1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
36 #include <sys/signalfd.h>
40 #include <sys/socket.h>
41 #include <linux/netlink.h>
43 #include <linux/veth.h>
44 #include <sys/personality.h>
45 #include <linux/loop.h>
50 #include <selinux/selinux.h>
58 #include <blkid/blkid.h>
61 #include "sd-daemon.h"
71 #include "cgroup-util.h"
73 #include "path-util.h"
74 #include "loopback-setup.h"
75 #include "dev-setup.h"
80 #include "bus-error.h"
82 #include "bus-kernel.h"
85 #include "rtnl-util.h"
86 #include "udev-util.h"
87 #include "blkid-util.h"
89 #include "siphash24.h"
91 #include "base-filesystem.h"
93 #include "event-util.h"
94 #include "capability.h"
96 #include "btrfs-util.h"
97 #include "machine-image.h"
99 #include "in-addr-util.h"
101 #include "local-addresses.h"
104 #include "seccomp-util.h"
107 typedef struct ExposePort {
110 uint16_t container_port;
111 LIST_FIELDS(struct ExposePort, ports);
114 typedef enum ContainerStatus {
115 CONTAINER_TERMINATED,
119 typedef enum LinkJournal {
126 typedef enum Volatile {
132 static char *arg_directory = NULL;
133 static char *arg_template = NULL;
134 static char *arg_user = NULL;
135 static sd_id128_t arg_uuid = {};
136 static char *arg_machine = NULL;
137 static const char *arg_selinux_context = NULL;
138 static const char *arg_selinux_apifs_context = NULL;
139 static const char *arg_slice = NULL;
140 static bool arg_private_network = false;
141 static bool arg_read_only = false;
142 static bool arg_boot = false;
143 static bool arg_ephemeral = false;
144 static LinkJournal arg_link_journal = LINK_AUTO;
145 static bool arg_link_journal_try = false;
146 static uint64_t arg_retain =
147 (1ULL << CAP_CHOWN) |
148 (1ULL << CAP_DAC_OVERRIDE) |
149 (1ULL << CAP_DAC_READ_SEARCH) |
150 (1ULL << CAP_FOWNER) |
151 (1ULL << CAP_FSETID) |
152 (1ULL << CAP_IPC_OWNER) |
154 (1ULL << CAP_LEASE) |
155 (1ULL << CAP_LINUX_IMMUTABLE) |
156 (1ULL << CAP_NET_BIND_SERVICE) |
157 (1ULL << CAP_NET_BROADCAST) |
158 (1ULL << CAP_NET_RAW) |
159 (1ULL << CAP_SETGID) |
160 (1ULL << CAP_SETFCAP) |
161 (1ULL << CAP_SETPCAP) |
162 (1ULL << CAP_SETUID) |
163 (1ULL << CAP_SYS_ADMIN) |
164 (1ULL << CAP_SYS_CHROOT) |
165 (1ULL << CAP_SYS_NICE) |
166 (1ULL << CAP_SYS_PTRACE) |
167 (1ULL << CAP_SYS_TTY_CONFIG) |
168 (1ULL << CAP_SYS_RESOURCE) |
169 (1ULL << CAP_SYS_BOOT) |
170 (1ULL << CAP_AUDIT_WRITE) |
171 (1ULL << CAP_AUDIT_CONTROL) |
173 static char **arg_bind = NULL;
174 static char **arg_bind_ro = NULL;
175 static char **arg_tmpfs = NULL;
176 static char **arg_setenv = NULL;
177 static bool arg_quiet = false;
178 static bool arg_share_system = false;
179 static bool arg_register = true;
180 static bool arg_keep_unit = false;
181 static char **arg_network_interfaces = NULL;
182 static char **arg_network_macvlan = NULL;
183 static char **arg_network_ipvlan = NULL;
184 static bool arg_network_veth = false;
185 static const char *arg_network_bridge = NULL;
186 static unsigned long arg_personality = 0xffffffffLU;
187 static char *arg_image = NULL;
188 static Volatile arg_volatile = VOLATILE_NO;
189 static ExposePort *arg_expose_ports = NULL;
190 static char **arg_property = NULL;
192 static void help(void) {
193 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
194 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
195 " -h --help Show this help\n"
196 " --version Print version string\n"
197 " -q --quiet Do not show status information\n"
198 " -D --directory=PATH Root directory for the container\n"
199 " --template=PATH Initialize root directory from template directory,\n"
201 " -x --ephemeral Run container with snapshot of root directory, and\n"
202 " remove it after exit\n"
203 " -i --image=PATH File system device or disk image for the container\n"
204 " -b --boot Boot up full system (i.e. invoke init)\n"
205 " -u --user=USER Run the command under specified user or uid\n"
206 " -M --machine=NAME Set the machine name for the container\n"
207 " --uuid=UUID Set a specific machine UUID for the container\n"
208 " -S --slice=SLICE Place the container in the specified slice\n"
209 " --property=NAME=VALUE Set scope unit property\n"
210 " --private-network Disable network in container\n"
211 " --network-interface=INTERFACE\n"
212 " Assign an existing network interface to the\n"
214 " --network-macvlan=INTERFACE\n"
215 " Create a macvlan network interface based on an\n"
216 " existing network interface to the container\n"
217 " --network-ipvlan=INTERFACE\n"
218 " Create a ipvlan network interface based on an\n"
219 " existing network interface to the container\n"
220 " -n --network-veth Add a virtual ethernet connection between host\n"
222 " --network-bridge=INTERFACE\n"
223 " Add a virtual ethernet connection between host\n"
224 " and container and add it to an existing bridge on\n"
226 " -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
227 " Expose a container IP port on the host\n"
228 " -Z --selinux-context=SECLABEL\n"
229 " Set the SELinux security context to be used by\n"
230 " processes in the container\n"
231 " -L --selinux-apifs-context=SECLABEL\n"
232 " Set the SELinux security context to be used by\n"
233 " API/tmpfs file systems in the container\n"
234 " --capability=CAP In addition to the default, retain specified\n"
236 " --drop-capability=CAP Drop the specified capability from the default set\n"
237 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host,\n"
238 " try-guest, try-host\n"
239 " -j Equivalent to --link-journal=try-guest\n"
240 " --read-only Mount the root directory read-only\n"
241 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
243 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
244 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
245 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
246 " --share-system Share system namespaces with host\n"
247 " --register=BOOLEAN Register container as machine\n"
248 " --keep-unit Do not register a scope for the machine, reuse\n"
249 " the service unit nspawn is running in\n"
250 " --volatile[=MODE] Run the system in volatile mode\n"
251 , program_invocation_short_name);
254 static int set_sanitized_path(char **b, const char *path) {
260 p = canonicalize_file_name(path);
265 p = path_make_absolute_cwd(path);
271 *b = path_kill_slashes(p);
275 static int parse_argv(int argc, char *argv[]) {
292 ARG_NETWORK_INTERFACE,
302 static const struct option options[] = {
303 { "help", no_argument, NULL, 'h' },
304 { "version", no_argument, NULL, ARG_VERSION },
305 { "directory", required_argument, NULL, 'D' },
306 { "template", required_argument, NULL, ARG_TEMPLATE },
307 { "ephemeral", no_argument, NULL, 'x' },
308 { "user", required_argument, NULL, 'u' },
309 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
310 { "boot", no_argument, NULL, 'b' },
311 { "uuid", required_argument, NULL, ARG_UUID },
312 { "read-only", no_argument, NULL, ARG_READ_ONLY },
313 { "capability", required_argument, NULL, ARG_CAPABILITY },
314 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
315 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
316 { "bind", required_argument, NULL, ARG_BIND },
317 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
318 { "tmpfs", required_argument, NULL, ARG_TMPFS },
319 { "machine", required_argument, NULL, 'M' },
320 { "slice", required_argument, NULL, 'S' },
321 { "setenv", required_argument, NULL, ARG_SETENV },
322 { "selinux-context", required_argument, NULL, 'Z' },
323 { "selinux-apifs-context", required_argument, NULL, 'L' },
324 { "quiet", no_argument, NULL, 'q' },
325 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
326 { "register", required_argument, NULL, ARG_REGISTER },
327 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
328 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
329 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
330 { "network-ipvlan", required_argument, NULL, ARG_NETWORK_IPVLAN },
331 { "network-veth", no_argument, NULL, 'n' },
332 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
333 { "personality", required_argument, NULL, ARG_PERSONALITY },
334 { "image", required_argument, NULL, 'i' },
335 { "volatile", optional_argument, NULL, ARG_VOLATILE },
336 { "port", required_argument, NULL, 'p' },
337 { "property", required_argument, NULL, ARG_PROPERTY },
342 uint64_t plus = 0, minus = 0;
347 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:xp:n", options, NULL)) >= 0)
356 puts(PACKAGE_STRING);
357 puts(SYSTEMD_FEATURES);
361 r = set_sanitized_path(&arg_directory, optarg);
363 return log_error_errno(r, "Invalid root directory: %m");
368 r = set_sanitized_path(&arg_template, optarg);
370 return log_error_errno(r, "Invalid template directory: %m");
375 r = set_sanitized_path(&arg_image, optarg);
377 return log_error_errno(r, "Invalid image path: %m");
382 arg_ephemeral = true;
387 arg_user = strdup(optarg);
393 case ARG_NETWORK_BRIDGE:
394 arg_network_bridge = optarg;
399 arg_network_veth = true;
400 arg_private_network = true;
403 case ARG_NETWORK_INTERFACE:
404 if (strv_extend(&arg_network_interfaces, optarg) < 0)
407 arg_private_network = true;
410 case ARG_NETWORK_MACVLAN:
411 if (strv_extend(&arg_network_macvlan, optarg) < 0)
414 arg_private_network = true;
417 case ARG_NETWORK_IPVLAN:
418 if (strv_extend(&arg_network_ipvlan, optarg) < 0)
423 case ARG_PRIVATE_NETWORK:
424 arg_private_network = true;
432 r = sd_id128_from_string(optarg, &arg_uuid);
434 log_error("Invalid UUID: %s", optarg);
444 if (isempty(optarg)) {
448 if (!machine_name_is_valid(optarg)) {
449 log_error("Invalid machine name: %s", optarg);
453 r = free_and_strdup(&arg_machine, optarg);
461 arg_selinux_context = optarg;
465 arg_selinux_apifs_context = optarg;
469 arg_read_only = true;
473 case ARG_DROP_CAPABILITY: {
474 const char *state, *word;
477 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
478 _cleanup_free_ char *t;
480 t = strndup(word, length);
484 if (streq(t, "all")) {
485 if (c == ARG_CAPABILITY)
486 plus = (uint64_t) -1;
488 minus = (uint64_t) -1;
492 cap = capability_from_name(t);
494 log_error("Failed to parse capability %s.", t);
498 if (c == ARG_CAPABILITY)
499 plus |= 1ULL << (uint64_t) cap;
501 minus |= 1ULL << (uint64_t) cap;
509 arg_link_journal = LINK_GUEST;
510 arg_link_journal_try = true;
513 case ARG_LINK_JOURNAL:
514 if (streq(optarg, "auto")) {
515 arg_link_journal = LINK_AUTO;
516 arg_link_journal_try = false;
517 } else if (streq(optarg, "no")) {
518 arg_link_journal = LINK_NO;
519 arg_link_journal_try = false;
520 } else if (streq(optarg, "guest")) {
521 arg_link_journal = LINK_GUEST;
522 arg_link_journal_try = false;
523 } else if (streq(optarg, "host")) {
524 arg_link_journal = LINK_HOST;
525 arg_link_journal_try = false;
526 } else if (streq(optarg, "try-guest")) {
527 arg_link_journal = LINK_GUEST;
528 arg_link_journal_try = true;
529 } else if (streq(optarg, "try-host")) {
530 arg_link_journal = LINK_HOST;
531 arg_link_journal_try = true;
533 log_error("Failed to parse link journal mode %s", optarg);
541 _cleanup_free_ char *a = NULL, *b = NULL;
545 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
547 e = strchr(optarg, ':');
549 a = strndup(optarg, e - optarg);
559 if (!path_is_absolute(a) || !path_is_absolute(b)) {
560 log_error("Invalid bind mount specification: %s", optarg);
564 r = strv_extend(x, a);
568 r = strv_extend(x, b);
576 _cleanup_free_ char *a = NULL, *b = NULL;
579 e = strchr(optarg, ':');
581 a = strndup(optarg, e - optarg);
585 b = strdup("mode=0755");
591 if (!path_is_absolute(a)) {
592 log_error("Invalid tmpfs specification: %s", optarg);
596 r = strv_push(&arg_tmpfs, a);
602 r = strv_push(&arg_tmpfs, b);
614 if (!env_assignment_is_valid(optarg)) {
615 log_error("Environment variable assignment '%s' is not valid.", optarg);
619 n = strv_env_set(arg_setenv, optarg);
623 strv_free(arg_setenv);
632 case ARG_SHARE_SYSTEM:
633 arg_share_system = true;
637 r = parse_boolean(optarg);
639 log_error("Failed to parse --register= argument: %s", optarg);
647 arg_keep_unit = true;
650 case ARG_PERSONALITY:
652 arg_personality = personality_from_string(optarg);
653 if (arg_personality == 0xffffffffLU) {
654 log_error("Unknown or unsupported personality '%s'.", optarg);
663 arg_volatile = VOLATILE_YES;
665 r = parse_boolean(optarg);
667 if (streq(optarg, "state"))
668 arg_volatile = VOLATILE_STATE;
670 log_error("Failed to parse --volatile= argument: %s", optarg);
674 arg_volatile = r ? VOLATILE_YES : VOLATILE_NO;
680 const char *split, *e;
681 uint16_t container_port, host_port;
685 if ((e = startswith(optarg, "tcp:")))
686 protocol = IPPROTO_TCP;
687 else if ((e = startswith(optarg, "udp:")))
688 protocol = IPPROTO_UDP;
691 protocol = IPPROTO_TCP;
694 split = strchr(e, ':');
696 char v[split - e + 1];
698 memcpy(v, e, split - e);
701 r = safe_atou16(v, &host_port);
702 if (r < 0 || host_port <= 0) {
703 log_error("Failed to parse host port: %s", optarg);
707 r = safe_atou16(split + 1, &container_port);
709 r = safe_atou16(e, &container_port);
710 host_port = container_port;
713 if (r < 0 || container_port <= 0) {
714 log_error("Failed to parse host port: %s", optarg);
718 LIST_FOREACH(ports, p, arg_expose_ports) {
719 if (p->protocol == protocol && p->host_port == host_port) {
720 log_error("Duplicate port specification: %s", optarg);
725 p = new(ExposePort, 1);
729 p->protocol = protocol;
730 p->host_port = host_port;
731 p->container_port = container_port;
733 LIST_PREPEND(ports, arg_expose_ports, p);
739 if (strv_extend(&arg_property, optarg) < 0)
748 assert_not_reached("Unhandled option");
751 if (arg_share_system)
752 arg_register = false;
754 if (arg_boot && arg_share_system) {
755 log_error("--boot and --share-system may not be combined.");
759 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
760 log_error("--keep-unit may not be used when invoked from a user session.");
764 if (arg_directory && arg_image) {
765 log_error("--directory= and --image= may not be combined.");
769 if (arg_template && arg_image) {
770 log_error("--template= and --image= may not be combined.");
774 if (arg_template && !(arg_directory || arg_machine)) {
775 log_error("--template= needs --directory= or --machine=.");
779 if (arg_ephemeral && arg_template) {
780 log_error("--ephemeral and --template= may not be combined.");
784 if (arg_ephemeral && arg_image) {
785 log_error("--ephemeral and --image= may not be combined.");
789 if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO)) {
790 log_error("--ephemeral and --link-journal= may not be combined.");
794 if (arg_volatile != VOLATILE_NO && arg_read_only) {
795 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
799 if (arg_expose_ports && !arg_private_network) {
800 log_error("Cannot use --port= without private networking.");
804 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
809 static int mount_all(const char *dest) {
811 typedef struct MountPoint {
820 static const MountPoint mount_table[] = {
821 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
822 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
823 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
824 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
825 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
826 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
827 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
828 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
829 { "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true },
831 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
832 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
839 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
840 _cleanup_free_ char *where = NULL;
842 _cleanup_free_ char *options = NULL;
847 where = strjoin(dest, "/", mount_table[k].where, NULL);
851 t = path_is_mount_point(where, true);
853 log_error_errno(t, "Failed to detect whether %s is a mount point: %m", where);
861 /* Skip this entry if it is not a remount. */
862 if (mount_table[k].what && t > 0)
865 t = mkdir_p(where, 0755);
867 if (mount_table[k].fatal) {
868 log_error_errno(t, "Failed to create directory %s: %m", where);
873 log_warning_errno(t, "Failed to create directory %s: %m", where);
879 if (arg_selinux_apifs_context &&
880 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
881 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
888 o = mount_table[k].options;
891 if (mount(mount_table[k].what,
894 mount_table[k].flags,
897 if (mount_table[k].fatal) {
898 log_error_errno(errno, "mount(%s) failed: %m", where);
903 log_warning_errno(errno, "mount(%s) failed: %m", where);
910 static int mount_binds(const char *dest, char **l, bool ro) {
913 STRV_FOREACH_PAIR(x, y, l) {
914 _cleanup_free_ char *where = NULL;
915 struct stat source_st, dest_st;
918 if (stat(*x, &source_st) < 0)
919 return log_error_errno(errno, "Failed to stat %s: %m", *x);
921 where = strappend(dest, *y);
925 r = stat(where, &dest_st);
927 if (S_ISDIR(source_st.st_mode) && !S_ISDIR(dest_st.st_mode)) {
928 log_error("Cannot bind mount directory %s on file %s.", *x, where);
931 if (!S_ISDIR(source_st.st_mode) && S_ISDIR(dest_st.st_mode)) {
932 log_error("Cannot bind mount file %s on directory %s.", *x, where);
935 } else if (errno == ENOENT) {
936 r = mkdir_parents_label(where, 0755);
938 return log_error_errno(r, "Failed to bind mount %s: %m", *x);
940 log_error_errno(errno, "Failed to bind mount %s: %m", *x);
944 /* Create the mount point. Any non-directory file can be
945 * mounted on any non-directory file (regular, fifo, socket,
948 if (S_ISDIR(source_st.st_mode)) {
949 r = mkdir_label(where, 0755);
950 if (r < 0 && errno != EEXIST)
951 return log_error_errno(r, "Failed to create mount point %s: %m", where);
955 return log_error_errno(r, "Failed to create mount point %s: %m", where);
958 if (mount(*x, where, "bind", MS_BIND, NULL) < 0)
959 return log_error_errno(errno, "mount(%s) failed: %m", where);
962 r = bind_remount_recursive(where, true);
964 return log_error_errno(r, "Read-Only bind mount failed: %m");
971 static int mount_cgroup_hierarchy(const char *dest, const char *controller, const char *hierarchy, bool read_only) {
975 to = strjoina(dest, "/sys/fs/cgroup/", hierarchy);
977 r = path_is_mount_point(to, false);
979 return log_error_errno(r, "Failed to determine if %s is mounted already: %m", to);
985 /* The superblock mount options of the mount point need to be
986 * identical to the hosts', and hence writable... */
987 if (mount("cgroup", to, "cgroup", MS_NOSUID|MS_NOEXEC|MS_NODEV, controller) < 0)
988 return log_error_errno(errno, "Failed to mount to %s: %m", to);
990 /* ... hence let's only make the bind mount read-only, not the
993 if (mount(NULL, to, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, NULL) < 0)
994 return log_error_errno(errno, "Failed to remount %s read-only: %m", to);
999 static int mount_cgroup(const char *dest) {
1000 _cleanup_set_free_free_ Set *controllers = NULL;
1001 _cleanup_free_ char *own_cgroup_path = NULL;
1002 const char *cgroup_root, *systemd_root, *systemd_own;
1005 controllers = set_new(&string_hash_ops);
1009 r = cg_kernel_controllers(controllers);
1011 return log_error_errno(r, "Failed to determine cgroup controllers: %m");
1013 r = cg_pid_get_path(NULL, 0, &own_cgroup_path);
1015 return log_error_errno(r, "Failed to determine our own cgroup path: %m");
1017 cgroup_root = strjoina(dest, "/sys/fs/cgroup");
1018 if (mount("tmpfs", cgroup_root, "tmpfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, "mode=755") < 0)
1019 return log_error_errno(errno, "Failed to mount tmpfs to /sys/fs/cgroup: %m");
1022 _cleanup_free_ char *controller = NULL, *origin = NULL, *combined = NULL;
1024 controller = set_steal_first(controllers);
1028 origin = strappend("/sys/fs/cgroup/", controller);
1032 r = readlink_malloc(origin, &combined);
1034 /* Not a symbolic link, but directly a single cgroup hierarchy */
1036 r = mount_cgroup_hierarchy(dest, controller, controller, true);
1041 return log_error_errno(r, "Failed to read link %s: %m", origin);
1043 _cleanup_free_ char *target = NULL;
1045 target = strjoin(dest, "/sys/fs/cgroup/", controller, NULL);
1049 /* A symbolic link, a combination of controllers in one hierarchy */
1051 if (!filename_is_valid(combined)) {
1052 log_warning("Ignoring invalid combined hierarchy %s.", combined);
1056 r = mount_cgroup_hierarchy(dest, combined, combined, true);
1060 if (symlink(combined, target) < 0)
1061 return log_error_errno(errno, "Failed to create symlink for combined hierarchy: %m");
1065 r = mount_cgroup_hierarchy(dest, "name=systemd,xattr", "systemd", false);
1069 /* Make our own cgroup a (writable) bind mount */
1070 systemd_own = strjoina(dest, "/sys/fs/cgroup/systemd", own_cgroup_path);
1071 if (mount(systemd_own, systemd_own, NULL, MS_BIND, NULL) < 0)
1072 return log_error_errno(errno, "Failed to turn %s into a bind mount: %m", own_cgroup_path);
1074 /* And then remount the systemd cgroup root read-only */
1075 systemd_root = strjoina(dest, "/sys/fs/cgroup/systemd");
1076 if (mount(NULL, systemd_root, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, NULL) < 0)
1077 return log_error_errno(errno, "Failed to mount cgroup root read-only: %m");
1079 if (mount(NULL, cgroup_root, NULL, MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755") < 0)
1080 return log_error_errno(errno, "Failed to remount %s read-only: %m", cgroup_root);
1085 static int mount_tmpfs(const char *dest) {
1088 STRV_FOREACH_PAIR(i, o, arg_tmpfs) {
1089 _cleanup_free_ char *where = NULL;
1092 where = strappend(dest, *i);
1096 r = mkdir_label(where, 0755);
1097 if (r < 0 && r != -EEXIST)
1098 return log_error_errno(r, "Creating mount point for tmpfs %s failed: %m", where);
1100 if (mount("tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, *o) < 0)
1101 return log_error_errno(errno, "tmpfs mount to %s failed: %m", where);
1107 static int setup_timezone(const char *dest) {
1108 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
1114 /* Fix the timezone, if possible */
1115 r = readlink_malloc("/etc/localtime", &p);
1117 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
1121 z = path_startswith(p, "../usr/share/zoneinfo/");
1123 z = path_startswith(p, "/usr/share/zoneinfo/");
1125 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
1129 where = strappend(dest, "/etc/localtime");
1133 r = readlink_malloc(where, &q);
1135 y = path_startswith(q, "../usr/share/zoneinfo/");
1137 y = path_startswith(q, "/usr/share/zoneinfo/");
1139 /* Already pointing to the right place? Then do nothing .. */
1140 if (y && streq(y, z))
1144 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
1148 if (access(check, F_OK) < 0) {
1149 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
1153 what = strappend("../usr/share/zoneinfo/", z);
1157 r = mkdir_parents(where, 0755);
1159 log_error_errno(r, "Failed to create directory for timezone info %s in container: %m", where);
1165 if (r < 0 && errno != ENOENT) {
1166 log_error_errno(errno, "Failed to remove existing timezone info %s in container: %m", where);
1171 if (symlink(what, where) < 0) {
1172 log_error_errno(errno, "Failed to correct timezone of container: %m");
1179 static int setup_resolv_conf(const char *dest) {
1180 _cleanup_free_ char *where = NULL;
1185 if (arg_private_network)
1188 /* Fix resolv.conf, if possible */
1189 where = strappend(dest, "/etc/resolv.conf");
1193 /* We don't really care for the results of this really. If it
1194 * fails, it fails, but meh... */
1195 r = mkdir_parents(where, 0755);
1197 log_warning_errno(r, "Failed to create parent directory for resolv.conf %s: %m", where);
1202 r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644, 0);
1204 log_warning_errno(r, "Failed to copy /etc/resolv.conf to %s: %m", where);
1212 static int setup_volatile_state(const char *directory) {
1218 if (arg_volatile != VOLATILE_STATE)
1221 /* --volatile=state means we simply overmount /var
1222 with a tmpfs, and the rest read-only. */
1224 r = bind_remount_recursive(directory, true);
1226 return log_error_errno(r, "Failed to remount %s read-only: %m", directory);
1228 p = strjoina(directory, "/var");
1230 if (r < 0 && errno != EEXIST)
1231 return log_error_errno(errno, "Failed to create %s: %m", directory);
1233 if (mount("tmpfs", p, "tmpfs", MS_STRICTATIME, "mode=755") < 0)
1234 return log_error_errno(errno, "Failed to mount tmpfs to /var: %m");
1239 static int setup_volatile(const char *directory) {
1240 bool tmpfs_mounted = false, bind_mounted = false;
1241 char template[] = "/tmp/nspawn-volatile-XXXXXX";
1247 if (arg_volatile != VOLATILE_YES)
1250 /* --volatile=yes means we mount a tmpfs to the root dir, and
1251 the original /usr to use inside it, and that read-only. */
1253 if (!mkdtemp(template))
1254 return log_error_errno(errno, "Failed to create temporary directory: %m");
1256 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
1257 log_error_errno(errno, "Failed to mount tmpfs for root directory: %m");
1262 tmpfs_mounted = true;
1264 f = strjoina(directory, "/usr");
1265 t = strjoina(template, "/usr");
1268 if (r < 0 && errno != EEXIST) {
1269 log_error_errno(errno, "Failed to create %s: %m", t);
1274 if (mount(f, t, "bind", MS_BIND|MS_REC, NULL) < 0) {
1275 log_error_errno(errno, "Failed to create /usr bind mount: %m");
1280 bind_mounted = true;
1282 r = bind_remount_recursive(t, true);
1284 log_error_errno(r, "Failed to remount %s read-only: %m", t);
1288 if (mount(template, directory, NULL, MS_MOVE, NULL) < 0) {
1289 log_error_errno(errno, "Failed to move root mount: %m");
1307 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
1310 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1311 SD_ID128_FORMAT_VAL(id));
1316 static int setup_boot_id(const char *dest) {
1317 _cleanup_free_ char *from = NULL, *to = NULL;
1318 sd_id128_t rnd = {};
1324 if (arg_share_system)
1327 /* Generate a new randomized boot ID, so that each boot-up of
1328 * the container gets a new one */
1330 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
1331 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
1335 r = sd_id128_randomize(&rnd);
1337 return log_error_errno(r, "Failed to generate random boot id: %m");
1339 id128_format_as_uuid(rnd, as_uuid);
1341 r = write_string_file(from, as_uuid);
1343 return log_error_errno(r, "Failed to write boot id: %m");
1345 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1346 log_error_errno(errno, "Failed to bind mount boot id: %m");
1348 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
1349 log_warning_errno(errno, "Failed to make boot id read-only: %m");
1355 static int copy_devnodes(const char *dest) {
1357 static const char devnodes[] =
1368 _cleanup_umask_ mode_t u;
1374 NULSTR_FOREACH(d, devnodes) {
1375 _cleanup_free_ char *from = NULL, *to = NULL;
1378 from = strappend("/dev/", d);
1379 to = strjoin(dest, "/dev/", d, NULL);
1383 if (stat(from, &st) < 0) {
1385 if (errno != ENOENT)
1386 return log_error_errno(errno, "Failed to stat %s: %m", from);
1388 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
1390 log_error("%s is not a char or block device, cannot copy", from);
1394 r = mkdir_parents(to, 0775);
1396 log_error_errno(r, "Failed to create parent directory of %s: %m", to);
1400 if (mknod(to, st.st_mode, st.st_rdev) < 0)
1401 return log_error_errno(errno, "mknod(%s) failed: %m", to);
1408 static int setup_ptmx(const char *dest) {
1409 _cleanup_free_ char *p = NULL;
1411 p = strappend(dest, "/dev/ptmx");
1415 if (symlink("pts/ptmx", p) < 0)
1416 return log_error_errno(errno, "Failed to create /dev/ptmx symlink: %m");
1421 static int setup_dev_console(const char *dest, const char *console) {
1422 _cleanup_umask_ mode_t u;
1432 if (stat("/dev/null", &st) < 0)
1433 return log_error_errno(errno, "Failed to stat /dev/null: %m");
1435 r = chmod_and_chown(console, 0600, 0, 0);
1437 return log_error_errno(r, "Failed to correct access mode for TTY: %m");
1439 /* We need to bind mount the right tty to /dev/console since
1440 * ptys can only exist on pts file systems. To have something
1441 * to bind mount things on we create a device node first, and
1442 * use /dev/null for that since we the cgroups device policy
1443 * allows us to create that freely, while we cannot create
1444 * /dev/console. (Note that the major minor doesn't actually
1445 * matter here, since we mount it over anyway). */
1447 to = strjoina(dest, "/dev/console");
1448 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0)
1449 return log_error_errno(errno, "mknod() for /dev/console failed: %m");
1451 if (mount(console, to, "bind", MS_BIND, NULL) < 0)
1452 return log_error_errno(errno, "Bind mount for /dev/console failed: %m");
1457 static int setup_kmsg(const char *dest, int kmsg_socket) {
1458 _cleanup_free_ char *from = NULL, *to = NULL;
1459 _cleanup_umask_ mode_t u;
1462 struct cmsghdr cmsghdr;
1463 uint8_t buf[CMSG_SPACE(sizeof(int))];
1465 struct msghdr mh = {
1466 .msg_control = &control,
1467 .msg_controllen = sizeof(control),
1469 struct cmsghdr *cmsg;
1472 assert(kmsg_socket >= 0);
1476 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1477 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1478 * on the reading side behave very similar to /proc/kmsg,
1479 * their writing side behaves differently from /dev/kmsg in
1480 * that writing blocks when nothing is reading. In order to
1481 * avoid any problems with containers deadlocking due to this
1482 * we simply make /dev/kmsg unavailable to the container. */
1483 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
1484 asprintf(&to, "%s/proc/kmsg", dest) < 0)
1487 if (mkfifo(from, 0600) < 0)
1488 return log_error_errno(errno, "mkfifo() for /dev/kmsg failed: %m");
1490 r = chmod_and_chown(from, 0600, 0, 0);
1492 return log_error_errno(r, "Failed to correct access mode for /dev/kmsg: %m");
1494 if (mount(from, to, "bind", MS_BIND, NULL) < 0)
1495 return log_error_errno(errno, "Bind mount for /proc/kmsg failed: %m");
1497 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
1499 return log_error_errno(errno, "Failed to open fifo: %m");
1501 cmsg = CMSG_FIRSTHDR(&mh);
1502 cmsg->cmsg_level = SOL_SOCKET;
1503 cmsg->cmsg_type = SCM_RIGHTS;
1504 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1505 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1507 mh.msg_controllen = cmsg->cmsg_len;
1509 /* Store away the fd in the socket, so that it stays open as
1510 * long as we run the child */
1511 k = sendmsg(kmsg_socket, &mh, MSG_NOSIGNAL);
1515 return log_error_errno(errno, "Failed to send FIFO fd: %m");
1517 /* And now make the FIFO unavailable as /dev/kmsg... */
1522 static int send_rtnl(int send_fd) {
1524 struct cmsghdr cmsghdr;
1525 uint8_t buf[CMSG_SPACE(sizeof(int))];
1527 struct msghdr mh = {
1528 .msg_control = &control,
1529 .msg_controllen = sizeof(control),
1531 struct cmsghdr *cmsg;
1532 _cleanup_close_ int fd = -1;
1535 assert(send_fd >= 0);
1537 if (!arg_expose_ports)
1540 fd = socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_ROUTE);
1542 return log_error_errno(errno, "failed to allocate container netlink: %m");
1544 cmsg = CMSG_FIRSTHDR(&mh);
1545 cmsg->cmsg_level = SOL_SOCKET;
1546 cmsg->cmsg_type = SCM_RIGHTS;
1547 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1548 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1550 mh.msg_controllen = cmsg->cmsg_len;
1552 /* Store away the fd in the socket, so that it stays open as
1553 * long as we run the child */
1554 k = sendmsg(send_fd, &mh, MSG_NOSIGNAL);
1556 return log_error_errno(errno, "Failed to send netlink fd: %m");
1561 static int flush_ports(union in_addr_union *exposed) {
1563 int r, af = AF_INET;
1567 if (!arg_expose_ports)
1570 if (in_addr_is_null(af, exposed))
1573 log_debug("Lost IP address.");
1575 LIST_FOREACH(ports, p, arg_expose_ports) {
1576 r = fw_add_local_dnat(false,
1587 log_warning_errno(r, "Failed to modify firewall: %m");
1590 *exposed = IN_ADDR_NULL;
1594 static int expose_ports(sd_rtnl *rtnl, union in_addr_union *exposed) {
1595 _cleanup_free_ struct local_address *addresses = NULL;
1596 _cleanup_free_ char *pretty = NULL;
1597 union in_addr_union new_exposed;
1600 int af = AF_INET, r;
1604 /* Invoked each time an address is added or removed inside the
1607 if (!arg_expose_ports)
1610 r = local_addresses(rtnl, 0, af, &addresses);
1612 return log_error_errno(r, "Failed to enumerate local addresses: %m");
1615 addresses[0].family == af &&
1616 addresses[0].scope < RT_SCOPE_LINK;
1619 return flush_ports(exposed);
1621 new_exposed = addresses[0].address;
1622 if (in_addr_equal(af, exposed, &new_exposed))
1625 in_addr_to_string(af, &new_exposed, &pretty);
1626 log_debug("New container IP is %s.", strna(pretty));
1628 LIST_FOREACH(ports, p, arg_expose_ports) {
1630 r = fw_add_local_dnat(true,
1639 in_addr_is_null(af, exposed) ? NULL : exposed);
1641 log_warning_errno(r, "Failed to modify firewall: %m");
1644 *exposed = new_exposed;
1648 static int on_address_change(sd_rtnl *rtnl, sd_rtnl_message *m, void *userdata) {
1649 union in_addr_union *exposed = userdata;
1655 expose_ports(rtnl, exposed);
1659 static int watch_rtnl(sd_event *event, int recv_fd, union in_addr_union *exposed, sd_rtnl **ret) {
1661 struct cmsghdr cmsghdr;
1662 uint8_t buf[CMSG_SPACE(sizeof(int))];
1664 struct msghdr mh = {
1665 .msg_control = &control,
1666 .msg_controllen = sizeof(control),
1668 struct cmsghdr *cmsg;
1669 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1674 assert(recv_fd >= 0);
1677 if (!arg_expose_ports)
1680 k = recvmsg(recv_fd, &mh, MSG_NOSIGNAL);
1682 return log_error_errno(errno, "Failed to recv netlink fd: %m");
1684 cmsg = CMSG_FIRSTHDR(&mh);
1685 assert(cmsg->cmsg_level == SOL_SOCKET);
1686 assert(cmsg->cmsg_type == SCM_RIGHTS);
1687 assert(cmsg->cmsg_len == CMSG_LEN(sizeof(int)));
1688 memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
1690 r = sd_rtnl_open_fd(&rtnl, fd, 1, RTNLGRP_IPV4_IFADDR);
1693 return log_error_errno(r, "Failed to create rtnl object: %m");
1696 r = sd_rtnl_add_match(rtnl, RTM_NEWADDR, on_address_change, exposed);
1698 return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m");
1700 r = sd_rtnl_add_match(rtnl, RTM_DELADDR, on_address_change, exposed);
1702 return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m");
1704 r = sd_rtnl_attach_event(rtnl, event, 0);
1706 return log_error_errno(r, "Failed to add to even loop: %m");
1714 static int setup_hostname(void) {
1716 if (arg_share_system)
1719 if (sethostname_idempotent(arg_machine) < 0)
1725 static int setup_journal(const char *directory) {
1726 sd_id128_t machine_id, this_id;
1727 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1731 /* Don't link journals in ephemeral mode */
1735 p = strappend(directory, "/etc/machine-id");
1739 r = read_one_line_file(p, &b);
1740 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1743 return log_error_errno(r, "Failed to read machine ID from %s: %m", p);
1746 if (isempty(id) && arg_link_journal == LINK_AUTO)
1749 /* Verify validity */
1750 r = sd_id128_from_string(id, &machine_id);
1752 return log_error_errno(r, "Failed to parse machine ID from %s: %m", p);
1754 r = sd_id128_get_machine(&this_id);
1756 return log_error_errno(r, "Failed to retrieve machine ID: %m");
1758 if (sd_id128_equal(machine_id, this_id)) {
1759 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1760 "Host and machine ids are equal (%s): refusing to link journals", id);
1761 if (arg_link_journal == LINK_AUTO)
1766 if (arg_link_journal == LINK_NO)
1770 p = strappend("/var/log/journal/", id);
1771 q = strjoin(directory, "/var/log/journal/", id, NULL);
1775 if (path_is_mount_point(p, false) > 0) {
1776 if (arg_link_journal != LINK_AUTO) {
1777 log_error("%s: already a mount point, refusing to use for journal", p);
1784 if (path_is_mount_point(q, false) > 0) {
1785 if (arg_link_journal != LINK_AUTO) {
1786 log_error("%s: already a mount point, refusing to use for journal", q);
1793 r = readlink_and_make_absolute(p, &d);
1795 if ((arg_link_journal == LINK_GUEST ||
1796 arg_link_journal == LINK_AUTO) &&
1799 r = mkdir_p(q, 0755);
1801 log_warning_errno(errno, "Failed to create directory %s: %m", q);
1806 return log_error_errno(errno, "Failed to remove symlink %s: %m", p);
1807 } else if (r == -EINVAL) {
1809 if (arg_link_journal == LINK_GUEST &&
1812 if (errno == ENOTDIR) {
1813 log_error("%s already exists and is neither a symlink nor a directory", p);
1816 log_error_errno(errno, "Failed to remove %s: %m", p);
1820 } else if (r != -ENOENT) {
1821 log_error_errno(errno, "readlink(%s) failed: %m", p);
1825 if (arg_link_journal == LINK_GUEST) {
1827 if (symlink(q, p) < 0) {
1828 if (arg_link_journal_try) {
1829 log_debug_errno(errno, "Failed to symlink %s to %s, skipping journal setup: %m", q, p);
1832 log_error_errno(errno, "Failed to symlink %s to %s: %m", q, p);
1837 r = mkdir_p(q, 0755);
1839 log_warning_errno(errno, "Failed to create directory %s: %m", q);
1843 if (arg_link_journal == LINK_HOST) {
1844 /* don't create parents here -- if the host doesn't have
1845 * permanent journal set up, don't force it here */
1848 if (arg_link_journal_try) {
1849 log_debug_errno(errno, "Failed to create %s, skipping journal setup: %m", p);
1852 log_error_errno(errno, "Failed to create %s: %m", p);
1857 } else if (access(p, F_OK) < 0)
1860 if (dir_is_empty(q) == 0)
1861 log_warning("%s is not empty, proceeding anyway.", q);
1863 r = mkdir_p(q, 0755);
1865 log_error_errno(errno, "Failed to create %s: %m", q);
1869 if (mount(p, q, "bind", MS_BIND, NULL) < 0)
1870 return log_error_errno(errno, "Failed to bind mount journal from host into guest: %m");
1875 static int drop_capabilities(void) {
1876 return capability_bounding_set_drop(~arg_retain, false);
1879 static int register_machine(pid_t pid, int local_ifindex) {
1880 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1881 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1887 r = sd_bus_default_system(&bus);
1889 return log_error_errno(r, "Failed to open system bus: %m");
1891 if (arg_keep_unit) {
1892 r = sd_bus_call_method(
1894 "org.freedesktop.machine1",
1895 "/org/freedesktop/machine1",
1896 "org.freedesktop.machine1.Manager",
1897 "RegisterMachineWithNetwork",
1902 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1906 strempty(arg_directory),
1907 local_ifindex > 0 ? 1 : 0, local_ifindex);
1909 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1912 r = sd_bus_message_new_method_call(
1915 "org.freedesktop.machine1",
1916 "/org/freedesktop/machine1",
1917 "org.freedesktop.machine1.Manager",
1918 "CreateMachineWithNetwork");
1920 return bus_log_create_error(r);
1922 r = sd_bus_message_append(
1926 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1930 strempty(arg_directory),
1931 local_ifindex > 0 ? 1 : 0, local_ifindex);
1933 return bus_log_create_error(r);
1935 r = sd_bus_message_open_container(m, 'a', "(sv)");
1937 return bus_log_create_error(r);
1939 if (!isempty(arg_slice)) {
1940 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
1942 return bus_log_create_error(r);
1945 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
1947 return bus_log_create_error(r);
1949 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9,
1950 /* Allow the container to
1951 * access and create the API
1952 * device nodes, so that
1953 * PrivateDevices= in the
1954 * container can work
1959 "/dev/random", "rwm",
1960 "/dev/urandom", "rwm",
1962 "/dev/net/tun", "rwm",
1963 /* Allow the container
1964 * access to ptys. However,
1966 * container to ever create
1967 * these device nodes. */
1968 "/dev/pts/ptmx", "rw",
1971 return log_error_errno(r, "Failed to add device whitelist: %m");
1973 STRV_FOREACH(i, arg_property) {
1974 r = sd_bus_message_open_container(m, 'r', "sv");
1976 return bus_log_create_error(r);
1978 r = bus_append_unit_property_assignment(m, *i);
1982 r = sd_bus_message_close_container(m);
1984 return bus_log_create_error(r);
1987 r = sd_bus_message_close_container(m);
1989 return bus_log_create_error(r);
1991 r = sd_bus_call(bus, m, 0, &error, NULL);
1995 log_error("Failed to register machine: %s", bus_error_message(&error, r));
2002 static int terminate_machine(pid_t pid) {
2003 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
2004 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
2005 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
2012 r = sd_bus_default_system(&bus);
2014 return log_error_errno(r, "Failed to open system bus: %m");
2016 r = sd_bus_call_method(
2018 "org.freedesktop.machine1",
2019 "/org/freedesktop/machine1",
2020 "org.freedesktop.machine1.Manager",
2027 /* Note that the machine might already have been
2028 * cleaned up automatically, hence don't consider it a
2029 * failure if we cannot get the machine object. */
2030 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
2034 r = sd_bus_message_read(reply, "o", &path);
2036 return bus_log_parse_error(r);
2038 r = sd_bus_call_method(
2040 "org.freedesktop.machine1",
2042 "org.freedesktop.machine1.Machine",
2048 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
2055 static int reset_audit_loginuid(void) {
2056 _cleanup_free_ char *p = NULL;
2059 if (arg_share_system)
2062 r = read_one_line_file("/proc/self/loginuid", &p);
2066 return log_error_errno(r, "Failed to read /proc/self/loginuid: %m");
2068 /* Already reset? */
2069 if (streq(p, "4294967295"))
2072 r = write_string_file("/proc/self/loginuid", "4294967295");
2074 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
2075 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
2076 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
2077 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
2078 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
2086 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
2087 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
2088 #define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
2090 static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key, uint64_t idx) {
2096 l = strlen(arg_machine);
2097 sz = sizeof(sd_id128_t) + l;
2103 /* fetch some persistent data unique to the host */
2104 r = sd_id128_get_machine((sd_id128_t*) v);
2108 /* combine with some data unique (on this host) to this
2109 * container instance */
2110 i = mempcpy(v + sizeof(sd_id128_t), arg_machine, l);
2113 memcpy(i, &idx, sizeof(idx));
2116 /* Let's hash the host machine ID plus the container name. We
2117 * use a fixed, but originally randomly created hash key here. */
2118 siphash24(result, v, sz, hash_key.bytes);
2120 assert_cc(ETH_ALEN <= sizeof(result));
2121 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
2123 /* see eth_random_addr in the kernel */
2124 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
2125 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
2130 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
2131 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2132 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2133 struct ether_addr mac_host, mac_container;
2136 if (!arg_private_network)
2139 if (!arg_network_veth)
2142 /* Use two different interface name prefixes depending whether
2143 * we are in bridge mode or not. */
2144 snprintf(iface_name, IFNAMSIZ - 1, "%s-%s",
2145 arg_network_bridge ? "vb" : "ve", arg_machine);
2147 r = generate_mac(&mac_container, CONTAINER_HASH_KEY, 0);
2149 return log_error_errno(r, "Failed to generate predictable MAC address for container side: %m");
2151 r = generate_mac(&mac_host, HOST_HASH_KEY, 0);
2153 return log_error_errno(r, "Failed to generate predictable MAC address for host side: %m");
2155 r = sd_rtnl_open(&rtnl, 0);
2157 return log_error_errno(r, "Failed to connect to netlink: %m");
2159 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
2161 return log_error_errno(r, "Failed to allocate netlink message: %m");
2163 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
2165 return log_error_errno(r, "Failed to add netlink interface name: %m");
2167 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_host);
2169 return log_error_errno(r, "Failed to add netlink MAC address: %m");
2171 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
2173 return log_error_errno(r, "Failed to open netlink container: %m");
2175 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
2177 return log_error_errno(r, "Failed to open netlink container: %m");
2179 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
2181 return log_error_errno(r, "Failed to open netlink container: %m");
2183 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
2185 return log_error_errno(r, "Failed to add netlink interface name: %m");
2187 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_container);
2189 return log_error_errno(r, "Failed to add netlink MAC address: %m");
2191 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2193 return log_error_errno(r, "Failed to add netlink namespace field: %m");
2195 r = sd_rtnl_message_close_container(m);
2197 return log_error_errno(r, "Failed to close netlink container: %m");
2199 r = sd_rtnl_message_close_container(m);
2201 return log_error_errno(r, "Failed to close netlink container: %m");
2203 r = sd_rtnl_message_close_container(m);
2205 return log_error_errno(r, "Failed to close netlink container: %m");
2207 r = sd_rtnl_call(rtnl, m, 0, NULL);
2209 return log_error_errno(r, "Failed to add new veth interfaces: %m");
2211 i = (int) if_nametoindex(iface_name);
2213 return log_error_errno(errno, "Failed to resolve interface %s: %m", iface_name);
2220 static int setup_bridge(const char veth_name[], int *ifi) {
2221 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2222 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2225 if (!arg_private_network)
2228 if (!arg_network_veth)
2231 if (!arg_network_bridge)
2234 bridge = (int) if_nametoindex(arg_network_bridge);
2236 return log_error_errno(errno, "Failed to resolve interface %s: %m", arg_network_bridge);
2240 r = sd_rtnl_open(&rtnl, 0);
2242 return log_error_errno(r, "Failed to connect to netlink: %m");
2244 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
2246 return log_error_errno(r, "Failed to allocate netlink message: %m");
2248 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
2250 return log_error_errno(r, "Failed to set IFF_UP flag: %m");
2252 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
2254 return log_error_errno(r, "Failed to add netlink interface name field: %m");
2256 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
2258 return log_error_errno(r, "Failed to add netlink master field: %m");
2260 r = sd_rtnl_call(rtnl, m, 0, NULL);
2262 return log_error_errno(r, "Failed to add veth interface to bridge: %m");
2267 static int parse_interface(struct udev *udev, const char *name) {
2268 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2269 char ifi_str[2 + DECIMAL_STR_MAX(int)];
2272 ifi = (int) if_nametoindex(name);
2274 return log_error_errno(errno, "Failed to resolve interface %s: %m", name);
2276 sprintf(ifi_str, "n%i", ifi);
2277 d = udev_device_new_from_device_id(udev, ifi_str);
2279 return log_error_errno(errno, "Failed to get udev device for interface %s: %m", name);
2281 if (udev_device_get_is_initialized(d) <= 0) {
2282 log_error("Network interface %s is not initialized yet.", name);
2289 static int move_network_interfaces(pid_t pid) {
2290 _cleanup_udev_unref_ struct udev *udev = NULL;
2291 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2295 if (!arg_private_network)
2298 if (strv_isempty(arg_network_interfaces))
2301 r = sd_rtnl_open(&rtnl, 0);
2303 return log_error_errno(r, "Failed to connect to netlink: %m");
2307 log_error("Failed to connect to udev.");
2311 STRV_FOREACH(i, arg_network_interfaces) {
2312 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2315 ifi = parse_interface(udev, *i);
2319 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, ifi);
2321 return log_error_errno(r, "Failed to allocate netlink message: %m");
2323 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2325 return log_error_errno(r, "Failed to append namespace PID to netlink message: %m");
2327 r = sd_rtnl_call(rtnl, m, 0, NULL);
2329 return log_error_errno(r, "Failed to move interface %s to namespace: %m", *i);
2335 static int setup_macvlan(pid_t pid) {
2336 _cleanup_udev_unref_ struct udev *udev = NULL;
2337 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2342 if (!arg_private_network)
2345 if (strv_isempty(arg_network_macvlan))
2348 r = sd_rtnl_open(&rtnl, 0);
2350 return log_error_errno(r, "Failed to connect to netlink: %m");
2354 log_error("Failed to connect to udev.");
2358 STRV_FOREACH(i, arg_network_macvlan) {
2359 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2360 _cleanup_free_ char *n = NULL;
2361 struct ether_addr mac;
2364 ifi = parse_interface(udev, *i);
2368 r = generate_mac(&mac, MACVLAN_HASH_KEY, idx++);
2370 return log_error_errno(r, "Failed to create MACVLAN MAC address: %m");
2372 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
2374 return log_error_errno(r, "Failed to allocate netlink message: %m");
2376 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
2378 return log_error_errno(r, "Failed to add netlink interface index: %m");
2380 n = strappend("mv-", *i);
2384 strshorten(n, IFNAMSIZ-1);
2386 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
2388 return log_error_errno(r, "Failed to add netlink interface name: %m");
2390 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac);
2392 return log_error_errno(r, "Failed to add netlink MAC address: %m");
2394 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2396 return log_error_errno(r, "Failed to add netlink namespace field: %m");
2398 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
2400 return log_error_errno(r, "Failed to open netlink container: %m");
2402 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
2404 return log_error_errno(r, "Failed to open netlink container: %m");
2406 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
2408 return log_error_errno(r, "Failed to append macvlan mode: %m");
2410 r = sd_rtnl_message_close_container(m);
2412 return log_error_errno(r, "Failed to close netlink container: %m");
2414 r = sd_rtnl_message_close_container(m);
2416 return log_error_errno(r, "Failed to close netlink container: %m");
2418 r = sd_rtnl_call(rtnl, m, 0, NULL);
2420 return log_error_errno(r, "Failed to add new macvlan interfaces: %m");
2426 static int setup_ipvlan(pid_t pid) {
2427 _cleanup_udev_unref_ struct udev *udev = NULL;
2428 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
2432 if (!arg_private_network)
2435 if (strv_isempty(arg_network_ipvlan))
2438 r = sd_rtnl_open(&rtnl, 0);
2440 return log_error_errno(r, "Failed to connect to netlink: %m");
2444 log_error("Failed to connect to udev.");
2448 STRV_FOREACH(i, arg_network_ipvlan) {
2449 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
2450 _cleanup_free_ char *n = NULL;
2453 ifi = parse_interface(udev, *i);
2457 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
2459 return log_error_errno(r, "Failed to allocate netlink message: %m");
2461 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
2463 return log_error_errno(r, "Failed to add netlink interface index: %m");
2465 n = strappend("iv-", *i);
2469 strshorten(n, IFNAMSIZ-1);
2471 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
2473 return log_error_errno(r, "Failed to add netlink interface name: %m");
2475 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
2477 return log_error_errno(r, "Failed to add netlink namespace field: %m");
2479 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
2481 return log_error_errno(r, "Failed to open netlink container: %m");
2483 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "ipvlan");
2485 return log_error_errno(r, "Failed to open netlink container: %m");
2487 r = sd_rtnl_message_append_u16(m, IFLA_IPVLAN_MODE, IPVLAN_MODE_L2);
2489 return log_error_errno(r, "Failed to add ipvlan mode: %m");
2491 r = sd_rtnl_message_close_container(m);
2493 return log_error_errno(r, "Failed to close netlink container: %m");
2495 r = sd_rtnl_message_close_container(m);
2497 return log_error_errno(r, "Failed to close netlink container: %m");
2499 r = sd_rtnl_call(rtnl, m, 0, NULL);
2501 return log_error_errno(r, "Failed to add new ipvlan interfaces: %m");
2507 static int setup_seccomp(void) {
2510 static const int blacklist[] = {
2511 SCMP_SYS(kexec_load),
2512 SCMP_SYS(open_by_handle_at),
2519 static const int kmod_blacklist[] = {
2520 SCMP_SYS(init_module),
2521 SCMP_SYS(finit_module),
2522 SCMP_SYS(delete_module),
2525 scmp_filter_ctx seccomp;
2529 seccomp = seccomp_init(SCMP_ACT_ALLOW);
2533 r = seccomp_add_secondary_archs(seccomp);
2535 log_error_errno(r, "Failed to add secondary archs to seccomp filter: %m");
2539 for (i = 0; i < ELEMENTSOF(blacklist); i++) {
2540 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
2542 continue; /* unknown syscall */
2544 log_error_errno(r, "Failed to block syscall: %m");
2549 /* If the CAP_SYS_MODULE capability is not requested then
2550 * we'll block the kmod syscalls too */
2551 if (!(arg_retain & (1ULL << CAP_SYS_MODULE))) {
2552 for (i = 0; i < ELEMENTSOF(kmod_blacklist); i++) {
2553 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), kmod_blacklist[i], 0);
2555 continue; /* unknown syscall */
2557 log_error_errno(r, "Failed to block syscall: %m");
2564 Audit is broken in containers, much of the userspace audit
2565 hookup will fail if running inside a container. We don't
2566 care and just turn off creation of audit sockets.
2568 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
2569 with EAFNOSUPPORT which audit userspace uses as indication
2570 that audit is disabled in the kernel.
2573 r = seccomp_rule_add(
2575 SCMP_ACT_ERRNO(EAFNOSUPPORT),
2578 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
2579 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
2581 log_error_errno(r, "Failed to add audit seccomp rule: %m");
2585 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
2587 log_error_errno(r, "Failed to unset NO_NEW_PRIVS: %m");
2591 r = seccomp_load(seccomp);
2593 log_error_errno(r, "Failed to install seccomp audit filter: %m");
2596 seccomp_release(seccomp);
2604 static int setup_propagate(const char *root) {
2607 (void) mkdir_p("/run/systemd/nspawn/", 0755);
2608 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
2609 p = strjoina("/run/systemd/nspawn/propagate/", arg_machine);
2610 (void) mkdir_p(p, 0600);
2612 q = strjoina(root, "/run/systemd/nspawn/incoming");
2613 mkdir_parents(q, 0755);
2616 if (mount(p, q, NULL, MS_BIND, NULL) < 0)
2617 return log_error_errno(errno, "Failed to install propagation bind mount.");
2619 if (mount(NULL, q, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0)
2620 return log_error_errno(errno, "Failed to make propagation mount read-only");
2625 static int setup_image(char **device_path, int *loop_nr) {
2626 struct loop_info64 info = {
2627 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
2629 _cleanup_close_ int fd = -1, control = -1, loop = -1;
2630 _cleanup_free_ char* loopdev = NULL;
2634 assert(device_path);
2638 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2640 return log_error_errno(errno, "Failed to open %s: %m", arg_image);
2642 if (fstat(fd, &st) < 0)
2643 return log_error_errno(errno, "Failed to stat %s: %m", arg_image);
2645 if (S_ISBLK(st.st_mode)) {
2648 p = strdup(arg_image);
2662 if (!S_ISREG(st.st_mode)) {
2663 log_error_errno(errno, "%s is not a regular file or block device: %m", arg_image);
2667 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2669 return log_error_errno(errno, "Failed to open /dev/loop-control: %m");
2671 nr = ioctl(control, LOOP_CTL_GET_FREE);
2673 return log_error_errno(errno, "Failed to allocate loop device: %m");
2675 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
2678 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2680 return log_error_errno(errno, "Failed to open loop device %s: %m", loopdev);
2682 if (ioctl(loop, LOOP_SET_FD, fd) < 0)
2683 return log_error_errno(errno, "Failed to set loopback file descriptor on %s: %m", loopdev);
2686 info.lo_flags |= LO_FLAGS_READ_ONLY;
2688 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0)
2689 return log_error_errno(errno, "Failed to set loopback settings on %s: %m", loopdev);
2691 *device_path = loopdev;
2702 #define PARTITION_TABLE_BLURB \
2703 "Note that the disk image needs to either contain only a single MBR partition of\n" \
2704 "type 0x83 that is marked bootable, or a sinlge GPT partition of type" \
2705 "0FC63DAF-8483-4772-8E79-3D69D8477DE4 or follow\n" \
2706 " http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n" \
2707 "to be bootable with systemd-nspawn."
2709 static int dissect_image(
2711 char **root_device, bool *root_device_rw,
2712 char **home_device, bool *home_device_rw,
2713 char **srv_device, bool *srv_device_rw,
2717 int home_nr = -1, srv_nr = -1;
2718 #ifdef GPT_ROOT_NATIVE
2721 #ifdef GPT_ROOT_SECONDARY
2722 int secondary_root_nr = -1;
2724 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL, *generic = NULL;
2725 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
2726 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2727 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2728 _cleanup_udev_unref_ struct udev *udev = NULL;
2729 struct udev_list_entry *first, *item;
2730 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true, generic_rw = true;
2731 bool is_gpt, is_mbr, multiple_generic = false;
2732 const char *pttype = NULL;
2739 assert(root_device);
2740 assert(home_device);
2745 b = blkid_new_probe();
2750 r = blkid_probe_set_device(b, fd, 0, 0);
2755 log_error_errno(errno, "Failed to set device on blkid probe: %m");
2759 blkid_probe_enable_partitions(b, 1);
2760 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
2763 r = blkid_do_safeprobe(b);
2764 if (r == -2 || r == 1) {
2765 log_error("Failed to identify any partition table on\n"
2767 PARTITION_TABLE_BLURB, arg_image);
2769 } else if (r != 0) {
2772 log_error_errno(errno, "Failed to probe: %m");
2776 blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
2778 is_gpt = streq_ptr(pttype, "gpt");
2779 is_mbr = streq_ptr(pttype, "dos");
2781 if (!is_gpt && !is_mbr) {
2782 log_error("No GPT or MBR partition table discovered on\n"
2784 PARTITION_TABLE_BLURB, arg_image);
2789 pl = blkid_probe_get_partitions(b);
2794 log_error("Failed to list partitions of %s", arg_image);
2802 if (fstat(fd, &st) < 0)
2803 return log_error_errno(errno, "Failed to stat block device: %m");
2805 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2813 log_error("Kernel partitions never appeared.");
2817 e = udev_enumerate_new(udev);
2821 r = udev_enumerate_add_match_parent(e, d);
2825 r = udev_enumerate_scan_devices(e);
2827 return log_error_errno(r, "Failed to scan for partition devices of %s: %m", arg_image);
2829 /* Count the partitions enumerated by the kernel */
2831 first = udev_enumerate_get_list_entry(e);
2832 udev_list_entry_foreach(item, first)
2835 /* Count the partitions enumerated by blkid */
2836 m = blkid_partlist_numof_partitions(pl);
2840 log_error("blkid and kernel partition list do not match.");
2846 /* The kernel has probed fewer partitions than
2847 * blkid? Maybe the kernel prober is still
2848 * running or it got EBUSY because udev
2849 * already opened the device. Let's reprobe
2850 * the device, which is a synchronous call
2851 * that waits until probing is complete. */
2853 for (j = 0; j < 20; j++) {
2855 r = ioctl(fd, BLKRRPART, 0);
2858 if (r >= 0 || r != -EBUSY)
2861 /* If something else has the device
2862 * open, such as an udev rule, the
2863 * ioctl will return EBUSY. Since
2864 * there's no way to wait until it
2865 * isn't busy anymore, let's just wait
2866 * a bit, and try again.
2868 * This is really something they
2869 * should fix in the kernel! */
2871 usleep(50 * USEC_PER_MSEC);
2875 return log_error_errno(r, "Failed to reread partition table: %m");
2878 e = udev_enumerate_unref(e);
2881 first = udev_enumerate_get_list_entry(e);
2882 udev_list_entry_foreach(item, first) {
2883 _cleanup_udev_device_unref_ struct udev_device *q;
2885 unsigned long long flags;
2891 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2896 log_error_errno(errno, "Failed to get partition device of %s: %m", arg_image);
2900 qn = udev_device_get_devnum(q);
2904 if (st.st_rdev == qn)
2907 node = udev_device_get_devnode(q);
2911 pp = blkid_partlist_devno_to_partition(pl, qn);
2915 flags = blkid_partition_get_flags(pp);
2917 nr = blkid_partition_get_partno(pp);
2925 if (flags & GPT_FLAG_NO_AUTO)
2928 stype = blkid_partition_get_type_string(pp);
2932 if (sd_id128_from_string(stype, &type_id) < 0)
2935 if (sd_id128_equal(type_id, GPT_HOME)) {
2937 if (home && nr >= home_nr)
2941 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2943 r = free_and_strdup(&home, node);
2947 } else if (sd_id128_equal(type_id, GPT_SRV)) {
2949 if (srv && nr >= srv_nr)
2953 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
2955 r = free_and_strdup(&srv, node);
2959 #ifdef GPT_ROOT_NATIVE
2960 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
2962 if (root && nr >= root_nr)
2966 root_rw = !(flags & GPT_FLAG_READ_ONLY);
2968 r = free_and_strdup(&root, node);
2973 #ifdef GPT_ROOT_SECONDARY
2974 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
2976 if (secondary_root && nr >= secondary_root_nr)
2979 secondary_root_nr = nr;
2980 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
2982 r = free_and_strdup(&secondary_root, node);
2987 else if (sd_id128_equal(type_id, GPT_LINUX_GENERIC)) {
2990 multiple_generic = true;
2992 generic_rw = !(flags & GPT_FLAG_READ_ONLY);
2994 r = free_and_strdup(&generic, node);
3000 } else if (is_mbr) {
3003 if (flags != 0x80) /* Bootable flag */
3006 type = blkid_partition_get_type(pp);
3007 if (type != 0x83) /* Linux partition */
3011 multiple_generic = true;
3015 r = free_and_strdup(&root, node);
3023 *root_device = root;
3026 *root_device_rw = root_rw;
3028 } else if (secondary_root) {
3029 *root_device = secondary_root;
3030 secondary_root = NULL;
3032 *root_device_rw = secondary_root_rw;
3034 } else if (generic) {
3036 /* There were no partitions with precise meanings
3037 * around, but we found generic partitions. In this
3038 * case, if there's only one, we can go ahead and boot
3039 * it, otherwise we bail out, because we really cannot
3040 * make any sense of it. */
3042 if (multiple_generic) {
3043 log_error("Identified multiple bootable Linux partitions on\n"
3045 PARTITION_TABLE_BLURB, arg_image);
3049 *root_device = generic;
3052 *root_device_rw = generic_rw;
3055 log_error("Failed to identify root partition in disk image\n"
3057 PARTITION_TABLE_BLURB, arg_image);
3062 *home_device = home;
3065 *home_device_rw = home_rw;
3072 *srv_device_rw = srv_rw;
3077 log_error("--image= is not supported, compiled without blkid support.");
3082 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
3084 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
3085 const char *fstype, *p;
3095 p = strjoina(where, directory);
3100 b = blkid_new_probe_from_filename(what);
3104 log_error_errno(errno, "Failed to allocate prober for %s: %m", what);
3108 blkid_probe_enable_superblocks(b, 1);
3109 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
3112 r = blkid_do_safeprobe(b);
3113 if (r == -1 || r == 1) {
3114 log_error("Cannot determine file system type of %s", what);
3116 } else if (r != 0) {
3119 log_error_errno(errno, "Failed to probe %s: %m", what);
3124 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
3127 log_error("Failed to determine file system type of %s", what);
3131 if (streq(fstype, "crypto_LUKS")) {
3132 log_error("nspawn currently does not support LUKS disk images.");
3136 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0)
3137 return log_error_errno(errno, "Failed to mount %s: %m", what);
3141 log_error("--image= is not supported, compiled without blkid support.");
3146 static int mount_devices(
3148 const char *root_device, bool root_device_rw,
3149 const char *home_device, bool home_device_rw,
3150 const char *srv_device, bool srv_device_rw) {
3156 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
3158 return log_error_errno(r, "Failed to mount root directory: %m");
3162 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
3164 return log_error_errno(r, "Failed to mount home directory: %m");
3168 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
3170 return log_error_errno(r, "Failed to mount server data directory: %m");
3176 static void loop_remove(int nr, int *image_fd) {
3177 _cleanup_close_ int control = -1;
3183 if (image_fd && *image_fd >= 0) {
3184 r = ioctl(*image_fd, LOOP_CLR_FD);
3186 log_debug_errno(errno, "Failed to close loop image: %m");
3187 *image_fd = safe_close(*image_fd);
3190 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
3192 log_warning_errno(errno, "Failed to open /dev/loop-control: %m");
3196 r = ioctl(control, LOOP_CTL_REMOVE, nr);
3198 log_debug_errno(errno, "Failed to remove loop %d: %m", nr);
3201 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
3209 if (pipe2(pipe_fds, O_CLOEXEC) < 0)
3210 return log_error_errno(errno, "Failed to allocate pipe: %m");
3214 return log_error_errno(errno, "Failed to fork getent child: %m");
3215 else if (pid == 0) {
3217 char *empty_env = NULL;
3219 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
3220 _exit(EXIT_FAILURE);
3222 if (pipe_fds[0] > 2)
3223 safe_close(pipe_fds[0]);
3224 if (pipe_fds[1] > 2)
3225 safe_close(pipe_fds[1]);
3227 nullfd = open("/dev/null", O_RDWR);
3229 _exit(EXIT_FAILURE);
3231 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
3232 _exit(EXIT_FAILURE);
3234 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
3235 _exit(EXIT_FAILURE);
3240 reset_all_signal_handlers();
3241 close_all_fds(NULL, 0);
3243 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
3244 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
3245 _exit(EXIT_FAILURE);
3248 pipe_fds[1] = safe_close(pipe_fds[1]);
3255 static int change_uid_gid(char **_home) {
3256 char line[LINE_MAX], *x, *u, *g, *h;
3257 const char *word, *state;
3258 _cleanup_free_ uid_t *uids = NULL;
3259 _cleanup_free_ char *home = NULL;
3260 _cleanup_fclose_ FILE *f = NULL;
3261 _cleanup_close_ int fd = -1;
3262 unsigned n_uids = 0;
3271 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
3272 /* Reset everything fully to 0, just in case */
3274 if (setgroups(0, NULL) < 0)
3275 return log_error_errno(errno, "setgroups() failed: %m");
3277 if (setresgid(0, 0, 0) < 0)
3278 return log_error_errno(errno, "setregid() failed: %m");
3280 if (setresuid(0, 0, 0) < 0)
3281 return log_error_errno(errno, "setreuid() failed: %m");
3287 /* First, get user credentials */
3288 fd = spawn_getent("passwd", arg_user, &pid);
3292 f = fdopen(fd, "r");
3297 if (!fgets(line, sizeof(line), f)) {
3300 log_error("Failed to resolve user %s.", arg_user);
3304 log_error_errno(errno, "Failed to read from getent: %m");
3310 wait_for_terminate_and_warn("getent passwd", pid, true);
3312 x = strchr(line, ':');
3314 log_error("/etc/passwd entry has invalid user field.");
3318 u = strchr(x+1, ':');
3320 log_error("/etc/passwd entry has invalid password field.");
3327 log_error("/etc/passwd entry has invalid UID field.");
3335 log_error("/etc/passwd entry has invalid GID field.");
3340 h = strchr(x+1, ':');
3342 log_error("/etc/passwd entry has invalid GECOS field.");
3349 log_error("/etc/passwd entry has invalid home directory field.");
3355 r = parse_uid(u, &uid);
3357 log_error("Failed to parse UID of user.");
3361 r = parse_gid(g, &gid);
3363 log_error("Failed to parse GID of user.");
3371 /* Second, get group memberships */
3372 fd = spawn_getent("initgroups", arg_user, &pid);
3377 f = fdopen(fd, "r");
3382 if (!fgets(line, sizeof(line), f)) {
3384 log_error("Failed to resolve user %s.", arg_user);
3388 log_error_errno(errno, "Failed to read from getent: %m");
3394 wait_for_terminate_and_warn("getent initgroups", pid, true);
3396 /* Skip over the username and subsequent separator whitespace */
3398 x += strcspn(x, WHITESPACE);
3399 x += strspn(x, WHITESPACE);
3401 FOREACH_WORD(word, l, x, state) {
3407 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
3410 r = parse_uid(c, &uids[n_uids++]);
3412 log_error("Failed to parse group data from getent.");
3417 r = mkdir_parents(home, 0775);
3419 return log_error_errno(r, "Failed to make home root directory: %m");
3421 r = mkdir_safe(home, 0755, uid, gid);
3422 if (r < 0 && r != -EEXIST)
3423 return log_error_errno(r, "Failed to make home directory: %m");
3425 fchown(STDIN_FILENO, uid, gid);
3426 fchown(STDOUT_FILENO, uid, gid);
3427 fchown(STDERR_FILENO, uid, gid);
3429 if (setgroups(n_uids, uids) < 0)
3430 return log_error_errno(errno, "Failed to set auxiliary groups: %m");
3432 if (setresgid(gid, gid, gid) < 0)
3433 return log_error_errno(errno, "setregid() failed: %m");
3435 if (setresuid(uid, uid, uid) < 0)
3436 return log_error_errno(errno, "setreuid() failed: %m");
3448 * < 0 : wait_for_terminate() failed to get the state of the
3449 * container, the container was terminated by a signal, or
3450 * failed for an unknown reason. No change is made to the
3451 * container argument.
3452 * > 0 : The program executed in the container terminated with an
3453 * error. The exit code of the program executed in the
3454 * container is returned. The container argument has been set
3455 * to CONTAINER_TERMINATED.
3456 * 0 : The container is being rebooted, has been shut down or exited
3457 * successfully. The container argument has been set to either
3458 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
3460 * That is, success is indicated by a return value of zero, and an
3461 * error is indicated by a non-zero value.
3463 static int wait_for_container(pid_t pid, ContainerStatus *container) {
3467 r = wait_for_terminate(pid, &status);
3469 return log_warning_errno(r, "Failed to wait for container: %m");
3471 switch (status.si_code) {
3474 if (status.si_status == 0) {
3475 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s exited successfully.", arg_machine);
3478 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s failed with error code %i.", arg_machine, status.si_status);
3480 *container = CONTAINER_TERMINATED;
3481 return status.si_status;
3484 if (status.si_status == SIGINT) {
3486 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s has been shut down.", arg_machine);
3487 *container = CONTAINER_TERMINATED;
3490 } else if (status.si_status == SIGHUP) {
3492 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s is being rebooted.", arg_machine);
3493 *container = CONTAINER_REBOOTED;
3497 /* CLD_KILLED fallthrough */
3500 log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
3504 log_error("Container %s failed due to unknown reason.", arg_machine);
3511 static void nop_handler(int sig) {}
3513 static int on_orderly_shutdown(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) {
3516 pid = PTR_TO_UINT32(userdata);
3518 if (kill(pid, SIGRTMIN+3) >= 0) {
3519 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
3520 sd_event_source_set_userdata(s, NULL);
3525 sd_event_exit(sd_event_source_get_event(s), 0);
3529 static int determine_names(void) {
3532 if (!arg_image && !arg_directory) {
3534 _cleanup_(image_unrefp) Image *i = NULL;
3536 r = image_find(arg_machine, &i);
3538 return log_error_errno(r, "Failed to find image for machine '%s': %m", arg_machine);
3540 log_error("No image for machine '%s': %m", arg_machine);
3544 if (i->type == IMAGE_RAW)
3545 r = set_sanitized_path(&arg_image, i->path);
3547 r = set_sanitized_path(&arg_directory, i->path);
3549 return log_error_errno(r, "Invalid image directory: %m");
3551 arg_read_only = arg_read_only || i->read_only;
3553 arg_directory = get_current_dir_name();
3555 if (!arg_directory && !arg_machine) {
3556 log_error("Failed to determine path, please use -D or -i.");
3562 if (arg_directory && path_equal(arg_directory, "/"))
3563 arg_machine = gethostname_malloc();
3565 arg_machine = strdup(basename(arg_image ?: arg_directory));
3570 hostname_cleanup(arg_machine, false);
3571 if (!machine_name_is_valid(arg_machine)) {
3572 log_error("Failed to determine machine name automatically, please use -M.");
3576 if (arg_ephemeral) {
3579 /* Add a random suffix when this is an
3580 * ephemeral machine, so that we can run many
3581 * instances at once without manually having
3582 * to specify -M each time. */
3584 if (asprintf(&b, "%s-%016" PRIx64, arg_machine, random_u64()) < 0)
3595 int main(int argc, char *argv[]) {
3597 _cleanup_free_ char *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL, *console = NULL;
3598 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
3599 _cleanup_close_ int master = -1, image_fd = -1;
3600 _cleanup_fdset_free_ FDSet *fds = NULL;
3601 int r, n_fd_passed, loop_nr = -1;
3602 char veth_name[IFNAMSIZ];
3603 bool secondary = false, remove_subvol = false;
3604 sigset_t mask, mask_chld;
3606 int ret = EXIT_SUCCESS;
3607 union in_addr_union exposed = {};
3608 _cleanup_release_lock_file_ LockFile tree_global_lock = LOCK_FILE_INIT, tree_local_lock = LOCK_FILE_INIT;
3610 log_parse_environment();
3613 r = parse_argv(argc, argv);
3617 r = determine_names();
3621 if (geteuid() != 0) {
3622 log_error("Need to be root.");
3627 if (sd_booted() <= 0) {
3628 log_error("Not running on a systemd system.");
3634 n_fd_passed = sd_listen_fds(false);
3635 if (n_fd_passed > 0) {
3636 r = fdset_new_listen_fds(&fds, false);
3638 log_error_errno(r, "Failed to collect file descriptors: %m");
3642 fdset_close_others(fds);
3645 if (arg_directory) {
3648 if (path_equal(arg_directory, "/") && !arg_ephemeral) {
3649 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
3654 if (arg_ephemeral) {
3657 /* If the specified path is a mount point we
3658 * generate the new snapshot immediately
3659 * inside it under a random name. However if
3660 * the specified is not a mount point we
3661 * create the new snapshot in the parent
3662 * directory, just next to it. */
3663 r = path_is_mount_point(arg_directory, false);
3665 log_error_errno(r, "Failed to determine whether directory %s is mount point: %m", arg_directory);
3669 r = tempfn_random_child(arg_directory, &np);
3671 r = tempfn_random(arg_directory, &np);
3673 log_error_errno(r, "Failed to generate name for snapshot: %m");
3677 r = image_path_lock(np, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
3679 log_error_errno(r, "Failed to lock %s: %m", np);
3683 r = btrfs_subvol_snapshot(arg_directory, np, arg_read_only, true);
3686 log_error_errno(r, "Failed to create snapshot %s from %s: %m", np, arg_directory);
3690 free(arg_directory);
3693 remove_subvol = true;
3696 r = image_path_lock(arg_directory, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
3698 log_error_errno(r, "Directory tree %s is currently busy.", arg_directory);
3702 log_error_errno(r, "Failed to lock %s: %m", arg_directory);
3707 r = btrfs_subvol_snapshot(arg_template, arg_directory, arg_read_only, true);
3710 log_info("Directory %s already exists, not populating from template %s.", arg_directory, arg_template);
3712 log_error_errno(r, "Couldn't create snapshot %s from %s: %m", arg_directory, arg_template);
3716 log_info("Populated %s from template %s.", arg_directory, arg_template);
3722 if (path_is_os_tree(arg_directory) <= 0) {
3723 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory);
3730 p = strjoina(arg_directory,
3731 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
3732 if (access(p, F_OK) < 0) {
3733 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
3740 char template[] = "/tmp/nspawn-root-XXXXXX";
3743 assert(!arg_template);
3745 r = image_path_lock(arg_image, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
3747 r = log_error_errno(r, "Disk image %s is currently busy.", arg_image);
3751 r = log_error_errno(r, "Failed to create image lock: %m");
3755 if (!mkdtemp(template)) {
3756 log_error_errno(errno, "Failed to create temporary directory: %m");
3761 arg_directory = strdup(template);
3762 if (!arg_directory) {
3767 image_fd = setup_image(&device_path, &loop_nr);
3773 r = dissect_image(image_fd,
3774 &root_device, &root_device_rw,
3775 &home_device, &home_device_rw,
3776 &srv_device, &srv_device_rw,
3782 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
3784 r = log_error_errno(errno, "Failed to acquire pseudo tty: %m");
3788 r = ptsname_malloc(master, &console);
3790 r = log_error_errno(r, "Failed to determine tty name: %m");
3795 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3796 arg_machine, arg_image ?: arg_directory);
3798 if (unlockpt(master) < 0) {
3799 r = log_error_errno(errno, "Failed to unlock tty: %m");
3803 assert_se(sigemptyset(&mask) == 0);
3804 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
3805 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
3807 assert_se(sigemptyset(&mask_chld) == 0);
3808 assert_se(sigaddset(&mask_chld, SIGCHLD) == 0);
3811 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 }, rtnl_socket_pair[2] = { -1, -1 };
3812 ContainerStatus container_status;
3813 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
3814 struct sigaction sa = {
3815 .sa_handler = nop_handler,
3816 .sa_flags = SA_NOCLDSTOP,
3819 r = barrier_create(&barrier);
3821 log_error_errno(r, "Cannot initialize IPC barrier: %m");
3825 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
3826 r = log_error_errno(errno, "Failed to create kmsg socket pair: %m");
3830 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, rtnl_socket_pair) < 0) {
3831 r = log_error_errno(errno, "Failed to create rtnl socket pair: %m");
3835 /* Child can be killed before execv(), so handle SIGCHLD
3836 * in order to interrupt parent's blocking calls and
3837 * give it a chance to call wait() and terminate. */
3838 r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL);
3840 r = log_error_errno(errno, "Failed to change the signal mask: %m");
3844 r = sigaction(SIGCHLD, &sa, NULL);
3846 r = log_error_errno(errno, "Failed to install SIGCHLD handler: %m");
3850 pid = raw_clone(SIGCHLD|CLONE_NEWNS|
3851 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
3852 (arg_private_network ? CLONE_NEWNET : 0), NULL);
3854 if (errno == EINVAL)
3855 r = log_error_errno(errno, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3857 r = log_error_errno(errno, "clone() failed: %m");
3864 _cleanup_free_ char *home = NULL;
3866 const char *envp[] = {
3867 "PATH=" DEFAULT_PATH_SPLIT_USR,
3868 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
3873 NULL, /* container_uuid */
3874 NULL, /* LISTEN_FDS */
3875 NULL, /* LISTEN_PID */
3880 barrier_set_role(&barrier, BARRIER_CHILD);
3882 envp[n_env] = strv_find_prefix(environ, "TERM=");
3886 master = safe_close(master);
3888 close_nointr(STDIN_FILENO);
3889 close_nointr(STDOUT_FILENO);
3890 close_nointr(STDERR_FILENO);
3892 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
3893 rtnl_socket_pair[0] = safe_close(rtnl_socket_pair[0]);
3895 reset_all_signal_handlers();
3896 reset_signal_mask();
3898 r = open_terminal(console, O_RDWR);
3899 if (r != STDIN_FILENO) {
3905 log_error_errno(r, "Failed to open console: %m");
3906 _exit(EXIT_FAILURE);
3909 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
3910 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
3911 log_error_errno(errno, "Failed to duplicate console: %m");
3912 _exit(EXIT_FAILURE);
3916 log_error_errno(errno, "setsid() failed: %m");
3917 _exit(EXIT_FAILURE);
3920 if (reset_audit_loginuid() < 0)
3921 _exit(EXIT_FAILURE);
3923 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
3924 log_error_errno(errno, "PR_SET_PDEATHSIG failed: %m");
3925 _exit(EXIT_FAILURE);
3928 /* Mark everything as slave, so that we still
3929 * receive mounts from the real root, but don't
3930 * propagate mounts to the real root. */
3931 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
3932 log_error_errno(errno, "MS_SLAVE|MS_REC failed: %m");
3933 _exit(EXIT_FAILURE);
3936 if (mount_devices(arg_directory,
3937 root_device, root_device_rw,
3938 home_device, home_device_rw,
3939 srv_device, srv_device_rw) < 0)
3940 _exit(EXIT_FAILURE);
3942 /* Turn directory into bind mount */
3943 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
3944 log_error_errno(errno, "Failed to make bind mount: %m");
3945 _exit(EXIT_FAILURE);
3948 r = setup_volatile(arg_directory);
3950 _exit(EXIT_FAILURE);
3952 if (setup_volatile_state(arg_directory) < 0)
3953 _exit(EXIT_FAILURE);
3955 r = base_filesystem_create(arg_directory);
3957 _exit(EXIT_FAILURE);
3959 if (arg_read_only) {
3960 r = bind_remount_recursive(arg_directory, true);
3962 log_error_errno(r, "Failed to make tree read-only: %m");
3963 _exit(EXIT_FAILURE);
3967 if (mount_all(arg_directory) < 0)
3968 _exit(EXIT_FAILURE);
3970 if (copy_devnodes(arg_directory) < 0)
3971 _exit(EXIT_FAILURE);
3973 if (setup_ptmx(arg_directory) < 0)
3974 _exit(EXIT_FAILURE);
3976 dev_setup(arg_directory);
3978 if (setup_propagate(arg_directory) < 0)
3979 _exit(EXIT_FAILURE);
3981 if (setup_seccomp() < 0)
3982 _exit(EXIT_FAILURE);
3984 if (setup_dev_console(arg_directory, console) < 0)
3985 _exit(EXIT_FAILURE);
3987 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
3988 _exit(EXIT_FAILURE);
3989 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
3991 if (send_rtnl(rtnl_socket_pair[1]) < 0)
3992 _exit(EXIT_FAILURE);
3993 rtnl_socket_pair[1] = safe_close(rtnl_socket_pair[1]);
3995 /* Tell the parent that we are ready, and that
3996 * it can cgroupify us to that we lack access
3997 * to certain devices and resources. */
3998 (void) barrier_place(&barrier);
4000 if (setup_boot_id(arg_directory) < 0)
4001 _exit(EXIT_FAILURE);
4003 if (setup_timezone(arg_directory) < 0)
4004 _exit(EXIT_FAILURE);
4006 if (setup_resolv_conf(arg_directory) < 0)
4007 _exit(EXIT_FAILURE);
4009 if (setup_journal(arg_directory) < 0)
4010 _exit(EXIT_FAILURE);
4012 if (mount_binds(arg_directory, arg_bind, false) < 0)
4013 _exit(EXIT_FAILURE);
4015 if (mount_binds(arg_directory, arg_bind_ro, true) < 0)
4016 _exit(EXIT_FAILURE);
4018 if (mount_tmpfs(arg_directory) < 0)
4019 _exit(EXIT_FAILURE);
4021 /* Wait until we are cgroup-ified, so that we
4022 * can mount the right cgroup path writable */
4023 (void) barrier_sync_next(&barrier);
4025 if (mount_cgroup(arg_directory) < 0)
4026 _exit(EXIT_FAILURE);
4028 if (chdir(arg_directory) < 0) {
4029 log_error_errno(errno, "chdir(%s) failed: %m", arg_directory);
4030 _exit(EXIT_FAILURE);
4033 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
4034 log_error_errno(errno, "mount(MS_MOVE) failed: %m");
4035 _exit(EXIT_FAILURE);
4038 if (chroot(".") < 0) {
4039 log_error_errno(errno, "chroot() failed: %m");
4040 _exit(EXIT_FAILURE);
4043 if (chdir("/") < 0) {
4044 log_error_errno(errno, "chdir() failed: %m");
4045 _exit(EXIT_FAILURE);
4050 if (arg_private_network)
4053 if (drop_capabilities() < 0) {
4054 log_error_errno(errno, "drop_capabilities() failed: %m");
4055 _exit(EXIT_FAILURE);
4058 r = change_uid_gid(&home);
4060 _exit(EXIT_FAILURE);
4062 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
4063 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
4064 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
4066 _exit(EXIT_FAILURE);
4069 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
4072 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
4074 _exit(EXIT_FAILURE);
4078 if (fdset_size(fds) > 0) {
4079 r = fdset_cloexec(fds, false);
4081 log_error_errno(r, "Failed to unset O_CLOEXEC for file descriptors.");
4082 _exit(EXIT_FAILURE);
4085 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
4086 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
4088 _exit(EXIT_FAILURE);
4094 if (arg_personality != 0xffffffffLU) {
4095 if (personality(arg_personality) < 0) {
4096 log_error_errno(errno, "personality() failed: %m");
4097 _exit(EXIT_FAILURE);
4099 } else if (secondary) {
4100 if (personality(PER_LINUX32) < 0) {
4101 log_error_errno(errno, "personality() failed: %m");
4102 _exit(EXIT_FAILURE);
4107 if (arg_selinux_context)
4108 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
4109 log_error_errno(errno, "setexeccon(\"%s\") failed: %m", arg_selinux_context);
4110 _exit(EXIT_FAILURE);
4114 if (!strv_isempty(arg_setenv)) {
4117 n = strv_env_merge(2, envp, arg_setenv);
4120 _exit(EXIT_FAILURE);
4125 env_use = (char**) envp;
4127 /* Wait until the parent is ready with the setup, too... */
4128 if (!barrier_place_and_sync(&barrier))
4129 _exit(EXIT_FAILURE);
4135 /* Automatically search for the init system */
4137 l = 1 + argc - optind;
4138 a = newa(char*, l + 1);
4139 memcpy(a + 1, argv + optind, l * sizeof(char*));
4141 a[0] = (char*) "/usr/lib/systemd/systemd";
4142 execve(a[0], a, env_use);
4144 a[0] = (char*) "/lib/systemd/systemd";
4145 execve(a[0], a, env_use);
4147 a[0] = (char*) "/sbin/init";
4148 execve(a[0], a, env_use);
4149 } else if (argc > optind)
4150 execvpe(argv[optind], argv + optind, env_use);
4152 chdir(home ? home : "/root");
4153 execle("/bin/bash", "-bash", NULL, env_use);
4154 execle("/bin/sh", "-sh", NULL, env_use);
4157 log_error_errno(errno, "execv() failed: %m");
4158 _exit(EXIT_FAILURE);
4161 barrier_set_role(&barrier, BARRIER_PARENT);
4165 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
4166 rtnl_socket_pair[1] = safe_close(rtnl_socket_pair[1]);
4168 /* Wait for the most basic Child-setup to be done,
4169 * before we add hardware to it, and place it in a
4171 if (barrier_sync_next(&barrier)) {
4174 r = move_network_interfaces(pid);
4178 r = setup_veth(pid, veth_name, &ifi);
4182 r = setup_bridge(veth_name, &ifi);
4186 r = setup_macvlan(pid);
4190 r = setup_ipvlan(pid);
4194 r = register_machine(pid, ifi);
4198 /* Block SIGCHLD here, before notifying child.
4199 * process_pty() will handle it with the other signals. */
4200 r = sigprocmask(SIG_BLOCK, &mask_chld, NULL);
4204 /* Reset signal to default */
4205 r = default_signals(SIGCHLD, -1);
4209 /* Notify the child that the parent is ready with all
4210 * its setup, and that the child can now hand over
4211 * control to the code to run inside the container. */
4212 (void) barrier_place(&barrier);
4214 /* And wait that the child is completely ready now. */
4215 if (barrier_place_and_sync(&barrier)) {
4216 _cleanup_event_unref_ sd_event *event = NULL;
4217 _cleanup_(pty_forward_freep) PTYForward *forward = NULL;
4218 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
4223 "STATUS=Container running.\n"
4224 "X_NSPAWN_LEADER_PID=" PID_FMT, pid);
4226 r = sd_event_new(&event);
4228 log_error_errno(r, "Failed to get default event source: %m");
4233 /* Try to kill the init system on SIGINT or SIGTERM */
4234 sd_event_add_signal(event, NULL, SIGINT, on_orderly_shutdown, UINT32_TO_PTR(pid));
4235 sd_event_add_signal(event, NULL, SIGTERM, on_orderly_shutdown, UINT32_TO_PTR(pid));
4237 /* Immediately exit */
4238 sd_event_add_signal(event, NULL, SIGINT, NULL, NULL);
4239 sd_event_add_signal(event, NULL, SIGTERM, NULL, NULL);
4242 /* simply exit on sigchld */
4243 sd_event_add_signal(event, NULL, SIGCHLD, NULL, NULL);
4245 if (arg_expose_ports) {
4246 r = watch_rtnl(event, rtnl_socket_pair[0], &exposed, &rtnl);
4250 (void) expose_ports(rtnl, &exposed);
4253 rtnl_socket_pair[0] = safe_close(rtnl_socket_pair[0]);
4255 r = pty_forward_new(event, master, true, &forward);
4257 log_error_errno(r, "Failed to create PTY forwarder: %m");
4261 r = sd_event_loop(event);
4263 log_error_errno(r, "Failed to run event loop: %m");
4267 pty_forward_get_last_char(forward, &last_char);
4269 forward = pty_forward_free(forward);
4271 if (!arg_quiet && last_char != '\n')
4274 /* Kill if it is not dead yet anyway */
4275 terminate_machine(pid);
4279 /* Normally redundant, but better safe than sorry */
4282 r = wait_for_container(pid, &container_status);
4286 /* We failed to wait for the container, or the
4287 * container exited abnormally */
4289 else if (r > 0 || container_status == CONTAINER_TERMINATED){
4290 /* The container exited with a non-zero
4291 * status, or with zero status and no reboot
4297 /* CONTAINER_REBOOTED, loop again */
4299 if (arg_keep_unit) {
4300 /* Special handling if we are running as a
4301 * service: instead of simply restarting the
4302 * machine we want to restart the entire
4303 * service, so let's inform systemd about this
4304 * with the special exit code 133. The service
4305 * file uses RestartForceExitStatus=133 so
4306 * that this results in a full nspawn
4307 * restart. This is necessary since we might
4308 * have cgroup parameters set we want to have
4315 flush_ports(&exposed);
4321 "STATUS=Terminating...");
4323 loop_remove(loop_nr, &image_fd);
4328 if (remove_subvol && arg_directory) {
4331 k = btrfs_subvol_remove(arg_directory);
4333 log_warning_errno(k, "Cannot remove subvolume '%s', ignoring: %m", arg_directory);
4339 p = strjoina("/run/systemd/nspawn/propagate/", arg_machine);
4340 (void) rm_rf(p, false, true, false);
4343 free(arg_directory);
4348 strv_free(arg_setenv);
4349 strv_free(arg_network_interfaces);
4350 strv_free(arg_network_macvlan);
4351 strv_free(arg_network_ipvlan);
4352 strv_free(arg_bind);
4353 strv_free(arg_bind_ro);
4354 strv_free(arg_tmpfs);
4356 flush_ports(&exposed);
4358 while (arg_expose_ports) {
4359 ExposePort *p = arg_expose_ports;
4360 LIST_REMOVE(ports, arg_expose_ports, p);
4364 return r < 0 ? EXIT_FAILURE : ret;