X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fnspawn%2Fnspawn.c;h=1ac0a7008c68c89fe6e9aa399d691101e40f4b58;hp=25f835c230fc3807e289dde074e084dca0405b25;hb=b12afc8c5c5c3ee5720780df9a602288bbcc24ea;hpb=4a62c710b62a5a3c7a8a278b810b9d5b5a0c8f4f diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 25f835c23..1ac0a7008 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -31,7 +31,6 @@ #include #include #include -#include #include #include #include @@ -90,6 +89,10 @@ #include "base-filesystem.h" #include "barrier.h" #include "event-util.h" +#include "capability.h" +#include "cap-list.h" +#include "btrfs-util.h" +#include "machine-image.h" #ifdef HAVE_SECCOMP #include "seccomp-util.h" @@ -114,6 +117,7 @@ typedef enum Volatile { } Volatile; static char *arg_directory = NULL; +static char *arg_template = NULL; static char *arg_user = NULL; static sd_id128_t arg_uuid = {}; static char *arg_machine = NULL; @@ -123,6 +127,7 @@ static const char *arg_slice = NULL; static bool arg_private_network = false; static bool arg_read_only = false; static bool arg_boot = false; +static bool arg_ephemeral = false; static LinkJournal arg_link_journal = LINK_AUTO; static bool arg_link_journal_try = false; static uint64_t arg_retain = @@ -165,7 +170,7 @@ static char **arg_network_macvlan = NULL; static bool arg_network_veth = false; static const char *arg_network_bridge = NULL; static unsigned long arg_personality = 0xffffffffLU; -static const char *arg_image = NULL; +static char *arg_image = NULL; static Volatile arg_volatile = VOLATILE_NO; static void help(void) { @@ -175,7 +180,11 @@ static void help(void) { " --version Print version string\n" " -q --quiet Do not show status information\n" " -D --directory=PATH Root directory for the container\n" - " -i --image=PATH File system device or image for the container\n" + " --template=PATH Initialize root directory from template directory,\n" + " if missing\n" + " -x --ephemeral Run container with snapshot of root directory, and\n" + " remove it after exit\n" + " -i --image=PATH File system device or disk image for the container\n" " -b --boot Boot up full system (i.e. invoke init)\n" " -u --user=USER Run the command under specified user or uid\n" " -M --machine=NAME Set the machine name for the container\n" @@ -220,6 +229,27 @@ static void help(void) { program_invocation_short_name); } +static int set_sanitized_path(char **b, const char *path) { + char *p; + + assert(b); + assert(path); + + p = canonicalize_file_name(path); + if (!p) { + if (errno != ENOENT) + return -errno; + + p = path_make_absolute_cwd(path); + if (!p) + return -ENOMEM; + } + + free(*b); + *b = path_kill_slashes(p); + return 0; +} + static int parse_argv(int argc, char *argv[]) { enum { @@ -243,12 +273,15 @@ static int parse_argv(int argc, char *argv[]) { ARG_NETWORK_BRIDGE, ARG_PERSONALITY, ARG_VOLATILE, + ARG_TEMPLATE, }; static const struct option options[] = { { "help", no_argument, NULL, 'h' }, { "version", no_argument, NULL, ARG_VERSION }, { "directory", required_argument, NULL, 'D' }, + { "template", required_argument, NULL, ARG_TEMPLATE }, + { "ephemeral", no_argument, NULL, 'x' }, { "user", required_argument, NULL, 'u' }, { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK }, { "boot", no_argument, NULL, 'b' }, @@ -285,7 +318,7 @@ static int parse_argv(int argc, char *argv[]) { assert(argc >= 0); assert(argv); - while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:", options, NULL)) >= 0) + while ((c = getopt_long(argc, argv, "+hD:u:bL:M:jS:Z:qi:x", options, NULL)) >= 0) switch (c) { @@ -299,17 +332,28 @@ static int parse_argv(int argc, char *argv[]) { return 0; case 'D': - free(arg_directory); - arg_directory = canonicalize_file_name(optarg); - if (!arg_directory) { - log_error_errno(errno, "Invalid root directory: %m"); - return -ENOMEM; - } + r = set_sanitized_path(&arg_directory, optarg); + if (r < 0) + return log_error_errno(r, "Invalid root directory: %m"); + + break; + + case ARG_TEMPLATE: + r = set_sanitized_path(&arg_template, optarg); + if (r < 0) + return log_error_errno(r, "Invalid template directory: %m"); break; case 'i': - arg_image = optarg; + r = set_sanitized_path(&arg_image, optarg); + if (r < 0) + return log_error_errno(r, "Invalid image path: %m"); + + break; + + case 'x': + arg_ephemeral = true; break; case 'u': @@ -368,15 +412,13 @@ static int parse_argv(int argc, char *argv[]) { free(arg_machine); arg_machine = NULL; } else { - - if (!hostname_is_valid(optarg)) { + if (!machine_name_is_valid(optarg)) { log_error("Invalid machine name: %s", optarg); return -EINVAL; } - free(arg_machine); - arg_machine = strdup(optarg); - if (!arg_machine) + r = free_and_strdup(&arg_machine, optarg); + if (r < 0) return log_oom(); break; @@ -401,7 +443,6 @@ static int parse_argv(int argc, char *argv[]) { FOREACH_WORD_SEPARATOR(word, length, optarg, ",", state) { _cleanup_free_ char *t; - cap_value_t cap; t = strndup(word, length); if (!t) @@ -413,7 +454,10 @@ static int parse_argv(int argc, char *argv[]) { else minus = (uint64_t) -1; } else { - if (cap_from_name(t, &cap) < 0) { + int cap; + + cap = capability_from_name(t); + if (cap < 0) { log_error("Failed to parse capability %s.", t); return -EINVAL; } @@ -434,15 +478,19 @@ static int parse_argv(int argc, char *argv[]) { break; case ARG_LINK_JOURNAL: - if (streq(optarg, "auto")) + if (streq(optarg, "auto")) { arg_link_journal = LINK_AUTO; - else if (streq(optarg, "no")) + arg_link_journal_try = false; + } else if (streq(optarg, "no")) { arg_link_journal = LINK_NO; - else if (streq(optarg, "guest")) + arg_link_journal_try = false; + } else if (streq(optarg, "guest")) { arg_link_journal = LINK_GUEST; - else if (streq(optarg, "host")) + arg_link_journal_try = false; + } else if (streq(optarg, "host")) { arg_link_journal = LINK_HOST; - else if (streq(optarg, "try-guest")) { + arg_link_journal_try = false; + } else if (streq(optarg, "try-guest")) { arg_link_journal = LINK_GUEST; arg_link_journal_try = true; } else if (streq(optarg, "try-host")) { @@ -620,6 +668,31 @@ static int parse_argv(int argc, char *argv[]) { return -EINVAL; } + if (arg_template && arg_image) { + log_error("--template= and --image= may not be combined."); + return -EINVAL; + } + + if (arg_template && !(arg_directory || arg_machine)) { + log_error("--template= needs --directory= or --machine=."); + return -EINVAL; + } + + if (arg_ephemeral && arg_template) { + log_error("--ephemeral and --template= may not be combined."); + return -EINVAL; + } + + if (arg_ephemeral && arg_image) { + log_error("--ephemeral and --image= may not be combined."); + return -EINVAL; + } + + if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO)) { + log_error("--ephemeral and --link-journal= may not be combined."); + return -EINVAL; + } + if (arg_volatile != VOLATILE_NO && arg_read_only) { log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy."); return -EINVAL; @@ -796,6 +869,112 @@ static int mount_binds(const char *dest, char **l, bool ro) { return 0; } +static int mount_cgroup_hierarchy(const char *dest, const char *controller, const char *hierarchy, bool read_only) { + char *to; + int r; + + to = strappenda(dest, "/sys/fs/cgroup/", hierarchy); + + r = path_is_mount_point(to, false); + if (r < 0) + return log_error_errno(r, "Failed to determine if %s is mounted already: %m", to); + if (r > 0) + return 0; + + mkdir_p(to, 0755); + + if (mount("cgroup", to, "cgroup", MS_NOSUID|MS_NOEXEC|MS_NODEV|(read_only ? MS_RDONLY : 0), controller) < 0) + return log_error_errno(errno, "Failed to mount to %s: %m", to); + + return 1; +} + +static int mount_cgroup(const char *dest) { + _cleanup_set_free_free_ Set *controllers = NULL; + _cleanup_free_ char *own_cgroup_path = NULL; + const char *cgroup_root, *systemd_root, *systemd_own; + int r; + + controllers = set_new(&string_hash_ops); + if (!controllers) + return log_oom(); + + r = cg_kernel_controllers(controllers); + if (r < 0) + return log_error_errno(r, "Failed to determine cgroup controllers: %m"); + + r = cg_pid_get_path(NULL, 0, &own_cgroup_path); + if (r < 0) + return log_error_errno(r, "Failed to determine our own cgroup path: %m"); + + cgroup_root = strappenda(dest, "/sys/fs/cgroup"); + if (mount("tmpfs", cgroup_root, "tmpfs", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, "mode=755") < 0) + return log_error_errno(errno, "Failed to mount tmpfs to /sys/fs/cgroup: %m"); + + for (;;) { + _cleanup_free_ char *controller = NULL, *origin = NULL, *combined = NULL; + + controller = set_steal_first(controllers); + if (!controller) + break; + + origin = strappend("/sys/fs/cgroup/", controller); + if (!origin) + return log_oom(); + + r = readlink_malloc(origin, &combined); + if (r == -EINVAL) { + /* Not a symbolic link, but directly a single cgroup hierarchy */ + + r = mount_cgroup_hierarchy(dest, controller, controller, true); + if (r < 0) + return r; + + } else if (r < 0) + return log_error_errno(r, "Failed to read link %s: %m", origin); + else { + _cleanup_free_ char *target = NULL; + + target = strjoin(dest, "/sys/fs/cgroup/", controller, NULL); + if (!target) + return log_oom(); + + /* A symbolic link, a combination of controllers in one hierarchy */ + + if (!filename_is_valid(combined)) { + log_warning("Ignoring invalid combined hierarchy %s.", combined); + continue; + } + + r = mount_cgroup_hierarchy(dest, combined, combined, true); + if (r < 0) + return r; + + if (symlink(combined, target) < 0) + return log_error_errno(errno, "Failed to create symlink for combined hiearchy: %m"); + } + } + + r = mount_cgroup_hierarchy(dest, "name=systemd", "systemd", false); + if (r < 0) + return r; + + /* Make our own cgroup a (writable) bind mount */ + systemd_own = strappenda(dest, "/sys/fs/cgroup/systemd", own_cgroup_path); + if (mount(systemd_own, systemd_own, NULL, MS_BIND, NULL) < 0) + return log_error_errno(errno, "Failed to turn %s into a bind mount: %m", own_cgroup_path); + + /* And then remount the systemd cgroup root read-only */ + systemd_root = strappenda(dest, "/sys/fs/cgroup/systemd"); + if (mount(NULL, systemd_root, NULL, MS_BIND|MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY, NULL) < 0) + return log_error_errno(errno, "Failed to mount cgroup root read-only: %m"); + + if (mount(NULL, cgroup_root, NULL, MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755") < 0) + return log_error_errno(errno, "Failed to remount %s read-only: %m", cgroup_root); + + return 0; +} + static int mount_tmpfs(const char *dest) { char **i, **o; @@ -808,8 +987,8 @@ static int mount_tmpfs(const char *dest) { return log_oom(); r = mkdir_label(where, 0755); - if (r < 0 && errno != EEXIST) - return log_error_errno(r, "creating mount point for tmpfs %s failed: %m", where); + if (r < 0 && r != -EEXIST) + return log_error_errno(r, "Creating mount point for tmpfs %s failed: %m", where); if (mount("tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, *o) < 0) return log_error_errno(errno, "tmpfs mount to %s failed: %m", where); @@ -1250,6 +1429,10 @@ static int setup_journal(const char *directory) { char *id; int r; + /* Don't link journals in ephemeral mode */ + if (arg_ephemeral) + return 0; + p = strappend(directory, "/etc/machine-id"); if (!p) return log_oom(); @@ -1278,8 +1461,7 @@ static int setup_journal(const char *directory) { "Host and machine ids are equal (%s): refusing to link journals", id); if (arg_link_journal == LINK_AUTO) return 0; - return - -EEXIST; + return -EEXIST; } if (arg_link_journal == LINK_NO) @@ -1589,16 +1771,19 @@ static int reset_audit_loginuid(void) { #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1) #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2) +#define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f) -static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key) { - int r; - +static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key, uint64_t idx) { uint8_t result[8]; size_t l, sz; - uint8_t *v; + uint8_t *v, *i; + int r; l = strlen(arg_machine); sz = sizeof(sd_id128_t) + l; + if (idx > 0) + sz += sizeof(idx); + v = alloca(sz); /* fetch some persistent data unique to the host */ @@ -1608,7 +1793,11 @@ static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key) { /* combine with some data unique (on this host) to this * container instance */ - memcpy(v + sizeof(sd_id128_t), arg_machine, l); + i = mempcpy(v + sizeof(sd_id128_t), arg_machine, l); + if (idx > 0) { + idx = htole64(idx); + memcpy(i, &idx, sizeof(idx)); + } /* Let's hash the host machine ID plus the container name. We * use a fixed, but originally randomly created hash key here. */ @@ -1641,17 +1830,13 @@ static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) { snprintf(iface_name, IFNAMSIZ - 1, "%s-%s", arg_network_bridge ? "vb" : "ve", arg_machine); - r = generate_mac(&mac_container, CONTAINER_HASH_KEY); - if (r < 0) { - log_error("Failed to generate predictable MAC address for container side"); - return r; - } + r = generate_mac(&mac_container, CONTAINER_HASH_KEY, 0); + if (r < 0) + return log_error_errno(r, "Failed to generate predictable MAC address for container side: %m"); - r = generate_mac(&mac_host, HOST_HASH_KEY); - if (r < 0) { - log_error("Failed to generate predictable MAC address for host side"); - return r; - } + r = generate_mac(&mac_host, HOST_HASH_KEY, 0); + if (r < 0) + return log_error_errno(r, "Failed to generate predictable MAC address for host side: %m"); r = sd_rtnl_open(&rtnl, 0); if (r < 0) @@ -1836,6 +2021,7 @@ static int move_network_interfaces(pid_t pid) { static int setup_macvlan(pid_t pid) { _cleanup_udev_unref_ struct udev *udev = NULL; _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL; + unsigned idx = 0; char **i; int r; @@ -1858,12 +2044,17 @@ static int setup_macvlan(pid_t pid) { STRV_FOREACH(i, arg_network_macvlan) { _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL; _cleanup_free_ char *n = NULL; + struct ether_addr mac; int ifi; ifi = parse_interface(udev, *i); if (ifi < 0) return ifi; + r = generate_mac(&mac, MACVLAN_HASH_KEY, idx++); + if (r < 0) + return log_error_errno(r, "Failed to create MACVLAN MAC address: %m"); + r = sd_rtnl_message_new_link(rtnl, &m, RTM_NEWLINK, 0); if (r < 0) return log_error_errno(r, "Failed to allocate netlink message: %m"); @@ -1882,6 +2073,10 @@ static int setup_macvlan(pid_t pid) { if (r < 0) return log_error_errno(r, "Failed to add netlink interface name: %m"); + r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac); + if (r < 0) + return log_error_errno(r, "Failed to add netlink MAC address: %m"); + r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid); if (r < 0) return log_error_errno(r, "Failed to add netlink namespace field: %m"); @@ -1994,6 +2189,27 @@ finish: } +static int setup_propagate(const char *root) { + const char *p, *q; + + (void) mkdir_p("/run/systemd/nspawn/", 0755); + (void) mkdir_p("/run/systemd/nspawn/propagate", 0600); + p = strappenda("/run/systemd/nspawn/propagate/", arg_machine); + (void) mkdir_p(p, 0600); + + q = strappenda(root, "/run/systemd/nspawn/incoming"); + mkdir_parents(q, 0755); + mkdir_p(q, 0600); + + if (mount(p, q, NULL, MS_BIND, NULL) < 0) + return log_error_errno(errno, "Failed to install propagation bind mount."); + + if (mount(NULL, q, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) + return log_error_errno(errno, "Failed to make propagation mount read-only"); + + return 0; +} + static int setup_image(char **device_path, int *loop_nr) { struct loop_info64 info = { .lo_flags = LO_FLAGS_AUTOCLEAR|LO_FLAGS_PARTSCAN @@ -2005,6 +2221,7 @@ static int setup_image(char **device_path, int *loop_nr) { assert(device_path); assert(loop_nr); + assert(arg_image); fd = open(arg_image, O_CLOEXEC|(arg_read_only ? O_RDONLY : O_RDWR)|O_NONBLOCK|O_NOCTTY); if (fd < 0) @@ -2078,7 +2295,14 @@ static int dissect_image( bool *secondary) { #ifdef HAVE_BLKID - int home_nr = -1, root_nr = -1, secondary_root_nr = -1, srv_nr = -1; + int home_nr = -1, srv_nr = -1; +#ifdef GPT_ROOT_NATIVE + int root_nr = -1; +#endif +#ifdef GPT_ROOT_SECONDARY + int secondary_root_nr = -1; +#endif + _cleanup_free_ char *home = NULL, *root = NULL, *secondary_root = NULL, *srv = NULL; _cleanup_udev_enumerate_unref_ struct udev_enumerate *e = NULL; _cleanup_udev_device_unref_ struct udev_device *d = NULL; @@ -2096,6 +2320,7 @@ static int dissect_image( assert(home_device); assert(srv_device); assert(secondary); + assert(arg_image); b = blkid_new_probe(); if (!b) @@ -2544,7 +2769,7 @@ static int change_uid_gid(char **_home) { truncate_nl(line); - wait_for_terminate_and_warn("getent passwd", pid); + wait_for_terminate_and_warn("getent passwd", pid, true); x = strchr(line, ':'); if (!x) { @@ -2628,7 +2853,7 @@ static int change_uid_gid(char **_home) { truncate_nl(line); - wait_for_terminate_and_warn("getent initgroups", pid); + wait_for_terminate_and_warn("getent initgroups", pid, true); /* Skip over the username and subsequent separator whitespace */ x = line; @@ -2763,78 +2988,115 @@ static int on_orderly_shutdown(sd_event_source *s, const struct signalfd_siginfo return 0; } -int main(int argc, char *argv[]) { - - _cleanup_free_ char *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL; - bool root_device_rw = true, home_device_rw = true, srv_device_rw = true; - _cleanup_close_ int master = -1, image_fd = -1; - _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 }; - _cleanup_fdset_free_ FDSet *fds = NULL; - int r = EXIT_FAILURE, k, n_fd_passed, loop_nr = -1; - const char *console = NULL; - char veth_name[IFNAMSIZ]; - bool secondary = false; - sigset_t mask, mask_chld; - pid_t pid = 0; +static int determine_names(void) { + int r; - log_parse_environment(); - log_open(); + if (!arg_image && !arg_directory) { + if (arg_machine) { + _cleanup_(image_unrefp) Image *i = NULL; - k = parse_argv(argc, argv); - if (k < 0) - goto finish; - else if (k == 0) { - r = EXIT_SUCCESS; - goto finish; - } + r = image_find(arg_machine, &i); + if (r < 0) + return log_error_errno(r, "Failed to find image for machine '%s': %m", arg_machine); + else if (r == 0) { + log_error("No image for machine '%s': %m", arg_machine); + return -ENOENT; + } - if (!arg_image) { - if (arg_directory) { - char *p; + if (i->type == IMAGE_GPT) + r = set_sanitized_path(&arg_image, i->path); + else + r = set_sanitized_path(&arg_directory, i->path); + if (r < 0) + return log_error_errno(r, "Invalid image directory: %m"); - p = path_make_absolute_cwd(arg_directory); - free(arg_directory); - arg_directory = p; + arg_read_only = arg_read_only || i->read_only; } else arg_directory = get_current_dir_name(); - if (!arg_directory) { - log_error("Failed to determine path, please use -D."); - goto finish; + if (!arg_directory && !arg_machine) { + log_error("Failed to determine path, please use -D or -i."); + return -EINVAL; } - path_kill_slashes(arg_directory); } if (!arg_machine) { - arg_machine = strdup(basename(arg_image ? arg_image : arg_directory)); - if (!arg_machine) { - log_oom(); - goto finish; - } + if (arg_directory && path_equal(arg_directory, "/")) + arg_machine = gethostname_malloc(); + else + arg_machine = strdup(basename(arg_image ?: arg_directory)); + + if (!arg_machine) + return log_oom(); hostname_cleanup(arg_machine, false); - if (isempty(arg_machine)) { + if (!machine_name_is_valid(arg_machine)) { log_error("Failed to determine machine name automatically, please use -M."); - goto finish; + return -EINVAL; + } + + if (arg_ephemeral) { + char *b; + + /* Add a random suffix when this is an + * ephemeral machine, so that we can run many + * instances at once without manually having + * to specify -M each time. */ + + if (asprintf(&b, "%s-%016" PRIx64, arg_machine, random_u64()) < 0) + return log_oom(); + + free(arg_machine); + arg_machine = b; } } + return 0; +} + +int main(int argc, char *argv[]) { + + _cleanup_free_ char *device_path = NULL, *root_device = NULL, *home_device = NULL, *srv_device = NULL, *console = NULL; + bool root_device_rw = true, home_device_rw = true, srv_device_rw = true; + _cleanup_close_ int master = -1, image_fd = -1; + _cleanup_close_pair_ int kmsg_socket_pair[2] = { -1, -1 }; + _cleanup_fdset_free_ FDSet *fds = NULL; + int r, n_fd_passed, loop_nr = -1; + char veth_name[IFNAMSIZ]; + bool secondary = false, remove_subvol = false; + sigset_t mask, mask_chld; + pid_t pid = 0; + int ret = EXIT_SUCCESS; + + log_parse_environment(); + log_open(); + + r = parse_argv(argc, argv); + if (r <= 0) + goto finish; + + r = determine_names(); + if (r < 0) + goto finish; + if (geteuid() != 0) { log_error("Need to be root."); + r = -EPERM; goto finish; } if (sd_booted() <= 0) { log_error("Not running on a systemd system."); + r = -EINVAL; goto finish; } log_close(); n_fd_passed = sd_listen_fds(false); if (n_fd_passed > 0) { - k = fdset_new_listen_fds(&fds, false); - if (k < 0) { - log_error_errno(k, "Failed to collect file descriptors: %m"); + r = fdset_new_listen_fds(&fds, false); + if (r < 0) { + log_error_errno(r, "Failed to collect file descriptors: %m"); goto finish; } } @@ -2842,14 +3104,67 @@ int main(int argc, char *argv[]) { log_open(); if (arg_directory) { - if (path_equal(arg_directory, "/")) { - log_error("Spawning container on root directory not supported."); + assert(!arg_image); + + if (path_equal(arg_directory, "/") && !arg_ephemeral) { + log_error("Spawning container on root directory is not supported. Consider using --ephemeral."); + r = -EINVAL; goto finish; } + if (arg_template) { + r = btrfs_subvol_snapshot(arg_template, arg_directory, arg_read_only, true); + if (r == -EEXIST) { + if (!arg_quiet) + log_info("Directory %s already exists, not populating from template %s.", arg_directory, arg_template); + } else if (r < 0) { + log_error_errno(r, "Couldn't create snapshort %s from %s: %m", arg_directory, arg_template); + goto finish; + } else { + if (!arg_quiet) + log_info("Populated %s from template %s.", arg_directory, arg_template); + } + + } else if (arg_ephemeral) { + char *np; + + /* If the specified path is a mount point we + * generate the new snapshot immediately + * inside it under a random name. However if + * the specified is not a mount point we + * create the new snapshot in the parent + * directory, just next to it. */ + r = path_is_mount_point(arg_directory, false); + if (r < 0) { + log_error_errno(r, "Failed to determine whether directory %s is mount point: %m", arg_directory); + goto finish; + } + if (r > 0) + r = tempfn_random_child(arg_directory, &np); + else + r = tempfn_random(arg_directory, &np); + if (r < 0) { + log_error_errno(r, "Failed to generate name for snapshot: %m"); + goto finish; + } + + r = btrfs_subvol_snapshot(arg_directory, np, arg_read_only, true); + if (r < 0) { + free(np); + log_error_errno(r, "Failed to create snapshot %s from %s: %m", np, arg_directory); + goto finish; + } + + free(arg_directory); + arg_directory = np; + + remove_subvol = true; + } + if (arg_boot) { if (path_is_os_tree(arg_directory) <= 0) { log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory); + r = -EINVAL; goto finish; } } else { @@ -2859,13 +3174,17 @@ int main(int argc, char *argv[]) { argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/"); if (access(p, F_OK) < 0) { log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory); + r = -EINVAL; goto finish; - } } + } else { char template[] = "/tmp/nspawn-root-XXXXXX"; + assert(arg_image); + assert(!arg_template); + if (!mkdtemp(template)) { log_error_errno(errno, "Failed to create temporary directory: %m"); r = -errno; @@ -2895,34 +3214,30 @@ int main(int argc, char *argv[]) { master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY); if (master < 0) { - log_error_errno(errno, "Failed to acquire pseudo tty: %m"); + r = log_error_errno(errno, "Failed to acquire pseudo tty: %m"); goto finish; } - console = ptsname(master); - if (!console) { - log_error_errno(errno, "Failed to determine tty name: %m"); + r = ptsname_malloc(master, &console); + if (r < 0) { + r = log_error_errno(r, "Failed to determine tty name: %m"); goto finish; } if (!arg_quiet) log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.", - arg_machine, arg_image ? arg_image : arg_directory); + arg_machine, arg_image ?: arg_directory); if (unlockpt(master) < 0) { - log_error_errno(errno, "Failed to unlock tty: %m"); + r = log_error_errno(errno, "Failed to unlock tty: %m"); goto finish; } if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) { - log_error_errno(errno, "Failed to create kmsg socket pair: %m"); + r = log_error_errno(errno, "Failed to create kmsg socket pair: %m"); goto finish; } - sd_notify(false, - "READY=1\n" - "STATUS=Container running."); - assert_se(sigemptyset(&mask) == 0); sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1); assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0); @@ -2949,26 +3264,25 @@ int main(int argc, char *argv[]) { * give it a chance to call wait() and terminate. */ r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL); if (r < 0) { - log_error_errno(errno, "Failed to change the signal mask: %m"); + r = log_error_errno(errno, "Failed to change the signal mask: %m"); goto finish; } r = sigaction(SIGCHLD, &sa, NULL); if (r < 0) { - log_error_errno(errno, "Failed to install SIGCHLD handler: %m"); + r = log_error_errno(errno, "Failed to install SIGCHLD handler: %m"); goto finish; } - pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWNS| - (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)| - (arg_private_network ? CLONE_NEWNET : 0), NULL); + pid = raw_clone(SIGCHLD|CLONE_NEWNS| + (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)| + (arg_private_network ? CLONE_NEWNET : 0), NULL); if (pid < 0) { if (errno == EINVAL) - log_error_errno(errno, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m"); + r = log_error_errno(errno, "clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m"); else - log_error_errno(errno, "clone() failed: %m"); + r = log_error_errno(errno, "clone() failed: %m"); - r = pid; goto finish; } @@ -3007,14 +3321,14 @@ int main(int argc, char *argv[]) { reset_all_signal_handlers(); reset_signal_mask(); - k = open_terminal(console, O_RDWR); - if (k != STDIN_FILENO) { - if (k >= 0) { - safe_close(k); - k = -EINVAL; + r = open_terminal(console, O_RDWR); + if (r != STDIN_FILENO) { + if (r >= 0) { + safe_close(r); + r = -EINVAL; } - log_error_errno(k, "Failed to open console: %m"); + log_error_errno(r, "Failed to open console: %m"); _exit(EXIT_FAILURE); } @@ -3069,9 +3383,9 @@ int main(int argc, char *argv[]) { _exit(EXIT_FAILURE); if (arg_read_only) { - k = bind_remount_recursive(arg_directory, true); - if (k < 0) { - log_error_errno(k, "Failed to make tree read-only: %m"); + r = bind_remount_recursive(arg_directory, true); + if (r < 0) { + log_error_errno(r, "Failed to make tree read-only: %m"); _exit(EXIT_FAILURE); } } @@ -3087,6 +3401,9 @@ int main(int argc, char *argv[]) { dev_setup(arg_directory); + if (setup_propagate(arg_directory) < 0) + _exit(EXIT_FAILURE); + if (setup_seccomp() < 0) _exit(EXIT_FAILURE); @@ -3098,6 +3415,11 @@ int main(int argc, char *argv[]) { kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]); + /* Tell the parent that we are ready, and that + * it can cgroupify us to that we lack access + * to certain devices and resources. */ + (void) barrier_place(&barrier); + if (setup_boot_id(arg_directory) < 0) _exit(EXIT_FAILURE); @@ -3119,10 +3441,12 @@ int main(int argc, char *argv[]) { if (mount_tmpfs(arg_directory) < 0) _exit(EXIT_FAILURE); - /* Tell the parent that we are ready, and that - * it can cgroupify us to that we lack access - * to certain devices and resources. */ - (void)barrier_place(&barrier); + /* Wait until we are cgroup-ified, so that we + * can mount the right cgroup path writable */ + (void) barrier_sync_next(&barrier); + + if (mount_cgroup(arg_directory) < 0) + _exit(EXIT_FAILURE); if (chdir(arg_directory) < 0) { log_error_errno(errno, "chdir(%s) failed: %m", arg_directory); @@ -3175,9 +3499,9 @@ int main(int argc, char *argv[]) { } if (fdset_size(fds) > 0) { - k = fdset_cloexec(fds, false); - if (k < 0) { - log_error("Failed to unset O_CLOEXEC for file descriptors."); + r = fdset_cloexec(fds, false); + if (r < 0) { + log_error_errno(r, "Failed to unset O_CLOEXEC for file descriptors."); _exit(EXIT_FAILURE); } @@ -3261,10 +3585,13 @@ int main(int argc, char *argv[]) { fdset_free(fds); fds = NULL; - /* wait for child-setup to be done */ - if (barrier_place_and_sync(&barrier)) { + /* Wait for the most basic Child-setup to be done, + * before we add hardware to it, and place it in a + * cgroup. */ + if (barrier_sync_next(&barrier)) { _cleanup_event_unref_ sd_event *event = NULL; _cleanup_(pty_forward_freep) PTYForward *forward = NULL; + char last_char = 0; int ifi = 0; r = move_network_interfaces(pid); @@ -3301,7 +3628,14 @@ int main(int argc, char *argv[]) { /* Notify the child that the parent is ready with all * its setup, and that the child can now hand over * control to the code to run inside the container. */ - (void)barrier_place(&barrier); + (void) barrier_place(&barrier); + + /* And wait that the child is completely ready now. */ + (void) barrier_place_and_sync(&barrier); + + sd_notify(false, + "READY=1\n" + "STATUS=Container running."); r = sd_event_new(&event); if (r < 0) { @@ -3322,19 +3656,23 @@ int main(int argc, char *argv[]) { /* simply exit on sigchld */ sd_event_add_signal(event, NULL, SIGCHLD, NULL, NULL); - r = pty_forward_new(event, master, &forward); + r = pty_forward_new(event, master, true, &forward); if (r < 0) { log_error_errno(r, "Failed to create PTY forwarder: %m"); goto finish; } r = sd_event_loop(event); - if (r < 0) - return log_error_errno(r, "Failed to run event loop: %m"); + if (r < 0) { + log_error_errno(r, "Failed to run event loop: %m"); + goto finish; + } + + pty_forward_last_char(forward, &last_char); forward = pty_forward_free(forward); - if (!arg_quiet) + if (!arg_quiet && last_char != '\n') putc('\n', stdout); /* Kill if it is not dead yet anyway */ @@ -3347,16 +3685,17 @@ int main(int argc, char *argv[]) { r = wait_for_container(pid, &container_status); pid = 0; - if (r < 0) { + if (r < 0) /* We failed to wait for the container, or the * container exited abnormally */ - r = EXIT_FAILURE; - break; - } else if (r > 0 || container_status == CONTAINER_TERMINATED) + goto finish; + else if (r > 0 || container_status == CONTAINER_TERMINATED){ /* The container exited with a non-zero * status, or with zero status and no reboot * was requested. */ + ret = r; break; + } /* CONTAINER_REBOOTED, loop again */ @@ -3371,7 +3710,8 @@ int main(int argc, char *argv[]) { * restart. This is necessary since we might * have cgroup parameters set we want to have * flushed out. */ - r = 133; + ret = 133; + r = 0; break; } } @@ -3386,7 +3726,24 @@ finish: if (pid > 0) kill(pid, SIGKILL); + if (remove_subvol && arg_directory) { + int k; + + k = btrfs_subvol_remove(arg_directory); + if (k < 0) + log_warning_errno(k, "Cannot remove subvolume '%s', ignoring: %m", arg_directory); + } + + if (arg_machine) { + const char *p; + + p = strappenda("/run/systemd/nspawn/propagate", arg_machine); + (void) rm_rf(p, false, true, false); + } + free(arg_directory); + free(arg_template); + free(arg_image); free(arg_machine); free(arg_user); strv_free(arg_setenv); @@ -3396,5 +3753,5 @@ finish: strv_free(arg_bind_ro); strv_free(arg_tmpfs); - return r; + return r < 0 ? EXIT_FAILURE : ret; }