X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fnspawn%2Fnspawn.c;h=dd7337bc91351e80632fb57fdad84ab0d5986d2f;hp=09153c87ce2694de46835467aa19f99838ae75b8;hb=9bd37b40fac198fee2ff4eabc8793f1a7f2770fe;hpb=e724b0639c43c2821613fc4f7f755f87c49a22e8 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 09153c87c..dd7337bc9 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -33,21 +33,17 @@ #include #include #include -#include -#include #include #include #include #include #include #include +#include -#ifdef HAVE_XATTR -#include -#endif - -#include - +#include "sd-daemon.h" +#include "sd-bus.h" +#include "sd-id128.h" #include "log.h" #include "util.h" #include "mkdir.h" @@ -58,11 +54,14 @@ #include "strv.h" #include "path-util.h" #include "loopback-setup.h" -#include "sd-id128.h" #include "dev-setup.h" #include "fdset.h" #include "build.h" #include "fileio.h" +#include "bus-util.h" +#include "bus-error.h" +#include "ptyfwd.h" +#include "bus-kernel.h" #ifndef TTY_GID #define TTY_GID 5 @@ -77,9 +76,9 @@ typedef enum LinkJournal { static char *arg_directory = NULL; static char *arg_user = NULL; -static char **arg_controllers = NULL; -static char *arg_uuid = NULL; +static sd_id128_t arg_uuid = {}; static char *arg_machine = NULL; +static const char *arg_slice = NULL; static bool arg_private_network = false; static bool arg_read_only = false; static bool arg_boot = false; @@ -122,14 +121,14 @@ static int help(void) { " -D --directory=NAME Root directory for the container\n" " -b --boot Boot up full system (i.e. invoke init)\n" " -u --user=USER Run the command under specified user or uid\n" - " -C --controllers=LIST Put the container in specified comma-separated\n" - " cgroup hierarchies\n" " --uuid=UUID Set a specific machine UUID for the container\n" " -M --machine=NAME Set the machine name for the container\n" + " -S --slice=SLICE Place the container in the specified slice\n" " --private-network Disable network in container\n" " --read-only Mount the root directory read-only\n" " --capability=CAP In addition to the default, retain specified\n" " capability\n" + " --drop-capability=CAP Drop the specified capability from the default set\n" " --link-journal=MODE Link up guest journal, one of no, auto, guest, host\n" " -j Equivalent to --link-journal=host\n" " --bind=PATH[:PATH] Bind mount a file or directory from the host into\n" @@ -148,6 +147,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_UUID, ARG_READ_ONLY, ARG_CAPABILITY, + ARG_DROP_CAPABILITY, ARG_LINK_JOURNAL, ARG_BIND, ARG_BIND_RO @@ -158,31 +158,31 @@ static int parse_argv(int argc, char *argv[]) { { "version", no_argument, NULL, ARG_VERSION }, { "directory", required_argument, NULL, 'D' }, { "user", required_argument, NULL, 'u' }, - { "controllers", required_argument, NULL, 'C' }, { "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK }, { "boot", no_argument, NULL, 'b' }, { "uuid", required_argument, NULL, ARG_UUID }, { "read-only", no_argument, NULL, ARG_READ_ONLY }, { "capability", required_argument, NULL, ARG_CAPABILITY }, + { "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY }, { "link-journal", required_argument, NULL, ARG_LINK_JOURNAL }, { "bind", required_argument, NULL, ARG_BIND }, { "bind-ro", required_argument, NULL, ARG_BIND_RO }, { "machine", required_argument, NULL, 'M' }, - { NULL, 0, NULL, 0 } + { "slice", required_argument, NULL, 'S' }, + {} }; - int c; + int c, r; assert(argc >= 0); assert(argv); - while ((c = getopt_long(argc, argv, "+hD:u:C:bM:j", options, NULL)) >= 0) { + while ((c = getopt_long(argc, argv, "+hD:u:bM:jS:", options, NULL)) >= 0) { switch (c) { case 'h': - help(); - return 0; + return help(); case ARG_VERSION: puts(PACKAGE_STRING); @@ -193,7 +193,7 @@ static int parse_argv(int argc, char *argv[]) { free(arg_directory); arg_directory = canonicalize_file_name(optarg); if (!arg_directory) { - log_error("Failed to canonicalize root directory."); + log_error("Invalid root directory: %m"); return -ENOMEM; } @@ -207,15 +207,6 @@ static int parse_argv(int argc, char *argv[]) { break; - case 'C': - strv_free(arg_controllers); - arg_controllers = strv_split(optarg, ","); - if (!arg_controllers) - return log_oom(); - - cg_shorten_controllers(arg_controllers); - break; - case ARG_PRIVATE_NETWORK: arg_private_network = true; break; @@ -225,12 +216,18 @@ static int parse_argv(int argc, char *argv[]) { break; case ARG_UUID: - if (!id128_is_valid(optarg)) { + r = sd_id128_from_string(optarg, &arg_uuid); + if (r < 0) { log_error("Invalid UUID: %s", optarg); - return -EINVAL; + return r; } + break; + + case 'S': + arg_slice = strdup(optarg); + if (!arg_slice) + return log_oom(); - arg_uuid = optarg; break; case 'M': @@ -250,7 +247,8 @@ static int parse_argv(int argc, char *argv[]) { arg_read_only = true; break; - case ARG_CAPABILITY: { + case ARG_CAPABILITY: + case ARG_DROP_CAPABILITY: { char *state, *word; size_t length; @@ -269,7 +267,11 @@ static int parse_argv(int argc, char *argv[]) { } free(t); - arg_retain |= 1ULL << (uint64_t) cap; + + if (c == ARG_CAPABILITY) + arg_retain |= 1ULL << (uint64_t) cap; + else + arg_retain &= ~(1ULL << (uint64_t) cap); } break; @@ -300,7 +302,6 @@ static int parse_argv(int argc, char *argv[]) { _cleanup_free_ char *a = NULL, *b = NULL; char *e; char ***x; - int r; x = c == ARG_BIND ? &arg_bind : &arg_bind_ro; @@ -323,11 +324,11 @@ static int parse_argv(int argc, char *argv[]) { r = strv_extend(x, a); if (r < 0) - return r; + return log_oom(); r = strv_extend(x, b); if (r < 0) - return r; + return log_oom(); break; } @@ -336,8 +337,7 @@ static int parse_argv(int argc, char *argv[]) { return -EINVAL; default: - log_error("Unknown option code %c", c); - return -EINVAL; + assert_not_reached("Unhandled option"); } } @@ -419,12 +419,39 @@ static int mount_binds(const char *dest, char **l, unsigned long flags) { STRV_FOREACH_PAIR(x, y, l) { _cleanup_free_ char *where = NULL; + struct stat source_st, dest_st; + + if (stat(*x, &source_st) < 0) { + log_error("failed to stat %s: %m", *x); + return -errno; + } where = strjoin(dest, "/", *y, NULL); if (!where) return log_oom(); - mkdir_p_label(where, 0755); + if (stat(where, &dest_st) == 0) { + if ((source_st.st_mode & S_IFMT) != (dest_st.st_mode & S_IFMT)) { + log_error("The file types of %s and %s do not match. Refusing bind mount", + *x, where); + return -EINVAL; + } + } else { + /* Create the mount point, but be conservative -- refuse to create block + * and char devices. */ + if (S_ISDIR(source_st.st_mode)) + mkdir_p_label(where, 0755); + else if (S_ISFIFO(source_st.st_mode)) + mkfifo(where, 0644); + else if (S_ISSOCK(source_st.st_mode)) + mknod(where, 0644 | S_IFSOCK, 0); + else if (S_ISREG(source_st.st_mode)) + touch(where); + else { + log_error("Refusing to create mountpoint for file: %s", *x); + return -ENOTSUP; + } + } if (mount(*x, where, "bind", MS_BIND, NULL) < 0) { log_error("mount(%s) failed: %m", where); @@ -502,7 +529,6 @@ static int setup_timezone(const char *dest) { static int setup_resolv_conf(const char *dest) { char _cleanup_free_ *where = NULL; - _cleanup_close_ int fd = -1; assert(dest); @@ -514,18 +540,9 @@ static int setup_resolv_conf(const char *dest) { if (!where) return log_oom(); - fd = open(where, O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0644); - /* We don't really care for the results of this really. If it * fails, it fails, but meh... */ - if (mount("/etc/resolv.conf", where, "bind", MS_BIND, NULL) < 0) - log_warning("Failed to bind mount /etc/resolv.conf: %m"); - else - if (mount("/etc/resolv.conf", where, "bind", - MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) { - log_error("Failed to remount /etc/resolv.conf readonly: %m"); - return -errno; - } + copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW); return 0; } @@ -911,327 +928,138 @@ static int setup_journal(const char *directory) { return 0; } -static int setup_cgroup(const char *path) { - char **c; - int r; +static int setup_kdbus(const char *dest, const char *path) { + const char *p; - r = cg_create_and_attach(SYSTEMD_CGROUP_CONTROLLER, path, 1); - if (r < 0) { - log_error("Failed to create cgroup: %s", strerror(-r)); - return r; + if (!path) + return 0; + + p = strappenda(dest, "/dev/kdbus"); + if (mkdir(p, 0755) < 0) { + log_error("Failed to create kdbus path: %m"); + return -errno; } - STRV_FOREACH(c, arg_controllers) { - r = cg_create_and_attach(*c, path, 1); - if (r < 0) - log_warning("Failed to create cgroup in controller %s: %s", *c, strerror(-r)); + if (mount(path, p, "bind", MS_BIND, NULL) < 0) { + log_error("Failed to mount kdbus namespace path: %m"); + return -errno; } return 0; } -static int save_attributes(const char *cgroup, pid_t pid, const char *uuid, const char *directory) { -#ifdef HAVE_XATTR - _cleanup_free_ char *path = NULL; - char buf[DECIMAL_STR_MAX(pid_t)]; - int r = 0, k; - - assert(cgroup); - assert(pid >= 0); - assert(arg_directory); +static int drop_capabilities(void) { + return capability_bounding_set_drop(~arg_retain, false); +} - assert_se(snprintf(buf, sizeof(buf), "%lu", (unsigned long) pid) < (int) sizeof(buf)); +static int register_machine(void) { + _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL; + _cleanup_bus_unref_ sd_bus *bus = NULL; + int r; - r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, cgroup, NULL, &path); + r = sd_bus_open_system(&bus); if (r < 0) { - log_error("Failed to get path: %s", strerror(-r)); + log_error("Failed to open system bus: %s", strerror(-r)); return r; } - r = setxattr(path, "trusted.init_pid", buf, strlen(buf), XATTR_CREATE); - if (r < 0) - log_warning("Failed to set %s attribute on %s: %m", "trusted.init_pid", path); - - if (uuid) { - k = setxattr(path, "trusted.machine_id", uuid, strlen(uuid), XATTR_CREATE); - if (k < 0) { - log_warning("Failed to set %s attribute on %s: %m", "trusted.machine_id", path); - if (r == 0) - r = k; - } + r = sd_bus_call_method( + bus, + "org.freedesktop.machine1", + "/org/freedesktop/machine1", + "org.freedesktop.machine1.Manager", + "CreateMachine", + &error, + NULL, + "sayssusa(sv)", + arg_machine, + SD_BUS_MESSAGE_APPEND_ID128(arg_uuid), + "nspawn", + "container", + (uint32_t) 0, + strempty(arg_directory), + !isempty(arg_slice), "Slice", "s", arg_slice); + if (r < 0) { + log_error("Failed to register machine: %s", bus_error_message(&error, r)); + return r; } - k = setxattr(path, "trusted.root_directory", directory, strlen(directory), XATTR_CREATE); - if (k < 0) { - log_warning("Failed to set %s attribute on %s: %m", "trusted.root_directory", path); - if (r == 0) - r = k; - } - return r; -#else return 0; -#endif -} - -static int drop_capabilities(void) { - return capability_bounding_set_drop(~arg_retain, false); } -static int process_pty(int master, pid_t pid, sigset_t *mask) { - - char in_buffer[LINE_MAX], out_buffer[LINE_MAX]; - size_t in_buffer_full = 0, out_buffer_full = 0; - struct epoll_event stdin_ev, stdout_ev, master_ev, signal_ev; - bool stdin_readable = false, stdout_writable = false, master_readable = false, master_writable = false; - int ep = -1, signal_fd = -1, r; - bool tried_orderly_shutdown = false; - - assert(master >= 0); - assert(pid > 0); - assert(mask); - - fd_nonblock(STDIN_FILENO, 1); - fd_nonblock(STDOUT_FILENO, 1); - fd_nonblock(master, 1); - - signal_fd = signalfd(-1, mask, SFD_NONBLOCK|SFD_CLOEXEC); - if (signal_fd < 0) { - log_error("signalfd(): %m"); - r = -errno; - goto finish; - } - - ep = epoll_create1(EPOLL_CLOEXEC); - if (ep < 0) { - log_error("Failed to create epoll: %m"); - r = -errno; - goto finish; - } - - /* We read from STDIN only if this is actually a TTY, - * otherwise we assume non-interactivity. */ - if (isatty(STDIN_FILENO)) { - zero(stdin_ev); - stdin_ev.events = EPOLLIN|EPOLLET; - stdin_ev.data.fd = STDIN_FILENO; +static int terminate_machine(pid_t pid) { + _cleanup_bus_error_free_ sd_bus_error error = SD_BUS_ERROR_NULL; + _cleanup_bus_message_unref_ sd_bus_message *reply = NULL; + _cleanup_bus_unref_ sd_bus *bus = NULL; + const char *path; + int r; - if (epoll_ctl(ep, EPOLL_CTL_ADD, STDIN_FILENO, &stdin_ev) < 0) { - log_error("Failed to register STDIN in epoll: %m"); - r = -errno; - goto finish; - } + r = sd_bus_default_system(&bus); + if (r < 0) { + log_error("Failed to open system bus: %s", strerror(-r)); + return r; } - zero(stdout_ev); - stdout_ev.events = EPOLLOUT|EPOLLET; - stdout_ev.data.fd = STDOUT_FILENO; - - zero(master_ev); - master_ev.events = EPOLLIN|EPOLLOUT|EPOLLET; - master_ev.data.fd = master; - - zero(signal_ev); - signal_ev.events = EPOLLIN; - signal_ev.data.fd = signal_fd; - - if (epoll_ctl(ep, EPOLL_CTL_ADD, STDOUT_FILENO, &stdout_ev) < 0) { - if (errno != EPERM) { - log_error("Failed to register stdout in epoll: %m"); - r = -errno; - goto finish; - } - /* stdout without epoll support. Likely redirected to regular file. */ - stdout_writable = true; + r = sd_bus_call_method( + bus, + "org.freedesktop.machine1", + "/org/freedesktop/machine1", + "org.freedesktop.machine1.Manager", + "GetMachineByPID", + &error, + &reply, + "u", + (uint32_t) pid); + if (r < 0) { + /* Note that the machine might already have been + * cleaned up automatically, hence don't consider it a + * failure if we cannot get the machine object. */ + log_debug("Failed to get machine: %s", bus_error_message(&error, r)); + return 0; } - if (epoll_ctl(ep, EPOLL_CTL_ADD, master, &master_ev) < 0 || - epoll_ctl(ep, EPOLL_CTL_ADD, signal_fd, &signal_ev) < 0) { - log_error("Failed to register fds in epoll: %m"); - r = -errno; - goto finish; + r = sd_bus_message_read(reply, "o", &path); + if (r < 0) + return bus_log_parse_error(r); + + r = sd_bus_call_method( + bus, + "org.freedesktop.machine1", + path, + "org.freedesktop.machine1.Machine", + "Terminate", + &error, + NULL, + NULL); + if (r < 0) { + log_debug("Failed to terminate machine: %s", bus_error_message(&error, r)); + return 0; } - for (;;) { - struct epoll_event ev[16]; - ssize_t k; - int i, nfds; - - nfds = epoll_wait(ep, ev, ELEMENTSOF(ev), -1); - if (nfds < 0) { - - if (errno == EINTR || errno == EAGAIN) - continue; - - log_error("epoll_wait(): %m"); - r = -errno; - goto finish; - } - - assert(nfds >= 1); - - for (i = 0; i < nfds; i++) { - if (ev[i].data.fd == STDIN_FILENO) { - - if (ev[i].events & (EPOLLIN|EPOLLHUP)) - stdin_readable = true; - - } else if (ev[i].data.fd == STDOUT_FILENO) { - - if (ev[i].events & (EPOLLOUT|EPOLLHUP)) - stdout_writable = true; - - } else if (ev[i].data.fd == master) { - - if (ev[i].events & (EPOLLIN|EPOLLHUP)) - master_readable = true; - - if (ev[i].events & (EPOLLOUT|EPOLLHUP)) - master_writable = true; - - } else if (ev[i].data.fd == signal_fd) { - struct signalfd_siginfo sfsi; - ssize_t n; - - n = read(signal_fd, &sfsi, sizeof(sfsi)); - if (n != sizeof(sfsi)) { - - if (n >= 0) { - log_error("Failed to read from signalfd: invalid block size"); - r = -EIO; - goto finish; - } - - if (errno != EINTR && errno != EAGAIN) { - log_error("Failed to read from signalfd: %m"); - r = -errno; - goto finish; - } - } else { - - if (sfsi.ssi_signo == SIGWINCH) { - struct winsize ws; - - /* The window size changed, let's forward that. */ - if (ioctl(STDIN_FILENO, TIOCGWINSZ, &ws) >= 0) - ioctl(master, TIOCSWINSZ, &ws); - } else if (sfsi.ssi_signo == SIGTERM && arg_boot && !tried_orderly_shutdown) { - - log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination."); - - /* This only works for systemd... */ - tried_orderly_shutdown = true; - kill(pid, SIGRTMIN+3); - - } else { - r = 0; - goto finish; - } - } - } - } - - while ((stdin_readable && in_buffer_full <= 0) || - (master_writable && in_buffer_full > 0) || - (master_readable && out_buffer_full <= 0) || - (stdout_writable && out_buffer_full > 0)) { - - if (stdin_readable && in_buffer_full < LINE_MAX) { - - k = read(STDIN_FILENO, in_buffer + in_buffer_full, LINE_MAX - in_buffer_full); - if (k < 0) { - - if (errno == EAGAIN || errno == EPIPE || errno == ECONNRESET || errno == EIO) - stdin_readable = false; - else { - log_error("read(): %m"); - r = -errno; - goto finish; - } - } else - in_buffer_full += (size_t) k; - } - - if (master_writable && in_buffer_full > 0) { - - k = write(master, in_buffer, in_buffer_full); - if (k < 0) { - - if (errno == EAGAIN || errno == EPIPE || errno == ECONNRESET || errno == EIO) - master_writable = false; - else { - log_error("write(): %m"); - r = -errno; - goto finish; - } - - } else { - assert(in_buffer_full >= (size_t) k); - memmove(in_buffer, in_buffer + k, in_buffer_full - k); - in_buffer_full -= k; - } - } - - if (master_readable && out_buffer_full < LINE_MAX) { - - k = read(master, out_buffer + out_buffer_full, LINE_MAX - out_buffer_full); - if (k < 0) { - - if (errno == EAGAIN || errno == EPIPE || errno == ECONNRESET || errno == EIO) - master_readable = false; - else { - log_error("read(): %m"); - r = -errno; - goto finish; - } - } else - out_buffer_full += (size_t) k; - } - - if (stdout_writable && out_buffer_full > 0) { + return 0; +} - k = write(STDOUT_FILENO, out_buffer, out_buffer_full); - if (k < 0) { +static bool audit_enabled(void) { + int fd; - if (errno == EAGAIN || errno == EPIPE || errno == ECONNRESET || errno == EIO) - stdout_writable = false; - else { - log_error("write(): %m"); - r = -errno; - goto finish; - } - - } else { - assert(out_buffer_full >= (size_t) k); - memmove(out_buffer, out_buffer + k, out_buffer_full - k); - out_buffer_full -= k; - } - } - } + fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT); + if (fd >= 0) { + close_nointr_nofail(fd); + return true; } - -finish: - if (ep >= 0) - close_nointr_nofail(ep); - - if (signal_fd >= 0) - close_nointr_nofail(signal_fd); - - return r; + return false; } int main(int argc, char *argv[]) { pid_t pid = 0; int r = EXIT_FAILURE, k; - _cleanup_free_ char *newcg = NULL; - _cleanup_close_ int master = -1; + _cleanup_close_ int master = -1, kdbus_fd = -1; int n_fd_passed; const char *console = NULL; - struct termios saved_attr, raw_attr; sigset_t mask; - bool saved_attr_valid = false; - struct winsize ws; - int kmsg_socket_pair[2] = { -1, -1 }; - FDSet *fds = NULL; + _cleanup_close_pipe_ int kmsg_socket_pair[2] = { -1, -1 }; + _cleanup_fdset_free_ FDSet *fds = NULL; + _cleanup_free_ char *kdbus_namespace = NULL; log_parse_environment(); log_open(); @@ -1284,6 +1112,13 @@ int main(int argc, char *argv[]) { goto finish; } + if (arg_boot && audit_enabled()) { + log_warning("The kernel auditing subsystem is known to be incompatible with containers.\n" + "Please make sure to turn off auditing with 'audit=0' on the kernel command\n" + "line before using systemd-nspawn. Sleeping for 5s...\n"); + sleep(5); + } + if (path_equal(arg_directory, "/")) { log_error("Spawning container on root directory not supported."); goto finish; @@ -1306,22 +1141,6 @@ int main(int argc, char *argv[]) { fdset_close_others(fds); log_open(); - k = cg_get_machine_path(arg_machine, &newcg); - if (k < 0) { - log_error("Failed to determine machine cgroup path: %s", strerror(-k)); - goto finish; - } - - k = cg_is_empty_recursive(SYSTEMD_CGROUP_CONTROLLER, newcg, true); - if (k <= 0 && k != -ENOENT) { - log_error("Container already running."); - - free(newcg); - newcg = NULL; - - goto finish; - } - master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY); if (master < 0) { log_error("Failed to acquire pseudo tty: %m"); @@ -1334,23 +1153,18 @@ int main(int argc, char *argv[]) { goto finish; } - log_info("Spawning namespace container on %s (console is %s).", arg_directory, console); - - if (ioctl(STDIN_FILENO, TIOCGWINSZ, &ws) >= 0) - ioctl(master, TIOCSWINSZ, &ws); + log_info("Spawning container %s on %s. Press ^] three times within 1s to abort execution.", arg_machine, arg_directory); if (unlockpt(master) < 0) { log_error("Failed to unlock tty: %m"); goto finish; } - if (tcgetattr(STDIN_FILENO, &saved_attr) >= 0) { - saved_attr_valid = true; - - raw_attr = saved_attr; - cfmakeraw(&raw_attr); - raw_attr.c_lflag &= ~ECHO; - } + kdbus_fd = bus_kernel_create_namespace(arg_machine, &kdbus_namespace); + if (r < 0) + log_debug("Failed to create kdbus namespace: %s", strerror(-r)); + else + log_debug("Successfully created kdbus namespace as %s", kdbus_namespace); if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_NONBLOCK|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0) { log_error("Failed to create kmsg socket pair."); @@ -1365,18 +1179,6 @@ int main(int argc, char *argv[]) { for (;;) { siginfo_t status; - int pipefd[2], pipefd2[2]; - - if (pipe2(pipefd, O_NONBLOCK|O_CLOEXEC) < 0) { - log_error("pipe2(): %m"); - goto finish; - } - - if (pipe2(pipefd2, O_NONBLOCK|O_CLOEXEC) < 0) { - log_error("pipe2(): %m"); - close_pipe(pipefd); - goto finish; - } pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS|(arg_private_network ? CLONE_NEWNET : 0), NULL); if (pid < 0) { @@ -1411,21 +1213,9 @@ int main(int argc, char *argv[]) { if (envp[n_env]) n_env ++; - /* Wait for the parent process to log our PID */ - close_nointr_nofail(pipefd[1]); - fd_wait_for_event(pipefd[0], POLLHUP, -1); - close_nointr_nofail(pipefd[0]); - close_nointr_nofail(master); master = -1; - if (saved_attr_valid) { - if (tcsetattr(STDIN_FILENO, TCSANOW, &raw_attr) < 0) { - log_error("Failed to set terminal attributes: %m"); - goto child_fail; - } - } - close_nointr(STDIN_FILENO); close_nointr(STDOUT_FILENO); close_nointr(STDERR_FILENO); @@ -1465,10 +1255,9 @@ int main(int argc, char *argv[]) { goto child_fail; } - if (setup_cgroup(newcg) < 0) - goto child_fail; - - close_pipe(pipefd2); + r = register_machine(); + if (r < 0) + goto finish; /* Mark everything as slave, so that we still * receive mounts from the real root, but don't @@ -1528,6 +1317,9 @@ int main(int argc, char *argv[]) { if (mount_binds(arg_directory, arg_bind_ro, MS_RDONLY) < 0) goto child_fail; + if (setup_kdbus(arg_directory, kdbus_namespace) < 0) + goto child_fail; + if (chdir(arg_directory) < 0) { log_error("chdir(%s) failed: %m", arg_directory); goto child_fail; @@ -1620,8 +1412,8 @@ int main(int argc, char *argv[]) { goto child_fail; } - if (arg_uuid) { - if (asprintf((char**)(envp + n_env++), "container_uuid=%s", arg_uuid) < 0) { + if (!sd_id128_equal(arg_uuid, SD_ID128_NULL)) { + if (asprintf((char**)(envp + n_env++), "container_uuid=" SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(arg_uuid)) < 0) { log_oom(); goto child_fail; } @@ -1635,7 +1427,7 @@ int main(int argc, char *argv[]) { } if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", n_fd_passed) < 0) || - (asprintf((char **)(envp + n_env++), "LISTEN_PID=%lu", (unsigned long) 1) < 0)) { + (asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0)) { log_oom(); goto child_fail; } @@ -1674,27 +1466,26 @@ int main(int argc, char *argv[]) { _exit(EXIT_FAILURE); } - log_info("Init process in the container running as PID %lu.", (unsigned long) pid); - close_nointr_nofail(pipefd[0]); - close_nointr_nofail(pipefd[1]); - - /* Wait for the child process to establish cgroup hierarchy */ - close_nointr_nofail(pipefd2[1]); - fd_wait_for_event(pipefd2[0], POLLHUP, -1); - close_nointr_nofail(pipefd2[0]); - - save_attributes(newcg, pid, arg_uuid, arg_directory); - fdset_free(fds); fds = NULL; - if (process_pty(master, pid, &mask) < 0) - goto finish; + k = process_pty(master, &mask, arg_boot ? pid : 0, SIGRTMIN+3); + if (k < 0) { + r = EXIT_FAILURE; + break; + } + + putc('\n', stdout); - if (saved_attr_valid) - tcsetattr(STDIN_FILENO, TCSANOW, &saved_attr); + /* Kill if it is not dead yet anyway */ + terminate_machine(pid); + + /* Redundant, but better safe than sorry */ + kill(pid, SIGKILL); k = wait_for_terminate(pid, &status); + pid = 0; + if (k < 0) { r = EXIT_FAILURE; break; @@ -1703,48 +1494,40 @@ int main(int argc, char *argv[]) { if (status.si_code == CLD_EXITED) { r = status.si_status; if (status.si_status != 0) { - log_error("Container failed with error code %i.", status.si_status); + log_error("Container %s failed with error code %i.", arg_machine, status.si_status); break; } - log_debug("Container exited successfully."); + log_debug("Container %s exited successfully.", arg_machine); break; } else if (status.si_code == CLD_KILLED && status.si_status == SIGINT) { - log_info("Container has been shut down."); + log_info("Container %s has been shut down.", arg_machine); r = 0; break; } else if (status.si_code == CLD_KILLED && status.si_status == SIGHUP) { - log_info("Container is being rebooted."); + log_info("Container %s is being rebooted.", arg_machine); continue; } else if (status.si_code == CLD_KILLED || status.si_code == CLD_DUMPED) { - log_error("Container terminated by signal %s.", signal_to_string(status.si_status)); + log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status)); r = EXIT_FAILURE; break; } else { - log_error("Container failed due to unknown reason."); + log_error("Container %s failed due to unknown reason.", arg_machine); r = EXIT_FAILURE; break; } } finish: - if (saved_attr_valid) - tcsetattr(STDIN_FILENO, TCSANOW, &saved_attr); - - close_pipe(kmsg_socket_pair); - - if (newcg) - cg_kill_recursive_and_wait(SYSTEMD_CGROUP_CONTROLLER, newcg, true); + if (pid > 0) + kill(pid, SIGKILL); free(arg_directory); free(arg_machine); - strv_free(arg_controllers); - - fdset_free(fds); return r; }