1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
37 #include <sys/signalfd.h>
41 #include <sys/socket.h>
42 #include <linux/netlink.h>
43 #include <sys/eventfd.h>
45 #include <linux/veth.h>
48 #include <selinux/selinux.h>
55 #include "sd-daemon.h"
65 #include "cgroup-util.h"
67 #include "path-util.h"
68 #include "loopback-setup.h"
69 #include "dev-setup.h"
74 #include "bus-error.h"
76 #include "bus-kernel.h"
79 #include "rtnl-util.h"
80 #include "udev-util.h"
82 typedef enum LinkJournal {
89 static char *arg_directory = NULL;
90 static char *arg_user = NULL;
91 static sd_id128_t arg_uuid = {};
92 static char *arg_machine = NULL;
93 static char *arg_selinux_context = NULL;
94 static char *arg_selinux_apifs_context = NULL;
95 static const char *arg_slice = NULL;
96 static bool arg_private_network = false;
97 static bool arg_read_only = false;
98 static bool arg_boot = false;
99 static LinkJournal arg_link_journal = LINK_AUTO;
100 static uint64_t arg_retain =
101 (1ULL << CAP_CHOWN) |
102 (1ULL << CAP_DAC_OVERRIDE) |
103 (1ULL << CAP_DAC_READ_SEARCH) |
104 (1ULL << CAP_FOWNER) |
105 (1ULL << CAP_FSETID) |
106 (1ULL << CAP_IPC_OWNER) |
108 (1ULL << CAP_LEASE) |
109 (1ULL << CAP_LINUX_IMMUTABLE) |
110 (1ULL << CAP_NET_BIND_SERVICE) |
111 (1ULL << CAP_NET_BROADCAST) |
112 (1ULL << CAP_NET_RAW) |
113 (1ULL << CAP_SETGID) |
114 (1ULL << CAP_SETFCAP) |
115 (1ULL << CAP_SETPCAP) |
116 (1ULL << CAP_SETUID) |
117 (1ULL << CAP_SYS_ADMIN) |
118 (1ULL << CAP_SYS_CHROOT) |
119 (1ULL << CAP_SYS_NICE) |
120 (1ULL << CAP_SYS_PTRACE) |
121 (1ULL << CAP_SYS_TTY_CONFIG) |
122 (1ULL << CAP_SYS_RESOURCE) |
123 (1ULL << CAP_SYS_BOOT) |
124 (1ULL << CAP_AUDIT_WRITE) |
125 (1ULL << CAP_AUDIT_CONTROL) |
127 static char **arg_bind = NULL;
128 static char **arg_bind_ro = NULL;
129 static char **arg_setenv = NULL;
130 static bool arg_quiet = false;
131 static bool arg_share_system = false;
132 static bool arg_register = true;
133 static bool arg_keep_unit = false;
134 static char **arg_network_interfaces = NULL;
135 static bool arg_network_veth = false;
136 static char *arg_network_bridge = NULL;
138 static int help(void) {
140 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
141 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
142 " -h --help Show this help\n"
143 " --version Print version string\n"
144 " -q --quiet Do not show status information\n"
145 " -D --directory=NAME Root directory for the container\n"
146 " -b --boot Boot up full system (i.e. invoke init)\n"
147 " -u --user=USER Run the command under specified user or uid\n"
148 " -M --machine=NAME Set the machine name for the container\n"
149 " --uuid=UUID Set a specific machine UUID for the container\n"
150 " -S --slice=SLICE Place the container in the specified slice\n"
151 " --private-network Disable network in container\n"
152 " --network-interface=INTERFACE\n"
153 " Assign an existing network interface to the\n"
155 " --network-veth Add a virtual ethernet connection between host\n"
157 " --network-bridge=INTERFACE\n"
158 " Add a virtual ethernet connection between host\n"
159 " and container and add it to an existing bridge on\n"
161 " -Z --selinux-context=SECLABEL\n"
162 " Set the SELinux security context to be used by\n"
163 " processes in the container\n"
164 " -L --selinux-apifs-context=SECLABEL\n"
165 " Set the SELinux security context to be used by\n"
166 " API/tmpfs file systems in the container\n"
167 " --capability=CAP In addition to the default, retain specified\n"
169 " --drop-capability=CAP Drop the specified capability from the default set\n"
170 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n"
171 " -j Equivalent to --link-journal=host\n"
172 " --read-only Mount the root directory read-only\n"
173 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
175 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
176 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
177 " --share-system Share system namespaces with host\n"
178 " --register=BOOLEAN Register container as machine\n"
179 " --keep-unit Do not register a scope for the machine, reuse\n"
180 " the service unit nspawn is running in\n",
181 program_invocation_short_name);
186 static int parse_argv(int argc, char *argv[]) {
202 ARG_NETWORK_INTERFACE,
207 static const struct option options[] = {
208 { "help", no_argument, NULL, 'h' },
209 { "version", no_argument, NULL, ARG_VERSION },
210 { "directory", required_argument, NULL, 'D' },
211 { "user", required_argument, NULL, 'u' },
212 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
213 { "boot", no_argument, NULL, 'b' },
214 { "uuid", required_argument, NULL, ARG_UUID },
215 { "read-only", no_argument, NULL, ARG_READ_ONLY },
216 { "capability", required_argument, NULL, ARG_CAPABILITY },
217 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
218 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
219 { "bind", required_argument, NULL, ARG_BIND },
220 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
221 { "machine", required_argument, NULL, 'M' },
222 { "slice", required_argument, NULL, 'S' },
223 { "setenv", required_argument, NULL, ARG_SETENV },
224 { "selinux-context", required_argument, NULL, 'Z' },
225 { "selinux-apifs-context", required_argument, NULL, 'L' },
226 { "quiet", no_argument, NULL, 'q' },
227 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
228 { "register", required_argument, NULL, ARG_REGISTER },
229 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
230 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
231 { "network-veth", no_argument, NULL, ARG_NETWORK_VETH },
232 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
237 uint64_t plus = 0, minus = 0;
242 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:q", options, NULL)) >= 0) {
250 puts(PACKAGE_STRING);
251 puts(SYSTEMD_FEATURES);
256 arg_directory = canonicalize_file_name(optarg);
257 if (!arg_directory) {
258 log_error("Invalid root directory: %m");
266 arg_user = strdup(optarg);
272 case ARG_NETWORK_BRIDGE:
273 arg_network_bridge = strdup(optarg);
274 if (!arg_network_bridge)
279 case ARG_NETWORK_VETH:
280 arg_network_veth = true;
281 arg_private_network = true;
284 case ARG_NETWORK_INTERFACE:
285 if (strv_push(&arg_network_interfaces, optarg) < 0)
290 case ARG_PRIVATE_NETWORK:
291 arg_private_network = true;
299 r = sd_id128_from_string(optarg, &arg_uuid);
301 log_error("Invalid UUID: %s", optarg);
307 arg_slice = strdup(optarg);
314 if (isempty(optarg)) {
319 if (!hostname_is_valid(optarg)) {
320 log_error("Invalid machine name: %s", optarg);
325 arg_machine = strdup(optarg);
333 arg_selinux_context = optarg;
337 arg_selinux_apifs_context = optarg;
341 arg_read_only = true;
345 case ARG_DROP_CAPABILITY: {
349 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
350 _cleanup_free_ char *t;
353 t = strndup(word, length);
357 if (streq(t, "all")) {
358 if (c == ARG_CAPABILITY)
359 plus = (uint64_t) -1;
361 minus = (uint64_t) -1;
363 if (cap_from_name(t, &cap) < 0) {
364 log_error("Failed to parse capability %s.", t);
368 if (c == ARG_CAPABILITY)
369 plus |= 1ULL << (uint64_t) cap;
371 minus |= 1ULL << (uint64_t) cap;
379 arg_link_journal = LINK_GUEST;
382 case ARG_LINK_JOURNAL:
383 if (streq(optarg, "auto"))
384 arg_link_journal = LINK_AUTO;
385 else if (streq(optarg, "no"))
386 arg_link_journal = LINK_NO;
387 else if (streq(optarg, "guest"))
388 arg_link_journal = LINK_GUEST;
389 else if (streq(optarg, "host"))
390 arg_link_journal = LINK_HOST;
392 log_error("Failed to parse link journal mode %s", optarg);
400 _cleanup_free_ char *a = NULL, *b = NULL;
404 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
406 e = strchr(optarg, ':');
408 a = strndup(optarg, e - optarg);
418 if (!path_is_absolute(a) || !path_is_absolute(b)) {
419 log_error("Invalid bind mount specification: %s", optarg);
423 r = strv_extend(x, a);
427 r = strv_extend(x, b);
437 if (!env_assignment_is_valid(optarg)) {
438 log_error("Environment variable assignment '%s' is not valid.", optarg);
442 n = strv_env_set(arg_setenv, optarg);
446 strv_free(arg_setenv);
455 case ARG_SHARE_SYSTEM:
456 arg_share_system = true;
460 r = parse_boolean(optarg);
462 log_error("Failed to parse --register= argument: %s", optarg);
470 arg_keep_unit = true;
477 assert_not_reached("Unhandled option");
481 if (arg_share_system)
482 arg_register = false;
484 if (arg_boot && arg_share_system) {
485 log_error("--boot and --share-system may not be combined.");
489 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
490 log_error("--keep-unit may not be used when invoked from a user session.");
494 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
499 static int mount_all(const char *dest) {
501 typedef struct MountPoint {
510 static const MountPoint mount_table[] = {
511 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
512 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
513 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
514 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
515 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
516 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
517 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
518 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
520 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
521 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
528 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
529 _cleanup_free_ char *where = NULL;
531 _cleanup_free_ char *options = NULL;
536 where = strjoin(dest, "/", mount_table[k].where, NULL);
540 t = path_is_mount_point(where, true);
542 log_error("Failed to detect whether %s is a mount point: %s", where, strerror(-t));
550 /* Skip this entry if it is not a remount. */
551 if (mount_table[k].what && t > 0)
554 mkdir_p(where, 0755);
557 if (arg_selinux_apifs_context &&
558 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
559 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
566 o = mount_table[k].options;
569 if (mount(mount_table[k].what,
572 mount_table[k].flags,
574 mount_table[k].fatal) {
576 log_error("mount(%s) failed: %m", where);
586 static int mount_binds(const char *dest, char **l, unsigned long flags) {
589 STRV_FOREACH_PAIR(x, y, l) {
591 struct stat source_st, dest_st;
594 if (stat(*x, &source_st) < 0) {
595 log_error("failed to stat %s: %m", *x);
599 where = strappenda(dest, *y);
600 r = stat(where, &dest_st);
602 if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
603 log_error("The file types of %s and %s do not match. Refusing bind mount",
607 } else if (errno == ENOENT) {
608 r = mkdir_parents_label(where, 0755);
610 log_error("Failed to bind mount %s: %s", *x, strerror(-r));
614 log_error("Failed to bind mount %s: %s", *x, strerror(errno));
617 /* Create the mount point, but be conservative -- refuse to create block
618 * and char devices. */
619 if (S_ISDIR(source_st.st_mode))
620 mkdir_label(where, 0755);
621 else if (S_ISFIFO(source_st.st_mode))
623 else if (S_ISSOCK(source_st.st_mode))
624 mknod(where, 0644 | S_IFSOCK, 0);
625 else if (S_ISREG(source_st.st_mode))
628 log_error("Refusing to create mountpoint for file: %s", *x);
632 if (mount(*x, where, "bind", MS_BIND, NULL) < 0) {
633 log_error("mount(%s) failed: %m", where);
637 if (flags && mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|flags, NULL) < 0) {
638 log_error("mount(%s) failed: %m", where);
646 static int setup_timezone(const char *dest) {
647 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
653 /* Fix the timezone, if possible */
654 r = readlink_malloc("/etc/localtime", &p);
656 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
660 z = path_startswith(p, "../usr/share/zoneinfo/");
662 z = path_startswith(p, "/usr/share/zoneinfo/");
664 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
668 where = strappend(dest, "/etc/localtime");
672 r = readlink_malloc(where, &q);
674 y = path_startswith(q, "../usr/share/zoneinfo/");
676 y = path_startswith(q, "/usr/share/zoneinfo/");
679 /* Already pointing to the right place? Then do nothing .. */
680 if (y && streq(y, z))
684 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
688 if (access(check, F_OK) < 0) {
689 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
693 what = strappend("../usr/share/zoneinfo/", z);
698 if (symlink(what, where) < 0) {
699 log_error("Failed to correct timezone of container: %m");
706 static int setup_resolv_conf(const char *dest) {
707 char _cleanup_free_ *where = NULL;
711 if (arg_private_network)
714 /* Fix resolv.conf, if possible */
715 where = strappend(dest, "/etc/resolv.conf");
719 /* We don't really care for the results of this really. If it
720 * fails, it fails, but meh... */
721 copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW);
726 static int setup_boot_id(const char *dest) {
727 _cleanup_free_ char *from = NULL, *to = NULL;
734 if (arg_share_system)
737 /* Generate a new randomized boot ID, so that each boot-up of
738 * the container gets a new one */
740 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
741 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
745 r = sd_id128_randomize(&rnd);
747 log_error("Failed to generate random boot id: %s", strerror(-r));
751 snprintf(as_uuid, sizeof(as_uuid),
752 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
753 SD_ID128_FORMAT_VAL(rnd));
754 char_array_0(as_uuid);
756 r = write_string_file(from, as_uuid);
758 log_error("Failed to write boot id: %s", strerror(-r));
762 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
763 log_error("Failed to bind mount boot id: %m");
765 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
766 log_warning("Failed to make boot id read-only: %m");
772 static int copy_devnodes(const char *dest) {
774 static const char devnodes[] =
784 _cleanup_umask_ mode_t u;
790 NULSTR_FOREACH(d, devnodes) {
791 _cleanup_free_ char *from = NULL, *to = NULL;
794 from = strappend("/dev/", d);
795 to = strjoin(dest, "/dev/", d, NULL);
799 if (stat(from, &st) < 0) {
801 if (errno != ENOENT) {
802 log_error("Failed to stat %s: %m", from);
806 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
808 log_error("%s is not a char or block device, cannot copy", from);
811 } else if (mknod(to, st.st_mode, st.st_rdev) < 0) {
813 log_error("mknod(%s) failed: %m", dest);
821 static int setup_ptmx(const char *dest) {
822 _cleanup_free_ char *p = NULL;
824 p = strappend(dest, "/dev/ptmx");
828 if (symlink("pts/ptmx", p) < 0) {
829 log_error("Failed to create /dev/ptmx symlink: %m");
836 static int setup_dev_console(const char *dest, const char *console) {
838 _cleanup_free_ char *to = NULL;
840 _cleanup_umask_ mode_t u;
847 if (stat(console, &st) < 0) {
848 log_error("Failed to stat %s: %m", console);
851 } else if (!S_ISCHR(st.st_mode)) {
852 log_error("/dev/console is not a char device");
856 r = chmod_and_chown(console, 0600, 0, 0);
858 log_error("Failed to correct access mode for TTY: %s", strerror(-r));
862 if (asprintf(&to, "%s/dev/console", dest) < 0)
865 /* We need to bind mount the right tty to /dev/console since
866 * ptys can only exist on pts file systems. To have something
867 * to bind mount things on we create a device node first, that
868 * has the right major/minor (note that the major minor
869 * doesn't actually matter here, since we mount it over
872 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0) {
873 log_error("mknod() for /dev/console failed: %m");
877 if (mount(console, to, "bind", MS_BIND, NULL) < 0) {
878 log_error("Bind mount for /dev/console failed: %m");
885 static int setup_kmsg(const char *dest, int kmsg_socket) {
886 _cleanup_free_ char *from = NULL, *to = NULL;
888 _cleanup_umask_ mode_t u;
890 struct cmsghdr cmsghdr;
891 uint8_t buf[CMSG_SPACE(sizeof(int))];
894 .msg_control = &control,
895 .msg_controllen = sizeof(control),
897 struct cmsghdr *cmsg;
900 assert(kmsg_socket >= 0);
904 /* We create the kmsg FIFO as /dev/kmsg, but immediately
905 * delete it after bind mounting it to /proc/kmsg. While FIFOs
906 * on the reading side behave very similar to /proc/kmsg,
907 * their writing side behaves differently from /dev/kmsg in
908 * that writing blocks when nothing is reading. In order to
909 * avoid any problems with containers deadlocking due to this
910 * we simply make /dev/kmsg unavailable to the container. */
911 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
912 asprintf(&to, "%s/proc/kmsg", dest) < 0)
915 if (mkfifo(from, 0600) < 0) {
916 log_error("mkfifo() for /dev/kmsg failed: %m");
920 r = chmod_and_chown(from, 0600, 0, 0);
922 log_error("Failed to correct access mode for /dev/kmsg: %s", strerror(-r));
926 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
927 log_error("Bind mount for /proc/kmsg failed: %m");
931 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
933 log_error("Failed to open fifo: %m");
937 cmsg = CMSG_FIRSTHDR(&mh);
938 cmsg->cmsg_level = SOL_SOCKET;
939 cmsg->cmsg_type = SCM_RIGHTS;
940 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
941 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
943 mh.msg_controllen = cmsg->cmsg_len;
945 /* Store away the fd in the socket, so that it stays open as
946 * long as we run the child */
947 k = sendmsg(kmsg_socket, &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
948 close_nointr_nofail(fd);
951 log_error("Failed to send FIFO fd: %m");
955 /* And now make the FIFO unavailable as /dev/kmsg... */
960 static int setup_hostname(void) {
962 if (arg_share_system)
965 if (sethostname(arg_machine, strlen(arg_machine)) < 0)
971 static int setup_journal(const char *directory) {
972 sd_id128_t machine_id, this_id;
973 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
977 p = strappend(directory, "/etc/machine-id");
981 r = read_one_line_file(p, &b);
982 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
985 log_error("Failed to read machine ID from %s: %s", p, strerror(-r));
990 if (isempty(id) && arg_link_journal == LINK_AUTO)
993 /* Verify validity */
994 r = sd_id128_from_string(id, &machine_id);
996 log_error("Failed to parse machine ID from %s: %s", p, strerror(-r));
1000 r = sd_id128_get_machine(&this_id);
1002 log_error("Failed to retrieve machine ID: %s", strerror(-r));
1006 if (sd_id128_equal(machine_id, this_id)) {
1007 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1008 "Host and machine ids are equal (%s): refusing to link journals", id);
1009 if (arg_link_journal == LINK_AUTO)
1015 if (arg_link_journal == LINK_NO)
1019 p = strappend("/var/log/journal/", id);
1020 q = strjoin(directory, "/var/log/journal/", id, NULL);
1024 if (path_is_mount_point(p, false) > 0) {
1025 if (arg_link_journal != LINK_AUTO) {
1026 log_error("%s: already a mount point, refusing to use for journal", p);
1033 if (path_is_mount_point(q, false) > 0) {
1034 if (arg_link_journal != LINK_AUTO) {
1035 log_error("%s: already a mount point, refusing to use for journal", q);
1042 r = readlink_and_make_absolute(p, &d);
1044 if ((arg_link_journal == LINK_GUEST ||
1045 arg_link_journal == LINK_AUTO) &&
1048 r = mkdir_p(q, 0755);
1050 log_warning("failed to create directory %s: %m", q);
1054 if (unlink(p) < 0) {
1055 log_error("Failed to remove symlink %s: %m", p);
1058 } else if (r == -EINVAL) {
1060 if (arg_link_journal == LINK_GUEST &&
1063 if (errno == ENOTDIR) {
1064 log_error("%s already exists and is neither a symlink nor a directory", p);
1067 log_error("Failed to remove %s: %m", p);
1071 } else if (r != -ENOENT) {
1072 log_error("readlink(%s) failed: %m", p);
1076 if (arg_link_journal == LINK_GUEST) {
1078 if (symlink(q, p) < 0) {
1079 log_error("Failed to symlink %s to %s: %m", q, p);
1083 r = mkdir_p(q, 0755);
1085 log_warning("failed to create directory %s: %m", q);
1089 if (arg_link_journal == LINK_HOST) {
1090 r = mkdir_p(p, 0755);
1092 log_error("Failed to create %s: %m", p);
1096 } else if (access(p, F_OK) < 0)
1099 if (dir_is_empty(q) == 0) {
1100 log_error("%s not empty.", q);
1104 r = mkdir_p(q, 0755);
1106 log_error("Failed to create %s: %m", q);
1110 if (mount(p, q, "bind", MS_BIND, NULL) < 0) {
1111 log_error("Failed to bind mount journal from host into guest: %m");
1118 static int setup_kdbus(const char *dest, const char *path) {
1124 p = strappenda(dest, "/dev/kdbus");
1125 if (mkdir(p, 0755) < 0) {
1126 log_error("Failed to create kdbus path: %m");
1130 if (mount(path, p, "bind", MS_BIND, NULL) < 0) {
1131 log_error("Failed to mount kdbus domain path: %m");
1138 static int drop_capabilities(void) {
1139 return capability_bounding_set_drop(~arg_retain, false);
1142 static int register_machine(pid_t pid) {
1143 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1144 _cleanup_bus_unref_ sd_bus *bus = NULL;
1150 r = sd_bus_default_system(&bus);
1152 log_error("Failed to open system bus: %s", strerror(-r));
1156 if (arg_keep_unit) {
1157 r = sd_bus_call_method(
1159 "org.freedesktop.machine1",
1160 "/org/freedesktop/machine1",
1161 "org.freedesktop.machine1.Manager",
1167 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1171 strempty(arg_directory));
1173 r = sd_bus_call_method(
1175 "org.freedesktop.machine1",
1176 "/org/freedesktop/machine1",
1177 "org.freedesktop.machine1.Manager",
1183 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1187 strempty(arg_directory),
1188 !isempty(arg_slice), "Slice", "s", arg_slice);
1192 log_error("Failed to register machine: %s", bus_error_message(&error, r));
1199 static int terminate_machine(pid_t pid) {
1200 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1201 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
1202 _cleanup_bus_unref_ sd_bus *bus = NULL;
1209 r = sd_bus_default_system(&bus);
1211 log_error("Failed to open system bus: %s", strerror(-r));
1215 r = sd_bus_call_method(
1217 "org.freedesktop.machine1",
1218 "/org/freedesktop/machine1",
1219 "org.freedesktop.machine1.Manager",
1226 /* Note that the machine might already have been
1227 * cleaned up automatically, hence don't consider it a
1228 * failure if we cannot get the machine object. */
1229 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
1233 r = sd_bus_message_read(reply, "o", &path);
1235 return bus_log_parse_error(r);
1237 r = sd_bus_call_method(
1239 "org.freedesktop.machine1",
1241 "org.freedesktop.machine1.Machine",
1247 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
1254 static int reset_audit_loginuid(void) {
1255 _cleanup_free_ char *p = NULL;
1258 if (arg_share_system)
1261 r = read_one_line_file("/proc/self/loginuid", &p);
1265 log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
1269 /* Already reset? */
1270 if (streq(p, "4294967295"))
1273 r = write_string_file("/proc/self/loginuid", "4294967295");
1275 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
1276 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1277 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1278 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1279 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
1287 static int setup_veth(pid_t pid, char iface_name[]) {
1288 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1289 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1292 if (!arg_private_network)
1295 if (!arg_network_veth)
1298 strncpy(iface_name+3, arg_machine, IFNAMSIZ - 3);
1300 r = sd_rtnl_open(0, &rtnl);
1302 log_error("Failed to connect to netlink: %s", strerror(-r));
1306 r = sd_rtnl_message_new_link(rtnl, RTM_NEWLINK, 0, &m);
1308 log_error("Failed to allocate netlink message: %s", strerror(-r));
1312 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
1314 log_error("Failed to add netlink interface name: %s", strerror(-r));
1318 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1320 log_error("Failed to open netlink container: %s", strerror(-r));
1324 r = sd_rtnl_message_append_string(m, IFLA_INFO_KIND, "veth");
1326 log_error("Failed to append netlink kind: %s", strerror(-r));
1330 r = sd_rtnl_message_open_container(m, IFLA_INFO_DATA);
1332 log_error("Failed to open netlink container: %s", strerror(-r));
1336 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
1338 log_error("Failed to open netlink container: %s", strerror(-r));
1342 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
1344 log_error("Failed to add netlink interface name: %s", strerror(-r));
1348 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1350 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1354 r = sd_rtnl_message_close_container(m);
1356 log_error("Failed to close netlink container: %s", strerror(-r));
1360 r = sd_rtnl_message_close_container(m);
1362 log_error("Failed to close netlink container: %s", strerror(-r));
1366 r = sd_rtnl_message_close_container(m);
1368 log_error("Failed to close netlink container: %s", strerror(-r));
1372 r = sd_rtnl_call(rtnl, m, 0, NULL);
1374 log_error("Failed to add new veth interfaces: %s", strerror(-r));
1381 static int setup_bridge(const char veth_name[]) {
1382 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1383 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1386 if (!arg_private_network)
1389 if (!arg_network_veth)
1392 if (!arg_network_bridge)
1395 bridge = (int) if_nametoindex(arg_network_bridge);
1397 log_error("Failed to resolve interface %s: %m", arg_network_bridge);
1401 r = sd_rtnl_open(0, &rtnl);
1403 log_error("Failed to connect to netlink: %s", strerror(-r));
1407 r = sd_rtnl_message_new_link(rtnl, RTM_SETLINK, 0, &m);
1409 log_error("Failed to allocate netlink message: %s", strerror(-r));
1413 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
1415 log_error("Failed to add netlink interface name field: %s", strerror(-r));
1419 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
1421 log_error("Failed to add netlink master field: %s", strerror(-r));
1425 r = sd_rtnl_call(rtnl, m, 0, NULL);
1427 log_error("Failed to add veth interface to bridge: %s", strerror(-r));
1434 static int move_network_interfaces(pid_t pid) {
1435 _cleanup_udev_unref_ struct udev *udev = NULL;
1436 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1440 if (!arg_private_network)
1443 if (strv_isempty(arg_network_interfaces))
1446 r = sd_rtnl_open(0, &rtnl);
1448 log_error("Failed to connect to netlink: %s", strerror(-r));
1454 log_error("Failed to connect to udev.");
1458 STRV_FOREACH(i, arg_network_interfaces) {
1459 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1460 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1461 char ifi_str[2 + DECIMAL_STR_MAX(int)];
1464 ifi = (int) if_nametoindex(*i);
1466 log_error("Failed to resolve interface %s: %m", *i);
1470 sprintf(ifi_str, "n%i", ifi);
1471 d = udev_device_new_from_device_id(udev, ifi_str);
1473 log_error("Failed to get udev device for interface %s: %m", *i);
1477 if (udev_device_get_is_initialized(d) <= 0) {
1478 log_error("Network interface %s is not initialized yet.", *i);
1482 r = sd_rtnl_message_new_link(rtnl, RTM_NEWLINK, ifi, &m);
1484 log_error("Failed to allocate netlink message: %s", strerror(-r));
1488 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1490 log_error("Failed to append namespace PID to netlink message: %s", strerror(-r));
1494 r = sd_rtnl_call(rtnl, m, 0, NULL);
1496 log_error("Failed to move interface %s to namespace: %s", *i, strerror(-r));
1504 static int audit_still_doesnt_work_in_containers(void) {
1507 scmp_filter_ctx seccomp;
1511 Audit is broken in containers, much of the userspace audit
1512 hookup will fail if running inside a container. We don't
1513 care and just turn off creation of audit sockets.
1515 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
1516 with EAFNOSUPPORT which audit userspace uses as indication
1517 that audit is disabled in the kernel.
1520 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1524 r = seccomp_rule_add_exact(
1526 SCMP_ACT_ERRNO(EAFNOSUPPORT),
1529 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
1530 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
1532 log_error("Failed to add audit seccomp rule: %s", strerror(-r));
1536 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1538 log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
1542 r = seccomp_load(seccomp);
1544 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
1547 seccomp_release(seccomp);
1555 int main(int argc, char *argv[]) {
1557 _cleanup_close_ int master = -1, kdbus_fd = -1, sync_fd = -1;
1558 _cleanup_close_pipe_ int kmsg_socket_pair[2] = { -1, -1 };
1559 _cleanup_free_ char *kdbus_domain = NULL;
1560 _cleanup_fdset_free_ FDSet *fds = NULL;
1561 const char *console = NULL;
1562 int r = EXIT_FAILURE, k;
1566 char veth_name[IFNAMSIZ] = "ve-";
1568 log_parse_environment();
1571 k = parse_argv(argc, argv);
1579 if (arg_directory) {
1582 p = path_make_absolute_cwd(arg_directory);
1583 free(arg_directory);
1586 arg_directory = get_current_dir_name();
1588 if (!arg_directory) {
1589 log_error("Failed to determine path, please use -D.");
1593 path_kill_slashes(arg_directory);
1596 arg_machine = strdup(basename(arg_directory));
1602 hostname_cleanup(arg_machine, false);
1603 if (isempty(arg_machine)) {
1604 log_error("Failed to determine machine name automatically, please use -M.");
1609 if (geteuid() != 0) {
1610 log_error("Need to be root.");
1614 if (sd_booted() <= 0) {
1615 log_error("Not running on a systemd system.");
1619 if (path_equal(arg_directory, "/")) {
1620 log_error("Spawning container on root directory not supported.");
1625 if (path_is_os_tree(arg_directory) <= 0) {
1626 log_error("Directory %s doesn't look like an OS root directory (/etc/os-release is missing). Refusing.", arg_directory);
1632 p = strappenda(arg_directory,
1633 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
1634 if (access(p, F_OK) < 0) {
1635 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
1642 n_fd_passed = sd_listen_fds(false);
1643 if (n_fd_passed > 0) {
1644 k = fdset_new_listen_fds(&fds, false);
1646 log_error("Failed to collect file descriptors: %s", strerror(-k));
1650 fdset_close_others(fds);
1653 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
1655 log_error("Failed to acquire pseudo tty: %m");
1659 console = ptsname(master);
1661 log_error("Failed to determine tty name: %m");
1666 log_info("Spawning container %s on %s. Press ^] three times within 1s to abort execution.", arg_machine, arg_directory);
1668 if (unlockpt(master) < 0) {
1669 log_error("Failed to unlock tty: %m");
1673 if (access("/dev/kdbus/control", F_OK) >= 0) {
1675 if (arg_share_system) {
1676 kdbus_domain = strdup("/dev/kdbus");
1677 if (!kdbus_domain) {
1684 ns = strappenda("machine-", arg_machine);
1685 kdbus_fd = bus_kernel_create_domain(ns, &kdbus_domain);
1687 log_debug("Failed to create kdbus domain: %s", strerror(-r));
1689 log_debug("Successfully created kdbus domain as %s", kdbus_domain);
1693 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
1694 log_error("Failed to create kmsg socket pair: %m");
1698 sd_notify(0, "READY=1");
1700 assert_se(sigemptyset(&mask) == 0);
1701 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
1702 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
1707 sync_fd = eventfd(0, EFD_CLOEXEC);
1709 log_error("Failed to create event fd: %m");
1713 pid = syscall(__NR_clone,
1714 SIGCHLD|CLONE_NEWNS|
1715 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
1716 (arg_private_network ? CLONE_NEWNET : 0), NULL);
1718 if (errno == EINVAL)
1719 log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
1721 log_error("clone() failed: %m");
1728 const char *home = NULL;
1729 uid_t uid = (uid_t) -1;
1730 gid_t gid = (gid_t) -1;
1732 const char *envp[] = {
1733 "PATH=" DEFAULT_PATH_SPLIT_USR,
1734 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
1739 NULL, /* container_uuid */
1740 NULL, /* LISTEN_FDS */
1741 NULL, /* LISTEN_PID */
1747 envp[n_env] = strv_find_prefix(environ, "TERM=");
1751 close_nointr_nofail(master);
1754 close_nointr(STDIN_FILENO);
1755 close_nointr(STDOUT_FILENO);
1756 close_nointr(STDERR_FILENO);
1758 close_nointr_nofail(kmsg_socket_pair[0]);
1759 kmsg_socket_pair[0] = -1;
1761 reset_all_signal_handlers();
1763 assert_se(sigemptyset(&mask) == 0);
1764 assert_se(sigprocmask(SIG_SETMASK, &mask, NULL) == 0);
1766 k = open_terminal(console, O_RDWR);
1767 if (k != STDIN_FILENO) {
1769 close_nointr_nofail(k);
1773 log_error("Failed to open console: %s", strerror(-k));
1777 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
1778 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
1779 log_error("Failed to duplicate console: %m");
1784 log_error("setsid() failed: %m");
1788 if (reset_audit_loginuid() < 0)
1791 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
1792 log_error("PR_SET_PDEATHSIG failed: %m");
1796 /* Mark everything as slave, so that we still
1797 * receive mounts from the real root, but don't
1798 * propagate mounts to the real root. */
1799 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
1800 log_error("MS_SLAVE|MS_REC failed: %m");
1804 /* Turn directory into bind mount */
1805 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
1806 log_error("Failed to make bind mount.");
1811 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) {
1812 log_error("Failed to make read-only.");
1816 if (mount_all(arg_directory) < 0)
1819 if (copy_devnodes(arg_directory) < 0)
1822 if (setup_ptmx(arg_directory) < 0)
1825 dev_setup(arg_directory);
1827 if (audit_still_doesnt_work_in_containers() < 0)
1830 if (setup_dev_console(arg_directory, console) < 0)
1833 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
1836 close_nointr_nofail(kmsg_socket_pair[1]);
1837 kmsg_socket_pair[1] = -1;
1839 if (setup_boot_id(arg_directory) < 0)
1842 if (setup_timezone(arg_directory) < 0)
1845 if (setup_resolv_conf(arg_directory) < 0)
1848 if (setup_journal(arg_directory) < 0)
1851 if (mount_binds(arg_directory, arg_bind, 0) < 0)
1854 if (mount_binds(arg_directory, arg_bind_ro, MS_RDONLY) < 0)
1857 if (setup_kdbus(arg_directory, kdbus_domain) < 0)
1860 if (chdir(arg_directory) < 0) {
1861 log_error("chdir(%s) failed: %m", arg_directory);
1865 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
1866 log_error("mount(MS_MOVE) failed: %m");
1870 if (chroot(".") < 0) {
1871 log_error("chroot() failed: %m");
1875 if (chdir("/") < 0) {
1876 log_error("chdir() failed: %m");
1882 if (arg_private_network)
1885 if (drop_capabilities() < 0) {
1886 log_error("drop_capabilities() failed: %m");
1892 /* Note that this resolves user names
1893 * inside the container, and hence
1894 * accesses the NSS modules from the
1895 * container and not the host. This is
1898 if (get_user_creds((const char**)&arg_user, &uid, &gid, &home, NULL) < 0) {
1899 log_error("get_user_creds() failed: %m");
1903 if (mkdir_parents_label(home, 0775) < 0) {
1904 log_error("mkdir_parents_label() failed: %m");
1908 if (mkdir_safe_label(home, 0775, uid, gid) < 0) {
1909 log_error("mkdir_safe_label() failed: %m");
1913 if (initgroups((const char*)arg_user, gid) < 0) {
1914 log_error("initgroups() failed: %m");
1918 if (setresgid(gid, gid, gid) < 0) {
1919 log_error("setregid() failed: %m");
1923 if (setresuid(uid, uid, uid) < 0) {
1924 log_error("setreuid() failed: %m");
1928 /* Reset everything fully to 0, just in case */
1930 if (setgroups(0, NULL) < 0) {
1931 log_error("setgroups() failed: %m");
1935 if (setresgid(0, 0, 0) < 0) {
1936 log_error("setregid() failed: %m");
1940 if (setresuid(0, 0, 0) < 0) {
1941 log_error("setreuid() failed: %m");
1946 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
1947 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
1948 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
1953 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
1954 if (asprintf((char**)(envp + n_env++), "container_uuid=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(arg_uuid)) < 0) {
1960 if (fdset_size(fds) > 0) {
1961 k = fdset_cloexec(fds, false);
1963 log_error("Failed to unset O_CLOEXEC for file descriptors.");
1967 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
1968 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
1976 eventfd_read(sync_fd, &x);
1977 close_nointr_nofail(sync_fd);
1980 if (!strv_isempty(arg_setenv)) {
1983 n = strv_env_merge(2, envp, arg_setenv);
1991 env_use = (char**) envp;
1994 if (arg_selinux_context)
1995 if (setexeccon(arg_selinux_context) < 0)
1996 log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
2002 /* Automatically search for the init system */
2004 l = 1 + argc - optind;
2005 a = newa(char*, l + 1);
2006 memcpy(a + 1, argv + optind, l * sizeof(char*));
2008 a[0] = (char*) "/usr/lib/systemd/systemd";
2009 execve(a[0], a, env_use);
2011 a[0] = (char*) "/lib/systemd/systemd";
2012 execve(a[0], a, env_use);
2014 a[0] = (char*) "/sbin/init";
2015 execve(a[0], a, env_use);
2016 } else if (argc > optind)
2017 execvpe(argv[optind], argv + optind, env_use);
2019 chdir(home ? home : "/root");
2020 execle("/bin/bash", "-bash", NULL, env_use);
2021 execle("/bin/sh", "-sh", NULL, env_use);
2024 log_error("execv() failed: %m");
2027 _exit(EXIT_FAILURE);
2033 r = register_machine(pid);
2037 r = move_network_interfaces(pid);
2041 r = setup_veth(pid, veth_name);
2045 r = setup_bridge(veth_name);
2049 eventfd_write(sync_fd, 1);
2050 close_nointr_nofail(sync_fd);
2053 k = process_pty(master, &mask, arg_boot ? pid : 0, SIGRTMIN+3);
2062 /* Kill if it is not dead yet anyway */
2063 terminate_machine(pid);
2065 /* Redundant, but better safe than sorry */
2068 k = wait_for_terminate(pid, &status);
2076 if (status.si_code == CLD_EXITED) {
2077 r = status.si_status;
2078 if (status.si_status != 0) {
2079 log_error("Container %s failed with error code %i.", arg_machine, status.si_status);
2084 log_debug("Container %s exited successfully.", arg_machine);
2086 } else if (status.si_code == CLD_KILLED &&
2087 status.si_status == SIGINT) {
2090 log_info("Container %s has been shut down.", arg_machine);
2093 } else if (status.si_code == CLD_KILLED &&
2094 status.si_status == SIGHUP) {
2097 log_info("Container %s is being rebooted.", arg_machine);
2099 } else if (status.si_code == CLD_KILLED ||
2100 status.si_code == CLD_DUMPED) {
2102 log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
2106 log_error("Container %s failed due to unknown reason.", arg_machine);
2116 free(arg_directory);
2119 free(arg_network_interfaces);