chiark / gitweb /
~ianmdlvl / elogind.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
nspawn: actually allow access to /dev/net/tun in the container
[elogind.git] / src / nspawn / nspawn.c
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index b118c739e8c6b0f562b2daf14520d15443d420e4..f04d32613123f4da9805c9a293b773d39b4e1e1d 100644 (file)
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -166,8 +166,7 @@ static unsigned long arg_personality = 0xffffffffLU;
 static const char *arg_image = NULL;
 static Volatile arg_volatile = VOLATILE_NO;
 
-static int help(void) {
-
+static void help(void) {
         printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
                "Spawn a minimal namespace container for debugging, testing and building.\n\n"
                "  -h --help                 Show this help\n"
@@ -216,8 +215,6 @@ static int help(void) {
                "                            the service unit nspawn is running in\n"
                "     --volatile[=MODE]      Run the system in volatile mode\n",
                program_invocation_short_name);
-
-        return 0;
 }
 
 static int parse_argv(int argc, char *argv[]) {
@@ -285,12 +282,13 @@ static int parse_argv(int argc, char *argv[]) {
         assert(argc >= 0);
         assert(argv);
 
-        while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:", options, NULL)) >= 0) {
+        while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:", options, NULL)) >= 0)
 
                 switch (c) {
 
                 case 'h':
-                        return help();
+                        help();
+                        return 0;
 
                 case ARG_VERSION:
                         puts(PACKAGE_STRING);
@@ -593,7 +591,6 @@ static int parse_argv(int argc, char *argv[]) {
                 default:
                         assert_not_reached("Unhandled option");
                 }
-        }
 
         if (arg_share_system)
                 arg_register = false;
@@ -678,7 +675,18 @@ static int mount_all(const char *dest) {
                 if (mount_table[k].what && t > 0)
                         continue;
 
-                mkdir_p(where, 0755);
+                t = mkdir_p(where, 0755);
+                if (t < 0) {
+                        if (mount_table[k].fatal) {
+                               log_error("Failed to create directory %s: %s", where, strerror(-t));
+
+                                if (r == 0)
+                                        r = t;
+                        } else
+                               log_warning("Failed to create directory %s: %s", where, strerror(-t));
+
+                        continue;
+                }
 
 #ifdef HAVE_SELINUX
                 if (arg_selinux_apifs_context &&
@@ -697,13 +705,15 @@ static int mount_all(const char *dest) {
                           where,
                           mount_table[k].type,
                           mount_table[k].flags,
-                          o) < 0 &&
-                    mount_table[k].fatal) {
+                          o) < 0) {
 
-                        log_error("mount(%s) failed: %m", where);
+                        if (mount_table[k].fatal) {
+                                log_error("mount(%s) failed: %m", where);
 
-                        if (r == 0)
-                                r = -errno;
+                                if (r == 0)
+                                        r = -errno;
+                        } else
+                                log_warning("mount(%s) failed: %m", where);
                 }
         }
 
@@ -746,15 +756,35 @@ static int mount_binds(const char *dest, char **l, bool ro) {
 
                 /* Create the mount point, but be conservative -- refuse to create block
                  * and char devices. */
-                if (S_ISDIR(source_st.st_mode))
-                        mkdir_label(where, 0755);
-                else if (S_ISFIFO(source_st.st_mode))
-                        mkfifo(where, 0644);
-                else if (S_ISSOCK(source_st.st_mode))
-                        mknod(where, 0644 | S_IFSOCK, 0);
-                else if (S_ISREG(source_st.st_mode))
-                        touch(where);
-                else {
+                if (S_ISDIR(source_st.st_mode)) {
+                        r = mkdir_label(where, 0755);
+                        if (r < 0) {
+                                log_error("Failed to create mount point %s: %s", where, strerror(-r));
+
+                                return r;
+                        }
+                } else if (S_ISFIFO(source_st.st_mode)) {
+                        r = mkfifo(where, 0644);
+                        if (r < 0 && errno != EEXIST) {
+                                log_error("Failed to create mount point %s: %m", where);
+
+                                return -errno;
+                        }
+                } else if (S_ISSOCK(source_st.st_mode)) {
+                        r = mknod(where, 0644 | S_IFSOCK, 0);
+                        if (r < 0 && errno != EEXIST) {
+                                log_error("Failed to create mount point %s: %m", where);
+
+                                return -errno;
+                        }
+                } else if (S_ISREG(source_st.st_mode)) {
+                        r = touch(where);
+                        if (r < 0) {
+                                log_error("Failed to create mount point %s: %s", where, strerror(-r));
+
+                                return r;
+                        }
+                } else {
                         log_error("Refusing to create mountpoint for file: %s", *x);
                         return -ENOTSUP;
                 }
@@ -781,12 +811,18 @@ static int mount_tmpfs(const char *dest) {
 
         STRV_FOREACH_PAIR(i, o, arg_tmpfs) {
                 _cleanup_free_ char *where = NULL;
+                int r;
 
                 where = strappend(dest, *i);
                 if (!where)
                         return log_oom();
 
-                mkdir_label(where, 0755);
+                r = mkdir_label(where, 0755);
+                if (r < 0) {
+                        log_error("creating mount point for tmpfs %s failed: %s", where, strerror(-r));
+
+                        return r;
+                }
 
                 if (mount("tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, *o) < 0) {
                         log_error("tmpfs mount to %s failed: %m", where);
@@ -847,8 +883,19 @@ static int setup_timezone(const char *dest) {
         if (!what)
                 return log_oom();
 
-        mkdir_parents(where, 0755);
-        unlink(where);
+        r = mkdir_parents(where, 0755);
+        if (r < 0) {
+                log_error("Failed to create directory for timezone info %s in container: %s", where, strerror(-r));
+
+                return 0;
+        }
+
+        r = unlink(where);
+        if (r < 0 && errno != ENOENT) {
+                log_error("Failed to remove existing timezone info %s in container: %m", where);
+
+                return 0;
+        }
 
         if (symlink(what, where) < 0) {
                 log_error("Failed to correct timezone of container: %m");
@@ -860,6 +907,7 @@ static int setup_timezone(const char *dest) {
 
 static int setup_resolv_conf(const char *dest) {
         _cleanup_free_ char *where = NULL;
+        int r;
 
         assert(dest);
 
@@ -873,8 +921,19 @@ static int setup_resolv_conf(const char *dest) {
 
         /* We don't really care for the results of this really. If it
          * fails, it fails, but meh... */
-        mkdir_parents(where, 0755);
-        copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644);
+        r = mkdir_parents(where, 0755);
+        if (r < 0) {
+                log_warning("Failed to create parent directory for resolv.conf %s: %s", where, strerror(-r));
+
+                return 0;
+        }
+
+        r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644);
+        if (r < 0) {
+                log_warning("Failed to copy /etc/resolv.conf to %s: %s", where, strerror(-r));
+
+                return 0;
+        }
 
         return 0;
 }
@@ -898,7 +957,11 @@ static int setup_volatile_state(const char *directory) {
         }
 
         p = strappenda(directory, "/var");
-        mkdir(p, 0755);
+        r = mkdir(p, 0755);
+        if (r < 0 && errno != EEXIST) {
+                log_error("Failed to create %s: %m", directory);
+                return -errno;
+        }
 
         if (mount("tmpfs", p, "tmpfs", MS_STRICTATIME, "mode=755") < 0) {
                 log_error("Failed to mount tmpfs to /var: %m");
@@ -938,7 +1001,13 @@ static int setup_volatile(const char *directory) {
         f = strappenda(directory, "/usr");
         t = strappenda(template, "/usr");
 
-        mkdir(t, 0755);
+        r = mkdir(t, 0755);
+        if (r < 0 && errno != EEXIST) {
+                log_error("Failed to create %s: %m", t);
+                r = -errno;
+                goto fail;
+        }
+
         if (mount(f, t, "bind", MS_BIND|MS_REC, NULL) < 0) {
                 log_error("Failed to create /usr bind mount: %m");
                 r = -errno;
@@ -1032,7 +1101,8 @@ static int copy_devnodes(const char *dest) {
                 "full\0"
                 "random\0"
                 "urandom\0"
-                "tty\0";
+                "tty\0"
+                "net/tun\0";
 
         const char *d;
         int r = 0;
@@ -1063,10 +1133,17 @@ static int copy_devnodes(const char *dest) {
                         log_error("%s is not a char or block device, cannot copy", from);
                         return -EIO;
 
-                } else if (mknod(to, st.st_mode, st.st_rdev) < 0) {
+                } else {
+                        r = mkdir_parents(to, 0775);
+                        if (r < 0) {
+                                log_error("Failed to create parent directory of %s: %s", to, strerror(-r));
+                                return -r;
+                        }
 
-                        log_error("mknod(%s) failed: %m", dest);
-                        return  -errno;
+                        if (mknod(to, st.st_mode, st.st_rdev) < 0) {
+                                log_error("mknod(%s) failed: %m", dest);
+                                return  -errno;
+                        }
                 }
         }
 
@@ -1297,7 +1374,7 @@ static int setup_journal(const char *directory) {
 
                         r = mkdir_p(q, 0755);
                         if (r < 0)
-                                log_warning("failed to create directory %s: %m", q);
+                                log_warning("Failed to create directory %s: %m", q);
                         return 0;
                 }
 
@@ -1332,7 +1409,7 @@ static int setup_journal(const char *directory) {
 
                 r = mkdir_p(q, 0755);
                 if (r < 0)
-                        log_warning("failed to create directory %s: %m", q);
+                        log_warning("Failed to create directory %s: %m", q);
                 return 0;
         }
 
@@ -1389,7 +1466,7 @@ static int drop_capabilities(void) {
 
 static int register_machine(pid_t pid, int local_ifindex) {
         _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
-        _cleanup_bus_unref_ sd_bus *bus = NULL;
+        _cleanup_bus_close_unref_ sd_bus *bus = NULL;
         int r;
 
         if (!arg_register)
@@ -1481,6 +1558,7 @@ static int register_machine(pid_t pid, int local_ifindex) {
                                           "/dev/random", "rwm",
                                           "/dev/urandom", "rwm",
                                           "/dev/tty", "rwm",
+                                          "/dev/net/tun", "rwm",
                                           /* Allow the container
                                            * access to ptys. However,
                                            * do not permit the
@@ -1524,7 +1602,7 @@ static int register_machine(pid_t pid, int local_ifindex) {
 static int terminate_machine(pid_t pid) {
         _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL;
         _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
-        _cleanup_bus_unref_ sd_bus *bus = NULL;
+        _cleanup_bus_close_unref_ sd_bus *bus = NULL;
         const char *path;
         int r;
 
@@ -1609,9 +1687,10 @@ static int reset_audit_loginuid(void) {
         return 0;
 }
 
-#define HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
+#define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
+#define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
 
-static int get_mac(struct ether_addr *mac) {
+static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key) {
         int r;
 
         uint8_t result[8];
@@ -1633,7 +1712,7 @@ static int get_mac(struct ether_addr *mac) {
 
         /* Let's hash the host machine ID plus the container name. We
          * use a fixed, but originally randomly created hash key here. */
-        siphash24(result, v, sz, HASH_KEY.bytes);
+        siphash24(result, v, sz, hash_key.bytes);
 
         assert_cc(ETH_ALEN <= sizeof(result));
         memcpy(mac->ether_addr_octet, result, ETH_ALEN);
@@ -1648,7 +1727,7 @@ static int get_mac(struct ether_addr *mac) {
 static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
         _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
         _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL;
-        struct ether_addr mac;
+        struct ether_addr mac_host, mac_container;
         int r, i;
 
         if (!arg_private_network)
@@ -1659,12 +1738,18 @@ static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
 
         /* Use two different interface name prefixes depending whether
          * we are in bridge mode or not. */
-        snprintf(iface_name, IFNAMSIZ, "%s-%s",
+        snprintf(iface_name, IFNAMSIZ - 1, "%s-%s",
                  arg_network_bridge ? "vb" : "ve", arg_machine);
 
-        r = get_mac(&mac);
+        r = generate_mac(&mac_container, CONTAINER_HASH_KEY);
+        if (r < 0) {
+                log_error("Failed to generate predictable MAC address for container side");
+                return r;
+        }
+
+        r = generate_mac(&mac_host, HOST_HASH_KEY);
         if (r < 0) {
-                log_error("Failed to generate predictable MAC address for host0");
+                log_error("Failed to generate predictable MAC address for host side");
                 return r;
         }
 
@@ -1686,6 +1771,12 @@ static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
                 return r;
         }
 
+        r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_host);
+        if (r < 0) {
+                log_error("Failed to add netlink MAC address: %s", strerror(-r));
+                return r;
+        }
+
         r = sd_rtnl_message_open_container(m, IFLA_LINKINFO);
         if (r < 0) {
                 log_error("Failed to open netlink container: %s", strerror(-r));
@@ -1710,7 +1801,7 @@ static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) {
                 return r;
         }
 
-        r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac);
+        r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_container);
         if (r < 0) {
                 log_error("Failed to add netlink MAC address: %s", strerror(-r));
                 return r;
@@ -1876,7 +1967,7 @@ static int move_network_interfaces(pid_t pid) {
                 if (ifi < 0)
                         return ifi;
 
-                r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, ifi);
+                r = sd_rtnl_message_new_link(rtnl, &m, RTM_SETLINK, ifi);
                 if (r < 0) {
                         log_error("Failed to allocate netlink message: %s", strerror(-r));
                         return r;
@@ -2525,20 +2616,27 @@ static int mount_devices(
 
 static void loop_remove(int nr, int *image_fd) {
         _cleanup_close_ int control = -1;
+        int r;
 
         if (nr < 0)
                 return;
 
         if (image_fd && *image_fd >= 0) {
-                ioctl(*image_fd, LOOP_CLR_FD);
+                r = ioctl(*image_fd, LOOP_CLR_FD);
+                if (r < 0)
+                        log_warning("Failed to close loop image: %m");
                 *image_fd = safe_close(*image_fd);
         }
 
         control = open("/dev/loop-control", O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK);
-        if (control < 0)
+        if (control < 0) {
+                log_warning("Failed to open /dev/loop-control: %m");
                 return;
+        }
 
-        ioctl(control, LOOP_CTL_REMOVE, nr);
+        r = ioctl(control, LOOP_CTL_REMOVE, nr);
+        if (r < 0)
+                log_warning("Failed to remove loop %d: %m", nr);
 }
 
 static int spawn_getent(const char *database, const char *key, pid_t *rpid) {
@@ -3061,7 +3159,9 @@ int main(int argc, char *argv[]) {
                 goto finish;
         }
 
-        sd_notify(0, "READY=1");
+        sd_notify(false,
+                  "READY=1\n"
+                  "STATUS=Container running.");
 
         assert_se(sigemptyset(&mask) == 0);
         assert_se(sigemptyset(&mask_chld) == 0);
@@ -3144,9 +3244,7 @@ int main(int argc, char *argv[]) {
                         kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
 
                         reset_all_signal_handlers();
-
-                        assert_se(sigemptyset(&mask) == 0);
-                        assert_se(sigprocmask(SIG_SETMASK, &mask, NULL) == 0);
+                        reset_signal_mask();
 
                         k = open_terminal(console, O_RDWR);
                         if (k != STDIN_FILENO) {
@@ -3494,6 +3592,10 @@ int main(int argc, char *argv[]) {
         }
 
 finish:
+        sd_notify(false,
+                  "STOPPING=1\n"
+                  "STATUS=Terminating...");
+
         loop_remove(loop_nr, &image_fd);
 
         if (pid > 0)
Unnamed repository; edit this file 'description' to name the repository.