util: split-out conf-file.[ch]

[elogind.git] / src / nspawn / nspawn.c

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index bf3a84471dd833b4b6380c04cbfd8d06c885dd40..2a1f37bffcd50dca1a40bc3763e4f0827dc230e7 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -57,6 +57,7 @@ static char *arg_user = NULL;
 static char **arg_controllers = NULL;
 static char *arg_uuid = NULL;
 static bool arg_private_network = false;
+static bool arg_read_only = false;
 static bool arg_boot = false;
 
 static int help(void) {
@@ -69,7 +70,8 @@ static int help(void) {
                "  -u --user=USER        Run the command under specified user or uid\n"
                "  -C --controllers=LIST Put the container in specified comma-separated cgroup hierarchies\n"
                "     --uuid=UUID        Set a specific machine UUID for the container\n"
-               "     --private-network  Disable network in container\n",
+               "     --private-network  Disable network in container\n"
+               "     --read-only        Mount the root directory read-only\n",
                program_invocation_short_name);
 
         return 0;
@@ -79,7 +81,8 @@ static int parse_argv(int argc, char *argv[]) {
 
         enum {
                 ARG_PRIVATE_NETWORK = 0x100,
-                ARG_UUID
+                ARG_UUID,
+                ARG_READ_ONLY
         };
 
         static const struct option options[] = {
@@ -90,6 +93,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "private-network", no_argument,       NULL, ARG_PRIVATE_NETWORK },
                 { "boot",            no_argument,       NULL, 'b'                 },
                 { "uuid",            required_argument, NULL, ARG_UUID            },
+                { "read-only",       no_argument,       NULL, ARG_READ_ONLY       },
                 { NULL,              0,                 NULL, 0                   }
         };
 
@@ -148,6 +152,10 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_uuid = optarg;
                         break;
 
+                case ARG_READ_ONLY:
+                        arg_read_only = true;
+                        break;
+
                 case '?':
                         return -EINVAL;
 
@@ -263,6 +271,28 @@ static int setup_timezone(const char *dest) {
         return 0;
 }
 
+static int setup_resolv_conf(const char *dest) {
+        char *where;
+
+        assert(dest);
+
+        if (arg_private_network)
+                return 0;
+
+        /* Fix resolv.conf, if possible */
+        if (asprintf(&where, "%s/etc/resolv.conf", dest) < 0) {
+                log_error("Out of memory");
+                return -ENOMEM;
+        }
+
+        if (mount("/etc/resolv.conf", where, "bind", MS_BIND, NULL) >= 0)
+                mount("/etc/resolv.conf", where, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL);
+
+        free(where);
+
+        return 0;
+}
+
 static int copy_devnodes(const char *dest) {
 
         static const char devnodes[] =
@@ -949,6 +979,18 @@ int main(int argc, char *argv[]) {
                 if (mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL) < 0)
                         goto child_fail;
 
+                /* Turn directory into bind mount */
+                if (mount(arg_directory, arg_directory, "bind", MS_BIND, NULL) < 0) {
+                        log_error("Failed to make bind mount.");
+                        goto child_fail;
+                }
+
+                if (arg_read_only)
+                        if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
+                                log_error("Failed to make read-only.");
+                                goto child_fail;
+                        }
+
                 if (mount_all(arg_directory) < 0)
                         goto child_fail;
 
@@ -966,6 +1008,9 @@ int main(int argc, char *argv[]) {
                 if (setup_timezone(arg_directory) < 0)
                         goto child_fail;
 
+                if (setup_resolv_conf(arg_directory) < 0)
+                        goto child_fail;
+
                 if (chdir(arg_directory) < 0) {
                         log_error("chdir(%s) failed: %m", arg_directory);
                         goto child_fail;
@@ -976,8 +1021,8 @@ int main(int argc, char *argv[]) {
                     dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO)
                         goto child_fail;
 
-                if (mount(arg_directory, "/", "bind", MS_BIND, NULL) < 0) {
-                        log_error("mount(MS_MOVE) failed: %m");
+                if (mount(arg_directory, "/", "bind", MS_MOVE, NULL) < 0) {
+                        log_error("mount(MS_BIND) failed: %m");
                         goto child_fail;
                 }