1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
36 #include <sys/signalfd.h>
40 #include <sys/socket.h>
41 #include <linux/netlink.h>
43 #include <linux/veth.h>
44 #include <sys/personality.h>
45 #include <linux/loop.h>
48 #include <selinux/selinux.h>
56 #include <blkid/blkid.h>
59 #include "sd-daemon.h"
69 #include "cgroup-util.h"
71 #include "path-util.h"
72 #include "loopback-setup.h"
73 #include "dev-setup.h"
78 #include "bus-error.h"
80 #include "bus-kernel.h"
83 #include "rtnl-util.h"
84 #include "udev-util.h"
85 #include "blkid-util.h"
87 #include "siphash24.h"
89 #include "base-filesystem.h"
91 #include "event-util.h"
92 #include "capability.h"
94 #include "btrfs-util.h"
95 #include "machine-image.h"
98 #include "seccomp-util.h"
101 typedef enum ContainerStatus {
102 CONTAINER_TERMINATED,
106 typedef enum LinkJournal {
113 typedef enum Volatile {
119 static char *arg_directory = NULL;
120 static char *arg_template = NULL;
121 static char *arg_user = NULL;
122 static sd_id128_t arg_uuid = {};
123 static char *arg_machine = NULL;
124 static const char *arg_selinux_context = NULL;
125 static const char *arg_selinux_apifs_context = NULL;
126 static const char *arg_slice = NULL;
127 static bool arg_private_network = false;
128 static bool arg_read_only = false;
129 static bool arg_boot = false;
130 static bool arg_ephemeral = false;
131 static LinkJournal arg_link_journal = LINK_AUTO;
132 static bool arg_link_journal_try = false;
133 static uint64_t arg_retain =
134 (1ULL << CAP_CHOWN) |
135 (1ULL << CAP_DAC_OVERRIDE) |
136 (1ULL << CAP_DAC_READ_SEARCH) |
137 (1ULL << CAP_FOWNER) |
138 (1ULL << CAP_FSETID) |
139 (1ULL << CAP_IPC_OWNER) |
141 (1ULL << CAP_LEASE) |
142 (1ULL << CAP_LINUX_IMMUTABLE) |
143 (1ULL << CAP_NET_BIND_SERVICE) |
144 (1ULL << CAP_NET_BROADCAST) |
145 (1ULL << CAP_NET_RAW) |
146 (1ULL << CAP_SETGID) |
147 (1ULL << CAP_SETFCAP) |
148 (1ULL << CAP_SETPCAP) |
149 (1ULL << CAP_SETUID) |
150 (1ULL << CAP_SYS_ADMIN) |
151 (1ULL << CAP_SYS_CHROOT) |
152 (1ULL << CAP_SYS_NICE) |
153 (1ULL << CAP_SYS_PTRACE) |
154 (1ULL << CAP_SYS_TTY_CONFIG) |
155 (1ULL << CAP_SYS_RESOURCE) |
156 (1ULL << CAP_SYS_BOOT) |
157 (1ULL << CAP_AUDIT_WRITE) |
158 (1ULL << CAP_AUDIT_CONTROL) |
160 static char **arg_bind = NULL;
161 static char **arg_bind_ro = NULL;
162 static char **arg_tmpfs = NULL;
163 static char **arg_setenv = NULL;
164 static bool arg_quiet = false;
165 static bool arg_share_system = false;
166 static bool arg_register = true;
167 static bool arg_keep_unit = false;
168 static char **arg_network_interfaces = NULL;
169 static char **arg_network_macvlan = NULL;
170 static bool arg_network_veth = false;
171 static const char *arg_network_bridge = NULL;
172 static unsigned long arg_personality = 0xffffffffLU;
173 static char *arg_image = NULL;
174 static Volatile arg_volatile = VOLATILE_NO;
176 static void help(void) {
177 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
178 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
179 " -h --help Show this help\n"
180 " --version Print version string\n"
181 " -q --quiet Do not show status information\n"
182 " -D --directory=PATH Root directory for the container\n"
183 " --template=PATH Initialize root directory from template directory,\n"
185 " -x --ephemeral Run container with snapshot of root directory, and\n"
186 " remove it after exit\n"
187 " -i --image=PATH File system device or disk image for the container\n"
188 " -b --boot Boot up full system (i.e. invoke init)\n"
189 " -u --user=USER Run the command under specified user or uid\n"
190 " -M --machine=NAME Set the machine name for the container\n"
191 " --uuid=UUID Set a specific machine UUID for the container\n"
192 " -S --slice=SLICE Place the container in the specified slice\n"
193 " --private-network Disable network in container\n"
194 " --network-interface=INTERFACE\n"
195 " Assign an existing network interface to the\n"
197 " --network-macvlan=INTERFACE\n"
198 " Create a macvlan network interface based on an\n"
199 " existing network interface to the container\n"
200 " --network-veth Add a virtual ethernet connection between host\n"
202 " --network-bridge=INTERFACE\n"
203 " Add a virtual ethernet connection between host\n"
204 " and container and add it to an existing bridge on\n"
206 " -Z --selinux-context=SECLABEL\n"
207 " Set the SELinux security context to be used by\n"
208 " processes in the container\n"
209 " -L --selinux-apifs-context=SECLABEL\n"
210 " Set the SELinux security context to be used by\n"
211 " API/tmpfs file systems in the container\n"
212 " --capability=CAP In addition to the default, retain specified\n"
214 " --drop-capability=CAP Drop the specified capability from the default set\n"
215 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host,\n"
216 " try-guest, try-host\n"
217 " -j Equivalent to --link-journal=try-guest\n"
218 " --read-only Mount the root directory read-only\n"
219 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
221 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
222 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
223 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
224 " --share-system Share system namespaces with host\n"
225 " --register=BOOLEAN Register container as machine\n"
226 " --keep-unit Do not register a scope for the machine, reuse\n"
227 " the service unit nspawn is running in\n"
228 " --volatile[=MODE] Run the system in volatile mode\n",
229 program_invocation_short_name);
232 static int set_sanitized_path(char **b, const char *path) {
238 p = canonicalize_file_name(path);
243 p = path_make_absolute_cwd(path);
249 *b = path_kill_slashes(p);
253 static int parse_argv(int argc, char *argv[]) {
270 ARG_NETWORK_INTERFACE,
279 static const struct option options[] = {
280 { "help", no_argument, NULL, 'h' },
281 { "version", no_argument, NULL, ARG_VERSION },
282 { "directory", required_argument, NULL, 'D' },
283 { "template", required_argument, NULL, ARG_TEMPLATE },
284 { "ephemeral", no_argument, NULL, 'x' },
285 { "user", required_argument, NULL, 'u' },
286 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
287 { "boot", no_argument, NULL, 'b' },
288 { "uuid", required_argument, NULL, ARG_UUID },
289 { "read-only", no_argument, NULL, ARG_READ_ONLY },
290 { "capability", required_argument, NULL, ARG_CAPABILITY },
291 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
292 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
293 { "bind", required_argument, NULL, ARG_BIND },
294 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
295 { "tmpfs", required_argument, NULL, ARG_TMPFS },
296 { "machine", required_argument, NULL, 'M' },
297 { "slice", required_argument, NULL, 'S' },
298 { "setenv", required_argument, NULL, ARG_SETENV },
299 { "selinux-context", required_argument, NULL, 'Z' },
300 { "selinux-apifs-context", required_argument, NULL, 'L' },
301 { "quiet", no_argument, NULL, 'q' },
302 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
303 { "register", required_argument, NULL, ARG_REGISTER },
304 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
305 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
306 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
307 { "network-veth", no_argument, NULL, ARG_NETWORK_VETH },
308 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
309 { "personality", required_argument, NULL, ARG_PERSONALITY },
310 { "image", required_argument, NULL, 'i' },
311 { "volatile", optional_argument, NULL, ARG_VOLATILE },
316 uint64_t plus = 0, minus = 0;
321 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:x", options, NULL)) >= 0)
330 puts(PACKAGE_STRING);
331 puts(SYSTEMD_FEATURES);
335 r = set_sanitized_path(&arg_directory, optarg);
337 return log_error_errno(r, "Invalid root directory: %m");
342 r = set_sanitized_path(&arg_template, optarg);
344 return log_error_errno(r, "Invalid template directory: %m");
349 r = set_sanitized_path(&arg_image, optarg);
351 return log_error_errno(r, "Invalid image path: %m");
356 arg_ephemeral = true;
361 arg_user = strdup(optarg);
367 case ARG_NETWORK_BRIDGE:
368 arg_network_bridge = optarg;
372 case ARG_NETWORK_VETH:
373 arg_network_veth = true;
374 arg_private_network = true;
377 case ARG_NETWORK_INTERFACE:
378 if (strv_extend(&arg_network_interfaces, optarg) < 0)
381 arg_private_network = true;
384 case ARG_NETWORK_MACVLAN:
385 if (strv_extend(&arg_network_macvlan, optarg) < 0)
390 case ARG_PRIVATE_NETWORK:
391 arg_private_network = true;
399 r = sd_id128_from_string(optarg, &arg_uuid);
401 log_error("Invalid UUID: %s", optarg);
411 if (isempty(optarg)) {
415 if (!machine_name_is_valid(optarg)) {
416 log_error("Invalid machine name: %s", optarg);
420 r = free_and_strdup(&arg_machine, optarg);
428 arg_selinux_context = optarg;
432 arg_selinux_apifs_context = optarg;
436 arg_read_only = true;
440 case ARG_DROP_CAPABILITY: {
441 const char *state, *word;
444 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
445 _cleanup_free_ char *t;
447 t = strndup(word, length);
451 if (streq(t, "all")) {
452 if (c == ARG_CAPABILITY)
453 plus = (uint64_t) -1;
455 minus = (uint64_t) -1;
459 cap = capability_from_name(t);
461 log_error("Failed to parse capability %s.", t);
465 if (c == ARG_CAPABILITY)
466 plus |= 1ULL << (uint64_t) cap;
468 minus |= 1ULL << (uint64_t) cap;
476 arg_link_journal = LINK_GUEST;
477 arg_link_journal_try = true;
480 case ARG_LINK_JOURNAL:
481 if (streq(optarg, "auto")) {
482 arg_link_journal = LINK_AUTO;
483 arg_link_journal_try = false;
484 } else if (streq(optarg, "no")) {
485 arg_link_journal = LINK_NO;
486 arg_link_journal_try = false;
487 } else if (streq(optarg, "guest")) {
488 arg_link_journal = LINK_GUEST;
489 arg_link_journal_try = false;
490 } else if (streq(optarg, "host")) {
491 arg_link_journal = LINK_HOST;
492 arg_link_journal_try = false;
493 } else if (streq(optarg, "try-guest")) {
494 arg_link_journal = LINK_GUEST;
495 arg_link_journal_try = true;
496 } else if (streq(optarg, "try-host")) {
497 arg_link_journal = LINK_HOST;
498 arg_link_journal_try = true;
500 log_error("Failed to parse link journal mode %s", optarg);
508 _cleanup_free_ char *a = NULL, *b = NULL;
512 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
514 e = strchr(optarg, ':');
516 a = strndup(optarg, e - optarg);
526 if (!path_is_absolute(a) || !path_is_absolute(b)) {
527 log_error("Invalid bind mount specification: %s", optarg);
531 r = strv_extend(x, a);
535 r = strv_extend(x, b);
543 _cleanup_free_ char *a = NULL, *b = NULL;
546 e = strchr(optarg, ':');
548 a = strndup(optarg, e - optarg);
552 b = strdup("mode=0755");
558 if (!path_is_absolute(a)) {
559 log_error("Invalid tmpfs specification: %s", optarg);
563 r = strv_push(&arg_tmpfs, a);
569 r = strv_push(&arg_tmpfs, b);
581 if (!env_assignment_is_valid(optarg)) {
582 log_error("Environment variable assignment '%s' is not valid.", optarg);
586 n = strv_env_set(arg_setenv, optarg);
590 strv_free(arg_setenv);
599 case ARG_SHARE_SYSTEM:
600 arg_share_system = true;
604 r = parse_boolean(optarg);
606 log_error("Failed to parse --register= argument: %s", optarg);
614 arg_keep_unit = true;
617 case ARG_PERSONALITY:
619 arg_personality = personality_from_string(optarg);
620 if (arg_personality == 0xffffffffLU) {
621 log_error("Unknown or unsupported personality '%s'.", optarg);
630 arg_volatile = VOLATILE_YES;
632 r = parse_boolean(optarg);
634 if (streq(optarg, "state"))
635 arg_volatile = VOLATILE_STATE;
637 log_error("Failed to parse --volatile= argument: %s", optarg);
641 arg_volatile = r ? VOLATILE_YES : VOLATILE_NO;
650 assert_not_reached("Unhandled option");
653 if (arg_share_system)
654 arg_register = false;
656 if (arg_boot && arg_share_system) {
657 log_error("--boot and --share-system may not be combined.");
661 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
662 log_error("--keep-unit may not be used when invoked from a user session.");
666 if (arg_directory && arg_image) {
667 log_error("--directory= and --image= may not be combined.");
671 if (arg_template && arg_image) {
672 log_error("--template= and --image= may not be combined.");
676 if (arg_template && !(arg_directory || arg_machine)) {
677 log_error("--template= needs --directory= or --machine=.");
681 if (arg_ephemeral && arg_template) {
682 log_error("--ephemeral and --template= may not be combined.");
686 if (arg_ephemeral && arg_image) {
687 log_error("--ephemeral and --image= may not be combined.");
691 if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO)) {
692 log_error("--ephemeral and --link-journal= may not be combined.");
696 if (arg_volatile != VOLATILE_NO && arg_read_only) {
697 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
701 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
706 static int mount_all(const char *dest) {
708 typedef struct MountPoint {
717 static const MountPoint mount_table[] = {
718 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
719 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
720 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
721 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
722 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
723 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
724 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
725 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
727 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
728 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
735 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
736 _cleanup_free_ char *where = NULL;
738 _cleanup_free_ char *options = NULL;
743 where = strjoin(dest, "/", mount_table[k].where, NULL);
747 t = path_is_mount_point(where, true);
749 log_error_errno(t, "Failed to detect whether %s is a mount point: %m", where);
757 /* Skip this entry if it is not a remount. */
758 if (mount_table[k].what && t > 0)
761 t = mkdir_p(where, 0755);
763 if (mount_table[k].fatal) {
764 log_error_errno(t, "Failed to create directory %s: %m", where);
769 log_warning_errno(t, "Failed to create directory %s: %m", where);
775 if (arg_selinux_apifs_context &&
776 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
777 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
784 o = mount_table[k].options;
787 if (mount(mount_table[k].what,
790 mount_table[k].flags,
793 if (mount_table[k].fatal) {
794 log_error_errno(errno, "mount(%s) failed: %m", where);
799 log_warning_errno(errno, "mount(%s) failed: %m", where);
806 static int mount_binds(const char *dest, char **l, bool ro) {
809 STRV_FOREACH_PAIR(x, y, l) {
810 _cleanup_free_ char *where = NULL;
811 struct stat source_st, dest_st;
814 if (stat(*x, &source_st) < 0)
815 return log_error_errno(errno, "Failed to stat %s: %m", *x);
817 where = strappend(dest, *y);
821 r = stat(where, &dest_st);
823 if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
824 log_error("The file types of %s and %s do not match. Refusing bind mount", *x, where);
827 } else if (errno == ENOENT) {
828 r = mkdir_parents_label(where, 0755);
830 return log_error_errno(r, "Failed to bind mount %s: %m", *x);
832 log_error_errno(errno, "Failed to bind mount %s: %m", *x);
836 /* Create the mount point, but be conservative -- refuse to create block
837 * and char devices. */
838 if (S_ISDIR(source_st.st_mode)) {
839 r = mkdir_label(where, 0755);
840 if (r < 0 && errno != EEXIST)
841 return log_error_errno(r, "Failed to create mount point %s: %m", where);
842 } else if (S_ISFIFO(source_st.st_mode)) {
843 r = mkfifo(where, 0644);
844 if (r < 0 && errno != EEXIST)
845 return log_error_errno(errno, "Failed to create mount point %s: %m", where);
846 } else if (S_ISSOCK(source_st.st_mode)) {
847 r = mknod(where, 0644 | S_IFSOCK, 0);
848 if (r < 0 && errno != EEXIST)
849 return log_error_errno(errno, "Failed to create mount point %s: %m", where);
850 } else if (S_ISREG(source_st.st_mode)) {
853 return log_error_errno(r, "Failed to create mount point %s: %m", where);
855 log_error("Refusing to create mountpoint for file: %s", *x);
859 if (mount(*x, where, "bind", MS_BIND, NULL) < 0)
860 return log_error_errno(errno, "mount(%s) failed: %m", where);
863 r = bind_remount_recursive(where, true);
865 return log_error_errno(r, "Read-Only bind mount failed: %m");
872 static int mount_tmpfs(const char *dest) {
875 STRV_FOREACH_PAIR(i, o, arg_tmpfs) {
876 _cleanup_free_ char *where = NULL;
879 where = strappend(dest, *i);
883 r = mkdir_label(where, 0755);
884 if (r < 0 && r != -EEXIST)
885 return log_error_errno(r, "Creating mount point for tmpfs %s failed: %m", where);
887 if (mount("tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, *o) < 0)
888 return log_error_errno(errno, "tmpfs mount to %s failed: %m", where);
894 static int setup_timezone(const char *dest) {
895 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
901 /* Fix the timezone, if possible */
902 r = readlink_malloc("/etc/localtime", &p);
904 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
908 z = path_startswith(p, "../usr/share/zoneinfo/");
910 z = path_startswith(p, "/usr/share/zoneinfo/");
912 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
916 where = strappend(dest, "/etc/localtime");
920 r = readlink_malloc(where, &q);
922 y = path_startswith(q, "../usr/share/zoneinfo/");
924 y = path_startswith(q, "/usr/share/zoneinfo/");
926 /* Already pointing to the right place? Then do nothing .. */
927 if (y && streq(y, z))
931 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
935 if (access(check, F_OK) < 0) {
936 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
940 what = strappend("../usr/share/zoneinfo/", z);
944 r = mkdir_parents(where, 0755);
946 log_error_errno(r, "Failed to create directory for timezone info %s in container: %m", where);
952 if (r < 0 && errno != ENOENT) {
953 log_error_errno(errno, "Failed to remove existing timezone info %s in container: %m", where);
958 if (symlink(what, where) < 0) {
959 log_error_errno(errno, "Failed to correct timezone of container: %m");
966 static int setup_resolv_conf(const char *dest) {
967 _cleanup_free_ char *where = NULL;
972 if (arg_private_network)
975 /* Fix resolv.conf, if possible */
976 where = strappend(dest, "/etc/resolv.conf");
980 /* We don't really care for the results of this really. If it
981 * fails, it fails, but meh... */
982 r = mkdir_parents(where, 0755);
984 log_warning_errno(r, "Failed to create parent directory for resolv.conf %s: %m", where);
989 r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644);
991 log_warning_errno(r, "Failed to copy /etc/resolv.conf to %s: %m", where);
999 static int setup_volatile_state(const char *directory) {
1005 if (arg_volatile != VOLATILE_STATE)
1008 /* --volatile=state means we simply overmount /var
1009 with a tmpfs, and the rest read-only. */
1011 r = bind_remount_recursive(directory, true);
1013 return log_error_errno(r, "Failed to remount %s read-only: %m", directory);
1015 p = strappenda(directory, "/var");
1017 if (r < 0 && errno != EEXIST)
1018 return log_error_errno(errno, "Failed to create %s: %m", directory);
1020 if (mount("tmpfs", p, "tmpfs", MS_STRICTATIME, "mode=755") < 0)
1021 return log_error_errno(errno, "Failed to mount tmpfs to /var: %m");
1026 static int setup_volatile(const char *directory) {
1027 bool tmpfs_mounted = false, bind_mounted = false;
1028 char template[] = "/tmp/nspawn-volatile-XXXXXX";
1034 if (arg_volatile != VOLATILE_YES)
1037 /* --volatile=yes means we mount a tmpfs to the root dir, and
1038 the original /usr to use inside it, and that read-only. */
1040 if (!mkdtemp(template))
1041 return log_error_errno(errno, "Failed to create temporary directory: %m");
1043 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
1044 log_error_errno(errno, "Failed to mount tmpfs for root directory: %m");
1049 tmpfs_mounted = true;
1051 f = strappenda(directory, "/usr");
1052 t = strappenda(template, "/usr");
1055 if (r < 0 && errno != EEXIST) {
1056 log_error_errno(errno, "Failed to create %s: %m", t);
1061 if (mount(f, t, "bind", MS_BIND|MS_REC, NULL) < 0) {
1062 log_error_errno(errno, "Failed to create /usr bind mount: %m");
1067 bind_mounted = true;
1069 r = bind_remount_recursive(t, true);
1071 log_error_errno(r, "Failed to remount %s read-only: %m", t);
1075 if (mount(template, directory, NULL, MS_MOVE, NULL) < 0) {
1076 log_error_errno(errno, "Failed to move root mount: %m");
1094 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
1097 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
1098 SD_ID128_FORMAT_VAL(id));
1103 static int setup_boot_id(const char *dest) {
1104 _cleanup_free_ char *from = NULL, *to = NULL;
1105 sd_id128_t rnd = {};
1111 if (arg_share_system)
1114 /* Generate a new randomized boot ID, so that each boot-up of
1115 * the container gets a new one */
1117 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
1118 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
1122 r = sd_id128_randomize(&rnd);
1124 return log_error_errno(r, "Failed to generate random boot id: %m");
1126 id128_format_as_uuid(rnd, as_uuid);
1128 r = write_string_file(from, as_uuid);
1130 return log_error_errno(r, "Failed to write boot id: %m");
1132 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1133 log_error_errno(errno, "Failed to bind mount boot id: %m");
1135 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
1136 log_warning_errno(errno, "Failed to make boot id read-only: %m");
1142 static int copy_devnodes(const char *dest) {
1144 static const char devnodes[] =
1155 _cleanup_umask_ mode_t u;
1161 NULSTR_FOREACH(d, devnodes) {
1162 _cleanup_free_ char *from = NULL, *to = NULL;
1165 from = strappend("/dev/", d);
1166 to = strjoin(dest, "/dev/", d, NULL);
1170 if (stat(from, &st) < 0) {
1172 if (errno != ENOENT)
1173 return log_error_errno(errno, "Failed to stat %s: %m", from);
1175 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
1177 log_error("%s is not a char or block device, cannot copy", from);
1181 r = mkdir_parents(to, 0775);
1183 log_error_errno(r, "Failed to create parent directory of %s: %m", to);
1187 if (mknod(to, st.st_mode, st.st_rdev) < 0)
1188 return log_error_errno(errno, "mknod(%s) failed: %m", dest);
1195 static int setup_ptmx(const char *dest) {
1196 _cleanup_free_ char *p = NULL;
1198 p = strappend(dest, "/dev/ptmx");
1202 if (symlink("pts/ptmx", p) < 0)
1203 return log_error_errno(errno, "Failed to create /dev/ptmx symlink: %m");
1208 static int setup_dev_console(const char *dest, const char *console) {
1209 _cleanup_umask_ mode_t u;
1219 if (stat("/dev/null", &st) < 0)
1220 return log_error_errno(errno, "Failed to stat /dev/null: %m");
1222 r = chmod_and_chown(console, 0600, 0, 0);
1224 return log_error_errno(r, "Failed to correct access mode for TTY: %m");
1226 /* We need to bind mount the right tty to /dev/console since
1227 * ptys can only exist on pts file systems. To have something
1228 * to bind mount things on we create a device node first, and
1229 * use /dev/null for that since we the cgroups device policy
1230 * allows us to create that freely, while we cannot create
1231 * /dev/console. (Note that the major minor doesn't actually
1232 * matter here, since we mount it over anyway). */
1234 to = strappenda(dest, "/dev/console");
1235 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0)
1236 return log_error_errno(errno, "mknod() for /dev/console failed: %m");
1238 if (mount(console, to, "bind", MS_BIND, NULL) < 0)
1239 return log_error_errno(errno, "Bind mount for /dev/console failed: %m");
1244 static int setup_kmsg(const char *dest, int kmsg_socket) {
1245 _cleanup_free_ char *from = NULL, *to = NULL;
1247 _cleanup_umask_ mode_t u;
1249 struct cmsghdr cmsghdr;
1250 uint8_t buf[CMSG_SPACE(sizeof(int))];
1252 struct msghdr mh = {
1253 .msg_control = &control,
1254 .msg_controllen = sizeof(control),
1256 struct cmsghdr *cmsg;
1259 assert(kmsg_socket >= 0);
1263 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1264 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1265 * on the reading side behave very similar to /proc/kmsg,
1266 * their writing side behaves differently from /dev/kmsg in
1267 * that writing blocks when nothing is reading. In order to
1268 * avoid any problems with containers deadlocking due to this
1269 * we simply make /dev/kmsg unavailable to the container. */
1270 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
1271 asprintf(&to, "%s/proc/kmsg", dest) < 0)
1274 if (mkfifo(from, 0600) < 0)
1275 return log_error_errno(errno, "mkfifo() for /dev/kmsg failed: %m");
1277 r = chmod_and_chown(from, 0600, 0, 0);
1279 return log_error_errno(r, "Failed to correct access mode for /dev/kmsg: %m");
1281 if (mount(from, to, "bind", MS_BIND, NULL) < 0)
1282 return log_error_errno(errno, "Bind mount for /proc/kmsg failed: %m");
1284 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
1286 return log_error_errno(errno, "Failed to open fifo: %m");
1288 cmsg = CMSG_FIRSTHDR(&mh);
1289 cmsg->cmsg_level = SOL_SOCKET;
1290 cmsg->cmsg_type = SCM_RIGHTS;
1291 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1292 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1294 mh.msg_controllen = cmsg->cmsg_len;
1296 /* Store away the fd in the socket, so that it stays open as
1297 * long as we run the child */
1298 k = sendmsg(kmsg_socket, &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
1302 return log_error_errno(errno, "Failed to send FIFO fd: %m");
1304 /* And now make the FIFO unavailable as /dev/kmsg... */
1309 static int setup_hostname(void) {
1311 if (arg_share_system)
1314 if (sethostname_idempotent(arg_machine) < 0)
1320 static int setup_journal(const char *directory) {
1321 sd_id128_t machine_id, this_id;
1322 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1326 /* Don't link journals in ephemeral mode */
1330 p = strappend(directory, "/etc/machine-id");
1334 r = read_one_line_file(p, &b);
1335 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1338 return log_error_errno(r, "Failed to read machine ID from %s: %m", p);
1341 if (isempty(id) && arg_link_journal == LINK_AUTO)
1344 /* Verify validity */
1345 r = sd_id128_from_string(id, &machine_id);
1347 return log_error_errno(r, "Failed to parse machine ID from %s: %m", p);
1349 r = sd_id128_get_machine(&this_id);
1351 return log_error_errno(r, "Failed to retrieve machine ID: %m");
1353 if (sd_id128_equal(machine_id, this_id)) {
1354 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1355 "Host and machine ids are equal (%s): refusing to link journals", id);
1356 if (arg_link_journal == LINK_AUTO)
1361 if (arg_link_journal == LINK_NO)
1365 p = strappend("/var/log/journal/", id);
1366 q = strjoin(directory, "/var/log/journal/", id, NULL);
1370 if (path_is_mount_point(p, false) > 0) {
1371 if (arg_link_journal != LINK_AUTO) {
1372 log_error("%s: already a mount point, refusing to use for journal", p);
1379 if (path_is_mount_point(q, false) > 0) {
1380 if (arg_link_journal != LINK_AUTO) {
1381 log_error("%s: already a mount point, refusing to use for journal", q);
1388 r = readlink_and_make_absolute(p, &d);
1390 if ((arg_link_journal == LINK_GUEST ||
1391 arg_link_journal == LINK_AUTO) &&
1394 r = mkdir_p(q, 0755);
1396 log_warning_errno(errno, "Failed to create directory %s: %m", q);
1401 return log_error_errno(errno, "Failed to remove symlink %s: %m", p);
1402 } else if (r == -EINVAL) {
1404 if (arg_link_journal == LINK_GUEST &&
1407 if (errno == ENOTDIR) {
1408 log_error("%s already exists and is neither a symlink nor a directory", p);
1411 log_error_errno(errno, "Failed to remove %s: %m", p);
1415 } else if (r != -ENOENT) {
1416 log_error_errno(errno, "readlink(%s) failed: %m", p);
1420 if (arg_link_journal == LINK_GUEST) {
1422 if (symlink(q, p) < 0) {
1423 if (arg_link_journal_try) {
1424 log_debug_errno(errno, "Failed to symlink %s to %s, skipping journal setup: %m", q, p);
1427 log_error_errno(errno, "Failed to symlink %s to %s: %m", q, p);
1432 r = mkdir_p(q, 0755);
1434 log_warning_errno(errno, "Failed to create directory %s: %m", q);
1438 if (arg_link_journal == LINK_HOST) {
1439 /* don't create parents here -- if the host doesn't have
1440 * permanent journal set up, don't force it here */
1443 if (arg_link_journal_try) {
1444 log_debug_errno(errno, "Failed to create %s, skipping journal setup: %m", p);
1447 log_error_errno(errno, "Failed to create %s: %m", p);
1452 } else if (access(p, F_OK) < 0)
1455 if (dir_is_empty(q) == 0)
1456 log_warning("%s is not empty, proceeding anyway.", q);
1458 r = mkdir_p(q, 0755);
1460 log_error_errno(errno, "Failed to create %s: %m", q);
1464 if (mount(p, q, "bind", MS_BIND, NULL) < 0)
1465 return log_error_errno(errno, "Failed to bind mount journal from host into guest: %m");
1470 static int drop_capabilities(void) {
1471 return capability_bounding_set_drop(~arg_retain, false);
1474 static int register_machine(pid_t pid, int local_ifindex) {
1475 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1476 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1482 r = sd_bus_default_system(&bus);
1484 return log_error_errno(r, "Failed to open system bus: %m");
1486 if (arg_keep_unit) {
1487 r = sd_bus_call_method(
1489 "org.freedesktop.machine1",
1490 "/org/freedesktop/machine1",
1491 "org.freedesktop.machine1.Manager",
1492 "RegisterMachineWithNetwork",
1497 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1501 strempty(arg_directory),
1502 local_ifindex > 0 ? 1 : 0, local_ifindex);
1504 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1506 r = sd_bus_message_new_method_call(
1509 "org.freedesktop.machine1",
1510 "/org/freedesktop/machine1",
1511 "org.freedesktop.machine1.Manager",
1512 "CreateMachineWithNetwork");
1514 return log_error_errno(r, "Failed to create message: %m");
1516 r = sd_bus_message_append(
1520 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1524 strempty(arg_directory),
1525 local_ifindex > 0 ? 1 : 0, local_ifindex);
1527 return log_error_errno(r, "Failed to append message arguments: %m");
1529 r = sd_bus_message_open_container(m, 'a', "(sv)");
1531 return log_error_errno(r, "Failed to open container: %m");
1533 if (!isempty(arg_slice)) {
1534 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
1536 return log_error_errno(r, "Failed to append slice: %m");
1539 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
1541 return log_error_errno(r, "Failed to add device policy: %m");
1543 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 9,
1544 /* Allow the container to
1545 * access and create the API
1546 * device nodes, so that
1547 * PrivateDevices= in the
1548 * container can work
1553 "/dev/random", "rwm",
1554 "/dev/urandom", "rwm",
1556 "/dev/net/tun", "rwm",
1557 /* Allow the container
1558 * access to ptys. However,
1560 * container to ever create
1561 * these device nodes. */
1562 "/dev/pts/ptmx", "rw",
1565 return log_error_errno(r, "Failed to add device whitelist: %m");
1567 r = sd_bus_message_close_container(m);
1569 return log_error_errno(r, "Failed to close container: %m");
1571 r = sd_bus_call(bus, m, 0, &error, NULL);
1575 log_error("Failed to register machine: %s", bus_error_message(&error, r));
1582 static int terminate_machine(pid_t pid) {
1583 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1584 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
1585 _cleanup_bus_close_unref_ sd_bus *bus = NULL;
1592 r = sd_bus_default_system(&bus);
1594 return log_error_errno(r, "Failed to open system bus: %m");
1596 r = sd_bus_call_method(
1598 "org.freedesktop.machine1",
1599 "/org/freedesktop/machine1",
1600 "org.freedesktop.machine1.Manager",
1607 /* Note that the machine might already have been
1608 * cleaned up automatically, hence don't consider it a
1609 * failure if we cannot get the machine object. */
1610 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
1614 r = sd_bus_message_read(reply, "o", &path);
1616 return bus_log_parse_error(r);
1618 r = sd_bus_call_method(
1620 "org.freedesktop.machine1",
1622 "org.freedesktop.machine1.Machine",
1628 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
1635 static int reset_audit_loginuid(void) {
1636 _cleanup_free_ char *p = NULL;
1639 if (arg_share_system)
1642 r = read_one_line_file("/proc/self/loginuid", &p);
1646 return log_error_errno(r, "Failed to read /proc/self/loginuid: %m");
1648 /* Already reset? */
1649 if (streq(p, "4294967295"))
1652 r = write_string_file("/proc/self/loginuid", "4294967295");
1654 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
1655 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1656 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1657 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1658 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
1666 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
1667 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
1668 #define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
1670 static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key, uint64_t idx) {
1676 l = strlen(arg_machine);
1677 sz = sizeof(sd_id128_t) + l;
1683 /* fetch some persistent data unique to the host */
1684 r = sd_id128_get_machine((sd_id128_t*) v);
1688 /* combine with some data unique (on this host) to this
1689 * container instance */
1690 i = mempcpy(v + sizeof(sd_id128_t), arg_machine, l);
1693 memcpy(i, &idx, sizeof(idx));
1696 /* Let's hash the host machine ID plus the container name. We
1697 * use a fixed, but originally randomly created hash key here. */
1698 siphash24(result, v, sz, hash_key.bytes);
1700 assert_cc(ETH_ALEN <= sizeof(result));
1701 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
1703 /* see eth_random_addr in the kernel */
1704 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
1705 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
1710 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
1711 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1712 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1713 struct ether_addr mac_host, mac_container;
1716 if (!arg_private_network)
1719 if (!arg_network_veth)
1722 /* Use two different interface name prefixes depending whether
1723 * we are in bridge mode or not. */
1724 snprintf(iface_name, IFNAMSIZ - 1, "%s-%s",
1725 arg_network_bridge ? "vb" : "ve", arg_machine);
1727 r = generate_mac(&mac_container, CONTAINER_HASH_KEY, 0);
1729 return log_error_errno(r, "Failed to generate predictable MAC address for container side: %m");
1731 r = generate_mac(&mac_host, HOST_HASH_KEY, 0);
1733 return log_error_errno(r, "Failed to generate predictable MAC address for host side: %m");
1735 r = sd_rtnl_open(&rtnl, 0);
1737 return log_error_errno(r, "Failed to connect to netlink: %m");
1739 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1741 return log_error_errno(r, "Failed to allocate netlink message: %m");
1743 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
1745 return log_error_errno(r, "Failed to add netlink interface name: %m");
1747 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_host);
1749 return log_error_errno(r, "Failed to add netlink MAC address: %m");
1751 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1753 return log_error_errno(r, "Failed to open netlink container: %m");
1755 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
1757 return log_error_errno(r, "Failed to open netlink container: %m");
1759 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
1761 return log_error_errno(r, "Failed to open netlink container: %m");
1763 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
1765 return log_error_errno(r, "Failed to add netlink interface name: %m");
1767 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_container);
1769 return log_error_errno(r, "Failed to add netlink MAC address: %m");
1771 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1773 return log_error_errno(r, "Failed to add netlink namespace field: %m");
1775 r = sd_rtnl_message_close_container(m);
1777 return log_error_errno(r, "Failed to close netlink container: %m");
1779 r = sd_rtnl_message_close_container(m);
1781 return log_error_errno(r, "Failed to close netlink container: %m");
1783 r = sd_rtnl_message_close_container(m);
1785 return log_error_errno(r, "Failed to close netlink container: %m");
1787 r = sd_rtnl_call(rtnl, m, 0, NULL);
1789 return log_error_errno(r, "Failed to add new veth interfaces: %m");
1791 i = (int) if_nametoindex(iface_name);
1793 return log_error_errno(errno, "Failed to resolve interface %s: %m", iface_name);
1800 static int setup_bridge(const char veth_name[], int *ifi) {
1801 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1802 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1805 if (!arg_private_network)
1808 if (!arg_network_veth)
1811 if (!arg_network_bridge)
1814 bridge = (int) if_nametoindex(arg_network_bridge);
1816 return log_error_errno(errno, "Failed to resolve interface %s: %m", arg_network_bridge);
1820 r = sd_rtnl_open(&rtnl, 0);
1822 return log_error_errno(r, "Failed to connect to netlink: %m");
1824 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
1826 return log_error_errno(r, "Failed to allocate netlink message: %m");
1828 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
1830 return log_error_errno(r, "Failed to set IFF_UP flag: %m");
1832 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
1834 return log_error_errno(r, "Failed to add netlink interface name field: %m");
1836 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
1838 return log_error_errno(r, "Failed to add netlink master field: %m");
1840 r = sd_rtnl_call(rtnl, m, 0, NULL);
1842 return log_error_errno(r, "Failed to add veth interface to bridge: %m");
1847 static int parse_interface(struct udev *udev, const char *name) {
1848 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1849 char ifi_str[2 + DECIMAL_STR_MAX(int)];
1852 ifi = (int) if_nametoindex(name);
1854 return log_error_errno(errno, "Failed to resolve interface %s: %m", name);
1856 sprintf(ifi_str, "n%i", ifi);
1857 d = udev_device_new_from_device_id(udev, ifi_str);
1859 return log_error_errno(errno, "Failed to get udev device for interface %s: %m", name);
1861 if (udev_device_get_is_initialized(d) <= 0) {
1862 log_error("Network interface %s is not initialized yet.", name);
1869 static int move_network_interfaces(pid_t pid) {
1870 _cleanup_udev_unref_ struct udev *udev = NULL;
1871 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1875 if (!arg_private_network)
1878 if (strv_isempty(arg_network_interfaces))
1881 r = sd_rtnl_open(&rtnl, 0);
1883 return log_error_errno(r, "Failed to connect to netlink: %m");
1887 log_error("Failed to connect to udev.");
1891 STRV_FOREACH(i, arg_network_interfaces) {
1892 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1895 ifi = parse_interface(udev, *i);
1899 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, ifi);
1901 return log_error_errno(r, "Failed to allocate netlink message: %m");
1903 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1905 return log_error_errno(r, "Failed to append namespace PID to netlink message: %m");
1907 r = sd_rtnl_call(rtnl, m, 0, NULL);
1909 return log_error_errno(r, "Failed to move interface %s to namespace: %m", *i);
1915 static int setup_macvlan(pid_t pid) {
1916 _cleanup_udev_unref_ struct udev *udev = NULL;
1917 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1922 if (!arg_private_network)
1925 if (strv_isempty(arg_network_macvlan))
1928 r = sd_rtnl_open(&rtnl, 0);
1930 return log_error_errno(r, "Failed to connect to netlink: %m");
1934 log_error("Failed to connect to udev.");
1938 STRV_FOREACH(i, arg_network_macvlan) {
1939 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1940 _cleanup_free_ char *n = NULL;
1941 struct ether_addr mac;
1944 ifi = parse_interface(udev, *i);
1948 r = generate_mac(&mac, MACVLAN_HASH_KEY, idx++);
1950 return log_error_errno(r, "Failed to create MACVLAN MAC address: %m");
1952 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1954 return log_error_errno(r, "Failed to allocate netlink message: %m");
1956 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
1958 return log_error_errno(r, "Failed to add netlink interface index: %m");
1960 n = strappend("mv-", *i);
1964 strshorten(n, IFNAMSIZ-1);
1966 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
1968 return log_error_errno(r, "Failed to add netlink interface name: %m");
1970 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac);
1972 return log_error_errno(r, "Failed to add netlink MAC address: %m");
1974 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1976 return log_error_errno(r, "Failed to add netlink namespace field: %m");
1978 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1980 return log_error_errno(r, "Failed to open netlink container: %m");
1982 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
1984 return log_error_errno(r, "Failed to open netlink container: %m");
1986 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
1988 return log_error_errno(r, "Failed to append macvlan mode: %m");
1990 r = sd_rtnl_message_close_container(m);
1992 return log_error_errno(r, "Failed to close netlink container: %m");
1994 r = sd_rtnl_message_close_container(m);
1996 return log_error_errno(r, "Failed to close netlink container: %m");
1998 r = sd_rtnl_call(rtnl, m, 0, NULL);
2000 return log_error_errno(r, "Failed to add new macvlan interfaces: %m");
2006 static int setup_seccomp(void) {
2009 static const int blacklist[] = {
2010 SCMP_SYS(kexec_load),
2011 SCMP_SYS(open_by_handle_at),
2012 SCMP_SYS(init_module),
2013 SCMP_SYS(finit_module),
2014 SCMP_SYS(delete_module),
2021 scmp_filter_ctx seccomp;
2025 seccomp = seccomp_init(SCMP_ACT_ALLOW);
2029 r = seccomp_add_secondary_archs(seccomp);
2031 log_error_errno(r, "Failed to add secondary archs to seccomp filter: %m");
2035 for (i = 0; i < ELEMENTSOF(blacklist); i++) {
2036 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
2038 continue; /* unknown syscall */
2040 log_error_errno(r, "Failed to block syscall: %m");
2046 Audit is broken in containers, much of the userspace audit
2047 hookup will fail if running inside a container. We don't
2048 care and just turn off creation of audit sockets.
2050 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
2051 with EAFNOSUPPORT which audit userspace uses as indication
2052 that audit is disabled in the kernel.
2055 r = seccomp_rule_add(
2057 SCMP_ACT_ERRNO(EAFNOSUPPORT),
2060 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
2061 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
2063 log_error_errno(r, "Failed to add audit seccomp rule: %m");
2067 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
2069 log_error_errno(r, "Failed to unset NO_NEW_PRIVS: %m");
2073 r = seccomp_load(seccomp);
2075 log_error_errno(r, "Failed to install seccomp audit filter: %m");
2078 seccomp_release(seccomp);
2086 static int setup_propagate(const char *root) {
2089 (void) mkdir_p("/run/systemd/nspawn/", 0755);
2090 (void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
2091 p = strappenda("/run/systemd/nspawn/propagate/", arg_machine);
2092 (void) mkdir_p(p, 0600);
2094 q = strappenda(root, "/run/systemd/nspawn/incoming");
2095 mkdir_parents(q, 0755);
2098 if (mount(p, q, NULL, MS_BIND, NULL) < 0)
2099 return log_error_errno(errno, "Failed to install propagation bind mount.");
2101 if (mount(NULL, q, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0)
2102 return log_error_errno(errno, "Failed to make propagation mount read-only");
2107 static int setup_image(char **device_path, int *loop_nr) {
2108 struct loop_info64 info = {
2109 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
2111 _cleanup_close_ int fd = -1, control = -1, loop = -1;
2112 _cleanup_free_ char* loopdev = NULL;
2116 assert(device_path);
2120 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2122 return log_error_errno(errno, "Failed to open %s: %m", arg_image);
2124 if (fstat(fd, &st) < 0)
2125 return log_error_errno(errno, "Failed to stat %s: %m", arg_image);
2127 if (S_ISBLK(st.st_mode)) {
2130 p = strdup(arg_image);
2144 if (!S_ISREG(st.st_mode)) {
2145 log_error_errno(errno, "%s is not a regular file or block device: %m", arg_image);
2149 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2151 return log_error_errno(errno, "Failed to open /dev/loop-control: %m");
2153 nr = ioctl(control, LOOP_CTL_GET_FREE);
2155 return log_error_errno(errno, "Failed to allocate loop device: %m");
2157 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
2160 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2162 return log_error_errno(errno, "Failed to open loop device %s: %m", loopdev);
2164 if (ioctl(loop, LOOP_SET_FD, fd) < 0)
2165 return log_error_errno(errno, "Failed to set loopback file descriptor on %s: %m", loopdev);
2168 info.lo_flags |= LO_FLAGS_READ_ONLY;
2170 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0)
2171 return log_error_errno(errno, "Failed to set loopback settings on %s: %m", loopdev);
2173 *device_path = loopdev;
2184 static int dissect_image(
2186 char **root_device, bool *root_device_rw,
2187 char **home_device, bool *home_device_rw,
2188 char **srv_device, bool *srv_device_rw,
2192 int home_nr = -1, srv_nr = -1;
2193 #ifdef GPT_ROOT_NATIVE
2196 #ifdef GPT_ROOT_SECONDARY
2197 int secondary_root_nr = -1;
2200 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL;
2201 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
2202 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2203 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2204 _cleanup_udev_unref_ struct udev *udev = NULL;
2205 struct udev_list_entry *first, *item;
2206 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true;
2207 const char *pttype = NULL;
2213 assert(root_device);
2214 assert(home_device);
2219 b = blkid_new_probe();
2224 r = blkid_probe_set_device(b, fd, 0, 0);
2229 log_error_errno(errno, "Failed to set device on blkid probe: %m");
2233 blkid_probe_enable_partitions(b, 1);
2234 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
2237 r = blkid_do_safeprobe(b);
2238 if (r == -2 || r == 1) {
2239 log_error("Failed to identify any partition table on %s.\n"
2240 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2242 } else if (r != 0) {
2245 log_error_errno(errno, "Failed to probe: %m");
2249 blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
2250 if (!streq_ptr(pttype, "gpt")) {
2251 log_error("Image %s does not carry a GUID Partition Table.\n"
2252 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2257 pl = blkid_probe_get_partitions(b);
2262 log_error("Failed to list partitions of %s", arg_image);
2270 if (fstat(fd, &st) < 0)
2271 return log_error_errno(errno, "Failed to stat block device: %m");
2273 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2277 e = udev_enumerate_new(udev);
2281 r = udev_enumerate_add_match_parent(e, d);
2285 r = udev_enumerate_scan_devices(e);
2287 return log_error_errno(r, "Failed to scan for partition devices of %s: %m", arg_image);
2289 first = udev_enumerate_get_list_entry(e);
2290 udev_list_entry_foreach(item, first) {
2291 _cleanup_udev_device_unref_ struct udev_device *q;
2292 const char *stype, *node;
2293 unsigned long long flags;
2300 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2305 log_error_errno(errno, "Failed to get partition device of %s: %m", arg_image);
2309 qn = udev_device_get_devnum(q);
2313 if (st.st_rdev == qn)
2316 node = udev_device_get_devnode(q);
2320 pp = blkid_partlist_devno_to_partition(pl, qn);
2324 flags = blkid_partition_get_flags(pp);
2325 if (flags & GPT_FLAG_NO_AUTO)
2328 nr = blkid_partition_get_partno(pp);
2332 stype = blkid_partition_get_type_string(pp);
2336 if (sd_id128_from_string(stype, &type_id) < 0)
2339 if (sd_id128_equal(type_id, GPT_HOME)) {
2341 if (home && nr >= home_nr)
2345 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2348 home = strdup(node);
2351 } else if (sd_id128_equal(type_id, GPT_SRV)) {
2353 if (srv && nr >= srv_nr)
2357 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
2364 #ifdef GPT_ROOT_NATIVE
2365 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
2367 if (root && nr >= root_nr)
2371 root_rw = !(flags & GPT_FLAG_READ_ONLY);
2374 root = strdup(node);
2379 #ifdef GPT_ROOT_SECONDARY
2380 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
2382 if (secondary_root && nr >= secondary_root_nr)
2385 secondary_root_nr = nr;
2386 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
2389 free(secondary_root);
2390 secondary_root = strdup(node);
2391 if (!secondary_root)
2397 if (!root && !secondary_root) {
2398 log_error("Failed to identify root partition in disk image %s.\n"
2399 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2404 *root_device = root;
2407 *root_device_rw = root_rw;
2409 } else if (secondary_root) {
2410 *root_device = secondary_root;
2411 secondary_root = NULL;
2413 *root_device_rw = secondary_root_rw;
2418 *home_device = home;
2421 *home_device_rw = home_rw;
2428 *srv_device_rw = srv_rw;
2433 log_error("--image= is not supported, compiled without blkid support.");
2438 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
2440 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2441 const char *fstype, *p;
2451 p = strappenda(where, directory);
2456 b = blkid_new_probe_from_filename(what);
2460 log_error_errno(errno, "Failed to allocate prober for %s: %m", what);
2464 blkid_probe_enable_superblocks(b, 1);
2465 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
2468 r = blkid_do_safeprobe(b);
2469 if (r == -1 || r == 1) {
2470 log_error("Cannot determine file system type of %s", what);
2472 } else if (r != 0) {
2475 log_error_errno(errno, "Failed to probe %s: %m", what);
2480 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
2483 log_error("Failed to determine file system type of %s", what);
2487 if (streq(fstype, "crypto_LUKS")) {
2488 log_error("nspawn currently does not support LUKS disk images.");
2492 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0)
2493 return log_error_errno(errno, "Failed to mount %s: %m", what);
2497 log_error("--image= is not supported, compiled without blkid support.");
2502 static int mount_devices(
2504 const char *root_device, bool root_device_rw,
2505 const char *home_device, bool home_device_rw,
2506 const char *srv_device, bool srv_device_rw) {
2512 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
2514 return log_error_errno(r, "Failed to mount root directory: %m");
2518 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
2520 return log_error_errno(r, "Failed to mount home directory: %m");
2524 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
2526 return log_error_errno(r, "Failed to mount server data directory: %m");
2532 static void loop_remove(int nr, int *image_fd) {
2533 _cleanup_close_ int control = -1;
2539 if (image_fd && *image_fd >= 0) {
2540 r = ioctl(*image_fd, LOOP_CLR_FD);
2542 log_warning_errno(errno, "Failed to close loop image: %m");
2543 *image_fd = safe_close(*image_fd);
2546 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2548 log_warning_errno(errno, "Failed to open /dev/loop-control: %m");
2552 r = ioctl(control, LOOP_CTL_REMOVE, nr);
2554 log_warning_errno(errno, "Failed to remove loop %d: %m", nr);
2557 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
2565 if (pipe2(pipe_fds, O_CLOEXEC) < 0)
2566 return log_error_errno(errno, "Failed to allocate pipe: %m");
2570 return log_error_errno(errno, "Failed to fork getent child: %m");
2571 else if (pid == 0) {
2573 char *empty_env = NULL;
2575 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
2576 _exit(EXIT_FAILURE);
2578 if (pipe_fds[0] > 2)
2579 safe_close(pipe_fds[0]);
2580 if (pipe_fds[1] > 2)
2581 safe_close(pipe_fds[1]);
2583 nullfd = open("/dev/null", O_RDWR);
2585 _exit(EXIT_FAILURE);
2587 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
2588 _exit(EXIT_FAILURE);
2590 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
2591 _exit(EXIT_FAILURE);
2596 reset_all_signal_handlers();
2597 close_all_fds(NULL, 0);
2599 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
2600 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
2601 _exit(EXIT_FAILURE);
2604 pipe_fds[1] = safe_close(pipe_fds[1]);
2611 static int change_uid_gid(char **_home) {
2612 char line[LINE_MAX], *x, *u, *g, *h;
2613 const char *word, *state;
2614 _cleanup_free_ uid_t *uids = NULL;
2615 _cleanup_free_ char *home = NULL;
2616 _cleanup_fclose_ FILE *f = NULL;
2617 _cleanup_close_ int fd = -1;
2618 unsigned n_uids = 0;
2627 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
2628 /* Reset everything fully to 0, just in case */
2630 if (setgroups(0, NULL) < 0)
2631 return log_error_errno(errno, "setgroups() failed: %m");
2633 if (setresgid(0, 0, 0) < 0)
2634 return log_error_errno(errno, "setregid() failed: %m");
2636 if (setresuid(0, 0, 0) < 0)
2637 return log_error_errno(errno, "setreuid() failed: %m");
2643 /* First, get user credentials */
2644 fd = spawn_getent("passwd", arg_user, &pid);
2648 f = fdopen(fd, "r");
2653 if (!fgets(line, sizeof(line), f)) {
2656 log_error("Failed to resolve user %s.", arg_user);
2660 log_error_errno(errno, "Failed to read from getent: %m");
2666 wait_for_terminate_and_warn("getent passwd", pid, true);
2668 x = strchr(line, ':');
2670 log_error("/etc/passwd entry has invalid user field.");
2674 u = strchr(x+1, ':');
2676 log_error("/etc/passwd entry has invalid password field.");
2683 log_error("/etc/passwd entry has invalid UID field.");
2691 log_error("/etc/passwd entry has invalid GID field.");
2696 h = strchr(x+1, ':');
2698 log_error("/etc/passwd entry has invalid GECOS field.");
2705 log_error("/etc/passwd entry has invalid home directory field.");
2711 r = parse_uid(u, &uid);
2713 log_error("Failed to parse UID of user.");
2717 r = parse_gid(g, &gid);
2719 log_error("Failed to parse GID of user.");
2727 /* Second, get group memberships */
2728 fd = spawn_getent("initgroups", arg_user, &pid);
2733 f = fdopen(fd, "r");
2738 if (!fgets(line, sizeof(line), f)) {
2740 log_error("Failed to resolve user %s.", arg_user);
2744 log_error_errno(errno, "Failed to read from getent: %m");
2750 wait_for_terminate_and_warn("getent initgroups", pid, true);
2752 /* Skip over the username and subsequent separator whitespace */
2754 x += strcspn(x, WHITESPACE);
2755 x += strspn(x, WHITESPACE);
2757 FOREACH_WORD(word, l, x, state) {
2763 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
2766 r = parse_uid(c, &uids[n_uids++]);
2768 log_error("Failed to parse group data from getent.");
2773 r = mkdir_parents(home, 0775);
2775 return log_error_errno(r, "Failed to make home root directory: %m");
2777 r = mkdir_safe(home, 0755, uid, gid);
2778 if (r < 0 && r != -EEXIST)
2779 return log_error_errno(r, "Failed to make home directory: %m");
2781 fchown(STDIN_FILENO, uid, gid);
2782 fchown(STDOUT_FILENO, uid, gid);
2783 fchown(STDERR_FILENO, uid, gid);
2785 if (setgroups(n_uids, uids) < 0)
2786 return log_error_errno(errno, "Failed to set auxiliary groups: %m");
2788 if (setresgid(gid, gid, gid) < 0)
2789 return log_error_errno(errno, "setregid() failed: %m");
2791 if (setresuid(uid, uid, uid) < 0)
2792 return log_error_errno(errno, "setreuid() failed: %m");
2804 * < 0 : wait_for_terminate() failed to get the state of the
2805 * container, the container was terminated by a signal, or
2806 * failed for an unknown reason. No change is made to the
2807 * container argument.
2808 * > 0 : The program executed in the container terminated with an
2809 * error. The exit code of the program executed in the
2810 * container is returned. The container argument has been set
2811 * to CONTAINER_TERMINATED.
2812 * 0 : The container is being rebooted, has been shut down or exited
2813 * successfully. The container argument has been set to either
2814 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2816 * That is, success is indicated by a return value of zero, and an
2817 * error is indicated by a non-zero value.
2819 static int wait_for_container(pid_t pid, ContainerStatus *container) {
2823 r = wait_for_terminate(pid, &status);
2825 return log_warning_errno(r, "Failed to wait for container: %m");
2827 switch (status.si_code) {
2830 if (status.si_status == 0) {
2831 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s exited successfully.", arg_machine);
2834 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s failed with error code %i.", arg_machine, status.si_status);
2836 *container = CONTAINER_TERMINATED;
2837 return status.si_status;
2840 if (status.si_status == SIGINT) {
2842 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s has been shut down.", arg_machine);
2843 *container = CONTAINER_TERMINATED;
2846 } else if (status.si_status == SIGHUP) {
2848 log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s is being rebooted.", arg_machine);
2849 *container = CONTAINER_REBOOTED;
2853 /* CLD_KILLED fallthrough */
2856 log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
2860 log_error("Container %s failed due to unknown reason.", arg_machine);
2867 static void nop_handler(int sig) {}
2869 static int on_orderly_shutdown(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) {
2872 pid = PTR_TO_UINT32(userdata);
2874 if (kill(pid, SIGRTMIN+3) >= 0) {
2875 log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
2876 sd_event_source_set_userdata(s, NULL);
2881 sd_event_exit(sd_event_source_get_event(s), 0);
2885 static int determine_names(void) {
2888 if (!arg_image && !arg_directory) {
2890 _cleanup_(image_unrefp) Image *i = NULL;
2892 r = image_find(arg_machine, &i);
2894 return log_error_errno(r, "Failed to find image for machine '%s': %m", arg_machine);
2896 log_error("No image for machine '%s': %m", arg_machine);
2900 if (i->type == IMAGE_GPT)
2901 r = set_sanitized_path(&arg_image, i->path);
2903 r = set_sanitized_path(&arg_directory, i->path);
2905 return log_error_errno(r, "Invalid image directory: %m");
2907 arg_read_only = arg_read_only || i->read_only;
2909 arg_directory = get_current_dir_name();
2911 if (!arg_directory && !arg_machine) {
2912 log_error("Failed to determine path, please use -D or -i.");
2918 if (arg_directory && path_equal(arg_directory, "/"))
2919 arg_machine = gethostname_malloc();
2921 arg_machine = strdup(basename(arg_image ?: arg_directory));
2926 hostname_cleanup(arg_machine, false);
2927 if (!machine_name_is_valid(arg_machine)) {
2928 log_error("Failed to determine machine name automatically, please use -M.");
2932 if (arg_ephemeral) {
2935 /* Add a random suffix when this is an
2936 * ephemeral machine, so that we can run many
2937 * instances at once without manually having
2938 * to specify -M each time. */
2940 if (asprintf(&b, "%s-%016" PRIx64, arg_machine, random_u64()) < 0)
2951 int main(int argc, char *argv[]) {
2953 _cleanup_free_ char *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL, *console = NULL;
2954 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
2955 _cleanup_close_ int master = -1, image_fd = -1;
2956 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 };
2957 _cleanup_fdset_free_ FDSet *fds = NULL;
2958 int r, n_fd_passed, loop_nr = -1;
2959 char veth_name[IFNAMSIZ];
2960 bool secondary = false, remove_subvol = false;
2961 sigset_t mask, mask_chld;
2963 int ret = EXIT_SUCCESS;
2965 log_parse_environment();
2968 r = parse_argv(argc, argv);
2972 r = determine_names();
2976 if (geteuid() != 0) {
2977 log_error("Need to be root.");
2982 if (sd_booted() <= 0) {
2983 log_error("Not running on a systemd system.");
2989 n_fd_passed = sd_listen_fds(false);
2990 if (n_fd_passed > 0) {
2991 r = fdset_new_listen_fds(&fds, false);
2993 log_error_errno(r, "Failed to collect file descriptors: %m");
2997 fdset_close_others(fds);
3000 if (arg_directory) {
3003 if (path_equal(arg_directory, "/") && !arg_ephemeral) {
3004 log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
3010 r = btrfs_subvol_snapshot(arg_template, arg_directory, arg_read_only, true);
3013 log_info("Directory %s already exists, not populating from template %s.", arg_directory, arg_template);
3015 log_error_errno(r, "Couldn't create snapshort %s from %s: %m", arg_directory, arg_template);
3019 log_info("Populated %s from template %s.", arg_directory, arg_template);
3022 } else if (arg_ephemeral) {
3025 /* If the specified path is a mount point we
3026 * generate the new snapshot immediately
3027 * inside it under a random name. However if
3028 * the specified is not a mount point we
3029 * create the new snapshot in the parent
3030 * directory, just next to it. */
3031 r = path_is_mount_point(arg_directory, false);
3033 log_error_errno(r, "Failed to determine whether directory %s is mount point: %m", arg_directory);
3037 r = tempfn_random_child(arg_directory, &np);
3039 r = tempfn_random(arg_directory, &np);
3041 log_error_errno(r, "Failed to generate name for snapshot: %m");
3045 r = btrfs_subvol_snapshot(arg_directory, np, arg_read_only, true);
3048 log_error_errno(r, "Failed to create snapshot %s from %s: %m", np, arg_directory);
3052 free(arg_directory);
3055 remove_subvol = true;
3059 if (path_is_os_tree(arg_directory) <= 0) {
3060 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory);
3067 p = strappenda(arg_directory,
3068 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
3069 if (access(p, F_OK) < 0) {
3070 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
3077 char template[] = "/tmp/nspawn-root-XXXXXX";
3080 assert(!arg_template);
3082 if (!mkdtemp(template)) {
3083 log_error_errno(errno, "Failed to create temporary directory: %m");
3088 arg_directory = strdup(template);
3089 if (!arg_directory) {
3094 image_fd = setup_image(&device_path, &loop_nr);
3100 r = dissect_image(image_fd,
3101 &root_device, &root_device_rw,
3102 &home_device, &home_device_rw,
3103 &srv_device, &srv_device_rw,
3109 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
3111 r = log_error_errno(errno, "Failed to acquire pseudo tty: %m");
3115 r = ptsname_malloc(master, &console);
3117 r = log_error_errno(r, "Failed to determine tty name: %m");
3122 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3123 arg_machine, arg_image ?: arg_directory);
3125 if (unlockpt(master) < 0) {
3126 r = log_error_errno(errno, "Failed to unlock tty: %m");
3130 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
3131 r = log_error_errno(errno, "Failed to create kmsg socket pair: %m");
3137 "STATUS=Container running.");
3139 assert_se(sigemptyset(&mask) == 0);
3140 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
3141 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
3143 assert_se(sigemptyset(&mask_chld) == 0);
3144 assert_se(sigaddset(&mask_chld, SIGCHLD) == 0);
3147 ContainerStatus container_status;
3148 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
3149 struct sigaction sa = {
3150 .sa_handler = nop_handler,
3151 .sa_flags = SA_NOCLDSTOP,
3154 r = barrier_create(&barrier);
3156 log_error_errno(r, "Cannot initialize IPC barrier: %m");
3160 /* Child can be killed before execv(), so handle SIGCHLD
3161 * in order to interrupt parent's blocking calls and
3162 * give it a chance to call wait() and terminate. */
3163 r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL);
3165 r = log_error_errno(errno, "Failed to change the signal mask: %m");
3169 r = sigaction(SIGCHLD, &sa, NULL);
3171 r = log_error_errno(errno, "Failed to install SIGCHLD handler: %m");
3175 pid = raw_clone(SIGCHLD|CLONE_NEWNS|
3176 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
3177 (arg_private_network ? CLONE_NEWNET : 0), NULL);
3179 if (errno == EINVAL)
3180 r = log_error_errno(errno, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3182 r = log_error_errno(errno, "clone() failed: %m");
3189 _cleanup_free_ char *home = NULL;
3191 const char *envp[] = {
3192 "PATH=" DEFAULT_PATH_SPLIT_USR,
3193 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
3198 NULL, /* container_uuid */
3199 NULL, /* LISTEN_FDS */
3200 NULL, /* LISTEN_PID */
3205 barrier_set_role(&barrier, BARRIER_CHILD);
3207 envp[n_env] = strv_find_prefix(environ, "TERM=");
3211 master = safe_close(master);
3213 close_nointr(STDIN_FILENO);
3214 close_nointr(STDOUT_FILENO);
3215 close_nointr(STDERR_FILENO);
3217 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
3219 reset_all_signal_handlers();
3220 reset_signal_mask();
3222 r = open_terminal(console, O_RDWR);
3223 if (r != STDIN_FILENO) {
3229 log_error_errno(r, "Failed to open console: %m");
3230 _exit(EXIT_FAILURE);
3233 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
3234 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
3235 log_error_errno(errno, "Failed to duplicate console: %m");
3236 _exit(EXIT_FAILURE);
3240 log_error_errno(errno, "setsid() failed: %m");
3241 _exit(EXIT_FAILURE);
3244 if (reset_audit_loginuid() < 0)
3245 _exit(EXIT_FAILURE);
3247 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
3248 log_error_errno(errno, "PR_SET_PDEATHSIG failed: %m");
3249 _exit(EXIT_FAILURE);
3252 /* Mark everything as slave, so that we still
3253 * receive mounts from the real root, but don't
3254 * propagate mounts to the real root. */
3255 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
3256 log_error_errno(errno, "MS_SLAVE|MS_REC failed: %m");
3257 _exit(EXIT_FAILURE);
3260 if (mount_devices(arg_directory,
3261 root_device, root_device_rw,
3262 home_device, home_device_rw,
3263 srv_device, srv_device_rw) < 0)
3264 _exit(EXIT_FAILURE);
3266 /* Turn directory into bind mount */
3267 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
3268 log_error_errno(errno, "Failed to make bind mount: %m");
3269 _exit(EXIT_FAILURE);
3272 r = setup_volatile(arg_directory);
3274 _exit(EXIT_FAILURE);
3276 if (setup_volatile_state(arg_directory) < 0)
3277 _exit(EXIT_FAILURE);
3279 r = base_filesystem_create(arg_directory);
3281 _exit(EXIT_FAILURE);
3283 if (arg_read_only) {
3284 r = bind_remount_recursive(arg_directory, true);
3286 log_error_errno(r, "Failed to make tree read-only: %m");
3287 _exit(EXIT_FAILURE);
3291 if (mount_all(arg_directory) < 0)
3292 _exit(EXIT_FAILURE);
3294 if (copy_devnodes(arg_directory) < 0)
3295 _exit(EXIT_FAILURE);
3297 if (setup_ptmx(arg_directory) < 0)
3298 _exit(EXIT_FAILURE);
3300 dev_setup(arg_directory);
3302 if (setup_propagate(arg_directory) < 0)
3303 _exit(EXIT_FAILURE);
3305 if (setup_seccomp() < 0)
3306 _exit(EXIT_FAILURE);
3308 if (setup_dev_console(arg_directory, console) < 0)
3309 _exit(EXIT_FAILURE);
3311 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
3312 _exit(EXIT_FAILURE);
3314 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
3316 if (setup_boot_id(arg_directory) < 0)
3317 _exit(EXIT_FAILURE);
3319 if (setup_timezone(arg_directory) < 0)
3320 _exit(EXIT_FAILURE);
3322 if (setup_resolv_conf(arg_directory) < 0)
3323 _exit(EXIT_FAILURE);
3325 if (setup_journal(arg_directory) < 0)
3326 _exit(EXIT_FAILURE);
3328 if (mount_binds(arg_directory, arg_bind, false) < 0)
3329 _exit(EXIT_FAILURE);
3331 if (mount_binds(arg_directory, arg_bind_ro, true) < 0)
3332 _exit(EXIT_FAILURE);
3334 if (mount_tmpfs(arg_directory) < 0)
3335 _exit(EXIT_FAILURE);
3337 /* Tell the parent that we are ready, and that
3338 * it can cgroupify us to that we lack access
3339 * to certain devices and resources. */
3340 (void)barrier_place(&barrier);
3342 if (chdir(arg_directory) < 0) {
3343 log_error_errno(errno, "chdir(%s) failed: %m", arg_directory);
3344 _exit(EXIT_FAILURE);
3347 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
3348 log_error_errno(errno, "mount(MS_MOVE) failed: %m");
3349 _exit(EXIT_FAILURE);
3352 if (chroot(".") < 0) {
3353 log_error_errno(errno, "chroot() failed: %m");
3354 _exit(EXIT_FAILURE);
3357 if (chdir("/") < 0) {
3358 log_error_errno(errno, "chdir() failed: %m");
3359 _exit(EXIT_FAILURE);
3364 if (arg_private_network)
3367 if (drop_capabilities() < 0) {
3368 log_error_errno(errno, "drop_capabilities() failed: %m");
3369 _exit(EXIT_FAILURE);
3372 r = change_uid_gid(&home);
3374 _exit(EXIT_FAILURE);
3376 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
3377 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
3378 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
3380 _exit(EXIT_FAILURE);
3383 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
3386 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
3388 _exit(EXIT_FAILURE);
3392 if (fdset_size(fds) > 0) {
3393 r = fdset_cloexec(fds, false);
3395 log_error_errno(r, "Failed to unset O_CLOEXEC for file descriptors.");
3396 _exit(EXIT_FAILURE);
3399 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
3400 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
3402 _exit(EXIT_FAILURE);
3408 if (arg_personality != 0xffffffffLU) {
3409 if (personality(arg_personality) < 0) {
3410 log_error_errno(errno, "personality() failed: %m");
3411 _exit(EXIT_FAILURE);
3413 } else if (secondary) {
3414 if (personality(PER_LINUX32) < 0) {
3415 log_error_errno(errno, "personality() failed: %m");
3416 _exit(EXIT_FAILURE);
3421 if (arg_selinux_context)
3422 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
3423 log_error_errno(errno, "setexeccon(\"%s\") failed: %m", arg_selinux_context);
3424 _exit(EXIT_FAILURE);
3428 if (!strv_isempty(arg_setenv)) {
3431 n = strv_env_merge(2, envp, arg_setenv);
3434 _exit(EXIT_FAILURE);
3439 env_use = (char**) envp;
3441 /* Wait until the parent is ready with the setup, too... */
3442 if (!barrier_place_and_sync(&barrier))
3443 _exit(EXIT_FAILURE);
3449 /* Automatically search for the init system */
3451 l = 1 + argc - optind;
3452 a = newa(char*, l + 1);
3453 memcpy(a + 1, argv + optind, l * sizeof(char*));
3455 a[0] = (char*) "/usr/lib/systemd/systemd";
3456 execve(a[0], a, env_use);
3458 a[0] = (char*) "/lib/systemd/systemd";
3459 execve(a[0], a, env_use);
3461 a[0] = (char*) "/sbin/init";
3462 execve(a[0], a, env_use);
3463 } else if (argc > optind)
3464 execvpe(argv[optind], argv + optind, env_use);
3466 chdir(home ? home : "/root");
3467 execle("/bin/bash", "-bash", NULL, env_use);
3468 execle("/bin/sh", "-sh", NULL, env_use);
3471 log_error_errno(errno, "execv() failed: %m");
3472 _exit(EXIT_FAILURE);
3475 barrier_set_role(&barrier, BARRIER_PARENT);
3479 /* wait for child-setup to be done */
3480 if (barrier_place_and_sync(&barrier)) {
3481 _cleanup_event_unref_ sd_event *event = NULL;
3482 _cleanup_(pty_forward_freep) PTYForward *forward = NULL;
3486 r = move_network_interfaces(pid);
3490 r = setup_veth(pid, veth_name, &ifi);
3494 r = setup_bridge(veth_name, &ifi);
3498 r = setup_macvlan(pid);
3502 r = register_machine(pid, ifi);
3506 /* Block SIGCHLD here, before notifying child.
3507 * process_pty() will handle it with the other signals. */
3508 r = sigprocmask(SIG_BLOCK, &mask_chld, NULL);
3512 /* Reset signal to default */
3513 r = default_signals(SIGCHLD, -1);
3517 /* Notify the child that the parent is ready with all
3518 * its setup, and that the child can now hand over
3519 * control to the code to run inside the container. */
3520 (void)barrier_place(&barrier);
3522 r = sd_event_new(&event);
3524 log_error_errno(r, "Failed to get default event source: %m");
3529 /* Try to kill the init system on SIGINT or SIGTERM */
3530 sd_event_add_signal(event, NULL, SIGINT, on_orderly_shutdown, UINT32_TO_PTR(pid));
3531 sd_event_add_signal(event, NULL, SIGTERM, on_orderly_shutdown, UINT32_TO_PTR(pid));
3533 /* Immediately exit */
3534 sd_event_add_signal(event, NULL, SIGINT, NULL, NULL);
3535 sd_event_add_signal(event, NULL, SIGTERM, NULL, NULL);
3538 /* simply exit on sigchld */
3539 sd_event_add_signal(event, NULL, SIGCHLD, NULL, NULL);
3541 r = pty_forward_new(event, master, true, &forward);
3543 log_error_errno(r, "Failed to create PTY forwarder: %m");
3547 r = sd_event_loop(event);
3549 log_error_errno(r, "Failed to run event loop: %m");
3553 pty_forward_last_char(forward, &last_char);
3555 forward = pty_forward_free(forward);
3557 if (!arg_quiet && last_char != '\n')
3560 /* Kill if it is not dead yet anyway */
3561 terminate_machine(pid);
3564 /* Normally redundant, but better safe than sorry */
3567 r = wait_for_container(pid, &container_status);
3571 /* We failed to wait for the container, or the
3572 * container exited abnormally */
3574 else if (r > 0 || container_status == CONTAINER_TERMINATED){
3575 /* The container exited with a non-zero
3576 * status, or with zero status and no reboot
3582 /* CONTAINER_REBOOTED, loop again */
3584 if (arg_keep_unit) {
3585 /* Special handling if we are running as a
3586 * service: instead of simply restarting the
3587 * machine we want to restart the entire
3588 * service, so let's inform systemd about this
3589 * with the special exit code 133. The service
3590 * file uses RestartForceExitStatus=133 so
3591 * that this results in a full nspawn
3592 * restart. This is necessary since we might
3593 * have cgroup parameters set we want to have
3604 "STATUS=Terminating...");
3606 loop_remove(loop_nr, &image_fd);
3611 if (remove_subvol && arg_directory) {
3614 k = btrfs_subvol_remove(arg_directory);
3616 log_warning_errno(k, "Cannot remove subvolume '%s', ignoring: %m", arg_directory);
3622 p = strappenda("/run/systemd/nspawn/propagate", arg_machine);
3623 (void) rm_rf(p, false, true, false);
3626 free(arg_directory);
3631 strv_free(arg_setenv);
3632 strv_free(arg_network_interfaces);
3633 strv_free(arg_network_macvlan);
3634 strv_free(arg_bind);
3635 strv_free(arg_bind_ro);
3636 strv_free(arg_tmpfs);
3638 return r < 0 ? EXIT_FAILURE : ret;
~ianmdlvl / elogind.git / blob