1 /* SPDX-License-Identifier: LGPL-2.1+ */
8 #include <linux/loop.h>
10 #include <selinux/selinux.h>
14 #include <sys/personality.h>
15 #include <sys/prctl.h>
16 #include <sys/types.h>
21 #include "sd-daemon.h"
24 #include "alloc-util.h"
26 #include "base-filesystem.h"
27 #include "blkid-util.h"
28 #include "btrfs-util.h"
29 #include "bus-error.h"
32 #include "capability-util.h"
33 #include "cgroup-util.h"
35 #include "cpu-set-util.h"
36 #include "dev-setup.h"
37 #include "dissect-image.h"
42 #include "format-util.h"
45 #include "hexdecoct.h"
46 #include "hostname-util.h"
47 #include "id128-util.h"
49 #include "loop-util.h"
50 #include "loopback-setup.h"
51 #include "machine-image.h"
53 #include "main-func.h"
54 #include "missing_sched.h"
56 #include "mount-util.h"
57 #include "mountpoint-util.h"
58 #include "namespace-util.h"
59 #include "netlink-util.h"
60 #include "nspawn-cgroup.h"
61 #include "nspawn-def.h"
62 #include "nspawn-expose-ports.h"
63 #include "nspawn-mount.h"
64 #include "nspawn-network.h"
65 #include "nspawn-oci.h"
66 #include "nspawn-patch-uid.h"
67 #include "nspawn-register.h"
68 #include "nspawn-seccomp.h"
69 #include "nspawn-settings.h"
70 #include "nspawn-setuid.h"
71 #include "nspawn-stub-pid1.h"
72 #include "nulstr-util.h"
75 #include "parse-util.h"
76 #include "path-util.h"
77 #include "pretty-print.h"
78 #include "process-util.h"
80 #include "random-util.h"
81 #include "raw-clone.h"
82 #include "rlimit-util.h"
85 #include "seccomp-util.h"
87 #include "selinux-util.h"
88 #include "signal-util.h"
89 #include "socket-util.h"
90 #include "stat-util.h"
91 #include "stdio-util.h"
92 #include "string-table.h"
93 #include "string-util.h"
95 #include "sysctl-util.h"
96 #include "terminal-util.h"
97 #include "tmpfile-util.h"
98 #include "umask-util.h"
99 #include "unit-name.h"
100 #include "user-util.h"
104 #define STATIC_RESOLV_CONF "/lib/systemd/resolv.conf"
106 #define STATIC_RESOLV_CONF "/usr/lib/systemd/resolv.conf"
109 /* nspawn is listening on the socket at the path in the constant nspawn_notify_socket_path
110 * nspawn_notify_socket_path is relative to the container
111 * the init process in the container pid can send messages to nspawn following the sd_notify(3) protocol */
112 #define NSPAWN_NOTIFY_SOCKET_PATH "/run/systemd/nspawn/notify"
114 #define EXIT_FORCE_RESTART 133
116 typedef enum ContainerStatus
{
117 CONTAINER_TERMINATED
,
121 static char *arg_directory
= NULL
;
122 static char *arg_template
= NULL
;
123 static char *arg_chdir
= NULL
;
124 static char *arg_pivot_root_new
= NULL
;
125 static char *arg_pivot_root_old
= NULL
;
126 static char *arg_user
= NULL
;
127 static uid_t arg_uid
= UID_INVALID
;
128 static gid_t arg_gid
= GID_INVALID
;
129 static gid_t
* arg_supplementary_gids
= NULL
;
130 static size_t arg_n_supplementary_gids
= 0;
131 static sd_id128_t arg_uuid
= {};
132 static char *arg_machine
= NULL
; /* The name used by the host to refer to this */
133 static char *arg_hostname
= NULL
; /* The name the payload sees by default */
134 static const char *arg_selinux_context
= NULL
;
135 static const char *arg_selinux_apifs_context
= NULL
;
136 static char *arg_slice
= NULL
;
137 static bool arg_private_network
= false;
138 static bool arg_read_only
= false;
139 static StartMode arg_start_mode
= START_PID1
;
140 static bool arg_ephemeral
= false;
141 static LinkJournal arg_link_journal
= LINK_AUTO
;
142 static bool arg_link_journal_try
= false;
143 static uint64_t arg_caps_retain
=
144 (1ULL << CAP_AUDIT_CONTROL
) |
145 (1ULL << CAP_AUDIT_WRITE
) |
146 (1ULL << CAP_CHOWN
) |
147 (1ULL << CAP_DAC_OVERRIDE
) |
148 (1ULL << CAP_DAC_READ_SEARCH
) |
149 (1ULL << CAP_FOWNER
) |
150 (1ULL << CAP_FSETID
) |
151 (1ULL << CAP_IPC_OWNER
) |
153 (1ULL << CAP_LEASE
) |
154 (1ULL << CAP_LINUX_IMMUTABLE
) |
155 (1ULL << CAP_MKNOD
) |
156 (1ULL << CAP_NET_BIND_SERVICE
) |
157 (1ULL << CAP_NET_BROADCAST
) |
158 (1ULL << CAP_NET_RAW
) |
159 (1ULL << CAP_SETFCAP
) |
160 (1ULL << CAP_SETGID
) |
161 (1ULL << CAP_SETPCAP
) |
162 (1ULL << CAP_SETUID
) |
163 (1ULL << CAP_SYS_ADMIN
) |
164 (1ULL << CAP_SYS_BOOT
) |
165 (1ULL << CAP_SYS_CHROOT
) |
166 (1ULL << CAP_SYS_NICE
) |
167 (1ULL << CAP_SYS_PTRACE
) |
168 (1ULL << CAP_SYS_RESOURCE
) |
169 (1ULL << CAP_SYS_TTY_CONFIG
);
170 static CapabilityQuintet arg_full_capabilities
= CAPABILITY_QUINTET_NULL
;
171 static CustomMount
*arg_custom_mounts
= NULL
;
172 static size_t arg_n_custom_mounts
= 0;
173 static char **arg_setenv
= NULL
;
174 static bool arg_quiet
= false;
175 static bool arg_register
= true;
176 static bool arg_keep_unit
= false;
177 static char **arg_network_interfaces
= NULL
;
178 static char **arg_network_macvlan
= NULL
;
179 static char **arg_network_ipvlan
= NULL
;
180 static bool arg_network_veth
= false;
181 static char **arg_network_veth_extra
= NULL
;
182 static char *arg_network_bridge
= NULL
;
183 static char *arg_network_zone
= NULL
;
184 static char *arg_network_namespace_path
= NULL
;
185 static PagerFlags arg_pager_flags
= 0;
186 static unsigned long arg_personality
= PERSONALITY_INVALID
;
187 static char *arg_image
= NULL
;
188 static char *arg_oci_bundle
= NULL
;
189 static VolatileMode arg_volatile_mode
= VOLATILE_NO
;
190 static ExposePort
*arg_expose_ports
= NULL
;
191 static char **arg_property
= NULL
;
192 static sd_bus_message
*arg_property_message
= NULL
;
193 static UserNamespaceMode arg_userns_mode
= USER_NAMESPACE_NO
;
194 static uid_t arg_uid_shift
= UID_INVALID
, arg_uid_range
= 0x10000U
;
195 static bool arg_userns_chown
= false;
196 static int arg_kill_signal
= 0;
197 static CGroupUnified arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_UNKNOWN
;
198 static SettingsMask arg_settings_mask
= 0;
199 static int arg_settings_trusted
= -1;
200 static char **arg_parameters
= NULL
;
201 static const char *arg_container_service_name
= "systemd-nspawn";
202 static bool arg_notify_ready
= false;
203 static bool arg_use_cgns
= true;
204 static unsigned long arg_clone_ns_flags
= CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
;
205 static MountSettingsMask arg_mount_settings
= MOUNT_APPLY_APIVFS_RO
|MOUNT_APPLY_TMPFS_TMP
;
206 static void *arg_root_hash
= NULL
;
207 static size_t arg_root_hash_size
= 0;
208 static char **arg_syscall_whitelist
= NULL
;
209 static char **arg_syscall_blacklist
= NULL
;
211 static scmp_filter_ctx arg_seccomp
= NULL
;
213 static struct rlimit
*arg_rlimit
[_RLIMIT_MAX
] = {};
214 static bool arg_no_new_privileges
= false;
215 static int arg_oom_score_adjust
= 0;
216 static bool arg_oom_score_adjust_set
= false;
217 static CPUSet arg_cpu_set
= {};
218 static ResolvConfMode arg_resolv_conf
= RESOLV_CONF_AUTO
;
219 static TimezoneMode arg_timezone
= TIMEZONE_AUTO
;
220 static unsigned arg_console_width
= (unsigned) -1, arg_console_height
= (unsigned) -1;
221 static DeviceNode
* arg_extra_nodes
= NULL
;
222 static size_t arg_n_extra_nodes
= 0;
223 static char **arg_sysctl
= NULL
;
224 static ConsoleMode arg_console_mode
= _CONSOLE_MODE_INVALID
;
226 STATIC_DESTRUCTOR_REGISTER(arg_directory
, freep
);
227 STATIC_DESTRUCTOR_REGISTER(arg_template
, freep
);
228 STATIC_DESTRUCTOR_REGISTER(arg_chdir
, freep
);
229 STATIC_DESTRUCTOR_REGISTER(arg_pivot_root_new
, freep
);
230 STATIC_DESTRUCTOR_REGISTER(arg_pivot_root_old
, freep
);
231 STATIC_DESTRUCTOR_REGISTER(arg_user
, freep
);
232 STATIC_DESTRUCTOR_REGISTER(arg_supplementary_gids
, freep
);
233 STATIC_DESTRUCTOR_REGISTER(arg_machine
, freep
);
234 STATIC_DESTRUCTOR_REGISTER(arg_hostname
, freep
);
235 STATIC_DESTRUCTOR_REGISTER(arg_slice
, freep
);
236 STATIC_DESTRUCTOR_REGISTER(arg_setenv
, strv_freep
);
237 STATIC_DESTRUCTOR_REGISTER(arg_network_interfaces
, strv_freep
);
238 STATIC_DESTRUCTOR_REGISTER(arg_network_macvlan
, strv_freep
);
239 STATIC_DESTRUCTOR_REGISTER(arg_network_ipvlan
, strv_freep
);
240 STATIC_DESTRUCTOR_REGISTER(arg_network_veth_extra
, strv_freep
);
241 STATIC_DESTRUCTOR_REGISTER(arg_network_bridge
, freep
);
242 STATIC_DESTRUCTOR_REGISTER(arg_network_zone
, freep
);
243 STATIC_DESTRUCTOR_REGISTER(arg_network_namespace_path
, freep
);
244 STATIC_DESTRUCTOR_REGISTER(arg_image
, freep
);
245 STATIC_DESTRUCTOR_REGISTER(arg_oci_bundle
, freep
);
246 STATIC_DESTRUCTOR_REGISTER(arg_property
, strv_freep
);
247 STATIC_DESTRUCTOR_REGISTER(arg_property_message
, sd_bus_message_unrefp
);
248 STATIC_DESTRUCTOR_REGISTER(arg_parameters
, strv_freep
);
249 STATIC_DESTRUCTOR_REGISTER(arg_root_hash
, freep
);
250 STATIC_DESTRUCTOR_REGISTER(arg_syscall_whitelist
, strv_freep
);
251 STATIC_DESTRUCTOR_REGISTER(arg_syscall_blacklist
, strv_freep
);
253 STATIC_DESTRUCTOR_REGISTER(arg_seccomp
, seccomp_releasep
);
255 STATIC_DESTRUCTOR_REGISTER(arg_cpu_set
, cpu_set_reset
);
256 STATIC_DESTRUCTOR_REGISTER(arg_sysctl
, strv_freep
);
258 static int handle_arg_console(const char *arg
) {
259 if (streq(arg
, "help")) {
267 if (streq(arg
, "interactive"))
268 arg_console_mode
= CONSOLE_INTERACTIVE
;
269 else if (streq(arg
, "read-only"))
270 arg_console_mode
= CONSOLE_READ_ONLY
;
271 else if (streq(arg
, "passive"))
272 arg_console_mode
= CONSOLE_PASSIVE
;
273 else if (streq(arg
, "pipe"))
274 arg_console_mode
= CONSOLE_PIPE
;
276 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Unknown console mode: %s", optarg
);
278 arg_settings_mask
|= SETTING_CONSOLE_MODE
;
282 static int help(void) {
283 _cleanup_free_
char *link
= NULL
;
286 (void) pager_open(arg_pager_flags
);
288 r
= terminal_urlify_man("systemd-nspawn", "1", &link
);
292 printf("%1$s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
293 "Spawn a command or OS in a light-weight container.\n\n"
294 " -h --help Show this help\n"
295 " --version Print version string\n"
296 " -q --quiet Do not show status information\n"
297 " --no-pager Do not pipe output into a pager\n"
298 " --settings=BOOLEAN Load additional settings from .nspawn file\n\n"
300 " -D --directory=PATH Root directory for the container\n"
301 " --template=PATH Initialize root directory from template directory,\n"
303 " -x --ephemeral Run container with snapshot of root directory, and\n"
304 " remove it after exit\n"
305 " -i --image=PATH Root file system disk image (or device node) for\n"
307 " --oci-bundle=PATH OCI bundle directory\n"
308 " --read-only Mount the root directory read-only\n"
309 " --volatile[=MODE] Run the system in volatile mode\n"
310 " --root-hash=HASH Specify verity root hash for root disk image\n"
311 " --pivot-root=PATH[:PATH]\n"
312 " Pivot root to given directory in the container\n\n"
313 "%3$sExecution:%4$s\n"
314 " -a --as-pid2 Maintain a stub init as PID1, invoke binary as PID2\n"
315 " -b --boot Boot up full system (i.e. invoke init)\n"
316 " --chdir=PATH Set working directory in the container\n"
317 " -E --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
318 " -u --user=USER Run the command under specified user or UID\n"
319 " --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
320 " --notify-ready=BOOLEAN Receive notifications from the child init process\n\n"
321 "%3$sSystem Identity:%4$s\n"
322 " -M --machine=NAME Set the machine name for the container\n"
323 " --hostname=NAME Override the hostname for the container\n"
324 " --uuid=UUID Set a specific machine UUID for the container\n\n"
325 "%3$sProperties:%4$s\n"
326 " -S --slice=SLICE Place the container in the specified slice\n"
327 " --property=NAME=VALUE Set scope unit property\n"
328 " --register=BOOLEAN Register container as machine\n"
329 " --keep-unit Do not register a scope for the machine, reuse\n"
330 " the service unit nspawn is running in\n\n"
331 "%3$sUser Namespacing:%4$s\n"
332 " -U --private-users=pick Run within user namespace, autoselect UID/GID range\n"
333 " --private-users[=UIDBASE[:NUIDS]]\n"
334 " Similar, but with user configured UID/GID range\n"
335 " --private-users-chown Adjust OS tree ownership to private UID/GID range\n\n"
336 "%3$sNetworking:%4$s\n"
337 " --private-network Disable network in container\n"
338 " --network-interface=INTERFACE\n"
339 " Assign an existing network interface to the\n"
341 " --network-macvlan=INTERFACE\n"
342 " Create a macvlan network interface based on an\n"
343 " existing network interface to the container\n"
344 " --network-ipvlan=INTERFACE\n"
345 " Create a ipvlan network interface based on an\n"
346 " existing network interface to the container\n"
347 " -n --network-veth Add a virtual Ethernet connection between host\n"
349 " --network-veth-extra=HOSTIF[:CONTAINERIF]\n"
350 " Add an additional virtual Ethernet link between\n"
351 " host and container\n"
352 " --network-bridge=INTERFACE\n"
353 " Add a virtual Ethernet connection to the container\n"
354 " and attach it to an existing bridge on the host\n"
355 " --network-zone=NAME Similar, but attach the new interface to an\n"
356 " an automatically managed bridge interface\n"
357 " --network-namespace-path=PATH\n"
358 " Set network namespace to the one represented by\n"
359 " the specified kernel namespace file node\n"
360 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
361 " Expose a container IP port on the host\n\n"
362 "%3$sSecurity:%4$s\n"
363 " --capability=CAP In addition to the default, retain specified\n"
365 " --drop-capability=CAP Drop the specified capability from the default set\n"
366 " --no-new-privileges Set PR_SET_NO_NEW_PRIVS flag for container payload\n"
367 " --system-call-filter=LIST|~LIST\n"
368 " Permit/prohibit specific system calls\n"
369 " -Z --selinux-context=SECLABEL\n"
370 " Set the SELinux security context to be used by\n"
371 " processes in the container\n"
372 " -L --selinux-apifs-context=SECLABEL\n"
373 " Set the SELinux security context to be used by\n"
374 " API/tmpfs file systems in the container\n\n"
375 "%3$sResources:%4$s\n"
376 " --rlimit=NAME=LIMIT Set a resource limit for the payload\n"
377 " --oom-score-adjust=VALUE\n"
378 " Adjust the OOM score value for the payload\n"
379 " --cpu-affinity=CPUS Adjust the CPU affinity of the container\n"
380 " --personality=ARCH Pick personality for this container\n\n"
381 "%3$sIntegration:%4$s\n"
382 " --resolv-conf=MODE Select mode of /etc/resolv.conf initialization\n"
383 " --timezone=MODE Select mode of /etc/localtime initialization\n"
384 " --link-journal=MODE Link up guest journal, one of no, auto, guest, \n"
385 " host, try-guest, try-host\n"
386 " -j Equivalent to --link-journal=try-guest\n\n"
388 " --bind=PATH[:PATH[:OPTIONS]]\n"
389 " Bind mount a file or directory from the host into\n"
391 " --bind-ro=PATH[:PATH[:OPTIONS]\n"
392 " Similar, but creates a read-only bind mount\n"
393 " --inaccessible=PATH Over-mount file node with inaccessible node to mask\n"
395 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
396 " --overlay=PATH[:PATH...]:PATH\n"
397 " Create an overlay mount from the host to \n"
399 " --overlay-ro=PATH[:PATH...]:PATH\n"
400 " Similar, but creates a read-only overlay mount\n\n"
401 "%3$sInput/Output:%4$s\n"
402 " --console=MODE Select how stdin/stdout/stderr and /dev/console are\n"
403 " set up for the container.\n"
404 " -P --pipe Equivalent to --console=pipe\n"
405 "\nSee the %2$s for details.\n"
406 , program_invocation_short_name
408 , ansi_underline(), ansi_normal());
413 static int custom_mount_check_all(void) {
416 for (i
= 0; i
< arg_n_custom_mounts
; i
++) {
417 CustomMount
*m
= &arg_custom_mounts
[i
];
419 if (path_equal(m
->destination
, "/") && arg_userns_mode
!= USER_NAMESPACE_NO
) {
420 if (arg_userns_chown
)
421 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
422 "--private-users-chown may not be combined with custom root mounts.");
423 else if (arg_uid_shift
== UID_INVALID
)
424 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
425 "--private-users with automatic UID shift may not be combined with custom root mounts.");
432 static int detect_unified_cgroup_hierarchy_from_environment(void) {
433 const char *e
, *var
= "SYSTEMD_NSPAWN_UNIFIED_HIERARCHY";
436 /* Allow the user to control whether the unified hierarchy is used */
440 /* $UNIFIED_CGROUP_HIERARCHY has been renamed to $SYSTEMD_NSPAWN_UNIFIED_HIERARCHY. */
441 var
= "UNIFIED_CGROUP_HIERARCHY";
446 r
= parse_boolean(e
);
448 return log_error_errno(r
, "Failed to parse $%s: %m", var
);
450 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_ALL
;
452 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
458 static int detect_unified_cgroup_hierarchy_from_image(const char *directory
) {
461 /* Let's inherit the mode to use from the host system, but let's take into consideration what systemd
462 * in the image actually supports. */
463 r
= cg_all_unified();
465 return log_error_errno(r
, "Failed to determine whether we are in all unified mode.");
467 /* Unified cgroup hierarchy support was added in 230. Unfortunately the detection
468 * routine only detects 231, so we'll have a false negative here for 230. */
469 r
= systemd_installation_has_version(directory
, 230);
471 return log_error_errno(r
, "Failed to determine systemd version in container: %m");
473 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_ALL
;
475 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
476 } else if (cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER
) > 0) {
477 /* Mixed cgroup hierarchy support was added in 233 */
478 r
= systemd_installation_has_version(directory
, 233);
480 return log_error_errno(r
, "Failed to determine systemd version in container: %m");
482 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_SYSTEMD
;
484 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
486 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
488 log_debug("Using %s hierarchy for container.",
489 arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_NONE
? "legacy" :
490 arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_SYSTEMD
? "hybrid" : "unified");
495 static int parse_share_ns_env(const char *name
, unsigned long ns_flag
) {
498 r
= getenv_bool(name
);
502 return log_error_errno(r
, "Failed to parse $%s: %m", name
);
504 arg_clone_ns_flags
= (arg_clone_ns_flags
& ~ns_flag
) | (r
> 0 ? 0 : ns_flag
);
505 arg_settings_mask
|= SETTING_CLONE_NS_FLAGS
;
509 static int parse_mount_settings_env(void) {
513 r
= getenv_bool("SYSTEMD_NSPAWN_TMPFS_TMP");
514 if (r
< 0 && r
!= -ENXIO
)
515 return log_error_errno(r
, "Failed to parse $SYSTEMD_NSPAWN_TMPFS_TMP: %m");
517 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_TMPFS_TMP
, r
> 0);
519 e
= getenv("SYSTEMD_NSPAWN_API_VFS_WRITABLE");
520 if (streq_ptr(e
, "network"))
521 arg_mount_settings
|= MOUNT_APPLY_APIVFS_RO
|MOUNT_APPLY_APIVFS_NETNS
;
524 r
= parse_boolean(e
);
526 return log_error_errno(r
, "Failed to parse $SYSTEMD_NSPAWN_API_VFS_WRITABLE: %m");
528 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_APIVFS_RO
, r
== 0);
529 SET_FLAG(arg_mount_settings
, MOUNT_APPLY_APIVFS_NETNS
, false);
535 static int parse_environment(void) {
539 r
= parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_IPC", CLONE_NEWIPC
);
542 r
= parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_PID", CLONE_NEWPID
);
545 r
= parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_UTS", CLONE_NEWUTS
);
548 r
= parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_SYSTEM", CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
);
552 r
= parse_mount_settings_env();
556 /* SYSTEMD_NSPAWN_USE_CGNS=0 can be used to disable CLONE_NEWCGROUP use,
557 * even if it is supported. If not supported, it has no effect. */
558 if (!cg_ns_supported())
559 arg_use_cgns
= false;
561 r
= getenv_bool("SYSTEMD_NSPAWN_USE_CGNS");
564 return log_error_errno(r
, "Failed to parse $SYSTEMD_NSPAWN_USE_CGNS: %m");
568 arg_use_cgns
= r
> 0;
569 arg_settings_mask
|= SETTING_USE_CGNS
;
573 e
= getenv("SYSTEMD_NSPAWN_CONTAINER_SERVICE");
575 arg_container_service_name
= e
;
577 return detect_unified_cgroup_hierarchy_from_environment();
580 static int parse_argv(int argc
, char *argv
[]) {
598 ARG_NETWORK_INTERFACE
,
603 ARG_NETWORK_VETH_EXTRA
,
604 ARG_NETWORK_NAMESPACE_PATH
,
614 ARG_PRIVATE_USERS_CHOWN
,
617 ARG_SYSTEM_CALL_FILTER
,
620 ARG_NO_NEW_PRIVILEGES
,
621 ARG_OOM_SCORE_ADJUST
,
631 static const struct option options
[] = {
632 { "help", no_argument
, NULL
, 'h' },
633 { "version", no_argument
, NULL
, ARG_VERSION
},
634 { "directory", required_argument
, NULL
, 'D' },
635 { "template", required_argument
, NULL
, ARG_TEMPLATE
},
636 { "ephemeral", no_argument
, NULL
, 'x' },
637 { "user", required_argument
, NULL
, 'u' },
638 { "private-network", no_argument
, NULL
, ARG_PRIVATE_NETWORK
},
639 { "as-pid2", no_argument
, NULL
, 'a' },
640 { "boot", no_argument
, NULL
, 'b' },
641 { "uuid", required_argument
, NULL
, ARG_UUID
},
642 { "read-only", no_argument
, NULL
, ARG_READ_ONLY
},
643 { "capability", required_argument
, NULL
, ARG_CAPABILITY
},
644 { "drop-capability", required_argument
, NULL
, ARG_DROP_CAPABILITY
},
645 { "no-new-privileges", required_argument
, NULL
, ARG_NO_NEW_PRIVILEGES
},
646 { "link-journal", required_argument
, NULL
, ARG_LINK_JOURNAL
},
647 { "bind", required_argument
, NULL
, ARG_BIND
},
648 { "bind-ro", required_argument
, NULL
, ARG_BIND_RO
},
649 { "tmpfs", required_argument
, NULL
, ARG_TMPFS
},
650 { "overlay", required_argument
, NULL
, ARG_OVERLAY
},
651 { "overlay-ro", required_argument
, NULL
, ARG_OVERLAY_RO
},
652 { "inaccessible", required_argument
, NULL
, ARG_INACCESSIBLE
},
653 { "machine", required_argument
, NULL
, 'M' },
654 { "hostname", required_argument
, NULL
, ARG_HOSTNAME
},
655 { "slice", required_argument
, NULL
, 'S' },
656 { "setenv", required_argument
, NULL
, 'E' },
657 { "selinux-context", required_argument
, NULL
, 'Z' },
658 { "selinux-apifs-context", required_argument
, NULL
, 'L' },
659 { "quiet", no_argument
, NULL
, 'q' },
660 { "share-system", no_argument
, NULL
, ARG_SHARE_SYSTEM
}, /* not documented */
661 { "register", required_argument
, NULL
, ARG_REGISTER
},
662 { "keep-unit", no_argument
, NULL
, ARG_KEEP_UNIT
},
663 { "network-interface", required_argument
, NULL
, ARG_NETWORK_INTERFACE
},
664 { "network-macvlan", required_argument
, NULL
, ARG_NETWORK_MACVLAN
},
665 { "network-ipvlan", required_argument
, NULL
, ARG_NETWORK_IPVLAN
},
666 { "network-veth", no_argument
, NULL
, 'n' },
667 { "network-veth-extra", required_argument
, NULL
, ARG_NETWORK_VETH_EXTRA
},
668 { "network-bridge", required_argument
, NULL
, ARG_NETWORK_BRIDGE
},
669 { "network-zone", required_argument
, NULL
, ARG_NETWORK_ZONE
},
670 { "network-namespace-path", required_argument
, NULL
, ARG_NETWORK_NAMESPACE_PATH
},
671 { "personality", required_argument
, NULL
, ARG_PERSONALITY
},
672 { "image", required_argument
, NULL
, 'i' },
673 { "volatile", optional_argument
, NULL
, ARG_VOLATILE
},
674 { "port", required_argument
, NULL
, 'p' },
675 { "property", required_argument
, NULL
, ARG_PROPERTY
},
676 { "private-users", optional_argument
, NULL
, ARG_PRIVATE_USERS
},
677 { "private-users-chown", optional_argument
, NULL
, ARG_PRIVATE_USERS_CHOWN
},
678 { "kill-signal", required_argument
, NULL
, ARG_KILL_SIGNAL
},
679 { "settings", required_argument
, NULL
, ARG_SETTINGS
},
680 { "chdir", required_argument
, NULL
, ARG_CHDIR
},
681 { "pivot-root", required_argument
, NULL
, ARG_PIVOT_ROOT
},
682 { "notify-ready", required_argument
, NULL
, ARG_NOTIFY_READY
},
683 { "root-hash", required_argument
, NULL
, ARG_ROOT_HASH
},
684 { "system-call-filter", required_argument
, NULL
, ARG_SYSTEM_CALL_FILTER
},
685 { "rlimit", required_argument
, NULL
, ARG_RLIMIT
},
686 { "oom-score-adjust", required_argument
, NULL
, ARG_OOM_SCORE_ADJUST
},
687 { "cpu-affinity", required_argument
, NULL
, ARG_CPU_AFFINITY
},
688 { "resolv-conf", required_argument
, NULL
, ARG_RESOLV_CONF
},
689 { "timezone", required_argument
, NULL
, ARG_TIMEZONE
},
690 { "console", required_argument
, NULL
, ARG_CONSOLE
},
691 { "pipe", no_argument
, NULL
, ARG_PIPE
},
692 { "oci-bundle", required_argument
, NULL
, ARG_OCI_BUNDLE
},
693 { "no-pager", no_argument
, NULL
, ARG_NO_PAGER
},
699 uint64_t plus
= 0, minus
= 0;
700 bool mask_all_settings
= false, mask_no_settings
= false;
705 while ((c
= getopt_long(argc
, argv
, "+hD:u:abL:M:jS:Z:qi:xp:nUE:P", options
, NULL
)) >= 0)
715 r
= parse_path_argument_and_warn(optarg
, false, &arg_directory
);
719 arg_settings_mask
|= SETTING_DIRECTORY
;
723 r
= parse_path_argument_and_warn(optarg
, false, &arg_template
);
727 arg_settings_mask
|= SETTING_DIRECTORY
;
731 r
= parse_path_argument_and_warn(optarg
, false, &arg_image
);
735 arg_settings_mask
|= SETTING_DIRECTORY
;
739 r
= parse_path_argument_and_warn(optarg
, false, &arg_oci_bundle
);
746 arg_ephemeral
= true;
747 arg_settings_mask
|= SETTING_EPHEMERAL
;
751 r
= free_and_strdup(&arg_user
, optarg
);
755 arg_settings_mask
|= SETTING_USER
;
758 case ARG_NETWORK_ZONE
: {
761 j
= strjoin("vz-", optarg
);
765 if (!ifname_valid(j
)) {
766 log_error("Network zone name not valid: %s", j
);
771 free_and_replace(arg_network_zone
, j
);
773 arg_network_veth
= true;
774 arg_private_network
= true;
775 arg_settings_mask
|= SETTING_NETWORK
;
779 case ARG_NETWORK_BRIDGE
:
781 if (!ifname_valid(optarg
))
782 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
783 "Bridge interface name not valid: %s", optarg
);
785 r
= free_and_strdup(&arg_network_bridge
, optarg
);
791 arg_network_veth
= true;
792 arg_private_network
= true;
793 arg_settings_mask
|= SETTING_NETWORK
;
796 case ARG_NETWORK_VETH_EXTRA
:
797 r
= veth_extra_parse(&arg_network_veth_extra
, optarg
);
799 return log_error_errno(r
, "Failed to parse --network-veth-extra= parameter: %s", optarg
);
801 arg_private_network
= true;
802 arg_settings_mask
|= SETTING_NETWORK
;
805 case ARG_NETWORK_INTERFACE
:
806 if (!ifname_valid(optarg
))
807 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
808 "Network interface name not valid: %s", optarg
);
810 if (strv_extend(&arg_network_interfaces
, optarg
) < 0)
813 arg_private_network
= true;
814 arg_settings_mask
|= SETTING_NETWORK
;
817 case ARG_NETWORK_MACVLAN
:
819 if (!ifname_valid(optarg
))
820 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
821 "MACVLAN network interface name not valid: %s", optarg
);
823 if (strv_extend(&arg_network_macvlan
, optarg
) < 0)
826 arg_private_network
= true;
827 arg_settings_mask
|= SETTING_NETWORK
;
830 case ARG_NETWORK_IPVLAN
:
832 if (!ifname_valid(optarg
))
833 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
834 "IPVLAN network interface name not valid: %s", optarg
);
836 if (strv_extend(&arg_network_ipvlan
, optarg
) < 0)
840 case ARG_PRIVATE_NETWORK
:
841 arg_private_network
= true;
842 arg_settings_mask
|= SETTING_NETWORK
;
845 case ARG_NETWORK_NAMESPACE_PATH
:
846 r
= parse_path_argument_and_warn(optarg
, false, &arg_network_namespace_path
);
850 arg_settings_mask
|= SETTING_NETWORK
;
854 if (arg_start_mode
== START_PID2
)
855 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
856 "--boot and --as-pid2 may not be combined.");
858 arg_start_mode
= START_BOOT
;
859 arg_settings_mask
|= SETTING_START_MODE
;
863 if (arg_start_mode
== START_BOOT
)
864 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
865 "--boot and --as-pid2 may not be combined.");
867 arg_start_mode
= START_PID2
;
868 arg_settings_mask
|= SETTING_START_MODE
;
872 r
= sd_id128_from_string(optarg
, &arg_uuid
);
874 return log_error_errno(r
, "Invalid UUID: %s", optarg
);
876 if (sd_id128_is_null(arg_uuid
))
877 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
878 "Machine UUID may not be all zeroes.");
880 arg_settings_mask
|= SETTING_MACHINE_ID
;
884 _cleanup_free_
char *mangled
= NULL
;
886 r
= unit_name_mangle_with_suffix(optarg
, NULL
, UNIT_NAME_MANGLE_WARN
, ".slice", &mangled
);
890 free_and_replace(arg_slice
, mangled
);
891 arg_settings_mask
|= SETTING_SLICE
;
897 arg_machine
= mfree(arg_machine
);
899 if (!machine_name_is_valid(optarg
))
900 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
901 "Invalid machine name: %s", optarg
);
903 r
= free_and_strdup(&arg_machine
, optarg
);
911 arg_hostname
= mfree(arg_hostname
);
913 if (!hostname_is_valid(optarg
, false))
914 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
915 "Invalid hostname: %s", optarg
);
917 r
= free_and_strdup(&arg_hostname
, optarg
);
922 arg_settings_mask
|= SETTING_HOSTNAME
;
926 arg_selinux_context
= optarg
;
930 arg_selinux_apifs_context
= optarg
;
934 arg_read_only
= true;
935 arg_settings_mask
|= SETTING_READ_ONLY
;
939 case ARG_DROP_CAPABILITY
: {
942 _cleanup_free_
char *t
= NULL
;
944 r
= extract_first_word(&p
, &t
, ",", 0);
946 return log_error_errno(r
, "Failed to parse capability %s.", t
);
950 if (streq(t
, "all")) {
951 if (c
== ARG_CAPABILITY
)
952 plus
= (uint64_t) -1;
954 minus
= (uint64_t) -1;
956 r
= capability_from_name(t
);
958 return log_error_errno(r
, "Failed to parse capability %s.", t
);
960 if (c
== ARG_CAPABILITY
)
967 arg_settings_mask
|= SETTING_CAPABILITY
;
971 case ARG_NO_NEW_PRIVILEGES
:
972 r
= parse_boolean(optarg
);
974 return log_error_errno(r
, "Failed to parse --no-new-privileges= argument: %s", optarg
);
976 arg_no_new_privileges
= r
;
977 arg_settings_mask
|= SETTING_NO_NEW_PRIVILEGES
;
981 arg_link_journal
= LINK_GUEST
;
982 arg_link_journal_try
= true;
983 arg_settings_mask
|= SETTING_LINK_JOURNAL
;
986 case ARG_LINK_JOURNAL
:
987 r
= parse_link_journal(optarg
, &arg_link_journal
, &arg_link_journal_try
);
989 return log_error_errno(r
, "Failed to parse link journal mode %s", optarg
);
991 arg_settings_mask
|= SETTING_LINK_JOURNAL
;
996 r
= bind_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
, c
== ARG_BIND_RO
);
998 return log_error_errno(r
, "Failed to parse --bind(-ro)= argument %s: %m", optarg
);
1000 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
1004 r
= tmpfs_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
);
1006 return log_error_errno(r
, "Failed to parse --tmpfs= argument %s: %m", optarg
);
1008 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
1012 case ARG_OVERLAY_RO
:
1013 r
= overlay_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
, c
== ARG_OVERLAY_RO
);
1014 if (r
== -EADDRNOTAVAIL
)
1015 return log_error_errno(r
, "--overlay(-ro)= needs at least two colon-separated directories specified.");
1017 return log_error_errno(r
, "Failed to parse --overlay(-ro)= argument %s: %m", optarg
);
1019 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
1022 case ARG_INACCESSIBLE
:
1023 r
= inaccessible_mount_parse(&arg_custom_mounts
, &arg_n_custom_mounts
, optarg
);
1025 return log_error_errno(r
, "Failed to parse --inaccessible= argument %s: %m", optarg
);
1027 arg_settings_mask
|= SETTING_CUSTOM_MOUNTS
;
1033 if (!env_assignment_is_valid(optarg
))
1034 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1035 "Environment variable assignment '%s' is not valid.", optarg
);
1037 n
= strv_env_set(arg_setenv
, optarg
);
1041 strv_free_and_replace(arg_setenv
, n
);
1042 arg_settings_mask
|= SETTING_ENVIRONMENT
;
1050 case ARG_SHARE_SYSTEM
:
1051 /* We don't officially support this anymore, except for compat reasons. People should use the
1052 * $SYSTEMD_NSPAWN_SHARE_* environment variables instead. */
1053 log_warning("Please do not use --share-system anymore, use $SYSTEMD_NSPAWN_SHARE_* instead.");
1054 arg_clone_ns_flags
= 0;
1058 r
= parse_boolean(optarg
);
1060 log_error("Failed to parse --register= argument: %s", optarg
);
1068 arg_keep_unit
= true;
1071 case ARG_PERSONALITY
:
1073 arg_personality
= personality_from_string(optarg
);
1074 if (arg_personality
== PERSONALITY_INVALID
)
1075 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1076 "Unknown or unsupported personality '%s'.", optarg
);
1078 arg_settings_mask
|= SETTING_PERSONALITY
;
1084 arg_volatile_mode
= VOLATILE_YES
;
1085 else if (streq(optarg
, "help")) {
1086 DUMP_STRING_TABLE(volatile_mode
, VolatileMode
, _VOLATILE_MODE_MAX
);
1091 m
= volatile_mode_from_string(optarg
);
1093 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1094 "Failed to parse --volatile= argument: %s", optarg
);
1096 arg_volatile_mode
= m
;
1099 arg_settings_mask
|= SETTING_VOLATILE_MODE
;
1103 r
= expose_port_parse(&arg_expose_ports
, optarg
);
1105 return log_error_errno(r
, "Duplicate port specification: %s", optarg
);
1107 return log_error_errno(r
, "Failed to parse host port %s: %m", optarg
);
1109 arg_settings_mask
|= SETTING_EXPOSE_PORTS
;
1113 if (strv_extend(&arg_property
, optarg
) < 0)
1118 case ARG_PRIVATE_USERS
: {
1123 else if (!in_charset(optarg
, DIGITS
))
1124 /* do *not* parse numbers as booleans */
1125 boolean
= parse_boolean(optarg
);
1127 if (boolean
== false) {
1128 /* no: User namespacing off */
1129 arg_userns_mode
= USER_NAMESPACE_NO
;
1130 arg_uid_shift
= UID_INVALID
;
1131 arg_uid_range
= UINT32_C(0x10000);
1132 } else if (boolean
== true) {
1133 /* yes: User namespacing on, UID range is read from root dir */
1134 arg_userns_mode
= USER_NAMESPACE_FIXED
;
1135 arg_uid_shift
= UID_INVALID
;
1136 arg_uid_range
= UINT32_C(0x10000);
1137 } else if (streq(optarg
, "pick")) {
1138 /* pick: User namespacing on, UID range is picked randomly */
1139 arg_userns_mode
= USER_NAMESPACE_PICK
;
1140 arg_uid_shift
= UID_INVALID
;
1141 arg_uid_range
= UINT32_C(0x10000);
1143 _cleanup_free_
char *buffer
= NULL
;
1144 const char *range
, *shift
;
1146 /* anything else: User namespacing on, UID range is explicitly configured */
1148 range
= strchr(optarg
, ':');
1150 buffer
= strndup(optarg
, range
- optarg
);
1156 r
= safe_atou32(range
, &arg_uid_range
);
1158 return log_error_errno(r
, "Failed to parse UID range \"%s\": %m", range
);
1162 r
= parse_uid(shift
, &arg_uid_shift
);
1164 return log_error_errno(r
, "Failed to parse UID \"%s\": %m", optarg
);
1166 arg_userns_mode
= USER_NAMESPACE_FIXED
;
1169 if (arg_uid_range
<= 0)
1170 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1171 "UID range cannot be 0.");
1173 arg_settings_mask
|= SETTING_USERNS
;
1178 if (userns_supported()) {
1179 arg_userns_mode
= USER_NAMESPACE_PICK
;
1180 arg_uid_shift
= UID_INVALID
;
1181 arg_uid_range
= UINT32_C(0x10000);
1183 arg_settings_mask
|= SETTING_USERNS
;
1188 case ARG_PRIVATE_USERS_CHOWN
:
1189 arg_userns_chown
= true;
1191 arg_settings_mask
|= SETTING_USERNS
;
1194 case ARG_KILL_SIGNAL
:
1195 if (streq(optarg
, "help")) {
1196 DUMP_STRING_TABLE(signal
, int, _NSIG
);
1200 arg_kill_signal
= signal_from_string(optarg
);
1201 if (arg_kill_signal
< 0)
1202 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1203 "Cannot parse signal: %s", optarg
);
1205 arg_settings_mask
|= SETTING_KILL_SIGNAL
;
1210 /* no → do not read files
1211 * yes → read files, do not override cmdline, trust only subset
1212 * override → read files, override cmdline, trust only subset
1213 * trusted → read files, do not override cmdline, trust all
1216 r
= parse_boolean(optarg
);
1218 if (streq(optarg
, "trusted")) {
1219 mask_all_settings
= false;
1220 mask_no_settings
= false;
1221 arg_settings_trusted
= true;
1223 } else if (streq(optarg
, "override")) {
1224 mask_all_settings
= false;
1225 mask_no_settings
= true;
1226 arg_settings_trusted
= -1;
1228 return log_error_errno(r
, "Failed to parse --settings= argument: %s", optarg
);
1231 mask_all_settings
= false;
1232 mask_no_settings
= false;
1233 arg_settings_trusted
= -1;
1236 mask_all_settings
= true;
1237 mask_no_settings
= false;
1238 arg_settings_trusted
= false;
1244 if (!path_is_absolute(optarg
))
1245 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1246 "Working directory %s is not an absolute path.", optarg
);
1248 r
= free_and_strdup(&arg_chdir
, optarg
);
1252 arg_settings_mask
|= SETTING_WORKING_DIRECTORY
;
1255 case ARG_PIVOT_ROOT
:
1256 r
= pivot_root_parse(&arg_pivot_root_new
, &arg_pivot_root_old
, optarg
);
1258 return log_error_errno(r
, "Failed to parse --pivot-root= argument %s: %m", optarg
);
1260 arg_settings_mask
|= SETTING_PIVOT_ROOT
;
1263 case ARG_NOTIFY_READY
:
1264 r
= parse_boolean(optarg
);
1266 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1267 "%s is not a valid notify mode. Valid modes are: yes, no, and ready.", optarg
);
1268 arg_notify_ready
= r
;
1269 arg_settings_mask
|= SETTING_NOTIFY_READY
;
1272 case ARG_ROOT_HASH
: {
1276 r
= unhexmem(optarg
, strlen(optarg
), &k
, &l
);
1278 return log_error_errno(r
, "Failed to parse root hash: %s", optarg
);
1279 if (l
< sizeof(sd_id128_t
)) {
1281 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Root hash must be at least 128bit long: %s", optarg
);
1284 free(arg_root_hash
);
1286 arg_root_hash_size
= l
;
1290 case ARG_SYSTEM_CALL_FILTER
: {
1294 negative
= optarg
[0] == '~';
1295 items
= negative
? optarg
+ 1 : optarg
;
1298 _cleanup_free_
char *word
= NULL
;
1300 r
= extract_first_word(&items
, &word
, NULL
, 0);
1306 return log_error_errno(r
, "Failed to parse system call filter: %m");
1309 r
= strv_extend(&arg_syscall_blacklist
, word
);
1311 r
= strv_extend(&arg_syscall_whitelist
, word
);
1316 arg_settings_mask
|= SETTING_SYSCALL_FILTER
;
1322 _cleanup_free_
char *name
= NULL
;
1325 if (streq(optarg
, "help")) {
1326 DUMP_STRING_TABLE(rlimit
, int, _RLIMIT_MAX
);
1330 eq
= strchr(optarg
, '=');
1332 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1333 "--rlimit= expects an '=' assignment.");
1335 name
= strndup(optarg
, eq
- optarg
);
1339 rl
= rlimit_from_string_harder(name
);
1341 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1342 "Unknown resource limit: %s", name
);
1344 if (!arg_rlimit
[rl
]) {
1345 arg_rlimit
[rl
] = new0(struct rlimit
, 1);
1346 if (!arg_rlimit
[rl
])
1350 r
= rlimit_parse(rl
, eq
+ 1, arg_rlimit
[rl
]);
1352 return log_error_errno(r
, "Failed to parse resource limit: %s", eq
+ 1);
1354 arg_settings_mask
|= SETTING_RLIMIT_FIRST
<< rl
;
1358 case ARG_OOM_SCORE_ADJUST
:
1359 r
= parse_oom_score_adjust(optarg
, &arg_oom_score_adjust
);
1361 return log_error_errno(r
, "Failed to parse --oom-score-adjust= parameter: %s", optarg
);
1363 arg_oom_score_adjust_set
= true;
1364 arg_settings_mask
|= SETTING_OOM_SCORE_ADJUST
;
1367 case ARG_CPU_AFFINITY
: {
1370 r
= parse_cpu_set(optarg
, &cpuset
);
1372 return log_error_errno(r
, "Failed to parse CPU affinity mask %s: %m", optarg
);
1374 cpu_set_reset(&arg_cpu_set
);
1375 arg_cpu_set
= cpuset
;
1376 arg_settings_mask
|= SETTING_CPU_AFFINITY
;
1380 case ARG_RESOLV_CONF
:
1381 if (streq(optarg
, "help")) {
1382 DUMP_STRING_TABLE(resolv_conf_mode
, ResolvConfMode
, _RESOLV_CONF_MODE_MAX
);
1386 arg_resolv_conf
= resolv_conf_mode_from_string(optarg
);
1387 if (arg_resolv_conf
< 0)
1388 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1389 "Failed to parse /etc/resolv.conf mode: %s", optarg
);
1391 arg_settings_mask
|= SETTING_RESOLV_CONF
;
1395 if (streq(optarg
, "help")) {
1396 DUMP_STRING_TABLE(timezone_mode
, TimezoneMode
, _TIMEZONE_MODE_MAX
);
1400 arg_timezone
= timezone_mode_from_string(optarg
);
1401 if (arg_timezone
< 0)
1402 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1403 "Failed to parse /etc/localtime mode: %s", optarg
);
1405 arg_settings_mask
|= SETTING_TIMEZONE
;
1409 r
= handle_arg_console(optarg
);
1416 r
= handle_arg_console("pipe");
1422 arg_pager_flags
|= PAGER_DISABLE
;
1429 assert_not_reached("Unhandled option");
1432 if (argc
> optind
) {
1433 strv_free(arg_parameters
);
1434 arg_parameters
= strv_copy(argv
+ optind
);
1435 if (!arg_parameters
)
1438 arg_settings_mask
|= SETTING_START_MODE
;
1441 if (arg_ephemeral
&& arg_template
&& !arg_directory
)
1442 /* User asked for ephemeral execution but specified --template= instead of --directory=. Semantically
1443 * such an invocation makes some sense, see https://github.com/systemd/systemd/issues/3667. Let's
1444 * accept this here, and silently make "--ephemeral --template=" equivalent to "--ephemeral
1446 arg_directory
= TAKE_PTR(arg_template
);
1448 arg_caps_retain
= (arg_caps_retain
| plus
| (arg_private_network
? UINT64_C(1) << CAP_NET_ADMIN
: 0)) & ~minus
;
1450 /* Make sure to parse environment before we reset the settings mask below */
1451 r
= parse_environment();
1455 /* Load all settings from .nspawn files */
1456 if (mask_no_settings
)
1457 arg_settings_mask
= 0;
1459 /* Don't load any settings from .nspawn files */
1460 if (mask_all_settings
)
1461 arg_settings_mask
= _SETTINGS_MASK_ALL
;
1466 static int verify_arguments(void) {
1469 if (arg_start_mode
== START_PID2
&& arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
) {
1470 /* If we are running the stub init in the container, we don't need to look at what the init
1471 * in the container supports, because we are not using it. Let's immediately pick the right
1472 * setting based on the host system configuration.
1474 * We only do this, if the user didn't use an environment variable to override the detection.
1477 r
= cg_all_unified();
1479 return log_error_errno(r
, "Failed to determine whether we are in all unified mode.");
1481 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_ALL
;
1482 else if (cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER
) > 0)
1483 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_SYSTEMD
;
1485 arg_unified_cgroup_hierarchy
= CGROUP_UNIFIED_NONE
;
1488 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
1489 arg_mount_settings
|= MOUNT_USE_USERNS
;
1491 if (arg_private_network
)
1492 arg_mount_settings
|= MOUNT_APPLY_APIVFS_NETNS
;
1494 if (!(arg_clone_ns_flags
& CLONE_NEWPID
) ||
1495 !(arg_clone_ns_flags
& CLONE_NEWUTS
)) {
1496 arg_register
= false;
1497 if (arg_start_mode
!= START_PID1
)
1498 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--boot cannot be used without namespacing.");
1501 if (arg_userns_mode
== USER_NAMESPACE_PICK
)
1502 arg_userns_chown
= true;
1504 if (arg_start_mode
== START_BOOT
&& arg_kill_signal
<= 0)
1505 arg_kill_signal
= SIGRTMIN
+3;
1507 if (arg_volatile_mode
!= VOLATILE_NO
) /* Make sure all file systems contained in the image are mounted read-only if we are in volatile mode */
1508 arg_read_only
= true;
1510 if (arg_keep_unit
&& arg_register
&& cg_pid_get_owner_uid(0, NULL
) >= 0)
1511 /* Save the user from accidentally registering either user-$SESSION.scope or user@.service.
1512 * The latter is not technically a user session, but we don't need to labour the point. */
1513 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--keep-unit --register=yes may not be used when invoked from a user session.");
1515 if (arg_directory
&& arg_image
)
1516 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--directory= and --image= may not be combined.");
1518 if (arg_template
&& arg_image
)
1519 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--template= and --image= may not be combined.");
1521 if (arg_template
&& !(arg_directory
|| arg_machine
))
1522 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--template= needs --directory= or --machine=.");
1524 if (arg_ephemeral
&& arg_template
)
1525 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--ephemeral and --template= may not be combined.");
1527 if (arg_ephemeral
&& !IN_SET(arg_link_journal
, LINK_NO
, LINK_AUTO
))
1528 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--ephemeral and --link-journal= may not be combined.");
1530 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& !userns_supported())
1531 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "--private-users= is not supported, kernel compiled without user namespace support.");
1533 if (arg_userns_chown
&& arg_read_only
)
1534 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1535 "--read-only and --private-users-chown may not be combined.");
1537 /* We don't support --private-users-chown together with any of the volatile modes since we couldn't
1538 * change the read-only part of the tree (i.e. /usr) anyway, or because it would trigger a massive
1539 * copy-up (in case of overlay) making the entire exercise pointless. */
1540 if (arg_userns_chown
&& arg_volatile_mode
!= VOLATILE_NO
)
1541 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--volatile= and --private-users-chown may not be combined.");
1543 /* If --network-namespace-path is given with any other network-related option, we need to error out,
1544 * to avoid conflicts between different network options. */
1545 if (arg_network_namespace_path
&&
1546 (arg_network_interfaces
|| arg_network_macvlan
||
1547 arg_network_ipvlan
|| arg_network_veth_extra
||
1548 arg_network_bridge
|| arg_network_zone
||
1549 arg_network_veth
|| arg_private_network
))
1550 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "--network-namespace-path= cannot be combined with other network options.");
1552 if (arg_network_bridge
&& arg_network_zone
)
1553 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
1554 "--network-bridge= and --network-zone= may not be combined.");
1556 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& (arg_mount_settings
& MOUNT_APPLY_APIVFS_NETNS
) && !arg_private_network
)
1557 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid namespacing settings. Mounting sysfs with --private-users requires --private-network.");
1559 if (arg_userns_mode
!= USER_NAMESPACE_NO
&& !(arg_mount_settings
& MOUNT_APPLY_APIVFS_RO
))
1560 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Cannot combine --private-users with read-write mounts.");
1562 if (arg_expose_ports
&& !arg_private_network
)
1563 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Cannot use --port= without private networking.");
1566 if (arg_expose_ports
)
1567 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "--port= is not supported, compiled without libiptc support.");
1570 r
= custom_mount_check_all();
1577 static int userns_lchown(const char *p
, uid_t uid
, gid_t gid
) {
1580 if (arg_userns_mode
== USER_NAMESPACE_NO
)
1583 if (uid
== UID_INVALID
&& gid
== GID_INVALID
)
1586 if (uid
!= UID_INVALID
) {
1587 uid
+= arg_uid_shift
;
1589 if (uid
< arg_uid_shift
|| uid
>= arg_uid_shift
+ arg_uid_range
)
1593 if (gid
!= GID_INVALID
) {
1594 gid
+= (gid_t
) arg_uid_shift
;
1596 if (gid
< (gid_t
) arg_uid_shift
|| gid
>= (gid_t
) (arg_uid_shift
+ arg_uid_range
))
1600 if (lchown(p
, uid
, gid
) < 0)
1606 static int userns_mkdir(const char *root
, const char *path
, mode_t mode
, uid_t uid
, gid_t gid
) {
1610 q
= prefix_roota(root
, path
);
1611 r
= mkdir_errno_wrapper(q
, mode
);
1617 return userns_lchown(q
, uid
, gid
);
1620 static const char *timezone_from_path(const char *path
) {
1621 return PATH_STARTSWITH_SET(
1623 "../usr/share/zoneinfo/",
1624 "/usr/share/zoneinfo/");
1627 static bool etc_writable(void) {
1628 return !arg_read_only
|| IN_SET(arg_volatile_mode
, VOLATILE_YES
, VOLATILE_OVERLAY
);
1631 static int setup_timezone(const char *dest
) {
1632 _cleanup_free_
char *p
= NULL
, *etc
= NULL
;
1633 const char *where
, *check
;
1639 if (IN_SET(arg_timezone
, TIMEZONE_AUTO
, TIMEZONE_SYMLINK
)) {
1640 r
= readlink_malloc("/etc/localtime", &p
);
1641 if (r
== -ENOENT
&& arg_timezone
== TIMEZONE_AUTO
)
1642 m
= etc_writable() ? TIMEZONE_DELETE
: TIMEZONE_OFF
;
1643 else if (r
== -EINVAL
&& arg_timezone
== TIMEZONE_AUTO
) /* regular file? */
1644 m
= etc_writable() ? TIMEZONE_COPY
: TIMEZONE_BIND
;
1646 log_warning_errno(r
, "Failed to read host's /etc/localtime symlink, not updating container timezone: %m");
1647 /* To handle warning, delete /etc/localtime and replace it with a symbolic link to a time zone data
1651 * ln -s /usr/share/zoneinfo/UTC /etc/localtime
1654 } else if (arg_timezone
== TIMEZONE_AUTO
)
1655 m
= etc_writable() ? TIMEZONE_SYMLINK
: TIMEZONE_BIND
;
1661 if (m
== TIMEZONE_OFF
)
1664 r
= chase_symlinks("/etc", dest
, CHASE_PREFIX_ROOT
, &etc
, NULL
);
1666 log_warning_errno(r
, "Failed to resolve /etc path in container, ignoring: %m");
1670 where
= strjoina(etc
, "/localtime");
1674 case TIMEZONE_DELETE
:
1675 if (unlink(where
) < 0)
1676 log_full_errno(errno
== ENOENT
? LOG_DEBUG
: LOG_WARNING
, errno
, "Failed to remove '%s', ignoring: %m", where
);
1680 case TIMEZONE_SYMLINK
: {
1681 _cleanup_free_
char *q
= NULL
;
1682 const char *z
, *what
;
1684 z
= timezone_from_path(p
);
1686 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1690 r
= readlink_malloc(where
, &q
);
1691 if (r
>= 0 && streq_ptr(timezone_from_path(q
), z
))
1692 return 0; /* Already pointing to the right place? Then do nothing .. */
1694 check
= strjoina(dest
, "/usr/share/zoneinfo/", z
);
1695 r
= chase_symlinks(check
, dest
, 0, NULL
, NULL
);
1697 log_debug_errno(r
, "Timezone %s does not exist (or is not accessible) in container, not creating symlink: %m", z
);
1699 if (unlink(where
) < 0 && errno
!= ENOENT
) {
1700 log_full_errno(IN_SET(errno
, EROFS
, EACCES
, EPERM
) ? LOG_DEBUG
: LOG_WARNING
, /* Don't complain on read-only images */
1701 errno
, "Failed to remove existing timezone info %s in container, ignoring: %m", where
);
1705 what
= strjoina("../usr/share/zoneinfo/", z
);
1706 if (symlink(what
, where
) < 0) {
1707 log_full_errno(IN_SET(errno
, EROFS
, EACCES
, EPERM
) ? LOG_DEBUG
: LOG_WARNING
,
1708 errno
, "Failed to correct timezone of container, ignoring: %m");
1718 case TIMEZONE_BIND
: {
1719 _cleanup_free_
char *resolved
= NULL
;
1722 found
= chase_symlinks(where
, dest
, CHASE_NONEXISTENT
, &resolved
, NULL
);
1724 log_warning_errno(found
, "Failed to resolve /etc/localtime path in container, ignoring: %m");
1728 if (found
== 0) /* missing? */
1729 (void) touch(resolved
);
1731 r
= mount_verbose(LOG_WARNING
, "/etc/localtime", resolved
, NULL
, MS_BIND
, NULL
);
1733 return mount_verbose(LOG_ERR
, NULL
, resolved
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
);
1739 /* If mounting failed, try to copy */
1740 r
= copy_file_atomic("/etc/localtime", where
, 0644, 0, 0, COPY_REFLINK
|COPY_REPLACE
);
1742 log_full_errno(IN_SET(r
, -EROFS
, -EACCES
, -EPERM
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1743 "Failed to copy /etc/localtime to %s, ignoring: %m", where
);
1750 assert_not_reached("unexpected mode");
1753 /* Fix permissions of the symlink or file copy we just created */
1754 r
= userns_lchown(where
, 0, 0);
1756 log_warning_errno(r
, "Failed to chown /etc/localtime, ignoring: %m");
1761 static int have_resolv_conf(const char *path
) {
1764 if (access(path
, F_OK
) < 0) {
1765 if (errno
== ENOENT
)
1768 return log_debug_errno(errno
, "Failed to determine whether '%s' is available: %m", path
);
1774 static int resolved_listening(void) {
1775 _cleanup_(sd_bus_error_free
) sd_bus_error error
= SD_BUS_ERROR_NULL
;
1776 _cleanup_(sd_bus_flush_close_unrefp
) sd_bus
*bus
= NULL
;
1777 _cleanup_free_
char *dns_stub_listener_mode
= NULL
;
1780 /* Check if resolved is listening */
1782 r
= sd_bus_open_system(&bus
);
1784 return log_debug_errno(r
, "Failed to open system bus: %m");
1786 r
= bus_name_has_owner(bus
, "org.freedesktop.resolve1", NULL
);
1788 return log_debug_errno(r
, "Failed to check whether the 'org.freedesktop.resolve1' bus name is taken: %m");
1792 r
= sd_bus_get_property_string(bus
,
1793 "org.freedesktop.resolve1",
1794 "/org/freedesktop/resolve1",
1795 "org.freedesktop.resolve1.Manager",
1798 &dns_stub_listener_mode
);
1800 return log_debug_errno(r
, "Failed to query DNSStubListener property: %s", bus_error_message(&error
, r
));
1802 return STR_IN_SET(dns_stub_listener_mode
, "udp", "yes");
1805 static int setup_resolv_conf(const char *dest
) {
1806 _cleanup_free_
char *etc
= NULL
;
1807 const char *where
, *what
;
1813 if (arg_resolv_conf
== RESOLV_CONF_AUTO
) {
1814 if (arg_private_network
)
1815 m
= RESOLV_CONF_OFF
;
1816 else if (have_resolv_conf(STATIC_RESOLV_CONF
) > 0 && resolved_listening() > 0)
1817 m
= etc_writable() ? RESOLV_CONF_COPY_STATIC
: RESOLV_CONF_BIND_STATIC
;
1818 else if (have_resolv_conf("/etc/resolv.conf") > 0)
1819 m
= etc_writable() ? RESOLV_CONF_COPY_HOST
: RESOLV_CONF_BIND_HOST
;
1821 m
= etc_writable() ? RESOLV_CONF_DELETE
: RESOLV_CONF_OFF
;
1823 m
= arg_resolv_conf
;
1825 if (m
== RESOLV_CONF_OFF
)
1828 r
= chase_symlinks("/etc", dest
, CHASE_PREFIX_ROOT
, &etc
, NULL
);
1830 log_warning_errno(r
, "Failed to resolve /etc path in container, ignoring: %m");
1834 where
= strjoina(etc
, "/resolv.conf");
1836 if (m
== RESOLV_CONF_DELETE
) {
1837 if (unlink(where
) < 0)
1838 log_full_errno(errno
== ENOENT
? LOG_DEBUG
: LOG_WARNING
, errno
, "Failed to remove '%s', ignoring: %m", where
);
1843 if (IN_SET(m
, RESOLV_CONF_BIND_STATIC
, RESOLV_CONF_COPY_STATIC
))
1844 what
= STATIC_RESOLV_CONF
;
1846 what
= "/etc/resolv.conf";
1848 if (IN_SET(m
, RESOLV_CONF_BIND_HOST
, RESOLV_CONF_BIND_STATIC
)) {
1849 _cleanup_free_
char *resolved
= NULL
;
1852 found
= chase_symlinks(where
, dest
, CHASE_NONEXISTENT
, &resolved
, NULL
);
1854 log_warning_errno(found
, "Failed to resolve /etc/resolv.conf path in container, ignoring: %m");
1858 if (found
== 0) /* missing? */
1859 (void) touch(resolved
);
1861 r
= mount_verbose(LOG_WARNING
, what
, resolved
, NULL
, MS_BIND
, NULL
);
1863 return mount_verbose(LOG_ERR
, NULL
, resolved
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
);
1866 /* If that didn't work, let's copy the file */
1867 r
= copy_file(what
, where
, O_TRUNC
|O_NOFOLLOW
, 0644, 0, 0, COPY_REFLINK
);
1869 /* If the file already exists as symlink, let's suppress the warning, under the assumption that
1870 * resolved or something similar runs inside and the symlink points there.
1872 * If the disk image is read-only, there's also no point in complaining.
1874 log_full_errno(!IN_SET(RESOLV_CONF_COPY_HOST
, RESOLV_CONF_COPY_STATIC
) && IN_SET(r
, -ELOOP
, -EROFS
, -EACCES
, -EPERM
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1875 "Failed to copy /etc/resolv.conf to %s, ignoring: %m", where
);
1879 r
= userns_lchown(where
, 0, 0);
1881 log_warning_errno(r
, "Failed to chown /etc/resolv.conf, ignoring: %m");
1886 static int setup_boot_id(void) {
1887 _cleanup_(unlink_and_freep
) char *from
= NULL
;
1888 _cleanup_free_
char *path
= NULL
;
1889 sd_id128_t rnd
= SD_ID128_NULL
;
1893 /* Generate a new randomized boot ID, so that each boot-up of the container gets a new one */
1895 r
= tempfn_random_child("/run", "proc-sys-kernel-random-boot-id", &path
);
1897 return log_error_errno(r
, "Failed to generate random boot ID path: %m");
1899 r
= sd_id128_randomize(&rnd
);
1901 return log_error_errno(r
, "Failed to generate random boot id: %m");
1903 r
= id128_write(path
, ID128_UUID
, rnd
, false);
1905 return log_error_errno(r
, "Failed to write boot id: %m");
1907 from
= TAKE_PTR(path
);
1908 to
= "/proc/sys/kernel/random/boot_id";
1910 r
= mount_verbose(LOG_ERR
, from
, to
, NULL
, MS_BIND
, NULL
);
1914 return mount_verbose(LOG_ERR
, NULL
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, NULL
);
1917 static int copy_devnodes(const char *dest
) {
1918 static const char devnodes
[] =
1927 _cleanup_umask_ mode_t u
;
1935 /* Create /dev/net, so that we can create /dev/net/tun in it */
1936 if (userns_mkdir(dest
, "/dev/net", 0755, 0, 0) < 0)
1937 return log_error_errno(r
, "Failed to create /dev/net directory: %m");
1939 NULSTR_FOREACH(d
, devnodes
) {
1940 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1943 from
= path_join("/dev/", d
);
1947 to
= path_join(dest
, from
);
1951 if (stat(from
, &st
) < 0) {
1953 if (errno
!= ENOENT
)
1954 return log_error_errno(errno
, "Failed to stat %s: %m", from
);
1956 } else if (!S_ISCHR(st
.st_mode
) && !S_ISBLK(st
.st_mode
))
1957 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
1958 "%s is not a char or block device, cannot copy.", from
);
1960 _cleanup_free_
char *sl
= NULL
, *prefixed
= NULL
, *dn
= NULL
, *t
= NULL
;
1962 if (mknod(to
, st
.st_mode
, st
.st_rdev
) < 0) {
1963 /* Explicitly warn the user when /dev is already populated. */
1964 if (errno
== EEXIST
)
1965 log_notice("%s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system.", dest
);
1967 return log_error_errno(errno
, "mknod(%s) failed: %m", to
);
1969 /* Some systems abusively restrict mknod but allow bind mounts. */
1972 return log_error_errno(r
, "touch (%s) failed: %m", to
);
1973 r
= mount_verbose(LOG_DEBUG
, from
, to
, NULL
, MS_BIND
, NULL
);
1975 return log_error_errno(r
, "Both mknod and bind mount (%s) failed: %m", to
);
1978 r
= userns_lchown(to
, 0, 0);
1980 return log_error_errno(r
, "chown() of device node %s failed: %m", to
);
1982 dn
= path_join("/dev", S_ISCHR(st
.st_mode
) ? "char" : "block");
1986 r
= userns_mkdir(dest
, dn
, 0755, 0, 0);
1988 return log_error_errno(r
, "Failed to create '%s': %m", dn
);
1990 if (asprintf(&sl
, "%s/%u:%u", dn
, major(st
.st_rdev
), minor(st
.st_rdev
)) < 0)
1993 prefixed
= path_join(dest
, sl
);
1997 t
= path_join("..", d
);
2001 if (symlink(t
, prefixed
) < 0)
2002 log_debug_errno(errno
, "Failed to symlink '%s' to '%s': %m", t
, prefixed
);
2009 static int make_extra_nodes(const char *dest
) {
2010 _cleanup_umask_ mode_t u
;
2016 for (i
= 0; i
< arg_n_extra_nodes
; i
++) {
2017 _cleanup_free_
char *path
= NULL
;
2018 DeviceNode
*n
= arg_extra_nodes
+ i
;
2020 path
= path_join(dest
, n
->path
);
2024 if (mknod(path
, n
->mode
, S_ISCHR(n
->mode
) || S_ISBLK(n
->mode
) ? makedev(n
->major
, n
->minor
) : 0) < 0)
2025 return log_error_errno(errno
, "Failed to create device node '%s': %m", path
);
2027 r
= chmod_and_chown(path
, n
->mode
, n
->uid
, n
->gid
);
2029 return log_error_errno(r
, "Failed to adjust device node ownership of '%s': %m", path
);
2035 static int setup_pts(const char *dest
) {
2036 _cleanup_free_
char *options
= NULL
;
2041 if (arg_selinux_apifs_context
)
2042 (void) asprintf(&options
,
2043 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
",context=\"%s\"",
2044 arg_uid_shift
+ TTY_GID
,
2045 arg_selinux_apifs_context
);
2048 (void) asprintf(&options
,
2049 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
,
2050 arg_uid_shift
+ TTY_GID
);
2055 /* Mount /dev/pts itself */
2056 p
= prefix_roota(dest
, "/dev/pts");
2057 r
= mkdir_errno_wrapper(p
, 0755);
2059 return log_error_errno(r
, "Failed to create /dev/pts: %m");
2061 r
= mount_verbose(LOG_ERR
, "devpts", p
, "devpts", MS_NOSUID
|MS_NOEXEC
, options
);
2064 r
= userns_lchown(p
, 0, 0);
2066 return log_error_errno(r
, "Failed to chown /dev/pts: %m");
2068 /* Create /dev/ptmx symlink */
2069 p
= prefix_roota(dest
, "/dev/ptmx");
2070 if (symlink("pts/ptmx", p
) < 0)
2071 return log_error_errno(errno
, "Failed to create /dev/ptmx symlink: %m");
2072 r
= userns_lchown(p
, 0, 0);
2074 return log_error_errno(r
, "Failed to chown /dev/ptmx: %m");
2076 /* And fix /dev/pts/ptmx ownership */
2077 p
= prefix_roota(dest
, "/dev/pts/ptmx");
2078 r
= userns_lchown(p
, 0, 0);
2080 return log_error_errno(r
, "Failed to chown /dev/pts/ptmx: %m");
2085 static int setup_stdio_as_dev_console(void) {
2089 terminal
= open_terminal("/dev/console", O_RDWR
);
2091 return log_error_errno(terminal
, "Failed to open console: %m");
2093 /* Make sure we can continue logging to the original stderr, even if
2094 * stderr points elsewhere now */
2095 r
= log_dup_console();
2097 return log_error_errno(r
, "Failed to duplicate stderr: %m");
2099 /* invalidates 'terminal' on success and failure */
2100 r
= rearrange_stdio(terminal
, terminal
, terminal
);
2102 return log_error_errno(r
, "Failed to move console to stdin/stdout/stderr: %m");
2107 static int setup_dev_console(const char *console
) {
2108 _cleanup_free_
char *p
= NULL
;
2111 /* Create /dev/console symlink */
2112 r
= path_make_relative("/dev", console
, &p
);
2114 return log_error_errno(r
, "Failed to create relative path: %m");
2116 if (symlink(p
, "/dev/console") < 0)
2117 return log_error_errno(errno
, "Failed to create /dev/console symlink: %m");
2122 static int setup_keyring(void) {
2123 key_serial_t keyring
;
2125 /* Allocate a new session keyring for the container. This makes sure the keyring of the session systemd-nspawn
2126 * was invoked from doesn't leak into the container. Note that by default we block keyctl() and request_key()
2127 * anyway via seccomp so doing this operation isn't strictly necessary, but in case people explicitly whitelist
2128 * these system calls let's make sure we don't leak anything into the container. */
2130 keyring
= keyctl(KEYCTL_JOIN_SESSION_KEYRING
, 0, 0, 0, 0);
2131 if (keyring
== -1) {
2132 if (errno
== ENOSYS
)
2133 log_debug_errno(errno
, "Kernel keyring not supported, ignoring.");
2134 else if (IN_SET(errno
, EACCES
, EPERM
))
2135 log_debug_errno(errno
, "Kernel keyring access prohibited, ignoring.");
2137 return log_error_errno(errno
, "Setting up kernel keyring failed: %m");
2143 static int setup_kmsg(int kmsg_socket
) {
2144 _cleanup_(unlink_and_freep
) char *from
= NULL
;
2145 _cleanup_free_
char *fifo
= NULL
;
2146 _cleanup_close_
int fd
= -1;
2147 _cleanup_umask_ mode_t u
;
2150 assert(kmsg_socket
>= 0);
2154 /* We create the kmsg FIFO as as temporary file in /run, but immediately delete it after bind mounting it to
2155 * /proc/kmsg. While FIFOs on the reading side behave very similar to /proc/kmsg, their writing side behaves
2156 * differently from /dev/kmsg in that writing blocks when nothing is reading. In order to avoid any problems
2157 * with containers deadlocking due to this we simply make /dev/kmsg unavailable to the container. */
2159 r
= tempfn_random_child("/run", "proc-kmsg", &fifo
);
2161 return log_error_errno(r
, "Failed to generate kmsg path: %m");
2163 if (mkfifo(fifo
, 0600) < 0)
2164 return log_error_errno(errno
, "mkfifo() for /run/kmsg failed: %m");
2166 from
= TAKE_PTR(fifo
);
2168 r
= mount_verbose(LOG_ERR
, from
, "/proc/kmsg", NULL
, MS_BIND
, NULL
);
2172 fd
= open(from
, O_RDWR
|O_NONBLOCK
|O_CLOEXEC
);
2174 return log_error_errno(errno
, "Failed to open fifo: %m");
2176 /* Store away the fd in the socket, so that it stays open as long as we run the child */
2177 r
= send_one_fd(kmsg_socket
, fd
, 0);
2179 return log_error_errno(r
, "Failed to send FIFO fd: %m");
2184 static int on_address_change(sd_netlink
*rtnl
, sd_netlink_message
*m
, void *userdata
) {
2185 union in_addr_union
*exposed
= userdata
;
2191 expose_port_execute(rtnl
, arg_expose_ports
, exposed
);
2195 static int setup_hostname(void) {
2198 if ((arg_clone_ns_flags
& CLONE_NEWUTS
) == 0)
2201 r
= sethostname_idempotent(arg_hostname
?: arg_machine
);
2203 return log_error_errno(r
, "Failed to set hostname: %m");
2208 static int setup_journal(const char *directory
) {
2209 _cleanup_free_
char *d
= NULL
;
2210 const char *dirname
, *p
, *q
;
2216 /* Don't link journals in ephemeral mode */
2220 if (arg_link_journal
== LINK_NO
)
2223 try = arg_link_journal_try
|| arg_link_journal
== LINK_AUTO
;
2225 r
= sd_id128_get_machine(&this_id
);
2227 return log_error_errno(r
, "Failed to retrieve machine ID: %m");
2229 if (sd_id128_equal(arg_uuid
, this_id
)) {
2230 log_full(try ? LOG_WARNING
: LOG_ERR
,
2231 "Host and machine ids are equal (%s): refusing to link journals", sd_id128_to_string(arg_uuid
, id
));
2237 FOREACH_STRING(dirname
, "/var", "/var/log", "/var/log/journal") {
2238 r
= userns_mkdir(directory
, dirname
, 0755, 0, 0);
2240 bool ignore
= r
== -EROFS
&& try;
2241 log_full_errno(ignore
? LOG_DEBUG
: LOG_ERR
, r
,
2242 "Failed to create %s%s: %m", dirname
, ignore
? ", ignoring" : "");
2243 return ignore
? 0 : r
;
2247 (void) sd_id128_to_string(arg_uuid
, id
);
2249 p
= strjoina("/var/log/journal/", id
);
2250 q
= prefix_roota(directory
, p
);
2252 if (path_is_mount_point(p
, NULL
, 0) > 0) {
2256 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
),
2257 "%s: already a mount point, refusing to use for journal", p
);
2260 if (path_is_mount_point(q
, NULL
, 0) > 0) {
2264 return log_error_errno(SYNTHETIC_ERRNO(EEXIST
),
2265 "%s: already a mount point, refusing to use for journal", q
);
2268 r
= readlink_and_make_absolute(p
, &d
);
2270 if (IN_SET(arg_link_journal
, LINK_GUEST
, LINK_AUTO
) &&
2273 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2275 log_warning_errno(r
, "Failed to create directory %s: %m", q
);
2280 return log_error_errno(errno
, "Failed to remove symlink %s: %m", p
);
2281 } else if (r
== -EINVAL
) {
2283 if (arg_link_journal
== LINK_GUEST
&&
2286 if (errno
== ENOTDIR
) {
2287 log_error("%s already exists and is neither a symlink nor a directory", p
);
2290 return log_error_errno(errno
, "Failed to remove %s: %m", p
);
2292 } else if (r
!= -ENOENT
)
2293 return log_error_errno(r
, "readlink(%s) failed: %m", p
);
2295 if (arg_link_journal
== LINK_GUEST
) {
2297 if (symlink(q
, p
) < 0) {
2299 log_debug_errno(errno
, "Failed to symlink %s to %s, skipping journal setup: %m", q
, p
);
2302 return log_error_errno(errno
, "Failed to symlink %s to %s: %m", q
, p
);
2305 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2307 log_warning_errno(r
, "Failed to create directory %s: %m", q
);
2311 if (arg_link_journal
== LINK_HOST
) {
2312 /* don't create parents here — if the host doesn't have
2313 * permanent journal set up, don't force it here */
2315 r
= mkdir_errno_wrapper(p
, 0755);
2316 if (r
< 0 && r
!= -EEXIST
) {
2318 log_debug_errno(r
, "Failed to create %s, skipping journal setup: %m", p
);
2321 return log_error_errno(r
, "Failed to create %s: %m", p
);
2324 } else if (access(p
, F_OK
) < 0)
2327 if (dir_is_empty(q
) == 0)
2328 log_warning("%s is not empty, proceeding anyway.", q
);
2330 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2332 return log_error_errno(r
, "Failed to create %s: %m", q
);
2334 r
= mount_verbose(LOG_DEBUG
, p
, q
, NULL
, MS_BIND
, NULL
);
2336 return log_error_errno(errno
, "Failed to bind mount journal from host into guest: %m");
2341 static int drop_capabilities(uid_t uid
) {
2342 CapabilityQuintet q
;
2344 /* Let's initialize all five capability sets to something valid. If the quintet was configured via
2345 * OCI use that, but fill in missing bits. If it wasn't then derive the quintet in full from
2346 * arg_caps_retain. */
2348 if (capability_quintet_is_set(&arg_full_capabilities
)) {
2349 q
= arg_full_capabilities
;
2351 if (q
.bounding
== (uint64_t) -1)
2352 q
.bounding
= uid
== 0 ? arg_caps_retain
: 0;
2354 if (q
.effective
== (uint64_t) -1)
2355 q
.effective
= uid
== 0 ? q
.bounding
: 0;
2357 if (q
.inheritable
== (uint64_t) -1)
2358 q
.inheritable
= uid
== 0 ? q
.bounding
: 0;
2360 if (q
.permitted
== (uint64_t) -1)
2361 q
.permitted
= uid
== 0 ? q
.bounding
: 0;
2363 if (q
.ambient
== (uint64_t) -1 && ambient_capabilities_supported())
2366 if (capability_quintet_mangle(&q
))
2367 return log_error_errno(SYNTHETIC_ERRNO(EPERM
), "Cannot set capabilities that are not in the current bounding set.");
2370 q
= (CapabilityQuintet
) {
2371 .bounding
= arg_caps_retain
,
2372 .effective
= uid
== 0 ? arg_caps_retain
: 0,
2373 .inheritable
= uid
== 0 ? arg_caps_retain
: 0,
2374 .permitted
= uid
== 0 ? arg_caps_retain
: 0,
2375 .ambient
= ambient_capabilities_supported() ? 0 : (uint64_t) -1,
2378 /* If we're not using OCI, proceed with mangled capabilities (so we don't error out)
2379 * in order to maintain the same behavior as systemd < 242. */
2380 if (capability_quintet_mangle(&q
))
2381 log_full(arg_quiet
? LOG_DEBUG
: LOG_WARNING
,
2382 "Some capabilities will not be set because they are not in the current bounding set.");
2386 return capability_quintet_enforce(&q
);
2389 static int reset_audit_loginuid(void) {
2390 _cleanup_free_
char *p
= NULL
;
2393 if ((arg_clone_ns_flags
& CLONE_NEWPID
) == 0)
2396 r
= read_one_line_file("/proc/self/loginuid", &p
);
2400 return log_error_errno(r
, "Failed to read /proc/self/loginuid: %m");
2402 /* Already reset? */
2403 if (streq(p
, "4294967295"))
2406 r
= write_string_file("/proc/self/loginuid", "4294967295", WRITE_STRING_FILE_DISABLE_BUFFER
);
2409 "Failed to reset audit login UID. This probably means that your kernel is too\n"
2410 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2411 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2412 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2413 "using systemd-nspawn. Sleeping for 5s... (%m)");
2421 static int setup_propagate(const char *root
) {
2425 (void) mkdir_p("/run/systemd/nspawn/", 0755);
2426 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
2427 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
2428 (void) mkdir_p(p
, 0600);
2430 r
= userns_mkdir(root
, "/run/systemd", 0755, 0, 0);
2432 return log_error_errno(r
, "Failed to create /run/systemd: %m");
2434 r
= userns_mkdir(root
, "/run/systemd/nspawn", 0755, 0, 0);
2436 return log_error_errno(r
, "Failed to create /run/systemd/nspawn: %m");
2438 r
= userns_mkdir(root
, "/run/systemd/nspawn/incoming", 0600, 0, 0);
2440 return log_error_errno(r
, "Failed to create /run/systemd/nspawn/incoming: %m");
2442 q
= prefix_roota(root
, "/run/systemd/nspawn/incoming");
2443 r
= mount_verbose(LOG_ERR
, p
, q
, NULL
, MS_BIND
, NULL
);
2447 r
= mount_verbose(LOG_ERR
, NULL
, q
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
);
2451 /* machined will MS_MOVE into that directory, and that's only
2452 * supported for non-shared mounts. */
2453 return mount_verbose(LOG_ERR
, NULL
, q
, NULL
, MS_SLAVE
, NULL
);
2456 static int setup_machine_id(const char *directory
) {
2457 const char *etc_machine_id
;
2461 /* If the UUID in the container is already set, then that's what counts, and we use. If it isn't set, and the
2462 * caller passed --uuid=, then we'll pass it in the $container_uuid env var to PID 1 of the container. The
2463 * assumption is that PID 1 will then write it to /etc/machine-id to make it persistent. If --uuid= is not
2464 * passed we generate a random UUID, and pass it via $container_uuid. In effect this means that /etc/machine-id
2465 * in the container and our idea of the container UUID will always be in sync (at least if PID 1 in the
2466 * container behaves nicely). */
2468 etc_machine_id
= prefix_roota(directory
, "/etc/machine-id");
2470 r
= id128_read(etc_machine_id
, ID128_PLAIN
, &id
);
2472 if (!IN_SET(r
, -ENOENT
, -ENOMEDIUM
)) /* If the file is missing or empty, we don't mind */
2473 return log_error_errno(r
, "Failed to read machine ID from container image: %m");
2475 if (sd_id128_is_null(arg_uuid
)) {
2476 r
= sd_id128_randomize(&arg_uuid
);
2478 return log_error_errno(r
, "Failed to acquire randomized machine UUID: %m");
2481 if (sd_id128_is_null(id
))
2482 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2483 "Machine ID in container image is zero, refusing.");
2491 static int recursive_chown(const char *directory
, uid_t shift
, uid_t range
) {
2496 if (arg_userns_mode
== USER_NAMESPACE_NO
|| !arg_userns_chown
)
2499 r
= path_patch_uid(directory
, arg_uid_shift
, arg_uid_range
);
2500 if (r
== -EOPNOTSUPP
)
2501 return log_error_errno(r
, "Automatic UID/GID adjusting is only supported for UID/GID ranges starting at multiples of 2^16 with a range of 2^16.");
2503 return log_error_errno(r
, "Upper 16 bits of root directory UID and GID do not match.");
2505 return log_error_errno(r
, "Failed to adjust UID/GID shift of OS tree: %m");
2507 log_debug("Root directory of image is already owned by the right UID/GID range, skipping recursive chown operation.");
2509 log_debug("Patched directory tree to match UID/GID range.");
2516 * < 0 : wait_for_terminate() failed to get the state of the
2517 * container, the container was terminated by a signal, or
2518 * failed for an unknown reason. No change is made to the
2519 * container argument.
2520 * > 0 : The program executed in the container terminated with an
2521 * error. The exit code of the program executed in the
2522 * container is returned. The container argument has been set
2523 * to CONTAINER_TERMINATED.
2524 * 0 : The container is being rebooted, has been shut down or exited
2525 * successfully. The container argument has been set to either
2526 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2528 * That is, success is indicated by a return value of zero, and an
2529 * error is indicated by a non-zero value.
2531 static int wait_for_container(pid_t pid
, ContainerStatus
*container
) {
2535 r
= wait_for_terminate(pid
, &status
);
2537 return log_warning_errno(r
, "Failed to wait for container: %m");
2539 switch (status
.si_code
) {
2542 if (status
.si_status
== 0)
2543 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s exited successfully.", arg_machine
);
2545 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s failed with error code %i.", arg_machine
, status
.si_status
);
2547 *container
= CONTAINER_TERMINATED
;
2548 return status
.si_status
;
2551 if (status
.si_status
== SIGINT
) {
2552 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s has been shut down.", arg_machine
);
2553 *container
= CONTAINER_TERMINATED
;
2556 } else if (status
.si_status
== SIGHUP
) {
2557 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s is being rebooted.", arg_machine
);
2558 *container
= CONTAINER_REBOOTED
;
2564 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
2565 "Container %s terminated by signal %s.", arg_machine
, signal_to_string(status
.si_status
));
2568 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
2569 "Container %s failed due to unknown reason.", arg_machine
);
2573 static int on_orderly_shutdown(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
2576 pid
= PTR_TO_PID(userdata
);
2578 if (kill(pid
, arg_kill_signal
) >= 0) {
2579 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
2580 sd_event_source_set_userdata(s
, NULL
);
2585 sd_event_exit(sd_event_source_get_event(s
), 0);
2589 static int on_sigchld(sd_event_source
*s
, const struct signalfd_siginfo
*ssi
, void *userdata
) {
2595 pid
= PTR_TO_PID(userdata
);
2600 if (waitid(P_ALL
, 0, &si
, WNOHANG
|WNOWAIT
|WEXITED
) < 0)
2601 return log_error_errno(errno
, "Failed to waitid(): %m");
2602 if (si
.si_pid
== 0) /* No pending children. */
2604 if (si
.si_pid
== pid
) {
2605 /* The main process we care for has exited. Return from
2606 * signal handler but leave the zombie. */
2607 sd_event_exit(sd_event_source_get_event(s
), 0);
2611 /* Reap all other children. */
2612 (void) waitid(P_PID
, si
.si_pid
, &si
, WNOHANG
|WEXITED
);
2618 static int on_request_stop(sd_bus_message
*m
, void *userdata
, sd_bus_error
*error
) {
2623 pid
= PTR_TO_PID(userdata
);
2625 if (arg_kill_signal
> 0) {
2626 log_info("Container termination requested. Attempting to halt container.");
2627 (void) kill(pid
, arg_kill_signal
);
2629 log_info("Container termination requested. Exiting.");
2630 sd_event_exit(sd_bus_get_event(sd_bus_message_get_bus(m
)), 0);
2636 static int determine_names(void) {
2639 if (arg_template
&& !arg_directory
&& arg_machine
) {
2641 /* If --template= was specified then we should not
2642 * search for a machine, but instead create a new one
2643 * in /var/lib/machine. */
2645 arg_directory
= path_join("/var/lib/machines", arg_machine
);
2650 if (!arg_image
&& !arg_directory
) {
2652 _cleanup_(image_unrefp
) Image
*i
= NULL
;
2654 r
= image_find(IMAGE_MACHINE
, arg_machine
, &i
);
2656 return log_error_errno(r
, "No image for machine '%s'.", arg_machine
);
2658 return log_error_errno(r
, "Failed to find image for machine '%s': %m", arg_machine
);
2660 if (IN_SET(i
->type
, IMAGE_RAW
, IMAGE_BLOCK
))
2661 r
= free_and_strdup(&arg_image
, i
->path
);
2663 r
= free_and_strdup(&arg_directory
, i
->path
);
2668 arg_read_only
= arg_read_only
|| i
->read_only
;
2670 r
= safe_getcwd(&arg_directory
);
2672 return log_error_errno(r
, "Failed to determine current directory: %m");
2675 if (!arg_directory
&& !arg_image
)
2676 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to determine path, please use -D or -i.");
2680 if (arg_directory
&& path_equal(arg_directory
, "/"))
2681 arg_machine
= gethostname_malloc();
2686 arg_machine
= strdup(basename(arg_image
));
2688 /* Truncate suffix if there is one */
2689 e
= endswith(arg_machine
, ".raw");
2693 arg_machine
= strdup(basename(arg_directory
));
2698 hostname_cleanup(arg_machine
);
2699 if (!machine_name_is_valid(arg_machine
))
2700 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to determine machine name automatically, please use -M.");
2702 if (arg_ephemeral
) {
2705 /* Add a random suffix when this is an
2706 * ephemeral machine, so that we can run many
2707 * instances at once without manually having
2708 * to specify -M each time. */
2710 if (asprintf(&b
, "%s-%016" PRIx64
, arg_machine
, random_u64()) < 0)
2721 static int chase_symlinks_and_update(char **p
, unsigned flags
) {
2730 r
= chase_symlinks(*p
, NULL
, flags
, &chased
, NULL
);
2732 return log_error_errno(r
, "Failed to resolve path %s: %m", *p
);
2734 return free_and_replace(*p
, chased
);
2737 static int determine_uid_shift(const char *directory
) {
2740 if (arg_userns_mode
== USER_NAMESPACE_NO
) {
2745 if (arg_uid_shift
== UID_INVALID
) {
2748 r
= stat(directory
, &st
);
2750 return log_error_errno(errno
, "Failed to determine UID base of %s: %m", directory
);
2752 arg_uid_shift
= st
.st_uid
& UINT32_C(0xffff0000);
2754 if (arg_uid_shift
!= (st
.st_gid
& UINT32_C(0xffff0000)))
2755 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2756 "UID and GID base of %s don't match.", directory
);
2758 arg_uid_range
= UINT32_C(0x10000);
2761 if (arg_uid_shift
> (uid_t
) -1 - arg_uid_range
)
2762 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
2763 "UID base too high for UID range.");
2768 static unsigned long effective_clone_ns_flags(void) {
2769 unsigned long flags
= arg_clone_ns_flags
;
2771 if (arg_private_network
)
2772 flags
|= CLONE_NEWNET
;
2774 flags
|= CLONE_NEWCGROUP
;
2775 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
2776 flags
|= CLONE_NEWUSER
;
2781 static int patch_sysctl(void) {
2783 /* This table is inspired by runc's sysctl() function */
2784 static const struct {
2787 unsigned long clone_flags
;
2789 { "kernel.hostname", false, CLONE_NEWUTS
},
2790 { "kernel.domainname", false, CLONE_NEWUTS
},
2791 { "kernel.msgmax", false, CLONE_NEWIPC
},
2792 { "kernel.msgmnb", false, CLONE_NEWIPC
},
2793 { "kernel.msgmni", false, CLONE_NEWIPC
},
2794 { "kernel.sem", false, CLONE_NEWIPC
},
2795 { "kernel.shmall", false, CLONE_NEWIPC
},
2796 { "kernel.shmmax", false, CLONE_NEWIPC
},
2797 { "kernel.shmmni", false, CLONE_NEWIPC
},
2798 { "fs.mqueue.", true, CLONE_NEWIPC
},
2799 { "net.", true, CLONE_NEWNET
},
2802 unsigned long flags
;
2806 flags
= effective_clone_ns_flags();
2808 STRV_FOREACH_PAIR(k
, v
, arg_sysctl
) {
2812 for (i
= 0; i
< ELEMENTSOF(safe_sysctl
); i
++) {
2814 if (!FLAGS_SET(flags
, safe_sysctl
[i
].clone_flags
))
2817 if (safe_sysctl
[i
].prefix
)
2818 good
= startswith(*k
, safe_sysctl
[i
].key
);
2820 good
= streq(*k
, safe_sysctl
[i
].key
);
2827 return log_error_errno(SYNTHETIC_ERRNO(EPERM
), "Refusing to write to sysctl '%s', as it is not safe in the selected namespaces.", *k
);
2829 r
= sysctl_write(*k
, *v
);
2831 return log_error_errno(r
, "Failed to write sysctl '%s': %m", *k
);
2837 static int inner_child(
2839 const char *directory
,
2843 int master_pty_socket
,
2846 _cleanup_free_
char *home
= NULL
;
2849 const char *envp
[] = {
2850 "PATH=" DEFAULT_PATH_COMPAT
,
2851 NULL
, /* container */
2856 NULL
, /* container_uuid */
2857 NULL
, /* LISTEN_FDS */
2858 NULL
, /* LISTEN_PID */
2859 NULL
, /* NOTIFY_SOCKET */
2862 const char *exec_target
;
2863 _cleanup_strv_free_
char **env_use
= NULL
;
2864 int r
, which_failed
;
2866 /* This is the "inner" child process, i.e. the one forked off by the "outer" child process, which is the one
2867 * the container manager itself forked off. At the time of clone() it gained its own CLONE_NEWNS, CLONE_NEWPID,
2868 * CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER namespaces. Note that it has its own CLONE_NEWNS namespace,
2869 * separate from the CLONE_NEWNS created for the "outer" child, and also separate from the host's CLONE_NEWNS
2870 * namespace. The reason for having two levels of CLONE_NEWNS namespaces is that the "inner" one is owned by
2871 * the CLONE_NEWUSER namespace of the container, while the "outer" one is owned by the host's CLONE_NEWUSER
2874 * Note at this point we have no CLONE_NEWNET namespace yet. We'll acquire that one later through
2875 * unshare(). See below. */
2879 assert(kmsg_socket
>= 0);
2881 log_debug("Inner child is initializing.");
2883 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
2884 /* Tell the parent, that it now can write the UID map. */
2885 (void) barrier_place(barrier
); /* #1 */
2887 /* Wait until the parent wrote the UID map */
2888 if (!barrier_place_and_sync(barrier
)) /* #2 */
2889 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
2890 "Parent died too early");
2893 r
= reset_uid_gid();
2895 return log_error_errno(r
, "Couldn't become new root: %m");
2898 arg_mount_settings
| MOUNT_IN_USERNS
,
2900 arg_selinux_apifs_context
);
2904 if (!arg_network_namespace_path
&& arg_private_network
) {
2905 r
= unshare(CLONE_NEWNET
);
2907 return log_error_errno(errno
, "Failed to unshare network namespace: %m");
2909 /* Tell the parent that it can setup network interfaces. */
2910 (void) barrier_place(barrier
); /* #3 */
2913 r
= mount_sysfs(NULL
, arg_mount_settings
);
2917 /* Wait until we are cgroup-ified, so that we
2918 * can mount the right cgroup path writable */
2919 if (!barrier_place_and_sync(barrier
)) /* #4 */
2920 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
2921 "Parent died too early");
2924 r
= unshare(CLONE_NEWCGROUP
);
2926 return log_error_errno(errno
, "Failed to unshare cgroup namespace: %m");
2929 arg_unified_cgroup_hierarchy
,
2930 arg_userns_mode
!= USER_NAMESPACE_NO
,
2933 arg_selinux_apifs_context
,
2938 r
= mount_systemd_cgroup_writable("", arg_unified_cgroup_hierarchy
);
2943 r
= setup_boot_id();
2947 r
= setup_kmsg(kmsg_socket
);
2950 kmsg_socket
= safe_close(kmsg_socket
);
2955 arg_n_custom_mounts
,
2959 arg_selinux_apifs_context
,
2965 return log_error_errno(errno
, "setsid() failed: %m");
2967 if (arg_private_network
)
2970 if (arg_expose_ports
) {
2971 r
= expose_port_send_rtnl(rtnl_socket
);
2974 rtnl_socket
= safe_close(rtnl_socket
);
2977 if (arg_console_mode
!= CONSOLE_PIPE
) {
2978 _cleanup_close_
int master
= -1;
2979 _cleanup_free_
char *console
= NULL
;
2981 /* Allocate a pty and make it available as /dev/console. */
2982 master
= openpt_allocate(O_RDWR
|O_NONBLOCK
, &console
);
2984 return log_error_errno(master
, "Failed to allocate a pty: %m");
2986 r
= setup_dev_console(console
);
2988 return log_error_errno(r
, "Failed to setup /dev/console: %m");
2990 r
= send_one_fd(master_pty_socket
, master
, 0);
2992 return log_error_errno(r
, "Failed to send master fd: %m");
2993 master_pty_socket
= safe_close(master_pty_socket
);
2995 r
= setup_stdio_as_dev_console();
3004 if (arg_oom_score_adjust_set
) {
3005 r
= set_oom_score_adjust(arg_oom_score_adjust
);
3007 return log_error_errno(r
, "Failed to adjust OOM score: %m");
3010 if (arg_cpu_set
.set
)
3011 if (sched_setaffinity(0, arg_cpu_set
.allocated
, arg_cpu_set
.set
) < 0)
3012 return log_error_errno(errno
, "Failed to set CPU affinity: %m");
3014 (void) setup_hostname();
3016 if (arg_personality
!= PERSONALITY_INVALID
) {
3017 r
= safe_personality(arg_personality
);
3019 return log_error_errno(r
, "personality() failed: %m");
3020 } else if (secondary
) {
3021 r
= safe_personality(PER_LINUX32
);
3023 return log_error_errno(r
, "personality() failed: %m");
3026 r
= setrlimit_closest_all((const struct rlimit
*const*) arg_rlimit
, &which_failed
);
3028 return log_error_errno(r
, "Failed to apply resource limit RLIMIT_%s: %m", rlimit_to_string(which_failed
));
3033 if (is_seccomp_available()) {
3035 r
= seccomp_load(arg_seccomp
);
3036 if (ERRNO_IS_SECCOMP_FATAL(r
))
3037 return log_error_errno(r
, "Failed to install seccomp filter: %m");
3039 log_debug_errno(r
, "Failed to install seccomp filter: %m");
3044 r
= setup_seccomp(arg_caps_retain
, arg_syscall_whitelist
, arg_syscall_blacklist
);
3050 if (arg_selinux_context
)
3051 if (setexeccon(arg_selinux_context
) < 0)
3052 return log_error_errno(errno
, "setexeccon(\"%s\") failed: %m", arg_selinux_context
);
3055 /* Make sure we keep the caps across the uid/gid dropping, so that we can retain some selected caps
3056 * if we need to later on. */
3057 if (prctl(PR_SET_KEEPCAPS
, 1) < 0)
3058 return log_error_errno(errno
, "Failed to set PR_SET_KEEPCAPS: %m");
3060 if (uid_is_valid(arg_uid
) || gid_is_valid(arg_gid
))
3061 r
= change_uid_gid_raw(arg_uid
, arg_gid
, arg_supplementary_gids
, arg_n_supplementary_gids
);
3063 r
= change_uid_gid(arg_user
, &home
);
3067 r
= drop_capabilities(getuid());
3069 return log_error_errno(r
, "Dropping capabilities failed: %m");
3071 if (arg_no_new_privileges
)
3072 if (prctl(PR_SET_NO_NEW_PRIVS
, 1, 0, 0, 0) < 0)
3073 return log_error_errno(errno
, "Failed to disable new privileges: %m");
3075 /* LXC sets container=lxc, so follow the scheme here */
3076 envp
[n_env
++] = strjoina("container=", arg_container_service_name
);
3078 envp
[n_env
] = strv_find_prefix(environ
, "TERM=");
3082 if (home
|| !uid_is_valid(arg_uid
) || arg_uid
== 0)
3083 if (asprintf((char**)(envp
+ n_env
++), "HOME=%s", home
?: "/root") < 0)
3086 if (arg_user
|| !uid_is_valid(arg_uid
) || arg_uid
== 0)
3087 if (asprintf((char**)(envp
+ n_env
++), "USER=%s", arg_user
?: "root") < 0 ||
3088 asprintf((char**)(envp
+ n_env
++), "LOGNAME=%s", arg_user
? arg_user
: "root") < 0)
3091 assert(!sd_id128_is_null(arg_uuid
));
3093 if (asprintf((char**)(envp
+ n_env
++), "container_uuid=%s", id128_to_uuid_string(arg_uuid
, as_uuid
)) < 0)
3096 if (fdset_size(fds
) > 0) {
3097 r
= fdset_cloexec(fds
, false);
3099 return log_error_errno(r
, "Failed to unset O_CLOEXEC for file descriptors.");
3101 if ((asprintf((char **)(envp
+ n_env
++), "LISTEN_FDS=%u", fdset_size(fds
)) < 0) ||
3102 (asprintf((char **)(envp
+ n_env
++), "LISTEN_PID=1") < 0))
3105 if (asprintf((char **)(envp
+ n_env
++), "NOTIFY_SOCKET=%s", NSPAWN_NOTIFY_SOCKET_PATH
) < 0)
3108 env_use
= strv_env_merge(2, envp
, arg_setenv
);
3112 /* Let the parent know that we are ready and
3113 * wait until the parent is ready with the
3115 if (!barrier_place_and_sync(barrier
)) /* #5 */
3116 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
),
3117 "Parent died too early");
3120 if (chdir(arg_chdir
) < 0)
3121 return log_error_errno(errno
, "Failed to change to specified working directory %s: %m", arg_chdir
);
3123 if (arg_start_mode
== START_PID2
) {
3124 r
= stub_pid1(arg_uuid
);
3129 log_debug("Inner child completed, invoking payload.");
3131 /* Now, explicitly close the log, so that we then can close all remaining fds. Closing the log explicitly first
3132 * has the benefit that the logging subsystem knows about it, and is thus ready to be reopened should we need
3133 * it again. Note that the other fds closed here are at least the locking and barrier fds. */
3135 log_set_open_when_needed(true);
3137 (void) fdset_close_others(fds
);
3139 if (arg_start_mode
== START_BOOT
) {
3143 /* Automatically search for the init system */
3145 m
= strv_length(arg_parameters
);
3146 a
= newa(char*, m
+ 2);
3147 memcpy_safe(a
+ 1, arg_parameters
, m
* sizeof(char*));
3150 a
[0] = (char*) "/usr/lib/systemd/systemd";
3151 execve(a
[0], a
, env_use
);
3153 a
[0] = (char*) "/lib/systemd/systemd";
3154 execve(a
[0], a
, env_use
);
3156 a
[0] = (char*) "/sbin/init";
3157 execve(a
[0], a
, env_use
);
3159 exec_target
= "/usr/lib/systemd/systemd, /lib/systemd/systemd, /sbin/init";
3160 } else if (!strv_isempty(arg_parameters
)) {
3161 const char *dollar_path
;
3163 exec_target
= arg_parameters
[0];
3165 /* Use the user supplied search $PATH if there is one, or DEFAULT_PATH_COMPAT if not to search the
3167 dollar_path
= strv_env_get(env_use
, "PATH");
3169 if (putenv((char*) dollar_path
) != 0)
3170 return log_error_errno(errno
, "Failed to update $PATH: %m");
3173 execvpe(arg_parameters
[0], arg_parameters
, env_use
);
3176 /* If we cannot change the directory, we'll end up in /, that is expected. */
3177 (void) chdir(home
?: "/root");
3179 execle("/bin/bash", "-bash", NULL
, env_use
);
3180 execle("/bin/sh", "-sh", NULL
, env_use
);
3182 exec_target
= "/bin/bash, /bin/sh";
3185 return log_error_errno(errno
, "execv(%s) failed: %m", exec_target
);
3188 static int setup_sd_notify_child(void) {
3189 _cleanup_close_
int fd
= -1;
3190 union sockaddr_union sa
= {
3191 .un
.sun_family
= AF_UNIX
,
3192 .un
.sun_path
= NSPAWN_NOTIFY_SOCKET_PATH
,
3196 fd
= socket(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, 0);
3198 return log_error_errno(errno
, "Failed to allocate notification socket: %m");
3200 (void) mkdir_parents(NSPAWN_NOTIFY_SOCKET_PATH
, 0755);
3201 (void) sockaddr_un_unlink(&sa
.un
);
3203 r
= bind(fd
, &sa
.sa
, SOCKADDR_UN_LEN(sa
.un
));
3205 return log_error_errno(errno
, "bind(" NSPAWN_NOTIFY_SOCKET_PATH
") failed: %m");
3207 r
= userns_lchown(NSPAWN_NOTIFY_SOCKET_PATH
, 0, 0);
3209 return log_error_errno(r
, "Failed to chown " NSPAWN_NOTIFY_SOCKET_PATH
": %m");
3211 r
= setsockopt_int(fd
, SOL_SOCKET
, SO_PASSCRED
, true);
3213 return log_error_errno(r
, "SO_PASSCRED failed: %m");
3218 static int outer_child(
3220 const char *directory
,
3221 DissectedImage
*dissected_image
,
3228 int uid_shift_socket
,
3229 int master_pty_socket
,
3230 int unified_cgroup_hierarchy_socket
,
3234 _cleanup_close_
int fd
= -1;
3239 /* This is the "outer" child process, i.e the one forked off by the container manager itself. It already has
3240 * its own CLONE_NEWNS namespace (which was created by the clone()). It still lives in the host's CLONE_NEWPID,
3241 * CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER and CLONE_NEWNET namespaces. After it completed a number of
3242 * initializations a second child (the "inner" one) is forked off it, and it exits. */
3246 assert(pid_socket
>= 0);
3247 assert(uuid_socket
>= 0);
3248 assert(notify_socket
>= 0);
3249 assert(master_pty_socket
>= 0);
3250 assert(kmsg_socket
>= 0);
3252 log_debug("Outer child is initializing.");
3254 if (prctl(PR_SET_PDEATHSIG
, SIGKILL
) < 0)
3255 return log_error_errno(errno
, "PR_SET_PDEATHSIG failed: %m");
3257 r
= reset_audit_loginuid();
3261 /* Mark everything as slave, so that we still
3262 * receive mounts from the real root, but don't
3263 * propagate mounts to the real root. */
3264 r
= mount_verbose(LOG_ERR
, NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
);
3268 if (dissected_image
) {
3269 /* If we are operating on a disk image, then mount its root directory now, but leave out the rest. We
3270 * can read the UID shift from it if we need to. Further down we'll mount the rest, but then with the
3271 * uid shift known. That way we can mount VFAT file systems shifted to the right place right away. This
3272 * makes sure ESP partitions and userns are compatible. */
3274 r
= dissected_image_mount(dissected_image
, directory
, arg_uid_shift
,
3275 DISSECT_IMAGE_MOUNT_ROOT_ONLY
|DISSECT_IMAGE_DISCARD_ON_LOOP
|
3276 (arg_read_only
? DISSECT_IMAGE_READ_ONLY
: 0)|
3277 (arg_start_mode
== START_BOOT
? DISSECT_IMAGE_VALIDATE_OS
: 0));
3282 r
= determine_uid_shift(directory
);
3286 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
3287 /* Let the parent know which UID shift we read from the image */
3288 l
= send(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), MSG_NOSIGNAL
);
3290 return log_error_errno(errno
, "Failed to send UID shift: %m");
3291 if (l
!= sizeof(arg_uid_shift
))
3292 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3293 "Short write while sending UID shift.");
3295 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
3296 /* When we are supposed to pick the UID shift, the parent will check now whether the UID shift
3297 * we just read from the image is available. If yes, it will send the UID shift back to us, if
3298 * not it will pick a different one, and send it back to us. */
3300 l
= recv(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), 0);
3302 return log_error_errno(errno
, "Failed to recv UID shift: %m");
3303 if (l
!= sizeof(arg_uid_shift
))
3304 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3305 "Short read while receiving UID shift.");
3308 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
,
3309 "Selected user namespace base " UID_FMT
" and range " UID_FMT
".", arg_uid_shift
, arg_uid_range
);
3312 if (path_equal(directory
, "/")) {
3313 /* If the directory we shall boot is the host, let's operate on a bind mount at a different
3314 * place, so that we can make changes to its mount structure (for example, to implement
3315 * --volatile=) without this interfering with our ability to access files such as
3316 * /etc/localtime to copy into the container. Note that we use a fixed place for this
3317 * (instead of a temporary directory, since we are living in our own mount namspace here
3318 * already, and thus don't need to be afraid of colliding with anyone else's mounts).*/
3319 (void) mkdir_p("/run/systemd/nspawn-root", 0755);
3321 r
= mount_verbose(LOG_ERR
, "/", "/run/systemd/nspawn-root", NULL
, MS_BIND
|MS_REC
, NULL
);
3325 directory
= "/run/systemd/nspawn-root";
3327 } else if (!dissected_image
) {
3328 /* Turn directory into bind mount (we need that so that we can move the bind mount to root
3330 r
= mount_verbose(LOG_ERR
, directory
, directory
, NULL
, MS_BIND
|MS_REC
, NULL
);
3335 r
= setup_pivot_root(
3338 arg_pivot_root_old
);
3342 r
= setup_volatile_mode(
3345 arg_userns_mode
!= USER_NAMESPACE_NO
,
3348 arg_selinux_apifs_context
);
3352 if (dissected_image
) {
3353 /* Now we know the uid shift, let's now mount everything else that might be in the image. */
3354 r
= dissected_image_mount(dissected_image
, directory
, arg_uid_shift
,
3355 DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY
|DISSECT_IMAGE_DISCARD_ON_LOOP
|(arg_read_only
? DISSECT_IMAGE_READ_ONLY
: 0));
3360 if (arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
) {
3361 /* OK, we don't know yet which cgroup mode to use yet. Let's figure it out, and tell the parent. */
3363 r
= detect_unified_cgroup_hierarchy_from_image(directory
);
3367 l
= send(unified_cgroup_hierarchy_socket
, &arg_unified_cgroup_hierarchy
, sizeof(arg_unified_cgroup_hierarchy
), MSG_NOSIGNAL
);
3369 return log_error_errno(errno
, "Failed to send cgroup mode: %m");
3370 if (l
!= sizeof(arg_unified_cgroup_hierarchy
))
3371 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3372 "Short write while sending cgroup mode.");
3374 unified_cgroup_hierarchy_socket
= safe_close(unified_cgroup_hierarchy_socket
);
3377 /* Mark everything as shared so our mounts get propagated down. This is
3378 * required to make new bind mounts available in systemd services
3379 * inside the container that create a new mount namespace.
3380 * See https://github.com/systemd/systemd/issues/3860
3381 * Further submounts (such as /dev) done after this will inherit the
3382 * shared propagation mode. */
3383 r
= mount_verbose(LOG_ERR
, NULL
, directory
, NULL
, MS_SHARED
|MS_REC
, NULL
);
3387 r
= recursive_chown(directory
, arg_uid_shift
, arg_uid_range
);
3391 r
= base_filesystem_create(directory
, arg_uid_shift
, (gid_t
) arg_uid_shift
);
3395 if (arg_read_only
&& arg_volatile_mode
== VOLATILE_NO
) {
3396 r
= bind_remount_recursive(directory
, MS_RDONLY
, MS_RDONLY
, NULL
);
3398 return log_error_errno(r
, "Failed to make tree read-only: %m");
3401 r
= mount_all(directory
,
3404 arg_selinux_apifs_context
);
3408 r
= copy_devnodes(directory
);
3412 r
= make_extra_nodes(directory
);
3416 (void) dev_setup(directory
, arg_uid_shift
, arg_uid_shift
);
3417 (void) make_inaccessible_nodes(directory
, arg_uid_shift
, arg_uid_shift
);
3419 r
= setup_pts(directory
);
3423 r
= setup_propagate(directory
);
3427 r
= setup_keyring();
3431 r
= setup_timezone(directory
);
3435 r
= setup_resolv_conf(directory
);
3439 r
= setup_machine_id(directory
);
3443 r
= setup_journal(directory
);
3450 arg_n_custom_mounts
,
3451 arg_userns_mode
!= USER_NAMESPACE_NO
,
3454 arg_selinux_apifs_context
,
3459 if (!arg_use_cgns
) {
3462 arg_unified_cgroup_hierarchy
,
3463 arg_userns_mode
!= USER_NAMESPACE_NO
,
3466 arg_selinux_apifs_context
,
3472 r
= mount_move_root(directory
);
3474 return log_error_errno(r
, "Failed to move root directory: %m");
3476 fd
= setup_sd_notify_child();
3480 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
|
3481 arg_clone_ns_flags
|
3482 (arg_userns_mode
!= USER_NAMESPACE_NO
? CLONE_NEWUSER
: 0));
3484 return log_error_errno(errno
, "Failed to fork inner child: %m");
3486 pid_socket
= safe_close(pid_socket
);
3487 uuid_socket
= safe_close(uuid_socket
);
3488 notify_socket
= safe_close(notify_socket
);
3489 uid_shift_socket
= safe_close(uid_shift_socket
);
3491 /* The inner child has all namespaces that are
3492 * requested, so that we all are owned by the user if
3493 * user namespaces are turned on. */
3495 if (arg_network_namespace_path
) {
3496 r
= namespace_enter(-1, -1, netns_fd
, -1, -1);
3498 return log_error_errno(r
, "Failed to join network namespace: %m");
3501 r
= inner_child(barrier
, directory
, secondary
, kmsg_socket
, rtnl_socket
, master_pty_socket
, fds
);
3503 _exit(EXIT_FAILURE
);
3505 _exit(EXIT_SUCCESS
);
3508 l
= send(pid_socket
, &pid
, sizeof(pid
), MSG_NOSIGNAL
);
3510 return log_error_errno(errno
, "Failed to send PID: %m");
3511 if (l
!= sizeof(pid
))
3512 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3513 "Short write while sending PID.");
3515 l
= send(uuid_socket
, &arg_uuid
, sizeof(arg_uuid
), MSG_NOSIGNAL
);
3517 return log_error_errno(errno
, "Failed to send machine ID: %m");
3518 if (l
!= sizeof(arg_uuid
))
3519 return log_error_errno(SYNTHETIC_ERRNO(EIO
),
3520 "Short write while sending machine ID.");
3522 l
= send_one_fd(notify_socket
, fd
, 0);
3524 return log_error_errno(l
, "Failed to send notify fd: %m");
3526 pid_socket
= safe_close(pid_socket
);
3527 uuid_socket
= safe_close(uuid_socket
);
3528 notify_socket
= safe_close(notify_socket
);
3529 master_pty_socket
= safe_close(master_pty_socket
);
3530 kmsg_socket
= safe_close(kmsg_socket
);
3531 rtnl_socket
= safe_close(rtnl_socket
);
3532 netns_fd
= safe_close(netns_fd
);
3537 static int uid_shift_pick(uid_t
*shift
, LockFile
*ret_lock_file
) {
3538 bool tried_hashed
= false;
3539 unsigned n_tries
= 100;
3544 assert(ret_lock_file
);
3545 assert(arg_userns_mode
== USER_NAMESPACE_PICK
);
3546 assert(arg_uid_range
== 0x10000U
);
3550 (void) mkdir("/run/systemd/nspawn-uid", 0755);
3553 char lock_path
[STRLEN("/run/systemd/nspawn-uid/") + DECIMAL_STR_MAX(uid_t
) + 1];
3554 _cleanup_(release_lock_file
) LockFile lf
= LOCK_FILE_INIT
;
3559 if (candidate
< CONTAINER_UID_BASE_MIN
|| candidate
> CONTAINER_UID_BASE_MAX
)
3561 if ((candidate
& UINT32_C(0xFFFF)) != 0)
3564 xsprintf(lock_path
, "/run/systemd/nspawn-uid/" UID_FMT
, candidate
);
3565 r
= make_lock_file(lock_path
, LOCK_EX
|LOCK_NB
, &lf
);
3566 if (r
== -EBUSY
) /* Range already taken by another nspawn instance */
3571 /* Make some superficial checks whether the range is currently known in the user database */
3572 if (getpwuid(candidate
))
3574 if (getpwuid(candidate
+ UINT32_C(0xFFFE)))
3576 if (getgrgid(candidate
))
3578 if (getgrgid(candidate
+ UINT32_C(0xFFFE)))
3581 *ret_lock_file
= lf
;
3582 lf
= (struct LockFile
) LOCK_FILE_INIT
;
3587 if (arg_machine
&& !tried_hashed
) {
3588 /* Try to hash the base from the container name */
3590 static const uint8_t hash_key
[] = {
3591 0xe1, 0x56, 0xe0, 0xf0, 0x4a, 0xf0, 0x41, 0xaf,
3592 0x96, 0x41, 0xcf, 0x41, 0x33, 0x94, 0xff, 0x72
3595 candidate
= (uid_t
) siphash24(arg_machine
, strlen(arg_machine
), hash_key
);
3597 tried_hashed
= true;
3599 random_bytes(&candidate
, sizeof(candidate
));
3601 candidate
= (candidate
% (CONTAINER_UID_BASE_MAX
- CONTAINER_UID_BASE_MIN
)) + CONTAINER_UID_BASE_MIN
;
3602 candidate
&= (uid_t
) UINT32_C(0xFFFF0000);
3606 static int setup_uid_map(pid_t pid
) {
3607 char uid_map
[STRLEN("/proc//uid_map") + DECIMAL_STR_MAX(uid_t
) + 1], line
[DECIMAL_STR_MAX(uid_t
)*3+3+1];
3612 xsprintf(uid_map
, "/proc/" PID_FMT
"/uid_map", pid
);
3613 xsprintf(line
, UID_FMT
" " UID_FMT
" " UID_FMT
"\n", 0, arg_uid_shift
, arg_uid_range
);
3614 r
= write_string_file(uid_map
, line
, WRITE_STRING_FILE_DISABLE_BUFFER
);
3616 return log_error_errno(r
, "Failed to write UID map: %m");
3618 /* We always assign the same UID and GID ranges */
3619 xsprintf(uid_map
, "/proc/" PID_FMT
"/gid_map", pid
);
3620 r
= write_string_file(uid_map
, line
, WRITE_STRING_FILE_DISABLE_BUFFER
);
3622 return log_error_errno(r
, "Failed to write GID map: %m");
3627 static int nspawn_dispatch_notify_fd(sd_event_source
*source
, int fd
, uint32_t revents
, void *userdata
) {
3628 char buf
[NOTIFY_BUFFER_MAX
+1];
3630 struct iovec iovec
= {
3632 .iov_len
= sizeof(buf
)-1,
3635 struct cmsghdr cmsghdr
;
3636 uint8_t buf
[CMSG_SPACE(sizeof(struct ucred
)) +
3637 CMSG_SPACE(sizeof(int) * NOTIFY_FD_MAX
)];
3639 struct msghdr msghdr
= {
3642 .msg_control
= &control
,
3643 .msg_controllen
= sizeof(control
),
3645 struct cmsghdr
*cmsg
;
3646 struct ucred
*ucred
= NULL
;
3648 pid_t inner_child_pid
;
3649 _cleanup_strv_free_
char **tags
= NULL
;
3653 inner_child_pid
= PTR_TO_PID(userdata
);
3655 if (revents
!= EPOLLIN
) {
3656 log_warning("Got unexpected poll event for notify fd.");
3660 n
= recvmsg(fd
, &msghdr
, MSG_DONTWAIT
|MSG_CMSG_CLOEXEC
);
3662 if (IN_SET(errno
, EAGAIN
, EINTR
))
3665 return log_warning_errno(errno
, "Couldn't read notification socket: %m");
3667 cmsg_close_all(&msghdr
);
3669 CMSG_FOREACH(cmsg
, &msghdr
) {
3670 if (cmsg
->cmsg_level
== SOL_SOCKET
&&
3671 cmsg
->cmsg_type
== SCM_CREDENTIALS
&&
3672 cmsg
->cmsg_len
== CMSG_LEN(sizeof(struct ucred
))) {
3674 ucred
= (struct ucred
*) CMSG_DATA(cmsg
);
3678 if (!ucred
|| ucred
->pid
!= inner_child_pid
) {
3679 log_debug("Received notify message without valid credentials. Ignoring.");
3683 if ((size_t) n
>= sizeof(buf
)) {
3684 log_warning("Received notify message exceeded maximum size. Ignoring.");
3689 tags
= strv_split(buf
, "\n\r");
3693 if (strv_find(tags
, "READY=1"))
3694 (void) sd_notifyf(false, "READY=1\n");
3696 p
= strv_find_startswith(tags
, "STATUS=");
3698 (void) sd_notifyf(false, "STATUS=Container running: %s", p
);
3703 static int setup_sd_notify_parent(sd_event
*event
, int fd
, pid_t
*inner_child_pid
, sd_event_source
**notify_event_source
) {
3706 r
= sd_event_add_io(event
, notify_event_source
, fd
, EPOLLIN
, nspawn_dispatch_notify_fd
, inner_child_pid
);
3708 return log_error_errno(r
, "Failed to allocate notify event source: %m");
3710 (void) sd_event_source_set_description(*notify_event_source
, "nspawn-notify");
3715 static int merge_settings(Settings
*settings
, const char *path
) {
3721 /* Copy over bits from the settings, unless they have been explicitly masked by command line switches. Note
3722 * that this steals the fields of the Settings* structure, and hence modifies it. */
3724 if ((arg_settings_mask
& SETTING_START_MODE
) == 0 &&
3725 settings
->start_mode
>= 0) {
3726 arg_start_mode
= settings
->start_mode
;
3727 strv_free_and_replace(arg_parameters
, settings
->parameters
);
3730 if ((arg_settings_mask
& SETTING_EPHEMERAL
) == 0)
3731 arg_ephemeral
= settings
->ephemeral
;
3733 if ((arg_settings_mask
& SETTING_DIRECTORY
) == 0 &&
3736 if (!arg_settings_trusted
)
3737 log_warning("Ignoring root directory setting, file %s is not trusted.", path
);
3739 free_and_replace(arg_directory
, settings
->root
);
3742 if ((arg_settings_mask
& SETTING_PIVOT_ROOT
) == 0 &&
3743 settings
->pivot_root_new
) {
3744 free_and_replace(arg_pivot_root_new
, settings
->pivot_root_new
);
3745 free_and_replace(arg_pivot_root_old
, settings
->pivot_root_old
);
3748 if ((arg_settings_mask
& SETTING_WORKING_DIRECTORY
) == 0 &&
3749 settings
->working_directory
)
3750 free_and_replace(arg_chdir
, settings
->working_directory
);
3752 if ((arg_settings_mask
& SETTING_ENVIRONMENT
) == 0 &&
3753 settings
->environment
)
3754 strv_free_and_replace(arg_setenv
, settings
->environment
);
3756 if ((arg_settings_mask
& SETTING_USER
) == 0) {
3759 free_and_replace(arg_user
, settings
->user
);
3761 if (uid_is_valid(settings
->uid
))
3762 arg_uid
= settings
->uid
;
3763 if (gid_is_valid(settings
->gid
))
3764 arg_gid
= settings
->gid
;
3765 if (settings
->n_supplementary_gids
> 0) {
3766 free_and_replace(arg_supplementary_gids
, settings
->supplementary_gids
);
3767 arg_n_supplementary_gids
= settings
->n_supplementary_gids
;
3771 if ((arg_settings_mask
& SETTING_CAPABILITY
) == 0) {
3772 uint64_t plus
, minus
;
3774 /* Note that we copy both the simple plus/minus caps here, and the full quintet from the
3775 * Settings structure */
3777 plus
= settings
->capability
;
3778 minus
= settings
->drop_capability
;
3780 if ((arg_settings_mask
& SETTING_NETWORK
) == 0) {
3781 if (settings_private_network(settings
))
3782 plus
|= UINT64_C(1) << CAP_NET_ADMIN
;
3784 minus
|= UINT64_C(1) << CAP_NET_ADMIN
;
3787 if (!arg_settings_trusted
&& plus
!= 0) {
3788 if (settings
->capability
!= 0)
3789 log_warning("Ignoring Capability= setting, file %s is not trusted.", path
);
3791 arg_caps_retain
|= plus
;
3793 arg_caps_retain
&= ~minus
;
3795 /* Copy the full capabilities over too */
3796 if (capability_quintet_is_set(&settings
->full_capabilities
)) {
3797 if (!arg_settings_trusted
)
3798 log_warning("Ignoring capability settings, file %s is not trusted.", path
);
3800 arg_full_capabilities
= settings
->full_capabilities
;
3804 if ((arg_settings_mask
& SETTING_KILL_SIGNAL
) == 0 &&
3805 settings
->kill_signal
> 0)
3806 arg_kill_signal
= settings
->kill_signal
;
3808 if ((arg_settings_mask
& SETTING_PERSONALITY
) == 0 &&
3809 settings
->personality
!= PERSONALITY_INVALID
)
3810 arg_personality
= settings
->personality
;
3812 if ((arg_settings_mask
& SETTING_MACHINE_ID
) == 0 &&
3813 !sd_id128_is_null(settings
->machine_id
)) {
3815 if (!arg_settings_trusted
)
3816 log_warning("Ignoring MachineID= setting, file %s is not trusted.", path
);
3818 arg_uuid
= settings
->machine_id
;
3821 if ((arg_settings_mask
& SETTING_READ_ONLY
) == 0 &&
3822 settings
->read_only
>= 0)
3823 arg_read_only
= settings
->read_only
;
3825 if ((arg_settings_mask
& SETTING_VOLATILE_MODE
) == 0 &&
3826 settings
->volatile_mode
!= _VOLATILE_MODE_INVALID
)
3827 arg_volatile_mode
= settings
->volatile_mode
;
3829 if ((arg_settings_mask
& SETTING_CUSTOM_MOUNTS
) == 0 &&
3830 settings
->n_custom_mounts
> 0) {
3832 if (!arg_settings_trusted
)
3833 log_warning("Ignoring TemporaryFileSystem=, Bind= and BindReadOnly= settings, file %s is not trusted.", path
);
3835 custom_mount_free_all(arg_custom_mounts
, arg_n_custom_mounts
);
3836 arg_custom_mounts
= TAKE_PTR(settings
->custom_mounts
);
3837 arg_n_custom_mounts
= settings
->n_custom_mounts
;
3838 settings
->n_custom_mounts
= 0;
3842 if ((arg_settings_mask
& SETTING_NETWORK
) == 0 &&
3843 (settings
->private_network
>= 0 ||
3844 settings
->network_veth
>= 0 ||
3845 settings
->network_bridge
||
3846 settings
->network_zone
||
3847 settings
->network_interfaces
||
3848 settings
->network_macvlan
||
3849 settings
->network_ipvlan
||
3850 settings
->network_veth_extra
||
3851 settings
->network_namespace_path
)) {
3853 if (!arg_settings_trusted
)
3854 log_warning("Ignoring network settings, file %s is not trusted.", path
);
3856 arg_network_veth
= settings_network_veth(settings
);
3857 arg_private_network
= settings_private_network(settings
);
3859 strv_free_and_replace(arg_network_interfaces
, settings
->network_interfaces
);
3860 strv_free_and_replace(arg_network_macvlan
, settings
->network_macvlan
);
3861 strv_free_and_replace(arg_network_ipvlan
, settings
->network_ipvlan
);
3862 strv_free_and_replace(arg_network_veth_extra
, settings
->network_veth_extra
);
3864 free_and_replace(arg_network_bridge
, settings
->network_bridge
);
3865 free_and_replace(arg_network_zone
, settings
->network_zone
);
3867 free_and_replace(arg_network_namespace_path
, settings
->network_namespace_path
);
3871 if ((arg_settings_mask
& SETTING_EXPOSE_PORTS
) == 0 &&
3872 settings
->expose_ports
) {
3874 if (!arg_settings_trusted
)
3875 log_warning("Ignoring Port= setting, file %s is not trusted.", path
);
3877 expose_port_free_all(arg_expose_ports
);
3878 arg_expose_ports
= TAKE_PTR(settings
->expose_ports
);
3882 if ((arg_settings_mask
& SETTING_USERNS
) == 0 &&
3883 settings
->userns_mode
!= _USER_NAMESPACE_MODE_INVALID
) {
3885 if (!arg_settings_trusted
)
3886 log_warning("Ignoring PrivateUsers= and PrivateUsersChown= settings, file %s is not trusted.", path
);
3888 arg_userns_mode
= settings
->userns_mode
;
3889 arg_uid_shift
= settings
->uid_shift
;
3890 arg_uid_range
= settings
->uid_range
;
3891 arg_userns_chown
= settings
->userns_chown
;
3895 if ((arg_settings_mask
& SETTING_NOTIFY_READY
) == 0)
3896 arg_notify_ready
= settings
->notify_ready
;
3898 if ((arg_settings_mask
& SETTING_SYSCALL_FILTER
) == 0) {
3900 if (!arg_settings_trusted
&& !strv_isempty(settings
->syscall_whitelist
))
3901 log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path
);
3903 strv_free_and_replace(arg_syscall_whitelist
, settings
->syscall_whitelist
);
3904 strv_free_and_replace(arg_syscall_blacklist
, settings
->syscall_blacklist
);
3908 if (!arg_settings_trusted
&& settings
->seccomp
)
3909 log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path
);
3911 seccomp_release(arg_seccomp
);
3912 arg_seccomp
= TAKE_PTR(settings
->seccomp
);
3917 for (rl
= 0; rl
< _RLIMIT_MAX
; rl
++) {
3918 if ((arg_settings_mask
& (SETTING_RLIMIT_FIRST
<< rl
)))
3921 if (!settings
->rlimit
[rl
])
3924 if (!arg_settings_trusted
) {
3925 log_warning("Ignoring Limit%s= setting, file '%s' is not trusted.", rlimit_to_string(rl
), path
);
3929 free_and_replace(arg_rlimit
[rl
], settings
->rlimit
[rl
]);
3932 if ((arg_settings_mask
& SETTING_HOSTNAME
) == 0 &&
3934 free_and_replace(arg_hostname
, settings
->hostname
);
3936 if ((arg_settings_mask
& SETTING_NO_NEW_PRIVILEGES
) == 0 &&
3937 settings
->no_new_privileges
>= 0)
3938 arg_no_new_privileges
= settings
->no_new_privileges
;
3940 if ((arg_settings_mask
& SETTING_OOM_SCORE_ADJUST
) == 0 &&
3941 settings
->oom_score_adjust_set
) {
3943 if (!arg_settings_trusted
)
3944 log_warning("Ignoring OOMScoreAdjust= setting, file '%s' is not trusted.", path
);
3946 arg_oom_score_adjust
= settings
->oom_score_adjust
;
3947 arg_oom_score_adjust_set
= true;
3951 if ((arg_settings_mask
& SETTING_CPU_AFFINITY
) == 0 &&
3952 settings
->cpu_set
.set
) {
3954 if (!arg_settings_trusted
)
3955 log_warning("Ignoring CPUAffinity= setting, file '%s' is not trusted.", path
);
3957 cpu_set_reset(&arg_cpu_set
);
3958 arg_cpu_set
= settings
->cpu_set
;
3959 settings
->cpu_set
= (CPUSet
) {};
3963 if ((arg_settings_mask
& SETTING_RESOLV_CONF
) == 0 &&
3964 settings
->resolv_conf
!= _RESOLV_CONF_MODE_INVALID
)
3965 arg_resolv_conf
= settings
->resolv_conf
;
3967 if ((arg_settings_mask
& SETTING_LINK_JOURNAL
) == 0 &&
3968 settings
->link_journal
!= _LINK_JOURNAL_INVALID
) {
3970 if (!arg_settings_trusted
)
3971 log_warning("Ignoring journal link setting, file '%s' is not trusted.", path
);
3973 arg_link_journal
= settings
->link_journal
;
3974 arg_link_journal_try
= settings
->link_journal_try
;
3978 if ((arg_settings_mask
& SETTING_TIMEZONE
) == 0 &&
3979 settings
->timezone
!= _TIMEZONE_MODE_INVALID
)
3980 arg_timezone
= settings
->timezone
;
3982 if ((arg_settings_mask
& SETTING_SLICE
) == 0 &&
3985 if (!arg_settings_trusted
)
3986 log_warning("Ignoring slice setting, file '%s' is not trusted.", path
);
3988 free_and_replace(arg_slice
, settings
->slice
);
3991 if ((arg_settings_mask
& SETTING_USE_CGNS
) == 0 &&
3992 settings
->use_cgns
>= 0) {
3994 if (!arg_settings_trusted
)
3995 log_warning("Ignoring cgroup namespace setting, file '%s' is not trusted.", path
);
3997 arg_use_cgns
= settings
->use_cgns
;
4000 if ((arg_settings_mask
& SETTING_CLONE_NS_FLAGS
) == 0 &&
4001 settings
->clone_ns_flags
!= (unsigned long) -1) {
4003 if (!arg_settings_trusted
)
4004 log_warning("Ignoring namespace setting, file '%s' is not trusted.", path
);
4006 arg_clone_ns_flags
= settings
->clone_ns_flags
;
4009 if ((arg_settings_mask
& SETTING_CONSOLE_MODE
) == 0 &&
4010 settings
->console_mode
>= 0) {
4012 if (!arg_settings_trusted
)
4013 log_warning("Ignoring console mode setting, file '%s' is not trusted.", path
);
4015 arg_console_mode
= settings
->console_mode
;
4018 /* The following properties can only be set through the OCI settings logic, not from the command line, hence we
4019 * don't consult arg_settings_mask for them. */
4021 sd_bus_message_unref(arg_property_message
);
4022 arg_property_message
= TAKE_PTR(settings
->properties
);
4024 arg_console_width
= settings
->console_width
;
4025 arg_console_height
= settings
->console_height
;
4027 device_node_array_free(arg_extra_nodes
, arg_n_extra_nodes
);
4028 arg_extra_nodes
= TAKE_PTR(settings
->extra_nodes
);
4029 arg_n_extra_nodes
= settings
->n_extra_nodes
;
4034 static int load_settings(void) {
4035 _cleanup_(settings_freep
) Settings
*settings
= NULL
;
4036 _cleanup_fclose_
FILE *f
= NULL
;
4037 _cleanup_free_
char *p
= NULL
;
4044 /* If all settings are masked, there's no point in looking for
4045 * the settings file */
4046 if ((arg_settings_mask
& _SETTINGS_MASK_ALL
) == _SETTINGS_MASK_ALL
)
4049 fn
= strjoina(arg_machine
, ".nspawn");
4051 /* We first look in the admin's directories in /etc and /run */
4052 FOREACH_STRING(i
, "/etc/systemd/nspawn", "/run/systemd/nspawn") {
4053 _cleanup_free_
char *j
= NULL
;
4055 j
= path_join(i
, fn
);
4063 /* By default, we trust configuration from /etc and /run */
4064 if (arg_settings_trusted
< 0)
4065 arg_settings_trusted
= true;
4070 if (errno
!= ENOENT
)
4071 return log_error_errno(errno
, "Failed to open %s: %m", j
);
4075 /* After that, let's look for a file next to the
4076 * actual image we shall boot. */
4079 p
= file_in_same_dir(arg_image
, fn
);
4082 } else if (arg_directory
&& !path_equal(arg_directory
, "/")) {
4083 p
= file_in_same_dir(arg_directory
, fn
);
4090 if (!f
&& errno
!= ENOENT
)
4091 return log_error_errno(errno
, "Failed to open %s: %m", p
);
4093 /* By default, we do not trust configuration from /var/lib/machines */
4094 if (arg_settings_trusted
< 0)
4095 arg_settings_trusted
= false;
4102 log_debug("Settings are trusted: %s", yes_no(arg_settings_trusted
));
4104 r
= settings_load(f
, p
, &settings
);
4108 return merge_settings(settings
, p
);
4111 static int load_oci_bundle(void) {
4112 _cleanup_(settings_freep
) Settings
*settings
= NULL
;
4115 if (!arg_oci_bundle
)
4118 /* By default let's trust OCI bundles */
4119 if (arg_settings_trusted
< 0)
4120 arg_settings_trusted
= true;
4122 r
= oci_load(NULL
, arg_oci_bundle
, &settings
);
4126 return merge_settings(settings
, arg_oci_bundle
);
4129 static int run_container(
4130 DissectedImage
*dissected_image
,
4133 char veth_name
[IFNAMSIZ
], bool *veth_created
,
4134 union in_addr_union
*exposed
,
4135 int *master
, pid_t
*pid
, int *ret
) {
4137 static const struct sigaction sa
= {
4138 .sa_handler
= nop_signal_handler
,
4139 .sa_flags
= SA_NOCLDSTOP
|SA_RESTART
,
4142 _cleanup_(release_lock_file
) LockFile uid_shift_lock
= LOCK_FILE_INIT
;
4143 _cleanup_close_
int etc_passwd_lock
= -1;
4144 _cleanup_close_pair_
int
4145 kmsg_socket_pair
[2] = { -1, -1 },
4146 rtnl_socket_pair
[2] = { -1, -1 },
4147 pid_socket_pair
[2] = { -1, -1 },
4148 uuid_socket_pair
[2] = { -1, -1 },
4149 notify_socket_pair
[2] = { -1, -1 },
4150 uid_shift_socket_pair
[2] = { -1, -1 },
4151 master_pty_socket_pair
[2] = { -1, -1 },
4152 unified_cgroup_hierarchy_socket_pair
[2] = { -1, -1};
4154 _cleanup_close_
int notify_socket
= -1;
4155 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
4156 _cleanup_(sd_event_source_unrefp
) sd_event_source
*notify_event_source
= NULL
;
4157 _cleanup_(sd_event_unrefp
) sd_event
*event
= NULL
;
4158 _cleanup_(pty_forward_freep
) PTYForward
*forward
= NULL
;
4159 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
4160 _cleanup_(sd_bus_flush_close_unrefp
) sd_bus
*bus
= NULL
;
4161 ContainerStatus container_status
= 0;
4165 _cleanup_close_
int netns_fd
= -1;
4167 assert_se(sigemptyset(&mask_chld
) == 0);
4168 assert_se(sigaddset(&mask_chld
, SIGCHLD
) == 0);
4170 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
4171 /* When we shall pick the UID/GID range, let's first lock /etc/passwd, so that we can safely
4172 * check with getpwuid() if the specific user already exists. Note that /etc might be
4173 * read-only, in which case this will fail with EROFS. But that's really OK, as in that case we
4174 * can be reasonably sure that no users are going to be added. Note that getpwuid() checks are
4175 * really just an extra safety net. We kinda assume that the UID range we allocate from is
4178 etc_passwd_lock
= take_etc_passwd_lock(NULL
);
4179 if (etc_passwd_lock
< 0 && etc_passwd_lock
!= -EROFS
)
4180 return log_error_errno(etc_passwd_lock
, "Failed to take /etc/passwd lock: %m");
4183 r
= barrier_create(&barrier
);
4185 return log_error_errno(r
, "Cannot initialize IPC barrier: %m");
4187 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, kmsg_socket_pair
) < 0)
4188 return log_error_errno(errno
, "Failed to create kmsg socket pair: %m");
4190 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, rtnl_socket_pair
) < 0)
4191 return log_error_errno(errno
, "Failed to create rtnl socket pair: %m");
4193 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, pid_socket_pair
) < 0)
4194 return log_error_errno(errno
, "Failed to create pid socket pair: %m");
4196 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, uuid_socket_pair
) < 0)
4197 return log_error_errno(errno
, "Failed to create id socket pair: %m");
4199 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, notify_socket_pair
) < 0)
4200 return log_error_errno(errno
, "Failed to create notify socket pair: %m");
4202 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, master_pty_socket_pair
) < 0)
4203 return log_error_errno(errno
, "Failed to create console socket pair: %m");
4205 if (arg_userns_mode
!= USER_NAMESPACE_NO
)
4206 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, uid_shift_socket_pair
) < 0)
4207 return log_error_errno(errno
, "Failed to create uid shift socket pair: %m");
4209 if (arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
)
4210 if (socketpair(AF_UNIX
, SOCK_SEQPACKET
|SOCK_CLOEXEC
, 0, unified_cgroup_hierarchy_socket_pair
) < 0)
4211 return log_error_errno(errno
, "Failed to create unified cgroup socket pair: %m");
4213 /* Child can be killed before execv(), so handle SIGCHLD in order to interrupt
4214 * parent's blocking calls and give it a chance to call wait() and terminate. */
4215 r
= sigprocmask(SIG_UNBLOCK
, &mask_chld
, NULL
);
4217 return log_error_errno(errno
, "Failed to change the signal mask: %m");
4219 r
= sigaction(SIGCHLD
, &sa
, NULL
);
4221 return log_error_errno(errno
, "Failed to install SIGCHLD handler: %m");
4223 if (arg_network_namespace_path
) {
4224 netns_fd
= open(arg_network_namespace_path
, O_RDONLY
|O_NOCTTY
|O_CLOEXEC
);
4226 return log_error_errno(errno
, "Cannot open file %s: %m", arg_network_namespace_path
);
4228 r
= fd_is_network_ns(netns_fd
);
4230 log_debug_errno(r
, "Cannot determine if passed network namespace path '%s' really refers to a network namespace, assuming it does.", arg_network_namespace_path
);
4232 return log_error_errno(r
, "Failed to check %s fs type: %m", arg_network_namespace_path
);
4234 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
),
4235 "Path %s doesn't refer to a network namespace, refusing.", arg_network_namespace_path
);
4238 *pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
);
4240 return log_error_errno(errno
, "clone() failed%s: %m",
4242 ", do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in)" : "");
4245 /* The outer child only has a file system namespace. */
4246 barrier_set_role(&barrier
, BARRIER_CHILD
);
4248 kmsg_socket_pair
[0] = safe_close(kmsg_socket_pair
[0]);
4249 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4250 pid_socket_pair
[0] = safe_close(pid_socket_pair
[0]);
4251 uuid_socket_pair
[0] = safe_close(uuid_socket_pair
[0]);
4252 notify_socket_pair
[0] = safe_close(notify_socket_pair
[0]);
4253 master_pty_socket_pair
[0] = safe_close(master_pty_socket_pair
[0]);
4254 uid_shift_socket_pair
[0] = safe_close(uid_shift_socket_pair
[0]);
4255 unified_cgroup_hierarchy_socket_pair
[0] = safe_close(unified_cgroup_hierarchy_socket_pair
[0]);
4257 (void) reset_all_signal_handlers();
4258 (void) reset_signal_mask();
4260 r
= outer_child(&barrier
,
4265 uuid_socket_pair
[1],
4266 notify_socket_pair
[1],
4267 kmsg_socket_pair
[1],
4268 rtnl_socket_pair
[1],
4269 uid_shift_socket_pair
[1],
4270 master_pty_socket_pair
[1],
4271 unified_cgroup_hierarchy_socket_pair
[1],
4275 _exit(EXIT_FAILURE
);
4277 _exit(EXIT_SUCCESS
);
4280 barrier_set_role(&barrier
, BARRIER_PARENT
);
4284 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
4285 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
4286 pid_socket_pair
[1] = safe_close(pid_socket_pair
[1]);
4287 uuid_socket_pair
[1] = safe_close(uuid_socket_pair
[1]);
4288 notify_socket_pair
[1] = safe_close(notify_socket_pair
[1]);
4289 master_pty_socket_pair
[1] = safe_close(master_pty_socket_pair
[1]);
4290 uid_shift_socket_pair
[1] = safe_close(uid_shift_socket_pair
[1]);
4291 unified_cgroup_hierarchy_socket_pair
[1] = safe_close(unified_cgroup_hierarchy_socket_pair
[1]);
4293 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
4294 /* The child just let us know the UID shift it might have read from the image. */
4295 l
= recv(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof arg_uid_shift
, 0);
4297 return log_error_errno(errno
, "Failed to read UID shift: %m");
4298 if (l
!= sizeof arg_uid_shift
)
4299 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short read while reading UID shift.");
4301 if (arg_userns_mode
== USER_NAMESPACE_PICK
) {
4302 /* If we are supposed to pick the UID shift, let's try to use the shift read from the
4303 * image, but if that's already in use, pick a new one, and report back to the child,
4304 * which one we now picked. */
4306 r
= uid_shift_pick(&arg_uid_shift
, &uid_shift_lock
);
4308 return log_error_errno(r
, "Failed to pick suitable UID/GID range: %m");
4310 l
= send(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof arg_uid_shift
, MSG_NOSIGNAL
);
4312 return log_error_errno(errno
, "Failed to send UID shift: %m");
4313 if (l
!= sizeof arg_uid_shift
)
4314 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short write while writing UID shift.");
4318 if (arg_unified_cgroup_hierarchy
== CGROUP_UNIFIED_UNKNOWN
) {
4319 /* The child let us know the support cgroup mode it might have read from the image. */
4320 l
= recv(unified_cgroup_hierarchy_socket_pair
[0], &arg_unified_cgroup_hierarchy
, sizeof(arg_unified_cgroup_hierarchy
), 0);
4322 return log_error_errno(errno
, "Failed to read cgroup mode: %m");
4323 if (l
!= sizeof(arg_unified_cgroup_hierarchy
))
4324 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short read while reading cgroup mode (%zu bytes).%s",
4325 l
, l
== 0 ? " The child is most likely dead." : "");
4328 /* Wait for the outer child. */
4329 r
= wait_for_terminate_and_check("(sd-namespace)", *pid
, WAIT_LOG_ABNORMAL
);
4332 if (r
!= EXIT_SUCCESS
)
4335 /* And now retrieve the PID of the inner child. */
4336 l
= recv(pid_socket_pair
[0], pid
, sizeof *pid
, 0);
4338 return log_error_errno(errno
, "Failed to read inner child PID: %m");
4339 if (l
!= sizeof *pid
)
4340 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short read while reading inner child PID.");
4342 /* We also retrieve container UUID in case it was generated by outer child */
4343 l
= recv(uuid_socket_pair
[0], &arg_uuid
, sizeof arg_uuid
, 0);
4345 return log_error_errno(errno
, "Failed to read container machine ID: %m");
4346 if (l
!= sizeof(arg_uuid
))
4347 return log_error_errno(SYNTHETIC_ERRNO(EIO
), "Short read while reading container machined ID.");
4349 /* We also retrieve the socket used for notifications generated by outer child */
4350 notify_socket
= receive_one_fd(notify_socket_pair
[0], 0);
4351 if (notify_socket
< 0)
4352 return log_error_errno(notify_socket
,
4353 "Failed to receive notification socket from the outer child: %m");
4355 log_debug("Init process invoked as PID "PID_FMT
, *pid
);
4357 if (arg_userns_mode
!= USER_NAMESPACE_NO
) {
4358 if (!barrier_place_and_sync(&barrier
)) /* #1 */
4359 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
), "Child died too early.");
4361 r
= setup_uid_map(*pid
);
4365 (void) barrier_place(&barrier
); /* #2 */
4368 if (arg_private_network
) {
4369 if (!arg_network_namespace_path
) {
4370 /* Wait until the child has unshared its network namespace. */
4371 if (!barrier_place_and_sync(&barrier
)) /* #3 */
4372 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
), "Child died too early");
4375 r
= move_network_interfaces(*pid
, arg_network_interfaces
);
4379 if (arg_network_veth
) {
4380 r
= setup_veth(arg_machine
, *pid
, veth_name
,
4381 arg_network_bridge
|| arg_network_zone
);
4387 if (arg_network_bridge
) {
4388 /* Add the interface to a bridge */
4389 r
= setup_bridge(veth_name
, arg_network_bridge
, false);
4394 } else if (arg_network_zone
) {
4395 /* Add the interface to a bridge, possibly creating it */
4396 r
= setup_bridge(veth_name
, arg_network_zone
, true);
4404 r
= setup_veth_extra(arg_machine
, *pid
, arg_network_veth_extra
);
4408 /* We created the primary and extra veth links now; let's remember this, so that we know to
4409 remove them later on. Note that we don't bother with removing veth links that were created
4410 here when their setup failed half-way, because in that case the kernel should be able to
4411 remove them on its own, since they cannot be referenced by anything yet. */
4412 *veth_created
= true;
4414 r
= setup_macvlan(arg_machine
, *pid
, arg_network_macvlan
);
4418 r
= setup_ipvlan(arg_machine
, *pid
, arg_network_ipvlan
);
4423 if (arg_register
|| !arg_keep_unit
) {
4424 r
= sd_bus_default_system(&bus
);
4426 return log_error_errno(r
, "Failed to open system bus: %m");
4428 r
= sd_bus_set_close_on_exit(bus
, false);
4430 return log_error_errno(r
, "Failed to disable close-on-exit behaviour: %m");
4433 if (!arg_keep_unit
) {
4434 /* When a new scope is created for this container, then we'll be registered as its controller, in which
4435 * case PID 1 will send us a friendly RequestStop signal, when it is asked to terminate the
4436 * scope. Let's hook into that, and cleanly shut down the container, and print a friendly message. */
4438 r
= sd_bus_match_signal_async(
4441 "org.freedesktop.systemd1",
4443 "org.freedesktop.systemd1.Scope",
4445 on_request_stop
, NULL
, PID_TO_PTR(*pid
));
4447 return log_error_errno(r
, "Failed to request RequestStop match: %m");
4451 r
= register_machine(
4459 arg_custom_mounts
, arg_n_custom_mounts
,
4462 arg_property_message
,
4464 arg_container_service_name
);
4468 } else if (!arg_keep_unit
) {
4474 arg_custom_mounts
, arg_n_custom_mounts
,
4477 arg_property_message
);
4481 } else if (arg_slice
|| arg_property
)
4482 log_notice("Machine and scope registration turned off, --slice= and --property= settings will have no effect.");
4484 r
= create_subcgroup(*pid
, arg_keep_unit
, arg_unified_cgroup_hierarchy
);
4488 r
= sync_cgroup(*pid
, arg_unified_cgroup_hierarchy
, arg_uid_shift
);
4492 r
= chown_cgroup(*pid
, arg_unified_cgroup_hierarchy
, arg_uid_shift
);
4496 /* Notify the child that the parent is ready with all
4497 * its setup (including cgroup-ification), and that
4498 * the child can now hand over control to the code to
4499 * run inside the container. */
4500 (void) barrier_place(&barrier
); /* #4 */
4502 /* Block SIGCHLD here, before notifying child.
4503 * process_pty() will handle it with the other signals. */
4504 assert_se(sigprocmask(SIG_BLOCK
, &mask_chld
, NULL
) >= 0);
4506 /* Reset signal to default */
4507 r
= default_signals(SIGCHLD
, -1);
4509 return log_error_errno(r
, "Failed to reset SIGCHLD: %m");
4511 r
= sd_event_new(&event
);
4513 return log_error_errno(r
, "Failed to get default event source: %m");
4515 (void) sd_event_set_watchdog(event
, true);
4518 r
= sd_bus_attach_event(bus
, event
, 0);
4520 return log_error_errno(r
, "Failed to attach bus to event loop: %m");
4523 r
= setup_sd_notify_parent(event
, notify_socket
, PID_TO_PTR(*pid
), ¬ify_event_source
);
4527 /* Let the child know that we are ready and wait that the child is completely ready now. */
4528 if (!barrier_place_and_sync(&barrier
)) /* #5 */
4529 return log_error_errno(SYNTHETIC_ERRNO(ESRCH
), "Child died too early.");
4531 /* At this point we have made use of the UID we picked, and thus nss-mymachines
4532 * will make them appear in getpwuid(), thus we can release the /etc/passwd lock. */
4533 etc_passwd_lock
= safe_close(etc_passwd_lock
);
4535 (void) sd_notifyf(false,
4536 "STATUS=Container running.\n"
4537 "X_NSPAWN_LEADER_PID=" PID_FMT
, *pid
);
4538 if (!arg_notify_ready
)
4539 (void) sd_notify(false, "READY=1\n");
4541 if (arg_kill_signal
> 0) {
4542 /* Try to kill the init system on SIGINT or SIGTERM */
4543 (void) sd_event_add_signal(event
, NULL
, SIGINT
, on_orderly_shutdown
, PID_TO_PTR(*pid
));
4544 (void) sd_event_add_signal(event
, NULL
, SIGTERM
, on_orderly_shutdown
, PID_TO_PTR(*pid
));
4546 /* Immediately exit */
4547 (void) sd_event_add_signal(event
, NULL
, SIGINT
, NULL
, NULL
);
4548 (void) sd_event_add_signal(event
, NULL
, SIGTERM
, NULL
, NULL
);
4551 /* Exit when the child exits */
4552 (void) sd_event_add_signal(event
, NULL
, SIGCHLD
, on_sigchld
, PID_TO_PTR(*pid
));
4554 if (arg_expose_ports
) {
4555 r
= expose_port_watch_rtnl(event
, rtnl_socket_pair
[0], on_address_change
, exposed
, &rtnl
);
4559 (void) expose_port_execute(rtnl
, arg_expose_ports
, exposed
);
4562 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4564 if (arg_console_mode
!= CONSOLE_PIPE
) {
4565 _cleanup_close_
int fd
= -1;
4566 PTYForwardFlags flags
= 0;
4568 /* Retrieve the master pty allocated by inner child */
4569 fd
= receive_one_fd(master_pty_socket_pair
[0], 0);
4571 return log_error_errno(fd
, "Failed to receive master pty from the inner child: %m");
4573 switch (arg_console_mode
) {
4575 case CONSOLE_READ_ONLY
:
4576 flags
|= PTY_FORWARD_READ_ONLY
;
4580 case CONSOLE_INTERACTIVE
:
4581 flags
|= PTY_FORWARD_IGNORE_VHANGUP
;
4583 r
= pty_forward_new(event
, fd
, flags
, &forward
);
4585 return log_error_errno(r
, "Failed to create PTY forwarder: %m");
4587 if (arg_console_width
!= (unsigned) -1 || arg_console_height
!= (unsigned) -1)
4588 (void) pty_forward_set_width_height(forward
,
4590 arg_console_height
);
4594 assert(arg_console_mode
== CONSOLE_PASSIVE
);
4597 *master
= TAKE_FD(fd
);
4600 r
= sd_event_loop(event
);
4602 return log_error_errno(r
, "Failed to run event loop: %m");
4607 (void) pty_forward_get_last_char(forward
, &last_char
);
4608 forward
= pty_forward_free(forward
);
4610 if (!arg_quiet
&& last_char
!= '\n')
4614 /* Kill if it is not dead yet anyway */
4615 if (!arg_register
&& !arg_keep_unit
&& bus
)
4616 terminate_scope(bus
, arg_machine
);
4618 /* Normally redundant, but better safe than sorry */
4619 (void) kill(*pid
, SIGKILL
);
4621 r
= wait_for_container(*pid
, &container_status
);
4624 /* Tell machined that we are gone. */
4626 (void) unregister_machine(bus
, arg_machine
);
4629 /* We failed to wait for the container, or the container exited abnormally. */
4631 if (r
> 0 || container_status
== CONTAINER_TERMINATED
) {
4632 /* r > 0 → The container exited with a non-zero status.
4633 * As a special case, we need to replace 133 with a different value,
4634 * because 133 is special-cased in the service file to reboot the container.
4635 * otherwise → The container exited with zero status and a reboot was not requested.
4637 if (r
== EXIT_FORCE_RESTART
)
4638 r
= EXIT_FAILURE
; /* replace 133 with the general failure code */
4640 return 0; /* finito */
4643 /* CONTAINER_REBOOTED, loop again */
4645 if (arg_keep_unit
) {
4646 /* Special handling if we are running as a service: instead of simply
4647 * restarting the machine we want to restart the entire service, so let's
4648 * inform systemd about this with the special exit code 133. The service
4649 * file uses RestartForceExitStatus=133 so that this results in a full
4650 * nspawn restart. This is necessary since we might have cgroup parameters
4651 * set we want to have flushed out. */
4652 *ret
= EXIT_FORCE_RESTART
;
4653 return 0; /* finito */
4656 expose_port_flush(arg_expose_ports
, exposed
);
4658 (void) remove_veth_links(veth_name
, arg_network_veth_extra
);
4659 *veth_created
= false;
4660 return 1; /* loop again */
4663 static int initialize_rlimits(void) {
4664 /* The default resource limits the kernel passes to PID 1, as per kernel 4.16. Let's pass our container payload
4665 * the same values as the kernel originally passed to PID 1, in order to minimize differences between host and
4666 * container execution environments. */
4668 static const struct rlimit kernel_defaults
[_RLIMIT_MAX
] = {
4669 [RLIMIT_AS
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4670 [RLIMIT_CORE
] = { 0, RLIM_INFINITY
},
4671 [RLIMIT_CPU
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4672 [RLIMIT_DATA
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4673 [RLIMIT_FSIZE
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4674 [RLIMIT_LOCKS
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4675 [RLIMIT_MEMLOCK
] = { 65536, 65536 },
4676 [RLIMIT_MSGQUEUE
] = { 819200, 819200 },
4677 [RLIMIT_NICE
] = { 0, 0 },
4678 [RLIMIT_NOFILE
] = { 1024, 4096 },
4679 [RLIMIT_RSS
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4680 [RLIMIT_RTPRIO
] = { 0, 0 },
4681 [RLIMIT_RTTIME
] = { RLIM_INFINITY
, RLIM_INFINITY
},
4682 [RLIMIT_STACK
] = { 8388608, RLIM_INFINITY
},
4684 /* The kernel scales the default for RLIMIT_NPROC and RLIMIT_SIGPENDING based on the system's amount of
4685 * RAM. To provide best compatibility we'll read these limits off PID 1 instead of hardcoding them
4686 * here. This is safe as we know that PID 1 doesn't change these two limits and thus the original
4687 * kernel's initialization should still be valid during runtime — at least if PID 1 is systemd. Note
4688 * that PID 1 changes a number of other resource limits during early initialization which is why we
4689 * don't read the other limits from PID 1 but prefer the static table above. */
4694 for (rl
= 0; rl
< _RLIMIT_MAX
; rl
++) {
4695 /* Let's only fill in what the user hasn't explicitly configured anyway */
4696 if ((arg_settings_mask
& (SETTING_RLIMIT_FIRST
<< rl
)) == 0) {
4697 const struct rlimit
*v
;
4698 struct rlimit buffer
;
4700 if (IN_SET(rl
, RLIMIT_NPROC
, RLIMIT_SIGPENDING
)) {
4701 /* For these two let's read the limits off PID 1. See above for an explanation. */
4703 if (prlimit(1, rl
, NULL
, &buffer
) < 0)
4704 return log_error_errno(errno
, "Failed to read resource limit RLIMIT_%s of PID 1: %m", rlimit_to_string(rl
));
4708 v
= kernel_defaults
+ rl
;
4710 arg_rlimit
[rl
] = newdup(struct rlimit
, v
, 1);
4711 if (!arg_rlimit
[rl
])
4715 if (DEBUG_LOGGING
) {
4716 _cleanup_free_
char *k
= NULL
;
4718 (void) rlimit_format(arg_rlimit
[rl
], &k
);
4719 log_debug("Setting RLIMIT_%s to %s.", rlimit_to_string(rl
), k
);
4726 static int run(int argc
, char *argv
[]) {
4727 bool secondary
= false, remove_directory
= false, remove_image
= false,
4728 veth_created
= false, remove_tmprootdir
= false;
4729 _cleanup_close_
int master
= -1;
4730 _cleanup_fdset_free_ FDSet
*fds
= NULL
;
4731 int r
, n_fd_passed
, ret
= EXIT_SUCCESS
;
4732 char veth_name
[IFNAMSIZ
] = "";
4733 union in_addr_union exposed
= {};
4734 _cleanup_(release_lock_file
) LockFile tree_global_lock
= LOCK_FILE_INIT
, tree_local_lock
= LOCK_FILE_INIT
;
4735 char tmprootdir
[] = "/tmp/nspawn-root-XXXXXX";
4736 _cleanup_(loop_device_unrefp
) LoopDevice
*loop
= NULL
;
4737 _cleanup_(decrypted_image_unrefp
) DecryptedImage
*decrypted_image
= NULL
;
4738 _cleanup_(dissected_image_unrefp
) DissectedImage
*dissected_image
= NULL
;
4741 log_parse_environment();
4744 r
= parse_argv(argc
, argv
);
4752 r
= initialize_rlimits();
4756 r
= load_oci_bundle();
4760 r
= determine_names();
4764 r
= load_settings();
4770 log_error_errno(r
, "Failed to determine whether the unified cgroups hierarchy is used: %m");
4774 r
= verify_arguments();
4778 /* Reapply environment settings. */
4779 (void) detect_unified_cgroup_hierarchy_from_environment();
4781 /* Ignore SIGPIPE here, because we use splice() on the ptyfwd stuff and that will generate SIGPIPE if
4782 * the result is closed. Note that the container payload child will reset signal mask+handler anyway,
4783 * so just turning this off here means we only turn it off in nspawn itself, not any children. */
4784 (void) ignore_signals(SIGPIPE
, -1);
4786 n_fd_passed
= sd_listen_fds(false);
4787 if (n_fd_passed
> 0) {
4788 r
= fdset_new_listen_fds(&fds
, false);
4790 log_error_errno(r
, "Failed to collect file descriptors: %m");
4795 /* The "default" umask. This is appropriate for most file and directory
4796 * operations performed by nspawn, and is the umask that will be used for
4797 * the child. Functions like copy_devnodes() change the umask temporarily. */
4800 if (arg_directory
) {
4803 /* Safety precaution: let's not allow running images from the live host OS image, as long as
4804 * /var from the host will propagate into container dynamically (because bad things happen if
4805 * two systems write to the same /var). Let's allow it for the special cases where /var is
4806 * either copied (i.e. --ephemeral) or replaced (i.e. --volatile=yes|state). */
4807 if (path_equal(arg_directory
, "/") && !(arg_ephemeral
|| IN_SET(arg_volatile_mode
, VOLATILE_YES
, VOLATILE_STATE
))) {
4808 log_error("Spawning container on root directory is not supported. Consider using --ephemeral, --volatile=yes or --volatile=state.");
4813 if (arg_ephemeral
) {
4814 _cleanup_free_
char *np
= NULL
;
4816 r
= chase_symlinks_and_update(&arg_directory
, 0);
4820 /* If the specified path is a mount point we generate the new snapshot immediately
4821 * inside it under a random name. However if the specified is not a mount point we
4822 * create the new snapshot in the parent directory, just next to it. */
4823 r
= path_is_mount_point(arg_directory
, NULL
, 0);
4825 log_error_errno(r
, "Failed to determine whether directory %s is mount point: %m", arg_directory
);
4829 r
= tempfn_random_child(arg_directory
, "machine.", &np
);
4831 r
= tempfn_random(arg_directory
, "machine.", &np
);
4833 log_error_errno(r
, "Failed to generate name for directory snapshot: %m");
4837 /* We take an exclusive lock on this image, since it's our private, ephemeral copy
4838 * only owned by us and noone else. */
4839 r
= image_path_lock(np
, LOCK_EX
|LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4841 log_error_errno(r
, "Failed to lock %s: %m", np
);
4846 BLOCK_SIGNALS(SIGINT
);
4847 r
= btrfs_subvol_snapshot(arg_directory
, np
,
4848 (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) |
4849 BTRFS_SNAPSHOT_FALLBACK_COPY
|
4850 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY
|
4851 BTRFS_SNAPSHOT_RECURSIVE
|
4852 BTRFS_SNAPSHOT_QUOTA
|
4853 BTRFS_SNAPSHOT_SIGINT
);
4856 log_error_errno(r
, "Interrupted while copying file system tree to %s, removed again.", np
);
4860 log_error_errno(r
, "Failed to create snapshot %s from %s: %m", np
, arg_directory
);
4864 free_and_replace(arg_directory
, np
);
4865 remove_directory
= true;
4867 r
= chase_symlinks_and_update(&arg_directory
, arg_template
? CHASE_NONEXISTENT
: 0);
4871 r
= image_path_lock(arg_directory
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4873 log_error_errno(r
, "Directory tree %s is currently busy.", arg_directory
);
4877 log_error_errno(r
, "Failed to lock %s: %m", arg_directory
);
4882 r
= chase_symlinks_and_update(&arg_template
, 0);
4887 BLOCK_SIGNALS(SIGINT
);
4888 r
= btrfs_subvol_snapshot(arg_template
, arg_directory
,
4889 (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) |
4890 BTRFS_SNAPSHOT_FALLBACK_COPY
|
4891 BTRFS_SNAPSHOT_FALLBACK_DIRECTORY
|
4892 BTRFS_SNAPSHOT_FALLBACK_IMMUTABLE
|
4893 BTRFS_SNAPSHOT_RECURSIVE
|
4894 BTRFS_SNAPSHOT_QUOTA
|
4895 BTRFS_SNAPSHOT_SIGINT
);
4898 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
,
4899 "Directory %s already exists, not populating from template %s.", arg_directory
, arg_template
);
4900 else if (r
== -EINTR
) {
4901 log_error_errno(r
, "Interrupted while copying file system tree to %s, removed again.", arg_directory
);
4904 log_error_errno(r
, "Couldn't create snapshot %s from %s: %m", arg_directory
, arg_template
);
4907 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
,
4908 "Populated %s from template %s.", arg_directory
, arg_template
);
4912 if (arg_start_mode
== START_BOOT
) {
4915 if (arg_pivot_root_new
)
4916 p
= prefix_roota(arg_directory
, arg_pivot_root_new
);
4920 if (path_is_os_tree(p
) <= 0) {
4921 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", p
);
4928 if (arg_pivot_root_new
)
4929 p
= prefix_roota(arg_directory
, arg_pivot_root_new
);
4933 q
= strjoina(p
, "/usr/");
4935 if (laccess(q
, F_OK
) < 0) {
4936 log_error("Directory %s doesn't look like it has an OS tree. Refusing.", p
);
4944 assert(!arg_template
);
4946 r
= chase_symlinks_and_update(&arg_image
, 0);
4950 if (arg_ephemeral
) {
4951 _cleanup_free_
char *np
= NULL
;
4953 r
= tempfn_random(arg_image
, "machine.", &np
);
4955 log_error_errno(r
, "Failed to generate name for image snapshot: %m");
4959 /* Always take an exclusive lock on our own ephemeral copy. */
4960 r
= image_path_lock(np
, LOCK_EX
|LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4962 r
= log_error_errno(r
, "Failed to create image lock: %m");
4967 BLOCK_SIGNALS(SIGINT
);
4968 r
= copy_file(arg_image
, np
, O_EXCL
, arg_read_only
? 0400 : 0600, FS_NOCOW_FL
, FS_NOCOW_FL
, COPY_REFLINK
|COPY_CRTIME
|COPY_SIGINT
);
4971 log_error_errno(r
, "Interrupted while copying image file to %s, removed again.", np
);
4975 r
= log_error_errno(r
, "Failed to copy image file: %m");
4979 free_and_replace(arg_image
, np
);
4980 remove_image
= true;
4982 r
= image_path_lock(arg_image
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4984 r
= log_error_errno(r
, "Disk image %s is currently busy.", arg_image
);
4988 r
= log_error_errno(r
, "Failed to create image lock: %m");
4992 if (!arg_root_hash
) {
4993 r
= root_hash_load(arg_image
, &arg_root_hash
, &arg_root_hash_size
);
4995 log_error_errno(r
, "Failed to load root hash file for %s: %m", arg_image
);
5001 if (!mkdtemp(tmprootdir
)) {
5002 r
= log_error_errno(errno
, "Failed to create temporary directory: %m");
5006 remove_tmprootdir
= true;
5008 arg_directory
= strdup(tmprootdir
);
5009 if (!arg_directory
) {
5014 r
= loop_device_make_by_path(arg_image
, arg_read_only
? O_RDONLY
: O_RDWR
, &loop
);
5016 log_error_errno(r
, "Failed to set up loopback block device: %m");
5020 r
= dissect_image_and_warn(
5023 arg_root_hash
, arg_root_hash_size
,
5024 DISSECT_IMAGE_REQUIRE_ROOT
,
5027 /* dissected_image_and_warn() already printed a brief error message. Extend on that with more details */
5028 log_notice("Note that the disk image needs to\n"
5029 " a) either contain only a single MBR partition of type 0x83 that is marked bootable\n"
5030 " b) or contain a single GPT partition of type 0FC63DAF-8483-4772-8E79-3D69D8477DE4\n"
5031 " c) or follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n"
5032 " d) or contain a file system without a partition table\n"
5033 "in order to be bootable with systemd-nspawn.");
5039 if (!arg_root_hash
&& dissected_image
->can_verity
)
5040 log_notice("Note: image %s contains verity information, but no root hash specified! Proceeding without integrity checking.", arg_image
);
5042 r
= dissected_image_decrypt_interactively(dissected_image
, NULL
, arg_root_hash
, arg_root_hash_size
, 0, &decrypted_image
);
5046 /* Now that we mounted the image, let's try to remove it again, if it is ephemeral */
5047 if (remove_image
&& unlink(arg_image
) >= 0)
5048 remove_image
= false;
5051 r
= custom_mount_prepare_all(arg_directory
, arg_custom_mounts
, arg_n_custom_mounts
);
5055 if (arg_console_mode
< 0)
5057 isatty(STDIN_FILENO
) > 0 &&
5058 isatty(STDOUT_FILENO
) > 0 ? CONSOLE_INTERACTIVE
: CONSOLE_READ_ONLY
;
5060 if (arg_console_mode
== CONSOLE_PIPE
) /* if we pass STDERR on to the container, don't add our own logs into it too */
5064 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
5065 arg_machine
, arg_image
?: arg_directory
);
5067 assert_se(sigprocmask_many(SIG_BLOCK
, NULL
, SIGCHLD
, SIGWINCH
, SIGTERM
, SIGINT
, -1) >= 0);
5069 if (prctl(PR_SET_CHILD_SUBREAPER
, 1, 0, 0, 0) < 0) {
5070 r
= log_error_errno(errno
, "Failed to become subreaper: %m");
5075 r
= run_container(dissected_image
,
5078 veth_name
, &veth_created
,
5086 (void) sd_notify(false,
5087 r
== 0 && ret
== EXIT_FORCE_RESTART
? "STOPPING=1\nSTATUS=Restarting..." :
5088 "STOPPING=1\nSTATUS=Terminating...");
5091 (void) kill(pid
, SIGKILL
);
5093 /* Try to flush whatever is still queued in the pty */
5095 (void) copy_bytes(master
, STDOUT_FILENO
, (uint64_t) -1, 0);
5096 master
= safe_close(master
);
5100 (void) wait_for_terminate(pid
, NULL
);
5104 if (remove_directory
&& arg_directory
) {
5107 k
= rm_rf(arg_directory
, REMOVE_ROOT
|REMOVE_PHYSICAL
|REMOVE_SUBVOLUME
);
5109 log_warning_errno(k
, "Cannot remove '%s', ignoring: %m", arg_directory
);
5112 if (remove_image
&& arg_image
) {
5113 if (unlink(arg_image
) < 0)
5114 log_warning_errno(errno
, "Can't remove image file '%s', ignoring: %m", arg_image
);
5117 if (remove_tmprootdir
) {
5118 if (rmdir(tmprootdir
) < 0)
5119 log_debug_errno(errno
, "Can't remove temporary root directory '%s', ignoring: %m", tmprootdir
);
5125 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
5126 (void) rm_rf(p
, REMOVE_ROOT
);
5129 expose_port_flush(arg_expose_ports
, &exposed
);
5132 (void) remove_veth_links(veth_name
, arg_network_veth_extra
);
5133 (void) remove_bridge(arg_network_zone
);
5135 custom_mount_free_all(arg_custom_mounts
, arg_n_custom_mounts
);
5136 expose_port_free_all(arg_expose_ports
);
5137 rlimit_free_all(arg_rlimit
);
5138 device_node_array_free(arg_extra_nodes
, arg_n_extra_nodes
);
5146 DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run
);