1 /* SPDX-License-Identifier: LGPL-2.1+ */
10 #include <linux/loop.h>
14 #include <selinux/selinux.h>
21 #include <sys/personality.h>
22 #include <sys/prctl.h>
23 #include <sys/types.h>
28 #include "sd-daemon.h"
31 #include "alloc-util.h"
33 #include "base-filesystem.h"
34 #include "blkid-util.h"
35 #include "btrfs-util.h"
36 #include "bus-error.h"
39 #include "capability-util.h"
40 #include "cgroup-util.h"
42 #include "cpu-set-util.h"
43 #include "dev-setup.h"
44 #include "dissect-image.h"
49 #include "format-util.h"
52 #include "hexdecoct.h"
53 #include "hostname-util.h"
54 #include "id128-util.h"
56 #include "loop-util.h"
57 #include "loopback-setup.h"
58 #include "machine-image.h"
60 #include "main-func.h"
63 #include "mount-util.h"
64 #include "mountpoint-util.h"
65 #include "namespace-util.h"
66 #include "netlink-util.h"
67 #include "nspawn-cgroup.h"
68 #include "nspawn-def.h"
69 #include "nspawn-expose-ports.h"
70 #include "nspawn-mount.h"
71 #include "nspawn-network.h"
72 #include "nspawn-oci.h"
73 #include "nspawn-patch-uid.h"
74 #include "nspawn-register.h"
75 #include "nspawn-seccomp.h"
76 #include "nspawn-settings.h"
77 #include "nspawn-setuid.h"
78 #include "nspawn-stub-pid1.h"
79 #include "nulstr-util.h"
82 #include "parse-util.h"
83 #include "path-util.h"
84 #include "pretty-print.h"
85 #include "process-util.h"
87 #include "random-util.h"
88 #include "raw-clone.h"
89 #include "rlimit-util.h"
92 #include "seccomp-util.h"
94 #include "selinux-util.h"
95 #include "signal-util.h"
96 #include "socket-util.h"
97 #include "stat-util.h"
98 #include "stdio-util.h"
99 #include "string-table.h"
100 #include "string-util.h"
102 #include "sysctl-util.h"
103 #include "terminal-util.h"
104 #include "tmpfile-util.h"
105 #include "umask-util.h"
106 #include "user-util.h"
110 #define STATIC_RESOLV_CONF "/lib/systemd/resolv.conf"
112 #define STATIC_RESOLV_CONF "/usr/lib/systemd/resolv.conf"
115 /* nspawn is listening on the socket at the path in the constant nspawn_notify_socket_path
116 * nspawn_notify_socket_path is relative to the container
117 * the init process in the container pid can send messages to nspawn following the sd_notify(3) protocol */
118 #define NSPAWN_NOTIFY_SOCKET_PATH "/run/systemd/nspawn/notify"
120 #define EXIT_FORCE_RESTART 133
122 typedef enum ContainerStatus
{
123 CONTAINER_TERMINATED
,
127 static char *arg_directory
= NULL
;
128 static char *arg_template
= NULL
;
129 static char *arg_chdir
= NULL
;
130 static char *arg_pivot_root_new
= NULL
;
131 static char *arg_pivot_root_old
= NULL
;
132 static char *arg_user
= NULL
;
133 static uid_t arg_uid
= UID_INVALID
;
134 static gid_t arg_gid
= GID_INVALID
;
135 static gid_t
* arg_supplementary_gids
= NULL
;
136 static size_t arg_n_supplementary_gids
= 0;
137 static sd_id128_t arg_uuid
= {};
138 static char *arg_machine
= NULL
; /* The name used by the host to refer to this */
139 static char *arg_hostname
= NULL
; /* The name the payload sees by default */
140 static const char *arg_selinux_context
= NULL
;
141 static const char *arg_selinux_apifs_context
= NULL
;
142 static char *arg_slice
= NULL
;
143 static bool arg_private_network
= false;
144 static bool arg_read_only
= false;
145 static StartMode arg_start_mode
= START_PID1
;
146 static bool arg_ephemeral
= false;
147 static LinkJournal arg_link_journal
= LINK_AUTO
;
148 static bool arg_link_journal_try
= false;
149 static uint64_t arg_caps_retain
=
150 (1ULL << CAP_AUDIT_CONTROL
) |
151 (1ULL << CAP_AUDIT_WRITE
) |
152 (1ULL << CAP_CHOWN
) |
153 (1ULL << CAP_DAC_OVERRIDE
) |
154 (1ULL << CAP_DAC_READ_SEARCH
) |
155 (1ULL << CAP_FOWNER
) |
156 (1ULL << CAP_FSETID
) |
157 (1ULL << CAP_IPC_OWNER
) |
159 (1ULL << CAP_LEASE
) |
160 (1ULL << CAP_LINUX_IMMUTABLE
) |
161 (1ULL << CAP_MKNOD
) |
162 (1ULL << CAP_NET_BIND_SERVICE
) |
163 (1ULL << CAP_NET_BROADCAST
) |
164 (1ULL << CAP_NET_RAW
) |
165 (1ULL << CAP_SETFCAP
) |
166 (1ULL << CAP_SETGID
) |
167 (1ULL << CAP_SETPCAP
) |
168 (1ULL << CAP_SETUID
) |
169 (1ULL << CAP_SYS_ADMIN
) |
170 (1ULL << CAP_SYS_BOOT
) |
171 (1ULL << CAP_SYS_CHROOT
) |
172 (1ULL << CAP_SYS_NICE
) |
173 (1ULL << CAP_SYS_PTRACE
) |
174 (1ULL << CAP_SYS_RESOURCE
) |
175 (1ULL << CAP_SYS_TTY_CONFIG
);
176 static CapabilityQuintet arg_full_capabilities
= CAPABILITY_QUINTET_NULL
;
177 static CustomMount
*arg_custom_mounts
= NULL
;
178 static size_t arg_n_custom_mounts
= 0;
179 static char **arg_setenv
= NULL
;
180 static bool arg_quiet
= false;
181 static bool arg_register
= true;
182 static bool arg_keep_unit
= false;
183 static char **arg_network_interfaces
= NULL
;
184 static char **arg_network_macvlan
= NULL
;
185 static char **arg_network_ipvlan
= NULL
;
186 static bool arg_network_veth
= false;
187 static char **arg_network_veth_extra
= NULL
;
188 static char *arg_network_bridge
= NULL
;
189 static char *arg_network_zone
= NULL
;
190 static char *arg_network_namespace_path
= NULL
;
191 static PagerFlags arg_pager_flags
= 0;
192 static unsigned long arg_personality
= PERSONALITY_INVALID
;
193 static char *arg_image
= NULL
;
194 static char *arg_oci_bundle
= NULL
;
195 static VolatileMode arg_volatile_mode
= VOLATILE_NO
;
196 static ExposePort
*arg_expose_ports
= NULL
;
197 static char **arg_property
= NULL
;
198 static sd_bus_message
*arg_property_message
= NULL
;
199 static UserNamespaceMode arg_userns_mode
= USER_NAMESPACE_NO
;
200 static uid_t arg_uid_shift
= UID_INVALID
, arg_uid_range
= 0x10000U
;
201 static bool arg_userns_chown
= false;
202 static int arg_kill_signal
= 0;
203 static CGroupUnified arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_UNKNOWN
;
204 static SettingsMask arg_settings_mask
= 0;
205 static int arg_settings_trusted
= -1;
206 static char **arg_parameters
= NULL
;
207 static const char *arg_container_service_name
= "systemd-nspawn";
208 static bool arg_notify_ready
= false;
209 static bool arg_use_cgns
= true;
210 static unsigned long arg_clone_ns_flags
= CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
;
211 static MountSettingsMask arg_mount_settings
= MOUNT_APPLY_APIVFS_RO
|MOUNT_APPLY_TMPFS_TMP
;
212 static void *arg_root_hash
= NULL
;
213 static size_t arg_root_hash_size
= 0;
214 static char **arg_syscall_whitelist
= NULL
;
215 static char **arg_syscall_blacklist
= NULL
;
217 static scmp_filter_ctx arg_seccomp
= NULL
;
219 static struct rlimit
*arg_rlimit
[_RLIMIT_MAX
] = {};
220 static bool arg_no_new_privileges
= false;
221 static int arg_oom_score_adjust
= 0;
222 static bool arg_oom_score_adjust_set
= false;
223 static cpu_set_t
*arg_cpuset
= NULL
;
224 static unsigned arg_cpuset_ncpus
= 0;
225 static ResolvConfMode arg_resolv_conf
= RESOLV_CONF_AUTO
;
226 static TimezoneMode arg_timezone
= TIMEZONE_AUTO
;
227 static unsigned arg_console_width
= (unsigned) -1, arg_console_height
= (unsigned) -1;
228 static DeviceNode
* arg_extra_nodes
= NULL
;
229 static size_t arg_n_extra_nodes
= 0;
230 static char **arg_sysctl
= NULL
;
231 static ConsoleMode arg_console_mode
= _CONSOLE_MODE_INVALID
;
233 STATIC_DESTRUCTOR_REGISTER(arg_directory
, freep
);
234 STATIC_DESTRUCTOR_REGISTER(arg_template
, freep
);
235 STATIC_DESTRUCTOR_REGISTER(arg_chdir
, freep
);
236 STATIC_DESTRUCTOR_REGISTER(arg_pivot_root_new
, freep
);
237 STATIC_DESTRUCTOR_REGISTER(arg_pivot_root_old
, freep
);
238 STATIC_DESTRUCTOR_REGISTER(arg_user
, freep
);
239 STATIC_DESTRUCTOR_REGISTER(arg_supplementary_gids
, freep
);
240 STATIC_DESTRUCTOR_REGISTER(arg_machine
, freep
);
241 STATIC_DESTRUCTOR_REGISTER(arg_hostname
, freep
);
242 STATIC_DESTRUCTOR_REGISTER(arg_slice
, freep
);
243 STATIC_DESTRUCTOR_REGISTER(arg_setenv
, strv_freep
);
244 STATIC_DESTRUCTOR_REGISTER(arg_network_interfaces
, strv_freep
);
245 STATIC_DESTRUCTOR_REGISTER(arg_network_macvlan
, strv_freep
);
246 STATIC_DESTRUCTOR_REGISTER(arg_network_ipvlan
, strv_freep
);
247 STATIC_DESTRUCTOR_REGISTER(arg_network_veth_extra
, strv_freep
);
248 STATIC_DESTRUCTOR_REGISTER(arg_network_bridge
, freep
);
249 STATIC_DESTRUCTOR_REGISTER(arg_network_zone
, freep
);
250 STATIC_DESTRUCTOR_REGISTER(arg_network_namespace_path
, freep
);
251 STATIC_DESTRUCTOR_REGISTER(arg_image
, freep
);
252 STATIC_DESTRUCTOR_REGISTER(arg_oci_bundle
, freep
);
253 STATIC_DESTRUCTOR_REGISTER(arg_property
, strv_freep
);
254 STATIC_DESTRUCTOR_REGISTER(arg_property_message
, sd_bus_message_unrefp
);
255 STATIC_DESTRUCTOR_REGISTER(arg_parameters
, strv_freep
);
256 STATIC_DESTRUCTOR_REGISTER(arg_root_hash
, freep
);
257 STATIC_DESTRUCTOR_REGISTER(arg_syscall_whitelist
, strv_freep
);
258 STATIC_DESTRUCTOR_REGISTER(arg_syscall_blacklist
, strv_freep
);
260 STATIC_DESTRUCTOR_REGISTER(arg_seccomp
, seccomp_releasep
);
262 STATIC_DESTRUCTOR_REGISTER(arg_cpuset
, CPU_FREEp
);
263 STATIC_DESTRUCTOR_REGISTER(arg_sysctl
, strv_freep
);
265 static int help(void) {
266 _cleanup_free_
char *link
= NULL
;
269 (void) pager_open(arg_pager_flags
);
271 r
= terminal_urlify_man("systemd-nspawn", "1", &link
);
275 printf("%1$s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
276 "Spawn a command or OS in a light-weight container.\n\n"
277 " -h --help Show this help\n"
278 " --version Print version string\n"
279 " -q --quiet Do not show status information\n"
280 " --no-pager Do not pipe output into a pager\n"
281 " --settings=BOOLEAN Load additional settings from .nspawn file\n\n"
283 " -D --directory=PATH Root directory for the container\n"
284 " --template=PATH Initialize root directory from template directory,\n"
286 " -x --ephemeral Run container with snapshot of root directory, and\n"
287 " remove it after exit\n"
288 " -i --image=PATH Root file system disk image (or device node) for\n"
290 " --oci-bundle=PATH OCI bundle directory\n"
291 " --read-only Mount the root directory read-only\n"
292 " --volatile[=MODE] Run the system in volatile mode\n"
293 " --root-hash=HASH Specify verity root hash for root disk image\n"
294 " --pivot-root=PATH[:PATH]\n"
295 " Pivot root to given directory in the container\n\n"
296 "%3$sExecution:%4$s\n"
297 " -a --as-pid2 Maintain a stub init as PID1, invoke binary as PID2\n"
298 " -b --boot Boot up full system (i.e. invoke init)\n"
299 " --chdir=PATH Set working directory in the container\n"
300 " -E --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
301 " -u --user=USER Run the command under specified user or UID\n"
302 " --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
303 " --notify-ready=BOOLEAN Receive notifications from the child init process\n\n"
304 "%3$sSystem Identity:%4$s\n"
305 " -M --machine=NAME Set the machine name for the container\n"
306 " --hostname=NAME Override the hostname for the container\n"
307 " --uuid=UUID Set a specific machine UUID for the container\n\n"
308 "%3$sProperties:%4$s\n"
309 " -S --slice=SLICE Place the container in the specified slice\n"
310 " --property=NAME=VALUE Set scope unit property\n"
311 " --register=BOOLEAN Register container as machine\n"
312 " --keep-unit Do not register a scope for the machine, reuse\n"
313 " the service unit nspawn is running in\n\n"
314 "%3$sUser Namespacing:%4$s\n"
315 " -U --private-users=pick Run within user namespace, autoselect UID/GID range\n"
316 " --private-users[=UIDBASE[:NUIDS]]\n"
317 " Similar, but with user configured UID/GID range\n"
318 " --private-users-chown Adjust OS tree ownership to private UID/GID range\n\n"
319 "%3$sNetworking:%4$s\n"
320 " --private-network Disable network in container\n"
321 " --network-interface=INTERFACE\n"
322 " Assign an existing network interface to the\n"
324 " --network-macvlan=INTERFACE\n"
325 " Create a macvlan network interface based on an\n"
326 " existing network interface to the container\n"
327 " --network-ipvlan=INTERFACE\n"
328 " Create a ipvlan network interface based on an\n"
329 " existing network interface to the container\n"
330 " -n --network-veth Add a virtual Ethernet connection between host\n"
332 " --network-veth-extra=HOSTIF[:CONTAINERIF]\n"
333 " Add an additional virtual Ethernet link between\n"
334 " host and container\n"
335 " --network-bridge=INTERFACE\n"
336 " Add a virtual Ethernet connection to the container\n"
337 " and attach it to an existing bridge on the host\n"
338 " --network-zone=NAME Similar, but attach the new interface to an\n"
339 " an automatically managed bridge interface\n"
340 " --network-namespace-path=PATH\n"
341 " Set network namespace to the one represented by\n"
342 " the specified kernel namespace file node\n"
343 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
344 " Expose a container IP port on the host\n\n"
345 "%3$sSecurity:%4$s\n"
346 " --capability=CAP In addition to the default, retain specified\n"
348 " --drop-capability=CAP Drop the specified capability from the default set\n"
349 " --no-new-privileges Set PR_SET_NO_NEW_PRIVS flag for container payload\n"
350 " --system-call-filter=LIST|~LIST\n"
351 " Permit/prohibit specific system calls\n"
352 " -Z --selinux-context=SECLABEL\n"
353 " Set the SELinux security context to be used by\n"
354 " processes in the container\n"
355 " -L --selinux-apifs-context=SECLABEL\n"
356 " Set the SELinux security context to be used by\n"
357 " API/tmpfs file systems in the container\n\n"
358 "%3$sResources:%4$s\n"
359 " --rlimit=NAME=LIMIT Set a resource limit for the payload\n"
360 " --oom-score-adjust=VALUE\n"
361 " Adjust the OOM score value for the payload\n"
362 " --cpu-affinity=CPUS Adjust the CPU affinity of the container\n"
363 " --personality=ARCH Pick personality for this container\n\n"
364 "%3$sIntegration:%4$s\n"
365 " --resolv-conf=MODE Select mode of /etc/resolv.conf initialization\n"
366 " --timezone=MODE Select mode of /etc/localtime initialization\n"
367 " --link-journal=MODE Link up guest journal, one of no, auto, guest, \n"
368 " host, try-guest, try-host\n"
369 " -j Equivalent to --link-journal=try-guest\n\n"
371 " --bind=PATH[:PATH[:OPTIONS]]\n"
372 " Bind mount a file or directory from the host into\n"
374 " --bind-ro=PATH[:PATH[:OPTIONS]\n"
375 " Similar, but creates a read-only bind mount\n"
376 " --inaccessible=PATH Over-mount file node with inaccessible node to mask\n"
378 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
379 " --overlay=PATH[:PATH...]:PATH\n"
380 " Create an overlay mount from the host to \n"
382 " --overlay-ro=PATH[:PATH...]:PATH\n"
383 " Similar, but creates a read-only overlay mount\n\n"
384 "%3$sInput/Output:%4$s\n"
385 " --console=MODE Select how stdin/stdout/stderr and /dev/console are\n"
386 " set up for the container.\n"
387 " -P --pipe Equivalent to --console=pipe\n"
388 "\nSee the %2$s for details.\n"
389 , program_invocation_short_name
391 , ansi_underline(), ansi_normal());
396 static int custom_mount_check_all(void) {
399 for (i
= 0; i
< arg_n_custom_mounts
; i
++) {
400 CustomMount
*m
= &arg_custom_mounts
[i
];
402 if (path_equal(m
->destination
, "/") && arg_userns_mode
!= USER_NAMESPACE_NO
) {
403 if (arg_userns_chown
)
404 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
405 "--private-users-chown may not be combined with custom root mounts.");
406 else if (arg_uid_shift
== UID_INVALID
)
407 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
408 "--private-users with automatic UID shift may not be combined with custom root mounts.");
415 static int detect_unified_cgroup_hierarchy_from_environment(void) {
419 /* Allow the user to control whether the unified hierarchy is used */
420 e
= getenv("UNIFIED_CGROUP_HIERARCHY");
422 r
= parse_boolean(e
);
424 return log_error_errno(r
, "Failed to parse $UNIFIED_CGROUP_HIERARCHY.");
426 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_ALL
;
428 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
434 static int detect_unified_cgroup_hierarchy_from_image(const char *directory
) {
437 /* Let's inherit the mode to use from the host system, but let's take into consideration what systemd in the
438 * image actually supports. */
439 r
= cg_all_unified();
441 return log_error_errno(r
, "Failed to determine whether we are in all unified mode.");
443 /* Unified cgroup hierarchy support was added in 230. Unfortunately the detection
444 * routine only detects 231, so we'll have a false negative here for 230. */
445 r
= systemd_installation_has_version(directory
, 230);
447 return log_error_errno(r
, "Failed to determine systemd version in container: %m");
449 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_ALL
;
451 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
452 } else if (cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER
) > 0) {
453 /* Mixed cgroup hierarchy support was added in 233 */
454 r
= systemd_installation_has_version(directory
, 233);
456 return log_error_errno(r
, "Failed to determine systemd version in container: %m");
458 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_SYSTEMD
;
460 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
462 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
464 log_debug("Using %s hierarchy for container.",
465 arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_NONE
? "legacy" :
466 arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_SYSTEMD
? "hybrid" : "unified");
471 static void parse_share_ns_env(const char *name
, unsigned long ns_flag
) {
474 r
= getenv_bool(name
);
478 log_warning_errno(r
, "Failed to parse %s from environment, defaulting to false.", name
);
480 arg_clone_ns_flags
= (arg_clone_ns_flags
& ~ns_flag
) | (r
> 0 ? 0 : ns_flag
);
481 arg_settings_mask
|= SETTING_CLONE_NS_FLAGS
;
484 static void parse_mount_settings_env(void) {
488 r
= getenv_bool("SYSTEMD_NSPAWN_TMPFS_TMP");
490 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_TMPFS_TMP
, r
> 0);
491 else if (r
!= -ENXIO
)
492 log_warning_errno(r
, "Failed to parse $SYSTEMD_NSPAWN_TMPFS_TMP, ignoring: %m");
494 e
= getenv("SYSTEMD_NSPAWN_API_VFS_WRITABLE");
498 if (streq(e
, "network")) {
499 arg_mount_settings
|= MOUNT_APPLY_APIVFS_RO
|MOUNT_APPLY_APIVFS_NETNS
;
503 r
= parse_boolean(e
);
505 log_warning_errno(r
, "Failed to parse SYSTEMD_NSPAWN_API_VFS_WRITABLE from environment, ignoring.");
509 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_APIVFS_RO
, r
== 0);
510 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_APIVFS_NETNS
, false);
513 static void parse_environment(void) {
517 parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_IPC", CLONE_NEWIPC
);
518 parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_PID", CLONE_NEWPID
);
519 parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_UTS", CLONE_NEWUTS
);
520 parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_SYSTEM", CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
);
522 parse_mount_settings_env();
524 /* SYSTEMD_NSPAWN_USE_CGNS=0 can be used to disable CLONE_NEWCGROUP use,
525 * even if it is supported. If not supported, it has no effect. */
526 if (!cg_ns_supported())
527 arg_use_cgns
= false;
529 r
= getenv_bool("SYSTEMD_NSPAWN_USE_CGNS");
532 log_warning_errno(r
, "Failed to parse $SYSTEMD_NSPAWN_USE_CGNS, ignoring: %m");
536 arg_use_cgns
= r
> 0;
537 arg_settings_mask
|= SETTING_USE_CGNS
;
541 e
= getenv("SYSTEMD_NSPAWN_CONTAINER_SERVICE");
543 arg_container_service_name
= e
;
545 detect_unified_cgroup_hierarchy_from_environment();
548 static int parse_argv(int argc
, char *argv
[]) {
566 ARG_NETWORK_INTERFACE
,
571 ARG_NETWORK_VETH_EXTRA
,
572 ARG_NETWORK_NAMESPACE_PATH
,
582 ARG_PRIVATE_USERS_CHOWN
,
585 ARG_SYSTEM_CALL_FILTER
,
588 ARG_NO_NEW_PRIVILEGES
,
589 ARG_OOM_SCORE_ADJUST
,
599 static const struct option options
[] = {
600 { "help", no_argument
, NULL
, 'h' },
601 { "version", no_argument
, NULL
, ARG_VERSION
},
602 { "directory", required_argument
, NULL
, 'D' },
603 { "template", required_argument
, NULL
, ARG_TEMPLATE
},
604 { "ephemeral", no_argument
, NULL
, 'x' },
605 { "user", required_argument
, NULL
, 'u' },
606 { "private-network", no_argument
, NULL
, ARG_PRIVATE_NETWORK
},
607 { "as-pid2", no_argument
, NULL
, 'a' },
608 { "boot", no_argument
, NULL
, 'b' },
609 { "uuid", required_argument
, NULL
, ARG_UUID
},
610 { "read-only", no_argument
, NULL
, ARG_READ_ONLY
},
611 { "capability", required_argument
, NULL
, ARG_CAPABILITY
},
612 { "drop-capability", required_argument
, NULL
, ARG_DROP_CAPABILITY
},
613 { "no-new-privileges", required_argument
, NULL
, ARG_NO_NEW_PRIVILEGES
},
614 { "link-journal", required_argument
, NULL
, ARG_LINK_JOURNAL
},
615 { "bind", required_argument
, NULL
, ARG_BIND
},
616 { "bind-ro", required_argument
, NULL
, ARG_BIND_RO
},
617 { "tmpfs", required_argument
, NULL
, ARG_TMPFS
},
618 { "overlay", required_argument
, NULL
, ARG_OVERLAY
},
619 { "overlay-ro", required_argument
, NULL
, ARG_OVERLAY_RO
},
620 { "inaccessible", required_argument
, NULL
, ARG_INACCESSIBLE
},
621 { "machine", required_argument
, NULL
, 'M' },
622 { "hostname", required_argument
, NULL
, ARG_HOSTNAME
},
623 { "slice", required_argument
, NULL
, 'S' },
624 { "setenv", required_argument
, NULL
, 'E' },
625 { "selinux-context", required_argument
, NULL
, 'Z' },
626 { "selinux-apifs-context", required_argument
, NULL
, 'L' },
627 { "quiet", no_argument
, NULL
, 'q' },
628 { "share-system", no_argument
, NULL
, ARG_SHARE_SYSTEM
}, /* not documented */
629 { "register", required_argument
, NULL
, ARG_REGISTER
},
630 { "keep-unit", no_argument
, NULL
, ARG_KEEP_UNIT
},
631 { "network-interface", required_argument
, NULL
, ARG_NETWORK_INTERFACE
},
632 { "network-macvlan", required_argument
, NULL
, ARG_NETWORK_MACVLAN
},
633 { "network-ipvlan", required_argument
, NULL
, ARG_NETWORK_IPVLAN
},
634 { "network-veth", no_argument
, NULL
, 'n' },
635 { "network-veth-extra", required_argument
, NULL
, ARG_NETWORK_VETH_EXTRA
},
636 { "network-bridge", required_argument
, NULL
, ARG_NETWORK_BRIDGE
},
637 { "network-zone", required_argument
, NULL
, ARG_NETWORK_ZONE
},
638 { "network-namespace-path", required_argument
, NULL
, ARG_NETWORK_NAMESPACE_PATH
},
639 { "personality", required_argument
, NULL
, ARG_PERSONALITY
},
640 { "image", required_argument
, NULL
, 'i' },
641 { "volatile", optional_argument
, NULL
, ARG_VOLATILE
},
642 { "port", required_argument
, NULL
, 'p' },
643 { "property", required_argument
, NULL
, ARG_PROPERTY
},
644 { "private-users", optional_argument
, NULL
, ARG_PRIVATE_USERS
},
645 { "private-users-chown", optional_argument
, NULL
, ARG_PRIVATE_USERS_CHOWN
},
646 { "kill-signal", required_argument
, NULL
, ARG_KILL_SIGNAL
},
647 { "settings", required_argument
, NULL
, ARG_SETTINGS
},
648 { "chdir", required_argument
, NULL
, ARG_CHDIR
},
649 { "pivot-root", required_argument
, NULL
, ARG_PIVOT_ROOT
},
650 { "notify-ready", required_argument
, NULL
, ARG_NOTIFY_READY
},
651 { "root-hash", required_argument
, NULL
, ARG_ROOT_HASH
},
652 { "system-call-filter", required_argument
, NULL
, ARG_SYSTEM_CALL_FILTER
},
653 { "rlimit", required_argument
, NULL
, ARG_RLIMIT
},
654 { "oom-score-adjust", required_argument
, NULL
, ARG_OOM_SCORE_ADJUST
},
655 { "cpu-affinity", required_argument
, NULL
, ARG_CPU_AFFINITY
},
656 { "resolv-conf", required_argument
, NULL
, ARG_RESOLV_CONF
},
657 { "timezone", required_argument
, NULL
, ARG_TIMEZONE
},
658 { "console", required_argument
, NULL
, ARG_CONSOLE
},
659 { "pipe", no_argument
, NULL
, ARG_PIPE
},
660 { "oci-bundle", required_argument
, NULL
, ARG_OCI_BUNDLE
},
661 { "no-pager", no_argument
, NULL
, ARG_NO_PAGER
},
667 uint64_t plus
= 0, minus
= 0;
668 bool mask_all_settings
= false, mask_no_settings
= false;
673 while ((c
= getopt_long(argc
, argv
, "+hD:u:abL:M:jS:Z:qi:xp:nUE:P", options
, NULL
)) >= 0)
683 r
= parse_path_argument_and_warn(optarg
, false, &arg_directory
);
687 arg_settings_mask
|= SETTING_DIRECTORY
;
691 r
= parse_path_argument_and_warn(optarg
, false, &arg_template
);
695 arg_settings_mask
|= SETTING_DIRECTORY
;
699 r
= parse_path_argument_and_warn(optarg
, false, &arg_image
);
703 arg_settings_mask
|= SETTING_DIRECTORY
;
707 r
= parse_path_argument_and_warn(optarg
, false, &arg_oci_bundle
);
714 arg_ephemeral
= true;
715 arg_settings_mask
|= SETTING_EPHEMERAL
;
719 r
= free_and_strdup(&arg_user
, optarg
);
723 arg_settings_mask
|= SETTING_USER
;
726 case ARG_NETWORK_ZONE
: {
729 j
= strappend("vz-", optarg
);
733 if (!ifname_valid(j
)) {
734 log_error("Network zone name not valid: %s", j
);
739 free_and_replace(arg_network_zone
, j
);
741 arg_network_veth
= true;
742 arg_private_network
= true;
743 arg_settings_mask
|= SETTING_NETWORK
;
747 case ARG_NETWORK_BRIDGE
:
749 if (!ifname_valid(optarg
))
750 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
751 "Bridge interface name not valid: %s", optarg
);
753 r
= free_and_strdup(&arg_network_bridge
, optarg
);
759 arg_network_veth
= true;
760 arg_private_network
= true;
761 arg_settings_mask
|= SETTING_NETWORK
;
764 case ARG_NETWORK_VETH_EXTRA
:
765 r
= veth_extra_parse(&arg_network_veth_extra
, optarg
);
767 return log_error_errno(r
, "Failed to parse --network-veth-extra= parameter: %s", optarg
);
769 arg_private_network
= true;
770 arg_settings_mask
|= SETTING_NETWORK
;
773 case ARG_NETWORK_INTERFACE
:
774 if (!ifname_valid(optarg
))
775 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
776 "Network interface name not valid: %s", optarg
);
778 if (strv_extend(&arg_network_interfaces
, optarg
) < 0)
781 arg_private_network
= true;
782 arg_settings_mask
|= SETTING_NETWORK
;
785 case ARG_NETWORK_MACVLAN
:
787 if (!ifname_valid(optarg
))
788 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
789 "MACVLAN network interface name not valid: %s", optarg
);
791 if (strv_extend(&arg_network_macvlan
, optarg
) < 0)
794 arg_private_network
= true;
795 arg_settings_mask
|= SETTING_NETWORK
;
798 case ARG_NETWORK_IPVLAN
:
800 if (!ifname_valid(optarg
))
801 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
802 "IPVLAN network interface name not valid: %s", optarg
);
804 if (strv_extend(&arg_network_ipvlan
, optarg
) < 0)
808 case ARG_PRIVATE_NETWORK
:
809 arg_private_network
= true;
810 arg_settings_mask
|= SETTING_NETWORK
;
813 case ARG_NETWORK_NAMESPACE_PATH
:
814 r
= parse_path_argument_and_warn(optarg
, false, &arg_network_namespace_path
);
818 arg_settings_mask
|= SETTING_NETWORK
;
822 if (arg_start_mode
== START_PID2
)
823 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
824 "--boot and --as-pid2 may not be combined.");
826 arg_start_mode
= START_BOOT
;
827 arg_settings_mask
|= SETTING_START_MODE
;
831 if (arg_start_mode
== START_BOOT
)
832 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
833 "--boot and --as-pid2 may not be combined.");
835 arg_start_mode
= START_PID2
;
836 arg_settings_mask
|= SETTING_START_MODE
;
840 r
= sd_id128_from_string(optarg
, &arg_uuid
);
842 return log_error_errno(r
, "Invalid UUID: %s", optarg
);
844 if (sd_id128_is_null(arg_uuid
))
845 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
846 "Machine UUID may not be all zeroes.");
848 arg_settings_mask
|= SETTING_MACHINE_ID
;
852 r
= free_and_strdup(&arg_slice
, optarg
);
856 arg_settings_mask
|= SETTING_SLICE
;
861 arg_machine
= mfree(arg_machine
);
863 if (!machine_name_is_valid(optarg
))
864 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
865 "Invalid machine name: %s", optarg
);
867 r
= free_and_strdup(&arg_machine
, optarg
);
875 arg_hostname
= mfree(arg_hostname
);
877 if (!hostname_is_valid(optarg
, false))
878 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
879 "Invalid hostname: %s", optarg
);
881 r
= free_and_strdup(&arg_hostname
, optarg
);
886 arg_settings_mask
|= SETTING_HOSTNAME
;
890 arg_selinux_context
= optarg
;
894 arg_selinux_apifs_context
= optarg
;
898 arg_read_only
= true;
899 arg_settings_mask
|= SETTING_READ_ONLY
;
903 case ARG_DROP_CAPABILITY
: {
906 _cleanup_free_
char *t
= NULL
;
908 r
= extract_first_word(&p
, &t
, ",", 0);
910 return log_error_errno(r
, "Failed to parse capability %s.", t
);
914 if (streq(t
, "all")) {
915 if (c
== ARG_CAPABILITY
)
916 plus
= (uint64_t) -1;
918 minus
= (uint64_t) -1;
920 r
= capability_from_name(t
);
922 return log_error_errno(r
, "Failed to parse capability %s.", t
);
924 if (c
== ARG_CAPABILITY
)
931 arg_settings_mask
|= SETTING_CAPABILITY
;
935 case ARG_NO_NEW_PRIVILEGES
:
936 r
= parse_boolean(optarg
);
938 return log_error_errno(r
, "Failed to parse --no-new-privileges= argument: %s", optarg
);
940 arg_no_new_privileges
= r
;
941 arg_settings_mask
|= SETTING_NO_NEW_PRIVILEGES
;
945 arg_link_journal
= LINK_GUEST
;
946 arg_link_journal_try
= true;
947 arg_settings_mask
|= SETTING_LINK_JOURNAL
;
950 case ARG_LINK_JOURNAL
:
951 r
= parse_link_journal(optarg
, &arg_link_journal
, &arg_link_journal_try
);
953 log_error_errno(r
, "Failed to parse link journal mode %s", optarg
);
957 arg_settings_mask
|= SETTING_LINK_JOURNAL
;
962 r
= bind_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
, c
== ARG_BIND_RO
);
964 return log_error_errno(r
, "Failed to parse --bind(-ro)= argument %s: %m", optarg
);
966 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
970 r
= tmpfs_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
);
972 return log_error_errno(r
, "Failed to parse --tmpfs= argument %s: %m", optarg
);
974 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
979 r
= overlay_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
, c
== ARG_OVERLAY_RO
);
980 if (r
== -EADDRNOTAVAIL
)
981 return log_error_errno(r
, "--overlay(-ro)= needs at least two colon-separated directories specified.");
983 return log_error_errno(r
, "Failed to parse --overlay(-ro)= argument %s: %m", optarg
);
985 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
988 case ARG_INACCESSIBLE
:
989 r
= inaccessible_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
);
991 return log_error_errno(r
, "Failed to parse --inaccessible= argument %s: %m", optarg
);
993 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
999 if (!env_assignment_is_valid(optarg
))
1000 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1001 "Environment variable assignment '%s' is not valid.", optarg
);
1003 n
= strv_env_set(arg_setenv
, optarg
);
1007 strv_free_and_replace(arg_setenv
, n
);
1008 arg_settings_mask
|= SETTING_ENVIRONMENT
;
1016 case ARG_SHARE_SYSTEM
:
1017 /* We don't officially support this anymore, except for compat reasons. People should use the
1018 * $SYSTEMD_NSPAWN_SHARE_* environment variables instead. */
1019 log_warning("Please do not use --share-system anymore, use $SYSTEMD_NSPAWN_SHARE_* instead.");
1020 arg_clone_ns_flags
= 0;
1024 r
= parse_boolean(optarg
);
1026 log_error("Failed to parse --register= argument: %s", optarg
);
1034 arg_keep_unit
= true;
1037 case ARG_PERSONALITY
:
1039 arg_personality
= personality_from_string(optarg
);
1040 if (arg_personality
== PERSONALITY_INVALID
)
1041 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1042 "Unknown or unsupported personality '%s'.", optarg
);
1044 arg_settings_mask
|= SETTING_PERSONALITY
;
1050 arg_volatile_mode
= VOLATILE_YES
;
1051 else if (streq(optarg
, "help")) {
1052 DUMP_STRING_TABLE(volatile_mode
, VolatileMode
, _VOLATILE_MODE_MAX
);
1057 m
= volatile_mode_from_string(optarg
);
1059 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1060 "Failed to parse --volatile= argument: %s", optarg
);
1062 arg_volatile_mode
= m
;
1065 arg_settings_mask
|= SETTING_VOLATILE_MODE
;
1069 r
= expose_port_parse(&arg_expose_ports
, optarg
);
1071 return log_error_errno(r
, "Duplicate port specification: %s", optarg
);
1073 return log_error_errno(r
, "Failed to parse host port %s: %m", optarg
);
1075 arg_settings_mask
|= SETTING_EXPOSE_PORTS
;
1079 if (strv_extend(&arg_property
, optarg
) < 0)
1084 case ARG_PRIVATE_USERS
: {
1089 else if (!in_charset(optarg
, DIGITS
))
1090 /* do *not* parse numbers as booleans */
1091 boolean
= parse_boolean(optarg
);
1093 if (boolean
== false) {
1094 /* no: User namespacing off */
1095 arg_userns_mode
= USER_NAMESPACE_NO
;
1096 arg_uid_shift
= UID_INVALID
;
1097 arg_uid_range
= UINT32_C(0x10000);
1098 } else if (boolean
== true) {
1099 /* yes: User namespacing on, UID range is read from root dir */
1100 arg_userns_mode
= USER_NAMESPACE_FIXED
;
1101 arg_uid_shift
= UID_INVALID
;
1102 arg_uid_range
= UINT32_C(0x10000);
1103 } else if (streq(optarg
, "pick")) {
1104 /* pick: User namespacing on, UID range is picked randomly */
1105 arg_userns_mode
= USER_NAMESPACE_PICK
;
1106 arg_uid_shift
= UID_INVALID
;
1107 arg_uid_range
= UINT32_C(0x10000);
1109 _cleanup_free_
char *buffer
= NULL
;
1110 const char *range
, *shift
;
1112 /* anything else: User namespacing on, UID range is explicitly configured */
1114 range
= strchr(optarg
, ':');
1116 buffer
= strndup(optarg
, range
- optarg
);
1122 r
= safe_atou32(range
, &arg_uid_range
);
1124 return log_error_errno(r
, "Failed to parse UID range \"%s\": %m", range
);
1128 r
= parse_uid(shift
, &arg_uid_shift
);
1130 return log_error_errno(r
, "Failed to parse UID \"%s\": %m", optarg
);
1132 arg_userns_mode
= USER_NAMESPACE_FIXED
;
1135 if (arg_uid_range
<= 0)
1136 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1137 "UID range cannot be 0.");
1139 arg_settings_mask
|= SETTING_USERNS
;
1144 if (userns_supported()) {
1145 arg_userns_mode
= USER_NAMESPACE_PICK
;
1146 arg_uid_shift
= UID_INVALID
;
1147 arg_uid_range
= UINT32_C(0x10000);
1149 arg_settings_mask
|= SETTING_USERNS
;
1154 case ARG_PRIVATE_USERS_CHOWN
:
1155 arg_userns_chown
= true;
1157 arg_settings_mask
|= SETTING_USERNS
;
1160 case ARG_KILL_SIGNAL
:
1161 if (streq(optarg
, "help")) {
1162 DUMP_STRING_TABLE(signal
, int, _NSIG
);
1166 arg_kill_signal
= signal_from_string(optarg
);
1167 if (arg_kill_signal
< 0)
1168 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1169 "Cannot parse signal: %s", optarg
);
1171 arg_settings_mask
|= SETTING_KILL_SIGNAL
;
1176 /* no → do not read files
1177 * yes → read files, do not override cmdline, trust only subset
1178 * override → read files, override cmdline, trust only subset
1179 * trusted → read files, do not override cmdline, trust all
1182 r
= parse_boolean(optarg
);
1184 if (streq(optarg
, "trusted")) {
1185 mask_all_settings
= false;
1186 mask_no_settings
= false;
1187 arg_settings_trusted
= true;
1189 } else if (streq(optarg
, "override")) {
1190 mask_all_settings
= false;
1191 mask_no_settings
= true;
1192 arg_settings_trusted
= -1;
1194 return log_error_errno(r
, "Failed to parse --settings= argument: %s", optarg
);
1197 mask_all_settings
= false;
1198 mask_no_settings
= false;
1199 arg_settings_trusted
= -1;
1202 mask_all_settings
= true;
1203 mask_no_settings
= false;
1204 arg_settings_trusted
= false;
1210 if (!path_is_absolute(optarg
))
1211 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1212 "Working directory %s is not an absolute path.", optarg
);
1214 r
= free_and_strdup(&arg_chdir
, optarg
);
1218 arg_settings_mask
|= SETTING_WORKING_DIRECTORY
;
1221 case ARG_PIVOT_ROOT
:
1222 r
= pivot_root_parse(&arg_pivot_root_new
, &arg_pivot_root_old
, optarg
);
1224 return log_error_errno(r
, "Failed to parse --pivot-root= argument %s: %m", optarg
);
1226 arg_settings_mask
|= SETTING_PIVOT_ROOT
;
1229 case ARG_NOTIFY_READY
:
1230 r
= parse_boolean(optarg
);
1232 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1233 "%s is not a valid notify mode. Valid modes are: yes, no, and ready.", optarg
);
1234 arg_notify_ready
= r
;
1235 arg_settings_mask
|= SETTING_NOTIFY_READY
;
1238 case ARG_ROOT_HASH
: {
1242 r
= unhexmem(optarg
, strlen(optarg
), &k
, &l
);
1244 return log_error_errno(r
, "Failed to parse root hash: %s", optarg
);
1245 if (l
< sizeof(sd_id128_t
)) {
1246 log_error("Root hash must be at least 128bit long: %s", optarg
);
1251 free(arg_root_hash
);
1253 arg_root_hash_size
= l
;
1257 case ARG_SYSTEM_CALL_FILTER
: {
1261 negative
= optarg
[0] == '~';
1262 items
= negative
? optarg
+ 1 : optarg
;
1265 _cleanup_free_
char *word
= NULL
;
1267 r
= extract_first_word(&items
, &word
, NULL
, 0);
1273 return log_error_errno(r
, "Failed to parse system call filter: %m");
1276 r
= strv_extend(&arg_syscall_blacklist
, word
);
1278 r
= strv_extend(&arg_syscall_whitelist
, word
);
1283 arg_settings_mask
|= SETTING_SYSCALL_FILTER
;
1292 if (streq(optarg
, "help")) {
1293 DUMP_STRING_TABLE(rlimit
, int, _RLIMIT_MAX
);
1297 eq
= strchr(optarg
, '=');
1299 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1300 "--rlimit= expects an '=' assignment.");
1302 name
= strndup(optarg
, eq
- optarg
);
1306 rl
= rlimit_from_string_harder(name
);
1308 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1309 "Unknown resource limit: %s", name
);
1311 if (!arg_rlimit
[rl
]) {
1312 arg_rlimit
[rl
] = new0(struct rlimit
, 1);
1313 if (!arg_rlimit
[rl
])
1317 r
= rlimit_parse(rl
, eq
+ 1, arg_rlimit
[rl
]);
1319 return log_error_errno(r
, "Failed to parse resource limit: %s", eq
+ 1);
1321 arg_settings_mask
|= SETTING_RLIMIT_FIRST
<< rl
;
1325 case ARG_OOM_SCORE_ADJUST
:
1326 r
= parse_oom_score_adjust(optarg
, &arg_oom_score_adjust
);
1328 return log_error_errno(r
, "Failed to parse --oom-score-adjust= parameter: %s", optarg
);
1330 arg_oom_score_adjust_set
= true;
1331 arg_settings_mask
|= SETTING_OOM_SCORE_ADJUST
;
1334 case ARG_CPU_AFFINITY
: {
1335 _cleanup_cpu_free_ cpu_set_t
*cpuset
= NULL
;
1337 r
= parse_cpu_set(optarg
, &cpuset
);
1339 return log_error_errno(r
, "Failed to parse CPU affinity mask: %s", optarg
);
1342 CPU_FREE(arg_cpuset
);
1344 arg_cpuset
= TAKE_PTR(cpuset
);
1345 arg_cpuset_ncpus
= r
;
1346 arg_settings_mask
|= SETTING_CPU_AFFINITY
;
1350 case ARG_RESOLV_CONF
:
1351 if (streq(optarg
, "help")) {
1352 DUMP_STRING_TABLE(resolv_conf_mode
, ResolvConfMode
, _RESOLV_CONF_MODE_MAX
);
1356 arg_resolv_conf
= resolv_conf_mode_from_string(optarg
);
1357 if (arg_resolv_conf
< 0)
1358 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1359 "Failed to parse /etc/resolv.conf mode: %s", optarg
);
1361 arg_settings_mask
|= SETTING_RESOLV_CONF
;
1365 if (streq(optarg
, "help")) {
1366 DUMP_STRING_TABLE(timezone_mode
, TimezoneMode
, _TIMEZONE_MODE_MAX
);
1370 arg_timezone
= timezone_mode_from_string(optarg
);
1371 if (arg_timezone
< 0)
1372 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1373 "Failed to parse /etc/localtime mode: %s", optarg
);
1375 arg_settings_mask
|= SETTING_TIMEZONE
;
1379 if (streq(optarg
, "interactive"))
1380 arg_console_mode
= CONSOLE_INTERACTIVE
;
1381 else if (streq(optarg
, "read-only"))
1382 arg_console_mode
= CONSOLE_READ_ONLY
;
1383 else if (streq(optarg
, "passive"))
1384 arg_console_mode
= CONSOLE_PASSIVE
;
1385 else if (streq(optarg
, "pipe"))
1386 arg_console_mode
= CONSOLE_PIPE
;
1387 else if (streq(optarg
, "help"))
1388 puts("interactive\n"
1393 log_error("Unknown console mode: %s", optarg
);
1397 arg_settings_mask
|= SETTING_CONSOLE_MODE
;
1402 arg_console_mode
= CONSOLE_PIPE
;
1403 arg_settings_mask
|= SETTING_CONSOLE_MODE
;
1407 arg_pager_flags
|= PAGER_DISABLE
;
1414 assert_not_reached("Unhandled option");
1417 if (argc
> optind
) {
1418 strv_free(arg_parameters
);
1419 arg_parameters
= strv_copy(argv
+ optind
);
1420 if (!arg_parameters
)
1423 arg_settings_mask
|= SETTING_START_MODE
;
1426 if (arg_ephemeral
&& arg_template
&& !arg_directory
)
1427 /* User asked for ephemeral execution but specified --template= instead of --directory=. Semantically
1428 * such an invocation makes some sense, see https://github.com/systemd/systemd/issues/3667. Let's
1429 * accept this here, and silently make "--ephemeral --template=" equivalent to "--ephemeral
1431 arg_directory
= TAKE_PTR(arg_template
);
1433 arg_caps_retain
= (arg_caps_retain
| plus
| (arg_private_network
? UINT64_C(1) << CAP_NET_ADMIN
: 0)) & ~minus
;
1435 /* Make sure to parse environment before we reset the settings mask below */
1436 parse_environment();
1438 /* Load all settings from .nspawn files */
1439 if (mask_no_settings
)
1440 arg_settings_mask
= 0;
1442 /* Don't load any settings from .nspawn files */
1443 if (mask_all_settings
)
1444 arg_settings_mask
= _SETTINGS_MASK_ALL
;
1449 static int verify_arguments(void) {
1452 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
1453 arg_mount_settings
|= MOUNT_USE_USERNS
;
1455 if (arg_private_network
)
1456 arg_mount_settings
|= MOUNT_APPLY_APIVFS_NETNS
;
1458 if (!(arg_clone_ns_flags
& CLONE_NEWPID
) ||
1459 !(arg_clone_ns_flags
& CLONE_NEWUTS
)) {
1460 arg_register
= false;
1461 if (arg_start_mode
!= START_PID1
)
1462 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--boot cannot be used without namespacing.");
1465 if (arg_userns_mode
== USER_NAMESPACE_PICK
)
1466 arg_userns_chown
= true;
1468 if (arg_start_mode
== START_BOOT
&& arg_kill_signal
<= 0)
1469 arg_kill_signal
= SIGRTMIN
+3;
1471 if (arg_volatile_mode
!= VOLATILE_NO
) /* Make sure all file systems contained in the image are mounted read-only if we are in volatile mode */
1472 arg_read_only
= true;
1474 if (arg_keep_unit
&& arg_register
&& cg_pid_get_owner_uid(0, NULL
) >= 0)
1475 /* Save the user from accidentally registering either user-$SESSION.scope or user@.service.
1476 * The latter is not technically a user session, but we don't need to labour the point. */
1477 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--keep-unit --register=yes may not be used when invoked from a user session.");
1479 if (arg_directory
&& arg_image
)
1480 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--directory= and --image= may not be combined.");
1482 if (arg_template
&& arg_image
)
1483 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--template= and --image= may not be combined.");
1485 if (arg_template
&& !(arg_directory
|| arg_machine
))
1486 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--template= needs --directory= or --machine=.");
1488 if (arg_ephemeral
&& arg_template
)
1489 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--ephemeral and --template= may not be combined.");
1491 if (arg_ephemeral
&& !IN_SET(arg_link_journal
, LINK_NO
, LINK_AUTO
))
1492 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--ephemeral and --link-journal= may not be combined.");
1494 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& !userns_supported())
1495 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "--private-users= is not supported, kernel compiled without user namespace support.");
1497 if (arg_userns_chown
&& arg_read_only
)
1498 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1499 "--read-only and --private-users-chown may not be combined.");
1501 /* We don't support --private-users-chown together with any of the volatile modes since we couldn't
1502 * change the read-only part of the tree (i.e. /usr) anyway, or because it would trigger a massive
1503 * copy-up (in case of overlay) making the entire excercise pointless. */
1504 if (arg_userns_chown
&& arg_volatile_mode
!= VOLATILE_NO
)
1505 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--volatile= and --private-users-chown may not be combined.");
1507 /* If --network-namespace-path is given with any other network-related option, we need to error out,
1508 * to avoid conflicts between different network options. */
1509 if (arg_network_namespace_path
&&
1510 (arg_network_interfaces
|| arg_network_macvlan
||
1511 arg_network_ipvlan
|| arg_network_veth_extra
||
1512 arg_network_bridge
|| arg_network_zone
||
1513 arg_network_veth
|| arg_private_network
))
1514 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--network-namespace-path= cannot be combined with other network options.");
1516 if (arg_network_bridge
&& arg_network_zone
)
1517 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1518 "--network-bridge= and --network-zone= may not be combined.");
1520 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& (arg_mount_settings
& MOUNT_APPLY_APIVFS_NETNS
) && !arg_private_network
)
1521 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid namespacing settings. Mounting sysfs with --private-users requires --private-network.");
1523 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& !(arg_mount_settings
& MOUNT_APPLY_APIVFS_RO
))
1524 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Cannot combine --private-users with read-write mounts.");
1526 if (arg_expose_ports
&& !arg_private_network
)
1527 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Cannot use --port= without private networking.");
1530 if (arg_expose_ports
)
1531 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "--port= is not supported, compiled without libiptc support.");
1534 r
= custom_mount_check_all();
1541 static int userns_lchown(const char *p
, uid_t uid
, gid_t gid
) {
1544 if (arg_userns_mode
== USER_NAMESPACE_NO
)
1547 if (uid
== UID_INVALID
&& gid
== GID_INVALID
)
1550 if (uid
!= UID_INVALID
) {
1551 uid
+= arg_uid_shift
;
1553 if (uid
< arg_uid_shift
|| uid
>= arg_uid_shift
+ arg_uid_range
)
1557 if (gid
!= GID_INVALID
) {
1558 gid
+= (gid_t
) arg_uid_shift
;
1560 if (gid
< (gid_t
) arg_uid_shift
|| gid
>= (gid_t
) (arg_uid_shift
+ arg_uid_range
))
1564 if (lchown(p
, uid
, gid
) < 0)
1570 static int userns_mkdir(const char *root
, const char *path
, mode_t mode
, uid_t uid
, gid_t gid
) {
1574 q
= prefix_roota(root
, path
);
1575 r
= mkdir_errno_wrapper(q
, mode
);
1581 return userns_lchown(q
, uid
, gid
);
1584 static const char *timezone_from_path(const char *path
) {
1585 return PATH_STARTSWITH_SET(
1587 "../usr/share/zoneinfo/",
1588 "/usr/share/zoneinfo/");
1591 static bool etc_writable(void) {
1592 return !arg_read_only
|| IN_SET(arg_volatile_mode
, VOLATILE_YES
, VOLATILE_OVERLAY
);
1595 static int setup_timezone(const char *dest
) {
1596 _cleanup_free_
char *p
= NULL
, *etc
= NULL
;
1597 const char *where
, *check
;
1603 if (IN_SET(arg_timezone
, TIMEZONE_AUTO
, TIMEZONE_SYMLINK
)) {
1604 r
= readlink_malloc("/etc/localtime", &p
);
1605 if (r
== -ENOENT
&& arg_timezone
== TIMEZONE_AUTO
)
1606 m
= etc_writable() ? TIMEZONE_DELETE
: TIMEZONE_OFF
;
1607 else if (r
== -EINVAL
&& arg_timezone
== TIMEZONE_AUTO
) /* regular file? */
1608 m
= etc_writable() ? TIMEZONE_COPY
: TIMEZONE_BIND
;
1610 log_warning_errno(r
, "Failed to read host's /etc/localtime symlink, not updating container timezone: %m");
1611 /* To handle warning, delete /etc/localtime and replace it with a symbolic link to a time zone data
1615 * ln -s /usr/share/zoneinfo/UTC /etc/localtime
1618 } else if (arg_timezone
== TIMEZONE_AUTO
)
1619 m
= etc_writable() ? TIMEZONE_SYMLINK
: TIMEZONE_BIND
;
1625 if (m
== TIMEZONE_OFF
)
1628 r
= chase_symlinks("/etc", dest
, CHASE_PREFIX_ROOT
, &etc
);
1630 log_warning_errno(r
, "Failed to resolve /etc path in container, ignoring: %m");
1634 where
= strjoina(etc
, "/localtime");
1638 case TIMEZONE_DELETE
:
1639 if (unlink(where
) < 0)
1640 log_full_errno(errno
== ENOENT
? LOG_DEBUG
: LOG_WARNING
, errno
, "Failed to remove '%s', ignoring: %m", where
);
1644 case TIMEZONE_SYMLINK
: {
1645 _cleanup_free_
char *q
= NULL
;
1646 const char *z
, *what
;
1648 z
= timezone_from_path(p
);
1650 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1654 r
= readlink_malloc(where
, &q
);
1655 if (r
>= 0 && streq_ptr(timezone_from_path(q
), z
))
1656 return 0; /* Already pointing to the right place? Then do nothing .. */
1658 check
= strjoina(dest
, "/usr/share/zoneinfo/", z
);
1659 r
= chase_symlinks(check
, dest
, 0, NULL
);
1661 log_debug_errno(r
, "Timezone %s does not exist (or is not accessible) in container, not creating symlink: %m", z
);
1663 if (unlink(where
) < 0 && errno
!= ENOENT
) {
1664 log_full_errno(IN_SET(errno
, EROFS
, EACCES
, EPERM
) ? LOG_DEBUG
: LOG_WARNING
, /* Don't complain on read-only images */
1665 errno
, "Failed to remove existing timezone info %s in container, ignoring: %m", where
);
1669 what
= strjoina("../usr/share/zoneinfo/", z
);
1670 if (symlink(what
, where
) < 0) {
1671 log_full_errno(IN_SET(errno
, EROFS
, EACCES
, EPERM
) ? LOG_DEBUG
: LOG_WARNING
,
1672 errno
, "Failed to correct timezone of container, ignoring: %m");
1682 case TIMEZONE_BIND
: {
1683 _cleanup_free_
char *resolved
= NULL
;
1686 found
= chase_symlinks(where
, dest
, CHASE_NONEXISTENT
, &resolved
);
1688 log_warning_errno(found
, "Failed to resolve /etc/localtime path in container, ignoring: %m");
1692 if (found
== 0) /* missing? */
1693 (void) touch(resolved
);
1695 r
= mount_verbose(LOG_WARNING
, "/etc/localtime", resolved
, NULL
, MS_BIND
, NULL
);
1697 return mount_verbose(LOG_ERR
, NULL
, resolved
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
);
1703 /* If mounting failed, try to copy */
1704 r
= copy_file_atomic("/etc/localtime", where
, 0644, 0, COPY_REFLINK
|COPY_REPLACE
);
1706 log_full_errno(IN_SET(r
, -EROFS
, -EACCES
, -EPERM
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1707 "Failed to copy /etc/localtime to %s, ignoring: %m", where
);
1714 assert_not_reached("unexpected mode");
1717 /* Fix permissions of the symlink or file copy we just created */
1718 r
= userns_lchown(where
, 0, 0);
1720 log_warning_errno(r
, "Failed to chown /etc/localtime, ignoring: %m");
1725 static int have_resolv_conf(const char *path
) {
1728 if (access(path
, F_OK
) < 0) {
1729 if (errno
== ENOENT
)
1732 return log_debug_errno(errno
, "Failed to determine whether '%s' is available: %m", path
);
1738 static int resolved_listening(void) {
1739 _cleanup_(sd_bus_error_free
) sd_bus_error error
= SD_BUS_ERROR_NULL
;
1740 _cleanup_(sd_bus_flush_close_unrefp
) sd_bus
*bus
= NULL
;
1741 _cleanup_free_
char *dns_stub_listener_mode
= NULL
;
1744 /* Check if resolved is listening */
1746 r
= sd_bus_open_system(&bus
);
1748 return log_debug_errno(r
, "Failed to open system bus: %m");
1750 r
= bus_name_has_owner(bus
, "org.freedesktop.resolve1", NULL
);
1752 return log_debug_errno(r
, "Failed to check whether the 'org.freedesktop.resolve1' bus name is taken: %m");
1756 r
= sd_bus_get_property_string(bus
,
1757 "org.freedesktop.resolve1",
1758 "/org/freedesktop/resolve1",
1759 "org.freedesktop.resolve1.Manager",
1762 &dns_stub_listener_mode
);
1764 return log_debug_errno(r
, "Failed to query DNSStubListener property: %s", bus_error_message(&error
, r
));
1766 return STR_IN_SET(dns_stub_listener_mode
, "udp", "yes");
1769 static int setup_resolv_conf(const char *dest
) {
1770 _cleanup_free_
char *etc
= NULL
;
1771 const char *where
, *what
;
1777 if (arg_resolv_conf
== RESOLV_CONF_AUTO
) {
1778 if (arg_private_network
)
1779 m
= RESOLV_CONF_OFF
;
1780 else if (have_resolv_conf(STATIC_RESOLV_CONF
) > 0 && resolved_listening() > 0)
1781 m
= etc_writable() ? RESOLV_CONF_COPY_STATIC
: RESOLV_CONF_BIND_STATIC
;
1782 else if (have_resolv_conf("/etc/resolv.conf") > 0)
1783 m
= etc_writable() ? RESOLV_CONF_COPY_HOST
: RESOLV_CONF_BIND_HOST
;
1785 m
= etc_writable() ? RESOLV_CONF_DELETE
: RESOLV_CONF_OFF
;
1787 m
= arg_resolv_conf
;
1789 if (m
== RESOLV_CONF_OFF
)
1792 r
= chase_symlinks("/etc", dest
, CHASE_PREFIX_ROOT
, &etc
);
1794 log_warning_errno(r
, "Failed to resolve /etc path in container, ignoring: %m");
1798 where
= strjoina(etc
, "/resolv.conf");
1800 if (m
== RESOLV_CONF_DELETE
) {
1801 if (unlink(where
) < 0)
1802 log_full_errno(errno
== ENOENT
? LOG_DEBUG
: LOG_WARNING
, errno
, "Failed to remove '%s', ignoring: %m", where
);
1807 if (IN_SET(m
, RESOLV_CONF_BIND_STATIC
, RESOLV_CONF_COPY_STATIC
))
1808 what
= STATIC_RESOLV_CONF
;
1810 what
= "/etc/resolv.conf";
1812 if (IN_SET(m
, RESOLV_CONF_BIND_HOST
, RESOLV_CONF_BIND_STATIC
)) {
1813 _cleanup_free_
char *resolved
= NULL
;
1816 found
= chase_symlinks(where
, dest
, CHASE_NONEXISTENT
, &resolved
);
1818 log_warning_errno(found
, "Failed to resolve /etc/resolv.conf path in container, ignoring: %m");
1822 if (found
== 0) /* missing? */
1823 (void) touch(resolved
);
1825 r
= mount_verbose(LOG_WARNING
, what
, resolved
, NULL
, MS_BIND
, NULL
);
1827 return mount_verbose(LOG_ERR
, NULL
, resolved
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
);
1830 /* If that didn't work, let's copy the file */
1831 r
= copy_file(what
, where
, O_TRUNC
|O_NOFOLLOW
, 0644, 0, COPY_REFLINK
);
1833 /* If the file already exists as symlink, let's suppress the warning, under the assumption that
1834 * resolved or something similar runs inside and the symlink points there.
1836 * If the disk image is read-only, there's also no point in complaining.
1838 log_full_errno(!IN_SET(RESOLV_CONF_COPY_HOST
, RESOLV_CONF_COPY_STATIC
) && IN_SET(r
, -ELOOP
, -EROFS
, -EACCES
, -EPERM
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1839 "Failed to copy /etc/resolv.conf to %s, ignoring: %m", where
);
1843 r
= userns_lchown(where
, 0, 0);
1845 log_warning_errno(r
, "Failed to chown /etc/resolv.conf, ignoring: %m");
1850 static int setup_boot_id(void) {
1851 _cleanup_(unlink_and_freep
) char *from
= NULL
;
1852 _cleanup_free_
char *path
= NULL
;
1853 sd_id128_t rnd
= SD_ID128_NULL
;
1857 /* Generate a new randomized boot ID, so that each boot-up of
1858 * the container gets a new one */
1860 r
= tempfn_random_child(NULL
, "proc-sys-kernel-random-boot-id", &path
);
1862 return log_error_errno(r
, "Failed to generate random boot ID path: %m");
1864 r
= sd_id128_randomize(&rnd
);
1866 return log_error_errno(r
, "Failed to generate random boot id: %m");
1868 r
= id128_write(path
, ID128_UUID
, rnd
, false);
1870 return log_error_errno(r
, "Failed to write boot id: %m");
1872 from
= TAKE_PTR(path
);
1873 to
= "/proc/sys/kernel/random/boot_id";
1875 r
= mount_verbose(LOG_ERR
, from
, to
, NULL
, MS_BIND
, NULL
);
1879 return mount_verbose(LOG_ERR
, NULL
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, NULL
);
1882 static int copy_devnodes(const char *dest
) {
1883 static const char devnodes
[] =
1892 _cleanup_umask_ mode_t u
;
1900 /* Create /dev/net, so that we can create /dev/net/tun in it */
1901 if (userns_mkdir(dest
, "/dev/net", 0755, 0, 0) < 0)
1902 return log_error_errno(r
, "Failed to create /dev/net directory: %m");
1904 NULSTR_FOREACH(d
, devnodes
) {
1905 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1908 from
= strappend("/dev/", d
);
1912 to
= prefix_root(dest
, from
);
1916 if (stat(from
, &st
) < 0) {
1918 if (errno
!= ENOENT
)
1919 return log_error_errno(errno
, "Failed to stat %s: %m", from
);
1921 } else if (!S_ISCHR(st
.st_mode
) && !S_ISBLK(st
.st_mode
))
1922 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
1923 "%s is not a char or block device, cannot copy.", from
);
1925 _cleanup_free_
char *sl
= NULL
, *prefixed
= NULL
, *dn
= NULL
, *t
= NULL
;
1927 if (mknod(to
, st
.st_mode
, st
.st_rdev
) < 0) {
1928 /* Explicitly warn the user when /dev is already populated. */
1929 if (errno
== EEXIST
)
1930 log_notice("%s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system.", dest
);
1932 return log_error_errno(errno
, "mknod(%s) failed: %m", to
);
1934 /* Some systems abusively restrict mknod but allow bind mounts. */
1937 return log_error_errno(r
, "touch (%s) failed: %m", to
);
1938 r
= mount_verbose(LOG_DEBUG
, from
, to
, NULL
, MS_BIND
, NULL
);
1940 return log_error_errno(r
, "Both mknod and bind mount (%s) failed: %m", to
);
1943 r
= userns_lchown(to
, 0, 0);
1945 return log_error_errno(r
, "chown() of device node %s failed: %m", to
);
1947 dn
= strjoin("/dev/", S_ISCHR(st
.st_mode
) ? "char" : "block");
1951 r
= userns_mkdir(dest
, dn
, 0755, 0, 0);
1953 return log_error_errno(r
, "Failed to create '%s': %m", dn
);
1955 if (asprintf(&sl
, "%s/%u:%u", dn
, major(st
.st_rdev
), minor(st
.st_rdev
)) < 0)
1958 prefixed
= prefix_root(dest
, sl
);
1962 t
= strjoin("../", d
);
1966 if (symlink(t
, prefixed
) < 0)
1967 log_debug_errno(errno
, "Failed to symlink '%s' to '%s': %m", t
, prefixed
);
1974 static int make_extra_nodes(const char *dest
) {
1975 _cleanup_umask_ mode_t u
;
1981 for (i
= 0; i
< arg_n_extra_nodes
; i
++) {
1982 _cleanup_free_
char *path
= NULL
;
1983 DeviceNode
*n
= arg_extra_nodes
+ i
;
1985 path
= prefix_root(dest
, n
->path
);
1989 if (mknod(path
, n
->mode
, S_ISCHR(n
->mode
) || S_ISBLK(n
->mode
) ? makedev(n
->major
, n
->minor
) : 0) < 0)
1990 return log_error_errno(errno
, "Failed to create device node '%s': %m", path
);
1992 r
= chmod_and_chown(path
, n
->mode
, n
->uid
, n
->gid
);
1994 return log_error_errno(r
, "Failed to adjust device node ownership of '%s': %m", path
);
2000 static int setup_pts(const char *dest
) {
2001 _cleanup_free_
char *options
= NULL
;
2006 if (arg_selinux_apifs_context
)
2007 (void) asprintf(&options
,
2008 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
",context=\"%s\"",
2009 arg_uid_shift
+ TTY_GID
,
2010 arg_selinux_apifs_context
);
2013 (void) asprintf(&options
,
2014 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
,
2015 arg_uid_shift
+ TTY_GID
);
2020 /* Mount /dev/pts itself */
2021 p
= prefix_roota(dest
, "/dev/pts");
2022 r
= mkdir_errno_wrapper(p
, 0755);
2024 return log_error_errno(r
, "Failed to create /dev/pts: %m");
2026 r
= mount_verbose(LOG_ERR
, "devpts", p
, "devpts", MS_NOSUID
|MS_NOEXEC
, options
);
2029 r
= userns_lchown(p
, 0, 0);
2031 return log_error_errno(r
, "Failed to chown /dev/pts: %m");
2033 /* Create /dev/ptmx symlink */
2034 p
= prefix_roota(dest
, "/dev/ptmx");
2035 if (symlink("pts/ptmx", p
) < 0)
2036 return log_error_errno(errno
, "Failed to create /dev/ptmx symlink: %m");
2037 r
= userns_lchown(p
, 0, 0);
2039 return log_error_errno(r
, "Failed to chown /dev/ptmx: %m");
2041 /* And fix /dev/pts/ptmx ownership */
2042 p
= prefix_roota(dest
, "/dev/pts/ptmx");
2043 r
= userns_lchown(p
, 0, 0);
2045 return log_error_errno(r
, "Failed to chown /dev/pts/ptmx: %m");
2050 static int setup_dev_console(const char *dest
, const char *console
) {
2051 _cleanup_umask_ mode_t u
;
2062 r
= chmod_and_chown(console
, 0600, arg_uid_shift
, arg_uid_shift
);
2064 return log_error_errno(r
, "Failed to correct access mode for TTY: %m");
2066 /* We need to bind mount the right tty to /dev/console since
2067 * ptys can only exist on pts file systems. To have something
2068 * to bind mount things on we create a empty regular file. */
2070 to
= prefix_roota(dest
, "/dev/console");
2073 return log_error_errno(r
, "touch() for /dev/console failed: %m");
2075 return mount_verbose(LOG_ERR
, console
, to
, NULL
, MS_BIND
, NULL
);
2078 static int setup_keyring(void) {
2079 key_serial_t keyring
;
2081 /* Allocate a new session keyring for the container. This makes sure the keyring of the session systemd-nspawn
2082 * was invoked from doesn't leak into the container. Note that by default we block keyctl() and request_key()
2083 * anyway via seccomp so doing this operation isn't strictly necessary, but in case people explicitly whitelist
2084 * these system calls let's make sure we don't leak anything into the container. */
2086 keyring
= keyctl(KEYCTL_JOIN_SESSION_KEYRING
, 0, 0, 0, 0);
2087 if (keyring
== -1) {
2088 if (errno
== ENOSYS
)
2089 log_debug_errno(errno
, "Kernel keyring not supported, ignoring.");
2090 else if (IN_SET(errno
, EACCES
, EPERM
))
2091 log_debug_errno(errno
, "Kernel keyring access prohibited, ignoring.");
2093 return log_error_errno(errno
, "Setting up kernel keyring failed: %m");
2099 static int setup_kmsg(int kmsg_socket
) {
2100 _cleanup_(unlink_and_freep
) char *from
= NULL
;
2101 _cleanup_free_
char *fifo
= NULL
;
2102 _cleanup_close_
int fd
= -1;
2103 _cleanup_umask_ mode_t u
;
2107 assert(kmsg_socket
>= 0);
2111 /* We create the kmsg FIFO as as temporary file in /tmp, but immediately delete it after bind mounting it to
2112 * /proc/kmsg. While FIFOs on the reading side behave very similar to /proc/kmsg, their writing side behaves
2113 * differently from /dev/kmsg in that writing blocks when nothing is reading. In order to avoid any problems
2114 * with containers deadlocking due to this we simply make /dev/kmsg unavailable to the container. */
2116 r
= tempfn_random_child(NULL
, "proc-kmsg", &fifo
);
2118 return log_error_errno(r
, "Failed to generate kmsg path: %m");
2120 if (mkfifo(fifo
, 0600) < 0)
2121 return log_error_errno(errno
, "mkfifo() for /run/kmsg failed: %m");
2123 from
= TAKE_PTR(fifo
);
2126 r
= mount_verbose(LOG_ERR
, from
, to
, NULL
, MS_BIND
, NULL
);
2130 fd
= open(from
, O_RDWR
|O_NONBLOCK
|O_CLOEXEC
);
2132 return log_error_errno(errno
, "Failed to open fifo: %m");
2134 /* Store away the fd in the socket, so that it stays open as long as we run the child */
2135 r
= send_one_fd(kmsg_socket
, fd
, 0);
2137 return log_error_errno(r
, "Failed to send FIFO fd: %m");
2142 static int on_address_change(sd_netlink
*rtnl
, sd_netlink_message
*m
, void *userdata
) {
2143 union in_addr_union
*exposed
= userdata
;
2149 expose_port_execute(rtnl
, arg_expose_ports
, exposed
);
2153 static int setup_hostname(void) {
2156 if ((arg_clone_ns_flags
& CLONE_NEWUTS
) == 0)
2159 r
= sethostname_idempotent(arg_hostname
?: arg_machine
);
2161 return log_error_errno(r
, "Failed to set hostname: %m");
2166 static int setup_journal(const char *directory
) {
2167 _cleanup_free_
char *d
= NULL
;
2168 const char *dirname
, *p
, *q
;
2174 /* Don't link journals in ephemeral mode */
2178 if (arg_link_journal
== LINK_NO
)
2181 try = arg_link_journal_try
|| arg_link_journal
== LINK_AUTO
;
2183 r
= sd_id128_get_machine(&this_id
);
2185 return log_error_errno(r
, "Failed to retrieve machine ID: %m");
2187 if (sd_id128_equal(arg_uuid
, this_id
)) {
2188 log_full(try ? LOG_WARNING
: LOG_ERR
,
2189 "Host and machine ids are equal (%s): refusing to link journals", sd_id128_to_string(arg_uuid
, id
));
2195 FOREACH_STRING(dirname
, "/var", "/var/log", "/var/log/journal") {
2196 r
= userns_mkdir(directory
, dirname
, 0755, 0, 0);
2198 bool ignore
= r
== -EROFS
&& try;
2199 log_full_errno(ignore
? LOG_DEBUG
: LOG_ERR
, r
,
2200 "Failed to create %s%s: %m", dirname
, ignore
? ", ignoring" : "");
2201 return ignore
? 0 : r
;
2205 (void) sd_id128_to_string(arg_uuid
, id
);
2207 p
= strjoina("/var/log/journal/", id
);
2208 q
= prefix_roota(directory
, p
);
2210 if (path_is_mount_point(p
, NULL
, 0) > 0) {
2214 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
),
2215 "%s: already a mount point, refusing to use for journal", p
);
2218 if (path_is_mount_point(q
, NULL
, 0) > 0) {
2222 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
),
2223 "%s: already a mount point, refusing to use for journal", q
);
2226 r
= readlink_and_make_absolute(p
, &d
);
2228 if (IN_SET(arg_link_journal
, LINK_GUEST
, LINK_AUTO
) &&
2231 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2233 log_warning_errno(r
, "Failed to create directory %s: %m", q
);
2238 return log_error_errno(errno
, "Failed to remove symlink %s: %m", p
);
2239 } else if (r
== -EINVAL
) {
2241 if (arg_link_journal
== LINK_GUEST
&&
2244 if (errno
== ENOTDIR
) {
2245 log_error("%s already exists and is neither a symlink nor a directory", p
);
2248 return log_error_errno(errno
, "Failed to remove %s: %m", p
);
2250 } else if (r
!= -ENOENT
)
2251 return log_error_errno(r
, "readlink(%s) failed: %m", p
);
2253 if (arg_link_journal
== LINK_GUEST
) {
2255 if (symlink(q
, p
) < 0) {
2257 log_debug_errno(errno
, "Failed to symlink %s to %s, skipping journal setup: %m", q
, p
);
2260 return log_error_errno(errno
, "Failed to symlink %s to %s: %m", q
, p
);
2263 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2265 log_warning_errno(r
, "Failed to create directory %s: %m", q
);
2269 if (arg_link_journal
== LINK_HOST
) {
2270 /* don't create parents here — if the host doesn't have
2271 * permanent journal set up, don't force it here */
2273 r
= mkdir_errno_wrapper(p
, 0755);
2274 if (r
< 0 && r
!= -EEXIST
) {
2276 log_debug_errno(r
, "Failed to create %s, skipping journal setup: %m", p
);
2279 return log_error_errno(r
, "Failed to create %s: %m", p
);
2282 } else if (access(p
, F_OK
) < 0)
2285 if (dir_is_empty(q
) == 0)
2286 log_warning("%s is not empty, proceeding anyway.", q
);
2288 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2290 return log_error_errno(r
, "Failed to create %s: %m", q
);
2292 r
= mount_verbose(LOG_DEBUG
, p
, q
, NULL
, MS_BIND
, NULL
);
2294 return log_error_errno(errno
, "Failed to bind mount journal from host into guest: %m");
2299 static int drop_capabilities(uid_t uid
) {
2300 CapabilityQuintet q
;
2302 /* Let's initialize all five capability sets to something valid. If the quintet was configured via
2303 * OCI use that, but fill in missing bits. If it wasn't then derive the quintet in full from
2304 * arg_caps_retain. */
2306 if (capability_quintet_is_set(&arg_full_capabilities
)) {
2307 q
= arg_full_capabilities
;
2309 if (q
.bounding
== (uint64_t) -1)
2310 q
.bounding
= uid
== 0 ? arg_caps_retain
: 0;
2312 if (q
.effective
== (uint64_t) -1)
2313 q
.effective
= uid
== 0 ? q
.bounding
: 0;
2315 if (q
.inheritable
== (uint64_t) -1)
2316 q
.inheritable
= uid
== 0 ? q
.bounding
: 0;
2318 if (q
.permitted
== (uint64_t) -1)
2319 q
.permitted
= uid
== 0 ? q
.bounding
: 0;
2321 if (q
.ambient
== (uint64_t) -1 && ambient_capabilities_supported())
2324 q
= (CapabilityQuintet
) {
2325 .bounding
= arg_caps_retain
,
2326 .effective
= uid
== 0 ? arg_caps_retain
: 0,
2327 .inheritable
= uid
== 0 ? arg_caps_retain
: 0,
2328 .permitted
= uid
== 0 ? arg_caps_retain
: 0,
2329 .ambient
= ambient_capabilities_supported() ? 0 : (uint64_t) -1,
2332 return capability_quintet_enforce(&q
);
2335 static int reset_audit_loginuid(void) {
2336 _cleanup_free_
char *p
= NULL
;
2339 if ((arg_clone_ns_flags
& CLONE_NEWPID
) == 0)
2342 r
= read_one_line_file("/proc/self/loginuid", &p
);
2346 return log_error_errno(r
, "Failed to read /proc/self/loginuid: %m");
2348 /* Already reset? */
2349 if (streq(p
, "4294967295"))
2352 r
= write_string_file("/proc/self/loginuid", "4294967295", WRITE_STRING_FILE_DISABLE_BUFFER
);
2355 "Failed to reset audit login UID. This probably means that your kernel is too\n"
2356 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2357 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2358 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2359 "using systemd-nspawn. Sleeping for 5s... (%m)");
2367 static int setup_propagate(const char *root
) {
2371 (void) mkdir_p("/run/systemd/nspawn/", 0755);
2372 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
2373 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
2374 (void) mkdir_p(p
, 0600);
2376 r
= userns_mkdir(root
, "/run/systemd", 0755, 0, 0);
2378 return log_error_errno(r
, "Failed to create /run/systemd: %m");
2380 r
= userns_mkdir(root
, "/run/systemd/nspawn", 0755, 0, 0);
2382 return log_error_errno(r
, "Failed to create /run/systemd/nspawn: %m");
2384 r
= userns_mkdir(root
, "/run/systemd/nspawn/incoming", 0600, 0, 0);
2386 return log_error_errno(r
, "Failed to create /run/systemd/nspawn/incoming: %m");
2388 q
= prefix_roota(root
, "/run/systemd/nspawn/incoming");
2389 r
= mount_verbose(LOG_ERR
, p
, q
, NULL
, MS_BIND
, NULL
);
2393 r
= mount_verbose(LOG_ERR
, NULL
, q
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
);
2397 /* machined will MS_MOVE into that directory, and that's only
2398 * supported for non-shared mounts. */
2399 return mount_verbose(LOG_ERR
, NULL
, q
, NULL
, MS_SLAVE
, NULL
);
2402 static int setup_machine_id(const char *directory
) {
2403 const char *etc_machine_id
;
2407 /* If the UUID in the container is already set, then that's what counts, and we use. If it isn't set, and the
2408 * caller passed --uuid=, then we'll pass it in the $container_uuid env var to PID 1 of the container. The
2409 * assumption is that PID 1 will then write it to /etc/machine-id to make it persistent. If --uuid= is not
2410 * passed we generate a random UUID, and pass it via $container_uuid. In effect this means that /etc/machine-id
2411 * in the container and our idea of the container UUID will always be in sync (at least if PID 1 in the
2412 * container behaves nicely). */
2414 etc_machine_id
= prefix_roota(directory
, "/etc/machine-id");
2416 r
= id128_read(etc_machine_id
, ID128_PLAIN
, &id
);
2418 if (!IN_SET(r
, -ENOENT
, -ENOMEDIUM
)) /* If the file is missing or empty, we don't mind */
2419 return log_error_errno(r
, "Failed to read machine ID from container image: %m");
2421 if (sd_id128_is_null(arg_uuid
)) {
2422 r
= sd_id128_randomize(&arg_uuid
);
2424 return log_error_errno(r
, "Failed to acquire randomized machine UUID: %m");
2427 if (sd_id128_is_null(id
))
2428 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2429 "Machine ID in container image is zero, refusing.");
2437 static int recursive_chown(const char *directory
, uid_t shift
, uid_t range
) {
2442 if (arg_userns_mode
== USER_NAMESPACE_NO
|| !arg_userns_chown
)
2445 r
= path_patch_uid(directory
, arg_uid_shift
, arg_uid_range
);
2446 if (r
== -EOPNOTSUPP
)
2447 return log_error_errno(r
, "Automatic UID/GID adjusting is only supported for UID/GID ranges starting at multiples of 2^16 with a range of 2^16.");
2449 return log_error_errno(r
, "Upper 16 bits of root directory UID and GID do not match.");
2451 return log_error_errno(r
, "Failed to adjust UID/GID shift of OS tree: %m");
2453 log_debug("Root directory of image is already owned by the right UID/GID range, skipping recursive chown operation.");
2455 log_debug("Patched directory tree to match UID/GID range.");
2462 * < 0 : wait_for_terminate() failed to get the state of the
2463 * container, the container was terminated by a signal, or
2464 * failed for an unknown reason. No change is made to the
2465 * container argument.
2466 * > 0 : The program executed in the container terminated with an
2467 * error. The exit code of the program executed in the
2468 * container is returned. The container argument has been set
2469 * to CONTAINER_TERMINATED.
2470 * 0 : The container is being rebooted, has been shut down or exited
2471 * successfully. The container argument has been set to either
2472 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2474 * That is, success is indicated by a return value of zero, and an
2475 * error is indicated by a non-zero value.
2477 static int wait_for_container(pid_t pid
, ContainerStatus
*container
) {
2481 r
= wait_for_terminate(pid
, &status
);
2483 return log_warning_errno(r
, "Failed to wait for container: %m");
2485 switch (status
.si_code
) {
2488 if (status
.si_status
== 0)
2489 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s exited successfully.", arg_machine
);
2491 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s failed with error code %i.", arg_machine
, status
.si_status
);
2493 *container
= CONTAINER_TERMINATED
;
2494 return status
.si_status
;
2497 if (status
.si_status
== SIGINT
) {
2498 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s has been shut down.", arg_machine
);
2499 *container
= CONTAINER_TERMINATED
;
2502 } else if (status
.si_status
== SIGHUP
) {
2503 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s is being rebooted.", arg_machine
);
2504 *container
= CONTAINER_REBOOTED
;
2510 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
2511 "Container %s terminated by signal %s.", arg_machine
, signal_to_string(status
.si_status
));
2514 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
2515 "Container %s failed due to unknown reason.", arg_machine
);
2519 static int on_orderly_shutdown(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
2522 pid
= PTR_TO_PID(userdata
);
2524 if (kill(pid
, arg_kill_signal
) >= 0) {
2525 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
2526 sd_event_source_set_userdata(s
, NULL
);
2531 sd_event_exit(sd_event_source_get_event(s
), 0);
2535 static int on_sigchld(sd_event_source
*s
, const struct signalfd_siginfo
*ssi
, void *userdata
) {
2541 pid
= PTR_TO_PID(userdata
);
2546 if (waitid(P_ALL
, 0, &si
, WNOHANG
|WNOWAIT
|WEXITED
) < 0)
2547 return log_error_errno(errno
, "Failed to waitid(): %m");
2548 if (si
.si_pid
== 0) /* No pending children. */
2550 if (si
.si_pid
== pid
) {
2551 /* The main process we care for has exited. Return from
2552 * signal handler but leave the zombie. */
2553 sd_event_exit(sd_event_source_get_event(s
), 0);
2557 /* Reap all other children. */
2558 (void) waitid(P_PID
, si
.si_pid
, &si
, WNOHANG
|WEXITED
);
2564 static int on_request_stop(sd_bus_message
*m
, void *userdata
, sd_bus_error
*error
) {
2569 pid
= PTR_TO_PID(userdata
);
2571 if (arg_kill_signal
> 0) {
2572 log_info("Container termination requested. Attempting to halt container.");
2573 (void) kill(pid
, arg_kill_signal
);
2575 log_info("Container termination requested. Exiting.");
2576 sd_event_exit(sd_bus_get_event(sd_bus_message_get_bus(m
)), 0);
2582 static int determine_names(void) {
2585 if (arg_template
&& !arg_directory
&& arg_machine
) {
2587 /* If --template= was specified then we should not
2588 * search for a machine, but instead create a new one
2589 * in /var/lib/machine. */
2591 arg_directory
= strjoin("/var/lib/machines/", arg_machine
);
2596 if (!arg_image
&& !arg_directory
) {
2598 _cleanup_(image_unrefp
) Image
*i
= NULL
;
2600 r
= image_find(IMAGE_MACHINE
, arg_machine
, &i
);
2602 return log_error_errno(r
, "No image for machine '%s'.", arg_machine
);
2604 return log_error_errno(r
, "Failed to find image for machine '%s': %m", arg_machine
);
2606 if (IN_SET(i
->type
, IMAGE_RAW
, IMAGE_BLOCK
))
2607 r
= free_and_strdup(&arg_image
, i
->path
);
2609 r
= free_and_strdup(&arg_directory
, i
->path
);
2614 arg_read_only
= arg_read_only
|| i
->read_only
;
2616 r
= safe_getcwd(&arg_directory
);
2618 return log_error_errno(r
, "Failed to determine current directory: %m");
2621 if (!arg_directory
&& !arg_image
) {
2622 log_error("Failed to determine path, please use -D or -i.");
2628 if (arg_directory
&& path_equal(arg_directory
, "/"))
2629 arg_machine
= gethostname_malloc();
2634 arg_machine
= strdup(basename(arg_image
));
2636 /* Truncate suffix if there is one */
2637 e
= endswith(arg_machine
, ".raw");
2641 arg_machine
= strdup(basename(arg_directory
));
2646 hostname_cleanup(arg_machine
);
2647 if (!machine_name_is_valid(arg_machine
)) {
2648 log_error("Failed to determine machine name automatically, please use -M.");
2652 if (arg_ephemeral
) {
2655 /* Add a random suffix when this is an
2656 * ephemeral machine, so that we can run many
2657 * instances at once without manually having
2658 * to specify -M each time. */
2660 if (asprintf(&b
, "%s-%016" PRIx64
, arg_machine
, random_u64()) < 0)
2671 static int chase_symlinks_and_update(char **p
, unsigned flags
) {
2680 r
= chase_symlinks(*p
, NULL
, flags
, &chased
);
2682 return log_error_errno(r
, "Failed to resolve path %s: %m", *p
);
2684 free_and_replace(*p
, chased
);
2685 return r
; /* r might be an fd here in case we ever use CHASE_OPEN in flags */
2688 static int determine_uid_shift(const char *directory
) {
2691 if (arg_userns_mode
== USER_NAMESPACE_NO
) {
2696 if (arg_uid_shift
== UID_INVALID
) {
2699 r
= stat(directory
, &st
);
2701 return log_error_errno(errno
, "Failed to determine UID base of %s: %m", directory
);
2703 arg_uid_shift
= st
.st_uid
& UINT32_C(0xffff0000);
2705 if (arg_uid_shift
!= (st
.st_gid
& UINT32_C(0xffff0000)))
2706 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2707 "UID and GID base of %s don't match.", directory
);
2709 arg_uid_range
= UINT32_C(0x10000);
2712 if (arg_uid_shift
> (uid_t
) -1 - arg_uid_range
)
2713 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2714 "UID base too high for UID range.");
2719 static unsigned long effective_clone_ns_flags(void) {
2720 unsigned long flags
= arg_clone_ns_flags
;
2722 if (arg_private_network
)
2723 flags
|= CLONE_NEWNET
;
2725 flags
|= CLONE_NEWCGROUP
;
2726 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
2727 flags
|= CLONE_NEWUSER
;
2732 static int patch_sysctl(void) {
2734 /* This table is inspired by runc's sysctl() function */
2735 static const struct {
2738 unsigned long clone_flags
;
2740 { "kernel.hostname", false, CLONE_NEWUTS
},
2741 { "kernel.domainname", false, CLONE_NEWUTS
},
2742 { "kernel.msgmax", false, CLONE_NEWIPC
},
2743 { "kernel.msgmnb", false, CLONE_NEWIPC
},
2744 { "kernel.msgmni", false, CLONE_NEWIPC
},
2745 { "kernel.sem", false, CLONE_NEWIPC
},
2746 { "kernel.shmall", false, CLONE_NEWIPC
},
2747 { "kernel.shmmax", false, CLONE_NEWIPC
},
2748 { "kernel.shmmni", false, CLONE_NEWIPC
},
2749 { "fs.mqueue.", true, CLONE_NEWIPC
},
2750 { "net.", true, CLONE_NEWNET
},
2753 unsigned long flags
;
2757 flags
= effective_clone_ns_flags();
2759 STRV_FOREACH_PAIR(k
, v
, arg_sysctl
) {
2763 for (i
= 0; i
< ELEMENTSOF(safe_sysctl
); i
++) {
2765 if (!FLAGS_SET(flags
, safe_sysctl
[i
].clone_flags
))
2768 if (safe_sysctl
[i
].prefix
)
2769 good
= startswith(*k
, safe_sysctl
[i
].key
);
2771 good
= streq(*k
, safe_sysctl
[i
].key
);
2778 log_error("Refusing to write to sysctl '%s', as it is not safe in the selected namespaces.", *k
);
2782 r
= sysctl_write(*k
, *v
);
2784 return log_error_errno(r
, "Failed to write sysctl '%s': %m", *k
);
2790 static int inner_child(
2792 const char *directory
,
2798 _cleanup_free_
char *home
= NULL
;
2801 const char *envp
[] = {
2802 "PATH=" DEFAULT_PATH_COMPAT
,
2803 NULL
, /* container */
2808 NULL
, /* container_uuid */
2809 NULL
, /* LISTEN_FDS */
2810 NULL
, /* LISTEN_PID */
2811 NULL
, /* NOTIFY_SOCKET */
2814 const char *exec_target
;
2815 _cleanup_strv_free_
char **env_use
= NULL
;
2816 int r
, which_failed
;
2818 /* This is the "inner" child process, i.e. the one forked off by the "outer" child process, which is the one
2819 * the container manager itself forked off. At the time of clone() it gained its own CLONE_NEWNS, CLONE_NEWPID,
2820 * CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER namespaces. Note that it has its own CLONE_NEWNS namespace,
2821 * separate from the CLONE_NEWNS created for the "outer" child, and also separate from the host's CLONE_NEWNS
2822 * namespace. The reason for having two levels of CLONE_NEWNS namespaces is that the "inner" one is owned by
2823 * the CLONE_NEWUSER namespace of the container, while the "outer" one is owned by the host's CLONE_NEWUSER
2826 * Note at this point we have no CLONE_NEWNET namespace yet. We'll acquire that one later through
2827 * unshare(). See below. */
2831 assert(kmsg_socket
>= 0);
2833 log_debug("Inner child is initializing.");
2835 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
2836 /* Tell the parent, that it now can write the UID map. */
2837 (void) barrier_place(barrier
); /* #1 */
2839 /* Wait until the parent wrote the UID map */
2840 if (!barrier_place_and_sync(barrier
)) /* #2 */
2841 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
2842 "Parent died too early");
2845 r
= reset_uid_gid();
2847 return log_error_errno(r
, "Couldn't become new root: %m");
2850 arg_mount_settings
| MOUNT_IN_USERNS
,
2852 arg_selinux_apifs_context
);
2856 if (!arg_network_namespace_path
&& arg_private_network
) {
2857 r
= unshare(CLONE_NEWNET
);
2859 return log_error_errno(errno
, "Failed to unshare network namespace: %m");
2861 /* Tell the parent that it can setup network interfaces. */
2862 (void) barrier_place(barrier
); /* #3 */
2865 r
= mount_sysfs(NULL
, arg_mount_settings
);
2869 /* Wait until we are cgroup-ified, so that we
2870 * can mount the right cgroup path writable */
2871 if (!barrier_place_and_sync(barrier
)) /* #4 */
2872 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
2873 "Parent died too early");
2876 r
= unshare(CLONE_NEWCGROUP
);
2878 return log_error_errno(errno
, "Failed to unshare cgroup namespace: %m");
2881 arg_unified_cgroup_hierarchy
,
2882 arg_userns_mode
!= USER_NAMESPACE_NO
,
2885 arg_selinux_apifs_context
,
2890 r
= mount_systemd_cgroup_writable("", arg_unified_cgroup_hierarchy
);
2895 r
= setup_boot_id();
2899 r
= setup_kmsg(kmsg_socket
);
2902 kmsg_socket
= safe_close(kmsg_socket
);
2907 arg_n_custom_mounts
,
2911 arg_selinux_apifs_context
,
2917 return log_error_errno(errno
, "setsid() failed: %m");
2919 if (arg_private_network
)
2922 if (arg_expose_ports
) {
2923 r
= expose_port_send_rtnl(rtnl_socket
);
2926 rtnl_socket
= safe_close(rtnl_socket
);
2933 if (arg_oom_score_adjust_set
) {
2934 r
= set_oom_score_adjust(arg_oom_score_adjust
);
2936 return log_error_errno(r
, "Failed to adjust OOM score: %m");
2940 if (sched_setaffinity(0, CPU_ALLOC_SIZE(arg_cpuset_ncpus
), arg_cpuset
) < 0)
2941 return log_error_errno(errno
, "Failed to set CPU affinity: %m");
2943 (void) setup_hostname();
2945 if (arg_personality
!= PERSONALITY_INVALID
) {
2946 r
= safe_personality(arg_personality
);
2948 return log_error_errno(r
, "personality() failed: %m");
2949 } else if (secondary
) {
2950 r
= safe_personality(PER_LINUX32
);
2952 return log_error_errno(r
, "personality() failed: %m");
2955 r
= setrlimit_closest_all((const struct rlimit
*const*) arg_rlimit
, &which_failed
);
2957 return log_error_errno(r
, "Failed to apply resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed
));
2962 if (is_seccomp_available()) {
2964 r
= seccomp_load(arg_seccomp
);
2965 if (IN_SET(r
, -EPERM
, -EACCES
))
2966 return log_error_errno(r
, "Failed to install seccomp filter: %m");
2968 log_debug_errno(r
, "Failed to install seccomp filter: %m");
2973 r
= setup_seccomp(arg_caps_retain
, arg_syscall_whitelist
, arg_syscall_blacklist
);
2979 if (arg_selinux_context
)
2980 if (setexeccon(arg_selinux_context
) < 0)
2981 return log_error_errno(errno
, "setexeccon(\"%s\") failed: %m", arg_selinux_context
);
2984 /* Make sure we keep the caps across the uid/gid dropping, so that we can retain some selected caps
2985 * if we need to later on. */
2986 if (prctl(PR_SET_KEEPCAPS
, 1) < 0)
2987 return log_error_errno(errno
, "Failed to set PR_SET_KEEPCAPS: %m");
2989 if (uid_is_valid(arg_uid
) || gid_is_valid(arg_gid
))
2990 r
= change_uid_gid_raw(arg_uid
, arg_gid
, arg_supplementary_gids
, arg_n_supplementary_gids
);
2992 r
= change_uid_gid(arg_user
, &home
);
2996 r
= drop_capabilities(getuid());
2998 return log_error_errno(r
, "Dropping capabilities failed: %m");
3000 if (arg_no_new_privileges
)
3001 if (prctl(PR_SET_NO_NEW_PRIVS
, 1, 0, 0, 0) < 0)
3002 return log_error_errno(errno
, "Failed to disable new privileges: %m");
3004 /* LXC sets container=lxc, so follow the scheme here */
3005 envp
[n_env
++] = strjoina("container=", arg_container_service_name
);
3007 envp
[n_env
] = strv_find_prefix(environ
, "TERM=");
3011 if (home
|| !uid_is_valid(arg_uid
) || arg_uid
== 0)
3012 if (asprintf((char**)(envp
+ n_env
++), "HOME=%s", home
?: "/root") < 0)
3015 if (arg_user
|| !uid_is_valid(arg_uid
) || arg_uid
== 0)
3016 if (asprintf((char**)(envp
+ n_env
++), "USER=%s", arg_user
?: "root") < 0 ||
3017 asprintf((char**)(envp
+ n_env
++), "LOGNAME=%s", arg_user
? arg_user
: "root") < 0)
3020 assert(!sd_id128_is_null(arg_uuid
));
3022 if (asprintf((char**)(envp
+ n_env
++), "container_uuid=%s", id128_to_uuid_string(arg_uuid
, as_uuid
)) < 0)
3025 if (fdset_size(fds
) > 0) {
3026 r
= fdset_cloexec(fds
, false);
3028 return log_error_errno(r
, "Failed to unset O_CLOEXEC for file descriptors.");
3030 if ((asprintf((char **)(envp
+ n_env
++), "LISTEN_FDS=%u", fdset_size(fds
)) < 0) ||
3031 (asprintf((char **)(envp
+ n_env
++), "LISTEN_PID=1") < 0))
3034 if (asprintf((char **)(envp
+ n_env
++), "NOTIFY_SOCKET=%s", NSPAWN_NOTIFY_SOCKET_PATH
) < 0)
3037 env_use
= strv_env_merge(2, envp
, arg_setenv
);
3041 /* Let the parent know that we are ready and
3042 * wait until the parent is ready with the
3044 if (!barrier_place_and_sync(barrier
)) /* #5 */
3045 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
3046 "Parent died too early");
3049 if (chdir(arg_chdir
) < 0)
3050 return log_error_errno(errno
, "Failed to change to specified working directory %s: %m", arg_chdir
);
3052 if (arg_start_mode
== START_PID2
) {
3053 r
= stub_pid1(arg_uuid
);
3058 log_debug("Inner child completed, invoking payload.");
3060 /* Now, explicitly close the log, so that we then can close all remaining fds. Closing the log explicitly first
3061 * has the benefit that the logging subsystem knows about it, and is thus ready to be reopened should we need
3062 * it again. Note that the other fds closed here are at least the locking and barrier fds. */
3064 log_set_open_when_needed(true);
3066 (void) fdset_close_others(fds
);
3068 if (arg_start_mode
== START_BOOT
) {
3072 /* Automatically search for the init system */
3074 m
= strv_length(arg_parameters
);
3075 a
= newa(char*, m
+ 2);
3076 memcpy_safe(a
+ 1, arg_parameters
, m
* sizeof(char*));
3079 a
[0] = (char*) "/usr/lib/systemd/systemd";
3080 execve(a
[0], a
, env_use
);
3082 a
[0] = (char*) "/lib/systemd/systemd";
3083 execve(a
[0], a
, env_use
);
3085 a
[0] = (char*) "/sbin/init";
3086 execve(a
[0], a
, env_use
);
3088 exec_target
= "/usr/lib/systemd/systemd, /lib/systemd/systemd, /sbin/init";
3089 } else if (!strv_isempty(arg_parameters
)) {
3090 const char *dollar_path
;
3092 exec_target
= arg_parameters
[0];
3094 /* Use the user supplied search $PATH if there is one, or DEFAULT_PATH_COMPAT if not to search the
3096 dollar_path
= strv_env_get(env_use
, "PATH");
3098 if (putenv((char*) dollar_path
) != 0)
3099 return log_error_errno(errno
, "Failed to update $PATH: %m");
3102 execvpe(arg_parameters
[0], arg_parameters
, env_use
);
3105 /* If we cannot change the directory, we'll end up in /, that is expected. */
3106 (void) chdir(home
?: "/root");
3108 execle("/bin/bash", "-bash", NULL
, env_use
);
3109 execle("/bin/sh", "-sh", NULL
, env_use
);
3111 exec_target
= "/bin/bash, /bin/sh";
3114 return log_error_errno(errno
, "execv(%s) failed: %m", exec_target
);
3117 static int setup_sd_notify_child(void) {
3118 _cleanup_close_
int fd
= -1;
3119 union sockaddr_union sa
= {
3120 .un
.sun_family
= AF_UNIX
,
3121 .un
.sun_path
= NSPAWN_NOTIFY_SOCKET_PATH
,
3125 fd
= socket(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
3127 return log_error_errno(errno
, "Failed to allocate notification socket: %m");
3129 (void) mkdir_parents(NSPAWN_NOTIFY_SOCKET_PATH
, 0755);
3130 (void) sockaddr_un_unlink(&sa
.un
);
3132 r
= bind(fd
, &sa
.sa
, SOCKADDR_UN_LEN(sa
.un
));
3134 return log_error_errno(errno
, "bind(" NSPAWN_NOTIFY_SOCKET_PATH
") failed: %m");
3136 r
= userns_lchown(NSPAWN_NOTIFY_SOCKET_PATH
, 0, 0);
3138 return log_error_errno(r
, "Failed to chown " NSPAWN_NOTIFY_SOCKET_PATH
": %m");
3140 r
= setsockopt_int(fd
, SOL_SOCKET
, SO_PASSCRED
, true);
3142 return log_error_errno(r
, "SO_PASSCRED failed: %m");
3147 static int outer_child(
3149 const char *directory
,
3150 const char *console
,
3151 DissectedImage
*dissected_image
,
3158 int uid_shift_socket
,
3159 int unified_cgroup_hierarchy_socket
,
3163 _cleanup_close_
int fd
= -1;
3168 /* This is the "outer" child process, i.e the one forked off by the container manager itself. It already has
3169 * its own CLONE_NEWNS namespace (which was created by the clone()). It still lives in the host's CLONE_NEWPID,
3170 * CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER and CLONE_NEWNET namespaces. After it completed a number of
3171 * initializations a second child (the "inner" one) is forked off it, and it exits. */
3175 assert(pid_socket
>= 0);
3176 assert(uuid_socket
>= 0);
3177 assert(notify_socket
>= 0);
3178 assert(kmsg_socket
>= 0);
3180 log_debug("Outer child is initializing.");
3182 if (prctl(PR_SET_PDEATHSIG
, SIGKILL
) < 0)
3183 return log_error_errno(errno
, "PR_SET_PDEATHSIG failed: %m");
3185 if (arg_console_mode
!= CONSOLE_PIPE
) {
3190 terminal
= open_terminal(console
, O_RDWR
);
3192 return log_error_errno(terminal
, "Failed to open console: %m");
3194 /* Make sure we can continue logging to the original stderr, even if stderr points elsewhere now */
3195 r
= log_dup_console();
3197 return log_error_errno(r
, "Failed to duplicate stderr: %m");
3199 r
= rearrange_stdio(terminal
, terminal
, terminal
); /* invalidates 'terminal' on success and failure */
3201 return log_error_errno(r
, "Failed to move console to stdin/stdout/stderr: %m");
3204 r
= reset_audit_loginuid();
3208 /* Mark everything as slave, so that we still
3209 * receive mounts from the real root, but don't
3210 * propagate mounts to the real root. */
3211 r
= mount_verbose(LOG_ERR
, NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
);
3215 if (dissected_image
) {
3216 /* If we are operating on a disk image, then mount its root directory now, but leave out the rest. We
3217 * can read the UID shift from it if we need to. Further down we'll mount the rest, but then with the
3218 * uid shift known. That way we can mount VFAT file systems shifted to the right place right away. This
3219 * makes sure ESP partitions and userns are compatible. */
3221 r
= dissected_image_mount(dissected_image
, directory
, arg_uid_shift
,
3222 DISSECT_IMAGE_MOUNT_ROOT_ONLY
|DISSECT_IMAGE_DISCARD_ON_LOOP
|
3223 (arg_read_only
? DISSECT_IMAGE_READ_ONLY
: 0)|
3224 (arg_start_mode
== START_BOOT
? DISSECT_IMAGE_VALIDATE_OS
: 0));
3229 r
= determine_uid_shift(directory
);
3233 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
3234 /* Let the parent know which UID shift we read from the image */
3235 l
= send(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), MSG_NOSIGNAL
);
3237 return log_error_errno(errno
, "Failed to send UID shift: %m");
3238 if (l
!= sizeof(arg_uid_shift
))
3239 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3240 "Short write while sending UID shift.");
3242 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
3243 /* When we are supposed to pick the UID shift, the parent will check now whether the UID shift
3244 * we just read from the image is available. If yes, it will send the UID shift back to us, if
3245 * not it will pick a different one, and send it back to us. */
3247 l
= recv(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), 0);
3249 return log_error_errno(errno
, "Failed to recv UID shift: %m");
3250 if (l
!= sizeof(arg_uid_shift
))
3251 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3252 "Short read while receiving UID shift.");
3255 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
,
3256 "Selected user namespace base " UID_FMT
" and range " UID_FMT
".", arg_uid_shift
, arg_uid_range
);
3259 if (!dissected_image
) {
3260 /* Turn directory into bind mount */
3261 r
= mount_verbose(LOG_ERR
, directory
, directory
, NULL
, MS_BIND
|MS_REC
, NULL
);
3266 r
= setup_pivot_root(
3269 arg_pivot_root_old
);
3273 r
= setup_volatile_mode(
3276 arg_userns_mode
!= USER_NAMESPACE_NO
,
3279 arg_selinux_context
);
3283 if (dissected_image
) {
3284 /* Now we know the uid shift, let's now mount everything else that might be in the image. */
3285 r
= dissected_image_mount(dissected_image
, directory
, arg_uid_shift
,
3286 DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY
|DISSECT_IMAGE_DISCARD_ON_LOOP
|(arg_read_only
? DISSECT_IMAGE_READ_ONLY
: 0));
3291 if (arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
) {
3292 /* OK, we don't know yet which cgroup mode to use yet. Let's figure it out, and tell the parent. */
3294 r
= detect_unified_cgroup_hierarchy_from_image(directory
);
3298 l
= send(unified_cgroup_hierarchy_socket
, &arg_unified_cgroup_hierarchy
, sizeof(arg_unified_cgroup_hierarchy
), MSG_NOSIGNAL
);
3300 return log_error_errno(errno
, "Failed to send cgroup mode: %m");
3301 if (l
!= sizeof(arg_unified_cgroup_hierarchy
))
3302 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3303 "Short write while sending cgroup mode.");
3305 unified_cgroup_hierarchy_socket
= safe_close(unified_cgroup_hierarchy_socket
);
3308 /* Mark everything as shared so our mounts get propagated down. This is
3309 * required to make new bind mounts available in systemd services
3310 * inside the containter that create a new mount namespace.
3311 * See https://github.com/systemd/systemd/issues/3860
3312 * Further submounts (such as /dev) done after this will inherit the
3313 * shared propagation mode. */
3314 r
= mount_verbose(LOG_ERR
, NULL
, directory
, NULL
, MS_SHARED
|MS_REC
, NULL
);
3318 r
= recursive_chown(directory
, arg_uid_shift
, arg_uid_range
);
3322 r
= base_filesystem_create(directory
, arg_uid_shift
, (gid_t
) arg_uid_shift
);
3326 if (arg_read_only
&& arg_volatile_mode
== VOLATILE_NO
) {
3327 r
= bind_remount_recursive(directory
, MS_RDONLY
, MS_RDONLY
, NULL
);
3329 return log_error_errno(r
, "Failed to make tree read-only: %m");
3332 r
= mount_all(directory
,
3335 arg_selinux_apifs_context
);
3339 r
= copy_devnodes(directory
);
3343 r
= make_extra_nodes(directory
);
3347 (void) dev_setup(directory
, arg_uid_shift
, arg_uid_shift
);
3348 (void) make_inaccessible_nodes(directory
, arg_uid_shift
, arg_uid_shift
);
3350 r
= setup_pts(directory
);
3354 r
= setup_propagate(directory
);
3358 r
= setup_dev_console(directory
, console
);
3362 r
= setup_keyring();
3366 r
= setup_timezone(directory
);
3370 r
= setup_resolv_conf(directory
);
3374 r
= setup_machine_id(directory
);
3378 r
= setup_journal(directory
);
3385 arg_n_custom_mounts
,
3386 arg_userns_mode
!= USER_NAMESPACE_NO
,
3389 arg_selinux_apifs_context
,
3394 if (!arg_use_cgns
) {
3397 arg_unified_cgroup_hierarchy
,
3398 arg_userns_mode
!= USER_NAMESPACE_NO
,
3401 arg_selinux_apifs_context
,
3407 r
= mount_move_root(directory
);
3409 return log_error_errno(r
, "Failed to move root directory: %m");
3411 fd
= setup_sd_notify_child();
3415 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
|
3416 arg_clone_ns_flags
|
3417 (arg_userns_mode
!= USER_NAMESPACE_NO
? CLONE_NEWUSER
: 0));
3419 return log_error_errno(errno
, "Failed to fork inner child: %m");
3421 pid_socket
= safe_close(pid_socket
);
3422 uuid_socket
= safe_close(uuid_socket
);
3423 notify_socket
= safe_close(notify_socket
);
3424 uid_shift_socket
= safe_close(uid_shift_socket
);
3426 /* The inner child has all namespaces that are
3427 * requested, so that we all are owned by the user if
3428 * user namespaces are turned on. */
3430 if (arg_network_namespace_path
) {
3431 r
= namespace_enter(-1, -1, netns_fd
, -1, -1);
3433 return log_error_errno(r
, "Failed to join network namespace: %m");
3436 r
= inner_child(barrier
, directory
, secondary
, kmsg_socket
, rtnl_socket
, fds
);
3438 _exit(EXIT_FAILURE
);
3440 _exit(EXIT_SUCCESS
);
3443 l
= send(pid_socket
, &pid
, sizeof(pid
), MSG_NOSIGNAL
);
3445 return log_error_errno(errno
, "Failed to send PID: %m");
3446 if (l
!= sizeof(pid
))
3447 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3448 "Short write while sending PID.");
3450 l
= send(uuid_socket
, &arg_uuid
, sizeof(arg_uuid
), MSG_NOSIGNAL
);
3452 return log_error_errno(errno
, "Failed to send machine ID: %m");
3453 if (l
!= sizeof(arg_uuid
))
3454 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3455 "Short write while sending machine ID.");
3457 l
= send_one_fd(notify_socket
, fd
, 0);
3459 return log_error_errno(errno
, "Failed to send notify fd: %m");
3461 pid_socket
= safe_close(pid_socket
);
3462 uuid_socket
= safe_close(uuid_socket
);
3463 notify_socket
= safe_close(notify_socket
);
3464 kmsg_socket
= safe_close(kmsg_socket
);
3465 rtnl_socket
= safe_close(rtnl_socket
);
3466 netns_fd
= safe_close(netns_fd
);
3471 static int uid_shift_pick(uid_t
*shift
, LockFile
*ret_lock_file
) {
3472 bool tried_hashed
= false;
3473 unsigned n_tries
= 100;
3478 assert(ret_lock_file
);
3479 assert(arg_userns_mode
== USER_NAMESPACE_PICK
);
3480 assert(arg_uid_range
== 0x10000U
);
3484 (void) mkdir("/run/systemd/nspawn-uid", 0755);
3487 char lock_path
[STRLEN("/run/systemd/nspawn-uid/") + DECIMAL_STR_MAX(uid_t
) + 1];
3488 _cleanup_(release_lock_file
) LockFile lf
= LOCK_FILE_INIT
;
3493 if (candidate
< CONTAINER_UID_BASE_MIN
|| candidate
> CONTAINER_UID_BASE_MAX
)
3495 if ((candidate
& UINT32_C(0xFFFF)) != 0)
3498 xsprintf(lock_path
, "/run/systemd/nspawn-uid/" UID_FMT
, candidate
);
3499 r
= make_lock_file(lock_path
, LOCK_EX
|LOCK_NB
, &lf
);
3500 if (r
== -EBUSY
) /* Range already taken by another nspawn instance */
3505 /* Make some superficial checks whether the range is currently known in the user database */
3506 if (getpwuid(candidate
))
3508 if (getpwuid(candidate
+ UINT32_C(0xFFFE)))
3510 if (getgrgid(candidate
))
3512 if (getgrgid(candidate
+ UINT32_C(0xFFFE)))
3515 *ret_lock_file
= lf
;
3516 lf
= (struct LockFile
) LOCK_FILE_INIT
;
3521 if (arg_machine
&& !tried_hashed
) {
3522 /* Try to hash the base from the container name */
3524 static const uint8_t hash_key
[] = {
3525 0xe1, 0x56, 0xe0, 0xf0, 0x4a, 0xf0, 0x41, 0xaf,
3526 0x96, 0x41, 0xcf, 0x41, 0x33, 0x94, 0xff, 0x72
3529 candidate
= (uid_t
) siphash24(arg_machine
, strlen(arg_machine
), hash_key
);
3531 tried_hashed
= true;
3533 random_bytes(&candidate
, sizeof(candidate
));
3535 candidate
= (candidate
% (CONTAINER_UID_BASE_MAX
- CONTAINER_UID_BASE_MIN
)) + CONTAINER_UID_BASE_MIN
;
3536 candidate
&= (uid_t
) UINT32_C(0xFFFF0000);
3540 static int setup_uid_map(pid_t pid
) {
3541 char uid_map
[STRLEN("/proc//uid_map") + DECIMAL_STR_MAX(uid_t
) + 1], line
[DECIMAL_STR_MAX(uid_t
)*3+3+1];
3546 xsprintf(uid_map
, "/proc/" PID_FMT
"/uid_map", pid
);
3547 xsprintf(line
, UID_FMT
" " UID_FMT
" " UID_FMT
"\n", 0, arg_uid_shift
, arg_uid_range
);
3548 r
= write_string_file(uid_map
, line
, WRITE_STRING_FILE_DISABLE_BUFFER
);
3550 return log_error_errno(r
, "Failed to write UID map: %m");
3552 /* We always assign the same UID and GID ranges */
3553 xsprintf(uid_map
, "/proc/" PID_FMT
"/gid_map", pid
);
3554 r
= write_string_file(uid_map
, line
, WRITE_STRING_FILE_DISABLE_BUFFER
);
3556 return log_error_errno(r
, "Failed to write GID map: %m");
3561 static int nspawn_dispatch_notify_fd(sd_event_source
*source
, int fd
, uint32_t revents
, void *userdata
) {
3562 char buf
[NOTIFY_BUFFER_MAX
+1];
3564 struct iovec iovec
= {
3566 .iov_len
= sizeof(buf
)-1,
3569 struct cmsghdr cmsghdr
;
3570 uint8_t buf
[CMSG_SPACE(sizeof(struct ucred
)) +
3571 CMSG_SPACE(sizeof(int) * NOTIFY_FD_MAX
)];
3573 struct msghdr msghdr
= {
3576 .msg_control
= &control
,
3577 .msg_controllen
= sizeof(control
),
3579 struct cmsghdr
*cmsg
;
3580 struct ucred
*ucred
= NULL
;
3582 pid_t inner_child_pid
;
3583 _cleanup_strv_free_
char **tags
= NULL
;
3587 inner_child_pid
= PTR_TO_PID(userdata
);
3589 if (revents
!= EPOLLIN
) {
3590 log_warning("Got unexpected poll event for notify fd.");
3594 n
= recvmsg(fd
, &msghdr
, MSG_DONTWAIT
|MSG_CMSG_CLOEXEC
);
3596 if (IN_SET(errno
, EAGAIN
, EINTR
))
3599 return log_warning_errno(errno
, "Couldn't read notification socket: %m");
3601 cmsg_close_all(&msghdr
);
3603 CMSG_FOREACH(cmsg
, &msghdr
) {
3604 if (cmsg
->cmsg_level
== SOL_SOCKET
&&
3605 cmsg
->cmsg_type
== SCM_CREDENTIALS
&&
3606 cmsg
->cmsg_len
== CMSG_LEN(sizeof(struct ucred
))) {
3608 ucred
= (struct ucred
*) CMSG_DATA(cmsg
);
3612 if (!ucred
|| ucred
->pid
!= inner_child_pid
) {
3613 log_debug("Received notify message without valid credentials. Ignoring.");
3617 if ((size_t) n
>= sizeof(buf
)) {
3618 log_warning("Received notify message exceeded maximum size. Ignoring.");
3623 tags
= strv_split(buf
, "\n\r");
3627 if (strv_find(tags
, "READY=1"))
3628 (void) sd_notifyf(false, "READY=1\n");
3630 p
= strv_find_startswith(tags
, "STATUS=");
3632 (void) sd_notifyf(false, "STATUS=Container running: %s", p
);
3637 static int setup_sd_notify_parent(sd_event
*event
, int fd
, pid_t
*inner_child_pid
, sd_event_source
**notify_event_source
) {
3640 r
= sd_event_add_io(event
, notify_event_source
, fd
, EPOLLIN
, nspawn_dispatch_notify_fd
, inner_child_pid
);
3642 return log_error_errno(r
, "Failed to allocate notify event source: %m");
3644 (void) sd_event_source_set_description(*notify_event_source
, "nspawn-notify");
3649 static int merge_settings(Settings
*settings
, const char *path
) {
3655 /* Copy over bits from the settings, unless they have been explicitly masked by command line switches. Note
3656 * that this steals the fields of the Settings* structure, and hence modifies it. */
3658 if ((arg_settings_mask
& SETTING_START_MODE
) == 0 &&
3659 settings
->start_mode
>= 0) {
3660 arg_start_mode
= settings
->start_mode
;
3661 strv_free_and_replace(arg_parameters
, settings
->parameters
);
3664 if ((arg_settings_mask
& SETTING_EPHEMERAL
) == 0)
3665 arg_ephemeral
= settings
->ephemeral
;
3667 if ((arg_settings_mask
& SETTING_DIRECTORY
) == 0 &&
3670 if (!arg_settings_trusted
)
3671 log_warning("Ignoring root directory setting, file %s is not trusted.", path
);
3673 free_and_replace(arg_directory
, settings
->root
);
3676 if ((arg_settings_mask
& SETTING_PIVOT_ROOT
) == 0 &&
3677 settings
->pivot_root_new
) {
3678 free_and_replace(arg_pivot_root_new
, settings
->pivot_root_new
);
3679 free_and_replace(arg_pivot_root_old
, settings
->pivot_root_old
);
3682 if ((arg_settings_mask
& SETTING_WORKING_DIRECTORY
) == 0 &&
3683 settings
->working_directory
)
3684 free_and_replace(arg_chdir
, settings
->working_directory
);
3686 if ((arg_settings_mask
& SETTING_ENVIRONMENT
) == 0 &&
3687 settings
->environment
)
3688 strv_free_and_replace(arg_setenv
, settings
->environment
);
3690 if ((arg_settings_mask
& SETTING_USER
) == 0) {
3693 free_and_replace(arg_user
, settings
->user
);
3695 if (uid_is_valid(settings
->uid
))
3696 arg_uid
= settings
->uid
;
3697 if (gid_is_valid(settings
->gid
))
3698 arg_gid
= settings
->gid
;
3699 if (settings
->n_supplementary_gids
> 0) {
3700 free_and_replace(arg_supplementary_gids
, settings
->supplementary_gids
);
3701 arg_n_supplementary_gids
= settings
->n_supplementary_gids
;
3705 if ((arg_settings_mask
& SETTING_CAPABILITY
) == 0) {
3706 uint64_t plus
, minus
;
3708 /* Note that we copy both the simple plus/minus caps here, and the full quintet from the
3709 * Settings structure */
3711 plus
= settings
->capability
;
3712 minus
= settings
->drop_capability
;
3714 if ((arg_settings_mask
& SETTING_NETWORK
) == 0) {
3715 if (settings_private_network(settings
))
3716 plus
|= UINT64_C(1) << CAP_NET_ADMIN
;
3718 minus
|= UINT64_C(1) << CAP_NET_ADMIN
;
3721 if (!arg_settings_trusted
&& plus
!= 0) {
3722 if (settings
->capability
!= 0)
3723 log_warning("Ignoring Capability= setting, file %s is not trusted.", path
);
3725 arg_caps_retain
|= plus
;
3727 arg_caps_retain
&= ~minus
;
3729 /* Copy the full capabilities over too */
3730 if (capability_quintet_is_set(&settings
->full_capabilities
)) {
3731 if (!arg_settings_trusted
)
3732 log_warning("Ignoring capabilitiy settings, file %s is not trusted.", path
);
3734 arg_full_capabilities
= settings
->full_capabilities
;
3738 if ((arg_settings_mask
& SETTING_KILL_SIGNAL
) == 0 &&
3739 settings
->kill_signal
> 0)
3740 arg_kill_signal
= settings
->kill_signal
;
3742 if ((arg_settings_mask
& SETTING_PERSONALITY
) == 0 &&
3743 settings
->personality
!= PERSONALITY_INVALID
)
3744 arg_personality
= settings
->personality
;
3746 if ((arg_settings_mask
& SETTING_MACHINE_ID
) == 0 &&
3747 !sd_id128_is_null(settings
->machine_id
)) {
3749 if (!arg_settings_trusted
)
3750 log_warning("Ignoring MachineID= setting, file %s is not trusted.", path
);
3752 arg_uuid
= settings
->machine_id
;
3755 if ((arg_settings_mask
& SETTING_READ_ONLY
) == 0 &&
3756 settings
->read_only
>= 0)
3757 arg_read_only
= settings
->read_only
;
3759 if ((arg_settings_mask
& SETTING_VOLATILE_MODE
) == 0 &&
3760 settings
->volatile_mode
!= _VOLATILE_MODE_INVALID
)
3761 arg_volatile_mode
= settings
->volatile_mode
;
3763 if ((arg_settings_mask
& SETTING_CUSTOM_MOUNTS
) == 0 &&
3764 settings
->n_custom_mounts
> 0) {
3766 if (!arg_settings_trusted
)
3767 log_warning("Ignoring TemporaryFileSystem=, Bind= and BindReadOnly= settings, file %s is not trusted.", path
);
3769 custom_mount_free_all(arg_custom_mounts
, arg_n_custom_mounts
);
3770 arg_custom_mounts
= TAKE_PTR(settings
->custom_mounts
);
3771 arg_n_custom_mounts
= settings
->n_custom_mounts
;
3772 settings
->n_custom_mounts
= 0;
3776 if ((arg_settings_mask
& SETTING_NETWORK
) == 0 &&
3777 (settings
->private_network
>= 0 ||
3778 settings
->network_veth
>= 0 ||
3779 settings
->network_bridge
||
3780 settings
->network_zone
||
3781 settings
->network_interfaces
||
3782 settings
->network_macvlan
||
3783 settings
->network_ipvlan
||
3784 settings
->network_veth_extra
||
3785 settings
->network_namespace_path
)) {
3787 if (!arg_settings_trusted
)
3788 log_warning("Ignoring network settings, file %s is not trusted.", path
);
3790 arg_network_veth
= settings_network_veth(settings
);
3791 arg_private_network
= settings_private_network(settings
);
3793 strv_free_and_replace(arg_network_interfaces
, settings
->network_interfaces
);
3794 strv_free_and_replace(arg_network_macvlan
, settings
->network_macvlan
);
3795 strv_free_and_replace(arg_network_ipvlan
, settings
->network_ipvlan
);
3796 strv_free_and_replace(arg_network_veth_extra
, settings
->network_veth_extra
);
3798 free_and_replace(arg_network_bridge
, settings
->network_bridge
);
3799 free_and_replace(arg_network_zone
, settings
->network_zone
);
3801 free_and_replace(arg_network_namespace_path
, settings
->network_namespace_path
);
3805 if ((arg_settings_mask
& SETTING_EXPOSE_PORTS
) == 0 &&
3806 settings
->expose_ports
) {
3808 if (!arg_settings_trusted
)
3809 log_warning("Ignoring Port= setting, file %s is not trusted.", path
);
3811 expose_port_free_all(arg_expose_ports
);
3812 arg_expose_ports
= TAKE_PTR(settings
->expose_ports
);
3816 if ((arg_settings_mask
& SETTING_USERNS
) == 0 &&
3817 settings
->userns_mode
!= _USER_NAMESPACE_MODE_INVALID
) {
3819 if (!arg_settings_trusted
)
3820 log_warning("Ignoring PrivateUsers= and PrivateUsersChown= settings, file %s is not trusted.", path
);
3822 arg_userns_mode
= settings
->userns_mode
;
3823 arg_uid_shift
= settings
->uid_shift
;
3824 arg_uid_range
= settings
->uid_range
;
3825 arg_userns_chown
= settings
->userns_chown
;
3829 if ((arg_settings_mask
& SETTING_NOTIFY_READY
) == 0)
3830 arg_notify_ready
= settings
->notify_ready
;
3832 if ((arg_settings_mask
& SETTING_SYSCALL_FILTER
) == 0) {
3834 if (!arg_settings_trusted
&& !strv_isempty(settings
->syscall_whitelist
))
3835 log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path
);
3837 strv_free_and_replace(arg_syscall_whitelist
, settings
->syscall_whitelist
);
3838 strv_free_and_replace(arg_syscall_blacklist
, settings
->syscall_blacklist
);
3842 if (!arg_settings_trusted
&& settings
->seccomp
)
3843 log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path
);
3845 seccomp_release(arg_seccomp
);
3846 arg_seccomp
= TAKE_PTR(settings
->seccomp
);
3851 for (rl
= 0; rl
< _RLIMIT_MAX
; rl
++) {
3852 if ((arg_settings_mask
& (SETTING_RLIMIT_FIRST
<< rl
)))
3855 if (!settings
->rlimit
[rl
])
3858 if (!arg_settings_trusted
) {
3859 log_warning("Ignoring Limit%s= setting, file '%s' is not trusted.", rlimit_to_string(rl
), path
);
3863 free_and_replace(arg_rlimit
[rl
], settings
->rlimit
[rl
]);
3866 if ((arg_settings_mask
& SETTING_HOSTNAME
) == 0 &&
3868 free_and_replace(arg_hostname
, settings
->hostname
);
3870 if ((arg_settings_mask
& SETTING_NO_NEW_PRIVILEGES
) == 0 &&
3871 settings
->no_new_privileges
>= 0)
3872 arg_no_new_privileges
= settings
->no_new_privileges
;
3874 if ((arg_settings_mask
& SETTING_OOM_SCORE_ADJUST
) == 0 &&
3875 settings
->oom_score_adjust_set
) {
3877 if (!arg_settings_trusted
)
3878 log_warning("Ignoring OOMScoreAdjust= setting, file '%s' is not trusted.", path
);
3880 arg_oom_score_adjust
= settings
->oom_score_adjust
;
3881 arg_oom_score_adjust_set
= true;
3885 if ((arg_settings_mask
& SETTING_CPU_AFFINITY
) == 0 &&
3888 if (!arg_settings_trusted
)
3889 log_warning("Ignoring CPUAffinity= setting, file '%s' is not trusted.", path
);
3892 CPU_FREE(arg_cpuset
);
3893 arg_cpuset
= TAKE_PTR(settings
->cpuset
);
3894 arg_cpuset_ncpus
= settings
->cpuset_ncpus
;
3898 if ((arg_settings_mask
& SETTING_RESOLV_CONF
) == 0 &&
3899 settings
->resolv_conf
!= _RESOLV_CONF_MODE_INVALID
)
3900 arg_resolv_conf
= settings
->resolv_conf
;
3902 if ((arg_settings_mask
& SETTING_LINK_JOURNAL
) == 0 &&
3903 settings
->link_journal
!= _LINK_JOURNAL_INVALID
) {
3905 if (!arg_settings_trusted
)
3906 log_warning("Ignoring journal link setting, file '%s' is not trusted.", path
);
3908 arg_link_journal
= settings
->link_journal
;
3909 arg_link_journal_try
= settings
->link_journal_try
;
3913 if ((arg_settings_mask
& SETTING_TIMEZONE
) == 0 &&
3914 settings
->timezone
!= _TIMEZONE_MODE_INVALID
)
3915 arg_timezone
= settings
->timezone
;
3917 if ((arg_settings_mask
& SETTING_SLICE
) == 0 &&
3920 if (!arg_settings_trusted
)
3921 log_warning("Ignoring slice setting, file '%s' is not trusted.", path
);
3923 free_and_replace(arg_slice
, settings
->slice
);
3926 if ((arg_settings_mask
& SETTING_USE_CGNS
) == 0 &&
3927 settings
->use_cgns
>= 0) {
3929 if (!arg_settings_trusted
)
3930 log_warning("Ignoring cgroup namespace setting, file '%s' is not trusted.", path
);
3932 arg_use_cgns
= settings
->use_cgns
;
3935 if ((arg_settings_mask
& SETTING_CLONE_NS_FLAGS
) == 0 &&
3936 settings
->clone_ns_flags
!= (unsigned long) -1) {
3938 if (!arg_settings_trusted
)
3939 log_warning("Ignoring namespace setting, file '%s' is not trusted.", path
);
3941 arg_clone_ns_flags
= settings
->clone_ns_flags
;
3944 if ((arg_settings_mask
& SETTING_CONSOLE_MODE
) == 0 &&
3945 settings
->console_mode
>= 0) {
3947 if (!arg_settings_trusted
)
3948 log_warning("Ignoring console mode setting, file '%s' is not trusted.", path
);
3950 arg_console_mode
= settings
->console_mode
;
3953 /* The following properties can only be set through the OCI settings logic, not from the command line, hence we
3954 * don't consult arg_settings_mask for them. */
3956 sd_bus_message_unref(arg_property_message
);
3957 arg_property_message
= TAKE_PTR(settings
->properties
);
3959 arg_console_width
= settings
->console_width
;
3960 arg_console_height
= settings
->console_height
;
3962 device_node_array_free(arg_extra_nodes
, arg_n_extra_nodes
);
3963 arg_extra_nodes
= TAKE_PTR(settings
->extra_nodes
);
3964 arg_n_extra_nodes
= settings
->n_extra_nodes
;
3969 static int load_settings(void) {
3970 _cleanup_(settings_freep
) Settings
*settings
= NULL
;
3971 _cleanup_fclose_
FILE *f
= NULL
;
3972 _cleanup_free_
char *p
= NULL
;
3979 /* If all settings are masked, there's no point in looking for
3980 * the settings file */
3981 if ((arg_settings_mask
& _SETTINGS_MASK_ALL
) == _SETTINGS_MASK_ALL
)
3984 fn
= strjoina(arg_machine
, ".nspawn");
3986 /* We first look in the admin's directories in /etc and /run */
3987 FOREACH_STRING(i
, "/etc/systemd/nspawn", "/run/systemd/nspawn") {
3988 _cleanup_free_
char *j
= NULL
;
3990 j
= strjoin(i
, "/", fn
);
3998 /* By default, we trust configuration from /etc and /run */
3999 if (arg_settings_trusted
< 0)
4000 arg_settings_trusted
= true;
4005 if (errno
!= ENOENT
)
4006 return log_error_errno(errno
, "Failed to open %s: %m", j
);
4010 /* After that, let's look for a file next to the
4011 * actual image we shall boot. */
4014 p
= file_in_same_dir(arg_image
, fn
);
4017 } else if (arg_directory
) {
4018 p
= file_in_same_dir(arg_directory
, fn
);
4025 if (!f
&& errno
!= ENOENT
)
4026 return log_error_errno(errno
, "Failed to open %s: %m", p
);
4028 /* By default, we do not trust configuration from /var/lib/machines */
4029 if (arg_settings_trusted
< 0)
4030 arg_settings_trusted
= false;
4037 log_debug("Settings are trusted: %s", yes_no(arg_settings_trusted
));
4039 r
= settings_load(f
, p
, &settings
);
4043 return merge_settings(settings
, p
);
4046 static int load_oci_bundle(void) {
4047 _cleanup_(settings_freep
) Settings
*settings
= NULL
;
4050 if (!arg_oci_bundle
)
4053 /* By default let's trust OCI bundles */
4054 if (arg_settings_trusted
< 0)
4055 arg_settings_trusted
= true;
4057 r
= oci_load(NULL
, arg_oci_bundle
, &settings
);
4061 return merge_settings(settings
, arg_oci_bundle
);
4064 static int run_container(int master
,
4065 const char* console
,
4066 DissectedImage
*dissected_image
,
4069 char veth_name
[IFNAMSIZ
], bool *veth_created
,
4070 union in_addr_union
*exposed
,
4071 pid_t
*pid
, int *ret
) {
4073 static const struct sigaction sa
= {
4074 .sa_handler
= nop_signal_handler
,
4075 .sa_flags
= SA_NOCLDSTOP
|SA_RESTART
,
4078 _cleanup_(release_lock_file
) LockFile uid_shift_lock
= LOCK_FILE_INIT
;
4079 _cleanup_close_
int etc_passwd_lock
= -1;
4080 _cleanup_close_pair_
int
4081 kmsg_socket_pair
[2] = { -1, -1 },
4082 rtnl_socket_pair
[2] = { -1, -1 },
4083 pid_socket_pair
[2] = { -1, -1 },
4084 uuid_socket_pair
[2] = { -1, -1 },
4085 notify_socket_pair
[2] = { -1, -1 },
4086 uid_shift_socket_pair
[2] = { -1, -1 },
4087 unified_cgroup_hierarchy_socket_pair
[2] = { -1, -1};
4089 _cleanup_close_
int notify_socket
= -1;
4090 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
4091 _cleanup_(sd_event_source_unrefp
) sd_event_source
*notify_event_source
= NULL
;
4092 _cleanup_(sd_event_unrefp
) sd_event
*event
= NULL
;
4093 _cleanup_(pty_forward_freep
) PTYForward
*forward
= NULL
;
4094 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
4095 _cleanup_(sd_bus_flush_close_unrefp
) sd_bus
*bus
= NULL
;
4096 ContainerStatus container_status
= 0;
4100 _cleanup_close_
int netns_fd
= -1;
4102 assert_se(sigemptyset(&mask_chld
) == 0);
4103 assert_se(sigaddset(&mask_chld
, SIGCHLD
) == 0);
4105 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
4106 /* When we shall pick the UID/GID range, let's first lock /etc/passwd, so that we can safely
4107 * check with getpwuid() if the specific user already exists. Note that /etc might be
4108 * read-only, in which case this will fail with EROFS. But that's really OK, as in that case we
4109 * can be reasonably sure that no users are going to be added. Note that getpwuid() checks are
4110 * really just an extra safety net. We kinda assume that the UID range we allocate from is
4113 etc_passwd_lock
= take_etc_passwd_lock(NULL
);
4114 if (etc_passwd_lock
< 0 && etc_passwd_lock
!= -EROFS
)
4115 return log_error_errno(etc_passwd_lock
, "Failed to take /etc/passwd lock: %m");
4118 r
= barrier_create(&barrier
);
4120 return log_error_errno(r
, "Cannot initialize IPC barrier: %m");
4122 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, kmsg_socket_pair
) < 0)
4123 return log_error_errno(errno
, "Failed to create kmsg socket pair: %m");
4125 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, rtnl_socket_pair
) < 0)
4126 return log_error_errno(errno
, "Failed to create rtnl socket pair: %m");
4128 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, pid_socket_pair
) < 0)
4129 return log_error_errno(errno
, "Failed to create pid socket pair: %m");
4131 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, uuid_socket_pair
) < 0)
4132 return log_error_errno(errno
, "Failed to create id socket pair: %m");
4134 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, notify_socket_pair
) < 0)
4135 return log_error_errno(errno
, "Failed to create notify socket pair: %m");
4137 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
4138 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, uid_shift_socket_pair
) < 0)
4139 return log_error_errno(errno
, "Failed to create uid shift socket pair: %m");
4141 if (arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
)
4142 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, unified_cgroup_hierarchy_socket_pair
) < 0)
4143 return log_error_errno(errno
, "Failed to create unified cgroup socket pair: %m");
4145 /* Child can be killed before execv(), so handle SIGCHLD in order to interrupt
4146 * parent's blocking calls and give it a chance to call wait() and terminate. */
4147 r
= sigprocmask(SIG_UNBLOCK
, &mask_chld
, NULL
);
4149 return log_error_errno(errno
, "Failed to change the signal mask: %m");
4151 r
= sigaction(SIGCHLD
, &sa
, NULL
);
4153 return log_error_errno(errno
, "Failed to install SIGCHLD handler: %m");
4155 if (arg_network_namespace_path
) {
4156 netns_fd
= open(arg_network_namespace_path
, O_RDONLY
|O_NOCTTY
|O_CLOEXEC
);
4158 return log_error_errno(errno
, "Cannot open file %s: %m", arg_network_namespace_path
);
4160 r
= fd_is_network_ns(netns_fd
);
4162 log_debug_errno(r
, "Cannot determine if passed network namespace path '%s' really refers to a network namespace, assuming it does.", arg_network_namespace_path
);
4164 return log_error_errno(r
, "Failed to check %s fs type: %m", arg_network_namespace_path
);
4166 log_error("Path %s doesn't refer to a network namespace, refusing.", arg_network_namespace_path
);
4171 *pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
);
4173 return log_error_errno(errno
, "clone() failed%s: %m",
4175 ", do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in)" : "");
4178 /* The outer child only has a file system namespace. */
4179 barrier_set_role(&barrier
, BARRIER_CHILD
);
4181 master
= safe_close(master
);
4183 kmsg_socket_pair
[0] = safe_close(kmsg_socket_pair
[0]);
4184 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4185 pid_socket_pair
[0] = safe_close(pid_socket_pair
[0]);
4186 uuid_socket_pair
[0] = safe_close(uuid_socket_pair
[0]);
4187 notify_socket_pair
[0] = safe_close(notify_socket_pair
[0]);
4188 uid_shift_socket_pair
[0] = safe_close(uid_shift_socket_pair
[0]);
4189 unified_cgroup_hierarchy_socket_pair
[0] = safe_close(unified_cgroup_hierarchy_socket_pair
[0]);
4191 (void) reset_all_signal_handlers();
4192 (void) reset_signal_mask();
4194 r
= outer_child(&barrier
,
4200 uuid_socket_pair
[1],
4201 notify_socket_pair
[1],
4202 kmsg_socket_pair
[1],
4203 rtnl_socket_pair
[1],
4204 uid_shift_socket_pair
[1],
4205 unified_cgroup_hierarchy_socket_pair
[1],
4209 _exit(EXIT_FAILURE
);
4211 _exit(EXIT_SUCCESS
);
4214 barrier_set_role(&barrier
, BARRIER_PARENT
);
4218 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
4219 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
4220 pid_socket_pair
[1] = safe_close(pid_socket_pair
[1]);
4221 uuid_socket_pair
[1] = safe_close(uuid_socket_pair
[1]);
4222 notify_socket_pair
[1] = safe_close(notify_socket_pair
[1]);
4223 uid_shift_socket_pair
[1] = safe_close(uid_shift_socket_pair
[1]);
4224 unified_cgroup_hierarchy_socket_pair
[1] = safe_close(unified_cgroup_hierarchy_socket_pair
[1]);
4226 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
4227 /* The child just let us know the UID shift it might have read from the image. */
4228 l
= recv(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof arg_uid_shift
, 0);
4230 return log_error_errno(errno
, "Failed to read UID shift: %m");
4231 if (l
!= sizeof arg_uid_shift
) {
4232 log_error("Short read while reading UID shift.");
4236 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
4237 /* If we are supposed to pick the UID shift, let's try to use the shift read from the
4238 * image, but if that's already in use, pick a new one, and report back to the child,
4239 * which one we now picked. */
4241 r
= uid_shift_pick(&arg_uid_shift
, &uid_shift_lock
);
4243 return log_error_errno(r
, "Failed to pick suitable UID/GID range: %m");
4245 l
= send(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof arg_uid_shift
, MSG_NOSIGNAL
);
4247 return log_error_errno(errno
, "Failed to send UID shift: %m");
4248 if (l
!= sizeof arg_uid_shift
) {
4249 log_error("Short write while writing UID shift.");
4255 if (arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
) {
4256 /* The child let us know the support cgroup mode it might have read from the image. */
4257 l
= recv(unified_cgroup_hierarchy_socket_pair
[0], &arg_unified_cgroup_hierarchy
, sizeof(arg_unified_cgroup_hierarchy
), 0);
4259 return log_error_errno(errno
, "Failed to read cgroup mode: %m");
4260 if (l
!= sizeof(arg_unified_cgroup_hierarchy
)) {
4261 log_error("Short read while reading cgroup mode (%zu bytes).%s",
4262 l
, l
== 0 ? " The child is most likely dead." : "");
4267 /* Wait for the outer child. */
4268 r
= wait_for_terminate_and_check("(sd-namespace)", *pid
, WAIT_LOG_ABNORMAL
);
4271 if (r
!= EXIT_SUCCESS
)
4274 /* And now retrieve the PID of the inner child. */
4275 l
= recv(pid_socket_pair
[0], pid
, sizeof *pid
, 0);
4277 return log_error_errno(errno
, "Failed to read inner child PID: %m");
4278 if (l
!= sizeof *pid
) {
4279 log_error("Short read while reading inner child PID.");
4283 /* We also retrieve container UUID in case it was generated by outer child */
4284 l
= recv(uuid_socket_pair
[0], &arg_uuid
, sizeof arg_uuid
, 0);
4286 return log_error_errno(errno
, "Failed to read container machine ID: %m");
4287 if (l
!= sizeof(arg_uuid
)) {
4288 log_error("Short read while reading container machined ID.");
4292 /* We also retrieve the socket used for notifications generated by outer child */
4293 notify_socket
= receive_one_fd(notify_socket_pair
[0], 0);
4294 if (notify_socket
< 0)
4295 return log_error_errno(notify_socket
,
4296 "Failed to receive notification socket from the outer child: %m");
4298 log_debug("Init process invoked as PID "PID_FMT
, *pid
);
4300 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
4301 if (!barrier_place_and_sync(&barrier
)) { /* #1 */
4302 log_error("Child died too early.");
4306 r
= setup_uid_map(*pid
);
4310 (void) barrier_place(&barrier
); /* #2 */
4313 if (arg_private_network
) {
4314 if (!arg_network_namespace_path
) {
4315 /* Wait until the child has unshared its network namespace. */
4316 if (!barrier_place_and_sync(&barrier
)) { /* #3 */
4317 log_error("Child died too early");
4322 r
= move_network_interfaces(*pid
, arg_network_interfaces
);
4326 if (arg_network_veth
) {
4327 r
= setup_veth(arg_machine
, *pid
, veth_name
,
4328 arg_network_bridge
|| arg_network_zone
);
4334 if (arg_network_bridge
) {
4335 /* Add the interface to a bridge */
4336 r
= setup_bridge(veth_name
, arg_network_bridge
, false);
4341 } else if (arg_network_zone
) {
4342 /* Add the interface to a bridge, possibly creating it */
4343 r
= setup_bridge(veth_name
, arg_network_zone
, true);
4351 r
= setup_veth_extra(arg_machine
, *pid
, arg_network_veth_extra
);
4355 /* We created the primary and extra veth links now; let's remember this, so that we know to
4356 remove them later on. Note that we don't bother with removing veth links that were created
4357 here when their setup failed half-way, because in that case the kernel should be able to
4358 remove them on its own, since they cannot be referenced by anything yet. */
4359 *veth_created
= true;
4361 r
= setup_macvlan(arg_machine
, *pid
, arg_network_macvlan
);
4365 r
= setup_ipvlan(arg_machine
, *pid
, arg_network_ipvlan
);
4370 if (arg_register
|| !arg_keep_unit
) {
4371 r
= sd_bus_default_system(&bus
);
4373 return log_error_errno(r
, "Failed to open system bus: %m");
4375 r
= sd_bus_set_close_on_exit(bus
, false);
4377 return log_error_errno(r
, "Failed to disable close-on-exit behaviour: %m");
4380 if (!arg_keep_unit
) {
4381 /* When a new scope is created for this container, then we'll be registered as its controller, in which
4382 * case PID 1 will send us a friendly RequestStop signal, when it is asked to terminate the
4383 * scope. Let's hook into that, and cleanly shut down the container, and print a friendly message. */
4385 r
= sd_bus_match_signal_async(
4388 "org.freedesktop.systemd1",
4390 "org.freedesktop.systemd1.Scope",
4392 on_request_stop
, NULL
, PID_TO_PTR(*pid
));
4394 return log_error_errno(r
, "Failed to request RequestStop match: %m");
4398 r
= register_machine(
4406 arg_custom_mounts
, arg_n_custom_mounts
,
4409 arg_property_message
,
4411 arg_container_service_name
);
4415 } else if (!arg_keep_unit
) {
4421 arg_custom_mounts
, arg_n_custom_mounts
,
4424 arg_property_message
);
4428 } else if (arg_slice
|| arg_property
)
4429 log_notice("Machine and scope registration turned off, --slice= and --property= settings will have no effect.");
4431 r
= create_subcgroup(*pid
, arg_keep_unit
, arg_unified_cgroup_hierarchy
);
4435 r
= sync_cgroup(*pid
, arg_unified_cgroup_hierarchy
, arg_uid_shift
);
4439 r
= chown_cgroup(*pid
, arg_unified_cgroup_hierarchy
, arg_uid_shift
);
4443 /* Notify the child that the parent is ready with all
4444 * its setup (including cgroup-ification), and that
4445 * the child can now hand over control to the code to
4446 * run inside the container. */
4447 (void) barrier_place(&barrier
); /* #4 */
4449 /* Block SIGCHLD here, before notifying child.
4450 * process_pty() will handle it with the other signals. */
4451 assert_se(sigprocmask(SIG_BLOCK
, &mask_chld
, NULL
) >= 0);
4453 /* Reset signal to default */
4454 r
= default_signals(SIGCHLD
, -1);
4456 return log_error_errno(r
, "Failed to reset SIGCHLD: %m");
4458 r
= sd_event_new(&event
);
4460 return log_error_errno(r
, "Failed to get default event source: %m");
4462 (void) sd_event_set_watchdog(event
, true);
4465 r
= sd_bus_attach_event(bus
, event
, 0);
4467 return log_error_errno(r
, "Failed to attach bus to event loop: %m");
4470 r
= setup_sd_notify_parent(event
, notify_socket
, PID_TO_PTR(*pid
), ¬ify_event_source
);
4474 /* Let the child know that we are ready and wait that the child is completely ready now. */
4475 if (!barrier_place_and_sync(&barrier
)) { /* #5 */
4476 log_error("Child died too early.");
4480 /* At this point we have made use of the UID we picked, and thus nss-mymachines
4481 * will make them appear in getpwuid(), thus we can release the /etc/passwd lock. */
4482 etc_passwd_lock
= safe_close(etc_passwd_lock
);
4484 (void) sd_notifyf(false,
4485 "STATUS=Container running.\n"
4486 "X_NSPAWN_LEADER_PID=" PID_FMT
, *pid
);
4487 if (!arg_notify_ready
)
4488 (void) sd_notify(false, "READY=1\n");
4490 if (arg_kill_signal
> 0) {
4491 /* Try to kill the init system on SIGINT or SIGTERM */
4492 (void) sd_event_add_signal(event
, NULL
, SIGINT
, on_orderly_shutdown
, PID_TO_PTR(*pid
));
4493 (void) sd_event_add_signal(event
, NULL
, SIGTERM
, on_orderly_shutdown
, PID_TO_PTR(*pid
));
4495 /* Immediately exit */
4496 (void) sd_event_add_signal(event
, NULL
, SIGINT
, NULL
, NULL
);
4497 (void) sd_event_add_signal(event
, NULL
, SIGTERM
, NULL
, NULL
);
4500 /* Exit when the child exits */
4501 (void) sd_event_add_signal(event
, NULL
, SIGCHLD
, on_sigchld
, PID_TO_PTR(*pid
));
4503 if (arg_expose_ports
) {
4504 r
= expose_port_watch_rtnl(event
, rtnl_socket_pair
[0], on_address_change
, exposed
, &rtnl
);
4508 (void) expose_port_execute(rtnl
, arg_expose_ports
, exposed
);
4511 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4513 if (IN_SET(arg_console_mode
, CONSOLE_INTERACTIVE
, CONSOLE_READ_ONLY
)) {
4514 assert(master
>= 0);
4516 r
= pty_forward_new(event
, master
,
4517 PTY_FORWARD_IGNORE_VHANGUP
| (arg_console_mode
== CONSOLE_READ_ONLY
? PTY_FORWARD_READ_ONLY
: 0),
4520 return log_error_errno(r
, "Failed to create PTY forwarder: %m");
4522 if (arg_console_width
!= (unsigned) -1 || arg_console_height
!= (unsigned) -1)
4523 (void) pty_forward_set_width_height(forward
, arg_console_width
, arg_console_height
);
4526 r
= sd_event_loop(event
);
4528 return log_error_errno(r
, "Failed to run event loop: %m");
4533 (void) pty_forward_get_last_char(forward
, &last_char
);
4534 forward
= pty_forward_free(forward
);
4536 if (!arg_quiet
&& last_char
!= '\n')
4540 /* Kill if it is not dead yet anyway */
4543 terminate_machine(bus
, arg_machine
);
4544 else if (!arg_keep_unit
)
4545 terminate_scope(bus
, arg_machine
);
4548 /* Normally redundant, but better safe than sorry */
4549 (void) kill(*pid
, SIGKILL
);
4551 r
= wait_for_container(*pid
, &container_status
);
4555 /* We failed to wait for the container, or the container exited abnormally. */
4557 if (r
> 0 || container_status
== CONTAINER_TERMINATED
) {
4558 /* r > 0 → The container exited with a non-zero status.
4559 * As a special case, we need to replace 133 with a different value,
4560 * because 133 is special-cased in the service file to reboot the container.
4561 * otherwise → The container exited with zero status and a reboot was not requested.
4563 if (r
== EXIT_FORCE_RESTART
)
4564 r
= EXIT_FAILURE
; /* replace 133 with the general failure code */
4566 return 0; /* finito */
4569 /* CONTAINER_REBOOTED, loop again */
4571 if (arg_keep_unit
) {
4572 /* Special handling if we are running as a service: instead of simply
4573 * restarting the machine we want to restart the entire service, so let's
4574 * inform systemd about this with the special exit code 133. The service
4575 * file uses RestartForceExitStatus=133 so that this results in a full
4576 * nspawn restart. This is necessary since we might have cgroup parameters
4577 * set we want to have flushed out. */
4578 *ret
= EXIT_FORCE_RESTART
;
4579 return 0; /* finito */
4582 expose_port_flush(arg_expose_ports
, exposed
);
4584 (void) remove_veth_links(veth_name
, arg_network_veth_extra
);
4585 *veth_created
= false;
4586 return 1; /* loop again */
4589 static int initialize_rlimits(void) {
4590 /* The default resource limits the kernel passes to PID 1, as per kernel 4.16. Let's pass our container payload
4591 * the same values as the kernel originally passed to PID 1, in order to minimize differences between host and
4592 * container execution environments. */
4594 static const struct rlimit kernel_defaults
[_RLIMIT_MAX
] = {
4595 [RLIMIT_AS
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4596 [RLIMIT_CORE
] = { 0, RLIM_INFINITY
},
4597 [RLIMIT_CPU
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4598 [RLIMIT_DATA
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4599 [RLIMIT_FSIZE
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4600 [RLIMIT_LOCKS
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4601 [RLIMIT_MEMLOCK
] = { 65536, 65536 },
4602 [RLIMIT_MSGQUEUE
] = { 819200, 819200 },
4603 [RLIMIT_NICE
] = { 0, 0 },
4604 [RLIMIT_NOFILE
] = { 1024, 4096 },
4605 [RLIMIT_RSS
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4606 [RLIMIT_RTPRIO
] = { 0, 0 },
4607 [RLIMIT_RTTIME
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4608 [RLIMIT_STACK
] = { 8388608, RLIM_INFINITY
},
4610 /* The kernel scales the default for RLIMIT_NPROC and RLIMIT_SIGPENDING based on the system's amount of
4611 * RAM. To provide best compatibility we'll read these limits off PID 1 instead of hardcoding them
4612 * here. This is safe as we know that PID 1 doesn't change these two limits and thus the original
4613 * kernel's initialization should still be valid during runtime — at least if PID 1 is systemd. Note
4614 * that PID 1 changes a number of other resource limits during early initialization which is why we
4615 * don't read the other limits from PID 1 but prefer the static table above. */
4620 for (rl
= 0; rl
< _RLIMIT_MAX
; rl
++) {
4621 /* Let's only fill in what the user hasn't explicitly configured anyway */
4622 if ((arg_settings_mask
& (SETTING_RLIMIT_FIRST
<< rl
)) == 0) {
4623 const struct rlimit
*v
;
4624 struct rlimit buffer
;
4626 if (IN_SET(rl
, RLIMIT_NPROC
, RLIMIT_SIGPENDING
)) {
4627 /* For these two let's read the limits off PID 1. See above for an explanation. */
4629 if (prlimit(1, rl
, NULL
, &buffer
) < 0)
4630 return log_error_errno(errno
, "Failed to read resource limit RLIMIT_%s of PID 1: %m", rlimit_to_string(rl
));
4634 v
= kernel_defaults
+ rl
;
4636 arg_rlimit
[rl
] = newdup(struct rlimit
, v
, 1);
4637 if (!arg_rlimit
[rl
])
4641 if (DEBUG_LOGGING
) {
4642 _cleanup_free_
char *k
= NULL
;
4644 (void) rlimit_format(arg_rlimit
[rl
], &k
);
4645 log_debug("Setting RLIMIT_%s to %s.", rlimit_to_string(rl
), k
);
4652 static int run(int argc
, char *argv
[]) {
4653 _cleanup_free_
char *console
= NULL
;
4654 _cleanup_close_
int master
= -1;
4655 _cleanup_fdset_free_ FDSet
*fds
= NULL
;
4656 int r
, n_fd_passed
, ret
= EXIT_SUCCESS
;
4657 char veth_name
[IFNAMSIZ
] = "";
4658 bool secondary
= false, remove_directory
= false, remove_image
= false;
4660 union in_addr_union exposed
= {};
4661 _cleanup_(release_lock_file
) LockFile tree_global_lock
= LOCK_FILE_INIT
, tree_local_lock
= LOCK_FILE_INIT
;
4662 bool veth_created
= false, remove_tmprootdir
= false;
4663 char tmprootdir
[] = "/tmp/nspawn-root-XXXXXX";
4664 _cleanup_(loop_device_unrefp
) LoopDevice
*loop
= NULL
;
4665 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
4666 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
4668 log_parse_environment();
4671 r
= parse_argv(argc
, argv
);
4679 r
= initialize_rlimits();
4683 r
= load_oci_bundle();
4687 r
= determine_names();
4691 r
= load_settings();
4695 r
= cg_unified_flush();
4697 log_error_errno(r
, "Failed to determine whether the unified cgroups hierarchy is used: %m");
4701 r
= verify_arguments();
4705 r
= detect_unified_cgroup_hierarchy_from_environment();
4709 /* Ignore SIGPIPE here, because we use splice() on the ptyfwd stuff and that will generate SIGPIPE if
4710 * the result is closed. Note that the container payload child will reset signal mask+handler anyway,
4711 * so just turning this off here means we only turn it off in nspawn itself, not any children. */
4712 (void) ignore_signals(SIGPIPE
, -1);
4714 n_fd_passed
= sd_listen_fds(false);
4715 if (n_fd_passed
> 0) {
4716 r
= fdset_new_listen_fds(&fds
, false);
4718 log_error_errno(r
, "Failed to collect file descriptors: %m");
4723 /* The "default" umask. This is appropriate for most file and directory
4724 * operations performed by nspawn, and is the umask that will be used for
4725 * the child. Functions like copy_devnodes() change the umask temporarily. */
4728 if (arg_directory
) {
4731 if (path_equal(arg_directory
, "/") && !arg_ephemeral
) {
4732 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
4737 if (arg_ephemeral
) {
4738 _cleanup_free_
char *np
= NULL
;
4740 r
= chase_symlinks_and_update(&arg_directory
, 0);
4744 /* If the specified path is a mount point we
4745 * generate the new snapshot immediately
4746 * inside it under a random name. However if
4747 * the specified is not a mount point we
4748 * create the new snapshot in the parent
4749 * directory, just next to it. */
4750 r
= path_is_mount_point(arg_directory
, NULL
, 0);
4752 log_error_errno(r
, "Failed to determine whether directory %s is mount point: %m", arg_directory
);
4756 r
= tempfn_random_child(arg_directory
, "machine.", &np
);
4758 r
= tempfn_random(arg_directory
, "machine.", &np
);
4760 log_error_errno(r
, "Failed to generate name for directory snapshot: %m");
4764 r
= image_path_lock(np
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4766 log_error_errno(r
, "Failed to lock %s: %m", np
);
4770 r
= btrfs_subvol_snapshot(arg_directory
, np
,
4771 (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) |
4772 BTRFS_SNAPSHOT_FALLBACK_COPY
|
4773 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY
|
4774 BTRFS_SNAPSHOT_RECURSIVE
|
4775 BTRFS_SNAPSHOT_QUOTA
);
4777 log_error_errno(r
, "Failed to create snapshot %s from %s: %m", np
, arg_directory
);
4781 free_and_replace(arg_directory
, np
);
4783 remove_directory
= true;
4786 r
= chase_symlinks_and_update(&arg_directory
, arg_template
? CHASE_NONEXISTENT
: 0);
4790 r
= image_path_lock(arg_directory
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4792 log_error_errno(r
, "Directory tree %s is currently busy.", arg_directory
);
4796 log_error_errno(r
, "Failed to lock %s: %m", arg_directory
);
4801 r
= chase_symlinks_and_update(&arg_template
, 0);
4805 r
= btrfs_subvol_snapshot(arg_template
, arg_directory
,
4806 (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) |
4807 BTRFS_SNAPSHOT_FALLBACK_COPY
|
4808 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY
|
4809 BTRFS_SNAPSHOT_FALLBACK_IMMUTABLE
|
4810 BTRFS_SNAPSHOT_RECURSIVE
|
4811 BTRFS_SNAPSHOT_QUOTA
);
4813 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
,
4814 "Directory %s already exists, not populating from template %s.", arg_directory
, arg_template
);
4816 log_error_errno(r
, "Couldn't create snapshot %s from %s: %m", arg_directory
, arg_template
);
4819 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
,
4820 "Populated %s from template %s.", arg_directory
, arg_template
);
4824 if (arg_start_mode
== START_BOOT
) {
4827 if (arg_pivot_root_new
)
4828 p
= prefix_roota(arg_directory
, arg_pivot_root_new
);
4832 if (path_is_os_tree(p
) <= 0) {
4833 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", p
);
4840 if (arg_pivot_root_new
)
4841 p
= prefix_roota(arg_directory
, arg_pivot_root_new
);
4845 q
= strjoina(p
, "/usr/");
4847 if (laccess(q
, F_OK
) < 0) {
4848 log_error("Directory %s doesn't look like it has an OS tree. Refusing.", p
);
4856 assert(!arg_template
);
4858 r
= chase_symlinks_and_update(&arg_image
, 0);
4862 if (arg_ephemeral
) {
4863 _cleanup_free_
char *np
= NULL
;
4865 r
= tempfn_random(arg_image
, "machine.", &np
);
4867 log_error_errno(r
, "Failed to generate name for image snapshot: %m");
4871 r
= image_path_lock(np
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4873 r
= log_error_errno(r
, "Failed to create image lock: %m");
4877 r
= copy_file(arg_image
, np
, O_EXCL
, arg_read_only
? 0400 : 0600, FS_NOCOW_FL
, COPY_REFLINK
|COPY_CRTIME
);
4879 r
= log_error_errno(r
, "Failed to copy image file: %m");
4883 free_and_replace(arg_image
, np
);
4885 remove_image
= true;
4887 r
= image_path_lock(arg_image
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4889 r
= log_error_errno(r
, "Disk image %s is currently busy.", arg_image
);
4893 r
= log_error_errno(r
, "Failed to create image lock: %m");
4897 if (!arg_root_hash
) {
4898 r
= root_hash_load(arg_image
, &arg_root_hash
, &arg_root_hash_size
);
4900 log_error_errno(r
, "Failed to load root hash file for %s: %m", arg_image
);
4906 if (!mkdtemp(tmprootdir
)) {
4907 r
= log_error_errno(errno
, "Failed to create temporary directory: %m");
4911 remove_tmprootdir
= true;
4913 arg_directory
= strdup(tmprootdir
);
4914 if (!arg_directory
) {
4919 r
= loop_device_make_by_path(arg_image
, arg_read_only
? O_RDONLY
: O_RDWR
, &loop
);
4921 log_error_errno(r
, "Failed to set up loopback block device: %m");
4925 r
= dissect_image_and_warn(
4928 arg_root_hash
, arg_root_hash_size
,
4929 DISSECT_IMAGE_REQUIRE_ROOT
,
4932 /* dissected_image_and_warn() already printed a brief error message. Extend on that with more details */
4933 log_notice("Note that the disk image needs to\n"
4934 " a) either contain only a single MBR partition of type 0x83 that is marked bootable\n"
4935 " b) or contain a single GPT partition of type 0FC63DAF-8483-4772-8E79-3D69D8477DE4\n"
4936 " c) or follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n"
4937 " d) or contain a file system without a partition table\n"
4938 "in order to be bootable with systemd-nspawn.");
4944 if (!arg_root_hash
&& dissected_image
->can_verity
)
4945 log_notice("Note: image %s contains verity information, but no root hash specified! Proceeding without integrity checking.", arg_image
);
4947 r
= dissected_image_decrypt_interactively(dissected_image
, NULL
, arg_root_hash
, arg_root_hash_size
, 0, &decrypted_image
);
4951 /* Now that we mounted the image, let's try to remove it again, if it is ephemeral */
4952 if (remove_image
&& unlink(arg_image
) >= 0)
4953 remove_image
= false;
4956 r
= custom_mount_prepare_all(arg_directory
, arg_custom_mounts
, arg_n_custom_mounts
);
4960 if (arg_console_mode
< 0)
4962 isatty(STDIN_FILENO
) > 0 &&
4963 isatty(STDOUT_FILENO
) > 0 ? CONSOLE_INTERACTIVE
: CONSOLE_READ_ONLY
;
4965 if (arg_console_mode
== CONSOLE_PIPE
) /* if we pass STDERR on to the container, don't add our own logs into it too */
4968 if (arg_console_mode
!= CONSOLE_PIPE
) {
4969 master
= posix_openpt(O_RDWR
|O_NOCTTY
|O_CLOEXEC
|O_NONBLOCK
);
4971 r
= log_error_errno(errno
, "Failed to acquire pseudo tty: %m");
4975 r
= ptsname_malloc(master
, &console
);
4977 r
= log_error_errno(r
, "Failed to determine tty name: %m");
4981 if (arg_selinux_apifs_context
) {
4982 r
= mac_selinux_apply(console
, arg_selinux_apifs_context
);
4987 if (unlockpt(master
) < 0) {
4988 r
= log_error_errno(errno
, "Failed to unlock tty: %m");
4994 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
4995 arg_machine
, arg_image
?: arg_directory
);
4997 assert_se(sigprocmask_many(SIG_BLOCK
, NULL
, SIGCHLD
, SIGWINCH
, SIGTERM
, SIGINT
, -1) >= 0);
4999 if (prctl(PR_SET_CHILD_SUBREAPER
, 1, 0, 0, 0) < 0) {
5000 r
= log_error_errno(errno
, "Failed to become subreaper: %m");
5005 r
= run_container(master
,
5010 veth_name
, &veth_created
,
5018 (void) sd_notify(false,
5019 r
== 0 && ret
== EXIT_FORCE_RESTART
? "STOPPING=1\nSTATUS=Restarting..." :
5020 "STOPPING=1\nSTATUS=Terminating...");
5023 (void) kill(pid
, SIGKILL
);
5025 /* Try to flush whatever is still queued in the pty */
5027 (void) copy_bytes(master
, STDOUT_FILENO
, (uint64_t) -1, 0);
5028 master
= safe_close(master
);
5032 (void) wait_for_terminate(pid
, NULL
);
5036 if (remove_directory
&& arg_directory
) {
5039 k
= rm_rf(arg_directory
, REMOVE_ROOT
|REMOVE_PHYSICAL
|REMOVE_SUBVOLUME
);
5041 log_warning_errno(k
, "Cannot remove '%s', ignoring: %m", arg_directory
);
5044 if (remove_image
&& arg_image
) {
5045 if (unlink(arg_image
) < 0)
5046 log_warning_errno(errno
, "Can't remove image file '%s', ignoring: %m", arg_image
);
5049 if (remove_tmprootdir
) {
5050 if (rmdir(tmprootdir
) < 0)
5051 log_debug_errno(errno
, "Can't remove temporary root directory '%s', ignoring: %m", tmprootdir
);
5057 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
5058 (void) rm_rf(p
, REMOVE_ROOT
);
5061 expose_port_flush(arg_expose_ports
, &exposed
);
5064 (void) remove_veth_links(veth_name
, arg_network_veth_extra
);
5065 (void) remove_bridge(arg_network_zone
);
5067 custom_mount_free_all(arg_custom_mounts
, arg_n_custom_mounts
);
5068 expose_port_free_all(arg_expose_ports
);
5069 rlimit_free_all(arg_rlimit
);
5070 device_node_array_free(arg_extra_nodes
, arg_n_extra_nodes
);
5078 DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run
);