\n"
2166 PARTITION_TABLE_BLURB
, arg_image
);
2171 *home_device
= home
;
2174 *home_device_rw
= home_rw
;
2181 *srv_device_rw
= srv_rw
;
2186 log_error("--image= is not supported, compiled without blkid support.");
2191 static int mount_device(const char *what
, const char *where
, const char *directory
, bool rw
) {
2193 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
2194 const char *fstype
, *p
;
2204 p
= strjoina(where
, directory
);
2209 b
= blkid_new_probe_from_filename(what
);
2213 return log_error_errno(errno
, "Failed to allocate prober for %s: %m", what
);
2216 blkid_probe_enable_superblocks(b
, 1);
2217 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
);
2220 r
= blkid_do_safeprobe(b
);
2221 if (r
== -1 || r
== 1) {
2222 log_error("Cannot determine file system type of %s", what
);
2224 } else if (r
!= 0) {
2227 return log_error_errno(errno
, "Failed to probe %s: %m", what
);
2231 if (blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
) < 0) {
2234 log_error("Failed to determine file system type of %s", what
);
2238 if (streq(fstype
, "crypto_LUKS")) {
2239 log_error("nspawn currently does not support LUKS disk images.");
2243 if (mount(what
, p
, fstype
, MS_NODEV
|(rw
? 0 : MS_RDONLY
), NULL
) < 0)
2244 return log_error_errno(errno
, "Failed to mount %s: %m", what
);
2248 log_error("--image= is not supported, compiled without blkid support.");
2253 static int setup_machine_id(const char *directory
) {
2255 const char *etc_machine_id
, *t
;
2256 _cleanup_free_
char *s
= NULL
;
2258 etc_machine_id
= prefix_roota(directory
, "/etc/machine-id");
2260 r
= read_one_line_file(etc_machine_id
, &s
);
2262 return log_error_errno(r
, "Failed to read machine ID from %s: %m", etc_machine_id
);
2267 r
= sd_id128_from_string(t
, &arg_uuid
);
2269 return log_error_errno(r
, "Failed to parse machine ID from %s: %m", etc_machine_id
);
2271 if (sd_id128_is_null(arg_uuid
)) {
2272 r
= sd_id128_randomize(&arg_uuid
);
2274 return log_error_errno(r
, "Failed to generate random machine ID: %m");
2278 r
= machine_id_setup(directory
, arg_uuid
);
2280 return log_error_errno(r
, "Failed to setup machine ID: %m");
2285 static int recursive_chown(const char *directory
, uid_t shift
, uid_t range
) {
2290 if (arg_userns_mode
== USER_NAMESPACE_NO
|| !arg_userns_chown
)
2293 r
= path_patch_uid(directory
, arg_uid_shift
, arg_uid_range
);
2294 if (r
== -EOPNOTSUPP
)
2295 return log_error_errno(r
, "Automatic UID/GID adjusting is only supported for UID/GID ranges starting at multiples of 2^16 with a range of 2^16.");
2297 return log_error_errno(r
, "Upper 16 bits of root directory UID and GID do not match.");
2299 return log_error_errno(r
, "Failed to adjust UID/GID shift of OS tree: %m");
2301 log_debug("Root directory of image is already owned by the right UID/GID range, skipping recursive chown operation.");
2303 log_debug("Patched directory tree to match UID/GID range.");
2308 static int mount_devices(
2310 const char *root_device
, bool root_device_rw
,
2311 const char *home_device
, bool home_device_rw
,
2312 const char *srv_device
, bool srv_device_rw
) {
2318 r
= mount_device(root_device
, arg_directory
, NULL
, root_device_rw
);
2320 return log_error_errno(r
, "Failed to mount root directory: %m");
2324 r
= mount_device(home_device
, arg_directory
, "/home", home_device_rw
);
2326 return log_error_errno(r
, "Failed to mount home directory: %m");
2330 r
= mount_device(srv_device
, arg_directory
, "/srv", srv_device_rw
);
2332 return log_error_errno(r
, "Failed to mount server data directory: %m");
2338 static void loop_remove(int nr
, int *image_fd
) {
2339 _cleanup_close_
int control
= -1;
2345 if (image_fd
&& *image_fd
>= 0) {
2346 r
= ioctl(*image_fd
, LOOP_CLR_FD
);
2348 log_debug_errno(errno
, "Failed to close loop image: %m");
2349 *image_fd
= safe_close(*image_fd
);
2352 control
= open("/dev/loop-control", O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
);
2354 log_warning_errno(errno
, "Failed to open /dev/loop-control: %m");
2358 r
= ioctl(control
, LOOP_CTL_REMOVE
, nr
);
2360 log_debug_errno(errno
, "Failed to remove loop %d: %m", nr
);
2365 * < 0 : wait_for_terminate() failed to get the state of the
2366 * container, the container was terminated by a signal, or
2367 * failed for an unknown reason. No change is made to the
2368 * container argument.
2369 * > 0 : The program executed in the container terminated with an
2370 * error. The exit code of the program executed in the
2371 * container is returned. The container argument has been set
2372 * to CONTAINER_TERMINATED.
2373 * 0 : The container is being rebooted, has been shut down or exited
2374 * successfully. The container argument has been set to either
2375 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2377 * That is, success is indicated by a return value of zero, and an
2378 * error is indicated by a non-zero value.
2380 static int wait_for_container(pid_t pid
, ContainerStatus
*container
) {
2384 r
= wait_for_terminate(pid
, &status
);
2386 return log_warning_errno(r
, "Failed to wait for container: %m");
2388 switch (status
.si_code
) {
2391 if (status
.si_status
== 0) {
2392 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s exited successfully.", arg_machine
);
2395 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s failed with error code %i.", arg_machine
, status
.si_status
);
2397 *container
= CONTAINER_TERMINATED
;
2398 return status
.si_status
;
2401 if (status
.si_status
== SIGINT
) {
2403 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s has been shut down.", arg_machine
);
2404 *container
= CONTAINER_TERMINATED
;
2407 } else if (status
.si_status
== SIGHUP
) {
2409 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s is being rebooted.", arg_machine
);
2410 *container
= CONTAINER_REBOOTED
;
2414 /* CLD_KILLED fallthrough */
2417 log_error("Container %s terminated by signal %s.", arg_machine
, signal_to_string(status
.si_status
));
2421 log_error("Container %s failed due to unknown reason.", arg_machine
);
2428 static int on_orderly_shutdown(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
2431 pid
= PTR_TO_PID(userdata
);
2433 if (kill(pid
, arg_kill_signal
) >= 0) {
2434 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
2435 sd_event_source_set_userdata(s
, NULL
);
2440 sd_event_exit(sd_event_source_get_event(s
), 0);
2444 static int determine_names(void) {
2447 if (arg_template
&& !arg_directory
&& arg_machine
) {
2449 /* If --template= was specified then we should not
2450 * search for a machine, but instead create a new one
2451 * in /var/lib/machine. */
2453 arg_directory
= strjoin("/var/lib/machines/", arg_machine
, NULL
);
2458 if (!arg_image
&& !arg_directory
) {
2460 _cleanup_(image_unrefp
) Image
*i
= NULL
;
2462 r
= image_find(arg_machine
, &i
);
2464 return log_error_errno(r
, "Failed to find image for machine '%s': %m", arg_machine
);
2466 log_error("No image for machine '%s': %m", arg_machine
);
2470 if (i
->type
== IMAGE_RAW
)
2471 r
= free_and_strdup(&arg_image
, i
->path
);
2473 r
= free_and_strdup(&arg_directory
, i
->path
);
2475 return log_error_errno(r
, "Invalid image directory: %m");
2478 arg_read_only
= arg_read_only
|| i
->read_only
;
2480 arg_directory
= get_current_dir_name();
2482 if (!arg_directory
&& !arg_machine
) {
2483 log_error("Failed to determine path, please use -D or -i.");
2489 if (arg_directory
&& path_equal(arg_directory
, "/"))
2490 arg_machine
= gethostname_malloc();
2492 arg_machine
= strdup(basename(arg_image
?: arg_directory
));
2497 hostname_cleanup(arg_machine
);
2498 if (!machine_name_is_valid(arg_machine
)) {
2499 log_error("Failed to determine machine name automatically, please use -M.");
2503 if (arg_ephemeral
) {
2506 /* Add a random suffix when this is an
2507 * ephemeral machine, so that we can run many
2508 * instances at once without manually having
2509 * to specify -M each time. */
2511 if (asprintf(&b
, "%s-%016" PRIx64
, arg_machine
, random_u64()) < 0)
2522 static int determine_uid_shift(const char *directory
) {
2525 if (arg_userns_mode
== USER_NAMESPACE_NO
) {
2530 if (arg_uid_shift
== UID_INVALID
) {
2533 r
= stat(directory
, &st
);
2535 return log_error_errno(errno
, "Failed to determine UID base of %s: %m", directory
);
2537 arg_uid_shift
= st
.st_uid
& UINT32_C(0xffff0000);
2539 if (arg_uid_shift
!= (st
.st_gid
& UINT32_C(0xffff0000))) {
2540 log_error("UID and GID base of %s don't match.", directory
);
2544 arg_uid_range
= UINT32_C(0x10000);
2547 if (arg_uid_shift
> (uid_t
) -1 - arg_uid_range
) {
2548 log_error("UID base too high for UID range.");
2555 static int inner_child(
2557 const char *directory
,
2563 _cleanup_free_
char *home
= NULL
;
2566 const char *envp
[] = {
2567 "PATH=" DEFAULT_PATH_SPLIT_USR
,
2568 NULL
, /* container */
2573 NULL
, /* container_uuid */
2574 NULL
, /* LISTEN_FDS */
2575 NULL
, /* LISTEN_PID */
2579 _cleanup_strv_free_
char **env_use
= NULL
;
2584 assert(kmsg_socket
>= 0);
2588 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
2589 /* Tell the parent, that it now can write the UID map. */
2590 (void) barrier_place(barrier
); /* #1 */
2592 /* Wait until the parent wrote the UID map */
2593 if (!barrier_place_and_sync(barrier
)) { /* #2 */
2594 log_error("Parent died too early");
2600 arg_userns_mode
!= USER_NAMESPACE_NO
,
2602 arg_private_network
,
2605 arg_selinux_apifs_context
);
2610 r
= mount_sysfs(NULL
);
2614 /* Wait until we are cgroup-ified, so that we
2615 * can mount the right cgroup path writable */
2616 if (!barrier_place_and_sync(barrier
)) { /* #3 */
2617 log_error("Parent died too early");
2621 r
= mount_systemd_cgroup_writable("", arg_unified_cgroup_hierarchy
);
2625 r
= reset_uid_gid();
2627 return log_error_errno(r
, "Couldn't become new root: %m");
2629 r
= setup_boot_id(NULL
);
2633 r
= setup_kmsg(NULL
, kmsg_socket
);
2636 kmsg_socket
= safe_close(kmsg_socket
);
2641 return log_error_errno(errno
, "setsid() failed: %m");
2643 if (arg_private_network
)
2646 if (arg_expose_ports
) {
2647 r
= expose_port_send_rtnl(rtnl_socket
);
2650 rtnl_socket
= safe_close(rtnl_socket
);
2653 r
= drop_capabilities();
2655 return log_error_errno(r
, "drop_capabilities() failed: %m");
2659 if (arg_personality
!= PERSONALITY_INVALID
) {
2660 if (personality(arg_personality
) < 0)
2661 return log_error_errno(errno
, "personality() failed: %m");
2662 } else if (secondary
) {
2663 if (personality(PER_LINUX32
) < 0)
2664 return log_error_errno(errno
, "personality() failed: %m");
2668 if (arg_selinux_context
)
2669 if (setexeccon((security_context_t
) arg_selinux_context
) < 0)
2670 return log_error_errno(errno
, "setexeccon(\"%s\") failed: %m", arg_selinux_context
);
2673 r
= change_uid_gid(arg_user
, &home
);
2677 /* LXC sets container=lxc, so follow the scheme here */
2678 envp
[n_env
++] = strjoina("container=", arg_container_service_name
);
2680 envp
[n_env
] = strv_find_prefix(environ
, "TERM=");
2684 if ((asprintf((char**)(envp
+ n_env
++), "HOME=%s", home
? home
: "/root") < 0) ||
2685 (asprintf((char**)(envp
+ n_env
++), "USER=%s", arg_user
? arg_user
: "root") < 0) ||
2686 (asprintf((char**)(envp
+ n_env
++), "LOGNAME=%s", arg_user
? arg_user
: "root") < 0))
2689 assert(!sd_id128_equal(arg_uuid
, SD_ID128_NULL
));
2691 if (asprintf((char**)(envp
+ n_env
++), "container_uuid=%s", id128_format_as_uuid(arg_uuid
, as_uuid
)) < 0)
2694 if (fdset_size(fds
) > 0) {
2695 r
= fdset_cloexec(fds
, false);
2697 return log_error_errno(r
, "Failed to unset O_CLOEXEC for file descriptors.");
2699 if ((asprintf((char **)(envp
+ n_env
++), "LISTEN_FDS=%u", fdset_size(fds
)) < 0) ||
2700 (asprintf((char **)(envp
+ n_env
++), "LISTEN_PID=1") < 0))
2704 env_use
= strv_env_merge(2, envp
, arg_setenv
);
2708 /* Let the parent know that we are ready and
2709 * wait until the parent is ready with the
2711 if (!barrier_place_and_sync(barrier
)) { /* #4 */
2712 log_error("Parent died too early");
2717 if (chdir(arg_chdir
) < 0)
2718 return log_error_errno(errno
, "Failed to change to specified working directory %s: %m", arg_chdir
);
2720 if (arg_start_mode
== START_PID2
) {
2726 /* Now, explicitly close the log, so that we
2727 * then can close all remaining fds. Closing
2728 * the log explicitly first has the benefit
2729 * that the logging subsystem knows about it,
2730 * and is thus ready to be reopened should we
2731 * need it again. Note that the other fds
2732 * closed here are at least the locking and
2735 (void) fdset_close_others(fds
);
2737 if (arg_start_mode
== START_BOOT
) {
2741 /* Automatically search for the init system */
2743 m
= strv_length(arg_parameters
);
2744 a
= newa(char*, m
+ 2);
2745 memcpy_safe(a
+ 1, arg_parameters
, m
* sizeof(char*));
2748 a
[0] = (char*) "/usr/lib/systemd/systemd";
2749 execve(a
[0], a
, env_use
);
2751 a
[0] = (char*) "/lib/systemd/systemd";
2752 execve(a
[0], a
, env_use
);
2754 a
[0] = (char*) "/sbin/init";
2755 execve(a
[0], a
, env_use
);
2756 } else if (!strv_isempty(arg_parameters
))
2757 execvpe(arg_parameters
[0], arg_parameters
, env_use
);
2760 /* If we cannot change the directory, we'll end up in /, that is expected. */
2761 (void) chdir(home
?: "/root");
2763 execle("/bin/bash", "-bash", NULL
, env_use
);
2764 execle("/bin/sh", "-sh", NULL
, env_use
);
2769 return log_error_errno(r
, "execv() failed: %m");
2772 static int outer_child(
2774 const char *directory
,
2775 const char *console
,
2776 const char *root_device
, bool root_device_rw
,
2777 const char *home_device
, bool home_device_rw
,
2778 const char *srv_device
, bool srv_device_rw
,
2785 int uid_shift_socket
,
2795 assert(pid_socket
>= 0);
2796 assert(uuid_socket
>= 0);
2797 assert(kmsg_socket
>= 0);
2801 if (prctl(PR_SET_PDEATHSIG
, SIGKILL
) < 0)
2802 return log_error_errno(errno
, "PR_SET_PDEATHSIG failed: %m");
2805 close_nointr(STDIN_FILENO
);
2806 close_nointr(STDOUT_FILENO
);
2807 close_nointr(STDERR_FILENO
);
2809 r
= open_terminal(console
, O_RDWR
);
2810 if (r
!= STDIN_FILENO
) {
2816 return log_error_errno(r
, "Failed to open console: %m");
2819 if (dup2(STDIN_FILENO
, STDOUT_FILENO
) != STDOUT_FILENO
||
2820 dup2(STDIN_FILENO
, STDERR_FILENO
) != STDERR_FILENO
)
2821 return log_error_errno(errno
, "Failed to duplicate console: %m");
2824 r
= reset_audit_loginuid();
2828 /* Mark everything as slave, so that we still
2829 * receive mounts from the real root, but don't
2830 * propagate mounts to the real root. */
2831 if (mount(NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
) < 0)
2832 return log_error_errno(errno
, "MS_SLAVE|MS_REC failed: %m");
2834 r
= mount_devices(directory
,
2835 root_device
, root_device_rw
,
2836 home_device
, home_device_rw
,
2837 srv_device
, srv_device_rw
);
2841 r
= determine_uid_shift(directory
);
2845 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
2846 /* Let the parent know which UID shift we read from the image */
2847 l
= send(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), MSG_NOSIGNAL
);
2849 return log_error_errno(errno
, "Failed to send UID shift: %m");
2850 if (l
!= sizeof(arg_uid_shift
)) {
2851 log_error("Short write while sending UID shift.");
2855 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
2856 /* When we are supposed to pick the UID shift, the parent will check now whether the UID shift
2857 * we just read from the image is available. If yes, it will send the UID shift back to us, if
2858 * not it will pick a different one, and send it back to us. */
2860 l
= recv(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), 0);
2862 return log_error_errno(errno
, "Failed to recv UID shift: %m");
2863 if (l
!= sizeof(arg_uid_shift
)) {
2864 log_error("Short read while recieving UID shift.");
2869 log_info("Selected user namespace base " UID_FMT
" and range " UID_FMT
".", arg_uid_shift
, arg_uid_range
);
2872 /* Turn directory into bind mount */
2873 if (mount(directory
, directory
, NULL
, MS_BIND
|MS_REC
, NULL
) < 0)
2874 return log_error_errno(errno
, "Failed to make bind mount: %m");
2876 r
= recursive_chown(directory
, arg_uid_shift
, arg_uid_range
);
2883 arg_userns_mode
!= USER_NAMESPACE_NO
,
2886 arg_selinux_context
);
2890 r
= setup_volatile_state(
2893 arg_userns_mode
!= USER_NAMESPACE_NO
,
2896 arg_selinux_context
);
2900 r
= base_filesystem_create(directory
, arg_uid_shift
, (gid_t
) arg_uid_shift
);
2904 if (arg_read_only
) {
2905 r
= bind_remount_recursive(directory
, true);
2907 return log_error_errno(r
, "Failed to make tree read-only: %m");
2910 r
= mount_all(directory
,
2911 arg_userns_mode
!= USER_NAMESPACE_NO
,
2913 arg_private_network
,
2916 arg_selinux_apifs_context
);
2920 r
= copy_devnodes(directory
);
2924 dev_setup(directory
, arg_uid_shift
, arg_uid_shift
);
2926 r
= setup_pts(directory
);
2930 r
= setup_propagate(directory
);
2934 r
= setup_dev_console(directory
, console
);
2938 r
= setup_seccomp();
2942 r
= setup_timezone(directory
);
2946 r
= setup_resolv_conf(directory
);
2950 r
= setup_machine_id(directory
);
2954 r
= setup_journal(directory
);
2961 arg_n_custom_mounts
,
2962 arg_userns_mode
!= USER_NAMESPACE_NO
,
2965 arg_selinux_apifs_context
);
2971 arg_unified_cgroup_hierarchy
,
2972 arg_userns_mode
!= USER_NAMESPACE_NO
,
2975 arg_selinux_apifs_context
);
2979 r
= mount_move_root(directory
);
2981 return log_error_errno(r
, "Failed to move root directory: %m");
2983 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
|
2984 (arg_share_system
? 0 : CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
) |
2985 (arg_private_network
? CLONE_NEWNET
: 0) |
2986 (arg_userns_mode
!= USER_NAMESPACE_NO
? CLONE_NEWUSER
: 0),
2989 return log_error_errno(errno
, "Failed to fork inner child: %m");
2991 pid_socket
= safe_close(pid_socket
);
2992 uuid_socket
= safe_close(uuid_socket
);
2993 uid_shift_socket
= safe_close(uid_shift_socket
);
2995 /* The inner child has all namespaces that are
2996 * requested, so that we all are owned by the user if
2997 * user namespaces are turned on. */
2999 r
= inner_child(barrier
, directory
, secondary
, kmsg_socket
, rtnl_socket
, fds
);
3001 _exit(EXIT_FAILURE
);
3003 _exit(EXIT_SUCCESS
);
3006 l
= send(pid_socket
, &pid
, sizeof(pid
), MSG_NOSIGNAL
);
3008 return log_error_errno(errno
, "Failed to send PID: %m");
3009 if (l
!= sizeof(pid
)) {
3010 log_error("Short write while sending PID.");
3014 l
= send(uuid_socket
, &arg_uuid
, sizeof(arg_uuid
), MSG_NOSIGNAL
);
3016 return log_error_errno(errno
, "Failed to send machine ID: %m");
3017 if (l
!= sizeof(arg_uuid
)) {
3018 log_error("Short write while sending machine ID.");
3022 pid_socket
= safe_close(pid_socket
);
3023 uuid_socket
= safe_close(uuid_socket
);
3024 kmsg_socket
= safe_close(kmsg_socket
);
3025 rtnl_socket
= safe_close(rtnl_socket
);
3030 static int uid_shift_pick(uid_t
*shift
, LockFile
*ret_lock_file
) {
3031 unsigned n_tries
= 100;
3036 assert(ret_lock_file
);
3037 assert(arg_userns_mode
== USER_NAMESPACE_PICK
);
3038 assert(arg_uid_range
== 0x10000U
);
3042 (void) mkdir("/run/systemd/nspawn-uid", 0755);
3045 char lock_path
[strlen("/run/systemd/nspawn-uid/") + DECIMAL_STR_MAX(uid_t
) + 1];
3046 _cleanup_release_lock_file_ LockFile lf
= LOCK_FILE_INIT
;
3051 if (candidate
< UID_SHIFT_PICK_MIN
|| candidate
> UID_SHIFT_PICK_MAX
)
3053 if ((candidate
& UINT32_C(0xFFFF)) != 0)
3056 xsprintf(lock_path
, "/run/systemd/nspawn-uid/" UID_FMT
, candidate
);
3057 r
= make_lock_file(lock_path
, LOCK_EX
|LOCK_NB
, &lf
);
3058 if (r
== -EBUSY
) /* Range already taken by another nspawn instance */
3063 /* Make some superficial checks whether the range is currently known in the user database */
3064 if (getpwuid(candidate
))
3066 if (getpwuid(candidate
+ UINT32_C(0xFFFE)))
3068 if (getgrgid(candidate
))
3070 if (getgrgid(candidate
+ UINT32_C(0xFFFE)))
3073 *ret_lock_file
= lf
;
3074 lf
= (struct LockFile
) LOCK_FILE_INIT
;
3079 random_bytes(&candidate
, sizeof(candidate
));
3080 candidate
= (candidate
% (UID_SHIFT_PICK_MAX
- UID_SHIFT_PICK_MIN
)) + UID_SHIFT_PICK_MIN
;
3081 candidate
&= (uid_t
) UINT32_C(0xFFFF0000);
3085 static int setup_uid_map(pid_t pid
) {
3086 char uid_map
[strlen("/proc//uid_map") + DECIMAL_STR_MAX(uid_t
) + 1], line
[DECIMAL_STR_MAX(uid_t
)*3+3+1];
3091 xsprintf(uid_map
, "/proc/" PID_FMT
"/uid_map", pid
);
3092 xsprintf(line
, UID_FMT
" " UID_FMT
" " UID_FMT
"\n", 0, arg_uid_shift
, arg_uid_range
);
3093 r
= write_string_file(uid_map
, line
, 0);
3095 return log_error_errno(r
, "Failed to write UID map: %m");
3097 /* We always assign the same UID and GID ranges */
3098 xsprintf(uid_map
, "/proc/" PID_FMT
"/gid_map", pid
);
3099 r
= write_string_file(uid_map
, line
, 0);
3101 return log_error_errno(r
, "Failed to write GID map: %m");
3106 static int load_settings(void) {
3107 _cleanup_(settings_freep
) Settings
*settings
= NULL
;
3108 _cleanup_fclose_
FILE *f
= NULL
;
3109 _cleanup_free_
char *p
= NULL
;
3113 /* If all settings are masked, there's no point in looking for
3114 * the settings file */
3115 if ((arg_settings_mask
& _SETTINGS_MASK_ALL
) == _SETTINGS_MASK_ALL
)
3118 fn
= strjoina(arg_machine
, ".nspawn");
3120 /* We first look in the admin's directories in /etc and /run */
3121 FOREACH_STRING(i
, "/etc/systemd/nspawn", "/run/systemd/nspawn") {
3122 _cleanup_free_
char *j
= NULL
;
3124 j
= strjoin(i
, "/", fn
, NULL
);
3133 /* By default, we trust configuration from /etc and /run */
3134 if (arg_settings_trusted
< 0)
3135 arg_settings_trusted
= true;
3140 if (errno
!= ENOENT
)
3141 return log_error_errno(errno
, "Failed to open %s: %m", j
);
3145 /* After that, let's look for a file next to the
3146 * actual image we shall boot. */
3149 p
= file_in_same_dir(arg_image
, fn
);
3152 } else if (arg_directory
) {
3153 p
= file_in_same_dir(arg_directory
, fn
);
3160 if (!f
&& errno
!= ENOENT
)
3161 return log_error_errno(errno
, "Failed to open %s: %m", p
);
3163 /* By default, we do not trust configuration from /var/lib/machines */
3164 if (arg_settings_trusted
< 0)
3165 arg_settings_trusted
= false;
3172 log_debug("Settings are trusted: %s", yes_no(arg_settings_trusted
));
3174 r
= settings_load(f
, p
, &settings
);
3178 /* Copy over bits from the settings, unless they have been
3179 * explicitly masked by command line switches. */
3181 if ((arg_settings_mask
& SETTING_START_MODE
) == 0 &&
3182 settings
->start_mode
>= 0) {
3183 arg_start_mode
= settings
->start_mode
;
3185 strv_free(arg_parameters
);
3186 arg_parameters
= settings
->parameters
;
3187 settings
->parameters
= NULL
;
3190 if ((arg_settings_mask
& SETTING_WORKING_DIRECTORY
) == 0 &&
3191 settings
->working_directory
) {
3193 arg_chdir
= settings
->working_directory
;
3194 settings
->working_directory
= NULL
;
3197 if ((arg_settings_mask
& SETTING_ENVIRONMENT
) == 0 &&
3198 settings
->environment
) {
3199 strv_free(arg_setenv
);
3200 arg_setenv
= settings
->environment
;
3201 settings
->environment
= NULL
;
3204 if ((arg_settings_mask
& SETTING_USER
) == 0 &&
3207 arg_user
= settings
->user
;
3208 settings
->user
= NULL
;
3211 if ((arg_settings_mask
& SETTING_CAPABILITY
) == 0) {
3214 plus
= settings
->capability
;
3215 if (settings_private_network(settings
))
3216 plus
|= (1ULL << CAP_NET_ADMIN
);
3218 if (!arg_settings_trusted
&& plus
!= 0) {
3219 if (settings
->capability
!= 0)
3220 log_warning("Ignoring Capability= setting, file %s is not trusted.", p
);
3224 arg_retain
&= ~settings
->drop_capability
;
3227 if ((arg_settings_mask
& SETTING_KILL_SIGNAL
) == 0 &&
3228 settings
->kill_signal
> 0)
3229 arg_kill_signal
= settings
->kill_signal
;
3231 if ((arg_settings_mask
& SETTING_PERSONALITY
) == 0 &&
3232 settings
->personality
!= PERSONALITY_INVALID
)
3233 arg_personality
= settings
->personality
;
3235 if ((arg_settings_mask
& SETTING_MACHINE_ID
) == 0 &&
3236 !sd_id128_is_null(settings
->machine_id
)) {
3238 if (!arg_settings_trusted
)
3239 log_warning("Ignoring MachineID= setting, file %s is not trusted.", p
);
3241 arg_uuid
= settings
->machine_id
;
3244 if ((arg_settings_mask
& SETTING_READ_ONLY
) == 0 &&
3245 settings
->read_only
>= 0)
3246 arg_read_only
= settings
->read_only
;
3248 if ((arg_settings_mask
& SETTING_VOLATILE_MODE
) == 0 &&
3249 settings
->volatile_mode
!= _VOLATILE_MODE_INVALID
)
3250 arg_volatile_mode
= settings
->volatile_mode
;
3252 if ((arg_settings_mask
& SETTING_CUSTOM_MOUNTS
) == 0 &&
3253 settings
->n_custom_mounts
> 0) {
3255 if (!arg_settings_trusted
)
3256 log_warning("Ignoring TemporaryFileSystem=, Bind= and BindReadOnly= settings, file %s is not trusted.", p
);
3258 custom_mount_free_all(arg_custom_mounts
, arg_n_custom_mounts
);
3259 arg_custom_mounts
= settings
->custom_mounts
;
3260 arg_n_custom_mounts
= settings
->n_custom_mounts
;
3262 settings
->custom_mounts
= NULL
;
3263 settings
->n_custom_mounts
= 0;
3267 if ((arg_settings_mask
& SETTING_NETWORK
) == 0 &&
3268 (settings
->private_network
>= 0 ||
3269 settings
->network_veth
>= 0 ||
3270 settings
->network_bridge
||
3271 settings
->network_interfaces
||
3272 settings
->network_macvlan
||
3273 settings
->network_ipvlan
||
3274 settings
->network_veth_extra
)) {
3276 if (!arg_settings_trusted
)
3277 log_warning("Ignoring network settings, file %s is not trusted.", p
);
3279 arg_network_veth
= settings_network_veth(settings
);
3280 arg_private_network
= settings_private_network(settings
);
3282 strv_free(arg_network_interfaces
);
3283 arg_network_interfaces
= settings
->network_interfaces
;
3284 settings
->network_interfaces
= NULL
;
3286 strv_free(arg_network_macvlan
);
3287 arg_network_macvlan
= settings
->network_macvlan
;
3288 settings
->network_macvlan
= NULL
;
3290 strv_free(arg_network_ipvlan
);
3291 arg_network_ipvlan
= settings
->network_ipvlan
;
3292 settings
->network_ipvlan
= NULL
;
3294 strv_free(arg_network_veth_extra
);
3295 arg_network_veth_extra
= settings
->network_veth_extra
;
3296 settings
->network_veth_extra
= NULL
;
3298 free(arg_network_bridge
);
3299 arg_network_bridge
= settings
->network_bridge
;
3300 settings
->network_bridge
= NULL
;
3304 if ((arg_settings_mask
& SETTING_EXPOSE_PORTS
) == 0 &&
3305 settings
->expose_ports
) {
3307 if (!arg_settings_trusted
)
3308 log_warning("Ignoring Port= setting, file %s is not trusted.", p
);
3310 expose_port_free_all(arg_expose_ports
);
3311 arg_expose_ports
= settings
->expose_ports
;
3312 settings
->expose_ports
= NULL
;
3316 if ((arg_settings_mask
& SETTING_USERNS
) == 0 &&
3317 settings
->userns_mode
!= _USER_NAMESPACE_MODE_INVALID
) {
3319 if (!arg_settings_trusted
)
3320 log_warning("Ignoring PrivateUsers= and PrivateUsersChown= settings, file %s is not trusted.", p
);
3322 arg_userns_mode
= settings
->userns_mode
;
3323 arg_uid_shift
= settings
->uid_shift
;
3324 arg_uid_range
= settings
->uid_range
;
3325 arg_userns_chown
= settings
->userns_chown
;
3332 int main(int argc
, char *argv
[]) {
3334 _cleanup_free_
char *device_path
= NULL
, *root_device
= NULL
, *home_device
= NULL
, *srv_device
= NULL
, *console
= NULL
;
3335 bool root_device_rw
= true, home_device_rw
= true, srv_device_rw
= true;
3336 _cleanup_close_
int master
= -1, image_fd
= -1;
3337 _cleanup_fdset_free_ FDSet
*fds
= NULL
;
3338 int r
, n_fd_passed
, loop_nr
= -1;
3339 char veth_name
[IFNAMSIZ
];
3340 bool secondary
= false, remove_subvol
= false;
3343 int ret
= EXIT_SUCCESS
;
3344 union in_addr_union exposed
= {};
3345 _cleanup_release_lock_file_ LockFile tree_global_lock
= LOCK_FILE_INIT
, tree_local_lock
= LOCK_FILE_INIT
;
3348 log_parse_environment();
3351 /* Make sure rename_process() in the stub init process can work */
3355 r
= parse_argv(argc
, argv
);
3359 if (geteuid() != 0) {
3360 log_error("Need to be root.");
3364 r
= determine_names();
3368 r
= load_settings();
3372 r
= verify_arguments();
3376 n_fd_passed
= sd_listen_fds(false);
3377 if (n_fd_passed
> 0) {
3378 r
= fdset_new_listen_fds(&fds
, false);
3380 log_error_errno(r
, "Failed to collect file descriptors: %m");
3385 if (arg_directory
) {
3388 if (path_equal(arg_directory
, "/") && !arg_ephemeral
) {
3389 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
3394 if (arg_ephemeral
) {
3395 _cleanup_free_
char *np
= NULL
;
3397 /* If the specified path is a mount point we
3398 * generate the new snapshot immediately
3399 * inside it under a random name. However if
3400 * the specified is not a mount point we
3401 * create the new snapshot in the parent
3402 * directory, just next to it. */
3403 r
= path_is_mount_point(arg_directory
, 0);
3405 log_error_errno(r
, "Failed to determine whether directory %s is mount point: %m", arg_directory
);
3409 r
= tempfn_random_child(arg_directory
, "machine.", &np
);
3411 r
= tempfn_random(arg_directory
, "machine.", &np
);
3413 log_error_errno(r
, "Failed to generate name for snapshot: %m");
3417 r
= image_path_lock(np
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3419 log_error_errno(r
, "Failed to lock %s: %m", np
);
3423 r
= btrfs_subvol_snapshot(arg_directory
, np
, (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) | BTRFS_SNAPSHOT_FALLBACK_COPY
| BTRFS_SNAPSHOT_RECURSIVE
| BTRFS_SNAPSHOT_QUOTA
);
3425 log_error_errno(r
, "Failed to create snapshot %s from %s: %m", np
, arg_directory
);
3429 free(arg_directory
);
3433 remove_subvol
= true;
3436 r
= image_path_lock(arg_directory
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3438 log_error_errno(r
, "Directory tree %s is currently busy.", arg_directory
);
3442 log_error_errno(r
, "Failed to lock %s: %m", arg_directory
);
3447 r
= btrfs_subvol_snapshot(arg_template
, arg_directory
, (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) | BTRFS_SNAPSHOT_FALLBACK_COPY
| BTRFS_SNAPSHOT_RECURSIVE
| BTRFS_SNAPSHOT_QUOTA
);
3450 log_info("Directory %s already exists, not populating from template %s.", arg_directory
, arg_template
);
3452 log_error_errno(r
, "Couldn't create snapshot %s from %s: %m", arg_directory
, arg_template
);
3456 log_info("Populated %s from template %s.", arg_directory
, arg_template
);
3461 if (arg_start_mode
== START_BOOT
) {
3462 if (path_is_os_tree(arg_directory
) <= 0) {
3463 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory
);
3470 p
= strjoina(arg_directory
, "/usr/");
3471 if (laccess(p
, F_OK
) < 0) {
3472 log_error("Directory %s doesn't look like it has an OS tree. Refusing.", arg_directory
);
3479 char template[] = "/tmp/nspawn-root-XXXXXX";
3482 assert(!arg_template
);
3484 r
= image_path_lock(arg_image
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3486 r
= log_error_errno(r
, "Disk image %s is currently busy.", arg_image
);
3490 r
= log_error_errno(r
, "Failed to create image lock: %m");
3494 if (!mkdtemp(template)) {
3495 log_error_errno(errno
, "Failed to create temporary directory: %m");
3500 arg_directory
= strdup(template);
3501 if (!arg_directory
) {
3506 image_fd
= setup_image(&device_path
, &loop_nr
);
3512 r
= dissect_image(image_fd
,
3513 &root_device
, &root_device_rw
,
3514 &home_device
, &home_device_rw
,
3515 &srv_device
, &srv_device_rw
,
3521 r
= custom_mounts_prepare();
3526 isatty(STDIN_FILENO
) > 0 &&
3527 isatty(STDOUT_FILENO
) > 0;
3529 master
= posix_openpt(O_RDWR
|O_NOCTTY
|O_CLOEXEC
|O_NDELAY
);
3531 r
= log_error_errno(errno
, "Failed to acquire pseudo tty: %m");
3535 r
= ptsname_malloc(master
, &console
);
3537 r
= log_error_errno(r
, "Failed to determine tty name: %m");
3541 if (arg_selinux_apifs_context
) {
3542 r
= mac_selinux_apply(console
, arg_selinux_apifs_context
);
3547 if (unlockpt(master
) < 0) {
3548 r
= log_error_errno(errno
, "Failed to unlock tty: %m");
3553 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3554 arg_machine
, arg_image
?: arg_directory
);
3556 assert_se(sigprocmask_many(SIG_BLOCK
, NULL
, SIGCHLD
, SIGWINCH
, SIGTERM
, SIGINT
, -1) >= 0);
3558 assert_se(sigemptyset(&mask_chld
) == 0);
3559 assert_se(sigaddset(&mask_chld
, SIGCHLD
) == 0);
3561 if (prctl(PR_SET_CHILD_SUBREAPER
, 1) < 0) {
3562 r
= log_error_errno(errno
, "Failed to become subreaper: %m");
3567 static const struct sigaction sa
= {
3568 .sa_handler
= nop_signal_handler
,
3569 .sa_flags
= SA_NOCLDSTOP
,
3572 _cleanup_release_lock_file_ LockFile uid_shift_lock
= LOCK_FILE_INIT
;
3573 _cleanup_close_
int etc_passwd_lock
= -1;
3574 _cleanup_close_pair_
int
3575 kmsg_socket_pair
[2] = { -1, -1 },
3576 rtnl_socket_pair
[2] = { -1, -1 },
3577 pid_socket_pair
[2] = { -1, -1 },
3578 uuid_socket_pair
[2] = { -1, -1 },
3579 uid_shift_socket_pair
[2] = { -1, -1 };
3580 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
3581 _cleanup_(sd_event_unrefp
) sd_event
*event
= NULL
;
3582 _cleanup_(pty_forward_freep
) PTYForward
*forward
= NULL
;
3583 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
3584 ContainerStatus container_status
;
3589 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
3590 /* When we shall pick the UID/GID range, let's first lock /etc/passwd, so that we can safely
3591 * check with getpwuid() if the specific user already exists. Note that /etc might be
3592 * read-only, in which case this will fail with EROFS. But that's really OK, as in that case we
3593 * can be reasonably sure that no users are going to be added. Note that getpwuid() checks are
3594 * really just an extra safety net. We kinda assume that the UID range we allocate from is
3597 etc_passwd_lock
= take_etc_passwd_lock(NULL
);
3598 if (etc_passwd_lock
< 0 && etc_passwd_lock
!= -EROFS
) {
3599 log_error_errno(r
, "Failed to take /etc/passwd lock: %m");
3604 r
= barrier_create(&barrier
);
3606 log_error_errno(r
, "Cannot initialize IPC barrier: %m");
3610 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, kmsg_socket_pair
) < 0) {
3611 r
= log_error_errno(errno
, "Failed to create kmsg socket pair: %m");
3615 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, rtnl_socket_pair
) < 0) {
3616 r
= log_error_errno(errno
, "Failed to create rtnl socket pair: %m");
3620 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, pid_socket_pair
) < 0) {
3621 r
= log_error_errno(errno
, "Failed to create pid socket pair: %m");
3625 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, uuid_socket_pair
) < 0) {
3626 r
= log_error_errno(errno
, "Failed to create id socket pair: %m");
3630 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
3631 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, uid_shift_socket_pair
) < 0) {
3632 r
= log_error_errno(errno
, "Failed to create uid shift socket pair: %m");
3636 /* Child can be killed before execv(), so handle SIGCHLD
3637 * in order to interrupt parent's blocking calls and
3638 * give it a chance to call wait() and terminate. */
3639 r
= sigprocmask(SIG_UNBLOCK
, &mask_chld
, NULL
);
3641 r
= log_error_errno(errno
, "Failed to change the signal mask: %m");
3645 r
= sigaction(SIGCHLD
, &sa
, NULL
);
3647 r
= log_error_errno(errno
, "Failed to install SIGCHLD handler: %m");
3651 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
, NULL
);
3653 if (errno
== EINVAL
)
3654 r
= log_error_errno(errno
, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3656 r
= log_error_errno(errno
, "clone() failed: %m");
3662 /* The outer child only has a file system namespace. */
3663 barrier_set_role(&barrier
, BARRIER_CHILD
);
3665 master
= safe_close(master
);
3667 kmsg_socket_pair
[0] = safe_close(kmsg_socket_pair
[0]);
3668 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
3669 pid_socket_pair
[0] = safe_close(pid_socket_pair
[0]);
3670 uuid_socket_pair
[0] = safe_close(uuid_socket_pair
[0]);
3671 uid_shift_socket_pair
[0] = safe_close(uid_shift_socket_pair
[0]);
3673 (void) reset_all_signal_handlers();
3674 (void) reset_signal_mask();
3676 r
= outer_child(&barrier
,
3679 root_device
, root_device_rw
,
3680 home_device
, home_device_rw
,
3681 srv_device
, srv_device_rw
,
3685 uuid_socket_pair
[1],
3686 kmsg_socket_pair
[1],
3687 rtnl_socket_pair
[1],
3688 uid_shift_socket_pair
[1],
3691 _exit(EXIT_FAILURE
);
3693 _exit(EXIT_SUCCESS
);
3696 barrier_set_role(&barrier
, BARRIER_PARENT
);
3698 fds
= fdset_free(fds
);
3700 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
3701 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
3702 pid_socket_pair
[1] = safe_close(pid_socket_pair
[1]);
3703 uuid_socket_pair
[1] = safe_close(uuid_socket_pair
[1]);
3704 uid_shift_socket_pair
[1] = safe_close(uid_shift_socket_pair
[1]);
3706 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
3707 /* The child just let us know the UID shift it might have read from the image. */
3708 l
= recv(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof(arg_uid_shift
), 0);
3710 r
= log_error_errno(errno
, "Failed to read UID shift: %m");
3713 if (l
!= sizeof(arg_uid_shift
)) {
3714 log_error("Short read while reading UID shift.");
3719 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
3720 /* If we are supposed to pick the UID shift, let's try to use the shift read from the
3721 * image, but if that's already in use, pick a new one, and report back to the child,
3722 * which one we now picked. */
3724 r
= uid_shift_pick(&arg_uid_shift
, &uid_shift_lock
);
3726 log_error_errno(r
, "Failed to pick suitable UID/GID range: %m");
3730 l
= send(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof(arg_uid_shift
), MSG_NOSIGNAL
);
3732 r
= log_error_errno(errno
, "Failed to send UID shift: %m");
3735 if (l
!= sizeof(arg_uid_shift
)) {
3736 log_error("Short write while writing UID shift.");
3743 /* Wait for the outer child. */
3744 r
= wait_for_terminate_and_warn("namespace helper", pid
, NULL
);
3753 /* And now retrieve the PID of the inner child. */
3754 l
= recv(pid_socket_pair
[0], &pid
, sizeof(pid
), 0);
3756 r
= log_error_errno(errno
, "Failed to read inner child PID: %m");
3759 if (l
!= sizeof(pid
)) {
3760 log_error("Short read while reading inner child PID.");
3765 /* We also retrieve container UUID in case it was generated by outer child */
3766 l
= recv(uuid_socket_pair
[0], &arg_uuid
, sizeof(arg_uuid
), 0);
3768 r
= log_error_errno(errno
, "Failed to read container machine ID: %m");
3771 if (l
!= sizeof(arg_uuid
)) {
3772 log_error("Short read while reading container machined ID.");
3777 log_debug("Init process invoked as PID " PID_FMT
, pid
);
3779 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
3780 if (!barrier_place_and_sync(&barrier
)) { /* #1 */
3781 log_error("Child died too early.");
3786 r
= setup_uid_map(pid
);
3790 (void) barrier_place(&barrier
); /* #2 */
3793 if (arg_private_network
) {
3795 r
= move_network_interfaces(pid
, arg_network_interfaces
);
3799 if (arg_network_veth
) {
3800 r
= setup_veth(arg_machine
, pid
, veth_name
, !!arg_network_bridge
);
3806 if (arg_network_bridge
) {
3807 r
= setup_bridge(veth_name
, arg_network_bridge
);
3815 r
= setup_veth_extra(arg_machine
, pid
, arg_network_veth_extra
);
3819 r
= setup_macvlan(arg_machine
, pid
, arg_network_macvlan
);
3823 r
= setup_ipvlan(arg_machine
, pid
, arg_network_ipvlan
);
3829 r
= register_machine(
3836 arg_custom_mounts
, arg_n_custom_mounts
,
3840 arg_container_service_name
);
3845 r
= sync_cgroup(pid
, arg_unified_cgroup_hierarchy
);
3849 if (arg_keep_unit
) {
3850 r
= create_subcgroup(pid
, arg_unified_cgroup_hierarchy
);
3855 r
= chown_cgroup(pid
, arg_uid_shift
);
3859 /* Notify the child that the parent is ready with all
3860 * its setup (including cgroup-ification), and that
3861 * the child can now hand over control to the code to
3862 * run inside the container. */
3863 (void) barrier_place(&barrier
); /* #3 */
3865 /* Block SIGCHLD here, before notifying child.
3866 * process_pty() will handle it with the other signals. */
3867 assert_se(sigprocmask(SIG_BLOCK
, &mask_chld
, NULL
) >= 0);
3869 /* Reset signal to default */
3870 r
= default_signals(SIGCHLD
, -1);
3872 log_error_errno(r
, "Failed to reset SIGCHLD: %m");
3876 /* Let the child know that we are ready and wait that the child is completely ready now. */
3877 if (!barrier_place_and_sync(&barrier
)) { /* #4 */
3878 log_error("Child died too early.");
3883 /* At this point we have made use of the UID we picked, and thus nss-mymachines will make them appear
3884 * in getpwuid(), thus we can release the /etc/passwd lock. */
3885 etc_passwd_lock
= safe_close(etc_passwd_lock
);
3889 "STATUS=Container running.\n"
3890 "X_NSPAWN_LEADER_PID=" PID_FMT
, pid
);
3892 r
= sd_event_new(&event
);
3894 log_error_errno(r
, "Failed to get default event source: %m");
3898 if (arg_kill_signal
> 0) {
3899 /* Try to kill the init system on SIGINT or SIGTERM */
3900 sd_event_add_signal(event
, NULL
, SIGINT
, on_orderly_shutdown
, PID_TO_PTR(pid
));
3901 sd_event_add_signal(event
, NULL
, SIGTERM
, on_orderly_shutdown
, PID_TO_PTR(pid
));
3903 /* Immediately exit */
3904 sd_event_add_signal(event
, NULL
, SIGINT
, NULL
, NULL
);
3905 sd_event_add_signal(event
, NULL
, SIGTERM
, NULL
, NULL
);
3908 /* simply exit on sigchld */
3909 sd_event_add_signal(event
, NULL
, SIGCHLD
, NULL
, NULL
);
3911 if (arg_expose_ports
) {
3912 r
= expose_port_watch_rtnl(event
, rtnl_socket_pair
[0], on_address_change
, &exposed
, &rtnl
);
3916 (void) expose_port_execute(rtnl
, arg_expose_ports
, &exposed
);
3919 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
3921 r
= pty_forward_new(event
, master
, PTY_FORWARD_IGNORE_VHANGUP
| (interactive
? 0 : PTY_FORWARD_READ_ONLY
), &forward
);
3923 log_error_errno(r
, "Failed to create PTY forwarder: %m");
3927 r
= sd_event_loop(event
);
3929 log_error_errno(r
, "Failed to run event loop: %m");
3933 pty_forward_get_last_char(forward
, &last_char
);
3935 forward
= pty_forward_free(forward
);
3937 if (!arg_quiet
&& last_char
!= '\n')
3940 /* Kill if it is not dead yet anyway */
3941 if (arg_register
&& !arg_keep_unit
)
3942 terminate_machine(pid
);
3944 /* Normally redundant, but better safe than sorry */
3947 r
= wait_for_container(pid
, &container_status
);
3951 /* We failed to wait for the container, or the
3952 * container exited abnormally */
3954 else if (r
> 0 || container_status
== CONTAINER_TERMINATED
) {
3955 /* The container exited with a non-zero
3956 * status, or with zero status and no reboot
3962 /* CONTAINER_REBOOTED, loop again */
3964 if (arg_keep_unit
) {
3965 /* Special handling if we are running as a
3966 * service: instead of simply restarting the
3967 * machine we want to restart the entire
3968 * service, so let's inform systemd about this
3969 * with the special exit code 133. The service
3970 * file uses RestartForceExitStatus=133 so
3971 * that this results in a full nspawn
3972 * restart. This is necessary since we might
3973 * have cgroup parameters set we want to have
3980 expose_port_flush(arg_expose_ports
, &exposed
);
3986 "STATUS=Terminating...");
3991 /* Try to flush whatever is still queued in the pty */
3993 (void) copy_bytes(master
, STDOUT_FILENO
, (uint64_t) -1, false);
3995 loop_remove(loop_nr
, &image_fd
);
3997 if (remove_subvol
&& arg_directory
) {
4000 k
= btrfs_subvol_remove(arg_directory
, BTRFS_REMOVE_RECURSIVE
|BTRFS_REMOVE_QUOTA
);
4002 log_warning_errno(k
, "Cannot remove subvolume '%s', ignoring: %m", arg_directory
);
4008 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
4009 (void) rm_rf(p
, REMOVE_ROOT
);
4012 expose_port_flush(arg_expose_ports
, &exposed
);
4014 free(arg_directory
);
4020 strv_free(arg_setenv
);
4021 free(arg_network_bridge
);
4022 strv_free(arg_network_interfaces
);
4023 strv_free(arg_network_macvlan
);
4024 strv_free(arg_network_ipvlan
);
4025 strv_free(arg_network_veth_extra
);
4026 strv_free(arg_parameters
);
4027 custom_mount_free_all(arg_custom_mounts
, arg_n_custom_mounts
);
4028 expose_port_free_all(arg_expose_ports
);
4030 return r
< 0 ? EXIT_FAILURE
: ret
;