2017-11-18 17:09:20 +01:00
|
|
|
|
/* SPDX-License-Identifier: LGPL-2.1+ */
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
2015-10-23 18:52:53 +02:00
|
|
|
|
#include <sys/mount.h>
|
2015-10-24 22:58:24 +02:00
|
|
|
|
#include <linux/magic.h>
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
2015-10-27 03:01:06 +01:00
|
|
|
|
#include "alloc-util.h"
|
2015-10-23 18:52:53 +02:00
|
|
|
|
#include "escape.h"
|
2016-06-23 13:41:56 +02:00
|
|
|
|
#include "fd-util.h"
|
2015-10-26 21:16:26 +01:00
|
|
|
|
#include "fs-util.h"
|
2015-09-07 15:59:52 +02:00
|
|
|
|
#include "label.h"
|
2015-10-23 18:52:53 +02:00
|
|
|
|
#include "mkdir.h"
|
2015-10-26 18:44:13 +01:00
|
|
|
|
#include "mount-util.h"
|
2018-11-29 10:24:39 +01:00
|
|
|
|
#include "mountpoint-util.h"
|
2015-10-26 16:18:16 +01:00
|
|
|
|
#include "nspawn-mount.h"
|
|
|
|
|
|
#include "parse-util.h"
|
2015-10-23 18:52:53 +02:00
|
|
|
|
#include "path-util.h"
|
|
|
|
|
|
#include "rm-rf.h"
|
2015-09-07 15:59:52 +02:00
|
|
|
|
#include "set.h"
|
2019-03-13 12:14:47 +01:00
|
|
|
|
#include "sort-util.h"
|
2015-10-26 22:01:44 +01:00
|
|
|
|
#include "stat-util.h"
|
2015-10-24 22:58:24 +02:00
|
|
|
|
#include "string-util.h"
|
2015-10-23 18:52:53 +02:00
|
|
|
|
#include "strv.h"
|
2018-11-30 21:05:27 +01:00
|
|
|
|
#include "tmpfile-util.h"
|
2015-10-27 00:42:07 +01:00
|
|
|
|
#include "user-util.h"
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
2018-04-27 22:01:54 +02:00
|
|
|
|
CustomMount* custom_mount_add(CustomMount **l, size_t *n, CustomMountType t) {
|
2015-09-07 15:59:52 +02:00
|
|
|
|
CustomMount *c, *ret;
|
|
|
|
|
|
|
|
|
|
|
|
assert(l);
|
|
|
|
|
|
assert(n);
|
|
|
|
|
|
assert(t >= 0);
|
|
|
|
|
|
assert(t < _CUSTOM_MOUNT_TYPE_MAX);
|
|
|
|
|
|
|
2018-02-26 21:20:00 +01:00
|
|
|
|
c = reallocarray(*l, *n + 1, sizeof(CustomMount));
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (!c)
|
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
|
|
*l = c;
|
|
|
|
|
|
ret = *l + *n;
|
|
|
|
|
|
(*n)++;
|
|
|
|
|
|
|
|
|
|
|
|
*ret = (CustomMount) { .type = t };
|
|
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-27 22:01:54 +02:00
|
|
|
|
void custom_mount_free_all(CustomMount *l, size_t n) {
|
|
|
|
|
|
size_t i;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < n; i++) {
|
|
|
|
|
|
CustomMount *m = l + i;
|
|
|
|
|
|
|
|
|
|
|
|
free(m->source);
|
|
|
|
|
|
free(m->destination);
|
|
|
|
|
|
free(m->options);
|
|
|
|
|
|
|
|
|
|
|
|
if (m->work_dir) {
|
|
|
|
|
|
(void) rm_rf(m->work_dir, REMOVE_ROOT|REMOVE_PHYSICAL);
|
|
|
|
|
|
free(m->work_dir);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2016-11-30 18:57:42 +01:00
|
|
|
|
if (m->rm_rf_tmpdir) {
|
|
|
|
|
|
(void) rm_rf(m->rm_rf_tmpdir, REMOVE_ROOT|REMOVE_PHYSICAL);
|
|
|
|
|
|
free(m->rm_rf_tmpdir);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2015-09-07 15:59:52 +02:00
|
|
|
|
strv_free(m->lower);
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
free(m->type_argument);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
free(l);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-09-18 01:39:24 +02:00
|
|
|
|
static int custom_mount_compare(const CustomMount *a, const CustomMount *b) {
|
2015-09-07 15:59:52 +02:00
|
|
|
|
int r;
|
|
|
|
|
|
|
2018-09-18 01:39:24 +02:00
|
|
|
|
r = path_compare(a->destination, b->destination);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (r != 0)
|
|
|
|
|
|
return r;
|
|
|
|
|
|
|
2018-09-18 01:39:24 +02:00
|
|
|
|
return CMP(a->type, b->type);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2016-11-30 16:02:47 +01:00
|
|
|
|
static bool source_path_is_valid(const char *p) {
|
|
|
|
|
|
assert(p);
|
|
|
|
|
|
|
|
|
|
|
|
if (*p == '+')
|
|
|
|
|
|
p++;
|
|
|
|
|
|
|
|
|
|
|
|
return path_is_absolute(p);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static char *resolve_source_path(const char *dest, const char *source) {
|
|
|
|
|
|
|
|
|
|
|
|
if (!source)
|
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
|
|
if (source[0] == '+')
|
|
|
|
|
|
return prefix_root(dest, source + 1);
|
|
|
|
|
|
|
|
|
|
|
|
return strdup(source);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-27 22:01:54 +02:00
|
|
|
|
int custom_mount_prepare_all(const char *dest, CustomMount *l, size_t n) {
|
|
|
|
|
|
size_t i;
|
2016-11-30 16:02:47 +01:00
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
/* Prepare all custom mounts. This will make source we know all temporary directories. This is called in the
|
|
|
|
|
|
* parent process, so that we know the temporary directories to remove on exit before we fork off the
|
|
|
|
|
|
* children. */
|
|
|
|
|
|
|
|
|
|
|
|
assert(l || n == 0);
|
|
|
|
|
|
|
|
|
|
|
|
/* Order the custom mounts, and make sure we have a working directory */
|
2018-09-18 01:39:24 +02:00
|
|
|
|
typesafe_qsort(l, n, custom_mount_compare);
|
2016-11-30 16:02:47 +01:00
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < n; i++) {
|
|
|
|
|
|
CustomMount *m = l + i;
|
|
|
|
|
|
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
/* /proc we mount in the inner child, i.e. when we acquired CLONE_NEWPID. All other mounts we mount
|
|
|
|
|
|
* already in the outer child, so that the mounts are already established before CLONE_NEWPID and in
|
|
|
|
|
|
* particular CLONE_NEWUSER. This also means any custom mounts below /proc also need to be mounted in
|
|
|
|
|
|
* the inner child, not the outer one. Determine this here. */
|
|
|
|
|
|
m->in_userns = path_startswith(m->destination, "/proc");
|
2016-11-30 16:02:47 +01:00
|
|
|
|
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
if (m->type == CUSTOM_MOUNT_BIND) {
|
|
|
|
|
|
if (m->source) {
|
|
|
|
|
|
char *s;
|
2016-11-30 16:02:47 +01:00
|
|
|
|
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
s = resolve_source_path(dest, m->source);
|
|
|
|
|
|
if (!s)
|
|
|
|
|
|
return log_oom();
|
2016-11-30 18:57:42 +01:00
|
|
|
|
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
free_and_replace(m->source, s);
|
|
|
|
|
|
} else {
|
|
|
|
|
|
/* No source specified? In that case, use a throw-away temporary directory in /var/tmp */
|
2016-11-30 18:57:42 +01:00
|
|
|
|
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
m->rm_rf_tmpdir = strdup("/var/tmp/nspawn-temp-XXXXXX");
|
|
|
|
|
|
if (!m->rm_rf_tmpdir)
|
|
|
|
|
|
return log_oom();
|
2016-11-30 18:57:42 +01:00
|
|
|
|
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
if (!mkdtemp(m->rm_rf_tmpdir)) {
|
|
|
|
|
|
m->rm_rf_tmpdir = mfree(m->rm_rf_tmpdir);
|
|
|
|
|
|
return log_error_errno(errno, "Failed to acquire temporary directory: %m");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
m->source = strjoin(m->rm_rf_tmpdir, "/src");
|
|
|
|
|
|
if (!m->source)
|
|
|
|
|
|
return log_oom();
|
2016-11-30 18:57:42 +01:00
|
|
|
|
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
if (mkdir(m->source, 0755) < 0)
|
|
|
|
|
|
return log_error_errno(errno, "Failed to create %s: %m", m->source);
|
|
|
|
|
|
}
|
2016-11-30 16:02:47 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (m->type == CUSTOM_MOUNT_OVERLAY) {
|
|
|
|
|
|
char **j;
|
|
|
|
|
|
|
|
|
|
|
|
STRV_FOREACH(j, m->lower) {
|
|
|
|
|
|
char *s;
|
|
|
|
|
|
|
|
|
|
|
|
s = resolve_source_path(dest, *j);
|
|
|
|
|
|
if (!s)
|
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
|
2018-04-27 22:03:14 +02:00
|
|
|
|
free_and_replace(*j, s);
|
2016-11-30 16:02:47 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (m->work_dir) {
|
|
|
|
|
|
char *s;
|
|
|
|
|
|
|
|
|
|
|
|
s = resolve_source_path(dest, m->work_dir);
|
|
|
|
|
|
if (!s)
|
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
|
2018-04-27 22:03:14 +02:00
|
|
|
|
free_and_replace(m->work_dir, s);
|
2016-11-30 16:02:47 +01:00
|
|
|
|
} else {
|
|
|
|
|
|
assert(m->source);
|
|
|
|
|
|
|
|
|
|
|
|
r = tempfn_random(m->source, NULL, &m->work_dir);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_error_errno(r, "Failed to acquire working directory: %m");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
(void) mkdir_label(m->work_dir, 0700);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-27 22:01:54 +02:00
|
|
|
|
int bind_mount_parse(CustomMount **l, size_t *n, const char *s, bool read_only) {
|
2015-09-07 15:59:52 +02:00
|
|
|
|
_cleanup_free_ char *source = NULL, *destination = NULL, *opts = NULL;
|
|
|
|
|
|
const char *p = s;
|
|
|
|
|
|
CustomMount *m;
|
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(l);
|
|
|
|
|
|
assert(n);
|
|
|
|
|
|
|
|
|
|
|
|
r = extract_many_words(&p, ":", EXTRACT_DONT_COALESCE_SEPARATORS, &source, &destination, NULL);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return r;
|
|
|
|
|
|
if (r == 0)
|
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
if (r == 1) {
|
2016-11-30 16:02:47 +01:00
|
|
|
|
destination = strdup(source[0] == '+' ? source+1 : source);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (!destination)
|
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
}
|
|
|
|
|
|
if (r == 2 && !isempty(p)) {
|
|
|
|
|
|
opts = strdup(p);
|
|
|
|
|
|
if (!opts)
|
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2016-11-30 18:57:42 +01:00
|
|
|
|
if (isempty(source))
|
2019-03-11 14:27:29 +01:00
|
|
|
|
source = mfree(source);
|
2016-11-30 18:57:42 +01:00
|
|
|
|
else if (!source_path_is_valid(source))
|
2015-09-07 15:59:52 +02:00
|
|
|
|
return -EINVAL;
|
2016-11-30 18:57:42 +01:00
|
|
|
|
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (!path_is_absolute(destination))
|
|
|
|
|
|
return -EINVAL;
|
2018-12-19 00:01:22 +01:00
|
|
|
|
if (empty_or_root(destination))
|
|
|
|
|
|
return -EINVAL;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
|
|
|
|
|
m = custom_mount_add(l, n, CUSTOM_MOUNT_BIND);
|
|
|
|
|
|
if (!m)
|
2016-11-29 23:47:24 +01:00
|
|
|
|
return -ENOMEM;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
2019-03-11 14:27:29 +01:00
|
|
|
|
m->source = TAKE_PTR(source);
|
|
|
|
|
|
m->destination = TAKE_PTR(destination);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
m->read_only = read_only;
|
2019-03-11 14:27:29 +01:00
|
|
|
|
m->options = TAKE_PTR(opts);
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
|
2015-09-07 15:59:52 +02:00
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-27 22:01:54 +02:00
|
|
|
|
int tmpfs_mount_parse(CustomMount **l, size_t *n, const char *s) {
|
2015-09-07 15:59:52 +02:00
|
|
|
|
_cleanup_free_ char *path = NULL, *opts = NULL;
|
|
|
|
|
|
const char *p = s;
|
|
|
|
|
|
CustomMount *m;
|
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(l);
|
|
|
|
|
|
assert(n);
|
|
|
|
|
|
assert(s);
|
|
|
|
|
|
|
|
|
|
|
|
r = extract_first_word(&p, &path, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return r;
|
|
|
|
|
|
if (r == 0)
|
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
|
|
if (isempty(p))
|
|
|
|
|
|
opts = strdup("mode=0755");
|
|
|
|
|
|
else
|
|
|
|
|
|
opts = strdup(p);
|
|
|
|
|
|
if (!opts)
|
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
|
|
if (!path_is_absolute(path))
|
|
|
|
|
|
return -EINVAL;
|
2018-12-19 00:01:22 +01:00
|
|
|
|
if (empty_or_root(path))
|
|
|
|
|
|
return -EINVAL;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
|
|
|
|
|
m = custom_mount_add(l, n, CUSTOM_MOUNT_TMPFS);
|
|
|
|
|
|
if (!m)
|
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
2018-04-05 07:26:26 +02:00
|
|
|
|
m->destination = TAKE_PTR(path);
|
|
|
|
|
|
m->options = TAKE_PTR(opts);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-04-27 22:01:54 +02:00
|
|
|
|
int overlay_mount_parse(CustomMount **l, size_t *n, const char *s, bool read_only) {
|
2016-11-29 23:47:58 +01:00
|
|
|
|
_cleanup_free_ char *upper = NULL, *destination = NULL;
|
|
|
|
|
|
_cleanup_strv_free_ char **lower = NULL;
|
|
|
|
|
|
CustomMount *m;
|
2016-11-30 16:02:47 +01:00
|
|
|
|
int k;
|
2016-11-29 23:47:58 +01:00
|
|
|
|
|
2016-11-30 16:02:47 +01:00
|
|
|
|
k = strv_split_extract(&lower, s, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
|
|
|
|
|
|
if (k < 0)
|
|
|
|
|
|
return k;
|
2016-11-29 23:47:58 +01:00
|
|
|
|
if (k < 2)
|
|
|
|
|
|
return -EADDRNOTAVAIL;
|
|
|
|
|
|
if (k == 2) {
|
2016-11-30 16:02:47 +01:00
|
|
|
|
/* If two parameters are specified, the first one is the lower, the second one the upper directory. And
|
|
|
|
|
|
* we'll also define the destination mount point the same as the upper. */
|
|
|
|
|
|
|
|
|
|
|
|
if (!source_path_is_valid(lower[0]) ||
|
|
|
|
|
|
!source_path_is_valid(lower[1]))
|
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
2018-03-22 16:53:26 +01:00
|
|
|
|
upper = TAKE_PTR(lower[1]);
|
2016-11-29 23:47:58 +01:00
|
|
|
|
|
2016-11-30 16:02:47 +01:00
|
|
|
|
destination = strdup(upper[0] == '+' ? upper+1 : upper); /* take the destination without "+" prefix */
|
2016-11-29 23:47:58 +01:00
|
|
|
|
if (!destination)
|
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
} else {
|
2016-11-30 18:57:42 +01:00
|
|
|
|
char **i;
|
2016-11-30 16:02:47 +01:00
|
|
|
|
|
|
|
|
|
|
/* If more than two parameters are specified, the last one is the destination, the second to last one
|
|
|
|
|
|
* the "upper", and all before that the "lower" directories. */
|
|
|
|
|
|
|
2016-11-29 23:47:58 +01:00
|
|
|
|
destination = lower[k - 1];
|
2018-03-22 16:53:26 +01:00
|
|
|
|
upper = TAKE_PTR(lower[k - 2]);
|
2016-11-30 16:02:47 +01:00
|
|
|
|
|
2016-11-30 18:57:42 +01:00
|
|
|
|
STRV_FOREACH(i, lower)
|
|
|
|
|
|
if (!source_path_is_valid(*i))
|
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
|
|
/* If the upper directory is unspecified, then let's create it automatically as a throw-away directory
|
|
|
|
|
|
* in /var/tmp */
|
|
|
|
|
|
if (isempty(upper))
|
2019-03-15 15:53:02 +01:00
|
|
|
|
upper = mfree(upper);
|
2016-11-30 18:57:42 +01:00
|
|
|
|
else if (!source_path_is_valid(upper))
|
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
2016-11-30 16:02:47 +01:00
|
|
|
|
if (!path_is_absolute(destination))
|
|
|
|
|
|
return -EINVAL;
|
2016-11-29 23:47:58 +01:00
|
|
|
|
}
|
|
|
|
|
|
|
2018-12-19 00:01:22 +01:00
|
|
|
|
if (empty_or_root(destination))
|
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
2016-11-29 23:47:58 +01:00
|
|
|
|
m = custom_mount_add(l, n, CUSTOM_MOUNT_OVERLAY);
|
|
|
|
|
|
if (!m)
|
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
2018-04-05 07:26:26 +02:00
|
|
|
|
m->destination = TAKE_PTR(destination);
|
|
|
|
|
|
m->source = TAKE_PTR(upper);
|
|
|
|
|
|
m->lower = TAKE_PTR(lower);
|
2016-11-29 23:47:58 +01:00
|
|
|
|
m->read_only = read_only;
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
int inaccessible_mount_parse(CustomMount **l, size_t *n, const char *s) {
|
|
|
|
|
|
_cleanup_free_ char *path = NULL;
|
|
|
|
|
|
CustomMount *m;
|
|
|
|
|
|
|
|
|
|
|
|
assert(l);
|
|
|
|
|
|
assert(n);
|
|
|
|
|
|
assert(s);
|
|
|
|
|
|
|
|
|
|
|
|
if (!path_is_absolute(s))
|
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
|
|
path = strdup(s);
|
|
|
|
|
|
if (!path)
|
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
|
|
m = custom_mount_add(l, n, CUSTOM_MOUNT_INACCESSIBLE);
|
|
|
|
|
|
if (!m)
|
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
|
|
m->destination = TAKE_PTR(path);
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-07-08 00:57:08 +02:00
|
|
|
|
int tmpfs_patch_options(
|
2015-09-07 15:59:52 +02:00
|
|
|
|
const char *options,
|
nspawn: Simplify tmpfs_patch_options() usage, and trickle that up
One of the things that tmpfs_patch_options does is take an (optional) UID,
and insert "uid=${UID},gid=${UID}" into the options string. So we need a
uid_t argument, and a way of telling if we should use it. Fortunately,
that is built in to the uid_t type by having UID_INVALID as a possible
value.
So this is really a feature that requires one argument. Yet, it is somehow
taking 4! That is absurd. Simplify it to only take one argument, and have
that trickle all the way up to mount_all()'s usage.
Now, in may of the uses, the argument becomes
uid_shift == 0 ? UID_INVALID : uid_shift
because it used to treat uid_shift=0 as invalid unless the patch_ids flag
was also set. This keeps the behavior the same. Note that in all cases
where it is invoked, if !use_userns (sometimes called !userns), then
uid_shift is 0; we don't have to add any checks for that.
That said, I'm pretty sure that "uid=0" and not setting "uid=" are the
same, but Christian Brauner seemed to not think so when implementing the
cgns support. https://github.com/systemd/systemd/pull/3589
2017-06-14 00:06:09 +02:00
|
|
|
|
uid_t uid_shift,
|
2015-09-07 15:59:52 +02:00
|
|
|
|
const char *selinux_apifs_context,
|
|
|
|
|
|
char **ret) {
|
|
|
|
|
|
|
|
|
|
|
|
char *buf = NULL;
|
|
|
|
|
|
|
nspawn: Simplify tmpfs_patch_options() usage, and trickle that up
One of the things that tmpfs_patch_options does is take an (optional) UID,
and insert "uid=${UID},gid=${UID}" into the options string. So we need a
uid_t argument, and a way of telling if we should use it. Fortunately,
that is built in to the uid_t type by having UID_INVALID as a possible
value.
So this is really a feature that requires one argument. Yet, it is somehow
taking 4! That is absurd. Simplify it to only take one argument, and have
that trickle all the way up to mount_all()'s usage.
Now, in may of the uses, the argument becomes
uid_shift == 0 ? UID_INVALID : uid_shift
because it used to treat uid_shift=0 as invalid unless the patch_ids flag
was also set. This keeps the behavior the same. Note that in all cases
where it is invoked, if !use_userns (sometimes called !userns), then
uid_shift is 0; we don't have to add any checks for that.
That said, I'm pretty sure that "uid=0" and not setting "uid=" are the
same, but Christian Brauner seemed to not think so when implementing the
cgns support. https://github.com/systemd/systemd/pull/3589
2017-06-14 00:06:09 +02:00
|
|
|
|
if (uid_shift != UID_INVALID) {
|
2016-10-23 17:57:55 +02:00
|
|
|
|
if (asprintf(&buf, "%s%suid=" UID_FMT ",gid=" UID_FMT,
|
2017-11-24 10:31:08 +01:00
|
|
|
|
strempty(options), options ? "," : "",
|
2016-10-23 17:57:55 +02:00
|
|
|
|
uid_shift, uid_shift) < 0)
|
2015-09-07 15:59:52 +02:00
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
|
|
options = buf;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-10-03 10:41:51 +02:00
|
|
|
|
#if HAVE_SELINUX
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (selinux_apifs_context) {
|
|
|
|
|
|
char *t;
|
|
|
|
|
|
|
2017-11-24 10:31:08 +01:00
|
|
|
|
t = strjoin(strempty(options), options ? "," : "",
|
2016-10-23 17:57:55 +02:00
|
|
|
|
"context=\"", selinux_apifs_context, "\"");
|
|
|
|
|
|
free(buf);
|
|
|
|
|
|
if (!t)
|
2015-09-07 15:59:52 +02:00
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
|
|
buf = t;
|
|
|
|
|
|
}
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
2016-06-23 13:41:56 +02:00
|
|
|
|
if (!buf && options) {
|
|
|
|
|
|
buf = strdup(options);
|
|
|
|
|
|
if (!buf)
|
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
}
|
2015-09-07 15:59:52 +02:00
|
|
|
|
*ret = buf;
|
2016-06-23 13:41:56 +02:00
|
|
|
|
|
2015-09-07 15:59:52 +02:00
|
|
|
|
return !!buf;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2016-10-14 14:00:15 +02:00
|
|
|
|
int mount_sysfs(const char *dest, MountSettingsMask mount_settings) {
|
2015-09-30 13:47:28 +02:00
|
|
|
|
const char *full, *top, *x;
|
2015-10-15 12:13:13 +02:00
|
|
|
|
int r;
|
2016-10-14 14:00:15 +02:00
|
|
|
|
unsigned long extra_flags = 0;
|
2015-09-30 13:47:28 +02:00
|
|
|
|
|
|
|
|
|
|
top = prefix_roota(dest, "/sys");
|
2017-10-31 16:13:05 +01:00
|
|
|
|
r = path_is_fs_type(top, SYSFS_MAGIC);
|
2015-10-15 12:13:13 +02:00
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_error_errno(r, "Failed to determine filesystem type of %s: %m", top);
|
|
|
|
|
|
/* /sys might already be mounted as sysfs by the outer child in the
|
|
|
|
|
|
* !netns case. In this case, it's all good. Don't touch it because we
|
|
|
|
|
|
* don't have the right to do so, see https://github.com/systemd/systemd/issues/1555.
|
|
|
|
|
|
*/
|
|
|
|
|
|
if (r > 0)
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
2015-09-30 13:47:28 +02:00
|
|
|
|
full = prefix_roota(top, "/full");
|
|
|
|
|
|
|
|
|
|
|
|
(void) mkdir(full, 0755);
|
|
|
|
|
|
|
2016-10-14 14:00:15 +02:00
|
|
|
|
if (mount_settings & MOUNT_APPLY_APIVFS_RO)
|
|
|
|
|
|
extra_flags |= MS_RDONLY;
|
|
|
|
|
|
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
r = mount_verbose(LOG_ERR, "sysfs", full, "sysfs",
|
2016-10-14 14:00:15 +02:00
|
|
|
|
MS_NOSUID|MS_NOEXEC|MS_NODEV|extra_flags, NULL);
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return r;
|
2015-09-30 13:47:28 +02:00
|
|
|
|
|
|
|
|
|
|
FOREACH_STRING(x, "block", "bus", "class", "dev", "devices", "kernel") {
|
|
|
|
|
|
_cleanup_free_ char *from = NULL, *to = NULL;
|
|
|
|
|
|
|
|
|
|
|
|
from = prefix_root(full, x);
|
|
|
|
|
|
if (!from)
|
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
|
|
|
|
|
|
to = prefix_root(top, x);
|
|
|
|
|
|
if (!to)
|
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
|
|
|
|
|
|
(void) mkdir(to, 0755);
|
|
|
|
|
|
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
r = mount_verbose(LOG_ERR, from, to, NULL, MS_BIND, NULL);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return r;
|
2015-09-30 13:47:28 +02:00
|
|
|
|
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
r = mount_verbose(LOG_ERR, NULL, to, NULL,
|
2016-10-14 14:00:15 +02:00
|
|
|
|
MS_BIND|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT|extra_flags, NULL);
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return r;
|
2015-09-30 13:47:28 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
r = umount_verbose(full);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return r;
|
2015-09-30 13:47:28 +02:00
|
|
|
|
|
|
|
|
|
|
if (rmdir(full) < 0)
|
|
|
|
|
|
return log_error_errno(errno, "Failed to remove %s: %m", full);
|
|
|
|
|
|
|
2016-06-23 13:41:56 +02:00
|
|
|
|
/* Create mountpoint for cgroups. Otherwise we are not allowed since we
|
|
|
|
|
|
* remount /sys read-only.
|
|
|
|
|
|
*/
|
nspawn: mount_sysfs(): Unconditionally mkdir /sys/fs/cgroup
Currently, mount_sysfs() only creates /sys/fs/cgroup if cg_ns_supported().
The comment explains that we need to "Create mountpoint for
cgroups. Otherwise we are not allowed since we remount /sys read-only.";
that is: that we need to do it now, rather than later. However, the
comment doesn't do anything to explain why we only need to do this if
cg_ns_supported(); shouldn't we _always_ need to do it?
The answer is that if !use_cgns, then this was already done by the outer
child, so mount_sysfs() only needs to do it if use_cgns. Now,
mount_sysfs() doesn't know whether use_cgns, but !cg_ns_supported() implies
!use_cgns, so we can optimize" the case where we _know_ !use_cgns, and deal
with a no-op mkdir_p() in the false-positive where cgns_supported() but
!use_cgns.
But is it really much of an optimization? We're potentially spending an
access(2) (cg_ns_supported() could be cached from a previous call) to
potentially save an lstat(2) and mkdir(2); and all of them are on virtual
fileystems, so they should all be pretty cheap.
So, simplify and drop the conditional. It's a dubious optimization that
requires more text to explain than it's worth.
2017-06-01 19:59:20 +02:00
|
|
|
|
x = prefix_roota(top, "/fs/cgroup");
|
|
|
|
|
|
(void) mkdir_p(x, 0755);
|
2015-09-30 13:47:28 +02:00
|
|
|
|
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
return mount_verbose(LOG_ERR, NULL, top, NULL,
|
2016-10-14 14:00:15 +02:00
|
|
|
|
MS_BIND|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT|extra_flags, NULL);
|
2015-09-30 13:47:28 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2017-07-08 00:30:03 +02:00
|
|
|
|
static int mkdir_userns(const char *path, mode_t mode, uid_t uid_shift) {
|
nspawn: really lchown(uid/gid)
https://github.com/systemd/systemd/pull/4372#issuecomment-253723849:
* `mount_all (outer_child)` creates `container_dir/sys/fs/selinux`
* `mount_all (outer_child)` doesn't patch `container_dir/sys/fs` and so on.
* `mount_sysfs (inner_child)` tries to create `/sys/fs/cgroup`
* This fails
370 stat("/sys/fs", {st_dev=makedev(0, 28), st_ino=13880, st_mode=S_IFDIR|0755, st_nlink=3, st_uid=65534, st_gid=65534, st_blksize=4096, st_blocks=0, st_size=60, st_atime=2016/10/14-05:16:43.398665943, st_mtime=2016/10/14-05:16:43.399665943, st_ctime=2016/10/14-05:16:43.399665943}) = 0
370 mkdir("/sys/fs/cgroup", 0755) = -1 EACCES (Permission denied)
* `mount_syfs (inner_child)` ignores that error and
mount(NULL, "/sys", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
* `mount_cgroups` finally fails
2016-10-20 11:03:40 +02:00
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(path);
|
|
|
|
|
|
|
2017-12-15 17:08:13 +01:00
|
|
|
|
r = mkdir_errno_wrapper(path, mode);
|
|
|
|
|
|
if (r < 0 && r != -EEXIST)
|
|
|
|
|
|
return r;
|
nspawn: really lchown(uid/gid)
https://github.com/systemd/systemd/pull/4372#issuecomment-253723849:
* `mount_all (outer_child)` creates `container_dir/sys/fs/selinux`
* `mount_all (outer_child)` doesn't patch `container_dir/sys/fs` and so on.
* `mount_sysfs (inner_child)` tries to create `/sys/fs/cgroup`
* This fails
370 stat("/sys/fs", {st_dev=makedev(0, 28), st_ino=13880, st_mode=S_IFDIR|0755, st_nlink=3, st_uid=65534, st_gid=65534, st_blksize=4096, st_blocks=0, st_size=60, st_atime=2016/10/14-05:16:43.398665943, st_mtime=2016/10/14-05:16:43.399665943, st_ctime=2016/10/14-05:16:43.399665943}) = 0
370 mkdir("/sys/fs/cgroup", 0755) = -1 EACCES (Permission denied)
* `mount_syfs (inner_child)` ignores that error and
mount(NULL, "/sys", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
* `mount_cgroups` finally fails
2016-10-20 11:03:40 +02:00
|
|
|
|
|
2017-07-08 00:30:03 +02:00
|
|
|
|
if (uid_shift == UID_INVALID)
|
2016-11-22 13:35:24 +01:00
|
|
|
|
return 0;
|
|
|
|
|
|
|
2017-12-15 17:08:13 +01:00
|
|
|
|
if (lchown(path, uid_shift, uid_shift) < 0)
|
2016-11-22 13:35:24 +01:00
|
|
|
|
return -errno;
|
nspawn: really lchown(uid/gid)
https://github.com/systemd/systemd/pull/4372#issuecomment-253723849:
* `mount_all (outer_child)` creates `container_dir/sys/fs/selinux`
* `mount_all (outer_child)` doesn't patch `container_dir/sys/fs` and so on.
* `mount_sysfs (inner_child)` tries to create `/sys/fs/cgroup`
* This fails
370 stat("/sys/fs", {st_dev=makedev(0, 28), st_ino=13880, st_mode=S_IFDIR|0755, st_nlink=3, st_uid=65534, st_gid=65534, st_blksize=4096, st_blocks=0, st_size=60, st_atime=2016/10/14-05:16:43.398665943, st_mtime=2016/10/14-05:16:43.399665943, st_ctime=2016/10/14-05:16:43.399665943}) = 0
370 mkdir("/sys/fs/cgroup", 0755) = -1 EACCES (Permission denied)
* `mount_syfs (inner_child)` ignores that error and
mount(NULL, "/sys", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
* `mount_cgroups` finally fails
2016-10-20 11:03:40 +02:00
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-07-08 00:30:03 +02:00
|
|
|
|
static int mkdir_userns_p(const char *prefix, const char *path, mode_t mode, uid_t uid_shift) {
|
nspawn: really lchown(uid/gid)
https://github.com/systemd/systemd/pull/4372#issuecomment-253723849:
* `mount_all (outer_child)` creates `container_dir/sys/fs/selinux`
* `mount_all (outer_child)` doesn't patch `container_dir/sys/fs` and so on.
* `mount_sysfs (inner_child)` tries to create `/sys/fs/cgroup`
* This fails
370 stat("/sys/fs", {st_dev=makedev(0, 28), st_ino=13880, st_mode=S_IFDIR|0755, st_nlink=3, st_uid=65534, st_gid=65534, st_blksize=4096, st_blocks=0, st_size=60, st_atime=2016/10/14-05:16:43.398665943, st_mtime=2016/10/14-05:16:43.399665943, st_ctime=2016/10/14-05:16:43.399665943}) = 0
370 mkdir("/sys/fs/cgroup", 0755) = -1 EACCES (Permission denied)
* `mount_syfs (inner_child)` ignores that error and
mount(NULL, "/sys", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
* `mount_cgroups` finally fails
2016-10-20 11:03:40 +02:00
|
|
|
|
const char *p, *e;
|
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(path);
|
|
|
|
|
|
|
|
|
|
|
|
if (prefix && !path_startswith(path, prefix))
|
|
|
|
|
|
return -ENOTDIR;
|
|
|
|
|
|
|
|
|
|
|
|
/* create every parent directory in the path, except the last component */
|
|
|
|
|
|
p = path + strspn(path, "/");
|
|
|
|
|
|
for (;;) {
|
|
|
|
|
|
char t[strlen(path) + 1];
|
|
|
|
|
|
|
|
|
|
|
|
e = p + strcspn(p, "/");
|
|
|
|
|
|
p = e + strspn(e, "/");
|
|
|
|
|
|
|
|
|
|
|
|
/* Is this the last component? If so, then we're done */
|
|
|
|
|
|
if (*p == 0)
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
memcpy(t, path, e - path);
|
|
|
|
|
|
t[e-path] = 0;
|
|
|
|
|
|
|
|
|
|
|
|
if (prefix && path_startswith(prefix, t))
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
2017-07-08 00:30:03 +02:00
|
|
|
|
r = mkdir_userns(t, mode, uid_shift);
|
nspawn: really lchown(uid/gid)
https://github.com/systemd/systemd/pull/4372#issuecomment-253723849:
* `mount_all (outer_child)` creates `container_dir/sys/fs/selinux`
* `mount_all (outer_child)` doesn't patch `container_dir/sys/fs` and so on.
* `mount_sysfs (inner_child)` tries to create `/sys/fs/cgroup`
* This fails
370 stat("/sys/fs", {st_dev=makedev(0, 28), st_ino=13880, st_mode=S_IFDIR|0755, st_nlink=3, st_uid=65534, st_gid=65534, st_blksize=4096, st_blocks=0, st_size=60, st_atime=2016/10/14-05:16:43.398665943, st_mtime=2016/10/14-05:16:43.399665943, st_ctime=2016/10/14-05:16:43.399665943}) = 0
370 mkdir("/sys/fs/cgroup", 0755) = -1 EACCES (Permission denied)
* `mount_syfs (inner_child)` ignores that error and
mount(NULL, "/sys", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
* `mount_cgroups` finally fails
2016-10-20 11:03:40 +02:00
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return r;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-07-08 00:30:03 +02:00
|
|
|
|
return mkdir_userns(path, mode, uid_shift);
|
nspawn: really lchown(uid/gid)
https://github.com/systemd/systemd/pull/4372#issuecomment-253723849:
* `mount_all (outer_child)` creates `container_dir/sys/fs/selinux`
* `mount_all (outer_child)` doesn't patch `container_dir/sys/fs` and so on.
* `mount_sysfs (inner_child)` tries to create `/sys/fs/cgroup`
* This fails
370 stat("/sys/fs", {st_dev=makedev(0, 28), st_ino=13880, st_mode=S_IFDIR|0755, st_nlink=3, st_uid=65534, st_gid=65534, st_blksize=4096, st_blocks=0, st_size=60, st_atime=2016/10/14-05:16:43.398665943, st_mtime=2016/10/14-05:16:43.399665943, st_ctime=2016/10/14-05:16:43.399665943}) = 0
370 mkdir("/sys/fs/cgroup", 0755) = -1 EACCES (Permission denied)
* `mount_syfs (inner_child)` ignores that error and
mount(NULL, "/sys", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0
* `mount_cgroups` finally fails
2016-10-20 11:03:40 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2015-09-07 15:59:52 +02:00
|
|
|
|
int mount_all(const char *dest,
|
2016-10-14 14:00:15 +02:00
|
|
|
|
MountSettingsMask mount_settings,
|
nspawn: Simplify tmpfs_patch_options() usage, and trickle that up
One of the things that tmpfs_patch_options does is take an (optional) UID,
and insert "uid=${UID},gid=${UID}" into the options string. So we need a
uid_t argument, and a way of telling if we should use it. Fortunately,
that is built in to the uid_t type by having UID_INVALID as a possible
value.
So this is really a feature that requires one argument. Yet, it is somehow
taking 4! That is absurd. Simplify it to only take one argument, and have
that trickle all the way up to mount_all()'s usage.
Now, in may of the uses, the argument becomes
uid_shift == 0 ? UID_INVALID : uid_shift
because it used to treat uid_shift=0 as invalid unless the patch_ids flag
was also set. This keeps the behavior the same. Note that in all cases
where it is invoked, if !use_userns (sometimes called !userns), then
uid_shift is 0; we don't have to add any checks for that.
That said, I'm pretty sure that "uid=0" and not setting "uid=" are the
same, but Christian Brauner seemed to not think so when implementing the
cgns support. https://github.com/systemd/systemd/pull/3589
2017-06-14 00:06:09 +02:00
|
|
|
|
uid_t uid_shift,
|
2015-09-07 15:59:52 +02:00
|
|
|
|
const char *selinux_apifs_context) {
|
|
|
|
|
|
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
#define PROC_INACCESSIBLE_REG(path) \
|
|
|
|
|
|
{ "/run/systemd/inaccessible/reg", (path), NULL, NULL, MS_BIND, \
|
|
|
|
|
|
MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO }, /* Bind mount first ... */ \
|
2018-04-30 12:22:41 +02:00
|
|
|
|
{ NULL, (path), NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, \
|
|
|
|
|
|
MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO } /* Then, make it r/o */
|
|
|
|
|
|
|
|
|
|
|
|
#define PROC_READ_ONLY(path) \
|
|
|
|
|
|
{ (path), (path), NULL, NULL, MS_BIND, \
|
|
|
|
|
|
MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO }, /* Bind mount first ... */ \
|
|
|
|
|
|
{ NULL, (path), NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, \
|
|
|
|
|
|
MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO } /* Then, make it r/o */
|
|
|
|
|
|
|
2015-09-07 15:59:52 +02:00
|
|
|
|
typedef struct MountPoint {
|
|
|
|
|
|
const char *what;
|
|
|
|
|
|
const char *where;
|
|
|
|
|
|
const char *type;
|
|
|
|
|
|
const char *options;
|
|
|
|
|
|
unsigned long flags;
|
2016-10-14 14:00:15 +02:00
|
|
|
|
MountSettingsMask mount_settings;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
} MountPoint;
|
|
|
|
|
|
|
|
|
|
|
|
static const MountPoint mount_table[] = {
|
2018-04-30 12:22:41 +02:00
|
|
|
|
/* First we list inner child mounts (i.e. mounts applied *after* entering user namespacing) */
|
|
|
|
|
|
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
|
|
|
|
|
MOUNT_FATAL|MOUNT_IN_USERNS },
|
|
|
|
|
|
|
|
|
|
|
|
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND,
|
|
|
|
|
|
MOUNT_FATAL|MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO }, /* Bind mount first ... */
|
|
|
|
|
|
|
|
|
|
|
|
{ "/proc/sys/net", "/proc/sys/net", NULL, NULL, MS_BIND,
|
|
|
|
|
|
MOUNT_FATAL|MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO|MOUNT_APPLY_APIVFS_NETNS }, /* (except for this) */
|
|
|
|
|
|
|
|
|
|
|
|
{ NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
|
|
|
|
|
|
MOUNT_FATAL|MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO }, /* ... then, make it r/o */
|
|
|
|
|
|
|
|
|
|
|
|
/* Make these files inaccessible to container payloads: they potentially leak information about kernel
|
|
|
|
|
|
* internals or the host's execution environment to the container */
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
PROC_INACCESSIBLE_REG("/proc/kallsyms"),
|
|
|
|
|
|
PROC_INACCESSIBLE_REG("/proc/kcore"),
|
|
|
|
|
|
PROC_INACCESSIBLE_REG("/proc/keys"),
|
|
|
|
|
|
PROC_INACCESSIBLE_REG("/proc/sysrq-trigger"),
|
|
|
|
|
|
PROC_INACCESSIBLE_REG("/proc/timer_list"),
|
2018-04-30 12:22:41 +02:00
|
|
|
|
|
|
|
|
|
|
/* Make these directories read-only to container payloads: they show hardware information, and in some
|
|
|
|
|
|
* cases contain tunables the container really shouldn't have access to. */
|
|
|
|
|
|
PROC_READ_ONLY("/proc/acpi"),
|
|
|
|
|
|
PROC_READ_ONLY("/proc/apm"),
|
|
|
|
|
|
PROC_READ_ONLY("/proc/asound"),
|
|
|
|
|
|
PROC_READ_ONLY("/proc/bus"),
|
|
|
|
|
|
PROC_READ_ONLY("/proc/fs"),
|
|
|
|
|
|
PROC_READ_ONLY("/proc/irq"),
|
|
|
|
|
|
PROC_READ_ONLY("/proc/scsi"),
|
|
|
|
|
|
|
|
|
|
|
|
/* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */
|
|
|
|
|
|
{ "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
2018-10-08 18:32:03 +02:00
|
|
|
|
MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP },
|
2018-09-10 14:17:32 +02:00
|
|
|
|
{ "tmpfs", "/sys", "tmpfs", "mode=555", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
2018-04-30 12:22:41 +02:00
|
|
|
|
MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS },
|
|
|
|
|
|
{ "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
|
|
|
|
|
MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO }, /* skipped if above was mounted */
|
|
|
|
|
|
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
|
|
|
|
|
MOUNT_FATAL }, /* skipped if above was mounted */
|
|
|
|
|
|
{ "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
|
|
|
|
|
|
MOUNT_FATAL },
|
|
|
|
|
|
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
|
|
|
|
|
MOUNT_FATAL },
|
|
|
|
|
|
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
|
|
|
|
|
MOUNT_FATAL },
|
2018-07-26 17:24:51 +02:00
|
|
|
|
{ "mqueue", "/dev/mqueue", "mqueue", NULL, 0,
|
|
|
|
|
|
MOUNT_FATAL },
|
2018-04-30 12:22:41 +02:00
|
|
|
|
|
2017-10-03 10:41:51 +02:00
|
|
|
|
#if HAVE_SELINUX
|
2018-04-30 12:22:41 +02:00
|
|
|
|
{ "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND,
|
|
|
|
|
|
0 }, /* Bind mount first */
|
|
|
|
|
|
{ NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT,
|
|
|
|
|
|
0 }, /* Then, make it r/o */
|
2015-09-07 15:59:52 +02:00
|
|
|
|
#endif
|
|
|
|
|
|
};
|
|
|
|
|
|
|
2016-10-14 14:00:15 +02:00
|
|
|
|
bool use_userns = (mount_settings & MOUNT_USE_USERNS);
|
|
|
|
|
|
bool netns = (mount_settings & MOUNT_APPLY_APIVFS_NETNS);
|
|
|
|
|
|
bool ro = (mount_settings & MOUNT_APPLY_APIVFS_RO);
|
|
|
|
|
|
bool in_userns = (mount_settings & MOUNT_IN_USERNS);
|
2018-10-08 18:32:03 +02:00
|
|
|
|
bool tmpfs_tmp = (mount_settings & MOUNT_APPLY_TMPFS_TMP);
|
2018-04-30 12:22:41 +02:00
|
|
|
|
size_t k;
|
2018-04-27 22:01:54 +02:00
|
|
|
|
int r;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
|
|
|
|
|
for (k = 0; k < ELEMENTSOF(mount_table); k++) {
|
|
|
|
|
|
_cleanup_free_ char *where = NULL, *options = NULL;
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
const char *o;
|
2016-10-14 14:00:15 +02:00
|
|
|
|
bool fatal = (mount_table[k].mount_settings & MOUNT_FATAL);
|
|
|
|
|
|
|
|
|
|
|
|
if (in_userns != (bool)(mount_table[k].mount_settings & MOUNT_IN_USERNS))
|
|
|
|
|
|
continue;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
2016-10-14 14:00:15 +02:00
|
|
|
|
if (!netns && (bool)(mount_table[k].mount_settings & MOUNT_APPLY_APIVFS_NETNS))
|
2015-10-15 12:13:13 +02:00
|
|
|
|
continue;
|
|
|
|
|
|
|
2016-10-14 14:00:15 +02:00
|
|
|
|
if (!ro && (bool)(mount_table[k].mount_settings & MOUNT_APPLY_APIVFS_RO))
|
2015-09-07 15:59:52 +02:00
|
|
|
|
continue;
|
|
|
|
|
|
|
2018-10-08 18:32:03 +02:00
|
|
|
|
if (!tmpfs_tmp && (bool)(mount_table[k].mount_settings & MOUNT_APPLY_TMPFS_TMP))
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
2016-12-01 12:49:23 +01:00
|
|
|
|
r = chase_symlinks(mount_table[k].where, dest, CHASE_NONEXISTENT|CHASE_PREFIX_ROOT, &where);
|
2016-11-29 18:13:11 +01:00
|
|
|
|
if (r < 0)
|
2016-12-01 12:40:23 +01:00
|
|
|
|
return log_error_errno(r, "Failed to resolve %s/%s: %m", dest, mount_table[k].where);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
|
|
|
|
|
/* Skip this entry if it is not a remount. */
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
if (mount_table[k].what) {
|
|
|
|
|
|
r = path_is_mount_point(where, NULL, 0);
|
|
|
|
|
|
if (r < 0 && r != -ENOENT)
|
|
|
|
|
|
return log_error_errno(r, "Failed to detect whether %s is a mount point: %m", where);
|
|
|
|
|
|
if (r > 0)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
}
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
2017-07-08 00:30:03 +02:00
|
|
|
|
r = mkdir_userns_p(dest, where, 0755, (use_userns && !in_userns) ? uid_shift : UID_INVALID);
|
2016-08-25 16:25:49 +02:00
|
|
|
|
if (r < 0 && r != -EEXIST) {
|
2017-10-24 19:40:50 +02:00
|
|
|
|
if (fatal && r != -EROFS)
|
2015-09-07 15:59:52 +02:00
|
|
|
|
return log_error_errno(r, "Failed to create directory %s: %m", where);
|
|
|
|
|
|
|
2016-07-18 12:23:08 +02:00
|
|
|
|
log_debug_errno(r, "Failed to create directory %s: %m", where);
|
2017-10-24 19:40:50 +02:00
|
|
|
|
/* If we failed mkdir() or chown() due to the root
|
|
|
|
|
|
* directory being read only, attempt to mount this fs
|
|
|
|
|
|
* anyway and let mount_verbose log any errors */
|
|
|
|
|
|
if (r != -EROFS)
|
|
|
|
|
|
continue;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
o = mount_table[k].options;
|
|
|
|
|
|
if (streq_ptr(mount_table[k].type, "tmpfs")) {
|
nspawn: Simplify tmpfs_patch_options() usage, and trickle that up
One of the things that tmpfs_patch_options does is take an (optional) UID,
and insert "uid=${UID},gid=${UID}" into the options string. So we need a
uid_t argument, and a way of telling if we should use it. Fortunately,
that is built in to the uid_t type by having UID_INVALID as a possible
value.
So this is really a feature that requires one argument. Yet, it is somehow
taking 4! That is absurd. Simplify it to only take one argument, and have
that trickle all the way up to mount_all()'s usage.
Now, in may of the uses, the argument becomes
uid_shift == 0 ? UID_INVALID : uid_shift
because it used to treat uid_shift=0 as invalid unless the patch_ids flag
was also set. This keeps the behavior the same. Note that in all cases
where it is invoked, if !use_userns (sometimes called !userns), then
uid_shift is 0; we don't have to add any checks for that.
That said, I'm pretty sure that "uid=0" and not setting "uid=" are the
same, but Christian Brauner seemed to not think so when implementing the
cgns support. https://github.com/systemd/systemd/pull/3589
2017-06-14 00:06:09 +02:00
|
|
|
|
r = tmpfs_patch_options(o, in_userns ? 0 : uid_shift, selinux_apifs_context, &options);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
if (r > 0)
|
|
|
|
|
|
o = options;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2016-10-14 14:00:15 +02:00
|
|
|
|
r = mount_verbose(fatal ? LOG_ERR : LOG_DEBUG,
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
mount_table[k].what,
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
where,
|
|
|
|
|
|
mount_table[k].type,
|
|
|
|
|
|
mount_table[k].flags,
|
|
|
|
|
|
o);
|
2016-10-14 14:00:15 +02:00
|
|
|
|
if (r < 0 && fatal)
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
return r;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int mount_bind(const char *dest, CustomMount *m) {
|
2018-02-14 06:25:22 +01:00
|
|
|
|
_cleanup_free_ char *where = NULL;
|
2016-11-25 19:01:36 +01:00
|
|
|
|
struct stat source_st, dest_st;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
int r;
|
|
|
|
|
|
|
2016-11-30 16:02:47 +01:00
|
|
|
|
assert(dest);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
assert(m);
|
|
|
|
|
|
|
|
|
|
|
|
if (stat(m->source, &source_st) < 0)
|
|
|
|
|
|
return log_error_errno(errno, "Failed to stat %s: %m", m->source);
|
|
|
|
|
|
|
2016-12-01 12:49:23 +01:00
|
|
|
|
r = chase_symlinks(m->destination, dest, CHASE_PREFIX_ROOT|CHASE_NONEXISTENT, &where);
|
2016-11-25 19:01:36 +01:00
|
|
|
|
if (r < 0)
|
2016-12-01 12:40:23 +01:00
|
|
|
|
return log_error_errno(r, "Failed to resolve %s/%s: %m", dest, m->destination);
|
2016-11-29 18:13:11 +01:00
|
|
|
|
if (r > 0) { /* Path exists already? */
|
|
|
|
|
|
|
|
|
|
|
|
if (stat(where, &dest_st) < 0)
|
|
|
|
|
|
return log_error_errno(errno, "Failed to stat %s: %m", where);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
2018-11-20 23:40:44 +01:00
|
|
|
|
if (S_ISDIR(source_st.st_mode) && !S_ISDIR(dest_st.st_mode))
|
|
|
|
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
|
"Cannot bind mount directory %s on file %s.",
|
|
|
|
|
|
m->source, where);
|
|
|
|
|
|
|
|
|
|
|
|
if (!S_ISDIR(source_st.st_mode) && S_ISDIR(dest_st.st_mode))
|
|
|
|
|
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
|
|
|
|
|
"Cannot bind mount file %s on directory %s.",
|
|
|
|
|
|
m->source, where);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
2016-11-29 18:13:11 +01:00
|
|
|
|
} else { /* Path doesn't exist yet? */
|
2015-09-07 15:59:52 +02:00
|
|
|
|
r = mkdir_parents_label(where, 0755);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_error_errno(r, "Failed to make parents of %s: %m", where);
|
2016-04-01 17:31:55 +02:00
|
|
|
|
|
|
|
|
|
|
/* Create the mount point. Any non-directory file can be
|
|
|
|
|
|
* mounted on any non-directory file (regular, fifo, socket,
|
|
|
|
|
|
* char, block).
|
|
|
|
|
|
*/
|
|
|
|
|
|
if (S_ISDIR(source_st.st_mode))
|
|
|
|
|
|
r = mkdir_label(where, 0755);
|
|
|
|
|
|
else
|
|
|
|
|
|
r = touch(where);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_error_errno(r, "Failed to create mount point %s: %m", where);
|
2016-11-29 18:13:11 +01:00
|
|
|
|
}
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
2018-02-14 06:25:22 +01:00
|
|
|
|
r = mount_verbose(LOG_ERR, m->source, where, NULL, MS_BIND | MS_REC, m->options);
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return r;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
|
|
|
|
|
if (m->read_only) {
|
namespace: rework how ReadWritePaths= is applied
Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths=
specification, then we'd first recursively apply the ReadOnlyPaths= paths, and
make everything below read-only, only in order to then flip the read-only bit
again for the subdirs listed in ReadWritePaths= below it.
This is not only ugly (as for the dirs in question we first turn on the RO bit,
only to turn it off again immediately after), but also problematic in
containers, where a container manager might have marked a set of dirs read-only
and this code will undo this is ReadWritePaths= is set for any.
With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be
applied to the children listed in ReadWritePaths= in the first place, so that
we do not need to turn off the RO bit for those after all.
This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the
RO bit, but never to turn it off again. Or to say this differently: if some
dirs are marked read-only via some external tool, then ReadWritePaths= will not
undo it.
This is not only the safer option, but also more in-line with what the man page
currently claims:
"Entries (files or directories) listed in ReadWritePaths= are
accessible from within the namespace with the same access rights as
from outside."
To implement this change bind_remount_recursive() gained a new "blacklist"
string list parameter, which when passed may contain subdirs that shall be
excluded from the read-only mounting.
A number of functions are updated to add more debug logging to make this more
digestable.
2016-09-25 10:40:51 +02:00
|
|
|
|
r = bind_remount_recursive(where, true, NULL);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_error_errno(r, "Read-only bind mount failed: %m");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int mount_tmpfs(
|
|
|
|
|
|
const char *dest,
|
|
|
|
|
|
CustomMount *m,
|
|
|
|
|
|
bool userns, uid_t uid_shift, uid_t uid_range,
|
|
|
|
|
|
const char *selinux_apifs_context) {
|
|
|
|
|
|
|
2016-11-25 19:01:36 +01:00
|
|
|
|
const char *options;
|
|
|
|
|
|
_cleanup_free_ char *buf = NULL, *where = NULL;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(dest);
|
|
|
|
|
|
assert(m);
|
|
|
|
|
|
|
2016-12-01 12:49:23 +01:00
|
|
|
|
r = chase_symlinks(m->destination, dest, CHASE_PREFIX_ROOT|CHASE_NONEXISTENT, &where);
|
2016-11-25 19:01:36 +01:00
|
|
|
|
if (r < 0)
|
2016-12-01 12:40:23 +01:00
|
|
|
|
return log_error_errno(r, "Failed to resolve %s/%s: %m", dest, m->destination);
|
2016-11-29 18:13:11 +01:00
|
|
|
|
if (r == 0) { /* Doesn't exist yet? */
|
|
|
|
|
|
r = mkdir_p_label(where, 0755);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_error_errno(r, "Creating mount point for tmpfs %s failed: %m", where);
|
|
|
|
|
|
}
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
nspawn: Simplify tmpfs_patch_options() usage, and trickle that up
One of the things that tmpfs_patch_options does is take an (optional) UID,
and insert "uid=${UID},gid=${UID}" into the options string. So we need a
uid_t argument, and a way of telling if we should use it. Fortunately,
that is built in to the uid_t type by having UID_INVALID as a possible
value.
So this is really a feature that requires one argument. Yet, it is somehow
taking 4! That is absurd. Simplify it to only take one argument, and have
that trickle all the way up to mount_all()'s usage.
Now, in may of the uses, the argument becomes
uid_shift == 0 ? UID_INVALID : uid_shift
because it used to treat uid_shift=0 as invalid unless the patch_ids flag
was also set. This keeps the behavior the same. Note that in all cases
where it is invoked, if !use_userns (sometimes called !userns), then
uid_shift is 0; we don't have to add any checks for that.
That said, I'm pretty sure that "uid=0" and not setting "uid=" are the
same, but Christian Brauner seemed to not think so when implementing the
cgns support. https://github.com/systemd/systemd/pull/3589
2017-06-14 00:06:09 +02:00
|
|
|
|
r = tmpfs_patch_options(m->options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
options = r > 0 ? buf : m->options;
|
|
|
|
|
|
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
return mount_verbose(LOG_ERR, "tmpfs", where, "tmpfs", MS_NODEV|MS_STRICTATIME, options);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2016-11-30 16:02:47 +01:00
|
|
|
|
static char *joined_and_escaped_lower_dirs(char **lower) {
|
2015-09-07 15:59:52 +02:00
|
|
|
|
_cleanup_strv_free_ char **sv = NULL;
|
|
|
|
|
|
|
|
|
|
|
|
sv = strv_copy(lower);
|
|
|
|
|
|
if (!sv)
|
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
|
|
strv_reverse(sv);
|
|
|
|
|
|
|
|
|
|
|
|
if (!strv_shell_escape(sv, ",:"))
|
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
|
|
return strv_join(sv, ":");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int mount_overlay(const char *dest, CustomMount *m) {
|
2016-11-30 16:02:47 +01:00
|
|
|
|
_cleanup_free_ char *lower = NULL, *where = NULL, *escaped_source = NULL;
|
2016-11-25 19:01:36 +01:00
|
|
|
|
const char *options;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(dest);
|
|
|
|
|
|
assert(m);
|
|
|
|
|
|
|
2016-12-01 12:49:23 +01:00
|
|
|
|
r = chase_symlinks(m->destination, dest, CHASE_PREFIX_ROOT|CHASE_NONEXISTENT, &where);
|
2016-11-25 19:01:36 +01:00
|
|
|
|
if (r < 0)
|
2016-12-01 12:40:23 +01:00
|
|
|
|
return log_error_errno(r, "Failed to resolve %s/%s: %m", dest, m->destination);
|
2016-11-29 18:13:11 +01:00
|
|
|
|
if (r == 0) { /* Doesn't exist yet? */
|
|
|
|
|
|
r = mkdir_label(where, 0755);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_error_errno(r, "Creating mount point for overlay %s failed: %m", where);
|
|
|
|
|
|
}
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
|
|
|
|
|
(void) mkdir_p_label(m->source, 0755);
|
|
|
|
|
|
|
|
|
|
|
|
lower = joined_and_escaped_lower_dirs(m->lower);
|
|
|
|
|
|
if (!lower)
|
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
|
2016-11-30 16:02:47 +01:00
|
|
|
|
escaped_source = shell_escape(m->source, ",:");
|
|
|
|
|
|
if (!escaped_source)
|
|
|
|
|
|
return log_oom();
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
2016-11-30 16:02:47 +01:00
|
|
|
|
if (m->read_only)
|
2015-09-07 15:59:52 +02:00
|
|
|
|
options = strjoina("lowerdir=", escaped_source, ":", lower);
|
2016-11-30 16:02:47 +01:00
|
|
|
|
else {
|
|
|
|
|
|
_cleanup_free_ char *escaped_work_dir = NULL;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
|
|
|
|
|
escaped_work_dir = shell_escape(m->work_dir, ",:");
|
|
|
|
|
|
if (!escaped_work_dir)
|
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
|
|
|
|
|
|
options = strjoina("lowerdir=", lower, ",upperdir=", escaped_source, ",workdir=", escaped_work_dir);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
return mount_verbose(LOG_ERR, "overlay", where, "overlay", m->read_only ? MS_RDONLY : 0, options);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
static int mount_inaccessible(const char *dest, CustomMount *m) {
|
|
|
|
|
|
_cleanup_free_ char *where = NULL;
|
|
|
|
|
|
const char *source;
|
|
|
|
|
|
struct stat st;
|
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(dest);
|
|
|
|
|
|
assert(m);
|
|
|
|
|
|
|
|
|
|
|
|
r = chase_symlinks_and_stat(m->destination, dest, CHASE_PREFIX_ROOT, &where, &st);
|
|
|
|
|
|
if (r < 0) {
|
|
|
|
|
|
log_full_errno(m->graceful ? LOG_DEBUG : LOG_ERR, r, "Failed to resolve %s/%s: %m", dest, m->destination);
|
|
|
|
|
|
return m->graceful ? 0 : r;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
assert_se(source = mode_to_inaccessible_node(st.st_mode));
|
|
|
|
|
|
|
|
|
|
|
|
r = mount_verbose(m->graceful ? LOG_DEBUG : LOG_ERR, source, where, NULL, MS_BIND, NULL);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return m->graceful ? 0 : r;
|
|
|
|
|
|
|
|
|
|
|
|
r = mount_verbose(m->graceful ? LOG_DEBUG : LOG_ERR, NULL, where, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, NULL);
|
2019-03-21 12:41:02 +01:00
|
|
|
|
if (r < 0) {
|
|
|
|
|
|
umount_verbose(where);
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
return m->graceful ? 0 : r;
|
2019-03-21 12:41:02 +01:00
|
|
|
|
}
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int mount_arbitrary(const char *dest, CustomMount *m) {
|
|
|
|
|
|
_cleanup_free_ char *where = NULL;
|
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(dest);
|
|
|
|
|
|
assert(m);
|
|
|
|
|
|
|
|
|
|
|
|
r = chase_symlinks(m->destination, dest, CHASE_PREFIX_ROOT|CHASE_NONEXISTENT, &where);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_error_errno(r, "Failed to resolve %s/%s: %m", dest, m->destination);
|
|
|
|
|
|
if (r == 0) { /* Doesn't exist yet? */
|
|
|
|
|
|
r = mkdir_p_label(where, 0755);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_error_errno(r, "Creating mount point for mount %s failed: %m", where);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return mount_verbose(LOG_ERR, m->source, where, m->type_argument, 0, m->options);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2015-09-07 15:59:52 +02:00
|
|
|
|
int mount_custom(
|
|
|
|
|
|
const char *dest,
|
2018-04-27 22:01:54 +02:00
|
|
|
|
CustomMount *mounts, size_t n,
|
2015-09-07 15:59:52 +02:00
|
|
|
|
bool userns, uid_t uid_shift, uid_t uid_range,
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
const char *selinux_apifs_context,
|
|
|
|
|
|
bool in_userns) {
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
2018-04-27 22:01:54 +02:00
|
|
|
|
size_t i;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(dest);
|
|
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < n; i++) {
|
|
|
|
|
|
CustomMount *m = mounts + i;
|
|
|
|
|
|
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
if (m->in_userns != in_userns)
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
2015-09-07 15:59:52 +02:00
|
|
|
|
switch (m->type) {
|
|
|
|
|
|
|
|
|
|
|
|
case CUSTOM_MOUNT_BIND:
|
|
|
|
|
|
r = mount_bind(dest, m);
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
case CUSTOM_MOUNT_TMPFS:
|
|
|
|
|
|
r = mount_tmpfs(dest, m, userns, uid_shift, uid_range, selinux_apifs_context);
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
case CUSTOM_MOUNT_OVERLAY:
|
|
|
|
|
|
r = mount_overlay(dest, m);
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
|
|
|
|
case CUSTOM_MOUNT_INACCESSIBLE:
|
|
|
|
|
|
r = mount_inaccessible(dest, m);
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
|
|
case CUSTOM_MOUNT_ARBITRARY:
|
|
|
|
|
|
r = mount_arbitrary(dest, m);
|
|
|
|
|
|
break;
|
|
|
|
|
|
|
2015-09-07 15:59:52 +02:00
|
|
|
|
default:
|
|
|
|
|
|
assert_not_reached("Unknown custom mount type");
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return r;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-12-19 00:09:57 +01:00
|
|
|
|
static int setup_volatile_state(
|
2015-09-07 15:59:52 +02:00
|
|
|
|
const char *directory,
|
|
|
|
|
|
bool userns, uid_t uid_shift, uid_t uid_range,
|
|
|
|
|
|
const char *selinux_apifs_context) {
|
|
|
|
|
|
|
|
|
|
|
|
_cleanup_free_ char *buf = NULL;
|
|
|
|
|
|
const char *p, *options;
|
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(directory);
|
|
|
|
|
|
|
2018-12-19 00:09:57 +01:00
|
|
|
|
/* --volatile=state means we simply overmount /var with a tmpfs, and the rest read-only. */
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
namespace: rework how ReadWritePaths= is applied
Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths=
specification, then we'd first recursively apply the ReadOnlyPaths= paths, and
make everything below read-only, only in order to then flip the read-only bit
again for the subdirs listed in ReadWritePaths= below it.
This is not only ugly (as for the dirs in question we first turn on the RO bit,
only to turn it off again immediately after), but also problematic in
containers, where a container manager might have marked a set of dirs read-only
and this code will undo this is ReadWritePaths= is set for any.
With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be
applied to the children listed in ReadWritePaths= in the first place, so that
we do not need to turn off the RO bit for those after all.
This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the
RO bit, but never to turn it off again. Or to say this differently: if some
dirs are marked read-only via some external tool, then ReadWritePaths= will not
undo it.
This is not only the safer option, but also more in-line with what the man page
currently claims:
"Entries (files or directories) listed in ReadWritePaths= are
accessible from within the namespace with the same access rights as
from outside."
To implement this change bind_remount_recursive() gained a new "blacklist"
string list parameter, which when passed may contain subdirs that shall be
excluded from the read-only mounting.
A number of functions are updated to add more debug logging to make this more
digestable.
2016-09-25 10:40:51 +02:00
|
|
|
|
r = bind_remount_recursive(directory, true, NULL);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_error_errno(r, "Failed to remount %s read-only: %m", directory);
|
|
|
|
|
|
|
|
|
|
|
|
p = prefix_roota(directory, "/var");
|
|
|
|
|
|
r = mkdir(p, 0755);
|
|
|
|
|
|
if (r < 0 && errno != EEXIST)
|
|
|
|
|
|
return log_error_errno(errno, "Failed to create %s: %m", directory);
|
|
|
|
|
|
|
|
|
|
|
|
options = "mode=755";
|
nspawn: Simplify tmpfs_patch_options() usage, and trickle that up
One of the things that tmpfs_patch_options does is take an (optional) UID,
and insert "uid=${UID},gid=${UID}" into the options string. So we need a
uid_t argument, and a way of telling if we should use it. Fortunately,
that is built in to the uid_t type by having UID_INVALID as a possible
value.
So this is really a feature that requires one argument. Yet, it is somehow
taking 4! That is absurd. Simplify it to only take one argument, and have
that trickle all the way up to mount_all()'s usage.
Now, in may of the uses, the argument becomes
uid_shift == 0 ? UID_INVALID : uid_shift
because it used to treat uid_shift=0 as invalid unless the patch_ids flag
was also set. This keeps the behavior the same. Note that in all cases
where it is invoked, if !use_userns (sometimes called !userns), then
uid_shift is 0; we don't have to add any checks for that.
That said, I'm pretty sure that "uid=0" and not setting "uid=" are the
same, but Christian Brauner seemed to not think so when implementing the
cgns support. https://github.com/systemd/systemd/pull/3589
2017-06-14 00:06:09 +02:00
|
|
|
|
r = tmpfs_patch_options(options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return log_oom();
|
|
|
|
|
|
if (r > 0)
|
|
|
|
|
|
options = buf;
|
|
|
|
|
|
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
return mount_verbose(LOG_ERR, "tmpfs", p, "tmpfs", MS_STRICTATIME, options);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2018-12-19 00:09:57 +01:00
|
|
|
|
static int setup_volatile_yes(
|
2015-09-07 15:59:52 +02:00
|
|
|
|
const char *directory,
|
|
|
|
|
|
bool userns, uid_t uid_shift, uid_t uid_range,
|
|
|
|
|
|
const char *selinux_apifs_context) {
|
|
|
|
|
|
|
|
|
|
|
|
bool tmpfs_mounted = false, bind_mounted = false;
|
|
|
|
|
|
char template[] = "/tmp/nspawn-volatile-XXXXXX";
|
|
|
|
|
|
_cleanup_free_ char *buf = NULL;
|
|
|
|
|
|
const char *f, *t, *options;
|
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(directory);
|
|
|
|
|
|
|
2018-12-19 00:09:57 +01:00
|
|
|
|
/* --volatile=yes means we mount a tmpfs to the root dir, and the original /usr to use inside it, and that
|
|
|
|
|
|
read-only. */
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
|
|
|
|
|
if (!mkdtemp(template))
|
|
|
|
|
|
return log_error_errno(errno, "Failed to create temporary directory: %m");
|
|
|
|
|
|
|
|
|
|
|
|
options = "mode=755";
|
nspawn: Simplify tmpfs_patch_options() usage, and trickle that up
One of the things that tmpfs_patch_options does is take an (optional) UID,
and insert "uid=${UID},gid=${UID}" into the options string. So we need a
uid_t argument, and a way of telling if we should use it. Fortunately,
that is built in to the uid_t type by having UID_INVALID as a possible
value.
So this is really a feature that requires one argument. Yet, it is somehow
taking 4! That is absurd. Simplify it to only take one argument, and have
that trickle all the way up to mount_all()'s usage.
Now, in may of the uses, the argument becomes
uid_shift == 0 ? UID_INVALID : uid_shift
because it used to treat uid_shift=0 as invalid unless the patch_ids flag
was also set. This keeps the behavior the same. Note that in all cases
where it is invoked, if !use_userns (sometimes called !userns), then
uid_shift is 0; we don't have to add any checks for that.
That said, I'm pretty sure that "uid=0" and not setting "uid=" are the
same, but Christian Brauner seemed to not think so when implementing the
cgns support. https://github.com/systemd/systemd/pull/3589
2017-06-14 00:06:09 +02:00
|
|
|
|
r = tmpfs_patch_options(options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (r < 0)
|
2018-12-19 01:01:46 +01:00
|
|
|
|
goto fail;
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (r > 0)
|
|
|
|
|
|
options = buf;
|
|
|
|
|
|
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
r = mount_verbose(LOG_ERR, "tmpfs", template, "tmpfs", MS_STRICTATIME, options);
|
|
|
|
|
|
if (r < 0)
|
2015-09-07 15:59:52 +02:00
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
|
|
|
|
tmpfs_mounted = true;
|
|
|
|
|
|
|
|
|
|
|
|
f = prefix_roota(directory, "/usr");
|
|
|
|
|
|
t = prefix_roota(template, "/usr");
|
|
|
|
|
|
|
|
|
|
|
|
r = mkdir(t, 0755);
|
|
|
|
|
|
if (r < 0 && errno != EEXIST) {
|
|
|
|
|
|
r = log_error_errno(errno, "Failed to create %s: %m", t);
|
|
|
|
|
|
goto fail;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
r = mount_verbose(LOG_ERR, f, t, NULL, MS_BIND|MS_REC, NULL);
|
|
|
|
|
|
if (r < 0)
|
2015-09-07 15:59:52 +02:00
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
|
|
|
|
bind_mounted = true;
|
|
|
|
|
|
|
namespace: rework how ReadWritePaths= is applied
Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths=
specification, then we'd first recursively apply the ReadOnlyPaths= paths, and
make everything below read-only, only in order to then flip the read-only bit
again for the subdirs listed in ReadWritePaths= below it.
This is not only ugly (as for the dirs in question we first turn on the RO bit,
only to turn it off again immediately after), but also problematic in
containers, where a container manager might have marked a set of dirs read-only
and this code will undo this is ReadWritePaths= is set for any.
With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be
applied to the children listed in ReadWritePaths= in the first place, so that
we do not need to turn off the RO bit for those after all.
This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the
RO bit, but never to turn it off again. Or to say this differently: if some
dirs are marked read-only via some external tool, then ReadWritePaths= will not
undo it.
This is not only the safer option, but also more in-line with what the man page
currently claims:
"Entries (files or directories) listed in ReadWritePaths= are
accessible from within the namespace with the same access rights as
from outside."
To implement this change bind_remount_recursive() gained a new "blacklist"
string list parameter, which when passed may contain subdirs that shall be
excluded from the read-only mounting.
A number of functions are updated to add more debug logging to make this more
digestable.
2016-09-25 10:40:51 +02:00
|
|
|
|
r = bind_remount_recursive(t, true, NULL);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
if (r < 0) {
|
|
|
|
|
|
log_error_errno(r, "Failed to remount %s read-only: %m", t);
|
|
|
|
|
|
goto fail;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
r = mount_verbose(LOG_ERR, template, directory, NULL, MS_MOVE, NULL);
|
|
|
|
|
|
if (r < 0)
|
2015-09-07 15:59:52 +02:00
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
|
|
|
|
(void) rmdir(template);
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
|
|
fail:
|
|
|
|
|
|
if (bind_mounted)
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
(void) umount_verbose(t);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
|
|
|
|
|
|
if (tmpfs_mounted)
|
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
|
|
|
|
(void) umount_verbose(template);
|
2015-09-07 15:59:52 +02:00
|
|
|
|
(void) rmdir(template);
|
|
|
|
|
|
return r;
|
|
|
|
|
|
}
|
2017-02-08 16:54:31 +01:00
|
|
|
|
|
2018-12-19 01:02:06 +01:00
|
|
|
|
static int setup_volatile_overlay(
|
|
|
|
|
|
const char *directory,
|
|
|
|
|
|
bool userns, uid_t uid_shift, uid_t uid_range,
|
|
|
|
|
|
const char *selinux_apifs_context) {
|
|
|
|
|
|
|
|
|
|
|
|
_cleanup_free_ char *buf = NULL, *escaped_directory = NULL, *escaped_upper = NULL, *escaped_work = NULL;
|
|
|
|
|
|
char template[] = "/tmp/nspawn-volatile-XXXXXX";
|
|
|
|
|
|
const char *upper, *work, *options;
|
|
|
|
|
|
bool tmpfs_mounted = false;
|
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(directory);
|
|
|
|
|
|
|
|
|
|
|
|
/* --volatile=overlay means we mount an overlayfs to the root dir. */
|
|
|
|
|
|
|
|
|
|
|
|
if (!mkdtemp(template))
|
|
|
|
|
|
return log_error_errno(errno, "Failed to create temporary directory: %m");
|
|
|
|
|
|
|
|
|
|
|
|
options = "mode=755";
|
|
|
|
|
|
r = tmpfs_patch_options(options, uid_shift == 0 ? UID_INVALID : uid_shift, selinux_apifs_context, &buf);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
goto finish;
|
|
|
|
|
|
if (r > 0)
|
|
|
|
|
|
options = buf;
|
|
|
|
|
|
|
|
|
|
|
|
r = mount_verbose(LOG_ERR, "tmpfs", template, "tmpfs", MS_STRICTATIME, options);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
goto finish;
|
|
|
|
|
|
|
|
|
|
|
|
tmpfs_mounted = true;
|
|
|
|
|
|
|
|
|
|
|
|
upper = strjoina(template, "/upper");
|
|
|
|
|
|
work = strjoina(template, "/work");
|
|
|
|
|
|
|
|
|
|
|
|
if (mkdir(upper, 0755) < 0) {
|
|
|
|
|
|
r = log_error_errno(errno, "Failed to create %s: %m", upper);
|
|
|
|
|
|
goto finish;
|
|
|
|
|
|
}
|
|
|
|
|
|
if (mkdir(work, 0755) < 0) {
|
|
|
|
|
|
r = log_error_errno(errno, "Failed to create %s: %m", work);
|
|
|
|
|
|
goto finish;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* And now, let's overmount the root dir with an overlayfs that uses the root dir as lower dir. It's kinda nice
|
|
|
|
|
|
* that the kernel allows us to do that without going through some mount point rearrangements. */
|
|
|
|
|
|
|
|
|
|
|
|
escaped_directory = shell_escape(directory, ",:");
|
|
|
|
|
|
escaped_upper = shell_escape(upper, ",:");
|
|
|
|
|
|
escaped_work = shell_escape(work, ",:");
|
|
|
|
|
|
if (!escaped_directory || !escaped_upper || !escaped_work) {
|
|
|
|
|
|
r = -ENOMEM;
|
|
|
|
|
|
goto finish;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
options = strjoina("lowerdir=", escaped_directory, ",upperdir=", escaped_upper, ",workdir=", escaped_work);
|
|
|
|
|
|
r = mount_verbose(LOG_ERR, "overlay", directory, "overlay", 0, options);
|
|
|
|
|
|
|
|
|
|
|
|
finish:
|
|
|
|
|
|
if (tmpfs_mounted)
|
|
|
|
|
|
(void) umount_verbose(template);
|
|
|
|
|
|
|
|
|
|
|
|
(void) rmdir(template);
|
|
|
|
|
|
return r;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2018-12-19 00:09:57 +01:00
|
|
|
|
int setup_volatile_mode(
|
|
|
|
|
|
const char *directory,
|
|
|
|
|
|
VolatileMode mode,
|
|
|
|
|
|
bool userns, uid_t uid_shift, uid_t uid_range,
|
|
|
|
|
|
const char *selinux_apifs_context) {
|
|
|
|
|
|
|
|
|
|
|
|
switch (mode) {
|
|
|
|
|
|
|
|
|
|
|
|
case VOLATILE_YES:
|
|
|
|
|
|
return setup_volatile_yes(directory, userns, uid_shift, uid_range, selinux_apifs_context);
|
|
|
|
|
|
|
|
|
|
|
|
case VOLATILE_STATE:
|
|
|
|
|
|
return setup_volatile_state(directory, userns, uid_shift, uid_range, selinux_apifs_context);
|
|
|
|
|
|
|
2018-12-19 01:02:06 +01:00
|
|
|
|
case VOLATILE_OVERLAY:
|
|
|
|
|
|
return setup_volatile_overlay(directory, userns, uid_shift, uid_range, selinux_apifs_context);
|
|
|
|
|
|
|
2018-12-19 00:09:57 +01:00
|
|
|
|
default:
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-02-08 16:54:31 +01:00
|
|
|
|
/* Expects *pivot_root_new and *pivot_root_old to be initialised to allocated memory or NULL. */
|
|
|
|
|
|
int pivot_root_parse(char **pivot_root_new, char **pivot_root_old, const char *s) {
|
|
|
|
|
|
_cleanup_free_ char *root_new = NULL, *root_old = NULL;
|
|
|
|
|
|
const char *p = s;
|
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(pivot_root_new);
|
|
|
|
|
|
assert(pivot_root_old);
|
|
|
|
|
|
|
|
|
|
|
|
r = extract_first_word(&p, &root_new, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
return r;
|
|
|
|
|
|
if (r == 0)
|
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
|
|
if (isempty(p))
|
|
|
|
|
|
root_old = NULL;
|
|
|
|
|
|
else {
|
|
|
|
|
|
root_old = strdup(p);
|
|
|
|
|
|
if (!root_old)
|
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if (!path_is_absolute(root_new))
|
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
if (root_old && !path_is_absolute(root_old))
|
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
|
|
free_and_replace(*pivot_root_new, root_new);
|
|
|
|
|
|
free_and_replace(*pivot_root_old, root_old);
|
|
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int setup_pivot_root(const char *directory, const char *pivot_root_new, const char *pivot_root_old) {
|
|
|
|
|
|
_cleanup_free_ char *directory_pivot_root_new = NULL;
|
|
|
|
|
|
_cleanup_free_ char *pivot_tmp_pivot_root_old = NULL;
|
|
|
|
|
|
char pivot_tmp[] = "/tmp/nspawn-pivot-XXXXXX";
|
|
|
|
|
|
bool remove_pivot_tmp = false;
|
|
|
|
|
|
int r;
|
|
|
|
|
|
|
|
|
|
|
|
assert(directory);
|
|
|
|
|
|
|
|
|
|
|
|
if (!pivot_root_new)
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
|
|
/* Pivot pivot_root_new to / and the existing / to pivot_root_old.
|
|
|
|
|
|
* If pivot_root_old is NULL, the existing / disappears.
|
|
|
|
|
|
* This requires a temporary directory, pivot_tmp, which is
|
|
|
|
|
|
* not a child of either.
|
|
|
|
|
|
*
|
|
|
|
|
|
* This is typically used for OSTree-style containers, where
|
|
|
|
|
|
* the root partition contains several sysroots which could be
|
|
|
|
|
|
* run. Normally, one would be chosen by the bootloader and
|
|
|
|
|
|
* pivoted to / by initramfs.
|
|
|
|
|
|
*
|
|
|
|
|
|
* For example, for an OSTree deployment, pivot_root_new
|
|
|
|
|
|
* would be: /ostree/deploy/$os/deploy/$checksum. Note that this
|
|
|
|
|
|
* code doesn’t do the /var mount which OSTree expects: use
|
|
|
|
|
|
* --bind +/sysroot/ostree/deploy/$os/var:/var for that.
|
|
|
|
|
|
*
|
|
|
|
|
|
* So in the OSTree case, we’ll end up with something like:
|
|
|
|
|
|
* - directory = /tmp/nspawn-root-123456
|
|
|
|
|
|
* - pivot_root_new = /ostree/deploy/os/deploy/123abc
|
|
|
|
|
|
* - pivot_root_old = /sysroot
|
|
|
|
|
|
* - directory_pivot_root_new =
|
|
|
|
|
|
* /tmp/nspawn-root-123456/ostree/deploy/os/deploy/123abc
|
|
|
|
|
|
* - pivot_tmp = /tmp/nspawn-pivot-123456
|
|
|
|
|
|
* - pivot_tmp_pivot_root_old = /tmp/nspawn-pivot-123456/sysroot
|
|
|
|
|
|
*
|
|
|
|
|
|
* Requires all file systems at directory and below to be mounted
|
|
|
|
|
|
* MS_PRIVATE or MS_SLAVE so they can be moved.
|
|
|
|
|
|
*/
|
|
|
|
|
|
directory_pivot_root_new = prefix_root(directory, pivot_root_new);
|
|
|
|
|
|
|
|
|
|
|
|
/* Remount directory_pivot_root_new to make it movable. */
|
|
|
|
|
|
r = mount_verbose(LOG_ERR, directory_pivot_root_new, directory_pivot_root_new, NULL, MS_BIND, NULL);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
|
|
if (pivot_root_old) {
|
|
|
|
|
|
if (!mkdtemp(pivot_tmp)) {
|
|
|
|
|
|
r = log_error_errno(errno, "Failed to create temporary directory: %m");
|
|
|
|
|
|
goto done;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
remove_pivot_tmp = true;
|
|
|
|
|
|
pivot_tmp_pivot_root_old = prefix_root(pivot_tmp, pivot_root_old);
|
|
|
|
|
|
|
|
|
|
|
|
r = mount_verbose(LOG_ERR, directory_pivot_root_new, pivot_tmp, NULL, MS_MOVE, NULL);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
|
|
r = mount_verbose(LOG_ERR, directory, pivot_tmp_pivot_root_old, NULL, MS_MOVE, NULL);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
|
|
r = mount_verbose(LOG_ERR, pivot_tmp, directory, NULL, MS_MOVE, NULL);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
goto done;
|
|
|
|
|
|
} else {
|
|
|
|
|
|
r = mount_verbose(LOG_ERR, directory_pivot_root_new, directory, NULL, MS_MOVE, NULL);
|
|
|
|
|
|
if (r < 0)
|
|
|
|
|
|
goto done;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
|
if (remove_pivot_tmp)
|
|
|
|
|
|
(void) rmdir(pivot_tmp);
|
|
|
|
|
|
|
|
|
|
|
|
return r;
|
|
|
|
|
|
}
|