1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
37 #include <sys/signalfd.h>
41 #include <sys/socket.h>
42 #include <linux/netlink.h>
44 #include <linux/veth.h>
45 #include <sys/personality.h>
46 #include <linux/loop.h>
49 #include <selinux/selinux.h>
57 #include <blkid/blkid.h>
60 #include "sd-daemon.h"
70 #include "cgroup-util.h"
72 #include "path-util.h"
73 #include "loopback-setup.h"
74 #include "dev-setup.h"
79 #include "bus-error.h"
81 #include "bus-kernel.h"
84 #include "rtnl-util.h"
85 #include "udev-util.h"
86 #include "blkid-util.h"
88 #include "siphash24.h"
90 #include "base-filesystem.h"
94 #include "seccomp-util.h"
97 typedef enum ContainerStatus {
102 typedef enum LinkJournal {
109 typedef enum Volatile {
115 static char *arg_directory = NULL;
116 static char *arg_user = NULL;
117 static sd_id128_t arg_uuid = {};
118 static char *arg_machine = NULL;
119 static const char *arg_selinux_context = NULL;
120 static const char *arg_selinux_apifs_context = NULL;
121 static const char *arg_slice = NULL;
122 static bool arg_private_network = false;
123 static bool arg_read_only = false;
124 static bool arg_boot = false;
125 static LinkJournal arg_link_journal = LINK_AUTO;
126 static uint64_t arg_retain =
127 (1ULL << CAP_CHOWN) |
128 (1ULL << CAP_DAC_OVERRIDE) |
129 (1ULL << CAP_DAC_READ_SEARCH) |
130 (1ULL << CAP_FOWNER) |
131 (1ULL << CAP_FSETID) |
132 (1ULL << CAP_IPC_OWNER) |
134 (1ULL << CAP_LEASE) |
135 (1ULL << CAP_LINUX_IMMUTABLE) |
136 (1ULL << CAP_NET_BIND_SERVICE) |
137 (1ULL << CAP_NET_BROADCAST) |
138 (1ULL << CAP_NET_RAW) |
139 (1ULL << CAP_SETGID) |
140 (1ULL << CAP_SETFCAP) |
141 (1ULL << CAP_SETPCAP) |
142 (1ULL << CAP_SETUID) |
143 (1ULL << CAP_SYS_ADMIN) |
144 (1ULL << CAP_SYS_CHROOT) |
145 (1ULL << CAP_SYS_NICE) |
146 (1ULL << CAP_SYS_PTRACE) |
147 (1ULL << CAP_SYS_TTY_CONFIG) |
148 (1ULL << CAP_SYS_RESOURCE) |
149 (1ULL << CAP_SYS_BOOT) |
150 (1ULL << CAP_AUDIT_WRITE) |
151 (1ULL << CAP_AUDIT_CONTROL) |
153 static char **arg_bind = NULL;
154 static char **arg_bind_ro = NULL;
155 static char **arg_tmpfs = NULL;
156 static char **arg_setenv = NULL;
157 static bool arg_quiet = false;
158 static bool arg_share_system = false;
159 static bool arg_register = true;
160 static bool arg_keep_unit = false;
161 static char **arg_network_interfaces = NULL;
162 static char **arg_network_macvlan = NULL;
163 static bool arg_network_veth = false;
164 static const char *arg_network_bridge = NULL;
165 static unsigned long arg_personality = 0xffffffffLU;
166 static const char *arg_image = NULL;
167 static Volatile arg_volatile = VOLATILE_NO;
169 static void help(void) {
170 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
171 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
172 " -h --help Show this help\n"
173 " --version Print version string\n"
174 " -q --quiet Do not show status information\n"
175 " -D --directory=PATH Root directory for the container\n"
176 " -i --image=PATH File system device or image for the container\n"
177 " -b --boot Boot up full system (i.e. invoke init)\n"
178 " -u --user=USER Run the command under specified user or uid\n"
179 " -M --machine=NAME Set the machine name for the container\n"
180 " --uuid=UUID Set a specific machine UUID for the container\n"
181 " -S --slice=SLICE Place the container in the specified slice\n"
182 " --private-network Disable network in container\n"
183 " --network-interface=INTERFACE\n"
184 " Assign an existing network interface to the\n"
186 " --network-macvlan=INTERFACE\n"
187 " Create a macvlan network interface based on an\n"
188 " existing network interface to the container\n"
189 " --network-veth Add a virtual ethernet connection between host\n"
191 " --network-bridge=INTERFACE\n"
192 " Add a virtual ethernet connection between host\n"
193 " and container and add it to an existing bridge on\n"
195 " -Z --selinux-context=SECLABEL\n"
196 " Set the SELinux security context to be used by\n"
197 " processes in the container\n"
198 " -L --selinux-apifs-context=SECLABEL\n"
199 " Set the SELinux security context to be used by\n"
200 " API/tmpfs file systems in the container\n"
201 " --capability=CAP In addition to the default, retain specified\n"
203 " --drop-capability=CAP Drop the specified capability from the default set\n"
204 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n"
205 " -j Equivalent to --link-journal=host\n"
206 " --read-only Mount the root directory read-only\n"
207 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
209 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
210 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
211 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
212 " --share-system Share system namespaces with host\n"
213 " --register=BOOLEAN Register container as machine\n"
214 " --keep-unit Do not register a scope for the machine, reuse\n"
215 " the service unit nspawn is running in\n"
216 " --volatile[=MODE] Run the system in volatile mode\n",
217 program_invocation_short_name);
220 static int parse_argv(int argc, char *argv[]) {
237 ARG_NETWORK_INTERFACE,
245 static const struct option options[] = {
246 { "help", no_argument, NULL, 'h' },
247 { "version", no_argument, NULL, ARG_VERSION },
248 { "directory", required_argument, NULL, 'D' },
249 { "user", required_argument, NULL, 'u' },
250 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
251 { "boot", no_argument, NULL, 'b' },
252 { "uuid", required_argument, NULL, ARG_UUID },
253 { "read-only", no_argument, NULL, ARG_READ_ONLY },
254 { "capability", required_argument, NULL, ARG_CAPABILITY },
255 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
256 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
257 { "bind", required_argument, NULL, ARG_BIND },
258 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
259 { "tmpfs", required_argument, NULL, ARG_TMPFS },
260 { "machine", required_argument, NULL, 'M' },
261 { "slice", required_argument, NULL, 'S' },
262 { "setenv", required_argument, NULL, ARG_SETENV },
263 { "selinux-context", required_argument, NULL, 'Z' },
264 { "selinux-apifs-context", required_argument, NULL, 'L' },
265 { "quiet", no_argument, NULL, 'q' },
266 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
267 { "register", required_argument, NULL, ARG_REGISTER },
268 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
269 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
270 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
271 { "network-veth", no_argument, NULL, ARG_NETWORK_VETH },
272 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
273 { "personality", required_argument, NULL, ARG_PERSONALITY },
274 { "image", required_argument, NULL, 'i' },
275 { "volatile", optional_argument, NULL, ARG_VOLATILE },
280 uint64_t plus = 0, minus = 0;
285 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:", options, NULL)) >= 0)
294 puts(PACKAGE_STRING);
295 puts(SYSTEMD_FEATURES);
300 arg_directory = canonicalize_file_name(optarg);
301 if (!arg_directory) {
302 log_error("Invalid root directory: %m");
314 arg_user = strdup(optarg);
320 case ARG_NETWORK_BRIDGE:
321 arg_network_bridge = optarg;
325 case ARG_NETWORK_VETH:
326 arg_network_veth = true;
327 arg_private_network = true;
330 case ARG_NETWORK_INTERFACE:
331 if (strv_extend(&arg_network_interfaces, optarg) < 0)
334 arg_private_network = true;
337 case ARG_NETWORK_MACVLAN:
338 if (strv_extend(&arg_network_macvlan, optarg) < 0)
343 case ARG_PRIVATE_NETWORK:
344 arg_private_network = true;
352 r = sd_id128_from_string(optarg, &arg_uuid);
354 log_error("Invalid UUID: %s", optarg);
364 if (isempty(optarg)) {
369 if (!hostname_is_valid(optarg)) {
370 log_error("Invalid machine name: %s", optarg);
375 arg_machine = strdup(optarg);
383 arg_selinux_context = optarg;
387 arg_selinux_apifs_context = optarg;
391 arg_read_only = true;
395 case ARG_DROP_CAPABILITY: {
396 const char *state, *word;
399 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
400 _cleanup_free_ char *t;
403 t = strndup(word, length);
407 if (streq(t, "all")) {
408 if (c == ARG_CAPABILITY)
409 plus = (uint64_t) -1;
411 minus = (uint64_t) -1;
413 if (cap_from_name(t, &cap) < 0) {
414 log_error("Failed to parse capability %s.", t);
418 if (c == ARG_CAPABILITY)
419 plus |= 1ULL << (uint64_t) cap;
421 minus |= 1ULL << (uint64_t) cap;
429 arg_link_journal = LINK_GUEST;
432 case ARG_LINK_JOURNAL:
433 if (streq(optarg, "auto"))
434 arg_link_journal = LINK_AUTO;
435 else if (streq(optarg, "no"))
436 arg_link_journal = LINK_NO;
437 else if (streq(optarg, "guest"))
438 arg_link_journal = LINK_GUEST;
439 else if (streq(optarg, "host"))
440 arg_link_journal = LINK_HOST;
442 log_error("Failed to parse link journal mode %s", optarg);
450 _cleanup_free_ char *a = NULL, *b = NULL;
454 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
456 e = strchr(optarg, ':');
458 a = strndup(optarg, e - optarg);
468 if (!path_is_absolute(a) || !path_is_absolute(b)) {
469 log_error("Invalid bind mount specification: %s", optarg);
473 r = strv_extend(x, a);
477 r = strv_extend(x, b);
485 _cleanup_free_ char *a = NULL, *b = NULL;
488 e = strchr(optarg, ':');
490 a = strndup(optarg, e - optarg);
494 b = strdup("mode=0755");
500 if (!path_is_absolute(a)) {
501 log_error("Invalid tmpfs specification: %s", optarg);
505 r = strv_push(&arg_tmpfs, a);
511 r = strv_push(&arg_tmpfs, b);
523 if (!env_assignment_is_valid(optarg)) {
524 log_error("Environment variable assignment '%s' is not valid.", optarg);
528 n = strv_env_set(arg_setenv, optarg);
532 strv_free(arg_setenv);
541 case ARG_SHARE_SYSTEM:
542 arg_share_system = true;
546 r = parse_boolean(optarg);
548 log_error("Failed to parse --register= argument: %s", optarg);
556 arg_keep_unit = true;
559 case ARG_PERSONALITY:
561 arg_personality = personality_from_string(optarg);
562 if (arg_personality == 0xffffffffLU) {
563 log_error("Unknown or unsupported personality '%s'.", optarg);
572 arg_volatile = VOLATILE_YES;
574 r = parse_boolean(optarg);
576 if (streq(optarg, "state"))
577 arg_volatile = VOLATILE_STATE;
579 log_error("Failed to parse --volatile= argument: %s", optarg);
583 arg_volatile = r ? VOLATILE_YES : VOLATILE_NO;
592 assert_not_reached("Unhandled option");
595 if (arg_share_system)
596 arg_register = false;
598 if (arg_boot && arg_share_system) {
599 log_error("--boot and --share-system may not be combined.");
603 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
604 log_error("--keep-unit may not be used when invoked from a user session.");
608 if (arg_directory && arg_image) {
609 log_error("--directory= and --image= may not be combined.");
613 if (arg_volatile != VOLATILE_NO && arg_read_only) {
614 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
618 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
623 static int mount_all(const char *dest) {
625 typedef struct MountPoint {
634 static const MountPoint mount_table[] = {
635 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
636 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
637 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
638 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
639 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
640 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
641 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
642 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
644 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
645 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
652 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
653 _cleanup_free_ char *where = NULL;
655 _cleanup_free_ char *options = NULL;
660 where = strjoin(dest, "/", mount_table[k].where, NULL);
664 t = path_is_mount_point(where, true);
666 log_error("Failed to detect whether %s is a mount point: %s", where, strerror(-t));
674 /* Skip this entry if it is not a remount. */
675 if (mount_table[k].what && t > 0)
678 t = mkdir_p(where, 0755);
680 if (mount_table[k].fatal) {
681 log_error("Failed to create directory %s: %s", where, strerror(-t));
686 log_warning("Failed to create directory %s: %s", where, strerror(-t));
692 if (arg_selinux_apifs_context &&
693 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
694 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
701 o = mount_table[k].options;
704 if (mount(mount_table[k].what,
707 mount_table[k].flags,
710 if (mount_table[k].fatal) {
711 log_error("mount(%s) failed: %m", where);
716 log_warning("mount(%s) failed: %m", where);
723 static int mount_binds(const char *dest, char **l, bool ro) {
726 STRV_FOREACH_PAIR(x, y, l) {
727 _cleanup_free_ char *where = NULL;
728 struct stat source_st, dest_st;
731 if (stat(*x, &source_st) < 0) {
732 log_error("Failed to stat %s: %m", *x);
736 where = strappend(dest, *y);
740 r = stat(where, &dest_st);
742 if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
743 log_error("The file types of %s and %s do not match. Refusing bind mount", *x, where);
746 } else if (errno == ENOENT) {
747 r = mkdir_parents_label(where, 0755);
749 log_error("Failed to bind mount %s: %s", *x, strerror(-r));
753 log_error("Failed to bind mount %s: %m", *x);
757 /* Create the mount point, but be conservative -- refuse to create block
758 * and char devices. */
759 if (S_ISDIR(source_st.st_mode)) {
760 r = mkdir_label(where, 0755);
762 log_error("Failed to create mount point %s: %s", where, strerror(-r));
766 } else if (S_ISFIFO(source_st.st_mode)) {
767 r = mkfifo(where, 0644);
768 if (r < 0 && errno != EEXIST) {
769 log_error("Failed to create mount point %s: %m", where);
773 } else if (S_ISSOCK(source_st.st_mode)) {
774 r = mknod(where, 0644 | S_IFSOCK, 0);
775 if (r < 0 && errno != EEXIST) {
776 log_error("Failed to create mount point %s: %m", where);
780 } else if (S_ISREG(source_st.st_mode)) {
783 log_error("Failed to create mount point %s: %s", where, strerror(-r));
788 log_error("Refusing to create mountpoint for file: %s", *x);
792 if (mount(*x, where, "bind", MS_BIND, NULL) < 0) {
793 log_error("mount(%s) failed: %m", where);
798 r = bind_remount_recursive(where, true);
800 log_error("Read-Only bind mount failed: %s", strerror(-r));
809 static int mount_tmpfs(const char *dest) {
812 STRV_FOREACH_PAIR(i, o, arg_tmpfs) {
813 _cleanup_free_ char *where = NULL;
816 where = strappend(dest, *i);
820 r = mkdir_label(where, 0755);
822 log_error("creating mount point for tmpfs %s failed: %s", where, strerror(-r));
827 if (mount("tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, *o) < 0) {
828 log_error("tmpfs mount to %s failed: %m", where);
836 static int setup_timezone(const char *dest) {
837 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
843 /* Fix the timezone, if possible */
844 r = readlink_malloc("/etc/localtime", &p);
846 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
850 z = path_startswith(p, "../usr/share/zoneinfo/");
852 z = path_startswith(p, "/usr/share/zoneinfo/");
854 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
858 where = strappend(dest, "/etc/localtime");
862 r = readlink_malloc(where, &q);
864 y = path_startswith(q, "../usr/share/zoneinfo/");
866 y = path_startswith(q, "/usr/share/zoneinfo/");
868 /* Already pointing to the right place? Then do nothing .. */
869 if (y && streq(y, z))
873 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
877 if (access(check, F_OK) < 0) {
878 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
882 what = strappend("../usr/share/zoneinfo/", z);
886 r = mkdir_parents(where, 0755);
888 log_error("Failed to create directory for timezone info %s in container: %s", where, strerror(-r));
894 if (r < 0 && errno != ENOENT) {
895 log_error("Failed to remove existing timezone info %s in container: %m", where);
900 if (symlink(what, where) < 0) {
901 log_error("Failed to correct timezone of container: %m");
908 static int setup_resolv_conf(const char *dest) {
909 _cleanup_free_ char *where = NULL;
914 if (arg_private_network)
917 /* Fix resolv.conf, if possible */
918 where = strappend(dest, "/etc/resolv.conf");
922 /* We don't really care for the results of this really. If it
923 * fails, it fails, but meh... */
924 r = mkdir_parents(where, 0755);
926 log_warning("Failed to create parent directory for resolv.conf %s: %s", where, strerror(-r));
931 r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644);
933 log_warning("Failed to copy /etc/resolv.conf to %s: %s", where, strerror(-r));
941 static int setup_volatile_state(const char *directory) {
947 if (arg_volatile != VOLATILE_STATE)
950 /* --volatile=state means we simply overmount /var
951 with a tmpfs, and the rest read-only. */
953 r = bind_remount_recursive(directory, true);
955 log_error("Failed to remount %s read-only: %s", directory, strerror(-r));
959 p = strappenda(directory, "/var");
961 if (r < 0 && errno != EEXIST) {
962 log_error("Failed to create %s: %m", directory);
966 if (mount("tmpfs", p, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
967 log_error("Failed to mount tmpfs to /var: %m");
974 static int setup_volatile(const char *directory) {
975 bool tmpfs_mounted = false, bind_mounted = false;
976 char template[] = "/tmp/nspawn-volatile-XXXXXX";
982 if (arg_volatile != VOLATILE_YES)
985 /* --volatile=yes means we mount a tmpfs to the root dir, and
986 the original /usr to use inside it, and that read-only. */
988 if (!mkdtemp(template)) {
989 log_error("Failed to create temporary directory: %m");
993 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
994 log_error("Failed to mount tmpfs for root directory: %m");
999 tmpfs_mounted = true;
1001 f = strappenda(directory, "/usr");
1002 t = strappenda(template, "/usr");
1005 if (r < 0 && errno != EEXIST) {
1006 log_error("Failed to create %s: %m", t);
1011 if (mount(f, t, "bind", MS_BIND|MS_REC, NULL) < 0) {
1012 log_error("Failed to create /usr bind mount: %m");
1017 bind_mounted = true;
1019 r = bind_remount_recursive(t, true);
1021 log_error("Failed to remount %s read-only: %s", t, strerror(-r));
1025 if (mount(template, directory, NULL, MS_MOVE, NULL) < 0) {
1026 log_error("Failed to move root mount: %m");
1044 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
1047 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1048 SD_ID128_FORMAT_VAL(id));
1053 static int setup_boot_id(const char *dest) {
1054 _cleanup_free_ char *from = NULL, *to = NULL;
1055 sd_id128_t rnd = {};
1061 if (arg_share_system)
1064 /* Generate a new randomized boot ID, so that each boot-up of
1065 * the container gets a new one */
1067 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
1068 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
1072 r = sd_id128_randomize(&rnd);
1074 log_error("Failed to generate random boot id: %s", strerror(-r));
1078 id128_format_as_uuid(rnd, as_uuid);
1080 r = write_string_file(from, as_uuid);
1082 log_error("Failed to write boot id: %s", strerror(-r));
1086 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1087 log_error("Failed to bind mount boot id: %m");
1089 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
1090 log_warning("Failed to make boot id read-only: %m");
1096 static int copy_devnodes(const char *dest) {
1098 static const char devnodes[] =
1108 _cleanup_umask_ mode_t u;
1114 NULSTR_FOREACH(d, devnodes) {
1115 _cleanup_free_ char *from = NULL, *to = NULL;
1118 from = strappend("/dev/", d);
1119 to = strjoin(dest, "/dev/", d, NULL);
1123 if (stat(from, &st) < 0) {
1125 if (errno != ENOENT) {
1126 log_error("Failed to stat %s: %m", from);
1130 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
1132 log_error("%s is not a char or block device, cannot copy", from);
1135 } else if (mknod(to, st.st_mode, st.st_rdev) < 0) {
1137 log_error("mknod(%s) failed: %m", dest);
1145 static int setup_ptmx(const char *dest) {
1146 _cleanup_free_ char *p = NULL;
1148 p = strappend(dest, "/dev/ptmx");
1152 if (symlink("pts/ptmx", p) < 0) {
1153 log_error("Failed to create /dev/ptmx symlink: %m");
1160 static int setup_dev_console(const char *dest, const char *console) {
1161 _cleanup_umask_ mode_t u;
1171 if (stat("/dev/null", &st) < 0) {
1172 log_error("Failed to stat /dev/null: %m");
1176 r = chmod_and_chown(console, 0600, 0, 0);
1178 log_error("Failed to correct access mode for TTY: %s", strerror(-r));
1182 /* We need to bind mount the right tty to /dev/console since
1183 * ptys can only exist on pts file systems. To have something
1184 * to bind mount things on we create a device node first, and
1185 * use /dev/null for that since we the cgroups device policy
1186 * allows us to create that freely, while we cannot create
1187 * /dev/console. (Note that the major minor doesn't actually
1188 * matter here, since we mount it over anyway). */
1190 to = strappenda(dest, "/dev/console");
1191 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0) {
1192 log_error("mknod() for /dev/console failed: %m");
1196 if (mount(console, to, "bind", MS_BIND, NULL) < 0) {
1197 log_error("Bind mount for /dev/console failed: %m");
1204 static int setup_kmsg(const char *dest, int kmsg_socket) {
1205 _cleanup_free_ char *from = NULL, *to = NULL;
1207 _cleanup_umask_ mode_t u;
1209 struct cmsghdr cmsghdr;
1210 uint8_t buf[CMSG_SPACE(sizeof(int))];
1212 struct msghdr mh = {
1213 .msg_control = &control,
1214 .msg_controllen = sizeof(control),
1216 struct cmsghdr *cmsg;
1219 assert(kmsg_socket >= 0);
1223 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1224 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1225 * on the reading side behave very similar to /proc/kmsg,
1226 * their writing side behaves differently from /dev/kmsg in
1227 * that writing blocks when nothing is reading. In order to
1228 * avoid any problems with containers deadlocking due to this
1229 * we simply make /dev/kmsg unavailable to the container. */
1230 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
1231 asprintf(&to, "%s/proc/kmsg", dest) < 0)
1234 if (mkfifo(from, 0600) < 0) {
1235 log_error("mkfifo() for /dev/kmsg failed: %m");
1239 r = chmod_and_chown(from, 0600, 0, 0);
1241 log_error("Failed to correct access mode for /dev/kmsg: %s", strerror(-r));
1245 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1246 log_error("Bind mount for /proc/kmsg failed: %m");
1250 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
1252 log_error("Failed to open fifo: %m");
1256 cmsg = CMSG_FIRSTHDR(&mh);
1257 cmsg->cmsg_level = SOL_SOCKET;
1258 cmsg->cmsg_type = SCM_RIGHTS;
1259 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1260 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1262 mh.msg_controllen = cmsg->cmsg_len;
1264 /* Store away the fd in the socket, so that it stays open as
1265 * long as we run the child */
1266 k = sendmsg(kmsg_socket, &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
1270 log_error("Failed to send FIFO fd: %m");
1274 /* And now make the FIFO unavailable as /dev/kmsg... */
1279 static int setup_hostname(void) {
1281 if (arg_share_system)
1284 if (sethostname(arg_machine, strlen(arg_machine)) < 0)
1290 static int setup_journal(const char *directory) {
1291 sd_id128_t machine_id, this_id;
1292 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1296 p = strappend(directory, "/etc/machine-id");
1300 r = read_one_line_file(p, &b);
1301 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1304 log_error("Failed to read machine ID from %s: %s", p, strerror(-r));
1309 if (isempty(id) && arg_link_journal == LINK_AUTO)
1312 /* Verify validity */
1313 r = sd_id128_from_string(id, &machine_id);
1315 log_error("Failed to parse machine ID from %s: %s", p, strerror(-r));
1319 r = sd_id128_get_machine(&this_id);
1321 log_error("Failed to retrieve machine ID: %s", strerror(-r));
1325 if (sd_id128_equal(machine_id, this_id)) {
1326 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1327 "Host and machine ids are equal (%s): refusing to link journals", id);
1328 if (arg_link_journal == LINK_AUTO)
1334 if (arg_link_journal == LINK_NO)
1338 p = strappend("/var/log/journal/", id);
1339 q = strjoin(directory, "/var/log/journal/", id, NULL);
1343 if (path_is_mount_point(p, false) > 0) {
1344 if (arg_link_journal != LINK_AUTO) {
1345 log_error("%s: already a mount point, refusing to use for journal", p);
1352 if (path_is_mount_point(q, false) > 0) {
1353 if (arg_link_journal != LINK_AUTO) {
1354 log_error("%s: already a mount point, refusing to use for journal", q);
1361 r = readlink_and_make_absolute(p, &d);
1363 if ((arg_link_journal == LINK_GUEST ||
1364 arg_link_journal == LINK_AUTO) &&
1367 r = mkdir_p(q, 0755);
1369 log_warning("Failed to create directory %s: %m", q);
1373 if (unlink(p) < 0) {
1374 log_error("Failed to remove symlink %s: %m", p);
1377 } else if (r == -EINVAL) {
1379 if (arg_link_journal == LINK_GUEST &&
1382 if (errno == ENOTDIR) {
1383 log_error("%s already exists and is neither a symlink nor a directory", p);
1386 log_error("Failed to remove %s: %m", p);
1390 } else if (r != -ENOENT) {
1391 log_error("readlink(%s) failed: %m", p);
1395 if (arg_link_journal == LINK_GUEST) {
1397 if (symlink(q, p) < 0) {
1398 log_error("Failed to symlink %s to %s: %m", q, p);
1402 r = mkdir_p(q, 0755);
1404 log_warning("Failed to create directory %s: %m", q);
1408 if (arg_link_journal == LINK_HOST) {
1409 r = mkdir_p(p, 0755);
1411 log_error("Failed to create %s: %m", p);
1415 } else if (access(p, F_OK) < 0)
1418 if (dir_is_empty(q) == 0)
1419 log_warning("%s is not empty, proceeding anyway.", q);
1421 r = mkdir_p(q, 0755);
1423 log_error("Failed to create %s: %m", q);
1427 if (mount(p, q, "bind", MS_BIND, NULL) < 0) {
1428 log_error("Failed to bind mount journal from host into guest: %m");
1435 static int setup_kdbus(const char *dest, const char *path) {
1441 p = strappenda(dest, "/dev/kdbus");
1442 if (mkdir(p, 0755) < 0) {
1443 log_error("Failed to create kdbus path: %m");
1447 if (mount(path, p, "bind", MS_BIND, NULL) < 0) {
1448 log_error("Failed to mount kdbus domain path: %m");
1455 static int drop_capabilities(void) {
1456 return capability_bounding_set_drop(~arg_retain, false);
1459 static int register_machine(pid_t pid, int local_ifindex) {
1460 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1461 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1467 r = sd_bus_default_system(&bus);
1469 log_error("Failed to open system bus: %s", strerror(-r));
1473 if (arg_keep_unit) {
1474 r = sd_bus_call_method(
1476 "org.freedesktop.machine1",
1477 "/org/freedesktop/machine1",
1478 "org.freedesktop.machine1.Manager",
1479 "RegisterMachineWithNetwork",
1484 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1488 strempty(arg_directory),
1489 local_ifindex > 0 ? 1 : 0, local_ifindex);
1491 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1493 r = sd_bus_message_new_method_call(
1496 "org.freedesktop.machine1",
1497 "/org/freedesktop/machine1",
1498 "org.freedesktop.machine1.Manager",
1499 "CreateMachineWithNetwork");
1501 log_error("Failed to create message: %s", strerror(-r));
1505 r = sd_bus_message_append(
1509 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1513 strempty(arg_directory),
1514 local_ifindex > 0 ? 1 : 0, local_ifindex);
1516 log_error("Failed to append message arguments: %s", strerror(-r));
1520 r = sd_bus_message_open_container(m, 'a', "(sv)");
1522 log_error("Failed to open container: %s", strerror(-r));
1526 if (!isempty(arg_slice)) {
1527 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
1529 log_error("Failed to append slice: %s", strerror(-r));
1534 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
1536 log_error("Failed to add device policy: %s", strerror(-r));
1540 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 10,
1541 /* Allow the container to
1542 * access and create the API
1543 * device nodes, so that
1544 * PrivateDevices= in the
1545 * container can work
1550 "/dev/random", "rwm",
1551 "/dev/urandom", "rwm",
1553 /* Allow the container
1554 * access to ptys. However,
1556 * container to ever create
1557 * these device nodes. */
1558 "/dev/pts/ptmx", "rw",
1560 /* Allow the container
1561 * access to all kdbus
1562 * devices. Again, the
1563 * container cannot create
1564 * these nodes, only use
1565 * them. We use a pretty
1566 * open match here, so that
1567 * the kernel API can still
1570 "char-kdbus/*", "rw");
1572 log_error("Failed to add device whitelist: %s", strerror(-r));
1576 r = sd_bus_message_close_container(m);
1578 log_error("Failed to close container: %s", strerror(-r));
1582 r = sd_bus_call(bus, m, 0, &error, NULL);
1586 log_error("Failed to register machine: %s", bus_error_message(&error, r));
1593 static int terminate_machine(pid_t pid) {
1594 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1595 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
1596 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1603 r = sd_bus_default_system(&bus);
1605 log_error("Failed to open system bus: %s", strerror(-r));
1609 r = sd_bus_call_method(
1611 "org.freedesktop.machine1",
1612 "/org/freedesktop/machine1",
1613 "org.freedesktop.machine1.Manager",
1620 /* Note that the machine might already have been
1621 * cleaned up automatically, hence don't consider it a
1622 * failure if we cannot get the machine object. */
1623 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
1627 r = sd_bus_message_read(reply, "o", &path);
1629 return bus_log_parse_error(r);
1631 r = sd_bus_call_method(
1633 "org.freedesktop.machine1",
1635 "org.freedesktop.machine1.Machine",
1641 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
1648 static int reset_audit_loginuid(void) {
1649 _cleanup_free_ char *p = NULL;
1652 if (arg_share_system)
1655 r = read_one_line_file("/proc/self/loginuid", &p);
1659 log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
1663 /* Already reset? */
1664 if (streq(p, "4294967295"))
1667 r = write_string_file("/proc/self/loginuid", "4294967295");
1669 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
1670 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1671 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1672 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1673 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
1681 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
1682 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
1684 static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key) {
1691 l = strlen(arg_machine);
1692 sz = sizeof(sd_id128_t) + l;
1695 /* fetch some persistent data unique to the host */
1696 r = sd_id128_get_machine((sd_id128_t*) v);
1700 /* combine with some data unique (on this host) to this
1701 * container instance */
1702 memcpy(v + sizeof(sd_id128_t), arg_machine, l);
1704 /* Let's hash the host machine ID plus the container name. We
1705 * use a fixed, but originally randomly created hash key here. */
1706 siphash24(result, v, sz, hash_key.bytes);
1708 assert_cc(ETH_ALEN <= sizeof(result));
1709 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
1711 /* see eth_random_addr in the kernel */
1712 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
1713 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
1718 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
1719 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1720 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1721 struct ether_addr mac_host, mac_container;
1724 if (!arg_private_network)
1727 if (!arg_network_veth)
1730 /* Use two different interface name prefixes depending whether
1731 * we are in bridge mode or not. */
1732 snprintf(iface_name, IFNAMSIZ - 1, "%s-%s",
1733 arg_network_bridge ? "vb" : "ve", arg_machine);
1735 r = generate_mac(&mac_container, CONTAINER_HASH_KEY);
1737 log_error("Failed to generate predictable MAC address for container side");
1741 r = generate_mac(&mac_host, HOST_HASH_KEY);
1743 log_error("Failed to generate predictable MAC address for host side");
1747 r = sd_rtnl_open(&rtnl, 0);
1749 log_error("Failed to connect to netlink: %s", strerror(-r));
1753 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1755 log_error("Failed to allocate netlink message: %s", strerror(-r));
1759 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
1761 log_error("Failed to add netlink interface name: %s", strerror(-r));
1765 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_host);
1767 log_error("Failed to add netlink MAC address: %s", strerror(-r));
1771 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1773 log_error("Failed to open netlink container: %s", strerror(-r));
1777 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
1779 log_error("Failed to open netlink container: %s", strerror(-r));
1783 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
1785 log_error("Failed to open netlink container: %s", strerror(-r));
1789 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
1791 log_error("Failed to add netlink interface name: %s", strerror(-r));
1795 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_container);
1797 log_error("Failed to add netlink MAC address: %s", strerror(-r));
1801 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1803 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1807 r = sd_rtnl_message_close_container(m);
1809 log_error("Failed to close netlink container: %s", strerror(-r));
1813 r = sd_rtnl_message_close_container(m);
1815 log_error("Failed to close netlink container: %s", strerror(-r));
1819 r = sd_rtnl_message_close_container(m);
1821 log_error("Failed to close netlink container: %s", strerror(-r));
1825 r = sd_rtnl_call(rtnl, m, 0, NULL);
1827 log_error("Failed to add new veth interfaces: %s", strerror(-r));
1831 i = (int) if_nametoindex(iface_name);
1833 log_error("Failed to resolve interface %s: %m", iface_name);
1842 static int setup_bridge(const char veth_name[], int *ifi) {
1843 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1844 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1847 if (!arg_private_network)
1850 if (!arg_network_veth)
1853 if (!arg_network_bridge)
1856 bridge = (int) if_nametoindex(arg_network_bridge);
1858 log_error("Failed to resolve interface %s: %m", arg_network_bridge);
1864 r = sd_rtnl_open(&rtnl, 0);
1866 log_error("Failed to connect to netlink: %s", strerror(-r));
1870 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
1872 log_error("Failed to allocate netlink message: %s", strerror(-r));
1876 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
1878 log_error("Failed to set IFF_UP flag: %s", strerror(-r));
1882 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
1884 log_error("Failed to add netlink interface name field: %s", strerror(-r));
1888 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
1890 log_error("Failed to add netlink master field: %s", strerror(-r));
1894 r = sd_rtnl_call(rtnl, m, 0, NULL);
1896 log_error("Failed to add veth interface to bridge: %s", strerror(-r));
1903 static int parse_interface(struct udev *udev, const char *name) {
1904 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1905 char ifi_str[2 + DECIMAL_STR_MAX(int)];
1908 ifi = (int) if_nametoindex(name);
1910 log_error("Failed to resolve interface %s: %m", name);
1914 sprintf(ifi_str, "n%i", ifi);
1915 d = udev_device_new_from_device_id(udev, ifi_str);
1917 log_error("Failed to get udev device for interface %s: %m", name);
1921 if (udev_device_get_is_initialized(d) <= 0) {
1922 log_error("Network interface %s is not initialized yet.", name);
1929 static int move_network_interfaces(pid_t pid) {
1930 _cleanup_udev_unref_ struct udev *udev = NULL;
1931 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1935 if (!arg_private_network)
1938 if (strv_isempty(arg_network_interfaces))
1941 r = sd_rtnl_open(&rtnl, 0);
1943 log_error("Failed to connect to netlink: %s", strerror(-r));
1949 log_error("Failed to connect to udev.");
1953 STRV_FOREACH(i, arg_network_interfaces) {
1954 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1957 ifi = parse_interface(udev, *i);
1961 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, ifi);
1963 log_error("Failed to allocate netlink message: %s", strerror(-r));
1967 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1969 log_error("Failed to append namespace PID to netlink message: %s", strerror(-r));
1973 r = sd_rtnl_call(rtnl, m, 0, NULL);
1975 log_error("Failed to move interface %s to namespace: %s", *i, strerror(-r));
1983 static int setup_macvlan(pid_t pid) {
1984 _cleanup_udev_unref_ struct udev *udev = NULL;
1985 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1989 if (!arg_private_network)
1992 if (strv_isempty(arg_network_macvlan))
1995 r = sd_rtnl_open(&rtnl, 0);
1997 log_error("Failed to connect to netlink: %s", strerror(-r));
2003 log_error("Failed to connect to udev.");
2007 STRV_FOREACH(i, arg_network_macvlan) {
2008 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2009 _cleanup_free_ char *n = NULL;
2012 ifi = parse_interface(udev, *i);
2016 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
2018 log_error("Failed to allocate netlink message: %s", strerror(-r));
2022 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
2024 log_error("Failed to add netlink interface index: %s", strerror(-r));
2028 n = strappend("mv-", *i);
2032 strshorten(n, IFNAMSIZ-1);
2034 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
2036 log_error("Failed to add netlink interface name: %s", strerror(-r));
2040 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2042 log_error("Failed to add netlink namespace field: %s", strerror(-r));
2046 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
2048 log_error("Failed to open netlink container: %s", strerror(-r));
2052 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
2054 log_error("Failed to open netlink container: %s", strerror(-r));
2058 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
2060 log_error("Failed to append macvlan mode: %s", strerror(-r));
2064 r = sd_rtnl_message_close_container(m);
2066 log_error("Failed to close netlink container: %s", strerror(-r));
2070 r = sd_rtnl_message_close_container(m);
2072 log_error("Failed to close netlink container: %s", strerror(-r));
2076 r = sd_rtnl_call(rtnl, m, 0, NULL);
2078 log_error("Failed to add new macvlan interfaces: %s", strerror(-r));
2086 static int setup_seccomp(void) {
2089 static const int blacklist[] = {
2090 SCMP_SYS(kexec_load),
2091 SCMP_SYS(open_by_handle_at),
2092 SCMP_SYS(init_module),
2093 SCMP_SYS(finit_module),
2094 SCMP_SYS(delete_module),
2101 scmp_filter_ctx seccomp;
2105 seccomp = seccomp_init(SCMP_ACT_ALLOW);
2109 r = seccomp_add_secondary_archs(seccomp);
2111 log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
2115 for (i = 0; i < ELEMENTSOF(blacklist); i++) {
2116 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
2118 continue; /* unknown syscall */
2120 log_error("Failed to block syscall: %s", strerror(-r));
2126 Audit is broken in containers, much of the userspace audit
2127 hookup will fail if running inside a container. We don't
2128 care and just turn off creation of audit sockets.
2130 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
2131 with EAFNOSUPPORT which audit userspace uses as indication
2132 that audit is disabled in the kernel.
2135 r = seccomp_rule_add(
2137 SCMP_ACT_ERRNO(EAFNOSUPPORT),
2140 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
2141 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
2143 log_error("Failed to add audit seccomp rule: %s", strerror(-r));
2147 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
2149 log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
2153 r = seccomp_load(seccomp);
2155 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
2158 seccomp_release(seccomp);
2166 static int setup_image(char **device_path, int *loop_nr) {
2167 struct loop_info64 info = {
2168 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
2170 _cleanup_close_ int fd = -1, control = -1, loop = -1;
2171 _cleanup_free_ char* loopdev = NULL;
2175 assert(device_path);
2178 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2180 log_error("Failed to open %s: %m", arg_image);
2184 if (fstat(fd, &st) < 0) {
2185 log_error("Failed to stat %s: %m", arg_image);
2189 if (S_ISBLK(st.st_mode)) {
2192 p = strdup(arg_image);
2206 if (!S_ISREG(st.st_mode)) {
2207 log_error("%s is not a regular file or block device: %m", arg_image);
2211 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2213 log_error("Failed to open /dev/loop-control: %m");
2217 nr = ioctl(control, LOOP_CTL_GET_FREE);
2219 log_error("Failed to allocate loop device: %m");
2223 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
2226 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2228 log_error("Failed to open loop device %s: %m", loopdev);
2232 if (ioctl(loop, LOOP_SET_FD, fd) < 0) {
2233 log_error("Failed to set loopback file descriptor on %s: %m", loopdev);
2238 info.lo_flags |= LO_FLAGS_READ_ONLY;
2240 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0) {
2241 log_error("Failed to set loopback settings on %s: %m", loopdev);
2245 *device_path = loopdev;
2256 static int dissect_image(
2258 char **root_device, bool *root_device_rw,
2259 char **home_device, bool *home_device_rw,
2260 char **srv_device, bool *srv_device_rw,
2264 int home_nr = -1, root_nr = -1, secondary_root_nr = -1, srv_nr = -1;
2265 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL;
2266 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
2267 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2268 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2269 _cleanup_udev_unref_ struct udev *udev = NULL;
2270 struct udev_list_entry *first, *item;
2271 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true;
2272 const char *pttype = NULL;
2278 assert(root_device);
2279 assert(home_device);
2283 b = blkid_new_probe();
2288 r = blkid_probe_set_device(b, fd, 0, 0);
2293 log_error("Failed to set device on blkid probe: %m");
2297 blkid_probe_enable_partitions(b, 1);
2298 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
2301 r = blkid_do_safeprobe(b);
2302 if (r == -2 || r == 1) {
2303 log_error("Failed to identify any partition table on %s.\n"
2304 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2306 } else if (r != 0) {
2309 log_error("Failed to probe: %m");
2313 blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
2314 if (!streq_ptr(pttype, "gpt")) {
2315 log_error("Image %s does not carry a GUID Partition Table.\n"
2316 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2321 pl = blkid_probe_get_partitions(b);
2326 log_error("Failed to list partitions of %s", arg_image);
2334 if (fstat(fd, &st) < 0) {
2335 log_error("Failed to stat block device: %m");
2339 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2343 e = udev_enumerate_new(udev);
2347 r = udev_enumerate_add_match_parent(e, d);
2351 r = udev_enumerate_scan_devices(e);
2353 log_error("Failed to scan for partition devices of %s: %s", arg_image, strerror(-r));
2357 first = udev_enumerate_get_list_entry(e);
2358 udev_list_entry_foreach(item, first) {
2359 _cleanup_udev_device_unref_ struct udev_device *q;
2360 const char *stype, *node;
2361 unsigned long long flags;
2368 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2373 log_error("Failed to get partition device of %s: %m", arg_image);
2377 qn = udev_device_get_devnum(q);
2381 if (st.st_rdev == qn)
2384 node = udev_device_get_devnode(q);
2388 pp = blkid_partlist_devno_to_partition(pl, qn);
2392 flags = blkid_partition_get_flags(pp);
2393 if (flags & GPT_FLAG_NO_AUTO)
2396 nr = blkid_partition_get_partno(pp);
2400 stype = blkid_partition_get_type_string(pp);
2404 if (sd_id128_from_string(stype, &type_id) < 0)
2407 if (sd_id128_equal(type_id, GPT_HOME)) {
2409 if (home && nr >= home_nr)
2413 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2416 home = strdup(node);
2419 } else if (sd_id128_equal(type_id, GPT_SRV)) {
2421 if (srv && nr >= srv_nr)
2425 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
2432 #ifdef GPT_ROOT_NATIVE
2433 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
2435 if (root && nr >= root_nr)
2439 root_rw = !(flags & GPT_FLAG_READ_ONLY);
2442 root = strdup(node);
2447 #ifdef GPT_ROOT_SECONDARY
2448 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
2450 if (secondary_root && nr >= secondary_root_nr)
2453 secondary_root_nr = nr;
2454 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
2457 free(secondary_root);
2458 secondary_root = strdup(node);
2459 if (!secondary_root)
2465 if (!root && !secondary_root) {
2466 log_error("Failed to identify root partition in disk image %s.\n"
2467 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2472 *root_device = root;
2475 *root_device_rw = root_rw;
2477 } else if (secondary_root) {
2478 *root_device = secondary_root;
2479 secondary_root = NULL;
2481 *root_device_rw = secondary_root_rw;
2486 *home_device = home;
2489 *home_device_rw = home_rw;
2496 *srv_device_rw = srv_rw;
2501 log_error("--image= is not supported, compiled without blkid support.");
2506 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
2508 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2509 const char *fstype, *p;
2519 p = strappenda(where, directory);
2524 b = blkid_new_probe_from_filename(what);
2528 log_error("Failed to allocate prober for %s: %m", what);
2532 blkid_probe_enable_superblocks(b, 1);
2533 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
2536 r = blkid_do_safeprobe(b);
2537 if (r == -1 || r == 1) {
2538 log_error("Cannot determine file system type of %s", what);
2540 } else if (r != 0) {
2543 log_error("Failed to probe %s: %m", what);
2548 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
2551 log_error("Failed to determine file system type of %s", what);
2555 if (streq(fstype, "crypto_LUKS")) {
2556 log_error("nspawn currently does not support LUKS disk images.");
2560 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0) {
2561 log_error("Failed to mount %s: %m", what);
2567 log_error("--image= is not supported, compiled without blkid support.");
2572 static int mount_devices(
2574 const char *root_device, bool root_device_rw,
2575 const char *home_device, bool home_device_rw,
2576 const char *srv_device, bool srv_device_rw) {
2582 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
2584 log_error("Failed to mount root directory: %s", strerror(-r));
2590 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
2592 log_error("Failed to mount home directory: %s", strerror(-r));
2598 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
2600 log_error("Failed to mount server data directory: %s", strerror(-r));
2608 static void loop_remove(int nr, int *image_fd) {
2609 _cleanup_close_ int control = -1;
2615 if (image_fd && *image_fd >= 0) {
2616 r = ioctl(*image_fd, LOOP_CLR_FD);
2618 log_warning("Failed to close loop image: %m");
2619 *image_fd = safe_close(*image_fd);
2622 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2624 log_warning("Failed to open /dev/loop-control: %m");
2628 r = ioctl(control, LOOP_CTL_REMOVE, nr);
2630 log_warning("Failed to remove loop %d: %m", nr);
2633 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
2641 if (pipe2(pipe_fds, O_CLOEXEC) < 0) {
2642 log_error("Failed to allocate pipe: %m");
2648 log_error("Failed to fork getent child: %m");
2650 } else if (pid == 0) {
2652 char *empty_env = NULL;
2654 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
2655 _exit(EXIT_FAILURE);
2657 if (pipe_fds[0] > 2)
2658 safe_close(pipe_fds[0]);
2659 if (pipe_fds[1] > 2)
2660 safe_close(pipe_fds[1]);
2662 nullfd = open("/dev/null", O_RDWR);
2664 _exit(EXIT_FAILURE);
2666 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
2667 _exit(EXIT_FAILURE);
2669 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
2670 _exit(EXIT_FAILURE);
2675 reset_all_signal_handlers();
2676 close_all_fds(NULL, 0);
2678 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
2679 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
2680 _exit(EXIT_FAILURE);
2683 pipe_fds[1] = safe_close(pipe_fds[1]);
2690 static int change_uid_gid(char **_home) {
2691 char line[LINE_MAX], *x, *u, *g, *h;
2692 const char *word, *state;
2693 _cleanup_free_ uid_t *uids = NULL;
2694 _cleanup_free_ char *home = NULL;
2695 _cleanup_fclose_ FILE *f = NULL;
2696 _cleanup_close_ int fd = -1;
2697 unsigned n_uids = 0;
2706 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
2707 /* Reset everything fully to 0, just in case */
2709 if (setgroups(0, NULL) < 0) {
2710 log_error("setgroups() failed: %m");
2714 if (setresgid(0, 0, 0) < 0) {
2715 log_error("setregid() failed: %m");
2719 if (setresuid(0, 0, 0) < 0) {
2720 log_error("setreuid() failed: %m");
2728 /* First, get user credentials */
2729 fd = spawn_getent("passwd", arg_user, &pid);
2733 f = fdopen(fd, "r");
2738 if (!fgets(line, sizeof(line), f)) {
2741 log_error("Failed to resolve user %s.", arg_user);
2745 log_error("Failed to read from getent: %m");
2751 wait_for_terminate_and_warn("getent passwd", pid);
2753 x = strchr(line, ':');
2755 log_error("/etc/passwd entry has invalid user field.");
2759 u = strchr(x+1, ':');
2761 log_error("/etc/passwd entry has invalid password field.");
2768 log_error("/etc/passwd entry has invalid UID field.");
2776 log_error("/etc/passwd entry has invalid GID field.");
2781 h = strchr(x+1, ':');
2783 log_error("/etc/passwd entry has invalid GECOS field.");
2790 log_error("/etc/passwd entry has invalid home directory field.");
2796 r = parse_uid(u, &uid);
2798 log_error("Failed to parse UID of user.");
2802 r = parse_gid(g, &gid);
2804 log_error("Failed to parse GID of user.");
2812 /* Second, get group memberships */
2813 fd = spawn_getent("initgroups", arg_user, &pid);
2818 f = fdopen(fd, "r");
2823 if (!fgets(line, sizeof(line), f)) {
2825 log_error("Failed to resolve user %s.", arg_user);
2829 log_error("Failed to read from getent: %m");
2835 wait_for_terminate_and_warn("getent initgroups", pid);
2837 /* Skip over the username and subsequent separator whitespace */
2839 x += strcspn(x, WHITESPACE);
2840 x += strspn(x, WHITESPACE);
2842 FOREACH_WORD(word, l, x, state) {
2848 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
2851 r = parse_uid(c, &uids[n_uids++]);
2853 log_error("Failed to parse group data from getent.");
2858 r = mkdir_parents(home, 0775);
2860 log_error("Failed to make home root directory: %s", strerror(-r));
2864 r = mkdir_safe(home, 0755, uid, gid);
2865 if (r < 0 && r != -EEXIST) {
2866 log_error("Failed to make home directory: %s", strerror(-r));
2870 fchown(STDIN_FILENO, uid, gid);
2871 fchown(STDOUT_FILENO, uid, gid);
2872 fchown(STDERR_FILENO, uid, gid);
2874 if (setgroups(n_uids, uids) < 0) {
2875 log_error("Failed to set auxiliary groups: %m");
2879 if (setresgid(gid, gid, gid) < 0) {
2880 log_error("setregid() failed: %m");
2884 if (setresuid(uid, uid, uid) < 0) {
2885 log_error("setreuid() failed: %m");
2899 * < 0 : wait_for_terminate() failed to get the state of the
2900 * container, the container was terminated by a signal, or
2901 * failed for an unknown reason. No change is made to the
2902 * container argument.
2903 * > 0 : The program executed in the container terminated with an
2904 * error. The exit code of the program executed in the
2905 * container is returned. No change is made to the container
2907 * 0 : The container is being rebooted, has been shut down or exited
2908 * successfully. The container argument has been set to either
2909 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2911 * That is, success is indicated by a return value of zero, and an
2912 * error is indicated by a non-zero value.
2914 static int wait_for_container(pid_t pid, ContainerStatus *container) {
2918 r = wait_for_terminate(pid, &status);
2920 log_warning("Failed to wait for container: %s", strerror(-r));
2924 switch (status.si_code) {
2926 r = status.si_status;
2929 log_debug("Container %s exited successfully.",
2932 *container = CONTAINER_TERMINATED;
2934 log_error("Container %s failed with error code %i.",
2935 arg_machine, status.si_status);
2940 if (status.si_status == SIGINT) {
2942 log_info("Container %s has been shut down.",
2945 *container = CONTAINER_TERMINATED;
2948 } else if (status.si_status == SIGHUP) {
2950 log_info("Container %s is being rebooted.",
2953 *container = CONTAINER_REBOOTED;
2957 /* CLD_KILLED fallthrough */
2960 log_error("Container %s terminated by signal %s.",
2961 arg_machine, signal_to_string(status.si_status));
2966 log_error("Container %s failed due to unknown reason.",
2975 static void nop_handler(int sig) {}
2977 int main(int argc, char *argv[]) {
2979 _cleanup_free_ char *kdbus_domain = NULL, *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
2980 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
2981 _cleanup_close_ int master = -1, kdbus_fd = -1, image_fd = -1;
2982 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 };
2983 _cleanup_fdset_free_ FDSet *fds = NULL;
2984 int r = EXIT_FAILURE, k, n_fd_passed, loop_nr = -1;
2985 const char *console = NULL;
2986 char veth_name[IFNAMSIZ];
2987 bool secondary = false;
2988 sigset_t mask, mask_chld;
2991 log_parse_environment();
2994 k = parse_argv(argc, argv);
3003 if (arg_directory) {
3006 p = path_make_absolute_cwd(arg_directory);
3007 free(arg_directory);
3010 arg_directory = get_current_dir_name();
3012 if (!arg_directory) {
3013 log_error("Failed to determine path, please use -D.");
3016 path_kill_slashes(arg_directory);
3020 arg_machine = strdup(basename(arg_image ? arg_image : arg_directory));
3026 hostname_cleanup(arg_machine, false);
3027 if (isempty(arg_machine)) {
3028 log_error("Failed to determine machine name automatically, please use -M.");
3033 if (geteuid() != 0) {
3034 log_error("Need to be root.");
3038 if (sd_booted() <= 0) {
3039 log_error("Not running on a systemd system.");
3044 n_fd_passed = sd_listen_fds(false);
3045 if (n_fd_passed > 0) {
3046 k = fdset_new_listen_fds(&fds, false);
3048 log_error("Failed to collect file descriptors: %s", strerror(-k));
3052 fdset_close_others(fds);
3055 if (arg_directory) {
3056 if (path_equal(arg_directory, "/")) {
3057 log_error("Spawning container on root directory not supported.");
3062 if (path_is_os_tree(arg_directory) <= 0) {
3063 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory);
3069 p = strappenda(arg_directory,
3070 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
3071 if (access(p, F_OK) < 0) {
3072 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
3078 char template[] = "/tmp/nspawn-root-XXXXXX";
3080 if (!mkdtemp(template)) {
3081 log_error("Failed to create temporary directory: %m");
3086 arg_directory = strdup(template);
3087 if (!arg_directory) {
3092 image_fd = setup_image(&device_path, &loop_nr);
3098 r = dissect_image(image_fd,
3099 &root_device, &root_device_rw,
3100 &home_device, &home_device_rw,
3101 &srv_device, &srv_device_rw,
3107 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
3109 log_error("Failed to acquire pseudo tty: %m");
3113 console = ptsname(master);
3115 log_error("Failed to determine tty name: %m");
3120 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3121 arg_machine, arg_image ? arg_image : arg_directory);
3123 if (unlockpt(master) < 0) {
3124 log_error("Failed to unlock tty: %m");
3128 if (access("/dev/kdbus/control", F_OK) >= 0) {
3130 if (arg_share_system) {
3131 kdbus_domain = strdup("/dev/kdbus");
3132 if (!kdbus_domain) {
3139 ns = strappenda("machine-", arg_machine);
3140 kdbus_fd = bus_kernel_create_domain(ns, &kdbus_domain);
3142 log_debug("Failed to create kdbus domain: %s", strerror(-r));
3144 log_debug("Successfully created kdbus domain as %s", kdbus_domain);
3148 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
3149 log_error("Failed to create kmsg socket pair: %m");
3155 "STATUS=Container running.");
3157 assert_se(sigemptyset(&mask) == 0);
3158 assert_se(sigemptyset(&mask_chld) == 0);
3159 sigaddset(&mask_chld, SIGCHLD);
3160 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
3161 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
3164 ContainerStatus container_status;
3165 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
3166 struct sigaction sa = {
3167 .sa_handler = nop_handler,
3168 .sa_flags = SA_NOCLDSTOP,
3171 r = barrier_create(&barrier);
3173 log_error("Cannot initialize IPC barrier: %s", strerror(-r));
3177 /* Child can be killed before execv(), so handle SIGCHLD
3178 * in order to interrupt parent's blocking calls and
3179 * give it a chance to call wait() and terminate. */
3180 r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL);
3182 log_error("Failed to change the signal mask: %m");
3186 r = sigaction(SIGCHLD, &sa, NULL);
3188 log_error("Failed to install SIGCHLD handler: %m");
3192 pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWNS|
3193 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
3194 (arg_private_network ? CLONE_NEWNET : 0), NULL);
3196 if (errno == EINVAL)
3197 log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3199 log_error("clone() failed: %m");
3207 _cleanup_free_ char *home = NULL;
3209 const char *envp[] = {
3210 "PATH=" DEFAULT_PATH_SPLIT_USR,
3211 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
3216 NULL, /* container_uuid */
3217 NULL, /* LISTEN_FDS */
3218 NULL, /* LISTEN_PID */
3223 barrier_set_role(&barrier, BARRIER_CHILD);
3225 envp[n_env] = strv_find_prefix(environ, "TERM=");
3229 master = safe_close(master);
3231 close_nointr(STDIN_FILENO);
3232 close_nointr(STDOUT_FILENO);
3233 close_nointr(STDERR_FILENO);
3235 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
3237 reset_all_signal_handlers();
3238 reset_signal_mask();
3240 k = open_terminal(console, O_RDWR);
3241 if (k != STDIN_FILENO) {
3247 log_error("Failed to open console: %s", strerror(-k));
3248 _exit(EXIT_FAILURE);
3251 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
3252 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
3253 log_error("Failed to duplicate console: %m");
3254 _exit(EXIT_FAILURE);
3258 log_error("setsid() failed: %m");
3259 _exit(EXIT_FAILURE);
3262 if (reset_audit_loginuid() < 0)
3263 _exit(EXIT_FAILURE);
3265 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
3266 log_error("PR_SET_PDEATHSIG failed: %m");
3267 _exit(EXIT_FAILURE);
3270 /* Mark everything as slave, so that we still
3271 * receive mounts from the real root, but don't
3272 * propagate mounts to the real root. */
3273 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
3274 log_error("MS_SLAVE|MS_REC failed: %m");
3275 _exit(EXIT_FAILURE);
3278 if (mount_devices(arg_directory,
3279 root_device, root_device_rw,
3280 home_device, home_device_rw,
3281 srv_device, srv_device_rw) < 0)
3282 _exit(EXIT_FAILURE);
3284 /* Turn directory into bind mount */
3285 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
3286 log_error("Failed to make bind mount: %m");
3287 _exit(EXIT_FAILURE);
3290 r = setup_volatile(arg_directory);
3292 _exit(EXIT_FAILURE);
3294 if (setup_volatile_state(arg_directory) < 0)
3295 _exit(EXIT_FAILURE);
3297 r = base_filesystem_create(arg_directory);
3299 _exit(EXIT_FAILURE);
3301 if (arg_read_only) {
3302 k = bind_remount_recursive(arg_directory, true);
3304 log_error("Failed to make tree read-only: %s", strerror(-k));
3305 _exit(EXIT_FAILURE);
3309 if (mount_all(arg_directory) < 0)
3310 _exit(EXIT_FAILURE);
3312 if (copy_devnodes(arg_directory) < 0)
3313 _exit(EXIT_FAILURE);
3315 if (setup_ptmx(arg_directory) < 0)
3316 _exit(EXIT_FAILURE);
3318 dev_setup(arg_directory);
3320 if (setup_seccomp() < 0)
3321 _exit(EXIT_FAILURE);
3323 if (setup_dev_console(arg_directory, console) < 0)
3324 _exit(EXIT_FAILURE);
3326 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
3327 _exit(EXIT_FAILURE);
3329 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
3331 if (setup_boot_id(arg_directory) < 0)
3332 _exit(EXIT_FAILURE);
3334 if (setup_timezone(arg_directory) < 0)
3335 _exit(EXIT_FAILURE);
3337 if (setup_resolv_conf(arg_directory) < 0)
3338 _exit(EXIT_FAILURE);
3340 if (setup_journal(arg_directory) < 0)
3341 _exit(EXIT_FAILURE);
3343 if (mount_binds(arg_directory, arg_bind, false) < 0)
3344 _exit(EXIT_FAILURE);
3346 if (mount_binds(arg_directory, arg_bind_ro, true) < 0)
3347 _exit(EXIT_FAILURE);
3349 if (mount_tmpfs(arg_directory) < 0)
3350 _exit(EXIT_FAILURE);
3352 if (setup_kdbus(arg_directory, kdbus_domain) < 0)
3353 _exit(EXIT_FAILURE);
3355 /* Tell the parent that we are ready, and that
3356 * it can cgroupify us to that we lack access
3357 * to certain devices and resources. */
3358 barrier_place(&barrier);
3360 if (chdir(arg_directory) < 0) {
3361 log_error("chdir(%s) failed: %m", arg_directory);
3362 _exit(EXIT_FAILURE);
3365 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
3366 log_error("mount(MS_MOVE) failed: %m");
3367 _exit(EXIT_FAILURE);
3370 if (chroot(".") < 0) {
3371 log_error("chroot() failed: %m");
3372 _exit(EXIT_FAILURE);
3375 if (chdir("/") < 0) {
3376 log_error("chdir() failed: %m");
3377 _exit(EXIT_FAILURE);
3382 if (arg_private_network)
3385 if (drop_capabilities() < 0) {
3386 log_error("drop_capabilities() failed: %m");
3387 _exit(EXIT_FAILURE);
3390 r = change_uid_gid(&home);
3392 _exit(EXIT_FAILURE);
3394 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
3395 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
3396 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
3398 _exit(EXIT_FAILURE);
3401 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
3404 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
3406 _exit(EXIT_FAILURE);
3410 if (fdset_size(fds) > 0) {
3411 k = fdset_cloexec(fds, false);
3413 log_error("Failed to unset O_CLOEXEC for file descriptors.");
3414 _exit(EXIT_FAILURE);
3417 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
3418 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
3420 _exit(EXIT_FAILURE);
3426 if (arg_personality != 0xffffffffLU) {
3427 if (personality(arg_personality) < 0) {
3428 log_error("personality() failed: %m");
3429 _exit(EXIT_FAILURE);
3431 } else if (secondary) {
3432 if (personality(PER_LINUX32) < 0) {
3433 log_error("personality() failed: %m");
3434 _exit(EXIT_FAILURE);
3439 if (arg_selinux_context)
3440 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
3441 log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
3442 _exit(EXIT_FAILURE);
3446 if (!strv_isempty(arg_setenv)) {
3449 n = strv_env_merge(2, envp, arg_setenv);
3452 _exit(EXIT_FAILURE);
3457 env_use = (char**) envp;
3459 /* Wait until the parent is ready with the setup, too... */
3460 if (!barrier_place_and_sync(&barrier))
3461 _exit(EXIT_FAILURE);
3467 /* Automatically search for the init system */
3469 l = 1 + argc - optind;
3470 a = newa(char*, l + 1);
3471 memcpy(a + 1, argv + optind, l * sizeof(char*));
3473 a[0] = (char*) "/usr/lib/systemd/systemd";
3474 execve(a[0], a, env_use);
3476 a[0] = (char*) "/lib/systemd/systemd";
3477 execve(a[0], a, env_use);
3479 a[0] = (char*) "/sbin/init";
3480 execve(a[0], a, env_use);
3481 } else if (argc > optind)
3482 execvpe(argv[optind], argv + optind, env_use);
3484 chdir(home ? home : "/root");
3485 execle("/bin/bash", "-bash", NULL, env_use);
3486 execle("/bin/sh", "-sh", NULL, env_use);
3489 log_error("execv() failed: %m");
3490 _exit(EXIT_FAILURE);
3493 barrier_set_role(&barrier, BARRIER_PARENT);
3497 /* wait for child-setup to be done */
3498 if (barrier_place_and_sync(&barrier)) {
3501 r = move_network_interfaces(pid);
3505 r = setup_veth(pid, veth_name, &ifi);
3509 r = setup_bridge(veth_name, &ifi);
3513 r = setup_macvlan(pid);
3517 r = register_machine(pid, ifi);
3521 /* Block SIGCHLD here, before notifying child.
3522 * process_pty() will handle it with the other signals. */
3523 r = sigprocmask(SIG_BLOCK, &mask_chld, NULL);
3527 /* Reset signal to default */
3528 r = default_signals(SIGCHLD, -1);
3532 /* Notify the child that the parent is ready with all
3533 * its setup, and that the child can now hand over
3534 * control to the code to run inside the container. */
3535 barrier_place(&barrier);
3537 k = process_pty(master, &mask, arg_boot ? pid : 0, SIGRTMIN+3);
3546 /* Kill if it is not dead yet anyway */
3547 terminate_machine(pid);
3550 /* Normally redundant, but better safe than sorry */
3553 r = wait_for_container(pid, &container_status);
3557 /* We failed to wait for the container, or the
3558 * container exited abnormally */
3561 } else if (r > 0 || container_status == CONTAINER_TERMINATED)
3562 /* The container exited with a non-zero
3563 * status, or with zero status and no reboot
3567 /* CONTAINER_REBOOTED, loop again */
3569 if (arg_keep_unit) {
3570 /* Special handling if we are running as a
3571 * service: instead of simply restarting the
3572 * machine we want to restart the entire
3573 * service, so let's inform systemd about this
3574 * with the special exit code 133. The service
3575 * file uses RestartForceExitStatus=133 so
3576 * that this results in a full nspawn
3577 * restart. This is necessary since we might
3578 * have cgroup parameters set we want to have
3588 "STATUS=Terminating...");
3590 loop_remove(loop_nr, &image_fd);
3595 free(arg_directory);
3598 strv_free(arg_setenv);
3599 strv_free(arg_network_interfaces);
3600 strv_free(arg_network_macvlan);
3601 strv_free(arg_bind);
3602 strv_free(arg_bind_ro);
3603 strv_free(arg_tmpfs);
~ianmdlvl / elogind.git / blob