1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/mount.h>
31 #include <sys/prctl.h>
35 #include <sys/socket.h>
36 #include <linux/netlink.h>
38 #include <linux/veth.h>
39 #include <sys/personality.h>
40 #include <linux/loop.h>
44 #include <selinux/selinux.h>
52 #include <blkid/blkid.h>
55 #include "sd-daemon.h"
64 #include "cgroup-util.h"
66 #include "path-util.h"
67 #include "loopback-setup.h"
68 #include "dev-setup.h"
73 #include "bus-error.h"
76 #include "rtnl-util.h"
77 #include "udev-util.h"
78 #include "blkid-util.h"
80 #include "siphash24.h"
82 #include "base-filesystem.h"
84 #include "event-util.h"
85 #include "capability.h"
87 #include "btrfs-util.h"
88 #include "machine-image.h"
90 #include "in-addr-util.h"
92 #include "local-addresses.h"
95 #include "seccomp-util.h"
98 typedef struct ExposePort {
101 uint16_t container_port;
102 LIST_FIELDS(struct ExposePort, ports);
105 typedef enum ContainerStatus {
106 CONTAINER_TERMINATED,
110 typedef enum LinkJournal {
117 typedef enum Volatile {
123 static char *arg_directory = NULL;
124 static char *arg_template = NULL;
125 static char *arg_user = NULL;
126 static sd_id128_t arg_uuid = {};
127 static char *arg_machine = NULL;
128 static const char *arg_selinux_context = NULL;
129 static const char *arg_selinux_apifs_context = NULL;
130 static const char *arg_slice = NULL;
131 static bool arg_private_network = false;
132 static bool arg_read_only = false;
133 static bool arg_boot = false;
134 static bool arg_ephemeral = false;
135 static LinkJournal arg_link_journal = LINK_AUTO;
136 static bool arg_link_journal_try = false;
137 static uint64_t arg_retain =
138 (1ULL << CAP_CHOWN) |
139 (1ULL << CAP_DAC_OVERRIDE) |
140 (1ULL << CAP_DAC_READ_SEARCH) |
141 (1ULL << CAP_FOWNER) |
142 (1ULL << CAP_FSETID) |
143 (1ULL << CAP_IPC_OWNER) |
145 (1ULL << CAP_LEASE) |
146 (1ULL << CAP_LINUX_IMMUTABLE) |
147 (1ULL << CAP_NET_BIND_SERVICE) |
148 (1ULL << CAP_NET_BROADCAST) |
149 (1ULL << CAP_NET_RAW) |
150 (1ULL << CAP_SETGID) |
151 (1ULL << CAP_SETFCAP) |
152 (1ULL << CAP_SETPCAP) |
153 (1ULL << CAP_SETUID) |
154 (1ULL << CAP_SYS_ADMIN) |
155 (1ULL << CAP_SYS_CHROOT) |
156 (1ULL << CAP_SYS_NICE) |
157 (1ULL << CAP_SYS_PTRACE) |
158 (1ULL << CAP_SYS_TTY_CONFIG) |
159 (1ULL << CAP_SYS_RESOURCE) |
160 (1ULL << CAP_SYS_BOOT) |
161 (1ULL << CAP_AUDIT_WRITE) |
162 (1ULL << CAP_AUDIT_CONTROL) |
164 static char **arg_bind = NULL;
165 static char **arg_bind_ro = NULL;
166 static char **arg_tmpfs = NULL;
167 static char **arg_setenv = NULL;
168 static bool arg_quiet = false;
169 static bool arg_share_system = false;
170 static bool arg_register = true;
171 static bool arg_keep_unit = false;
172 static char **arg_network_interfaces = NULL;
173 static char **arg_network_macvlan = NULL;
174 static char **arg_network_ipvlan = NULL;
175 static bool arg_network_veth = false;
176 static const char *arg_network_bridge = NULL;
177 static unsigned long arg_personality = 0xffffffffLU;
178 static char *arg_image = NULL;
179 static Volatile arg_volatile = VOLATILE_NO;
180 static ExposePort *arg_expose_ports = NULL;
181 static char **arg_property = NULL;
182 static uid_t arg_uid_shift = UID_INVALID, arg_uid_range = 0x10000U;
183 static bool arg_userns = false;
184 static int arg_kill_signal = 0;
186 static void help(void) {
187 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
188 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
189 " -h --help Show this help\n"
190 " --version Print version string\n"
191 " -q --quiet Do not show status information\n"
192 " -D --directory=PATH Root directory for the container\n"
193 " --template=PATH Initialize root directory from template directory,\n"
195 " -x --ephemeral Run container with snapshot of root directory, and\n"
196 " remove it after exit\n"
197 " -i --image=PATH File system device or disk image for the container\n"
198 " -b --boot Boot up full system (i.e. invoke init)\n"
199 " -u --user=USER Run the command under specified user or uid\n"
200 " -M --machine=NAME Set the machine name for the container\n"
201 " --uuid=UUID Set a specific machine UUID for the container\n"
202 " -S --slice=SLICE Place the container in the specified slice\n"
203 " --property=NAME=VALUE Set scope unit property\n"
204 " --private-network Disable network in container\n"
205 " --network-interface=INTERFACE\n"
206 " Assign an existing network interface to the\n"
208 " --network-macvlan=INTERFACE\n"
209 " Create a macvlan network interface based on an\n"
210 " existing network interface to the container\n"
211 " --network-ipvlan=INTERFACE\n"
212 " Create a ipvlan network interface based on an\n"
213 " existing network interface to the container\n"
214 " -n --network-veth Add a virtual ethernet connection between host\n"
216 " --network-bridge=INTERFACE\n"
217 " Add a virtual ethernet connection between host\n"
218 " and container and add it to an existing bridge on\n"
220 " --private-users[=UIDBASE[:NUIDS]]\n"
221 " Run within user namespace\n"
222 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
223 " Expose a container IP port on the host\n"
224 " -Z --selinux-context=SECLABEL\n"
225 " Set the SELinux security context to be used by\n"
226 " processes in the container\n"
227 " -L --selinux-apifs-context=SECLABEL\n"
228 " Set the SELinux security context to be used by\n"
229 " API/tmpfs file systems in the container\n"
230 " --capability=CAP In addition to the default, retain specified\n"
232 " --drop-capability=CAP Drop the specified capability from the default set\n"
233 " --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
234 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host,\n"
235 " try-guest, try-host\n"
236 " -j Equivalent to --link-journal=try-guest\n"
237 " --read-only Mount the root directory read-only\n"
238 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
240 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
241 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
242 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
243 " --share-system Share system namespaces with host\n"
244 " --register=BOOLEAN Register container as machine\n"
245 " --keep-unit Do not register a scope for the machine, reuse\n"
246 " the service unit nspawn is running in\n"
247 " --volatile[=MODE] Run the system in volatile mode\n"
248 , program_invocation_short_name);
251 static int set_sanitized_path(char **b, const char *path) {
257 p = canonicalize_file_name(path);
262 p = path_make_absolute_cwd(path);
268 *b = path_kill_slashes(p);
272 static int parse_argv(int argc, char *argv[]) {
289 ARG_NETWORK_INTERFACE,
301 static const struct option options[] = {
302 { "help", no_argument, NULL, 'h' },
303 { "version", no_argument, NULL, ARG_VERSION },
304 { "directory", required_argument, NULL, 'D' },
305 { "template", required_argument, NULL, ARG_TEMPLATE },
306 { "ephemeral", no_argument, NULL, 'x' },
307 { "user", required_argument, NULL, 'u' },
308 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
309 { "boot", no_argument, NULL, 'b' },
310 { "uuid", required_argument, NULL, ARG_UUID },
311 { "read-only", no_argument, NULL, ARG_READ_ONLY },
312 { "capability", required_argument, NULL, ARG_CAPABILITY },
313 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
314 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
315 { "bind", required_argument, NULL, ARG_BIND },
316 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
317 { "tmpfs", required_argument, NULL, ARG_TMPFS },
318 { "machine", required_argument, NULL, 'M' },
319 { "slice", required_argument, NULL, 'S' },
320 { "setenv", required_argument, NULL, ARG_SETENV },
321 { "selinux-context", required_argument, NULL, 'Z' },
322 { "selinux-apifs-context", required_argument, NULL, 'L' },
323 { "quiet", no_argument, NULL, 'q' },
324 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
325 { "register", required_argument, NULL, ARG_REGISTER },
326 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
327 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
328 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
329 { "network-ipvlan", required_argument, NULL, ARG_NETWORK_IPVLAN },
330 { "network-veth", no_argument, NULL, 'n' },
331 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
332 { "personality", required_argument, NULL, ARG_PERSONALITY },
333 { "image", required_argument, NULL, 'i' },
334 { "volatile", optional_argument, NULL, ARG_VOLATILE },
335 { "port", required_argument, NULL, 'p' },
336 { "property", required_argument, NULL, ARG_PROPERTY },
337 { "private-users", optional_argument, NULL, ARG_PRIVATE_USERS },
338 { "kill-signal", required_argument, NULL, ARG_KILL_SIGNAL },
343 uint64_t plus = 0, minus = 0;
348 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:xp:n", options, NULL)) >= 0)
357 puts(PACKAGE_STRING);
358 puts(SYSTEMD_FEATURES);
362 r = set_sanitized_path(&arg_directory, optarg);
364 return log_error_errno(r, "Invalid root directory: %m");
369 r = set_sanitized_path(&arg_template, optarg);
371 return log_error_errno(r, "Invalid template directory: %m");
376 r = set_sanitized_path(&arg_image, optarg);
378 return log_error_errno(r, "Invalid image path: %m");
383 arg_ephemeral = true;
388 arg_user = strdup(optarg);
394 case ARG_NETWORK_BRIDGE:
395 arg_network_bridge = optarg;
400 arg_network_veth = true;
401 arg_private_network = true;
404 case ARG_NETWORK_INTERFACE:
405 if (strv_extend(&arg_network_interfaces, optarg) < 0)
408 arg_private_network = true;
411 case ARG_NETWORK_MACVLAN:
412 if (strv_extend(&arg_network_macvlan, optarg) < 0)
415 arg_private_network = true;
418 case ARG_NETWORK_IPVLAN:
419 if (strv_extend(&arg_network_ipvlan, optarg) < 0)
424 case ARG_PRIVATE_NETWORK:
425 arg_private_network = true;
433 r = sd_id128_from_string(optarg, &arg_uuid);
435 log_error("Invalid UUID: %s", optarg);
445 if (isempty(optarg)) {
449 if (!machine_name_is_valid(optarg)) {
450 log_error("Invalid machine name: %s", optarg);
454 r = free_and_strdup(&arg_machine, optarg);
462 arg_selinux_context = optarg;
466 arg_selinux_apifs_context = optarg;
470 arg_read_only = true;
474 case ARG_DROP_CAPABILITY: {
475 const char *state, *word;
478 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
479 _cleanup_free_ char *t;
481 t = strndup(word, length);
485 if (streq(t, "all")) {
486 if (c == ARG_CAPABILITY)
487 plus = (uint64_t) -1;
489 minus = (uint64_t) -1;
493 cap = capability_from_name(t);
495 log_error("Failed to parse capability %s.", t);
499 if (c == ARG_CAPABILITY)
500 plus |= 1ULL << (uint64_t) cap;
502 minus |= 1ULL << (uint64_t) cap;
510 arg_link_journal = LINK_GUEST;
511 arg_link_journal_try = true;
514 case ARG_LINK_JOURNAL:
515 if (streq(optarg, "auto")) {
516 arg_link_journal = LINK_AUTO;
517 arg_link_journal_try = false;
518 } else if (streq(optarg, "no")) {
519 arg_link_journal = LINK_NO;
520 arg_link_journal_try = false;
521 } else if (streq(optarg, "guest")) {
522 arg_link_journal = LINK_GUEST;
523 arg_link_journal_try = false;
524 } else if (streq(optarg, "host")) {
525 arg_link_journal = LINK_HOST;
526 arg_link_journal_try = false;
527 } else if (streq(optarg, "try-guest")) {
528 arg_link_journal = LINK_GUEST;
529 arg_link_journal_try = true;
530 } else if (streq(optarg, "try-host")) {
531 arg_link_journal = LINK_HOST;
532 arg_link_journal_try = true;
534 log_error("Failed to parse link journal mode %s", optarg);
542 _cleanup_free_ char *a = NULL, *b = NULL;
546 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
548 e = strchr(optarg, ':');
550 a = strndup(optarg, e - optarg);
560 if (!path_is_absolute(a) || !path_is_absolute(b)) {
561 log_error("Invalid bind mount specification: %s", optarg);
565 r = strv_extend(x, a);
569 r = strv_extend(x, b);
577 _cleanup_free_ char *a = NULL, *b = NULL;
580 e = strchr(optarg, ':');
582 a = strndup(optarg, e - optarg);
586 b = strdup("mode=0755");
592 if (!path_is_absolute(a)) {
593 log_error("Invalid tmpfs specification: %s", optarg);
597 r = strv_push(&arg_tmpfs, a);
603 r = strv_push(&arg_tmpfs, b);
615 if (!env_assignment_is_valid(optarg)) {
616 log_error("Environment variable assignment '%s' is not valid.", optarg);
620 n = strv_env_set(arg_setenv, optarg);
624 strv_free(arg_setenv);
633 case ARG_SHARE_SYSTEM:
634 arg_share_system = true;
638 r = parse_boolean(optarg);
640 log_error("Failed to parse --register= argument: %s", optarg);
648 arg_keep_unit = true;
651 case ARG_PERSONALITY:
653 arg_personality = personality_from_string(optarg);
654 if (arg_personality == 0xffffffffLU) {
655 log_error("Unknown or unsupported personality '%s'.", optarg);
664 arg_volatile = VOLATILE_YES;
666 r = parse_boolean(optarg);
668 if (streq(optarg, "state"))
669 arg_volatile = VOLATILE_STATE;
671 log_error("Failed to parse --volatile= argument: %s", optarg);
675 arg_volatile = r ? VOLATILE_YES : VOLATILE_NO;
681 const char *split, *e;
682 uint16_t container_port, host_port;
686 if ((e = startswith(optarg, "tcp:")))
687 protocol = IPPROTO_TCP;
688 else if ((e = startswith(optarg, "udp:")))
689 protocol = IPPROTO_UDP;
692 protocol = IPPROTO_TCP;
695 split = strchr(e, ':');
697 char v[split - e + 1];
699 memcpy(v, e, split - e);
702 r = safe_atou16(v, &host_port);
703 if (r < 0 || host_port <= 0) {
704 log_error("Failed to parse host port: %s", optarg);
708 r = safe_atou16(split + 1, &container_port);
710 r = safe_atou16(e, &container_port);
711 host_port = container_port;
714 if (r < 0 || container_port <= 0) {
715 log_error("Failed to parse host port: %s", optarg);
719 LIST_FOREACH(ports, p, arg_expose_ports) {
720 if (p->protocol == protocol && p->host_port == host_port) {
721 log_error("Duplicate port specification: %s", optarg);
726 p = new(ExposePort, 1);
730 p->protocol = protocol;
731 p->host_port = host_port;
732 p->container_port = container_port;
734 LIST_PREPEND(ports, arg_expose_ports, p);
740 if (strv_extend(&arg_property, optarg) < 0)
745 case ARG_PRIVATE_USERS:
747 _cleanup_free_ char *buffer = NULL;
748 const char *range, *shift;
750 range = strchr(optarg, ':');
752 buffer = strndup(optarg, range - optarg);
758 if (safe_atou32(range, &arg_uid_range) < 0 || arg_uid_range <= 0) {
759 log_error("Failed to parse UID range: %s", range);
765 if (parse_uid(shift, &arg_uid_shift) < 0) {
766 log_error("Failed to parse UID: %s", optarg);
774 case ARG_KILL_SIGNAL:
775 arg_kill_signal = signal_from_string_try_harder(optarg);
776 if (arg_kill_signal < 0) {
777 log_error("Cannot parse signal: %s", optarg);
787 assert_not_reached("Unhandled option");
790 if (arg_share_system)
791 arg_register = false;
793 if (arg_boot && arg_share_system) {
794 log_error("--boot and --share-system may not be combined.");
798 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
799 log_error("--keep-unit may not be used when invoked from a user session.");
803 if (arg_directory && arg_image) {
804 log_error("--directory= and --image= may not be combined.");
808 if (arg_template && arg_image) {
809 log_error("--template= and --image= may not be combined.");
813 if (arg_template && !(arg_directory || arg_machine)) {
814 log_error("--template= needs --directory= or --machine=.");
818 if (arg_ephemeral && arg_template) {
819 log_error("--ephemeral and --template= may not be combined.");
823 if (arg_ephemeral && arg_image) {
824 log_error("--ephemeral and --image= may not be combined.");
828 if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO)) {
829 log_error("--ephemeral and --link-journal= may not be combined.");
833 if (arg_volatile != VOLATILE_NO && arg_read_only) {
834 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
838 if (arg_expose_ports && !arg_private_network) {
839 log_error("Cannot use --port= without private networking.");
843 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
845 if (arg_boot && arg_kill_signal <= 0)
846 arg_kill_signal = SIGRTMIN+3;
851 static int mount_all(const char *dest) {
853 typedef struct MountPoint {
862 static const MountPoint mount_table[] = {
863 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
864 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
865 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
866 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
867 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
868 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
869 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
870 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
871 { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true },
873 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
874 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
881 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
882 _cleanup_free_ char *where = NULL, *options = NULL;
886 where = strjoin(dest, "/", mount_table[k].where, NULL);
890 t = path_is_mount_point(where, true);
892 log_error_errno(t, "Failed to detect whether %s is a mount point: %m", where);
900 /* Skip this entry if it is not a remount. */
901 if (mount_table[k].what && t > 0)
904 t = mkdir_p(where, 0755);
906 if (mount_table[k].fatal) {
907 log_error_errno(t, "Failed to create directory %s: %m", where);
912 log_warning_errno(t, "Failed to create directory %s: %m", where);
918 if (arg_selinux_apifs_context &&
919 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
920 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
927 o = mount_table[k].options;
929 if (arg_userns && arg_uid_shift != UID_INVALID && streq_ptr(mount_table[k].type, "tmpfs")) {
930 char *uid_options = NULL;
933 asprintf(&uid_options, "%s,uid=" UID_FMT ",gid=" UID_FMT, o, arg_uid_shift, arg_uid_shift);
935 asprintf(&uid_options, "uid=" UID_FMT ",gid=" UID_FMT, arg_uid_shift, arg_uid_shift);
940 o = options = uid_options;
943 if (mount(mount_table[k].what,
946 mount_table[k].flags,
949 if (mount_table[k].fatal) {
950 log_error_errno(errno, "mount(%s) failed: %m", where);
955 log_warning_errno(errno, "mount(%s) failed: %m", where);
962 static int mount_binds(const char *dest, char **l, bool ro) {
965 STRV_FOREACH_PAIR(x, y, l) {
966 _cleanup_free_ char *where = NULL;
967 struct stat source_st, dest_st;
970 if (stat(*x, &source_st) < 0)
971 return log_error_errno(errno, "Failed to stat %s: %m", *x);
973 where = strappend(dest, *y);
977 r = stat(where, &dest_st);
979 if (S_ISDIR(source_st.st_mode) && !S_ISDIR(dest_st.st_mode)) {
980 log_error("Cannot bind mount directory %s on file %s.", *x, where);
983 if (!S_ISDIR(source_st.st_mode) && S_ISDIR(dest_st.st_mode)) {
984 log_error("Cannot bind mount file %s on directory %s.", *x, where);
987 } else if (errno == ENOENT) {
988 r = mkdir_parents_label(where, 0755);
990 return log_error_errno(r, "Failed to bind mount %s: %m", *x);
992 log_error_errno(errno, "Failed to bind mount %s: %m", *x);
996 /* Create the mount point. Any non-directory file can be
997 * mounted on any non-directory file (regular, fifo, socket,
1000 if (S_ISDIR(source_st.st_mode)) {
1001 r = mkdir_label(where, 0755);
1002 if (r < 0 && errno != EEXIST)
1003 return log_error_errno(r, "Failed to create mount point %s: %m", where);
1007 return log_error_errno(r, "Failed to create mount point %s: %m", where);
1010 if (mount(*x, where, NULL, MS_BIND, NULL) < 0)
1011 return log_error_errno(errno, "mount(%s) failed: %m", where);
1014 r = bind_remount_recursive(where, true);
1016 return log_error_errno(r, "Read-Only bind mount failed: %m");
1023 static int mount_cgroup_hierarchy(const char *dest, const char *controller, const char *hierarchy, bool read_only) {
1027 to = strjoina(dest, "/sys/fs/cgroup/", hierarchy);
1029 r = path_is_mount_point(to, false);
1031 return log_error_errno(r, "Failed to determine if %s is mounted already: %m", to);
1037 /* The superblock mount options of the mount point need to be
1038 * identical to the hosts', and hence writable... */
1039 if (mount("cgroup", to, "cgroup", MS_NOSUID|MS_NOEXEC|MS_NODEV, controller) < 0)
1040 return log_error_errno(errno, "Failed to mount to %s: %m", to);
1042 /* ... hence let's only make the bind mount read-only, not the
1045 if (mount(NULL, to, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, NULL) < 0)
1046 return log_error_errno(errno, "Failed to remount %s read-only: %m", to);
1051 static int mount_cgroup(const char *dest) {
1052 _cleanup_set_free_free_ Set *controllers = NULL;
1053 _cleanup_free_ char *own_cgroup_path = NULL;
1054 const char *cgroup_root, *systemd_root, *systemd_own;
1057 controllers = set_new(&string_hash_ops);
1061 r = cg_kernel_controllers(controllers);
1063 return log_error_errno(r, "Failed to determine cgroup controllers: %m");
1065 r = cg_pid_get_path(NULL, 0, &own_cgroup_path);
1067 return log_error_errno(r, "Failed to determine our own cgroup path: %m");
1069 cgroup_root = strjoina(dest, "/sys/fs/cgroup");
1070 if (mount("tmpfs", cgroup_root, "tmpfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, "mode=755") < 0)
1071 return log_error_errno(errno, "Failed to mount tmpfs to /sys/fs/cgroup: %m");
1074 _cleanup_free_ char *controller = NULL, *origin = NULL, *combined = NULL;
1076 controller = set_steal_first(controllers);
1080 origin = strappend("/sys/fs/cgroup/", controller);
1084 r = readlink_malloc(origin, &combined);
1086 /* Not a symbolic link, but directly a single cgroup hierarchy */
1088 r = mount_cgroup_hierarchy(dest, controller, controller, true);
1093 return log_error_errno(r, "Failed to read link %s: %m", origin);
1095 _cleanup_free_ char *target = NULL;
1097 target = strjoin(dest, "/sys/fs/cgroup/", controller, NULL);
1101 /* A symbolic link, a combination of controllers in one hierarchy */
1103 if (!filename_is_valid(combined)) {
1104 log_warning("Ignoring invalid combined hierarchy %s.", combined);
1108 r = mount_cgroup_hierarchy(dest, combined, combined, true);
1112 if (symlink(combined, target) < 0)
1113 return log_error_errno(errno, "Failed to create symlink for combined hierarchy: %m");
1117 r = mount_cgroup_hierarchy(dest, "name=systemd,xattr", "systemd", false);
1121 /* Make our own cgroup a (writable) bind mount */
1122 systemd_own = strjoina(dest, "/sys/fs/cgroup/systemd", own_cgroup_path);
1123 if (mount(systemd_own, systemd_own, NULL, MS_BIND, NULL) < 0)
1124 return log_error_errno(errno, "Failed to turn %s into a bind mount: %m", own_cgroup_path);
1126 /* And then remount the systemd cgroup root read-only */
1127 systemd_root = strjoina(dest, "/sys/fs/cgroup/systemd");
1128 if (mount(NULL, systemd_root, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, NULL) < 0)
1129 return log_error_errno(errno, "Failed to mount cgroup root read-only: %m");
1131 if (mount(NULL, cgroup_root, NULL, MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755") < 0)
1132 return log_error_errno(errno, "Failed to remount %s read-only: %m", cgroup_root);
1137 static int mount_tmpfs(const char *dest) {
1140 STRV_FOREACH_PAIR(i, o, arg_tmpfs) {
1141 _cleanup_free_ char *where = NULL;
1144 where = strappend(dest, *i);
1148 r = mkdir_label(where, 0755);
1149 if (r < 0 && r != -EEXIST)
1150 return log_error_errno(r, "Creating mount point for tmpfs %s failed: %m", where);
1152 if (mount("tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, *o) < 0)
1153 return log_error_errno(errno, "tmpfs mount to %s failed: %m", where);
1159 static int setup_timezone(const char *dest) {
1160 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
1166 /* Fix the timezone, if possible */
1167 r = readlink_malloc("/etc/localtime", &p);
1169 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
1173 z = path_startswith(p, "../usr/share/zoneinfo/");
1175 z = path_startswith(p, "/usr/share/zoneinfo/");
1177 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1181 where = strappend(dest, "/etc/localtime");
1185 r = readlink_malloc(where, &q);
1187 y = path_startswith(q, "../usr/share/zoneinfo/");
1189 y = path_startswith(q, "/usr/share/zoneinfo/");
1191 /* Already pointing to the right place? Then do nothing .. */
1192 if (y && streq(y, z))
1196 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
1200 if (access(check, F_OK) < 0) {
1201 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
1205 what = strappend("../usr/share/zoneinfo/", z);
1209 r = mkdir_parents(where, 0755);
1211 log_error_errno(r, "Failed to create directory for timezone info %s in container: %m", where);
1217 if (r < 0 && errno != ENOENT) {
1218 log_error_errno(errno, "Failed to remove existing timezone info %s in container: %m", where);
1223 if (symlink(what, where) < 0) {
1224 log_error_errno(errno, "Failed to correct timezone of container: %m");
1231 static int setup_resolv_conf(const char *dest) {
1232 _cleanup_free_ char *where = NULL;
1237 if (arg_private_network)
1240 /* Fix resolv.conf, if possible */
1241 where = strappend(dest, "/etc/resolv.conf");
1245 /* We don't really care for the results of this really. If it
1246 * fails, it fails, but meh... */
1247 r = mkdir_parents(where, 0755);
1249 log_warning_errno(r, "Failed to create parent directory for resolv.conf %s: %m", where);
1254 r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644, 0);
1256 log_warning_errno(r, "Failed to copy /etc/resolv.conf to %s: %m", where);
1264 static int setup_volatile_state(const char *directory) {
1270 if (arg_volatile != VOLATILE_STATE)
1273 /* --volatile=state means we simply overmount /var
1274 with a tmpfs, and the rest read-only. */
1276 r = bind_remount_recursive(directory, true);
1278 return log_error_errno(r, "Failed to remount %s read-only: %m", directory);
1280 p = strjoina(directory, "/var");
1282 if (r < 0 && errno != EEXIST)
1283 return log_error_errno(errno, "Failed to create %s: %m", directory);
1285 if (mount("tmpfs", p, "tmpfs", MS_STRICTATIME, "mode=755") < 0)
1286 return log_error_errno(errno, "Failed to mount tmpfs to /var: %m");
1291 static int setup_volatile(const char *directory) {
1292 bool tmpfs_mounted = false, bind_mounted = false;
1293 char template[] = "/tmp/nspawn-volatile-XXXXXX";
1299 if (arg_volatile != VOLATILE_YES)
1302 /* --volatile=yes means we mount a tmpfs to the root dir, and
1303 the original /usr to use inside it, and that read-only. */
1305 if (!mkdtemp(template))
1306 return log_error_errno(errno, "Failed to create temporary directory: %m");
1308 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
1309 log_error_errno(errno, "Failed to mount tmpfs for root directory: %m");
1314 tmpfs_mounted = true;
1316 f = strjoina(directory, "/usr");
1317 t = strjoina(template, "/usr");
1320 if (r < 0 && errno != EEXIST) {
1321 log_error_errno(errno, "Failed to create %s: %m", t);
1326 if (mount(f, t, NULL, MS_BIND|MS_REC, NULL) < 0) {
1327 log_error_errno(errno, "Failed to create /usr bind mount: %m");
1332 bind_mounted = true;
1334 r = bind_remount_recursive(t, true);
1336 log_error_errno(r, "Failed to remount %s read-only: %m", t);
1340 if (mount(template, directory, NULL, MS_MOVE, NULL) < 0) {
1341 log_error_errno(errno, "Failed to move root mount: %m");
1359 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
1362 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1363 SD_ID128_FORMAT_VAL(id));
1368 static int setup_boot_id(const char *dest) {
1369 _cleanup_free_ char *from = NULL, *to = NULL;
1370 sd_id128_t rnd = {};
1376 if (arg_share_system)
1379 /* Generate a new randomized boot ID, so that each boot-up of
1380 * the container gets a new one */
1382 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
1383 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
1387 r = sd_id128_randomize(&rnd);
1389 return log_error_errno(r, "Failed to generate random boot id: %m");
1391 id128_format_as_uuid(rnd, as_uuid);
1393 r = write_string_file(from, as_uuid);
1395 return log_error_errno(r, "Failed to write boot id: %m");
1397 if (mount(from, to, NULL, MS_BIND, NULL) < 0) {
1398 log_error_errno(errno, "Failed to bind mount boot id: %m");
1400 } else if (mount(from, to, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
1401 log_warning_errno(errno, "Failed to make boot id read-only: %m");
1407 static int copy_devnodes(const char *dest) {
1409 static const char devnodes[] =
1420 _cleanup_umask_ mode_t u;
1426 NULSTR_FOREACH(d, devnodes) {
1427 _cleanup_free_ char *from = NULL, *to = NULL;
1430 from = strappend("/dev/", d);
1431 to = strjoin(dest, "/dev/", d, NULL);
1435 if (stat(from, &st) < 0) {
1437 if (errno != ENOENT)
1438 return log_error_errno(errno, "Failed to stat %s: %m", from);
1440 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
1442 log_error("%s is not a char or block device, cannot copy", from);
1446 r = mkdir_parents(to, 0775);
1448 log_error_errno(r, "Failed to create parent directory of %s: %m", to);
1452 if (mknod(to, st.st_mode, st.st_rdev) < 0) {
1454 return log_error_errno(errno, "mknod(%s) failed: %m", to);
1456 /* Some systems abusively restrict mknod but
1457 * allow bind mounts. */
1460 return log_error_errno(r, "touch (%s) failed: %m", to);
1461 if (mount(from, to, NULL, MS_BIND, NULL) < 0)
1462 return log_error_errno(errno, "Both mknod and bind mount (%s) failed: %m", to);
1465 if (arg_userns && arg_uid_shift != UID_INVALID)
1466 if (lchown(to, arg_uid_shift, arg_uid_shift) < 0)
1467 return log_error_errno(errno, "chown() of device node %s failed: %m", to);
1474 static int setup_ptmx(const char *dest) {
1475 _cleanup_free_ char *p = NULL;
1477 p = strappend(dest, "/dev/ptmx");
1481 if (symlink("pts/ptmx", p) < 0)
1482 return log_error_errno(errno, "Failed to create /dev/ptmx symlink: %m");
1484 if (arg_userns && arg_uid_shift != UID_INVALID)
1485 if (lchown(p, arg_uid_shift, arg_uid_shift) < 0)
1486 return log_error_errno(errno, "lchown() of symlink %s failed: %m", p);
1491 static int setup_dev_console(const char *dest, const char *console) {
1492 _cleanup_umask_ mode_t u;
1501 r = chmod_and_chown(console, 0600, 0, 0);
1503 return log_error_errno(r, "Failed to correct access mode for TTY: %m");
1505 /* We need to bind mount the right tty to /dev/console since
1506 * ptys can only exist on pts file systems. To have something
1507 * to bind mount things on we create a empty regular file. */
1509 to = strjoina(dest, "/dev/console");
1512 return log_error_errno(r, "touch() for /dev/console failed: %m");
1514 if (mount(console, to, NULL, MS_BIND, NULL) < 0)
1515 return log_error_errno(errno, "Bind mount for /dev/console failed: %m");
1520 static int setup_kmsg(const char *dest, int kmsg_socket) {
1521 _cleanup_free_ char *from = NULL, *to = NULL;
1522 _cleanup_umask_ mode_t u;
1525 struct cmsghdr cmsghdr;
1526 uint8_t buf[CMSG_SPACE(sizeof(int))];
1528 struct msghdr mh = {
1529 .msg_control = &control,
1530 .msg_controllen = sizeof(control),
1532 struct cmsghdr *cmsg;
1535 assert(kmsg_socket >= 0);
1539 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1540 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1541 * on the reading side behave very similar to /proc/kmsg,
1542 * their writing side behaves differently from /dev/kmsg in
1543 * that writing blocks when nothing is reading. In order to
1544 * avoid any problems with containers deadlocking due to this
1545 * we simply make /dev/kmsg unavailable to the container. */
1546 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
1547 asprintf(&to, "%s/proc/kmsg", dest) < 0)
1550 if (mkfifo(from, 0600) < 0)
1551 return log_error_errno(errno, "mkfifo() for /dev/kmsg failed: %m");
1553 r = chmod_and_chown(from, 0600, 0, 0);
1555 return log_error_errno(r, "Failed to correct access mode for /dev/kmsg: %m");
1557 if (mount(from, to, NULL, MS_BIND, NULL) < 0)
1558 return log_error_errno(errno, "Bind mount for /proc/kmsg failed: %m");
1560 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
1562 return log_error_errno(errno, "Failed to open fifo: %m");
1564 cmsg = CMSG_FIRSTHDR(&mh);
1565 cmsg->cmsg_level = SOL_SOCKET;
1566 cmsg->cmsg_type = SCM_RIGHTS;
1567 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1568 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1570 mh.msg_controllen = cmsg->cmsg_len;
1572 /* Store away the fd in the socket, so that it stays open as
1573 * long as we run the child */
1574 k = sendmsg(kmsg_socket, &mh, MSG_NOSIGNAL);
1578 return log_error_errno(errno, "Failed to send FIFO fd: %m");
1580 /* And now make the FIFO unavailable as /dev/kmsg... */
1585 static int send_rtnl(int send_fd) {
1587 struct cmsghdr cmsghdr;
1588 uint8_t buf[CMSG_SPACE(sizeof(int))];
1590 struct msghdr mh = {
1591 .msg_control = &control,
1592 .msg_controllen = sizeof(control),
1594 struct cmsghdr *cmsg;
1595 _cleanup_close_ int fd = -1;
1598 assert(send_fd >= 0);
1600 if (!arg_expose_ports)
1603 fd = socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_ROUTE);
1605 return log_error_errno(errno, "failed to allocate container netlink: %m");
1607 cmsg = CMSG_FIRSTHDR(&mh);
1608 cmsg->cmsg_level = SOL_SOCKET;
1609 cmsg->cmsg_type = SCM_RIGHTS;
1610 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1611 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1613 mh.msg_controllen = cmsg->cmsg_len;
1615 /* Store away the fd in the socket, so that it stays open as
1616 * long as we run the child */
1617 k = sendmsg(send_fd, &mh, MSG_NOSIGNAL);
1619 return log_error_errno(errno, "Failed to send netlink fd: %m");
1624 static int flush_ports(union in_addr_union *exposed) {
1626 int r, af = AF_INET;
1630 if (!arg_expose_ports)
1633 if (in_addr_is_null(af, exposed))
1636 log_debug("Lost IP address.");
1638 LIST_FOREACH(ports, p, arg_expose_ports) {
1639 r = fw_add_local_dnat(false,
1650 log_warning_errno(r, "Failed to modify firewall: %m");
1653 *exposed = IN_ADDR_NULL;
1657 static int expose_ports(sd_rtnl *rtnl, union in_addr_union *exposed) {
1658 _cleanup_free_ struct local_address *addresses = NULL;
1659 _cleanup_free_ char *pretty = NULL;
1660 union in_addr_union new_exposed;
1663 int af = AF_INET, r;
1667 /* Invoked each time an address is added or removed inside the
1670 if (!arg_expose_ports)
1673 r = local_addresses(rtnl, 0, af, &addresses);
1675 return log_error_errno(r, "Failed to enumerate local addresses: %m");
1678 addresses[0].family == af &&
1679 addresses[0].scope < RT_SCOPE_LINK;
1682 return flush_ports(exposed);
1684 new_exposed = addresses[0].address;
1685 if (in_addr_equal(af, exposed, &new_exposed))
1688 in_addr_to_string(af, &new_exposed, &pretty);
1689 log_debug("New container IP is %s.", strna(pretty));
1691 LIST_FOREACH(ports, p, arg_expose_ports) {
1693 r = fw_add_local_dnat(true,
1702 in_addr_is_null(af, exposed) ? NULL : exposed);
1704 log_warning_errno(r, "Failed to modify firewall: %m");
1707 *exposed = new_exposed;
1711 static int on_address_change(sd_rtnl *rtnl, sd_rtnl_message *m, void *userdata) {
1712 union in_addr_union *exposed = userdata;
1718 expose_ports(rtnl, exposed);
1722 static int watch_rtnl(sd_event *event, int recv_fd, union in_addr_union *exposed, sd_rtnl **ret) {
1724 struct cmsghdr cmsghdr;
1725 uint8_t buf[CMSG_SPACE(sizeof(int))];
1727 struct msghdr mh = {
1728 .msg_control = &control,
1729 .msg_controllen = sizeof(control),
1731 struct cmsghdr *cmsg;
1732 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1737 assert(recv_fd >= 0);
1740 if (!arg_expose_ports)
1743 k = recvmsg(recv_fd, &mh, MSG_NOSIGNAL);
1745 return log_error_errno(errno, "Failed to recv netlink fd: %m");
1747 cmsg = CMSG_FIRSTHDR(&mh);
1748 assert(cmsg->cmsg_level == SOL_SOCKET);
1749 assert(cmsg->cmsg_type == SCM_RIGHTS);
1750 assert(cmsg->cmsg_len == CMSG_LEN(sizeof(int)));
1751 memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
1753 r = sd_rtnl_open_fd(&rtnl, fd, 1, RTNLGRP_IPV4_IFADDR);
1756 return log_error_errno(r, "Failed to create rtnl object: %m");
1759 r = sd_rtnl_add_match(rtnl, RTM_NEWADDR, on_address_change, exposed);
1761 return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");
1763 r = sd_rtnl_add_match(rtnl, RTM_DELADDR, on_address_change, exposed);
1765 return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");
1767 r = sd_rtnl_attach_event(rtnl, event, 0);
1769 return log_error_errno(r, "Failed to add to even loop: %m");
1777 static int setup_hostname(void) {
1779 if (arg_share_system)
1782 if (sethostname_idempotent(arg_machine) < 0)
1788 static int setup_journal(const char *directory) {
1789 sd_id128_t machine_id, this_id;
1790 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1794 /* Don't link journals in ephemeral mode */
1798 p = strappend(directory, "/etc/machine-id");
1802 r = read_one_line_file(p, &b);
1803 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1806 return log_error_errno(r, "Failed to read machine ID from %s: %m", p);
1809 if (isempty(id) && arg_link_journal == LINK_AUTO)
1812 /* Verify validity */
1813 r = sd_id128_from_string(id, &machine_id);
1815 return log_error_errno(r, "Failed to parse machine ID from %s: %m", p);
1817 r = sd_id128_get_machine(&this_id);
1819 return log_error_errno(r, "Failed to retrieve machine ID: %m");
1821 if (sd_id128_equal(machine_id, this_id)) {
1822 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1823 "Host and machine ids are equal (%s): refusing to link journals", id);
1824 if (arg_link_journal == LINK_AUTO)
1829 if (arg_link_journal == LINK_NO)
1833 p = strappend("/var/log/journal/", id);
1834 q = strjoin(directory, "/var/log/journal/", id, NULL);
1838 if (path_is_mount_point(p, false) > 0) {
1839 if (arg_link_journal != LINK_AUTO) {
1840 log_error("%s: already a mount point, refusing to use for journal", p);
1847 if (path_is_mount_point(q, false) > 0) {
1848 if (arg_link_journal != LINK_AUTO) {
1849 log_error("%s: already a mount point, refusing to use for journal", q);
1856 r = readlink_and_make_absolute(p, &d);
1858 if ((arg_link_journal == LINK_GUEST ||
1859 arg_link_journal == LINK_AUTO) &&
1862 r = mkdir_p(q, 0755);
1864 log_warning_errno(errno, "Failed to create directory %s: %m", q);
1869 return log_error_errno(errno, "Failed to remove symlink %s: %m", p);
1870 } else if (r == -EINVAL) {
1872 if (arg_link_journal == LINK_GUEST &&
1875 if (errno == ENOTDIR) {
1876 log_error("%s already exists and is neither a symlink nor a directory", p);
1879 log_error_errno(errno, "Failed to remove %s: %m", p);
1883 } else if (r != -ENOENT) {
1884 log_error_errno(errno, "readlink(%s) failed: %m", p);
1888 if (arg_link_journal == LINK_GUEST) {
1890 if (symlink(q, p) < 0) {
1891 if (arg_link_journal_try) {
1892 log_debug_errno(errno, "Failed to symlink %s to %s, skipping journal setup: %m", q, p);
1895 log_error_errno(errno, "Failed to symlink %s to %s: %m", q, p);
1900 r = mkdir_p(q, 0755);
1902 log_warning_errno(errno, "Failed to create directory %s: %m", q);
1906 if (arg_link_journal == LINK_HOST) {
1907 /* don't create parents here -- if the host doesn't have
1908 * permanent journal set up, don't force it here */
1911 if (arg_link_journal_try) {
1912 log_debug_errno(errno, "Failed to create %s, skipping journal setup: %m", p);
1915 log_error_errno(errno, "Failed to create %s: %m", p);
1920 } else if (access(p, F_OK) < 0)
1923 if (dir_is_empty(q) == 0)
1924 log_warning("%s is not empty, proceeding anyway.", q);
1926 r = mkdir_p(q, 0755);
1928 log_error_errno(errno, "Failed to create %s: %m", q);
1932 if (mount(p, q, NULL, MS_BIND, NULL) < 0)
1933 return log_error_errno(errno, "Failed to bind mount journal from host into guest: %m");
1938 static int drop_capabilities(void) {
1939 return capability_bounding_set_drop(~arg_retain, false);
1942 static int register_machine(pid_t pid, int local_ifindex) {
1943 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1944 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1950 r = sd_bus_default_system(&bus);
1952 return log_error_errno(r, "Failed to open system bus: %m");
1954 if (arg_keep_unit) {
1955 r = sd_bus_call_method(
1957 "org.freedesktop.machine1",
1958 "/org/freedesktop/machine1",
1959 "org.freedesktop.machine1.Manager",
1960 "RegisterMachineWithNetwork",
1965 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1969 strempty(arg_directory),
1970 local_ifindex > 0 ? 1 : 0, local_ifindex);
1972 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1975 r = sd_bus_message_new_method_call(
1978 "org.freedesktop.machine1",
1979 "/org/freedesktop/machine1",
1980 "org.freedesktop.machine1.Manager",
1981 "CreateMachineWithNetwork");
1983 return bus_log_create_error(r);
1985 r = sd_bus_message_append(
1989 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1993 strempty(arg_directory),
1994 local_ifindex > 0 ? 1 : 0, local_ifindex);
1996 return bus_log_create_error(r);
1998 r = sd_bus_message_open_container(m, 'a', "(sv)");
2000 return bus_log_create_error(r);
2002 if (!isempty(arg_slice)) {
2003 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
2005 return bus_log_create_error(r);
2008 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
2010 return bus_log_create_error(r);
2012 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9,
2013 /* Allow the container to
2014 * access and create the API
2015 * device nodes, so that
2016 * PrivateDevices= in the
2017 * container can work
2022 "/dev/random", "rwm",
2023 "/dev/urandom", "rwm",
2025 "/dev/net/tun", "rwm",
2026 /* Allow the container
2027 * access to ptys. However,
2029 * container to ever create
2030 * these device nodes. */
2031 "/dev/pts/ptmx", "rw",
2034 return log_error_errno(r, "Failed to add device whitelist: %m");
2036 STRV_FOREACH(i, arg_property) {
2037 r = sd_bus_message_open_container(m, 'r', "sv");
2039 return bus_log_create_error(r);
2041 r = bus_append_unit_property_assignment(m, *i);
2045 r = sd_bus_message_close_container(m);
2047 return bus_log_create_error(r);
2050 r = sd_bus_message_close_container(m);
2052 return bus_log_create_error(r);
2054 r = sd_bus_call(bus, m, 0, &error, NULL);
2058 log_error("Failed to register machine: %s", bus_error_message(&error, r));
2065 static int terminate_machine(pid_t pid) {
2066 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
2067 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
2068 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
2075 r = sd_bus_default_system(&bus);
2077 return log_error_errno(r, "Failed to open system bus: %m");
2079 r = sd_bus_call_method(
2081 "org.freedesktop.machine1",
2082 "/org/freedesktop/machine1",
2083 "org.freedesktop.machine1.Manager",
2090 /* Note that the machine might already have been
2091 * cleaned up automatically, hence don't consider it a
2092 * failure if we cannot get the machine object. */
2093 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
2097 r = sd_bus_message_read(reply, "o", &path);
2099 return bus_log_parse_error(r);
2101 r = sd_bus_call_method(
2103 "org.freedesktop.machine1",
2105 "org.freedesktop.machine1.Machine",
2111 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
2118 static int reset_audit_loginuid(void) {
2119 _cleanup_free_ char *p = NULL;
2122 if (arg_share_system)
2125 r = read_one_line_file("/proc/self/loginuid", &p);
2129 return log_error_errno(r, "Failed to read /proc/self/loginuid: %m");
2131 /* Already reset? */
2132 if (streq(p, "4294967295"))
2135 r = write_string_file("/proc/self/loginuid", "4294967295");
2137 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
2138 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2139 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2140 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2141 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
2149 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
2150 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
2151 #define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
2153 static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key, uint64_t idx) {
2159 l = strlen(arg_machine);
2160 sz = sizeof(sd_id128_t) + l;
2166 /* fetch some persistent data unique to the host */
2167 r = sd_id128_get_machine((sd_id128_t*) v);
2171 /* combine with some data unique (on this host) to this
2172 * container instance */
2173 i = mempcpy(v + sizeof(sd_id128_t), arg_machine, l);
2176 memcpy(i, &idx, sizeof(idx));
2179 /* Let's hash the host machine ID plus the container name. We
2180 * use a fixed, but originally randomly created hash key here. */
2181 siphash24(result, v, sz, hash_key.bytes);
2183 assert_cc(ETH_ALEN <= sizeof(result));
2184 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
2186 /* see eth_random_addr in the kernel */
2187 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
2188 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
2193 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
2194 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2195 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2196 struct ether_addr mac_host, mac_container;
2199 if (!arg_private_network)
2202 if (!arg_network_veth)
2205 /* Use two different interface name prefixes depending whether
2206 * we are in bridge mode or not. */
2207 snprintf(iface_name, IFNAMSIZ - 1, "%s-%s",
2208 arg_network_bridge ? "vb" : "ve", arg_machine);
2210 r = generate_mac(&mac_container, CONTAINER_HASH_KEY, 0);
2212 return log_error_errno(r, "Failed to generate predictable MAC address for container side: %m");
2214 r = generate_mac(&mac_host, HOST_HASH_KEY, 0);
2216 return log_error_errno(r, "Failed to generate predictable MAC address for host side: %m");
2218 r = sd_rtnl_open(&rtnl, 0);
2220 return log_error_errno(r, "Failed to connect to netlink: %m");
2222 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
2224 return log_error_errno(r, "Failed to allocate netlink message: %m");
2226 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
2228 return log_error_errno(r, "Failed to add netlink interface name: %m");
2230 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_host);
2232 return log_error_errno(r, "Failed to add netlink MAC address: %m");
2234 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
2236 return log_error_errno(r, "Failed to open netlink container: %m");
2238 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
2240 return log_error_errno(r, "Failed to open netlink container: %m");
2242 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
2244 return log_error_errno(r, "Failed to open netlink container: %m");
2246 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
2248 return log_error_errno(r, "Failed to add netlink interface name: %m");
2250 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_container);
2252 return log_error_errno(r, "Failed to add netlink MAC address: %m");
2254 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2256 return log_error_errno(r, "Failed to add netlink namespace field: %m");
2258 r = sd_rtnl_message_close_container(m);
2260 return log_error_errno(r, "Failed to close netlink container: %m");
2262 r = sd_rtnl_message_close_container(m);
2264 return log_error_errno(r, "Failed to close netlink container: %m");
2266 r = sd_rtnl_message_close_container(m);
2268 return log_error_errno(r, "Failed to close netlink container: %m");
2270 r = sd_rtnl_call(rtnl, m, 0, NULL);
2272 return log_error_errno(r, "Failed to add new veth interfaces: %m");
2274 i = (int) if_nametoindex(iface_name);
2276 return log_error_errno(errno, "Failed to resolve interface %s: %m", iface_name);
2283 static int setup_bridge(const char veth_name[], int *ifi) {
2284 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2285 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2288 if (!arg_private_network)
2291 if (!arg_network_veth)
2294 if (!arg_network_bridge)
2297 bridge = (int) if_nametoindex(arg_network_bridge);
2299 return log_error_errno(errno, "Failed to resolve interface %s: %m", arg_network_bridge);
2303 r = sd_rtnl_open(&rtnl, 0);
2305 return log_error_errno(r, "Failed to connect to netlink: %m");
2307 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
2309 return log_error_errno(r, "Failed to allocate netlink message: %m");
2311 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
2313 return log_error_errno(r, "Failed to set IFF_UP flag: %m");
2315 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
2317 return log_error_errno(r, "Failed to add netlink interface name field: %m");
2319 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
2321 return log_error_errno(r, "Failed to add netlink master field: %m");
2323 r = sd_rtnl_call(rtnl, m, 0, NULL);
2325 return log_error_errno(r, "Failed to add veth interface to bridge: %m");
2330 static int parse_interface(struct udev *udev, const char *name) {
2331 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2332 char ifi_str[2 + DECIMAL_STR_MAX(int)];
2335 ifi = (int) if_nametoindex(name);
2337 return log_error_errno(errno, "Failed to resolve interface %s: %m", name);
2339 sprintf(ifi_str, "n%i", ifi);
2340 d = udev_device_new_from_device_id(udev, ifi_str);
2342 return log_error_errno(errno, "Failed to get udev device for interface %s: %m", name);
2344 if (udev_device_get_is_initialized(d) <= 0) {
2345 log_error("Network interface %s is not initialized yet.", name);
2352 static int move_network_interfaces(pid_t pid) {
2353 _cleanup_udev_unref_ struct udev *udev = NULL;
2354 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2358 if (!arg_private_network)
2361 if (strv_isempty(arg_network_interfaces))
2364 r = sd_rtnl_open(&rtnl, 0);
2366 return log_error_errno(r, "Failed to connect to netlink: %m");
2370 log_error("Failed to connect to udev.");
2374 STRV_FOREACH(i, arg_network_interfaces) {
2375 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2378 ifi = parse_interface(udev, *i);
2382 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, ifi);
2384 return log_error_errno(r, "Failed to allocate netlink message: %m");
2386 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2388 return log_error_errno(r, "Failed to append namespace PID to netlink message: %m");
2390 r = sd_rtnl_call(rtnl, m, 0, NULL);
2392 return log_error_errno(r, "Failed to move interface %s to namespace: %m", *i);
2398 static int setup_macvlan(pid_t pid) {
2399 _cleanup_udev_unref_ struct udev *udev = NULL;
2400 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2405 if (!arg_private_network)
2408 if (strv_isempty(arg_network_macvlan))
2411 r = sd_rtnl_open(&rtnl, 0);
2413 return log_error_errno(r, "Failed to connect to netlink: %m");
2417 log_error("Failed to connect to udev.");
2421 STRV_FOREACH(i, arg_network_macvlan) {
2422 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2423 _cleanup_free_ char *n = NULL;
2424 struct ether_addr mac;
2427 ifi = parse_interface(udev, *i);
2431 r = generate_mac(&mac, MACVLAN_HASH_KEY, idx++);
2433 return log_error_errno(r, "Failed to create MACVLAN MAC address: %m");
2435 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
2437 return log_error_errno(r, "Failed to allocate netlink message: %m");
2439 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
2441 return log_error_errno(r, "Failed to add netlink interface index: %m");
2443 n = strappend("mv-", *i);
2447 strshorten(n, IFNAMSIZ-1);
2449 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
2451 return log_error_errno(r, "Failed to add netlink interface name: %m");
2453 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac);
2455 return log_error_errno(r, "Failed to add netlink MAC address: %m");
2457 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2459 return log_error_errno(r, "Failed to add netlink namespace field: %m");
2461 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
2463 return log_error_errno(r, "Failed to open netlink container: %m");
2465 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
2467 return log_error_errno(r, "Failed to open netlink container: %m");
2469 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
2471 return log_error_errno(r, "Failed to append macvlan mode: %m");
2473 r = sd_rtnl_message_close_container(m);
2475 return log_error_errno(r, "Failed to close netlink container: %m");
2477 r = sd_rtnl_message_close_container(m);
2479 return log_error_errno(r, "Failed to close netlink container: %m");
2481 r = sd_rtnl_call(rtnl, m, 0, NULL);
2483 return log_error_errno(r, "Failed to add new macvlan interfaces: %m");
2489 static int setup_ipvlan(pid_t pid) {
2490 _cleanup_udev_unref_ struct udev *udev = NULL;
2491 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2495 if (!arg_private_network)
2498 if (strv_isempty(arg_network_ipvlan))
2501 r = sd_rtnl_open(&rtnl, 0);
2503 return log_error_errno(r, "Failed to connect to netlink: %m");
2507 log_error("Failed to connect to udev.");
2511 STRV_FOREACH(i, arg_network_ipvlan) {
2512 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2513 _cleanup_free_ char *n = NULL;
2516 ifi = parse_interface(udev, *i);
2520 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
2522 return log_error_errno(r, "Failed to allocate netlink message: %m");
2524 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
2526 return log_error_errno(r, "Failed to add netlink interface index: %m");
2528 n = strappend("iv-", *i);
2532 strshorten(n, IFNAMSIZ-1);
2534 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
2536 return log_error_errno(r, "Failed to add netlink interface name: %m");
2538 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2540 return log_error_errno(r, "Failed to add netlink namespace field: %m");
2542 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
2544 return log_error_errno(r, "Failed to open netlink container: %m");
2546 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "ipvlan");
2548 return log_error_errno(r, "Failed to open netlink container: %m");
2550 r = sd_rtnl_message_append_u16(m, IFLA_IPVLAN_MODE, IPVLAN_MODE_L2);
2552 return log_error_errno(r, "Failed to add ipvlan mode: %m");
2554 r = sd_rtnl_message_close_container(m);
2556 return log_error_errno(r, "Failed to close netlink container: %m");
2558 r = sd_rtnl_message_close_container(m);
2560 return log_error_errno(r, "Failed to close netlink container: %m");
2562 r = sd_rtnl_call(rtnl, m, 0, NULL);
2564 return log_error_errno(r, "Failed to add new ipvlan interfaces: %m");
2570 static int setup_seccomp(void) {
2573 static const struct {
2574 uint64_t capability;
2577 { CAP_SYS_RAWIO, SCMP_SYS(iopl)},
2578 { CAP_SYS_RAWIO, SCMP_SYS(ioperm)},
2579 { CAP_SYS_BOOT, SCMP_SYS(kexec_load)},
2580 { CAP_SYS_ADMIN, SCMP_SYS(swapon)},
2581 { CAP_SYS_ADMIN, SCMP_SYS(swapoff)},
2582 { CAP_SYS_ADMIN, SCMP_SYS(open_by_handle_at)},
2583 { CAP_SYS_MODULE, SCMP_SYS(init_module)},
2584 { CAP_SYS_MODULE, SCMP_SYS(finit_module)},
2585 { CAP_SYS_MODULE, SCMP_SYS(delete_module)},
2588 scmp_filter_ctx seccomp;
2592 seccomp = seccomp_init(SCMP_ACT_ALLOW);
2596 r = seccomp_add_secondary_archs(seccomp);
2598 log_error_errno(r, "Failed to add secondary archs to seccomp filter: %m");
2602 for (i = 0; i < ELEMENTSOF(blacklist); i++) {
2603 if (arg_retain & (1ULL << blacklist[i].capability))
2606 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i].syscall_num, 0);
2608 continue; /* unknown syscall */
2610 log_error_errno(r, "Failed to block syscall: %m");
2617 Audit is broken in containers, much of the userspace audit
2618 hookup will fail if running inside a container. We don't
2619 care and just turn off creation of audit sockets.
2621 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
2622 with EAFNOSUPPORT which audit userspace uses as indication
2623 that audit is disabled in the kernel.
2626 r = seccomp_rule_add(
2628 SCMP_ACT_ERRNO(EAFNOSUPPORT),
2631 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
2632 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
2634 log_error_errno(r, "Failed to add audit seccomp rule: %m");
2638 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
2640 log_error_errno(r, "Failed to unset NO_NEW_PRIVS: %m");
2644 r = seccomp_load(seccomp);
2646 log_error_errno(r, "Failed to install seccomp audit filter: %m");
2649 seccomp_release(seccomp);
2657 static int setup_propagate(const char *root) {
2660 (void) mkdir_p("/run/systemd/nspawn/", 0755);
2661 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
2662 p = strjoina("/run/systemd/nspawn/propagate/", arg_machine);
2663 (void) mkdir_p(p, 0600);
2665 q = strjoina(root, "/run/systemd/nspawn/incoming");
2666 mkdir_parents(q, 0755);
2669 if (mount(p, q, NULL, MS_BIND, NULL) < 0)
2670 return log_error_errno(errno, "Failed to install propagation bind mount.");
2672 if (mount(NULL, q, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0)
2673 return log_error_errno(errno, "Failed to make propagation mount read-only");
2678 static int setup_image(char **device_path, int *loop_nr) {
2679 struct loop_info64 info = {
2680 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
2682 _cleanup_close_ int fd = -1, control = -1, loop = -1;
2683 _cleanup_free_ char* loopdev = NULL;
2687 assert(device_path);
2691 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2693 return log_error_errno(errno, "Failed to open %s: %m", arg_image);
2695 if (fstat(fd, &st) < 0)
2696 return log_error_errno(errno, "Failed to stat %s: %m", arg_image);
2698 if (S_ISBLK(st.st_mode)) {
2701 p = strdup(arg_image);
2715 if (!S_ISREG(st.st_mode)) {
2716 log_error_errno(errno, "%s is not a regular file or block device: %m", arg_image);
2720 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2722 return log_error_errno(errno, "Failed to open /dev/loop-control: %m");
2724 nr = ioctl(control, LOOP_CTL_GET_FREE);
2726 return log_error_errno(errno, "Failed to allocate loop device: %m");
2728 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
2731 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2733 return log_error_errno(errno, "Failed to open loop device %s: %m", loopdev);
2735 if (ioctl(loop, LOOP_SET_FD, fd) < 0)
2736 return log_error_errno(errno, "Failed to set loopback file descriptor on %s: %m", loopdev);
2739 info.lo_flags |= LO_FLAGS_READ_ONLY;
2741 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0)
2742 return log_error_errno(errno, "Failed to set loopback settings on %s: %m", loopdev);
2744 *device_path = loopdev;
2755 #define PARTITION_TABLE_BLURB \
2756 "Note that the disk image needs to either contain only a single MBR partition of\n" \
2757 "type 0x83 that is marked bootable, or a single GPT partition of type " \
2758 "0FC63DAF-8483-4772-8E79-3D69D8477DE4 or follow\n" \
2759 " http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n" \
2760 "to be bootable with systemd-nspawn."
2762 static int dissect_image(
2764 char **root_device, bool *root_device_rw,
2765 char **home_device, bool *home_device_rw,
2766 char **srv_device, bool *srv_device_rw,
2770 int home_nr = -1, srv_nr = -1;
2771 #ifdef GPT_ROOT_NATIVE
2774 #ifdef GPT_ROOT_SECONDARY
2775 int secondary_root_nr = -1;
2777 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL, *generic = NULL;
2778 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
2779 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2780 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2781 _cleanup_udev_unref_ struct udev *udev = NULL;
2782 struct udev_list_entry *first, *item;
2783 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true, generic_rw = true;
2784 bool is_gpt, is_mbr, multiple_generic = false;
2785 const char *pttype = NULL;
2792 assert(root_device);
2793 assert(home_device);
2798 b = blkid_new_probe();
2803 r = blkid_probe_set_device(b, fd, 0, 0);
2808 log_error_errno(errno, "Failed to set device on blkid probe: %m");
2812 blkid_probe_enable_partitions(b, 1);
2813 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
2816 r = blkid_do_safeprobe(b);
2817 if (r == -2 || r == 1) {
2818 log_error("Failed to identify any partition table on\n"
2820 PARTITION_TABLE_BLURB, arg_image);
2822 } else if (r != 0) {
2825 log_error_errno(errno, "Failed to probe: %m");
2829 (void) blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
2831 is_gpt = streq_ptr(pttype, "gpt");
2832 is_mbr = streq_ptr(pttype, "dos");
2834 if (!is_gpt && !is_mbr) {
2835 log_error("No GPT or MBR partition table discovered on\n"
2837 PARTITION_TABLE_BLURB, arg_image);
2842 pl = blkid_probe_get_partitions(b);
2847 log_error("Failed to list partitions of %s", arg_image);
2855 if (fstat(fd, &st) < 0)
2856 return log_error_errno(errno, "Failed to stat block device: %m");
2858 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2866 log_error("Kernel partitions never appeared.");
2870 e = udev_enumerate_new(udev);
2874 r = udev_enumerate_add_match_parent(e, d);
2878 r = udev_enumerate_scan_devices(e);
2880 return log_error_errno(r, "Failed to scan for partition devices of %s: %m", arg_image);
2882 /* Count the partitions enumerated by the kernel */
2884 first = udev_enumerate_get_list_entry(e);
2885 udev_list_entry_foreach(item, first)
2888 /* Count the partitions enumerated by blkid */
2889 m = blkid_partlist_numof_partitions(pl);
2893 log_error("blkid and kernel partition list do not match.");
2899 /* The kernel has probed fewer partitions than
2900 * blkid? Maybe the kernel prober is still
2901 * running or it got EBUSY because udev
2902 * already opened the device. Let's reprobe
2903 * the device, which is a synchronous call
2904 * that waits until probing is complete. */
2906 for (j = 0; j < 20; j++) {
2908 r = ioctl(fd, BLKRRPART, 0);
2911 if (r >= 0 || r != -EBUSY)
2914 /* If something else has the device
2915 * open, such as an udev rule, the
2916 * ioctl will return EBUSY. Since
2917 * there's no way to wait until it
2918 * isn't busy anymore, let's just wait
2919 * a bit, and try again.
2921 * This is really something they
2922 * should fix in the kernel! */
2924 usleep(50 * USEC_PER_MSEC);
2928 return log_error_errno(r, "Failed to reread partition table: %m");
2931 e = udev_enumerate_unref(e);
2934 first = udev_enumerate_get_list_entry(e);
2935 udev_list_entry_foreach(item, first) {
2936 _cleanup_udev_device_unref_ struct udev_device *q;
2938 unsigned long long flags;
2944 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2949 log_error_errno(errno, "Failed to get partition device of %s: %m", arg_image);
2953 qn = udev_device_get_devnum(q);
2957 if (st.st_rdev == qn)
2960 node = udev_device_get_devnode(q);
2964 pp = blkid_partlist_devno_to_partition(pl, qn);
2968 flags = blkid_partition_get_flags(pp);
2970 nr = blkid_partition_get_partno(pp);
2978 if (flags & GPT_FLAG_NO_AUTO)
2981 stype = blkid_partition_get_type_string(pp);
2985 if (sd_id128_from_string(stype, &type_id) < 0)
2988 if (sd_id128_equal(type_id, GPT_HOME)) {
2990 if (home && nr >= home_nr)
2994 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2996 r = free_and_strdup(&home, node);
3000 } else if (sd_id128_equal(type_id, GPT_SRV)) {
3002 if (srv && nr >= srv_nr)
3006 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
3008 r = free_and_strdup(&srv, node);
3012 #ifdef GPT_ROOT_NATIVE
3013 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
3015 if (root && nr >= root_nr)
3019 root_rw = !(flags & GPT_FLAG_READ_ONLY);
3021 r = free_and_strdup(&root, node);
3026 #ifdef GPT_ROOT_SECONDARY
3027 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
3029 if (secondary_root && nr >= secondary_root_nr)
3032 secondary_root_nr = nr;
3033 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
3035 r = free_and_strdup(&secondary_root, node);
3040 else if (sd_id128_equal(type_id, GPT_LINUX_GENERIC)) {
3043 multiple_generic = true;
3045 generic_rw = !(flags & GPT_FLAG_READ_ONLY);
3047 r = free_and_strdup(&generic, node);
3053 } else if (is_mbr) {
3056 if (flags != 0x80) /* Bootable flag */
3059 type = blkid_partition_get_type(pp);
3060 if (type != 0x83) /* Linux partition */
3064 multiple_generic = true;
3068 r = free_and_strdup(&root, node);
3076 *root_device = root;
3079 *root_device_rw = root_rw;
3081 } else if (secondary_root) {
3082 *root_device = secondary_root;
3083 secondary_root = NULL;
3085 *root_device_rw = secondary_root_rw;
3087 } else if (generic) {
3089 /* There were no partitions with precise meanings
3090 * around, but we found generic partitions. In this
3091 * case, if there's only one, we can go ahead and boot
3092 * it, otherwise we bail out, because we really cannot
3093 * make any sense of it. */
3095 if (multiple_generic) {
3096 log_error("Identified multiple bootable Linux partitions on\n"
3098 PARTITION_TABLE_BLURB, arg_image);
3102 *root_device = generic;
3105 *root_device_rw = generic_rw;
3108 log_error("Failed to identify root partition in disk image\n"
3110 PARTITION_TABLE_BLURB, arg_image);
3115 *home_device = home;
3118 *home_device_rw = home_rw;
3125 *srv_device_rw = srv_rw;
3130 log_error("--image= is not supported, compiled without blkid support.");
3135 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
3137 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
3138 const char *fstype, *p;
3148 p = strjoina(where, directory);
3153 b = blkid_new_probe_from_filename(what);
3157 log_error_errno(errno, "Failed to allocate prober for %s: %m", what);
3161 blkid_probe_enable_superblocks(b, 1);
3162 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
3165 r = blkid_do_safeprobe(b);
3166 if (r == -1 || r == 1) {
3167 log_error("Cannot determine file system type of %s", what);
3169 } else if (r != 0) {
3172 log_error_errno(errno, "Failed to probe %s: %m", what);
3177 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
3180 log_error("Failed to determine file system type of %s", what);
3184 if (streq(fstype, "crypto_LUKS")) {
3185 log_error("nspawn currently does not support LUKS disk images.");
3189 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0)
3190 return log_error_errno(errno, "Failed to mount %s: %m", what);
3194 log_error("--image= is not supported, compiled without blkid support.");
3199 static int mount_devices(
3201 const char *root_device, bool root_device_rw,
3202 const char *home_device, bool home_device_rw,
3203 const char *srv_device, bool srv_device_rw) {
3209 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
3211 return log_error_errno(r, "Failed to mount root directory: %m");
3215 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
3217 return log_error_errno(r, "Failed to mount home directory: %m");
3221 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
3223 return log_error_errno(r, "Failed to mount server data directory: %m");
3229 static void loop_remove(int nr, int *image_fd) {
3230 _cleanup_close_ int control = -1;
3236 if (image_fd && *image_fd >= 0) {
3237 r = ioctl(*image_fd, LOOP_CLR_FD);
3239 log_debug_errno(errno, "Failed to close loop image: %m");
3240 *image_fd = safe_close(*image_fd);
3243 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
3245 log_warning_errno(errno, "Failed to open /dev/loop-control: %m");
3249 r = ioctl(control, LOOP_CTL_REMOVE, nr);
3251 log_debug_errno(errno, "Failed to remove loop %d: %m", nr);
3254 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
3262 if (pipe2(pipe_fds, O_CLOEXEC) < 0)
3263 return log_error_errno(errno, "Failed to allocate pipe: %m");
3267 return log_error_errno(errno, "Failed to fork getent child: %m");
3268 else if (pid == 0) {
3270 char *empty_env = NULL;
3272 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
3273 _exit(EXIT_FAILURE);
3275 if (pipe_fds[0] > 2)
3276 safe_close(pipe_fds[0]);
3277 if (pipe_fds[1] > 2)
3278 safe_close(pipe_fds[1]);
3280 nullfd = open("/dev/null", O_RDWR);
3282 _exit(EXIT_FAILURE);
3284 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
3285 _exit(EXIT_FAILURE);
3287 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
3288 _exit(EXIT_FAILURE);
3293 reset_all_signal_handlers();
3294 close_all_fds(NULL, 0);
3296 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
3297 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
3298 _exit(EXIT_FAILURE);
3301 pipe_fds[1] = safe_close(pipe_fds[1]);
3308 static int change_uid_gid(char **_home) {
3309 char line[LINE_MAX], *x, *u, *g, *h;
3310 const char *word, *state;
3311 _cleanup_free_ uid_t *uids = NULL;
3312 _cleanup_free_ char *home = NULL;
3313 _cleanup_fclose_ FILE *f = NULL;
3314 _cleanup_close_ int fd = -1;
3315 unsigned n_uids = 0;
3324 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
3325 /* Reset everything fully to 0, just in case */
3327 if (setgroups(0, NULL) < 0)
3328 return log_error_errno(errno, "setgroups() failed: %m");
3330 if (setresgid(0, 0, 0) < 0)
3331 return log_error_errno(errno, "setregid() failed: %m");
3333 if (setresuid(0, 0, 0) < 0)
3334 return log_error_errno(errno, "setreuid() failed: %m");
3340 /* First, get user credentials */
3341 fd = spawn_getent("passwd", arg_user, &pid);
3345 f = fdopen(fd, "r");
3350 if (!fgets(line, sizeof(line), f)) {
3353 log_error("Failed to resolve user %s.", arg_user);
3357 log_error_errno(errno, "Failed to read from getent: %m");
3363 wait_for_terminate_and_warn("getent passwd", pid, true);
3365 x = strchr(line, ':');
3367 log_error("/etc/passwd entry has invalid user field.");
3371 u = strchr(x+1, ':');
3373 log_error("/etc/passwd entry has invalid password field.");
3380 log_error("/etc/passwd entry has invalid UID field.");
3388 log_error("/etc/passwd entry has invalid GID field.");
3393 h = strchr(x+1, ':');
3395 log_error("/etc/passwd entry has invalid GECOS field.");
3402 log_error("/etc/passwd entry has invalid home directory field.");
3408 r = parse_uid(u, &uid);
3410 log_error("Failed to parse UID of user.");
3414 r = parse_gid(g, &gid);
3416 log_error("Failed to parse GID of user.");
3424 /* Second, get group memberships */
3425 fd = spawn_getent("initgroups", arg_user, &pid);
3430 f = fdopen(fd, "r");
3435 if (!fgets(line, sizeof(line), f)) {
3437 log_error("Failed to resolve user %s.", arg_user);
3441 log_error_errno(errno, "Failed to read from getent: %m");
3447 wait_for_terminate_and_warn("getent initgroups", pid, true);
3449 /* Skip over the username and subsequent separator whitespace */
3451 x += strcspn(x, WHITESPACE);
3452 x += strspn(x, WHITESPACE);
3454 FOREACH_WORD(word, l, x, state) {
3460 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
3463 r = parse_uid(c, &uids[n_uids++]);
3465 log_error("Failed to parse group data from getent.");
3470 r = mkdir_parents(home, 0775);
3472 return log_error_errno(r, "Failed to make home root directory: %m");
3474 r = mkdir_safe(home, 0755, uid, gid);
3475 if (r < 0 && r != -EEXIST)
3476 return log_error_errno(r, "Failed to make home directory: %m");
3478 fchown(STDIN_FILENO, uid, gid);
3479 fchown(STDOUT_FILENO, uid, gid);
3480 fchown(STDERR_FILENO, uid, gid);
3482 if (setgroups(n_uids, uids) < 0)
3483 return log_error_errno(errno, "Failed to set auxiliary groups: %m");
3485 if (setresgid(gid, gid, gid) < 0)
3486 return log_error_errno(errno, "setregid() failed: %m");
3488 if (setresuid(uid, uid, uid) < 0)
3489 return log_error_errno(errno, "setreuid() failed: %m");
3501 * < 0 : wait_for_terminate() failed to get the state of the
3502 * container, the container was terminated by a signal, or
3503 * failed for an unknown reason. No change is made to the
3504 * container argument.
3505 * > 0 : The program executed in the container terminated with an
3506 * error. The exit code of the program executed in the
3507 * container is returned. The container argument has been set
3508 * to CONTAINER_TERMINATED.
3509 * 0 : The container is being rebooted, has been shut down or exited
3510 * successfully. The container argument has been set to either
3511 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
3513 * That is, success is indicated by a return value of zero, and an
3514 * error is indicated by a non-zero value.
3516 static int wait_for_container(pid_t pid, ContainerStatus *container) {
3520 r = wait_for_terminate(pid, &status);
3522 return log_warning_errno(r, "Failed to wait for container: %m");
3524 switch (status.si_code) {
3527 if (status.si_status == 0) {
3528 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s exited successfully.", arg_machine);
3531 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s failed with error code %i.", arg_machine, status.si_status);
3533 *container = CONTAINER_TERMINATED;
3534 return status.si_status;
3537 if (status.si_status == SIGINT) {
3539 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s has been shut down.", arg_machine);
3540 *container = CONTAINER_TERMINATED;
3543 } else if (status.si_status == SIGHUP) {
3545 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s is being rebooted.", arg_machine);
3546 *container = CONTAINER_REBOOTED;
3550 /* CLD_KILLED fallthrough */
3553 log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
3557 log_error("Container %s failed due to unknown reason.", arg_machine);
3564 static void nop_handler(int sig) {}
3566 static int on_orderly_shutdown(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) {
3569 pid = PTR_TO_UINT32(userdata);
3571 if (kill(pid, arg_kill_signal) >= 0) {
3572 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
3573 sd_event_source_set_userdata(s, NULL);
3578 sd_event_exit(sd_event_source_get_event(s), 0);
3582 static int determine_names(void) {
3585 if (!arg_image && !arg_directory) {
3587 _cleanup_(image_unrefp) Image *i = NULL;
3589 r = image_find(arg_machine, &i);
3591 return log_error_errno(r, "Failed to find image for machine '%s': %m", arg_machine);
3593 log_error("No image for machine '%s': %m", arg_machine);
3597 if (i->type == IMAGE_RAW)
3598 r = set_sanitized_path(&arg_image, i->path);
3600 r = set_sanitized_path(&arg_directory, i->path);
3602 return log_error_errno(r, "Invalid image directory: %m");
3604 arg_read_only = arg_read_only || i->read_only;
3606 arg_directory = get_current_dir_name();
3608 if (!arg_directory && !arg_machine) {
3609 log_error("Failed to determine path, please use -D or -i.");
3615 if (arg_directory && path_equal(arg_directory, "/"))
3616 arg_machine = gethostname_malloc();
3618 arg_machine = strdup(basename(arg_image ?: arg_directory));
3623 hostname_cleanup(arg_machine, false);
3624 if (!machine_name_is_valid(arg_machine)) {
3625 log_error("Failed to determine machine name automatically, please use -M.");
3629 if (arg_ephemeral) {
3632 /* Add a random suffix when this is an
3633 * ephemeral machine, so that we can run many
3634 * instances at once without manually having
3635 * to specify -M each time. */
3637 if (asprintf(&b, "%s-%016" PRIx64, arg_machine, random_u64()) < 0)
3648 static int determine_uid_shift(void) {
3654 if (arg_uid_shift == UID_INVALID) {
3657 r = stat(arg_directory, &st);
3659 return log_error_errno(errno, "Failed to determine UID base of %s: %m", arg_directory);
3661 arg_uid_shift = st.st_uid & UINT32_C(0xffff0000);
3663 if (arg_uid_shift != (st.st_gid & UINT32_C(0xffff0000))) {
3664 log_error("UID and GID base of %s don't match.", arg_directory);
3668 arg_uid_range = UINT32_C(0x10000);
3671 if (arg_uid_shift > (uid_t) -1 - arg_uid_range) {
3672 log_error("UID base too high for UID range.");
3676 log_info("Using user namespaces with base " UID_FMT " and range " UID_FMT ".", arg_uid_shift, arg_uid_range);
3680 int main(int argc, char *argv[]) {
3682 _cleanup_free_ char *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL, *console = NULL;
3683 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
3684 _cleanup_close_ int master = -1, image_fd = -1;
3685 _cleanup_fdset_free_ FDSet *fds = NULL;
3686 int r, n_fd_passed, loop_nr = -1;
3687 char veth_name[IFNAMSIZ];
3688 bool secondary = false, remove_subvol = false;
3689 sigset_t mask, mask_chld;
3691 int ret = EXIT_SUCCESS;
3692 union in_addr_union exposed = {};
3693 _cleanup_release_lock_file_ LockFile tree_global_lock = LOCK_FILE_INIT, tree_local_lock = LOCK_FILE_INIT;
3696 log_parse_environment();
3699 r = parse_argv(argc, argv);
3703 r = determine_names();
3707 if (geteuid() != 0) {
3708 log_error("Need to be root.");
3714 n_fd_passed = sd_listen_fds(false);
3715 if (n_fd_passed > 0) {
3716 r = fdset_new_listen_fds(&fds, false);
3718 log_error_errno(r, "Failed to collect file descriptors: %m");
3722 fdset_close_others(fds);
3725 if (arg_directory) {
3728 if (path_equal(arg_directory, "/") && !arg_ephemeral) {
3729 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
3734 if (arg_ephemeral) {
3735 _cleanup_free_ char *np = NULL;
3737 /* If the specified path is a mount point we
3738 * generate the new snapshot immediately
3739 * inside it under a random name. However if
3740 * the specified is not a mount point we
3741 * create the new snapshot in the parent
3742 * directory, just next to it. */
3743 r = path_is_mount_point(arg_directory, false);
3745 log_error_errno(r, "Failed to determine whether directory %s is mount point: %m", arg_directory);
3749 r = tempfn_random_child(arg_directory, &np);
3751 r = tempfn_random(arg_directory, &np);
3753 log_error_errno(r, "Failed to generate name for snapshot: %m");
3757 r = image_path_lock(np, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
3759 log_error_errno(r, "Failed to lock %s: %m", np);
3763 r = btrfs_subvol_snapshot(arg_directory, np, arg_read_only, true);
3765 log_error_errno(r, "Failed to create snapshot %s from %s: %m", np, arg_directory);
3769 free(arg_directory);
3773 remove_subvol = true;
3776 r = image_path_lock(arg_directory, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
3778 log_error_errno(r, "Directory tree %s is currently busy.", arg_directory);
3782 log_error_errno(r, "Failed to lock %s: %m", arg_directory);
3787 r = btrfs_subvol_snapshot(arg_template, arg_directory, arg_read_only, true);
3790 log_info("Directory %s already exists, not populating from template %s.", arg_directory, arg_template);
3792 log_error_errno(r, "Couldn't create snapshot %s from %s: %m", arg_directory, arg_template);
3796 log_info("Populated %s from template %s.", arg_directory, arg_template);
3802 if (path_is_os_tree(arg_directory) <= 0) {
3803 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory);
3810 p = strjoina(arg_directory,
3811 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
3812 if (access(p, F_OK) < 0) {
3813 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
3820 char template[] = "/tmp/nspawn-root-XXXXXX";
3823 assert(!arg_template);
3825 r = image_path_lock(arg_image, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
3827 r = log_error_errno(r, "Disk image %s is currently busy.", arg_image);
3831 r = log_error_errno(r, "Failed to create image lock: %m");
3835 if (!mkdtemp(template)) {
3836 log_error_errno(errno, "Failed to create temporary directory: %m");
3841 arg_directory = strdup(template);
3842 if (!arg_directory) {
3847 image_fd = setup_image(&device_path, &loop_nr);
3853 r = dissect_image(image_fd,
3854 &root_device, &root_device_rw,
3855 &home_device, &home_device_rw,
3856 &srv_device, &srv_device_rw,
3862 r = determine_uid_shift();
3866 interactive = isatty(STDIN_FILENO) > 0 && isatty(STDOUT_FILENO) > 0;
3868 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
3870 r = log_error_errno(errno, "Failed to acquire pseudo tty: %m");
3874 r = ptsname_malloc(master, &console);
3876 r = log_error_errno(r, "Failed to determine tty name: %m");
3880 if (unlockpt(master) < 0) {
3881 r = log_error_errno(errno, "Failed to unlock tty: %m");
3886 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3887 arg_machine, arg_image ?: arg_directory);
3889 assert_se(sigemptyset(&mask) == 0);
3890 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
3891 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
3893 assert_se(sigemptyset(&mask_chld) == 0);
3894 assert_se(sigaddset(&mask_chld, SIGCHLD) == 0);
3897 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 }, rtnl_socket_pair[2] = { -1, -1 };
3898 ContainerStatus container_status;
3899 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
3900 struct sigaction sa = {
3901 .sa_handler = nop_handler,
3902 .sa_flags = SA_NOCLDSTOP,
3905 r = barrier_create(&barrier);
3907 log_error_errno(r, "Cannot initialize IPC barrier: %m");
3911 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
3912 r = log_error_errno(errno, "Failed to create kmsg socket pair: %m");
3916 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, rtnl_socket_pair) < 0) {
3917 r = log_error_errno(errno, "Failed to create rtnl socket pair: %m");
3921 /* Child can be killed before execv(), so handle SIGCHLD
3922 * in order to interrupt parent's blocking calls and
3923 * give it a chance to call wait() and terminate. */
3924 r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL);
3926 r = log_error_errno(errno, "Failed to change the signal mask: %m");
3930 r = sigaction(SIGCHLD, &sa, NULL);
3932 r = log_error_errno(errno, "Failed to install SIGCHLD handler: %m");
3936 pid = raw_clone(SIGCHLD|CLONE_NEWNS|
3937 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
3938 (arg_private_network ? CLONE_NEWNET : 0), NULL);
3940 if (errno == EINVAL)
3941 r = log_error_errno(errno, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3943 r = log_error_errno(errno, "clone() failed: %m");
3950 _cleanup_free_ char *home = NULL;
3952 const char *envp[] = {
3953 "PATH=" DEFAULT_PATH_SPLIT_USR,
3954 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
3959 NULL, /* container_uuid */
3960 NULL, /* LISTEN_FDS */
3961 NULL, /* LISTEN_PID */
3966 barrier_set_role(&barrier, BARRIER_CHILD);
3968 envp[n_env] = strv_find_prefix(environ, "TERM=");
3972 master = safe_close(master);
3974 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
3975 rtnl_socket_pair[0] = safe_close(rtnl_socket_pair[0]);
3977 reset_all_signal_handlers();
3978 reset_signal_mask();
3981 close_nointr(STDIN_FILENO);
3982 close_nointr(STDOUT_FILENO);
3983 close_nointr(STDERR_FILENO);
3985 r = open_terminal(console, O_RDWR);
3986 if (r != STDIN_FILENO) {
3992 log_error_errno(r, "Failed to open console: %m");
3993 _exit(EXIT_FAILURE);
3996 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
3997 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
3998 log_error_errno(errno, "Failed to duplicate console: %m");
3999 _exit(EXIT_FAILURE);
4004 log_error_errno(errno, "setsid() failed: %m");
4005 _exit(EXIT_FAILURE);
4008 if (reset_audit_loginuid() < 0)
4009 _exit(EXIT_FAILURE);
4011 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
4012 log_error_errno(errno, "PR_SET_PDEATHSIG failed: %m");
4013 _exit(EXIT_FAILURE);
4016 if (arg_private_network)
4019 /* Mark everything as slave, so that we still
4020 * receive mounts from the real root, but don't
4021 * propagate mounts to the real root. */
4022 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
4023 log_error_errno(errno, "MS_SLAVE|MS_REC failed: %m");
4024 _exit(EXIT_FAILURE);
4027 if (mount_devices(arg_directory,
4028 root_device, root_device_rw,
4029 home_device, home_device_rw,
4030 srv_device, srv_device_rw) < 0)
4031 _exit(EXIT_FAILURE);
4033 /* Turn directory into bind mount */
4034 if (mount(arg_directory, arg_directory, NULL, MS_BIND|MS_REC, NULL) < 0) {
4035 log_error_errno(errno, "Failed to make bind mount: %m");
4036 _exit(EXIT_FAILURE);
4039 r = setup_volatile(arg_directory);
4041 _exit(EXIT_FAILURE);
4043 if (setup_volatile_state(arg_directory) < 0)
4044 _exit(EXIT_FAILURE);
4046 r = base_filesystem_create(arg_directory);
4048 _exit(EXIT_FAILURE);
4050 if (arg_read_only) {
4051 r = bind_remount_recursive(arg_directory, true);
4053 log_error_errno(r, "Failed to make tree read-only: %m");
4054 _exit(EXIT_FAILURE);
4058 if (mount_all(arg_directory) < 0)
4059 _exit(EXIT_FAILURE);
4061 if (copy_devnodes(arg_directory) < 0)
4062 _exit(EXIT_FAILURE);
4064 if (setup_ptmx(arg_directory) < 0)
4065 _exit(EXIT_FAILURE);
4067 dev_setup(arg_directory);
4069 if (setup_propagate(arg_directory) < 0)
4070 _exit(EXIT_FAILURE);
4072 if (setup_seccomp() < 0)
4073 _exit(EXIT_FAILURE);
4075 if (setup_dev_console(arg_directory, console) < 0)
4076 _exit(EXIT_FAILURE);
4078 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
4079 _exit(EXIT_FAILURE);
4080 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
4082 if (send_rtnl(rtnl_socket_pair[1]) < 0)
4083 _exit(EXIT_FAILURE);
4084 rtnl_socket_pair[1] = safe_close(rtnl_socket_pair[1]);
4086 /* Tell the parent that we are ready, and that
4087 * it can cgroupify us to that we lack access
4088 * to certain devices and resources. */
4089 (void) barrier_place(&barrier); /* #1 */
4091 if (setup_boot_id(arg_directory) < 0)
4092 _exit(EXIT_FAILURE);
4094 if (setup_timezone(arg_directory) < 0)
4095 _exit(EXIT_FAILURE);
4097 if (setup_resolv_conf(arg_directory) < 0)
4098 _exit(EXIT_FAILURE);
4100 if (setup_journal(arg_directory) < 0)
4101 _exit(EXIT_FAILURE);
4103 if (mount_binds(arg_directory, arg_bind, false) < 0)
4104 _exit(EXIT_FAILURE);
4106 if (mount_binds(arg_directory, arg_bind_ro, true) < 0)
4107 _exit(EXIT_FAILURE);
4109 if (mount_tmpfs(arg_directory) < 0)
4110 _exit(EXIT_FAILURE);
4112 /* Wait until we are cgroup-ified, so that we
4113 * can mount the right cgroup path writable */
4114 (void) barrier_place_and_sync(&barrier); /* #2 */
4116 if (mount_cgroup(arg_directory) < 0)
4117 _exit(EXIT_FAILURE);
4119 if (chdir(arg_directory) < 0) {
4120 log_error_errno(errno, "chdir(%s) failed: %m", arg_directory);
4121 _exit(EXIT_FAILURE);
4124 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
4125 log_error_errno(errno, "mount(MS_MOVE) failed: %m");
4126 _exit(EXIT_FAILURE);
4129 if (chroot(".") < 0) {
4130 log_error_errno(errno, "chroot() failed: %m");
4131 _exit(EXIT_FAILURE);
4134 if (chdir("/") < 0) {
4135 log_error_errno(errno, "chdir() failed: %m");
4136 _exit(EXIT_FAILURE);
4140 if (unshare(CLONE_NEWUSER) < 0) {
4141 log_error_errno(errno, "unshare(CLONE_NEWUSER) failed: %m");
4142 _exit(EXIT_FAILURE);
4145 /* Tell the parent, that it now can
4146 * write the UID map. */
4147 (void) barrier_place(&barrier); /* #3 */
4149 /* Wait until the parent wrote the UID
4151 (void) barrier_place_and_sync(&barrier); /* #4 */
4156 if (drop_capabilities() < 0) {
4157 log_error_errno(errno, "drop_capabilities() failed: %m");
4158 _exit(EXIT_FAILURE);
4163 if (arg_personality != 0xffffffffLU) {
4164 if (personality(arg_personality) < 0) {
4165 log_error_errno(errno, "personality() failed: %m");
4166 _exit(EXIT_FAILURE);
4168 } else if (secondary) {
4169 if (personality(PER_LINUX32) < 0) {
4170 log_error_errno(errno, "personality() failed: %m");
4171 _exit(EXIT_FAILURE);
4176 if (arg_selinux_context)
4177 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
4178 log_error_errno(errno, "setexeccon(\"%s\") failed: %m", arg_selinux_context);
4179 _exit(EXIT_FAILURE);
4183 r = change_uid_gid(&home);
4185 _exit(EXIT_FAILURE);
4187 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
4188 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
4189 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
4191 _exit(EXIT_FAILURE);
4194 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
4197 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
4199 _exit(EXIT_FAILURE);
4203 if (fdset_size(fds) > 0) {
4204 r = fdset_cloexec(fds, false);
4206 log_error_errno(r, "Failed to unset O_CLOEXEC for file descriptors.");
4207 _exit(EXIT_FAILURE);
4210 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
4211 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
4213 _exit(EXIT_FAILURE);
4217 if (!strv_isempty(arg_setenv)) {
4220 n = strv_env_merge(2, envp, arg_setenv);
4223 _exit(EXIT_FAILURE);
4228 env_use = (char**) envp;
4230 /* Let the parent know that we are ready and
4231 * wait until the parent is ready with the
4233 (void) barrier_place_and_sync(&barrier); /* #5 */
4239 /* Automatically search for the init system */
4241 l = 1 + argc - optind;
4242 a = newa(char*, l + 1);
4243 memcpy(a + 1, argv + optind, l * sizeof(char*));
4245 a[0] = (char*) "/usr/lib/systemd/systemd";
4246 execve(a[0], a, env_use);
4248 a[0] = (char*) "/lib/systemd/systemd";
4249 execve(a[0], a, env_use);
4251 a[0] = (char*) "/sbin/init";
4252 execve(a[0], a, env_use);
4253 } else if (argc > optind)
4254 execvpe(argv[optind], argv + optind, env_use);
4256 chdir(home ? home : "/root");
4257 execle("/bin/bash", "-bash", NULL, env_use);
4258 execle("/bin/sh", "-sh", NULL, env_use);
4261 log_error_errno(errno, "execv() failed: %m");
4262 _exit(EXIT_FAILURE);
4265 barrier_set_role(&barrier, BARRIER_PARENT);
4269 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
4270 rtnl_socket_pair[1] = safe_close(rtnl_socket_pair[1]);
4272 (void) barrier_place(&barrier); /* #1 */
4274 /* Wait for the most basic Child-setup to be done,
4275 * before we add hardware to it, and place it in a
4277 if (barrier_sync(&barrier)) { /* #1 */
4280 r = move_network_interfaces(pid);
4284 r = setup_veth(pid, veth_name, &ifi);
4288 r = setup_bridge(veth_name, &ifi);
4292 r = setup_macvlan(pid);
4296 r = setup_ipvlan(pid);
4300 r = register_machine(pid, ifi);
4304 /* Notify the child that the parent is ready with all
4305 * its setup, and that the child can now hand over
4306 * control to the code to run inside the container. */
4307 (void) barrier_place(&barrier); /* #2 */
4310 char uid_map[strlen("/proc//uid_map") + DECIMAL_STR_MAX(uid_t) + 1], line[DECIMAL_STR_MAX(uid_t)*3+3+1];
4312 (void) barrier_place_and_sync(&barrier); /* #3 */
4314 xsprintf(uid_map, "/proc/" PID_FMT "/uid_map", pid);
4315 xsprintf(line, UID_FMT " " UID_FMT " " UID_FMT "\n", 0, arg_uid_shift, arg_uid_range);
4316 r = write_string_file(uid_map, line);
4318 log_error_errno(r, "Failed to write UID map: %m");
4322 /* We always assign the same UID and GID ranges */
4323 xsprintf(uid_map, "/proc/" PID_FMT "/gid_map", pid);
4324 r = write_string_file(uid_map, line);
4326 log_error_errno(r, "Failed to write GID map: %m");
4330 (void) barrier_place(&barrier); /* #4 */
4333 /* Block SIGCHLD here, before notifying child.
4334 * process_pty() will handle it with the other signals. */
4335 r = sigprocmask(SIG_BLOCK, &mask_chld, NULL);
4339 /* Reset signal to default */
4340 r = default_signals(SIGCHLD, -1);
4344 /* Let the child know that we are ready and wait that the child is completely ready now. */
4345 if (barrier_place_and_sync(&barrier)) { /* #5 */
4346 _cleanup_event_unref_ sd_event *event = NULL;
4347 _cleanup_(pty_forward_freep) PTYForward *forward = NULL;
4348 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
4353 "STATUS=Container running.\n"
4354 "X_NSPAWN_LEADER_PID=" PID_FMT, pid);
4356 r = sd_event_new(&event);
4358 log_error_errno(r, "Failed to get default event source: %m");
4362 if (arg_kill_signal > 0) {
4363 /* Try to kill the init system on SIGINT or SIGTERM */
4364 sd_event_add_signal(event, NULL, SIGINT, on_orderly_shutdown, UINT32_TO_PTR(pid));
4365 sd_event_add_signal(event, NULL, SIGTERM, on_orderly_shutdown, UINT32_TO_PTR(pid));
4367 /* Immediately exit */
4368 sd_event_add_signal(event, NULL, SIGINT, NULL, NULL);
4369 sd_event_add_signal(event, NULL, SIGTERM, NULL, NULL);
4372 /* simply exit on sigchld */
4373 sd_event_add_signal(event, NULL, SIGCHLD, NULL, NULL);
4375 if (arg_expose_ports) {
4376 r = watch_rtnl(event, rtnl_socket_pair[0], &exposed, &rtnl);
4380 (void) expose_ports(rtnl, &exposed);
4383 rtnl_socket_pair[0] = safe_close(rtnl_socket_pair[0]);
4385 r = pty_forward_new(event, master, true, !interactive, &forward);
4387 log_error_errno(r, "Failed to create PTY forwarder: %m");
4391 r = sd_event_loop(event);
4393 log_error_errno(r, "Failed to run event loop: %m");
4397 pty_forward_get_last_char(forward, &last_char);
4399 forward = pty_forward_free(forward);
4401 if (!arg_quiet && last_char != '\n')
4404 /* Kill if it is not dead yet anyway */
4405 terminate_machine(pid);
4409 /* Normally redundant, but better safe than sorry */
4412 r = wait_for_container(pid, &container_status);
4416 /* We failed to wait for the container, or the
4417 * container exited abnormally */
4419 else if (r > 0 || container_status == CONTAINER_TERMINATED){
4420 /* The container exited with a non-zero
4421 * status, or with zero status and no reboot
4427 /* CONTAINER_REBOOTED, loop again */
4429 if (arg_keep_unit) {
4430 /* Special handling if we are running as a
4431 * service: instead of simply restarting the
4432 * machine we want to restart the entire
4433 * service, so let's inform systemd about this
4434 * with the special exit code 133. The service
4435 * file uses RestartForceExitStatus=133 so
4436 * that this results in a full nspawn
4437 * restart. This is necessary since we might
4438 * have cgroup parameters set we want to have
4445 flush_ports(&exposed);
4451 "STATUS=Terminating...");
4453 loop_remove(loop_nr, &image_fd);
4458 if (remove_subvol && arg_directory) {
4461 k = btrfs_subvol_remove(arg_directory);
4463 log_warning_errno(k, "Cannot remove subvolume '%s', ignoring: %m", arg_directory);
4469 p = strjoina("/run/systemd/nspawn/propagate/", arg_machine);
4470 (void) rm_rf(p, false, true, false);
4473 free(arg_directory);
4478 strv_free(arg_setenv);
4479 strv_free(arg_network_interfaces);
4480 strv_free(arg_network_macvlan);
4481 strv_free(arg_network_ipvlan);
4482 strv_free(arg_bind);
4483 strv_free(arg_bind_ro);
4484 strv_free(arg_tmpfs);
4486 flush_ports(&exposed);
4488 while (arg_expose_ports) {
4489 ExposePort *p = arg_expose_ports;
4490 LIST_REMOVE(ports, arg_expose_ports, p);
4494 return r < 0 ? EXIT_FAILURE : ret;