1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
36 #include <sys/signalfd.h>
40 #include <sys/socket.h>
41 #include <linux/netlink.h>
43 #include <linux/veth.h>
44 #include <sys/personality.h>
45 #include <linux/loop.h>
50 #include <selinux/selinux.h>
58 #include <blkid/blkid.h>
61 #include "sd-daemon.h"
71 #include "cgroup-util.h"
73 #include "path-util.h"
74 #include "loopback-setup.h"
75 #include "dev-setup.h"
80 #include "bus-error.h"
82 #include "bus-kernel.h"
85 #include "rtnl-util.h"
86 #include "udev-util.h"
87 #include "blkid-util.h"
89 #include "siphash24.h"
91 #include "base-filesystem.h"
93 #include "event-util.h"
94 #include "capability.h"
96 #include "btrfs-util.h"
97 #include "machine-image.h"
99 #include "in-addr-util.h"
101 #include "local-addresses.h"
104 #include "seccomp-util.h"
107 typedef struct ExposePort {
110 uint16_t container_port;
111 LIST_FIELDS(struct ExposePort, ports);
114 typedef enum ContainerStatus {
115 CONTAINER_TERMINATED,
119 typedef enum LinkJournal {
126 typedef enum Volatile {
132 static char *arg_directory = NULL;
133 static char *arg_template = NULL;
134 static char *arg_user = NULL;
135 static sd_id128_t arg_uuid = {};
136 static char *arg_machine = NULL;
137 static const char *arg_selinux_context = NULL;
138 static const char *arg_selinux_apifs_context = NULL;
139 static const char *arg_slice = NULL;
140 static bool arg_private_network = false;
141 static bool arg_read_only = false;
142 static bool arg_boot = false;
143 static bool arg_ephemeral = false;
144 static LinkJournal arg_link_journal = LINK_AUTO;
145 static bool arg_link_journal_try = false;
146 static uint64_t arg_retain =
147 (1ULL << CAP_CHOWN) |
148 (1ULL << CAP_DAC_OVERRIDE) |
149 (1ULL << CAP_DAC_READ_SEARCH) |
150 (1ULL << CAP_FOWNER) |
151 (1ULL << CAP_FSETID) |
152 (1ULL << CAP_IPC_OWNER) |
154 (1ULL << CAP_LEASE) |
155 (1ULL << CAP_LINUX_IMMUTABLE) |
156 (1ULL << CAP_NET_BIND_SERVICE) |
157 (1ULL << CAP_NET_BROADCAST) |
158 (1ULL << CAP_NET_RAW) |
159 (1ULL << CAP_SETGID) |
160 (1ULL << CAP_SETFCAP) |
161 (1ULL << CAP_SETPCAP) |
162 (1ULL << CAP_SETUID) |
163 (1ULL << CAP_SYS_ADMIN) |
164 (1ULL << CAP_SYS_CHROOT) |
165 (1ULL << CAP_SYS_NICE) |
166 (1ULL << CAP_SYS_PTRACE) |
167 (1ULL << CAP_SYS_TTY_CONFIG) |
168 (1ULL << CAP_SYS_RESOURCE) |
169 (1ULL << CAP_SYS_BOOT) |
170 (1ULL << CAP_AUDIT_WRITE) |
171 (1ULL << CAP_AUDIT_CONTROL) |
173 static char **arg_bind = NULL;
174 static char **arg_bind_ro = NULL;
175 static char **arg_tmpfs = NULL;
176 static char **arg_setenv = NULL;
177 static bool arg_quiet = false;
178 static bool arg_share_system = false;
179 static bool arg_register = true;
180 static bool arg_keep_unit = false;
181 static char **arg_network_interfaces = NULL;
182 static char **arg_network_macvlan = NULL;
183 static char **arg_network_ipvlan = NULL;
184 static bool arg_network_veth = false;
185 static const char *arg_network_bridge = NULL;
186 static unsigned long arg_personality = 0xffffffffLU;
187 static char *arg_image = NULL;
188 static Volatile arg_volatile = VOLATILE_NO;
189 static ExposePort *arg_expose_ports = NULL;
190 static char **arg_property = NULL;
191 static uid_t arg_uid_shift = UID_INVALID, arg_uid_range = 0x10000U;
192 static bool arg_userns = false;
194 static void help(void) {
195 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
196 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
197 " -h --help Show this help\n"
198 " --version Print version string\n"
199 " -q --quiet Do not show status information\n"
200 " -D --directory=PATH Root directory for the container\n"
201 " --template=PATH Initialize root directory from template directory,\n"
203 " -x --ephemeral Run container with snapshot of root directory, and\n"
204 " remove it after exit\n"
205 " -i --image=PATH File system device or disk image for the container\n"
206 " -b --boot Boot up full system (i.e. invoke init)\n"
207 " -u --user=USER Run the command under specified user or uid\n"
208 " -M --machine=NAME Set the machine name for the container\n"
209 " --uuid=UUID Set a specific machine UUID for the container\n"
210 " -S --slice=SLICE Place the container in the specified slice\n"
211 " --property=NAME=VALUE Set scope unit property\n"
212 " --private-network Disable network in container\n"
213 " --network-interface=INTERFACE\n"
214 " Assign an existing network interface to the\n"
216 " --network-macvlan=INTERFACE\n"
217 " Create a macvlan network interface based on an\n"
218 " existing network interface to the container\n"
219 " --network-ipvlan=INTERFACE\n"
220 " Create a ipvlan network interface based on an\n"
221 " existing network interface to the container\n"
222 " -n --network-veth Add a virtual ethernet connection between host\n"
224 " --network-bridge=INTERFACE\n"
225 " Add a virtual ethernet connection between host\n"
226 " and container and add it to an existing bridge on\n"
228 " --private-users[=UIDBASE[:NUIDS]]\n"
229 " Run within user namespace\n"
230 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
231 " Expose a container IP port on the host\n"
232 " -Z --selinux-context=SECLABEL\n"
233 " Set the SELinux security context to be used by\n"
234 " processes in the container\n"
235 " -L --selinux-apifs-context=SECLABEL\n"
236 " Set the SELinux security context to be used by\n"
237 " API/tmpfs file systems in the container\n"
238 " --capability=CAP In addition to the default, retain specified\n"
240 " --drop-capability=CAP Drop the specified capability from the default set\n"
241 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host,\n"
242 " try-guest, try-host\n"
243 " -j Equivalent to --link-journal=try-guest\n"
244 " --read-only Mount the root directory read-only\n"
245 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
247 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
248 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
249 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
250 " --share-system Share system namespaces with host\n"
251 " --register=BOOLEAN Register container as machine\n"
252 " --keep-unit Do not register a scope for the machine, reuse\n"
253 " the service unit nspawn is running in\n"
254 " --volatile[=MODE] Run the system in volatile mode\n"
255 , program_invocation_short_name);
258 static int set_sanitized_path(char **b, const char *path) {
264 p = canonicalize_file_name(path);
269 p = path_make_absolute_cwd(path);
275 *b = path_kill_slashes(p);
279 static int parse_argv(int argc, char *argv[]) {
296 ARG_NETWORK_INTERFACE,
307 static const struct option options[] = {
308 { "help", no_argument, NULL, 'h' },
309 { "version", no_argument, NULL, ARG_VERSION },
310 { "directory", required_argument, NULL, 'D' },
311 { "template", required_argument, NULL, ARG_TEMPLATE },
312 { "ephemeral", no_argument, NULL, 'x' },
313 { "user", required_argument, NULL, 'u' },
314 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
315 { "boot", no_argument, NULL, 'b' },
316 { "uuid", required_argument, NULL, ARG_UUID },
317 { "read-only", no_argument, NULL, ARG_READ_ONLY },
318 { "capability", required_argument, NULL, ARG_CAPABILITY },
319 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
320 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
321 { "bind", required_argument, NULL, ARG_BIND },
322 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
323 { "tmpfs", required_argument, NULL, ARG_TMPFS },
324 { "machine", required_argument, NULL, 'M' },
325 { "slice", required_argument, NULL, 'S' },
326 { "setenv", required_argument, NULL, ARG_SETENV },
327 { "selinux-context", required_argument, NULL, 'Z' },
328 { "selinux-apifs-context", required_argument, NULL, 'L' },
329 { "quiet", no_argument, NULL, 'q' },
330 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
331 { "register", required_argument, NULL, ARG_REGISTER },
332 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
333 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
334 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
335 { "network-ipvlan", required_argument, NULL, ARG_NETWORK_IPVLAN },
336 { "network-veth", no_argument, NULL, 'n' },
337 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
338 { "personality", required_argument, NULL, ARG_PERSONALITY },
339 { "image", required_argument, NULL, 'i' },
340 { "volatile", optional_argument, NULL, ARG_VOLATILE },
341 { "port", required_argument, NULL, 'p' },
342 { "property", required_argument, NULL, ARG_PROPERTY },
343 { "private-users", optional_argument, NULL, ARG_PRIVATE_USERS },
348 uint64_t plus = 0, minus = 0;
353 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:xp:n", options, NULL)) >= 0)
362 puts(PACKAGE_STRING);
363 puts(SYSTEMD_FEATURES);
367 r = set_sanitized_path(&arg_directory, optarg);
369 return log_error_errno(r, "Invalid root directory: %m");
374 r = set_sanitized_path(&arg_template, optarg);
376 return log_error_errno(r, "Invalid template directory: %m");
381 r = set_sanitized_path(&arg_image, optarg);
383 return log_error_errno(r, "Invalid image path: %m");
388 arg_ephemeral = true;
393 arg_user = strdup(optarg);
399 case ARG_NETWORK_BRIDGE:
400 arg_network_bridge = optarg;
405 arg_network_veth = true;
406 arg_private_network = true;
409 case ARG_NETWORK_INTERFACE:
410 if (strv_extend(&arg_network_interfaces, optarg) < 0)
413 arg_private_network = true;
416 case ARG_NETWORK_MACVLAN:
417 if (strv_extend(&arg_network_macvlan, optarg) < 0)
420 arg_private_network = true;
423 case ARG_NETWORK_IPVLAN:
424 if (strv_extend(&arg_network_ipvlan, optarg) < 0)
429 case ARG_PRIVATE_NETWORK:
430 arg_private_network = true;
438 r = sd_id128_from_string(optarg, &arg_uuid);
440 log_error("Invalid UUID: %s", optarg);
450 if (isempty(optarg)) {
454 if (!machine_name_is_valid(optarg)) {
455 log_error("Invalid machine name: %s", optarg);
459 r = free_and_strdup(&arg_machine, optarg);
467 arg_selinux_context = optarg;
471 arg_selinux_apifs_context = optarg;
475 arg_read_only = true;
479 case ARG_DROP_CAPABILITY: {
480 const char *state, *word;
483 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
484 _cleanup_free_ char *t;
486 t = strndup(word, length);
490 if (streq(t, "all")) {
491 if (c == ARG_CAPABILITY)
492 plus = (uint64_t) -1;
494 minus = (uint64_t) -1;
498 cap = capability_from_name(t);
500 log_error("Failed to parse capability %s.", t);
504 if (c == ARG_CAPABILITY)
505 plus |= 1ULL << (uint64_t) cap;
507 minus |= 1ULL << (uint64_t) cap;
515 arg_link_journal = LINK_GUEST;
516 arg_link_journal_try = true;
519 case ARG_LINK_JOURNAL:
520 if (streq(optarg, "auto")) {
521 arg_link_journal = LINK_AUTO;
522 arg_link_journal_try = false;
523 } else if (streq(optarg, "no")) {
524 arg_link_journal = LINK_NO;
525 arg_link_journal_try = false;
526 } else if (streq(optarg, "guest")) {
527 arg_link_journal = LINK_GUEST;
528 arg_link_journal_try = false;
529 } else if (streq(optarg, "host")) {
530 arg_link_journal = LINK_HOST;
531 arg_link_journal_try = false;
532 } else if (streq(optarg, "try-guest")) {
533 arg_link_journal = LINK_GUEST;
534 arg_link_journal_try = true;
535 } else if (streq(optarg, "try-host")) {
536 arg_link_journal = LINK_HOST;
537 arg_link_journal_try = true;
539 log_error("Failed to parse link journal mode %s", optarg);
547 _cleanup_free_ char *a = NULL, *b = NULL;
551 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
553 e = strchr(optarg, ':');
555 a = strndup(optarg, e - optarg);
565 if (!path_is_absolute(a) || !path_is_absolute(b)) {
566 log_error("Invalid bind mount specification: %s", optarg);
570 r = strv_extend(x, a);
574 r = strv_extend(x, b);
582 _cleanup_free_ char *a = NULL, *b = NULL;
585 e = strchr(optarg, ':');
587 a = strndup(optarg, e - optarg);
591 b = strdup("mode=0755");
597 if (!path_is_absolute(a)) {
598 log_error("Invalid tmpfs specification: %s", optarg);
602 r = strv_push(&arg_tmpfs, a);
608 r = strv_push(&arg_tmpfs, b);
620 if (!env_assignment_is_valid(optarg)) {
621 log_error("Environment variable assignment '%s' is not valid.", optarg);
625 n = strv_env_set(arg_setenv, optarg);
629 strv_free(arg_setenv);
638 case ARG_SHARE_SYSTEM:
639 arg_share_system = true;
643 r = parse_boolean(optarg);
645 log_error("Failed to parse --register= argument: %s", optarg);
653 arg_keep_unit = true;
656 case ARG_PERSONALITY:
658 arg_personality = personality_from_string(optarg);
659 if (arg_personality == 0xffffffffLU) {
660 log_error("Unknown or unsupported personality '%s'.", optarg);
669 arg_volatile = VOLATILE_YES;
671 r = parse_boolean(optarg);
673 if (streq(optarg, "state"))
674 arg_volatile = VOLATILE_STATE;
676 log_error("Failed to parse --volatile= argument: %s", optarg);
680 arg_volatile = r ? VOLATILE_YES : VOLATILE_NO;
686 const char *split, *e;
687 uint16_t container_port, host_port;
691 if ((e = startswith(optarg, "tcp:")))
692 protocol = IPPROTO_TCP;
693 else if ((e = startswith(optarg, "udp:")))
694 protocol = IPPROTO_UDP;
697 protocol = IPPROTO_TCP;
700 split = strchr(e, ':');
702 char v[split - e + 1];
704 memcpy(v, e, split - e);
707 r = safe_atou16(v, &host_port);
708 if (r < 0 || host_port <= 0) {
709 log_error("Failed to parse host port: %s", optarg);
713 r = safe_atou16(split + 1, &container_port);
715 r = safe_atou16(e, &container_port);
716 host_port = container_port;
719 if (r < 0 || container_port <= 0) {
720 log_error("Failed to parse host port: %s", optarg);
724 LIST_FOREACH(ports, p, arg_expose_ports) {
725 if (p->protocol == protocol && p->host_port == host_port) {
726 log_error("Duplicate port specification: %s", optarg);
731 p = new(ExposePort, 1);
735 p->protocol = protocol;
736 p->host_port = host_port;
737 p->container_port = container_port;
739 LIST_PREPEND(ports, arg_expose_ports, p);
745 if (strv_extend(&arg_property, optarg) < 0)
750 case ARG_PRIVATE_USERS:
752 _cleanup_free_ char *buffer = NULL;
753 const char *range, *shift;
755 range = strchr(optarg, ':');
757 buffer = strndup(optarg, range - optarg);
763 if (safe_atou32(range, &arg_uid_range) < 0 || arg_uid_range <= 0) {
764 log_error("Failed to parse UID range: %s", range);
770 if (parse_uid(shift, &arg_uid_shift) < 0) {
771 log_error("Failed to parse UID: %s", optarg);
783 assert_not_reached("Unhandled option");
786 if (arg_share_system)
787 arg_register = false;
789 if (arg_boot && arg_share_system) {
790 log_error("--boot and --share-system may not be combined.");
794 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
795 log_error("--keep-unit may not be used when invoked from a user session.");
799 if (arg_directory && arg_image) {
800 log_error("--directory= and --image= may not be combined.");
804 if (arg_template && arg_image) {
805 log_error("--template= and --image= may not be combined.");
809 if (arg_template && !(arg_directory || arg_machine)) {
810 log_error("--template= needs --directory= or --machine=.");
814 if (arg_ephemeral && arg_template) {
815 log_error("--ephemeral and --template= may not be combined.");
819 if (arg_ephemeral && arg_image) {
820 log_error("--ephemeral and --image= may not be combined.");
824 if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO)) {
825 log_error("--ephemeral and --link-journal= may not be combined.");
829 if (arg_volatile != VOLATILE_NO && arg_read_only) {
830 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
834 if (arg_expose_ports && !arg_private_network) {
835 log_error("Cannot use --port= without private networking.");
839 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
844 static int mount_all(const char *dest) {
846 typedef struct MountPoint {
855 static const MountPoint mount_table[] = {
856 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
857 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
858 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
859 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
860 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
861 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
862 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
863 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
864 { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true },
866 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
867 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
874 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
875 _cleanup_free_ char *where = NULL, *options = NULL;
879 where = strjoin(dest, "/", mount_table[k].where, NULL);
883 t = path_is_mount_point(where, true);
885 log_error_errno(t, "Failed to detect whether %s is a mount point: %m", where);
893 /* Skip this entry if it is not a remount. */
894 if (mount_table[k].what && t > 0)
897 t = mkdir_p(where, 0755);
899 if (mount_table[k].fatal) {
900 log_error_errno(t, "Failed to create directory %s: %m", where);
905 log_warning_errno(t, "Failed to create directory %s: %m", where);
911 if (arg_selinux_apifs_context &&
912 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
913 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
920 o = mount_table[k].options;
922 if (arg_userns && arg_uid_shift != UID_INVALID && streq_ptr(mount_table[k].type, "tmpfs")) {
923 char *uid_options = NULL;
926 asprintf(&uid_options, "%s,uid=" UID_FMT ",gid=" UID_FMT, o, arg_uid_shift, arg_uid_shift);
928 asprintf(&uid_options, "uid=" UID_FMT ",gid=" UID_FMT, arg_uid_shift, arg_uid_shift);
933 o = options = uid_options;
936 if (mount(mount_table[k].what,
939 mount_table[k].flags,
942 if (mount_table[k].fatal) {
943 log_error_errno(errno, "mount(%s) failed: %m", where);
948 log_warning_errno(errno, "mount(%s) failed: %m", where);
955 static int mount_binds(const char *dest, char **l, bool ro) {
958 STRV_FOREACH_PAIR(x, y, l) {
959 _cleanup_free_ char *where = NULL;
960 struct stat source_st, dest_st;
963 if (stat(*x, &source_st) < 0)
964 return log_error_errno(errno, "Failed to stat %s: %m", *x);
966 where = strappend(dest, *y);
970 r = stat(where, &dest_st);
972 if (S_ISDIR(source_st.st_mode) && !S_ISDIR(dest_st.st_mode)) {
973 log_error("Cannot bind mount directory %s on file %s.", *x, where);
976 if (!S_ISDIR(source_st.st_mode) && S_ISDIR(dest_st.st_mode)) {
977 log_error("Cannot bind mount file %s on directory %s.", *x, where);
980 } else if (errno == ENOENT) {
981 r = mkdir_parents_label(where, 0755);
983 return log_error_errno(r, "Failed to bind mount %s: %m", *x);
985 log_error_errno(errno, "Failed to bind mount %s: %m", *x);
989 /* Create the mount point. Any non-directory file can be
990 * mounted on any non-directory file (regular, fifo, socket,
993 if (S_ISDIR(source_st.st_mode)) {
994 r = mkdir_label(where, 0755);
995 if (r < 0 && errno != EEXIST)
996 return log_error_errno(r, "Failed to create mount point %s: %m", where);
1000 return log_error_errno(r, "Failed to create mount point %s: %m", where);
1003 if (mount(*x, where, "bind", MS_BIND, NULL) < 0)
1004 return log_error_errno(errno, "mount(%s) failed: %m", where);
1007 r = bind_remount_recursive(where, true);
1009 return log_error_errno(r, "Read-Only bind mount failed: %m");
1016 static int mount_cgroup_hierarchy(const char *dest, const char *controller, const char *hierarchy, bool read_only) {
1020 to = strjoina(dest, "/sys/fs/cgroup/", hierarchy);
1022 r = path_is_mount_point(to, false);
1024 return log_error_errno(r, "Failed to determine if %s is mounted already: %m", to);
1030 /* The superblock mount options of the mount point need to be
1031 * identical to the hosts', and hence writable... */
1032 if (mount("cgroup", to, "cgroup", MS_NOSUID|MS_NOEXEC|MS_NODEV, controller) < 0)
1033 return log_error_errno(errno, "Failed to mount to %s: %m", to);
1035 /* ... hence let's only make the bind mount read-only, not the
1038 if (mount(NULL, to, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, NULL) < 0)
1039 return log_error_errno(errno, "Failed to remount %s read-only: %m", to);
1044 static int mount_cgroup(const char *dest) {
1045 _cleanup_set_free_free_ Set *controllers = NULL;
1046 _cleanup_free_ char *own_cgroup_path = NULL;
1047 const char *cgroup_root, *systemd_root, *systemd_own;
1050 controllers = set_new(&string_hash_ops);
1054 r = cg_kernel_controllers(controllers);
1056 return log_error_errno(r, "Failed to determine cgroup controllers: %m");
1058 r = cg_pid_get_path(NULL, 0, &own_cgroup_path);
1060 return log_error_errno(r, "Failed to determine our own cgroup path: %m");
1062 cgroup_root = strjoina(dest, "/sys/fs/cgroup");
1063 if (mount("tmpfs", cgroup_root, "tmpfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, "mode=755") < 0)
1064 return log_error_errno(errno, "Failed to mount tmpfs to /sys/fs/cgroup: %m");
1067 _cleanup_free_ char *controller = NULL, *origin = NULL, *combined = NULL;
1069 controller = set_steal_first(controllers);
1073 origin = strappend("/sys/fs/cgroup/", controller);
1077 r = readlink_malloc(origin, &combined);
1079 /* Not a symbolic link, but directly a single cgroup hierarchy */
1081 r = mount_cgroup_hierarchy(dest, controller, controller, true);
1086 return log_error_errno(r, "Failed to read link %s: %m", origin);
1088 _cleanup_free_ char *target = NULL;
1090 target = strjoin(dest, "/sys/fs/cgroup/", controller, NULL);
1094 /* A symbolic link, a combination of controllers in one hierarchy */
1096 if (!filename_is_valid(combined)) {
1097 log_warning("Ignoring invalid combined hierarchy %s.", combined);
1101 r = mount_cgroup_hierarchy(dest, combined, combined, true);
1105 if (symlink(combined, target) < 0)
1106 return log_error_errno(errno, "Failed to create symlink for combined hierarchy: %m");
1110 r = mount_cgroup_hierarchy(dest, "name=systemd,xattr", "systemd", false);
1114 /* Make our own cgroup a (writable) bind mount */
1115 systemd_own = strjoina(dest, "/sys/fs/cgroup/systemd", own_cgroup_path);
1116 if (mount(systemd_own, systemd_own, NULL, MS_BIND, NULL) < 0)
1117 return log_error_errno(errno, "Failed to turn %s into a bind mount: %m", own_cgroup_path);
1119 /* And then remount the systemd cgroup root read-only */
1120 systemd_root = strjoina(dest, "/sys/fs/cgroup/systemd");
1121 if (mount(NULL, systemd_root, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, NULL) < 0)
1122 return log_error_errno(errno, "Failed to mount cgroup root read-only: %m");
1124 if (mount(NULL, cgroup_root, NULL, MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755") < 0)
1125 return log_error_errno(errno, "Failed to remount %s read-only: %m", cgroup_root);
1130 static int mount_tmpfs(const char *dest) {
1133 STRV_FOREACH_PAIR(i, o, arg_tmpfs) {
1134 _cleanup_free_ char *where = NULL;
1137 where = strappend(dest, *i);
1141 r = mkdir_label(where, 0755);
1142 if (r < 0 && r != -EEXIST)
1143 return log_error_errno(r, "Creating mount point for tmpfs %s failed: %m", where);
1145 if (mount("tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, *o) < 0)
1146 return log_error_errno(errno, "tmpfs mount to %s failed: %m", where);
1152 static int setup_timezone(const char *dest) {
1153 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
1159 /* Fix the timezone, if possible */
1160 r = readlink_malloc("/etc/localtime", &p);
1162 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
1166 z = path_startswith(p, "../usr/share/zoneinfo/");
1168 z = path_startswith(p, "/usr/share/zoneinfo/");
1170 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1174 where = strappend(dest, "/etc/localtime");
1178 r = readlink_malloc(where, &q);
1180 y = path_startswith(q, "../usr/share/zoneinfo/");
1182 y = path_startswith(q, "/usr/share/zoneinfo/");
1184 /* Already pointing to the right place? Then do nothing .. */
1185 if (y && streq(y, z))
1189 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
1193 if (access(check, F_OK) < 0) {
1194 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
1198 what = strappend("../usr/share/zoneinfo/", z);
1202 r = mkdir_parents(where, 0755);
1204 log_error_errno(r, "Failed to create directory for timezone info %s in container: %m", where);
1210 if (r < 0 && errno != ENOENT) {
1211 log_error_errno(errno, "Failed to remove existing timezone info %s in container: %m", where);
1216 if (symlink(what, where) < 0) {
1217 log_error_errno(errno, "Failed to correct timezone of container: %m");
1224 static int setup_resolv_conf(const char *dest) {
1225 _cleanup_free_ char *where = NULL;
1230 if (arg_private_network)
1233 /* Fix resolv.conf, if possible */
1234 where = strappend(dest, "/etc/resolv.conf");
1238 /* We don't really care for the results of this really. If it
1239 * fails, it fails, but meh... */
1240 r = mkdir_parents(where, 0755);
1242 log_warning_errno(r, "Failed to create parent directory for resolv.conf %s: %m", where);
1247 r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644, 0);
1249 log_warning_errno(r, "Failed to copy /etc/resolv.conf to %s: %m", where);
1257 static int setup_volatile_state(const char *directory) {
1263 if (arg_volatile != VOLATILE_STATE)
1266 /* --volatile=state means we simply overmount /var
1267 with a tmpfs, and the rest read-only. */
1269 r = bind_remount_recursive(directory, true);
1271 return log_error_errno(r, "Failed to remount %s read-only: %m", directory);
1273 p = strjoina(directory, "/var");
1275 if (r < 0 && errno != EEXIST)
1276 return log_error_errno(errno, "Failed to create %s: %m", directory);
1278 if (mount("tmpfs", p, "tmpfs", MS_STRICTATIME, "mode=755") < 0)
1279 return log_error_errno(errno, "Failed to mount tmpfs to /var: %m");
1284 static int setup_volatile(const char *directory) {
1285 bool tmpfs_mounted = false, bind_mounted = false;
1286 char template[] = "/tmp/nspawn-volatile-XXXXXX";
1292 if (arg_volatile != VOLATILE_YES)
1295 /* --volatile=yes means we mount a tmpfs to the root dir, and
1296 the original /usr to use inside it, and that read-only. */
1298 if (!mkdtemp(template))
1299 return log_error_errno(errno, "Failed to create temporary directory: %m");
1301 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
1302 log_error_errno(errno, "Failed to mount tmpfs for root directory: %m");
1307 tmpfs_mounted = true;
1309 f = strjoina(directory, "/usr");
1310 t = strjoina(template, "/usr");
1313 if (r < 0 && errno != EEXIST) {
1314 log_error_errno(errno, "Failed to create %s: %m", t);
1319 if (mount(f, t, "bind", MS_BIND|MS_REC, NULL) < 0) {
1320 log_error_errno(errno, "Failed to create /usr bind mount: %m");
1325 bind_mounted = true;
1327 r = bind_remount_recursive(t, true);
1329 log_error_errno(r, "Failed to remount %s read-only: %m", t);
1333 if (mount(template, directory, NULL, MS_MOVE, NULL) < 0) {
1334 log_error_errno(errno, "Failed to move root mount: %m");
1352 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
1355 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1356 SD_ID128_FORMAT_VAL(id));
1361 static int setup_boot_id(const char *dest) {
1362 _cleanup_free_ char *from = NULL, *to = NULL;
1363 sd_id128_t rnd = {};
1369 if (arg_share_system)
1372 /* Generate a new randomized boot ID, so that each boot-up of
1373 * the container gets a new one */
1375 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
1376 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
1380 r = sd_id128_randomize(&rnd);
1382 return log_error_errno(r, "Failed to generate random boot id: %m");
1384 id128_format_as_uuid(rnd, as_uuid);
1386 r = write_string_file(from, as_uuid);
1388 return log_error_errno(r, "Failed to write boot id: %m");
1390 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1391 log_error_errno(errno, "Failed to bind mount boot id: %m");
1393 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
1394 log_warning_errno(errno, "Failed to make boot id read-only: %m");
1400 static int copy_devnodes(const char *dest) {
1402 static const char devnodes[] =
1413 _cleanup_umask_ mode_t u;
1419 NULSTR_FOREACH(d, devnodes) {
1420 _cleanup_free_ char *from = NULL, *to = NULL;
1423 from = strappend("/dev/", d);
1424 to = strjoin(dest, "/dev/", d, NULL);
1428 if (stat(from, &st) < 0) {
1430 if (errno != ENOENT)
1431 return log_error_errno(errno, "Failed to stat %s: %m", from);
1433 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
1435 log_error("%s is not a char or block device, cannot copy", from);
1439 r = mkdir_parents(to, 0775);
1441 log_error_errno(r, "Failed to create parent directory of %s: %m", to);
1445 if (mknod(to, st.st_mode, st.st_rdev) < 0)
1446 return log_error_errno(errno, "mknod(%s) failed: %m", to);
1448 if (arg_userns && arg_uid_shift != UID_INVALID)
1449 if (lchown(to, arg_uid_shift, arg_uid_shift) < 0)
1450 return log_error_errno(errno, "chown() of device node %s failed: %m", to);
1457 static int setup_ptmx(const char *dest) {
1458 _cleanup_free_ char *p = NULL;
1460 p = strappend(dest, "/dev/ptmx");
1464 if (symlink("pts/ptmx", p) < 0)
1465 return log_error_errno(errno, "Failed to create /dev/ptmx symlink: %m");
1467 if (arg_userns && arg_uid_shift != UID_INVALID)
1468 if (lchown(p, arg_uid_shift, arg_uid_shift) < 0)
1469 return log_error_errno(errno, "lchown() of symlink %s failed: %m", p);
1474 static int setup_dev_console(const char *dest, const char *console) {
1475 _cleanup_umask_ mode_t u;
1485 if (stat("/dev/null", &st) < 0)
1486 return log_error_errno(errno, "Failed to stat /dev/null: %m");
1488 r = chmod_and_chown(console, 0600, 0, 0);
1490 return log_error_errno(r, "Failed to correct access mode for TTY: %m");
1492 /* We need to bind mount the right tty to /dev/console since
1493 * ptys can only exist on pts file systems. To have something
1494 * to bind mount things on we create a device node first, and
1495 * use /dev/null for that since we the cgroups device policy
1496 * allows us to create that freely, while we cannot create
1497 * /dev/console. (Note that the major minor doesn't actually
1498 * matter here, since we mount it over anyway). */
1500 to = strjoina(dest, "/dev/console");
1501 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0)
1502 return log_error_errno(errno, "mknod() for /dev/console failed: %m");
1504 if (mount(console, to, "bind", MS_BIND, NULL) < 0)
1505 return log_error_errno(errno, "Bind mount for /dev/console failed: %m");
1510 static int setup_kmsg(const char *dest, int kmsg_socket) {
1511 _cleanup_free_ char *from = NULL, *to = NULL;
1512 _cleanup_umask_ mode_t u;
1515 struct cmsghdr cmsghdr;
1516 uint8_t buf[CMSG_SPACE(sizeof(int))];
1518 struct msghdr mh = {
1519 .msg_control = &control,
1520 .msg_controllen = sizeof(control),
1522 struct cmsghdr *cmsg;
1525 assert(kmsg_socket >= 0);
1529 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1530 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1531 * on the reading side behave very similar to /proc/kmsg,
1532 * their writing side behaves differently from /dev/kmsg in
1533 * that writing blocks when nothing is reading. In order to
1534 * avoid any problems with containers deadlocking due to this
1535 * we simply make /dev/kmsg unavailable to the container. */
1536 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
1537 asprintf(&to, "%s/proc/kmsg", dest) < 0)
1540 if (mkfifo(from, 0600) < 0)
1541 return log_error_errno(errno, "mkfifo() for /dev/kmsg failed: %m");
1543 r = chmod_and_chown(from, 0600, 0, 0);
1545 return log_error_errno(r, "Failed to correct access mode for /dev/kmsg: %m");
1547 if (mount(from, to, "bind", MS_BIND, NULL) < 0)
1548 return log_error_errno(errno, "Bind mount for /proc/kmsg failed: %m");
1550 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
1552 return log_error_errno(errno, "Failed to open fifo: %m");
1554 cmsg = CMSG_FIRSTHDR(&mh);
1555 cmsg->cmsg_level = SOL_SOCKET;
1556 cmsg->cmsg_type = SCM_RIGHTS;
1557 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1558 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1560 mh.msg_controllen = cmsg->cmsg_len;
1562 /* Store away the fd in the socket, so that it stays open as
1563 * long as we run the child */
1564 k = sendmsg(kmsg_socket, &mh, MSG_NOSIGNAL);
1568 return log_error_errno(errno, "Failed to send FIFO fd: %m");
1570 /* And now make the FIFO unavailable as /dev/kmsg... */
1575 static int send_rtnl(int send_fd) {
1577 struct cmsghdr cmsghdr;
1578 uint8_t buf[CMSG_SPACE(sizeof(int))];
1580 struct msghdr mh = {
1581 .msg_control = &control,
1582 .msg_controllen = sizeof(control),
1584 struct cmsghdr *cmsg;
1585 _cleanup_close_ int fd = -1;
1588 assert(send_fd >= 0);
1590 if (!arg_expose_ports)
1593 fd = socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_ROUTE);
1595 return log_error_errno(errno, "failed to allocate container netlink: %m");
1597 cmsg = CMSG_FIRSTHDR(&mh);
1598 cmsg->cmsg_level = SOL_SOCKET;
1599 cmsg->cmsg_type = SCM_RIGHTS;
1600 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1601 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1603 mh.msg_controllen = cmsg->cmsg_len;
1605 /* Store away the fd in the socket, so that it stays open as
1606 * long as we run the child */
1607 k = sendmsg(send_fd, &mh, MSG_NOSIGNAL);
1609 return log_error_errno(errno, "Failed to send netlink fd: %m");
1614 static int flush_ports(union in_addr_union *exposed) {
1616 int r, af = AF_INET;
1620 if (!arg_expose_ports)
1623 if (in_addr_is_null(af, exposed))
1626 log_debug("Lost IP address.");
1628 LIST_FOREACH(ports, p, arg_expose_ports) {
1629 r = fw_add_local_dnat(false,
1640 log_warning_errno(r, "Failed to modify firewall: %m");
1643 *exposed = IN_ADDR_NULL;
1647 static int expose_ports(sd_rtnl *rtnl, union in_addr_union *exposed) {
1648 _cleanup_free_ struct local_address *addresses = NULL;
1649 _cleanup_free_ char *pretty = NULL;
1650 union in_addr_union new_exposed;
1653 int af = AF_INET, r;
1657 /* Invoked each time an address is added or removed inside the
1660 if (!arg_expose_ports)
1663 r = local_addresses(rtnl, 0, af, &addresses);
1665 return log_error_errno(r, "Failed to enumerate local addresses: %m");
1668 addresses[0].family == af &&
1669 addresses[0].scope < RT_SCOPE_LINK;
1672 return flush_ports(exposed);
1674 new_exposed = addresses[0].address;
1675 if (in_addr_equal(af, exposed, &new_exposed))
1678 in_addr_to_string(af, &new_exposed, &pretty);
1679 log_debug("New container IP is %s.", strna(pretty));
1681 LIST_FOREACH(ports, p, arg_expose_ports) {
1683 r = fw_add_local_dnat(true,
1692 in_addr_is_null(af, exposed) ? NULL : exposed);
1694 log_warning_errno(r, "Failed to modify firewall: %m");
1697 *exposed = new_exposed;
1701 static int on_address_change(sd_rtnl *rtnl, sd_rtnl_message *m, void *userdata) {
1702 union in_addr_union *exposed = userdata;
1708 expose_ports(rtnl, exposed);
1712 static int watch_rtnl(sd_event *event, int recv_fd, union in_addr_union *exposed, sd_rtnl **ret) {
1714 struct cmsghdr cmsghdr;
1715 uint8_t buf[CMSG_SPACE(sizeof(int))];
1717 struct msghdr mh = {
1718 .msg_control = &control,
1719 .msg_controllen = sizeof(control),
1721 struct cmsghdr *cmsg;
1722 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1727 assert(recv_fd >= 0);
1730 if (!arg_expose_ports)
1733 k = recvmsg(recv_fd, &mh, MSG_NOSIGNAL);
1735 return log_error_errno(errno, "Failed to recv netlink fd: %m");
1737 cmsg = CMSG_FIRSTHDR(&mh);
1738 assert(cmsg->cmsg_level == SOL_SOCKET);
1739 assert(cmsg->cmsg_type == SCM_RIGHTS);
1740 assert(cmsg->cmsg_len == CMSG_LEN(sizeof(int)));
1741 memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
1743 r = sd_rtnl_open_fd(&rtnl, fd, 1, RTNLGRP_IPV4_IFADDR);
1746 return log_error_errno(r, "Failed to create rtnl object: %m");
1749 r = sd_rtnl_add_match(rtnl, RTM_NEWADDR, on_address_change, exposed);
1751 return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");
1753 r = sd_rtnl_add_match(rtnl, RTM_DELADDR, on_address_change, exposed);
1755 return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");
1757 r = sd_rtnl_attach_event(rtnl, event, 0);
1759 return log_error_errno(r, "Failed to add to even loop: %m");
1767 static int setup_hostname(void) {
1769 if (arg_share_system)
1772 if (sethostname_idempotent(arg_machine) < 0)
1778 static int setup_journal(const char *directory) {
1779 sd_id128_t machine_id, this_id;
1780 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1784 /* Don't link journals in ephemeral mode */
1788 p = strappend(directory, "/etc/machine-id");
1792 r = read_one_line_file(p, &b);
1793 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1796 return log_error_errno(r, "Failed to read machine ID from %s: %m", p);
1799 if (isempty(id) && arg_link_journal == LINK_AUTO)
1802 /* Verify validity */
1803 r = sd_id128_from_string(id, &machine_id);
1805 return log_error_errno(r, "Failed to parse machine ID from %s: %m", p);
1807 r = sd_id128_get_machine(&this_id);
1809 return log_error_errno(r, "Failed to retrieve machine ID: %m");
1811 if (sd_id128_equal(machine_id, this_id)) {
1812 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1813 "Host and machine ids are equal (%s): refusing to link journals", id);
1814 if (arg_link_journal == LINK_AUTO)
1819 if (arg_link_journal == LINK_NO)
1823 p = strappend("/var/log/journal/", id);
1824 q = strjoin(directory, "/var/log/journal/", id, NULL);
1828 if (path_is_mount_point(p, false) > 0) {
1829 if (arg_link_journal != LINK_AUTO) {
1830 log_error("%s: already a mount point, refusing to use for journal", p);
1837 if (path_is_mount_point(q, false) > 0) {
1838 if (arg_link_journal != LINK_AUTO) {
1839 log_error("%s: already a mount point, refusing to use for journal", q);
1846 r = readlink_and_make_absolute(p, &d);
1848 if ((arg_link_journal == LINK_GUEST ||
1849 arg_link_journal == LINK_AUTO) &&
1852 r = mkdir_p(q, 0755);
1854 log_warning_errno(errno, "Failed to create directory %s: %m", q);
1859 return log_error_errno(errno, "Failed to remove symlink %s: %m", p);
1860 } else if (r == -EINVAL) {
1862 if (arg_link_journal == LINK_GUEST &&
1865 if (errno == ENOTDIR) {
1866 log_error("%s already exists and is neither a symlink nor a directory", p);
1869 log_error_errno(errno, "Failed to remove %s: %m", p);
1873 } else if (r != -ENOENT) {
1874 log_error_errno(errno, "readlink(%s) failed: %m", p);
1878 if (arg_link_journal == LINK_GUEST) {
1880 if (symlink(q, p) < 0) {
1881 if (arg_link_journal_try) {
1882 log_debug_errno(errno, "Failed to symlink %s to %s, skipping journal setup: %m", q, p);
1885 log_error_errno(errno, "Failed to symlink %s to %s: %m", q, p);
1890 r = mkdir_p(q, 0755);
1892 log_warning_errno(errno, "Failed to create directory %s: %m", q);
1896 if (arg_link_journal == LINK_HOST) {
1897 /* don't create parents here -- if the host doesn't have
1898 * permanent journal set up, don't force it here */
1901 if (arg_link_journal_try) {
1902 log_debug_errno(errno, "Failed to create %s, skipping journal setup: %m", p);
1905 log_error_errno(errno, "Failed to create %s: %m", p);
1910 } else if (access(p, F_OK) < 0)
1913 if (dir_is_empty(q) == 0)
1914 log_warning("%s is not empty, proceeding anyway.", q);
1916 r = mkdir_p(q, 0755);
1918 log_error_errno(errno, "Failed to create %s: %m", q);
1922 if (mount(p, q, "bind", MS_BIND, NULL) < 0)
1923 return log_error_errno(errno, "Failed to bind mount journal from host into guest: %m");
1928 static int drop_capabilities(void) {
1929 return capability_bounding_set_drop(~arg_retain, false);
1932 static int register_machine(pid_t pid, int local_ifindex) {
1933 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1934 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1940 r = sd_bus_default_system(&bus);
1942 return log_error_errno(r, "Failed to open system bus: %m");
1944 if (arg_keep_unit) {
1945 r = sd_bus_call_method(
1947 "org.freedesktop.machine1",
1948 "/org/freedesktop/machine1",
1949 "org.freedesktop.machine1.Manager",
1950 "RegisterMachineWithNetwork",
1955 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1959 strempty(arg_directory),
1960 local_ifindex > 0 ? 1 : 0, local_ifindex);
1962 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1965 r = sd_bus_message_new_method_call(
1968 "org.freedesktop.machine1",
1969 "/org/freedesktop/machine1",
1970 "org.freedesktop.machine1.Manager",
1971 "CreateMachineWithNetwork");
1973 return bus_log_create_error(r);
1975 r = sd_bus_message_append(
1979 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1983 strempty(arg_directory),
1984 local_ifindex > 0 ? 1 : 0, local_ifindex);
1986 return bus_log_create_error(r);
1988 r = sd_bus_message_open_container(m, 'a', "(sv)");
1990 return bus_log_create_error(r);
1992 if (!isempty(arg_slice)) {
1993 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
1995 return bus_log_create_error(r);
1998 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
2000 return bus_log_create_error(r);
2002 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9,
2003 /* Allow the container to
2004 * access and create the API
2005 * device nodes, so that
2006 * PrivateDevices= in the
2007 * container can work
2012 "/dev/random", "rwm",
2013 "/dev/urandom", "rwm",
2015 "/dev/net/tun", "rwm",
2016 /* Allow the container
2017 * access to ptys. However,
2019 * container to ever create
2020 * these device nodes. */
2021 "/dev/pts/ptmx", "rw",
2024 return log_error_errno(r, "Failed to add device whitelist: %m");
2026 STRV_FOREACH(i, arg_property) {
2027 r = sd_bus_message_open_container(m, 'r', "sv");
2029 return bus_log_create_error(r);
2031 r = bus_append_unit_property_assignment(m, *i);
2035 r = sd_bus_message_close_container(m);
2037 return bus_log_create_error(r);
2040 r = sd_bus_message_close_container(m);
2042 return bus_log_create_error(r);
2044 r = sd_bus_call(bus, m, 0, &error, NULL);
2048 log_error("Failed to register machine: %s", bus_error_message(&error, r));
2055 static int terminate_machine(pid_t pid) {
2056 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
2057 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
2058 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
2065 r = sd_bus_default_system(&bus);
2067 return log_error_errno(r, "Failed to open system bus: %m");
2069 r = sd_bus_call_method(
2071 "org.freedesktop.machine1",
2072 "/org/freedesktop/machine1",
2073 "org.freedesktop.machine1.Manager",
2080 /* Note that the machine might already have been
2081 * cleaned up automatically, hence don't consider it a
2082 * failure if we cannot get the machine object. */
2083 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
2087 r = sd_bus_message_read(reply, "o", &path);
2089 return bus_log_parse_error(r);
2091 r = sd_bus_call_method(
2093 "org.freedesktop.machine1",
2095 "org.freedesktop.machine1.Machine",
2101 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
2108 static int reset_audit_loginuid(void) {
2109 _cleanup_free_ char *p = NULL;
2112 if (arg_share_system)
2115 r = read_one_line_file("/proc/self/loginuid", &p);
2119 return log_error_errno(r, "Failed to read /proc/self/loginuid: %m");
2121 /* Already reset? */
2122 if (streq(p, "4294967295"))
2125 r = write_string_file("/proc/self/loginuid", "4294967295");
2127 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
2128 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2129 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2130 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2131 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
2139 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
2140 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
2141 #define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
2143 static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key, uint64_t idx) {
2149 l = strlen(arg_machine);
2150 sz = sizeof(sd_id128_t) + l;
2156 /* fetch some persistent data unique to the host */
2157 r = sd_id128_get_machine((sd_id128_t*) v);
2161 /* combine with some data unique (on this host) to this
2162 * container instance */
2163 i = mempcpy(v + sizeof(sd_id128_t), arg_machine, l);
2166 memcpy(i, &idx, sizeof(idx));
2169 /* Let's hash the host machine ID plus the container name. We
2170 * use a fixed, but originally randomly created hash key here. */
2171 siphash24(result, v, sz, hash_key.bytes);
2173 assert_cc(ETH_ALEN <= sizeof(result));
2174 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
2176 /* see eth_random_addr in the kernel */
2177 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
2178 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
2183 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
2184 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2185 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2186 struct ether_addr mac_host, mac_container;
2189 if (!arg_private_network)
2192 if (!arg_network_veth)
2195 /* Use two different interface name prefixes depending whether
2196 * we are in bridge mode or not. */
2197 snprintf(iface_name, IFNAMSIZ - 1, "%s-%s",
2198 arg_network_bridge ? "vb" : "ve", arg_machine);
2200 r = generate_mac(&mac_container, CONTAINER_HASH_KEY, 0);
2202 return log_error_errno(r, "Failed to generate predictable MAC address for container side: %m");
2204 r = generate_mac(&mac_host, HOST_HASH_KEY, 0);
2206 return log_error_errno(r, "Failed to generate predictable MAC address for host side: %m");
2208 r = sd_rtnl_open(&rtnl, 0);
2210 return log_error_errno(r, "Failed to connect to netlink: %m");
2212 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
2214 return log_error_errno(r, "Failed to allocate netlink message: %m");
2216 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
2218 return log_error_errno(r, "Failed to add netlink interface name: %m");
2220 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_host);
2222 return log_error_errno(r, "Failed to add netlink MAC address: %m");
2224 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
2226 return log_error_errno(r, "Failed to open netlink container: %m");
2228 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
2230 return log_error_errno(r, "Failed to open netlink container: %m");
2232 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
2234 return log_error_errno(r, "Failed to open netlink container: %m");
2236 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
2238 return log_error_errno(r, "Failed to add netlink interface name: %m");
2240 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_container);
2242 return log_error_errno(r, "Failed to add netlink MAC address: %m");
2244 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2246 return log_error_errno(r, "Failed to add netlink namespace field: %m");
2248 r = sd_rtnl_message_close_container(m);
2250 return log_error_errno(r, "Failed to close netlink container: %m");
2252 r = sd_rtnl_message_close_container(m);
2254 return log_error_errno(r, "Failed to close netlink container: %m");
2256 r = sd_rtnl_message_close_container(m);
2258 return log_error_errno(r, "Failed to close netlink container: %m");
2260 r = sd_rtnl_call(rtnl, m, 0, NULL);
2262 return log_error_errno(r, "Failed to add new veth interfaces: %m");
2264 i = (int) if_nametoindex(iface_name);
2266 return log_error_errno(errno, "Failed to resolve interface %s: %m", iface_name);
2273 static int setup_bridge(const char veth_name[], int *ifi) {
2274 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2275 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2278 if (!arg_private_network)
2281 if (!arg_network_veth)
2284 if (!arg_network_bridge)
2287 bridge = (int) if_nametoindex(arg_network_bridge);
2289 return log_error_errno(errno, "Failed to resolve interface %s: %m", arg_network_bridge);
2293 r = sd_rtnl_open(&rtnl, 0);
2295 return log_error_errno(r, "Failed to connect to netlink: %m");
2297 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
2299 return log_error_errno(r, "Failed to allocate netlink message: %m");
2301 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
2303 return log_error_errno(r, "Failed to set IFF_UP flag: %m");
2305 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
2307 return log_error_errno(r, "Failed to add netlink interface name field: %m");
2309 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
2311 return log_error_errno(r, "Failed to add netlink master field: %m");
2313 r = sd_rtnl_call(rtnl, m, 0, NULL);
2315 return log_error_errno(r, "Failed to add veth interface to bridge: %m");
2320 static int parse_interface(struct udev *udev, const char *name) {
2321 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2322 char ifi_str[2 + DECIMAL_STR_MAX(int)];
2325 ifi = (int) if_nametoindex(name);
2327 return log_error_errno(errno, "Failed to resolve interface %s: %m", name);
2329 sprintf(ifi_str, "n%i", ifi);
2330 d = udev_device_new_from_device_id(udev, ifi_str);
2332 return log_error_errno(errno, "Failed to get udev device for interface %s: %m", name);
2334 if (udev_device_get_is_initialized(d) <= 0) {
2335 log_error("Network interface %s is not initialized yet.", name);
2342 static int move_network_interfaces(pid_t pid) {
2343 _cleanup_udev_unref_ struct udev *udev = NULL;
2344 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2348 if (!arg_private_network)
2351 if (strv_isempty(arg_network_interfaces))
2354 r = sd_rtnl_open(&rtnl, 0);
2356 return log_error_errno(r, "Failed to connect to netlink: %m");
2360 log_error("Failed to connect to udev.");
2364 STRV_FOREACH(i, arg_network_interfaces) {
2365 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2368 ifi = parse_interface(udev, *i);
2372 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, ifi);
2374 return log_error_errno(r, "Failed to allocate netlink message: %m");
2376 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2378 return log_error_errno(r, "Failed to append namespace PID to netlink message: %m");
2380 r = sd_rtnl_call(rtnl, m, 0, NULL);
2382 return log_error_errno(r, "Failed to move interface %s to namespace: %m", *i);
2388 static int setup_macvlan(pid_t pid) {
2389 _cleanup_udev_unref_ struct udev *udev = NULL;
2390 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2395 if (!arg_private_network)
2398 if (strv_isempty(arg_network_macvlan))
2401 r = sd_rtnl_open(&rtnl, 0);
2403 return log_error_errno(r, "Failed to connect to netlink: %m");
2407 log_error("Failed to connect to udev.");
2411 STRV_FOREACH(i, arg_network_macvlan) {
2412 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2413 _cleanup_free_ char *n = NULL;
2414 struct ether_addr mac;
2417 ifi = parse_interface(udev, *i);
2421 r = generate_mac(&mac, MACVLAN_HASH_KEY, idx++);
2423 return log_error_errno(r, "Failed to create MACVLAN MAC address: %m");
2425 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
2427 return log_error_errno(r, "Failed to allocate netlink message: %m");
2429 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
2431 return log_error_errno(r, "Failed to add netlink interface index: %m");
2433 n = strappend("mv-", *i);
2437 strshorten(n, IFNAMSIZ-1);
2439 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
2441 return log_error_errno(r, "Failed to add netlink interface name: %m");
2443 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac);
2445 return log_error_errno(r, "Failed to add netlink MAC address: %m");
2447 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2449 return log_error_errno(r, "Failed to add netlink namespace field: %m");
2451 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
2453 return log_error_errno(r, "Failed to open netlink container: %m");
2455 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
2457 return log_error_errno(r, "Failed to open netlink container: %m");
2459 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
2461 return log_error_errno(r, "Failed to append macvlan mode: %m");
2463 r = sd_rtnl_message_close_container(m);
2465 return log_error_errno(r, "Failed to close netlink container: %m");
2467 r = sd_rtnl_message_close_container(m);
2469 return log_error_errno(r, "Failed to close netlink container: %m");
2471 r = sd_rtnl_call(rtnl, m, 0, NULL);
2473 return log_error_errno(r, "Failed to add new macvlan interfaces: %m");
2479 static int setup_ipvlan(pid_t pid) {
2480 _cleanup_udev_unref_ struct udev *udev = NULL;
2481 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2485 if (!arg_private_network)
2488 if (strv_isempty(arg_network_ipvlan))
2491 r = sd_rtnl_open(&rtnl, 0);
2493 return log_error_errno(r, "Failed to connect to netlink: %m");
2497 log_error("Failed to connect to udev.");
2501 STRV_FOREACH(i, arg_network_ipvlan) {
2502 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2503 _cleanup_free_ char *n = NULL;
2506 ifi = parse_interface(udev, *i);
2510 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
2512 return log_error_errno(r, "Failed to allocate netlink message: %m");
2514 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
2516 return log_error_errno(r, "Failed to add netlink interface index: %m");
2518 n = strappend("iv-", *i);
2522 strshorten(n, IFNAMSIZ-1);
2524 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
2526 return log_error_errno(r, "Failed to add netlink interface name: %m");
2528 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2530 return log_error_errno(r, "Failed to add netlink namespace field: %m");
2532 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
2534 return log_error_errno(r, "Failed to open netlink container: %m");
2536 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "ipvlan");
2538 return log_error_errno(r, "Failed to open netlink container: %m");
2540 r = sd_rtnl_message_append_u16(m, IFLA_IPVLAN_MODE, IPVLAN_MODE_L2);
2542 return log_error_errno(r, "Failed to add ipvlan mode: %m");
2544 r = sd_rtnl_message_close_container(m);
2546 return log_error_errno(r, "Failed to close netlink container: %m");
2548 r = sd_rtnl_message_close_container(m);
2550 return log_error_errno(r, "Failed to close netlink container: %m");
2552 r = sd_rtnl_call(rtnl, m, 0, NULL);
2554 return log_error_errno(r, "Failed to add new ipvlan interfaces: %m");
2560 static int setup_seccomp(void) {
2563 static const int blacklist[] = {
2564 SCMP_SYS(kexec_load),
2565 SCMP_SYS(open_by_handle_at),
2572 static const int kmod_blacklist[] = {
2573 SCMP_SYS(init_module),
2574 SCMP_SYS(finit_module),
2575 SCMP_SYS(delete_module),
2578 scmp_filter_ctx seccomp;
2582 seccomp = seccomp_init(SCMP_ACT_ALLOW);
2586 r = seccomp_add_secondary_archs(seccomp);
2588 log_error_errno(r, "Failed to add secondary archs to seccomp filter: %m");
2592 for (i = 0; i < ELEMENTSOF(blacklist); i++) {
2593 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
2595 continue; /* unknown syscall */
2597 log_error_errno(r, "Failed to block syscall: %m");
2602 /* If the CAP_SYS_MODULE capability is not requested then
2603 * we'll block the kmod syscalls too */
2604 if (!(arg_retain & (1ULL << CAP_SYS_MODULE))) {
2605 for (i = 0; i < ELEMENTSOF(kmod_blacklist); i++) {
2606 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), kmod_blacklist[i], 0);
2608 continue; /* unknown syscall */
2610 log_error_errno(r, "Failed to block syscall: %m");
2617 Audit is broken in containers, much of the userspace audit
2618 hookup will fail if running inside a container. We don't
2619 care and just turn off creation of audit sockets.
2621 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
2622 with EAFNOSUPPORT which audit userspace uses as indication
2623 that audit is disabled in the kernel.
2626 r = seccomp_rule_add(
2628 SCMP_ACT_ERRNO(EAFNOSUPPORT),
2631 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
2632 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
2634 log_error_errno(r, "Failed to add audit seccomp rule: %m");
2638 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
2640 log_error_errno(r, "Failed to unset NO_NEW_PRIVS: %m");
2644 r = seccomp_load(seccomp);
2646 log_error_errno(r, "Failed to install seccomp audit filter: %m");
2649 seccomp_release(seccomp);
2657 static int setup_propagate(const char *root) {
2660 (void) mkdir_p("/run/systemd/nspawn/", 0755);
2661 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
2662 p = strjoina("/run/systemd/nspawn/propagate/", arg_machine);
2663 (void) mkdir_p(p, 0600);
2665 q = strjoina(root, "/run/systemd/nspawn/incoming");
2666 mkdir_parents(q, 0755);
2669 if (mount(p, q, NULL, MS_BIND, NULL) < 0)
2670 return log_error_errno(errno, "Failed to install propagation bind mount.");
2672 if (mount(NULL, q, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0)
2673 return log_error_errno(errno, "Failed to make propagation mount read-only");
2678 static int setup_image(char **device_path, int *loop_nr) {
2679 struct loop_info64 info = {
2680 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
2682 _cleanup_close_ int fd = -1, control = -1, loop = -1;
2683 _cleanup_free_ char* loopdev = NULL;
2687 assert(device_path);
2691 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2693 return log_error_errno(errno, "Failed to open %s: %m", arg_image);
2695 if (fstat(fd, &st) < 0)
2696 return log_error_errno(errno, "Failed to stat %s: %m", arg_image);
2698 if (S_ISBLK(st.st_mode)) {
2701 p = strdup(arg_image);
2715 if (!S_ISREG(st.st_mode)) {
2716 log_error_errno(errno, "%s is not a regular file or block device: %m", arg_image);
2720 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2722 return log_error_errno(errno, "Failed to open /dev/loop-control: %m");
2724 nr = ioctl(control, LOOP_CTL_GET_FREE);
2726 return log_error_errno(errno, "Failed to allocate loop device: %m");
2728 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
2731 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2733 return log_error_errno(errno, "Failed to open loop device %s: %m", loopdev);
2735 if (ioctl(loop, LOOP_SET_FD, fd) < 0)
2736 return log_error_errno(errno, "Failed to set loopback file descriptor on %s: %m", loopdev);
2739 info.lo_flags |= LO_FLAGS_READ_ONLY;
2741 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0)
2742 return log_error_errno(errno, "Failed to set loopback settings on %s: %m", loopdev);
2744 *device_path = loopdev;
2755 #define PARTITION_TABLE_BLURB \
2756 "Note that the disk image needs to either contain only a single MBR partition of\n" \
2757 "type 0x83 that is marked bootable, or a single GPT partition of type " \
2758 "0FC63DAF-8483-4772-8E79-3D69D8477DE4 or follow\n" \
2759 " http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n" \
2760 "to be bootable with systemd-nspawn."
2762 static int dissect_image(
2764 char **root_device, bool *root_device_rw,
2765 char **home_device, bool *home_device_rw,
2766 char **srv_device, bool *srv_device_rw,
2770 int home_nr = -1, srv_nr = -1;
2771 #ifdef GPT_ROOT_NATIVE
2774 #ifdef GPT_ROOT_SECONDARY
2775 int secondary_root_nr = -1;
2777 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL, *generic = NULL;
2778 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
2779 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2780 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2781 _cleanup_udev_unref_ struct udev *udev = NULL;
2782 struct udev_list_entry *first, *item;
2783 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true, generic_rw = true;
2784 bool is_gpt, is_mbr, multiple_generic = false;
2785 const char *pttype = NULL;
2792 assert(root_device);
2793 assert(home_device);
2798 b = blkid_new_probe();
2803 r = blkid_probe_set_device(b, fd, 0, 0);
2808 log_error_errno(errno, "Failed to set device on blkid probe: %m");
2812 blkid_probe_enable_partitions(b, 1);
2813 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
2816 r = blkid_do_safeprobe(b);
2817 if (r == -2 || r == 1) {
2818 log_error("Failed to identify any partition table on\n"
2820 PARTITION_TABLE_BLURB, arg_image);
2822 } else if (r != 0) {
2825 log_error_errno(errno, "Failed to probe: %m");
2829 blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
2831 is_gpt = streq_ptr(pttype, "gpt");
2832 is_mbr = streq_ptr(pttype, "dos");
2834 if (!is_gpt && !is_mbr) {
2835 log_error("No GPT or MBR partition table discovered on\n"
2837 PARTITION_TABLE_BLURB, arg_image);
2842 pl = blkid_probe_get_partitions(b);
2847 log_error("Failed to list partitions of %s", arg_image);
2855 if (fstat(fd, &st) < 0)
2856 return log_error_errno(errno, "Failed to stat block device: %m");
2858 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2866 log_error("Kernel partitions never appeared.");
2870 e = udev_enumerate_new(udev);
2874 r = udev_enumerate_add_match_parent(e, d);
2878 r = udev_enumerate_scan_devices(e);
2880 return log_error_errno(r, "Failed to scan for partition devices of %s: %m", arg_image);
2882 /* Count the partitions enumerated by the kernel */
2884 first = udev_enumerate_get_list_entry(e);
2885 udev_list_entry_foreach(item, first)
2888 /* Count the partitions enumerated by blkid */
2889 m = blkid_partlist_numof_partitions(pl);
2893 log_error("blkid and kernel partition list do not match.");
2899 /* The kernel has probed fewer partitions than
2900 * blkid? Maybe the kernel prober is still
2901 * running or it got EBUSY because udev
2902 * already opened the device. Let's reprobe
2903 * the device, which is a synchronous call
2904 * that waits until probing is complete. */
2906 for (j = 0; j < 20; j++) {
2908 r = ioctl(fd, BLKRRPART, 0);
2911 if (r >= 0 || r != -EBUSY)
2914 /* If something else has the device
2915 * open, such as an udev rule, the
2916 * ioctl will return EBUSY. Since
2917 * there's no way to wait until it
2918 * isn't busy anymore, let's just wait
2919 * a bit, and try again.
2921 * This is really something they
2922 * should fix in the kernel! */
2924 usleep(50 * USEC_PER_MSEC);
2928 return log_error_errno(r, "Failed to reread partition table: %m");
2931 e = udev_enumerate_unref(e);
2934 first = udev_enumerate_get_list_entry(e);
2935 udev_list_entry_foreach(item, first) {
2936 _cleanup_udev_device_unref_ struct udev_device *q;
2938 unsigned long long flags;
2944 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2949 log_error_errno(errno, "Failed to get partition device of %s: %m", arg_image);
2953 qn = udev_device_get_devnum(q);
2957 if (st.st_rdev == qn)
2960 node = udev_device_get_devnode(q);
2964 pp = blkid_partlist_devno_to_partition(pl, qn);
2968 flags = blkid_partition_get_flags(pp);
2970 nr = blkid_partition_get_partno(pp);
2978 if (flags & GPT_FLAG_NO_AUTO)
2981 stype = blkid_partition_get_type_string(pp);
2985 if (sd_id128_from_string(stype, &type_id) < 0)
2988 if (sd_id128_equal(type_id, GPT_HOME)) {
2990 if (home && nr >= home_nr)
2994 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2996 r = free_and_strdup(&home, node);
3000 } else if (sd_id128_equal(type_id, GPT_SRV)) {
3002 if (srv && nr >= srv_nr)
3006 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
3008 r = free_and_strdup(&srv, node);
3012 #ifdef GPT_ROOT_NATIVE
3013 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
3015 if (root && nr >= root_nr)
3019 root_rw = !(flags & GPT_FLAG_READ_ONLY);
3021 r = free_and_strdup(&root, node);
3026 #ifdef GPT_ROOT_SECONDARY
3027 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
3029 if (secondary_root && nr >= secondary_root_nr)
3032 secondary_root_nr = nr;
3033 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
3035 r = free_and_strdup(&secondary_root, node);
3040 else if (sd_id128_equal(type_id, GPT_LINUX_GENERIC)) {
3043 multiple_generic = true;
3045 generic_rw = !(flags & GPT_FLAG_READ_ONLY);
3047 r = free_and_strdup(&generic, node);
3053 } else if (is_mbr) {
3056 if (flags != 0x80) /* Bootable flag */
3059 type = blkid_partition_get_type(pp);
3060 if (type != 0x83) /* Linux partition */
3064 multiple_generic = true;
3068 r = free_and_strdup(&root, node);
3076 *root_device = root;
3079 *root_device_rw = root_rw;
3081 } else if (secondary_root) {
3082 *root_device = secondary_root;
3083 secondary_root = NULL;
3085 *root_device_rw = secondary_root_rw;
3087 } else if (generic) {
3089 /* There were no partitions with precise meanings
3090 * around, but we found generic partitions. In this
3091 * case, if there's only one, we can go ahead and boot
3092 * it, otherwise we bail out, because we really cannot
3093 * make any sense of it. */
3095 if (multiple_generic) {
3096 log_error("Identified multiple bootable Linux partitions on\n"
3098 PARTITION_TABLE_BLURB, arg_image);
3102 *root_device = generic;
3105 *root_device_rw = generic_rw;
3108 log_error("Failed to identify root partition in disk image\n"
3110 PARTITION_TABLE_BLURB, arg_image);
3115 *home_device = home;
3118 *home_device_rw = home_rw;
3125 *srv_device_rw = srv_rw;
3130 log_error("--image= is not supported, compiled without blkid support.");
3135 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
3137 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
3138 const char *fstype, *p;
3148 p = strjoina(where, directory);
3153 b = blkid_new_probe_from_filename(what);
3157 log_error_errno(errno, "Failed to allocate prober for %s: %m", what);
3161 blkid_probe_enable_superblocks(b, 1);
3162 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
3165 r = blkid_do_safeprobe(b);
3166 if (r == -1 || r == 1) {
3167 log_error("Cannot determine file system type of %s", what);
3169 } else if (r != 0) {
3172 log_error_errno(errno, "Failed to probe %s: %m", what);
3177 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
3180 log_error("Failed to determine file system type of %s", what);
3184 if (streq(fstype, "crypto_LUKS")) {
3185 log_error("nspawn currently does not support LUKS disk images.");
3189 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0)
3190 return log_error_errno(errno, "Failed to mount %s: %m", what);
3194 log_error("--image= is not supported, compiled without blkid support.");
3199 static int mount_devices(
3201 const char *root_device, bool root_device_rw,
3202 const char *home_device, bool home_device_rw,
3203 const char *srv_device, bool srv_device_rw) {
3209 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
3211 return log_error_errno(r, "Failed to mount root directory: %m");
3215 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
3217 return log_error_errno(r, "Failed to mount home directory: %m");
3221 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
3223 return log_error_errno(r, "Failed to mount server data directory: %m");
3229 static void loop_remove(int nr, int *image_fd) {
3230 _cleanup_close_ int control = -1;
3236 if (image_fd && *image_fd >= 0) {
3237 r = ioctl(*image_fd, LOOP_CLR_FD);
3239 log_debug_errno(errno, "Failed to close loop image: %m");
3240 *image_fd = safe_close(*image_fd);
3243 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
3245 log_warning_errno(errno, "Failed to open /dev/loop-control: %m");
3249 r = ioctl(control, LOOP_CTL_REMOVE, nr);
3251 log_debug_errno(errno, "Failed to remove loop %d: %m", nr);
3254 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
3262 if (pipe2(pipe_fds, O_CLOEXEC) < 0)
3263 return log_error_errno(errno, "Failed to allocate pipe: %m");
3267 return log_error_errno(errno, "Failed to fork getent child: %m");
3268 else if (pid == 0) {
3270 char *empty_env = NULL;
3272 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
3273 _exit(EXIT_FAILURE);
3275 if (pipe_fds[0] > 2)
3276 safe_close(pipe_fds[0]);
3277 if (pipe_fds[1] > 2)
3278 safe_close(pipe_fds[1]);
3280 nullfd = open("/dev/null", O_RDWR);
3282 _exit(EXIT_FAILURE);
3284 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
3285 _exit(EXIT_FAILURE);
3287 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
3288 _exit(EXIT_FAILURE);
3293 reset_all_signal_handlers();
3294 close_all_fds(NULL, 0);
3296 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
3297 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
3298 _exit(EXIT_FAILURE);
3301 pipe_fds[1] = safe_close(pipe_fds[1]);
3308 static int change_uid_gid(char **_home) {
3309 char line[LINE_MAX], *x, *u, *g, *h;
3310 const char *word, *state;
3311 _cleanup_free_ uid_t *uids = NULL;
3312 _cleanup_free_ char *home = NULL;
3313 _cleanup_fclose_ FILE *f = NULL;
3314 _cleanup_close_ int fd = -1;
3315 unsigned n_uids = 0;
3324 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
3325 /* Reset everything fully to 0, just in case */
3327 if (setgroups(0, NULL) < 0)
3328 return log_error_errno(errno, "setgroups() failed: %m");
3330 if (setresgid(0, 0, 0) < 0)
3331 return log_error_errno(errno, "setregid() failed: %m");
3333 if (setresuid(0, 0, 0) < 0)
3334 return log_error_errno(errno, "setreuid() failed: %m");
3340 /* First, get user credentials */
3341 fd = spawn_getent("passwd", arg_user, &pid);
3345 f = fdopen(fd, "r");
3350 if (!fgets(line, sizeof(line), f)) {
3353 log_error("Failed to resolve user %s.", arg_user);
3357 log_error_errno(errno, "Failed to read from getent: %m");
3363 wait_for_terminate_and_warn("getent passwd", pid, true);
3365 x = strchr(line, ':');
3367 log_error("/etc/passwd entry has invalid user field.");
3371 u = strchr(x+1, ':');
3373 log_error("/etc/passwd entry has invalid password field.");
3380 log_error("/etc/passwd entry has invalid UID field.");
3388 log_error("/etc/passwd entry has invalid GID field.");
3393 h = strchr(x+1, ':');
3395 log_error("/etc/passwd entry has invalid GECOS field.");
3402 log_error("/etc/passwd entry has invalid home directory field.");
3408 r = parse_uid(u, &uid);
3410 log_error("Failed to parse UID of user.");
3414 r = parse_gid(g, &gid);
3416 log_error("Failed to parse GID of user.");
3424 /* Second, get group memberships */
3425 fd = spawn_getent("initgroups", arg_user, &pid);
3430 f = fdopen(fd, "r");
3435 if (!fgets(line, sizeof(line), f)) {
3437 log_error("Failed to resolve user %s.", arg_user);
3441 log_error_errno(errno, "Failed to read from getent: %m");
3447 wait_for_terminate_and_warn("getent initgroups", pid, true);
3449 /* Skip over the username and subsequent separator whitespace */
3451 x += strcspn(x, WHITESPACE);
3452 x += strspn(x, WHITESPACE);
3454 FOREACH_WORD(word, l, x, state) {
3460 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
3463 r = parse_uid(c, &uids[n_uids++]);
3465 log_error("Failed to parse group data from getent.");
3470 r = mkdir_parents(home, 0775);
3472 return log_error_errno(r, "Failed to make home root directory: %m");
3474 r = mkdir_safe(home, 0755, uid, gid);
3475 if (r < 0 && r != -EEXIST)
3476 return log_error_errno(r, "Failed to make home directory: %m");
3478 fchown(STDIN_FILENO, uid, gid);
3479 fchown(STDOUT_FILENO, uid, gid);
3480 fchown(STDERR_FILENO, uid, gid);
3482 if (setgroups(n_uids, uids) < 0)
3483 return log_error_errno(errno, "Failed to set auxiliary groups: %m");
3485 if (setresgid(gid, gid, gid) < 0)
3486 return log_error_errno(errno, "setregid() failed: %m");
3488 if (setresuid(uid, uid, uid) < 0)
3489 return log_error_errno(errno, "setreuid() failed: %m");
3501 * < 0 : wait_for_terminate() failed to get the state of the
3502 * container, the container was terminated by a signal, or
3503 * failed for an unknown reason. No change is made to the
3504 * container argument.
3505 * > 0 : The program executed in the container terminated with an
3506 * error. The exit code of the program executed in the
3507 * container is returned. The container argument has been set
3508 * to CONTAINER_TERMINATED.
3509 * 0 : The container is being rebooted, has been shut down or exited
3510 * successfully. The container argument has been set to either
3511 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
3513 * That is, success is indicated by a return value of zero, and an
3514 * error is indicated by a non-zero value.
3516 static int wait_for_container(pid_t pid, ContainerStatus *container) {
3520 r = wait_for_terminate(pid, &status);
3522 return log_warning_errno(r, "Failed to wait for container: %m");
3524 switch (status.si_code) {
3527 if (status.si_status == 0) {
3528 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s exited successfully.", arg_machine);
3531 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s failed with error code %i.", arg_machine, status.si_status);
3533 *container = CONTAINER_TERMINATED;
3534 return status.si_status;
3537 if (status.si_status == SIGINT) {
3539 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s has been shut down.", arg_machine);
3540 *container = CONTAINER_TERMINATED;
3543 } else if (status.si_status == SIGHUP) {
3545 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s is being rebooted.", arg_machine);
3546 *container = CONTAINER_REBOOTED;
3550 /* CLD_KILLED fallthrough */
3553 log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
3557 log_error("Container %s failed due to unknown reason.", arg_machine);
3564 static void nop_handler(int sig) {}
3566 static int on_orderly_shutdown(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) {
3569 pid = PTR_TO_UINT32(userdata);
3571 if (kill(pid, SIGRTMIN+3) >= 0) {
3572 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
3573 sd_event_source_set_userdata(s, NULL);
3578 sd_event_exit(sd_event_source_get_event(s), 0);
3582 static int determine_names(void) {
3585 if (!arg_image && !arg_directory) {
3587 _cleanup_(image_unrefp) Image *i = NULL;
3589 r = image_find(arg_machine, &i);
3591 return log_error_errno(r, "Failed to find image for machine '%s': %m", arg_machine);
3593 log_error("No image for machine '%s': %m", arg_machine);
3597 if (i->type == IMAGE_RAW)
3598 r = set_sanitized_path(&arg_image, i->path);
3600 r = set_sanitized_path(&arg_directory, i->path);
3602 return log_error_errno(r, "Invalid image directory: %m");
3604 arg_read_only = arg_read_only || i->read_only;
3606 arg_directory = get_current_dir_name();
3608 if (!arg_directory && !arg_machine) {
3609 log_error("Failed to determine path, please use -D or -i.");
3615 if (arg_directory && path_equal(arg_directory, "/"))
3616 arg_machine = gethostname_malloc();
3618 arg_machine = strdup(basename(arg_image ?: arg_directory));
3623 hostname_cleanup(arg_machine, false);
3624 if (!machine_name_is_valid(arg_machine)) {
3625 log_error("Failed to determine machine name automatically, please use -M.");
3629 if (arg_ephemeral) {
3632 /* Add a random suffix when this is an
3633 * ephemeral machine, so that we can run many
3634 * instances at once without manually having
3635 * to specify -M each time. */
3637 if (asprintf(&b, "%s-%016" PRIx64, arg_machine, random_u64()) < 0)
3648 static int determine_uid_shift(void) {
3654 if (arg_uid_shift == UID_INVALID) {
3657 r = stat(arg_directory, &st);
3659 return log_error_errno(errno, "Failed to determine UID base of %s: %m", arg_directory);
3661 arg_uid_shift = st.st_uid & UINT32_C(0xffff0000);
3663 if (arg_uid_shift != (st.st_gid & UINT32_C(0xffff0000))) {
3664 log_error("UID and GID base of %s don't match.", arg_directory);
3668 arg_uid_range = UINT32_C(0x10000);
3671 if (arg_uid_shift > (uid_t) -1 - arg_uid_range) {
3672 log_error("UID base too high for UID range.");
3676 log_info("Using user namespaces with base " UID_FMT " and range " UID_FMT ".", arg_uid_shift, arg_uid_range);
3680 int main(int argc, char *argv[]) {
3682 _cleanup_free_ char *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL, *console = NULL;
3683 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
3684 _cleanup_close_ int master = -1, image_fd = -1;
3685 _cleanup_fdset_free_ FDSet *fds = NULL;
3686 int r, n_fd_passed, loop_nr = -1;
3687 char veth_name[IFNAMSIZ];
3688 bool secondary = false, remove_subvol = false;
3689 sigset_t mask, mask_chld;
3691 int ret = EXIT_SUCCESS;
3692 union in_addr_union exposed = {};
3693 _cleanup_release_lock_file_ LockFile tree_global_lock = LOCK_FILE_INIT, tree_local_lock = LOCK_FILE_INIT;
3696 log_parse_environment();
3699 r = parse_argv(argc, argv);
3703 r = determine_names();
3707 if (geteuid() != 0) {
3708 log_error("Need to be root.");
3713 if (sd_booted() <= 0) {
3714 log_error("Not running on a systemd system.");
3720 n_fd_passed = sd_listen_fds(false);
3721 if (n_fd_passed > 0) {
3722 r = fdset_new_listen_fds(&fds, false);
3724 log_error_errno(r, "Failed to collect file descriptors: %m");
3728 fdset_close_others(fds);
3731 if (arg_directory) {
3734 if (path_equal(arg_directory, "/") && !arg_ephemeral) {
3735 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
3740 if (arg_ephemeral) {
3743 /* If the specified path is a mount point we
3744 * generate the new snapshot immediately
3745 * inside it under a random name. However if
3746 * the specified is not a mount point we
3747 * create the new snapshot in the parent
3748 * directory, just next to it. */
3749 r = path_is_mount_point(arg_directory, false);
3751 log_error_errno(r, "Failed to determine whether directory %s is mount point: %m", arg_directory);
3755 r = tempfn_random_child(arg_directory, &np);
3757 r = tempfn_random(arg_directory, &np);
3759 log_error_errno(r, "Failed to generate name for snapshot: %m");
3763 r = image_path_lock(np, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
3765 log_error_errno(r, "Failed to lock %s: %m", np);
3769 r = btrfs_subvol_snapshot(arg_directory, np, arg_read_only, true);
3772 log_error_errno(r, "Failed to create snapshot %s from %s: %m", np, arg_directory);
3776 free(arg_directory);
3779 remove_subvol = true;
3782 r = image_path_lock(arg_directory, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
3784 log_error_errno(r, "Directory tree %s is currently busy.", arg_directory);
3788 log_error_errno(r, "Failed to lock %s: %m", arg_directory);
3793 r = btrfs_subvol_snapshot(arg_template, arg_directory, arg_read_only, true);
3796 log_info("Directory %s already exists, not populating from template %s.", arg_directory, arg_template);
3798 log_error_errno(r, "Couldn't create snapshot %s from %s: %m", arg_directory, arg_template);
3802 log_info("Populated %s from template %s.", arg_directory, arg_template);
3808 if (path_is_os_tree(arg_directory) <= 0) {
3809 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory);
3816 p = strjoina(arg_directory,
3817 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
3818 if (access(p, F_OK) < 0) {
3819 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
3826 char template[] = "/tmp/nspawn-root-XXXXXX";
3829 assert(!arg_template);
3831 r = image_path_lock(arg_image, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
3833 r = log_error_errno(r, "Disk image %s is currently busy.", arg_image);
3837 r = log_error_errno(r, "Failed to create image lock: %m");
3841 if (!mkdtemp(template)) {
3842 log_error_errno(errno, "Failed to create temporary directory: %m");
3847 arg_directory = strdup(template);
3848 if (!arg_directory) {
3853 image_fd = setup_image(&device_path, &loop_nr);
3859 r = dissect_image(image_fd,
3860 &root_device, &root_device_rw,
3861 &home_device, &home_device_rw,
3862 &srv_device, &srv_device_rw,
3868 r = determine_uid_shift();
3872 interactive = isatty(STDIN_FILENO) > 0 && isatty(STDOUT_FILENO) > 0;
3874 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
3876 r = log_error_errno(errno, "Failed to acquire pseudo tty: %m");
3880 r = ptsname_malloc(master, &console);
3882 r = log_error_errno(r, "Failed to determine tty name: %m");
3886 if (unlockpt(master) < 0) {
3887 r = log_error_errno(errno, "Failed to unlock tty: %m");
3892 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3893 arg_machine, arg_image ?: arg_directory);
3895 assert_se(sigemptyset(&mask) == 0);
3896 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
3897 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
3899 assert_se(sigemptyset(&mask_chld) == 0);
3900 assert_se(sigaddset(&mask_chld, SIGCHLD) == 0);
3903 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 }, rtnl_socket_pair[2] = { -1, -1 };
3904 ContainerStatus container_status;
3905 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
3906 struct sigaction sa = {
3907 .sa_handler = nop_handler,
3908 .sa_flags = SA_NOCLDSTOP,
3911 r = barrier_create(&barrier);
3913 log_error_errno(r, "Cannot initialize IPC barrier: %m");
3917 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
3918 r = log_error_errno(errno, "Failed to create kmsg socket pair: %m");
3922 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, rtnl_socket_pair) < 0) {
3923 r = log_error_errno(errno, "Failed to create rtnl socket pair: %m");
3927 /* Child can be killed before execv(), so handle SIGCHLD
3928 * in order to interrupt parent's blocking calls and
3929 * give it a chance to call wait() and terminate. */
3930 r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL);
3932 r = log_error_errno(errno, "Failed to change the signal mask: %m");
3936 r = sigaction(SIGCHLD, &sa, NULL);
3938 r = log_error_errno(errno, "Failed to install SIGCHLD handler: %m");
3942 pid = raw_clone(SIGCHLD|CLONE_NEWNS|
3943 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
3944 (arg_private_network ? CLONE_NEWNET : 0), NULL);
3946 if (errno == EINVAL)
3947 r = log_error_errno(errno, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3949 r = log_error_errno(errno, "clone() failed: %m");
3956 _cleanup_free_ char *home = NULL;
3958 const char *envp[] = {
3959 "PATH=" DEFAULT_PATH_SPLIT_USR,
3960 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
3965 NULL, /* container_uuid */
3966 NULL, /* LISTEN_FDS */
3967 NULL, /* LISTEN_PID */
3972 barrier_set_role(&barrier, BARRIER_CHILD);
3974 envp[n_env] = strv_find_prefix(environ, "TERM=");
3978 master = safe_close(master);
3980 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
3981 rtnl_socket_pair[0] = safe_close(rtnl_socket_pair[0]);
3983 reset_all_signal_handlers();
3984 reset_signal_mask();
3987 close_nointr(STDIN_FILENO);
3988 close_nointr(STDOUT_FILENO);
3989 close_nointr(STDERR_FILENO);
3991 r = open_terminal(console, O_RDWR);
3992 if (r != STDIN_FILENO) {
3998 log_error_errno(r, "Failed to open console: %m");
3999 _exit(EXIT_FAILURE);
4002 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
4003 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
4004 log_error_errno(errno, "Failed to duplicate console: %m");
4005 _exit(EXIT_FAILURE);
4010 log_error_errno(errno, "setsid() failed: %m");
4011 _exit(EXIT_FAILURE);
4014 if (reset_audit_loginuid() < 0)
4015 _exit(EXIT_FAILURE);
4017 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
4018 log_error_errno(errno, "PR_SET_PDEATHSIG failed: %m");
4019 _exit(EXIT_FAILURE);
4022 if (arg_private_network)
4025 /* Mark everything as slave, so that we still
4026 * receive mounts from the real root, but don't
4027 * propagate mounts to the real root. */
4028 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
4029 log_error_errno(errno, "MS_SLAVE|MS_REC failed: %m");
4030 _exit(EXIT_FAILURE);
4033 if (mount_devices(arg_directory,
4034 root_device, root_device_rw,
4035 home_device, home_device_rw,
4036 srv_device, srv_device_rw) < 0)
4037 _exit(EXIT_FAILURE);
4039 /* Turn directory into bind mount */
4040 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
4041 log_error_errno(errno, "Failed to make bind mount: %m");
4042 _exit(EXIT_FAILURE);
4045 r = setup_volatile(arg_directory);
4047 _exit(EXIT_FAILURE);
4049 if (setup_volatile_state(arg_directory) < 0)
4050 _exit(EXIT_FAILURE);
4052 r = base_filesystem_create(arg_directory);
4054 _exit(EXIT_FAILURE);
4056 if (arg_read_only) {
4057 r = bind_remount_recursive(arg_directory, true);
4059 log_error_errno(r, "Failed to make tree read-only: %m");
4060 _exit(EXIT_FAILURE);
4064 if (mount_all(arg_directory) < 0)
4065 _exit(EXIT_FAILURE);
4067 if (copy_devnodes(arg_directory) < 0)
4068 _exit(EXIT_FAILURE);
4070 if (setup_ptmx(arg_directory) < 0)
4071 _exit(EXIT_FAILURE);
4073 dev_setup(arg_directory);
4075 if (setup_propagate(arg_directory) < 0)
4076 _exit(EXIT_FAILURE);
4078 if (setup_seccomp() < 0)
4079 _exit(EXIT_FAILURE);
4081 if (setup_dev_console(arg_directory, console) < 0)
4082 _exit(EXIT_FAILURE);
4084 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
4085 _exit(EXIT_FAILURE);
4086 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
4088 if (send_rtnl(rtnl_socket_pair[1]) < 0)
4089 _exit(EXIT_FAILURE);
4090 rtnl_socket_pair[1] = safe_close(rtnl_socket_pair[1]);
4092 /* Tell the parent that we are ready, and that
4093 * it can cgroupify us to that we lack access
4094 * to certain devices and resources. */
4095 (void) barrier_place(&barrier); /* #1 */
4097 if (setup_boot_id(arg_directory) < 0)
4098 _exit(EXIT_FAILURE);
4100 if (setup_timezone(arg_directory) < 0)
4101 _exit(EXIT_FAILURE);
4103 if (setup_resolv_conf(arg_directory) < 0)
4104 _exit(EXIT_FAILURE);
4106 if (setup_journal(arg_directory) < 0)
4107 _exit(EXIT_FAILURE);
4109 if (mount_binds(arg_directory, arg_bind, false) < 0)
4110 _exit(EXIT_FAILURE);
4112 if (mount_binds(arg_directory, arg_bind_ro, true) < 0)
4113 _exit(EXIT_FAILURE);
4115 if (mount_tmpfs(arg_directory) < 0)
4116 _exit(EXIT_FAILURE);
4118 /* Wait until we are cgroup-ified, so that we
4119 * can mount the right cgroup path writable */
4120 (void) barrier_place_and_sync(&barrier); /* #2 */
4122 if (mount_cgroup(arg_directory) < 0)
4123 _exit(EXIT_FAILURE);
4125 if (chdir(arg_directory) < 0) {
4126 log_error_errno(errno, "chdir(%s) failed: %m", arg_directory);
4127 _exit(EXIT_FAILURE);
4130 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
4131 log_error_errno(errno, "mount(MS_MOVE) failed: %m");
4132 _exit(EXIT_FAILURE);
4135 if (chroot(".") < 0) {
4136 log_error_errno(errno, "chroot() failed: %m");
4137 _exit(EXIT_FAILURE);
4140 if (chdir("/") < 0) {
4141 log_error_errno(errno, "chdir() failed: %m");
4142 _exit(EXIT_FAILURE);
4146 if (unshare(CLONE_NEWUSER) < 0) {
4147 log_error_errno(errno, "unshare(CLONE_NEWUSER) failed: %m");
4148 _exit(EXIT_FAILURE);
4151 /* Tell the parent, that it now can
4152 * write the UID map. */
4153 (void) barrier_place(&barrier); /* #3 */
4155 /* Wait until the parent wrote the UID
4157 (void) barrier_place_and_sync(&barrier); /* #4 */
4162 if (drop_capabilities() < 0) {
4163 log_error_errno(errno, "drop_capabilities() failed: %m");
4164 _exit(EXIT_FAILURE);
4169 if (arg_personality != 0xffffffffLU) {
4170 if (personality(arg_personality) < 0) {
4171 log_error_errno(errno, "personality() failed: %m");
4172 _exit(EXIT_FAILURE);
4174 } else if (secondary) {
4175 if (personality(PER_LINUX32) < 0) {
4176 log_error_errno(errno, "personality() failed: %m");
4177 _exit(EXIT_FAILURE);
4182 if (arg_selinux_context)
4183 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
4184 log_error_errno(errno, "setexeccon(\"%s\") failed: %m", arg_selinux_context);
4185 _exit(EXIT_FAILURE);
4189 r = change_uid_gid(&home);
4191 _exit(EXIT_FAILURE);
4193 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
4194 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
4195 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
4197 _exit(EXIT_FAILURE);
4200 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
4203 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
4205 _exit(EXIT_FAILURE);
4209 if (fdset_size(fds) > 0) {
4210 r = fdset_cloexec(fds, false);
4212 log_error_errno(r, "Failed to unset O_CLOEXEC for file descriptors.");
4213 _exit(EXIT_FAILURE);
4216 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
4217 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
4219 _exit(EXIT_FAILURE);
4223 if (!strv_isempty(arg_setenv)) {
4226 n = strv_env_merge(2, envp, arg_setenv);
4229 _exit(EXIT_FAILURE);
4234 env_use = (char**) envp;
4236 /* Let the parent know that we are ready and
4237 * wait until the parent is ready with the
4239 (void) barrier_place_and_sync(&barrier); /* #5 */
4245 /* Automatically search for the init system */
4247 l = 1 + argc - optind;
4248 a = newa(char*, l + 1);
4249 memcpy(a + 1, argv + optind, l * sizeof(char*));
4251 a[0] = (char*) "/usr/lib/systemd/systemd";
4252 execve(a[0], a, env_use);
4254 a[0] = (char*) "/lib/systemd/systemd";
4255 execve(a[0], a, env_use);
4257 a[0] = (char*) "/sbin/init";
4258 execve(a[0], a, env_use);
4259 } else if (argc > optind)
4260 execvpe(argv[optind], argv + optind, env_use);
4262 chdir(home ? home : "/root");
4263 execle("/bin/bash", "-bash", NULL, env_use);
4264 execle("/bin/sh", "-sh", NULL, env_use);
4267 log_error_errno(errno, "execv() failed: %m");
4268 _exit(EXIT_FAILURE);
4271 barrier_set_role(&barrier, BARRIER_PARENT);
4275 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
4276 rtnl_socket_pair[1] = safe_close(rtnl_socket_pair[1]);
4278 (void) barrier_place(&barrier); /* #1 */
4280 /* Wait for the most basic Child-setup to be done,
4281 * before we add hardware to it, and place it in a
4283 if (barrier_sync(&barrier)) { /* #1 */
4286 r = move_network_interfaces(pid);
4290 r = setup_veth(pid, veth_name, &ifi);
4294 r = setup_bridge(veth_name, &ifi);
4298 r = setup_macvlan(pid);
4302 r = setup_ipvlan(pid);
4306 r = register_machine(pid, ifi);
4310 /* Notify the child that the parent is ready with all
4311 * its setup, and that the child can now hand over
4312 * control to the code to run inside the container. */
4313 (void) barrier_place(&barrier); /* #2 */
4316 char uid_map[strlen("/proc//uid_map") + DECIMAL_STR_MAX(uid_t) + 1], line[DECIMAL_STR_MAX(uid_t)*3+3+1];
4318 (void) barrier_place_and_sync(&barrier); /* #3 */
4320 xsprintf(uid_map, "/proc/" PID_FMT "/uid_map", pid);
4321 xsprintf(line, UID_FMT " " UID_FMT " " UID_FMT "\n", 0, arg_uid_shift, arg_uid_range);
4322 r = write_string_file(uid_map, line);
4324 log_error_errno(r, "Failed to write UID map: %m");
4328 /* We always assign the same UID and GID ranges */
4329 xsprintf(uid_map, "/proc/" PID_FMT "/gid_map", pid);
4330 r = write_string_file(uid_map, line);
4332 log_error_errno(r, "Failed to write GID map: %m");
4336 (void) barrier_place(&barrier); /* #4 */
4339 /* Block SIGCHLD here, before notifying child.
4340 * process_pty() will handle it with the other signals. */
4341 r = sigprocmask(SIG_BLOCK, &mask_chld, NULL);
4345 /* Reset signal to default */
4346 r = default_signals(SIGCHLD, -1);
4350 /* Let the child know that we are ready and wait that the child is completely ready now. */
4351 if (barrier_place_and_sync(&barrier)) { /* #5 */
4352 _cleanup_event_unref_ sd_event *event = NULL;
4353 _cleanup_(pty_forward_freep) PTYForward *forward = NULL;
4354 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
4359 "STATUS=Container running.\n"
4360 "X_NSPAWN_LEADER_PID=" PID_FMT, pid);
4362 r = sd_event_new(&event);
4364 log_error_errno(r, "Failed to get default event source: %m");
4369 /* Try to kill the init system on SIGINT or SIGTERM */
4370 sd_event_add_signal(event, NULL, SIGINT, on_orderly_shutdown, UINT32_TO_PTR(pid));
4371 sd_event_add_signal(event, NULL, SIGTERM, on_orderly_shutdown, UINT32_TO_PTR(pid));
4373 /* Immediately exit */
4374 sd_event_add_signal(event, NULL, SIGINT, NULL, NULL);
4375 sd_event_add_signal(event, NULL, SIGTERM, NULL, NULL);
4378 /* simply exit on sigchld */
4379 sd_event_add_signal(event, NULL, SIGCHLD, NULL, NULL);
4381 if (arg_expose_ports) {
4382 r = watch_rtnl(event, rtnl_socket_pair[0], &exposed, &rtnl);
4386 (void) expose_ports(rtnl, &exposed);
4389 rtnl_socket_pair[0] = safe_close(rtnl_socket_pair[0]);
4391 r = pty_forward_new(event, master, true, !interactive, &forward);
4393 log_error_errno(r, "Failed to create PTY forwarder: %m");
4397 r = sd_event_loop(event);
4399 log_error_errno(r, "Failed to run event loop: %m");
4403 pty_forward_get_last_char(forward, &last_char);
4405 forward = pty_forward_free(forward);
4407 if (!arg_quiet && last_char != '\n')
4410 /* Kill if it is not dead yet anyway */
4411 terminate_machine(pid);
4415 /* Normally redundant, but better safe than sorry */
4418 r = wait_for_container(pid, &container_status);
4422 /* We failed to wait for the container, or the
4423 * container exited abnormally */
4425 else if (r > 0 || container_status == CONTAINER_TERMINATED){
4426 /* The container exited with a non-zero
4427 * status, or with zero status and no reboot
4433 /* CONTAINER_REBOOTED, loop again */
4435 if (arg_keep_unit) {
4436 /* Special handling if we are running as a
4437 * service: instead of simply restarting the
4438 * machine we want to restart the entire
4439 * service, so let's inform systemd about this
4440 * with the special exit code 133. The service
4441 * file uses RestartForceExitStatus=133 so
4442 * that this results in a full nspawn
4443 * restart. This is necessary since we might
4444 * have cgroup parameters set we want to have
4451 flush_ports(&exposed);
4457 "STATUS=Terminating...");
4459 loop_remove(loop_nr, &image_fd);
4464 if (remove_subvol && arg_directory) {
4467 k = btrfs_subvol_remove(arg_directory);
4469 log_warning_errno(k, "Cannot remove subvolume '%s', ignoring: %m", arg_directory);
4475 p = strjoina("/run/systemd/nspawn/propagate/", arg_machine);
4476 (void) rm_rf(p, false, true, false);
4479 free(arg_directory);
4484 strv_free(arg_setenv);
4485 strv_free(arg_network_interfaces);
4486 strv_free(arg_network_macvlan);
4487 strv_free(arg_network_ipvlan);
4488 strv_free(arg_bind);
4489 strv_free(arg_bind_ro);
4490 strv_free(arg_tmpfs);
4492 flush_ports(&exposed);
4494 while (arg_expose_ports) {
4495 ExposePort *p = arg_expose_ports;
4496 LIST_REMOVE(ports, arg_expose_ports, p);
4500 return r < 0 ? EXIT_FAILURE : ret;
~ianmdlvl / elogind.git / blob