1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
37 #include <sys/signalfd.h>
41 #include <sys/socket.h>
42 #include <linux/netlink.h>
44 #include <linux/veth.h>
45 #include <sys/personality.h>
46 #include <linux/loop.h>
49 #include <selinux/selinux.h>
57 #include <blkid/blkid.h>
60 #include "sd-daemon.h"
70 #include "cgroup-util.h"
72 #include "path-util.h"
73 #include "loopback-setup.h"
74 #include "dev-setup.h"
79 #include "bus-error.h"
81 #include "bus-kernel.h"
84 #include "rtnl-util.h"
85 #include "udev-util.h"
86 #include "blkid-util.h"
88 #include "siphash24.h"
90 #include "base-filesystem.h"
92 #include "event-util.h"
94 #include "btrfs-util.h"
97 #include "seccomp-util.h"
100 typedef enum ContainerStatus {
101 CONTAINER_TERMINATED,
105 typedef enum LinkJournal {
112 typedef enum Volatile {
118 static char *arg_directory = NULL;
119 static char *arg_template = NULL;
120 static char *arg_user = NULL;
121 static sd_id128_t arg_uuid = {};
122 static char *arg_machine = NULL;
123 static const char *arg_selinux_context = NULL;
124 static const char *arg_selinux_apifs_context = NULL;
125 static const char *arg_slice = NULL;
126 static bool arg_private_network = false;
127 static bool arg_read_only = false;
128 static bool arg_boot = false;
129 static bool arg_ephemeral = false;
130 static LinkJournal arg_link_journal = LINK_AUTO;
131 static bool arg_link_journal_try = false;
132 static uint64_t arg_retain =
133 (1ULL << CAP_CHOWN) |
134 (1ULL << CAP_DAC_OVERRIDE) |
135 (1ULL << CAP_DAC_READ_SEARCH) |
136 (1ULL << CAP_FOWNER) |
137 (1ULL << CAP_FSETID) |
138 (1ULL << CAP_IPC_OWNER) |
140 (1ULL << CAP_LEASE) |
141 (1ULL << CAP_LINUX_IMMUTABLE) |
142 (1ULL << CAP_NET_BIND_SERVICE) |
143 (1ULL << CAP_NET_BROADCAST) |
144 (1ULL << CAP_NET_RAW) |
145 (1ULL << CAP_SETGID) |
146 (1ULL << CAP_SETFCAP) |
147 (1ULL << CAP_SETPCAP) |
148 (1ULL << CAP_SETUID) |
149 (1ULL << CAP_SYS_ADMIN) |
150 (1ULL << CAP_SYS_CHROOT) |
151 (1ULL << CAP_SYS_NICE) |
152 (1ULL << CAP_SYS_PTRACE) |
153 (1ULL << CAP_SYS_TTY_CONFIG) |
154 (1ULL << CAP_SYS_RESOURCE) |
155 (1ULL << CAP_SYS_BOOT) |
156 (1ULL << CAP_AUDIT_WRITE) |
157 (1ULL << CAP_AUDIT_CONTROL) |
159 static char **arg_bind = NULL;
160 static char **arg_bind_ro = NULL;
161 static char **arg_tmpfs = NULL;
162 static char **arg_setenv = NULL;
163 static bool arg_quiet = false;
164 static bool arg_share_system = false;
165 static bool arg_register = true;
166 static bool arg_keep_unit = false;
167 static char **arg_network_interfaces = NULL;
168 static char **arg_network_macvlan = NULL;
169 static bool arg_network_veth = false;
170 static const char *arg_network_bridge = NULL;
171 static unsigned long arg_personality = 0xffffffffLU;
172 static char *arg_image = NULL;
173 static Volatile arg_volatile = VOLATILE_NO;
175 static void help(void) {
176 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
177 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
178 " -h --help Show this help\n"
179 " --version Print version string\n"
180 " -q --quiet Do not show status information\n"
181 " -D --directory=PATH Root directory for the container\n"
182 " --template=PATH Initialize root directory from template directory,\n"
184 " -x --ephemeral Run container with snapshot of root directory, and\n"
185 " remove it after exit\n"
186 " -i --image=PATH File system device or disk image for the container\n"
187 " -b --boot Boot up full system (i.e. invoke init)\n"
188 " -u --user=USER Run the command under specified user or uid\n"
189 " -M --machine=NAME Set the machine name for the container\n"
190 " --uuid=UUID Set a specific machine UUID for the container\n"
191 " -S --slice=SLICE Place the container in the specified slice\n"
192 " --private-network Disable network in container\n"
193 " --network-interface=INTERFACE\n"
194 " Assign an existing network interface to the\n"
196 " --network-macvlan=INTERFACE\n"
197 " Create a macvlan network interface based on an\n"
198 " existing network interface to the container\n"
199 " --network-veth Add a virtual ethernet connection between host\n"
201 " --network-bridge=INTERFACE\n"
202 " Add a virtual ethernet connection between host\n"
203 " and container and add it to an existing bridge on\n"
205 " -Z --selinux-context=SECLABEL\n"
206 " Set the SELinux security context to be used by\n"
207 " processes in the container\n"
208 " -L --selinux-apifs-context=SECLABEL\n"
209 " Set the SELinux security context to be used by\n"
210 " API/tmpfs file systems in the container\n"
211 " --capability=CAP In addition to the default, retain specified\n"
213 " --drop-capability=CAP Drop the specified capability from the default set\n"
214 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host,\n"
215 " try-guest, try-host\n"
216 " -j Equivalent to --link-journal=try-guest\n"
217 " --read-only Mount the root directory read-only\n"
218 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
220 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
221 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
222 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
223 " --share-system Share system namespaces with host\n"
224 " --register=BOOLEAN Register container as machine\n"
225 " --keep-unit Do not register a scope for the machine, reuse\n"
226 " the service unit nspawn is running in\n"
227 " --volatile[=MODE] Run the system in volatile mode\n",
228 program_invocation_short_name);
231 static int set_sanitized_path(char **b, const char *path) {
237 p = canonicalize_file_name(path);
242 p = path_make_absolute_cwd(path);
248 *b = path_kill_slashes(p);
252 static int parse_argv(int argc, char *argv[]) {
269 ARG_NETWORK_INTERFACE,
278 static const struct option options[] = {
279 { "help", no_argument, NULL, 'h' },
280 { "version", no_argument, NULL, ARG_VERSION },
281 { "directory", required_argument, NULL, 'D' },
282 { "template", required_argument, NULL, ARG_TEMPLATE },
283 { "ephemeral", no_argument, NULL, 'x' },
284 { "user", required_argument, NULL, 'u' },
285 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
286 { "boot", no_argument, NULL, 'b' },
287 { "uuid", required_argument, NULL, ARG_UUID },
288 { "read-only", no_argument, NULL, ARG_READ_ONLY },
289 { "capability", required_argument, NULL, ARG_CAPABILITY },
290 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
291 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
292 { "bind", required_argument, NULL, ARG_BIND },
293 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
294 { "tmpfs", required_argument, NULL, ARG_TMPFS },
295 { "machine", required_argument, NULL, 'M' },
296 { "slice", required_argument, NULL, 'S' },
297 { "setenv", required_argument, NULL, ARG_SETENV },
298 { "selinux-context", required_argument, NULL, 'Z' },
299 { "selinux-apifs-context", required_argument, NULL, 'L' },
300 { "quiet", no_argument, NULL, 'q' },
301 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
302 { "register", required_argument, NULL, ARG_REGISTER },
303 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
304 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
305 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
306 { "network-veth", no_argument, NULL, ARG_NETWORK_VETH },
307 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
308 { "personality", required_argument, NULL, ARG_PERSONALITY },
309 { "image", required_argument, NULL, 'i' },
310 { "volatile", optional_argument, NULL, ARG_VOLATILE },
315 uint64_t plus = 0, minus = 0;
320 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:x", options, NULL)) >= 0)
329 puts(PACKAGE_STRING);
330 puts(SYSTEMD_FEATURES);
334 r = set_sanitized_path(&arg_directory, optarg);
336 return log_error_errno(r, "Invalid root directory: %m");
341 r = set_sanitized_path(&arg_template, optarg);
343 return log_error_errno(r, "Invalid template directory: %m");
348 r = set_sanitized_path(&arg_image, optarg);
350 return log_error_errno(r, "Invalid image path: %m");
355 arg_ephemeral = true;
360 arg_user = strdup(optarg);
366 case ARG_NETWORK_BRIDGE:
367 arg_network_bridge = optarg;
371 case ARG_NETWORK_VETH:
372 arg_network_veth = true;
373 arg_private_network = true;
376 case ARG_NETWORK_INTERFACE:
377 if (strv_extend(&arg_network_interfaces, optarg) < 0)
380 arg_private_network = true;
383 case ARG_NETWORK_MACVLAN:
384 if (strv_extend(&arg_network_macvlan, optarg) < 0)
389 case ARG_PRIVATE_NETWORK:
390 arg_private_network = true;
398 r = sd_id128_from_string(optarg, &arg_uuid);
400 log_error("Invalid UUID: %s", optarg);
410 if (isempty(optarg)) {
414 if (!machine_name_is_valid(optarg)) {
415 log_error("Invalid machine name: %s", optarg);
419 r = free_and_strdup(&arg_machine, optarg);
427 arg_selinux_context = optarg;
431 arg_selinux_apifs_context = optarg;
435 arg_read_only = true;
439 case ARG_DROP_CAPABILITY: {
440 const char *state, *word;
443 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
444 _cleanup_free_ char *t;
446 t = strndup(word, length);
450 if (streq(t, "all")) {
451 if (c == ARG_CAPABILITY)
452 plus = (uint64_t) -1;
454 minus = (uint64_t) -1;
458 cap = capability_from_name(t);
460 log_error("Failed to parse capability %s.", t);
464 if (c == ARG_CAPABILITY)
465 plus |= 1ULL << (uint64_t) cap;
467 minus |= 1ULL << (uint64_t) cap;
475 arg_link_journal = LINK_GUEST;
476 arg_link_journal_try = true;
479 case ARG_LINK_JOURNAL:
480 if (streq(optarg, "auto")) {
481 arg_link_journal = LINK_AUTO;
482 arg_link_journal_try = false;
483 } else if (streq(optarg, "no")) {
484 arg_link_journal = LINK_NO;
485 arg_link_journal_try = false;
486 } else if (streq(optarg, "guest")) {
487 arg_link_journal = LINK_GUEST;
488 arg_link_journal_try = false;
489 } else if (streq(optarg, "host")) {
490 arg_link_journal = LINK_HOST;
491 arg_link_journal_try = false;
492 } else if (streq(optarg, "try-guest")) {
493 arg_link_journal = LINK_GUEST;
494 arg_link_journal_try = true;
495 } else if (streq(optarg, "try-host")) {
496 arg_link_journal = LINK_HOST;
497 arg_link_journal_try = true;
499 log_error("Failed to parse link journal mode %s", optarg);
507 _cleanup_free_ char *a = NULL, *b = NULL;
511 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
513 e = strchr(optarg, ':');
515 a = strndup(optarg, e - optarg);
525 if (!path_is_absolute(a) || !path_is_absolute(b)) {
526 log_error("Invalid bind mount specification: %s", optarg);
530 r = strv_extend(x, a);
534 r = strv_extend(x, b);
542 _cleanup_free_ char *a = NULL, *b = NULL;
545 e = strchr(optarg, ':');
547 a = strndup(optarg, e - optarg);
551 b = strdup("mode=0755");
557 if (!path_is_absolute(a)) {
558 log_error("Invalid tmpfs specification: %s", optarg);
562 r = strv_push(&arg_tmpfs, a);
568 r = strv_push(&arg_tmpfs, b);
580 if (!env_assignment_is_valid(optarg)) {
581 log_error("Environment variable assignment '%s' is not valid.", optarg);
585 n = strv_env_set(arg_setenv, optarg);
589 strv_free(arg_setenv);
598 case ARG_SHARE_SYSTEM:
599 arg_share_system = true;
603 r = parse_boolean(optarg);
605 log_error("Failed to parse --register= argument: %s", optarg);
613 arg_keep_unit = true;
616 case ARG_PERSONALITY:
618 arg_personality = personality_from_string(optarg);
619 if (arg_personality == 0xffffffffLU) {
620 log_error("Unknown or unsupported personality '%s'.", optarg);
629 arg_volatile = VOLATILE_YES;
631 r = parse_boolean(optarg);
633 if (streq(optarg, "state"))
634 arg_volatile = VOLATILE_STATE;
636 log_error("Failed to parse --volatile= argument: %s", optarg);
640 arg_volatile = r ? VOLATILE_YES : VOLATILE_NO;
649 assert_not_reached("Unhandled option");
652 if (arg_share_system)
653 arg_register = false;
655 if (arg_boot && arg_share_system) {
656 log_error("--boot and --share-system may not be combined.");
660 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
661 log_error("--keep-unit may not be used when invoked from a user session.");
665 if (arg_directory && arg_image) {
666 log_error("--directory= and --image= may not be combined.");
670 if (arg_template && arg_image) {
671 log_error("--template= and --image= may not be combined.");
675 if (arg_template && !(arg_directory || arg_machine)) {
676 log_error("--template= needs --directory= or --machine=.");
680 if (arg_ephemeral && arg_template) {
681 log_error("--ephemeral and --template= may not be combined.");
685 if (arg_ephemeral && arg_image) {
686 log_error("--ephemeral and --image= may not be combined.");
690 if (arg_volatile != VOLATILE_NO && arg_read_only) {
691 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
695 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
700 static int mount_all(const char *dest) {
702 typedef struct MountPoint {
711 static const MountPoint mount_table[] = {
712 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
713 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
714 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
715 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
716 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
717 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
718 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
719 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
721 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
722 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
729 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
730 _cleanup_free_ char *where = NULL;
732 _cleanup_free_ char *options = NULL;
737 where = strjoin(dest, "/", mount_table[k].where, NULL);
741 t = path_is_mount_point(where, true);
743 log_error_errno(t, "Failed to detect whether %s is a mount point: %m", where);
751 /* Skip this entry if it is not a remount. */
752 if (mount_table[k].what && t > 0)
755 t = mkdir_p(where, 0755);
757 if (mount_table[k].fatal) {
758 log_error_errno(t, "Failed to create directory %s: %m", where);
763 log_warning_errno(t, "Failed to create directory %s: %m", where);
769 if (arg_selinux_apifs_context &&
770 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
771 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
778 o = mount_table[k].options;
781 if (mount(mount_table[k].what,
784 mount_table[k].flags,
787 if (mount_table[k].fatal) {
788 log_error_errno(errno, "mount(%s) failed: %m", where);
793 log_warning_errno(errno, "mount(%s) failed: %m", where);
800 static int mount_binds(const char *dest, char **l, bool ro) {
803 STRV_FOREACH_PAIR(x, y, l) {
804 _cleanup_free_ char *where = NULL;
805 struct stat source_st, dest_st;
808 if (stat(*x, &source_st) < 0)
809 return log_error_errno(errno, "Failed to stat %s: %m", *x);
811 where = strappend(dest, *y);
815 r = stat(where, &dest_st);
817 if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
818 log_error("The file types of %s and %s do not match. Refusing bind mount", *x, where);
821 } else if (errno == ENOENT) {
822 r = mkdir_parents_label(where, 0755);
824 return log_error_errno(r, "Failed to bind mount %s: %m", *x);
826 log_error_errno(errno, "Failed to bind mount %s: %m", *x);
830 /* Create the mount point, but be conservative -- refuse to create block
831 * and char devices. */
832 if (S_ISDIR(source_st.st_mode)) {
833 r = mkdir_label(where, 0755);
834 if (r < 0 && errno != EEXIST)
835 return log_error_errno(r, "Failed to create mount point %s: %m", where);
836 } else if (S_ISFIFO(source_st.st_mode)) {
837 r = mkfifo(where, 0644);
838 if (r < 0 && errno != EEXIST)
839 return log_error_errno(errno, "Failed to create mount point %s: %m", where);
840 } else if (S_ISSOCK(source_st.st_mode)) {
841 r = mknod(where, 0644 | S_IFSOCK, 0);
842 if (r < 0 && errno != EEXIST)
843 return log_error_errno(errno, "Failed to create mount point %s: %m", where);
844 } else if (S_ISREG(source_st.st_mode)) {
847 return log_error_errno(r, "Failed to create mount point %s: %m", where);
849 log_error("Refusing to create mountpoint for file: %s", *x);
853 if (mount(*x, where, "bind", MS_BIND, NULL) < 0)
854 return log_error_errno(errno, "mount(%s) failed: %m", where);
857 r = bind_remount_recursive(where, true);
859 return log_error_errno(r, "Read-Only bind mount failed: %m");
866 static int mount_tmpfs(const char *dest) {
869 STRV_FOREACH_PAIR(i, o, arg_tmpfs) {
870 _cleanup_free_ char *where = NULL;
873 where = strappend(dest, *i);
877 r = mkdir_label(where, 0755);
878 if (r < 0 && r != -EEXIST)
879 return log_error_errno(r, "Creating mount point for tmpfs %s failed: %m", where);
881 if (mount("tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, *o) < 0)
882 return log_error_errno(errno, "tmpfs mount to %s failed: %m", where);
888 static int setup_timezone(const char *dest) {
889 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
895 /* Fix the timezone, if possible */
896 r = readlink_malloc("/etc/localtime", &p);
898 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
902 z = path_startswith(p, "../usr/share/zoneinfo/");
904 z = path_startswith(p, "/usr/share/zoneinfo/");
906 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
910 where = strappend(dest, "/etc/localtime");
914 r = readlink_malloc(where, &q);
916 y = path_startswith(q, "../usr/share/zoneinfo/");
918 y = path_startswith(q, "/usr/share/zoneinfo/");
920 /* Already pointing to the right place? Then do nothing .. */
921 if (y && streq(y, z))
925 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
929 if (access(check, F_OK) < 0) {
930 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
934 what = strappend("../usr/share/zoneinfo/", z);
938 r = mkdir_parents(where, 0755);
940 log_error_errno(r, "Failed to create directory for timezone info %s in container: %m", where);
946 if (r < 0 && errno != ENOENT) {
947 log_error_errno(errno, "Failed to remove existing timezone info %s in container: %m", where);
952 if (symlink(what, where) < 0) {
953 log_error_errno(errno, "Failed to correct timezone of container: %m");
960 static int setup_resolv_conf(const char *dest) {
961 _cleanup_free_ char *where = NULL;
966 if (arg_private_network)
969 /* Fix resolv.conf, if possible */
970 where = strappend(dest, "/etc/resolv.conf");
974 /* We don't really care for the results of this really. If it
975 * fails, it fails, but meh... */
976 r = mkdir_parents(where, 0755);
978 log_warning_errno(r, "Failed to create parent directory for resolv.conf %s: %m", where);
983 r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644);
985 log_warning_errno(r, "Failed to copy /etc/resolv.conf to %s: %m", where);
993 static int setup_volatile_state(const char *directory) {
999 if (arg_volatile != VOLATILE_STATE)
1002 /* --volatile=state means we simply overmount /var
1003 with a tmpfs, and the rest read-only. */
1005 r = bind_remount_recursive(directory, true);
1007 return log_error_errno(r, "Failed to remount %s read-only: %m", directory);
1009 p = strappenda(directory, "/var");
1011 if (r < 0 && errno != EEXIST)
1012 return log_error_errno(errno, "Failed to create %s: %m", directory);
1014 if (mount("tmpfs", p, "tmpfs", MS_STRICTATIME, "mode=755") < 0)
1015 return log_error_errno(errno, "Failed to mount tmpfs to /var: %m");
1020 static int setup_volatile(const char *directory) {
1021 bool tmpfs_mounted = false, bind_mounted = false;
1022 char template[] = "/tmp/nspawn-volatile-XXXXXX";
1028 if (arg_volatile != VOLATILE_YES)
1031 /* --volatile=yes means we mount a tmpfs to the root dir, and
1032 the original /usr to use inside it, and that read-only. */
1034 if (!mkdtemp(template))
1035 return log_error_errno(errno, "Failed to create temporary directory: %m");
1037 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
1038 log_error_errno(errno, "Failed to mount tmpfs for root directory: %m");
1043 tmpfs_mounted = true;
1045 f = strappenda(directory, "/usr");
1046 t = strappenda(template, "/usr");
1049 if (r < 0 && errno != EEXIST) {
1050 log_error_errno(errno, "Failed to create %s: %m", t);
1055 if (mount(f, t, "bind", MS_BIND|MS_REC, NULL) < 0) {
1056 log_error_errno(errno, "Failed to create /usr bind mount: %m");
1061 bind_mounted = true;
1063 r = bind_remount_recursive(t, true);
1065 log_error_errno(r, "Failed to remount %s read-only: %m", t);
1069 if (mount(template, directory, NULL, MS_MOVE, NULL) < 0) {
1070 log_error_errno(errno, "Failed to move root mount: %m");
1088 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
1091 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1092 SD_ID128_FORMAT_VAL(id));
1097 static int setup_boot_id(const char *dest) {
1098 _cleanup_free_ char *from = NULL, *to = NULL;
1099 sd_id128_t rnd = {};
1105 if (arg_share_system)
1108 /* Generate a new randomized boot ID, so that each boot-up of
1109 * the container gets a new one */
1111 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
1112 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
1116 r = sd_id128_randomize(&rnd);
1118 return log_error_errno(r, "Failed to generate random boot id: %m");
1120 id128_format_as_uuid(rnd, as_uuid);
1122 r = write_string_file(from, as_uuid);
1124 return log_error_errno(r, "Failed to write boot id: %m");
1126 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1127 log_error_errno(errno, "Failed to bind mount boot id: %m");
1129 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
1130 log_warning_errno(errno, "Failed to make boot id read-only: %m");
1136 static int copy_devnodes(const char *dest) {
1138 static const char devnodes[] =
1149 _cleanup_umask_ mode_t u;
1155 NULSTR_FOREACH(d, devnodes) {
1156 _cleanup_free_ char *from = NULL, *to = NULL;
1159 from = strappend("/dev/", d);
1160 to = strjoin(dest, "/dev/", d, NULL);
1164 if (stat(from, &st) < 0) {
1166 if (errno != ENOENT)
1167 return log_error_errno(errno, "Failed to stat %s: %m", from);
1169 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
1171 log_error("%s is not a char or block device, cannot copy", from);
1175 r = mkdir_parents(to, 0775);
1177 log_error_errno(r, "Failed to create parent directory of %s: %m", to);
1181 if (mknod(to, st.st_mode, st.st_rdev) < 0)
1182 return log_error_errno(errno, "mknod(%s) failed: %m", dest);
1189 static int setup_ptmx(const char *dest) {
1190 _cleanup_free_ char *p = NULL;
1192 p = strappend(dest, "/dev/ptmx");
1196 if (symlink("pts/ptmx", p) < 0)
1197 return log_error_errno(errno, "Failed to create /dev/ptmx symlink: %m");
1202 static int setup_dev_console(const char *dest, const char *console) {
1203 _cleanup_umask_ mode_t u;
1213 if (stat("/dev/null", &st) < 0)
1214 return log_error_errno(errno, "Failed to stat /dev/null: %m");
1216 r = chmod_and_chown(console, 0600, 0, 0);
1218 return log_error_errno(r, "Failed to correct access mode for TTY: %m");
1220 /* We need to bind mount the right tty to /dev/console since
1221 * ptys can only exist on pts file systems. To have something
1222 * to bind mount things on we create a device node first, and
1223 * use /dev/null for that since we the cgroups device policy
1224 * allows us to create that freely, while we cannot create
1225 * /dev/console. (Note that the major minor doesn't actually
1226 * matter here, since we mount it over anyway). */
1228 to = strappenda(dest, "/dev/console");
1229 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0)
1230 return log_error_errno(errno, "mknod() for /dev/console failed: %m");
1232 if (mount(console, to, "bind", MS_BIND, NULL) < 0)
1233 return log_error_errno(errno, "Bind mount for /dev/console failed: %m");
1238 static int setup_kmsg(const char *dest, int kmsg_socket) {
1239 _cleanup_free_ char *from = NULL, *to = NULL;
1241 _cleanup_umask_ mode_t u;
1243 struct cmsghdr cmsghdr;
1244 uint8_t buf[CMSG_SPACE(sizeof(int))];
1246 struct msghdr mh = {
1247 .msg_control = &control,
1248 .msg_controllen = sizeof(control),
1250 struct cmsghdr *cmsg;
1253 assert(kmsg_socket >= 0);
1257 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1258 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1259 * on the reading side behave very similar to /proc/kmsg,
1260 * their writing side behaves differently from /dev/kmsg in
1261 * that writing blocks when nothing is reading. In order to
1262 * avoid any problems with containers deadlocking due to this
1263 * we simply make /dev/kmsg unavailable to the container. */
1264 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
1265 asprintf(&to, "%s/proc/kmsg", dest) < 0)
1268 if (mkfifo(from, 0600) < 0)
1269 return log_error_errno(errno, "mkfifo() for /dev/kmsg failed: %m");
1271 r = chmod_and_chown(from, 0600, 0, 0);
1273 return log_error_errno(r, "Failed to correct access mode for /dev/kmsg: %m");
1275 if (mount(from, to, "bind", MS_BIND, NULL) < 0)
1276 return log_error_errno(errno, "Bind mount for /proc/kmsg failed: %m");
1278 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
1280 return log_error_errno(errno, "Failed to open fifo: %m");
1282 cmsg = CMSG_FIRSTHDR(&mh);
1283 cmsg->cmsg_level = SOL_SOCKET;
1284 cmsg->cmsg_type = SCM_RIGHTS;
1285 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1286 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1288 mh.msg_controllen = cmsg->cmsg_len;
1290 /* Store away the fd in the socket, so that it stays open as
1291 * long as we run the child */
1292 k = sendmsg(kmsg_socket, &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
1296 return log_error_errno(errno, "Failed to send FIFO fd: %m");
1298 /* And now make the FIFO unavailable as /dev/kmsg... */
1303 static int setup_hostname(void) {
1305 if (arg_share_system)
1308 if (sethostname_idempotent(arg_machine) < 0)
1314 static int setup_journal(const char *directory) {
1315 sd_id128_t machine_id, this_id;
1316 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1320 p = strappend(directory, "/etc/machine-id");
1324 r = read_one_line_file(p, &b);
1325 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1328 return log_error_errno(r, "Failed to read machine ID from %s: %m", p);
1331 if (isempty(id) && arg_link_journal == LINK_AUTO)
1334 /* Verify validity */
1335 r = sd_id128_from_string(id, &machine_id);
1337 return log_error_errno(r, "Failed to parse machine ID from %s: %m", p);
1339 r = sd_id128_get_machine(&this_id);
1341 return log_error_errno(r, "Failed to retrieve machine ID: %m");
1343 if (sd_id128_equal(machine_id, this_id)) {
1344 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1345 "Host and machine ids are equal (%s): refusing to link journals", id);
1346 if (arg_link_journal == LINK_AUTO)
1352 if (arg_link_journal == LINK_NO)
1356 p = strappend("/var/log/journal/", id);
1357 q = strjoin(directory, "/var/log/journal/", id, NULL);
1361 if (path_is_mount_point(p, false) > 0) {
1362 if (arg_link_journal != LINK_AUTO) {
1363 log_error("%s: already a mount point, refusing to use for journal", p);
1370 if (path_is_mount_point(q, false) > 0) {
1371 if (arg_link_journal != LINK_AUTO) {
1372 log_error("%s: already a mount point, refusing to use for journal", q);
1379 r = readlink_and_make_absolute(p, &d);
1381 if ((arg_link_journal == LINK_GUEST ||
1382 arg_link_journal == LINK_AUTO) &&
1385 r = mkdir_p(q, 0755);
1387 log_warning_errno(errno, "Failed to create directory %s: %m", q);
1392 return log_error_errno(errno, "Failed to remove symlink %s: %m", p);
1393 } else if (r == -EINVAL) {
1395 if (arg_link_journal == LINK_GUEST &&
1398 if (errno == ENOTDIR) {
1399 log_error("%s already exists and is neither a symlink nor a directory", p);
1402 log_error_errno(errno, "Failed to remove %s: %m", p);
1406 } else if (r != -ENOENT) {
1407 log_error_errno(errno, "readlink(%s) failed: %m", p);
1411 if (arg_link_journal == LINK_GUEST) {
1413 if (symlink(q, p) < 0) {
1414 if (arg_link_journal_try) {
1415 log_debug_errno(errno, "Failed to symlink %s to %s, skipping journal setup: %m", q, p);
1418 log_error_errno(errno, "Failed to symlink %s to %s: %m", q, p);
1423 r = mkdir_p(q, 0755);
1425 log_warning_errno(errno, "Failed to create directory %s: %m", q);
1429 if (arg_link_journal == LINK_HOST) {
1430 /* don't create parents here -- if the host doesn't have
1431 * permanent journal set up, don't force it here */
1434 if (arg_link_journal_try) {
1435 log_debug_errno(errno, "Failed to create %s, skipping journal setup: %m", p);
1438 log_error_errno(errno, "Failed to create %s: %m", p);
1443 } else if (access(p, F_OK) < 0)
1446 if (dir_is_empty(q) == 0)
1447 log_warning("%s is not empty, proceeding anyway.", q);
1449 r = mkdir_p(q, 0755);
1451 log_error_errno(errno, "Failed to create %s: %m", q);
1455 if (mount(p, q, "bind", MS_BIND, NULL) < 0)
1456 return log_error_errno(errno, "Failed to bind mount journal from host into guest: %m");
1461 static int drop_capabilities(void) {
1462 return capability_bounding_set_drop(~arg_retain, false);
1465 static int register_machine(pid_t pid, int local_ifindex) {
1466 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1467 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1473 r = sd_bus_default_system(&bus);
1475 return log_error_errno(r, "Failed to open system bus: %m");
1477 if (arg_keep_unit) {
1478 r = sd_bus_call_method(
1480 "org.freedesktop.machine1",
1481 "/org/freedesktop/machine1",
1482 "org.freedesktop.machine1.Manager",
1483 "RegisterMachineWithNetwork",
1488 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1492 strempty(arg_directory),
1493 local_ifindex > 0 ? 1 : 0, local_ifindex);
1495 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1497 r = sd_bus_message_new_method_call(
1500 "org.freedesktop.machine1",
1501 "/org/freedesktop/machine1",
1502 "org.freedesktop.machine1.Manager",
1503 "CreateMachineWithNetwork");
1505 return log_error_errno(r, "Failed to create message: %m");
1507 r = sd_bus_message_append(
1511 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1515 strempty(arg_directory),
1516 local_ifindex > 0 ? 1 : 0, local_ifindex);
1518 return log_error_errno(r, "Failed to append message arguments: %m");
1520 r = sd_bus_message_open_container(m, 'a', "(sv)");
1522 return log_error_errno(r, "Failed to open container: %m");
1524 if (!isempty(arg_slice)) {
1525 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
1527 return log_error_errno(r, "Failed to append slice: %m");
1530 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
1532 return log_error_errno(r, "Failed to add device policy: %m");
1534 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9,
1535 /* Allow the container to
1536 * access and create the API
1537 * device nodes, so that
1538 * PrivateDevices= in the
1539 * container can work
1544 "/dev/random", "rwm",
1545 "/dev/urandom", "rwm",
1547 "/dev/net/tun", "rwm",
1548 /* Allow the container
1549 * access to ptys. However,
1551 * container to ever create
1552 * these device nodes. */
1553 "/dev/pts/ptmx", "rw",
1556 return log_error_errno(r, "Failed to add device whitelist: %m");
1558 r = sd_bus_message_close_container(m);
1560 return log_error_errno(r, "Failed to close container: %m");
1562 r = sd_bus_call(bus, m, 0, &error, NULL);
1566 log_error("Failed to register machine: %s", bus_error_message(&error, r));
1573 static int terminate_machine(pid_t pid) {
1574 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1575 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
1576 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1583 r = sd_bus_default_system(&bus);
1585 return log_error_errno(r, "Failed to open system bus: %m");
1587 r = sd_bus_call_method(
1589 "org.freedesktop.machine1",
1590 "/org/freedesktop/machine1",
1591 "org.freedesktop.machine1.Manager",
1598 /* Note that the machine might already have been
1599 * cleaned up automatically, hence don't consider it a
1600 * failure if we cannot get the machine object. */
1601 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
1605 r = sd_bus_message_read(reply, "o", &path);
1607 return bus_log_parse_error(r);
1609 r = sd_bus_call_method(
1611 "org.freedesktop.machine1",
1613 "org.freedesktop.machine1.Machine",
1619 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
1626 static int reset_audit_loginuid(void) {
1627 _cleanup_free_ char *p = NULL;
1630 if (arg_share_system)
1633 r = read_one_line_file("/proc/self/loginuid", &p);
1637 return log_error_errno(r, "Failed to read /proc/self/loginuid: %m");
1639 /* Already reset? */
1640 if (streq(p, "4294967295"))
1643 r = write_string_file("/proc/self/loginuid", "4294967295");
1645 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
1646 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1647 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1648 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1649 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
1657 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
1658 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
1659 #define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
1661 static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key, uint64_t idx) {
1667 l = strlen(arg_machine);
1668 sz = sizeof(sd_id128_t) + l;
1674 /* fetch some persistent data unique to the host */
1675 r = sd_id128_get_machine((sd_id128_t*) v);
1679 /* combine with some data unique (on this host) to this
1680 * container instance */
1681 i = mempcpy(v + sizeof(sd_id128_t), arg_machine, l);
1684 memcpy(i, &idx, sizeof(idx));
1687 /* Let's hash the host machine ID plus the container name. We
1688 * use a fixed, but originally randomly created hash key here. */
1689 siphash24(result, v, sz, hash_key.bytes);
1691 assert_cc(ETH_ALEN <= sizeof(result));
1692 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
1694 /* see eth_random_addr in the kernel */
1695 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
1696 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
1701 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
1702 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1703 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1704 struct ether_addr mac_host, mac_container;
1707 if (!arg_private_network)
1710 if (!arg_network_veth)
1713 /* Use two different interface name prefixes depending whether
1714 * we are in bridge mode or not. */
1715 snprintf(iface_name, IFNAMSIZ - 1, "%s-%s",
1716 arg_network_bridge ? "vb" : "ve", arg_machine);
1718 r = generate_mac(&mac_container, CONTAINER_HASH_KEY, 0);
1720 return log_error_errno(r, "Failed to generate predictable MAC address for container side: %m");
1722 r = generate_mac(&mac_host, HOST_HASH_KEY, 0);
1724 return log_error_errno(r, "Failed to generate predictable MAC address for host side: %m");
1726 r = sd_rtnl_open(&rtnl, 0);
1728 return log_error_errno(r, "Failed to connect to netlink: %m");
1730 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1732 return log_error_errno(r, "Failed to allocate netlink message: %m");
1734 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
1736 return log_error_errno(r, "Failed to add netlink interface name: %m");
1738 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_host);
1740 return log_error_errno(r, "Failed to add netlink MAC address: %m");
1742 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1744 return log_error_errno(r, "Failed to open netlink container: %m");
1746 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
1748 return log_error_errno(r, "Failed to open netlink container: %m");
1750 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
1752 return log_error_errno(r, "Failed to open netlink container: %m");
1754 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
1756 return log_error_errno(r, "Failed to add netlink interface name: %m");
1758 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_container);
1760 return log_error_errno(r, "Failed to add netlink MAC address: %m");
1762 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1764 return log_error_errno(r, "Failed to add netlink namespace field: %m");
1766 r = sd_rtnl_message_close_container(m);
1768 return log_error_errno(r, "Failed to close netlink container: %m");
1770 r = sd_rtnl_message_close_container(m);
1772 return log_error_errno(r, "Failed to close netlink container: %m");
1774 r = sd_rtnl_message_close_container(m);
1776 return log_error_errno(r, "Failed to close netlink container: %m");
1778 r = sd_rtnl_call(rtnl, m, 0, NULL);
1780 return log_error_errno(r, "Failed to add new veth interfaces: %m");
1782 i = (int) if_nametoindex(iface_name);
1784 return log_error_errno(errno, "Failed to resolve interface %s: %m", iface_name);
1791 static int setup_bridge(const char veth_name[], int *ifi) {
1792 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1793 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1796 if (!arg_private_network)
1799 if (!arg_network_veth)
1802 if (!arg_network_bridge)
1805 bridge = (int) if_nametoindex(arg_network_bridge);
1807 return log_error_errno(errno, "Failed to resolve interface %s: %m", arg_network_bridge);
1811 r = sd_rtnl_open(&rtnl, 0);
1813 return log_error_errno(r, "Failed to connect to netlink: %m");
1815 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
1817 return log_error_errno(r, "Failed to allocate netlink message: %m");
1819 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
1821 return log_error_errno(r, "Failed to set IFF_UP flag: %m");
1823 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
1825 return log_error_errno(r, "Failed to add netlink interface name field: %m");
1827 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
1829 return log_error_errno(r, "Failed to add netlink master field: %m");
1831 r = sd_rtnl_call(rtnl, m, 0, NULL);
1833 return log_error_errno(r, "Failed to add veth interface to bridge: %m");
1838 static int parse_interface(struct udev *udev, const char *name) {
1839 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1840 char ifi_str[2 + DECIMAL_STR_MAX(int)];
1843 ifi = (int) if_nametoindex(name);
1845 return log_error_errno(errno, "Failed to resolve interface %s: %m", name);
1847 sprintf(ifi_str, "n%i", ifi);
1848 d = udev_device_new_from_device_id(udev, ifi_str);
1850 return log_error_errno(errno, "Failed to get udev device for interface %s: %m", name);
1852 if (udev_device_get_is_initialized(d) <= 0) {
1853 log_error("Network interface %s is not initialized yet.", name);
1860 static int move_network_interfaces(pid_t pid) {
1861 _cleanup_udev_unref_ struct udev *udev = NULL;
1862 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1866 if (!arg_private_network)
1869 if (strv_isempty(arg_network_interfaces))
1872 r = sd_rtnl_open(&rtnl, 0);
1874 return log_error_errno(r, "Failed to connect to netlink: %m");
1878 log_error("Failed to connect to udev.");
1882 STRV_FOREACH(i, arg_network_interfaces) {
1883 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1886 ifi = parse_interface(udev, *i);
1890 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, ifi);
1892 return log_error_errno(r, "Failed to allocate netlink message: %m");
1894 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1896 return log_error_errno(r, "Failed to append namespace PID to netlink message: %m");
1898 r = sd_rtnl_call(rtnl, m, 0, NULL);
1900 return log_error_errno(r, "Failed to move interface %s to namespace: %m", *i);
1906 static int setup_macvlan(pid_t pid) {
1907 _cleanup_udev_unref_ struct udev *udev = NULL;
1908 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1913 if (!arg_private_network)
1916 if (strv_isempty(arg_network_macvlan))
1919 r = sd_rtnl_open(&rtnl, 0);
1921 return log_error_errno(r, "Failed to connect to netlink: %m");
1925 log_error("Failed to connect to udev.");
1929 STRV_FOREACH(i, arg_network_macvlan) {
1930 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1931 _cleanup_free_ char *n = NULL;
1932 struct ether_addr mac;
1935 ifi = parse_interface(udev, *i);
1939 r = generate_mac(&mac, MACVLAN_HASH_KEY, idx++);
1941 return log_error_errno(r, "Failed to create MACVLAN MAC address: %m");
1943 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1945 return log_error_errno(r, "Failed to allocate netlink message: %m");
1947 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
1949 return log_error_errno(r, "Failed to add netlink interface index: %m");
1951 n = strappend("mv-", *i);
1955 strshorten(n, IFNAMSIZ-1);
1957 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
1959 return log_error_errno(r, "Failed to add netlink interface name: %m");
1961 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac);
1963 return log_error_errno(r, "Failed to add netlink MAC address: %m");
1965 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1967 return log_error_errno(r, "Failed to add netlink namespace field: %m");
1969 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1971 return log_error_errno(r, "Failed to open netlink container: %m");
1973 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
1975 return log_error_errno(r, "Failed to open netlink container: %m");
1977 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
1979 return log_error_errno(r, "Failed to append macvlan mode: %m");
1981 r = sd_rtnl_message_close_container(m);
1983 return log_error_errno(r, "Failed to close netlink container: %m");
1985 r = sd_rtnl_message_close_container(m);
1987 return log_error_errno(r, "Failed to close netlink container: %m");
1989 r = sd_rtnl_call(rtnl, m, 0, NULL);
1991 return log_error_errno(r, "Failed to add new macvlan interfaces: %m");
1997 static int setup_seccomp(void) {
2000 static const int blacklist[] = {
2001 SCMP_SYS(kexec_load),
2002 SCMP_SYS(open_by_handle_at),
2003 SCMP_SYS(init_module),
2004 SCMP_SYS(finit_module),
2005 SCMP_SYS(delete_module),
2012 scmp_filter_ctx seccomp;
2016 seccomp = seccomp_init(SCMP_ACT_ALLOW);
2020 r = seccomp_add_secondary_archs(seccomp);
2022 log_error_errno(r, "Failed to add secondary archs to seccomp filter: %m");
2026 for (i = 0; i < ELEMENTSOF(blacklist); i++) {
2027 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
2029 continue; /* unknown syscall */
2031 log_error_errno(r, "Failed to block syscall: %m");
2037 Audit is broken in containers, much of the userspace audit
2038 hookup will fail if running inside a container. We don't
2039 care and just turn off creation of audit sockets.
2041 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
2042 with EAFNOSUPPORT which audit userspace uses as indication
2043 that audit is disabled in the kernel.
2046 r = seccomp_rule_add(
2048 SCMP_ACT_ERRNO(EAFNOSUPPORT),
2051 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
2052 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
2054 log_error_errno(r, "Failed to add audit seccomp rule: %m");
2058 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
2060 log_error_errno(r, "Failed to unset NO_NEW_PRIVS: %m");
2064 r = seccomp_load(seccomp);
2066 log_error_errno(r, "Failed to install seccomp audit filter: %m");
2069 seccomp_release(seccomp);
2077 static int setup_image(char **device_path, int *loop_nr) {
2078 struct loop_info64 info = {
2079 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
2081 _cleanup_close_ int fd = -1, control = -1, loop = -1;
2082 _cleanup_free_ char* loopdev = NULL;
2086 assert(device_path);
2090 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2092 return log_error_errno(errno, "Failed to open %s: %m", arg_image);
2094 if (fstat(fd, &st) < 0)
2095 return log_error_errno(errno, "Failed to stat %s: %m", arg_image);
2097 if (S_ISBLK(st.st_mode)) {
2100 p = strdup(arg_image);
2114 if (!S_ISREG(st.st_mode)) {
2115 log_error_errno(errno, "%s is not a regular file or block device: %m", arg_image);
2119 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2121 return log_error_errno(errno, "Failed to open /dev/loop-control: %m");
2123 nr = ioctl(control, LOOP_CTL_GET_FREE);
2125 return log_error_errno(errno, "Failed to allocate loop device: %m");
2127 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
2130 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2132 return log_error_errno(errno, "Failed to open loop device %s: %m", loopdev);
2134 if (ioctl(loop, LOOP_SET_FD, fd) < 0)
2135 return log_error_errno(errno, "Failed to set loopback file descriptor on %s: %m", loopdev);
2138 info.lo_flags |= LO_FLAGS_READ_ONLY;
2140 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0)
2141 return log_error_errno(errno, "Failed to set loopback settings on %s: %m", loopdev);
2143 *device_path = loopdev;
2154 static int dissect_image(
2156 char **root_device, bool *root_device_rw,
2157 char **home_device, bool *home_device_rw,
2158 char **srv_device, bool *srv_device_rw,
2162 int home_nr = -1, srv_nr = -1;
2163 #ifdef GPT_ROOT_NATIVE
2166 #ifdef GPT_ROOT_SECONDARY
2167 int secondary_root_nr = -1;
2170 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL;
2171 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
2172 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2173 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2174 _cleanup_udev_unref_ struct udev *udev = NULL;
2175 struct udev_list_entry *first, *item;
2176 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true;
2177 const char *pttype = NULL;
2183 assert(root_device);
2184 assert(home_device);
2189 b = blkid_new_probe();
2194 r = blkid_probe_set_device(b, fd, 0, 0);
2199 log_error_errno(errno, "Failed to set device on blkid probe: %m");
2203 blkid_probe_enable_partitions(b, 1);
2204 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
2207 r = blkid_do_safeprobe(b);
2208 if (r == -2 || r == 1) {
2209 log_error("Failed to identify any partition table on %s.\n"
2210 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2212 } else if (r != 0) {
2215 log_error_errno(errno, "Failed to probe: %m");
2219 blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
2220 if (!streq_ptr(pttype, "gpt")) {
2221 log_error("Image %s does not carry a GUID Partition Table.\n"
2222 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2227 pl = blkid_probe_get_partitions(b);
2232 log_error("Failed to list partitions of %s", arg_image);
2240 if (fstat(fd, &st) < 0)
2241 return log_error_errno(errno, "Failed to stat block device: %m");
2243 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2247 e = udev_enumerate_new(udev);
2251 r = udev_enumerate_add_match_parent(e, d);
2255 r = udev_enumerate_scan_devices(e);
2257 return log_error_errno(r, "Failed to scan for partition devices of %s: %m", arg_image);
2259 first = udev_enumerate_get_list_entry(e);
2260 udev_list_entry_foreach(item, first) {
2261 _cleanup_udev_device_unref_ struct udev_device *q;
2262 const char *stype, *node;
2263 unsigned long long flags;
2270 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2275 log_error_errno(errno, "Failed to get partition device of %s: %m", arg_image);
2279 qn = udev_device_get_devnum(q);
2283 if (st.st_rdev == qn)
2286 node = udev_device_get_devnode(q);
2290 pp = blkid_partlist_devno_to_partition(pl, qn);
2294 flags = blkid_partition_get_flags(pp);
2295 if (flags & GPT_FLAG_NO_AUTO)
2298 nr = blkid_partition_get_partno(pp);
2302 stype = blkid_partition_get_type_string(pp);
2306 if (sd_id128_from_string(stype, &type_id) < 0)
2309 if (sd_id128_equal(type_id, GPT_HOME)) {
2311 if (home && nr >= home_nr)
2315 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2318 home = strdup(node);
2321 } else if (sd_id128_equal(type_id, GPT_SRV)) {
2323 if (srv && nr >= srv_nr)
2327 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
2334 #ifdef GPT_ROOT_NATIVE
2335 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
2337 if (root && nr >= root_nr)
2341 root_rw = !(flags & GPT_FLAG_READ_ONLY);
2344 root = strdup(node);
2349 #ifdef GPT_ROOT_SECONDARY
2350 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
2352 if (secondary_root && nr >= secondary_root_nr)
2355 secondary_root_nr = nr;
2356 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
2359 free(secondary_root);
2360 secondary_root = strdup(node);
2361 if (!secondary_root)
2367 if (!root && !secondary_root) {
2368 log_error("Failed to identify root partition in disk image %s.\n"
2369 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2374 *root_device = root;
2377 *root_device_rw = root_rw;
2379 } else if (secondary_root) {
2380 *root_device = secondary_root;
2381 secondary_root = NULL;
2383 *root_device_rw = secondary_root_rw;
2388 *home_device = home;
2391 *home_device_rw = home_rw;
2398 *srv_device_rw = srv_rw;
2403 log_error("--image= is not supported, compiled without blkid support.");
2408 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
2410 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2411 const char *fstype, *p;
2421 p = strappenda(where, directory);
2426 b = blkid_new_probe_from_filename(what);
2430 log_error_errno(errno, "Failed to allocate prober for %s: %m", what);
2434 blkid_probe_enable_superblocks(b, 1);
2435 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
2438 r = blkid_do_safeprobe(b);
2439 if (r == -1 || r == 1) {
2440 log_error("Cannot determine file system type of %s", what);
2442 } else if (r != 0) {
2445 log_error_errno(errno, "Failed to probe %s: %m", what);
2450 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
2453 log_error("Failed to determine file system type of %s", what);
2457 if (streq(fstype, "crypto_LUKS")) {
2458 log_error("nspawn currently does not support LUKS disk images.");
2462 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0)
2463 return log_error_errno(errno, "Failed to mount %s: %m", what);
2467 log_error("--image= is not supported, compiled without blkid support.");
2472 static int mount_devices(
2474 const char *root_device, bool root_device_rw,
2475 const char *home_device, bool home_device_rw,
2476 const char *srv_device, bool srv_device_rw) {
2482 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
2484 return log_error_errno(r, "Failed to mount root directory: %m");
2488 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
2490 return log_error_errno(r, "Failed to mount home directory: %m");
2494 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
2496 return log_error_errno(r, "Failed to mount server data directory: %m");
2502 static void loop_remove(int nr, int *image_fd) {
2503 _cleanup_close_ int control = -1;
2509 if (image_fd && *image_fd >= 0) {
2510 r = ioctl(*image_fd, LOOP_CLR_FD);
2512 log_warning_errno(errno, "Failed to close loop image: %m");
2513 *image_fd = safe_close(*image_fd);
2516 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2518 log_warning_errno(errno, "Failed to open /dev/loop-control: %m");
2522 r = ioctl(control, LOOP_CTL_REMOVE, nr);
2524 log_warning_errno(errno, "Failed to remove loop %d: %m", nr);
2527 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
2535 if (pipe2(pipe_fds, O_CLOEXEC) < 0)
2536 return log_error_errno(errno, "Failed to allocate pipe: %m");
2540 return log_error_errno(errno, "Failed to fork getent child: %m");
2541 else if (pid == 0) {
2543 char *empty_env = NULL;
2545 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
2546 _exit(EXIT_FAILURE);
2548 if (pipe_fds[0] > 2)
2549 safe_close(pipe_fds[0]);
2550 if (pipe_fds[1] > 2)
2551 safe_close(pipe_fds[1]);
2553 nullfd = open("/dev/null", O_RDWR);
2555 _exit(EXIT_FAILURE);
2557 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
2558 _exit(EXIT_FAILURE);
2560 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
2561 _exit(EXIT_FAILURE);
2566 reset_all_signal_handlers();
2567 close_all_fds(NULL, 0);
2569 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
2570 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
2571 _exit(EXIT_FAILURE);
2574 pipe_fds[1] = safe_close(pipe_fds[1]);
2581 static int change_uid_gid(char **_home) {
2582 char line[LINE_MAX], *x, *u, *g, *h;
2583 const char *word, *state;
2584 _cleanup_free_ uid_t *uids = NULL;
2585 _cleanup_free_ char *home = NULL;
2586 _cleanup_fclose_ FILE *f = NULL;
2587 _cleanup_close_ int fd = -1;
2588 unsigned n_uids = 0;
2597 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
2598 /* Reset everything fully to 0, just in case */
2600 if (setgroups(0, NULL) < 0)
2601 return log_error_errno(errno, "setgroups() failed: %m");
2603 if (setresgid(0, 0, 0) < 0)
2604 return log_error_errno(errno, "setregid() failed: %m");
2606 if (setresuid(0, 0, 0) < 0)
2607 return log_error_errno(errno, "setreuid() failed: %m");
2613 /* First, get user credentials */
2614 fd = spawn_getent("passwd", arg_user, &pid);
2618 f = fdopen(fd, "r");
2623 if (!fgets(line, sizeof(line), f)) {
2626 log_error("Failed to resolve user %s.", arg_user);
2630 log_error_errno(errno, "Failed to read from getent: %m");
2636 wait_for_terminate_and_warn("getent passwd", pid, true);
2638 x = strchr(line, ':');
2640 log_error("/etc/passwd entry has invalid user field.");
2644 u = strchr(x+1, ':');
2646 log_error("/etc/passwd entry has invalid password field.");
2653 log_error("/etc/passwd entry has invalid UID field.");
2661 log_error("/etc/passwd entry has invalid GID field.");
2666 h = strchr(x+1, ':');
2668 log_error("/etc/passwd entry has invalid GECOS field.");
2675 log_error("/etc/passwd entry has invalid home directory field.");
2681 r = parse_uid(u, &uid);
2683 log_error("Failed to parse UID of user.");
2687 r = parse_gid(g, &gid);
2689 log_error("Failed to parse GID of user.");
2697 /* Second, get group memberships */
2698 fd = spawn_getent("initgroups", arg_user, &pid);
2703 f = fdopen(fd, "r");
2708 if (!fgets(line, sizeof(line), f)) {
2710 log_error("Failed to resolve user %s.", arg_user);
2714 log_error_errno(errno, "Failed to read from getent: %m");
2720 wait_for_terminate_and_warn("getent initgroups", pid, true);
2722 /* Skip over the username and subsequent separator whitespace */
2724 x += strcspn(x, WHITESPACE);
2725 x += strspn(x, WHITESPACE);
2727 FOREACH_WORD(word, l, x, state) {
2733 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
2736 r = parse_uid(c, &uids[n_uids++]);
2738 log_error("Failed to parse group data from getent.");
2743 r = mkdir_parents(home, 0775);
2745 return log_error_errno(r, "Failed to make home root directory: %m");
2747 r = mkdir_safe(home, 0755, uid, gid);
2748 if (r < 0 && r != -EEXIST)
2749 return log_error_errno(r, "Failed to make home directory: %m");
2751 fchown(STDIN_FILENO, uid, gid);
2752 fchown(STDOUT_FILENO, uid, gid);
2753 fchown(STDERR_FILENO, uid, gid);
2755 if (setgroups(n_uids, uids) < 0)
2756 return log_error_errno(errno, "Failed to set auxiliary groups: %m");
2758 if (setresgid(gid, gid, gid) < 0)
2759 return log_error_errno(errno, "setregid() failed: %m");
2761 if (setresuid(uid, uid, uid) < 0)
2762 return log_error_errno(errno, "setreuid() failed: %m");
2774 * < 0 : wait_for_terminate() failed to get the state of the
2775 * container, the container was terminated by a signal, or
2776 * failed for an unknown reason. No change is made to the
2777 * container argument.
2778 * > 0 : The program executed in the container terminated with an
2779 * error. The exit code of the program executed in the
2780 * container is returned. The container argument has been set
2781 * to CONTAINER_TERMINATED.
2782 * 0 : The container is being rebooted, has been shut down or exited
2783 * successfully. The container argument has been set to either
2784 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2786 * That is, success is indicated by a return value of zero, and an
2787 * error is indicated by a non-zero value.
2789 static int wait_for_container(pid_t pid, ContainerStatus *container) {
2793 r = wait_for_terminate(pid, &status);
2795 return log_warning_errno(r, "Failed to wait for container: %m");
2797 switch (status.si_code) {
2800 if (status.si_status == 0) {
2801 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s exited successfully.", arg_machine);
2804 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s failed with error code %i.", arg_machine, status.si_status);
2806 *container = CONTAINER_TERMINATED;
2807 return status.si_status;
2810 if (status.si_status == SIGINT) {
2812 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s has been shut down.", arg_machine);
2813 *container = CONTAINER_TERMINATED;
2816 } else if (status.si_status == SIGHUP) {
2818 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s is being rebooted.", arg_machine);
2819 *container = CONTAINER_REBOOTED;
2823 /* CLD_KILLED fallthrough */
2826 log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
2830 log_error("Container %s failed due to unknown reason.", arg_machine);
2837 static void nop_handler(int sig) {}
2839 static int on_orderly_shutdown(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) {
2842 pid = PTR_TO_UINT32(userdata);
2844 if (kill(pid, SIGRTMIN+3) >= 0) {
2845 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
2846 sd_event_source_set_userdata(s, NULL);
2851 sd_event_exit(sd_event_source_get_event(s), 0);
2855 static int determine_names(void) {
2857 if (!arg_image && !arg_directory) {
2859 arg_directory = strappend("/var/lib/container/", arg_machine);
2861 arg_directory = get_current_dir_name();
2863 if (!arg_directory) {
2864 log_error("Failed to determine path, please use -D.");
2870 arg_machine = strdup(basename(arg_image ?: arg_directory));
2874 hostname_cleanup(arg_machine, false);
2875 if (!machine_name_is_valid(arg_machine)) {
2876 log_error("Failed to determine machine name automatically, please use -M.");
2884 int main(int argc, char *argv[]) {
2886 _cleanup_free_ char *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
2887 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
2888 _cleanup_close_ int master = -1, image_fd = -1;
2889 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 };
2890 _cleanup_fdset_free_ FDSet *fds = NULL;
2891 int r, n_fd_passed, loop_nr = -1;
2892 const char *console = NULL;
2893 char veth_name[IFNAMSIZ];
2894 bool secondary = false, remove_subvol = false;
2895 sigset_t mask, mask_chld;
2897 int ret = EXIT_SUCCESS;
2899 log_parse_environment();
2902 r = parse_argv(argc, argv);
2906 r = determine_names();
2910 if (geteuid() != 0) {
2911 log_error("Need to be root.");
2916 if (sd_booted() <= 0) {
2917 log_error("Not running on a systemd system.");
2923 n_fd_passed = sd_listen_fds(false);
2924 if (n_fd_passed > 0) {
2925 r = fdset_new_listen_fds(&fds, false);
2927 log_error_errno(r, "Failed to collect file descriptors: %m");
2931 fdset_close_others(fds);
2934 if (arg_directory) {
2937 if (path_equal(arg_directory, "/")) {
2938 log_error("Spawning container on root directory not supported.");
2944 r = btrfs_subvol_snapshot(arg_template, arg_directory, arg_read_only, true);
2947 log_info("Directory %s already exists, not populating from template %s.", arg_directory, arg_template);
2949 log_error_errno(r, "Couldn't create snapshort %s from %s: %m", arg_directory, arg_template);
2953 log_info("Populated %s from template %s.", arg_directory, arg_template);
2956 } else if (arg_ephemeral) {
2959 r = tempfn_random(arg_directory, &np);
2961 log_error_errno(r, "Failed to generate name for snapshot: %m");
2965 r = btrfs_subvol_snapshot(arg_directory, np, arg_read_only, true);
2968 log_error_errno(r, "Failed to create snapshot %s from %s: %m", np, arg_directory);
2972 free(arg_directory);
2975 remove_subvol = true;
2979 if (path_is_os_tree(arg_directory) <= 0) {
2980 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory);
2987 p = strappenda(arg_directory,
2988 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
2989 if (access(p, F_OK) < 0) {
2990 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
2997 char template[] = "/tmp/nspawn-root-XXXXXX";
3000 assert(!arg_template);
3002 if (!mkdtemp(template)) {
3003 log_error_errno(errno, "Failed to create temporary directory: %m");
3008 arg_directory = strdup(template);
3009 if (!arg_directory) {
3014 image_fd = setup_image(&device_path, &loop_nr);
3020 r = dissect_image(image_fd,
3021 &root_device, &root_device_rw,
3022 &home_device, &home_device_rw,
3023 &srv_device, &srv_device_rw,
3029 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
3031 r = log_error_errno(errno, "Failed to acquire pseudo tty: %m");
3035 console = ptsname(master);
3037 r = log_error_errno(errno, "Failed to determine tty name: %m");
3042 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3043 arg_machine, arg_image ?: arg_directory);
3045 if (unlockpt(master) < 0) {
3046 r = log_error_errno(errno, "Failed to unlock tty: %m");
3050 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
3051 r = log_error_errno(errno, "Failed to create kmsg socket pair: %m");
3057 "STATUS=Container running.");
3059 assert_se(sigemptyset(&mask) == 0);
3060 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
3061 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
3063 assert_se(sigemptyset(&mask_chld) == 0);
3064 assert_se(sigaddset(&mask_chld, SIGCHLD) == 0);
3067 ContainerStatus container_status;
3068 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
3069 struct sigaction sa = {
3070 .sa_handler = nop_handler,
3071 .sa_flags = SA_NOCLDSTOP,
3074 r = barrier_create(&barrier);
3076 log_error_errno(r, "Cannot initialize IPC barrier: %m");
3080 /* Child can be killed before execv(), so handle SIGCHLD
3081 * in order to interrupt parent's blocking calls and
3082 * give it a chance to call wait() and terminate. */
3083 r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL);
3085 r = log_error_errno(errno, "Failed to change the signal mask: %m");
3089 r = sigaction(SIGCHLD, &sa, NULL);
3091 r = log_error_errno(errno, "Failed to install SIGCHLD handler: %m");
3095 pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWNS|
3096 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
3097 (arg_private_network ? CLONE_NEWNET : 0), NULL);
3099 if (errno == EINVAL)
3100 r = log_error_errno(errno, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3102 r = log_error_errno(errno, "clone() failed: %m");
3109 _cleanup_free_ char *home = NULL;
3111 const char *envp[] = {
3112 "PATH=" DEFAULT_PATH_SPLIT_USR,
3113 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
3118 NULL, /* container_uuid */
3119 NULL, /* LISTEN_FDS */
3120 NULL, /* LISTEN_PID */
3125 barrier_set_role(&barrier, BARRIER_CHILD);
3127 envp[n_env] = strv_find_prefix(environ, "TERM=");
3131 master = safe_close(master);
3133 close_nointr(STDIN_FILENO);
3134 close_nointr(STDOUT_FILENO);
3135 close_nointr(STDERR_FILENO);
3137 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
3139 reset_all_signal_handlers();
3140 reset_signal_mask();
3142 r = open_terminal(console, O_RDWR);
3143 if (r != STDIN_FILENO) {
3149 log_error_errno(r, "Failed to open console: %m");
3150 _exit(EXIT_FAILURE);
3153 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
3154 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
3155 log_error_errno(errno, "Failed to duplicate console: %m");
3156 _exit(EXIT_FAILURE);
3160 log_error_errno(errno, "setsid() failed: %m");
3161 _exit(EXIT_FAILURE);
3164 if (reset_audit_loginuid() < 0)
3165 _exit(EXIT_FAILURE);
3167 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
3168 log_error_errno(errno, "PR_SET_PDEATHSIG failed: %m");
3169 _exit(EXIT_FAILURE);
3172 /* Mark everything as slave, so that we still
3173 * receive mounts from the real root, but don't
3174 * propagate mounts to the real root. */
3175 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
3176 log_error_errno(errno, "MS_SLAVE|MS_REC failed: %m");
3177 _exit(EXIT_FAILURE);
3180 if (mount_devices(arg_directory,
3181 root_device, root_device_rw,
3182 home_device, home_device_rw,
3183 srv_device, srv_device_rw) < 0)
3184 _exit(EXIT_FAILURE);
3186 /* Turn directory into bind mount */
3187 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
3188 log_error_errno(errno, "Failed to make bind mount: %m");
3189 _exit(EXIT_FAILURE);
3192 r = setup_volatile(arg_directory);
3194 _exit(EXIT_FAILURE);
3196 if (setup_volatile_state(arg_directory) < 0)
3197 _exit(EXIT_FAILURE);
3199 r = base_filesystem_create(arg_directory);
3201 _exit(EXIT_FAILURE);
3203 if (arg_read_only) {
3204 r = bind_remount_recursive(arg_directory, true);
3206 log_error_errno(r, "Failed to make tree read-only: %m");
3207 _exit(EXIT_FAILURE);
3211 if (mount_all(arg_directory) < 0)
3212 _exit(EXIT_FAILURE);
3214 if (copy_devnodes(arg_directory) < 0)
3215 _exit(EXIT_FAILURE);
3217 if (setup_ptmx(arg_directory) < 0)
3218 _exit(EXIT_FAILURE);
3220 dev_setup(arg_directory);
3222 if (setup_seccomp() < 0)
3223 _exit(EXIT_FAILURE);
3225 if (setup_dev_console(arg_directory, console) < 0)
3226 _exit(EXIT_FAILURE);
3228 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
3229 _exit(EXIT_FAILURE);
3231 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
3233 if (setup_boot_id(arg_directory) < 0)
3234 _exit(EXIT_FAILURE);
3236 if (setup_timezone(arg_directory) < 0)
3237 _exit(EXIT_FAILURE);
3239 if (setup_resolv_conf(arg_directory) < 0)
3240 _exit(EXIT_FAILURE);
3242 if (setup_journal(arg_directory) < 0)
3243 _exit(EXIT_FAILURE);
3245 if (mount_binds(arg_directory, arg_bind, false) < 0)
3246 _exit(EXIT_FAILURE);
3248 if (mount_binds(arg_directory, arg_bind_ro, true) < 0)
3249 _exit(EXIT_FAILURE);
3251 if (mount_tmpfs(arg_directory) < 0)
3252 _exit(EXIT_FAILURE);
3254 /* Tell the parent that we are ready, and that
3255 * it can cgroupify us to that we lack access
3256 * to certain devices and resources. */
3257 (void)barrier_place(&barrier);
3259 if (chdir(arg_directory) < 0) {
3260 log_error_errno(errno, "chdir(%s) failed: %m", arg_directory);
3261 _exit(EXIT_FAILURE);
3264 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
3265 log_error_errno(errno, "mount(MS_MOVE) failed: %m");
3266 _exit(EXIT_FAILURE);
3269 if (chroot(".") < 0) {
3270 log_error_errno(errno, "chroot() failed: %m");
3271 _exit(EXIT_FAILURE);
3274 if (chdir("/") < 0) {
3275 log_error_errno(errno, "chdir() failed: %m");
3276 _exit(EXIT_FAILURE);
3281 if (arg_private_network)
3284 if (drop_capabilities() < 0) {
3285 log_error_errno(errno, "drop_capabilities() failed: %m");
3286 _exit(EXIT_FAILURE);
3289 r = change_uid_gid(&home);
3291 _exit(EXIT_FAILURE);
3293 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
3294 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
3295 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
3297 _exit(EXIT_FAILURE);
3300 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
3303 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
3305 _exit(EXIT_FAILURE);
3309 if (fdset_size(fds) > 0) {
3310 r = fdset_cloexec(fds, false);
3312 log_error_errno(r, "Failed to unset O_CLOEXEC for file descriptors.");
3313 _exit(EXIT_FAILURE);
3316 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
3317 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
3319 _exit(EXIT_FAILURE);
3325 if (arg_personality != 0xffffffffLU) {
3326 if (personality(arg_personality) < 0) {
3327 log_error_errno(errno, "personality() failed: %m");
3328 _exit(EXIT_FAILURE);
3330 } else if (secondary) {
3331 if (personality(PER_LINUX32) < 0) {
3332 log_error_errno(errno, "personality() failed: %m");
3333 _exit(EXIT_FAILURE);
3338 if (arg_selinux_context)
3339 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
3340 log_error_errno(errno, "setexeccon(\"%s\") failed: %m", arg_selinux_context);
3341 _exit(EXIT_FAILURE);
3345 if (!strv_isempty(arg_setenv)) {
3348 n = strv_env_merge(2, envp, arg_setenv);
3351 _exit(EXIT_FAILURE);
3356 env_use = (char**) envp;
3358 /* Wait until the parent is ready with the setup, too... */
3359 if (!barrier_place_and_sync(&barrier))
3360 _exit(EXIT_FAILURE);
3366 /* Automatically search for the init system */
3368 l = 1 + argc - optind;
3369 a = newa(char*, l + 1);
3370 memcpy(a + 1, argv + optind, l * sizeof(char*));
3372 a[0] = (char*) "/usr/lib/systemd/systemd";
3373 execve(a[0], a, env_use);
3375 a[0] = (char*) "/lib/systemd/systemd";
3376 execve(a[0], a, env_use);
3378 a[0] = (char*) "/sbin/init";
3379 execve(a[0], a, env_use);
3380 } else if (argc > optind)
3381 execvpe(argv[optind], argv + optind, env_use);
3383 chdir(home ? home : "/root");
3384 execle("/bin/bash", "-bash", NULL, env_use);
3385 execle("/bin/sh", "-sh", NULL, env_use);
3388 log_error_errno(errno, "execv() failed: %m");
3389 _exit(EXIT_FAILURE);
3392 barrier_set_role(&barrier, BARRIER_PARENT);
3396 /* wait for child-setup to be done */
3397 if (barrier_place_and_sync(&barrier)) {
3398 _cleanup_event_unref_ sd_event *event = NULL;
3399 _cleanup_(pty_forward_freep) PTYForward *forward = NULL;
3402 r = move_network_interfaces(pid);
3406 r = setup_veth(pid, veth_name, &ifi);
3410 r = setup_bridge(veth_name, &ifi);
3414 r = setup_macvlan(pid);
3418 r = register_machine(pid, ifi);
3422 /* Block SIGCHLD here, before notifying child.
3423 * process_pty() will handle it with the other signals. */
3424 r = sigprocmask(SIG_BLOCK, &mask_chld, NULL);
3428 /* Reset signal to default */
3429 r = default_signals(SIGCHLD, -1);
3433 /* Notify the child that the parent is ready with all
3434 * its setup, and that the child can now hand over
3435 * control to the code to run inside the container. */
3436 (void)barrier_place(&barrier);
3438 r = sd_event_new(&event);
3440 log_error_errno(r, "Failed to get default event source: %m");
3445 /* Try to kill the init system on SIGINT or SIGTERM */
3446 sd_event_add_signal(event, NULL, SIGINT, on_orderly_shutdown, UINT32_TO_PTR(pid));
3447 sd_event_add_signal(event, NULL, SIGTERM, on_orderly_shutdown, UINT32_TO_PTR(pid));
3449 /* Immediately exit */
3450 sd_event_add_signal(event, NULL, SIGINT, NULL, NULL);
3451 sd_event_add_signal(event, NULL, SIGTERM, NULL, NULL);
3454 /* simply exit on sigchld */
3455 sd_event_add_signal(event, NULL, SIGCHLD, NULL, NULL);
3457 r = pty_forward_new(event, master, &forward);
3459 log_error_errno(r, "Failed to create PTY forwarder: %m");
3463 r = sd_event_loop(event);
3465 log_error_errno(r, "Failed to run event loop: %m");
3469 forward = pty_forward_free(forward);
3474 /* Kill if it is not dead yet anyway */
3475 terminate_machine(pid);
3478 /* Normally redundant, but better safe than sorry */
3481 r = wait_for_container(pid, &container_status);
3485 /* We failed to wait for the container, or the
3486 * container exited abnormally */
3488 else if (r > 0 || container_status == CONTAINER_TERMINATED){
3489 /* The container exited with a non-zero
3490 * status, or with zero status and no reboot
3496 /* CONTAINER_REBOOTED, loop again */
3498 if (arg_keep_unit) {
3499 /* Special handling if we are running as a
3500 * service: instead of simply restarting the
3501 * machine we want to restart the entire
3502 * service, so let's inform systemd about this
3503 * with the special exit code 133. The service
3504 * file uses RestartForceExitStatus=133 so
3505 * that this results in a full nspawn
3506 * restart. This is necessary since we might
3507 * have cgroup parameters set we want to have
3518 "STATUS=Terminating...");
3520 loop_remove(loop_nr, &image_fd);
3525 if (remove_subvol && arg_directory) {
3528 k = btrfs_subvol_remove(arg_directory);
3530 log_warning_errno(k, "Cannot remove subvolume '%s', ignoring: %m", arg_directory);
3533 free(arg_directory);
3538 strv_free(arg_setenv);
3539 strv_free(arg_network_interfaces);
3540 strv_free(arg_network_macvlan);
3541 strv_free(arg_bind);
3542 strv_free(arg_bind_ro);
3543 strv_free(arg_tmpfs);
3545 return r < 0 ? EXIT_FAILURE : ret;