1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
37 #include <sys/signalfd.h>
41 #include <sys/socket.h>
42 #include <linux/netlink.h>
44 #include <linux/veth.h>
45 #include <sys/personality.h>
46 #include <linux/loop.h>
49 #include <selinux/selinux.h>
57 #include <blkid/blkid.h>
60 #include "sd-daemon.h"
70 #include "cgroup-util.h"
72 #include "path-util.h"
73 #include "loopback-setup.h"
74 #include "dev-setup.h"
79 #include "bus-error.h"
81 #include "bus-kernel.h"
84 #include "rtnl-util.h"
85 #include "udev-util.h"
86 #include "blkid-util.h"
88 #include "siphash24.h"
90 #include "base-filesystem.h"
94 #include "seccomp-util.h"
97 typedef enum ContainerStatus {
102 typedef enum LinkJournal {
109 typedef enum Volatile {
115 static char *arg_directory = NULL;
116 static char *arg_user = NULL;
117 static sd_id128_t arg_uuid = {};
118 static char *arg_machine = NULL;
119 static const char *arg_selinux_context = NULL;
120 static const char *arg_selinux_apifs_context = NULL;
121 static const char *arg_slice = NULL;
122 static bool arg_private_network = false;
123 static bool arg_read_only = false;
124 static bool arg_boot = false;
125 static LinkJournal arg_link_journal = LINK_AUTO;
126 static uint64_t arg_retain =
127 (1ULL << CAP_CHOWN) |
128 (1ULL << CAP_DAC_OVERRIDE) |
129 (1ULL << CAP_DAC_READ_SEARCH) |
130 (1ULL << CAP_FOWNER) |
131 (1ULL << CAP_FSETID) |
132 (1ULL << CAP_IPC_OWNER) |
134 (1ULL << CAP_LEASE) |
135 (1ULL << CAP_LINUX_IMMUTABLE) |
136 (1ULL << CAP_NET_BIND_SERVICE) |
137 (1ULL << CAP_NET_BROADCAST) |
138 (1ULL << CAP_NET_RAW) |
139 (1ULL << CAP_SETGID) |
140 (1ULL << CAP_SETFCAP) |
141 (1ULL << CAP_SETPCAP) |
142 (1ULL << CAP_SETUID) |
143 (1ULL << CAP_SYS_ADMIN) |
144 (1ULL << CAP_SYS_CHROOT) |
145 (1ULL << CAP_SYS_NICE) |
146 (1ULL << CAP_SYS_PTRACE) |
147 (1ULL << CAP_SYS_TTY_CONFIG) |
148 (1ULL << CAP_SYS_RESOURCE) |
149 (1ULL << CAP_SYS_BOOT) |
150 (1ULL << CAP_AUDIT_WRITE) |
151 (1ULL << CAP_AUDIT_CONTROL) |
153 static char **arg_bind = NULL;
154 static char **arg_bind_ro = NULL;
155 static char **arg_tmpfs = NULL;
156 static char **arg_setenv = NULL;
157 static bool arg_quiet = false;
158 static bool arg_share_system = false;
159 static bool arg_register = true;
160 static bool arg_keep_unit = false;
161 static char **arg_network_interfaces = NULL;
162 static char **arg_network_macvlan = NULL;
163 static bool arg_network_veth = false;
164 static const char *arg_network_bridge = NULL;
165 static unsigned long arg_personality = 0xffffffffLU;
166 static const char *arg_image = NULL;
167 static Volatile arg_volatile = VOLATILE_NO;
169 static int help(void) {
171 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
172 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
173 " -h --help Show this help\n"
174 " --version Print version string\n"
175 " -q --quiet Do not show status information\n"
176 " -D --directory=PATH Root directory for the container\n"
177 " -i --image=PATH File system device or image for the container\n"
178 " -b --boot Boot up full system (i.e. invoke init)\n"
179 " -u --user=USER Run the command under specified user or uid\n"
180 " -M --machine=NAME Set the machine name for the container\n"
181 " --uuid=UUID Set a specific machine UUID for the container\n"
182 " -S --slice=SLICE Place the container in the specified slice\n"
183 " --private-network Disable network in container\n"
184 " --network-interface=INTERFACE\n"
185 " Assign an existing network interface to the\n"
187 " --network-macvlan=INTERFACE\n"
188 " Create a macvlan network interface based on an\n"
189 " existing network interface to the container\n"
190 " --network-veth Add a virtual ethernet connection between host\n"
192 " --network-bridge=INTERFACE\n"
193 " Add a virtual ethernet connection between host\n"
194 " and container and add it to an existing bridge on\n"
196 " -Z --selinux-context=SECLABEL\n"
197 " Set the SELinux security context to be used by\n"
198 " processes in the container\n"
199 " -L --selinux-apifs-context=SECLABEL\n"
200 " Set the SELinux security context to be used by\n"
201 " API/tmpfs file systems in the container\n"
202 " --capability=CAP In addition to the default, retain specified\n"
204 " --drop-capability=CAP Drop the specified capability from the default set\n"
205 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n"
206 " -j Equivalent to --link-journal=host\n"
207 " --read-only Mount the root directory read-only\n"
208 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
210 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
211 " --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
212 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
213 " --share-system Share system namespaces with host\n"
214 " --register=BOOLEAN Register container as machine\n"
215 " --keep-unit Do not register a scope for the machine, reuse\n"
216 " the service unit nspawn is running in\n"
217 " --volatile[=MODE] Run the system in volatile mode\n",
218 program_invocation_short_name);
223 static int parse_argv(int argc, char *argv[]) {
240 ARG_NETWORK_INTERFACE,
248 static const struct option options[] = {
249 { "help", no_argument, NULL, 'h' },
250 { "version", no_argument, NULL, ARG_VERSION },
251 { "directory", required_argument, NULL, 'D' },
252 { "user", required_argument, NULL, 'u' },
253 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
254 { "boot", no_argument, NULL, 'b' },
255 { "uuid", required_argument, NULL, ARG_UUID },
256 { "read-only", no_argument, NULL, ARG_READ_ONLY },
257 { "capability", required_argument, NULL, ARG_CAPABILITY },
258 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
259 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
260 { "bind", required_argument, NULL, ARG_BIND },
261 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
262 { "tmpfs", required_argument, NULL, ARG_TMPFS },
263 { "machine", required_argument, NULL, 'M' },
264 { "slice", required_argument, NULL, 'S' },
265 { "setenv", required_argument, NULL, ARG_SETENV },
266 { "selinux-context", required_argument, NULL, 'Z' },
267 { "selinux-apifs-context", required_argument, NULL, 'L' },
268 { "quiet", no_argument, NULL, 'q' },
269 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
270 { "register", required_argument, NULL, ARG_REGISTER },
271 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
272 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
273 { "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
274 { "network-veth", no_argument, NULL, ARG_NETWORK_VETH },
275 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
276 { "personality", required_argument, NULL, ARG_PERSONALITY },
277 { "image", required_argument, NULL, 'i' },
278 { "volatile", optional_argument, NULL, ARG_VOLATILE },
283 uint64_t plus = 0, minus = 0;
288 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:", options, NULL)) >= 0) {
296 puts(PACKAGE_STRING);
297 puts(SYSTEMD_FEATURES);
302 arg_directory = canonicalize_file_name(optarg);
303 if (!arg_directory) {
304 log_error("Invalid root directory: %m");
316 arg_user = strdup(optarg);
322 case ARG_NETWORK_BRIDGE:
323 arg_network_bridge = optarg;
327 case ARG_NETWORK_VETH:
328 arg_network_veth = true;
329 arg_private_network = true;
332 case ARG_NETWORK_INTERFACE:
333 if (strv_extend(&arg_network_interfaces, optarg) < 0)
336 arg_private_network = true;
339 case ARG_NETWORK_MACVLAN:
340 if (strv_extend(&arg_network_macvlan, optarg) < 0)
345 case ARG_PRIVATE_NETWORK:
346 arg_private_network = true;
354 r = sd_id128_from_string(optarg, &arg_uuid);
356 log_error("Invalid UUID: %s", optarg);
366 if (isempty(optarg)) {
371 if (!hostname_is_valid(optarg)) {
372 log_error("Invalid machine name: %s", optarg);
377 arg_machine = strdup(optarg);
385 arg_selinux_context = optarg;
389 arg_selinux_apifs_context = optarg;
393 arg_read_only = true;
397 case ARG_DROP_CAPABILITY: {
401 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
402 _cleanup_free_ char *t;
405 t = strndup(word, length);
409 if (streq(t, "all")) {
410 if (c == ARG_CAPABILITY)
411 plus = (uint64_t) -1;
413 minus = (uint64_t) -1;
415 if (cap_from_name(t, &cap) < 0) {
416 log_error("Failed to parse capability %s.", t);
420 if (c == ARG_CAPABILITY)
421 plus |= 1ULL << (uint64_t) cap;
423 minus |= 1ULL << (uint64_t) cap;
431 arg_link_journal = LINK_GUEST;
434 case ARG_LINK_JOURNAL:
435 if (streq(optarg, "auto"))
436 arg_link_journal = LINK_AUTO;
437 else if (streq(optarg, "no"))
438 arg_link_journal = LINK_NO;
439 else if (streq(optarg, "guest"))
440 arg_link_journal = LINK_GUEST;
441 else if (streq(optarg, "host"))
442 arg_link_journal = LINK_HOST;
444 log_error("Failed to parse link journal mode %s", optarg);
452 _cleanup_free_ char *a = NULL, *b = NULL;
456 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
458 e = strchr(optarg, ':');
460 a = strndup(optarg, e - optarg);
470 if (!path_is_absolute(a) || !path_is_absolute(b)) {
471 log_error("Invalid bind mount specification: %s", optarg);
475 r = strv_extend(x, a);
479 r = strv_extend(x, b);
487 _cleanup_free_ char *a = NULL, *b = NULL;
490 e = strchr(optarg, ':');
492 a = strndup(optarg, e - optarg);
496 b = strdup("mode=0755");
502 if (!path_is_absolute(a)) {
503 log_error("Invalid tmpfs specification: %s", optarg);
507 r = strv_push(&arg_tmpfs, a);
513 r = strv_push(&arg_tmpfs, b);
525 if (!env_assignment_is_valid(optarg)) {
526 log_error("Environment variable assignment '%s' is not valid.", optarg);
530 n = strv_env_set(arg_setenv, optarg);
534 strv_free(arg_setenv);
543 case ARG_SHARE_SYSTEM:
544 arg_share_system = true;
548 r = parse_boolean(optarg);
550 log_error("Failed to parse --register= argument: %s", optarg);
558 arg_keep_unit = true;
561 case ARG_PERSONALITY:
563 arg_personality = personality_from_string(optarg);
564 if (arg_personality == 0xffffffffLU) {
565 log_error("Unknown or unsupported personality '%s'.", optarg);
574 arg_volatile = VOLATILE_YES;
576 r = parse_boolean(optarg);
578 if (streq(optarg, "state"))
579 arg_volatile = VOLATILE_STATE;
581 log_error("Failed to parse --volatile= argument: %s", optarg);
585 arg_volatile = r ? VOLATILE_YES : VOLATILE_NO;
594 assert_not_reached("Unhandled option");
598 if (arg_share_system)
599 arg_register = false;
601 if (arg_boot && arg_share_system) {
602 log_error("--boot and --share-system may not be combined.");
606 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
607 log_error("--keep-unit may not be used when invoked from a user session.");
611 if (arg_directory && arg_image) {
612 log_error("--directory= and --image= may not be combined.");
616 if (arg_volatile != VOLATILE_NO && arg_read_only) {
617 log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
621 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
626 static int mount_all(const char *dest) {
628 typedef struct MountPoint {
637 static const MountPoint mount_table[] = {
638 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
639 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
640 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
641 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
642 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
643 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
644 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
645 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
647 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
648 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
655 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
656 _cleanup_free_ char *where = NULL;
658 _cleanup_free_ char *options = NULL;
663 where = strjoin(dest, "/", mount_table[k].where, NULL);
667 t = path_is_mount_point(where, true);
669 log_error("Failed to detect whether %s is a mount point: %s", where, strerror(-t));
677 /* Skip this entry if it is not a remount. */
678 if (mount_table[k].what && t > 0)
681 mkdir_p(where, 0755);
684 if (arg_selinux_apifs_context &&
685 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
686 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
693 o = mount_table[k].options;
696 if (mount(mount_table[k].what,
699 mount_table[k].flags,
701 mount_table[k].fatal) {
703 log_error("mount(%s) failed: %m", where);
713 static int mount_binds(const char *dest, char **l, bool ro) {
716 STRV_FOREACH_PAIR(x, y, l) {
717 _cleanup_free_ char *where = NULL;
718 struct stat source_st, dest_st;
721 if (stat(*x, &source_st) < 0) {
722 log_error("Failed to stat %s: %m", *x);
726 where = strappend(dest, *y);
730 r = stat(where, &dest_st);
732 if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
733 log_error("The file types of %s and %s do not match. Refusing bind mount", *x, where);
736 } else if (errno == ENOENT) {
737 r = mkdir_parents_label(where, 0755);
739 log_error("Failed to bind mount %s: %s", *x, strerror(-r));
743 log_error("Failed to bind mount %s: %m", *x);
747 /* Create the mount point, but be conservative -- refuse to create block
748 * and char devices. */
749 if (S_ISDIR(source_st.st_mode))
750 mkdir_label(where, 0755);
751 else if (S_ISFIFO(source_st.st_mode))
753 else if (S_ISSOCK(source_st.st_mode))
754 mknod(where, 0644 | S_IFSOCK, 0);
755 else if (S_ISREG(source_st.st_mode))
758 log_error("Refusing to create mountpoint for file: %s", *x);
762 if (mount(*x, where, "bind", MS_BIND, NULL) < 0) {
763 log_error("mount(%s) failed: %m", where);
768 r = bind_remount_recursive(where, true);
770 log_error("Read-Only bind mount failed: %s", strerror(-r));
779 static int mount_tmpfs(const char *dest) {
782 STRV_FOREACH_PAIR(i, o, arg_tmpfs) {
783 _cleanup_free_ char *where = NULL;
785 where = strappend(dest, *i);
789 mkdir_label(where, 0755);
791 if (mount("tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, *o) < 0) {
792 log_error("tmpfs mount to %s failed: %m", where);
800 static int setup_timezone(const char *dest) {
801 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
807 /* Fix the timezone, if possible */
808 r = readlink_malloc("/etc/localtime", &p);
810 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
814 z = path_startswith(p, "../usr/share/zoneinfo/");
816 z = path_startswith(p, "/usr/share/zoneinfo/");
818 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
822 where = strappend(dest, "/etc/localtime");
826 r = readlink_malloc(where, &q);
828 y = path_startswith(q, "../usr/share/zoneinfo/");
830 y = path_startswith(q, "/usr/share/zoneinfo/");
832 /* Already pointing to the right place? Then do nothing .. */
833 if (y && streq(y, z))
837 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
841 if (access(check, F_OK) < 0) {
842 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
846 what = strappend("../usr/share/zoneinfo/", z);
850 mkdir_parents(where, 0755);
853 if (symlink(what, where) < 0) {
854 log_error("Failed to correct timezone of container: %m");
861 static int setup_resolv_conf(const char *dest) {
862 _cleanup_free_ char *where = NULL;
866 if (arg_private_network)
869 /* Fix resolv.conf, if possible */
870 where = strappend(dest, "/etc/resolv.conf");
874 /* We don't really care for the results of this really. If it
875 * fails, it fails, but meh... */
876 mkdir_parents(where, 0755);
877 copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644);
882 static int setup_volatile_state(const char *directory) {
888 if (arg_volatile != VOLATILE_STATE)
891 /* --volatile=state means we simply overmount /var
892 with a tmpfs, and the rest read-only. */
894 r = bind_remount_recursive(directory, true);
896 log_error("Failed to remount %s read-only: %s", directory, strerror(-r));
900 p = strappenda(directory, "/var");
903 if (mount("tmpfs", p, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
904 log_error("Failed to mount tmpfs to /var: %m");
911 static int setup_volatile(const char *directory) {
912 bool tmpfs_mounted = false, bind_mounted = false;
913 char template[] = "/tmp/nspawn-volatile-XXXXXX";
919 if (arg_volatile != VOLATILE_YES)
922 /* --volatile=yes means we mount a tmpfs to the root dir, and
923 the original /usr to use inside it, and that read-only. */
925 if (!mkdtemp(template)) {
926 log_error("Failed to create temporary directory: %m");
930 if (mount("tmpfs", template, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
931 log_error("Failed to mount tmpfs for root directory: %m");
936 tmpfs_mounted = true;
938 f = strappenda(directory, "/usr");
939 t = strappenda(template, "/usr");
942 if (mount(f, t, "bind", MS_BIND|MS_REC, NULL) < 0) {
943 log_error("Failed to create /usr bind mount: %m");
950 r = bind_remount_recursive(t, true);
952 log_error("Failed to remount %s read-only: %s", t, strerror(-r));
956 if (mount(template, directory, NULL, MS_MOVE, NULL) < 0) {
957 log_error("Failed to move root mount: %m");
975 static char* id128_format_as_uuid(sd_id128_t id, char s[37]) {
978 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
979 SD_ID128_FORMAT_VAL(id));
984 static int setup_boot_id(const char *dest) {
985 _cleanup_free_ char *from = NULL, *to = NULL;
992 if (arg_share_system)
995 /* Generate a new randomized boot ID, so that each boot-up of
996 * the container gets a new one */
998 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
999 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
1003 r = sd_id128_randomize(&rnd);
1005 log_error("Failed to generate random boot id: %s", strerror(-r));
1009 id128_format_as_uuid(rnd, as_uuid);
1011 r = write_string_file(from, as_uuid);
1013 log_error("Failed to write boot id: %s", strerror(-r));
1017 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1018 log_error("Failed to bind mount boot id: %m");
1020 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
1021 log_warning("Failed to make boot id read-only: %m");
1027 static int copy_devnodes(const char *dest) {
1029 static const char devnodes[] =
1039 _cleanup_umask_ mode_t u;
1045 NULSTR_FOREACH(d, devnodes) {
1046 _cleanup_free_ char *from = NULL, *to = NULL;
1049 from = strappend("/dev/", d);
1050 to = strjoin(dest, "/dev/", d, NULL);
1054 if (stat(from, &st) < 0) {
1056 if (errno != ENOENT) {
1057 log_error("Failed to stat %s: %m", from);
1061 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
1063 log_error("%s is not a char or block device, cannot copy", from);
1066 } else if (mknod(to, st.st_mode, st.st_rdev) < 0) {
1068 log_error("mknod(%s) failed: %m", dest);
1076 static int setup_ptmx(const char *dest) {
1077 _cleanup_free_ char *p = NULL;
1079 p = strappend(dest, "/dev/ptmx");
1083 if (symlink("pts/ptmx", p) < 0) {
1084 log_error("Failed to create /dev/ptmx symlink: %m");
1091 static int setup_dev_console(const char *dest, const char *console) {
1092 _cleanup_umask_ mode_t u;
1102 if (stat("/dev/null", &st) < 0) {
1103 log_error("Failed to stat /dev/null: %m");
1107 r = chmod_and_chown(console, 0600, 0, 0);
1109 log_error("Failed to correct access mode for TTY: %s", strerror(-r));
1113 /* We need to bind mount the right tty to /dev/console since
1114 * ptys can only exist on pts file systems. To have something
1115 * to bind mount things on we create a device node first, and
1116 * use /dev/null for that since we the cgroups device policy
1117 * allows us to create that freely, while we cannot create
1118 * /dev/console. (Note that the major minor doesn't actually
1119 * matter here, since we mount it over anyway). */
1121 to = strappenda(dest, "/dev/console");
1122 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0) {
1123 log_error("mknod() for /dev/console failed: %m");
1127 if (mount(console, to, "bind", MS_BIND, NULL) < 0) {
1128 log_error("Bind mount for /dev/console failed: %m");
1135 static int setup_kmsg(const char *dest, int kmsg_socket) {
1136 _cleanup_free_ char *from = NULL, *to = NULL;
1138 _cleanup_umask_ mode_t u;
1140 struct cmsghdr cmsghdr;
1141 uint8_t buf[CMSG_SPACE(sizeof(int))];
1143 struct msghdr mh = {
1144 .msg_control = &control,
1145 .msg_controllen = sizeof(control),
1147 struct cmsghdr *cmsg;
1150 assert(kmsg_socket >= 0);
1154 /* We create the kmsg FIFO as /dev/kmsg, but immediately
1155 * delete it after bind mounting it to /proc/kmsg. While FIFOs
1156 * on the reading side behave very similar to /proc/kmsg,
1157 * their writing side behaves differently from /dev/kmsg in
1158 * that writing blocks when nothing is reading. In order to
1159 * avoid any problems with containers deadlocking due to this
1160 * we simply make /dev/kmsg unavailable to the container. */
1161 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
1162 asprintf(&to, "%s/proc/kmsg", dest) < 0)
1165 if (mkfifo(from, 0600) < 0) {
1166 log_error("mkfifo() for /dev/kmsg failed: %m");
1170 r = chmod_and_chown(from, 0600, 0, 0);
1172 log_error("Failed to correct access mode for /dev/kmsg: %s", strerror(-r));
1176 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
1177 log_error("Bind mount for /proc/kmsg failed: %m");
1181 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
1183 log_error("Failed to open fifo: %m");
1187 cmsg = CMSG_FIRSTHDR(&mh);
1188 cmsg->cmsg_level = SOL_SOCKET;
1189 cmsg->cmsg_type = SCM_RIGHTS;
1190 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
1191 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
1193 mh.msg_controllen = cmsg->cmsg_len;
1195 /* Store away the fd in the socket, so that it stays open as
1196 * long as we run the child */
1197 k = sendmsg(kmsg_socket, &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
1201 log_error("Failed to send FIFO fd: %m");
1205 /* And now make the FIFO unavailable as /dev/kmsg... */
1210 static int setup_hostname(void) {
1212 if (arg_share_system)
1215 if (sethostname(arg_machine, strlen(arg_machine)) < 0)
1221 static int setup_journal(const char *directory) {
1222 sd_id128_t machine_id, this_id;
1223 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
1227 p = strappend(directory, "/etc/machine-id");
1231 r = read_one_line_file(p, &b);
1232 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
1235 log_error("Failed to read machine ID from %s: %s", p, strerror(-r));
1240 if (isempty(id) && arg_link_journal == LINK_AUTO)
1243 /* Verify validity */
1244 r = sd_id128_from_string(id, &machine_id);
1246 log_error("Failed to parse machine ID from %s: %s", p, strerror(-r));
1250 r = sd_id128_get_machine(&this_id);
1252 log_error("Failed to retrieve machine ID: %s", strerror(-r));
1256 if (sd_id128_equal(machine_id, this_id)) {
1257 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1258 "Host and machine ids are equal (%s): refusing to link journals", id);
1259 if (arg_link_journal == LINK_AUTO)
1265 if (arg_link_journal == LINK_NO)
1269 p = strappend("/var/log/journal/", id);
1270 q = strjoin(directory, "/var/log/journal/", id, NULL);
1274 if (path_is_mount_point(p, false) > 0) {
1275 if (arg_link_journal != LINK_AUTO) {
1276 log_error("%s: already a mount point, refusing to use for journal", p);
1283 if (path_is_mount_point(q, false) > 0) {
1284 if (arg_link_journal != LINK_AUTO) {
1285 log_error("%s: already a mount point, refusing to use for journal", q);
1292 r = readlink_and_make_absolute(p, &d);
1294 if ((arg_link_journal == LINK_GUEST ||
1295 arg_link_journal == LINK_AUTO) &&
1298 r = mkdir_p(q, 0755);
1300 log_warning("failed to create directory %s: %m", q);
1304 if (unlink(p) < 0) {
1305 log_error("Failed to remove symlink %s: %m", p);
1308 } else if (r == -EINVAL) {
1310 if (arg_link_journal == LINK_GUEST &&
1313 if (errno == ENOTDIR) {
1314 log_error("%s already exists and is neither a symlink nor a directory", p);
1317 log_error("Failed to remove %s: %m", p);
1321 } else if (r != -ENOENT) {
1322 log_error("readlink(%s) failed: %m", p);
1326 if (arg_link_journal == LINK_GUEST) {
1328 if (symlink(q, p) < 0) {
1329 log_error("Failed to symlink %s to %s: %m", q, p);
1333 r = mkdir_p(q, 0755);
1335 log_warning("failed to create directory %s: %m", q);
1339 if (arg_link_journal == LINK_HOST) {
1340 r = mkdir_p(p, 0755);
1342 log_error("Failed to create %s: %m", p);
1346 } else if (access(p, F_OK) < 0)
1349 if (dir_is_empty(q) == 0)
1350 log_warning("%s is not empty, proceeding anyway.", q);
1352 r = mkdir_p(q, 0755);
1354 log_error("Failed to create %s: %m", q);
1358 if (mount(p, q, "bind", MS_BIND, NULL) < 0) {
1359 log_error("Failed to bind mount journal from host into guest: %m");
1366 static int setup_kdbus(const char *dest, const char *path) {
1372 p = strappenda(dest, "/dev/kdbus");
1373 if (mkdir(p, 0755) < 0) {
1374 log_error("Failed to create kdbus path: %m");
1378 if (mount(path, p, "bind", MS_BIND, NULL) < 0) {
1379 log_error("Failed to mount kdbus domain path: %m");
1386 static int drop_capabilities(void) {
1387 return capability_bounding_set_drop(~arg_retain, false);
1390 static int register_machine(pid_t pid, int local_ifindex) {
1391 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1392 _cleanup_bus_unref_ sd_bus *bus = NULL;
1398 r = sd_bus_default_system(&bus);
1400 log_error("Failed to open system bus: %s", strerror(-r));
1404 if (arg_keep_unit) {
1405 r = sd_bus_call_method(
1407 "org.freedesktop.machine1",
1408 "/org/freedesktop/machine1",
1409 "org.freedesktop.machine1.Manager",
1410 "RegisterMachineWithNetwork",
1415 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1419 strempty(arg_directory),
1420 local_ifindex > 0 ? 1 : 0, local_ifindex);
1422 _cleanup_bus_message_unref_ sd_bus_message *m = NULL;
1424 r = sd_bus_message_new_method_call(
1427 "org.freedesktop.machine1",
1428 "/org/freedesktop/machine1",
1429 "org.freedesktop.machine1.Manager",
1430 "CreateMachineWithNetwork");
1432 log_error("Failed to create message: %s", strerror(-r));
1436 r = sd_bus_message_append(
1440 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1444 strempty(arg_directory),
1445 local_ifindex > 0 ? 1 : 0, local_ifindex);
1447 log_error("Failed to append message arguments: %s", strerror(-r));
1451 r = sd_bus_message_open_container(m, 'a', "(sv)");
1453 log_error("Failed to open container: %s", strerror(-r));
1457 if (!isempty(arg_slice)) {
1458 r = sd_bus_message_append(m, "(sv)", "Slice", "s", arg_slice);
1460 log_error("Failed to append slice: %s", strerror(-r));
1465 r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
1467 log_error("Failed to add device policy: %s", strerror(-r));
1471 r = sd_bus_message_append(m, "(sv)", "DeviceAllow", "a(ss)", 10,
1472 /* Allow the container to
1473 * access and create the API
1474 * device nodes, so that
1475 * PrivateDevices= in the
1476 * container can work
1481 "/dev/random", "rwm",
1482 "/dev/urandom", "rwm",
1484 /* Allow the container
1485 * access to ptys. However,
1487 * container to ever create
1488 * these device nodes. */
1489 "/dev/pts/ptmx", "rw",
1491 /* Allow the container
1492 * access to all kdbus
1493 * devices. Again, the
1494 * container cannot create
1495 * these nodes, only use
1496 * them. We use a pretty
1497 * open match here, so that
1498 * the kernel API can still
1501 "char-kdbus/*", "rw");
1503 log_error("Failed to add device whitelist: %s", strerror(-r));
1507 r = sd_bus_message_close_container(m);
1509 log_error("Failed to close container: %s", strerror(-r));
1513 r = sd_bus_call(bus, m, 0, &error, NULL);
1517 log_error("Failed to register machine: %s", bus_error_message(&error, r));
1524 static int terminate_machine(pid_t pid) {
1525 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1526 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
1527 _cleanup_bus_unref_ sd_bus *bus = NULL;
1534 r = sd_bus_default_system(&bus);
1536 log_error("Failed to open system bus: %s", strerror(-r));
1540 r = sd_bus_call_method(
1542 "org.freedesktop.machine1",
1543 "/org/freedesktop/machine1",
1544 "org.freedesktop.machine1.Manager",
1551 /* Note that the machine might already have been
1552 * cleaned up automatically, hence don't consider it a
1553 * failure if we cannot get the machine object. */
1554 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
1558 r = sd_bus_message_read(reply, "o", &path);
1560 return bus_log_parse_error(r);
1562 r = sd_bus_call_method(
1564 "org.freedesktop.machine1",
1566 "org.freedesktop.machine1.Machine",
1572 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
1579 static int reset_audit_loginuid(void) {
1580 _cleanup_free_ char *p = NULL;
1583 if (arg_share_system)
1586 r = read_one_line_file("/proc/self/loginuid", &p);
1590 log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
1594 /* Already reset? */
1595 if (streq(p, "4294967295"))
1598 r = write_string_file("/proc/self/loginuid", "4294967295");
1600 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
1601 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1602 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1603 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1604 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
1612 #define HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
1614 static int get_mac(struct ether_addr *mac) {
1621 l = strlen(arg_machine);
1622 sz = sizeof(sd_id128_t) + l;
1625 /* fetch some persistent data unique to the host */
1626 r = sd_id128_get_machine((sd_id128_t*) v);
1630 /* combine with some data unique (on this host) to this
1631 * container instance */
1632 memcpy(v + sizeof(sd_id128_t), arg_machine, l);
1634 /* Let's hash the host machine ID plus the container name. We
1635 * use a fixed, but originally randomly created hash key here. */
1636 siphash24(result, v, sz, HASH_KEY.bytes);
1638 assert_cc(ETH_ALEN <= sizeof(result));
1639 memcpy(mac->ether_addr_octet, result, ETH_ALEN);
1641 /* see eth_random_addr in the kernel */
1642 mac->ether_addr_octet[0] &= 0xfe; /* clear multicast bit */
1643 mac->ether_addr_octet[0] |= 0x02; /* set local assignment bit (IEEE802) */
1648 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
1649 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1650 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1651 struct ether_addr mac;
1654 if (!arg_private_network)
1657 if (!arg_network_veth)
1660 /* Use two different interface name prefixes depending whether
1661 * we are in bridge mode or not. */
1662 if (arg_network_bridge)
1663 memcpy(iface_name, "vb-", 3);
1665 memcpy(iface_name, "ve-", 3);
1666 strncpy(iface_name+3, arg_machine, IFNAMSIZ - 3);
1670 log_error("Failed to generate predictable MAC address for host0");
1674 r = sd_rtnl_open(&rtnl, 0);
1676 log_error("Failed to connect to netlink: %s", strerror(-r));
1680 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1682 log_error("Failed to allocate netlink message: %s", strerror(-r));
1686 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
1688 log_error("Failed to add netlink interface name: %s", strerror(-r));
1692 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1694 log_error("Failed to open netlink container: %s", strerror(-r));
1698 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth");
1700 log_error("Failed to open netlink container: %s", strerror(-r));
1704 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
1706 log_error("Failed to open netlink container: %s", strerror(-r));
1710 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
1712 log_error("Failed to add netlink interface name: %s", strerror(-r));
1716 r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac);
1718 log_error("Failed to add netlink MAC address: %s", strerror(-r));
1722 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1724 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1728 r = sd_rtnl_message_close_container(m);
1730 log_error("Failed to close netlink container: %s", strerror(-r));
1734 r = sd_rtnl_message_close_container(m);
1736 log_error("Failed to close netlink container: %s", strerror(-r));
1740 r = sd_rtnl_message_close_container(m);
1742 log_error("Failed to close netlink container: %s", strerror(-r));
1746 r = sd_rtnl_call(rtnl, m, 0, NULL);
1748 log_error("Failed to add new veth interfaces: %s", strerror(-r));
1752 i = (int) if_nametoindex(iface_name);
1754 log_error("Failed to resolve interface %s: %m", iface_name);
1763 static int setup_bridge(const char veth_name[], int *ifi) {
1764 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1765 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1768 if (!arg_private_network)
1771 if (!arg_network_veth)
1774 if (!arg_network_bridge)
1777 bridge = (int) if_nametoindex(arg_network_bridge);
1779 log_error("Failed to resolve interface %s: %m", arg_network_bridge);
1785 r = sd_rtnl_open(&rtnl, 0);
1787 log_error("Failed to connect to netlink: %s", strerror(-r));
1791 r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, 0);
1793 log_error("Failed to allocate netlink message: %s", strerror(-r));
1797 r = sd_rtnl_message_link_set_flags(m, IFF_UP, IFF_UP);
1799 log_error("Failed to set IFF_UP flag: %s", strerror(-r));
1803 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
1805 log_error("Failed to add netlink interface name field: %s", strerror(-r));
1809 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
1811 log_error("Failed to add netlink master field: %s", strerror(-r));
1815 r = sd_rtnl_call(rtnl, m, 0, NULL);
1817 log_error("Failed to add veth interface to bridge: %s", strerror(-r));
1824 static int parse_interface(struct udev *udev, const char *name) {
1825 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1826 char ifi_str[2 + DECIMAL_STR_MAX(int)];
1829 ifi = (int) if_nametoindex(name);
1831 log_error("Failed to resolve interface %s: %m", name);
1835 sprintf(ifi_str, "n%i", ifi);
1836 d = udev_device_new_from_device_id(udev, ifi_str);
1838 log_error("Failed to get udev device for interface %s: %m", name);
1842 if (udev_device_get_is_initialized(d) <= 0) {
1843 log_error("Network interface %s is not initialized yet.", name);
1850 static int move_network_interfaces(pid_t pid) {
1851 _cleanup_udev_unref_ struct udev *udev = NULL;
1852 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1856 if (!arg_private_network)
1859 if (strv_isempty(arg_network_interfaces))
1862 r = sd_rtnl_open(&rtnl, 0);
1864 log_error("Failed to connect to netlink: %s", strerror(-r));
1870 log_error("Failed to connect to udev.");
1874 STRV_FOREACH(i, arg_network_interfaces) {
1875 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1878 ifi = parse_interface(udev, *i);
1882 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, ifi);
1884 log_error("Failed to allocate netlink message: %s", strerror(-r));
1888 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1890 log_error("Failed to append namespace PID to netlink message: %s", strerror(-r));
1894 r = sd_rtnl_call(rtnl, m, 0, NULL);
1896 log_error("Failed to move interface %s to namespace: %s", *i, strerror(-r));
1904 static int setup_macvlan(pid_t pid) {
1905 _cleanup_udev_unref_ struct udev *udev = NULL;
1906 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1910 if (!arg_private_network)
1913 if (strv_isempty(arg_network_macvlan))
1916 r = sd_rtnl_open(&rtnl, 0);
1918 log_error("Failed to connect to netlink: %s", strerror(-r));
1924 log_error("Failed to connect to udev.");
1928 STRV_FOREACH(i, arg_network_macvlan) {
1929 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1930 _cleanup_free_ char *n = NULL;
1933 ifi = parse_interface(udev, *i);
1937 r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0);
1939 log_error("Failed to allocate netlink message: %s", strerror(-r));
1943 r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi);
1945 log_error("Failed to add netlink interface index: %s", strerror(-r));
1949 n = strappend("mv-", *i);
1953 strshorten(n, IFNAMSIZ-1);
1955 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n);
1957 log_error("Failed to add netlink interface name: %s", strerror(-r));
1961 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1963 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1967 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1969 log_error("Failed to open netlink container: %s", strerror(-r));
1973 r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan");
1975 log_error("Failed to open netlink container: %s", strerror(-r));
1979 r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE);
1981 log_error("Failed to append macvlan mode: %s", strerror(-r));
1985 r = sd_rtnl_message_close_container(m);
1987 log_error("Failed to close netlink container: %s", strerror(-r));
1991 r = sd_rtnl_message_close_container(m);
1993 log_error("Failed to close netlink container: %s", strerror(-r));
1997 r = sd_rtnl_call(rtnl, m, 0, NULL);
1999 log_error("Failed to add new macvlan interfaces: %s", strerror(-r));
2007 static int setup_seccomp(void) {
2010 static const int blacklist[] = {
2011 SCMP_SYS(kexec_load),
2012 SCMP_SYS(open_by_handle_at),
2013 SCMP_SYS(init_module),
2014 SCMP_SYS(finit_module),
2015 SCMP_SYS(delete_module),
2022 scmp_filter_ctx seccomp;
2026 seccomp = seccomp_init(SCMP_ACT_ALLOW);
2030 r = seccomp_add_secondary_archs(seccomp);
2032 log_error("Failed to add secondary archs to seccomp filter: %s", strerror(-r));
2036 for (i = 0; i < ELEMENTSOF(blacklist); i++) {
2037 r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
2039 continue; /* unknown syscall */
2041 log_error("Failed to block syscall: %s", strerror(-r));
2047 Audit is broken in containers, much of the userspace audit
2048 hookup will fail if running inside a container. We don't
2049 care and just turn off creation of audit sockets.
2051 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
2052 with EAFNOSUPPORT which audit userspace uses as indication
2053 that audit is disabled in the kernel.
2056 r = seccomp_rule_add(
2058 SCMP_ACT_ERRNO(EAFNOSUPPORT),
2061 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
2062 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
2064 log_error("Failed to add audit seccomp rule: %s", strerror(-r));
2068 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
2070 log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
2074 r = seccomp_load(seccomp);
2076 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
2079 seccomp_release(seccomp);
2087 static int setup_image(char **device_path, int *loop_nr) {
2088 struct loop_info64 info = {
2089 .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN
2091 _cleanup_close_ int fd = -1, control = -1, loop = -1;
2092 _cleanup_free_ char* loopdev = NULL;
2096 assert(device_path);
2099 fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2101 log_error("Failed to open %s: %m", arg_image);
2105 if (fstat(fd, &st) < 0) {
2106 log_error("Failed to stat %s: %m", arg_image);
2110 if (S_ISBLK(st.st_mode)) {
2113 p = strdup(arg_image);
2127 if (!S_ISREG(st.st_mode)) {
2128 log_error("%s is not a regular file or block device: %m", arg_image);
2132 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2134 log_error("Failed to open /dev/loop-control: %m");
2138 nr = ioctl(control, LOOP_CTL_GET_FREE);
2140 log_error("Failed to allocate loop device: %m");
2144 if (asprintf(&loopdev, "/dev/loop%i", nr) < 0)
2147 loop = open(loopdev, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY);
2149 log_error("Failed to open loop device %s: %m", loopdev);
2153 if (ioctl(loop, LOOP_SET_FD, fd) < 0) {
2154 log_error("Failed to set loopback file descriptor on %s: %m", loopdev);
2159 info.lo_flags |= LO_FLAGS_READ_ONLY;
2161 if (ioctl(loop, LOOP_SET_STATUS64, &info) < 0) {
2162 log_error("Failed to set loopback settings on %s: %m", loopdev);
2166 *device_path = loopdev;
2177 static int dissect_image(
2179 char **root_device, bool *root_device_rw,
2180 char **home_device, bool *home_device_rw,
2181 char **srv_device, bool *srv_device_rw,
2185 int home_nr = -1, root_nr = -1, secondary_root_nr = -1, srv_nr = -1;
2186 _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL;
2187 _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL;
2188 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
2189 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2190 _cleanup_udev_unref_ struct udev *udev = NULL;
2191 struct udev_list_entry *first, *item;
2192 bool home_rw = true, root_rw = true, secondary_root_rw = true, srv_rw = true;
2193 const char *pttype = NULL;
2199 assert(root_device);
2200 assert(home_device);
2204 b = blkid_new_probe();
2209 r = blkid_probe_set_device(b, fd, 0, 0);
2214 log_error("Failed to set device on blkid probe: %m");
2218 blkid_probe_enable_partitions(b, 1);
2219 blkid_probe_set_partitions_flags(b, BLKID_PARTS_ENTRY_DETAILS);
2222 r = blkid_do_safeprobe(b);
2223 if (r == -2 || r == 1) {
2224 log_error("Failed to identify any partition table on %s.\n"
2225 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2227 } else if (r != 0) {
2230 log_error("Failed to probe: %m");
2234 blkid_probe_lookup_value(b, "PTTYPE", &pttype, NULL);
2235 if (!streq_ptr(pttype, "gpt")) {
2236 log_error("Image %s does not carry a GUID Partition Table.\n"
2237 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2242 pl = blkid_probe_get_partitions(b);
2247 log_error("Failed to list partitions of %s", arg_image);
2255 if (fstat(fd, &st) < 0) {
2256 log_error("Failed to stat block device: %m");
2260 d = udev_device_new_from_devnum(udev, 'b', st.st_rdev);
2264 e = udev_enumerate_new(udev);
2268 r = udev_enumerate_add_match_parent(e, d);
2272 r = udev_enumerate_scan_devices(e);
2274 log_error("Failed to scan for partition devices of %s: %s", arg_image, strerror(-r));
2278 first = udev_enumerate_get_list_entry(e);
2279 udev_list_entry_foreach(item, first) {
2280 _cleanup_udev_device_unref_ struct udev_device *q;
2281 const char *stype, *node;
2282 unsigned long long flags;
2289 q = udev_device_new_from_syspath(udev, udev_list_entry_get_name(item));
2294 log_error("Failed to get partition device of %s: %m", arg_image);
2298 qn = udev_device_get_devnum(q);
2302 if (st.st_rdev == qn)
2305 node = udev_device_get_devnode(q);
2309 pp = blkid_partlist_devno_to_partition(pl, qn);
2313 flags = blkid_partition_get_flags(pp);
2314 if (flags & GPT_FLAG_NO_AUTO)
2317 nr = blkid_partition_get_partno(pp);
2321 stype = blkid_partition_get_type_string(pp);
2325 if (sd_id128_from_string(stype, &type_id) < 0)
2328 if (sd_id128_equal(type_id, GPT_HOME)) {
2330 if (home && nr >= home_nr)
2334 home_rw = !(flags & GPT_FLAG_READ_ONLY);
2337 home = strdup(node);
2340 } else if (sd_id128_equal(type_id, GPT_SRV)) {
2342 if (srv && nr >= srv_nr)
2346 srv_rw = !(flags & GPT_FLAG_READ_ONLY);
2353 #ifdef GPT_ROOT_NATIVE
2354 else if (sd_id128_equal(type_id, GPT_ROOT_NATIVE)) {
2356 if (root && nr >= root_nr)
2360 root_rw = !(flags & GPT_FLAG_READ_ONLY);
2363 root = strdup(node);
2368 #ifdef GPT_ROOT_SECONDARY
2369 else if (sd_id128_equal(type_id, GPT_ROOT_SECONDARY)) {
2371 if (secondary_root && nr >= secondary_root_nr)
2374 secondary_root_nr = nr;
2375 secondary_root_rw = !(flags & GPT_FLAG_READ_ONLY);
2378 free(secondary_root);
2379 secondary_root = strdup(node);
2380 if (!secondary_root)
2386 if (!root && !secondary_root) {
2387 log_error("Failed to identify root partition in disk image %s.\n"
2388 "Note that the disk image needs to follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ to be supported by systemd-nspawn.", arg_image);
2393 *root_device = root;
2396 *root_device_rw = root_rw;
2398 } else if (secondary_root) {
2399 *root_device = secondary_root;
2400 secondary_root = NULL;
2402 *root_device_rw = secondary_root_rw;
2407 *home_device = home;
2410 *home_device_rw = home_rw;
2417 *srv_device_rw = srv_rw;
2422 log_error("--image= is not supported, compiled without blkid support.");
2427 static int mount_device(const char *what, const char *where, const char *directory, bool rw) {
2429 _cleanup_blkid_free_probe_ blkid_probe b = NULL;
2430 const char *fstype, *p;
2440 p = strappenda(where, directory);
2445 b = blkid_new_probe_from_filename(what);
2449 log_error("Failed to allocate prober for %s: %m", what);
2453 blkid_probe_enable_superblocks(b, 1);
2454 blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
2457 r = blkid_do_safeprobe(b);
2458 if (r == -1 || r == 1) {
2459 log_error("Cannot determine file system type of %s", what);
2461 } else if (r != 0) {
2464 log_error("Failed to probe %s: %m", what);
2469 if (blkid_probe_lookup_value(b, "TYPE", &fstype, NULL) < 0) {
2472 log_error("Failed to determine file system type of %s", what);
2476 if (streq(fstype, "crypto_LUKS")) {
2477 log_error("nspawn currently does not support LUKS disk images.");
2481 if (mount(what, p, fstype, MS_NODEV|(rw ? 0 : MS_RDONLY), NULL) < 0) {
2482 log_error("Failed to mount %s: %m", what);
2488 log_error("--image= is not supported, compiled without blkid support.");
2493 static int mount_devices(
2495 const char *root_device, bool root_device_rw,
2496 const char *home_device, bool home_device_rw,
2497 const char *srv_device, bool srv_device_rw) {
2503 r = mount_device(root_device, arg_directory, NULL, root_device_rw);
2505 log_error("Failed to mount root directory: %s", strerror(-r));
2511 r = mount_device(home_device, arg_directory, "/home", home_device_rw);
2513 log_error("Failed to mount home directory: %s", strerror(-r));
2519 r = mount_device(srv_device, arg_directory, "/srv", srv_device_rw);
2521 log_error("Failed to mount server data directory: %s", strerror(-r));
2529 static void loop_remove(int nr, int *image_fd) {
2530 _cleanup_close_ int control = -1;
2535 if (image_fd && *image_fd >= 0) {
2536 ioctl(*image_fd, LOOP_CLR_FD);
2537 *image_fd = safe_close(*image_fd);
2540 control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
2544 ioctl(control, LOOP_CTL_REMOVE, nr);
2547 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
2555 if (pipe2(pipe_fds, O_CLOEXEC) < 0) {
2556 log_error("Failed to allocate pipe: %m");
2562 log_error("Failed to fork getent child: %m");
2564 } else if (pid == 0) {
2566 char *empty_env = NULL;
2568 if (dup3(pipe_fds[1], STDOUT_FILENO, 0) < 0)
2569 _exit(EXIT_FAILURE);
2571 if (pipe_fds[0] > 2)
2572 safe_close(pipe_fds[0]);
2573 if (pipe_fds[1] > 2)
2574 safe_close(pipe_fds[1]);
2576 nullfd = open("/dev/null", O_RDWR);
2578 _exit(EXIT_FAILURE);
2580 if (dup3(nullfd, STDIN_FILENO, 0) < 0)
2581 _exit(EXIT_FAILURE);
2583 if (dup3(nullfd, STDERR_FILENO, 0) < 0)
2584 _exit(EXIT_FAILURE);
2589 reset_all_signal_handlers();
2590 close_all_fds(NULL, 0);
2592 execle("/usr/bin/getent", "getent", database, key, NULL, &empty_env);
2593 execle("/bin/getent", "getent", database, key, NULL, &empty_env);
2594 _exit(EXIT_FAILURE);
2597 pipe_fds[1] = safe_close(pipe_fds[1]);
2604 static int change_uid_gid(char **_home) {
2605 char line[LINE_MAX], *w, *x, *state, *u, *g, *h;
2606 _cleanup_free_ uid_t *uids = NULL;
2607 _cleanup_free_ char *home = NULL;
2608 _cleanup_fclose_ FILE *f = NULL;
2609 _cleanup_close_ int fd = -1;
2610 unsigned n_uids = 0;
2619 if (!arg_user || streq(arg_user, "root") || streq(arg_user, "0")) {
2620 /* Reset everything fully to 0, just in case */
2622 if (setgroups(0, NULL) < 0) {
2623 log_error("setgroups() failed: %m");
2627 if (setresgid(0, 0, 0) < 0) {
2628 log_error("setregid() failed: %m");
2632 if (setresuid(0, 0, 0) < 0) {
2633 log_error("setreuid() failed: %m");
2641 /* First, get user credentials */
2642 fd = spawn_getent("passwd", arg_user, &pid);
2646 f = fdopen(fd, "r");
2651 if (!fgets(line, sizeof(line), f)) {
2654 log_error("Failed to resolve user %s.", arg_user);
2658 log_error("Failed to read from getent: %m");
2664 wait_for_terminate_and_warn("getent passwd", pid);
2666 x = strchr(line, ':');
2668 log_error("/etc/passwd entry has invalid user field.");
2672 u = strchr(x+1, ':');
2674 log_error("/etc/passwd entry has invalid password field.");
2681 log_error("/etc/passwd entry has invalid UID field.");
2689 log_error("/etc/passwd entry has invalid GID field.");
2694 h = strchr(x+1, ':');
2696 log_error("/etc/passwd entry has invalid GECOS field.");
2703 log_error("/etc/passwd entry has invalid home directory field.");
2709 r = parse_uid(u, &uid);
2711 log_error("Failed to parse UID of user.");
2715 r = parse_gid(g, &gid);
2717 log_error("Failed to parse GID of user.");
2725 /* Second, get group memberships */
2726 fd = spawn_getent("initgroups", arg_user, &pid);
2731 f = fdopen(fd, "r");
2736 if (!fgets(line, sizeof(line), f)) {
2738 log_error("Failed to resolve user %s.", arg_user);
2742 log_error("Failed to read from getent: %m");
2748 wait_for_terminate_and_warn("getent initgroups", pid);
2750 /* Skip over the username and subsequent separator whitespace */
2752 x += strcspn(x, WHITESPACE);
2753 x += strspn(x, WHITESPACE);
2755 FOREACH_WORD(w, l, x, state) {
2761 if (!GREEDY_REALLOC(uids, sz, n_uids+1))
2764 r = parse_uid(c, &uids[n_uids++]);
2766 log_error("Failed to parse group data from getent.");
2771 r = mkdir_parents(home, 0775);
2773 log_error("Failed to make home root directory: %s", strerror(-r));
2777 r = mkdir_safe(home, 0755, uid, gid);
2778 if (r < 0 && r != -EEXIST) {
2779 log_error("Failed to make home directory: %s", strerror(-r));
2783 fchown(STDIN_FILENO, uid, gid);
2784 fchown(STDOUT_FILENO, uid, gid);
2785 fchown(STDERR_FILENO, uid, gid);
2787 if (setgroups(n_uids, uids) < 0) {
2788 log_error("Failed to set auxiliary groups: %m");
2792 if (setresgid(gid, gid, gid) < 0) {
2793 log_error("setregid() failed: %m");
2797 if (setresuid(uid, uid, uid) < 0) {
2798 log_error("setreuid() failed: %m");
2812 * < 0 : wait_for_terminate() failed to get the state of the
2813 * container, the container was terminated by a signal, or
2814 * failed for an unknown reason. No change is made to the
2815 * container argument.
2816 * > 0 : The program executed in the container terminated with an
2817 * error. The exit code of the program executed in the
2818 * container is returned. No change is made to the container
2820 * 0 : The container is being rebooted, has been shut down or exited
2821 * successfully. The container argument has been set to either
2822 * CONTAINER_TERMINATED or CONTAINER_REBOOTED.
2824 * That is, success is indicated by a return value of zero, and an
2825 * error is indicated by a non-zero value.
2827 static int wait_for_container(pid_t pid, ContainerStatus *container) {
2831 r = wait_for_terminate(pid, &status);
2833 log_warning("Failed to wait for container: %s", strerror(-r));
2837 switch (status.si_code) {
2839 r = status.si_status;
2842 log_debug("Container %s exited successfully.",
2845 *container = CONTAINER_TERMINATED;
2847 log_error("Container %s failed with error code %i.",
2848 arg_machine, status.si_status);
2853 if (status.si_status == SIGINT) {
2855 log_info("Container %s has been shut down.",
2858 *container = CONTAINER_TERMINATED;
2861 } else if (status.si_status == SIGHUP) {
2863 log_info("Container %s is being rebooted.",
2866 *container = CONTAINER_REBOOTED;
2870 /* CLD_KILLED fallthrough */
2873 log_error("Container %s terminated by signal %s.",
2874 arg_machine, signal_to_string(status.si_status));
2879 log_error("Container %s failed due to unknown reason.",
2888 static void nop_handler(int sig) {}
2890 int main(int argc, char *argv[]) {
2892 _cleanup_free_ char *kdbus_domain = NULL, *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL;
2893 bool root_device_rw = true, home_device_rw = true, srv_device_rw = true;
2894 _cleanup_close_ int master = -1, kdbus_fd = -1, image_fd = -1;
2895 _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 };
2896 _cleanup_fdset_free_ FDSet *fds = NULL;
2897 int r = EXIT_FAILURE, k, n_fd_passed, loop_nr = -1;
2898 const char *console = NULL;
2899 char veth_name[IFNAMSIZ];
2900 bool secondary = false;
2901 sigset_t mask, mask_chld;
2904 log_parse_environment();
2907 k = parse_argv(argc, argv);
2916 if (arg_directory) {
2919 p = path_make_absolute_cwd(arg_directory);
2920 free(arg_directory);
2923 arg_directory = get_current_dir_name();
2925 if (!arg_directory) {
2926 log_error("Failed to determine path, please use -D.");
2929 path_kill_slashes(arg_directory);
2933 arg_machine = strdup(basename(arg_image ? arg_image : arg_directory));
2939 hostname_cleanup(arg_machine, false);
2940 if (isempty(arg_machine)) {
2941 log_error("Failed to determine machine name automatically, please use -M.");
2946 if (geteuid() != 0) {
2947 log_error("Need to be root.");
2951 if (sd_booted() <= 0) {
2952 log_error("Not running on a systemd system.");
2957 n_fd_passed = sd_listen_fds(false);
2958 if (n_fd_passed > 0) {
2959 k = fdset_new_listen_fds(&fds, false);
2961 log_error("Failed to collect file descriptors: %s", strerror(-k));
2965 fdset_close_others(fds);
2968 if (arg_directory) {
2969 if (path_equal(arg_directory, "/")) {
2970 log_error("Spawning container on root directory not supported.");
2975 if (path_is_os_tree(arg_directory) <= 0) {
2976 log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory);
2982 p = strappenda(arg_directory,
2983 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
2984 if (access(p, F_OK) < 0) {
2985 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
2991 char template[] = "/tmp/nspawn-root-XXXXXX";
2993 if (!mkdtemp(template)) {
2994 log_error("Failed to create temporary directory: %m");
2999 arg_directory = strdup(template);
3000 if (!arg_directory) {
3005 image_fd = setup_image(&device_path, &loop_nr);
3011 r = dissect_image(image_fd,
3012 &root_device, &root_device_rw,
3013 &home_device, &home_device_rw,
3014 &srv_device, &srv_device_rw,
3020 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
3022 log_error("Failed to acquire pseudo tty: %m");
3026 console = ptsname(master);
3028 log_error("Failed to determine tty name: %m");
3033 log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
3034 arg_machine, arg_image ? arg_image : arg_directory);
3036 if (unlockpt(master) < 0) {
3037 log_error("Failed to unlock tty: %m");
3041 if (access("/dev/kdbus/control", F_OK) >= 0) {
3043 if (arg_share_system) {
3044 kdbus_domain = strdup("/dev/kdbus");
3045 if (!kdbus_domain) {
3052 ns = strappenda("machine-", arg_machine);
3053 kdbus_fd = bus_kernel_create_domain(ns, &kdbus_domain);
3055 log_debug("Failed to create kdbus domain: %s", strerror(-r));
3057 log_debug("Successfully created kdbus domain as %s", kdbus_domain);
3061 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
3062 log_error("Failed to create kmsg socket pair: %m");
3066 sd_notify(0, "READY=1");
3068 assert_se(sigemptyset(&mask) == 0);
3069 assert_se(sigemptyset(&mask_chld) == 0);
3070 sigaddset(&mask_chld, SIGCHLD);
3071 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
3072 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
3075 ContainerStatus container_status;
3076 _cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
3077 struct sigaction sa = {
3078 .sa_handler = nop_handler,
3079 .sa_flags = SA_NOCLDSTOP,
3082 r = barrier_create(&barrier);
3084 log_error("Cannot initialize IPC barrier: %s", strerror(-r));
3088 /* Child can be killed before execv(), so handle SIGCHLD
3089 * in order to interrupt parent's blocking calls and
3090 * give it a chance to call wait() and terminate. */
3091 r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL);
3093 log_error("Failed to change the signal mask: %m");
3097 r = sigaction(SIGCHLD, &sa, NULL);
3099 log_error("Failed to install SIGCHLD handler: %m");
3103 pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWNS|
3104 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
3105 (arg_private_network ? CLONE_NEWNET : 0), NULL);
3107 if (errno == EINVAL)
3108 log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
3110 log_error("clone() failed: %m");
3118 _cleanup_free_ char *home = NULL;
3120 const char *envp[] = {
3121 "PATH=" DEFAULT_PATH_SPLIT_USR,
3122 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
3127 NULL, /* container_uuid */
3128 NULL, /* LISTEN_FDS */
3129 NULL, /* LISTEN_PID */
3134 barrier_set_role(&barrier, BARRIER_CHILD);
3136 envp[n_env] = strv_find_prefix(environ, "TERM=");
3140 master = safe_close(master);
3142 close_nointr(STDIN_FILENO);
3143 close_nointr(STDOUT_FILENO);
3144 close_nointr(STDERR_FILENO);
3146 kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
3148 reset_all_signal_handlers();
3150 assert_se(sigemptyset(&mask) == 0);
3151 assert_se(sigprocmask(SIG_SETMASK, &mask, NULL) == 0);
3153 k = open_terminal(console, O_RDWR);
3154 if (k != STDIN_FILENO) {
3160 log_error("Failed to open console: %s", strerror(-k));
3161 _exit(EXIT_FAILURE);
3164 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
3165 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
3166 log_error("Failed to duplicate console: %m");
3167 _exit(EXIT_FAILURE);
3171 log_error("setsid() failed: %m");
3172 _exit(EXIT_FAILURE);
3175 if (reset_audit_loginuid() < 0)
3176 _exit(EXIT_FAILURE);
3178 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
3179 log_error("PR_SET_PDEATHSIG failed: %m");
3180 _exit(EXIT_FAILURE);
3183 /* Mark everything as slave, so that we still
3184 * receive mounts from the real root, but don't
3185 * propagate mounts to the real root. */
3186 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
3187 log_error("MS_SLAVE|MS_REC failed: %m");
3188 _exit(EXIT_FAILURE);
3191 if (mount_devices(arg_directory,
3192 root_device, root_device_rw,
3193 home_device, home_device_rw,
3194 srv_device, srv_device_rw) < 0)
3195 _exit(EXIT_FAILURE);
3197 /* Turn directory into bind mount */
3198 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
3199 log_error("Failed to make bind mount: %m");
3200 _exit(EXIT_FAILURE);
3203 r = setup_volatile(arg_directory);
3205 _exit(EXIT_FAILURE);
3207 if (setup_volatile_state(arg_directory) < 0)
3208 _exit(EXIT_FAILURE);
3210 r = base_filesystem_create(arg_directory);
3212 _exit(EXIT_FAILURE);
3214 if (arg_read_only) {
3215 k = bind_remount_recursive(arg_directory, true);
3217 log_error("Failed to make tree read-only: %s", strerror(-k));
3218 _exit(EXIT_FAILURE);
3222 if (mount_all(arg_directory) < 0)
3223 _exit(EXIT_FAILURE);
3225 if (copy_devnodes(arg_directory) < 0)
3226 _exit(EXIT_FAILURE);
3228 if (setup_ptmx(arg_directory) < 0)
3229 _exit(EXIT_FAILURE);
3231 dev_setup(arg_directory);
3233 if (setup_seccomp() < 0)
3234 _exit(EXIT_FAILURE);
3236 if (setup_dev_console(arg_directory, console) < 0)
3237 _exit(EXIT_FAILURE);
3239 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
3240 _exit(EXIT_FAILURE);
3242 kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
3244 if (setup_boot_id(arg_directory) < 0)
3245 _exit(EXIT_FAILURE);
3247 if (setup_timezone(arg_directory) < 0)
3248 _exit(EXIT_FAILURE);
3250 if (setup_resolv_conf(arg_directory) < 0)
3251 _exit(EXIT_FAILURE);
3253 if (setup_journal(arg_directory) < 0)
3254 _exit(EXIT_FAILURE);
3256 if (mount_binds(arg_directory, arg_bind, false) < 0)
3257 _exit(EXIT_FAILURE);
3259 if (mount_binds(arg_directory, arg_bind_ro, true) < 0)
3260 _exit(EXIT_FAILURE);
3262 if (mount_tmpfs(arg_directory) < 0)
3263 _exit(EXIT_FAILURE);
3265 if (setup_kdbus(arg_directory, kdbus_domain) < 0)
3266 _exit(EXIT_FAILURE);
3268 /* Tell the parent that we are ready, and that
3269 * it can cgroupify us to that we lack access
3270 * to certain devices and resources. */
3271 barrier_place(&barrier);
3273 if (chdir(arg_directory) < 0) {
3274 log_error("chdir(%s) failed: %m", arg_directory);
3275 _exit(EXIT_FAILURE);
3278 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
3279 log_error("mount(MS_MOVE) failed: %m");
3280 _exit(EXIT_FAILURE);
3283 if (chroot(".") < 0) {
3284 log_error("chroot() failed: %m");
3285 _exit(EXIT_FAILURE);
3288 if (chdir("/") < 0) {
3289 log_error("chdir() failed: %m");
3290 _exit(EXIT_FAILURE);
3295 if (arg_private_network)
3298 if (drop_capabilities() < 0) {
3299 log_error("drop_capabilities() failed: %m");
3300 _exit(EXIT_FAILURE);
3303 r = change_uid_gid(&home);
3305 _exit(EXIT_FAILURE);
3307 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
3308 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
3309 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
3311 _exit(EXIT_FAILURE);
3314 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
3317 if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_format_as_uuid(arg_uuid, as_uuid)) < 0) {
3319 _exit(EXIT_FAILURE);
3323 if (fdset_size(fds) > 0) {
3324 k = fdset_cloexec(fds, false);
3326 log_error("Failed to unset O_CLOEXEC for file descriptors.");
3327 _exit(EXIT_FAILURE);
3330 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
3331 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
3333 _exit(EXIT_FAILURE);
3339 if (arg_personality != 0xffffffffLU) {
3340 if (personality(arg_personality) < 0) {
3341 log_error("personality() failed: %m");
3342 _exit(EXIT_FAILURE);
3344 } else if (secondary) {
3345 if (personality(PER_LINUX32) < 0) {
3346 log_error("personality() failed: %m");
3347 _exit(EXIT_FAILURE);
3352 if (arg_selinux_context)
3353 if (setexeccon((security_context_t) arg_selinux_context) < 0) {
3354 log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
3355 _exit(EXIT_FAILURE);
3359 if (!strv_isempty(arg_setenv)) {
3362 n = strv_env_merge(2, envp, arg_setenv);
3365 _exit(EXIT_FAILURE);
3370 env_use = (char**) envp;
3372 /* Wait until the parent is ready with the setup, too... */
3373 if (!barrier_place_and_sync(&barrier))
3374 _exit(EXIT_FAILURE);
3380 /* Automatically search for the init system */
3382 l = 1 + argc - optind;
3383 a = newa(char*, l + 1);
3384 memcpy(a + 1, argv + optind, l * sizeof(char*));
3386 a[0] = (char*) "/usr/lib/systemd/systemd";
3387 execve(a[0], a, env_use);
3389 a[0] = (char*) "/lib/systemd/systemd";
3390 execve(a[0], a, env_use);
3392 a[0] = (char*) "/sbin/init";
3393 execve(a[0], a, env_use);
3394 } else if (argc > optind)
3395 execvpe(argv[optind], argv + optind, env_use);
3397 chdir(home ? home : "/root");
3398 execle("/bin/bash", "-bash", NULL, env_use);
3399 execle("/bin/sh", "-sh", NULL, env_use);
3402 log_error("execv() failed: %m");
3403 _exit(EXIT_FAILURE);
3406 barrier_set_role(&barrier, BARRIER_PARENT);
3410 /* wait for child-setup to be done */
3411 if (barrier_place_and_sync(&barrier)) {
3414 r = move_network_interfaces(pid);
3418 r = setup_veth(pid, veth_name, &ifi);
3422 r = setup_bridge(veth_name, &ifi);
3426 r = setup_macvlan(pid);
3430 r = register_machine(pid, ifi);
3434 /* Block SIGCHLD here, before notifying child.
3435 * process_pty() will handle it with the other signals. */
3436 r = sigprocmask(SIG_BLOCK, &mask_chld, NULL);
3440 /* Reset signal to default */
3441 r = default_signals(SIGCHLD, -1);
3445 /* Notify the child that the parent is ready with all
3446 * its setup, and that the child can now hand over
3447 * control to the code to run inside the container. */
3448 barrier_place(&barrier);
3450 k = process_pty(master, &mask, arg_boot ? pid : 0, SIGRTMIN+3);
3459 /* Kill if it is not dead yet anyway */
3460 terminate_machine(pid);
3463 /* Normally redundant, but better safe than sorry */
3466 r = wait_for_container(pid, &container_status);
3470 /* We failed to wait for the container, or the
3471 * container exited abnormally */
3474 } else if (r > 0 || container_status == CONTAINER_TERMINATED)
3475 /* The container exited with a non-zero
3476 * status, or with zero status and no reboot
3480 /* CONTAINER_REBOOTED, loop again */
3482 if (arg_keep_unit) {
3483 /* Special handling if we are running as a
3484 * service: instead of simply restarting the
3485 * machine we want to restart the entire
3486 * service, so let's inform systemd about this
3487 * with the special exit code 133. The service
3488 * file uses RestartForceExitStatus=133 so
3489 * that this results in a full nspawn
3490 * restart. This is necessary since we might
3491 * have cgroup parameters set we want to have
3499 loop_remove(loop_nr, &image_fd);
3504 free(arg_directory);
3507 strv_free(arg_setenv);
3508 strv_free(arg_network_interfaces);
3509 strv_free(arg_network_macvlan);
3510 strv_free(arg_bind);
3511 strv_free(arg_bind_ro);
3512 strv_free(arg_tmpfs);
~ianmdlvl / elogind.git / blob