1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2010 Lennart Poettering
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
25 #include <sys/types.h>
26 #include <sys/syscall.h>
27 #include <sys/mount.h>
33 #include <sys/prctl.h>
34 #include <sys/capability.h>
37 #include <sys/signalfd.h>
41 #include <sys/socket.h>
42 #include <linux/netlink.h>
43 #include <sys/eventfd.h>
45 #include <linux/veth.h>
48 #include <selinux/selinux.h>
55 #include "sd-daemon.h"
65 #include "cgroup-util.h"
67 #include "path-util.h"
68 #include "loopback-setup.h"
69 #include "dev-setup.h"
74 #include "bus-error.h"
76 #include "bus-kernel.h"
79 #include "rtnl-util.h"
80 #include "udev-util.h"
82 typedef enum LinkJournal {
89 static char *arg_directory = NULL;
90 static char *arg_user = NULL;
91 static sd_id128_t arg_uuid = {};
92 static char *arg_machine = NULL;
93 static char *arg_selinux_context = NULL;
94 static char *arg_selinux_apifs_context = NULL;
95 static const char *arg_slice = NULL;
96 static bool arg_private_network = false;
97 static bool arg_read_only = false;
98 static bool arg_boot = false;
99 static LinkJournal arg_link_journal = LINK_AUTO;
100 static uint64_t arg_retain =
101 (1ULL << CAP_CHOWN) |
102 (1ULL << CAP_DAC_OVERRIDE) |
103 (1ULL << CAP_DAC_READ_SEARCH) |
104 (1ULL << CAP_FOWNER) |
105 (1ULL << CAP_FSETID) |
106 (1ULL << CAP_IPC_OWNER) |
108 (1ULL << CAP_LEASE) |
109 (1ULL << CAP_LINUX_IMMUTABLE) |
110 (1ULL << CAP_NET_BIND_SERVICE) |
111 (1ULL << CAP_NET_BROADCAST) |
112 (1ULL << CAP_NET_RAW) |
113 (1ULL << CAP_SETGID) |
114 (1ULL << CAP_SETFCAP) |
115 (1ULL << CAP_SETPCAP) |
116 (1ULL << CAP_SETUID) |
117 (1ULL << CAP_SYS_ADMIN) |
118 (1ULL << CAP_SYS_CHROOT) |
119 (1ULL << CAP_SYS_NICE) |
120 (1ULL << CAP_SYS_PTRACE) |
121 (1ULL << CAP_SYS_TTY_CONFIG) |
122 (1ULL << CAP_SYS_RESOURCE) |
123 (1ULL << CAP_SYS_BOOT) |
124 (1ULL << CAP_AUDIT_WRITE) |
125 (1ULL << CAP_AUDIT_CONTROL) |
127 static char **arg_bind = NULL;
128 static char **arg_bind_ro = NULL;
129 static char **arg_setenv = NULL;
130 static bool arg_quiet = false;
131 static bool arg_share_system = false;
132 static bool arg_register = true;
133 static bool arg_keep_unit = false;
134 static char **arg_network_interfaces = NULL;
135 static bool arg_network_veth = false;
136 static char *arg_network_bridge = NULL;
138 static int help(void) {
140 printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
141 "Spawn a minimal namespace container for debugging, testing and building.\n\n"
142 " -h --help Show this help\n"
143 " --version Print version string\n"
144 " -q --quiet Do not show status information\n"
145 " -D --directory=NAME Root directory for the container\n"
146 " -b --boot Boot up full system (i.e. invoke init)\n"
147 " -u --user=USER Run the command under specified user or uid\n"
148 " -M --machine=NAME Set the machine name for the container\n"
149 " --uuid=UUID Set a specific machine UUID for the container\n"
150 " -S --slice=SLICE Place the container in the specified slice\n"
151 " --private-network Disable network in container\n"
152 " --network-interface=INTERFACE\n"
153 " Assign an existing network interface to the\n"
155 " --network-veth Add a virtual ethernet connection between host\n"
157 " --network-bridge=INTERFACE\n"
158 " Add a virtual ethernet connection between host\n"
159 " and container and add it to an existing bridge on\n"
161 " -Z --selinux-context=SECLABEL\n"
162 " Set the SELinux security context to be used by\n"
163 " processes in the container\n"
164 " -L --selinux-apifs-context=SECLABEL\n"
165 " Set the SELinux security context to be used by\n"
166 " API/tmpfs file systems in the container\n"
167 " --capability=CAP In addition to the default, retain specified\n"
169 " --drop-capability=CAP Drop the specified capability from the default set\n"
170 " --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n"
171 " -j Equivalent to --link-journal=host\n"
172 " --read-only Mount the root directory read-only\n"
173 " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n"
175 " --bind-ro=PATH[:PATH] Similar, but creates a read-only bind mount\n"
176 " --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
177 " --share-system Share system namespaces with host\n"
178 " --register=BOOLEAN Register container as machine\n"
179 " --keep-unit Do not register a scope for the machine, reuse\n"
180 " the service unit nspawn is running in\n",
181 program_invocation_short_name);
186 static int parse_argv(int argc, char *argv[]) {
202 ARG_NETWORK_INTERFACE,
207 static const struct option options[] = {
208 { "help", no_argument, NULL, 'h' },
209 { "version", no_argument, NULL, ARG_VERSION },
210 { "directory", required_argument, NULL, 'D' },
211 { "user", required_argument, NULL, 'u' },
212 { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
213 { "boot", no_argument, NULL, 'b' },
214 { "uuid", required_argument, NULL, ARG_UUID },
215 { "read-only", no_argument, NULL, ARG_READ_ONLY },
216 { "capability", required_argument, NULL, ARG_CAPABILITY },
217 { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
218 { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
219 { "bind", required_argument, NULL, ARG_BIND },
220 { "bind-ro", required_argument, NULL, ARG_BIND_RO },
221 { "machine", required_argument, NULL, 'M' },
222 { "slice", required_argument, NULL, 'S' },
223 { "setenv", required_argument, NULL, ARG_SETENV },
224 { "selinux-context", required_argument, NULL, 'Z' },
225 { "selinux-apifs-context", required_argument, NULL, 'L' },
226 { "quiet", no_argument, NULL, 'q' },
227 { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
228 { "register", required_argument, NULL, ARG_REGISTER },
229 { "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
230 { "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
231 { "network-veth", no_argument, NULL, ARG_NETWORK_VETH },
232 { "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
237 uint64_t plus = 0, minus = 0;
242 while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:q", options, NULL)) >= 0) {
250 puts(PACKAGE_STRING);
251 puts(SYSTEMD_FEATURES);
256 arg_directory = canonicalize_file_name(optarg);
257 if (!arg_directory) {
258 log_error("Invalid root directory: %m");
266 arg_user = strdup(optarg);
272 case ARG_NETWORK_BRIDGE:
273 arg_network_bridge = strdup(optarg);
274 if (!arg_network_bridge)
279 case ARG_NETWORK_VETH:
280 arg_network_veth = true;
281 arg_private_network = true;
284 case ARG_NETWORK_INTERFACE:
285 if (strv_push(&arg_network_interfaces, optarg) < 0)
290 case ARG_PRIVATE_NETWORK:
291 arg_private_network = true;
299 r = sd_id128_from_string(optarg, &arg_uuid);
301 log_error("Invalid UUID: %s", optarg);
307 arg_slice = strdup(optarg);
314 if (isempty(optarg)) {
319 if (!hostname_is_valid(optarg)) {
320 log_error("Invalid machine name: %s", optarg);
325 arg_machine = strdup(optarg);
333 arg_selinux_context = optarg;
337 arg_selinux_apifs_context = optarg;
341 arg_read_only = true;
345 case ARG_DROP_CAPABILITY: {
349 FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) {
350 _cleanup_free_ char *t;
353 t = strndup(word, length);
357 if (streq(t, "all")) {
358 if (c == ARG_CAPABILITY)
359 plus = (uint64_t) -1;
361 minus = (uint64_t) -1;
363 if (cap_from_name(t, &cap) < 0) {
364 log_error("Failed to parse capability %s.", t);
368 if (c == ARG_CAPABILITY)
369 plus |= 1ULL << (uint64_t) cap;
371 minus |= 1ULL << (uint64_t) cap;
379 arg_link_journal = LINK_GUEST;
382 case ARG_LINK_JOURNAL:
383 if (streq(optarg, "auto"))
384 arg_link_journal = LINK_AUTO;
385 else if (streq(optarg, "no"))
386 arg_link_journal = LINK_NO;
387 else if (streq(optarg, "guest"))
388 arg_link_journal = LINK_GUEST;
389 else if (streq(optarg, "host"))
390 arg_link_journal = LINK_HOST;
392 log_error("Failed to parse link journal mode %s", optarg);
400 _cleanup_free_ char *a = NULL, *b = NULL;
404 x = c == ARG_BIND ? &arg_bind : &arg_bind_ro;
406 e = strchr(optarg, ':');
408 a = strndup(optarg, e - optarg);
418 if (!path_is_absolute(a) || !path_is_absolute(b)) {
419 log_error("Invalid bind mount specification: %s", optarg);
423 r = strv_extend(x, a);
427 r = strv_extend(x, b);
437 if (!env_assignment_is_valid(optarg)) {
438 log_error("Environment variable assignment '%s' is not valid.", optarg);
442 n = strv_env_set(arg_setenv, optarg);
446 strv_free(arg_setenv);
455 case ARG_SHARE_SYSTEM:
456 arg_share_system = true;
460 r = parse_boolean(optarg);
462 log_error("Failed to parse --register= argument: %s", optarg);
470 arg_keep_unit = true;
477 assert_not_reached("Unhandled option");
481 if (arg_share_system)
482 arg_register = false;
484 if (arg_boot && arg_share_system) {
485 log_error("--boot and --share-system may not be combined.");
489 if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) {
490 log_error("--keep-unit may not be used when invoked from a user session.");
494 arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
499 static int mount_all(const char *dest) {
501 typedef struct MountPoint {
510 static const MountPoint mount_table[] = {
511 { "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
512 { "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true }, /* Bind mount first */
513 { NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, true }, /* Then, make it r/o */
514 { "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true },
515 { "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true },
516 { "devpts", "/dev/pts", "devpts","newinstance,ptmxmode=0666,mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, true },
517 { "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
518 { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true },
520 { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false }, /* Bind mount first */
521 { NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false }, /* Then, make it r/o */
528 for (k = 0; k < ELEMENTSOF(mount_table); k++) {
529 _cleanup_free_ char *where = NULL;
531 _cleanup_free_ char *options = NULL;
536 where = strjoin(dest, "/", mount_table[k].where, NULL);
540 t = path_is_mount_point(where, true);
542 log_error("Failed to detect whether %s is a mount point: %s", where, strerror(-t));
550 /* Skip this entry if it is not a remount. */
551 if (mount_table[k].what && t > 0)
554 mkdir_p(where, 0755);
557 if (arg_selinux_apifs_context &&
558 (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) {
559 options = strjoin(mount_table[k].options, ",context=\"", arg_selinux_apifs_context, "\"", NULL);
566 o = mount_table[k].options;
569 if (mount(mount_table[k].what,
572 mount_table[k].flags,
574 mount_table[k].fatal) {
576 log_error("mount(%s) failed: %m", where);
586 static int mount_binds(const char *dest, char **l, unsigned long flags) {
589 STRV_FOREACH_PAIR(x, y, l) {
591 struct stat source_st, dest_st;
594 if (stat(*x, &source_st) < 0) {
595 log_error("failed to stat %s: %m", *x);
599 where = strappenda(dest, *y);
600 r = stat(where, &dest_st);
602 if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) {
603 log_error("The file types of %s and %s do not match. Refusing bind mount",
607 } else if (errno == ENOENT) {
608 r = mkdir_parents_label(where, 0755);
610 log_error("Failed to bind mount %s: %s", *x, strerror(-r));
614 log_error("Failed to bind mount %s: %s", *x, strerror(errno));
617 /* Create the mount point, but be conservative -- refuse to create block
618 * and char devices. */
619 if (S_ISDIR(source_st.st_mode))
620 mkdir_label(where, 0755);
621 else if (S_ISFIFO(source_st.st_mode))
623 else if (S_ISSOCK(source_st.st_mode))
624 mknod(where, 0644 | S_IFSOCK, 0);
625 else if (S_ISREG(source_st.st_mode))
628 log_error("Refusing to create mountpoint for file: %s", *x);
632 if (mount(*x, where, "bind", MS_BIND, NULL) < 0) {
633 log_error("mount(%s) failed: %m", where);
637 if (flags && mount(NULL, where, NULL, MS_REMOUNT|MS_BIND|flags, NULL) < 0) {
638 log_error("mount(%s) failed: %m", where);
646 static int setup_timezone(const char *dest) {
647 _cleanup_free_ char *where = NULL, *p = NULL, *q = NULL, *check = NULL, *what = NULL;
653 /* Fix the timezone, if possible */
654 r = readlink_malloc("/etc/localtime", &p);
656 log_warning("/etc/localtime is not a symlink, not updating container timezone.");
660 z = path_startswith(p, "../usr/share/zoneinfo/");
662 z = path_startswith(p, "/usr/share/zoneinfo/");
664 log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
668 where = strappend(dest, "/etc/localtime");
672 r = readlink_malloc(where, &q);
674 y = path_startswith(q, "../usr/share/zoneinfo/");
676 y = path_startswith(q, "/usr/share/zoneinfo/");
679 /* Already pointing to the right place? Then do nothing .. */
680 if (y && streq(y, z))
684 check = strjoin(dest, "/usr/share/zoneinfo/", z, NULL);
688 if (access(check, F_OK) < 0) {
689 log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
693 what = strappend("../usr/share/zoneinfo/", z);
698 if (symlink(what, where) < 0) {
699 log_error("Failed to correct timezone of container: %m");
706 static int setup_resolv_conf(const char *dest) {
707 char _cleanup_free_ *where = NULL;
711 if (arg_private_network)
714 /* Fix resolv.conf, if possible */
715 where = strappend(dest, "/etc/resolv.conf");
719 /* We don't really care for the results of this really. If it
720 * fails, it fails, but meh... */
721 copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW);
726 static int setup_boot_id(const char *dest) {
727 _cleanup_free_ char *from = NULL, *to = NULL;
734 if (arg_share_system)
737 /* Generate a new randomized boot ID, so that each boot-up of
738 * the container gets a new one */
740 from = strappend(dest, "/dev/proc-sys-kernel-random-boot-id");
741 to = strappend(dest, "/proc/sys/kernel/random/boot_id");
745 r = sd_id128_randomize(&rnd);
747 log_error("Failed to generate random boot id: %s", strerror(-r));
751 snprintf(as_uuid, sizeof(as_uuid),
752 "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
753 SD_ID128_FORMAT_VAL(rnd));
754 char_array_0(as_uuid);
756 r = write_string_file(from, as_uuid);
758 log_error("Failed to write boot id: %s", strerror(-r));
762 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
763 log_error("Failed to bind mount boot id: %m");
765 } else if (mount(from, to, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL))
766 log_warning("Failed to make boot id read-only: %m");
772 static int copy_devnodes(const char *dest) {
774 static const char devnodes[] =
784 _cleanup_umask_ mode_t u;
790 NULSTR_FOREACH(d, devnodes) {
791 _cleanup_free_ char *from = NULL, *to = NULL;
794 from = strappend("/dev/", d);
795 to = strjoin(dest, "/dev/", d, NULL);
799 if (stat(from, &st) < 0) {
801 if (errno != ENOENT) {
802 log_error("Failed to stat %s: %m", from);
806 } else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
808 log_error("%s is not a char or block device, cannot copy", from);
811 } else if (mknod(to, st.st_mode, st.st_rdev) < 0) {
813 log_error("mknod(%s) failed: %m", dest);
821 static int setup_ptmx(const char *dest) {
822 _cleanup_free_ char *p = NULL;
824 p = strappend(dest, "/dev/ptmx");
828 if (symlink("pts/ptmx", p) < 0) {
829 log_error("Failed to create /dev/ptmx symlink: %m");
836 static int setup_dev_console(const char *dest, const char *console) {
838 _cleanup_free_ char *to = NULL;
840 _cleanup_umask_ mode_t u;
847 if (stat(console, &st) < 0) {
848 log_error("Failed to stat %s: %m", console);
851 } else if (!S_ISCHR(st.st_mode)) {
852 log_error("/dev/console is not a char device");
856 r = chmod_and_chown(console, 0600, 0, 0);
858 log_error("Failed to correct access mode for TTY: %s", strerror(-r));
862 if (asprintf(&to, "%s/dev/console", dest) < 0)
865 /* We need to bind mount the right tty to /dev/console since
866 * ptys can only exist on pts file systems. To have something
867 * to bind mount things on we create a device node first, that
868 * has the right major/minor (note that the major minor
869 * doesn't actually matter here, since we mount it over
872 if (mknod(to, (st.st_mode & ~07777) | 0600, st.st_rdev) < 0) {
873 log_error("mknod() for /dev/console failed: %m");
877 if (mount(console, to, "bind", MS_BIND, NULL) < 0) {
878 log_error("Bind mount for /dev/console failed: %m");
885 static int setup_kmsg(const char *dest, int kmsg_socket) {
886 _cleanup_free_ char *from = NULL, *to = NULL;
888 _cleanup_umask_ mode_t u;
890 struct cmsghdr cmsghdr;
891 uint8_t buf[CMSG_SPACE(sizeof(int))];
894 .msg_control = &control,
895 .msg_controllen = sizeof(control),
897 struct cmsghdr *cmsg;
900 assert(kmsg_socket >= 0);
904 /* We create the kmsg FIFO as /dev/kmsg, but immediately
905 * delete it after bind mounting it to /proc/kmsg. While FIFOs
906 * on the reading side behave very similar to /proc/kmsg,
907 * their writing side behaves differently from /dev/kmsg in
908 * that writing blocks when nothing is reading. In order to
909 * avoid any problems with containers deadlocking due to this
910 * we simply make /dev/kmsg unavailable to the container. */
911 if (asprintf(&from, "%s/dev/kmsg", dest) < 0 ||
912 asprintf(&to, "%s/proc/kmsg", dest) < 0)
915 if (mkfifo(from, 0600) < 0) {
916 log_error("mkfifo() for /dev/kmsg failed: %m");
920 r = chmod_and_chown(from, 0600, 0, 0);
922 log_error("Failed to correct access mode for /dev/kmsg: %s", strerror(-r));
926 if (mount(from, to, "bind", MS_BIND, NULL) < 0) {
927 log_error("Bind mount for /proc/kmsg failed: %m");
931 fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
933 log_error("Failed to open fifo: %m");
937 cmsg = CMSG_FIRSTHDR(&mh);
938 cmsg->cmsg_level = SOL_SOCKET;
939 cmsg->cmsg_type = SCM_RIGHTS;
940 cmsg->cmsg_len = CMSG_LEN(sizeof(int));
941 memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
943 mh.msg_controllen = cmsg->cmsg_len;
945 /* Store away the fd in the socket, so that it stays open as
946 * long as we run the child */
947 k = sendmsg(kmsg_socket, &mh, MSG_DONTWAIT|MSG_NOSIGNAL);
948 close_nointr_nofail(fd);
951 log_error("Failed to send FIFO fd: %m");
955 /* And now make the FIFO unavailable as /dev/kmsg... */
960 static int setup_hostname(void) {
962 if (arg_share_system)
965 if (sethostname(arg_machine, strlen(arg_machine)) < 0)
971 static int setup_journal(const char *directory) {
972 sd_id128_t machine_id, this_id;
973 _cleanup_free_ char *p = NULL, *b = NULL, *q = NULL, *d = NULL;
977 p = strappend(directory, "/etc/machine-id");
981 r = read_one_line_file(p, &b);
982 if (r == -ENOENT && arg_link_journal == LINK_AUTO)
985 log_error("Failed to read machine ID from %s: %s", p, strerror(-r));
990 if (isempty(id) && arg_link_journal == LINK_AUTO)
993 /* Verify validity */
994 r = sd_id128_from_string(id, &machine_id);
996 log_error("Failed to parse machine ID from %s: %s", p, strerror(-r));
1000 r = sd_id128_get_machine(&this_id);
1002 log_error("Failed to retrieve machine ID: %s", strerror(-r));
1006 if (sd_id128_equal(machine_id, this_id)) {
1007 log_full(arg_link_journal == LINK_AUTO ? LOG_WARNING : LOG_ERR,
1008 "Host and machine ids are equal (%s): refusing to link journals", id);
1009 if (arg_link_journal == LINK_AUTO)
1015 if (arg_link_journal == LINK_NO)
1019 p = strappend("/var/log/journal/", id);
1020 q = strjoin(directory, "/var/log/journal/", id, NULL);
1024 if (path_is_mount_point(p, false) > 0) {
1025 if (arg_link_journal != LINK_AUTO) {
1026 log_error("%s: already a mount point, refusing to use for journal", p);
1033 if (path_is_mount_point(q, false) > 0) {
1034 if (arg_link_journal != LINK_AUTO) {
1035 log_error("%s: already a mount point, refusing to use for journal", q);
1042 r = readlink_and_make_absolute(p, &d);
1044 if ((arg_link_journal == LINK_GUEST ||
1045 arg_link_journal == LINK_AUTO) &&
1048 r = mkdir_p(q, 0755);
1050 log_warning("failed to create directory %s: %m", q);
1054 if (unlink(p) < 0) {
1055 log_error("Failed to remove symlink %s: %m", p);
1058 } else if (r == -EINVAL) {
1060 if (arg_link_journal == LINK_GUEST &&
1063 if (errno == ENOTDIR) {
1064 log_error("%s already exists and is neither a symlink nor a directory", p);
1067 log_error("Failed to remove %s: %m", p);
1071 } else if (r != -ENOENT) {
1072 log_error("readlink(%s) failed: %m", p);
1076 if (arg_link_journal == LINK_GUEST) {
1078 if (symlink(q, p) < 0) {
1079 log_error("Failed to symlink %s to %s: %m", q, p);
1083 r = mkdir_p(q, 0755);
1085 log_warning("failed to create directory %s: %m", q);
1089 if (arg_link_journal == LINK_HOST) {
1090 r = mkdir_p(p, 0755);
1092 log_error("Failed to create %s: %m", p);
1096 } else if (access(p, F_OK) < 0)
1099 if (dir_is_empty(q) == 0) {
1100 log_error("%s not empty.", q);
1104 r = mkdir_p(q, 0755);
1106 log_error("Failed to create %s: %m", q);
1110 if (mount(p, q, "bind", MS_BIND, NULL) < 0) {
1111 log_error("Failed to bind mount journal from host into guest: %m");
1118 static int setup_kdbus(const char *dest, const char *path) {
1124 p = strappenda(dest, "/dev/kdbus");
1125 if (mkdir(p, 0755) < 0) {
1126 log_error("Failed to create kdbus path: %m");
1130 if (mount(path, p, "bind", MS_BIND, NULL) < 0) {
1131 log_error("Failed to mount kdbus domain path: %m");
1138 static int drop_capabilities(void) {
1139 return capability_bounding_set_drop(~arg_retain, false);
1142 static int register_machine(pid_t pid) {
1143 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1144 _cleanup_bus_unref_ sd_bus *bus = NULL;
1150 r = sd_bus_default_system(&bus);
1152 log_error("Failed to open system bus: %s", strerror(-r));
1156 if (arg_keep_unit) {
1157 r = sd_bus_call_method(
1159 "org.freedesktop.machine1",
1160 "/org/freedesktop/machine1",
1161 "org.freedesktop.machine1.Manager",
1167 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1171 strempty(arg_directory));
1173 r = sd_bus_call_method(
1175 "org.freedesktop.machine1",
1176 "/org/freedesktop/machine1",
1177 "org.freedesktop.machine1.Manager",
1183 SD_BUS_MESSAGE_APPEND_ID128(arg_uuid),
1187 strempty(arg_directory),
1188 !isempty(arg_slice), "Slice", "s", arg_slice);
1192 log_error("Failed to register machine: %s", bus_error_message(&error, r));
1199 static int terminate_machine(pid_t pid) {
1200 _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
1201 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
1202 _cleanup_bus_unref_ sd_bus *bus = NULL;
1209 r = sd_bus_default_system(&bus);
1211 log_error("Failed to open system bus: %s", strerror(-r));
1215 r = sd_bus_call_method(
1217 "org.freedesktop.machine1",
1218 "/org/freedesktop/machine1",
1219 "org.freedesktop.machine1.Manager",
1226 /* Note that the machine might already have been
1227 * cleaned up automatically, hence don't consider it a
1228 * failure if we cannot get the machine object. */
1229 log_debug("Failed to get machine: %s", bus_error_message(&error, r));
1233 r = sd_bus_message_read(reply, "o", &path);
1235 return bus_log_parse_error(r);
1237 r = sd_bus_call_method(
1239 "org.freedesktop.machine1",
1241 "org.freedesktop.machine1.Machine",
1247 log_debug("Failed to terminate machine: %s", bus_error_message(&error, r));
1254 static int reset_audit_loginuid(void) {
1255 _cleanup_free_ char *p = NULL;
1258 if (arg_share_system)
1261 r = read_one_line_file("/proc/self/loginuid", &p);
1265 log_error("Failed to read /proc/self/loginuid: %s", strerror(-r));
1269 /* Already reset? */
1270 if (streq(p, "4294967295"))
1273 r = write_string_file("/proc/self/loginuid", "4294967295");
1275 log_error("Failed to reset audit login UID. This probably means that your kernel is too\n"
1276 "old and you have audit enabled. Note that the auditing subsystem is known to\n"
1277 "be incompatible with containers on old kernels. Please make sure to upgrade\n"
1278 "your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
1279 "using systemd-nspawn. Sleeping for 5s... (%s)\n", strerror(-r));
1287 static int setup_veth(pid_t pid, char iface_name[]) {
1288 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1289 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1292 if (!arg_private_network)
1295 if (!arg_network_veth)
1298 strncpy(iface_name+3, arg_machine, IFNAMSIZ - 3);
1300 r = sd_rtnl_open(0, &rtnl);
1302 log_error("Failed to connect to netlink: %s", strerror(-r));
1306 r = sd_rtnl_message_new_link(rtnl, RTM_NEWLINK, 0, &m);
1308 log_error("Failed to allocate netlink message: %s", strerror(-r));
1312 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name);
1314 log_error("Failed to add netlink interface name: %s", strerror(-r));
1318 r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
1320 log_error("Failed to open netlink container: %s", strerror(-r));
1324 r = sd_rtnl_message_append_string(m, IFLA_INFO_KIND, "veth");
1326 log_error("Failed to append netlink kind: %s", strerror(-r));
1330 r = sd_rtnl_message_open_container(m, IFLA_INFO_DATA);
1332 log_error("Failed to open netlink container: %s", strerror(-r));
1336 r = sd_rtnl_message_open_container(m, VETH_INFO_PEER);
1338 log_error("Failed to open netlink container: %s", strerror(-r));
1342 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0");
1344 log_error("Failed to add netlink interface name: %s", strerror(-r));
1348 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1350 log_error("Failed to add netlink namespace field: %s", strerror(-r));
1354 r = sd_rtnl_message_close_container(m);
1356 log_error("Failed to close netlink container: %s", strerror(-r));
1360 r = sd_rtnl_message_close_container(m);
1362 log_error("Failed to close netlink container: %s", strerror(-r));
1366 r = sd_rtnl_message_close_container(m);
1368 log_error("Failed to close netlink container: %s", strerror(-r));
1372 r = sd_rtnl_call(rtnl, m, 0, NULL);
1374 log_error("Failed to add new veth interfaces: %s", strerror(-r));
1381 static int setup_bridge(const char veth_name[]) {
1382 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1383 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1386 if (!arg_private_network)
1389 if (!arg_network_veth)
1392 if (!arg_network_bridge)
1395 bridge = (int) if_nametoindex(arg_network_bridge);
1397 log_error("Failed to resolve interface %s: %m", arg_network_bridge);
1401 r = sd_rtnl_open(0, &rtnl);
1403 log_error("Failed to connect to netlink: %s", strerror(-r));
1407 r = sd_rtnl_message_new_link(rtnl, RTM_SETLINK, 0, &m);
1409 log_error("Failed to allocate netlink message: %s", strerror(-r));
1413 r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name);
1415 log_error("Failed to add netlink interface name field: %s", strerror(-r));
1419 r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge);
1421 log_error("Failed to add netlink master field: %s", strerror(-r));
1425 r = sd_rtnl_call(rtnl, m, 0, NULL);
1427 log_error("Failed to add veth interface to bridge: %s", strerror(-r));
1434 static int move_network_interfaces(pid_t pid) {
1435 _cleanup_udev_unref_ struct udev *udev = NULL;
1436 _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
1440 if (!arg_private_network)
1443 if (strv_isempty(arg_network_interfaces))
1446 r = sd_rtnl_open(0, &rtnl);
1448 log_error("Failed to connect to netlink: %s", strerror(-r));
1454 log_error("Failed to connect to udev.");
1458 STRV_FOREACH(i, arg_network_interfaces) {
1459 _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
1460 _cleanup_udev_device_unref_ struct udev_device *d = NULL;
1461 char ifi_str[2 + DECIMAL_STR_MAX(int)];
1464 ifi = (int) if_nametoindex(*i);
1466 log_error("Failed to resolve interface %s: %m", *i);
1470 sprintf(ifi_str, "n%i", ifi);
1471 d = udev_device_new_from_device_id(udev, ifi_str);
1473 log_error("Failed to get udev device for interface %s: %m", *i);
1477 if (udev_device_get_is_initialized(d) <= 0) {
1478 log_error("Network interface %s is not initialized yet.", *i);
1482 r = sd_rtnl_message_new_link(rtnl, RTM_NEWLINK, ifi, &m);
1484 log_error("Failed to allocate netlink message: %s", strerror(-r));
1488 r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid);
1490 log_error("Failed to append namespace PID to netlink message: %s", strerror(-r));
1494 r = sd_rtnl_call(rtnl, m, 0, NULL);
1496 log_error("Failed to move interface %s to namespace: %s", *i, strerror(-r));
1504 static int audit_still_doesnt_work_in_containers(void) {
1507 scmp_filter_ctx seccomp;
1511 Audit is broken in containers, much of the userspace audit
1512 hookup will fail if running inside a container. We don't
1513 care and just turn off creation of audit sockets.
1515 This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
1516 with EAFNOSUPPORT which audit userspace uses as indication
1517 that audit is disabled in the kernel.
1520 seccomp = seccomp_init(SCMP_ACT_ALLOW);
1524 r = seccomp_rule_add_exact(
1526 SCMP_ACT_ERRNO(EAFNOSUPPORT),
1529 SCMP_A0(SCMP_CMP_EQ, AF_NETLINK),
1530 SCMP_A2(SCMP_CMP_EQ, NETLINK_AUDIT));
1532 log_error("Failed to add audit seccomp rule: %s", strerror(-r));
1536 r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
1538 log_error("Failed to unset NO_NEW_PRIVS: %s", strerror(-r));
1543 r = seccomp_arch_add(seccomp, SCMP_ARCH_X86);
1544 if (r < 0 && r != -EEXIST) {
1545 log_error("Failed to add x86 to seccomp filter: %s", strerror(-r));
1550 r = seccomp_load(seccomp);
1552 log_error("Failed to install seccomp audit filter: %s", strerror(-r));
1555 seccomp_release(seccomp);
1563 int main(int argc, char *argv[]) {
1565 _cleanup_close_ int master = -1, kdbus_fd = -1, sync_fd = -1;
1566 _cleanup_close_pipe_ int kmsg_socket_pair[2] = { -1, -1 };
1567 _cleanup_free_ char *kdbus_domain = NULL;
1568 _cleanup_fdset_free_ FDSet *fds = NULL;
1569 const char *console = NULL;
1570 int r = EXIT_FAILURE, k;
1574 char veth_name[IFNAMSIZ] = "ve-";
1576 log_parse_environment();
1579 k = parse_argv(argc, argv);
1587 if (arg_directory) {
1590 p = path_make_absolute_cwd(arg_directory);
1591 free(arg_directory);
1594 arg_directory = get_current_dir_name();
1596 if (!arg_directory) {
1597 log_error("Failed to determine path, please use -D.");
1601 path_kill_slashes(arg_directory);
1604 arg_machine = strdup(basename(arg_directory));
1610 hostname_cleanup(arg_machine, false);
1611 if (isempty(arg_machine)) {
1612 log_error("Failed to determine machine name automatically, please use -M.");
1617 if (geteuid() != 0) {
1618 log_error("Need to be root.");
1622 if (sd_booted() <= 0) {
1623 log_error("Not running on a systemd system.");
1627 if (path_equal(arg_directory, "/")) {
1628 log_error("Spawning container on root directory not supported.");
1633 if (path_is_os_tree(arg_directory) <= 0) {
1634 log_error("Directory %s doesn't look like an OS root directory (/etc/os-release is missing). Refusing.", arg_directory);
1640 p = strappenda(arg_directory,
1641 argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
1642 if (access(p, F_OK) < 0) {
1643 log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
1650 n_fd_passed = sd_listen_fds(false);
1651 if (n_fd_passed > 0) {
1652 k = fdset_new_listen_fds(&fds, false);
1654 log_error("Failed to collect file descriptors: %s", strerror(-k));
1658 fdset_close_others(fds);
1661 master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
1663 log_error("Failed to acquire pseudo tty: %m");
1667 console = ptsname(master);
1669 log_error("Failed to determine tty name: %m");
1674 log_info("Spawning container %s on %s. Press ^] three times within 1s to abort execution.", arg_machine, arg_directory);
1676 if (unlockpt(master) < 0) {
1677 log_error("Failed to unlock tty: %m");
1681 if (access("/dev/kdbus/control", F_OK) >= 0) {
1683 if (arg_share_system) {
1684 kdbus_domain = strdup("/dev/kdbus");
1685 if (!kdbus_domain) {
1692 ns = strappenda("machine-", arg_machine);
1693 kdbus_fd = bus_kernel_create_domain(ns, &kdbus_domain);
1695 log_debug("Failed to create kdbus domain: %s", strerror(-r));
1697 log_debug("Successfully created kdbus domain as %s", kdbus_domain);
1701 if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) {
1702 log_error("Failed to create kmsg socket pair: %m");
1706 sd_notify(0, "READY=1");
1708 assert_se(sigemptyset(&mask) == 0);
1709 sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
1710 assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
1715 sync_fd = eventfd(0, EFD_CLOEXEC);
1717 log_error("Failed to create event fd: %m");
1721 pid = syscall(__NR_clone,
1722 SIGCHLD|CLONE_NEWNS|
1723 (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
1724 (arg_private_network ? CLONE_NEWNET : 0), NULL);
1726 if (errno == EINVAL)
1727 log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
1729 log_error("clone() failed: %m");
1736 const char *home = NULL;
1737 uid_t uid = (uid_t) -1;
1738 gid_t gid = (gid_t) -1;
1740 const char *envp[] = {
1741 "PATH=" DEFAULT_PATH_SPLIT_USR,
1742 "container=systemd-nspawn", /* LXC sets container=lxc, so follow the scheme here */
1747 NULL, /* container_uuid */
1748 NULL, /* LISTEN_FDS */
1749 NULL, /* LISTEN_PID */
1755 envp[n_env] = strv_find_prefix(environ, "TERM=");
1759 close_nointr_nofail(master);
1762 close_nointr(STDIN_FILENO);
1763 close_nointr(STDOUT_FILENO);
1764 close_nointr(STDERR_FILENO);
1766 close_nointr_nofail(kmsg_socket_pair[0]);
1767 kmsg_socket_pair[0] = -1;
1769 reset_all_signal_handlers();
1771 assert_se(sigemptyset(&mask) == 0);
1772 assert_se(sigprocmask(SIG_SETMASK, &mask, NULL) == 0);
1774 k = open_terminal(console, O_RDWR);
1775 if (k != STDIN_FILENO) {
1777 close_nointr_nofail(k);
1781 log_error("Failed to open console: %s", strerror(-k));
1785 if (dup2(STDIN_FILENO, STDOUT_FILENO) != STDOUT_FILENO ||
1786 dup2(STDIN_FILENO, STDERR_FILENO) != STDERR_FILENO) {
1787 log_error("Failed to duplicate console: %m");
1792 log_error("setsid() failed: %m");
1796 if (reset_audit_loginuid() < 0)
1799 if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0) {
1800 log_error("PR_SET_PDEATHSIG failed: %m");
1804 /* Mark everything as slave, so that we still
1805 * receive mounts from the real root, but don't
1806 * propagate mounts to the real root. */
1807 if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
1808 log_error("MS_SLAVE|MS_REC failed: %m");
1812 /* Turn directory into bind mount */
1813 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
1814 log_error("Failed to make bind mount.");
1819 if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) {
1820 log_error("Failed to make read-only.");
1824 if (mount_all(arg_directory) < 0)
1827 if (copy_devnodes(arg_directory) < 0)
1830 if (setup_ptmx(arg_directory) < 0)
1833 dev_setup(arg_directory);
1835 if (audit_still_doesnt_work_in_containers() < 0)
1838 if (setup_dev_console(arg_directory, console) < 0)
1841 if (setup_kmsg(arg_directory, kmsg_socket_pair[1]) < 0)
1844 close_nointr_nofail(kmsg_socket_pair[1]);
1845 kmsg_socket_pair[1] = -1;
1847 if (setup_boot_id(arg_directory) < 0)
1850 if (setup_timezone(arg_directory) < 0)
1853 if (setup_resolv_conf(arg_directory) < 0)
1856 if (setup_journal(arg_directory) < 0)
1859 if (mount_binds(arg_directory, arg_bind, 0) < 0)
1862 if (mount_binds(arg_directory, arg_bind_ro, MS_RDONLY) < 0)
1865 if (setup_kdbus(arg_directory, kdbus_domain) < 0)
1868 if (chdir(arg_directory) < 0) {
1869 log_error("chdir(%s) failed: %m", arg_directory);
1873 if (mount(arg_directory, "/", NULL, MS_MOVE, NULL) < 0) {
1874 log_error("mount(MS_MOVE) failed: %m");
1878 if (chroot(".") < 0) {
1879 log_error("chroot() failed: %m");
1883 if (chdir("/") < 0) {
1884 log_error("chdir() failed: %m");
1890 if (arg_private_network)
1893 if (drop_capabilities() < 0) {
1894 log_error("drop_capabilities() failed: %m");
1900 /* Note that this resolves user names
1901 * inside the container, and hence
1902 * accesses the NSS modules from the
1903 * container and not the host. This is
1906 if (get_user_creds((const char**)&arg_user, &uid, &gid, &home, NULL) < 0) {
1907 log_error("get_user_creds() failed: %m");
1911 if (mkdir_parents_label(home, 0775) < 0) {
1912 log_error("mkdir_parents_label() failed: %m");
1916 if (mkdir_safe_label(home, 0775, uid, gid) < 0) {
1917 log_error("mkdir_safe_label() failed: %m");
1921 if (initgroups((const char*)arg_user, gid) < 0) {
1922 log_error("initgroups() failed: %m");
1926 if (setresgid(gid, gid, gid) < 0) {
1927 log_error("setregid() failed: %m");
1931 if (setresuid(uid, uid, uid) < 0) {
1932 log_error("setreuid() failed: %m");
1936 /* Reset everything fully to 0, just in case */
1938 if (setgroups(0, NULL) < 0) {
1939 log_error("setgroups() failed: %m");
1943 if (setresgid(0, 0, 0) < 0) {
1944 log_error("setregid() failed: %m");
1948 if (setresuid(0, 0, 0) < 0) {
1949 log_error("setreuid() failed: %m");
1954 if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
1955 (asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
1956 (asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0)) {
1961 if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) {
1962 if (asprintf((char**)(envp + n_env++), "container_uuid=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(arg_uuid)) < 0) {
1968 if (fdset_size(fds) > 0) {
1969 k = fdset_cloexec(fds, false);
1971 log_error("Failed to unset O_CLOEXEC for file descriptors.");
1975 if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) ||
1976 (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) {
1984 eventfd_read(sync_fd, &x);
1985 close_nointr_nofail(sync_fd);
1988 if (!strv_isempty(arg_setenv)) {
1991 n = strv_env_merge(2, envp, arg_setenv);
1999 env_use = (char**) envp;
2002 if (arg_selinux_context)
2003 if (setexeccon(arg_selinux_context) < 0)
2004 log_error("setexeccon(\"%s\") failed: %m", arg_selinux_context);
2010 /* Automatically search for the init system */
2012 l = 1 + argc - optind;
2013 a = newa(char*, l + 1);
2014 memcpy(a + 1, argv + optind, l * sizeof(char*));
2016 a[0] = (char*) "/usr/lib/systemd/systemd";
2017 execve(a[0], a, env_use);
2019 a[0] = (char*) "/lib/systemd/systemd";
2020 execve(a[0], a, env_use);
2022 a[0] = (char*) "/sbin/init";
2023 execve(a[0], a, env_use);
2024 } else if (argc > optind)
2025 execvpe(argv[optind], argv + optind, env_use);
2027 chdir(home ? home : "/root");
2028 execle("/bin/bash", "-bash", NULL, env_use);
2029 execle("/bin/sh", "-sh", NULL, env_use);
2032 log_error("execv() failed: %m");
2035 _exit(EXIT_FAILURE);
2041 r = register_machine(pid);
2045 r = move_network_interfaces(pid);
2049 r = setup_veth(pid, veth_name);
2053 r = setup_bridge(veth_name);
2057 eventfd_write(sync_fd, 1);
2058 close_nointr_nofail(sync_fd);
2061 k = process_pty(master, &mask, arg_boot ? pid : 0, SIGRTMIN+3);
2070 /* Kill if it is not dead yet anyway */
2071 terminate_machine(pid);
2073 /* Redundant, but better safe than sorry */
2076 k = wait_for_terminate(pid, &status);
2084 if (status.si_code == CLD_EXITED) {
2085 r = status.si_status;
2086 if (status.si_status != 0) {
2087 log_error("Container %s failed with error code %i.", arg_machine, status.si_status);
2092 log_debug("Container %s exited successfully.", arg_machine);
2094 } else if (status.si_code == CLD_KILLED &&
2095 status.si_status == SIGINT) {
2098 log_info("Container %s has been shut down.", arg_machine);
2101 } else if (status.si_code == CLD_KILLED &&
2102 status.si_status == SIGHUP) {
2105 log_info("Container %s is being rebooted.", arg_machine);
2107 } else if (status.si_code == CLD_KILLED ||
2108 status.si_code == CLD_DUMPED) {
2110 log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
2114 log_error("Container %s failed due to unknown reason.", arg_machine);
2124 free(arg_directory);
2127 free(arg_network_interfaces);
~ianmdlvl / elogind.git / blob