1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/mount.h>
31 #include <sys/prctl.h>
35 #include <sys/socket.h>
36 #include <linux/netlink.h>
38 #include <linux/veth.h>
39 #include <sys/personality.h>
40 #include <linux/loop.h>
44 #include <selinux/selinux.h>
52 #include <blkid/blkid.h>
55 #include "sd-daemon.h"
58 #include "sd-netlink.h"
59 #include "random-util.h"
66 #include "cgroup-util.h"
68 #include "path-util.h"
69 #include "loopback-setup.h"
70 #include "dev-setup.h"
75 #include "bus-error.h"
78 #include "netlink-util.h"
79 #include "udev-util.h"
80 #include "blkid-util.h"
82 #include "siphash24.h"
84 #include "base-filesystem.h"
86 #include "event-util.h"
87 #include "capability.h"
89 #include "btrfs-util.h"
90 #include "machine-image.h"
92 #include "in-addr-util.h"
93 #include "firewall-util.h"
94 #include "local-addresses.h"
95 #include "formats-util.h"
96 #include "process-util.h"
97 #include "terminal-util.h"
98 #include "hostname-util.h"
99 #include "signal-util.h"
102 #include "seccomp-util.h"
105 typedef struct ExposePort
{
108 uint16_t container_port
;
109 LIST_FIELDS(struct ExposePort
, ports
);
112 typedef enum ContainerStatus
{
113 CONTAINER_TERMINATED
,
117 typedef enum LinkJournal
{
124 typedef enum Volatile
{
130 typedef enum CustomMountType
{
133 CUSTOM_MOUNT_OVERLAY
,
136 typedef struct CustomMount
{
137 CustomMountType type
;
139 char *source
; /* for overlayfs this is the upper directory */
146 static char *arg_directory
= NULL
;
147 static char *arg_template
= NULL
;
148 static char *arg_user
= NULL
;
149 static sd_id128_t arg_uuid
= {};
150 static char *arg_machine
= NULL
;
151 static const char *arg_selinux_context
= NULL
;
152 static const char *arg_selinux_apifs_context
= NULL
;
153 static const char *arg_slice
= NULL
;
154 static bool arg_private_network
= false;
155 static bool arg_read_only
= false;
156 static bool arg_boot
= false;
157 static bool arg_ephemeral
= false;
158 static LinkJournal arg_link_journal
= LINK_AUTO
;
159 static bool arg_link_journal_try
= false;
160 static uint64_t arg_retain
=
161 (1ULL << CAP_CHOWN
) |
162 (1ULL << CAP_DAC_OVERRIDE
) |
163 (1ULL << CAP_DAC_READ_SEARCH
) |
164 (1ULL << CAP_FOWNER
) |
165 (1ULL << CAP_FSETID
) |
166 (1ULL << CAP_IPC_OWNER
) |
168 (1ULL << CAP_LEASE
) |
169 (1ULL << CAP_LINUX_IMMUTABLE
) |
170 (1ULL << CAP_NET_BIND_SERVICE
) |
171 (1ULL << CAP_NET_BROADCAST
) |
172 (1ULL << CAP_NET_RAW
) |
173 (1ULL << CAP_SETGID
) |
174 (1ULL << CAP_SETFCAP
) |
175 (1ULL << CAP_SETPCAP
) |
176 (1ULL << CAP_SETUID
) |
177 (1ULL << CAP_SYS_ADMIN
) |
178 (1ULL << CAP_SYS_CHROOT
) |
179 (1ULL << CAP_SYS_NICE
) |
180 (1ULL << CAP_SYS_PTRACE
) |
181 (1ULL << CAP_SYS_TTY_CONFIG
) |
182 (1ULL << CAP_SYS_RESOURCE
) |
183 (1ULL << CAP_SYS_BOOT
) |
184 (1ULL << CAP_AUDIT_WRITE
) |
185 (1ULL << CAP_AUDIT_CONTROL
) |
187 static CustomMount
*arg_custom_mounts
= NULL
;
188 static unsigned arg_n_custom_mounts
= 0;
189 static char **arg_setenv
= NULL
;
190 static bool arg_quiet
= false;
191 static bool arg_share_system
= false;
192 static bool arg_register
= true;
193 static bool arg_keep_unit
= false;
194 static char **arg_network_interfaces
= NULL
;
195 static char **arg_network_macvlan
= NULL
;
196 static char **arg_network_ipvlan
= NULL
;
197 static bool arg_network_veth
= false;
198 static const char *arg_network_bridge
= NULL
;
199 static unsigned long arg_personality
= PERSONALITY_INVALID
;
200 static char *arg_image
= NULL
;
201 static Volatile arg_volatile
= VOLATILE_NO
;
202 static ExposePort
*arg_expose_ports
= NULL
;
203 static char **arg_property
= NULL
;
204 static uid_t arg_uid_shift
= UID_INVALID
, arg_uid_range
= 0x10000U
;
205 static bool arg_userns
= false;
206 static int arg_kill_signal
= 0;
208 static void help(void) {
209 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
210 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
211 " -h --help Show this help\n"
212 " --version Print version string\n"
213 " -q --quiet Do not show status information\n"
214 " -D --directory=PATH Root directory for the container\n"
215 " --template=PATH Initialize root directory from template directory,\n"
217 " -x --ephemeral Run container with snapshot of root directory, and\n"
218 " remove it after exit\n"
219 " -i --image=PATH File system device or disk image for the container\n"
220 " -b --boot Boot up full system (i.e. invoke init)\n"
221 " -u --user=USER Run the command under specified user or uid\n"
222 " -M --machine=NAME Set the machine name for the container\n"
223 " --uuid=UUID Set a specific machine UUID for the container\n"
224 " -S --slice=SLICE Place the container in the specified slice\n"
225 " --property=NAME=VALUE Set scope unit property\n"
226 " --private-users[=UIDBASE[:NUIDS]]\n"
227 " Run within user namespace\n"
228 " --private-network Disable network in container\n"
229 " --network-interface=INTERFACE\n"
230 " Assign an existing network interface to the\n"
232 " --network-macvlan=INTERFACE\n"
233 " Create a macvlan network interface based on an\n"
234 " existing network interface to the container\n"
235 " --network-ipvlan=INTERFACE\n"
236 " Create a ipvlan network interface based on an\n"
237 " existing network interface to the container\n"
238 " -n --network-veth Add a virtual ethernet connection between host\n"
240 " --network-bridge=INTERFACE\n"
241 " Add a virtual ethernet connection between host\n"
242 " and container and add it to an existing bridge on\n"
244 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
245 " Expose a container IP port on the host\n"
246 " -Z --selinux-context=SECLABEL\n"
247 " Set the SELinux security context to be used by\n"
248 " processes in the container\n"
249 " -L --selinux-apifs-context=SECLABEL\n"
250 " Set the SELinux security context to be used by\n"
251 " API/tmpfs file systems in the container\n"
252 " --capability=CAP In addition to the default, retain specified\n"
254 " --drop-capability=CAP Drop the specified capability from the default set\n"
255 " --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
256 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host,\n"
257 " try-guest, try-host\n"
258 " -j Equivalent to --link-journal=try-guest\n"
259 " --read-only Mount the root directory read-only\n"
260 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
262 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
263 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
264 " --overlay=PATH[:PATH...]:PATH\n"
265 " Create an overlay mount from the host to \n"
267 " --overlay-ro=PATH[:PATH...]:PATH\n"
268 " Similar, but creates a read-only overlay mount\n"
269 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
270 " --share-system Share system namespaces with host\n"
271 " --register=BOOLEAN Register container as machine\n"
272 " --keep-unit Do not register a scope for the machine, reuse\n"
273 " the service unit nspawn is running in\n"
274 " --volatile[=MODE] Run the system in volatile mode\n"
275 , program_invocation_short_name
);
278 static CustomMount
* custom_mount_add(CustomMountType t
) {
279 CustomMount
*c
, *ret
;
281 c
= realloc(arg_custom_mounts
, (arg_n_custom_mounts
+ 1) * sizeof(CustomMount
));
285 arg_custom_mounts
= c
;
286 ret
= arg_custom_mounts
+ arg_n_custom_mounts
;
287 arg_n_custom_mounts
++;
289 *ret
= (CustomMount
) { .type
= t
};
294 static void custom_mount_free_all(void) {
297 for (i
= 0; i
< arg_n_custom_mounts
; i
++) {
298 CustomMount
*m
= &arg_custom_mounts
[i
];
301 free(m
->destination
);
305 (void) rm_rf(m
->work_dir
, REMOVE_ROOT
|REMOVE_PHYSICAL
);
312 arg_custom_mounts
= mfree(arg_custom_mounts
);
313 arg_n_custom_mounts
= 0;
316 static int custom_mount_compare(const void *a
, const void *b
) {
317 const CustomMount
*x
= a
, *y
= b
;
320 r
= path_compare(x
->destination
, y
->destination
);
324 if (x
->type
< y
->type
)
326 if (x
->type
> y
->type
)
332 static int custom_mounts_prepare(void) {
336 /* Ensure the mounts are applied prefix first. */
337 qsort_safe(arg_custom_mounts
, arg_n_custom_mounts
, sizeof(CustomMount
), custom_mount_compare
);
339 /* Allocate working directories for the overlay file systems that need it */
340 for (i
= 0; i
< arg_n_custom_mounts
; i
++) {
341 CustomMount
*m
= &arg_custom_mounts
[i
];
343 if (arg_userns
&& arg_uid_shift
== UID_INVALID
&& path_equal(m
->destination
, "/")) {
344 log_error("--private-users with automatic UID shift may not be combined with custom root mounts.");
348 if (m
->type
!= CUSTOM_MOUNT_OVERLAY
)
357 r
= tempfn_random(m
->source
, NULL
, &m
->work_dir
);
359 return log_error_errno(r
, "Failed to generate work directory from %s: %m", m
->source
);
365 static int set_sanitized_path(char **b
, const char *path
) {
371 p
= canonicalize_file_name(path
);
376 p
= path_make_absolute_cwd(path
);
382 *b
= path_kill_slashes(p
);
386 static int parse_argv(int argc
, char *argv
[]) {
405 ARG_NETWORK_INTERFACE
,
417 static const struct option options
[] = {
418 { "help", no_argument
, NULL
, 'h' },
419 { "version", no_argument
, NULL
, ARG_VERSION
},
420 { "directory", required_argument
, NULL
, 'D' },
421 { "template", required_argument
, NULL
, ARG_TEMPLATE
},
422 { "ephemeral", no_argument
, NULL
, 'x' },
423 { "user", required_argument
, NULL
, 'u' },
424 { "private-network", no_argument
, NULL
, ARG_PRIVATE_NETWORK
},
425 { "boot", no_argument
, NULL
, 'b' },
426 { "uuid", required_argument
, NULL
, ARG_UUID
},
427 { "read-only", no_argument
, NULL
, ARG_READ_ONLY
},
428 { "capability", required_argument
, NULL
, ARG_CAPABILITY
},
429 { "drop-capability", required_argument
, NULL
, ARG_DROP_CAPABILITY
},
430 { "link-journal", required_argument
, NULL
, ARG_LINK_JOURNAL
},
431 { "bind", required_argument
, NULL
, ARG_BIND
},
432 { "bind-ro", required_argument
, NULL
, ARG_BIND_RO
},
433 { "tmpfs", required_argument
, NULL
, ARG_TMPFS
},
434 { "overlay", required_argument
, NULL
, ARG_OVERLAY
},
435 { "overlay-ro", required_argument
, NULL
, ARG_OVERLAY_RO
},
436 { "machine", required_argument
, NULL
, 'M' },
437 { "slice", required_argument
, NULL
, 'S' },
438 { "setenv", required_argument
, NULL
, ARG_SETENV
},
439 { "selinux-context", required_argument
, NULL
, 'Z' },
440 { "selinux-apifs-context", required_argument
, NULL
, 'L' },
441 { "quiet", no_argument
, NULL
, 'q' },
442 { "share-system", no_argument
, NULL
, ARG_SHARE_SYSTEM
},
443 { "register", required_argument
, NULL
, ARG_REGISTER
},
444 { "keep-unit", no_argument
, NULL
, ARG_KEEP_UNIT
},
445 { "network-interface", required_argument
, NULL
, ARG_NETWORK_INTERFACE
},
446 { "network-macvlan", required_argument
, NULL
, ARG_NETWORK_MACVLAN
},
447 { "network-ipvlan", required_argument
, NULL
, ARG_NETWORK_IPVLAN
},
448 { "network-veth", no_argument
, NULL
, 'n' },
449 { "network-bridge", required_argument
, NULL
, ARG_NETWORK_BRIDGE
},
450 { "personality", required_argument
, NULL
, ARG_PERSONALITY
},
451 { "image", required_argument
, NULL
, 'i' },
452 { "volatile", optional_argument
, NULL
, ARG_VOLATILE
},
453 { "port", required_argument
, NULL
, 'p' },
454 { "property", required_argument
, NULL
, ARG_PROPERTY
},
455 { "private-users", optional_argument
, NULL
, ARG_PRIVATE_USERS
},
456 { "kill-signal", required_argument
, NULL
, ARG_KILL_SIGNAL
},
461 uint64_t plus
= 0, minus
= 0;
466 while ((c
= getopt_long(argc
, argv
, "+hD:u:bL:M:jS:Z:qi:xp:n", options
, NULL
)) >= 0)
475 puts(PACKAGE_STRING
);
476 puts(SYSTEMD_FEATURES
);
480 r
= set_sanitized_path(&arg_directory
, optarg
);
482 return log_error_errno(r
, "Invalid root directory: %m");
487 r
= set_sanitized_path(&arg_template
, optarg
);
489 return log_error_errno(r
, "Invalid template directory: %m");
494 r
= set_sanitized_path(&arg_image
, optarg
);
496 return log_error_errno(r
, "Invalid image path: %m");
501 arg_ephemeral
= true;
505 r
= free_and_strdup(&arg_user
, optarg
);
511 case ARG_NETWORK_BRIDGE
:
512 arg_network_bridge
= optarg
;
517 arg_network_veth
= true;
518 arg_private_network
= true;
521 case ARG_NETWORK_INTERFACE
:
522 if (strv_extend(&arg_network_interfaces
, optarg
) < 0)
525 arg_private_network
= true;
528 case ARG_NETWORK_MACVLAN
:
529 if (strv_extend(&arg_network_macvlan
, optarg
) < 0)
532 arg_private_network
= true;
535 case ARG_NETWORK_IPVLAN
:
536 if (strv_extend(&arg_network_ipvlan
, optarg
) < 0)
541 case ARG_PRIVATE_NETWORK
:
542 arg_private_network
= true;
550 r
= sd_id128_from_string(optarg
, &arg_uuid
);
552 log_error("Invalid UUID: %s", optarg
);
562 if (isempty(optarg
)) {
563 arg_machine
= mfree(arg_machine
);
565 if (!machine_name_is_valid(optarg
)) {
566 log_error("Invalid machine name: %s", optarg
);
570 r
= free_and_strdup(&arg_machine
, optarg
);
578 arg_selinux_context
= optarg
;
582 arg_selinux_apifs_context
= optarg
;
586 arg_read_only
= true;
590 case ARG_DROP_CAPABILITY
: {
591 const char *state
, *word
;
594 FOREACH_WORD_SEPARATOR(word
, length
, optarg
, ",", state
) {
595 _cleanup_free_
char *t
;
597 t
= strndup(word
, length
);
601 if (streq(t
, "all")) {
602 if (c
== ARG_CAPABILITY
)
603 plus
= (uint64_t) -1;
605 minus
= (uint64_t) -1;
609 cap
= capability_from_name(t
);
611 log_error("Failed to parse capability %s.", t
);
615 if (c
== ARG_CAPABILITY
)
616 plus
|= 1ULL << (uint64_t) cap
;
618 minus
|= 1ULL << (uint64_t) cap
;
626 arg_link_journal
= LINK_GUEST
;
627 arg_link_journal_try
= true;
630 case ARG_LINK_JOURNAL
:
631 if (streq(optarg
, "auto")) {
632 arg_link_journal
= LINK_AUTO
;
633 arg_link_journal_try
= false;
634 } else if (streq(optarg
, "no")) {
635 arg_link_journal
= LINK_NO
;
636 arg_link_journal_try
= false;
637 } else if (streq(optarg
, "guest")) {
638 arg_link_journal
= LINK_GUEST
;
639 arg_link_journal_try
= false;
640 } else if (streq(optarg
, "host")) {
641 arg_link_journal
= LINK_HOST
;
642 arg_link_journal_try
= false;
643 } else if (streq(optarg
, "try-guest")) {
644 arg_link_journal
= LINK_GUEST
;
645 arg_link_journal_try
= true;
646 } else if (streq(optarg
, "try-host")) {
647 arg_link_journal
= LINK_HOST
;
648 arg_link_journal_try
= true;
650 log_error("Failed to parse link journal mode %s", optarg
);
658 const char *current
= optarg
;
659 _cleanup_free_
char *source
= NULL
, *destination
= NULL
;
661 _cleanup_strv_free_
char **strv
= NULL
;
663 r
= extract_many_words(¤t
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
, &source
, &destination
, NULL
);
666 destination
= strdup(source
);
672 log_error("Invalid bind mount specification: %s", optarg
);
676 if (!source
|| !destination
)
679 if (!path_is_absolute(source
) || !path_is_absolute(destination
)) {
680 log_error("Invalid bind mount specification: %s", optarg
);
684 m
= custom_mount_add(CUSTOM_MOUNT_BIND
);
689 m
->destination
= destination
;
690 m
->read_only
= c
== ARG_BIND_RO
;
692 source
= destination
= NULL
;
698 const char *current
= optarg
;
699 _cleanup_free_
char *path
= NULL
, *opts
= NULL
;
702 r
= extract_first_word(¤t
, &path
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
706 log_error("Invalid tmpfs specification: %s", optarg
);
710 opts
= strdup(current
);
712 opts
= strdup("mode=0755");
717 if (!path_is_absolute(path
)) {
718 log_error("Invalid tmpfs specification: %s", optarg
);
722 m
= custom_mount_add(CUSTOM_MOUNT_TMPFS
);
726 m
->destination
= path
;
735 case ARG_OVERLAY_RO
: {
736 _cleanup_free_
char *upper
= NULL
, *destination
= NULL
;
737 _cleanup_strv_free_
char **lower
= NULL
;
742 lower
= strv_split(optarg
, ":");
746 STRV_FOREACH(i
, lower
) {
747 if (!path_is_absolute(*i
)) {
748 log_error("Overlay path %s is not absolute.", *i
);
756 log_error("--overlay= needs at least two colon-separated directories specified.");
761 /* If two parameters are specified,
762 * the first one is the lower, the
763 * second one the upper directory. And
764 * we'll also define the destination
765 * mount point the same as the upper. */
769 destination
= strdup(upper
);
774 upper
= lower
[n
- 2];
775 destination
= lower
[n
- 1];
779 m
= custom_mount_add(CUSTOM_MOUNT_OVERLAY
);
783 m
->destination
= destination
;
786 m
->read_only
= c
== ARG_OVERLAY_RO
;
788 upper
= destination
= NULL
;
797 if (!env_assignment_is_valid(optarg
)) {
798 log_error("Environment variable assignment '%s' is not valid.", optarg
);
802 n
= strv_env_set(arg_setenv
, optarg
);
806 strv_free(arg_setenv
);
815 case ARG_SHARE_SYSTEM
:
816 arg_share_system
= true;
820 r
= parse_boolean(optarg
);
822 log_error("Failed to parse --register= argument: %s", optarg
);
830 arg_keep_unit
= true;
833 case ARG_PERSONALITY
:
835 arg_personality
= personality_from_string(optarg
);
836 if (arg_personality
== PERSONALITY_INVALID
) {
837 log_error("Unknown or unsupported personality '%s'.", optarg
);
846 arg_volatile
= VOLATILE_YES
;
848 r
= parse_boolean(optarg
);
850 if (streq(optarg
, "state"))
851 arg_volatile
= VOLATILE_STATE
;
853 log_error("Failed to parse --volatile= argument: %s", optarg
);
857 arg_volatile
= r
? VOLATILE_YES
: VOLATILE_NO
;
863 const char *split
, *e
;
864 uint16_t container_port
, host_port
;
868 if ((e
= startswith(optarg
, "tcp:")))
869 protocol
= IPPROTO_TCP
;
870 else if ((e
= startswith(optarg
, "udp:")))
871 protocol
= IPPROTO_UDP
;
874 protocol
= IPPROTO_TCP
;
877 split
= strchr(e
, ':');
879 char v
[split
- e
+ 1];
881 memcpy(v
, e
, split
- e
);
884 r
= safe_atou16(v
, &host_port
);
885 if (r
< 0 || host_port
<= 0) {
886 log_error("Failed to parse host port: %s", optarg
);
890 r
= safe_atou16(split
+ 1, &container_port
);
892 r
= safe_atou16(e
, &container_port
);
893 host_port
= container_port
;
896 if (r
< 0 || container_port
<= 0) {
897 log_error("Failed to parse host port: %s", optarg
);
901 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
902 if (p
->protocol
== protocol
&& p
->host_port
== host_port
) {
903 log_error("Duplicate port specification: %s", optarg
);
908 p
= new(ExposePort
, 1);
912 p
->protocol
= protocol
;
913 p
->host_port
= host_port
;
914 p
->container_port
= container_port
;
916 LIST_PREPEND(ports
, arg_expose_ports
, p
);
922 if (strv_extend(&arg_property
, optarg
) < 0)
927 case ARG_PRIVATE_USERS
:
929 _cleanup_free_
char *buffer
= NULL
;
930 const char *range
, *shift
;
932 range
= strchr(optarg
, ':');
934 buffer
= strndup(optarg
, range
- optarg
);
940 if (safe_atou32(range
, &arg_uid_range
) < 0 || arg_uid_range
<= 0) {
941 log_error("Failed to parse UID range: %s", range
);
947 if (parse_uid(shift
, &arg_uid_shift
) < 0) {
948 log_error("Failed to parse UID: %s", optarg
);
956 case ARG_KILL_SIGNAL
:
957 arg_kill_signal
= signal_from_string_try_harder(optarg
);
958 if (arg_kill_signal
< 0) {
959 log_error("Cannot parse signal: %s", optarg
);
969 assert_not_reached("Unhandled option");
972 if (arg_share_system
)
973 arg_register
= false;
975 if (arg_boot
&& arg_share_system
) {
976 log_error("--boot and --share-system may not be combined.");
980 if (arg_keep_unit
&& cg_pid_get_owner_uid(0, NULL
) >= 0) {
981 log_error("--keep-unit may not be used when invoked from a user session.");
985 if (arg_directory
&& arg_image
) {
986 log_error("--directory= and --image= may not be combined.");
990 if (arg_template
&& arg_image
) {
991 log_error("--template= and --image= may not be combined.");
995 if (arg_template
&& !(arg_directory
|| arg_machine
)) {
996 log_error("--template= needs --directory= or --machine=.");
1000 if (arg_ephemeral
&& arg_template
) {
1001 log_error("--ephemeral and --template= may not be combined.");
1005 if (arg_ephemeral
&& arg_image
) {
1006 log_error("--ephemeral and --image= may not be combined.");
1010 if (arg_ephemeral
&& !IN_SET(arg_link_journal
, LINK_NO
, LINK_AUTO
)) {
1011 log_error("--ephemeral and --link-journal= may not be combined.");
1015 if (arg_volatile
!= VOLATILE_NO
&& arg_read_only
) {
1016 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
1020 if (arg_expose_ports
&& !arg_private_network
) {
1021 log_error("Cannot use --port= without private networking.");
1025 if (arg_userns
&& access("/proc/self/uid_map", F_OK
) < 0)
1026 return log_error_errno(EOPNOTSUPP
, "--private-users= is not supported, kernel compiled without user namespace support.");
1028 arg_retain
= (arg_retain
| plus
| (arg_private_network
? 1ULL << CAP_NET_ADMIN
: 0)) & ~minus
;
1030 if (arg_boot
&& arg_kill_signal
<= 0)
1031 arg_kill_signal
= SIGRTMIN
+3;
1036 static int tmpfs_patch_options(const char *options
, char **ret
) {
1039 if (arg_userns
&& arg_uid_shift
!= 0) {
1040 assert(arg_uid_shift
!= UID_INVALID
);
1043 (void) asprintf(&buf
, "%s,uid=" UID_FMT
",gid=" UID_FMT
, options
, arg_uid_shift
, arg_uid_shift
);
1045 (void) asprintf(&buf
, "uid=" UID_FMT
",gid=" UID_FMT
, arg_uid_shift
, arg_uid_shift
);
1053 if (arg_selinux_apifs_context
) {
1057 t
= strjoin(options
, ",context=\"", arg_selinux_apifs_context
, "\"", NULL
);
1059 t
= strjoin("context=\"", arg_selinux_apifs_context
, "\"", NULL
);
1074 static int mount_all(const char *dest
, bool userns
) {
1076 typedef struct MountPoint
{
1080 const char *options
;
1081 unsigned long flags
;
1086 static const MountPoint mount_table
[] = {
1087 { "proc", "/proc", "proc", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, true, true },
1088 { "/proc/sys", "/proc/sys", NULL
, NULL
, MS_BIND
, true, true }, /* Bind mount first */
1089 { NULL
, "/proc/sys", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_REMOUNT
, true, true }, /* Then, make it r/o */
1090 { "sysfs", "/sys", "sysfs", NULL
, MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, true, false },
1091 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
, true, false },
1092 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID
|MS_STRICTATIME
, true, false },
1093 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
, true, false },
1094 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
, true, false },
1095 { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME
, true, false },
1097 { "/sys/fs/selinux", "/sys/fs/selinux", NULL
, NULL
, MS_BIND
, false, false }, /* Bind mount first */
1098 { NULL
, "/sys/fs/selinux", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_REMOUNT
, false, false }, /* Then, make it r/o */
1105 for (k
= 0; k
< ELEMENTSOF(mount_table
); k
++) {
1106 _cleanup_free_
char *where
= NULL
, *options
= NULL
;
1109 if (userns
!= mount_table
[k
].userns
)
1112 where
= prefix_root(dest
, mount_table
[k
].where
);
1116 r
= path_is_mount_point(where
, AT_SYMLINK_FOLLOW
);
1117 if (r
< 0 && r
!= -ENOENT
)
1118 return log_error_errno(r
, "Failed to detect whether %s is a mount point: %m", where
);
1120 /* Skip this entry if it is not a remount. */
1121 if (mount_table
[k
].what
&& r
> 0)
1124 r
= mkdir_p(where
, 0755);
1126 if (mount_table
[k
].fatal
)
1127 return log_error_errno(r
, "Failed to create directory %s: %m", where
);
1129 log_warning_errno(r
, "Failed to create directory %s: %m", where
);
1133 o
= mount_table
[k
].options
;
1134 if (streq_ptr(mount_table
[k
].type
, "tmpfs")) {
1135 r
= tmpfs_patch_options(o
, &options
);
1142 if (mount(mount_table
[k
].what
,
1144 mount_table
[k
].type
,
1145 mount_table
[k
].flags
,
1148 if (mount_table
[k
].fatal
)
1149 return log_error_errno(errno
, "mount(%s) failed: %m", where
);
1151 log_warning_errno(errno
, "mount(%s) failed, ignoring: %m", where
);
1158 static int mount_bind(const char *dest
, CustomMount
*m
) {
1159 struct stat source_st
, dest_st
;
1165 if (stat(m
->source
, &source_st
) < 0)
1166 return log_error_errno(errno
, "Failed to stat %s: %m", m
->source
);
1168 where
= prefix_roota(dest
, m
->destination
);
1170 if (stat(where
, &dest_st
) >= 0) {
1171 if (S_ISDIR(source_st
.st_mode
) && !S_ISDIR(dest_st
.st_mode
)) {
1172 log_error("Cannot bind mount directory %s on file %s.", m
->source
, where
);
1176 if (!S_ISDIR(source_st
.st_mode
) && S_ISDIR(dest_st
.st_mode
)) {
1177 log_error("Cannot bind mount file %s on directory %s.", m
->source
, where
);
1181 } else if (errno
== ENOENT
) {
1182 r
= mkdir_parents_label(where
, 0755);
1184 return log_error_errno(r
, "Failed to make parents of %s: %m", where
);
1186 log_error_errno(errno
, "Failed to stat %s: %m", where
);
1190 /* Create the mount point. Any non-directory file can be
1191 * mounted on any non-directory file (regular, fifo, socket,
1194 if (S_ISDIR(source_st
.st_mode
))
1195 r
= mkdir_label(where
, 0755);
1198 if (r
< 0 && r
!= -EEXIST
)
1199 return log_error_errno(r
, "Failed to create mount point %s: %m", where
);
1201 if (mount(m
->source
, where
, NULL
, MS_BIND
, NULL
) < 0)
1202 return log_error_errno(errno
, "mount(%s) failed: %m", where
);
1205 r
= bind_remount_recursive(where
, true);
1207 return log_error_errno(r
, "Read-only bind mount failed: %m");
1213 static int mount_tmpfs(const char *dest
, CustomMount
*m
) {
1214 const char *where
, *options
;
1215 _cleanup_free_
char *buf
= NULL
;
1221 where
= prefix_roota(dest
, m
->destination
);
1223 r
= mkdir_p_label(where
, 0755);
1224 if (r
< 0 && r
!= -EEXIST
)
1225 return log_error_errno(r
, "Creating mount point for tmpfs %s failed: %m", where
);
1227 r
= tmpfs_patch_options(m
->options
, &buf
);
1230 options
= r
> 0 ? buf
: m
->options
;
1232 if (mount("tmpfs", where
, "tmpfs", MS_NODEV
|MS_STRICTATIME
, options
) < 0)
1233 return log_error_errno(errno
, "tmpfs mount to %s failed: %m", where
);
1238 static int mount_overlay(const char *dest
, CustomMount
*m
) {
1239 _cleanup_free_
char *lower
= NULL
;
1240 const char *where
, *options
;
1246 where
= prefix_roota(dest
, m
->destination
);
1248 r
= mkdir_label(where
, 0755);
1249 if (r
< 0 && r
!= -EEXIST
)
1250 return log_error_errno(r
, "Creating mount point for overlay %s failed: %m", where
);
1252 (void) mkdir_p_label(m
->source
, 0755);
1254 strv_reverse(m
->lower
);
1255 lower
= strv_join(m
->lower
, ":");
1256 strv_reverse(m
->lower
);
1261 options
= strjoina("lowerdir=", m
->source
, ":", lower
);
1263 assert(m
->work_dir
);
1264 (void) mkdir_label(m
->work_dir
, 0700);
1266 options
= strjoina("lowerdir=", lower
, ",upperdir=", m
->source
, ",workdir=", m
->work_dir
);
1269 if (mount("overlay", where
, "overlay", m
->read_only
? MS_RDONLY
: 0, options
) < 0)
1270 return log_error_errno(errno
, "overlay mount to %s failed: %m", where
);
1275 static int mount_custom(const char *dest
) {
1281 for (i
= 0; i
< arg_n_custom_mounts
; i
++) {
1282 CustomMount
*m
= &arg_custom_mounts
[i
];
1286 case CUSTOM_MOUNT_BIND
:
1287 r
= mount_bind(dest
, m
);
1290 case CUSTOM_MOUNT_TMPFS
:
1291 r
= mount_tmpfs(dest
, m
);
1294 case CUSTOM_MOUNT_OVERLAY
:
1295 r
= mount_overlay(dest
, m
);
1299 assert_not_reached("Unknown custom mount type");
1309 static int mount_cgroup_hierarchy(const char *dest
, const char *controller
, const char *hierarchy
, bool read_only
) {
1313 to
= strjoina(dest
, "/sys/fs/cgroup/", hierarchy
);
1315 r
= path_is_mount_point(to
, 0);
1316 if (r
< 0 && r
!= -ENOENT
)
1317 return log_error_errno(r
, "Failed to determine if %s is mounted already: %m", to
);
1323 /* The superblock mount options of the mount point need to be
1324 * identical to the hosts', and hence writable... */
1325 if (mount("cgroup", to
, "cgroup", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, controller
) < 0)
1326 return log_error_errno(errno
, "Failed to mount to %s: %m", to
);
1328 /* ... hence let's only make the bind mount read-only, not the
1331 if (mount(NULL
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_RDONLY
, NULL
) < 0)
1332 return log_error_errno(errno
, "Failed to remount %s read-only: %m", to
);
1337 static int mount_cgroup(const char *dest
) {
1338 _cleanup_set_free_free_ Set
*controllers
= NULL
;
1339 const char *cgroup_root
;
1342 controllers
= set_new(&string_hash_ops
);
1346 r
= cg_kernel_controllers(controllers
);
1348 return log_error_errno(r
, "Failed to determine cgroup controllers: %m");
1351 _cleanup_free_
char *controller
= NULL
, *origin
= NULL
, *combined
= NULL
;
1353 controller
= set_steal_first(controllers
);
1357 origin
= prefix_root("/sys/fs/cgroup/", controller
);
1361 r
= readlink_malloc(origin
, &combined
);
1363 /* Not a symbolic link, but directly a single cgroup hierarchy */
1365 r
= mount_cgroup_hierarchy(dest
, controller
, controller
, true);
1370 return log_error_errno(r
, "Failed to read link %s: %m", origin
);
1372 _cleanup_free_
char *target
= NULL
;
1374 target
= prefix_root(dest
, origin
);
1378 /* A symbolic link, a combination of controllers in one hierarchy */
1380 if (!filename_is_valid(combined
)) {
1381 log_warning("Ignoring invalid combined hierarchy %s.", combined
);
1385 r
= mount_cgroup_hierarchy(dest
, combined
, combined
, true);
1389 r
= symlink_idempotent(combined
, target
);
1391 log_error("Invalid existing symlink for combined hierarchy");
1395 return log_error_errno(r
, "Failed to create symlink for combined hierarchy: %m");
1399 r
= mount_cgroup_hierarchy(dest
, "name=systemd,xattr", "systemd", false);
1403 cgroup_root
= prefix_roota(dest
, "/sys/fs/cgroup");
1404 if (mount(NULL
, cgroup_root
, NULL
, MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
|MS_RDONLY
, "mode=755") < 0)
1405 return log_error_errno(errno
, "Failed to remount %s read-only: %m", cgroup_root
);
1410 static int mount_systemd_cgroup_writable(const char *dest
) {
1411 _cleanup_free_
char *own_cgroup_path
= NULL
;
1412 const char *systemd_root
, *systemd_own
;
1417 r
= cg_pid_get_path(NULL
, 0, &own_cgroup_path
);
1419 return log_error_errno(r
, "Failed to determine our own cgroup path: %m");
1421 /* Make our own cgroup a (writable) bind mount */
1422 systemd_own
= strjoina(dest
, "/sys/fs/cgroup/systemd", own_cgroup_path
);
1423 if (mount(systemd_own
, systemd_own
, NULL
, MS_BIND
, NULL
) < 0)
1424 return log_error_errno(errno
, "Failed to turn %s into a bind mount: %m", own_cgroup_path
);
1426 /* And then remount the systemd cgroup root read-only */
1427 systemd_root
= prefix_roota(dest
, "/sys/fs/cgroup/systemd");
1428 if (mount(NULL
, systemd_root
, NULL
, MS_BIND
|MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_RDONLY
, NULL
) < 0)
1429 return log_error_errno(errno
, "Failed to mount cgroup root read-only: %m");
1434 static int userns_lchown(const char *p
, uid_t uid
, gid_t gid
) {
1440 if (uid
== UID_INVALID
&& gid
== GID_INVALID
)
1443 if (uid
!= UID_INVALID
) {
1444 uid
+= arg_uid_shift
;
1446 if (uid
< arg_uid_shift
|| uid
>= arg_uid_shift
+ arg_uid_range
)
1450 if (gid
!= GID_INVALID
) {
1451 gid
+= (gid_t
) arg_uid_shift
;
1453 if (gid
< (gid_t
) arg_uid_shift
|| gid
>= (gid_t
) (arg_uid_shift
+ arg_uid_range
))
1457 if (lchown(p
, uid
, gid
) < 0)
1463 static int userns_mkdir(const char *root
, const char *path
, mode_t mode
, uid_t uid
, gid_t gid
) {
1466 q
= prefix_roota(root
, path
);
1467 if (mkdir(q
, mode
) < 0) {
1468 if (errno
== EEXIST
)
1473 return userns_lchown(q
, uid
, gid
);
1476 static int setup_timezone(const char *dest
) {
1477 _cleanup_free_
char *p
= NULL
, *q
= NULL
;
1478 const char *where
, *check
, *what
;
1484 /* Fix the timezone, if possible */
1485 r
= readlink_malloc("/etc/localtime", &p
);
1487 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
1491 z
= path_startswith(p
, "../usr/share/zoneinfo/");
1493 z
= path_startswith(p
, "/usr/share/zoneinfo/");
1495 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1499 where
= prefix_roota(dest
, "/etc/localtime");
1500 r
= readlink_malloc(where
, &q
);
1502 y
= path_startswith(q
, "../usr/share/zoneinfo/");
1504 y
= path_startswith(q
, "/usr/share/zoneinfo/");
1506 /* Already pointing to the right place? Then do nothing .. */
1507 if (y
&& streq(y
, z
))
1511 check
= strjoina("/usr/share/zoneinfo/", z
);
1512 check
= prefix_root(dest
, check
);
1513 if (laccess(check
, F_OK
) < 0) {
1514 log_warning("Timezone %s does not exist in container, not updating container timezone.", z
);
1519 if (r
< 0 && errno
!= ENOENT
) {
1520 log_error_errno(errno
, "Failed to remove existing timezone info %s in container: %m", where
);
1524 what
= strjoina("../usr/share/zoneinfo/", z
);
1525 if (symlink(what
, where
) < 0) {
1526 log_error_errno(errno
, "Failed to correct timezone of container: %m");
1530 r
= userns_lchown(where
, 0, 0);
1532 return log_warning_errno(r
, "Failed to chown /etc/localtime: %m");
1537 static int setup_resolv_conf(const char *dest
) {
1538 const char *where
= NULL
;
1543 if (arg_private_network
)
1546 /* Fix resolv.conf, if possible */
1547 where
= prefix_roota(dest
, "/etc/resolv.conf");
1549 r
= copy_file("/etc/resolv.conf", where
, O_TRUNC
|O_NOFOLLOW
, 0644, 0);
1551 /* If the file already exists as symlink, let's
1552 * suppress the warning, under the assumption that
1553 * resolved or something similar runs inside and the
1554 * symlink points there.
1556 * If the disk image is read-only, there's also no
1557 * point in complaining.
1559 log_full_errno(IN_SET(r
, -ELOOP
, -EROFS
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1560 "Failed to copy /etc/resolv.conf to %s: %m", where
);
1564 r
= userns_lchown(where
, 0, 0);
1566 log_warning_errno(r
, "Failed to chown /etc/resolv.conf: %m");
1571 static int setup_volatile_state(const char *directory
) {
1572 _cleanup_free_
char *buf
= NULL
;
1573 const char *p
, *options
;
1578 if (arg_volatile
!= VOLATILE_STATE
)
1581 /* --volatile=state means we simply overmount /var
1582 with a tmpfs, and the rest read-only. */
1584 r
= bind_remount_recursive(directory
, true);
1586 return log_error_errno(r
, "Failed to remount %s read-only: %m", directory
);
1588 p
= prefix_roota(directory
, "/var");
1590 if (r
< 0 && errno
!= EEXIST
)
1591 return log_error_errno(errno
, "Failed to create %s: %m", directory
);
1593 options
= "mode=755";
1594 r
= tmpfs_patch_options(options
, &buf
);
1600 if (mount("tmpfs", p
, "tmpfs", MS_STRICTATIME
, options
) < 0)
1601 return log_error_errno(errno
, "Failed to mount tmpfs to /var: %m");
1606 static int setup_volatile(const char *directory
) {
1607 bool tmpfs_mounted
= false, bind_mounted
= false;
1608 char template[] = "/tmp/nspawn-volatile-XXXXXX";
1609 _cleanup_free_
char *buf
= NULL
;
1610 const char *f
, *t
, *options
;
1615 if (arg_volatile
!= VOLATILE_YES
)
1618 /* --volatile=yes means we mount a tmpfs to the root dir, and
1619 the original /usr to use inside it, and that read-only. */
1621 if (!mkdtemp(template))
1622 return log_error_errno(errno
, "Failed to create temporary directory: %m");
1624 options
= "mode=755";
1625 r
= tmpfs_patch_options(options
, &buf
);
1631 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME
, options
) < 0) {
1632 r
= log_error_errno(errno
, "Failed to mount tmpfs for root directory: %m");
1636 tmpfs_mounted
= true;
1638 f
= prefix_roota(directory
, "/usr");
1639 t
= prefix_roota(template, "/usr");
1642 if (r
< 0 && errno
!= EEXIST
) {
1643 r
= log_error_errno(errno
, "Failed to create %s: %m", t
);
1647 if (mount(f
, t
, NULL
, MS_BIND
|MS_REC
, NULL
) < 0) {
1648 r
= log_error_errno(errno
, "Failed to create /usr bind mount: %m");
1652 bind_mounted
= true;
1654 r
= bind_remount_recursive(t
, true);
1656 log_error_errno(r
, "Failed to remount %s read-only: %m", t
);
1660 if (mount(template, directory
, NULL
, MS_MOVE
, NULL
) < 0) {
1661 r
= log_error_errno(errno
, "Failed to move root mount: %m");
1665 (void) rmdir(template);
1674 (void) umount(template);
1675 (void) rmdir(template);
1679 static char* id128_format_as_uuid(sd_id128_t id
, char s
[37]) {
1683 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1684 SD_ID128_FORMAT_VAL(id
));
1689 static int setup_boot_id(const char *dest
) {
1690 const char *from
, *to
;
1691 sd_id128_t rnd
= {};
1695 if (arg_share_system
)
1698 /* Generate a new randomized boot ID, so that each boot-up of
1699 * the container gets a new one */
1701 from
= prefix_roota(dest
, "/run/proc-sys-kernel-random-boot-id");
1702 to
= prefix_roota(dest
, "/proc/sys/kernel/random/boot_id");
1704 r
= sd_id128_randomize(&rnd
);
1706 return log_error_errno(r
, "Failed to generate random boot id: %m");
1708 id128_format_as_uuid(rnd
, as_uuid
);
1710 r
= write_string_file(from
, as_uuid
, WRITE_STRING_FILE_CREATE
);
1712 return log_error_errno(r
, "Failed to write boot id: %m");
1714 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1715 r
= log_error_errno(errno
, "Failed to bind mount boot id: %m");
1716 else if (mount(NULL
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
) < 0)
1717 log_warning_errno(errno
, "Failed to make boot id read-only: %m");
1723 static int copy_devnodes(const char *dest
) {
1725 static const char devnodes
[] =
1736 _cleanup_umask_ mode_t u
;
1742 /* Create /dev/net, so that we can create /dev/net/tun in it */
1743 if (userns_mkdir(dest
, "/dev/net", 0755, 0, 0) < 0)
1744 return log_error_errno(r
, "Failed to create /dev/net directory: %m");
1746 NULSTR_FOREACH(d
, devnodes
) {
1747 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1750 from
= strappend("/dev/", d
);
1751 to
= prefix_root(dest
, from
);
1753 if (stat(from
, &st
) < 0) {
1755 if (errno
!= ENOENT
)
1756 return log_error_errno(errno
, "Failed to stat %s: %m", from
);
1758 } else if (!S_ISCHR(st
.st_mode
) && !S_ISBLK(st
.st_mode
)) {
1760 log_error("%s is not a char or block device, cannot copy.", from
);
1764 if (mknod(to
, st
.st_mode
, st
.st_rdev
) < 0) {
1766 return log_error_errno(errno
, "mknod(%s) failed: %m", to
);
1768 /* Some systems abusively restrict mknod but
1769 * allow bind mounts. */
1772 return log_error_errno(r
, "touch (%s) failed: %m", to
);
1773 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1774 return log_error_errno(errno
, "Both mknod and bind mount (%s) failed: %m", to
);
1777 r
= userns_lchown(to
, 0, 0);
1779 return log_error_errno(r
, "chown() of device node %s failed: %m", to
);
1786 static int setup_pts(const char *dest
) {
1787 _cleanup_free_
char *options
= NULL
;
1791 if (arg_selinux_apifs_context
)
1792 (void) asprintf(&options
,
1793 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
",context=\"%s\"",
1794 arg_uid_shift
+ TTY_GID
,
1795 arg_selinux_apifs_context
);
1798 (void) asprintf(&options
,
1799 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
,
1800 arg_uid_shift
+ TTY_GID
);
1805 /* Mount /dev/pts itself */
1806 p
= prefix_roota(dest
, "/dev/pts");
1807 if (mkdir(p
, 0755) < 0)
1808 return log_error_errno(errno
, "Failed to create /dev/pts: %m");
1809 if (mount("devpts", p
, "devpts", MS_NOSUID
|MS_NOEXEC
, options
) < 0)
1810 return log_error_errno(errno
, "Failed to mount /dev/pts: %m");
1811 if (userns_lchown(p
, 0, 0) < 0)
1812 return log_error_errno(errno
, "Failed to chown /dev/pts: %m");
1814 /* Create /dev/ptmx symlink */
1815 p
= prefix_roota(dest
, "/dev/ptmx");
1816 if (symlink("pts/ptmx", p
) < 0)
1817 return log_error_errno(errno
, "Failed to create /dev/ptmx symlink: %m");
1818 if (userns_lchown(p
, 0, 0) < 0)
1819 return log_error_errno(errno
, "Failed to chown /dev/ptmx: %m");
1821 /* And fix /dev/pts/ptmx ownership */
1822 p
= prefix_roota(dest
, "/dev/pts/ptmx");
1823 if (userns_lchown(p
, 0, 0) < 0)
1824 return log_error_errno(errno
, "Failed to chown /dev/pts/ptmx: %m");
1829 static int setup_dev_console(const char *dest
, const char *console
) {
1830 _cleanup_umask_ mode_t u
;
1839 r
= chmod_and_chown(console
, 0600, arg_uid_shift
, arg_uid_shift
);
1841 return log_error_errno(r
, "Failed to correct access mode for TTY: %m");
1843 /* We need to bind mount the right tty to /dev/console since
1844 * ptys can only exist on pts file systems. To have something
1845 * to bind mount things on we create a empty regular file. */
1847 to
= prefix_roota(dest
, "/dev/console");
1850 return log_error_errno(r
, "touch() for /dev/console failed: %m");
1852 if (mount(console
, to
, NULL
, MS_BIND
, NULL
) < 0)
1853 return log_error_errno(errno
, "Bind mount for /dev/console failed: %m");
1858 static int setup_kmsg(const char *dest
, int kmsg_socket
) {
1859 const char *from
, *to
;
1860 _cleanup_umask_ mode_t u
;
1863 struct cmsghdr cmsghdr
;
1864 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1866 struct msghdr mh
= {
1867 .msg_control
= &control
,
1868 .msg_controllen
= sizeof(control
),
1870 struct cmsghdr
*cmsg
;
1872 assert(kmsg_socket
>= 0);
1876 /* We create the kmsg FIFO as /run/kmsg, but immediately
1877 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1878 * on the reading side behave very similar to /proc/kmsg,
1879 * their writing side behaves differently from /dev/kmsg in
1880 * that writing blocks when nothing is reading. In order to
1881 * avoid any problems with containers deadlocking due to this
1882 * we simply make /dev/kmsg unavailable to the container. */
1883 from
= prefix_roota(dest
, "/run/kmsg");
1884 to
= prefix_roota(dest
, "/proc/kmsg");
1886 if (mkfifo(from
, 0600) < 0)
1887 return log_error_errno(errno
, "mkfifo() for /run/kmsg failed: %m");
1888 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1889 return log_error_errno(errno
, "Bind mount for /proc/kmsg failed: %m");
1891 fd
= open(from
, O_RDWR
|O_NDELAY
|O_CLOEXEC
);
1893 return log_error_errno(errno
, "Failed to open fifo: %m");
1895 cmsg
= CMSG_FIRSTHDR(&mh
);
1896 cmsg
->cmsg_level
= SOL_SOCKET
;
1897 cmsg
->cmsg_type
= SCM_RIGHTS
;
1898 cmsg
->cmsg_len
= CMSG_LEN(sizeof(int));
1899 memcpy(CMSG_DATA(cmsg
), &fd
, sizeof(int));
1901 mh
.msg_controllen
= cmsg
->cmsg_len
;
1903 /* Store away the fd in the socket, so that it stays open as
1904 * long as we run the child */
1905 k
= sendmsg(kmsg_socket
, &mh
, MSG_NOSIGNAL
);
1909 return log_error_errno(errno
, "Failed to send FIFO fd: %m");
1911 /* And now make the FIFO unavailable as /run/kmsg... */
1912 (void) unlink(from
);
1917 static int send_rtnl(int send_fd
) {
1919 struct cmsghdr cmsghdr
;
1920 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1922 struct msghdr mh
= {
1923 .msg_control
= &control
,
1924 .msg_controllen
= sizeof(control
),
1926 struct cmsghdr
*cmsg
;
1927 _cleanup_close_
int fd
= -1;
1930 assert(send_fd
>= 0);
1932 if (!arg_expose_ports
)
1935 fd
= socket(PF_NETLINK
, SOCK_RAW
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, NETLINK_ROUTE
);
1937 return log_error_errno(errno
, "Failed to allocate container netlink: %m");
1939 cmsg
= CMSG_FIRSTHDR(&mh
);
1940 cmsg
->cmsg_level
= SOL_SOCKET
;
1941 cmsg
->cmsg_type
= SCM_RIGHTS
;
1942 cmsg
->cmsg_len
= CMSG_LEN(sizeof(int));
1943 memcpy(CMSG_DATA(cmsg
), &fd
, sizeof(int));
1945 mh
.msg_controllen
= cmsg
->cmsg_len
;
1947 /* Store away the fd in the socket, so that it stays open as
1948 * long as we run the child */
1949 k
= sendmsg(send_fd
, &mh
, MSG_NOSIGNAL
);
1951 return log_error_errno(errno
, "Failed to send netlink fd: %m");
1956 static int flush_ports(union in_addr_union
*exposed
) {
1958 int r
, af
= AF_INET
;
1962 if (!arg_expose_ports
)
1965 if (in_addr_is_null(af
, exposed
))
1968 log_debug("Lost IP address.");
1970 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
1971 r
= fw_add_local_dnat(false,
1982 log_warning_errno(r
, "Failed to modify firewall: %m");
1985 *exposed
= IN_ADDR_NULL
;
1989 static int expose_ports(sd_netlink
*rtnl
, union in_addr_union
*exposed
) {
1990 _cleanup_free_
struct local_address
*addresses
= NULL
;
1991 _cleanup_free_
char *pretty
= NULL
;
1992 union in_addr_union new_exposed
;
1995 int af
= AF_INET
, r
;
1999 /* Invoked each time an address is added or removed inside the
2002 if (!arg_expose_ports
)
2005 r
= local_addresses(rtnl
, 0, af
, &addresses
);
2007 return log_error_errno(r
, "Failed to enumerate local addresses: %m");
2010 addresses
[0].family
== af
&&
2011 addresses
[0].scope
< RT_SCOPE_LINK
;
2014 return flush_ports(exposed
);
2016 new_exposed
= addresses
[0].address
;
2017 if (in_addr_equal(af
, exposed
, &new_exposed
))
2020 in_addr_to_string(af
, &new_exposed
, &pretty
);
2021 log_debug("New container IP is %s.", strna(pretty
));
2023 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
2025 r
= fw_add_local_dnat(true,
2034 in_addr_is_null(af
, exposed
) ? NULL
: exposed
);
2036 log_warning_errno(r
, "Failed to modify firewall: %m");
2039 *exposed
= new_exposed
;
2043 static int on_address_change(sd_netlink
*rtnl
, sd_netlink_message
*m
, void *userdata
) {
2044 union in_addr_union
*exposed
= userdata
;
2050 expose_ports(rtnl
, exposed
);
2054 static int watch_rtnl(sd_event
*event
, int recv_fd
, union in_addr_union
*exposed
, sd_netlink
**ret
) {
2056 struct cmsghdr cmsghdr
;
2057 uint8_t buf
[CMSG_SPACE(sizeof(int))];
2059 struct msghdr mh
= {
2060 .msg_control
= &control
,
2061 .msg_controllen
= sizeof(control
),
2063 struct cmsghdr
*cmsg
;
2064 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
2069 assert(recv_fd
>= 0);
2072 if (!arg_expose_ports
)
2075 k
= recvmsg(recv_fd
, &mh
, MSG_NOSIGNAL
);
2077 return log_error_errno(errno
, "Failed to recv netlink fd: %m");
2079 cmsg
= CMSG_FIRSTHDR(&mh
);
2080 assert(cmsg
->cmsg_level
== SOL_SOCKET
);
2081 assert(cmsg
->cmsg_type
== SCM_RIGHTS
);
2082 assert(cmsg
->cmsg_len
== CMSG_LEN(sizeof(int)));
2083 memcpy(&fd
, CMSG_DATA(cmsg
), sizeof(int));
2085 r
= sd_netlink_open_fd(&rtnl
, fd
);
2088 return log_error_errno(r
, "Failed to create rtnl object: %m");
2091 r
= sd_netlink_add_match(rtnl
, RTM_NEWADDR
, on_address_change
, exposed
);
2093 return log_error_errno(r
, "Failed to subscribe to RTM_NEWADDR messages: %m");
2095 r
= sd_netlink_add_match(rtnl
, RTM_DELADDR
, on_address_change
, exposed
);
2097 return log_error_errno(r
, "Failed to subscribe to RTM_DELADDR messages: %m");
2099 r
= sd_netlink_attach_event(rtnl
, event
, 0);
2101 return log_error_errno(r
, "Failed to add to even loop: %m");
2109 static int setup_hostname(void) {
2111 if (arg_share_system
)
2114 if (sethostname_idempotent(arg_machine
) < 0)
2120 static int setup_journal(const char *directory
) {
2121 sd_id128_t machine_id
, this_id
;
2122 _cleanup_free_
char *b
= NULL
, *d
= NULL
;
2123 const char *etc_machine_id
, *p
, *q
;
2127 /* Don't link journals in ephemeral mode */
2131 etc_machine_id
= prefix_roota(directory
, "/etc/machine-id");
2133 r
= read_one_line_file(etc_machine_id
, &b
);
2134 if (r
== -ENOENT
&& arg_link_journal
== LINK_AUTO
)
2137 return log_error_errno(r
, "Failed to read machine ID from %s: %m", etc_machine_id
);
2140 if (isempty(id
) && arg_link_journal
== LINK_AUTO
)
2143 /* Verify validity */
2144 r
= sd_id128_from_string(id
, &machine_id
);
2146 return log_error_errno(r
, "Failed to parse machine ID from %s: %m", etc_machine_id
);
2148 r
= sd_id128_get_machine(&this_id
);
2150 return log_error_errno(r
, "Failed to retrieve machine ID: %m");
2152 if (sd_id128_equal(machine_id
, this_id
)) {
2153 log_full(arg_link_journal
== LINK_AUTO
? LOG_WARNING
: LOG_ERR
,
2154 "Host and machine ids are equal (%s): refusing to link journals", id
);
2155 if (arg_link_journal
== LINK_AUTO
)
2160 if (arg_link_journal
== LINK_NO
)
2163 r
= userns_mkdir(directory
, "/var", 0755, 0, 0);
2165 return log_error_errno(r
, "Failed to create /var: %m");
2167 r
= userns_mkdir(directory
, "/var/log", 0755, 0, 0);
2169 return log_error_errno(r
, "Failed to create /var/log: %m");
2171 r
= userns_mkdir(directory
, "/var/log/journal", 0755, 0, 0);
2173 return log_error_errno(r
, "Failed to create /var/log/journal: %m");
2175 p
= strjoina("/var/log/journal/", id
);
2176 q
= prefix_roota(directory
, p
);
2178 if (path_is_mount_point(p
, 0) > 0) {
2179 if (arg_link_journal
!= LINK_AUTO
) {
2180 log_error("%s: already a mount point, refusing to use for journal", p
);
2187 if (path_is_mount_point(q
, 0) > 0) {
2188 if (arg_link_journal
!= LINK_AUTO
) {
2189 log_error("%s: already a mount point, refusing to use for journal", q
);
2196 r
= readlink_and_make_absolute(p
, &d
);
2198 if ((arg_link_journal
== LINK_GUEST
||
2199 arg_link_journal
== LINK_AUTO
) &&
2202 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2204 log_warning_errno(errno
, "Failed to create directory %s: %m", q
);
2209 return log_error_errno(errno
, "Failed to remove symlink %s: %m", p
);
2210 } else if (r
== -EINVAL
) {
2212 if (arg_link_journal
== LINK_GUEST
&&
2215 if (errno
== ENOTDIR
) {
2216 log_error("%s already exists and is neither a symlink nor a directory", p
);
2219 log_error_errno(errno
, "Failed to remove %s: %m", p
);
2223 } else if (r
!= -ENOENT
) {
2224 log_error_errno(errno
, "readlink(%s) failed: %m", p
);
2228 if (arg_link_journal
== LINK_GUEST
) {
2230 if (symlink(q
, p
) < 0) {
2231 if (arg_link_journal_try
) {
2232 log_debug_errno(errno
, "Failed to symlink %s to %s, skipping journal setup: %m", q
, p
);
2235 log_error_errno(errno
, "Failed to symlink %s to %s: %m", q
, p
);
2240 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2242 log_warning_errno(errno
, "Failed to create directory %s: %m", q
);
2246 if (arg_link_journal
== LINK_HOST
) {
2247 /* don't create parents here -- if the host doesn't have
2248 * permanent journal set up, don't force it here */
2251 if (arg_link_journal_try
) {
2252 log_debug_errno(errno
, "Failed to create %s, skipping journal setup: %m", p
);
2255 log_error_errno(errno
, "Failed to create %s: %m", p
);
2260 } else if (access(p
, F_OK
) < 0)
2263 if (dir_is_empty(q
) == 0)
2264 log_warning("%s is not empty, proceeding anyway.", q
);
2266 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2268 log_error_errno(errno
, "Failed to create %s: %m", q
);
2272 if (mount(p
, q
, NULL
, MS_BIND
, NULL
) < 0)
2273 return log_error_errno(errno
, "Failed to bind mount journal from host into guest: %m");
2278 static int drop_capabilities(void) {
2279 return capability_bounding_set_drop(~arg_retain
, false);
2282 static int register_machine(pid_t pid
, int local_ifindex
) {
2283 _cleanup_bus_error_free_ sd_bus_error error
= SD_BUS_ERROR_NULL
;
2284 _cleanup_bus_flush_close_unref_ sd_bus
*bus
= NULL
;
2290 r
= sd_bus_default_system(&bus
);
2292 return log_error_errno(r
, "Failed to open system bus: %m");
2294 if (arg_keep_unit
) {
2295 r
= sd_bus_call_method(
2297 "org.freedesktop.machine1",
2298 "/org/freedesktop/machine1",
2299 "org.freedesktop.machine1.Manager",
2300 "RegisterMachineWithNetwork",
2305 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid
),
2309 strempty(arg_directory
),
2310 local_ifindex
> 0 ? 1 : 0, local_ifindex
);
2312 _cleanup_bus_message_unref_ sd_bus_message
*m
= NULL
;
2316 r
= sd_bus_message_new_method_call(
2319 "org.freedesktop.machine1",
2320 "/org/freedesktop/machine1",
2321 "org.freedesktop.machine1.Manager",
2322 "CreateMachineWithNetwork");
2324 return bus_log_create_error(r
);
2326 r
= sd_bus_message_append(
2330 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid
),
2334 strempty(arg_directory
),
2335 local_ifindex
> 0 ? 1 : 0, local_ifindex
);
2337 return bus_log_create_error(r
);
2339 r
= sd_bus_message_open_container(m
, 'a', "(sv)");
2341 return bus_log_create_error(r
);
2343 if (!isempty(arg_slice
)) {
2344 r
= sd_bus_message_append(m
, "(sv)", "Slice", "s", arg_slice
);
2346 return bus_log_create_error(r
);
2349 r
= sd_bus_message_append(m
, "(sv)", "DevicePolicy", "s", "strict");
2351 return bus_log_create_error(r
);
2353 /* If you make changes here, also make sure to update
2354 * systemd-nspawn@.service, to keep the device
2355 * policies in sync regardless if we are run with or
2356 * without the --keep-unit switch. */
2357 r
= sd_bus_message_append(m
, "(sv)", "DeviceAllow", "a(ss)", 9,
2358 /* Allow the container to
2359 * access and create the API
2360 * device nodes, so that
2361 * PrivateDevices= in the
2362 * container can work
2367 "/dev/random", "rwm",
2368 "/dev/urandom", "rwm",
2370 "/dev/net/tun", "rwm",
2371 /* Allow the container
2372 * access to ptys. However,
2374 * container to ever create
2375 * these device nodes. */
2376 "/dev/pts/ptmx", "rw",
2379 return bus_log_create_error(r
);
2381 for (j
= 0; j
< arg_n_custom_mounts
; j
++) {
2382 CustomMount
*cm
= &arg_custom_mounts
[j
];
2384 if (cm
->type
!= CUSTOM_MOUNT_BIND
)
2387 r
= is_device_node(cm
->source
);
2389 return log_error_errno(r
, "Failed to stat %s: %m", cm
->source
);
2392 r
= sd_bus_message_append(m
, "(sv)", "DeviceAllow", "a(ss)", 1,
2393 cm
->source
, cm
->read_only
? "r" : "rw");
2395 return log_error_errno(r
, "Failed to append message arguments: %m");
2399 if (arg_kill_signal
!= 0) {
2400 r
= sd_bus_message_append(m
, "(sv)", "KillSignal", "i", arg_kill_signal
);
2402 return bus_log_create_error(r
);
2404 r
= sd_bus_message_append(m
, "(sv)", "KillMode", "s", "mixed");
2406 return bus_log_create_error(r
);
2409 STRV_FOREACH(i
, arg_property
) {
2410 r
= sd_bus_message_open_container(m
, 'r', "sv");
2412 return bus_log_create_error(r
);
2414 r
= bus_append_unit_property_assignment(m
, *i
);
2418 r
= sd_bus_message_close_container(m
);
2420 return bus_log_create_error(r
);
2423 r
= sd_bus_message_close_container(m
);
2425 return bus_log_create_error(r
);
2427 r
= sd_bus_call(bus
, m
, 0, &error
, NULL
);
2431 log_error("Failed to register machine: %s", bus_error_message(&error
, r
));
2438 static int terminate_machine(pid_t pid
) {
2439 _cleanup_bus_error_free_ sd_bus_error error
= SD_BUS_ERROR_NULL
;
2440 _cleanup_bus_message_unref_ sd_bus_message
*reply
= NULL
;
2441 _cleanup_bus_flush_close_unref_ sd_bus
*bus
= NULL
;
2448 /* If we are reusing the unit, then just exit, systemd will do
2449 * the right thing when we exit. */
2453 r
= sd_bus_default_system(&bus
);
2455 return log_error_errno(r
, "Failed to open system bus: %m");
2457 r
= sd_bus_call_method(
2459 "org.freedesktop.machine1",
2460 "/org/freedesktop/machine1",
2461 "org.freedesktop.machine1.Manager",
2468 /* Note that the machine might already have been
2469 * cleaned up automatically, hence don't consider it a
2470 * failure if we cannot get the machine object. */
2471 log_debug("Failed to get machine: %s", bus_error_message(&error
, r
));
2475 r
= sd_bus_message_read(reply
, "o", &path
);
2477 return bus_log_parse_error(r
);
2479 r
= sd_bus_call_method(
2481 "org.freedesktop.machine1",
2483 "org.freedesktop.machine1.Machine",
2489 log_debug("Failed to terminate machine: %s", bus_error_message(&error
, r
));
2496 static int reset_audit_loginuid(void) {
2497 _cleanup_free_
char *p
= NULL
;
2500 if (arg_share_system
)
2503 r
= read_one_line_file("/proc/self/loginuid", &p
);
2507 return log_error_errno(r
, "Failed to read /proc/self/loginuid: %m");
2509 /* Already reset? */
2510 if (streq(p
, "4294967295"))
2513 r
= write_string_file("/proc/self/loginuid", "4294967295", 0);
2516 "Failed to reset audit login UID. This probably means that your kernel is too\n"
2517 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2518 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2519 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2520 "using systemd-nspawn. Sleeping for 5s... (%m)");
2528 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
2529 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
2530 #define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
2532 static int generate_mac(struct ether_addr
*mac
, sd_id128_t hash_key
, uint64_t idx
) {
2538 l
= strlen(arg_machine
);
2539 sz
= sizeof(sd_id128_t
) + l
;
2545 /* fetch some persistent data unique to the host */
2546 r
= sd_id128_get_machine((sd_id128_t
*) v
);
2550 /* combine with some data unique (on this host) to this
2551 * container instance */
2552 i
= mempcpy(v
+ sizeof(sd_id128_t
), arg_machine
, l
);
2555 memcpy(i
, &idx
, sizeof(idx
));
2558 /* Let's hash the host machine ID plus the container name. We
2559 * use a fixed, but originally randomly created hash key here. */
2560 siphash24(result
, v
, sz
, hash_key
.bytes
);
2562 assert_cc(ETH_ALEN
<= sizeof(result
));
2563 memcpy(mac
->ether_addr_octet
, result
, ETH_ALEN
);
2565 /* see eth_random_addr in the kernel */
2566 mac
->ether_addr_octet
[0] &= 0xfe; /* clear multicast bit */
2567 mac
->ether_addr_octet
[0] |= 0x02; /* set local assignment bit (IEEE802) */
2572 static int setup_veth(pid_t pid
, char iface_name
[IFNAMSIZ
], int *ifi
) {
2573 _cleanup_netlink_message_unref_ sd_netlink_message
*m
= NULL
;
2574 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
2575 struct ether_addr mac_host
, mac_container
;
2578 if (!arg_private_network
)
2581 if (!arg_network_veth
)
2584 /* Use two different interface name prefixes depending whether
2585 * we are in bridge mode or not. */
2586 snprintf(iface_name
, IFNAMSIZ
- 1, "%s-%s",
2587 arg_network_bridge
? "vb" : "ve", arg_machine
);
2589 r
= generate_mac(&mac_container
, CONTAINER_HASH_KEY
, 0);
2591 return log_error_errno(r
, "Failed to generate predictable MAC address for container side: %m");
2593 r
= generate_mac(&mac_host
, HOST_HASH_KEY
, 0);
2595 return log_error_errno(r
, "Failed to generate predictable MAC address for host side: %m");
2597 r
= sd_netlink_open(&rtnl
);
2599 return log_error_errno(r
, "Failed to connect to netlink: %m");
2601 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2603 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2605 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, iface_name
);
2607 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2609 r
= sd_netlink_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac_host
);
2611 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2613 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
2615 return log_error_errno(r
, "Failed to open netlink container: %m");
2617 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "veth");
2619 return log_error_errno(r
, "Failed to open netlink container: %m");
2621 r
= sd_netlink_message_open_container(m
, VETH_INFO_PEER
);
2623 return log_error_errno(r
, "Failed to open netlink container: %m");
2625 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, "host0");
2627 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2629 r
= sd_netlink_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac_container
);
2631 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2633 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2635 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2637 r
= sd_netlink_message_close_container(m
);
2639 return log_error_errno(r
, "Failed to close netlink container: %m");
2641 r
= sd_netlink_message_close_container(m
);
2643 return log_error_errno(r
, "Failed to close netlink container: %m");
2645 r
= sd_netlink_message_close_container(m
);
2647 return log_error_errno(r
, "Failed to close netlink container: %m");
2649 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
2651 return log_error_errno(r
, "Failed to add new veth interfaces (host0, %s): %m", iface_name
);
2653 i
= (int) if_nametoindex(iface_name
);
2655 return log_error_errno(errno
, "Failed to resolve interface %s: %m", iface_name
);
2662 static int setup_bridge(const char veth_name
[], int *ifi
) {
2663 _cleanup_netlink_message_unref_ sd_netlink_message
*m
= NULL
;
2664 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
2667 if (!arg_private_network
)
2670 if (!arg_network_veth
)
2673 if (!arg_network_bridge
)
2676 bridge
= (int) if_nametoindex(arg_network_bridge
);
2678 return log_error_errno(errno
, "Failed to resolve interface %s: %m", arg_network_bridge
);
2682 r
= sd_netlink_open(&rtnl
);
2684 return log_error_errno(r
, "Failed to connect to netlink: %m");
2686 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, 0);
2688 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2690 r
= sd_rtnl_message_link_set_flags(m
, IFF_UP
, IFF_UP
);
2692 return log_error_errno(r
, "Failed to set IFF_UP flag: %m");
2694 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, veth_name
);
2696 return log_error_errno(r
, "Failed to add netlink interface name field: %m");
2698 r
= sd_netlink_message_append_u32(m
, IFLA_MASTER
, bridge
);
2700 return log_error_errno(r
, "Failed to add netlink master field: %m");
2702 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
2704 return log_error_errno(r
, "Failed to add veth interface to bridge: %m");
2709 static int parse_interface(struct udev
*udev
, const char *name
) {
2710 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
2711 char ifi_str
[2 + DECIMAL_STR_MAX(int)];
2714 ifi
= (int) if_nametoindex(name
);
2716 return log_error_errno(errno
, "Failed to resolve interface %s: %m", name
);
2718 sprintf(ifi_str
, "n%i", ifi
);
2719 d
= udev_device_new_from_device_id(udev
, ifi_str
);
2721 return log_error_errno(errno
, "Failed to get udev device for interface %s: %m", name
);
2723 if (udev_device_get_is_initialized(d
) <= 0) {
2724 log_error("Network interface %s is not initialized yet.", name
);
2731 static int move_network_interfaces(pid_t pid
) {
2732 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2733 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
2737 if (!arg_private_network
)
2740 if (strv_isempty(arg_network_interfaces
))
2743 r
= sd_netlink_open(&rtnl
);
2745 return log_error_errno(r
, "Failed to connect to netlink: %m");
2749 log_error("Failed to connect to udev.");
2753 STRV_FOREACH(i
, arg_network_interfaces
) {
2754 _cleanup_netlink_message_unref_ sd_netlink_message
*m
= NULL
;
2757 ifi
= parse_interface(udev
, *i
);
2761 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, ifi
);
2763 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2765 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2767 return log_error_errno(r
, "Failed to append namespace PID to netlink message: %m");
2769 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
2771 return log_error_errno(r
, "Failed to move interface %s to namespace: %m", *i
);
2777 static int setup_macvlan(pid_t pid
) {
2778 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2779 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
2784 if (!arg_private_network
)
2787 if (strv_isempty(arg_network_macvlan
))
2790 r
= sd_netlink_open(&rtnl
);
2792 return log_error_errno(r
, "Failed to connect to netlink: %m");
2796 log_error("Failed to connect to udev.");
2800 STRV_FOREACH(i
, arg_network_macvlan
) {
2801 _cleanup_netlink_message_unref_ sd_netlink_message
*m
= NULL
;
2802 _cleanup_free_
char *n
= NULL
;
2803 struct ether_addr mac
;
2806 ifi
= parse_interface(udev
, *i
);
2810 r
= generate_mac(&mac
, MACVLAN_HASH_KEY
, idx
++);
2812 return log_error_errno(r
, "Failed to create MACVLAN MAC address: %m");
2814 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2816 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2818 r
= sd_netlink_message_append_u32(m
, IFLA_LINK
, ifi
);
2820 return log_error_errno(r
, "Failed to add netlink interface index: %m");
2822 n
= strappend("mv-", *i
);
2826 strshorten(n
, IFNAMSIZ
-1);
2828 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, n
);
2830 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2832 r
= sd_netlink_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac
);
2834 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2836 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2838 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2840 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
2842 return log_error_errno(r
, "Failed to open netlink container: %m");
2844 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "macvlan");
2846 return log_error_errno(r
, "Failed to open netlink container: %m");
2848 r
= sd_netlink_message_append_u32(m
, IFLA_MACVLAN_MODE
, MACVLAN_MODE_BRIDGE
);
2850 return log_error_errno(r
, "Failed to append macvlan mode: %m");
2852 r
= sd_netlink_message_close_container(m
);
2854 return log_error_errno(r
, "Failed to close netlink container: %m");
2856 r
= sd_netlink_message_close_container(m
);
2858 return log_error_errno(r
, "Failed to close netlink container: %m");
2860 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
2862 return log_error_errno(r
, "Failed to add new macvlan interfaces: %m");
2868 static int setup_ipvlan(pid_t pid
) {
2869 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2870 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
2874 if (!arg_private_network
)
2877 if (strv_isempty(arg_network_ipvlan
))
2880 r
= sd_netlink_open(&rtnl
);
2882 return log_error_errno(r
, "Failed to connect to netlink: %m");
2886 log_error("Failed to connect to udev.");
2890 STRV_FOREACH(i
, arg_network_ipvlan
) {
2891 _cleanup_netlink_message_unref_ sd_netlink_message
*m
= NULL
;
2892 _cleanup_free_
char *n
= NULL
;
2895 ifi
= parse_interface(udev
, *i
);
2899 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2901 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2903 r
= sd_netlink_message_append_u32(m
, IFLA_LINK
, ifi
);
2905 return log_error_errno(r
, "Failed to add netlink interface index: %m");
2907 n
= strappend("iv-", *i
);
2911 strshorten(n
, IFNAMSIZ
-1);
2913 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, n
);
2915 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2917 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2919 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2921 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
2923 return log_error_errno(r
, "Failed to open netlink container: %m");
2925 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "ipvlan");
2927 return log_error_errno(r
, "Failed to open netlink container: %m");
2929 r
= sd_netlink_message_append_u16(m
, IFLA_IPVLAN_MODE
, IPVLAN_MODE_L2
);
2931 return log_error_errno(r
, "Failed to add ipvlan mode: %m");
2933 r
= sd_netlink_message_close_container(m
);
2935 return log_error_errno(r
, "Failed to close netlink container: %m");
2937 r
= sd_netlink_message_close_container(m
);
2939 return log_error_errno(r
, "Failed to close netlink container: %m");
2941 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
2943 return log_error_errno(r
, "Failed to add new ipvlan interfaces: %m");
2949 static int setup_seccomp(void) {
2952 static const struct {
2953 uint64_t capability
;
2956 { CAP_SYS_RAWIO
, SCMP_SYS(iopl
) },
2957 { CAP_SYS_RAWIO
, SCMP_SYS(ioperm
) },
2958 { CAP_SYS_BOOT
, SCMP_SYS(kexec_load
) },
2959 { CAP_SYS_ADMIN
, SCMP_SYS(swapon
) },
2960 { CAP_SYS_ADMIN
, SCMP_SYS(swapoff
) },
2961 { CAP_SYS_ADMIN
, SCMP_SYS(open_by_handle_at
) },
2962 { CAP_SYS_MODULE
, SCMP_SYS(init_module
) },
2963 { CAP_SYS_MODULE
, SCMP_SYS(finit_module
) },
2964 { CAP_SYS_MODULE
, SCMP_SYS(delete_module
) },
2965 { CAP_SYSLOG
, SCMP_SYS(syslog
) },
2968 scmp_filter_ctx seccomp
;
2972 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
2976 r
= seccomp_add_secondary_archs(seccomp
);
2978 log_error_errno(r
, "Failed to add secondary archs to seccomp filter: %m");
2982 for (i
= 0; i
< ELEMENTSOF(blacklist
); i
++) {
2983 if (arg_retain
& (1ULL << blacklist
[i
].capability
))
2986 r
= seccomp_rule_add(seccomp
, SCMP_ACT_ERRNO(EPERM
), blacklist
[i
].syscall_num
, 0);
2988 continue; /* unknown syscall */
2990 log_error_errno(r
, "Failed to block syscall: %m");
2997 Audit is broken in containers, much of the userspace audit
2998 hookup will fail if running inside a container. We don't
2999 care and just turn off creation of audit sockets.
3001 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
3002 with EAFNOSUPPORT which audit userspace uses as indication
3003 that audit is disabled in the kernel.
3006 r
= seccomp_rule_add(
3008 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
3011 SCMP_A0(SCMP_CMP_EQ
, AF_NETLINK
),
3012 SCMP_A2(SCMP_CMP_EQ
, NETLINK_AUDIT
));
3014 log_error_errno(r
, "Failed to add audit seccomp rule: %m");
3018 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
3020 log_error_errno(r
, "Failed to unset NO_NEW_PRIVS: %m");
3024 r
= seccomp_load(seccomp
);
3026 log_debug_errno(r
, "Kernel is probably not configured with CONFIG_SECCOMP. Disabling seccomp audit filter: %m");
3031 log_error_errno(r
, "Failed to install seccomp audit filter: %m");
3036 seccomp_release(seccomp
);
3044 static int setup_propagate(const char *root
) {
3047 (void) mkdir_p("/run/systemd/nspawn/", 0755);
3048 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
3049 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
3050 (void) mkdir_p(p
, 0600);
3052 if (userns_mkdir(root
, "/run/systemd", 0755, 0, 0) < 0)
3053 return log_error_errno(errno
, "Failed to create /run/systemd: %m");
3055 if (userns_mkdir(root
, "/run/systemd/nspawn", 0755, 0, 0) < 0)
3056 return log_error_errno(errno
, "Failed to create /run/systemd/nspawn: %m");
3058 if (userns_mkdir(root
, "/run/systemd/nspawn/incoming", 0600, 0, 0) < 0)
3059 return log_error_errno(errno
, "Failed to create /run/systemd/nspawn/incoming: %m");
3061 q
= prefix_roota(root
, "/run/systemd/nspawn/incoming");
3062 if (mount(p
, q
, NULL
, MS_BIND
, NULL
) < 0)
3063 return log_error_errno(errno
, "Failed to install propagation bind mount.");
3065 if (mount(NULL
, q
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
) < 0)
3066 return log_error_errno(errno
, "Failed to make propagation mount read-only");
3071 static int setup_image(char **device_path
, int *loop_nr
) {
3072 struct loop_info64 info
= {
3073 .lo_flags
= LO_FLAGS_AUTOCLEAR
|LO_FLAGS_PARTSCAN
3075 _cleanup_close_
int fd
= -1, control
= -1, loop
= -1;
3076 _cleanup_free_
char* loopdev
= NULL
;
3080 assert(device_path
);
3084 fd
= open(arg_image
, O_CLOEXEC
|(arg_read_only
? O_RDONLY
: O_RDWR
)|O_NONBLOCK
|O_NOCTTY
);
3086 return log_error_errno(errno
, "Failed to open %s: %m", arg_image
);
3088 if (fstat(fd
, &st
) < 0)
3089 return log_error_errno(errno
, "Failed to stat %s: %m", arg_image
);
3091 if (S_ISBLK(st
.st_mode
)) {
3094 p
= strdup(arg_image
);
3108 if (!S_ISREG(st
.st_mode
)) {
3109 log_error_errno(errno
, "%s is not a regular file or block device: %m", arg_image
);
3113 control
= open("/dev/loop-control", O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
);
3115 return log_error_errno(errno
, "Failed to open /dev/loop-control: %m");
3117 nr
= ioctl(control
, LOOP_CTL_GET_FREE
);
3119 return log_error_errno(errno
, "Failed to allocate loop device: %m");
3121 if (asprintf(&loopdev
, "/dev/loop%i", nr
) < 0)
3124 loop
= open(loopdev
, O_CLOEXEC
|(arg_read_only
? O_RDONLY
: O_RDWR
)|O_NONBLOCK
|O_NOCTTY
);
3126 return log_error_errno(errno
, "Failed to open loop device %s: %m", loopdev
);
3128 if (ioctl(loop
, LOOP_SET_FD
, fd
) < 0)
3129 return log_error_errno(errno
, "Failed to set loopback file descriptor on %s: %m", loopdev
);
3132 info
.lo_flags
|= LO_FLAGS_READ_ONLY
;
3134 if (ioctl(loop
, LOOP_SET_STATUS64
, &info
) < 0)
3135 return log_error_errno(errno
, "Failed to set loopback settings on %s: %m", loopdev
);
3137 *device_path
= loopdev
;
3148 #define PARTITION_TABLE_BLURB \
3149 "Note that the disk image needs to either contain only a single MBR partition of\n" \
3150 "type 0x83 that is marked bootable, or a single GPT partition of type " \
3151 "0FC63DAF-8483-4772-8E79-3D69D8477DE4 or follow\n" \
3152 " http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n" \
3153 "to be bootable with systemd-nspawn."
3155 static int dissect_image(
3157 char **root_device
, bool *root_device_rw
,
3158 char **home_device
, bool *home_device_rw
,
3159 char **srv_device
, bool *srv_device_rw
,
3163 int home_nr
= -1, srv_nr
= -1;
3164 #ifdef GPT_ROOT_NATIVE
3167 #ifdef GPT_ROOT_SECONDARY
3168 int secondary_root_nr
= -1;
3170 _cleanup_free_
char *home
= NULL
, *root
= NULL
, *secondary_root
= NULL
, *srv
= NULL
, *generic
= NULL
;
3171 _cleanup_udev_enumerate_unref_
struct udev_enumerate
*e
= NULL
;
3172 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
3173 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
3174 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
3175 struct udev_list_entry
*first
, *item
;
3176 bool home_rw
= true, root_rw
= true, secondary_root_rw
= true, srv_rw
= true, generic_rw
= true;
3177 bool is_gpt
, is_mbr
, multiple_generic
= false;
3178 const char *pttype
= NULL
;
3185 assert(root_device
);
3186 assert(home_device
);
3191 b
= blkid_new_probe();
3196 r
= blkid_probe_set_device(b
, fd
, 0, 0);
3201 log_error_errno(errno
, "Failed to set device on blkid probe: %m");
3205 blkid_probe_enable_partitions(b
, 1);
3206 blkid_probe_set_partitions_flags(b
, BLKID_PARTS_ENTRY_DETAILS
);
3209 r
= blkid_do_safeprobe(b
);
3210 if (r
== -2 || r
== 1) {
3211 log_error("Failed to identify any partition table on\n"
3213 PARTITION_TABLE_BLURB
, arg_image
);
3215 } else if (r
!= 0) {
3218 log_error_errno(errno
, "Failed to probe: %m");
3222 (void) blkid_probe_lookup_value(b
, "PTTYPE", &pttype
, NULL
);
3224 is_gpt
= streq_ptr(pttype
, "gpt");
3225 is_mbr
= streq_ptr(pttype
, "dos");
3227 if (!is_gpt
&& !is_mbr
) {
3228 log_error("No GPT or MBR partition table discovered on\n"
3230 PARTITION_TABLE_BLURB
, arg_image
);
3235 pl
= blkid_probe_get_partitions(b
);
3240 log_error("Failed to list partitions of %s", arg_image
);
3248 if (fstat(fd
, &st
) < 0)
3249 return log_error_errno(errno
, "Failed to stat block device: %m");
3251 d
= udev_device_new_from_devnum(udev
, 'b', st
.st_rdev
);
3259 log_error("Kernel partitions never appeared.");
3263 e
= udev_enumerate_new(udev
);
3267 r
= udev_enumerate_add_match_parent(e
, d
);
3271 r
= udev_enumerate_scan_devices(e
);
3273 return log_error_errno(r
, "Failed to scan for partition devices of %s: %m", arg_image
);
3275 /* Count the partitions enumerated by the kernel */
3277 first
= udev_enumerate_get_list_entry(e
);
3278 udev_list_entry_foreach(item
, first
)
3281 /* Count the partitions enumerated by blkid */
3282 m
= blkid_partlist_numof_partitions(pl
);
3286 log_error("blkid and kernel partition list do not match.");
3292 /* The kernel has probed fewer partitions than
3293 * blkid? Maybe the kernel prober is still
3294 * running or it got EBUSY because udev
3295 * already opened the device. Let's reprobe
3296 * the device, which is a synchronous call
3297 * that waits until probing is complete. */
3299 for (j
= 0; j
< 20; j
++) {
3301 r
= ioctl(fd
, BLKRRPART
, 0);
3304 if (r
>= 0 || r
!= -EBUSY
)
3307 /* If something else has the device
3308 * open, such as an udev rule, the
3309 * ioctl will return EBUSY. Since
3310 * there's no way to wait until it
3311 * isn't busy anymore, let's just wait
3312 * a bit, and try again.
3314 * This is really something they
3315 * should fix in the kernel! */
3317 usleep(50 * USEC_PER_MSEC
);
3321 return log_error_errno(r
, "Failed to reread partition table: %m");
3324 e
= udev_enumerate_unref(e
);
3327 first
= udev_enumerate_get_list_entry(e
);
3328 udev_list_entry_foreach(item
, first
) {
3329 _cleanup_udev_device_unref_
struct udev_device
*q
;
3331 unsigned long long flags
;
3337 q
= udev_device_new_from_syspath(udev
, udev_list_entry_get_name(item
));
3342 log_error_errno(errno
, "Failed to get partition device of %s: %m", arg_image
);
3346 qn
= udev_device_get_devnum(q
);
3350 if (st
.st_rdev
== qn
)
3353 node
= udev_device_get_devnode(q
);
3357 pp
= blkid_partlist_devno_to_partition(pl
, qn
);
3361 flags
= blkid_partition_get_flags(pp
);
3363 nr
= blkid_partition_get_partno(pp
);
3371 if (flags
& GPT_FLAG_NO_AUTO
)
3374 stype
= blkid_partition_get_type_string(pp
);
3378 if (sd_id128_from_string(stype
, &type_id
) < 0)
3381 if (sd_id128_equal(type_id
, GPT_HOME
)) {
3383 if (home
&& nr
>= home_nr
)
3387 home_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3389 r
= free_and_strdup(&home
, node
);
3393 } else if (sd_id128_equal(type_id
, GPT_SRV
)) {
3395 if (srv
&& nr
>= srv_nr
)
3399 srv_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3401 r
= free_and_strdup(&srv
, node
);
3405 #ifdef GPT_ROOT_NATIVE
3406 else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE
)) {
3408 if (root
&& nr
>= root_nr
)
3412 root_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3414 r
= free_and_strdup(&root
, node
);
3419 #ifdef GPT_ROOT_SECONDARY
3420 else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY
)) {
3422 if (secondary_root
&& nr
>= secondary_root_nr
)
3425 secondary_root_nr
= nr
;
3426 secondary_root_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3428 r
= free_and_strdup(&secondary_root
, node
);
3433 else if (sd_id128_equal(type_id
, GPT_LINUX_GENERIC
)) {
3436 multiple_generic
= true;
3438 generic_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3440 r
= free_and_strdup(&generic
, node
);
3446 } else if (is_mbr
) {
3449 if (flags
!= 0x80) /* Bootable flag */
3452 type
= blkid_partition_get_type(pp
);
3453 if (type
!= 0x83) /* Linux partition */
3457 multiple_generic
= true;
3461 r
= free_and_strdup(&root
, node
);
3469 *root_device
= root
;
3472 *root_device_rw
= root_rw
;
3474 } else if (secondary_root
) {
3475 *root_device
= secondary_root
;
3476 secondary_root
= NULL
;
3478 *root_device_rw
= secondary_root_rw
;
3480 } else if (generic
) {
3482 /* There were no partitions with precise meanings
3483 * around, but we found generic partitions. In this
3484 * case, if there's only one, we can go ahead and boot
3485 * it, otherwise we bail out, because we really cannot
3486 * make any sense of it. */
3488 if (multiple_generic
) {
3489 log_error("Identified multiple bootable Linux partitions on\n"
3491 PARTITION_TABLE_BLURB
, arg_image
);
3495 *root_device
= generic
;
3498 *root_device_rw
= generic_rw
;
3501 log_error("Failed to identify root partition in disk image\n"
3503 PARTITION_TABLE_BLURB
, arg_image
);
3508 *home_device
= home
;
3511 *home_device_rw
= home_rw
;
3518 *srv_device_rw
= srv_rw
;
3523 log_error("--image= is not supported, compiled without blkid support.");
3528 static int mount_device(const char *what
, const char *where
, const char *directory
, bool rw
) {
3530 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
3531 const char *fstype
, *p
;
3541 p
= strjoina(where
, directory
);
3546 b
= blkid_new_probe_from_filename(what
);
3550 log_error_errno(errno
, "Failed to allocate prober for %s: %m", what
);
3554 blkid_probe_enable_superblocks(b
, 1);
3555 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
);
3558 r
= blkid_do_safeprobe(b
);
3559 if (r
== -1 || r
== 1) {
3560 log_error("Cannot determine file system type of %s", what
);
3562 } else if (r
!= 0) {
3565 log_error_errno(errno
, "Failed to probe %s: %m", what
);
3570 if (blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
) < 0) {
3573 log_error("Failed to determine file system type of %s", what
);
3577 if (streq(fstype
, "crypto_LUKS")) {
3578 log_error("nspawn currently does not support LUKS disk images.");
3582 if (mount(what
, p
, fstype
, MS_NODEV
|(rw
? 0 : MS_RDONLY
), NULL
) < 0)
3583 return log_error_errno(errno
, "Failed to mount %s: %m", what
);
3587 log_error("--image= is not supported, compiled without blkid support.");
3592 static int mount_devices(
3594 const char *root_device
, bool root_device_rw
,
3595 const char *home_device
, bool home_device_rw
,
3596 const char *srv_device
, bool srv_device_rw
) {
3602 r
= mount_device(root_device
, arg_directory
, NULL
, root_device_rw
);
3604 return log_error_errno(r
, "Failed to mount root directory: %m");
3608 r
= mount_device(home_device
, arg_directory
, "/home", home_device_rw
);
3610 return log_error_errno(r
, "Failed to mount home directory: %m");
3614 r
= mount_device(srv_device
, arg_directory
, "/srv", srv_device_rw
);
3616 return log_error_errno(r
, "Failed to mount server data directory: %m");
3622 static void loop_remove(int nr
, int *image_fd
) {
3623 _cleanup_close_
int control
= -1;
3629 if (image_fd
&& *image_fd
>= 0) {
3630 r
= ioctl(*image_fd
, LOOP_CLR_FD
);
3632 log_debug_errno(errno
, "Failed to close loop image: %m");
3633 *image_fd
= safe_close(*image_fd
);
3636 control
= open("/dev/loop-control", O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
);
3638 log_warning_errno(errno
, "Failed to open /dev/loop-control: %m");
3642 r
= ioctl(control
, LOOP_CTL_REMOVE
, nr
);
3644 log_debug_errno(errno
, "Failed to remove loop %d: %m", nr
);
3647 static int spawn_getent(const char *database
, const char *key
, pid_t
*rpid
) {
3655 if (pipe2(pipe_fds
, O_CLOEXEC
) < 0)
3656 return log_error_errno(errno
, "Failed to allocate pipe: %m");
3660 return log_error_errno(errno
, "Failed to fork getent child: %m");
3661 else if (pid
== 0) {
3663 char *empty_env
= NULL
;
3665 if (dup3(pipe_fds
[1], STDOUT_FILENO
, 0) < 0)
3666 _exit(EXIT_FAILURE
);
3668 if (pipe_fds
[0] > 2)
3669 safe_close(pipe_fds
[0]);
3670 if (pipe_fds
[1] > 2)
3671 safe_close(pipe_fds
[1]);
3673 nullfd
= open("/dev/null", O_RDWR
);
3675 _exit(EXIT_FAILURE
);
3677 if (dup3(nullfd
, STDIN_FILENO
, 0) < 0)
3678 _exit(EXIT_FAILURE
);
3680 if (dup3(nullfd
, STDERR_FILENO
, 0) < 0)
3681 _exit(EXIT_FAILURE
);
3686 (void) reset_all_signal_handlers();
3687 (void) reset_signal_mask();
3688 close_all_fds(NULL
, 0);
3690 execle("/usr/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
3691 execle("/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
3692 _exit(EXIT_FAILURE
);
3695 pipe_fds
[1] = safe_close(pipe_fds
[1]);
3702 static int change_uid_gid(char **_home
) {
3703 char line
[LINE_MAX
], *x
, *u
, *g
, *h
;
3704 const char *word
, *state
;
3705 _cleanup_free_ uid_t
*uids
= NULL
;
3706 _cleanup_free_
char *home
= NULL
;
3707 _cleanup_fclose_
FILE *f
= NULL
;
3708 _cleanup_close_
int fd
= -1;
3709 unsigned n_uids
= 0;
3718 if (!arg_user
|| streq(arg_user
, "root") || streq(arg_user
, "0")) {
3719 /* Reset everything fully to 0, just in case */
3721 r
= reset_uid_gid();
3723 return log_error_errno(r
, "Failed to become root: %m");
3729 /* First, get user credentials */
3730 fd
= spawn_getent("passwd", arg_user
, &pid
);
3734 f
= fdopen(fd
, "r");
3739 if (!fgets(line
, sizeof(line
), f
)) {
3742 log_error("Failed to resolve user %s.", arg_user
);
3746 log_error_errno(errno
, "Failed to read from getent: %m");
3752 wait_for_terminate_and_warn("getent passwd", pid
, true);
3754 x
= strchr(line
, ':');
3756 log_error("/etc/passwd entry has invalid user field.");
3760 u
= strchr(x
+1, ':');
3762 log_error("/etc/passwd entry has invalid password field.");
3769 log_error("/etc/passwd entry has invalid UID field.");
3777 log_error("/etc/passwd entry has invalid GID field.");
3782 h
= strchr(x
+1, ':');
3784 log_error("/etc/passwd entry has invalid GECOS field.");
3791 log_error("/etc/passwd entry has invalid home directory field.");
3797 r
= parse_uid(u
, &uid
);
3799 log_error("Failed to parse UID of user.");
3803 r
= parse_gid(g
, &gid
);
3805 log_error("Failed to parse GID of user.");
3813 /* Second, get group memberships */
3814 fd
= spawn_getent("initgroups", arg_user
, &pid
);
3819 f
= fdopen(fd
, "r");
3824 if (!fgets(line
, sizeof(line
), f
)) {
3826 log_error("Failed to resolve user %s.", arg_user
);
3830 log_error_errno(errno
, "Failed to read from getent: %m");
3836 wait_for_terminate_and_warn("getent initgroups", pid
, true);
3838 /* Skip over the username and subsequent separator whitespace */
3840 x
+= strcspn(x
, WHITESPACE
);
3841 x
+= strspn(x
, WHITESPACE
);
3843 FOREACH_WORD(word
, l
, x
, state
) {
3849 if (!GREEDY_REALLOC(uids
, sz
, n_uids
+1))
3852 r
= parse_uid(c
, &uids
[n_uids
++]);
3854 log_error("Failed to parse group data from getent.");
3859 r
= mkdir_parents(home
, 0775);
3861 return log_error_errno(r
, "Failed to make home root directory: %m");
3863 r
= mkdir_safe(home
, 0755, uid
, gid
);
3864 if (r
< 0 && r
!= -EEXIST
)
3865 return log_error_errno(r
, "Failed to make home directory: %m");
3867 (void) fchown(STDIN_FILENO
, uid
, gid
);
3868 (void) fchown(STDOUT_FILENO
, uid
, gid
);
3869 (void) fchown(STDERR_FILENO
, uid
, gid
);
3871 if (setgroups(n_uids
, uids
) < 0)
3872 return log_error_errno(errno
, "Failed to set auxiliary groups: %m");
3874 if (setresgid(gid
, gid
, gid
) < 0)
3875 return log_error_errno(errno
, "setregid() failed: %m");
3877 if (setresuid(uid
, uid
, uid
) < 0)
3878 return log_error_errno(errno
, "setreuid() failed: %m");
3890 * < 0 : wait_for_terminate() failed to get the state of the
3891 * container, the container was terminated by a signal, or
3892 * failed for an unknown reason. No change is made to the
3893 * container argument.
3894 * > 0 : The program executed in the container terminated with an
3895 * error. The exit code of the program executed in the
3896 * container is returned. The container argument has been set
3897 * to CONTAINER_TERMINATED.
3898 * 0 : The container is being rebooted, has been shut down or exited
3899 * successfully. The container argument has been set to either
3900 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
3902 * That is, success is indicated by a return value of zero, and an
3903 * error is indicated by a non-zero value.
3905 static int wait_for_container(pid_t pid
, ContainerStatus
*container
) {
3909 r
= wait_for_terminate(pid
, &status
);
3911 return log_warning_errno(r
, "Failed to wait for container: %m");
3913 switch (status
.si_code
) {
3916 if (status
.si_status
== 0) {
3917 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s exited successfully.", arg_machine
);
3920 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s failed with error code %i.", arg_machine
, status
.si_status
);
3922 *container
= CONTAINER_TERMINATED
;
3923 return status
.si_status
;
3926 if (status
.si_status
== SIGINT
) {
3928 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s has been shut down.", arg_machine
);
3929 *container
= CONTAINER_TERMINATED
;
3932 } else if (status
.si_status
== SIGHUP
) {
3934 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s is being rebooted.", arg_machine
);
3935 *container
= CONTAINER_REBOOTED
;
3939 /* CLD_KILLED fallthrough */
3942 log_error("Container %s terminated by signal %s.", arg_machine
, signal_to_string(status
.si_status
));
3946 log_error("Container %s failed due to unknown reason.", arg_machine
);
3953 static void nop_handler(int sig
) {}
3955 static int on_orderly_shutdown(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
3958 pid
= PTR_TO_UINT32(userdata
);
3960 if (kill(pid
, arg_kill_signal
) >= 0) {
3961 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
3962 sd_event_source_set_userdata(s
, NULL
);
3967 sd_event_exit(sd_event_source_get_event(s
), 0);
3971 static int determine_names(void) {
3974 if (!arg_image
&& !arg_directory
) {
3976 _cleanup_(image_unrefp
) Image
*i
= NULL
;
3978 r
= image_find(arg_machine
, &i
);
3980 return log_error_errno(r
, "Failed to find image for machine '%s': %m", arg_machine
);
3982 log_error("No image for machine '%s': %m", arg_machine
);
3986 if (i
->type
== IMAGE_RAW
)
3987 r
= set_sanitized_path(&arg_image
, i
->path
);
3989 r
= set_sanitized_path(&arg_directory
, i
->path
);
3991 return log_error_errno(r
, "Invalid image directory: %m");
3994 arg_read_only
= arg_read_only
|| i
->read_only
;
3996 arg_directory
= get_current_dir_name();
3998 if (!arg_directory
&& !arg_machine
) {
3999 log_error("Failed to determine path, please use -D or -i.");
4005 if (arg_directory
&& path_equal(arg_directory
, "/"))
4006 arg_machine
= gethostname_malloc();
4008 arg_machine
= strdup(basename(arg_image
?: arg_directory
));
4013 hostname_cleanup(arg_machine
);
4014 if (!machine_name_is_valid(arg_machine
)) {
4015 log_error("Failed to determine machine name automatically, please use -M.");
4019 if (arg_ephemeral
) {
4022 /* Add a random suffix when this is an
4023 * ephemeral machine, so that we can run many
4024 * instances at once without manually having
4025 * to specify -M each time. */
4027 if (asprintf(&b
, "%s-%016" PRIx64
, arg_machine
, random_u64()) < 0)
4038 static int determine_uid_shift(const char *directory
) {
4046 if (arg_uid_shift
== UID_INVALID
) {
4049 r
= stat(directory
, &st
);
4051 return log_error_errno(errno
, "Failed to determine UID base of %s: %m", directory
);
4053 arg_uid_shift
= st
.st_uid
& UINT32_C(0xffff0000);
4055 if (arg_uid_shift
!= (st
.st_gid
& UINT32_C(0xffff0000))) {
4056 log_error("UID and GID base of %s don't match.", directory
);
4060 arg_uid_range
= UINT32_C(0x10000);
4063 if (arg_uid_shift
> (uid_t
) -1 - arg_uid_range
) {
4064 log_error("UID base too high for UID range.");
4068 log_info("Using user namespaces with base " UID_FMT
" and range " UID_FMT
".", arg_uid_shift
, arg_uid_range
);
4072 static int inner_child(
4074 const char *directory
,
4082 _cleanup_free_
char *home
= NULL
;
4084 const char *envp
[] = {
4085 "PATH=" DEFAULT_PATH_SPLIT_USR
,
4086 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
4091 NULL
, /* container_uuid */
4092 NULL
, /* LISTEN_FDS */
4093 NULL
, /* LISTEN_PID */
4097 _cleanup_strv_free_
char **env_use
= NULL
;
4102 assert(kmsg_socket
>= 0);
4105 /* Tell the parent, that it now can write the UID map. */
4106 (void) barrier_place(barrier
); /* #1 */
4108 /* Wait until the parent wrote the UID map */
4109 if (!barrier_place_and_sync(barrier
)) { /* #2 */
4110 log_error("Parent died too early");
4115 r
= mount_all(NULL
, true);
4119 /* Wait until we are cgroup-ified, so that we
4120 * can mount the right cgroup path writable */
4121 if (!barrier_place_and_sync(barrier
)) { /* #3 */
4122 log_error("Parent died too early");
4126 r
= mount_systemd_cgroup_writable("");
4130 r
= reset_uid_gid();
4132 return log_error_errno(r
, "Couldn't become new root: %m");
4134 r
= setup_boot_id(NULL
);
4138 r
= setup_kmsg(NULL
, kmsg_socket
);
4141 kmsg_socket
= safe_close(kmsg_socket
);
4146 return log_error_errno(errno
, "setsid() failed: %m");
4148 if (arg_private_network
)
4151 r
= send_rtnl(rtnl_socket
);
4154 rtnl_socket
= safe_close(rtnl_socket
);
4156 if (drop_capabilities() < 0)
4157 return log_error_errno(errno
, "drop_capabilities() failed: %m");
4161 if (arg_personality
!= PERSONALITY_INVALID
) {
4162 if (personality(arg_personality
) < 0)
4163 return log_error_errno(errno
, "personality() failed: %m");
4164 } else if (secondary
) {
4165 if (personality(PER_LINUX32
) < 0)
4166 return log_error_errno(errno
, "personality() failed: %m");
4170 if (arg_selinux_context
)
4171 if (setexeccon((security_context_t
) arg_selinux_context
) < 0)
4172 return log_error_errno(errno
, "setexeccon(\"%s\") failed: %m", arg_selinux_context
);
4175 r
= change_uid_gid(&home
);
4179 envp
[n_env
] = strv_find_prefix(environ
, "TERM=");
4183 if ((asprintf((char**)(envp
+ n_env
++), "HOME=%s", home
? home
: "/root") < 0) ||
4184 (asprintf((char**)(envp
+ n_env
++), "USER=%s", arg_user
? arg_user
: "root") < 0) ||
4185 (asprintf((char**)(envp
+ n_env
++), "LOGNAME=%s", arg_user
? arg_user
: "root") < 0))
4188 if (!sd_id128_equal(arg_uuid
, SD_ID128_NULL
)) {
4191 if (asprintf((char**)(envp
+ n_env
++), "container_uuid=%s", id128_format_as_uuid(arg_uuid
, as_uuid
)) < 0)
4195 if (fdset_size(fds
) > 0) {
4196 r
= fdset_cloexec(fds
, false);
4198 return log_error_errno(r
, "Failed to unset O_CLOEXEC for file descriptors.");
4200 if ((asprintf((char **)(envp
+ n_env
++), "LISTEN_FDS=%u", fdset_size(fds
)) < 0) ||
4201 (asprintf((char **)(envp
+ n_env
++), "LISTEN_PID=1") < 0))
4205 env_use
= strv_env_merge(2, envp
, arg_setenv
);
4209 /* Let the parent know that we are ready and
4210 * wait until the parent is ready with the
4212 if (!barrier_place_and_sync(barrier
)) { /* #4 */
4213 log_error("Parent died too early");
4217 /* Now, explicitly close the log, so that we
4218 * then can close all remaining fds. Closing
4219 * the log explicitly first has the benefit
4220 * that the logging subsystem knows about it,
4221 * and is thus ready to be reopened should we
4222 * need it again. Note that the other fds
4223 * closed here are at least the locking and
4226 (void) fdset_close_others(fds
);
4232 /* Automatically search for the init system */
4234 m
= 1 + argc
- optind
;
4235 a
= newa(char*, m
+ 1);
4236 memcpy(a
+ 1, argv
+ optind
, m
* sizeof(char*));
4238 a
[0] = (char*) "/usr/lib/systemd/systemd";
4239 execve(a
[0], a
, env_use
);
4241 a
[0] = (char*) "/lib/systemd/systemd";
4242 execve(a
[0], a
, env_use
);
4244 a
[0] = (char*) "/sbin/init";
4245 execve(a
[0], a
, env_use
);
4246 } else if (argc
> optind
)
4247 execvpe(argv
[optind
], argv
+ optind
, env_use
);
4249 chdir(home
? home
: "/root");
4250 execle("/bin/bash", "-bash", NULL
, env_use
);
4251 execle("/bin/sh", "-sh", NULL
, env_use
);
4255 return log_error_errno(errno
, "execv() failed: %m");
4258 static int outer_child(
4260 const char *directory
,
4261 const char *console
,
4262 const char *root_device
, bool root_device_rw
,
4263 const char *home_device
, bool home_device_rw
,
4264 const char *srv_device
, bool srv_device_rw
,
4270 int uid_shift_socket
,
4282 assert(pid_socket
>= 0);
4283 assert(kmsg_socket
>= 0);
4285 if (prctl(PR_SET_PDEATHSIG
, SIGKILL
) < 0)
4286 return log_error_errno(errno
, "PR_SET_PDEATHSIG failed: %m");
4289 close_nointr(STDIN_FILENO
);
4290 close_nointr(STDOUT_FILENO
);
4291 close_nointr(STDERR_FILENO
);
4293 r
= open_terminal(console
, O_RDWR
);
4294 if (r
!= STDIN_FILENO
) {
4300 return log_error_errno(r
, "Failed to open console: %m");
4303 if (dup2(STDIN_FILENO
, STDOUT_FILENO
) != STDOUT_FILENO
||
4304 dup2(STDIN_FILENO
, STDERR_FILENO
) != STDERR_FILENO
)
4305 return log_error_errno(errno
, "Failed to duplicate console: %m");
4308 r
= reset_audit_loginuid();
4312 /* Mark everything as slave, so that we still
4313 * receive mounts from the real root, but don't
4314 * propagate mounts to the real root. */
4315 if (mount(NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
) < 0)
4316 return log_error_errno(errno
, "MS_SLAVE|MS_REC failed: %m");
4318 r
= mount_devices(directory
,
4319 root_device
, root_device_rw
,
4320 home_device
, home_device_rw
,
4321 srv_device
, srv_device_rw
);
4325 r
= determine_uid_shift(directory
);
4330 l
= send(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), MSG_NOSIGNAL
);
4332 return log_error_errno(errno
, "Failed to send UID shift: %m");
4333 if (l
!= sizeof(arg_uid_shift
)) {
4334 log_error("Short write while sending UID shift.");
4339 /* Turn directory into bind mount */
4340 if (mount(directory
, directory
, NULL
, MS_BIND
|MS_REC
, NULL
) < 0)
4341 return log_error_errno(errno
, "Failed to make bind mount: %m");
4343 r
= setup_volatile(directory
);
4347 r
= setup_volatile_state(directory
);
4351 r
= base_filesystem_create(directory
, arg_uid_shift
, (gid_t
) arg_uid_shift
);
4355 if (arg_read_only
) {
4356 r
= bind_remount_recursive(directory
, true);
4358 return log_error_errno(r
, "Failed to make tree read-only: %m");
4361 r
= mount_all(directory
, false);
4365 if (copy_devnodes(directory
) < 0)
4368 dev_setup(directory
, arg_uid_shift
, arg_uid_shift
);
4370 if (setup_pts(directory
) < 0)
4373 r
= setup_propagate(directory
);
4377 r
= setup_dev_console(directory
, console
);
4381 r
= setup_seccomp();
4385 r
= setup_timezone(directory
);
4389 r
= setup_resolv_conf(directory
);
4393 r
= setup_journal(directory
);
4397 r
= mount_custom(directory
);
4401 r
= mount_cgroup(directory
);
4405 r
= mount_move_root(directory
);
4407 return log_error_errno(r
, "Failed to move root directory: %m");
4409 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
|
4410 (arg_share_system
? 0 : CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
) |
4411 (arg_private_network
? CLONE_NEWNET
: 0) |
4412 (arg_userns
? CLONE_NEWUSER
: 0),
4415 return log_error_errno(errno
, "Failed to fork inner child: %m");
4418 pid_socket
= safe_close(pid_socket
);
4419 uid_shift_socket
= safe_close(uid_shift_socket
);
4421 /* The inner child has all namespaces that are
4422 * requested, so that we all are owned by the user if
4423 * user namespaces are turned on. */
4425 r
= inner_child(barrier
, directory
, secondary
, kmsg_socket
, rtnl_socket
, fds
, argc
, argv
);
4427 _exit(EXIT_FAILURE
);
4429 _exit(EXIT_SUCCESS
);
4432 l
= send(pid_socket
, &pid
, sizeof(pid
), MSG_NOSIGNAL
);
4434 return log_error_errno(errno
, "Failed to send PID: %m");
4435 if (l
!= sizeof(pid
)) {
4436 log_error("Short write while sending PID.");
4440 pid_socket
= safe_close(pid_socket
);
4445 static int setup_uid_map(pid_t pid
) {
4446 char uid_map
[strlen("/proc//uid_map") + DECIMAL_STR_MAX(uid_t
) + 1], line
[DECIMAL_STR_MAX(uid_t
)*3+3+1];
4451 xsprintf(uid_map
, "/proc/" PID_FMT
"/uid_map", pid
);
4452 xsprintf(line
, UID_FMT
" " UID_FMT
" " UID_FMT
"\n", 0, arg_uid_shift
, arg_uid_range
);
4453 r
= write_string_file(uid_map
, line
, 0);
4455 return log_error_errno(r
, "Failed to write UID map: %m");
4457 /* We always assign the same UID and GID ranges */
4458 xsprintf(uid_map
, "/proc/" PID_FMT
"/gid_map", pid
);
4459 r
= write_string_file(uid_map
, line
, 0);
4461 return log_error_errno(r
, "Failed to write GID map: %m");
4466 static int chown_cgroup(pid_t pid
) {
4467 _cleanup_free_
char *path
= NULL
, *fs
= NULL
;
4468 _cleanup_close_
int fd
= -1;
4472 r
= cg_pid_get_path(NULL
, pid
, &path
);
4474 return log_error_errno(r
, "Failed to get container cgroup path: %m");
4476 r
= cg_get_path(SYSTEMD_CGROUP_CONTROLLER
, path
, NULL
, &fs
);
4478 return log_error_errno(r
, "Failed to get file system path for container cgroup: %m");
4480 fd
= open(fs
, O_RDONLY
|O_CLOEXEC
|O_DIRECTORY
);
4482 return log_error_errno(errno
, "Failed to open %s: %m", fs
);
4484 FOREACH_STRING(fn
, ".", "tasks", "notify_on_release", "cgroup.procs", "cgroup.clone_children")
4485 if (fchownat(fd
, fn
, arg_uid_shift
, arg_uid_shift
, 0) < 0)
4486 log_warning_errno(errno
, "Failed to chown() cgroup file %s, ignoring: %m", fn
);
4491 int main(int argc
, char *argv
[]) {
4493 _cleanup_free_
char *device_path
= NULL
, *root_device
= NULL
, *home_device
= NULL
, *srv_device
= NULL
, *console
= NULL
;
4494 bool root_device_rw
= true, home_device_rw
= true, srv_device_rw
= true;
4495 _cleanup_close_
int master
= -1, image_fd
= -1;
4496 _cleanup_fdset_free_ FDSet
*fds
= NULL
;
4497 int r
, n_fd_passed
, loop_nr
= -1;
4498 char veth_name
[IFNAMSIZ
];
4499 bool secondary
= false, remove_subvol
= false;
4502 int ret
= EXIT_SUCCESS
;
4503 union in_addr_union exposed
= {};
4504 _cleanup_release_lock_file_ LockFile tree_global_lock
= LOCK_FILE_INIT
, tree_local_lock
= LOCK_FILE_INIT
;
4507 log_parse_environment();
4510 r
= parse_argv(argc
, argv
);
4514 r
= determine_names();
4518 if (geteuid() != 0) {
4519 log_error("Need to be root.");
4524 n_fd_passed
= sd_listen_fds(false);
4525 if (n_fd_passed
> 0) {
4526 r
= fdset_new_listen_fds(&fds
, false);
4528 log_error_errno(r
, "Failed to collect file descriptors: %m");
4533 if (arg_directory
) {
4536 if (path_equal(arg_directory
, "/") && !arg_ephemeral
) {
4537 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
4542 if (arg_ephemeral
) {
4543 _cleanup_free_
char *np
= NULL
;
4545 /* If the specified path is a mount point we
4546 * generate the new snapshot immediately
4547 * inside it under a random name. However if
4548 * the specified is not a mount point we
4549 * create the new snapshot in the parent
4550 * directory, just next to it. */
4551 r
= path_is_mount_point(arg_directory
, 0);
4553 log_error_errno(r
, "Failed to determine whether directory %s is mount point: %m", arg_directory
);
4557 r
= tempfn_random_child(arg_directory
, "machine.", &np
);
4559 r
= tempfn_random(arg_directory
, "machine.", &np
);
4561 log_error_errno(r
, "Failed to generate name for snapshot: %m");
4565 r
= image_path_lock(np
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4567 log_error_errno(r
, "Failed to lock %s: %m", np
);
4571 r
= btrfs_subvol_snapshot(arg_directory
, np
, (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) | BTRFS_SNAPSHOT_FALLBACK_COPY
| BTRFS_SNAPSHOT_RECURSIVE
);
4573 log_error_errno(r
, "Failed to create snapshot %s from %s: %m", np
, arg_directory
);
4577 free(arg_directory
);
4581 remove_subvol
= true;
4584 r
= image_path_lock(arg_directory
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4586 log_error_errno(r
, "Directory tree %s is currently busy.", arg_directory
);
4590 log_error_errno(r
, "Failed to lock %s: %m", arg_directory
);
4595 r
= btrfs_subvol_snapshot(arg_template
, arg_directory
, (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) | BTRFS_SNAPSHOT_FALLBACK_COPY
| BTRFS_SNAPSHOT_RECURSIVE
);
4598 log_info("Directory %s already exists, not populating from template %s.", arg_directory
, arg_template
);
4600 log_error_errno(r
, "Couldn't create snapshot %s from %s: %m", arg_directory
, arg_template
);
4604 log_info("Populated %s from template %s.", arg_directory
, arg_template
);
4610 if (path_is_os_tree(arg_directory
) <= 0) {
4611 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory
);
4618 p
= strjoina(arg_directory
,
4619 argc
> optind
&& path_is_absolute(argv
[optind
]) ? argv
[optind
] : "/usr/bin/");
4620 if (access(p
, F_OK
) < 0) {
4621 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory
);
4628 char template[] = "/tmp/nspawn-root-XXXXXX";
4631 assert(!arg_template
);
4633 r
= image_path_lock(arg_image
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4635 r
= log_error_errno(r
, "Disk image %s is currently busy.", arg_image
);
4639 r
= log_error_errno(r
, "Failed to create image lock: %m");
4643 if (!mkdtemp(template)) {
4644 log_error_errno(errno
, "Failed to create temporary directory: %m");
4649 arg_directory
= strdup(template);
4650 if (!arg_directory
) {
4655 image_fd
= setup_image(&device_path
, &loop_nr
);
4661 r
= dissect_image(image_fd
,
4662 &root_device
, &root_device_rw
,
4663 &home_device
, &home_device_rw
,
4664 &srv_device
, &srv_device_rw
,
4670 r
= custom_mounts_prepare();
4675 isatty(STDIN_FILENO
) > 0 &&
4676 isatty(STDOUT_FILENO
) > 0;
4678 master
= posix_openpt(O_RDWR
|O_NOCTTY
|O_CLOEXEC
|O_NDELAY
);
4680 r
= log_error_errno(errno
, "Failed to acquire pseudo tty: %m");
4684 r
= ptsname_malloc(master
, &console
);
4686 r
= log_error_errno(r
, "Failed to determine tty name: %m");
4690 if (unlockpt(master
) < 0) {
4691 r
= log_error_errno(errno
, "Failed to unlock tty: %m");
4696 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
4697 arg_machine
, arg_image
?: arg_directory
);
4699 assert_se(sigprocmask_many(SIG_BLOCK
, NULL
, SIGCHLD
, SIGWINCH
, SIGTERM
, SIGINT
, -1) >= 0);
4701 assert_se(sigemptyset(&mask_chld
) == 0);
4702 assert_se(sigaddset(&mask_chld
, SIGCHLD
) == 0);
4704 if (prctl(PR_SET_CHILD_SUBREAPER
, 1) < 0) {
4705 r
= log_error_errno(errno
, "Failed to become subreaper: %m");
4710 _cleanup_close_pair_
int kmsg_socket_pair
[2] = { -1, -1 }, rtnl_socket_pair
[2] = { -1, -1 }, pid_socket_pair
[2] = { -1, -1 },
4711 uid_shift_socket_pair
[2] = { -1, -1 };
4712 ContainerStatus container_status
;
4713 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
4714 static const struct sigaction sa
= {
4715 .sa_handler
= nop_handler
,
4716 .sa_flags
= SA_NOCLDSTOP
,
4720 _cleanup_event_unref_ sd_event
*event
= NULL
;
4721 _cleanup_(pty_forward_freep
) PTYForward
*forward
= NULL
;
4722 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
4725 r
= barrier_create(&barrier
);
4727 log_error_errno(r
, "Cannot initialize IPC barrier: %m");
4731 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, kmsg_socket_pair
) < 0) {
4732 r
= log_error_errno(errno
, "Failed to create kmsg socket pair: %m");
4736 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, rtnl_socket_pair
) < 0) {
4737 r
= log_error_errno(errno
, "Failed to create rtnl socket pair: %m");
4741 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, pid_socket_pair
) < 0) {
4742 r
= log_error_errno(errno
, "Failed to create pid socket pair: %m");
4747 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, uid_shift_socket_pair
) < 0) {
4748 r
= log_error_errno(errno
, "Failed to create uid shift socket pair: %m");
4752 /* Child can be killed before execv(), so handle SIGCHLD
4753 * in order to interrupt parent's blocking calls and
4754 * give it a chance to call wait() and terminate. */
4755 r
= sigprocmask(SIG_UNBLOCK
, &mask_chld
, NULL
);
4757 r
= log_error_errno(errno
, "Failed to change the signal mask: %m");
4761 r
= sigaction(SIGCHLD
, &sa
, NULL
);
4763 r
= log_error_errno(errno
, "Failed to install SIGCHLD handler: %m");
4767 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
, NULL
);
4769 if (errno
== EINVAL
)
4770 r
= log_error_errno(errno
, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
4772 r
= log_error_errno(errno
, "clone() failed: %m");
4778 /* The outer child only has a file system namespace. */
4779 barrier_set_role(&barrier
, BARRIER_CHILD
);
4781 master
= safe_close(master
);
4783 kmsg_socket_pair
[0] = safe_close(kmsg_socket_pair
[0]);
4784 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4785 pid_socket_pair
[0] = safe_close(pid_socket_pair
[0]);
4786 uid_shift_socket_pair
[0] = safe_close(uid_shift_socket_pair
[0]);
4788 (void) reset_all_signal_handlers();
4789 (void) reset_signal_mask();
4791 r
= outer_child(&barrier
,
4794 root_device
, root_device_rw
,
4795 home_device
, home_device_rw
,
4796 srv_device
, srv_device_rw
,
4800 kmsg_socket_pair
[1],
4801 rtnl_socket_pair
[1],
4802 uid_shift_socket_pair
[1],
4806 _exit(EXIT_FAILURE
);
4808 _exit(EXIT_SUCCESS
);
4811 barrier_set_role(&barrier
, BARRIER_PARENT
);
4816 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
4817 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
4818 pid_socket_pair
[1] = safe_close(pid_socket_pair
[1]);
4820 /* Wait for the outer child. */
4821 r
= wait_for_terminate_and_warn("namespace helper", pid
, NULL
);
4830 /* And now retrieve the PID of the inner child. */
4831 l
= recv(pid_socket_pair
[0], &pid
, sizeof(pid
), 0);
4833 r
= log_error_errno(errno
, "Failed to read inner child PID: %m");
4836 if (l
!= sizeof(pid
)) {
4837 log_error("Short read while reading inner child PID: %m");
4842 log_debug("Init process invoked as PID " PID_FMT
, pid
);
4845 if (!barrier_place_and_sync(&barrier
)) { /* #1 */
4846 log_error("Child died too early.");
4851 l
= recv(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof(arg_uid_shift
), 0);
4853 r
= log_error_errno(errno
, "Failed to read UID shift: %m");
4856 if (l
!= sizeof(arg_uid_shift
)) {
4857 log_error("Short read while reading UID shift: %m");
4862 r
= setup_uid_map(pid
);
4866 (void) barrier_place(&barrier
); /* #2 */
4869 r
= move_network_interfaces(pid
);
4873 r
= setup_veth(pid
, veth_name
, &ifi
);
4877 r
= setup_bridge(veth_name
, &ifi
);
4881 r
= setup_macvlan(pid
);
4885 r
= setup_ipvlan(pid
);
4889 r
= register_machine(pid
, ifi
);
4893 r
= chown_cgroup(pid
);
4897 /* Notify the child that the parent is ready with all
4898 * its setup (including cgroup-ification), and that
4899 * the child can now hand over control to the code to
4900 * run inside the container. */
4901 (void) barrier_place(&barrier
); /* #3 */
4903 /* Block SIGCHLD here, before notifying child.
4904 * process_pty() will handle it with the other signals. */
4905 assert_se(sigprocmask(SIG_BLOCK
, &mask_chld
, NULL
) >= 0);
4907 /* Reset signal to default */
4908 r
= default_signals(SIGCHLD
, -1);
4910 log_error_errno(r
, "Failed to reset SIGCHLD: %m");
4914 /* Let the child know that we are ready and wait that the child is completely ready now. */
4915 if (!barrier_place_and_sync(&barrier
)) { /* #5 */
4916 log_error("Client died too early.");
4923 "STATUS=Container running.\n"
4924 "X_NSPAWN_LEADER_PID=" PID_FMT
, pid
);
4926 r
= sd_event_new(&event
);
4928 log_error_errno(r
, "Failed to get default event source: %m");
4932 if (arg_kill_signal
> 0) {
4933 /* Try to kill the init system on SIGINT or SIGTERM */
4934 sd_event_add_signal(event
, NULL
, SIGINT
, on_orderly_shutdown
, UINT32_TO_PTR(pid
));
4935 sd_event_add_signal(event
, NULL
, SIGTERM
, on_orderly_shutdown
, UINT32_TO_PTR(pid
));
4937 /* Immediately exit */
4938 sd_event_add_signal(event
, NULL
, SIGINT
, NULL
, NULL
);
4939 sd_event_add_signal(event
, NULL
, SIGTERM
, NULL
, NULL
);
4942 /* simply exit on sigchld */
4943 sd_event_add_signal(event
, NULL
, SIGCHLD
, NULL
, NULL
);
4945 if (arg_expose_ports
) {
4946 r
= watch_rtnl(event
, rtnl_socket_pair
[0], &exposed
, &rtnl
);
4950 (void) expose_ports(rtnl
, &exposed
);
4953 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4955 r
= pty_forward_new(event
, master
, true, !interactive
, &forward
);
4957 log_error_errno(r
, "Failed to create PTY forwarder: %m");
4961 r
= sd_event_loop(event
);
4963 log_error_errno(r
, "Failed to run event loop: %m");
4967 pty_forward_get_last_char(forward
, &last_char
);
4969 forward
= pty_forward_free(forward
);
4971 if (!arg_quiet
&& last_char
!= '\n')
4974 /* Kill if it is not dead yet anyway */
4975 terminate_machine(pid
);
4977 /* Normally redundant, but better safe than sorry */
4980 r
= wait_for_container(pid
, &container_status
);
4984 /* We failed to wait for the container, or the
4985 * container exited abnormally */
4987 else if (r
> 0 || container_status
== CONTAINER_TERMINATED
){
4988 /* The container exited with a non-zero
4989 * status, or with zero status and no reboot
4995 /* CONTAINER_REBOOTED, loop again */
4997 if (arg_keep_unit
) {
4998 /* Special handling if we are running as a
4999 * service: instead of simply restarting the
5000 * machine we want to restart the entire
5001 * service, so let's inform systemd about this
5002 * with the special exit code 133. The service
5003 * file uses RestartForceExitStatus=133 so
5004 * that this results in a full nspawn
5005 * restart. This is necessary since we might
5006 * have cgroup parameters set we want to have
5013 flush_ports(&exposed
);
5019 "STATUS=Terminating...");
5024 /* Try to flush whatever is still queued in the pty */
5026 (void) copy_bytes(master
, STDOUT_FILENO
, (off_t
) -1, false);
5028 loop_remove(loop_nr
, &image_fd
);
5030 if (remove_subvol
&& arg_directory
) {
5033 k
= btrfs_subvol_remove(arg_directory
, true);
5035 log_warning_errno(k
, "Cannot remove subvolume '%s', ignoring: %m", arg_directory
);
5041 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
5042 (void) rm_rf(p
, REMOVE_ROOT
);
5045 free(arg_directory
);
5050 strv_free(arg_setenv
);
5051 strv_free(arg_network_interfaces
);
5052 strv_free(arg_network_macvlan
);
5053 strv_free(arg_network_ipvlan
);
5054 custom_mount_free_all();
5056 flush_ports(&exposed
);
5058 while (arg_expose_ports
) {
5059 ExposePort
*p
= arg_expose_ports
;
5060 LIST_REMOVE(ports
, arg_expose_ports
, p
);
5064 return r
< 0 ? EXIT_FAILURE
: ret
;