1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
37 #include <sys/signalfd.h>
41 #include <sys/socket.h>
42 #include <linux/netlink.h>
44 #include <linux/veth.h>
45 #include <sys/personality.h>
46 #include <linux/loop.h>
49 #include <selinux/selinux.h>
57 #include <blkid/blkid.h>
60 #include "sd-daemon.h"
70 #include "cgroup-util.h"
72 #include "path-util.h"
73 #include "loopback-setup.h"
74 #include "dev-setup.h"
79 #include "bus-error.h"
81 #include "bus-kernel.h"
84 #include "rtnl-util.h"
85 #include "udev-util.h"
86 #include "blkid-util.h"
88 #include "siphash24.h"
90 #include "base-filesystem.h"
92 #include "event-util.h"
95 #include "seccomp-util.h"
98 typedef enum ContainerStatus {
103 typedef enum LinkJournal {
110 typedef enum Volatile {
116 static char *arg_directory = NULL;
117 static char *arg_user = NULL;
118 static sd_id128_t arg_uuid = {};
119 static char *arg_machine = NULL;
120 static const char *arg_selinux_context = NULL;
121 static const char *arg_selinux_apifs_context = NULL;
122 static const char *arg_slice = NULL;
123 static bool arg_private_network = false;
124 static bool arg_read_only = false;
125 static bool arg_boot = false;
126 static LinkJournal arg_link_journal = LINK_AUTO;
127 static bool arg_link_journal_try = false;
128 static uint64_t arg_retain =
129 (1ULL << CAP_CHOWN) |
130 (1ULL << CAP_DAC_OVERRIDE) |
131 (1ULL << CAP_DAC_READ_SEARCH) |
132 (1ULL << CAP_FOWNER) |
133 (1ULL << CAP_FSETID) |
134 (1ULL << CAP_IPC_OWNER) |
136 (1ULL << CAP_LEASE) |
137 (1ULL << CAP_LINUX_IMMUTABLE) |
138 (1ULL << CAP_NET_BIND_SERVICE) |
139 (1ULL << CAP_NET_BROADCAST) |
140 (1ULL << CAP_NET_RAW) |
141 (1ULL << CAP_SETGID) |
142 (1ULL << CAP_SETFCAP) |
143 (1ULL << CAP_SETPCAP) |
144 (1ULL << CAP_SETUID) |
145 (1ULL << CAP_SYS_ADMIN) |
146 (1ULL << CAP_SYS_CHROOT) |
147 (1ULL << CAP_SYS_NICE) |
148 (1ULL << CAP_SYS_PTRACE) |
149 (1ULL << CAP_SYS_TTY_CONFIG) |
150 (1ULL << CAP_SYS_RESOURCE) |
151 (1ULL << CAP_SYS_BOOT) |
152 (1ULL << CAP_AUDIT_WRITE) |
153 (1ULL << CAP_AUDIT_CONTROL) |
155 static char **arg_bind = NULL;
156 static char **arg_bind_ro = NULL;
157 static char **arg_tmpfs = NULL;
158 static char **arg_setenv = NULL;
159 static bool arg_quiet = false;
160 static bool arg_share_system = false;
161 static bool arg_register = true;
162 static bool arg_keep_unit = false;
163 static char **arg_network_interfaces = NULL;
164 static char **arg_network_macvlan = NULL;
165 static bool arg_network_veth = false;
166 static const char *arg_network_bridge = NULL;
167 static unsigned long arg_personality = 0xffffffffLU;
168 static const char *arg_image = NULL;
169 static Volatile arg_volatile = VOLATILE_NO;
171 static void help(void) {
172 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
173 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
174 " -h --help Show this help\n"
175 " --version Print version string\n"
176 " -q --quiet Do not show status information\n"
177 " -D --directory=PATH Root directory for the container\n"
178 " -i --image=PATH File system device or image for the container\n"
179 " -b --boot Boot up full system (i.e. invoke init)\n"
180 " -u --user=USER Run the command under specified user or uid\n"
181 " -M --machine=NAME Set the machine name for the container\n"
182 " --uuid=UUID Set a specific machine UUID for the container\n"
183 " -S --slice=SLICE Place the container in the specified slice\n"
184 " --private-network Disable network in container\n"
185 " --network-interface=INTERFACE\n"
186 " Assign an existing network interface to the\n"
188 " --network-macvlan=INTERFACE\n"
189 " Create a macvlan network interface based on an\n"
190 " existing network interface to the container\n"
191 " --network-veth Add a virtual ethernet connection between host\n"
193 " --network-bridge=INTERFACE\n"
194 " Add a virtual ethernet connection between host\n"
195 " and container and add it to an existing bridge on\n"
197 " -Z --selinux-context=SECLABEL\n"
198 " Set the SELinux security context to be used by\n"
199 " processes in the container\n"
200 " -L --selinux-apifs-context=SECLABEL\n"
201 " Set the SELinux security context to be used by\n"
202 " API/tmpfs file systems in the container\n"
203 " --capability=CAP In addition to the default, retain specified\n"
205 " --drop-capability=CAP Drop the specified capability from the default set\n"
206 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host,\n"
207 " try-guest, try-host\n"
208 " -j Equivalent to --link-journal=try-guest\n"
209 " --read-only Mount the root directory read-only\n"
210 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
212 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
213 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
214 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
215 " --share-system Share system namespaces with host\n"
216 " --register=BOOLEAN Register container as machine\n"
217 " --keep-unit Do not register a scope for the machine, reuse\n"
218 " the service unit nspawn is running in\n"
219 " --volatile[=MODE] Run the system in volatile mode\n",
220 program_invocation_short_name);
223 static int parse_argv(int argc, char *argv[]) {
240 ARG_NETWORK_INTERFACE,
248 static const struct option options[] = {
249 { "help", no_argument, NULL, 'h' },
250 { "version", no_argument, NULL, ARG_VERSION },
251 { "directory", required_argument, NULL, 'D' },
252 { "user", required_argument, NULL, 'u' },
253 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
254 { "boot", no_argument, NULL, 'b' },
255 { "uuid", required_argument, NULL, ARG_UUID },
256 { "read-only", no_argument, NULL, ARG_READ_ONLY },
257 { "capability", required_argument, NULL, ARG_CAPABILITY },
258 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
259 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
260 { "bind", required_argument, NULL, ARG_BIND },
261 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
262 { "tmpfs", required_argument, NULL, ARG_TMPFS },
263 { "machine", required_argument, NULL, 'M' },
264 { "slice", required_argument, NULL, 'S' },
265 { "setenv", required_argument, NULL, ARG_SETENV },
266 { "selinux-context", required_argument, NULL, 'Z' },
267 { "selinux-apifs-context", required_argument, NULL, 'L' },
268 { "quiet", no_argument, NULL, 'q' },
269 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
270 { "register", required_argument, NULL, ARG_REGISTER },
271 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
272 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
273 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
274 { "network-veth", no_argument, NULL, ARG_NETWORK_VETH },
275 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
276 { "personality", required_argument, NULL, ARG_PERSONALITY },
277 { "image", required_argument, NULL, 'i' },
278 { "volatile", optional_argument, NULL, ARG_VOLATILE },
283 uint64_t plus = 0, minus = 0;
288 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:", options, NULL)) >= 0)
297 puts(PACKAGE_STRING);
298 puts(SYSTEMD_FEATURES);
303 arg_directory = canonicalize_file_name(optarg);
304 if (!arg_directory) {
305 log_error_errno(errno, "Invalid root directory: %m");
317 arg_user = strdup(optarg);
323 case ARG_NETWORK_BRIDGE:
324 arg_network_bridge = optarg;
328 case ARG_NETWORK_VETH:
329 arg_network_veth = true;
330 arg_private_network = true;
333 case ARG_NETWORK_INTERFACE:
334 if (strv_extend(&arg_network_interfaces, optarg) < 0)
337 arg_private_network = true;
340 case ARG_NETWORK_MACVLAN:
341 if (strv_extend(&arg_network_macvlan, optarg) < 0)
346 case ARG_PRIVATE_NETWORK:
347 arg_private_network = true;
355 r = sd_id128_from_string(optarg, &arg_uuid);
357 log_error("Invalid UUID: %s", optarg);
367 if (isempty(optarg)) {
372 if (!hostname_is_valid(optarg)) {
373 log_error("Invalid machine name: %s", optarg);
378 arg_machine = strdup(optarg);
386 arg_selinux_context = optarg;
390 arg_selinux_apifs_context = optarg;
394 arg_read_only = true;
398 case ARG_DROP_CAPABILITY: {
399 const char *state, *word;
402 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
403 _cleanup_free_ char *t;
406 t = strndup(word, length);
410 if (streq(t, "all")) {
411 if (c == ARG_CAPABILITY)
412 plus = (uint64_t) -1;
414 minus = (uint64_t) -1;
416 if (cap_from_name(t, &cap) < 0) {
417 log_error("Failed to parse capability %s.", t);
421 if (c == ARG_CAPABILITY)
422 plus |= 1ULL << (uint64_t) cap;
424 minus |= 1ULL << (uint64_t) cap;
432 arg_link_journal = LINK_GUEST;
433 arg_link_journal_try = true;
436 case ARG_LINK_JOURNAL:
437 if (streq(optarg, "auto"))
438 arg_link_journal = LINK_AUTO;
439 else if (streq(optarg, "no"))
440 arg_link_journal = LINK_NO;
441 else if (streq(optarg, "guest"))
442 arg_link_journal = LINK_GUEST;
443 else if (streq(optarg, "host"))
444 arg_link_journal = LINK_HOST;
445 else if (streq(optarg, "try-guest")) {
446 arg_link_journal = LINK_GUEST;
447 arg_link_journal_try = true;
448 } else if (streq(optarg, "try-host")) {
449 arg_link_journal = LINK_HOST;
450 arg_link_journal_try = true;
452 log_error("Failed to parse link journal mode %s", optarg);
460 _cleanup_free_ char *a = NULL, *b = NULL;
464 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
466 e = strchr(optarg, ':');
468 a = strndup(optarg, e - optarg);
478 if (!path_is_absolute(a) || !path_is_absolute(b)) {
479 log_error("Invalid bind mount specification: %s", optarg);
483 r = strv_extend(x, a);
487 r = strv_extend(x, b);
495 _cleanup_free_ char *a = NULL, *b = NULL;
498 e = strchr(optarg, ':');
500 a = strndup(optarg, e - optarg);
504 b = strdup("mode=0755");
510 if (!path_is_absolute(a)) {
511 log_error("Invalid tmpfs specification: %s", optarg);
515 r = strv_push(&arg_tmpfs, a);
521 r = strv_push(&arg_tmpfs, b);
533 if (!env_assignment_is_valid(optarg)) {
534 log_error("Environment variable assignment '%s' is not valid.", optarg);
538 n = strv_env_set(arg_setenv, optarg);
542 strv_free(arg_setenv);
551 case ARG_SHARE_SYSTEM:
552 arg_share_system = true;
556 r = parse_boolean(optarg);
558 log_error("Failed to parse --register= argument: %s", optarg);
566 arg_keep_unit = true;
569 case ARG_PERSONALITY:
571 arg_personality = personality_from_string(optarg);
572 if (arg_personality == 0xffffffffLU) {
573 log_error("Unknown or unsupported personality '%s'.", optarg);
582 arg_volatile = VOLATILE_YES;
584 r = parse_boolean(optarg);
586 if (streq(optarg, "state"))
587 arg_volatile = VOLATILE_STATE;
589 log_error("Failed to parse --volatile= argument: %s", optarg);
593 arg_volatile = r ? VOLATILE_YES : VOLATILE_NO;
602 assert_not_reached("Unhandled option");
605 if (arg_share_system)
606 arg_register = false;
608 if (arg_boot && arg_share_system) {
609 log_error("--boot and --share-system may not be combined.");
613 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
614 log_error("--keep-unit may not be used when invoked from a user session.");
618 if (arg_directory && arg_image) {
619 log_error("--directory= and --image= may not be combined.");
623 if (arg_volatile != VOLATILE_NO && arg_read_only) {
624 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
628 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
633 static int mount_all(const char *dest) {
635 typedef struct MountPoint {
644 static const MountPoint mount_table[] = {
645 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
646 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
647 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
648 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
649 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
650 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
651 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
652 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
654 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
655 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
662 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
663 _cleanup_free_ char *where = NULL;
665 _cleanup_free_ char *options = NULL;
670 where = strjoin(dest, "/", mount_table[k].where, NULL);
674 t = path_is_mount_point(where, true);
676 log_error_errno(t, "Failed to detect whether %s is a mount point: %m", where);
684 /* Skip this entry if it is not a remount. */
685 if (mount_table[k].what && t > 0)
688 t = mkdir_p(where, 0755);
690 if (mount_table[k].fatal) {
691 log_error_errno(t, "Failed to create directory %s: %m", where);
696 log_warning_errno(t, "Failed to create directory %s: %m", where);
702 if (arg_selinux_apifs_context &&
703 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
704 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
711 o = mount_table[k].options;
714 if (mount(mount_table[k].what,
717 mount_table[k].flags,
720 if (mount_table[k].fatal) {
721 log_error_errno(errno, "mount(%s) failed: %m", where);
726 log_warning_errno(errno, "mount(%s) failed: %m", where);
733 static int mount_binds(const char *dest, char **l, bool ro) {
736 STRV_FOREACH_PAIR(x, y, l) {
737 _cleanup_free_ char *where = NULL;
738 struct stat source_st, dest_st;
741 if (stat(*x, &source_st) < 0)
742 return log_error_errno(errno, "Failed to stat %s: %m", *x);
744 where = strappend(dest, *y);
748 r = stat(where, &dest_st);
750 if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
751 log_error("The file types of %s and %s do not match. Refusing bind mount", *x, where);
754 } else if (errno == ENOENT) {
755 r = mkdir_parents_label(where, 0755);
757 return log_error_errno(r, "Failed to bind mount %s: %m", *x);
759 log_error_errno(errno, "Failed to bind mount %s: %m", *x);
763 /* Create the mount point, but be conservative -- refuse to create block
764 * and char devices. */
765 if (S_ISDIR(source_st.st_mode)) {
766 r = mkdir_label(where, 0755);
767 if (r < 0 && errno != EEXIST)
768 return log_error_errno(r, "Failed to create mount point %s: %m", where);
769 } else if (S_ISFIFO(source_st.st_mode)) {
770 r = mkfifo(where, 0644);
771 if (r < 0 && errno != EEXIST)
772 return log_error_errno(errno, "Failed to create mount point %s: %m", where);
773 } else if (S_ISSOCK(source_st.st_mode)) {
774 r = mknod(where, 0644 | S_IFSOCK, 0);
775 if (r < 0 && errno != EEXIST)
776 return log_error_errno(errno, "Failed to create mount point %s: %m", where);
777 } else if (S_ISREG(source_st.st_mode)) {
780 return log_error_errno(r, "Failed to create mount point %s: %m", where);
782 log_error("Refusing to create mountpoint for file: %s", *x);
786 if (mount(*x, where, "bind", MS_BIND, NULL) < 0)
787 return log_error_errno(errno, "mount(%s) failed: %m", where);
790 r = bind_remount_recursive(where, true);
792 return log_error_errno(r, "Read-Only bind mount failed: %m");
799 static int mount_tmpfs(const char *dest) {
802 STRV_FOREACH_PAIR(i, o, arg_tmpfs) {
803 _cleanup_free_ char *where = NULL;
806 where = strappend(dest, *i);
810 r = mkdir_label(where, 0755);
811 if (r < 0 && r != -EEXIST)
812 return log_error_errno(r, "Creating mount point for tmpfs %s failed: %m", where);
814 if (mount("tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, *o) < 0)
815 return log_error_errno(errno, "tmpfs mount to %s failed: %m", where);
821 static int setup_timezone(const char *dest) {
822 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
828 /* Fix the timezone, if possible */
829 r = readlink_malloc("/etc/localtime", &p);
831 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
835 z = path_startswith(p, "../usr/share/zoneinfo/");
837 z = path_startswith(p, "/usr/share/zoneinfo/");
839 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
843 where = strappend(dest, "/etc/localtime");
847 r = readlink_malloc(where, &q);
849 y = path_startswith(q, "../usr/share/zoneinfo/");
851 y = path_startswith(q, "/usr/share/zoneinfo/");
853 /* Already pointing to the right place? Then do nothing .. */
854 if (y && streq(y, z))
858 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
862 if (access(check, F_OK) < 0) {
863 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
867 what = strappend("../usr/share/zoneinfo/", z);
871 r = mkdir_parents(where, 0755);
873 log_error_errno(r, "Failed to create directory for timezone info %s in container: %m", where);
879 if (r < 0 && errno != ENOENT) {
880 log_error_errno(errno, "Failed to remove existing timezone info %s in container: %m", where);
885 if (symlink(what, where) < 0) {
886 log_error_errno(errno, "Failed to correct timezone of container: %m");
893 static int setup_resolv_conf(const char *dest) {
894 _cleanup_free_ char *where = NULL;
899 if (arg_private_network)
902 /* Fix resolv.conf, if possible */
903 where = strappend(dest, "/etc/resolv.conf");
907 /* We don't really care for the results of this really. If it
908 * fails, it fails, but meh... */
909 r = mkdir_parents(where, 0755);
911 log_warning_errno(r, "Failed to create parent directory for resolv.conf %s: %m", where);
916 r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644);
918 log_warning_errno(r, "Failed to copy /etc/resolv.conf to %s: %m", where);
926 static int setup_volatile_state(const char *directory) {
932 if (arg_volatile != VOLATILE_STATE)
935 /* --volatile=state means we simply overmount /var
936 with a tmpfs, and the rest read-only. */
938 r = bind_remount_recursive(directory, true);
940 return log_error_errno(r, "Failed to remount %s read-only: %m", directory);
942 p = strappenda(directory, "/var");
944 if (r < 0 && errno != EEXIST)
945 return log_error_errno(errno, "Failed to create %s: %m", directory);
947 if (mount("tmpfs", p, "tmpfs", MS_STRICTATIME, "mode=755") < 0)
948 return log_error_errno(errno, "Failed to mount tmpfs to /var: %m");
953 static int setup_volatile(const char *directory) {
954 bool tmpfs_mounted = false, bind_mounted = false;
955 char template[] = "/tmp/nspawn-volatile-XXXXXX";
961 if (arg_volatile != VOLATILE_YES)
964 /* --volatile=yes means we mount a tmpfs to the root dir, and
965 the original /usr to use inside it, and that read-only. */
967 if (!mkdtemp(template))
968 return log_error_errno(errno, "Failed to create temporary directory: %m");
970 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
971 log_error_errno(errno, "Failed to mount tmpfs for root directory: %m");
976 tmpfs_mounted = true;
978 f = strappenda(directory, "/usr");
979 t = strappenda(template, "/usr");
982 if (r < 0 && errno != EEXIST) {
983 log_error_errno(errno, "Failed to create %s: %m", t);
988 if (mount(f, t, "bind", MS_BIND|MS_REC, NULL) < 0) {
989 log_error_errno(errno, "Failed to create /usr bind mount: %m");
996 r = bind_remount_recursive(t, true);
998 log_error_errno(r, "Failed to remount %s read-only: %m", t);
1002 if (mount(template, directory, NULL, MS_MOVE, NULL) < 0) {
1003 log_error_errno(errno, "Failed to move root mount: %m");
1021 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
1024 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1025 SD_ID128_FORMAT_VAL(id));
1030 static int setup_boot_id(const char *dest) {
1031 _cleanup_free_ char *from = NULL, *to = NULL;
1032 sd_id128_t rnd = {};
1038 if (arg_share_system)
1041 /* Generate a new randomized boot ID, so that each boot-up of
1042 * the container gets a new one */
1044 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
1045 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
1049 r = sd_id128_randomize(&rnd);
1051 return log_error_errno(r, "Failed to generate random boot id: %m");
1053 id128_format_as_uuid(rnd, as_uuid);
1055 r = write_string_file(from, as_uuid);
1057 return log_error_errno(r, "Failed to write boot id: %m");
1059 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1060 log_error_errno(errno, "Failed to bind mount boot id: %m");
1062 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
1063 log_warning_errno(errno, "Failed to make boot id read-only: %m");
1069 static int copy_devnodes(const char *dest) {
1071 static const char devnodes[] =
1082 _cleanup_umask_ mode_t u;
1088 NULSTR_FOREACH(d, devnodes) {
1089 _cleanup_free_ char *from = NULL, *to = NULL;
1092 from = strappend("/dev/", d);
1093 to = strjoin(dest, "/dev/", d, NULL);
1097 if (stat(from, &st) < 0) {
1099 if (errno != ENOENT)
1100 return log_error_errno(errno, "Failed to stat %s: %m", from);
1102 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
1104 log_error("%s is not a char or block device, cannot copy", from);
1108 r = mkdir_parents(to, 0775);
1110 log_error_errno(r, "Failed to create parent directory of %s: %m", to);
1114 if (mknod(to, st.st_mode, st.st_rdev) < 0)
1115 return log_error_errno(errno, "mknod(%s) failed: %m", dest);
1122 static int setup_ptmx(const char *dest) {
1123 _cleanup_free_ char *p = NULL;
1125 p = strappend(dest, "/dev/ptmx");
1129 if (symlink("pts/ptmx", p) < 0)
1130 return log_error_errno(errno, "Failed to create /dev/ptmx symlink: %m");
1135 static int setup_dev_console(const char *dest, const char *console) {
1136 _cleanup_umask_ mode_t u;
1146 if (stat("/dev/null", &st) < 0)
1147 return log_error_errno(errno, "Failed to stat /dev/null: %m");
1149 r = chmod_and_chown(console, 0600, 0, 0);
1151 return log_error_errno(r, "Failed to correct access mode for TTY: %m");
1153 /* We need to bind mount the right tty to /dev/console since
1154 * ptys can only exist on pts file systems. To have something
1155 * to bind mount things on we create a device node first, and
1156 * use /dev/null for that since we the cgroups device policy
1157 * allows us to create that freely, while we cannot create
1158 * /dev/console. (Note that the major minor doesn't actually
1159 * matter here, since we mount it over anyway). */
1161 to = strappenda(dest, "/dev/console");
1162 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0)
1163 return log_error_errno(errno, "mknod() for /dev/console failed: %m");
1165 if (mount(console, to, "bind", MS_BIND, NULL) < 0)
1166 return log_error_errno(errno, "Bind mount for /dev/console failed: %m");
1171 static int setup_kmsg(const char *dest, int kmsg_socket) {
1172 _cleanup_free_ char *from = NULL, *to = NULL;
1174 _cleanup_umask_ mode_t u;
1176 struct cmsghdr cmsghdr;
1177 uint8_t buf[CMSG_SPACE(sizeof(int))];
1179 struct msghdr mh = {
1180 .msg_control = &control,
1181 .msg_controllen = sizeof(control),
1183 struct cmsghdr *cmsg;
1186 assert(kmsg_socket >= 0);
1190 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1191 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1192 * on the reading side behave very similar to /proc/kmsg,
1193 * their writing side behaves differently from /dev/kmsg in
1194 * that writing blocks when nothing is reading. In order to
1195 * avoid any problems with containers deadlocking due to this
1196 * we simply make /dev/kmsg unavailable to the container. */
1197 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
1198 asprintf(&to, "%s/proc/kmsg", dest) < 0)
1201 if (mkfifo(from, 0600) < 0)
1202 return log_error_errno(errno, "mkfifo() for /dev/kmsg failed: %m");
1204 r = chmod_and_chown(from, 0600, 0, 0);
1206 return log_error_errno(r, "Failed to correct access mode for /dev/kmsg: %m");
1208 if (mount(from, to, "bind", MS_BIND, NULL) < 0)
1209 return log_error_errno(errno, "Bind mount for /proc/kmsg failed: %m");
1211 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
1213 return log_error_errno(errno, "Failed to open fifo: %m");
1215 cmsg = CMSG_FIRSTHDR(&mh);
1216 cmsg->cmsg_level = SOL_SOCKET;
1217 cmsg->cmsg_type = SCM_RIGHTS;
1218 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1219 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1221 mh.msg_controllen = cmsg->cmsg_len;
1223 /* Store away the fd in the socket, so that it stays open as
1224 * long as we run the child */
1225 k = sendmsg(kmsg_socket, &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
1229 return log_error_errno(errno, "Failed to send FIFO fd: %m");
1231 /* And now make the FIFO unavailable as /dev/kmsg... */
1236 static int setup_hostname(void) {
1238 if (arg_share_system)
1241 if (sethostname_idempotent(arg_machine) < 0)
1247 static int setup_journal(const char *directory) {
1248 sd_id128_t machine_id, this_id;
1249 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1253 p = strappend(directory, "/etc/machine-id");
1257 r = read_one_line_file(p, &b);
1258 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1261 return log_error_errno(r, "Failed to read machine ID from %s: %m", p);
1264 if (isempty(id) && arg_link_journal == LINK_AUTO)
1267 /* Verify validity */
1268 r = sd_id128_from_string(id, &machine_id);
1270 return log_error_errno(r, "Failed to parse machine ID from %s: %m", p);
1272 r = sd_id128_get_machine(&this_id);
1274 return log_error_errno(r, "Failed to retrieve machine ID: %m");
1276 if (sd_id128_equal(machine_id, this_id)) {
1277 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1278 "Host and machine ids are equal (%s): refusing to link journals", id);
1279 if (arg_link_journal == LINK_AUTO)
1285 if (arg_link_journal == LINK_NO)
1289 p = strappend("/var/log/journal/", id);
1290 q = strjoin(directory, "/var/log/journal/", id, NULL);
1294 if (path_is_mount_point(p, false) > 0) {
1295 if (arg_link_journal != LINK_AUTO) {
1296 log_error("%s: already a mount point, refusing to use for journal", p);
1303 if (path_is_mount_point(q, false) > 0) {
1304 if (arg_link_journal != LINK_AUTO) {
1305 log_error("%s: already a mount point, refusing to use for journal", q);
1312 r = readlink_and_make_absolute(p, &d);
1314 if ((arg_link_journal == LINK_GUEST ||
1315 arg_link_journal == LINK_AUTO) &&
1318 r = mkdir_p(q, 0755);
1320 log_warning_errno(errno, "Failed to create directory %s: %m", q);
1325 return log_error_errno(errno, "Failed to remove symlink %s: %m", p);
1326 } else if (r == -EINVAL) {
1328 if (arg_link_journal == LINK_GUEST &&
1331 if (errno == ENOTDIR) {
1332 log_error("%s already exists and is neither a symlink nor a directory", p);
1335 log_error_errno(errno, "Failed to remove %s: %m", p);
1339 } else if (r != -ENOENT) {
1340 log_error_errno(errno, "readlink(%s) failed: %m", p);
1344 if (arg_link_journal == LINK_GUEST) {
1346 if (symlink(q, p) < 0) {
1347 if (arg_link_journal_try) {
1348 log_debug_errno(errno, "Failed to symlink %s to %s, skipping journal setup: %m", q, p);
1351 log_error_errno(errno, "Failed to symlink %s to %s: %m", q, p);
1356 r = mkdir_p(q, 0755);
1358 log_warning_errno(errno, "Failed to create directory %s: %m", q);
1362 if (arg_link_journal == LINK_HOST) {
1363 /* don't create parents here -- if the host doesn't have
1364 * permanent journal set up, don't force it here */
1367 if (arg_link_journal_try) {
1368 log_debug_errno(errno, "Failed to create %s, skipping journal setup: %m", p);
1371 log_error_errno(errno, "Failed to create %s: %m", p);
1376 } else if (access(p, F_OK) < 0)
1379 if (dir_is_empty(q) == 0)
1380 log_warning("%s is not empty, proceeding anyway.", q);
1382 r = mkdir_p(q, 0755);
1384 log_error_errno(errno, "Failed to create %s: %m", q);
1388 if (mount(p, q, "bind", MS_BIND, NULL) < 0)
1389 return log_error_errno(errno, "Failed to bind mount journal from host into guest: %m");
1394 static int drop_capabilities(void) {
1395 return capability_bounding_set_drop(~arg_retain, false);
1398 static int register_machine(pid_t pid, int local_ifindex) {
1399 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1400 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1406 r = sd_bus_default_system(&bus);
1408 return log_error_errno(r, "Failed to open system bus: %m");
1410 if (arg_keep_unit) {
1411 r = sd_bus_call_method(
1413 "org.freedesktop.machine1",
1414 "/org/freedesktop/machine1",
1415 "org.freedesktop.machine1.Manager",
1416 "RegisterMachineWithNetwork",
1421 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1425 strempty(arg_directory),
1426 local_ifindex > 0 ? 1 : 0, local_ifindex);
1428 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1430 r = sd_bus_message_new_method_call(
1433 "org.freedesktop.machine1",
1434 "/org/freedesktop/machine1",
1435 "org.freedesktop.machine1.Manager",
1436 "CreateMachineWithNetwork");
1438 return log_error_errno(r, "Failed to create message: %m");
1440 r = sd_bus_message_append(
1444 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1448 strempty(arg_directory),
1449 local_ifindex > 0 ? 1 : 0, local_ifindex);
1451 return log_error_errno(r, "Failed to append message arguments: %m");
1453 r = sd_bus_message_open_container(m, 'a', "(sv)");
1455 return log_error_errno(r, "Failed to open container: %m");
1457 if (!isempty(arg_slice)) {
1458 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
1460 return log_error_errno(r, "Failed to append slice: %m");
1463 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
1465 return log_error_errno(r, "Failed to add device policy: %m");
1467 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9,
1468 /* Allow the container to
1469 * access and create the API
1470 * device nodes, so that
1471 * PrivateDevices= in the
1472 * container can work
1477 "/dev/random", "rwm",
1478 "/dev/urandom", "rwm",
1480 "/dev/net/tun", "rwm",
1481 /* Allow the container
1482 * access to ptys. However,
1484 * container to ever create
1485 * these device nodes. */
1486 "/dev/pts/ptmx", "rw",
1489 return log_error_errno(r, "Failed to add device whitelist: %m");
1491 r = sd_bus_message_close_container(m);
1493 return log_error_errno(r, "Failed to close container: %m");
1495 r = sd_bus_call(bus, m, 0, &error, NULL);
1499 log_error("Failed to register machine: %s", bus_error_message(&error, r));
1506 static int terminate_machine(pid_t pid) {
1507 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1508 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
1509 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1516 r = sd_bus_default_system(&bus);
1518 return log_error_errno(r, "Failed to open system bus: %m");
1520 r = sd_bus_call_method(
1522 "org.freedesktop.machine1",
1523 "/org/freedesktop/machine1",
1524 "org.freedesktop.machine1.Manager",
1531 /* Note that the machine might already have been
1532 * cleaned up automatically, hence don't consider it a
1533 * failure if we cannot get the machine object. */
1534 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
1538 r = sd_bus_message_read(reply, "o", &path);
1540 return bus_log_parse_error(r);
1542 r = sd_bus_call_method(
1544 "org.freedesktop.machine1",
1546 "org.freedesktop.machine1.Machine",
1552 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
1559 static int reset_audit_loginuid(void) {
1560 _cleanup_free_ char *p = NULL;
1563 if (arg_share_system)
1566 r = read_one_line_file("/proc/self/loginuid", &p);
1570 return log_error_errno(r, "Failed to read /proc/self/loginuid: %m");
1572 /* Already reset? */
1573 if (streq(p, "4294967295"))
1576 r = write_string_file("/proc/self/loginuid", "4294967295");
1578 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
1579 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1580 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1581 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1582 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
1590 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
1591 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
1593 static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key) {
1600 l = strlen(arg_machine);
1601 sz = sizeof(sd_id128_t) + l;
1604 /* fetch some persistent data unique to the host */
1605 r = sd_id128_get_machine((sd_id128_t*) v);
1609 /* combine with some data unique (on this host) to this
1610 * container instance */
1611 memcpy(v + sizeof(sd_id128_t), arg_machine, l);
1613 /* Let's hash the host machine ID plus the container name. We
1614 * use a fixed, but originally randomly created hash key here. */
1615 siphash24(result, v, sz, hash_key.bytes);
1617 assert_cc(ETH_ALEN <= sizeof(result));
1618 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
1620 /* see eth_random_addr in the kernel */
1621 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
1622 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
1627 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
1628 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1629 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1630 struct ether_addr mac_host, mac_container;
1633 if (!arg_private_network)
1636 if (!arg_network_veth)
1639 /* Use two different interface name prefixes depending whether
1640 * we are in bridge mode or not. */
1641 snprintf(iface_name, IFNAMSIZ - 1, "%s-%s",
1642 arg_network_bridge ? "vb" : "ve", arg_machine);
1644 r = generate_mac(&mac_container, CONTAINER_HASH_KEY);
1646 log_error("Failed to generate predictable MAC address for container side");
1650 r = generate_mac(&mac_host, HOST_HASH_KEY);
1652 log_error("Failed to generate predictable MAC address for host side");
1656 r = sd_rtnl_open(&rtnl, 0);
1658 return log_error_errno(r, "Failed to connect to netlink: %m");
1660 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1662 return log_error_errno(r, "Failed to allocate netlink message: %m");
1664 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
1666 return log_error_errno(r, "Failed to add netlink interface name: %m");
1668 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_host);
1670 return log_error_errno(r, "Failed to add netlink MAC address: %m");
1672 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1674 return log_error_errno(r, "Failed to open netlink container: %m");
1676 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
1678 return log_error_errno(r, "Failed to open netlink container: %m");
1680 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
1682 return log_error_errno(r, "Failed to open netlink container: %m");
1684 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
1686 return log_error_errno(r, "Failed to add netlink interface name: %m");
1688 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_container);
1690 return log_error_errno(r, "Failed to add netlink MAC address: %m");
1692 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1694 return log_error_errno(r, "Failed to add netlink namespace field: %m");
1696 r = sd_rtnl_message_close_container(m);
1698 return log_error_errno(r, "Failed to close netlink container: %m");
1700 r = sd_rtnl_message_close_container(m);
1702 return log_error_errno(r, "Failed to close netlink container: %m");
1704 r = sd_rtnl_message_close_container(m);
1706 return log_error_errno(r, "Failed to close netlink container: %m");
1708 r = sd_rtnl_call(rtnl, m, 0, NULL);
1710 return log_error_errno(r, "Failed to add new veth interfaces: %m");
1712 i = (int) if_nametoindex(iface_name);
1714 return log_error_errno(errno, "Failed to resolve interface %s: %m", iface_name);
1721 static int setup_bridge(const char veth_name[], int *ifi) {
1722 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1723 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1726 if (!arg_private_network)
1729 if (!arg_network_veth)
1732 if (!arg_network_bridge)
1735 bridge = (int) if_nametoindex(arg_network_bridge);
1737 return log_error_errno(errno, "Failed to resolve interface %s: %m", arg_network_bridge);
1741 r = sd_rtnl_open(&rtnl, 0);
1743 return log_error_errno(r, "Failed to connect to netlink: %m");
1745 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
1747 return log_error_errno(r, "Failed to allocate netlink message: %m");
1749 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
1751 return log_error_errno(r, "Failed to set IFF_UP flag: %m");
1753 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
1755 return log_error_errno(r, "Failed to add netlink interface name field: %m");
1757 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
1759 return log_error_errno(r, "Failed to add netlink master field: %m");
1761 r = sd_rtnl_call(rtnl, m, 0, NULL);
1763 return log_error_errno(r, "Failed to add veth interface to bridge: %m");
1768 static int parse_interface(struct udev *udev, const char *name) {
1769 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1770 char ifi_str[2 + DECIMAL_STR_MAX(int)];
1773 ifi = (int) if_nametoindex(name);
1775 return log_error_errno(errno, "Failed to resolve interface %s: %m", name);
1777 sprintf(ifi_str, "n%i", ifi);
1778 d = udev_device_new_from_device_id(udev, ifi_str);
1780 return log_error_errno(errno, "Failed to get udev device for interface %s: %m", name);
1782 if (udev_device_get_is_initialized(d) <= 0) {
1783 log_error("Network interface %s is not initialized yet.", name);
1790 static int move_network_interfaces(pid_t pid) {
1791 _cleanup_udev_unref_ struct udev *udev = NULL;
1792 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1796 if (!arg_private_network)
1799 if (strv_isempty(arg_network_interfaces))
1802 r = sd_rtnl_open(&rtnl, 0);
1804 return log_error_errno(r, "Failed to connect to netlink: %m");
1808 log_error("Failed to connect to udev.");
1812 STRV_FOREACH(i, arg_network_interfaces) {
1813 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1816 ifi = parse_interface(udev, *i);
1820 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, ifi);
1822 return log_error_errno(r, "Failed to allocate netlink message: %m");
1824 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1826 return log_error_errno(r, "Failed to append namespace PID to netlink message: %m");
1828 r = sd_rtnl_call(rtnl, m, 0, NULL);
1830 return log_error_errno(r, "Failed to move interface %s to namespace: %m", *i);
1836 static int setup_macvlan(pid_t pid) {
1837 _cleanup_udev_unref_ struct udev *udev = NULL;
1838 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1842 if (!arg_private_network)
1845 if (strv_isempty(arg_network_macvlan))
1848 r = sd_rtnl_open(&rtnl, 0);
1850 return log_error_errno(r, "Failed to connect to netlink: %m");
1854 log_error("Failed to connect to udev.");
1858 STRV_FOREACH(i, arg_network_macvlan) {
1859 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1860 _cleanup_free_ char *n = NULL;
1863 ifi = parse_interface(udev, *i);
1867 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1869 return log_error_errno(r, "Failed to allocate netlink message: %m");
1871 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
1873 return log_error_errno(r, "Failed to add netlink interface index: %m");
1875 n = strappend("mv-", *i);
1879 strshorten(n, IFNAMSIZ-1);
1881 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
1883 return log_error_errno(r, "Failed to add netlink interface name: %m");
1885 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1887 return log_error_errno(r, "Failed to add netlink namespace field: %m");
1889 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1891 return log_error_errno(r, "Failed to open netlink container: %m");
1893 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
1895 return log_error_errno(r, "Failed to open netlink container: %m");
1897 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
1899 return log_error_errno(r, "Failed to append macvlan mode: %m");
1901 r = sd_rtnl_message_close_container(m);
1903 return log_error_errno(r, "Failed to close netlink container: %m");
1905 r = sd_rtnl_message_close_container(m);
1907 return log_error_errno(r, "Failed to close netlink container: %m");
1909 r = sd_rtnl_call(rtnl, m, 0, NULL);
1911 return log_error_errno(r, "Failed to add new macvlan interfaces: %m");
1917 static int setup_seccomp(void) {
1920 static const int blacklist[] = {
1921 SCMP_SYS(kexec_load),
1922 SCMP_SYS(open_by_handle_at),
1923 SCMP_SYS(init_module),
1924 SCMP_SYS(finit_module),
1925 SCMP_SYS(delete_module),
1932 scmp_filter_ctx seccomp;
1936 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1940 r = seccomp_add_secondary_archs(seccomp);
1942 log_error_errno(r, "Failed to add secondary archs to seccomp filter: %m");
1946 for (i = 0; i < ELEMENTSOF(blacklist); i++) {
1947 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
1949 continue; /* unknown syscall */
1951 log_error_errno(r, "Failed to block syscall: %m");
1957 Audit is broken in containers, much of the userspace audit
1958 hookup will fail if running inside a container. We don't
1959 care and just turn off creation of audit sockets.
1961 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
1962 with EAFNOSUPPORT which audit userspace uses as indication
1963 that audit is disabled in the kernel.
1966 r = seccomp_rule_add(
1968 SCMP_ACT_ERRNO(EAFNOSUPPORT),
1971 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
1972 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
1974 log_error_errno(r, "Failed to add audit seccomp rule: %m");
1978 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1980 log_error_errno(r, "Failed to unset NO_NEW_PRIVS: %m");
1984 r = seccomp_load(seccomp);
1986 log_error_errno(r, "Failed to install seccomp audit filter: %m");
1989 seccomp_release(seccomp);
1997 static int setup_image(char **device_path, int *loop_nr) {
1998 struct loop_info64 info = {
1999 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
2001 _cleanup_close_ int fd = -1, control = -1, loop = -1;
2002 _cleanup_free_ char* loopdev = NULL;
2006 assert(device_path);
2009 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2011 return log_error_errno(errno, "Failed to open %s: %m", arg_image);
2013 if (fstat(fd, &st) < 0)
2014 return log_error_errno(errno, "Failed to stat %s: %m", arg_image);
2016 if (S_ISBLK(st.st_mode)) {
2019 p = strdup(arg_image);
2033 if (!S_ISREG(st.st_mode)) {
2034 log_error_errno(errno, "%s is not a regular file or block device: %m", arg_image);
2038 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2040 return log_error_errno(errno, "Failed to open /dev/loop-control: %m");
2042 nr = ioctl(control, LOOP_CTL_GET_FREE);
2044 return log_error_errno(errno, "Failed to allocate loop device: %m");
2046 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
2049 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2051 return log_error_errno(errno, "Failed to open loop device %s: %m", loopdev);
2053 if (ioctl(loop, LOOP_SET_FD, fd) < 0)
2054 return log_error_errno(errno, "Failed to set loopback file descriptor on %s: %m", loopdev);
2057 info.lo_flags |= LO_FLAGS_READ_ONLY;
2059 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0)
2060 return log_error_errno(errno, "Failed to set loopback settings on %s: %m", loopdev);
2062 *device_path = loopdev;
2073 static int dissect_image(
2075 char **root_device, bool *root_device_rw,
2076 char **home_device, bool *home_device_rw,
2077 char **srv_device, bool *srv_device_rw,
2081 int home_nr = -1, srv_nr = -1;
2082 #ifdef GPT_ROOT_NATIVE
2085 #ifdef GPT_ROOT_SECONDARY
2086 int secondary_root_nr = -1;
2089 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL;
2090 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
2091 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2092 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2093 _cleanup_udev_unref_ struct udev *udev = NULL;
2094 struct udev_list_entry *first, *item;
2095 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true;
2096 const char *pttype = NULL;
2102 assert(root_device);
2103 assert(home_device);
2107 b = blkid_new_probe();
2112 r = blkid_probe_set_device(b, fd, 0, 0);
2117 log_error_errno(errno, "Failed to set device on blkid probe: %m");
2121 blkid_probe_enable_partitions(b, 1);
2122 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
2125 r = blkid_do_safeprobe(b);
2126 if (r == -2 || r == 1) {
2127 log_error("Failed to identify any partition table on %s.\n"
2128 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2130 } else if (r != 0) {
2133 log_error_errno(errno, "Failed to probe: %m");
2137 blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
2138 if (!streq_ptr(pttype, "gpt")) {
2139 log_error("Image %s does not carry a GUID Partition Table.\n"
2140 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2145 pl = blkid_probe_get_partitions(b);
2150 log_error("Failed to list partitions of %s", arg_image);
2158 if (fstat(fd, &st) < 0)
2159 return log_error_errno(errno, "Failed to stat block device: %m");
2161 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2165 e = udev_enumerate_new(udev);
2169 r = udev_enumerate_add_match_parent(e, d);
2173 r = udev_enumerate_scan_devices(e);
2175 return log_error_errno(r, "Failed to scan for partition devices of %s: %m", arg_image);
2177 first = udev_enumerate_get_list_entry(e);
2178 udev_list_entry_foreach(item, first) {
2179 _cleanup_udev_device_unref_ struct udev_device *q;
2180 const char *stype, *node;
2181 unsigned long long flags;
2188 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2193 log_error_errno(errno, "Failed to get partition device of %s: %m", arg_image);
2197 qn = udev_device_get_devnum(q);
2201 if (st.st_rdev == qn)
2204 node = udev_device_get_devnode(q);
2208 pp = blkid_partlist_devno_to_partition(pl, qn);
2212 flags = blkid_partition_get_flags(pp);
2213 if (flags & GPT_FLAG_NO_AUTO)
2216 nr = blkid_partition_get_partno(pp);
2220 stype = blkid_partition_get_type_string(pp);
2224 if (sd_id128_from_string(stype, &type_id) < 0)
2227 if (sd_id128_equal(type_id, GPT_HOME)) {
2229 if (home && nr >= home_nr)
2233 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2236 home = strdup(node);
2239 } else if (sd_id128_equal(type_id, GPT_SRV)) {
2241 if (srv && nr >= srv_nr)
2245 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
2252 #ifdef GPT_ROOT_NATIVE
2253 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
2255 if (root && nr >= root_nr)
2259 root_rw = !(flags & GPT_FLAG_READ_ONLY);
2262 root = strdup(node);
2267 #ifdef GPT_ROOT_SECONDARY
2268 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
2270 if (secondary_root && nr >= secondary_root_nr)
2273 secondary_root_nr = nr;
2274 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
2277 free(secondary_root);
2278 secondary_root = strdup(node);
2279 if (!secondary_root)
2285 if (!root && !secondary_root) {
2286 log_error("Failed to identify root partition in disk image %s.\n"
2287 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2292 *root_device = root;
2295 *root_device_rw = root_rw;
2297 } else if (secondary_root) {
2298 *root_device = secondary_root;
2299 secondary_root = NULL;
2301 *root_device_rw = secondary_root_rw;
2306 *home_device = home;
2309 *home_device_rw = home_rw;
2316 *srv_device_rw = srv_rw;
2321 log_error("--image= is not supported, compiled without blkid support.");
2326 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
2328 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2329 const char *fstype, *p;
2339 p = strappenda(where, directory);
2344 b = blkid_new_probe_from_filename(what);
2348 log_error_errno(errno, "Failed to allocate prober for %s: %m", what);
2352 blkid_probe_enable_superblocks(b, 1);
2353 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
2356 r = blkid_do_safeprobe(b);
2357 if (r == -1 || r == 1) {
2358 log_error("Cannot determine file system type of %s", what);
2360 } else if (r != 0) {
2363 log_error_errno(errno, "Failed to probe %s: %m", what);
2368 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
2371 log_error("Failed to determine file system type of %s", what);
2375 if (streq(fstype, "crypto_LUKS")) {
2376 log_error("nspawn currently does not support LUKS disk images.");
2380 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0)
2381 return log_error_errno(errno, "Failed to mount %s: %m", what);
2385 log_error("--image= is not supported, compiled without blkid support.");
2390 static int mount_devices(
2392 const char *root_device, bool root_device_rw,
2393 const char *home_device, bool home_device_rw,
2394 const char *srv_device, bool srv_device_rw) {
2400 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
2402 return log_error_errno(r, "Failed to mount root directory: %m");
2406 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
2408 return log_error_errno(r, "Failed to mount home directory: %m");
2412 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
2414 return log_error_errno(r, "Failed to mount server data directory: %m");
2420 static void loop_remove(int nr, int *image_fd) {
2421 _cleanup_close_ int control = -1;
2427 if (image_fd && *image_fd >= 0) {
2428 r = ioctl(*image_fd, LOOP_CLR_FD);
2430 log_warning_errno(errno, "Failed to close loop image: %m");
2431 *image_fd = safe_close(*image_fd);
2434 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2436 log_warning_errno(errno, "Failed to open /dev/loop-control: %m");
2440 r = ioctl(control, LOOP_CTL_REMOVE, nr);
2442 log_warning_errno(errno, "Failed to remove loop %d: %m", nr);
2445 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
2453 if (pipe2(pipe_fds, O_CLOEXEC) < 0)
2454 return log_error_errno(errno, "Failed to allocate pipe: %m");
2458 return log_error_errno(errno, "Failed to fork getent child: %m");
2459 else if (pid == 0) {
2461 char *empty_env = NULL;
2463 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
2464 _exit(EXIT_FAILURE);
2466 if (pipe_fds[0] > 2)
2467 safe_close(pipe_fds[0]);
2468 if (pipe_fds[1] > 2)
2469 safe_close(pipe_fds[1]);
2471 nullfd = open("/dev/null", O_RDWR);
2473 _exit(EXIT_FAILURE);
2475 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
2476 _exit(EXIT_FAILURE);
2478 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
2479 _exit(EXIT_FAILURE);
2484 reset_all_signal_handlers();
2485 close_all_fds(NULL, 0);
2487 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
2488 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
2489 _exit(EXIT_FAILURE);
2492 pipe_fds[1] = safe_close(pipe_fds[1]);
2499 static int change_uid_gid(char **_home) {
2500 char line[LINE_MAX], *x, *u, *g, *h;
2501 const char *word, *state;
2502 _cleanup_free_ uid_t *uids = NULL;
2503 _cleanup_free_ char *home = NULL;
2504 _cleanup_fclose_ FILE *f = NULL;
2505 _cleanup_close_ int fd = -1;
2506 unsigned n_uids = 0;
2515 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
2516 /* Reset everything fully to 0, just in case */
2518 if (setgroups(0, NULL) < 0)
2519 return log_error_errno(errno, "setgroups() failed: %m");
2521 if (setresgid(0, 0, 0) < 0)
2522 return log_error_errno(errno, "setregid() failed: %m");
2524 if (setresuid(0, 0, 0) < 0)
2525 return log_error_errno(errno, "setreuid() failed: %m");
2531 /* First, get user credentials */
2532 fd = spawn_getent("passwd", arg_user, &pid);
2536 f = fdopen(fd, "r");
2541 if (!fgets(line, sizeof(line), f)) {
2544 log_error("Failed to resolve user %s.", arg_user);
2548 log_error_errno(errno, "Failed to read from getent: %m");
2554 wait_for_terminate_and_warn("getent passwd", pid, true);
2556 x = strchr(line, ':');
2558 log_error("/etc/passwd entry has invalid user field.");
2562 u = strchr(x+1, ':');
2564 log_error("/etc/passwd entry has invalid password field.");
2571 log_error("/etc/passwd entry has invalid UID field.");
2579 log_error("/etc/passwd entry has invalid GID field.");
2584 h = strchr(x+1, ':');
2586 log_error("/etc/passwd entry has invalid GECOS field.");
2593 log_error("/etc/passwd entry has invalid home directory field.");
2599 r = parse_uid(u, &uid);
2601 log_error("Failed to parse UID of user.");
2605 r = parse_gid(g, &gid);
2607 log_error("Failed to parse GID of user.");
2615 /* Second, get group memberships */
2616 fd = spawn_getent("initgroups", arg_user, &pid);
2621 f = fdopen(fd, "r");
2626 if (!fgets(line, sizeof(line), f)) {
2628 log_error("Failed to resolve user %s.", arg_user);
2632 log_error_errno(errno, "Failed to read from getent: %m");
2638 wait_for_terminate_and_warn("getent initgroups", pid, true);
2640 /* Skip over the username and subsequent separator whitespace */
2642 x += strcspn(x, WHITESPACE);
2643 x += strspn(x, WHITESPACE);
2645 FOREACH_WORD(word, l, x, state) {
2651 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
2654 r = parse_uid(c, &uids[n_uids++]);
2656 log_error("Failed to parse group data from getent.");
2661 r = mkdir_parents(home, 0775);
2663 return log_error_errno(r, "Failed to make home root directory: %m");
2665 r = mkdir_safe(home, 0755, uid, gid);
2666 if (r < 0 && r != -EEXIST)
2667 return log_error_errno(r, "Failed to make home directory: %m");
2669 fchown(STDIN_FILENO, uid, gid);
2670 fchown(STDOUT_FILENO, uid, gid);
2671 fchown(STDERR_FILENO, uid, gid);
2673 if (setgroups(n_uids, uids) < 0)
2674 return log_error_errno(errno, "Failed to set auxiliary groups: %m");
2676 if (setresgid(gid, gid, gid) < 0)
2677 return log_error_errno(errno, "setregid() failed: %m");
2679 if (setresuid(uid, uid, uid) < 0)
2680 return log_error_errno(errno, "setreuid() failed: %m");
2692 * < 0 : wait_for_terminate() failed to get the state of the
2693 * container, the container was terminated by a signal, or
2694 * failed for an unknown reason. No change is made to the
2695 * container argument.
2696 * > 0 : The program executed in the container terminated with an
2697 * error. The exit code of the program executed in the
2698 * container is returned. The container argument has been set
2699 * to CONTAINER_TERMINATED.
2700 * 0 : The container is being rebooted, has been shut down or exited
2701 * successfully. The container argument has been set to either
2702 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2704 * That is, success is indicated by a return value of zero, and an
2705 * error is indicated by a non-zero value.
2707 static int wait_for_container(pid_t pid, ContainerStatus *container) {
2711 r = wait_for_terminate(pid, &status);
2713 return log_warning_errno(r, "Failed to wait for container: %m");
2715 switch (status.si_code) {
2718 if (status.si_status == 0) {
2719 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s exited successfully.", arg_machine);
2722 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s failed with error code %i.", arg_machine, status.si_status);
2724 *container = CONTAINER_TERMINATED;
2725 return status.si_status;
2728 if (status.si_status == SIGINT) {
2730 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s has been shut down.", arg_machine);
2731 *container = CONTAINER_TERMINATED;
2734 } else if (status.si_status == SIGHUP) {
2736 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s is being rebooted.", arg_machine);
2737 *container = CONTAINER_REBOOTED;
2741 /* CLD_KILLED fallthrough */
2744 log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
2748 log_error("Container %s failed due to unknown reason.", arg_machine);
2755 static void nop_handler(int sig) {}
2757 static int on_orderly_shutdown(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) {
2760 pid = PTR_TO_UINT32(userdata);
2762 if (kill(pid, SIGRTMIN+3) >= 0) {
2763 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
2764 sd_event_source_set_userdata(s, NULL);
2769 sd_event_exit(sd_event_source_get_event(s), 0);
2773 int main(int argc, char *argv[]) {
2775 _cleanup_free_ char *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
2776 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
2777 _cleanup_close_ int master = -1, image_fd = -1;
2778 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 };
2779 _cleanup_fdset_free_ FDSet *fds = NULL;
2780 int r = EXIT_FAILURE, k, n_fd_passed, loop_nr = -1;
2781 const char *console = NULL;
2782 char veth_name[IFNAMSIZ];
2783 bool secondary = false;
2784 sigset_t mask, mask_chld;
2787 log_parse_environment();
2790 k = parse_argv(argc, argv);
2799 if (arg_directory) {
2802 p = path_make_absolute_cwd(arg_directory);
2803 free(arg_directory);
2806 arg_directory = get_current_dir_name();
2808 if (!arg_directory) {
2809 log_error("Failed to determine path, please use -D.");
2812 path_kill_slashes(arg_directory);
2816 arg_machine = strdup(basename(arg_image ? arg_image : arg_directory));
2822 hostname_cleanup(arg_machine, false);
2823 if (isempty(arg_machine)) {
2824 log_error("Failed to determine machine name automatically, please use -M.");
2829 if (geteuid() != 0) {
2830 log_error("Need to be root.");
2834 if (sd_booted() <= 0) {
2835 log_error("Not running on a systemd system.");
2840 n_fd_passed = sd_listen_fds(false);
2841 if (n_fd_passed > 0) {
2842 k = fdset_new_listen_fds(&fds, false);
2844 log_error_errno(k, "Failed to collect file descriptors: %m");
2848 fdset_close_others(fds);
2851 if (arg_directory) {
2852 if (path_equal(arg_directory, "/")) {
2853 log_error("Spawning container on root directory not supported.");
2858 if (path_is_os_tree(arg_directory) <= 0) {
2859 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory);
2865 p = strappenda(arg_directory,
2866 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
2867 if (access(p, F_OK) < 0) {
2868 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
2874 char template[] = "/tmp/nspawn-root-XXXXXX";
2876 if (!mkdtemp(template)) {
2877 log_error_errno(errno, "Failed to create temporary directory: %m");
2882 arg_directory = strdup(template);
2883 if (!arg_directory) {
2888 image_fd = setup_image(&device_path, &loop_nr);
2894 r = dissect_image(image_fd,
2895 &root_device, &root_device_rw,
2896 &home_device, &home_device_rw,
2897 &srv_device, &srv_device_rw,
2903 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
2905 log_error_errno(errno, "Failed to acquire pseudo tty: %m");
2909 console = ptsname(master);
2911 log_error_errno(errno, "Failed to determine tty name: %m");
2916 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
2917 arg_machine, arg_image ? arg_image : arg_directory);
2919 if (unlockpt(master) < 0) {
2920 log_error_errno(errno, "Failed to unlock tty: %m");
2924 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
2925 log_error_errno(errno, "Failed to create kmsg socket pair: %m");
2931 "STATUS=Container running.");
2933 assert_se(sigemptyset(&mask) == 0);
2934 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
2935 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
2937 assert_se(sigemptyset(&mask_chld) == 0);
2938 assert_se(sigaddset(&mask_chld, SIGCHLD) == 0);
2941 ContainerStatus container_status;
2942 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
2943 struct sigaction sa = {
2944 .sa_handler = nop_handler,
2945 .sa_flags = SA_NOCLDSTOP,
2948 r = barrier_create(&barrier);
2950 log_error_errno(r, "Cannot initialize IPC barrier: %m");
2954 /* Child can be killed before execv(), so handle SIGCHLD
2955 * in order to interrupt parent's blocking calls and
2956 * give it a chance to call wait() and terminate. */
2957 r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL);
2959 log_error_errno(errno, "Failed to change the signal mask: %m");
2963 r = sigaction(SIGCHLD, &sa, NULL);
2965 log_error_errno(errno, "Failed to install SIGCHLD handler: %m");
2969 pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWNS|
2970 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
2971 (arg_private_network ? CLONE_NEWNET : 0), NULL);
2973 if (errno == EINVAL)
2974 log_error_errno(errno, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
2976 log_error_errno(errno, "clone() failed: %m");
2984 _cleanup_free_ char *home = NULL;
2986 const char *envp[] = {
2987 "PATH=" DEFAULT_PATH_SPLIT_USR,
2988 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
2993 NULL, /* container_uuid */
2994 NULL, /* LISTEN_FDS */
2995 NULL, /* LISTEN_PID */
3000 barrier_set_role(&barrier, BARRIER_CHILD);
3002 envp[n_env] = strv_find_prefix(environ, "TERM=");
3006 master = safe_close(master);
3008 close_nointr(STDIN_FILENO);
3009 close_nointr(STDOUT_FILENO);
3010 close_nointr(STDERR_FILENO);
3012 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
3014 reset_all_signal_handlers();
3015 reset_signal_mask();
3017 k = open_terminal(console, O_RDWR);
3018 if (k != STDIN_FILENO) {
3024 log_error_errno(k, "Failed to open console: %m");
3025 _exit(EXIT_FAILURE);
3028 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
3029 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
3030 log_error_errno(errno, "Failed to duplicate console: %m");
3031 _exit(EXIT_FAILURE);
3035 log_error_errno(errno, "setsid() failed: %m");
3036 _exit(EXIT_FAILURE);
3039 if (reset_audit_loginuid() < 0)
3040 _exit(EXIT_FAILURE);
3042 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
3043 log_error_errno(errno, "PR_SET_PDEATHSIG failed: %m");
3044 _exit(EXIT_FAILURE);
3047 /* Mark everything as slave, so that we still
3048 * receive mounts from the real root, but don't
3049 * propagate mounts to the real root. */
3050 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
3051 log_error_errno(errno, "MS_SLAVE|MS_REC failed: %m");
3052 _exit(EXIT_FAILURE);
3055 if (mount_devices(arg_directory,
3056 root_device, root_device_rw,
3057 home_device, home_device_rw,
3058 srv_device, srv_device_rw) < 0)
3059 _exit(EXIT_FAILURE);
3061 /* Turn directory into bind mount */
3062 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
3063 log_error_errno(errno, "Failed to make bind mount: %m");
3064 _exit(EXIT_FAILURE);
3067 r = setup_volatile(arg_directory);
3069 _exit(EXIT_FAILURE);
3071 if (setup_volatile_state(arg_directory) < 0)
3072 _exit(EXIT_FAILURE);
3074 r = base_filesystem_create(arg_directory);
3076 _exit(EXIT_FAILURE);
3078 if (arg_read_only) {
3079 k = bind_remount_recursive(arg_directory, true);
3081 log_error_errno(k, "Failed to make tree read-only: %m");
3082 _exit(EXIT_FAILURE);
3086 if (mount_all(arg_directory) < 0)
3087 _exit(EXIT_FAILURE);
3089 if (copy_devnodes(arg_directory) < 0)
3090 _exit(EXIT_FAILURE);
3092 if (setup_ptmx(arg_directory) < 0)
3093 _exit(EXIT_FAILURE);
3095 dev_setup(arg_directory);
3097 if (setup_seccomp() < 0)
3098 _exit(EXIT_FAILURE);
3100 if (setup_dev_console(arg_directory, console) < 0)
3101 _exit(EXIT_FAILURE);
3103 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
3104 _exit(EXIT_FAILURE);
3106 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
3108 if (setup_boot_id(arg_directory) < 0)
3109 _exit(EXIT_FAILURE);
3111 if (setup_timezone(arg_directory) < 0)
3112 _exit(EXIT_FAILURE);
3114 if (setup_resolv_conf(arg_directory) < 0)
3115 _exit(EXIT_FAILURE);
3117 if (setup_journal(arg_directory) < 0)
3118 _exit(EXIT_FAILURE);
3120 if (mount_binds(arg_directory, arg_bind, false) < 0)
3121 _exit(EXIT_FAILURE);
3123 if (mount_binds(arg_directory, arg_bind_ro, true) < 0)
3124 _exit(EXIT_FAILURE);
3126 if (mount_tmpfs(arg_directory) < 0)
3127 _exit(EXIT_FAILURE);
3129 /* Tell the parent that we are ready, and that
3130 * it can cgroupify us to that we lack access
3131 * to certain devices and resources. */
3132 (void)barrier_place(&barrier);
3134 if (chdir(arg_directory) < 0) {
3135 log_error_errno(errno, "chdir(%s) failed: %m", arg_directory);
3136 _exit(EXIT_FAILURE);
3139 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
3140 log_error_errno(errno, "mount(MS_MOVE) failed: %m");
3141 _exit(EXIT_FAILURE);
3144 if (chroot(".") < 0) {
3145 log_error_errno(errno, "chroot() failed: %m");
3146 _exit(EXIT_FAILURE);
3149 if (chdir("/") < 0) {
3150 log_error_errno(errno, "chdir() failed: %m");
3151 _exit(EXIT_FAILURE);
3156 if (arg_private_network)
3159 if (drop_capabilities() < 0) {
3160 log_error_errno(errno, "drop_capabilities() failed: %m");
3161 _exit(EXIT_FAILURE);
3164 r = change_uid_gid(&home);
3166 _exit(EXIT_FAILURE);
3168 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
3169 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
3170 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
3172 _exit(EXIT_FAILURE);
3175 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
3178 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
3180 _exit(EXIT_FAILURE);
3184 if (fdset_size(fds) > 0) {
3185 k = fdset_cloexec(fds, false);
3187 log_error("Failed to unset O_CLOEXEC for file descriptors.");
3188 _exit(EXIT_FAILURE);
3191 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
3192 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
3194 _exit(EXIT_FAILURE);
3200 if (arg_personality != 0xffffffffLU) {
3201 if (personality(arg_personality) < 0) {
3202 log_error_errno(errno, "personality() failed: %m");
3203 _exit(EXIT_FAILURE);
3205 } else if (secondary) {
3206 if (personality(PER_LINUX32) < 0) {
3207 log_error_errno(errno, "personality() failed: %m");
3208 _exit(EXIT_FAILURE);
3213 if (arg_selinux_context)
3214 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
3215 log_error_errno(errno, "setexeccon(\"%s\") failed: %m", arg_selinux_context);
3216 _exit(EXIT_FAILURE);
3220 if (!strv_isempty(arg_setenv)) {
3223 n = strv_env_merge(2, envp, arg_setenv);
3226 _exit(EXIT_FAILURE);
3231 env_use = (char**) envp;
3233 /* Wait until the parent is ready with the setup, too... */
3234 if (!barrier_place_and_sync(&barrier))
3235 _exit(EXIT_FAILURE);
3241 /* Automatically search for the init system */
3243 l = 1 + argc - optind;
3244 a = newa(char*, l + 1);
3245 memcpy(a + 1, argv + optind, l * sizeof(char*));
3247 a[0] = (char*) "/usr/lib/systemd/systemd";
3248 execve(a[0], a, env_use);
3250 a[0] = (char*) "/lib/systemd/systemd";
3251 execve(a[0], a, env_use);
3253 a[0] = (char*) "/sbin/init";
3254 execve(a[0], a, env_use);
3255 } else if (argc > optind)
3256 execvpe(argv[optind], argv + optind, env_use);
3258 chdir(home ? home : "/root");
3259 execle("/bin/bash", "-bash", NULL, env_use);
3260 execle("/bin/sh", "-sh", NULL, env_use);
3263 log_error_errno(errno, "execv() failed: %m");
3264 _exit(EXIT_FAILURE);
3267 barrier_set_role(&barrier, BARRIER_PARENT);
3271 /* wait for child-setup to be done */
3272 if (barrier_place_and_sync(&barrier)) {
3273 _cleanup_event_unref_ sd_event *event = NULL;
3274 _cleanup_(pty_forward_freep) PTYForward *forward = NULL;
3277 r = move_network_interfaces(pid);
3281 r = setup_veth(pid, veth_name, &ifi);
3285 r = setup_bridge(veth_name, &ifi);
3289 r = setup_macvlan(pid);
3293 r = register_machine(pid, ifi);
3297 /* Block SIGCHLD here, before notifying child.
3298 * process_pty() will handle it with the other signals. */
3299 r = sigprocmask(SIG_BLOCK, &mask_chld, NULL);
3303 /* Reset signal to default */
3304 r = default_signals(SIGCHLD, -1);
3308 /* Notify the child that the parent is ready with all
3309 * its setup, and that the child can now hand over
3310 * control to the code to run inside the container. */
3311 (void)barrier_place(&barrier);
3313 r = sd_event_new(&event);
3315 log_error_errno(r, "Failed to get default event source: %m");
3320 /* Try to kill the init system on SIGINT or SIGTERM */
3321 sd_event_add_signal(event, NULL, SIGINT, on_orderly_shutdown, UINT32_TO_PTR(pid));
3322 sd_event_add_signal(event, NULL, SIGTERM, on_orderly_shutdown, UINT32_TO_PTR(pid));
3324 /* Immediately exit */
3325 sd_event_add_signal(event, NULL, SIGINT, NULL, NULL);
3326 sd_event_add_signal(event, NULL, SIGTERM, NULL, NULL);
3329 /* simply exit on sigchld */
3330 sd_event_add_signal(event, NULL, SIGCHLD, NULL, NULL);
3332 r = pty_forward_new(event, master, &forward);
3334 log_error_errno(r, "Failed to create PTY forwarder: %m");
3338 r = sd_event_loop(event);
3340 return log_error_errno(r, "Failed to run event loop: %m");
3342 forward = pty_forward_free(forward);
3347 /* Kill if it is not dead yet anyway */
3348 terminate_machine(pid);
3351 /* Normally redundant, but better safe than sorry */
3354 r = wait_for_container(pid, &container_status);
3358 /* We failed to wait for the container, or the
3359 * container exited abnormally */
3362 } else if (r > 0 || container_status == CONTAINER_TERMINATED)
3363 /* The container exited with a non-zero
3364 * status, or with zero status and no reboot
3368 /* CONTAINER_REBOOTED, loop again */
3370 if (arg_keep_unit) {
3371 /* Special handling if we are running as a
3372 * service: instead of simply restarting the
3373 * machine we want to restart the entire
3374 * service, so let's inform systemd about this
3375 * with the special exit code 133. The service
3376 * file uses RestartForceExitStatus=133 so
3377 * that this results in a full nspawn
3378 * restart. This is necessary since we might
3379 * have cgroup parameters set we want to have
3389 "STATUS=Terminating...");
3391 loop_remove(loop_nr, &image_fd);
3396 free(arg_directory);
3399 strv_free(arg_setenv);
3400 strv_free(arg_network_interfaces);
3401 strv_free(arg_network_macvlan);
3402 strv_free(arg_bind);
3403 strv_free(arg_bind_ro);
3404 strv_free(arg_tmpfs);
~ianmdlvl / elogind.git / blob