1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
6 #include <linux/loop.h>
7 #include <linux/magic.h>
11 #include <sys/ioctl.h>
15 #include "alloc-util.h"
16 #include "blockdev-util.h"
17 #include "btrfs-util.h"
19 #include "chattr-util.h"
21 #include "dirent-util.h"
22 #include "discover-image.h"
23 #include "dissect-image.h"
26 #include "extension-util.h"
30 #include "hostname-setup.h"
31 #include "id128-util.h"
32 #include "initrd-util.h"
33 #include "lock-util.h"
35 #include "loop-util.h"
38 #include "nulstr-util.h"
40 #include "path-util.h"
42 #include "stat-util.h"
43 #include "string-table.h"
44 #include "string-util.h"
46 #include "time-util.h"
49 #include "xattr-util.h"
51 const char* const image_search_path
[_IMAGE_CLASS_MAX
] = {
52 [IMAGE_MACHINE
] = "/etc/machines\0" /* only place symlinks here */
53 "/run/machines\0" /* and here too */
54 "/var/lib/machines\0" /* the main place for images */
55 "/var/lib/container\0" /* legacy */
56 "/usr/local/lib/machines\0"
57 "/usr/lib/machines\0",
59 [IMAGE_PORTABLE
] = "/etc/portables\0" /* only place symlinks here */
60 "/run/portables\0" /* and here too */
61 "/var/lib/portables\0" /* the main place for images */
62 "/usr/local/lib/portables\0"
63 "/usr/lib/portables\0",
65 /* Note that we don't allow storing extensions under /usr/, unlike with other image types. That's
66 * because extension images are supposed to extend /usr/, so you get into recursive races, especially
67 * with directory-based extensions, as the kernel's OverlayFS explicitly checks for this and errors
68 * out with -ELOOP if it finds that a lowerdir= is a child of another lowerdir=. */
69 [IMAGE_SYSEXT
] = "/etc/extensions\0" /* only place symlinks here */
70 "/run/extensions\0" /* and here too */
71 "/var/lib/extensions\0", /* the main place for images */
73 [IMAGE_CONFEXT
] = "/run/confexts\0" /* only place symlinks here */
74 "/var/lib/confexts\0" /* the main place for images */
75 "/usr/local/lib/confexts\0"
76 "/usr/lib/confexts\0",
79 /* Inside the initrd, use a slightly different set of search path (i.e. include .extra/sysext/ and
80 * .extra/confext/ in extension search dir) */
81 static const char* const image_search_path_initrd
[_IMAGE_CLASS_MAX
] = {
82 /* (entries that aren't listed here will get the same search path as for the non initrd-case) */
84 [IMAGE_SYSEXT
] = "/etc/extensions\0" /* only place symlinks here */
85 "/run/extensions\0" /* and here too */
86 "/var/lib/extensions\0" /* the main place for images */
87 "/.extra/sysext\0", /* put sysext picked up by systemd-stub last, since not trusted */
89 [IMAGE_CONFEXT
] = "/run/confexts\0" /* only place symlinks here */
90 "/var/lib/confexts\0" /* the main place for images */
91 "/usr/local/lib/confexts\0"
92 "/.extra/confext\0", /* put confext picked up by systemd-stub last, since not trusted */
95 static const char* image_class_suffix_table
[_IMAGE_CLASS_MAX
] = {
96 [IMAGE_SYSEXT
] = ".sysext",
97 [IMAGE_CONFEXT
] = ".confext",
100 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(image_class_suffix
, ImageClass
);
102 static const char *const image_root_table
[_IMAGE_CLASS_MAX
] = {
103 [IMAGE_MACHINE
] = "/var/lib/machines",
104 [IMAGE_PORTABLE
] = "/var/lib/portables",
105 [IMAGE_SYSEXT
] = "/var/lib/extensions",
106 [IMAGE_CONFEXT
] = "/var/lib/confexts",
109 DEFINE_STRING_TABLE_LOOKUP_TO_STRING(image_root
, ImageClass
);
111 static Image
*image_free(Image
*i
) {
118 strv_free(i
->machine_info
);
119 strv_free(i
->os_release
);
120 strv_free(i
->sysext_release
);
121 strv_free(i
->confext_release
);
126 DEFINE_TRIVIAL_REF_UNREF_FUNC(Image
, image
, image_free
);
127 DEFINE_HASH_OPS_WITH_VALUE_DESTRUCTOR(image_hash_ops
, char, string_hash_func
, string_compare_func
,
130 static char **image_settings_path(Image
*image
) {
131 _cleanup_strv_free_
char **l
= NULL
;
132 _cleanup_free_
char *fn
= NULL
;
142 fn
= strjoin(image
->name
, ".nspawn");
146 FOREACH_STRING(s
, "/etc/systemd/nspawn", "/run/systemd/nspawn") {
147 l
[i
] = path_join(s
, fn
);
154 r
= file_in_same_dir(image
->path
, fn
, l
+ i
);
158 log_debug_errno(r
, "Failed to generate .nspawn settings path from image path, ignoring: %m");
165 static int image_roothash_path(Image
*image
, char **ret
) {
166 _cleanup_free_
char *fn
= NULL
;
170 fn
= strjoin(image
->name
, ".roothash");
174 return file_in_same_dir(image
->path
, fn
, ret
);
177 static int image_new(
182 const char *filename
,
188 _cleanup_(image_unrefp
) Image
*i
= NULL
;
191 assert(t
< _IMAGE_TYPE_MAX
);
204 .read_only
= read_only
,
208 .usage_exclusive
= UINT64_MAX
,
210 .limit_exclusive
= UINT64_MAX
,
213 i
->name
= strdup(pretty
);
217 i
->path
= path_join(path
, filename
);
221 path_simplify(i
->path
);
228 static int extract_image_basename(
230 const char *class_suffix
, /* e.g. ".sysext" (this is an optional suffix) */
231 char **format_suffixes
, /* e.g. ".raw" (one of these will be required) */
235 _cleanup_free_
char *name
= NULL
, *suffix
= NULL
;
240 r
= path_extract_filename(path
, &name
);
244 if (format_suffixes
) {
245 char *e
= endswith_strv(name
, format_suffixes
);
246 if (!e
) /* Format suffix is required */
259 char *e
= endswith(name
, class_suffix
);
260 if (e
) { /* Class suffix is optional */
262 _cleanup_free_
char *j
= strjoin(e
, suffix
);
266 free_and_replace(suffix
, j
);
273 if (!image_name_is_valid(name
))
277 *ret_suffix
= TAKE_PTR(suffix
);
280 *ret_basename
= TAKE_PTR(name
);
285 static int image_update_quota(Image
*i
, int fd
) {
286 _cleanup_close_
int fd_close
= -EBADF
;
291 if (IMAGE_IS_VENDOR(i
) || IMAGE_IS_HOST(i
))
294 if (i
->type
!= IMAGE_SUBVOLUME
)
298 fd_close
= open(i
->path
, O_CLOEXEC
|O_NOCTTY
|O_DIRECTORY
);
304 r
= btrfs_quota_scan_ongoing(fd
);
310 BtrfsQuotaInfo quota
;
311 r
= btrfs_subvol_get_subtree_quota_fd(fd
, 0, "a
);
315 i
->usage
= quota
.referenced
;
316 i
->usage_exclusive
= quota
.exclusive
;
317 i
->limit
= quota
.referenced_max
;
318 i
->limit_exclusive
= quota
.exclusive_max
;
323 static int image_make(
328 const char *filename
,
329 const struct stat
*st
,
332 _cleanup_free_
char *pretty_buffer
= NULL
, *parent
= NULL
;
337 assert(dfd
>= 0 || dfd
== AT_FDCWD
);
338 assert(path
|| dfd
== AT_FDCWD
);
341 /* We explicitly *do* follow symlinks here, since we want to allow symlinking trees, raw files and block
342 * devices into /var/lib/machines/, and treat them normally.
344 * This function returns -ENOENT if we can't find the image after all, and -EMEDIUMTYPE if it's not a file we
348 if (fstatat(dfd
, filename
, &stbuf
, 0) < 0)
356 (void) safe_getcwd(&parent
);
358 (void) fd_get_path(dfd
, &parent
);
362 (path
&& path_startswith(path
, "/usr")) ||
363 (faccessat(dfd
, filename
, W_OK
, AT_EACCESS
) < 0 && errno
== EROFS
);
365 if (S_ISDIR(st
->st_mode
)) {
366 _cleanup_close_
int fd
= -EBADF
;
367 unsigned file_attr
= 0;
374 r
= extract_image_basename(
376 image_class_suffix_to_string(c
),
377 /* format_suffix= */ NULL
,
379 /* ret_suffix= */ NULL
);
383 pretty
= pretty_buffer
;
386 fd
= openat(dfd
, filename
, O_CLOEXEC
|O_NOCTTY
|O_DIRECTORY
);
390 if (btrfs_might_be_subvol(st
)) {
392 r
= fd_is_fs_type(fd
, BTRFS_SUPER_MAGIC
);
396 BtrfsSubvolInfo info
;
398 /* It's a btrfs subvolume */
400 r
= btrfs_subvol_get_info_fd(fd
, 0, &info
);
404 r
= image_new(IMAGE_SUBVOLUME
,
409 info
.read_only
|| read_only
,
416 (void) image_update_quota(*ret
, fd
);
421 /* Get directory creation time (not available everywhere, but that's OK */
422 (void) fd_getcrtime(fd
, &crtime
);
424 /* If the IMMUTABLE bit is set, we consider the directory read-only. Since the ioctl is not
425 * supported everywhere we ignore failures. */
426 (void) read_attr_fd(fd
, &file_attr
);
428 /* It's just a normal directory. */
429 r
= image_new(IMAGE_DIRECTORY
,
434 read_only
|| (file_attr
& FS_IMMUTABLE_FL
),
436 0, /* we don't use mtime of stat() here, since it's not the time of last change of the tree, but only of the top-level dir */
443 } else if (S_ISREG(st
->st_mode
) && endswith(filename
, ".raw")) {
446 /* It's a RAW disk image */
451 (void) fd_getcrtime_at(dfd
, filename
, AT_SYMLINK_FOLLOW
, &crtime
);
454 r
= extract_image_basename(
456 image_class_suffix_to_string(c
),
459 /* ret_suffix= */ NULL
);
463 pretty
= pretty_buffer
;
466 r
= image_new(IMAGE_RAW
,
471 !(st
->st_mode
& 0222) || read_only
,
473 timespec_load(&st
->st_mtim
),
478 (*ret
)->usage
= (*ret
)->usage_exclusive
= st
->st_blocks
* 512;
479 (*ret
)->limit
= (*ret
)->limit_exclusive
= st
->st_size
;
483 } else if (S_ISBLK(st
->st_mode
)) {
484 _cleanup_close_
int block_fd
= -EBADF
;
485 uint64_t size
= UINT64_MAX
;
493 r
= extract_image_basename(
495 /* class_suffix= */ NULL
,
496 /* format_suffix= */ NULL
,
498 /* ret_suffix= */ NULL
);
502 pretty
= pretty_buffer
;
505 block_fd
= openat(dfd
, filename
, O_RDONLY
|O_NONBLOCK
|O_CLOEXEC
|O_NOCTTY
);
507 log_debug_errno(errno
, "Failed to open block device %s/%s, ignoring: %m", path
?: strnull(parent
), filename
);
509 /* Refresh stat data after opening the node */
510 if (fstat(block_fd
, &stbuf
) < 0)
514 if (!S_ISBLK(st
->st_mode
)) /* Verify that what we opened is actually what we think it is */
520 if (ioctl(block_fd
, BLKROGET
, &state
) < 0)
521 log_debug_errno(errno
, "Failed to issue BLKROGET on device %s/%s, ignoring: %m", path
?: strnull(parent
), filename
);
526 r
= blockdev_get_device_size(block_fd
, &size
);
528 log_debug_errno(r
, "Failed to issue BLKGETSIZE64 on device %s/%s, ignoring: %m", path
?: strnull(parent
), filename
);
530 block_fd
= safe_close(block_fd
);
533 r
= image_new(IMAGE_BLOCK
,
538 !(st
->st_mode
& 0222) || read_only
,
545 if (!IN_SET(size
, 0, UINT64_MAX
))
546 (*ret
)->usage
= (*ret
)->usage_exclusive
= (*ret
)->limit
= (*ret
)->limit_exclusive
= size
;
554 static const char *pick_image_search_path(ImageClass
class) {
555 if (class < 0 || class >= _IMAGE_CLASS_MAX
)
558 /* Use the initrd search path if there is one, otherwise use the common one */
559 return in_initrd() && image_search_path_initrd
[class] ? image_search_path_initrd
[class] : image_search_path
[class];
562 static char **make_possible_filenames(ImageClass
class, const char *image_name
) {
563 _cleanup_strv_free_
char **l
= NULL
;
567 FOREACH_STRING(v_suffix
, "", ".v")
568 FOREACH_STRING(format_suffix
, "", ".raw") {
569 _cleanup_free_
char *j
= NULL
;
570 const char *class_suffix
;
572 class_suffix
= image_class_suffix_to_string(class);
574 j
= strjoin(image_name
, class_suffix
, format_suffix
, v_suffix
);
578 if (strv_consume(&l
, TAKE_PTR(j
)) < 0)
582 j
= strjoin(image_name
, format_suffix
, v_suffix
);
586 if (strv_consume(&l
, TAKE_PTR(j
)) < 0)
593 int image_find(ImageClass
class,
601 assert(class < _IMAGE_CLASS_MAX
);
604 /* There are no images with invalid names */
605 if (!image_name_is_valid(name
))
608 _cleanup_strv_free_
char **names
= make_possible_filenames(class, name
);
612 NULSTR_FOREACH(path
, pick_image_search_path(class)) {
613 _cleanup_free_
char *resolved
= NULL
;
614 _cleanup_closedir_
DIR *d
= NULL
;
618 r
= chase_and_opendir(path
, root
, CHASE_PREFIX_ROOT
, &resolved
, &d
);
624 /* As mentioned above, we follow symlinks on this fstatat(), because we want to permit people
625 * to symlink block devices into the search path. (For now, we disable that when operating
626 * relative to some root directory.) */
627 flags
= root
? AT_SYMLINK_NOFOLLOW
: 0;
629 STRV_FOREACH(n
, names
) {
630 _cleanup_free_
char *fname_buf
= NULL
;
631 const char *fname
= *n
;
633 if (fstatat(dirfd(d
), fname
, &st
, flags
) < 0) {
637 continue; /* Vanished while we were looking at it */
640 if (endswith(fname
, ".raw")) {
641 if (!S_ISREG(st
.st_mode
)) {
642 log_debug("Ignoring non-regular file '%s' with .raw suffix.", fname
);
646 } else if (endswith(fname
, ".v")) {
648 if (!S_ISDIR(st
.st_mode
)) {
649 log_debug("Ignoring non-directory file '%s' with .v suffix.", fname
);
653 _cleanup_free_
char *suffix
= NULL
;
654 suffix
= strdup(ASSERT_PTR(startswith(fname
, name
)));
658 *ASSERT_PTR(endswith(suffix
, ".v")) = 0;
660 _cleanup_free_
char *vp
= path_join(resolved
, fname
);
664 PickFilter filter
= {
665 .type_mask
= endswith(suffix
, ".raw") ? (UINT32_C(1) << DT_REG
) | (UINT32_C(1) << DT_BLK
) : (UINT32_C(1) << DT_DIR
),
667 .architecture
= _ARCHITECTURE_INVALID
,
668 .suffix
= STRV_MAKE(suffix
),
671 _cleanup_(pick_result_done
) PickResult result
= PICK_RESULT_NULL
;
673 /* toplevel_fd= */ AT_FDCWD
,
676 PICK_ARCHITECTURE
|PICK_TRIES
,
679 log_debug_errno(r
, "Failed to pick versioned image on '%s', skipping: %m", vp
);
683 log_debug("Found versioned directory '%s', without matching entry, skipping: %m", vp
);
687 /* Refresh the stat data for the discovered target */
690 _cleanup_free_
char *bn
= NULL
;
691 r
= path_extract_filename(result
.path
, &bn
);
693 log_debug_errno(r
, "Failed to extract basename of image path '%s', skipping: %m", result
.path
);
697 fname_buf
= path_join(fname
, bn
);
703 } else if (!S_ISDIR(st
.st_mode
) && !S_ISBLK(st
.st_mode
)) {
704 log_debug("Ignoring non-directory and non-block device file '%s' without suffix.", fname
);
708 r
= image_make(class, name
, dirfd(d
), resolved
, fname
, &st
, ret
);
709 if (IN_SET(r
, -ENOENT
, -EMEDIUMTYPE
))
715 (*ret
)->discoverable
= true;
721 if (class == IMAGE_MACHINE
&& streq(name
, ".host")) {
722 r
= image_make(class, ".host", AT_FDCWD
, NULL
, empty_to_root(root
), NULL
, ret
);
727 (*ret
)->discoverable
= true;
735 int image_from_path(const char *path
, Image
**ret
) {
737 /* Note that we don't set the 'discoverable' field of the returned object, because we don't check here whether
738 * the image is in the image search path. And if it is we don't know if the path we used is actually not
739 * overridden by another, different image earlier in the search path */
741 if (path_equal(path
, "/"))
742 return image_make(IMAGE_MACHINE
, ".host", AT_FDCWD
, NULL
, "/", NULL
, ret
);
744 return image_make(_IMAGE_CLASS_INVALID
, NULL
, AT_FDCWD
, NULL
, path
, NULL
, ret
);
747 int image_find_harder(ImageClass
class, const char *name_or_path
, const char *root
, Image
**ret
) {
748 if (image_name_is_valid(name_or_path
))
749 return image_find(class, name_or_path
, root
, ret
);
751 return image_from_path(name_or_path
, ret
);
762 assert(class < _IMAGE_CLASS_MAX
);
765 NULSTR_FOREACH(path
, pick_image_search_path(class)) {
766 _cleanup_free_
char *resolved
= NULL
;
767 _cleanup_closedir_
DIR *d
= NULL
;
769 r
= chase_and_opendir(path
, root
, CHASE_PREFIX_ROOT
, &resolved
, &d
);
775 FOREACH_DIRENT_ALL(de
, d
, return -errno
) {
776 _cleanup_free_
char *pretty
= NULL
, *fname_buf
= NULL
;
777 _cleanup_(image_unrefp
) Image
*image
= NULL
;
778 const char *fname
= de
->d_name
;
782 if (dot_or_dot_dot(fname
))
785 /* As mentioned above, we follow symlinks on this fstatat(), because we want to
786 * permit people to symlink block devices into the search path. */
787 flags
= root
? AT_SYMLINK_NOFOLLOW
: 0;
788 if (fstatat(dirfd(d
), fname
, &st
, flags
) < 0) {
795 if (S_ISREG(st
.st_mode
)) {
796 r
= extract_image_basename(
798 image_class_suffix_to_string(class),
803 log_debug_errno(r
, "Skipping directory entry '%s', which doesn't look like an image.", fname
);
806 } else if (S_ISDIR(st
.st_mode
)) {
809 v
= endswith(fname
, ".v");
811 _cleanup_free_
char *suffix
= NULL
, *nov
= NULL
;
813 nov
= strndup(fname
, v
- fname
); /* Chop off the .v */
817 r
= extract_image_basename(
819 image_class_suffix_to_string(class),
820 STRV_MAKE(".raw", ""),
824 log_debug_errno(r
, "Skipping directory entry '%s', which doesn't look like a versioned image.", fname
);
828 _cleanup_free_
char *vp
= path_join(resolved
, fname
);
832 PickFilter filter
= {
833 .type_mask
= endswith(suffix
, ".raw") ? (UINT32_C(1) << DT_REG
) | (UINT32_C(1) << DT_BLK
) : (UINT32_C(1) << DT_DIR
),
835 .architecture
= _ARCHITECTURE_INVALID
,
836 .suffix
= STRV_MAKE(suffix
),
839 _cleanup_(pick_result_done
) PickResult result
= PICK_RESULT_NULL
;
841 /* toplevel_fd= */ AT_FDCWD
,
844 PICK_ARCHITECTURE
|PICK_TRIES
,
847 log_debug_errno(r
, "Failed to pick versioned image on '%s', skipping: %m", vp
);
851 log_debug("Found versioned directory '%s', without matching entry, skipping: %m", vp
);
855 /* Refresh the stat data for the discovered target */
858 _cleanup_free_
char *bn
= NULL
;
859 r
= path_extract_filename(result
.path
, &bn
);
861 log_debug_errno(r
, "Failed to extract basename of image path '%s', skipping: %m", result
.path
);
865 fname_buf
= path_join(fname
, bn
);
871 r
= extract_image_basename(
873 image_class_suffix_to_string(class),
874 /* format_suffix= */ NULL
,
876 /* ret_suffix= */ NULL
);
878 log_debug_errno(r
, "Skipping directory entry '%s', which doesn't look like an image.", fname
);
883 } else if (S_ISBLK(st
.st_mode
)) {
884 r
= extract_image_basename(
886 /* class_suffix= */ NULL
,
887 /* format_suffix= */ NULL
,
889 /* ret_v_suffix= */ NULL
);
891 log_debug_errno(r
, "Skipping directory entry '%s', which doesn't look like an image.", fname
);
895 log_debug("Skipping directory entry '%s', which is neither regular file, directory nor block device.", fname
);
899 if (hashmap_contains(h
, pretty
))
902 r
= image_make(class, pretty
, dirfd(d
), resolved
, fname
, &st
, &image
);
903 if (IN_SET(r
, -ENOENT
, -EMEDIUMTYPE
))
908 image
->discoverable
= true;
910 r
= hashmap_put(h
, image
->name
, image
);
918 if (class == IMAGE_MACHINE
&& !hashmap_contains(h
, ".host")) {
919 _cleanup_(image_unrefp
) Image
*image
= NULL
;
921 r
= image_make(IMAGE_MACHINE
, ".host", AT_FDCWD
, NULL
, empty_to_root("/"), NULL
, &image
);
925 image
->discoverable
= true;
927 r
= hashmap_put(h
, image
->name
, image
);
937 int image_remove(Image
*i
) {
938 _cleanup_(release_lock_file
) LockFile global_lock
= LOCK_FILE_INIT
, local_lock
= LOCK_FILE_INIT
;
939 _cleanup_strv_free_
char **settings
= NULL
;
940 _cleanup_free_
char *roothash
= NULL
;
945 if (IMAGE_IS_VENDOR(i
) || IMAGE_IS_HOST(i
))
948 settings
= image_settings_path(i
);
952 r
= image_roothash_path(i
, &roothash
);
956 /* Make sure we don't interfere with a running nspawn */
957 r
= image_path_lock(i
->path
, LOCK_EX
|LOCK_NB
, &global_lock
, &local_lock
);
963 case IMAGE_SUBVOLUME
:
965 /* Let's unlink first, maybe it is a symlink? If that works we are happy. Otherwise, let's get out the
967 if (unlink(i
->path
) < 0) {
968 r
= btrfs_subvol_remove(i
->path
, BTRFS_REMOVE_RECURSIVE
|BTRFS_REMOVE_QUOTA
);
975 case IMAGE_DIRECTORY
:
976 /* Allow deletion of read-only directories */
977 (void) chattr_path(i
->path
, 0, FS_IMMUTABLE_FL
, NULL
);
978 r
= rm_rf(i
->path
, REMOVE_ROOT
|REMOVE_PHYSICAL
|REMOVE_SUBVOLUME
);
986 /* If this is inside of /dev, then it's a real block device, hence let's not touch the device node
987 * itself (but let's remove the stuff stored alongside it). If it's anywhere else, let's try to unlink
988 * the thing (it's most likely a symlink after all). */
990 if (path_startswith(i
->path
, "/dev"))
995 if (unlink(i
->path
) < 0)
1003 STRV_FOREACH(j
, settings
)
1004 if (unlink(*j
) < 0 && errno
!= ENOENT
)
1005 log_debug_errno(errno
, "Failed to unlink %s, ignoring: %m", *j
);
1007 if (unlink(roothash
) < 0 && errno
!= ENOENT
)
1008 log_debug_errno(errno
, "Failed to unlink %s, ignoring: %m", roothash
);
1013 static int rename_auxiliary_file(const char *path
, const char *new_name
, const char *suffix
) {
1014 _cleanup_free_
char *fn
= NULL
, *rs
= NULL
;
1017 fn
= strjoin(new_name
, suffix
);
1021 r
= file_in_same_dir(path
, fn
, &rs
);
1025 return rename_noreplace(AT_FDCWD
, path
, AT_FDCWD
, rs
);
1028 int image_rename(Image
*i
, const char *new_name
) {
1029 _cleanup_(release_lock_file
) LockFile global_lock
= LOCK_FILE_INIT
, local_lock
= LOCK_FILE_INIT
, name_lock
= LOCK_FILE_INIT
;
1030 _cleanup_free_
char *new_path
= NULL
, *nn
= NULL
, *roothash
= NULL
;
1031 _cleanup_strv_free_
char **settings
= NULL
;
1032 unsigned file_attr
= 0;
1037 if (!image_name_is_valid(new_name
))
1040 if (IMAGE_IS_VENDOR(i
) || IMAGE_IS_HOST(i
))
1043 settings
= image_settings_path(i
);
1047 r
= image_roothash_path(i
, &roothash
);
1051 /* Make sure we don't interfere with a running nspawn */
1052 r
= image_path_lock(i
->path
, LOCK_EX
|LOCK_NB
, &global_lock
, &local_lock
);
1056 /* Make sure nobody takes the new name, between the time we
1057 * checked it is currently unused in all search paths, and the
1058 * time we take possession of it */
1059 r
= image_name_lock(new_name
, LOCK_EX
|LOCK_NB
, &name_lock
);
1063 r
= image_find(IMAGE_MACHINE
, new_name
, NULL
, NULL
);
1071 case IMAGE_DIRECTORY
:
1072 /* Turn of the immutable bit while we rename the image, so that we can rename it */
1073 (void) read_attr_at(AT_FDCWD
, i
->path
, &file_attr
);
1075 if (file_attr
& FS_IMMUTABLE_FL
)
1076 (void) chattr_path(i
->path
, 0, FS_IMMUTABLE_FL
, NULL
);
1079 case IMAGE_SUBVOLUME
:
1080 r
= file_in_same_dir(i
->path
, new_name
, &new_path
);
1085 /* Refuse renaming raw block devices in /dev, the names are picked by udev after all. */
1086 if (path_startswith(i
->path
, "/dev"))
1089 r
= file_in_same_dir(i
->path
, new_name
, &new_path
);
1095 fn
= strjoina(new_name
, ".raw");
1097 r
= file_in_same_dir(i
->path
, fn
, &new_path
);
1107 nn
= strdup(new_name
);
1111 r
= rename_noreplace(AT_FDCWD
, i
->path
, AT_FDCWD
, new_path
);
1115 /* Restore the immutable bit, if it was set before */
1116 if (file_attr
& FS_IMMUTABLE_FL
)
1117 (void) chattr_path(new_path
, FS_IMMUTABLE_FL
, FS_IMMUTABLE_FL
, NULL
);
1119 free_and_replace(i
->path
, new_path
);
1120 free_and_replace(i
->name
, nn
);
1122 STRV_FOREACH(j
, settings
) {
1123 r
= rename_auxiliary_file(*j
, new_name
, ".nspawn");
1124 if (r
< 0 && r
!= -ENOENT
)
1125 log_debug_errno(r
, "Failed to rename settings file %s, ignoring: %m", *j
);
1128 r
= rename_auxiliary_file(roothash
, new_name
, ".roothash");
1129 if (r
< 0 && r
!= -ENOENT
)
1130 log_debug_errno(r
, "Failed to rename roothash file %s, ignoring: %m", roothash
);
1135 static int clone_auxiliary_file(const char *path
, const char *new_name
, const char *suffix
) {
1136 _cleanup_free_
char *fn
= NULL
, *rs
= NULL
;
1139 fn
= strjoin(new_name
, suffix
);
1143 r
= file_in_same_dir(path
, fn
, &rs
);
1147 return copy_file_atomic(path
, rs
, 0664, COPY_REFLINK
);
1150 int image_clone(Image
*i
, const char *new_name
, bool read_only
) {
1151 _cleanup_(release_lock_file
) LockFile name_lock
= LOCK_FILE_INIT
;
1152 _cleanup_strv_free_
char **settings
= NULL
;
1153 _cleanup_free_
char *roothash
= NULL
;
1154 const char *new_path
;
1159 if (!image_name_is_valid(new_name
))
1162 settings
= image_settings_path(i
);
1166 r
= image_roothash_path(i
, &roothash
);
1170 /* Make sure nobody takes the new name, between the time we
1171 * checked it is currently unused in all search paths, and the
1172 * time we take possession of it */
1173 r
= image_name_lock(new_name
, LOCK_EX
|LOCK_NB
, &name_lock
);
1177 r
= image_find(IMAGE_MACHINE
, new_name
, NULL
, NULL
);
1185 case IMAGE_SUBVOLUME
:
1186 case IMAGE_DIRECTORY
:
1187 /* If we can we'll always try to create a new btrfs subvolume here, even if the source is a plain
1190 new_path
= strjoina("/var/lib/machines/", new_name
);
1192 r
= btrfs_subvol_snapshot_at(AT_FDCWD
, i
->path
, AT_FDCWD
, new_path
,
1193 (read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) |
1194 BTRFS_SNAPSHOT_FALLBACK_COPY
|
1195 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY
|
1196 BTRFS_SNAPSHOT_FALLBACK_IMMUTABLE
|
1197 BTRFS_SNAPSHOT_RECURSIVE
|
1198 BTRFS_SNAPSHOT_QUOTA
);
1200 /* Enable "subtree" quotas for the copy, if we didn't copy any quota from the source. */
1201 (void) btrfs_subvol_auto_qgroup(new_path
, 0, true);
1206 new_path
= strjoina("/var/lib/machines/", new_name
, ".raw");
1208 r
= copy_file_atomic(i
->path
, new_path
, read_only
? 0444 : 0644,
1209 COPY_REFLINK
|COPY_CRTIME
|COPY_NOCOW_AFTER
);
1220 STRV_FOREACH(j
, settings
) {
1221 r
= clone_auxiliary_file(*j
, new_name
, ".nspawn");
1222 if (r
< 0 && r
!= -ENOENT
)
1223 log_debug_errno(r
, "Failed to clone settings %s, ignoring: %m", *j
);
1226 r
= clone_auxiliary_file(roothash
, new_name
, ".roothash");
1227 if (r
< 0 && r
!= -ENOENT
)
1228 log_debug_errno(r
, "Failed to clone root hash file %s, ignoring: %m", roothash
);
1233 int image_read_only(Image
*i
, bool b
) {
1234 _cleanup_(release_lock_file
) LockFile global_lock
= LOCK_FILE_INIT
, local_lock
= LOCK_FILE_INIT
;
1239 if (IMAGE_IS_VENDOR(i
) || IMAGE_IS_HOST(i
))
1242 /* Make sure we don't interfere with a running nspawn */
1243 r
= image_path_lock(i
->path
, LOCK_EX
|LOCK_NB
, &global_lock
, &local_lock
);
1249 case IMAGE_SUBVOLUME
:
1251 /* Note that we set the flag only on the top-level
1252 * subvolume of the image. */
1254 r
= btrfs_subvol_set_read_only(i
->path
, b
);
1260 case IMAGE_DIRECTORY
:
1261 /* For simple directory trees we cannot use the access
1262 mode of the top-level directory, since it has an
1263 effect on the container itself. However, we can
1264 use the "immutable" flag, to at least make the
1265 top-level directory read-only. It's not as good as
1266 a read-only subvolume, but at least something, and
1267 we can read the value back. */
1269 r
= chattr_path(i
->path
, b
? FS_IMMUTABLE_FL
: 0, FS_IMMUTABLE_FL
, NULL
);
1278 if (stat(i
->path
, &st
) < 0)
1281 if (chmod(i
->path
, (st
.st_mode
& 0444) | (b
? 0000 : 0200)) < 0)
1284 /* If the images is now read-only, it's a good time to
1285 * defrag it, given that no write patterns will
1286 * fragment it again. */
1288 (void) btrfs_defrag(i
->path
);
1293 _cleanup_close_
int fd
= -EBADF
;
1297 fd
= open(i
->path
, O_CLOEXEC
|O_RDONLY
|O_NONBLOCK
|O_NOCTTY
);
1301 if (fstat(fd
, &st
) < 0)
1303 if (!S_ISBLK(st
.st_mode
))
1306 if (ioctl(fd
, BLKROSET
, &state
) < 0)
1320 static void make_lock_dir(void) {
1321 (void) mkdir_p("/run/systemd/nspawn", 0755);
1322 (void) mkdir("/run/systemd/nspawn/locks", 0700);
1325 int image_path_lock(
1328 LockFile
*ret_global
,
1329 LockFile
*ret_local
) {
1331 _cleanup_free_
char *p
= NULL
;
1332 LockFile t
= LOCK_FILE_INIT
;
1340 /* Locks an image path. This actually creates two locks: one "local" one, next to the image path
1341 * itself, which might be shared via NFS. And another "global" one, in /run, that uses the
1342 * device/inode number. This has the benefit that we can even lock a tree that is a mount point,
1345 if (!path_is_absolute(path
))
1348 switch (operation
& (LOCK_SH
|LOCK_EX
)) {
1359 if (getenv_bool("SYSTEMD_NSPAWN_LOCK") == 0) {
1360 *ret_local
= LOCK_FILE_INIT
;
1362 *ret_global
= LOCK_FILE_INIT
;
1366 /* Prohibit taking exclusive locks on the host image. We can't allow this, since we ourselves are
1367 * running off it after all, and we don't want any images to manipulate the host image. We make an
1368 * exception for shared locks however: we allow those (and make them NOPs since there's no point in
1369 * taking them if there can't be exclusive locks). Strictly speaking these are questionable as well,
1370 * since it means changes made to the host might propagate to the container as they happen (and a
1371 * shared lock kinda suggests that no changes happen at all while it is in place), but it's too
1372 * useful not to allow read-only containers off the host root, hence let's support this, and trust
1373 * the user to do the right thing with this. */
1374 if (path_equal(path
, "/")) {
1378 *ret_local
= LOCK_FILE_INIT
;
1380 *ret_global
= LOCK_FILE_INIT
;
1385 if (stat(path
, &st
) >= 0) {
1386 if (S_ISBLK(st
.st_mode
))
1387 r
= asprintf(&p
, "/run/systemd/nspawn/locks/block-%u:%u", major(st
.st_rdev
), minor(st
.st_rdev
));
1388 else if (S_ISDIR(st
.st_mode
) || S_ISREG(st
.st_mode
))
1389 r
= asprintf(&p
, "/run/systemd/nspawn/locks/inode-%lu:%lu", (unsigned long) st
.st_dev
, (unsigned long) st
.st_ino
);
1397 /* For block devices we don't need the "local" lock, as the major/minor lock above should be
1398 * sufficient, since block devices are host local anyway. */
1399 if (!path_startswith(path
, "/dev/")) {
1400 r
= make_lock_file_for(path
, operation
, &t
);
1402 if (!exclusive
&& r
== -EROFS
)
1403 log_debug_errno(r
, "Failed to create shared lock for '%s', ignoring: %m", path
);
1412 r
= make_lock_file(p
, operation
, ret_global
);
1414 release_lock_file(&t
);
1417 } else if (ret_global
)
1418 *ret_global
= LOCK_FILE_INIT
;
1424 int image_set_limit(Image
*i
, uint64_t referenced_max
) {
1429 if (IMAGE_IS_VENDOR(i
) || IMAGE_IS_HOST(i
))
1432 if (i
->type
!= IMAGE_SUBVOLUME
)
1435 /* We set the quota both for the subvolume as well as for the
1436 * subtree. The latter is mostly for historical reasons, since
1437 * we didn't use to have a concept of subtree quota, and hence
1438 * only modified the subvolume quota. */
1440 (void) btrfs_qgroup_set_limit(i
->path
, 0, referenced_max
);
1441 (void) btrfs_subvol_auto_qgroup(i
->path
, 0, true);
1442 r
= btrfs_subvol_set_subtree_quota_limit(i
->path
, 0, referenced_max
);
1446 (void) image_update_quota(i
, -EBADF
);
1450 int image_read_metadata(Image
*i
, const ImagePolicy
*image_policy
) {
1451 _cleanup_(release_lock_file
) LockFile global_lock
= LOCK_FILE_INIT
, local_lock
= LOCK_FILE_INIT
;
1456 r
= image_path_lock(i
->path
, LOCK_SH
|LOCK_NB
, &global_lock
, &local_lock
);
1462 case IMAGE_SUBVOLUME
:
1463 case IMAGE_DIRECTORY
: {
1464 _cleanup_strv_free_
char **machine_info
= NULL
, **os_release
= NULL
, **sysext_release
= NULL
, **confext_release
= NULL
;
1465 _cleanup_free_
char *hostname
= NULL
, *path
= NULL
;
1466 sd_id128_t machine_id
= SD_ID128_NULL
;
1468 if (i
->class == IMAGE_SYSEXT
) {
1469 r
= extension_has_forbidden_content(i
->path
);
1473 return log_debug_errno(SYNTHETIC_ERRNO(ENOMEDIUM
),
1474 "Conflicting content found in image %s, refusing.",
1478 r
= chase("/etc/hostname", i
->path
, CHASE_PREFIX_ROOT
|CHASE_TRAIL_SLASH
, &path
, NULL
);
1479 if (r
< 0 && r
!= -ENOENT
)
1480 log_debug_errno(r
, "Failed to chase /etc/hostname in image %s: %m", i
->name
);
1482 r
= read_etc_hostname(path
, &hostname
);
1484 log_debug_errno(r
, "Failed to read /etc/hostname of image %s: %m", i
->name
);
1489 r
= id128_get_machine(i
->path
, &machine_id
);
1491 log_debug_errno(r
, "Failed to read machine ID in image %s, ignoring: %m", i
->name
);
1493 r
= chase("/etc/machine-info", i
->path
, CHASE_PREFIX_ROOT
|CHASE_TRAIL_SLASH
, &path
, NULL
);
1494 if (r
< 0 && r
!= -ENOENT
)
1495 log_debug_errno(r
, "Failed to chase /etc/machine-info in image %s: %m", i
->name
);
1497 r
= load_env_file_pairs(NULL
, path
, &machine_info
);
1499 log_debug_errno(r
, "Failed to parse machine-info data of %s: %m", i
->name
);
1502 r
= load_os_release_pairs(i
->path
, &os_release
);
1504 log_debug_errno(r
, "Failed to read os-release in image, ignoring: %m");
1506 r
= load_extension_release_pairs(i
->path
, IMAGE_SYSEXT
, i
->name
, /* relax_extension_release_check= */ false, &sysext_release
);
1508 log_debug_errno(r
, "Failed to read sysext-release in image, ignoring: %m");
1510 r
= load_extension_release_pairs(i
->path
, IMAGE_CONFEXT
, i
->name
, /* relax_extension_release_check= */ false, &confext_release
);
1512 log_debug_errno(r
, "Failed to read confext-release in image, ignoring: %m");
1514 free_and_replace(i
->hostname
, hostname
);
1515 i
->machine_id
= machine_id
;
1516 strv_free_and_replace(i
->machine_info
, machine_info
);
1517 strv_free_and_replace(i
->os_release
, os_release
);
1518 strv_free_and_replace(i
->sysext_release
, sysext_release
);
1519 strv_free_and_replace(i
->confext_release
, confext_release
);
1525 _cleanup_(loop_device_unrefp
) LoopDevice
*d
= NULL
;
1526 _cleanup_(dissected_image_unrefp
) DissectedImage
*m
= NULL
;
1527 DissectImageFlags flags
=
1528 DISSECT_IMAGE_GENERIC_ROOT
|
1529 DISSECT_IMAGE_REQUIRE_ROOT
|
1530 DISSECT_IMAGE_RELAX_VAR_CHECK
|
1531 DISSECT_IMAGE_READ_ONLY
|
1532 DISSECT_IMAGE_USR_NO_ROOT
|
1533 DISSECT_IMAGE_ADD_PARTITION_DEVICES
|
1534 DISSECT_IMAGE_PIN_PARTITION_DEVICES
|
1535 DISSECT_IMAGE_VALIDATE_OS
|
1536 DISSECT_IMAGE_VALIDATE_OS_EXT
|
1537 DISSECT_IMAGE_ALLOW_USERSPACE_VERITY
;
1539 r
= loop_device_make_by_path(
1542 /* sector_size= */ UINT32_MAX
,
1549 r
= dissect_loop_device(
1552 /* mount_options= */ NULL
,
1559 r
= dissected_image_acquire_metadata(
1561 /* userns_fd= */ -EBADF
,
1566 free_and_replace(i
->hostname
, m
->hostname
);
1567 i
->machine_id
= m
->machine_id
;
1568 strv_free_and_replace(i
->machine_info
, m
->machine_info
);
1569 strv_free_and_replace(i
->os_release
, m
->os_release
);
1570 strv_free_and_replace(i
->sysext_release
, m
->sysext_release
);
1571 strv_free_and_replace(i
->confext_release
, m
->confext_release
);
1580 i
->metadata_valid
= true;
1585 int image_name_lock(const char *name
, int operation
, LockFile
*ret
) {
1591 /* Locks an image name, regardless of the precise path used. */
1593 if (streq(name
, ".host"))
1596 if (!image_name_is_valid(name
))
1599 if (getenv_bool("SYSTEMD_NSPAWN_LOCK") == 0) {
1600 *ret
= (LockFile
) LOCK_FILE_INIT
;
1606 p
= strjoina("/run/systemd/nspawn/locks/name-", name
);
1607 return make_lock_file(p
, operation
, ret
);
1610 bool image_in_search_path(
1613 const char *image
) {
1617 NULSTR_FOREACH(path
, pick_image_search_path(class)) {
1621 if (!empty_or_root(root
)) {
1622 q
= path_startswith(path
, root
);
1628 p
= path_startswith(q
, path
);
1632 /* Make sure there's a filename following */
1633 k
= strcspn(p
, "/");
1639 /* Accept trailing slashes */
1640 if (p
[strspn(p
, "/")] == 0)
1647 int image_to_json(const struct Image
*img
, sd_json_variant
**ret
) {
1650 return sd_json_buildo(
1652 SD_JSON_BUILD_PAIR_STRING("Type", image_type_to_string(img
->type
)),
1653 SD_JSON_BUILD_PAIR_STRING("Class", image_class_to_string(img
->class)),
1654 SD_JSON_BUILD_PAIR_STRING("Name", img
->name
),
1655 SD_JSON_BUILD_PAIR_CONDITION(!!img
->path
, "Path", SD_JSON_BUILD_STRING(img
->path
)),
1656 SD_JSON_BUILD_PAIR_BOOLEAN("ReadOnly", img
->read_only
),
1657 SD_JSON_BUILD_PAIR_CONDITION(img
->crtime
!= 0, "CreationTimestamp", SD_JSON_BUILD_UNSIGNED(img
->crtime
)),
1658 SD_JSON_BUILD_PAIR_CONDITION(img
->mtime
!= 0, "ModificationTimestamp", SD_JSON_BUILD_UNSIGNED(img
->mtime
)),
1659 SD_JSON_BUILD_PAIR_CONDITION(img
->usage
!= UINT64_MAX
, "Usage", SD_JSON_BUILD_UNSIGNED(img
->usage
)),
1660 SD_JSON_BUILD_PAIR_CONDITION(img
->usage_exclusive
!= UINT64_MAX
, "UsageExclusive", SD_JSON_BUILD_UNSIGNED(img
->usage_exclusive
)),
1661 SD_JSON_BUILD_PAIR_CONDITION(img
->limit
!= UINT64_MAX
, "Limit", SD_JSON_BUILD_UNSIGNED(img
->limit
)),
1662 SD_JSON_BUILD_PAIR_CONDITION(img
->limit_exclusive
!= UINT64_MAX
, "LimitExclusive", SD_JSON_BUILD_UNSIGNED(img
->limit_exclusive
)));
1665 static const char* const image_type_table
[_IMAGE_TYPE_MAX
] = {
1666 [IMAGE_DIRECTORY
] = "directory",
1667 [IMAGE_SUBVOLUME
] = "subvolume",
1668 [IMAGE_RAW
] = "raw",
1669 [IMAGE_BLOCK
] = "block",
1672 DEFINE_STRING_TABLE_LOOKUP(image_type
, ImageType
);