1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/mount.h>
31 #include <sys/prctl.h>
35 #include <sys/socket.h>
36 #include <linux/netlink.h>
38 #include <linux/veth.h>
39 #include <sys/personality.h>
40 #include <linux/loop.h>
44 #include <selinux/selinux.h>
52 #include <blkid/blkid.h>
55 #include "sd-daemon.h"
65 #include "cgroup-util.h"
67 #include "path-util.h"
68 #include "loopback-setup.h"
69 #include "dev-setup.h"
74 #include "bus-error.h"
77 #include "rtnl-util.h"
78 #include "udev-util.h"
79 #include "blkid-util.h"
81 #include "siphash24.h"
83 #include "base-filesystem.h"
85 #include "event-util.h"
86 #include "capability.h"
88 #include "btrfs-util.h"
89 #include "machine-image.h"
91 #include "in-addr-util.h"
93 #include "local-addresses.h"
96 #include "seccomp-util.h"
99 typedef struct ExposePort
{
102 uint16_t container_port
;
103 LIST_FIELDS(struct ExposePort
, ports
);
106 typedef enum ContainerStatus
{
107 CONTAINER_TERMINATED
,
111 typedef enum LinkJournal
{
118 typedef enum Volatile
{
124 static char *arg_directory
= NULL
;
125 static char *arg_template
= NULL
;
126 static char *arg_user
= NULL
;
127 static sd_id128_t arg_uuid
= {};
128 static char *arg_machine
= NULL
;
129 static const char *arg_selinux_context
= NULL
;
130 static const char *arg_selinux_apifs_context
= NULL
;
131 static const char *arg_slice
= NULL
;
132 static bool arg_private_network
= false;
133 static bool arg_read_only
= false;
134 static bool arg_boot
= false;
135 static bool arg_ephemeral
= false;
136 static LinkJournal arg_link_journal
= LINK_AUTO
;
137 static bool arg_link_journal_try
= false;
138 static uint64_t arg_retain
=
139 (1ULL << CAP_CHOWN
) |
140 (1ULL << CAP_DAC_OVERRIDE
) |
141 (1ULL << CAP_DAC_READ_SEARCH
) |
142 (1ULL << CAP_FOWNER
) |
143 (1ULL << CAP_FSETID
) |
144 (1ULL << CAP_IPC_OWNER
) |
146 (1ULL << CAP_LEASE
) |
147 (1ULL << CAP_LINUX_IMMUTABLE
) |
148 (1ULL << CAP_NET_BIND_SERVICE
) |
149 (1ULL << CAP_NET_BROADCAST
) |
150 (1ULL << CAP_NET_RAW
) |
151 (1ULL << CAP_SETGID
) |
152 (1ULL << CAP_SETFCAP
) |
153 (1ULL << CAP_SETPCAP
) |
154 (1ULL << CAP_SETUID
) |
155 (1ULL << CAP_SYS_ADMIN
) |
156 (1ULL << CAP_SYS_CHROOT
) |
157 (1ULL << CAP_SYS_NICE
) |
158 (1ULL << CAP_SYS_PTRACE
) |
159 (1ULL << CAP_SYS_TTY_CONFIG
) |
160 (1ULL << CAP_SYS_RESOURCE
) |
161 (1ULL << CAP_SYS_BOOT
) |
162 (1ULL << CAP_AUDIT_WRITE
) |
163 (1ULL << CAP_AUDIT_CONTROL
) |
165 static char **arg_bind
= NULL
;
166 static char **arg_bind_ro
= NULL
;
167 static char **arg_tmpfs
= NULL
;
168 static char **arg_setenv
= NULL
;
169 static bool arg_quiet
= false;
170 static bool arg_share_system
= false;
171 static bool arg_register
= true;
172 static bool arg_keep_unit
= false;
173 static char **arg_network_interfaces
= NULL
;
174 static char **arg_network_macvlan
= NULL
;
175 static char **arg_network_ipvlan
= NULL
;
176 static bool arg_network_veth
= false;
177 static const char *arg_network_bridge
= NULL
;
178 static unsigned long arg_personality
= 0xffffffffLU
;
179 static char *arg_image
= NULL
;
180 static Volatile arg_volatile
= VOLATILE_NO
;
181 static ExposePort
*arg_expose_ports
= NULL
;
182 static char **arg_property
= NULL
;
183 static uid_t arg_uid_shift
= UID_INVALID
, arg_uid_range
= 0x10000U
;
184 static bool arg_userns
= false;
185 static int arg_kill_signal
= 0;
187 static void help(void) {
188 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
189 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
190 " -h --help Show this help\n"
191 " --version Print version string\n"
192 " -q --quiet Do not show status information\n"
193 " -D --directory=PATH Root directory for the container\n"
194 " --template=PATH Initialize root directory from template directory,\n"
196 " -x --ephemeral Run container with snapshot of root directory, and\n"
197 " remove it after exit\n"
198 " -i --image=PATH File system device or disk image for the container\n"
199 " -b --boot Boot up full system (i.e. invoke init)\n"
200 " -u --user=USER Run the command under specified user or uid\n"
201 " -M --machine=NAME Set the machine name for the container\n"
202 " --uuid=UUID Set a specific machine UUID for the container\n"
203 " -S --slice=SLICE Place the container in the specified slice\n"
204 " --property=NAME=VALUE Set scope unit property\n"
205 " --private-network Disable network in container\n"
206 " --network-interface=INTERFACE\n"
207 " Assign an existing network interface to the\n"
209 " --network-macvlan=INTERFACE\n"
210 " Create a macvlan network interface based on an\n"
211 " existing network interface to the container\n"
212 " --network-ipvlan=INTERFACE\n"
213 " Create a ipvlan network interface based on an\n"
214 " existing network interface to the container\n"
215 " -n --network-veth Add a virtual ethernet connection between host\n"
217 " --network-bridge=INTERFACE\n"
218 " Add a virtual ethernet connection between host\n"
219 " and container and add it to an existing bridge on\n"
221 " --private-users[=UIDBASE[:NUIDS]]\n"
222 " Run within user namespace\n"
223 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
224 " Expose a container IP port on the host\n"
225 " -Z --selinux-context=SECLABEL\n"
226 " Set the SELinux security context to be used by\n"
227 " processes in the container\n"
228 " -L --selinux-apifs-context=SECLABEL\n"
229 " Set the SELinux security context to be used by\n"
230 " API/tmpfs file systems in the container\n"
231 " --capability=CAP In addition to the default, retain specified\n"
233 " --drop-capability=CAP Drop the specified capability from the default set\n"
234 " --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
235 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host,\n"
236 " try-guest, try-host\n"
237 " -j Equivalent to --link-journal=try-guest\n"
238 " --read-only Mount the root directory read-only\n"
239 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
241 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
242 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
243 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
244 " --share-system Share system namespaces with host\n"
245 " --register=BOOLEAN Register container as machine\n"
246 " --keep-unit Do not register a scope for the machine, reuse\n"
247 " the service unit nspawn is running in\n"
248 " --volatile[=MODE] Run the system in volatile mode\n"
249 , program_invocation_short_name
);
252 static int set_sanitized_path(char **b
, const char *path
) {
258 p
= canonicalize_file_name(path
);
263 p
= path_make_absolute_cwd(path
);
269 *b
= path_kill_slashes(p
);
273 static int parse_argv(int argc
, char *argv
[]) {
290 ARG_NETWORK_INTERFACE
,
302 static const struct option options
[] = {
303 { "help", no_argument
, NULL
, 'h' },
304 { "version", no_argument
, NULL
, ARG_VERSION
},
305 { "directory", required_argument
, NULL
, 'D' },
306 { "template", required_argument
, NULL
, ARG_TEMPLATE
},
307 { "ephemeral", no_argument
, NULL
, 'x' },
308 { "user", required_argument
, NULL
, 'u' },
309 { "private-network", no_argument
, NULL
, ARG_PRIVATE_NETWORK
},
310 { "boot", no_argument
, NULL
, 'b' },
311 { "uuid", required_argument
, NULL
, ARG_UUID
},
312 { "read-only", no_argument
, NULL
, ARG_READ_ONLY
},
313 { "capability", required_argument
, NULL
, ARG_CAPABILITY
},
314 { "drop-capability", required_argument
, NULL
, ARG_DROP_CAPABILITY
},
315 { "link-journal", required_argument
, NULL
, ARG_LINK_JOURNAL
},
316 { "bind", required_argument
, NULL
, ARG_BIND
},
317 { "bind-ro", required_argument
, NULL
, ARG_BIND_RO
},
318 { "tmpfs", required_argument
, NULL
, ARG_TMPFS
},
319 { "machine", required_argument
, NULL
, 'M' },
320 { "slice", required_argument
, NULL
, 'S' },
321 { "setenv", required_argument
, NULL
, ARG_SETENV
},
322 { "selinux-context", required_argument
, NULL
, 'Z' },
323 { "selinux-apifs-context", required_argument
, NULL
, 'L' },
324 { "quiet", no_argument
, NULL
, 'q' },
325 { "share-system", no_argument
, NULL
, ARG_SHARE_SYSTEM
},
326 { "register", required_argument
, NULL
, ARG_REGISTER
},
327 { "keep-unit", no_argument
, NULL
, ARG_KEEP_UNIT
},
328 { "network-interface", required_argument
, NULL
, ARG_NETWORK_INTERFACE
},
329 { "network-macvlan", required_argument
, NULL
, ARG_NETWORK_MACVLAN
},
330 { "network-ipvlan", required_argument
, NULL
, ARG_NETWORK_IPVLAN
},
331 { "network-veth", no_argument
, NULL
, 'n' },
332 { "network-bridge", required_argument
, NULL
, ARG_NETWORK_BRIDGE
},
333 { "personality", required_argument
, NULL
, ARG_PERSONALITY
},
334 { "image", required_argument
, NULL
, 'i' },
335 { "volatile", optional_argument
, NULL
, ARG_VOLATILE
},
336 { "port", required_argument
, NULL
, 'p' },
337 { "property", required_argument
, NULL
, ARG_PROPERTY
},
338 { "private-users", optional_argument
, NULL
, ARG_PRIVATE_USERS
},
339 { "kill-signal", required_argument
, NULL
, ARG_KILL_SIGNAL
},
344 uint64_t plus
= 0, minus
= 0;
349 while ((c
= getopt_long(argc
, argv
, "+hD:u:bL:M:jS:Z:qi:xp:n", options
, NULL
)) >= 0)
358 puts(PACKAGE_STRING
);
359 puts(SYSTEMD_FEATURES
);
363 r
= set_sanitized_path(&arg_directory
, optarg
);
365 return log_error_errno(r
, "Invalid root directory: %m");
370 r
= set_sanitized_path(&arg_template
, optarg
);
372 return log_error_errno(r
, "Invalid template directory: %m");
377 r
= set_sanitized_path(&arg_image
, optarg
);
379 return log_error_errno(r
, "Invalid image path: %m");
384 arg_ephemeral
= true;
389 arg_user
= strdup(optarg
);
395 case ARG_NETWORK_BRIDGE
:
396 arg_network_bridge
= optarg
;
401 arg_network_veth
= true;
402 arg_private_network
= true;
405 case ARG_NETWORK_INTERFACE
:
406 if (strv_extend(&arg_network_interfaces
, optarg
) < 0)
409 arg_private_network
= true;
412 case ARG_NETWORK_MACVLAN
:
413 if (strv_extend(&arg_network_macvlan
, optarg
) < 0)
416 arg_private_network
= true;
419 case ARG_NETWORK_IPVLAN
:
420 if (strv_extend(&arg_network_ipvlan
, optarg
) < 0)
425 case ARG_PRIVATE_NETWORK
:
426 arg_private_network
= true;
434 r
= sd_id128_from_string(optarg
, &arg_uuid
);
436 log_error("Invalid UUID: %s", optarg
);
446 if (isempty(optarg
)) {
450 if (!machine_name_is_valid(optarg
)) {
451 log_error("Invalid machine name: %s", optarg
);
455 r
= free_and_strdup(&arg_machine
, optarg
);
463 arg_selinux_context
= optarg
;
467 arg_selinux_apifs_context
= optarg
;
471 arg_read_only
= true;
475 case ARG_DROP_CAPABILITY
: {
476 const char *state
, *word
;
479 FOREACH_WORD_SEPARATOR(word
, length
, optarg
, ",", state
) {
480 _cleanup_free_
char *t
;
482 t
= strndup(word
, length
);
486 if (streq(t
, "all")) {
487 if (c
== ARG_CAPABILITY
)
488 plus
= (uint64_t) -1;
490 minus
= (uint64_t) -1;
494 cap
= capability_from_name(t
);
496 log_error("Failed to parse capability %s.", t
);
500 if (c
== ARG_CAPABILITY
)
501 plus
|= 1ULL << (uint64_t) cap
;
503 minus
|= 1ULL << (uint64_t) cap
;
511 arg_link_journal
= LINK_GUEST
;
512 arg_link_journal_try
= true;
515 case ARG_LINK_JOURNAL
:
516 if (streq(optarg
, "auto")) {
517 arg_link_journal
= LINK_AUTO
;
518 arg_link_journal_try
= false;
519 } else if (streq(optarg
, "no")) {
520 arg_link_journal
= LINK_NO
;
521 arg_link_journal_try
= false;
522 } else if (streq(optarg
, "guest")) {
523 arg_link_journal
= LINK_GUEST
;
524 arg_link_journal_try
= false;
525 } else if (streq(optarg
, "host")) {
526 arg_link_journal
= LINK_HOST
;
527 arg_link_journal_try
= false;
528 } else if (streq(optarg
, "try-guest")) {
529 arg_link_journal
= LINK_GUEST
;
530 arg_link_journal_try
= true;
531 } else if (streq(optarg
, "try-host")) {
532 arg_link_journal
= LINK_HOST
;
533 arg_link_journal_try
= true;
535 log_error("Failed to parse link journal mode %s", optarg
);
543 _cleanup_free_
char *a
= NULL
, *b
= NULL
;
547 x
= c
== ARG_BIND
? &arg_bind
: &arg_bind_ro
;
549 e
= strchr(optarg
, ':');
551 a
= strndup(optarg
, e
- optarg
);
561 if (!path_is_absolute(a
) || !path_is_absolute(b
)) {
562 log_error("Invalid bind mount specification: %s", optarg
);
566 r
= strv_extend(x
, a
);
570 r
= strv_extend(x
, b
);
578 _cleanup_free_
char *a
= NULL
, *b
= NULL
;
581 e
= strchr(optarg
, ':');
583 a
= strndup(optarg
, e
- optarg
);
587 b
= strdup("mode=0755");
593 if (!path_is_absolute(a
)) {
594 log_error("Invalid tmpfs specification: %s", optarg
);
598 r
= strv_push(&arg_tmpfs
, a
);
604 r
= strv_push(&arg_tmpfs
, b
);
616 if (!env_assignment_is_valid(optarg
)) {
617 log_error("Environment variable assignment '%s' is not valid.", optarg
);
621 n
= strv_env_set(arg_setenv
, optarg
);
625 strv_free(arg_setenv
);
634 case ARG_SHARE_SYSTEM
:
635 arg_share_system
= true;
639 r
= parse_boolean(optarg
);
641 log_error("Failed to parse --register= argument: %s", optarg
);
649 arg_keep_unit
= true;
652 case ARG_PERSONALITY
:
654 arg_personality
= personality_from_string(optarg
);
655 if (arg_personality
== 0xffffffffLU
) {
656 log_error("Unknown or unsupported personality '%s'.", optarg
);
665 arg_volatile
= VOLATILE_YES
;
667 r
= parse_boolean(optarg
);
669 if (streq(optarg
, "state"))
670 arg_volatile
= VOLATILE_STATE
;
672 log_error("Failed to parse --volatile= argument: %s", optarg
);
676 arg_volatile
= r
? VOLATILE_YES
: VOLATILE_NO
;
682 const char *split
, *e
;
683 uint16_t container_port
, host_port
;
687 if ((e
= startswith(optarg
, "tcp:")))
688 protocol
= IPPROTO_TCP
;
689 else if ((e
= startswith(optarg
, "udp:")))
690 protocol
= IPPROTO_UDP
;
693 protocol
= IPPROTO_TCP
;
696 split
= strchr(e
, ':');
698 char v
[split
- e
+ 1];
700 memcpy(v
, e
, split
- e
);
703 r
= safe_atou16(v
, &host_port
);
704 if (r
< 0 || host_port
<= 0) {
705 log_error("Failed to parse host port: %s", optarg
);
709 r
= safe_atou16(split
+ 1, &container_port
);
711 r
= safe_atou16(e
, &container_port
);
712 host_port
= container_port
;
715 if (r
< 0 || container_port
<= 0) {
716 log_error("Failed to parse host port: %s", optarg
);
720 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
721 if (p
->protocol
== protocol
&& p
->host_port
== host_port
) {
722 log_error("Duplicate port specification: %s", optarg
);
727 p
= new(ExposePort
, 1);
731 p
->protocol
= protocol
;
732 p
->host_port
= host_port
;
733 p
->container_port
= container_port
;
735 LIST_PREPEND(ports
, arg_expose_ports
, p
);
741 if (strv_extend(&arg_property
, optarg
) < 0)
746 case ARG_PRIVATE_USERS
:
748 _cleanup_free_
char *buffer
= NULL
;
749 const char *range
, *shift
;
751 range
= strchr(optarg
, ':');
753 buffer
= strndup(optarg
, range
- optarg
);
759 if (safe_atou32(range
, &arg_uid_range
) < 0 || arg_uid_range
<= 0) {
760 log_error("Failed to parse UID range: %s", range
);
766 if (parse_uid(shift
, &arg_uid_shift
) < 0) {
767 log_error("Failed to parse UID: %s", optarg
);
775 case ARG_KILL_SIGNAL
:
776 arg_kill_signal
= signal_from_string_try_harder(optarg
);
777 if (arg_kill_signal
< 0) {
778 log_error("Cannot parse signal: %s", optarg
);
788 assert_not_reached("Unhandled option");
791 if (arg_share_system
)
792 arg_register
= false;
794 if (arg_boot
&& arg_share_system
) {
795 log_error("--boot and --share-system may not be combined.");
799 if (arg_keep_unit
&& cg_pid_get_owner_uid(0, NULL
) >= 0) {
800 log_error("--keep-unit may not be used when invoked from a user session.");
804 if (arg_directory
&& arg_image
) {
805 log_error("--directory= and --image= may not be combined.");
809 if (arg_template
&& arg_image
) {
810 log_error("--template= and --image= may not be combined.");
814 if (arg_template
&& !(arg_directory
|| arg_machine
)) {
815 log_error("--template= needs --directory= or --machine=.");
819 if (arg_ephemeral
&& arg_template
) {
820 log_error("--ephemeral and --template= may not be combined.");
824 if (arg_ephemeral
&& arg_image
) {
825 log_error("--ephemeral and --image= may not be combined.");
829 if (arg_ephemeral
&& !IN_SET(arg_link_journal
, LINK_NO
, LINK_AUTO
)) {
830 log_error("--ephemeral and --link-journal= may not be combined.");
834 if (arg_volatile
!= VOLATILE_NO
&& arg_read_only
) {
835 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
839 if (arg_expose_ports
&& !arg_private_network
) {
840 log_error("Cannot use --port= without private networking.");
844 arg_retain
= (arg_retain
| plus
| (arg_private_network
? 1ULL << CAP_NET_ADMIN
: 0)) & ~minus
;
846 if (arg_boot
&& arg_kill_signal
<= 0)
847 arg_kill_signal
= SIGRTMIN
+3;
852 static int mount_all(const char *dest
) {
854 typedef struct MountPoint
{
863 static const MountPoint mount_table
[] = {
864 { "proc", "/proc", "proc", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, true },
865 { "/proc/sys", "/proc/sys", NULL
, NULL
, MS_BIND
, true }, /* Bind mount first */
866 { NULL
, "/proc/sys", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_REMOUNT
, true }, /* Then, make it r/o */
867 { "sysfs", "/sys", "sysfs", NULL
, MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, true },
868 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID
|MS_STRICTATIME
, true },
869 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID
), MS_NOSUID
|MS_NOEXEC
, true },
870 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
, true },
871 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
, true },
872 { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME
, true },
874 { "/sys/fs/selinux", "/sys/fs/selinux", NULL
, NULL
, MS_BIND
, false }, /* Bind mount first */
875 { NULL
, "/sys/fs/selinux", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_REMOUNT
, false }, /* Then, make it r/o */
882 for (k
= 0; k
< ELEMENTSOF(mount_table
); k
++) {
883 _cleanup_free_
char *where
= NULL
, *options
= NULL
;
887 where
= strjoin(dest
, "/", mount_table
[k
].where
, NULL
);
891 t
= path_is_mount_point(where
, true);
893 log_error_errno(t
, "Failed to detect whether %s is a mount point: %m", where
);
901 /* Skip this entry if it is not a remount. */
902 if (mount_table
[k
].what
&& t
> 0)
905 t
= mkdir_p(where
, 0755);
907 if (mount_table
[k
].fatal
) {
908 log_error_errno(t
, "Failed to create directory %s: %m", where
);
913 log_warning_errno(t
, "Failed to create directory %s: %m", where
);
919 if (arg_selinux_apifs_context
&&
920 (streq_ptr(mount_table
[k
].what
, "tmpfs") || streq_ptr(mount_table
[k
].what
, "devpts"))) {
921 options
= strjoin(mount_table
[k
].options
, ",context=\"", arg_selinux_apifs_context
, "\"", NULL
);
928 o
= mount_table
[k
].options
;
930 if (arg_userns
&& arg_uid_shift
!= UID_INVALID
&& streq_ptr(mount_table
[k
].type
, "tmpfs")) {
931 char *uid_options
= NULL
;
934 asprintf(&uid_options
, "%s,uid=" UID_FMT
",gid=" UID_FMT
, o
, arg_uid_shift
, arg_uid_shift
);
936 asprintf(&uid_options
, "uid=" UID_FMT
",gid=" UID_FMT
, arg_uid_shift
, arg_uid_shift
);
941 o
= options
= uid_options
;
944 if (mount(mount_table
[k
].what
,
947 mount_table
[k
].flags
,
950 if (mount_table
[k
].fatal
) {
951 log_error_errno(errno
, "mount(%s) failed: %m", where
);
956 log_warning_errno(errno
, "mount(%s) failed: %m", where
);
963 static int mount_binds(const char *dest
, char **l
, bool ro
) {
966 STRV_FOREACH_PAIR(x
, y
, l
) {
967 _cleanup_free_
char *where
= NULL
;
968 struct stat source_st
, dest_st
;
971 if (stat(*x
, &source_st
) < 0)
972 return log_error_errno(errno
, "Failed to stat %s: %m", *x
);
974 where
= strappend(dest
, *y
);
978 r
= stat(where
, &dest_st
);
980 if (S_ISDIR(source_st
.st_mode
) && !S_ISDIR(dest_st
.st_mode
)) {
981 log_error("Cannot bind mount directory %s on file %s.", *x
, where
);
984 if (!S_ISDIR(source_st
.st_mode
) && S_ISDIR(dest_st
.st_mode
)) {
985 log_error("Cannot bind mount file %s on directory %s.", *x
, where
);
988 } else if (errno
== ENOENT
) {
989 r
= mkdir_parents_label(where
, 0755);
991 return log_error_errno(r
, "Failed to bind mount %s: %m", *x
);
993 log_error_errno(errno
, "Failed to bind mount %s: %m", *x
);
997 /* Create the mount point. Any non-directory file can be
998 * mounted on any non-directory file (regular, fifo, socket,
1001 if (S_ISDIR(source_st
.st_mode
)) {
1002 r
= mkdir_label(where
, 0755);
1003 if (r
< 0 && errno
!= EEXIST
)
1004 return log_error_errno(r
, "Failed to create mount point %s: %m", where
);
1008 return log_error_errno(r
, "Failed to create mount point %s: %m", where
);
1011 if (mount(*x
, where
, NULL
, MS_BIND
, NULL
) < 0)
1012 return log_error_errno(errno
, "mount(%s) failed: %m", where
);
1015 r
= bind_remount_recursive(where
, true);
1017 return log_error_errno(r
, "Read-Only bind mount failed: %m");
1024 static int mount_cgroup_hierarchy(const char *dest
, const char *controller
, const char *hierarchy
, bool read_only
) {
1028 to
= strjoina(dest
, "/sys/fs/cgroup/", hierarchy
);
1030 r
= path_is_mount_point(to
, false);
1032 return log_error_errno(r
, "Failed to determine if %s is mounted already: %m", to
);
1038 /* The superblock mount options of the mount point need to be
1039 * identical to the hosts', and hence writable... */
1040 if (mount("cgroup", to
, "cgroup", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, controller
) < 0)
1041 return log_error_errno(errno
, "Failed to mount to %s: %m", to
);
1043 /* ... hence let's only make the bind mount read-only, not the
1046 if (mount(NULL
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_RDONLY
, NULL
) < 0)
1047 return log_error_errno(errno
, "Failed to remount %s read-only: %m", to
);
1052 static int mount_cgroup(const char *dest
) {
1053 _cleanup_set_free_free_ Set
*controllers
= NULL
;
1054 _cleanup_free_
char *own_cgroup_path
= NULL
;
1055 const char *cgroup_root
, *systemd_root
, *systemd_own
;
1058 controllers
= set_new(&string_hash_ops
);
1062 r
= cg_kernel_controllers(controllers
);
1064 return log_error_errno(r
, "Failed to determine cgroup controllers: %m");
1066 r
= cg_pid_get_path(NULL
, 0, &own_cgroup_path
);
1068 return log_error_errno(r
, "Failed to determine our own cgroup path: %m");
1070 cgroup_root
= strjoina(dest
, "/sys/fs/cgroup");
1071 if (mount("tmpfs", cgroup_root
, "tmpfs", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
, "mode=755") < 0)
1072 return log_error_errno(errno
, "Failed to mount tmpfs to /sys/fs/cgroup: %m");
1075 _cleanup_free_
char *controller
= NULL
, *origin
= NULL
, *combined
= NULL
;
1077 controller
= set_steal_first(controllers
);
1081 origin
= strappend("/sys/fs/cgroup/", controller
);
1085 r
= readlink_malloc(origin
, &combined
);
1087 /* Not a symbolic link, but directly a single cgroup hierarchy */
1089 r
= mount_cgroup_hierarchy(dest
, controller
, controller
, true);
1094 return log_error_errno(r
, "Failed to read link %s: %m", origin
);
1096 _cleanup_free_
char *target
= NULL
;
1098 target
= strjoin(dest
, "/sys/fs/cgroup/", controller
, NULL
);
1102 /* A symbolic link, a combination of controllers in one hierarchy */
1104 if (!filename_is_valid(combined
)) {
1105 log_warning("Ignoring invalid combined hierarchy %s.", combined
);
1109 r
= mount_cgroup_hierarchy(dest
, combined
, combined
, true);
1113 if (symlink(combined
, target
) < 0)
1114 return log_error_errno(errno
, "Failed to create symlink for combined hierarchy: %m");
1118 r
= mount_cgroup_hierarchy(dest
, "name=systemd,xattr", "systemd", false);
1122 /* Make our own cgroup a (writable) bind mount */
1123 systemd_own
= strjoina(dest
, "/sys/fs/cgroup/systemd", own_cgroup_path
);
1124 if (mount(systemd_own
, systemd_own
, NULL
, MS_BIND
, NULL
) < 0)
1125 return log_error_errno(errno
, "Failed to turn %s into a bind mount: %m", own_cgroup_path
);
1127 /* And then remount the systemd cgroup root read-only */
1128 systemd_root
= strjoina(dest
, "/sys/fs/cgroup/systemd");
1129 if (mount(NULL
, systemd_root
, NULL
, MS_BIND
|MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_RDONLY
, NULL
) < 0)
1130 return log_error_errno(errno
, "Failed to mount cgroup root read-only: %m");
1132 if (mount(NULL
, cgroup_root
, NULL
, MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
|MS_RDONLY
, "mode=755") < 0)
1133 return log_error_errno(errno
, "Failed to remount %s read-only: %m", cgroup_root
);
1138 static int mount_tmpfs(const char *dest
) {
1141 STRV_FOREACH_PAIR(i
, o
, arg_tmpfs
) {
1142 _cleanup_free_
char *where
= NULL
;
1145 where
= strappend(dest
, *i
);
1149 r
= mkdir_label(where
, 0755);
1150 if (r
< 0 && r
!= -EEXIST
)
1151 return log_error_errno(r
, "Creating mount point for tmpfs %s failed: %m", where
);
1153 if (mount("tmpfs", where
, "tmpfs", MS_NODEV
|MS_STRICTATIME
, *o
) < 0)
1154 return log_error_errno(errno
, "tmpfs mount to %s failed: %m", where
);
1160 static int setup_timezone(const char *dest
) {
1161 _cleanup_free_
char *where
= NULL
, *p
= NULL
, *q
= NULL
, *check
= NULL
, *what
= NULL
;
1167 /* Fix the timezone, if possible */
1168 r
= readlink_malloc("/etc/localtime", &p
);
1170 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
1174 z
= path_startswith(p
, "../usr/share/zoneinfo/");
1176 z
= path_startswith(p
, "/usr/share/zoneinfo/");
1178 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1182 where
= strappend(dest
, "/etc/localtime");
1186 r
= readlink_malloc(where
, &q
);
1188 y
= path_startswith(q
, "../usr/share/zoneinfo/");
1190 y
= path_startswith(q
, "/usr/share/zoneinfo/");
1192 /* Already pointing to the right place? Then do nothing .. */
1193 if (y
&& streq(y
, z
))
1197 check
= strjoin(dest
, "/usr/share/zoneinfo/", z
, NULL
);
1201 if (access(check
, F_OK
) < 0) {
1202 log_warning("Timezone %s does not exist in container, not updating container timezone.", z
);
1206 what
= strappend("../usr/share/zoneinfo/", z
);
1210 r
= mkdir_parents(where
, 0755);
1212 log_error_errno(r
, "Failed to create directory for timezone info %s in container: %m", where
);
1218 if (r
< 0 && errno
!= ENOENT
) {
1219 log_error_errno(errno
, "Failed to remove existing timezone info %s in container: %m", where
);
1224 if (symlink(what
, where
) < 0) {
1225 log_error_errno(errno
, "Failed to correct timezone of container: %m");
1232 static int setup_resolv_conf(const char *dest
) {
1233 _cleanup_free_
char *where
= NULL
;
1238 if (arg_private_network
)
1241 /* Fix resolv.conf, if possible */
1242 where
= strappend(dest
, "/etc/resolv.conf");
1246 /* We don't really care for the results of this really. If it
1247 * fails, it fails, but meh... */
1248 r
= mkdir_parents(where
, 0755);
1250 log_warning_errno(r
, "Failed to create parent directory for resolv.conf %s: %m", where
);
1255 r
= copy_file("/etc/resolv.conf", where
, O_TRUNC
|O_NOFOLLOW
, 0644, 0);
1257 log_warning_errno(r
, "Failed to copy /etc/resolv.conf to %s: %m", where
);
1265 static int setup_volatile_state(const char *directory
) {
1271 if (arg_volatile
!= VOLATILE_STATE
)
1274 /* --volatile=state means we simply overmount /var
1275 with a tmpfs, and the rest read-only. */
1277 r
= bind_remount_recursive(directory
, true);
1279 return log_error_errno(r
, "Failed to remount %s read-only: %m", directory
);
1281 p
= strjoina(directory
, "/var");
1283 if (r
< 0 && errno
!= EEXIST
)
1284 return log_error_errno(errno
, "Failed to create %s: %m", directory
);
1286 if (mount("tmpfs", p
, "tmpfs", MS_STRICTATIME
, "mode=755") < 0)
1287 return log_error_errno(errno
, "Failed to mount tmpfs to /var: %m");
1292 static int setup_volatile(const char *directory
) {
1293 bool tmpfs_mounted
= false, bind_mounted
= false;
1294 char template[] = "/tmp/nspawn-volatile-XXXXXX";
1300 if (arg_volatile
!= VOLATILE_YES
)
1303 /* --volatile=yes means we mount a tmpfs to the root dir, and
1304 the original /usr to use inside it, and that read-only. */
1306 if (!mkdtemp(template))
1307 return log_error_errno(errno
, "Failed to create temporary directory: %m");
1309 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME
, "mode=755") < 0) {
1310 log_error_errno(errno
, "Failed to mount tmpfs for root directory: %m");
1315 tmpfs_mounted
= true;
1317 f
= strjoina(directory
, "/usr");
1318 t
= strjoina(template, "/usr");
1321 if (r
< 0 && errno
!= EEXIST
) {
1322 log_error_errno(errno
, "Failed to create %s: %m", t
);
1327 if (mount(f
, t
, NULL
, MS_BIND
|MS_REC
, NULL
) < 0) {
1328 log_error_errno(errno
, "Failed to create /usr bind mount: %m");
1333 bind_mounted
= true;
1335 r
= bind_remount_recursive(t
, true);
1337 log_error_errno(r
, "Failed to remount %s read-only: %m", t
);
1341 if (mount(template, directory
, NULL
, MS_MOVE
, NULL
) < 0) {
1342 log_error_errno(errno
, "Failed to move root mount: %m");
1360 static char* id128_format_as_uuid(sd_id128_t id
, char s
[37]) {
1363 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1364 SD_ID128_FORMAT_VAL(id
));
1369 static int setup_boot_id(const char *dest
) {
1370 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1371 sd_id128_t rnd
= {};
1377 if (arg_share_system
)
1380 /* Generate a new randomized boot ID, so that each boot-up of
1381 * the container gets a new one */
1383 from
= strappend(dest
, "/dev/proc-sys-kernel-random-boot-id");
1384 to
= strappend(dest
, "/proc/sys/kernel/random/boot_id");
1388 r
= sd_id128_randomize(&rnd
);
1390 return log_error_errno(r
, "Failed to generate random boot id: %m");
1392 id128_format_as_uuid(rnd
, as_uuid
);
1394 r
= write_string_file(from
, as_uuid
);
1396 return log_error_errno(r
, "Failed to write boot id: %m");
1398 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0) {
1399 log_error_errno(errno
, "Failed to bind mount boot id: %m");
1401 } else if (mount(from
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
))
1402 log_warning_errno(errno
, "Failed to make boot id read-only: %m");
1408 static int copy_devnodes(const char *dest
) {
1410 static const char devnodes
[] =
1421 _cleanup_umask_ mode_t u
;
1427 NULSTR_FOREACH(d
, devnodes
) {
1428 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1431 from
= strappend("/dev/", d
);
1432 to
= strjoin(dest
, "/dev/", d
, NULL
);
1436 if (stat(from
, &st
) < 0) {
1438 if (errno
!= ENOENT
)
1439 return log_error_errno(errno
, "Failed to stat %s: %m", from
);
1441 } else if (!S_ISCHR(st
.st_mode
) && !S_ISBLK(st
.st_mode
)) {
1443 log_error("%s is not a char or block device, cannot copy", from
);
1447 r
= mkdir_parents(to
, 0775);
1449 log_error_errno(r
, "Failed to create parent directory of %s: %m", to
);
1453 if (mknod(to
, st
.st_mode
, st
.st_rdev
) < 0) {
1455 return log_error_errno(errno
, "mknod(%s) failed: %m", to
);
1457 /* Some systems abusively restrict mknod but
1458 * allow bind mounts. */
1461 return log_error_errno(r
, "touch (%s) failed: %m", to
);
1462 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1463 return log_error_errno(errno
, "Both mknod and bind mount (%s) failed: %m", to
);
1466 if (arg_userns
&& arg_uid_shift
!= UID_INVALID
)
1467 if (lchown(to
, arg_uid_shift
, arg_uid_shift
) < 0)
1468 return log_error_errno(errno
, "chown() of device node %s failed: %m", to
);
1475 static int setup_ptmx(const char *dest
) {
1476 _cleanup_free_
char *p
= NULL
;
1478 p
= strappend(dest
, "/dev/ptmx");
1482 if (symlink("pts/ptmx", p
) < 0)
1483 return log_error_errno(errno
, "Failed to create /dev/ptmx symlink: %m");
1485 if (arg_userns
&& arg_uid_shift
!= UID_INVALID
)
1486 if (lchown(p
, arg_uid_shift
, arg_uid_shift
) < 0)
1487 return log_error_errno(errno
, "lchown() of symlink %s failed: %m", p
);
1492 static int setup_dev_console(const char *dest
, const char *console
) {
1493 _cleanup_umask_ mode_t u
;
1502 r
= chmod_and_chown(console
, 0600, 0, 0);
1504 return log_error_errno(r
, "Failed to correct access mode for TTY: %m");
1506 /* We need to bind mount the right tty to /dev/console since
1507 * ptys can only exist on pts file systems. To have something
1508 * to bind mount things on we create a empty regular file. */
1510 to
= strjoina(dest
, "/dev/console");
1513 return log_error_errno(r
, "touch() for /dev/console failed: %m");
1515 if (mount(console
, to
, NULL
, MS_BIND
, NULL
) < 0)
1516 return log_error_errno(errno
, "Bind mount for /dev/console failed: %m");
1521 static int setup_kmsg(const char *dest
, int kmsg_socket
) {
1522 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1523 _cleanup_umask_ mode_t u
;
1526 struct cmsghdr cmsghdr
;
1527 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1529 struct msghdr mh
= {
1530 .msg_control
= &control
,
1531 .msg_controllen
= sizeof(control
),
1533 struct cmsghdr
*cmsg
;
1536 assert(kmsg_socket
>= 0);
1540 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1541 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1542 * on the reading side behave very similar to /proc/kmsg,
1543 * their writing side behaves differently from /dev/kmsg in
1544 * that writing blocks when nothing is reading. In order to
1545 * avoid any problems with containers deadlocking due to this
1546 * we simply make /dev/kmsg unavailable to the container. */
1547 if (asprintf(&from
, "%s/dev/kmsg", dest
) < 0 ||
1548 asprintf(&to
, "%s/proc/kmsg", dest
) < 0)
1551 if (mkfifo(from
, 0600) < 0)
1552 return log_error_errno(errno
, "mkfifo() for /dev/kmsg failed: %m");
1554 r
= chmod_and_chown(from
, 0600, 0, 0);
1556 return log_error_errno(r
, "Failed to correct access mode for /dev/kmsg: %m");
1558 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1559 return log_error_errno(errno
, "Bind mount for /proc/kmsg failed: %m");
1561 fd
= open(from
, O_RDWR
|O_NDELAY
|O_CLOEXEC
);
1563 return log_error_errno(errno
, "Failed to open fifo: %m");
1565 cmsg
= CMSG_FIRSTHDR(&mh
);
1566 cmsg
->cmsg_level
= SOL_SOCKET
;
1567 cmsg
->cmsg_type
= SCM_RIGHTS
;
1568 cmsg
->cmsg_len
= CMSG_LEN(sizeof(int));
1569 memcpy(CMSG_DATA(cmsg
), &fd
, sizeof(int));
1571 mh
.msg_controllen
= cmsg
->cmsg_len
;
1573 /* Store away the fd in the socket, so that it stays open as
1574 * long as we run the child */
1575 k
= sendmsg(kmsg_socket
, &mh
, MSG_NOSIGNAL
);
1579 return log_error_errno(errno
, "Failed to send FIFO fd: %m");
1581 /* And now make the FIFO unavailable as /dev/kmsg... */
1586 static int send_rtnl(int send_fd
) {
1588 struct cmsghdr cmsghdr
;
1589 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1591 struct msghdr mh
= {
1592 .msg_control
= &control
,
1593 .msg_controllen
= sizeof(control
),
1595 struct cmsghdr
*cmsg
;
1596 _cleanup_close_
int fd
= -1;
1599 assert(send_fd
>= 0);
1601 if (!arg_expose_ports
)
1604 fd
= socket(PF_NETLINK
, SOCK_RAW
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, NETLINK_ROUTE
);
1606 return log_error_errno(errno
, "failed to allocate container netlink: %m");
1608 cmsg
= CMSG_FIRSTHDR(&mh
);
1609 cmsg
->cmsg_level
= SOL_SOCKET
;
1610 cmsg
->cmsg_type
= SCM_RIGHTS
;
1611 cmsg
->cmsg_len
= CMSG_LEN(sizeof(int));
1612 memcpy(CMSG_DATA(cmsg
), &fd
, sizeof(int));
1614 mh
.msg_controllen
= cmsg
->cmsg_len
;
1616 /* Store away the fd in the socket, so that it stays open as
1617 * long as we run the child */
1618 k
= sendmsg(send_fd
, &mh
, MSG_NOSIGNAL
);
1620 return log_error_errno(errno
, "Failed to send netlink fd: %m");
1625 static int flush_ports(union in_addr_union
*exposed
) {
1627 int r
, af
= AF_INET
;
1631 if (!arg_expose_ports
)
1634 if (in_addr_is_null(af
, exposed
))
1637 log_debug("Lost IP address.");
1639 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
1640 r
= fw_add_local_dnat(false,
1651 log_warning_errno(r
, "Failed to modify firewall: %m");
1654 *exposed
= IN_ADDR_NULL
;
1658 static int expose_ports(sd_rtnl
*rtnl
, union in_addr_union
*exposed
) {
1659 _cleanup_free_
struct local_address
*addresses
= NULL
;
1660 _cleanup_free_
char *pretty
= NULL
;
1661 union in_addr_union new_exposed
;
1664 int af
= AF_INET
, r
;
1668 /* Invoked each time an address is added or removed inside the
1671 if (!arg_expose_ports
)
1674 r
= local_addresses(rtnl
, 0, af
, &addresses
);
1676 return log_error_errno(r
, "Failed to enumerate local addresses: %m");
1679 addresses
[0].family
== af
&&
1680 addresses
[0].scope
< RT_SCOPE_LINK
;
1683 return flush_ports(exposed
);
1685 new_exposed
= addresses
[0].address
;
1686 if (in_addr_equal(af
, exposed
, &new_exposed
))
1689 in_addr_to_string(af
, &new_exposed
, &pretty
);
1690 log_debug("New container IP is %s.", strna(pretty
));
1692 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
1694 r
= fw_add_local_dnat(true,
1703 in_addr_is_null(af
, exposed
) ? NULL
: exposed
);
1705 log_warning_errno(r
, "Failed to modify firewall: %m");
1708 *exposed
= new_exposed
;
1712 static int on_address_change(sd_rtnl
*rtnl
, sd_rtnl_message
*m
, void *userdata
) {
1713 union in_addr_union
*exposed
= userdata
;
1719 expose_ports(rtnl
, exposed
);
1723 static int watch_rtnl(sd_event
*event
, int recv_fd
, union in_addr_union
*exposed
, sd_rtnl
**ret
) {
1725 struct cmsghdr cmsghdr
;
1726 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1728 struct msghdr mh
= {
1729 .msg_control
= &control
,
1730 .msg_controllen
= sizeof(control
),
1732 struct cmsghdr
*cmsg
;
1733 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
1738 assert(recv_fd
>= 0);
1741 if (!arg_expose_ports
)
1744 k
= recvmsg(recv_fd
, &mh
, MSG_NOSIGNAL
);
1746 return log_error_errno(errno
, "Failed to recv netlink fd: %m");
1748 cmsg
= CMSG_FIRSTHDR(&mh
);
1749 assert(cmsg
->cmsg_level
== SOL_SOCKET
);
1750 assert(cmsg
->cmsg_type
== SCM_RIGHTS
);
1751 assert(cmsg
->cmsg_len
== CMSG_LEN(sizeof(int)));
1752 memcpy(&fd
, CMSG_DATA(cmsg
), sizeof(int));
1754 r
= sd_rtnl_open_fd(&rtnl
, fd
, 1, RTNLGRP_IPV4_IFADDR
);
1757 return log_error_errno(r
, "Failed to create rtnl object: %m");
1760 r
= sd_rtnl_add_match(rtnl
, RTM_NEWADDR
, on_address_change
, exposed
);
1762 return log_error_errno(r
, "Failed to subscribe to RTM_NEWADDR messages: %m");
1764 r
= sd_rtnl_add_match(rtnl
, RTM_DELADDR
, on_address_change
, exposed
);
1766 return log_error_errno(r
, "Failed to subscribe to RTM_DELADDR messages: %m");
1768 r
= sd_rtnl_attach_event(rtnl
, event
, 0);
1770 return log_error_errno(r
, "Failed to add to even loop: %m");
1778 static int setup_hostname(void) {
1780 if (arg_share_system
)
1783 if (sethostname_idempotent(arg_machine
) < 0)
1789 static int setup_journal(const char *directory
) {
1790 sd_id128_t machine_id
, this_id
;
1791 _cleanup_free_
char *p
= NULL
, *b
= NULL
, *q
= NULL
, *d
= NULL
;
1795 /* Don't link journals in ephemeral mode */
1799 p
= strappend(directory
, "/etc/machine-id");
1803 r
= read_one_line_file(p
, &b
);
1804 if (r
== -ENOENT
&& arg_link_journal
== LINK_AUTO
)
1807 return log_error_errno(r
, "Failed to read machine ID from %s: %m", p
);
1810 if (isempty(id
) && arg_link_journal
== LINK_AUTO
)
1813 /* Verify validity */
1814 r
= sd_id128_from_string(id
, &machine_id
);
1816 return log_error_errno(r
, "Failed to parse machine ID from %s: %m", p
);
1818 r
= sd_id128_get_machine(&this_id
);
1820 return log_error_errno(r
, "Failed to retrieve machine ID: %m");
1822 if (sd_id128_equal(machine_id
, this_id
)) {
1823 log_full(arg_link_journal
== LINK_AUTO
? LOG_WARNING
: LOG_ERR
,
1824 "Host and machine ids are equal (%s): refusing to link journals", id
);
1825 if (arg_link_journal
== LINK_AUTO
)
1830 if (arg_link_journal
== LINK_NO
)
1834 p
= strappend("/var/log/journal/", id
);
1835 q
= strjoin(directory
, "/var/log/journal/", id
, NULL
);
1839 if (path_is_mount_point(p
, false) > 0) {
1840 if (arg_link_journal
!= LINK_AUTO
) {
1841 log_error("%s: already a mount point, refusing to use for journal", p
);
1848 if (path_is_mount_point(q
, false) > 0) {
1849 if (arg_link_journal
!= LINK_AUTO
) {
1850 log_error("%s: already a mount point, refusing to use for journal", q
);
1857 r
= readlink_and_make_absolute(p
, &d
);
1859 if ((arg_link_journal
== LINK_GUEST
||
1860 arg_link_journal
== LINK_AUTO
) &&
1863 r
= mkdir_p(q
, 0755);
1865 log_warning_errno(errno
, "Failed to create directory %s: %m", q
);
1870 return log_error_errno(errno
, "Failed to remove symlink %s: %m", p
);
1871 } else if (r
== -EINVAL
) {
1873 if (arg_link_journal
== LINK_GUEST
&&
1876 if (errno
== ENOTDIR
) {
1877 log_error("%s already exists and is neither a symlink nor a directory", p
);
1880 log_error_errno(errno
, "Failed to remove %s: %m", p
);
1884 } else if (r
!= -ENOENT
) {
1885 log_error_errno(errno
, "readlink(%s) failed: %m", p
);
1889 if (arg_link_journal
== LINK_GUEST
) {
1891 if (symlink(q
, p
) < 0) {
1892 if (arg_link_journal_try
) {
1893 log_debug_errno(errno
, "Failed to symlink %s to %s, skipping journal setup: %m", q
, p
);
1896 log_error_errno(errno
, "Failed to symlink %s to %s: %m", q
, p
);
1901 r
= mkdir_p(q
, 0755);
1903 log_warning_errno(errno
, "Failed to create directory %s: %m", q
);
1907 if (arg_link_journal
== LINK_HOST
) {
1908 /* don't create parents here -- if the host doesn't have
1909 * permanent journal set up, don't force it here */
1912 if (arg_link_journal_try
) {
1913 log_debug_errno(errno
, "Failed to create %s, skipping journal setup: %m", p
);
1916 log_error_errno(errno
, "Failed to create %s: %m", p
);
1921 } else if (access(p
, F_OK
) < 0)
1924 if (dir_is_empty(q
) == 0)
1925 log_warning("%s is not empty, proceeding anyway.", q
);
1927 r
= mkdir_p(q
, 0755);
1929 log_error_errno(errno
, "Failed to create %s: %m", q
);
1933 if (mount(p
, q
, NULL
, MS_BIND
, NULL
) < 0)
1934 return log_error_errno(errno
, "Failed to bind mount journal from host into guest: %m");
1939 static int drop_capabilities(void) {
1940 return capability_bounding_set_drop(~arg_retain
, false);
1943 static int register_machine(pid_t pid
, int local_ifindex
) {
1944 _cleanup_bus_error_free_ sd_bus_error error
= SD_BUS_ERROR_NULL
;
1945 _cleanup_bus_close_unref_ sd_bus
*bus
= NULL
;
1951 r
= sd_bus_default_system(&bus
);
1953 return log_error_errno(r
, "Failed to open system bus: %m");
1955 if (arg_keep_unit
) {
1956 r
= sd_bus_call_method(
1958 "org.freedesktop.machine1",
1959 "/org/freedesktop/machine1",
1960 "org.freedesktop.machine1.Manager",
1961 "RegisterMachineWithNetwork",
1966 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid
),
1970 strempty(arg_directory
),
1971 local_ifindex
> 0 ? 1 : 0, local_ifindex
);
1973 _cleanup_bus_message_unref_ sd_bus_message
*m
= NULL
;
1976 r
= sd_bus_message_new_method_call(
1979 "org.freedesktop.machine1",
1980 "/org/freedesktop/machine1",
1981 "org.freedesktop.machine1.Manager",
1982 "CreateMachineWithNetwork");
1984 return bus_log_create_error(r
);
1986 r
= sd_bus_message_append(
1990 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid
),
1994 strempty(arg_directory
),
1995 local_ifindex
> 0 ? 1 : 0, local_ifindex
);
1997 return bus_log_create_error(r
);
1999 r
= sd_bus_message_open_container(m
, 'a', "(sv)");
2001 return bus_log_create_error(r
);
2003 if (!isempty(arg_slice
)) {
2004 r
= sd_bus_message_append(m
, "(sv)", "Slice", "s", arg_slice
);
2006 return bus_log_create_error(r
);
2009 r
= sd_bus_message_append(m
, "(sv)", "DevicePolicy", "s", "strict");
2011 return bus_log_create_error(r
);
2013 r
= sd_bus_message_append(m
, "(sv)", "DeviceAllow", "a(ss)", 9,
2014 /* Allow the container to
2015 * access and create the API
2016 * device nodes, so that
2017 * PrivateDevices= in the
2018 * container can work
2023 "/dev/random", "rwm",
2024 "/dev/urandom", "rwm",
2026 "/dev/net/tun", "rwm",
2027 /* Allow the container
2028 * access to ptys. However,
2030 * container to ever create
2031 * these device nodes. */
2032 "/dev/pts/ptmx", "rw",
2035 return log_error_errno(r
, "Failed to add device whitelist: %m");
2037 STRV_FOREACH(i
, arg_property
) {
2038 r
= sd_bus_message_open_container(m
, 'r', "sv");
2040 return bus_log_create_error(r
);
2042 r
= bus_append_unit_property_assignment(m
, *i
);
2046 r
= sd_bus_message_close_container(m
);
2048 return bus_log_create_error(r
);
2051 r
= sd_bus_message_close_container(m
);
2053 return bus_log_create_error(r
);
2055 r
= sd_bus_call(bus
, m
, 0, &error
, NULL
);
2059 log_error("Failed to register machine: %s", bus_error_message(&error
, r
));
2066 static int terminate_machine(pid_t pid
) {
2067 _cleanup_bus_error_free_ sd_bus_error error
= SD_BUS_ERROR_NULL
;
2068 _cleanup_bus_message_unref_ sd_bus_message
*reply
= NULL
;
2069 _cleanup_bus_close_unref_ sd_bus
*bus
= NULL
;
2076 r
= sd_bus_default_system(&bus
);
2078 return log_error_errno(r
, "Failed to open system bus: %m");
2080 r
= sd_bus_call_method(
2082 "org.freedesktop.machine1",
2083 "/org/freedesktop/machine1",
2084 "org.freedesktop.machine1.Manager",
2091 /* Note that the machine might already have been
2092 * cleaned up automatically, hence don't consider it a
2093 * failure if we cannot get the machine object. */
2094 log_debug("Failed to get machine: %s", bus_error_message(&error
, r
));
2098 r
= sd_bus_message_read(reply
, "o", &path
);
2100 return bus_log_parse_error(r
);
2102 r
= sd_bus_call_method(
2104 "org.freedesktop.machine1",
2106 "org.freedesktop.machine1.Machine",
2112 log_debug("Failed to terminate machine: %s", bus_error_message(&error
, r
));
2119 static int reset_audit_loginuid(void) {
2120 _cleanup_free_
char *p
= NULL
;
2123 if (arg_share_system
)
2126 r
= read_one_line_file("/proc/self/loginuid", &p
);
2130 return log_error_errno(r
, "Failed to read /proc/self/loginuid: %m");
2132 /* Already reset? */
2133 if (streq(p
, "4294967295"))
2136 r
= write_string_file("/proc/self/loginuid", "4294967295");
2138 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
2139 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2140 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2141 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2142 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r
));
2150 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
2151 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
2152 #define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
2154 static int generate_mac(struct ether_addr
*mac
, sd_id128_t hash_key
, uint64_t idx
) {
2160 l
= strlen(arg_machine
);
2161 sz
= sizeof(sd_id128_t
) + l
;
2167 /* fetch some persistent data unique to the host */
2168 r
= sd_id128_get_machine((sd_id128_t
*) v
);
2172 /* combine with some data unique (on this host) to this
2173 * container instance */
2174 i
= mempcpy(v
+ sizeof(sd_id128_t
), arg_machine
, l
);
2177 memcpy(i
, &idx
, sizeof(idx
));
2180 /* Let's hash the host machine ID plus the container name. We
2181 * use a fixed, but originally randomly created hash key here. */
2182 siphash24(result
, v
, sz
, hash_key
.bytes
);
2184 assert_cc(ETH_ALEN
<= sizeof(result
));
2185 memcpy(mac
->ether_addr_octet
, result
, ETH_ALEN
);
2187 /* see eth_random_addr in the kernel */
2188 mac
->ether_addr_octet
[0] &= 0xfe; /* clear multicast bit */
2189 mac
->ether_addr_octet
[0] |= 0x02; /* set local assignment bit (IEEE802) */
2194 static int setup_veth(pid_t pid
, char iface_name
[IFNAMSIZ
], int *ifi
) {
2195 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2196 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2197 struct ether_addr mac_host
, mac_container
;
2200 if (!arg_private_network
)
2203 if (!arg_network_veth
)
2206 /* Use two different interface name prefixes depending whether
2207 * we are in bridge mode or not. */
2208 snprintf(iface_name
, IFNAMSIZ
- 1, "%s-%s",
2209 arg_network_bridge
? "vb" : "ve", arg_machine
);
2211 r
= generate_mac(&mac_container
, CONTAINER_HASH_KEY
, 0);
2213 return log_error_errno(r
, "Failed to generate predictable MAC address for container side: %m");
2215 r
= generate_mac(&mac_host
, HOST_HASH_KEY
, 0);
2217 return log_error_errno(r
, "Failed to generate predictable MAC address for host side: %m");
2219 r
= sd_rtnl_open(&rtnl
, 0);
2221 return log_error_errno(r
, "Failed to connect to netlink: %m");
2223 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2225 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2227 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, iface_name
);
2229 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2231 r
= sd_rtnl_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac_host
);
2233 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2235 r
= sd_rtnl_message_open_container(m
, IFLA_LINKINFO
);
2237 return log_error_errno(r
, "Failed to open netlink container: %m");
2239 r
= sd_rtnl_message_open_container_union(m
, IFLA_INFO_DATA
, "veth");
2241 return log_error_errno(r
, "Failed to open netlink container: %m");
2243 r
= sd_rtnl_message_open_container(m
, VETH_INFO_PEER
);
2245 return log_error_errno(r
, "Failed to open netlink container: %m");
2247 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, "host0");
2249 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2251 r
= sd_rtnl_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac_container
);
2253 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2255 r
= sd_rtnl_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2257 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2259 r
= sd_rtnl_message_close_container(m
);
2261 return log_error_errno(r
, "Failed to close netlink container: %m");
2263 r
= sd_rtnl_message_close_container(m
);
2265 return log_error_errno(r
, "Failed to close netlink container: %m");
2267 r
= sd_rtnl_message_close_container(m
);
2269 return log_error_errno(r
, "Failed to close netlink container: %m");
2271 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2273 return log_error_errno(r
, "Failed to add new veth interfaces: %m");
2275 i
= (int) if_nametoindex(iface_name
);
2277 return log_error_errno(errno
, "Failed to resolve interface %s: %m", iface_name
);
2284 static int setup_bridge(const char veth_name
[], int *ifi
) {
2285 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2286 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2289 if (!arg_private_network
)
2292 if (!arg_network_veth
)
2295 if (!arg_network_bridge
)
2298 bridge
= (int) if_nametoindex(arg_network_bridge
);
2300 return log_error_errno(errno
, "Failed to resolve interface %s: %m", arg_network_bridge
);
2304 r
= sd_rtnl_open(&rtnl
, 0);
2306 return log_error_errno(r
, "Failed to connect to netlink: %m");
2308 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, 0);
2310 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2312 r
= sd_rtnl_message_link_set_flags(m
, IFF_UP
, IFF_UP
);
2314 return log_error_errno(r
, "Failed to set IFF_UP flag: %m");
2316 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, veth_name
);
2318 return log_error_errno(r
, "Failed to add netlink interface name field: %m");
2320 r
= sd_rtnl_message_append_u32(m
, IFLA_MASTER
, bridge
);
2322 return log_error_errno(r
, "Failed to add netlink master field: %m");
2324 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2326 return log_error_errno(r
, "Failed to add veth interface to bridge: %m");
2331 static int parse_interface(struct udev
*udev
, const char *name
) {
2332 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
2333 char ifi_str
[2 + DECIMAL_STR_MAX(int)];
2336 ifi
= (int) if_nametoindex(name
);
2338 return log_error_errno(errno
, "Failed to resolve interface %s: %m", name
);
2340 sprintf(ifi_str
, "n%i", ifi
);
2341 d
= udev_device_new_from_device_id(udev
, ifi_str
);
2343 return log_error_errno(errno
, "Failed to get udev device for interface %s: %m", name
);
2345 if (udev_device_get_is_initialized(d
) <= 0) {
2346 log_error("Network interface %s is not initialized yet.", name
);
2353 static int move_network_interfaces(pid_t pid
) {
2354 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2355 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2359 if (!arg_private_network
)
2362 if (strv_isempty(arg_network_interfaces
))
2365 r
= sd_rtnl_open(&rtnl
, 0);
2367 return log_error_errno(r
, "Failed to connect to netlink: %m");
2371 log_error("Failed to connect to udev.");
2375 STRV_FOREACH(i
, arg_network_interfaces
) {
2376 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2379 ifi
= parse_interface(udev
, *i
);
2383 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, ifi
);
2385 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2387 r
= sd_rtnl_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2389 return log_error_errno(r
, "Failed to append namespace PID to netlink message: %m");
2391 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2393 return log_error_errno(r
, "Failed to move interface %s to namespace: %m", *i
);
2399 static int setup_macvlan(pid_t pid
) {
2400 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2401 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2406 if (!arg_private_network
)
2409 if (strv_isempty(arg_network_macvlan
))
2412 r
= sd_rtnl_open(&rtnl
, 0);
2414 return log_error_errno(r
, "Failed to connect to netlink: %m");
2418 log_error("Failed to connect to udev.");
2422 STRV_FOREACH(i
, arg_network_macvlan
) {
2423 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2424 _cleanup_free_
char *n
= NULL
;
2425 struct ether_addr mac
;
2428 ifi
= parse_interface(udev
, *i
);
2432 r
= generate_mac(&mac
, MACVLAN_HASH_KEY
, idx
++);
2434 return log_error_errno(r
, "Failed to create MACVLAN MAC address: %m");
2436 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2438 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2440 r
= sd_rtnl_message_append_u32(m
, IFLA_LINK
, ifi
);
2442 return log_error_errno(r
, "Failed to add netlink interface index: %m");
2444 n
= strappend("mv-", *i
);
2448 strshorten(n
, IFNAMSIZ
-1);
2450 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, n
);
2452 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2454 r
= sd_rtnl_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac
);
2456 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2458 r
= sd_rtnl_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2460 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2462 r
= sd_rtnl_message_open_container(m
, IFLA_LINKINFO
);
2464 return log_error_errno(r
, "Failed to open netlink container: %m");
2466 r
= sd_rtnl_message_open_container_union(m
, IFLA_INFO_DATA
, "macvlan");
2468 return log_error_errno(r
, "Failed to open netlink container: %m");
2470 r
= sd_rtnl_message_append_u32(m
, IFLA_MACVLAN_MODE
, MACVLAN_MODE_BRIDGE
);
2472 return log_error_errno(r
, "Failed to append macvlan mode: %m");
2474 r
= sd_rtnl_message_close_container(m
);
2476 return log_error_errno(r
, "Failed to close netlink container: %m");
2478 r
= sd_rtnl_message_close_container(m
);
2480 return log_error_errno(r
, "Failed to close netlink container: %m");
2482 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2484 return log_error_errno(r
, "Failed to add new macvlan interfaces: %m");
2490 static int setup_ipvlan(pid_t pid
) {
2491 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2492 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2496 if (!arg_private_network
)
2499 if (strv_isempty(arg_network_ipvlan
))
2502 r
= sd_rtnl_open(&rtnl
, 0);
2504 return log_error_errno(r
, "Failed to connect to netlink: %m");
2508 log_error("Failed to connect to udev.");
2512 STRV_FOREACH(i
, arg_network_ipvlan
) {
2513 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2514 _cleanup_free_
char *n
= NULL
;
2517 ifi
= parse_interface(udev
, *i
);
2521 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2523 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2525 r
= sd_rtnl_message_append_u32(m
, IFLA_LINK
, ifi
);
2527 return log_error_errno(r
, "Failed to add netlink interface index: %m");
2529 n
= strappend("iv-", *i
);
2533 strshorten(n
, IFNAMSIZ
-1);
2535 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, n
);
2537 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2539 r
= sd_rtnl_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2541 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2543 r
= sd_rtnl_message_open_container(m
, IFLA_LINKINFO
);
2545 return log_error_errno(r
, "Failed to open netlink container: %m");
2547 r
= sd_rtnl_message_open_container_union(m
, IFLA_INFO_DATA
, "ipvlan");
2549 return log_error_errno(r
, "Failed to open netlink container: %m");
2551 r
= sd_rtnl_message_append_u16(m
, IFLA_IPVLAN_MODE
, IPVLAN_MODE_L2
);
2553 return log_error_errno(r
, "Failed to add ipvlan mode: %m");
2555 r
= sd_rtnl_message_close_container(m
);
2557 return log_error_errno(r
, "Failed to close netlink container: %m");
2559 r
= sd_rtnl_message_close_container(m
);
2561 return log_error_errno(r
, "Failed to close netlink container: %m");
2563 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2565 return log_error_errno(r
, "Failed to add new ipvlan interfaces: %m");
2571 static int setup_seccomp(void) {
2574 static const struct {
2575 uint64_t capability
;
2578 { CAP_SYS_RAWIO
, SCMP_SYS(iopl
)},
2579 { CAP_SYS_RAWIO
, SCMP_SYS(ioperm
)},
2580 { CAP_SYS_BOOT
, SCMP_SYS(kexec_load
)},
2581 { CAP_SYS_ADMIN
, SCMP_SYS(swapon
)},
2582 { CAP_SYS_ADMIN
, SCMP_SYS(swapoff
)},
2583 { CAP_SYS_ADMIN
, SCMP_SYS(open_by_handle_at
)},
2584 { CAP_SYS_MODULE
, SCMP_SYS(init_module
)},
2585 { CAP_SYS_MODULE
, SCMP_SYS(finit_module
)},
2586 { CAP_SYS_MODULE
, SCMP_SYS(delete_module
)},
2589 scmp_filter_ctx seccomp
;
2593 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
2597 r
= seccomp_add_secondary_archs(seccomp
);
2599 log_error_errno(r
, "Failed to add secondary archs to seccomp filter: %m");
2603 for (i
= 0; i
< ELEMENTSOF(blacklist
); i
++) {
2604 if (arg_retain
& (1ULL << blacklist
[i
].capability
))
2607 r
= seccomp_rule_add(seccomp
, SCMP_ACT_ERRNO(EPERM
), blacklist
[i
].syscall_num
, 0);
2609 continue; /* unknown syscall */
2611 log_error_errno(r
, "Failed to block syscall: %m");
2618 Audit is broken in containers, much of the userspace audit
2619 hookup will fail if running inside a container. We don't
2620 care and just turn off creation of audit sockets.
2622 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
2623 with EAFNOSUPPORT which audit userspace uses as indication
2624 that audit is disabled in the kernel.
2627 r
= seccomp_rule_add(
2629 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
2632 SCMP_A0(SCMP_CMP_EQ
, AF_NETLINK
),
2633 SCMP_A2(SCMP_CMP_EQ
, NETLINK_AUDIT
));
2635 log_error_errno(r
, "Failed to add audit seccomp rule: %m");
2639 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
2641 log_error_errno(r
, "Failed to unset NO_NEW_PRIVS: %m");
2645 r
= seccomp_load(seccomp
);
2647 log_error_errno(r
, "Failed to install seccomp audit filter: %m");
2650 seccomp_release(seccomp
);
2658 static int setup_propagate(const char *root
) {
2661 (void) mkdir_p("/run/systemd/nspawn/", 0755);
2662 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
2663 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
2664 (void) mkdir_p(p
, 0600);
2666 q
= strjoina(root
, "/run/systemd/nspawn/incoming");
2667 mkdir_parents(q
, 0755);
2670 if (mount(p
, q
, NULL
, MS_BIND
, NULL
) < 0)
2671 return log_error_errno(errno
, "Failed to install propagation bind mount.");
2673 if (mount(NULL
, q
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
) < 0)
2674 return log_error_errno(errno
, "Failed to make propagation mount read-only");
2679 static int setup_image(char **device_path
, int *loop_nr
) {
2680 struct loop_info64 info
= {
2681 .lo_flags
= LO_FLAGS_AUTOCLEAR
|LO_FLAGS_PARTSCAN
2683 _cleanup_close_
int fd
= -1, control
= -1, loop
= -1;
2684 _cleanup_free_
char* loopdev
= NULL
;
2688 assert(device_path
);
2692 fd
= open(arg_image
, O_CLOEXEC
|(arg_read_only
? O_RDONLY
: O_RDWR
)|O_NONBLOCK
|O_NOCTTY
);
2694 return log_error_errno(errno
, "Failed to open %s: %m", arg_image
);
2696 if (fstat(fd
, &st
) < 0)
2697 return log_error_errno(errno
, "Failed to stat %s: %m", arg_image
);
2699 if (S_ISBLK(st
.st_mode
)) {
2702 p
= strdup(arg_image
);
2716 if (!S_ISREG(st
.st_mode
)) {
2717 log_error_errno(errno
, "%s is not a regular file or block device: %m", arg_image
);
2721 control
= open("/dev/loop-control", O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
);
2723 return log_error_errno(errno
, "Failed to open /dev/loop-control: %m");
2725 nr
= ioctl(control
, LOOP_CTL_GET_FREE
);
2727 return log_error_errno(errno
, "Failed to allocate loop device: %m");
2729 if (asprintf(&loopdev
, "/dev/loop%i", nr
) < 0)
2732 loop
= open(loopdev
, O_CLOEXEC
|(arg_read_only
? O_RDONLY
: O_RDWR
)|O_NONBLOCK
|O_NOCTTY
);
2734 return log_error_errno(errno
, "Failed to open loop device %s: %m", loopdev
);
2736 if (ioctl(loop
, LOOP_SET_FD
, fd
) < 0)
2737 return log_error_errno(errno
, "Failed to set loopback file descriptor on %s: %m", loopdev
);
2740 info
.lo_flags
|= LO_FLAGS_READ_ONLY
;
2742 if (ioctl(loop
, LOOP_SET_STATUS64
, &info
) < 0)
2743 return log_error_errno(errno
, "Failed to set loopback settings on %s: %m", loopdev
);
2745 *device_path
= loopdev
;
2756 #define PARTITION_TABLE_BLURB \
2757 "Note that the disk image needs to either contain only a single MBR partition of\n" \
2758 "type 0x83 that is marked bootable, or a single GPT partition of type " \
2759 "0FC63DAF-8483-4772-8E79-3D69D8477DE4 or follow\n" \
2760 " http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n" \
2761 "to be bootable with systemd-nspawn."
2763 static int dissect_image(
2765 char **root_device
, bool *root_device_rw
,
2766 char **home_device
, bool *home_device_rw
,
2767 char **srv_device
, bool *srv_device_rw
,
2771 int home_nr
= -1, srv_nr
= -1;
2772 #ifdef GPT_ROOT_NATIVE
2775 #ifdef GPT_ROOT_SECONDARY
2776 int secondary_root_nr
= -1;
2778 _cleanup_free_
char *home
= NULL
, *root
= NULL
, *secondary_root
= NULL
, *srv
= NULL
, *generic
= NULL
;
2779 _cleanup_udev_enumerate_unref_
struct udev_enumerate
*e
= NULL
;
2780 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
2781 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
2782 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2783 struct udev_list_entry
*first
, *item
;
2784 bool home_rw
= true, root_rw
= true, secondary_root_rw
= true, srv_rw
= true, generic_rw
= true;
2785 bool is_gpt
, is_mbr
, multiple_generic
= false;
2786 const char *pttype
= NULL
;
2793 assert(root_device
);
2794 assert(home_device
);
2799 b
= blkid_new_probe();
2804 r
= blkid_probe_set_device(b
, fd
, 0, 0);
2809 log_error_errno(errno
, "Failed to set device on blkid probe: %m");
2813 blkid_probe_enable_partitions(b
, 1);
2814 blkid_probe_set_partitions_flags(b
, BLKID_PARTS_ENTRY_DETAILS
);
2817 r
= blkid_do_safeprobe(b
);
2818 if (r
== -2 || r
== 1) {
2819 log_error("Failed to identify any partition table on\n"
2821 PARTITION_TABLE_BLURB
, arg_image
);
2823 } else if (r
!= 0) {
2826 log_error_errno(errno
, "Failed to probe: %m");
2830 (void) blkid_probe_lookup_value(b
, "PTTYPE", &pttype
, NULL
);
2832 is_gpt
= streq_ptr(pttype
, "gpt");
2833 is_mbr
= streq_ptr(pttype
, "dos");
2835 if (!is_gpt
&& !is_mbr
) {
2836 log_error("No GPT or MBR partition table discovered on\n"
2838 PARTITION_TABLE_BLURB
, arg_image
);
2843 pl
= blkid_probe_get_partitions(b
);
2848 log_error("Failed to list partitions of %s", arg_image
);
2856 if (fstat(fd
, &st
) < 0)
2857 return log_error_errno(errno
, "Failed to stat block device: %m");
2859 d
= udev_device_new_from_devnum(udev
, 'b', st
.st_rdev
);
2867 log_error("Kernel partitions never appeared.");
2871 e
= udev_enumerate_new(udev
);
2875 r
= udev_enumerate_add_match_parent(e
, d
);
2879 r
= udev_enumerate_scan_devices(e
);
2881 return log_error_errno(r
, "Failed to scan for partition devices of %s: %m", arg_image
);
2883 /* Count the partitions enumerated by the kernel */
2885 first
= udev_enumerate_get_list_entry(e
);
2886 udev_list_entry_foreach(item
, first
)
2889 /* Count the partitions enumerated by blkid */
2890 m
= blkid_partlist_numof_partitions(pl
);
2894 log_error("blkid and kernel partition list do not match.");
2900 /* The kernel has probed fewer partitions than
2901 * blkid? Maybe the kernel prober is still
2902 * running or it got EBUSY because udev
2903 * already opened the device. Let's reprobe
2904 * the device, which is a synchronous call
2905 * that waits until probing is complete. */
2907 for (j
= 0; j
< 20; j
++) {
2909 r
= ioctl(fd
, BLKRRPART
, 0);
2912 if (r
>= 0 || r
!= -EBUSY
)
2915 /* If something else has the device
2916 * open, such as an udev rule, the
2917 * ioctl will return EBUSY. Since
2918 * there's no way to wait until it
2919 * isn't busy anymore, let's just wait
2920 * a bit, and try again.
2922 * This is really something they
2923 * should fix in the kernel! */
2925 usleep(50 * USEC_PER_MSEC
);
2929 return log_error_errno(r
, "Failed to reread partition table: %m");
2932 e
= udev_enumerate_unref(e
);
2935 first
= udev_enumerate_get_list_entry(e
);
2936 udev_list_entry_foreach(item
, first
) {
2937 _cleanup_udev_device_unref_
struct udev_device
*q
;
2939 unsigned long long flags
;
2945 q
= udev_device_new_from_syspath(udev
, udev_list_entry_get_name(item
));
2950 log_error_errno(errno
, "Failed to get partition device of %s: %m", arg_image
);
2954 qn
= udev_device_get_devnum(q
);
2958 if (st
.st_rdev
== qn
)
2961 node
= udev_device_get_devnode(q
);
2965 pp
= blkid_partlist_devno_to_partition(pl
, qn
);
2969 flags
= blkid_partition_get_flags(pp
);
2971 nr
= blkid_partition_get_partno(pp
);
2979 if (flags
& GPT_FLAG_NO_AUTO
)
2982 stype
= blkid_partition_get_type_string(pp
);
2986 if (sd_id128_from_string(stype
, &type_id
) < 0)
2989 if (sd_id128_equal(type_id
, GPT_HOME
)) {
2991 if (home
&& nr
>= home_nr
)
2995 home_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
2997 r
= free_and_strdup(&home
, node
);
3001 } else if (sd_id128_equal(type_id
, GPT_SRV
)) {
3003 if (srv
&& nr
>= srv_nr
)
3007 srv_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3009 r
= free_and_strdup(&srv
, node
);
3013 #ifdef GPT_ROOT_NATIVE
3014 else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE
)) {
3016 if (root
&& nr
>= root_nr
)
3020 root_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3022 r
= free_and_strdup(&root
, node
);
3027 #ifdef GPT_ROOT_SECONDARY
3028 else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY
)) {
3030 if (secondary_root
&& nr
>= secondary_root_nr
)
3033 secondary_root_nr
= nr
;
3034 secondary_root_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3036 r
= free_and_strdup(&secondary_root
, node
);
3041 else if (sd_id128_equal(type_id
, GPT_LINUX_GENERIC
)) {
3044 multiple_generic
= true;
3046 generic_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3048 r
= free_and_strdup(&generic
, node
);
3054 } else if (is_mbr
) {
3057 if (flags
!= 0x80) /* Bootable flag */
3060 type
= blkid_partition_get_type(pp
);
3061 if (type
!= 0x83) /* Linux partition */
3065 multiple_generic
= true;
3069 r
= free_and_strdup(&root
, node
);
3077 *root_device
= root
;
3080 *root_device_rw
= root_rw
;
3082 } else if (secondary_root
) {
3083 *root_device
= secondary_root
;
3084 secondary_root
= NULL
;
3086 *root_device_rw
= secondary_root_rw
;
3088 } else if (generic
) {
3090 /* There were no partitions with precise meanings
3091 * around, but we found generic partitions. In this
3092 * case, if there's only one, we can go ahead and boot
3093 * it, otherwise we bail out, because we really cannot
3094 * make any sense of it. */
3096 if (multiple_generic
) {
3097 log_error("Identified multiple bootable Linux partitions on\n"
3099 PARTITION_TABLE_BLURB
, arg_image
);
3103 *root_device
= generic
;
3106 *root_device_rw
= generic_rw
;
3109 log_error("Failed to identify root partition in disk image\n"
3111 PARTITION_TABLE_BLURB
, arg_image
);
3116 *home_device
= home
;
3119 *home_device_rw
= home_rw
;
3126 *srv_device_rw
= srv_rw
;
3131 log_error("--image= is not supported, compiled without blkid support.");
3136 static int mount_device(const char *what
, const char *where
, const char *directory
, bool rw
) {
3138 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
3139 const char *fstype
, *p
;
3149 p
= strjoina(where
, directory
);
3154 b
= blkid_new_probe_from_filename(what
);
3158 log_error_errno(errno
, "Failed to allocate prober for %s: %m", what
);
3162 blkid_probe_enable_superblocks(b
, 1);
3163 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
);
3166 r
= blkid_do_safeprobe(b
);
3167 if (r
== -1 || r
== 1) {
3168 log_error("Cannot determine file system type of %s", what
);
3170 } else if (r
!= 0) {
3173 log_error_errno(errno
, "Failed to probe %s: %m", what
);
3178 if (blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
) < 0) {
3181 log_error("Failed to determine file system type of %s", what
);
3185 if (streq(fstype
, "crypto_LUKS")) {
3186 log_error("nspawn currently does not support LUKS disk images.");
3190 if (mount(what
, p
, fstype
, MS_NODEV
|(rw
? 0 : MS_RDONLY
), NULL
) < 0)
3191 return log_error_errno(errno
, "Failed to mount %s: %m", what
);
3195 log_error("--image= is not supported, compiled without blkid support.");
3200 static int mount_devices(
3202 const char *root_device
, bool root_device_rw
,
3203 const char *home_device
, bool home_device_rw
,
3204 const char *srv_device
, bool srv_device_rw
) {
3210 r
= mount_device(root_device
, arg_directory
, NULL
, root_device_rw
);
3212 return log_error_errno(r
, "Failed to mount root directory: %m");
3216 r
= mount_device(home_device
, arg_directory
, "/home", home_device_rw
);
3218 return log_error_errno(r
, "Failed to mount home directory: %m");
3222 r
= mount_device(srv_device
, arg_directory
, "/srv", srv_device_rw
);
3224 return log_error_errno(r
, "Failed to mount server data directory: %m");
3230 static void loop_remove(int nr
, int *image_fd
) {
3231 _cleanup_close_
int control
= -1;
3237 if (image_fd
&& *image_fd
>= 0) {
3238 r
= ioctl(*image_fd
, LOOP_CLR_FD
);
3240 log_debug_errno(errno
, "Failed to close loop image: %m");
3241 *image_fd
= safe_close(*image_fd
);
3244 control
= open("/dev/loop-control", O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
);
3246 log_warning_errno(errno
, "Failed to open /dev/loop-control: %m");
3250 r
= ioctl(control
, LOOP_CTL_REMOVE
, nr
);
3252 log_debug_errno(errno
, "Failed to remove loop %d: %m", nr
);
3255 static int spawn_getent(const char *database
, const char *key
, pid_t
*rpid
) {
3263 if (pipe2(pipe_fds
, O_CLOEXEC
) < 0)
3264 return log_error_errno(errno
, "Failed to allocate pipe: %m");
3268 return log_error_errno(errno
, "Failed to fork getent child: %m");
3269 else if (pid
== 0) {
3271 char *empty_env
= NULL
;
3273 if (dup3(pipe_fds
[1], STDOUT_FILENO
, 0) < 0)
3274 _exit(EXIT_FAILURE
);
3276 if (pipe_fds
[0] > 2)
3277 safe_close(pipe_fds
[0]);
3278 if (pipe_fds
[1] > 2)
3279 safe_close(pipe_fds
[1]);
3281 nullfd
= open("/dev/null", O_RDWR
);
3283 _exit(EXIT_FAILURE
);
3285 if (dup3(nullfd
, STDIN_FILENO
, 0) < 0)
3286 _exit(EXIT_FAILURE
);
3288 if (dup3(nullfd
, STDERR_FILENO
, 0) < 0)
3289 _exit(EXIT_FAILURE
);
3294 reset_all_signal_handlers();
3295 close_all_fds(NULL
, 0);
3297 execle("/usr/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
3298 execle("/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
3299 _exit(EXIT_FAILURE
);
3302 pipe_fds
[1] = safe_close(pipe_fds
[1]);
3309 static int change_uid_gid(char **_home
) {
3310 char line
[LINE_MAX
], *x
, *u
, *g
, *h
;
3311 const char *word
, *state
;
3312 _cleanup_free_ uid_t
*uids
= NULL
;
3313 _cleanup_free_
char *home
= NULL
;
3314 _cleanup_fclose_
FILE *f
= NULL
;
3315 _cleanup_close_
int fd
= -1;
3316 unsigned n_uids
= 0;
3325 if (!arg_user
|| streq(arg_user
, "root") || streq(arg_user
, "0")) {
3326 /* Reset everything fully to 0, just in case */
3328 if (setgroups(0, NULL
) < 0)
3329 return log_error_errno(errno
, "setgroups() failed: %m");
3331 if (setresgid(0, 0, 0) < 0)
3332 return log_error_errno(errno
, "setregid() failed: %m");
3334 if (setresuid(0, 0, 0) < 0)
3335 return log_error_errno(errno
, "setreuid() failed: %m");
3341 /* First, get user credentials */
3342 fd
= spawn_getent("passwd", arg_user
, &pid
);
3346 f
= fdopen(fd
, "r");
3351 if (!fgets(line
, sizeof(line
), f
)) {
3354 log_error("Failed to resolve user %s.", arg_user
);
3358 log_error_errno(errno
, "Failed to read from getent: %m");
3364 wait_for_terminate_and_warn("getent passwd", pid
, true);
3366 x
= strchr(line
, ':');
3368 log_error("/etc/passwd entry has invalid user field.");
3372 u
= strchr(x
+1, ':');
3374 log_error("/etc/passwd entry has invalid password field.");
3381 log_error("/etc/passwd entry has invalid UID field.");
3389 log_error("/etc/passwd entry has invalid GID field.");
3394 h
= strchr(x
+1, ':');
3396 log_error("/etc/passwd entry has invalid GECOS field.");
3403 log_error("/etc/passwd entry has invalid home directory field.");
3409 r
= parse_uid(u
, &uid
);
3411 log_error("Failed to parse UID of user.");
3415 r
= parse_gid(g
, &gid
);
3417 log_error("Failed to parse GID of user.");
3425 /* Second, get group memberships */
3426 fd
= spawn_getent("initgroups", arg_user
, &pid
);
3431 f
= fdopen(fd
, "r");
3436 if (!fgets(line
, sizeof(line
), f
)) {
3438 log_error("Failed to resolve user %s.", arg_user
);
3442 log_error_errno(errno
, "Failed to read from getent: %m");
3448 wait_for_terminate_and_warn("getent initgroups", pid
, true);
3450 /* Skip over the username and subsequent separator whitespace */
3452 x
+= strcspn(x
, WHITESPACE
);
3453 x
+= strspn(x
, WHITESPACE
);
3455 FOREACH_WORD(word
, l
, x
, state
) {
3461 if (!GREEDY_REALLOC(uids
, sz
, n_uids
+1))
3464 r
= parse_uid(c
, &uids
[n_uids
++]);
3466 log_error("Failed to parse group data from getent.");
3471 r
= mkdir_parents(home
, 0775);
3473 return log_error_errno(r
, "Failed to make home root directory: %m");
3475 r
= mkdir_safe(home
, 0755, uid
, gid
);
3476 if (r
< 0 && r
!= -EEXIST
)
3477 return log_error_errno(r
, "Failed to make home directory: %m");
3479 fchown(STDIN_FILENO
, uid
, gid
);
3480 fchown(STDOUT_FILENO
, uid
, gid
);
3481 fchown(STDERR_FILENO
, uid
, gid
);
3483 if (setgroups(n_uids
, uids
) < 0)
3484 return log_error_errno(errno
, "Failed to set auxiliary groups: %m");
3486 if (setresgid(gid
, gid
, gid
) < 0)
3487 return log_error_errno(errno
, "setregid() failed: %m");
3489 if (setresuid(uid
, uid
, uid
) < 0)
3490 return log_error_errno(errno
, "setreuid() failed: %m");
3502 * < 0 : wait_for_terminate() failed to get the state of the
3503 * container, the container was terminated by a signal, or
3504 * failed for an unknown reason. No change is made to the
3505 * container argument.
3506 * > 0 : The program executed in the container terminated with an
3507 * error. The exit code of the program executed in the
3508 * container is returned. The container argument has been set
3509 * to CONTAINER_TERMINATED.
3510 * 0 : The container is being rebooted, has been shut down or exited
3511 * successfully. The container argument has been set to either
3512 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
3514 * That is, success is indicated by a return value of zero, and an
3515 * error is indicated by a non-zero value.
3517 static int wait_for_container(pid_t pid
, ContainerStatus
*container
) {
3521 r
= wait_for_terminate(pid
, &status
);
3523 return log_warning_errno(r
, "Failed to wait for container: %m");
3525 switch (status
.si_code
) {
3528 if (status
.si_status
== 0) {
3529 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s exited successfully.", arg_machine
);
3532 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s failed with error code %i.", arg_machine
, status
.si_status
);
3534 *container
= CONTAINER_TERMINATED
;
3535 return status
.si_status
;
3538 if (status
.si_status
== SIGINT
) {
3540 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s has been shut down.", arg_machine
);
3541 *container
= CONTAINER_TERMINATED
;
3544 } else if (status
.si_status
== SIGHUP
) {
3546 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s is being rebooted.", arg_machine
);
3547 *container
= CONTAINER_REBOOTED
;
3551 /* CLD_KILLED fallthrough */
3554 log_error("Container %s terminated by signal %s.", arg_machine
, signal_to_string(status
.si_status
));
3558 log_error("Container %s failed due to unknown reason.", arg_machine
);
3565 static void nop_handler(int sig
) {}
3567 static int on_orderly_shutdown(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
3570 pid
= PTR_TO_UINT32(userdata
);
3572 if (kill(pid
, arg_kill_signal
) >= 0) {
3573 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
3574 sd_event_source_set_userdata(s
, NULL
);
3579 sd_event_exit(sd_event_source_get_event(s
), 0);
3583 static int determine_names(void) {
3586 if (!arg_image
&& !arg_directory
) {
3588 _cleanup_(image_unrefp
) Image
*i
= NULL
;
3590 r
= image_find(arg_machine
, &i
);
3592 return log_error_errno(r
, "Failed to find image for machine '%s': %m", arg_machine
);
3594 log_error("No image for machine '%s': %m", arg_machine
);
3598 if (i
->type
== IMAGE_RAW
)
3599 r
= set_sanitized_path(&arg_image
, i
->path
);
3601 r
= set_sanitized_path(&arg_directory
, i
->path
);
3603 return log_error_errno(r
, "Invalid image directory: %m");
3605 arg_read_only
= arg_read_only
|| i
->read_only
;
3607 arg_directory
= get_current_dir_name();
3609 if (!arg_directory
&& !arg_machine
) {
3610 log_error("Failed to determine path, please use -D or -i.");
3616 if (arg_directory
&& path_equal(arg_directory
, "/"))
3617 arg_machine
= gethostname_malloc();
3619 arg_machine
= strdup(basename(arg_image
?: arg_directory
));
3624 hostname_cleanup(arg_machine
, false);
3625 if (!machine_name_is_valid(arg_machine
)) {
3626 log_error("Failed to determine machine name automatically, please use -M.");
3630 if (arg_ephemeral
) {
3633 /* Add a random suffix when this is an
3634 * ephemeral machine, so that we can run many
3635 * instances at once without manually having
3636 * to specify -M each time. */
3638 if (asprintf(&b
, "%s-%016" PRIx64
, arg_machine
, random_u64()) < 0)
3649 static int determine_uid_shift(void) {
3655 if (arg_uid_shift
== UID_INVALID
) {
3658 r
= stat(arg_directory
, &st
);
3660 return log_error_errno(errno
, "Failed to determine UID base of %s: %m", arg_directory
);
3662 arg_uid_shift
= st
.st_uid
& UINT32_C(0xffff0000);
3664 if (arg_uid_shift
!= (st
.st_gid
& UINT32_C(0xffff0000))) {
3665 log_error("UID and GID base of %s don't match.", arg_directory
);
3669 arg_uid_range
= UINT32_C(0x10000);
3672 if (arg_uid_shift
> (uid_t
) -1 - arg_uid_range
) {
3673 log_error("UID base too high for UID range.");
3677 log_info("Using user namespaces with base " UID_FMT
" and range " UID_FMT
".", arg_uid_shift
, arg_uid_range
);
3681 int main(int argc
, char *argv
[]) {
3683 _cleanup_free_
char *device_path
= NULL
, *root_device
= NULL
, *home_device
= NULL
, *srv_device
= NULL
, *console
= NULL
;
3684 bool root_device_rw
= true, home_device_rw
= true, srv_device_rw
= true;
3685 _cleanup_close_
int master
= -1, image_fd
= -1;
3686 _cleanup_fdset_free_ FDSet
*fds
= NULL
;
3687 int r
, n_fd_passed
, loop_nr
= -1;
3688 char veth_name
[IFNAMSIZ
];
3689 bool secondary
= false, remove_subvol
= false;
3690 sigset_t mask
, mask_chld
;
3692 int ret
= EXIT_SUCCESS
;
3693 union in_addr_union exposed
= {};
3694 _cleanup_release_lock_file_ LockFile tree_global_lock
= LOCK_FILE_INIT
, tree_local_lock
= LOCK_FILE_INIT
;
3697 log_parse_environment();
3700 r
= parse_argv(argc
, argv
);
3704 r
= determine_names();
3708 if (geteuid() != 0) {
3709 log_error("Need to be root.");
3715 n_fd_passed
= sd_listen_fds(false);
3716 if (n_fd_passed
> 0) {
3717 r
= fdset_new_listen_fds(&fds
, false);
3719 log_error_errno(r
, "Failed to collect file descriptors: %m");
3723 fdset_close_others(fds
);
3726 if (arg_directory
) {
3729 if (path_equal(arg_directory
, "/") && !arg_ephemeral
) {
3730 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
3735 if (arg_ephemeral
) {
3736 _cleanup_free_
char *np
= NULL
;
3738 /* If the specified path is a mount point we
3739 * generate the new snapshot immediately
3740 * inside it under a random name. However if
3741 * the specified is not a mount point we
3742 * create the new snapshot in the parent
3743 * directory, just next to it. */
3744 r
= path_is_mount_point(arg_directory
, false);
3746 log_error_errno(r
, "Failed to determine whether directory %s is mount point: %m", arg_directory
);
3750 r
= tempfn_random_child(arg_directory
, &np
);
3752 r
= tempfn_random(arg_directory
, &np
);
3754 log_error_errno(r
, "Failed to generate name for snapshot: %m");
3758 r
= image_path_lock(np
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3760 log_error_errno(r
, "Failed to lock %s: %m", np
);
3764 r
= btrfs_subvol_snapshot(arg_directory
, np
, arg_read_only
, true);
3766 log_error_errno(r
, "Failed to create snapshot %s from %s: %m", np
, arg_directory
);
3770 free(arg_directory
);
3774 remove_subvol
= true;
3777 r
= image_path_lock(arg_directory
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3779 log_error_errno(r
, "Directory tree %s is currently busy.", arg_directory
);
3783 log_error_errno(r
, "Failed to lock %s: %m", arg_directory
);
3788 r
= btrfs_subvol_snapshot(arg_template
, arg_directory
, arg_read_only
, true);
3791 log_info("Directory %s already exists, not populating from template %s.", arg_directory
, arg_template
);
3793 log_error_errno(r
, "Couldn't create snapshot %s from %s: %m", arg_directory
, arg_template
);
3797 log_info("Populated %s from template %s.", arg_directory
, arg_template
);
3803 if (path_is_os_tree(arg_directory
) <= 0) {
3804 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory
);
3811 p
= strjoina(arg_directory
,
3812 argc
> optind
&& path_is_absolute(argv
[optind
]) ? argv
[optind
] : "/usr/bin/");
3813 if (access(p
, F_OK
) < 0) {
3814 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory
);
3821 char template[] = "/tmp/nspawn-root-XXXXXX";
3824 assert(!arg_template
);
3826 r
= image_path_lock(arg_image
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3828 r
= log_error_errno(r
, "Disk image %s is currently busy.", arg_image
);
3832 r
= log_error_errno(r
, "Failed to create image lock: %m");
3836 if (!mkdtemp(template)) {
3837 log_error_errno(errno
, "Failed to create temporary directory: %m");
3842 arg_directory
= strdup(template);
3843 if (!arg_directory
) {
3848 image_fd
= setup_image(&device_path
, &loop_nr
);
3854 r
= dissect_image(image_fd
,
3855 &root_device
, &root_device_rw
,
3856 &home_device
, &home_device_rw
,
3857 &srv_device
, &srv_device_rw
,
3863 r
= determine_uid_shift();
3867 interactive
= isatty(STDIN_FILENO
) > 0 && isatty(STDOUT_FILENO
) > 0;
3869 master
= posix_openpt(O_RDWR
|O_NOCTTY
|O_CLOEXEC
|O_NDELAY
);
3871 r
= log_error_errno(errno
, "Failed to acquire pseudo tty: %m");
3875 r
= ptsname_malloc(master
, &console
);
3877 r
= log_error_errno(r
, "Failed to determine tty name: %m");
3881 if (unlockpt(master
) < 0) {
3882 r
= log_error_errno(errno
, "Failed to unlock tty: %m");
3887 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3888 arg_machine
, arg_image
?: arg_directory
);
3890 assert_se(sigemptyset(&mask
) == 0);
3891 sigset_add_many(&mask
, SIGCHLD
, SIGWINCH
, SIGTERM
, SIGINT
, -1);
3892 assert_se(sigprocmask(SIG_BLOCK
, &mask
, NULL
) == 0);
3894 assert_se(sigemptyset(&mask_chld
) == 0);
3895 assert_se(sigaddset(&mask_chld
, SIGCHLD
) == 0);
3898 _cleanup_close_pair_
int kmsg_socket_pair
[2] = { -1, -1 }, rtnl_socket_pair
[2] = { -1, -1 };
3899 ContainerStatus container_status
;
3900 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
3901 struct sigaction sa
= {
3902 .sa_handler
= nop_handler
,
3903 .sa_flags
= SA_NOCLDSTOP
,
3906 r
= barrier_create(&barrier
);
3908 log_error_errno(r
, "Cannot initialize IPC barrier: %m");
3912 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, kmsg_socket_pair
) < 0) {
3913 r
= log_error_errno(errno
, "Failed to create kmsg socket pair: %m");
3917 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, rtnl_socket_pair
) < 0) {
3918 r
= log_error_errno(errno
, "Failed to create rtnl socket pair: %m");
3922 /* Child can be killed before execv(), so handle SIGCHLD
3923 * in order to interrupt parent's blocking calls and
3924 * give it a chance to call wait() and terminate. */
3925 r
= sigprocmask(SIG_UNBLOCK
, &mask_chld
, NULL
);
3927 r
= log_error_errno(errno
, "Failed to change the signal mask: %m");
3931 r
= sigaction(SIGCHLD
, &sa
, NULL
);
3933 r
= log_error_errno(errno
, "Failed to install SIGCHLD handler: %m");
3937 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
|
3938 (arg_share_system
? 0 : CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
)|
3939 (arg_private_network
? CLONE_NEWNET
: 0), NULL
);
3941 if (errno
== EINVAL
)
3942 r
= log_error_errno(errno
, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3944 r
= log_error_errno(errno
, "clone() failed: %m");
3951 _cleanup_free_
char *home
= NULL
;
3953 const char *envp
[] = {
3954 "PATH=" DEFAULT_PATH_SPLIT_USR
,
3955 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
3960 NULL
, /* container_uuid */
3961 NULL
, /* LISTEN_FDS */
3962 NULL
, /* LISTEN_PID */
3967 barrier_set_role(&barrier
, BARRIER_CHILD
);
3969 envp
[n_env
] = strv_find_prefix(environ
, "TERM=");
3973 master
= safe_close(master
);
3975 kmsg_socket_pair
[0] = safe_close(kmsg_socket_pair
[0]);
3976 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
3978 reset_all_signal_handlers();
3979 reset_signal_mask();
3982 close_nointr(STDIN_FILENO
);
3983 close_nointr(STDOUT_FILENO
);
3984 close_nointr(STDERR_FILENO
);
3986 r
= open_terminal(console
, O_RDWR
);
3987 if (r
!= STDIN_FILENO
) {
3993 log_error_errno(r
, "Failed to open console: %m");
3994 _exit(EXIT_FAILURE
);
3997 if (dup2(STDIN_FILENO
, STDOUT_FILENO
) != STDOUT_FILENO
||
3998 dup2(STDIN_FILENO
, STDERR_FILENO
) != STDERR_FILENO
) {
3999 log_error_errno(errno
, "Failed to duplicate console: %m");
4000 _exit(EXIT_FAILURE
);
4005 log_error_errno(errno
, "setsid() failed: %m");
4006 _exit(EXIT_FAILURE
);
4009 if (reset_audit_loginuid() < 0)
4010 _exit(EXIT_FAILURE
);
4012 if (prctl(PR_SET_PDEATHSIG
, SIGKILL
) < 0) {
4013 log_error_errno(errno
, "PR_SET_PDEATHSIG failed: %m");
4014 _exit(EXIT_FAILURE
);
4017 if (arg_private_network
)
4020 /* Mark everything as slave, so that we still
4021 * receive mounts from the real root, but don't
4022 * propagate mounts to the real root. */
4023 if (mount(NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
) < 0) {
4024 log_error_errno(errno
, "MS_SLAVE|MS_REC failed: %m");
4025 _exit(EXIT_FAILURE
);
4028 if (mount_devices(arg_directory
,
4029 root_device
, root_device_rw
,
4030 home_device
, home_device_rw
,
4031 srv_device
, srv_device_rw
) < 0)
4032 _exit(EXIT_FAILURE
);
4034 /* Turn directory into bind mount */
4035 if (mount(arg_directory
, arg_directory
, NULL
, MS_BIND
|MS_REC
, NULL
) < 0) {
4036 log_error_errno(errno
, "Failed to make bind mount: %m");
4037 _exit(EXIT_FAILURE
);
4040 r
= setup_volatile(arg_directory
);
4042 _exit(EXIT_FAILURE
);
4044 if (setup_volatile_state(arg_directory
) < 0)
4045 _exit(EXIT_FAILURE
);
4047 r
= base_filesystem_create(arg_directory
);
4049 _exit(EXIT_FAILURE
);
4051 if (arg_read_only
) {
4052 r
= bind_remount_recursive(arg_directory
, true);
4054 log_error_errno(r
, "Failed to make tree read-only: %m");
4055 _exit(EXIT_FAILURE
);
4059 if (mount_all(arg_directory
) < 0)
4060 _exit(EXIT_FAILURE
);
4062 if (copy_devnodes(arg_directory
) < 0)
4063 _exit(EXIT_FAILURE
);
4065 if (setup_ptmx(arg_directory
) < 0)
4066 _exit(EXIT_FAILURE
);
4068 dev_setup(arg_directory
);
4070 if (setup_propagate(arg_directory
) < 0)
4071 _exit(EXIT_FAILURE
);
4073 if (setup_seccomp() < 0)
4074 _exit(EXIT_FAILURE
);
4076 if (setup_dev_console(arg_directory
, console
) < 0)
4077 _exit(EXIT_FAILURE
);
4079 if (setup_kmsg(arg_directory
, kmsg_socket_pair
[1]) < 0)
4080 _exit(EXIT_FAILURE
);
4081 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
4083 if (send_rtnl(rtnl_socket_pair
[1]) < 0)
4084 _exit(EXIT_FAILURE
);
4085 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
4087 /* Tell the parent that we are ready, and that
4088 * it can cgroupify us to that we lack access
4089 * to certain devices and resources. */
4090 (void) barrier_place(&barrier
); /* #1 */
4092 if (setup_boot_id(arg_directory
) < 0)
4093 _exit(EXIT_FAILURE
);
4095 if (setup_timezone(arg_directory
) < 0)
4096 _exit(EXIT_FAILURE
);
4098 if (setup_resolv_conf(arg_directory
) < 0)
4099 _exit(EXIT_FAILURE
);
4101 if (setup_journal(arg_directory
) < 0)
4102 _exit(EXIT_FAILURE
);
4104 if (mount_binds(arg_directory
, arg_bind
, false) < 0)
4105 _exit(EXIT_FAILURE
);
4107 if (mount_binds(arg_directory
, arg_bind_ro
, true) < 0)
4108 _exit(EXIT_FAILURE
);
4110 if (mount_tmpfs(arg_directory
) < 0)
4111 _exit(EXIT_FAILURE
);
4113 /* Wait until we are cgroup-ified, so that we
4114 * can mount the right cgroup path writable */
4115 (void) barrier_place_and_sync(&barrier
); /* #2 */
4117 if (mount_cgroup(arg_directory
) < 0)
4118 _exit(EXIT_FAILURE
);
4120 if (chdir(arg_directory
) < 0) {
4121 log_error_errno(errno
, "chdir(%s) failed: %m", arg_directory
);
4122 _exit(EXIT_FAILURE
);
4125 if (mount(arg_directory
, "/", NULL
, MS_MOVE
, NULL
) < 0) {
4126 log_error_errno(errno
, "mount(MS_MOVE) failed: %m");
4127 _exit(EXIT_FAILURE
);
4130 if (chroot(".") < 0) {
4131 log_error_errno(errno
, "chroot() failed: %m");
4132 _exit(EXIT_FAILURE
);
4135 if (chdir("/") < 0) {
4136 log_error_errno(errno
, "chdir() failed: %m");
4137 _exit(EXIT_FAILURE
);
4141 if (unshare(CLONE_NEWUSER
) < 0) {
4142 log_error_errno(errno
, "unshare(CLONE_NEWUSER) failed: %m");
4143 _exit(EXIT_FAILURE
);
4146 /* Tell the parent, that it now can
4147 * write the UID map. */
4148 (void) barrier_place(&barrier
); /* #3 */
4150 /* Wait until the parent wrote the UID
4152 (void) barrier_place_and_sync(&barrier
); /* #4 */
4157 if (drop_capabilities() < 0) {
4158 log_error_errno(errno
, "drop_capabilities() failed: %m");
4159 _exit(EXIT_FAILURE
);
4164 if (arg_personality
!= 0xffffffffLU
) {
4165 if (personality(arg_personality
) < 0) {
4166 log_error_errno(errno
, "personality() failed: %m");
4167 _exit(EXIT_FAILURE
);
4169 } else if (secondary
) {
4170 if (personality(PER_LINUX32
) < 0) {
4171 log_error_errno(errno
, "personality() failed: %m");
4172 _exit(EXIT_FAILURE
);
4177 if (arg_selinux_context
)
4178 if (setexeccon((security_context_t
) arg_selinux_context
) < 0) {
4179 log_error_errno(errno
, "setexeccon(\"%s\") failed: %m", arg_selinux_context
);
4180 _exit(EXIT_FAILURE
);
4184 r
= change_uid_gid(&home
);
4186 _exit(EXIT_FAILURE
);
4188 if ((asprintf((char**)(envp
+ n_env
++), "HOME=%s", home
? home
: "/root") < 0) ||
4189 (asprintf((char**)(envp
+ n_env
++), "USER=%s", arg_user
? arg_user
: "root") < 0) ||
4190 (asprintf((char**)(envp
+ n_env
++), "LOGNAME=%s", arg_user
? arg_user
: "root") < 0)) {
4192 _exit(EXIT_FAILURE
);
4195 if (!sd_id128_equal(arg_uuid
, SD_ID128_NULL
)) {
4198 if (asprintf((char**)(envp
+ n_env
++), "container_uuid=%s", id128_format_as_uuid(arg_uuid
, as_uuid
)) < 0) {
4200 _exit(EXIT_FAILURE
);
4204 if (fdset_size(fds
) > 0) {
4205 r
= fdset_cloexec(fds
, false);
4207 log_error_errno(r
, "Failed to unset O_CLOEXEC for file descriptors.");
4208 _exit(EXIT_FAILURE
);
4211 if ((asprintf((char **)(envp
+ n_env
++), "LISTEN_FDS=%u", n_fd_passed
) < 0) ||
4212 (asprintf((char **)(envp
+ n_env
++), "LISTEN_PID=1") < 0)) {
4214 _exit(EXIT_FAILURE
);
4218 if (!strv_isempty(arg_setenv
)) {
4221 n
= strv_env_merge(2, envp
, arg_setenv
);
4224 _exit(EXIT_FAILURE
);
4229 env_use
= (char**) envp
;
4231 /* Let the parent know that we are ready and
4232 * wait until the parent is ready with the
4234 (void) barrier_place_and_sync(&barrier
); /* #5 */
4240 /* Automatically search for the init system */
4242 l
= 1 + argc
- optind
;
4243 a
= newa(char*, l
+ 1);
4244 memcpy(a
+ 1, argv
+ optind
, l
* sizeof(char*));
4246 a
[0] = (char*) "/usr/lib/systemd/systemd";
4247 execve(a
[0], a
, env_use
);
4249 a
[0] = (char*) "/lib/systemd/systemd";
4250 execve(a
[0], a
, env_use
);
4252 a
[0] = (char*) "/sbin/init";
4253 execve(a
[0], a
, env_use
);
4254 } else if (argc
> optind
)
4255 execvpe(argv
[optind
], argv
+ optind
, env_use
);
4257 chdir(home
? home
: "/root");
4258 execle("/bin/bash", "-bash", NULL
, env_use
);
4259 execle("/bin/sh", "-sh", NULL
, env_use
);
4262 log_error_errno(errno
, "execv() failed: %m");
4263 _exit(EXIT_FAILURE
);
4266 barrier_set_role(&barrier
, BARRIER_PARENT
);
4270 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
4271 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
4273 (void) barrier_place(&barrier
); /* #1 */
4275 /* Wait for the most basic Child-setup to be done,
4276 * before we add hardware to it, and place it in a
4278 if (barrier_sync(&barrier
)) { /* #1 */
4281 r
= move_network_interfaces(pid
);
4285 r
= setup_veth(pid
, veth_name
, &ifi
);
4289 r
= setup_bridge(veth_name
, &ifi
);
4293 r
= setup_macvlan(pid
);
4297 r
= setup_ipvlan(pid
);
4301 r
= register_machine(pid
, ifi
);
4305 /* Notify the child that the parent is ready with all
4306 * its setup, and that the child can now hand over
4307 * control to the code to run inside the container. */
4308 (void) barrier_place(&barrier
); /* #2 */
4311 char uid_map
[strlen("/proc//uid_map") + DECIMAL_STR_MAX(uid_t
) + 1], line
[DECIMAL_STR_MAX(uid_t
)*3+3+1];
4313 (void) barrier_place_and_sync(&barrier
); /* #3 */
4315 xsprintf(uid_map
, "/proc/" PID_FMT
"/uid_map", pid
);
4316 xsprintf(line
, UID_FMT
" " UID_FMT
" " UID_FMT
"\n", 0, arg_uid_shift
, arg_uid_range
);
4317 r
= write_string_file(uid_map
, line
);
4319 log_error_errno(r
, "Failed to write UID map: %m");
4323 /* We always assign the same UID and GID ranges */
4324 xsprintf(uid_map
, "/proc/" PID_FMT
"/gid_map", pid
);
4325 r
= write_string_file(uid_map
, line
);
4327 log_error_errno(r
, "Failed to write GID map: %m");
4331 (void) barrier_place(&barrier
); /* #4 */
4334 /* Block SIGCHLD here, before notifying child.
4335 * process_pty() will handle it with the other signals. */
4336 r
= sigprocmask(SIG_BLOCK
, &mask_chld
, NULL
);
4340 /* Reset signal to default */
4341 r
= default_signals(SIGCHLD
, -1);
4345 /* Let the child know that we are ready and wait that the child is completely ready now. */
4346 if (barrier_place_and_sync(&barrier
)) { /* #5 */
4347 _cleanup_event_unref_ sd_event
*event
= NULL
;
4348 _cleanup_(pty_forward_freep
) PTYForward
*forward
= NULL
;
4349 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
4354 "STATUS=Container running.\n"
4355 "X_NSPAWN_LEADER_PID=" PID_FMT
, pid
);
4357 r
= sd_event_new(&event
);
4359 log_error_errno(r
, "Failed to get default event source: %m");
4363 if (arg_kill_signal
> 0) {
4364 /* Try to kill the init system on SIGINT or SIGTERM */
4365 sd_event_add_signal(event
, NULL
, SIGINT
, on_orderly_shutdown
, UINT32_TO_PTR(pid
));
4366 sd_event_add_signal(event
, NULL
, SIGTERM
, on_orderly_shutdown
, UINT32_TO_PTR(pid
));
4368 /* Immediately exit */
4369 sd_event_add_signal(event
, NULL
, SIGINT
, NULL
, NULL
);
4370 sd_event_add_signal(event
, NULL
, SIGTERM
, NULL
, NULL
);
4373 /* simply exit on sigchld */
4374 sd_event_add_signal(event
, NULL
, SIGCHLD
, NULL
, NULL
);
4376 if (arg_expose_ports
) {
4377 r
= watch_rtnl(event
, rtnl_socket_pair
[0], &exposed
, &rtnl
);
4381 (void) expose_ports(rtnl
, &exposed
);
4384 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4386 r
= pty_forward_new(event
, master
, true, !interactive
, &forward
);
4388 log_error_errno(r
, "Failed to create PTY forwarder: %m");
4392 r
= sd_event_loop(event
);
4394 log_error_errno(r
, "Failed to run event loop: %m");
4398 pty_forward_get_last_char(forward
, &last_char
);
4400 forward
= pty_forward_free(forward
);
4402 if (!arg_quiet
&& last_char
!= '\n')
4405 /* Kill if it is not dead yet anyway */
4406 terminate_machine(pid
);
4410 /* Normally redundant, but better safe than sorry */
4413 r
= wait_for_container(pid
, &container_status
);
4417 /* We failed to wait for the container, or the
4418 * container exited abnormally */
4420 else if (r
> 0 || container_status
== CONTAINER_TERMINATED
){
4421 /* The container exited with a non-zero
4422 * status, or with zero status and no reboot
4428 /* CONTAINER_REBOOTED, loop again */
4430 if (arg_keep_unit
) {
4431 /* Special handling if we are running as a
4432 * service: instead of simply restarting the
4433 * machine we want to restart the entire
4434 * service, so let's inform systemd about this
4435 * with the special exit code 133. The service
4436 * file uses RestartForceExitStatus=133 so
4437 * that this results in a full nspawn
4438 * restart. This is necessary since we might
4439 * have cgroup parameters set we want to have
4446 flush_ports(&exposed
);
4452 "STATUS=Terminating...");
4454 loop_remove(loop_nr
, &image_fd
);
4459 if (remove_subvol
&& arg_directory
) {
4462 k
= btrfs_subvol_remove(arg_directory
);
4464 log_warning_errno(k
, "Cannot remove subvolume '%s', ignoring: %m", arg_directory
);
4470 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
4471 (void) rm_rf(p
, REMOVE_ROOT
);
4474 free(arg_directory
);
4479 strv_free(arg_setenv
);
4480 strv_free(arg_network_interfaces
);
4481 strv_free(arg_network_macvlan
);
4482 strv_free(arg_network_ipvlan
);
4483 strv_free(arg_bind
);
4484 strv_free(arg_bind_ro
);
4485 strv_free(arg_tmpfs
);
4487 flush_ports(&exposed
);
4489 while (arg_expose_ports
) {
4490 ExposePort
*p
= arg_expose_ports
;
4491 LIST_REMOVE(ports
, arg_expose_ports
, p
);
4495 return r
< 0 ? EXIT_FAILURE
: ret
;