1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
37 #include <sys/signalfd.h>
41 #include <sys/socket.h>
42 #include <linux/netlink.h>
44 #include <linux/veth.h>
45 #include <sys/personality.h>
46 #include <linux/loop.h>
49 #include <selinux/selinux.h>
57 #include <blkid/blkid.h>
60 #include "sd-daemon.h"
70 #include "cgroup-util.h"
72 #include "path-util.h"
73 #include "loopback-setup.h"
74 #include "dev-setup.h"
79 #include "bus-error.h"
81 #include "bus-kernel.h"
84 #include "rtnl-util.h"
85 #include "udev-util.h"
86 #include "blkid-util.h"
88 #include "siphash24.h"
90 #include "base-filesystem.h"
94 #include "seccomp-util.h"
97 typedef enum ContainerStatus {
102 typedef enum LinkJournal {
109 typedef enum Volatile {
115 static char *arg_directory = NULL;
116 static char *arg_user = NULL;
117 static sd_id128_t arg_uuid = {};
118 static char *arg_machine = NULL;
119 static const char *arg_selinux_context = NULL;
120 static const char *arg_selinux_apifs_context = NULL;
121 static const char *arg_slice = NULL;
122 static bool arg_private_network = false;
123 static bool arg_read_only = false;
124 static bool arg_boot = false;
125 static LinkJournal arg_link_journal = LINK_AUTO;
126 static uint64_t arg_retain =
127 (1ULL << CAP_CHOWN) |
128 (1ULL << CAP_DAC_OVERRIDE) |
129 (1ULL << CAP_DAC_READ_SEARCH) |
130 (1ULL << CAP_FOWNER) |
131 (1ULL << CAP_FSETID) |
132 (1ULL << CAP_IPC_OWNER) |
134 (1ULL << CAP_LEASE) |
135 (1ULL << CAP_LINUX_IMMUTABLE) |
136 (1ULL << CAP_NET_BIND_SERVICE) |
137 (1ULL << CAP_NET_BROADCAST) |
138 (1ULL << CAP_NET_RAW) |
139 (1ULL << CAP_SETGID) |
140 (1ULL << CAP_SETFCAP) |
141 (1ULL << CAP_SETPCAP) |
142 (1ULL << CAP_SETUID) |
143 (1ULL << CAP_SYS_ADMIN) |
144 (1ULL << CAP_SYS_CHROOT) |
145 (1ULL << CAP_SYS_NICE) |
146 (1ULL << CAP_SYS_PTRACE) |
147 (1ULL << CAP_SYS_TTY_CONFIG) |
148 (1ULL << CAP_SYS_RESOURCE) |
149 (1ULL << CAP_SYS_BOOT) |
150 (1ULL << CAP_AUDIT_WRITE) |
151 (1ULL << CAP_AUDIT_CONTROL) |
153 static char **arg_bind = NULL;
154 static char **arg_bind_ro = NULL;
155 static char **arg_tmpfs = NULL;
156 static char **arg_setenv = NULL;
157 static bool arg_quiet = false;
158 static bool arg_share_system = false;
159 static bool arg_register = true;
160 static bool arg_keep_unit = false;
161 static char **arg_network_interfaces = NULL;
162 static char **arg_network_macvlan = NULL;
163 static bool arg_network_veth = false;
164 static const char *arg_network_bridge = NULL;
165 static unsigned long arg_personality = 0xffffffffLU;
166 static const char *arg_image = NULL;
167 static Volatile arg_volatile = VOLATILE_NO;
169 static void help(void) {
170 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
171 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
172 " -h --help Show this help\n"
173 " --version Print version string\n"
174 " -q --quiet Do not show status information\n"
175 " -D --directory=PATH Root directory for the container\n"
176 " -i --image=PATH File system device or image for the container\n"
177 " -b --boot Boot up full system (i.e. invoke init)\n"
178 " -u --user=USER Run the command under specified user or uid\n"
179 " -M --machine=NAME Set the machine name for the container\n"
180 " --uuid=UUID Set a specific machine UUID for the container\n"
181 " -S --slice=SLICE Place the container in the specified slice\n"
182 " --private-network Disable network in container\n"
183 " --network-interface=INTERFACE\n"
184 " Assign an existing network interface to the\n"
186 " --network-macvlan=INTERFACE\n"
187 " Create a macvlan network interface based on an\n"
188 " existing network interface to the container\n"
189 " --network-veth Add a virtual ethernet connection between host\n"
191 " --network-bridge=INTERFACE\n"
192 " Add a virtual ethernet connection between host\n"
193 " and container and add it to an existing bridge on\n"
195 " -Z --selinux-context=SECLABEL\n"
196 " Set the SELinux security context to be used by\n"
197 " processes in the container\n"
198 " -L --selinux-apifs-context=SECLABEL\n"
199 " Set the SELinux security context to be used by\n"
200 " API/tmpfs file systems in the container\n"
201 " --capability=CAP In addition to the default, retain specified\n"
203 " --drop-capability=CAP Drop the specified capability from the default set\n"
204 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n"
205 " -j Equivalent to --link-journal=host\n"
206 " --read-only Mount the root directory read-only\n"
207 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
209 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
210 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
211 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
212 " --share-system Share system namespaces with host\n"
213 " --register=BOOLEAN Register container as machine\n"
214 " --keep-unit Do not register a scope for the machine, reuse\n"
215 " the service unit nspawn is running in\n"
216 " --volatile[=MODE] Run the system in volatile mode\n",
217 program_invocation_short_name);
220 static int parse_argv(int argc, char *argv[]) {
237 ARG_NETWORK_INTERFACE,
245 static const struct option options[] = {
246 { "help", no_argument, NULL, 'h' },
247 { "version", no_argument, NULL, ARG_VERSION },
248 { "directory", required_argument, NULL, 'D' },
249 { "user", required_argument, NULL, 'u' },
250 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
251 { "boot", no_argument, NULL, 'b' },
252 { "uuid", required_argument, NULL, ARG_UUID },
253 { "read-only", no_argument, NULL, ARG_READ_ONLY },
254 { "capability", required_argument, NULL, ARG_CAPABILITY },
255 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
256 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
257 { "bind", required_argument, NULL, ARG_BIND },
258 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
259 { "tmpfs", required_argument, NULL, ARG_TMPFS },
260 { "machine", required_argument, NULL, 'M' },
261 { "slice", required_argument, NULL, 'S' },
262 { "setenv", required_argument, NULL, ARG_SETENV },
263 { "selinux-context", required_argument, NULL, 'Z' },
264 { "selinux-apifs-context", required_argument, NULL, 'L' },
265 { "quiet", no_argument, NULL, 'q' },
266 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
267 { "register", required_argument, NULL, ARG_REGISTER },
268 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
269 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
270 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
271 { "network-veth", no_argument, NULL, ARG_NETWORK_VETH },
272 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
273 { "personality", required_argument, NULL, ARG_PERSONALITY },
274 { "image", required_argument, NULL, 'i' },
275 { "volatile", optional_argument, NULL, ARG_VOLATILE },
280 uint64_t plus = 0, minus = 0;
285 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:", options, NULL)) >= 0)
294 puts(PACKAGE_STRING);
295 puts(SYSTEMD_FEATURES);
300 arg_directory = canonicalize_file_name(optarg);
301 if (!arg_directory) {
302 log_error("Invalid root directory: %m");
314 arg_user = strdup(optarg);
320 case ARG_NETWORK_BRIDGE:
321 arg_network_bridge = optarg;
325 case ARG_NETWORK_VETH:
326 arg_network_veth = true;
327 arg_private_network = true;
330 case ARG_NETWORK_INTERFACE:
331 if (strv_extend(&arg_network_interfaces, optarg) < 0)
334 arg_private_network = true;
337 case ARG_NETWORK_MACVLAN:
338 if (strv_extend(&arg_network_macvlan, optarg) < 0)
343 case ARG_PRIVATE_NETWORK:
344 arg_private_network = true;
352 r = sd_id128_from_string(optarg, &arg_uuid);
354 log_error("Invalid UUID: %s", optarg);
364 if (isempty(optarg)) {
369 if (!hostname_is_valid(optarg)) {
370 log_error("Invalid machine name: %s", optarg);
375 arg_machine = strdup(optarg);
383 arg_selinux_context = optarg;
387 arg_selinux_apifs_context = optarg;
391 arg_read_only = true;
395 case ARG_DROP_CAPABILITY: {
396 const char *state, *word;
399 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
400 _cleanup_free_ char *t;
403 t = strndup(word, length);
407 if (streq(t, "all")) {
408 if (c == ARG_CAPABILITY)
409 plus = (uint64_t) -1;
411 minus = (uint64_t) -1;
413 if (cap_from_name(t, &cap) < 0) {
414 log_error("Failed to parse capability %s.", t);
418 if (c == ARG_CAPABILITY)
419 plus |= 1ULL << (uint64_t) cap;
421 minus |= 1ULL << (uint64_t) cap;
429 arg_link_journal = LINK_GUEST;
432 case ARG_LINK_JOURNAL:
433 if (streq(optarg, "auto"))
434 arg_link_journal = LINK_AUTO;
435 else if (streq(optarg, "no"))
436 arg_link_journal = LINK_NO;
437 else if (streq(optarg, "guest"))
438 arg_link_journal = LINK_GUEST;
439 else if (streq(optarg, "host"))
440 arg_link_journal = LINK_HOST;
442 log_error("Failed to parse link journal mode %s", optarg);
450 _cleanup_free_ char *a = NULL, *b = NULL;
454 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
456 e = strchr(optarg, ':');
458 a = strndup(optarg, e - optarg);
468 if (!path_is_absolute(a) || !path_is_absolute(b)) {
469 log_error("Invalid bind mount specification: %s", optarg);
473 r = strv_extend(x, a);
477 r = strv_extend(x, b);
485 _cleanup_free_ char *a = NULL, *b = NULL;
488 e = strchr(optarg, ':');
490 a = strndup(optarg, e - optarg);
494 b = strdup("mode=0755");
500 if (!path_is_absolute(a)) {
501 log_error("Invalid tmpfs specification: %s", optarg);
505 r = strv_push(&arg_tmpfs, a);
511 r = strv_push(&arg_tmpfs, b);
523 if (!env_assignment_is_valid(optarg)) {
524 log_error("Environment variable assignment '%s' is not valid.", optarg);
528 n = strv_env_set(arg_setenv, optarg);
532 strv_free(arg_setenv);
541 case ARG_SHARE_SYSTEM:
542 arg_share_system = true;
546 r = parse_boolean(optarg);
548 log_error("Failed to parse --register= argument: %s", optarg);
556 arg_keep_unit = true;
559 case ARG_PERSONALITY:
561 arg_personality = personality_from_string(optarg);
562 if (arg_personality == 0xffffffffLU) {
563 log_error("Unknown or unsupported personality '%s'.", optarg);
572 arg_volatile = VOLATILE_YES;
574 r = parse_boolean(optarg);
576 if (streq(optarg, "state"))
577 arg_volatile = VOLATILE_STATE;
579 log_error("Failed to parse --volatile= argument: %s", optarg);
583 arg_volatile = r ? VOLATILE_YES : VOLATILE_NO;
592 assert_not_reached("Unhandled option");
595 if (arg_share_system)
596 arg_register = false;
598 if (arg_boot && arg_share_system) {
599 log_error("--boot and --share-system may not be combined.");
603 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
604 log_error("--keep-unit may not be used when invoked from a user session.");
608 if (arg_directory && arg_image) {
609 log_error("--directory= and --image= may not be combined.");
613 if (arg_volatile != VOLATILE_NO && arg_read_only) {
614 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
618 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
623 static int mount_all(const char *dest) {
625 typedef struct MountPoint {
634 static const MountPoint mount_table[] = {
635 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
636 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
637 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
638 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
639 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
640 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
641 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
642 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
644 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
645 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
652 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
653 _cleanup_free_ char *where = NULL;
655 _cleanup_free_ char *options = NULL;
660 where = strjoin(dest, "/", mount_table[k].where, NULL);
664 t = path_is_mount_point(where, true);
666 log_error("Failed to detect whether %s is a mount point: %s", where, strerror(-t));
674 /* Skip this entry if it is not a remount. */
675 if (mount_table[k].what && t > 0)
678 t = mkdir_p(where, 0755);
680 if (mount_table[k].fatal) {
681 log_error("Failed to create directory %s: %s", where, strerror(-t));
686 log_warning("Failed to create directory %s: %s", where, strerror(-t));
692 if (arg_selinux_apifs_context &&
693 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
694 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
701 o = mount_table[k].options;
704 if (mount(mount_table[k].what,
707 mount_table[k].flags,
710 if (mount_table[k].fatal) {
711 log_error("mount(%s) failed: %m", where);
716 log_warning("mount(%s) failed: %m", where);
723 static int mount_binds(const char *dest, char **l, bool ro) {
726 STRV_FOREACH_PAIR(x, y, l) {
727 _cleanup_free_ char *where = NULL;
728 struct stat source_st, dest_st;
731 if (stat(*x, &source_st) < 0) {
732 log_error("Failed to stat %s: %m", *x);
736 where = strappend(dest, *y);
740 r = stat(where, &dest_st);
742 if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
743 log_error("The file types of %s and %s do not match. Refusing bind mount", *x, where);
746 } else if (errno == ENOENT) {
747 r = mkdir_parents_label(where, 0755);
749 log_error("Failed to bind mount %s: %s", *x, strerror(-r));
753 log_error("Failed to bind mount %s: %m", *x);
757 /* Create the mount point, but be conservative -- refuse to create block
758 * and char devices. */
759 if (S_ISDIR(source_st.st_mode)) {
760 r = mkdir_label(where, 0755);
762 log_error("Failed to create mount point %s: %s", where, strerror(-r));
766 } else if (S_ISFIFO(source_st.st_mode)) {
767 r = mkfifo(where, 0644);
768 if (r < 0 && errno != EEXIST) {
769 log_error("Failed to create mount point %s: %m", where);
773 } else if (S_ISSOCK(source_st.st_mode)) {
774 r = mknod(where, 0644 | S_IFSOCK, 0);
775 if (r < 0 && errno != EEXIST) {
776 log_error("Failed to create mount point %s: %m", where);
780 } else if (S_ISREG(source_st.st_mode)) {
783 log_error("Failed to create mount point %s: %s", where, strerror(-r));
788 log_error("Refusing to create mountpoint for file: %s", *x);
792 if (mount(*x, where, "bind", MS_BIND, NULL) < 0) {
793 log_error("mount(%s) failed: %m", where);
798 r = bind_remount_recursive(where, true);
800 log_error("Read-Only bind mount failed: %s", strerror(-r));
809 static int mount_tmpfs(const char *dest) {
812 STRV_FOREACH_PAIR(i, o, arg_tmpfs) {
813 _cleanup_free_ char *where = NULL;
816 where = strappend(dest, *i);
820 r = mkdir_label(where, 0755);
822 log_error("creating mount point for tmpfs %s failed: %s", where, strerror(-r));
827 if (mount("tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, *o) < 0) {
828 log_error("tmpfs mount to %s failed: %m", where);
836 static int setup_timezone(const char *dest) {
837 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
843 /* Fix the timezone, if possible */
844 r = readlink_malloc("/etc/localtime", &p);
846 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
850 z = path_startswith(p, "../usr/share/zoneinfo/");
852 z = path_startswith(p, "/usr/share/zoneinfo/");
854 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
858 where = strappend(dest, "/etc/localtime");
862 r = readlink_malloc(where, &q);
864 y = path_startswith(q, "../usr/share/zoneinfo/");
866 y = path_startswith(q, "/usr/share/zoneinfo/");
868 /* Already pointing to the right place? Then do nothing .. */
869 if (y && streq(y, z))
873 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
877 if (access(check, F_OK) < 0) {
878 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
882 what = strappend("../usr/share/zoneinfo/", z);
886 r = mkdir_parents(where, 0755);
888 log_error("Failed to create directory for timezone info %s in container: %s", where, strerror(-r));
894 if (r < 0 && errno != ENOENT) {
895 log_error("Failed to remove existing timezone info %s in container: %m", where);
900 if (symlink(what, where) < 0) {
901 log_error("Failed to correct timezone of container: %m");
908 static int setup_resolv_conf(const char *dest) {
909 _cleanup_free_ char *where = NULL;
914 if (arg_private_network)
917 /* Fix resolv.conf, if possible */
918 where = strappend(dest, "/etc/resolv.conf");
922 /* We don't really care for the results of this really. If it
923 * fails, it fails, but meh... */
924 r = mkdir_parents(where, 0755);
926 log_warning("Failed to create parent directory for resolv.conf %s: %s", where, strerror(-r));
931 r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644);
933 log_warning("Failed to copy /etc/resolv.conf to %s: %s", where, strerror(-r));
941 static int setup_volatile_state(const char *directory) {
947 if (arg_volatile != VOLATILE_STATE)
950 /* --volatile=state means we simply overmount /var
951 with a tmpfs, and the rest read-only. */
953 r = bind_remount_recursive(directory, true);
955 log_error("Failed to remount %s read-only: %s", directory, strerror(-r));
959 p = strappenda(directory, "/var");
961 if (r < 0 && errno != EEXIST) {
962 log_error("Failed to create %s: %m", directory);
966 if (mount("tmpfs", p, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
967 log_error("Failed to mount tmpfs to /var: %m");
974 static int setup_volatile(const char *directory) {
975 bool tmpfs_mounted = false, bind_mounted = false;
976 char template[] = "/tmp/nspawn-volatile-XXXXXX";
982 if (arg_volatile != VOLATILE_YES)
985 /* --volatile=yes means we mount a tmpfs to the root dir, and
986 the original /usr to use inside it, and that read-only. */
988 if (!mkdtemp(template)) {
989 log_error("Failed to create temporary directory: %m");
993 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
994 log_error("Failed to mount tmpfs for root directory: %m");
999 tmpfs_mounted = true;
1001 f = strappenda(directory, "/usr");
1002 t = strappenda(template, "/usr");
1005 if (r < 0 && errno != EEXIST) {
1006 log_error("Failed to create %s: %m", t);
1011 if (mount(f, t, "bind", MS_BIND|MS_REC, NULL) < 0) {
1012 log_error("Failed to create /usr bind mount: %m");
1017 bind_mounted = true;
1019 r = bind_remount_recursive(t, true);
1021 log_error("Failed to remount %s read-only: %s", t, strerror(-r));
1025 if (mount(template, directory, NULL, MS_MOVE, NULL) < 0) {
1026 log_error("Failed to move root mount: %m");
1044 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
1047 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1048 SD_ID128_FORMAT_VAL(id));
1053 static int setup_boot_id(const char *dest) {
1054 _cleanup_free_ char *from = NULL, *to = NULL;
1055 sd_id128_t rnd = {};
1061 if (arg_share_system)
1064 /* Generate a new randomized boot ID, so that each boot-up of
1065 * the container gets a new one */
1067 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
1068 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
1072 r = sd_id128_randomize(&rnd);
1074 log_error("Failed to generate random boot id: %s", strerror(-r));
1078 id128_format_as_uuid(rnd, as_uuid);
1080 r = write_string_file(from, as_uuid);
1082 log_error("Failed to write boot id: %s", strerror(-r));
1086 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1087 log_error("Failed to bind mount boot id: %m");
1089 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
1090 log_warning("Failed to make boot id read-only: %m");
1096 static int copy_devnodes(const char *dest) {
1098 static const char devnodes[] =
1109 _cleanup_umask_ mode_t u;
1115 NULSTR_FOREACH(d, devnodes) {
1116 _cleanup_free_ char *from = NULL, *to = NULL;
1119 from = strappend("/dev/", d);
1120 to = strjoin(dest, "/dev/", d, NULL);
1124 if (stat(from, &st) < 0) {
1126 if (errno != ENOENT) {
1127 log_error("Failed to stat %s: %m", from);
1131 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
1133 log_error("%s is not a char or block device, cannot copy", from);
1137 r = mkdir_parents(to, 0775);
1139 log_error("Failed to create parent directory of %s: %s", to, strerror(-r));
1143 if (mknod(to, st.st_mode, st.st_rdev) < 0) {
1144 log_error("mknod(%s) failed: %m", dest);
1153 static int setup_ptmx(const char *dest) {
1154 _cleanup_free_ char *p = NULL;
1156 p = strappend(dest, "/dev/ptmx");
1160 if (symlink("pts/ptmx", p) < 0) {
1161 log_error("Failed to create /dev/ptmx symlink: %m");
1168 static int setup_dev_console(const char *dest, const char *console) {
1169 _cleanup_umask_ mode_t u;
1179 if (stat("/dev/null", &st) < 0) {
1180 log_error("Failed to stat /dev/null: %m");
1184 r = chmod_and_chown(console, 0600, 0, 0);
1186 log_error("Failed to correct access mode for TTY: %s", strerror(-r));
1190 /* We need to bind mount the right tty to /dev/console since
1191 * ptys can only exist on pts file systems. To have something
1192 * to bind mount things on we create a device node first, and
1193 * use /dev/null for that since we the cgroups device policy
1194 * allows us to create that freely, while we cannot create
1195 * /dev/console. (Note that the major minor doesn't actually
1196 * matter here, since we mount it over anyway). */
1198 to = strappenda(dest, "/dev/console");
1199 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0) {
1200 log_error("mknod() for /dev/console failed: %m");
1204 if (mount(console, to, "bind", MS_BIND, NULL) < 0) {
1205 log_error("Bind mount for /dev/console failed: %m");
1212 static int setup_kmsg(const char *dest, int kmsg_socket) {
1213 _cleanup_free_ char *from = NULL, *to = NULL;
1215 _cleanup_umask_ mode_t u;
1217 struct cmsghdr cmsghdr;
1218 uint8_t buf[CMSG_SPACE(sizeof(int))];
1220 struct msghdr mh = {
1221 .msg_control = &control,
1222 .msg_controllen = sizeof(control),
1224 struct cmsghdr *cmsg;
1227 assert(kmsg_socket >= 0);
1231 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1232 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1233 * on the reading side behave very similar to /proc/kmsg,
1234 * their writing side behaves differently from /dev/kmsg in
1235 * that writing blocks when nothing is reading. In order to
1236 * avoid any problems with containers deadlocking due to this
1237 * we simply make /dev/kmsg unavailable to the container. */
1238 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
1239 asprintf(&to, "%s/proc/kmsg", dest) < 0)
1242 if (mkfifo(from, 0600) < 0) {
1243 log_error("mkfifo() for /dev/kmsg failed: %m");
1247 r = chmod_and_chown(from, 0600, 0, 0);
1249 log_error("Failed to correct access mode for /dev/kmsg: %s", strerror(-r));
1253 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1254 log_error("Bind mount for /proc/kmsg failed: %m");
1258 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
1260 log_error("Failed to open fifo: %m");
1264 cmsg = CMSG_FIRSTHDR(&mh);
1265 cmsg->cmsg_level = SOL_SOCKET;
1266 cmsg->cmsg_type = SCM_RIGHTS;
1267 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1268 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1270 mh.msg_controllen = cmsg->cmsg_len;
1272 /* Store away the fd in the socket, so that it stays open as
1273 * long as we run the child */
1274 k = sendmsg(kmsg_socket, &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
1278 log_error("Failed to send FIFO fd: %m");
1282 /* And now make the FIFO unavailable as /dev/kmsg... */
1287 static int setup_hostname(void) {
1289 if (arg_share_system)
1292 if (sethostname(arg_machine, strlen(arg_machine)) < 0)
1298 static int setup_journal(const char *directory) {
1299 sd_id128_t machine_id, this_id;
1300 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1304 p = strappend(directory, "/etc/machine-id");
1308 r = read_one_line_file(p, &b);
1309 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1312 log_error("Failed to read machine ID from %s: %s", p, strerror(-r));
1317 if (isempty(id) && arg_link_journal == LINK_AUTO)
1320 /* Verify validity */
1321 r = sd_id128_from_string(id, &machine_id);
1323 log_error("Failed to parse machine ID from %s: %s", p, strerror(-r));
1327 r = sd_id128_get_machine(&this_id);
1329 log_error("Failed to retrieve machine ID: %s", strerror(-r));
1333 if (sd_id128_equal(machine_id, this_id)) {
1334 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1335 "Host and machine ids are equal (%s): refusing to link journals", id);
1336 if (arg_link_journal == LINK_AUTO)
1342 if (arg_link_journal == LINK_NO)
1346 p = strappend("/var/log/journal/", id);
1347 q = strjoin(directory, "/var/log/journal/", id, NULL);
1351 if (path_is_mount_point(p, false) > 0) {
1352 if (arg_link_journal != LINK_AUTO) {
1353 log_error("%s: already a mount point, refusing to use for journal", p);
1360 if (path_is_mount_point(q, false) > 0) {
1361 if (arg_link_journal != LINK_AUTO) {
1362 log_error("%s: already a mount point, refusing to use for journal", q);
1369 r = readlink_and_make_absolute(p, &d);
1371 if ((arg_link_journal == LINK_GUEST ||
1372 arg_link_journal == LINK_AUTO) &&
1375 r = mkdir_p(q, 0755);
1377 log_warning("Failed to create directory %s: %m", q);
1381 if (unlink(p) < 0) {
1382 log_error("Failed to remove symlink %s: %m", p);
1385 } else if (r == -EINVAL) {
1387 if (arg_link_journal == LINK_GUEST &&
1390 if (errno == ENOTDIR) {
1391 log_error("%s already exists and is neither a symlink nor a directory", p);
1394 log_error("Failed to remove %s: %m", p);
1398 } else if (r != -ENOENT) {
1399 log_error("readlink(%s) failed: %m", p);
1403 if (arg_link_journal == LINK_GUEST) {
1405 if (symlink(q, p) < 0) {
1406 log_error("Failed to symlink %s to %s: %m", q, p);
1410 r = mkdir_p(q, 0755);
1412 log_warning("Failed to create directory %s: %m", q);
1416 if (arg_link_journal == LINK_HOST) {
1417 r = mkdir_p(p, 0755);
1419 log_error("Failed to create %s: %m", p);
1423 } else if (access(p, F_OK) < 0)
1426 if (dir_is_empty(q) == 0)
1427 log_warning("%s is not empty, proceeding anyway.", q);
1429 r = mkdir_p(q, 0755);
1431 log_error("Failed to create %s: %m", q);
1435 if (mount(p, q, "bind", MS_BIND, NULL) < 0) {
1436 log_error("Failed to bind mount journal from host into guest: %m");
1443 static int setup_kdbus(const char *dest, const char *path) {
1449 p = strappenda(dest, "/dev/kdbus");
1450 if (mkdir(p, 0755) < 0) {
1451 log_error("Failed to create kdbus path: %m");
1455 if (mount(path, p, "bind", MS_BIND, NULL) < 0) {
1456 log_error("Failed to mount kdbus domain path: %m");
1463 static int drop_capabilities(void) {
1464 return capability_bounding_set_drop(~arg_retain, false);
1467 static int register_machine(pid_t pid, int local_ifindex) {
1468 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1469 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1475 r = sd_bus_default_system(&bus);
1477 log_error("Failed to open system bus: %s", strerror(-r));
1481 if (arg_keep_unit) {
1482 r = sd_bus_call_method(
1484 "org.freedesktop.machine1",
1485 "/org/freedesktop/machine1",
1486 "org.freedesktop.machine1.Manager",
1487 "RegisterMachineWithNetwork",
1492 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1496 strempty(arg_directory),
1497 local_ifindex > 0 ? 1 : 0, local_ifindex);
1499 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1501 r = sd_bus_message_new_method_call(
1504 "org.freedesktop.machine1",
1505 "/org/freedesktop/machine1",
1506 "org.freedesktop.machine1.Manager",
1507 "CreateMachineWithNetwork");
1509 log_error("Failed to create message: %s", strerror(-r));
1513 r = sd_bus_message_append(
1517 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1521 strempty(arg_directory),
1522 local_ifindex > 0 ? 1 : 0, local_ifindex);
1524 log_error("Failed to append message arguments: %s", strerror(-r));
1528 r = sd_bus_message_open_container(m, 'a', "(sv)");
1530 log_error("Failed to open container: %s", strerror(-r));
1534 if (!isempty(arg_slice)) {
1535 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
1537 log_error("Failed to append slice: %s", strerror(-r));
1542 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
1544 log_error("Failed to add device policy: %s", strerror(-r));
1548 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 10,
1549 /* Allow the container to
1550 * access and create the API
1551 * device nodes, so that
1552 * PrivateDevices= in the
1553 * container can work
1558 "/dev/random", "rwm",
1559 "/dev/urandom", "rwm",
1561 "/dev/net/tun", "rwm",
1562 /* Allow the container
1563 * access to ptys. However,
1565 * container to ever create
1566 * these device nodes. */
1567 "/dev/pts/ptmx", "rw",
1569 /* Allow the container
1570 * access to all kdbus
1571 * devices. Again, the
1572 * container cannot create
1573 * these nodes, only use
1574 * them. We use a pretty
1575 * open match here, so that
1576 * the kernel API can still
1579 "char-kdbus/*", "rw");
1581 log_error("Failed to add device whitelist: %s", strerror(-r));
1585 r = sd_bus_message_close_container(m);
1587 log_error("Failed to close container: %s", strerror(-r));
1591 r = sd_bus_call(bus, m, 0, &error, NULL);
1595 log_error("Failed to register machine: %s", bus_error_message(&error, r));
1602 static int terminate_machine(pid_t pid) {
1603 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1604 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
1605 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1612 r = sd_bus_default_system(&bus);
1614 log_error("Failed to open system bus: %s", strerror(-r));
1618 r = sd_bus_call_method(
1620 "org.freedesktop.machine1",
1621 "/org/freedesktop/machine1",
1622 "org.freedesktop.machine1.Manager",
1629 /* Note that the machine might already have been
1630 * cleaned up automatically, hence don't consider it a
1631 * failure if we cannot get the machine object. */
1632 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
1636 r = sd_bus_message_read(reply, "o", &path);
1638 return bus_log_parse_error(r);
1640 r = sd_bus_call_method(
1642 "org.freedesktop.machine1",
1644 "org.freedesktop.machine1.Machine",
1650 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
1657 static int reset_audit_loginuid(void) {
1658 _cleanup_free_ char *p = NULL;
1661 if (arg_share_system)
1664 r = read_one_line_file("/proc/self/loginuid", &p);
1668 log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
1672 /* Already reset? */
1673 if (streq(p, "4294967295"))
1676 r = write_string_file("/proc/self/loginuid", "4294967295");
1678 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
1679 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1680 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1681 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1682 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
1690 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
1691 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
1693 static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key) {
1700 l = strlen(arg_machine);
1701 sz = sizeof(sd_id128_t) + l;
1704 /* fetch some persistent data unique to the host */
1705 r = sd_id128_get_machine((sd_id128_t*) v);
1709 /* combine with some data unique (on this host) to this
1710 * container instance */
1711 memcpy(v + sizeof(sd_id128_t), arg_machine, l);
1713 /* Let's hash the host machine ID plus the container name. We
1714 * use a fixed, but originally randomly created hash key here. */
1715 siphash24(result, v, sz, hash_key.bytes);
1717 assert_cc(ETH_ALEN <= sizeof(result));
1718 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
1720 /* see eth_random_addr in the kernel */
1721 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
1722 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
1727 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
1728 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1729 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1730 struct ether_addr mac_host, mac_container;
1733 if (!arg_private_network)
1736 if (!arg_network_veth)
1739 /* Use two different interface name prefixes depending whether
1740 * we are in bridge mode or not. */
1741 snprintf(iface_name, IFNAMSIZ - 1, "%s-%s",
1742 arg_network_bridge ? "vb" : "ve", arg_machine);
1744 r = generate_mac(&mac_container, CONTAINER_HASH_KEY);
1746 log_error("Failed to generate predictable MAC address for container side");
1750 r = generate_mac(&mac_host, HOST_HASH_KEY);
1752 log_error("Failed to generate predictable MAC address for host side");
1756 r = sd_rtnl_open(&rtnl, 0);
1758 log_error("Failed to connect to netlink: %s", strerror(-r));
1762 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1764 log_error("Failed to allocate netlink message: %s", strerror(-r));
1768 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
1770 log_error("Failed to add netlink interface name: %s", strerror(-r));
1774 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_host);
1776 log_error("Failed to add netlink MAC address: %s", strerror(-r));
1780 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1782 log_error("Failed to open netlink container: %s", strerror(-r));
1786 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
1788 log_error("Failed to open netlink container: %s", strerror(-r));
1792 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
1794 log_error("Failed to open netlink container: %s", strerror(-r));
1798 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
1800 log_error("Failed to add netlink interface name: %s", strerror(-r));
1804 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_container);
1806 log_error("Failed to add netlink MAC address: %s", strerror(-r));
1810 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1812 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1816 r = sd_rtnl_message_close_container(m);
1818 log_error("Failed to close netlink container: %s", strerror(-r));
1822 r = sd_rtnl_message_close_container(m);
1824 log_error("Failed to close netlink container: %s", strerror(-r));
1828 r = sd_rtnl_message_close_container(m);
1830 log_error("Failed to close netlink container: %s", strerror(-r));
1834 r = sd_rtnl_call(rtnl, m, 0, NULL);
1836 log_error("Failed to add new veth interfaces: %s", strerror(-r));
1840 i = (int) if_nametoindex(iface_name);
1842 log_error("Failed to resolve interface %s: %m", iface_name);
1851 static int setup_bridge(const char veth_name[], int *ifi) {
1852 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1853 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1856 if (!arg_private_network)
1859 if (!arg_network_veth)
1862 if (!arg_network_bridge)
1865 bridge = (int) if_nametoindex(arg_network_bridge);
1867 log_error("Failed to resolve interface %s: %m", arg_network_bridge);
1873 r = sd_rtnl_open(&rtnl, 0);
1875 log_error("Failed to connect to netlink: %s", strerror(-r));
1879 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
1881 log_error("Failed to allocate netlink message: %s", strerror(-r));
1885 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
1887 log_error("Failed to set IFF_UP flag: %s", strerror(-r));
1891 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
1893 log_error("Failed to add netlink interface name field: %s", strerror(-r));
1897 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
1899 log_error("Failed to add netlink master field: %s", strerror(-r));
1903 r = sd_rtnl_call(rtnl, m, 0, NULL);
1905 log_error("Failed to add veth interface to bridge: %s", strerror(-r));
1912 static int parse_interface(struct udev *udev, const char *name) {
1913 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1914 char ifi_str[2 + DECIMAL_STR_MAX(int)];
1917 ifi = (int) if_nametoindex(name);
1919 log_error("Failed to resolve interface %s: %m", name);
1923 sprintf(ifi_str, "n%i", ifi);
1924 d = udev_device_new_from_device_id(udev, ifi_str);
1926 log_error("Failed to get udev device for interface %s: %m", name);
1930 if (udev_device_get_is_initialized(d) <= 0) {
1931 log_error("Network interface %s is not initialized yet.", name);
1938 static int move_network_interfaces(pid_t pid) {
1939 _cleanup_udev_unref_ struct udev *udev = NULL;
1940 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1944 if (!arg_private_network)
1947 if (strv_isempty(arg_network_interfaces))
1950 r = sd_rtnl_open(&rtnl, 0);
1952 log_error("Failed to connect to netlink: %s", strerror(-r));
1958 log_error("Failed to connect to udev.");
1962 STRV_FOREACH(i, arg_network_interfaces) {
1963 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1966 ifi = parse_interface(udev, *i);
1970 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, ifi);
1972 log_error("Failed to allocate netlink message: %s", strerror(-r));
1976 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1978 log_error("Failed to append namespace PID to netlink message: %s", strerror(-r));
1982 r = sd_rtnl_call(rtnl, m, 0, NULL);
1984 log_error("Failed to move interface %s to namespace: %s", *i, strerror(-r));
1992 static int setup_macvlan(pid_t pid) {
1993 _cleanup_udev_unref_ struct udev *udev = NULL;
1994 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1998 if (!arg_private_network)
2001 if (strv_isempty(arg_network_macvlan))
2004 r = sd_rtnl_open(&rtnl, 0);
2006 log_error("Failed to connect to netlink: %s", strerror(-r));
2012 log_error("Failed to connect to udev.");
2016 STRV_FOREACH(i, arg_network_macvlan) {
2017 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2018 _cleanup_free_ char *n = NULL;
2021 ifi = parse_interface(udev, *i);
2025 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
2027 log_error("Failed to allocate netlink message: %s", strerror(-r));
2031 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
2033 log_error("Failed to add netlink interface index: %s", strerror(-r));
2037 n = strappend("mv-", *i);
2041 strshorten(n, IFNAMSIZ-1);
2043 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
2045 log_error("Failed to add netlink interface name: %s", strerror(-r));
2049 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2051 log_error("Failed to add netlink namespace field: %s", strerror(-r));
2055 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
2057 log_error("Failed to open netlink container: %s", strerror(-r));
2061 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
2063 log_error("Failed to open netlink container: %s", strerror(-r));
2067 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
2069 log_error("Failed to append macvlan mode: %s", strerror(-r));
2073 r = sd_rtnl_message_close_container(m);
2075 log_error("Failed to close netlink container: %s", strerror(-r));
2079 r = sd_rtnl_message_close_container(m);
2081 log_error("Failed to close netlink container: %s", strerror(-r));
2085 r = sd_rtnl_call(rtnl, m, 0, NULL);
2087 log_error("Failed to add new macvlan interfaces: %s", strerror(-r));
2095 static int setup_seccomp(void) {
2098 static const int blacklist[] = {
2099 SCMP_SYS(kexec_load),
2100 SCMP_SYS(open_by_handle_at),
2101 SCMP_SYS(init_module),
2102 SCMP_SYS(finit_module),
2103 SCMP_SYS(delete_module),
2110 scmp_filter_ctx seccomp;
2114 seccomp = seccomp_init(SCMP_ACT_ALLOW);
2118 r = seccomp_add_secondary_archs(seccomp);
2120 log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
2124 for (i = 0; i < ELEMENTSOF(blacklist); i++) {
2125 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
2127 continue; /* unknown syscall */
2129 log_error("Failed to block syscall: %s", strerror(-r));
2135 Audit is broken in containers, much of the userspace audit
2136 hookup will fail if running inside a container. We don't
2137 care and just turn off creation of audit sockets.
2139 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
2140 with EAFNOSUPPORT which audit userspace uses as indication
2141 that audit is disabled in the kernel.
2144 r = seccomp_rule_add(
2146 SCMP_ACT_ERRNO(EAFNOSUPPORT),
2149 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
2150 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
2152 log_error("Failed to add audit seccomp rule: %s", strerror(-r));
2156 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
2158 log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
2162 r = seccomp_load(seccomp);
2164 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
2167 seccomp_release(seccomp);
2175 static int setup_image(char **device_path, int *loop_nr) {
2176 struct loop_info64 info = {
2177 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
2179 _cleanup_close_ int fd = -1, control = -1, loop = -1;
2180 _cleanup_free_ char* loopdev = NULL;
2184 assert(device_path);
2187 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2189 log_error("Failed to open %s: %m", arg_image);
2193 if (fstat(fd, &st) < 0) {
2194 log_error("Failed to stat %s: %m", arg_image);
2198 if (S_ISBLK(st.st_mode)) {
2201 p = strdup(arg_image);
2215 if (!S_ISREG(st.st_mode)) {
2216 log_error("%s is not a regular file or block device: %m", arg_image);
2220 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2222 log_error("Failed to open /dev/loop-control: %m");
2226 nr = ioctl(control, LOOP_CTL_GET_FREE);
2228 log_error("Failed to allocate loop device: %m");
2232 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
2235 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2237 log_error("Failed to open loop device %s: %m", loopdev);
2241 if (ioctl(loop, LOOP_SET_FD, fd) < 0) {
2242 log_error("Failed to set loopback file descriptor on %s: %m", loopdev);
2247 info.lo_flags |= LO_FLAGS_READ_ONLY;
2249 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0) {
2250 log_error("Failed to set loopback settings on %s: %m", loopdev);
2254 *device_path = loopdev;
2265 static int dissect_image(
2267 char **root_device, bool *root_device_rw,
2268 char **home_device, bool *home_device_rw,
2269 char **srv_device, bool *srv_device_rw,
2273 int home_nr = -1, root_nr = -1, secondary_root_nr = -1, srv_nr = -1;
2274 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL;
2275 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
2276 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2277 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2278 _cleanup_udev_unref_ struct udev *udev = NULL;
2279 struct udev_list_entry *first, *item;
2280 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true;
2281 const char *pttype = NULL;
2287 assert(root_device);
2288 assert(home_device);
2292 b = blkid_new_probe();
2297 r = blkid_probe_set_device(b, fd, 0, 0);
2302 log_error("Failed to set device on blkid probe: %m");
2306 blkid_probe_enable_partitions(b, 1);
2307 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
2310 r = blkid_do_safeprobe(b);
2311 if (r == -2 || r == 1) {
2312 log_error("Failed to identify any partition table on %s.\n"
2313 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2315 } else if (r != 0) {
2318 log_error("Failed to probe: %m");
2322 blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
2323 if (!streq_ptr(pttype, "gpt")) {
2324 log_error("Image %s does not carry a GUID Partition Table.\n"
2325 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2330 pl = blkid_probe_get_partitions(b);
2335 log_error("Failed to list partitions of %s", arg_image);
2343 if (fstat(fd, &st) < 0) {
2344 log_error("Failed to stat block device: %m");
2348 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2352 e = udev_enumerate_new(udev);
2356 r = udev_enumerate_add_match_parent(e, d);
2360 r = udev_enumerate_scan_devices(e);
2362 log_error("Failed to scan for partition devices of %s: %s", arg_image, strerror(-r));
2366 first = udev_enumerate_get_list_entry(e);
2367 udev_list_entry_foreach(item, first) {
2368 _cleanup_udev_device_unref_ struct udev_device *q;
2369 const char *stype, *node;
2370 unsigned long long flags;
2377 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2382 log_error("Failed to get partition device of %s: %m", arg_image);
2386 qn = udev_device_get_devnum(q);
2390 if (st.st_rdev == qn)
2393 node = udev_device_get_devnode(q);
2397 pp = blkid_partlist_devno_to_partition(pl, qn);
2401 flags = blkid_partition_get_flags(pp);
2402 if (flags & GPT_FLAG_NO_AUTO)
2405 nr = blkid_partition_get_partno(pp);
2409 stype = blkid_partition_get_type_string(pp);
2413 if (sd_id128_from_string(stype, &type_id) < 0)
2416 if (sd_id128_equal(type_id, GPT_HOME)) {
2418 if (home && nr >= home_nr)
2422 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2425 home = strdup(node);
2428 } else if (sd_id128_equal(type_id, GPT_SRV)) {
2430 if (srv && nr >= srv_nr)
2434 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
2441 #ifdef GPT_ROOT_NATIVE
2442 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
2444 if (root && nr >= root_nr)
2448 root_rw = !(flags & GPT_FLAG_READ_ONLY);
2451 root = strdup(node);
2456 #ifdef GPT_ROOT_SECONDARY
2457 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
2459 if (secondary_root && nr >= secondary_root_nr)
2462 secondary_root_nr = nr;
2463 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
2466 free(secondary_root);
2467 secondary_root = strdup(node);
2468 if (!secondary_root)
2474 if (!root && !secondary_root) {
2475 log_error("Failed to identify root partition in disk image %s.\n"
2476 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2481 *root_device = root;
2484 *root_device_rw = root_rw;
2486 } else if (secondary_root) {
2487 *root_device = secondary_root;
2488 secondary_root = NULL;
2490 *root_device_rw = secondary_root_rw;
2495 *home_device = home;
2498 *home_device_rw = home_rw;
2505 *srv_device_rw = srv_rw;
2510 log_error("--image= is not supported, compiled without blkid support.");
2515 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
2517 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2518 const char *fstype, *p;
2528 p = strappenda(where, directory);
2533 b = blkid_new_probe_from_filename(what);
2537 log_error("Failed to allocate prober for %s: %m", what);
2541 blkid_probe_enable_superblocks(b, 1);
2542 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
2545 r = blkid_do_safeprobe(b);
2546 if (r == -1 || r == 1) {
2547 log_error("Cannot determine file system type of %s", what);
2549 } else if (r != 0) {
2552 log_error("Failed to probe %s: %m", what);
2557 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
2560 log_error("Failed to determine file system type of %s", what);
2564 if (streq(fstype, "crypto_LUKS")) {
2565 log_error("nspawn currently does not support LUKS disk images.");
2569 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0) {
2570 log_error("Failed to mount %s: %m", what);
2576 log_error("--image= is not supported, compiled without blkid support.");
2581 static int mount_devices(
2583 const char *root_device, bool root_device_rw,
2584 const char *home_device, bool home_device_rw,
2585 const char *srv_device, bool srv_device_rw) {
2591 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
2593 log_error("Failed to mount root directory: %s", strerror(-r));
2599 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
2601 log_error("Failed to mount home directory: %s", strerror(-r));
2607 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
2609 log_error("Failed to mount server data directory: %s", strerror(-r));
2617 static void loop_remove(int nr, int *image_fd) {
2618 _cleanup_close_ int control = -1;
2624 if (image_fd && *image_fd >= 0) {
2625 r = ioctl(*image_fd, LOOP_CLR_FD);
2627 log_warning("Failed to close loop image: %m");
2628 *image_fd = safe_close(*image_fd);
2631 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2633 log_warning("Failed to open /dev/loop-control: %m");
2637 r = ioctl(control, LOOP_CTL_REMOVE, nr);
2639 log_warning("Failed to remove loop %d: %m", nr);
2642 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
2650 if (pipe2(pipe_fds, O_CLOEXEC) < 0) {
2651 log_error("Failed to allocate pipe: %m");
2657 log_error("Failed to fork getent child: %m");
2659 } else if (pid == 0) {
2661 char *empty_env = NULL;
2663 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
2664 _exit(EXIT_FAILURE);
2666 if (pipe_fds[0] > 2)
2667 safe_close(pipe_fds[0]);
2668 if (pipe_fds[1] > 2)
2669 safe_close(pipe_fds[1]);
2671 nullfd = open("/dev/null", O_RDWR);
2673 _exit(EXIT_FAILURE);
2675 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
2676 _exit(EXIT_FAILURE);
2678 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
2679 _exit(EXIT_FAILURE);
2684 reset_all_signal_handlers();
2685 close_all_fds(NULL, 0);
2687 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
2688 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
2689 _exit(EXIT_FAILURE);
2692 pipe_fds[1] = safe_close(pipe_fds[1]);
2699 static int change_uid_gid(char **_home) {
2700 char line[LINE_MAX], *x, *u, *g, *h;
2701 const char *word, *state;
2702 _cleanup_free_ uid_t *uids = NULL;
2703 _cleanup_free_ char *home = NULL;
2704 _cleanup_fclose_ FILE *f = NULL;
2705 _cleanup_close_ int fd = -1;
2706 unsigned n_uids = 0;
2715 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
2716 /* Reset everything fully to 0, just in case */
2718 if (setgroups(0, NULL) < 0) {
2719 log_error("setgroups() failed: %m");
2723 if (setresgid(0, 0, 0) < 0) {
2724 log_error("setregid() failed: %m");
2728 if (setresuid(0, 0, 0) < 0) {
2729 log_error("setreuid() failed: %m");
2737 /* First, get user credentials */
2738 fd = spawn_getent("passwd", arg_user, &pid);
2742 f = fdopen(fd, "r");
2747 if (!fgets(line, sizeof(line), f)) {
2750 log_error("Failed to resolve user %s.", arg_user);
2754 log_error("Failed to read from getent: %m");
2760 wait_for_terminate_and_warn("getent passwd", pid);
2762 x = strchr(line, ':');
2764 log_error("/etc/passwd entry has invalid user field.");
2768 u = strchr(x+1, ':');
2770 log_error("/etc/passwd entry has invalid password field.");
2777 log_error("/etc/passwd entry has invalid UID field.");
2785 log_error("/etc/passwd entry has invalid GID field.");
2790 h = strchr(x+1, ':');
2792 log_error("/etc/passwd entry has invalid GECOS field.");
2799 log_error("/etc/passwd entry has invalid home directory field.");
2805 r = parse_uid(u, &uid);
2807 log_error("Failed to parse UID of user.");
2811 r = parse_gid(g, &gid);
2813 log_error("Failed to parse GID of user.");
2821 /* Second, get group memberships */
2822 fd = spawn_getent("initgroups", arg_user, &pid);
2827 f = fdopen(fd, "r");
2832 if (!fgets(line, sizeof(line), f)) {
2834 log_error("Failed to resolve user %s.", arg_user);
2838 log_error("Failed to read from getent: %m");
2844 wait_for_terminate_and_warn("getent initgroups", pid);
2846 /* Skip over the username and subsequent separator whitespace */
2848 x += strcspn(x, WHITESPACE);
2849 x += strspn(x, WHITESPACE);
2851 FOREACH_WORD(word, l, x, state) {
2857 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
2860 r = parse_uid(c, &uids[n_uids++]);
2862 log_error("Failed to parse group data from getent.");
2867 r = mkdir_parents(home, 0775);
2869 log_error("Failed to make home root directory: %s", strerror(-r));
2873 r = mkdir_safe(home, 0755, uid, gid);
2874 if (r < 0 && r != -EEXIST) {
2875 log_error("Failed to make home directory: %s", strerror(-r));
2879 fchown(STDIN_FILENO, uid, gid);
2880 fchown(STDOUT_FILENO, uid, gid);
2881 fchown(STDERR_FILENO, uid, gid);
2883 if (setgroups(n_uids, uids) < 0) {
2884 log_error("Failed to set auxiliary groups: %m");
2888 if (setresgid(gid, gid, gid) < 0) {
2889 log_error("setregid() failed: %m");
2893 if (setresuid(uid, uid, uid) < 0) {
2894 log_error("setreuid() failed: %m");
2908 * < 0 : wait_for_terminate() failed to get the state of the
2909 * container, the container was terminated by a signal, or
2910 * failed for an unknown reason. No change is made to the
2911 * container argument.
2912 * > 0 : The program executed in the container terminated with an
2913 * error. The exit code of the program executed in the
2914 * container is returned. No change is made to the container
2916 * 0 : The container is being rebooted, has been shut down or exited
2917 * successfully. The container argument has been set to either
2918 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2920 * That is, success is indicated by a return value of zero, and an
2921 * error is indicated by a non-zero value.
2923 static int wait_for_container(pid_t pid, ContainerStatus *container) {
2927 r = wait_for_terminate(pid, &status);
2929 log_warning("Failed to wait for container: %s", strerror(-r));
2933 switch (status.si_code) {
2935 r = status.si_status;
2938 log_debug("Container %s exited successfully.",
2941 *container = CONTAINER_TERMINATED;
2943 log_error("Container %s failed with error code %i.",
2944 arg_machine, status.si_status);
2949 if (status.si_status == SIGINT) {
2951 log_info("Container %s has been shut down.",
2954 *container = CONTAINER_TERMINATED;
2957 } else if (status.si_status == SIGHUP) {
2959 log_info("Container %s is being rebooted.",
2962 *container = CONTAINER_REBOOTED;
2966 /* CLD_KILLED fallthrough */
2969 log_error("Container %s terminated by signal %s.",
2970 arg_machine, signal_to_string(status.si_status));
2975 log_error("Container %s failed due to unknown reason.",
2984 static void nop_handler(int sig) {}
2986 int main(int argc, char *argv[]) {
2988 _cleanup_free_ char *kdbus_domain = NULL, *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
2989 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
2990 _cleanup_close_ int master = -1, kdbus_fd = -1, image_fd = -1;
2991 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 };
2992 _cleanup_fdset_free_ FDSet *fds = NULL;
2993 int r = EXIT_FAILURE, k, n_fd_passed, loop_nr = -1;
2994 const char *console = NULL;
2995 char veth_name[IFNAMSIZ];
2996 bool secondary = false;
2997 sigset_t mask, mask_chld;
3000 log_parse_environment();
3003 k = parse_argv(argc, argv);
3012 if (arg_directory) {
3015 p = path_make_absolute_cwd(arg_directory);
3016 free(arg_directory);
3019 arg_directory = get_current_dir_name();
3021 if (!arg_directory) {
3022 log_error("Failed to determine path, please use -D.");
3025 path_kill_slashes(arg_directory);
3029 arg_machine = strdup(basename(arg_image ? arg_image : arg_directory));
3035 hostname_cleanup(arg_machine, false);
3036 if (isempty(arg_machine)) {
3037 log_error("Failed to determine machine name automatically, please use -M.");
3042 if (geteuid() != 0) {
3043 log_error("Need to be root.");
3047 if (sd_booted() <= 0) {
3048 log_error("Not running on a systemd system.");
3053 n_fd_passed = sd_listen_fds(false);
3054 if (n_fd_passed > 0) {
3055 k = fdset_new_listen_fds(&fds, false);
3057 log_error("Failed to collect file descriptors: %s", strerror(-k));
3061 fdset_close_others(fds);
3064 if (arg_directory) {
3065 if (path_equal(arg_directory, "/")) {
3066 log_error("Spawning container on root directory not supported.");
3071 if (path_is_os_tree(arg_directory) <= 0) {
3072 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory);
3078 p = strappenda(arg_directory,
3079 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
3080 if (access(p, F_OK) < 0) {
3081 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
3087 char template[] = "/tmp/nspawn-root-XXXXXX";
3089 if (!mkdtemp(template)) {
3090 log_error("Failed to create temporary directory: %m");
3095 arg_directory = strdup(template);
3096 if (!arg_directory) {
3101 image_fd = setup_image(&device_path, &loop_nr);
3107 r = dissect_image(image_fd,
3108 &root_device, &root_device_rw,
3109 &home_device, &home_device_rw,
3110 &srv_device, &srv_device_rw,
3116 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
3118 log_error("Failed to acquire pseudo tty: %m");
3122 console = ptsname(master);
3124 log_error("Failed to determine tty name: %m");
3129 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3130 arg_machine, arg_image ? arg_image : arg_directory);
3132 if (unlockpt(master) < 0) {
3133 log_error("Failed to unlock tty: %m");
3137 if (access("/dev/kdbus/control", F_OK) >= 0) {
3139 if (arg_share_system) {
3140 kdbus_domain = strdup("/dev/kdbus");
3141 if (!kdbus_domain) {
3148 ns = strappenda("machine-", arg_machine);
3149 kdbus_fd = bus_kernel_create_domain(ns, &kdbus_domain);
3151 log_debug("Failed to create kdbus domain: %s", strerror(-r));
3153 log_debug("Successfully created kdbus domain as %s", kdbus_domain);
3157 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
3158 log_error("Failed to create kmsg socket pair: %m");
3164 "STATUS=Container running.");
3166 assert_se(sigemptyset(&mask) == 0);
3167 assert_se(sigemptyset(&mask_chld) == 0);
3168 sigaddset(&mask_chld, SIGCHLD);
3169 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
3170 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
3173 ContainerStatus container_status;
3174 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
3175 struct sigaction sa = {
3176 .sa_handler = nop_handler,
3177 .sa_flags = SA_NOCLDSTOP,
3180 r = barrier_create(&barrier);
3182 log_error("Cannot initialize IPC barrier: %s", strerror(-r));
3186 /* Child can be killed before execv(), so handle SIGCHLD
3187 * in order to interrupt parent's blocking calls and
3188 * give it a chance to call wait() and terminate. */
3189 r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL);
3191 log_error("Failed to change the signal mask: %m");
3195 r = sigaction(SIGCHLD, &sa, NULL);
3197 log_error("Failed to install SIGCHLD handler: %m");
3201 pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWNS|
3202 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
3203 (arg_private_network ? CLONE_NEWNET : 0), NULL);
3205 if (errno == EINVAL)
3206 log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3208 log_error("clone() failed: %m");
3216 _cleanup_free_ char *home = NULL;
3218 const char *envp[] = {
3219 "PATH=" DEFAULT_PATH_SPLIT_USR,
3220 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
3225 NULL, /* container_uuid */
3226 NULL, /* LISTEN_FDS */
3227 NULL, /* LISTEN_PID */
3232 barrier_set_role(&barrier, BARRIER_CHILD);
3234 envp[n_env] = strv_find_prefix(environ, "TERM=");
3238 master = safe_close(master);
3240 close_nointr(STDIN_FILENO);
3241 close_nointr(STDOUT_FILENO);
3242 close_nointr(STDERR_FILENO);
3244 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
3246 reset_all_signal_handlers();
3247 reset_signal_mask();
3249 k = open_terminal(console, O_RDWR);
3250 if (k != STDIN_FILENO) {
3256 log_error("Failed to open console: %s", strerror(-k));
3257 _exit(EXIT_FAILURE);
3260 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
3261 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
3262 log_error("Failed to duplicate console: %m");
3263 _exit(EXIT_FAILURE);
3267 log_error("setsid() failed: %m");
3268 _exit(EXIT_FAILURE);
3271 if (reset_audit_loginuid() < 0)
3272 _exit(EXIT_FAILURE);
3274 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
3275 log_error("PR_SET_PDEATHSIG failed: %m");
3276 _exit(EXIT_FAILURE);
3279 /* Mark everything as slave, so that we still
3280 * receive mounts from the real root, but don't
3281 * propagate mounts to the real root. */
3282 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
3283 log_error("MS_SLAVE|MS_REC failed: %m");
3284 _exit(EXIT_FAILURE);
3287 if (mount_devices(arg_directory,
3288 root_device, root_device_rw,
3289 home_device, home_device_rw,
3290 srv_device, srv_device_rw) < 0)
3291 _exit(EXIT_FAILURE);
3293 /* Turn directory into bind mount */
3294 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
3295 log_error("Failed to make bind mount: %m");
3296 _exit(EXIT_FAILURE);
3299 r = setup_volatile(arg_directory);
3301 _exit(EXIT_FAILURE);
3303 if (setup_volatile_state(arg_directory) < 0)
3304 _exit(EXIT_FAILURE);
3306 r = base_filesystem_create(arg_directory);
3308 _exit(EXIT_FAILURE);
3310 if (arg_read_only) {
3311 k = bind_remount_recursive(arg_directory, true);
3313 log_error("Failed to make tree read-only: %s", strerror(-k));
3314 _exit(EXIT_FAILURE);
3318 if (mount_all(arg_directory) < 0)
3319 _exit(EXIT_FAILURE);
3321 if (copy_devnodes(arg_directory) < 0)
3322 _exit(EXIT_FAILURE);
3324 if (setup_ptmx(arg_directory) < 0)
3325 _exit(EXIT_FAILURE);
3327 dev_setup(arg_directory);
3329 if (setup_seccomp() < 0)
3330 _exit(EXIT_FAILURE);
3332 if (setup_dev_console(arg_directory, console) < 0)
3333 _exit(EXIT_FAILURE);
3335 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
3336 _exit(EXIT_FAILURE);
3338 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
3340 if (setup_boot_id(arg_directory) < 0)
3341 _exit(EXIT_FAILURE);
3343 if (setup_timezone(arg_directory) < 0)
3344 _exit(EXIT_FAILURE);
3346 if (setup_resolv_conf(arg_directory) < 0)
3347 _exit(EXIT_FAILURE);
3349 if (setup_journal(arg_directory) < 0)
3350 _exit(EXIT_FAILURE);
3352 if (mount_binds(arg_directory, arg_bind, false) < 0)
3353 _exit(EXIT_FAILURE);
3355 if (mount_binds(arg_directory, arg_bind_ro, true) < 0)
3356 _exit(EXIT_FAILURE);
3358 if (mount_tmpfs(arg_directory) < 0)
3359 _exit(EXIT_FAILURE);
3361 if (setup_kdbus(arg_directory, kdbus_domain) < 0)
3362 _exit(EXIT_FAILURE);
3364 /* Tell the parent that we are ready, and that
3365 * it can cgroupify us to that we lack access
3366 * to certain devices and resources. */
3367 barrier_place(&barrier);
3369 if (chdir(arg_directory) < 0) {
3370 log_error("chdir(%s) failed: %m", arg_directory);
3371 _exit(EXIT_FAILURE);
3374 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
3375 log_error("mount(MS_MOVE) failed: %m");
3376 _exit(EXIT_FAILURE);
3379 if (chroot(".") < 0) {
3380 log_error("chroot() failed: %m");
3381 _exit(EXIT_FAILURE);
3384 if (chdir("/") < 0) {
3385 log_error("chdir() failed: %m");
3386 _exit(EXIT_FAILURE);
3391 if (arg_private_network)
3394 if (drop_capabilities() < 0) {
3395 log_error("drop_capabilities() failed: %m");
3396 _exit(EXIT_FAILURE);
3399 r = change_uid_gid(&home);
3401 _exit(EXIT_FAILURE);
3403 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
3404 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
3405 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
3407 _exit(EXIT_FAILURE);
3410 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
3413 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
3415 _exit(EXIT_FAILURE);
3419 if (fdset_size(fds) > 0) {
3420 k = fdset_cloexec(fds, false);
3422 log_error("Failed to unset O_CLOEXEC for file descriptors.");
3423 _exit(EXIT_FAILURE);
3426 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
3427 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
3429 _exit(EXIT_FAILURE);
3435 if (arg_personality != 0xffffffffLU) {
3436 if (personality(arg_personality) < 0) {
3437 log_error("personality() failed: %m");
3438 _exit(EXIT_FAILURE);
3440 } else if (secondary) {
3441 if (personality(PER_LINUX32) < 0) {
3442 log_error("personality() failed: %m");
3443 _exit(EXIT_FAILURE);
3448 if (arg_selinux_context)
3449 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
3450 log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
3451 _exit(EXIT_FAILURE);
3455 if (!strv_isempty(arg_setenv)) {
3458 n = strv_env_merge(2, envp, arg_setenv);
3461 _exit(EXIT_FAILURE);
3466 env_use = (char**) envp;
3468 /* Wait until the parent is ready with the setup, too... */
3469 if (!barrier_place_and_sync(&barrier))
3470 _exit(EXIT_FAILURE);
3476 /* Automatically search for the init system */
3478 l = 1 + argc - optind;
3479 a = newa(char*, l + 1);
3480 memcpy(a + 1, argv + optind, l * sizeof(char*));
3482 a[0] = (char*) "/usr/lib/systemd/systemd";
3483 execve(a[0], a, env_use);
3485 a[0] = (char*) "/lib/systemd/systemd";
3486 execve(a[0], a, env_use);
3488 a[0] = (char*) "/sbin/init";
3489 execve(a[0], a, env_use);
3490 } else if (argc > optind)
3491 execvpe(argv[optind], argv + optind, env_use);
3493 chdir(home ? home : "/root");
3494 execle("/bin/bash", "-bash", NULL, env_use);
3495 execle("/bin/sh", "-sh", NULL, env_use);
3498 log_error("execv() failed: %m");
3499 _exit(EXIT_FAILURE);
3502 barrier_set_role(&barrier, BARRIER_PARENT);
3506 /* wait for child-setup to be done */
3507 if (barrier_place_and_sync(&barrier)) {
3510 r = move_network_interfaces(pid);
3514 r = setup_veth(pid, veth_name, &ifi);
3518 r = setup_bridge(veth_name, &ifi);
3522 r = setup_macvlan(pid);
3526 r = register_machine(pid, ifi);
3530 /* Block SIGCHLD here, before notifying child.
3531 * process_pty() will handle it with the other signals. */
3532 r = sigprocmask(SIG_BLOCK, &mask_chld, NULL);
3536 /* Reset signal to default */
3537 r = default_signals(SIGCHLD, -1);
3541 /* Notify the child that the parent is ready with all
3542 * its setup, and that the child can now hand over
3543 * control to the code to run inside the container. */
3544 barrier_place(&barrier);
3546 k = process_pty(master, &mask, arg_boot ? pid : 0, SIGRTMIN+3);
3555 /* Kill if it is not dead yet anyway */
3556 terminate_machine(pid);
3559 /* Normally redundant, but better safe than sorry */
3562 r = wait_for_container(pid, &container_status);
3566 /* We failed to wait for the container, or the
3567 * container exited abnormally */
3570 } else if (r > 0 || container_status == CONTAINER_TERMINATED)
3571 /* The container exited with a non-zero
3572 * status, or with zero status and no reboot
3576 /* CONTAINER_REBOOTED, loop again */
3578 if (arg_keep_unit) {
3579 /* Special handling if we are running as a
3580 * service: instead of simply restarting the
3581 * machine we want to restart the entire
3582 * service, so let's inform systemd about this
3583 * with the special exit code 133. The service
3584 * file uses RestartForceExitStatus=133 so
3585 * that this results in a full nspawn
3586 * restart. This is necessary since we might
3587 * have cgroup parameters set we want to have
3597 "STATUS=Terminating...");
3599 loop_remove(loop_nr, &image_fd);
3604 free(arg_directory);
3607 strv_free(arg_setenv);
3608 strv_free(arg_network_interfaces);
3609 strv_free(arg_network_macvlan);
3610 strv_free(arg_bind);
3611 strv_free(arg_bind_ro);
3612 strv_free(arg_tmpfs);
~ianmdlvl / elogind.git / blob