1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
37 #include <sys/signalfd.h>
41 #include <sys/socket.h>
42 #include <linux/netlink.h>
44 #include <linux/veth.h>
45 #include <sys/personality.h>
46 #include <linux/loop.h>
49 #include <selinux/selinux.h>
57 #include <blkid/blkid.h>
60 #include "sd-daemon.h"
70 #include "cgroup-util.h"
72 #include "path-util.h"
73 #include "loopback-setup.h"
74 #include "dev-setup.h"
79 #include "bus-error.h"
81 #include "bus-kernel.h"
84 #include "rtnl-util.h"
85 #include "udev-util.h"
86 #include "blkid-util.h"
88 #include "siphash24.h"
90 #include "base-filesystem.h"
94 #include "seccomp-util.h"
97 typedef enum ContainerStatus {
102 typedef enum LinkJournal {
109 typedef enum Volatile {
115 static char *arg_directory = NULL;
116 static char *arg_user = NULL;
117 static sd_id128_t arg_uuid = {};
118 static char *arg_machine = NULL;
119 static const char *arg_selinux_context = NULL;
120 static const char *arg_selinux_apifs_context = NULL;
121 static const char *arg_slice = NULL;
122 static bool arg_private_network = false;
123 static bool arg_read_only = false;
124 static bool arg_boot = false;
125 static LinkJournal arg_link_journal = LINK_AUTO;
126 static uint64_t arg_retain =
127 (1ULL << CAP_CHOWN) |
128 (1ULL << CAP_DAC_OVERRIDE) |
129 (1ULL << CAP_DAC_READ_SEARCH) |
130 (1ULL << CAP_FOWNER) |
131 (1ULL << CAP_FSETID) |
132 (1ULL << CAP_IPC_OWNER) |
134 (1ULL << CAP_LEASE) |
135 (1ULL << CAP_LINUX_IMMUTABLE) |
136 (1ULL << CAP_NET_BIND_SERVICE) |
137 (1ULL << CAP_NET_BROADCAST) |
138 (1ULL << CAP_NET_RAW) |
139 (1ULL << CAP_SETGID) |
140 (1ULL << CAP_SETFCAP) |
141 (1ULL << CAP_SETPCAP) |
142 (1ULL << CAP_SETUID) |
143 (1ULL << CAP_SYS_ADMIN) |
144 (1ULL << CAP_SYS_CHROOT) |
145 (1ULL << CAP_SYS_NICE) |
146 (1ULL << CAP_SYS_PTRACE) |
147 (1ULL << CAP_SYS_TTY_CONFIG) |
148 (1ULL << CAP_SYS_RESOURCE) |
149 (1ULL << CAP_SYS_BOOT) |
150 (1ULL << CAP_AUDIT_WRITE) |
151 (1ULL << CAP_AUDIT_CONTROL) |
153 static char **arg_bind = NULL;
154 static char **arg_bind_ro = NULL;
155 static char **arg_tmpfs = NULL;
156 static char **arg_setenv = NULL;
157 static bool arg_quiet = false;
158 static bool arg_share_system = false;
159 static bool arg_register = true;
160 static bool arg_keep_unit = false;
161 static char **arg_network_interfaces = NULL;
162 static char **arg_network_macvlan = NULL;
163 static bool arg_network_veth = false;
164 static const char *arg_network_bridge = NULL;
165 static unsigned long arg_personality = 0xffffffffLU;
166 static const char *arg_image = NULL;
167 static Volatile arg_volatile = VOLATILE_NO;
169 static void help(void) {
170 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
171 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
172 " -h --help Show this help\n"
173 " --version Print version string\n"
174 " -q --quiet Do not show status information\n"
175 " -D --directory=PATH Root directory for the container\n"
176 " -i --image=PATH File system device or image for the container\n"
177 " -b --boot Boot up full system (i.e. invoke init)\n"
178 " -u --user=USER Run the command under specified user or uid\n"
179 " -M --machine=NAME Set the machine name for the container\n"
180 " --uuid=UUID Set a specific machine UUID for the container\n"
181 " -S --slice=SLICE Place the container in the specified slice\n"
182 " --private-network Disable network in container\n"
183 " --network-interface=INTERFACE\n"
184 " Assign an existing network interface to the\n"
186 " --network-macvlan=INTERFACE\n"
187 " Create a macvlan network interface based on an\n"
188 " existing network interface to the container\n"
189 " --network-veth Add a virtual ethernet connection between host\n"
191 " --network-bridge=INTERFACE\n"
192 " Add a virtual ethernet connection between host\n"
193 " and container and add it to an existing bridge on\n"
195 " -Z --selinux-context=SECLABEL\n"
196 " Set the SELinux security context to be used by\n"
197 " processes in the container\n"
198 " -L --selinux-apifs-context=SECLABEL\n"
199 " Set the SELinux security context to be used by\n"
200 " API/tmpfs file systems in the container\n"
201 " --capability=CAP In addition to the default, retain specified\n"
203 " --drop-capability=CAP Drop the specified capability from the default set\n"
204 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n"
205 " -j Equivalent to --link-journal=host\n"
206 " --read-only Mount the root directory read-only\n"
207 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
209 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
210 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
211 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
212 " --share-system Share system namespaces with host\n"
213 " --register=BOOLEAN Register container as machine\n"
214 " --keep-unit Do not register a scope for the machine, reuse\n"
215 " the service unit nspawn is running in\n"
216 " --volatile[=MODE] Run the system in volatile mode\n",
217 program_invocation_short_name);
220 static int parse_argv(int argc, char *argv[]) {
237 ARG_NETWORK_INTERFACE,
245 static const struct option options[] = {
246 { "help", no_argument, NULL, 'h' },
247 { "version", no_argument, NULL, ARG_VERSION },
248 { "directory", required_argument, NULL, 'D' },
249 { "user", required_argument, NULL, 'u' },
250 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
251 { "boot", no_argument, NULL, 'b' },
252 { "uuid", required_argument, NULL, ARG_UUID },
253 { "read-only", no_argument, NULL, ARG_READ_ONLY },
254 { "capability", required_argument, NULL, ARG_CAPABILITY },
255 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
256 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
257 { "bind", required_argument, NULL, ARG_BIND },
258 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
259 { "tmpfs", required_argument, NULL, ARG_TMPFS },
260 { "machine", required_argument, NULL, 'M' },
261 { "slice", required_argument, NULL, 'S' },
262 { "setenv", required_argument, NULL, ARG_SETENV },
263 { "selinux-context", required_argument, NULL, 'Z' },
264 { "selinux-apifs-context", required_argument, NULL, 'L' },
265 { "quiet", no_argument, NULL, 'q' },
266 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
267 { "register", required_argument, NULL, ARG_REGISTER },
268 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
269 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
270 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
271 { "network-veth", no_argument, NULL, ARG_NETWORK_VETH },
272 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
273 { "personality", required_argument, NULL, ARG_PERSONALITY },
274 { "image", required_argument, NULL, 'i' },
275 { "volatile", optional_argument, NULL, ARG_VOLATILE },
280 uint64_t plus = 0, minus = 0;
285 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:", options, NULL)) >= 0)
294 puts(PACKAGE_STRING);
295 puts(SYSTEMD_FEATURES);
300 arg_directory = canonicalize_file_name(optarg);
301 if (!arg_directory) {
302 log_error("Invalid root directory: %m");
314 arg_user = strdup(optarg);
320 case ARG_NETWORK_BRIDGE:
321 arg_network_bridge = optarg;
325 case ARG_NETWORK_VETH:
326 arg_network_veth = true;
327 arg_private_network = true;
330 case ARG_NETWORK_INTERFACE:
331 if (strv_extend(&arg_network_interfaces, optarg) < 0)
334 arg_private_network = true;
337 case ARG_NETWORK_MACVLAN:
338 if (strv_extend(&arg_network_macvlan, optarg) < 0)
343 case ARG_PRIVATE_NETWORK:
344 arg_private_network = true;
352 r = sd_id128_from_string(optarg, &arg_uuid);
354 log_error("Invalid UUID: %s", optarg);
364 if (isempty(optarg)) {
369 if (!hostname_is_valid(optarg)) {
370 log_error("Invalid machine name: %s", optarg);
375 arg_machine = strdup(optarg);
383 arg_selinux_context = optarg;
387 arg_selinux_apifs_context = optarg;
391 arg_read_only = true;
395 case ARG_DROP_CAPABILITY: {
396 const char *state, *word;
399 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
400 _cleanup_free_ char *t;
403 t = strndup(word, length);
407 if (streq(t, "all")) {
408 if (c == ARG_CAPABILITY)
409 plus = (uint64_t) -1;
411 minus = (uint64_t) -1;
413 if (cap_from_name(t, &cap) < 0) {
414 log_error("Failed to parse capability %s.", t);
418 if (c == ARG_CAPABILITY)
419 plus |= 1ULL << (uint64_t) cap;
421 minus |= 1ULL << (uint64_t) cap;
429 arg_link_journal = LINK_GUEST;
432 case ARG_LINK_JOURNAL:
433 if (streq(optarg, "auto"))
434 arg_link_journal = LINK_AUTO;
435 else if (streq(optarg, "no"))
436 arg_link_journal = LINK_NO;
437 else if (streq(optarg, "guest"))
438 arg_link_journal = LINK_GUEST;
439 else if (streq(optarg, "host"))
440 arg_link_journal = LINK_HOST;
442 log_error("Failed to parse link journal mode %s", optarg);
450 _cleanup_free_ char *a = NULL, *b = NULL;
454 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
456 e = strchr(optarg, ':');
458 a = strndup(optarg, e - optarg);
468 if (!path_is_absolute(a) || !path_is_absolute(b)) {
469 log_error("Invalid bind mount specification: %s", optarg);
473 r = strv_extend(x, a);
477 r = strv_extend(x, b);
485 _cleanup_free_ char *a = NULL, *b = NULL;
488 e = strchr(optarg, ':');
490 a = strndup(optarg, e - optarg);
494 b = strdup("mode=0755");
500 if (!path_is_absolute(a)) {
501 log_error("Invalid tmpfs specification: %s", optarg);
505 r = strv_push(&arg_tmpfs, a);
511 r = strv_push(&arg_tmpfs, b);
523 if (!env_assignment_is_valid(optarg)) {
524 log_error("Environment variable assignment '%s' is not valid.", optarg);
528 n = strv_env_set(arg_setenv, optarg);
532 strv_free(arg_setenv);
541 case ARG_SHARE_SYSTEM:
542 arg_share_system = true;
546 r = parse_boolean(optarg);
548 log_error("Failed to parse --register= argument: %s", optarg);
556 arg_keep_unit = true;
559 case ARG_PERSONALITY:
561 arg_personality = personality_from_string(optarg);
562 if (arg_personality == 0xffffffffLU) {
563 log_error("Unknown or unsupported personality '%s'.", optarg);
572 arg_volatile = VOLATILE_YES;
574 r = parse_boolean(optarg);
576 if (streq(optarg, "state"))
577 arg_volatile = VOLATILE_STATE;
579 log_error("Failed to parse --volatile= argument: %s", optarg);
583 arg_volatile = r ? VOLATILE_YES : VOLATILE_NO;
592 assert_not_reached("Unhandled option");
595 if (arg_share_system)
596 arg_register = false;
598 if (arg_boot && arg_share_system) {
599 log_error("--boot and --share-system may not be combined.");
603 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
604 log_error("--keep-unit may not be used when invoked from a user session.");
608 if (arg_directory && arg_image) {
609 log_error("--directory= and --image= may not be combined.");
613 if (arg_volatile != VOLATILE_NO && arg_read_only) {
614 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
618 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
623 static int mount_all(const char *dest) {
625 typedef struct MountPoint {
634 static const MountPoint mount_table[] = {
635 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
636 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
637 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
638 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
639 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
640 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
641 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
642 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
644 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
645 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
652 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
653 _cleanup_free_ char *where = NULL;
655 _cleanup_free_ char *options = NULL;
660 where = strjoin(dest, "/", mount_table[k].where, NULL);
664 t = path_is_mount_point(where, true);
666 log_error("Failed to detect whether %s is a mount point: %s", where, strerror(-t));
674 /* Skip this entry if it is not a remount. */
675 if (mount_table[k].what && t > 0)
678 mkdir_p(where, 0755);
681 if (arg_selinux_apifs_context &&
682 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
683 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
690 o = mount_table[k].options;
693 if (mount(mount_table[k].what,
696 mount_table[k].flags,
698 mount_table[k].fatal) {
700 log_error("mount(%s) failed: %m", where);
710 static int mount_binds(const char *dest, char **l, bool ro) {
713 STRV_FOREACH_PAIR(x, y, l) {
714 _cleanup_free_ char *where = NULL;
715 struct stat source_st, dest_st;
718 if (stat(*x, &source_st) < 0) {
719 log_error("Failed to stat %s: %m", *x);
723 where = strappend(dest, *y);
727 r = stat(where, &dest_st);
729 if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
730 log_error("The file types of %s and %s do not match. Refusing bind mount", *x, where);
733 } else if (errno == ENOENT) {
734 r = mkdir_parents_label(where, 0755);
736 log_error("Failed to bind mount %s: %s", *x, strerror(-r));
740 log_error("Failed to bind mount %s: %m", *x);
744 /* Create the mount point, but be conservative -- refuse to create block
745 * and char devices. */
746 if (S_ISDIR(source_st.st_mode))
747 mkdir_label(where, 0755);
748 else if (S_ISFIFO(source_st.st_mode))
750 else if (S_ISSOCK(source_st.st_mode))
751 mknod(where, 0644 | S_IFSOCK, 0);
752 else if (S_ISREG(source_st.st_mode))
755 log_error("Refusing to create mountpoint for file: %s", *x);
759 if (mount(*x, where, "bind", MS_BIND, NULL) < 0) {
760 log_error("mount(%s) failed: %m", where);
765 r = bind_remount_recursive(where, true);
767 log_error("Read-Only bind mount failed: %s", strerror(-r));
776 static int mount_tmpfs(const char *dest) {
779 STRV_FOREACH_PAIR(i, o, arg_tmpfs) {
780 _cleanup_free_ char *where = NULL;
782 where = strappend(dest, *i);
786 mkdir_label(where, 0755);
788 if (mount("tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, *o) < 0) {
789 log_error("tmpfs mount to %s failed: %m", where);
797 static int setup_timezone(const char *dest) {
798 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
804 /* Fix the timezone, if possible */
805 r = readlink_malloc("/etc/localtime", &p);
807 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
811 z = path_startswith(p, "../usr/share/zoneinfo/");
813 z = path_startswith(p, "/usr/share/zoneinfo/");
815 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
819 where = strappend(dest, "/etc/localtime");
823 r = readlink_malloc(where, &q);
825 y = path_startswith(q, "../usr/share/zoneinfo/");
827 y = path_startswith(q, "/usr/share/zoneinfo/");
829 /* Already pointing to the right place? Then do nothing .. */
830 if (y && streq(y, z))
834 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
838 if (access(check, F_OK) < 0) {
839 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
843 what = strappend("../usr/share/zoneinfo/", z);
847 mkdir_parents(where, 0755);
850 if (symlink(what, where) < 0) {
851 log_error("Failed to correct timezone of container: %m");
858 static int setup_resolv_conf(const char *dest) {
859 _cleanup_free_ char *where = NULL;
863 if (arg_private_network)
866 /* Fix resolv.conf, if possible */
867 where = strappend(dest, "/etc/resolv.conf");
871 /* We don't really care for the results of this really. If it
872 * fails, it fails, but meh... */
873 mkdir_parents(where, 0755);
874 copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644);
879 static int setup_volatile_state(const char *directory) {
885 if (arg_volatile != VOLATILE_STATE)
888 /* --volatile=state means we simply overmount /var
889 with a tmpfs, and the rest read-only. */
891 r = bind_remount_recursive(directory, true);
893 log_error("Failed to remount %s read-only: %s", directory, strerror(-r));
897 p = strappenda(directory, "/var");
900 if (mount("tmpfs", p, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
901 log_error("Failed to mount tmpfs to /var: %m");
908 static int setup_volatile(const char *directory) {
909 bool tmpfs_mounted = false, bind_mounted = false;
910 char template[] = "/tmp/nspawn-volatile-XXXXXX";
916 if (arg_volatile != VOLATILE_YES)
919 /* --volatile=yes means we mount a tmpfs to the root dir, and
920 the original /usr to use inside it, and that read-only. */
922 if (!mkdtemp(template)) {
923 log_error("Failed to create temporary directory: %m");
927 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
928 log_error("Failed to mount tmpfs for root directory: %m");
933 tmpfs_mounted = true;
935 f = strappenda(directory, "/usr");
936 t = strappenda(template, "/usr");
939 if (mount(f, t, "bind", MS_BIND|MS_REC, NULL) < 0) {
940 log_error("Failed to create /usr bind mount: %m");
947 r = bind_remount_recursive(t, true);
949 log_error("Failed to remount %s read-only: %s", t, strerror(-r));
953 if (mount(template, directory, NULL, MS_MOVE, NULL) < 0) {
954 log_error("Failed to move root mount: %m");
972 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
975 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
976 SD_ID128_FORMAT_VAL(id));
981 static int setup_boot_id(const char *dest) {
982 _cleanup_free_ char *from = NULL, *to = NULL;
989 if (arg_share_system)
992 /* Generate a new randomized boot ID, so that each boot-up of
993 * the container gets a new one */
995 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
996 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
1000 r = sd_id128_randomize(&rnd);
1002 log_error("Failed to generate random boot id: %s", strerror(-r));
1006 id128_format_as_uuid(rnd, as_uuid);
1008 r = write_string_file(from, as_uuid);
1010 log_error("Failed to write boot id: %s", strerror(-r));
1014 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1015 log_error("Failed to bind mount boot id: %m");
1017 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
1018 log_warning("Failed to make boot id read-only: %m");
1024 static int copy_devnodes(const char *dest) {
1026 static const char devnodes[] =
1036 _cleanup_umask_ mode_t u;
1042 NULSTR_FOREACH(d, devnodes) {
1043 _cleanup_free_ char *from = NULL, *to = NULL;
1046 from = strappend("/dev/", d);
1047 to = strjoin(dest, "/dev/", d, NULL);
1051 if (stat(from, &st) < 0) {
1053 if (errno != ENOENT) {
1054 log_error("Failed to stat %s: %m", from);
1058 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
1060 log_error("%s is not a char or block device, cannot copy", from);
1063 } else if (mknod(to, st.st_mode, st.st_rdev) < 0) {
1065 log_error("mknod(%s) failed: %m", dest);
1073 static int setup_ptmx(const char *dest) {
1074 _cleanup_free_ char *p = NULL;
1076 p = strappend(dest, "/dev/ptmx");
1080 if (symlink("pts/ptmx", p) < 0) {
1081 log_error("Failed to create /dev/ptmx symlink: %m");
1088 static int setup_dev_console(const char *dest, const char *console) {
1089 _cleanup_umask_ mode_t u;
1099 if (stat("/dev/null", &st) < 0) {
1100 log_error("Failed to stat /dev/null: %m");
1104 r = chmod_and_chown(console, 0600, 0, 0);
1106 log_error("Failed to correct access mode for TTY: %s", strerror(-r));
1110 /* We need to bind mount the right tty to /dev/console since
1111 * ptys can only exist on pts file systems. To have something
1112 * to bind mount things on we create a device node first, and
1113 * use /dev/null for that since we the cgroups device policy
1114 * allows us to create that freely, while we cannot create
1115 * /dev/console. (Note that the major minor doesn't actually
1116 * matter here, since we mount it over anyway). */
1118 to = strappenda(dest, "/dev/console");
1119 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0) {
1120 log_error("mknod() for /dev/console failed: %m");
1124 if (mount(console, to, "bind", MS_BIND, NULL) < 0) {
1125 log_error("Bind mount for /dev/console failed: %m");
1132 static int setup_kmsg(const char *dest, int kmsg_socket) {
1133 _cleanup_free_ char *from = NULL, *to = NULL;
1135 _cleanup_umask_ mode_t u;
1137 struct cmsghdr cmsghdr;
1138 uint8_t buf[CMSG_SPACE(sizeof(int))];
1140 struct msghdr mh = {
1141 .msg_control = &control,
1142 .msg_controllen = sizeof(control),
1144 struct cmsghdr *cmsg;
1147 assert(kmsg_socket >= 0);
1151 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1152 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1153 * on the reading side behave very similar to /proc/kmsg,
1154 * their writing side behaves differently from /dev/kmsg in
1155 * that writing blocks when nothing is reading. In order to
1156 * avoid any problems with containers deadlocking due to this
1157 * we simply make /dev/kmsg unavailable to the container. */
1158 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
1159 asprintf(&to, "%s/proc/kmsg", dest) < 0)
1162 if (mkfifo(from, 0600) < 0) {
1163 log_error("mkfifo() for /dev/kmsg failed: %m");
1167 r = chmod_and_chown(from, 0600, 0, 0);
1169 log_error("Failed to correct access mode for /dev/kmsg: %s", strerror(-r));
1173 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1174 log_error("Bind mount for /proc/kmsg failed: %m");
1178 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
1180 log_error("Failed to open fifo: %m");
1184 cmsg = CMSG_FIRSTHDR(&mh);
1185 cmsg->cmsg_level = SOL_SOCKET;
1186 cmsg->cmsg_type = SCM_RIGHTS;
1187 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1188 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1190 mh.msg_controllen = cmsg->cmsg_len;
1192 /* Store away the fd in the socket, so that it stays open as
1193 * long as we run the child */
1194 k = sendmsg(kmsg_socket, &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
1198 log_error("Failed to send FIFO fd: %m");
1202 /* And now make the FIFO unavailable as /dev/kmsg... */
1207 static int setup_hostname(void) {
1209 if (arg_share_system)
1212 if (sethostname(arg_machine, strlen(arg_machine)) < 0)
1218 static int setup_journal(const char *directory) {
1219 sd_id128_t machine_id, this_id;
1220 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1224 p = strappend(directory, "/etc/machine-id");
1228 r = read_one_line_file(p, &b);
1229 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1232 log_error("Failed to read machine ID from %s: %s", p, strerror(-r));
1237 if (isempty(id) && arg_link_journal == LINK_AUTO)
1240 /* Verify validity */
1241 r = sd_id128_from_string(id, &machine_id);
1243 log_error("Failed to parse machine ID from %s: %s", p, strerror(-r));
1247 r = sd_id128_get_machine(&this_id);
1249 log_error("Failed to retrieve machine ID: %s", strerror(-r));
1253 if (sd_id128_equal(machine_id, this_id)) {
1254 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1255 "Host and machine ids are equal (%s): refusing to link journals", id);
1256 if (arg_link_journal == LINK_AUTO)
1262 if (arg_link_journal == LINK_NO)
1266 p = strappend("/var/log/journal/", id);
1267 q = strjoin(directory, "/var/log/journal/", id, NULL);
1271 if (path_is_mount_point(p, false) > 0) {
1272 if (arg_link_journal != LINK_AUTO) {
1273 log_error("%s: already a mount point, refusing to use for journal", p);
1280 if (path_is_mount_point(q, false) > 0) {
1281 if (arg_link_journal != LINK_AUTO) {
1282 log_error("%s: already a mount point, refusing to use for journal", q);
1289 r = readlink_and_make_absolute(p, &d);
1291 if ((arg_link_journal == LINK_GUEST ||
1292 arg_link_journal == LINK_AUTO) &&
1295 r = mkdir_p(q, 0755);
1297 log_warning("failed to create directory %s: %m", q);
1301 if (unlink(p) < 0) {
1302 log_error("Failed to remove symlink %s: %m", p);
1305 } else if (r == -EINVAL) {
1307 if (arg_link_journal == LINK_GUEST &&
1310 if (errno == ENOTDIR) {
1311 log_error("%s already exists and is neither a symlink nor a directory", p);
1314 log_error("Failed to remove %s: %m", p);
1318 } else if (r != -ENOENT) {
1319 log_error("readlink(%s) failed: %m", p);
1323 if (arg_link_journal == LINK_GUEST) {
1325 if (symlink(q, p) < 0) {
1326 log_error("Failed to symlink %s to %s: %m", q, p);
1330 r = mkdir_p(q, 0755);
1332 log_warning("failed to create directory %s: %m", q);
1336 if (arg_link_journal == LINK_HOST) {
1337 r = mkdir_p(p, 0755);
1339 log_error("Failed to create %s: %m", p);
1343 } else if (access(p, F_OK) < 0)
1346 if (dir_is_empty(q) == 0)
1347 log_warning("%s is not empty, proceeding anyway.", q);
1349 r = mkdir_p(q, 0755);
1351 log_error("Failed to create %s: %m", q);
1355 if (mount(p, q, "bind", MS_BIND, NULL) < 0) {
1356 log_error("Failed to bind mount journal from host into guest: %m");
1363 static int setup_kdbus(const char *dest, const char *path) {
1369 p = strappenda(dest, "/dev/kdbus");
1370 if (mkdir(p, 0755) < 0) {
1371 log_error("Failed to create kdbus path: %m");
1375 if (mount(path, p, "bind", MS_BIND, NULL) < 0) {
1376 log_error("Failed to mount kdbus domain path: %m");
1383 static int drop_capabilities(void) {
1384 return capability_bounding_set_drop(~arg_retain, false);
1387 static int register_machine(pid_t pid, int local_ifindex) {
1388 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1389 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1395 r = sd_bus_default_system(&bus);
1397 log_error("Failed to open system bus: %s", strerror(-r));
1401 if (arg_keep_unit) {
1402 r = sd_bus_call_method(
1404 "org.freedesktop.machine1",
1405 "/org/freedesktop/machine1",
1406 "org.freedesktop.machine1.Manager",
1407 "RegisterMachineWithNetwork",
1412 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1416 strempty(arg_directory),
1417 local_ifindex > 0 ? 1 : 0, local_ifindex);
1419 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1421 r = sd_bus_message_new_method_call(
1424 "org.freedesktop.machine1",
1425 "/org/freedesktop/machine1",
1426 "org.freedesktop.machine1.Manager",
1427 "CreateMachineWithNetwork");
1429 log_error("Failed to create message: %s", strerror(-r));
1433 r = sd_bus_message_append(
1437 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1441 strempty(arg_directory),
1442 local_ifindex > 0 ? 1 : 0, local_ifindex);
1444 log_error("Failed to append message arguments: %s", strerror(-r));
1448 r = sd_bus_message_open_container(m, 'a', "(sv)");
1450 log_error("Failed to open container: %s", strerror(-r));
1454 if (!isempty(arg_slice)) {
1455 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
1457 log_error("Failed to append slice: %s", strerror(-r));
1462 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
1464 log_error("Failed to add device policy: %s", strerror(-r));
1468 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 10,
1469 /* Allow the container to
1470 * access and create the API
1471 * device nodes, so that
1472 * PrivateDevices= in the
1473 * container can work
1478 "/dev/random", "rwm",
1479 "/dev/urandom", "rwm",
1481 /* Allow the container
1482 * access to ptys. However,
1484 * container to ever create
1485 * these device nodes. */
1486 "/dev/pts/ptmx", "rw",
1488 /* Allow the container
1489 * access to all kdbus
1490 * devices. Again, the
1491 * container cannot create
1492 * these nodes, only use
1493 * them. We use a pretty
1494 * open match here, so that
1495 * the kernel API can still
1498 "char-kdbus/*", "rw");
1500 log_error("Failed to add device whitelist: %s", strerror(-r));
1504 r = sd_bus_message_close_container(m);
1506 log_error("Failed to close container: %s", strerror(-r));
1510 r = sd_bus_call(bus, m, 0, &error, NULL);
1514 log_error("Failed to register machine: %s", bus_error_message(&error, r));
1521 static int terminate_machine(pid_t pid) {
1522 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1523 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
1524 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1531 r = sd_bus_default_system(&bus);
1533 log_error("Failed to open system bus: %s", strerror(-r));
1537 r = sd_bus_call_method(
1539 "org.freedesktop.machine1",
1540 "/org/freedesktop/machine1",
1541 "org.freedesktop.machine1.Manager",
1548 /* Note that the machine might already have been
1549 * cleaned up automatically, hence don't consider it a
1550 * failure if we cannot get the machine object. */
1551 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
1555 r = sd_bus_message_read(reply, "o", &path);
1557 return bus_log_parse_error(r);
1559 r = sd_bus_call_method(
1561 "org.freedesktop.machine1",
1563 "org.freedesktop.machine1.Machine",
1569 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
1576 static int reset_audit_loginuid(void) {
1577 _cleanup_free_ char *p = NULL;
1580 if (arg_share_system)
1583 r = read_one_line_file("/proc/self/loginuid", &p);
1587 log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
1591 /* Already reset? */
1592 if (streq(p, "4294967295"))
1595 r = write_string_file("/proc/self/loginuid", "4294967295");
1597 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
1598 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1599 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1600 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1601 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
1609 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
1610 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
1612 static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key) {
1619 l = strlen(arg_machine);
1620 sz = sizeof(sd_id128_t) + l;
1623 /* fetch some persistent data unique to the host */
1624 r = sd_id128_get_machine((sd_id128_t*) v);
1628 /* combine with some data unique (on this host) to this
1629 * container instance */
1630 memcpy(v + sizeof(sd_id128_t), arg_machine, l);
1632 /* Let's hash the host machine ID plus the container name. We
1633 * use a fixed, but originally randomly created hash key here. */
1634 siphash24(result, v, sz, hash_key.bytes);
1636 assert_cc(ETH_ALEN <= sizeof(result));
1637 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
1639 /* see eth_random_addr in the kernel */
1640 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
1641 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
1646 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
1647 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1648 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1649 struct ether_addr mac_host, mac_container;
1652 if (!arg_private_network)
1655 if (!arg_network_veth)
1658 /* Use two different interface name prefixes depending whether
1659 * we are in bridge mode or not. */
1660 snprintf(iface_name, IFNAMSIZ, "%s-%s",
1661 arg_network_bridge ? "vb" : "ve", arg_machine);
1663 r = generate_mac(&mac_container, CONTAINER_HASH_KEY);
1665 log_error("Failed to generate predictable MAC address for container side");
1669 r = generate_mac(&mac_host, HOST_HASH_KEY);
1671 log_error("Failed to generate predictable MAC address for host side");
1675 r = sd_rtnl_open(&rtnl, 0);
1677 log_error("Failed to connect to netlink: %s", strerror(-r));
1681 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1683 log_error("Failed to allocate netlink message: %s", strerror(-r));
1687 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
1689 log_error("Failed to add netlink interface name: %s", strerror(-r));
1693 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_host);
1695 log_error("Failed to add netlink MAC address: %s", strerror(-r));
1699 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1701 log_error("Failed to open netlink container: %s", strerror(-r));
1705 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
1707 log_error("Failed to open netlink container: %s", strerror(-r));
1711 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
1713 log_error("Failed to open netlink container: %s", strerror(-r));
1717 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
1719 log_error("Failed to add netlink interface name: %s", strerror(-r));
1723 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_container);
1725 log_error("Failed to add netlink MAC address: %s", strerror(-r));
1729 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1731 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1735 r = sd_rtnl_message_close_container(m);
1737 log_error("Failed to close netlink container: %s", strerror(-r));
1741 r = sd_rtnl_message_close_container(m);
1743 log_error("Failed to close netlink container: %s", strerror(-r));
1747 r = sd_rtnl_message_close_container(m);
1749 log_error("Failed to close netlink container: %s", strerror(-r));
1753 r = sd_rtnl_call(rtnl, m, 0, NULL);
1755 log_error("Failed to add new veth interfaces: %s", strerror(-r));
1759 i = (int) if_nametoindex(iface_name);
1761 log_error("Failed to resolve interface %s: %m", iface_name);
1770 static int setup_bridge(const char veth_name[], int *ifi) {
1771 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1772 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1775 if (!arg_private_network)
1778 if (!arg_network_veth)
1781 if (!arg_network_bridge)
1784 bridge = (int) if_nametoindex(arg_network_bridge);
1786 log_error("Failed to resolve interface %s: %m", arg_network_bridge);
1792 r = sd_rtnl_open(&rtnl, 0);
1794 log_error("Failed to connect to netlink: %s", strerror(-r));
1798 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
1800 log_error("Failed to allocate netlink message: %s", strerror(-r));
1804 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
1806 log_error("Failed to set IFF_UP flag: %s", strerror(-r));
1810 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
1812 log_error("Failed to add netlink interface name field: %s", strerror(-r));
1816 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
1818 log_error("Failed to add netlink master field: %s", strerror(-r));
1822 r = sd_rtnl_call(rtnl, m, 0, NULL);
1824 log_error("Failed to add veth interface to bridge: %s", strerror(-r));
1831 static int parse_interface(struct udev *udev, const char *name) {
1832 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1833 char ifi_str[2 + DECIMAL_STR_MAX(int)];
1836 ifi = (int) if_nametoindex(name);
1838 log_error("Failed to resolve interface %s: %m", name);
1842 sprintf(ifi_str, "n%i", ifi);
1843 d = udev_device_new_from_device_id(udev, ifi_str);
1845 log_error("Failed to get udev device for interface %s: %m", name);
1849 if (udev_device_get_is_initialized(d) <= 0) {
1850 log_error("Network interface %s is not initialized yet.", name);
1857 static int move_network_interfaces(pid_t pid) {
1858 _cleanup_udev_unref_ struct udev *udev = NULL;
1859 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1863 if (!arg_private_network)
1866 if (strv_isempty(arg_network_interfaces))
1869 r = sd_rtnl_open(&rtnl, 0);
1871 log_error("Failed to connect to netlink: %s", strerror(-r));
1877 log_error("Failed to connect to udev.");
1881 STRV_FOREACH(i, arg_network_interfaces) {
1882 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1885 ifi = parse_interface(udev, *i);
1889 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, ifi);
1891 log_error("Failed to allocate netlink message: %s", strerror(-r));
1895 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1897 log_error("Failed to append namespace PID to netlink message: %s", strerror(-r));
1901 r = sd_rtnl_call(rtnl, m, 0, NULL);
1903 log_error("Failed to move interface %s to namespace: %s", *i, strerror(-r));
1911 static int setup_macvlan(pid_t pid) {
1912 _cleanup_udev_unref_ struct udev *udev = NULL;
1913 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1917 if (!arg_private_network)
1920 if (strv_isempty(arg_network_macvlan))
1923 r = sd_rtnl_open(&rtnl, 0);
1925 log_error("Failed to connect to netlink: %s", strerror(-r));
1931 log_error("Failed to connect to udev.");
1935 STRV_FOREACH(i, arg_network_macvlan) {
1936 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1937 _cleanup_free_ char *n = NULL;
1940 ifi = parse_interface(udev, *i);
1944 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1946 log_error("Failed to allocate netlink message: %s", strerror(-r));
1950 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
1952 log_error("Failed to add netlink interface index: %s", strerror(-r));
1956 n = strappend("mv-", *i);
1960 strshorten(n, IFNAMSIZ-1);
1962 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
1964 log_error("Failed to add netlink interface name: %s", strerror(-r));
1968 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1970 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1974 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1976 log_error("Failed to open netlink container: %s", strerror(-r));
1980 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
1982 log_error("Failed to open netlink container: %s", strerror(-r));
1986 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
1988 log_error("Failed to append macvlan mode: %s", strerror(-r));
1992 r = sd_rtnl_message_close_container(m);
1994 log_error("Failed to close netlink container: %s", strerror(-r));
1998 r = sd_rtnl_message_close_container(m);
2000 log_error("Failed to close netlink container: %s", strerror(-r));
2004 r = sd_rtnl_call(rtnl, m, 0, NULL);
2006 log_error("Failed to add new macvlan interfaces: %s", strerror(-r));
2014 static int setup_seccomp(void) {
2017 static const int blacklist[] = {
2018 SCMP_SYS(kexec_load),
2019 SCMP_SYS(open_by_handle_at),
2020 SCMP_SYS(init_module),
2021 SCMP_SYS(finit_module),
2022 SCMP_SYS(delete_module),
2029 scmp_filter_ctx seccomp;
2033 seccomp = seccomp_init(SCMP_ACT_ALLOW);
2037 r = seccomp_add_secondary_archs(seccomp);
2039 log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
2043 for (i = 0; i < ELEMENTSOF(blacklist); i++) {
2044 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
2046 continue; /* unknown syscall */
2048 log_error("Failed to block syscall: %s", strerror(-r));
2054 Audit is broken in containers, much of the userspace audit
2055 hookup will fail if running inside a container. We don't
2056 care and just turn off creation of audit sockets.
2058 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
2059 with EAFNOSUPPORT which audit userspace uses as indication
2060 that audit is disabled in the kernel.
2063 r = seccomp_rule_add(
2065 SCMP_ACT_ERRNO(EAFNOSUPPORT),
2068 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
2069 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
2071 log_error("Failed to add audit seccomp rule: %s", strerror(-r));
2075 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
2077 log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
2081 r = seccomp_load(seccomp);
2083 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
2086 seccomp_release(seccomp);
2094 static int setup_image(char **device_path, int *loop_nr) {
2095 struct loop_info64 info = {
2096 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
2098 _cleanup_close_ int fd = -1, control = -1, loop = -1;
2099 _cleanup_free_ char* loopdev = NULL;
2103 assert(device_path);
2106 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2108 log_error("Failed to open %s: %m", arg_image);
2112 if (fstat(fd, &st) < 0) {
2113 log_error("Failed to stat %s: %m", arg_image);
2117 if (S_ISBLK(st.st_mode)) {
2120 p = strdup(arg_image);
2134 if (!S_ISREG(st.st_mode)) {
2135 log_error("%s is not a regular file or block device: %m", arg_image);
2139 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2141 log_error("Failed to open /dev/loop-control: %m");
2145 nr = ioctl(control, LOOP_CTL_GET_FREE);
2147 log_error("Failed to allocate loop device: %m");
2151 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
2154 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2156 log_error("Failed to open loop device %s: %m", loopdev);
2160 if (ioctl(loop, LOOP_SET_FD, fd) < 0) {
2161 log_error("Failed to set loopback file descriptor on %s: %m", loopdev);
2166 info.lo_flags |= LO_FLAGS_READ_ONLY;
2168 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0) {
2169 log_error("Failed to set loopback settings on %s: %m", loopdev);
2173 *device_path = loopdev;
2184 static int dissect_image(
2186 char **root_device, bool *root_device_rw,
2187 char **home_device, bool *home_device_rw,
2188 char **srv_device, bool *srv_device_rw,
2192 int home_nr = -1, root_nr = -1, secondary_root_nr = -1, srv_nr = -1;
2193 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL;
2194 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
2195 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2196 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2197 _cleanup_udev_unref_ struct udev *udev = NULL;
2198 struct udev_list_entry *first, *item;
2199 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true;
2200 const char *pttype = NULL;
2206 assert(root_device);
2207 assert(home_device);
2211 b = blkid_new_probe();
2216 r = blkid_probe_set_device(b, fd, 0, 0);
2221 log_error("Failed to set device on blkid probe: %m");
2225 blkid_probe_enable_partitions(b, 1);
2226 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
2229 r = blkid_do_safeprobe(b);
2230 if (r == -2 || r == 1) {
2231 log_error("Failed to identify any partition table on %s.\n"
2232 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2234 } else if (r != 0) {
2237 log_error("Failed to probe: %m");
2241 blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
2242 if (!streq_ptr(pttype, "gpt")) {
2243 log_error("Image %s does not carry a GUID Partition Table.\n"
2244 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2249 pl = blkid_probe_get_partitions(b);
2254 log_error("Failed to list partitions of %s", arg_image);
2262 if (fstat(fd, &st) < 0) {
2263 log_error("Failed to stat block device: %m");
2267 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2271 e = udev_enumerate_new(udev);
2275 r = udev_enumerate_add_match_parent(e, d);
2279 r = udev_enumerate_scan_devices(e);
2281 log_error("Failed to scan for partition devices of %s: %s", arg_image, strerror(-r));
2285 first = udev_enumerate_get_list_entry(e);
2286 udev_list_entry_foreach(item, first) {
2287 _cleanup_udev_device_unref_ struct udev_device *q;
2288 const char *stype, *node;
2289 unsigned long long flags;
2296 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2301 log_error("Failed to get partition device of %s: %m", arg_image);
2305 qn = udev_device_get_devnum(q);
2309 if (st.st_rdev == qn)
2312 node = udev_device_get_devnode(q);
2316 pp = blkid_partlist_devno_to_partition(pl, qn);
2320 flags = blkid_partition_get_flags(pp);
2321 if (flags & GPT_FLAG_NO_AUTO)
2324 nr = blkid_partition_get_partno(pp);
2328 stype = blkid_partition_get_type_string(pp);
2332 if (sd_id128_from_string(stype, &type_id) < 0)
2335 if (sd_id128_equal(type_id, GPT_HOME)) {
2337 if (home && nr >= home_nr)
2341 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2344 home = strdup(node);
2347 } else if (sd_id128_equal(type_id, GPT_SRV)) {
2349 if (srv && nr >= srv_nr)
2353 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
2360 #ifdef GPT_ROOT_NATIVE
2361 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
2363 if (root && nr >= root_nr)
2367 root_rw = !(flags & GPT_FLAG_READ_ONLY);
2370 root = strdup(node);
2375 #ifdef GPT_ROOT_SECONDARY
2376 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
2378 if (secondary_root && nr >= secondary_root_nr)
2381 secondary_root_nr = nr;
2382 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
2385 free(secondary_root);
2386 secondary_root = strdup(node);
2387 if (!secondary_root)
2393 if (!root && !secondary_root) {
2394 log_error("Failed to identify root partition in disk image %s.\n"
2395 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2400 *root_device = root;
2403 *root_device_rw = root_rw;
2405 } else if (secondary_root) {
2406 *root_device = secondary_root;
2407 secondary_root = NULL;
2409 *root_device_rw = secondary_root_rw;
2414 *home_device = home;
2417 *home_device_rw = home_rw;
2424 *srv_device_rw = srv_rw;
2429 log_error("--image= is not supported, compiled without blkid support.");
2434 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
2436 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2437 const char *fstype, *p;
2447 p = strappenda(where, directory);
2452 b = blkid_new_probe_from_filename(what);
2456 log_error("Failed to allocate prober for %s: %m", what);
2460 blkid_probe_enable_superblocks(b, 1);
2461 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
2464 r = blkid_do_safeprobe(b);
2465 if (r == -1 || r == 1) {
2466 log_error("Cannot determine file system type of %s", what);
2468 } else if (r != 0) {
2471 log_error("Failed to probe %s: %m", what);
2476 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
2479 log_error("Failed to determine file system type of %s", what);
2483 if (streq(fstype, "crypto_LUKS")) {
2484 log_error("nspawn currently does not support LUKS disk images.");
2488 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0) {
2489 log_error("Failed to mount %s: %m", what);
2495 log_error("--image= is not supported, compiled without blkid support.");
2500 static int mount_devices(
2502 const char *root_device, bool root_device_rw,
2503 const char *home_device, bool home_device_rw,
2504 const char *srv_device, bool srv_device_rw) {
2510 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
2512 log_error("Failed to mount root directory: %s", strerror(-r));
2518 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
2520 log_error("Failed to mount home directory: %s", strerror(-r));
2526 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
2528 log_error("Failed to mount server data directory: %s", strerror(-r));
2536 static void loop_remove(int nr, int *image_fd) {
2537 _cleanup_close_ int control = -1;
2542 if (image_fd && *image_fd >= 0) {
2543 ioctl(*image_fd, LOOP_CLR_FD);
2544 *image_fd = safe_close(*image_fd);
2547 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2551 ioctl(control, LOOP_CTL_REMOVE, nr);
2554 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
2562 if (pipe2(pipe_fds, O_CLOEXEC) < 0) {
2563 log_error("Failed to allocate pipe: %m");
2569 log_error("Failed to fork getent child: %m");
2571 } else if (pid == 0) {
2573 char *empty_env = NULL;
2575 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
2576 _exit(EXIT_FAILURE);
2578 if (pipe_fds[0] > 2)
2579 safe_close(pipe_fds[0]);
2580 if (pipe_fds[1] > 2)
2581 safe_close(pipe_fds[1]);
2583 nullfd = open("/dev/null", O_RDWR);
2585 _exit(EXIT_FAILURE);
2587 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
2588 _exit(EXIT_FAILURE);
2590 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
2591 _exit(EXIT_FAILURE);
2596 reset_all_signal_handlers();
2597 close_all_fds(NULL, 0);
2599 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
2600 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
2601 _exit(EXIT_FAILURE);
2604 pipe_fds[1] = safe_close(pipe_fds[1]);
2611 static int change_uid_gid(char **_home) {
2612 char line[LINE_MAX], *x, *u, *g, *h;
2613 const char *word, *state;
2614 _cleanup_free_ uid_t *uids = NULL;
2615 _cleanup_free_ char *home = NULL;
2616 _cleanup_fclose_ FILE *f = NULL;
2617 _cleanup_close_ int fd = -1;
2618 unsigned n_uids = 0;
2627 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
2628 /* Reset everything fully to 0, just in case */
2630 if (setgroups(0, NULL) < 0) {
2631 log_error("setgroups() failed: %m");
2635 if (setresgid(0, 0, 0) < 0) {
2636 log_error("setregid() failed: %m");
2640 if (setresuid(0, 0, 0) < 0) {
2641 log_error("setreuid() failed: %m");
2649 /* First, get user credentials */
2650 fd = spawn_getent("passwd", arg_user, &pid);
2654 f = fdopen(fd, "r");
2659 if (!fgets(line, sizeof(line), f)) {
2662 log_error("Failed to resolve user %s.", arg_user);
2666 log_error("Failed to read from getent: %m");
2672 wait_for_terminate_and_warn("getent passwd", pid);
2674 x = strchr(line, ':');
2676 log_error("/etc/passwd entry has invalid user field.");
2680 u = strchr(x+1, ':');
2682 log_error("/etc/passwd entry has invalid password field.");
2689 log_error("/etc/passwd entry has invalid UID field.");
2697 log_error("/etc/passwd entry has invalid GID field.");
2702 h = strchr(x+1, ':');
2704 log_error("/etc/passwd entry has invalid GECOS field.");
2711 log_error("/etc/passwd entry has invalid home directory field.");
2717 r = parse_uid(u, &uid);
2719 log_error("Failed to parse UID of user.");
2723 r = parse_gid(g, &gid);
2725 log_error("Failed to parse GID of user.");
2733 /* Second, get group memberships */
2734 fd = spawn_getent("initgroups", arg_user, &pid);
2739 f = fdopen(fd, "r");
2744 if (!fgets(line, sizeof(line), f)) {
2746 log_error("Failed to resolve user %s.", arg_user);
2750 log_error("Failed to read from getent: %m");
2756 wait_for_terminate_and_warn("getent initgroups", pid);
2758 /* Skip over the username and subsequent separator whitespace */
2760 x += strcspn(x, WHITESPACE);
2761 x += strspn(x, WHITESPACE);
2763 FOREACH_WORD(word, l, x, state) {
2769 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
2772 r = parse_uid(c, &uids[n_uids++]);
2774 log_error("Failed to parse group data from getent.");
2779 r = mkdir_parents(home, 0775);
2781 log_error("Failed to make home root directory: %s", strerror(-r));
2785 r = mkdir_safe(home, 0755, uid, gid);
2786 if (r < 0 && r != -EEXIST) {
2787 log_error("Failed to make home directory: %s", strerror(-r));
2791 fchown(STDIN_FILENO, uid, gid);
2792 fchown(STDOUT_FILENO, uid, gid);
2793 fchown(STDERR_FILENO, uid, gid);
2795 if (setgroups(n_uids, uids) < 0) {
2796 log_error("Failed to set auxiliary groups: %m");
2800 if (setresgid(gid, gid, gid) < 0) {
2801 log_error("setregid() failed: %m");
2805 if (setresuid(uid, uid, uid) < 0) {
2806 log_error("setreuid() failed: %m");
2820 * < 0 : wait_for_terminate() failed to get the state of the
2821 * container, the container was terminated by a signal, or
2822 * failed for an unknown reason. No change is made to the
2823 * container argument.
2824 * > 0 : The program executed in the container terminated with an
2825 * error. The exit code of the program executed in the
2826 * container is returned. No change is made to the container
2828 * 0 : The container is being rebooted, has been shut down or exited
2829 * successfully. The container argument has been set to either
2830 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2832 * That is, success is indicated by a return value of zero, and an
2833 * error is indicated by a non-zero value.
2835 static int wait_for_container(pid_t pid, ContainerStatus *container) {
2839 r = wait_for_terminate(pid, &status);
2841 log_warning("Failed to wait for container: %s", strerror(-r));
2845 switch (status.si_code) {
2847 r = status.si_status;
2850 log_debug("Container %s exited successfully.",
2853 *container = CONTAINER_TERMINATED;
2855 log_error("Container %s failed with error code %i.",
2856 arg_machine, status.si_status);
2861 if (status.si_status == SIGINT) {
2863 log_info("Container %s has been shut down.",
2866 *container = CONTAINER_TERMINATED;
2869 } else if (status.si_status == SIGHUP) {
2871 log_info("Container %s is being rebooted.",
2874 *container = CONTAINER_REBOOTED;
2878 /* CLD_KILLED fallthrough */
2881 log_error("Container %s terminated by signal %s.",
2882 arg_machine, signal_to_string(status.si_status));
2887 log_error("Container %s failed due to unknown reason.",
2896 static void nop_handler(int sig) {}
2898 int main(int argc, char *argv[]) {
2900 _cleanup_free_ char *kdbus_domain = NULL, *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
2901 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
2902 _cleanup_close_ int master = -1, kdbus_fd = -1, image_fd = -1;
2903 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 };
2904 _cleanup_fdset_free_ FDSet *fds = NULL;
2905 int r = EXIT_FAILURE, k, n_fd_passed, loop_nr = -1;
2906 const char *console = NULL;
2907 char veth_name[IFNAMSIZ];
2908 bool secondary = false;
2909 sigset_t mask, mask_chld;
2912 log_parse_environment();
2915 k = parse_argv(argc, argv);
2924 if (arg_directory) {
2927 p = path_make_absolute_cwd(arg_directory);
2928 free(arg_directory);
2931 arg_directory = get_current_dir_name();
2933 if (!arg_directory) {
2934 log_error("Failed to determine path, please use -D.");
2937 path_kill_slashes(arg_directory);
2941 arg_machine = strdup(basename(arg_image ? arg_image : arg_directory));
2947 hostname_cleanup(arg_machine, false);
2948 if (isempty(arg_machine)) {
2949 log_error("Failed to determine machine name automatically, please use -M.");
2954 if (geteuid() != 0) {
2955 log_error("Need to be root.");
2959 if (sd_booted() <= 0) {
2960 log_error("Not running on a systemd system.");
2965 n_fd_passed = sd_listen_fds(false);
2966 if (n_fd_passed > 0) {
2967 k = fdset_new_listen_fds(&fds, false);
2969 log_error("Failed to collect file descriptors: %s", strerror(-k));
2973 fdset_close_others(fds);
2976 if (arg_directory) {
2977 if (path_equal(arg_directory, "/")) {
2978 log_error("Spawning container on root directory not supported.");
2983 if (path_is_os_tree(arg_directory) <= 0) {
2984 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory);
2990 p = strappenda(arg_directory,
2991 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
2992 if (access(p, F_OK) < 0) {
2993 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
2999 char template[] = "/tmp/nspawn-root-XXXXXX";
3001 if (!mkdtemp(template)) {
3002 log_error("Failed to create temporary directory: %m");
3007 arg_directory = strdup(template);
3008 if (!arg_directory) {
3013 image_fd = setup_image(&device_path, &loop_nr);
3019 r = dissect_image(image_fd,
3020 &root_device, &root_device_rw,
3021 &home_device, &home_device_rw,
3022 &srv_device, &srv_device_rw,
3028 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
3030 log_error("Failed to acquire pseudo tty: %m");
3034 console = ptsname(master);
3036 log_error("Failed to determine tty name: %m");
3041 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3042 arg_machine, arg_image ? arg_image : arg_directory);
3044 if (unlockpt(master) < 0) {
3045 log_error("Failed to unlock tty: %m");
3049 if (access("/dev/kdbus/control", F_OK) >= 0) {
3051 if (arg_share_system) {
3052 kdbus_domain = strdup("/dev/kdbus");
3053 if (!kdbus_domain) {
3060 ns = strappenda("machine-", arg_machine);
3061 kdbus_fd = bus_kernel_create_domain(ns, &kdbus_domain);
3063 log_debug("Failed to create kdbus domain: %s", strerror(-r));
3065 log_debug("Successfully created kdbus domain as %s", kdbus_domain);
3069 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
3070 log_error("Failed to create kmsg socket pair: %m");
3076 "STATUS=Container running.");
3078 assert_se(sigemptyset(&mask) == 0);
3079 assert_se(sigemptyset(&mask_chld) == 0);
3080 sigaddset(&mask_chld, SIGCHLD);
3081 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
3082 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
3085 ContainerStatus container_status;
3086 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
3087 struct sigaction sa = {
3088 .sa_handler = nop_handler,
3089 .sa_flags = SA_NOCLDSTOP,
3092 r = barrier_create(&barrier);
3094 log_error("Cannot initialize IPC barrier: %s", strerror(-r));
3098 /* Child can be killed before execv(), so handle SIGCHLD
3099 * in order to interrupt parent's blocking calls and
3100 * give it a chance to call wait() and terminate. */
3101 r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL);
3103 log_error("Failed to change the signal mask: %m");
3107 r = sigaction(SIGCHLD, &sa, NULL);
3109 log_error("Failed to install SIGCHLD handler: %m");
3113 pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWNS|
3114 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
3115 (arg_private_network ? CLONE_NEWNET : 0), NULL);
3117 if (errno == EINVAL)
3118 log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3120 log_error("clone() failed: %m");
3128 _cleanup_free_ char *home = NULL;
3130 const char *envp[] = {
3131 "PATH=" DEFAULT_PATH_SPLIT_USR,
3132 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
3137 NULL, /* container_uuid */
3138 NULL, /* LISTEN_FDS */
3139 NULL, /* LISTEN_PID */
3144 barrier_set_role(&barrier, BARRIER_CHILD);
3146 envp[n_env] = strv_find_prefix(environ, "TERM=");
3150 master = safe_close(master);
3152 close_nointr(STDIN_FILENO);
3153 close_nointr(STDOUT_FILENO);
3154 close_nointr(STDERR_FILENO);
3156 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
3158 reset_all_signal_handlers();
3159 reset_signal_mask();
3161 k = open_terminal(console, O_RDWR);
3162 if (k != STDIN_FILENO) {
3168 log_error("Failed to open console: %s", strerror(-k));
3169 _exit(EXIT_FAILURE);
3172 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
3173 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
3174 log_error("Failed to duplicate console: %m");
3175 _exit(EXIT_FAILURE);
3179 log_error("setsid() failed: %m");
3180 _exit(EXIT_FAILURE);
3183 if (reset_audit_loginuid() < 0)
3184 _exit(EXIT_FAILURE);
3186 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
3187 log_error("PR_SET_PDEATHSIG failed: %m");
3188 _exit(EXIT_FAILURE);
3191 /* Mark everything as slave, so that we still
3192 * receive mounts from the real root, but don't
3193 * propagate mounts to the real root. */
3194 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
3195 log_error("MS_SLAVE|MS_REC failed: %m");
3196 _exit(EXIT_FAILURE);
3199 if (mount_devices(arg_directory,
3200 root_device, root_device_rw,
3201 home_device, home_device_rw,
3202 srv_device, srv_device_rw) < 0)
3203 _exit(EXIT_FAILURE);
3205 /* Turn directory into bind mount */
3206 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
3207 log_error("Failed to make bind mount: %m");
3208 _exit(EXIT_FAILURE);
3211 r = setup_volatile(arg_directory);
3213 _exit(EXIT_FAILURE);
3215 if (setup_volatile_state(arg_directory) < 0)
3216 _exit(EXIT_FAILURE);
3218 r = base_filesystem_create(arg_directory);
3220 _exit(EXIT_FAILURE);
3222 if (arg_read_only) {
3223 k = bind_remount_recursive(arg_directory, true);
3225 log_error("Failed to make tree read-only: %s", strerror(-k));
3226 _exit(EXIT_FAILURE);
3230 if (mount_all(arg_directory) < 0)
3231 _exit(EXIT_FAILURE);
3233 if (copy_devnodes(arg_directory) < 0)
3234 _exit(EXIT_FAILURE);
3236 if (setup_ptmx(arg_directory) < 0)
3237 _exit(EXIT_FAILURE);
3239 dev_setup(arg_directory);
3241 if (setup_seccomp() < 0)
3242 _exit(EXIT_FAILURE);
3244 if (setup_dev_console(arg_directory, console) < 0)
3245 _exit(EXIT_FAILURE);
3247 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
3248 _exit(EXIT_FAILURE);
3250 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
3252 if (setup_boot_id(arg_directory) < 0)
3253 _exit(EXIT_FAILURE);
3255 if (setup_timezone(arg_directory) < 0)
3256 _exit(EXIT_FAILURE);
3258 if (setup_resolv_conf(arg_directory) < 0)
3259 _exit(EXIT_FAILURE);
3261 if (setup_journal(arg_directory) < 0)
3262 _exit(EXIT_FAILURE);
3264 if (mount_binds(arg_directory, arg_bind, false) < 0)
3265 _exit(EXIT_FAILURE);
3267 if (mount_binds(arg_directory, arg_bind_ro, true) < 0)
3268 _exit(EXIT_FAILURE);
3270 if (mount_tmpfs(arg_directory) < 0)
3271 _exit(EXIT_FAILURE);
3273 if (setup_kdbus(arg_directory, kdbus_domain) < 0)
3274 _exit(EXIT_FAILURE);
3276 /* Tell the parent that we are ready, and that
3277 * it can cgroupify us to that we lack access
3278 * to certain devices and resources. */
3279 barrier_place(&barrier);
3281 if (chdir(arg_directory) < 0) {
3282 log_error("chdir(%s) failed: %m", arg_directory);
3283 _exit(EXIT_FAILURE);
3286 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
3287 log_error("mount(MS_MOVE) failed: %m");
3288 _exit(EXIT_FAILURE);
3291 if (chroot(".") < 0) {
3292 log_error("chroot() failed: %m");
3293 _exit(EXIT_FAILURE);
3296 if (chdir("/") < 0) {
3297 log_error("chdir() failed: %m");
3298 _exit(EXIT_FAILURE);
3303 if (arg_private_network)
3306 if (drop_capabilities() < 0) {
3307 log_error("drop_capabilities() failed: %m");
3308 _exit(EXIT_FAILURE);
3311 r = change_uid_gid(&home);
3313 _exit(EXIT_FAILURE);
3315 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
3316 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
3317 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
3319 _exit(EXIT_FAILURE);
3322 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
3325 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
3327 _exit(EXIT_FAILURE);
3331 if (fdset_size(fds) > 0) {
3332 k = fdset_cloexec(fds, false);
3334 log_error("Failed to unset O_CLOEXEC for file descriptors.");
3335 _exit(EXIT_FAILURE);
3338 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
3339 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
3341 _exit(EXIT_FAILURE);
3347 if (arg_personality != 0xffffffffLU) {
3348 if (personality(arg_personality) < 0) {
3349 log_error("personality() failed: %m");
3350 _exit(EXIT_FAILURE);
3352 } else if (secondary) {
3353 if (personality(PER_LINUX32) < 0) {
3354 log_error("personality() failed: %m");
3355 _exit(EXIT_FAILURE);
3360 if (arg_selinux_context)
3361 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
3362 log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
3363 _exit(EXIT_FAILURE);
3367 if (!strv_isempty(arg_setenv)) {
3370 n = strv_env_merge(2, envp, arg_setenv);
3373 _exit(EXIT_FAILURE);
3378 env_use = (char**) envp;
3380 /* Wait until the parent is ready with the setup, too... */
3381 if (!barrier_place_and_sync(&barrier))
3382 _exit(EXIT_FAILURE);
3388 /* Automatically search for the init system */
3390 l = 1 + argc - optind;
3391 a = newa(char*, l + 1);
3392 memcpy(a + 1, argv + optind, l * sizeof(char*));
3394 a[0] = (char*) "/usr/lib/systemd/systemd";
3395 execve(a[0], a, env_use);
3397 a[0] = (char*) "/lib/systemd/systemd";
3398 execve(a[0], a, env_use);
3400 a[0] = (char*) "/sbin/init";
3401 execve(a[0], a, env_use);
3402 } else if (argc > optind)
3403 execvpe(argv[optind], argv + optind, env_use);
3405 chdir(home ? home : "/root");
3406 execle("/bin/bash", "-bash", NULL, env_use);
3407 execle("/bin/sh", "-sh", NULL, env_use);
3410 log_error("execv() failed: %m");
3411 _exit(EXIT_FAILURE);
3414 barrier_set_role(&barrier, BARRIER_PARENT);
3418 /* wait for child-setup to be done */
3419 if (barrier_place_and_sync(&barrier)) {
3422 r = move_network_interfaces(pid);
3426 r = setup_veth(pid, veth_name, &ifi);
3430 r = setup_bridge(veth_name, &ifi);
3434 r = setup_macvlan(pid);
3438 r = register_machine(pid, ifi);
3442 /* Block SIGCHLD here, before notifying child.
3443 * process_pty() will handle it with the other signals. */
3444 r = sigprocmask(SIG_BLOCK, &mask_chld, NULL);
3448 /* Reset signal to default */
3449 r = default_signals(SIGCHLD, -1);
3453 /* Notify the child that the parent is ready with all
3454 * its setup, and that the child can now hand over
3455 * control to the code to run inside the container. */
3456 barrier_place(&barrier);
3458 k = process_pty(master, &mask, arg_boot ? pid : 0, SIGRTMIN+3);
3467 /* Kill if it is not dead yet anyway */
3468 terminate_machine(pid);
3471 /* Normally redundant, but better safe than sorry */
3474 r = wait_for_container(pid, &container_status);
3478 /* We failed to wait for the container, or the
3479 * container exited abnormally */
3482 } else if (r > 0 || container_status == CONTAINER_TERMINATED)
3483 /* The container exited with a non-zero
3484 * status, or with zero status and no reboot
3488 /* CONTAINER_REBOOTED, loop again */
3490 if (arg_keep_unit) {
3491 /* Special handling if we are running as a
3492 * service: instead of simply restarting the
3493 * machine we want to restart the entire
3494 * service, so let's inform systemd about this
3495 * with the special exit code 133. The service
3496 * file uses RestartForceExitStatus=133 so
3497 * that this results in a full nspawn
3498 * restart. This is necessary since we might
3499 * have cgroup parameters set we want to have
3509 "STATUS=Terminating...");
3511 loop_remove(loop_nr, &image_fd);
3516 free(arg_directory);
3519 strv_free(arg_setenv);
3520 strv_free(arg_network_interfaces);
3521 strv_free(arg_network_macvlan);
3522 strv_free(arg_bind);
3523 strv_free(arg_bind_ro);
3524 strv_free(arg_tmpfs);
~ianmdlvl / elogind.git / blob