2020-11-09 05:23:58 +01:00
/* SPDX-License-Identifier: LGPL-2.1-or-later */
2011-03-14 02:40:36 +01:00
2017-10-03 10:41:51 +02:00
# if HAVE_BLKID
2015-09-07 18:56:54 +02:00
# endif
2011-03-14 02:40:36 +01:00
# include <errno.h>
# include <getopt.h>
2018-12-06 06:57:27 +01:00
# include <linux/fs.h>
2014-03-10 20:35:52 +01:00
# include <linux/loop.h>
2017-10-03 10:41:51 +02:00
# if HAVE_SELINUX
2015-09-07 18:56:54 +02:00
# include <selinux/selinux.h>
2014-03-10 20:35:52 +01:00
# endif
2015-09-07 18:56:54 +02:00
# include <stdlib.h>
# include <sys/file.h>
2020-09-16 22:34:43 +02:00
# include <sys/ioctl.h>
2015-09-07 18:56:54 +02:00
# include <sys/personality.h>
# include <sys/prctl.h>
# include <sys/types.h>
2016-12-13 02:38:18 +01:00
# include <sys/wait.h>
2020-09-16 22:34:43 +02:00
# include <termios.h>
2015-09-07 18:56:54 +02:00
# include <unistd.h>
2014-03-10 20:35:52 +01:00
2017-02-16 17:56:10 +01:00
# include "sd-bus.h"
2013-11-06 02:05:06 +01:00
# include "sd-daemon.h"
# include "sd-id128.h"
2015-09-07 18:56:54 +02:00
2015-10-27 03:01:06 +01:00
# include "alloc-util.h"
2015-09-07 18:56:54 +02:00
# include "barrier.h"
# include "base-filesystem.h"
# include "blkid-util.h"
# include "btrfs-util.h"
2018-05-12 21:51:20 +02:00
# include "bus-error.h"
2017-02-16 17:56:10 +01:00
# include "bus-util.h"
2015-09-07 18:56:54 +02:00
# include "cap-list.h"
2015-10-26 23:32:16 +01:00
# include "capability-util.h"
2011-03-14 22:33:31 +01:00
# include "cgroup-util.h"
2015-09-07 18:56:54 +02:00
# include "copy.h"
2018-05-07 21:47:15 +02:00
# include "cpu-set-util.h"
2012-08-15 02:00:31 +02:00
# include "dev-setup.h"
2016-12-01 20:26:09 +01:00
# include "dissect-image.h"
2015-09-07 18:56:54 +02:00
# include "env-util.h"
2020-07-23 08:47:08 +02:00
# include "escape.h"
2015-10-25 13:14:12 +01:00
# include "fd-util.h"
2012-12-22 19:29:04 +01:00
# include "fdset.h"
2013-02-14 12:26:13 +01:00
# include "fileio.h"
2016-11-07 16:14:59 +01:00
# include "format-util.h"
2015-10-26 21:16:26 +01:00
# include "fs-util.h"
2014-03-10 20:35:52 +01:00
# include "gpt.h"
2016-12-07 18:28:13 +01:00
# include "hexdecoct.h"
2015-09-07 18:56:54 +02:00
# include "hostname-util.h"
2016-07-21 17:57:57 +02:00
# include "id128-util.h"
2020-07-23 08:47:08 +02:00
# include "io-util.h"
2015-09-07 18:56:54 +02:00
# include "log.h"
2016-12-01 20:26:09 +01:00
# include "loop-util.h"
2015-09-07 18:56:54 +02:00
# include "loopback-setup.h"
2014-12-27 02:07:29 +01:00
# include "machine-image.h"
2015-09-07 18:56:54 +02:00
# include "macro.h"
2019-03-21 13:35:45 +01:00
# include "main-func.h"
2019-10-31 03:07:23 +01:00
# include "missing_sched.h"
2015-09-07 18:56:54 +02:00
# include "mkdir.h"
2015-10-26 18:44:13 +01:00
# include "mount-util.h"
2018-11-29 10:24:39 +01:00
# include "mountpoint-util.h"
2019-03-13 11:21:49 +01:00
# include "namespace-util.h"
2015-09-07 18:56:54 +02:00
# include "netlink-util.h"
2015-10-24 22:58:24 +02:00
# include "nspawn-cgroup.h"
2020-07-23 08:47:08 +02:00
# include "nspawn-creds.h"
nspawn: make recursive chown()ing logic safe for being aborted in the middle
We currently use the ownership of the top-level directory as a hint
whether we need to descent into the whole tree to chown() it recursively
or not. This is problematic with the previous chown()ing algorithm, as
when descending into the tree we'd first chown() and then descend
further down, which meant that the top-level directory would be chowned
first, and an aborted recursive chowning would appear on the next
invocation as successful, even though it was not. Let's reshuffle things
a bit, to make the re-chown()ing safe regarding interruptions:
a) We chown() the dir we are looking at last, and descent into all its
children first. That way we know that if the top-level dir is
properly owned everything inside of it is properly owned too.
b) Before starting a chown()ing operation, we mark the top-level
directory as owned by a special "busy" UID range, which we can use to
recognize whether a tree was fully chowned: if it is marked as busy,
it's definitely not fully chowned, as the busy ownership will only be
fixed as final step of the chowning.
Fixes: #6292
2017-11-16 19:09:32 +01:00
# include "nspawn-def.h"
2015-10-24 22:58:24 +02:00
# include "nspawn-expose-ports.h"
# include "nspawn-mount.h"
# include "nspawn-network.h"
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
# include "nspawn-oci.h"
2016-04-20 22:53:39 +02:00
# include "nspawn-patch-uid.h"
2015-10-24 22:58:24 +02:00
# include "nspawn-register.h"
2016-07-21 17:57:57 +02:00
# include "nspawn-seccomp.h"
2015-10-24 22:58:24 +02:00
# include "nspawn-settings.h"
# include "nspawn-setuid.h"
2016-02-03 20:32:06 +01:00
# include "nspawn-stub-pid1.h"
2019-03-14 13:14:33 +01:00
# include "nulstr-util.h"
2018-03-26 16:32:40 +02:00
# include "os-util.h"
2018-05-07 21:18:25 +02:00
# include "pager.h"
2015-10-26 16:18:16 +01:00
# include "parse-util.h"
2015-09-07 18:56:54 +02:00
# include "path-util.h"
2018-11-20 15:42:57 +01:00
# include "pretty-print.h"
2015-04-10 19:10:00 +02:00
# include "process-util.h"
2015-09-07 18:56:54 +02:00
# include "ptyfwd.h"
# include "random-util.h"
2016-05-30 02:03:51 +02:00
# include "raw-clone.h"
2020-04-21 18:33:23 +02:00
# include "resolve-util.h"
2018-05-07 17:59:18 +02:00
# include "rlimit-util.h"
2015-09-07 18:56:54 +02:00
# include "rm-rf.h"
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
# if HAVE_SECCOMP
# include "seccomp-util.h"
# endif
2016-03-09 15:29:25 +01:00
# include "selinux-util.h"
2015-09-07 18:56:54 +02:00
# include "signal-util.h"
2015-10-26 01:09:02 +01:00
# include "socket-util.h"
2015-10-26 22:01:44 +01:00
# include "stat-util.h"
2015-10-27 01:26:31 +01:00
# include "stdio-util.h"
2018-05-22 12:10:56 +02:00
# include "string-table.h"
2015-10-24 22:58:24 +02:00
# include "string-util.h"
2015-09-07 18:56:54 +02:00
# include "strv.h"
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
# include "sysctl-util.h"
2015-09-07 18:56:54 +02:00
# include "terminal-util.h"
2018-11-30 21:05:27 +01:00
# include "tmpfile-util.h"
2015-10-26 23:20:41 +01:00
# include "umask-util.h"
2019-11-01 11:21:05 +01:00
# include "unit-name.h"
2015-10-25 22:32:30 +01:00
# include "user-util.h"
2015-09-07 18:56:54 +02:00
# include "util.h"
2014-02-18 22:14:00 +01:00
2020-07-22 18:00:18 +02:00
/* The notify socket inside the container it can use to talk to nspawn using the sd_notify(3) protocol */
# define NSPAWN_NOTIFY_SOCKET_PATH " / run / host / notify"
2016-04-22 11:28:09 +02:00
2016-11-14 11:49:49 +01:00
# define EXIT_FORCE_RESTART 133
2014-05-24 15:58:54 +02:00
typedef enum ContainerStatus {
CONTAINER_TERMINATED ,
2019-03-21 13:49:42 +01:00
CONTAINER_REBOOTED ,
2014-05-24 15:58:54 +02:00
} ContainerStatus ;
2011-03-14 02:40:36 +01:00
static char * arg_directory = NULL ;
2014-12-12 03:50:59 +01:00
static char * arg_template = NULL ;
2016-02-02 01:52:01 +01:00
static char * arg_chdir = NULL ;
2017-02-08 16:54:31 +01:00
static char * arg_pivot_root_new = NULL ;
static char * arg_pivot_root_old = NULL ;
2011-06-29 14:22:46 +02:00
static char * arg_user = NULL ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
static uid_t arg_uid = UID_INVALID ;
static gid_t arg_gid = GID_INVALID ;
static gid_t * arg_supplementary_gids = NULL ;
static size_t arg_n_supplementary_gids = 0 ;
2013-06-20 03:45:08 +02:00
static sd_id128_t arg_uuid = { } ;
2018-05-07 18:37:32 +02:00
static char * arg_machine = NULL ; /* The name used by the host to refer to this */
static char * arg_hostname = NULL ; /* The name the payload sees by default */
2014-02-25 02:27:39 +01:00
static const char * arg_selinux_context = NULL ;
static const char * arg_selinux_apifs_context = NULL ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
static char * arg_slice = NULL ;
2011-08-02 05:24:58 +02:00
static bool arg_private_network = false ;
2012-04-25 15:11:20 +02:00
static bool arg_read_only = false ;
2016-02-03 20:32:06 +01:00
static StartMode arg_start_mode = START_PID1 ;
2014-12-12 03:50:59 +01:00
static bool arg_ephemeral = false ;
2012-07-19 02:02:39 +02:00
static LinkJournal arg_link_journal = LINK_AUTO ;
2014-11-20 14:30:52 +01:00
static bool arg_link_journal_try = false ;
2016-05-26 13:06:55 +02:00
static uint64_t arg_caps_retain =
2016-06-10 17:31:06 +02:00
( 1ULL < < CAP_AUDIT_CONTROL ) |
( 1ULL < < CAP_AUDIT_WRITE ) |
2012-06-28 13:44:39 +02:00
( 1ULL < < CAP_CHOWN ) |
( 1ULL < < CAP_DAC_OVERRIDE ) |
( 1ULL < < CAP_DAC_READ_SEARCH ) |
( 1ULL < < CAP_FOWNER ) |
( 1ULL < < CAP_FSETID ) |
( 1ULL < < CAP_IPC_OWNER ) |
( 1ULL < < CAP_KILL ) |
( 1ULL < < CAP_LEASE ) |
( 1ULL < < CAP_LINUX_IMMUTABLE ) |
2016-06-10 17:31:06 +02:00
( 1ULL < < CAP_MKNOD ) |
2012-06-28 13:44:39 +02:00
( 1ULL < < CAP_NET_BIND_SERVICE ) |
( 1ULL < < CAP_NET_BROADCAST ) |
( 1ULL < < CAP_NET_RAW ) |
( 1ULL < < CAP_SETFCAP ) |
2016-06-10 17:31:06 +02:00
( 1ULL < < CAP_SETGID ) |
2012-06-28 13:44:39 +02:00
( 1ULL < < CAP_SETPCAP ) |
( 1ULL < < CAP_SETUID ) |
( 1ULL < < CAP_SYS_ADMIN ) |
2016-06-10 17:31:06 +02:00
( 1ULL < < CAP_SYS_BOOT ) |
2012-06-28 13:44:39 +02:00
( 1ULL < < CAP_SYS_CHROOT ) |
( 1ULL < < CAP_SYS_NICE ) |
( 1ULL < < CAP_SYS_PTRACE ) |
2012-09-06 01:23:41 +02:00
( 1ULL < < CAP_SYS_RESOURCE ) |
2016-06-10 17:31:06 +02:00
( 1ULL < < CAP_SYS_TTY_CONFIG ) ;
2020-12-04 11:27:12 +01:00
static uint64_t arg_caps_ambient = 0 ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
static CapabilityQuintet arg_full_capabilities = CAPABILITY_QUINTET_NULL ;
2015-05-13 14:04:55 +02:00
static CustomMount * arg_custom_mounts = NULL ;
2018-04-27 22:01:54 +02:00
static size_t arg_n_custom_mounts = 0 ;
2013-12-13 16:37:16 +01:00
static char * * arg_setenv = NULL ;
2014-02-06 00:43:14 +01:00
static bool arg_quiet = false ;
2014-02-10 15:36:32 +01:00
static bool arg_register = true ;
2014-02-11 17:15:38 +01:00
static bool arg_keep_unit = false ;
2014-02-13 03:27:39 +01:00
static char * * arg_network_interfaces = NULL ;
2014-02-25 02:27:39 +01:00
static char * * arg_network_macvlan = NULL ;
2015-01-20 00:18:28 +01:00
static char * * arg_network_ipvlan = NULL ;
2014-02-13 18:47:20 +01:00
static bool arg_network_veth = false ;
2015-11-12 21:54:28 +01:00
static char * * arg_network_veth_extra = NULL ;
2015-09-06 01:22:14 +02:00
static char * arg_network_bridge = NULL ;
2016-05-06 21:00:27 +02:00
static char * arg_network_zone = NULL ;
2017-11-24 18:22:17 +01:00
static char * arg_network_namespace_path = NULL ;
2019-03-21 15:24:50 +01:00
static PagerFlags arg_pager_flags = 0 ;
2015-05-21 19:48:49 +02:00
static unsigned long arg_personality = PERSONALITY_INVALID ;
2014-12-12 03:50:59 +01:00
static char * arg_image = NULL ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
static char * arg_oci_bundle = NULL ;
2015-09-06 01:22:14 +02:00
static VolatileMode arg_volatile_mode = VOLATILE_NO ;
2015-01-13 13:51:51 +01:00
static ExposePort * arg_expose_ports = NULL ;
2015-02-18 19:38:55 +01:00
static char * * arg_property = NULL ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
static sd_bus_message * arg_property_message = NULL ;
2016-04-22 13:02:53 +02:00
static UserNamespaceMode arg_userns_mode = USER_NAMESPACE_NO ;
2015-02-19 11:30:18 +01:00
static uid_t arg_uid_shift = UID_INVALID , arg_uid_range = 0x10000U ;
2016-04-22 13:02:53 +02:00
static bool arg_userns_chown = false ;
2015-02-25 22:04:48 +01:00
static int arg_kill_signal = 0 ;
2016-08-16 00:13:36 +02:00
static CGroupUnified arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_UNKNOWN ;
2015-09-06 01:22:14 +02:00
static SettingsMask arg_settings_mask = 0 ;
static int arg_settings_trusted = - 1 ;
static char * * arg_parameters = NULL ;
2015-11-09 11:32:34 +01:00
static const char * arg_container_service_name = " systemd-nspawn " ;
2016-06-10 13:09:06 +02:00
static bool arg_notify_ready = false ;
2016-07-26 16:49:15 +02:00
static bool arg_use_cgns = true ;
2016-08-26 00:08:26 +02:00
static unsigned long arg_clone_ns_flags = CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWUTS ;
2018-10-08 18:32:03 +02:00
static MountSettingsMask arg_mount_settings = MOUNT_APPLY_APIVFS_RO | MOUNT_APPLY_TMPFS_TMP ;
2020-08-22 12:21:51 +02:00
static VeritySettings arg_verity_settings = VERITY_SETTINGS_DEFAULT ;
2020-06-23 08:31:16 +02:00
static char * * arg_syscall_allow_list = NULL ;
static char * * arg_syscall_deny_list = NULL ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
# if HAVE_SECCOMP
static scmp_filter_ctx arg_seccomp = NULL ;
# endif
2018-05-07 17:59:18 +02:00
static struct rlimit * arg_rlimit [ _RLIMIT_MAX ] = { } ;
2018-05-07 19:35:48 +02:00
static bool arg_no_new_privileges = false ;
2018-05-07 21:17:09 +02:00
static int arg_oom_score_adjust = 0 ;
static bool arg_oom_score_adjust_set = false ;
2019-05-21 08:45:19 +02:00
static CPUSet arg_cpu_set = { } ;
2018-05-12 21:50:57 +02:00
static ResolvConfMode arg_resolv_conf = RESOLV_CONF_AUTO ;
2018-05-17 05:43:03 +02:00
static TimezoneMode arg_timezone = TIMEZONE_AUTO ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
static unsigned arg_console_width = ( unsigned ) - 1 , arg_console_height = ( unsigned ) - 1 ;
static DeviceNode * arg_extra_nodes = NULL ;
static size_t arg_n_extra_nodes = 0 ;
static char * * arg_sysctl = NULL ;
static ConsoleMode arg_console_mode = _CONSOLE_MODE_INVALID ;
2020-07-23 08:47:08 +02:00
static Credential * arg_credentials = NULL ;
static size_t arg_n_credentials = 0 ;
2011-03-14 02:40:36 +01:00
2019-03-21 13:49:42 +01:00
STATIC_DESTRUCTOR_REGISTER ( arg_directory , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_template , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_chdir , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_pivot_root_new , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_pivot_root_old , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_user , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_supplementary_gids , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_machine , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_hostname , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_slice , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_setenv , strv_freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_network_interfaces , strv_freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_network_macvlan , strv_freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_network_ipvlan , strv_freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_network_veth_extra , strv_freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_network_bridge , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_network_zone , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_network_namespace_path , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_image , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_oci_bundle , freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_property , strv_freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_property_message , sd_bus_message_unrefp ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_parameters , strv_freep ) ;
2020-09-15 22:09:08 +02:00
STATIC_DESTRUCTOR_REGISTER ( arg_verity_settings , verity_settings_done ) ;
2020-06-23 08:31:16 +02:00
STATIC_DESTRUCTOR_REGISTER ( arg_syscall_allow_list , strv_freep ) ;
STATIC_DESTRUCTOR_REGISTER ( arg_syscall_deny_list , strv_freep ) ;
2019-03-21 13:49:42 +01:00
# if HAVE_SECCOMP
STATIC_DESTRUCTOR_REGISTER ( arg_seccomp , seccomp_releasep ) ;
# endif
2019-05-21 08:45:19 +02:00
STATIC_DESTRUCTOR_REGISTER ( arg_cpu_set , cpu_set_reset ) ;
2019-03-21 13:49:42 +01:00
STATIC_DESTRUCTOR_REGISTER ( arg_sysctl , strv_freep ) ;
2019-10-23 09:20:46 +02:00
static int handle_arg_console ( const char * arg ) {
if ( streq ( arg , " help " ) ) {
2020-09-17 16:26:14 +02:00
puts ( " autopipe \n "
" interactive \n "
2019-10-23 09:20:46 +02:00
" passive \n "
2020-09-17 16:26:14 +02:00
" pipe \n "
" read-only " ) ;
2019-10-23 09:20:46 +02:00
return 0 ;
}
if ( streq ( arg , " interactive " ) )
arg_console_mode = CONSOLE_INTERACTIVE ;
else if ( streq ( arg , " read-only " ) )
arg_console_mode = CONSOLE_READ_ONLY ;
else if ( streq ( arg , " passive " ) )
arg_console_mode = CONSOLE_PASSIVE ;
2020-09-16 22:12:29 +02:00
else if ( streq ( arg , " pipe " ) ) {
if ( isatty ( STDIN_FILENO ) > 0 & & isatty ( STDOUT_FILENO ) > 0 )
log_full ( arg_quiet ? LOG_DEBUG : LOG_NOTICE ,
" Console mode 'pipe' selected, but standard input/output are connected to an interactive TTY. "
" Most likely you want to use 'interactive' console mode for proper interactivity and shell job control. "
" Proceeding anyway. " ) ;
2019-10-23 09:20:46 +02:00
arg_console_mode = CONSOLE_PIPE ;
2020-09-17 16:26:14 +02:00
} else if ( streq ( arg , " autopipe " ) ) {
if ( isatty ( STDIN_FILENO ) > 0 & & isatty ( STDOUT_FILENO ) > 0 )
arg_console_mode = CONSOLE_INTERACTIVE ;
else
arg_console_mode = CONSOLE_PIPE ;
2020-09-16 22:12:29 +02:00
} else
2019-10-23 09:20:46 +02:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " Unknown console mode: %s " , optarg ) ;
arg_settings_mask | = SETTING_CONSOLE_MODE ;
return 1 ;
}
2018-08-09 10:32:31 +02:00
static int help ( void ) {
_cleanup_free_ char * link = NULL ;
int r ;
2019-03-21 15:24:50 +01:00
( void ) pager_open ( arg_pager_flags ) ;
2018-05-07 21:18:25 +02:00
2018-08-09 10:32:31 +02:00
r = terminal_urlify_man ( " systemd-nspawn " , " 1 " , & link ) ;
if ( r < 0 )
return log_oom ( ) ;
2019-03-21 13:27:19 +01:00
printf ( " %1$s [OPTIONS...] [PATH] [ARGUMENTS...] \n \n "
2019-11-28 10:51:31 +01:00
" %5$sSpawn a command or OS in a light-weight container.%6$s \n \n "
2014-01-30 22:28:02 +01:00
" -h --help Show this help \n "
" --version Print version string \n "
2014-02-13 18:47:20 +01:00
" -q --quiet Do not show status information \n "
2019-03-21 15:24:50 +01:00
" --no-pager Do not pipe output into a pager \n "
2019-03-21 13:27:19 +01:00
" --settings=BOOLEAN Load additional settings from .nspawn file \n \n "
" %3$sImage:%4$s \n "
2014-03-10 20:35:52 +01:00
" -D --directory=PATH Root directory for the container \n "
2014-12-12 03:50:59 +01:00
" --template=PATH Initialize root directory from template directory, \n "
" if missing \n "
" -x --ephemeral Run container with snapshot of root directory, and \n "
" remove it after exit \n "
2019-03-22 20:21:15 +01:00
" -i --image=PATH Root file system disk image (or device node) for \n "
" the container \n "
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
" --oci-bundle=PATH OCI bundle directory \n "
2019-03-21 13:27:19 +01:00
" --read-only Mount the root directory read-only \n "
" --volatile[=MODE] Run the system in volatile mode \n "
2019-03-22 20:21:15 +01:00
" --root-hash=HASH Specify verity root hash for root disk image \n "
2020-06-02 16:35:58 +02:00
" --root-hash-sig=SIG Specify pkcs7 signature of root hash for verity \n "
" as a DER encoded PKCS7, either as a path to a file \n "
" or as an ASCII base64 encoded string prefixed by \n "
" 'base64:' \n "
2020-05-29 18:51:20 +02:00
" --verity-data=PATH Specify hash device for verity \n "
2019-03-21 13:27:19 +01:00
" --pivot-root=PATH[:PATH] \n "
" Pivot root to given directory in the container \n \n "
" %3$sExecution:%4$s \n "
2016-02-03 20:32:06 +01:00
" -a --as-pid2 Maintain a stub init as PID1, invoke binary as PID2 \n "
2014-01-30 22:28:02 +01:00
" -b --boot Boot up full system (i.e. invoke init) \n "
2016-02-02 01:52:01 +01:00
" --chdir=PATH Set working directory in the container \n "
2019-03-21 13:27:19 +01:00
" -E --setenv=NAME=VALUE Pass an environment variable to PID 1 \n "
" -u --user=USER Run the command under specified user or UID \n "
" --kill-signal=SIGNAL Select signal to use for shutting down PID 1 \n "
" --notify-ready=BOOLEAN Receive notifications from the child init process \n \n "
" %3$sSystem Identity:%4$s \n "
2014-01-30 22:28:02 +01:00
" -M --machine=NAME Set the machine name for the container \n "
2018-05-07 18:37:32 +02:00
" --hostname=NAME Override the hostname for the container \n "
2019-03-21 13:27:19 +01:00
" --uuid=UUID Set a specific machine UUID for the container \n \n "
" %3$sProperties:%4$s \n "
2014-01-30 22:28:02 +01:00
" -S --slice=SLICE Place the container in the specified slice \n "
2015-02-18 19:38:55 +01:00
" --property=NAME=VALUE Set scope unit property \n "
2019-03-21 13:27:19 +01:00
" --register=BOOLEAN Register container as machine \n "
" --keep-unit Do not register a scope for the machine, reuse \n "
" the service unit nspawn is running in \n \n "
" %3$sUser Namespacing:%4$s \n "
2016-08-04 02:05:37 +02:00
" -U --private-users=pick Run within user namespace, autoselect UID/GID range \n "
2015-05-21 16:30:58 +02:00
" --private-users[=UIDBASE[:NUIDS]] \n "
2016-08-04 02:05:37 +02:00
" Similar, but with user configured UID/GID range \n "
2019-03-21 13:27:19 +01:00
" --private-users-chown Adjust OS tree ownership to private UID/GID range \n \n "
" %3$sNetworking:%4$s \n "
2014-02-13 18:47:20 +01:00
" --private-network Disable network in container \n "
" --network-interface=INTERFACE \n "
" Assign an existing network interface to the \n "
" container \n "
2014-02-25 02:27:39 +01:00
" --network-macvlan=INTERFACE \n "
" Create a macvlan network interface based on an \n "
" existing network interface to the container \n "
2015-01-20 00:18:28 +01:00
" --network-ipvlan=INTERFACE \n "
" Create a ipvlan network interface based on an \n "
" existing network interface to the container \n "
2014-08-03 07:11:37 +02:00
" -n --network-veth Add a virtual Ethernet connection between host \n "
2014-02-13 18:47:20 +01:00
" and container \n "
2015-11-12 21:54:28 +01:00
" --network-veth-extra=HOSTIF[:CONTAINERIF] \n "
" Add an additional virtual Ethernet link between \n "
" host and container \n "
2014-02-16 21:12:47 +01:00
" --network-bridge=INTERFACE \n "
2016-08-04 02:05:37 +02:00
" Add a virtual Ethernet connection to the container \n "
" and attach it to an existing bridge on the host \n "
" --network-zone=NAME Similar, but attach the new interface to an \n "
" an automatically managed bridge interface \n "
2017-11-24 18:22:17 +01:00
" --network-namespace-path=PATH \n "
" Set network namespace to the one represented by \n "
" the specified kernel namespace file node \n "
2015-01-13 13:51:51 +01:00
" -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT] \n "
2019-03-21 13:27:19 +01:00
" Expose a container IP port on the host \n \n "
" %3$sSecurity:%4$s \n "
2014-01-30 22:28:02 +01:00
" --capability=CAP In addition to the default, retain specified \n "
" capability \n "
" --drop-capability=CAP Drop the specified capability from the default set \n "
2020-12-04 11:27:12 +01:00
" --ambient-capability=CAP \n "
" Sets the specified capability for the started \n "
" process. Not useful if booting a machine. \n "
2019-03-21 13:31:09 +01:00
" --no-new-privileges Set PR_SET_NO_NEW_PRIVS flag for container payload \n "
2017-09-11 17:45:21 +02:00
" --system-call-filter=LIST|~LIST \n "
" Permit/prohibit specific system calls \n "
2019-03-21 13:27:19 +01:00
" -Z --selinux-context=SECLABEL \n "
" Set the SELinux security context to be used by \n "
" processes in the container \n "
" -L --selinux-apifs-context=SECLABEL \n "
" Set the SELinux security context to be used by \n "
" API/tmpfs file systems in the container \n \n "
" %3$sResources:%4$s \n "
2018-05-07 17:59:18 +02:00
" --rlimit=NAME=LIMIT Set a resource limit for the payload \n "
2018-05-07 21:17:09 +02:00
" --oom-score-adjust=VALUE \n "
" Adjust the OOM score value for the payload \n "
2019-03-21 13:31:09 +01:00
" --cpu-affinity=CPUS Adjust the CPU affinity of the container \n "
" --personality=ARCH Pick personality for this container \n \n "
2019-03-21 13:27:19 +01:00
" %3$sIntegration:%4$s \n "
2018-05-12 21:50:57 +02:00
" --resolv-conf=MODE Select mode of /etc/resolv.conf initialization \n "
2018-05-17 05:43:03 +02:00
" --timezone=MODE Select mode of /etc/localtime initialization \n "
2019-03-21 13:27:19 +01:00
" --link-journal=MODE Link up guest journal, one of no, auto, guest, \n "
" host, try-guest, try-host \n "
" -j Equivalent to --link-journal=try-guest \n \n "
" %3$sMounts:%4$s \n "
2015-07-22 00:48:38 +02:00
" --bind=PATH[:PATH[:OPTIONS]] \n "
" Bind mount a file or directory from the host into \n "
2014-01-30 22:28:02 +01:00
" the container \n "
2015-07-22 00:48:38 +02:00
" --bind-ro=PATH[:PATH[:OPTIONS] \n "
" Similar, but creates a read-only bind mount \n "
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
" --inaccessible=PATH Over-mount file node with inaccessible node to mask \n "
" it \n "
2014-06-11 00:44:30 +02:00
" --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory \n "
2015-05-13 14:04:55 +02:00
" --overlay=PATH[:PATH...]:PATH \n "
" Create an overlay mount from the host to \n "
" the container \n "
" --overlay-ro=PATH[:PATH...]:PATH \n "
2019-03-21 13:27:19 +01:00
" Similar, but creates a read-only overlay mount \n \n "
" %3$sInput/Output:%4$s \n "
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
" --console=MODE Select how stdin/stdout/stderr and /dev/console are \n "
" set up for the container. \n "
2020-07-23 08:47:08 +02:00
" -P --pipe Equivalent to --console=pipe \n \n "
" %3$sCredentials:%4$s \n "
" --set-credential=ID:VALUE \n "
" Pass a credential with literal value to container. \n "
" --load-credential=ID:PATH \n "
" Load credential to pass to container from file or \n "
" AF_UNIX stream socket. \n "
2019-03-21 13:27:19 +01:00
" \n See the %2$s for details. \n "
2018-08-09 10:32:31 +02:00
, program_invocation_short_name
, link
2019-11-28 10:51:31 +01:00
, ansi_underline ( ) , ansi_normal ( )
, ansi_highlight ( ) , ansi_normal ( )
) ;
2018-08-09 10:32:31 +02:00
return 0 ;
2011-03-14 02:40:36 +01:00
}
2016-11-30 16:02:47 +01:00
static int custom_mount_check_all ( void ) {
2018-04-27 22:01:54 +02:00
size_t i ;
2015-05-13 14:04:55 +02:00
for ( i = 0 ; i < arg_n_custom_mounts ; i + + ) {
CustomMount * m = & arg_custom_mounts [ i ] ;
2016-04-22 13:02:53 +02:00
if ( path_equal ( m - > destination , " / " ) & & arg_userns_mode ! = USER_NAMESPACE_NO ) {
2018-11-20 23:40:44 +01:00
if ( arg_userns_chown )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" --private-users-chown may not be combined with custom root mounts. " ) ;
else if ( arg_uid_shift = = UID_INVALID )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" --private-users with automatic UID shift may not be combined with custom root mounts. " ) ;
2015-06-30 15:41:41 +02:00
}
2015-05-13 14:04:55 +02:00
}
return 0 ;
}
2017-11-27 20:49:35 +01:00
static int detect_unified_cgroup_hierarchy_from_environment ( void ) {
2019-09-27 14:17:41 +02:00
const char * e , * var = " SYSTEMD_NSPAWN_UNIFIED_HIERARCHY " ;
2016-11-21 20:45:53 +01:00
int r ;
2016-08-16 00:13:36 +02:00
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
/* Allow the user to control whether the unified hierarchy is used */
2019-09-27 14:17:41 +02:00
e = getenv ( var ) ;
if ( ! e ) {
2019-11-12 21:10:48 +01:00
/* $UNIFIED_CGROUP_HIERARCHY has been renamed to $SYSTEMD_NSPAWN_UNIFIED_HIERARCHY. */
2019-09-27 14:17:41 +02:00
var = " UNIFIED_CGROUP_HIERARCHY " ;
e = getenv ( var ) ;
}
if ( ! isempty ( e ) ) {
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
r = parse_boolean ( e ) ;
if ( r < 0 )
2019-09-27 14:17:41 +02:00
return log_error_errno ( r , " Failed to parse $%s: %m " , var ) ;
2016-08-16 00:13:36 +02:00
if ( r > 0 )
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_ALL ;
else
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_NONE ;
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
}
2017-11-27 20:49:35 +01:00
return 0 ;
}
static int detect_unified_cgroup_hierarchy_from_image ( const char * directory ) {
int r ;
2019-09-27 14:51:53 +02:00
/* Let's inherit the mode to use from the host system, but let's take into consideration what systemd
* in the image actually supports . */
2017-02-24 17:52:58 +01:00
r = cg_all_unified ( ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to determine whether we are in all unified mode. " ) ;
if ( r > 0 ) {
2016-10-09 01:03:53 +02:00
/* Unified cgroup hierarchy support was added in 230. Unfortunately the detection
* routine only detects 231 , so we ' ll have a false negative here for 230. */
r = systemd_installation_has_version ( directory , 230 ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to determine systemd version in container: %m " ) ;
if ( r > 0 )
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_ALL ;
else
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_NONE ;
2017-02-24 18:00:04 +01:00
} else if ( cg_unified_controller ( SYSTEMD_CGROUP_CONTROLLER ) > 0 ) {
2016-11-21 20:45:53 +01:00
/* Mixed cgroup hierarchy support was added in 233 */
r = systemd_installation_has_version ( directory , 233 ) ;
2016-10-08 08:18:26 +02:00
if ( r < 0 )
return log_error_errno ( r , " Failed to determine systemd version in container: %m " ) ;
if ( r > 0 )
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_SYSTEMD ;
else
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_NONE ;
} else
2016-08-16 00:13:36 +02:00
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_NONE ;
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
2017-11-27 20:49:35 +01:00
log_debug ( " Using %s hierarchy for container. " ,
arg_unified_cgroup_hierarchy = = CGROUP_UNIFIED_NONE ? " legacy " :
arg_unified_cgroup_hierarchy = = CGROUP_UNIFIED_SYSTEMD ? " hybrid " : " unified " ) ;
core: unified cgroup hierarchy support
This patch set adds full support the new unified cgroup hierarchy logic
of modern kernels.
A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is
added. If specified the unified hierarchy is mounted to /sys/fs/cgroup
instead of a tmpfs. No further hierarchies are mounted. The kernel
command line option defaults to off. We can turn it on by default as
soon as the kernel's APIs regarding this are stabilized (but even then
downstream distros might want to turn this off, as this will break any
tools that access cgroupfs directly).
It is possibly to choose for each boot individually whether the unified
or the legacy hierarchy is used. nspawn will by default provide the
legacy hierarchy to containers if the host is using it, and the unified
otherwise. However it is possible to run containers with the unified
hierarchy on a legacy host and vice versa, by setting the
$UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0,
respectively.
The unified hierarchy provides reliable cgroup empty notifications for
the first time, via inotify. To make use of this we maintain one
manager-wide inotify fd, and each cgroup to it.
This patch also removes cg_delete() which is unused now.
On kernel 4.2 only the "memory" controller is compatible with the
unified hierarchy, hence that's the only controller systemd exposes when
booted in unified heirarchy mode.
This introduces a new enum for enumerating supported controllers, plus a
related enum for the mask bits mapping to it. The core is changed to
make use of this everywhere.
This moves PID 1 into a new "init.scope" implicit scope unit in the root
slice. This is necessary since on the unified hierarchy cgroups may
either contain subgroups or processes but not both. PID 1 hence has to
move out of the root cgroup (strictly speaking the root cgroup is the
only one where processes and subgroups are still allowed, but in order
to support containers nicey, we move PID 1 into the new scope in all
cases.) This new unit is also used on legacy hierarchy setups. It's
actually pretty useful on all systems, as it can then be used to filter
journal messages coming from PID 1, and so on.
The root slice ("-.slice") is now implicitly created and started (and
does not require a unit file on disk anymore), since
that's where "init.scope" is located and the slice needs to be started
before the scope can.
To check whether we are in unified or legacy hierarchy mode we use
statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in
legacy mode, if it reports cgroupfs we are in unified mode.
This patch set carefuly makes sure that cgls and cgtop continue to work
as desired.
When invoking nspawn as a service it will implicitly create two
subcgroups in the cgroup it is using, one to move the nspawn process
into, the other to move the actual container processes into. This is
done because of the requirement that cgroups may either contain
processes or other subgroups.
2015-09-01 19:22:36 +02:00
return 0 ;
}
2019-11-20 18:33:32 +01:00
static int parse_capability_spec ( const char * spec , uint64_t * ret_mask ) {
uint64_t mask = 0 ;
int r ;
for ( ; ; ) {
_cleanup_free_ char * t = NULL ;
r = extract_first_word ( & spec , & t , " , " , 0 ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse capability %s. " , t ) ;
if ( r = = 0 )
break ;
if ( streq ( t , " help " ) ) {
for ( int i = 0 ; i < capability_list_length ( ) ; i + + ) {
const char * name ;
name = capability_to_name ( i ) ;
if ( name )
puts ( name ) ;
}
return 0 ; /* quit */
}
if ( streq ( t , " all " ) )
mask = ( uint64_t ) - 1 ;
else {
r = capability_from_name ( t ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse capability %s. " , t ) ;
mask | = 1ULL < < r ;
}
}
* ret_mask = mask ;
return 1 ; /* continue */
}
2019-09-27 13:58:06 +02:00
static int parse_share_ns_env ( const char * name , unsigned long ns_flag ) {
2016-08-26 00:08:26 +02:00
int r ;
r = getenv_bool ( name ) ;
if ( r = = - ENXIO )
2019-09-27 13:58:06 +02:00
return 0 ;
2016-08-26 00:08:26 +02:00
if ( r < 0 )
2019-09-27 13:58:06 +02:00
return log_error_errno ( r , " Failed to parse $%s: %m " , name ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
2016-08-26 00:08:26 +02:00
arg_clone_ns_flags = ( arg_clone_ns_flags & ~ ns_flag ) | ( r > 0 ? 0 : ns_flag ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
arg_settings_mask | = SETTING_CLONE_NS_FLAGS ;
2019-09-27 13:58:06 +02:00
return 0 ;
2016-08-26 00:08:26 +02:00
}
2019-09-27 13:58:06 +02:00
static int parse_mount_settings_env ( void ) {
2016-10-14 14:00:15 +02:00
const char * e ;
2018-10-08 18:32:03 +02:00
int r ;
r = getenv_bool ( " SYSTEMD_NSPAWN_TMPFS_TMP " ) ;
2019-09-27 13:58:06 +02:00
if ( r < 0 & & r ! = - ENXIO )
return log_error_errno ( r , " Failed to parse $SYSTEMD_NSPAWN_TMPFS_TMP: %m " ) ;
2018-10-08 18:32:03 +02:00
if ( r > = 0 )
SET_FLAG ( arg_mount_settings , MOUNT_APPLY_TMPFS_TMP , r > 0 ) ;
2016-10-14 14:00:15 +02:00
e = getenv ( " SYSTEMD_NSPAWN_API_VFS_WRITABLE " ) ;
2019-09-27 13:58:06 +02:00
if ( streq_ptr ( e , " network " ) )
2016-10-14 14:00:15 +02:00
arg_mount_settings | = MOUNT_APPLY_APIVFS_RO | MOUNT_APPLY_APIVFS_NETNS ;
2019-09-27 13:58:06 +02:00
else if ( e ) {
r = parse_boolean ( e ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse $SYSTEMD_NSPAWN_API_VFS_WRITABLE: %m " ) ;
SET_FLAG ( arg_mount_settings , MOUNT_APPLY_APIVFS_RO , r = = 0 ) ;
SET_FLAG ( arg_mount_settings , MOUNT_APPLY_APIVFS_NETNS , false ) ;
2017-05-07 13:03:28 +02:00
}
2016-10-14 14:00:15 +02:00
2019-09-27 13:58:06 +02:00
return 0 ;
2016-10-14 14:00:15 +02:00
}
2019-09-27 13:58:06 +02:00
static int parse_environment ( void ) {
2018-12-06 21:54:11 +01:00
const char * e ;
int r ;
2019-09-27 13:58:06 +02:00
r = parse_share_ns_env ( " SYSTEMD_NSPAWN_SHARE_NS_IPC " , CLONE_NEWIPC ) ;
if ( r < 0 )
return r ;
r = parse_share_ns_env ( " SYSTEMD_NSPAWN_SHARE_NS_PID " , CLONE_NEWPID ) ;
if ( r < 0 )
return r ;
r = parse_share_ns_env ( " SYSTEMD_NSPAWN_SHARE_NS_UTS " , CLONE_NEWUTS ) ;
if ( r < 0 )
return r ;
r = parse_share_ns_env ( " SYSTEMD_NSPAWN_SHARE_SYSTEM " , CLONE_NEWIPC | CLONE_NEWPID | CLONE_NEWUTS ) ;
if ( r < 0 )
return r ;
2018-12-06 21:54:11 +01:00
2019-09-27 13:58:06 +02:00
r = parse_mount_settings_env ( ) ;
if ( r < 0 )
return r ;
2018-12-06 21:54:11 +01:00
2018-12-11 12:00:06 +01:00
/* SYSTEMD_NSPAWN_USE_CGNS=0 can be used to disable CLONE_NEWCGROUP use,
* even if it is supported . If not supported , it has no effect . */
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( ! cg_ns_supported ( ) )
2018-12-11 12:00:06 +01:00
arg_use_cgns = false ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
else {
r = getenv_bool ( " SYSTEMD_NSPAWN_USE_CGNS " ) ;
if ( r < 0 ) {
if ( r ! = - ENXIO )
2019-09-27 13:58:06 +02:00
return log_error_errno ( r , " Failed to parse $SYSTEMD_NSPAWN_USE_CGNS: %m " ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
arg_use_cgns = true ;
} else {
arg_use_cgns = r > 0 ;
arg_settings_mask | = SETTING_USE_CGNS ;
}
}
2018-12-06 21:54:11 +01:00
e = getenv ( " SYSTEMD_NSPAWN_CONTAINER_SERVICE " ) ;
if ( e )
arg_container_service_name = e ;
2019-09-27 13:58:06 +02:00
return detect_unified_cgroup_hierarchy_from_environment ( ) ;
2018-12-06 21:54:11 +01:00
}
2011-03-14 02:40:36 +01:00
static int parse_argv ( int argc , char * argv [ ] ) {
2011-08-02 04:49:37 +02:00
enum {
2013-01-11 22:03:49 +01:00
ARG_VERSION = 0x100 ,
ARG_PRIVATE_NETWORK ,
2012-04-25 15:11:20 +02:00
ARG_UUID ,
2012-06-28 13:44:39 +02:00
ARG_READ_ONLY ,
2012-07-19 02:02:39 +02:00
ARG_CAPABILITY ,
2020-12-04 11:27:12 +01:00
ARG_AMBIENT_CAPABILITY ,
2013-11-20 22:10:42 +01:00
ARG_DROP_CAPABILITY ,
2013-02-25 18:21:13 +01:00
ARG_LINK_JOURNAL ,
ARG_BIND ,
2013-12-13 16:37:16 +01:00
ARG_BIND_RO ,
2014-06-11 00:44:30 +02:00
ARG_TMPFS ,
2015-05-13 14:04:55 +02:00
ARG_OVERLAY ,
ARG_OVERLAY_RO ,
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
ARG_INACCESSIBLE ,
2014-02-10 15:36:32 +01:00
ARG_SHARE_SYSTEM ,
2014-02-11 17:15:38 +01:00
ARG_REGISTER ,
2014-02-13 03:27:39 +01:00
ARG_KEEP_UNIT ,
2014-02-13 18:47:20 +01:00
ARG_NETWORK_INTERFACE ,
2014-02-25 02:27:39 +01:00
ARG_NETWORK_MACVLAN ,
2015-01-20 00:18:28 +01:00
ARG_NETWORK_IPVLAN ,
2014-02-16 21:12:47 +01:00
ARG_NETWORK_BRIDGE ,
2016-05-06 21:00:27 +02:00
ARG_NETWORK_ZONE ,
2015-11-12 21:54:28 +01:00
ARG_NETWORK_VETH_EXTRA ,
2017-11-24 18:22:17 +01:00
ARG_NETWORK_NAMESPACE_PATH ,
2014-02-18 23:35:19 +01:00
ARG_PERSONALITY ,
2014-07-04 03:22:33 +02:00
ARG_VOLATILE ,
2014-12-12 03:50:59 +01:00
ARG_TEMPLATE ,
2015-02-18 19:38:55 +01:00
ARG_PROPERTY ,
2015-02-19 11:30:18 +01:00
ARG_PRIVATE_USERS ,
2015-02-25 22:04:48 +01:00
ARG_KILL_SIGNAL ,
2015-09-06 01:22:14 +02:00
ARG_SETTINGS ,
2016-02-02 01:52:01 +01:00
ARG_CHDIR ,
2017-02-08 16:54:31 +01:00
ARG_PIVOT_ROOT ,
2016-04-20 22:53:39 +02:00
ARG_PRIVATE_USERS_CHOWN ,
2016-06-10 13:09:06 +02:00
ARG_NOTIFY_READY ,
2016-12-07 18:28:13 +01:00
ARG_ROOT_HASH ,
2020-09-15 22:09:08 +02:00
ARG_ROOT_HASH_SIG ,
ARG_VERITY_DATA ,
2017-09-11 17:45:21 +02:00
ARG_SYSTEM_CALL_FILTER ,
2018-05-07 17:59:18 +02:00
ARG_RLIMIT ,
2018-05-07 18:37:32 +02:00
ARG_HOSTNAME ,
2018-05-07 19:35:48 +02:00
ARG_NO_NEW_PRIVILEGES ,
2018-05-07 21:17:09 +02:00
ARG_OOM_SCORE_ADJUST ,
2018-05-07 21:47:15 +02:00
ARG_CPU_AFFINITY ,
2018-05-12 21:50:57 +02:00
ARG_RESOLV_CONF ,
2018-05-17 05:43:03 +02:00
ARG_TIMEZONE ,
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
ARG_CONSOLE ,
ARG_PIPE ,
ARG_OCI_BUNDLE ,
2019-03-21 15:24:50 +01:00
ARG_NO_PAGER ,
2020-07-23 08:47:08 +02:00
ARG_SET_CREDENTIAL ,
ARG_LOAD_CREDENTIAL ,
2011-08-02 04:49:37 +02:00
} ;
2011-03-14 02:40:36 +01:00
static const struct option options [ ] = {
2017-11-24 18:22:17 +01:00
{ " help " , no_argument , NULL , ' h ' } ,
{ " version " , no_argument , NULL , ARG_VERSION } ,
{ " directory " , required_argument , NULL , ' D ' } ,
{ " template " , required_argument , NULL , ARG_TEMPLATE } ,
{ " ephemeral " , no_argument , NULL , ' x ' } ,
{ " user " , required_argument , NULL , ' u ' } ,
{ " private-network " , no_argument , NULL , ARG_PRIVATE_NETWORK } ,
{ " as-pid2 " , no_argument , NULL , ' a ' } ,
{ " boot " , no_argument , NULL , ' b ' } ,
{ " uuid " , required_argument , NULL , ARG_UUID } ,
{ " read-only " , no_argument , NULL , ARG_READ_ONLY } ,
{ " capability " , required_argument , NULL , ARG_CAPABILITY } ,
2020-12-04 11:27:12 +01:00
{ " ambient-capability " , required_argument , NULL , ARG_AMBIENT_CAPABILITY } ,
2017-11-24 18:22:17 +01:00
{ " drop-capability " , required_argument , NULL , ARG_DROP_CAPABILITY } ,
2018-05-07 19:35:48 +02:00
{ " no-new-privileges " , required_argument , NULL , ARG_NO_NEW_PRIVILEGES } ,
2017-11-24 18:22:17 +01:00
{ " link-journal " , required_argument , NULL , ARG_LINK_JOURNAL } ,
{ " bind " , required_argument , NULL , ARG_BIND } ,
{ " bind-ro " , required_argument , NULL , ARG_BIND_RO } ,
{ " tmpfs " , required_argument , NULL , ARG_TMPFS } ,
{ " overlay " , required_argument , NULL , ARG_OVERLAY } ,
{ " overlay-ro " , required_argument , NULL , ARG_OVERLAY_RO } ,
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
{ " inaccessible " , required_argument , NULL , ARG_INACCESSIBLE } ,
2017-11-24 18:22:17 +01:00
{ " machine " , required_argument , NULL , ' M ' } ,
2018-05-07 18:37:32 +02:00
{ " hostname " , required_argument , NULL , ARG_HOSTNAME } ,
2017-11-24 18:22:17 +01:00
{ " slice " , required_argument , NULL , ' S ' } ,
{ " setenv " , required_argument , NULL , ' E ' } ,
{ " selinux-context " , required_argument , NULL , ' Z ' } ,
{ " selinux-apifs-context " , required_argument , NULL , ' L ' } ,
{ " quiet " , no_argument , NULL , ' q ' } ,
{ " share-system " , no_argument , NULL , ARG_SHARE_SYSTEM } , /* not documented */
{ " register " , required_argument , NULL , ARG_REGISTER } ,
{ " keep-unit " , no_argument , NULL , ARG_KEEP_UNIT } ,
{ " network-interface " , required_argument , NULL , ARG_NETWORK_INTERFACE } ,
{ " network-macvlan " , required_argument , NULL , ARG_NETWORK_MACVLAN } ,
{ " network-ipvlan " , required_argument , NULL , ARG_NETWORK_IPVLAN } ,
{ " network-veth " , no_argument , NULL , ' n ' } ,
{ " network-veth-extra " , required_argument , NULL , ARG_NETWORK_VETH_EXTRA } ,
{ " network-bridge " , required_argument , NULL , ARG_NETWORK_BRIDGE } ,
{ " network-zone " , required_argument , NULL , ARG_NETWORK_ZONE } ,
{ " network-namespace-path " , required_argument , NULL , ARG_NETWORK_NAMESPACE_PATH } ,
{ " personality " , required_argument , NULL , ARG_PERSONALITY } ,
{ " image " , required_argument , NULL , ' i ' } ,
{ " volatile " , optional_argument , NULL , ARG_VOLATILE } ,
{ " port " , required_argument , NULL , ' p ' } ,
{ " property " , required_argument , NULL , ARG_PROPERTY } ,
{ " private-users " , optional_argument , NULL , ARG_PRIVATE_USERS } ,
{ " private-users-chown " , optional_argument , NULL , ARG_PRIVATE_USERS_CHOWN } ,
{ " kill-signal " , required_argument , NULL , ARG_KILL_SIGNAL } ,
{ " settings " , required_argument , NULL , ARG_SETTINGS } ,
{ " chdir " , required_argument , NULL , ARG_CHDIR } ,
{ " pivot-root " , required_argument , NULL , ARG_PIVOT_ROOT } ,
{ " notify-ready " , required_argument , NULL , ARG_NOTIFY_READY } ,
{ " root-hash " , required_argument , NULL , ARG_ROOT_HASH } ,
2020-09-15 22:09:08 +02:00
{ " root-hash-sig " , required_argument , NULL , ARG_ROOT_HASH_SIG } ,
{ " verity-data " , required_argument , NULL , ARG_VERITY_DATA } ,
2017-11-24 18:22:17 +01:00
{ " system-call-filter " , required_argument , NULL , ARG_SYSTEM_CALL_FILTER } ,
2018-05-07 17:59:18 +02:00
{ " rlimit " , required_argument , NULL , ARG_RLIMIT } ,
2018-05-07 21:17:09 +02:00
{ " oom-score-adjust " , required_argument , NULL , ARG_OOM_SCORE_ADJUST } ,
2018-05-07 21:47:15 +02:00
{ " cpu-affinity " , required_argument , NULL , ARG_CPU_AFFINITY } ,
2018-05-12 21:50:57 +02:00
{ " resolv-conf " , required_argument , NULL , ARG_RESOLV_CONF } ,
2018-05-17 05:43:03 +02:00
{ " timezone " , required_argument , NULL , ARG_TIMEZONE } ,
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
{ " console " , required_argument , NULL , ARG_CONSOLE } ,
{ " pipe " , no_argument , NULL , ARG_PIPE } ,
{ " oci-bundle " , required_argument , NULL , ARG_OCI_BUNDLE } ,
2019-03-21 15:24:50 +01:00
{ " no-pager " , no_argument , NULL , ARG_NO_PAGER } ,
2020-07-23 08:47:08 +02:00
{ " set-credential " , required_argument , NULL , ARG_SET_CREDENTIAL } ,
{ " load-credential " , required_argument , NULL , ARG_LOAD_CREDENTIAL } ,
2013-11-06 18:28:39 +01:00
{ }
2011-03-14 02:40:36 +01:00
} ;
2013-06-20 03:45:08 +02:00
int c , r ;
2014-02-13 14:07:59 +01:00
uint64_t plus = 0 , minus = 0 ;
2015-09-06 01:22:14 +02:00
bool mask_all_settings = false , mask_no_settings = false ;
2011-03-14 02:40:36 +01:00
assert ( argc > = 0 ) ;
assert ( argv ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
while ( ( c = getopt_long ( argc , argv , " +hD:u:abL:M:jS:Z:qi:xp:nUE:P " , options , NULL ) ) > = 0 )
2011-03-14 02:40:36 +01:00
switch ( c ) {
case ' h ' :
2018-08-09 10:32:31 +02:00
return help ( ) ;
2011-03-14 02:40:36 +01:00
2013-01-11 22:03:49 +01:00
case ARG_VERSION :
2015-09-23 03:01:06 +02:00
return version ( ) ;
2013-01-11 22:03:49 +01:00
2011-03-14 02:40:36 +01:00
case ' D ' :
2015-10-22 19:54:29 +02:00
r = parse_path_argument_and_warn ( optarg , false , & arg_directory ) ;
2014-12-12 03:50:59 +01:00
if ( r < 0 )
2015-10-22 19:54:29 +02:00
return r ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
arg_settings_mask | = SETTING_DIRECTORY ;
2014-12-12 03:50:59 +01:00
break ;
case ARG_TEMPLATE :
2015-10-22 19:54:29 +02:00
r = parse_path_argument_and_warn ( optarg , false , & arg_template ) ;
2014-12-12 03:50:59 +01:00
if ( r < 0 )
2015-10-22 19:54:29 +02:00
return r ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
arg_settings_mask | = SETTING_DIRECTORY ;
2011-03-14 02:40:36 +01:00
break ;
2014-03-10 20:35:52 +01:00
case ' i ' :
2015-10-22 19:54:29 +02:00
r = parse_path_argument_and_warn ( optarg , false , & arg_image ) ;
2014-12-12 03:50:59 +01:00
if ( r < 0 )
2015-10-22 19:54:29 +02:00
return r ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
arg_settings_mask | = SETTING_DIRECTORY ;
break ;
case ARG_OCI_BUNDLE :
r = parse_path_argument_and_warn ( optarg , false , & arg_oci_bundle ) ;
if ( r < 0 )
return r ;
2014-12-12 03:50:59 +01:00
break ;
case ' x ' :
arg_ephemeral = true ;
2018-10-22 19:26:05 +02:00
arg_settings_mask | = SETTING_EPHEMERAL ;
2014-03-10 20:35:52 +01:00
break ;
2011-06-29 14:22:46 +02:00
case ' u ' :
2015-07-29 20:25:57 +02:00
r = free_and_strdup ( & arg_user , optarg ) ;
if ( r < 0 )
2013-04-16 04:36:06 +02:00
return log_oom ( ) ;
2011-06-29 14:22:46 +02:00
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_USER ;
2011-06-29 14:22:46 +02:00
break ;
2016-05-06 21:00:27 +02:00
case ARG_NETWORK_ZONE : {
char * j ;
2019-07-11 19:14:16 +02:00
j = strjoin ( " vz- " , optarg ) ;
2016-05-06 21:00:27 +02:00
if ( ! j )
return log_oom ( ) ;
if ( ! ifname_valid ( j ) ) {
log_error ( " Network zone name not valid: %s " , j ) ;
free ( j ) ;
return - EINVAL ;
}
2018-06-13 17:40:34 +02:00
free_and_replace ( arg_network_zone , j ) ;
2016-05-06 21:00:27 +02:00
arg_network_veth = true ;
arg_private_network = true ;
arg_settings_mask | = SETTING_NETWORK ;
break ;
}
2014-02-16 21:12:47 +01:00
case ARG_NETWORK_BRIDGE :
2016-05-06 20:58:32 +02:00
2018-11-20 23:40:44 +01:00
if ( ! ifname_valid ( optarg ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Bridge interface name not valid: %s " , optarg ) ;
2016-05-06 20:58:32 +02:00
2015-09-06 01:22:14 +02:00
r = free_and_strdup ( & arg_network_bridge , optarg ) ;
if ( r < 0 )
return log_oom ( ) ;
2014-02-16 21:12:47 +01:00
2017-11-19 19:06:10 +01:00
_fallthrough_ ;
2015-01-13 19:42:02 +01:00
case ' n ' :
2014-02-13 18:47:20 +01:00
arg_network_veth = true ;
arg_private_network = true ;
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_NETWORK ;
2014-02-13 18:47:20 +01:00
break ;
2015-11-12 21:54:28 +01:00
case ARG_NETWORK_VETH_EXTRA :
r = veth_extra_parse ( & arg_network_veth_extra , optarg ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse --network-veth-extra= parameter: %s " , optarg ) ;
arg_private_network = true ;
arg_settings_mask | = SETTING_NETWORK ;
break ;
2014-02-13 03:27:39 +01:00
case ARG_NETWORK_INTERFACE :
2018-11-20 23:40:44 +01:00
if ( ! ifname_valid ( optarg ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Network interface name not valid: %s " , optarg ) ;
2016-05-06 20:58:32 +02:00
2019-12-19 21:16:30 +01:00
r = test_network_interface_initialized ( optarg ) ;
if ( r < 0 )
return r ;
2014-02-25 02:27:39 +01:00
if ( strv_extend ( & arg_network_interfaces , optarg ) < 0 )
return log_oom ( ) ;
arg_private_network = true ;
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_NETWORK ;
2014-02-25 02:27:39 +01:00
break ;
case ARG_NETWORK_MACVLAN :
2016-05-06 20:58:32 +02:00
2018-11-20 23:40:44 +01:00
if ( ! ifname_valid ( optarg ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" MACVLAN network interface name not valid: %s " , optarg ) ;
2016-05-06 20:58:32 +02:00
2019-12-19 21:16:30 +01:00
r = test_network_interface_initialized ( optarg ) ;
if ( r < 0 )
return r ;
2014-02-25 02:27:39 +01:00
if ( strv_extend ( & arg_network_macvlan , optarg ) < 0 )
2014-02-13 03:27:39 +01:00
return log_oom ( ) ;
2015-01-20 00:18:28 +01:00
arg_private_network = true ;
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_NETWORK ;
2015-01-20 00:18:28 +01:00
break ;
case ARG_NETWORK_IPVLAN :
2016-05-06 20:58:32 +02:00
2018-11-20 23:40:44 +01:00
if ( ! ifname_valid ( optarg ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" IPVLAN network interface name not valid: %s " , optarg ) ;
2016-05-06 20:58:32 +02:00
2019-12-19 21:16:30 +01:00
r = test_network_interface_initialized ( optarg ) ;
if ( r < 0 )
return r ;
2015-01-20 00:18:28 +01:00
if ( strv_extend ( & arg_network_ipvlan , optarg ) < 0 )
return log_oom ( ) ;
2017-11-19 19:06:10 +01:00
_fallthrough_ ;
2011-08-02 05:24:58 +02:00
case ARG_PRIVATE_NETWORK :
arg_private_network = true ;
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_NETWORK ;
2011-08-02 04:49:37 +02:00
break ;
2017-11-24 18:22:17 +01:00
case ARG_NETWORK_NAMESPACE_PATH :
r = parse_path_argument_and_warn ( optarg , false , & arg_network_namespace_path ) ;
if ( r < 0 )
return r ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
arg_settings_mask | = SETTING_NETWORK ;
2017-11-24 18:22:17 +01:00
break ;
2012-04-22 13:37:24 +02:00
case ' b ' :
2018-11-20 23:40:44 +01:00
if ( arg_start_mode = = START_PID2 )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" --boot and --as-pid2 may not be combined. " ) ;
2016-02-03 20:32:06 +01:00
arg_start_mode = START_BOOT ;
arg_settings_mask | = SETTING_START_MODE ;
break ;
case ' a ' :
2018-11-20 23:40:44 +01:00
if ( arg_start_mode = = START_BOOT )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" --boot and --as-pid2 may not be combined. " ) ;
2016-02-03 20:32:06 +01:00
arg_start_mode = START_PID2 ;
arg_settings_mask | = SETTING_START_MODE ;
2012-04-22 13:37:24 +02:00
break ;
2012-04-22 14:48:21 +02:00
case ARG_UUID :
2013-06-20 03:45:08 +02:00
r = sd_id128_from_string ( optarg , & arg_uuid ) ;
2016-07-21 18:53:40 +02:00
if ( r < 0 )
return log_error_errno ( r , " Invalid UUID: %s " , optarg ) ;
2018-11-20 23:40:44 +01:00
if ( sd_id128_is_null ( arg_uuid ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Machine UUID may not be all zeroes. " ) ;
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_MACHINE_ID ;
2013-06-20 03:45:08 +02:00
break ;
2013-04-29 23:39:12 +02:00
2019-11-01 11:21:05 +01:00
case ' S ' : {
_cleanup_free_ char * mangled = NULL ;
r = unit_name_mangle_with_suffix ( optarg , NULL , UNIT_NAME_MANGLE_WARN , " .slice " , & mangled ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( r < 0 )
return log_oom ( ) ;
2019-11-01 11:21:05 +01:00
free_and_replace ( arg_slice , mangled ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
arg_settings_mask | = SETTING_SLICE ;
2012-04-22 14:48:21 +02:00
break ;
2019-11-01 11:21:05 +01:00
}
2012-04-22 14:48:21 +02:00
2013-04-16 04:36:06 +02:00
case ' M ' :
2015-08-25 20:26:51 +02:00
if ( isempty ( optarg ) )
2015-07-31 19:56:38 +02:00
arg_machine = mfree ( arg_machine ) ;
2015-08-25 20:26:51 +02:00
else {
2020-12-11 16:40:45 +01:00
if ( ! hostname_is_valid ( optarg , 0 ) )
2018-11-20 23:40:44 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Invalid machine name: %s " , optarg ) ;
2013-04-16 04:36:06 +02:00
2014-12-12 02:49:40 +01:00
r = free_and_strdup ( & arg_machine , optarg ) ;
if ( r < 0 )
2014-02-10 15:36:32 +01:00
return log_oom ( ) ;
}
2017-01-27 06:45:38 +01:00
break ;
2013-04-16 04:36:06 +02:00
2018-05-07 18:37:32 +02:00
case ARG_HOSTNAME :
if ( isempty ( optarg ) )
arg_hostname = mfree ( arg_hostname ) ;
else {
2020-12-11 16:40:45 +01:00
if ( ! hostname_is_valid ( optarg , 0 ) )
2018-11-20 23:40:44 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Invalid hostname: %s " , optarg ) ;
2018-05-07 18:37:32 +02:00
r = free_and_strdup ( & arg_hostname , optarg ) ;
if ( r < 0 )
return log_oom ( ) ;
}
arg_settings_mask | = SETTING_HOSTNAME ;
break ;
2014-02-10 12:32:03 +01:00
case ' Z ' :
arg_selinux_context = optarg ;
2014-01-30 22:28:02 +01:00
break ;
2014-02-10 12:32:03 +01:00
case ' L ' :
arg_selinux_apifs_context = optarg ;
2014-01-30 22:28:02 +01:00
break ;
2012-04-25 15:11:20 +02:00
case ARG_READ_ONLY :
arg_read_only = true ;
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_READ_ONLY ;
2012-04-25 15:11:20 +02:00
break ;
2020-12-04 11:27:12 +01:00
case ARG_AMBIENT_CAPABILITY : {
uint64_t m ;
r = parse_capability_spec ( optarg , & m ) ;
if ( r < = 0 )
return r ;
arg_caps_ambient | = m ;
arg_settings_mask | = SETTING_CAPABILITY ;
break ;
}
2013-11-20 22:10:42 +01:00
case ARG_CAPABILITY :
case ARG_DROP_CAPABILITY : {
2019-11-20 18:33:32 +01:00
uint64_t m ;
r = parse_capability_spec ( optarg , & m ) ;
if ( r < = 0 )
return r ;
2012-06-28 13:44:39 +02:00
2019-11-20 18:33:32 +01:00
if ( c = = ARG_CAPABILITY )
plus | = m ;
else
minus | = m ;
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_CAPABILITY ;
2012-06-28 13:44:39 +02:00
break ;
}
2018-05-07 19:35:48 +02:00
case ARG_NO_NEW_PRIVILEGES :
r = parse_boolean ( optarg ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse --no-new-privileges= argument: %s " , optarg ) ;
arg_no_new_privileges = r ;
arg_settings_mask | = SETTING_NO_NEW_PRIVILEGES ;
break ;
2012-07-19 02:02:39 +02:00
case ' j ' :
arg_link_journal = LINK_GUEST ;
2014-11-20 14:30:52 +01:00
arg_link_journal_try = true ;
2018-05-12 22:17:16 +02:00
arg_settings_mask | = SETTING_LINK_JOURNAL ;
2012-07-19 02:02:39 +02:00
break ;
case ARG_LINK_JOURNAL :
2018-05-12 22:17:16 +02:00
r = parse_link_journal ( optarg , & arg_link_journal , & arg_link_journal_try ) ;
2019-04-02 14:51:48 +02:00
if ( r < 0 )
return log_error_errno ( r , " Failed to parse link journal mode %s " , optarg ) ;
2012-07-19 02:02:39 +02:00
2018-05-12 22:17:16 +02:00
arg_settings_mask | = SETTING_LINK_JOURNAL ;
2012-07-19 02:02:39 +02:00
break ;
2013-02-25 18:21:13 +01:00
case ARG_BIND :
2015-09-06 01:22:14 +02:00
case ARG_BIND_RO :
r = bind_mount_parse ( & arg_custom_mounts , & arg_n_custom_mounts , optarg , c = = ARG_BIND_RO ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse --bind(-ro) = argument % s : % m " , optarg) ;
2013-02-25 18:21:13 +01:00
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_CUSTOM_MOUNTS ;
2013-02-25 18:21:13 +01:00
break ;
2014-06-11 00:44:30 +02:00
2015-09-06 01:22:14 +02:00
case ARG_TMPFS :
r = tmpfs_mount_parse ( & arg_custom_mounts , & arg_n_custom_mounts , optarg ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse --tmpfs= argument %s: %m " , optarg ) ;
2015-05-13 14:04:55 +02:00
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_CUSTOM_MOUNTS ;
2015-05-13 14:04:55 +02:00
break ;
case ARG_OVERLAY :
2016-11-29 23:47:58 +01:00
case ARG_OVERLAY_RO :
r = overlay_mount_parse ( & arg_custom_mounts , & arg_n_custom_mounts , optarg , c = = ARG_OVERLAY_RO ) ;
if ( r = = - EADDRNOTAVAIL )
return log_error_errno ( r , " --overlay(-ro) = needs at least two colon - separated directories specified . " ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse --overlay(-ro) = argument % s : % m " , optarg) ;
2014-06-11 00:44:30 +02:00
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_CUSTOM_MOUNTS ;
2014-06-11 00:44:30 +02:00
break ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
case ARG_INACCESSIBLE :
r = inaccessible_mount_parse ( & arg_custom_mounts , & arg_n_custom_mounts , optarg ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse --inaccessible= argument %s: %m " , optarg ) ;
arg_settings_mask | = SETTING_CUSTOM_MOUNTS ;
break ;
2016-04-20 03:54:55 +02:00
case ' E ' : {
2013-12-13 16:37:16 +01:00
char * * n ;
2018-11-20 23:40:44 +01:00
if ( ! env_assignment_is_valid ( optarg ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Environment variable assignment '%s' is not valid. " , optarg ) ;
2013-12-13 16:37:16 +01:00
n = strv_env_set ( arg_setenv , optarg ) ;
if ( ! n )
return log_oom ( ) ;
2018-05-09 17:34:46 +02:00
strv_free_and_replace ( arg_setenv , n ) ;
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_ENVIRONMENT ;
2013-12-13 16:37:16 +01:00
break ;
}
2014-02-06 00:43:14 +01:00
case ' q ' :
arg_quiet = true ;
break ;
2014-02-10 13:15:42 +01:00
case ARG_SHARE_SYSTEM :
2016-07-27 14:56:17 +02:00
/* We don't officially support this anymore, except for compat reasons. People should use the
2016-08-26 00:08:26 +02:00
* $ SYSTEMD_NSPAWN_SHARE_ * environment variables instead . */
2018-05-12 22:17:38 +02:00
log_warning ( " Please do not use --share-system anymore, use $SYSTEMD_NSPAWN_SHARE_* instead. " ) ;
2016-08-26 00:08:26 +02:00
arg_clone_ns_flags = 0 ;
2014-02-10 13:15:42 +01:00
break ;
2014-02-10 15:36:32 +01:00
case ARG_REGISTER :
r = parse_boolean ( optarg ) ;
if ( r < 0 ) {
log_error ( " Failed to parse --register= argument: %s " , optarg ) ;
return r ;
}
arg_register = r ;
break ;
2014-02-11 17:15:38 +01:00
case ARG_KEEP_UNIT :
arg_keep_unit = true ;
break ;
2014-02-18 23:35:19 +01:00
case ARG_PERSONALITY :
2014-02-19 02:15:24 +01:00
arg_personality = personality_from_string ( optarg ) ;
2018-11-20 23:40:44 +01:00
if ( arg_personality = = PERSONALITY_INVALID )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Unknown or unsupported personality '%s'. " , optarg ) ;
2014-02-18 23:35:19 +01:00
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_PERSONALITY ;
2014-02-18 23:35:19 +01:00
break ;
2014-07-04 03:22:33 +02:00
case ARG_VOLATILE :
if ( ! optarg )
2015-09-06 01:22:14 +02:00
arg_volatile_mode = VOLATILE_YES ;
2018-05-22 12:10:56 +02:00
else if ( streq ( optarg , " help " ) ) {
DUMP_STRING_TABLE ( volatile_mode , VolatileMode , _VOLATILE_MODE_MAX ) ;
return 0 ;
} else {
2015-09-06 01:22:14 +02:00
VolatileMode m ;
2014-07-04 03:22:33 +02:00
2015-09-06 01:22:14 +02:00
m = volatile_mode_from_string ( optarg ) ;
2018-11-20 23:40:44 +01:00
if ( m < 0 )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Failed to parse --volatile= argument: %s " , optarg ) ;
else
2015-09-06 01:22:14 +02:00
arg_volatile_mode = m ;
2015-01-13 13:51:51 +01:00
}
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_VOLATILE_MODE ;
break ;
2015-01-13 13:51:51 +01:00
2015-09-06 01:22:14 +02:00
case ' p ' :
r = expose_port_parse ( & arg_expose_ports , optarg ) ;
if ( r = = - EEXIST )
return log_error_errno ( r , " Duplicate port specification: %s " , optarg ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse host port %s: %m " , optarg ) ;
2015-01-13 13:51:51 +01:00
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_EXPOSE_PORTS ;
2015-01-13 13:51:51 +01:00
break ;
2015-02-18 19:38:55 +01:00
case ARG_PROPERTY :
if ( strv_extend ( & arg_property , optarg ) < 0 )
return log_oom ( ) ;
break ;
2016-10-10 17:12:57 +02:00
case ARG_PRIVATE_USERS : {
int boolean = - 1 ;
2016-04-22 13:02:53 +02:00
2016-10-10 17:12:57 +02:00
if ( ! optarg )
boolean = true ;
else if ( ! in_charset ( optarg , DIGITS ) )
/* do *not* parse numbers as booleans */
boolean = parse_boolean ( optarg ) ;
if ( boolean = = false ) {
2016-04-22 13:02:53 +02:00
/* no: User namespacing off */
arg_userns_mode = USER_NAMESPACE_NO ;
arg_uid_shift = UID_INVALID ;
arg_uid_range = UINT32_C ( 0x10000 ) ;
2016-10-10 17:12:57 +02:00
} else if ( boolean = = true ) {
2016-04-22 13:02:53 +02:00
/* yes: User namespacing on, UID range is read from root dir */
arg_userns_mode = USER_NAMESPACE_FIXED ;
arg_uid_shift = UID_INVALID ;
arg_uid_range = UINT32_C ( 0x10000 ) ;
} else if ( streq ( optarg , " pick " ) ) {
/* pick: User namespacing on, UID range is picked randomly */
arg_userns_mode = USER_NAMESPACE_PICK ;
arg_uid_shift = UID_INVALID ;
arg_uid_range = UINT32_C ( 0x10000 ) ;
} else {
2016-10-10 16:04:31 +02:00
_cleanup_free_ char * buffer = NULL ;
2015-02-19 11:30:18 +01:00
const char * range , * shift ;
2016-04-22 13:02:53 +02:00
/* anything else: User namespacing on, UID range is explicitly configured */
2015-02-19 11:30:18 +01:00
range = strchr ( optarg , ' : ' ) ;
if ( range ) {
2016-10-10 16:04:31 +02:00
buffer = strndup ( optarg , range - optarg ) ;
if ( ! buffer )
return log_oom ( ) ;
shift = buffer ;
2015-02-19 11:30:18 +01:00
range + + ;
2016-10-09 17:44:03 +02:00
r = safe_atou32 ( range , & arg_uid_range ) ;
if ( r < 0 )
2016-10-10 17:22:45 +02:00
return log_error_errno ( r , " Failed to parse UID range \" %s \" : %m " , range ) ;
2015-02-19 11:30:18 +01:00
} else
shift = optarg ;
2016-10-10 17:22:45 +02:00
r = parse_uid ( shift , & arg_uid_shift ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse UID \" %s \" : %m " , optarg ) ;
2016-04-22 13:02:53 +02:00
arg_userns_mode = USER_NAMESPACE_FIXED ;
2015-02-19 11:30:18 +01:00
}
2018-11-20 23:40:44 +01:00
if ( arg_uid_range < = 0 )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" UID range cannot be 0. " ) ;
2016-10-10 17:22:45 +02:00
2016-04-22 13:02:53 +02:00
arg_settings_mask | = SETTING_USERNS ;
2015-02-19 11:30:18 +01:00
break ;
2016-10-10 17:12:57 +02:00
}
2015-02-19 11:30:18 +01:00
2016-04-22 13:02:53 +02:00
case ' U ' :
2016-04-22 14:10:09 +02:00
if ( userns_supported ( ) ) {
arg_userns_mode = USER_NAMESPACE_PICK ;
arg_uid_shift = UID_INVALID ;
arg_uid_range = UINT32_C ( 0x10000 ) ;
arg_settings_mask | = SETTING_USERNS ;
2015-02-19 11:30:18 +01:00
}
2016-04-20 22:53:39 +02:00
break ;
2016-04-22 13:02:53 +02:00
case ARG_PRIVATE_USERS_CHOWN :
2016-04-22 11:47:35 +02:00
arg_userns_chown = true ;
2016-04-22 13:02:53 +02:00
arg_settings_mask | = SETTING_USERNS ;
2015-02-19 11:30:18 +01:00
break ;
2015-02-25 22:04:48 +01:00
case ARG_KILL_SIGNAL :
2018-05-22 12:10:56 +02:00
if ( streq ( optarg , " help " ) ) {
DUMP_STRING_TABLE ( signal , int , _NSIG ) ;
return 0 ;
}
2018-05-03 09:38:57 +02:00
arg_kill_signal = signal_from_string ( optarg ) ;
2018-11-20 23:40:44 +01:00
if ( arg_kill_signal < 0 )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Cannot parse signal: %s " , optarg ) ;
2015-02-25 22:04:48 +01:00
2015-09-06 01:22:14 +02:00
arg_settings_mask | = SETTING_KILL_SIGNAL ;
break ;
case ARG_SETTINGS :
/* no → do not read files
* yes → read files , do not override cmdline , trust only subset
* override → read files , override cmdline , trust only subset
* trusted → read files , do not override cmdline , trust all
*/
r = parse_boolean ( optarg ) ;
if ( r < 0 ) {
if ( streq ( optarg , " trusted " ) ) {
mask_all_settings = false ;
mask_no_settings = false ;
arg_settings_trusted = true ;
} else if ( streq ( optarg , " override " ) ) {
mask_all_settings = false ;
mask_no_settings = true ;
arg_settings_trusted = - 1 ;
} else
return log_error_errno ( r , " Failed to parse --settings= argument: %s " , optarg ) ;
} else if ( r > 0 ) {
/* yes */
mask_all_settings = false ;
mask_no_settings = false ;
arg_settings_trusted = - 1 ;
} else {
/* no */
mask_all_settings = true ;
mask_no_settings = false ;
arg_settings_trusted = false ;
}
2015-02-25 22:04:48 +01:00
break ;
2016-02-02 01:52:01 +01:00
case ARG_CHDIR :
2018-11-20 23:40:44 +01:00
if ( ! path_is_absolute ( optarg ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Working directory %s is not an absolute path. " , optarg ) ;
2016-02-02 01:52:01 +01:00
r = free_and_strdup ( & arg_chdir , optarg ) ;
if ( r < 0 )
return log_oom ( ) ;
arg_settings_mask | = SETTING_WORKING_DIRECTORY ;
break ;
2017-02-08 16:54:31 +01:00
case ARG_PIVOT_ROOT :
r = pivot_root_parse ( & arg_pivot_root_new , & arg_pivot_root_old , optarg ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse --pivot-root= argument %s: %m " , optarg ) ;
arg_settings_mask | = SETTING_PIVOT_ROOT ;
break ;
2016-06-10 13:09:06 +02:00
case ARG_NOTIFY_READY :
r = parse_boolean ( optarg ) ;
2018-11-20 23:40:44 +01:00
if ( r < 0 )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" %s is not a valid notify mode. Valid modes are: yes, no, and ready. " , optarg ) ;
2016-06-10 13:09:06 +02:00
arg_notify_ready = r ;
arg_settings_mask | = SETTING_NOTIFY_READY ;
break ;
2016-12-07 18:28:13 +01:00
case ARG_ROOT_HASH : {
2020-09-15 22:09:08 +02:00
_cleanup_free_ void * k = NULL ;
2016-12-07 18:28:13 +01:00
size_t l ;
r = unhexmem ( optarg , strlen ( optarg ) , & k , & l ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse root hash: %s " , optarg ) ;
2020-09-15 22:09:08 +02:00
if ( l < sizeof ( sd_id128_t ) )
2019-04-02 14:51:48 +02:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " Root hash must be at least 128bit long: %s " , optarg ) ;
2016-12-07 18:28:13 +01:00
2020-09-15 22:09:08 +02:00
free_and_replace ( arg_verity_settings . root_hash , k ) ;
arg_verity_settings . root_hash_size = l ;
2016-12-07 18:28:13 +01:00
break ;
}
2020-06-02 16:35:58 +02:00
case ARG_ROOT_HASH_SIG : {
char * value ;
2020-09-15 22:09:08 +02:00
size_t l ;
void * p ;
2020-06-02 16:35:58 +02:00
if ( ( value = startswith ( optarg , " base64: " ) ) ) {
r = unbase64mem ( value , strlen ( value ) , & p , & l ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse root hash signature '%s': %m " , optarg ) ;
} else {
2020-09-15 22:09:08 +02:00
r = read_full_file ( optarg , ( char * * ) & p , & l ) ;
2020-06-02 16:35:58 +02:00
if ( r < 0 )
2020-09-15 22:09:08 +02:00
return log_error_errno ( r , " Failed parse root hash signature file '%s': %m " , optarg ) ;
2020-06-02 16:35:58 +02:00
}
2020-09-15 22:09:08 +02:00
free_and_replace ( arg_verity_settings . root_hash_sig , p ) ;
arg_verity_settings . root_hash_sig_size = l ;
2020-06-02 16:35:58 +02:00
break ;
}
2020-09-15 22:09:08 +02:00
case ARG_VERITY_DATA :
r = parse_path_argument_and_warn ( optarg , false , & arg_verity_settings . data_path ) ;
if ( r < 0 )
return r ;
break ;
2017-09-11 17:45:21 +02:00
case ARG_SYSTEM_CALL_FILTER : {
bool negative ;
const char * items ;
negative = optarg [ 0 ] = = ' ~ ' ;
items = negative ? optarg + 1 : optarg ;
for ( ; ; ) {
_cleanup_free_ char * word = NULL ;
r = extract_first_word ( & items , & word , NULL , 0 ) ;
if ( r = = 0 )
break ;
if ( r = = - ENOMEM )
return log_oom ( ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse system call filter: %m " ) ;
if ( negative )
2020-06-23 08:31:16 +02:00
r = strv_extend ( & arg_syscall_deny_list , word ) ;
2017-09-11 17:45:21 +02:00
else
2020-06-23 08:31:16 +02:00
r = strv_extend ( & arg_syscall_allow_list , word ) ;
2017-09-11 17:45:21 +02:00
if ( r < 0 )
return log_oom ( ) ;
}
arg_settings_mask | = SETTING_SYSCALL_FILTER ;
break ;
}
2018-05-07 17:59:18 +02:00
case ARG_RLIMIT : {
const char * eq ;
2019-07-17 10:09:18 +02:00
_cleanup_free_ char * name = NULL ;
2018-05-07 17:59:18 +02:00
int rl ;
2018-05-22 12:10:56 +02:00
if ( streq ( optarg , " help " ) ) {
DUMP_STRING_TABLE ( rlimit , int , _RLIMIT_MAX ) ;
return 0 ;
}
2018-05-07 17:59:18 +02:00
eq = strchr ( optarg , ' = ' ) ;
2018-11-20 23:40:44 +01:00
if ( ! eq )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" --rlimit= expects an '=' assignment. " ) ;
2018-05-07 17:59:18 +02:00
name = strndup ( optarg , eq - optarg ) ;
if ( ! name )
return log_oom ( ) ;
rl = rlimit_from_string_harder ( name ) ;
2018-11-20 23:40:44 +01:00
if ( rl < 0 )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Unknown resource limit: %s " , name ) ;
2018-05-07 17:59:18 +02:00
if ( ! arg_rlimit [ rl ] ) {
arg_rlimit [ rl ] = new0 ( struct rlimit , 1 ) ;
if ( ! arg_rlimit [ rl ] )
return log_oom ( ) ;
}
r = rlimit_parse ( rl , eq + 1 , arg_rlimit [ rl ] ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse resource limit: %s " , eq + 1 ) ;
arg_settings_mask | = SETTING_RLIMIT_FIRST < < rl ;
break ;
}
2018-05-07 21:17:09 +02:00
case ARG_OOM_SCORE_ADJUST :
r = parse_oom_score_adjust ( optarg , & arg_oom_score_adjust ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse --oom-score-adjust= parameter: %s " , optarg ) ;
arg_oom_score_adjust_set = true ;
arg_settings_mask | = SETTING_OOM_SCORE_ADJUST ;
break ;
2018-05-07 21:47:15 +02:00
case ARG_CPU_AFFINITY : {
2019-05-21 08:45:19 +02:00
CPUSet cpuset ;
2018-05-07 21:47:15 +02:00
r = parse_cpu_set ( optarg , & cpuset ) ;
if ( r < 0 )
2019-05-21 08:45:19 +02:00
return log_error_errno ( r , " Failed to parse CPU affinity mask %s: %m " , optarg ) ;
2018-05-07 21:47:15 +02:00
2019-05-21 08:45:19 +02:00
cpu_set_reset ( & arg_cpu_set ) ;
arg_cpu_set = cpuset ;
2018-05-07 21:47:15 +02:00
arg_settings_mask | = SETTING_CPU_AFFINITY ;
break ;
}
2018-05-12 21:50:57 +02:00
case ARG_RESOLV_CONF :
if ( streq ( optarg , " help " ) ) {
DUMP_STRING_TABLE ( resolv_conf_mode , ResolvConfMode , _RESOLV_CONF_MODE_MAX ) ;
return 0 ;
}
arg_resolv_conf = resolv_conf_mode_from_string ( optarg ) ;
2018-11-20 23:40:44 +01:00
if ( arg_resolv_conf < 0 )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Failed to parse /etc/resolv.conf mode: %s " , optarg ) ;
2018-05-12 21:50:57 +02:00
arg_settings_mask | = SETTING_RESOLV_CONF ;
break ;
2018-05-17 05:43:03 +02:00
case ARG_TIMEZONE :
if ( streq ( optarg , " help " ) ) {
DUMP_STRING_TABLE ( timezone_mode , TimezoneMode , _TIMEZONE_MODE_MAX ) ;
return 0 ;
}
arg_timezone = timezone_mode_from_string ( optarg ) ;
2018-11-20 23:40:44 +01:00
if ( arg_timezone < 0 )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Failed to parse /etc/localtime mode: %s " , optarg ) ;
2018-05-17 05:43:03 +02:00
arg_settings_mask | = SETTING_TIMEZONE ;
break ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
case ARG_CONSOLE :
2019-10-23 09:20:46 +02:00
r = handle_arg_console ( optarg ) ;
if ( r < = 0 )
return r ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
break ;
case ' P ' :
case ARG_PIPE :
2019-10-23 09:20:46 +02:00
r = handle_arg_console ( " pipe " ) ;
if ( r < = 0 )
return r ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
break ;
2019-03-21 15:24:50 +01:00
case ARG_NO_PAGER :
arg_pager_flags | = PAGER_DISABLE ;
break ;
2020-07-23 08:47:08 +02:00
case ARG_SET_CREDENTIAL : {
_cleanup_free_ char * word = NULL , * data = NULL ;
const char * p = optarg ;
Credential * a ;
size_t i ;
int l ;
r = extract_first_word ( & p , & word , " : " , EXTRACT_DONT_COALESCE_SEPARATORS ) ;
if ( r = = - ENOMEM )
return log_oom ( ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse --set-credential= parameter: %m " ) ;
if ( r = = 0 | | ! p )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " Missing value for --set-credential=: %s " , optarg ) ;
if ( ! credential_name_valid ( word ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " Credential name is not valid: %s " , word ) ;
for ( i = 0 ; i < arg_n_credentials ; i + + )
if ( streq ( arg_credentials [ i ] . id , word ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EEXIST ) , " Duplicate credential '%s', refusing. " , word ) ;
l = cunescape ( p , UNESCAPE_ACCEPT_NUL , & data ) ;
if ( l < 0 )
return log_error_errno ( l , " Failed to unescape credential data: %s " , p ) ;
a = reallocarray ( arg_credentials , arg_n_credentials + 1 , sizeof ( Credential ) ) ;
if ( ! a )
return log_oom ( ) ;
a [ arg_n_credentials + + ] = ( Credential ) {
. id = TAKE_PTR ( word ) ,
. data = TAKE_PTR ( data ) ,
. size = l ,
} ;
arg_credentials = a ;
arg_settings_mask | = SETTING_CREDENTIALS ;
break ;
}
case ARG_LOAD_CREDENTIAL : {
ReadFullFileFlags flags = READ_FULL_FILE_SECURE ;
_cleanup_ ( erase_and_freep ) char * data = NULL ;
_cleanup_free_ char * word = NULL , * j = NULL ;
const char * p = optarg ;
Credential * a ;
size_t size , i ;
r = extract_first_word ( & p , & word , " : " , EXTRACT_DONT_COALESCE_SEPARATORS ) ;
if ( r = = - ENOMEM )
return log_oom ( ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to parse --set-credential= parameter: %m " ) ;
if ( r = = 0 | | ! p )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " Missing value for --set-credential=: %s " , optarg ) ;
if ( ! credential_name_valid ( word ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " Credential name is not valid: %s " , word ) ;
for ( i = 0 ; i < arg_n_credentials ; i + + )
if ( streq ( arg_credentials [ i ] . id , word ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EEXIST ) , " Duplicate credential '%s', refusing. " , word ) ;
if ( path_is_absolute ( p ) )
flags | = READ_FULL_FILE_CONNECT_SOCKET ;
else {
const char * e ;
e = getenv ( " CREDENTIALS_DIRECTORY " ) ;
if ( ! e )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " Credential not available (no credentials passed at all): %s " , word ) ;
j = path_join ( e , p ) ;
if ( ! j )
return log_oom ( ) ;
}
2020-11-04 20:25:06 +01:00
r = read_full_file_full ( AT_FDCWD , j ? : p , UINT64_MAX , SIZE_MAX ,
flags ,
NULL ,
& data , & size ) ;
2020-07-23 08:47:08 +02:00
if ( r < 0 )
return log_error_errno ( r , " Failed to read credential '%s': %m " , j ? : p ) ;
a = reallocarray ( arg_credentials , arg_n_credentials + 1 , sizeof ( Credential ) ) ;
if ( ! a )
return log_oom ( ) ;
a [ arg_n_credentials + + ] = ( Credential ) {
. id = TAKE_PTR ( word ) ,
. data = TAKE_PTR ( data ) ,
. size = size ,
} ;
arg_credentials = a ;
arg_settings_mask | = SETTING_CREDENTIALS ;
break ;
}
2011-03-14 02:40:36 +01:00
case ' ? ' :
return - EINVAL ;
default :
2013-11-06 18:28:39 +01:00
assert_not_reached ( " Unhandled option " ) ;
2011-03-14 02:40:36 +01:00
}
2018-12-06 22:00:00 +01:00
if ( argc > optind ) {
strv_free ( arg_parameters ) ;
arg_parameters = strv_copy ( argv + optind ) ;
if ( ! arg_parameters )
return log_oom ( ) ;
2017-11-24 18:22:17 +01:00
2018-12-06 22:00:00 +01:00
arg_settings_mask | = SETTING_START_MODE ;
}
if ( arg_ephemeral & & arg_template & & ! arg_directory )
/* User asked for ephemeral execution but specified --template= instead of --directory=. Semantically
* such an invocation makes some sense , see https : //github.com/systemd/systemd/issues/3667. Let's
* accept this here , and silently make " --ephemeral --template= " equivalent to " --ephemeral
* - - directory = " . */
arg_directory = TAKE_PTR ( arg_template ) ;
2019-03-08 12:10:16 +01:00
arg_caps_retain = ( arg_caps_retain | plus | ( arg_private_network ? UINT64_C ( 1 ) < < CAP_NET_ADMIN : 0 ) ) & ~ minus ;
2018-12-06 22:00:00 +01:00
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
/* Make sure to parse environment before we reset the settings mask below */
2019-09-27 13:58:06 +02:00
r = parse_environment ( ) ;
if ( r < 0 )
return r ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
2018-12-06 22:00:00 +01:00
/* Load all settings from .nspawn files */
if ( mask_no_settings )
arg_settings_mask = 0 ;
/* Don't load any settings from .nspawn files */
if ( mask_all_settings )
arg_settings_mask = _SETTINGS_MASK_ALL ;
return 1 ;
}
static int verify_arguments ( void ) {
int r ;
2016-07-27 14:56:17 +02:00
2019-09-27 14:51:53 +02:00
if ( arg_start_mode = = START_PID2 & & arg_unified_cgroup_hierarchy = = CGROUP_UNIFIED_UNKNOWN ) {
/* If we are running the stub init in the container, we don't need to look at what the init
* in the container supports , because we are not using it . Let ' s immediately pick the right
* setting based on the host system configuration .
*
* We only do this , if the user didn ' t use an environment variable to override the detection .
*/
r = cg_all_unified ( ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to determine whether we are in all unified mode. " ) ;
if ( r > 0 )
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_ALL ;
else if ( cg_unified_controller ( SYSTEMD_CGROUP_CONTROLLER ) > 0 )
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_SYSTEMD ;
else
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_NONE ;
}
2016-10-14 14:00:15 +02:00
if ( arg_userns_mode ! = USER_NAMESPACE_NO )
arg_mount_settings | = MOUNT_USE_USERNS ;
if ( arg_private_network )
arg_mount_settings | = MOUNT_APPLY_APIVFS_NETNS ;
2016-09-24 14:30:42 +02:00
if ( ! ( arg_clone_ns_flags & CLONE_NEWPID ) | |
! ( arg_clone_ns_flags & CLONE_NEWUTS ) ) {
2014-02-10 15:36:32 +01:00
arg_register = false ;
2018-11-20 23:40:44 +01:00
if ( arg_start_mode ! = START_PID1 )
2018-12-06 22:00:00 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " --boot cannot be used without namespacing. " ) ;
2016-08-26 00:08:26 +02:00
}
2014-02-10 15:36:32 +01:00
2016-04-22 13:02:53 +02:00
if ( arg_userns_mode = = USER_NAMESPACE_PICK )
2016-04-22 11:28:09 +02:00
arg_userns_chown = true ;
2018-12-06 22:00:00 +01:00
if ( arg_start_mode = = START_BOOT & & arg_kill_signal < = 0 )
arg_kill_signal = SIGRTMIN + 3 ;
2018-12-21 23:37:00 +01:00
if ( arg_volatile_mode ! = VOLATILE_NO ) /* Make sure all file systems contained in the image are mounted read-only if we are in volatile mode */
arg_read_only = true ;
2019-12-24 11:40:03 +01:00
if ( has_custom_root_mount ( arg_custom_mounts , arg_n_custom_mounts ) )
arg_read_only = true ;
2018-11-20 23:40:44 +01:00
if ( arg_keep_unit & & arg_register & & cg_pid_get_owner_uid ( 0 , NULL ) > = 0 )
2017-09-17 15:53:14 +02:00
/* Save the user from accidentally registering either user-$SESSION.scope or user@.service.
* The latter is not technically a user session , but we don ' t need to labour the point . */
2018-12-06 22:00:00 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " --keep-unit --register=yes may not be used when invoked from a user session. " ) ;
2014-02-11 17:15:38 +01:00
2018-11-20 23:40:44 +01:00
if ( arg_directory & & arg_image )
2018-12-06 22:00:00 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " --directory= and --image= may not be combined. " ) ;
2014-03-10 20:35:52 +01:00
2018-11-20 23:40:44 +01:00
if ( arg_template & & arg_image )
2018-12-06 22:00:00 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " --template= and --image= may not be combined. " ) ;
2016-11-25 01:00:31 +01:00
2018-11-20 23:40:44 +01:00
if ( arg_template & & ! ( arg_directory | | arg_machine ) )
2018-12-06 22:00:00 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " --template= needs --directory= or --machine=. " ) ;
2014-12-12 03:50:59 +01:00
2018-11-20 23:40:44 +01:00
if ( arg_ephemeral & & arg_template )
2018-12-06 22:00:00 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " --ephemeral and --template= may not be combined. " ) ;
2014-12-12 03:50:59 +01:00
2018-11-20 23:40:44 +01:00
if ( arg_ephemeral & & ! IN_SET ( arg_link_journal , LINK_NO , LINK_AUTO ) )
2018-12-06 22:00:00 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " --ephemeral and --link-journal= may not be combined. " ) ;
2014-12-12 16:58:57 +01:00
2018-11-20 23:40:44 +01:00
if ( arg_userns_mode ! = USER_NAMESPACE_NO & & ! userns_supported ( ) )
2018-12-06 22:00:00 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EOPNOTSUPP ) , " --private-users= is not supported, kernel compiled without user namespace support. " ) ;
2016-04-20 22:53:39 +02:00
2018-11-20 23:40:44 +01:00
if ( arg_userns_chown & & arg_read_only )
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" --read-only and --private-users-chown may not be combined. " ) ;
2015-09-06 01:22:14 +02:00
2018-12-21 23:37:00 +01:00
/* We don't support --private-users-chown together with any of the volatile modes since we couldn't
* change the read - only part of the tree ( i . e . / usr ) anyway , or because it would trigger a massive
2019-04-27 02:22:40 +02:00
* copy - up ( in case of overlay ) making the entire exercise pointless . */
2018-12-21 23:37:00 +01:00
if ( arg_userns_chown & & arg_volatile_mode ! = VOLATILE_NO )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " --volatile= and --private-users-chown may not be combined. " ) ;
2019-12-08 20:00:01 +01:00
/* If --network-namespace-path is given with any other network-related option (except --private-network),
* we need to error out , to avoid conflicts between different network options . */
2018-12-06 22:00:00 +01:00
if ( arg_network_namespace_path & &
( arg_network_interfaces | | arg_network_macvlan | |
arg_network_ipvlan | | arg_network_veth_extra | |
arg_network_bridge | | arg_network_zone | |
2019-12-08 20:00:01 +01:00
arg_network_veth ) )
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " --network-namespace-path= cannot be combined with other network options. " ) ;
2016-11-30 16:02:47 +01:00
2018-12-06 22:00:00 +01:00
if ( arg_network_bridge & & arg_network_zone )
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" --network-bridge= and --network-zone= may not be combined. " ) ;
2015-09-06 01:22:14 +02:00
2018-11-20 23:40:44 +01:00
if ( arg_userns_mode ! = USER_NAMESPACE_NO & & ( arg_mount_settings & MOUNT_APPLY_APIVFS_NETNS ) & & ! arg_private_network )
2018-12-06 22:00:00 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " Invalid namespacing settings. Mounting sysfs with --private-users requires --private-network. " ) ;
2016-10-14 14:00:15 +02:00
2018-11-20 23:40:44 +01:00
if ( arg_userns_mode ! = USER_NAMESPACE_NO & & ! ( arg_mount_settings & MOUNT_APPLY_APIVFS_RO ) )
2018-12-06 22:00:00 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " Cannot combine --private-users with read-write mounts. " ) ;
2015-09-06 01:22:14 +02:00
2018-11-20 23:40:44 +01:00
if ( arg_expose_ports & & ! arg_private_network )
2018-12-06 22:00:00 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " Cannot use --port= without private networking. " ) ;
2015-01-13 13:51:51 +01:00
2017-10-03 10:41:51 +02:00
# if ! HAVE_LIBIPTC
2018-11-20 23:40:44 +01:00
if ( arg_expose_ports )
2018-12-06 22:00:00 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EOPNOTSUPP ) , " --port= is not supported, compiled without libiptc support. " ) ;
2016-03-17 22:06:17 +01:00
# endif
2020-12-04 11:27:12 +01:00
if ( arg_caps_ambient ) {
if ( arg_caps_ambient = = ( uint64_t ) - 1 )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " AmbientCapability= does not support the value all. " ) ;
if ( ( arg_caps_ambient & arg_caps_retain ) ! = arg_caps_ambient )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " AmbientCapability= setting is not fully covered by Capability= setting. " ) ;
if ( arg_start_mode = = START_BOOT )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " AmbientCapability= setting is not useful for boot mode. " ) ;
}
2018-12-06 22:00:00 +01:00
r = custom_mount_check_all ( ) ;
if ( r < 0 )
return r ;
2015-02-25 22:04:48 +01:00
2015-09-06 01:22:14 +02:00
return 0 ;
2011-03-14 02:40:36 +01:00
}
2015-05-21 16:30:58 +02:00
static int userns_lchown ( const char * p , uid_t uid , gid_t gid ) {
assert ( p ) ;
2016-04-22 13:02:53 +02:00
if ( arg_userns_mode = = USER_NAMESPACE_NO )
2015-05-21 16:30:58 +02:00
return 0 ;
if ( uid = = UID_INVALID & & gid = = GID_INVALID )
return 0 ;
if ( uid ! = UID_INVALID ) {
uid + = arg_uid_shift ;
if ( uid < arg_uid_shift | | uid > = arg_uid_shift + arg_uid_range )
return - EOVERFLOW ;
}
if ( gid ! = GID_INVALID ) {
gid + = ( gid_t ) arg_uid_shift ;
if ( gid < ( gid_t ) arg_uid_shift | | gid > = ( gid_t ) ( arg_uid_shift + arg_uid_range ) )
return - EOVERFLOW ;
}
if ( lchown ( p , uid , gid ) < 0 )
return - errno ;
2014-12-30 01:57:23 +01:00
return 0 ;
}
2015-05-21 16:30:58 +02:00
static int userns_mkdir ( const char * root , const char * path , mode_t mode , uid_t uid , gid_t gid ) {
const char * q ;
2017-12-15 17:08:13 +01:00
int r ;
2015-05-21 16:30:58 +02:00
q = prefix_roota ( root , path ) ;
2017-12-15 17:08:13 +01:00
r = mkdir_errno_wrapper ( q , mode ) ;
if ( r = = - EEXIST )
return 0 ;
if ( r < 0 )
return r ;
2015-05-21 16:30:58 +02:00
return userns_lchown ( q , uid , gid ) ;
}
2018-05-17 05:43:03 +02:00
static const char * timezone_from_path ( const char * path ) {
2018-11-23 16:51:53 +01:00
return PATH_STARTSWITH_SET (
path ,
" ../usr/share/zoneinfo/ " ,
" /usr/share/zoneinfo/ " ) ;
2018-05-17 05:43:03 +02:00
}
2018-12-21 23:33:44 +01:00
static bool etc_writable ( void ) {
return ! arg_read_only | | IN_SET ( arg_volatile_mode , VOLATILE_YES , VOLATILE_OVERLAY ) ;
}
2012-04-13 16:51:33 +02:00
static int setup_timezone ( const char * dest ) {
2018-05-17 05:43:03 +02:00
_cleanup_free_ char * p = NULL , * etc = NULL ;
const char * where , * check ;
TimezoneMode m ;
2012-09-21 16:54:54 +02:00
int r ;
2011-09-23 01:44:36 +02:00
2012-04-13 16:51:33 +02:00
assert ( dest ) ;
2018-05-17 05:43:03 +02:00
if ( IN_SET ( arg_timezone , TIMEZONE_AUTO , TIMEZONE_SYMLINK ) ) {
r = readlink_malloc ( " /etc/localtime " , & p ) ;
if ( r = = - ENOENT & & arg_timezone = = TIMEZONE_AUTO )
2018-12-21 23:33:44 +01:00
m = etc_writable ( ) ? TIMEZONE_DELETE : TIMEZONE_OFF ;
2018-05-17 05:43:03 +02:00
else if ( r = = - EINVAL & & arg_timezone = = TIMEZONE_AUTO ) /* regular file? */
2018-12-21 23:33:44 +01:00
m = etc_writable ( ) ? TIMEZONE_COPY : TIMEZONE_BIND ;
2018-05-17 05:43:03 +02:00
else if ( r < 0 ) {
log_warning_errno ( r , " Failed to read host's /etc/localtime symlink, not updating container timezone: %m " ) ;
/* To handle warning, delete /etc/localtime and replace it with a symbolic link to a time zone data
* file .
*
* Example :
* ln - s / usr / share / zoneinfo / UTC / etc / localtime
*/
return 0 ;
} else if ( arg_timezone = = TIMEZONE_AUTO )
2018-12-21 23:33:44 +01:00
m = etc_writable ( ) ? TIMEZONE_SYMLINK : TIMEZONE_BIND ;
2018-05-17 05:43:03 +02:00
else
m = arg_timezone ;
} else
m = arg_timezone ;
if ( m = = TIMEZONE_OFF )
return 0 ;
2019-10-24 10:33:20 +02:00
r = chase_symlinks ( " /etc " , dest , CHASE_PREFIX_ROOT , & etc , NULL ) ;
2012-09-21 16:54:54 +02:00
if ( r < 0 ) {
2018-05-17 05:43:03 +02:00
log_warning_errno ( r , " Failed to resolve /etc path in container, ignoring: %m " ) ;
2012-09-21 16:54:54 +02:00
return 0 ;
}
2018-05-17 05:43:03 +02:00
where = strjoina ( etc , " /localtime " ) ;
switch ( m ) {
case TIMEZONE_DELETE :
if ( unlink ( where ) < 0 )
log_full_errno ( errno = = ENOENT ? LOG_DEBUG : LOG_WARNING , errno , " Failed to remove '%s', ignoring: %m " , where ) ;
2012-09-21 16:54:54 +02:00
return 0 ;
2018-05-17 05:43:03 +02:00
case TIMEZONE_SYMLINK : {
_cleanup_free_ char * q = NULL ;
const char * z , * what ;
2012-03-15 00:45:02 +01:00
2018-05-17 05:43:03 +02:00
z = timezone_from_path ( p ) ;
if ( ! z ) {
log_warning ( " /etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone. " ) ;
2012-09-21 16:54:54 +02:00
return 0 ;
2018-05-17 05:43:03 +02:00
}
2012-09-21 16:54:54 +02:00
2018-05-17 05:43:03 +02:00
r = readlink_malloc ( where , & q ) ;
if ( r > = 0 & & streq_ptr ( timezone_from_path ( q ) , z ) )
return 0 ; /* Already pointing to the right place? Then do nothing .. */
check = strjoina ( dest , " /usr/share/zoneinfo/ " , z ) ;
2019-10-24 10:33:20 +02:00
r = chase_symlinks ( check , dest , 0 , NULL , NULL ) ;
2018-05-17 05:43:03 +02:00
if ( r < 0 )
log_debug_errno ( r , " Timezone %s does not exist (or is not accessible) in container, not creating symlink: %m " , z ) ;
else {
if ( unlink ( where ) < 0 & & errno ! = ENOENT ) {
log_full_errno ( IN_SET ( errno , EROFS , EACCES , EPERM ) ? LOG_DEBUG : LOG_WARNING , /* Don't complain on read-only images */
errno , " Failed to remove existing timezone info %s in container, ignoring: %m " , where ) ;
return 0 ;
}
what = strjoina ( " ../usr/share/zoneinfo/ " , z ) ;
if ( symlink ( what , where ) < 0 ) {
log_full_errno ( IN_SET ( errno , EROFS , EACCES , EPERM ) ? LOG_DEBUG : LOG_WARNING ,
errno , " Failed to correct timezone of container, ignoring: %m " ) ;
return 0 ;
}
break ;
}
_fallthrough_ ;
2012-09-21 16:54:54 +02:00
}
2012-04-12 12:58:08 +02:00
2018-05-17 05:43:03 +02:00
case TIMEZONE_BIND : {
_cleanup_free_ char * resolved = NULL ;
int found ;
2019-10-24 10:33:20 +02:00
found = chase_symlinks ( where , dest , CHASE_NONEXISTENT , & resolved , NULL ) ;
2018-05-17 05:43:03 +02:00
if ( found < 0 ) {
log_warning_errno ( found , " Failed to resolve /etc/localtime path in container, ignoring: %m " ) ;
return 0 ;
}
if ( found = = 0 ) /* missing? */
( void ) touch ( resolved ) ;
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_WARNING , " /etc/localtime " , resolved , NULL , MS_BIND , NULL ) ;
2018-05-17 05:43:03 +02:00
if ( r > = 0 )
2020-09-22 15:51:17 +02:00
return mount_nofollow_verbose ( LOG_ERR , NULL , resolved , NULL , MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NODEV , NULL ) ;
2018-05-17 05:43:03 +02:00
_fallthrough_ ;
2014-09-25 18:49:56 +02:00
}
2014-07-04 03:22:33 +02:00
2018-05-17 05:43:03 +02:00
case TIMEZONE_COPY :
/* If mounting failed, try to copy */
2019-03-28 17:54:04 +01:00
r = copy_file_atomic ( " /etc/localtime " , where , 0644 , 0 , 0 , COPY_REFLINK | COPY_REPLACE ) ;
2018-05-17 05:43:03 +02:00
if ( r < 0 ) {
log_full_errno ( IN_SET ( r , - EROFS , - EACCES , - EPERM ) ? LOG_DEBUG : LOG_WARNING , r ,
" Failed to copy /etc/localtime to %s, ignoring: %m " , where ) ;
return 0 ;
}
break ;
default :
assert_not_reached ( " unexpected mode " ) ;
2012-09-21 16:54:54 +02:00
}
2012-04-13 16:51:33 +02:00
2018-05-17 05:43:03 +02:00
/* Fix permissions of the symlink or file copy we just created */
2015-05-21 16:30:58 +02:00
r = userns_lchown ( where , 0 , 0 ) ;
if ( r < 0 )
2018-05-17 05:43:03 +02:00
log_warning_errno ( r , " Failed to chown /etc/localtime, ignoring: %m " ) ;
2015-05-21 16:30:58 +02:00
2012-04-13 16:51:33 +02:00
return 0 ;
2011-03-14 02:40:36 +01:00
}
2018-05-12 21:50:57 +02:00
static int have_resolv_conf ( const char * path ) {
assert ( path ) ;
if ( access ( path , F_OK ) < 0 ) {
if ( errno = = ENOENT )
return 0 ;
return log_debug_errno ( errno , " Failed to determine whether '%s' is available: %m " , path ) ;
}
return 1 ;
}
2017-03-08 21:45:03 +01:00
static int resolved_listening ( void ) {
2018-05-12 21:51:20 +02:00
_cleanup_ ( sd_bus_error_free ) sd_bus_error error = SD_BUS_ERROR_NULL ;
2017-02-16 17:56:10 +01:00
_cleanup_ ( sd_bus_flush_close_unrefp ) sd_bus * bus = NULL ;
2017-03-08 21:45:03 +01:00
_cleanup_free_ char * dns_stub_listener_mode = NULL ;
2017-02-16 17:56:10 +01:00
int r ;
2017-03-08 21:45:03 +01:00
/* Check if resolved is listening */
2017-02-16 17:56:10 +01:00
r = sd_bus_open_system ( & bus ) ;
if ( r < 0 )
2018-05-12 21:51:20 +02:00
return log_debug_errno ( r , " Failed to open system bus: %m " ) ;
2017-02-16 17:56:10 +01:00
2017-03-08 21:45:03 +01:00
r = bus_name_has_owner ( bus , " org.freedesktop.resolve1 " , NULL ) ;
2018-05-12 21:51:20 +02:00
if ( r < 0 )
return log_debug_errno ( r , " Failed to check whether the 'org.freedesktop.resolve1' bus name is taken: %m " ) ;
if ( r = = 0 )
return 0 ;
2017-03-08 21:45:03 +01:00
r = sd_bus_get_property_string ( bus ,
" org.freedesktop.resolve1 " ,
" /org/freedesktop/resolve1 " ,
" org.freedesktop.resolve1.Manager " ,
" DNSStubListener " ,
2018-05-12 21:51:20 +02:00
& error ,
2017-03-08 21:45:03 +01:00
& dns_stub_listener_mode ) ;
if ( r < 0 )
2018-05-12 21:51:20 +02:00
return log_debug_errno ( r , " Failed to query DNSStubListener property: %s " , bus_error_message ( & error , r ) ) ;
2017-03-08 21:45:03 +01:00
return STR_IN_SET ( dns_stub_listener_mode , " udp " , " yes " ) ;
2017-02-16 17:56:10 +01:00
}
2012-04-25 15:08:00 +02:00
static int setup_resolv_conf ( const char * dest ) {
2018-05-12 21:50:57 +02:00
_cleanup_free_ char * etc = NULL ;
const char * where , * what ;
ResolvConfMode m ;
int r ;
2012-04-25 15:08:00 +02:00
assert ( dest ) ;
2018-05-12 21:50:57 +02:00
if ( arg_resolv_conf = = RESOLV_CONF_AUTO ) {
if ( arg_private_network )
m = RESOLV_CONF_OFF ;
2020-04-21 18:33:23 +02:00
else if ( have_resolv_conf ( PRIVATE_STUB_RESOLV_CONF ) > 0 & & resolved_listening ( ) > 0 )
m = etc_writable ( ) ? RESOLV_CONF_COPY_STUB : RESOLV_CONF_BIND_STUB ;
2018-05-12 21:50:57 +02:00
else if ( have_resolv_conf ( " /etc/resolv.conf " ) > 0 )
2018-12-21 23:33:44 +01:00
m = etc_writable ( ) ? RESOLV_CONF_COPY_HOST : RESOLV_CONF_BIND_HOST ;
2018-05-12 21:50:57 +02:00
else
2018-12-21 23:33:44 +01:00
m = etc_writable ( ) ? RESOLV_CONF_DELETE : RESOLV_CONF_OFF ;
2020-04-21 18:33:23 +02:00
2018-05-12 21:50:57 +02:00
} else
m = arg_resolv_conf ;
if ( m = = RESOLV_CONF_OFF )
2012-04-25 15:08:00 +02:00
return 0 ;
2019-10-24 10:33:20 +02:00
r = chase_symlinks ( " /etc " , dest , CHASE_PREFIX_ROOT , & etc , NULL ) ;
2016-12-21 00:44:00 +01:00
if ( r < 0 ) {
log_warning_errno ( r , " Failed to resolve /etc path in container, ignoring: %m " ) ;
return 0 ;
}
where = strjoina ( etc , " /resolv.conf " ) ;
2018-05-12 21:50:57 +02:00
if ( m = = RESOLV_CONF_DELETE ) {
if ( unlink ( where ) < 0 )
log_full_errno ( errno = = ENOENT ? LOG_DEBUG : LOG_WARNING , errno , " Failed to remove '%s', ignoring: %m " , where ) ;
2016-12-21 00:44:00 +01:00
return 0 ;
}
2014-09-25 18:49:56 +02:00
2020-04-21 18:33:23 +02:00
if ( IN_SET ( m , RESOLV_CONF_BIND_STATIC , RESOLV_CONF_REPLACE_STATIC , RESOLV_CONF_COPY_STATIC ) )
what = PRIVATE_STATIC_RESOLV_CONF ;
else if ( IN_SET ( m , RESOLV_CONF_BIND_UPLINK , RESOLV_CONF_REPLACE_UPLINK , RESOLV_CONF_COPY_UPLINK ) )
what = PRIVATE_UPLINK_RESOLV_CONF ;
else if ( IN_SET ( m , RESOLV_CONF_BIND_STUB , RESOLV_CONF_REPLACE_STUB , RESOLV_CONF_COPY_STUB ) )
what = PRIVATE_STUB_RESOLV_CONF ;
2018-05-12 21:50:57 +02:00
else
what = " /etc/resolv.conf " ;
2016-12-21 00:44:00 +01:00
2020-04-21 18:33:23 +02:00
if ( IN_SET ( m , RESOLV_CONF_BIND_HOST , RESOLV_CONF_BIND_STATIC , RESOLV_CONF_BIND_UPLINK , RESOLV_CONF_BIND_STUB ) ) {
2018-05-12 21:50:57 +02:00
_cleanup_free_ char * resolved = NULL ;
int found ;
2019-10-24 10:33:20 +02:00
found = chase_symlinks ( where , dest , CHASE_NONEXISTENT , & resolved , NULL ) ;
2018-05-12 21:50:57 +02:00
if ( found < 0 ) {
log_warning_errno ( found , " Failed to resolve /etc/resolv.conf path in container, ignoring: %m " ) ;
return 0 ;
}
2016-07-27 14:50:45 +02:00
2016-12-21 00:44:00 +01:00
if ( found = = 0 ) /* missing? */
( void ) touch ( resolved ) ;
2016-12-07 21:36:39 +01:00
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_WARNING , what , resolved , NULL , MS_BIND , NULL ) ;
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
if ( r > = 0 )
2020-09-22 15:51:17 +02:00
return mount_nofollow_verbose ( LOG_ERR , NULL , resolved , NULL , MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NODEV , NULL ) ;
2020-04-21 18:33:23 +02:00
/* If that didn't work, let's copy the file */
2016-07-27 14:50:45 +02:00
}
2020-04-21 18:33:23 +02:00
if ( IN_SET ( m , RESOLV_CONF_REPLACE_HOST , RESOLV_CONF_REPLACE_STATIC , RESOLV_CONF_REPLACE_UPLINK , RESOLV_CONF_REPLACE_STUB ) )
r = copy_file_atomic ( what , where , 0644 , 0 , 0 , COPY_REFLINK | COPY_REPLACE ) ;
else
r = copy_file ( what , where , O_TRUNC | O_NOFOLLOW , 0644 , 0 , 0 , COPY_REFLINK ) ;
2014-09-25 18:49:56 +02:00
if ( r < 0 ) {
2016-07-27 14:50:45 +02:00
/* If the file already exists as symlink, let's suppress the warning, under the assumption that
* resolved or something similar runs inside and the symlink points there .
2015-06-18 19:42:59 +02:00
*
2016-07-27 14:50:45 +02:00
* If the disk image is read - only , there ' s also no point in complaining .
2015-06-18 19:42:59 +02:00
*/
2020-04-21 18:33:23 +02:00
log_full_errno ( ! IN_SET ( RESOLV_CONF_COPY_HOST , RESOLV_CONF_COPY_STATIC , RESOLV_CONF_COPY_UPLINK , RESOLV_CONF_COPY_STUB ) & &
IN_SET ( r , - ELOOP , - EROFS , - EACCES , - EPERM ) ? LOG_DEBUG : LOG_WARNING , r ,
2016-07-27 14:50:45 +02:00
" Failed to copy /etc/resolv.conf to %s, ignoring: %m " , where ) ;
2014-09-25 18:49:56 +02:00
return 0 ;
}
2012-04-25 15:08:00 +02:00
2015-05-21 16:30:58 +02:00
r = userns_lchown ( where , 0 , 0 ) ;
if ( r < 0 )
2016-07-27 14:50:45 +02:00
log_warning_errno ( r , " Failed to chown /etc/resolv.conf, ignoring: %m " ) ;
2015-05-21 16:30:58 +02:00
2012-04-25 15:08:00 +02:00
return 0 ;
}
2018-05-02 10:03:31 +02:00
static int setup_boot_id ( void ) {
2018-04-30 21:20:50 +02:00
_cleanup_ ( unlink_and_freep ) char * from = NULL ;
_cleanup_free_ char * path = NULL ;
2016-07-21 16:06:31 +02:00
sd_id128_t rnd = SD_ID128_NULL ;
2018-04-30 21:20:50 +02:00
const char * to ;
2012-09-05 23:39:16 +02:00
int r ;
2019-04-05 18:14:43 +02:00
/* Generate a new randomized boot ID, so that each boot-up of the container gets a new one */
2012-09-05 23:39:16 +02:00
2019-04-05 18:14:43 +02:00
r = tempfn_random_child ( " /run " , " proc-sys-kernel-random-boot-id " , & path ) ;
2018-04-30 21:20:50 +02:00
if ( r < 0 )
return log_error_errno ( r , " Failed to generate random boot ID path: %m " ) ;
2012-09-05 23:39:16 +02:00
r = sd_id128_randomize ( & rnd ) ;
2014-11-28 18:50:43 +01:00
if ( r < 0 )
return log_error_errno ( r , " Failed to generate random boot id: %m " ) ;
2012-09-05 23:39:16 +02:00
2018-04-30 21:20:50 +02:00
r = id128_write ( path , ID128_UUID , rnd , false ) ;
2014-11-28 18:50:43 +01:00
if ( r < 0 )
return log_error_errno ( r , " Failed to write boot id: %m " ) ;
2012-09-05 23:39:16 +02:00
2018-04-30 21:20:50 +02:00
from = TAKE_PTR ( path ) ;
to = " /proc/sys/kernel/random/boot_id " ;
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_ERR , from , to , NULL , MS_BIND , NULL ) ;
2018-04-30 21:20:50 +02:00
if ( r < 0 )
return r ;
2012-09-05 23:39:16 +02:00
2020-09-22 15:51:17 +02:00
return mount_nofollow_verbose ( LOG_ERR , NULL , to , NULL , MS_BIND | MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV , NULL ) ;
2012-09-05 23:39:16 +02:00
}
2012-04-13 16:51:33 +02:00
static int copy_devnodes ( const char * dest ) {
2011-03-14 02:40:36 +01:00
static const char devnodes [ ] =
" null \0 "
" zero \0 "
" full \0 "
" random \0 "
" urandom \0 "
2014-10-08 15:01:07 +02:00
" tty \0 "
" net/tun \0 " ;
2011-03-14 02:40:36 +01:00
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
_cleanup_umask_ mode_t u ;
2011-03-14 02:40:36 +01:00
const char * d ;
2012-04-13 16:51:33 +02:00
int r = 0 ;
2011-03-16 02:57:52 +01:00
assert ( dest ) ;
2011-03-14 03:28:00 +01:00
u = umask ( 0000 ) ;
2011-03-14 02:40:36 +01:00
2015-05-21 16:30:58 +02:00
/* Create /dev/net, so that we can create /dev/net/tun in it */
if ( userns_mkdir ( dest , " /dev/net " , 0755 , 0 , 0 ) < 0 )
return log_error_errno ( r , " Failed to create /dev/net directory: %m " ) ;
2011-03-14 02:40:36 +01:00
NULSTR_FOREACH ( d , devnodes ) {
2013-04-18 09:11:22 +02:00
_cleanup_free_ char * from = NULL , * to = NULL ;
2014-01-20 19:54:51 +01:00
struct stat st ;
2011-03-14 02:40:36 +01:00
2019-06-19 15:20:13 +02:00
from = path_join ( " /dev/ " , d ) ;
2018-08-02 17:57:56 +02:00
if ( ! from )
return log_oom ( ) ;
2019-06-19 15:20:13 +02:00
to = path_join ( dest , from ) ;
2018-08-02 17:57:56 +02:00
if ( ! to )
return log_oom ( ) ;
2011-03-14 02:40:36 +01:00
if ( stat ( from , & st ) < 0 ) {
2014-11-28 19:57:32 +01:00
if ( errno ! = ENOENT )
return log_error_errno ( errno , " Failed to stat %s: %m " , from ) ;
2011-03-14 02:40:36 +01:00
2018-11-20 23:40:44 +01:00
} else if ( ! S_ISCHR ( st . st_mode ) & & ! S_ISBLK ( st . st_mode ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) ,
" %s is not a char or block device, cannot copy. " , from ) ;
else {
2018-08-02 17:58:13 +02:00
_cleanup_free_ char * sl = NULL , * prefixed = NULL , * dn = NULL , * t = NULL ;
2015-03-31 17:14:48 +02:00
if ( mknod ( to , st . st_mode , st . st_rdev ) < 0 ) {
2016-12-29 11:02:39 +01:00
/* Explicitly warn the user when /dev is already populated. */
2016-10-05 06:57:02 +02:00
if ( errno = = EEXIST )
2016-12-29 11:02:39 +01:00
log_notice ( " %s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system. " , dest ) ;
2015-03-31 17:14:48 +02:00
if ( errno ! = EPERM )
return log_error_errno ( errno , " mknod(%s) failed : % m " , to) ;
2018-08-02 17:58:13 +02:00
/* Some systems abusively restrict mknod but allow bind mounts. */
2015-03-31 17:14:48 +02:00
r = touch ( to ) ;
if ( r < 0 )
return log_error_errno ( r , " touch (%s) failed : % m " , to) ;
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_DEBUG , from , to , NULL , MS_BIND , NULL ) ;
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
if ( r < 0 )
return log_error_errno ( r , " Both mknod and bind mount (%s) failed : % m " , to) ;
2015-03-31 17:14:48 +02:00
}
2015-02-19 12:03:39 +01:00
2015-05-21 16:30:58 +02:00
r = userns_lchown ( to , 0 , 0 ) ;
if ( r < 0 )
return log_error_errno ( r , " chown() of device node % s failed : % m " , to) ;
2018-08-02 17:58:13 +02:00
2019-06-20 20:07:01 +02:00
dn = path_join ( " /dev " , S_ISCHR ( st . st_mode ) ? " char " : " block " ) ;
2018-08-02 17:58:13 +02:00
if ( ! dn )
return log_oom ( ) ;
r = userns_mkdir ( dest , dn , 0755 , 0 , 0 ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to create '%s': %m " , dn ) ;
if ( asprintf ( & sl , " %s/%u:%u " , dn , major ( st . st_rdev ) , minor ( st . st_rdev ) ) < 0 )
return log_oom ( ) ;
2019-06-19 15:20:13 +02:00
prefixed = path_join ( dest , sl ) ;
2018-08-02 17:58:13 +02:00
if ( ! prefixed )
return log_oom ( ) ;
2019-06-24 16:59:38 +02:00
t = path_join ( " .. " , d ) ;
2018-08-02 17:58:13 +02:00
if ( ! t )
return log_oom ( ) ;
if ( symlink ( t , prefixed ) < 0 )
log_debug_errno ( errno , " Failed to symlink '%s' to '%s': %m " , t , prefixed ) ;
2011-03-14 02:40:36 +01:00
}
}
2012-04-13 16:51:33 +02:00
return r ;
}
2011-03-14 02:40:36 +01:00
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
static int make_extra_nodes ( const char * dest ) {
_cleanup_umask_ mode_t u ;
size_t i ;
int r ;
u = umask ( 0000 ) ;
for ( i = 0 ; i < arg_n_extra_nodes ; i + + ) {
_cleanup_free_ char * path = NULL ;
DeviceNode * n = arg_extra_nodes + i ;
2019-06-19 15:20:13 +02:00
path = path_join ( dest , n - > path ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( ! path )
return log_oom ( ) ;
if ( mknod ( path , n - > mode , S_ISCHR ( n - > mode ) | | S_ISBLK ( n - > mode ) ? makedev ( n - > major , n - > minor ) : 0 ) < 0 )
return log_error_errno ( errno , " Failed to create device node '%s': %m " , path ) ;
r = chmod_and_chown ( path , n - > mode , n - > uid , n - > gid ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to adjust device node ownership of '%s': %m " , path ) ;
}
return 0 ;
}
2015-05-21 16:30:58 +02:00
static int setup_pts ( const char * dest ) {
_cleanup_free_ char * options = NULL ;
const char * p ;
2015-11-05 13:44:06 +01:00
int r ;
2015-05-21 16:30:58 +02:00
2017-10-03 10:41:51 +02:00
# if HAVE_SELINUX
2015-05-21 16:30:58 +02:00
if ( arg_selinux_apifs_context )
( void ) asprintf ( & options ,
2015-07-23 04:34:57 +02:00
" newinstance,ptmxmode=0666,mode=620,gid= " GID_FMT " ,context= \" %s \" " ,
2015-05-21 16:30:58 +02:00
arg_uid_shift + TTY_GID ,
arg_selinux_apifs_context ) ;
else
# endif
( void ) asprintf ( & options ,
2015-07-23 04:34:57 +02:00
" newinstance,ptmxmode=0666,mode=620,gid= " GID_FMT ,
2015-05-21 16:30:58 +02:00
arg_uid_shift + TTY_GID ) ;
2013-03-07 13:34:07 +01:00
2015-05-21 16:30:58 +02:00
if ( ! options )
2013-03-07 13:34:07 +01:00
return log_oom ( ) ;
2015-05-21 16:30:58 +02:00
/* Mount /dev/pts itself */
2015-05-25 23:01:45 +02:00
p = prefix_roota ( dest , " /dev/pts " ) ;
2017-12-15 17:08:13 +01:00
r = mkdir_errno_wrapper ( p , 0755 ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to create /dev/pts: %m " ) ;
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_ERR , " devpts " , p , " devpts " , MS_NOSUID | MS_NOEXEC , options ) ;
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
if ( r < 0 )
return r ;
2015-11-05 13:44:06 +01:00
r = userns_lchown ( p , 0 , 0 ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to chown /dev/pts: %m " ) ;
2015-05-21 16:30:58 +02:00
/* Create /dev/ptmx symlink */
p = prefix_roota ( dest , " /dev/ptmx " ) ;
2014-11-28 19:57:32 +01:00
if ( symlink ( " pts/ptmx " , p ) < 0 )
return log_error_errno ( errno , " Failed to create /dev/ptmx symlink: %m " ) ;
2015-11-05 13:44:06 +01:00
r = userns_lchown ( p , 0 , 0 ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to chown /dev/ptmx: %m " ) ;
2013-03-07 13:34:07 +01:00
2015-05-21 16:30:58 +02:00
/* And fix /dev/pts/ptmx ownership */
p = prefix_roota ( dest , " /dev/pts/ptmx " ) ;
2015-11-05 13:44:06 +01:00
r = userns_lchown ( p , 0 , 0 ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to chown /dev/pts/ptmx: %m " ) ;
2015-02-19 12:03:39 +01:00
2013-03-07 13:34:07 +01:00
return 0 ;
}
2019-06-06 10:05:33 +02:00
static int setup_stdio_as_dev_console ( void ) {
2020-09-16 22:16:10 +02:00
_cleanup_close_ int terminal = - 1 ;
2012-04-13 16:51:33 +02:00
int r ;
2020-09-16 22:34:43 +02:00
/* We open the TTY in O_NOCTTY mode, so that we do not become controller yet. We'll do that later
* explicitly , if we are configured to . */
terminal = open_terminal ( " /dev/console " , O_RDWR | O_NOCTTY ) ;
2019-06-06 10:05:33 +02:00
if ( terminal < 0 )
return log_error_errno ( terminal , " Failed to open console: %m " ) ;
2012-04-13 16:51:33 +02:00
2019-06-06 10:05:33 +02:00
/* Make sure we can continue logging to the original stderr, even if
* stderr points elsewhere now */
r = log_dup_console ( ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to duplicate stderr: %m " ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
2019-06-06 10:05:33 +02:00
/* invalidates 'terminal' on success and failure */
r = rearrange_stdio ( terminal , terminal , terminal ) ;
2020-09-16 22:16:10 +02:00
TAKE_FD ( terminal ) ;
2014-11-28 18:50:43 +01:00
if ( r < 0 )
2019-06-06 10:05:33 +02:00
return log_error_errno ( r , " Failed to move console to stdin/stdout/stderr: %m " ) ;
return 0 ;
}
2011-03-14 02:40:36 +01:00
2019-06-06 10:05:33 +02:00
static int setup_dev_console ( const char * console ) {
_cleanup_free_ char * p = NULL ;
int r ;
2011-03-16 02:57:52 +01:00
2019-06-06 10:05:33 +02:00
/* Create /dev/console symlink */
r = path_make_relative ( " /dev " , console , & p ) ;
2015-03-31 17:14:48 +02:00
if ( r < 0 )
2019-06-06 10:05:33 +02:00
return log_error_errno ( r , " Failed to create relative path: %m " ) ;
if ( symlink ( p , " /dev/console " ) < 0 )
return log_error_errno ( errno , " Failed to create /dev/console symlink: %m " ) ;
2011-03-16 02:57:52 +01:00
2019-06-06 10:05:33 +02:00
return 0 ;
2012-04-13 16:51:33 +02:00
}
2017-09-21 14:02:31 +02:00
static int setup_keyring ( void ) {
key_serial_t keyring ;
2020-06-23 08:31:16 +02:00
/* Allocate a new session keyring for the container. This makes sure the keyring of the session
* systemd - nspawn was invoked from doesn ' t leak into the container . Note that by default we block
* keyctl ( ) and request_key ( ) anyway via seccomp so doing this operation isn ' t strictly necessary ,
* but in case people explicitly allow - list these system calls let ' s make sure we don ' t leak anything
* into the container . */
2017-09-21 14:02:31 +02:00
keyring = keyctl ( KEYCTL_JOIN_SESSION_KEYRING , 0 , 0 , 0 , 0 ) ;
if ( keyring = = - 1 ) {
if ( errno = = ENOSYS )
log_debug_errno ( errno , " Kernel keyring not supported, ignoring. " ) ;
2020-09-22 14:13:18 +02:00
else if ( ERRNO_IS_PRIVILEGE ( errno ) )
2017-09-21 14:02:31 +02:00
log_debug_errno ( errno , " Kernel keyring access prohibited, ignoring. " ) ;
else
return log_error_errno ( errno , " Setting up kernel keyring failed: %m " ) ;
}
return 0 ;
}
2020-07-23 08:47:08 +02:00
static int setup_credentials ( const char * root ) {
const char * q ;
int r ;
if ( arg_n_credentials < = 0 )
return 0 ;
r = userns_mkdir ( root , " /run/host " , 0755 , 0 , 0 ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to create /run/host: %m " ) ;
r = userns_mkdir ( root , " /run/host/credentials " , 0700 , 0 , 0 ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to create /run/host/credentials: %m " ) ;
q = prefix_roota ( root , " /run/host/credentials " ) ;
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_ERR , NULL , q , " ramfs " , MS_NOSUID | MS_NOEXEC | MS_NODEV , " mode=0700 " ) ;
2020-07-23 08:47:08 +02:00
if ( r < 0 )
return r ;
for ( size_t i = 0 ; i < arg_n_credentials ; i + + ) {
_cleanup_free_ char * j = NULL ;
_cleanup_close_ int fd = - 1 ;
j = path_join ( q , arg_credentials [ i ] . id ) ;
if ( ! j )
return log_oom ( ) ;
fd = open ( j , O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC | O_NOFOLLOW , 0600 ) ;
if ( fd < 0 )
return log_error_errno ( errno , " Failed to create credential file %s: %m " , j ) ;
r = loop_write ( fd , arg_credentials [ i ] . data , arg_credentials [ i ] . size , /* do_poll= */ false ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to write credential to file %s: %m " , j ) ;
if ( fchmod ( fd , 0400 ) < 0 )
return log_error_errno ( errno , " Failed to adjust access mode of %s: %m " , j ) ;
if ( arg_userns_mode ! = USER_NAMESPACE_NO ) {
if ( fchown ( fd , arg_uid_shift , arg_uid_shift ) < 0 )
return log_error_errno ( errno , " Failed to adjust ownership of %s: %m " , j ) ;
}
}
if ( chmod ( q , 0500 ) < 0 )
return log_error_errno ( errno , " Failed to adjust access mode of %s: %m " , q ) ;
r = userns_lchown ( q , 0 , 0 ) ;
if ( r < 0 )
return r ;
/* Make both mount and superblock read-only now */
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_ERR , NULL , q , NULL , MS_REMOUNT | MS_BIND | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV , NULL ) ;
2020-07-23 08:47:08 +02:00
if ( r < 0 )
return r ;
2020-09-22 15:51:17 +02:00
return mount_nofollow_verbose ( LOG_ERR , NULL , q , NULL , MS_REMOUNT | MS_RDONLY | MS_NOSUID | MS_NOEXEC | MS_NODEV , " mode=0500 " ) ;
2020-07-23 08:47:08 +02:00
}
2018-05-02 10:03:31 +02:00
static int setup_kmsg ( int kmsg_socket ) {
2018-04-30 21:22:41 +02:00
_cleanup_ ( unlink_and_freep ) char * from = NULL ;
_cleanup_free_ char * fifo = NULL ;
_cleanup_close_ int fd = - 1 ;
2013-04-18 09:11:22 +02:00
_cleanup_umask_ mode_t u ;
2018-04-30 21:22:41 +02:00
int r ;
2012-04-13 16:51:33 +02:00
assert ( kmsg_socket > = 0 ) ;
2011-03-16 02:57:52 +01:00
2012-04-13 16:51:33 +02:00
u = umask ( 0000 ) ;
2011-03-16 02:57:52 +01:00
2019-04-05 18:14:43 +02:00
/* We create the kmsg FIFO as as temporary file in /run, but immediately delete it after bind mounting it to
2018-04-30 21:22:41 +02:00
* / proc / kmsg . While FIFOs on the reading side behave very similar to / proc / kmsg , their writing side behaves
* differently from / dev / kmsg in that writing blocks when nothing is reading . In order to avoid any problems
* with containers deadlocking due to this we simply make / dev / kmsg unavailable to the container . */
2019-04-05 18:14:43 +02:00
r = tempfn_random_child ( " /run " , " proc-kmsg " , & fifo ) ;
2018-04-30 21:22:41 +02:00
if ( r < 0 )
return log_error_errno ( r , " Failed to generate kmsg path: %m " ) ;
2012-04-13 16:51:33 +02:00
2018-04-30 21:22:41 +02:00
if ( mkfifo ( fifo , 0600 ) < 0 )
2015-05-21 16:30:58 +02:00
return log_error_errno ( errno , " mkfifo() for / run / kmsg failed : % m " ) ;
2018-04-30 21:22:41 +02:00
from = TAKE_PTR ( fifo ) ;
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_ERR , from , " /proc/kmsg " , NULL , MS_BIND , NULL ) ;
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
if ( r < 0 )
return r ;
2012-04-13 16:51:33 +02:00
2018-05-31 12:04:37 +02:00
fd = open ( from , O_RDWR | O_NONBLOCK | O_CLOEXEC ) ;
2014-11-28 19:57:32 +01:00
if ( fd < 0 )
return log_error_errno ( errno , " Failed to open fifo: %m " ) ;
2012-04-13 16:51:33 +02:00
2018-04-30 21:22:41 +02:00
/* Store away the fd in the socket, so that it stays open as long as we run the child */
2015-09-23 01:00:04 +02:00
r = send_one_fd ( kmsg_socket , fd , 0 ) ;
2015-09-22 14:09:54 +02:00
if ( r < 0 )
return log_error_errno ( r , " Failed to send FIFO fd: %m " ) ;
2011-03-16 02:57:52 +01:00
2012-09-16 16:14:11 +02:00
return 0 ;
2011-03-14 02:40:36 +01:00
}
2020-09-15 19:58:44 +02:00
struct ExposeArgs {
union in_addr_union address ;
struct FirewallContext * fw_ctx ;
} ;
2015-06-12 16:31:33 +02:00
static int on_address_change ( sd_netlink * rtnl , sd_netlink_message * m , void * userdata ) {
2020-09-15 19:58:44 +02:00
struct ExposeArgs * args = userdata ;
2015-01-13 13:51:51 +01:00
assert ( rtnl ) ;
assert ( m ) ;
2020-09-15 19:58:44 +02:00
assert ( args ) ;
2015-01-13 13:51:51 +01:00
2020-09-15 19:58:44 +02:00
expose_port_execute ( rtnl , & args - > fw_ctx , arg_expose_ports , & args - > address ) ;
2015-01-13 13:51:51 +01:00
return 0 ;
}
2012-04-22 01:01:22 +02:00
static int setup_hostname ( void ) {
2018-05-07 20:45:39 +02:00
int r ;
2012-04-22 01:01:22 +02:00
2016-08-26 00:08:26 +02:00
if ( ( arg_clone_ns_flags & CLONE_NEWUTS ) = = 0 )
2014-02-10 15:36:32 +01:00
return 0 ;
2018-05-07 20:45:39 +02:00
r = sethostname_idempotent ( arg_hostname ? : arg_machine ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to set hostname: %m " ) ;
2012-04-22 01:01:22 +02:00
2013-04-16 04:36:06 +02:00
return 0 ;
2012-04-22 01:01:22 +02:00
}
2012-07-19 02:02:39 +02:00
static int setup_journal ( const char * directory ) {
2016-04-23 02:49:07 +02:00
_cleanup_free_ char * d = NULL ;
2019-12-10 11:52:54 +01:00
char id [ SD_ID128_STRING_MAX ] ;
2019-01-16 00:12:50 +01:00
const char * dirname , * p , * q ;
sd_id128_t this_id ;
2016-01-28 20:15:49 +01:00
bool try ;
2012-07-19 02:02:39 +02:00
int r ;
2014-12-12 16:58:57 +01:00
/* Don't link journals in ephemeral mode */
if ( arg_ephemeral )
return 0 ;
2016-01-28 20:15:49 +01:00
if ( arg_link_journal = = LINK_NO )
return 0 ;
try = arg_link_journal_try | | arg_link_journal = = LINK_AUTO ;
2013-12-12 04:00:33 +01:00
r = sd_id128_get_machine ( & this_id ) ;
2014-11-28 18:50:43 +01:00
if ( r < 0 )
return log_error_errno ( r , " Failed to retrieve machine ID: %m " ) ;
2013-12-12 04:00:33 +01:00
2016-04-08 13:22:54 +02:00
if ( sd_id128_equal ( arg_uuid , this_id ) ) {
2016-01-28 20:15:49 +01:00
log_full ( try ? LOG_WARNING : LOG_ERR ,
2016-04-29 10:38:35 +02:00
" Host and machine ids are equal (%s): refusing to link journals " , sd_id128_to_string ( arg_uuid , id ) ) ;
2016-01-28 20:15:49 +01:00
if ( try )
2013-12-12 04:00:33 +01:00
return 0 ;
2014-12-12 16:58:57 +01:00
return - EEXIST ;
2013-12-12 04:00:33 +01:00
}
2018-10-21 19:48:20 +02:00
FOREACH_STRING ( dirname , " /var " , " /var/log " , " /var/log/journal " ) {
r = userns_mkdir ( directory , dirname , 0755 , 0 , 0 ) ;
if ( r < 0 ) {
bool ignore = r = = - EROFS & & try ;
log_full_errno ( ignore ? LOG_DEBUG : LOG_ERR , r ,
" Failed to create %s%s: %m " , dirname , ignore ? " , ignoring " : " " ) ;
return ignore ? 0 : r ;
}
}
2015-05-21 16:30:58 +02:00
2016-04-08 13:22:54 +02:00
( void ) sd_id128_to_string ( arg_uuid , id ) ;
2015-05-21 16:30:58 +02:00
p = strjoina ( " /var/log/journal/ " , id ) ;
q = prefix_roota ( directory , p ) ;
2012-10-02 10:58:31 +02:00
2016-11-18 21:35:21 +01:00
if ( path_is_mount_point ( p , NULL , 0 ) > 0 ) {
2016-01-28 20:15:49 +01:00
if ( try )
return 0 ;
2012-10-02 10:58:31 +02:00
2018-11-20 23:40:44 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EEXIST ) ,
" %s: already a mount point, refusing to use for journal " , p ) ;
2012-07-19 02:02:39 +02:00
}
2016-11-18 21:35:21 +01:00
if ( path_is_mount_point ( q , NULL , 0 ) > 0 ) {
2016-01-28 20:15:49 +01:00
if ( try )
return 0 ;
2012-07-19 02:02:39 +02:00
2018-11-20 23:40:44 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EEXIST ) ,
" %s: already a mount point, refusing to use for journal " , q ) ;
2012-07-19 02:02:39 +02:00
}
r = readlink_and_make_absolute ( p , & d ) ;
if ( r > = 0 ) {
2017-09-29 00:37:23 +02:00
if ( IN_SET ( arg_link_journal , LINK_GUEST , LINK_AUTO ) & &
2012-07-19 02:02:39 +02:00
path_equal ( d , q ) ) {
2015-05-21 16:30:58 +02:00
r = userns_mkdir ( directory , p , 0755 , 0 , 0 ) ;
2012-10-02 10:58:31 +02:00
if ( r < 0 )
2015-11-05 13:44:06 +01:00
log_warning_errno ( r , " Failed to create directory %s: %m " , q ) ;
2012-10-02 10:58:31 +02:00
return 0 ;
2012-07-19 02:02:39 +02:00
}
2014-11-28 19:57:32 +01:00
if ( unlink ( p ) < 0 )
return log_error_errno ( errno , " Failed to remove symlink %s: %m " , p ) ;
2012-07-19 02:02:39 +02:00
} else if ( r = = - EINVAL ) {
if ( arg_link_journal = = LINK_GUEST & &
rmdir ( p ) < 0 ) {
2012-10-02 10:58:31 +02:00
if ( errno = = ENOTDIR ) {
log_error ( " %s already exists and is neither a symlink nor a directory " , p ) ;
return r ;
2015-11-05 13:44:10 +01:00
} else
return log_error_errno ( errno , " Failed to remove %s: %m " , p ) ;
2012-07-19 02:02:39 +02:00
}
2015-11-05 13:44:10 +01:00
} else if ( r ! = - ENOENT )
return log_error_errno ( r , " readlink(%s) failed : % m " , p) ;
2012-07-19 02:02:39 +02:00
if ( arg_link_journal = = LINK_GUEST ) {
if ( symlink ( q , p ) < 0 ) {
2016-01-28 20:15:49 +01:00
if ( try ) {
2014-11-28 19:29:59 +01:00
log_debug_errno ( errno , " Failed to symlink %s to %s, skipping journal setup: %m " , q , p ) ;
2014-11-20 14:30:52 +01:00
return 0 ;
2015-11-05 13:44:10 +01:00
} else
return log_error_errno ( errno , " Failed to symlink %s to %s: %m " , q , p ) ;
2012-07-19 02:02:39 +02:00
}
2015-05-21 16:30:58 +02:00
r = userns_mkdir ( directory , p , 0755 , 0 , 0 ) ;
2012-10-02 10:58:31 +02:00
if ( r < 0 )
2015-11-05 13:44:06 +01:00
log_warning_errno ( r , " Failed to create directory %s: %m " , q ) ;
2012-10-02 10:58:31 +02:00
return 0 ;
2012-07-19 02:02:39 +02:00
}
if ( arg_link_journal = = LINK_HOST ) {
2016-04-22 04:57:06 +02:00
/* don't create parents here — if the host doesn't have
2014-11-20 14:30:52 +01:00
* permanent journal set up , don ' t force it here */
2016-01-28 20:24:28 +01:00
2017-12-15 17:08:13 +01:00
r = mkdir_errno_wrapper ( p , 0755 ) ;
if ( r < 0 & & r ! = - EEXIST ) {
2016-01-28 20:15:49 +01:00
if ( try ) {
2017-12-15 17:08:13 +01:00
log_debug_errno ( r , " Failed to create %s, skipping journal setup: %m " , p ) ;
2014-11-20 14:30:52 +01:00
return 0 ;
2015-11-05 13:44:10 +01:00
} else
2017-12-15 17:08:13 +01:00
return log_error_errno ( r , " Failed to create %s: %m " , p ) ;
2012-07-19 02:02:39 +02:00
}
2012-10-02 10:58:31 +02:00
} else if ( access ( p , F_OK ) < 0 )
return 0 ;
2012-07-19 02:02:39 +02:00
2014-05-22 08:19:46 +02:00
if ( dir_is_empty ( q ) = = 0 )
log_warning ( " %s is not empty, proceeding anyway. " , q ) ;
2015-05-21 16:30:58 +02:00
r = userns_mkdir ( directory , p , 0755 , 0 , 0 ) ;
2015-11-05 13:44:06 +01:00
if ( r < 0 )
return log_error_errno ( r , " Failed to create %s: %m " , q ) ;
2012-07-19 02:02:39 +02:00
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_DEBUG , p , q , NULL , MS_BIND , NULL ) ;
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
if ( r < 0 )
2014-11-28 19:57:32 +01:00
return log_error_errno ( errno , " Failed to bind mount journal from host into guest: %m " ) ;
2012-07-19 02:02:39 +02:00
2012-10-02 10:58:31 +02:00
return 0 ;
2012-07-19 02:02:39 +02:00
}
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
static int drop_capabilities ( uid_t uid ) {
CapabilityQuintet q ;
/* Let's initialize all five capability sets to something valid. If the quintet was configured via
* OCI use that , but fill in missing bits . If it wasn ' t then derive the quintet in full from
* arg_caps_retain . */
if ( capability_quintet_is_set ( & arg_full_capabilities ) ) {
q = arg_full_capabilities ;
if ( q . bounding = = ( uint64_t ) - 1 )
q . bounding = uid = = 0 ? arg_caps_retain : 0 ;
if ( q . effective = = ( uint64_t ) - 1 )
q . effective = uid = = 0 ? q . bounding : 0 ;
if ( q . inheritable = = ( uint64_t ) - 1 )
2020-12-04 11:27:12 +01:00
q . inheritable = uid = = 0 ? q . bounding : arg_caps_ambient ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( q . permitted = = ( uint64_t ) - 1 )
2020-12-04 11:27:12 +01:00
q . permitted = uid = = 0 ? q . bounding : arg_caps_ambient ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( q . ambient = = ( uint64_t ) - 1 & & ambient_capabilities_supported ( ) )
2020-12-04 11:27:12 +01:00
q . ambient = arg_caps_ambient ;
2019-06-04 01:25:43 +02:00
if ( capability_quintet_mangle ( & q ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EPERM ) , " Cannot set capabilities that are not in the current bounding set. " ) ;
} else {
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
q = ( CapabilityQuintet ) {
. bounding = arg_caps_retain ,
. effective = uid = = 0 ? arg_caps_retain : 0 ,
2020-12-04 11:27:12 +01:00
. inheritable = uid = = 0 ? arg_caps_retain : arg_caps_ambient ,
. permitted = uid = = 0 ? arg_caps_retain : arg_caps_ambient ,
. ambient = ambient_capabilities_supported ( ) ? arg_caps_ambient : ( uint64_t ) - 1 ,
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
} ;
2019-06-04 01:25:43 +02:00
/* If we're not using OCI, proceed with mangled capabilities (so we don't error out)
* in order to maintain the same behavior as systemd < 242. */
if ( capability_quintet_mangle ( & q ) )
2019-11-01 20:00:16 +01:00
log_full ( arg_quiet ? LOG_DEBUG : LOG_WARNING ,
" Some capabilities will not be set because they are not in the current bounding set. " ) ;
2019-06-04 01:25:43 +02:00
}
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
return capability_quintet_enforce ( & q ) ;
2011-03-14 02:40:36 +01:00
}
2014-02-12 02:52:39 +01:00
static int reset_audit_loginuid ( void ) {
_cleanup_free_ char * p = NULL ;
int r ;
2016-08-26 00:08:26 +02:00
if ( ( arg_clone_ns_flags & CLONE_NEWPID ) = = 0 )
2014-02-12 02:52:39 +01:00
return 0 ;
r = read_one_line_file ( " /proc/self/loginuid " , & p ) ;
2014-02-25 16:19:35 +01:00
if ( r = = - ENOENT )
2014-02-12 02:52:39 +01:00
return 0 ;
2014-11-28 18:50:43 +01:00
if ( r < 0 )
return log_error_errno ( r , " Failed to read /proc/self/loginuid: %m " ) ;
2014-02-12 02:52:39 +01:00
/* Already reset? */
if ( streq ( p , " 4294967295 " ) )
return 0 ;
2018-11-06 13:00:07 +01:00
r = write_string_file ( " /proc/self/loginuid " , " 4294967295 " , WRITE_STRING_FILE_DISABLE_BUFFER ) ;
2014-02-12 02:52:39 +01:00
if ( r < 0 ) {
2015-04-21 18:05:44 +02:00
log_error_errno ( r ,
" Failed to reset audit login UID. This probably means that your kernel is too \n "
" old and you have audit enabled. Note that the auditing subsystem is known to \n "
" be incompatible with containers on old kernels. Please make sure to upgrade \n "
" your kernel or to off auditing with 'audit=0' on the kernel command line before \n "
" using systemd-nspawn. Sleeping for 5s... (%m) " ) ;
2013-05-10 00:14:12 +02:00
2014-02-12 02:52:39 +01:00
sleep ( 5 ) ;
2013-05-10 00:14:12 +02:00
}
2014-02-12 02:52:39 +01:00
return 0 ;
2013-05-10 00:14:12 +02:00
}
2014-12-17 21:51:45 +01:00
static int setup_propagate ( const char * root ) {
const char * p , * q ;
2015-11-05 13:44:06 +01:00
int r ;
2014-12-17 21:51:45 +01:00
( void ) mkdir_p ( " /run/systemd/nspawn/ " , 0755 ) ;
( void ) mkdir_p ( " /run/systemd/nspawn/propagate " , 0600 ) ;
2015-02-03 02:05:59 +01:00
p = strjoina ( " /run/systemd/nspawn/propagate/ " , arg_machine ) ;
2014-12-17 21:51:45 +01:00
( void ) mkdir_p ( p , 0600 ) ;
2020-07-22 17:57:29 +02:00
r = userns_mkdir ( root , " /run/host " , 0755 , 0 , 0 ) ;
2015-11-05 13:44:06 +01:00
if ( r < 0 )
2020-07-22 17:57:29 +02:00
return log_error_errno ( r , " Failed to create /run/host: %m " ) ;
2015-05-21 16:30:58 +02:00
2020-07-22 17:57:29 +02:00
r = userns_mkdir ( root , " /run/host/incoming " , 0600 , 0 , 0 ) ;
2015-11-05 13:44:06 +01:00
if ( r < 0 )
2020-07-22 17:57:29 +02:00
return log_error_errno ( r , " Failed to create /run/host/incoming: %m " ) ;
2015-05-21 16:30:58 +02:00
2020-07-22 17:57:29 +02:00
q = prefix_roota ( root , " /run/host/incoming " ) ;
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_ERR , p , q , NULL , MS_BIND , NULL ) ;
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
if ( r < 0 )
return r ;
2014-12-17 21:51:45 +01:00
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_ERR , NULL , q , NULL , MS_BIND | MS_REMOUNT | MS_RDONLY , NULL ) ;
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
if ( r < 0 )
return r ;
2014-12-17 21:51:45 +01:00
2020-07-22 17:57:29 +02:00
/* machined will MS_MOVE into that directory, and that's only supported for non-shared mounts. */
2020-09-22 15:51:17 +02:00
return mount_nofollow_verbose ( LOG_ERR , NULL , q , NULL , MS_SLAVE , NULL ) ;
2014-12-17 21:51:45 +01:00
}
2016-07-21 18:53:40 +02:00
static int setup_machine_id ( const char * directory ) {
2016-07-21 18:01:55 +02:00
const char * etc_machine_id ;
sd_id128_t id ;
2016-07-21 16:06:31 +02:00
int r ;
2016-04-08 13:22:54 +02:00
2016-07-21 18:53:40 +02:00
/* If the UUID in the container is already set, then that's what counts, and we use. If it isn't set, and the
* caller passed - - uuid = , then we ' ll pass it in the $ container_uuid env var to PID 1 of the container . The
* assumption is that PID 1 will then write it to / etc / machine - id to make it persistent . If - - uuid = is not
* passed we generate a random UUID , and pass it via $ container_uuid . In effect this means that / etc / machine - id
* in the container and our idea of the container UUID will always be in sync ( at least if PID 1 in the
* container behaves nicely ) . */
2016-04-08 13:22:54 +02:00
etc_machine_id = prefix_roota ( directory , " /etc/machine-id " ) ;
2020-10-15 21:22:15 +02:00
r = id128_read ( etc_machine_id , ID128_PLAIN_OR_UNINIT , & id ) ;
2016-07-21 18:53:40 +02:00
if ( r < 0 ) {
if ( ! IN_SET ( r , - ENOENT , - ENOMEDIUM ) ) /* If the file is missing or empty, we don't mind */
return log_error_errno ( r , " Failed to read machine ID from container image: %m " ) ;
2016-07-21 18:01:55 +02:00
2016-07-21 18:53:40 +02:00
if ( sd_id128_is_null ( arg_uuid ) ) {
r = sd_id128_randomize ( & arg_uuid ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to acquire randomized machine UUID: %m " ) ;
}
} else {
2018-11-20 23:40:44 +01:00
if ( sd_id128_is_null ( id ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Machine ID in container image is zero, refusing. " ) ;
2016-04-08 13:22:54 +02:00
2016-07-21 18:53:40 +02:00
arg_uuid = id ;
}
2016-07-21 18:01:55 +02:00
2016-04-08 13:22:54 +02:00
return 0 ;
}
2016-04-20 22:53:39 +02:00
static int recursive_chown ( const char * directory , uid_t shift , uid_t range ) {
int r ;
assert ( directory ) ;
2016-04-22 13:02:53 +02:00
if ( arg_userns_mode = = USER_NAMESPACE_NO | | ! arg_userns_chown )
2016-04-20 22:53:39 +02:00
return 0 ;
r = path_patch_uid ( directory , arg_uid_shift , arg_uid_range ) ;
if ( r = = - EOPNOTSUPP )
return log_error_errno ( r , " Automatic UID/GID adjusting is only supported for UID/GID ranges starting at multiples of 2^16 with a range of 2^16. " ) ;
if ( r = = - EBADE )
return log_error_errno ( r , " Upper 16 bits of root directory UID and GID do not match. " ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to adjust UID/GID shift of OS tree: %m " ) ;
if ( r = = 0 )
log_debug ( " Root directory of image is already owned by the right UID/GID range, skipping recursive chown operation. " ) ;
else
log_debug ( " Patched directory tree to match UID/GID range. " ) ;
return r ;
}
2014-05-24 15:58:54 +02:00
/*
2014-06-30 02:18:02 +02:00
* Return values :
* < 0 : wait_for_terminate ( ) failed to get the state of the
* container , the container was terminated by a signal , or
* failed for an unknown reason . No change is made to the
* container argument .
* > 0 : The program executed in the container terminated with an
* error . The exit code of the program executed in the
2014-10-31 16:22:36 +01:00
* container is returned . The container argument has been set
* to CONTAINER_TERMINATED .
2014-06-30 02:18:02 +02:00
* 0 : The container is being rebooted , has been shut down or exited
* successfully . The container argument has been set to either
* CONTAINER_TERMINATED or CONTAINER_REBOOTED .
2014-05-24 15:58:54 +02:00
*
2014-06-30 02:18:02 +02:00
* That is , success is indicated by a return value of zero , and an
* error is indicated by a non - zero value .
2014-05-24 15:58:54 +02:00
*/
static int wait_for_container ( pid_t pid , ContainerStatus * container ) {
siginfo_t status ;
2014-10-31 16:22:36 +01:00
int r ;
2014-05-24 15:58:54 +02:00
r = wait_for_terminate ( pid , & status ) ;
2014-11-28 18:50:43 +01:00
if ( r < 0 )
return log_warning_errno ( r , " Failed to wait for container: %m " ) ;
2014-05-24 15:58:54 +02:00
switch ( status . si_code ) {
2014-10-30 20:53:23 +01:00
2014-05-24 15:58:54 +02:00
case CLD_EXITED :
2016-05-22 13:02:41 +02:00
if ( status . si_status = = 0 )
2014-10-31 16:22:36 +01:00
log_full ( arg_quiet ? LOG_DEBUG : LOG_INFO , " Container %s exited successfully. " , arg_machine ) ;
2016-05-22 13:02:41 +02:00
else
2014-10-31 16:22:36 +01:00
log_full ( arg_quiet ? LOG_DEBUG : LOG_INFO , " Container %s failed with error code %i. " , arg_machine , status . si_status ) ;
2014-10-30 20:53:23 +01:00
2014-10-31 16:22:36 +01:00
* container = CONTAINER_TERMINATED ;
return status . si_status ;
2014-05-24 15:58:54 +02:00
case CLD_KILLED :
if ( status . si_status = = SIGINT ) {
2014-10-31 16:22:36 +01:00
log_full ( arg_quiet ? LOG_DEBUG : LOG_INFO , " Container %s has been shut down. " , arg_machine ) ;
2014-05-24 15:58:54 +02:00
* container = CONTAINER_TERMINATED ;
2014-10-31 16:22:36 +01:00
return 0 ;
2014-05-24 15:58:54 +02:00
} else if ( status . si_status = = SIGHUP ) {
2014-10-31 16:22:36 +01:00
log_full ( arg_quiet ? LOG_DEBUG : LOG_INFO , " Container %s is being rebooted. " , arg_machine ) ;
2014-05-24 15:58:54 +02:00
* container = CONTAINER_REBOOTED ;
2014-10-31 16:22:36 +01:00
return 0 ;
2014-05-24 15:58:54 +02:00
}
2014-10-31 16:22:36 +01:00
2017-11-19 19:06:10 +01:00
_fallthrough_ ;
2014-05-24 15:58:54 +02:00
case CLD_DUMPED :
2018-11-20 23:40:44 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) ,
" Container %s terminated by signal %s. " , arg_machine , signal_to_string ( status . si_status ) ) ;
2014-05-24 15:58:54 +02:00
default :
2018-11-20 23:40:44 +01:00
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) ,
" Container %s failed due to unknown reason. " , arg_machine ) ;
2014-05-24 15:58:54 +02:00
}
}
2014-10-31 16:54:11 +01:00
static int on_orderly_shutdown ( sd_event_source * s , const struct signalfd_siginfo * si , void * userdata ) {
pid_t pid ;
2015-11-17 00:00:32 +01:00
pid = PTR_TO_PID ( userdata ) ;
2014-10-31 16:54:11 +01:00
if ( pid > 0 ) {
2015-02-25 22:04:48 +01:00
if ( kill ( pid , arg_kill_signal ) > = 0 ) {
2014-10-31 16:54:11 +01:00
log_info ( " Trying to halt container. Send SIGTERM again to trigger immediate termination. " ) ;
sd_event_source_set_userdata ( s , NULL ) ;
return 0 ;
}
}
sd_event_exit ( sd_event_source_get_event ( s ) , 0 ) ;
return 0 ;
}
2016-12-13 02:38:18 +01:00
static int on_sigchld ( sd_event_source * s , const struct signalfd_siginfo * ssi , void * userdata ) {
2017-11-23 19:27:47 +01:00
pid_t pid ;
assert ( s ) ;
assert ( ssi ) ;
pid = PTR_TO_PID ( userdata ) ;
2016-12-13 02:38:18 +01:00
for ( ; ; ) {
siginfo_t si = { } ;
2017-11-23 19:27:47 +01:00
2016-12-13 02:38:18 +01:00
if ( waitid ( P_ALL , 0 , & si , WNOHANG | WNOWAIT | WEXITED ) < 0 )
return log_error_errno ( errno , " Failed to waitid() : % m " ) ;
if ( si . si_pid = = 0 ) /* No pending children. */
break ;
2017-11-23 19:27:47 +01:00
if ( si . si_pid = = pid ) {
2016-12-13 02:38:18 +01:00
/* The main process we care for has exited. Return from
* signal handler but leave the zombie . */
sd_event_exit ( sd_event_source_get_event ( s ) , 0 ) ;
break ;
}
2017-11-23 19:27:47 +01:00
2016-12-13 02:38:18 +01:00
/* Reap all other children. */
( void ) waitid ( P_PID , si . si_pid , & si , WNOHANG | WEXITED ) ;
}
return 0 ;
}
2017-11-23 19:27:47 +01:00
static int on_request_stop ( sd_bus_message * m , void * userdata , sd_bus_error * error ) {
pid_t pid ;
assert ( m ) ;
pid = PTR_TO_PID ( userdata ) ;
if ( arg_kill_signal > 0 ) {
log_info ( " Container termination requested. Attempting to halt container. " ) ;
( void ) kill ( pid , arg_kill_signal ) ;
} else {
log_info ( " Container termination requested. Exiting. " ) ;
sd_event_exit ( sd_bus_get_event ( sd_bus_message_get_bus ( m ) ) , 0 ) ;
}
return 0 ;
}
2014-12-12 03:50:59 +01:00
static int determine_names ( void ) {
2014-12-27 02:07:29 +01:00
int r ;
2014-12-12 03:50:59 +01:00
2015-08-25 20:26:51 +02:00
if ( arg_template & & ! arg_directory & & arg_machine ) {
/* If --template= was specified then we should not
* search for a machine , but instead create a new one
* in / var / lib / machine . */
2019-06-20 20:07:01 +02:00
arg_directory = path_join ( " /var/lib/machines " , arg_machine ) ;
2015-08-25 20:26:51 +02:00
if ( ! arg_directory )
return log_oom ( ) ;
}
2014-12-12 03:50:59 +01:00
if ( ! arg_image & & ! arg_directory ) {
2014-12-27 02:07:29 +01:00
if ( arg_machine ) {
_cleanup_ ( image_unrefp ) Image * i = NULL ;
2018-04-05 15:39:43 +02:00
r = image_find ( IMAGE_MACHINE , arg_machine , & i ) ;
2018-04-06 18:53:57 +02:00
if ( r = = - ENOENT )
return log_error_errno ( r , " No image for machine '%s'. " , arg_machine ) ;
2014-12-27 02:07:29 +01:00
if ( r < 0 )
return log_error_errno ( r , " Failed to find image for machine '%s': %m " , arg_machine ) ;
2017-10-04 17:36:58 +02:00
if ( IN_SET ( i - > type , IMAGE_RAW , IMAGE_BLOCK ) )
2015-10-22 19:54:29 +02:00
r = free_and_strdup ( & arg_image , i - > path ) ;
2014-12-27 02:07:29 +01:00
else
2015-10-22 19:54:29 +02:00
r = free_and_strdup ( & arg_directory , i - > path ) ;
2014-12-27 02:07:29 +01:00
if ( r < 0 )
2016-11-18 18:38:06 +01:00
return log_oom ( ) ;
2014-12-27 02:07:29 +01:00
2015-04-22 16:56:51 +02:00
if ( ! arg_ephemeral )
arg_read_only = arg_read_only | | i - > read_only ;
2018-01-17 11:17:38 +01:00
} else {
r = safe_getcwd ( & arg_directory ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to determine current directory: %m " ) ;
}
2014-12-12 03:50:59 +01:00
2019-04-02 14:51:48 +02:00
if ( ! arg_directory & & ! arg_image )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " Failed to determine path, please use -D or -i. " ) ;
2014-12-12 03:50:59 +01:00
}
if ( ! arg_machine ) {
2014-12-12 17:26:31 +01:00
if ( arg_directory & & path_equal ( arg_directory , " / " ) )
arg_machine = gethostname_malloc ( ) ;
2016-12-07 17:42:40 +01:00
else {
if ( arg_image ) {
char * e ;
arg_machine = strdup ( basename ( arg_image ) ) ;
/* Truncate suffix if there is one */
e = endswith ( arg_machine , " .raw " ) ;
if ( e )
* e = 0 ;
} else
arg_machine = strdup ( basename ( arg_directory ) ) ;
}
2014-12-12 03:50:59 +01:00
if ( ! arg_machine )
return log_oom ( ) ;
2015-07-28 04:36:36 +02:00
hostname_cleanup ( arg_machine ) ;
2020-12-11 16:40:45 +01:00
if ( ! hostname_is_valid ( arg_machine , 0 ) )
2019-04-02 14:51:48 +02:00
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) , " Failed to determine machine name automatically, please use -M. " ) ;
2014-12-12 17:26:31 +01:00
if ( arg_ephemeral ) {
char * b ;
/* Add a random suffix when this is an
* ephemeral machine , so that we can run many
* instances at once without manually having
* to specify - M each time . */
if ( asprintf ( & b , " %s-%016 " PRIx64 , arg_machine , random_u64 ( ) ) < 0 )
return log_oom ( ) ;
free ( arg_machine ) ;
arg_machine = b ;
}
2014-12-12 03:50:59 +01:00
}
return 0 ;
}
2016-11-29 18:16:43 +01:00
static int chase_symlinks_and_update ( char * * p , unsigned flags ) {
2016-11-24 21:03:36 +01:00
char * chased ;
int r ;
assert ( p ) ;
if ( ! * p )
return 0 ;
2019-10-24 10:33:20 +02:00
r = chase_symlinks ( * p , NULL , flags , & chased , NULL ) ;
2016-11-24 21:03:36 +01:00
if ( r < 0 )
return log_error_errno ( r , " Failed to resolve path %s: %m " , * p ) ;
2019-10-24 10:33:20 +02:00
return free_and_replace ( * p , chased ) ;
2016-11-24 21:03:36 +01:00
}
2015-05-21 16:30:58 +02:00
static int determine_uid_shift ( const char * directory ) {
2015-02-19 11:30:18 +01:00
int r ;
2016-04-22 13:02:53 +02:00
if ( arg_userns_mode = = USER_NAMESPACE_NO ) {
2015-05-21 16:30:58 +02:00
arg_uid_shift = 0 ;
2015-02-19 11:30:18 +01:00
return 0 ;
2015-05-21 16:30:58 +02:00
}
2015-02-19 11:30:18 +01:00
if ( arg_uid_shift = = UID_INVALID ) {
struct stat st ;
2015-05-21 16:30:58 +02:00
r = stat ( directory , & st ) ;
2015-02-19 11:30:18 +01:00
if ( r < 0 )
2015-05-21 16:30:58 +02:00
return log_error_errno ( errno , " Failed to determine UID base of %s: %m " , directory ) ;
2015-02-19 11:30:18 +01:00
arg_uid_shift = st . st_uid & UINT32_C ( 0xffff0000 ) ;
2018-11-20 23:40:44 +01:00
if ( arg_uid_shift ! = ( st . st_gid & UINT32_C ( 0xffff0000 ) ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" UID and GID base of %s don't match. " , directory ) ;
2015-02-19 11:30:18 +01:00
arg_uid_range = UINT32_C ( 0x10000 ) ;
}
2018-11-20 23:40:44 +01:00
if ( arg_uid_shift > ( uid_t ) - 1 - arg_uid_range )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" UID base too high for UID range. " ) ;
2015-02-19 11:30:18 +01:00
return 0 ;
}
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
static unsigned long effective_clone_ns_flags ( void ) {
unsigned long flags = arg_clone_ns_flags ;
if ( arg_private_network )
flags | = CLONE_NEWNET ;
if ( arg_use_cgns )
flags | = CLONE_NEWCGROUP ;
if ( arg_userns_mode ! = USER_NAMESPACE_NO )
flags | = CLONE_NEWUSER ;
return flags ;
}
static int patch_sysctl ( void ) {
/* This table is inspired by runc's sysctl() function */
static const struct {
const char * key ;
bool prefix ;
unsigned long clone_flags ;
} safe_sysctl [ ] = {
{ " kernel.hostname " , false , CLONE_NEWUTS } ,
{ " kernel.domainname " , false , CLONE_NEWUTS } ,
{ " kernel.msgmax " , false , CLONE_NEWIPC } ,
{ " kernel.msgmnb " , false , CLONE_NEWIPC } ,
{ " kernel.msgmni " , false , CLONE_NEWIPC } ,
{ " kernel.sem " , false , CLONE_NEWIPC } ,
{ " kernel.shmall " , false , CLONE_NEWIPC } ,
{ " kernel.shmmax " , false , CLONE_NEWIPC } ,
{ " kernel.shmmni " , false , CLONE_NEWIPC } ,
{ " fs.mqueue. " , true , CLONE_NEWIPC } ,
{ " net. " , true , CLONE_NEWNET } ,
} ;
unsigned long flags ;
char * * k , * * v ;
int r ;
flags = effective_clone_ns_flags ( ) ;
STRV_FOREACH_PAIR ( k , v , arg_sysctl ) {
bool good = false ;
size_t i ;
for ( i = 0 ; i < ELEMENTSOF ( safe_sysctl ) ; i + + ) {
if ( ! FLAGS_SET ( flags , safe_sysctl [ i ] . clone_flags ) )
continue ;
if ( safe_sysctl [ i ] . prefix )
good = startswith ( * k , safe_sysctl [ i ] . key ) ;
else
good = streq ( * k , safe_sysctl [ i ] . key ) ;
if ( good )
break ;
}
2019-04-02 14:51:48 +02:00
if ( ! good )
return log_error_errno ( SYNTHETIC_ERRNO ( EPERM ) , " Refusing to write to sysctl '%s', as it is not safe in the selected namespaces. " , * k ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
r = sysctl_write ( * k , * v ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to write sysctl '%s': %m " , * k ) ;
}
return 0 ;
}
2015-05-21 16:30:58 +02:00
static int inner_child (
Barrier * barrier ,
const char * directory ,
bool secondary ,
int kmsg_socket ,
int rtnl_socket ,
2019-06-06 10:05:33 +02:00
int master_pty_socket ,
2020-05-22 17:06:54 +02:00
FDSet * fds ,
char * * os_release_pairs ) {
2014-02-13 18:47:20 +01:00
2015-05-21 16:30:58 +02:00
_cleanup_free_ char * home = NULL ;
2019-12-10 11:33:28 +01:00
char as_uuid [ ID128_UUID_STRING_MAX ] ;
2018-04-27 22:01:54 +02:00
size_t n_env = 1 ;
2015-05-21 16:30:58 +02:00
const char * envp [ ] = {
2018-04-20 11:36:25 +02:00
" PATH= " DEFAULT_PATH_COMPAT ,
2015-11-09 11:32:34 +01:00
NULL , /* container */
2015-05-21 16:30:58 +02:00
NULL , /* TERM */
NULL , /* HOME */
NULL , /* USER */
NULL , /* LOGNAME */
NULL , /* container_uuid */
NULL , /* LISTEN_FDS */
NULL , /* LISTEN_PID */
2016-06-10 13:09:06 +02:00
NULL , /* NOTIFY_SOCKET */
2020-07-23 08:47:08 +02:00
NULL , /* CREDENTIALS_DIRECTORY */
2015-05-21 16:30:58 +02:00
NULL
} ;
2017-02-01 14:36:16 +01:00
const char * exec_target ;
2015-05-25 22:55:52 +02:00
_cleanup_strv_free_ char * * env_use = NULL ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
int r , which_failed ;
2011-03-14 02:40:36 +01:00
2018-07-26 17:26:18 +02:00
/* This is the "inner" child process, i.e. the one forked off by the "outer" child process, which is the one
* the container manager itself forked off . At the time of clone ( ) it gained its own CLONE_NEWNS , CLONE_NEWPID ,
* CLONE_NEWUTS , CLONE_NEWIPC , CLONE_NEWUSER namespaces . Note that it has its own CLONE_NEWNS namespace ,
* separate from the CLONE_NEWNS created for the " outer " child , and also separate from the host ' s CLONE_NEWNS
* namespace . The reason for having two levels of CLONE_NEWNS namespaces is that the " inner " one is owned by
* the CLONE_NEWUSER namespace of the container , while the " outer " one is owned by the host ' s CLONE_NEWUSER
* namespace .
*
* Note at this point we have no CLONE_NEWNET namespace yet . We ' ll acquire that one later through
* unshare ( ) . See below . */
2015-05-21 16:30:58 +02:00
assert ( barrier ) ;
assert ( directory ) ;
assert ( kmsg_socket > = 0 ) ;
2011-03-14 02:40:36 +01:00
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
log_debug ( " Inner child is initializing. " ) ;
2016-04-22 13:02:53 +02:00
if ( arg_userns_mode ! = USER_NAMESPACE_NO ) {
2015-05-21 16:30:58 +02:00
/* Tell the parent, that it now can write the UID map. */
( void ) barrier_place ( barrier ) ; /* #1 */
2013-04-16 04:36:06 +02:00
2015-05-21 16:30:58 +02:00
/* Wait until the parent wrote the UID map */
2018-11-20 23:40:44 +01:00
if ( ! barrier_place_and_sync ( barrier ) ) /* #2 */
2020-07-23 11:13:44 +02:00
return log_error_errno ( SYNTHETIC_ERRNO ( ESRCH ) , " Parent died too early " ) ;
2011-03-14 02:40:36 +01:00
2020-07-23 11:13:44 +02:00
/* Become the new root user inside our namespace */
r = reset_uid_gid ( ) ;
if ( r < 0 )
return log_error_errno ( r , " Couldn't become new root: %m " ) ;
/* Creating a new user namespace means all MS_SHARED mounts become MS_SLAVE. Let's put them
* back to MS_SHARED here , since that ' s what we want as defaults . ( This will not reconnect
* propagation , but simply create new peer groups for all our mounts ) . */
2020-09-22 15:51:17 +02:00
r = mount_follow_verbose ( LOG_ERR , NULL , " / " , NULL , MS_SHARED | MS_REC , NULL ) ;
2020-07-23 11:13:44 +02:00
if ( r < 0 )
return r ;
}
2016-10-20 11:05:46 +02:00
2016-04-22 13:02:53 +02:00
r = mount_all ( NULL ,
2016-10-14 14:00:15 +02:00
arg_mount_settings | MOUNT_IN_USERNS ,
2016-04-22 13:02:53 +02:00
arg_uid_shift ,
arg_selinux_apifs_context ) ;
2015-05-21 16:30:58 +02:00
if ( r < 0 )
return r ;
2018-03-20 18:07:17 +01:00
if ( ! arg_network_namespace_path & & arg_private_network ) {
r = unshare ( CLONE_NEWNET ) ;
if ( r < 0 )
return log_error_errno ( errno , " Failed to unshare network namespace: %m " ) ;
2018-04-05 16:04:27 +02:00
/* Tell the parent that it can setup network interfaces. */
( void ) barrier_place ( barrier ) ; /* #3 */
2018-03-20 18:07:17 +01:00
}
2016-10-14 14:00:15 +02:00
r = mount_sysfs ( NULL , arg_mount_settings ) ;
2015-09-30 13:47:28 +02:00
if ( r < 0 )
return r ;
2015-05-21 16:30:58 +02:00
/* Wait until we are cgroup-ified, so that we
* can mount the right cgroup path writable */
2018-11-20 23:40:44 +01:00
if ( ! barrier_place_and_sync ( barrier ) ) /* #4 */
return log_error_errno ( SYNTHETIC_ERRNO ( ESRCH ) ,
" Parent died too early " ) ;
2011-03-14 02:40:36 +01:00
2018-12-11 12:00:06 +01:00
if ( arg_use_cgns ) {
2016-06-23 13:41:56 +02:00
r = unshare ( CLONE_NEWCGROUP ) ;
if ( r < 0 )
2018-03-20 18:07:17 +01:00
return log_error_errno ( errno , " Failed to unshare cgroup namespace: %m " ) ;
2016-06-23 13:41:56 +02:00
r = mount_cgroups (
" " ,
arg_unified_cgroup_hierarchy ,
arg_userns_mode ! = USER_NAMESPACE_NO ,
arg_uid_shift ,
arg_uid_range ,
2016-07-26 16:49:15 +02:00
arg_selinux_apifs_context ,
2016-10-10 22:12:50 +02:00
true ) ;
2020-04-22 17:12:08 +02:00
} else
2016-06-23 13:41:56 +02:00
r = mount_systemd_cgroup_writable ( " " , arg_unified_cgroup_hierarchy ) ;
2020-04-22 17:12:08 +02:00
if ( r < 0 )
return r ;
2014-12-12 03:50:59 +01:00
2018-05-02 10:03:31 +02:00
r = setup_boot_id ( ) ;
2015-05-21 16:30:58 +02:00
if ( r < 0 )
return r ;
2014-12-12 03:50:59 +01:00
2018-05-02 10:03:31 +02:00
r = setup_kmsg ( kmsg_socket ) ;
2015-05-21 16:30:58 +02:00
if ( r < 0 )
return r ;
kmsg_socket = safe_close ( kmsg_socket ) ;
2014-12-12 03:50:59 +01:00
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
r = mount_custom (
" / " ,
arg_custom_mounts ,
arg_n_custom_mounts ,
0 ,
arg_selinux_apifs_context ,
2019-12-06 22:45:14 +01:00
MOUNT_NON_ROOT_ONLY | MOUNT_IN_USERNS ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( r < 0 )
return r ;
2015-05-21 16:30:58 +02:00
if ( setsid ( ) < 0 )
return log_error_errno ( errno , " setsid() failed : % m " ) ;
if ( arg_private_network )
2020-03-04 13:20:31 +01:00
( void ) loopback_setup ( ) ;
2015-05-21 16:30:58 +02:00
2015-09-07 16:52:24 +02:00
if ( arg_expose_ports ) {
r = expose_port_send_rtnl ( rtnl_socket ) ;
if ( r < 0 )
return r ;
rtnl_socket = safe_close ( rtnl_socket ) ;
}
2015-05-21 16:30:58 +02:00
2019-06-06 10:05:33 +02:00
if ( arg_console_mode ! = CONSOLE_PIPE ) {
2019-07-08 15:16:41 +02:00
_cleanup_close_ int master = - 1 ;
2019-06-06 10:05:33 +02:00
_cleanup_free_ char * console = NULL ;
/* Allocate a pty and make it available as /dev/console. */
2019-06-07 10:27:18 +02:00
master = openpt_allocate ( O_RDWR | O_NONBLOCK , & console ) ;
2019-06-06 10:05:33 +02:00
if ( master < 0 )
2019-06-07 10:27:18 +02:00
return log_error_errno ( master , " Failed to allocate a pty: %m " ) ;
2019-06-06 10:05:33 +02:00
r = setup_dev_console ( console ) ;
if ( r < 0 )
2020-03-03 15:00:53 +01:00
return log_error_errno ( r , " Failed to set up /dev/console: %m " ) ;
2019-06-06 10:05:33 +02:00
r = send_one_fd ( master_pty_socket , master , 0 ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to send master fd: %m " ) ;
master_pty_socket = safe_close ( master_pty_socket ) ;
r = setup_stdio_as_dev_console ( ) ;
if ( r < 0 )
return r ;
}
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
r = patch_sysctl ( ) ;
if ( r < 0 )
return r ;
2018-05-07 21:17:09 +02:00
if ( arg_oom_score_adjust_set ) {
r = set_oom_score_adjust ( arg_oom_score_adjust ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to adjust OOM score: %m " ) ;
}
2019-05-21 08:45:19 +02:00
if ( arg_cpu_set . set )
if ( sched_setaffinity ( 0 , arg_cpu_set . allocated , arg_cpu_set . set ) < 0 )
2018-05-07 21:47:15 +02:00
return log_error_errno ( errno , " Failed to set CPU affinity: %m " ) ;
2018-05-07 20:45:39 +02:00
( void ) setup_hostname ( ) ;
2015-05-21 16:30:58 +02:00
2015-05-21 19:48:49 +02:00
if ( arg_personality ! = PERSONALITY_INVALID ) {
2017-09-08 16:16:29 +02:00
r = safe_personality ( arg_personality ) ;
if ( r < 0 )
return log_error_errno ( r , " personality() failed : % m " ) ;
2015-05-21 16:30:58 +02:00
} else if ( secondary ) {
2017-09-08 16:16:29 +02:00
r = safe_personality ( PER_LINUX32 ) ;
if ( r < 0 )
return log_error_errno ( r , " personality() failed : % m " ) ;
2015-05-21 16:30:58 +02:00
}
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
r = setrlimit_closest_all ( ( const struct rlimit * const * ) arg_rlimit , & which_failed ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to apply resource limit RLIMIT_%s: %m " , rlimit_to_string ( which_failed ) ) ;
# if HAVE_SECCOMP
if ( arg_seccomp ) {
if ( is_seccomp_available ( ) ) {
r = seccomp_load ( arg_seccomp ) ;
2019-04-11 01:08:41 +02:00
if ( ERRNO_IS_SECCOMP_FATAL ( r ) )
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
return log_error_errno ( r , " Failed to install seccomp filter: %m " ) ;
if ( r < 0 )
log_debug_errno ( r , " Failed to install seccomp filter: %m " ) ;
}
} else
# endif
{
2020-06-23 08:31:16 +02:00
r = setup_seccomp ( arg_caps_retain , arg_syscall_allow_list , arg_syscall_deny_list ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( r < 0 )
return r ;
}
2017-10-03 10:41:51 +02:00
# if HAVE_SELINUX
2015-05-21 16:30:58 +02:00
if ( arg_selinux_context )
2016-07-15 18:44:02 +02:00
if ( setexeccon ( arg_selinux_context ) < 0 )
2015-05-21 16:30:58 +02:00
return log_error_errno ( errno , " setexeccon( \" %s \" ) failed : % m " , arg_selinux_context) ;
# endif
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
/* Make sure we keep the caps across the uid/gid dropping, so that we can retain some selected caps
* if we need to later on . */
if ( prctl ( PR_SET_KEEPCAPS , 1 ) < 0 )
return log_error_errno ( errno , " Failed to set PR_SET_KEEPCAPS: %m " ) ;
if ( uid_is_valid ( arg_uid ) | | gid_is_valid ( arg_gid ) )
2020-10-02 11:59:45 +02:00
r = change_uid_gid_raw ( arg_uid , arg_gid , arg_supplementary_gids , arg_n_supplementary_gids , arg_console_mode ! = CONSOLE_PIPE ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
else
2020-10-02 11:59:45 +02:00
r = change_uid_gid ( arg_user , arg_console_mode ! = CONSOLE_PIPE , & home ) ;
2015-05-21 16:30:58 +02:00
if ( r < 0 )
return r ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
r = drop_capabilities ( getuid ( ) ) ;
if ( r < 0 )
return log_error_errno ( r , " Dropping capabilities failed: %m " ) ;
2018-05-07 19:35:48 +02:00
if ( arg_no_new_privileges )
if ( prctl ( PR_SET_NO_NEW_PRIVS , 1 , 0 , 0 , 0 ) < 0 )
return log_error_errno ( errno , " Failed to disable new privileges: %m " ) ;
2015-11-09 11:32:34 +01:00
/* LXC sets container=lxc, so follow the scheme here */
envp [ n_env + + ] = strjoina ( " container= " , arg_container_service_name ) ;
2015-05-21 16:30:58 +02:00
envp [ n_env ] = strv_find_prefix ( environ , " TERM= " ) ;
if ( envp [ n_env ] )
2016-02-23 05:32:04 +01:00
n_env + + ;
2015-05-21 16:30:58 +02:00
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( home | | ! uid_is_valid ( arg_uid ) | | arg_uid = = 0 )
if ( asprintf ( ( char * * ) ( envp + n_env + + ) , " HOME=%s " , home ? : " /root " ) < 0 )
return log_oom ( ) ;
if ( arg_user | | ! uid_is_valid ( arg_uid ) | | arg_uid = = 0 )
if ( asprintf ( ( char * * ) ( envp + n_env + + ) , " USER=%s " , arg_user ? : " root " ) < 0 | |
asprintf ( ( char * * ) ( envp + n_env + + ) , " LOGNAME=%s " , arg_user ? arg_user : " root " ) < 0 )
return log_oom ( ) ;
2015-05-21 16:30:58 +02:00
2016-07-21 16:06:31 +02:00
assert ( ! sd_id128_is_null ( arg_uuid ) ) ;
2015-05-21 16:30:58 +02:00
2016-07-21 18:01:55 +02:00
if ( asprintf ( ( char * * ) ( envp + n_env + + ) , " container_uuid=%s " , id128_to_uuid_string ( arg_uuid , as_uuid ) ) < 0 )
2016-04-08 13:22:54 +02:00
return log_oom ( ) ;
2015-05-21 16:30:58 +02:00
if ( fdset_size ( fds ) > 0 ) {
r = fdset_cloexec ( fds , false ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to unset O_CLOEXEC for file descriptors. " ) ;
if ( ( asprintf ( ( char * * ) ( envp + n_env + + ) , " LISTEN_FDS=%u " , fdset_size ( fds ) ) < 0 ) | |
( asprintf ( ( char * * ) ( envp + n_env + + ) , " LISTEN_PID=1 " ) < 0 ) )
return log_oom ( ) ;
}
2016-06-10 13:09:06 +02:00
if ( asprintf ( ( char * * ) ( envp + n_env + + ) , " NOTIFY_SOCKET=%s " , NSPAWN_NOTIFY_SOCKET_PATH ) < 0 )
return log_oom ( ) ;
2015-05-21 16:30:58 +02:00
2020-07-23 08:47:08 +02:00
if ( arg_n_credentials > 0 ) {
envp [ n_env ] = strdup ( " CREDENTIALS_DIRECTORY=/run/host/credentials " ) ;
if ( ! envp [ n_env ] )
return log_oom ( ) ;
n_env + + ;
}
2020-07-19 14:11:52 +02:00
env_use = strv_env_merge ( 3 , envp , os_release_pairs , arg_setenv ) ;
2015-05-25 22:55:52 +02:00
if ( ! env_use )
return log_oom ( ) ;
2015-05-21 16:30:58 +02:00
/* Let the parent know that we are ready and
* wait until the parent is ready with the
* setup , too . . . */
2018-11-20 23:40:44 +01:00
if ( ! barrier_place_and_sync ( barrier ) ) /* #5 */
2020-09-16 22:34:43 +02:00
return log_error_errno ( SYNTHETIC_ERRNO ( ESRCH ) , " Parent died too early " ) ;
2015-05-21 16:30:58 +02:00
2016-02-02 01:52:01 +01:00
if ( arg_chdir )
if ( chdir ( arg_chdir ) < 0 )
return log_error_errno ( errno , " Failed to change to specified working directory %s: %m " , arg_chdir ) ;
2016-02-03 20:32:06 +01:00
if ( arg_start_mode = = START_PID2 ) {
2016-12-06 18:19:23 +01:00
r = stub_pid1 ( arg_uuid ) ;
2016-02-03 20:32:06 +01:00
if ( r < 0 )
return r ;
}
2020-09-16 22:34:43 +02:00
if ( arg_console_mode ! = CONSOLE_PIPE ) {
/* So far our pty wasn't controlled by any process. Finally, it's time to change that, if we
* are configured for that . Acquire it as controlling tty . */
if ( ioctl ( STDIN_FILENO , TIOCSCTTY ) < 0 )
return log_error_errno ( errno , " Failed to acquire controlling TTY: %m " ) ;
}
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
log_debug ( " Inner child completed, invoking payload. " ) ;
2018-05-22 16:51:28 +02:00
/* Now, explicitly close the log, so that we then can close all remaining fds. Closing the log explicitly first
* has the benefit that the logging subsystem knows about it , and is thus ready to be reopened should we need
* it again . Note that the other fds closed here are at least the locking and barrier fds . */
2015-05-21 16:30:58 +02:00
log_close ( ) ;
2018-05-22 16:51:28 +02:00
log_set_open_when_needed ( true ) ;
2015-05-21 16:30:58 +02:00
( void ) fdset_close_others ( fds ) ;
2016-02-03 20:32:06 +01:00
if ( arg_start_mode = = START_BOOT ) {
2015-05-21 16:30:58 +02:00
char * * a ;
size_t m ;
/* Automatically search for the init system */
2016-02-02 03:57:41 +01:00
m = strv_length ( arg_parameters ) ;
a = newa ( char * , m + 2 ) ;
memcpy_safe ( a + 1 , arg_parameters , m * sizeof ( char * ) ) ;
a [ 1 + m ] = NULL ;
2015-05-21 16:30:58 +02:00
2017-02-02 18:27:25 +01:00
a [ 0 ] = ( char * ) " /usr/lib/systemd/systemd " ;
2015-05-21 16:30:58 +02:00
execve ( a [ 0 ] , a , env_use ) ;
2017-02-02 18:27:25 +01:00
a [ 0 ] = ( char * ) " /lib/systemd/systemd " ;
2015-05-21 16:30:58 +02:00
execve ( a [ 0 ] , a , env_use ) ;
2017-02-02 18:27:25 +01:00
a [ 0 ] = ( char * ) " /sbin/init " ;
2015-05-21 16:30:58 +02:00
execve ( a [ 0 ] , a , env_use ) ;
2017-02-02 18:27:25 +01:00
exec_target = " /usr/lib/systemd/systemd, /lib/systemd/systemd, /sbin/init " ;
2017-02-01 14:36:16 +01:00
} else if ( ! strv_isempty ( arg_parameters ) ) {
2018-10-13 13:11:32 +02:00
const char * dollar_path ;
2017-02-01 14:36:16 +01:00
exec_target = arg_parameters [ 0 ] ;
2018-10-13 13:11:32 +02:00
/* Use the user supplied search $PATH if there is one, or DEFAULT_PATH_COMPAT if not to search the
* binary . */
dollar_path = strv_env_get ( env_use , " PATH " ) ;
if ( dollar_path ) {
2020-08-01 16:05:01 +02:00
if ( setenv ( " PATH " , dollar_path , 1 ) < 0 )
2018-10-13 13:11:32 +02:00
return log_error_errno ( errno , " Failed to update $PATH: %m " ) ;
}
2015-09-06 01:22:14 +02:00
execvpe ( arg_parameters [ 0 ] , arg_parameters , env_use ) ;
2017-02-01 14:36:16 +01:00
} else {
2016-02-02 01:52:01 +01:00
if ( ! arg_chdir )
2016-04-09 03:09:06 +02:00
/* If we cannot change the directory, we'll end up in /, that is expected. */
( void ) chdir ( home ? : " /root " ) ;
2016-02-02 01:52:01 +01:00
2015-05-21 16:30:58 +02:00
execle ( " /bin/bash " , " -bash " , NULL , env_use ) ;
execle ( " /bin/sh " , " -sh " , NULL , env_use ) ;
2017-02-02 18:27:25 +01:00
exec_target = " /bin/bash, /bin/sh " ;
2015-05-21 16:30:58 +02:00
}
2018-05-22 16:51:28 +02:00
return log_error_errno ( errno , " execv(%s) failed : % m " , exec_target) ;
2015-05-21 16:30:58 +02:00
}
2020-07-22 18:00:18 +02:00
static int setup_notify_child ( void ) {
2018-10-15 19:45:37 +02:00
_cleanup_close_ int fd = - 1 ;
2016-06-10 13:09:06 +02:00
union sockaddr_union sa = {
2018-10-15 13:59:07 +02:00
. un . sun_family = AF_UNIX ,
. un . sun_path = NSPAWN_NOTIFY_SOCKET_PATH ,
2016-06-10 13:09:06 +02:00
} ;
int r ;
fd = socket ( AF_UNIX , SOCK_DGRAM | SOCK_CLOEXEC | SOCK_NONBLOCK , 0 ) ;
if ( fd < 0 )
return log_error_errno ( errno , " Failed to allocate notification socket: %m " ) ;
( void ) mkdir_parents ( NSPAWN_NOTIFY_SOCKET_PATH , 0755 ) ;
2018-10-15 19:40:18 +02:00
( void ) sockaddr_un_unlink ( & sa . un ) ;
2016-06-10 13:09:06 +02:00
r = bind ( fd , & sa . sa , SOCKADDR_UN_LEN ( sa . un ) ) ;
2018-10-15 19:45:37 +02:00
if ( r < 0 )
2018-10-15 13:59:07 +02:00
return log_error_errno ( errno , " bind( " NSPAWN_NOTIFY_SOCKET_PATH " ) failed : % m " ) ;
2016-06-10 13:09:06 +02:00
2017-01-17 02:19:34 +01:00
r = userns_lchown ( NSPAWN_NOTIFY_SOCKET_PATH , 0 , 0 ) ;
2018-10-15 19:45:37 +02:00
if ( r < 0 )
2017-01-17 02:19:34 +01:00
return log_error_errno ( r , " Failed to chown " NSPAWN_NOTIFY_SOCKET_PATH " : %m " ) ;
2018-10-18 19:48:18 +02:00
r = setsockopt_int ( fd , SOL_SOCKET , SO_PASSCRED , true ) ;
2018-10-15 19:45:37 +02:00
if ( r < 0 )
2018-10-18 19:48:18 +02:00
return log_error_errno ( r , " SO_PASSCRED failed: %m " ) ;
2016-06-10 13:09:06 +02:00
2018-10-15 19:45:37 +02:00
return TAKE_FD ( fd ) ;
2016-06-10 13:09:06 +02:00
}
2015-05-21 16:30:58 +02:00
static int outer_child (
Barrier * barrier ,
const char * directory ,
2016-12-01 20:26:09 +01:00
DissectedImage * dissected_image ,
2015-05-21 16:30:58 +02:00
bool secondary ,
int pid_socket ,
2016-04-08 13:22:54 +02:00
int uuid_socket ,
2016-06-10 13:09:06 +02:00
int notify_socket ,
2015-05-21 16:30:58 +02:00
int kmsg_socket ,
int rtnl_socket ,
2015-06-30 15:41:41 +02:00
int uid_shift_socket ,
2019-06-06 10:05:33 +02:00
int master_pty_socket ,
2017-11-27 20:49:35 +01:00
int unified_cgroup_hierarchy_socket ,
2017-11-24 18:22:17 +01:00
FDSet * fds ,
int netns_fd ) {
2015-05-21 16:30:58 +02:00
2020-05-22 17:06:54 +02:00
_cleanup_strv_free_ char * * os_release_pairs = NULL ;
2018-05-07 17:59:18 +02:00
_cleanup_close_ int fd = - 1 ;
2019-11-19 23:24:52 +01:00
const char * p ;
2015-05-21 16:30:58 +02:00
pid_t pid ;
ssize_t l ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
int r ;
2015-05-21 16:30:58 +02:00
2018-07-26 17:26:18 +02:00
/* This is the "outer" child process, i.e the one forked off by the container manager itself. It already has
* its own CLONE_NEWNS namespace ( which was created by the clone ( ) ) . It still lives in the host ' s CLONE_NEWPID ,
* CLONE_NEWUTS , CLONE_NEWIPC , CLONE_NEWUSER and CLONE_NEWNET namespaces . After it completed a number of
* initializations a second child ( the " inner " one ) is forked off it , and it exits . */
2015-05-21 16:30:58 +02:00
assert ( barrier ) ;
assert ( directory ) ;
assert ( pid_socket > = 0 ) ;
2016-04-08 13:22:54 +02:00
assert ( uuid_socket > = 0 ) ;
2016-06-10 13:09:06 +02:00
assert ( notify_socket > = 0 ) ;
2019-06-06 10:05:33 +02:00
assert ( master_pty_socket > = 0 ) ;
2015-05-21 16:30:58 +02:00
assert ( kmsg_socket > = 0 ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
log_debug ( " Outer child is initializing. " ) ;
2020-05-22 17:06:54 +02:00
r = load_os_release_pairs_with_prefix ( " / " , " container_host_ " , & os_release_pairs ) ;
if ( r < 0 )
log_debug_errno ( r , " Failed to read os-release from host for container, ignoring: %m " ) ;
2015-05-21 16:30:58 +02:00
if ( prctl ( PR_SET_PDEATHSIG , SIGKILL ) < 0 )
return log_error_errno ( errno , " PR_SET_PDEATHSIG failed: %m " ) ;
r = reset_audit_loginuid ( ) ;
if ( r < 0 )
return r ;
2020-07-23 11:13:44 +02:00
/* Mark everything as slave, so that we still receive mounts from the real root, but don't propagate
* mounts to the real root . */
2020-09-22 15:51:17 +02:00
r = mount_follow_verbose ( LOG_ERR , NULL , " / " , NULL , MS_SLAVE | MS_REC , NULL ) ;
nspawn,mount-util: add [u]mount_verbose and use it in nspawn
This makes it easier to debug failed nspawn invocations:
Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")...
Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")...
Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")...
Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")...
Bind-mounting /proc/sys on /proc/sys (MS_BIND "")...
Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")...
Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")...
Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")...
Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")...
Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")...
Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
if ( r < 0 )
return r ;
2015-05-21 16:30:58 +02:00
2016-12-01 20:26:09 +01:00
if ( dissected_image ) {
2017-11-28 16:46:26 +01:00
/* If we are operating on a disk image, then mount its root directory now, but leave out the rest. We
* can read the UID shift from it if we need to . Further down we ' ll mount the rest , but then with the
* uid shift known . That way we can mount VFAT file systems shifted to the right place right away . This
* makes sure ESP partitions and userns are compatible . */
2020-08-11 15:56:12 +02:00
r = dissected_image_mount_and_warn (
dissected_image , directory , arg_uid_shift ,
DISSECT_IMAGE_MOUNT_ROOT_ONLY | DISSECT_IMAGE_DISCARD_ON_LOOP |
( arg_read_only ? DISSECT_IMAGE_READ_ONLY : DISSECT_IMAGE_FSCK ) |
( arg_start_mode = = START_BOOT ? DISSECT_IMAGE_VALIDATE_OS : 0 ) ) ;
2016-12-01 20:26:09 +01:00
if ( r < 0 )
2020-08-11 15:56:12 +02:00
return r ;
2016-12-01 20:26:09 +01:00
}
2015-05-21 16:30:58 +02:00
2015-07-03 12:30:53 +02:00
r = determine_uid_shift ( directory ) ;
if ( r < 0 )
return r ;
2016-04-22 13:02:53 +02:00
if ( arg_userns_mode ! = USER_NAMESPACE_NO ) {
2016-04-22 11:28:09 +02:00
/* Let the parent know which UID shift we read from the image */
2015-06-30 15:41:41 +02:00
l = send ( uid_shift_socket , & arg_uid_shift , sizeof ( arg_uid_shift ) , MSG_NOSIGNAL ) ;
if ( l < 0 )
return log_error_errno ( errno , " Failed to send UID shift: %m " ) ;
2018-11-20 23:40:44 +01:00
if ( l ! = sizeof ( arg_uid_shift ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) ,
" Short write while sending UID shift. " ) ;
2016-04-22 11:28:09 +02:00
2016-04-22 13:02:53 +02:00
if ( arg_userns_mode = = USER_NAMESPACE_PICK ) {
2016-04-22 11:28:09 +02:00
/* When we are supposed to pick the UID shift, the parent will check now whether the UID shift
* we just read from the image is available . If yes , it will send the UID shift back to us , if
* not it will pick a different one , and send it back to us . */
l = recv ( uid_shift_socket , & arg_uid_shift , sizeof ( arg_uid_shift ) , 0 ) ;
if ( l < 0 )
return log_error_errno ( errno , " Failed to recv UID shift: %m " ) ;
2018-11-20 23:40:44 +01:00
if ( l ! = sizeof ( arg_uid_shift ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) ,
" Short read while receiving UID shift. " ) ;
2016-04-22 11:28:09 +02:00
}
2018-09-26 23:40:39 +02:00
log_full ( arg_quiet ? LOG_DEBUG : LOG_INFO ,
" Selected user namespace base " UID_FMT " and range " UID_FMT " . " , arg_uid_shift , arg_uid_range ) ;
2015-06-30 15:41:41 +02:00
}
2019-07-25 13:03:50 +02:00
if ( path_equal ( directory , " / " ) ) {
/* If the directory we shall boot is the host, let's operate on a bind mount at a different
* place , so that we can make changes to its mount structure ( for example , to implement
* - - volatile = ) without this interfering with our ability to access files such as
* / etc / localtime to copy into the container . Note that we use a fixed place for this
* ( instead of a temporary directory , since we are living in our own mount namspace here
* already , and thus don ' t need to be afraid of colliding with anyone else ' s mounts ) . */
( void ) mkdir_p ( " /run/systemd/nspawn-root " , 0755 ) ;
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_ERR , " / " , " /run/systemd/nspawn-root " , NULL , MS_BIND | MS_REC , NULL ) ;
2019-07-25 13:03:50 +02:00
if ( r < 0 )
return r ;
directory = " /run/systemd/nspawn-root " ;
2018-12-19 01:03:52 +01:00
}
2018-12-19 01:02:47 +01:00
r = setup_pivot_root (
directory ,
arg_pivot_root_new ,
arg_pivot_root_old ) ;
if ( r < 0 )
return r ;
r = setup_volatile_mode (
directory ,
arg_volatile_mode ,
arg_uid_shift ,
2019-04-12 20:15:35 +02:00
arg_selinux_apifs_context ) ;
2018-12-19 01:02:47 +01:00
if ( r < 0 )
return r ;
2019-12-06 22:45:14 +01:00
r = mount_custom (
directory ,
arg_custom_mounts ,
arg_n_custom_mounts ,
arg_uid_shift ,
arg_selinux_apifs_context ,
MOUNT_ROOT_ONLY ) ;
if ( r < 0 )
return r ;
2019-12-07 12:43:39 +01:00
/* Make sure we always have a mount that we can move to root later on. */
if ( ! path_is_mount_point ( directory , NULL , 0 ) ) {
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_ERR , directory , directory , NULL , MS_BIND | MS_REC , NULL ) ;
2019-12-07 12:43:39 +01:00
if ( r < 0 )
return r ;
}
2017-11-28 16:46:26 +01:00
if ( dissected_image ) {
/* Now we know the uid shift, let's now mount everything else that might be in the image. */
r = dissected_image_mount ( dissected_image , directory , arg_uid_shift ,
2020-01-29 19:20:33 +01:00
DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY | DISSECT_IMAGE_DISCARD_ON_LOOP | ( arg_read_only ? DISSECT_IMAGE_READ_ONLY : DISSECT_IMAGE_FSCK ) ) ;
if ( r = = - EUCLEAN )
return log_error_errno ( r , " File system check for image failed: %m " ) ;
2017-11-28 16:46:26 +01:00
if ( r < 0 )
2020-01-29 19:20:33 +01:00
return log_error_errno ( r , " Failed to mount image file system: %m " ) ;
2017-11-28 16:46:26 +01:00
}
2017-11-27 20:49:35 +01:00
if ( arg_unified_cgroup_hierarchy = = CGROUP_UNIFIED_UNKNOWN ) {
/* OK, we don't know yet which cgroup mode to use yet. Let's figure it out, and tell the parent. */
r = detect_unified_cgroup_hierarchy_from_image ( directory ) ;
if ( r < 0 )
return r ;
l = send ( unified_cgroup_hierarchy_socket , & arg_unified_cgroup_hierarchy , sizeof ( arg_unified_cgroup_hierarchy ) , MSG_NOSIGNAL ) ;
if ( l < 0 )
return log_error_errno ( errno , " Failed to send cgroup mode: %m " ) ;
2018-11-20 23:40:44 +01:00
if ( l ! = sizeof ( arg_unified_cgroup_hierarchy ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) ,
" Short write while sending cgroup mode. " ) ;
2017-11-27 20:49:35 +01:00
unified_cgroup_hierarchy_socket = safe_close ( unified_cgroup_hierarchy_socket ) ;
}
2016-12-12 19:46:56 +01:00
/* Mark everything as shared so our mounts get propagated down. This is
* required to make new bind mounts available in systemd services
2019-04-27 02:22:40 +02:00
* inside the container that create a new mount namespace .
2016-12-12 19:46:56 +01:00
* See https : //github.com/systemd/systemd/issues/3860
* Further submounts ( such as / dev ) done after this will inherit the
2019-12-06 22:45:14 +01:00
* shared propagation mode .
*
* IMPORTANT : Do not overmount the root directory anymore from now on to
* enable moving the root directory mount to root later on .
* https : //github.com/systemd/systemd/issues/3847#issuecomment-562735251
*/
2020-09-22 15:51:17 +02:00
r = mount_nofollow_verbose ( LOG_ERR , NULL , directory , NULL , MS_SHARED | MS_REC , NULL ) ;
2016-12-12 19:46:56 +01:00
if ( r < 0 )
return r ;
r = recursive_chown ( directory , arg_uid_shift , arg_uid_range ) ;
if ( r < 0 )
return r ;
2015-05-21 16:30:58 +02:00
r = base_filesystem_create ( directory , arg_uid_shift , ( gid_t ) arg_uid_shift ) ;
if ( r < 0 )
return r ;
2019-12-23 11:50:02 +01:00
if ( arg_read_only & & arg_volatile_mode = = VOLATILE_NO & &
! has_custom_root_mount ( arg_custom_mounts , arg_n_custom_mounts ) ) {
2019-03-25 17:04:38 +01:00
r = bind_remount_recursive ( directory , MS_RDONLY , MS_RDONLY , NULL ) ;
2015-05-21 16:30:58 +02:00
if ( r < 0 )
return log_error_errno ( r , " Failed to make tree read-only: %m " ) ;
}
2016-04-22 13:02:53 +02:00
r = mount_all ( directory ,
2016-10-14 14:00:15 +02:00
arg_mount_settings ,
2016-04-22 13:02:53 +02:00
arg_uid_shift ,
arg_selinux_apifs_context ) ;
2015-05-21 16:30:58 +02:00
if ( r < 0 )
return r ;
2015-09-08 01:17:15 +02:00
r = copy_devnodes ( directory ) ;
if ( r < 0 )
2015-05-21 16:30:58 +02:00
return r ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
r = make_extra_nodes ( directory ) ;
if ( r < 0 )
return r ;
( void ) dev_setup ( directory , arg_uid_shift , arg_uid_shift ) ;
2019-11-19 23:24:52 +01:00
2020-08-14 18:56:54 +02:00
p = prefix_roota ( directory , " /run/host " ) ;
2019-11-19 23:24:52 +01:00
( void ) make_inaccessible_nodes ( p , arg_uid_shift , arg_uid_shift ) ;
2015-05-21 16:30:58 +02:00
2015-09-08 01:17:15 +02:00
r = setup_pts ( directory ) ;
if ( r < 0 )
2015-05-21 16:30:58 +02:00
return r ;
r = setup_propagate ( directory ) ;
if ( r < 0 )
return r ;
2017-09-21 14:02:31 +02:00
r = setup_keyring ( ) ;
if ( r < 0 )
return r ;
2020-07-23 08:47:08 +02:00
r = setup_credentials ( directory ) ;
if ( r < 0 )
return r ;
2020-05-04 18:57:40 +02:00
r = mount_custom (
directory ,
arg_custom_mounts ,
arg_n_custom_mounts ,
arg_uid_shift ,
arg_selinux_apifs_context ,
MOUNT_NON_ROOT_ONLY ) ;
if ( r < 0 )
return r ;
2015-05-21 16:30:58 +02:00
r = setup_timezone ( directory ) ;
if ( r < 0 )
return r ;
r = setup_resolv_conf ( directory ) ;
if ( r < 0 )
return r ;
2016-04-08 13:22:54 +02:00
r = setup_machine_id ( directory ) ;
if ( r < 0 )
return r ;
2015-05-21 16:30:58 +02:00
r = setup_journal ( directory ) ;
if ( r < 0 )
return r ;
2020-08-14 19:58:37 +02:00
/* The same stuff as the $container env var, but nicely readable for the entire payload */
p = prefix_roota ( directory , " /run/host/container-manager " ) ;
( void ) write_string_file ( p , arg_container_service_name , WRITE_STRING_FILE_CREATE ) ;
/* The same stuff as the $container_uuid env var */
p = prefix_roota ( directory , " /run/host/container-uuid " ) ;
( void ) write_string_filef ( p , WRITE_STRING_FILE_CREATE , SD_ID128_UUID_FORMAT_STR , SD_ID128_FORMAT_VAL ( arg_uuid ) ) ;
2018-12-11 12:00:06 +01:00
if ( ! arg_use_cgns ) {
2016-06-23 13:41:56 +02:00
r = mount_cgroups (
directory ,
arg_unified_cgroup_hierarchy ,
arg_userns_mode ! = USER_NAMESPACE_NO ,
arg_uid_shift ,
arg_uid_range ,
2016-07-26 16:49:15 +02:00
arg_selinux_apifs_context ,
2016-10-10 22:12:50 +02:00
false ) ;
2016-06-23 13:41:56 +02:00
if ( r < 0 )
return r ;
}
2015-05-21 16:30:58 +02:00
r = mount_move_root ( directory ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to move root directory: %m " ) ;
2020-07-22 18:00:18 +02:00
fd = setup_notify_child ( ) ;
2016-06-10 13:09:06 +02:00
if ( fd < 0 )
return fd ;
2015-05-21 16:30:58 +02:00
pid = raw_clone ( SIGCHLD | CLONE_NEWNS |
2016-08-26 00:08:26 +02:00
arg_clone_ns_flags |
2016-05-30 02:03:51 +02:00
( arg_userns_mode ! = USER_NAMESPACE_NO ? CLONE_NEWUSER : 0 ) ) ;
2015-05-21 16:30:58 +02:00
if ( pid < 0 )
return log_error_errno ( errno , " Failed to fork inner child: %m " ) ;
if ( pid = = 0 ) {
pid_socket = safe_close ( pid_socket ) ;
2016-04-08 13:22:54 +02:00
uuid_socket = safe_close ( uuid_socket ) ;
2016-06-10 13:09:06 +02:00
notify_socket = safe_close ( notify_socket ) ;
2015-06-30 15:41:41 +02:00
uid_shift_socket = safe_close ( uid_shift_socket ) ;
2015-05-21 16:30:58 +02:00
2020-07-23 11:13:44 +02:00
/* The inner child has all namespaces that are requested, so that we all are owned by the
* user if user namespaces are turned on . */
2015-05-21 16:30:58 +02:00
2017-11-24 18:22:17 +01:00
if ( arg_network_namespace_path ) {
r = namespace_enter ( - 1 , - 1 , netns_fd , - 1 , - 1 ) ;
if ( r < 0 )
2018-10-31 16:17:22 +01:00
return log_error_errno ( r , " Failed to join network namespace: %m " ) ;
2017-11-24 18:22:17 +01:00
}
2020-05-22 17:06:54 +02:00
r = inner_child ( barrier , directory , secondary , kmsg_socket , rtnl_socket , master_pty_socket , fds , os_release_pairs ) ;
2015-05-21 16:30:58 +02:00
if ( r < 0 )
_exit ( EXIT_FAILURE ) ;
_exit ( EXIT_SUCCESS ) ;
}
l = send ( pid_socket , & pid , sizeof ( pid ) , MSG_NOSIGNAL ) ;
if ( l < 0 )
return log_error_errno ( errno , " Failed to send PID: %m " ) ;
2018-11-20 23:40:44 +01:00
if ( l ! = sizeof ( pid ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) ,
" Short write while sending PID. " ) ;
2015-05-21 16:30:58 +02:00
2016-04-08 13:22:54 +02:00
l = send ( uuid_socket , & arg_uuid , sizeof ( arg_uuid ) , MSG_NOSIGNAL ) ;
if ( l < 0 )
return log_error_errno ( errno , " Failed to send machine ID: %m " ) ;
2018-11-20 23:40:44 +01:00
if ( l ! = sizeof ( arg_uuid ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) ,
" Short write while sending machine ID. " ) ;
2016-04-08 13:22:54 +02:00
2016-06-10 13:09:06 +02:00
l = send_one_fd ( notify_socket , fd , 0 ) ;
if ( l < 0 )
2019-06-06 15:58:14 +02:00
return log_error_errno ( l , " Failed to send notify fd: %m " ) ;
2016-06-10 13:09:06 +02:00
2015-05-21 16:30:58 +02:00
pid_socket = safe_close ( pid_socket ) ;
2016-04-08 13:22:54 +02:00
uuid_socket = safe_close ( uuid_socket ) ;
2016-06-10 13:09:06 +02:00
notify_socket = safe_close ( notify_socket ) ;
2019-06-06 10:05:33 +02:00
master_pty_socket = safe_close ( master_pty_socket ) ;
2015-05-27 13:52:31 +02:00
kmsg_socket = safe_close ( kmsg_socket ) ;
rtnl_socket = safe_close ( rtnl_socket ) ;
2017-11-24 18:22:17 +01:00
netns_fd = safe_close ( netns_fd ) ;
2015-05-21 16:30:58 +02:00
return 0 ;
}
2016-04-22 11:28:09 +02:00
static int uid_shift_pick ( uid_t * shift , LockFile * ret_lock_file ) {
2017-11-24 20:57:19 +01:00
bool tried_hashed = false ;
2016-04-22 11:28:09 +02:00
unsigned n_tries = 100 ;
uid_t candidate ;
int r ;
assert ( shift ) ;
assert ( ret_lock_file ) ;
2016-04-22 13:02:53 +02:00
assert ( arg_userns_mode = = USER_NAMESPACE_PICK ) ;
2016-04-22 11:28:09 +02:00
assert ( arg_uid_range = = 0x10000U ) ;
candidate = * shift ;
( void ) mkdir ( " /run/systemd/nspawn-uid " , 0755 ) ;
for ( ; ; ) {
2017-12-14 19:02:29 +01:00
char lock_path [ STRLEN ( " /run/systemd/nspawn-uid/ " ) + DECIMAL_STR_MAX ( uid_t ) + 1 ] ;
tree-wide: drop redundant _cleanup_ macros (#8810)
This drops a good number of type-specific _cleanup_ macros, and patches
all users to just use the generic ones.
In most recent code we abstained from defining type-specific macros, and
this basically removes all those added already, with the exception of
the really low-level ones.
Having explicit macros for this is not too useful, as the expression
without the extra macro is generally just 2ch wider. We should generally
emphesize generic code, unless there are really good reasons for
specific code, hence let's follow this in this case too.
Note that _cleanup_free_ and similar really low-level, libc'ish, Linux
API'ish macros continue to be defined, only the really high-level OO
ones are dropped. From now on this should really be the rule: for really
low-level stuff, such as memory allocation, fd handling and so one, go
ahead and define explicit per-type macros, but for high-level, specific
program code, just use the generic _cleanup_() macro directly, in order
to keep things simple and as readable as possible for the uninitiated.
Note that before this patch some of the APIs (notable libudev ones) were
already used with the high-level macros at some places and with the
generic _cleanup_ macro at others. With this patch we hence unify on the
latter.
2018-04-25 12:31:45 +02:00
_cleanup_ ( release_lock_file ) LockFile lf = LOCK_FILE_INIT ;
2016-04-22 11:28:09 +02:00
if ( - - n_tries < = 0 )
return - EBUSY ;
2017-12-02 12:48:31 +01:00
if ( candidate < CONTAINER_UID_BASE_MIN | | candidate > CONTAINER_UID_BASE_MAX )
2016-04-22 11:28:09 +02:00
goto next ;
if ( ( candidate & UINT32_C ( 0xFFFF ) ) ! = 0 )
goto next ;
xsprintf ( lock_path , " /run/systemd/nspawn-uid/ " UID_FMT , candidate ) ;
r = make_lock_file ( lock_path , LOCK_EX | LOCK_NB , & lf ) ;
if ( r = = - EBUSY ) /* Range already taken by another nspawn instance */
goto next ;
if ( r < 0 )
return r ;
/* Make some superficial checks whether the range is currently known in the user database */
if ( getpwuid ( candidate ) )
goto next ;
if ( getpwuid ( candidate + UINT32_C ( 0xFFFE ) ) )
goto next ;
if ( getgrgid ( candidate ) )
goto next ;
if ( getgrgid ( candidate + UINT32_C ( 0xFFFE ) ) )
goto next ;
* ret_lock_file = lf ;
lf = ( struct LockFile ) LOCK_FILE_INIT ;
* shift = candidate ;
return 0 ;
next :
2017-11-24 20:57:19 +01:00
if ( arg_machine & & ! tried_hashed ) {
/* Try to hash the base from the container name */
static const uint8_t hash_key [ ] = {
0xe1 , 0x56 , 0xe0 , 0xf0 , 0x4a , 0xf0 , 0x41 , 0xaf ,
0x96 , 0x41 , 0xcf , 0x41 , 0x33 , 0x94 , 0xff , 0x72
} ;
candidate = ( uid_t ) siphash24 ( arg_machine , strlen ( arg_machine ) , hash_key ) ;
tried_hashed = true ;
} else
random_bytes ( & candidate , sizeof ( candidate ) ) ;
2017-12-02 12:48:31 +01:00
candidate = ( candidate % ( CONTAINER_UID_BASE_MAX - CONTAINER_UID_BASE_MIN ) ) + CONTAINER_UID_BASE_MIN ;
2016-04-22 11:28:09 +02:00
candidate & = ( uid_t ) UINT32_C ( 0xFFFF0000 ) ;
}
}
2015-05-21 16:30:58 +02:00
static int setup_uid_map ( pid_t pid ) {
2017-12-14 19:02:29 +01:00
char uid_map [ STRLEN ( " /proc//uid_map " ) + DECIMAL_STR_MAX ( uid_t ) + 1 ] , line [ DECIMAL_STR_MAX ( uid_t ) * 3 + 3 + 1 ] ;
2015-05-21 16:30:58 +02:00
int r ;
assert ( pid > 1 ) ;
xsprintf ( uid_map , " /proc/ " PID_FMT " /uid_map " , pid ) ;
xsprintf ( line , UID_FMT " " UID_FMT " " UID_FMT " \n " , 0 , arg_uid_shift , arg_uid_range ) ;
2018-11-06 13:00:07 +01:00
r = write_string_file ( uid_map , line , WRITE_STRING_FILE_DISABLE_BUFFER ) ;
2015-05-21 16:30:58 +02:00
if ( r < 0 )
return log_error_errno ( r , " Failed to write UID map: %m " ) ;
/* We always assign the same UID and GID ranges */
xsprintf ( uid_map , " /proc/ " PID_FMT " /gid_map " , pid ) ;
2018-11-06 13:00:07 +01:00
r = write_string_file ( uid_map , line , WRITE_STRING_FILE_DISABLE_BUFFER ) ;
2015-05-21 16:30:58 +02:00
if ( r < 0 )
return log_error_errno ( r , " Failed to write GID map: %m " ) ;
return 0 ;
}
2016-06-10 13:09:06 +02:00
static int nspawn_dispatch_notify_fd ( sd_event_source * source , int fd , uint32_t revents , void * userdata ) {
char buf [ NOTIFY_BUFFER_MAX + 1 ] ;
char * p = NULL ;
struct iovec iovec = {
. iov_base = buf ,
. iov_len = sizeof ( buf ) - 1 ,
} ;
2020-04-24 23:54:25 +02:00
CMSG_BUFFER_TYPE ( CMSG_SPACE ( sizeof ( struct ucred ) ) +
CMSG_SPACE ( sizeof ( int ) * NOTIFY_FD_MAX ) ) control ;
2016-06-10 13:09:06 +02:00
struct msghdr msghdr = {
. msg_iov = & iovec ,
. msg_iovlen = 1 ,
. msg_control = & control ,
. msg_controllen = sizeof ( control ) ,
} ;
2020-04-17 11:52:48 +02:00
struct ucred * ucred ;
2016-06-10 13:09:06 +02:00
ssize_t n ;
pid_t inner_child_pid ;
_cleanup_strv_free_ char * * tags = NULL ;
assert ( userdata ) ;
inner_child_pid = PTR_TO_PID ( userdata ) ;
if ( revents ! = EPOLLIN ) {
log_warning ( " Got unexpected poll event for notify fd. " ) ;
return 0 ;
}
tree-wide: use recvmsg_safe() at various places
Let's be extra careful whenever we return from recvmsg() and see
MSG_CTRUNC set. This generally means we ran into a programming error, as
we didn't size the control buffer large enough. It's an error condition
we should at least log about, or propagate up. Hence do that.
This is particularly important when receiving fds, since for those the
control data can be of any size. In particular on stream sockets that's
nasty, because if we miss an fd because of control data truncation we
cannot recover, we might not even realize that we are one off.
(Also, when failing early, if there's any chance the socket might be
AF_UNIX let's close all received fds, all the time. We got this right
most of the time, but there were a few cases missing. God, UNIX is hard
to use)
2020-04-23 09:40:03 +02:00
n = recvmsg_safe ( fd , & msghdr , MSG_DONTWAIT | MSG_CMSG_CLOEXEC ) ;
if ( IN_SET ( n , - EAGAIN , - EINTR ) )
return 0 ;
if ( n < 0 )
return log_warning_errno ( n , " Couldn't read notification socket: %m " ) ;
2016-06-10 13:09:06 +02:00
cmsg_close_all ( & msghdr ) ;
2020-04-17 11:52:48 +02:00
ucred = CMSG_FIND_DATA ( & msghdr , SOL_SOCKET , SCM_CREDENTIALS , struct ucred ) ;
2016-06-10 13:09:06 +02:00
if ( ! ucred | | ucred - > pid ! = inner_child_pid ) {
2017-07-20 20:46:58 +02:00
log_debug ( " Received notify message without valid credentials. Ignoring. " ) ;
2016-06-10 13:09:06 +02:00
return 0 ;
}
if ( ( size_t ) n > = sizeof ( buf ) ) {
log_warning ( " Received notify message exceeded maximum size. Ignoring. " ) ;
return 0 ;
}
buf [ n ] = 0 ;
tags = strv_split ( buf , " \n \r " ) ;
if ( ! tags )
return log_oom ( ) ;
if ( strv_find ( tags , " READY=1 " ) )
2019-03-21 16:32:31 +01:00
( void ) sd_notifyf ( false , " READY=1 \n " ) ;
2016-06-10 13:09:06 +02:00
p = strv_find_startswith ( tags , " STATUS= " ) ;
if ( p )
2019-03-21 16:32:31 +01:00
( void ) sd_notifyf ( false , " STATUS=Container running: %s " , p ) ;
2016-06-10 13:09:06 +02:00
return 0 ;
}
2020-07-22 18:00:18 +02:00
static int setup_notify_parent ( sd_event * event , int fd , pid_t * inner_child_pid , sd_event_source * * notify_event_source ) {
2016-06-10 13:09:06 +02:00
int r ;
2016-12-21 18:36:15 +01:00
r = sd_event_add_io ( event , notify_event_source , fd , EPOLLIN , nspawn_dispatch_notify_fd , inner_child_pid ) ;
2016-06-10 13:09:06 +02:00
if ( r < 0 )
return log_error_errno ( r , " Failed to allocate notify event source: %m " ) ;
2016-12-21 18:36:15 +01:00
( void ) sd_event_source_set_description ( * notify_event_source , " nspawn-notify " ) ;
2016-06-10 13:09:06 +02:00
return 0 ;
}
2018-05-07 21:57:00 +02:00
static int merge_settings ( Settings * settings , const char * path ) {
int rl ;
2015-09-06 01:22:14 +02:00
2018-05-07 21:57:00 +02:00
assert ( settings ) ;
assert ( path ) ;
2015-09-06 01:22:14 +02:00
2018-05-07 21:57:00 +02:00
/* Copy over bits from the settings, unless they have been explicitly masked by command line switches. Note
* that this steals the fields of the Settings * structure , and hence modifies it . */
2015-09-06 01:22:14 +02:00
2016-02-03 20:32:06 +01:00
if ( ( arg_settings_mask & SETTING_START_MODE ) = = 0 & &
settings - > start_mode > = 0 ) {
arg_start_mode = settings - > start_mode ;
2018-05-09 17:34:46 +02:00
strv_free_and_replace ( arg_parameters , settings - > parameters ) ;
2015-09-06 01:22:14 +02:00
}
2018-10-22 19:26:05 +02:00
if ( ( arg_settings_mask & SETTING_EPHEMERAL ) = = 0 )
arg_ephemeral = settings - > ephemeral ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( ( arg_settings_mask & SETTING_DIRECTORY ) = = 0 & &
settings - > root ) {
if ( ! arg_settings_trusted )
log_warning ( " Ignoring root directory setting, file %s is not trusted. " , path ) ;
else
free_and_replace ( arg_directory , settings - > root ) ;
}
2017-02-08 16:54:31 +01:00
if ( ( arg_settings_mask & SETTING_PIVOT_ROOT ) = = 0 & &
settings - > pivot_root_new ) {
free_and_replace ( arg_pivot_root_new , settings - > pivot_root_new ) ;
free_and_replace ( arg_pivot_root_old , settings - > pivot_root_old ) ;
}
2016-02-02 01:52:01 +01:00
if ( ( arg_settings_mask & SETTING_WORKING_DIRECTORY ) = = 0 & &
2018-04-05 07:26:26 +02:00
settings - > working_directory )
free_and_replace ( arg_chdir , settings - > working_directory ) ;
2016-02-02 01:52:01 +01:00
2015-09-06 01:22:14 +02:00
if ( ( arg_settings_mask & SETTING_ENVIRONMENT ) = = 0 & &
2018-05-09 17:34:46 +02:00
settings - > environment )
strv_free_and_replace ( arg_setenv , settings - > environment ) ;
2015-09-06 01:22:14 +02:00
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( ( arg_settings_mask & SETTING_USER ) = = 0 ) {
if ( settings - > user )
free_and_replace ( arg_user , settings - > user ) ;
if ( uid_is_valid ( settings - > uid ) )
arg_uid = settings - > uid ;
if ( gid_is_valid ( settings - > gid ) )
arg_gid = settings - > gid ;
if ( settings - > n_supplementary_gids > 0 ) {
free_and_replace ( arg_supplementary_gids , settings - > supplementary_gids ) ;
arg_n_supplementary_gids = settings - > n_supplementary_gids ;
}
}
2015-09-06 01:22:14 +02:00
if ( ( arg_settings_mask & SETTING_CAPABILITY ) = = 0 ) {
2019-03-15 15:31:44 +01:00
uint64_t plus , minus ;
2019-11-12 08:36:06 +01:00
uint64_t network_minus = 0 ;
2020-12-04 11:27:12 +01:00
uint64_t ambient ;
2015-09-06 01:22:14 +02:00
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
/* Note that we copy both the simple plus/minus caps here, and the full quintet from the
* Settings structure */
2015-10-22 00:59:18 +02:00
plus = settings - > capability ;
2019-03-15 15:31:44 +01:00
minus = settings - > drop_capability ;
if ( ( arg_settings_mask & SETTING_NETWORK ) = = 0 ) {
if ( settings_private_network ( settings ) )
plus | = UINT64_C ( 1 ) < < CAP_NET_ADMIN ;
else
2019-11-12 08:36:06 +01:00
network_minus | = UINT64_C ( 1 ) < < CAP_NET_ADMIN ;
2019-03-15 15:31:44 +01:00
}
2015-10-22 00:59:18 +02:00
if ( ! arg_settings_trusted & & plus ! = 0 ) {
if ( settings - > capability ! = 0 )
2018-05-07 21:57:00 +02:00
log_warning ( " Ignoring Capability= setting, file %s is not trusted. " , path ) ;
2019-11-12 08:36:06 +01:00
} else {
arg_caps_retain & = ~ network_minus ;
2016-05-26 13:06:55 +02:00
arg_caps_retain | = plus ;
2019-11-12 08:36:06 +01:00
}
2015-09-06 01:22:14 +02:00
2019-03-15 15:31:44 +01:00
arg_caps_retain & = ~ minus ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
/* Copy the full capabilities over too */
if ( capability_quintet_is_set ( & settings - > full_capabilities ) ) {
if ( ! arg_settings_trusted )
2019-04-27 02:22:40 +02:00
log_warning ( " Ignoring capability settings, file %s is not trusted. " , path ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
else
arg_full_capabilities = settings - > full_capabilities ;
}
2020-12-04 11:27:12 +01:00
ambient = settings - > ambient_capability ;
if ( ! arg_settings_trusted & & ambient ! = 0 )
log_warning ( " Ignoring AmbientCapability= setting, file %s is not trusted. " , path ) ;
else
arg_caps_ambient | = ambient ;
2015-09-06 01:22:14 +02:00
}
if ( ( arg_settings_mask & SETTING_KILL_SIGNAL ) = = 0 & &
settings - > kill_signal > 0 )
arg_kill_signal = settings - > kill_signal ;
if ( ( arg_settings_mask & SETTING_PERSONALITY ) = = 0 & &
settings - > personality ! = PERSONALITY_INVALID )
arg_personality = settings - > personality ;
if ( ( arg_settings_mask & SETTING_MACHINE_ID ) = = 0 & &
! sd_id128_is_null ( settings - > machine_id ) ) {
if ( ! arg_settings_trusted )
2018-05-07 21:57:00 +02:00
log_warning ( " Ignoring MachineID= setting, file %s is not trusted. " , path ) ;
2015-09-06 01:22:14 +02:00
else
arg_uuid = settings - > machine_id ;
}
if ( ( arg_settings_mask & SETTING_READ_ONLY ) = = 0 & &
settings - > read_only > = 0 )
arg_read_only = settings - > read_only ;
if ( ( arg_settings_mask & SETTING_VOLATILE_MODE ) = = 0 & &
settings - > volatile_mode ! = _VOLATILE_MODE_INVALID )
arg_volatile_mode = settings - > volatile_mode ;
if ( ( arg_settings_mask & SETTING_CUSTOM_MOUNTS ) = = 0 & &
settings - > n_custom_mounts > 0 ) {
if ( ! arg_settings_trusted )
2018-05-07 21:57:00 +02:00
log_warning ( " Ignoring TemporaryFileSystem=, Bind= and BindReadOnly= settings, file %s is not trusted. " , path ) ;
2015-09-06 01:22:14 +02:00
else {
custom_mount_free_all ( arg_custom_mounts , arg_n_custom_mounts ) ;
2018-04-05 07:26:26 +02:00
arg_custom_mounts = TAKE_PTR ( settings - > custom_mounts ) ;
2015-09-06 01:22:14 +02:00
arg_n_custom_mounts = settings - > n_custom_mounts ;
settings - > n_custom_mounts = 0 ;
}
}
if ( ( arg_settings_mask & SETTING_NETWORK ) = = 0 & &
( settings - > private_network > = 0 | |
settings - > network_veth > = 0 | |
settings - > network_bridge | |
2016-05-06 21:00:27 +02:00
settings - > network_zone | |
2015-09-06 01:22:14 +02:00
settings - > network_interfaces | |
settings - > network_macvlan | |
2015-11-12 21:54:28 +01:00
settings - > network_ipvlan | |
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
settings - > network_veth_extra | |
settings - > network_namespace_path ) ) {
2015-09-06 01:22:14 +02:00
if ( ! arg_settings_trusted )
2018-05-07 21:57:00 +02:00
log_warning ( " Ignoring network settings, file %s is not trusted. " , path ) ;
2015-09-06 01:22:14 +02:00
else {
2015-11-12 21:54:28 +01:00
arg_network_veth = settings_network_veth ( settings ) ;
2015-10-22 00:59:18 +02:00
arg_private_network = settings_private_network ( settings ) ;
2018-05-09 17:34:46 +02:00
strv_free_and_replace ( arg_network_interfaces , settings - > network_interfaces ) ;
strv_free_and_replace ( arg_network_macvlan , settings - > network_macvlan ) ;
strv_free_and_replace ( arg_network_ipvlan , settings - > network_ipvlan ) ;
strv_free_and_replace ( arg_network_veth_extra , settings - > network_veth_extra ) ;
2015-11-12 21:54:28 +01:00
2018-04-05 07:26:26 +02:00
free_and_replace ( arg_network_bridge , settings - > network_bridge ) ;
free_and_replace ( arg_network_zone , settings - > network_zone ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
free_and_replace ( arg_network_namespace_path , settings - > network_namespace_path ) ;
2015-09-06 01:22:14 +02:00
}
}
if ( ( arg_settings_mask & SETTING_EXPOSE_PORTS ) = = 0 & &
settings - > expose_ports ) {
if ( ! arg_settings_trusted )
2018-05-07 21:57:00 +02:00
log_warning ( " Ignoring Port= setting, file %s is not trusted. " , path ) ;
2015-09-06 01:22:14 +02:00
else {
expose_port_free_all ( arg_expose_ports ) ;
2018-04-05 07:26:26 +02:00
arg_expose_ports = TAKE_PTR ( settings - > expose_ports ) ;
2015-09-06 01:22:14 +02:00
}
}
2016-04-22 13:02:53 +02:00
if ( ( arg_settings_mask & SETTING_USERNS ) = = 0 & &
settings - > userns_mode ! = _USER_NAMESPACE_MODE_INVALID ) {
if ( ! arg_settings_trusted )
2018-05-07 21:57:00 +02:00
log_warning ( " Ignoring PrivateUsers= and PrivateUsersChown= settings, file %s is not trusted. " , path ) ;
2016-04-22 13:02:53 +02:00
else {
arg_userns_mode = settings - > userns_mode ;
arg_uid_shift = settings - > uid_shift ;
arg_uid_range = settings - > uid_range ;
arg_userns_chown = settings - > userns_chown ;
}
}
2016-06-10 13:09:06 +02:00
if ( ( arg_settings_mask & SETTING_NOTIFY_READY ) = = 0 )
arg_notify_ready = settings - > notify_ready ;
2017-09-11 17:45:21 +02:00
if ( ( arg_settings_mask & SETTING_SYSCALL_FILTER ) = = 0 ) {
2020-06-23 08:31:16 +02:00
if ( ! arg_settings_trusted & & ! strv_isempty ( settings - > syscall_allow_list ) )
2018-05-07 21:57:00 +02:00
log_warning ( " Ignoring SystemCallFilter= settings, file %s is not trusted. " , path ) ;
2017-09-11 17:45:21 +02:00
else {
2020-06-23 08:31:16 +02:00
strv_free_and_replace ( arg_syscall_allow_list , settings - > syscall_allow_list ) ;
strv_free_and_replace ( arg_syscall_deny_list , settings - > syscall_deny_list ) ;
2017-09-11 17:45:21 +02:00
}
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
# if HAVE_SECCOMP
if ( ! arg_settings_trusted & & settings - > seccomp )
log_warning ( " Ignoring SECCOMP filter, file %s is not trusted. " , path ) ;
else {
seccomp_release ( arg_seccomp ) ;
arg_seccomp = TAKE_PTR ( settings - > seccomp ) ;
}
# endif
2017-09-11 17:45:21 +02:00
}
2018-05-07 17:59:18 +02:00
for ( rl = 0 ; rl < _RLIMIT_MAX ; rl + + ) {
if ( ( arg_settings_mask & ( SETTING_RLIMIT_FIRST < < rl ) ) )
continue ;
if ( ! settings - > rlimit [ rl ] )
continue ;
if ( ! arg_settings_trusted ) {
2018-05-07 21:57:00 +02:00
log_warning ( " Ignoring Limit%s= setting, file '%s' is not trusted. " , rlimit_to_string ( rl ) , path ) ;
2018-05-07 17:59:18 +02:00
continue ;
}
free_and_replace ( arg_rlimit [ rl ] , settings - > rlimit [ rl ] ) ;
}
2018-05-07 18:37:32 +02:00
if ( ( arg_settings_mask & SETTING_HOSTNAME ) = = 0 & &
settings - > hostname )
free_and_replace ( arg_hostname , settings - > hostname ) ;
2018-05-07 19:35:48 +02:00
if ( ( arg_settings_mask & SETTING_NO_NEW_PRIVILEGES ) = = 0 & &
settings - > no_new_privileges > = 0 )
arg_no_new_privileges = settings - > no_new_privileges ;
2018-05-07 21:17:09 +02:00
if ( ( arg_settings_mask & SETTING_OOM_SCORE_ADJUST ) = = 0 & &
settings - > oom_score_adjust_set ) {
if ( ! arg_settings_trusted )
2018-05-07 21:57:00 +02:00
log_warning ( " Ignoring OOMScoreAdjust= setting, file '%s' is not trusted. " , path ) ;
2018-05-07 21:17:09 +02:00
else {
arg_oom_score_adjust = settings - > oom_score_adjust ;
arg_oom_score_adjust_set = true ;
}
}
2018-05-07 21:47:15 +02:00
if ( ( arg_settings_mask & SETTING_CPU_AFFINITY ) = = 0 & &
2019-05-21 08:45:19 +02:00
settings - > cpu_set . set ) {
2018-05-07 21:47:15 +02:00
if ( ! arg_settings_trusted )
2018-05-07 21:57:00 +02:00
log_warning ( " Ignoring CPUAffinity= setting, file '%s' is not trusted. " , path ) ;
2018-05-07 21:47:15 +02:00
else {
2019-05-21 08:45:19 +02:00
cpu_set_reset ( & arg_cpu_set ) ;
arg_cpu_set = settings - > cpu_set ;
settings - > cpu_set = ( CPUSet ) { } ;
2018-05-07 21:47:15 +02:00
}
}
2018-05-12 21:50:57 +02:00
if ( ( arg_settings_mask & SETTING_RESOLV_CONF ) = = 0 & &
settings - > resolv_conf ! = _RESOLV_CONF_MODE_INVALID )
arg_resolv_conf = settings - > resolv_conf ;
2018-05-12 22:17:16 +02:00
if ( ( arg_settings_mask & SETTING_LINK_JOURNAL ) = = 0 & &
settings - > link_journal ! = _LINK_JOURNAL_INVALID ) {
if ( ! arg_settings_trusted )
log_warning ( " Ignoring journal link setting, file '%s' is not trusted. " , path ) ;
else {
arg_link_journal = settings - > link_journal ;
arg_link_journal_try = settings - > link_journal_try ;
}
}
2018-05-17 05:43:03 +02:00
if ( ( arg_settings_mask & SETTING_TIMEZONE ) = = 0 & &
settings - > timezone ! = _TIMEZONE_MODE_INVALID )
arg_timezone = settings - > timezone ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( ( arg_settings_mask & SETTING_SLICE ) = = 0 & &
settings - > slice ) {
if ( ! arg_settings_trusted )
log_warning ( " Ignoring slice setting, file '%s' is not trusted. " , path ) ;
else
free_and_replace ( arg_slice , settings - > slice ) ;
}
if ( ( arg_settings_mask & SETTING_USE_CGNS ) = = 0 & &
settings - > use_cgns > = 0 ) {
if ( ! arg_settings_trusted )
log_warning ( " Ignoring cgroup namespace setting, file '%s' is not trusted. " , path ) ;
else
arg_use_cgns = settings - > use_cgns ;
}
if ( ( arg_settings_mask & SETTING_CLONE_NS_FLAGS ) = = 0 & &
settings - > clone_ns_flags ! = ( unsigned long ) - 1 ) {
if ( ! arg_settings_trusted )
log_warning ( " Ignoring namespace setting, file '%s' is not trusted. " , path ) ;
else
arg_clone_ns_flags = settings - > clone_ns_flags ;
}
if ( ( arg_settings_mask & SETTING_CONSOLE_MODE ) = = 0 & &
settings - > console_mode > = 0 ) {
if ( ! arg_settings_trusted )
log_warning ( " Ignoring console mode setting, file '%s' is not trusted. " , path ) ;
else
arg_console_mode = settings - > console_mode ;
}
/* The following properties can only be set through the OCI settings logic, not from the command line, hence we
* don ' t consult arg_settings_mask for them . */
sd_bus_message_unref ( arg_property_message ) ;
arg_property_message = TAKE_PTR ( settings - > properties ) ;
arg_console_width = settings - > console_width ;
arg_console_height = settings - > console_height ;
2019-03-22 17:23:49 +01:00
device_node_array_free ( arg_extra_nodes , arg_n_extra_nodes ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
arg_extra_nodes = TAKE_PTR ( settings - > extra_nodes ) ;
arg_n_extra_nodes = settings - > n_extra_nodes ;
2015-09-06 01:22:14 +02:00
return 0 ;
}
2018-05-07 21:57:00 +02:00
static int load_settings ( void ) {
_cleanup_ ( settings_freep ) Settings * settings = NULL ;
_cleanup_fclose_ FILE * f = NULL ;
_cleanup_free_ char * p = NULL ;
const char * fn , * i ;
int r ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( arg_oci_bundle )
return 0 ;
2018-05-07 21:57:00 +02:00
/* If all settings are masked, there's no point in looking for
* the settings file */
2020-10-09 14:59:44 +02:00
if ( FLAGS_SET ( arg_settings_mask , _SETTINGS_MASK_ALL ) )
2018-05-07 21:57:00 +02:00
return 0 ;
fn = strjoina ( arg_machine , " .nspawn " ) ;
/* We first look in the admin's directories in /etc and /run */
FOREACH_STRING ( i , " /etc/systemd/nspawn " , " /run/systemd/nspawn " ) {
_cleanup_free_ char * j = NULL ;
2019-06-20 20:07:01 +02:00
j = path_join ( i , fn ) ;
2018-05-07 21:57:00 +02:00
if ( ! j )
return log_oom ( ) ;
f = fopen ( j , " re " ) ;
if ( f ) {
p = TAKE_PTR ( j ) ;
/* By default, we trust configuration from /etc and /run */
if ( arg_settings_trusted < 0 )
arg_settings_trusted = true ;
break ;
}
if ( errno ! = ENOENT )
return log_error_errno ( errno , " Failed to open %s: %m " , j ) ;
}
if ( ! f ) {
/* After that, let's look for a file next to the
* actual image we shall boot . */
if ( arg_image ) {
p = file_in_same_dir ( arg_image , fn ) ;
if ( ! p )
return log_oom ( ) ;
2019-07-25 11:16:50 +02:00
} else if ( arg_directory & & ! path_equal ( arg_directory , " / " ) ) {
2018-05-07 21:57:00 +02:00
p = file_in_same_dir ( arg_directory , fn ) ;
if ( ! p )
return log_oom ( ) ;
}
if ( p ) {
f = fopen ( p , " re " ) ;
if ( ! f & & errno ! = ENOENT )
return log_error_errno ( errno , " Failed to open %s: %m " , p ) ;
/* By default, we do not trust configuration from /var/lib/machines */
if ( arg_settings_trusted < 0 )
arg_settings_trusted = false ;
}
}
if ( ! f )
return 0 ;
log_debug ( " Settings are trusted: %s " , yes_no ( arg_settings_trusted ) ) ;
r = settings_load ( f , p , & settings ) ;
if ( r < 0 )
return r ;
return merge_settings ( settings , p ) ;
}
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
static int load_oci_bundle ( void ) {
_cleanup_ ( settings_freep ) Settings * settings = NULL ;
int r ;
if ( ! arg_oci_bundle )
return 0 ;
/* By default let's trust OCI bundles */
if ( arg_settings_trusted < 0 )
arg_settings_trusted = true ;
r = oci_load ( NULL , arg_oci_bundle , & settings ) ;
if ( r < 0 )
return r ;
return merge_settings ( settings , arg_oci_bundle ) ;
}
2019-06-06 10:05:33 +02:00
static int run_container (
2016-12-01 20:26:09 +01:00
DissectedImage * dissected_image ,
2016-10-02 21:32:38 +02:00
bool secondary ,
FDSet * fds ,
char veth_name [ IFNAMSIZ ] , bool * veth_created ,
2020-09-15 19:58:44 +02:00
struct ExposeArgs * expose_args ,
2019-06-06 10:05:33 +02:00
int * master , pid_t * pid , int * ret ) {
2016-10-02 21:32:38 +02:00
static const struct sigaction sa = {
. sa_handler = nop_signal_handler ,
2016-11-30 15:07:43 +01:00
. sa_flags = SA_NOCLDSTOP | SA_RESTART ,
2016-10-02 21:32:38 +02:00
} ;
tree-wide: drop redundant _cleanup_ macros (#8810)
This drops a good number of type-specific _cleanup_ macros, and patches
all users to just use the generic ones.
In most recent code we abstained from defining type-specific macros, and
this basically removes all those added already, with the exception of
the really low-level ones.
Having explicit macros for this is not too useful, as the expression
without the extra macro is generally just 2ch wider. We should generally
emphesize generic code, unless there are really good reasons for
specific code, hence let's follow this in this case too.
Note that _cleanup_free_ and similar really low-level, libc'ish, Linux
API'ish macros continue to be defined, only the really high-level OO
ones are dropped. From now on this should really be the rule: for really
low-level stuff, such as memory allocation, fd handling and so one, go
ahead and define explicit per-type macros, but for high-level, specific
program code, just use the generic _cleanup_() macro directly, in order
to keep things simple and as readable as possible for the uninitiated.
Note that before this patch some of the APIs (notable libudev ones) were
already used with the high-level macros at some places and with the
generic _cleanup_ macro at others. With this patch we hence unify on the
latter.
2018-04-25 12:31:45 +02:00
_cleanup_ ( release_lock_file ) LockFile uid_shift_lock = LOCK_FILE_INIT ;
2016-10-02 21:32:38 +02:00
_cleanup_close_ int etc_passwd_lock = - 1 ;
_cleanup_close_pair_ int
kmsg_socket_pair [ 2 ] = { - 1 , - 1 } ,
rtnl_socket_pair [ 2 ] = { - 1 , - 1 } ,
pid_socket_pair [ 2 ] = { - 1 , - 1 } ,
uuid_socket_pair [ 2 ] = { - 1 , - 1 } ,
notify_socket_pair [ 2 ] = { - 1 , - 1 } ,
2017-11-27 20:49:35 +01:00
uid_shift_socket_pair [ 2 ] = { - 1 , - 1 } ,
2019-06-06 10:05:33 +02:00
master_pty_socket_pair [ 2 ] = { - 1 , - 1 } ,
2017-11-27 20:49:35 +01:00
unified_cgroup_hierarchy_socket_pair [ 2 ] = { - 1 , - 1 } ;
2019-06-06 10:05:33 +02:00
_cleanup_close_ int notify_socket = - 1 ;
2016-10-02 21:32:38 +02:00
_cleanup_ ( barrier_destroy ) Barrier barrier = BARRIER_NULL ;
2016-12-21 18:36:15 +01:00
_cleanup_ ( sd_event_source_unrefp ) sd_event_source * notify_event_source = NULL ;
2016-10-02 21:32:38 +02:00
_cleanup_ ( sd_event_unrefp ) sd_event * event = NULL ;
_cleanup_ ( pty_forward_freep ) PTYForward * forward = NULL ;
_cleanup_ ( sd_netlink_unrefp ) sd_netlink * rtnl = NULL ;
2017-11-23 19:27:47 +01:00
_cleanup_ ( sd_bus_flush_close_unrefp ) sd_bus * bus = NULL ;
2016-10-02 21:32:38 +02:00
ContainerStatus container_status = 0 ;
int ifi = 0 , r ;
ssize_t l ;
sigset_t mask_chld ;
2019-12-19 21:17:57 +01:00
_cleanup_close_ int child_netns_fd = - 1 ;
2016-10-02 21:32:38 +02:00
assert_se ( sigemptyset ( & mask_chld ) = = 0 ) ;
assert_se ( sigaddset ( & mask_chld , SIGCHLD ) = = 0 ) ;
if ( arg_userns_mode = = USER_NAMESPACE_PICK ) {
/* When we shall pick the UID/GID range, let's first lock /etc/passwd, so that we can safely
* check with getpwuid ( ) if the specific user already exists . Note that / etc might be
* read - only , in which case this will fail with EROFS . But that ' s really OK , as in that case we
* can be reasonably sure that no users are going to be added . Note that getpwuid ( ) checks are
* really just an extra safety net . We kinda assume that the UID range we allocate from is
* really ours . */
etc_passwd_lock = take_etc_passwd_lock ( NULL ) ;
if ( etc_passwd_lock < 0 & & etc_passwd_lock ! = - EROFS )
return log_error_errno ( etc_passwd_lock , " Failed to take /etc/passwd lock: %m " ) ;
}
r = barrier_create ( & barrier ) ;
if ( r < 0 )
return log_error_errno ( r , " Cannot initialize IPC barrier: %m " ) ;
if ( socketpair ( AF_UNIX , SOCK_SEQPACKET | SOCK_CLOEXEC , 0 , kmsg_socket_pair ) < 0 )
return log_error_errno ( errno , " Failed to create kmsg socket pair: %m " ) ;
if ( socketpair ( AF_UNIX , SOCK_SEQPACKET | SOCK_CLOEXEC , 0 , rtnl_socket_pair ) < 0 )
return log_error_errno ( errno , " Failed to create rtnl socket pair: %m " ) ;
if ( socketpair ( AF_UNIX , SOCK_SEQPACKET | SOCK_CLOEXEC , 0 , pid_socket_pair ) < 0 )
return log_error_errno ( errno , " Failed to create pid socket pair: %m " ) ;
if ( socketpair ( AF_UNIX , SOCK_SEQPACKET | SOCK_CLOEXEC , 0 , uuid_socket_pair ) < 0 )
return log_error_errno ( errno , " Failed to create id socket pair: %m " ) ;
if ( socketpair ( AF_UNIX , SOCK_SEQPACKET | SOCK_CLOEXEC , 0 , notify_socket_pair ) < 0 )
return log_error_errno ( errno , " Failed to create notify socket pair: %m " ) ;
2019-06-06 10:05:33 +02:00
if ( socketpair ( AF_UNIX , SOCK_SEQPACKET | SOCK_CLOEXEC , 0 , master_pty_socket_pair ) < 0 )
return log_error_errno ( errno , " Failed to create console socket pair: %m " ) ;
2016-10-02 21:32:38 +02:00
if ( arg_userns_mode ! = USER_NAMESPACE_NO )
if ( socketpair ( AF_UNIX , SOCK_SEQPACKET | SOCK_CLOEXEC , 0 , uid_shift_socket_pair ) < 0 )
return log_error_errno ( errno , " Failed to create uid shift socket pair: %m " ) ;
2017-11-27 20:49:35 +01:00
if ( arg_unified_cgroup_hierarchy = = CGROUP_UNIFIED_UNKNOWN )
if ( socketpair ( AF_UNIX , SOCK_SEQPACKET | SOCK_CLOEXEC , 0 , unified_cgroup_hierarchy_socket_pair ) < 0 )
return log_error_errno ( errno , " Failed to create unified cgroup socket pair: %m " ) ;
2016-10-02 21:32:38 +02:00
/* Child can be killed before execv(), so handle SIGCHLD in order to interrupt
* parent ' s blocking calls and give it a chance to call wait ( ) and terminate . */
r = sigprocmask ( SIG_UNBLOCK , & mask_chld , NULL ) ;
if ( r < 0 )
return log_error_errno ( errno , " Failed to change the signal mask: %m " ) ;
r = sigaction ( SIGCHLD , & sa , NULL ) ;
if ( r < 0 )
return log_error_errno ( errno , " Failed to install SIGCHLD handler: %m " ) ;
2017-11-24 18:22:17 +01:00
if ( arg_network_namespace_path ) {
2019-12-19 21:17:57 +01:00
child_netns_fd = open ( arg_network_namespace_path , O_RDONLY | O_NOCTTY | O_CLOEXEC ) ;
if ( child_netns_fd < 0 )
2017-11-24 18:22:17 +01:00
return log_error_errno ( errno , " Cannot open file %s: %m " , arg_network_namespace_path ) ;
2019-12-19 21:17:57 +01:00
r = fd_is_network_ns ( child_netns_fd ) ;
2018-10-31 13:04:20 +01:00
if ( r = = - EUCLEAN )
log_debug_errno ( r , " Cannot determine if passed network namespace path '%s' really refers to a network namespace, assuming it does. " , arg_network_namespace_path ) ;
else if ( r < 0 )
2017-11-24 18:22:17 +01:00
return log_error_errno ( r , " Failed to check %s fs type: %m " , arg_network_namespace_path ) ;
2019-04-02 14:51:48 +02:00
else if ( r = = 0 )
return log_error_errno ( SYNTHETIC_ERRNO ( EINVAL ) ,
" Path %s doesn't refer to a network namespace, refusing. " , arg_network_namespace_path ) ;
2017-11-24 18:22:17 +01:00
}
2016-10-02 21:32:38 +02:00
* pid = raw_clone ( SIGCHLD | CLONE_NEWNS ) ;
if ( * pid < 0 )
return log_error_errno ( errno , " clone() failed%s: %m " ,
errno = = EINVAL ?
" , do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in) " : " " ) ;
if ( * pid = = 0 ) {
/* The outer child only has a file system namespace. */
barrier_set_role ( & barrier , BARRIER_CHILD ) ;
kmsg_socket_pair [ 0 ] = safe_close ( kmsg_socket_pair [ 0 ] ) ;
rtnl_socket_pair [ 0 ] = safe_close ( rtnl_socket_pair [ 0 ] ) ;
pid_socket_pair [ 0 ] = safe_close ( pid_socket_pair [ 0 ] ) ;
uuid_socket_pair [ 0 ] = safe_close ( uuid_socket_pair [ 0 ] ) ;
notify_socket_pair [ 0 ] = safe_close ( notify_socket_pair [ 0 ] ) ;
2019-06-06 10:05:33 +02:00
master_pty_socket_pair [ 0 ] = safe_close ( master_pty_socket_pair [ 0 ] ) ;
2016-10-02 21:32:38 +02:00
uid_shift_socket_pair [ 0 ] = safe_close ( uid_shift_socket_pair [ 0 ] ) ;
2017-11-27 20:49:35 +01:00
unified_cgroup_hierarchy_socket_pair [ 0 ] = safe_close ( unified_cgroup_hierarchy_socket_pair [ 0 ] ) ;
2016-10-02 21:32:38 +02:00
( void ) reset_all_signal_handlers ( ) ;
( void ) reset_signal_mask ( ) ;
r = outer_child ( & barrier ,
arg_directory ,
2016-12-01 20:26:09 +01:00
dissected_image ,
2016-10-02 21:32:38 +02:00
secondary ,
pid_socket_pair [ 1 ] ,
uuid_socket_pair [ 1 ] ,
notify_socket_pair [ 1 ] ,
kmsg_socket_pair [ 1 ] ,
rtnl_socket_pair [ 1 ] ,
uid_shift_socket_pair [ 1 ] ,
2019-06-06 10:05:33 +02:00
master_pty_socket_pair [ 1 ] ,
2017-11-27 20:49:35 +01:00
unified_cgroup_hierarchy_socket_pair [ 1 ] ,
2017-11-24 18:22:17 +01:00
fds ,
2019-12-19 21:17:57 +01:00
child_netns_fd ) ;
2016-10-02 21:32:38 +02:00
if ( r < 0 )
_exit ( EXIT_FAILURE ) ;
_exit ( EXIT_SUCCESS ) ;
}
barrier_set_role ( & barrier , BARRIER_PARENT ) ;
2019-03-22 15:22:45 +01:00
fdset_close ( fds ) ;
2016-10-02 21:32:38 +02:00
kmsg_socket_pair [ 1 ] = safe_close ( kmsg_socket_pair [ 1 ] ) ;
rtnl_socket_pair [ 1 ] = safe_close ( rtnl_socket_pair [ 1 ] ) ;
pid_socket_pair [ 1 ] = safe_close ( pid_socket_pair [ 1 ] ) ;
uuid_socket_pair [ 1 ] = safe_close ( uuid_socket_pair [ 1 ] ) ;
notify_socket_pair [ 1 ] = safe_close ( notify_socket_pair [ 1 ] ) ;
2019-06-06 10:05:33 +02:00
master_pty_socket_pair [ 1 ] = safe_close ( master_pty_socket_pair [ 1 ] ) ;
2016-10-02 21:32:38 +02:00
uid_shift_socket_pair [ 1 ] = safe_close ( uid_shift_socket_pair [ 1 ] ) ;
2017-11-27 20:49:35 +01:00
unified_cgroup_hierarchy_socket_pair [ 1 ] = safe_close ( unified_cgroup_hierarchy_socket_pair [ 1 ] ) ;
2016-10-02 21:32:38 +02:00
if ( arg_userns_mode ! = USER_NAMESPACE_NO ) {
/* The child just let us know the UID shift it might have read from the image. */
l = recv ( uid_shift_socket_pair [ 0 ] , & arg_uid_shift , sizeof arg_uid_shift , 0 ) ;
if ( l < 0 )
return log_error_errno ( errno , " Failed to read UID shift: %m " ) ;
2019-04-02 14:51:48 +02:00
if ( l ! = sizeof arg_uid_shift )
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) , " Short read while reading UID shift. " ) ;
2016-10-02 21:32:38 +02:00
if ( arg_userns_mode = = USER_NAMESPACE_PICK ) {
/* If we are supposed to pick the UID shift, let's try to use the shift read from the
* image , but if that ' s already in use , pick a new one , and report back to the child ,
* which one we now picked . */
r = uid_shift_pick ( & arg_uid_shift , & uid_shift_lock ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to pick suitable UID/GID range: %m " ) ;
l = send ( uid_shift_socket_pair [ 0 ] , & arg_uid_shift , sizeof arg_uid_shift , MSG_NOSIGNAL ) ;
if ( l < 0 )
return log_error_errno ( errno , " Failed to send UID shift: %m " ) ;
2019-04-02 14:51:48 +02:00
if ( l ! = sizeof arg_uid_shift )
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) , " Short write while writing UID shift. " ) ;
2016-10-02 21:32:38 +02:00
}
}
2017-11-27 20:49:35 +01:00
if ( arg_unified_cgroup_hierarchy = = CGROUP_UNIFIED_UNKNOWN ) {
/* The child let us know the support cgroup mode it might have read from the image. */
l = recv ( unified_cgroup_hierarchy_socket_pair [ 0 ] , & arg_unified_cgroup_hierarchy , sizeof ( arg_unified_cgroup_hierarchy ) , 0 ) ;
if ( l < 0 )
return log_error_errno ( errno , " Failed to read cgroup mode: %m " ) ;
2019-04-02 14:51:48 +02:00
if ( l ! = sizeof ( arg_unified_cgroup_hierarchy ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) , " Short read while reading cgroup mode (%zu bytes).%s " ,
l , l = = 0 ? " The child is most likely dead. " : " " ) ;
2017-11-27 20:49:35 +01:00
}
2016-10-02 21:32:38 +02:00
/* Wait for the outer child. */
2017-12-29 18:09:16 +01:00
r = wait_for_terminate_and_check ( " (sd-namespace) " , * pid , WAIT_LOG_ABNORMAL ) ;
if ( r < 0 )
return r ;
if ( r ! = EXIT_SUCCESS )
return - EIO ;
2016-10-02 21:32:38 +02:00
/* And now retrieve the PID of the inner child. */
l = recv ( pid_socket_pair [ 0 ] , pid , sizeof * pid , 0 ) ;
if ( l < 0 )
return log_error_errno ( errno , " Failed to read inner child PID: %m " ) ;
2019-04-02 14:51:48 +02:00
if ( l ! = sizeof * pid )
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) , " Short read while reading inner child PID. " ) ;
2016-10-02 21:32:38 +02:00
/* We also retrieve container UUID in case it was generated by outer child */
l = recv ( uuid_socket_pair [ 0 ] , & arg_uuid , sizeof arg_uuid , 0 ) ;
if ( l < 0 )
return log_error_errno ( errno , " Failed to read container machine ID: %m " ) ;
2019-04-02 14:51:48 +02:00
if ( l ! = sizeof ( arg_uuid ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EIO ) , " Short read while reading container machined ID. " ) ;
2016-10-02 21:32:38 +02:00
/* We also retrieve the socket used for notifications generated by outer child */
notify_socket = receive_one_fd ( notify_socket_pair [ 0 ] , 0 ) ;
if ( notify_socket < 0 )
return log_error_errno ( notify_socket ,
" Failed to receive notification socket from the outer child: %m " ) ;
log_debug ( " Init process invoked as PID " PID_FMT , * pid ) ;
if ( arg_userns_mode ! = USER_NAMESPACE_NO ) {
2019-04-02 14:51:48 +02:00
if ( ! barrier_place_and_sync ( & barrier ) ) /* #1 */
return log_error_errno ( SYNTHETIC_ERRNO ( ESRCH ) , " Child died too early. " ) ;
2016-10-02 21:32:38 +02:00
r = setup_uid_map ( * pid ) ;
if ( r < 0 )
return r ;
( void ) barrier_place ( & barrier ) ; /* #2 */
}
if ( arg_private_network ) {
2018-04-05 16:04:27 +02:00
if ( ! arg_network_namespace_path ) {
/* Wait until the child has unshared its network namespace. */
2019-04-02 14:51:48 +02:00
if ( ! barrier_place_and_sync ( & barrier ) ) /* #3 */
return log_error_errno ( SYNTHETIC_ERRNO ( ESRCH ) , " Child died too early " ) ;
2018-04-05 16:04:27 +02:00
}
2019-12-19 21:17:57 +01:00
if ( child_netns_fd < 0 ) {
/* Make sure we have an open file descriptor to the child's network
* namespace so it stays alive even if the child exits . */
r = namespace_open ( * pid , NULL , NULL , & child_netns_fd , NULL , NULL ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to open child network namespace: %m " ) ;
}
r = move_network_interfaces ( child_netns_fd , arg_network_interfaces ) ;
2016-10-02 21:32:38 +02:00
if ( r < 0 )
return r ;
if ( arg_network_veth ) {
r = setup_veth ( arg_machine , * pid , veth_name ,
arg_network_bridge | | arg_network_zone ) ;
if ( r < 0 )
return r ;
else if ( r > 0 )
ifi = r ;
if ( arg_network_bridge ) {
/* Add the interface to a bridge */
r = setup_bridge ( veth_name , arg_network_bridge , false ) ;
if ( r < 0 )
return r ;
if ( r > 0 )
ifi = r ;
} else if ( arg_network_zone ) {
/* Add the interface to a bridge, possibly creating it */
r = setup_bridge ( veth_name , arg_network_zone , true ) ;
if ( r < 0 )
return r ;
if ( r > 0 )
ifi = r ;
}
}
r = setup_veth_extra ( arg_machine , * pid , arg_network_veth_extra ) ;
if ( r < 0 )
return r ;
/* We created the primary and extra veth links now; let's remember this, so that we know to
remove them later on . Note that we don ' t bother with removing veth links that were created
here when their setup failed half - way , because in that case the kernel should be able to
remove them on its own , since they cannot be referenced by anything yet . */
* veth_created = true ;
r = setup_macvlan ( arg_machine , * pid , arg_network_macvlan ) ;
if ( r < 0 )
return r ;
r = setup_ipvlan ( arg_machine , * pid , arg_network_ipvlan ) ;
if ( r < 0 )
return r ;
}
2017-11-23 19:27:47 +01:00
if ( arg_register | | ! arg_keep_unit ) {
r = sd_bus_default_system ( & bus ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to open system bus: %m " ) ;
2018-10-06 18:45:58 +02:00
r = sd_bus_set_close_on_exit ( bus , false ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to disable close-on-exit behaviour: %m " ) ;
2017-11-23 19:27:47 +01:00
}
if ( ! arg_keep_unit ) {
/* When a new scope is created for this container, then we'll be registered as its controller, in which
* case PID 1 will send us a friendly RequestStop signal , when it is asked to terminate the
* scope . Let ' s hook into that , and cleanly shut down the container , and print a friendly message . */
2017-12-19 12:29:04 +01:00
r = sd_bus_match_signal_async (
bus ,
NULL ,
" org.freedesktop.systemd1 " ,
NULL ,
" org.freedesktop.systemd1.Scope " ,
" RequestStop " ,
on_request_stop , NULL , PID_TO_PTR ( * pid ) ) ;
2017-11-23 19:27:47 +01:00
if ( r < 0 )
2017-12-19 12:29:04 +01:00
return log_error_errno ( r , " Failed to request RequestStop match: %m " ) ;
2017-11-23 19:27:47 +01:00
}
2016-10-02 21:32:38 +02:00
if ( arg_register ) {
r = register_machine (
2017-11-23 19:27:47 +01:00
bus ,
2016-10-02 21:32:38 +02:00
arg_machine ,
* pid ,
arg_directory ,
arg_uuid ,
ifi ,
arg_slice ,
arg_custom_mounts , arg_n_custom_mounts ,
arg_kill_signal ,
arg_property ,
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
arg_property_message ,
2016-10-02 21:32:38 +02:00
arg_keep_unit ,
arg_container_service_name ) ;
if ( r < 0 )
return r ;
2017-11-23 19:27:47 +01:00
2017-06-28 19:22:46 +02:00
} else if ( ! arg_keep_unit ) {
r = allocate_scope (
2017-11-23 19:27:47 +01:00
bus ,
2017-06-28 19:22:46 +02:00
arg_machine ,
* pid ,
arg_slice ,
arg_custom_mounts , arg_n_custom_mounts ,
arg_kill_signal ,
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
arg_property ,
arg_property_message ) ;
2017-06-28 19:22:46 +02:00
if ( r < 0 )
return r ;
} else if ( arg_slice | | arg_property )
log_notice ( " Machine and scope registration turned off, --slice= and --property= settings will have no effect. " ) ;
2016-10-02 21:32:38 +02:00
2019-03-05 18:57:53 +01:00
r = create_subcgroup ( * pid , arg_keep_unit , arg_unified_cgroup_hierarchy ) ;
2016-10-02 21:32:38 +02:00
if ( r < 0 )
return r ;
2019-03-05 18:57:53 +01:00
r = sync_cgroup ( * pid , arg_unified_cgroup_hierarchy , arg_uid_shift ) ;
2018-05-02 14:24:54 +02:00
if ( r < 0 )
return r ;
2016-10-02 21:32:38 +02:00
2017-11-28 17:58:00 +01:00
r = chown_cgroup ( * pid , arg_unified_cgroup_hierarchy , arg_uid_shift ) ;
2016-10-02 21:32:38 +02:00
if ( r < 0 )
return r ;
/* Notify the child that the parent is ready with all
* its setup ( including cgroup - ification ) , and that
* the child can now hand over control to the code to
* run inside the container . */
2018-04-05 16:04:27 +02:00
( void ) barrier_place ( & barrier ) ; /* #4 */
2016-10-02 21:32:38 +02:00
/* Block SIGCHLD here, before notifying child.
* process_pty ( ) will handle it with the other signals . */
assert_se ( sigprocmask ( SIG_BLOCK , & mask_chld , NULL ) > = 0 ) ;
/* Reset signal to default */
r = default_signals ( SIGCHLD , - 1 ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to reset SIGCHLD: %m " ) ;
r = sd_event_new ( & event ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to get default event source: %m " ) ;
2017-12-07 11:58:25 +01:00
( void ) sd_event_set_watchdog ( event , true ) ;
2017-11-23 19:27:47 +01:00
if ( bus ) {
r = sd_bus_attach_event ( bus , event , 0 ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to attach bus to event loop: %m " ) ;
}
2020-07-22 18:00:18 +02:00
r = setup_notify_parent ( event , notify_socket , PID_TO_PTR ( * pid ) , & notify_event_source ) ;
2016-10-02 21:32:38 +02:00
if ( r < 0 )
return r ;
/* Let the child know that we are ready and wait that the child is completely ready now. */
2019-04-02 14:51:48 +02:00
if ( ! barrier_place_and_sync ( & barrier ) ) /* #5 */
return log_error_errno ( SYNTHETIC_ERRNO ( ESRCH ) , " Child died too early. " ) ;
2016-10-02 21:32:38 +02:00
2020-07-07 21:58:12 +02:00
/* At this point we have made use of the UID we picked, and thus nss-systemd/systemd-machined.service
2016-10-02 21:32:38 +02:00
* will make them appear in getpwuid ( ) , thus we can release the / etc / passwd lock . */
etc_passwd_lock = safe_close ( etc_passwd_lock ) ;
2019-03-21 16:32:31 +01:00
( void ) sd_notifyf ( false ,
" STATUS=Container running. \n "
" X_NSPAWN_LEADER_PID= " PID_FMT , * pid ) ;
2016-10-02 21:32:38 +02:00
if ( ! arg_notify_ready )
2018-05-08 17:03:58 +02:00
( void ) sd_notify ( false , " READY=1 \n " ) ;
2016-10-02 21:32:38 +02:00
if ( arg_kill_signal > 0 ) {
/* Try to kill the init system on SIGINT or SIGTERM */
2018-05-08 17:03:58 +02:00
( void ) sd_event_add_signal ( event , NULL , SIGINT , on_orderly_shutdown , PID_TO_PTR ( * pid ) ) ;
( void ) sd_event_add_signal ( event , NULL , SIGTERM , on_orderly_shutdown , PID_TO_PTR ( * pid ) ) ;
2016-10-02 21:32:38 +02:00
} else {
/* Immediately exit */
2018-05-08 17:03:58 +02:00
( void ) sd_event_add_signal ( event , NULL , SIGINT , NULL , NULL ) ;
( void ) sd_event_add_signal ( event , NULL , SIGTERM , NULL , NULL ) ;
2016-10-02 21:32:38 +02:00
}
2016-12-13 02:38:18 +01:00
/* Exit when the child exits */
2018-05-08 17:03:58 +02:00
( void ) sd_event_add_signal ( event , NULL , SIGCHLD , on_sigchld , PID_TO_PTR ( * pid ) ) ;
2016-10-02 21:32:38 +02:00
if ( arg_expose_ports ) {
2020-09-15 19:58:44 +02:00
r = expose_port_watch_rtnl ( event , rtnl_socket_pair [ 0 ] , on_address_change , expose_args , & rtnl ) ;
2016-10-02 21:32:38 +02:00
if ( r < 0 )
return r ;
2020-09-15 19:58:44 +02:00
( void ) expose_port_execute ( rtnl , & expose_args - > fw_ctx , arg_expose_ports , & expose_args - > address ) ;
2016-10-02 21:32:38 +02:00
}
rtnl_socket_pair [ 0 ] = safe_close ( rtnl_socket_pair [ 0 ] ) ;
2019-06-06 10:05:33 +02:00
if ( arg_console_mode ! = CONSOLE_PIPE ) {
_cleanup_close_ int fd = - 1 ;
PTYForwardFlags flags = 0 ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
2019-06-06 10:05:33 +02:00
/* Retrieve the master pty allocated by inner child */
fd = receive_one_fd ( master_pty_socket_pair [ 0 ] , 0 ) ;
if ( fd < 0 )
return log_error_errno ( fd , " Failed to receive master pty from the inner child: %m " ) ;
switch ( arg_console_mode ) {
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
2019-06-06 10:05:33 +02:00
case CONSOLE_READ_ONLY :
flags | = PTY_FORWARD_READ_ONLY ;
_fallthrough_ ;
case CONSOLE_INTERACTIVE :
flags | = PTY_FORWARD_IGNORE_VHANGUP ;
r = pty_forward_new ( event , fd , flags , & forward ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to create PTY forwarder: %m " ) ;
if ( arg_console_width ! = ( unsigned ) - 1 | | arg_console_height ! = ( unsigned ) - 1 )
( void ) pty_forward_set_width_height ( forward ,
arg_console_width ,
arg_console_height ) ;
break ;
default :
assert ( arg_console_mode = = CONSOLE_PASSIVE ) ;
}
* master = TAKE_FD ( fd ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
}
2016-10-02 21:32:38 +02:00
r = sd_event_loop ( event ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to run event loop: %m " ) ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( forward ) {
char last_char = 0 ;
2016-10-02 21:32:38 +02:00
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
( void ) pty_forward_get_last_char ( forward , & last_char ) ;
forward = pty_forward_free ( forward ) ;
2016-10-02 21:32:38 +02:00
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( ! arg_quiet & & last_char ! = ' \n ' )
putc ( ' \n ' , stdout ) ;
}
2016-10-02 21:32:38 +02:00
/* Kill if it is not dead yet anyway */
2019-10-29 09:47:57 +01:00
if ( ! arg_register & & ! arg_keep_unit & & bus )
terminate_scope ( bus , arg_machine ) ;
2016-10-02 21:32:38 +02:00
/* Normally redundant, but better safe than sorry */
2016-11-19 00:00:16 +01:00
( void ) kill ( * pid , SIGKILL ) ;
2016-10-02 21:32:38 +02:00
2019-12-19 21:17:57 +01:00
if ( arg_private_network ) {
/* Move network interfaces back to the parent network namespace. We use `safe_fork`
* to avoid having to move the parent to the child network namespace . */
r = safe_fork ( NULL , FORK_RESET_SIGNALS | FORK_DEATHSIG | FORK_WAIT | FORK_LOG , NULL ) ;
if ( r < 0 )
return r ;
if ( r = = 0 ) {
_cleanup_close_ int parent_netns_fd = - 1 ;
r = namespace_open ( getpid ( ) , NULL , NULL , & parent_netns_fd , NULL , NULL ) ;
if ( r < 0 ) {
log_error_errno ( r , " Failed to open parent network namespace: %m " ) ;
_exit ( EXIT_FAILURE ) ;
}
r = namespace_enter ( - 1 , - 1 , child_netns_fd , - 1 , - 1 ) ;
if ( r < 0 ) {
log_error_errno ( r , " Failed to enter child network namespace: %m " ) ;
_exit ( EXIT_FAILURE ) ;
}
r = move_network_interfaces ( parent_netns_fd , arg_network_interfaces ) ;
if ( r < 0 )
log_error_errno ( r , " Failed to move network interfaces back to parent network namespace: %m " ) ;
_exit ( r < 0 ? EXIT_FAILURE : EXIT_SUCCESS ) ;
}
}
2016-10-02 21:32:38 +02:00
r = wait_for_container ( * pid , & container_status ) ;
* pid = 0 ;
2019-10-29 09:47:57 +01:00
/* Tell machined that we are gone. */
if ( bus )
( void ) unregister_machine ( bus , arg_machine ) ;
2016-10-02 21:32:38 +02:00
if ( r < 0 )
/* We failed to wait for the container, or the container exited abnormally. */
return r ;
if ( r > 0 | | container_status = = CONTAINER_TERMINATED ) {
2016-10-07 16:31:47 +02:00
/* r > 0 → The container exited with a non-zero status.
* As a special case , we need to replace 133 with a different value ,
* because 133 is special - cased in the service file to reboot the container .
* otherwise → The container exited with zero status and a reboot was not requested .
*/
2016-11-14 11:49:49 +01:00
if ( r = = EXIT_FORCE_RESTART )
2016-10-07 16:31:47 +02:00
r = EXIT_FAILURE ; /* replace 133 with the general failure code */
2016-10-02 21:32:38 +02:00
* ret = r ;
return 0 ; /* finito */
}
/* CONTAINER_REBOOTED, loop again */
if ( arg_keep_unit ) {
/* Special handling if we are running as a service: instead of simply
* restarting the machine we want to restart the entire service , so let ' s
* inform systemd about this with the special exit code 133. The service
* file uses RestartForceExitStatus = 133 so that this results in a full
* nspawn restart . This is necessary since we might have cgroup parameters
* set we want to have flushed out . */
2016-11-14 11:49:49 +01:00
* ret = EXIT_FORCE_RESTART ;
return 0 ; /* finito */
2016-10-02 21:32:38 +02:00
}
2020-09-15 19:58:44 +02:00
expose_port_flush ( & expose_args - > fw_ctx , arg_expose_ports , & expose_args - > address ) ;
2016-10-02 21:32:38 +02:00
( void ) remove_veth_links ( veth_name , arg_network_veth_extra ) ;
* veth_created = false ;
return 1 ; /* loop again */
}
2018-05-07 17:59:18 +02:00
static int initialize_rlimits ( void ) {
/* The default resource limits the kernel passes to PID 1, as per kernel 4.16. Let's pass our container payload
* the same values as the kernel originally passed to PID 1 , in order to minimize differences between host and
* container execution environments . */
static const struct rlimit kernel_defaults [ _RLIMIT_MAX ] = {
[ RLIMIT_AS ] = { RLIM_INFINITY , RLIM_INFINITY } ,
[ RLIMIT_CORE ] = { 0 , RLIM_INFINITY } ,
[ RLIMIT_CPU ] = { RLIM_INFINITY , RLIM_INFINITY } ,
[ RLIMIT_DATA ] = { RLIM_INFINITY , RLIM_INFINITY } ,
[ RLIMIT_FSIZE ] = { RLIM_INFINITY , RLIM_INFINITY } ,
[ RLIMIT_LOCKS ] = { RLIM_INFINITY , RLIM_INFINITY } ,
[ RLIMIT_MEMLOCK ] = { 65536 , 65536 } ,
[ RLIMIT_MSGQUEUE ] = { 819200 , 819200 } ,
[ RLIMIT_NICE ] = { 0 , 0 } ,
[ RLIMIT_NOFILE ] = { 1024 , 4096 } ,
[ RLIMIT_RSS ] = { RLIM_INFINITY , RLIM_INFINITY } ,
[ RLIMIT_RTPRIO ] = { 0 , 0 } ,
[ RLIMIT_RTTIME ] = { RLIM_INFINITY , RLIM_INFINITY } ,
[ RLIMIT_STACK ] = { 8388608 , RLIM_INFINITY } ,
/* The kernel scales the default for RLIMIT_NPROC and RLIMIT_SIGPENDING based on the system's amount of
* RAM . To provide best compatibility we ' ll read these limits off PID 1 instead of hardcoding them
* here . This is safe as we know that PID 1 doesn ' t change these two limits and thus the original
* kernel ' s initialization should still be valid during runtime — at least if PID 1 is systemd . Note
* that PID 1 changes a number of other resource limits during early initialization which is why we
* don ' t read the other limits from PID 1 but prefer the static table above . */
} ;
int rl ;
for ( rl = 0 ; rl < _RLIMIT_MAX ; rl + + ) {
/* Let's only fill in what the user hasn't explicitly configured anyway */
if ( ( arg_settings_mask & ( SETTING_RLIMIT_FIRST < < rl ) ) = = 0 ) {
const struct rlimit * v ;
struct rlimit buffer ;
if ( IN_SET ( rl , RLIMIT_NPROC , RLIMIT_SIGPENDING ) ) {
/* For these two let's read the limits off PID 1. See above for an explanation. */
if ( prlimit ( 1 , rl , NULL , & buffer ) < 0 )
return log_error_errno ( errno , " Failed to read resource limit RLIMIT_%s of PID 1: %m " , rlimit_to_string ( rl ) ) ;
v = & buffer ;
} else
v = kernel_defaults + rl ;
arg_rlimit [ rl ] = newdup ( struct rlimit , v , 1 ) ;
if ( ! arg_rlimit [ rl ] )
return log_oom ( ) ;
}
if ( DEBUG_LOGGING ) {
_cleanup_free_ char * k = NULL ;
( void ) rlimit_format ( arg_rlimit [ rl ] , & k ) ;
log_debug ( " Setting RLIMIT_%s to %s. " , rlimit_to_string ( rl ) , k ) ;
}
}
return 0 ;
}
2020-04-22 17:12:35 +02:00
static int cant_be_in_netns ( void ) {
union sockaddr_union sa = {
. un = {
. sun_family = AF_UNIX ,
. sun_path = " /run/udev/control " ,
} ,
} ;
char udev_path [ STRLEN ( " /proc//ns/net " ) + DECIMAL_STR_MAX ( pid_t ) ] ;
_cleanup_free_ char * udev_ns = NULL , * our_ns = NULL ;
_cleanup_close_ int fd = - 1 ;
struct ucred ucred ;
int r ;
/* Check if we are in the same netns as udev. If we aren't, then device monitoring (and thus waiting
* for loopback block devices ) won ' t work , and we will hang . Detect this case and exit early with a
* nice message . */
if ( ! arg_image ) /* only matters if --image= us used, i.e. we actually need to use loopback devices */
return 0 ;
fd = socket ( AF_UNIX , SOCK_SEQPACKET | SOCK_NONBLOCK | SOCK_CLOEXEC , 0 ) ;
if ( fd < 0 )
return log_error_errno ( errno , " Failed to allocate udev control socket: %m " ) ;
if ( connect ( fd , & sa . un , SOCKADDR_UN_LEN ( sa . un ) ) < 0 ) {
if ( errno = = ENOENT | | ERRNO_IS_DISCONNECT ( errno ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EOPNOTSUPP ) ,
" Sorry, but --image= requires access to the host's /run/ hierarchy, since we need access to udev. " ) ;
return log_error_errno ( errno , " Failed to connect socket to udev control socket: %m " ) ;
}
r = getpeercred ( fd , & ucred ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to determine peer of udev control socket: %m " ) ;
xsprintf ( udev_path , " /proc/ " PID_FMT " /ns/net " , ucred . pid ) ;
r = readlink_malloc ( udev_path , & udev_ns ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to read network namespace of udev: %m " ) ;
r = readlink_malloc ( " /proc/self/ns/net " , & our_ns ) ;
if ( r < 0 )
return log_error_errno ( r , " Failed to read our own network namespace: %m " ) ;
if ( ! streq ( our_ns , udev_ns ) )
return log_error_errno ( SYNTHETIC_ERRNO ( EOPNOTSUPP ) ,
" Sorry, but --image= is only supported in the main network namespace, since we need access to udev/AF_NETLINK. " ) ;
return 0 ;
}
2019-03-21 13:35:45 +01:00
static int run ( int argc , char * argv [ ] ) {
2019-07-17 10:59:29 +02:00
bool secondary = false , remove_directory = false , remove_image = false ,
veth_created = false , remove_tmprootdir = false ;
2016-12-01 20:26:09 +01:00
_cleanup_close_ int master = - 1 ;
2015-05-21 16:30:58 +02:00
_cleanup_fdset_free_ FDSet * fds = NULL ;
2016-12-01 20:26:09 +01:00
int r , n_fd_passed , ret = EXIT_SUCCESS ;
2016-04-28 19:48:17 +02:00
char veth_name [ IFNAMSIZ ] = " " ;
2020-09-15 19:58:44 +02:00
struct ExposeArgs expose_args = { } ;
tree-wide: drop redundant _cleanup_ macros (#8810)
This drops a good number of type-specific _cleanup_ macros, and patches
all users to just use the generic ones.
In most recent code we abstained from defining type-specific macros, and
this basically removes all those added already, with the exception of
the really low-level ones.
Having explicit macros for this is not too useful, as the expression
without the extra macro is generally just 2ch wider. We should generally
emphesize generic code, unless there are really good reasons for
specific code, hence let's follow this in this case too.
Note that _cleanup_free_ and similar really low-level, libc'ish, Linux
API'ish macros continue to be defined, only the really high-level OO
ones are dropped. From now on this should really be the rule: for really
low-level stuff, such as memory allocation, fd handling and so one, go
ahead and define explicit per-type macros, but for high-level, specific
program code, just use the generic _cleanup_() macro directly, in order
to keep things simple and as readable as possible for the uninitiated.
Note that before this patch some of the APIs (notable libudev ones) were
already used with the high-level macros at some places and with the
generic _cleanup_ macro at others. With this patch we hence unify on the
latter.
2018-04-25 12:31:45 +02:00
_cleanup_ ( release_lock_file ) LockFile tree_global_lock = LOCK_FILE_INIT , tree_local_lock = LOCK_FILE_INIT ;
2016-11-19 00:00:16 +01:00
char tmprootdir [ ] = " /tmp/nspawn-root-XXXXXX " ;
2016-12-01 20:26:09 +01:00
_cleanup_ ( loop_device_unrefp ) LoopDevice * loop = NULL ;
2016-12-05 16:26:48 +01:00
_cleanup_ ( decrypted_image_unrefp ) DecryptedImage * decrypted_image = NULL ;
_cleanup_ ( dissected_image_unrefp ) DissectedImage * dissected_image = NULL ;
2020-09-15 19:58:44 +02:00
_cleanup_ ( fw_ctx_freep ) FirewallContext * fw_ctx = NULL ;
2019-07-17 10:59:29 +02:00
pid_t pid = 0 ;
2015-05-21 16:30:58 +02:00
log_parse_environment ( ) ;
log_open ( ) ;
2016-11-21 20:45:53 +01:00
2015-05-21 16:30:58 +02:00
r = parse_argv ( argc , argv ) ;
if ( r < = 0 )
goto finish ;
2020-09-23 12:20:14 +02:00
if ( geteuid ( ) ! = 0 ) {
r = log_warning_errno ( SYNTHETIC_ERRNO ( EPERM ) ,
argc > = 2 ? " Need to be root. " :
" Need to be root (and some arguments are usually required). \n Hint: try --help " ) ;
2015-05-21 16:30:58 +02:00
goto finish ;
2020-09-23 12:20:14 +02:00
}
2017-12-11 23:00:57 +01:00
2020-04-22 17:12:35 +02:00
r = cant_be_in_netns ( ) ;
if ( r < 0 )
goto finish ;
2018-05-07 17:59:18 +02:00
r = initialize_rlimits ( ) ;
if ( r < 0 )
goto finish ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
r = load_oci_bundle ( ) ;
if ( r < 0 )
goto finish ;
2015-09-06 01:22:14 +02:00
r = determine_names ( ) ;
if ( r < 0 )
goto finish ;
r = load_settings ( ) ;
if ( r < 0 )
goto finish ;
2019-08-01 12:48:41 +02:00
r = cg_unified ( ) ;
2018-12-06 21:49:11 +01:00
if ( r < 0 ) {
log_error_errno ( r , " Failed to determine whether the unified cgroups hierarchy is used: %m " ) ;
goto finish ;
}
2015-09-06 01:22:14 +02:00
r = verify_arguments ( ) ;
if ( r < 0 )
goto finish ;
2015-05-21 16:30:58 +02:00
2019-09-27 13:58:06 +02:00
/* Reapply environment settings. */
( void ) detect_unified_cgroup_hierarchy_from_environment ( ) ;
2017-11-27 20:49:35 +01:00
2019-01-26 12:18:16 +01:00
/* Ignore SIGPIPE here, because we use splice() on the ptyfwd stuff and that will generate SIGPIPE if
* the result is closed . Note that the container payload child will reset signal mask + handler anyway ,
* so just turning this off here means we only turn it off in nspawn itself , not any children . */
( void ) ignore_signals ( SIGPIPE , - 1 ) ;
2015-05-21 16:30:58 +02:00
n_fd_passed = sd_listen_fds ( false ) ;
if ( n_fd_passed > 0 ) {
r = fdset_new_listen_fds ( & fds , false ) ;
if ( r < 0 ) {
log_error_errno ( r , " Failed to collect file descriptors: %m " ) ;
goto finish ;
}
}
2018-05-28 11:01:30 +02:00
/* The "default" umask. This is appropriate for most file and directory
* operations performed by nspawn , and is the umask that will be used for
* the child . Functions like copy_devnodes ( ) change the umask temporarily . */
umask ( 0022 ) ;
2015-05-21 16:30:58 +02:00
if ( arg_directory ) {
assert ( ! arg_image ) ;
2019-07-24 17:32:09 +02:00
/* Safety precaution: let's not allow running images from the live host OS image, as long as
* / var from the host will propagate into container dynamically ( because bad things happen if
* two systems write to the same / var ) . Let ' s allow it for the special cases where / var is
* either copied ( i . e . - - ephemeral ) or replaced ( i . e . - - volatile = yes | state ) . */
if ( path_equal ( arg_directory , " / " ) & & ! ( arg_ephemeral | | IN_SET ( arg_volatile_mode , VOLATILE_YES , VOLATILE_STATE ) ) ) {
log_error ( " Spawning container on root directory is not supported. Consider using --ephemeral, --volatile=yes or --volatile=state. " ) ;
2015-05-21 16:30:58 +02:00
r = - EINVAL ;
goto finish ;
}
if ( arg_ephemeral ) {
_cleanup_free_ char * np = NULL ;
2016-11-29 18:16:43 +01:00
r = chase_symlinks_and_update ( & arg_directory , 0 ) ;
2016-11-24 21:03:36 +01:00
if ( r < 0 )
goto finish ;
2019-07-17 10:59:29 +02:00
/* If the specified path is a mount point we generate the new snapshot immediately
* inside it under a random name . However if the specified is not a mount point we
* create the new snapshot in the parent directory , just next to it . */
2016-11-18 21:35:21 +01:00
r = path_is_mount_point ( arg_directory , NULL , 0 ) ;
2015-05-21 16:30:58 +02:00
if ( r < 0 ) {
log_error_errno ( r , " Failed to determine whether directory %s is mount point: %m " , arg_directory ) ;
goto finish ;
}
if ( r > 0 )
2015-06-15 19:24:43 +02:00
r = tempfn_random_child ( arg_directory , " machine. " , & np ) ;
2015-05-21 16:30:58 +02:00
else
2015-06-15 19:24:43 +02:00
r = tempfn_random ( arg_directory , " machine. " , & np ) ;
2015-05-21 16:30:58 +02:00
if ( r < 0 ) {
2016-11-18 18:38:06 +01:00
log_error_errno ( r , " Failed to generate name for directory snapshot: %m " ) ;
2015-05-21 16:30:58 +02:00
goto finish ;
}
2019-07-25 11:17:23 +02:00
/* We take an exclusive lock on this image, since it's our private, ephemeral copy
2020-04-16 17:50:21 +02:00
* only owned by us and no one else . */
2019-07-25 11:17:23 +02:00
r = image_path_lock ( np , LOCK_EX | LOCK_NB , & tree_global_lock , & tree_local_lock ) ;
2015-05-21 16:30:58 +02:00
if ( r < 0 ) {
log_error_errno ( r , " Failed to lock %s: %m " , np ) ;
goto finish ;
}
2019-07-17 10:59:29 +02:00
{
BLOCK_SIGNALS ( SIGINT ) ;
r = btrfs_subvol_snapshot ( arg_directory , np ,
( arg_read_only ? BTRFS_SNAPSHOT_READ_ONLY : 0 ) |
BTRFS_SNAPSHOT_FALLBACK_COPY |
BTRFS_SNAPSHOT_FALLBACK_DIRECTORY |
BTRFS_SNAPSHOT_RECURSIVE |
BTRFS_SNAPSHOT_QUOTA |
BTRFS_SNAPSHOT_SIGINT ) ;
}
if ( r = = - EINTR ) {
log_error_errno ( r , " Interrupted while copying file system tree to %s, removed again. " , np ) ;
goto finish ;
}
2015-05-21 16:30:58 +02:00
if ( r < 0 ) {
log_error_errno ( r , " Failed to create snapshot %s from %s: %m " , np , arg_directory ) ;
goto finish ;
2014-12-12 03:50:59 +01:00
}
2018-04-05 07:26:26 +02:00
free_and_replace ( arg_directory , np ) ;
2016-11-21 20:02:43 +01:00
remove_directory = true ;
2015-01-14 23:09:02 +01:00
} else {
2016-12-01 12:49:23 +01:00
r = chase_symlinks_and_update ( & arg_directory , arg_template ? CHASE_NONEXISTENT : 0 ) ;
2016-11-29 18:16:43 +01:00
if ( r < 0 )
goto finish ;
2015-01-14 23:09:02 +01:00
r = image_path_lock ( arg_directory , ( arg_read_only ? LOCK_SH : LOCK_EX ) | LOCK_NB , & tree_global_lock , & tree_local_lock ) ;
if ( r = = - EBUSY ) {
log_error_errno ( r , " Directory tree %s is currently busy. " , arg_directory ) ;
goto finish ;
}
if ( r < 0 ) {
log_error_errno ( r , " Failed to lock %s: %m " , arg_directory ) ;
2016-07-23 02:28:57 +02:00
goto finish ;
2015-01-14 23:09:02 +01:00
}
if ( arg_template ) {
2016-11-29 18:16:43 +01:00
r = chase_symlinks_and_update ( & arg_template , 0 ) ;
2016-11-24 21:03:36 +01:00
if ( r < 0 )
goto finish ;
2019-07-17 10:59:29 +02:00
{
BLOCK_SIGNALS ( SIGINT ) ;
r = btrfs_subvol_snapshot ( arg_template , arg_directory ,
( arg_read_only ? BTRFS_SNAPSHOT_READ_ONLY : 0 ) |
BTRFS_SNAPSHOT_FALLBACK_COPY |
BTRFS_SNAPSHOT_FALLBACK_DIRECTORY |
BTRFS_SNAPSHOT_FALLBACK_IMMUTABLE |
BTRFS_SNAPSHOT_RECURSIVE |
BTRFS_SNAPSHOT_QUOTA |
BTRFS_SNAPSHOT_SIGINT ) ;
}
2018-09-26 23:40:39 +02:00
if ( r = = - EEXIST )
log_full ( arg_quiet ? LOG_DEBUG : LOG_INFO ,
" Directory %s already exists, not populating from template %s. " , arg_directory , arg_template ) ;
2019-07-17 10:59:29 +02:00
else if ( r = = - EINTR ) {
log_error_errno ( r , " Interrupted while copying file system tree to %s, removed again. " , arg_directory ) ;
goto finish ;
} else if ( r < 0 ) {
2015-01-15 08:19:30 +01:00
log_error_errno ( r , " Couldn't create snapshot %s from %s: %m " , arg_directory , arg_template ) ;
2015-01-14 23:09:02 +01:00
goto finish ;
2018-09-26 23:40:39 +02:00
} else
log_full ( arg_quiet ? LOG_DEBUG : LOG_INFO ,
" Populated %s from template %s. " , arg_directory , arg_template ) ;
2015-01-14 23:09:02 +01:00
}
2014-12-12 03:50:59 +01:00
}
2016-02-03 20:32:06 +01:00
if ( arg_start_mode = = START_BOOT ) {
2018-05-22 16:01:21 +02:00
const char * p ;
2018-05-21 06:10:21 +02:00
2018-05-22 16:01:21 +02:00
if ( arg_pivot_root_new )
p = prefix_roota ( arg_directory , arg_pivot_root_new ) ;
else
p = arg_directory ;
2018-05-21 06:10:21 +02:00
if ( path_is_os_tree ( p ) < = 0 ) {
log_error ( " Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing. " , p ) ;
2014-12-12 03:50:59 +01:00
r = - EINVAL ;
2014-03-10 20:35:52 +01:00
goto finish ;
}
} else {
2018-05-21 06:10:21 +02:00
const char * p , * q ;
2018-05-22 16:01:21 +02:00
if ( arg_pivot_root_new )
p = prefix_roota ( arg_directory , arg_pivot_root_new ) ;
else
p = arg_directory ;
2018-05-21 06:10:21 +02:00
q = strjoina ( p , " /usr/ " ) ;
2014-03-10 20:35:52 +01:00
2018-05-21 06:10:21 +02:00
if ( laccess ( q , F_OK ) < 0 ) {
log_error ( " Directory %s doesn't look like it has an OS tree. Refusing. " , p ) ;
2014-12-12 03:50:59 +01:00
r = - EINVAL ;
2014-03-10 20:35:52 +01:00
goto finish ;
}
}
2014-12-12 03:50:59 +01:00
2014-02-14 16:35:18 +01:00
} else {
2020-05-29 18:51:20 +02:00
DissectImageFlags dissect_image_flags = DISSECT_IMAGE_REQUIRE_ROOT | DISSECT_IMAGE_RELAX_VAR_CHECK ;
2014-12-12 03:50:59 +01:00
assert ( arg_image ) ;
assert ( ! arg_template ) ;
2016-11-29 18:16:43 +01:00
r = chase_symlinks_and_update ( & arg_image , 0 ) ;
2016-11-24 21:03:36 +01:00
if ( r < 0 )
goto finish ;
2016-11-18 18:38:06 +01:00
if ( arg_ephemeral ) {
_cleanup_free_ char * np = NULL ;
r = tempfn_random ( arg_image , " machine. " , & np ) ;
if ( r < 0 ) {
log_error_errno ( r , " Failed to generate name for image snapshot: %m " ) ;
goto finish ;
}
2019-07-25 11:17:23 +02:00
/* Always take an exclusive lock on our own ephemeral copy. */
r = image_path_lock ( np , LOCK_EX | LOCK_NB , & tree_global_lock , & tree_local_lock ) ;
2016-11-18 18:38:06 +01:00
if ( r < 0 ) {
r = log_error_errno ( r , " Failed to create image lock: %m " ) ;
goto finish ;
}
2019-07-17 10:59:29 +02:00
{
BLOCK_SIGNALS ( SIGINT ) ;
r = copy_file ( arg_image , np , O_EXCL , arg_read_only ? 0400 : 0600 , FS_NOCOW_FL , FS_NOCOW_FL , COPY_REFLINK | COPY_CRTIME | COPY_SIGINT ) ;
}
if ( r = = - EINTR ) {
log_error_errno ( r , " Interrupted while copying image file to %s, removed again. " , np ) ;
goto finish ;
}
2016-11-18 18:38:06 +01:00
if ( r < 0 ) {
r = log_error_errno ( r , " Failed to copy image file: %m " ) ;
goto finish ;
}
2018-04-05 07:26:26 +02:00
free_and_replace ( arg_image , np ) ;
2016-11-18 18:38:06 +01:00
remove_image = true ;
} else {
r = image_path_lock ( arg_image , ( arg_read_only ? LOCK_SH : LOCK_EX ) | LOCK_NB , & tree_global_lock , & tree_local_lock ) ;
if ( r = = - EBUSY ) {
r = log_error_errno ( r , " Disk image %s is currently busy. " , arg_image ) ;
goto finish ;
}
if ( r < 0 ) {
r = log_error_errno ( r , " Failed to create image lock: %m " ) ;
goto finish ;
}
2016-12-07 18:28:13 +01:00
2020-09-15 22:09:08 +02:00
r = verity_settings_load (
& arg_verity_settings ,
arg_image , NULL , NULL ) ;
2020-05-29 18:51:20 +02:00
if ( r < 0 ) {
log_error_errno ( r , " Failed to read verity artefacts for %s: %m " , arg_image ) ;
goto finish ;
2016-12-23 17:10:42 +01:00
}
2020-09-15 22:09:08 +02:00
if ( arg_verity_settings . data_path )
dissect_image_flags | = DISSECT_IMAGE_NO_PARTITION_TABLE ;
2015-01-14 23:09:02 +01:00
}
2016-11-19 00:00:16 +01:00
if ( ! mkdtemp ( tmprootdir ) ) {
2016-11-18 18:38:06 +01:00
r = log_error_errno ( errno , " Failed to create temporary directory: %m " ) ;
2014-02-14 16:35:18 +01:00
goto finish ;
2014-03-10 20:35:52 +01:00
}
2014-02-14 16:35:18 +01:00
2016-11-19 00:00:16 +01:00
remove_tmprootdir = true ;
arg_directory = strdup ( tmprootdir ) ;
2014-03-10 20:35:52 +01:00
if ( ! arg_directory ) {
r = log_oom ( ) ;
goto finish ;
2014-02-14 16:35:18 +01:00
}
2011-03-14 02:40:36 +01:00
2020-09-15 22:09:08 +02:00
r = loop_device_make_by_path (
arg_image ,
arg_read_only ? O_RDONLY : O_RDWR ,
FLAGS_SET ( dissect_image_flags , DISSECT_IMAGE_NO_PARTITION_TABLE ) ? 0 : LO_FLAGS_PARTSCAN ,
& loop ) ;
2016-12-01 20:26:09 +01:00
if ( r < 0 ) {
log_error_errno ( r , " Failed to set up loopback block device: %m " ) ;
2012-12-22 19:29:04 +01:00
goto finish ;
}
2014-03-10 20:35:52 +01:00
2018-03-21 12:10:01 +01:00
r = dissect_image_and_warn (
2016-12-15 17:38:11 +01:00
loop - > fd ,
2018-03-21 12:10:01 +01:00
arg_image ,
2020-09-15 22:09:08 +02:00
& arg_verity_settings ,
2020-06-29 14:19:31 +02:00
NULL ,
2020-05-29 18:51:20 +02:00
dissect_image_flags ,
2016-12-15 17:38:11 +01:00
& dissected_image ) ;
2016-12-01 20:26:09 +01:00
if ( r = = - ENOPKG ) {
2018-03-21 12:10:01 +01:00
/* dissected_image_and_warn() already printed a brief error message. Extend on that with more details */
2016-12-01 20:26:09 +01:00
log_notice ( " Note that the disk image needs to \n "
" a) either contain only a single MBR partition of type 0x83 that is marked bootable \n "
" b) or contain a single GPT partition of type 0FC63DAF-8483-4772-8E79-3D69D8477DE4 \n "
2019-12-19 09:27:10 +01:00
" c) or follow https://systemd.io/DISCOVERABLE_PARTITIONS \n "
2016-12-01 20:26:09 +01:00
" d) or contain a file system without a partition table \n "
" in order to be bootable with systemd-nspawn. " ) ;
2014-03-10 20:35:52 +01:00
goto finish ;
2016-12-01 20:26:09 +01:00
}
2018-03-21 12:10:01 +01:00
if ( r < 0 )
2012-12-22 19:29:04 +01:00
goto finish ;
2014-03-10 20:35:52 +01:00
2020-09-15 22:09:08 +02:00
if ( ! arg_verity_settings . root_hash & & dissected_image - > can_verity )
2016-12-07 18:28:13 +01:00
log_notice ( " Note: image %s contains verity information, but no root hash specified! Proceeding without integrity checking. " , arg_image ) ;
2020-09-15 22:09:08 +02:00
r = dissected_image_decrypt_interactively (
dissected_image ,
NULL ,
& arg_verity_settings ,
0 ,
& decrypted_image ) ;
2014-03-10 20:35:52 +01:00
if ( r < 0 )
goto finish ;
2016-11-18 18:38:06 +01:00
/* Now that we mounted the image, let's try to remove it again, if it is ephemeral */
if ( remove_image & & unlink ( arg_image ) > = 0 )
remove_image = false ;
2012-12-22 19:29:04 +01:00
}
2016-11-30 16:02:47 +01:00
r = custom_mount_prepare_all ( arg_directory , arg_custom_mounts , arg_n_custom_mounts ) ;
2015-05-13 14:04:55 +02:00
if ( r < 0 )
goto finish ;
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( arg_console_mode < 0 )
arg_console_mode =
isatty ( STDIN_FILENO ) > 0 & &
isatty ( STDOUT_FILENO ) > 0 ? CONSOLE_INTERACTIVE : CONSOLE_READ_ONLY ;
2015-02-18 23:32:55 +01:00
nspawn: add support for executing OCI runtime bundles with nspawn
This is a pretty large patch, and adds support for OCI runtime bundles
to nspawn. A new switch --oci-bundle= is added that takes a path to an
OCI bundle. The JSON file included therein is read similar to a .nspawn
settings files, however with a different feature set.
Implementation-wise this mostly extends the pre-existing Settings object
to carry additional properties for OCI. However, OCI supports some
concepts .nspawn files did not support yet, which this patch also adds:
1. Support for "masking" files and directories. This functionatly is now
also available via the new --inaccesible= cmdline command, and
Inaccessible= in .nspawn files.
2. Support for mounting arbitrary file systems. (not exposed through
nspawn cmdline nor .nspawn files, because probably not a good idea)
3. Ability to configure the console settings for a container. This
functionality is now also available on the nspawn cmdline in the new
--console= switch (not added to .nspawn for now, as it is something
specific to the invocation really, not a property of the container)
4. Console width/height configuration. Not exposed through
.nspawn/cmdline, but this may be controlled through $COLUMNS and
$LINES like in most other UNIX tools.
5. UID/GID configuration by raw numbers. (not exposed in .nspawn and on
the cmdline, since containers likely have different user tables, and
the existing --user= switch appears to be the better option)
6. OCI hook commands (no exposed in .nspawn/cmdline, as very specific to
OCI)
7. Creation of additional devices nodes in /dev. Most likely not a good
idea, hence not exposed in .nspawn/cmdline. There's already --bind=
to achieve the same, which is the better alternative.
8. Explicit syscall filters. This is not a good idea, due to the skewed
arch support, hence not exposed through .nspawn/cmdline.
9. Configuration of some sysctls on a whitelist. Questionnable, not
supported in .nspawn/cmdline for now.
10. Configuration of all 5 types of capabilities. Not a useful concept,
since the kernel will reduce the caps on execve() anyway. Not
exposed through .nspawn/cmdline as this is not very useful hence.
Note that this only implements the OCI runtime logic itself. It does not
provide a runc-compatible command line tool. This is left for a later
PR. Only with that in place tools such as "buildah" can use the OCI
support in nspawn as drop-in replacement.
Currently still missing is OCI hook support, but it's already parsed and
everything, and should be easy to add. Other than that it's OCI is
implemented pretty comprehensively.
There's a list of incompatibilities in the nspawn-oci.c file. In a later
PR I'd like to convert this into proper markdown and add it to the
documentation directory.
2018-04-25 11:23:37 +02:00
if ( arg_console_mode = = CONSOLE_PIPE ) /* if we pass STDERR on to the container, don't add our own logs into it too */
arg_quiet = true ;
2011-03-16 02:57:52 +01:00
2015-02-18 23:32:55 +01:00
if ( ! arg_quiet )
log_info ( " Spawning container %s on %s. \n Press ^] three times within 1s to kill container. " ,
arg_machine , arg_image ? : arg_directory ) ;
2015-06-15 20:13:23 +02:00
assert_se ( sigprocmask_many ( SIG_BLOCK , NULL , SIGCHLD , SIGWINCH , SIGTERM , SIGINT , - 1 ) > = 0 ) ;
2011-03-16 02:57:52 +01:00
2018-05-07 19:35:48 +02:00
if ( prctl ( PR_SET_CHILD_SUBREAPER , 1 , 0 , 0 , 0 ) < 0 ) {
2015-05-21 16:30:58 +02:00
r = log_error_errno ( errno , " Failed to become subreaper: %m " ) ;
goto finish ;
}
2020-09-15 19:58:44 +02:00
if ( arg_expose_ports ) {
r = fw_ctx_new ( & fw_ctx ) ;
if ( r < 0 ) {
log_error_errno ( r , " Cannot expose configured ports, firewall initialization failed: %m " ) ;
goto finish ;
}
expose_args . fw_ctx = fw_ctx ;
}
2012-09-06 01:23:41 +02:00
for ( ; ; ) {
2019-06-06 10:05:33 +02:00
r = run_container ( dissected_image ,
2019-03-21 13:35:45 +01:00
secondary ,
fds ,
veth_name , & veth_created ,
2020-09-15 19:58:44 +02:00
& expose_args , & master ,
2019-03-21 13:35:45 +01:00
& pid , & ret ) ;
2016-10-02 21:32:38 +02:00
if ( r < = 0 )
2012-09-06 01:23:41 +02:00
break ;
}
2011-03-14 02:40:36 +01:00
finish :
2019-03-21 16:32:31 +01:00
( void ) sd_notify ( false ,
r = = 0 & & ret = = EXIT_FORCE_RESTART ? " STOPPING=1 \n STATUS=Restarting... " :
" STOPPING=1 \n STATUS=Terminating... " ) ;
2014-08-21 17:19:28 +02:00
2013-06-20 03:45:08 +02:00
if ( pid > 0 )
2016-11-19 00:00:16 +01:00
( void ) kill ( pid , SIGKILL ) ;
2011-03-14 02:40:36 +01:00
2015-06-17 20:54:45 +02:00
/* Try to flush whatever is still queued in the pty */
2016-11-18 23:47:09 +01:00
if ( master > = 0 ) {
2017-02-13 19:00:22 +01:00
( void ) copy_bytes ( master , STDOUT_FILENO , ( uint64_t ) - 1 , 0 ) ;
2016-11-18 23:47:09 +01:00
master = safe_close ( master ) ;
}
if ( pid > 0 )
( void ) wait_for_terminate ( pid , NULL ) ;
2015-06-17 20:54:45 +02:00
2018-05-07 21:18:25 +02:00
pager_close ( ) ;
2016-11-21 20:02:43 +01:00
if ( remove_directory & & arg_directory ) {
2014-12-12 03:50:59 +01:00
int k ;
2016-11-21 20:02:43 +01:00
k = rm_rf ( arg_directory , REMOVE_ROOT | REMOVE_PHYSICAL | REMOVE_SUBVOLUME ) ;
2014-12-12 03:50:59 +01:00
if ( k < 0 )
2016-11-21 20:02:43 +01:00
log_warning_errno ( k , " Cannot remove '%s', ignoring: %m " , arg_directory ) ;
2014-12-12 03:50:59 +01:00
}
2016-11-18 18:38:06 +01:00
if ( remove_image & & arg_image ) {
if ( unlink ( arg_image ) < 0 )
log_warning_errno ( errno , " Can't remove image file '%s', ignoring: %m " , arg_image ) ;
}
2016-11-19 00:00:16 +01:00
if ( remove_tmprootdir ) {
if ( rmdir ( tmprootdir ) < 0 )
log_debug_errno ( errno , " Can't remove temporary root directory '%s', ignoring: %m " , tmprootdir ) ;
}
2014-12-17 21:51:45 +01:00
if ( arg_machine ) {
const char * p ;
2015-02-03 02:05:59 +01:00
p = strjoina ( " /run/systemd/nspawn/propagate/ " , arg_machine ) ;
2015-04-04 11:52:57 +02:00
( void ) rm_rf ( p , REMOVE_ROOT ) ;
2014-12-17 21:51:45 +01:00
}
2020-09-15 19:58:44 +02:00
expose_port_flush ( & fw_ctx , arg_expose_ports , & expose_args . address ) ;
2016-05-09 15:43:51 +02:00
if ( veth_created )
( void ) remove_veth_links ( veth_name , arg_network_veth_extra ) ;
2016-05-06 21:00:27 +02:00
( void ) remove_bridge ( arg_network_zone ) ;
2015-09-06 01:22:14 +02:00
custom_mount_free_all ( arg_custom_mounts , arg_n_custom_mounts ) ;
expose_port_free_all ( arg_expose_ports ) ;
2018-05-07 17:59:18 +02:00
rlimit_free_all ( arg_rlimit ) ;
2019-03-22 17:23:49 +01:00
device_node_array_free ( arg_extra_nodes , arg_n_extra_nodes ) ;
2020-07-23 08:47:08 +02:00
credential_free_all ( arg_credentials , arg_n_credentials ) ;
2015-01-13 13:51:51 +01:00
2019-03-21 13:35:45 +01:00
if ( r < 0 )
return r ;
return ret ;
2011-03-14 02:40:36 +01:00
}
2019-03-21 13:35:45 +01:00
DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE ( run ) ;
