1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/mount.h>
31 #include <sys/prctl.h>
35 #include <sys/socket.h>
36 #include <linux/netlink.h>
38 #include <linux/veth.h>
39 #include <sys/personality.h>
40 #include <linux/loop.h>
44 #include <selinux/selinux.h>
52 #include <blkid/blkid.h>
55 #include "sd-daemon.h"
58 #include "sd-netlink.h"
59 #include "random-util.h"
66 #include "cgroup-util.h"
68 #include "path-util.h"
69 #include "loopback-setup.h"
70 #include "dev-setup.h"
75 #include "bus-error.h"
78 #include "netlink-util.h"
79 #include "udev-util.h"
80 #include "blkid-util.h"
82 #include "siphash24.h"
84 #include "base-filesystem.h"
86 #include "event-util.h"
87 #include "capability.h"
89 #include "btrfs-util.h"
90 #include "machine-image.h"
92 #include "in-addr-util.h"
93 #include "firewall-util.h"
94 #include "local-addresses.h"
95 #include "formats-util.h"
96 #include "process-util.h"
97 #include "terminal-util.h"
98 #include "hostname-util.h"
99 #include "signal-util.h"
102 #include "seccomp-util.h"
105 typedef struct ExposePort
{
108 uint16_t container_port
;
109 LIST_FIELDS(struct ExposePort
, ports
);
112 typedef enum ContainerStatus
{
113 CONTAINER_TERMINATED
,
117 typedef enum LinkJournal
{
124 typedef enum Volatile
{
130 typedef enum CustomMountType
{
133 CUSTOM_MOUNT_OVERLAY
,
136 typedef struct CustomMount
{
137 CustomMountType type
;
139 char *source
; /* for overlayfs this is the upper directory */
146 static char *arg_directory
= NULL
;
147 static char *arg_template
= NULL
;
148 static char *arg_user
= NULL
;
149 static sd_id128_t arg_uuid
= {};
150 static char *arg_machine
= NULL
;
151 static const char *arg_selinux_context
= NULL
;
152 static const char *arg_selinux_apifs_context
= NULL
;
153 static const char *arg_slice
= NULL
;
154 static bool arg_private_network
= false;
155 static bool arg_read_only
= false;
156 static bool arg_boot
= false;
157 static bool arg_ephemeral
= false;
158 static LinkJournal arg_link_journal
= LINK_AUTO
;
159 static bool arg_link_journal_try
= false;
160 static uint64_t arg_retain
=
161 (1ULL << CAP_CHOWN
) |
162 (1ULL << CAP_DAC_OVERRIDE
) |
163 (1ULL << CAP_DAC_READ_SEARCH
) |
164 (1ULL << CAP_FOWNER
) |
165 (1ULL << CAP_FSETID
) |
166 (1ULL << CAP_IPC_OWNER
) |
168 (1ULL << CAP_LEASE
) |
169 (1ULL << CAP_LINUX_IMMUTABLE
) |
170 (1ULL << CAP_NET_BIND_SERVICE
) |
171 (1ULL << CAP_NET_BROADCAST
) |
172 (1ULL << CAP_NET_RAW
) |
173 (1ULL << CAP_SETGID
) |
174 (1ULL << CAP_SETFCAP
) |
175 (1ULL << CAP_SETPCAP
) |
176 (1ULL << CAP_SETUID
) |
177 (1ULL << CAP_SYS_ADMIN
) |
178 (1ULL << CAP_SYS_CHROOT
) |
179 (1ULL << CAP_SYS_NICE
) |
180 (1ULL << CAP_SYS_PTRACE
) |
181 (1ULL << CAP_SYS_TTY_CONFIG
) |
182 (1ULL << CAP_SYS_RESOURCE
) |
183 (1ULL << CAP_SYS_BOOT
) |
184 (1ULL << CAP_AUDIT_WRITE
) |
185 (1ULL << CAP_AUDIT_CONTROL
) |
187 static CustomMount
*arg_custom_mounts
= NULL
;
188 static unsigned arg_n_custom_mounts
= 0;
189 static char **arg_setenv
= NULL
;
190 static bool arg_quiet
= false;
191 static bool arg_share_system
= false;
192 static bool arg_register
= true;
193 static bool arg_keep_unit
= false;
194 static char **arg_network_interfaces
= NULL
;
195 static char **arg_network_macvlan
= NULL
;
196 static char **arg_network_ipvlan
= NULL
;
197 static bool arg_network_veth
= false;
198 static const char *arg_network_bridge
= NULL
;
199 static unsigned long arg_personality
= PERSONALITY_INVALID
;
200 static char *arg_image
= NULL
;
201 static Volatile arg_volatile
= VOLATILE_NO
;
202 static ExposePort
*arg_expose_ports
= NULL
;
203 static char **arg_property
= NULL
;
204 static uid_t arg_uid_shift
= UID_INVALID
, arg_uid_range
= 0x10000U
;
205 static bool arg_userns
= false;
206 static int arg_kill_signal
= 0;
208 static void help(void) {
209 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
210 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
211 " -h --help Show this help\n"
212 " --version Print version string\n"
213 " -q --quiet Do not show status information\n"
214 " -D --directory=PATH Root directory for the container\n"
215 " --template=PATH Initialize root directory from template directory,\n"
217 " -x --ephemeral Run container with snapshot of root directory, and\n"
218 " remove it after exit\n"
219 " -i --image=PATH File system device or disk image for the container\n"
220 " -b --boot Boot up full system (i.e. invoke init)\n"
221 " -u --user=USER Run the command under specified user or uid\n"
222 " -M --machine=NAME Set the machine name for the container\n"
223 " --uuid=UUID Set a specific machine UUID for the container\n"
224 " -S --slice=SLICE Place the container in the specified slice\n"
225 " --property=NAME=VALUE Set scope unit property\n"
226 " --private-users[=UIDBASE[:NUIDS]]\n"
227 " Run within user namespace\n"
228 " --private-network Disable network in container\n"
229 " --network-interface=INTERFACE\n"
230 " Assign an existing network interface to the\n"
232 " --network-macvlan=INTERFACE\n"
233 " Create a macvlan network interface based on an\n"
234 " existing network interface to the container\n"
235 " --network-ipvlan=INTERFACE\n"
236 " Create a ipvlan network interface based on an\n"
237 " existing network interface to the container\n"
238 " -n --network-veth Add a virtual ethernet connection between host\n"
240 " --network-bridge=INTERFACE\n"
241 " Add a virtual ethernet connection between host\n"
242 " and container and add it to an existing bridge on\n"
244 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
245 " Expose a container IP port on the host\n"
246 " -Z --selinux-context=SECLABEL\n"
247 " Set the SELinux security context to be used by\n"
248 " processes in the container\n"
249 " -L --selinux-apifs-context=SECLABEL\n"
250 " Set the SELinux security context to be used by\n"
251 " API/tmpfs file systems in the container\n"
252 " --capability=CAP In addition to the default, retain specified\n"
254 " --drop-capability=CAP Drop the specified capability from the default set\n"
255 " --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
256 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host,\n"
257 " try-guest, try-host\n"
258 " -j Equivalent to --link-journal=try-guest\n"
259 " --read-only Mount the root directory read-only\n"
260 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
262 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
263 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
264 " --overlay=PATH[:PATH...]:PATH\n"
265 " Create an overlay mount from the host to \n"
267 " --overlay-ro=PATH[:PATH...]:PATH\n"
268 " Similar, but creates a read-only overlay mount\n"
269 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
270 " --share-system Share system namespaces with host\n"
271 " --register=BOOLEAN Register container as machine\n"
272 " --keep-unit Do not register a scope for the machine, reuse\n"
273 " the service unit nspawn is running in\n"
274 " --volatile[=MODE] Run the system in volatile mode\n"
275 , program_invocation_short_name
);
278 static CustomMount
* custom_mount_add(CustomMountType t
) {
279 CustomMount
*c
, *ret
;
281 c
= realloc(arg_custom_mounts
, (arg_n_custom_mounts
+ 1) * sizeof(CustomMount
));
285 arg_custom_mounts
= c
;
286 ret
= arg_custom_mounts
+ arg_n_custom_mounts
;
287 arg_n_custom_mounts
++;
289 *ret
= (CustomMount
) { .type
= t
};
294 static void custom_mount_free_all(void) {
297 for (i
= 0; i
< arg_n_custom_mounts
; i
++) {
298 CustomMount
*m
= &arg_custom_mounts
[i
];
301 free(m
->destination
);
305 (void) rm_rf(m
->work_dir
, REMOVE_ROOT
|REMOVE_PHYSICAL
);
312 arg_custom_mounts
= mfree(arg_custom_mounts
);
313 arg_n_custom_mounts
= 0;
316 static int custom_mount_compare(const void *a
, const void *b
) {
317 const CustomMount
*x
= a
, *y
= b
;
320 r
= path_compare(x
->destination
, y
->destination
);
324 if (x
->type
< y
->type
)
326 if (x
->type
> y
->type
)
332 static int custom_mounts_prepare(void) {
336 /* Ensure the mounts are applied prefix first. */
337 qsort_safe(arg_custom_mounts
, arg_n_custom_mounts
, sizeof(CustomMount
), custom_mount_compare
);
339 /* Allocate working directories for the overlay file systems that need it */
340 for (i
= 0; i
< arg_n_custom_mounts
; i
++) {
341 CustomMount
*m
= &arg_custom_mounts
[i
];
343 if (arg_userns
&& arg_uid_shift
== UID_INVALID
&& path_equal(m
->destination
, "/")) {
344 log_error("--private-users with automatic UID shift may not be combined with custom root mounts.");
348 if (m
->type
!= CUSTOM_MOUNT_OVERLAY
)
357 r
= tempfn_random(m
->source
, NULL
, &m
->work_dir
);
359 return log_error_errno(r
, "Failed to generate work directory from %s: %m", m
->source
);
365 static int set_sanitized_path(char **b
, const char *path
) {
371 p
= canonicalize_file_name(path
);
376 p
= path_make_absolute_cwd(path
);
382 *b
= path_kill_slashes(p
);
386 static int parse_argv(int argc
, char *argv
[]) {
405 ARG_NETWORK_INTERFACE
,
417 static const struct option options
[] = {
418 { "help", no_argument
, NULL
, 'h' },
419 { "version", no_argument
, NULL
, ARG_VERSION
},
420 { "directory", required_argument
, NULL
, 'D' },
421 { "template", required_argument
, NULL
, ARG_TEMPLATE
},
422 { "ephemeral", no_argument
, NULL
, 'x' },
423 { "user", required_argument
, NULL
, 'u' },
424 { "private-network", no_argument
, NULL
, ARG_PRIVATE_NETWORK
},
425 { "boot", no_argument
, NULL
, 'b' },
426 { "uuid", required_argument
, NULL
, ARG_UUID
},
427 { "read-only", no_argument
, NULL
, ARG_READ_ONLY
},
428 { "capability", required_argument
, NULL
, ARG_CAPABILITY
},
429 { "drop-capability", required_argument
, NULL
, ARG_DROP_CAPABILITY
},
430 { "link-journal", required_argument
, NULL
, ARG_LINK_JOURNAL
},
431 { "bind", required_argument
, NULL
, ARG_BIND
},
432 { "bind-ro", required_argument
, NULL
, ARG_BIND_RO
},
433 { "tmpfs", required_argument
, NULL
, ARG_TMPFS
},
434 { "overlay", required_argument
, NULL
, ARG_OVERLAY
},
435 { "overlay-ro", required_argument
, NULL
, ARG_OVERLAY_RO
},
436 { "machine", required_argument
, NULL
, 'M' },
437 { "slice", required_argument
, NULL
, 'S' },
438 { "setenv", required_argument
, NULL
, ARG_SETENV
},
439 { "selinux-context", required_argument
, NULL
, 'Z' },
440 { "selinux-apifs-context", required_argument
, NULL
, 'L' },
441 { "quiet", no_argument
, NULL
, 'q' },
442 { "share-system", no_argument
, NULL
, ARG_SHARE_SYSTEM
},
443 { "register", required_argument
, NULL
, ARG_REGISTER
},
444 { "keep-unit", no_argument
, NULL
, ARG_KEEP_UNIT
},
445 { "network-interface", required_argument
, NULL
, ARG_NETWORK_INTERFACE
},
446 { "network-macvlan", required_argument
, NULL
, ARG_NETWORK_MACVLAN
},
447 { "network-ipvlan", required_argument
, NULL
, ARG_NETWORK_IPVLAN
},
448 { "network-veth", no_argument
, NULL
, 'n' },
449 { "network-bridge", required_argument
, NULL
, ARG_NETWORK_BRIDGE
},
450 { "personality", required_argument
, NULL
, ARG_PERSONALITY
},
451 { "image", required_argument
, NULL
, 'i' },
452 { "volatile", optional_argument
, NULL
, ARG_VOLATILE
},
453 { "port", required_argument
, NULL
, 'p' },
454 { "property", required_argument
, NULL
, ARG_PROPERTY
},
455 { "private-users", optional_argument
, NULL
, ARG_PRIVATE_USERS
},
456 { "kill-signal", required_argument
, NULL
, ARG_KILL_SIGNAL
},
461 uint64_t plus
= 0, minus
= 0;
466 while ((c
= getopt_long(argc
, argv
, "+hD:u:bL:M:jS:Z:qi:xp:n", options
, NULL
)) >= 0)
475 puts(PACKAGE_STRING
);
476 puts(SYSTEMD_FEATURES
);
480 r
= set_sanitized_path(&arg_directory
, optarg
);
482 return log_error_errno(r
, "Invalid root directory: %m");
487 r
= set_sanitized_path(&arg_template
, optarg
);
489 return log_error_errno(r
, "Invalid template directory: %m");
494 r
= set_sanitized_path(&arg_image
, optarg
);
496 return log_error_errno(r
, "Invalid image path: %m");
501 arg_ephemeral
= true;
505 r
= free_and_strdup(&arg_user
, optarg
);
511 case ARG_NETWORK_BRIDGE
:
512 arg_network_bridge
= optarg
;
517 arg_network_veth
= true;
518 arg_private_network
= true;
521 case ARG_NETWORK_INTERFACE
:
522 if (strv_extend(&arg_network_interfaces
, optarg
) < 0)
525 arg_private_network
= true;
528 case ARG_NETWORK_MACVLAN
:
529 if (strv_extend(&arg_network_macvlan
, optarg
) < 0)
532 arg_private_network
= true;
535 case ARG_NETWORK_IPVLAN
:
536 if (strv_extend(&arg_network_ipvlan
, optarg
) < 0)
541 case ARG_PRIVATE_NETWORK
:
542 arg_private_network
= true;
550 r
= sd_id128_from_string(optarg
, &arg_uuid
);
552 log_error("Invalid UUID: %s", optarg
);
562 if (isempty(optarg
)) {
563 arg_machine
= mfree(arg_machine
);
565 if (!machine_name_is_valid(optarg
)) {
566 log_error("Invalid machine name: %s", optarg
);
570 r
= free_and_strdup(&arg_machine
, optarg
);
578 arg_selinux_context
= optarg
;
582 arg_selinux_apifs_context
= optarg
;
586 arg_read_only
= true;
590 case ARG_DROP_CAPABILITY
: {
591 const char *state
, *word
;
594 FOREACH_WORD_SEPARATOR(word
, length
, optarg
, ",", state
) {
595 _cleanup_free_
char *t
;
597 t
= strndup(word
, length
);
601 if (streq(t
, "all")) {
602 if (c
== ARG_CAPABILITY
)
603 plus
= (uint64_t) -1;
605 minus
= (uint64_t) -1;
609 cap
= capability_from_name(t
);
611 log_error("Failed to parse capability %s.", t
);
615 if (c
== ARG_CAPABILITY
)
616 plus
|= 1ULL << (uint64_t) cap
;
618 minus
|= 1ULL << (uint64_t) cap
;
626 arg_link_journal
= LINK_GUEST
;
627 arg_link_journal_try
= true;
630 case ARG_LINK_JOURNAL
:
631 if (streq(optarg
, "auto")) {
632 arg_link_journal
= LINK_AUTO
;
633 arg_link_journal_try
= false;
634 } else if (streq(optarg
, "no")) {
635 arg_link_journal
= LINK_NO
;
636 arg_link_journal_try
= false;
637 } else if (streq(optarg
, "guest")) {
638 arg_link_journal
= LINK_GUEST
;
639 arg_link_journal_try
= false;
640 } else if (streq(optarg
, "host")) {
641 arg_link_journal
= LINK_HOST
;
642 arg_link_journal_try
= false;
643 } else if (streq(optarg
, "try-guest")) {
644 arg_link_journal
= LINK_GUEST
;
645 arg_link_journal_try
= true;
646 } else if (streq(optarg
, "try-host")) {
647 arg_link_journal
= LINK_HOST
;
648 arg_link_journal_try
= true;
650 log_error("Failed to parse link journal mode %s", optarg
);
658 const char *current
= optarg
;
659 _cleanup_free_
char *source
= NULL
, *destination
= NULL
;
661 _cleanup_strv_free_
char **strv
= NULL
;
663 r
= extract_many_words(¤t
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
, &source
, &destination
, NULL
);
666 destination
= strdup(source
);
672 log_error("Invalid bind mount specification: %s", optarg
);
676 if (!source
|| !destination
)
679 if (!path_is_absolute(source
) || !path_is_absolute(destination
)) {
680 log_error("Invalid bind mount specification: %s", optarg
);
684 m
= custom_mount_add(CUSTOM_MOUNT_BIND
);
689 m
->destination
= destination
;
690 m
->read_only
= c
== ARG_BIND_RO
;
692 source
= destination
= NULL
;
698 const char *current
= optarg
;
699 _cleanup_free_
char *path
= NULL
, *opts
= NULL
;
702 r
= extract_first_word(¤t
, &path
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
706 log_error("Invalid tmpfs specification: %s", optarg
);
710 opts
= strdup(current
);
712 opts
= strdup("mode=0755");
717 if (!path_is_absolute(path
)) {
718 log_error("Invalid tmpfs specification: %s", optarg
);
722 m
= custom_mount_add(CUSTOM_MOUNT_TMPFS
);
726 m
->destination
= path
;
735 case ARG_OVERLAY_RO
: {
736 _cleanup_free_
char *upper
= NULL
, *destination
= NULL
;
737 _cleanup_strv_free_
char **lower
= NULL
;
742 r
= strv_split_extract(&lower
, optarg
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
746 log_error("Invalid overlay specification: %s", optarg
);
750 STRV_FOREACH(i
, lower
) {
751 if (!path_is_absolute(*i
)) {
752 log_error("Overlay path %s is not absolute.", *i
);
760 log_error("--overlay= needs at least two colon-separated directories specified.");
765 /* If two parameters are specified,
766 * the first one is the lower, the
767 * second one the upper directory. And
768 * we'll also define the destination
769 * mount point the same as the upper. */
773 destination
= strdup(upper
);
778 upper
= lower
[n
- 2];
779 destination
= lower
[n
- 1];
783 m
= custom_mount_add(CUSTOM_MOUNT_OVERLAY
);
787 m
->destination
= destination
;
790 m
->read_only
= c
== ARG_OVERLAY_RO
;
792 upper
= destination
= NULL
;
801 if (!env_assignment_is_valid(optarg
)) {
802 log_error("Environment variable assignment '%s' is not valid.", optarg
);
806 n
= strv_env_set(arg_setenv
, optarg
);
810 strv_free(arg_setenv
);
819 case ARG_SHARE_SYSTEM
:
820 arg_share_system
= true;
824 r
= parse_boolean(optarg
);
826 log_error("Failed to parse --register= argument: %s", optarg
);
834 arg_keep_unit
= true;
837 case ARG_PERSONALITY
:
839 arg_personality
= personality_from_string(optarg
);
840 if (arg_personality
== PERSONALITY_INVALID
) {
841 log_error("Unknown or unsupported personality '%s'.", optarg
);
850 arg_volatile
= VOLATILE_YES
;
852 r
= parse_boolean(optarg
);
854 if (streq(optarg
, "state"))
855 arg_volatile
= VOLATILE_STATE
;
857 log_error("Failed to parse --volatile= argument: %s", optarg
);
861 arg_volatile
= r
? VOLATILE_YES
: VOLATILE_NO
;
867 const char *split
, *e
;
868 uint16_t container_port
, host_port
;
872 if ((e
= startswith(optarg
, "tcp:")))
873 protocol
= IPPROTO_TCP
;
874 else if ((e
= startswith(optarg
, "udp:")))
875 protocol
= IPPROTO_UDP
;
878 protocol
= IPPROTO_TCP
;
881 split
= strchr(e
, ':');
883 char v
[split
- e
+ 1];
885 memcpy(v
, e
, split
- e
);
888 r
= safe_atou16(v
, &host_port
);
889 if (r
< 0 || host_port
<= 0) {
890 log_error("Failed to parse host port: %s", optarg
);
894 r
= safe_atou16(split
+ 1, &container_port
);
896 r
= safe_atou16(e
, &container_port
);
897 host_port
= container_port
;
900 if (r
< 0 || container_port
<= 0) {
901 log_error("Failed to parse host port: %s", optarg
);
905 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
906 if (p
->protocol
== protocol
&& p
->host_port
== host_port
) {
907 log_error("Duplicate port specification: %s", optarg
);
912 p
= new(ExposePort
, 1);
916 p
->protocol
= protocol
;
917 p
->host_port
= host_port
;
918 p
->container_port
= container_port
;
920 LIST_PREPEND(ports
, arg_expose_ports
, p
);
926 if (strv_extend(&arg_property
, optarg
) < 0)
931 case ARG_PRIVATE_USERS
:
933 _cleanup_free_
char *buffer
= NULL
;
934 const char *range
, *shift
;
936 range
= strchr(optarg
, ':');
938 buffer
= strndup(optarg
, range
- optarg
);
944 if (safe_atou32(range
, &arg_uid_range
) < 0 || arg_uid_range
<= 0) {
945 log_error("Failed to parse UID range: %s", range
);
951 if (parse_uid(shift
, &arg_uid_shift
) < 0) {
952 log_error("Failed to parse UID: %s", optarg
);
960 case ARG_KILL_SIGNAL
:
961 arg_kill_signal
= signal_from_string_try_harder(optarg
);
962 if (arg_kill_signal
< 0) {
963 log_error("Cannot parse signal: %s", optarg
);
973 assert_not_reached("Unhandled option");
976 if (arg_share_system
)
977 arg_register
= false;
979 if (arg_boot
&& arg_share_system
) {
980 log_error("--boot and --share-system may not be combined.");
984 if (arg_keep_unit
&& cg_pid_get_owner_uid(0, NULL
) >= 0) {
985 log_error("--keep-unit may not be used when invoked from a user session.");
989 if (arg_directory
&& arg_image
) {
990 log_error("--directory= and --image= may not be combined.");
994 if (arg_template
&& arg_image
) {
995 log_error("--template= and --image= may not be combined.");
999 if (arg_template
&& !(arg_directory
|| arg_machine
)) {
1000 log_error("--template= needs --directory= or --machine=.");
1004 if (arg_ephemeral
&& arg_template
) {
1005 log_error("--ephemeral and --template= may not be combined.");
1009 if (arg_ephemeral
&& arg_image
) {
1010 log_error("--ephemeral and --image= may not be combined.");
1014 if (arg_ephemeral
&& !IN_SET(arg_link_journal
, LINK_NO
, LINK_AUTO
)) {
1015 log_error("--ephemeral and --link-journal= may not be combined.");
1019 if (arg_volatile
!= VOLATILE_NO
&& arg_read_only
) {
1020 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
1024 if (arg_expose_ports
&& !arg_private_network
) {
1025 log_error("Cannot use --port= without private networking.");
1029 if (arg_userns
&& access("/proc/self/uid_map", F_OK
) < 0)
1030 return log_error_errno(EOPNOTSUPP
, "--private-users= is not supported, kernel compiled without user namespace support.");
1032 arg_retain
= (arg_retain
| plus
| (arg_private_network
? 1ULL << CAP_NET_ADMIN
: 0)) & ~minus
;
1034 if (arg_boot
&& arg_kill_signal
<= 0)
1035 arg_kill_signal
= SIGRTMIN
+3;
1040 static int tmpfs_patch_options(const char *options
, char **ret
) {
1043 if (arg_userns
&& arg_uid_shift
!= 0) {
1044 assert(arg_uid_shift
!= UID_INVALID
);
1047 (void) asprintf(&buf
, "%s,uid=" UID_FMT
",gid=" UID_FMT
, options
, arg_uid_shift
, arg_uid_shift
);
1049 (void) asprintf(&buf
, "uid=" UID_FMT
",gid=" UID_FMT
, arg_uid_shift
, arg_uid_shift
);
1057 if (arg_selinux_apifs_context
) {
1061 t
= strjoin(options
, ",context=\"", arg_selinux_apifs_context
, "\"", NULL
);
1063 t
= strjoin("context=\"", arg_selinux_apifs_context
, "\"", NULL
);
1078 static int mount_all(const char *dest
, bool userns
) {
1080 typedef struct MountPoint
{
1084 const char *options
;
1085 unsigned long flags
;
1090 static const MountPoint mount_table
[] = {
1091 { "proc", "/proc", "proc", NULL
, MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, true, true },
1092 { "/proc/sys", "/proc/sys", NULL
, NULL
, MS_BIND
, true, true }, /* Bind mount first */
1093 { NULL
, "/proc/sys", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_REMOUNT
, true, true }, /* Then, make it r/o */
1094 { "sysfs", "/sys", "sysfs", NULL
, MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, true, false },
1095 { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
, true, false },
1096 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID
|MS_STRICTATIME
, true, false },
1097 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
, true, false },
1098 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID
|MS_NODEV
|MS_STRICTATIME
, true, false },
1099 { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME
, true, false },
1101 { "/sys/fs/selinux", "/sys/fs/selinux", NULL
, NULL
, MS_BIND
, false, false }, /* Bind mount first */
1102 { NULL
, "/sys/fs/selinux", NULL
, NULL
, MS_BIND
|MS_RDONLY
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_REMOUNT
, false, false }, /* Then, make it r/o */
1109 for (k
= 0; k
< ELEMENTSOF(mount_table
); k
++) {
1110 _cleanup_free_
char *where
= NULL
, *options
= NULL
;
1113 if (userns
!= mount_table
[k
].userns
)
1116 where
= prefix_root(dest
, mount_table
[k
].where
);
1120 r
= path_is_mount_point(where
, AT_SYMLINK_FOLLOW
);
1121 if (r
< 0 && r
!= -ENOENT
)
1122 return log_error_errno(r
, "Failed to detect whether %s is a mount point: %m", where
);
1124 /* Skip this entry if it is not a remount. */
1125 if (mount_table
[k
].what
&& r
> 0)
1128 r
= mkdir_p(where
, 0755);
1130 if (mount_table
[k
].fatal
)
1131 return log_error_errno(r
, "Failed to create directory %s: %m", where
);
1133 log_warning_errno(r
, "Failed to create directory %s: %m", where
);
1137 o
= mount_table
[k
].options
;
1138 if (streq_ptr(mount_table
[k
].type
, "tmpfs")) {
1139 r
= tmpfs_patch_options(o
, &options
);
1146 if (mount(mount_table
[k
].what
,
1148 mount_table
[k
].type
,
1149 mount_table
[k
].flags
,
1152 if (mount_table
[k
].fatal
)
1153 return log_error_errno(errno
, "mount(%s) failed: %m", where
);
1155 log_warning_errno(errno
, "mount(%s) failed, ignoring: %m", where
);
1162 static int mount_bind(const char *dest
, CustomMount
*m
) {
1163 struct stat source_st
, dest_st
;
1169 if (stat(m
->source
, &source_st
) < 0)
1170 return log_error_errno(errno
, "Failed to stat %s: %m", m
->source
);
1172 where
= prefix_roota(dest
, m
->destination
);
1174 if (stat(where
, &dest_st
) >= 0) {
1175 if (S_ISDIR(source_st
.st_mode
) && !S_ISDIR(dest_st
.st_mode
)) {
1176 log_error("Cannot bind mount directory %s on file %s.", m
->source
, where
);
1180 if (!S_ISDIR(source_st
.st_mode
) && S_ISDIR(dest_st
.st_mode
)) {
1181 log_error("Cannot bind mount file %s on directory %s.", m
->source
, where
);
1185 } else if (errno
== ENOENT
) {
1186 r
= mkdir_parents_label(where
, 0755);
1188 return log_error_errno(r
, "Failed to make parents of %s: %m", where
);
1190 log_error_errno(errno
, "Failed to stat %s: %m", where
);
1194 /* Create the mount point. Any non-directory file can be
1195 * mounted on any non-directory file (regular, fifo, socket,
1198 if (S_ISDIR(source_st
.st_mode
))
1199 r
= mkdir_label(where
, 0755);
1202 if (r
< 0 && r
!= -EEXIST
)
1203 return log_error_errno(r
, "Failed to create mount point %s: %m", where
);
1205 if (mount(m
->source
, where
, NULL
, MS_BIND
, NULL
) < 0)
1206 return log_error_errno(errno
, "mount(%s) failed: %m", where
);
1209 r
= bind_remount_recursive(where
, true);
1211 return log_error_errno(r
, "Read-only bind mount failed: %m");
1217 static int mount_tmpfs(const char *dest
, CustomMount
*m
) {
1218 const char *where
, *options
;
1219 _cleanup_free_
char *buf
= NULL
;
1225 where
= prefix_roota(dest
, m
->destination
);
1227 r
= mkdir_p_label(where
, 0755);
1228 if (r
< 0 && r
!= -EEXIST
)
1229 return log_error_errno(r
, "Creating mount point for tmpfs %s failed: %m", where
);
1231 r
= tmpfs_patch_options(m
->options
, &buf
);
1234 options
= r
> 0 ? buf
: m
->options
;
1236 if (mount("tmpfs", where
, "tmpfs", MS_NODEV
|MS_STRICTATIME
, options
) < 0)
1237 return log_error_errno(errno
, "tmpfs mount to %s failed: %m", where
);
1242 static char *joined_and_escaped_lower_dirs(char * const *lower
) {
1243 _cleanup_strv_free_
char **sv
= NULL
;
1245 sv
= strv_copy(lower
);
1251 if (!strv_shell_escape(sv
, ",:"))
1254 return strv_join(sv
, ":");
1257 static int mount_overlay(const char *dest
, CustomMount
*m
) {
1258 _cleanup_free_
char *lower
= NULL
;
1259 const char *where
, *options
;
1265 where
= prefix_roota(dest
, m
->destination
);
1267 r
= mkdir_label(where
, 0755);
1268 if (r
< 0 && r
!= -EEXIST
)
1269 return log_error_errno(r
, "Creating mount point for overlay %s failed: %m", where
);
1271 (void) mkdir_p_label(m
->source
, 0755);
1273 lower
= joined_and_escaped_lower_dirs(m
->lower
);
1278 _cleanup_free_
char *escaped_source
= NULL
;
1280 escaped_source
= shell_escape(m
->source
, ",:");
1281 if (!escaped_source
)
1284 options
= strjoina("lowerdir=", escaped_source
, ":", lower
);
1286 _cleanup_free_
char *escaped_source
= NULL
, *escaped_work_dir
= NULL
;
1288 assert(m
->work_dir
);
1289 (void) mkdir_label(m
->work_dir
, 0700);
1291 escaped_source
= shell_escape(m
->source
, ",:");
1292 if (!escaped_source
)
1294 escaped_work_dir
= shell_escape(m
->work_dir
, ",:");
1295 if (!escaped_work_dir
)
1298 options
= strjoina("lowerdir=", lower
, ",upperdir=", escaped_source
, ",workdir=", escaped_work_dir
);
1301 if (mount("overlay", where
, "overlay", m
->read_only
? MS_RDONLY
: 0, options
) < 0)
1302 return log_error_errno(errno
, "overlay mount to %s failed: %m", where
);
1307 static int mount_custom(const char *dest
) {
1313 for (i
= 0; i
< arg_n_custom_mounts
; i
++) {
1314 CustomMount
*m
= &arg_custom_mounts
[i
];
1318 case CUSTOM_MOUNT_BIND
:
1319 r
= mount_bind(dest
, m
);
1322 case CUSTOM_MOUNT_TMPFS
:
1323 r
= mount_tmpfs(dest
, m
);
1326 case CUSTOM_MOUNT_OVERLAY
:
1327 r
= mount_overlay(dest
, m
);
1331 assert_not_reached("Unknown custom mount type");
1341 static int mount_cgroup_hierarchy(const char *dest
, const char *controller
, const char *hierarchy
, bool read_only
) {
1345 to
= strjoina(dest
, "/sys/fs/cgroup/", hierarchy
);
1347 r
= path_is_mount_point(to
, 0);
1348 if (r
< 0 && r
!= -ENOENT
)
1349 return log_error_errno(r
, "Failed to determine if %s is mounted already: %m", to
);
1355 /* The superblock mount options of the mount point need to be
1356 * identical to the hosts', and hence writable... */
1357 if (mount("cgroup", to
, "cgroup", MS_NOSUID
|MS_NOEXEC
|MS_NODEV
, controller
) < 0)
1358 return log_error_errno(errno
, "Failed to mount to %s: %m", to
);
1360 /* ... hence let's only make the bind mount read-only, not the
1363 if (mount(NULL
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_RDONLY
, NULL
) < 0)
1364 return log_error_errno(errno
, "Failed to remount %s read-only: %m", to
);
1369 static int mount_cgroup(const char *dest
) {
1370 _cleanup_set_free_free_ Set
*controllers
= NULL
;
1371 const char *cgroup_root
;
1374 controllers
= set_new(&string_hash_ops
);
1378 r
= cg_kernel_controllers(controllers
);
1380 return log_error_errno(r
, "Failed to determine cgroup controllers: %m");
1383 _cleanup_free_
char *controller
= NULL
, *origin
= NULL
, *combined
= NULL
;
1385 controller
= set_steal_first(controllers
);
1389 origin
= prefix_root("/sys/fs/cgroup/", controller
);
1393 r
= readlink_malloc(origin
, &combined
);
1395 /* Not a symbolic link, but directly a single cgroup hierarchy */
1397 r
= mount_cgroup_hierarchy(dest
, controller
, controller
, true);
1402 return log_error_errno(r
, "Failed to read link %s: %m", origin
);
1404 _cleanup_free_
char *target
= NULL
;
1406 target
= prefix_root(dest
, origin
);
1410 /* A symbolic link, a combination of controllers in one hierarchy */
1412 if (!filename_is_valid(combined
)) {
1413 log_warning("Ignoring invalid combined hierarchy %s.", combined
);
1417 r
= mount_cgroup_hierarchy(dest
, combined
, combined
, true);
1421 r
= symlink_idempotent(combined
, target
);
1423 log_error("Invalid existing symlink for combined hierarchy");
1427 return log_error_errno(r
, "Failed to create symlink for combined hierarchy: %m");
1431 r
= mount_cgroup_hierarchy(dest
, "name=systemd,xattr", "systemd", false);
1435 cgroup_root
= prefix_roota(dest
, "/sys/fs/cgroup");
1436 if (mount(NULL
, cgroup_root
, NULL
, MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_STRICTATIME
|MS_RDONLY
, "mode=755") < 0)
1437 return log_error_errno(errno
, "Failed to remount %s read-only: %m", cgroup_root
);
1442 static int mount_systemd_cgroup_writable(const char *dest
) {
1443 _cleanup_free_
char *own_cgroup_path
= NULL
;
1444 const char *systemd_root
, *systemd_own
;
1449 r
= cg_pid_get_path(NULL
, 0, &own_cgroup_path
);
1451 return log_error_errno(r
, "Failed to determine our own cgroup path: %m");
1453 /* Make our own cgroup a (writable) bind mount */
1454 systemd_own
= strjoina(dest
, "/sys/fs/cgroup/systemd", own_cgroup_path
);
1455 if (mount(systemd_own
, systemd_own
, NULL
, MS_BIND
, NULL
) < 0)
1456 return log_error_errno(errno
, "Failed to turn %s into a bind mount: %m", own_cgroup_path
);
1458 /* And then remount the systemd cgroup root read-only */
1459 systemd_root
= prefix_roota(dest
, "/sys/fs/cgroup/systemd");
1460 if (mount(NULL
, systemd_root
, NULL
, MS_BIND
|MS_REMOUNT
|MS_NOSUID
|MS_NOEXEC
|MS_NODEV
|MS_RDONLY
, NULL
) < 0)
1461 return log_error_errno(errno
, "Failed to mount cgroup root read-only: %m");
1466 static int userns_lchown(const char *p
, uid_t uid
, gid_t gid
) {
1472 if (uid
== UID_INVALID
&& gid
== GID_INVALID
)
1475 if (uid
!= UID_INVALID
) {
1476 uid
+= arg_uid_shift
;
1478 if (uid
< arg_uid_shift
|| uid
>= arg_uid_shift
+ arg_uid_range
)
1482 if (gid
!= GID_INVALID
) {
1483 gid
+= (gid_t
) arg_uid_shift
;
1485 if (gid
< (gid_t
) arg_uid_shift
|| gid
>= (gid_t
) (arg_uid_shift
+ arg_uid_range
))
1489 if (lchown(p
, uid
, gid
) < 0)
1495 static int userns_mkdir(const char *root
, const char *path
, mode_t mode
, uid_t uid
, gid_t gid
) {
1498 q
= prefix_roota(root
, path
);
1499 if (mkdir(q
, mode
) < 0) {
1500 if (errno
== EEXIST
)
1505 return userns_lchown(q
, uid
, gid
);
1508 static int setup_timezone(const char *dest
) {
1509 _cleanup_free_
char *p
= NULL
, *q
= NULL
;
1510 const char *where
, *check
, *what
;
1516 /* Fix the timezone, if possible */
1517 r
= readlink_malloc("/etc/localtime", &p
);
1519 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
1523 z
= path_startswith(p
, "../usr/share/zoneinfo/");
1525 z
= path_startswith(p
, "/usr/share/zoneinfo/");
1527 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1531 where
= prefix_roota(dest
, "/etc/localtime");
1532 r
= readlink_malloc(where
, &q
);
1534 y
= path_startswith(q
, "../usr/share/zoneinfo/");
1536 y
= path_startswith(q
, "/usr/share/zoneinfo/");
1538 /* Already pointing to the right place? Then do nothing .. */
1539 if (y
&& streq(y
, z
))
1543 check
= strjoina("/usr/share/zoneinfo/", z
);
1544 check
= prefix_root(dest
, check
);
1545 if (laccess(check
, F_OK
) < 0) {
1546 log_warning("Timezone %s does not exist in container, not updating container timezone.", z
);
1551 if (r
< 0 && errno
!= ENOENT
) {
1552 log_error_errno(errno
, "Failed to remove existing timezone info %s in container: %m", where
);
1556 what
= strjoina("../usr/share/zoneinfo/", z
);
1557 if (symlink(what
, where
) < 0) {
1558 log_error_errno(errno
, "Failed to correct timezone of container: %m");
1562 r
= userns_lchown(where
, 0, 0);
1564 return log_warning_errno(r
, "Failed to chown /etc/localtime: %m");
1569 static int setup_resolv_conf(const char *dest
) {
1570 const char *where
= NULL
;
1575 if (arg_private_network
)
1578 /* Fix resolv.conf, if possible */
1579 where
= prefix_roota(dest
, "/etc/resolv.conf");
1581 r
= copy_file("/etc/resolv.conf", where
, O_TRUNC
|O_NOFOLLOW
, 0644, 0);
1583 /* If the file already exists as symlink, let's
1584 * suppress the warning, under the assumption that
1585 * resolved or something similar runs inside and the
1586 * symlink points there.
1588 * If the disk image is read-only, there's also no
1589 * point in complaining.
1591 log_full_errno(IN_SET(r
, -ELOOP
, -EROFS
) ? LOG_DEBUG
: LOG_WARNING
, r
,
1592 "Failed to copy /etc/resolv.conf to %s: %m", where
);
1596 r
= userns_lchown(where
, 0, 0);
1598 log_warning_errno(r
, "Failed to chown /etc/resolv.conf: %m");
1603 static int setup_volatile_state(const char *directory
) {
1604 _cleanup_free_
char *buf
= NULL
;
1605 const char *p
, *options
;
1610 if (arg_volatile
!= VOLATILE_STATE
)
1613 /* --volatile=state means we simply overmount /var
1614 with a tmpfs, and the rest read-only. */
1616 r
= bind_remount_recursive(directory
, true);
1618 return log_error_errno(r
, "Failed to remount %s read-only: %m", directory
);
1620 p
= prefix_roota(directory
, "/var");
1622 if (r
< 0 && errno
!= EEXIST
)
1623 return log_error_errno(errno
, "Failed to create %s: %m", directory
);
1625 options
= "mode=755";
1626 r
= tmpfs_patch_options(options
, &buf
);
1632 if (mount("tmpfs", p
, "tmpfs", MS_STRICTATIME
, options
) < 0)
1633 return log_error_errno(errno
, "Failed to mount tmpfs to /var: %m");
1638 static int setup_volatile(const char *directory
) {
1639 bool tmpfs_mounted
= false, bind_mounted
= false;
1640 char template[] = "/tmp/nspawn-volatile-XXXXXX";
1641 _cleanup_free_
char *buf
= NULL
;
1642 const char *f
, *t
, *options
;
1647 if (arg_volatile
!= VOLATILE_YES
)
1650 /* --volatile=yes means we mount a tmpfs to the root dir, and
1651 the original /usr to use inside it, and that read-only. */
1653 if (!mkdtemp(template))
1654 return log_error_errno(errno
, "Failed to create temporary directory: %m");
1656 options
= "mode=755";
1657 r
= tmpfs_patch_options(options
, &buf
);
1663 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME
, options
) < 0) {
1664 r
= log_error_errno(errno
, "Failed to mount tmpfs for root directory: %m");
1668 tmpfs_mounted
= true;
1670 f
= prefix_roota(directory
, "/usr");
1671 t
= prefix_roota(template, "/usr");
1674 if (r
< 0 && errno
!= EEXIST
) {
1675 r
= log_error_errno(errno
, "Failed to create %s: %m", t
);
1679 if (mount(f
, t
, NULL
, MS_BIND
|MS_REC
, NULL
) < 0) {
1680 r
= log_error_errno(errno
, "Failed to create /usr bind mount: %m");
1684 bind_mounted
= true;
1686 r
= bind_remount_recursive(t
, true);
1688 log_error_errno(r
, "Failed to remount %s read-only: %m", t
);
1692 if (mount(template, directory
, NULL
, MS_MOVE
, NULL
) < 0) {
1693 r
= log_error_errno(errno
, "Failed to move root mount: %m");
1697 (void) rmdir(template);
1706 (void) umount(template);
1707 (void) rmdir(template);
1711 static char* id128_format_as_uuid(sd_id128_t id
, char s
[37]) {
1715 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1716 SD_ID128_FORMAT_VAL(id
));
1721 static int setup_boot_id(const char *dest
) {
1722 const char *from
, *to
;
1723 sd_id128_t rnd
= {};
1727 if (arg_share_system
)
1730 /* Generate a new randomized boot ID, so that each boot-up of
1731 * the container gets a new one */
1733 from
= prefix_roota(dest
, "/run/proc-sys-kernel-random-boot-id");
1734 to
= prefix_roota(dest
, "/proc/sys/kernel/random/boot_id");
1736 r
= sd_id128_randomize(&rnd
);
1738 return log_error_errno(r
, "Failed to generate random boot id: %m");
1740 id128_format_as_uuid(rnd
, as_uuid
);
1742 r
= write_string_file(from
, as_uuid
, WRITE_STRING_FILE_CREATE
);
1744 return log_error_errno(r
, "Failed to write boot id: %m");
1746 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1747 r
= log_error_errno(errno
, "Failed to bind mount boot id: %m");
1748 else if (mount(NULL
, to
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
|MS_NOSUID
|MS_NODEV
, NULL
) < 0)
1749 log_warning_errno(errno
, "Failed to make boot id read-only: %m");
1755 static int copy_devnodes(const char *dest
) {
1757 static const char devnodes
[] =
1768 _cleanup_umask_ mode_t u
;
1774 /* Create /dev/net, so that we can create /dev/net/tun in it */
1775 if (userns_mkdir(dest
, "/dev/net", 0755, 0, 0) < 0)
1776 return log_error_errno(r
, "Failed to create /dev/net directory: %m");
1778 NULSTR_FOREACH(d
, devnodes
) {
1779 _cleanup_free_
char *from
= NULL
, *to
= NULL
;
1782 from
= strappend("/dev/", d
);
1783 to
= prefix_root(dest
, from
);
1785 if (stat(from
, &st
) < 0) {
1787 if (errno
!= ENOENT
)
1788 return log_error_errno(errno
, "Failed to stat %s: %m", from
);
1790 } else if (!S_ISCHR(st
.st_mode
) && !S_ISBLK(st
.st_mode
)) {
1792 log_error("%s is not a char or block device, cannot copy.", from
);
1796 if (mknod(to
, st
.st_mode
, st
.st_rdev
) < 0) {
1798 return log_error_errno(errno
, "mknod(%s) failed: %m", to
);
1800 /* Some systems abusively restrict mknod but
1801 * allow bind mounts. */
1804 return log_error_errno(r
, "touch (%s) failed: %m", to
);
1805 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1806 return log_error_errno(errno
, "Both mknod and bind mount (%s) failed: %m", to
);
1809 r
= userns_lchown(to
, 0, 0);
1811 return log_error_errno(r
, "chown() of device node %s failed: %m", to
);
1818 static int setup_pts(const char *dest
) {
1819 _cleanup_free_
char *options
= NULL
;
1823 if (arg_selinux_apifs_context
)
1824 (void) asprintf(&options
,
1825 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
",context=\"%s\"",
1826 arg_uid_shift
+ TTY_GID
,
1827 arg_selinux_apifs_context
);
1830 (void) asprintf(&options
,
1831 "newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT
,
1832 arg_uid_shift
+ TTY_GID
);
1837 /* Mount /dev/pts itself */
1838 p
= prefix_roota(dest
, "/dev/pts");
1839 if (mkdir(p
, 0755) < 0)
1840 return log_error_errno(errno
, "Failed to create /dev/pts: %m");
1841 if (mount("devpts", p
, "devpts", MS_NOSUID
|MS_NOEXEC
, options
) < 0)
1842 return log_error_errno(errno
, "Failed to mount /dev/pts: %m");
1843 if (userns_lchown(p
, 0, 0) < 0)
1844 return log_error_errno(errno
, "Failed to chown /dev/pts: %m");
1846 /* Create /dev/ptmx symlink */
1847 p
= prefix_roota(dest
, "/dev/ptmx");
1848 if (symlink("pts/ptmx", p
) < 0)
1849 return log_error_errno(errno
, "Failed to create /dev/ptmx symlink: %m");
1850 if (userns_lchown(p
, 0, 0) < 0)
1851 return log_error_errno(errno
, "Failed to chown /dev/ptmx: %m");
1853 /* And fix /dev/pts/ptmx ownership */
1854 p
= prefix_roota(dest
, "/dev/pts/ptmx");
1855 if (userns_lchown(p
, 0, 0) < 0)
1856 return log_error_errno(errno
, "Failed to chown /dev/pts/ptmx: %m");
1861 static int setup_dev_console(const char *dest
, const char *console
) {
1862 _cleanup_umask_ mode_t u
;
1871 r
= chmod_and_chown(console
, 0600, arg_uid_shift
, arg_uid_shift
);
1873 return log_error_errno(r
, "Failed to correct access mode for TTY: %m");
1875 /* We need to bind mount the right tty to /dev/console since
1876 * ptys can only exist on pts file systems. To have something
1877 * to bind mount things on we create a empty regular file. */
1879 to
= prefix_roota(dest
, "/dev/console");
1882 return log_error_errno(r
, "touch() for /dev/console failed: %m");
1884 if (mount(console
, to
, NULL
, MS_BIND
, NULL
) < 0)
1885 return log_error_errno(errno
, "Bind mount for /dev/console failed: %m");
1890 static int setup_kmsg(const char *dest
, int kmsg_socket
) {
1891 const char *from
, *to
;
1892 _cleanup_umask_ mode_t u
;
1895 struct cmsghdr cmsghdr
;
1896 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1898 struct msghdr mh
= {
1899 .msg_control
= &control
,
1900 .msg_controllen
= sizeof(control
),
1902 struct cmsghdr
*cmsg
;
1904 assert(kmsg_socket
>= 0);
1908 /* We create the kmsg FIFO as /run/kmsg, but immediately
1909 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1910 * on the reading side behave very similar to /proc/kmsg,
1911 * their writing side behaves differently from /dev/kmsg in
1912 * that writing blocks when nothing is reading. In order to
1913 * avoid any problems with containers deadlocking due to this
1914 * we simply make /dev/kmsg unavailable to the container. */
1915 from
= prefix_roota(dest
, "/run/kmsg");
1916 to
= prefix_roota(dest
, "/proc/kmsg");
1918 if (mkfifo(from
, 0600) < 0)
1919 return log_error_errno(errno
, "mkfifo() for /run/kmsg failed: %m");
1920 if (mount(from
, to
, NULL
, MS_BIND
, NULL
) < 0)
1921 return log_error_errno(errno
, "Bind mount for /proc/kmsg failed: %m");
1923 fd
= open(from
, O_RDWR
|O_NDELAY
|O_CLOEXEC
);
1925 return log_error_errno(errno
, "Failed to open fifo: %m");
1927 cmsg
= CMSG_FIRSTHDR(&mh
);
1928 cmsg
->cmsg_level
= SOL_SOCKET
;
1929 cmsg
->cmsg_type
= SCM_RIGHTS
;
1930 cmsg
->cmsg_len
= CMSG_LEN(sizeof(int));
1931 memcpy(CMSG_DATA(cmsg
), &fd
, sizeof(int));
1933 mh
.msg_controllen
= cmsg
->cmsg_len
;
1935 /* Store away the fd in the socket, so that it stays open as
1936 * long as we run the child */
1937 k
= sendmsg(kmsg_socket
, &mh
, MSG_NOSIGNAL
);
1941 return log_error_errno(errno
, "Failed to send FIFO fd: %m");
1943 /* And now make the FIFO unavailable as /run/kmsg... */
1944 (void) unlink(from
);
1949 static int send_rtnl(int send_fd
) {
1951 struct cmsghdr cmsghdr
;
1952 uint8_t buf
[CMSG_SPACE(sizeof(int))];
1954 struct msghdr mh
= {
1955 .msg_control
= &control
,
1956 .msg_controllen
= sizeof(control
),
1958 struct cmsghdr
*cmsg
;
1959 _cleanup_close_
int fd
= -1;
1962 assert(send_fd
>= 0);
1964 if (!arg_expose_ports
)
1967 fd
= socket(PF_NETLINK
, SOCK_RAW
|SOCK_CLOEXEC
|SOCK_NONBLOCK
, NETLINK_ROUTE
);
1969 return log_error_errno(errno
, "Failed to allocate container netlink: %m");
1971 cmsg
= CMSG_FIRSTHDR(&mh
);
1972 cmsg
->cmsg_level
= SOL_SOCKET
;
1973 cmsg
->cmsg_type
= SCM_RIGHTS
;
1974 cmsg
->cmsg_len
= CMSG_LEN(sizeof(int));
1975 memcpy(CMSG_DATA(cmsg
), &fd
, sizeof(int));
1977 mh
.msg_controllen
= cmsg
->cmsg_len
;
1979 /* Store away the fd in the socket, so that it stays open as
1980 * long as we run the child */
1981 k
= sendmsg(send_fd
, &mh
, MSG_NOSIGNAL
);
1983 return log_error_errno(errno
, "Failed to send netlink fd: %m");
1988 static int flush_ports(union in_addr_union
*exposed
) {
1990 int r
, af
= AF_INET
;
1994 if (!arg_expose_ports
)
1997 if (in_addr_is_null(af
, exposed
))
2000 log_debug("Lost IP address.");
2002 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
2003 r
= fw_add_local_dnat(false,
2014 log_warning_errno(r
, "Failed to modify firewall: %m");
2017 *exposed
= IN_ADDR_NULL
;
2021 static int expose_ports(sd_netlink
*rtnl
, union in_addr_union
*exposed
) {
2022 _cleanup_free_
struct local_address
*addresses
= NULL
;
2023 _cleanup_free_
char *pretty
= NULL
;
2024 union in_addr_union new_exposed
;
2027 int af
= AF_INET
, r
;
2031 /* Invoked each time an address is added or removed inside the
2034 if (!arg_expose_ports
)
2037 r
= local_addresses(rtnl
, 0, af
, &addresses
);
2039 return log_error_errno(r
, "Failed to enumerate local addresses: %m");
2042 addresses
[0].family
== af
&&
2043 addresses
[0].scope
< RT_SCOPE_LINK
;
2046 return flush_ports(exposed
);
2048 new_exposed
= addresses
[0].address
;
2049 if (in_addr_equal(af
, exposed
, &new_exposed
))
2052 in_addr_to_string(af
, &new_exposed
, &pretty
);
2053 log_debug("New container IP is %s.", strna(pretty
));
2055 LIST_FOREACH(ports
, p
, arg_expose_ports
) {
2057 r
= fw_add_local_dnat(true,
2066 in_addr_is_null(af
, exposed
) ? NULL
: exposed
);
2068 log_warning_errno(r
, "Failed to modify firewall: %m");
2071 *exposed
= new_exposed
;
2075 static int on_address_change(sd_netlink
*rtnl
, sd_netlink_message
*m
, void *userdata
) {
2076 union in_addr_union
*exposed
= userdata
;
2082 expose_ports(rtnl
, exposed
);
2086 static int watch_rtnl(sd_event
*event
, int recv_fd
, union in_addr_union
*exposed
, sd_netlink
**ret
) {
2088 struct cmsghdr cmsghdr
;
2089 uint8_t buf
[CMSG_SPACE(sizeof(int))];
2091 struct msghdr mh
= {
2092 .msg_control
= &control
,
2093 .msg_controllen
= sizeof(control
),
2095 struct cmsghdr
*cmsg
;
2096 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
2101 assert(recv_fd
>= 0);
2104 if (!arg_expose_ports
)
2107 k
= recvmsg(recv_fd
, &mh
, MSG_NOSIGNAL
);
2109 return log_error_errno(errno
, "Failed to recv netlink fd: %m");
2111 cmsg
= CMSG_FIRSTHDR(&mh
);
2112 assert(cmsg
->cmsg_level
== SOL_SOCKET
);
2113 assert(cmsg
->cmsg_type
== SCM_RIGHTS
);
2114 assert(cmsg
->cmsg_len
== CMSG_LEN(sizeof(int)));
2115 memcpy(&fd
, CMSG_DATA(cmsg
), sizeof(int));
2117 r
= sd_netlink_open_fd(&rtnl
, fd
);
2120 return log_error_errno(r
, "Failed to create rtnl object: %m");
2123 r
= sd_netlink_add_match(rtnl
, RTM_NEWADDR
, on_address_change
, exposed
);
2125 return log_error_errno(r
, "Failed to subscribe to RTM_NEWADDR messages: %m");
2127 r
= sd_netlink_add_match(rtnl
, RTM_DELADDR
, on_address_change
, exposed
);
2129 return log_error_errno(r
, "Failed to subscribe to RTM_DELADDR messages: %m");
2131 r
= sd_netlink_attach_event(rtnl
, event
, 0);
2133 return log_error_errno(r
, "Failed to add to even loop: %m");
2141 static int setup_hostname(void) {
2143 if (arg_share_system
)
2146 if (sethostname_idempotent(arg_machine
) < 0)
2152 static int setup_journal(const char *directory
) {
2153 sd_id128_t machine_id
, this_id
;
2154 _cleanup_free_
char *b
= NULL
, *d
= NULL
;
2155 const char *etc_machine_id
, *p
, *q
;
2159 /* Don't link journals in ephemeral mode */
2163 etc_machine_id
= prefix_roota(directory
, "/etc/machine-id");
2165 r
= read_one_line_file(etc_machine_id
, &b
);
2166 if (r
== -ENOENT
&& arg_link_journal
== LINK_AUTO
)
2169 return log_error_errno(r
, "Failed to read machine ID from %s: %m", etc_machine_id
);
2172 if (isempty(id
) && arg_link_journal
== LINK_AUTO
)
2175 /* Verify validity */
2176 r
= sd_id128_from_string(id
, &machine_id
);
2178 return log_error_errno(r
, "Failed to parse machine ID from %s: %m", etc_machine_id
);
2180 r
= sd_id128_get_machine(&this_id
);
2182 return log_error_errno(r
, "Failed to retrieve machine ID: %m");
2184 if (sd_id128_equal(machine_id
, this_id
)) {
2185 log_full(arg_link_journal
== LINK_AUTO
? LOG_WARNING
: LOG_ERR
,
2186 "Host and machine ids are equal (%s): refusing to link journals", id
);
2187 if (arg_link_journal
== LINK_AUTO
)
2192 if (arg_link_journal
== LINK_NO
)
2195 r
= userns_mkdir(directory
, "/var", 0755, 0, 0);
2197 return log_error_errno(r
, "Failed to create /var: %m");
2199 r
= userns_mkdir(directory
, "/var/log", 0755, 0, 0);
2201 return log_error_errno(r
, "Failed to create /var/log: %m");
2203 r
= userns_mkdir(directory
, "/var/log/journal", 0755, 0, 0);
2205 return log_error_errno(r
, "Failed to create /var/log/journal: %m");
2207 p
= strjoina("/var/log/journal/", id
);
2208 q
= prefix_roota(directory
, p
);
2210 if (path_is_mount_point(p
, 0) > 0) {
2211 if (arg_link_journal
!= LINK_AUTO
) {
2212 log_error("%s: already a mount point, refusing to use for journal", p
);
2219 if (path_is_mount_point(q
, 0) > 0) {
2220 if (arg_link_journal
!= LINK_AUTO
) {
2221 log_error("%s: already a mount point, refusing to use for journal", q
);
2228 r
= readlink_and_make_absolute(p
, &d
);
2230 if ((arg_link_journal
== LINK_GUEST
||
2231 arg_link_journal
== LINK_AUTO
) &&
2234 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2236 log_warning_errno(errno
, "Failed to create directory %s: %m", q
);
2241 return log_error_errno(errno
, "Failed to remove symlink %s: %m", p
);
2242 } else if (r
== -EINVAL
) {
2244 if (arg_link_journal
== LINK_GUEST
&&
2247 if (errno
== ENOTDIR
) {
2248 log_error("%s already exists and is neither a symlink nor a directory", p
);
2251 log_error_errno(errno
, "Failed to remove %s: %m", p
);
2255 } else if (r
!= -ENOENT
) {
2256 log_error_errno(errno
, "readlink(%s) failed: %m", p
);
2260 if (arg_link_journal
== LINK_GUEST
) {
2262 if (symlink(q
, p
) < 0) {
2263 if (arg_link_journal_try
) {
2264 log_debug_errno(errno
, "Failed to symlink %s to %s, skipping journal setup: %m", q
, p
);
2267 log_error_errno(errno
, "Failed to symlink %s to %s: %m", q
, p
);
2272 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2274 log_warning_errno(errno
, "Failed to create directory %s: %m", q
);
2278 if (arg_link_journal
== LINK_HOST
) {
2279 /* don't create parents here -- if the host doesn't have
2280 * permanent journal set up, don't force it here */
2283 if (arg_link_journal_try
) {
2284 log_debug_errno(errno
, "Failed to create %s, skipping journal setup: %m", p
);
2287 log_error_errno(errno
, "Failed to create %s: %m", p
);
2292 } else if (access(p
, F_OK
) < 0)
2295 if (dir_is_empty(q
) == 0)
2296 log_warning("%s is not empty, proceeding anyway.", q
);
2298 r
= userns_mkdir(directory
, p
, 0755, 0, 0);
2300 log_error_errno(errno
, "Failed to create %s: %m", q
);
2304 if (mount(p
, q
, NULL
, MS_BIND
, NULL
) < 0)
2305 return log_error_errno(errno
, "Failed to bind mount journal from host into guest: %m");
2310 static int drop_capabilities(void) {
2311 return capability_bounding_set_drop(~arg_retain
, false);
2314 static int register_machine(pid_t pid
, int local_ifindex
) {
2315 _cleanup_bus_error_free_ sd_bus_error error
= SD_BUS_ERROR_NULL
;
2316 _cleanup_bus_flush_close_unref_ sd_bus
*bus
= NULL
;
2322 r
= sd_bus_default_system(&bus
);
2324 return log_error_errno(r
, "Failed to open system bus: %m");
2326 if (arg_keep_unit
) {
2327 r
= sd_bus_call_method(
2329 "org.freedesktop.machine1",
2330 "/org/freedesktop/machine1",
2331 "org.freedesktop.machine1.Manager",
2332 "RegisterMachineWithNetwork",
2337 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid
),
2341 strempty(arg_directory
),
2342 local_ifindex
> 0 ? 1 : 0, local_ifindex
);
2344 _cleanup_bus_message_unref_ sd_bus_message
*m
= NULL
;
2348 r
= sd_bus_message_new_method_call(
2351 "org.freedesktop.machine1",
2352 "/org/freedesktop/machine1",
2353 "org.freedesktop.machine1.Manager",
2354 "CreateMachineWithNetwork");
2356 return bus_log_create_error(r
);
2358 r
= sd_bus_message_append(
2362 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid
),
2366 strempty(arg_directory
),
2367 local_ifindex
> 0 ? 1 : 0, local_ifindex
);
2369 return bus_log_create_error(r
);
2371 r
= sd_bus_message_open_container(m
, 'a', "(sv)");
2373 return bus_log_create_error(r
);
2375 if (!isempty(arg_slice
)) {
2376 r
= sd_bus_message_append(m
, "(sv)", "Slice", "s", arg_slice
);
2378 return bus_log_create_error(r
);
2381 r
= sd_bus_message_append(m
, "(sv)", "DevicePolicy", "s", "strict");
2383 return bus_log_create_error(r
);
2385 /* If you make changes here, also make sure to update
2386 * systemd-nspawn@.service, to keep the device
2387 * policies in sync regardless if we are run with or
2388 * without the --keep-unit switch. */
2389 r
= sd_bus_message_append(m
, "(sv)", "DeviceAllow", "a(ss)", 9,
2390 /* Allow the container to
2391 * access and create the API
2392 * device nodes, so that
2393 * PrivateDevices= in the
2394 * container can work
2399 "/dev/random", "rwm",
2400 "/dev/urandom", "rwm",
2402 "/dev/net/tun", "rwm",
2403 /* Allow the container
2404 * access to ptys. However,
2406 * container to ever create
2407 * these device nodes. */
2408 "/dev/pts/ptmx", "rw",
2411 return bus_log_create_error(r
);
2413 for (j
= 0; j
< arg_n_custom_mounts
; j
++) {
2414 CustomMount
*cm
= &arg_custom_mounts
[j
];
2416 if (cm
->type
!= CUSTOM_MOUNT_BIND
)
2419 r
= is_device_node(cm
->source
);
2421 return log_error_errno(r
, "Failed to stat %s: %m", cm
->source
);
2424 r
= sd_bus_message_append(m
, "(sv)", "DeviceAllow", "a(ss)", 1,
2425 cm
->source
, cm
->read_only
? "r" : "rw");
2427 return log_error_errno(r
, "Failed to append message arguments: %m");
2431 if (arg_kill_signal
!= 0) {
2432 r
= sd_bus_message_append(m
, "(sv)", "KillSignal", "i", arg_kill_signal
);
2434 return bus_log_create_error(r
);
2436 r
= sd_bus_message_append(m
, "(sv)", "KillMode", "s", "mixed");
2438 return bus_log_create_error(r
);
2441 STRV_FOREACH(i
, arg_property
) {
2442 r
= sd_bus_message_open_container(m
, 'r', "sv");
2444 return bus_log_create_error(r
);
2446 r
= bus_append_unit_property_assignment(m
, *i
);
2450 r
= sd_bus_message_close_container(m
);
2452 return bus_log_create_error(r
);
2455 r
= sd_bus_message_close_container(m
);
2457 return bus_log_create_error(r
);
2459 r
= sd_bus_call(bus
, m
, 0, &error
, NULL
);
2463 log_error("Failed to register machine: %s", bus_error_message(&error
, r
));
2470 static int terminate_machine(pid_t pid
) {
2471 _cleanup_bus_error_free_ sd_bus_error error
= SD_BUS_ERROR_NULL
;
2472 _cleanup_bus_message_unref_ sd_bus_message
*reply
= NULL
;
2473 _cleanup_bus_flush_close_unref_ sd_bus
*bus
= NULL
;
2480 /* If we are reusing the unit, then just exit, systemd will do
2481 * the right thing when we exit. */
2485 r
= sd_bus_default_system(&bus
);
2487 return log_error_errno(r
, "Failed to open system bus: %m");
2489 r
= sd_bus_call_method(
2491 "org.freedesktop.machine1",
2492 "/org/freedesktop/machine1",
2493 "org.freedesktop.machine1.Manager",
2500 /* Note that the machine might already have been
2501 * cleaned up automatically, hence don't consider it a
2502 * failure if we cannot get the machine object. */
2503 log_debug("Failed to get machine: %s", bus_error_message(&error
, r
));
2507 r
= sd_bus_message_read(reply
, "o", &path
);
2509 return bus_log_parse_error(r
);
2511 r
= sd_bus_call_method(
2513 "org.freedesktop.machine1",
2515 "org.freedesktop.machine1.Machine",
2521 log_debug("Failed to terminate machine: %s", bus_error_message(&error
, r
));
2528 static int reset_audit_loginuid(void) {
2529 _cleanup_free_
char *p
= NULL
;
2532 if (arg_share_system
)
2535 r
= read_one_line_file("/proc/self/loginuid", &p
);
2539 return log_error_errno(r
, "Failed to read /proc/self/loginuid: %m");
2541 /* Already reset? */
2542 if (streq(p
, "4294967295"))
2545 r
= write_string_file("/proc/self/loginuid", "4294967295", 0);
2548 "Failed to reset audit login UID. This probably means that your kernel is too\n"
2549 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2550 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2551 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2552 "using systemd-nspawn. Sleeping for 5s... (%m)");
2560 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
2561 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
2562 #define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
2564 static int generate_mac(struct ether_addr
*mac
, sd_id128_t hash_key
, uint64_t idx
) {
2570 l
= strlen(arg_machine
);
2571 sz
= sizeof(sd_id128_t
) + l
;
2577 /* fetch some persistent data unique to the host */
2578 r
= sd_id128_get_machine((sd_id128_t
*) v
);
2582 /* combine with some data unique (on this host) to this
2583 * container instance */
2584 i
= mempcpy(v
+ sizeof(sd_id128_t
), arg_machine
, l
);
2587 memcpy(i
, &idx
, sizeof(idx
));
2590 /* Let's hash the host machine ID plus the container name. We
2591 * use a fixed, but originally randomly created hash key here. */
2592 siphash24(result
, v
, sz
, hash_key
.bytes
);
2594 assert_cc(ETH_ALEN
<= sizeof(result
));
2595 memcpy(mac
->ether_addr_octet
, result
, ETH_ALEN
);
2597 /* see eth_random_addr in the kernel */
2598 mac
->ether_addr_octet
[0] &= 0xfe; /* clear multicast bit */
2599 mac
->ether_addr_octet
[0] |= 0x02; /* set local assignment bit (IEEE802) */
2604 static int setup_veth(pid_t pid
, char iface_name
[IFNAMSIZ
], int *ifi
) {
2605 _cleanup_netlink_message_unref_ sd_netlink_message
*m
= NULL
;
2606 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
2607 struct ether_addr mac_host
, mac_container
;
2610 if (!arg_private_network
)
2613 if (!arg_network_veth
)
2616 /* Use two different interface name prefixes depending whether
2617 * we are in bridge mode or not. */
2618 snprintf(iface_name
, IFNAMSIZ
- 1, "%s-%s",
2619 arg_network_bridge
? "vb" : "ve", arg_machine
);
2621 r
= generate_mac(&mac_container
, CONTAINER_HASH_KEY
, 0);
2623 return log_error_errno(r
, "Failed to generate predictable MAC address for container side: %m");
2625 r
= generate_mac(&mac_host
, HOST_HASH_KEY
, 0);
2627 return log_error_errno(r
, "Failed to generate predictable MAC address for host side: %m");
2629 r
= sd_netlink_open(&rtnl
);
2631 return log_error_errno(r
, "Failed to connect to netlink: %m");
2633 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2635 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2637 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, iface_name
);
2639 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2641 r
= sd_netlink_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac_host
);
2643 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2645 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
2647 return log_error_errno(r
, "Failed to open netlink container: %m");
2649 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "veth");
2651 return log_error_errno(r
, "Failed to open netlink container: %m");
2653 r
= sd_netlink_message_open_container(m
, VETH_INFO_PEER
);
2655 return log_error_errno(r
, "Failed to open netlink container: %m");
2657 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, "host0");
2659 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2661 r
= sd_netlink_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac_container
);
2663 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2665 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2667 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2669 r
= sd_netlink_message_close_container(m
);
2671 return log_error_errno(r
, "Failed to close netlink container: %m");
2673 r
= sd_netlink_message_close_container(m
);
2675 return log_error_errno(r
, "Failed to close netlink container: %m");
2677 r
= sd_netlink_message_close_container(m
);
2679 return log_error_errno(r
, "Failed to close netlink container: %m");
2681 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
2683 return log_error_errno(r
, "Failed to add new veth interfaces (host0, %s): %m", iface_name
);
2685 i
= (int) if_nametoindex(iface_name
);
2687 return log_error_errno(errno
, "Failed to resolve interface %s: %m", iface_name
);
2694 static int setup_bridge(const char veth_name
[], int *ifi
) {
2695 _cleanup_netlink_message_unref_ sd_netlink_message
*m
= NULL
;
2696 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
2699 if (!arg_private_network
)
2702 if (!arg_network_veth
)
2705 if (!arg_network_bridge
)
2708 bridge
= (int) if_nametoindex(arg_network_bridge
);
2710 return log_error_errno(errno
, "Failed to resolve interface %s: %m", arg_network_bridge
);
2714 r
= sd_netlink_open(&rtnl
);
2716 return log_error_errno(r
, "Failed to connect to netlink: %m");
2718 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, 0);
2720 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2722 r
= sd_rtnl_message_link_set_flags(m
, IFF_UP
, IFF_UP
);
2724 return log_error_errno(r
, "Failed to set IFF_UP flag: %m");
2726 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, veth_name
);
2728 return log_error_errno(r
, "Failed to add netlink interface name field: %m");
2730 r
= sd_netlink_message_append_u32(m
, IFLA_MASTER
, bridge
);
2732 return log_error_errno(r
, "Failed to add netlink master field: %m");
2734 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
2736 return log_error_errno(r
, "Failed to add veth interface to bridge: %m");
2741 static int parse_interface(struct udev
*udev
, const char *name
) {
2742 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
2743 char ifi_str
[2 + DECIMAL_STR_MAX(int)];
2746 ifi
= (int) if_nametoindex(name
);
2748 return log_error_errno(errno
, "Failed to resolve interface %s: %m", name
);
2750 sprintf(ifi_str
, "n%i", ifi
);
2751 d
= udev_device_new_from_device_id(udev
, ifi_str
);
2753 return log_error_errno(errno
, "Failed to get udev device for interface %s: %m", name
);
2755 if (udev_device_get_is_initialized(d
) <= 0) {
2756 log_error("Network interface %s is not initialized yet.", name
);
2763 static int move_network_interfaces(pid_t pid
) {
2764 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2765 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
2769 if (!arg_private_network
)
2772 if (strv_isempty(arg_network_interfaces
))
2775 r
= sd_netlink_open(&rtnl
);
2777 return log_error_errno(r
, "Failed to connect to netlink: %m");
2781 log_error("Failed to connect to udev.");
2785 STRV_FOREACH(i
, arg_network_interfaces
) {
2786 _cleanup_netlink_message_unref_ sd_netlink_message
*m
= NULL
;
2789 ifi
= parse_interface(udev
, *i
);
2793 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, ifi
);
2795 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2797 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2799 return log_error_errno(r
, "Failed to append namespace PID to netlink message: %m");
2801 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
2803 return log_error_errno(r
, "Failed to move interface %s to namespace: %m", *i
);
2809 static int setup_macvlan(pid_t pid
) {
2810 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2811 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
2816 if (!arg_private_network
)
2819 if (strv_isempty(arg_network_macvlan
))
2822 r
= sd_netlink_open(&rtnl
);
2824 return log_error_errno(r
, "Failed to connect to netlink: %m");
2828 log_error("Failed to connect to udev.");
2832 STRV_FOREACH(i
, arg_network_macvlan
) {
2833 _cleanup_netlink_message_unref_ sd_netlink_message
*m
= NULL
;
2834 _cleanup_free_
char *n
= NULL
;
2835 struct ether_addr mac
;
2838 ifi
= parse_interface(udev
, *i
);
2842 r
= generate_mac(&mac
, MACVLAN_HASH_KEY
, idx
++);
2844 return log_error_errno(r
, "Failed to create MACVLAN MAC address: %m");
2846 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2848 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2850 r
= sd_netlink_message_append_u32(m
, IFLA_LINK
, ifi
);
2852 return log_error_errno(r
, "Failed to add netlink interface index: %m");
2854 n
= strappend("mv-", *i
);
2858 strshorten(n
, IFNAMSIZ
-1);
2860 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, n
);
2862 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2864 r
= sd_netlink_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac
);
2866 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
2868 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2870 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2872 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
2874 return log_error_errno(r
, "Failed to open netlink container: %m");
2876 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "macvlan");
2878 return log_error_errno(r
, "Failed to open netlink container: %m");
2880 r
= sd_netlink_message_append_u32(m
, IFLA_MACVLAN_MODE
, MACVLAN_MODE_BRIDGE
);
2882 return log_error_errno(r
, "Failed to append macvlan mode: %m");
2884 r
= sd_netlink_message_close_container(m
);
2886 return log_error_errno(r
, "Failed to close netlink container: %m");
2888 r
= sd_netlink_message_close_container(m
);
2890 return log_error_errno(r
, "Failed to close netlink container: %m");
2892 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
2894 return log_error_errno(r
, "Failed to add new macvlan interfaces: %m");
2900 static int setup_ipvlan(pid_t pid
) {
2901 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
2902 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
2906 if (!arg_private_network
)
2909 if (strv_isempty(arg_network_ipvlan
))
2912 r
= sd_netlink_open(&rtnl
);
2914 return log_error_errno(r
, "Failed to connect to netlink: %m");
2918 log_error("Failed to connect to udev.");
2922 STRV_FOREACH(i
, arg_network_ipvlan
) {
2923 _cleanup_netlink_message_unref_ sd_netlink_message
*m
= NULL
;
2924 _cleanup_free_
char *n
= NULL
;
2927 ifi
= parse_interface(udev
, *i
);
2931 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
2933 return log_error_errno(r
, "Failed to allocate netlink message: %m");
2935 r
= sd_netlink_message_append_u32(m
, IFLA_LINK
, ifi
);
2937 return log_error_errno(r
, "Failed to add netlink interface index: %m");
2939 n
= strappend("iv-", *i
);
2943 strshorten(n
, IFNAMSIZ
-1);
2945 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, n
);
2947 return log_error_errno(r
, "Failed to add netlink interface name: %m");
2949 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
2951 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
2953 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
2955 return log_error_errno(r
, "Failed to open netlink container: %m");
2957 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "ipvlan");
2959 return log_error_errno(r
, "Failed to open netlink container: %m");
2961 r
= sd_netlink_message_append_u16(m
, IFLA_IPVLAN_MODE
, IPVLAN_MODE_L2
);
2963 return log_error_errno(r
, "Failed to add ipvlan mode: %m");
2965 r
= sd_netlink_message_close_container(m
);
2967 return log_error_errno(r
, "Failed to close netlink container: %m");
2969 r
= sd_netlink_message_close_container(m
);
2971 return log_error_errno(r
, "Failed to close netlink container: %m");
2973 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
2975 return log_error_errno(r
, "Failed to add new ipvlan interfaces: %m");
2981 static int setup_seccomp(void) {
2984 static const struct {
2985 uint64_t capability
;
2988 { CAP_SYS_RAWIO
, SCMP_SYS(iopl
) },
2989 { CAP_SYS_RAWIO
, SCMP_SYS(ioperm
) },
2990 { CAP_SYS_BOOT
, SCMP_SYS(kexec_load
) },
2991 { CAP_SYS_ADMIN
, SCMP_SYS(swapon
) },
2992 { CAP_SYS_ADMIN
, SCMP_SYS(swapoff
) },
2993 { CAP_SYS_ADMIN
, SCMP_SYS(open_by_handle_at
) },
2994 { CAP_SYS_MODULE
, SCMP_SYS(init_module
) },
2995 { CAP_SYS_MODULE
, SCMP_SYS(finit_module
) },
2996 { CAP_SYS_MODULE
, SCMP_SYS(delete_module
) },
2997 { CAP_SYSLOG
, SCMP_SYS(syslog
) },
3000 scmp_filter_ctx seccomp
;
3004 seccomp
= seccomp_init(SCMP_ACT_ALLOW
);
3008 r
= seccomp_add_secondary_archs(seccomp
);
3010 log_error_errno(r
, "Failed to add secondary archs to seccomp filter: %m");
3014 for (i
= 0; i
< ELEMENTSOF(blacklist
); i
++) {
3015 if (arg_retain
& (1ULL << blacklist
[i
].capability
))
3018 r
= seccomp_rule_add(seccomp
, SCMP_ACT_ERRNO(EPERM
), blacklist
[i
].syscall_num
, 0);
3020 continue; /* unknown syscall */
3022 log_error_errno(r
, "Failed to block syscall: %m");
3029 Audit is broken in containers, much of the userspace audit
3030 hookup will fail if running inside a container. We don't
3031 care and just turn off creation of audit sockets.
3033 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
3034 with EAFNOSUPPORT which audit userspace uses as indication
3035 that audit is disabled in the kernel.
3038 r
= seccomp_rule_add(
3040 SCMP_ACT_ERRNO(EAFNOSUPPORT
),
3043 SCMP_A0(SCMP_CMP_EQ
, AF_NETLINK
),
3044 SCMP_A2(SCMP_CMP_EQ
, NETLINK_AUDIT
));
3046 log_error_errno(r
, "Failed to add audit seccomp rule: %m");
3050 r
= seccomp_attr_set(seccomp
, SCMP_FLTATR_CTL_NNP
, 0);
3052 log_error_errno(r
, "Failed to unset NO_NEW_PRIVS: %m");
3056 r
= seccomp_load(seccomp
);
3058 log_debug_errno(r
, "Kernel is probably not configured with CONFIG_SECCOMP. Disabling seccomp audit filter: %m");
3063 log_error_errno(r
, "Failed to install seccomp audit filter: %m");
3068 seccomp_release(seccomp
);
3076 static int setup_propagate(const char *root
) {
3079 (void) mkdir_p("/run/systemd/nspawn/", 0755);
3080 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
3081 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
3082 (void) mkdir_p(p
, 0600);
3084 if (userns_mkdir(root
, "/run/systemd", 0755, 0, 0) < 0)
3085 return log_error_errno(errno
, "Failed to create /run/systemd: %m");
3087 if (userns_mkdir(root
, "/run/systemd/nspawn", 0755, 0, 0) < 0)
3088 return log_error_errno(errno
, "Failed to create /run/systemd/nspawn: %m");
3090 if (userns_mkdir(root
, "/run/systemd/nspawn/incoming", 0600, 0, 0) < 0)
3091 return log_error_errno(errno
, "Failed to create /run/systemd/nspawn/incoming: %m");
3093 q
= prefix_roota(root
, "/run/systemd/nspawn/incoming");
3094 if (mount(p
, q
, NULL
, MS_BIND
, NULL
) < 0)
3095 return log_error_errno(errno
, "Failed to install propagation bind mount.");
3097 if (mount(NULL
, q
, NULL
, MS_BIND
|MS_REMOUNT
|MS_RDONLY
, NULL
) < 0)
3098 return log_error_errno(errno
, "Failed to make propagation mount read-only");
3103 static int setup_image(char **device_path
, int *loop_nr
) {
3104 struct loop_info64 info
= {
3105 .lo_flags
= LO_FLAGS_AUTOCLEAR
|LO_FLAGS_PARTSCAN
3107 _cleanup_close_
int fd
= -1, control
= -1, loop
= -1;
3108 _cleanup_free_
char* loopdev
= NULL
;
3112 assert(device_path
);
3116 fd
= open(arg_image
, O_CLOEXEC
|(arg_read_only
? O_RDONLY
: O_RDWR
)|O_NONBLOCK
|O_NOCTTY
);
3118 return log_error_errno(errno
, "Failed to open %s: %m", arg_image
);
3120 if (fstat(fd
, &st
) < 0)
3121 return log_error_errno(errno
, "Failed to stat %s: %m", arg_image
);
3123 if (S_ISBLK(st
.st_mode
)) {
3126 p
= strdup(arg_image
);
3140 if (!S_ISREG(st
.st_mode
)) {
3141 log_error_errno(errno
, "%s is not a regular file or block device: %m", arg_image
);
3145 control
= open("/dev/loop-control", O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
);
3147 return log_error_errno(errno
, "Failed to open /dev/loop-control: %m");
3149 nr
= ioctl(control
, LOOP_CTL_GET_FREE
);
3151 return log_error_errno(errno
, "Failed to allocate loop device: %m");
3153 if (asprintf(&loopdev
, "/dev/loop%i", nr
) < 0)
3156 loop
= open(loopdev
, O_CLOEXEC
|(arg_read_only
? O_RDONLY
: O_RDWR
)|O_NONBLOCK
|O_NOCTTY
);
3158 return log_error_errno(errno
, "Failed to open loop device %s: %m", loopdev
);
3160 if (ioctl(loop
, LOOP_SET_FD
, fd
) < 0)
3161 return log_error_errno(errno
, "Failed to set loopback file descriptor on %s: %m", loopdev
);
3164 info
.lo_flags
|= LO_FLAGS_READ_ONLY
;
3166 if (ioctl(loop
, LOOP_SET_STATUS64
, &info
) < 0)
3167 return log_error_errno(errno
, "Failed to set loopback settings on %s: %m", loopdev
);
3169 *device_path
= loopdev
;
3180 #define PARTITION_TABLE_BLURB \
3181 "Note that the disk image needs to either contain only a single MBR partition of\n" \
3182 "type 0x83 that is marked bootable, or a single GPT partition of type " \
3183 "0FC63DAF-8483-4772-8E79-3D69D8477DE4 or follow\n" \
3184 " http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n" \
3185 "to be bootable with systemd-nspawn."
3187 static int dissect_image(
3189 char **root_device
, bool *root_device_rw
,
3190 char **home_device
, bool *home_device_rw
,
3191 char **srv_device
, bool *srv_device_rw
,
3195 int home_nr
= -1, srv_nr
= -1;
3196 #ifdef GPT_ROOT_NATIVE
3199 #ifdef GPT_ROOT_SECONDARY
3200 int secondary_root_nr
= -1;
3202 _cleanup_free_
char *home
= NULL
, *root
= NULL
, *secondary_root
= NULL
, *srv
= NULL
, *generic
= NULL
;
3203 _cleanup_udev_enumerate_unref_
struct udev_enumerate
*e
= NULL
;
3204 _cleanup_udev_device_unref_
struct udev_device
*d
= NULL
;
3205 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
3206 _cleanup_udev_unref_
struct udev
*udev
= NULL
;
3207 struct udev_list_entry
*first
, *item
;
3208 bool home_rw
= true, root_rw
= true, secondary_root_rw
= true, srv_rw
= true, generic_rw
= true;
3209 bool is_gpt
, is_mbr
, multiple_generic
= false;
3210 const char *pttype
= NULL
;
3217 assert(root_device
);
3218 assert(home_device
);
3223 b
= blkid_new_probe();
3228 r
= blkid_probe_set_device(b
, fd
, 0, 0);
3233 log_error_errno(errno
, "Failed to set device on blkid probe: %m");
3237 blkid_probe_enable_partitions(b
, 1);
3238 blkid_probe_set_partitions_flags(b
, BLKID_PARTS_ENTRY_DETAILS
);
3241 r
= blkid_do_safeprobe(b
);
3242 if (r
== -2 || r
== 1) {
3243 log_error("Failed to identify any partition table on\n"
3245 PARTITION_TABLE_BLURB
, arg_image
);
3247 } else if (r
!= 0) {
3250 log_error_errno(errno
, "Failed to probe: %m");
3254 (void) blkid_probe_lookup_value(b
, "PTTYPE", &pttype
, NULL
);
3256 is_gpt
= streq_ptr(pttype
, "gpt");
3257 is_mbr
= streq_ptr(pttype
, "dos");
3259 if (!is_gpt
&& !is_mbr
) {
3260 log_error("No GPT or MBR partition table discovered on\n"
3262 PARTITION_TABLE_BLURB
, arg_image
);
3267 pl
= blkid_probe_get_partitions(b
);
3272 log_error("Failed to list partitions of %s", arg_image
);
3280 if (fstat(fd
, &st
) < 0)
3281 return log_error_errno(errno
, "Failed to stat block device: %m");
3283 d
= udev_device_new_from_devnum(udev
, 'b', st
.st_rdev
);
3291 log_error("Kernel partitions never appeared.");
3295 e
= udev_enumerate_new(udev
);
3299 r
= udev_enumerate_add_match_parent(e
, d
);
3303 r
= udev_enumerate_scan_devices(e
);
3305 return log_error_errno(r
, "Failed to scan for partition devices of %s: %m", arg_image
);
3307 /* Count the partitions enumerated by the kernel */
3309 first
= udev_enumerate_get_list_entry(e
);
3310 udev_list_entry_foreach(item
, first
)
3313 /* Count the partitions enumerated by blkid */
3314 m
= blkid_partlist_numof_partitions(pl
);
3318 log_error("blkid and kernel partition list do not match.");
3324 /* The kernel has probed fewer partitions than
3325 * blkid? Maybe the kernel prober is still
3326 * running or it got EBUSY because udev
3327 * already opened the device. Let's reprobe
3328 * the device, which is a synchronous call
3329 * that waits until probing is complete. */
3331 for (j
= 0; j
< 20; j
++) {
3333 r
= ioctl(fd
, BLKRRPART
, 0);
3336 if (r
>= 0 || r
!= -EBUSY
)
3339 /* If something else has the device
3340 * open, such as an udev rule, the
3341 * ioctl will return EBUSY. Since
3342 * there's no way to wait until it
3343 * isn't busy anymore, let's just wait
3344 * a bit, and try again.
3346 * This is really something they
3347 * should fix in the kernel! */
3349 usleep(50 * USEC_PER_MSEC
);
3353 return log_error_errno(r
, "Failed to reread partition table: %m");
3356 e
= udev_enumerate_unref(e
);
3359 first
= udev_enumerate_get_list_entry(e
);
3360 udev_list_entry_foreach(item
, first
) {
3361 _cleanup_udev_device_unref_
struct udev_device
*q
;
3363 unsigned long long flags
;
3369 q
= udev_device_new_from_syspath(udev
, udev_list_entry_get_name(item
));
3374 log_error_errno(errno
, "Failed to get partition device of %s: %m", arg_image
);
3378 qn
= udev_device_get_devnum(q
);
3382 if (st
.st_rdev
== qn
)
3385 node
= udev_device_get_devnode(q
);
3389 pp
= blkid_partlist_devno_to_partition(pl
, qn
);
3393 flags
= blkid_partition_get_flags(pp
);
3395 nr
= blkid_partition_get_partno(pp
);
3403 if (flags
& GPT_FLAG_NO_AUTO
)
3406 stype
= blkid_partition_get_type_string(pp
);
3410 if (sd_id128_from_string(stype
, &type_id
) < 0)
3413 if (sd_id128_equal(type_id
, GPT_HOME
)) {
3415 if (home
&& nr
>= home_nr
)
3419 home_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3421 r
= free_and_strdup(&home
, node
);
3425 } else if (sd_id128_equal(type_id
, GPT_SRV
)) {
3427 if (srv
&& nr
>= srv_nr
)
3431 srv_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3433 r
= free_and_strdup(&srv
, node
);
3437 #ifdef GPT_ROOT_NATIVE
3438 else if (sd_id128_equal(type_id
, GPT_ROOT_NATIVE
)) {
3440 if (root
&& nr
>= root_nr
)
3444 root_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3446 r
= free_and_strdup(&root
, node
);
3451 #ifdef GPT_ROOT_SECONDARY
3452 else if (sd_id128_equal(type_id
, GPT_ROOT_SECONDARY
)) {
3454 if (secondary_root
&& nr
>= secondary_root_nr
)
3457 secondary_root_nr
= nr
;
3458 secondary_root_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3460 r
= free_and_strdup(&secondary_root
, node
);
3465 else if (sd_id128_equal(type_id
, GPT_LINUX_GENERIC
)) {
3468 multiple_generic
= true;
3470 generic_rw
= !(flags
& GPT_FLAG_READ_ONLY
);
3472 r
= free_and_strdup(&generic
, node
);
3478 } else if (is_mbr
) {
3481 if (flags
!= 0x80) /* Bootable flag */
3484 type
= blkid_partition_get_type(pp
);
3485 if (type
!= 0x83) /* Linux partition */
3489 multiple_generic
= true;
3493 r
= free_and_strdup(&root
, node
);
3501 *root_device
= root
;
3504 *root_device_rw
= root_rw
;
3506 } else if (secondary_root
) {
3507 *root_device
= secondary_root
;
3508 secondary_root
= NULL
;
3510 *root_device_rw
= secondary_root_rw
;
3512 } else if (generic
) {
3514 /* There were no partitions with precise meanings
3515 * around, but we found generic partitions. In this
3516 * case, if there's only one, we can go ahead and boot
3517 * it, otherwise we bail out, because we really cannot
3518 * make any sense of it. */
3520 if (multiple_generic
) {
3521 log_error("Identified multiple bootable Linux partitions on\n"
3523 PARTITION_TABLE_BLURB
, arg_image
);
3527 *root_device
= generic
;
3530 *root_device_rw
= generic_rw
;
3533 log_error("Failed to identify root partition in disk image\n"
3535 PARTITION_TABLE_BLURB
, arg_image
);
3540 *home_device
= home
;
3543 *home_device_rw
= home_rw
;
3550 *srv_device_rw
= srv_rw
;
3555 log_error("--image= is not supported, compiled without blkid support.");
3560 static int mount_device(const char *what
, const char *where
, const char *directory
, bool rw
) {
3562 _cleanup_blkid_free_probe_ blkid_probe b
= NULL
;
3563 const char *fstype
, *p
;
3573 p
= strjoina(where
, directory
);
3578 b
= blkid_new_probe_from_filename(what
);
3582 log_error_errno(errno
, "Failed to allocate prober for %s: %m", what
);
3586 blkid_probe_enable_superblocks(b
, 1);
3587 blkid_probe_set_superblocks_flags(b
, BLKID_SUBLKS_TYPE
);
3590 r
= blkid_do_safeprobe(b
);
3591 if (r
== -1 || r
== 1) {
3592 log_error("Cannot determine file system type of %s", what
);
3594 } else if (r
!= 0) {
3597 log_error_errno(errno
, "Failed to probe %s: %m", what
);
3602 if (blkid_probe_lookup_value(b
, "TYPE", &fstype
, NULL
) < 0) {
3605 log_error("Failed to determine file system type of %s", what
);
3609 if (streq(fstype
, "crypto_LUKS")) {
3610 log_error("nspawn currently does not support LUKS disk images.");
3614 if (mount(what
, p
, fstype
, MS_NODEV
|(rw
? 0 : MS_RDONLY
), NULL
) < 0)
3615 return log_error_errno(errno
, "Failed to mount %s: %m", what
);
3619 log_error("--image= is not supported, compiled without blkid support.");
3624 static int mount_devices(
3626 const char *root_device
, bool root_device_rw
,
3627 const char *home_device
, bool home_device_rw
,
3628 const char *srv_device
, bool srv_device_rw
) {
3634 r
= mount_device(root_device
, arg_directory
, NULL
, root_device_rw
);
3636 return log_error_errno(r
, "Failed to mount root directory: %m");
3640 r
= mount_device(home_device
, arg_directory
, "/home", home_device_rw
);
3642 return log_error_errno(r
, "Failed to mount home directory: %m");
3646 r
= mount_device(srv_device
, arg_directory
, "/srv", srv_device_rw
);
3648 return log_error_errno(r
, "Failed to mount server data directory: %m");
3654 static void loop_remove(int nr
, int *image_fd
) {
3655 _cleanup_close_
int control
= -1;
3661 if (image_fd
&& *image_fd
>= 0) {
3662 r
= ioctl(*image_fd
, LOOP_CLR_FD
);
3664 log_debug_errno(errno
, "Failed to close loop image: %m");
3665 *image_fd
= safe_close(*image_fd
);
3668 control
= open("/dev/loop-control", O_RDWR
|O_CLOEXEC
|O_NOCTTY
|O_NONBLOCK
);
3670 log_warning_errno(errno
, "Failed to open /dev/loop-control: %m");
3674 r
= ioctl(control
, LOOP_CTL_REMOVE
, nr
);
3676 log_debug_errno(errno
, "Failed to remove loop %d: %m", nr
);
3679 static int spawn_getent(const char *database
, const char *key
, pid_t
*rpid
) {
3687 if (pipe2(pipe_fds
, O_CLOEXEC
) < 0)
3688 return log_error_errno(errno
, "Failed to allocate pipe: %m");
3692 return log_error_errno(errno
, "Failed to fork getent child: %m");
3693 else if (pid
== 0) {
3695 char *empty_env
= NULL
;
3697 if (dup3(pipe_fds
[1], STDOUT_FILENO
, 0) < 0)
3698 _exit(EXIT_FAILURE
);
3700 if (pipe_fds
[0] > 2)
3701 safe_close(pipe_fds
[0]);
3702 if (pipe_fds
[1] > 2)
3703 safe_close(pipe_fds
[1]);
3705 nullfd
= open("/dev/null", O_RDWR
);
3707 _exit(EXIT_FAILURE
);
3709 if (dup3(nullfd
, STDIN_FILENO
, 0) < 0)
3710 _exit(EXIT_FAILURE
);
3712 if (dup3(nullfd
, STDERR_FILENO
, 0) < 0)
3713 _exit(EXIT_FAILURE
);
3718 (void) reset_all_signal_handlers();
3719 (void) reset_signal_mask();
3720 close_all_fds(NULL
, 0);
3722 execle("/usr/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
3723 execle("/bin/getent", "getent", database
, key
, NULL
, &empty_env
);
3724 _exit(EXIT_FAILURE
);
3727 pipe_fds
[1] = safe_close(pipe_fds
[1]);
3734 static int change_uid_gid(char **_home
) {
3735 char line
[LINE_MAX
], *x
, *u
, *g
, *h
;
3736 const char *word
, *state
;
3737 _cleanup_free_ uid_t
*uids
= NULL
;
3738 _cleanup_free_
char *home
= NULL
;
3739 _cleanup_fclose_
FILE *f
= NULL
;
3740 _cleanup_close_
int fd
= -1;
3741 unsigned n_uids
= 0;
3750 if (!arg_user
|| streq(arg_user
, "root") || streq(arg_user
, "0")) {
3751 /* Reset everything fully to 0, just in case */
3753 r
= reset_uid_gid();
3755 return log_error_errno(r
, "Failed to become root: %m");
3761 /* First, get user credentials */
3762 fd
= spawn_getent("passwd", arg_user
, &pid
);
3766 f
= fdopen(fd
, "r");
3771 if (!fgets(line
, sizeof(line
), f
)) {
3774 log_error("Failed to resolve user %s.", arg_user
);
3778 log_error_errno(errno
, "Failed to read from getent: %m");
3784 wait_for_terminate_and_warn("getent passwd", pid
, true);
3786 x
= strchr(line
, ':');
3788 log_error("/etc/passwd entry has invalid user field.");
3792 u
= strchr(x
+1, ':');
3794 log_error("/etc/passwd entry has invalid password field.");
3801 log_error("/etc/passwd entry has invalid UID field.");
3809 log_error("/etc/passwd entry has invalid GID field.");
3814 h
= strchr(x
+1, ':');
3816 log_error("/etc/passwd entry has invalid GECOS field.");
3823 log_error("/etc/passwd entry has invalid home directory field.");
3829 r
= parse_uid(u
, &uid
);
3831 log_error("Failed to parse UID of user.");
3835 r
= parse_gid(g
, &gid
);
3837 log_error("Failed to parse GID of user.");
3845 /* Second, get group memberships */
3846 fd
= spawn_getent("initgroups", arg_user
, &pid
);
3851 f
= fdopen(fd
, "r");
3856 if (!fgets(line
, sizeof(line
), f
)) {
3858 log_error("Failed to resolve user %s.", arg_user
);
3862 log_error_errno(errno
, "Failed to read from getent: %m");
3868 wait_for_terminate_and_warn("getent initgroups", pid
, true);
3870 /* Skip over the username and subsequent separator whitespace */
3872 x
+= strcspn(x
, WHITESPACE
);
3873 x
+= strspn(x
, WHITESPACE
);
3875 FOREACH_WORD(word
, l
, x
, state
) {
3881 if (!GREEDY_REALLOC(uids
, sz
, n_uids
+1))
3884 r
= parse_uid(c
, &uids
[n_uids
++]);
3886 log_error("Failed to parse group data from getent.");
3891 r
= mkdir_parents(home
, 0775);
3893 return log_error_errno(r
, "Failed to make home root directory: %m");
3895 r
= mkdir_safe(home
, 0755, uid
, gid
);
3896 if (r
< 0 && r
!= -EEXIST
)
3897 return log_error_errno(r
, "Failed to make home directory: %m");
3899 (void) fchown(STDIN_FILENO
, uid
, gid
);
3900 (void) fchown(STDOUT_FILENO
, uid
, gid
);
3901 (void) fchown(STDERR_FILENO
, uid
, gid
);
3903 if (setgroups(n_uids
, uids
) < 0)
3904 return log_error_errno(errno
, "Failed to set auxiliary groups: %m");
3906 if (setresgid(gid
, gid
, gid
) < 0)
3907 return log_error_errno(errno
, "setregid() failed: %m");
3909 if (setresuid(uid
, uid
, uid
) < 0)
3910 return log_error_errno(errno
, "setreuid() failed: %m");
3922 * < 0 : wait_for_terminate() failed to get the state of the
3923 * container, the container was terminated by a signal, or
3924 * failed for an unknown reason. No change is made to the
3925 * container argument.
3926 * > 0 : The program executed in the container terminated with an
3927 * error. The exit code of the program executed in the
3928 * container is returned. The container argument has been set
3929 * to CONTAINER_TERMINATED.
3930 * 0 : The container is being rebooted, has been shut down or exited
3931 * successfully. The container argument has been set to either
3932 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
3934 * That is, success is indicated by a return value of zero, and an
3935 * error is indicated by a non-zero value.
3937 static int wait_for_container(pid_t pid
, ContainerStatus
*container
) {
3941 r
= wait_for_terminate(pid
, &status
);
3943 return log_warning_errno(r
, "Failed to wait for container: %m");
3945 switch (status
.si_code
) {
3948 if (status
.si_status
== 0) {
3949 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s exited successfully.", arg_machine
);
3952 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s failed with error code %i.", arg_machine
, status
.si_status
);
3954 *container
= CONTAINER_TERMINATED
;
3955 return status
.si_status
;
3958 if (status
.si_status
== SIGINT
) {
3960 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s has been shut down.", arg_machine
);
3961 *container
= CONTAINER_TERMINATED
;
3964 } else if (status
.si_status
== SIGHUP
) {
3966 log_full(arg_quiet
? LOG_DEBUG
: LOG_INFO
, "Container %s is being rebooted.", arg_machine
);
3967 *container
= CONTAINER_REBOOTED
;
3971 /* CLD_KILLED fallthrough */
3974 log_error("Container %s terminated by signal %s.", arg_machine
, signal_to_string(status
.si_status
));
3978 log_error("Container %s failed due to unknown reason.", arg_machine
);
3985 static void nop_handler(int sig
) {}
3987 static int on_orderly_shutdown(sd_event_source
*s
, const struct signalfd_siginfo
*si
, void *userdata
) {
3990 pid
= PTR_TO_UINT32(userdata
);
3992 if (kill(pid
, arg_kill_signal
) >= 0) {
3993 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
3994 sd_event_source_set_userdata(s
, NULL
);
3999 sd_event_exit(sd_event_source_get_event(s
), 0);
4003 static int determine_names(void) {
4006 if (!arg_image
&& !arg_directory
) {
4008 _cleanup_(image_unrefp
) Image
*i
= NULL
;
4010 r
= image_find(arg_machine
, &i
);
4012 return log_error_errno(r
, "Failed to find image for machine '%s': %m", arg_machine
);
4014 log_error("No image for machine '%s': %m", arg_machine
);
4018 if (i
->type
== IMAGE_RAW
)
4019 r
= set_sanitized_path(&arg_image
, i
->path
);
4021 r
= set_sanitized_path(&arg_directory
, i
->path
);
4023 return log_error_errno(r
, "Invalid image directory: %m");
4026 arg_read_only
= arg_read_only
|| i
->read_only
;
4028 arg_directory
= get_current_dir_name();
4030 if (!arg_directory
&& !arg_machine
) {
4031 log_error("Failed to determine path, please use -D or -i.");
4037 if (arg_directory
&& path_equal(arg_directory
, "/"))
4038 arg_machine
= gethostname_malloc();
4040 arg_machine
= strdup(basename(arg_image
?: arg_directory
));
4045 hostname_cleanup(arg_machine
);
4046 if (!machine_name_is_valid(arg_machine
)) {
4047 log_error("Failed to determine machine name automatically, please use -M.");
4051 if (arg_ephemeral
) {
4054 /* Add a random suffix when this is an
4055 * ephemeral machine, so that we can run many
4056 * instances at once without manually having
4057 * to specify -M each time. */
4059 if (asprintf(&b
, "%s-%016" PRIx64
, arg_machine
, random_u64()) < 0)
4070 static int determine_uid_shift(const char *directory
) {
4078 if (arg_uid_shift
== UID_INVALID
) {
4081 r
= stat(directory
, &st
);
4083 return log_error_errno(errno
, "Failed to determine UID base of %s: %m", directory
);
4085 arg_uid_shift
= st
.st_uid
& UINT32_C(0xffff0000);
4087 if (arg_uid_shift
!= (st
.st_gid
& UINT32_C(0xffff0000))) {
4088 log_error("UID and GID base of %s don't match.", directory
);
4092 arg_uid_range
= UINT32_C(0x10000);
4095 if (arg_uid_shift
> (uid_t
) -1 - arg_uid_range
) {
4096 log_error("UID base too high for UID range.");
4100 log_info("Using user namespaces with base " UID_FMT
" and range " UID_FMT
".", arg_uid_shift
, arg_uid_range
);
4104 static int inner_child(
4106 const char *directory
,
4114 _cleanup_free_
char *home
= NULL
;
4116 const char *envp
[] = {
4117 "PATH=" DEFAULT_PATH_SPLIT_USR
,
4118 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
4123 NULL
, /* container_uuid */
4124 NULL
, /* LISTEN_FDS */
4125 NULL
, /* LISTEN_PID */
4129 _cleanup_strv_free_
char **env_use
= NULL
;
4134 assert(kmsg_socket
>= 0);
4137 /* Tell the parent, that it now can write the UID map. */
4138 (void) barrier_place(barrier
); /* #1 */
4140 /* Wait until the parent wrote the UID map */
4141 if (!barrier_place_and_sync(barrier
)) { /* #2 */
4142 log_error("Parent died too early");
4147 r
= mount_all(NULL
, true);
4151 /* Wait until we are cgroup-ified, so that we
4152 * can mount the right cgroup path writable */
4153 if (!barrier_place_and_sync(barrier
)) { /* #3 */
4154 log_error("Parent died too early");
4158 r
= mount_systemd_cgroup_writable("");
4162 r
= reset_uid_gid();
4164 return log_error_errno(r
, "Couldn't become new root: %m");
4166 r
= setup_boot_id(NULL
);
4170 r
= setup_kmsg(NULL
, kmsg_socket
);
4173 kmsg_socket
= safe_close(kmsg_socket
);
4178 return log_error_errno(errno
, "setsid() failed: %m");
4180 if (arg_private_network
)
4183 r
= send_rtnl(rtnl_socket
);
4186 rtnl_socket
= safe_close(rtnl_socket
);
4188 if (drop_capabilities() < 0)
4189 return log_error_errno(errno
, "drop_capabilities() failed: %m");
4193 if (arg_personality
!= PERSONALITY_INVALID
) {
4194 if (personality(arg_personality
) < 0)
4195 return log_error_errno(errno
, "personality() failed: %m");
4196 } else if (secondary
) {
4197 if (personality(PER_LINUX32
) < 0)
4198 return log_error_errno(errno
, "personality() failed: %m");
4202 if (arg_selinux_context
)
4203 if (setexeccon((security_context_t
) arg_selinux_context
) < 0)
4204 return log_error_errno(errno
, "setexeccon(\"%s\") failed: %m", arg_selinux_context
);
4207 r
= change_uid_gid(&home
);
4211 envp
[n_env
] = strv_find_prefix(environ
, "TERM=");
4215 if ((asprintf((char**)(envp
+ n_env
++), "HOME=%s", home
? home
: "/root") < 0) ||
4216 (asprintf((char**)(envp
+ n_env
++), "USER=%s", arg_user
? arg_user
: "root") < 0) ||
4217 (asprintf((char**)(envp
+ n_env
++), "LOGNAME=%s", arg_user
? arg_user
: "root") < 0))
4220 if (!sd_id128_equal(arg_uuid
, SD_ID128_NULL
)) {
4223 if (asprintf((char**)(envp
+ n_env
++), "container_uuid=%s", id128_format_as_uuid(arg_uuid
, as_uuid
)) < 0)
4227 if (fdset_size(fds
) > 0) {
4228 r
= fdset_cloexec(fds
, false);
4230 return log_error_errno(r
, "Failed to unset O_CLOEXEC for file descriptors.");
4232 if ((asprintf((char **)(envp
+ n_env
++), "LISTEN_FDS=%u", fdset_size(fds
)) < 0) ||
4233 (asprintf((char **)(envp
+ n_env
++), "LISTEN_PID=1") < 0))
4237 env_use
= strv_env_merge(2, envp
, arg_setenv
);
4241 /* Let the parent know that we are ready and
4242 * wait until the parent is ready with the
4244 if (!barrier_place_and_sync(barrier
)) { /* #4 */
4245 log_error("Parent died too early");
4249 /* Now, explicitly close the log, so that we
4250 * then can close all remaining fds. Closing
4251 * the log explicitly first has the benefit
4252 * that the logging subsystem knows about it,
4253 * and is thus ready to be reopened should we
4254 * need it again. Note that the other fds
4255 * closed here are at least the locking and
4258 (void) fdset_close_others(fds
);
4264 /* Automatically search for the init system */
4266 m
= 1 + argc
- optind
;
4267 a
= newa(char*, m
+ 1);
4268 memcpy(a
+ 1, argv
+ optind
, m
* sizeof(char*));
4270 a
[0] = (char*) "/usr/lib/systemd/systemd";
4271 execve(a
[0], a
, env_use
);
4273 a
[0] = (char*) "/lib/systemd/systemd";
4274 execve(a
[0], a
, env_use
);
4276 a
[0] = (char*) "/sbin/init";
4277 execve(a
[0], a
, env_use
);
4278 } else if (argc
> optind
)
4279 execvpe(argv
[optind
], argv
+ optind
, env_use
);
4281 chdir(home
? home
: "/root");
4282 execle("/bin/bash", "-bash", NULL
, env_use
);
4283 execle("/bin/sh", "-sh", NULL
, env_use
);
4287 return log_error_errno(errno
, "execv() failed: %m");
4290 static int outer_child(
4292 const char *directory
,
4293 const char *console
,
4294 const char *root_device
, bool root_device_rw
,
4295 const char *home_device
, bool home_device_rw
,
4296 const char *srv_device
, bool srv_device_rw
,
4302 int uid_shift_socket
,
4314 assert(pid_socket
>= 0);
4315 assert(kmsg_socket
>= 0);
4317 if (prctl(PR_SET_PDEATHSIG
, SIGKILL
) < 0)
4318 return log_error_errno(errno
, "PR_SET_PDEATHSIG failed: %m");
4321 close_nointr(STDIN_FILENO
);
4322 close_nointr(STDOUT_FILENO
);
4323 close_nointr(STDERR_FILENO
);
4325 r
= open_terminal(console
, O_RDWR
);
4326 if (r
!= STDIN_FILENO
) {
4332 return log_error_errno(r
, "Failed to open console: %m");
4335 if (dup2(STDIN_FILENO
, STDOUT_FILENO
) != STDOUT_FILENO
||
4336 dup2(STDIN_FILENO
, STDERR_FILENO
) != STDERR_FILENO
)
4337 return log_error_errno(errno
, "Failed to duplicate console: %m");
4340 r
= reset_audit_loginuid();
4344 /* Mark everything as slave, so that we still
4345 * receive mounts from the real root, but don't
4346 * propagate mounts to the real root. */
4347 if (mount(NULL
, "/", NULL
, MS_SLAVE
|MS_REC
, NULL
) < 0)
4348 return log_error_errno(errno
, "MS_SLAVE|MS_REC failed: %m");
4350 r
= mount_devices(directory
,
4351 root_device
, root_device_rw
,
4352 home_device
, home_device_rw
,
4353 srv_device
, srv_device_rw
);
4357 r
= determine_uid_shift(directory
);
4362 l
= send(uid_shift_socket
, &arg_uid_shift
, sizeof(arg_uid_shift
), MSG_NOSIGNAL
);
4364 return log_error_errno(errno
, "Failed to send UID shift: %m");
4365 if (l
!= sizeof(arg_uid_shift
)) {
4366 log_error("Short write while sending UID shift.");
4371 /* Turn directory into bind mount */
4372 if (mount(directory
, directory
, NULL
, MS_BIND
|MS_REC
, NULL
) < 0)
4373 return log_error_errno(errno
, "Failed to make bind mount: %m");
4375 r
= setup_volatile(directory
);
4379 r
= setup_volatile_state(directory
);
4383 r
= base_filesystem_create(directory
, arg_uid_shift
, (gid_t
) arg_uid_shift
);
4387 if (arg_read_only
) {
4388 r
= bind_remount_recursive(directory
, true);
4390 return log_error_errno(r
, "Failed to make tree read-only: %m");
4393 r
= mount_all(directory
, false);
4397 if (copy_devnodes(directory
) < 0)
4400 dev_setup(directory
, arg_uid_shift
, arg_uid_shift
);
4402 if (setup_pts(directory
) < 0)
4405 r
= setup_propagate(directory
);
4409 r
= setup_dev_console(directory
, console
);
4413 r
= setup_seccomp();
4417 r
= setup_timezone(directory
);
4421 r
= setup_resolv_conf(directory
);
4425 r
= setup_journal(directory
);
4429 r
= mount_custom(directory
);
4433 r
= mount_cgroup(directory
);
4437 r
= mount_move_root(directory
);
4439 return log_error_errno(r
, "Failed to move root directory: %m");
4441 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
|
4442 (arg_share_system
? 0 : CLONE_NEWIPC
|CLONE_NEWPID
|CLONE_NEWUTS
) |
4443 (arg_private_network
? CLONE_NEWNET
: 0) |
4444 (arg_userns
? CLONE_NEWUSER
: 0),
4447 return log_error_errno(errno
, "Failed to fork inner child: %m");
4450 pid_socket
= safe_close(pid_socket
);
4451 uid_shift_socket
= safe_close(uid_shift_socket
);
4453 /* The inner child has all namespaces that are
4454 * requested, so that we all are owned by the user if
4455 * user namespaces are turned on. */
4457 r
= inner_child(barrier
, directory
, secondary
, kmsg_socket
, rtnl_socket
, fds
, argc
, argv
);
4459 _exit(EXIT_FAILURE
);
4461 _exit(EXIT_SUCCESS
);
4464 l
= send(pid_socket
, &pid
, sizeof(pid
), MSG_NOSIGNAL
);
4466 return log_error_errno(errno
, "Failed to send PID: %m");
4467 if (l
!= sizeof(pid
)) {
4468 log_error("Short write while sending PID.");
4472 pid_socket
= safe_close(pid_socket
);
4477 static int setup_uid_map(pid_t pid
) {
4478 char uid_map
[strlen("/proc//uid_map") + DECIMAL_STR_MAX(uid_t
) + 1], line
[DECIMAL_STR_MAX(uid_t
)*3+3+1];
4483 xsprintf(uid_map
, "/proc/" PID_FMT
"/uid_map", pid
);
4484 xsprintf(line
, UID_FMT
" " UID_FMT
" " UID_FMT
"\n", 0, arg_uid_shift
, arg_uid_range
);
4485 r
= write_string_file(uid_map
, line
, 0);
4487 return log_error_errno(r
, "Failed to write UID map: %m");
4489 /* We always assign the same UID and GID ranges */
4490 xsprintf(uid_map
, "/proc/" PID_FMT
"/gid_map", pid
);
4491 r
= write_string_file(uid_map
, line
, 0);
4493 return log_error_errno(r
, "Failed to write GID map: %m");
4498 static int chown_cgroup(pid_t pid
) {
4499 _cleanup_free_
char *path
= NULL
, *fs
= NULL
;
4500 _cleanup_close_
int fd
= -1;
4504 r
= cg_pid_get_path(NULL
, pid
, &path
);
4506 return log_error_errno(r
, "Failed to get container cgroup path: %m");
4508 r
= cg_get_path(SYSTEMD_CGROUP_CONTROLLER
, path
, NULL
, &fs
);
4510 return log_error_errno(r
, "Failed to get file system path for container cgroup: %m");
4512 fd
= open(fs
, O_RDONLY
|O_CLOEXEC
|O_DIRECTORY
);
4514 return log_error_errno(errno
, "Failed to open %s: %m", fs
);
4516 FOREACH_STRING(fn
, ".", "tasks", "notify_on_release", "cgroup.procs", "cgroup.clone_children")
4517 if (fchownat(fd
, fn
, arg_uid_shift
, arg_uid_shift
, 0) < 0)
4518 log_warning_errno(errno
, "Failed to chown() cgroup file %s, ignoring: %m", fn
);
4523 int main(int argc
, char *argv
[]) {
4525 _cleanup_free_
char *device_path
= NULL
, *root_device
= NULL
, *home_device
= NULL
, *srv_device
= NULL
, *console
= NULL
;
4526 bool root_device_rw
= true, home_device_rw
= true, srv_device_rw
= true;
4527 _cleanup_close_
int master
= -1, image_fd
= -1;
4528 _cleanup_fdset_free_ FDSet
*fds
= NULL
;
4529 int r
, n_fd_passed
, loop_nr
= -1;
4530 char veth_name
[IFNAMSIZ
];
4531 bool secondary
= false, remove_subvol
= false;
4534 int ret
= EXIT_SUCCESS
;
4535 union in_addr_union exposed
= {};
4536 _cleanup_release_lock_file_ LockFile tree_global_lock
= LOCK_FILE_INIT
, tree_local_lock
= LOCK_FILE_INIT
;
4539 log_parse_environment();
4542 r
= parse_argv(argc
, argv
);
4546 r
= determine_names();
4550 if (geteuid() != 0) {
4551 log_error("Need to be root.");
4556 n_fd_passed
= sd_listen_fds(false);
4557 if (n_fd_passed
> 0) {
4558 r
= fdset_new_listen_fds(&fds
, false);
4560 log_error_errno(r
, "Failed to collect file descriptors: %m");
4565 if (arg_directory
) {
4568 if (path_equal(arg_directory
, "/") && !arg_ephemeral
) {
4569 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
4574 if (arg_ephemeral
) {
4575 _cleanup_free_
char *np
= NULL
;
4577 /* If the specified path is a mount point we
4578 * generate the new snapshot immediately
4579 * inside it under a random name. However if
4580 * the specified is not a mount point we
4581 * create the new snapshot in the parent
4582 * directory, just next to it. */
4583 r
= path_is_mount_point(arg_directory
, 0);
4585 log_error_errno(r
, "Failed to determine whether directory %s is mount point: %m", arg_directory
);
4589 r
= tempfn_random_child(arg_directory
, "machine.", &np
);
4591 r
= tempfn_random(arg_directory
, "machine.", &np
);
4593 log_error_errno(r
, "Failed to generate name for snapshot: %m");
4597 r
= image_path_lock(np
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4599 log_error_errno(r
, "Failed to lock %s: %m", np
);
4603 r
= btrfs_subvol_snapshot(arg_directory
, np
, (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) | BTRFS_SNAPSHOT_FALLBACK_COPY
| BTRFS_SNAPSHOT_RECURSIVE
);
4605 log_error_errno(r
, "Failed to create snapshot %s from %s: %m", np
, arg_directory
);
4609 free(arg_directory
);
4613 remove_subvol
= true;
4616 r
= image_path_lock(arg_directory
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4618 log_error_errno(r
, "Directory tree %s is currently busy.", arg_directory
);
4622 log_error_errno(r
, "Failed to lock %s: %m", arg_directory
);
4627 r
= btrfs_subvol_snapshot(arg_template
, arg_directory
, (arg_read_only
? BTRFS_SNAPSHOT_READ_ONLY
: 0) | BTRFS_SNAPSHOT_FALLBACK_COPY
| BTRFS_SNAPSHOT_RECURSIVE
);
4630 log_info("Directory %s already exists, not populating from template %s.", arg_directory
, arg_template
);
4632 log_error_errno(r
, "Couldn't create snapshot %s from %s: %m", arg_directory
, arg_template
);
4636 log_info("Populated %s from template %s.", arg_directory
, arg_template
);
4642 if (path_is_os_tree(arg_directory
) <= 0) {
4643 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory
);
4650 p
= strjoina(arg_directory
,
4651 argc
> optind
&& path_is_absolute(argv
[optind
]) ? argv
[optind
] : "/usr/bin/");
4652 if (access(p
, F_OK
) < 0) {
4653 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory
);
4660 char template[] = "/tmp/nspawn-root-XXXXXX";
4663 assert(!arg_template
);
4665 r
= image_path_lock(arg_image
, (arg_read_only
? LOCK_SH
: LOCK_EX
) | LOCK_NB
, &tree_global_lock
, &tree_local_lock
);
4667 r
= log_error_errno(r
, "Disk image %s is currently busy.", arg_image
);
4671 r
= log_error_errno(r
, "Failed to create image lock: %m");
4675 if (!mkdtemp(template)) {
4676 log_error_errno(errno
, "Failed to create temporary directory: %m");
4681 arg_directory
= strdup(template);
4682 if (!arg_directory
) {
4687 image_fd
= setup_image(&device_path
, &loop_nr
);
4693 r
= dissect_image(image_fd
,
4694 &root_device
, &root_device_rw
,
4695 &home_device
, &home_device_rw
,
4696 &srv_device
, &srv_device_rw
,
4702 r
= custom_mounts_prepare();
4707 isatty(STDIN_FILENO
) > 0 &&
4708 isatty(STDOUT_FILENO
) > 0;
4710 master
= posix_openpt(O_RDWR
|O_NOCTTY
|O_CLOEXEC
|O_NDELAY
);
4712 r
= log_error_errno(errno
, "Failed to acquire pseudo tty: %m");
4716 r
= ptsname_malloc(master
, &console
);
4718 r
= log_error_errno(r
, "Failed to determine tty name: %m");
4722 if (unlockpt(master
) < 0) {
4723 r
= log_error_errno(errno
, "Failed to unlock tty: %m");
4728 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
4729 arg_machine
, arg_image
?: arg_directory
);
4731 assert_se(sigprocmask_many(SIG_BLOCK
, NULL
, SIGCHLD
, SIGWINCH
, SIGTERM
, SIGINT
, -1) >= 0);
4733 assert_se(sigemptyset(&mask_chld
) == 0);
4734 assert_se(sigaddset(&mask_chld
, SIGCHLD
) == 0);
4736 if (prctl(PR_SET_CHILD_SUBREAPER
, 1) < 0) {
4737 r
= log_error_errno(errno
, "Failed to become subreaper: %m");
4742 _cleanup_close_pair_
int kmsg_socket_pair
[2] = { -1, -1 }, rtnl_socket_pair
[2] = { -1, -1 }, pid_socket_pair
[2] = { -1, -1 },
4743 uid_shift_socket_pair
[2] = { -1, -1 };
4744 ContainerStatus container_status
;
4745 _cleanup_(barrier_destroy
) Barrier barrier
= BARRIER_NULL
;
4746 static const struct sigaction sa
= {
4747 .sa_handler
= nop_handler
,
4748 .sa_flags
= SA_NOCLDSTOP
,
4752 _cleanup_event_unref_ sd_event
*event
= NULL
;
4753 _cleanup_(pty_forward_freep
) PTYForward
*forward
= NULL
;
4754 _cleanup_netlink_unref_ sd_netlink
*rtnl
= NULL
;
4757 r
= barrier_create(&barrier
);
4759 log_error_errno(r
, "Cannot initialize IPC barrier: %m");
4763 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, kmsg_socket_pair
) < 0) {
4764 r
= log_error_errno(errno
, "Failed to create kmsg socket pair: %m");
4768 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, rtnl_socket_pair
) < 0) {
4769 r
= log_error_errno(errno
, "Failed to create rtnl socket pair: %m");
4773 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, pid_socket_pair
) < 0) {
4774 r
= log_error_errno(errno
, "Failed to create pid socket pair: %m");
4779 if (socketpair(AF_UNIX
, SOCK_DGRAM
|SOCK_CLOEXEC
, 0, uid_shift_socket_pair
) < 0) {
4780 r
= log_error_errno(errno
, "Failed to create uid shift socket pair: %m");
4784 /* Child can be killed before execv(), so handle SIGCHLD
4785 * in order to interrupt parent's blocking calls and
4786 * give it a chance to call wait() and terminate. */
4787 r
= sigprocmask(SIG_UNBLOCK
, &mask_chld
, NULL
);
4789 r
= log_error_errno(errno
, "Failed to change the signal mask: %m");
4793 r
= sigaction(SIGCHLD
, &sa
, NULL
);
4795 r
= log_error_errno(errno
, "Failed to install SIGCHLD handler: %m");
4799 pid
= raw_clone(SIGCHLD
|CLONE_NEWNS
, NULL
);
4801 if (errno
== EINVAL
)
4802 r
= log_error_errno(errno
, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
4804 r
= log_error_errno(errno
, "clone() failed: %m");
4810 /* The outer child only has a file system namespace. */
4811 barrier_set_role(&barrier
, BARRIER_CHILD
);
4813 master
= safe_close(master
);
4815 kmsg_socket_pair
[0] = safe_close(kmsg_socket_pair
[0]);
4816 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4817 pid_socket_pair
[0] = safe_close(pid_socket_pair
[0]);
4818 uid_shift_socket_pair
[0] = safe_close(uid_shift_socket_pair
[0]);
4820 (void) reset_all_signal_handlers();
4821 (void) reset_signal_mask();
4823 r
= outer_child(&barrier
,
4826 root_device
, root_device_rw
,
4827 home_device
, home_device_rw
,
4828 srv_device
, srv_device_rw
,
4832 kmsg_socket_pair
[1],
4833 rtnl_socket_pair
[1],
4834 uid_shift_socket_pair
[1],
4838 _exit(EXIT_FAILURE
);
4840 _exit(EXIT_SUCCESS
);
4843 barrier_set_role(&barrier
, BARRIER_PARENT
);
4848 kmsg_socket_pair
[1] = safe_close(kmsg_socket_pair
[1]);
4849 rtnl_socket_pair
[1] = safe_close(rtnl_socket_pair
[1]);
4850 pid_socket_pair
[1] = safe_close(pid_socket_pair
[1]);
4852 /* Wait for the outer child. */
4853 r
= wait_for_terminate_and_warn("namespace helper", pid
, NULL
);
4862 /* And now retrieve the PID of the inner child. */
4863 l
= recv(pid_socket_pair
[0], &pid
, sizeof(pid
), 0);
4865 r
= log_error_errno(errno
, "Failed to read inner child PID: %m");
4868 if (l
!= sizeof(pid
)) {
4869 log_error("Short read while reading inner child PID: %m");
4874 log_debug("Init process invoked as PID " PID_FMT
, pid
);
4877 if (!barrier_place_and_sync(&barrier
)) { /* #1 */
4878 log_error("Child died too early.");
4883 l
= recv(uid_shift_socket_pair
[0], &arg_uid_shift
, sizeof(arg_uid_shift
), 0);
4885 r
= log_error_errno(errno
, "Failed to read UID shift: %m");
4888 if (l
!= sizeof(arg_uid_shift
)) {
4889 log_error("Short read while reading UID shift: %m");
4894 r
= setup_uid_map(pid
);
4898 (void) barrier_place(&barrier
); /* #2 */
4901 r
= move_network_interfaces(pid
);
4905 r
= setup_veth(pid
, veth_name
, &ifi
);
4909 r
= setup_bridge(veth_name
, &ifi
);
4913 r
= setup_macvlan(pid
);
4917 r
= setup_ipvlan(pid
);
4921 r
= register_machine(pid
, ifi
);
4925 r
= chown_cgroup(pid
);
4929 /* Notify the child that the parent is ready with all
4930 * its setup (including cgroup-ification), and that
4931 * the child can now hand over control to the code to
4932 * run inside the container. */
4933 (void) barrier_place(&barrier
); /* #3 */
4935 /* Block SIGCHLD here, before notifying child.
4936 * process_pty() will handle it with the other signals. */
4937 assert_se(sigprocmask(SIG_BLOCK
, &mask_chld
, NULL
) >= 0);
4939 /* Reset signal to default */
4940 r
= default_signals(SIGCHLD
, -1);
4942 log_error_errno(r
, "Failed to reset SIGCHLD: %m");
4946 /* Let the child know that we are ready and wait that the child is completely ready now. */
4947 if (!barrier_place_and_sync(&barrier
)) { /* #5 */
4948 log_error("Client died too early.");
4955 "STATUS=Container running.\n"
4956 "X_NSPAWN_LEADER_PID=" PID_FMT
, pid
);
4958 r
= sd_event_new(&event
);
4960 log_error_errno(r
, "Failed to get default event source: %m");
4964 if (arg_kill_signal
> 0) {
4965 /* Try to kill the init system on SIGINT or SIGTERM */
4966 sd_event_add_signal(event
, NULL
, SIGINT
, on_orderly_shutdown
, UINT32_TO_PTR(pid
));
4967 sd_event_add_signal(event
, NULL
, SIGTERM
, on_orderly_shutdown
, UINT32_TO_PTR(pid
));
4969 /* Immediately exit */
4970 sd_event_add_signal(event
, NULL
, SIGINT
, NULL
, NULL
);
4971 sd_event_add_signal(event
, NULL
, SIGTERM
, NULL
, NULL
);
4974 /* simply exit on sigchld */
4975 sd_event_add_signal(event
, NULL
, SIGCHLD
, NULL
, NULL
);
4977 if (arg_expose_ports
) {
4978 r
= watch_rtnl(event
, rtnl_socket_pair
[0], &exposed
, &rtnl
);
4982 (void) expose_ports(rtnl
, &exposed
);
4985 rtnl_socket_pair
[0] = safe_close(rtnl_socket_pair
[0]);
4987 r
= pty_forward_new(event
, master
, true, !interactive
, &forward
);
4989 log_error_errno(r
, "Failed to create PTY forwarder: %m");
4993 r
= sd_event_loop(event
);
4995 log_error_errno(r
, "Failed to run event loop: %m");
4999 pty_forward_get_last_char(forward
, &last_char
);
5001 forward
= pty_forward_free(forward
);
5003 if (!arg_quiet
&& last_char
!= '\n')
5006 /* Kill if it is not dead yet anyway */
5007 terminate_machine(pid
);
5009 /* Normally redundant, but better safe than sorry */
5012 r
= wait_for_container(pid
, &container_status
);
5016 /* We failed to wait for the container, or the
5017 * container exited abnormally */
5019 else if (r
> 0 || container_status
== CONTAINER_TERMINATED
){
5020 /* The container exited with a non-zero
5021 * status, or with zero status and no reboot
5027 /* CONTAINER_REBOOTED, loop again */
5029 if (arg_keep_unit
) {
5030 /* Special handling if we are running as a
5031 * service: instead of simply restarting the
5032 * machine we want to restart the entire
5033 * service, so let's inform systemd about this
5034 * with the special exit code 133. The service
5035 * file uses RestartForceExitStatus=133 so
5036 * that this results in a full nspawn
5037 * restart. This is necessary since we might
5038 * have cgroup parameters set we want to have
5045 flush_ports(&exposed
);
5051 "STATUS=Terminating...");
5056 /* Try to flush whatever is still queued in the pty */
5058 (void) copy_bytes(master
, STDOUT_FILENO
, (off_t
) -1, false);
5060 loop_remove(loop_nr
, &image_fd
);
5062 if (remove_subvol
&& arg_directory
) {
5065 k
= btrfs_subvol_remove(arg_directory
, true);
5067 log_warning_errno(k
, "Cannot remove subvolume '%s', ignoring: %m", arg_directory
);
5073 p
= strjoina("/run/systemd/nspawn/propagate/", arg_machine
);
5074 (void) rm_rf(p
, REMOVE_ROOT
);
5077 free(arg_directory
);
5082 strv_free(arg_setenv
);
5083 strv_free(arg_network_interfaces
);
5084 strv_free(arg_network_macvlan
);
5085 strv_free(arg_network_ipvlan
);
5086 custom_mount_free_all();
5088 flush_ports(&exposed
);
5090 while (arg_expose_ports
) {
5091 ExposePort
*p
= arg_expose_ports
;
5092 LIST_REMOVE(ports
, arg_expose_ports
, p
);
5096 return r
< 0 ? EXIT_FAILURE
: ret
;