1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2010 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include <linux/loop.h>
31 #include <selinux/selinux.h>
38 #include <sys/mount.h>
39 #include <sys/personality.h>
40 #include <sys/prctl.h>
41 #include <sys/types.h>
46 #include "sd-daemon.h"
49 #include "alloc-util.h"
51 #include "base-filesystem.h"
52 #include "blkid-util.h"
53 #include "btrfs-util.h"
56 #include "capability-util.h"
57 #include "cgroup-util.h"
59 #include "dev-setup.h"
60 #include "dissect-image.h"
65 #include "format-util.h"
68 #include "hexdecoct.h"
69 #include "hostname-util.h"
70 #include "id128-util.h"
72 #include "loop-util.h"
73 #include "loopback-setup.h"
74 #include "machine-image.h"
78 #include "mount-util.h"
79 #include "netlink-util.h"
80 #include "nspawn-cgroup.h"
81 #include "nspawn-def.h"
82 #include "nspawn-expose-ports.h"
83 #include "nspawn-mount.h"
84 #include "nspawn-network.h"
85 #include "nspawn-patch-uid.h"
86 #include "nspawn-register.h"
87 #include "nspawn-seccomp.h"
88 #include "nspawn-settings.h"
89 #include "nspawn-setuid.h"
90 #include "nspawn-stub-pid1.h"
91 #include "parse-util.h"
92 #include "path-util.h"
93 #include "process-util.h"
95 #include "random-util.h"
96 #include "raw-clone.h"
98 #include "selinux-util.h"
99 #include "signal-util.h"
100 #include "socket-util.h"
101 #include "stat-util.h"
102 #include "stdio-util.h"
103 #include "string-util.h"
105 #include "terminal-util.h"
106 #include "udev-util.h"
107 #include "umask-util.h"
108 #include "user-util.h"
111 /* nspawn is listening on the socket at the path in the constant nspawn_notify_socket_path
112 * nspawn_notify_socket_path is relative to the container
113 * the init process in the container pid can send messages to nspawn following the sd_notify(3) protocol */
114 #define NSPAWN_NOTIFY_SOCKET_PATH "/run/systemd/nspawn/notify"
116 #define EXIT_FORCE_RESTART 133
118 typedef enum ContainerStatus
{
119 CONTAINER_TERMINATED
,
123 typedef enum LinkJournal
{
130 static char *arg_directory
= NULL
;
131 static char *arg_template
= NULL
;
132 static char *arg_chdir
= NULL
;
133 static char *arg_pivot_root_new
= NULL
;
134 static char *arg_pivot_root_old
= NULL
;
135 static char *arg_user
= NULL
;
136 static sd_id128_t arg_uuid
= {};
137 static char *arg_machine
= NULL
;
138 static const char *arg_selinux_context
= NULL
;
139 static const char *arg_selinux_apifs_context
= NULL
;
140 static const char *arg_slice
= NULL
;
141 static bool arg_private_network
= false;
142 static bool arg_read_only
= false;
143 static StartMode arg_start_mode
= START_PID1
;
144 static bool arg_ephemeral
= false;
145 static LinkJournal arg_link_journal
= LINK_AUTO
;
146 static bool arg_link_journal_try
= false;
147 static uint64_t arg_caps_retain
=
148 (1ULL << CAP_AUDIT_CONTROL
) |
149 (1ULL << CAP_AUDIT_WRITE
) |
150 (1ULL << CAP_CHOWN
) |
151 (1ULL << CAP_DAC_OVERRIDE
) |
152 (1ULL << CAP_DAC_READ_SEARCH
) |
153 (1ULL << CAP_FOWNER
) |
154 (1ULL << CAP_FSETID
) |
155 (1ULL << CAP_IPC_OWNER
) |
157 (1ULL << CAP_LEASE
) |
158 (1ULL << CAP_LINUX_IMMUTABLE
) |
159 (1ULL << CAP_MKNOD
) |
160 (1ULL << CAP_NET_BIND_SERVICE
) |
161 (1ULL << CAP_NET_BROADCAST
) |
162 (1ULL << CAP_NET_RAW
) |
163 (1ULL << CAP_SETFCAP
) |
164 (1ULL << CAP_SETGID
) |
165 (1ULL << CAP_SETPCAP
) |
166 (1ULL << CAP_SETUID
) |
167 (1ULL << CAP_SYS_ADMIN
) |
168 (1ULL << CAP_SYS_BOOT
) |
169 (1ULL << CAP_SYS_CHROOT
) |
170 (1ULL << CAP_SYS_NICE
) |
171 (1ULL << CAP_SYS_PTRACE
) |
172 (1ULL << CAP_SYS_RESOURCE
) |
173 (1ULL << CAP_SYS_TTY_CONFIG
);
174 static CustomMount
*arg_custom_mounts
= NULL
;
175 static unsigned arg_n_custom_mounts
= 0;
176 static char **arg_setenv
= NULL
;
177 static bool arg_quiet
= false;
178 static bool arg_register
= true;
179 static bool arg_keep_unit
= false;
180 static char **arg_network_interfaces
= NULL
;
181 static char **arg_network_macvlan
= NULL
;
182 static char **arg_network_ipvlan
= NULL
;
183 static bool arg_network_veth
= false;
184 static char **arg_network_veth_extra
= NULL
;
185 static char *arg_network_bridge
= NULL
;
186 static char *arg_network_zone
= NULL
;
187 static unsigned long arg_personality
= PERSONALITY_INVALID
;
188 static char *arg_image
= NULL
;
189 static VolatileMode arg_volatile_mode
= VOLATILE_NO
;
190 static ExposePort
*arg_expose_ports
= NULL
;
191 static char **arg_property
= NULL
;
192 static UserNamespaceMode arg_userns_mode
= USER_NAMESPACE_NO
;
193 static uid_t arg_uid_shift
= UID_INVALID
, arg_uid_range
= 0x10000U
;
194 static bool arg_userns_chown
= false;
195 static int arg_kill_signal
= 0;
196 static CGroupUnified arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_UNKNOWN
;
197 static SettingsMask arg_settings_mask
= 0;
198 static int arg_settings_trusted
= -1;
199 static char **arg_parameters
= NULL
;
200 static const char *arg_container_service_name
= "systemd-nspawn";
201 static bool arg_notify_ready
= false;
202 static bool arg_use_cgns
= true;
203 static unsigned long arg_clone_ns_flags
= CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
;
204 static MountSettingsMask arg_mount_settings
= MOUNT_APPLY_APIVFS_RO
;
205 static void *arg_root_hash
= NULL
;
206 static size_t arg_root_hash_size
= 0;
207 static char **arg_syscall_whitelist
= NULL
;
208 static char **arg_syscall_blacklist
= NULL
;
210 static void help(void) {
211 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
212 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
213 " -h --help Show this help\n"
214 " --version Print version string\n"
215 " -q --quiet Do not show status information\n"
216 " -D --directory=PATH Root directory for the container\n"
217 " --template=PATH Initialize root directory from template directory,\n"
219 " -x --ephemeral Run container with snapshot of root directory, and\n"
220 " remove it after exit\n"
221 " -i --image=PATH File system device or disk image for the container\n"
222 " --root-hash=HASH Specify verity root hash\n"
223 " -a --as-pid2 Maintain a stub init as PID1, invoke binary as PID2\n"
224 " -b --boot Boot up full system (i.e. invoke init)\n"
225 " --chdir=PATH Set working directory in the container\n"
226 " --pivot-root=PATH[:PATH]\n"
227 " Pivot root to given directory in the container\n"
228 " -u --user=USER Run the command under specified user or uid\n"
229 " -M --machine=NAME Set the machine name for the container\n"
230 " --uuid=UUID Set a specific machine UUID for the container\n"
231 " -S --slice=SLICE Place the container in the specified slice\n"
232 " --property=NAME=VALUE Set scope unit property\n"
233 " -U --private-users=pick Run within user namespace, autoselect UID/GID range\n"
234 " --private-users[=UIDBASE[:NUIDS]]\n"
235 " Similar, but with user configured UID/GID range\n"
236 " --private-users-chown Adjust OS tree ownership to private UID/GID range\n"
237 " --private-network Disable network in container\n"
238 " --network-interface=INTERFACE\n"
239 " Assign an existing network interface to the\n"
241 " --network-macvlan=INTERFACE\n"
242 " Create a macvlan network interface based on an\n"
243 " existing network interface to the container\n"
244 " --network-ipvlan=INTERFACE\n"
245 " Create a ipvlan network interface based on an\n"
246 " existing network interface to the container\n"
247 " -n --network-veth Add a virtual Ethernet connection between host\n"
249 " --network-veth-extra=HOSTIF[:CONTAINERIF]\n"
250 " Add an additional virtual Ethernet link between\n"
251 " host and container\n"
252 " --network-bridge=INTERFACE\n"
253 " Add a virtual Ethernet connection to the container\n"
254 " and attach it to an existing bridge on the host\n"
255 " --network-zone=NAME Similar, but attach the new interface to an\n"
256 " an automatically managed bridge interface\n"
257 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
258 " Expose a container IP port on the host\n"
259 " -Z --selinux-context=SECLABEL\n"
260 " Set the SELinux security context to be used by\n"
261 " processes in the container\n"
262 " -L --selinux-apifs-context=SECLABEL\n"
263 " Set the SELinux security context to be used by\n"
264 " API/tmpfs file systems in the container\n"
265 " --capability=CAP In addition to the default, retain specified\n"
267 " --drop-capability=CAP Drop the specified capability from the default set\n"
268 " --system-call-filter=LIST|~LIST\n"
269 " Permit/prohibit specific system calls\n"
270 " --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
271 " --link-journal=MODE Link up guest journal, one of no, auto, guest, \n"
272 " host, try-guest, try-host\n"
273 " -j Equivalent to --link-journal=try-guest\n"
274 " --read-only Mount the root directory read-only\n"
275 " --bind=PATH[:PATH[:OPTIONS]]\n"
276 " Bind mount a file or directory from the host into\n"
278 " --bind-ro=PATH[:PATH[:OPTIONS]\n"
279 " Similar, but creates a read-only bind mount\n"
280 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
281 " --overlay=PATH[:PATH...]:PATH\n"
282 " Create an overlay mount from the host to \n"
284 " --overlay-ro=PATH[:PATH...]:PATH\n"
285 " Similar, but creates a read-only overlay mount\n"
286 " -E --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
287 " --register=BOOLEAN Register container as machine\n"
288 " --keep-unit Do not register a scope for the machine, reuse\n"
289 " the service unit nspawn is running in\n"
290 " --volatile[=MODE] Run the system in volatile mode\n"
291 " --settings=BOOLEAN Load additional settings from .nspawn file\n"
292 " --notify-ready=BOOLEAN Receive notifications from the child init process\n"
293 , program_invocation_short_name
);
296 static int custom_mount_check_all(void) {
299 for (i
= 0; i
< arg_n_custom_mounts
; i
++) {
300 CustomMount
*m
= &arg_custom_mounts
[i
];
302 if (path_equal(m
->destination
, "/") && arg_userns_mode
!= USER_NAMESPACE_NO
) {
304 if (arg_userns_chown
) {
305 log_error("--private-users-chown may not be combined with custom root mounts.");
307 } else if (arg_uid_shift
== UID_INVALID
) {
308 log_error("--private-users with automatic UID shift may not be combined with custom root mounts.");
317 static int detect_unified_cgroup_hierarchy(const char *directory
) {
321 /* Allow the user to control whether the unified hierarchy is used */
322 e
= getenv("UNIFIED_CGROUP_HIERARCHY");
324 r
= parse_boolean(e
);
326 return log_error_errno(r
, "Failed to parse $UNIFIED_CGROUP_HIERARCHY.");
328 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_ALL
;
330 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
335 /* Otherwise inherit the default from the host system */
336 r
= cg_all_unified();
338 return log_error_errno(r
, "Failed to determine whether we are in all unified mode.");
340 /* Unified cgroup hierarchy support was added in 230. Unfortunately the detection
341 * routine only detects 231, so we'll have a false negative here for 230. */
342 r
= systemd_installation_has_version(directory
, 230);
344 return log_error_errno(r
, "Failed to determine systemd version in container: %m");
346 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_ALL
;
348 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
349 } else if (cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER
) > 0) {
350 /* Mixed cgroup hierarchy support was added in 233 */
351 r
= systemd_installation_has_version(directory
, 233);
353 return log_error_errno(r
, "Failed to determine systemd version in container: %m");
355 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_SYSTEMD
;
357 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
359 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
364 static void parse_share_ns_env(const char *name
, unsigned long ns_flag
) {
367 r
= getenv_bool(name
);
371 log_warning_errno(r
, "Failed to parse %s from environment, defaulting to false.", name
);
372 arg_clone_ns_flags
= (arg_clone_ns_flags
& ~ns_flag
) | (r
> 0 ? 0 : ns_flag
);
375 static void parse_mount_settings_env(void) {
379 e
= getenv("SYSTEMD_NSPAWN_API_VFS_WRITABLE");
383 if (streq(e
, "network")) {
384 arg_mount_settings
|= MOUNT_APPLY_APIVFS_RO
|MOUNT_APPLY_APIVFS_NETNS
;
388 r
= parse_boolean(e
);
390 log_warning_errno(r
, "Failed to parse SYSTEMD_NSPAWN_API_VFS_WRITABLE from environment, ignoring.");
394 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_APIVFS_RO
, r
== 0);
395 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_APIVFS_NETNS
, false);
398 static int parse_argv(int argc
, char *argv
[]) {
416 ARG_NETWORK_INTERFACE
,
421 ARG_NETWORK_VETH_EXTRA
,
431 ARG_PRIVATE_USERS_CHOWN
,
434 ARG_SYSTEM_CALL_FILTER
,
437 static const struct option options
[] = {
438 { "help", no_argument
, NULL
, 'h' },
439 { "version", no_argument
, NULL
, ARG_VERSION
},
440 { "directory", required_argument
, NULL
, 'D' },
441 { "template", required_argument
, NULL
, ARG_TEMPLATE
},
442 { "ephemeral", no_argument
, NULL
, 'x' },
443 { "user", required_argument
, NULL
, 'u' },
444 { "private-network", no_argument
, NULL
, ARG_PRIVATE_NETWORK
},
445 { "as-pid2", no_argument
, NULL
, 'a' },
446 { "boot", no_argument
, NULL
, 'b' },
447 { "uuid", required_argument
, NULL
, ARG_UUID
},
448 { "read-only", no_argument
, NULL
, ARG_READ_ONLY
},
449 { "capability", required_argument
, NULL
, ARG_CAPABILITY
},
450 { "drop-capability", required_argument
, NULL
, ARG_DROP_CAPABILITY
},
451 { "link-journal", required_argument
, NULL
, ARG_LINK_JOURNAL
},
452 { "bind", required_argument
, NULL
, ARG_BIND
},
453 { "bind-ro", required_argument
, NULL
, ARG_BIND_RO
},
454 { "tmpfs", required_argument
, NULL
, ARG_TMPFS
},
455 { "overlay", required_argument
, NULL
, ARG_OVERLAY
},
456 { "overlay-ro", required_argument
, NULL
, ARG_OVERLAY_RO
},
457 { "machine", required_argument
, NULL
, 'M' },
458 { "slice", required_argument
, NULL
, 'S' },
459 { "setenv", required_argument
, NULL
, 'E' },
460 { "selinux-context", required_argument
, NULL
, 'Z' },
461 { "selinux-apifs-context", required_argument
, NULL
, 'L' },
462 { "quiet", no_argument
, NULL
, 'q' },
463 { "share-system", no_argument
, NULL
, ARG_SHARE_SYSTEM
}, /* not documented */
464 { "register", required_argument
, NULL
, ARG_REGISTER
},
465 { "keep-unit", no_argument
, NULL
, ARG_KEEP_UNIT
},
466 { "network-interface", required_argument
, NULL
, ARG_NETWORK_INTERFACE
},
467 { "network-macvlan", required_argument
, NULL
, ARG_NETWORK_MACVLAN
},
468 { "network-ipvlan", required_argument
, NULL
, ARG_NETWORK_IPVLAN
},
469 { "network-veth", no_argument
, NULL
, 'n' },
470 { "network-veth-extra", required_argument
, NULL
, ARG_NETWORK_VETH_EXTRA
},
471 { "network-bridge", required_argument
, NULL
, ARG_NETWORK_BRIDGE
},
472 { "network-zone", required_argument
, NULL
, ARG_NETWORK_ZONE
},
473 { "personality", required_argument
, NULL
, ARG_PERSONALITY
},
474 { "image", required_argument
, NULL
, 'i' },
475 { "volatile", optional_argument
, NULL
, ARG_VOLATILE
},
476 { "port", required_argument
, NULL
, 'p' },
477 { "property", required_argument
, NULL
, ARG_PROPERTY
},
478 { "private-users", optional_argument
, NULL
, ARG_PRIVATE_USERS
},
479 { "private-users-chown", optional_argument
, NULL
, ARG_PRIVATE_USERS_CHOWN
},
480 { "kill-signal", required_argument
, NULL
, ARG_KILL_SIGNAL
},
481 { "settings", required_argument
, NULL
, ARG_SETTINGS
},
482 { "chdir", required_argument
, NULL
, ARG_CHDIR
},
483 { "pivot-root", required_argument
, NULL
, ARG_PIVOT_ROOT
},
484 { "notify-ready", required_argument
, NULL
, ARG_NOTIFY_READY
},
485 { "root-hash", required_argument
, NULL
, ARG_ROOT_HASH
},
486 { "system-call-filter", required_argument
, NULL
, ARG_SYSTEM_CALL_FILTER
},
492 uint64_t plus
= 0, minus
= 0;
493 bool mask_all_settings
= false, mask_no_settings
= false;
498 while ((c
= getopt_long(argc
, argv
, "+hD:u:abL:M:jS:Z:qi:xp:nUE:", options
, NULL
)) >= 0)
510 r
= parse_path_argument_and_warn(optarg
, false, &arg_directory
);
516 r
= parse_path_argument_and_warn(optarg
, false, &arg_template
);
522 r
= parse_path_argument_and_warn(optarg
, false, &arg_image
);
528 arg_ephemeral
= true;
532 r
= free_and_strdup(&arg_user
, optarg
);
536 arg_settings_mask
|= SETTING_USER
;
539 case ARG_NETWORK_ZONE
: {
542 j
= strappend("vz-", optarg
);
546 if (!ifname_valid(j
)) {
547 log_error("Network zone name not valid: %s", j
);
552 free(arg_network_zone
);
553 arg_network_zone
= j
;
555 arg_network_veth
= true;
556 arg_private_network
= true;
557 arg_settings_mask
|= SETTING_NETWORK
;
561 case ARG_NETWORK_BRIDGE
:
563 if (!ifname_valid(optarg
)) {
564 log_error("Bridge interface name not valid: %s", optarg
);
568 r
= free_and_strdup(&arg_network_bridge
, optarg
);
575 arg_network_veth
= true;
576 arg_private_network
= true;
577 arg_settings_mask
|= SETTING_NETWORK
;
580 case ARG_NETWORK_VETH_EXTRA
:
581 r
= veth_extra_parse(&arg_network_veth_extra
, optarg
);
583 return log_error_errno(r
, "Failed to parse --network-veth-extra= parameter: %s", optarg
);
585 arg_private_network
= true;
586 arg_settings_mask
|= SETTING_NETWORK
;
589 case ARG_NETWORK_INTERFACE
:
591 if (!ifname_valid(optarg
)) {
592 log_error("Network interface name not valid: %s", optarg
);
596 if (strv_extend(&arg_network_interfaces
, optarg
) < 0)
599 arg_private_network
= true;
600 arg_settings_mask
|= SETTING_NETWORK
;
603 case ARG_NETWORK_MACVLAN
:
605 if (!ifname_valid(optarg
)) {
606 log_error("MACVLAN network interface name not valid: %s", optarg
);
610 if (strv_extend(&arg_network_macvlan
, optarg
) < 0)
613 arg_private_network
= true;
614 arg_settings_mask
|= SETTING_NETWORK
;
617 case ARG_NETWORK_IPVLAN
:
619 if (!ifname_valid(optarg
)) {
620 log_error("IPVLAN network interface name not valid: %s", optarg
);
624 if (strv_extend(&arg_network_ipvlan
, optarg
) < 0)
629 case ARG_PRIVATE_NETWORK
:
630 arg_private_network
= true;
631 arg_settings_mask
|= SETTING_NETWORK
;
635 if (arg_start_mode
== START_PID2
) {
636 log_error("--boot and --as-pid2 may not be combined.");
640 arg_start_mode
= START_BOOT
;
641 arg_settings_mask
|= SETTING_START_MODE
;
645 if (arg_start_mode
== START_BOOT
) {
646 log_error("--boot and --as-pid2 may not be combined.");
650 arg_start_mode
= START_PID2
;
651 arg_settings_mask
|= SETTING_START_MODE
;
655 r
= sd_id128_from_string(optarg
, &arg_uuid
);
657 return log_error_errno(r
, "Invalid UUID: %s", optarg
);
659 if (sd_id128_is_null(arg_uuid
)) {
660 log_error("Machine UUID may not be all zeroes.");
664 arg_settings_mask
|= SETTING_MACHINE_ID
;
673 arg_machine
= mfree(arg_machine
);
675 if (!machine_name_is_valid(optarg
)) {
676 log_error("Invalid machine name: %s", optarg
);
680 r
= free_and_strdup(&arg_machine
, optarg
);
687 arg_selinux_context
= optarg
;
691 arg_selinux_apifs_context
= optarg
;
695 arg_read_only
= true;
696 arg_settings_mask
|= SETTING_READ_ONLY
;
700 case ARG_DROP_CAPABILITY
: {
703 _cleanup_free_
char *t
= NULL
;
705 r
= extract_first_word(&p
, &t
, ",", 0);
707 return log_error_errno(r
, "Failed to parse capability %s.", t
);
712 if (streq(t
, "all")) {
713 if (c
== ARG_CAPABILITY
)
714 plus
= (uint64_t) -1;
716 minus
= (uint64_t) -1;
720 cap
= capability_from_name(t
);
722 log_error("Failed to parse capability %s.", t
);
726 if (c
== ARG_CAPABILITY
)
727 plus
|= 1ULL << (uint64_t) cap
;
729 minus
|= 1ULL << (uint64_t) cap
;
733 arg_settings_mask
|= SETTING_CAPABILITY
;
738 arg_link_journal
= LINK_GUEST
;
739 arg_link_journal_try
= true;
742 case ARG_LINK_JOURNAL
:
743 if (streq(optarg
, "auto")) {
744 arg_link_journal
= LINK_AUTO
;
745 arg_link_journal_try
= false;
746 } else if (streq(optarg
, "no")) {
747 arg_link_journal
= LINK_NO
;
748 arg_link_journal_try
= false;
749 } else if (streq(optarg
, "guest")) {
750 arg_link_journal
= LINK_GUEST
;
751 arg_link_journal_try
= false;
752 } else if (streq(optarg
, "host")) {
753 arg_link_journal
= LINK_HOST
;
754 arg_link_journal_try
= false;
755 } else if (streq(optarg
, "try-guest")) {
756 arg_link_journal
= LINK_GUEST
;
757 arg_link_journal_try
= true;
758 } else if (streq(optarg
, "try-host")) {
759 arg_link_journal
= LINK_HOST
;
760 arg_link_journal_try
= true;
762 log_error("Failed to parse link journal mode %s", optarg
);
770 r
= bind_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
, c
== ARG_BIND_RO
);
772 return log_error_errno(r
, "Failed to parse --bind(-ro)= argument %s: %m", optarg
);
774 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
778 r
= tmpfs_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
);
780 return log_error_errno(r
, "Failed to parse --tmpfs= argument %s: %m", optarg
);
782 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
787 r
= overlay_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
, c
== ARG_OVERLAY_RO
);
788 if (r
== -EADDRNOTAVAIL
)
789 return log_error_errno(r
, "--overlay(-ro)= needs at least two colon-separated directories specified.");
791 return log_error_errno(r
, "Failed to parse --overlay(-ro)= argument %s: %m", optarg
);
793 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
799 if (!env_assignment_is_valid(optarg
)) {
800 log_error("Environment variable assignment '%s' is not valid.", optarg
);
804 n
= strv_env_set(arg_setenv
, optarg
);
808 strv_free(arg_setenv
);
811 arg_settings_mask
|= SETTING_ENVIRONMENT
;
819 case ARG_SHARE_SYSTEM
:
820 /* We don't officially support this anymore, except for compat reasons. People should use the
821 * $SYSTEMD_NSPAWN_SHARE_* environment variables instead. */
822 arg_clone_ns_flags
= 0;
826 r
= parse_boolean(optarg
);
828 log_error("Failed to parse --register= argument: %s", optarg
);
836 arg_keep_unit
= true;
839 case ARG_PERSONALITY
:
841 arg_personality
= personality_from_string(optarg
);
842 if (arg_personality
== PERSONALITY_INVALID
) {
843 log_error("Unknown or unsupported personality '%s'.", optarg
);
847 arg_settings_mask
|= SETTING_PERSONALITY
;
853 arg_volatile_mode
= VOLATILE_YES
;
857 m
= volatile_mode_from_string(optarg
);
859 log_error("Failed to parse --volatile= argument: %s", optarg
);
862 arg_volatile_mode
= m
;
865 arg_settings_mask
|= SETTING_VOLATILE_MODE
;
869 r
= expose_port_parse(&arg_expose_ports
, optarg
);
871 return log_error_errno(r
, "Duplicate port specification: %s", optarg
);
873 return log_error_errno(r
, "Failed to parse host port %s: %m", optarg
);
875 arg_settings_mask
|= SETTING_EXPOSE_PORTS
;
879 if (strv_extend(&arg_property
, optarg
) < 0)
884 case ARG_PRIVATE_USERS
: {
889 else if (!in_charset(optarg
, DIGITS
))
890 /* do *not* parse numbers as booleans */
891 boolean
= parse_boolean(optarg
);
893 if (boolean
== false) {
894 /* no: User namespacing off */
895 arg_userns_mode
= USER_NAMESPACE_NO
;
896 arg_uid_shift
= UID_INVALID
;
897 arg_uid_range
= UINT32_C(0x10000);
898 } else if (boolean
== true) {
899 /* yes: User namespacing on, UID range is read from root dir */
900 arg_userns_mode
= USER_NAMESPACE_FIXED
;
901 arg_uid_shift
= UID_INVALID
;
902 arg_uid_range
= UINT32_C(0x10000);
903 } else if (streq(optarg
, "pick")) {
904 /* pick: User namespacing on, UID range is picked randomly */
905 arg_userns_mode
= USER_NAMESPACE_PICK
;
906 arg_uid_shift
= UID_INVALID
;
907 arg_uid_range
= UINT32_C(0x10000);
909 _cleanup_free_
char *buffer
= NULL
;
910 const char *range
, *shift
;
912 /* anything else: User namespacing on, UID range is explicitly configured */
914 range
= strchr(optarg
, ':');
916 buffer
= strndup(optarg
, range
- optarg
);
922 r
= safe_atou32(range
, &arg_uid_range
);
924 return log_error_errno(r
, "Failed to parse UID range \"%s\": %m", range
);
928 r
= parse_uid(shift
, &arg_uid_shift
);
930 return log_error_errno(r
, "Failed to parse UID \"%s\": %m", optarg
);
932 arg_userns_mode
= USER_NAMESPACE_FIXED
;
935 if (arg_uid_range
<= 0) {
936 log_error("UID range cannot be 0.");
940 arg_settings_mask
|= SETTING_USERNS
;
945 if (userns_supported()) {
946 arg_userns_mode
= USER_NAMESPACE_PICK
;
947 arg_uid_shift
= UID_INVALID
;
948 arg_uid_range
= UINT32_C(0x10000);
950 arg_settings_mask
|= SETTING_USERNS
;
955 case ARG_PRIVATE_USERS_CHOWN
:
956 arg_userns_chown
= true;
958 arg_settings_mask
|= SETTING_USERNS
;
961 case ARG_KILL_SIGNAL
:
962 arg_kill_signal
= signal_from_string_try_harder(optarg
);
963 if (arg_kill_signal
< 0) {
964 log_error("Cannot parse signal: %s", optarg
);
968 arg_settings_mask
|= SETTING_KILL_SIGNAL
;
973 /* no → do not read files
974 * yes → read files, do not override cmdline, trust only subset
975 * override → read files, override cmdline, trust only subset
976 * trusted → read files, do not override cmdline, trust all
979 r
= parse_boolean(optarg
);
981 if (streq(optarg
, "trusted")) {
982 mask_all_settings
= false;
983 mask_no_settings
= false;
984 arg_settings_trusted
= true;
986 } else if (streq(optarg
, "override")) {
987 mask_all_settings
= false;
988 mask_no_settings
= true;
989 arg_settings_trusted
= -1;
991 return log_error_errno(r
, "Failed to parse --settings= argument: %s", optarg
);
994 mask_all_settings
= false;
995 mask_no_settings
= false;
996 arg_settings_trusted
= -1;
999 mask_all_settings
= true;
1000 mask_no_settings
= false;
1001 arg_settings_trusted
= false;
1007 if (!path_is_absolute(optarg
)) {
1008 log_error("Working directory %s is not an absolute path.", optarg
);
1012 r
= free_and_strdup(&arg_chdir
, optarg
);
1016 arg_settings_mask
|= SETTING_WORKING_DIRECTORY
;
1019 case ARG_PIVOT_ROOT
:
1020 r
= pivot_root_parse(&arg_pivot_root_new
, &arg_pivot_root_old
, optarg
);
1022 return log_error_errno(r
, "Failed to parse --pivot-root= argument %s: %m", optarg
);
1024 arg_settings_mask
|= SETTING_PIVOT_ROOT
;
1027 case ARG_NOTIFY_READY
:
1028 r
= parse_boolean(optarg
);
1030 log_error("%s is not a valid notify mode. Valid modes are: yes, no, and ready.", optarg
);
1033 arg_notify_ready
= r
;
1034 arg_settings_mask
|= SETTING_NOTIFY_READY
;
1037 case ARG_ROOT_HASH
: {
1041 r
= unhexmem(optarg
, strlen(optarg
), &k
, &l
);
1043 return log_error_errno(r
, "Failed to parse root hash: %s", optarg
);
1044 if (l
< sizeof(sd_id128_t
)) {
1045 log_error("Root hash must be at least 128bit long: %s", optarg
);
1050 free(arg_root_hash
);
1052 arg_root_hash_size
= l
;
1056 case ARG_SYSTEM_CALL_FILTER
: {
1060 negative
= optarg
[0] == '~';
1061 items
= negative
? optarg
+ 1 : optarg
;
1064 _cleanup_free_
char *word
= NULL
;
1066 r
= extract_first_word(&items
, &word
, NULL
, 0);
1072 return log_error_errno(r
, "Failed to parse system call filter: %m");
1075 r
= strv_extend(&arg_syscall_blacklist
, word
);
1077 r
= strv_extend(&arg_syscall_whitelist
, word
);
1082 arg_settings_mask
|= SETTING_SYSCALL_FILTER
;
1090 assert_not_reached("Unhandled option");
1093 parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_IPC", CLONE_NEWIPC
);
1094 parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_PID", CLONE_NEWPID
);
1095 parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_UTS", CLONE_NEWUTS
);
1096 parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_SYSTEM", CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
);
1098 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
1099 arg_mount_settings
|= MOUNT_USE_USERNS
;
1101 if (arg_private_network
)
1102 arg_mount_settings
|= MOUNT_APPLY_APIVFS_NETNS
;
1104 parse_mount_settings_env();
1106 if (!(arg_clone_ns_flags
& CLONE_NEWPID
) ||
1107 !(arg_clone_ns_flags
& CLONE_NEWUTS
)) {
1108 arg_register
= false;
1109 if (arg_start_mode
!= START_PID1
) {
1110 log_error("--boot cannot be used without namespacing.");
1115 if (arg_userns_mode
== USER_NAMESPACE_PICK
)
1116 arg_userns_chown
= true;
1118 if (arg_keep_unit
&& arg_register
&& cg_pid_get_owner_uid(0, NULL
) >= 0) {
1119 /* Save the user from accidentally registering either user-$SESSION.scope or user@.service.
1120 * The latter is not technically a user session, but we don't need to labour the point. */
1121 log_error("--keep-unit --register=yes may not be used when invoked from a user session.");
1125 if (arg_directory
&& arg_image
) {
1126 log_error("--directory= and --image= may not be combined.");
1130 if (arg_template
&& arg_image
) {
1131 log_error("--template= and --image= may not be combined.");
1135 if (arg_ephemeral
&& arg_template
&& !arg_directory
) {
1136 /* User asked for ephemeral execution but specified --template= instead of --directory=. Semantically
1137 * such an invocation makes some sense, see https://github.com/systemd/systemd/issues/3667. Let's
1138 * accept this here, and silently make "--ephemeral --template=" equivalent to "--ephemeral
1141 arg_directory
= arg_template
;
1142 arg_template
= NULL
;
1145 if (arg_template
&& !(arg_directory
|| arg_machine
)) {
1146 log_error("--template= needs --directory= or --machine=.");
1150 if (arg_ephemeral
&& arg_template
) {
1151 log_error("--ephemeral and --template= may not be combined.");
1155 if (arg_ephemeral
&& !IN_SET(arg_link_journal
, LINK_NO
, LINK_AUTO
)) {
1156 log_error("--ephemeral and --link-journal= may not be combined.");
1160 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& !userns_supported()) {
1161 log_error("--private-users= is not supported, kernel compiled without user namespace support.");
1165 if (arg_userns_chown
&& arg_read_only
) {
1166 log_error("--read-only and --private-users-chown may not be combined.");
1170 if (arg_network_bridge
&& arg_network_zone
) {
1171 log_error("--network-bridge= and --network-zone= may not be combined.");
1175 if (argc
> optind
) {
1176 arg_parameters
= strv_copy(argv
+ optind
);
1177 if (!arg_parameters
)
1180 arg_settings_mask
|= SETTING_START_MODE
;
1183 /* Load all settings from .nspawn files */
1184 if (mask_no_settings
)
1185 arg_settings_mask
= 0;
1187 /* Don't load any settings from .nspawn files */
1188 if (mask_all_settings
)
1189 arg_settings_mask
= _SETTINGS_MASK_ALL
;
1191 arg_caps_retain
= (arg_caps_retain
| plus
| (arg_private_network
? 1ULL << CAP_NET_ADMIN
: 0)) & ~minus
;
1193 r
= cg_unified_flush();
1195 return log_error_errno(r
, "Failed to determine whether the unified cgroups hierarchy is used: %m");
1197 e
= getenv("SYSTEMD_NSPAWN_CONTAINER_SERVICE");
1199 arg_container_service_name
= e
;
1201 r
= getenv_bool("SYSTEMD_NSPAWN_USE_CGNS");
1203 arg_use_cgns
= cg_ns_supported();
1207 r
= custom_mount_check_all();
1214 static int verify_arguments(void) {
1215 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& (arg_mount_settings
& MOUNT_APPLY_APIVFS_NETNS
) && !arg_private_network
) {
1216 log_error("Invalid namespacing settings. Mounting sysfs with --private-users requires --private-network.");
1220 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& !(arg_mount_settings
& MOUNT_APPLY_APIVFS_RO
)) {
1221 log_error("Cannot combine --private-users with read-write mounts.");
1225 if (arg_volatile_mode
!= VOLATILE_NO
&& arg_read_only
) {
1226 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
1230 if (arg_expose_ports
&& !arg_private_network
) {
1231 log_error("Cannot use --port= without private networking.");
1236 if (arg_expose_ports
) {
1237 log_error("--port= is not supported, compiled without libiptc support.");
1242 if (arg_start_mode
== START_BOOT
&& arg_kill_signal
<= 0)
1243 arg_kill_signal
= SIGRTMIN
+3;
1248 static int userns_lchown(const char *p
, uid_t uid
, gid_t gid
) {
1251 if (arg_userns_mode
== USER_NAMESPACE_NO
)
1254 if (uid
== UID_INVALID
&& gid
== GID_INVALID
)
1257 if (uid
!= UID_INVALID
) {
1258 uid
+= arg_uid_shift
;
1260 if (uid
< arg_uid_shift
|| uid
>= arg_uid_shift
+ arg_uid_range
)
1264 if (gid
!= GID_INVALID
) {
1265 gid
+= (gid_t
) arg_uid_shift
;
1267 if (gid
< (gid_t
) arg_uid_shift
|| gid
>= (gid_t
) (arg_uid_shift
+ arg_uid_range
))
1271 if (lchown(p
, uid
, gid
) < 0)
1277 static int userns_mkdir(const char *root
, const char *path
, mode_t mode
, uid_t uid
, gid_t gid
) {
1280 q
= prefix_roota(root
, path
);
1281 if (mkdir(q
, mode
) < 0) {
1282 if (errno
== EEXIST
)
1287 return userns_lchown(q
, uid
, gid
);
1290 static int setup_timezone(const char *dest
) {
1291 _cleanup_free_
char *p
= NULL
, *q
= NULL
;
1292 const char *where
, *check
, *what
;
1298 /* Fix the timezone, if possible */
1299 r
= readlink_malloc("/etc/localtime", &p
);
1301 log_warning("host's /etc/localtime is not a symlink, not updating container timezone.");
1302 /* to handle warning, delete /etc/localtime and replace it
1303 * with a symbolic link to a time zone data file.
1306 * ln -s /usr/share/zoneinfo/UTC /etc/localtime
1311 z
= path_startswith(p
, "../usr/share/zoneinfo/");
1313 z
= path_startswith(p
, "/usr/share/zoneinfo/");
1315 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1319 where
= prefix_roota(dest
, "/etc/localtime");
1320 r
= readlink_malloc(where
, &q
);
1322 y
= path_startswith(q
, "../usr/share/zoneinfo/");
1324 y
= path_startswith(q
, "/usr/share/zoneinfo/");
1326 /* Already pointing to the right place? Then do nothing .. */
1327 if (y
&& streq(y
, z
))
1331 check
= strjoina("/usr/share/zoneinfo/", z
);
1332 check
= prefix_roota(dest
, check
);
1333 if (laccess(check
, F_OK
) < 0) {
1334 log_warning("Timezone %s does not exist in container, not updating container timezone.", z
);
1338 if (unlink(where
) < 0 && errno
!= ENOENT
) {
1339 log_full_errno(IN_SET(errno
, EROFS
, EACCES
, EPERM
) ? LOG_DEBUG
: LOG_WARNING
, /* Don't complain on read-only images */
1341 "Failed to remove existing timezone info %s in container, ignoring: %m", where
);
1345 what
= strjoina("../usr/share/zoneinfo/", z
);
1346 if (symlink(what
, where
) < 0) {
1347 log_full_errno(IN_SET(errno
, EROFS
, EACCES
, EPERM
) ? LOG_DEBUG
: LOG_WARNING
,
1349 "Failed to correct timezone of container, ignoring: %m");
1353 r
= userns_lchown(where
, 0, 0);
1355 return log_warning_errno(r
, "Failed to chown /etc/localtime: %m");
1360 static int resolved_listening(void) {
1361 _cleanup_(sd_bus_flush_close_unrefp
) sd_bus
*bus
= NULL
;
1362 _cleanup_free_
char *dns_stub_listener_mode
= NULL
;
1365 /* Check if resolved is listening */
1367 r
= sd_bus_open_system(&bus
);
1371 r
= bus_name_has_owner(bus
, "org.freedesktop.resolve1", NULL
);
1375 r
= sd_bus_get_property_string(bus
,
1376 "org.freedesktop.resolve1",
1377 "/org/freedesktop/resolve1",
1378 "org.freedesktop.resolve1.Manager",
1381 &dns_stub_listener_mode
);
1385 return STR_IN_SET(dns_stub_listener_mode
, "udp", "yes");
1388 static int setup_resolv_conf(const char *dest
) {
1389 _cleanup_free_
char *resolved
= NULL
, *etc
= NULL
;
1395 if (arg_private_network
)
1398 r
= chase_symlinks("/etc", dest
, CHASE_PREFIX_ROOT
, &etc
);
1400 log_warning_errno(r
, "Failed to resolve /etc path in container, ignoring: %m");
1404 where
= strjoina(etc
, "/resolv.conf");
1405 found
= chase_symlinks(where
, dest
, CHASE_NONEXISTENT
, &resolved
);
1407 log_warning_errno(found
, "Failed to resolve /etc/resolv.conf path in container, ignoring: %m");
1411 if (access("/usr/lib/systemd/resolv.conf", F_OK
) >= 0 &&
1412 resolved_listening() > 0) {
1414 /* resolved is enabled on the host. In this, case bind mount its static resolv.conf file into the
1415 * container, so that the container can use the host's resolver. Given that network namespacing is
1416 * disabled it's only natural of the container also uses the host's resolver. It also has the big
1417 * advantage that the container will be able to follow the host's DNS server configuration changes
1420 if (found
== 0) /* missing? */
1421 (void) touch(resolved
);
1423 r
= mount_verbose(LOG_DEBUG
, "/usr/lib/systemd/resolv.conf", resolved
, NULL
, MS_BIND
, NULL
);
1425 return mount_verbose(LOG_ERR
, NULL
, resolved
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
);
1428 /* If that didn't work, let's copy the file */
1429 r
= copy_file("/etc/resolv.conf", where
, O_TRUNC
|O_NOFOLLOW
, 0644, 0, COPY_REFLINK
);
1431 /* If the file already exists as symlink, let's suppress the warning, under the assumption that
1432 * resolved or something similar runs inside and the symlink points there.
1434 * If the disk image is read-only, there's also no point in complaining.
1436 log_full_errno(IN_SET(r
, -ELOOP
, -EROFS
, -EACCES
, -EPERM
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1437 "Failed to copy /etc/resolv.conf to %s, ignoring: %m", where
);
1441 r
= userns_lchown(where
, 0, 0);
1443 log_warning_errno(r
, "Failed to chown /etc/resolv.conf, ignoring: %m");
1448 static int setup_boot_id(const char *dest
) {
1449 sd_id128_t rnd
= SD_ID128_NULL
;
1450 const char *from
, *to
;
1453 /* Generate a new randomized boot ID, so that each boot-up of
1454 * the container gets a new one */
1456 from
= prefix_roota(dest
, "/run/proc-sys-kernel-random-boot-id");
1457 to
= prefix_roota(dest
, "/proc/sys/kernel/random/boot_id");
1459 r
= sd_id128_randomize(&rnd
);
1461 return log_error_errno(r
, "Failed to generate random boot id: %m");
1463 r
= id128_write(from
, ID128_UUID
, rnd
, false);
1465 return log_error_errno(r
, "Failed to write boot id: %m");
1467 r
= mount_verbose(LOG_ERR
, from
, to
, NULL
, MS_BIND
, NULL
);
1469 r
= mount_verbose(LOG_ERR
, NULL
, to
, NULL
,
1470 MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
);
1472 (void) unlink(from
);
1476 static int copy_devnodes(const char *dest
) {
1478 static const char devnodes
[] =
1489 _cleanup_umask_ mode_t u
;
1495 /* Create /dev/net, so that we can create /dev/net/tun in it */
1496 if (userns_mkdir(dest
, "/dev/net", 0755, 0, 0) < 0)
1497 return log_error_errno(r
, "Failed to create /dev/net directory: %m");
1499 NULSTR_FOREACH(d
, devnodes
) {
1500 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1503 from
= strappend("/dev/", d
);
1504 to
= prefix_root(dest
, from
);
1506 if (stat(from
, &st
) < 0) {
1508 if (errno
!= ENOENT
)
1509 return log_error_errno(errno
, "Failed to stat %s: %m", from
);
1511 } else if (!S_ISCHR(st
.st_mode
) && !S_ISBLK(st
.st_mode
)) {
1513 log_error("%s is not a char or block device, cannot copy.", from
);
1517 if (mknod(to
, st
.st_mode
, st
.st_rdev
) < 0) {
1518 /* Explicitly warn the user when /dev is already populated. */
1519 if (errno
== EEXIST
)
1520 log_notice("%s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system.", dest
);
1522 return log_error_errno(errno
, "mknod(%s) failed: %m", to
);
1524 /* Some systems abusively restrict mknod but
1525 * allow bind mounts. */
1528 return log_error_errno(r
, "touch (%s) failed: %m", to
);
1529 r
= mount_verbose(LOG_DEBUG
, from
, to
, NULL
, MS_BIND
, NULL
);
1531 return log_error_errno(r
, "Both mknod and bind mount (%s) failed: %m", to
);
1534 r
= userns_lchown(to
, 0, 0);
1536 return log_error_errno(r
, "chown() of device node %s failed: %m", to
);
1543 static int setup_pts(const char *dest
) {
1544 _cleanup_free_
char *options
= NULL
;
1549 if (arg_selinux_apifs_context
)
1550 (void) asprintf(&options
,
1551 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
",context=\"%s\"",
1552 arg_uid_shift
+ TTY_GID
,
1553 arg_selinux_apifs_context
);
1556 (void) asprintf(&options
,
1557 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
,
1558 arg_uid_shift
+ TTY_GID
);
1563 /* Mount /dev/pts itself */
1564 p
= prefix_roota(dest
, "/dev/pts");
1565 if (mkdir(p
, 0755) < 0)
1566 return log_error_errno(errno
, "Failed to create /dev/pts: %m");
1567 r
= mount_verbose(LOG_ERR
, "devpts", p
, "devpts", MS_NOSUID
|MS_NOEXEC
, options
);
1570 r
= userns_lchown(p
, 0, 0);
1572 return log_error_errno(r
, "Failed to chown /dev/pts: %m");
1574 /* Create /dev/ptmx symlink */
1575 p
= prefix_roota(dest
, "/dev/ptmx");
1576 if (symlink("pts/ptmx", p
) < 0)
1577 return log_error_errno(errno
, "Failed to create /dev/ptmx symlink: %m");
1578 r
= userns_lchown(p
, 0, 0);
1580 return log_error_errno(r
, "Failed to chown /dev/ptmx: %m");
1582 /* And fix /dev/pts/ptmx ownership */
1583 p
= prefix_roota(dest
, "/dev/pts/ptmx");
1584 r
= userns_lchown(p
, 0, 0);
1586 return log_error_errno(r
, "Failed to chown /dev/pts/ptmx: %m");
1591 static int setup_dev_console(const char *dest
, const char *console
) {
1592 _cleanup_umask_ mode_t u
;
1601 r
= chmod_and_chown(console
, 0600, arg_uid_shift
, arg_uid_shift
);
1603 return log_error_errno(r
, "Failed to correct access mode for TTY: %m");
1605 /* We need to bind mount the right tty to /dev/console since
1606 * ptys can only exist on pts file systems. To have something
1607 * to bind mount things on we create a empty regular file. */
1609 to
= prefix_roota(dest
, "/dev/console");
1612 return log_error_errno(r
, "touch() for /dev/console failed: %m");
1614 return mount_verbose(LOG_ERR
, console
, to
, NULL
, MS_BIND
, NULL
);
1617 static int setup_keyring(void) {
1618 key_serial_t keyring
;
1620 /* Allocate a new session keyring for the container. This makes sure the keyring of the session systemd-nspawn
1621 * was invoked from doesn't leak into the container. Note that by default we block keyctl() and request_key()
1622 * anyway via seccomp so doing this operation isn't strictly necessary, but in case people explicitly whitelist
1623 * these system calls let's make sure we don't leak anything into the container. */
1625 keyring
= keyctl(KEYCTL_JOIN_SESSION_KEYRING
, 0, 0, 0, 0);
1626 if (keyring
== -1) {
1627 if (errno
== ENOSYS
)
1628 log_debug_errno(errno
, "Kernel keyring not supported, ignoring.");
1629 else if (IN_SET(errno
, EACCES
, EPERM
))
1630 log_debug_errno(errno
, "Kernel keyring access prohibited, ignoring.");
1632 return log_error_errno(errno
, "Setting up kernel keyring failed: %m");
1638 static int setup_kmsg(const char *dest
, int kmsg_socket
) {
1639 const char *from
, *to
;
1640 _cleanup_umask_ mode_t u
;
1643 assert(kmsg_socket
>= 0);
1647 /* We create the kmsg FIFO as /run/kmsg, but immediately
1648 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1649 * on the reading side behave very similar to /proc/kmsg,
1650 * their writing side behaves differently from /dev/kmsg in
1651 * that writing blocks when nothing is reading. In order to
1652 * avoid any problems with containers deadlocking due to this
1653 * we simply make /dev/kmsg unavailable to the container. */
1654 from
= prefix_roota(dest
, "/run/kmsg");
1655 to
= prefix_roota(dest
, "/proc/kmsg");
1657 if (mkfifo(from
, 0600) < 0)
1658 return log_error_errno(errno
, "mkfifo() for /run/kmsg failed: %m");
1659 r
= mount_verbose(LOG_ERR
, from
, to
, NULL
, MS_BIND
, NULL
);
1663 fd
= open(from
, O_RDWR
|O_NDELAY
|O_CLOEXEC
);
1665 return log_error_errno(errno
, "Failed to open fifo: %m");
1667 /* Store away the fd in the socket, so that it stays open as
1668 * long as we run the child */
1669 r
= send_one_fd(kmsg_socket
, fd
, 0);
1673 return log_error_errno(r
, "Failed to send FIFO fd: %m");
1675 /* And now make the FIFO unavailable as /run/kmsg... */
1676 (void) unlink(from
);
1681 static int on_address_change(sd_netlink
*rtnl
, sd_netlink_message
*m
, void *userdata
) {
1682 union in_addr_union
*exposed
= userdata
;
1688 expose_port_execute(rtnl
, arg_expose_ports
, exposed
);
1692 static int setup_hostname(void) {
1694 if ((arg_clone_ns_flags
& CLONE_NEWUTS
) == 0)
1697 if (sethostname_idempotent(arg_machine
) < 0)
1703 static int setup_journal(const char *directory
) {
1705 _cleanup_free_
char *d
= NULL
;
1711 /* Don't link journals in ephemeral mode */
1715 if (arg_link_journal
== LINK_NO
)
1718 try = arg_link_journal_try
|| arg_link_journal
== LINK_AUTO
;
1720 r
= sd_id128_get_machine(&this_id
);
1722 return log_error_errno(r
, "Failed to retrieve machine ID: %m");
1724 if (sd_id128_equal(arg_uuid
, this_id
)) {
1725 log_full(try ? LOG_WARNING
: LOG_ERR
,
1726 "Host and machine ids are equal (%s): refusing to link journals", sd_id128_to_string(arg_uuid
, id
));
1732 r
= userns_mkdir(directory
, "/var", 0755, 0, 0);
1734 return log_error_errno(r
, "Failed to create /var: %m");
1736 r
= userns_mkdir(directory
, "/var/log", 0755, 0, 0);
1738 return log_error_errno(r
, "Failed to create /var/log: %m");
1740 r
= userns_mkdir(directory
, "/var/log/journal", 0755, 0, 0);
1742 return log_error_errno(r
, "Failed to create /var/log/journal: %m");
1744 (void) sd_id128_to_string(arg_uuid
, id
);
1746 p
= strjoina("/var/log/journal/", id
);
1747 q
= prefix_roota(directory
, p
);
1749 if (path_is_mount_point(p
, NULL
, 0) > 0) {
1753 log_error("%s: already a mount point, refusing to use for journal", p
);
1757 if (path_is_mount_point(q
, NULL
, 0) > 0) {
1761 log_error("%s: already a mount point, refusing to use for journal", q
);
1765 r
= readlink_and_make_absolute(p
, &d
);
1767 if (IN_SET(arg_link_journal
, LINK_GUEST
, LINK_AUTO
) &&
1770 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
1772 log_warning_errno(r
, "Failed to create directory %s: %m", q
);
1777 return log_error_errno(errno
, "Failed to remove symlink %s: %m", p
);
1778 } else if (r
== -EINVAL
) {
1780 if (arg_link_journal
== LINK_GUEST
&&
1783 if (errno
== ENOTDIR
) {
1784 log_error("%s already exists and is neither a symlink nor a directory", p
);
1787 return log_error_errno(errno
, "Failed to remove %s: %m", p
);
1789 } else if (r
!= -ENOENT
)
1790 return log_error_errno(r
, "readlink(%s) failed: %m", p
);
1792 if (arg_link_journal
== LINK_GUEST
) {
1794 if (symlink(q
, p
) < 0) {
1796 log_debug_errno(errno
, "Failed to symlink %s to %s, skipping journal setup: %m", q
, p
);
1799 return log_error_errno(errno
, "Failed to symlink %s to %s: %m", q
, p
);
1802 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
1804 log_warning_errno(r
, "Failed to create directory %s: %m", q
);
1808 if (arg_link_journal
== LINK_HOST
) {
1809 /* don't create parents here — if the host doesn't have
1810 * permanent journal set up, don't force it here */
1812 if (mkdir(p
, 0755) < 0 && errno
!= EEXIST
) {
1814 log_debug_errno(errno
, "Failed to create %s, skipping journal setup: %m", p
);
1817 return log_error_errno(errno
, "Failed to create %s: %m", p
);
1820 } else if (access(p
, F_OK
) < 0)
1823 if (dir_is_empty(q
) == 0)
1824 log_warning("%s is not empty, proceeding anyway.", q
);
1826 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
1828 return log_error_errno(r
, "Failed to create %s: %m", q
);
1830 r
= mount_verbose(LOG_DEBUG
, p
, q
, NULL
, MS_BIND
, NULL
);
1832 return log_error_errno(errno
, "Failed to bind mount journal from host into guest: %m");
1837 static int drop_capabilities(void) {
1838 return capability_bounding_set_drop(arg_caps_retain
, false);
1841 static int reset_audit_loginuid(void) {
1842 _cleanup_free_
char *p
= NULL
;
1845 if ((arg_clone_ns_flags
& CLONE_NEWPID
) == 0)
1848 r
= read_one_line_file("/proc/self/loginuid", &p
);
1852 return log_error_errno(r
, "Failed to read /proc/self/loginuid: %m");
1854 /* Already reset? */
1855 if (streq(p
, "4294967295"))
1858 r
= write_string_file("/proc/self/loginuid", "4294967295", 0);
1861 "Failed to reset audit login UID. This probably means that your kernel is too\n"
1862 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1863 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1864 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1865 "using systemd-nspawn. Sleeping for 5s... (%m)");
1874 static int setup_propagate(const char *root
) {
1878 (void) mkdir_p("/run/systemd/nspawn/", 0755);
1879 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
1880 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
1881 (void) mkdir_p(p
, 0600);
1883 r
= userns_mkdir(root
, "/run/systemd", 0755, 0, 0);
1885 return log_error_errno(r
, "Failed to create /run/systemd: %m");
1887 r
= userns_mkdir(root
, "/run/systemd/nspawn", 0755, 0, 0);
1889 return log_error_errno(r
, "Failed to create /run/systemd/nspawn: %m");
1891 r
= userns_mkdir(root
, "/run/systemd/nspawn/incoming", 0600, 0, 0);
1893 return log_error_errno(r
, "Failed to create /run/systemd/nspawn/incoming: %m");
1895 q
= prefix_roota(root
, "/run/systemd/nspawn/incoming");
1896 r
= mount_verbose(LOG_ERR
, p
, q
, NULL
, MS_BIND
, NULL
);
1900 r
= mount_verbose(LOG_ERR
, NULL
, q
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
);
1904 /* machined will MS_MOVE into that directory, and that's only
1905 * supported for non-shared mounts. */
1906 return mount_verbose(LOG_ERR
, NULL
, q
, NULL
, MS_SLAVE
, NULL
);
1909 static int setup_machine_id(const char *directory
) {
1910 const char *etc_machine_id
;
1914 /* If the UUID in the container is already set, then that's what counts, and we use. If it isn't set, and the
1915 * caller passed --uuid=, then we'll pass it in the $container_uuid env var to PID 1 of the container. The
1916 * assumption is that PID 1 will then write it to /etc/machine-id to make it persistent. If --uuid= is not
1917 * passed we generate a random UUID, and pass it via $container_uuid. In effect this means that /etc/machine-id
1918 * in the container and our idea of the container UUID will always be in sync (at least if PID 1 in the
1919 * container behaves nicely). */
1921 etc_machine_id
= prefix_roota(directory
, "/etc/machine-id");
1923 r
= id128_read(etc_machine_id
, ID128_PLAIN
, &id
);
1925 if (!IN_SET(r
, -ENOENT
, -ENOMEDIUM
)) /* If the file is missing or empty, we don't mind */
1926 return log_error_errno(r
, "Failed to read machine ID from container image: %m");
1928 if (sd_id128_is_null(arg_uuid
)) {
1929 r
= sd_id128_randomize(&arg_uuid
);
1931 return log_error_errno(r
, "Failed to acquire randomized machine UUID: %m");
1934 if (sd_id128_is_null(id
)) {
1935 log_error("Machine ID in container image is zero, refusing.");
1945 static int recursive_chown(const char *directory
, uid_t shift
, uid_t range
) {
1950 if (arg_userns_mode
== USER_NAMESPACE_NO
|| !arg_userns_chown
)
1953 r
= path_patch_uid(directory
, arg_uid_shift
, arg_uid_range
);
1954 if (r
== -EOPNOTSUPP
)
1955 return log_error_errno(r
, "Automatic UID/GID adjusting is only supported for UID/GID ranges starting at multiples of 2^16 with a range of 2^16.");
1957 return log_error_errno(r
, "Upper 16 bits of root directory UID and GID do not match.");
1959 return log_error_errno(r
, "Failed to adjust UID/GID shift of OS tree: %m");
1961 log_debug("Root directory of image is already owned by the right UID/GID range, skipping recursive chown operation.");
1963 log_debug("Patched directory tree to match UID/GID range.");
1970 * < 0 : wait_for_terminate() failed to get the state of the
1971 * container, the container was terminated by a signal, or
1972 * failed for an unknown reason. No change is made to the
1973 * container argument.
1974 * > 0 : The program executed in the container terminated with an
1975 * error. The exit code of the program executed in the
1976 * container is returned. The container argument has been set
1977 * to CONTAINER_TERMINATED.
1978 * 0 : The container is being rebooted, has been shut down or exited
1979 * successfully. The container argument has been set to either
1980 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
1982 * That is, success is indicated by a return value of zero, and an
1983 * error is indicated by a non-zero value.
1985 static int wait_for_container(pid_t pid
, ContainerStatus
*container
) {
1989 r
= wait_for_terminate(pid
, &status
);
1991 return log_warning_errno(r
, "Failed to wait for container: %m");
1993 switch (status
.si_code
) {
1996 if (status
.si_status
== 0)
1997 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s exited successfully.", arg_machine
);
1999 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s failed with error code %i.", arg_machine
, status
.si_status
);
2001 *container
= CONTAINER_TERMINATED
;
2002 return status
.si_status
;
2005 if (status
.si_status
== SIGINT
) {
2006 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s has been shut down.", arg_machine
);
2007 *container
= CONTAINER_TERMINATED
;
2010 } else if (status
.si_status
== SIGHUP
) {
2011 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s is being rebooted.", arg_machine
);
2012 *container
= CONTAINER_REBOOTED
;
2019 log_error("Container %s terminated by signal %s.", arg_machine
, signal_to_string(status
.si_status
));
2023 log_error("Container %s failed due to unknown reason.", arg_machine
);
2028 static int on_orderly_shutdown(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
2031 pid
= PTR_TO_PID(userdata
);
2033 if (kill(pid
, arg_kill_signal
) >= 0) {
2034 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
2035 sd_event_source_set_userdata(s
, NULL
);
2040 sd_event_exit(sd_event_source_get_event(s
), 0);
2044 static int on_sigchld(sd_event_source
*s
, const struct signalfd_siginfo
*ssi
, void *userdata
) {
2047 if (waitid(P_ALL
, 0, &si
, WNOHANG
|WNOWAIT
|WEXITED
) < 0)
2048 return log_error_errno(errno
, "Failed to waitid(): %m");
2049 if (si
.si_pid
== 0) /* No pending children. */
2051 if (si
.si_pid
== PTR_TO_PID(userdata
)) {
2052 /* The main process we care for has exited. Return from
2053 * signal handler but leave the zombie. */
2054 sd_event_exit(sd_event_source_get_event(s
), 0);
2057 /* Reap all other children. */
2058 (void) waitid(P_PID
, si
.si_pid
, &si
, WNOHANG
|WEXITED
);
2064 static int determine_names(void) {
2067 if (arg_template
&& !arg_directory
&& arg_machine
) {
2069 /* If --template= was specified then we should not
2070 * search for a machine, but instead create a new one
2071 * in /var/lib/machine. */
2073 arg_directory
= strjoin("/var/lib/machines/", arg_machine
);
2078 if (!arg_image
&& !arg_directory
) {
2080 _cleanup_(image_unrefp
) Image
*i
= NULL
;
2082 r
= image_find(arg_machine
, &i
);
2084 return log_error_errno(r
, "Failed to find image for machine '%s': %m", arg_machine
);
2086 log_error("No image for machine '%s'.", arg_machine
);
2090 if (IN_SET(i
->type
, IMAGE_RAW
, IMAGE_BLOCK
))
2091 r
= free_and_strdup(&arg_image
, i
->path
);
2093 r
= free_and_strdup(&arg_directory
, i
->path
);
2098 arg_read_only
= arg_read_only
|| i
->read_only
;
2100 arg_directory
= get_current_dir_name();
2102 if (!arg_directory
&& !arg_image
) {
2103 log_error("Failed to determine path, please use -D or -i.");
2110 if (arg_directory
&& path_equal(arg_directory
, "/"))
2111 arg_machine
= gethostname_malloc();
2116 arg_machine
= strdup(basename(arg_image
));
2118 /* Truncate suffix if there is one */
2119 e
= endswith(arg_machine
, ".raw");
2123 arg_machine
= strdup(basename(arg_directory
));
2128 hostname_cleanup(arg_machine
);
2129 if (!machine_name_is_valid(arg_machine
)) {
2130 log_error("Failed to determine machine name automatically, please use -M.");
2134 if (arg_ephemeral
) {
2137 /* Add a random suffix when this is an
2138 * ephemeral machine, so that we can run many
2139 * instances at once without manually having
2140 * to specify -M each time. */
2142 if (asprintf(&b
, "%s-%016" PRIx64
, arg_machine
, random_u64()) < 0)
2153 static int chase_symlinks_and_update(char **p
, unsigned flags
) {
2162 r
= chase_symlinks(*p
, NULL
, flags
, &chased
);
2164 return log_error_errno(r
, "Failed to resolve path %s: %m", *p
);
2172 static int determine_uid_shift(const char *directory
) {
2175 if (arg_userns_mode
== USER_NAMESPACE_NO
) {
2180 if (arg_uid_shift
== UID_INVALID
) {
2183 r
= stat(directory
, &st
);
2185 return log_error_errno(errno
, "Failed to determine UID base of %s: %m", directory
);
2187 arg_uid_shift
= st
.st_uid
& UINT32_C(0xffff0000);
2189 if (arg_uid_shift
!= (st
.st_gid
& UINT32_C(0xffff0000))) {
2190 log_error("UID and GID base of %s don't match.", directory
);
2194 arg_uid_range
= UINT32_C(0x10000);
2197 if (arg_uid_shift
> (uid_t
) -1 - arg_uid_range
) {
2198 log_error("UID base too high for UID range.");
2205 static int inner_child(
2207 const char *directory
,
2213 _cleanup_free_
char *home
= NULL
;
2216 const char *envp
[] = {
2217 "PATH=" DEFAULT_PATH_SPLIT_USR
,
2218 NULL
, /* container */
2223 NULL
, /* container_uuid */
2224 NULL
, /* LISTEN_FDS */
2225 NULL
, /* LISTEN_PID */
2226 NULL
, /* NOTIFY_SOCKET */
2229 const char *exec_target
;
2231 _cleanup_strv_free_
char **env_use
= NULL
;
2236 assert(kmsg_socket
>= 0);
2238 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
2239 /* Tell the parent, that it now can write the UID map. */
2240 (void) barrier_place(barrier
); /* #1 */
2242 /* Wait until the parent wrote the UID map */
2243 if (!barrier_place_and_sync(barrier
)) { /* #2 */
2244 log_error("Parent died too early");
2249 r
= reset_uid_gid();
2251 return log_error_errno(r
, "Couldn't become new root: %m");
2254 arg_mount_settings
| MOUNT_IN_USERNS
,
2257 arg_selinux_apifs_context
);
2262 r
= mount_sysfs(NULL
, arg_mount_settings
);
2266 /* Wait until we are cgroup-ified, so that we
2267 * can mount the right cgroup path writable */
2268 if (!barrier_place_and_sync(barrier
)) { /* #3 */
2269 log_error("Parent died too early");
2273 if (arg_use_cgns
&& cg_ns_supported()) {
2274 r
= unshare(CLONE_NEWCGROUP
);
2276 return log_error_errno(errno
, "Failed to unshare cgroup namespace");
2279 arg_unified_cgroup_hierarchy
,
2280 arg_userns_mode
!= USER_NAMESPACE_NO
,
2283 arg_selinux_apifs_context
,
2288 r
= mount_systemd_cgroup_writable("", arg_unified_cgroup_hierarchy
);
2293 r
= setup_boot_id(NULL
);
2297 r
= setup_kmsg(NULL
, kmsg_socket
);
2300 kmsg_socket
= safe_close(kmsg_socket
);
2305 return log_error_errno(errno
, "setsid() failed: %m");
2307 if (arg_private_network
)
2310 if (arg_expose_ports
) {
2311 r
= expose_port_send_rtnl(rtnl_socket
);
2314 rtnl_socket
= safe_close(rtnl_socket
);
2317 r
= drop_capabilities();
2319 return log_error_errno(r
, "drop_capabilities() failed: %m");
2323 if (arg_personality
!= PERSONALITY_INVALID
) {
2324 r
= safe_personality(arg_personality
);
2326 return log_error_errno(r
, "personality() failed: %m");
2327 } else if (secondary
) {
2328 r
= safe_personality(PER_LINUX32
);
2330 return log_error_errno(r
, "personality() failed: %m");
2334 if (arg_selinux_context
)
2335 if (setexeccon(arg_selinux_context
) < 0)
2336 return log_error_errno(errno
, "setexeccon(\"%s\") failed: %m", arg_selinux_context
);
2339 r
= change_uid_gid(arg_user
, &home
);
2343 /* LXC sets container=lxc, so follow the scheme here */
2344 envp
[n_env
++] = strjoina("container=", arg_container_service_name
);
2346 envp
[n_env
] = strv_find_prefix(environ
, "TERM=");
2350 if ((asprintf((char**)(envp
+ n_env
++), "HOME=%s", home
? home
: "/root") < 0) ||
2351 (asprintf((char**)(envp
+ n_env
++), "USER=%s", arg_user
? arg_user
: "root") < 0) ||
2352 (asprintf((char**)(envp
+ n_env
++), "LOGNAME=%s", arg_user
? arg_user
: "root") < 0))
2355 assert(!sd_id128_is_null(arg_uuid
));
2357 if (asprintf((char**)(envp
+ n_env
++), "container_uuid=%s", id128_to_uuid_string(arg_uuid
, as_uuid
)) < 0)
2360 if (fdset_size(fds
) > 0) {
2361 r
= fdset_cloexec(fds
, false);
2363 return log_error_errno(r
, "Failed to unset O_CLOEXEC for file descriptors.");
2365 if ((asprintf((char **)(envp
+ n_env
++), "LISTEN_FDS=%u", fdset_size(fds
)) < 0) ||
2366 (asprintf((char **)(envp
+ n_env
++), "LISTEN_PID=1") < 0))
2369 if (asprintf((char **)(envp
+ n_env
++), "NOTIFY_SOCKET=%s", NSPAWN_NOTIFY_SOCKET_PATH
) < 0)
2372 env_use
= strv_env_merge(2, envp
, arg_setenv
);
2376 /* Let the parent know that we are ready and
2377 * wait until the parent is ready with the
2379 if (!barrier_place_and_sync(barrier
)) { /* #4 */
2380 log_error("Parent died too early");
2385 if (chdir(arg_chdir
) < 0)
2386 return log_error_errno(errno
, "Failed to change to specified working directory %s: %m", arg_chdir
);
2388 if (arg_start_mode
== START_PID2
) {
2389 r
= stub_pid1(arg_uuid
);
2394 /* Now, explicitly close the log, so that we
2395 * then can close all remaining fds. Closing
2396 * the log explicitly first has the benefit
2397 * that the logging subsystem knows about it,
2398 * and is thus ready to be reopened should we
2399 * need it again. Note that the other fds
2400 * closed here are at least the locking and
2403 (void) fdset_close_others(fds
);
2405 if (arg_start_mode
== START_BOOT
) {
2409 /* Automatically search for the init system */
2411 m
= strv_length(arg_parameters
);
2412 a
= newa(char*, m
+ 2);
2413 memcpy_safe(a
+ 1, arg_parameters
, m
* sizeof(char*));
2416 a
[0] = (char*) "/usr/lib/systemd/systemd";
2417 execve(a
[0], a
, env_use
);
2419 a
[0] = (char*) "/lib/systemd/systemd";
2420 execve(a
[0], a
, env_use
);
2422 a
[0] = (char*) "/sbin/init";
2423 execve(a
[0], a
, env_use
);
2425 exec_target
= "/usr/lib/systemd/systemd, /lib/systemd/systemd, /sbin/init";
2426 } else if (!strv_isempty(arg_parameters
)) {
2427 exec_target
= arg_parameters
[0];
2428 execvpe(arg_parameters
[0], arg_parameters
, env_use
);
2431 /* If we cannot change the directory, we'll end up in /, that is expected. */
2432 (void) chdir(home
?: "/root");
2434 execle("/bin/bash", "-bash", NULL
, env_use
);
2435 execle("/bin/sh", "-sh", NULL
, env_use
);
2437 exec_target
= "/bin/bash, /bin/sh";
2442 return log_error_errno(r
, "execv(%s) failed: %m", exec_target
);
2445 static int setup_sd_notify_child(void) {
2446 static const int one
= 1;
2448 union sockaddr_union sa
= {
2449 .sa
.sa_family
= AF_UNIX
,
2453 fd
= socket(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
2455 return log_error_errno(errno
, "Failed to allocate notification socket: %m");
2457 (void) mkdir_parents(NSPAWN_NOTIFY_SOCKET_PATH
, 0755);
2458 (void) unlink(NSPAWN_NOTIFY_SOCKET_PATH
);
2460 strncpy(sa
.un
.sun_path
, NSPAWN_NOTIFY_SOCKET_PATH
, sizeof(sa
.un
.sun_path
)-1);
2461 r
= bind(fd
, &sa
.sa
, SOCKADDR_UN_LEN(sa
.un
));
2464 return log_error_errno(errno
, "bind(%s) failed: %m", sa
.un
.sun_path
);
2467 r
= userns_lchown(NSPAWN_NOTIFY_SOCKET_PATH
, 0, 0);
2470 return log_error_errno(r
, "Failed to chown " NSPAWN_NOTIFY_SOCKET_PATH
": %m");
2473 r
= setsockopt(fd
, SOL_SOCKET
, SO_PASSCRED
, &one
, sizeof(one
));
2476 return log_error_errno(errno
, "SO_PASSCRED failed: %m");
2482 static int outer_child(
2484 const char *directory
,
2485 const char *console
,
2486 DissectedImage
*dissected_image
,
2494 int uid_shift_socket
,
2500 _cleanup_close_
int fd
= -1;
2505 assert(pid_socket
>= 0);
2506 assert(uuid_socket
>= 0);
2507 assert(notify_socket
>= 0);
2508 assert(kmsg_socket
>= 0);
2510 if (prctl(PR_SET_PDEATHSIG
, SIGKILL
) < 0)
2511 return log_error_errno(errno
, "PR_SET_PDEATHSIG failed: %m");
2514 close_nointr(STDIN_FILENO
);
2515 close_nointr(STDOUT_FILENO
);
2516 close_nointr(STDERR_FILENO
);
2518 r
= open_terminal(console
, O_RDWR
);
2519 if (r
!= STDIN_FILENO
) {
2525 return log_error_errno(r
, "Failed to open console: %m");
2528 if (dup2(STDIN_FILENO
, STDOUT_FILENO
) != STDOUT_FILENO
||
2529 dup2(STDIN_FILENO
, STDERR_FILENO
) != STDERR_FILENO
)
2530 return log_error_errno(errno
, "Failed to duplicate console: %m");
2533 r
= reset_audit_loginuid();
2537 /* Mark everything as slave, so that we still
2538 * receive mounts from the real root, but don't
2539 * propagate mounts to the real root. */
2540 r
= mount_verbose(LOG_ERR
, NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
);
2544 if (dissected_image
) {
2545 r
= dissected_image_mount(dissected_image
, directory
, DISSECT_IMAGE_DISCARD_ON_LOOP
|(arg_read_only
? DISSECT_IMAGE_READ_ONLY
: 0));
2550 r
= determine_uid_shift(directory
);
2554 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
2555 /* Let the parent know which UID shift we read from the image */
2556 l
= send(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), MSG_NOSIGNAL
);
2558 return log_error_errno(errno
, "Failed to send UID shift: %m");
2559 if (l
!= sizeof(arg_uid_shift
)) {
2560 log_error("Short write while sending UID shift.");
2564 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
2565 /* When we are supposed to pick the UID shift, the parent will check now whether the UID shift
2566 * we just read from the image is available. If yes, it will send the UID shift back to us, if
2567 * not it will pick a different one, and send it back to us. */
2569 l
= recv(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), 0);
2571 return log_error_errno(errno
, "Failed to recv UID shift: %m");
2572 if (l
!= sizeof(arg_uid_shift
)) {
2573 log_error("Short read while receiving UID shift.");
2578 log_info("Selected user namespace base " UID_FMT
" and range " UID_FMT
".", arg_uid_shift
, arg_uid_range
);
2581 /* Turn directory into bind mount */
2582 r
= mount_verbose(LOG_ERR
, directory
, directory
, NULL
, MS_BIND
|MS_REC
, NULL
);
2586 r
= setup_pivot_root(
2589 arg_pivot_root_old
);
2596 arg_userns_mode
!= USER_NAMESPACE_NO
,
2599 arg_selinux_context
);
2603 r
= setup_volatile_state(
2606 arg_userns_mode
!= USER_NAMESPACE_NO
,
2609 arg_selinux_context
);
2613 /* Mark everything as shared so our mounts get propagated down. This is
2614 * required to make new bind mounts available in systemd services
2615 * inside the containter that create a new mount namespace.
2616 * See https://github.com/systemd/systemd/issues/3860
2617 * Further submounts (such as /dev) done after this will inherit the
2618 * shared propagation mode. */
2619 r
= mount_verbose(LOG_ERR
, NULL
, directory
, NULL
, MS_SHARED
|MS_REC
, NULL
);
2623 r
= recursive_chown(directory
, arg_uid_shift
, arg_uid_range
);
2627 r
= base_filesystem_create(directory
, arg_uid_shift
, (gid_t
) arg_uid_shift
);
2631 if (arg_read_only
) {
2632 r
= bind_remount_recursive(directory
, true, NULL
);
2634 return log_error_errno(r
, "Failed to make tree read-only: %m");
2637 r
= mount_all(directory
,
2641 arg_selinux_apifs_context
);
2645 r
= copy_devnodes(directory
);
2649 dev_setup(directory
, arg_uid_shift
, arg_uid_shift
);
2651 r
= setup_pts(directory
);
2655 r
= setup_propagate(directory
);
2659 r
= setup_dev_console(directory
, console
);
2663 r
= setup_keyring();
2667 r
= setup_seccomp(arg_caps_retain
, arg_syscall_whitelist
, arg_syscall_blacklist
);
2671 r
= setup_timezone(directory
);
2675 r
= setup_resolv_conf(directory
);
2679 r
= setup_machine_id(directory
);
2683 r
= setup_journal(directory
);
2690 arg_n_custom_mounts
,
2691 arg_userns_mode
!= USER_NAMESPACE_NO
,
2694 arg_selinux_apifs_context
);
2698 if (!arg_use_cgns
|| !cg_ns_supported()) {
2701 arg_unified_cgroup_hierarchy
,
2702 arg_userns_mode
!= USER_NAMESPACE_NO
,
2705 arg_selinux_apifs_context
,
2711 r
= mount_move_root(directory
);
2713 return log_error_errno(r
, "Failed to move root directory: %m");
2715 fd
= setup_sd_notify_child();
2719 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
|
2720 arg_clone_ns_flags
|
2721 (arg_private_network
? CLONE_NEWNET
: 0) |
2722 (arg_userns_mode
!= USER_NAMESPACE_NO
? CLONE_NEWUSER
: 0));
2724 return log_error_errno(errno
, "Failed to fork inner child: %m");
2726 pid_socket
= safe_close(pid_socket
);
2727 uuid_socket
= safe_close(uuid_socket
);
2728 notify_socket
= safe_close(notify_socket
);
2729 uid_shift_socket
= safe_close(uid_shift_socket
);
2731 /* The inner child has all namespaces that are
2732 * requested, so that we all are owned by the user if
2733 * user namespaces are turned on. */
2735 r
= inner_child(barrier
, directory
, secondary
, kmsg_socket
, rtnl_socket
, fds
);
2737 _exit(EXIT_FAILURE
);
2739 _exit(EXIT_SUCCESS
);
2742 l
= send(pid_socket
, &pid
, sizeof(pid
), MSG_NOSIGNAL
);
2744 return log_error_errno(errno
, "Failed to send PID: %m");
2745 if (l
!= sizeof(pid
)) {
2746 log_error("Short write while sending PID.");
2750 l
= send(uuid_socket
, &arg_uuid
, sizeof(arg_uuid
), MSG_NOSIGNAL
);
2752 return log_error_errno(errno
, "Failed to send machine ID: %m");
2753 if (l
!= sizeof(arg_uuid
)) {
2754 log_error("Short write while sending machine ID.");
2758 l
= send_one_fd(notify_socket
, fd
, 0);
2760 return log_error_errno(errno
, "Failed to send notify fd: %m");
2762 pid_socket
= safe_close(pid_socket
);
2763 uuid_socket
= safe_close(uuid_socket
);
2764 notify_socket
= safe_close(notify_socket
);
2765 kmsg_socket
= safe_close(kmsg_socket
);
2766 rtnl_socket
= safe_close(rtnl_socket
);
2771 static int uid_shift_pick(uid_t
*shift
, LockFile
*ret_lock_file
) {
2772 unsigned n_tries
= 100;
2777 assert(ret_lock_file
);
2778 assert(arg_userns_mode
== USER_NAMESPACE_PICK
);
2779 assert(arg_uid_range
== 0x10000U
);
2783 (void) mkdir("/run/systemd/nspawn-uid", 0755);
2786 char lock_path
[strlen("/run/systemd/nspawn-uid/") + DECIMAL_STR_MAX(uid_t
) + 1];
2787 _cleanup_release_lock_file_ LockFile lf
= LOCK_FILE_INIT
;
2792 if (candidate
< UID_SHIFT_PICK_MIN
|| candidate
> UID_SHIFT_PICK_MAX
)
2794 if ((candidate
& UINT32_C(0xFFFF)) != 0)
2797 xsprintf(lock_path
, "/run/systemd/nspawn-uid/" UID_FMT
, candidate
);
2798 r
= make_lock_file(lock_path
, LOCK_EX
|LOCK_NB
, &lf
);
2799 if (r
== -EBUSY
) /* Range already taken by another nspawn instance */
2804 /* Make some superficial checks whether the range is currently known in the user database */
2805 if (getpwuid(candidate
))
2807 if (getpwuid(candidate
+ UINT32_C(0xFFFE)))
2809 if (getgrgid(candidate
))
2811 if (getgrgid(candidate
+ UINT32_C(0xFFFE)))
2814 *ret_lock_file
= lf
;
2815 lf
= (struct LockFile
) LOCK_FILE_INIT
;
2820 random_bytes(&candidate
, sizeof(candidate
));
2821 candidate
= (candidate
% (UID_SHIFT_PICK_MAX
- UID_SHIFT_PICK_MIN
)) + UID_SHIFT_PICK_MIN
;
2822 candidate
&= (uid_t
) UINT32_C(0xFFFF0000);
2826 static int setup_uid_map(pid_t pid
) {
2827 char uid_map
[strlen("/proc//uid_map") + DECIMAL_STR_MAX(uid_t
) + 1], line
[DECIMAL_STR_MAX(uid_t
)*3+3+1];
2832 xsprintf(uid_map
, "/proc/" PID_FMT
"/uid_map", pid
);
2833 xsprintf(line
, UID_FMT
" " UID_FMT
" " UID_FMT
"\n", 0, arg_uid_shift
, arg_uid_range
);
2834 r
= write_string_file(uid_map
, line
, 0);
2836 return log_error_errno(r
, "Failed to write UID map: %m");
2838 /* We always assign the same UID and GID ranges */
2839 xsprintf(uid_map
, "/proc/" PID_FMT
"/gid_map", pid
);
2840 r
= write_string_file(uid_map
, line
, 0);
2842 return log_error_errno(r
, "Failed to write GID map: %m");
2847 static int nspawn_dispatch_notify_fd(sd_event_source
*source
, int fd
, uint32_t revents
, void *userdata
) {
2848 char buf
[NOTIFY_BUFFER_MAX
+1];
2850 struct iovec iovec
= {
2852 .iov_len
= sizeof(buf
)-1,
2855 struct cmsghdr cmsghdr
;
2856 uint8_t buf
[CMSG_SPACE(sizeof(struct ucred
)) +
2857 CMSG_SPACE(sizeof(int) * NOTIFY_FD_MAX
)];
2859 struct msghdr msghdr
= {
2862 .msg_control
= &control
,
2863 .msg_controllen
= sizeof(control
),
2865 struct cmsghdr
*cmsg
;
2866 struct ucred
*ucred
= NULL
;
2868 pid_t inner_child_pid
;
2869 _cleanup_strv_free_
char **tags
= NULL
;
2873 inner_child_pid
= PTR_TO_PID(userdata
);
2875 if (revents
!= EPOLLIN
) {
2876 log_warning("Got unexpected poll event for notify fd.");
2880 n
= recvmsg(fd
, &msghdr
, MSG_DONTWAIT
|MSG_CMSG_CLOEXEC
);
2882 if (IN_SET(errno
, EAGAIN
, EINTR
))
2885 return log_warning_errno(errno
, "Couldn't read notification socket: %m");
2887 cmsg_close_all(&msghdr
);
2889 CMSG_FOREACH(cmsg
, &msghdr
) {
2890 if (cmsg
->cmsg_level
== SOL_SOCKET
&&
2891 cmsg
->cmsg_type
== SCM_CREDENTIALS
&&
2892 cmsg
->cmsg_len
== CMSG_LEN(sizeof(struct ucred
))) {
2894 ucred
= (struct ucred
*) CMSG_DATA(cmsg
);
2898 if (!ucred
|| ucred
->pid
!= inner_child_pid
) {
2899 log_debug("Received notify message without valid credentials. Ignoring.");
2903 if ((size_t) n
>= sizeof(buf
)) {
2904 log_warning("Received notify message exceeded maximum size. Ignoring.");
2909 tags
= strv_split(buf
, "\n\r");
2913 if (strv_find(tags
, "READY=1"))
2914 sd_notifyf(false, "READY=1\n");
2916 p
= strv_find_startswith(tags
, "STATUS=");
2918 sd_notifyf(false, "STATUS=Container running: %s", p
);
2923 static int setup_sd_notify_parent(sd_event
*event
, int fd
, pid_t
*inner_child_pid
, sd_event_source
**notify_event_source
) {
2926 r
= sd_event_add_io(event
, notify_event_source
, fd
, EPOLLIN
, nspawn_dispatch_notify_fd
, inner_child_pid
);
2928 return log_error_errno(r
, "Failed to allocate notify event source: %m");
2930 (void) sd_event_source_set_description(*notify_event_source
, "nspawn-notify");
2935 static int load_settings(void) {
2936 _cleanup_(settings_freep
) Settings
*settings
= NULL
;
2937 _cleanup_fclose_
FILE *f
= NULL
;
2938 _cleanup_free_
char *p
= NULL
;
2942 /* If all settings are masked, there's no point in looking for
2943 * the settings file */
2944 if ((arg_settings_mask
& _SETTINGS_MASK_ALL
) == _SETTINGS_MASK_ALL
)
2947 fn
= strjoina(arg_machine
, ".nspawn");
2949 /* We first look in the admin's directories in /etc and /run */
2950 FOREACH_STRING(i
, "/etc/systemd/nspawn", "/run/systemd/nspawn") {
2951 _cleanup_free_
char *j
= NULL
;
2953 j
= strjoin(i
, "/", fn
);
2962 /* By default, we trust configuration from /etc and /run */
2963 if (arg_settings_trusted
< 0)
2964 arg_settings_trusted
= true;
2969 if (errno
!= ENOENT
)
2970 return log_error_errno(errno
, "Failed to open %s: %m", j
);
2974 /* After that, let's look for a file next to the
2975 * actual image we shall boot. */
2978 p
= file_in_same_dir(arg_image
, fn
);
2981 } else if (arg_directory
) {
2982 p
= file_in_same_dir(arg_directory
, fn
);
2989 if (!f
&& errno
!= ENOENT
)
2990 return log_error_errno(errno
, "Failed to open %s: %m", p
);
2992 /* By default, we do not trust configuration from /var/lib/machines */
2993 if (arg_settings_trusted
< 0)
2994 arg_settings_trusted
= false;
3001 log_debug("Settings are trusted: %s", yes_no(arg_settings_trusted
));
3003 r
= settings_load(f
, p
, &settings
);
3007 /* Copy over bits from the settings, unless they have been
3008 * explicitly masked by command line switches. */
3010 if ((arg_settings_mask
& SETTING_START_MODE
) == 0 &&
3011 settings
->start_mode
>= 0) {
3012 arg_start_mode
= settings
->start_mode
;
3014 strv_free(arg_parameters
);
3015 arg_parameters
= settings
->parameters
;
3016 settings
->parameters
= NULL
;
3019 if ((arg_settings_mask
& SETTING_PIVOT_ROOT
) == 0 &&
3020 settings
->pivot_root_new
) {
3021 free_and_replace(arg_pivot_root_new
, settings
->pivot_root_new
);
3022 free_and_replace(arg_pivot_root_old
, settings
->pivot_root_old
);
3025 if ((arg_settings_mask
& SETTING_WORKING_DIRECTORY
) == 0 &&
3026 settings
->working_directory
) {
3028 arg_chdir
= settings
->working_directory
;
3029 settings
->working_directory
= NULL
;
3032 if ((arg_settings_mask
& SETTING_ENVIRONMENT
) == 0 &&
3033 settings
->environment
) {
3034 strv_free(arg_setenv
);
3035 arg_setenv
= settings
->environment
;
3036 settings
->environment
= NULL
;
3039 if ((arg_settings_mask
& SETTING_USER
) == 0 &&
3042 arg_user
= settings
->user
;
3043 settings
->user
= NULL
;
3046 if ((arg_settings_mask
& SETTING_CAPABILITY
) == 0) {
3049 plus
= settings
->capability
;
3050 if (settings_private_network(settings
))
3051 plus
|= (1ULL << CAP_NET_ADMIN
);
3053 if (!arg_settings_trusted
&& plus
!= 0) {
3054 if (settings
->capability
!= 0)
3055 log_warning("Ignoring Capability= setting, file %s is not trusted.", p
);
3057 arg_caps_retain
|= plus
;
3059 arg_caps_retain
&= ~settings
->drop_capability
;
3062 if ((arg_settings_mask
& SETTING_KILL_SIGNAL
) == 0 &&
3063 settings
->kill_signal
> 0)
3064 arg_kill_signal
= settings
->kill_signal
;
3066 if ((arg_settings_mask
& SETTING_PERSONALITY
) == 0 &&
3067 settings
->personality
!= PERSONALITY_INVALID
)
3068 arg_personality
= settings
->personality
;
3070 if ((arg_settings_mask
& SETTING_MACHINE_ID
) == 0 &&
3071 !sd_id128_is_null(settings
->machine_id
)) {
3073 if (!arg_settings_trusted
)
3074 log_warning("Ignoring MachineID= setting, file %s is not trusted.", p
);
3076 arg_uuid
= settings
->machine_id
;
3079 if ((arg_settings_mask
& SETTING_READ_ONLY
) == 0 &&
3080 settings
->read_only
>= 0)
3081 arg_read_only
= settings
->read_only
;
3083 if ((arg_settings_mask
& SETTING_VOLATILE_MODE
) == 0 &&
3084 settings
->volatile_mode
!= _VOLATILE_MODE_INVALID
)
3085 arg_volatile_mode
= settings
->volatile_mode
;
3087 if ((arg_settings_mask
& SETTING_CUSTOM_MOUNTS
) == 0 &&
3088 settings
->n_custom_mounts
> 0) {
3090 if (!arg_settings_trusted
)
3091 log_warning("Ignoring TemporaryFileSystem=, Bind= and BindReadOnly= settings, file %s is not trusted.", p
);
3093 custom_mount_free_all(arg_custom_mounts
, arg_n_custom_mounts
);
3094 arg_custom_mounts
= settings
->custom_mounts
;
3095 arg_n_custom_mounts
= settings
->n_custom_mounts
;
3097 settings
->custom_mounts
= NULL
;
3098 settings
->n_custom_mounts
= 0;
3102 if ((arg_settings_mask
& SETTING_NETWORK
) == 0 &&
3103 (settings
->private_network
>= 0 ||
3104 settings
->network_veth
>= 0 ||
3105 settings
->network_bridge
||
3106 settings
->network_zone
||
3107 settings
->network_interfaces
||
3108 settings
->network_macvlan
||
3109 settings
->network_ipvlan
||
3110 settings
->network_veth_extra
)) {
3112 if (!arg_settings_trusted
)
3113 log_warning("Ignoring network settings, file %s is not trusted.", p
);
3115 arg_network_veth
= settings_network_veth(settings
);
3116 arg_private_network
= settings_private_network(settings
);
3118 strv_free(arg_network_interfaces
);
3119 arg_network_interfaces
= settings
->network_interfaces
;
3120 settings
->network_interfaces
= NULL
;
3122 strv_free(arg_network_macvlan
);
3123 arg_network_macvlan
= settings
->network_macvlan
;
3124 settings
->network_macvlan
= NULL
;
3126 strv_free(arg_network_ipvlan
);
3127 arg_network_ipvlan
= settings
->network_ipvlan
;
3128 settings
->network_ipvlan
= NULL
;
3130 strv_free(arg_network_veth_extra
);
3131 arg_network_veth_extra
= settings
->network_veth_extra
;
3132 settings
->network_veth_extra
= NULL
;
3134 free(arg_network_bridge
);
3135 arg_network_bridge
= settings
->network_bridge
;
3136 settings
->network_bridge
= NULL
;
3138 free(arg_network_zone
);
3139 arg_network_zone
= settings
->network_zone
;
3140 settings
->network_zone
= NULL
;
3144 if ((arg_settings_mask
& SETTING_EXPOSE_PORTS
) == 0 &&
3145 settings
->expose_ports
) {
3147 if (!arg_settings_trusted
)
3148 log_warning("Ignoring Port= setting, file %s is not trusted.", p
);
3150 expose_port_free_all(arg_expose_ports
);
3151 arg_expose_ports
= settings
->expose_ports
;
3152 settings
->expose_ports
= NULL
;
3156 if ((arg_settings_mask
& SETTING_USERNS
) == 0 &&
3157 settings
->userns_mode
!= _USER_NAMESPACE_MODE_INVALID
) {
3159 if (!arg_settings_trusted
)
3160 log_warning("Ignoring PrivateUsers= and PrivateUsersChown= settings, file %s is not trusted.", p
);
3162 arg_userns_mode
= settings
->userns_mode
;
3163 arg_uid_shift
= settings
->uid_shift
;
3164 arg_uid_range
= settings
->uid_range
;
3165 arg_userns_chown
= settings
->userns_chown
;
3169 if ((arg_settings_mask
& SETTING_NOTIFY_READY
) == 0)
3170 arg_notify_ready
= settings
->notify_ready
;
3172 if ((arg_settings_mask
& SETTING_SYSCALL_FILTER
) == 0) {
3174 if (!arg_settings_trusted
&& !strv_isempty(arg_syscall_whitelist
))
3175 log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", p
);
3177 strv_free(arg_syscall_whitelist
);
3178 strv_free(arg_syscall_blacklist
);
3180 arg_syscall_whitelist
= settings
->syscall_whitelist
;
3181 arg_syscall_blacklist
= settings
->syscall_blacklist
;
3183 settings
->syscall_whitelist
= settings
->syscall_blacklist
= NULL
;
3190 static int run(int master
,
3191 const char* console
,
3192 DissectedImage
*dissected_image
,
3196 char veth_name
[IFNAMSIZ
], bool *veth_created
,
3197 union in_addr_union
*exposed
,
3198 pid_t
*pid
, int *ret
) {
3200 static const struct sigaction sa
= {
3201 .sa_handler
= nop_signal_handler
,
3202 .sa_flags
= SA_NOCLDSTOP
|SA_RESTART
,
3205 _cleanup_release_lock_file_ LockFile uid_shift_lock
= LOCK_FILE_INIT
;
3206 _cleanup_close_
int etc_passwd_lock
= -1;
3207 _cleanup_close_pair_
int
3208 kmsg_socket_pair
[2] = { -1, -1 },
3209 rtnl_socket_pair
[2] = { -1, -1 },
3210 pid_socket_pair
[2] = { -1, -1 },
3211 uuid_socket_pair
[2] = { -1, -1 },
3212 notify_socket_pair
[2] = { -1, -1 },
3213 uid_shift_socket_pair
[2] = { -1, -1 };
3214 _cleanup_close_
int notify_socket
= -1;
3215 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
3216 _cleanup_(sd_event_source_unrefp
) sd_event_source
*notify_event_source
= NULL
;
3217 _cleanup_(sd_event_unrefp
) sd_event
*event
= NULL
;
3218 _cleanup_(pty_forward_freep
) PTYForward
*forward
= NULL
;
3219 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
3220 ContainerStatus container_status
= 0;
3226 assert_se(sigemptyset(&mask_chld
) == 0);
3227 assert_se(sigaddset(&mask_chld
, SIGCHLD
) == 0);
3229 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
3230 /* When we shall pick the UID/GID range, let's first lock /etc/passwd, so that we can safely
3231 * check with getpwuid() if the specific user already exists. Note that /etc might be
3232 * read-only, in which case this will fail with EROFS. But that's really OK, as in that case we
3233 * can be reasonably sure that no users are going to be added. Note that getpwuid() checks are
3234 * really just an extra safety net. We kinda assume that the UID range we allocate from is
3237 etc_passwd_lock
= take_etc_passwd_lock(NULL
);
3238 if (etc_passwd_lock
< 0 && etc_passwd_lock
!= -EROFS
)
3239 return log_error_errno(etc_passwd_lock
, "Failed to take /etc/passwd lock: %m");
3242 r
= barrier_create(&barrier
);
3244 return log_error_errno(r
, "Cannot initialize IPC barrier: %m");
3246 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, kmsg_socket_pair
) < 0)
3247 return log_error_errno(errno
, "Failed to create kmsg socket pair: %m");
3249 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, rtnl_socket_pair
) < 0)
3250 return log_error_errno(errno
, "Failed to create rtnl socket pair: %m");
3252 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, pid_socket_pair
) < 0)
3253 return log_error_errno(errno
, "Failed to create pid socket pair: %m");
3255 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, uuid_socket_pair
) < 0)
3256 return log_error_errno(errno
, "Failed to create id socket pair: %m");
3258 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, notify_socket_pair
) < 0)
3259 return log_error_errno(errno
, "Failed to create notify socket pair: %m");
3261 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
3262 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, uid_shift_socket_pair
) < 0)
3263 return log_error_errno(errno
, "Failed to create uid shift socket pair: %m");
3265 /* Child can be killed before execv(), so handle SIGCHLD in order to interrupt
3266 * parent's blocking calls and give it a chance to call wait() and terminate. */
3267 r
= sigprocmask(SIG_UNBLOCK
, &mask_chld
, NULL
);
3269 return log_error_errno(errno
, "Failed to change the signal mask: %m");
3271 r
= sigaction(SIGCHLD
, &sa
, NULL
);
3273 return log_error_errno(errno
, "Failed to install SIGCHLD handler: %m");
3275 *pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
);
3277 return log_error_errno(errno
, "clone() failed%s: %m",
3279 ", do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in)" : "");
3282 /* The outer child only has a file system namespace. */
3283 barrier_set_role(&barrier
, BARRIER_CHILD
);
3285 master
= safe_close(master
);
3287 kmsg_socket_pair
[0] = safe_close(kmsg_socket_pair
[0]);
3288 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
3289 pid_socket_pair
[0] = safe_close(pid_socket_pair
[0]);
3290 uuid_socket_pair
[0] = safe_close(uuid_socket_pair
[0]);
3291 notify_socket_pair
[0] = safe_close(notify_socket_pair
[0]);
3292 uid_shift_socket_pair
[0] = safe_close(uid_shift_socket_pair
[0]);
3294 (void) reset_all_signal_handlers();
3295 (void) reset_signal_mask();
3297 r
= outer_child(&barrier
,
3304 uuid_socket_pair
[1],
3305 notify_socket_pair
[1],
3306 kmsg_socket_pair
[1],
3307 rtnl_socket_pair
[1],
3308 uid_shift_socket_pair
[1],
3311 _exit(EXIT_FAILURE
);
3313 _exit(EXIT_SUCCESS
);
3316 barrier_set_role(&barrier
, BARRIER_PARENT
);
3318 fds
= fdset_free(fds
);
3320 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
3321 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
3322 pid_socket_pair
[1] = safe_close(pid_socket_pair
[1]);
3323 uuid_socket_pair
[1] = safe_close(uuid_socket_pair
[1]);
3324 notify_socket_pair
[1] = safe_close(notify_socket_pair
[1]);
3325 uid_shift_socket_pair
[1] = safe_close(uid_shift_socket_pair
[1]);
3327 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
3328 /* The child just let us know the UID shift it might have read from the image. */
3329 l
= recv(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof arg_uid_shift
, 0);
3331 return log_error_errno(errno
, "Failed to read UID shift: %m");
3332 if (l
!= sizeof arg_uid_shift
) {
3333 log_error("Short read while reading UID shift.");
3337 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
3338 /* If we are supposed to pick the UID shift, let's try to use the shift read from the
3339 * image, but if that's already in use, pick a new one, and report back to the child,
3340 * which one we now picked. */
3342 r
= uid_shift_pick(&arg_uid_shift
, &uid_shift_lock
);
3344 return log_error_errno(r
, "Failed to pick suitable UID/GID range: %m");
3346 l
= send(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof arg_uid_shift
, MSG_NOSIGNAL
);
3348 return log_error_errno(errno
, "Failed to send UID shift: %m");
3349 if (l
!= sizeof arg_uid_shift
) {
3350 log_error("Short write while writing UID shift.");
3356 /* Wait for the outer child. */
3357 r
= wait_for_terminate_and_warn("namespace helper", *pid
, NULL
);
3359 return r
< 0 ? r
: -EIO
;
3361 /* And now retrieve the PID of the inner child. */
3362 l
= recv(pid_socket_pair
[0], pid
, sizeof *pid
, 0);
3364 return log_error_errno(errno
, "Failed to read inner child PID: %m");
3365 if (l
!= sizeof *pid
) {
3366 log_error("Short read while reading inner child PID.");
3370 /* We also retrieve container UUID in case it was generated by outer child */
3371 l
= recv(uuid_socket_pair
[0], &arg_uuid
, sizeof arg_uuid
, 0);
3373 return log_error_errno(errno
, "Failed to read container machine ID: %m");
3374 if (l
!= sizeof(arg_uuid
)) {
3375 log_error("Short read while reading container machined ID.");
3379 /* We also retrieve the socket used for notifications generated by outer child */
3380 notify_socket
= receive_one_fd(notify_socket_pair
[0], 0);
3381 if (notify_socket
< 0)
3382 return log_error_errno(notify_socket
,
3383 "Failed to receive notification socket from the outer child: %m");
3385 log_debug("Init process invoked as PID "PID_FMT
, *pid
);
3387 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
3388 if (!barrier_place_and_sync(&barrier
)) { /* #1 */
3389 log_error("Child died too early.");
3393 r
= setup_uid_map(*pid
);
3397 (void) barrier_place(&barrier
); /* #2 */
3400 if (arg_private_network
) {
3402 r
= move_network_interfaces(*pid
, arg_network_interfaces
);
3406 if (arg_network_veth
) {
3407 r
= setup_veth(arg_machine
, *pid
, veth_name
,
3408 arg_network_bridge
|| arg_network_zone
);
3414 if (arg_network_bridge
) {
3415 /* Add the interface to a bridge */
3416 r
= setup_bridge(veth_name
, arg_network_bridge
, false);
3421 } else if (arg_network_zone
) {
3422 /* Add the interface to a bridge, possibly creating it */
3423 r
= setup_bridge(veth_name
, arg_network_zone
, true);
3431 r
= setup_veth_extra(arg_machine
, *pid
, arg_network_veth_extra
);
3435 /* We created the primary and extra veth links now; let's remember this, so that we know to
3436 remove them later on. Note that we don't bother with removing veth links that were created
3437 here when their setup failed half-way, because in that case the kernel should be able to
3438 remove them on its own, since they cannot be referenced by anything yet. */
3439 *veth_created
= true;
3441 r
= setup_macvlan(arg_machine
, *pid
, arg_network_macvlan
);
3445 r
= setup_ipvlan(arg_machine
, *pid
, arg_network_ipvlan
);
3451 r
= register_machine(
3458 arg_custom_mounts
, arg_n_custom_mounts
,
3462 arg_container_service_name
);
3465 } else if (!arg_keep_unit
) {
3470 arg_custom_mounts
, arg_n_custom_mounts
,
3476 } else if (arg_slice
|| arg_property
)
3477 log_notice("Machine and scope registration turned off, --slice= and --property= settings will have no effect.");
3479 r
= sync_cgroup(*pid
, arg_unified_cgroup_hierarchy
, arg_uid_shift
);
3483 if (arg_keep_unit
) {
3484 r
= create_subcgroup(*pid
, arg_unified_cgroup_hierarchy
);
3489 r
= chown_cgroup(*pid
, arg_uid_shift
);
3493 /* Notify the child that the parent is ready with all
3494 * its setup (including cgroup-ification), and that
3495 * the child can now hand over control to the code to
3496 * run inside the container. */
3497 (void) barrier_place(&barrier
); /* #3 */
3499 /* Block SIGCHLD here, before notifying child.
3500 * process_pty() will handle it with the other signals. */
3501 assert_se(sigprocmask(SIG_BLOCK
, &mask_chld
, NULL
) >= 0);
3503 /* Reset signal to default */
3504 r
= default_signals(SIGCHLD
, -1);
3506 return log_error_errno(r
, "Failed to reset SIGCHLD: %m");
3508 r
= sd_event_new(&event
);
3510 return log_error_errno(r
, "Failed to get default event source: %m");
3512 r
= setup_sd_notify_parent(event
, notify_socket
, PID_TO_PTR(*pid
), ¬ify_event_source
);
3516 /* Let the child know that we are ready and wait that the child is completely ready now. */
3517 if (!barrier_place_and_sync(&barrier
)) { /* #4 */
3518 log_error("Child died too early.");
3522 /* At this point we have made use of the UID we picked, and thus nss-mymachines
3523 * will make them appear in getpwuid(), thus we can release the /etc/passwd lock. */
3524 etc_passwd_lock
= safe_close(etc_passwd_lock
);
3527 "STATUS=Container running.\n"
3528 "X_NSPAWN_LEADER_PID=" PID_FMT
, *pid
);
3529 if (!arg_notify_ready
)
3530 sd_notify(false, "READY=1\n");
3532 if (arg_kill_signal
> 0) {
3533 /* Try to kill the init system on SIGINT or SIGTERM */
3534 sd_event_add_signal(event
, NULL
, SIGINT
, on_orderly_shutdown
, PID_TO_PTR(*pid
));
3535 sd_event_add_signal(event
, NULL
, SIGTERM
, on_orderly_shutdown
, PID_TO_PTR(*pid
));
3537 /* Immediately exit */
3538 sd_event_add_signal(event
, NULL
, SIGINT
, NULL
, NULL
);
3539 sd_event_add_signal(event
, NULL
, SIGTERM
, NULL
, NULL
);
3542 /* Exit when the child exits */
3543 sd_event_add_signal(event
, NULL
, SIGCHLD
, on_sigchld
, PID_TO_PTR(*pid
));
3545 if (arg_expose_ports
) {
3546 r
= expose_port_watch_rtnl(event
, rtnl_socket_pair
[0], on_address_change
, exposed
, &rtnl
);
3550 (void) expose_port_execute(rtnl
, arg_expose_ports
, exposed
);
3553 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
3555 r
= pty_forward_new(event
, master
,
3556 PTY_FORWARD_IGNORE_VHANGUP
| (interactive
? 0 : PTY_FORWARD_READ_ONLY
),
3559 return log_error_errno(r
, "Failed to create PTY forwarder: %m");
3561 r
= sd_event_loop(event
);
3563 return log_error_errno(r
, "Failed to run event loop: %m");
3565 pty_forward_get_last_char(forward
, &last_char
);
3567 forward
= pty_forward_free(forward
);
3569 if (!arg_quiet
&& last_char
!= '\n')
3572 /* Kill if it is not dead yet anyway */
3573 if (arg_register
&& !arg_keep_unit
)
3574 terminate_machine(*pid
);
3576 /* Normally redundant, but better safe than sorry */
3577 (void) kill(*pid
, SIGKILL
);
3579 r
= wait_for_container(*pid
, &container_status
);
3583 /* We failed to wait for the container, or the container exited abnormally. */
3585 if (r
> 0 || container_status
== CONTAINER_TERMINATED
) {
3586 /* r > 0 → The container exited with a non-zero status.
3587 * As a special case, we need to replace 133 with a different value,
3588 * because 133 is special-cased in the service file to reboot the container.
3589 * otherwise → The container exited with zero status and a reboot was not requested.
3591 if (r
== EXIT_FORCE_RESTART
)
3592 r
= EXIT_FAILURE
; /* replace 133 with the general failure code */
3594 return 0; /* finito */
3597 /* CONTAINER_REBOOTED, loop again */
3599 if (arg_keep_unit
) {
3600 /* Special handling if we are running as a service: instead of simply
3601 * restarting the machine we want to restart the entire service, so let's
3602 * inform systemd about this with the special exit code 133. The service
3603 * file uses RestartForceExitStatus=133 so that this results in a full
3604 * nspawn restart. This is necessary since we might have cgroup parameters
3605 * set we want to have flushed out. */
3606 *ret
= EXIT_FORCE_RESTART
;
3607 return 0; /* finito */
3610 expose_port_flush(arg_expose_ports
, exposed
);
3612 (void) remove_veth_links(veth_name
, arg_network_veth_extra
);
3613 *veth_created
= false;
3614 return 1; /* loop again */
3617 int main(int argc
, char *argv
[]) {
3619 _cleanup_free_
char *console
= NULL
;
3620 _cleanup_close_
int master
= -1;
3621 _cleanup_fdset_free_ FDSet
*fds
= NULL
;
3622 int r
, n_fd_passed
, ret
= EXIT_SUCCESS
;
3623 char veth_name
[IFNAMSIZ
] = "";
3624 bool secondary
= false, remove_directory
= false, remove_image
= false;
3626 union in_addr_union exposed
= {};
3627 _cleanup_release_lock_file_ LockFile tree_global_lock
= LOCK_FILE_INIT
, tree_local_lock
= LOCK_FILE_INIT
;
3628 bool interactive
, veth_created
= false, remove_tmprootdir
= false;
3629 char tmprootdir
[] = "/tmp/nspawn-root-XXXXXX";
3630 _cleanup_(loop_device_unrefp
) LoopDevice
*loop
= NULL
;
3631 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
3632 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
3634 log_parse_environment();
3637 /* Make sure rename_process() in the stub init process can work */
3641 r
= parse_argv(argc
, argv
);
3645 if (geteuid() != 0) {
3646 log_error("Need to be root.");
3650 r
= determine_names();
3654 r
= load_settings();
3658 r
= verify_arguments();
3662 n_fd_passed
= sd_listen_fds(false);
3663 if (n_fd_passed
> 0) {
3664 r
= fdset_new_listen_fds(&fds
, false);
3666 log_error_errno(r
, "Failed to collect file descriptors: %m");
3671 if (arg_directory
) {
3674 if (path_equal(arg_directory
, "/") && !arg_ephemeral
) {
3675 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
3680 if (arg_ephemeral
) {
3681 _cleanup_free_
char *np
= NULL
;
3683 r
= chase_symlinks_and_update(&arg_directory
, 0);
3687 /* If the specified path is a mount point we
3688 * generate the new snapshot immediately
3689 * inside it under a random name. However if
3690 * the specified is not a mount point we
3691 * create the new snapshot in the parent
3692 * directory, just next to it. */
3693 r
= path_is_mount_point(arg_directory
, NULL
, 0);
3695 log_error_errno(r
, "Failed to determine whether directory %s is mount point: %m", arg_directory
);
3699 r
= tempfn_random_child(arg_directory
, "machine.", &np
);
3701 r
= tempfn_random(arg_directory
, "machine.", &np
);
3703 log_error_errno(r
, "Failed to generate name for directory snapshot: %m");
3707 r
= image_path_lock(np
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3709 log_error_errno(r
, "Failed to lock %s: %m", np
);
3713 r
= btrfs_subvol_snapshot(arg_directory
, np
,
3714 (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) |
3715 BTRFS_SNAPSHOT_FALLBACK_COPY
|
3716 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY
|
3717 BTRFS_SNAPSHOT_RECURSIVE
|
3718 BTRFS_SNAPSHOT_QUOTA
);
3720 log_error_errno(r
, "Failed to create snapshot %s from %s: %m", np
, arg_directory
);
3724 free(arg_directory
);
3728 remove_directory
= true;
3731 r
= chase_symlinks_and_update(&arg_directory
, arg_template
? CHASE_NONEXISTENT
: 0);
3735 r
= image_path_lock(arg_directory
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3737 log_error_errno(r
, "Directory tree %s is currently busy.", arg_directory
);
3741 log_error_errno(r
, "Failed to lock %s: %m", arg_directory
);
3746 r
= chase_symlinks_and_update(&arg_template
, 0);
3750 r
= btrfs_subvol_snapshot(arg_template
, arg_directory
,
3751 (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) |
3752 BTRFS_SNAPSHOT_FALLBACK_COPY
|
3753 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY
|
3754 BTRFS_SNAPSHOT_FALLBACK_IMMUTABLE
|
3755 BTRFS_SNAPSHOT_RECURSIVE
|
3756 BTRFS_SNAPSHOT_QUOTA
);
3759 log_info("Directory %s already exists, not populating from template %s.", arg_directory
, arg_template
);
3761 log_error_errno(r
, "Couldn't create snapshot %s from %s: %m", arg_directory
, arg_template
);
3765 log_info("Populated %s from template %s.", arg_directory
, arg_template
);
3770 if (arg_start_mode
== START_BOOT
) {
3771 if (path_is_os_tree(arg_directory
) <= 0) {
3772 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory
);
3779 p
= strjoina(arg_directory
, "/usr/");
3780 if (laccess(p
, F_OK
) < 0) {
3781 log_error("Directory %s doesn't look like it has an OS tree. Refusing.", arg_directory
);
3789 assert(!arg_template
);
3791 r
= chase_symlinks_and_update(&arg_image
, 0);
3795 if (arg_ephemeral
) {
3796 _cleanup_free_
char *np
= NULL
;
3798 r
= tempfn_random(arg_image
, "machine.", &np
);
3800 log_error_errno(r
, "Failed to generate name for image snapshot: %m");
3804 r
= image_path_lock(np
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3806 r
= log_error_errno(r
, "Failed to create image lock: %m");
3810 r
= copy_file(arg_image
, np
, O_EXCL
, arg_read_only
? 0400 : 0600, FS_NOCOW_FL
, COPY_REFLINK
);
3812 r
= log_error_errno(r
, "Failed to copy image file: %m");
3820 remove_image
= true;
3822 r
= image_path_lock(arg_image
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
3824 r
= log_error_errno(r
, "Disk image %s is currently busy.", arg_image
);
3828 r
= log_error_errno(r
, "Failed to create image lock: %m");
3832 if (!arg_root_hash
) {
3833 r
= root_hash_load(arg_image
, &arg_root_hash
, &arg_root_hash_size
);
3835 log_error_errno(r
, "Failed to load root hash file for %s: %m", arg_image
);
3841 if (!mkdtemp(tmprootdir
)) {
3842 r
= log_error_errno(errno
, "Failed to create temporary directory: %m");
3846 remove_tmprootdir
= true;
3848 arg_directory
= strdup(tmprootdir
);
3849 if (!arg_directory
) {
3854 r
= loop_device_make_by_path(arg_image
, arg_read_only
? O_RDONLY
: O_RDWR
, &loop
);
3856 log_error_errno(r
, "Failed to set up loopback block device: %m");
3862 arg_root_hash
, arg_root_hash_size
,
3863 DISSECT_IMAGE_REQUIRE_ROOT
,
3866 log_error_errno(r
, "Could not find a suitable file system or partition table in image: %s", arg_image
);
3868 log_notice("Note that the disk image needs to\n"
3869 " a) either contain only a single MBR partition of type 0x83 that is marked bootable\n"
3870 " b) or contain a single GPT partition of type 0FC63DAF-8483-4772-8E79-3D69D8477DE4\n"
3871 " c) or follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n"
3872 " d) or contain a file system without a partition table\n"
3873 "in order to be bootable with systemd-nspawn.");
3876 if (r
== -EADDRNOTAVAIL
) {
3877 log_error_errno(r
, "No root partition for specified root hash found.");
3880 if (r
== -EOPNOTSUPP
) {
3881 log_error_errno(r
, "--image= is not supported, compiled without blkid support.");
3884 if (r
== -EPROTONOSUPPORT
) {
3885 log_error_errno(r
, "Device is loopback block device with partition scanning turned off, please turn it on.");
3889 log_error_errno(r
, "Failed to dissect image: %m");
3893 if (!arg_root_hash
&& dissected_image
->can_verity
)
3894 log_notice("Note: image %s contains verity information, but no root hash specified! Proceeding without integrity checking.", arg_image
);
3896 r
= dissected_image_decrypt_interactively(dissected_image
, NULL
, arg_root_hash
, arg_root_hash_size
, 0, &decrypted_image
);
3900 /* Now that we mounted the image, let's try to remove it again, if it is ephemeral */
3901 if (remove_image
&& unlink(arg_image
) >= 0)
3902 remove_image
= false;
3905 r
= custom_mount_prepare_all(arg_directory
, arg_custom_mounts
, arg_n_custom_mounts
);
3909 r
= detect_unified_cgroup_hierarchy(arg_directory
);
3914 isatty(STDIN_FILENO
) > 0 &&
3915 isatty(STDOUT_FILENO
) > 0;
3917 master
= posix_openpt(O_RDWR
|O_NOCTTY
|O_CLOEXEC
|O_NDELAY
);
3919 r
= log_error_errno(errno
, "Failed to acquire pseudo tty: %m");
3923 r
= ptsname_malloc(master
, &console
);
3925 r
= log_error_errno(r
, "Failed to determine tty name: %m");
3929 if (arg_selinux_apifs_context
) {
3930 r
= mac_selinux_apply(console
, arg_selinux_apifs_context
);
3935 if (unlockpt(master
) < 0) {
3936 r
= log_error_errno(errno
, "Failed to unlock tty: %m");
3941 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3942 arg_machine
, arg_image
?: arg_directory
);
3944 assert_se(sigprocmask_many(SIG_BLOCK
, NULL
, SIGCHLD
, SIGWINCH
, SIGTERM
, SIGINT
, -1) >= 0);
3946 if (prctl(PR_SET_CHILD_SUBREAPER
, 1) < 0) {
3947 r
= log_error_errno(errno
, "Failed to become subreaper: %m");
3955 interactive
, secondary
,
3957 veth_name
, &veth_created
,
3966 r
== 0 && ret
== EXIT_FORCE_RESTART
? "STOPPING=1\nSTATUS=Restarting..." :
3967 "STOPPING=1\nSTATUS=Terminating...");
3970 (void) kill(pid
, SIGKILL
);
3972 /* Try to flush whatever is still queued in the pty */
3974 (void) copy_bytes(master
, STDOUT_FILENO
, (uint64_t) -1, 0);
3975 master
= safe_close(master
);
3979 (void) wait_for_terminate(pid
, NULL
);
3981 if (remove_directory
&& arg_directory
) {
3984 k
= rm_rf(arg_directory
, REMOVE_ROOT
|REMOVE_PHYSICAL
|REMOVE_SUBVOLUME
);
3986 log_warning_errno(k
, "Cannot remove '%s', ignoring: %m", arg_directory
);
3989 if (remove_image
&& arg_image
) {
3990 if (unlink(arg_image
) < 0)
3991 log_warning_errno(errno
, "Can't remove image file '%s', ignoring: %m", arg_image
);
3994 if (remove_tmprootdir
) {
3995 if (rmdir(tmprootdir
) < 0)
3996 log_debug_errno(errno
, "Can't remove temporary root directory '%s', ignoring: %m", tmprootdir
);
4002 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
4003 (void) rm_rf(p
, REMOVE_ROOT
);
4006 expose_port_flush(arg_expose_ports
, &exposed
);
4009 (void) remove_veth_links(veth_name
, arg_network_veth_extra
);
4010 (void) remove_bridge(arg_network_zone
);
4012 free(arg_directory
);
4017 free(arg_pivot_root_new
);
4018 free(arg_pivot_root_old
);
4020 strv_free(arg_setenv
);
4021 free(arg_network_bridge
);
4022 strv_free(arg_network_interfaces
);
4023 strv_free(arg_network_macvlan
);
4024 strv_free(arg_network_ipvlan
);
4025 strv_free(arg_network_veth_extra
);
4026 strv_free(arg_parameters
);
4027 custom_mount_free_all(arg_custom_mounts
, arg_n_custom_mounts
);
4028 expose_port_free_all(arg_expose_ports
);
4029 free(arg_root_hash
);
4031 return r
< 0 ? EXIT_FAILURE
: ret
;