1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/mount.h>
31 #include <sys/prctl.h>
35 #include <sys/socket.h>
36 #include <linux/netlink.h>
38 #include <linux/veth.h>
39 #include <sys/personality.h>
40 #include <linux/loop.h>
44 #include <selinux/selinux.h>
52 #include <blkid/blkid.h>
55 #include "sd-daemon.h"
65 #include "cgroup-util.h"
67 #include "path-util.h"
68 #include "loopback-setup.h"
69 #include "dev-setup.h"
74 #include "bus-error.h"
77 #include "rtnl-util.h"
78 #include "udev-util.h"
79 #include "blkid-util.h"
81 #include "siphash24.h"
83 #include "base-filesystem.h"
85 #include "event-util.h"
86 #include "capability.h"
88 #include "btrfs-util.h"
89 #include "machine-image.h"
91 #include "in-addr-util.h"
93 #include "local-addresses.h"
94 #include "formats-util.h"
95 #include "process-util.h"
98 #include "seccomp-util.h"
101 typedef struct ExposePort
{
104 uint16_t container_port
;
105 LIST_FIELDS(struct ExposePort
, ports
);
108 typedef enum ContainerStatus
{
109 CONTAINER_TERMINATED
,
113 typedef enum LinkJournal
{
120 typedef enum Volatile
{
126 static char *arg_directory
= NULL
;
127 static char *arg_template
= NULL
;
128 static char *arg_user
= NULL
;
129 static sd_id128_t arg_uuid
= {};
130 static char *arg_machine
= NULL
;
131 static const char *arg_selinux_context
= NULL
;
132 static const char *arg_selinux_apifs_context
= NULL
;
133 static const char *arg_slice
= NULL
;
134 static bool arg_private_network
= false;
135 static bool arg_read_only
= false;
136 static bool arg_boot
= false;
137 static bool arg_ephemeral
= false;
138 static LinkJournal arg_link_journal
= LINK_AUTO
;
139 static bool arg_link_journal_try
= false;
140 static uint64_t arg_retain
=
141 (1ULL << CAP_CHOWN
) |
142 (1ULL << CAP_DAC_OVERRIDE
) |
143 (1ULL << CAP_DAC_READ_SEARCH
) |
144 (1ULL << CAP_FOWNER
) |
145 (1ULL << CAP_FSETID
) |
146 (1ULL << CAP_IPC_OWNER
) |
148 (1ULL << CAP_LEASE
) |
149 (1ULL << CAP_LINUX_IMMUTABLE
) |
150 (1ULL << CAP_NET_BIND_SERVICE
) |
151 (1ULL << CAP_NET_BROADCAST
) |
152 (1ULL << CAP_NET_RAW
) |
153 (1ULL << CAP_SETGID
) |
154 (1ULL << CAP_SETFCAP
) |
155 (1ULL << CAP_SETPCAP
) |
156 (1ULL << CAP_SETUID
) |
157 (1ULL << CAP_SYS_ADMIN
) |
158 (1ULL << CAP_SYS_CHROOT
) |
159 (1ULL << CAP_SYS_NICE
) |
160 (1ULL << CAP_SYS_PTRACE
) |
161 (1ULL << CAP_SYS_TTY_CONFIG
) |
162 (1ULL << CAP_SYS_RESOURCE
) |
163 (1ULL << CAP_SYS_BOOT
) |
164 (1ULL << CAP_AUDIT_WRITE
) |
165 (1ULL << CAP_AUDIT_CONTROL
) |
167 static char **arg_bind
= NULL
;
168 static char **arg_bind_ro
= NULL
;
169 static char **arg_tmpfs
= NULL
;
170 static char **arg_setenv
= NULL
;
171 static bool arg_quiet
= false;
172 static bool arg_share_system
= false;
173 static bool arg_register
= true;
174 static bool arg_keep_unit
= false;
175 static char **arg_network_interfaces
= NULL
;
176 static char **arg_network_macvlan
= NULL
;
177 static char **arg_network_ipvlan
= NULL
;
178 static bool arg_network_veth
= false;
179 static const char *arg_network_bridge
= NULL
;
180 static unsigned long arg_personality
= 0xffffffffLU
;
181 static char *arg_image
= NULL
;
182 static Volatile arg_volatile
= VOLATILE_NO
;
183 static ExposePort
*arg_expose_ports
= NULL
;
184 static char **arg_property
= NULL
;
185 static uid_t arg_uid_shift
= UID_INVALID
, arg_uid_range
= 0x10000U
;
186 static bool arg_userns
= false;
187 static int arg_kill_signal
= 0;
189 static void help(void) {
190 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
191 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
192 " -h --help Show this help\n"
193 " --version Print version string\n"
194 " -q --quiet Do not show status information\n"
195 " -D --directory=PATH Root directory for the container\n"
196 " --template=PATH Initialize root directory from template directory,\n"
198 " -x --ephemeral Run container with snapshot of root directory, and\n"
199 " remove it after exit\n"
200 " -i --image=PATH File system device or disk image for the container\n"
201 " -b --boot Boot up full system (i.e. invoke init)\n"
202 " -u --user=USER Run the command under specified user or uid\n"
203 " -M --machine=NAME Set the machine name for the container\n"
204 " --uuid=UUID Set a specific machine UUID for the container\n"
205 " -S --slice=SLICE Place the container in the specified slice\n"
206 " --property=NAME=VALUE Set scope unit property\n"
207 " --private-network Disable network in container\n"
208 " --network-interface=INTERFACE\n"
209 " Assign an existing network interface to the\n"
211 " --network-macvlan=INTERFACE\n"
212 " Create a macvlan network interface based on an\n"
213 " existing network interface to the container\n"
214 " --network-ipvlan=INTERFACE\n"
215 " Create a ipvlan network interface based on an\n"
216 " existing network interface to the container\n"
217 " -n --network-veth Add a virtual ethernet connection between host\n"
219 " --network-bridge=INTERFACE\n"
220 " Add a virtual ethernet connection between host\n"
221 " and container and add it to an existing bridge on\n"
223 " --private-users[=UIDBASE[:NUIDS]]\n"
224 " Run within user namespace\n"
225 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
226 " Expose a container IP port on the host\n"
227 " -Z --selinux-context=SECLABEL\n"
228 " Set the SELinux security context to be used by\n"
229 " processes in the container\n"
230 " -L --selinux-apifs-context=SECLABEL\n"
231 " Set the SELinux security context to be used by\n"
232 " API/tmpfs file systems in the container\n"
233 " --capability=CAP In addition to the default, retain specified\n"
235 " --drop-capability=CAP Drop the specified capability from the default set\n"
236 " --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
237 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host,\n"
238 " try-guest, try-host\n"
239 " -j Equivalent to --link-journal=try-guest\n"
240 " --read-only Mount the root directory read-only\n"
241 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
243 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
244 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
245 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
246 " --share-system Share system namespaces with host\n"
247 " --register=BOOLEAN Register container as machine\n"
248 " --keep-unit Do not register a scope for the machine, reuse\n"
249 " the service unit nspawn is running in\n"
250 " --volatile[=MODE] Run the system in volatile mode\n"
251 , program_invocation_short_name
);
254 static int set_sanitized_path(char **b
, const char *path
) {
260 p
= canonicalize_file_name(path
);
265 p
= path_make_absolute_cwd(path
);
271 *b
= path_kill_slashes(p
);
275 static int parse_argv(int argc
, char *argv
[]) {
292 ARG_NETWORK_INTERFACE
,
304 static const struct option options
[] = {
305 { "help", no_argument
, NULL
, 'h' },
306 { "version", no_argument
, NULL
, ARG_VERSION
},
307 { "directory", required_argument
, NULL
, 'D' },
308 { "template", required_argument
, NULL
, ARG_TEMPLATE
},
309 { "ephemeral", no_argument
, NULL
, 'x' },
310 { "user", required_argument
, NULL
, 'u' },
311 { "private-network", no_argument
, NULL
, ARG_PRIVATE_NETWORK
},
312 { "boot", no_argument
, NULL
, 'b' },
313 { "uuid", required_argument
, NULL
, ARG_UUID
},
314 { "read-only", no_argument
, NULL
, ARG_READ_ONLY
},
315 { "capability", required_argument
, NULL
, ARG_CAPABILITY
},
316 { "drop-capability", required_argument
, NULL
, ARG_DROP_CAPABILITY
},
317 { "link-journal", required_argument
, NULL
, ARG_LINK_JOURNAL
},
318 { "bind", required_argument
, NULL
, ARG_BIND
},
319 { "bind-ro", required_argument
, NULL
, ARG_BIND_RO
},
320 { "tmpfs", required_argument
, NULL
, ARG_TMPFS
},
321 { "machine", required_argument
, NULL
, 'M' },
322 { "slice", required_argument
, NULL
, 'S' },
323 { "setenv", required_argument
, NULL
, ARG_SETENV
},
324 { "selinux-context", required_argument
, NULL
, 'Z' },
325 { "selinux-apifs-context", required_argument
, NULL
, 'L' },
326 { "quiet", no_argument
, NULL
, 'q' },
327 { "share-system", no_argument
, NULL
, ARG_SHARE_SYSTEM
},
328 { "register", required_argument
, NULL
, ARG_REGISTER
},
329 { "keep-unit", no_argument
, NULL
, ARG_KEEP_UNIT
},
330 { "network-interface", required_argument
, NULL
, ARG_NETWORK_INTERFACE
},
331 { "network-macvlan", required_argument
, NULL
, ARG_NETWORK_MACVLAN
},
332 { "network-ipvlan", required_argument
, NULL
, ARG_NETWORK_IPVLAN
},
333 { "network-veth", no_argument
, NULL
, 'n' },
334 { "network-bridge", required_argument
, NULL
, ARG_NETWORK_BRIDGE
},
335 { "personality", required_argument
, NULL
, ARG_PERSONALITY
},
336 { "image", required_argument
, NULL
, 'i' },
337 { "volatile", optional_argument
, NULL
, ARG_VOLATILE
},
338 { "port", required_argument
, NULL
, 'p' },
339 { "property", required_argument
, NULL
, ARG_PROPERTY
},
340 { "private-users", optional_argument
, NULL
, ARG_PRIVATE_USERS
},
341 { "kill-signal", required_argument
, NULL
, ARG_KILL_SIGNAL
},
346 uint64_t plus
= 0, minus
= 0;
351 while ((c
= getopt_long(argc
, argv
, "+hD:u:bL:M:jS:Z:qi:xp:n", options
, NULL
)) >= 0)
360 puts(PACKAGE_STRING
);
361 puts(SYSTEMD_FEATURES
);
365 r
= set_sanitized_path(&arg_directory
, optarg
);
367 return log_error_errno(r
, "Invalid root directory: %m");
372 r
= set_sanitized_path(&arg_template
, optarg
);
374 return log_error_errno(r
, "Invalid template directory: %m");
379 r
= set_sanitized_path(&arg_image
, optarg
);
381 return log_error_errno(r
, "Invalid image path: %m");
386 arg_ephemeral
= true;
391 arg_user
= strdup(optarg
);
397 case ARG_NETWORK_BRIDGE
:
398 arg_network_bridge
= optarg
;
403 arg_network_veth
= true;
404 arg_private_network
= true;
407 case ARG_NETWORK_INTERFACE
:
408 if (strv_extend(&arg_network_interfaces
, optarg
) < 0)
411 arg_private_network
= true;
414 case ARG_NETWORK_MACVLAN
:
415 if (strv_extend(&arg_network_macvlan
, optarg
) < 0)
418 arg_private_network
= true;
421 case ARG_NETWORK_IPVLAN
:
422 if (strv_extend(&arg_network_ipvlan
, optarg
) < 0)
427 case ARG_PRIVATE_NETWORK
:
428 arg_private_network
= true;
436 r
= sd_id128_from_string(optarg
, &arg_uuid
);
438 log_error("Invalid UUID: %s", optarg
);
448 if (isempty(optarg
)) {
452 if (!machine_name_is_valid(optarg
)) {
453 log_error("Invalid machine name: %s", optarg
);
457 r
= free_and_strdup(&arg_machine
, optarg
);
465 arg_selinux_context
= optarg
;
469 arg_selinux_apifs_context
= optarg
;
473 arg_read_only
= true;
477 case ARG_DROP_CAPABILITY
: {
478 const char *state
, *word
;
481 FOREACH_WORD_SEPARATOR(word
, length
, optarg
, ",", state
) {
482 _cleanup_free_
char *t
;
484 t
= strndup(word
, length
);
488 if (streq(t
, "all")) {
489 if (c
== ARG_CAPABILITY
)
490 plus
= (uint64_t) -1;
492 minus
= (uint64_t) -1;
496 cap
= capability_from_name(t
);
498 log_error("Failed to parse capability %s.", t
);
502 if (c
== ARG_CAPABILITY
)
503 plus
|= 1ULL << (uint64_t) cap
;
505 minus
|= 1ULL << (uint64_t) cap
;
513 arg_link_journal
= LINK_GUEST
;
514 arg_link_journal_try
= true;
517 case ARG_LINK_JOURNAL
:
518 if (streq(optarg
, "auto")) {
519 arg_link_journal
= LINK_AUTO
;
520 arg_link_journal_try
= false;
521 } else if (streq(optarg
, "no")) {
522 arg_link_journal
= LINK_NO
;
523 arg_link_journal_try
= false;
524 } else if (streq(optarg
, "guest")) {
525 arg_link_journal
= LINK_GUEST
;
526 arg_link_journal_try
= false;
527 } else if (streq(optarg
, "host")) {
528 arg_link_journal
= LINK_HOST
;
529 arg_link_journal_try
= false;
530 } else if (streq(optarg
, "try-guest")) {
531 arg_link_journal
= LINK_GUEST
;
532 arg_link_journal_try
= true;
533 } else if (streq(optarg
, "try-host")) {
534 arg_link_journal
= LINK_HOST
;
535 arg_link_journal_try
= true;
537 log_error("Failed to parse link journal mode %s", optarg
);
545 _cleanup_free_
char *a
= NULL
, *b
= NULL
;
549 x
= c
== ARG_BIND
? &arg_bind
: &arg_bind_ro
;
551 e
= strchr(optarg
, ':');
553 a
= strndup(optarg
, e
- optarg
);
563 if (!path_is_absolute(a
) || !path_is_absolute(b
)) {
564 log_error("Invalid bind mount specification: %s", optarg
);
568 r
= strv_extend(x
, a
);
572 r
= strv_extend(x
, b
);
580 _cleanup_free_
char *a
= NULL
, *b
= NULL
;
583 e
= strchr(optarg
, ':');
585 a
= strndup(optarg
, e
- optarg
);
589 b
= strdup("mode=0755");
595 if (!path_is_absolute(a
)) {
596 log_error("Invalid tmpfs specification: %s", optarg
);
600 r
= strv_push(&arg_tmpfs
, a
);
606 r
= strv_push(&arg_tmpfs
, b
);
618 if (!env_assignment_is_valid(optarg
)) {
619 log_error("Environment variable assignment '%s' is not valid.", optarg
);
623 n
= strv_env_set(arg_setenv
, optarg
);
627 strv_free(arg_setenv
);
636 case ARG_SHARE_SYSTEM
:
637 arg_share_system
= true;
641 r
= parse_boolean(optarg
);
643 log_error("Failed to parse --register= argument: %s", optarg
);
651 arg_keep_unit
= true;
654 case ARG_PERSONALITY
:
656 arg_personality
= personality_from_string(optarg
);
657 if (arg_personality
== 0xffffffffLU
) {
658 log_error("Unknown or unsupported personality '%s'.", optarg
);
667 arg_volatile
= VOLATILE_YES
;
669 r
= parse_boolean(optarg
);
671 if (streq(optarg
, "state"))
672 arg_volatile
= VOLATILE_STATE
;
674 log_error("Failed to parse --volatile= argument: %s", optarg
);
678 arg_volatile
= r
? VOLATILE_YES
: VOLATILE_NO
;
684 const char *split
, *e
;
685 uint16_t container_port
, host_port
;
689 if ((e
= startswith(optarg
, "tcp:")))
690 protocol
= IPPROTO_TCP
;
691 else if ((e
= startswith(optarg
, "udp:")))
692 protocol
= IPPROTO_UDP
;
695 protocol
= IPPROTO_TCP
;
698 split
= strchr(e
, ':');
700 char v
[split
- e
+ 1];
702 memcpy(v
, e
, split
- e
);
705 r
= safe_atou16(v
, &host_port
);
706 if (r
< 0 || host_port
<= 0) {
707 log_error("Failed to parse host port: %s", optarg
);
711 r
= safe_atou16(split
+ 1, &container_port
);
713 r
= safe_atou16(e
, &container_port
);
714 host_port
= container_port
;
717 if (r
< 0 || container_port
<= 0) {
718 log_error("Failed to parse host port: %s", optarg
);
722 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
723 if (p
->protocol
== protocol
&& p
->host_port
== host_port
) {
724 log_error("Duplicate port specification: %s", optarg
);
729 p
= new(ExposePort
, 1);
733 p
->protocol
= protocol
;
734 p
->host_port
= host_port
;
735 p
->container_port
= container_port
;
737 LIST_PREPEND(ports
, arg_expose_ports
, p
);
743 if (strv_extend(&arg_property
, optarg
) < 0)
748 case ARG_PRIVATE_USERS
:
750 _cleanup_free_
char *buffer
= NULL
;
751 const char *range
, *shift
;
753 range
= strchr(optarg
, ':');
755 buffer
= strndup(optarg
, range
- optarg
);
761 if (safe_atou32(range
, &arg_uid_range
) < 0 || arg_uid_range
<= 0) {
762 log_error("Failed to parse UID range: %s", range
);
768 if (parse_uid(shift
, &arg_uid_shift
) < 0) {
769 log_error("Failed to parse UID: %s", optarg
);
777 case ARG_KILL_SIGNAL
:
778 arg_kill_signal
= signal_from_string_try_harder(optarg
);
779 if (arg_kill_signal
< 0) {
780 log_error("Cannot parse signal: %s", optarg
);
790 assert_not_reached("Unhandled option");
793 if (arg_share_system
)
794 arg_register
= false;
796 if (arg_boot
&& arg_share_system
) {
797 log_error("--boot and --share-system may not be combined.");
801 if (arg_keep_unit
&& cg_pid_get_owner_uid(0, NULL
) >= 0) {
802 log_error("--keep-unit may not be used when invoked from a user session.");
806 if (arg_directory
&& arg_image
) {
807 log_error("--directory= and --image= may not be combined.");
811 if (arg_template
&& arg_image
) {
812 log_error("--template= and --image= may not be combined.");
816 if (arg_template
&& !(arg_directory
|| arg_machine
)) {
817 log_error("--template= needs --directory= or --machine=.");
821 if (arg_ephemeral
&& arg_template
) {
822 log_error("--ephemeral and --template= may not be combined.");
826 if (arg_ephemeral
&& arg_image
) {
827 log_error("--ephemeral and --image= may not be combined.");
831 if (arg_ephemeral
&& !IN_SET(arg_link_journal
, LINK_NO
, LINK_AUTO
)) {
832 log_error("--ephemeral and --link-journal= may not be combined.");
836 if (arg_volatile
!= VOLATILE_NO
&& arg_read_only
) {
837 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
841 if (arg_expose_ports
&& !arg_private_network
) {
842 log_error("Cannot use --port= without private networking.");
846 arg_retain
= (arg_retain
| plus
| (arg_private_network
? 1ULL << CAP_NET_ADMIN
: 0)) & ~minus
;
848 if (arg_boot
&& arg_kill_signal
<= 0)
849 arg_kill_signal
= SIGRTMIN
+3;
854 static int mount_all(const char *dest
) {
856 typedef struct MountPoint
{
865 static const MountPoint mount_table
[] = {
866 { "proc", "/proc", "proc", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, true },
867 { "/proc/sys", "/proc/sys", NULL
, NULL
, MS_BIND
, true }, /* Bind mount first */
868 { NULL
, "/proc/sys", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_REMOUNT
, true }, /* Then, make it r/o */
869 { "sysfs", "/sys", "sysfs", NULL
, MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, true },
870 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID
|MS_STRICTATIME
, true },
871 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID
), MS_NOSUID
|MS_NOEXEC
, true },
872 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
, true },
873 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
, true },
874 { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME
, true },
876 { "/sys/fs/selinux", "/sys/fs/selinux", NULL
, NULL
, MS_BIND
, false }, /* Bind mount first */
877 { NULL
, "/sys/fs/selinux", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_REMOUNT
, false }, /* Then, make it r/o */
884 for (k
= 0; k
< ELEMENTSOF(mount_table
); k
++) {
885 _cleanup_free_
char *where
= NULL
, *options
= NULL
;
889 where
= strjoin(dest
, "/", mount_table
[k
].where
, NULL
);
893 t
= path_is_mount_point(where
, true);
894 if (t
< 0 && t
!= -ENOENT
) {
895 log_error_errno(t
, "Failed to detect whether %s is a mount point: %m", where
);
903 /* Skip this entry if it is not a remount. */
904 if (mount_table
[k
].what
&& t
> 0)
907 t
= mkdir_p(where
, 0755);
909 if (mount_table
[k
].fatal
) {
910 log_error_errno(t
, "Failed to create directory %s: %m", where
);
915 log_warning_errno(t
, "Failed to create directory %s: %m", where
);
921 if (arg_selinux_apifs_context
&&
922 (streq_ptr(mount_table
[k
].what
, "tmpfs") || streq_ptr(mount_table
[k
].what
, "devpts"))) {
923 options
= strjoin(mount_table
[k
].options
, ",context=\"", arg_selinux_apifs_context
, "\"", NULL
);
930 o
= mount_table
[k
].options
;
932 if (arg_userns
&& arg_uid_shift
!= UID_INVALID
&& streq_ptr(mount_table
[k
].type
, "tmpfs")) {
933 char *uid_options
= NULL
;
936 asprintf(&uid_options
, "%s,uid=" UID_FMT
",gid=" UID_FMT
, o
, arg_uid_shift
, arg_uid_shift
);
938 asprintf(&uid_options
, "uid=" UID_FMT
",gid=" UID_FMT
, arg_uid_shift
, arg_uid_shift
);
943 o
= options
= uid_options
;
946 if (mount(mount_table
[k
].what
,
949 mount_table
[k
].flags
,
952 if (mount_table
[k
].fatal
) {
953 log_error_errno(errno
, "mount(%s) failed: %m", where
);
958 log_warning_errno(errno
, "mount(%s) failed: %m", where
);
965 static int mount_binds(const char *dest
, char **l
, bool ro
) {
968 STRV_FOREACH_PAIR(x
, y
, l
) {
969 _cleanup_free_
char *where
= NULL
;
970 struct stat source_st
, dest_st
;
973 if (stat(*x
, &source_st
) < 0)
974 return log_error_errno(errno
, "Failed to stat %s: %m", *x
);
976 where
= strappend(dest
, *y
);
980 r
= stat(where
, &dest_st
);
982 if (S_ISDIR(source_st
.st_mode
) && !S_ISDIR(dest_st
.st_mode
)) {
983 log_error("Cannot bind mount directory %s on file %s.", *x
, where
);
986 if (!S_ISDIR(source_st
.st_mode
) && S_ISDIR(dest_st
.st_mode
)) {
987 log_error("Cannot bind mount file %s on directory %s.", *x
, where
);
990 } else if (errno
== ENOENT
) {
991 r
= mkdir_parents_label(where
, 0755);
993 return log_error_errno(r
, "Failed to bind mount %s: %m", *x
);
995 log_error_errno(errno
, "Failed to bind mount %s: %m", *x
);
999 /* Create the mount point. Any non-directory file can be
1000 * mounted on any non-directory file (regular, fifo, socket,
1003 if (S_ISDIR(source_st
.st_mode
)) {
1004 r
= mkdir_label(where
, 0755);
1005 if (r
< 0 && errno
!= EEXIST
)
1006 return log_error_errno(r
, "Failed to create mount point %s: %m", where
);
1010 return log_error_errno(r
, "Failed to create mount point %s: %m", where
);
1013 if (mount(*x
, where
, NULL
, MS_BIND
, NULL
) < 0)
1014 return log_error_errno(errno
, "mount(%s) failed: %m", where
);
1017 r
= bind_remount_recursive(where
, true);
1019 return log_error_errno(r
, "Read-Only bind mount failed: %m");
1026 static int mount_cgroup_hierarchy(const char *dest
, const char *controller
, const char *hierarchy
, bool read_only
) {
1030 to
= strjoina(dest
, "/sys/fs/cgroup/", hierarchy
);
1032 r
= path_is_mount_point(to
, false);
1033 if (r
< 0 && r
!= -ENOENT
)
1034 return log_error_errno(r
, "Failed to determine if %s is mounted already: %m", to
);
1040 /* The superblock mount options of the mount point need to be
1041 * identical to the hosts', and hence writable... */
1042 if (mount("cgroup", to
, "cgroup", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, controller
) < 0)
1043 return log_error_errno(errno
, "Failed to mount to %s: %m", to
);
1045 /* ... hence let's only make the bind mount read-only, not the
1048 if (mount(NULL
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_RDONLY
, NULL
) < 0)
1049 return log_error_errno(errno
, "Failed to remount %s read-only: %m", to
);
1054 static int mount_cgroup(const char *dest
) {
1055 _cleanup_set_free_free_ Set
*controllers
= NULL
;
1056 _cleanup_free_
char *own_cgroup_path
= NULL
;
1057 const char *cgroup_root
, *systemd_root
, *systemd_own
;
1060 controllers
= set_new(&string_hash_ops
);
1064 r
= cg_kernel_controllers(controllers
);
1066 return log_error_errno(r
, "Failed to determine cgroup controllers: %m");
1068 r
= cg_pid_get_path(NULL
, 0, &own_cgroup_path
);
1070 return log_error_errno(r
, "Failed to determine our own cgroup path: %m");
1072 cgroup_root
= strjoina(dest
, "/sys/fs/cgroup");
1073 if (mount("tmpfs", cgroup_root
, "tmpfs", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
, "mode=755") < 0)
1074 return log_error_errno(errno
, "Failed to mount tmpfs to /sys/fs/cgroup: %m");
1077 _cleanup_free_
char *controller
= NULL
, *origin
= NULL
, *combined
= NULL
;
1079 controller
= set_steal_first(controllers
);
1083 origin
= strappend("/sys/fs/cgroup/", controller
);
1087 r
= readlink_malloc(origin
, &combined
);
1089 /* Not a symbolic link, but directly a single cgroup hierarchy */
1091 r
= mount_cgroup_hierarchy(dest
, controller
, controller
, true);
1096 return log_error_errno(r
, "Failed to read link %s: %m", origin
);
1098 _cleanup_free_
char *target
= NULL
;
1100 target
= strjoin(dest
, "/sys/fs/cgroup/", controller
, NULL
);
1104 /* A symbolic link, a combination of controllers in one hierarchy */
1106 if (!filename_is_valid(combined
)) {
1107 log_warning("Ignoring invalid combined hierarchy %s.", combined
);
1111 r
= mount_cgroup_hierarchy(dest
, combined
, combined
, true);
1115 if (symlink(combined
, target
) < 0)
1116 return log_error_errno(errno
, "Failed to create symlink for combined hierarchy: %m");
1120 r
= mount_cgroup_hierarchy(dest
, "name=systemd,xattr", "systemd", false);
1124 /* Make our own cgroup a (writable) bind mount */
1125 systemd_own
= strjoina(dest
, "/sys/fs/cgroup/systemd", own_cgroup_path
);
1126 if (mount(systemd_own
, systemd_own
, NULL
, MS_BIND
, NULL
) < 0)
1127 return log_error_errno(errno
, "Failed to turn %s into a bind mount: %m", own_cgroup_path
);
1129 /* And then remount the systemd cgroup root read-only */
1130 systemd_root
= strjoina(dest
, "/sys/fs/cgroup/systemd");
1131 if (mount(NULL
, systemd_root
, NULL
, MS_BIND
|MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_RDONLY
, NULL
) < 0)
1132 return log_error_errno(errno
, "Failed to mount cgroup root read-only: %m");
1134 if (mount(NULL
, cgroup_root
, NULL
, MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
|MS_RDONLY
, "mode=755") < 0)
1135 return log_error_errno(errno
, "Failed to remount %s read-only: %m", cgroup_root
);
1140 static int mount_tmpfs(const char *dest
) {
1143 STRV_FOREACH_PAIR(i
, o
, arg_tmpfs
) {
1144 _cleanup_free_
char *where
= NULL
;
1147 where
= strappend(dest
, *i
);
1151 r
= mkdir_label(where
, 0755);
1152 if (r
< 0 && r
!= -EEXIST
)
1153 return log_error_errno(r
, "Creating mount point for tmpfs %s failed: %m", where
);
1155 if (mount("tmpfs", where
, "tmpfs", MS_NODEV
|MS_STRICTATIME
, *o
) < 0)
1156 return log_error_errno(errno
, "tmpfs mount to %s failed: %m", where
);
1162 static int setup_timezone(const char *dest
) {
1163 _cleanup_free_
char *where
= NULL
, *p
= NULL
, *q
= NULL
, *check
= NULL
, *what
= NULL
;
1169 /* Fix the timezone, if possible */
1170 r
= readlink_malloc("/etc/localtime", &p
);
1172 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
1176 z
= path_startswith(p
, "../usr/share/zoneinfo/");
1178 z
= path_startswith(p
, "/usr/share/zoneinfo/");
1180 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1184 where
= strappend(dest
, "/etc/localtime");
1188 r
= readlink_malloc(where
, &q
);
1190 y
= path_startswith(q
, "../usr/share/zoneinfo/");
1192 y
= path_startswith(q
, "/usr/share/zoneinfo/");
1194 /* Already pointing to the right place? Then do nothing .. */
1195 if (y
&& streq(y
, z
))
1199 check
= strjoin(dest
, "/usr/share/zoneinfo/", z
, NULL
);
1203 if (access(check
, F_OK
) < 0) {
1204 log_warning("Timezone %s does not exist in container, not updating container timezone.", z
);
1208 what
= strappend("../usr/share/zoneinfo/", z
);
1212 r
= mkdir_parents(where
, 0755);
1214 log_error_errno(r
, "Failed to create directory for timezone info %s in container: %m", where
);
1220 if (r
< 0 && errno
!= ENOENT
) {
1221 log_error_errno(errno
, "Failed to remove existing timezone info %s in container: %m", where
);
1226 if (symlink(what
, where
) < 0) {
1227 log_error_errno(errno
, "Failed to correct timezone of container: %m");
1234 static int setup_resolv_conf(const char *dest
) {
1235 _cleanup_free_
char *where
= NULL
;
1240 if (arg_private_network
)
1243 /* Fix resolv.conf, if possible */
1244 where
= strappend(dest
, "/etc/resolv.conf");
1248 /* We don't really care for the results of this really. If it
1249 * fails, it fails, but meh... */
1250 r
= mkdir_parents(where
, 0755);
1252 log_warning_errno(r
, "Failed to create parent directory for resolv.conf %s: %m", where
);
1257 r
= copy_file("/etc/resolv.conf", where
, O_TRUNC
|O_NOFOLLOW
, 0644, 0);
1259 log_warning_errno(r
, "Failed to copy /etc/resolv.conf to %s: %m", where
);
1267 static int setup_volatile_state(const char *directory
) {
1273 if (arg_volatile
!= VOLATILE_STATE
)
1276 /* --volatile=state means we simply overmount /var
1277 with a tmpfs, and the rest read-only. */
1279 r
= bind_remount_recursive(directory
, true);
1281 return log_error_errno(r
, "Failed to remount %s read-only: %m", directory
);
1283 p
= strjoina(directory
, "/var");
1285 if (r
< 0 && errno
!= EEXIST
)
1286 return log_error_errno(errno
, "Failed to create %s: %m", directory
);
1288 if (mount("tmpfs", p
, "tmpfs", MS_STRICTATIME
, "mode=755") < 0)
1289 return log_error_errno(errno
, "Failed to mount tmpfs to /var: %m");
1294 static int setup_volatile(const char *directory
) {
1295 bool tmpfs_mounted
= false, bind_mounted
= false;
1296 char template[] = "/tmp/nspawn-volatile-XXXXXX";
1302 if (arg_volatile
!= VOLATILE_YES
)
1305 /* --volatile=yes means we mount a tmpfs to the root dir, and
1306 the original /usr to use inside it, and that read-only. */
1308 if (!mkdtemp(template))
1309 return log_error_errno(errno
, "Failed to create temporary directory: %m");
1311 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME
, "mode=755") < 0) {
1312 log_error_errno(errno
, "Failed to mount tmpfs for root directory: %m");
1317 tmpfs_mounted
= true;
1319 f
= strjoina(directory
, "/usr");
1320 t
= strjoina(template, "/usr");
1323 if (r
< 0 && errno
!= EEXIST
) {
1324 log_error_errno(errno
, "Failed to create %s: %m", t
);
1329 if (mount(f
, t
, NULL
, MS_BIND
|MS_REC
, NULL
) < 0) {
1330 log_error_errno(errno
, "Failed to create /usr bind mount: %m");
1335 bind_mounted
= true;
1337 r
= bind_remount_recursive(t
, true);
1339 log_error_errno(r
, "Failed to remount %s read-only: %m", t
);
1343 if (mount(template, directory
, NULL
, MS_MOVE
, NULL
) < 0) {
1344 log_error_errno(errno
, "Failed to move root mount: %m");
1362 static char* id128_format_as_uuid(sd_id128_t id
, char s
[37]) {
1365 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1366 SD_ID128_FORMAT_VAL(id
));
1371 static int setup_boot_id(const char *dest
) {
1372 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1373 sd_id128_t rnd
= {};
1379 if (arg_share_system
)
1382 /* Generate a new randomized boot ID, so that each boot-up of
1383 * the container gets a new one */
1385 from
= strappend(dest
, "/dev/proc-sys-kernel-random-boot-id");
1386 to
= strappend(dest
, "/proc/sys/kernel/random/boot_id");
1390 r
= sd_id128_randomize(&rnd
);
1392 return log_error_errno(r
, "Failed to generate random boot id: %m");
1394 id128_format_as_uuid(rnd
, as_uuid
);
1396 r
= write_string_file(from
, as_uuid
);
1398 return log_error_errno(r
, "Failed to write boot id: %m");
1400 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0) {
1401 log_error_errno(errno
, "Failed to bind mount boot id: %m");
1403 } else if (mount(from
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
))
1404 log_warning_errno(errno
, "Failed to make boot id read-only: %m");
1410 static int copy_devnodes(const char *dest
) {
1412 static const char devnodes
[] =
1423 _cleanup_umask_ mode_t u
;
1429 NULSTR_FOREACH(d
, devnodes
) {
1430 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1433 from
= strappend("/dev/", d
);
1434 to
= strjoin(dest
, "/dev/", d
, NULL
);
1438 if (stat(from
, &st
) < 0) {
1440 if (errno
!= ENOENT
)
1441 return log_error_errno(errno
, "Failed to stat %s: %m", from
);
1443 } else if (!S_ISCHR(st
.st_mode
) && !S_ISBLK(st
.st_mode
)) {
1445 log_error("%s is not a char or block device, cannot copy", from
);
1449 r
= mkdir_parents(to
, 0775);
1451 log_error_errno(r
, "Failed to create parent directory of %s: %m", to
);
1455 if (mknod(to
, st
.st_mode
, st
.st_rdev
) < 0) {
1457 return log_error_errno(errno
, "mknod(%s) failed: %m", to
);
1459 /* Some systems abusively restrict mknod but
1460 * allow bind mounts. */
1463 return log_error_errno(r
, "touch (%s) failed: %m", to
);
1464 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1465 return log_error_errno(errno
, "Both mknod and bind mount (%s) failed: %m", to
);
1468 if (arg_userns
&& arg_uid_shift
!= UID_INVALID
)
1469 if (lchown(to
, arg_uid_shift
, arg_uid_shift
) < 0)
1470 return log_error_errno(errno
, "chown() of device node %s failed: %m", to
);
1477 static int setup_ptmx(const char *dest
) {
1478 _cleanup_free_
char *p
= NULL
;
1480 p
= strappend(dest
, "/dev/ptmx");
1484 if (symlink("pts/ptmx", p
) < 0)
1485 return log_error_errno(errno
, "Failed to create /dev/ptmx symlink: %m");
1487 if (arg_userns
&& arg_uid_shift
!= UID_INVALID
)
1488 if (lchown(p
, arg_uid_shift
, arg_uid_shift
) < 0)
1489 return log_error_errno(errno
, "lchown() of symlink %s failed: %m", p
);
1494 static int setup_dev_console(const char *dest
, const char *console
) {
1495 _cleanup_umask_ mode_t u
;
1504 r
= chmod_and_chown(console
, 0600, 0, 0);
1506 return log_error_errno(r
, "Failed to correct access mode for TTY: %m");
1508 /* We need to bind mount the right tty to /dev/console since
1509 * ptys can only exist on pts file systems. To have something
1510 * to bind mount things on we create a empty regular file. */
1512 to
= strjoina(dest
, "/dev/console");
1515 return log_error_errno(r
, "touch() for /dev/console failed: %m");
1517 if (mount(console
, to
, NULL
, MS_BIND
, NULL
) < 0)
1518 return log_error_errno(errno
, "Bind mount for /dev/console failed: %m");
1523 static int setup_kmsg(const char *dest
, int kmsg_socket
) {
1524 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1525 _cleanup_umask_ mode_t u
;
1528 struct cmsghdr cmsghdr
;
1529 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1531 struct msghdr mh
= {
1532 .msg_control
= &control
,
1533 .msg_controllen
= sizeof(control
),
1535 struct cmsghdr
*cmsg
;
1538 assert(kmsg_socket
>= 0);
1542 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1543 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1544 * on the reading side behave very similar to /proc/kmsg,
1545 * their writing side behaves differently from /dev/kmsg in
1546 * that writing blocks when nothing is reading. In order to
1547 * avoid any problems with containers deadlocking due to this
1548 * we simply make /dev/kmsg unavailable to the container. */
1549 if (asprintf(&from
, "%s/dev/kmsg", dest
) < 0 ||
1550 asprintf(&to
, "%s/proc/kmsg", dest
) < 0)
1553 if (mkfifo(from
, 0600) < 0)
1554 return log_error_errno(errno
, "mkfifo() for /dev/kmsg failed: %m");
1556 r
= chmod_and_chown(from
, 0600, 0, 0);
1558 return log_error_errno(r
, "Failed to correct access mode for /dev/kmsg: %m");
1560 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1561 return log_error_errno(errno
, "Bind mount for /proc/kmsg failed: %m");
1563 fd
= open(from
, O_RDWR
|O_NDELAY
|O_CLOEXEC
);
1565 return log_error_errno(errno
, "Failed to open fifo: %m");
1567 cmsg
= CMSG_FIRSTHDR(&mh
);
1568 cmsg
->cmsg_level
= SOL_SOCKET
;
1569 cmsg
->cmsg_type
= SCM_RIGHTS
;
1570 cmsg
->cmsg_len
= CMSG_LEN(sizeof(int));
1571 memcpy(CMSG_DATA(cmsg
), &fd
, sizeof(int));
1573 mh
.msg_controllen
= cmsg
->cmsg_len
;
1575 /* Store away the fd in the socket, so that it stays open as
1576 * long as we run the child */
1577 k
= sendmsg(kmsg_socket
, &mh
, MSG_NOSIGNAL
);
1581 return log_error_errno(errno
, "Failed to send FIFO fd: %m");
1583 /* And now make the FIFO unavailable as /dev/kmsg... */
1588 static int send_rtnl(int send_fd
) {
1590 struct cmsghdr cmsghdr
;
1591 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1593 struct msghdr mh
= {
1594 .msg_control
= &control
,
1595 .msg_controllen
= sizeof(control
),
1597 struct cmsghdr
*cmsg
;
1598 _cleanup_close_
int fd
= -1;
1601 assert(send_fd
>= 0);
1603 if (!arg_expose_ports
)
1606 fd
= socket(PF_NETLINK
, SOCK_RAW
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, NETLINK_ROUTE
);
1608 return log_error_errno(errno
, "failed to allocate container netlink: %m");
1610 cmsg
= CMSG_FIRSTHDR(&mh
);
1611 cmsg
->cmsg_level
= SOL_SOCKET
;
1612 cmsg
->cmsg_type
= SCM_RIGHTS
;
1613 cmsg
->cmsg_len
= CMSG_LEN(sizeof(int));
1614 memcpy(CMSG_DATA(cmsg
), &fd
, sizeof(int));
1616 mh
.msg_controllen
= cmsg
->cmsg_len
;
1618 /* Store away the fd in the socket, so that it stays open as
1619 * long as we run the child */
1620 k
= sendmsg(send_fd
, &mh
, MSG_NOSIGNAL
);
1622 return log_error_errno(errno
, "Failed to send netlink fd: %m");
1627 static int flush_ports(union in_addr_union
*exposed
) {
1629 int r
, af
= AF_INET
;
1633 if (!arg_expose_ports
)
1636 if (in_addr_is_null(af
, exposed
))
1639 log_debug("Lost IP address.");
1641 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
1642 r
= fw_add_local_dnat(false,
1653 log_warning_errno(r
, "Failed to modify firewall: %m");
1656 *exposed
= IN_ADDR_NULL
;
1660 static int expose_ports(sd_rtnl
*rtnl
, union in_addr_union
*exposed
) {
1661 _cleanup_free_
struct local_address
*addresses
= NULL
;
1662 _cleanup_free_
char *pretty
= NULL
;
1663 union in_addr_union new_exposed
;
1666 int af
= AF_INET
, r
;
1670 /* Invoked each time an address is added or removed inside the
1673 if (!arg_expose_ports
)
1676 r
= local_addresses(rtnl
, 0, af
, &addresses
);
1678 return log_error_errno(r
, "Failed to enumerate local addresses: %m");
1681 addresses
[0].family
== af
&&
1682 addresses
[0].scope
< RT_SCOPE_LINK
;
1685 return flush_ports(exposed
);
1687 new_exposed
= addresses
[0].address
;
1688 if (in_addr_equal(af
, exposed
, &new_exposed
))
1691 in_addr_to_string(af
, &new_exposed
, &pretty
);
1692 log_debug("New container IP is %s.", strna(pretty
));
1694 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
1696 r
= fw_add_local_dnat(true,
1705 in_addr_is_null(af
, exposed
) ? NULL
: exposed
);
1707 log_warning_errno(r
, "Failed to modify firewall: %m");
1710 *exposed
= new_exposed
;
1714 static int on_address_change(sd_rtnl
*rtnl
, sd_rtnl_message
*m
, void *userdata
) {
1715 union in_addr_union
*exposed
= userdata
;
1721 expose_ports(rtnl
, exposed
);
1725 static int watch_rtnl(sd_event
*event
, int recv_fd
, union in_addr_union
*exposed
, sd_rtnl
**ret
) {
1727 struct cmsghdr cmsghdr
;
1728 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1730 struct msghdr mh
= {
1731 .msg_control
= &control
,
1732 .msg_controllen
= sizeof(control
),
1734 struct cmsghdr
*cmsg
;
1735 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
1740 assert(recv_fd
>= 0);
1743 if (!arg_expose_ports
)
1746 k
= recvmsg(recv_fd
, &mh
, MSG_NOSIGNAL
);
1748 return log_error_errno(errno
, "Failed to recv netlink fd: %m");
1750 cmsg
= CMSG_FIRSTHDR(&mh
);
1751 assert(cmsg
->cmsg_level
== SOL_SOCKET
);
1752 assert(cmsg
->cmsg_type
== SCM_RIGHTS
);
1753 assert(cmsg
->cmsg_len
== CMSG_LEN(sizeof(int)));
1754 memcpy(&fd
, CMSG_DATA(cmsg
), sizeof(int));
1756 r
= sd_rtnl_open_fd(&rtnl
, fd
, 1, RTNLGRP_IPV4_IFADDR
);
1759 return log_error_errno(r
, "Failed to create rtnl object: %m");
1762 r
= sd_rtnl_add_match(rtnl
, RTM_NEWADDR
, on_address_change
, exposed
);
1764 return log_error_errno(r
, "Failed to subscribe to RTM_NEWADDR messages: %m");
1766 r
= sd_rtnl_add_match(rtnl
, RTM_DELADDR
, on_address_change
, exposed
);
1768 return log_error_errno(r
, "Failed to subscribe to RTM_DELADDR messages: %m");
1770 r
= sd_rtnl_attach_event(rtnl
, event
, 0);
1772 return log_error_errno(r
, "Failed to add to even loop: %m");
1780 static int setup_hostname(void) {
1782 if (arg_share_system
)
1785 if (sethostname_idempotent(arg_machine
) < 0)
1791 static int setup_journal(const char *directory
) {
1792 sd_id128_t machine_id
, this_id
;
1793 _cleanup_free_
char *p
= NULL
, *b
= NULL
, *q
= NULL
, *d
= NULL
;
1797 /* Don't link journals in ephemeral mode */
1801 p
= strappend(directory
, "/etc/machine-id");
1805 r
= read_one_line_file(p
, &b
);
1806 if (r
== -ENOENT
&& arg_link_journal
== LINK_AUTO
)
1809 return log_error_errno(r
, "Failed to read machine ID from %s: %m", p
);
1812 if (isempty(id
) && arg_link_journal
== LINK_AUTO
)
1815 /* Verify validity */
1816 r
= sd_id128_from_string(id
, &machine_id
);
1818 return log_error_errno(r
, "Failed to parse machine ID from %s: %m", p
);
1820 r
= sd_id128_get_machine(&this_id
);
1822 return log_error_errno(r
, "Failed to retrieve machine ID: %m");
1824 if (sd_id128_equal(machine_id
, this_id
)) {
1825 log_full(arg_link_journal
== LINK_AUTO
? LOG_WARNING
: LOG_ERR
,
1826 "Host and machine ids are equal (%s): refusing to link journals", id
);
1827 if (arg_link_journal
== LINK_AUTO
)
1832 if (arg_link_journal
== LINK_NO
)
1836 p
= strappend("/var/log/journal/", id
);
1837 q
= strjoin(directory
, "/var/log/journal/", id
, NULL
);
1841 if (path_is_mount_point(p
, false) > 0) {
1842 if (arg_link_journal
!= LINK_AUTO
) {
1843 log_error("%s: already a mount point, refusing to use for journal", p
);
1850 if (path_is_mount_point(q
, false) > 0) {
1851 if (arg_link_journal
!= LINK_AUTO
) {
1852 log_error("%s: already a mount point, refusing to use for journal", q
);
1859 r
= readlink_and_make_absolute(p
, &d
);
1861 if ((arg_link_journal
== LINK_GUEST
||
1862 arg_link_journal
== LINK_AUTO
) &&
1865 r
= mkdir_p(q
, 0755);
1867 log_warning_errno(errno
, "Failed to create directory %s: %m", q
);
1872 return log_error_errno(errno
, "Failed to remove symlink %s: %m", p
);
1873 } else if (r
== -EINVAL
) {
1875 if (arg_link_journal
== LINK_GUEST
&&
1878 if (errno
== ENOTDIR
) {
1879 log_error("%s already exists and is neither a symlink nor a directory", p
);
1882 log_error_errno(errno
, "Failed to remove %s: %m", p
);
1886 } else if (r
!= -ENOENT
) {
1887 log_error_errno(errno
, "readlink(%s) failed: %m", p
);
1891 if (arg_link_journal
== LINK_GUEST
) {
1893 if (symlink(q
, p
) < 0) {
1894 if (arg_link_journal_try
) {
1895 log_debug_errno(errno
, "Failed to symlink %s to %s, skipping journal setup: %m", q
, p
);
1898 log_error_errno(errno
, "Failed to symlink %s to %s: %m", q
, p
);
1903 r
= mkdir_p(q
, 0755);
1905 log_warning_errno(errno
, "Failed to create directory %s: %m", q
);
1909 if (arg_link_journal
== LINK_HOST
) {
1910 /* don't create parents here -- if the host doesn't have
1911 * permanent journal set up, don't force it here */
1914 if (arg_link_journal_try
) {
1915 log_debug_errno(errno
, "Failed to create %s, skipping journal setup: %m", p
);
1918 log_error_errno(errno
, "Failed to create %s: %m", p
);
1923 } else if (access(p
, F_OK
) < 0)
1926 if (dir_is_empty(q
) == 0)
1927 log_warning("%s is not empty, proceeding anyway.", q
);
1929 r
= mkdir_p(q
, 0755);
1931 log_error_errno(errno
, "Failed to create %s: %m", q
);
1935 if (mount(p
, q
, NULL
, MS_BIND
, NULL
) < 0)
1936 return log_error_errno(errno
, "Failed to bind mount journal from host into guest: %m");
1941 static int drop_capabilities(void) {
1942 return capability_bounding_set_drop(~arg_retain
, false);
1945 static int register_machine(pid_t pid
, int local_ifindex
) {
1946 _cleanup_bus_error_free_ sd_bus_error error
= SD_BUS_ERROR_NULL
;
1947 _cleanup_bus_close_unref_ sd_bus
*bus
= NULL
;
1953 r
= sd_bus_default_system(&bus
);
1955 return log_error_errno(r
, "Failed to open system bus: %m");
1957 if (arg_keep_unit
) {
1958 r
= sd_bus_call_method(
1960 "org.freedesktop.machine1",
1961 "/org/freedesktop/machine1",
1962 "org.freedesktop.machine1.Manager",
1963 "RegisterMachineWithNetwork",
1968 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid
),
1972 strempty(arg_directory
),
1973 local_ifindex
> 0 ? 1 : 0, local_ifindex
);
1975 _cleanup_bus_message_unref_ sd_bus_message
*m
= NULL
;
1978 r
= sd_bus_message_new_method_call(
1981 "org.freedesktop.machine1",
1982 "/org/freedesktop/machine1",
1983 "org.freedesktop.machine1.Manager",
1984 "CreateMachineWithNetwork");
1986 return bus_log_create_error(r
);
1988 r
= sd_bus_message_append(
1992 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid
),
1996 strempty(arg_directory
),
1997 local_ifindex
> 0 ? 1 : 0, local_ifindex
);
1999 return bus_log_create_error(r
);
2001 r
= sd_bus_message_open_container(m
, 'a', "(sv)");
2003 return bus_log_create_error(r
);
2005 if (!isempty(arg_slice
)) {
2006 r
= sd_bus_message_append(m
, "(sv)", "Slice", "s", arg_slice
);
2008 return bus_log_create_error(r
);
2011 r
= sd_bus_message_append(m
, "(sv)", "DevicePolicy", "s", "strict");
2013 return bus_log_create_error(r
);
2015 r
= sd_bus_message_append(m
, "(sv)", "DeviceAllow", "a(ss)", 9,
2016 /* Allow the container to
2017 * access and create the API
2018 * device nodes, so that
2019 * PrivateDevices= in the
2020 * container can work
2025 "/dev/random", "rwm",
2026 "/dev/urandom", "rwm",
2028 "/dev/net/tun", "rwm",
2029 /* Allow the container
2030 * access to ptys. However,
2032 * container to ever create
2033 * these device nodes. */
2034 "/dev/pts/ptmx", "rw",
2037 return log_error_errno(r
, "Failed to add device whitelist: %m");
2039 STRV_FOREACH(i
, arg_property
) {
2040 r
= sd_bus_message_open_container(m
, 'r', "sv");
2042 return bus_log_create_error(r
);
2044 r
= bus_append_unit_property_assignment(m
, *i
);
2048 r
= sd_bus_message_close_container(m
);
2050 return bus_log_create_error(r
);
2053 r
= sd_bus_message_close_container(m
);
2055 return bus_log_create_error(r
);
2057 r
= sd_bus_call(bus
, m
, 0, &error
, NULL
);
2061 log_error("Failed to register machine: %s", bus_error_message(&error
, r
));
2068 static int terminate_machine(pid_t pid
) {
2069 _cleanup_bus_error_free_ sd_bus_error error
= SD_BUS_ERROR_NULL
;
2070 _cleanup_bus_message_unref_ sd_bus_message
*reply
= NULL
;
2071 _cleanup_bus_close_unref_ sd_bus
*bus
= NULL
;
2078 r
= sd_bus_default_system(&bus
);
2080 return log_error_errno(r
, "Failed to open system bus: %m");
2082 r
= sd_bus_call_method(
2084 "org.freedesktop.machine1",
2085 "/org/freedesktop/machine1",
2086 "org.freedesktop.machine1.Manager",
2093 /* Note that the machine might already have been
2094 * cleaned up automatically, hence don't consider it a
2095 * failure if we cannot get the machine object. */
2096 log_debug("Failed to get machine: %s", bus_error_message(&error
, r
));
2100 r
= sd_bus_message_read(reply
, "o", &path
);
2102 return bus_log_parse_error(r
);
2104 r
= sd_bus_call_method(
2106 "org.freedesktop.machine1",
2108 "org.freedesktop.machine1.Machine",
2114 log_debug("Failed to terminate machine: %s", bus_error_message(&error
, r
));
2121 static int reset_audit_loginuid(void) {
2122 _cleanup_free_
char *p
= NULL
;
2125 if (arg_share_system
)
2128 r
= read_one_line_file("/proc/self/loginuid", &p
);
2132 return log_error_errno(r
, "Failed to read /proc/self/loginuid: %m");
2134 /* Already reset? */
2135 if (streq(p
, "4294967295"))
2138 r
= write_string_file("/proc/self/loginuid", "4294967295");
2140 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
2141 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2142 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2143 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2144 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r
));
2152 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
2153 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
2154 #define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
2156 static int generate_mac(struct ether_addr
*mac
, sd_id128_t hash_key
, uint64_t idx
) {
2162 l
= strlen(arg_machine
);
2163 sz
= sizeof(sd_id128_t
) + l
;
2169 /* fetch some persistent data unique to the host */
2170 r
= sd_id128_get_machine((sd_id128_t
*) v
);
2174 /* combine with some data unique (on this host) to this
2175 * container instance */
2176 i
= mempcpy(v
+ sizeof(sd_id128_t
), arg_machine
, l
);
2179 memcpy(i
, &idx
, sizeof(idx
));
2182 /* Let's hash the host machine ID plus the container name. We
2183 * use a fixed, but originally randomly created hash key here. */
2184 siphash24(result
, v
, sz
, hash_key
.bytes
);
2186 assert_cc(ETH_ALEN
<= sizeof(result
));
2187 memcpy(mac
->ether_addr_octet
, result
, ETH_ALEN
);
2189 /* see eth_random_addr in the kernel */
2190 mac
->ether_addr_octet
[0] &= 0xfe; /* clear multicast bit */
2191 mac
->ether_addr_octet
[0] |= 0x02; /* set local assignment bit (IEEE802) */
2196 static int setup_veth(pid_t pid
, char iface_name
[IFNAMSIZ
], int *ifi
) {
2197 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2198 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2199 struct ether_addr mac_host
, mac_container
;
2202 if (!arg_private_network
)
2205 if (!arg_network_veth
)
2208 /* Use two different interface name prefixes depending whether
2209 * we are in bridge mode or not. */
2210 snprintf(iface_name
, IFNAMSIZ
- 1, "%s-%s",
2211 arg_network_bridge
? "vb" : "ve", arg_machine
);
2213 r
= generate_mac(&mac_container
, CONTAINER_HASH_KEY
, 0);
2215 return log_error_errno(r
, "Failed to generate predictable MAC address for container side: %m");
2217 r
= generate_mac(&mac_host
, HOST_HASH_KEY
, 0);
2219 return log_error_errno(r
, "Failed to generate predictable MAC address for host side: %m");
2221 r
= sd_rtnl_open(&rtnl
, 0);
2223 return log_error_errno(r
, "Failed to connect to netlink: %m");
2225 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2227 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2229 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, iface_name
);
2231 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2233 r
= sd_rtnl_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac_host
);
2235 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2237 r
= sd_rtnl_message_open_container(m
, IFLA_LINKINFO
);
2239 return log_error_errno(r
, "Failed to open netlink container: %m");
2241 r
= sd_rtnl_message_open_container_union(m
, IFLA_INFO_DATA
, "veth");
2243 return log_error_errno(r
, "Failed to open netlink container: %m");
2245 r
= sd_rtnl_message_open_container(m
, VETH_INFO_PEER
);
2247 return log_error_errno(r
, "Failed to open netlink container: %m");
2249 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, "host0");
2251 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2253 r
= sd_rtnl_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac_container
);
2255 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2257 r
= sd_rtnl_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2259 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2261 r
= sd_rtnl_message_close_container(m
);
2263 return log_error_errno(r
, "Failed to close netlink container: %m");
2265 r
= sd_rtnl_message_close_container(m
);
2267 return log_error_errno(r
, "Failed to close netlink container: %m");
2269 r
= sd_rtnl_message_close_container(m
);
2271 return log_error_errno(r
, "Failed to close netlink container: %m");
2273 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2275 return log_error_errno(r
, "Failed to add new veth interfaces: %m");
2277 i
= (int) if_nametoindex(iface_name
);
2279 return log_error_errno(errno
, "Failed to resolve interface %s: %m", iface_name
);
2286 static int setup_bridge(const char veth_name
[], int *ifi
) {
2287 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2288 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2291 if (!arg_private_network
)
2294 if (!arg_network_veth
)
2297 if (!arg_network_bridge
)
2300 bridge
= (int) if_nametoindex(arg_network_bridge
);
2302 return log_error_errno(errno
, "Failed to resolve interface %s: %m", arg_network_bridge
);
2306 r
= sd_rtnl_open(&rtnl
, 0);
2308 return log_error_errno(r
, "Failed to connect to netlink: %m");
2310 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, 0);
2312 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2314 r
= sd_rtnl_message_link_set_flags(m
, IFF_UP
, IFF_UP
);
2316 return log_error_errno(r
, "Failed to set IFF_UP flag: %m");
2318 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, veth_name
);
2320 return log_error_errno(r
, "Failed to add netlink interface name field: %m");
2322 r
= sd_rtnl_message_append_u32(m
, IFLA_MASTER
, bridge
);
2324 return log_error_errno(r
, "Failed to add netlink master field: %m");
2326 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2328 return log_error_errno(r
, "Failed to add veth interface to bridge: %m");
2333 static int parse_interface(struct udev
*udev
, const char *name
) {
2334 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
2335 char ifi_str
[2 + DECIMAL_STR_MAX(int)];
2338 ifi
= (int) if_nametoindex(name
);
2340 return log_error_errno(errno
, "Failed to resolve interface %s: %m", name
);
2342 sprintf(ifi_str
, "n%i", ifi
);
2343 d
= udev_device_new_from_device_id(udev
, ifi_str
);
2345 return log_error_errno(errno
, "Failed to get udev device for interface %s: %m", name
);
2347 if (udev_device_get_is_initialized(d
) <= 0) {
2348 log_error("Network interface %s is not initialized yet.", name
);
2355 static int move_network_interfaces(pid_t pid
) {
2356 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2357 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2361 if (!arg_private_network
)
2364 if (strv_isempty(arg_network_interfaces
))
2367 r
= sd_rtnl_open(&rtnl
, 0);
2369 return log_error_errno(r
, "Failed to connect to netlink: %m");
2373 log_error("Failed to connect to udev.");
2377 STRV_FOREACH(i
, arg_network_interfaces
) {
2378 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2381 ifi
= parse_interface(udev
, *i
);
2385 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, ifi
);
2387 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2389 r
= sd_rtnl_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2391 return log_error_errno(r
, "Failed to append namespace PID to netlink message: %m");
2393 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2395 return log_error_errno(r
, "Failed to move interface %s to namespace: %m", *i
);
2401 static int setup_macvlan(pid_t pid
) {
2402 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2403 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2408 if (!arg_private_network
)
2411 if (strv_isempty(arg_network_macvlan
))
2414 r
= sd_rtnl_open(&rtnl
, 0);
2416 return log_error_errno(r
, "Failed to connect to netlink: %m");
2420 log_error("Failed to connect to udev.");
2424 STRV_FOREACH(i
, arg_network_macvlan
) {
2425 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2426 _cleanup_free_
char *n
= NULL
;
2427 struct ether_addr mac
;
2430 ifi
= parse_interface(udev
, *i
);
2434 r
= generate_mac(&mac
, MACVLAN_HASH_KEY
, idx
++);
2436 return log_error_errno(r
, "Failed to create MACVLAN MAC address: %m");
2438 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2440 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2442 r
= sd_rtnl_message_append_u32(m
, IFLA_LINK
, ifi
);
2444 return log_error_errno(r
, "Failed to add netlink interface index: %m");
2446 n
= strappend("mv-", *i
);
2450 strshorten(n
, IFNAMSIZ
-1);
2452 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, n
);
2454 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2456 r
= sd_rtnl_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac
);
2458 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2460 r
= sd_rtnl_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2462 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2464 r
= sd_rtnl_message_open_container(m
, IFLA_LINKINFO
);
2466 return log_error_errno(r
, "Failed to open netlink container: %m");
2468 r
= sd_rtnl_message_open_container_union(m
, IFLA_INFO_DATA
, "macvlan");
2470 return log_error_errno(r
, "Failed to open netlink container: %m");
2472 r
= sd_rtnl_message_append_u32(m
, IFLA_MACVLAN_MODE
, MACVLAN_MODE_BRIDGE
);
2474 return log_error_errno(r
, "Failed to append macvlan mode: %m");
2476 r
= sd_rtnl_message_close_container(m
);
2478 return log_error_errno(r
, "Failed to close netlink container: %m");
2480 r
= sd_rtnl_message_close_container(m
);
2482 return log_error_errno(r
, "Failed to close netlink container: %m");
2484 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2486 return log_error_errno(r
, "Failed to add new macvlan interfaces: %m");
2492 static int setup_ipvlan(pid_t pid
) {
2493 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2494 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
2498 if (!arg_private_network
)
2501 if (strv_isempty(arg_network_ipvlan
))
2504 r
= sd_rtnl_open(&rtnl
, 0);
2506 return log_error_errno(r
, "Failed to connect to netlink: %m");
2510 log_error("Failed to connect to udev.");
2514 STRV_FOREACH(i
, arg_network_ipvlan
) {
2515 _cleanup_rtnl_message_unref_ sd_rtnl_message
*m
= NULL
;
2516 _cleanup_free_
char *n
= NULL
;
2519 ifi
= parse_interface(udev
, *i
);
2523 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2525 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2527 r
= sd_rtnl_message_append_u32(m
, IFLA_LINK
, ifi
);
2529 return log_error_errno(r
, "Failed to add netlink interface index: %m");
2531 n
= strappend("iv-", *i
);
2535 strshorten(n
, IFNAMSIZ
-1);
2537 r
= sd_rtnl_message_append_string(m
, IFLA_IFNAME
, n
);
2539 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2541 r
= sd_rtnl_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2543 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2545 r
= sd_rtnl_message_open_container(m
, IFLA_LINKINFO
);
2547 return log_error_errno(r
, "Failed to open netlink container: %m");
2549 r
= sd_rtnl_message_open_container_union(m
, IFLA_INFO_DATA
, "ipvlan");
2551 return log_error_errno(r
, "Failed to open netlink container: %m");
2553 r
= sd_rtnl_message_append_u16(m
, IFLA_IPVLAN_MODE
, IPVLAN_MODE_L2
);
2555 return log_error_errno(r
, "Failed to add ipvlan mode: %m");
2557 r
= sd_rtnl_message_close_container(m
);
2559 return log_error_errno(r
, "Failed to close netlink container: %m");
2561 r
= sd_rtnl_message_close_container(m
);
2563 return log_error_errno(r
, "Failed to close netlink container: %m");
2565 r
= sd_rtnl_call(rtnl
, m
, 0, NULL
);
2567 return log_error_errno(r
, "Failed to add new ipvlan interfaces: %m");
2573 static int setup_seccomp(void) {
2576 static const struct {
2577 uint64_t capability
;
2580 { CAP_SYS_RAWIO
, SCMP_SYS(iopl
)},
2581 { CAP_SYS_RAWIO
, SCMP_SYS(ioperm
)},
2582 { CAP_SYS_BOOT
, SCMP_SYS(kexec_load
)},
2583 { CAP_SYS_ADMIN
, SCMP_SYS(swapon
)},
2584 { CAP_SYS_ADMIN
, SCMP_SYS(swapoff
)},
2585 { CAP_SYS_ADMIN
, SCMP_SYS(open_by_handle_at
)},
2586 { CAP_SYS_MODULE
, SCMP_SYS(init_module
)},
2587 { CAP_SYS_MODULE
, SCMP_SYS(finit_module
)},
2588 { CAP_SYS_MODULE
, SCMP_SYS(delete_module
)},
2591 scmp_filter_ctx seccomp
;
2595 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
2599 r
= seccomp_add_secondary_archs(seccomp
);
2601 log_error_errno(r
, "Failed to add secondary archs to seccomp filter: %m");
2605 for (i
= 0; i
< ELEMENTSOF(blacklist
); i
++) {
2606 if (arg_retain
& (1ULL << blacklist
[i
].capability
))
2609 r
= seccomp_rule_add(seccomp
, SCMP_ACT_ERRNO(EPERM
), blacklist
[i
].syscall_num
, 0);
2611 continue; /* unknown syscall */
2613 log_error_errno(r
, "Failed to block syscall: %m");
2620 Audit is broken in containers, much of the userspace audit
2621 hookup will fail if running inside a container. We don't
2622 care and just turn off creation of audit sockets.
2624 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
2625 with EAFNOSUPPORT which audit userspace uses as indication
2626 that audit is disabled in the kernel.
2629 r
= seccomp_rule_add(
2631 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
2634 SCMP_A0(SCMP_CMP_EQ
, AF_NETLINK
),
2635 SCMP_A2(SCMP_CMP_EQ
, NETLINK_AUDIT
));
2637 log_error_errno(r
, "Failed to add audit seccomp rule: %m");
2641 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
2643 log_error_errno(r
, "Failed to unset NO_NEW_PRIVS: %m");
2647 r
= seccomp_load(seccomp
);
2649 log_error_errno(r
, "Failed to install seccomp audit filter: %m");
2652 seccomp_release(seccomp
);
2660 static int setup_propagate(const char *root
) {
2663 (void) mkdir_p("/run/systemd/nspawn/", 0755);
2664 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
2665 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
2666 (void) mkdir_p(p
, 0600);
2668 q
= strjoina(root
, "/run/systemd/nspawn/incoming");
2669 mkdir_parents(q
, 0755);
2672 if (mount(p
, q
, NULL
, MS_BIND
, NULL
) < 0)
2673 return log_error_errno(errno
, "Failed to install propagation bind mount.");
2675 if (mount(NULL
, q
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
) < 0)
2676 return log_error_errno(errno
, "Failed to make propagation mount read-only");
2681 static int setup_image(char **device_path
, int *loop_nr
) {
2682 struct loop_info64 info
= {
2683 .lo_flags
= LO_FLAGS_AUTOCLEAR
|LO_FLAGS_PARTSCAN
2685 _cleanup_close_
int fd
= -1, control
= -1, loop
= -1;
2686 _cleanup_free_
char* loopdev
= NULL
;
2690 assert(device_path
);
2694 fd
= open(arg_image
, O_CLOEXEC
|(arg_read_only
? O_RDONLY
: O_RDWR
)|O_NONBLOCK
|O_NOCTTY
);
2696 return log_error_errno(errno
, "Failed to open %s: %m", arg_image
);
2698 if (fstat(fd
, &st
) < 0)
2699 return log_error_errno(errno
, "Failed to stat %s: %m", arg_image
);
2701 if (S_ISBLK(st
.st_mode
)) {
2704 p
= strdup(arg_image
);
2718 if (!S_ISREG(st
.st_mode
)) {
2719 log_error_errno(errno
, "%s is not a regular file or block device: %m", arg_image
);
2723 control
= open("/dev/loop-control", O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
);
2725 return log_error_errno(errno
, "Failed to open /dev/loop-control: %m");
2727 nr
= ioctl(control
, LOOP_CTL_GET_FREE
);
2729 return log_error_errno(errno
, "Failed to allocate loop device: %m");
2731 if (asprintf(&loopdev
, "/dev/loop%i", nr
) < 0)
2734 loop
= open(loopdev
, O_CLOEXEC
|(arg_read_only
? O_RDONLY
: O_RDWR
)|O_NONBLOCK
|O_NOCTTY
);
2736 return log_error_errno(errno
, "Failed to open loop device %s: %m", loopdev
);
2738 if (ioctl(loop
, LOOP_SET_FD
, fd
) < 0)
2739 return log_error_errno(errno
, "Failed to set loopback file descriptor on %s: %m", loopdev
);
2742 info
.lo_flags
|= LO_FLAGS_READ_ONLY
;
2744 if (ioctl(loop
, LOOP_SET_STATUS64
, &info
) < 0)
2745 return log_error_errno(errno
, "Failed to set loopback settings on %s: %m", loopdev
);
2747 *device_path
= loopdev
;
2758 #define PARTITION_TABLE_BLURB \
2759 "Note that the disk image needs to either contain only a single MBR partition of\n" \
2760 "type 0x83 that is marked bootable, or a single GPT partition of type " \
2761 "0FC63DAF-8483-4772-8E79-3D69D8477DE4 or follow\n" \
2762 " http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n" \
2763 "to be bootable with systemd-nspawn."
2765 static int dissect_image(
2767 char **root_device
, bool *root_device_rw
,
2768 char **home_device
, bool *home_device_rw
,
2769 char **srv_device
, bool *srv_device_rw
,
2773 int home_nr
= -1, srv_nr
= -1;
2774 #ifdef GPT_ROOT_NATIVE
2777 #ifdef GPT_ROOT_SECONDARY
2778 int secondary_root_nr
= -1;
2780 _cleanup_free_
char *home
= NULL
, *root
= NULL
, *secondary_root
= NULL
, *srv
= NULL
, *generic
= NULL
;
2781 _cleanup_udev_enumerate_unref_
struct udev_enumerate
*e
= NULL
;
2782 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
2783 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
2784 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2785 struct udev_list_entry
*first
, *item
;
2786 bool home_rw
= true, root_rw
= true, secondary_root_rw
= true, srv_rw
= true, generic_rw
= true;
2787 bool is_gpt
, is_mbr
, multiple_generic
= false;
2788 const char *pttype
= NULL
;
2795 assert(root_device
);
2796 assert(home_device
);
2801 b
= blkid_new_probe();
2806 r
= blkid_probe_set_device(b
, fd
, 0, 0);
2811 log_error_errno(errno
, "Failed to set device on blkid probe: %m");
2815 blkid_probe_enable_partitions(b
, 1);
2816 blkid_probe_set_partitions_flags(b
, BLKID_PARTS_ENTRY_DETAILS
);
2819 r
= blkid_do_safeprobe(b
);
2820 if (r
== -2 || r
== 1) {
2821 log_error("Failed to identify any partition table on\n"
2823 PARTITION_TABLE_BLURB
, arg_image
);
2825 } else if (r
!= 0) {
2828 log_error_errno(errno
, "Failed to probe: %m");
2832 (void) blkid_probe_lookup_value(b
, "PTTYPE", &pttype
, NULL
);
2834 is_gpt
= streq_ptr(pttype
, "gpt");
2835 is_mbr
= streq_ptr(pttype
, "dos");
2837 if (!is_gpt
&& !is_mbr
) {
2838 log_error("No GPT or MBR partition table discovered on\n"
2840 PARTITION_TABLE_BLURB
, arg_image
);
2845 pl
= blkid_probe_get_partitions(b
);
2850 log_error("Failed to list partitions of %s", arg_image
);
2858 if (fstat(fd
, &st
) < 0)
2859 return log_error_errno(errno
, "Failed to stat block device: %m");
2861 d
= udev_device_new_from_devnum(udev
, 'b', st
.st_rdev
);
2869 log_error("Kernel partitions never appeared.");
2873 e
= udev_enumerate_new(udev
);
2877 r
= udev_enumerate_add_match_parent(e
, d
);
2881 r
= udev_enumerate_scan_devices(e
);
2883 return log_error_errno(r
, "Failed to scan for partition devices of %s: %m", arg_image
);
2885 /* Count the partitions enumerated by the kernel */
2887 first
= udev_enumerate_get_list_entry(e
);
2888 udev_list_entry_foreach(item
, first
)
2891 /* Count the partitions enumerated by blkid */
2892 m
= blkid_partlist_numof_partitions(pl
);
2896 log_error("blkid and kernel partition list do not match.");
2902 /* The kernel has probed fewer partitions than
2903 * blkid? Maybe the kernel prober is still
2904 * running or it got EBUSY because udev
2905 * already opened the device. Let's reprobe
2906 * the device, which is a synchronous call
2907 * that waits until probing is complete. */
2909 for (j
= 0; j
< 20; j
++) {
2911 r
= ioctl(fd
, BLKRRPART
, 0);
2914 if (r
>= 0 || r
!= -EBUSY
)
2917 /* If something else has the device
2918 * open, such as an udev rule, the
2919 * ioctl will return EBUSY. Since
2920 * there's no way to wait until it
2921 * isn't busy anymore, let's just wait
2922 * a bit, and try again.
2924 * This is really something they
2925 * should fix in the kernel! */
2927 usleep(50 * USEC_PER_MSEC
);
2931 return log_error_errno(r
, "Failed to reread partition table: %m");
2934 e
= udev_enumerate_unref(e
);
2937 first
= udev_enumerate_get_list_entry(e
);
2938 udev_list_entry_foreach(item
, first
) {
2939 _cleanup_udev_device_unref_
struct udev_device
*q
;
2941 unsigned long long flags
;
2947 q
= udev_device_new_from_syspath(udev
, udev_list_entry_get_name(item
));
2952 log_error_errno(errno
, "Failed to get partition device of %s: %m", arg_image
);
2956 qn
= udev_device_get_devnum(q
);
2960 if (st
.st_rdev
== qn
)
2963 node
= udev_device_get_devnode(q
);
2967 pp
= blkid_partlist_devno_to_partition(pl
, qn
);
2971 flags
= blkid_partition_get_flags(pp
);
2973 nr
= blkid_partition_get_partno(pp
);
2981 if (flags
& GPT_FLAG_NO_AUTO
)
2984 stype
= blkid_partition_get_type_string(pp
);
2988 if (sd_id128_from_string(stype
, &type_id
) < 0)
2991 if (sd_id128_equal(type_id
, GPT_HOME
)) {
2993 if (home
&& nr
>= home_nr
)
2997 home_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
2999 r
= free_and_strdup(&home
, node
);
3003 } else if (sd_id128_equal(type_id
, GPT_SRV
)) {
3005 if (srv
&& nr
>= srv_nr
)
3009 srv_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3011 r
= free_and_strdup(&srv
, node
);
3015 #ifdef GPT_ROOT_NATIVE
3016 else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE
)) {
3018 if (root
&& nr
>= root_nr
)
3022 root_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3024 r
= free_and_strdup(&root
, node
);
3029 #ifdef GPT_ROOT_SECONDARY
3030 else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY
)) {
3032 if (secondary_root
&& nr
>= secondary_root_nr
)
3035 secondary_root_nr
= nr
;
3036 secondary_root_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3038 r
= free_and_strdup(&secondary_root
, node
);
3043 else if (sd_id128_equal(type_id
, GPT_LINUX_GENERIC
)) {
3046 multiple_generic
= true;
3048 generic_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3050 r
= free_and_strdup(&generic
, node
);
3056 } else if (is_mbr
) {
3059 if (flags
!= 0x80) /* Bootable flag */
3062 type
= blkid_partition_get_type(pp
);
3063 if (type
!= 0x83) /* Linux partition */
3067 multiple_generic
= true;
3071 r
= free_and_strdup(&root
, node
);
3079 *root_device
= root
;
3082 *root_device_rw
= root_rw
;
3084 } else if (secondary_root
) {
3085 *root_device
= secondary_root
;
3086 secondary_root
= NULL
;
3088 *root_device_rw
= secondary_root_rw
;
3090 } else if (generic
) {
3092 /* There were no partitions with precise meanings
3093 * around, but we found generic partitions. In this
3094 * case, if there's only one, we can go ahead and boot
3095 * it, otherwise we bail out, because we really cannot
3096 * make any sense of it. */
3098 if (multiple_generic
) {
3099 log_error("Identified multiple bootable Linux partitions on\n"
3101 PARTITION_TABLE_BLURB
, arg_image
);
3105 *root_device
= generic
;
3108 *root_device_rw
= generic_rw
;
3111 log_error("Failed to identify root partition in disk image\n"
3113 PARTITION_TABLE_BLURB
, arg_image
);
3118 *home_device
= home
;
3121 *home_device_rw
= home_rw
;
3128 *srv_device_rw
= srv_rw
;
3133 log_error("--image= is not supported, compiled without blkid support.");
3138 static int mount_device(const char *what
, const char *where
, const char *directory
, bool rw
) {
3140 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
3141 const char *fstype
, *p
;
3151 p
= strjoina(where
, directory
);
3156 b
= blkid_new_probe_from_filename(what
);
3160 log_error_errno(errno
, "Failed to allocate prober for %s: %m", what
);
3164 blkid_probe_enable_superblocks(b
, 1);
3165 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
);
3168 r
= blkid_do_safeprobe(b
);
3169 if (r
== -1 || r
== 1) {
3170 log_error("Cannot determine file system type of %s", what
);
3172 } else if (r
!= 0) {
3175 log_error_errno(errno
, "Failed to probe %s: %m", what
);
3180 if (blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
) < 0) {
3183 log_error("Failed to determine file system type of %s", what
);
3187 if (streq(fstype
, "crypto_LUKS")) {
3188 log_error("nspawn currently does not support LUKS disk images.");
3192 if (mount(what
, p
, fstype
, MS_NODEV
|(rw
? 0 : MS_RDONLY
), NULL
) < 0)
3193 return log_error_errno(errno
, "Failed to mount %s: %m", what
);
3197 log_error("--image= is not supported, compiled without blkid support.");
3202 static int mount_devices(
3204 const char *root_device
, bool root_device_rw
,
3205 const char *home_device
, bool home_device_rw
,
3206 const char *srv_device
, bool srv_device_rw
) {
3212 r
= mount_device(root_device
, arg_directory
, NULL
, root_device_rw
);
3214 return log_error_errno(r
, "Failed to mount root directory: %m");
3218 r
= mount_device(home_device
, arg_directory
, "/home", home_device_rw
);
3220 return log_error_errno(r
, "Failed to mount home directory: %m");
3224 r
= mount_device(srv_device
, arg_directory
, "/srv", srv_device_rw
);
3226 return log_error_errno(r
, "Failed to mount server data directory: %m");
3232 static void loop_remove(int nr
, int *image_fd
) {
3233 _cleanup_close_
int control
= -1;
3239 if (image_fd
&& *image_fd
>= 0) {
3240 r
= ioctl(*image_fd
, LOOP_CLR_FD
);
3242 log_debug_errno(errno
, "Failed to close loop image: %m");
3243 *image_fd
= safe_close(*image_fd
);
3246 control
= open("/dev/loop-control", O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
);
3248 log_warning_errno(errno
, "Failed to open /dev/loop-control: %m");
3252 r
= ioctl(control
, LOOP_CTL_REMOVE
, nr
);
3254 log_debug_errno(errno
, "Failed to remove loop %d: %m", nr
);
3257 static int spawn_getent(const char *database
, const char *key
, pid_t
*rpid
) {
3265 if (pipe2(pipe_fds
, O_CLOEXEC
) < 0)
3266 return log_error_errno(errno
, "Failed to allocate pipe: %m");
3270 return log_error_errno(errno
, "Failed to fork getent child: %m");
3271 else if (pid
== 0) {
3273 char *empty_env
= NULL
;
3275 if (dup3(pipe_fds
[1], STDOUT_FILENO
, 0) < 0)
3276 _exit(EXIT_FAILURE
);
3278 if (pipe_fds
[0] > 2)
3279 safe_close(pipe_fds
[0]);
3280 if (pipe_fds
[1] > 2)
3281 safe_close(pipe_fds
[1]);
3283 nullfd
= open("/dev/null", O_RDWR
);
3285 _exit(EXIT_FAILURE
);
3287 if (dup3(nullfd
, STDIN_FILENO
, 0) < 0)
3288 _exit(EXIT_FAILURE
);
3290 if (dup3(nullfd
, STDERR_FILENO
, 0) < 0)
3291 _exit(EXIT_FAILURE
);
3296 reset_all_signal_handlers();
3297 close_all_fds(NULL
, 0);
3299 execle("/usr/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
3300 execle("/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
3301 _exit(EXIT_FAILURE
);
3304 pipe_fds
[1] = safe_close(pipe_fds
[1]);
3311 static int change_uid_gid(char **_home
) {
3312 char line
[LINE_MAX
], *x
, *u
, *g
, *h
;
3313 const char *word
, *state
;
3314 _cleanup_free_ uid_t
*uids
= NULL
;
3315 _cleanup_free_
char *home
= NULL
;
3316 _cleanup_fclose_
FILE *f
= NULL
;
3317 _cleanup_close_
int fd
= -1;
3318 unsigned n_uids
= 0;
3327 if (!arg_user
|| streq(arg_user
, "root") || streq(arg_user
, "0")) {
3328 /* Reset everything fully to 0, just in case */
3330 if (setgroups(0, NULL
) < 0)
3331 return log_error_errno(errno
, "setgroups() failed: %m");
3333 if (setresgid(0, 0, 0) < 0)
3334 return log_error_errno(errno
, "setregid() failed: %m");
3336 if (setresuid(0, 0, 0) < 0)
3337 return log_error_errno(errno
, "setreuid() failed: %m");
3343 /* First, get user credentials */
3344 fd
= spawn_getent("passwd", arg_user
, &pid
);
3348 f
= fdopen(fd
, "r");
3353 if (!fgets(line
, sizeof(line
), f
)) {
3356 log_error("Failed to resolve user %s.", arg_user
);
3360 log_error_errno(errno
, "Failed to read from getent: %m");
3366 wait_for_terminate_and_warn("getent passwd", pid
, true);
3368 x
= strchr(line
, ':');
3370 log_error("/etc/passwd entry has invalid user field.");
3374 u
= strchr(x
+1, ':');
3376 log_error("/etc/passwd entry has invalid password field.");
3383 log_error("/etc/passwd entry has invalid UID field.");
3391 log_error("/etc/passwd entry has invalid GID field.");
3396 h
= strchr(x
+1, ':');
3398 log_error("/etc/passwd entry has invalid GECOS field.");
3405 log_error("/etc/passwd entry has invalid home directory field.");
3411 r
= parse_uid(u
, &uid
);
3413 log_error("Failed to parse UID of user.");
3417 r
= parse_gid(g
, &gid
);
3419 log_error("Failed to parse GID of user.");
3427 /* Second, get group memberships */
3428 fd
= spawn_getent("initgroups", arg_user
, &pid
);
3433 f
= fdopen(fd
, "r");
3438 if (!fgets(line
, sizeof(line
), f
)) {
3440 log_error("Failed to resolve user %s.", arg_user
);
3444 log_error_errno(errno
, "Failed to read from getent: %m");
3450 wait_for_terminate_and_warn("getent initgroups", pid
, true);
3452 /* Skip over the username and subsequent separator whitespace */
3454 x
+= strcspn(x
, WHITESPACE
);
3455 x
+= strspn(x
, WHITESPACE
);
3457 FOREACH_WORD(word
, l
, x
, state
) {
3463 if (!GREEDY_REALLOC(uids
, sz
, n_uids
+1))
3466 r
= parse_uid(c
, &uids
[n_uids
++]);
3468 log_error("Failed to parse group data from getent.");
3473 r
= mkdir_parents(home
, 0775);
3475 return log_error_errno(r
, "Failed to make home root directory: %m");
3477 r
= mkdir_safe(home
, 0755, uid
, gid
);
3478 if (r
< 0 && r
!= -EEXIST
)
3479 return log_error_errno(r
, "Failed to make home directory: %m");
3481 fchown(STDIN_FILENO
, uid
, gid
);
3482 fchown(STDOUT_FILENO
, uid
, gid
);
3483 fchown(STDERR_FILENO
, uid
, gid
);
3485 if (setgroups(n_uids
, uids
) < 0)
3486 return log_error_errno(errno
, "Failed to set auxiliary groups: %m");
3488 if (setresgid(gid
, gid
, gid
) < 0)
3489 return log_error_errno(errno
, "setregid() failed: %m");
3491 if (setresuid(uid
, uid
, uid
) < 0)
3492 return log_error_errno(errno
, "setreuid() failed: %m");
3504 * < 0 : wait_for_terminate() failed to get the state of the
3505 * container, the container was terminated by a signal, or
3506 * failed for an unknown reason. No change is made to the
3507 * container argument.
3508 * > 0 : The program executed in the container terminated with an
3509 * error. The exit code of the program executed in the
3510 * container is returned. The container argument has been set
3511 * to CONTAINER_TERMINATED.
3512 * 0 : The container is being rebooted, has been shut down or exited
3513 * successfully. The container argument has been set to either
3514 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
3516 * That is, success is indicated by a return value of zero, and an
3517 * error is indicated by a non-zero value.
3519 static int wait_for_container(pid_t pid
, ContainerStatus
*container
) {
3523 r
= wait_for_terminate(pid
, &status
);
3525 return log_warning_errno(r
, "Failed to wait for container: %m");
3527 switch (status
.si_code
) {
3530 if (status
.si_status
== 0) {
3531 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s exited successfully.", arg_machine
);
3534 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s failed with error code %i.", arg_machine
, status
.si_status
);
3536 *container
= CONTAINER_TERMINATED
;
3537 return status
.si_status
;
3540 if (status
.si_status
== SIGINT
) {
3542 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s has been shut down.", arg_machine
);
3543 *container
= CONTAINER_TERMINATED
;
3546 } else if (status
.si_status
== SIGHUP
) {
3548 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s is being rebooted.", arg_machine
);
3549 *container
= CONTAINER_REBOOTED
;
3553 /* CLD_KILLED fallthrough */
3556 log_error("Container %s terminated by signal %s.", arg_machine
, signal_to_string(status
.si_status
));
3560 log_error("Container %s failed due to unknown reason.", arg_machine
);
3567 static void nop_handler(int sig
) {}
3569 static int on_orderly_shutdown(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
3572 pid
= PTR_TO_UINT32(userdata
);
3574 if (kill(pid
, arg_kill_signal
) >= 0) {
3575 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
3576 sd_event_source_set_userdata(s
, NULL
);
3581 sd_event_exit(sd_event_source_get_event(s
), 0);
3585 static int determine_names(void) {
3588 if (!arg_image
&& !arg_directory
) {
3590 _cleanup_(image_unrefp
) Image
*i
= NULL
;
3592 r
= image_find(arg_machine
, &i
);
3594 return log_error_errno(r
, "Failed to find image for machine '%s': %m", arg_machine
);
3596 log_error("No image for machine '%s': %m", arg_machine
);
3600 if (i
->type
== IMAGE_RAW
)
3601 r
= set_sanitized_path(&arg_image
, i
->path
);
3603 r
= set_sanitized_path(&arg_directory
, i
->path
);
3605 return log_error_errno(r
, "Invalid image directory: %m");
3607 arg_read_only
= arg_read_only
|| i
->read_only
;
3609 arg_directory
= get_current_dir_name();
3611 if (!arg_directory
&& !arg_machine
) {
3612 log_error("Failed to determine path, please use -D or -i.");
3618 if (arg_directory
&& path_equal(arg_directory
, "/"))
3619 arg_machine
= gethostname_malloc();
3621 arg_machine
= strdup(basename(arg_image
?: arg_directory
));
3626 hostname_cleanup(arg_machine
, false);
3627 if (!machine_name_is_valid(arg_machine
)) {
3628 log_error("Failed to determine machine name automatically, please use -M.");
3632 if (arg_ephemeral
) {
3635 /* Add a random suffix when this is an
3636 * ephemeral machine, so that we can run many
3637 * instances at once without manually having
3638 * to specify -M each time. */
3640 if (asprintf(&b
, "%s-%016" PRIx64
, arg_machine
, random_u64()) < 0)
3651 static int determine_uid_shift(void) {
3657 if (arg_uid_shift
== UID_INVALID
) {
3660 r
= stat(arg_directory
, &st
);
3662 return log_error_errno(errno
, "Failed to determine UID base of %s: %m", arg_directory
);
3664 arg_uid_shift
= st
.st_uid
& UINT32_C(0xffff0000);
3666 if (arg_uid_shift
!= (st
.st_gid
& UINT32_C(0xffff0000))) {
3667 log_error("UID and GID base of %s don't match.", arg_directory
);
3671 arg_uid_range
= UINT32_C(0x10000);
3674 if (arg_uid_shift
> (uid_t
) -1 - arg_uid_range
) {
3675 log_error("UID base too high for UID range.");
3679 log_info("Using user namespaces with base " UID_FMT
" and range " UID_FMT
".", arg_uid_shift
, arg_uid_range
);
3683 int main(int argc
, char *argv
[]) {
3685 _cleanup_free_
char *device_path
= NULL
, *root_device
= NULL
, *home_device
= NULL
, *srv_device
= NULL
, *console
= NULL
;
3686 bool root_device_rw
= true, home_device_rw
= true, srv_device_rw
= true;
3687 _cleanup_close_
int master
= -1, image_fd
= -1;
3688 _cleanup_fdset_free_ FDSet
*fds
= NULL
;
3689 int r
, n_fd_passed
, loop_nr
= -1;
3690 char veth_name
[IFNAMSIZ
];
3691 bool secondary
= false, remove_subvol
= false;
3692 sigset_t mask
, mask_chld
;
3694 int ret
= EXIT_SUCCESS
;
3695 union in_addr_union exposed
= {};
3696 _cleanup_release_lock_file_ LockFile tree_global_lock
= LOCK_FILE_INIT
, tree_local_lock
= LOCK_FILE_INIT
;
3699 log_parse_environment();
3702 r
= parse_argv(argc
, argv
);
3706 r
= determine_names();
3710 if (geteuid() != 0) {
3711 log_error("Need to be root.");
3717 n_fd_passed
= sd_listen_fds(false);
3718 if (n_fd_passed
> 0) {
3719 r
= fdset_new_listen_fds(&fds
, false);
3721 log_error_errno(r
, "Failed to collect file descriptors: %m");
3725 fdset_close_others(fds
);
3728 if (arg_directory
) {
3731 if (path_equal(arg_directory
, "/") && !arg_ephemeral
) {
3732 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
3737 if (arg_ephemeral
) {
3738 _cleanup_free_
char *np
= NULL
;
3740 /* If the specified path is a mount point we
3741 * generate the new snapshot immediately
3742 * inside it under a random name. However if
3743 * the specified is not a mount point we
3744 * create the new snapshot in the parent
3745 * directory, just next to it. */
3746 r
= path_is_mount_point(arg_directory
, false);
3748 log_error_errno(r
, "Failed to determine whether directory %s is mount point: %m", arg_directory
);
3752 r
= tempfn_random_child(arg_directory
, &np
);
3754 r
= tempfn_random(arg_directory
, &np
);
3756 log_error_errno(r
, "Failed to generate name for snapshot: %m");
3760 r
= image_path_lock(np
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3762 log_error_errno(r
, "Failed to lock %s: %m", np
);
3766 r
= btrfs_subvol_snapshot(arg_directory
, np
, (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) | BTRFS_SNAPSHOT_FALLBACK_COPY
| BTRFS_SNAPSHOT_RECURSIVE
);
3768 log_error_errno(r
, "Failed to create snapshot %s from %s: %m", np
, arg_directory
);
3772 free(arg_directory
);
3776 remove_subvol
= true;
3779 r
= image_path_lock(arg_directory
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3781 log_error_errno(r
, "Directory tree %s is currently busy.", arg_directory
);
3785 log_error_errno(r
, "Failed to lock %s: %m", arg_directory
);
3790 r
= btrfs_subvol_snapshot(arg_template
, arg_directory
, (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) | BTRFS_SNAPSHOT_FALLBACK_COPY
| BTRFS_SNAPSHOT_RECURSIVE
);
3793 log_info("Directory %s already exists, not populating from template %s.", arg_directory
, arg_template
);
3795 log_error_errno(r
, "Couldn't create snapshot %s from %s: %m", arg_directory
, arg_template
);
3799 log_info("Populated %s from template %s.", arg_directory
, arg_template
);
3805 if (path_is_os_tree(arg_directory
) <= 0) {
3806 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory
);
3813 p
= strjoina(arg_directory
,
3814 argc
> optind
&& path_is_absolute(argv
[optind
]) ? argv
[optind
] : "/usr/bin/");
3815 if (access(p
, F_OK
) < 0) {
3816 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory
);
3823 char template[] = "/tmp/nspawn-root-XXXXXX";
3826 assert(!arg_template
);
3828 r
= image_path_lock(arg_image
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3830 r
= log_error_errno(r
, "Disk image %s is currently busy.", arg_image
);
3834 r
= log_error_errno(r
, "Failed to create image lock: %m");
3838 if (!mkdtemp(template)) {
3839 log_error_errno(errno
, "Failed to create temporary directory: %m");
3844 arg_directory
= strdup(template);
3845 if (!arg_directory
) {
3850 image_fd
= setup_image(&device_path
, &loop_nr
);
3856 r
= dissect_image(image_fd
,
3857 &root_device
, &root_device_rw
,
3858 &home_device
, &home_device_rw
,
3859 &srv_device
, &srv_device_rw
,
3865 r
= determine_uid_shift();
3869 interactive
= isatty(STDIN_FILENO
) > 0 && isatty(STDOUT_FILENO
) > 0;
3871 master
= posix_openpt(O_RDWR
|O_NOCTTY
|O_CLOEXEC
|O_NDELAY
);
3873 r
= log_error_errno(errno
, "Failed to acquire pseudo tty: %m");
3877 r
= ptsname_malloc(master
, &console
);
3879 r
= log_error_errno(r
, "Failed to determine tty name: %m");
3883 if (unlockpt(master
) < 0) {
3884 r
= log_error_errno(errno
, "Failed to unlock tty: %m");
3889 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3890 arg_machine
, arg_image
?: arg_directory
);
3892 assert_se(sigemptyset(&mask
) == 0);
3893 sigset_add_many(&mask
, SIGCHLD
, SIGWINCH
, SIGTERM
, SIGINT
, -1);
3894 assert_se(sigprocmask(SIG_BLOCK
, &mask
, NULL
) == 0);
3896 assert_se(sigemptyset(&mask_chld
) == 0);
3897 assert_se(sigaddset(&mask_chld
, SIGCHLD
) == 0);
3900 _cleanup_close_pair_
int kmsg_socket_pair
[2] = { -1, -1 }, rtnl_socket_pair
[2] = { -1, -1 };
3901 ContainerStatus container_status
;
3902 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
3903 struct sigaction sa
= {
3904 .sa_handler
= nop_handler
,
3905 .sa_flags
= SA_NOCLDSTOP
,
3908 r
= barrier_create(&barrier
);
3910 log_error_errno(r
, "Cannot initialize IPC barrier: %m");
3914 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, kmsg_socket_pair
) < 0) {
3915 r
= log_error_errno(errno
, "Failed to create kmsg socket pair: %m");
3919 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, rtnl_socket_pair
) < 0) {
3920 r
= log_error_errno(errno
, "Failed to create rtnl socket pair: %m");
3924 /* Child can be killed before execv(), so handle SIGCHLD
3925 * in order to interrupt parent's blocking calls and
3926 * give it a chance to call wait() and terminate. */
3927 r
= sigprocmask(SIG_UNBLOCK
, &mask_chld
, NULL
);
3929 r
= log_error_errno(errno
, "Failed to change the signal mask: %m");
3933 r
= sigaction(SIGCHLD
, &sa
, NULL
);
3935 r
= log_error_errno(errno
, "Failed to install SIGCHLD handler: %m");
3939 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
|
3940 (arg_share_system
? 0 : CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
)|
3941 (arg_private_network
? CLONE_NEWNET
: 0), NULL
);
3943 if (errno
== EINVAL
)
3944 r
= log_error_errno(errno
, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3946 r
= log_error_errno(errno
, "clone() failed: %m");
3953 _cleanup_free_
char *home
= NULL
;
3955 const char *envp
[] = {
3956 "PATH=" DEFAULT_PATH_SPLIT_USR
,
3957 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
3962 NULL
, /* container_uuid */
3963 NULL
, /* LISTEN_FDS */
3964 NULL
, /* LISTEN_PID */
3969 barrier_set_role(&barrier
, BARRIER_CHILD
);
3971 envp
[n_env
] = strv_find_prefix(environ
, "TERM=");
3975 master
= safe_close(master
);
3977 kmsg_socket_pair
[0] = safe_close(kmsg_socket_pair
[0]);
3978 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
3980 reset_all_signal_handlers();
3981 reset_signal_mask();
3984 close_nointr(STDIN_FILENO
);
3985 close_nointr(STDOUT_FILENO
);
3986 close_nointr(STDERR_FILENO
);
3988 r
= open_terminal(console
, O_RDWR
);
3989 if (r
!= STDIN_FILENO
) {
3995 log_error_errno(r
, "Failed to open console: %m");
3996 _exit(EXIT_FAILURE
);
3999 if (dup2(STDIN_FILENO
, STDOUT_FILENO
) != STDOUT_FILENO
||
4000 dup2(STDIN_FILENO
, STDERR_FILENO
) != STDERR_FILENO
) {
4001 log_error_errno(errno
, "Failed to duplicate console: %m");
4002 _exit(EXIT_FAILURE
);
4007 log_error_errno(errno
, "setsid() failed: %m");
4008 _exit(EXIT_FAILURE
);
4011 if (reset_audit_loginuid() < 0)
4012 _exit(EXIT_FAILURE
);
4014 if (prctl(PR_SET_PDEATHSIG
, SIGKILL
) < 0) {
4015 log_error_errno(errno
, "PR_SET_PDEATHSIG failed: %m");
4016 _exit(EXIT_FAILURE
);
4019 if (arg_private_network
)
4022 /* Mark everything as slave, so that we still
4023 * receive mounts from the real root, but don't
4024 * propagate mounts to the real root. */
4025 if (mount(NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
) < 0) {
4026 log_error_errno(errno
, "MS_SLAVE|MS_REC failed: %m");
4027 _exit(EXIT_FAILURE
);
4030 if (mount_devices(arg_directory
,
4031 root_device
, root_device_rw
,
4032 home_device
, home_device_rw
,
4033 srv_device
, srv_device_rw
) < 0)
4034 _exit(EXIT_FAILURE
);
4036 /* Turn directory into bind mount */
4037 if (mount(arg_directory
, arg_directory
, NULL
, MS_BIND
|MS_REC
, NULL
) < 0) {
4038 log_error_errno(errno
, "Failed to make bind mount: %m");
4039 _exit(EXIT_FAILURE
);
4042 r
= setup_volatile(arg_directory
);
4044 _exit(EXIT_FAILURE
);
4046 if (setup_volatile_state(arg_directory
) < 0)
4047 _exit(EXIT_FAILURE
);
4049 r
= base_filesystem_create(arg_directory
);
4051 _exit(EXIT_FAILURE
);
4053 if (arg_read_only
) {
4054 r
= bind_remount_recursive(arg_directory
, true);
4056 log_error_errno(r
, "Failed to make tree read-only: %m");
4057 _exit(EXIT_FAILURE
);
4061 if (mount_all(arg_directory
) < 0)
4062 _exit(EXIT_FAILURE
);
4064 if (copy_devnodes(arg_directory
) < 0)
4065 _exit(EXIT_FAILURE
);
4067 if (setup_ptmx(arg_directory
) < 0)
4068 _exit(EXIT_FAILURE
);
4070 dev_setup(arg_directory
);
4072 if (setup_propagate(arg_directory
) < 0)
4073 _exit(EXIT_FAILURE
);
4075 if (setup_seccomp() < 0)
4076 _exit(EXIT_FAILURE
);
4078 if (setup_dev_console(arg_directory
, console
) < 0)
4079 _exit(EXIT_FAILURE
);
4081 if (setup_kmsg(arg_directory
, kmsg_socket_pair
[1]) < 0)
4082 _exit(EXIT_FAILURE
);
4083 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
4085 if (send_rtnl(rtnl_socket_pair
[1]) < 0)
4086 _exit(EXIT_FAILURE
);
4087 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
4089 /* Tell the parent that we are ready, and that
4090 * it can cgroupify us to that we lack access
4091 * to certain devices and resources. */
4092 (void) barrier_place(&barrier
); /* #1 */
4094 if (setup_boot_id(arg_directory
) < 0)
4095 _exit(EXIT_FAILURE
);
4097 if (setup_timezone(arg_directory
) < 0)
4098 _exit(EXIT_FAILURE
);
4100 if (setup_resolv_conf(arg_directory
) < 0)
4101 _exit(EXIT_FAILURE
);
4103 if (setup_journal(arg_directory
) < 0)
4104 _exit(EXIT_FAILURE
);
4106 if (mount_binds(arg_directory
, arg_bind
, false) < 0)
4107 _exit(EXIT_FAILURE
);
4109 if (mount_binds(arg_directory
, arg_bind_ro
, true) < 0)
4110 _exit(EXIT_FAILURE
);
4112 if (mount_tmpfs(arg_directory
) < 0)
4113 _exit(EXIT_FAILURE
);
4115 /* Wait until we are cgroup-ified, so that we
4116 * can mount the right cgroup path writable */
4117 (void) barrier_place_and_sync(&barrier
); /* #2 */
4119 if (mount_cgroup(arg_directory
) < 0)
4120 _exit(EXIT_FAILURE
);
4122 if (chdir(arg_directory
) < 0) {
4123 log_error_errno(errno
, "chdir(%s) failed: %m", arg_directory
);
4124 _exit(EXIT_FAILURE
);
4127 if (mount(arg_directory
, "/", NULL
, MS_MOVE
, NULL
) < 0) {
4128 log_error_errno(errno
, "mount(MS_MOVE) failed: %m");
4129 _exit(EXIT_FAILURE
);
4132 if (chroot(".") < 0) {
4133 log_error_errno(errno
, "chroot() failed: %m");
4134 _exit(EXIT_FAILURE
);
4137 if (chdir("/") < 0) {
4138 log_error_errno(errno
, "chdir() failed: %m");
4139 _exit(EXIT_FAILURE
);
4143 if (unshare(CLONE_NEWUSER
) < 0) {
4144 log_error_errno(errno
, "unshare(CLONE_NEWUSER) failed: %m");
4145 _exit(EXIT_FAILURE
);
4148 /* Tell the parent, that it now can
4149 * write the UID map. */
4150 (void) barrier_place(&barrier
); /* #3 */
4152 /* Wait until the parent wrote the UID
4154 (void) barrier_place_and_sync(&barrier
); /* #4 */
4159 if (drop_capabilities() < 0) {
4160 log_error_errno(errno
, "drop_capabilities() failed: %m");
4161 _exit(EXIT_FAILURE
);
4166 if (arg_personality
!= 0xffffffffLU
) {
4167 if (personality(arg_personality
) < 0) {
4168 log_error_errno(errno
, "personality() failed: %m");
4169 _exit(EXIT_FAILURE
);
4171 } else if (secondary
) {
4172 if (personality(PER_LINUX32
) < 0) {
4173 log_error_errno(errno
, "personality() failed: %m");
4174 _exit(EXIT_FAILURE
);
4179 if (arg_selinux_context
)
4180 if (setexeccon((security_context_t
) arg_selinux_context
) < 0) {
4181 log_error_errno(errno
, "setexeccon(\"%s\") failed: %m", arg_selinux_context
);
4182 _exit(EXIT_FAILURE
);
4186 r
= change_uid_gid(&home
);
4188 _exit(EXIT_FAILURE
);
4190 if ((asprintf((char**)(envp
+ n_env
++), "HOME=%s", home
? home
: "/root") < 0) ||
4191 (asprintf((char**)(envp
+ n_env
++), "USER=%s", arg_user
? arg_user
: "root") < 0) ||
4192 (asprintf((char**)(envp
+ n_env
++), "LOGNAME=%s", arg_user
? arg_user
: "root") < 0)) {
4194 _exit(EXIT_FAILURE
);
4197 if (!sd_id128_equal(arg_uuid
, SD_ID128_NULL
)) {
4200 if (asprintf((char**)(envp
+ n_env
++), "container_uuid=%s", id128_format_as_uuid(arg_uuid
, as_uuid
)) < 0) {
4202 _exit(EXIT_FAILURE
);
4206 if (fdset_size(fds
) > 0) {
4207 r
= fdset_cloexec(fds
, false);
4209 log_error_errno(r
, "Failed to unset O_CLOEXEC for file descriptors.");
4210 _exit(EXIT_FAILURE
);
4213 if ((asprintf((char **)(envp
+ n_env
++), "LISTEN_FDS=%u", n_fd_passed
) < 0) ||
4214 (asprintf((char **)(envp
+ n_env
++), "LISTEN_PID=1") < 0)) {
4216 _exit(EXIT_FAILURE
);
4220 if (!strv_isempty(arg_setenv
)) {
4223 n
= strv_env_merge(2, envp
, arg_setenv
);
4226 _exit(EXIT_FAILURE
);
4231 env_use
= (char**) envp
;
4233 /* Let the parent know that we are ready and
4234 * wait until the parent is ready with the
4236 (void) barrier_place_and_sync(&barrier
); /* #5 */
4242 /* Automatically search for the init system */
4244 l
= 1 + argc
- optind
;
4245 a
= newa(char*, l
+ 1);
4246 memcpy(a
+ 1, argv
+ optind
, l
* sizeof(char*));
4248 a
[0] = (char*) "/usr/lib/systemd/systemd";
4249 execve(a
[0], a
, env_use
);
4251 a
[0] = (char*) "/lib/systemd/systemd";
4252 execve(a
[0], a
, env_use
);
4254 a
[0] = (char*) "/sbin/init";
4255 execve(a
[0], a
, env_use
);
4256 } else if (argc
> optind
)
4257 execvpe(argv
[optind
], argv
+ optind
, env_use
);
4259 chdir(home
? home
: "/root");
4260 execle("/bin/bash", "-bash", NULL
, env_use
);
4261 execle("/bin/sh", "-sh", NULL
, env_use
);
4264 log_error_errno(errno
, "execv() failed: %m");
4265 _exit(EXIT_FAILURE
);
4268 barrier_set_role(&barrier
, BARRIER_PARENT
);
4272 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
4273 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
4275 (void) barrier_place(&barrier
); /* #1 */
4277 /* Wait for the most basic Child-setup to be done,
4278 * before we add hardware to it, and place it in a
4280 if (barrier_sync(&barrier
)) { /* #1 */
4283 r
= move_network_interfaces(pid
);
4287 r
= setup_veth(pid
, veth_name
, &ifi
);
4291 r
= setup_bridge(veth_name
, &ifi
);
4295 r
= setup_macvlan(pid
);
4299 r
= setup_ipvlan(pid
);
4303 r
= register_machine(pid
, ifi
);
4307 /* Notify the child that the parent is ready with all
4308 * its setup, and that the child can now hand over
4309 * control to the code to run inside the container. */
4310 (void) barrier_place(&barrier
); /* #2 */
4313 char uid_map
[strlen("/proc//uid_map") + DECIMAL_STR_MAX(uid_t
) + 1], line
[DECIMAL_STR_MAX(uid_t
)*3+3+1];
4315 (void) barrier_place_and_sync(&barrier
); /* #3 */
4317 xsprintf(uid_map
, "/proc/" PID_FMT
"/uid_map", pid
);
4318 xsprintf(line
, UID_FMT
" " UID_FMT
" " UID_FMT
"\n", 0, arg_uid_shift
, arg_uid_range
);
4319 r
= write_string_file(uid_map
, line
);
4321 log_error_errno(r
, "Failed to write UID map: %m");
4325 /* We always assign the same UID and GID ranges */
4326 xsprintf(uid_map
, "/proc/" PID_FMT
"/gid_map", pid
);
4327 r
= write_string_file(uid_map
, line
);
4329 log_error_errno(r
, "Failed to write GID map: %m");
4333 (void) barrier_place(&barrier
); /* #4 */
4336 /* Block SIGCHLD here, before notifying child.
4337 * process_pty() will handle it with the other signals. */
4338 r
= sigprocmask(SIG_BLOCK
, &mask_chld
, NULL
);
4342 /* Reset signal to default */
4343 r
= default_signals(SIGCHLD
, -1);
4347 /* Let the child know that we are ready and wait that the child is completely ready now. */
4348 if (barrier_place_and_sync(&barrier
)) { /* #5 */
4349 _cleanup_event_unref_ sd_event
*event
= NULL
;
4350 _cleanup_(pty_forward_freep
) PTYForward
*forward
= NULL
;
4351 _cleanup_rtnl_unref_ sd_rtnl
*rtnl
= NULL
;
4356 "STATUS=Container running.\n"
4357 "X_NSPAWN_LEADER_PID=" PID_FMT
, pid
);
4359 r
= sd_event_new(&event
);
4361 log_error_errno(r
, "Failed to get default event source: %m");
4365 if (arg_kill_signal
> 0) {
4366 /* Try to kill the init system on SIGINT or SIGTERM */
4367 sd_event_add_signal(event
, NULL
, SIGINT
, on_orderly_shutdown
, UINT32_TO_PTR(pid
));
4368 sd_event_add_signal(event
, NULL
, SIGTERM
, on_orderly_shutdown
, UINT32_TO_PTR(pid
));
4370 /* Immediately exit */
4371 sd_event_add_signal(event
, NULL
, SIGINT
, NULL
, NULL
);
4372 sd_event_add_signal(event
, NULL
, SIGTERM
, NULL
, NULL
);
4375 /* simply exit on sigchld */
4376 sd_event_add_signal(event
, NULL
, SIGCHLD
, NULL
, NULL
);
4378 if (arg_expose_ports
) {
4379 r
= watch_rtnl(event
, rtnl_socket_pair
[0], &exposed
, &rtnl
);
4383 (void) expose_ports(rtnl
, &exposed
);
4386 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4388 r
= pty_forward_new(event
, master
, true, !interactive
, &forward
);
4390 log_error_errno(r
, "Failed to create PTY forwarder: %m");
4394 r
= sd_event_loop(event
);
4396 log_error_errno(r
, "Failed to run event loop: %m");
4400 pty_forward_get_last_char(forward
, &last_char
);
4402 forward
= pty_forward_free(forward
);
4404 if (!arg_quiet
&& last_char
!= '\n')
4407 /* Kill if it is not dead yet anyway */
4408 terminate_machine(pid
);
4412 /* Normally redundant, but better safe than sorry */
4415 r
= wait_for_container(pid
, &container_status
);
4419 /* We failed to wait for the container, or the
4420 * container exited abnormally */
4422 else if (r
> 0 || container_status
== CONTAINER_TERMINATED
){
4423 /* The container exited with a non-zero
4424 * status, or with zero status and no reboot
4430 /* CONTAINER_REBOOTED, loop again */
4432 if (arg_keep_unit
) {
4433 /* Special handling if we are running as a
4434 * service: instead of simply restarting the
4435 * machine we want to restart the entire
4436 * service, so let's inform systemd about this
4437 * with the special exit code 133. The service
4438 * file uses RestartForceExitStatus=133 so
4439 * that this results in a full nspawn
4440 * restart. This is necessary since we might
4441 * have cgroup parameters set we want to have
4448 flush_ports(&exposed
);
4454 "STATUS=Terminating...");
4456 loop_remove(loop_nr
, &image_fd
);
4461 if (remove_subvol
&& arg_directory
) {
4464 k
= btrfs_subvol_remove(arg_directory
, true);
4466 log_warning_errno(k
, "Cannot remove subvolume '%s', ignoring: %m", arg_directory
);
4472 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
4473 (void) rm_rf(p
, REMOVE_ROOT
);
4476 free(arg_directory
);
4481 strv_free(arg_setenv
);
4482 strv_free(arg_network_interfaces
);
4483 strv_free(arg_network_macvlan
);
4484 strv_free(arg_network_ipvlan
);
4485 strv_free(arg_bind
);
4486 strv_free(arg_bind_ro
);
4487 strv_free(arg_tmpfs
);
4489 flush_ports(&exposed
);
4491 while (arg_expose_ports
) {
4492 ExposePort
*p
= arg_expose_ports
;
4493 LIST_REMOVE(ports
, arg_expose_ports
, p
);
4497 return r
< 0 ? EXIT_FAILURE
: ret
;