1 /* SPDX-License-Identifier: LGPL-2.1+ */
10 #include <linux/loop.h>
13 #include <selinux/selinux.h>
19 #include <sys/personality.h>
20 #include <sys/prctl.h>
21 #include <sys/types.h>
26 #include "sd-daemon.h"
29 #include "alloc-util.h"
31 #include "base-filesystem.h"
32 #include "blkid-util.h"
33 #include "btrfs-util.h"
34 #include "bus-error.h"
37 #include "capability-util.h"
38 #include "cgroup-util.h"
40 #include "cpu-set-util.h"
41 #include "dev-setup.h"
42 #include "dissect-image.h"
47 #include "format-util.h"
50 #include "hexdecoct.h"
51 #include "hostname-util.h"
52 #include "id128-util.h"
54 #include "loop-util.h"
55 #include "loopback-setup.h"
56 #include "machine-image.h"
58 #include "main-func.h"
59 #include "missing_sched.h"
61 #include "mount-util.h"
62 #include "mountpoint-util.h"
63 #include "namespace-util.h"
64 #include "netlink-util.h"
65 #include "nspawn-cgroup.h"
66 #include "nspawn-def.h"
67 #include "nspawn-expose-ports.h"
68 #include "nspawn-mount.h"
69 #include "nspawn-network.h"
70 #include "nspawn-oci.h"
71 #include "nspawn-patch-uid.h"
72 #include "nspawn-register.h"
73 #include "nspawn-seccomp.h"
74 #include "nspawn-settings.h"
75 #include "nspawn-setuid.h"
76 #include "nspawn-stub-pid1.h"
77 #include "nulstr-util.h"
80 #include "parse-util.h"
81 #include "path-util.h"
82 #include "pretty-print.h"
83 #include "process-util.h"
85 #include "random-util.h"
86 #include "raw-clone.h"
87 #include "rlimit-util.h"
90 #include "seccomp-util.h"
92 #include "selinux-util.h"
93 #include "signal-util.h"
94 #include "socket-util.h"
95 #include "stat-util.h"
96 #include "stdio-util.h"
97 #include "string-table.h"
98 #include "string-util.h"
100 #include "sysctl-util.h"
101 #include "terminal-util.h"
102 #include "tmpfile-util.h"
103 #include "umask-util.h"
104 #include "unit-name.h"
105 #include "user-util.h"
109 #define STATIC_RESOLV_CONF "/lib/systemd/resolv.conf"
111 #define STATIC_RESOLV_CONF "/usr/lib/systemd/resolv.conf"
114 /* nspawn is listening on the socket at the path in the constant nspawn_notify_socket_path
115 * nspawn_notify_socket_path is relative to the container
116 * the init process in the container pid can send messages to nspawn following the sd_notify(3) protocol */
117 #define NSPAWN_NOTIFY_SOCKET_PATH "/run/systemd/nspawn/notify"
119 #define EXIT_FORCE_RESTART 133
121 typedef enum ContainerStatus
{
122 CONTAINER_TERMINATED
,
126 static char *arg_directory
= NULL
;
127 static char *arg_template
= NULL
;
128 static char *arg_chdir
= NULL
;
129 static char *arg_pivot_root_new
= NULL
;
130 static char *arg_pivot_root_old
= NULL
;
131 static char *arg_user
= NULL
;
132 static uid_t arg_uid
= UID_INVALID
;
133 static gid_t arg_gid
= GID_INVALID
;
134 static gid_t
* arg_supplementary_gids
= NULL
;
135 static size_t arg_n_supplementary_gids
= 0;
136 static sd_id128_t arg_uuid
= {};
137 static char *arg_machine
= NULL
; /* The name used by the host to refer to this */
138 static char *arg_hostname
= NULL
; /* The name the payload sees by default */
139 static const char *arg_selinux_context
= NULL
;
140 static const char *arg_selinux_apifs_context
= NULL
;
141 static char *arg_slice
= NULL
;
142 static bool arg_private_network
= false;
143 static bool arg_read_only
= false;
144 static StartMode arg_start_mode
= START_PID1
;
145 static bool arg_ephemeral
= false;
146 static LinkJournal arg_link_journal
= LINK_AUTO
;
147 static bool arg_link_journal_try
= false;
148 static uint64_t arg_caps_retain
=
149 (1ULL << CAP_AUDIT_CONTROL
) |
150 (1ULL << CAP_AUDIT_WRITE
) |
151 (1ULL << CAP_CHOWN
) |
152 (1ULL << CAP_DAC_OVERRIDE
) |
153 (1ULL << CAP_DAC_READ_SEARCH
) |
154 (1ULL << CAP_FOWNER
) |
155 (1ULL << CAP_FSETID
) |
156 (1ULL << CAP_IPC_OWNER
) |
158 (1ULL << CAP_LEASE
) |
159 (1ULL << CAP_LINUX_IMMUTABLE
) |
160 (1ULL << CAP_MKNOD
) |
161 (1ULL << CAP_NET_BIND_SERVICE
) |
162 (1ULL << CAP_NET_BROADCAST
) |
163 (1ULL << CAP_NET_RAW
) |
164 (1ULL << CAP_SETFCAP
) |
165 (1ULL << CAP_SETGID
) |
166 (1ULL << CAP_SETPCAP
) |
167 (1ULL << CAP_SETUID
) |
168 (1ULL << CAP_SYS_ADMIN
) |
169 (1ULL << CAP_SYS_BOOT
) |
170 (1ULL << CAP_SYS_CHROOT
) |
171 (1ULL << CAP_SYS_NICE
) |
172 (1ULL << CAP_SYS_PTRACE
) |
173 (1ULL << CAP_SYS_RESOURCE
) |
174 (1ULL << CAP_SYS_TTY_CONFIG
);
175 static CapabilityQuintet arg_full_capabilities
= CAPABILITY_QUINTET_NULL
;
176 static CustomMount
*arg_custom_mounts
= NULL
;
177 static size_t arg_n_custom_mounts
= 0;
178 static char **arg_setenv
= NULL
;
179 static bool arg_quiet
= false;
180 static bool arg_register
= true;
181 static bool arg_keep_unit
= false;
182 static char **arg_network_interfaces
= NULL
;
183 static char **arg_network_macvlan
= NULL
;
184 static char **arg_network_ipvlan
= NULL
;
185 static bool arg_network_veth
= false;
186 static char **arg_network_veth_extra
= NULL
;
187 static char *arg_network_bridge
= NULL
;
188 static char *arg_network_zone
= NULL
;
189 static char *arg_network_namespace_path
= NULL
;
190 static PagerFlags arg_pager_flags
= 0;
191 static unsigned long arg_personality
= PERSONALITY_INVALID
;
192 static char *arg_image
= NULL
;
193 static char *arg_oci_bundle
= NULL
;
194 static VolatileMode arg_volatile_mode
= VOLATILE_NO
;
195 static ExposePort
*arg_expose_ports
= NULL
;
196 static char **arg_property
= NULL
;
197 static sd_bus_message
*arg_property_message
= NULL
;
198 static UserNamespaceMode arg_userns_mode
= USER_NAMESPACE_NO
;
199 static uid_t arg_uid_shift
= UID_INVALID
, arg_uid_range
= 0x10000U
;
200 static bool arg_userns_chown
= false;
201 static int arg_kill_signal
= 0;
202 static CGroupUnified arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_UNKNOWN
;
203 static SettingsMask arg_settings_mask
= 0;
204 static int arg_settings_trusted
= -1;
205 static char **arg_parameters
= NULL
;
206 static const char *arg_container_service_name
= "systemd-nspawn";
207 static bool arg_notify_ready
= false;
208 static bool arg_use_cgns
= true;
209 static unsigned long arg_clone_ns_flags
= CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
;
210 static MountSettingsMask arg_mount_settings
= MOUNT_APPLY_APIVFS_RO
|MOUNT_APPLY_TMPFS_TMP
;
211 static void *arg_root_hash
= NULL
;
212 static size_t arg_root_hash_size
= 0;
213 static char **arg_syscall_whitelist
= NULL
;
214 static char **arg_syscall_blacklist
= NULL
;
216 static scmp_filter_ctx arg_seccomp
= NULL
;
218 static struct rlimit
*arg_rlimit
[_RLIMIT_MAX
] = {};
219 static bool arg_no_new_privileges
= false;
220 static int arg_oom_score_adjust
= 0;
221 static bool arg_oom_score_adjust_set
= false;
222 static CPUSet arg_cpu_set
= {};
223 static ResolvConfMode arg_resolv_conf
= RESOLV_CONF_AUTO
;
224 static TimezoneMode arg_timezone
= TIMEZONE_AUTO
;
225 static unsigned arg_console_width
= (unsigned) -1, arg_console_height
= (unsigned) -1;
226 static DeviceNode
* arg_extra_nodes
= NULL
;
227 static size_t arg_n_extra_nodes
= 0;
228 static char **arg_sysctl
= NULL
;
229 static ConsoleMode arg_console_mode
= _CONSOLE_MODE_INVALID
;
231 STATIC_DESTRUCTOR_REGISTER(arg_directory
, freep
);
232 STATIC_DESTRUCTOR_REGISTER(arg_template
, freep
);
233 STATIC_DESTRUCTOR_REGISTER(arg_chdir
, freep
);
234 STATIC_DESTRUCTOR_REGISTER(arg_pivot_root_new
, freep
);
235 STATIC_DESTRUCTOR_REGISTER(arg_pivot_root_old
, freep
);
236 STATIC_DESTRUCTOR_REGISTER(arg_user
, freep
);
237 STATIC_DESTRUCTOR_REGISTER(arg_supplementary_gids
, freep
);
238 STATIC_DESTRUCTOR_REGISTER(arg_machine
, freep
);
239 STATIC_DESTRUCTOR_REGISTER(arg_hostname
, freep
);
240 STATIC_DESTRUCTOR_REGISTER(arg_slice
, freep
);
241 STATIC_DESTRUCTOR_REGISTER(arg_setenv
, strv_freep
);
242 STATIC_DESTRUCTOR_REGISTER(arg_network_interfaces
, strv_freep
);
243 STATIC_DESTRUCTOR_REGISTER(arg_network_macvlan
, strv_freep
);
244 STATIC_DESTRUCTOR_REGISTER(arg_network_ipvlan
, strv_freep
);
245 STATIC_DESTRUCTOR_REGISTER(arg_network_veth_extra
, strv_freep
);
246 STATIC_DESTRUCTOR_REGISTER(arg_network_bridge
, freep
);
247 STATIC_DESTRUCTOR_REGISTER(arg_network_zone
, freep
);
248 STATIC_DESTRUCTOR_REGISTER(arg_network_namespace_path
, freep
);
249 STATIC_DESTRUCTOR_REGISTER(arg_image
, freep
);
250 STATIC_DESTRUCTOR_REGISTER(arg_oci_bundle
, freep
);
251 STATIC_DESTRUCTOR_REGISTER(arg_property
, strv_freep
);
252 STATIC_DESTRUCTOR_REGISTER(arg_property_message
, sd_bus_message_unrefp
);
253 STATIC_DESTRUCTOR_REGISTER(arg_parameters
, strv_freep
);
254 STATIC_DESTRUCTOR_REGISTER(arg_root_hash
, freep
);
255 STATIC_DESTRUCTOR_REGISTER(arg_syscall_whitelist
, strv_freep
);
256 STATIC_DESTRUCTOR_REGISTER(arg_syscall_blacklist
, strv_freep
);
258 STATIC_DESTRUCTOR_REGISTER(arg_seccomp
, seccomp_releasep
);
260 STATIC_DESTRUCTOR_REGISTER(arg_cpu_set
, cpu_set_reset
);
261 STATIC_DESTRUCTOR_REGISTER(arg_sysctl
, strv_freep
);
263 static int handle_arg_console(const char *arg
) {
264 if (streq(arg
, "help")) {
272 if (streq(arg
, "interactive"))
273 arg_console_mode
= CONSOLE_INTERACTIVE
;
274 else if (streq(arg
, "read-only"))
275 arg_console_mode
= CONSOLE_READ_ONLY
;
276 else if (streq(arg
, "passive"))
277 arg_console_mode
= CONSOLE_PASSIVE
;
278 else if (streq(arg
, "pipe"))
279 arg_console_mode
= CONSOLE_PIPE
;
281 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Unknown console mode: %s", optarg
);
283 arg_settings_mask
|= SETTING_CONSOLE_MODE
;
287 static int help(void) {
288 _cleanup_free_
char *link
= NULL
;
291 (void) pager_open(arg_pager_flags
);
293 r
= terminal_urlify_man("systemd-nspawn", "1", &link
);
297 printf("%1$s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
298 "Spawn a command or OS in a light-weight container.\n\n"
299 " -h --help Show this help\n"
300 " --version Print version string\n"
301 " -q --quiet Do not show status information\n"
302 " --no-pager Do not pipe output into a pager\n"
303 " --settings=BOOLEAN Load additional settings from .nspawn file\n\n"
305 " -D --directory=PATH Root directory for the container\n"
306 " --template=PATH Initialize root directory from template directory,\n"
308 " -x --ephemeral Run container with snapshot of root directory, and\n"
309 " remove it after exit\n"
310 " -i --image=PATH Root file system disk image (or device node) for\n"
312 " --oci-bundle=PATH OCI bundle directory\n"
313 " --read-only Mount the root directory read-only\n"
314 " --volatile[=MODE] Run the system in volatile mode\n"
315 " --root-hash=HASH Specify verity root hash for root disk image\n"
316 " --pivot-root=PATH[:PATH]\n"
317 " Pivot root to given directory in the container\n\n"
318 "%3$sExecution:%4$s\n"
319 " -a --as-pid2 Maintain a stub init as PID1, invoke binary as PID2\n"
320 " -b --boot Boot up full system (i.e. invoke init)\n"
321 " --chdir=PATH Set working directory in the container\n"
322 " -E --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
323 " -u --user=USER Run the command under specified user or UID\n"
324 " --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
325 " --notify-ready=BOOLEAN Receive notifications from the child init process\n\n"
326 "%3$sSystem Identity:%4$s\n"
327 " -M --machine=NAME Set the machine name for the container\n"
328 " --hostname=NAME Override the hostname for the container\n"
329 " --uuid=UUID Set a specific machine UUID for the container\n\n"
330 "%3$sProperties:%4$s\n"
331 " -S --slice=SLICE Place the container in the specified slice\n"
332 " --property=NAME=VALUE Set scope unit property\n"
333 " --register=BOOLEAN Register container as machine\n"
334 " --keep-unit Do not register a scope for the machine, reuse\n"
335 " the service unit nspawn is running in\n\n"
336 "%3$sUser Namespacing:%4$s\n"
337 " -U --private-users=pick Run within user namespace, autoselect UID/GID range\n"
338 " --private-users[=UIDBASE[:NUIDS]]\n"
339 " Similar, but with user configured UID/GID range\n"
340 " --private-users-chown Adjust OS tree ownership to private UID/GID range\n\n"
341 "%3$sNetworking:%4$s\n"
342 " --private-network Disable network in container\n"
343 " --network-interface=INTERFACE\n"
344 " Assign an existing network interface to the\n"
346 " --network-macvlan=INTERFACE\n"
347 " Create a macvlan network interface based on an\n"
348 " existing network interface to the container\n"
349 " --network-ipvlan=INTERFACE\n"
350 " Create a ipvlan network interface based on an\n"
351 " existing network interface to the container\n"
352 " -n --network-veth Add a virtual Ethernet connection between host\n"
354 " --network-veth-extra=HOSTIF[:CONTAINERIF]\n"
355 " Add an additional virtual Ethernet link between\n"
356 " host and container\n"
357 " --network-bridge=INTERFACE\n"
358 " Add a virtual Ethernet connection to the container\n"
359 " and attach it to an existing bridge on the host\n"
360 " --network-zone=NAME Similar, but attach the new interface to an\n"
361 " an automatically managed bridge interface\n"
362 " --network-namespace-path=PATH\n"
363 " Set network namespace to the one represented by\n"
364 " the specified kernel namespace file node\n"
365 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
366 " Expose a container IP port on the host\n\n"
367 "%3$sSecurity:%4$s\n"
368 " --capability=CAP In addition to the default, retain specified\n"
370 " --drop-capability=CAP Drop the specified capability from the default set\n"
371 " --no-new-privileges Set PR_SET_NO_NEW_PRIVS flag for container payload\n"
372 " --system-call-filter=LIST|~LIST\n"
373 " Permit/prohibit specific system calls\n"
374 " -Z --selinux-context=SECLABEL\n"
375 " Set the SELinux security context to be used by\n"
376 " processes in the container\n"
377 " -L --selinux-apifs-context=SECLABEL\n"
378 " Set the SELinux security context to be used by\n"
379 " API/tmpfs file systems in the container\n\n"
380 "%3$sResources:%4$s\n"
381 " --rlimit=NAME=LIMIT Set a resource limit for the payload\n"
382 " --oom-score-adjust=VALUE\n"
383 " Adjust the OOM score value for the payload\n"
384 " --cpu-affinity=CPUS Adjust the CPU affinity of the container\n"
385 " --personality=ARCH Pick personality for this container\n\n"
386 "%3$sIntegration:%4$s\n"
387 " --resolv-conf=MODE Select mode of /etc/resolv.conf initialization\n"
388 " --timezone=MODE Select mode of /etc/localtime initialization\n"
389 " --link-journal=MODE Link up guest journal, one of no, auto, guest, \n"
390 " host, try-guest, try-host\n"
391 " -j Equivalent to --link-journal=try-guest\n\n"
393 " --bind=PATH[:PATH[:OPTIONS]]\n"
394 " Bind mount a file or directory from the host into\n"
396 " --bind-ro=PATH[:PATH[:OPTIONS]\n"
397 " Similar, but creates a read-only bind mount\n"
398 " --inaccessible=PATH Over-mount file node with inaccessible node to mask\n"
400 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
401 " --overlay=PATH[:PATH...]:PATH\n"
402 " Create an overlay mount from the host to \n"
404 " --overlay-ro=PATH[:PATH...]:PATH\n"
405 " Similar, but creates a read-only overlay mount\n\n"
406 "%3$sInput/Output:%4$s\n"
407 " --console=MODE Select how stdin/stdout/stderr and /dev/console are\n"
408 " set up for the container.\n"
409 " -P --pipe Equivalent to --console=pipe\n"
410 "\nSee the %2$s for details.\n"
411 , program_invocation_short_name
413 , ansi_underline(), ansi_normal());
418 static int custom_mount_check_all(void) {
421 for (i
= 0; i
< arg_n_custom_mounts
; i
++) {
422 CustomMount
*m
= &arg_custom_mounts
[i
];
424 if (path_equal(m
->destination
, "/") && arg_userns_mode
!= USER_NAMESPACE_NO
) {
425 if (arg_userns_chown
)
426 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
427 "--private-users-chown may not be combined with custom root mounts.");
428 else if (arg_uid_shift
== UID_INVALID
)
429 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
430 "--private-users with automatic UID shift may not be combined with custom root mounts.");
437 static int detect_unified_cgroup_hierarchy_from_environment(void) {
438 const char *e
, *var
= "SYSTEMD_NSPAWN_UNIFIED_HIERARCHY";
441 /* Allow the user to control whether the unified hierarchy is used */
445 static bool warned
= false;
447 var
= "UNIFIED_CGROUP_HIERARCHY";
450 log_info("$UNIFIED_CGROUP_HIERARCHY has been renamed to $SYSTEMD_NSPAWN_UNIFIED_HIERARCHY.");
456 r
= parse_boolean(e
);
458 return log_error_errno(r
, "Failed to parse $%s: %m", var
);
460 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_ALL
;
462 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
468 static int detect_unified_cgroup_hierarchy_from_image(const char *directory
) {
471 /* Let's inherit the mode to use from the host system, but let's take into consideration what systemd
472 * in the image actually supports. */
473 r
= cg_all_unified();
475 return log_error_errno(r
, "Failed to determine whether we are in all unified mode.");
477 /* Unified cgroup hierarchy support was added in 230. Unfortunately the detection
478 * routine only detects 231, so we'll have a false negative here for 230. */
479 r
= systemd_installation_has_version(directory
, 230);
481 return log_error_errno(r
, "Failed to determine systemd version in container: %m");
483 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_ALL
;
485 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
486 } else if (cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER
) > 0) {
487 /* Mixed cgroup hierarchy support was added in 233 */
488 r
= systemd_installation_has_version(directory
, 233);
490 return log_error_errno(r
, "Failed to determine systemd version in container: %m");
492 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_SYSTEMD
;
494 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
496 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
498 log_debug("Using %s hierarchy for container.",
499 arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_NONE
? "legacy" :
500 arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_SYSTEMD
? "hybrid" : "unified");
505 static int parse_share_ns_env(const char *name
, unsigned long ns_flag
) {
508 r
= getenv_bool(name
);
512 return log_error_errno(r
, "Failed to parse $%s: %m", name
);
514 arg_clone_ns_flags
= (arg_clone_ns_flags
& ~ns_flag
) | (r
> 0 ? 0 : ns_flag
);
515 arg_settings_mask
|= SETTING_CLONE_NS_FLAGS
;
519 static int parse_mount_settings_env(void) {
523 r
= getenv_bool("SYSTEMD_NSPAWN_TMPFS_TMP");
524 if (r
< 0 && r
!= -ENXIO
)
525 return log_error_errno(r
, "Failed to parse $SYSTEMD_NSPAWN_TMPFS_TMP: %m");
527 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_TMPFS_TMP
, r
> 0);
529 e
= getenv("SYSTEMD_NSPAWN_API_VFS_WRITABLE");
530 if (streq_ptr(e
, "network"))
531 arg_mount_settings
|= MOUNT_APPLY_APIVFS_RO
|MOUNT_APPLY_APIVFS_NETNS
;
534 r
= parse_boolean(e
);
536 return log_error_errno(r
, "Failed to parse $SYSTEMD_NSPAWN_API_VFS_WRITABLE: %m");
538 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_APIVFS_RO
, r
== 0);
539 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_APIVFS_NETNS
, false);
545 static int parse_environment(void) {
549 r
= parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_IPC", CLONE_NEWIPC
);
552 r
= parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_PID", CLONE_NEWPID
);
555 r
= parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_UTS", CLONE_NEWUTS
);
558 r
= parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_SYSTEM", CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
);
562 r
= parse_mount_settings_env();
566 /* SYSTEMD_NSPAWN_USE_CGNS=0 can be used to disable CLONE_NEWCGROUP use,
567 * even if it is supported. If not supported, it has no effect. */
568 if (!cg_ns_supported())
569 arg_use_cgns
= false;
571 r
= getenv_bool("SYSTEMD_NSPAWN_USE_CGNS");
574 return log_error_errno(r
, "Failed to parse $SYSTEMD_NSPAWN_USE_CGNS: %m");
578 arg_use_cgns
= r
> 0;
579 arg_settings_mask
|= SETTING_USE_CGNS
;
583 e
= getenv("SYSTEMD_NSPAWN_CONTAINER_SERVICE");
585 arg_container_service_name
= e
;
587 return detect_unified_cgroup_hierarchy_from_environment();
590 static int parse_argv(int argc
, char *argv
[]) {
608 ARG_NETWORK_INTERFACE
,
613 ARG_NETWORK_VETH_EXTRA
,
614 ARG_NETWORK_NAMESPACE_PATH
,
624 ARG_PRIVATE_USERS_CHOWN
,
627 ARG_SYSTEM_CALL_FILTER
,
630 ARG_NO_NEW_PRIVILEGES
,
631 ARG_OOM_SCORE_ADJUST
,
641 static const struct option options
[] = {
642 { "help", no_argument
, NULL
, 'h' },
643 { "version", no_argument
, NULL
, ARG_VERSION
},
644 { "directory", required_argument
, NULL
, 'D' },
645 { "template", required_argument
, NULL
, ARG_TEMPLATE
},
646 { "ephemeral", no_argument
, NULL
, 'x' },
647 { "user", required_argument
, NULL
, 'u' },
648 { "private-network", no_argument
, NULL
, ARG_PRIVATE_NETWORK
},
649 { "as-pid2", no_argument
, NULL
, 'a' },
650 { "boot", no_argument
, NULL
, 'b' },
651 { "uuid", required_argument
, NULL
, ARG_UUID
},
652 { "read-only", no_argument
, NULL
, ARG_READ_ONLY
},
653 { "capability", required_argument
, NULL
, ARG_CAPABILITY
},
654 { "drop-capability", required_argument
, NULL
, ARG_DROP_CAPABILITY
},
655 { "no-new-privileges", required_argument
, NULL
, ARG_NO_NEW_PRIVILEGES
},
656 { "link-journal", required_argument
, NULL
, ARG_LINK_JOURNAL
},
657 { "bind", required_argument
, NULL
, ARG_BIND
},
658 { "bind-ro", required_argument
, NULL
, ARG_BIND_RO
},
659 { "tmpfs", required_argument
, NULL
, ARG_TMPFS
},
660 { "overlay", required_argument
, NULL
, ARG_OVERLAY
},
661 { "overlay-ro", required_argument
, NULL
, ARG_OVERLAY_RO
},
662 { "inaccessible", required_argument
, NULL
, ARG_INACCESSIBLE
},
663 { "machine", required_argument
, NULL
, 'M' },
664 { "hostname", required_argument
, NULL
, ARG_HOSTNAME
},
665 { "slice", required_argument
, NULL
, 'S' },
666 { "setenv", required_argument
, NULL
, 'E' },
667 { "selinux-context", required_argument
, NULL
, 'Z' },
668 { "selinux-apifs-context", required_argument
, NULL
, 'L' },
669 { "quiet", no_argument
, NULL
, 'q' },
670 { "share-system", no_argument
, NULL
, ARG_SHARE_SYSTEM
}, /* not documented */
671 { "register", required_argument
, NULL
, ARG_REGISTER
},
672 { "keep-unit", no_argument
, NULL
, ARG_KEEP_UNIT
},
673 { "network-interface", required_argument
, NULL
, ARG_NETWORK_INTERFACE
},
674 { "network-macvlan", required_argument
, NULL
, ARG_NETWORK_MACVLAN
},
675 { "network-ipvlan", required_argument
, NULL
, ARG_NETWORK_IPVLAN
},
676 { "network-veth", no_argument
, NULL
, 'n' },
677 { "network-veth-extra", required_argument
, NULL
, ARG_NETWORK_VETH_EXTRA
},
678 { "network-bridge", required_argument
, NULL
, ARG_NETWORK_BRIDGE
},
679 { "network-zone", required_argument
, NULL
, ARG_NETWORK_ZONE
},
680 { "network-namespace-path", required_argument
, NULL
, ARG_NETWORK_NAMESPACE_PATH
},
681 { "personality", required_argument
, NULL
, ARG_PERSONALITY
},
682 { "image", required_argument
, NULL
, 'i' },
683 { "volatile", optional_argument
, NULL
, ARG_VOLATILE
},
684 { "port", required_argument
, NULL
, 'p' },
685 { "property", required_argument
, NULL
, ARG_PROPERTY
},
686 { "private-users", optional_argument
, NULL
, ARG_PRIVATE_USERS
},
687 { "private-users-chown", optional_argument
, NULL
, ARG_PRIVATE_USERS_CHOWN
},
688 { "kill-signal", required_argument
, NULL
, ARG_KILL_SIGNAL
},
689 { "settings", required_argument
, NULL
, ARG_SETTINGS
},
690 { "chdir", required_argument
, NULL
, ARG_CHDIR
},
691 { "pivot-root", required_argument
, NULL
, ARG_PIVOT_ROOT
},
692 { "notify-ready", required_argument
, NULL
, ARG_NOTIFY_READY
},
693 { "root-hash", required_argument
, NULL
, ARG_ROOT_HASH
},
694 { "system-call-filter", required_argument
, NULL
, ARG_SYSTEM_CALL_FILTER
},
695 { "rlimit", required_argument
, NULL
, ARG_RLIMIT
},
696 { "oom-score-adjust", required_argument
, NULL
, ARG_OOM_SCORE_ADJUST
},
697 { "cpu-affinity", required_argument
, NULL
, ARG_CPU_AFFINITY
},
698 { "resolv-conf", required_argument
, NULL
, ARG_RESOLV_CONF
},
699 { "timezone", required_argument
, NULL
, ARG_TIMEZONE
},
700 { "console", required_argument
, NULL
, ARG_CONSOLE
},
701 { "pipe", no_argument
, NULL
, ARG_PIPE
},
702 { "oci-bundle", required_argument
, NULL
, ARG_OCI_BUNDLE
},
703 { "no-pager", no_argument
, NULL
, ARG_NO_PAGER
},
709 uint64_t plus
= 0, minus
= 0;
710 bool mask_all_settings
= false, mask_no_settings
= false;
715 while ((c
= getopt_long(argc
, argv
, "+hD:u:abL:M:jS:Z:qi:xp:nUE:P", options
, NULL
)) >= 0)
725 r
= parse_path_argument_and_warn(optarg
, false, &arg_directory
);
729 arg_settings_mask
|= SETTING_DIRECTORY
;
733 r
= parse_path_argument_and_warn(optarg
, false, &arg_template
);
737 arg_settings_mask
|= SETTING_DIRECTORY
;
741 r
= parse_path_argument_and_warn(optarg
, false, &arg_image
);
745 arg_settings_mask
|= SETTING_DIRECTORY
;
749 r
= parse_path_argument_and_warn(optarg
, false, &arg_oci_bundle
);
756 arg_ephemeral
= true;
757 arg_settings_mask
|= SETTING_EPHEMERAL
;
761 r
= free_and_strdup(&arg_user
, optarg
);
765 arg_settings_mask
|= SETTING_USER
;
768 case ARG_NETWORK_ZONE
: {
771 j
= strjoin("vz-", optarg
);
775 if (!ifname_valid(j
)) {
776 log_error("Network zone name not valid: %s", j
);
781 free_and_replace(arg_network_zone
, j
);
783 arg_network_veth
= true;
784 arg_private_network
= true;
785 arg_settings_mask
|= SETTING_NETWORK
;
789 case ARG_NETWORK_BRIDGE
:
791 if (!ifname_valid(optarg
))
792 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
793 "Bridge interface name not valid: %s", optarg
);
795 r
= free_and_strdup(&arg_network_bridge
, optarg
);
801 arg_network_veth
= true;
802 arg_private_network
= true;
803 arg_settings_mask
|= SETTING_NETWORK
;
806 case ARG_NETWORK_VETH_EXTRA
:
807 r
= veth_extra_parse(&arg_network_veth_extra
, optarg
);
809 return log_error_errno(r
, "Failed to parse --network-veth-extra= parameter: %s", optarg
);
811 arg_private_network
= true;
812 arg_settings_mask
|= SETTING_NETWORK
;
815 case ARG_NETWORK_INTERFACE
:
816 if (!ifname_valid(optarg
))
817 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
818 "Network interface name not valid: %s", optarg
);
820 if (strv_extend(&arg_network_interfaces
, optarg
) < 0)
823 arg_private_network
= true;
824 arg_settings_mask
|= SETTING_NETWORK
;
827 case ARG_NETWORK_MACVLAN
:
829 if (!ifname_valid(optarg
))
830 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
831 "MACVLAN network interface name not valid: %s", optarg
);
833 if (strv_extend(&arg_network_macvlan
, optarg
) < 0)
836 arg_private_network
= true;
837 arg_settings_mask
|= SETTING_NETWORK
;
840 case ARG_NETWORK_IPVLAN
:
842 if (!ifname_valid(optarg
))
843 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
844 "IPVLAN network interface name not valid: %s", optarg
);
846 if (strv_extend(&arg_network_ipvlan
, optarg
) < 0)
850 case ARG_PRIVATE_NETWORK
:
851 arg_private_network
= true;
852 arg_settings_mask
|= SETTING_NETWORK
;
855 case ARG_NETWORK_NAMESPACE_PATH
:
856 r
= parse_path_argument_and_warn(optarg
, false, &arg_network_namespace_path
);
860 arg_settings_mask
|= SETTING_NETWORK
;
864 if (arg_start_mode
== START_PID2
)
865 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
866 "--boot and --as-pid2 may not be combined.");
868 arg_start_mode
= START_BOOT
;
869 arg_settings_mask
|= SETTING_START_MODE
;
873 if (arg_start_mode
== START_BOOT
)
874 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
875 "--boot and --as-pid2 may not be combined.");
877 arg_start_mode
= START_PID2
;
878 arg_settings_mask
|= SETTING_START_MODE
;
882 r
= sd_id128_from_string(optarg
, &arg_uuid
);
884 return log_error_errno(r
, "Invalid UUID: %s", optarg
);
886 if (sd_id128_is_null(arg_uuid
))
887 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
888 "Machine UUID may not be all zeroes.");
890 arg_settings_mask
|= SETTING_MACHINE_ID
;
894 _cleanup_free_
char *mangled
= NULL
;
896 r
= unit_name_mangle_with_suffix(optarg
, NULL
, UNIT_NAME_MANGLE_WARN
, ".slice", &mangled
);
900 free_and_replace(arg_slice
, mangled
);
901 arg_settings_mask
|= SETTING_SLICE
;
907 arg_machine
= mfree(arg_machine
);
909 if (!machine_name_is_valid(optarg
))
910 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
911 "Invalid machine name: %s", optarg
);
913 r
= free_and_strdup(&arg_machine
, optarg
);
921 arg_hostname
= mfree(arg_hostname
);
923 if (!hostname_is_valid(optarg
, false))
924 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
925 "Invalid hostname: %s", optarg
);
927 r
= free_and_strdup(&arg_hostname
, optarg
);
932 arg_settings_mask
|= SETTING_HOSTNAME
;
936 arg_selinux_context
= optarg
;
940 arg_selinux_apifs_context
= optarg
;
944 arg_read_only
= true;
945 arg_settings_mask
|= SETTING_READ_ONLY
;
949 case ARG_DROP_CAPABILITY
: {
952 _cleanup_free_
char *t
= NULL
;
954 r
= extract_first_word(&p
, &t
, ",", 0);
956 return log_error_errno(r
, "Failed to parse capability %s.", t
);
960 if (streq(t
, "all")) {
961 if (c
== ARG_CAPABILITY
)
962 plus
= (uint64_t) -1;
964 minus
= (uint64_t) -1;
966 r
= capability_from_name(t
);
968 return log_error_errno(r
, "Failed to parse capability %s.", t
);
970 if (c
== ARG_CAPABILITY
)
977 arg_settings_mask
|= SETTING_CAPABILITY
;
981 case ARG_NO_NEW_PRIVILEGES
:
982 r
= parse_boolean(optarg
);
984 return log_error_errno(r
, "Failed to parse --no-new-privileges= argument: %s", optarg
);
986 arg_no_new_privileges
= r
;
987 arg_settings_mask
|= SETTING_NO_NEW_PRIVILEGES
;
991 arg_link_journal
= LINK_GUEST
;
992 arg_link_journal_try
= true;
993 arg_settings_mask
|= SETTING_LINK_JOURNAL
;
996 case ARG_LINK_JOURNAL
:
997 r
= parse_link_journal(optarg
, &arg_link_journal
, &arg_link_journal_try
);
999 return log_error_errno(r
, "Failed to parse link journal mode %s", optarg
);
1001 arg_settings_mask
|= SETTING_LINK_JOURNAL
;
1006 r
= bind_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
, c
== ARG_BIND_RO
);
1008 return log_error_errno(r
, "Failed to parse --bind(-ro)= argument %s: %m", optarg
);
1010 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
1014 r
= tmpfs_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
);
1016 return log_error_errno(r
, "Failed to parse --tmpfs= argument %s: %m", optarg
);
1018 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
1022 case ARG_OVERLAY_RO
:
1023 r
= overlay_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
, c
== ARG_OVERLAY_RO
);
1024 if (r
== -EADDRNOTAVAIL
)
1025 return log_error_errno(r
, "--overlay(-ro)= needs at least two colon-separated directories specified.");
1027 return log_error_errno(r
, "Failed to parse --overlay(-ro)= argument %s: %m", optarg
);
1029 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
1032 case ARG_INACCESSIBLE
:
1033 r
= inaccessible_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
);
1035 return log_error_errno(r
, "Failed to parse --inaccessible= argument %s: %m", optarg
);
1037 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
1043 if (!env_assignment_is_valid(optarg
))
1044 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1045 "Environment variable assignment '%s' is not valid.", optarg
);
1047 n
= strv_env_set(arg_setenv
, optarg
);
1051 strv_free_and_replace(arg_setenv
, n
);
1052 arg_settings_mask
|= SETTING_ENVIRONMENT
;
1060 case ARG_SHARE_SYSTEM
:
1061 /* We don't officially support this anymore, except for compat reasons. People should use the
1062 * $SYSTEMD_NSPAWN_SHARE_* environment variables instead. */
1063 log_warning("Please do not use --share-system anymore, use $SYSTEMD_NSPAWN_SHARE_* instead.");
1064 arg_clone_ns_flags
= 0;
1068 r
= parse_boolean(optarg
);
1070 log_error("Failed to parse --register= argument: %s", optarg
);
1078 arg_keep_unit
= true;
1081 case ARG_PERSONALITY
:
1083 arg_personality
= personality_from_string(optarg
);
1084 if (arg_personality
== PERSONALITY_INVALID
)
1085 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1086 "Unknown or unsupported personality '%s'.", optarg
);
1088 arg_settings_mask
|= SETTING_PERSONALITY
;
1094 arg_volatile_mode
= VOLATILE_YES
;
1095 else if (streq(optarg
, "help")) {
1096 DUMP_STRING_TABLE(volatile_mode
, VolatileMode
, _VOLATILE_MODE_MAX
);
1101 m
= volatile_mode_from_string(optarg
);
1103 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1104 "Failed to parse --volatile= argument: %s", optarg
);
1106 arg_volatile_mode
= m
;
1109 arg_settings_mask
|= SETTING_VOLATILE_MODE
;
1113 r
= expose_port_parse(&arg_expose_ports
, optarg
);
1115 return log_error_errno(r
, "Duplicate port specification: %s", optarg
);
1117 return log_error_errno(r
, "Failed to parse host port %s: %m", optarg
);
1119 arg_settings_mask
|= SETTING_EXPOSE_PORTS
;
1123 if (strv_extend(&arg_property
, optarg
) < 0)
1128 case ARG_PRIVATE_USERS
: {
1133 else if (!in_charset(optarg
, DIGITS
))
1134 /* do *not* parse numbers as booleans */
1135 boolean
= parse_boolean(optarg
);
1137 if (boolean
== false) {
1138 /* no: User namespacing off */
1139 arg_userns_mode
= USER_NAMESPACE_NO
;
1140 arg_uid_shift
= UID_INVALID
;
1141 arg_uid_range
= UINT32_C(0x10000);
1142 } else if (boolean
== true) {
1143 /* yes: User namespacing on, UID range is read from root dir */
1144 arg_userns_mode
= USER_NAMESPACE_FIXED
;
1145 arg_uid_shift
= UID_INVALID
;
1146 arg_uid_range
= UINT32_C(0x10000);
1147 } else if (streq(optarg
, "pick")) {
1148 /* pick: User namespacing on, UID range is picked randomly */
1149 arg_userns_mode
= USER_NAMESPACE_PICK
;
1150 arg_uid_shift
= UID_INVALID
;
1151 arg_uid_range
= UINT32_C(0x10000);
1153 _cleanup_free_
char *buffer
= NULL
;
1154 const char *range
, *shift
;
1156 /* anything else: User namespacing on, UID range is explicitly configured */
1158 range
= strchr(optarg
, ':');
1160 buffer
= strndup(optarg
, range
- optarg
);
1166 r
= safe_atou32(range
, &arg_uid_range
);
1168 return log_error_errno(r
, "Failed to parse UID range \"%s\": %m", range
);
1172 r
= parse_uid(shift
, &arg_uid_shift
);
1174 return log_error_errno(r
, "Failed to parse UID \"%s\": %m", optarg
);
1176 arg_userns_mode
= USER_NAMESPACE_FIXED
;
1179 if (arg_uid_range
<= 0)
1180 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1181 "UID range cannot be 0.");
1183 arg_settings_mask
|= SETTING_USERNS
;
1188 if (userns_supported()) {
1189 arg_userns_mode
= USER_NAMESPACE_PICK
;
1190 arg_uid_shift
= UID_INVALID
;
1191 arg_uid_range
= UINT32_C(0x10000);
1193 arg_settings_mask
|= SETTING_USERNS
;
1198 case ARG_PRIVATE_USERS_CHOWN
:
1199 arg_userns_chown
= true;
1201 arg_settings_mask
|= SETTING_USERNS
;
1204 case ARG_KILL_SIGNAL
:
1205 if (streq(optarg
, "help")) {
1206 DUMP_STRING_TABLE(signal
, int, _NSIG
);
1210 arg_kill_signal
= signal_from_string(optarg
);
1211 if (arg_kill_signal
< 0)
1212 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1213 "Cannot parse signal: %s", optarg
);
1215 arg_settings_mask
|= SETTING_KILL_SIGNAL
;
1220 /* no → do not read files
1221 * yes → read files, do not override cmdline, trust only subset
1222 * override → read files, override cmdline, trust only subset
1223 * trusted → read files, do not override cmdline, trust all
1226 r
= parse_boolean(optarg
);
1228 if (streq(optarg
, "trusted")) {
1229 mask_all_settings
= false;
1230 mask_no_settings
= false;
1231 arg_settings_trusted
= true;
1233 } else if (streq(optarg
, "override")) {
1234 mask_all_settings
= false;
1235 mask_no_settings
= true;
1236 arg_settings_trusted
= -1;
1238 return log_error_errno(r
, "Failed to parse --settings= argument: %s", optarg
);
1241 mask_all_settings
= false;
1242 mask_no_settings
= false;
1243 arg_settings_trusted
= -1;
1246 mask_all_settings
= true;
1247 mask_no_settings
= false;
1248 arg_settings_trusted
= false;
1254 if (!path_is_absolute(optarg
))
1255 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1256 "Working directory %s is not an absolute path.", optarg
);
1258 r
= free_and_strdup(&arg_chdir
, optarg
);
1262 arg_settings_mask
|= SETTING_WORKING_DIRECTORY
;
1265 case ARG_PIVOT_ROOT
:
1266 r
= pivot_root_parse(&arg_pivot_root_new
, &arg_pivot_root_old
, optarg
);
1268 return log_error_errno(r
, "Failed to parse --pivot-root= argument %s: %m", optarg
);
1270 arg_settings_mask
|= SETTING_PIVOT_ROOT
;
1273 case ARG_NOTIFY_READY
:
1274 r
= parse_boolean(optarg
);
1276 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1277 "%s is not a valid notify mode. Valid modes are: yes, no, and ready.", optarg
);
1278 arg_notify_ready
= r
;
1279 arg_settings_mask
|= SETTING_NOTIFY_READY
;
1282 case ARG_ROOT_HASH
: {
1286 r
= unhexmem(optarg
, strlen(optarg
), &k
, &l
);
1288 return log_error_errno(r
, "Failed to parse root hash: %s", optarg
);
1289 if (l
< sizeof(sd_id128_t
)) {
1291 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Root hash must be at least 128bit long: %s", optarg
);
1294 free(arg_root_hash
);
1296 arg_root_hash_size
= l
;
1300 case ARG_SYSTEM_CALL_FILTER
: {
1304 negative
= optarg
[0] == '~';
1305 items
= negative
? optarg
+ 1 : optarg
;
1308 _cleanup_free_
char *word
= NULL
;
1310 r
= extract_first_word(&items
, &word
, NULL
, 0);
1316 return log_error_errno(r
, "Failed to parse system call filter: %m");
1319 r
= strv_extend(&arg_syscall_blacklist
, word
);
1321 r
= strv_extend(&arg_syscall_whitelist
, word
);
1326 arg_settings_mask
|= SETTING_SYSCALL_FILTER
;
1332 _cleanup_free_
char *name
= NULL
;
1335 if (streq(optarg
, "help")) {
1336 DUMP_STRING_TABLE(rlimit
, int, _RLIMIT_MAX
);
1340 eq
= strchr(optarg
, '=');
1342 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1343 "--rlimit= expects an '=' assignment.");
1345 name
= strndup(optarg
, eq
- optarg
);
1349 rl
= rlimit_from_string_harder(name
);
1351 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1352 "Unknown resource limit: %s", name
);
1354 if (!arg_rlimit
[rl
]) {
1355 arg_rlimit
[rl
] = new0(struct rlimit
, 1);
1356 if (!arg_rlimit
[rl
])
1360 r
= rlimit_parse(rl
, eq
+ 1, arg_rlimit
[rl
]);
1362 return log_error_errno(r
, "Failed to parse resource limit: %s", eq
+ 1);
1364 arg_settings_mask
|= SETTING_RLIMIT_FIRST
<< rl
;
1368 case ARG_OOM_SCORE_ADJUST
:
1369 r
= parse_oom_score_adjust(optarg
, &arg_oom_score_adjust
);
1371 return log_error_errno(r
, "Failed to parse --oom-score-adjust= parameter: %s", optarg
);
1373 arg_oom_score_adjust_set
= true;
1374 arg_settings_mask
|= SETTING_OOM_SCORE_ADJUST
;
1377 case ARG_CPU_AFFINITY
: {
1380 r
= parse_cpu_set(optarg
, &cpuset
);
1382 return log_error_errno(r
, "Failed to parse CPU affinity mask %s: %m", optarg
);
1384 cpu_set_reset(&arg_cpu_set
);
1385 arg_cpu_set
= cpuset
;
1386 arg_settings_mask
|= SETTING_CPU_AFFINITY
;
1390 case ARG_RESOLV_CONF
:
1391 if (streq(optarg
, "help")) {
1392 DUMP_STRING_TABLE(resolv_conf_mode
, ResolvConfMode
, _RESOLV_CONF_MODE_MAX
);
1396 arg_resolv_conf
= resolv_conf_mode_from_string(optarg
);
1397 if (arg_resolv_conf
< 0)
1398 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1399 "Failed to parse /etc/resolv.conf mode: %s", optarg
);
1401 arg_settings_mask
|= SETTING_RESOLV_CONF
;
1405 if (streq(optarg
, "help")) {
1406 DUMP_STRING_TABLE(timezone_mode
, TimezoneMode
, _TIMEZONE_MODE_MAX
);
1410 arg_timezone
= timezone_mode_from_string(optarg
);
1411 if (arg_timezone
< 0)
1412 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1413 "Failed to parse /etc/localtime mode: %s", optarg
);
1415 arg_settings_mask
|= SETTING_TIMEZONE
;
1419 r
= handle_arg_console(optarg
);
1426 r
= handle_arg_console("pipe");
1432 arg_pager_flags
|= PAGER_DISABLE
;
1439 assert_not_reached("Unhandled option");
1442 if (argc
> optind
) {
1443 strv_free(arg_parameters
);
1444 arg_parameters
= strv_copy(argv
+ optind
);
1445 if (!arg_parameters
)
1448 arg_settings_mask
|= SETTING_START_MODE
;
1451 if (arg_ephemeral
&& arg_template
&& !arg_directory
)
1452 /* User asked for ephemeral execution but specified --template= instead of --directory=. Semantically
1453 * such an invocation makes some sense, see https://github.com/systemd/systemd/issues/3667. Let's
1454 * accept this here, and silently make "--ephemeral --template=" equivalent to "--ephemeral
1456 arg_directory
= TAKE_PTR(arg_template
);
1458 arg_caps_retain
= (arg_caps_retain
| plus
| (arg_private_network
? UINT64_C(1) << CAP_NET_ADMIN
: 0)) & ~minus
;
1460 /* Make sure to parse environment before we reset the settings mask below */
1461 r
= parse_environment();
1465 /* Load all settings from .nspawn files */
1466 if (mask_no_settings
)
1467 arg_settings_mask
= 0;
1469 /* Don't load any settings from .nspawn files */
1470 if (mask_all_settings
)
1471 arg_settings_mask
= _SETTINGS_MASK_ALL
;
1476 static int verify_arguments(void) {
1479 if (arg_start_mode
== START_PID2
&& arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
) {
1480 /* If we are running the stub init in the container, we don't need to look at what the init
1481 * in the container supports, because we are not using it. Let's immediately pick the right
1482 * setting based on the host system configuration.
1484 * We only do this, if the user didn't use an environment variable to override the detection.
1487 r
= cg_all_unified();
1489 return log_error_errno(r
, "Failed to determine whether we are in all unified mode.");
1491 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_ALL
;
1492 else if (cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER
) > 0)
1493 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_SYSTEMD
;
1495 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
1498 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
1499 arg_mount_settings
|= MOUNT_USE_USERNS
;
1501 if (arg_private_network
)
1502 arg_mount_settings
|= MOUNT_APPLY_APIVFS_NETNS
;
1504 if (!(arg_clone_ns_flags
& CLONE_NEWPID
) ||
1505 !(arg_clone_ns_flags
& CLONE_NEWUTS
)) {
1506 arg_register
= false;
1507 if (arg_start_mode
!= START_PID1
)
1508 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--boot cannot be used without namespacing.");
1511 if (arg_userns_mode
== USER_NAMESPACE_PICK
)
1512 arg_userns_chown
= true;
1514 if (arg_start_mode
== START_BOOT
&& arg_kill_signal
<= 0)
1515 arg_kill_signal
= SIGRTMIN
+3;
1517 if (arg_volatile_mode
!= VOLATILE_NO
) /* Make sure all file systems contained in the image are mounted read-only if we are in volatile mode */
1518 arg_read_only
= true;
1520 if (arg_keep_unit
&& arg_register
&& cg_pid_get_owner_uid(0, NULL
) >= 0)
1521 /* Save the user from accidentally registering either user-$SESSION.scope or user@.service.
1522 * The latter is not technically a user session, but we don't need to labour the point. */
1523 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--keep-unit --register=yes may not be used when invoked from a user session.");
1525 if (arg_directory
&& arg_image
)
1526 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--directory= and --image= may not be combined.");
1528 if (arg_template
&& arg_image
)
1529 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--template= and --image= may not be combined.");
1531 if (arg_template
&& !(arg_directory
|| arg_machine
))
1532 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--template= needs --directory= or --machine=.");
1534 if (arg_ephemeral
&& arg_template
)
1535 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--ephemeral and --template= may not be combined.");
1537 if (arg_ephemeral
&& !IN_SET(arg_link_journal
, LINK_NO
, LINK_AUTO
))
1538 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--ephemeral and --link-journal= may not be combined.");
1540 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& !userns_supported())
1541 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "--private-users= is not supported, kernel compiled without user namespace support.");
1543 if (arg_userns_chown
&& arg_read_only
)
1544 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1545 "--read-only and --private-users-chown may not be combined.");
1547 /* We don't support --private-users-chown together with any of the volatile modes since we couldn't
1548 * change the read-only part of the tree (i.e. /usr) anyway, or because it would trigger a massive
1549 * copy-up (in case of overlay) making the entire exercise pointless. */
1550 if (arg_userns_chown
&& arg_volatile_mode
!= VOLATILE_NO
)
1551 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--volatile= and --private-users-chown may not be combined.");
1553 /* If --network-namespace-path is given with any other network-related option, we need to error out,
1554 * to avoid conflicts between different network options. */
1555 if (arg_network_namespace_path
&&
1556 (arg_network_interfaces
|| arg_network_macvlan
||
1557 arg_network_ipvlan
|| arg_network_veth_extra
||
1558 arg_network_bridge
|| arg_network_zone
||
1559 arg_network_veth
|| arg_private_network
))
1560 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--network-namespace-path= cannot be combined with other network options.");
1562 if (arg_network_bridge
&& arg_network_zone
)
1563 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1564 "--network-bridge= and --network-zone= may not be combined.");
1566 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& (arg_mount_settings
& MOUNT_APPLY_APIVFS_NETNS
) && !arg_private_network
)
1567 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid namespacing settings. Mounting sysfs with --private-users requires --private-network.");
1569 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& !(arg_mount_settings
& MOUNT_APPLY_APIVFS_RO
))
1570 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Cannot combine --private-users with read-write mounts.");
1572 if (arg_expose_ports
&& !arg_private_network
)
1573 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Cannot use --port= without private networking.");
1576 if (arg_expose_ports
)
1577 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "--port= is not supported, compiled without libiptc support.");
1580 r
= custom_mount_check_all();
1587 static int userns_lchown(const char *p
, uid_t uid
, gid_t gid
) {
1590 if (arg_userns_mode
== USER_NAMESPACE_NO
)
1593 if (uid
== UID_INVALID
&& gid
== GID_INVALID
)
1596 if (uid
!= UID_INVALID
) {
1597 uid
+= arg_uid_shift
;
1599 if (uid
< arg_uid_shift
|| uid
>= arg_uid_shift
+ arg_uid_range
)
1603 if (gid
!= GID_INVALID
) {
1604 gid
+= (gid_t
) arg_uid_shift
;
1606 if (gid
< (gid_t
) arg_uid_shift
|| gid
>= (gid_t
) (arg_uid_shift
+ arg_uid_range
))
1610 if (lchown(p
, uid
, gid
) < 0)
1616 static int userns_mkdir(const char *root
, const char *path
, mode_t mode
, uid_t uid
, gid_t gid
) {
1620 q
= prefix_roota(root
, path
);
1621 r
= mkdir_errno_wrapper(q
, mode
);
1627 return userns_lchown(q
, uid
, gid
);
1630 static const char *timezone_from_path(const char *path
) {
1631 return PATH_STARTSWITH_SET(
1633 "../usr/share/zoneinfo/",
1634 "/usr/share/zoneinfo/");
1637 static bool etc_writable(void) {
1638 return !arg_read_only
|| IN_SET(arg_volatile_mode
, VOLATILE_YES
, VOLATILE_OVERLAY
);
1641 static int setup_timezone(const char *dest
) {
1642 _cleanup_free_
char *p
= NULL
, *etc
= NULL
;
1643 const char *where
, *check
;
1649 if (IN_SET(arg_timezone
, TIMEZONE_AUTO
, TIMEZONE_SYMLINK
)) {
1650 r
= readlink_malloc("/etc/localtime", &p
);
1651 if (r
== -ENOENT
&& arg_timezone
== TIMEZONE_AUTO
)
1652 m
= etc_writable() ? TIMEZONE_DELETE
: TIMEZONE_OFF
;
1653 else if (r
== -EINVAL
&& arg_timezone
== TIMEZONE_AUTO
) /* regular file? */
1654 m
= etc_writable() ? TIMEZONE_COPY
: TIMEZONE_BIND
;
1656 log_warning_errno(r
, "Failed to read host's /etc/localtime symlink, not updating container timezone: %m");
1657 /* To handle warning, delete /etc/localtime and replace it with a symbolic link to a time zone data
1661 * ln -s /usr/share/zoneinfo/UTC /etc/localtime
1664 } else if (arg_timezone
== TIMEZONE_AUTO
)
1665 m
= etc_writable() ? TIMEZONE_SYMLINK
: TIMEZONE_BIND
;
1671 if (m
== TIMEZONE_OFF
)
1674 r
= chase_symlinks("/etc", dest
, CHASE_PREFIX_ROOT
, &etc
, NULL
);
1676 log_warning_errno(r
, "Failed to resolve /etc path in container, ignoring: %m");
1680 where
= strjoina(etc
, "/localtime");
1684 case TIMEZONE_DELETE
:
1685 if (unlink(where
) < 0)
1686 log_full_errno(errno
== ENOENT
? LOG_DEBUG
: LOG_WARNING
, errno
, "Failed to remove '%s', ignoring: %m", where
);
1690 case TIMEZONE_SYMLINK
: {
1691 _cleanup_free_
char *q
= NULL
;
1692 const char *z
, *what
;
1694 z
= timezone_from_path(p
);
1696 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1700 r
= readlink_malloc(where
, &q
);
1701 if (r
>= 0 && streq_ptr(timezone_from_path(q
), z
))
1702 return 0; /* Already pointing to the right place? Then do nothing .. */
1704 check
= strjoina(dest
, "/usr/share/zoneinfo/", z
);
1705 r
= chase_symlinks(check
, dest
, 0, NULL
, NULL
);
1707 log_debug_errno(r
, "Timezone %s does not exist (or is not accessible) in container, not creating symlink: %m", z
);
1709 if (unlink(where
) < 0 && errno
!= ENOENT
) {
1710 log_full_errno(IN_SET(errno
, EROFS
, EACCES
, EPERM
) ? LOG_DEBUG
: LOG_WARNING
, /* Don't complain on read-only images */
1711 errno
, "Failed to remove existing timezone info %s in container, ignoring: %m", where
);
1715 what
= strjoina("../usr/share/zoneinfo/", z
);
1716 if (symlink(what
, where
) < 0) {
1717 log_full_errno(IN_SET(errno
, EROFS
, EACCES
, EPERM
) ? LOG_DEBUG
: LOG_WARNING
,
1718 errno
, "Failed to correct timezone of container, ignoring: %m");
1728 case TIMEZONE_BIND
: {
1729 _cleanup_free_
char *resolved
= NULL
;
1732 found
= chase_symlinks(where
, dest
, CHASE_NONEXISTENT
, &resolved
, NULL
);
1734 log_warning_errno(found
, "Failed to resolve /etc/localtime path in container, ignoring: %m");
1738 if (found
== 0) /* missing? */
1739 (void) touch(resolved
);
1741 r
= mount_verbose(LOG_WARNING
, "/etc/localtime", resolved
, NULL
, MS_BIND
, NULL
);
1743 return mount_verbose(LOG_ERR
, NULL
, resolved
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
);
1749 /* If mounting failed, try to copy */
1750 r
= copy_file_atomic("/etc/localtime", where
, 0644, 0, 0, COPY_REFLINK
|COPY_REPLACE
);
1752 log_full_errno(IN_SET(r
, -EROFS
, -EACCES
, -EPERM
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1753 "Failed to copy /etc/localtime to %s, ignoring: %m", where
);
1760 assert_not_reached("unexpected mode");
1763 /* Fix permissions of the symlink or file copy we just created */
1764 r
= userns_lchown(where
, 0, 0);
1766 log_warning_errno(r
, "Failed to chown /etc/localtime, ignoring: %m");
1771 static int have_resolv_conf(const char *path
) {
1774 if (access(path
, F_OK
) < 0) {
1775 if (errno
== ENOENT
)
1778 return log_debug_errno(errno
, "Failed to determine whether '%s' is available: %m", path
);
1784 static int resolved_listening(void) {
1785 _cleanup_(sd_bus_error_free
) sd_bus_error error
= SD_BUS_ERROR_NULL
;
1786 _cleanup_(sd_bus_flush_close_unrefp
) sd_bus
*bus
= NULL
;
1787 _cleanup_free_
char *dns_stub_listener_mode
= NULL
;
1790 /* Check if resolved is listening */
1792 r
= sd_bus_open_system(&bus
);
1794 return log_debug_errno(r
, "Failed to open system bus: %m");
1796 r
= bus_name_has_owner(bus
, "org.freedesktop.resolve1", NULL
);
1798 return log_debug_errno(r
, "Failed to check whether the 'org.freedesktop.resolve1' bus name is taken: %m");
1802 r
= sd_bus_get_property_string(bus
,
1803 "org.freedesktop.resolve1",
1804 "/org/freedesktop/resolve1",
1805 "org.freedesktop.resolve1.Manager",
1808 &dns_stub_listener_mode
);
1810 return log_debug_errno(r
, "Failed to query DNSStubListener property: %s", bus_error_message(&error
, r
));
1812 return STR_IN_SET(dns_stub_listener_mode
, "udp", "yes");
1815 static int setup_resolv_conf(const char *dest
) {
1816 _cleanup_free_
char *etc
= NULL
;
1817 const char *where
, *what
;
1823 if (arg_resolv_conf
== RESOLV_CONF_AUTO
) {
1824 if (arg_private_network
)
1825 m
= RESOLV_CONF_OFF
;
1826 else if (have_resolv_conf(STATIC_RESOLV_CONF
) > 0 && resolved_listening() > 0)
1827 m
= etc_writable() ? RESOLV_CONF_COPY_STATIC
: RESOLV_CONF_BIND_STATIC
;
1828 else if (have_resolv_conf("/etc/resolv.conf") > 0)
1829 m
= etc_writable() ? RESOLV_CONF_COPY_HOST
: RESOLV_CONF_BIND_HOST
;
1831 m
= etc_writable() ? RESOLV_CONF_DELETE
: RESOLV_CONF_OFF
;
1833 m
= arg_resolv_conf
;
1835 if (m
== RESOLV_CONF_OFF
)
1838 r
= chase_symlinks("/etc", dest
, CHASE_PREFIX_ROOT
, &etc
, NULL
);
1840 log_warning_errno(r
, "Failed to resolve /etc path in container, ignoring: %m");
1844 where
= strjoina(etc
, "/resolv.conf");
1846 if (m
== RESOLV_CONF_DELETE
) {
1847 if (unlink(where
) < 0)
1848 log_full_errno(errno
== ENOENT
? LOG_DEBUG
: LOG_WARNING
, errno
, "Failed to remove '%s', ignoring: %m", where
);
1853 if (IN_SET(m
, RESOLV_CONF_BIND_STATIC
, RESOLV_CONF_COPY_STATIC
))
1854 what
= STATIC_RESOLV_CONF
;
1856 what
= "/etc/resolv.conf";
1858 if (IN_SET(m
, RESOLV_CONF_BIND_HOST
, RESOLV_CONF_BIND_STATIC
)) {
1859 _cleanup_free_
char *resolved
= NULL
;
1862 found
= chase_symlinks(where
, dest
, CHASE_NONEXISTENT
, &resolved
, NULL
);
1864 log_warning_errno(found
, "Failed to resolve /etc/resolv.conf path in container, ignoring: %m");
1868 if (found
== 0) /* missing? */
1869 (void) touch(resolved
);
1871 r
= mount_verbose(LOG_WARNING
, what
, resolved
, NULL
, MS_BIND
, NULL
);
1873 return mount_verbose(LOG_ERR
, NULL
, resolved
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
);
1876 /* If that didn't work, let's copy the file */
1877 r
= copy_file(what
, where
, O_TRUNC
|O_NOFOLLOW
, 0644, 0, 0, COPY_REFLINK
);
1879 /* If the file already exists as symlink, let's suppress the warning, under the assumption that
1880 * resolved or something similar runs inside and the symlink points there.
1882 * If the disk image is read-only, there's also no point in complaining.
1884 log_full_errno(!IN_SET(RESOLV_CONF_COPY_HOST
, RESOLV_CONF_COPY_STATIC
) && IN_SET(r
, -ELOOP
, -EROFS
, -EACCES
, -EPERM
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1885 "Failed to copy /etc/resolv.conf to %s, ignoring: %m", where
);
1889 r
= userns_lchown(where
, 0, 0);
1891 log_warning_errno(r
, "Failed to chown /etc/resolv.conf, ignoring: %m");
1896 static int setup_boot_id(void) {
1897 _cleanup_(unlink_and_freep
) char *from
= NULL
;
1898 _cleanup_free_
char *path
= NULL
;
1899 sd_id128_t rnd
= SD_ID128_NULL
;
1903 /* Generate a new randomized boot ID, so that each boot-up of the container gets a new one */
1905 r
= tempfn_random_child("/run", "proc-sys-kernel-random-boot-id", &path
);
1907 return log_error_errno(r
, "Failed to generate random boot ID path: %m");
1909 r
= sd_id128_randomize(&rnd
);
1911 return log_error_errno(r
, "Failed to generate random boot id: %m");
1913 r
= id128_write(path
, ID128_UUID
, rnd
, false);
1915 return log_error_errno(r
, "Failed to write boot id: %m");
1917 from
= TAKE_PTR(path
);
1918 to
= "/proc/sys/kernel/random/boot_id";
1920 r
= mount_verbose(LOG_ERR
, from
, to
, NULL
, MS_BIND
, NULL
);
1924 return mount_verbose(LOG_ERR
, NULL
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, NULL
);
1927 static int copy_devnodes(const char *dest
) {
1928 static const char devnodes
[] =
1937 _cleanup_umask_ mode_t u
;
1945 /* Create /dev/net, so that we can create /dev/net/tun in it */
1946 if (userns_mkdir(dest
, "/dev/net", 0755, 0, 0) < 0)
1947 return log_error_errno(r
, "Failed to create /dev/net directory: %m");
1949 NULSTR_FOREACH(d
, devnodes
) {
1950 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1953 from
= path_join("/dev/", d
);
1957 to
= path_join(dest
, from
);
1961 if (stat(from
, &st
) < 0) {
1963 if (errno
!= ENOENT
)
1964 return log_error_errno(errno
, "Failed to stat %s: %m", from
);
1966 } else if (!S_ISCHR(st
.st_mode
) && !S_ISBLK(st
.st_mode
))
1967 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
1968 "%s is not a char or block device, cannot copy.", from
);
1970 _cleanup_free_
char *sl
= NULL
, *prefixed
= NULL
, *dn
= NULL
, *t
= NULL
;
1972 if (mknod(to
, st
.st_mode
, st
.st_rdev
) < 0) {
1973 /* Explicitly warn the user when /dev is already populated. */
1974 if (errno
== EEXIST
)
1975 log_notice("%s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system.", dest
);
1977 return log_error_errno(errno
, "mknod(%s) failed: %m", to
);
1979 /* Some systems abusively restrict mknod but allow bind mounts. */
1982 return log_error_errno(r
, "touch (%s) failed: %m", to
);
1983 r
= mount_verbose(LOG_DEBUG
, from
, to
, NULL
, MS_BIND
, NULL
);
1985 return log_error_errno(r
, "Both mknod and bind mount (%s) failed: %m", to
);
1988 r
= userns_lchown(to
, 0, 0);
1990 return log_error_errno(r
, "chown() of device node %s failed: %m", to
);
1992 dn
= path_join("/dev", S_ISCHR(st
.st_mode
) ? "char" : "block");
1996 r
= userns_mkdir(dest
, dn
, 0755, 0, 0);
1998 return log_error_errno(r
, "Failed to create '%s': %m", dn
);
2000 if (asprintf(&sl
, "%s/%u:%u", dn
, major(st
.st_rdev
), minor(st
.st_rdev
)) < 0)
2003 prefixed
= path_join(dest
, sl
);
2007 t
= path_join("..", d
);
2011 if (symlink(t
, prefixed
) < 0)
2012 log_debug_errno(errno
, "Failed to symlink '%s' to '%s': %m", t
, prefixed
);
2019 static int make_extra_nodes(const char *dest
) {
2020 _cleanup_umask_ mode_t u
;
2026 for (i
= 0; i
< arg_n_extra_nodes
; i
++) {
2027 _cleanup_free_
char *path
= NULL
;
2028 DeviceNode
*n
= arg_extra_nodes
+ i
;
2030 path
= path_join(dest
, n
->path
);
2034 if (mknod(path
, n
->mode
, S_ISCHR(n
->mode
) || S_ISBLK(n
->mode
) ? makedev(n
->major
, n
->minor
) : 0) < 0)
2035 return log_error_errno(errno
, "Failed to create device node '%s': %m", path
);
2037 r
= chmod_and_chown(path
, n
->mode
, n
->uid
, n
->gid
);
2039 return log_error_errno(r
, "Failed to adjust device node ownership of '%s': %m", path
);
2045 static int setup_pts(const char *dest
) {
2046 _cleanup_free_
char *options
= NULL
;
2051 if (arg_selinux_apifs_context
)
2052 (void) asprintf(&options
,
2053 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
",context=\"%s\"",
2054 arg_uid_shift
+ TTY_GID
,
2055 arg_selinux_apifs_context
);
2058 (void) asprintf(&options
,
2059 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
,
2060 arg_uid_shift
+ TTY_GID
);
2065 /* Mount /dev/pts itself */
2066 p
= prefix_roota(dest
, "/dev/pts");
2067 r
= mkdir_errno_wrapper(p
, 0755);
2069 return log_error_errno(r
, "Failed to create /dev/pts: %m");
2071 r
= mount_verbose(LOG_ERR
, "devpts", p
, "devpts", MS_NOSUID
|MS_NOEXEC
, options
);
2074 r
= userns_lchown(p
, 0, 0);
2076 return log_error_errno(r
, "Failed to chown /dev/pts: %m");
2078 /* Create /dev/ptmx symlink */
2079 p
= prefix_roota(dest
, "/dev/ptmx");
2080 if (symlink("pts/ptmx", p
) < 0)
2081 return log_error_errno(errno
, "Failed to create /dev/ptmx symlink: %m");
2082 r
= userns_lchown(p
, 0, 0);
2084 return log_error_errno(r
, "Failed to chown /dev/ptmx: %m");
2086 /* And fix /dev/pts/ptmx ownership */
2087 p
= prefix_roota(dest
, "/dev/pts/ptmx");
2088 r
= userns_lchown(p
, 0, 0);
2090 return log_error_errno(r
, "Failed to chown /dev/pts/ptmx: %m");
2095 static int setup_stdio_as_dev_console(void) {
2099 terminal
= open_terminal("/dev/console", O_RDWR
);
2101 return log_error_errno(terminal
, "Failed to open console: %m");
2103 /* Make sure we can continue logging to the original stderr, even if
2104 * stderr points elsewhere now */
2105 r
= log_dup_console();
2107 return log_error_errno(r
, "Failed to duplicate stderr: %m");
2109 /* invalidates 'terminal' on success and failure */
2110 r
= rearrange_stdio(terminal
, terminal
, terminal
);
2112 return log_error_errno(r
, "Failed to move console to stdin/stdout/stderr: %m");
2117 static int setup_dev_console(const char *console
) {
2118 _cleanup_free_
char *p
= NULL
;
2121 /* Create /dev/console symlink */
2122 r
= path_make_relative("/dev", console
, &p
);
2124 return log_error_errno(r
, "Failed to create relative path: %m");
2126 if (symlink(p
, "/dev/console") < 0)
2127 return log_error_errno(errno
, "Failed to create /dev/console symlink: %m");
2132 static int setup_keyring(void) {
2133 key_serial_t keyring
;
2135 /* Allocate a new session keyring for the container. This makes sure the keyring of the session systemd-nspawn
2136 * was invoked from doesn't leak into the container. Note that by default we block keyctl() and request_key()
2137 * anyway via seccomp so doing this operation isn't strictly necessary, but in case people explicitly whitelist
2138 * these system calls let's make sure we don't leak anything into the container. */
2140 keyring
= keyctl(KEYCTL_JOIN_SESSION_KEYRING
, 0, 0, 0, 0);
2141 if (keyring
== -1) {
2142 if (errno
== ENOSYS
)
2143 log_debug_errno(errno
, "Kernel keyring not supported, ignoring.");
2144 else if (IN_SET(errno
, EACCES
, EPERM
))
2145 log_debug_errno(errno
, "Kernel keyring access prohibited, ignoring.");
2147 return log_error_errno(errno
, "Setting up kernel keyring failed: %m");
2153 static int setup_kmsg(int kmsg_socket
) {
2154 _cleanup_(unlink_and_freep
) char *from
= NULL
;
2155 _cleanup_free_
char *fifo
= NULL
;
2156 _cleanup_close_
int fd
= -1;
2157 _cleanup_umask_ mode_t u
;
2160 assert(kmsg_socket
>= 0);
2164 /* We create the kmsg FIFO as as temporary file in /run, but immediately delete it after bind mounting it to
2165 * /proc/kmsg. While FIFOs on the reading side behave very similar to /proc/kmsg, their writing side behaves
2166 * differently from /dev/kmsg in that writing blocks when nothing is reading. In order to avoid any problems
2167 * with containers deadlocking due to this we simply make /dev/kmsg unavailable to the container. */
2169 r
= tempfn_random_child("/run", "proc-kmsg", &fifo
);
2171 return log_error_errno(r
, "Failed to generate kmsg path: %m");
2173 if (mkfifo(fifo
, 0600) < 0)
2174 return log_error_errno(errno
, "mkfifo() for /run/kmsg failed: %m");
2176 from
= TAKE_PTR(fifo
);
2178 r
= mount_verbose(LOG_ERR
, from
, "/proc/kmsg", NULL
, MS_BIND
, NULL
);
2182 fd
= open(from
, O_RDWR
|O_NONBLOCK
|O_CLOEXEC
);
2184 return log_error_errno(errno
, "Failed to open fifo: %m");
2186 /* Store away the fd in the socket, so that it stays open as long as we run the child */
2187 r
= send_one_fd(kmsg_socket
, fd
, 0);
2189 return log_error_errno(r
, "Failed to send FIFO fd: %m");
2194 static int on_address_change(sd_netlink
*rtnl
, sd_netlink_message
*m
, void *userdata
) {
2195 union in_addr_union
*exposed
= userdata
;
2201 expose_port_execute(rtnl
, arg_expose_ports
, exposed
);
2205 static int setup_hostname(void) {
2208 if ((arg_clone_ns_flags
& CLONE_NEWUTS
) == 0)
2211 r
= sethostname_idempotent(arg_hostname
?: arg_machine
);
2213 return log_error_errno(r
, "Failed to set hostname: %m");
2218 static int setup_journal(const char *directory
) {
2219 _cleanup_free_
char *d
= NULL
;
2220 const char *dirname
, *p
, *q
;
2226 /* Don't link journals in ephemeral mode */
2230 if (arg_link_journal
== LINK_NO
)
2233 try = arg_link_journal_try
|| arg_link_journal
== LINK_AUTO
;
2235 r
= sd_id128_get_machine(&this_id
);
2237 return log_error_errno(r
, "Failed to retrieve machine ID: %m");
2239 if (sd_id128_equal(arg_uuid
, this_id
)) {
2240 log_full(try ? LOG_WARNING
: LOG_ERR
,
2241 "Host and machine ids are equal (%s): refusing to link journals", sd_id128_to_string(arg_uuid
, id
));
2247 FOREACH_STRING(dirname
, "/var", "/var/log", "/var/log/journal") {
2248 r
= userns_mkdir(directory
, dirname
, 0755, 0, 0);
2250 bool ignore
= r
== -EROFS
&& try;
2251 log_full_errno(ignore
? LOG_DEBUG
: LOG_ERR
, r
,
2252 "Failed to create %s%s: %m", dirname
, ignore
? ", ignoring" : "");
2253 return ignore
? 0 : r
;
2257 (void) sd_id128_to_string(arg_uuid
, id
);
2259 p
= strjoina("/var/log/journal/", id
);
2260 q
= prefix_roota(directory
, p
);
2262 if (path_is_mount_point(p
, NULL
, 0) > 0) {
2266 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
),
2267 "%s: already a mount point, refusing to use for journal", p
);
2270 if (path_is_mount_point(q
, NULL
, 0) > 0) {
2274 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
),
2275 "%s: already a mount point, refusing to use for journal", q
);
2278 r
= readlink_and_make_absolute(p
, &d
);
2280 if (IN_SET(arg_link_journal
, LINK_GUEST
, LINK_AUTO
) &&
2283 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2285 log_warning_errno(r
, "Failed to create directory %s: %m", q
);
2290 return log_error_errno(errno
, "Failed to remove symlink %s: %m", p
);
2291 } else if (r
== -EINVAL
) {
2293 if (arg_link_journal
== LINK_GUEST
&&
2296 if (errno
== ENOTDIR
) {
2297 log_error("%s already exists and is neither a symlink nor a directory", p
);
2300 return log_error_errno(errno
, "Failed to remove %s: %m", p
);
2302 } else if (r
!= -ENOENT
)
2303 return log_error_errno(r
, "readlink(%s) failed: %m", p
);
2305 if (arg_link_journal
== LINK_GUEST
) {
2307 if (symlink(q
, p
) < 0) {
2309 log_debug_errno(errno
, "Failed to symlink %s to %s, skipping journal setup: %m", q
, p
);
2312 return log_error_errno(errno
, "Failed to symlink %s to %s: %m", q
, p
);
2315 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2317 log_warning_errno(r
, "Failed to create directory %s: %m", q
);
2321 if (arg_link_journal
== LINK_HOST
) {
2322 /* don't create parents here — if the host doesn't have
2323 * permanent journal set up, don't force it here */
2325 r
= mkdir_errno_wrapper(p
, 0755);
2326 if (r
< 0 && r
!= -EEXIST
) {
2328 log_debug_errno(r
, "Failed to create %s, skipping journal setup: %m", p
);
2331 return log_error_errno(r
, "Failed to create %s: %m", p
);
2334 } else if (access(p
, F_OK
) < 0)
2337 if (dir_is_empty(q
) == 0)
2338 log_warning("%s is not empty, proceeding anyway.", q
);
2340 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2342 return log_error_errno(r
, "Failed to create %s: %m", q
);
2344 r
= mount_verbose(LOG_DEBUG
, p
, q
, NULL
, MS_BIND
, NULL
);
2346 return log_error_errno(errno
, "Failed to bind mount journal from host into guest: %m");
2351 static int drop_capabilities(uid_t uid
) {
2352 CapabilityQuintet q
;
2354 /* Let's initialize all five capability sets to something valid. If the quintet was configured via
2355 * OCI use that, but fill in missing bits. If it wasn't then derive the quintet in full from
2356 * arg_caps_retain. */
2358 if (capability_quintet_is_set(&arg_full_capabilities
)) {
2359 q
= arg_full_capabilities
;
2361 if (q
.bounding
== (uint64_t) -1)
2362 q
.bounding
= uid
== 0 ? arg_caps_retain
: 0;
2364 if (q
.effective
== (uint64_t) -1)
2365 q
.effective
= uid
== 0 ? q
.bounding
: 0;
2367 if (q
.inheritable
== (uint64_t) -1)
2368 q
.inheritable
= uid
== 0 ? q
.bounding
: 0;
2370 if (q
.permitted
== (uint64_t) -1)
2371 q
.permitted
= uid
== 0 ? q
.bounding
: 0;
2373 if (q
.ambient
== (uint64_t) -1 && ambient_capabilities_supported())
2376 if (capability_quintet_mangle(&q
))
2377 return log_error_errno(SYNTHETIC_ERRNO(EPERM
), "Cannot set capabilities that are not in the current bounding set.");
2380 q
= (CapabilityQuintet
) {
2381 .bounding
= arg_caps_retain
,
2382 .effective
= uid
== 0 ? arg_caps_retain
: 0,
2383 .inheritable
= uid
== 0 ? arg_caps_retain
: 0,
2384 .permitted
= uid
== 0 ? arg_caps_retain
: 0,
2385 .ambient
= ambient_capabilities_supported() ? 0 : (uint64_t) -1,
2388 /* If we're not using OCI, proceed with mangled capabilities (so we don't error out)
2389 * in order to maintain the same behavior as systemd < 242. */
2390 if (capability_quintet_mangle(&q
))
2391 log_full(arg_quiet
? LOG_DEBUG
: LOG_WARNING
,
2392 "Some capabilities will not be set because they are not in the current bounding set.");
2396 return capability_quintet_enforce(&q
);
2399 static int reset_audit_loginuid(void) {
2400 _cleanup_free_
char *p
= NULL
;
2403 if ((arg_clone_ns_flags
& CLONE_NEWPID
) == 0)
2406 r
= read_one_line_file("/proc/self/loginuid", &p
);
2410 return log_error_errno(r
, "Failed to read /proc/self/loginuid: %m");
2412 /* Already reset? */
2413 if (streq(p
, "4294967295"))
2416 r
= write_string_file("/proc/self/loginuid", "4294967295", WRITE_STRING_FILE_DISABLE_BUFFER
);
2419 "Failed to reset audit login UID. This probably means that your kernel is too\n"
2420 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2421 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2422 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2423 "using systemd-nspawn. Sleeping for 5s... (%m)");
2431 static int setup_propagate(const char *root
) {
2435 (void) mkdir_p("/run/systemd/nspawn/", 0755);
2436 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
2437 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
2438 (void) mkdir_p(p
, 0600);
2440 r
= userns_mkdir(root
, "/run/systemd", 0755, 0, 0);
2442 return log_error_errno(r
, "Failed to create /run/systemd: %m");
2444 r
= userns_mkdir(root
, "/run/systemd/nspawn", 0755, 0, 0);
2446 return log_error_errno(r
, "Failed to create /run/systemd/nspawn: %m");
2448 r
= userns_mkdir(root
, "/run/systemd/nspawn/incoming", 0600, 0, 0);
2450 return log_error_errno(r
, "Failed to create /run/systemd/nspawn/incoming: %m");
2452 q
= prefix_roota(root
, "/run/systemd/nspawn/incoming");
2453 r
= mount_verbose(LOG_ERR
, p
, q
, NULL
, MS_BIND
, NULL
);
2457 r
= mount_verbose(LOG_ERR
, NULL
, q
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
);
2461 /* machined will MS_MOVE into that directory, and that's only
2462 * supported for non-shared mounts. */
2463 return mount_verbose(LOG_ERR
, NULL
, q
, NULL
, MS_SLAVE
, NULL
);
2466 static int setup_machine_id(const char *directory
) {
2467 const char *etc_machine_id
;
2471 /* If the UUID in the container is already set, then that's what counts, and we use. If it isn't set, and the
2472 * caller passed --uuid=, then we'll pass it in the $container_uuid env var to PID 1 of the container. The
2473 * assumption is that PID 1 will then write it to /etc/machine-id to make it persistent. If --uuid= is not
2474 * passed we generate a random UUID, and pass it via $container_uuid. In effect this means that /etc/machine-id
2475 * in the container and our idea of the container UUID will always be in sync (at least if PID 1 in the
2476 * container behaves nicely). */
2478 etc_machine_id
= prefix_roota(directory
, "/etc/machine-id");
2480 r
= id128_read(etc_machine_id
, ID128_PLAIN
, &id
);
2482 if (!IN_SET(r
, -ENOENT
, -ENOMEDIUM
)) /* If the file is missing or empty, we don't mind */
2483 return log_error_errno(r
, "Failed to read machine ID from container image: %m");
2485 if (sd_id128_is_null(arg_uuid
)) {
2486 r
= sd_id128_randomize(&arg_uuid
);
2488 return log_error_errno(r
, "Failed to acquire randomized machine UUID: %m");
2491 if (sd_id128_is_null(id
))
2492 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2493 "Machine ID in container image is zero, refusing.");
2501 static int recursive_chown(const char *directory
, uid_t shift
, uid_t range
) {
2506 if (arg_userns_mode
== USER_NAMESPACE_NO
|| !arg_userns_chown
)
2509 r
= path_patch_uid(directory
, arg_uid_shift
, arg_uid_range
);
2510 if (r
== -EOPNOTSUPP
)
2511 return log_error_errno(r
, "Automatic UID/GID adjusting is only supported for UID/GID ranges starting at multiples of 2^16 with a range of 2^16.");
2513 return log_error_errno(r
, "Upper 16 bits of root directory UID and GID do not match.");
2515 return log_error_errno(r
, "Failed to adjust UID/GID shift of OS tree: %m");
2517 log_debug("Root directory of image is already owned by the right UID/GID range, skipping recursive chown operation.");
2519 log_debug("Patched directory tree to match UID/GID range.");
2526 * < 0 : wait_for_terminate() failed to get the state of the
2527 * container, the container was terminated by a signal, or
2528 * failed for an unknown reason. No change is made to the
2529 * container argument.
2530 * > 0 : The program executed in the container terminated with an
2531 * error. The exit code of the program executed in the
2532 * container is returned. The container argument has been set
2533 * to CONTAINER_TERMINATED.
2534 * 0 : The container is being rebooted, has been shut down or exited
2535 * successfully. The container argument has been set to either
2536 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2538 * That is, success is indicated by a return value of zero, and an
2539 * error is indicated by a non-zero value.
2541 static int wait_for_container(pid_t pid
, ContainerStatus
*container
) {
2545 r
= wait_for_terminate(pid
, &status
);
2547 return log_warning_errno(r
, "Failed to wait for container: %m");
2549 switch (status
.si_code
) {
2552 if (status
.si_status
== 0)
2553 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s exited successfully.", arg_machine
);
2555 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s failed with error code %i.", arg_machine
, status
.si_status
);
2557 *container
= CONTAINER_TERMINATED
;
2558 return status
.si_status
;
2561 if (status
.si_status
== SIGINT
) {
2562 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s has been shut down.", arg_machine
);
2563 *container
= CONTAINER_TERMINATED
;
2566 } else if (status
.si_status
== SIGHUP
) {
2567 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s is being rebooted.", arg_machine
);
2568 *container
= CONTAINER_REBOOTED
;
2574 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
2575 "Container %s terminated by signal %s.", arg_machine
, signal_to_string(status
.si_status
));
2578 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
2579 "Container %s failed due to unknown reason.", arg_machine
);
2583 static int on_orderly_shutdown(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
2586 pid
= PTR_TO_PID(userdata
);
2588 if (kill(pid
, arg_kill_signal
) >= 0) {
2589 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
2590 sd_event_source_set_userdata(s
, NULL
);
2595 sd_event_exit(sd_event_source_get_event(s
), 0);
2599 static int on_sigchld(sd_event_source
*s
, const struct signalfd_siginfo
*ssi
, void *userdata
) {
2605 pid
= PTR_TO_PID(userdata
);
2610 if (waitid(P_ALL
, 0, &si
, WNOHANG
|WNOWAIT
|WEXITED
) < 0)
2611 return log_error_errno(errno
, "Failed to waitid(): %m");
2612 if (si
.si_pid
== 0) /* No pending children. */
2614 if (si
.si_pid
== pid
) {
2615 /* The main process we care for has exited. Return from
2616 * signal handler but leave the zombie. */
2617 sd_event_exit(sd_event_source_get_event(s
), 0);
2621 /* Reap all other children. */
2622 (void) waitid(P_PID
, si
.si_pid
, &si
, WNOHANG
|WEXITED
);
2628 static int on_request_stop(sd_bus_message
*m
, void *userdata
, sd_bus_error
*error
) {
2633 pid
= PTR_TO_PID(userdata
);
2635 if (arg_kill_signal
> 0) {
2636 log_info("Container termination requested. Attempting to halt container.");
2637 (void) kill(pid
, arg_kill_signal
);
2639 log_info("Container termination requested. Exiting.");
2640 sd_event_exit(sd_bus_get_event(sd_bus_message_get_bus(m
)), 0);
2646 static int determine_names(void) {
2649 if (arg_template
&& !arg_directory
&& arg_machine
) {
2651 /* If --template= was specified then we should not
2652 * search for a machine, but instead create a new one
2653 * in /var/lib/machine. */
2655 arg_directory
= path_join("/var/lib/machines", arg_machine
);
2660 if (!arg_image
&& !arg_directory
) {
2662 _cleanup_(image_unrefp
) Image
*i
= NULL
;
2664 r
= image_find(IMAGE_MACHINE
, arg_machine
, &i
);
2666 return log_error_errno(r
, "No image for machine '%s'.", arg_machine
);
2668 return log_error_errno(r
, "Failed to find image for machine '%s': %m", arg_machine
);
2670 if (IN_SET(i
->type
, IMAGE_RAW
, IMAGE_BLOCK
))
2671 r
= free_and_strdup(&arg_image
, i
->path
);
2673 r
= free_and_strdup(&arg_directory
, i
->path
);
2678 arg_read_only
= arg_read_only
|| i
->read_only
;
2680 r
= safe_getcwd(&arg_directory
);
2682 return log_error_errno(r
, "Failed to determine current directory: %m");
2685 if (!arg_directory
&& !arg_image
)
2686 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to determine path, please use -D or -i.");
2690 if (arg_directory
&& path_equal(arg_directory
, "/"))
2691 arg_machine
= gethostname_malloc();
2696 arg_machine
= strdup(basename(arg_image
));
2698 /* Truncate suffix if there is one */
2699 e
= endswith(arg_machine
, ".raw");
2703 arg_machine
= strdup(basename(arg_directory
));
2708 hostname_cleanup(arg_machine
);
2709 if (!machine_name_is_valid(arg_machine
))
2710 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to determine machine name automatically, please use -M.");
2712 if (arg_ephemeral
) {
2715 /* Add a random suffix when this is an
2716 * ephemeral machine, so that we can run many
2717 * instances at once without manually having
2718 * to specify -M each time. */
2720 if (asprintf(&b
, "%s-%016" PRIx64
, arg_machine
, random_u64()) < 0)
2731 static int chase_symlinks_and_update(char **p
, unsigned flags
) {
2740 r
= chase_symlinks(*p
, NULL
, flags
, &chased
, NULL
);
2742 return log_error_errno(r
, "Failed to resolve path %s: %m", *p
);
2744 return free_and_replace(*p
, chased
);
2747 static int determine_uid_shift(const char *directory
) {
2750 if (arg_userns_mode
== USER_NAMESPACE_NO
) {
2755 if (arg_uid_shift
== UID_INVALID
) {
2758 r
= stat(directory
, &st
);
2760 return log_error_errno(errno
, "Failed to determine UID base of %s: %m", directory
);
2762 arg_uid_shift
= st
.st_uid
& UINT32_C(0xffff0000);
2764 if (arg_uid_shift
!= (st
.st_gid
& UINT32_C(0xffff0000)))
2765 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2766 "UID and GID base of %s don't match.", directory
);
2768 arg_uid_range
= UINT32_C(0x10000);
2771 if (arg_uid_shift
> (uid_t
) -1 - arg_uid_range
)
2772 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2773 "UID base too high for UID range.");
2778 static unsigned long effective_clone_ns_flags(void) {
2779 unsigned long flags
= arg_clone_ns_flags
;
2781 if (arg_private_network
)
2782 flags
|= CLONE_NEWNET
;
2784 flags
|= CLONE_NEWCGROUP
;
2785 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
2786 flags
|= CLONE_NEWUSER
;
2791 static int patch_sysctl(void) {
2793 /* This table is inspired by runc's sysctl() function */
2794 static const struct {
2797 unsigned long clone_flags
;
2799 { "kernel.hostname", false, CLONE_NEWUTS
},
2800 { "kernel.domainname", false, CLONE_NEWUTS
},
2801 { "kernel.msgmax", false, CLONE_NEWIPC
},
2802 { "kernel.msgmnb", false, CLONE_NEWIPC
},
2803 { "kernel.msgmni", false, CLONE_NEWIPC
},
2804 { "kernel.sem", false, CLONE_NEWIPC
},
2805 { "kernel.shmall", false, CLONE_NEWIPC
},
2806 { "kernel.shmmax", false, CLONE_NEWIPC
},
2807 { "kernel.shmmni", false, CLONE_NEWIPC
},
2808 { "fs.mqueue.", true, CLONE_NEWIPC
},
2809 { "net.", true, CLONE_NEWNET
},
2812 unsigned long flags
;
2816 flags
= effective_clone_ns_flags();
2818 STRV_FOREACH_PAIR(k
, v
, arg_sysctl
) {
2822 for (i
= 0; i
< ELEMENTSOF(safe_sysctl
); i
++) {
2824 if (!FLAGS_SET(flags
, safe_sysctl
[i
].clone_flags
))
2827 if (safe_sysctl
[i
].prefix
)
2828 good
= startswith(*k
, safe_sysctl
[i
].key
);
2830 good
= streq(*k
, safe_sysctl
[i
].key
);
2837 return log_error_errno(SYNTHETIC_ERRNO(EPERM
), "Refusing to write to sysctl '%s', as it is not safe in the selected namespaces.", *k
);
2839 r
= sysctl_write(*k
, *v
);
2841 return log_error_errno(r
, "Failed to write sysctl '%s': %m", *k
);
2847 static int inner_child(
2849 const char *directory
,
2853 int master_pty_socket
,
2856 _cleanup_free_
char *home
= NULL
;
2859 const char *envp
[] = {
2860 "PATH=" DEFAULT_PATH_COMPAT
,
2861 NULL
, /* container */
2866 NULL
, /* container_uuid */
2867 NULL
, /* LISTEN_FDS */
2868 NULL
, /* LISTEN_PID */
2869 NULL
, /* NOTIFY_SOCKET */
2872 const char *exec_target
;
2873 _cleanup_strv_free_
char **env_use
= NULL
;
2874 int r
, which_failed
;
2876 /* This is the "inner" child process, i.e. the one forked off by the "outer" child process, which is the one
2877 * the container manager itself forked off. At the time of clone() it gained its own CLONE_NEWNS, CLONE_NEWPID,
2878 * CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER namespaces. Note that it has its own CLONE_NEWNS namespace,
2879 * separate from the CLONE_NEWNS created for the "outer" child, and also separate from the host's CLONE_NEWNS
2880 * namespace. The reason for having two levels of CLONE_NEWNS namespaces is that the "inner" one is owned by
2881 * the CLONE_NEWUSER namespace of the container, while the "outer" one is owned by the host's CLONE_NEWUSER
2884 * Note at this point we have no CLONE_NEWNET namespace yet. We'll acquire that one later through
2885 * unshare(). See below. */
2889 assert(kmsg_socket
>= 0);
2891 log_debug("Inner child is initializing.");
2893 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
2894 /* Tell the parent, that it now can write the UID map. */
2895 (void) barrier_place(barrier
); /* #1 */
2897 /* Wait until the parent wrote the UID map */
2898 if (!barrier_place_and_sync(barrier
)) /* #2 */
2899 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
2900 "Parent died too early");
2903 r
= reset_uid_gid();
2905 return log_error_errno(r
, "Couldn't become new root: %m");
2908 arg_mount_settings
| MOUNT_IN_USERNS
,
2910 arg_selinux_apifs_context
);
2914 if (!arg_network_namespace_path
&& arg_private_network
) {
2915 r
= unshare(CLONE_NEWNET
);
2917 return log_error_errno(errno
, "Failed to unshare network namespace: %m");
2919 /* Tell the parent that it can setup network interfaces. */
2920 (void) barrier_place(barrier
); /* #3 */
2923 r
= mount_sysfs(NULL
, arg_mount_settings
);
2927 /* Wait until we are cgroup-ified, so that we
2928 * can mount the right cgroup path writable */
2929 if (!barrier_place_and_sync(barrier
)) /* #4 */
2930 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
2931 "Parent died too early");
2934 r
= unshare(CLONE_NEWCGROUP
);
2936 return log_error_errno(errno
, "Failed to unshare cgroup namespace: %m");
2939 arg_unified_cgroup_hierarchy
,
2940 arg_userns_mode
!= USER_NAMESPACE_NO
,
2943 arg_selinux_apifs_context
,
2948 r
= mount_systemd_cgroup_writable("", arg_unified_cgroup_hierarchy
);
2953 r
= setup_boot_id();
2957 r
= setup_kmsg(kmsg_socket
);
2960 kmsg_socket
= safe_close(kmsg_socket
);
2965 arg_n_custom_mounts
,
2969 arg_selinux_apifs_context
,
2975 return log_error_errno(errno
, "setsid() failed: %m");
2977 if (arg_private_network
)
2980 if (arg_expose_ports
) {
2981 r
= expose_port_send_rtnl(rtnl_socket
);
2984 rtnl_socket
= safe_close(rtnl_socket
);
2987 if (arg_console_mode
!= CONSOLE_PIPE
) {
2988 _cleanup_close_
int master
= -1;
2989 _cleanup_free_
char *console
= NULL
;
2991 /* Allocate a pty and make it available as /dev/console. */
2992 master
= openpt_allocate(O_RDWR
|O_NONBLOCK
, &console
);
2994 return log_error_errno(master
, "Failed to allocate a pty: %m");
2996 r
= setup_dev_console(console
);
2998 return log_error_errno(r
, "Failed to setup /dev/console: %m");
3000 r
= send_one_fd(master_pty_socket
, master
, 0);
3002 return log_error_errno(r
, "Failed to send master fd: %m");
3003 master_pty_socket
= safe_close(master_pty_socket
);
3005 r
= setup_stdio_as_dev_console();
3014 if (arg_oom_score_adjust_set
) {
3015 r
= set_oom_score_adjust(arg_oom_score_adjust
);
3017 return log_error_errno(r
, "Failed to adjust OOM score: %m");
3020 if (arg_cpu_set
.set
)
3021 if (sched_setaffinity(0, arg_cpu_set
.allocated
, arg_cpu_set
.set
) < 0)
3022 return log_error_errno(errno
, "Failed to set CPU affinity: %m");
3024 (void) setup_hostname();
3026 if (arg_personality
!= PERSONALITY_INVALID
) {
3027 r
= safe_personality(arg_personality
);
3029 return log_error_errno(r
, "personality() failed: %m");
3030 } else if (secondary
) {
3031 r
= safe_personality(PER_LINUX32
);
3033 return log_error_errno(r
, "personality() failed: %m");
3036 r
= setrlimit_closest_all((const struct rlimit
*const*) arg_rlimit
, &which_failed
);
3038 return log_error_errno(r
, "Failed to apply resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed
));
3043 if (is_seccomp_available()) {
3045 r
= seccomp_load(arg_seccomp
);
3046 if (ERRNO_IS_SECCOMP_FATAL(r
))
3047 return log_error_errno(r
, "Failed to install seccomp filter: %m");
3049 log_debug_errno(r
, "Failed to install seccomp filter: %m");
3054 r
= setup_seccomp(arg_caps_retain
, arg_syscall_whitelist
, arg_syscall_blacklist
);
3060 if (arg_selinux_context
)
3061 if (setexeccon(arg_selinux_context
) < 0)
3062 return log_error_errno(errno
, "setexeccon(\"%s\") failed: %m", arg_selinux_context
);
3065 /* Make sure we keep the caps across the uid/gid dropping, so that we can retain some selected caps
3066 * if we need to later on. */
3067 if (prctl(PR_SET_KEEPCAPS
, 1) < 0)
3068 return log_error_errno(errno
, "Failed to set PR_SET_KEEPCAPS: %m");
3070 if (uid_is_valid(arg_uid
) || gid_is_valid(arg_gid
))
3071 r
= change_uid_gid_raw(arg_uid
, arg_gid
, arg_supplementary_gids
, arg_n_supplementary_gids
);
3073 r
= change_uid_gid(arg_user
, &home
);
3077 r
= drop_capabilities(getuid());
3079 return log_error_errno(r
, "Dropping capabilities failed: %m");
3081 if (arg_no_new_privileges
)
3082 if (prctl(PR_SET_NO_NEW_PRIVS
, 1, 0, 0, 0) < 0)
3083 return log_error_errno(errno
, "Failed to disable new privileges: %m");
3085 /* LXC sets container=lxc, so follow the scheme here */
3086 envp
[n_env
++] = strjoina("container=", arg_container_service_name
);
3088 envp
[n_env
] = strv_find_prefix(environ
, "TERM=");
3092 if (home
|| !uid_is_valid(arg_uid
) || arg_uid
== 0)
3093 if (asprintf((char**)(envp
+ n_env
++), "HOME=%s", home
?: "/root") < 0)
3096 if (arg_user
|| !uid_is_valid(arg_uid
) || arg_uid
== 0)
3097 if (asprintf((char**)(envp
+ n_env
++), "USER=%s", arg_user
?: "root") < 0 ||
3098 asprintf((char**)(envp
+ n_env
++), "LOGNAME=%s", arg_user
? arg_user
: "root") < 0)
3101 assert(!sd_id128_is_null(arg_uuid
));
3103 if (asprintf((char**)(envp
+ n_env
++), "container_uuid=%s", id128_to_uuid_string(arg_uuid
, as_uuid
)) < 0)
3106 if (fdset_size(fds
) > 0) {
3107 r
= fdset_cloexec(fds
, false);
3109 return log_error_errno(r
, "Failed to unset O_CLOEXEC for file descriptors.");
3111 if ((asprintf((char **)(envp
+ n_env
++), "LISTEN_FDS=%u", fdset_size(fds
)) < 0) ||
3112 (asprintf((char **)(envp
+ n_env
++), "LISTEN_PID=1") < 0))
3115 if (asprintf((char **)(envp
+ n_env
++), "NOTIFY_SOCKET=%s", NSPAWN_NOTIFY_SOCKET_PATH
) < 0)
3118 env_use
= strv_env_merge(2, envp
, arg_setenv
);
3122 /* Let the parent know that we are ready and
3123 * wait until the parent is ready with the
3125 if (!barrier_place_and_sync(barrier
)) /* #5 */
3126 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
3127 "Parent died too early");
3130 if (chdir(arg_chdir
) < 0)
3131 return log_error_errno(errno
, "Failed to change to specified working directory %s: %m", arg_chdir
);
3133 if (arg_start_mode
== START_PID2
) {
3134 r
= stub_pid1(arg_uuid
);
3139 log_debug("Inner child completed, invoking payload.");
3141 /* Now, explicitly close the log, so that we then can close all remaining fds. Closing the log explicitly first
3142 * has the benefit that the logging subsystem knows about it, and is thus ready to be reopened should we need
3143 * it again. Note that the other fds closed here are at least the locking and barrier fds. */
3145 log_set_open_when_needed(true);
3147 (void) fdset_close_others(fds
);
3149 if (arg_start_mode
== START_BOOT
) {
3153 /* Automatically search for the init system */
3155 m
= strv_length(arg_parameters
);
3156 a
= newa(char*, m
+ 2);
3157 memcpy_safe(a
+ 1, arg_parameters
, m
* sizeof(char*));
3160 a
[0] = (char*) "/usr/lib/systemd/systemd";
3161 execve(a
[0], a
, env_use
);
3163 a
[0] = (char*) "/lib/systemd/systemd";
3164 execve(a
[0], a
, env_use
);
3166 a
[0] = (char*) "/sbin/init";
3167 execve(a
[0], a
, env_use
);
3169 exec_target
= "/usr/lib/systemd/systemd, /lib/systemd/systemd, /sbin/init";
3170 } else if (!strv_isempty(arg_parameters
)) {
3171 const char *dollar_path
;
3173 exec_target
= arg_parameters
[0];
3175 /* Use the user supplied search $PATH if there is one, or DEFAULT_PATH_COMPAT if not to search the
3177 dollar_path
= strv_env_get(env_use
, "PATH");
3179 if (putenv((char*) dollar_path
) != 0)
3180 return log_error_errno(errno
, "Failed to update $PATH: %m");
3183 execvpe(arg_parameters
[0], arg_parameters
, env_use
);
3186 /* If we cannot change the directory, we'll end up in /, that is expected. */
3187 (void) chdir(home
?: "/root");
3189 execle("/bin/bash", "-bash", NULL
, env_use
);
3190 execle("/bin/sh", "-sh", NULL
, env_use
);
3192 exec_target
= "/bin/bash, /bin/sh";
3195 return log_error_errno(errno
, "execv(%s) failed: %m", exec_target
);
3198 static int setup_sd_notify_child(void) {
3199 _cleanup_close_
int fd
= -1;
3200 union sockaddr_union sa
= {
3201 .un
.sun_family
= AF_UNIX
,
3202 .un
.sun_path
= NSPAWN_NOTIFY_SOCKET_PATH
,
3206 fd
= socket(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
3208 return log_error_errno(errno
, "Failed to allocate notification socket: %m");
3210 (void) mkdir_parents(NSPAWN_NOTIFY_SOCKET_PATH
, 0755);
3211 (void) sockaddr_un_unlink(&sa
.un
);
3213 r
= bind(fd
, &sa
.sa
, SOCKADDR_UN_LEN(sa
.un
));
3215 return log_error_errno(errno
, "bind(" NSPAWN_NOTIFY_SOCKET_PATH
") failed: %m");
3217 r
= userns_lchown(NSPAWN_NOTIFY_SOCKET_PATH
, 0, 0);
3219 return log_error_errno(r
, "Failed to chown " NSPAWN_NOTIFY_SOCKET_PATH
": %m");
3221 r
= setsockopt_int(fd
, SOL_SOCKET
, SO_PASSCRED
, true);
3223 return log_error_errno(r
, "SO_PASSCRED failed: %m");
3228 static int outer_child(
3230 const char *directory
,
3231 DissectedImage
*dissected_image
,
3238 int uid_shift_socket
,
3239 int master_pty_socket
,
3240 int unified_cgroup_hierarchy_socket
,
3244 _cleanup_close_
int fd
= -1;
3249 /* This is the "outer" child process, i.e the one forked off by the container manager itself. It already has
3250 * its own CLONE_NEWNS namespace (which was created by the clone()). It still lives in the host's CLONE_NEWPID,
3251 * CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER and CLONE_NEWNET namespaces. After it completed a number of
3252 * initializations a second child (the "inner" one) is forked off it, and it exits. */
3256 assert(pid_socket
>= 0);
3257 assert(uuid_socket
>= 0);
3258 assert(notify_socket
>= 0);
3259 assert(master_pty_socket
>= 0);
3260 assert(kmsg_socket
>= 0);
3262 log_debug("Outer child is initializing.");
3264 if (prctl(PR_SET_PDEATHSIG
, SIGKILL
) < 0)
3265 return log_error_errno(errno
, "PR_SET_PDEATHSIG failed: %m");
3267 r
= reset_audit_loginuid();
3271 /* Mark everything as slave, so that we still
3272 * receive mounts from the real root, but don't
3273 * propagate mounts to the real root. */
3274 r
= mount_verbose(LOG_ERR
, NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
);
3278 if (dissected_image
) {
3279 /* If we are operating on a disk image, then mount its root directory now, but leave out the rest. We
3280 * can read the UID shift from it if we need to. Further down we'll mount the rest, but then with the
3281 * uid shift known. That way we can mount VFAT file systems shifted to the right place right away. This
3282 * makes sure ESP partitions and userns are compatible. */
3284 r
= dissected_image_mount(dissected_image
, directory
, arg_uid_shift
,
3285 DISSECT_IMAGE_MOUNT_ROOT_ONLY
|DISSECT_IMAGE_DISCARD_ON_LOOP
|
3286 (arg_read_only
? DISSECT_IMAGE_READ_ONLY
: 0)|
3287 (arg_start_mode
== START_BOOT
? DISSECT_IMAGE_VALIDATE_OS
: 0));
3292 r
= determine_uid_shift(directory
);
3296 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
3297 /* Let the parent know which UID shift we read from the image */
3298 l
= send(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), MSG_NOSIGNAL
);
3300 return log_error_errno(errno
, "Failed to send UID shift: %m");
3301 if (l
!= sizeof(arg_uid_shift
))
3302 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3303 "Short write while sending UID shift.");
3305 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
3306 /* When we are supposed to pick the UID shift, the parent will check now whether the UID shift
3307 * we just read from the image is available. If yes, it will send the UID shift back to us, if
3308 * not it will pick a different one, and send it back to us. */
3310 l
= recv(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), 0);
3312 return log_error_errno(errno
, "Failed to recv UID shift: %m");
3313 if (l
!= sizeof(arg_uid_shift
))
3314 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3315 "Short read while receiving UID shift.");
3318 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
,
3319 "Selected user namespace base " UID_FMT
" and range " UID_FMT
".", arg_uid_shift
, arg_uid_range
);
3322 if (path_equal(directory
, "/")) {
3323 /* If the directory we shall boot is the host, let's operate on a bind mount at a different
3324 * place, so that we can make changes to its mount structure (for example, to implement
3325 * --volatile=) without this interfering with our ability to access files such as
3326 * /etc/localtime to copy into the container. Note that we use a fixed place for this
3327 * (instead of a temporary directory, since we are living in our own mount namspace here
3328 * already, and thus don't need to be afraid of colliding with anyone else's mounts).*/
3329 (void) mkdir_p("/run/systemd/nspawn-root", 0755);
3331 r
= mount_verbose(LOG_ERR
, "/", "/run/systemd/nspawn-root", NULL
, MS_BIND
|MS_REC
, NULL
);
3335 directory
= "/run/systemd/nspawn-root";
3337 } else if (!dissected_image
) {
3338 /* Turn directory into bind mount (we need that so that we can move the bind mount to root
3340 r
= mount_verbose(LOG_ERR
, directory
, directory
, NULL
, MS_BIND
|MS_REC
, NULL
);
3345 r
= setup_pivot_root(
3348 arg_pivot_root_old
);
3352 r
= setup_volatile_mode(
3355 arg_userns_mode
!= USER_NAMESPACE_NO
,
3358 arg_selinux_apifs_context
);
3362 if (dissected_image
) {
3363 /* Now we know the uid shift, let's now mount everything else that might be in the image. */
3364 r
= dissected_image_mount(dissected_image
, directory
, arg_uid_shift
,
3365 DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY
|DISSECT_IMAGE_DISCARD_ON_LOOP
|(arg_read_only
? DISSECT_IMAGE_READ_ONLY
: 0));
3370 if (arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
) {
3371 /* OK, we don't know yet which cgroup mode to use yet. Let's figure it out, and tell the parent. */
3373 r
= detect_unified_cgroup_hierarchy_from_image(directory
);
3377 l
= send(unified_cgroup_hierarchy_socket
, &arg_unified_cgroup_hierarchy
, sizeof(arg_unified_cgroup_hierarchy
), MSG_NOSIGNAL
);
3379 return log_error_errno(errno
, "Failed to send cgroup mode: %m");
3380 if (l
!= sizeof(arg_unified_cgroup_hierarchy
))
3381 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3382 "Short write while sending cgroup mode.");
3384 unified_cgroup_hierarchy_socket
= safe_close(unified_cgroup_hierarchy_socket
);
3387 /* Mark everything as shared so our mounts get propagated down. This is
3388 * required to make new bind mounts available in systemd services
3389 * inside the container that create a new mount namespace.
3390 * See https://github.com/systemd/systemd/issues/3860
3391 * Further submounts (such as /dev) done after this will inherit the
3392 * shared propagation mode. */
3393 r
= mount_verbose(LOG_ERR
, NULL
, directory
, NULL
, MS_SHARED
|MS_REC
, NULL
);
3397 r
= recursive_chown(directory
, arg_uid_shift
, arg_uid_range
);
3401 r
= base_filesystem_create(directory
, arg_uid_shift
, (gid_t
) arg_uid_shift
);
3405 if (arg_read_only
&& arg_volatile_mode
== VOLATILE_NO
) {
3406 r
= bind_remount_recursive(directory
, MS_RDONLY
, MS_RDONLY
, NULL
);
3408 return log_error_errno(r
, "Failed to make tree read-only: %m");
3411 r
= mount_all(directory
,
3414 arg_selinux_apifs_context
);
3418 r
= copy_devnodes(directory
);
3422 r
= make_extra_nodes(directory
);
3426 (void) dev_setup(directory
, arg_uid_shift
, arg_uid_shift
);
3427 (void) make_inaccessible_nodes(directory
, arg_uid_shift
, arg_uid_shift
);
3429 r
= setup_pts(directory
);
3433 r
= setup_propagate(directory
);
3437 r
= setup_keyring();
3441 r
= setup_timezone(directory
);
3445 r
= setup_resolv_conf(directory
);
3449 r
= setup_machine_id(directory
);
3453 r
= setup_journal(directory
);
3460 arg_n_custom_mounts
,
3461 arg_userns_mode
!= USER_NAMESPACE_NO
,
3464 arg_selinux_apifs_context
,
3469 if (!arg_use_cgns
) {
3472 arg_unified_cgroup_hierarchy
,
3473 arg_userns_mode
!= USER_NAMESPACE_NO
,
3476 arg_selinux_apifs_context
,
3482 r
= mount_move_root(directory
);
3484 return log_error_errno(r
, "Failed to move root directory: %m");
3486 fd
= setup_sd_notify_child();
3490 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
|
3491 arg_clone_ns_flags
|
3492 (arg_userns_mode
!= USER_NAMESPACE_NO
? CLONE_NEWUSER
: 0));
3494 return log_error_errno(errno
, "Failed to fork inner child: %m");
3496 pid_socket
= safe_close(pid_socket
);
3497 uuid_socket
= safe_close(uuid_socket
);
3498 notify_socket
= safe_close(notify_socket
);
3499 uid_shift_socket
= safe_close(uid_shift_socket
);
3501 /* The inner child has all namespaces that are
3502 * requested, so that we all are owned by the user if
3503 * user namespaces are turned on. */
3505 if (arg_network_namespace_path
) {
3506 r
= namespace_enter(-1, -1, netns_fd
, -1, -1);
3508 return log_error_errno(r
, "Failed to join network namespace: %m");
3511 r
= inner_child(barrier
, directory
, secondary
, kmsg_socket
, rtnl_socket
, master_pty_socket
, fds
);
3513 _exit(EXIT_FAILURE
);
3515 _exit(EXIT_SUCCESS
);
3518 l
= send(pid_socket
, &pid
, sizeof(pid
), MSG_NOSIGNAL
);
3520 return log_error_errno(errno
, "Failed to send PID: %m");
3521 if (l
!= sizeof(pid
))
3522 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3523 "Short write while sending PID.");
3525 l
= send(uuid_socket
, &arg_uuid
, sizeof(arg_uuid
), MSG_NOSIGNAL
);
3527 return log_error_errno(errno
, "Failed to send machine ID: %m");
3528 if (l
!= sizeof(arg_uuid
))
3529 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3530 "Short write while sending machine ID.");
3532 l
= send_one_fd(notify_socket
, fd
, 0);
3534 return log_error_errno(l
, "Failed to send notify fd: %m");
3536 pid_socket
= safe_close(pid_socket
);
3537 uuid_socket
= safe_close(uuid_socket
);
3538 notify_socket
= safe_close(notify_socket
);
3539 master_pty_socket
= safe_close(master_pty_socket
);
3540 kmsg_socket
= safe_close(kmsg_socket
);
3541 rtnl_socket
= safe_close(rtnl_socket
);
3542 netns_fd
= safe_close(netns_fd
);
3547 static int uid_shift_pick(uid_t
*shift
, LockFile
*ret_lock_file
) {
3548 bool tried_hashed
= false;
3549 unsigned n_tries
= 100;
3554 assert(ret_lock_file
);
3555 assert(arg_userns_mode
== USER_NAMESPACE_PICK
);
3556 assert(arg_uid_range
== 0x10000U
);
3560 (void) mkdir("/run/systemd/nspawn-uid", 0755);
3563 char lock_path
[STRLEN("/run/systemd/nspawn-uid/") + DECIMAL_STR_MAX(uid_t
) + 1];
3564 _cleanup_(release_lock_file
) LockFile lf
= LOCK_FILE_INIT
;
3569 if (candidate
< CONTAINER_UID_BASE_MIN
|| candidate
> CONTAINER_UID_BASE_MAX
)
3571 if ((candidate
& UINT32_C(0xFFFF)) != 0)
3574 xsprintf(lock_path
, "/run/systemd/nspawn-uid/" UID_FMT
, candidate
);
3575 r
= make_lock_file(lock_path
, LOCK_EX
|LOCK_NB
, &lf
);
3576 if (r
== -EBUSY
) /* Range already taken by another nspawn instance */
3581 /* Make some superficial checks whether the range is currently known in the user database */
3582 if (getpwuid(candidate
))
3584 if (getpwuid(candidate
+ UINT32_C(0xFFFE)))
3586 if (getgrgid(candidate
))
3588 if (getgrgid(candidate
+ UINT32_C(0xFFFE)))
3591 *ret_lock_file
= lf
;
3592 lf
= (struct LockFile
) LOCK_FILE_INIT
;
3597 if (arg_machine
&& !tried_hashed
) {
3598 /* Try to hash the base from the container name */
3600 static const uint8_t hash_key
[] = {
3601 0xe1, 0x56, 0xe0, 0xf0, 0x4a, 0xf0, 0x41, 0xaf,
3602 0x96, 0x41, 0xcf, 0x41, 0x33, 0x94, 0xff, 0x72
3605 candidate
= (uid_t
) siphash24(arg_machine
, strlen(arg_machine
), hash_key
);
3607 tried_hashed
= true;
3609 random_bytes(&candidate
, sizeof(candidate
));
3611 candidate
= (candidate
% (CONTAINER_UID_BASE_MAX
- CONTAINER_UID_BASE_MIN
)) + CONTAINER_UID_BASE_MIN
;
3612 candidate
&= (uid_t
) UINT32_C(0xFFFF0000);
3616 static int setup_uid_map(pid_t pid
) {
3617 char uid_map
[STRLEN("/proc//uid_map") + DECIMAL_STR_MAX(uid_t
) + 1], line
[DECIMAL_STR_MAX(uid_t
)*3+3+1];
3622 xsprintf(uid_map
, "/proc/" PID_FMT
"/uid_map", pid
);
3623 xsprintf(line
, UID_FMT
" " UID_FMT
" " UID_FMT
"\n", 0, arg_uid_shift
, arg_uid_range
);
3624 r
= write_string_file(uid_map
, line
, WRITE_STRING_FILE_DISABLE_BUFFER
);
3626 return log_error_errno(r
, "Failed to write UID map: %m");
3628 /* We always assign the same UID and GID ranges */
3629 xsprintf(uid_map
, "/proc/" PID_FMT
"/gid_map", pid
);
3630 r
= write_string_file(uid_map
, line
, WRITE_STRING_FILE_DISABLE_BUFFER
);
3632 return log_error_errno(r
, "Failed to write GID map: %m");
3637 static int nspawn_dispatch_notify_fd(sd_event_source
*source
, int fd
, uint32_t revents
, void *userdata
) {
3638 char buf
[NOTIFY_BUFFER_MAX
+1];
3640 struct iovec iovec
= {
3642 .iov_len
= sizeof(buf
)-1,
3645 struct cmsghdr cmsghdr
;
3646 uint8_t buf
[CMSG_SPACE(sizeof(struct ucred
)) +
3647 CMSG_SPACE(sizeof(int) * NOTIFY_FD_MAX
)];
3649 struct msghdr msghdr
= {
3652 .msg_control
= &control
,
3653 .msg_controllen
= sizeof(control
),
3655 struct cmsghdr
*cmsg
;
3656 struct ucred
*ucred
= NULL
;
3658 pid_t inner_child_pid
;
3659 _cleanup_strv_free_
char **tags
= NULL
;
3663 inner_child_pid
= PTR_TO_PID(userdata
);
3665 if (revents
!= EPOLLIN
) {
3666 log_warning("Got unexpected poll event for notify fd.");
3670 n
= recvmsg(fd
, &msghdr
, MSG_DONTWAIT
|MSG_CMSG_CLOEXEC
);
3672 if (IN_SET(errno
, EAGAIN
, EINTR
))
3675 return log_warning_errno(errno
, "Couldn't read notification socket: %m");
3677 cmsg_close_all(&msghdr
);
3679 CMSG_FOREACH(cmsg
, &msghdr
) {
3680 if (cmsg
->cmsg_level
== SOL_SOCKET
&&
3681 cmsg
->cmsg_type
== SCM_CREDENTIALS
&&
3682 cmsg
->cmsg_len
== CMSG_LEN(sizeof(struct ucred
))) {
3684 ucred
= (struct ucred
*) CMSG_DATA(cmsg
);
3688 if (!ucred
|| ucred
->pid
!= inner_child_pid
) {
3689 log_debug("Received notify message without valid credentials. Ignoring.");
3693 if ((size_t) n
>= sizeof(buf
)) {
3694 log_warning("Received notify message exceeded maximum size. Ignoring.");
3699 tags
= strv_split(buf
, "\n\r");
3703 if (strv_find(tags
, "READY=1"))
3704 (void) sd_notifyf(false, "READY=1\n");
3706 p
= strv_find_startswith(tags
, "STATUS=");
3708 (void) sd_notifyf(false, "STATUS=Container running: %s", p
);
3713 static int setup_sd_notify_parent(sd_event
*event
, int fd
, pid_t
*inner_child_pid
, sd_event_source
**notify_event_source
) {
3716 r
= sd_event_add_io(event
, notify_event_source
, fd
, EPOLLIN
, nspawn_dispatch_notify_fd
, inner_child_pid
);
3718 return log_error_errno(r
, "Failed to allocate notify event source: %m");
3720 (void) sd_event_source_set_description(*notify_event_source
, "nspawn-notify");
3725 static int merge_settings(Settings
*settings
, const char *path
) {
3731 /* Copy over bits from the settings, unless they have been explicitly masked by command line switches. Note
3732 * that this steals the fields of the Settings* structure, and hence modifies it. */
3734 if ((arg_settings_mask
& SETTING_START_MODE
) == 0 &&
3735 settings
->start_mode
>= 0) {
3736 arg_start_mode
= settings
->start_mode
;
3737 strv_free_and_replace(arg_parameters
, settings
->parameters
);
3740 if ((arg_settings_mask
& SETTING_EPHEMERAL
) == 0)
3741 arg_ephemeral
= settings
->ephemeral
;
3743 if ((arg_settings_mask
& SETTING_DIRECTORY
) == 0 &&
3746 if (!arg_settings_trusted
)
3747 log_warning("Ignoring root directory setting, file %s is not trusted.", path
);
3749 free_and_replace(arg_directory
, settings
->root
);
3752 if ((arg_settings_mask
& SETTING_PIVOT_ROOT
) == 0 &&
3753 settings
->pivot_root_new
) {
3754 free_and_replace(arg_pivot_root_new
, settings
->pivot_root_new
);
3755 free_and_replace(arg_pivot_root_old
, settings
->pivot_root_old
);
3758 if ((arg_settings_mask
& SETTING_WORKING_DIRECTORY
) == 0 &&
3759 settings
->working_directory
)
3760 free_and_replace(arg_chdir
, settings
->working_directory
);
3762 if ((arg_settings_mask
& SETTING_ENVIRONMENT
) == 0 &&
3763 settings
->environment
)
3764 strv_free_and_replace(arg_setenv
, settings
->environment
);
3766 if ((arg_settings_mask
& SETTING_USER
) == 0) {
3769 free_and_replace(arg_user
, settings
->user
);
3771 if (uid_is_valid(settings
->uid
))
3772 arg_uid
= settings
->uid
;
3773 if (gid_is_valid(settings
->gid
))
3774 arg_gid
= settings
->gid
;
3775 if (settings
->n_supplementary_gids
> 0) {
3776 free_and_replace(arg_supplementary_gids
, settings
->supplementary_gids
);
3777 arg_n_supplementary_gids
= settings
->n_supplementary_gids
;
3781 if ((arg_settings_mask
& SETTING_CAPABILITY
) == 0) {
3782 uint64_t plus
, minus
;
3784 /* Note that we copy both the simple plus/minus caps here, and the full quintet from the
3785 * Settings structure */
3787 plus
= settings
->capability
;
3788 minus
= settings
->drop_capability
;
3790 if ((arg_settings_mask
& SETTING_NETWORK
) == 0) {
3791 if (settings_private_network(settings
))
3792 plus
|= UINT64_C(1) << CAP_NET_ADMIN
;
3794 minus
|= UINT64_C(1) << CAP_NET_ADMIN
;
3797 if (!arg_settings_trusted
&& plus
!= 0) {
3798 if (settings
->capability
!= 0)
3799 log_warning("Ignoring Capability= setting, file %s is not trusted.", path
);
3801 arg_caps_retain
|= plus
;
3803 arg_caps_retain
&= ~minus
;
3805 /* Copy the full capabilities over too */
3806 if (capability_quintet_is_set(&settings
->full_capabilities
)) {
3807 if (!arg_settings_trusted
)
3808 log_warning("Ignoring capability settings, file %s is not trusted.", path
);
3810 arg_full_capabilities
= settings
->full_capabilities
;
3814 if ((arg_settings_mask
& SETTING_KILL_SIGNAL
) == 0 &&
3815 settings
->kill_signal
> 0)
3816 arg_kill_signal
= settings
->kill_signal
;
3818 if ((arg_settings_mask
& SETTING_PERSONALITY
) == 0 &&
3819 settings
->personality
!= PERSONALITY_INVALID
)
3820 arg_personality
= settings
->personality
;
3822 if ((arg_settings_mask
& SETTING_MACHINE_ID
) == 0 &&
3823 !sd_id128_is_null(settings
->machine_id
)) {
3825 if (!arg_settings_trusted
)
3826 log_warning("Ignoring MachineID= setting, file %s is not trusted.", path
);
3828 arg_uuid
= settings
->machine_id
;
3831 if ((arg_settings_mask
& SETTING_READ_ONLY
) == 0 &&
3832 settings
->read_only
>= 0)
3833 arg_read_only
= settings
->read_only
;
3835 if ((arg_settings_mask
& SETTING_VOLATILE_MODE
) == 0 &&
3836 settings
->volatile_mode
!= _VOLATILE_MODE_INVALID
)
3837 arg_volatile_mode
= settings
->volatile_mode
;
3839 if ((arg_settings_mask
& SETTING_CUSTOM_MOUNTS
) == 0 &&
3840 settings
->n_custom_mounts
> 0) {
3842 if (!arg_settings_trusted
)
3843 log_warning("Ignoring TemporaryFileSystem=, Bind= and BindReadOnly= settings, file %s is not trusted.", path
);
3845 custom_mount_free_all(arg_custom_mounts
, arg_n_custom_mounts
);
3846 arg_custom_mounts
= TAKE_PTR(settings
->custom_mounts
);
3847 arg_n_custom_mounts
= settings
->n_custom_mounts
;
3848 settings
->n_custom_mounts
= 0;
3852 if ((arg_settings_mask
& SETTING_NETWORK
) == 0 &&
3853 (settings
->private_network
>= 0 ||
3854 settings
->network_veth
>= 0 ||
3855 settings
->network_bridge
||
3856 settings
->network_zone
||
3857 settings
->network_interfaces
||
3858 settings
->network_macvlan
||
3859 settings
->network_ipvlan
||
3860 settings
->network_veth_extra
||
3861 settings
->network_namespace_path
)) {
3863 if (!arg_settings_trusted
)
3864 log_warning("Ignoring network settings, file %s is not trusted.", path
);
3866 arg_network_veth
= settings_network_veth(settings
);
3867 arg_private_network
= settings_private_network(settings
);
3869 strv_free_and_replace(arg_network_interfaces
, settings
->network_interfaces
);
3870 strv_free_and_replace(arg_network_macvlan
, settings
->network_macvlan
);
3871 strv_free_and_replace(arg_network_ipvlan
, settings
->network_ipvlan
);
3872 strv_free_and_replace(arg_network_veth_extra
, settings
->network_veth_extra
);
3874 free_and_replace(arg_network_bridge
, settings
->network_bridge
);
3875 free_and_replace(arg_network_zone
, settings
->network_zone
);
3877 free_and_replace(arg_network_namespace_path
, settings
->network_namespace_path
);
3881 if ((arg_settings_mask
& SETTING_EXPOSE_PORTS
) == 0 &&
3882 settings
->expose_ports
) {
3884 if (!arg_settings_trusted
)
3885 log_warning("Ignoring Port= setting, file %s is not trusted.", path
);
3887 expose_port_free_all(arg_expose_ports
);
3888 arg_expose_ports
= TAKE_PTR(settings
->expose_ports
);
3892 if ((arg_settings_mask
& SETTING_USERNS
) == 0 &&
3893 settings
->userns_mode
!= _USER_NAMESPACE_MODE_INVALID
) {
3895 if (!arg_settings_trusted
)
3896 log_warning("Ignoring PrivateUsers= and PrivateUsersChown= settings, file %s is not trusted.", path
);
3898 arg_userns_mode
= settings
->userns_mode
;
3899 arg_uid_shift
= settings
->uid_shift
;
3900 arg_uid_range
= settings
->uid_range
;
3901 arg_userns_chown
= settings
->userns_chown
;
3905 if ((arg_settings_mask
& SETTING_NOTIFY_READY
) == 0)
3906 arg_notify_ready
= settings
->notify_ready
;
3908 if ((arg_settings_mask
& SETTING_SYSCALL_FILTER
) == 0) {
3910 if (!arg_settings_trusted
&& !strv_isempty(settings
->syscall_whitelist
))
3911 log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path
);
3913 strv_free_and_replace(arg_syscall_whitelist
, settings
->syscall_whitelist
);
3914 strv_free_and_replace(arg_syscall_blacklist
, settings
->syscall_blacklist
);
3918 if (!arg_settings_trusted
&& settings
->seccomp
)
3919 log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path
);
3921 seccomp_release(arg_seccomp
);
3922 arg_seccomp
= TAKE_PTR(settings
->seccomp
);
3927 for (rl
= 0; rl
< _RLIMIT_MAX
; rl
++) {
3928 if ((arg_settings_mask
& (SETTING_RLIMIT_FIRST
<< rl
)))
3931 if (!settings
->rlimit
[rl
])
3934 if (!arg_settings_trusted
) {
3935 log_warning("Ignoring Limit%s= setting, file '%s' is not trusted.", rlimit_to_string(rl
), path
);
3939 free_and_replace(arg_rlimit
[rl
], settings
->rlimit
[rl
]);
3942 if ((arg_settings_mask
& SETTING_HOSTNAME
) == 0 &&
3944 free_and_replace(arg_hostname
, settings
->hostname
);
3946 if ((arg_settings_mask
& SETTING_NO_NEW_PRIVILEGES
) == 0 &&
3947 settings
->no_new_privileges
>= 0)
3948 arg_no_new_privileges
= settings
->no_new_privileges
;
3950 if ((arg_settings_mask
& SETTING_OOM_SCORE_ADJUST
) == 0 &&
3951 settings
->oom_score_adjust_set
) {
3953 if (!arg_settings_trusted
)
3954 log_warning("Ignoring OOMScoreAdjust= setting, file '%s' is not trusted.", path
);
3956 arg_oom_score_adjust
= settings
->oom_score_adjust
;
3957 arg_oom_score_adjust_set
= true;
3961 if ((arg_settings_mask
& SETTING_CPU_AFFINITY
) == 0 &&
3962 settings
->cpu_set
.set
) {
3964 if (!arg_settings_trusted
)
3965 log_warning("Ignoring CPUAffinity= setting, file '%s' is not trusted.", path
);
3967 cpu_set_reset(&arg_cpu_set
);
3968 arg_cpu_set
= settings
->cpu_set
;
3969 settings
->cpu_set
= (CPUSet
) {};
3973 if ((arg_settings_mask
& SETTING_RESOLV_CONF
) == 0 &&
3974 settings
->resolv_conf
!= _RESOLV_CONF_MODE_INVALID
)
3975 arg_resolv_conf
= settings
->resolv_conf
;
3977 if ((arg_settings_mask
& SETTING_LINK_JOURNAL
) == 0 &&
3978 settings
->link_journal
!= _LINK_JOURNAL_INVALID
) {
3980 if (!arg_settings_trusted
)
3981 log_warning("Ignoring journal link setting, file '%s' is not trusted.", path
);
3983 arg_link_journal
= settings
->link_journal
;
3984 arg_link_journal_try
= settings
->link_journal_try
;
3988 if ((arg_settings_mask
& SETTING_TIMEZONE
) == 0 &&
3989 settings
->timezone
!= _TIMEZONE_MODE_INVALID
)
3990 arg_timezone
= settings
->timezone
;
3992 if ((arg_settings_mask
& SETTING_SLICE
) == 0 &&
3995 if (!arg_settings_trusted
)
3996 log_warning("Ignoring slice setting, file '%s' is not trusted.", path
);
3998 free_and_replace(arg_slice
, settings
->slice
);
4001 if ((arg_settings_mask
& SETTING_USE_CGNS
) == 0 &&
4002 settings
->use_cgns
>= 0) {
4004 if (!arg_settings_trusted
)
4005 log_warning("Ignoring cgroup namespace setting, file '%s' is not trusted.", path
);
4007 arg_use_cgns
= settings
->use_cgns
;
4010 if ((arg_settings_mask
& SETTING_CLONE_NS_FLAGS
) == 0 &&
4011 settings
->clone_ns_flags
!= (unsigned long) -1) {
4013 if (!arg_settings_trusted
)
4014 log_warning("Ignoring namespace setting, file '%s' is not trusted.", path
);
4016 arg_clone_ns_flags
= settings
->clone_ns_flags
;
4019 if ((arg_settings_mask
& SETTING_CONSOLE_MODE
) == 0 &&
4020 settings
->console_mode
>= 0) {
4022 if (!arg_settings_trusted
)
4023 log_warning("Ignoring console mode setting, file '%s' is not trusted.", path
);
4025 arg_console_mode
= settings
->console_mode
;
4028 /* The following properties can only be set through the OCI settings logic, not from the command line, hence we
4029 * don't consult arg_settings_mask for them. */
4031 sd_bus_message_unref(arg_property_message
);
4032 arg_property_message
= TAKE_PTR(settings
->properties
);
4034 arg_console_width
= settings
->console_width
;
4035 arg_console_height
= settings
->console_height
;
4037 device_node_array_free(arg_extra_nodes
, arg_n_extra_nodes
);
4038 arg_extra_nodes
= TAKE_PTR(settings
->extra_nodes
);
4039 arg_n_extra_nodes
= settings
->n_extra_nodes
;
4044 static int load_settings(void) {
4045 _cleanup_(settings_freep
) Settings
*settings
= NULL
;
4046 _cleanup_fclose_
FILE *f
= NULL
;
4047 _cleanup_free_
char *p
= NULL
;
4054 /* If all settings are masked, there's no point in looking for
4055 * the settings file */
4056 if ((arg_settings_mask
& _SETTINGS_MASK_ALL
) == _SETTINGS_MASK_ALL
)
4059 fn
= strjoina(arg_machine
, ".nspawn");
4061 /* We first look in the admin's directories in /etc and /run */
4062 FOREACH_STRING(i
, "/etc/systemd/nspawn", "/run/systemd/nspawn") {
4063 _cleanup_free_
char *j
= NULL
;
4065 j
= path_join(i
, fn
);
4073 /* By default, we trust configuration from /etc and /run */
4074 if (arg_settings_trusted
< 0)
4075 arg_settings_trusted
= true;
4080 if (errno
!= ENOENT
)
4081 return log_error_errno(errno
, "Failed to open %s: %m", j
);
4085 /* After that, let's look for a file next to the
4086 * actual image we shall boot. */
4089 p
= file_in_same_dir(arg_image
, fn
);
4092 } else if (arg_directory
&& !path_equal(arg_directory
, "/")) {
4093 p
= file_in_same_dir(arg_directory
, fn
);
4100 if (!f
&& errno
!= ENOENT
)
4101 return log_error_errno(errno
, "Failed to open %s: %m", p
);
4103 /* By default, we do not trust configuration from /var/lib/machines */
4104 if (arg_settings_trusted
< 0)
4105 arg_settings_trusted
= false;
4112 log_debug("Settings are trusted: %s", yes_no(arg_settings_trusted
));
4114 r
= settings_load(f
, p
, &settings
);
4118 return merge_settings(settings
, p
);
4121 static int load_oci_bundle(void) {
4122 _cleanup_(settings_freep
) Settings
*settings
= NULL
;
4125 if (!arg_oci_bundle
)
4128 /* By default let's trust OCI bundles */
4129 if (arg_settings_trusted
< 0)
4130 arg_settings_trusted
= true;
4132 r
= oci_load(NULL
, arg_oci_bundle
, &settings
);
4136 return merge_settings(settings
, arg_oci_bundle
);
4139 static int run_container(
4140 DissectedImage
*dissected_image
,
4143 char veth_name
[IFNAMSIZ
], bool *veth_created
,
4144 union in_addr_union
*exposed
,
4145 int *master
, pid_t
*pid
, int *ret
) {
4147 static const struct sigaction sa
= {
4148 .sa_handler
= nop_signal_handler
,
4149 .sa_flags
= SA_NOCLDSTOP
|SA_RESTART
,
4152 _cleanup_(release_lock_file
) LockFile uid_shift_lock
= LOCK_FILE_INIT
;
4153 _cleanup_close_
int etc_passwd_lock
= -1;
4154 _cleanup_close_pair_
int
4155 kmsg_socket_pair
[2] = { -1, -1 },
4156 rtnl_socket_pair
[2] = { -1, -1 },
4157 pid_socket_pair
[2] = { -1, -1 },
4158 uuid_socket_pair
[2] = { -1, -1 },
4159 notify_socket_pair
[2] = { -1, -1 },
4160 uid_shift_socket_pair
[2] = { -1, -1 },
4161 master_pty_socket_pair
[2] = { -1, -1 },
4162 unified_cgroup_hierarchy_socket_pair
[2] = { -1, -1};
4164 _cleanup_close_
int notify_socket
= -1;
4165 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
4166 _cleanup_(sd_event_source_unrefp
) sd_event_source
*notify_event_source
= NULL
;
4167 _cleanup_(sd_event_unrefp
) sd_event
*event
= NULL
;
4168 _cleanup_(pty_forward_freep
) PTYForward
*forward
= NULL
;
4169 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
4170 _cleanup_(sd_bus_flush_close_unrefp
) sd_bus
*bus
= NULL
;
4171 ContainerStatus container_status
= 0;
4175 _cleanup_close_
int netns_fd
= -1;
4177 assert_se(sigemptyset(&mask_chld
) == 0);
4178 assert_se(sigaddset(&mask_chld
, SIGCHLD
) == 0);
4180 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
4181 /* When we shall pick the UID/GID range, let's first lock /etc/passwd, so that we can safely
4182 * check with getpwuid() if the specific user already exists. Note that /etc might be
4183 * read-only, in which case this will fail with EROFS. But that's really OK, as in that case we
4184 * can be reasonably sure that no users are going to be added. Note that getpwuid() checks are
4185 * really just an extra safety net. We kinda assume that the UID range we allocate from is
4188 etc_passwd_lock
= take_etc_passwd_lock(NULL
);
4189 if (etc_passwd_lock
< 0 && etc_passwd_lock
!= -EROFS
)
4190 return log_error_errno(etc_passwd_lock
, "Failed to take /etc/passwd lock: %m");
4193 r
= barrier_create(&barrier
);
4195 return log_error_errno(r
, "Cannot initialize IPC barrier: %m");
4197 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, kmsg_socket_pair
) < 0)
4198 return log_error_errno(errno
, "Failed to create kmsg socket pair: %m");
4200 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, rtnl_socket_pair
) < 0)
4201 return log_error_errno(errno
, "Failed to create rtnl socket pair: %m");
4203 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, pid_socket_pair
) < 0)
4204 return log_error_errno(errno
, "Failed to create pid socket pair: %m");
4206 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, uuid_socket_pair
) < 0)
4207 return log_error_errno(errno
, "Failed to create id socket pair: %m");
4209 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, notify_socket_pair
) < 0)
4210 return log_error_errno(errno
, "Failed to create notify socket pair: %m");
4212 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, master_pty_socket_pair
) < 0)
4213 return log_error_errno(errno
, "Failed to create console socket pair: %m");
4215 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
4216 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, uid_shift_socket_pair
) < 0)
4217 return log_error_errno(errno
, "Failed to create uid shift socket pair: %m");
4219 if (arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
)
4220 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, unified_cgroup_hierarchy_socket_pair
) < 0)
4221 return log_error_errno(errno
, "Failed to create unified cgroup socket pair: %m");
4223 /* Child can be killed before execv(), so handle SIGCHLD in order to interrupt
4224 * parent's blocking calls and give it a chance to call wait() and terminate. */
4225 r
= sigprocmask(SIG_UNBLOCK
, &mask_chld
, NULL
);
4227 return log_error_errno(errno
, "Failed to change the signal mask: %m");
4229 r
= sigaction(SIGCHLD
, &sa
, NULL
);
4231 return log_error_errno(errno
, "Failed to install SIGCHLD handler: %m");
4233 if (arg_network_namespace_path
) {
4234 netns_fd
= open(arg_network_namespace_path
, O_RDONLY
|O_NOCTTY
|O_CLOEXEC
);
4236 return log_error_errno(errno
, "Cannot open file %s: %m", arg_network_namespace_path
);
4238 r
= fd_is_network_ns(netns_fd
);
4240 log_debug_errno(r
, "Cannot determine if passed network namespace path '%s' really refers to a network namespace, assuming it does.", arg_network_namespace_path
);
4242 return log_error_errno(r
, "Failed to check %s fs type: %m", arg_network_namespace_path
);
4244 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
4245 "Path %s doesn't refer to a network namespace, refusing.", arg_network_namespace_path
);
4248 *pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
);
4250 return log_error_errno(errno
, "clone() failed%s: %m",
4252 ", do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in)" : "");
4255 /* The outer child only has a file system namespace. */
4256 barrier_set_role(&barrier
, BARRIER_CHILD
);
4258 kmsg_socket_pair
[0] = safe_close(kmsg_socket_pair
[0]);
4259 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4260 pid_socket_pair
[0] = safe_close(pid_socket_pair
[0]);
4261 uuid_socket_pair
[0] = safe_close(uuid_socket_pair
[0]);
4262 notify_socket_pair
[0] = safe_close(notify_socket_pair
[0]);
4263 master_pty_socket_pair
[0] = safe_close(master_pty_socket_pair
[0]);
4264 uid_shift_socket_pair
[0] = safe_close(uid_shift_socket_pair
[0]);
4265 unified_cgroup_hierarchy_socket_pair
[0] = safe_close(unified_cgroup_hierarchy_socket_pair
[0]);
4267 (void) reset_all_signal_handlers();
4268 (void) reset_signal_mask();
4270 r
= outer_child(&barrier
,
4275 uuid_socket_pair
[1],
4276 notify_socket_pair
[1],
4277 kmsg_socket_pair
[1],
4278 rtnl_socket_pair
[1],
4279 uid_shift_socket_pair
[1],
4280 master_pty_socket_pair
[1],
4281 unified_cgroup_hierarchy_socket_pair
[1],
4285 _exit(EXIT_FAILURE
);
4287 _exit(EXIT_SUCCESS
);
4290 barrier_set_role(&barrier
, BARRIER_PARENT
);
4294 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
4295 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
4296 pid_socket_pair
[1] = safe_close(pid_socket_pair
[1]);
4297 uuid_socket_pair
[1] = safe_close(uuid_socket_pair
[1]);
4298 notify_socket_pair
[1] = safe_close(notify_socket_pair
[1]);
4299 master_pty_socket_pair
[1] = safe_close(master_pty_socket_pair
[1]);
4300 uid_shift_socket_pair
[1] = safe_close(uid_shift_socket_pair
[1]);
4301 unified_cgroup_hierarchy_socket_pair
[1] = safe_close(unified_cgroup_hierarchy_socket_pair
[1]);
4303 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
4304 /* The child just let us know the UID shift it might have read from the image. */
4305 l
= recv(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof arg_uid_shift
, 0);
4307 return log_error_errno(errno
, "Failed to read UID shift: %m");
4308 if (l
!= sizeof arg_uid_shift
)
4309 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short read while reading UID shift.");
4311 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
4312 /* If we are supposed to pick the UID shift, let's try to use the shift read from the
4313 * image, but if that's already in use, pick a new one, and report back to the child,
4314 * which one we now picked. */
4316 r
= uid_shift_pick(&arg_uid_shift
, &uid_shift_lock
);
4318 return log_error_errno(r
, "Failed to pick suitable UID/GID range: %m");
4320 l
= send(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof arg_uid_shift
, MSG_NOSIGNAL
);
4322 return log_error_errno(errno
, "Failed to send UID shift: %m");
4323 if (l
!= sizeof arg_uid_shift
)
4324 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short write while writing UID shift.");
4328 if (arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
) {
4329 /* The child let us know the support cgroup mode it might have read from the image. */
4330 l
= recv(unified_cgroup_hierarchy_socket_pair
[0], &arg_unified_cgroup_hierarchy
, sizeof(arg_unified_cgroup_hierarchy
), 0);
4332 return log_error_errno(errno
, "Failed to read cgroup mode: %m");
4333 if (l
!= sizeof(arg_unified_cgroup_hierarchy
))
4334 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short read while reading cgroup mode (%zu bytes).%s",
4335 l
, l
== 0 ? " The child is most likely dead." : "");
4338 /* Wait for the outer child. */
4339 r
= wait_for_terminate_and_check("(sd-namespace)", *pid
, WAIT_LOG_ABNORMAL
);
4342 if (r
!= EXIT_SUCCESS
)
4345 /* And now retrieve the PID of the inner child. */
4346 l
= recv(pid_socket_pair
[0], pid
, sizeof *pid
, 0);
4348 return log_error_errno(errno
, "Failed to read inner child PID: %m");
4349 if (l
!= sizeof *pid
)
4350 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short read while reading inner child PID.");
4352 /* We also retrieve container UUID in case it was generated by outer child */
4353 l
= recv(uuid_socket_pair
[0], &arg_uuid
, sizeof arg_uuid
, 0);
4355 return log_error_errno(errno
, "Failed to read container machine ID: %m");
4356 if (l
!= sizeof(arg_uuid
))
4357 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short read while reading container machined ID.");
4359 /* We also retrieve the socket used for notifications generated by outer child */
4360 notify_socket
= receive_one_fd(notify_socket_pair
[0], 0);
4361 if (notify_socket
< 0)
4362 return log_error_errno(notify_socket
,
4363 "Failed to receive notification socket from the outer child: %m");
4365 log_debug("Init process invoked as PID "PID_FMT
, *pid
);
4367 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
4368 if (!barrier_place_and_sync(&barrier
)) /* #1 */
4369 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
), "Child died too early.");
4371 r
= setup_uid_map(*pid
);
4375 (void) barrier_place(&barrier
); /* #2 */
4378 if (arg_private_network
) {
4379 if (!arg_network_namespace_path
) {
4380 /* Wait until the child has unshared its network namespace. */
4381 if (!barrier_place_and_sync(&barrier
)) /* #3 */
4382 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
), "Child died too early");
4385 r
= move_network_interfaces(*pid
, arg_network_interfaces
);
4389 if (arg_network_veth
) {
4390 r
= setup_veth(arg_machine
, *pid
, veth_name
,
4391 arg_network_bridge
|| arg_network_zone
);
4397 if (arg_network_bridge
) {
4398 /* Add the interface to a bridge */
4399 r
= setup_bridge(veth_name
, arg_network_bridge
, false);
4404 } else if (arg_network_zone
) {
4405 /* Add the interface to a bridge, possibly creating it */
4406 r
= setup_bridge(veth_name
, arg_network_zone
, true);
4414 r
= setup_veth_extra(arg_machine
, *pid
, arg_network_veth_extra
);
4418 /* We created the primary and extra veth links now; let's remember this, so that we know to
4419 remove them later on. Note that we don't bother with removing veth links that were created
4420 here when their setup failed half-way, because in that case the kernel should be able to
4421 remove them on its own, since they cannot be referenced by anything yet. */
4422 *veth_created
= true;
4424 r
= setup_macvlan(arg_machine
, *pid
, arg_network_macvlan
);
4428 r
= setup_ipvlan(arg_machine
, *pid
, arg_network_ipvlan
);
4433 if (arg_register
|| !arg_keep_unit
) {
4434 r
= sd_bus_default_system(&bus
);
4436 return log_error_errno(r
, "Failed to open system bus: %m");
4438 r
= sd_bus_set_close_on_exit(bus
, false);
4440 return log_error_errno(r
, "Failed to disable close-on-exit behaviour: %m");
4443 if (!arg_keep_unit
) {
4444 /* When a new scope is created for this container, then we'll be registered as its controller, in which
4445 * case PID 1 will send us a friendly RequestStop signal, when it is asked to terminate the
4446 * scope. Let's hook into that, and cleanly shut down the container, and print a friendly message. */
4448 r
= sd_bus_match_signal_async(
4451 "org.freedesktop.systemd1",
4453 "org.freedesktop.systemd1.Scope",
4455 on_request_stop
, NULL
, PID_TO_PTR(*pid
));
4457 return log_error_errno(r
, "Failed to request RequestStop match: %m");
4461 r
= register_machine(
4469 arg_custom_mounts
, arg_n_custom_mounts
,
4472 arg_property_message
,
4474 arg_container_service_name
);
4478 } else if (!arg_keep_unit
) {
4484 arg_custom_mounts
, arg_n_custom_mounts
,
4487 arg_property_message
);
4491 } else if (arg_slice
|| arg_property
)
4492 log_notice("Machine and scope registration turned off, --slice= and --property= settings will have no effect.");
4494 r
= create_subcgroup(*pid
, arg_keep_unit
, arg_unified_cgroup_hierarchy
);
4498 r
= sync_cgroup(*pid
, arg_unified_cgroup_hierarchy
, arg_uid_shift
);
4502 r
= chown_cgroup(*pid
, arg_unified_cgroup_hierarchy
, arg_uid_shift
);
4506 /* Notify the child that the parent is ready with all
4507 * its setup (including cgroup-ification), and that
4508 * the child can now hand over control to the code to
4509 * run inside the container. */
4510 (void) barrier_place(&barrier
); /* #4 */
4512 /* Block SIGCHLD here, before notifying child.
4513 * process_pty() will handle it with the other signals. */
4514 assert_se(sigprocmask(SIG_BLOCK
, &mask_chld
, NULL
) >= 0);
4516 /* Reset signal to default */
4517 r
= default_signals(SIGCHLD
, -1);
4519 return log_error_errno(r
, "Failed to reset SIGCHLD: %m");
4521 r
= sd_event_new(&event
);
4523 return log_error_errno(r
, "Failed to get default event source: %m");
4525 (void) sd_event_set_watchdog(event
, true);
4528 r
= sd_bus_attach_event(bus
, event
, 0);
4530 return log_error_errno(r
, "Failed to attach bus to event loop: %m");
4533 r
= setup_sd_notify_parent(event
, notify_socket
, PID_TO_PTR(*pid
), ¬ify_event_source
);
4537 /* Let the child know that we are ready and wait that the child is completely ready now. */
4538 if (!barrier_place_and_sync(&barrier
)) /* #5 */
4539 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
), "Child died too early.");
4541 /* At this point we have made use of the UID we picked, and thus nss-mymachines
4542 * will make them appear in getpwuid(), thus we can release the /etc/passwd lock. */
4543 etc_passwd_lock
= safe_close(etc_passwd_lock
);
4545 (void) sd_notifyf(false,
4546 "STATUS=Container running.\n"
4547 "X_NSPAWN_LEADER_PID=" PID_FMT
, *pid
);
4548 if (!arg_notify_ready
)
4549 (void) sd_notify(false, "READY=1\n");
4551 if (arg_kill_signal
> 0) {
4552 /* Try to kill the init system on SIGINT or SIGTERM */
4553 (void) sd_event_add_signal(event
, NULL
, SIGINT
, on_orderly_shutdown
, PID_TO_PTR(*pid
));
4554 (void) sd_event_add_signal(event
, NULL
, SIGTERM
, on_orderly_shutdown
, PID_TO_PTR(*pid
));
4556 /* Immediately exit */
4557 (void) sd_event_add_signal(event
, NULL
, SIGINT
, NULL
, NULL
);
4558 (void) sd_event_add_signal(event
, NULL
, SIGTERM
, NULL
, NULL
);
4561 /* Exit when the child exits */
4562 (void) sd_event_add_signal(event
, NULL
, SIGCHLD
, on_sigchld
, PID_TO_PTR(*pid
));
4564 if (arg_expose_ports
) {
4565 r
= expose_port_watch_rtnl(event
, rtnl_socket_pair
[0], on_address_change
, exposed
, &rtnl
);
4569 (void) expose_port_execute(rtnl
, arg_expose_ports
, exposed
);
4572 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4574 if (arg_console_mode
!= CONSOLE_PIPE
) {
4575 _cleanup_close_
int fd
= -1;
4576 PTYForwardFlags flags
= 0;
4578 /* Retrieve the master pty allocated by inner child */
4579 fd
= receive_one_fd(master_pty_socket_pair
[0], 0);
4581 return log_error_errno(fd
, "Failed to receive master pty from the inner child: %m");
4583 switch (arg_console_mode
) {
4585 case CONSOLE_READ_ONLY
:
4586 flags
|= PTY_FORWARD_READ_ONLY
;
4590 case CONSOLE_INTERACTIVE
:
4591 flags
|= PTY_FORWARD_IGNORE_VHANGUP
;
4593 r
= pty_forward_new(event
, fd
, flags
, &forward
);
4595 return log_error_errno(r
, "Failed to create PTY forwarder: %m");
4597 if (arg_console_width
!= (unsigned) -1 || arg_console_height
!= (unsigned) -1)
4598 (void) pty_forward_set_width_height(forward
,
4600 arg_console_height
);
4604 assert(arg_console_mode
== CONSOLE_PASSIVE
);
4607 *master
= TAKE_FD(fd
);
4610 r
= sd_event_loop(event
);
4612 return log_error_errno(r
, "Failed to run event loop: %m");
4617 (void) pty_forward_get_last_char(forward
, &last_char
);
4618 forward
= pty_forward_free(forward
);
4620 if (!arg_quiet
&& last_char
!= '\n')
4624 /* Kill if it is not dead yet anyway */
4625 if (!arg_register
&& !arg_keep_unit
&& bus
)
4626 terminate_scope(bus
, arg_machine
);
4628 /* Normally redundant, but better safe than sorry */
4629 (void) kill(*pid
, SIGKILL
);
4631 r
= wait_for_container(*pid
, &container_status
);
4634 /* Tell machined that we are gone. */
4636 (void) unregister_machine(bus
, arg_machine
);
4639 /* We failed to wait for the container, or the container exited abnormally. */
4641 if (r
> 0 || container_status
== CONTAINER_TERMINATED
) {
4642 /* r > 0 → The container exited with a non-zero status.
4643 * As a special case, we need to replace 133 with a different value,
4644 * because 133 is special-cased in the service file to reboot the container.
4645 * otherwise → The container exited with zero status and a reboot was not requested.
4647 if (r
== EXIT_FORCE_RESTART
)
4648 r
= EXIT_FAILURE
; /* replace 133 with the general failure code */
4650 return 0; /* finito */
4653 /* CONTAINER_REBOOTED, loop again */
4655 if (arg_keep_unit
) {
4656 /* Special handling if we are running as a service: instead of simply
4657 * restarting the machine we want to restart the entire service, so let's
4658 * inform systemd about this with the special exit code 133. The service
4659 * file uses RestartForceExitStatus=133 so that this results in a full
4660 * nspawn restart. This is necessary since we might have cgroup parameters
4661 * set we want to have flushed out. */
4662 *ret
= EXIT_FORCE_RESTART
;
4663 return 0; /* finito */
4666 expose_port_flush(arg_expose_ports
, exposed
);
4668 (void) remove_veth_links(veth_name
, arg_network_veth_extra
);
4669 *veth_created
= false;
4670 return 1; /* loop again */
4673 static int initialize_rlimits(void) {
4674 /* The default resource limits the kernel passes to PID 1, as per kernel 4.16. Let's pass our container payload
4675 * the same values as the kernel originally passed to PID 1, in order to minimize differences between host and
4676 * container execution environments. */
4678 static const struct rlimit kernel_defaults
[_RLIMIT_MAX
] = {
4679 [RLIMIT_AS
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4680 [RLIMIT_CORE
] = { 0, RLIM_INFINITY
},
4681 [RLIMIT_CPU
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4682 [RLIMIT_DATA
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4683 [RLIMIT_FSIZE
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4684 [RLIMIT_LOCKS
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4685 [RLIMIT_MEMLOCK
] = { 65536, 65536 },
4686 [RLIMIT_MSGQUEUE
] = { 819200, 819200 },
4687 [RLIMIT_NICE
] = { 0, 0 },
4688 [RLIMIT_NOFILE
] = { 1024, 4096 },
4689 [RLIMIT_RSS
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4690 [RLIMIT_RTPRIO
] = { 0, 0 },
4691 [RLIMIT_RTTIME
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4692 [RLIMIT_STACK
] = { 8388608, RLIM_INFINITY
},
4694 /* The kernel scales the default for RLIMIT_NPROC and RLIMIT_SIGPENDING based on the system's amount of
4695 * RAM. To provide best compatibility we'll read these limits off PID 1 instead of hardcoding them
4696 * here. This is safe as we know that PID 1 doesn't change these two limits and thus the original
4697 * kernel's initialization should still be valid during runtime — at least if PID 1 is systemd. Note
4698 * that PID 1 changes a number of other resource limits during early initialization which is why we
4699 * don't read the other limits from PID 1 but prefer the static table above. */
4704 for (rl
= 0; rl
< _RLIMIT_MAX
; rl
++) {
4705 /* Let's only fill in what the user hasn't explicitly configured anyway */
4706 if ((arg_settings_mask
& (SETTING_RLIMIT_FIRST
<< rl
)) == 0) {
4707 const struct rlimit
*v
;
4708 struct rlimit buffer
;
4710 if (IN_SET(rl
, RLIMIT_NPROC
, RLIMIT_SIGPENDING
)) {
4711 /* For these two let's read the limits off PID 1. See above for an explanation. */
4713 if (prlimit(1, rl
, NULL
, &buffer
) < 0)
4714 return log_error_errno(errno
, "Failed to read resource limit RLIMIT_%s of PID 1: %m", rlimit_to_string(rl
));
4718 v
= kernel_defaults
+ rl
;
4720 arg_rlimit
[rl
] = newdup(struct rlimit
, v
, 1);
4721 if (!arg_rlimit
[rl
])
4725 if (DEBUG_LOGGING
) {
4726 _cleanup_free_
char *k
= NULL
;
4728 (void) rlimit_format(arg_rlimit
[rl
], &k
);
4729 log_debug("Setting RLIMIT_%s to %s.", rlimit_to_string(rl
), k
);
4736 static int run(int argc
, char *argv
[]) {
4737 bool secondary
= false, remove_directory
= false, remove_image
= false,
4738 veth_created
= false, remove_tmprootdir
= false;
4739 _cleanup_close_
int master
= -1;
4740 _cleanup_fdset_free_ FDSet
*fds
= NULL
;
4741 int r
, n_fd_passed
, ret
= EXIT_SUCCESS
;
4742 char veth_name
[IFNAMSIZ
] = "";
4743 union in_addr_union exposed
= {};
4744 _cleanup_(release_lock_file
) LockFile tree_global_lock
= LOCK_FILE_INIT
, tree_local_lock
= LOCK_FILE_INIT
;
4745 char tmprootdir
[] = "/tmp/nspawn-root-XXXXXX";
4746 _cleanup_(loop_device_unrefp
) LoopDevice
*loop
= NULL
;
4747 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
4748 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
4751 log_parse_environment();
4754 r
= parse_argv(argc
, argv
);
4762 r
= initialize_rlimits();
4766 r
= load_oci_bundle();
4770 r
= determine_names();
4774 r
= load_settings();
4780 log_error_errno(r
, "Failed to determine whether the unified cgroups hierarchy is used: %m");
4784 r
= verify_arguments();
4788 /* Reapply environment settings. */
4789 (void) detect_unified_cgroup_hierarchy_from_environment();
4791 /* Ignore SIGPIPE here, because we use splice() on the ptyfwd stuff and that will generate SIGPIPE if
4792 * the result is closed. Note that the container payload child will reset signal mask+handler anyway,
4793 * so just turning this off here means we only turn it off in nspawn itself, not any children. */
4794 (void) ignore_signals(SIGPIPE
, -1);
4796 n_fd_passed
= sd_listen_fds(false);
4797 if (n_fd_passed
> 0) {
4798 r
= fdset_new_listen_fds(&fds
, false);
4800 log_error_errno(r
, "Failed to collect file descriptors: %m");
4805 /* The "default" umask. This is appropriate for most file and directory
4806 * operations performed by nspawn, and is the umask that will be used for
4807 * the child. Functions like copy_devnodes() change the umask temporarily. */
4810 if (arg_directory
) {
4813 /* Safety precaution: let's not allow running images from the live host OS image, as long as
4814 * /var from the host will propagate into container dynamically (because bad things happen if
4815 * two systems write to the same /var). Let's allow it for the special cases where /var is
4816 * either copied (i.e. --ephemeral) or replaced (i.e. --volatile=yes|state). */
4817 if (path_equal(arg_directory
, "/") && !(arg_ephemeral
|| IN_SET(arg_volatile_mode
, VOLATILE_YES
, VOLATILE_STATE
))) {
4818 log_error("Spawning container on root directory is not supported. Consider using --ephemeral, --volatile=yes or --volatile=state.");
4823 if (arg_ephemeral
) {
4824 _cleanup_free_
char *np
= NULL
;
4826 r
= chase_symlinks_and_update(&arg_directory
, 0);
4830 /* If the specified path is a mount point we generate the new snapshot immediately
4831 * inside it under a random name. However if the specified is not a mount point we
4832 * create the new snapshot in the parent directory, just next to it. */
4833 r
= path_is_mount_point(arg_directory
, NULL
, 0);
4835 log_error_errno(r
, "Failed to determine whether directory %s is mount point: %m", arg_directory
);
4839 r
= tempfn_random_child(arg_directory
, "machine.", &np
);
4841 r
= tempfn_random(arg_directory
, "machine.", &np
);
4843 log_error_errno(r
, "Failed to generate name for directory snapshot: %m");
4847 /* We take an exclusive lock on this image, since it's our private, ephemeral copy
4848 * only owned by us and noone else. */
4849 r
= image_path_lock(np
, LOCK_EX
|LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4851 log_error_errno(r
, "Failed to lock %s: %m", np
);
4856 BLOCK_SIGNALS(SIGINT
);
4857 r
= btrfs_subvol_snapshot(arg_directory
, np
,
4858 (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) |
4859 BTRFS_SNAPSHOT_FALLBACK_COPY
|
4860 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY
|
4861 BTRFS_SNAPSHOT_RECURSIVE
|
4862 BTRFS_SNAPSHOT_QUOTA
|
4863 BTRFS_SNAPSHOT_SIGINT
);
4866 log_error_errno(r
, "Interrupted while copying file system tree to %s, removed again.", np
);
4870 log_error_errno(r
, "Failed to create snapshot %s from %s: %m", np
, arg_directory
);
4874 free_and_replace(arg_directory
, np
);
4875 remove_directory
= true;
4877 r
= chase_symlinks_and_update(&arg_directory
, arg_template
? CHASE_NONEXISTENT
: 0);
4881 r
= image_path_lock(arg_directory
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4883 log_error_errno(r
, "Directory tree %s is currently busy.", arg_directory
);
4887 log_error_errno(r
, "Failed to lock %s: %m", arg_directory
);
4892 r
= chase_symlinks_and_update(&arg_template
, 0);
4897 BLOCK_SIGNALS(SIGINT
);
4898 r
= btrfs_subvol_snapshot(arg_template
, arg_directory
,
4899 (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) |
4900 BTRFS_SNAPSHOT_FALLBACK_COPY
|
4901 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY
|
4902 BTRFS_SNAPSHOT_FALLBACK_IMMUTABLE
|
4903 BTRFS_SNAPSHOT_RECURSIVE
|
4904 BTRFS_SNAPSHOT_QUOTA
|
4905 BTRFS_SNAPSHOT_SIGINT
);
4908 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
,
4909 "Directory %s already exists, not populating from template %s.", arg_directory
, arg_template
);
4910 else if (r
== -EINTR
) {
4911 log_error_errno(r
, "Interrupted while copying file system tree to %s, removed again.", arg_directory
);
4914 log_error_errno(r
, "Couldn't create snapshot %s from %s: %m", arg_directory
, arg_template
);
4917 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
,
4918 "Populated %s from template %s.", arg_directory
, arg_template
);
4922 if (arg_start_mode
== START_BOOT
) {
4925 if (arg_pivot_root_new
)
4926 p
= prefix_roota(arg_directory
, arg_pivot_root_new
);
4930 if (path_is_os_tree(p
) <= 0) {
4931 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", p
);
4938 if (arg_pivot_root_new
)
4939 p
= prefix_roota(arg_directory
, arg_pivot_root_new
);
4943 q
= strjoina(p
, "/usr/");
4945 if (laccess(q
, F_OK
) < 0) {
4946 log_error("Directory %s doesn't look like it has an OS tree. Refusing.", p
);
4954 assert(!arg_template
);
4956 r
= chase_symlinks_and_update(&arg_image
, 0);
4960 if (arg_ephemeral
) {
4961 _cleanup_free_
char *np
= NULL
;
4963 r
= tempfn_random(arg_image
, "machine.", &np
);
4965 log_error_errno(r
, "Failed to generate name for image snapshot: %m");
4969 /* Always take an exclusive lock on our own ephemeral copy. */
4970 r
= image_path_lock(np
, LOCK_EX
|LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4972 r
= log_error_errno(r
, "Failed to create image lock: %m");
4977 BLOCK_SIGNALS(SIGINT
);
4978 r
= copy_file(arg_image
, np
, O_EXCL
, arg_read_only
? 0400 : 0600, FS_NOCOW_FL
, FS_NOCOW_FL
, COPY_REFLINK
|COPY_CRTIME
|COPY_SIGINT
);
4981 log_error_errno(r
, "Interrupted while copying image file to %s, removed again.", np
);
4985 r
= log_error_errno(r
, "Failed to copy image file: %m");
4989 free_and_replace(arg_image
, np
);
4990 remove_image
= true;
4992 r
= image_path_lock(arg_image
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4994 r
= log_error_errno(r
, "Disk image %s is currently busy.", arg_image
);
4998 r
= log_error_errno(r
, "Failed to create image lock: %m");
5002 if (!arg_root_hash
) {
5003 r
= root_hash_load(arg_image
, &arg_root_hash
, &arg_root_hash_size
);
5005 log_error_errno(r
, "Failed to load root hash file for %s: %m", arg_image
);
5011 if (!mkdtemp(tmprootdir
)) {
5012 r
= log_error_errno(errno
, "Failed to create temporary directory: %m");
5016 remove_tmprootdir
= true;
5018 arg_directory
= strdup(tmprootdir
);
5019 if (!arg_directory
) {
5024 r
= loop_device_make_by_path(arg_image
, arg_read_only
? O_RDONLY
: O_RDWR
, &loop
);
5026 log_error_errno(r
, "Failed to set up loopback block device: %m");
5030 r
= dissect_image_and_warn(
5033 arg_root_hash
, arg_root_hash_size
,
5034 DISSECT_IMAGE_REQUIRE_ROOT
,
5037 /* dissected_image_and_warn() already printed a brief error message. Extend on that with more details */
5038 log_notice("Note that the disk image needs to\n"
5039 " a) either contain only a single MBR partition of type 0x83 that is marked bootable\n"
5040 " b) or contain a single GPT partition of type 0FC63DAF-8483-4772-8E79-3D69D8477DE4\n"
5041 " c) or follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n"
5042 " d) or contain a file system without a partition table\n"
5043 "in order to be bootable with systemd-nspawn.");
5049 if (!arg_root_hash
&& dissected_image
->can_verity
)
5050 log_notice("Note: image %s contains verity information, but no root hash specified! Proceeding without integrity checking.", arg_image
);
5052 r
= dissected_image_decrypt_interactively(dissected_image
, NULL
, arg_root_hash
, arg_root_hash_size
, 0, &decrypted_image
);
5056 /* Now that we mounted the image, let's try to remove it again, if it is ephemeral */
5057 if (remove_image
&& unlink(arg_image
) >= 0)
5058 remove_image
= false;
5061 r
= custom_mount_prepare_all(arg_directory
, arg_custom_mounts
, arg_n_custom_mounts
);
5065 if (arg_console_mode
< 0)
5067 isatty(STDIN_FILENO
) > 0 &&
5068 isatty(STDOUT_FILENO
) > 0 ? CONSOLE_INTERACTIVE
: CONSOLE_READ_ONLY
;
5070 if (arg_console_mode
== CONSOLE_PIPE
) /* if we pass STDERR on to the container, don't add our own logs into it too */
5074 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
5075 arg_machine
, arg_image
?: arg_directory
);
5077 assert_se(sigprocmask_many(SIG_BLOCK
, NULL
, SIGCHLD
, SIGWINCH
, SIGTERM
, SIGINT
, -1) >= 0);
5079 if (prctl(PR_SET_CHILD_SUBREAPER
, 1, 0, 0, 0) < 0) {
5080 r
= log_error_errno(errno
, "Failed to become subreaper: %m");
5085 r
= run_container(dissected_image
,
5088 veth_name
, &veth_created
,
5096 (void) sd_notify(false,
5097 r
== 0 && ret
== EXIT_FORCE_RESTART
? "STOPPING=1\nSTATUS=Restarting..." :
5098 "STOPPING=1\nSTATUS=Terminating...");
5101 (void) kill(pid
, SIGKILL
);
5103 /* Try to flush whatever is still queued in the pty */
5105 (void) copy_bytes(master
, STDOUT_FILENO
, (uint64_t) -1, 0);
5106 master
= safe_close(master
);
5110 (void) wait_for_terminate(pid
, NULL
);
5114 if (remove_directory
&& arg_directory
) {
5117 k
= rm_rf(arg_directory
, REMOVE_ROOT
|REMOVE_PHYSICAL
|REMOVE_SUBVOLUME
);
5119 log_warning_errno(k
, "Cannot remove '%s', ignoring: %m", arg_directory
);
5122 if (remove_image
&& arg_image
) {
5123 if (unlink(arg_image
) < 0)
5124 log_warning_errno(errno
, "Can't remove image file '%s', ignoring: %m", arg_image
);
5127 if (remove_tmprootdir
) {
5128 if (rmdir(tmprootdir
) < 0)
5129 log_debug_errno(errno
, "Can't remove temporary root directory '%s', ignoring: %m", tmprootdir
);
5135 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
5136 (void) rm_rf(p
, REMOVE_ROOT
);
5139 expose_port_flush(arg_expose_ports
, &exposed
);
5142 (void) remove_veth_links(veth_name
, arg_network_veth_extra
);
5143 (void) remove_bridge(arg_network_zone
);
5145 custom_mount_free_all(arg_custom_mounts
, arg_n_custom_mounts
);
5146 expose_port_free_all(arg_expose_ports
);
5147 rlimit_free_all(arg_rlimit
);
5148 device_node_array_free(arg_extra_nodes
, arg_n_extra_nodes
);
5156 DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run
);