1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
37 #include <sys/signalfd.h>
41 #include <sys/socket.h>
42 #include <linux/netlink.h>
43 #include <sys/eventfd.h>
45 #include <linux/veth.h>
46 #include <sys/personality.h>
47 #include <linux/loop.h>
50 #include <selinux/selinux.h>
58 #include <blkid/blkid.h>
61 #include "sd-daemon.h"
71 #include "cgroup-util.h"
73 #include "path-util.h"
74 #include "loopback-setup.h"
75 #include "dev-setup.h"
80 #include "bus-error.h"
82 #include "bus-kernel.h"
85 #include "rtnl-util.h"
86 #include "udev-util.h"
87 #include "blkid-util.h"
89 #include "siphash24.h"
92 #include "seccomp-util.h"
95 typedef enum LinkJournal {
102 static char *arg_directory = NULL;
103 static char *arg_user = NULL;
104 static sd_id128_t arg_uuid = {};
105 static char *arg_machine = NULL;
106 static const char *arg_selinux_context = NULL;
107 static const char *arg_selinux_apifs_context = NULL;
108 static const char *arg_slice = NULL;
109 static bool arg_private_network = false;
110 static bool arg_read_only = false;
111 static bool arg_boot = false;
112 static LinkJournal arg_link_journal = LINK_AUTO;
113 static uint64_t arg_retain =
114 (1ULL << CAP_CHOWN) |
115 (1ULL << CAP_DAC_OVERRIDE) |
116 (1ULL << CAP_DAC_READ_SEARCH) |
117 (1ULL << CAP_FOWNER) |
118 (1ULL << CAP_FSETID) |
119 (1ULL << CAP_IPC_OWNER) |
121 (1ULL << CAP_LEASE) |
122 (1ULL << CAP_LINUX_IMMUTABLE) |
123 (1ULL << CAP_NET_BIND_SERVICE) |
124 (1ULL << CAP_NET_BROADCAST) |
125 (1ULL << CAP_NET_RAW) |
126 (1ULL << CAP_SETGID) |
127 (1ULL << CAP_SETFCAP) |
128 (1ULL << CAP_SETPCAP) |
129 (1ULL << CAP_SETUID) |
130 (1ULL << CAP_SYS_ADMIN) |
131 (1ULL << CAP_SYS_CHROOT) |
132 (1ULL << CAP_SYS_NICE) |
133 (1ULL << CAP_SYS_PTRACE) |
134 (1ULL << CAP_SYS_TTY_CONFIG) |
135 (1ULL << CAP_SYS_RESOURCE) |
136 (1ULL << CAP_SYS_BOOT) |
137 (1ULL << CAP_AUDIT_WRITE) |
138 (1ULL << CAP_AUDIT_CONTROL) |
140 static char **arg_bind = NULL;
141 static char **arg_bind_ro = NULL;
142 static char **arg_setenv = NULL;
143 static bool arg_quiet = false;
144 static bool arg_share_system = false;
145 static bool arg_register = true;
146 static bool arg_keep_unit = false;
147 static char **arg_network_interfaces = NULL;
148 static char **arg_network_macvlan = NULL;
149 static bool arg_network_veth = false;
150 static const char *arg_network_bridge = NULL;
151 static unsigned long arg_personality = 0xffffffffLU;
152 static const char *arg_image = NULL;
154 static int help(void) {
156 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
157 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
158 " -h --help Show this help\n"
159 " --version Print version string\n"
160 " -q --quiet Do not show status information\n"
161 " -D --directory=PATH Root directory for the container\n"
162 " -i --image=PATH File system device or image for the container\n"
163 " -b --boot Boot up full system (i.e. invoke init)\n"
164 " -u --user=USER Run the command under specified user or uid\n"
165 " -M --machine=NAME Set the machine name for the container\n"
166 " --uuid=UUID Set a specific machine UUID for the container\n"
167 " -S --slice=SLICE Place the container in the specified slice\n"
168 " --private-network Disable network in container\n"
169 " --network-interface=INTERFACE\n"
170 " Assign an existing network interface to the\n"
172 " --network-macvlan=INTERFACE\n"
173 " Create a macvlan network interface based on an\n"
174 " existing network interface to the container\n"
175 " --network-veth Add a virtual ethernet connection between host\n"
177 " --network-bridge=INTERFACE\n"
178 " Add a virtual ethernet connection between host\n"
179 " and container and add it to an existing bridge on\n"
181 " -Z --selinux-context=SECLABEL\n"
182 " Set the SELinux security context to be used by\n"
183 " processes in the container\n"
184 " -L --selinux-apifs-context=SECLABEL\n"
185 " Set the SELinux security context to be used by\n"
186 " API/tmpfs file systems in the container\n"
187 " --capability=CAP In addition to the default, retain specified\n"
189 " --drop-capability=CAP Drop the specified capability from the default set\n"
190 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n"
191 " -j Equivalent to --link-journal=host\n"
192 " --read-only Mount the root directory read-only\n"
193 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
195 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
196 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
197 " --share-system Share system namespaces with host\n"
198 " --register=BOOLEAN Register container as machine\n"
199 " --keep-unit Do not register a scope for the machine, reuse\n"
200 " the service unit nspawn is running in\n",
201 program_invocation_short_name);
206 static int parse_argv(int argc, char *argv[]) {
222 ARG_NETWORK_INTERFACE,
229 static const struct option options[] = {
230 { "help", no_argument, NULL, 'h' },
231 { "version", no_argument, NULL, ARG_VERSION },
232 { "directory", required_argument, NULL, 'D' },
233 { "user", required_argument, NULL, 'u' },
234 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
235 { "boot", no_argument, NULL, 'b' },
236 { "uuid", required_argument, NULL, ARG_UUID },
237 { "read-only", no_argument, NULL, ARG_READ_ONLY },
238 { "capability", required_argument, NULL, ARG_CAPABILITY },
239 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
240 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
241 { "bind", required_argument, NULL, ARG_BIND },
242 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
243 { "machine", required_argument, NULL, 'M' },
244 { "slice", required_argument, NULL, 'S' },
245 { "setenv", required_argument, NULL, ARG_SETENV },
246 { "selinux-context", required_argument, NULL, 'Z' },
247 { "selinux-apifs-context", required_argument, NULL, 'L' },
248 { "quiet", no_argument, NULL, 'q' },
249 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
250 { "register", required_argument, NULL, ARG_REGISTER },
251 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
252 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
253 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
254 { "network-veth", no_argument, NULL, ARG_NETWORK_VETH },
255 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
256 { "personality", required_argument, NULL, ARG_PERSONALITY },
257 { "image", required_argument, NULL, 'i' },
262 uint64_t plus = 0, minus = 0;
267 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:", options, NULL)) >= 0) {
275 puts(PACKAGE_STRING);
276 puts(SYSTEMD_FEATURES);
281 arg_directory = canonicalize_file_name(optarg);
282 if (!arg_directory) {
283 log_error("Invalid root directory: %m");
295 arg_user = strdup(optarg);
301 case ARG_NETWORK_BRIDGE:
302 arg_network_bridge = optarg;
306 case ARG_NETWORK_VETH:
307 arg_network_veth = true;
308 arg_private_network = true;
311 case ARG_NETWORK_INTERFACE:
312 if (strv_extend(&arg_network_interfaces, optarg) < 0)
315 arg_private_network = true;
318 case ARG_NETWORK_MACVLAN:
319 if (strv_extend(&arg_network_macvlan, optarg) < 0)
324 case ARG_PRIVATE_NETWORK:
325 arg_private_network = true;
333 r = sd_id128_from_string(optarg, &arg_uuid);
335 log_error("Invalid UUID: %s", optarg);
345 if (isempty(optarg)) {
350 if (!hostname_is_valid(optarg)) {
351 log_error("Invalid machine name: %s", optarg);
356 arg_machine = strdup(optarg);
364 arg_selinux_context = optarg;
368 arg_selinux_apifs_context = optarg;
372 arg_read_only = true;
376 case ARG_DROP_CAPABILITY: {
380 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
381 _cleanup_free_ char *t;
384 t = strndup(word, length);
388 if (streq(t, "all")) {
389 if (c == ARG_CAPABILITY)
390 plus = (uint64_t) -1;
392 minus = (uint64_t) -1;
394 if (cap_from_name(t, &cap) < 0) {
395 log_error("Failed to parse capability %s.", t);
399 if (c == ARG_CAPABILITY)
400 plus |= 1ULL << (uint64_t) cap;
402 minus |= 1ULL << (uint64_t) cap;
410 arg_link_journal = LINK_GUEST;
413 case ARG_LINK_JOURNAL:
414 if (streq(optarg, "auto"))
415 arg_link_journal = LINK_AUTO;
416 else if (streq(optarg, "no"))
417 arg_link_journal = LINK_NO;
418 else if (streq(optarg, "guest"))
419 arg_link_journal = LINK_GUEST;
420 else if (streq(optarg, "host"))
421 arg_link_journal = LINK_HOST;
423 log_error("Failed to parse link journal mode %s", optarg);
431 _cleanup_free_ char *a = NULL, *b = NULL;
435 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
437 e = strchr(optarg, ':');
439 a = strndup(optarg, e - optarg);
449 if (!path_is_absolute(a) || !path_is_absolute(b)) {
450 log_error("Invalid bind mount specification: %s", optarg);
454 r = strv_extend(x, a);
458 r = strv_extend(x, b);
468 if (!env_assignment_is_valid(optarg)) {
469 log_error("Environment variable assignment '%s' is not valid.", optarg);
473 n = strv_env_set(arg_setenv, optarg);
477 strv_free(arg_setenv);
486 case ARG_SHARE_SYSTEM:
487 arg_share_system = true;
491 r = parse_boolean(optarg);
493 log_error("Failed to parse --register= argument: %s", optarg);
501 arg_keep_unit = true;
504 case ARG_PERSONALITY:
506 arg_personality = personality_from_string(optarg);
507 if (arg_personality == 0xffffffffLU) {
508 log_error("Unknown or unsupported personality '%s'.", optarg);
518 assert_not_reached("Unhandled option");
522 if (arg_share_system)
523 arg_register = false;
525 if (arg_boot && arg_share_system) {
526 log_error("--boot and --share-system may not be combined.");
530 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
531 log_error("--keep-unit may not be used when invoked from a user session.");
535 if (arg_directory && arg_image) {
536 log_error("--directory= and --image= may not be combined.");
540 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
545 static int mount_all(const char *dest) {
547 typedef struct MountPoint {
556 static const MountPoint mount_table[] = {
557 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
558 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
559 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
560 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
561 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
562 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
563 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
564 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
566 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
567 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
574 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
575 _cleanup_free_ char *where = NULL;
577 _cleanup_free_ char *options = NULL;
582 where = strjoin(dest, "/", mount_table[k].where, NULL);
586 t = path_is_mount_point(where, true);
588 log_error("Failed to detect whether %s is a mount point: %s", where, strerror(-t));
596 /* Skip this entry if it is not a remount. */
597 if (mount_table[k].what && t > 0)
600 mkdir_p(where, 0755);
603 if (arg_selinux_apifs_context &&
604 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
605 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
612 o = mount_table[k].options;
615 if (mount(mount_table[k].what,
618 mount_table[k].flags,
620 mount_table[k].fatal) {
622 log_error("mount(%s) failed: %m", where);
632 static int mount_binds(const char *dest, char **l, unsigned long flags) {
635 STRV_FOREACH_PAIR(x, y, l) {
637 struct stat source_st, dest_st;
640 if (stat(*x, &source_st) < 0) {
641 log_error("Failed to stat %s: %m", *x);
645 where = strappenda(dest, *y);
646 r = stat(where, &dest_st);
648 if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
649 log_error("The file types of %s and %s do not match. Refusing bind mount",
653 } else if (errno == ENOENT) {
654 r = mkdir_parents_label(where, 0755);
656 log_error("Failed to bind mount %s: %s", *x, strerror(-r));
660 log_error("Failed to bind mount %s: %s", *x, strerror(errno));
663 /* Create the mount point, but be conservative -- refuse to create block
664 * and char devices. */
665 if (S_ISDIR(source_st.st_mode))
666 mkdir_label(where, 0755);
667 else if (S_ISFIFO(source_st.st_mode))
669 else if (S_ISSOCK(source_st.st_mode))
670 mknod(where, 0644 | S_IFSOCK, 0);
671 else if (S_ISREG(source_st.st_mode))
674 log_error("Refusing to create mountpoint for file: %s", *x);
678 if (mount(*x, where, "bind", MS_BIND, NULL) < 0) {
679 log_error("mount(%s) failed: %m", where);
683 if (flags && mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|flags, NULL) < 0) {
684 log_error("mount(%s) failed: %m", where);
692 static int setup_timezone(const char *dest) {
693 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
699 /* Fix the timezone, if possible */
700 r = readlink_malloc("/etc/localtime", &p);
702 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
706 z = path_startswith(p, "../usr/share/zoneinfo/");
708 z = path_startswith(p, "/usr/share/zoneinfo/");
710 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
714 where = strappend(dest, "/etc/localtime");
718 r = readlink_malloc(where, &q);
720 y = path_startswith(q, "../usr/share/zoneinfo/");
722 y = path_startswith(q, "/usr/share/zoneinfo/");
725 /* Already pointing to the right place? Then do nothing .. */
726 if (y && streq(y, z))
730 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
734 if (access(check, F_OK) < 0) {
735 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
739 what = strappend("../usr/share/zoneinfo/", z);
744 if (symlink(what, where) < 0) {
745 log_error("Failed to correct timezone of container: %m");
752 static int setup_resolv_conf(const char *dest) {
753 char _cleanup_free_ *where = NULL;
757 if (arg_private_network)
760 /* Fix resolv.conf, if possible */
761 where = strappend(dest, "/etc/resolv.conf");
765 /* We don't really care for the results of this really. If it
766 * fails, it fails, but meh... */
767 copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW);
772 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
775 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
776 SD_ID128_FORMAT_VAL(id));
781 static int setup_boot_id(const char *dest) {
782 _cleanup_free_ char *from = NULL, *to = NULL;
789 if (arg_share_system)
792 /* Generate a new randomized boot ID, so that each boot-up of
793 * the container gets a new one */
795 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
796 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
800 r = sd_id128_randomize(&rnd);
802 log_error("Failed to generate random boot id: %s", strerror(-r));
806 id128_format_as_uuid(rnd, as_uuid);
808 r = write_string_file(from, as_uuid);
810 log_error("Failed to write boot id: %s", strerror(-r));
814 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
815 log_error("Failed to bind mount boot id: %m");
817 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
818 log_warning("Failed to make boot id read-only: %m");
824 static int copy_devnodes(const char *dest) {
826 static const char devnodes[] =
836 _cleanup_umask_ mode_t u;
842 NULSTR_FOREACH(d, devnodes) {
843 _cleanup_free_ char *from = NULL, *to = NULL;
846 from = strappend("/dev/", d);
847 to = strjoin(dest, "/dev/", d, NULL);
851 if (stat(from, &st) < 0) {
853 if (errno != ENOENT) {
854 log_error("Failed to stat %s: %m", from);
858 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
860 log_error("%s is not a char or block device, cannot copy", from);
863 } else if (mknod(to, st.st_mode, st.st_rdev) < 0) {
865 log_error("mknod(%s) failed: %m", dest);
873 static int setup_ptmx(const char *dest) {
874 _cleanup_free_ char *p = NULL;
876 p = strappend(dest, "/dev/ptmx");
880 if (symlink("pts/ptmx", p) < 0) {
881 log_error("Failed to create /dev/ptmx symlink: %m");
888 static int setup_dev_console(const char *dest, const char *console) {
889 _cleanup_umask_ mode_t u;
899 if (stat("/dev/null", &st) < 0) {
900 log_error("Failed to stat /dev/null: %m");
904 r = chmod_and_chown(console, 0600, 0, 0);
906 log_error("Failed to correct access mode for TTY: %s", strerror(-r));
910 /* We need to bind mount the right tty to /dev/console since
911 * ptys can only exist on pts file systems. To have something
912 * to bind mount things on we create a device node first, and
913 * use /dev/null for that since we the cgroups device policy
914 * allows us to create that freely, while we cannot create
915 * /dev/console. (Note that the major minor doesn't actually
916 * matter here, since we mount it over anyway). */
918 to = strappenda(dest, "/dev/console");
919 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0) {
920 log_error("mknod() for /dev/console failed: %m");
924 if (mount(console, to, "bind", MS_BIND, NULL) < 0) {
925 log_error("Bind mount for /dev/console failed: %m");
932 static int setup_kmsg(const char *dest, int kmsg_socket) {
933 _cleanup_free_ char *from = NULL, *to = NULL;
935 _cleanup_umask_ mode_t u;
937 struct cmsghdr cmsghdr;
938 uint8_t buf[CMSG_SPACE(sizeof(int))];
941 .msg_control = &control,
942 .msg_controllen = sizeof(control),
944 struct cmsghdr *cmsg;
947 assert(kmsg_socket >= 0);
951 /* We create the kmsg FIFO as /dev/kmsg, but immediately
952 * delete it after bind mounting it to /proc/kmsg. While FIFOs
953 * on the reading side behave very similar to /proc/kmsg,
954 * their writing side behaves differently from /dev/kmsg in
955 * that writing blocks when nothing is reading. In order to
956 * avoid any problems with containers deadlocking due to this
957 * we simply make /dev/kmsg unavailable to the container. */
958 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
959 asprintf(&to, "%s/proc/kmsg", dest) < 0)
962 if (mkfifo(from, 0600) < 0) {
963 log_error("mkfifo() for /dev/kmsg failed: %m");
967 r = chmod_and_chown(from, 0600, 0, 0);
969 log_error("Failed to correct access mode for /dev/kmsg: %s", strerror(-r));
973 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
974 log_error("Bind mount for /proc/kmsg failed: %m");
978 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
980 log_error("Failed to open fifo: %m");
984 cmsg = CMSG_FIRSTHDR(&mh);
985 cmsg->cmsg_level = SOL_SOCKET;
986 cmsg->cmsg_type = SCM_RIGHTS;
987 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
988 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
990 mh.msg_controllen = cmsg->cmsg_len;
992 /* Store away the fd in the socket, so that it stays open as
993 * long as we run the child */
994 k = sendmsg(kmsg_socket, &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
998 log_error("Failed to send FIFO fd: %m");
1002 /* And now make the FIFO unavailable as /dev/kmsg... */
1007 static int setup_hostname(void) {
1009 if (arg_share_system)
1012 if (sethostname(arg_machine, strlen(arg_machine)) < 0)
1018 static int setup_journal(const char *directory) {
1019 sd_id128_t machine_id, this_id;
1020 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1024 p = strappend(directory, "/etc/machine-id");
1028 r = read_one_line_file(p, &b);
1029 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1032 log_error("Failed to read machine ID from %s: %s", p, strerror(-r));
1037 if (isempty(id) && arg_link_journal == LINK_AUTO)
1040 /* Verify validity */
1041 r = sd_id128_from_string(id, &machine_id);
1043 log_error("Failed to parse machine ID from %s: %s", p, strerror(-r));
1047 r = sd_id128_get_machine(&this_id);
1049 log_error("Failed to retrieve machine ID: %s", strerror(-r));
1053 if (sd_id128_equal(machine_id, this_id)) {
1054 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1055 "Host and machine ids are equal (%s): refusing to link journals", id);
1056 if (arg_link_journal == LINK_AUTO)
1062 if (arg_link_journal == LINK_NO)
1066 p = strappend("/var/log/journal/", id);
1067 q = strjoin(directory, "/var/log/journal/", id, NULL);
1071 if (path_is_mount_point(p, false) > 0) {
1072 if (arg_link_journal != LINK_AUTO) {
1073 log_error("%s: already a mount point, refusing to use for journal", p);
1080 if (path_is_mount_point(q, false) > 0) {
1081 if (arg_link_journal != LINK_AUTO) {
1082 log_error("%s: already a mount point, refusing to use for journal", q);
1089 r = readlink_and_make_absolute(p, &d);
1091 if ((arg_link_journal == LINK_GUEST ||
1092 arg_link_journal == LINK_AUTO) &&
1095 r = mkdir_p(q, 0755);
1097 log_warning("failed to create directory %s: %m", q);
1101 if (unlink(p) < 0) {
1102 log_error("Failed to remove symlink %s: %m", p);
1105 } else if (r == -EINVAL) {
1107 if (arg_link_journal == LINK_GUEST &&
1110 if (errno == ENOTDIR) {
1111 log_error("%s already exists and is neither a symlink nor a directory", p);
1114 log_error("Failed to remove %s: %m", p);
1118 } else if (r != -ENOENT) {
1119 log_error("readlink(%s) failed: %m", p);
1123 if (arg_link_journal == LINK_GUEST) {
1125 if (symlink(q, p) < 0) {
1126 log_error("Failed to symlink %s to %s: %m", q, p);
1130 r = mkdir_p(q, 0755);
1132 log_warning("failed to create directory %s: %m", q);
1136 if (arg_link_journal == LINK_HOST) {
1137 r = mkdir_p(p, 0755);
1139 log_error("Failed to create %s: %m", p);
1143 } else if (access(p, F_OK) < 0)
1146 r = mkdir_p(q, 0755);
1148 log_error("Failed to create %s: %m", q);
1152 if (mount(p, q, "bind", MS_BIND, NULL) < 0) {
1153 log_error("Failed to bind mount journal from host into guest: %m");
1160 static int setup_kdbus(const char *dest, const char *path) {
1166 p = strappenda(dest, "/dev/kdbus");
1167 if (mkdir(p, 0755) < 0) {
1168 log_error("Failed to create kdbus path: %m");
1172 if (mount(path, p, "bind", MS_BIND, NULL) < 0) {
1173 log_error("Failed to mount kdbus domain path: %m");
1180 static int drop_capabilities(void) {
1181 return capability_bounding_set_drop(~arg_retain, false);
1184 static int register_machine(pid_t pid) {
1185 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1186 _cleanup_bus_unref_ sd_bus *bus = NULL;
1192 r = sd_bus_default_system(&bus);
1194 log_error("Failed to open system bus: %s", strerror(-r));
1198 if (arg_keep_unit) {
1199 r = sd_bus_call_method(
1201 "org.freedesktop.machine1",
1202 "/org/freedesktop/machine1",
1203 "org.freedesktop.machine1.Manager",
1209 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1213 strempty(arg_directory));
1215 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1217 r = sd_bus_message_new_method_call(
1220 "org.freedesktop.machine1",
1221 "/org/freedesktop/machine1",
1222 "org.freedesktop.machine1.Manager",
1225 log_error("Failed to create message: %s", strerror(-r));
1229 r = sd_bus_message_append(
1233 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1237 strempty(arg_directory));
1239 log_error("Failed to append message arguments: %s", strerror(-r));
1243 r = sd_bus_message_open_container(m, 'a', "(sv)");
1245 log_error("Failed to open container: %s", strerror(-r));
1249 if (!isempty(arg_slice)) {
1250 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
1252 log_error("Failed to append slice: %s", strerror(-r));
1257 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
1259 log_error("Failed to add device policy: %s", strerror(-r));
1263 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 10,
1264 /* Allow the container to
1265 * access and create the API
1266 * device nodes, so that
1267 * PrivateDevices= in the
1268 * container can work
1273 "/dev/random", "rwm",
1274 "/dev/urandom", "rwm",
1276 /* Allow the container
1277 * access to ptys. However,
1279 * container to ever create
1280 * these device nodes. */
1281 "/dev/pts/ptmx", "rw",
1283 /* Allow the container
1284 * access to all kdbus
1285 * devices. Again, the
1286 * container cannot create
1287 * these nodes, only use
1288 * them. We use a pretty
1289 * open match here, so that
1290 * the kernel API can still
1293 "char-kdbus/*", "rw");
1295 log_error("Failed to add device whitelist: %s", strerror(-r));
1299 r = sd_bus_message_close_container(m);
1301 log_error("Failed to close container: %s", strerror(-r));
1305 r = sd_bus_call(bus, m, 0, &error, NULL);
1309 log_error("Failed to register machine: %s", bus_error_message(&error, r));
1316 static int terminate_machine(pid_t pid) {
1317 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1318 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
1319 _cleanup_bus_unref_ sd_bus *bus = NULL;
1326 r = sd_bus_default_system(&bus);
1328 log_error("Failed to open system bus: %s", strerror(-r));
1332 r = sd_bus_call_method(
1334 "org.freedesktop.machine1",
1335 "/org/freedesktop/machine1",
1336 "org.freedesktop.machine1.Manager",
1343 /* Note that the machine might already have been
1344 * cleaned up automatically, hence don't consider it a
1345 * failure if we cannot get the machine object. */
1346 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
1350 r = sd_bus_message_read(reply, "o", &path);
1352 return bus_log_parse_error(r);
1354 r = sd_bus_call_method(
1356 "org.freedesktop.machine1",
1358 "org.freedesktop.machine1.Machine",
1364 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
1371 static int reset_audit_loginuid(void) {
1372 _cleanup_free_ char *p = NULL;
1375 if (arg_share_system)
1378 r = read_one_line_file("/proc/self/loginuid", &p);
1382 log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
1386 /* Already reset? */
1387 if (streq(p, "4294967295"))
1390 r = write_string_file("/proc/self/loginuid", "4294967295");
1392 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
1393 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1394 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1395 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1396 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
1404 #define HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
1406 static int get_mac(struct ether_addr *mac) {
1413 l = strlen(arg_machine);
1414 sz = sizeof(sd_id128_t) + l;
1417 /* fetch some persistent data unique to the host */
1418 r = sd_id128_get_machine((sd_id128_t*) v);
1422 /* combine with some data unique (on this host) to this
1423 * container instance */
1424 memcpy(v + sizeof(sd_id128_t), arg_machine, l);
1426 /* Let's hash the host machine ID plus the container name. We
1427 * use a fixed, but originally randomly created hash key here. */
1428 siphash24(result, v, sz, HASH_KEY.bytes);
1430 assert_cc(ETH_ALEN <= sizeof(result));
1431 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
1433 /* see eth_random_addr in the kernel */
1434 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
1435 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
1440 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ]) {
1441 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1442 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1443 struct ether_addr mac;
1446 if (!arg_private_network)
1449 if (!arg_network_veth)
1452 /* Use two different interface name prefixes depending whether
1453 * we are in bridge mode or not. */
1454 if (arg_network_bridge)
1455 memcpy(iface_name, "vb-", 3);
1457 memcpy(iface_name, "ve-", 3);
1458 strncpy(iface_name+3, arg_machine, IFNAMSIZ - 3);
1462 log_error("Failed to generate predictable MAC address for host0");
1466 r = sd_rtnl_open(&rtnl, 0);
1468 log_error("Failed to connect to netlink: %s", strerror(-r));
1472 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1474 log_error("Failed to allocate netlink message: %s", strerror(-r));
1478 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
1480 log_error("Failed to add netlink interface name: %s", strerror(-r));
1484 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1486 log_error("Failed to open netlink container: %s", strerror(-r));
1490 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
1492 log_error("Failed to open netlink container: %s", strerror(-r));
1496 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
1498 log_error("Failed to open netlink container: %s", strerror(-r));
1502 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
1504 log_error("Failed to add netlink interface name: %s", strerror(-r));
1508 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac);
1510 log_error("Failed to add netlink MAC address: %s", strerror(-r));
1514 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1516 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1520 r = sd_rtnl_message_close_container(m);
1522 log_error("Failed to close netlink container: %s", strerror(-r));
1526 r = sd_rtnl_message_close_container(m);
1528 log_error("Failed to close netlink container: %s", strerror(-r));
1532 r = sd_rtnl_message_close_container(m);
1534 log_error("Failed to close netlink container: %s", strerror(-r));
1538 r = sd_rtnl_call(rtnl, m, 0, NULL);
1540 log_error("Failed to add new veth interfaces: %s", strerror(-r));
1547 static int setup_bridge(const char veth_name[]) {
1548 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1549 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1552 if (!arg_private_network)
1555 if (!arg_network_veth)
1558 if (!arg_network_bridge)
1561 bridge = (int) if_nametoindex(arg_network_bridge);
1563 log_error("Failed to resolve interface %s: %m", arg_network_bridge);
1567 r = sd_rtnl_open(&rtnl, 0);
1569 log_error("Failed to connect to netlink: %s", strerror(-r));
1573 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
1575 log_error("Failed to allocate netlink message: %s", strerror(-r));
1579 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
1581 log_error("Failed to set IFF_UP flag: %s", strerror(-r));
1585 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
1587 log_error("Failed to add netlink interface name field: %s", strerror(-r));
1591 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
1593 log_error("Failed to add netlink master field: %s", strerror(-r));
1597 r = sd_rtnl_call(rtnl, m, 0, NULL);
1599 log_error("Failed to add veth interface to bridge: %s", strerror(-r));
1606 static int parse_interface(struct udev *udev, const char *name) {
1607 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1608 char ifi_str[2 + DECIMAL_STR_MAX(int)];
1611 ifi = (int) if_nametoindex(name);
1613 log_error("Failed to resolve interface %s: %m", name);
1617 sprintf(ifi_str, "n%i", ifi);
1618 d = udev_device_new_from_device_id(udev, ifi_str);
1620 log_error("Failed to get udev device for interface %s: %m", name);
1624 if (udev_device_get_is_initialized(d) <= 0) {
1625 log_error("Network interface %s is not initialized yet.", name);
1632 static int move_network_interfaces(pid_t pid) {
1633 _cleanup_udev_unref_ struct udev *udev = NULL;
1634 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1638 if (!arg_private_network)
1641 if (strv_isempty(arg_network_interfaces))
1644 r = sd_rtnl_open(&rtnl, 0);
1646 log_error("Failed to connect to netlink: %s", strerror(-r));
1652 log_error("Failed to connect to udev.");
1656 STRV_FOREACH(i, arg_network_interfaces) {
1657 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1660 ifi = parse_interface(udev, *i);
1664 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, ifi);
1666 log_error("Failed to allocate netlink message: %s", strerror(-r));
1670 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1672 log_error("Failed to append namespace PID to netlink message: %s", strerror(-r));
1676 r = sd_rtnl_call(rtnl, m, 0, NULL);
1678 log_error("Failed to move interface %s to namespace: %s", *i, strerror(-r));
1686 static int setup_macvlan(pid_t pid) {
1687 _cleanup_udev_unref_ struct udev *udev = NULL;
1688 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1692 if (!arg_private_network)
1695 if (strv_isempty(arg_network_macvlan))
1698 r = sd_rtnl_open(&rtnl, 0);
1700 log_error("Failed to connect to netlink: %s", strerror(-r));
1706 log_error("Failed to connect to udev.");
1710 STRV_FOREACH(i, arg_network_macvlan) {
1711 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1712 _cleanup_free_ char *n = NULL;
1715 ifi = parse_interface(udev, *i);
1719 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1721 log_error("Failed to allocate netlink message: %s", strerror(-r));
1725 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
1727 log_error("Failed to add netlink interface index: %s", strerror(-r));
1731 n = strappend("mv-", *i);
1735 strshorten(n, IFNAMSIZ-1);
1737 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
1739 log_error("Failed to add netlink interface name: %s", strerror(-r));
1743 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1745 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1749 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1751 log_error("Failed to open netlink container: %s", strerror(-r));
1755 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
1757 log_error("Failed to open netlink container: %s", strerror(-r));
1761 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
1763 log_error("Failed to append macvlan mode: %s", strerror(-r));
1767 r = sd_rtnl_message_close_container(m);
1769 log_error("Failed to close netlink container: %s", strerror(-r));
1773 r = sd_rtnl_message_close_container(m);
1775 log_error("Failed to close netlink container: %s", strerror(-r));
1779 r = sd_rtnl_call(rtnl, m, 0, NULL);
1781 log_error("Failed to add new macvlan interfaces: %s", strerror(-r));
1789 static int audit_still_doesnt_work_in_containers(void) {
1792 scmp_filter_ctx seccomp;
1796 Audit is broken in containers, much of the userspace audit
1797 hookup will fail if running inside a container. We don't
1798 care and just turn off creation of audit sockets.
1800 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
1801 with EAFNOSUPPORT which audit userspace uses as indication
1802 that audit is disabled in the kernel.
1805 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1809 r = seccomp_add_secondary_archs(seccomp);
1811 log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
1815 r = seccomp_rule_add(
1817 SCMP_ACT_ERRNO(EAFNOSUPPORT),
1820 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
1821 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
1823 log_error("Failed to add audit seccomp rule: %s", strerror(-r));
1827 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1829 log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
1833 r = seccomp_load(seccomp);
1835 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
1838 seccomp_release(seccomp);
1846 static int setup_image(char **device_path, int *loop_nr) {
1847 struct loop_info64 info = {
1848 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
1850 _cleanup_close_ int fd = -1, control = -1, loop = -1;
1851 _cleanup_free_ char* loopdev = NULL;
1855 assert(device_path);
1858 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
1860 log_error("Failed to open %s: %m", arg_image);
1864 if (fstat(fd, &st) < 0) {
1865 log_error("Failed to stat %s: %m", arg_image);
1869 if (S_ISBLK(st.st_mode)) {
1872 p = strdup(arg_image);
1886 if (!S_ISREG(st.st_mode)) {
1887 log_error("%s is not a regular file or block device: %m", arg_image);
1891 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
1893 log_error("Failed to open /dev/loop-control: %m");
1897 nr = ioctl(control, LOOP_CTL_GET_FREE);
1899 log_error("Failed to allocate loop device: %m");
1903 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
1906 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
1908 log_error("Failed to open loop device %s: %m", loopdev);
1912 if (ioctl(loop, LOOP_SET_FD, fd) < 0) {
1913 log_error("Failed to set loopback file descriptor on %s: %m", loopdev);
1918 info.lo_flags |= LO_FLAGS_READ_ONLY;
1920 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0) {
1921 log_error("Failed to set loopback settings on %s: %m", loopdev);
1925 *device_path = loopdev;
1936 static int dissect_image(
1938 char **root_device, bool *root_device_rw,
1939 char **home_device, bool *home_device_rw,
1940 char **srv_device, bool *srv_device_rw,
1944 int home_nr = -1, root_nr = -1, secondary_root_nr = -1, srv_nr = -1;
1945 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL;
1946 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
1947 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1948 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
1949 _cleanup_udev_unref_ struct udev *udev = NULL;
1950 struct udev_list_entry *first, *item;
1951 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true;
1952 const char *pttype = NULL;
1958 assert(root_device);
1959 assert(home_device);
1963 b = blkid_new_probe();
1968 r = blkid_probe_set_device(b, fd, 0, 0);
1973 log_error("Failed to set device on blkid probe: %m");
1977 blkid_probe_enable_partitions(b, 1);
1978 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
1981 r = blkid_do_safeprobe(b);
1982 if (r == -2 || r == 1) {
1983 log_error("Failed to identify any partition table on %s.\n"
1984 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
1986 } else if (r != 0) {
1989 log_error("Failed to probe: %m");
1993 blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
1994 if (!streq_ptr(pttype, "gpt")) {
1995 log_error("Image %s does not carry a GUID Partition Table.\n"
1996 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2001 pl = blkid_probe_get_partitions(b);
2006 log_error("Failed to list partitions of %s", arg_image);
2014 if (fstat(fd, &st) < 0) {
2015 log_error("Failed to stat block device: %m");
2019 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2023 e = udev_enumerate_new(udev);
2027 r = udev_enumerate_add_match_parent(e, d);
2031 r = udev_enumerate_scan_devices(e);
2033 log_error("Failed to scan for partition devices of %s: %s", arg_image, strerror(-r));
2037 first = udev_enumerate_get_list_entry(e);
2038 udev_list_entry_foreach(item, first) {
2039 _cleanup_udev_device_unref_ struct udev_device *q;
2040 const char *stype, *node;
2041 unsigned long long flags;
2048 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2053 log_error("Failed to get partition device of %s: %m", arg_image);
2057 qn = udev_device_get_devnum(q);
2061 if (st.st_rdev == qn)
2064 node = udev_device_get_devnode(q);
2068 pp = blkid_partlist_devno_to_partition(pl, qn);
2072 flags = blkid_partition_get_flags(pp);
2073 if (flags & GPT_FLAG_NO_AUTO)
2076 nr = blkid_partition_get_partno(pp);
2080 stype = blkid_partition_get_type_string(pp);
2084 if (sd_id128_from_string(stype, &type_id) < 0)
2087 if (sd_id128_equal(type_id, GPT_HOME)) {
2089 if (home && nr >= home_nr)
2093 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2096 home = strdup(node);
2099 } else if (sd_id128_equal(type_id, GPT_SRV)) {
2101 if (srv && nr >= srv_nr)
2105 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
2112 #ifdef GPT_ROOT_NATIVE
2113 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
2115 if (root && nr >= root_nr)
2119 root_rw = !(flags & GPT_FLAG_READ_ONLY);
2122 root = strdup(node);
2127 #ifdef GPT_ROOT_SECONDARY
2128 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
2130 if (secondary_root && nr >= secondary_root_nr)
2133 secondary_root_nr = nr;
2134 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
2137 free(secondary_root);
2138 secondary_root = strdup(node);
2139 if (!secondary_root)
2145 if (!root && !secondary_root) {
2146 log_error("Failed to identify root partition in disk image %s.\n"
2147 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2152 *root_device = root;
2155 *root_device_rw = root_rw;
2157 } else if (secondary_root) {
2158 *root_device = secondary_root;
2159 secondary_root = NULL;
2161 *root_device_rw = secondary_root_rw;
2166 *home_device = home;
2169 *home_device_rw = home_rw;
2176 *srv_device_rw = srv_rw;
2181 log_error("--image= is not supported, compiled without blkid support.");
2186 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
2188 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2189 const char *fstype, *p;
2199 p = strappenda(where, directory);
2204 b = blkid_new_probe_from_filename(what);
2208 log_error("Failed to allocate prober for %s: %m", what);
2212 blkid_probe_enable_superblocks(b, 1);
2213 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
2216 r = blkid_do_safeprobe(b);
2217 if (r == -1 || r == 1) {
2218 log_error("Cannot determine file system type of %s", what);
2220 } else if (r != 0) {
2223 log_error("Failed to probe %s: %m", what);
2228 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
2231 log_error("Failed to determine file system type of %s", what);
2235 if (streq(fstype, "crypto_LUKS")) {
2236 log_error("nspawn currently does not support LUKS disk images.");
2240 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0) {
2241 log_error("Failed to mount %s: %m", what);
2247 log_error("--image= is not supported, compiled without blkid support.");
2252 static int mount_devices(
2254 const char *root_device, bool root_device_rw,
2255 const char *home_device, bool home_device_rw,
2256 const char *srv_device, bool srv_device_rw) {
2262 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
2264 log_error("Failed to mount root directory: %s", strerror(-r));
2270 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
2272 log_error("Failed to mount home directory: %s", strerror(-r));
2278 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
2280 log_error("Failed to mount server data directory: %s", strerror(-r));
2288 static void loop_remove(int nr, int *image_fd) {
2289 _cleanup_close_ int control = -1;
2294 if (image_fd && *image_fd >= 0) {
2295 ioctl(*image_fd, LOOP_CLR_FD);
2296 *image_fd = safe_close(*image_fd);
2299 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2303 ioctl(control, LOOP_CTL_REMOVE, nr);
2306 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
2314 if (pipe2(pipe_fds, O_CLOEXEC) < 0) {
2315 log_error("Failed to allocate pipe: %m");
2321 log_error("Failed to fork getent child: %m");
2323 } else if (pid == 0) {
2325 char *empty_env = NULL;
2327 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
2328 _exit(EXIT_FAILURE);
2330 if (pipe_fds[0] > 2)
2331 safe_close(pipe_fds[0]);
2332 if (pipe_fds[1] > 2)
2333 safe_close(pipe_fds[1]);
2335 nullfd = open("/dev/null", O_RDWR);
2337 _exit(EXIT_FAILURE);
2339 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
2340 _exit(EXIT_FAILURE);
2342 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
2343 _exit(EXIT_FAILURE);
2348 reset_all_signal_handlers();
2349 close_all_fds(NULL, 0);
2351 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
2352 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
2353 _exit(EXIT_FAILURE);
2356 pipe_fds[1] = safe_close(pipe_fds[1]);
2363 static int change_uid_gid(char **_home) {
2364 char line[LINE_MAX], *w, *x, *state, *u, *g, *h;
2365 _cleanup_free_ uid_t *uids = NULL;
2366 _cleanup_free_ char *home = NULL;
2367 _cleanup_fclose_ FILE *f = NULL;
2368 _cleanup_close_ int fd = -1;
2369 unsigned n_uids = 0;
2378 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
2379 /* Reset everything fully to 0, just in case */
2381 if (setgroups(0, NULL) < 0) {
2382 log_error("setgroups() failed: %m");
2386 if (setresgid(0, 0, 0) < 0) {
2387 log_error("setregid() failed: %m");
2391 if (setresuid(0, 0, 0) < 0) {
2392 log_error("setreuid() failed: %m");
2400 /* First, get user credentials */
2401 fd = spawn_getent("passwd", arg_user, &pid);
2405 f = fdopen(fd, "r");
2410 if (!fgets(line, sizeof(line), f)) {
2413 log_error("Failed to resolve user %s.", arg_user);
2417 log_error("Failed to read from getent: %m");
2423 wait_for_terminate_and_warn("getent passwd", pid);
2425 x = strchr(line, ':');
2427 log_error("/etc/passwd entry has invalid user field.");
2431 u = strchr(x+1, ':');
2433 log_error("/etc/passwd entry has invalid password field.");
2440 log_error("/etc/passwd entry has invalid UID field.");
2448 log_error("/etc/passwd entry has invalid GID field.");
2453 h = strchr(x+1, ':');
2455 log_error("/etc/passwd entry has invalid GECOS field.");
2462 log_error("/etc/passwd entry has invalid home directory field.");
2468 r = parse_uid(u, &uid);
2470 log_error("Failed to parse UID of user.");
2474 r = parse_gid(g, &gid);
2476 log_error("Failed to parse GID of user.");
2484 /* Second, get group memberships */
2485 fd = spawn_getent("initgroups", arg_user, &pid);
2490 f = fdopen(fd, "r");
2495 if (!fgets(line, sizeof(line), f)) {
2497 log_error("Failed to resolve user %s.", arg_user);
2501 log_error("Failed to read from getent: %m");
2507 wait_for_terminate_and_warn("getent initgroups", pid);
2509 /* Skip over the username and subsequent separator whitespace */
2511 x += strcspn(x, WHITESPACE);
2512 x += strspn(x, WHITESPACE);
2514 FOREACH_WORD(w, l, x, state) {
2520 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
2523 r = parse_uid(c, &uids[n_uids++]);
2525 log_error("Failed to parse group data from getent.");
2530 r = mkdir_parents(home, 0775);
2532 log_error("Failed to make home root directory: %s", strerror(-r));
2536 r = mkdir_safe(home, 0755, uid, gid);
2537 if (r < 0 && r != -EEXIST) {
2538 log_error("Failed to make home directory: %s", strerror(-r));
2542 fchown(STDIN_FILENO, uid, gid);
2543 fchown(STDOUT_FILENO, uid, gid);
2544 fchown(STDERR_FILENO, uid, gid);
2546 if (setgroups(n_uids, uids) < 0) {
2547 log_error("Failed to set auxiliary groups: %m");
2551 if (setresgid(gid, gid, gid) < 0) {
2552 log_error("setregid() failed: %m");
2556 if (setresuid(uid, uid, uid) < 0) {
2557 log_error("setreuid() failed: %m");
2569 int main(int argc, char *argv[]) {
2571 _cleanup_free_ char *kdbus_domain = NULL, *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
2572 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
2573 _cleanup_close_ int master = -1, kdbus_fd = -1, image_fd = -1;
2574 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 };
2575 _cleanup_fdset_free_ FDSet *fds = NULL;
2576 int r = EXIT_FAILURE, k, n_fd_passed, loop_nr = -1;
2577 const char *console = NULL;
2578 char veth_name[IFNAMSIZ];
2579 bool secondary = false;
2583 log_parse_environment();
2586 k = parse_argv(argc, argv);
2595 if (arg_directory) {
2598 p = path_make_absolute_cwd(arg_directory);
2599 free(arg_directory);
2602 arg_directory = get_current_dir_name();
2604 if (!arg_directory) {
2605 log_error("Failed to determine path, please use -D.");
2608 path_kill_slashes(arg_directory);
2612 arg_machine = strdup(basename(arg_image ? arg_image : arg_directory));
2618 hostname_cleanup(arg_machine, false);
2619 if (isempty(arg_machine)) {
2620 log_error("Failed to determine machine name automatically, please use -M.");
2625 if (geteuid() != 0) {
2626 log_error("Need to be root.");
2630 if (sd_booted() <= 0) {
2631 log_error("Not running on a systemd system.");
2636 n_fd_passed = sd_listen_fds(false);
2637 if (n_fd_passed > 0) {
2638 k = fdset_new_listen_fds(&fds, false);
2640 log_error("Failed to collect file descriptors: %s", strerror(-k));
2644 fdset_close_others(fds);
2647 if (arg_directory) {
2648 if (path_equal(arg_directory, "/")) {
2649 log_error("Spawning container on root directory not supported.");
2654 if (path_is_os_tree(arg_directory) <= 0) {
2655 log_error("Directory %s doesn't look like an OS root directory (/etc/os-release is missing). Refusing.", arg_directory);
2661 p = strappenda(arg_directory,
2662 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
2663 if (access(p, F_OK) < 0) {
2664 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
2670 char template[] = "/tmp/nspawn-root-XXXXXX";
2672 if (!mkdtemp(template)) {
2673 log_error("Failed to create temporary directory: %m");
2678 arg_directory = strdup(template);
2679 if (!arg_directory) {
2684 image_fd = setup_image(&device_path, &loop_nr);
2690 r = dissect_image(image_fd, &root_device, &root_device_rw, &home_device, &home_device_rw, &srv_device, &srv_device_rw, &secondary);
2695 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
2697 log_error("Failed to acquire pseudo tty: %m");
2701 console = ptsname(master);
2703 log_error("Failed to determine tty name: %m");
2708 log_info("Spawning container %s on %s. Press ^] three times within 1s to abort execution.", arg_machine, arg_image ? arg_image : arg_directory);
2710 if (unlockpt(master) < 0) {
2711 log_error("Failed to unlock tty: %m");
2715 if (access("/dev/kdbus/control", F_OK) >= 0) {
2717 if (arg_share_system) {
2718 kdbus_domain = strdup("/dev/kdbus");
2719 if (!kdbus_domain) {
2726 ns = strappenda("machine-", arg_machine);
2727 kdbus_fd = bus_kernel_create_domain(ns, &kdbus_domain);
2729 log_debug("Failed to create kdbus domain: %s", strerror(-r));
2731 log_debug("Successfully created kdbus domain as %s", kdbus_domain);
2735 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
2736 log_error("Failed to create kmsg socket pair: %m");
2740 sd_notify(0, "READY=1");
2742 assert_se(sigemptyset(&mask) == 0);
2743 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
2744 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
2747 int parent_ready_fd = -1, child_ready_fd = -1;
2751 parent_ready_fd = eventfd(0, EFD_CLOEXEC);
2752 if (parent_ready_fd < 0) {
2753 log_error("Failed to create event fd: %m");
2757 child_ready_fd = eventfd(0, EFD_CLOEXEC);
2758 if (child_ready_fd < 0) {
2759 log_error("Failed to create event fd: %m");
2763 pid = syscall(__NR_clone,
2764 SIGCHLD|CLONE_NEWNS|
2765 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
2766 (arg_private_network ? CLONE_NEWNET : 0), NULL);
2768 if (errno == EINVAL)
2769 log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
2771 log_error("clone() failed: %m");
2778 _cleanup_free_ char *home = NULL;
2780 const char *envp[] = {
2781 "PATH=" DEFAULT_PATH_SPLIT_USR,
2782 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
2787 NULL, /* container_uuid */
2788 NULL, /* LISTEN_FDS */
2789 NULL, /* LISTEN_PID */
2794 envp[n_env] = strv_find_prefix(environ, "TERM=");
2798 master = safe_close(master);
2800 close_nointr(STDIN_FILENO);
2801 close_nointr(STDOUT_FILENO);
2802 close_nointr(STDERR_FILENO);
2804 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
2806 reset_all_signal_handlers();
2808 assert_se(sigemptyset(&mask) == 0);
2809 assert_se(sigprocmask(SIG_SETMASK, &mask, NULL) == 0);
2811 k = open_terminal(console, O_RDWR);
2812 if (k != STDIN_FILENO) {
2818 log_error("Failed to open console: %s", strerror(-k));
2822 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
2823 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
2824 log_error("Failed to duplicate console: %m");
2829 log_error("setsid() failed: %m");
2833 if (reset_audit_loginuid() < 0)
2836 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
2837 log_error("PR_SET_PDEATHSIG failed: %m");
2841 /* Mark everything as slave, so that we still
2842 * receive mounts from the real root, but don't
2843 * propagate mounts to the real root. */
2844 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
2845 log_error("MS_SLAVE|MS_REC failed: %m");
2849 if (mount_devices(arg_directory,
2850 root_device, root_device_rw,
2851 home_device, home_device_rw,
2852 srv_device, srv_device_rw) < 0)
2855 /* Turn directory into bind mount */
2856 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
2857 log_error("Failed to make bind mount.");
2862 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) {
2863 log_error("Failed to make read-only.");
2867 if (mount_all(arg_directory) < 0)
2870 if (copy_devnodes(arg_directory) < 0)
2873 if (setup_ptmx(arg_directory) < 0)
2876 dev_setup(arg_directory);
2878 if (audit_still_doesnt_work_in_containers() < 0)
2881 if (setup_dev_console(arg_directory, console) < 0)
2884 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
2887 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
2889 if (setup_boot_id(arg_directory) < 0)
2892 if (setup_timezone(arg_directory) < 0)
2895 if (setup_resolv_conf(arg_directory) < 0)
2898 if (setup_journal(arg_directory) < 0)
2901 if (mount_binds(arg_directory, arg_bind, 0) < 0)
2904 if (mount_binds(arg_directory, arg_bind_ro, MS_RDONLY) < 0)
2907 if (setup_kdbus(arg_directory, kdbus_domain) < 0)
2910 /* Tell the parent that we are ready, and that
2911 * it can cgroupify us to that we lack access
2912 * to certain devices and resources. */
2913 eventfd_write(child_ready_fd, 1);
2914 child_ready_fd = safe_close(child_ready_fd);
2916 if (chdir(arg_directory) < 0) {
2917 log_error("chdir(%s) failed: %m", arg_directory);
2921 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
2922 log_error("mount(MS_MOVE) failed: %m");
2926 if (chroot(".") < 0) {
2927 log_error("chroot() failed: %m");
2931 if (chdir("/") < 0) {
2932 log_error("chdir() failed: %m");
2938 if (arg_private_network)
2941 if (drop_capabilities() < 0) {
2942 log_error("drop_capabilities() failed: %m");
2946 r = change_uid_gid(&home);
2950 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
2951 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
2952 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
2957 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
2960 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
2966 if (fdset_size(fds) > 0) {
2967 k = fdset_cloexec(fds, false);
2969 log_error("Failed to unset O_CLOEXEC for file descriptors.");
2973 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
2974 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
2982 if (arg_personality != 0xffffffffLU) {
2983 if (personality(arg_personality) < 0) {
2984 log_error("personality() failed: %m");
2987 } else if (secondary) {
2988 if (personality(PER_LINUX32) < 0) {
2989 log_error("personality() failed: %m");
2995 if (arg_selinux_context)
2996 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
2997 log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
3002 if (!strv_isempty(arg_setenv)) {
3005 n = strv_env_merge(2, envp, arg_setenv);
3013 env_use = (char**) envp;
3015 /* Wait until the parent is ready with the setup, too... */
3016 eventfd_read(parent_ready_fd, &x);
3017 parent_ready_fd = safe_close(parent_ready_fd);
3023 /* Automatically search for the init system */
3025 l = 1 + argc - optind;
3026 a = newa(char*, l + 1);
3027 memcpy(a + 1, argv + optind, l * sizeof(char*));
3029 a[0] = (char*) "/usr/lib/systemd/systemd";
3030 execve(a[0], a, env_use);
3032 a[0] = (char*) "/lib/systemd/systemd";
3033 execve(a[0], a, env_use);
3035 a[0] = (char*) "/sbin/init";
3036 execve(a[0], a, env_use);
3037 } else if (argc > optind)
3038 execvpe(argv[optind], argv + optind, env_use);
3040 chdir(home ? home : "/root");
3041 execle("/bin/bash", "-bash", NULL, env_use);
3042 execle("/bin/sh", "-sh", NULL, env_use);
3045 log_error("execv() failed: %m");
3048 _exit(EXIT_FAILURE);
3054 /* Wait until the child reported that it is ready with
3055 * all it needs to do with privileges. After we got
3056 * the notification we can make the process join its
3057 * cgroup which might limit what it can do */
3058 eventfd_read(child_ready_fd, &x);
3060 r = register_machine(pid);
3064 r = move_network_interfaces(pid);
3068 r = setup_veth(pid, veth_name);
3072 r = setup_bridge(veth_name);
3076 r = setup_macvlan(pid);
3080 /* Notify the child that the parent is ready with all
3081 * its setup, and thtat the child can now hand over
3082 * control to the code to run inside the container. */
3083 eventfd_write(parent_ready_fd, 1);
3085 k = process_pty(master, &mask, arg_boot ? pid : 0, SIGRTMIN+3);
3094 /* Kill if it is not dead yet anyway */
3095 terminate_machine(pid);
3097 /* Redundant, but better safe than sorry */
3100 k = wait_for_terminate(pid, &status);
3108 if (status.si_code == CLD_EXITED) {
3109 r = status.si_status;
3110 if (status.si_status != 0) {
3111 log_error("Container %s failed with error code %i.", arg_machine, status.si_status);
3116 log_debug("Container %s exited successfully.", arg_machine);
3118 } else if (status.si_code == CLD_KILLED &&
3119 status.si_status == SIGINT) {
3122 log_info("Container %s has been shut down.", arg_machine);
3125 } else if (status.si_code == CLD_KILLED &&
3126 status.si_status == SIGHUP) {
3129 log_info("Container %s is being rebooted.", arg_machine);
3131 } else if (status.si_code == CLD_KILLED ||
3132 status.si_code == CLD_DUMPED) {
3134 log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
3138 log_error("Container %s failed due to unknown reason.", arg_machine);
3145 loop_remove(loop_nr, &image_fd);
3150 free(arg_directory);
3153 strv_free(arg_setenv);
3154 strv_free(arg_network_interfaces);
3155 strv_free(arg_network_macvlan);
3156 strv_free(arg_bind);
3157 strv_free(arg_bind_ro);
~ianmdlvl / elogind.git / blob