X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fnspawn.c;h=685b4d4e50d4b5c588ebd8374d028b2cb83b046b;hb=3bdf9c1d0a241eff2d17591854172725682b27cd;hp=6f5a9d9547d52931fcd5d5d68aac244e6214c1c4;hpb=4d1c38b8072dca18807371170d5e14fa8dc0baa5;p=elogind.git diff --git a/src/nspawn.c b/src/nspawn.c index 6f5a9d954..685b4d4e5 100644 --- a/src/nspawn.c +++ b/src/nspawn.c @@ -6,16 +6,16 @@ Copyright 2010 Lennart Poettering systemd is free software; you can redistribute it and/or modify it - under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. systemd is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. + Lesser General Public License for more details. - You should have received a copy of the GNU General Public License + You should have received a copy of the GNU Lesser General Public License along with systemd; If not, see . ***/ @@ -43,6 +43,8 @@ #include "log.h" #include "util.h" +#include "mkdir.h" +#include "audit.h" #include "missing.h" #include "cgroup-util.h" #include "strv.h" @@ -50,16 +52,18 @@ static char *arg_directory = NULL; static char *arg_user = NULL; +static char **arg_controllers = NULL; static bool arg_private_network = false; static int help(void) { printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n" "Spawn a minimal namespace container for debugging, testing and building.\n\n" - " -h --help Show this help\n" - " -D --directory=NAME Root directory for the container\n" - " -u --user=USER Run the command under specified user or uid\n" - " --private-network Disable network in container\n", + " -h --help Show this help\n" + " -D --directory=NAME Root directory for the container\n" + " -u --user=USER Run the command under specified user or uid\n" + " -C --controllers=LIST Put the container in specified comma-separated cgroup hierarchies\n" + " --private-network Disable network in container\n", program_invocation_short_name); return 0; @@ -75,6 +79,7 @@ static int parse_argv(int argc, char *argv[]) { { "help", no_argument, NULL, 'h' }, { "directory", required_argument, NULL, 'D' }, { "user", required_argument, NULL, 'u' }, + { "controllers", required_argument, NULL, 'C' }, { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK }, { NULL, 0, NULL, 0 } }; @@ -84,7 +89,7 @@ static int parse_argv(int argc, char *argv[]) { assert(argc >= 0); assert(argv); - while ((c = getopt_long(argc, argv, "+hD:u:", options, NULL)) >= 0) { + while ((c = getopt_long(argc, argv, "+hD:u:C:", options, NULL)) >= 0) { switch (c) { @@ -110,6 +115,17 @@ static int parse_argv(int argc, char *argv[]) { break; + case 'C': + strv_free(arg_controllers); + arg_controllers = strv_split(optarg, ","); + if (!arg_controllers) { + log_error("Failed to split controllers list."); + return -ENOMEM; + } + strv_uniq(arg_controllers); + + break; + case ARG_PRIVATE_NETWORK: arg_private_network = true; break; @@ -143,9 +159,9 @@ static int mount_all(const char *dest) { { "/proc/sys", "/proc/sys", "bind", NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */ { "/sys", "/sys", "bind", NULL, MS_BIND, true }, /* Bind mount first */ { "/sys", "/sys", "bind", NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */ - { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID, true }, + { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true }, { "/dev/pts", "/dev/pts", "bind", NULL, MS_BIND, true }, - { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV, true }, + { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true }, #ifdef HAVE_SELINUX { "/sys/fs/selinux", "/sys/fs/selinux", "bind", NULL, MS_BIND, false }, /* Bind mount first */ { "/sys/fs/selinux", "/sys/fs/selinux", "bind", NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */ @@ -168,7 +184,8 @@ static int mount_all(const char *dest) { break; } - if ((t = path_is_mount_point(where, false)) < 0) { + t = path_is_mount_point(where, false); + if (t < 0) { log_error("Failed to detect whether %s is a mount point: %s", where, strerror(-t)); free(where); @@ -213,6 +230,11 @@ static int mount_all(const char *dest) { free(where); } + if (asprintf(&where, "%s/proc/kmsg", dest) >= 0) { + mount("/dev/null", where, "bind", MS_BIND, NULL); + free(where); + } + return r; } @@ -610,6 +632,7 @@ int main(int argc, char *argv[]) { pid_t pid = 0; int r = EXIT_FAILURE, k; char *oldcg = NULL, *newcg = NULL; + char **controller = NULL; int master = -1; const char *console = NULL; struct termios saved_attr, raw_attr; @@ -669,11 +692,18 @@ int main(int argc, char *argv[]) { goto finish; } - if ((k = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, newcg, 0)) < 0) { + k = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, newcg, 0); + if (k < 0) { log_error("Failed to create cgroup: %s", strerror(-k)); goto finish; } + STRV_FOREACH(controller,arg_controllers) { + k = cg_create_and_attach(*controller, newcg, 0); + if (k < 0) + log_warning("Failed to create cgroup in controller %s: %s", *controller, strerror(-k)); + } + if ((master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY)) < 0) { log_error("Failed to acquire pseudo tty: %m"); goto finish; @@ -887,6 +917,7 @@ finish: cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, newcg, true); free(arg_directory); + strv_free(arg_controllers); free(oldcg); free(newcg);