1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
37 #include <sys/signalfd.h>
41 #include <sys/socket.h>
42 #include <linux/netlink.h>
43 #include <sys/eventfd.h>
45 #include <linux/veth.h>
46 #include <sys/personality.h>
47 #include <linux/loop.h>
50 #include <selinux/selinux.h>
58 #include <blkid/blkid.h>
61 #include "sd-daemon.h"
71 #include "cgroup-util.h"
73 #include "path-util.h"
74 #include "loopback-setup.h"
75 #include "dev-setup.h"
80 #include "bus-error.h"
82 #include "bus-kernel.h"
85 #include "rtnl-util.h"
86 #include "udev-util.h"
87 #include "blkid-util.h"
89 #include "siphash24.h"
92 #include "seccomp-util.h"
95 typedef enum LinkJournal {
102 static char *arg_directory = NULL;
103 static char *arg_user = NULL;
104 static sd_id128_t arg_uuid = {};
105 static char *arg_machine = NULL;
106 static const char *arg_selinux_context = NULL;
107 static const char *arg_selinux_apifs_context = NULL;
108 static const char *arg_slice = NULL;
109 static bool arg_private_network = false;
110 static bool arg_read_only = false;
111 static bool arg_boot = false;
112 static LinkJournal arg_link_journal = LINK_AUTO;
113 static uint64_t arg_retain =
114 (1ULL << CAP_CHOWN) |
115 (1ULL << CAP_DAC_OVERRIDE) |
116 (1ULL << CAP_DAC_READ_SEARCH) |
117 (1ULL << CAP_FOWNER) |
118 (1ULL << CAP_FSETID) |
119 (1ULL << CAP_IPC_OWNER) |
121 (1ULL << CAP_LEASE) |
122 (1ULL << CAP_LINUX_IMMUTABLE) |
123 (1ULL << CAP_NET_BIND_SERVICE) |
124 (1ULL << CAP_NET_BROADCAST) |
125 (1ULL << CAP_NET_RAW) |
126 (1ULL << CAP_SETGID) |
127 (1ULL << CAP_SETFCAP) |
128 (1ULL << CAP_SETPCAP) |
129 (1ULL << CAP_SETUID) |
130 (1ULL << CAP_SYS_ADMIN) |
131 (1ULL << CAP_SYS_CHROOT) |
132 (1ULL << CAP_SYS_NICE) |
133 (1ULL << CAP_SYS_PTRACE) |
134 (1ULL << CAP_SYS_TTY_CONFIG) |
135 (1ULL << CAP_SYS_RESOURCE) |
136 (1ULL << CAP_SYS_BOOT) |
137 (1ULL << CAP_AUDIT_WRITE) |
138 (1ULL << CAP_AUDIT_CONTROL) |
140 static char **arg_bind = NULL;
141 static char **arg_bind_ro = NULL;
142 static char **arg_setenv = NULL;
143 static bool arg_quiet = false;
144 static bool arg_share_system = false;
145 static bool arg_register = true;
146 static bool arg_keep_unit = false;
147 static char **arg_network_interfaces = NULL;
148 static char **arg_network_macvlan = NULL;
149 static bool arg_network_veth = false;
150 static const char *arg_network_bridge = NULL;
151 static unsigned long arg_personality = 0xffffffffLU;
152 static const char *arg_image = NULL;
154 static int help(void) {
156 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
157 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
158 " -h --help Show this help\n"
159 " --version Print version string\n"
160 " -q --quiet Do not show status information\n"
161 " -D --directory=PATH Root directory for the container\n"
162 " -i --image=PATH File system device or image for the container\n"
163 " -b --boot Boot up full system (i.e. invoke init)\n"
164 " -u --user=USER Run the command under specified user or uid\n"
165 " -M --machine=NAME Set the machine name for the container\n"
166 " --uuid=UUID Set a specific machine UUID for the container\n"
167 " -S --slice=SLICE Place the container in the specified slice\n"
168 " --private-network Disable network in container\n"
169 " --network-interface=INTERFACE\n"
170 " Assign an existing network interface to the\n"
172 " --network-macvlan=INTERFACE\n"
173 " Create a macvlan network interface based on an\n"
174 " existing network interface to the container\n"
175 " --network-veth Add a virtual ethernet connection between host\n"
177 " --network-bridge=INTERFACE\n"
178 " Add a virtual ethernet connection between host\n"
179 " and container and add it to an existing bridge on\n"
181 " -Z --selinux-context=SECLABEL\n"
182 " Set the SELinux security context to be used by\n"
183 " processes in the container\n"
184 " -L --selinux-apifs-context=SECLABEL\n"
185 " Set the SELinux security context to be used by\n"
186 " API/tmpfs file systems in the container\n"
187 " --capability=CAP In addition to the default, retain specified\n"
189 " --drop-capability=CAP Drop the specified capability from the default set\n"
190 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n"
191 " -j Equivalent to --link-journal=host\n"
192 " --read-only Mount the root directory read-only\n"
193 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
195 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
196 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
197 " --share-system Share system namespaces with host\n"
198 " --register=BOOLEAN Register container as machine\n"
199 " --keep-unit Do not register a scope for the machine, reuse\n"
200 " the service unit nspawn is running in\n",
201 program_invocation_short_name);
206 static int parse_argv(int argc, char *argv[]) {
222 ARG_NETWORK_INTERFACE,
229 static const struct option options[] = {
230 { "help", no_argument, NULL, 'h' },
231 { "version", no_argument, NULL, ARG_VERSION },
232 { "directory", required_argument, NULL, 'D' },
233 { "user", required_argument, NULL, 'u' },
234 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
235 { "boot", no_argument, NULL, 'b' },
236 { "uuid", required_argument, NULL, ARG_UUID },
237 { "read-only", no_argument, NULL, ARG_READ_ONLY },
238 { "capability", required_argument, NULL, ARG_CAPABILITY },
239 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
240 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
241 { "bind", required_argument, NULL, ARG_BIND },
242 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
243 { "machine", required_argument, NULL, 'M' },
244 { "slice", required_argument, NULL, 'S' },
245 { "setenv", required_argument, NULL, ARG_SETENV },
246 { "selinux-context", required_argument, NULL, 'Z' },
247 { "selinux-apifs-context", required_argument, NULL, 'L' },
248 { "quiet", no_argument, NULL, 'q' },
249 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
250 { "register", required_argument, NULL, ARG_REGISTER },
251 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
252 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
253 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
254 { "network-veth", no_argument, NULL, ARG_NETWORK_VETH },
255 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
256 { "personality", required_argument, NULL, ARG_PERSONALITY },
257 { "image", required_argument, NULL, 'i' },
262 uint64_t plus = 0, minus = 0;
267 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:", options, NULL)) >= 0) {
275 puts(PACKAGE_STRING);
276 puts(SYSTEMD_FEATURES);
281 arg_directory = canonicalize_file_name(optarg);
282 if (!arg_directory) {
283 log_error("Invalid root directory: %m");
295 arg_user = strdup(optarg);
301 case ARG_NETWORK_BRIDGE:
302 arg_network_bridge = optarg;
306 case ARG_NETWORK_VETH:
307 arg_network_veth = true;
308 arg_private_network = true;
311 case ARG_NETWORK_INTERFACE:
312 if (strv_extend(&arg_network_interfaces, optarg) < 0)
315 arg_private_network = true;
318 case ARG_NETWORK_MACVLAN:
319 if (strv_extend(&arg_network_macvlan, optarg) < 0)
324 case ARG_PRIVATE_NETWORK:
325 arg_private_network = true;
333 r = sd_id128_from_string(optarg, &arg_uuid);
335 log_error("Invalid UUID: %s", optarg);
345 if (isempty(optarg)) {
350 if (!hostname_is_valid(optarg)) {
351 log_error("Invalid machine name: %s", optarg);
356 arg_machine = strdup(optarg);
364 arg_selinux_context = optarg;
368 arg_selinux_apifs_context = optarg;
372 arg_read_only = true;
376 case ARG_DROP_CAPABILITY: {
380 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
381 _cleanup_free_ char *t;
384 t = strndup(word, length);
388 if (streq(t, "all")) {
389 if (c == ARG_CAPABILITY)
390 plus = (uint64_t) -1;
392 minus = (uint64_t) -1;
394 if (cap_from_name(t, &cap) < 0) {
395 log_error("Failed to parse capability %s.", t);
399 if (c == ARG_CAPABILITY)
400 plus |= 1ULL << (uint64_t) cap;
402 minus |= 1ULL << (uint64_t) cap;
410 arg_link_journal = LINK_GUEST;
413 case ARG_LINK_JOURNAL:
414 if (streq(optarg, "auto"))
415 arg_link_journal = LINK_AUTO;
416 else if (streq(optarg, "no"))
417 arg_link_journal = LINK_NO;
418 else if (streq(optarg, "guest"))
419 arg_link_journal = LINK_GUEST;
420 else if (streq(optarg, "host"))
421 arg_link_journal = LINK_HOST;
423 log_error("Failed to parse link journal mode %s", optarg);
431 _cleanup_free_ char *a = NULL, *b = NULL;
435 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
437 e = strchr(optarg, ':');
439 a = strndup(optarg, e - optarg);
449 if (!path_is_absolute(a) || !path_is_absolute(b)) {
450 log_error("Invalid bind mount specification: %s", optarg);
454 r = strv_extend(x, a);
458 r = strv_extend(x, b);
468 if (!env_assignment_is_valid(optarg)) {
469 log_error("Environment variable assignment '%s' is not valid.", optarg);
473 n = strv_env_set(arg_setenv, optarg);
477 strv_free(arg_setenv);
486 case ARG_SHARE_SYSTEM:
487 arg_share_system = true;
491 r = parse_boolean(optarg);
493 log_error("Failed to parse --register= argument: %s", optarg);
501 arg_keep_unit = true;
504 case ARG_PERSONALITY:
506 arg_personality = personality_from_string(optarg);
507 if (arg_personality == 0xffffffffLU) {
508 log_error("Unknown or unsupported personality '%s'.", optarg);
518 assert_not_reached("Unhandled option");
522 if (arg_share_system)
523 arg_register = false;
525 if (arg_boot && arg_share_system) {
526 log_error("--boot and --share-system may not be combined.");
530 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
531 log_error("--keep-unit may not be used when invoked from a user session.");
535 if (arg_directory && arg_image) {
536 log_error("--directory= and --image= may not be combined.");
540 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
545 static int mount_all(const char *dest) {
547 typedef struct MountPoint {
556 static const MountPoint mount_table[] = {
557 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
558 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
559 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
560 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
561 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
562 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
563 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
564 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
566 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
567 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
574 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
575 _cleanup_free_ char *where = NULL;
577 _cleanup_free_ char *options = NULL;
582 where = strjoin(dest, "/", mount_table[k].where, NULL);
586 t = path_is_mount_point(where, true);
588 log_error("Failed to detect whether %s is a mount point: %s", where, strerror(-t));
596 /* Skip this entry if it is not a remount. */
597 if (mount_table[k].what && t > 0)
600 mkdir_p(where, 0755);
603 if (arg_selinux_apifs_context &&
604 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
605 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
612 o = mount_table[k].options;
615 if (mount(mount_table[k].what,
618 mount_table[k].flags,
620 mount_table[k].fatal) {
622 log_error("mount(%s) failed: %m", where);
632 static int mount_binds(const char *dest, char **l, unsigned long flags) {
635 STRV_FOREACH_PAIR(x, y, l) {
637 struct stat source_st, dest_st;
640 if (stat(*x, &source_st) < 0) {
641 log_error("Failed to stat %s: %m", *x);
645 where = strappenda(dest, *y);
646 r = stat(where, &dest_st);
648 if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
649 log_error("The file types of %s and %s do not match. Refusing bind mount",
653 } else if (errno == ENOENT) {
654 r = mkdir_parents_label(where, 0755);
656 log_error("Failed to bind mount %s: %s", *x, strerror(-r));
660 log_error("Failed to bind mount %s: %s", *x, strerror(errno));
663 /* Create the mount point, but be conservative -- refuse to create block
664 * and char devices. */
665 if (S_ISDIR(source_st.st_mode))
666 mkdir_label(where, 0755);
667 else if (S_ISFIFO(source_st.st_mode))
669 else if (S_ISSOCK(source_st.st_mode))
670 mknod(where, 0644 | S_IFSOCK, 0);
671 else if (S_ISREG(source_st.st_mode))
674 log_error("Refusing to create mountpoint for file: %s", *x);
678 if (mount(*x, where, "bind", MS_BIND, NULL) < 0) {
679 log_error("mount(%s) failed: %m", where);
683 if (flags && mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|flags, NULL) < 0) {
684 log_error("mount(%s) failed: %m", where);
692 static int setup_timezone(const char *dest) {
693 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
699 /* Fix the timezone, if possible */
700 r = readlink_malloc("/etc/localtime", &p);
702 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
706 z = path_startswith(p, "../usr/share/zoneinfo/");
708 z = path_startswith(p, "/usr/share/zoneinfo/");
710 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
714 where = strappend(dest, "/etc/localtime");
718 r = readlink_malloc(where, &q);
720 y = path_startswith(q, "../usr/share/zoneinfo/");
722 y = path_startswith(q, "/usr/share/zoneinfo/");
725 /* Already pointing to the right place? Then do nothing .. */
726 if (y && streq(y, z))
730 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
734 if (access(check, F_OK) < 0) {
735 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
739 what = strappend("../usr/share/zoneinfo/", z);
744 if (symlink(what, where) < 0) {
745 log_error("Failed to correct timezone of container: %m");
752 static int setup_resolv_conf(const char *dest) {
753 char _cleanup_free_ *where = NULL;
757 if (arg_private_network)
760 /* Fix resolv.conf, if possible */
761 where = strappend(dest, "/etc/resolv.conf");
765 /* We don't really care for the results of this really. If it
766 * fails, it fails, but meh... */
767 copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW);
772 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
775 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
776 SD_ID128_FORMAT_VAL(id));
781 static int setup_boot_id(const char *dest) {
782 _cleanup_free_ char *from = NULL, *to = NULL;
789 if (arg_share_system)
792 /* Generate a new randomized boot ID, so that each boot-up of
793 * the container gets a new one */
795 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
796 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
800 r = sd_id128_randomize(&rnd);
802 log_error("Failed to generate random boot id: %s", strerror(-r));
806 id128_format_as_uuid(rnd, as_uuid);
808 r = write_string_file(from, as_uuid);
810 log_error("Failed to write boot id: %s", strerror(-r));
814 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
815 log_error("Failed to bind mount boot id: %m");
817 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
818 log_warning("Failed to make boot id read-only: %m");
824 static int copy_devnodes(const char *dest) {
826 static const char devnodes[] =
836 _cleanup_umask_ mode_t u;
842 NULSTR_FOREACH(d, devnodes) {
843 _cleanup_free_ char *from = NULL, *to = NULL;
846 from = strappend("/dev/", d);
847 to = strjoin(dest, "/dev/", d, NULL);
851 if (stat(from, &st) < 0) {
853 if (errno != ENOENT) {
854 log_error("Failed to stat %s: %m", from);
858 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
860 log_error("%s is not a char or block device, cannot copy", from);
863 } else if (mknod(to, st.st_mode, st.st_rdev) < 0) {
865 log_error("mknod(%s) failed: %m", dest);
873 static int setup_ptmx(const char *dest) {
874 _cleanup_free_ char *p = NULL;
876 p = strappend(dest, "/dev/ptmx");
880 if (symlink("pts/ptmx", p) < 0) {
881 log_error("Failed to create /dev/ptmx symlink: %m");
888 static int setup_dev_console(const char *dest, const char *console) {
889 _cleanup_umask_ mode_t u;
899 if (stat("/dev/null", &st) < 0) {
900 log_error("Failed to stat /dev/null: %m");
904 r = chmod_and_chown(console, 0600, 0, 0);
906 log_error("Failed to correct access mode for TTY: %s", strerror(-r));
910 /* We need to bind mount the right tty to /dev/console since
911 * ptys can only exist on pts file systems. To have something
912 * to bind mount things on we create a device node first, and
913 * use /dev/null for that since we the cgroups device policy
914 * allows us to create that freely, while we cannot create
915 * /dev/console. (Note that the major minor doesn't actually
916 * matter here, since we mount it over anyway). */
918 to = strappenda(dest, "/dev/console");
919 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0) {
920 log_error("mknod() for /dev/console failed: %m");
924 if (mount(console, to, "bind", MS_BIND, NULL) < 0) {
925 log_error("Bind mount for /dev/console failed: %m");
932 static int setup_kmsg(const char *dest, int kmsg_socket) {
933 _cleanup_free_ char *from = NULL, *to = NULL;
935 _cleanup_umask_ mode_t u;
937 struct cmsghdr cmsghdr;
938 uint8_t buf[CMSG_SPACE(sizeof(int))];
941 .msg_control = &control,
942 .msg_controllen = sizeof(control),
944 struct cmsghdr *cmsg;
947 assert(kmsg_socket >= 0);
951 /* We create the kmsg FIFO as /dev/kmsg, but immediately
952 * delete it after bind mounting it to /proc/kmsg. While FIFOs
953 * on the reading side behave very similar to /proc/kmsg,
954 * their writing side behaves differently from /dev/kmsg in
955 * that writing blocks when nothing is reading. In order to
956 * avoid any problems with containers deadlocking due to this
957 * we simply make /dev/kmsg unavailable to the container. */
958 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
959 asprintf(&to, "%s/proc/kmsg", dest) < 0)
962 if (mkfifo(from, 0600) < 0) {
963 log_error("mkfifo() for /dev/kmsg failed: %m");
967 r = chmod_and_chown(from, 0600, 0, 0);
969 log_error("Failed to correct access mode for /dev/kmsg: %s", strerror(-r));
973 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
974 log_error("Bind mount for /proc/kmsg failed: %m");
978 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
980 log_error("Failed to open fifo: %m");
984 cmsg = CMSG_FIRSTHDR(&mh);
985 cmsg->cmsg_level = SOL_SOCKET;
986 cmsg->cmsg_type = SCM_RIGHTS;
987 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
988 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
990 mh.msg_controllen = cmsg->cmsg_len;
992 /* Store away the fd in the socket, so that it stays open as
993 * long as we run the child */
994 k = sendmsg(kmsg_socket, &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
998 log_error("Failed to send FIFO fd: %m");
1002 /* And now make the FIFO unavailable as /dev/kmsg... */
1007 static int setup_hostname(void) {
1009 if (arg_share_system)
1012 if (sethostname(arg_machine, strlen(arg_machine)) < 0)
1018 static int setup_journal(const char *directory) {
1019 sd_id128_t machine_id, this_id;
1020 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1024 p = strappend(directory, "/etc/machine-id");
1028 r = read_one_line_file(p, &b);
1029 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1032 log_error("Failed to read machine ID from %s: %s", p, strerror(-r));
1037 if (isempty(id) && arg_link_journal == LINK_AUTO)
1040 /* Verify validity */
1041 r = sd_id128_from_string(id, &machine_id);
1043 log_error("Failed to parse machine ID from %s: %s", p, strerror(-r));
1047 r = sd_id128_get_machine(&this_id);
1049 log_error("Failed to retrieve machine ID: %s", strerror(-r));
1053 if (sd_id128_equal(machine_id, this_id)) {
1054 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1055 "Host and machine ids are equal (%s): refusing to link journals", id);
1056 if (arg_link_journal == LINK_AUTO)
1062 if (arg_link_journal == LINK_NO)
1066 p = strappend("/var/log/journal/", id);
1067 q = strjoin(directory, "/var/log/journal/", id, NULL);
1071 if (path_is_mount_point(p, false) > 0) {
1072 if (arg_link_journal != LINK_AUTO) {
1073 log_error("%s: already a mount point, refusing to use for journal", p);
1080 if (path_is_mount_point(q, false) > 0) {
1081 if (arg_link_journal != LINK_AUTO) {
1082 log_error("%s: already a mount point, refusing to use for journal", q);
1089 r = readlink_and_make_absolute(p, &d);
1091 if ((arg_link_journal == LINK_GUEST ||
1092 arg_link_journal == LINK_AUTO) &&
1095 r = mkdir_p(q, 0755);
1097 log_warning("failed to create directory %s: %m", q);
1101 if (unlink(p) < 0) {
1102 log_error("Failed to remove symlink %s: %m", p);
1105 } else if (r == -EINVAL) {
1107 if (arg_link_journal == LINK_GUEST &&
1110 if (errno == ENOTDIR) {
1111 log_error("%s already exists and is neither a symlink nor a directory", p);
1114 log_error("Failed to remove %s: %m", p);
1118 } else if (r != -ENOENT) {
1119 log_error("readlink(%s) failed: %m", p);
1123 if (arg_link_journal == LINK_GUEST) {
1125 if (symlink(q, p) < 0) {
1126 log_error("Failed to symlink %s to %s: %m", q, p);
1130 r = mkdir_p(q, 0755);
1132 log_warning("failed to create directory %s: %m", q);
1136 if (arg_link_journal == LINK_HOST) {
1137 r = mkdir_p(p, 0755);
1139 log_error("Failed to create %s: %m", p);
1143 } else if (access(p, F_OK) < 0)
1146 if (dir_is_empty(q) == 0) {
1147 log_error("%s not empty.", q);
1151 r = mkdir_p(q, 0755);
1153 log_error("Failed to create %s: %m", q);
1157 if (mount(p, q, "bind", MS_BIND, NULL) < 0) {
1158 log_error("Failed to bind mount journal from host into guest: %m");
1165 static int setup_kdbus(const char *dest, const char *path) {
1171 p = strappenda(dest, "/dev/kdbus");
1172 if (mkdir(p, 0755) < 0) {
1173 log_error("Failed to create kdbus path: %m");
1177 if (mount(path, p, "bind", MS_BIND, NULL) < 0) {
1178 log_error("Failed to mount kdbus domain path: %m");
1185 static int drop_capabilities(void) {
1186 return capability_bounding_set_drop(~arg_retain, false);
1189 static int register_machine(pid_t pid) {
1190 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1191 _cleanup_bus_unref_ sd_bus *bus = NULL;
1197 r = sd_bus_default_system(&bus);
1199 log_error("Failed to open system bus: %s", strerror(-r));
1203 if (arg_keep_unit) {
1204 r = sd_bus_call_method(
1206 "org.freedesktop.machine1",
1207 "/org/freedesktop/machine1",
1208 "org.freedesktop.machine1.Manager",
1214 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1218 strempty(arg_directory));
1220 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1222 r = sd_bus_message_new_method_call(
1225 "org.freedesktop.machine1",
1226 "/org/freedesktop/machine1",
1227 "org.freedesktop.machine1.Manager",
1230 log_error("Failed to create message: %s", strerror(-r));
1234 r = sd_bus_message_append(
1238 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1242 strempty(arg_directory));
1244 log_error("Failed to append message arguments: %s", strerror(-r));
1248 r = sd_bus_message_open_container(m, 'a', "(sv)");
1250 log_error("Failed to open container: %s", strerror(-r));
1254 if (!isempty(arg_slice)) {
1255 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
1257 log_error("Failed to append slice: %s", strerror(-r));
1262 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
1264 log_error("Failed to add device policy: %s", strerror(-r));
1268 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 10,
1269 /* Allow the container to
1270 * access and create the API
1271 * device nodes, so that
1272 * PrivateDevices= in the
1273 * container can work
1278 "/dev/random", "rwm",
1279 "/dev/urandom", "rwm",
1281 /* Allow the container
1282 * access to ptys. However,
1284 * container to ever create
1285 * these device nodes. */
1286 "/dev/pts/ptmx", "rw",
1288 /* Allow the container
1289 * access to all kdbus
1290 * devices. Again, the
1291 * container cannot create
1292 * these nodes, only use
1293 * them. We use a pretty
1294 * open match here, so that
1295 * the kernel API can still
1298 "char-kdbus/*", "rw");
1300 log_error("Failed to add device whitelist: %s", strerror(-r));
1304 r = sd_bus_message_close_container(m);
1306 log_error("Failed to close container: %s", strerror(-r));
1310 r = sd_bus_call(bus, m, 0, &error, NULL);
1314 log_error("Failed to register machine: %s", bus_error_message(&error, r));
1321 static int terminate_machine(pid_t pid) {
1322 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1323 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
1324 _cleanup_bus_unref_ sd_bus *bus = NULL;
1331 r = sd_bus_default_system(&bus);
1333 log_error("Failed to open system bus: %s", strerror(-r));
1337 r = sd_bus_call_method(
1339 "org.freedesktop.machine1",
1340 "/org/freedesktop/machine1",
1341 "org.freedesktop.machine1.Manager",
1348 /* Note that the machine might already have been
1349 * cleaned up automatically, hence don't consider it a
1350 * failure if we cannot get the machine object. */
1351 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
1355 r = sd_bus_message_read(reply, "o", &path);
1357 return bus_log_parse_error(r);
1359 r = sd_bus_call_method(
1361 "org.freedesktop.machine1",
1363 "org.freedesktop.machine1.Machine",
1369 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
1376 static int reset_audit_loginuid(void) {
1377 _cleanup_free_ char *p = NULL;
1380 if (arg_share_system)
1383 r = read_one_line_file("/proc/self/loginuid", &p);
1387 log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
1391 /* Already reset? */
1392 if (streq(p, "4294967295"))
1395 r = write_string_file("/proc/self/loginuid", "4294967295");
1397 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
1398 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1399 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1400 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1401 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
1409 #define HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
1411 static int get_mac(struct ether_addr *mac) {
1418 l = strlen(arg_machine);
1419 sz = sizeof(sd_id128_t) + l;
1422 /* fetch some persistent data unique to the host */
1423 r = sd_id128_get_machine((sd_id128_t*) v);
1427 /* combine with some data unique (on this host) to this
1428 * container instance */
1429 memcpy(v + sizeof(sd_id128_t), arg_machine, l);
1431 /* Let's hash the host machine ID plus the container name. We
1432 * use a fixed, but originally randomly created hash key here. */
1433 siphash24(result, v, sz, HASH_KEY.bytes);
1435 assert_cc(ETH_ALEN <= sizeof(result));
1436 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
1438 /* see eth_random_addr in the kernel */
1439 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
1440 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
1445 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ]) {
1446 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1447 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1448 struct ether_addr mac;
1451 if (!arg_private_network)
1454 if (!arg_network_veth)
1457 /* Use two different interface name prefixes depending whether
1458 * we are in bridge mode or not. */
1459 if (arg_network_bridge)
1460 memcpy(iface_name, "vb-", 3);
1462 memcpy(iface_name, "ve-", 3);
1463 strncpy(iface_name+3, arg_machine, IFNAMSIZ - 3);
1467 log_error("Failed to generate predictable MAC address for host0");
1471 r = sd_rtnl_open(&rtnl, 0);
1473 log_error("Failed to connect to netlink: %s", strerror(-r));
1477 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1479 log_error("Failed to allocate netlink message: %s", strerror(-r));
1483 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
1485 log_error("Failed to add netlink interface name: %s", strerror(-r));
1489 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1491 log_error("Failed to open netlink container: %s", strerror(-r));
1495 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
1497 log_error("Failed to open netlink container: %s", strerror(-r));
1501 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
1503 log_error("Failed to open netlink container: %s", strerror(-r));
1507 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
1509 log_error("Failed to add netlink interface name: %s", strerror(-r));
1513 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac);
1515 log_error("Failed to add netlink MAC address: %s", strerror(-r));
1519 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1521 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1525 r = sd_rtnl_message_close_container(m);
1527 log_error("Failed to close netlink container: %s", strerror(-r));
1531 r = sd_rtnl_message_close_container(m);
1533 log_error("Failed to close netlink container: %s", strerror(-r));
1537 r = sd_rtnl_message_close_container(m);
1539 log_error("Failed to close netlink container: %s", strerror(-r));
1543 r = sd_rtnl_call(rtnl, m, 0, NULL);
1545 log_error("Failed to add new veth interfaces: %s", strerror(-r));
1552 static int setup_bridge(const char veth_name[]) {
1553 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1554 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1557 if (!arg_private_network)
1560 if (!arg_network_veth)
1563 if (!arg_network_bridge)
1566 bridge = (int) if_nametoindex(arg_network_bridge);
1568 log_error("Failed to resolve interface %s: %m", arg_network_bridge);
1572 r = sd_rtnl_open(&rtnl, 0);
1574 log_error("Failed to connect to netlink: %s", strerror(-r));
1578 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
1580 log_error("Failed to allocate netlink message: %s", strerror(-r));
1584 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
1586 log_error("Failed to set IFF_UP flag: %s", strerror(-r));
1590 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
1592 log_error("Failed to add netlink interface name field: %s", strerror(-r));
1596 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
1598 log_error("Failed to add netlink master field: %s", strerror(-r));
1602 r = sd_rtnl_call(rtnl, m, 0, NULL);
1604 log_error("Failed to add veth interface to bridge: %s", strerror(-r));
1611 static int parse_interface(struct udev *udev, const char *name) {
1612 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1613 char ifi_str[2 + DECIMAL_STR_MAX(int)];
1616 ifi = (int) if_nametoindex(name);
1618 log_error("Failed to resolve interface %s: %m", name);
1622 sprintf(ifi_str, "n%i", ifi);
1623 d = udev_device_new_from_device_id(udev, ifi_str);
1625 log_error("Failed to get udev device for interface %s: %m", name);
1629 if (udev_device_get_is_initialized(d) <= 0) {
1630 log_error("Network interface %s is not initialized yet.", name);
1637 static int move_network_interfaces(pid_t pid) {
1638 _cleanup_udev_unref_ struct udev *udev = NULL;
1639 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1643 if (!arg_private_network)
1646 if (strv_isempty(arg_network_interfaces))
1649 r = sd_rtnl_open(&rtnl, 0);
1651 log_error("Failed to connect to netlink: %s", strerror(-r));
1657 log_error("Failed to connect to udev.");
1661 STRV_FOREACH(i, arg_network_interfaces) {
1662 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1665 ifi = parse_interface(udev, *i);
1669 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, ifi);
1671 log_error("Failed to allocate netlink message: %s", strerror(-r));
1675 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1677 log_error("Failed to append namespace PID to netlink message: %s", strerror(-r));
1681 r = sd_rtnl_call(rtnl, m, 0, NULL);
1683 log_error("Failed to move interface %s to namespace: %s", *i, strerror(-r));
1691 static int setup_macvlan(pid_t pid) {
1692 _cleanup_udev_unref_ struct udev *udev = NULL;
1693 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1697 if (!arg_private_network)
1700 if (strv_isempty(arg_network_macvlan))
1703 r = sd_rtnl_open(&rtnl, 0);
1705 log_error("Failed to connect to netlink: %s", strerror(-r));
1711 log_error("Failed to connect to udev.");
1715 STRV_FOREACH(i, arg_network_macvlan) {
1716 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1717 _cleanup_free_ char *n = NULL;
1720 ifi = parse_interface(udev, *i);
1724 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1726 log_error("Failed to allocate netlink message: %s", strerror(-r));
1730 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
1732 log_error("Failed to add netlink interface index: %s", strerror(-r));
1736 n = strappend("mv-", *i);
1740 strshorten(n, IFNAMSIZ-1);
1742 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
1744 log_error("Failed to add netlink interface name: %s", strerror(-r));
1748 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1750 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1754 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1756 log_error("Failed to open netlink container: %s", strerror(-r));
1760 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
1762 log_error("Failed to open netlink container: %s", strerror(-r));
1766 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
1768 log_error("Failed to append macvlan mode: %s", strerror(-r));
1772 r = sd_rtnl_message_close_container(m);
1774 log_error("Failed to close netlink container: %s", strerror(-r));
1778 r = sd_rtnl_message_close_container(m);
1780 log_error("Failed to close netlink container: %s", strerror(-r));
1784 r = sd_rtnl_call(rtnl, m, 0, NULL);
1786 log_error("Failed to add new macvlan interfaces: %s", strerror(-r));
1794 static int audit_still_doesnt_work_in_containers(void) {
1797 scmp_filter_ctx seccomp;
1801 Audit is broken in containers, much of the userspace audit
1802 hookup will fail if running inside a container. We don't
1803 care and just turn off creation of audit sockets.
1805 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
1806 with EAFNOSUPPORT which audit userspace uses as indication
1807 that audit is disabled in the kernel.
1810 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1814 r = seccomp_add_secondary_archs(seccomp);
1816 log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
1820 r = seccomp_rule_add(
1822 SCMP_ACT_ERRNO(EAFNOSUPPORT),
1825 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
1826 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
1828 log_error("Failed to add audit seccomp rule: %s", strerror(-r));
1832 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1834 log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
1838 r = seccomp_load(seccomp);
1840 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
1843 seccomp_release(seccomp);
1851 static int setup_image(char **device_path, int *loop_nr) {
1852 struct loop_info64 info = {
1853 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
1855 _cleanup_close_ int fd = -1, control = -1, loop = -1;
1856 _cleanup_free_ char* loopdev = NULL;
1860 assert(device_path);
1863 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
1865 log_error("Failed to open %s: %m", arg_image);
1869 if (fstat(fd, &st) < 0) {
1870 log_error("Failed to stat %s: %m", arg_image);
1874 if (S_ISBLK(st.st_mode)) {
1877 p = strdup(arg_image);
1891 if (!S_ISREG(st.st_mode)) {
1892 log_error("%s is not a regular file or block device: %m", arg_image);
1896 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
1898 log_error("Failed to open /dev/loop-control: %m");
1902 nr = ioctl(control, LOOP_CTL_GET_FREE);
1904 log_error("Failed to allocate loop device: %m");
1908 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
1911 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
1913 log_error("Failed to open loop device %s: %m", loopdev);
1917 if (ioctl(loop, LOOP_SET_FD, fd) < 0) {
1918 log_error("Failed to set loopback file descriptor on %s: %m", loopdev);
1923 info.lo_flags |= LO_FLAGS_READ_ONLY;
1925 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0) {
1926 log_error("Failed to set loopback settings on %s: %m", loopdev);
1930 *device_path = loopdev;
1941 static int dissect_image(
1943 char **root_device, bool *root_device_rw,
1944 char **home_device, bool *home_device_rw,
1945 char **srv_device, bool *srv_device_rw,
1949 int home_nr = -1, root_nr = -1, secondary_root_nr = -1, srv_nr = -1;
1950 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL;
1951 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
1952 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1953 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
1954 _cleanup_udev_unref_ struct udev *udev = NULL;
1955 struct udev_list_entry *first, *item;
1956 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true;
1957 const char *pttype = NULL;
1963 assert(root_device);
1964 assert(home_device);
1968 b = blkid_new_probe();
1973 r = blkid_probe_set_device(b, fd, 0, 0);
1978 log_error("Failed to set device on blkid probe: %m");
1982 blkid_probe_enable_partitions(b, 1);
1983 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
1986 r = blkid_do_safeprobe(b);
1987 if (r == -2 || r == 1) {
1988 log_error("Failed to identify any partition table on %s.\n"
1989 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
1991 } else if (r != 0) {
1994 log_error("Failed to probe: %m");
1998 blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
1999 if (!streq_ptr(pttype, "gpt")) {
2000 log_error("Image %s does not carry a GUID Partition Table.\n"
2001 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2006 pl = blkid_probe_get_partitions(b);
2011 log_error("Failed to list partitions of %s", arg_image);
2019 if (fstat(fd, &st) < 0) {
2020 log_error("Failed to stat block device: %m");
2024 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2028 e = udev_enumerate_new(udev);
2032 r = udev_enumerate_add_match_parent(e, d);
2036 r = udev_enumerate_scan_devices(e);
2038 log_error("Failed to scan for partition devices of %s: %s", arg_image, strerror(-r));
2042 first = udev_enumerate_get_list_entry(e);
2043 udev_list_entry_foreach(item, first) {
2044 _cleanup_udev_device_unref_ struct udev_device *q;
2045 const char *stype, *node;
2046 unsigned long long flags;
2053 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2058 log_error("Failed to get partition device of %s: %m", arg_image);
2062 qn = udev_device_get_devnum(q);
2066 if (st.st_rdev == qn)
2069 node = udev_device_get_devnode(q);
2073 pp = blkid_partlist_devno_to_partition(pl, qn);
2077 flags = blkid_partition_get_flags(pp);
2078 if (flags & GPT_FLAG_NO_AUTO)
2081 nr = blkid_partition_get_partno(pp);
2085 stype = blkid_partition_get_type_string(pp);
2089 if (sd_id128_from_string(stype, &type_id) < 0)
2092 if (sd_id128_equal(type_id, GPT_HOME)) {
2094 if (home && nr >= home_nr)
2098 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2101 home = strdup(node);
2104 } else if (sd_id128_equal(type_id, GPT_SRV)) {
2106 if (srv && nr >= srv_nr)
2110 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
2117 #ifdef GPT_ROOT_NATIVE
2118 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
2120 if (root && nr >= root_nr)
2124 root_rw = !(flags & GPT_FLAG_READ_ONLY);
2127 root = strdup(node);
2132 #ifdef GPT_ROOT_SECONDARY
2133 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
2135 if (secondary_root && nr >= secondary_root_nr)
2138 secondary_root_nr = nr;
2139 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
2142 free(secondary_root);
2143 secondary_root = strdup(node);
2144 if (!secondary_root)
2150 if (!root && !secondary_root) {
2151 log_error("Failed to identify root partition in disk image %s.\n"
2152 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2157 *root_device = root;
2160 *root_device_rw = root_rw;
2162 } else if (secondary_root) {
2163 *root_device = secondary_root;
2164 secondary_root = NULL;
2166 *root_device_rw = secondary_root_rw;
2171 *home_device = home;
2174 *home_device_rw = home_rw;
2181 *srv_device_rw = srv_rw;
2186 log_error("--image= is not supported, compiled without blkid support.");
2191 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
2193 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2194 const char *fstype, *p;
2204 p = strappenda(where, directory);
2209 b = blkid_new_probe_from_filename(what);
2213 log_error("Failed to allocate prober for %s: %m", what);
2217 blkid_probe_enable_superblocks(b, 1);
2218 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
2221 r = blkid_do_safeprobe(b);
2222 if (r == -1 || r == 1) {
2223 log_error("Cannot determine file system type of %s", what);
2225 } else if (r != 0) {
2228 log_error("Failed to probe %s: %m", what);
2233 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
2236 log_error("Failed to determine file system type of %s", what);
2240 if (streq(fstype, "crypto_LUKS")) {
2241 log_error("nspawn currently does not support LUKS disk images.");
2245 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0) {
2246 log_error("Failed to mount %s: %m", what);
2252 log_error("--image= is not supported, compiled without blkid support.");
2257 static int mount_devices(
2259 const char *root_device, bool root_device_rw,
2260 const char *home_device, bool home_device_rw,
2261 const char *srv_device, bool srv_device_rw) {
2267 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
2269 log_error("Failed to mount root directory: %s", strerror(-r));
2275 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
2277 log_error("Failed to mount home directory: %s", strerror(-r));
2283 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
2285 log_error("Failed to mount server data directory: %s", strerror(-r));
2293 static void loop_remove(int nr, int *image_fd) {
2294 _cleanup_close_ int control = -1;
2299 if (image_fd && *image_fd >= 0) {
2300 ioctl(*image_fd, LOOP_CLR_FD);
2301 *image_fd = safe_close(*image_fd);
2304 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2308 ioctl(control, LOOP_CTL_REMOVE, nr);
2311 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
2319 if (pipe2(pipe_fds, O_CLOEXEC) < 0) {
2320 log_error("Failed to allocate pipe: %m");
2326 log_error("Failed to fork getent child: %m");
2328 } else if (pid == 0) {
2330 char *empty_env = NULL;
2332 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
2333 _exit(EXIT_FAILURE);
2335 if (pipe_fds[0] > 2)
2336 safe_close(pipe_fds[0]);
2337 if (pipe_fds[1] > 2)
2338 safe_close(pipe_fds[1]);
2340 nullfd = open("/dev/null", O_RDWR);
2342 _exit(EXIT_FAILURE);
2344 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
2345 _exit(EXIT_FAILURE);
2347 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
2348 _exit(EXIT_FAILURE);
2353 reset_all_signal_handlers();
2354 close_all_fds(NULL, 0);
2356 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
2357 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
2358 _exit(EXIT_FAILURE);
2361 pipe_fds[1] = safe_close(pipe_fds[1]);
2368 static int change_uid_gid(char **_home) {
2369 char line[LINE_MAX], *w, *x, *state, *u, *g, *h;
2370 _cleanup_free_ uid_t *uids = NULL;
2371 _cleanup_free_ char *home = NULL;
2372 _cleanup_fclose_ FILE *f = NULL;
2373 _cleanup_close_ int fd = -1;
2374 unsigned n_uids = 0;
2383 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
2384 /* Reset everything fully to 0, just in case */
2386 if (setgroups(0, NULL) < 0) {
2387 log_error("setgroups() failed: %m");
2391 if (setresgid(0, 0, 0) < 0) {
2392 log_error("setregid() failed: %m");
2396 if (setresuid(0, 0, 0) < 0) {
2397 log_error("setreuid() failed: %m");
2405 /* First, get user credentials */
2406 fd = spawn_getent("passwd", arg_user, &pid);
2410 f = fdopen(fd, "r");
2415 if (!fgets(line, sizeof(line), f)) {
2418 log_error("Failed to resolve user %s.", arg_user);
2422 log_error("Failed to read from getent: %m");
2428 wait_for_terminate_and_warn("getent passwd", pid);
2430 x = strchr(line, ':');
2432 log_error("/etc/passwd entry has invalid user field.");
2436 u = strchr(x+1, ':');
2438 log_error("/etc/passwd entry has invalid password field.");
2445 log_error("/etc/passwd entry has invalid UID field.");
2453 log_error("/etc/passwd entry has invalid GID field.");
2458 h = strchr(x+1, ':');
2460 log_error("/etc/passwd entry has invalid GECOS field.");
2467 log_error("/etc/passwd entry has invalid home directory field.");
2473 r = parse_uid(u, &uid);
2475 log_error("Failed to parse UID of user.");
2479 r = parse_gid(g, &gid);
2481 log_error("Failed to parse GID of user.");
2489 /* Second, get group memberships */
2490 fd = spawn_getent("initgroups", arg_user, &pid);
2495 f = fdopen(fd, "r");
2500 if (!fgets(line, sizeof(line), f)) {
2502 log_error("Failed to resolve user %s.", arg_user);
2506 log_error("Failed to read from getent: %m");
2512 wait_for_terminate_and_warn("getent initgroups", pid);
2514 /* Skip over the username and subsequent separator whitespace */
2516 x += strcspn(x, WHITESPACE);
2517 x += strspn(x, WHITESPACE);
2519 FOREACH_WORD(w, l, x, state) {
2525 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
2528 r = parse_uid(c, &uids[n_uids++]);
2530 log_error("Failed to parse group data from getent.");
2535 r = mkdir_parents(home, 0775);
2537 log_error("Failed to make home root directory: %s", strerror(-r));
2541 r = mkdir_safe(home, 0755, uid, gid);
2542 if (r < 0 && r != -EEXIST) {
2543 log_error("Failed to make home directory: %s", strerror(-r));
2547 fchown(STDIN_FILENO, uid, gid);
2548 fchown(STDOUT_FILENO, uid, gid);
2549 fchown(STDERR_FILENO, uid, gid);
2551 if (setgroups(n_uids, uids) < 0) {
2552 log_error("Failed to set auxiliary groups: %m");
2556 if (setresgid(gid, gid, gid) < 0) {
2557 log_error("setregid() failed: %m");
2561 if (setresuid(uid, uid, uid) < 0) {
2562 log_error("setreuid() failed: %m");
2574 int main(int argc, char *argv[]) {
2576 _cleanup_free_ char *kdbus_domain = NULL, *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
2577 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
2578 _cleanup_close_ int master = -1, kdbus_fd = -1, image_fd = -1;
2579 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 };
2580 _cleanup_fdset_free_ FDSet *fds = NULL;
2581 int r = EXIT_FAILURE, k, n_fd_passed, loop_nr = -1;
2582 const char *console = NULL;
2583 char veth_name[IFNAMSIZ];
2584 bool secondary = false;
2588 log_parse_environment();
2591 k = parse_argv(argc, argv);
2600 if (arg_directory) {
2603 p = path_make_absolute_cwd(arg_directory);
2604 free(arg_directory);
2607 arg_directory = get_current_dir_name();
2609 if (!arg_directory) {
2610 log_error("Failed to determine path, please use -D.");
2613 path_kill_slashes(arg_directory);
2617 arg_machine = strdup(basename(arg_image ? arg_image : arg_directory));
2623 hostname_cleanup(arg_machine, false);
2624 if (isempty(arg_machine)) {
2625 log_error("Failed to determine machine name automatically, please use -M.");
2630 if (geteuid() != 0) {
2631 log_error("Need to be root.");
2635 if (sd_booted() <= 0) {
2636 log_error("Not running on a systemd system.");
2641 n_fd_passed = sd_listen_fds(false);
2642 if (n_fd_passed > 0) {
2643 k = fdset_new_listen_fds(&fds, false);
2645 log_error("Failed to collect file descriptors: %s", strerror(-k));
2649 fdset_close_others(fds);
2652 if (arg_directory) {
2653 if (path_equal(arg_directory, "/")) {
2654 log_error("Spawning container on root directory not supported.");
2659 if (path_is_os_tree(arg_directory) <= 0) {
2660 log_error("Directory %s doesn't look like an OS root directory (/etc/os-release is missing). Refusing.", arg_directory);
2666 p = strappenda(arg_directory,
2667 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
2668 if (access(p, F_OK) < 0) {
2669 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
2675 char template[] = "/tmp/nspawn-root-XXXXXX";
2677 if (!mkdtemp(template)) {
2678 log_error("Failed to create temporary directory: %m");
2683 arg_directory = strdup(template);
2684 if (!arg_directory) {
2689 image_fd = setup_image(&device_path, &loop_nr);
2695 r = dissect_image(image_fd, &root_device, &root_device_rw, &home_device, &home_device_rw, &srv_device, &srv_device_rw, &secondary);
2700 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
2702 log_error("Failed to acquire pseudo tty: %m");
2706 console = ptsname(master);
2708 log_error("Failed to determine tty name: %m");
2713 log_info("Spawning container %s on %s. Press ^] three times within 1s to abort execution.", arg_machine, arg_image ? arg_image : arg_directory);
2715 if (unlockpt(master) < 0) {
2716 log_error("Failed to unlock tty: %m");
2720 if (access("/dev/kdbus/control", F_OK) >= 0) {
2722 if (arg_share_system) {
2723 kdbus_domain = strdup("/dev/kdbus");
2724 if (!kdbus_domain) {
2731 ns = strappenda("machine-", arg_machine);
2732 kdbus_fd = bus_kernel_create_domain(ns, &kdbus_domain);
2734 log_debug("Failed to create kdbus domain: %s", strerror(-r));
2736 log_debug("Successfully created kdbus domain as %s", kdbus_domain);
2740 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
2741 log_error("Failed to create kmsg socket pair: %m");
2745 sd_notify(0, "READY=1");
2747 assert_se(sigemptyset(&mask) == 0);
2748 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
2749 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
2752 int parent_ready_fd = -1, child_ready_fd = -1;
2756 parent_ready_fd = eventfd(0, EFD_CLOEXEC);
2757 if (parent_ready_fd < 0) {
2758 log_error("Failed to create event fd: %m");
2762 child_ready_fd = eventfd(0, EFD_CLOEXEC);
2763 if (child_ready_fd < 0) {
2764 log_error("Failed to create event fd: %m");
2768 pid = syscall(__NR_clone,
2769 SIGCHLD|CLONE_NEWNS|
2770 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
2771 (arg_private_network ? CLONE_NEWNET : 0), NULL);
2773 if (errno == EINVAL)
2774 log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
2776 log_error("clone() failed: %m");
2783 _cleanup_free_ char *home = NULL;
2785 const char *envp[] = {
2786 "PATH=" DEFAULT_PATH_SPLIT_USR,
2787 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
2792 NULL, /* container_uuid */
2793 NULL, /* LISTEN_FDS */
2794 NULL, /* LISTEN_PID */
2799 envp[n_env] = strv_find_prefix(environ, "TERM=");
2803 master = safe_close(master);
2805 close_nointr(STDIN_FILENO);
2806 close_nointr(STDOUT_FILENO);
2807 close_nointr(STDERR_FILENO);
2809 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
2811 reset_all_signal_handlers();
2813 assert_se(sigemptyset(&mask) == 0);
2814 assert_se(sigprocmask(SIG_SETMASK, &mask, NULL) == 0);
2816 k = open_terminal(console, O_RDWR);
2817 if (k != STDIN_FILENO) {
2823 log_error("Failed to open console: %s", strerror(-k));
2827 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
2828 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
2829 log_error("Failed to duplicate console: %m");
2834 log_error("setsid() failed: %m");
2838 if (reset_audit_loginuid() < 0)
2841 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
2842 log_error("PR_SET_PDEATHSIG failed: %m");
2846 /* Mark everything as slave, so that we still
2847 * receive mounts from the real root, but don't
2848 * propagate mounts to the real root. */
2849 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
2850 log_error("MS_SLAVE|MS_REC failed: %m");
2854 if (mount_devices(arg_directory,
2855 root_device, root_device_rw,
2856 home_device, home_device_rw,
2857 srv_device, srv_device_rw) < 0)
2860 /* Turn directory into bind mount */
2861 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
2862 log_error("Failed to make bind mount.");
2867 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) {
2868 log_error("Failed to make read-only.");
2872 if (mount_all(arg_directory) < 0)
2875 if (copy_devnodes(arg_directory) < 0)
2878 if (setup_ptmx(arg_directory) < 0)
2881 dev_setup(arg_directory);
2883 if (audit_still_doesnt_work_in_containers() < 0)
2886 if (setup_dev_console(arg_directory, console) < 0)
2889 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
2892 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
2894 if (setup_boot_id(arg_directory) < 0)
2897 if (setup_timezone(arg_directory) < 0)
2900 if (setup_resolv_conf(arg_directory) < 0)
2903 if (setup_journal(arg_directory) < 0)
2906 if (mount_binds(arg_directory, arg_bind, 0) < 0)
2909 if (mount_binds(arg_directory, arg_bind_ro, MS_RDONLY) < 0)
2912 if (setup_kdbus(arg_directory, kdbus_domain) < 0)
2915 /* Tell the parent that we are ready, and that
2916 * it can cgroupify us to that we lack access
2917 * to certain devices and resources. */
2918 eventfd_write(child_ready_fd, 1);
2919 child_ready_fd = safe_close(child_ready_fd);
2921 if (chdir(arg_directory) < 0) {
2922 log_error("chdir(%s) failed: %m", arg_directory);
2926 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
2927 log_error("mount(MS_MOVE) failed: %m");
2931 if (chroot(".") < 0) {
2932 log_error("chroot() failed: %m");
2936 if (chdir("/") < 0) {
2937 log_error("chdir() failed: %m");
2943 if (arg_private_network)
2946 if (drop_capabilities() < 0) {
2947 log_error("drop_capabilities() failed: %m");
2951 r = change_uid_gid(&home);
2955 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
2956 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
2957 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
2962 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
2965 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
2971 if (fdset_size(fds) > 0) {
2972 k = fdset_cloexec(fds, false);
2974 log_error("Failed to unset O_CLOEXEC for file descriptors.");
2978 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
2979 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
2987 if (arg_personality != 0xffffffffLU) {
2988 if (personality(arg_personality) < 0) {
2989 log_error("personality() failed: %m");
2992 } else if (secondary) {
2993 if (personality(PER_LINUX32) < 0) {
2994 log_error("personality() failed: %m");
3000 if (arg_selinux_context)
3001 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
3002 log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
3007 if (!strv_isempty(arg_setenv)) {
3010 n = strv_env_merge(2, envp, arg_setenv);
3018 env_use = (char**) envp;
3020 /* Wait until the parent is ready with the setup, too... */
3021 eventfd_read(parent_ready_fd, &x);
3022 parent_ready_fd = safe_close(parent_ready_fd);
3028 /* Automatically search for the init system */
3030 l = 1 + argc - optind;
3031 a = newa(char*, l + 1);
3032 memcpy(a + 1, argv + optind, l * sizeof(char*));
3034 a[0] = (char*) "/usr/lib/systemd/systemd";
3035 execve(a[0], a, env_use);
3037 a[0] = (char*) "/lib/systemd/systemd";
3038 execve(a[0], a, env_use);
3040 a[0] = (char*) "/sbin/init";
3041 execve(a[0], a, env_use);
3042 } else if (argc > optind)
3043 execvpe(argv[optind], argv + optind, env_use);
3045 chdir(home ? home : "/root");
3046 execle("/bin/bash", "-bash", NULL, env_use);
3047 execle("/bin/sh", "-sh", NULL, env_use);
3050 log_error("execv() failed: %m");
3053 _exit(EXIT_FAILURE);
3059 /* Wait until the child reported that it is ready with
3060 * all it needs to do with privileges. After we got
3061 * the notification we can make the process join its
3062 * cgroup which might limit what it can do */
3063 eventfd_read(child_ready_fd, &x);
3065 r = register_machine(pid);
3069 r = move_network_interfaces(pid);
3073 r = setup_veth(pid, veth_name);
3077 r = setup_bridge(veth_name);
3081 r = setup_macvlan(pid);
3085 /* Notify the child that the parent is ready with all
3086 * its setup, and thtat the child can now hand over
3087 * control to the code to run inside the container. */
3088 eventfd_write(parent_ready_fd, 1);
3090 k = process_pty(master, &mask, arg_boot ? pid : 0, SIGRTMIN+3);
3099 /* Kill if it is not dead yet anyway */
3100 terminate_machine(pid);
3102 /* Redundant, but better safe than sorry */
3105 k = wait_for_terminate(pid, &status);
3113 if (status.si_code == CLD_EXITED) {
3114 r = status.si_status;
3115 if (status.si_status != 0) {
3116 log_error("Container %s failed with error code %i.", arg_machine, status.si_status);
3121 log_debug("Container %s exited successfully.", arg_machine);
3123 } else if (status.si_code == CLD_KILLED &&
3124 status.si_status == SIGINT) {
3127 log_info("Container %s has been shut down.", arg_machine);
3130 } else if (status.si_code == CLD_KILLED &&
3131 status.si_status == SIGHUP) {
3134 log_info("Container %s is being rebooted.", arg_machine);
3136 } else if (status.si_code == CLD_KILLED ||
3137 status.si_code == CLD_DUMPED) {
3139 log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
3143 log_error("Container %s failed due to unknown reason.", arg_machine);
3150 loop_remove(loop_nr, &image_fd);
3155 free(arg_directory);
3158 strv_free(arg_setenv);
3159 strv_free(arg_network_interfaces);
3160 strv_free(arg_network_macvlan);
3161 strv_free(arg_bind);
3162 strv_free(arg_bind_ro);
~ianmdlvl / elogind.git / blob