1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
36 #include <sys/epoll.h>
38 #include <sys/signalfd.h>
42 #include <systemd/sd-daemon.h>
47 #include "cgroup-util.h"
49 #include "loopback-setup.h"
51 static char *arg_directory = NULL;
52 static char *arg_user = NULL;
53 static bool arg_private_network = false;
55 static int help(void) {
57 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
58 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
59 " -h --help Show this help\n"
60 " -D --directory=NAME Root directory for the container\n"
61 " -u --user=USER Run the command under specified user or uid\n"
62 " --private-network Disable network in container\n",
63 program_invocation_short_name);
68 static int parse_argv(int argc, char *argv[]) {
71 ARG_PRIVATE_NETWORK = 0x100
74 static const struct option options[] = {
75 { "help", no_argument, NULL, 'h' },
76 { "directory", required_argument, NULL, 'D' },
77 { "user", required_argument, NULL, 'u' },
78 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
87 while ((c = getopt_long(argc, argv, "+hD:u:", options, NULL)) >= 0) {
97 if (!(arg_directory = strdup(optarg))) {
98 log_error("Failed to duplicate root directory.");
106 if (!(arg_user = strdup(optarg))) {
107 log_error("Failed to duplicate user name.");
113 case ARG_PRIVATE_NETWORK:
114 arg_private_network = true;
121 log_error("Unknown option code %c", c);
129 static int mount_all(const char *dest) {
131 typedef struct MountPoint {
140 static const MountPoint mount_table[] = {
141 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
142 { "/proc/sys", "/proc/sys", "bind", NULL, MS_BIND, true }, /* Bind mount first */
143 { "/proc/sys", "/proc/sys", "bind", NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
144 { "/sys", "/sys", "bind", NULL, MS_BIND, true }, /* Bind mount first */
145 { "/sys", "/sys", "bind", NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
146 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID, true },
147 { "/dev/pts", "/dev/pts", "bind", NULL, MS_BIND, true },
148 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV, true },
150 { "/sys/fs/selinux", "/sys/fs/selinux", "bind", NULL, MS_BIND, false }, /* Bind mount first */
151 { "/sys/fs/selinux", "/sys/fs/selinux", "bind", NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
159 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
162 if (asprintf(&where, "%s/%s", dest, mount_table[k].where) < 0) {
163 log_error("Out of memory");
171 if ((t = path_is_mount_point(where, false)) < 0) {
172 log_error("Failed to detect whether %s is a mount point: %s", where, strerror(-t));
181 mkdir_p(where, 0755);
183 if (mount(mount_table[k].what,
186 mount_table[k].flags,
187 mount_table[k].options) < 0 &&
188 mount_table[k].fatal) {
190 log_error("mount(%s) failed: %m", where);
199 /* Fix the timezone, if possible */
200 if (asprintf(&where, "%s/etc/localtime", dest) >= 0) {
202 if (mount("/etc/localtime", where, "bind", MS_BIND, NULL) >= 0)
203 mount("/etc/localtime", where, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL);
208 if (asprintf(&where, "%s/etc/timezone", dest) >= 0) {
210 if (mount("/etc/timezone", where, "bind", MS_BIND, NULL) >= 0)
211 mount("/etc/timezone", where, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL);
219 static int copy_devnodes(const char *dest, const char *console) {
221 static const char devnodes[] =
236 char *from = NULL, *to = NULL;
243 NULSTR_FOREACH(d, devnodes) {
246 asprintf(&from, "/dev/%s", d);
247 asprintf(&to, "%s/dev/%s", dest, d);
250 log_error("Failed to allocate devnode path");
263 if (stat(from, &st) < 0) {
265 if (errno != ENOENT) {
266 log_error("Failed to stat %s: %m", from);
271 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
273 log_error("%s is not a char or block device, cannot copy.", from);
277 } else if (mknod(to, st.st_mode, st.st_rdev) < 0) {
279 log_error("mknod(%s) failed: %m", dest);
288 if (stat(console, &st) < 0) {
290 log_error("Failed to stat %s: %m", console);
296 } else if (!S_ISCHR(st.st_mode)) {
298 log_error("/dev/console is not a char device.");
305 if (asprintf(&to, "%s/dev/console", dest) < 0) {
307 log_error("Out of memory");
314 /* We need to bind mount the right tty to /dev/console since
315 * ptys can only exist on pts file systems. To have something
316 * to bind mount things on we create a device node first, that
317 * has the right major/minor (note that the major minor
318 * doesn't actually matter here, since we mount it over
321 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0)
322 log_error("mknod for /dev/console failed: %m");
324 if (mount(console, to, "bind", MS_BIND, NULL) < 0) {
325 log_error("bind mount for /dev/console failed: %m");
333 if ((k = chmod_and_chown(console, 0600, 0, 0)) < 0) {
334 log_error("Failed to correct access mode for TTY: %s", strerror(-k));
346 static int drop_capabilities(void) {
347 static const unsigned long retain[] = {
357 CAP_NET_BIND_SERVICE,
373 for (l = 0; l <= cap_last_cap(); l++) {
376 for (i = 0; i < ELEMENTSOF(retain); i++)
380 if (i < ELEMENTSOF(retain))
383 if (prctl(PR_CAPBSET_DROP, l) < 0) {
384 log_error("PR_CAPBSET_DROP failed: %m");
392 static int is_os_tree(const char *path) {
395 /* We use /bin/sh as flag file if something is an OS */
397 if (asprintf(&p, "%s/bin/sh", path) < 0)
403 return r < 0 ? 0 : 1;
406 static int process_pty(int master, sigset_t *mask) {
408 char in_buffer[LINE_MAX], out_buffer[LINE_MAX];
409 size_t in_buffer_full = 0, out_buffer_full = 0;
410 struct epoll_event stdin_ev, stdout_ev, master_ev, signal_ev;
411 bool stdin_readable = false, stdout_writable = false, master_readable = false, master_writable = false;
412 int ep = -1, signal_fd = -1, r;
414 fd_nonblock(STDIN_FILENO, 1);
415 fd_nonblock(STDOUT_FILENO, 1);
416 fd_nonblock(master, 1);
418 if ((signal_fd = signalfd(-1, mask, SFD_NONBLOCK|SFD_CLOEXEC)) < 0) {
419 log_error("signalfd(): %m");
424 if ((ep = epoll_create1(EPOLL_CLOEXEC)) < 0) {
425 log_error("Failed to create epoll: %m");
431 stdin_ev.events = EPOLLIN|EPOLLET;
432 stdin_ev.data.fd = STDIN_FILENO;
435 stdout_ev.events = EPOLLOUT|EPOLLET;
436 stdout_ev.data.fd = STDOUT_FILENO;
439 master_ev.events = EPOLLIN|EPOLLOUT|EPOLLET;
440 master_ev.data.fd = master;
443 signal_ev.events = EPOLLIN;
444 signal_ev.data.fd = signal_fd;
446 if (epoll_ctl(ep, EPOLL_CTL_ADD, STDIN_FILENO, &stdin_ev) < 0 ||
447 epoll_ctl(ep, EPOLL_CTL_ADD, STDOUT_FILENO, &stdout_ev) < 0 ||
448 epoll_ctl(ep, EPOLL_CTL_ADD, master, &master_ev) < 0 ||
449 epoll_ctl(ep, EPOLL_CTL_ADD, signal_fd, &signal_ev) < 0) {
450 log_error("Failed to regiser fds in epoll: %m");
456 struct epoll_event ev[16];
460 if ((nfds = epoll_wait(ep, ev, ELEMENTSOF(ev), -1)) < 0) {
462 if (errno == EINTR || errno == EAGAIN)
465 log_error("epoll_wait(): %m");
472 for (i = 0; i < nfds; i++) {
473 if (ev[i].data.fd == STDIN_FILENO) {
475 if (ev[i].events & (EPOLLIN|EPOLLHUP))
476 stdin_readable = true;
478 } else if (ev[i].data.fd == STDOUT_FILENO) {
480 if (ev[i].events & (EPOLLOUT|EPOLLHUP))
481 stdout_writable = true;
483 } else if (ev[i].data.fd == master) {
485 if (ev[i].events & (EPOLLIN|EPOLLHUP))
486 master_readable = true;
488 if (ev[i].events & (EPOLLOUT|EPOLLHUP))
489 master_writable = true;
491 } else if (ev[i].data.fd == signal_fd) {
492 struct signalfd_siginfo sfsi;
495 if ((n = read(signal_fd, &sfsi, sizeof(sfsi))) != sizeof(sfsi)) {
498 log_error("Failed to read from signalfd: invalid block size");
503 if (errno != EINTR && errno != EAGAIN) {
504 log_error("Failed to read from signalfd: %m");
510 if (sfsi.ssi_signo == SIGWINCH) {
513 /* The window size changed, let's forward that. */
514 if (ioctl(STDIN_FILENO, TIOCGWINSZ, &ws) >= 0)
515 ioctl(master, TIOCSWINSZ, &ws);
524 while ((stdin_readable && in_buffer_full <= 0) ||
525 (master_writable && in_buffer_full > 0) ||
526 (master_readable && out_buffer_full <= 0) ||
527 (stdout_writable && out_buffer_full > 0)) {
529 if (stdin_readable && in_buffer_full < LINE_MAX) {
531 if ((k = read(STDIN_FILENO, in_buffer + in_buffer_full, LINE_MAX - in_buffer_full)) < 0) {
533 if (errno == EAGAIN || errno == EPIPE || errno == ECONNRESET || errno == EIO)
534 stdin_readable = false;
536 log_error("read(): %m");
541 in_buffer_full += (size_t) k;
544 if (master_writable && in_buffer_full > 0) {
546 if ((k = write(master, in_buffer, in_buffer_full)) < 0) {
548 if (errno == EAGAIN || errno == EPIPE || errno == ECONNRESET || errno == EIO)
549 master_writable = false;
551 log_error("write(): %m");
557 assert(in_buffer_full >= (size_t) k);
558 memmove(in_buffer, in_buffer + k, in_buffer_full - k);
563 if (master_readable && out_buffer_full < LINE_MAX) {
565 if ((k = read(master, out_buffer + out_buffer_full, LINE_MAX - out_buffer_full)) < 0) {
567 if (errno == EAGAIN || errno == EPIPE || errno == ECONNRESET || errno == EIO)
568 master_readable = false;
570 log_error("read(): %m");
575 out_buffer_full += (size_t) k;
578 if (stdout_writable && out_buffer_full > 0) {
580 if ((k = write(STDOUT_FILENO, out_buffer, out_buffer_full)) < 0) {
582 if (errno == EAGAIN || errno == EPIPE || errno == ECONNRESET || errno == EIO)
583 stdout_writable = false;
585 log_error("write(): %m");
591 assert(out_buffer_full >= (size_t) k);
592 memmove(out_buffer, out_buffer + k, out_buffer_full - k);
593 out_buffer_full -= k;
601 close_nointr_nofail(ep);
604 close_nointr_nofail(signal_fd);
609 int main(int argc, char *argv[]) {
611 int r = EXIT_FAILURE, k;
612 char *oldcg = NULL, *newcg = NULL;
614 const char *console = NULL;
615 struct termios saved_attr, raw_attr;
617 bool saved_attr_valid = false;
620 log_parse_environment();
623 if ((r = parse_argv(argc, argv)) <= 0)
629 p = path_make_absolute_cwd(arg_directory);
633 arg_directory = get_current_dir_name();
635 if (!arg_directory) {
636 log_error("Failed to determine path");
640 path_kill_slashes(arg_directory);
642 if (geteuid() != 0) {
643 log_error("Need to be root.");
647 if (sd_booted() <= 0) {
648 log_error("Not running on a systemd system.");
652 if (path_equal(arg_directory, "/")) {
653 log_error("Spawning container on root directory not supported.");
657 if (is_os_tree(arg_directory) <= 0) {
658 log_error("Directory %s doesn't look like an OS root directory. Refusing.", arg_directory);
662 if ((k = cg_get_by_pid(SYSTEMD_CGROUP_CONTROLLER, 0, &oldcg)) < 0) {
663 log_error("Failed to determine current cgroup: %s", strerror(-k));
667 if (asprintf(&newcg, "%s/nspawn-%lu", oldcg, (unsigned long) getpid()) < 0) {
668 log_error("Failed to allocate cgroup path.");
672 if ((k = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, newcg, 0)) < 0) {
673 log_error("Failed to create cgroup: %s", strerror(-k));
677 if ((master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY)) < 0) {
678 log_error("Failed to acquire pseudo tty: %m");
682 if (!(console = ptsname(master))) {
683 log_error("Failed to determine tty name: %m");
687 log_info("Spawning namespace container on %s (console is %s).", arg_directory, console);
689 if (ioctl(STDIN_FILENO, TIOCGWINSZ, &ws) >= 0)
690 ioctl(master, TIOCSWINSZ, &ws);
692 if (unlockpt(master) < 0) {
693 log_error("Failed to unlock tty: %m");
697 if (tcgetattr(STDIN_FILENO, &saved_attr) < 0) {
698 log_error("Failed to get terminal attributes: %m");
702 saved_attr_valid = true;
704 raw_attr = saved_attr;
705 cfmakeraw(&raw_attr);
706 raw_attr.c_lflag &= ~ECHO;
708 if (tcsetattr(STDIN_FILENO, TCSANOW, &raw_attr) < 0) {
709 log_error("Failed to set terminal attributes: %m");
713 assert_se(sigemptyset(&mask) == 0);
714 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
715 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
717 pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS|(arg_private_network ? CLONE_NEWNET : 0), NULL);
720 log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
722 log_error("clone() failed: %m");
731 const char *home = NULL;
732 uid_t uid = (uid_t) -1;
733 gid_t gid = (gid_t) -1;
734 const char *envp[] = {
735 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
736 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
744 envp[2] = strv_find_prefix(environ, "TERM=");
746 close_nointr_nofail(master);
748 close_nointr(STDIN_FILENO);
749 close_nointr(STDOUT_FILENO);
750 close_nointr(STDERR_FILENO);
752 close_all_fds(NULL, 0);
754 reset_all_signal_handlers();
756 assert_se(sigemptyset(&mask) == 0);
757 assert_se(sigprocmask(SIG_SETMASK, &mask, NULL) == 0);
762 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0)
765 /* Mark / as private, in case somebody marked it shared */
766 if (mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL) < 0)
769 if (mount_all(arg_directory) < 0)
772 if (copy_devnodes(arg_directory, console) < 0)
775 if (chdir(arg_directory) < 0) {
776 log_error("chdir(%s) failed: %m", arg_directory);
780 if (open_terminal("dev/console", O_RDWR) != STDIN_FILENO ||
781 dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
782 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO)
785 if (mount(arg_directory, "/", "bind", MS_BIND|MS_MOVE, NULL) < 0) {
786 log_error("mount(MS_MOVE) failed: %m");
790 if (chroot(".") < 0) {
791 log_error("chroot() failed: %m");
795 if (chdir("/") < 0) {
796 log_error("chdir() failed: %m");
804 if (drop_capabilities() < 0)
809 if (get_user_creds((const char**)&arg_user, &uid, &gid, &home) < 0) {
810 log_error("get_user_creds() failed: %m");
814 if (mkdir_parents(home, 0775) < 0) {
815 log_error("mkdir_parents() failed: %m");
819 if (safe_mkdir(home, 0775, uid, gid) < 0) {
820 log_error("safe_mkdir() failed: %m");
824 if (initgroups((const char*)arg_user, gid) < 0) {
825 log_error("initgroups() failed: %m");
829 if (setresgid(gid, gid, gid) < 0) {
830 log_error("setregid() failed: %m");
834 if (setresuid(uid, uid, uid) < 0) {
835 log_error("setreuid() failed: %m");
840 if ((asprintf((char**)(envp + 3), "HOME=%s", home? home: "/root") < 0) ||
841 (asprintf((char**)(envp + 4), "USER=%s", arg_user? arg_user : "root") < 0) ||
842 (asprintf((char**)(envp + 5), "LOGNAME=%s", arg_user? arg_user : "root") < 0)) {
843 log_error("Out of memory");
847 if ((hn = file_name_from_path(arg_directory)))
848 sethostname(hn, strlen(hn));
851 execvpe(argv[optind], argv + optind, (char**) envp);
853 chdir(home ? home : "/root");
854 execle("/bin/bash", "-bash", NULL, (char**) envp);
857 log_error("execv() failed: %m");
863 if (process_pty(master, &mask) < 0)
866 if (saved_attr_valid) {
867 tcsetattr(STDIN_FILENO, TCSANOW, &saved_attr);
868 saved_attr_valid = false;
871 r = wait_for_terminate_and_warn(argc > optind ? argv[optind] : "bash", pid);
877 if (saved_attr_valid)
878 tcsetattr(STDIN_FILENO, TCSANOW, &saved_attr);
881 close_nointr_nofail(master);
884 cg_attach(SYSTEMD_CGROUP_CONTROLLER, oldcg, 0);
887 cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, newcg, true);
~ianmdlvl / elogind.git / blob