1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
37 #include <sys/signalfd.h>
41 #include <sys/socket.h>
42 #include <linux/netlink.h>
43 #include <sys/eventfd.h>
45 #include <linux/veth.h>
46 #include <sys/personality.h>
47 #include <linux/loop.h>
50 #include <selinux/selinux.h>
58 #include <blkid/blkid.h>
61 #include "sd-daemon.h"
71 #include "cgroup-util.h"
73 #include "path-util.h"
74 #include "loopback-setup.h"
75 #include "dev-setup.h"
80 #include "bus-error.h"
82 #include "bus-kernel.h"
85 #include "rtnl-util.h"
86 #include "udev-util.h"
87 #include "blkid-util.h"
89 #include "siphash24.h"
92 #include "seccomp-util.h"
95 typedef enum ContainerStatus {
100 typedef enum LinkJournal {
107 static char *arg_directory = NULL;
108 static char *arg_user = NULL;
109 static sd_id128_t arg_uuid = {};
110 static char *arg_machine = NULL;
111 static const char *arg_selinux_context = NULL;
112 static const char *arg_selinux_apifs_context = NULL;
113 static const char *arg_slice = NULL;
114 static bool arg_private_network = false;
115 static bool arg_read_only = false;
116 static bool arg_boot = false;
117 static LinkJournal arg_link_journal = LINK_AUTO;
118 static uint64_t arg_retain =
119 (1ULL << CAP_CHOWN) |
120 (1ULL << CAP_DAC_OVERRIDE) |
121 (1ULL << CAP_DAC_READ_SEARCH) |
122 (1ULL << CAP_FOWNER) |
123 (1ULL << CAP_FSETID) |
124 (1ULL << CAP_IPC_OWNER) |
126 (1ULL << CAP_LEASE) |
127 (1ULL << CAP_LINUX_IMMUTABLE) |
128 (1ULL << CAP_NET_BIND_SERVICE) |
129 (1ULL << CAP_NET_BROADCAST) |
130 (1ULL << CAP_NET_RAW) |
131 (1ULL << CAP_SETGID) |
132 (1ULL << CAP_SETFCAP) |
133 (1ULL << CAP_SETPCAP) |
134 (1ULL << CAP_SETUID) |
135 (1ULL << CAP_SYS_ADMIN) |
136 (1ULL << CAP_SYS_CHROOT) |
137 (1ULL << CAP_SYS_NICE) |
138 (1ULL << CAP_SYS_PTRACE) |
139 (1ULL << CAP_SYS_TTY_CONFIG) |
140 (1ULL << CAP_SYS_RESOURCE) |
141 (1ULL << CAP_SYS_BOOT) |
142 (1ULL << CAP_AUDIT_WRITE) |
143 (1ULL << CAP_AUDIT_CONTROL) |
145 static char **arg_bind = NULL;
146 static char **arg_bind_ro = NULL;
147 static char **arg_setenv = NULL;
148 static bool arg_quiet = false;
149 static bool arg_share_system = false;
150 static bool arg_register = true;
151 static bool arg_keep_unit = false;
152 static char **arg_network_interfaces = NULL;
153 static char **arg_network_macvlan = NULL;
154 static bool arg_network_veth = false;
155 static const char *arg_network_bridge = NULL;
156 static unsigned long arg_personality = 0xffffffffLU;
157 static const char *arg_image = NULL;
159 static int help(void) {
161 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
162 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
163 " -h --help Show this help\n"
164 " --version Print version string\n"
165 " -q --quiet Do not show status information\n"
166 " -D --directory=PATH Root directory for the container\n"
167 " -i --image=PATH File system device or image for the container\n"
168 " -b --boot Boot up full system (i.e. invoke init)\n"
169 " -u --user=USER Run the command under specified user or uid\n"
170 " -M --machine=NAME Set the machine name for the container\n"
171 " --uuid=UUID Set a specific machine UUID for the container\n"
172 " -S --slice=SLICE Place the container in the specified slice\n"
173 " --private-network Disable network in container\n"
174 " --network-interface=INTERFACE\n"
175 " Assign an existing network interface to the\n"
177 " --network-macvlan=INTERFACE\n"
178 " Create a macvlan network interface based on an\n"
179 " existing network interface to the container\n"
180 " --network-veth Add a virtual ethernet connection between host\n"
182 " --network-bridge=INTERFACE\n"
183 " Add a virtual ethernet connection between host\n"
184 " and container and add it to an existing bridge on\n"
186 " -Z --selinux-context=SECLABEL\n"
187 " Set the SELinux security context to be used by\n"
188 " processes in the container\n"
189 " -L --selinux-apifs-context=SECLABEL\n"
190 " Set the SELinux security context to be used by\n"
191 " API/tmpfs file systems in the container\n"
192 " --capability=CAP In addition to the default, retain specified\n"
194 " --drop-capability=CAP Drop the specified capability from the default set\n"
195 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n"
196 " -j Equivalent to --link-journal=host\n"
197 " --read-only Mount the root directory read-only\n"
198 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
200 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
201 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
202 " --share-system Share system namespaces with host\n"
203 " --register=BOOLEAN Register container as machine\n"
204 " --keep-unit Do not register a scope for the machine, reuse\n"
205 " the service unit nspawn is running in\n",
206 program_invocation_short_name);
211 static int parse_argv(int argc, char *argv[]) {
227 ARG_NETWORK_INTERFACE,
234 static const struct option options[] = {
235 { "help", no_argument, NULL, 'h' },
236 { "version", no_argument, NULL, ARG_VERSION },
237 { "directory", required_argument, NULL, 'D' },
238 { "user", required_argument, NULL, 'u' },
239 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
240 { "boot", no_argument, NULL, 'b' },
241 { "uuid", required_argument, NULL, ARG_UUID },
242 { "read-only", no_argument, NULL, ARG_READ_ONLY },
243 { "capability", required_argument, NULL, ARG_CAPABILITY },
244 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
245 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
246 { "bind", required_argument, NULL, ARG_BIND },
247 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
248 { "machine", required_argument, NULL, 'M' },
249 { "slice", required_argument, NULL, 'S' },
250 { "setenv", required_argument, NULL, ARG_SETENV },
251 { "selinux-context", required_argument, NULL, 'Z' },
252 { "selinux-apifs-context", required_argument, NULL, 'L' },
253 { "quiet", no_argument, NULL, 'q' },
254 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
255 { "register", required_argument, NULL, ARG_REGISTER },
256 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
257 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
258 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
259 { "network-veth", no_argument, NULL, ARG_NETWORK_VETH },
260 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
261 { "personality", required_argument, NULL, ARG_PERSONALITY },
262 { "image", required_argument, NULL, 'i' },
267 uint64_t plus = 0, minus = 0;
272 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:", options, NULL)) >= 0) {
280 puts(PACKAGE_STRING);
281 puts(SYSTEMD_FEATURES);
286 arg_directory = canonicalize_file_name(optarg);
287 if (!arg_directory) {
288 log_error("Invalid root directory: %m");
300 arg_user = strdup(optarg);
306 case ARG_NETWORK_BRIDGE:
307 arg_network_bridge = optarg;
311 case ARG_NETWORK_VETH:
312 arg_network_veth = true;
313 arg_private_network = true;
316 case ARG_NETWORK_INTERFACE:
317 if (strv_extend(&arg_network_interfaces, optarg) < 0)
320 arg_private_network = true;
323 case ARG_NETWORK_MACVLAN:
324 if (strv_extend(&arg_network_macvlan, optarg) < 0)
329 case ARG_PRIVATE_NETWORK:
330 arg_private_network = true;
338 r = sd_id128_from_string(optarg, &arg_uuid);
340 log_error("Invalid UUID: %s", optarg);
350 if (isempty(optarg)) {
355 if (!hostname_is_valid(optarg)) {
356 log_error("Invalid machine name: %s", optarg);
361 arg_machine = strdup(optarg);
369 arg_selinux_context = optarg;
373 arg_selinux_apifs_context = optarg;
377 arg_read_only = true;
381 case ARG_DROP_CAPABILITY: {
385 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
386 _cleanup_free_ char *t;
389 t = strndup(word, length);
393 if (streq(t, "all")) {
394 if (c == ARG_CAPABILITY)
395 plus = (uint64_t) -1;
397 minus = (uint64_t) -1;
399 if (cap_from_name(t, &cap) < 0) {
400 log_error("Failed to parse capability %s.", t);
404 if (c == ARG_CAPABILITY)
405 plus |= 1ULL << (uint64_t) cap;
407 minus |= 1ULL << (uint64_t) cap;
415 arg_link_journal = LINK_GUEST;
418 case ARG_LINK_JOURNAL:
419 if (streq(optarg, "auto"))
420 arg_link_journal = LINK_AUTO;
421 else if (streq(optarg, "no"))
422 arg_link_journal = LINK_NO;
423 else if (streq(optarg, "guest"))
424 arg_link_journal = LINK_GUEST;
425 else if (streq(optarg, "host"))
426 arg_link_journal = LINK_HOST;
428 log_error("Failed to parse link journal mode %s", optarg);
436 _cleanup_free_ char *a = NULL, *b = NULL;
440 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
442 e = strchr(optarg, ':');
444 a = strndup(optarg, e - optarg);
454 if (!path_is_absolute(a) || !path_is_absolute(b)) {
455 log_error("Invalid bind mount specification: %s", optarg);
459 r = strv_extend(x, a);
463 r = strv_extend(x, b);
473 if (!env_assignment_is_valid(optarg)) {
474 log_error("Environment variable assignment '%s' is not valid.", optarg);
478 n = strv_env_set(arg_setenv, optarg);
482 strv_free(arg_setenv);
491 case ARG_SHARE_SYSTEM:
492 arg_share_system = true;
496 r = parse_boolean(optarg);
498 log_error("Failed to parse --register= argument: %s", optarg);
506 arg_keep_unit = true;
509 case ARG_PERSONALITY:
511 arg_personality = personality_from_string(optarg);
512 if (arg_personality == 0xffffffffLU) {
513 log_error("Unknown or unsupported personality '%s'.", optarg);
523 assert_not_reached("Unhandled option");
527 if (arg_share_system)
528 arg_register = false;
530 if (arg_boot && arg_share_system) {
531 log_error("--boot and --share-system may not be combined.");
535 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
536 log_error("--keep-unit may not be used when invoked from a user session.");
540 if (arg_directory && arg_image) {
541 log_error("--directory= and --image= may not be combined.");
545 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
550 static int mount_all(const char *dest) {
552 typedef struct MountPoint {
561 static const MountPoint mount_table[] = {
562 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
563 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
564 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
565 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
566 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
567 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
568 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
569 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
571 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
572 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
579 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
580 _cleanup_free_ char *where = NULL;
582 _cleanup_free_ char *options = NULL;
587 where = strjoin(dest, "/", mount_table[k].where, NULL);
591 t = path_is_mount_point(where, true);
593 log_error("Failed to detect whether %s is a mount point: %s", where, strerror(-t));
601 /* Skip this entry if it is not a remount. */
602 if (mount_table[k].what && t > 0)
605 mkdir_p(where, 0755);
608 if (arg_selinux_apifs_context &&
609 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
610 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
617 o = mount_table[k].options;
620 if (mount(mount_table[k].what,
623 mount_table[k].flags,
625 mount_table[k].fatal) {
627 log_error("mount(%s) failed: %m", where);
637 static int mount_binds(const char *dest, char **l, unsigned long flags) {
640 STRV_FOREACH_PAIR(x, y, l) {
642 struct stat source_st, dest_st;
645 if (stat(*x, &source_st) < 0) {
646 log_error("Failed to stat %s: %m", *x);
650 where = strappenda(dest, *y);
651 r = stat(where, &dest_st);
653 if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
654 log_error("The file types of %s and %s do not match. Refusing bind mount",
658 } else if (errno == ENOENT) {
659 r = mkdir_parents_label(where, 0755);
661 log_error("Failed to bind mount %s: %s", *x, strerror(-r));
665 log_error("Failed to bind mount %s: %m", *x);
668 /* Create the mount point, but be conservative -- refuse to create block
669 * and char devices. */
670 if (S_ISDIR(source_st.st_mode))
671 mkdir_label(where, 0755);
672 else if (S_ISFIFO(source_st.st_mode))
674 else if (S_ISSOCK(source_st.st_mode))
675 mknod(where, 0644 | S_IFSOCK, 0);
676 else if (S_ISREG(source_st.st_mode))
679 log_error("Refusing to create mountpoint for file: %s", *x);
683 if (mount(*x, where, "bind", MS_BIND, NULL) < 0) {
684 log_error("mount(%s) failed: %m", where);
688 if (flags && mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|flags, NULL) < 0) {
689 log_error("mount(%s) failed: %m", where);
697 static int setup_timezone(const char *dest) {
698 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
704 /* Fix the timezone, if possible */
705 r = readlink_malloc("/etc/localtime", &p);
707 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
711 z = path_startswith(p, "../usr/share/zoneinfo/");
713 z = path_startswith(p, "/usr/share/zoneinfo/");
715 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
719 where = strappend(dest, "/etc/localtime");
723 r = readlink_malloc(where, &q);
725 y = path_startswith(q, "../usr/share/zoneinfo/");
727 y = path_startswith(q, "/usr/share/zoneinfo/");
730 /* Already pointing to the right place? Then do nothing .. */
731 if (y && streq(y, z))
735 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
739 if (access(check, F_OK) < 0) {
740 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
744 what = strappend("../usr/share/zoneinfo/", z);
749 if (symlink(what, where) < 0) {
750 log_error("Failed to correct timezone of container: %m");
757 static int setup_resolv_conf(const char *dest) {
758 char _cleanup_free_ *where = NULL;
762 if (arg_private_network)
765 /* Fix resolv.conf, if possible */
766 where = strappend(dest, "/etc/resolv.conf");
770 /* We don't really care for the results of this really. If it
771 * fails, it fails, but meh... */
772 copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW);
777 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
780 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
781 SD_ID128_FORMAT_VAL(id));
786 static int setup_boot_id(const char *dest) {
787 _cleanup_free_ char *from = NULL, *to = NULL;
794 if (arg_share_system)
797 /* Generate a new randomized boot ID, so that each boot-up of
798 * the container gets a new one */
800 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
801 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
805 r = sd_id128_randomize(&rnd);
807 log_error("Failed to generate random boot id: %s", strerror(-r));
811 id128_format_as_uuid(rnd, as_uuid);
813 r = write_string_file(from, as_uuid);
815 log_error("Failed to write boot id: %s", strerror(-r));
819 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
820 log_error("Failed to bind mount boot id: %m");
822 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
823 log_warning("Failed to make boot id read-only: %m");
829 static int copy_devnodes(const char *dest) {
831 static const char devnodes[] =
841 _cleanup_umask_ mode_t u;
847 NULSTR_FOREACH(d, devnodes) {
848 _cleanup_free_ char *from = NULL, *to = NULL;
851 from = strappend("/dev/", d);
852 to = strjoin(dest, "/dev/", d, NULL);
856 if (stat(from, &st) < 0) {
858 if (errno != ENOENT) {
859 log_error("Failed to stat %s: %m", from);
863 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
865 log_error("%s is not a char or block device, cannot copy", from);
868 } else if (mknod(to, st.st_mode, st.st_rdev) < 0) {
870 log_error("mknod(%s) failed: %m", dest);
878 static int setup_ptmx(const char *dest) {
879 _cleanup_free_ char *p = NULL;
881 p = strappend(dest, "/dev/ptmx");
885 if (symlink("pts/ptmx", p) < 0) {
886 log_error("Failed to create /dev/ptmx symlink: %m");
893 static int setup_dev_console(const char *dest, const char *console) {
894 _cleanup_umask_ mode_t u;
904 if (stat("/dev/null", &st) < 0) {
905 log_error("Failed to stat /dev/null: %m");
909 r = chmod_and_chown(console, 0600, 0, 0);
911 log_error("Failed to correct access mode for TTY: %s", strerror(-r));
915 /* We need to bind mount the right tty to /dev/console since
916 * ptys can only exist on pts file systems. To have something
917 * to bind mount things on we create a device node first, and
918 * use /dev/null for that since we the cgroups device policy
919 * allows us to create that freely, while we cannot create
920 * /dev/console. (Note that the major minor doesn't actually
921 * matter here, since we mount it over anyway). */
923 to = strappenda(dest, "/dev/console");
924 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0) {
925 log_error("mknod() for /dev/console failed: %m");
929 if (mount(console, to, "bind", MS_BIND, NULL) < 0) {
930 log_error("Bind mount for /dev/console failed: %m");
937 static int setup_kmsg(const char *dest, int kmsg_socket) {
938 _cleanup_free_ char *from = NULL, *to = NULL;
940 _cleanup_umask_ mode_t u;
942 struct cmsghdr cmsghdr;
943 uint8_t buf[CMSG_SPACE(sizeof(int))];
946 .msg_control = &control,
947 .msg_controllen = sizeof(control),
949 struct cmsghdr *cmsg;
952 assert(kmsg_socket >= 0);
956 /* We create the kmsg FIFO as /dev/kmsg, but immediately
957 * delete it after bind mounting it to /proc/kmsg. While FIFOs
958 * on the reading side behave very similar to /proc/kmsg,
959 * their writing side behaves differently from /dev/kmsg in
960 * that writing blocks when nothing is reading. In order to
961 * avoid any problems with containers deadlocking due to this
962 * we simply make /dev/kmsg unavailable to the container. */
963 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
964 asprintf(&to, "%s/proc/kmsg", dest) < 0)
967 if (mkfifo(from, 0600) < 0) {
968 log_error("mkfifo() for /dev/kmsg failed: %m");
972 r = chmod_and_chown(from, 0600, 0, 0);
974 log_error("Failed to correct access mode for /dev/kmsg: %s", strerror(-r));
978 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
979 log_error("Bind mount for /proc/kmsg failed: %m");
983 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
985 log_error("Failed to open fifo: %m");
989 cmsg = CMSG_FIRSTHDR(&mh);
990 cmsg->cmsg_level = SOL_SOCKET;
991 cmsg->cmsg_type = SCM_RIGHTS;
992 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
993 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
995 mh.msg_controllen = cmsg->cmsg_len;
997 /* Store away the fd in the socket, so that it stays open as
998 * long as we run the child */
999 k = sendmsg(kmsg_socket, &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
1003 log_error("Failed to send FIFO fd: %m");
1007 /* And now make the FIFO unavailable as /dev/kmsg... */
1012 static int setup_hostname(void) {
1014 if (arg_share_system)
1017 if (sethostname(arg_machine, strlen(arg_machine)) < 0)
1023 static int setup_journal(const char *directory) {
1024 sd_id128_t machine_id, this_id;
1025 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1029 p = strappend(directory, "/etc/machine-id");
1033 r = read_one_line_file(p, &b);
1034 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1037 log_error("Failed to read machine ID from %s: %s", p, strerror(-r));
1042 if (isempty(id) && arg_link_journal == LINK_AUTO)
1045 /* Verify validity */
1046 r = sd_id128_from_string(id, &machine_id);
1048 log_error("Failed to parse machine ID from %s: %s", p, strerror(-r));
1052 r = sd_id128_get_machine(&this_id);
1054 log_error("Failed to retrieve machine ID: %s", strerror(-r));
1058 if (sd_id128_equal(machine_id, this_id)) {
1059 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1060 "Host and machine ids are equal (%s): refusing to link journals", id);
1061 if (arg_link_journal == LINK_AUTO)
1067 if (arg_link_journal == LINK_NO)
1071 p = strappend("/var/log/journal/", id);
1072 q = strjoin(directory, "/var/log/journal/", id, NULL);
1076 if (path_is_mount_point(p, false) > 0) {
1077 if (arg_link_journal != LINK_AUTO) {
1078 log_error("%s: already a mount point, refusing to use for journal", p);
1085 if (path_is_mount_point(q, false) > 0) {
1086 if (arg_link_journal != LINK_AUTO) {
1087 log_error("%s: already a mount point, refusing to use for journal", q);
1094 r = readlink_and_make_absolute(p, &d);
1096 if ((arg_link_journal == LINK_GUEST ||
1097 arg_link_journal == LINK_AUTO) &&
1100 r = mkdir_p(q, 0755);
1102 log_warning("failed to create directory %s: %m", q);
1106 if (unlink(p) < 0) {
1107 log_error("Failed to remove symlink %s: %m", p);
1110 } else if (r == -EINVAL) {
1112 if (arg_link_journal == LINK_GUEST &&
1115 if (errno == ENOTDIR) {
1116 log_error("%s already exists and is neither a symlink nor a directory", p);
1119 log_error("Failed to remove %s: %m", p);
1123 } else if (r != -ENOENT) {
1124 log_error("readlink(%s) failed: %m", p);
1128 if (arg_link_journal == LINK_GUEST) {
1130 if (symlink(q, p) < 0) {
1131 log_error("Failed to symlink %s to %s: %m", q, p);
1135 r = mkdir_p(q, 0755);
1137 log_warning("failed to create directory %s: %m", q);
1141 if (arg_link_journal == LINK_HOST) {
1142 r = mkdir_p(p, 0755);
1144 log_error("Failed to create %s: %m", p);
1148 } else if (access(p, F_OK) < 0)
1151 if (dir_is_empty(q) == 0)
1152 log_warning("%s is not empty, proceeding anyway.", q);
1154 r = mkdir_p(q, 0755);
1156 log_error("Failed to create %s: %m", q);
1160 if (mount(p, q, "bind", MS_BIND, NULL) < 0) {
1161 log_error("Failed to bind mount journal from host into guest: %m");
1168 static int setup_kdbus(const char *dest, const char *path) {
1174 p = strappenda(dest, "/dev/kdbus");
1175 if (mkdir(p, 0755) < 0) {
1176 log_error("Failed to create kdbus path: %m");
1180 if (mount(path, p, "bind", MS_BIND, NULL) < 0) {
1181 log_error("Failed to mount kdbus domain path: %m");
1188 static int drop_capabilities(void) {
1189 return capability_bounding_set_drop(~arg_retain, false);
1192 static int register_machine(pid_t pid) {
1193 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1194 _cleanup_bus_unref_ sd_bus *bus = NULL;
1200 r = sd_bus_default_system(&bus);
1202 log_error("Failed to open system bus: %s", strerror(-r));
1206 if (arg_keep_unit) {
1207 r = sd_bus_call_method(
1209 "org.freedesktop.machine1",
1210 "/org/freedesktop/machine1",
1211 "org.freedesktop.machine1.Manager",
1217 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1221 strempty(arg_directory));
1223 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1225 r = sd_bus_message_new_method_call(
1228 "org.freedesktop.machine1",
1229 "/org/freedesktop/machine1",
1230 "org.freedesktop.machine1.Manager",
1233 log_error("Failed to create message: %s", strerror(-r));
1237 r = sd_bus_message_append(
1241 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1245 strempty(arg_directory));
1247 log_error("Failed to append message arguments: %s", strerror(-r));
1251 r = sd_bus_message_open_container(m, 'a', "(sv)");
1253 log_error("Failed to open container: %s", strerror(-r));
1257 if (!isempty(arg_slice)) {
1258 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
1260 log_error("Failed to append slice: %s", strerror(-r));
1265 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
1267 log_error("Failed to add device policy: %s", strerror(-r));
1271 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 10,
1272 /* Allow the container to
1273 * access and create the API
1274 * device nodes, so that
1275 * PrivateDevices= in the
1276 * container can work
1281 "/dev/random", "rwm",
1282 "/dev/urandom", "rwm",
1284 /* Allow the container
1285 * access to ptys. However,
1287 * container to ever create
1288 * these device nodes. */
1289 "/dev/pts/ptmx", "rw",
1291 /* Allow the container
1292 * access to all kdbus
1293 * devices. Again, the
1294 * container cannot create
1295 * these nodes, only use
1296 * them. We use a pretty
1297 * open match here, so that
1298 * the kernel API can still
1301 "char-kdbus/*", "rw");
1303 log_error("Failed to add device whitelist: %s", strerror(-r));
1307 r = sd_bus_message_close_container(m);
1309 log_error("Failed to close container: %s", strerror(-r));
1313 r = sd_bus_call(bus, m, 0, &error, NULL);
1317 log_error("Failed to register machine: %s", bus_error_message(&error, r));
1324 static int terminate_machine(pid_t pid) {
1325 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1326 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
1327 _cleanup_bus_unref_ sd_bus *bus = NULL;
1334 r = sd_bus_default_system(&bus);
1336 log_error("Failed to open system bus: %s", strerror(-r));
1340 r = sd_bus_call_method(
1342 "org.freedesktop.machine1",
1343 "/org/freedesktop/machine1",
1344 "org.freedesktop.machine1.Manager",
1351 /* Note that the machine might already have been
1352 * cleaned up automatically, hence don't consider it a
1353 * failure if we cannot get the machine object. */
1354 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
1358 r = sd_bus_message_read(reply, "o", &path);
1360 return bus_log_parse_error(r);
1362 r = sd_bus_call_method(
1364 "org.freedesktop.machine1",
1366 "org.freedesktop.machine1.Machine",
1372 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
1379 static int reset_audit_loginuid(void) {
1380 _cleanup_free_ char *p = NULL;
1383 if (arg_share_system)
1386 r = read_one_line_file("/proc/self/loginuid", &p);
1390 log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
1394 /* Already reset? */
1395 if (streq(p, "4294967295"))
1398 r = write_string_file("/proc/self/loginuid", "4294967295");
1400 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
1401 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1402 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1403 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1404 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
1412 #define HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
1414 static int get_mac(struct ether_addr *mac) {
1421 l = strlen(arg_machine);
1422 sz = sizeof(sd_id128_t) + l;
1425 /* fetch some persistent data unique to the host */
1426 r = sd_id128_get_machine((sd_id128_t*) v);
1430 /* combine with some data unique (on this host) to this
1431 * container instance */
1432 memcpy(v + sizeof(sd_id128_t), arg_machine, l);
1434 /* Let's hash the host machine ID plus the container name. We
1435 * use a fixed, but originally randomly created hash key here. */
1436 siphash24(result, v, sz, HASH_KEY.bytes);
1438 assert_cc(ETH_ALEN <= sizeof(result));
1439 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
1441 /* see eth_random_addr in the kernel */
1442 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
1443 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
1448 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ]) {
1449 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1450 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1451 struct ether_addr mac;
1454 if (!arg_private_network)
1457 if (!arg_network_veth)
1460 /* Use two different interface name prefixes depending whether
1461 * we are in bridge mode or not. */
1462 if (arg_network_bridge)
1463 memcpy(iface_name, "vb-", 3);
1465 memcpy(iface_name, "ve-", 3);
1466 strncpy(iface_name+3, arg_machine, IFNAMSIZ - 3);
1470 log_error("Failed to generate predictable MAC address for host0");
1474 r = sd_rtnl_open(&rtnl, 0);
1476 log_error("Failed to connect to netlink: %s", strerror(-r));
1480 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1482 log_error("Failed to allocate netlink message: %s", strerror(-r));
1486 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
1488 log_error("Failed to add netlink interface name: %s", strerror(-r));
1492 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1494 log_error("Failed to open netlink container: %s", strerror(-r));
1498 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
1500 log_error("Failed to open netlink container: %s", strerror(-r));
1504 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
1506 log_error("Failed to open netlink container: %s", strerror(-r));
1510 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
1512 log_error("Failed to add netlink interface name: %s", strerror(-r));
1516 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac);
1518 log_error("Failed to add netlink MAC address: %s", strerror(-r));
1522 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1524 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1528 r = sd_rtnl_message_close_container(m);
1530 log_error("Failed to close netlink container: %s", strerror(-r));
1534 r = sd_rtnl_message_close_container(m);
1536 log_error("Failed to close netlink container: %s", strerror(-r));
1540 r = sd_rtnl_message_close_container(m);
1542 log_error("Failed to close netlink container: %s", strerror(-r));
1546 r = sd_rtnl_call(rtnl, m, 0, NULL);
1548 log_error("Failed to add new veth interfaces: %s", strerror(-r));
1555 static int setup_bridge(const char veth_name[]) {
1556 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1557 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1560 if (!arg_private_network)
1563 if (!arg_network_veth)
1566 if (!arg_network_bridge)
1569 bridge = (int) if_nametoindex(arg_network_bridge);
1571 log_error("Failed to resolve interface %s: %m", arg_network_bridge);
1575 r = sd_rtnl_open(&rtnl, 0);
1577 log_error("Failed to connect to netlink: %s", strerror(-r));
1581 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
1583 log_error("Failed to allocate netlink message: %s", strerror(-r));
1587 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
1589 log_error("Failed to set IFF_UP flag: %s", strerror(-r));
1593 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
1595 log_error("Failed to add netlink interface name field: %s", strerror(-r));
1599 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
1601 log_error("Failed to add netlink master field: %s", strerror(-r));
1605 r = sd_rtnl_call(rtnl, m, 0, NULL);
1607 log_error("Failed to add veth interface to bridge: %s", strerror(-r));
1614 static int parse_interface(struct udev *udev, const char *name) {
1615 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1616 char ifi_str[2 + DECIMAL_STR_MAX(int)];
1619 ifi = (int) if_nametoindex(name);
1621 log_error("Failed to resolve interface %s: %m", name);
1625 sprintf(ifi_str, "n%i", ifi);
1626 d = udev_device_new_from_device_id(udev, ifi_str);
1628 log_error("Failed to get udev device for interface %s: %m", name);
1632 if (udev_device_get_is_initialized(d) <= 0) {
1633 log_error("Network interface %s is not initialized yet.", name);
1640 static int move_network_interfaces(pid_t pid) {
1641 _cleanup_udev_unref_ struct udev *udev = NULL;
1642 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1646 if (!arg_private_network)
1649 if (strv_isempty(arg_network_interfaces))
1652 r = sd_rtnl_open(&rtnl, 0);
1654 log_error("Failed to connect to netlink: %s", strerror(-r));
1660 log_error("Failed to connect to udev.");
1664 STRV_FOREACH(i, arg_network_interfaces) {
1665 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1668 ifi = parse_interface(udev, *i);
1672 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, ifi);
1674 log_error("Failed to allocate netlink message: %s", strerror(-r));
1678 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1680 log_error("Failed to append namespace PID to netlink message: %s", strerror(-r));
1684 r = sd_rtnl_call(rtnl, m, 0, NULL);
1686 log_error("Failed to move interface %s to namespace: %s", *i, strerror(-r));
1694 static int setup_macvlan(pid_t pid) {
1695 _cleanup_udev_unref_ struct udev *udev = NULL;
1696 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1700 if (!arg_private_network)
1703 if (strv_isempty(arg_network_macvlan))
1706 r = sd_rtnl_open(&rtnl, 0);
1708 log_error("Failed to connect to netlink: %s", strerror(-r));
1714 log_error("Failed to connect to udev.");
1718 STRV_FOREACH(i, arg_network_macvlan) {
1719 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1720 _cleanup_free_ char *n = NULL;
1723 ifi = parse_interface(udev, *i);
1727 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1729 log_error("Failed to allocate netlink message: %s", strerror(-r));
1733 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
1735 log_error("Failed to add netlink interface index: %s", strerror(-r));
1739 n = strappend("mv-", *i);
1743 strshorten(n, IFNAMSIZ-1);
1745 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
1747 log_error("Failed to add netlink interface name: %s", strerror(-r));
1751 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1753 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1757 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1759 log_error("Failed to open netlink container: %s", strerror(-r));
1763 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
1765 log_error("Failed to open netlink container: %s", strerror(-r));
1769 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
1771 log_error("Failed to append macvlan mode: %s", strerror(-r));
1775 r = sd_rtnl_message_close_container(m);
1777 log_error("Failed to close netlink container: %s", strerror(-r));
1781 r = sd_rtnl_message_close_container(m);
1783 log_error("Failed to close netlink container: %s", strerror(-r));
1787 r = sd_rtnl_call(rtnl, m, 0, NULL);
1789 log_error("Failed to add new macvlan interfaces: %s", strerror(-r));
1797 static int audit_still_doesnt_work_in_containers(void) {
1800 scmp_filter_ctx seccomp;
1804 Audit is broken in containers, much of the userspace audit
1805 hookup will fail if running inside a container. We don't
1806 care and just turn off creation of audit sockets.
1808 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
1809 with EAFNOSUPPORT which audit userspace uses as indication
1810 that audit is disabled in the kernel.
1813 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1817 r = seccomp_add_secondary_archs(seccomp);
1819 log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
1823 r = seccomp_rule_add(
1825 SCMP_ACT_ERRNO(EAFNOSUPPORT),
1828 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
1829 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
1831 log_error("Failed to add audit seccomp rule: %s", strerror(-r));
1835 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1837 log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
1841 r = seccomp_load(seccomp);
1843 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
1846 seccomp_release(seccomp);
1854 static int setup_image(char **device_path, int *loop_nr) {
1855 struct loop_info64 info = {
1856 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
1858 _cleanup_close_ int fd = -1, control = -1, loop = -1;
1859 _cleanup_free_ char* loopdev = NULL;
1863 assert(device_path);
1866 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
1868 log_error("Failed to open %s: %m", arg_image);
1872 if (fstat(fd, &st) < 0) {
1873 log_error("Failed to stat %s: %m", arg_image);
1877 if (S_ISBLK(st.st_mode)) {
1880 p = strdup(arg_image);
1894 if (!S_ISREG(st.st_mode)) {
1895 log_error("%s is not a regular file or block device: %m", arg_image);
1899 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
1901 log_error("Failed to open /dev/loop-control: %m");
1905 nr = ioctl(control, LOOP_CTL_GET_FREE);
1907 log_error("Failed to allocate loop device: %m");
1911 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
1914 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
1916 log_error("Failed to open loop device %s: %m", loopdev);
1920 if (ioctl(loop, LOOP_SET_FD, fd) < 0) {
1921 log_error("Failed to set loopback file descriptor on %s: %m", loopdev);
1926 info.lo_flags |= LO_FLAGS_READ_ONLY;
1928 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0) {
1929 log_error("Failed to set loopback settings on %s: %m", loopdev);
1933 *device_path = loopdev;
1944 static int dissect_image(
1946 char **root_device, bool *root_device_rw,
1947 char **home_device, bool *home_device_rw,
1948 char **srv_device, bool *srv_device_rw,
1952 int home_nr = -1, root_nr = -1, secondary_root_nr = -1, srv_nr = -1;
1953 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL;
1954 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
1955 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1956 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
1957 _cleanup_udev_unref_ struct udev *udev = NULL;
1958 struct udev_list_entry *first, *item;
1959 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true;
1960 const char *pttype = NULL;
1966 assert(root_device);
1967 assert(home_device);
1971 b = blkid_new_probe();
1976 r = blkid_probe_set_device(b, fd, 0, 0);
1981 log_error("Failed to set device on blkid probe: %m");
1985 blkid_probe_enable_partitions(b, 1);
1986 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
1989 r = blkid_do_safeprobe(b);
1990 if (r == -2 || r == 1) {
1991 log_error("Failed to identify any partition table on %s.\n"
1992 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
1994 } else if (r != 0) {
1997 log_error("Failed to probe: %m");
2001 blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
2002 if (!streq_ptr(pttype, "gpt")) {
2003 log_error("Image %s does not carry a GUID Partition Table.\n"
2004 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2009 pl = blkid_probe_get_partitions(b);
2014 log_error("Failed to list partitions of %s", arg_image);
2022 if (fstat(fd, &st) < 0) {
2023 log_error("Failed to stat block device: %m");
2027 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2031 e = udev_enumerate_new(udev);
2035 r = udev_enumerate_add_match_parent(e, d);
2039 r = udev_enumerate_scan_devices(e);
2041 log_error("Failed to scan for partition devices of %s: %s", arg_image, strerror(-r));
2045 first = udev_enumerate_get_list_entry(e);
2046 udev_list_entry_foreach(item, first) {
2047 _cleanup_udev_device_unref_ struct udev_device *q;
2048 const char *stype, *node;
2049 unsigned long long flags;
2056 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2061 log_error("Failed to get partition device of %s: %m", arg_image);
2065 qn = udev_device_get_devnum(q);
2069 if (st.st_rdev == qn)
2072 node = udev_device_get_devnode(q);
2076 pp = blkid_partlist_devno_to_partition(pl, qn);
2080 flags = blkid_partition_get_flags(pp);
2081 if (flags & GPT_FLAG_NO_AUTO)
2084 nr = blkid_partition_get_partno(pp);
2088 stype = blkid_partition_get_type_string(pp);
2092 if (sd_id128_from_string(stype, &type_id) < 0)
2095 if (sd_id128_equal(type_id, GPT_HOME)) {
2097 if (home && nr >= home_nr)
2101 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2104 home = strdup(node);
2107 } else if (sd_id128_equal(type_id, GPT_SRV)) {
2109 if (srv && nr >= srv_nr)
2113 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
2120 #ifdef GPT_ROOT_NATIVE
2121 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
2123 if (root && nr >= root_nr)
2127 root_rw = !(flags & GPT_FLAG_READ_ONLY);
2130 root = strdup(node);
2135 #ifdef GPT_ROOT_SECONDARY
2136 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
2138 if (secondary_root && nr >= secondary_root_nr)
2141 secondary_root_nr = nr;
2142 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
2145 free(secondary_root);
2146 secondary_root = strdup(node);
2147 if (!secondary_root)
2153 if (!root && !secondary_root) {
2154 log_error("Failed to identify root partition in disk image %s.\n"
2155 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2160 *root_device = root;
2163 *root_device_rw = root_rw;
2165 } else if (secondary_root) {
2166 *root_device = secondary_root;
2167 secondary_root = NULL;
2169 *root_device_rw = secondary_root_rw;
2174 *home_device = home;
2177 *home_device_rw = home_rw;
2184 *srv_device_rw = srv_rw;
2189 log_error("--image= is not supported, compiled without blkid support.");
2194 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
2196 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2197 const char *fstype, *p;
2207 p = strappenda(where, directory);
2212 b = blkid_new_probe_from_filename(what);
2216 log_error("Failed to allocate prober for %s: %m", what);
2220 blkid_probe_enable_superblocks(b, 1);
2221 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
2224 r = blkid_do_safeprobe(b);
2225 if (r == -1 || r == 1) {
2226 log_error("Cannot determine file system type of %s", what);
2228 } else if (r != 0) {
2231 log_error("Failed to probe %s: %m", what);
2236 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
2239 log_error("Failed to determine file system type of %s", what);
2243 if (streq(fstype, "crypto_LUKS")) {
2244 log_error("nspawn currently does not support LUKS disk images.");
2248 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0) {
2249 log_error("Failed to mount %s: %m", what);
2255 log_error("--image= is not supported, compiled without blkid support.");
2260 static int mount_devices(
2262 const char *root_device, bool root_device_rw,
2263 const char *home_device, bool home_device_rw,
2264 const char *srv_device, bool srv_device_rw) {
2270 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
2272 log_error("Failed to mount root directory: %s", strerror(-r));
2278 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
2280 log_error("Failed to mount home directory: %s", strerror(-r));
2286 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
2288 log_error("Failed to mount server data directory: %s", strerror(-r));
2296 static void loop_remove(int nr, int *image_fd) {
2297 _cleanup_close_ int control = -1;
2302 if (image_fd && *image_fd >= 0) {
2303 ioctl(*image_fd, LOOP_CLR_FD);
2304 *image_fd = safe_close(*image_fd);
2307 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2311 ioctl(control, LOOP_CTL_REMOVE, nr);
2314 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
2322 if (pipe2(pipe_fds, O_CLOEXEC) < 0) {
2323 log_error("Failed to allocate pipe: %m");
2329 log_error("Failed to fork getent child: %m");
2331 } else if (pid == 0) {
2333 char *empty_env = NULL;
2335 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
2336 _exit(EXIT_FAILURE);
2338 if (pipe_fds[0] > 2)
2339 safe_close(pipe_fds[0]);
2340 if (pipe_fds[1] > 2)
2341 safe_close(pipe_fds[1]);
2343 nullfd = open("/dev/null", O_RDWR);
2345 _exit(EXIT_FAILURE);
2347 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
2348 _exit(EXIT_FAILURE);
2350 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
2351 _exit(EXIT_FAILURE);
2356 reset_all_signal_handlers();
2357 close_all_fds(NULL, 0);
2359 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
2360 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
2361 _exit(EXIT_FAILURE);
2364 pipe_fds[1] = safe_close(pipe_fds[1]);
2371 static int change_uid_gid(char **_home) {
2372 char line[LINE_MAX], *w, *x, *state, *u, *g, *h;
2373 _cleanup_free_ uid_t *uids = NULL;
2374 _cleanup_free_ char *home = NULL;
2375 _cleanup_fclose_ FILE *f = NULL;
2376 _cleanup_close_ int fd = -1;
2377 unsigned n_uids = 0;
2386 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
2387 /* Reset everything fully to 0, just in case */
2389 if (setgroups(0, NULL) < 0) {
2390 log_error("setgroups() failed: %m");
2394 if (setresgid(0, 0, 0) < 0) {
2395 log_error("setregid() failed: %m");
2399 if (setresuid(0, 0, 0) < 0) {
2400 log_error("setreuid() failed: %m");
2408 /* First, get user credentials */
2409 fd = spawn_getent("passwd", arg_user, &pid);
2413 f = fdopen(fd, "r");
2418 if (!fgets(line, sizeof(line), f)) {
2421 log_error("Failed to resolve user %s.", arg_user);
2425 log_error("Failed to read from getent: %m");
2431 wait_for_terminate_and_warn("getent passwd", pid);
2433 x = strchr(line, ':');
2435 log_error("/etc/passwd entry has invalid user field.");
2439 u = strchr(x+1, ':');
2441 log_error("/etc/passwd entry has invalid password field.");
2448 log_error("/etc/passwd entry has invalid UID field.");
2456 log_error("/etc/passwd entry has invalid GID field.");
2461 h = strchr(x+1, ':');
2463 log_error("/etc/passwd entry has invalid GECOS field.");
2470 log_error("/etc/passwd entry has invalid home directory field.");
2476 r = parse_uid(u, &uid);
2478 log_error("Failed to parse UID of user.");
2482 r = parse_gid(g, &gid);
2484 log_error("Failed to parse GID of user.");
2492 /* Second, get group memberships */
2493 fd = spawn_getent("initgroups", arg_user, &pid);
2498 f = fdopen(fd, "r");
2503 if (!fgets(line, sizeof(line), f)) {
2505 log_error("Failed to resolve user %s.", arg_user);
2509 log_error("Failed to read from getent: %m");
2515 wait_for_terminate_and_warn("getent initgroups", pid);
2517 /* Skip over the username and subsequent separator whitespace */
2519 x += strcspn(x, WHITESPACE);
2520 x += strspn(x, WHITESPACE);
2522 FOREACH_WORD(w, l, x, state) {
2528 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
2531 r = parse_uid(c, &uids[n_uids++]);
2533 log_error("Failed to parse group data from getent.");
2538 r = mkdir_parents(home, 0775);
2540 log_error("Failed to make home root directory: %s", strerror(-r));
2544 r = mkdir_safe(home, 0755, uid, gid);
2545 if (r < 0 && r != -EEXIST) {
2546 log_error("Failed to make home directory: %s", strerror(-r));
2550 fchown(STDIN_FILENO, uid, gid);
2551 fchown(STDOUT_FILENO, uid, gid);
2552 fchown(STDERR_FILENO, uid, gid);
2554 if (setgroups(n_uids, uids) < 0) {
2555 log_error("Failed to set auxiliary groups: %m");
2559 if (setresgid(gid, gid, gid) < 0) {
2560 log_error("setregid() failed: %m");
2564 if (setresuid(uid, uid, uid) < 0) {
2565 log_error("setreuid() failed: %m");
2578 * Return 0 in case the container is being rebooted, has been shut
2579 * down or exited successfully. On failures a negative value is
2582 * The status of the container "CONTAINER_TERMINATED" or
2583 * "CONTAINER_REBOOTED" will be saved in the container argument
2585 static int wait_for_container(pid_t pid, ContainerStatus *container) {
2589 r = wait_for_terminate(pid, &status);
2593 switch (status.si_code) {
2595 r = status.si_status;
2598 log_debug("Container %s exited successfully.",
2601 *container = CONTAINER_TERMINATED;
2603 log_error("Container %s failed with error code %i.",
2604 arg_machine, status.si_status);
2610 if (status.si_status == SIGINT) {
2612 log_info("Container %s has been shut down.",
2615 *container = CONTAINER_TERMINATED;
2618 } else if (status.si_status == SIGHUP) {
2620 log_info("Container %s is being rebooted.",
2623 *container = CONTAINER_REBOOTED;
2627 /* CLD_KILLED fallthrough */
2630 log_error("Container %s terminated by signal %s.",
2631 arg_machine, signal_to_string(status.si_status));
2636 log_error("Container %s failed due to unknown reason.",
2645 int main(int argc, char *argv[]) {
2647 _cleanup_free_ char *kdbus_domain = NULL, *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
2648 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
2649 _cleanup_close_ int master = -1, kdbus_fd = -1, image_fd = -1;
2650 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 };
2651 _cleanup_fdset_free_ FDSet *fds = NULL;
2652 int r = EXIT_FAILURE, k, n_fd_passed, loop_nr = -1;
2653 const char *console = NULL;
2654 char veth_name[IFNAMSIZ];
2655 bool secondary = false;
2659 log_parse_environment();
2662 k = parse_argv(argc, argv);
2671 if (arg_directory) {
2674 p = path_make_absolute_cwd(arg_directory);
2675 free(arg_directory);
2678 arg_directory = get_current_dir_name();
2680 if (!arg_directory) {
2681 log_error("Failed to determine path, please use -D.");
2684 path_kill_slashes(arg_directory);
2688 arg_machine = strdup(basename(arg_image ? arg_image : arg_directory));
2694 hostname_cleanup(arg_machine, false);
2695 if (isempty(arg_machine)) {
2696 log_error("Failed to determine machine name automatically, please use -M.");
2701 if (geteuid() != 0) {
2702 log_error("Need to be root.");
2706 if (sd_booted() <= 0) {
2707 log_error("Not running on a systemd system.");
2712 n_fd_passed = sd_listen_fds(false);
2713 if (n_fd_passed > 0) {
2714 k = fdset_new_listen_fds(&fds, false);
2716 log_error("Failed to collect file descriptors: %s", strerror(-k));
2720 fdset_close_others(fds);
2723 if (arg_directory) {
2724 if (path_equal(arg_directory, "/")) {
2725 log_error("Spawning container on root directory not supported.");
2730 if (path_is_os_tree(arg_directory) <= 0) {
2731 log_error("Directory %s doesn't look like an OS root directory (/etc/os-release is missing). Refusing.", arg_directory);
2737 p = strappenda(arg_directory,
2738 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
2739 if (access(p, F_OK) < 0) {
2740 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
2746 char template[] = "/tmp/nspawn-root-XXXXXX";
2748 if (!mkdtemp(template)) {
2749 log_error("Failed to create temporary directory: %m");
2754 arg_directory = strdup(template);
2755 if (!arg_directory) {
2760 image_fd = setup_image(&device_path, &loop_nr);
2766 r = dissect_image(image_fd, &root_device, &root_device_rw, &home_device, &home_device_rw, &srv_device, &srv_device_rw, &secondary);
2771 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
2773 log_error("Failed to acquire pseudo tty: %m");
2777 console = ptsname(master);
2779 log_error("Failed to determine tty name: %m");
2784 log_info("Spawning container %s on %s. Press ^] three times within 1s to abort execution.", arg_machine, arg_image ? arg_image : arg_directory);
2786 if (unlockpt(master) < 0) {
2787 log_error("Failed to unlock tty: %m");
2791 if (access("/dev/kdbus/control", F_OK) >= 0) {
2793 if (arg_share_system) {
2794 kdbus_domain = strdup("/dev/kdbus");
2795 if (!kdbus_domain) {
2802 ns = strappenda("machine-", arg_machine);
2803 kdbus_fd = bus_kernel_create_domain(ns, &kdbus_domain);
2805 log_debug("Failed to create kdbus domain: %s", strerror(-r));
2807 log_debug("Successfully created kdbus domain as %s", kdbus_domain);
2811 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
2812 log_error("Failed to create kmsg socket pair: %m");
2816 sd_notify(0, "READY=1");
2818 assert_se(sigemptyset(&mask) == 0);
2819 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
2820 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
2823 ContainerStatus container_status;
2824 int parent_ready_fd = -1, child_ready_fd = -1;
2827 parent_ready_fd = eventfd(0, EFD_CLOEXEC);
2828 if (parent_ready_fd < 0) {
2829 log_error("Failed to create event fd: %m");
2833 child_ready_fd = eventfd(0, EFD_CLOEXEC);
2834 if (child_ready_fd < 0) {
2835 log_error("Failed to create event fd: %m");
2839 pid = syscall(__NR_clone,
2840 SIGCHLD|CLONE_NEWNS|
2841 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
2842 (arg_private_network ? CLONE_NEWNET : 0), NULL);
2844 if (errno == EINVAL)
2845 log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
2847 log_error("clone() failed: %m");
2854 _cleanup_free_ char *home = NULL;
2856 const char *envp[] = {
2857 "PATH=" DEFAULT_PATH_SPLIT_USR,
2858 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
2863 NULL, /* container_uuid */
2864 NULL, /* LISTEN_FDS */
2865 NULL, /* LISTEN_PID */
2870 envp[n_env] = strv_find_prefix(environ, "TERM=");
2874 master = safe_close(master);
2876 close_nointr(STDIN_FILENO);
2877 close_nointr(STDOUT_FILENO);
2878 close_nointr(STDERR_FILENO);
2880 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
2882 reset_all_signal_handlers();
2884 assert_se(sigemptyset(&mask) == 0);
2885 assert_se(sigprocmask(SIG_SETMASK, &mask, NULL) == 0);
2887 k = open_terminal(console, O_RDWR);
2888 if (k != STDIN_FILENO) {
2894 log_error("Failed to open console: %s", strerror(-k));
2898 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
2899 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
2900 log_error("Failed to duplicate console: %m");
2905 log_error("setsid() failed: %m");
2909 if (reset_audit_loginuid() < 0)
2912 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
2913 log_error("PR_SET_PDEATHSIG failed: %m");
2917 /* Mark everything as slave, so that we still
2918 * receive mounts from the real root, but don't
2919 * propagate mounts to the real root. */
2920 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
2921 log_error("MS_SLAVE|MS_REC failed: %m");
2925 if (mount_devices(arg_directory,
2926 root_device, root_device_rw,
2927 home_device, home_device_rw,
2928 srv_device, srv_device_rw) < 0)
2931 /* Turn directory into bind mount */
2932 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
2933 log_error("Failed to make bind mount.");
2938 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) {
2939 log_error("Failed to make read-only.");
2943 if (mount_all(arg_directory) < 0)
2946 if (copy_devnodes(arg_directory) < 0)
2949 if (setup_ptmx(arg_directory) < 0)
2952 dev_setup(arg_directory);
2954 if (audit_still_doesnt_work_in_containers() < 0)
2957 if (setup_dev_console(arg_directory, console) < 0)
2960 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
2963 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
2965 if (setup_boot_id(arg_directory) < 0)
2968 if (setup_timezone(arg_directory) < 0)
2971 if (setup_resolv_conf(arg_directory) < 0)
2974 if (setup_journal(arg_directory) < 0)
2977 if (mount_binds(arg_directory, arg_bind, 0) < 0)
2980 if (mount_binds(arg_directory, arg_bind_ro, MS_RDONLY) < 0)
2983 if (setup_kdbus(arg_directory, kdbus_domain) < 0)
2986 /* Tell the parent that we are ready, and that
2987 * it can cgroupify us to that we lack access
2988 * to certain devices and resources. */
2989 eventfd_write(child_ready_fd, 1);
2990 child_ready_fd = safe_close(child_ready_fd);
2992 if (chdir(arg_directory) < 0) {
2993 log_error("chdir(%s) failed: %m", arg_directory);
2997 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
2998 log_error("mount(MS_MOVE) failed: %m");
3002 if (chroot(".") < 0) {
3003 log_error("chroot() failed: %m");
3007 if (chdir("/") < 0) {
3008 log_error("chdir() failed: %m");
3014 if (arg_private_network)
3017 if (drop_capabilities() < 0) {
3018 log_error("drop_capabilities() failed: %m");
3022 r = change_uid_gid(&home);
3026 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
3027 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
3028 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
3033 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
3036 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
3042 if (fdset_size(fds) > 0) {
3043 k = fdset_cloexec(fds, false);
3045 log_error("Failed to unset O_CLOEXEC for file descriptors.");
3049 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
3050 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
3058 if (arg_personality != 0xffffffffLU) {
3059 if (personality(arg_personality) < 0) {
3060 log_error("personality() failed: %m");
3063 } else if (secondary) {
3064 if (personality(PER_LINUX32) < 0) {
3065 log_error("personality() failed: %m");
3071 if (arg_selinux_context)
3072 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
3073 log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
3078 if (!strv_isempty(arg_setenv)) {
3081 n = strv_env_merge(2, envp, arg_setenv);
3089 env_use = (char**) envp;
3091 /* Wait until the parent is ready with the setup, too... */
3092 eventfd_read(parent_ready_fd, &x);
3093 parent_ready_fd = safe_close(parent_ready_fd);
3099 /* Automatically search for the init system */
3101 l = 1 + argc - optind;
3102 a = newa(char*, l + 1);
3103 memcpy(a + 1, argv + optind, l * sizeof(char*));
3105 a[0] = (char*) "/usr/lib/systemd/systemd";
3106 execve(a[0], a, env_use);
3108 a[0] = (char*) "/lib/systemd/systemd";
3109 execve(a[0], a, env_use);
3111 a[0] = (char*) "/sbin/init";
3112 execve(a[0], a, env_use);
3113 } else if (argc > optind)
3114 execvpe(argv[optind], argv + optind, env_use);
3116 chdir(home ? home : "/root");
3117 execle("/bin/bash", "-bash", NULL, env_use);
3118 execle("/bin/sh", "-sh", NULL, env_use);
3121 log_error("execv() failed: %m");
3124 _exit(EXIT_FAILURE);
3130 /* Wait until the child reported that it is ready with
3131 * all it needs to do with privileges. After we got
3132 * the notification we can make the process join its
3133 * cgroup which might limit what it can do */
3134 eventfd_read(child_ready_fd, &x);
3136 r = register_machine(pid);
3140 r = move_network_interfaces(pid);
3144 r = setup_veth(pid, veth_name);
3148 r = setup_bridge(veth_name);
3152 r = setup_macvlan(pid);
3156 /* Notify the child that the parent is ready with all
3157 * its setup, and thtat the child can now hand over
3158 * control to the code to run inside the container. */
3159 eventfd_write(parent_ready_fd, 1);
3161 k = process_pty(master, &mask, arg_boot ? pid : 0, SIGRTMIN+3);
3170 /* Kill if it is not dead yet anyway */
3171 terminate_machine(pid);
3173 /* Redundant, but better safe than sorry */
3176 r = wait_for_container(pid, &container_status);
3182 } else if (container_status == CONTAINER_TERMINATED)
3185 /* CONTAINER_REBOOTED, loop again */
3189 loop_remove(loop_nr, &image_fd);
3194 free(arg_directory);
3197 strv_free(arg_setenv);
3198 strv_free(arg_network_interfaces);
3199 strv_free(arg_network_macvlan);
3200 strv_free(arg_bind);
3201 strv_free(arg_bind_ro);
~ianmdlvl / elogind.git / blob