X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fnspawn%2Fnspawn.c;h=c346f58412e6add45d8d4a42752d2608a068e96a;hb=cb96a2c69a312fb089fef4501650f4fc40a1420b;hp=4e4c5601e74d28f63eae431822d0afd78ecb888a;hpb=51d88d1b4fb4ba7c2ecbc72cbbcababb21e4925f;p=elogind.git diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 4e4c5601e..c346f5841 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -33,6 +33,7 @@ #include #include #include +#include #include #include #include @@ -55,6 +56,9 @@ #include "loopback-setup.h" #include "sd-id128.h" #include "dev-setup.h" +#include "fdset.h" +#include "build.h" +#include "fileio.h" typedef enum LinkJournal { LINK_NO, @@ -94,13 +98,16 @@ static uint64_t arg_retain = (1ULL << CAP_SYS_PTRACE) | (1ULL << CAP_SYS_TTY_CONFIG) | (1ULL << CAP_SYS_RESOURCE) | - (1ULL << CAP_SYS_BOOT); + (1ULL << CAP_SYS_BOOT) | + (1ULL << CAP_AUDIT_WRITE) | + (1ULL << CAP_AUDIT_CONTROL); static int help(void) { printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n" "Spawn a minimal namespace container for debugging, testing and building.\n\n" " -h --help Show this help\n" + " --version Print version string\n" " -D --directory=NAME Root directory for the container\n" " -b --boot Boot up full system (i.e. invoke init)\n" " -u --user=USER Run the command under specified user or uid\n" @@ -119,7 +126,8 @@ static int help(void) { static int parse_argv(int argc, char *argv[]) { enum { - ARG_PRIVATE_NETWORK = 0x100, + ARG_VERSION = 0x100, + ARG_PRIVATE_NETWORK, ARG_UUID, ARG_READ_ONLY, ARG_CAPABILITY, @@ -128,6 +136,7 @@ static int parse_argv(int argc, char *argv[]) { static const struct option options[] = { { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, ARG_VERSION }, { "directory", required_argument, NULL, 'D' }, { "user", required_argument, NULL, 'u' }, { "controllers", required_argument, NULL, 'C' }, @@ -153,6 +162,11 @@ static int parse_argv(int argc, char *argv[]) { help(); return 0; + case ARG_VERSION: + puts(PACKAGE_STRING); + puts(SYSTEMD_FEATURES); + return 0; + case 'D': free(arg_directory); arg_directory = canonicalize_file_name(optarg); @@ -253,6 +267,11 @@ static int parse_argv(int argc, char *argv[]) { } } + if (optind < argc && arg_boot) { + log_error("Cannot specify a command together with '-b'"); + return -EINVAL; + } + return 1; } @@ -816,13 +835,18 @@ static int is_os_tree(const char *path) { return r < 0 ? 0 : 1; } -static int process_pty(int master, sigset_t *mask) { +static int process_pty(int master, pid_t pid, sigset_t *mask) { char in_buffer[LINE_MAX], out_buffer[LINE_MAX]; size_t in_buffer_full = 0, out_buffer_full = 0; struct epoll_event stdin_ev, stdout_ev, master_ev, signal_ev; bool stdin_readable = false, stdout_writable = false, master_readable = false, master_writable = false; int ep = -1, signal_fd = -1, r; + bool tried_orderly_shutdown = false; + + assert(master >= 0); + assert(pid > 0); + assert(mask); fd_nonblock(STDIN_FILENO, 1); fd_nonblock(STDOUT_FILENO, 1); @@ -868,8 +892,17 @@ static int process_pty(int master, sigset_t *mask) { signal_ev.events = EPOLLIN; signal_ev.data.fd = signal_fd; - if (epoll_ctl(ep, EPOLL_CTL_ADD, STDOUT_FILENO, &stdout_ev) < 0 || - epoll_ctl(ep, EPOLL_CTL_ADD, master, &master_ev) < 0 || + if (epoll_ctl(ep, EPOLL_CTL_ADD, STDOUT_FILENO, &stdout_ev) < 0) { + if (errno != EPERM) { + log_error("Failed to register stdout in epoll: %m"); + r = -errno; + goto finish; + } + /* stdout without epoll support. Likely redirected to regular file. */ + stdout_writable = true; + } + + if (epoll_ctl(ep, EPOLL_CTL_ADD, master, &master_ev) < 0 || epoll_ctl(ep, EPOLL_CTL_ADD, signal_fd, &signal_ev) < 0) { log_error("Failed to register fds in epoll: %m"); r = -errno; @@ -939,6 +972,14 @@ static int process_pty(int master, sigset_t *mask) { /* The window size changed, let's forward that. */ if (ioctl(STDIN_FILENO, TIOCGWINSZ, &ws) >= 0) ioctl(master, TIOCSWINSZ, &ws); + } else if (sfsi.ssi_signo == SIGTERM && arg_boot && !tried_orderly_shutdown) { + + log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination."); + + /* This only works for systemd... */ + tried_orderly_shutdown = true; + kill(pid, SIGRTMIN+3); + } else { r = 0; goto finish; @@ -1041,13 +1082,14 @@ int main(int argc, char *argv[]) { int r = EXIT_FAILURE, k; char *oldcg = NULL, *newcg = NULL; char **controller = NULL; - int master = -1; + int master = -1, n_fd_passed; const char *console = NULL; struct termios saved_attr, raw_attr; sigset_t mask; bool saved_attr_valid = false; struct winsize ws; int kmsg_socket_pair[2] = { -1, -1 }; + FDSet *fds = NULL; log_parse_environment(); log_open(); @@ -1092,6 +1134,18 @@ int main(int argc, char *argv[]) { goto finish; } + log_close(); + n_fd_passed = sd_listen_fds(false); + if (n_fd_passed > 0) { + k = fdset_new_listen_fds(&fds, false); + if (k < 0) { + log_error("Failed to collect file descriptors: %s", strerror(-k)); + goto finish; + } + } + fdset_close_others(fds); + log_open(); + k = cg_get_by_pid(SYSTEMD_CGROUP_CONTROLLER, 0, &oldcg); if (k < 0) { log_error("Failed to determine current cgroup: %s", strerror(-k)); @@ -1156,12 +1210,11 @@ int main(int argc, char *argv[]) { for (;;) { siginfo_t status; + int pipefd[2]; - if (saved_attr_valid) { - if (tcsetattr(STDIN_FILENO, TCSANOW, &raw_attr) < 0) { - log_error("Failed to set terminal attributes: %m"); - goto finish; - } + if(pipe2(pipefd, O_NONBLOCK|O_CLOEXEC) < 0) { + log_error("pipe2(): %m"); + goto finish; } pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS|(arg_private_network ? CLONE_NEWNET : 0), NULL); @@ -1176,10 +1229,10 @@ int main(int argc, char *argv[]) { if (pid == 0) { /* child */ - const char *home = NULL; uid_t uid = (uid_t) -1; gid_t gid = (gid_t) -1; + unsigned n_env = 0; const char *envp[] = { "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */ @@ -1188,28 +1241,56 @@ int main(int argc, char *argv[]) { NULL, /* USER */ NULL, /* LOGNAME */ NULL, /* container_uuid */ + NULL, /* LISTEN_FDS */ + NULL, /* LISTEN_PID */ NULL }; envp[2] = strv_find_prefix(environ, "TERM="); + n_env = 3; + + close_nointr_nofail(pipefd[1]); + fd_wait_for_event(pipefd[0], POLLHUP, -1); + close_nointr_nofail(pipefd[0]); close_nointr_nofail(master); + master = -1; + + if (saved_attr_valid) { + if (tcsetattr(STDIN_FILENO, TCSANOW, &raw_attr) < 0) { + log_error("Failed to set terminal attributes: %m"); + goto child_fail; + } + } close_nointr(STDIN_FILENO); close_nointr(STDOUT_FILENO); close_nointr(STDERR_FILENO); - close_all_fds(&kmsg_socket_pair[1], 1); + close_nointr_nofail(kmsg_socket_pair[0]); + kmsg_socket_pair[0] = -1; reset_all_signal_handlers(); assert_se(sigemptyset(&mask) == 0); assert_se(sigprocmask(SIG_SETMASK, &mask, NULL) == 0); - if (open_terminal(console, O_RDWR) != STDIN_FILENO || - dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO || - dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) + k = open_terminal(console, O_RDWR); + if (k != STDIN_FILENO) { + if (k >= 0) { + close_nointr_nofail(k); + k = -EINVAL; + } + + log_error("Failed to open console: %s", strerror(-k)); goto child_fail; + } + + if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO || + dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) { + log_error("Failed to duplicate console: %m"); + goto child_fail; + } if (setsid() < 0) { log_error("setsid() failed: %m"); @@ -1256,6 +1337,7 @@ int main(int argc, char *argv[]) { goto child_fail; close_nointr_nofail(kmsg_socket_pair[1]); + kmsg_socket_pair[1] = -1; if (setup_boot_id(arg_directory) < 0) goto child_fail; @@ -1354,15 +1436,29 @@ int main(int argc, char *argv[]) { } } - if ((asprintf((char**)(envp + 3), "HOME=%s", home ? home: "/root") < 0) || - (asprintf((char**)(envp + 4), "USER=%s", arg_user ? arg_user : "root") < 0) || - (asprintf((char**)(envp + 5), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) { + if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) || + (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) || + (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) { log_oom(); goto child_fail; } if (arg_uuid) { - if (asprintf((char**)(envp + 6), "container_uuid=%s", arg_uuid) < 0) { + if (asprintf((char**)(envp + n_env++), "container_uuid=%s", arg_uuid) < 0) { + log_oom(); + goto child_fail; + } + } + + if (fdset_size(fds) > 0) { + k = fdset_cloexec(fds, false); + if (k < 0) { + log_error("Failed to unset O_CLOEXEC for file descriptors."); + goto child_fail; + } + + if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) || + (asprintf((char **)(envp + n_env++), "LISTEN_PID=%lu", (unsigned long) getpid()) < 0)) { log_oom(); goto child_fail; } @@ -1401,9 +1497,15 @@ int main(int argc, char *argv[]) { _exit(EXIT_FAILURE); } - if (process_pty(master, &mask) < 0) - goto finish; + log_info("Init process in the container running as PID %d", pid); + close_nointr_nofail(pipefd[0]); + close_nointr_nofail(pipefd[1]); + fdset_free(fds); + fds = NULL; + + if (process_pty(master, pid, &mask) < 0) + goto finish; if (saved_attr_valid) tcsetattr(STDIN_FILENO, TCSANOW, &saved_attr); @@ -1465,5 +1567,7 @@ finish: free(oldcg); free(newcg); + fdset_free(fds); + return r; }