picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Systemd/src/nspawn/nspawn.c

4211 lines
167 KiB
C
Raw Normal View History

Add SPDX license identifiers to source files under the LGPL This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
2017-11-18 17:09:20 +01:00
/* SPDX-License-Identifier: LGPL-2.1+ */
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
/***
This file is part of systemd.
Copyright 2010 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.
2012-04-12 00:20:58 +02:00
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.
2012-04-12 00:20:58 +02:00
Lesser General Public License for more details.
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.
2012-04-12 00:20:58 +02:00
You should have received a copy of the GNU Lesser General Public License
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_BLKID
build-sys: correct blkid.h includes When using pkg-config to determine the include flags for blkid the flags are returned as: $ pkg-config blkid --cflags -I/usr/include/blkid -I/usr/include/uuid We use the <blkid/blkid.h> include which would be correct when using the default compiler /usr/include header search path. However, when cross-compiling the blkid.h will not be installed at /usr/include and highly likely in a temporary system root. It is futher compounded if the cross-compile packages are split up and the blkid package is not available in the same sysroot as the compiler. Regardless of the compilation setup, the correct include path should be <blkid.h> if using the pkg-config returned CFLAGS.
2017-04-06 15:12:17 +02:00
#include <blkid.h>
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#endif
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
#include <errno.h>
#include <getopt.h>
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
#include <grp.h>
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
#include <linux/loop.h>
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
#include <pwd.h>
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include <sched.h>
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_SELINUX
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include <selinux/selinux.h>
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
#endif
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <sys/mount.h>
#include <sys/personality.h>
#include <sys/prctl.h>
#include <sys/types.h>
nspawn: when getting SIGCHLD make sure it's from the first child (#4855) When getting SIGCHLD we should not assume that it was the first child forked from system-nspawn that has died as it may also be coming from an orphan process. This change adds a signal handler that ignores SIGCHLD unless it came from the first containerized child - the real child. Before this change the problem can be reproduced as follows: $ sudo systemd-nspawn --directory=/container-root --share-system Press ^] three times within 1s to kill container. [root@andreyu-coreos ~]# { true & } & [1] 22201 [root@andreyu-coreos ~]# Container root-fedora-latest terminated by signal KILL
2016-12-13 02:38:18 +01:00
#include <sys/wait.h>
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include <unistd.h>
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
nspawn: tweak check whether resolved is around a bit Let's check D-Bus instead of files in /run to see if resolved is running. This is a bit nicer as bus names are automatically cleaned up when resolved dies, which is not the case for files in /run. See: #4649
2017-02-16 17:56:10 +01:00
#include "sd-bus.h"
nspawn: explicitly terminate machines when we exit nspawn https://bugs.freedesktop.org/show_bug.cgi?id=68370 https://bugzilla.redhat.com/show_bug.cgi?id=988883
2013-11-06 02:05:06 +01:00
#include "sd-daemon.h"
#include "sd-id128.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
util-lib: split out allocation calls into alloc-util.[ch]
2015-10-27 03:01:06 +01:00
#include "alloc-util.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "barrier.h"
#include "base-filesystem.h"
#include "blkid-util.h"
#include "btrfs-util.h"
nspawn: tweak check whether resolved is around a bit Let's check D-Bus instead of files in /run to see if resolved is running. This is a bit nicer as bus names are automatically cleaned up when resolved dies, which is not the case for files in /run. See: #4649
2017-02-16 17:56:10 +01:00
#include "bus-util.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "cap-list.h"
src/basic: rename audit.[ch] → audit-util.[ch] and capability.[ch] → capability-util.[ch] The files are named too generically, so that they might conflict with the upstream project headers. Hence, let's add a "-util" suffix, to clarify that this are just our utility headers and not any official upstream headers.
2015-10-26 23:32:16 +01:00
#include "capability-util.h"
nspawn: move container into its own name=systemd cgroup
2011-03-14 22:33:31 +01:00
#include "cgroup-util.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "copy.h"
nspawn: add /dev FD symlinks in container setup This creates /dev/fd, /dev/stdin, /dev/stdout, /dev/stderr, and /dev/core as symlinks to /proc on container creation. Except for /dev/core, these are needed for shells like bash to be fully functional.
2012-08-15 02:00:31 +02:00
#include "dev-setup.h"
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
#include "dissect-image.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "env-util.h"
util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.
2015-10-25 13:14:12 +01:00
#include "fd-util.h"
nspawn: allow passing socket activation fds through nspawn
2012-12-22 19:29:04 +01:00
#include "fdset.h"
honor SELinux labels, when creating and writing config files Also split out some fileio functions to fileio.c and provide a SELinux aware pendant in fileio-label.c see https://bugzilla.redhat.com/show_bug.cgi?id=881577
2013-02-14 12:26:13 +01:00
#include "fileio.h"
Rename formats-util.h to format-util.h We don't have plural in the name of any other -util files and this inconsistency trips me up every time I try to type this file name from memory. "formats-util" is even hard to pronounce.
2016-11-07 16:14:59 +01:00
#include "format-util.h"
util-lib: move a number of fs operations into fs-util.[ch]
2015-10-26 21:16:26 +01:00
#include "fs-util.h"
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
#include "gpt.h"
nspawn/dissect: automatically discover dm-verity verity partitions This adds support for discovering and making use of properly tagged dm-verity data integrity partitions. This extends both systemd-nspawn and systemd-dissect with a new --root-hash= switch that takes the root hash to use for the root partition, and is otherwise fully automatic. Verity partitions are discovered automatically by GPT table type UUIDs, as listed in https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ (which I updated prior to this change, to include new UUIDs for this purpose. mkosi with https://github.com/systemd/mkosi/pull/39 applied may generate images that carry the necessary integrity data. With that PR and this commit, the following simply lines suffice to boot up an integrity-protected container image: ``` # mkdir test # cd test # mkosi --verity # systemd-nspawn -i ./image.raw -bn ``` Note that mkosi writes the image file to "image.raw" next to a a file "image.roothash" that contains the root hash. systemd-nspawn will look for that file and use it if it exists, in case --root-hash= is not specified explicitly.
2016-12-07 18:28:13 +01:00
#include "hexdecoct.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "hostname-util.h"
sd-id128: split UUID file read/write code into new id128-util.[ch] We currently have code to read and write files containing UUIDs at various places. Unify this in id128-util.[ch], and move some other stuff there too. The new files are located in src/libsystemd/sd-id128/ (instead of src/shared/), because they are actually the backend of sd_id128_get_machine() and sd_id128_get_boot(). In follow-up patches we can use this reduce the code in nspawn and machine-id-setup by adopted the common implementation.
2016-07-21 17:57:57 +02:00
#include "id128-util.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "log.h"
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
#include "loop-util.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "loopback-setup.h"
nspawn: use the same image discovery logic in nspawn as in machined
2014-12-27 02:07:29 +01:00
#include "machine-image.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "macro.h"
#include "missing.h"
#include "mkdir.h"
util-lib: move mount related utility calls to mount-util.[ch]
2015-10-26 18:44:13 +01:00
#include "mount-util.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "netlink-util.h"
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-24 22:58:24 +02:00
#include "nspawn-cgroup.h"
nspawn: make recursive chown()ing logic safe for being aborted in the middle We currently use the ownership of the top-level directory as a hint whether we need to descent into the whole tree to chown() it recursively or not. This is problematic with the previous chown()ing algorithm, as when descending into the tree we'd first chown() and then descend further down, which meant that the top-level directory would be chowned first, and an aborted recursive chowning would appear on the next invocation as successful, even though it was not. Let's reshuffle things a bit, to make the re-chown()ing safe regarding interruptions: a) We chown() the dir we are looking at last, and descent into all its children first. That way we know that if the top-level dir is properly owned everything inside of it is properly owned too. b) Before starting a chown()ing operation, we mark the top-level directory as owned by a special "busy" UID range, which we can use to recognize whether a tree was fully chowned: if it is marked as busy, it's definitely not fully chowned, as the busy ownership will only be fixed as final step of the chowning. Fixes: #6292
2017-11-16 19:09:32 +01:00
#include "nspawn-def.h"
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-24 22:58:24 +02:00
#include "nspawn-expose-ports.h"
#include "nspawn-mount.h"
#include "nspawn-network.h"
nspawn: optionally fix up OS tree uid/gids for userns This adds a new --private-userns-chown switch that may be used in combination with --private-userns. If it is passed a recursive chmod() operation is run on the OS tree, fixing all file owner UID/GIDs to the right ranges. This should make user namespacing pretty workable, as the OS trees don't need to be prepared manually anymore.
2016-04-20 22:53:39 +02:00
#include "nspawn-patch-uid.h"
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-24 22:58:24 +02:00
#include "nspawn-register.h"
sd-id128: split UUID file read/write code into new id128-util.[ch] We currently have code to read and write files containing UUIDs at various places. Unify this in id128-util.[ch], and move some other stuff there too. The new files are located in src/libsystemd/sd-id128/ (instead of src/shared/), because they are actually the backend of sd_id128_get_machine() and sd_id128_get_boot(). In follow-up patches we can use this reduce the code in nspawn and machine-id-setup by adopted the common implementation.
2016-07-21 17:57:57 +02:00
#include "nspawn-seccomp.h"
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-24 22:58:24 +02:00
#include "nspawn-settings.h"
#include "nspawn-setuid.h"
nspawn: optionally run a stub init process as PID 1 This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-03 20:32:06 +01:00
#include "nspawn-stub-pid1.h"
util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]
2015-10-26 16:18:16 +01:00
#include "parse-util.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "path-util.h"
shared: add process-util.[ch]
2015-04-10 19:10:00 +02:00
#include "process-util.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "ptyfwd.h"
#include "random-util.h"
util-lib: Add sparc64 support for process creation (#3348) The current raw_clone function takes two arguments, the cloning flags and a pointer to the stack for the cloned child. The raw cloning without passing a "thread main" function does not make sense if a new stack is specified, as it returns in both the parent and the child, which will fail in the child as the stack is virgin. All uses of raw_clone indeed pass NULL for the stack pointer which indicates that both processes should share the stack address (so you better don't pass CLONE_VM). This commit refactors the code to not require the caller to pass the stack address, as NULL is the only sensible option. It also adds the magic code needed to make raw_clone work on sparc64, which does not return 0 in %o0 for the child, but indicates the child process by setting %o1 to non-zero. This refactoring is not plain aesthetic, because non-NULL stack addresses need to get mangled before being passed to the clone syscall (you have to apply STACK_BIAS), whereas NULL must not be mangled. Implementing the conditional mangling of the stack address would needlessly complicate the code. raw_clone is moved to a separete header, because the burden of including the assert machinery and sched.h shouldn't be applied to every user of missing_syscalls.h
2016-05-30 02:03:51 +02:00
#include "raw-clone.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "rm-rf.h"
/dev/console must be labeled with SELinux label If the user specifies an selinux_apifs_context all content created in the container including /dev/console should use this label. Currently when this uses the default label it gets labeled user_devpts_t, which would require us to write a policy allowing container processes to manage user_devpts_t. This means that an escaped process would be allowed to attack all users terminals as well as other container terminals. Changing the label to match the apifs_context, means the processes would only be allowed to manage their specific tty. This change fixes a problem preventing RKT containers from working with systemd-nspawn.
2016-03-09 15:29:25 +01:00
#include "selinux-util.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "signal-util.h"
socket-util: move remaining socket-related calls from util.[ch] to socket-util.[ch]
2015-10-26 01:09:02 +01:00
#include "socket-util.h"
util-lib: split stat()/statfs()/stavfs() related calls into stat-util.[ch]
2015-10-26 22:01:44 +01:00
#include "stat-util.h"
util-lib: split out printf() helpers to stdio-util.h
2015-10-27 01:26:31 +01:00
#include "stdio-util.h"
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.
2015-10-24 22:58:24 +02:00
#include "string-util.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "strv.h"
#include "terminal-util.h"
#include "udev-util.h"
util-lib: split out umask-related code to umask-util.h
2015-10-26 23:20:41 +01:00
#include "umask-util.h"
util-lib: split out user/group/uid/gid calls into user-util.[ch]
2015-10-25 22:32:30 +01:00
#include "user-util.h"
nspawn: sort and clean up included header list Let's remove unnecessary inclusions, and order the list alphabetically as suggested in CODING_STYLE now.
2015-09-07 18:56:54 +02:00
#include "util.h"
seccomp: add helper call to add all secondary archs to a seccomp filter And make use of it where appropriate for executing services and for nspawn.
2014-02-18 22:14:00 +01:00
nspawn: adjust path to static resolv.conf to support split usr Fixes #7302.
2017-11-25 13:11:04 +01:00
#if HAVE_SPLIT_USR
#define STATIC_RESOLV_CONF "/lib/systemd/resolv.conf"
#else
#define STATIC_RESOLV_CONF "/usr/lib/systemd/resolv.conf"
#endif
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
/* nspawn is listening on the socket at the path in the constant nspawn_notify_socket_path
* nspawn_notify_socket_path is relative to the container
* the init process in the container pid can send messages to nspawn following the sd_notify(3) protocol */
#define NSPAWN_NOTIFY_SOCKET_PATH "/run/systemd/nspawn/notify"
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
nspawn: restart the whole systemd-nspawn@.service unit on container reboot (#4613) Since 133 is now used in a few places, add a #define for it. Also make the status message a bit informative. Another issue introduced in b006762. The logic was borked, we were supposed to return 0 to break the loop, and 133 to restart the container, not the other way around. But this doesn't seem to work, reboot fails with: Nov 08 00:41:32 laptop systemd-nspawn[26564]: Failed to register machine: Machine 'fedora-rawhide' already exists So actually the version before this patch worked better, since 133 > 0 and we'd at least loop internally.
2016-11-14 11:49:49 +01:00
#define EXIT_FORCE_RESTART 133
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
typedef enum ContainerStatus {
CONTAINER_TERMINATED,
CONTAINER_REBOOTED
} ContainerStatus;
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
typedef enum LinkJournal {
LINK_NO,
LINK_AUTO,
LINK_HOST,
LINK_GUEST
} LinkJournal;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
static char *arg_directory = NULL;
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
static char *arg_template = NULL;
nspawn: add new --chdir= switch Fixes: #2192
2016-02-02 01:52:01 +01:00
static char *arg_chdir = NULL;
nspawn: Add support for sysroot pivoting (#5258) Add a new --pivot-root argument to systemd-nspawn, which specifies a directory to pivot to / inside the container; while the original / is pivoted to another specified directory (if provided). This adds support for booting container images which may contain several bootable sysroots, as is common with OSTree disk images. When these disk images are booted on real hardware, ostree-prepare-root is run in conjunction with sysroot.mount in the initramfs to achieve the same results.
2017-02-08 16:54:31 +01:00
static char *arg_pivot_root_new = NULL;
static char *arg_pivot_root_old = NULL;
nspawn: spawn shell under specified --user Add -u/--user option, which changes the effective and real user and group id to the new value. The user must exists in the chroot, otherwise it will fail. Both username and user id are accepted. The user home is created as well. It also setup HOME, USER, LOGNAME and SHELL variables .
2011-06-29 14:22:46 +02:00
static char *arg_user = NULL;
logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.
2013-06-20 03:45:08 +02:00
static sd_id128_t arg_uuid = {};
nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.
2013-04-16 04:36:06 +02:00
static char *arg_machine = NULL;
nspawn: add new switch --network-macvlan= to add a macvlan device to the container
2014-02-25 02:27:39 +01:00
static const char *arg_selinux_context = NULL;
static const char *arg_selinux_apifs_context = NULL;
logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.
2013-06-20 03:45:08 +02:00
static const char *arg_slice = NULL;
exec: introduce PrivateNetwork= process option to turn off network access to specific services
2011-08-02 05:24:58 +02:00
static bool arg_private_network = false;
nspawn: add --read-only switch
2012-04-25 15:11:20 +02:00
static bool arg_read_only = false;
nspawn: optionally run a stub init process as PID 1 This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-03 20:32:06 +01:00
static StartMode arg_start_mode = START_PID1;
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
static bool arg_ephemeral = false;
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
static LinkJournal arg_link_journal = LINK_AUTO;
nspawn: Add try-{host,guest} journal link modes --link-journal={host,guest} fail if the host does not have persistent journalling enabled and /var/log/journal/ does not exist. Even worse, as there is no stdout/err any more, there is no error message to point that out. Introduce two new modes "try-host" and "try-guest" which don't fail in this case, and instead just silently skip the guest journal setup. Change -j to mean "try-guest" instead of "guest", and fix the wrong --help output for it (it said "host" before). Change systemd-nspawn@.service.in to use "try-guest" so that this unit works with both persistent and non-persistent journals on the host without failing. https://bugs.debian.org/770275
2014-11-20 14:30:52 +01:00
static bool arg_link_journal_try = false;
nspawn: rename arg_retain to arg_caps_retain The argument is about capabilities.
2016-05-26 13:06:55 +02:00
static uint64_t arg_caps_retain =
nspawn: order caps to retain alphabetically
2016-06-10 17:31:06 +02:00
(1ULL << CAP_AUDIT_CONTROL) |
(1ULL << CAP_AUDIT_WRITE) |
nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case
2012-06-28 13:44:39 +02:00
(1ULL << CAP_CHOWN) |
(1ULL << CAP_DAC_OVERRIDE) |
(1ULL << CAP_DAC_READ_SEARCH) |
(1ULL << CAP_FOWNER) |
(1ULL << CAP_FSETID) |
(1ULL << CAP_IPC_OWNER) |
(1ULL << CAP_KILL) |
(1ULL << CAP_LEASE) |
(1ULL << CAP_LINUX_IMMUTABLE) |
nspawn: order caps to retain alphabetically
2016-06-10 17:31:06 +02:00
(1ULL << CAP_MKNOD) |
nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case
2012-06-28 13:44:39 +02:00
(1ULL << CAP_NET_BIND_SERVICE) |
(1ULL << CAP_NET_BROADCAST) |
(1ULL << CAP_NET_RAW) |
(1ULL << CAP_SETFCAP) |
nspawn: order caps to retain alphabetically
2016-06-10 17:31:06 +02:00
(1ULL << CAP_SETGID) |
nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case
2012-06-28 13:44:39 +02:00
(1ULL << CAP_SETPCAP) |
(1ULL << CAP_SETUID) |
(1ULL << CAP_SYS_ADMIN) |
nspawn: order caps to retain alphabetically
2016-06-10 17:31:06 +02:00
(1ULL << CAP_SYS_BOOT) |
nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case
2012-06-28 13:44:39 +02:00
(1ULL << CAP_SYS_CHROOT) |
(1ULL << CAP_SYS_NICE) |
(1ULL << CAP_SYS_PTRACE) |
nspawn: handle poweroff/reboot nicely in containers
2012-09-06 01:23:41 +02:00
(1ULL << CAP_SYS_RESOURCE) |
nspawn: order caps to retain alphabetically
2016-06-10 17:31:06 +02:00
(1ULL << CAP_SYS_TTY_CONFIG);
nspawn: rework custom mount point order, and add support for overlayfs Previously all bind mount mounts were applied in the order specified, followed by all tmpfs mounts in the order specified. This is problematic, if bind mounts shall be placed within tmpfs mounts. This patch hence reworks the custom mount point logic, and alwas applies them in strict prefix-first order. This means the order of mounts specified on the command line becomes irrelevant, the right operation will always be executed. While we are at it this commit also adds native support for overlayfs mounts, as supported by recent kernels.
2015-05-13 14:04:55 +02:00
static CustomMount *arg_custom_mounts = NULL;
static unsigned arg_n_custom_mounts = 0;
nspawn: add new --setenv= switch to set an environment variable for the container to spawn
2013-12-13 16:37:16 +01:00
static char **arg_setenv = NULL;
nspawn: add --quiet switch for turning off any output noise
2014-02-06 00:43:14 +01:00
static bool arg_quiet = false;
nspawn: add --register=yes|no switch to optionally disable registration of the container with machined
2014-02-10 15:36:32 +01:00
static bool arg_register = true;
machined: optionally, allow registration of pre-existing units (scopes or services) as machine with machined
2014-02-11 17:15:38 +01:00
static bool arg_keep_unit = false;
nspawn: add new --network-interface= switch to move an existing interface into the container
2014-02-13 03:27:39 +01:00
static char **arg_network_interfaces = NULL;
nspawn: add new switch --network-macvlan= to add a macvlan device to the container
2014-02-25 02:27:39 +01:00
static char **arg_network_macvlan = NULL;
nspawn: add ipvlan support
2015-01-20 00:18:28 +01:00
static char **arg_network_ipvlan = NULL;
nspawn: add new --network-veth switch to add a virtual ethernet link to the host
2014-02-13 18:47:20 +01:00
static bool arg_network_veth = false;
nspawn: add new --network-veth-extra= switch for defining additional veth links The new switch operates like --network-veth, but may be specified multiple times (to define multiple link pairs) and allows flexible definition of the interface names. This is an independent reimplementation of #1678, but defines different semantics, keeping the behaviour completely independent of --network-veth. It also comes will full hook-up for .nspawn files, and the matching documentation.
2015-11-12 21:54:28 +01:00
static char **arg_network_veth_extra = NULL;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
static char *arg_network_bridge = NULL;
nspawn: add new --network-zone= switch for automatically managed bridge devices This adds a new concept of network "zones", which are little more than bridge devices that are automatically managed by nspawn: when the first container referencing a bridge is started, the bridge device is created, when the last container referencing it is removed the bridge device is removed again. Besides this logic --network-zone= is pretty much identical to --network-bridge=. The usecase for this is to make it easy to run multiple related containers (think MySQL in one and Apache in another) in a common, named virtual Ethernet broadcast zone, that only exists as long as one of them is running, and fully automatically managed otherwise.
2016-05-06 21:00:27 +02:00
static char *arg_network_zone = NULL;
nspawn: introduce an option for specifying network namespace path Add a new option `--network-namespace-path` to systemd-nspawn to allow users to specify an arbitrary network namespace, e.g. `/run/netns/foo`. Then systemd-nspawn will open the netns file, pass the fd to outer_child, and enter the namespace represented by the fd before running inner_child. ``` $ sudo ip netns add foo $ mount | grep /run/netns/foo nsfs on /run/netns/foo type nsfs (rw) ... $ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \ /bin/readlink -f /proc/self/ns/net /proc/1/ns/net:[4026532009] ``` Note that the option `--network-namespace-path=` cannot be used together with other network-related options such as `--private-network` so that the options do not conflict with each other. Fixes https://github.com/systemd/systemd/issues/7361
2017-11-24 18:22:17 +01:00
static char *arg_network_namespace_path = NULL;
util: introduce PERSONALITY_INVALID as macro for 0xffffffffLU
2015-05-21 19:48:49 +02:00
static unsigned long arg_personality = PERSONALITY_INVALID;
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
static char *arg_image = NULL;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
static VolatileMode arg_volatile_mode = VOLATILE_NO;
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
static ExposePort *arg_expose_ports = NULL;
nspawn: add support for --property= to set scope properties This is similar to systemd-run's --property= setting.
2015-02-18 19:38:55 +01:00
static char **arg_property = NULL;
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
static UserNamespaceMode arg_userns_mode = USER_NAMESPACE_NO;
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
static uid_t arg_uid_shift = UID_INVALID, arg_uid_range = 0x10000U;
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
static bool arg_userns_chown = false;
nspawn: make kill signal to use for PID 1 configurable
2015-02-25 22:04:48 +01:00
static int arg_kill_signal = 0;
core: use the unified hierarchy for the systemd cgroup controller hierarchy Currently, systemd uses either the legacy hierarchies or the unified hierarchy. When the legacy hierarchies are used, systemd uses a named legacy hierarchy mounted on /sys/fs/cgroup/systemd without any kernel controllers for process management. Due to the shortcomings in the legacy hierarchy, this involves a lot of workarounds and complexities. Because the unified hierarchy can be mounted and used in parallel to legacy hierarchies, there's no reason for systemd to use a legacy hierarchy for management even if the kernel resource controllers need to be mounted on legacy hierarchies. It can simply mount the unified hierarchy under /sys/fs/cgroup/systemd and use it without affecting other legacy hierarchies. This disables a significant amount of fragile workaround logics and would allow using features which depend on the unified hierarchy membership such bpf cgroup v2 membership test. In time, this would also allow deleting the said complexities. This patch updates systemd so that it prefers the unified hierarchy for the systemd cgroup controller hierarchy when legacy hierarchies are used for kernel resource controllers. * cg_unified(@controller) is introduced which tests whether the specific controller in on unified hierarchy and used to choose the unified hierarchy code path for process and service management when available. Kernel controller specific operations remain gated by cg_all_unified(). * "systemd.legacy_systemd_cgroup_controller" kernel argument can be used to force the use of legacy hierarchy for systemd cgroup controller. * nspawn: By default nspawn uses the same hierarchies as the host. If UNIFIED_CGROUP_HIERARCHY is set to 1, unified hierarchy is used for all. If 0, legacy for all. * nspawn: arg_unified_cgroup_hierarchy is made an enum and now encodes one of three options - legacy, only systemd controller on unified, and unified. The value is passed into mount setup functions and controls cgroup configuration. * nspawn: Interpretation of SYSTEMD_CGROUP_CONTROLLER to the actual mount option is moved to mount_legacy_cgroup_hierarchy() so that it can take an appropriate action depending on the configuration of the host. v2: - CGroupUnified enum replaces open coded integer values to indicate the cgroup operation mode. - Various style updates. v3: Fixed a bug in detect_unified_cgroup_hierarchy() introduced during v2. v4: Restored legacy container on unified host support and fixed another bug in detect_unified_cgroup_hierarchy().
2016-08-16 00:13:36 +02:00
static CGroupUnified arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_UNKNOWN;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
static SettingsMask arg_settings_mask = 0;
static int arg_settings_trusted = -1;
static char **arg_parameters = NULL;
nspawn: support custom container service name We were hardcoding "systemd-nspawn" as the value of the $container env variable and "nspawn" as the service string in machined registration. This commit allows the user to configure it by setting the $SYSTEMD_NSPAWN_CONTAINER_SERVICE env variable when calling systemd-nspawn. If $SYSTEMD_NSPAWN_CONTAINER_SERVICE is not set, we use the string "systemd-nspawn" for both, fixing the previous inconsistency.
2015-11-09 11:32:34 +01:00
static const char *arg_container_service_name = "systemd-nspawn";
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
static bool arg_notify_ready = false;
nspawn: add SYSTEMD_NSPAWN_USE_CGNS env variable (#3809) SYSTEMD_NSPAWN_USE_CGNS allows to disable the use of cgroup namespaces.
2016-07-26 16:49:15 +02:00
static bool arg_use_cgns = true;
nspawn: split down SYSTEMD_NSPAWN_SHARE_SYSTEM (#4023) This commit follows further on the deprecation path for --share-system, by splitting and gating each share-able namespace behind its own environment flag.
2016-08-26 00:08:26 +02:00
static unsigned long arg_clone_ns_flags = CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS;
nspawn: R/W support for /sys, and /proc/sys This commit adds the possibility to leave /sys, and /proc/sys read-write. It introduces a new (undocumented) env var SYSTEMD_NSPAWN_API_VFS_WRITABLE to enable this feature. If set to "yes", /sys, and /proc/sys will be read-write. If set to "no", /sys, and /proc/sys will be read-only. If set to "network" /proc/sys/net will be read-write. This is useful in use-cases, where systemd-nspawn is used in an external network namespace. This adds the possibility to start privileged containers which need more control over settings in the /proc, and /sys filesystem. This is also a follow-up on the discussion from https://github.com/systemd/systemd/pull/4018#r76971862 where an introduction of a simple env var to enable R/W support for those directories was already discussed.
2016-10-14 14:00:15 +02:00
static MountSettingsMask arg_mount_settings = MOUNT_APPLY_APIVFS_RO;
nspawn/dissect: automatically discover dm-verity verity partitions This adds support for discovering and making use of properly tagged dm-verity data integrity partitions. This extends both systemd-nspawn and systemd-dissect with a new --root-hash= switch that takes the root hash to use for the root partition, and is otherwise fully automatic. Verity partitions are discovered automatically by GPT table type UUIDs, as listed in https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ (which I updated prior to this change, to include new UUIDs for this purpose. mkosi with https://github.com/systemd/mkosi/pull/39 applied may generate images that carry the necessary integrity data. With that PR and this commit, the following simply lines suffice to boot up an integrity-protected container image: ``` # mkdir test # cd test # mkosi --verity # systemd-nspawn -i ./image.raw -bn ``` Note that mkosi writes the image file to "image.raw" next to a a file "image.roothash" that contains the root hash. systemd-nspawn will look for that file and use it if it exists, in case --root-hash= is not specified explicitly.
2016-12-07 18:28:13 +01:00
static void *arg_root_hash = NULL;
static size_t arg_root_hash_size = 0;
nspawn: implement configurable syscall whitelisting/blacklisting Now that we have ported nspawn's seccomp code to the generic code in seccomp-util, let's extend it to support whitelisting and blacklisting of specific additional syscalls. This uses similar syntax as PID1's support for system call filtering, but in contrast to that always implements a blacklist (and not a whitelist), as we prepopulate the filter with a blacklist, and the unit's system call filter logic does not come with anything prepopulated. (Later on we might actually want to invert the logic here, and whitelist rather than blacklist things, but at this point let's not do that. In case we switch this over later, the syscall add/remove logic of this commit should be compatible conceptually.) Fixes: #5163 Replaces: #5944
2017-09-11 17:45:21 +02:00
static char **arg_syscall_whitelist = NULL;
static char **arg_syscall_blacklist = NULL;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
Unify parse_argv style getopt is usually good at printing out a nice error message when commandline options are invalid. It distinguishes between an unknown option and a known option with a missing arg. It is better to let it do its job and not use opterr=0 unless we actually want to suppress messages. So remove opterr=0 in the few places where it wasn't really useful. When an error in options is encountered, we should not print a lengthy help() and overwhelm the user, when we know precisely what is wrong with the commandline. In addition, since help() prints to stdout, it should not be used except when requested with -h or --help. Also, simplify things here and there.
2014-08-02 17:12:21 +02:00
static void help(void) {
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n"
"Spawn a minimal namespace container for debugging, testing and building.\n\n"
Add SELinux support to systemd-nspawn This patch adds to new options: -Z PROCESS_LABEL This specifies the process label to run on processes run within the container. -L FILE_LABEL The file label to assign to memory file systems created within the container. For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
2014-01-30 22:28:02 +01:00
" -h --help Show this help\n"
" --version Print version string\n"
nspawn: add new --network-veth switch to add a virtual ethernet link to the host
2014-02-13 18:47:20 +01:00
" -q --quiet Do not show status information\n"
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
" -D --directory=PATH Root directory for the container\n"
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
" --template=PATH Initialize root directory from template directory,\n"
" if missing\n"
" -x --ephemeral Run container with snapshot of root directory, and\n"
" remove it after exit\n"
" -i --image=PATH File system device or disk image for the container\n"
nspawn/dissect: automatically discover dm-verity verity partitions This adds support for discovering and making use of properly tagged dm-verity data integrity partitions. This extends both systemd-nspawn and systemd-dissect with a new --root-hash= switch that takes the root hash to use for the root partition, and is otherwise fully automatic. Verity partitions are discovered automatically by GPT table type UUIDs, as listed in https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ (which I updated prior to this change, to include new UUIDs for this purpose. mkosi with https://github.com/systemd/mkosi/pull/39 applied may generate images that carry the necessary integrity data. With that PR and this commit, the following simply lines suffice to boot up an integrity-protected container image: ``` # mkdir test # cd test # mkosi --verity # systemd-nspawn -i ./image.raw -bn ``` Note that mkosi writes the image file to "image.raw" next to a a file "image.roothash" that contains the root hash. systemd-nspawn will look for that file and use it if it exists, in case --root-hash= is not specified explicitly.
2016-12-07 18:28:13 +01:00
" --root-hash=HASH Specify verity root hash\n"
nspawn: optionally run a stub init process as PID 1 This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-03 20:32:06 +01:00
" -a --as-pid2 Maintain a stub init as PID1, invoke binary as PID2\n"
Add SELinux support to systemd-nspawn This patch adds to new options: -Z PROCESS_LABEL This specifies the process label to run on processes run within the container. -L FILE_LABEL The file label to assign to memory file systems created within the container. For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
2014-01-30 22:28:02 +01:00
" -b --boot Boot up full system (i.e. invoke init)\n"
nspawn: add new --chdir= switch Fixes: #2192
2016-02-02 01:52:01 +01:00
" --chdir=PATH Set working directory in the container\n"
nspawn: Add support for sysroot pivoting (#5258) Add a new --pivot-root argument to systemd-nspawn, which specifies a directory to pivot to / inside the container; while the original / is pivoted to another specified directory (if provided). This adds support for booting container images which may contain several bootable sysroots, as is common with OSTree disk images. When these disk images are booted on real hardware, ostree-prepare-root is run in conjunction with sysroot.mount in the initramfs to achieve the same results.
2017-02-08 16:54:31 +01:00
" --pivot-root=PATH[:PATH]\n"
" Pivot root to given directory in the container\n"
Add SELinux support to systemd-nspawn This patch adds to new options: -Z PROCESS_LABEL This specifies the process label to run on processes run within the container. -L FILE_LABEL The file label to assign to memory file systems created within the container. For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
2014-01-30 22:28:02 +01:00
" -u --user=USER Run the command under specified user or uid\n"
" -M --machine=NAME Set the machine name for the container\n"
nspawn: add new --network-veth switch to add a virtual ethernet link to the host
2014-02-13 18:47:20 +01:00
" --uuid=UUID Set a specific machine UUID for the container\n"
Add SELinux support to systemd-nspawn This patch adds to new options: -Z PROCESS_LABEL This specifies the process label to run on processes run within the container. -L FILE_LABEL The file label to assign to memory file systems created within the container. For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
2014-01-30 22:28:02 +01:00
" -S --slice=SLICE Place the container in the specified slice\n"
nspawn: add support for --property= to set scope properties This is similar to systemd-run's --property= setting.
2015-02-18 19:38:55 +01:00
" --property=NAME=VALUE Set scope unit property\n"
nspawn,resolve: short --help output to fit within 80 columns make dist-check-help FTW!
2016-08-04 02:05:37 +02:00
" -U --private-users=pick Run within user namespace, autoselect UID/GID range\n"
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
" --private-users[=UIDBASE[:NUIDS]]\n"
nspawn,resolve: short --help output to fit within 80 columns make dist-check-help FTW!
2016-08-04 02:05:37 +02:00
" Similar, but with user configured UID/GID range\n"
nspawn, NEWS: add missing "s" in --private-users-chown (#4438)
2016-10-21 05:03:26 +02:00
" --private-users-chown Adjust OS tree ownership to private UID/GID range\n"
nspawn: add new --network-veth switch to add a virtual ethernet link to the host
2014-02-13 18:47:20 +01:00
" --private-network Disable network in container\n"
" --network-interface=INTERFACE\n"
" Assign an existing network interface to the\n"
" container\n"
nspawn: add new switch --network-macvlan= to add a macvlan device to the container
2014-02-25 02:27:39 +01:00
" --network-macvlan=INTERFACE\n"
" Create a macvlan network interface based on an\n"
" existing network interface to the container\n"
nspawn: add ipvlan support
2015-01-20 00:18:28 +01:00
" --network-ipvlan=INTERFACE\n"
" Create a ipvlan network interface based on an\n"
" existing network interface to the container\n"
doc: correct orthography, word forms and missing/extraneous words
2014-08-03 07:11:37 +02:00
" -n --network-veth Add a virtual Ethernet connection between host\n"
nspawn: add new --network-veth switch to add a virtual ethernet link to the host
2014-02-13 18:47:20 +01:00
" and container\n"
nspawn: add new --network-veth-extra= switch for defining additional veth links The new switch operates like --network-veth, but may be specified multiple times (to define multiple link pairs) and allows flexible definition of the interface names. This is an independent reimplementation of #1678, but defines different semantics, keeping the behaviour completely independent of --network-veth. It also comes will full hook-up for .nspawn files, and the matching documentation.
2015-11-12 21:54:28 +01:00
" --network-veth-extra=HOSTIF[:CONTAINERIF]\n"
" Add an additional virtual Ethernet link between\n"
" host and container\n"
nspawn: add new --network-bridge= switch This adds the host side of the veth link to the given bridge. Also refactor the creation of the veth interfaces a bit to set it up from the host rather than the container. This simplifies the addition to the bridge, but otherwise the behavior is unchanged.
2014-02-16 21:12:47 +01:00
" --network-bridge=INTERFACE\n"
nspawn,resolve: short --help output to fit within 80 columns make dist-check-help FTW!
2016-08-04 02:05:37 +02:00
" Add a virtual Ethernet connection to the container\n"
" and attach it to an existing bridge on the host\n"
" --network-zone=NAME Similar, but attach the new interface to an\n"
" an automatically managed bridge interface\n"
nspawn: introduce an option for specifying network namespace path Add a new option `--network-namespace-path` to systemd-nspawn to allow users to specify an arbitrary network namespace, e.g. `/run/netns/foo`. Then systemd-nspawn will open the netns file, pass the fd to outer_child, and enter the namespace represented by the fd before running inner_child. ``` $ sudo ip netns add foo $ mount | grep /run/netns/foo nsfs on /run/netns/foo type nsfs (rw) ... $ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \ /bin/readlink -f /proc/self/ns/net /proc/1/ns/net:[4026532009] ``` Note that the option `--network-namespace-path=` cannot be used together with other network-related options such as `--private-network` so that the options do not conflict with each other. Fixes https://github.com/systemd/systemd/issues/7361
2017-11-24 18:22:17 +01:00
" --network-namespace-path=PATH\n"
" Set network namespace to the one represented by\n"
" the specified kernel namespace file node\n"
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
" -p --port=[PROTOCOL:]HOSTPORT[:CONTAINERPORT]\n"
nspawn: --help typo fix
2015-01-13 20:59:07 +01:00
" Expose a container IP port on the host\n"
nspawn,man: use a common vocabulary when referring to selinux security contexts Let's always call the security labels the same way: SMACK: "Smack Label" SELINUX: "SELinux Security Context" And the low-level encapsulation is called "seclabel". Now let's hope we stick to this vocabulary in future, too, and don't mix "label"s and "security contexts" and so on wildly.
2014-02-10 12:32:03 +01:00
" -Z --selinux-context=SECLABEL\n"
" Set the SELinux security context to be used by\n"
" processes in the container\n"
" -L --selinux-apifs-context=SECLABEL\n"
" Set the SELinux security context to be used by\n"
" API/tmpfs file systems in the container\n"
Add SELinux support to systemd-nspawn This patch adds to new options: -Z PROCESS_LABEL This specifies the process label to run on processes run within the container. -L FILE_LABEL The file label to assign to memory file systems created within the container. For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
2014-01-30 22:28:02 +01:00
" --capability=CAP In addition to the default, retain specified\n"
" capability\n"
" --drop-capability=CAP Drop the specified capability from the default set\n"
nspawn: implement configurable syscall whitelisting/blacklisting Now that we have ported nspawn's seccomp code to the generic code in seccomp-util, let's extend it to support whitelisting and blacklisting of specific additional syscalls. This uses similar syntax as PID1's support for system call filtering, but in contrast to that always implements a blacklist (and not a whitelist), as we prepopulate the filter with a blacklist, and the unit's system call filter logic does not come with anything prepopulated. (Later on we might actually want to invert the logic here, and whitelist rather than blacklist things, but at this point let's not do that. In case we switch this over later, the syscall add/remove logic of this commit should be compatible conceptually.) Fixes: #5163 Replaces: #5944
2017-09-11 17:45:21 +02:00
" --system-call-filter=LIST|~LIST\n"
" Permit/prohibit specific system calls\n"
nspawn: make kill signal to use for PID 1 configurable
2015-02-25 22:04:48 +01:00
" --kill-signal=SIGNAL Select signal to use for shutting down PID 1\n"
nspawn: make sure --help fits it 79ch
2016-02-03 20:33:38 +01:00
" --link-journal=MODE Link up guest journal, one of no, auto, guest, \n"
" host, try-guest, try-host\n"
nspawn: Add try-{host,guest} journal link modes --link-journal={host,guest} fail if the host does not have persistent journalling enabled and /var/log/journal/ does not exist. Even worse, as there is no stdout/err any more, there is no error message to point that out. Introduce two new modes "try-host" and "try-guest" which don't fail in this case, and instead just silently skip the guest journal setup. Change -j to mean "try-guest" instead of "guest", and fix the wrong --help output for it (it said "host" before). Change systemd-nspawn@.service.in to use "try-guest" so that this unit works with both persistent and non-persistent journals on the host without failing. https://bugs.debian.org/770275
2014-11-20 14:30:52 +01:00
" -j Equivalent to --link-journal=try-guest\n"
nspawn: add new --network-veth switch to add a virtual ethernet link to the host
2014-02-13 18:47:20 +01:00
" --read-only Mount the root directory read-only\n"
nspawn: add (no)rbind option to --bind and --bind-ro --bind and --bind-ro perform the bind mount non-recursively. It is sometimes (often?) desirable to do a recursive mount. This patch adds an optional set of bind mount options in the form of: --bind=src-path:dst-path:options options are comma separated and currently only "rbind" and "norbind" are allowed. Default value is "rbind".
2015-07-22 00:48:38 +02:00
" --bind=PATH[:PATH[:OPTIONS]]\n"
" Bind mount a file or directory from the host into\n"
Add SELinux support to systemd-nspawn This patch adds to new options: -Z PROCESS_LABEL This specifies the process label to run on processes run within the container. -L FILE_LABEL The file label to assign to memory file systems created within the container. For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
2014-01-30 22:28:02 +01:00
" the container\n"
nspawn: add (no)rbind option to --bind and --bind-ro --bind and --bind-ro perform the bind mount non-recursively. It is sometimes (often?) desirable to do a recursive mount. This patch adds an optional set of bind mount options in the form of: --bind=src-path:dst-path:options options are comma separated and currently only "rbind" and "norbind" are allowed. Default value is "rbind".
2015-07-22 00:48:38 +02:00
" --bind-ro=PATH[:PATH[:OPTIONS]\n"
" Similar, but creates a read-only bind mount\n"
nspawn: add new --tmpfs= option to mount a tmpfs on specific directories, such as /var
2014-06-11 00:44:30 +02:00
" --tmpfs=PATH:[OPTIONS] Mount an empty tmpfs to the specified directory\n"
nspawn: rework custom mount point order, and add support for overlayfs Previously all bind mount mounts were applied in the order specified, followed by all tmpfs mounts in the order specified. This is problematic, if bind mounts shall be placed within tmpfs mounts. This patch hence reworks the custom mount point logic, and alwas applies them in strict prefix-first order. This means the order of mounts specified on the command line becomes irrelevant, the right operation will always be executed. While we are at it this commit also adds native support for overlayfs mounts, as supported by recent kernels.
2015-05-13 14:04:55 +02:00
" --overlay=PATH[:PATH...]:PATH\n"
" Create an overlay mount from the host to \n"
" the container\n"
" --overlay-ro=PATH[:PATH...]:PATH\n"
" Similar, but creates a read-only overlay mount\n"
nspawn: add -E as alias for --setenv v2: - "=" is required, so remove the <optional> tags that v1 added
2016-04-20 03:54:55 +02:00
" -E --setenv=NAME=VALUE Pass an environment variable to PID 1\n"
nspawn: add --register=yes|no switch to optionally disable registration of the container with machined
2014-02-10 15:36:32 +01:00
" --register=BOOLEAN Register container as machine\n"
machined: optionally, allow registration of pre-existing units (scopes or services) as machine with machined
2014-02-11 17:15:38 +01:00
" --keep-unit Do not register a scope for the machine, reuse\n"
nspawn: add new --volatile switch for booting containers in volatile (ephemeral) mode Two modes are supported: --volatile=yes mounts only /usr into the container, and a tmpfs as root directory. --volatile=state mounts the full OS tree in, but overmounts /var with a tmpfs. --volatile=yes hence boots with an unpopulated /etc and /var, starting with pristine configuration and state. --volatile=state hence boots with an unpopulated /var, only starting with pristine state.
2014-07-04 03:22:33 +02:00
" the service unit nspawn is running in\n"
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
" --volatile[=MODE] Run the system in volatile mode\n"
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
" --settings=BOOLEAN Load additional settings from .nspawn file\n"
nspawn,resolve: short --help output to fit within 80 columns make dist-check-help FTW!
2016-08-04 02:05:37 +02:00
" --notify-ready=BOOLEAN Receive notifications from the child init process\n"
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
, program_invocation_short_name);
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
}
nspawn: permit prefixing of source paths in --bind= and --overlay= with "+" If a source path is prefixed with "+" it is taken relative to the container's root directory instead of the host. This permits easily establishing bind and overlay mounts based on data from the container rather than the host. This also reworks custom_mounts_prepare(), and turns it into two functions: one custom_mount_check_all() that remains in nspawn.c but purely verifies the validity of the custom mounts configured. And one called custom_mount_prepare_all() that actually does the preparation step, sorts the custom mounts, resolves relative paths, and allocates temporary directories as necessary.
2016-11-30 16:02:47 +01:00
static int custom_mount_check_all(void) {
nspawn: rework custom mount point order, and add support for overlayfs Previously all bind mount mounts were applied in the order specified, followed by all tmpfs mounts in the order specified. This is problematic, if bind mounts shall be placed within tmpfs mounts. This patch hence reworks the custom mount point logic, and alwas applies them in strict prefix-first order. This means the order of mounts specified on the command line becomes irrelevant, the right operation will always be executed. While we are at it this commit also adds native support for overlayfs mounts, as supported by recent kernels.
2015-05-13 14:04:55 +02:00
unsigned i;
for (i = 0; i < arg_n_custom_mounts; i++) {
CustomMount *m = &arg_custom_mounts[i];
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
if (path_equal(m->destination, "/") && arg_userns_mode != USER_NAMESPACE_NO) {
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
if (arg_userns_chown) {
log_error("--private-users-chown may not be combined with custom root mounts.");
return -EINVAL;
} else if (arg_uid_shift == UID_INVALID) {
log_error("--private-users with automatic UID shift may not be combined with custom root mounts.");
return -EINVAL;
}
nspawn: Communicate determined UID shift to parent There is logic to determine the UID shift from the file-system, rather than having it be explicitly passed in. However, this needs to happen in the child process that sets up the mounts, as what's important is the UID of the mounted root, rather than the mount-point. Setting up the UID map needs to happen in the parent becuase the inner child needs to have been started, and the outer child is no longer able to access the uid_map file, since it lost access to it when setting up the mounts for the inner child. So we need to communicate the uid shift back out, along with the PID of the inner child process. Failing to communicate this means that the invalid UID shift, which is the value used to specify "this needs to be determined from the file system" is left invalid, so setting up the user namespace's UID shift fails.
2015-06-30 15:41:41 +02:00
}
nspawn: rework custom mount point order, and add support for overlayfs Previously all bind mount mounts were applied in the order specified, followed by all tmpfs mounts in the order specified. This is problematic, if bind mounts shall be placed within tmpfs mounts. This patch hence reworks the custom mount point logic, and alwas applies them in strict prefix-first order. This means the order of mounts specified on the command line becomes irrelevant, the right operation will always be executed. While we are at it this commit also adds native support for overlayfs mounts, as supported by recent kernels.
2015-05-13 14:04:55 +02:00
}
return 0;
}
nspawn: figure out cgroup mode *after* mounting image If we operate on a disk image (i.e. --image=) then it's pointless to look into the mount directory before it is actually mounted to see which systemd version is running inside... Unfortunately we only mount the disk image in the child process, but the parent needs to know the cgroup mode, hence add some IPC for this purpose and communicate the cgroup mode determined from the image back to the parent.
2017-11-27 20:49:35 +01:00
static int detect_unified_cgroup_hierarchy_from_environment(void) {
core: unified cgroup hierarchy support This patch set adds full support the new unified cgroup hierarchy logic of modern kernels. A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is added. If specified the unified hierarchy is mounted to /sys/fs/cgroup instead of a tmpfs. No further hierarchies are mounted. The kernel command line option defaults to off. We can turn it on by default as soon as the kernel's APIs regarding this are stabilized (but even then downstream distros might want to turn this off, as this will break any tools that access cgroupfs directly). It is possibly to choose for each boot individually whether the unified or the legacy hierarchy is used. nspawn will by default provide the legacy hierarchy to containers if the host is using it, and the unified otherwise. However it is possible to run containers with the unified hierarchy on a legacy host and vice versa, by setting the $UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0, respectively. The unified hierarchy provides reliable cgroup empty notifications for the first time, via inotify. To make use of this we maintain one manager-wide inotify fd, and each cgroup to it. This patch also removes cg_delete() which is unused now. On kernel 4.2 only the "memory" controller is compatible with the unified hierarchy, hence that's the only controller systemd exposes when booted in unified heirarchy mode. This introduces a new enum for enumerating supported controllers, plus a related enum for the mask bits mapping to it. The core is changed to make use of this everywhere. This moves PID 1 into a new "init.scope" implicit scope unit in the root slice. This is necessary since on the unified hierarchy cgroups may either contain subgroups or processes but not both. PID 1 hence has to move out of the root cgroup (strictly speaking the root cgroup is the only one where processes and subgroups are still allowed, but in order to support containers nicey, we move PID 1 into the new scope in all cases.) This new unit is also used on legacy hierarchy setups. It's actually pretty useful on all systems, as it can then be used to filter journal messages coming from PID 1, and so on. The root slice ("-.slice") is now implicitly created and started (and does not require a unit file on disk anymore), since that's where "init.scope" is located and the slice needs to be started before the scope can. To check whether we are in unified or legacy hierarchy mode we use statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in legacy mode, if it reports cgroupfs we are in unified mode. This patch set carefuly makes sure that cgls and cgtop continue to work as desired. When invoking nspawn as a service it will implicitly create two subcgroups in the cgroup it is using, one to move the nspawn process into, the other to move the actual container processes into. This is done because of the requirement that cgroups may either contain processes or other subgroups.
2015-09-01 19:22:36 +02:00
const char *e;
core: simplify cg_[all_]unified() cg_[all_]unified() test whether a specific controller or all controllers are on the unified hierarchy. While what's being asked is a simple binary question, the callers must assume that the functions may fail any time, which unnecessarily complicates their usages. This complication is unnecessary. Internally, the test result is cached anyway and there are only a few places where the test actually needs to be performed. This patch simplifies cg_[all_]unified(). * cg_[all_]unified() are updated to return bool. If the result can't be decided, assertion failure is triggered. Error handlings from their callers are dropped. * cg_unified_flush() is updated to calculate the new result synchrnously and return whether it succeeded or not. Places which need to flush the test result are updated to test for failure. This ensures that all the following cg_[all_]unified() tests succeed. * Places which expected possible cg_[all_]unified() failures are updated to call and test cg_unified_flush() before calling cg_[all_]unified(). This includes functions used while setting up mounts during boot and manager_setup_cgroup().
2016-11-21 20:45:53 +01:00
int r;
core: use the unified hierarchy for the systemd cgroup controller hierarchy Currently, systemd uses either the legacy hierarchies or the unified hierarchy. When the legacy hierarchies are used, systemd uses a named legacy hierarchy mounted on /sys/fs/cgroup/systemd without any kernel controllers for process management. Due to the shortcomings in the legacy hierarchy, this involves a lot of workarounds and complexities. Because the unified hierarchy can be mounted and used in parallel to legacy hierarchies, there's no reason for systemd to use a legacy hierarchy for management even if the kernel resource controllers need to be mounted on legacy hierarchies. It can simply mount the unified hierarchy under /sys/fs/cgroup/systemd and use it without affecting other legacy hierarchies. This disables a significant amount of fragile workaround logics and would allow using features which depend on the unified hierarchy membership such bpf cgroup v2 membership test. In time, this would also allow deleting the said complexities. This patch updates systemd so that it prefers the unified hierarchy for the systemd cgroup controller hierarchy when legacy hierarchies are used for kernel resource controllers. * cg_unified(@controller) is introduced which tests whether the specific controller in on unified hierarchy and used to choose the unified hierarchy code path for process and service management when available. Kernel controller specific operations remain gated by cg_all_unified(). * "systemd.legacy_systemd_cgroup_controller" kernel argument can be used to force the use of legacy hierarchy for systemd cgroup controller. * nspawn: By default nspawn uses the same hierarchies as the host. If UNIFIED_CGROUP_HIERARCHY is set to 1, unified hierarchy is used for all. If 0, legacy for all. * nspawn: arg_unified_cgroup_hierarchy is made an enum and now encodes one of three options - legacy, only systemd controller on unified, and unified. The value is passed into mount setup functions and controls cgroup configuration. * nspawn: Interpretation of SYSTEMD_CGROUP_CONTROLLER to the actual mount option is moved to mount_legacy_cgroup_hierarchy() so that it can take an appropriate action depending on the configuration of the host. v2: - CGroupUnified enum replaces open coded integer values to indicate the cgroup operation mode. - Various style updates. v3: Fixed a bug in detect_unified_cgroup_hierarchy() introduced during v2. v4: Restored legacy container on unified host support and fixed another bug in detect_unified_cgroup_hierarchy().
2016-08-16 00:13:36 +02:00
core: unified cgroup hierarchy support This patch set adds full support the new unified cgroup hierarchy logic of modern kernels. A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is added. If specified the unified hierarchy is mounted to /sys/fs/cgroup instead of a tmpfs. No further hierarchies are mounted. The kernel command line option defaults to off. We can turn it on by default as soon as the kernel's APIs regarding this are stabilized (but even then downstream distros might want to turn this off, as this will break any tools that access cgroupfs directly). It is possibly to choose for each boot individually whether the unified or the legacy hierarchy is used. nspawn will by default provide the legacy hierarchy to containers if the host is using it, and the unified otherwise. However it is possible to run containers with the unified hierarchy on a legacy host and vice versa, by setting the $UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0, respectively. The unified hierarchy provides reliable cgroup empty notifications for the first time, via inotify. To make use of this we maintain one manager-wide inotify fd, and each cgroup to it. This patch also removes cg_delete() which is unused now. On kernel 4.2 only the "memory" controller is compatible with the unified hierarchy, hence that's the only controller systemd exposes when booted in unified heirarchy mode. This introduces a new enum for enumerating supported controllers, plus a related enum for the mask bits mapping to it. The core is changed to make use of this everywhere. This moves PID 1 into a new "init.scope" implicit scope unit in the root slice. This is necessary since on the unified hierarchy cgroups may either contain subgroups or processes but not both. PID 1 hence has to move out of the root cgroup (strictly speaking the root cgroup is the only one where processes and subgroups are still allowed, but in order to support containers nicey, we move PID 1 into the new scope in all cases.) This new unit is also used on legacy hierarchy setups. It's actually pretty useful on all systems, as it can then be used to filter journal messages coming from PID 1, and so on. The root slice ("-.slice") is now implicitly created and started (and does not require a unit file on disk anymore), since that's where "init.scope" is located and the slice needs to be started before the scope can. To check whether we are in unified or legacy hierarchy mode we use statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in legacy mode, if it reports cgroupfs we are in unified mode. This patch set carefuly makes sure that cgls and cgtop continue to work as desired. When invoking nspawn as a service it will implicitly create two subcgroups in the cgroup it is using, one to move the nspawn process into, the other to move the actual container processes into. This is done because of the requirement that cgroups may either contain processes or other subgroups.
2015-09-01 19:22:36 +02:00
/* Allow the user to control whether the unified hierarchy is used */
e = getenv("UNIFIED_CGROUP_HIERARCHY");
if (e) {
r = parse_boolean(e);
if (r < 0)
return log_error_errno(r, "Failed to parse $UNIFIED_CGROUP_HIERARCHY.");
core: use the unified hierarchy for the systemd cgroup controller hierarchy Currently, systemd uses either the legacy hierarchies or the unified hierarchy. When the legacy hierarchies are used, systemd uses a named legacy hierarchy mounted on /sys/fs/cgroup/systemd without any kernel controllers for process management. Due to the shortcomings in the legacy hierarchy, this involves a lot of workarounds and complexities. Because the unified hierarchy can be mounted and used in parallel to legacy hierarchies, there's no reason for systemd to use a legacy hierarchy for management even if the kernel resource controllers need to be mounted on legacy hierarchies. It can simply mount the unified hierarchy under /sys/fs/cgroup/systemd and use it without affecting other legacy hierarchies. This disables a significant amount of fragile workaround logics and would allow using features which depend on the unified hierarchy membership such bpf cgroup v2 membership test. In time, this would also allow deleting the said complexities. This patch updates systemd so that it prefers the unified hierarchy for the systemd cgroup controller hierarchy when legacy hierarchies are used for kernel resource controllers. * cg_unified(@controller) is introduced which tests whether the specific controller in on unified hierarchy and used to choose the unified hierarchy code path for process and service management when available. Kernel controller specific operations remain gated by cg_all_unified(). * "systemd.legacy_systemd_cgroup_controller" kernel argument can be used to force the use of legacy hierarchy for systemd cgroup controller. * nspawn: By default nspawn uses the same hierarchies as the host. If UNIFIED_CGROUP_HIERARCHY is set to 1, unified hierarchy is used for all. If 0, legacy for all. * nspawn: arg_unified_cgroup_hierarchy is made an enum and now encodes one of three options - legacy, only systemd controller on unified, and unified. The value is passed into mount setup functions and controls cgroup configuration. * nspawn: Interpretation of SYSTEMD_CGROUP_CONTROLLER to the actual mount option is moved to mount_legacy_cgroup_hierarchy() so that it can take an appropriate action depending on the configuration of the host. v2: - CGroupUnified enum replaces open coded integer values to indicate the cgroup operation mode. - Various style updates. v3: Fixed a bug in detect_unified_cgroup_hierarchy() introduced during v2. v4: Restored legacy container on unified host support and fixed another bug in detect_unified_cgroup_hierarchy().
2016-08-16 00:13:36 +02:00
if (r > 0)
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_ALL;
else
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_NONE;
core: unified cgroup hierarchy support This patch set adds full support the new unified cgroup hierarchy logic of modern kernels. A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is added. If specified the unified hierarchy is mounted to /sys/fs/cgroup instead of a tmpfs. No further hierarchies are mounted. The kernel command line option defaults to off. We can turn it on by default as soon as the kernel's APIs regarding this are stabilized (but even then downstream distros might want to turn this off, as this will break any tools that access cgroupfs directly). It is possibly to choose for each boot individually whether the unified or the legacy hierarchy is used. nspawn will by default provide the legacy hierarchy to containers if the host is using it, and the unified otherwise. However it is possible to run containers with the unified hierarchy on a legacy host and vice versa, by setting the $UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0, respectively. The unified hierarchy provides reliable cgroup empty notifications for the first time, via inotify. To make use of this we maintain one manager-wide inotify fd, and each cgroup to it. This patch also removes cg_delete() which is unused now. On kernel 4.2 only the "memory" controller is compatible with the unified hierarchy, hence that's the only controller systemd exposes when booted in unified heirarchy mode. This introduces a new enum for enumerating supported controllers, plus a related enum for the mask bits mapping to it. The core is changed to make use of this everywhere. This moves PID 1 into a new "init.scope" implicit scope unit in the root slice. This is necessary since on the unified hierarchy cgroups may either contain subgroups or processes but not both. PID 1 hence has to move out of the root cgroup (strictly speaking the root cgroup is the only one where processes and subgroups are still allowed, but in order to support containers nicey, we move PID 1 into the new scope in all cases.) This new unit is also used on legacy hierarchy setups. It's actually pretty useful on all systems, as it can then be used to filter journal messages coming from PID 1, and so on. The root slice ("-.slice") is now implicitly created and started (and does not require a unit file on disk anymore), since that's where "init.scope" is located and the slice needs to be started before the scope can. To check whether we are in unified or legacy hierarchy mode we use statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in legacy mode, if it reports cgroupfs we are in unified mode. This patch set carefuly makes sure that cgls and cgtop continue to work as desired. When invoking nspawn as a service it will implicitly create two subcgroups in the cgroup it is using, one to move the nspawn process into, the other to move the actual container processes into. This is done because of the requirement that cgroups may either contain processes or other subgroups.
2015-09-01 19:22:36 +02:00
}
nspawn: figure out cgroup mode *after* mounting image If we operate on a disk image (i.e. --image=) then it's pointless to look into the mount directory before it is actually mounted to see which systemd version is running inside... Unfortunately we only mount the disk image in the child process, but the parent needs to know the cgroup mode, hence add some IPC for this purpose and communicate the cgroup mode determined from the image back to the parent.
2017-11-27 20:49:35 +01:00
return 0;
}
static int detect_unified_cgroup_hierarchy_from_image(const char *directory) {
int r;
/* Let's inherit the mode to use from the host system, but let's take into consideration what systemd in the
* image actually supports. */
cgroup: change cg_unified() to possibly return errors again We use our cgroup APIs in various contexts, including from our libraries sd-login, sd-bus. As we don#t control those environments we can't rely that the unified cgroup setup logic succeeds, and hence really shouldn't assert on it. This more or less reverts 415fc41ceaeada2e32639f24f134b1c248b9e43f.
2017-02-24 17:52:58 +01:00
r = cg_all_unified();
if (r < 0)
return log_error_errno(r, "Failed to determine whether we are in all unified mode.");
if (r > 0) {
nspawn: also fall back to legacy cgroup hierarchy for old containers Current systemd version detection routine cannot detect systemd 230, only systmed >= 231. This means that we'll still use the legacy hierarchy in some cases where we wouldn't have too. If somebody figures out a nice way to detect systemd 230 this can be later improved.
2016-10-09 01:03:53 +02:00
/* Unified cgroup hierarchy support was added in 230. Unfortunately the detection
* routine only detects 231, so we'll have a false negative here for 230. */
r = systemd_installation_has_version(directory, 230);
if (r < 0)
return log_error_errno(r, "Failed to determine systemd version in container: %m");
if (r > 0)
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_ALL;
else
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_NONE;
cgroup: rename cg_unified() → cg_unified_controller() cg_unified() is a bit generic a name, let's make clear that it checks whether a specified controller is in unified mode.
2017-02-24 18:00:04 +01:00
} else if (cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER) > 0) {
core: make hybrid cgroup unified mode keep compat /sys/fs/cgroup/systemd hierarchy Currently the hybrid mode mounts cgroup v2 on /sys/fs/cgroup instead of the v1 name=systemd hierarchy. While this works fine for systemd itself, it breaks tools which expect cgroup v1 hierarchy on /sys/fs/cgroup/systemd. This patch updates the hybrid mode so that it mounts v2 hierarchy on /sys/fs/cgroup/unified and keeps v1 "name=systemd" hierarchy on /sys/fs/cgroup/systemd for compatibility. systemd itself doesn't depend on the "name=systemd" hierarchy at all. All operations take place on the v2 hierarchy as before but the v1 hierarchy is kept in sync so that any tools which expect it to be there can keep doing so. This allows systemd to take advantage of cgroup v2 process management without requiring other tools to be aware of the hybrid mode. The hybrid mode is implemented by mapping the special systemd controller to /sys/fs/cgroup/unified and making the basic cgroup utility operations - cg_attach(), cg_create(), cg_rmdir() and cg_trim() - also operate on the /sys/fs/cgroup/systemd hierarchy whenever the cgroup2 hierarchy is updated. While a bit messy, this will allow dropping complications from using cgroup v1 for process management a lot sooner than otherwise possible which should make it a net gain in terms of maintainability. v2: Fixed !cgns breakage reported by @evverx and renamed the unified mount point to /sys/fs/cgroup/unified as suggested by @brauner. v3: chown the compat hierarchy too on delegation. Suggested by @evverx. v4: [zj] - drop the change to default, full "legacy" is still the default.
2016-11-21 20:45:53 +01:00
/* Mixed cgroup hierarchy support was added in 233 */
r = systemd_installation_has_version(directory, 233);
nspawn: use mixed cgroup hierarchy only when container has new systemd systemd-soon-to-be-released-232 is able to deal with the mixed hierarchy. So make an educated guess, and use the mixed hierarchy in that case. Tested by running the host with mixed hierarchy (i.e. simply using a recent kernel with systemd from git), and booting first a container with older systemd, and then one with a newer systemd. Fixes #4008.
2016-10-08 08:18:26 +02:00
if (r < 0)
return log_error_errno(r, "Failed to determine systemd version in container: %m");
if (r > 0)
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_SYSTEMD;
else
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_NONE;
} else
core: use the unified hierarchy for the systemd cgroup controller hierarchy Currently, systemd uses either the legacy hierarchies or the unified hierarchy. When the legacy hierarchies are used, systemd uses a named legacy hierarchy mounted on /sys/fs/cgroup/systemd without any kernel controllers for process management. Due to the shortcomings in the legacy hierarchy, this involves a lot of workarounds and complexities. Because the unified hierarchy can be mounted and used in parallel to legacy hierarchies, there's no reason for systemd to use a legacy hierarchy for management even if the kernel resource controllers need to be mounted on legacy hierarchies. It can simply mount the unified hierarchy under /sys/fs/cgroup/systemd and use it without affecting other legacy hierarchies. This disables a significant amount of fragile workaround logics and would allow using features which depend on the unified hierarchy membership such bpf cgroup v2 membership test. In time, this would also allow deleting the said complexities. This patch updates systemd so that it prefers the unified hierarchy for the systemd cgroup controller hierarchy when legacy hierarchies are used for kernel resource controllers. * cg_unified(@controller) is introduced which tests whether the specific controller in on unified hierarchy and used to choose the unified hierarchy code path for process and service management when available. Kernel controller specific operations remain gated by cg_all_unified(). * "systemd.legacy_systemd_cgroup_controller" kernel argument can be used to force the use of legacy hierarchy for systemd cgroup controller. * nspawn: By default nspawn uses the same hierarchies as the host. If UNIFIED_CGROUP_HIERARCHY is set to 1, unified hierarchy is used for all. If 0, legacy for all. * nspawn: arg_unified_cgroup_hierarchy is made an enum and now encodes one of three options - legacy, only systemd controller on unified, and unified. The value is passed into mount setup functions and controls cgroup configuration. * nspawn: Interpretation of SYSTEMD_CGROUP_CONTROLLER to the actual mount option is moved to mount_legacy_cgroup_hierarchy() so that it can take an appropriate action depending on the configuration of the host. v2: - CGroupUnified enum replaces open coded integer values to indicate the cgroup operation mode. - Various style updates. v3: Fixed a bug in detect_unified_cgroup_hierarchy() introduced during v2. v4: Restored legacy container on unified host support and fixed another bug in detect_unified_cgroup_hierarchy().
2016-08-16 00:13:36 +02:00
arg_unified_cgroup_hierarchy = CGROUP_UNIFIED_NONE;
core: unified cgroup hierarchy support This patch set adds full support the new unified cgroup hierarchy logic of modern kernels. A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is added. If specified the unified hierarchy is mounted to /sys/fs/cgroup instead of a tmpfs. No further hierarchies are mounted. The kernel command line option defaults to off. We can turn it on by default as soon as the kernel's APIs regarding this are stabilized (but even then downstream distros might want to turn this off, as this will break any tools that access cgroupfs directly). It is possibly to choose for each boot individually whether the unified or the legacy hierarchy is used. nspawn will by default provide the legacy hierarchy to containers if the host is using it, and the unified otherwise. However it is possible to run containers with the unified hierarchy on a legacy host and vice versa, by setting the $UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0, respectively. The unified hierarchy provides reliable cgroup empty notifications for the first time, via inotify. To make use of this we maintain one manager-wide inotify fd, and each cgroup to it. This patch also removes cg_delete() which is unused now. On kernel 4.2 only the "memory" controller is compatible with the unified hierarchy, hence that's the only controller systemd exposes when booted in unified heirarchy mode. This introduces a new enum for enumerating supported controllers, plus a related enum for the mask bits mapping to it. The core is changed to make use of this everywhere. This moves PID 1 into a new "init.scope" implicit scope unit in the root slice. This is necessary since on the unified hierarchy cgroups may either contain subgroups or processes but not both. PID 1 hence has to move out of the root cgroup (strictly speaking the root cgroup is the only one where processes and subgroups are still allowed, but in order to support containers nicey, we move PID 1 into the new scope in all cases.) This new unit is also used on legacy hierarchy setups. It's actually pretty useful on all systems, as it can then be used to filter journal messages coming from PID 1, and so on. The root slice ("-.slice") is now implicitly created and started (and does not require a unit file on disk anymore), since that's where "init.scope" is located and the slice needs to be started before the scope can. To check whether we are in unified or legacy hierarchy mode we use statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in legacy mode, if it reports cgroupfs we are in unified mode. This patch set carefuly makes sure that cgls and cgtop continue to work as desired. When invoking nspawn as a service it will implicitly create two subcgroups in the cgroup it is using, one to move the nspawn process into, the other to move the actual container processes into. This is done because of the requirement that cgroups may either contain processes or other subgroups.
2015-09-01 19:22:36 +02:00
nspawn: figure out cgroup mode *after* mounting image If we operate on a disk image (i.e. --image=) then it's pointless to look into the mount directory before it is actually mounted to see which systemd version is running inside... Unfortunately we only mount the disk image in the child process, but the parent needs to know the cgroup mode, hence add some IPC for this purpose and communicate the cgroup mode determined from the image back to the parent.
2017-11-27 20:49:35 +01:00
log_debug("Using %s hierarchy for container.",
arg_unified_cgroup_hierarchy == CGROUP_UNIFIED_NONE ? "legacy" :
arg_unified_cgroup_hierarchy == CGROUP_UNIFIED_SYSTEMD ? "hybrid" : "unified");
core: unified cgroup hierarchy support This patch set adds full support the new unified cgroup hierarchy logic of modern kernels. A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is added. If specified the unified hierarchy is mounted to /sys/fs/cgroup instead of a tmpfs. No further hierarchies are mounted. The kernel command line option defaults to off. We can turn it on by default as soon as the kernel's APIs regarding this are stabilized (but even then downstream distros might want to turn this off, as this will break any tools that access cgroupfs directly). It is possibly to choose for each boot individually whether the unified or the legacy hierarchy is used. nspawn will by default provide the legacy hierarchy to containers if the host is using it, and the unified otherwise. However it is possible to run containers with the unified hierarchy on a legacy host and vice versa, by setting the $UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0, respectively. The unified hierarchy provides reliable cgroup empty notifications for the first time, via inotify. To make use of this we maintain one manager-wide inotify fd, and each cgroup to it. This patch also removes cg_delete() which is unused now. On kernel 4.2 only the "memory" controller is compatible with the unified hierarchy, hence that's the only controller systemd exposes when booted in unified heirarchy mode. This introduces a new enum for enumerating supported controllers, plus a related enum for the mask bits mapping to it. The core is changed to make use of this everywhere. This moves PID 1 into a new "init.scope" implicit scope unit in the root slice. This is necessary since on the unified hierarchy cgroups may either contain subgroups or processes but not both. PID 1 hence has to move out of the root cgroup (strictly speaking the root cgroup is the only one where processes and subgroups are still allowed, but in order to support containers nicey, we move PID 1 into the new scope in all cases.) This new unit is also used on legacy hierarchy setups. It's actually pretty useful on all systems, as it can then be used to filter journal messages coming from PID 1, and so on. The root slice ("-.slice") is now implicitly created and started (and does not require a unit file on disk anymore), since that's where "init.scope" is located and the slice needs to be started before the scope can. To check whether we are in unified or legacy hierarchy mode we use statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in legacy mode, if it reports cgroupfs we are in unified mode. This patch set carefuly makes sure that cgls and cgtop continue to work as desired. When invoking nspawn as a service it will implicitly create two subcgroups in the cgroup it is using, one to move the nspawn process into, the other to move the actual container processes into. This is done because of the requirement that cgroups may either contain processes or other subgroups.
2015-09-01 19:22:36 +02:00
return 0;
}
nspawn: split down SYSTEMD_NSPAWN_SHARE_SYSTEM (#4023) This commit follows further on the deprecation path for --share-system, by splitting and gating each share-able namespace behind its own environment flag.
2016-08-26 00:08:26 +02:00
static void parse_share_ns_env(const char *name, unsigned long ns_flag) {
int r;
r = getenv_bool(name);
if (r == -ENXIO)
return;
if (r < 0)
log_warning_errno(r, "Failed to parse %s from environment, defaulting to false.", name);
arg_clone_ns_flags = (arg_clone_ns_flags & ~ns_flag) | (r > 0 ? 0 : ns_flag);
}
nspawn: R/W support for /sys, and /proc/sys This commit adds the possibility to leave /sys, and /proc/sys read-write. It introduces a new (undocumented) env var SYSTEMD_NSPAWN_API_VFS_WRITABLE to enable this feature. If set to "yes", /sys, and /proc/sys will be read-write. If set to "no", /sys, and /proc/sys will be read-only. If set to "network" /proc/sys/net will be read-write. This is useful in use-cases, where systemd-nspawn is used in an external network namespace. This adds the possibility to start privileged containers which need more control over settings in the /proc, and /sys filesystem. This is also a follow-up on the discussion from https://github.com/systemd/systemd/pull/4018#r76971862 where an introduction of a simple env var to enable R/W support for those directories was already discussed.
2016-10-14 14:00:15 +02:00
static void parse_mount_settings_env(void) {
int r;
const char *e;
e = getenv("SYSTEMD_NSPAWN_API_VFS_WRITABLE");
if (!e)
return;
if (streq(e, "network")) {
arg_mount_settings |= MOUNT_APPLY_APIVFS_RO|MOUNT_APPLY_APIVFS_NETNS;
return;
}
r = parse_boolean(e);
if (r < 0) {
log_warning_errno(r, "Failed to parse SYSTEMD_NSPAWN_API_VFS_WRITABLE from environment, ignoring.");
return;
tree-wide: use SET_FLAG in more places (#5892)
2017-05-07 13:03:28 +02:00
}
nspawn: R/W support for /sys, and /proc/sys This commit adds the possibility to leave /sys, and /proc/sys read-write. It introduces a new (undocumented) env var SYSTEMD_NSPAWN_API_VFS_WRITABLE to enable this feature. If set to "yes", /sys, and /proc/sys will be read-write. If set to "no", /sys, and /proc/sys will be read-only. If set to "network" /proc/sys/net will be read-write. This is useful in use-cases, where systemd-nspawn is used in an external network namespace. This adds the possibility to start privileged containers which need more control over settings in the /proc, and /sys filesystem. This is also a follow-up on the discussion from https://github.com/systemd/systemd/pull/4018#r76971862 where an introduction of a simple env var to enable R/W support for those directories was already discussed.
2016-10-14 14:00:15 +02:00
tree-wide: use SET_FLAG in more places (#5892)
2017-05-07 13:03:28 +02:00
SET_FLAG(arg_mount_settings, MOUNT_APPLY_APIVFS_RO, r == 0);
SET_FLAG(arg_mount_settings, MOUNT_APPLY_APIVFS_NETNS, false);
nspawn: R/W support for /sys, and /proc/sys This commit adds the possibility to leave /sys, and /proc/sys read-write. It introduces a new (undocumented) env var SYSTEMD_NSPAWN_API_VFS_WRITABLE to enable this feature. If set to "yes", /sys, and /proc/sys will be read-write. If set to "no", /sys, and /proc/sys will be read-only. If set to "network" /proc/sys/net will be read-write. This is useful in use-cases, where systemd-nspawn is used in an external network namespace. This adds the possibility to start privileged containers which need more control over settings in the /proc, and /sys filesystem. This is also a follow-up on the discussion from https://github.com/systemd/systemd/pull/4018#r76971862 where an introduction of a simple env var to enable R/W support for those directories was already discussed.
2016-10-14 14:00:15 +02:00
}
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
static int parse_argv(int argc, char *argv[]) {
nspawn: add new --no-net switch to turn off networking in the container
2011-08-02 04:49:37 +02:00
enum {
nspawn: add --version
2013-01-11 22:03:49 +01:00
ARG_VERSION = 0x100,
ARG_PRIVATE_NETWORK,
nspawn: add --read-only switch
2012-04-25 15:11:20 +02:00
ARG_UUID,
nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case
2012-06-28 13:44:39 +02:00
ARG_READ_ONLY,
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
ARG_CAPABILITY,
nspawn: add new --drop-capability= switch
2013-11-20 22:10:42 +01:00
ARG_DROP_CAPABILITY,
nspawn: add --bind= and --bind-ro= to bind mount host paths into the container
2013-02-25 18:21:13 +01:00
ARG_LINK_JOURNAL,
ARG_BIND,
nspawn: add new --setenv= switch to set an environment variable for the container to spawn
2013-12-13 16:37:16 +01:00
ARG_BIND_RO,
nspawn: add new --tmpfs= option to mount a tmpfs on specific directories, such as /var
2014-06-11 00:44:30 +02:00
ARG_TMPFS,
nspawn: rework custom mount point order, and add support for overlayfs Previously all bind mount mounts were applied in the order specified, followed by all tmpfs mounts in the order specified. This is problematic, if bind mounts shall be placed within tmpfs mounts. This patch hence reworks the custom mount point logic, and alwas applies them in strict prefix-first order. This means the order of mounts specified on the command line becomes irrelevant, the right operation will always be executed. While we are at it this commit also adds native support for overlayfs mounts, as supported by recent kernels.
2015-05-13 14:04:55 +02:00
ARG_OVERLAY,
ARG_OVERLAY_RO,
nspawn: add --register=yes|no switch to optionally disable registration of the container with machined
2014-02-10 15:36:32 +01:00
ARG_SHARE_SYSTEM,
machined: optionally, allow registration of pre-existing units (scopes or services) as machine with machined
2014-02-11 17:15:38 +01:00
ARG_REGISTER,
nspawn: add new --network-interface= switch to move an existing interface into the container
2014-02-13 03:27:39 +01:00
ARG_KEEP_UNIT,
nspawn: add new --network-veth switch to add a virtual ethernet link to the host
2014-02-13 18:47:20 +01:00
ARG_NETWORK_INTERFACE,
nspawn: add new switch --network-macvlan= to add a macvlan device to the container
2014-02-25 02:27:39 +01:00
ARG_NETWORK_MACVLAN,
nspawn: add ipvlan support
2015-01-20 00:18:28 +01:00
ARG_NETWORK_IPVLAN,
nspawn: add new --network-bridge= switch This adds the host side of the veth link to the given bridge. Also refactor the creation of the veth interfaces a bit to set it up from the host rather than the container. This simplifies the addition to the bridge, but otherwise the behavior is unchanged.
2014-02-16 21:12:47 +01:00
ARG_NETWORK_BRIDGE,
nspawn: add new --network-zone= switch for automatically managed bridge devices This adds a new concept of network "zones", which are little more than bridge devices that are automatically managed by nspawn: when the first container referencing a bridge is started, the bridge device is created, when the last container referencing it is removed the bridge device is removed again. Besides this logic --network-zone= is pretty much identical to --network-bridge=. The usecase for this is to make it easy to run multiple related containers (think MySQL in one and Apache in another) in a common, named virtual Ethernet broadcast zone, that only exists as long as one of them is running, and fully automatically managed otherwise.
2016-05-06 21:00:27 +02:00
ARG_NETWORK_ZONE,
nspawn: add new --network-veth-extra= switch for defining additional veth links The new switch operates like --network-veth, but may be specified multiple times (to define multiple link pairs) and allows flexible definition of the interface names. This is an independent reimplementation of #1678, but defines different semantics, keeping the behaviour completely independent of --network-veth. It also comes will full hook-up for .nspawn files, and the matching documentation.
2015-11-12 21:54:28 +01:00
ARG_NETWORK_VETH_EXTRA,
nspawn: introduce an option for specifying network namespace path Add a new option `--network-namespace-path` to systemd-nspawn to allow users to specify an arbitrary network namespace, e.g. `/run/netns/foo`. Then systemd-nspawn will open the netns file, pass the fd to outer_child, and enter the namespace represented by the fd before running inner_child. ``` $ sudo ip netns add foo $ mount | grep /run/netns/foo nsfs on /run/netns/foo type nsfs (rw) ... $ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \ /bin/readlink -f /proc/self/ns/net /proc/1/ns/net:[4026532009] ``` Note that the option `--network-namespace-path=` cannot be used together with other network-related options such as `--private-network` so that the options do not conflict with each other. Fixes https://github.com/systemd/systemd/issues/7361
2017-11-24 18:22:17 +01:00
ARG_NETWORK_NAMESPACE_PATH,
nspawn: add new --personality= switch to make it easier to run 32bit containers on a 64bit host
2014-02-18 23:35:19 +01:00
ARG_PERSONALITY,
nspawn: add new --volatile switch for booting containers in volatile (ephemeral) mode Two modes are supported: --volatile=yes mounts only /usr into the container, and a tmpfs as root directory. --volatile=state mounts the full OS tree in, but overmounts /var with a tmpfs. --volatile=yes hence boots with an unpopulated /etc and /var, starting with pristine configuration and state. --volatile=state hence boots with an unpopulated /var, only starting with pristine state.
2014-07-04 03:22:33 +02:00
ARG_VOLATILE,
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
ARG_TEMPLATE,
nspawn: add support for --property= to set scope properties This is similar to systemd-run's --property= setting.
2015-02-18 19:38:55 +01:00
ARG_PROPERTY,
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
ARG_PRIVATE_USERS,
nspawn: make kill signal to use for PID 1 configurable
2015-02-25 22:04:48 +01:00
ARG_KILL_SIGNAL,
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
ARG_SETTINGS,
nspawn: add new --chdir= switch Fixes: #2192
2016-02-02 01:52:01 +01:00
ARG_CHDIR,
nspawn: Add support for sysroot pivoting (#5258) Add a new --pivot-root argument to systemd-nspawn, which specifies a directory to pivot to / inside the container; while the original / is pivoted to another specified directory (if provided). This adds support for booting container images which may contain several bootable sysroots, as is common with OSTree disk images. When these disk images are booted on real hardware, ostree-prepare-root is run in conjunction with sysroot.mount in the initramfs to achieve the same results.
2017-02-08 16:54:31 +01:00
ARG_PIVOT_ROOT,
nspawn: optionally fix up OS tree uid/gids for userns This adds a new --private-userns-chown switch that may be used in combination with --private-userns. If it is passed a recursive chmod() operation is run on the OS tree, fixing all file owner UID/GIDs to the right ranges. This should make user namespacing pretty workable, as the OS trees don't need to be prepared manually anymore.
2016-04-20 22:53:39 +02:00
ARG_PRIVATE_USERS_CHOWN,
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
ARG_NOTIFY_READY,
nspawn/dissect: automatically discover dm-verity verity partitions This adds support for discovering and making use of properly tagged dm-verity data integrity partitions. This extends both systemd-nspawn and systemd-dissect with a new --root-hash= switch that takes the root hash to use for the root partition, and is otherwise fully automatic. Verity partitions are discovered automatically by GPT table type UUIDs, as listed in https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ (which I updated prior to this change, to include new UUIDs for this purpose. mkosi with https://github.com/systemd/mkosi/pull/39 applied may generate images that carry the necessary integrity data. With that PR and this commit, the following simply lines suffice to boot up an integrity-protected container image: ``` # mkdir test # cd test # mkosi --verity # systemd-nspawn -i ./image.raw -bn ``` Note that mkosi writes the image file to "image.raw" next to a a file "image.roothash" that contains the root hash. systemd-nspawn will look for that file and use it if it exists, in case --root-hash= is not specified explicitly.
2016-12-07 18:28:13 +01:00
ARG_ROOT_HASH,
nspawn: implement configurable syscall whitelisting/blacklisting Now that we have ported nspawn's seccomp code to the generic code in seccomp-util, let's extend it to support whitelisting and blacklisting of specific additional syscalls. This uses similar syntax as PID1's support for system call filtering, but in contrast to that always implements a blacklist (and not a whitelist), as we prepopulate the filter with a blacklist, and the unit's system call filter logic does not come with anything prepopulated. (Later on we might actually want to invert the logic here, and whitelist rather than blacklist things, but at this point let's not do that. In case we switch this over later, the syscall add/remove logic of this commit should be compatible conceptually.) Fixes: #5163 Replaces: #5944
2017-09-11 17:45:21 +02:00
ARG_SYSTEM_CALL_FILTER,
nspawn: add new --no-net switch to turn off networking in the container
2011-08-02 04:49:37 +02:00
};
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
static const struct option options[] = {
nspawn: introduce an option for specifying network namespace path Add a new option `--network-namespace-path` to systemd-nspawn to allow users to specify an arbitrary network namespace, e.g. `/run/netns/foo`. Then systemd-nspawn will open the netns file, pass the fd to outer_child, and enter the namespace represented by the fd before running inner_child. ``` $ sudo ip netns add foo $ mount | grep /run/netns/foo nsfs on /run/netns/foo type nsfs (rw) ... $ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \ /bin/readlink -f /proc/self/ns/net /proc/1/ns/net:[4026532009] ``` Note that the option `--network-namespace-path=` cannot be used together with other network-related options such as `--private-network` so that the options do not conflict with each other. Fixes https://github.com/systemd/systemd/issues/7361
2017-11-24 18:22:17 +01:00
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, ARG_VERSION },
{ "directory", required_argument, NULL, 'D' },
{ "template", required_argument, NULL, ARG_TEMPLATE },
{ "ephemeral", no_argument, NULL, 'x' },
{ "user", required_argument, NULL, 'u' },
{ "private-network", no_argument, NULL, ARG_PRIVATE_NETWORK },
{ "as-pid2", no_argument, NULL, 'a' },
{ "boot", no_argument, NULL, 'b' },
{ "uuid", required_argument, NULL, ARG_UUID },
{ "read-only", no_argument, NULL, ARG_READ_ONLY },
{ "capability", required_argument, NULL, ARG_CAPABILITY },
{ "drop-capability", required_argument, NULL, ARG_DROP_CAPABILITY },
{ "link-journal", required_argument, NULL, ARG_LINK_JOURNAL },
{ "bind", required_argument, NULL, ARG_BIND },
{ "bind-ro", required_argument, NULL, ARG_BIND_RO },
{ "tmpfs", required_argument, NULL, ARG_TMPFS },
{ "overlay", required_argument, NULL, ARG_OVERLAY },
{ "overlay-ro", required_argument, NULL, ARG_OVERLAY_RO },
{ "machine", required_argument, NULL, 'M' },
{ "slice", required_argument, NULL, 'S' },
{ "setenv", required_argument, NULL, 'E' },
{ "selinux-context", required_argument, NULL, 'Z' },
{ "selinux-apifs-context", required_argument, NULL, 'L' },
{ "quiet", no_argument, NULL, 'q' },
{ "share-system", no_argument, NULL, ARG_SHARE_SYSTEM }, /* not documented */
{ "register", required_argument, NULL, ARG_REGISTER },
{ "keep-unit", no_argument, NULL, ARG_KEEP_UNIT },
{ "network-interface", required_argument, NULL, ARG_NETWORK_INTERFACE },
{ "network-macvlan", required_argument, NULL, ARG_NETWORK_MACVLAN },
{ "network-ipvlan", required_argument, NULL, ARG_NETWORK_IPVLAN },
{ "network-veth", no_argument, NULL, 'n' },
{ "network-veth-extra", required_argument, NULL, ARG_NETWORK_VETH_EXTRA },
{ "network-bridge", required_argument, NULL, ARG_NETWORK_BRIDGE },
{ "network-zone", required_argument, NULL, ARG_NETWORK_ZONE },
{ "network-namespace-path", required_argument, NULL, ARG_NETWORK_NAMESPACE_PATH },
{ "personality", required_argument, NULL, ARG_PERSONALITY },
{ "image", required_argument, NULL, 'i' },
{ "volatile", optional_argument, NULL, ARG_VOLATILE },
{ "port", required_argument, NULL, 'p' },
{ "property", required_argument, NULL, ARG_PROPERTY },
{ "private-users", optional_argument, NULL, ARG_PRIVATE_USERS },
{ "private-users-chown", optional_argument, NULL, ARG_PRIVATE_USERS_CHOWN },
{ "kill-signal", required_argument, NULL, ARG_KILL_SIGNAL },
{ "settings", required_argument, NULL, ARG_SETTINGS },
{ "chdir", required_argument, NULL, ARG_CHDIR },
{ "pivot-root", required_argument, NULL, ARG_PIVOT_ROOT },
{ "notify-ready", required_argument, NULL, ARG_NOTIFY_READY },
{ "root-hash", required_argument, NULL, ARG_ROOT_HASH },
{ "system-call-filter", required_argument, NULL, ARG_SYSTEM_CALL_FILTER },
clients: unify how we invoke getopt_long() Among other things this makes sure we always expose a --version command and show it in the help texts.
2013-11-06 18:28:39 +01:00
{}
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
};
logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.
2013-06-20 03:45:08 +02:00
int c, r;
nspawn: support custom container service name We were hardcoding "systemd-nspawn" as the value of the $container env variable and "nspawn" as the service string in machined registration. This commit allows the user to configure it by setting the $SYSTEMD_NSPAWN_CONTAINER_SERVICE env variable when calling systemd-nspawn. If $SYSTEMD_NSPAWN_CONTAINER_SERVICE is not set, we use the string "systemd-nspawn" for both, fixing the previous inconsistency.
2015-11-09 11:32:34 +01:00
const char *p, *e;
nspawn: --private-network should imply CAP_NET_ADMIN
2014-02-13 14:07:59 +01:00
uint64_t plus = 0, minus = 0;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
bool mask_all_settings = false, mask_no_settings = false;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
assert(argc >= 0);
assert(argv);
nspawn: add missing -E to getopt_long (#4860)
2016-12-10 05:33:58 +01:00
while ((c = getopt_long(argc, argv, "+hD:u:abL:M:jS:Z:qi:xp:nUE:", options, NULL)) >= 0)
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
switch (c) {
case 'h':
Unify parse_argv style getopt is usually good at printing out a nice error message when commandline options are invalid. It distinguishes between an unknown option and a known option with a missing arg. It is better to let it do its job and not use opterr=0 unless we actually want to suppress messages. So remove opterr=0 in the few places where it wasn't really useful. When an error in options is encountered, we should not print a lengthy help() and overwhelm the user, when we know precisely what is wrong with the commandline. In addition, since help() prints to stdout, it should not be used except when requested with -h or --help. Also, simplify things here and there.
2014-08-02 17:12:21 +02:00
help();
return 0;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
nspawn: add --version
2013-01-11 22:03:49 +01:00
case ARG_VERSION:
util: introduce common version() implementation and use it everywhere This also allows us to drop build.h from a ton of files, hence do so. Since we touched the #includes of those files, let's order them properly according to CODING_STYLE.
2015-09-23 03:01:06 +02:00
return version();
nspawn: add --version
2013-01-11 22:03:49 +01:00
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
case 'D':
path-util: unify how we process paths specified on the command line Let's introduce a common function that makes relative paths absolute and warns about any errors while doing so.
2015-10-22 19:54:29 +02:00
r = parse_path_argument_and_warn(optarg, false, &arg_directory);
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
if (r < 0)
path-util: unify how we process paths specified on the command line Let's introduce a common function that makes relative paths absolute and warns about any errors while doing so.
2015-10-22 19:54:29 +02:00
return r;
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
break;
case ARG_TEMPLATE:
path-util: unify how we process paths specified on the command line Let's introduce a common function that makes relative paths absolute and warns about any errors while doing so.
2015-10-22 19:54:29 +02:00
r = parse_path_argument_and_warn(optarg, false, &arg_template);
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
if (r < 0)
path-util: unify how we process paths specified on the command line Let's introduce a common function that makes relative paths absolute and warns about any errors while doing so.
2015-10-22 19:54:29 +02:00
return r;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
break;
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
case 'i':
path-util: unify how we process paths specified on the command line Let's introduce a common function that makes relative paths absolute and warns about any errors while doing so.
2015-10-22 19:54:29 +02:00
r = parse_path_argument_and_warn(optarg, false, &arg_image);
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
if (r < 0)
path-util: unify how we process paths specified on the command line Let's introduce a common function that makes relative paths absolute and warns about any errors while doing so.
2015-10-22 19:54:29 +02:00
return r;
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
break;
case 'x':
arg_ephemeral = true;
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
break;
nspawn: spawn shell under specified --user Add -u/--user option, which changes the effective and real user and group id to the new value. The user must exists in the chroot, otherwise it will fail. Both username and user id are accepted. The user home is created as well. It also setup HOME, USER, LOGNAME and SHELL variables .
2011-06-29 14:22:46 +02:00
case 'u':
tree-wide: use free_and_strdup() Use free_and_strdup() where appropriate and replace equivalent, open-coded versions.
2015-07-29 20:25:57 +02:00
r = free_and_strdup(&arg_user, optarg);
if (r < 0)
nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.
2013-04-16 04:36:06 +02:00
return log_oom();
nspawn: spawn shell under specified --user Add -u/--user option, which changes the effective and real user and group id to the new value. The user must exists in the chroot, otherwise it will fail. Both username and user id are accepted. The user home is created as well. It also setup HOME, USER, LOGNAME and SHELL variables .
2011-06-29 14:22:46 +02:00
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_USER;
nspawn: spawn shell under specified --user Add -u/--user option, which changes the effective and real user and group id to the new value. The user must exists in the chroot, otherwise it will fail. Both username and user id are accepted. The user home is created as well. It also setup HOME, USER, LOGNAME and SHELL variables .
2011-06-29 14:22:46 +02:00
break;
nspawn: add new --network-zone= switch for automatically managed bridge devices This adds a new concept of network "zones", which are little more than bridge devices that are automatically managed by nspawn: when the first container referencing a bridge is started, the bridge device is created, when the last container referencing it is removed the bridge device is removed again. Besides this logic --network-zone= is pretty much identical to --network-bridge=. The usecase for this is to make it easy to run multiple related containers (think MySQL in one and Apache in another) in a common, named virtual Ethernet broadcast zone, that only exists as long as one of them is running, and fully automatically managed otherwise.
2016-05-06 21:00:27 +02:00
case ARG_NETWORK_ZONE: {
char *j;
j = strappend("vz-", optarg);
if (!j)
return log_oom();
if (!ifname_valid(j)) {
log_error("Network zone name not valid: %s", j);
free(j);
return -EINVAL;
}
free(arg_network_zone);
arg_network_zone = j;
arg_network_veth = true;
arg_private_network = true;
arg_settings_mask |= SETTING_NETWORK;
break;
}
nspawn: add new --network-bridge= switch This adds the host side of the veth link to the given bridge. Also refactor the creation of the veth interfaces a bit to set it up from the host rather than the container. This simplifies the addition to the bridge, but otherwise the behavior is unchanged.
2014-02-16 21:12:47 +01:00
case ARG_NETWORK_BRIDGE:
util-lib: add new ifname_valid() call that validates interface names Make use of this in nspawn at a couple of places. A later commit should port more code over to this, including networkd.
2016-05-06 20:58:32 +02:00
if (!ifname_valid(optarg)) {
log_error("Bridge interface name not valid: %s", optarg);
return -EINVAL;
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
r = free_and_strdup(&arg_network_bridge, optarg);
if (r < 0)
return log_oom();
nspawn: add new --network-bridge= switch This adds the host side of the veth link to the given bridge. Also refactor the creation of the veth interfaces a bit to set it up from the host rather than the container. This simplifies the addition to the bridge, but otherwise the behavior is unchanged.
2014-02-16 21:12:47 +01:00
tree-wide: adjust fall through comments so that gcc is happy Distcc removes comments, making the comment silencing not work. I know there was a decision against a macro in commit ec251fe7d5bc24b5d38b0853bc5969f3a0ba06e2
2017-11-19 19:06:10 +01:00
_fallthrough_;
nspawn: add "-n" shortcut for "--network-veth" Now that networkd's IP masquerading support means that running containers with "--network-veth" will provide network access out of the box for the container, let's add a shortcut "-n" for it, to make it easily accessible.
2015-01-13 19:42:02 +01:00
case 'n':
nspawn: add new --network-veth switch to add a virtual ethernet link to the host
2014-02-13 18:47:20 +01:00
arg_network_veth = true;
arg_private_network = true;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_NETWORK;
nspawn: add new --network-veth switch to add a virtual ethernet link to the host
2014-02-13 18:47:20 +01:00
break;
nspawn: add new --network-veth-extra= switch for defining additional veth links The new switch operates like --network-veth, but may be specified multiple times (to define multiple link pairs) and allows flexible definition of the interface names. This is an independent reimplementation of #1678, but defines different semantics, keeping the behaviour completely independent of --network-veth. It also comes will full hook-up for .nspawn files, and the matching documentation.
2015-11-12 21:54:28 +01:00
case ARG_NETWORK_VETH_EXTRA:
r = veth_extra_parse(&arg_network_veth_extra, optarg);
if (r < 0)
return log_error_errno(r, "Failed to parse --network-veth-extra= parameter: %s", optarg);
arg_private_network = true;
arg_settings_mask |= SETTING_NETWORK;
break;
nspawn: add new --network-interface= switch to move an existing interface into the container
2014-02-13 03:27:39 +01:00
case ARG_NETWORK_INTERFACE:
util-lib: add new ifname_valid() call that validates interface names Make use of this in nspawn at a couple of places. A later commit should port more code over to this, including networkd.
2016-05-06 20:58:32 +02:00
if (!ifname_valid(optarg)) {
log_error("Network interface name not valid: %s", optarg);
return -EINVAL;
}
nspawn: add new switch --network-macvlan= to add a macvlan device to the container
2014-02-25 02:27:39 +01:00
if (strv_extend(&arg_network_interfaces, optarg) < 0)
return log_oom();
arg_private_network = true;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_NETWORK;
nspawn: add new switch --network-macvlan= to add a macvlan device to the container
2014-02-25 02:27:39 +01:00
break;
case ARG_NETWORK_MACVLAN:
util-lib: add new ifname_valid() call that validates interface names Make use of this in nspawn at a couple of places. A later commit should port more code over to this, including networkd.
2016-05-06 20:58:32 +02:00
if (!ifname_valid(optarg)) {
log_error("MACVLAN network interface name not valid: %s", optarg);
return -EINVAL;
}
nspawn: add new switch --network-macvlan= to add a macvlan device to the container
2014-02-25 02:27:39 +01:00
if (strv_extend(&arg_network_macvlan, optarg) < 0)
nspawn: add new --network-interface= switch to move an existing interface into the container
2014-02-13 03:27:39 +01:00
return log_oom();
nspawn: add ipvlan support
2015-01-20 00:18:28 +01:00
arg_private_network = true;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_NETWORK;
nspawn: add ipvlan support
2015-01-20 00:18:28 +01:00
break;
case ARG_NETWORK_IPVLAN:
util-lib: add new ifname_valid() call that validates interface names Make use of this in nspawn at a couple of places. A later commit should port more code over to this, including networkd.
2016-05-06 20:58:32 +02:00
if (!ifname_valid(optarg)) {
log_error("IPVLAN network interface name not valid: %s", optarg);
return -EINVAL;
}
nspawn: add ipvlan support
2015-01-20 00:18:28 +01:00
if (strv_extend(&arg_network_ipvlan, optarg) < 0)
return log_oom();
tree-wide: adjust fall through comments so that gcc is happy Distcc removes comments, making the comment silencing not work. I know there was a decision against a macro in commit ec251fe7d5bc24b5d38b0853bc5969f3a0ba06e2
2017-11-19 19:06:10 +01:00
_fallthrough_;
exec: introduce PrivateNetwork= process option to turn off network access to specific services
2011-08-02 05:24:58 +02:00
case ARG_PRIVATE_NETWORK:
arg_private_network = true;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_NETWORK;
nspawn: add new --no-net switch to turn off networking in the container
2011-08-02 04:49:37 +02:00
break;
nspawn: introduce an option for specifying network namespace path Add a new option `--network-namespace-path` to systemd-nspawn to allow users to specify an arbitrary network namespace, e.g. `/run/netns/foo`. Then systemd-nspawn will open the netns file, pass the fd to outer_child, and enter the namespace represented by the fd before running inner_child. ``` $ sudo ip netns add foo $ mount | grep /run/netns/foo nsfs on /run/netns/foo type nsfs (rw) ... $ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \ /bin/readlink -f /proc/self/ns/net /proc/1/ns/net:[4026532009] ``` Note that the option `--network-namespace-path=` cannot be used together with other network-related options such as `--private-network` so that the options do not conflict with each other. Fixes https://github.com/systemd/systemd/issues/7361
2017-11-24 18:22:17 +01:00
case ARG_NETWORK_NAMESPACE_PATH:
r = parse_path_argument_and_warn(optarg, false, &arg_network_namespace_path);
if (r < 0)
return r;
break;
nspawn: add -b switch to automatically look for an init binary
2012-04-22 13:37:24 +02:00
case 'b':
nspawn: optionally run a stub init process as PID 1 This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-03 20:32:06 +01:00
if (arg_start_mode == START_PID2) {
log_error("--boot and --as-pid2 may not be combined.");
return -EINVAL;
}
arg_start_mode = START_BOOT;
arg_settings_mask |= SETTING_START_MODE;
break;
case 'a':
if (arg_start_mode == START_BOOT) {
log_error("--boot and --as-pid2 may not be combined.");
return -EINVAL;
}
arg_start_mode = START_PID2;
arg_settings_mask |= SETTING_START_MODE;
nspawn: add -b switch to automatically look for an init binary
2012-04-22 13:37:24 +02:00
break;
nspawn: add --uuid= switch to allow setting the machine id for the container
2012-04-22 14:48:21 +02:00
case ARG_UUID:
logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.
2013-06-20 03:45:08 +02:00
r = sd_id128_from_string(optarg, &arg_uuid);
nspawn: rework /etc/machine-id handling With this change we'll no longer write to /etc/machine-id from nspawn, as that breaks the --volatile= operation, as it ensures the image is never considered in "first boot", since that's bound to the pre-existance of /etc/machine-id. The new logic works like this: - If /etc/machine-id already exists in the container, it is read by nspawn and exposed in "machinectl status" and friends. - If the file doesn't exist yet, but --uuid= is passed on the nspawn cmdline, this UUID is passed in $container_uuid to PID 1, and PID 1 is then expected to persist this to /etc/machine-id for future boots (which systemd already does). - If the file doesn#t exist yet, and no --uuid= is passed a random UUID is generated and passed via $container_uuid. The result is that /etc/machine-id is never initialized by nspawn itself, thus unbreaking the volatile mode. However still the machine ID configured in the machine always matches nspawn's and thus machined's idea of it. Fixes: #3611
2016-07-21 18:53:40 +02:00
if (r < 0)
return log_error_errno(r, "Invalid UUID: %s", optarg);
if (sd_id128_is_null(arg_uuid)) {
log_error("Machine UUID may not be all zeroes.");
return -EINVAL;
id128: when taking user input for a 128bit ID, validate syntax Also, always accept both our simple hexdump syntax and UUID syntax.
2013-04-29 23:39:12 +02:00
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_MACHINE_ID;
logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.
2013-06-20 03:45:08 +02:00
break;
id128: when taking user input for a 128bit ID, validate syntax Also, always accept both our simple hexdump syntax and UUID syntax.
2013-04-29 23:39:12 +02:00
logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.
2013-06-20 03:45:08 +02:00
case 'S':
nspawn: add new switch --network-macvlan= to add a macvlan device to the container
2014-02-25 02:27:39 +01:00
arg_slice = optarg;
nspawn: add --uuid= switch to allow setting the machine id for the container
2012-04-22 14:48:21 +02:00
break;
nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.
2013-04-16 04:36:06 +02:00
case 'M':
nspawn: make sure --template= and --machine= my be combined Fixes #1018. Based on a patch from Seth Jennings.
2015-08-25 20:26:51 +02:00
if (isempty(optarg))
tree-wide: introduce mfree() Pretty trivial helper which wraps free() but returns NULL, so we can simplify this: free(foobar); foobar = NULL; to this: foobar = mfree(foobar);
2015-07-31 19:56:38 +02:00
arg_machine = mfree(arg_machine);
nspawn: make sure --template= and --machine= my be combined Fixes #1018. Based on a patch from Seth Jennings.
2015-08-25 20:26:51 +02:00
else {
nspawn: properly validate machine names
2014-12-12 02:49:40 +01:00
if (!machine_name_is_valid(optarg)) {
nspawn: add --register=yes|no switch to optionally disable registration of the container with machined
2014-02-10 15:36:32 +01:00
log_error("Invalid machine name: %s", optarg);
return -EINVAL;
}
nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.
2013-04-16 04:36:06 +02:00
nspawn: properly validate machine names
2014-12-12 02:49:40 +01:00
r = free_and_strdup(&arg_machine, optarg);
if (r < 0)
nspawn: add --register=yes|no switch to optionally disable registration of the container with machined
2014-02-10 15:36:32 +01:00
return log_oom();
}
nspawn: fix clobbering of selinux context arg First bug fixed by gcc 7. Yikes.
2017-01-27 06:45:38 +01:00
break;
nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.
2013-04-16 04:36:06 +02:00
nspawn,man: use a common vocabulary when referring to selinux security contexts Let's always call the security labels the same way: SMACK: "Smack Label" SELINUX: "SELinux Security Context" And the low-level encapsulation is called "seclabel". Now let's hope we stick to this vocabulary in future, too, and don't mix "label"s and "security contexts" and so on wildly.
2014-02-10 12:32:03 +01:00
case 'Z':
arg_selinux_context = optarg;
Add SELinux support to systemd-nspawn This patch adds to new options: -Z PROCESS_LABEL This specifies the process label to run on processes run within the container. -L FILE_LABEL The file label to assign to memory file systems created within the container. For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
2014-01-30 22:28:02 +01:00
break;
nspawn,man: use a common vocabulary when referring to selinux security contexts Let's always call the security labels the same way: SMACK: "Smack Label" SELINUX: "SELinux Security Context" And the low-level encapsulation is called "seclabel". Now let's hope we stick to this vocabulary in future, too, and don't mix "label"s and "security contexts" and so on wildly.
2014-02-10 12:32:03 +01:00
case 'L':
arg_selinux_apifs_context = optarg;
Add SELinux support to systemd-nspawn This patch adds to new options: -Z PROCESS_LABEL This specifies the process label to run on processes run within the container. -L FILE_LABEL The file label to assign to memory file systems created within the container. For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
2014-01-30 22:28:02 +01:00
break;
nspawn: add --read-only switch
2012-04-25 15:11:20 +02:00
case ARG_READ_ONLY:
arg_read_only = true;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_READ_ONLY;
nspawn: add --read-only switch
2012-04-25 15:11:20 +02:00
break;
nspawn: add new --drop-capability= switch
2013-11-20 22:10:42 +01:00
case ARG_CAPABILITY:
case ARG_DROP_CAPABILITY: {
nspwan: port to extract_first_word
2015-10-28 18:29:01 +01:00
p = optarg;
tree-wide: minor formatting inconsistency cleanups
2016-02-23 18:52:52 +01:00
for (;;) {
nspwan: port to extract_first_word
2015-10-28 18:29:01 +01:00
_cleanup_free_ char *t = NULL;
nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case
2012-06-28 13:44:39 +02:00
nspwan: port to extract_first_word
2015-10-28 18:29:01 +01:00
r = extract_first_word(&p, &t, ",", 0);
if (r < 0)
return log_error_errno(r, "Failed to parse capability %s.", t);
nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case
2012-06-28 13:44:39 +02:00
nspwan: port to extract_first_word
2015-10-28 18:29:01 +01:00
if (r == 0)
break;
nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case
2012-06-28 13:44:39 +02:00
nspawn: introduce --capability=all for retaining all capabilities
2014-02-13 02:45:11 +01:00
if (streq(t, "all")) {
if (c == ARG_CAPABILITY)
nspawn: --private-network should imply CAP_NET_ADMIN
2014-02-13 14:07:59 +01:00
plus = (uint64_t) -1;
nspawn: introduce --capability=all for retaining all capabilities
2014-02-13 02:45:11 +01:00
else
nspawn: --private-network should imply CAP_NET_ADMIN
2014-02-13 14:07:59 +01:00
minus = (uint64_t) -1;
nspawn: introduce --capability=all for retaining all capabilities
2014-02-13 02:45:11 +01:00
} else {
util: introduce our own gperf based capability list This way, we can ensure we have a more complete, up-to-date list of capabilities around, always.
2014-12-10 03:16:14 +01:00
int cap;
cap = capability_from_name(t);
if (cap < 0) {
nspawn: introduce --capability=all for retaining all capabilities
2014-02-13 02:45:11 +01:00
log_error("Failed to parse capability %s.", t);
return -EINVAL;
}
if (c == ARG_CAPABILITY)
nspawn: --private-network should imply CAP_NET_ADMIN
2014-02-13 14:07:59 +01:00
plus |= 1ULL << (uint64_t) cap;
nspawn: introduce --capability=all for retaining all capabilities
2014-02-13 02:45:11 +01:00
else
nspawn: --private-network should imply CAP_NET_ADMIN
2014-02-13 14:07:59 +01:00
minus |= 1ULL << (uint64_t) cap;
nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case
2012-06-28 13:44:39 +02:00
}
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_CAPABILITY;
nspawn: introduce new --capabilities= flag and make use of it in the nspawn test case
2012-06-28 13:44:39 +02:00
break;
}
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
case 'j':
arg_link_journal = LINK_GUEST;
nspawn: Add try-{host,guest} journal link modes --link-journal={host,guest} fail if the host does not have persistent journalling enabled and /var/log/journal/ does not exist. Even worse, as there is no stdout/err any more, there is no error message to point that out. Introduce two new modes "try-host" and "try-guest" which don't fail in this case, and instead just silently skip the guest journal setup. Change -j to mean "try-guest" instead of "guest", and fix the wrong --help output for it (it said "host" before). Change systemd-nspawn@.service.in to use "try-guest" so that this unit works with both persistent and non-persistent journals on the host without failing. https://bugs.debian.org/770275
2014-11-20 14:30:52 +01:00
arg_link_journal_try = true;
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
break;
case ARG_LINK_JOURNAL:
nspawn: properly unset arg_link_journal_try, when --link-journal= is specified
2014-12-12 16:58:30 +01:00
if (streq(optarg, "auto")) {
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
arg_link_journal = LINK_AUTO;
nspawn: properly unset arg_link_journal_try, when --link-journal= is specified
2014-12-12 16:58:30 +01:00
arg_link_journal_try = false;
} else if (streq(optarg, "no")) {
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
arg_link_journal = LINK_NO;
nspawn: properly unset arg_link_journal_try, when --link-journal= is specified
2014-12-12 16:58:30 +01:00
arg_link_journal_try = false;
} else if (streq(optarg, "guest")) {
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
arg_link_journal = LINK_GUEST;
nspawn: properly unset arg_link_journal_try, when --link-journal= is specified
2014-12-12 16:58:30 +01:00
arg_link_journal_try = false;
} else if (streq(optarg, "host")) {
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
arg_link_journal = LINK_HOST;
nspawn: properly unset arg_link_journal_try, when --link-journal= is specified
2014-12-12 16:58:30 +01:00
arg_link_journal_try = false;
} else if (streq(optarg, "try-guest")) {
nspawn: Add try-{host,guest} journal link modes --link-journal={host,guest} fail if the host does not have persistent journalling enabled and /var/log/journal/ does not exist. Even worse, as there is no stdout/err any more, there is no error message to point that out. Introduce two new modes "try-host" and "try-guest" which don't fail in this case, and instead just silently skip the guest journal setup. Change -j to mean "try-guest" instead of "guest", and fix the wrong --help output for it (it said "host" before). Change systemd-nspawn@.service.in to use "try-guest" so that this unit works with both persistent and non-persistent journals on the host without failing. https://bugs.debian.org/770275
2014-11-20 14:30:52 +01:00
arg_link_journal = LINK_GUEST;
arg_link_journal_try = true;
} else if (streq(optarg, "try-host")) {
arg_link_journal = LINK_HOST;
arg_link_journal_try = true;
} else {
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
log_error("Failed to parse link journal mode %s", optarg);
return -EINVAL;
}
break;
nspawn: add --bind= and --bind-ro= to bind mount host paths into the container
2013-02-25 18:21:13 +01:00
case ARG_BIND:
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
case ARG_BIND_RO:
r = bind_mount_parse(&arg_custom_mounts, &arg_n_custom_mounts, optarg, c == ARG_BIND_RO);
if (r < 0)
return log_error_errno(r, "Failed to parse --bind(-ro)= argument %s: %m", optarg);
nspawn: add --bind= and --bind-ro= to bind mount host paths into the container
2013-02-25 18:21:13 +01:00
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_CUSTOM_MOUNTS;
nspawn: add --bind= and --bind-ro= to bind mount host paths into the container
2013-02-25 18:21:13 +01:00
break;
nspawn: add new --tmpfs= option to mount a tmpfs on specific directories, such as /var
2014-06-11 00:44:30 +02:00
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
case ARG_TMPFS:
r = tmpfs_mount_parse(&arg_custom_mounts, &arg_n_custom_mounts, optarg);
if (r < 0)
return log_error_errno(r, "Failed to parse --tmpfs= argument %s: %m", optarg);
nspawn: rework custom mount point order, and add support for overlayfs Previously all bind mount mounts were applied in the order specified, followed by all tmpfs mounts in the order specified. This is problematic, if bind mounts shall be placed within tmpfs mounts. This patch hence reworks the custom mount point logic, and alwas applies them in strict prefix-first order. This means the order of mounts specified on the command line becomes irrelevant, the right operation will always be executed. While we are at it this commit also adds native support for overlayfs mounts, as supported by recent kernels.
2015-05-13 14:04:55 +02:00
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_CUSTOM_MOUNTS;
nspawn: rework custom mount point order, and add support for overlayfs Previously all bind mount mounts were applied in the order specified, followed by all tmpfs mounts in the order specified. This is problematic, if bind mounts shall be placed within tmpfs mounts. This patch hence reworks the custom mount point logic, and alwas applies them in strict prefix-first order. This means the order of mounts specified on the command line becomes irrelevant, the right operation will always be executed. While we are at it this commit also adds native support for overlayfs mounts, as supported by recent kernels.
2015-05-13 14:04:55 +02:00
break;
case ARG_OVERLAY:
nspawn: split out overlayfs argument parsing into a function of its own Add overlay_mount_parse() similar in style to tmpfs_mount_parse() and bind_mount_parse().
2016-11-29 23:47:58 +01:00
case ARG_OVERLAY_RO:
r = overlay_mount_parse(&arg_custom_mounts, &arg_n_custom_mounts, optarg, c == ARG_OVERLAY_RO);
if (r == -EADDRNOTAVAIL)
return log_error_errno(r, "--overlay(-ro)= needs at least two colon-separated directories specified.");
if (r < 0)
return log_error_errno(r, "Failed to parse --overlay(-ro)= argument %s: %m", optarg);
nspawn: add new --tmpfs= option to mount a tmpfs on specific directories, such as /var
2014-06-11 00:44:30 +02:00
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_CUSTOM_MOUNTS;
nspawn: add new --tmpfs= option to mount a tmpfs on specific directories, such as /var
2014-06-11 00:44:30 +02:00
break;
nspawn: add -E as alias for --setenv v2: - "=" is required, so remove the <optional> tags that v1 added
2016-04-20 03:54:55 +02:00
case 'E': {
nspawn: add new --setenv= switch to set an environment variable for the container to spawn
2013-12-13 16:37:16 +01:00
char **n;
if (!env_assignment_is_valid(optarg)) {
log_error("Environment variable assignment '%s' is not valid.", optarg);
return -EINVAL;
}
n = strv_env_set(arg_setenv, optarg);
if (!n)
return log_oom();
strv_free(arg_setenv);
arg_setenv = n;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_ENVIRONMENT;
nspawn: add new --setenv= switch to set an environment variable for the container to spawn
2013-12-13 16:37:16 +01:00
break;
}
nspawn: add --quiet switch for turning off any output noise
2014-02-06 00:43:14 +01:00
case 'q':
arg_quiet = true;
break;
nspawn: add new --share-system switch to run a container without PID/UTS/IPC namespacing
2014-02-10 13:15:42 +01:00
case ARG_SHARE_SYSTEM:
nspawn: deprecate --share-system support This removes the --share-system switch: from the documentation, the --help text as well as the command line parsing. It's an ugly option, given that it kinda contradicts the whole concept of PID namespaces that nspawn implements. Since it's barely ever used, let's just deprecate it and remove it from the options. It might be useful as a debugging option, hence the functionality is kept around for now, exposed via an undocumented $SYSTEMD_NSPAWN_SHARE_SYSTEM environment variable.
2016-07-27 14:56:17 +02:00
/* We don't officially support this anymore, except for compat reasons. People should use the
nspawn: split down SYSTEMD_NSPAWN_SHARE_SYSTEM (#4023) This commit follows further on the deprecation path for --share-system, by splitting and gating each share-able namespace behind its own environment flag.
2016-08-26 00:08:26 +02:00
* $SYSTEMD_NSPAWN_SHARE_* environment variables instead. */
arg_clone_ns_flags = 0;
nspawn: add new --share-system switch to run a container without PID/UTS/IPC namespacing
2014-02-10 13:15:42 +01:00
break;
nspawn: add --register=yes|no switch to optionally disable registration of the container with machined
2014-02-10 15:36:32 +01:00
case ARG_REGISTER:
r = parse_boolean(optarg);
if (r < 0) {
log_error("Failed to parse --register= argument: %s", optarg);
return r;
}
arg_register = r;
break;
machined: optionally, allow registration of pre-existing units (scopes or services) as machine with machined
2014-02-11 17:15:38 +01:00
case ARG_KEEP_UNIT:
arg_keep_unit = true;
break;
nspawn: add new --personality= switch to make it easier to run 32bit containers on a 64bit host
2014-02-18 23:35:19 +01:00
case ARG_PERSONALITY:
core: add Personality= option for units to set the personality for spawned processes
2014-02-19 02:15:24 +01:00
arg_personality = personality_from_string(optarg);
util: introduce PERSONALITY_INVALID as macro for 0xffffffffLU
2015-05-21 19:48:49 +02:00
if (arg_personality == PERSONALITY_INVALID) {
nspawn: add new --personality= switch to make it easier to run 32bit containers on a 64bit host
2014-02-18 23:35:19 +01:00
log_error("Unknown or unsupported personality '%s'.", optarg);
return -EINVAL;
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_PERSONALITY;
nspawn: add new --personality= switch to make it easier to run 32bit containers on a 64bit host
2014-02-18 23:35:19 +01:00
break;
nspawn: add new --volatile switch for booting containers in volatile (ephemeral) mode Two modes are supported: --volatile=yes mounts only /usr into the container, and a tmpfs as root directory. --volatile=state mounts the full OS tree in, but overmounts /var with a tmpfs. --volatile=yes hence boots with an unpopulated /etc and /var, starting with pristine configuration and state. --volatile=state hence boots with an unpopulated /var, only starting with pristine state.
2014-07-04 03:22:33 +02:00
case ARG_VOLATILE:
if (!optarg)
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_volatile_mode = VOLATILE_YES;
nspawn: add new --volatile switch for booting containers in volatile (ephemeral) mode Two modes are supported: --volatile=yes mounts only /usr into the container, and a tmpfs as root directory. --volatile=state mounts the full OS tree in, but overmounts /var with a tmpfs. --volatile=yes hence boots with an unpopulated /etc and /var, starting with pristine configuration and state. --volatile=state hence boots with an unpopulated /var, only starting with pristine state.
2014-07-04 03:22:33 +02:00
else {
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
VolatileMode m;
nspawn: add new --volatile switch for booting containers in volatile (ephemeral) mode Two modes are supported: --volatile=yes mounts only /usr into the container, and a tmpfs as root directory. --volatile=state mounts the full OS tree in, but overmounts /var with a tmpfs. --volatile=yes hence boots with an unpopulated /etc and /var, starting with pristine configuration and state. --volatile=state hence boots with an unpopulated /var, only starting with pristine state.
2014-07-04 03:22:33 +02:00
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
m = volatile_mode_from_string(optarg);
if (m < 0) {
log_error("Failed to parse --volatile= argument: %s", optarg);
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
return -EINVAL;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
} else
arg_volatile_mode = m;
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_VOLATILE_MODE;
break;
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
case 'p':
r = expose_port_parse(&arg_expose_ports, optarg);
if (r == -EEXIST)
return log_error_errno(r, "Duplicate port specification: %s", optarg);
if (r < 0)
return log_error_errno(r, "Failed to parse host port %s: %m", optarg);
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_EXPOSE_PORTS;
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
break;
nspawn: add support for --property= to set scope properties This is similar to systemd-run's --property= setting.
2015-02-18 19:38:55 +01:00
case ARG_PROPERTY:
if (strv_extend(&arg_property, optarg) < 0)
return log_oom();
break;
nspawn,man: fix parsing of numeric args for --private-users, accept any boolean This is like the previous reverted commit, but any boolean is still accepted, not just "yes" and "no". Man page is adjusted to match the code.
2016-10-10 17:12:57 +02:00
case ARG_PRIVATE_USERS: {
int boolean = -1;
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
nspawn,man: fix parsing of numeric args for --private-users, accept any boolean This is like the previous reverted commit, but any boolean is still accepted, not just "yes" and "no". Man page is adjusted to match the code.
2016-10-10 17:12:57 +02:00
if (!optarg)
boolean = true;
else if (!in_charset(optarg, DIGITS))
/* do *not* parse numbers as booleans */
boolean = parse_boolean(optarg);
if (boolean == false) {
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
/* no: User namespacing off */
arg_userns_mode = USER_NAMESPACE_NO;
arg_uid_shift = UID_INVALID;
arg_uid_range = UINT32_C(0x10000);
nspawn,man: fix parsing of numeric args for --private-users, accept any boolean This is like the previous reverted commit, but any boolean is still accepted, not just "yes" and "no". Man page is adjusted to match the code.
2016-10-10 17:12:57 +02:00
} else if (boolean == true) {
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
/* yes: User namespacing on, UID range is read from root dir */
arg_userns_mode = USER_NAMESPACE_FIXED;
arg_uid_shift = UID_INVALID;
arg_uid_range = UINT32_C(0x10000);
} else if (streq(optarg, "pick")) {
/* pick: User namespacing on, UID range is picked randomly */
arg_userns_mode = USER_NAMESPACE_PICK;
arg_uid_shift = UID_INVALID;
arg_uid_range = UINT32_C(0x10000);
} else {
Revert "nspawn: fix parsing of numeric arguments for --private-users" This reverts commit bfd292ec35c7b768f9fb5cff4d921f3133e62b19.
2016-10-10 16:04:31 +02:00
_cleanup_free_ char *buffer = NULL;
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
const char *range, *shift;
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
/* anything else: User namespacing on, UID range is explicitly configured */
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
range = strchr(optarg, ':');
if (range) {
Revert "nspawn: fix parsing of numeric arguments for --private-users" This reverts commit bfd292ec35c7b768f9fb5cff4d921f3133e62b19.
2016-10-10 16:04:31 +02:00
buffer = strndup(optarg, range - optarg);
if (!buffer)
return log_oom();
shift = buffer;
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
range++;
nspawn: fix parsing of numeric arguments for --private-users The documentation says lists "yes", "no", "pick", and numeric arguments. But parse_boolean was attempted first, so various numeric arguments were misinterpreted. In particular, this fixes --private-users=0 to mean the same thing as --private-users=0:65536. While at it, use strndupa to avoid some error handling. Also give a better error for an empty UID range. I think it's likely that people will use --private-users=0:0 thinking that the argument means UID:GID.
2016-10-09 17:44:03 +02:00
r = safe_atou32(range, &arg_uid_range);
if (r < 0)
nspawn: better error messages for parsing errors In particular, the check for arg_uid_range <= 0 is moved to the end, so that "foobar:0" gives "Failed to parse UID", and not "UID range cannot be 0.".
2016-10-10 17:22:45 +02:00
return log_error_errno(r, "Failed to parse UID range \"%s\": %m", range);
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
} else
shift = optarg;
nspawn: better error messages for parsing errors In particular, the check for arg_uid_range <= 0 is moved to the end, so that "foobar:0" gives "Failed to parse UID", and not "UID range cannot be 0.".
2016-10-10 17:22:45 +02:00
r = parse_uid(shift, &arg_uid_shift);
if (r < 0)
return log_error_errno(r, "Failed to parse UID \"%s\": %m", optarg);
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
arg_userns_mode = USER_NAMESPACE_FIXED;
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
}
nspawn: better error messages for parsing errors In particular, the check for arg_uid_range <= 0 is moved to the end, so that "foobar:0" gives "Failed to parse UID", and not "UID range cannot be 0.".
2016-10-10 17:22:45 +02:00
if (arg_uid_range <= 0) {
log_error("UID range cannot be 0.");
return -EINVAL;
}
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
arg_settings_mask |= SETTING_USERNS;
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
break;
nspawn,man: fix parsing of numeric args for --private-users, accept any boolean This is like the previous reverted commit, but any boolean is still accepted, not just "yes" and "no". Man page is adjusted to match the code.
2016-10-10 17:12:57 +02:00
}
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
case 'U':
nspawn: make -U a tiny bit smarter With this change -U will turn on user namespacing only if the kernel actually supports it and otherwise gracefully degrade to non-userns mode.
2016-04-22 14:10:09 +02:00
if (userns_supported()) {
arg_userns_mode = USER_NAMESPACE_PICK;
arg_uid_shift = UID_INVALID;
arg_uid_range = UINT32_C(0x10000);
arg_settings_mask |= SETTING_USERNS;
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
}
nspawn: optionally fix up OS tree uid/gids for userns This adds a new --private-userns-chown switch that may be used in combination with --private-userns. If it is passed a recursive chmod() operation is run on the OS tree, fixing all file owner UID/GIDs to the right ranges. This should make user namespacing pretty workable, as the OS trees don't need to be prepared manually anymore.
2016-04-20 22:53:39 +02:00
break;
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
case ARG_PRIVATE_USERS_CHOWN:
nspawn: add -U as shortcut for --private-users=pick Given that user namespacing is pretty useful now, let's add a shortcut command line switch for the logic.
2016-04-22 11:47:35 +02:00
arg_userns_chown = true;
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
arg_settings_mask |= SETTING_USERNS;
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
break;
nspawn: make kill signal to use for PID 1 configurable
2015-02-25 22:04:48 +01:00
case ARG_KILL_SIGNAL:
arg_kill_signal = signal_from_string_try_harder(optarg);
if (arg_kill_signal < 0) {
log_error("Cannot parse signal: %s", optarg);
return -EINVAL;
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
arg_settings_mask |= SETTING_KILL_SIGNAL;
break;
case ARG_SETTINGS:
/* no → do not read files
* yes read files, do not override cmdline, trust only subset
* override read files, override cmdline, trust only subset
* trusted read files, do not override cmdline, trust all
*/
r = parse_boolean(optarg);
if (r < 0) {
if (streq(optarg, "trusted")) {
mask_all_settings = false;
mask_no_settings = false;
arg_settings_trusted = true;
} else if (streq(optarg, "override")) {
mask_all_settings = false;
mask_no_settings = true;
arg_settings_trusted = -1;
} else
return log_error_errno(r, "Failed to parse --settings= argument: %s", optarg);
} else if (r > 0) {
/* yes */
mask_all_settings = false;
mask_no_settings = false;
arg_settings_trusted = -1;
} else {
/* no */
mask_all_settings = true;
mask_no_settings = false;
arg_settings_trusted = false;
}
nspawn: make kill signal to use for PID 1 configurable
2015-02-25 22:04:48 +01:00
break;
nspawn: add new --chdir= switch Fixes: #2192
2016-02-02 01:52:01 +01:00
case ARG_CHDIR:
if (!path_is_absolute(optarg)) {
log_error("Working directory %s is not an absolute path.", optarg);
return -EINVAL;
}
r = free_and_strdup(&arg_chdir, optarg);
if (r < 0)
return log_oom();
arg_settings_mask |= SETTING_WORKING_DIRECTORY;
break;
nspawn: Add support for sysroot pivoting (#5258) Add a new --pivot-root argument to systemd-nspawn, which specifies a directory to pivot to / inside the container; while the original / is pivoted to another specified directory (if provided). This adds support for booting container images which may contain several bootable sysroots, as is common with OSTree disk images. When these disk images are booted on real hardware, ostree-prepare-root is run in conjunction with sysroot.mount in the initramfs to achieve the same results.
2017-02-08 16:54:31 +01:00
case ARG_PIVOT_ROOT:
r = pivot_root_parse(&arg_pivot_root_new, &arg_pivot_root_old, optarg);
if (r < 0)
return log_error_errno(r, "Failed to parse --pivot-root= argument %s: %m", optarg);
arg_settings_mask |= SETTING_PIVOT_ROOT;
break;
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
case ARG_NOTIFY_READY:
r = parse_boolean(optarg);
if (r < 0) {
log_error("%s is not a valid notify mode. Valid modes are: yes, no, and ready.", optarg);
return -EINVAL;
}
arg_notify_ready = r;
arg_settings_mask |= SETTING_NOTIFY_READY;
break;
nspawn/dissect: automatically discover dm-verity verity partitions This adds support for discovering and making use of properly tagged dm-verity data integrity partitions. This extends both systemd-nspawn and systemd-dissect with a new --root-hash= switch that takes the root hash to use for the root partition, and is otherwise fully automatic. Verity partitions are discovered automatically by GPT table type UUIDs, as listed in https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ (which I updated prior to this change, to include new UUIDs for this purpose. mkosi with https://github.com/systemd/mkosi/pull/39 applied may generate images that carry the necessary integrity data. With that PR and this commit, the following simply lines suffice to boot up an integrity-protected container image: ``` # mkdir test # cd test # mkosi --verity # systemd-nspawn -i ./image.raw -bn ``` Note that mkosi writes the image file to "image.raw" next to a a file "image.roothash" that contains the root hash. systemd-nspawn will look for that file and use it if it exists, in case --root-hash= is not specified explicitly.
2016-12-07 18:28:13 +01:00
case ARG_ROOT_HASH: {
void *k;
size_t l;
r = unhexmem(optarg, strlen(optarg), &k, &l);
if (r < 0)
return log_error_errno(r, "Failed to parse root hash: %s", optarg);
if (l < sizeof(sd_id128_t)) {
log_error("Root hash must be at least 128bit long: %s", optarg);
free(k);
return -EINVAL;
}
free(arg_root_hash);
arg_root_hash = k;
arg_root_hash_size = l;
break;
}
nspawn: implement configurable syscall whitelisting/blacklisting Now that we have ported nspawn's seccomp code to the generic code in seccomp-util, let's extend it to support whitelisting and blacklisting of specific additional syscalls. This uses similar syntax as PID1's support for system call filtering, but in contrast to that always implements a blacklist (and not a whitelist), as we prepopulate the filter with a blacklist, and the unit's system call filter logic does not come with anything prepopulated. (Later on we might actually want to invert the logic here, and whitelist rather than blacklist things, but at this point let's not do that. In case we switch this over later, the syscall add/remove logic of this commit should be compatible conceptually.) Fixes: #5163 Replaces: #5944
2017-09-11 17:45:21 +02:00
case ARG_SYSTEM_CALL_FILTER: {
bool negative;
const char *items;
negative = optarg[0] == '~';
items = negative ? optarg + 1 : optarg;
for (;;) {
_cleanup_free_ char *word = NULL;
r = extract_first_word(&items, &word, NULL, 0);
if (r == 0)
break;
if (r == -ENOMEM)
return log_oom();
if (r < 0)
return log_error_errno(r, "Failed to parse system call filter: %m");
if (negative)
r = strv_extend(&arg_syscall_blacklist, word);
else
r = strv_extend(&arg_syscall_whitelist, word);
if (r < 0)
return log_oom();
}
arg_settings_mask |= SETTING_SYSCALL_FILTER;
break;
}
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
case '?':
return -EINVAL;
default:
clients: unify how we invoke getopt_long() Among other things this makes sure we always expose a --version command and show it in the help texts.
2013-11-06 18:28:39 +01:00
assert_not_reached("Unhandled option");
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
}
nspawn: introduce an option for specifying network namespace path Add a new option `--network-namespace-path` to systemd-nspawn to allow users to specify an arbitrary network namespace, e.g. `/run/netns/foo`. Then systemd-nspawn will open the netns file, pass the fd to outer_child, and enter the namespace represented by the fd before running inner_child. ``` $ sudo ip netns add foo $ mount | grep /run/netns/foo nsfs on /run/netns/foo type nsfs (rw) ... $ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \ /bin/readlink -f /proc/self/ns/net /proc/1/ns/net:[4026532009] ``` Note that the option `--network-namespace-path=` cannot be used together with other network-related options such as `--private-network` so that the options do not conflict with each other. Fixes https://github.com/systemd/systemd/issues/7361
2017-11-24 18:22:17 +01:00
/* If --network-namespace-path is given with any other network-related option,
* we need to error out, to avoid conflicts between different network options. */
if (arg_network_namespace_path &&
(arg_network_interfaces || arg_network_macvlan ||
arg_network_ipvlan || arg_network_veth_extra ||
arg_network_bridge || arg_network_zone ||
arg_network_veth || arg_private_network)) {
log_error("--network-namespace-path cannot be combined with other network options.");
return -EINVAL;
}
nspawn: split down SYSTEMD_NSPAWN_SHARE_SYSTEM (#4023) This commit follows further on the deprecation path for --share-system, by splitting and gating each share-able namespace behind its own environment flag.
2016-08-26 00:08:26 +02:00
parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_IPC", CLONE_NEWIPC);
parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_PID", CLONE_NEWPID);
parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_UTS", CLONE_NEWUTS);
parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_SYSTEM", CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS);
nspawn: deprecate --share-system support This removes the --share-system switch: from the documentation, the --help text as well as the command line parsing. It's an ugly option, given that it kinda contradicts the whole concept of PID namespaces that nspawn implements. Since it's barely ever used, let's just deprecate it and remove it from the options. It might be useful as a debugging option, hence the functionality is kept around for now, exposed via an undocumented $SYSTEMD_NSPAWN_SHARE_SYSTEM environment variable.
2016-07-27 14:56:17 +02:00
nspawn: R/W support for /sys, and /proc/sys This commit adds the possibility to leave /sys, and /proc/sys read-write. It introduces a new (undocumented) env var SYSTEMD_NSPAWN_API_VFS_WRITABLE to enable this feature. If set to "yes", /sys, and /proc/sys will be read-write. If set to "no", /sys, and /proc/sys will be read-only. If set to "network" /proc/sys/net will be read-write. This is useful in use-cases, where systemd-nspawn is used in an external network namespace. This adds the possibility to start privileged containers which need more control over settings in the /proc, and /sys filesystem. This is also a follow-up on the discussion from https://github.com/systemd/systemd/pull/4018#r76971862 where an introduction of a simple env var to enable R/W support for those directories was already discussed.
2016-10-14 14:00:15 +02:00
if (arg_userns_mode != USER_NAMESPACE_NO)
arg_mount_settings |= MOUNT_USE_USERNS;
if (arg_private_network)
arg_mount_settings |= MOUNT_APPLY_APIVFS_NETNS;
parse_mount_settings_env();
nspawn: decouple --boot from CLONE_NEWIPC (#4180) This commit is a minor tweak after the split of `--share-system`, decoupling the `--boot` option from IPC namespacing. Historically there has been a single `--share-system` option for sharing IPC/PID/UTS with the host, which was incompatible with boot/pid1 mode. After the split, it is now possible to express the requirements with better granularity. For reference, this is a followup to #4023 which contains references to previous discussions. I realized too late that CLONE_NEWIPC is not strictly needed for boot mode.
2016-09-24 14:30:42 +02:00
if (!(arg_clone_ns_flags & CLONE_NEWPID) ||
!(arg_clone_ns_flags & CLONE_NEWUTS)) {
nspawn: add --register=yes|no switch to optionally disable registration of the container with machined
2014-02-10 15:36:32 +01:00
arg_register = false;
nspawn: split down SYSTEMD_NSPAWN_SHARE_SYSTEM (#4023) This commit follows further on the deprecation path for --share-system, by splitting and gating each share-able namespace behind its own environment flag.
2016-08-26 00:08:26 +02:00
if (arg_start_mode != START_PID1) {
log_error("--boot cannot be used without namespacing.");
return -EINVAL;
}
}
nspawn: add --register=yes|no switch to optionally disable registration of the container with machined
2014-02-10 15:36:32 +01:00
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
if (arg_userns_mode == USER_NAMESPACE_PICK)
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
arg_userns_chown = true;
nspawn: register a scope for the unit if --register=no is specified (#6166) Previously, only when --register=yes was set (the default) the invoked container would get its own scope, created by machined on behalf of nspawn. With this change if --register=no is set nspawn will still get its own scope (which is a good thing, so that --slice= and --property= take effect), but this is not done through machined but by registering a scope unit directly in PID 1. Summary: --register=yes → allocate a new scope through machined (the default) --register=yes --keep-unit → use the unit we are already running in an register with machined --register=no → allocate a new scope directly, but no machined --register=no --keep-unit → do not allocate nor register anything Fixes: #5823
2017-06-28 19:22:46 +02:00
if (arg_keep_unit && arg_register && cg_pid_get_owner_uid(0, NULL) >= 0) {
nspawn: comment to acknowledge lying about "user session"
2017-09-17 15:53:14 +02:00
/* Save the user from accidentally registering either user-$SESSION.scope or user@.service.
* The latter is not technically a user session, but we don't need to labour the point. */
nspawn: register a scope for the unit if --register=no is specified (#6166) Previously, only when --register=yes was set (the default) the invoked container would get its own scope, created by machined on behalf of nspawn. With this change if --register=no is set nspawn will still get its own scope (which is a good thing, so that --slice= and --property= take effect), but this is not done through machined but by registering a scope unit directly in PID 1. Summary: --register=yes → allocate a new scope through machined (the default) --register=yes --keep-unit → use the unit we are already running in an register with machined --register=no → allocate a new scope directly, but no machined --register=no --keep-unit → do not allocate nor register anything Fixes: #5823
2017-06-28 19:22:46 +02:00
log_error("--keep-unit --register=yes may not be used when invoked from a user session.");
machined: optionally, allow registration of pre-existing units (scopes or services) as machine with machined
2014-02-11 17:15:38 +01:00
return -EINVAL;
}
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
if (arg_directory && arg_image) {
log_error("--directory= and --image= may not be combined.");
return -EINVAL;
}
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
if (arg_template && arg_image) {
log_error("--template= and --image= may not be combined.");
return -EINVAL;
}
nspawn: accept --ephemeral --template= as alternative for --ephemeral --directory= As suggested in PR #3667. This PR simply ensures that --template= can be used as alternative to --directory= when --ephemeral is used, following the logic that for ephemeral options the source directory is actually a template. This does not deprecate usage of --directory= with --ephemeral, as I am not convinced the old logic wouldn't make sense. Fixes: #3667
2016-11-25 01:00:31 +01:00
if (arg_ephemeral && arg_template && !arg_directory) {
/* User asked for ephemeral execution but specified --template= instead of --directory=. Semantically
* such an invocation makes some sense, see https://github.com/systemd/systemd/issues/3667. Let's
* accept this here, and silently make "--ephemeral --template=" equivalent to "--ephemeral
* --directory=". */
macro: introduce TAKE_PTR() macro This macro will read a pointer of any type, return it, and set the pointer to NULL. This is useful as an explicit concept of passing ownership of a memory area between pointers. This takes inspiration from Rust: https://doc.rust-lang.org/std/option/enum.Option.html#method.take and was suggested by Alan Jenkins (@sourcejedi). It drops ~160 lines of code from our codebase, which makes me like it. Also, I think it clarifies passing of ownership, and thus helps readability a bit (at least for the initiated who know the new macro)
2018-03-22 16:53:26 +01:00
arg_directory = TAKE_PTR(arg_template);
nspawn: accept --ephemeral --template= as alternative for --ephemeral --directory= As suggested in PR #3667. This PR simply ensures that --template= can be used as alternative to --directory= when --ephemeral is used, following the logic that for ephemeral options the source directory is actually a template. This does not deprecate usage of --directory= with --ephemeral, as I am not convinced the old logic wouldn't make sense. Fixes: #3667
2016-11-25 01:00:31 +01:00
}
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
if (arg_template && !(arg_directory || arg_machine)) {
log_error("--template= needs --directory= or --machine=.");
return -EINVAL;
}
if (arg_ephemeral && arg_template) {
log_error("--ephemeral and --template= may not be combined.");
return -EINVAL;
}
nspawn: don't link journals in ephemeral mode
2014-12-12 16:58:57 +01:00
if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO)) {
log_error("--ephemeral and --link-journal= may not be combined.");
return -EINVAL;
}
nspawn: make -U a tiny bit smarter With this change -U will turn on user namespacing only if the kernel actually supports it and otherwise gracefully degrade to non-userns mode.
2016-04-22 14:10:09 +02:00
if (arg_userns_mode != USER_NAMESPACE_NO && !userns_supported()) {
nspawn: optionally fix up OS tree uid/gids for userns This adds a new --private-userns-chown switch that may be used in combination with --private-userns. If it is passed a recursive chmod() operation is run on the OS tree, fixing all file owner UID/GIDs to the right ranges. This should make user namespacing pretty workable, as the OS trees don't need to be prepared manually anymore.
2016-04-20 22:53:39 +02:00
log_error("--private-users= is not supported, kernel compiled without user namespace support.");
return -EOPNOTSUPP;
}
if (arg_userns_chown && arg_read_only) {
log_error("--read-only and --private-users-chown may not be combined.");
return -EINVAL;
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
nspawn: add new --network-zone= switch for automatically managed bridge devices This adds a new concept of network "zones", which are little more than bridge devices that are automatically managed by nspawn: when the first container referencing a bridge is started, the bridge device is created, when the last container referencing it is removed the bridge device is removed again. Besides this logic --network-zone= is pretty much identical to --network-bridge=. The usecase for this is to make it easy to run multiple related containers (think MySQL in one and Apache in another) in a common, named virtual Ethernet broadcast zone, that only exists as long as one of them is running, and fully automatically managed otherwise.
2016-05-06 21:00:27 +02:00
if (arg_network_bridge && arg_network_zone) {
log_error("--network-bridge= and --network-zone= may not be combined.");
return -EINVAL;
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
if (argc > optind) {
arg_parameters = strv_copy(argv + optind);
if (!arg_parameters)
return log_oom();
nspawn: optionally run a stub init process as PID 1 This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-03 20:32:06 +01:00
arg_settings_mask |= SETTING_START_MODE;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
}
/* Load all settings from .nspawn files */
if (mask_no_settings)
arg_settings_mask = 0;
/* Don't load any settings from .nspawn files */
if (mask_all_settings)
arg_settings_mask = _SETTINGS_MASK_ALL;
nspawn: rename arg_retain to arg_caps_retain The argument is about capabilities.
2016-05-26 13:06:55 +02:00
arg_caps_retain = (arg_caps_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
nspawn: check cgroups after parsing options Same justification as in previous commit.
2017-04-25 01:28:05 +02:00
r = cg_unified_flush();
if (r < 0)
return log_error_errno(r, "Failed to determine whether the unified cgroups hierarchy is used: %m");
nspawn: support custom container service name We were hardcoding "systemd-nspawn" as the value of the $container env variable and "nspawn" as the service string in machined registration. This commit allows the user to configure it by setting the $SYSTEMD_NSPAWN_CONTAINER_SERVICE env variable when calling systemd-nspawn. If $SYSTEMD_NSPAWN_CONTAINER_SERVICE is not set, we use the string "systemd-nspawn" for both, fixing the previous inconsistency.
2015-11-09 11:32:34 +01:00
e = getenv("SYSTEMD_NSPAWN_CONTAINER_SERVICE");
if (e)
arg_container_service_name = e;
nspawn: add SYSTEMD_NSPAWN_USE_CGNS env variable (#3809) SYSTEMD_NSPAWN_USE_CGNS allows to disable the use of cgroup namespaces.
2016-07-26 16:49:15 +02:00
r = getenv_bool("SYSTEMD_NSPAWN_USE_CGNS");
if (r < 0)
arg_use_cgns = cg_ns_supported();
else
arg_use_cgns = r;
nspawn: permit prefixing of source paths in --bind= and --overlay= with "+" If a source path is prefixed with "+" it is taken relative to the container's root directory instead of the host. This permits easily establishing bind and overlay mounts based on data from the container rather than the host. This also reworks custom_mounts_prepare(), and turns it into two functions: one custom_mount_check_all() that remains in nspawn.c but purely verifies the validity of the custom mounts configured. And one called custom_mount_prepare_all() that actually does the preparation step, sorts the custom mounts, resolves relative paths, and allocates temporary directories as necessary.
2016-11-30 16:02:47 +01:00
r = custom_mount_check_all();
if (r < 0)
return r;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
return 1;
}
static int verify_arguments(void) {
nspawn: R/W support for /sys, and /proc/sys This commit adds the possibility to leave /sys, and /proc/sys read-write. It introduces a new (undocumented) env var SYSTEMD_NSPAWN_API_VFS_WRITABLE to enable this feature. If set to "yes", /sys, and /proc/sys will be read-write. If set to "no", /sys, and /proc/sys will be read-only. If set to "network" /proc/sys/net will be read-write. This is useful in use-cases, where systemd-nspawn is used in an external network namespace. This adds the possibility to start privileged containers which need more control over settings in the /proc, and /sys filesystem. This is also a follow-up on the discussion from https://github.com/systemd/systemd/pull/4018#r76971862 where an introduction of a simple env var to enable R/W support for those directories was already discussed.
2016-10-14 14:00:15 +02:00
if (arg_userns_mode != USER_NAMESPACE_NO && (arg_mount_settings & MOUNT_APPLY_APIVFS_NETNS) && !arg_private_network) {
log_error("Invalid namespacing settings. Mounting sysfs with --private-users requires --private-network.");
return -EINVAL;
}
if (arg_userns_mode != USER_NAMESPACE_NO && !(arg_mount_settings & MOUNT_APPLY_APIVFS_RO)) {
log_error("Cannot combine --private-users with read-write mounts.");
return -EINVAL;
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
if (arg_volatile_mode != VOLATILE_NO && arg_read_only) {
nspawn: add new --volatile switch for booting containers in volatile (ephemeral) mode Two modes are supported: --volatile=yes mounts only /usr into the container, and a tmpfs as root directory. --volatile=state mounts the full OS tree in, but overmounts /var with a tmpfs. --volatile=yes hence boots with an unpopulated /etc and /var, starting with pristine configuration and state. --volatile=state hence boots with an unpopulated /var, only starting with pristine state.
2014-07-04 03:22:33 +02:00
log_error("Cannot combine --read-only with --volatile. Note that --volatile already implies a read-only base hierarchy.");
return -EINVAL;
}
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
if (arg_expose_ports && !arg_private_network) {
log_error("Cannot use --port= without private networking.");
return -EINVAL;
}
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if ! HAVE_LIBIPTC
nspawn: don't run nspawn --port=... without libiptc support We get $ systemd-nspawn --image /dev/loop1 --port 8080:80 -n -b 3 --port= is not supported, compiled without libiptc support. instead of a ping-nc-iptables debugging session
2016-03-17 22:06:17 +01:00
if (arg_expose_ports) {
log_error("--port= is not supported, compiled without libiptc support.");
return -EOPNOTSUPP;
}
#endif
nspawn: optionally run a stub init process as PID 1 This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-03 20:32:06 +01:00
if (arg_start_mode == START_BOOT && arg_kill_signal <= 0)
nspawn: make kill signal to use for PID 1 configurable
2015-02-25 22:04:48 +01:00
arg_kill_signal = SIGRTMIN+3;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
return 0;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
static int userns_lchown(const char *p, uid_t uid, gid_t gid) {
assert(p);
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
if (arg_userns_mode == USER_NAMESPACE_NO)
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
return 0;
if (uid == UID_INVALID && gid == GID_INVALID)
return 0;
if (uid != UID_INVALID) {
uid += arg_uid_shift;
if (uid < arg_uid_shift || uid >= arg_uid_shift + arg_uid_range)
return -EOVERFLOW;
}
if (gid != GID_INVALID) {
gid += (gid_t) arg_uid_shift;
if (gid < (gid_t) arg_uid_shift || gid >= (gid_t) (arg_uid_shift + arg_uid_range))
return -EOVERFLOW;
}
if (lchown(p, uid, gid) < 0)
return -errno;
nspawn: mount most of the cgroup tree read-only in nspawn containers except for the container's own subtree in the name=systemd hierarchy More specifically mount all other hierarchies in their entirety and the name=systemd above the container's subtree read-only.
2014-12-30 01:57:23 +01:00
return 0;
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
static int userns_mkdir(const char *root, const char *path, mode_t mode, uid_t uid, gid_t gid) {
const char *q;
Add mkdir_errno_wrapper() and use instead of mkdir() in various places We'd pass pointers to mkdir and mkdir_label to call in various places. mkdir returns the error in errno while mkdir_label returns the error directly.
2017-12-15 17:08:13 +01:00
int r;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
q = prefix_roota(root, path);
Add mkdir_errno_wrapper() and use instead of mkdir() in various places We'd pass pointers to mkdir and mkdir_label to call in various places. mkdir returns the error in errno while mkdir_label returns the error directly.
2017-12-15 17:08:13 +01:00
r = mkdir_errno_wrapper(q, mode);
if (r == -EEXIST)
return 0;
if (r < 0)
return r;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
return userns_lchown(q, uid, gid);
}
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
static int setup_timezone(const char *dest) {
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
_cleanup_free_ char *p = NULL, *q = NULL;
const char *where, *check, *what;
nspawn: we can't overmount /etc/localtime anymore since it's usually a symlink now Create the right symlink if possible for /etc/localtime
2012-09-21 16:54:54 +02:00
char *z, *y;
int r;
coverity: change a few things so that coverity doesn't show so many false positives
2011-09-23 01:44:36 +02:00
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
assert(dest);
/* Fix the timezone, if possible */
nspawn: we can't overmount /etc/localtime anymore since it's usually a symlink now Create the right symlink if possible for /etc/localtime
2012-09-21 16:54:54 +02:00
r = readlink_malloc("/etc/localtime", &p);
if (r < 0) {
nspawn: clarify log warning for /etc/localtime not being a symbolic link (#4163)
2016-09-17 09:59:28 +02:00
log_warning("host's /etc/localtime is not a symlink, not updating container timezone.");
/* to handle warning, delete /etc/localtime and replace it
treewide: fix typos (#4217)
2016-09-26 11:32:47 +02:00
* with a symbolic link to a time zone data file.
nspawn: clarify log warning for /etc/localtime not being a symbolic link (#4163)
2016-09-17 09:59:28 +02:00
*
* Example:
nspawn: fix comment typo in setup_timezone example (#4183)
2016-09-20 07:30:48 +02:00
* ln -s /usr/share/zoneinfo/UTC /etc/localtime
nspawn: clarify log warning for /etc/localtime not being a symbolic link (#4163)
2016-09-17 09:59:28 +02:00
*/
nspawn: we can't overmount /etc/localtime anymore since it's usually a symlink now Create the right symlink if possible for /etc/localtime
2012-09-21 16:54:54 +02:00
return 0;
}
z = path_startswith(p, "../usr/share/zoneinfo/");
if (!z)
z = path_startswith(p, "/usr/share/zoneinfo/");
if (!z) {
log_warning("/etc/localtime does not point into /usr/share/zoneinfo/, not updating container timezone.");
return 0;
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
where = prefix_roota(dest, "/etc/localtime");
nspawn: we can't overmount /etc/localtime anymore since it's usually a symlink now Create the right symlink if possible for /etc/localtime
2012-09-21 16:54:54 +02:00
r = readlink_malloc(where, &q);
if (r >= 0) {
y = path_startswith(q, "../usr/share/zoneinfo/");
if (!y)
y = path_startswith(q, "/usr/share/zoneinfo/");
nspawn: mount /etc/timezone into nspawn environment too
2012-03-15 00:45:02 +01:00
nspawn: we can't overmount /etc/localtime anymore since it's usually a symlink now Create the right symlink if possible for /etc/localtime
2012-09-21 16:54:54 +02:00
/* Already pointing to the right place? Then do nothing .. */
if (y && streq(y, z))
return 0;
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
check = strjoina("/usr/share/zoneinfo/", z);
nspawn: fix memory leak
2016-01-25 12:06:38 +01:00
check = prefix_roota(dest, check);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (laccess(check, F_OK) < 0) {
nspawn: we can't overmount /etc/localtime anymore since it's usually a symlink now Create the right symlink if possible for /etc/localtime
2012-09-21 16:54:54 +02:00
log_warning("Timezone %s does not exist in container, not updating container timezone.", z);
return 0;
}
nspawn: bind mount /dev/nul to /proc/kmsg, so that the container can't muck with the host kmsg
2012-04-12 12:58:08 +02:00
nspawn: don't complain when we can't fix the timezone of read-only containers There's nothing we can do about it, hence don't complain.
2016-12-21 00:39:50 +01:00
if (unlink(where) < 0 && errno != ENOENT) {
log_full_errno(IN_SET(errno, EROFS, EACCES, EPERM) ? LOG_DEBUG : LOG_WARNING, /* Don't complain on read-only images */
errno,
"Failed to remove existing timezone info %s in container, ignoring: %m", where);
nspawn: check some more return values Most of these failures would anyway get caught later on, but now the error messages are a bit more specific.
2014-09-25 18:49:56 +02:00
return 0;
}
nspawn: add new --volatile switch for booting containers in volatile (ephemeral) mode Two modes are supported: --volatile=yes mounts only /usr into the container, and a tmpfs as root directory. --volatile=state mounts the full OS tree in, but overmounts /var with a tmpfs. --volatile=yes hence boots with an unpopulated /etc and /var, starting with pristine configuration and state. --volatile=state hence boots with an unpopulated /var, only starting with pristine state.
2014-07-04 03:22:33 +02:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
what = strjoina("../usr/share/zoneinfo/", z);
nspawn: we can't overmount /etc/localtime anymore since it's usually a symlink now Create the right symlink if possible for /etc/localtime
2012-09-21 16:54:54 +02:00
if (symlink(what, where) < 0) {
nspawn: don't complain when we can't fix the timezone of read-only containers There's nothing we can do about it, hence don't complain.
2016-12-21 00:39:50 +01:00
log_full_errno(IN_SET(errno, EROFS, EACCES, EPERM) ? LOG_DEBUG : LOG_WARNING,
errno,
"Failed to correct timezone of container, ignoring: %m");
nspawn: we can't overmount /etc/localtime anymore since it's usually a symlink now Create the right symlink if possible for /etc/localtime
2012-09-21 16:54:54 +02:00
return 0;
}
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = userns_lchown(where, 0, 0);
if (r < 0)
return log_warning_errno(r, "Failed to chown /etc/localtime: %m");
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
return 0;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
}
nspawn: check if the DNS stub is listening for requests
2017-03-08 21:45:03 +01:00
static int resolved_listening(void) {
nspawn: tweak check whether resolved is around a bit Let's check D-Bus instead of files in /run to see if resolved is running. This is a bit nicer as bus names are automatically cleaned up when resolved dies, which is not the case for files in /run. See: #4649
2017-02-16 17:56:10 +01:00
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
nspawn: check if the DNS stub is listening for requests
2017-03-08 21:45:03 +01:00
_cleanup_free_ char *dns_stub_listener_mode = NULL;
nspawn: tweak check whether resolved is around a bit Let's check D-Bus instead of files in /run to see if resolved is running. This is a bit nicer as bus names are automatically cleaned up when resolved dies, which is not the case for files in /run. See: #4649
2017-02-16 17:56:10 +01:00
int r;
nspawn: check if the DNS stub is listening for requests
2017-03-08 21:45:03 +01:00
/* Check if resolved is listening */
nspawn: tweak check whether resolved is around a bit Let's check D-Bus instead of files in /run to see if resolved is running. This is a bit nicer as bus names are automatically cleaned up when resolved dies, which is not the case for files in /run. See: #4649
2017-02-16 17:56:10 +01:00
r = sd_bus_open_system(&bus);
if (r < 0)
return r;
nspawn: check if the DNS stub is listening for requests
2017-03-08 21:45:03 +01:00
r = bus_name_has_owner(bus, "org.freedesktop.resolve1", NULL);
if (r <= 0)
return r;
r = sd_bus_get_property_string(bus,
"org.freedesktop.resolve1",
"/org/freedesktop/resolve1",
"org.freedesktop.resolve1.Manager",
"DNSStubListener",
NULL,
&dns_stub_listener_mode);
if (r < 0)
return r;
return STR_IN_SET(dns_stub_listener_mode, "udp", "yes");
nspawn: tweak check whether resolved is around a bit Let's check D-Bus instead of files in /run to see if resolved is running. This is a bit nicer as bus names are automatically cleaned up when resolved dies, which is not the case for files in /run. See: #4649
2017-02-16 17:56:10 +01:00
}
nspawn: bind mount /etc/resolv.conf from the host by default
2012-04-25 15:08:00 +02:00
static int setup_resolv_conf(const char *dest) {
nspawn: tweaks to /etc/resolv.conf management Handle properly if /etc is a symlink (i.e. make sure we don't follow the symlink outside the image). Also follow /etc/resolv.conf if it is a symlink, and use the resolved path when creating a mount point and mounting (as both of these operations follow symlinks and rally shouldn't). Handle more types of read-only errors as debug-level issues.
2016-12-21 00:44:00 +01:00
_cleanup_free_ char *resolved = NULL, *etc = NULL;
const char *where;
int r, found;
nspawn: bind mount /etc/resolv.conf from the host by default
2012-04-25 15:08:00 +02:00
assert(dest);
if (arg_private_network)
return 0;
nspawn: tweaks to /etc/resolv.conf management Handle properly if /etc is a symlink (i.e. make sure we don't follow the symlink outside the image). Also follow /etc/resolv.conf if it is a symlink, and use the resolved path when creating a mount point and mounting (as both of these operations follow symlinks and rally shouldn't). Handle more types of read-only errors as debug-level issues.
2016-12-21 00:44:00 +01:00
r = chase_symlinks("/etc", dest, CHASE_PREFIX_ROOT, &etc);
if (r < 0) {
log_warning_errno(r, "Failed to resolve /etc path in container, ignoring: %m");
return 0;
}
where = strjoina(etc, "/resolv.conf");
found = chase_symlinks(where, dest, CHASE_NONEXISTENT, &resolved);
if (found < 0) {
log_warning_errno(found, "Failed to resolve /etc/resolv.conf path in container, ignoring: %m");
return 0;
}
nspawn: check some more return values Most of these failures would anyway get caught later on, but now the error messages are a bit more specific.
2014-09-25 18:49:56 +02:00
nspawn: adjust path to static resolv.conf to support split usr Fixes #7302.
2017-11-25 13:11:04 +01:00
if (access(STATIC_RESOLV_CONF, F_OK) >= 0 &&
nspawn: check if the DNS stub is listening for requests
2017-03-08 21:45:03 +01:00
resolved_listening() > 0) {
nspawn: tweaks to /etc/resolv.conf management Handle properly if /etc is a symlink (i.e. make sure we don't follow the symlink outside the image). Also follow /etc/resolv.conf if it is a symlink, and use the resolved path when creating a mount point and mounting (as both of these operations follow symlinks and rally shouldn't). Handle more types of read-only errors as debug-level issues.
2016-12-21 00:44:00 +01:00
nspawn: try to bind mount resolved's resolv.conf snippet into the container This has the benefit that the container can follow the host's DNS server changes without us having to constantly update the container's resolv.conf settings.
2016-07-27 14:50:45 +02:00
/* resolved is enabled on the host. In this, case bind mount its static resolv.conf file into the
* container, so that the container can use the host's resolver. Given that network namespacing is
* disabled it's only natural of the container also uses the host's resolver. It also has the big
* advantage that the container will be able to follow the host's DNS server configuration changes
* transparently. */
nspawn: tweaks to /etc/resolv.conf management Handle properly if /etc is a symlink (i.e. make sure we don't follow the symlink outside the image). Also follow /etc/resolv.conf if it is a symlink, and use the resolved path when creating a mount point and mounting (as both of these operations follow symlinks and rally shouldn't). Handle more types of read-only errors as debug-level issues.
2016-12-21 00:44:00 +01:00
if (found == 0) /* missing? */
(void) touch(resolved);
nspawn: resolv.conf might not be created initially (#4799) This might happen that resolv.conf is missing in a minimal rootfs and in this case the following warning is emitted: Failed to mount n/a on /mnt/etc/resolv.conf (MS_BIND ""): No such file or directory This patch fixes this case.
2016-12-07 21:36:39 +01:00
nspawn: adjust path to static resolv.conf to support split usr Fixes #7302.
2017-11-25 13:11:04 +01:00
r = mount_verbose(LOG_DEBUG, STATIC_RESOLV_CONF, resolved, NULL, MS_BIND, NULL);
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
if (r >= 0)
nspawn: tweaks to /etc/resolv.conf management Handle properly if /etc is a symlink (i.e. make sure we don't follow the symlink outside the image). Also follow /etc/resolv.conf if it is a symlink, and use the resolved path when creating a mount point and mounting (as both of these operations follow symlinks and rally shouldn't). Handle more types of read-only errors as debug-level issues.
2016-12-21 00:44:00 +01:00
return mount_verbose(LOG_ERR, NULL, resolved, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV, NULL);
nspawn: try to bind mount resolved's resolv.conf snippet into the container This has the benefit that the container can follow the host's DNS server changes without us having to constantly update the container's resolv.conf settings.
2016-07-27 14:50:45 +02:00
}
/* If that didn't work, let's copy the file */
copy: change the various copy_xyz() calls to take a unified flags parameter This adds a unified "copy_flags" parameter to all copy_xyz() function calls, replacing the various boolean flags so far used. This should make many invocations more readable as it is clear what behaviour is precisely requested. This also prepares ground for adding support for more modes later on.
2017-02-13 19:00:22 +01:00
r = copy_file("/etc/resolv.conf", where, O_TRUNC|O_NOFOLLOW, 0644, 0, COPY_REFLINK);
nspawn: check some more return values Most of these failures would anyway get caught later on, but now the error messages are a bit more specific.
2014-09-25 18:49:56 +02:00
if (r < 0) {
nspawn: try to bind mount resolved's resolv.conf snippet into the container This has the benefit that the container can follow the host's DNS server changes without us having to constantly update the container's resolv.conf settings.
2016-07-27 14:50:45 +02:00
/* If the file already exists as symlink, let's suppress the warning, under the assumption that
* resolved or something similar runs inside and the symlink points there.
nspawn: suppress warning when /etc/resolv.conf is a valid symlink In such a case let's suppress the warning (downgrade to LOG_DEBUG), under the assumption that the user has no config file to update in its place, but a symlink that points to something like resolved's automatically managed resolve.conf file. While we are at it, also stop complaining if we cannot write /etc/resolv.conf due to a read-only disk, given that there's little we could do about it.
2015-06-18 19:42:59 +02:00
*
nspawn: try to bind mount resolved's resolv.conf snippet into the container This has the benefit that the container can follow the host's DNS server changes without us having to constantly update the container's resolv.conf settings.
2016-07-27 14:50:45 +02:00
* If the disk image is read-only, there's also no point in complaining.
nspawn: suppress warning when /etc/resolv.conf is a valid symlink In such a case let's suppress the warning (downgrade to LOG_DEBUG), under the assumption that the user has no config file to update in its place, but a symlink that points to something like resolved's automatically managed resolve.conf file. While we are at it, also stop complaining if we cannot write /etc/resolv.conf due to a read-only disk, given that there's little we could do about it.
2015-06-18 19:42:59 +02:00
*/
nspawn: tweaks to /etc/resolv.conf management Handle properly if /etc is a symlink (i.e. make sure we don't follow the symlink outside the image). Also follow /etc/resolv.conf if it is a symlink, and use the resolved path when creating a mount point and mounting (as both of these operations follow symlinks and rally shouldn't). Handle more types of read-only errors as debug-level issues.
2016-12-21 00:44:00 +01:00
log_full_errno(IN_SET(r, -ELOOP, -EROFS, -EACCES, -EPERM) ? LOG_DEBUG : LOG_WARNING, r,
nspawn: try to bind mount resolved's resolv.conf snippet into the container This has the benefit that the container can follow the host's DNS server changes without us having to constantly update the container's resolv.conf settings.
2016-07-27 14:50:45 +02:00
"Failed to copy /etc/resolv.conf to %s, ignoring: %m", where);
nspawn: check some more return values Most of these failures would anyway get caught later on, but now the error messages are a bit more specific.
2014-09-25 18:49:56 +02:00
return 0;
}
nspawn: bind mount /etc/resolv.conf from the host by default
2012-04-25 15:08:00 +02:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = userns_lchown(where, 0, 0);
if (r < 0)
nspawn: try to bind mount resolved's resolv.conf snippet into the container This has the benefit that the container can follow the host's DNS server changes without us having to constantly update the container's resolv.conf settings.
2016-07-27 14:50:45 +02:00
log_warning_errno(r, "Failed to chown /etc/resolv.conf, ignoring: %m");
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
nspawn: bind mount /etc/resolv.conf from the host by default
2012-04-25 15:08:00 +02:00
return 0;
}
nspawn: generate a new randomized boot ID for each container
2012-09-05 23:39:16 +02:00
static int setup_boot_id(const char *dest) {
tree-wide: use sd_id128_is_null() instead of sd_id128_equal where appropriate It's a bit easier to read because shorter. Also, most likely a tiny bit faster.
2016-07-21 16:06:31 +02:00
sd_id128_t rnd = SD_ID128_NULL;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
const char *from, *to;
nspawn: generate a new randomized boot ID for each container
2012-09-05 23:39:16 +02:00
int r;
/* Generate a new randomized boot ID, so that each boot-up of
* the container gets a new one */
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
from = prefix_roota(dest, "/run/proc-sys-kernel-random-boot-id");
to = prefix_roota(dest, "/proc/sys/kernel/random/boot_id");
nspawn: generate a new randomized boot ID for each container
2012-09-05 23:39:16 +02:00
r = sd_id128_randomize(&rnd);
treewide: yet more log_*_errno + return simplifications Using: find . -name '*.[ch]' | while read f; do perl -i.mmm -e \ 'local $/; local $_=<>; s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg; print;' $f done And a couple of manual whitespace fixups.
2014-11-28 18:50:43 +01:00
if (r < 0)
return log_error_errno(r, "Failed to generate random boot id: %m");
nspawn: generate a new randomized boot ID for each container
2012-09-05 23:39:16 +02:00
machine-id-setup: port machine_id_commit() to new id128-util.c APIs
2016-07-21 19:12:50 +02:00
r = id128_write(from, ID128_UUID, rnd, false);
treewide: yet more log_*_errno + return simplifications Using: find . -name '*.[ch]' | while read f; do perl -i.mmm -e \ 'local $/; local $_=<>; s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg; print;' $f done And a couple of manual whitespace fixups.
2014-11-28 18:50:43 +01:00
if (r < 0)
return log_error_errno(r, "Failed to write boot id: %m");
nspawn: generate a new randomized boot ID for each container
2012-09-05 23:39:16 +02:00
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
r = mount_verbose(LOG_ERR, from, to, NULL, MS_BIND, NULL);
if (r >= 0)
r = mount_verbose(LOG_ERR, NULL, to, NULL,
MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV, NULL);
nspawn: generate a new randomized boot ID for each container
2012-09-05 23:39:16 +02:00
tree-wide: use sd_id128_is_null() instead of sd_id128_equal where appropriate It's a bit easier to read because shorter. Also, most likely a tiny bit faster.
2016-07-21 16:06:31 +02:00
(void) unlink(from);
nspawn: generate a new randomized boot ID for each container
2012-09-05 23:39:16 +02:00
return r;
}
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
static int copy_devnodes(const char *dest) {
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
static const char devnodes[] =
"null\0"
"zero\0"
"full\0"
"random\0"
"urandom\0"
nspawn: copy /dev/net/tun from host This enables tuntap support in the container (assumning the necessary capabilities are in place).
2014-10-08 15:01:07 +02:00
"tty\0"
"net/tun\0";
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
const char *d;
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
int r = 0;
move _cleanup_ attribute in front of the type http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
2013-04-18 09:11:22 +02:00
_cleanup_umask_ mode_t u;
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
assert(dest);
nspawn: reset umask if needed
2011-03-14 03:28:00 +01:00
u = umask(0000);
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* Create /dev/net, so that we can create /dev/net/tun in it */
if (userns_mkdir(dest, "/dev/net", 0755, 0, 0) < 0)
return log_error_errno(r, "Failed to create /dev/net directory: %m");
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
NULSTR_FOREACH(d, devnodes) {
move _cleanup_ attribute in front of the type http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
2013-04-18 09:11:22 +02:00
_cleanup_free_ char *from = NULL, *to = NULL;
exec: introduce PrivateDevices= switch to provide services with a private /dev Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but not any physical devices in them.
2014-01-20 19:54:51 +01:00
struct stat st;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
exec: introduce PrivateDevices= switch to provide services with a private /dev Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but not any physical devices in them.
2014-01-20 19:54:51 +01:00
from = strappend("/dev/", d);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
to = prefix_root(dest, from);
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
if (stat(from, &st) < 0) {
treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28 19:57:32 +01:00
if (errno != ENOENT)
return log_error_errno(errno, "Failed to stat %s: %m", from);
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
} else if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode)) {
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
log_error("%s is not a char or block device, cannot copy.", from);
exec: introduce PrivateDevices= switch to provide services with a private /dev Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but not any physical devices in them.
2014-01-20 19:54:51 +01:00
return -EIO;
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
nspawn: copy /dev/net/tun from host This enables tuntap support in the container (assumning the necessary capabilities are in place).
2014-10-08 15:01:07 +02:00
} else {
nspawn: fallback on bind mount when mknod fails Some systems abusively restrict mknod, even when the device node already exists in /dev. This is unfortunate because it prevents systemd-nspawn from creating the basic devices in /dev in the container. This patch implements a workaround: when mknod fails, fallback on bind mounts. Additionally, /dev/console was created with a mknod with the same major/minor as /dev/null before bind mounting a pts on it. This patch removes the mknod and creates an empty regular file instead. In order to test this patch, I used the following configuration, which I think should replicate the system with the abusive restriction on mknod: # grep devices /proc/self/cgroup 4:devices:/user.slice/restrict # cat /sys/fs/cgroup/devices/user.slice/restrict/devices.list c 1:9 r c 5:2 rw c 136:* rw # systemd-nspawn --register=false -D . v2: - remove "bind", it is not needed since there is already MS_BIND v3: - fix error management when calling touch() - fix lowercase in error message
2015-03-31 17:14:48 +02:00
if (mknod(to, st.st_mode, st.st_rdev) < 0) {
nspawn: reword notice when /dev is pre-mounted and populated (#4971) Fixes: #4676
2016-12-29 11:02:39 +01:00
/* Explicitly warn the user when /dev is already populated. */
nspawn: add log message to let users know that nspawn needs an empty /dev directory (#4226) Fixes https://github.com/systemd/systemd/issues/3695 At the same time it adds a protection against userns chown of inodes of a shared mount point.
2016-10-05 06:57:02 +02:00
if (errno == EEXIST)
nspawn: reword notice when /dev is pre-mounted and populated (#4971) Fixes: #4676
2016-12-29 11:02:39 +01:00
log_notice("%s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system.", dest);
nspawn: fallback on bind mount when mknod fails Some systems abusively restrict mknod, even when the device node already exists in /dev. This is unfortunate because it prevents systemd-nspawn from creating the basic devices in /dev in the container. This patch implements a workaround: when mknod fails, fallback on bind mounts. Additionally, /dev/console was created with a mknod with the same major/minor as /dev/null before bind mounting a pts on it. This patch removes the mknod and creates an empty regular file instead. In order to test this patch, I used the following configuration, which I think should replicate the system with the abusive restriction on mknod: # grep devices /proc/self/cgroup 4:devices:/user.slice/restrict # cat /sys/fs/cgroup/devices/user.slice/restrict/devices.list c 1:9 r c 5:2 rw c 136:* rw # systemd-nspawn --register=false -D . v2: - remove "bind", it is not needed since there is already MS_BIND v3: - fix error management when calling touch() - fix lowercase in error message
2015-03-31 17:14:48 +02:00
if (errno != EPERM)
return log_error_errno(errno, "mknod(%s) failed: %m", to);
/* Some systems abusively restrict mknod but
* allow bind mounts. */
r = touch(to);
if (r < 0)
return log_error_errno(r, "touch (%s) failed: %m", to);
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
r = mount_verbose(LOG_DEBUG, from, to, NULL, MS_BIND, NULL);
if (r < 0)
return log_error_errno(r, "Both mknod and bind mount (%s) failed: %m", to);
nspawn: fallback on bind mount when mknod fails Some systems abusively restrict mknod, even when the device node already exists in /dev. This is unfortunate because it prevents systemd-nspawn from creating the basic devices in /dev in the container. This patch implements a workaround: when mknod fails, fallback on bind mounts. Additionally, /dev/console was created with a mknod with the same major/minor as /dev/null before bind mounting a pts on it. This patch removes the mknod and creates an empty regular file instead. In order to test this patch, I used the following configuration, which I think should replicate the system with the abusive restriction on mknod: # grep devices /proc/self/cgroup 4:devices:/user.slice/restrict # cat /sys/fs/cgroup/devices/user.slice/restrict/devices.list c 1:9 r c 5:2 rw c 136:* rw # systemd-nspawn --register=false -D . v2: - remove "bind", it is not needed since there is already MS_BIND v3: - fix error management when calling touch() - fix lowercase in error message
2015-03-31 17:14:48 +02:00
}
nspawn: chown basic device nodes to userns root
2015-02-19 12:03:39 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = userns_lchown(to, 0, 0);
if (r < 0)
return log_error_errno(r, "chown() of device node %s failed: %m", to);
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
}
}
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
return r;
}
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
static int setup_pts(const char *dest) {
_cleanup_free_ char *options = NULL;
const char *p;
treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.
2015-11-05 13:44:06 +01:00
int r;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_SELINUX
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (arg_selinux_apifs_context)
(void) asprintf(&options,
nspawn: Don't pass uid mount option for devpts Mounting devpts with a uid breaks pty allocation with recent glibc versions, which expect that the kernel will set the correct owner for user-allocated ptys. The kernel seems to be smart enough to use the correct uid for root when we switch to a user namespace. This resolves #337.
2015-07-23 04:34:57 +02:00
"newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT ",context=\"%s\"",
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
arg_uid_shift + TTY_GID,
arg_selinux_apifs_context);
else
#endif
(void) asprintf(&options,
nspawn: Don't pass uid mount option for devpts Mounting devpts with a uid breaks pty allocation with recent glibc versions, which expect that the kernel will set the correct owner for user-allocated ptys. The kernel seems to be smart enough to use the correct uid for root when we switch to a user namespace. This resolves #337.
2015-07-23 04:34:57 +02:00
"newinstance,ptmxmode=0666,mode=620,gid=" GID_FMT,
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
arg_uid_shift + TTY_GID);
nspawn: create a separate devpts namespace for nspawn containers
2013-03-07 13:34:07 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (!options)
nspawn: create a separate devpts namespace for nspawn containers
2013-03-07 13:34:07 +01:00
return log_oom();
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* Mount /dev/pts itself */
nspawn: fix memleak This was a typo, swapping prefix_root() in place of prefix_roota(). Fixes CID 1299640.
2015-05-25 23:01:45 +02:00
p = prefix_roota(dest, "/dev/pts");
Add mkdir_errno_wrapper() and use instead of mkdir() in various places We'd pass pointers to mkdir and mkdir_label to call in various places. mkdir returns the error in errno while mkdir_label returns the error directly.
2017-12-15 17:08:13 +01:00
r = mkdir_errno_wrapper(p, 0755);
if (r < 0)
return log_error_errno(r, "Failed to create /dev/pts: %m");
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
r = mount_verbose(LOG_ERR, "devpts", p, "devpts", MS_NOSUID|MS_NOEXEC, options);
if (r < 0)
return r;
treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.
2015-11-05 13:44:06 +01:00
r = userns_lchown(p, 0, 0);
if (r < 0)
return log_error_errno(r, "Failed to chown /dev/pts: %m");
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* Create /dev/ptmx symlink */
p = prefix_roota(dest, "/dev/ptmx");
treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28 19:57:32 +01:00
if (symlink("pts/ptmx", p) < 0)
return log_error_errno(errno, "Failed to create /dev/ptmx symlink: %m");
treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.
2015-11-05 13:44:06 +01:00
r = userns_lchown(p, 0, 0);
if (r < 0)
return log_error_errno(r, "Failed to chown /dev/ptmx: %m");
nspawn: create a separate devpts namespace for nspawn containers
2013-03-07 13:34:07 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* And fix /dev/pts/ptmx ownership */
p = prefix_roota(dest, "/dev/pts/ptmx");
treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.
2015-11-05 13:44:06 +01:00
r = userns_lchown(p, 0, 0);
if (r < 0)
return log_error_errno(r, "Failed to chown /dev/pts/ptmx: %m");
nspawn: chown basic device nodes to userns root
2015-02-19 12:03:39 +01:00
nspawn: create a separate devpts namespace for nspawn containers
2013-03-07 13:34:07 +01:00
return 0;
}
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
static int setup_dev_console(const char *dest, const char *console) {
nspawn: don't try mknod() of /dev/console with the correct major/minor We overmount /dev/console with an external pty anyway, hence there's no point in using the real major/minor when we create the node to overmount. Instead, use the one of /dev/null now. This fixes a race against the cgroup device controller setup we are using. In case /dev/console was create before the cgroup policy was applied all was good, but if created in the opposite order the mknod() would fail, since creating /dev/console is not allowed by it. Creating /dev/null instances is however permitted, and hence use it.
2014-03-10 21:36:01 +01:00
_cleanup_umask_ mode_t u;
const char *to;
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
int r;
assert(dest);
assert(console);
u = umask(0000);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = chmod_and_chown(console, 0600, arg_uid_shift, arg_uid_shift);
treewide: yet more log_*_errno + return simplifications Using: find . -name '*.[ch]' | while read f; do perl -i.mmm -e \ 'local $/; local $_=<>; s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg; print;' $f done And a couple of manual whitespace fixups.
2014-11-28 18:50:43 +01:00
if (r < 0)
return log_error_errno(r, "Failed to correct access mode for TTY: %m");
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
/* We need to bind mount the right tty to /dev/console since
* ptys can only exist on pts file systems. To have something
nspawn: fallback on bind mount when mknod fails Some systems abusively restrict mknod, even when the device node already exists in /dev. This is unfortunate because it prevents systemd-nspawn from creating the basic devices in /dev in the container. This patch implements a workaround: when mknod fails, fallback on bind mounts. Additionally, /dev/console was created with a mknod with the same major/minor as /dev/null before bind mounting a pts on it. This patch removes the mknod and creates an empty regular file instead. In order to test this patch, I used the following configuration, which I think should replicate the system with the abusive restriction on mknod: # grep devices /proc/self/cgroup 4:devices:/user.slice/restrict # cat /sys/fs/cgroup/devices/user.slice/restrict/devices.list c 1:9 r c 5:2 rw c 136:* rw # systemd-nspawn --register=false -D . v2: - remove "bind", it is not needed since there is already MS_BIND v3: - fix error management when calling touch() - fix lowercase in error message
2015-03-31 17:14:48 +02:00
* to bind mount things on we create a empty regular file. */
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
to = prefix_roota(dest, "/dev/console");
nspawn: fallback on bind mount when mknod fails Some systems abusively restrict mknod, even when the device node already exists in /dev. This is unfortunate because it prevents systemd-nspawn from creating the basic devices in /dev in the container. This patch implements a workaround: when mknod fails, fallback on bind mounts. Additionally, /dev/console was created with a mknod with the same major/minor as /dev/null before bind mounting a pts on it. This patch removes the mknod and creates an empty regular file instead. In order to test this patch, I used the following configuration, which I think should replicate the system with the abusive restriction on mknod: # grep devices /proc/self/cgroup 4:devices:/user.slice/restrict # cat /sys/fs/cgroup/devices/user.slice/restrict/devices.list c 1:9 r c 5:2 rw c 136:* rw # systemd-nspawn --register=false -D . v2: - remove "bind", it is not needed since there is already MS_BIND v3: - fix error management when calling touch() - fix lowercase in error message
2015-03-31 17:14:48 +02:00
r = touch(to);
if (r < 0)
return log_error_errno(r, "touch() for /dev/console failed: %m");
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
return mount_verbose(LOG_ERR, console, to, NULL, MS_BIND, NULL);
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
}
nspawn: set up a new session keyring for the container process keyring material should not leak into the container. So far we relied on seccomp to deny access to the keyring, but given that we now made the seccomp configurable, and access to keyctl() and friends may optionally be permitted to containers now let's make sure we disconnect the callers keyring from the keyring of PID 1 in the container.
2017-09-21 14:02:31 +02:00
static int setup_keyring(void) {
key_serial_t keyring;
/* Allocate a new session keyring for the container. This makes sure the keyring of the session systemd-nspawn
* was invoked from doesn't leak into the container. Note that by default we block keyctl() and request_key()
* anyway via seccomp so doing this operation isn't strictly necessary, but in case people explicitly whitelist
* these system calls let's make sure we don't leak anything into the container. */
keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
if (keyring == -1) {
if (errno == ENOSYS)
log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
else if (IN_SET(errno, EACCES, EPERM))
log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
else
return log_error_errno(errno, "Setting up kernel keyring failed: %m");
}
return 0;
}
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
static int setup_kmsg(const char *dest, int kmsg_socket) {
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
const char *from, *to;
move _cleanup_ attribute in front of the type http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
2013-04-18 09:11:22 +02:00
_cleanup_umask_ mode_t u;
util: introduce {send,receive}_one_fd() Introduce two new helpers that send/receive a single fd via a unix transport. Also make nspawn use them instead of hard-coding it. Based on a patch by Krzesimir Nowak.
2015-09-22 14:09:54 +02:00
int fd, r;
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
assert(kmsg_socket >= 0);
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
u = umask(0000);
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* We create the kmsg FIFO as /run/kmsg, but immediately
nspawn: make /dev/kmsg unavailable in the container, but allow access to /proc/kmsg
2012-04-22 00:32:13 +02:00
* delete it after bind mounting it to /proc/kmsg. While FIFOs
* on the reading side behave very similar to /proc/kmsg,
* their writing side behaves differently from /dev/kmsg in
* that writing blocks when nothing is reading. In order to
* avoid any problems with containers deadlocking due to this
* we simply make /dev/kmsg unavailable to the container. */
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
from = prefix_roota(dest, "/run/kmsg");
to = prefix_roota(dest, "/proc/kmsg");
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28 19:57:32 +01:00
if (mkfifo(from, 0600) < 0)
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
return log_error_errno(errno, "mkfifo() for /run/kmsg failed: %m");
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
r = mount_verbose(LOG_ERR, from, to, NULL, MS_BIND, NULL);
if (r < 0)
return r;
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
fd = open(from, O_RDWR|O_NDELAY|O_CLOEXEC);
treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28 19:57:32 +01:00
if (fd < 0)
return log_error_errno(errno, "Failed to open fifo: %m");
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
/* Store away the fd in the socket, so that it stays open as
* long as we run the child */
tree-wide: port more code to use send_one_fd() and receive_one_fd() Also, make it slightly more powerful, by accepting a flags argument, and make it safe for handling if more than one cmsg attribute happens to be attached.
2015-09-23 01:00:04 +02:00
r = send_one_fd(kmsg_socket, fd, 0);
util: replace close_nointr_nofail() by a more useful safe_close() safe_close() automatically becomes a NOP when a negative fd is passed, and returns -1 unconditionally. This makes it easy to write lines like this: fd = safe_close(fd); Which will close an fd if it is open, and reset the fd variable correctly. By making use of this new scheme we can drop a > 200 lines of code that was required to test for non-negative fds or to reset the closed fd variable afterwards.
2014-03-18 19:22:43 +01:00
safe_close(fd);
nspawn: fake /dev/kmsg and /proc/kmsg as fifo
2012-04-13 16:51:33 +02:00
util: introduce {send,receive}_one_fd() Introduce two new helpers that send/receive a single fd via a unix transport. Also make nspawn use them instead of hard-coding it. Based on a patch by Krzesimir Nowak.
2015-09-22 14:09:54 +02:00
if (r < 0)
return log_error_errno(r, "Failed to send FIFO fd: %m");
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* And now make the FIFO unavailable as /run/kmsg... */
(void) unlink(from);
nspawn: use automatic cleanup for umask
2012-09-16 16:14:11 +02:00
return 0;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
}
sd-netlink: rename from sd-rtnl
2015-06-12 16:31:33 +02:00
static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *userdata) {
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
union in_addr_union *exposed = userdata;
assert(rtnl);
assert(m);
assert(exposed);
nspawn: split all port exposure code into nspawn-expose-port.[ch]
2015-09-07 16:52:24 +02:00
expose_port_execute(rtnl, arg_expose_ports, exposed);
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
return 0;
}
nspawn: be more careful when initializing the hostname from the directory name
2012-04-22 01:01:22 +02:00
static int setup_hostname(void) {
nspawn: split down SYSTEMD_NSPAWN_SHARE_SYSTEM (#4023) This commit follows further on the deprecation path for --share-system, by splitting and gating each share-able namespace behind its own environment flag.
2016-08-26 00:08:26 +02:00
if ((arg_clone_ns_flags & CLONE_NEWUTS) == 0)
nspawn: add --register=yes|no switch to optionally disable registration of the container with machined
2014-02-10 15:36:32 +01:00
return 0;
util: introduce sethostname_idempotent Function queries system hostname and applies changes only when necessary. Also, migrate all client of sethostname to sethostname_idempotent while at it.
2014-10-21 18:17:54 +02:00
if (sethostname_idempotent(arg_machine) < 0)
nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.
2013-04-16 04:36:06 +02:00
return -errno;
nspawn: be more careful when initializing the hostname from the directory name
2012-04-22 01:01:22 +02:00
nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.
2013-04-16 04:36:06 +02:00
return 0;
nspawn: be more careful when initializing the hostname from the directory name
2012-04-22 01:01:22 +02:00
}
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
static int setup_journal(const char *directory) {
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
sd_id128_t this_id;
tree-wide: remove unused variables (#3098)
2016-04-23 02:49:07 +02:00
_cleanup_free_ char *d = NULL;
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
const char *p, *q;
nspawn: make journal linking non-fatal in try and auto modes Fixes #2091
2016-01-28 20:15:49 +01:00
bool try;
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
char id[33];
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
int r;
nspawn: don't link journals in ephemeral mode
2014-12-12 16:58:57 +01:00
/* Don't link journals in ephemeral mode */
if (arg_ephemeral)
return 0;
nspawn: make journal linking non-fatal in try and auto modes Fixes #2091
2016-01-28 20:15:49 +01:00
if (arg_link_journal == LINK_NO)
return 0;
try = arg_link_journal_try || arg_link_journal == LINK_AUTO;
nspawn: complain and continue if machine has same id If --link-journal=host or --link-journal=guest is used, this totally cannot work and we exit with an error. If however --link-journal=auto or --link-journal=no is used, just display a warning. Having the same machine id can happen if booting from the same filesystem as the host. Since other things mostly function correctly, let's allow that. https://bugs.freedesktop.org/show_bug.cgi?id=68369
2013-12-12 04:00:33 +01:00
r = sd_id128_get_machine(&this_id);
treewide: yet more log_*_errno + return simplifications Using: find . -name '*.[ch]' | while read f; do perl -i.mmm -e \ 'local $/; local $_=<>; s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg; print;' $f done And a couple of manual whitespace fixups.
2014-11-28 18:50:43 +01:00
if (r < 0)
return log_error_errno(r, "Failed to retrieve machine ID: %m");
nspawn: complain and continue if machine has same id If --link-journal=host or --link-journal=guest is used, this totally cannot work and we exit with an error. If however --link-journal=auto or --link-journal=no is used, just display a warning. Having the same machine id can happen if booting from the same filesystem as the host. Since other things mostly function correctly, let's allow that. https://bugs.freedesktop.org/show_bug.cgi?id=68369
2013-12-12 04:00:33 +01:00
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
if (sd_id128_equal(arg_uuid, this_id)) {
nspawn: make journal linking non-fatal in try and auto modes Fixes #2091
2016-01-28 20:15:49 +01:00
log_full(try ? LOG_WARNING : LOG_ERR,
nspawn: convert uuid to string (#3146) Fixes: cp /etc/machine-id /var/tmp/systemd-test.HccKPa/nspawn-root/etc systemd-nspawn -D /var/tmp/systemd-test.HccKPa/nspawn-root --link-journal host -b ... Host and machine ids are equal (P�S!V): refusing to link journals
2016-04-29 10:38:35 +02:00
"Host and machine ids are equal (%s): refusing to link journals", sd_id128_to_string(arg_uuid, id));
nspawn: make journal linking non-fatal in try and auto modes Fixes #2091
2016-01-28 20:15:49 +01:00
if (try)
nspawn: complain and continue if machine has same id If --link-journal=host or --link-journal=guest is used, this totally cannot work and we exit with an error. If however --link-journal=auto or --link-journal=no is used, just display a warning. Having the same machine id can happen if booting from the same filesystem as the host. Since other things mostly function correctly, let's allow that. https://bugs.freedesktop.org/show_bug.cgi?id=68369
2013-12-12 04:00:33 +01:00
return 0;
nspawn: don't link journals in ephemeral mode
2014-12-12 16:58:57 +01:00
return -EEXIST;
nspawn: complain and continue if machine has same id If --link-journal=host or --link-journal=guest is used, this totally cannot work and we exit with an error. If however --link-journal=auto or --link-journal=no is used, just display a warning. Having the same machine id can happen if booting from the same filesystem as the host. Since other things mostly function correctly, let's allow that. https://bugs.freedesktop.org/show_bug.cgi?id=68369
2013-12-12 04:00:33 +01:00
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = userns_mkdir(directory, "/var", 0755, 0, 0);
if (r < 0)
return log_error_errno(r, "Failed to create /var: %m");
r = userns_mkdir(directory, "/var/log", 0755, 0, 0);
if (r < 0)
return log_error_errno(r, "Failed to create /var/log: %m");
r = userns_mkdir(directory, "/var/log/journal", 0755, 0, 0);
if (r < 0)
return log_error_errno(r, "Failed to create /var/log/journal: %m");
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
(void) sd_id128_to_string(arg_uuid, id);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
p = strjoina("/var/log/journal/", id);
q = prefix_roota(directory, p);
nspawn: use automatic cleanup and provide debug info The documentation for --link-journal is also reworded.
2012-10-02 10:58:31 +02:00
tree-wide: stop using canonicalize_file_name(), use chase_symlinks() instead Let's use chase_symlinks() everywhere, and stop using GNU canonicalize_file_name() everywhere. For most cases this should not change behaviour, however increase exposure of our function to get better tested. Most importantly in a few cases (most notably nspawn) it can take the correct root directory into account when chasing symlinks.
2016-11-18 21:35:21 +01:00
if (path_is_mount_point(p, NULL, 0) > 0) {
nspawn: make journal linking non-fatal in try and auto modes Fixes #2091
2016-01-28 20:15:49 +01:00
if (try)
return 0;
nspawn: use automatic cleanup and provide debug info The documentation for --link-journal is also reworded.
2012-10-02 10:58:31 +02:00
nspawn: make journal linking non-fatal in try and auto modes Fixes #2091
2016-01-28 20:15:49 +01:00
log_error("%s: already a mount point, refusing to use for journal", p);
return -EEXIST;
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
}
tree-wide: stop using canonicalize_file_name(), use chase_symlinks() instead Let's use chase_symlinks() everywhere, and stop using GNU canonicalize_file_name() everywhere. For most cases this should not change behaviour, however increase exposure of our function to get better tested. Most importantly in a few cases (most notably nspawn) it can take the correct root directory into account when chasing symlinks.
2016-11-18 21:35:21 +01:00
if (path_is_mount_point(q, NULL, 0) > 0) {
nspawn: make journal linking non-fatal in try and auto modes Fixes #2091
2016-01-28 20:15:49 +01:00
if (try)
return 0;
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
nspawn: make journal linking non-fatal in try and auto modes Fixes #2091
2016-01-28 20:15:49 +01:00
log_error("%s: already a mount point, refusing to use for journal", q);
return -EEXIST;
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
}
r = readlink_and_make_absolute(p, &d);
if (r >= 0) {
tree-wide: use IN_SET where possible In addition to the changes from #6933 this handles cases that could be matched with the included cocci file.
2017-09-29 00:37:23 +02:00
if (IN_SET(arg_link_journal, LINK_GUEST, LINK_AUTO) &&
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
path_equal(d, q)) {
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = userns_mkdir(directory, p, 0755, 0, 0);
nspawn: use automatic cleanup and provide debug info The documentation for --link-journal is also reworded.
2012-10-02 10:58:31 +02:00
if (r < 0)
treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.
2015-11-05 13:44:06 +01:00
log_warning_errno(r, "Failed to create directory %s: %m", q);
nspawn: use automatic cleanup and provide debug info The documentation for --link-journal is also reworded.
2012-10-02 10:58:31 +02:00
return 0;
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
}
treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28 19:57:32 +01:00
if (unlink(p) < 0)
return log_error_errno(errno, "Failed to remove symlink %s: %m", p);
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
} else if (r == -EINVAL) {
if (arg_link_journal == LINK_GUEST &&
rmdir(p) < 0) {
nspawn: use automatic cleanup and provide debug info The documentation for --link-journal is also reworded.
2012-10-02 10:58:31 +02:00
if (errno == ENOTDIR) {
log_error("%s already exists and is neither a symlink nor a directory", p);
return r;
nspawn: simplify error returns Use the "return log_error_errno(...)" idiom to have fewer curly braces. The last hunk also fixes the return value of setup_journal(), but the fix has no practical effect.
2015-11-05 13:44:10 +01:00
} else
return log_error_errno(errno, "Failed to remove %s: %m", p);
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
}
nspawn: simplify error returns Use the "return log_error_errno(...)" idiom to have fewer curly braces. The last hunk also fixes the return value of setup_journal(), but the fix has no practical effect.
2015-11-05 13:44:10 +01:00
} else if (r != -ENOENT)
return log_error_errno(r, "readlink(%s) failed: %m", p);
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
if (arg_link_journal == LINK_GUEST) {
if (symlink(q, p) < 0) {
nspawn: make journal linking non-fatal in try and auto modes Fixes #2091
2016-01-28 20:15:49 +01:00
if (try) {
treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28 19:29:59 +01:00
log_debug_errno(errno, "Failed to symlink %s to %s, skipping journal setup: %m", q, p);
nspawn: Add try-{host,guest} journal link modes --link-journal={host,guest} fail if the host does not have persistent journalling enabled and /var/log/journal/ does not exist. Even worse, as there is no stdout/err any more, there is no error message to point that out. Introduce two new modes "try-host" and "try-guest" which don't fail in this case, and instead just silently skip the guest journal setup. Change -j to mean "try-guest" instead of "guest", and fix the wrong --help output for it (it said "host" before). Change systemd-nspawn@.service.in to use "try-guest" so that this unit works with both persistent and non-persistent journals on the host without failing. https://bugs.debian.org/770275
2014-11-20 14:30:52 +01:00
return 0;
nspawn: simplify error returns Use the "return log_error_errno(...)" idiom to have fewer curly braces. The last hunk also fixes the return value of setup_journal(), but the fix has no practical effect.
2015-11-05 13:44:10 +01:00
} else
return log_error_errno(errno, "Failed to symlink %s to %s: %m", q, p);
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = userns_mkdir(directory, p, 0755, 0, 0);
nspawn: use automatic cleanup and provide debug info The documentation for --link-journal is also reworded.
2012-10-02 10:58:31 +02:00
if (r < 0)
treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.
2015-11-05 13:44:06 +01:00
log_warning_errno(r, "Failed to create directory %s: %m", q);
nspawn: use automatic cleanup and provide debug info The documentation for --link-journal is also reworded.
2012-10-02 10:58:31 +02:00
return 0;
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
}
if (arg_link_journal == LINK_HOST) {
tree-wide: use mdash instead of a two minuses
2016-04-22 04:57:06 +02:00
/* don't create parents here — if the host doesn't have
nspawn: Add try-{host,guest} journal link modes --link-journal={host,guest} fail if the host does not have persistent journalling enabled and /var/log/journal/ does not exist. Even worse, as there is no stdout/err any more, there is no error message to point that out. Introduce two new modes "try-host" and "try-guest" which don't fail in this case, and instead just silently skip the guest journal setup. Change -j to mean "try-guest" instead of "guest", and fix the wrong --help output for it (it said "host" before). Change systemd-nspawn@.service.in to use "try-guest" so that this unit works with both persistent and non-persistent journals on the host without failing. https://bugs.debian.org/770275
2014-11-20 14:30:52 +01:00
* permanent journal set up, don't force it here */
nspawn: make sure --link-journal=host may be used twice in a row Fixes #2186 This fixes fall-out from 574edc90066c3faeadcf4666928ed9b0ac409c75.
2016-01-28 20:24:28 +01:00
Add mkdir_errno_wrapper() and use instead of mkdir() in various places We'd pass pointers to mkdir and mkdir_label to call in various places. mkdir returns the error in errno while mkdir_label returns the error directly.
2017-12-15 17:08:13 +01:00
r = mkdir_errno_wrapper(p, 0755);
if (r < 0 && r != -EEXIST) {
nspawn: make journal linking non-fatal in try and auto modes Fixes #2091
2016-01-28 20:15:49 +01:00
if (try) {
Add mkdir_errno_wrapper() and use instead of mkdir() in various places We'd pass pointers to mkdir and mkdir_label to call in various places. mkdir returns the error in errno while mkdir_label returns the error directly.
2017-12-15 17:08:13 +01:00
log_debug_errno(r, "Failed to create %s, skipping journal setup: %m", p);
nspawn: Add try-{host,guest} journal link modes --link-journal={host,guest} fail if the host does not have persistent journalling enabled and /var/log/journal/ does not exist. Even worse, as there is no stdout/err any more, there is no error message to point that out. Introduce two new modes "try-host" and "try-guest" which don't fail in this case, and instead just silently skip the guest journal setup. Change -j to mean "try-guest" instead of "guest", and fix the wrong --help output for it (it said "host" before). Change systemd-nspawn@.service.in to use "try-guest" so that this unit works with both persistent and non-persistent journals on the host without failing. https://bugs.debian.org/770275
2014-11-20 14:30:52 +01:00
return 0;
nspawn: simplify error returns Use the "return log_error_errno(...)" idiom to have fewer curly braces. The last hunk also fixes the return value of setup_journal(), but the fix has no practical effect.
2015-11-05 13:44:10 +01:00
} else
Add mkdir_errno_wrapper() and use instead of mkdir() in various places We'd pass pointers to mkdir and mkdir_label to call in various places. mkdir returns the error in errno while mkdir_label returns the error directly.
2017-12-15 17:08:13 +01:00
return log_error_errno(r, "Failed to create %s: %m", p);
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
}
nspawn: use automatic cleanup and provide debug info The documentation for --link-journal is also reworded.
2012-10-02 10:58:31 +02:00
} else if (access(p, F_OK) < 0)
return 0;
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
nspawn: restore journal directory is empty check This undoes part of commit e6a4a517befe559adf6d1dbbadf425c3538849c9. Instead of removing the error message about non-empty journal bind mount directories, simply downgrade the message to a warning and proceed.
2014-05-22 08:19:46 +02:00
if (dir_is_empty(q) == 0)
log_warning("%s is not empty, proceeding anyway.", q);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = userns_mkdir(directory, p, 0755, 0, 0);
treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.
2015-11-05 13:44:06 +01:00
if (r < 0)
return log_error_errno(r, "Failed to create %s: %m", q);
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
r = mount_verbose(LOG_DEBUG, p, q, NULL, MS_BIND, NULL);
if (r < 0)
treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28 19:57:32 +01:00
return log_error_errno(errno, "Failed to bind mount journal from host into guest: %m");
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
nspawn: use automatic cleanup and provide debug info The documentation for --link-journal is also reworded.
2012-10-02 10:58:31 +02:00
return 0;
nspawn: introduce new --link-journal= switch to link container journals into host
2012-07-19 02:02:39 +02:00
}
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
static int drop_capabilities(void) {
nspawn: rename arg_retain to arg_caps_retain The argument is about capabilities.
2016-05-26 13:06:55 +02:00
return capability_bounding_set_drop(arg_caps_retain, false);
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
}
nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this
2014-02-12 02:52:39 +01:00
static int reset_audit_loginuid(void) {
_cleanup_free_ char *p = NULL;
int r;
nspawn: split down SYSTEMD_NSPAWN_SHARE_SYSTEM (#4023) This commit follows further on the deprecation path for --share-system, by splitting and gating each share-able namespace behind its own environment flag.
2016-08-26 00:08:26 +02:00
if ((arg_clone_ns_flags & CLONE_NEWPID) == 0)
nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this
2014-02-12 02:52:39 +01:00
return 0;
r = read_one_line_file("/proc/self/loginuid", &p);
nspawn: fix detection of missing /proc/self/loginuid Running 'systemd-nspawn -D /srv/Fedora/' gave me this error: Failed to read /proc/self/loginuid: No such file or directory Container Fedora failed with error code 1. This patch fixes the problem.
2014-02-25 16:19:35 +01:00
if (r == -ENOENT)
nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this
2014-02-12 02:52:39 +01:00
return 0;
treewide: yet more log_*_errno + return simplifications Using: find . -name '*.[ch]' | while read f; do perl -i.mmm -e \ 'local $/; local $_=<>; s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg; print;' $f done And a couple of manual whitespace fixups.
2014-11-28 18:50:43 +01:00
if (r < 0)
return log_error_errno(r, "Failed to read /proc/self/loginuid: %m");
nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this
2014-02-12 02:52:39 +01:00
/* Already reset? */
if (streq(p, "4294967295"))
return 0;
tree-wide: fix write_string_file() user that should not create files The latest consolidation cleanup of write_string_file() revealed some users of that helper which should have used write_string_file_no_create() in the past but didn't. Basically, all existing users that write to files in /sys and /proc should not expect to write to a file which is not yet existant.
2015-07-07 01:27:20 +02:00
r = write_string_file("/proc/self/loginuid", "4294967295", 0);
nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this
2014-02-12 02:52:39 +01:00
if (r < 0) {
tree-wide: get rid of more strerror() calls
2015-04-21 18:05:44 +02:00
log_error_errno(r,
"Failed to reset audit login UID. This probably means that your kernel is too\n"
"old and you have audit enabled. Note that the auditing subsystem is known to\n"
"be incompatible with containers on old kernels. Please make sure to upgrade\n"
"your kernel or to off auditing with 'audit=0' on the kernel command line before\n"
"using systemd-nspawn. Sleeping for 5s... (%m)");
audit: since audit is apparently never going to be fixed for containers tell the user what's going on Let's try to be helpful to the user and give him a hint what he can do to make nspawn work with normal OS containers. https://bugzilla.redhat.com/show_bug.cgi?id=893751
2013-05-10 00:14:12 +02:00
nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this
2014-02-12 02:52:39 +01:00
sleep(5);
audit: since audit is apparently never going to be fixed for containers tell the user what's going on Let's try to be helpful to the user and give him a hint what he can do to make nspawn work with normal OS containers. https://bugzilla.redhat.com/show_bug.cgi?id=893751
2013-05-10 00:14:12 +02:00
}
nspawn: newer kernels (>= 3.14) allow resetting the audit loginuid, make use of this
2014-02-12 02:52:39 +01:00
return 0;
audit: since audit is apparently never going to be fixed for containers tell the user what's going on Let's try to be helpful to the user and give him a hint what he can do to make nspawn work with normal OS containers. https://bugzilla.redhat.com/show_bug.cgi?id=893751
2013-05-10 00:14:12 +02:00
}
nspawn: make socket(AF_NETLINK, *, NETLINK_AUDIT) fail with EAFNOTSUPPORT in containers The kernel still doesn't support audit in containers, so let's make use of seccomp and simply turn it off entirely. We can get rid of this big as soon as the kernel is fixed again.
2014-02-13 20:30:02 +01:00
machinectl: implement "bind" command to create additional bind mounts from host to container during runtime
2014-12-17 21:51:45 +01:00
static int setup_propagate(const char *root) {
const char *p, *q;
treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.
2015-11-05 13:44:06 +01:00
int r;
machinectl: implement "bind" command to create additional bind mounts from host to container during runtime
2014-12-17 21:51:45 +01:00
(void) mkdir_p("/run/systemd/nspawn/", 0755);
(void) mkdir_p("/run/systemd/nspawn/propagate", 0600);
util: rework strappenda(), and rename it strjoina() After all it is now much more like strjoin() than strappend(). At the same time, add support for NULL sentinels, even if they are normally not necessary.
2015-02-03 02:05:59 +01:00
p = strjoina("/run/systemd/nspawn/propagate/", arg_machine);
machinectl: implement "bind" command to create additional bind mounts from host to container during runtime
2014-12-17 21:51:45 +01:00
(void) mkdir_p(p, 0600);
treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.
2015-11-05 13:44:06 +01:00
r = userns_mkdir(root, "/run/systemd", 0755, 0, 0);
if (r < 0)
return log_error_errno(r, "Failed to create /run/systemd: %m");
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.
2015-11-05 13:44:06 +01:00
r = userns_mkdir(root, "/run/systemd/nspawn", 0755, 0, 0);
if (r < 0)
return log_error_errno(r, "Failed to create /run/systemd/nspawn: %m");
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.
2015-11-05 13:44:06 +01:00
r = userns_mkdir(root, "/run/systemd/nspawn/incoming", 0600, 0, 0);
if (r < 0)
return log_error_errno(r, "Failed to create /run/systemd/nspawn/incoming: %m");
machinectl: implement "bind" command to create additional bind mounts from host to container during runtime
2014-12-17 21:51:45 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
q = prefix_roota(root, "/run/systemd/nspawn/incoming");
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
r = mount_verbose(LOG_ERR, p, q, NULL, MS_BIND, NULL);
if (r < 0)
return r;
machinectl: implement "bind" command to create additional bind mounts from host to container during runtime
2014-12-17 21:51:45 +01:00
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
r = mount_verbose(LOG_ERR, NULL, q, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL);
if (r < 0)
return r;
machinectl: implement "bind" command to create additional bind mounts from host to container during runtime
2014-12-17 21:51:45 +01:00
nspawn: set shared propagation mode for the container
2016-10-01 10:58:56 +02:00
/* machined will MS_MOVE into that directory, and that's only
* supported for non-shared mounts. */
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
return mount_verbose(LOG_ERR, NULL, q, NULL, MS_SLAVE, NULL);
machinectl: implement "bind" command to create additional bind mounts from host to container during runtime
2014-12-17 21:51:45 +01:00
}
nspawn: rework /etc/machine-id handling With this change we'll no longer write to /etc/machine-id from nspawn, as that breaks the --volatile= operation, as it ensures the image is never considered in "first boot", since that's bound to the pre-existance of /etc/machine-id. The new logic works like this: - If /etc/machine-id already exists in the container, it is read by nspawn and exposed in "machinectl status" and friends. - If the file doesn't exist yet, but --uuid= is passed on the nspawn cmdline, this UUID is passed in $container_uuid to PID 1, and PID 1 is then expected to persist this to /etc/machine-id for future boots (which systemd already does). - If the file doesn#t exist yet, and no --uuid= is passed a random UUID is generated and passed via $container_uuid. The result is that /etc/machine-id is never initialized by nspawn itself, thus unbreaking the volatile mode. However still the machine ID configured in the machine always matches nspawn's and thus machined's idea of it. Fixes: #3611
2016-07-21 18:53:40 +02:00
static int setup_machine_id(const char *directory) {
nspawn: rework machine/boot ID handling code to use new calls from id128-util.[ch]
2016-07-21 18:01:55 +02:00
const char *etc_machine_id;
sd_id128_t id;
tree-wide: use sd_id128_is_null() instead of sd_id128_equal where appropriate It's a bit easier to read because shorter. Also, most likely a tiny bit faster.
2016-07-21 16:06:31 +02:00
int r;
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
nspawn: rework /etc/machine-id handling With this change we'll no longer write to /etc/machine-id from nspawn, as that breaks the --volatile= operation, as it ensures the image is never considered in "first boot", since that's bound to the pre-existance of /etc/machine-id. The new logic works like this: - If /etc/machine-id already exists in the container, it is read by nspawn and exposed in "machinectl status" and friends. - If the file doesn't exist yet, but --uuid= is passed on the nspawn cmdline, this UUID is passed in $container_uuid to PID 1, and PID 1 is then expected to persist this to /etc/machine-id for future boots (which systemd already does). - If the file doesn#t exist yet, and no --uuid= is passed a random UUID is generated and passed via $container_uuid. The result is that /etc/machine-id is never initialized by nspawn itself, thus unbreaking the volatile mode. However still the machine ID configured in the machine always matches nspawn's and thus machined's idea of it. Fixes: #3611
2016-07-21 18:53:40 +02:00
/* If the UUID in the container is already set, then that's what counts, and we use. If it isn't set, and the
* caller passed --uuid=, then we'll pass it in the $container_uuid env var to PID 1 of the container. The
* assumption is that PID 1 will then write it to /etc/machine-id to make it persistent. If --uuid= is not
* passed we generate a random UUID, and pass it via $container_uuid. In effect this means that /etc/machine-id
* in the container and our idea of the container UUID will always be in sync (at least if PID 1 in the
* container behaves nicely). */
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
etc_machine_id = prefix_roota(directory, "/etc/machine-id");
nspawn: rework machine/boot ID handling code to use new calls from id128-util.[ch]
2016-07-21 18:01:55 +02:00
r = id128_read(etc_machine_id, ID128_PLAIN, &id);
nspawn: rework /etc/machine-id handling With this change we'll no longer write to /etc/machine-id from nspawn, as that breaks the --volatile= operation, as it ensures the image is never considered in "first boot", since that's bound to the pre-existance of /etc/machine-id. The new logic works like this: - If /etc/machine-id already exists in the container, it is read by nspawn and exposed in "machinectl status" and friends. - If the file doesn't exist yet, but --uuid= is passed on the nspawn cmdline, this UUID is passed in $container_uuid to PID 1, and PID 1 is then expected to persist this to /etc/machine-id for future boots (which systemd already does). - If the file doesn#t exist yet, and no --uuid= is passed a random UUID is generated and passed via $container_uuid. The result is that /etc/machine-id is never initialized by nspawn itself, thus unbreaking the volatile mode. However still the machine ID configured in the machine always matches nspawn's and thus machined's idea of it. Fixes: #3611
2016-07-21 18:53:40 +02:00
if (r < 0) {
if (!IN_SET(r, -ENOENT, -ENOMEDIUM)) /* If the file is missing or empty, we don't mind */
return log_error_errno(r, "Failed to read machine ID from container image: %m");
nspawn: rework machine/boot ID handling code to use new calls from id128-util.[ch]
2016-07-21 18:01:55 +02:00
nspawn: rework /etc/machine-id handling With this change we'll no longer write to /etc/machine-id from nspawn, as that breaks the --volatile= operation, as it ensures the image is never considered in "first boot", since that's bound to the pre-existance of /etc/machine-id. The new logic works like this: - If /etc/machine-id already exists in the container, it is read by nspawn and exposed in "machinectl status" and friends. - If the file doesn't exist yet, but --uuid= is passed on the nspawn cmdline, this UUID is passed in $container_uuid to PID 1, and PID 1 is then expected to persist this to /etc/machine-id for future boots (which systemd already does). - If the file doesn#t exist yet, and no --uuid= is passed a random UUID is generated and passed via $container_uuid. The result is that /etc/machine-id is never initialized by nspawn itself, thus unbreaking the volatile mode. However still the machine ID configured in the machine always matches nspawn's and thus machined's idea of it. Fixes: #3611
2016-07-21 18:53:40 +02:00
if (sd_id128_is_null(arg_uuid)) {
r = sd_id128_randomize(&arg_uuid);
if (r < 0)
return log_error_errno(r, "Failed to acquire randomized machine UUID: %m");
}
} else {
if (sd_id128_is_null(id)) {
log_error("Machine ID in container image is zero, refusing.");
return -EINVAL;
}
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
nspawn: rework /etc/machine-id handling With this change we'll no longer write to /etc/machine-id from nspawn, as that breaks the --volatile= operation, as it ensures the image is never considered in "first boot", since that's bound to the pre-existance of /etc/machine-id. The new logic works like this: - If /etc/machine-id already exists in the container, it is read by nspawn and exposed in "machinectl status" and friends. - If the file doesn't exist yet, but --uuid= is passed on the nspawn cmdline, this UUID is passed in $container_uuid to PID 1, and PID 1 is then expected to persist this to /etc/machine-id for future boots (which systemd already does). - If the file doesn#t exist yet, and no --uuid= is passed a random UUID is generated and passed via $container_uuid. The result is that /etc/machine-id is never initialized by nspawn itself, thus unbreaking the volatile mode. However still the machine ID configured in the machine always matches nspawn's and thus machined's idea of it. Fixes: #3611
2016-07-21 18:53:40 +02:00
arg_uuid = id;
}
nspawn: rework machine/boot ID handling code to use new calls from id128-util.[ch]
2016-07-21 18:01:55 +02:00
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
return 0;
}
nspawn: optionally fix up OS tree uid/gids for userns This adds a new --private-userns-chown switch that may be used in combination with --private-userns. If it is passed a recursive chmod() operation is run on the OS tree, fixing all file owner UID/GIDs to the right ranges. This should make user namespacing pretty workable, as the OS trees don't need to be prepared manually anymore.
2016-04-20 22:53:39 +02:00
static int recursive_chown(const char *directory, uid_t shift, uid_t range) {
int r;
assert(directory);
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
if (arg_userns_mode == USER_NAMESPACE_NO || !arg_userns_chown)
nspawn: optionally fix up OS tree uid/gids for userns This adds a new --private-userns-chown switch that may be used in combination with --private-userns. If it is passed a recursive chmod() operation is run on the OS tree, fixing all file owner UID/GIDs to the right ranges. This should make user namespacing pretty workable, as the OS trees don't need to be prepared manually anymore.
2016-04-20 22:53:39 +02:00
return 0;
r = path_patch_uid(directory, arg_uid_shift, arg_uid_range);
if (r == -EOPNOTSUPP)
return log_error_errno(r, "Automatic UID/GID adjusting is only supported for UID/GID ranges starting at multiples of 2^16 with a range of 2^16.");
if (r == -EBADE)
return log_error_errno(r, "Upper 16 bits of root directory UID and GID do not match.");
if (r < 0)
return log_error_errno(r, "Failed to adjust UID/GID shift of OS tree: %m");
if (r == 0)
log_debug("Root directory of image is already owned by the right UID/GID range, skipping recursive chown operation.");
else
log_debug("Patched directory tree to match UID/GID range.");
return r;
}
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
/*
nspawn: Fix regression with exit status Commit 113cea8 introduced a bug that caused the exit code of systemd-nspawn to not reflect the exit code of the program executed in the container.
2014-06-30 02:18:02 +02:00
* Return values:
* < 0 : wait_for_terminate() failed to get the state of the
* container, the container was terminated by a signal, or
* failed for an unknown reason. No change is made to the
* container argument.
* > 0 : The program executed in the container terminated with an
* error. The exit code of the program executed in the
units: don't order journal flushing afte remote-fs.target Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.
2014-10-31 16:22:36 +01:00
* container is returned. The container argument has been set
* to CONTAINER_TERMINATED.
nspawn: Fix regression with exit status Commit 113cea8 introduced a bug that caused the exit code of systemd-nspawn to not reflect the exit code of the program executed in the container.
2014-06-30 02:18:02 +02:00
* 0 : The container is being rebooted, has been shut down or exited
* successfully. The container argument has been set to either
* CONTAINER_TERMINATED or CONTAINER_REBOOTED.
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
*
nspawn: Fix regression with exit status Commit 113cea8 introduced a bug that caused the exit code of systemd-nspawn to not reflect the exit code of the program executed in the container.
2014-06-30 02:18:02 +02:00
* That is, success is indicated by a return value of zero, and an
* error is indicated by a non-zero value.
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
*/
static int wait_for_container(pid_t pid, ContainerStatus *container) {
siginfo_t status;
units: don't order journal flushing afte remote-fs.target Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.
2014-10-31 16:22:36 +01:00
int r;
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
r = wait_for_terminate(pid, &status);
treewide: yet more log_*_errno + return simplifications Using: find . -name '*.[ch]' | while read f; do perl -i.mmm -e \ 'local $/; local $_=<>; s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg; print;' $f done And a couple of manual whitespace fixups.
2014-11-28 18:50:43 +01:00
if (r < 0)
return log_warning_errno(r, "Failed to wait for container: %m");
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
switch (status.si_code) {
nspawn: don't make up -1 as error code
2014-10-30 20:53:23 +01:00
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
case CLD_EXITED:
nspawn: remove unreachable return statement (#3320)
2016-05-22 13:02:41 +02:00
if (status.si_status == 0)
units: don't order journal flushing afte remote-fs.target Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.
2014-10-31 16:22:36 +01:00
log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s exited successfully.", arg_machine);
nspawn: remove unreachable return statement (#3320)
2016-05-22 13:02:41 +02:00
else
units: don't order journal flushing afte remote-fs.target Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.
2014-10-31 16:22:36 +01:00
log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s failed with error code %i.", arg_machine, status.si_status);
nspawn: don't make up -1 as error code
2014-10-30 20:53:23 +01:00
units: don't order journal flushing afte remote-fs.target Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.
2014-10-31 16:22:36 +01:00
*container = CONTAINER_TERMINATED;
return status.si_status;
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
case CLD_KILLED:
if (status.si_status == SIGINT) {
units: don't order journal flushing afte remote-fs.target Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.
2014-10-31 16:22:36 +01:00
log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s has been shut down.", arg_machine);
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
*container = CONTAINER_TERMINATED;
units: don't order journal flushing afte remote-fs.target Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.
2014-10-31 16:22:36 +01:00
return 0;
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
} else if (status.si_status == SIGHUP) {
units: don't order journal flushing afte remote-fs.target Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.
2014-10-31 16:22:36 +01:00
log_full(arg_quiet ? LOG_DEBUG : LOG_INFO, "Container %s is being rebooted.", arg_machine);
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
*container = CONTAINER_REBOOTED;
units: don't order journal flushing afte remote-fs.target Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.
2014-10-31 16:22:36 +01:00
return 0;
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
}
units: don't order journal flushing afte remote-fs.target Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.
2014-10-31 16:22:36 +01:00
tree-wide: adjust fall through comments so that gcc is happy Distcc removes comments, making the comment silencing not work. I know there was a decision against a macro in commit ec251fe7d5bc24b5d38b0853bc5969f3a0ba06e2
2017-11-19 19:06:10 +01:00
_fallthrough_;
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
case CLD_DUMPED:
nspawn: don't make up -1 as error code
2014-10-30 20:53:23 +01:00
log_error("Container %s terminated by signal %s.", arg_machine, signal_to_string(status.si_status));
units: don't order journal flushing afte remote-fs.target Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.
2014-10-31 16:22:36 +01:00
return -EIO;
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
default:
nspawn: don't make up -1 as error code
2014-10-30 20:53:23 +01:00
log_error("Container %s failed due to unknown reason.", arg_machine);
units: don't order journal flushing afte remote-fs.target Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.
2014-10-31 16:22:36 +01:00
return -EIO;
nspawn: move container wait logic into wait_for_container() Move the container wait logic into its own wait_for_container() function and add two status codes: CONTAINER_TERMINATED or CONTAINER_REBOOTED. The status will be stored in its argument, this way we handle: a) Return negative on failures. b) Return zero on success and set the status to either CONTAINER_REBOOTED or CONTAINER_TERMINATED. These status codes are used to terminate nspawn or loop again in case of CONTAINER_REBOOTED.
2014-05-24 15:58:54 +02:00
}
}
ptyforward: rework PTY forwarder logic used by nspawn to utilize the normal event loop We really should not run manual event loops anymore, but standardize on sd_event, so that we can run sd_bus connections from it eventually.
2014-10-31 16:54:11 +01:00
static int on_orderly_shutdown(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) {
pid_t pid;
tree-wide: use right cast macros for UIDs, GIDs and PIDs
2015-11-17 00:00:32 +01:00
pid = PTR_TO_PID(userdata);
ptyforward: rework PTY forwarder logic used by nspawn to utilize the normal event loop We really should not run manual event loops anymore, but standardize on sd_event, so that we can run sd_bus connections from it eventually.
2014-10-31 16:54:11 +01:00
if (pid > 0) {
nspawn: make kill signal to use for PID 1 configurable
2015-02-25 22:04:48 +01:00
if (kill(pid, arg_kill_signal) >= 0) {
ptyforward: rework PTY forwarder logic used by nspawn to utilize the normal event loop We really should not run manual event loops anymore, but standardize on sd_event, so that we can run sd_bus connections from it eventually.
2014-10-31 16:54:11 +01:00
log_info("Trying to halt container. Send SIGTERM again to trigger immediate termination.");
sd_event_source_set_userdata(s, NULL);
return 0;
}
}
sd_event_exit(sd_event_source_get_event(s), 0);
return 0;
}
nspawn: when getting SIGCHLD make sure it's from the first child (#4855) When getting SIGCHLD we should not assume that it was the first child forked from system-nspawn that has died as it may also be coming from an orphan process. This change adds a signal handler that ignores SIGCHLD unless it came from the first containerized child - the real child. Before this change the problem can be reproduced as follows: $ sudo systemd-nspawn --directory=/container-root --share-system Press ^] three times within 1s to kill container. [root@andreyu-coreos ~]# { true & } & [1] 22201 [root@andreyu-coreos ~]# Container root-fedora-latest terminated by signal KILL
2016-12-13 02:38:18 +01:00
static int on_sigchld(sd_event_source *s, const struct signalfd_siginfo *ssi, void *userdata) {
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
pid_t pid;
assert(s);
assert(ssi);
pid = PTR_TO_PID(userdata);
nspawn: when getting SIGCHLD make sure it's from the first child (#4855) When getting SIGCHLD we should not assume that it was the first child forked from system-nspawn that has died as it may also be coming from an orphan process. This change adds a signal handler that ignores SIGCHLD unless it came from the first containerized child - the real child. Before this change the problem can be reproduced as follows: $ sudo systemd-nspawn --directory=/container-root --share-system Press ^] three times within 1s to kill container. [root@andreyu-coreos ~]# { true & } & [1] 22201 [root@andreyu-coreos ~]# Container root-fedora-latest terminated by signal KILL
2016-12-13 02:38:18 +01:00
for (;;) {
siginfo_t si = {};
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
nspawn: when getting SIGCHLD make sure it's from the first child (#4855) When getting SIGCHLD we should not assume that it was the first child forked from system-nspawn that has died as it may also be coming from an orphan process. This change adds a signal handler that ignores SIGCHLD unless it came from the first containerized child - the real child. Before this change the problem can be reproduced as follows: $ sudo systemd-nspawn --directory=/container-root --share-system Press ^] three times within 1s to kill container. [root@andreyu-coreos ~]# { true & } & [1] 22201 [root@andreyu-coreos ~]# Container root-fedora-latest terminated by signal KILL
2016-12-13 02:38:18 +01:00
if (waitid(P_ALL, 0, &si, WNOHANG|WNOWAIT|WEXITED) < 0)
return log_error_errno(errno, "Failed to waitid(): %m");
if (si.si_pid == 0) /* No pending children. */
break;
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
if (si.si_pid == pid) {
nspawn: when getting SIGCHLD make sure it's from the first child (#4855) When getting SIGCHLD we should not assume that it was the first child forked from system-nspawn that has died as it may also be coming from an orphan process. This change adds a signal handler that ignores SIGCHLD unless it came from the first containerized child - the real child. Before this change the problem can be reproduced as follows: $ sudo systemd-nspawn --directory=/container-root --share-system Press ^] three times within 1s to kill container. [root@andreyu-coreos ~]# { true & } & [1] 22201 [root@andreyu-coreos ~]# Container root-fedora-latest terminated by signal KILL
2016-12-13 02:38:18 +01:00
/* The main process we care for has exited. Return from
* signal handler but leave the zombie. */
sd_event_exit(sd_event_source_get_event(s), 0);
break;
}
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
nspawn: when getting SIGCHLD make sure it's from the first child (#4855) When getting SIGCHLD we should not assume that it was the first child forked from system-nspawn that has died as it may also be coming from an orphan process. This change adds a signal handler that ignores SIGCHLD unless it came from the first containerized child - the real child. Before this change the problem can be reproduced as follows: $ sudo systemd-nspawn --directory=/container-root --share-system Press ^] three times within 1s to kill container. [root@andreyu-coreos ~]# { true & } & [1] 22201 [root@andreyu-coreos ~]# Container root-fedora-latest terminated by signal KILL
2016-12-13 02:38:18 +01:00
/* Reap all other children. */
(void) waitid(P_PID, si.si_pid, &si, WNOHANG|WEXITED);
}
return 0;
}
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
static int on_request_stop(sd_bus_message *m, void *userdata, sd_bus_error *error) {
pid_t pid;
assert(m);
pid = PTR_TO_PID(userdata);
if (arg_kill_signal > 0) {
log_info("Container termination requested. Attempting to halt container.");
(void) kill(pid, arg_kill_signal);
} else {
log_info("Container termination requested. Exiting.");
sd_event_exit(sd_bus_get_event(sd_bus_message_get_bus(m)), 0);
}
return 0;
}
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
static int determine_names(void) {
nspawn: use the same image discovery logic in nspawn as in machined
2014-12-27 02:07:29 +01:00
int r;
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
nspawn: make sure --template= and --machine= my be combined Fixes #1018. Based on a patch from Seth Jennings.
2015-08-25 20:26:51 +02:00
if (arg_template && !arg_directory && arg_machine) {
/* If --template= was specified then we should not
* search for a machine, but instead create a new one
* in /var/lib/machine. */
tree-wide: drop NULL sentinel from strjoin This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
2016-10-23 17:43:27 +02:00
arg_directory = strjoin("/var/lib/machines/", arg_machine);
nspawn: make sure --template= and --machine= my be combined Fixes #1018. Based on a patch from Seth Jennings.
2015-08-25 20:26:51 +02:00
if (!arg_directory)
return log_oom();
}
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
if (!arg_image && !arg_directory) {
nspawn: use the same image discovery logic in nspawn as in machined
2014-12-27 02:07:29 +01:00
if (arg_machine) {
_cleanup_(image_unrefp) Image *i = NULL;
r = image_find(arg_machine, &i);
if (r < 0)
return log_error_errno(r, "Failed to find image for machine '%s': %m", arg_machine);
nspawn: support ephemeral boots from images Previously --ephemeral was only supported with container trees in btrfs subvolumes (i.e. in combination with --directory=). This adds support for --ephemeral in conjunction with disk images (i.e. --image=) too. As side effect this fixes that --ephemeral was accepted but ignored when using -M on a container that turned out to be an image. Fixes: #4664
2016-11-18 18:38:06 +01:00
if (r == 0) {
tree-wide: fix incorrect uses of %m In those cases errno was not set, so we would be logging some unrelated error or "Success".
2017-05-13 17:24:37 +02:00
log_error("No image for machine '%s'.", arg_machine);
nspawn: use the same image discovery logic in nspawn as in machined
2014-12-27 02:07:29 +01:00
return -ENOENT;
}
machine-image: add partial discovery of block devices as images This adds some basic discovery of block device images for nspawn and friends. Note that this doesn't add searching for block devices using udev, but instead expects users to symlink relevant block devices into /var/lib/machines. Discovery is hence done exactly like for dir/subvol/raw file images, except that what is found may be a (symlink to) a block device. For now, we do not support cloning these images, but removal, renaming and read-only flags are supported to the point where that makes sense. Fixe: #6990
2017-10-04 17:36:58 +02:00
if (IN_SET(i->type, IMAGE_RAW, IMAGE_BLOCK))
path-util: unify how we process paths specified on the command line Let's introduce a common function that makes relative paths absolute and warns about any errors while doing so.
2015-10-22 19:54:29 +02:00
r = free_and_strdup(&arg_image, i->path);
nspawn: use the same image discovery logic in nspawn as in machined
2014-12-27 02:07:29 +01:00
else
path-util: unify how we process paths specified on the command line Let's introduce a common function that makes relative paths absolute and warns about any errors while doing so.
2015-10-22 19:54:29 +02:00
r = free_and_strdup(&arg_directory, i->path);
nspawn: use the same image discovery logic in nspawn as in machined
2014-12-27 02:07:29 +01:00
if (r < 0)
nspawn: support ephemeral boots from images Previously --ephemeral was only supported with container trees in btrfs subvolumes (i.e. in combination with --directory=). This adds support for --ephemeral in conjunction with disk images (i.e. --image=) too. As side effect this fixes that --ephemeral was accepted but ignored when using -M on a container that turned out to be an image. Fixes: #4664
2016-11-18 18:38:06 +01:00
return log_oom();
nspawn: use the same image discovery logic in nspawn as in machined
2014-12-27 02:07:29 +01:00
nspawn: don't inherit read-only flag from disk image if --ephemeral is used When --ephemeral is used there's no need to keep the image read-only, so let's not do that then.
2015-04-22 16:56:51 +02:00
if (!arg_ephemeral)
arg_read_only = arg_read_only || i->read_only;
tree-wide: port all code to use safe_getcwd()
2018-01-17 11:17:38 +01:00
} else {
r = safe_getcwd(&arg_directory);
if (r < 0)
return log_error_errno(r, "Failed to determine current directory: %m");
}
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
nspawn: support ephemeral boots from images Previously --ephemeral was only supported with container trees in btrfs subvolumes (i.e. in combination with --directory=). This adds support for --ephemeral in conjunction with disk images (i.e. --image=) too. As side effect this fixes that --ephemeral was accepted but ignored when using -M on a container that turned out to be an image. Fixes: #4664
2016-11-18 18:38:06 +01:00
if (!arg_directory && !arg_image) {
nspawn: use the same image discovery logic in nspawn as in machined
2014-12-27 02:07:29 +01:00
log_error("Failed to determine path, please use -D or -i.");
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
return -EINVAL;
}
}
if (!arg_machine) {
nspawn: when generating a machine name from an image name, truncate .raw suffix Let's prettify the machine name we generate for image-based containers: let's chop off the .raw suffix before using it as machine name.
2016-12-07 17:42:40 +01:00
nspawn: when booting in ephemeral mode, append random token to machine name Also, when booting up an ephemeral container of / use the system hostname as default machine name. This way specifiyng -M is unnecessary when booting up an ephemeral container, while allowing any number of ephemeral containers to run from the same tree.
2014-12-12 17:26:31 +01:00
if (arg_directory && path_equal(arg_directory, "/"))
arg_machine = gethostname_malloc();
nspawn: when generating a machine name from an image name, truncate .raw suffix Let's prettify the machine name we generate for image-based containers: let's chop off the .raw suffix before using it as machine name.
2016-12-07 17:42:40 +01:00
else {
if (arg_image) {
char *e;
arg_machine = strdup(basename(arg_image));
/* Truncate suffix if there is one */
e = endswith(arg_machine, ".raw");
if (e)
*e = 0;
} else
arg_machine = strdup(basename(arg_directory));
}
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
if (!arg_machine)
return log_oom();
hostname-util: get rid of unused parameter of hostname_cleanup() All users are now setting lowercase=false.
2015-07-28 04:36:36 +02:00
hostname_cleanup(arg_machine);
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
if (!machine_name_is_valid(arg_machine)) {
log_error("Failed to determine machine name automatically, please use -M.");
return -EINVAL;
}
nspawn: when booting in ephemeral mode, append random token to machine name Also, when booting up an ephemeral container of / use the system hostname as default machine name. This way specifiyng -M is unnecessary when booting up an ephemeral container, while allowing any number of ephemeral containers to run from the same tree.
2014-12-12 17:26:31 +01:00
if (arg_ephemeral) {
char *b;
/* Add a random suffix when this is an
* ephemeral machine, so that we can run many
* instances at once without manually having
* to specify -M each time. */
if (asprintf(&b, "%s-%016" PRIx64, arg_machine, random_u64()) < 0)
return log_oom();
free(arg_machine);
arg_machine = b;
}
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
}
return 0;
}
nspawn: make use of CHASE_NON_EXISTING when locking image If --template= is used on an image, then the image might not exist initially. We can use CHASE_NON_EXISTING to properly lock the image already before it exists. Let's do so.
2016-11-29 18:16:43 +01:00
static int chase_symlinks_and_update(char **p, unsigned flags) {
nspawn: properly handle image/directory paths that are symlinks This resolves any paths specified on --directory=, --template=, and --image= before using them. This makes sure nspawn can be used correctly on symlinked images and directory trees. Fixes: #2001
2016-11-24 21:03:36 +01:00
char *chased;
int r;
assert(p);
if (!*p)
return 0;
nspawn: make use of CHASE_NON_EXISTING when locking image If --template= is used on an image, then the image might not exist initially. We can use CHASE_NON_EXISTING to properly lock the image already before it exists. Let's do so.
2016-11-29 18:16:43 +01:00
r = chase_symlinks(*p, NULL, flags, &chased);
nspawn: properly handle image/directory paths that are symlinks This resolves any paths specified on --directory=, --template=, and --image= before using them. This makes sure nspawn can be used correctly on symlinked images and directory trees. Fixes: #2001
2016-11-24 21:03:36 +01:00
if (r < 0)
return log_error_errno(r, "Failed to resolve path %s: %m", *p);
nspawn: make sure we don't leak the fd in chase_symlinks_and_update No callers use CHASE_OPEN right now, but let's be defensive.
2018-02-15 10:18:25 +01:00
free_and_replace(*p, chased);
return r; /* r might be an fd here in case we ever use CHASE_OPEN in flags */
nspawn: properly handle image/directory paths that are symlinks This resolves any paths specified on --directory=, --template=, and --image= before using them. This makes sure nspawn can be used correctly on symlinked images and directory trees. Fixes: #2001
2016-11-24 21:03:36 +01:00
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
static int determine_uid_shift(const char *directory) {
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
int r;
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
if (arg_userns_mode == USER_NAMESPACE_NO) {
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
arg_uid_shift = 0;
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
return 0;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
}
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
if (arg_uid_shift == UID_INVALID) {
struct stat st;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = stat(directory, &st);
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
if (r < 0)
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
return log_error_errno(errno, "Failed to determine UID base of %s: %m", directory);
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
arg_uid_shift = st.st_uid & UINT32_C(0xffff0000);
if (arg_uid_shift != (st.st_gid & UINT32_C(0xffff0000))) {
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
log_error("UID and GID base of %s don't match.", directory);
nspawn: add basic user namespacing support (This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-19 11:30:18 +01:00
return -EINVAL;
}
arg_uid_range = UINT32_C(0x10000);
}
if (arg_uid_shift > (uid_t) -1 - arg_uid_range) {
log_error("UID base too high for UID range.");
return -EINVAL;
}
return 0;
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
static int inner_child(
Barrier *barrier,
const char *directory,
bool secondary,
int kmsg_socket,
int rtnl_socket,
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
FDSet *fds) {
nspawn: add new --network-veth switch to add a virtual ethernet link to the host
2014-02-13 18:47:20 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
_cleanup_free_ char *home = NULL;
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
char as_uuid[37];
nspawn: support custom container service name We were hardcoding "systemd-nspawn" as the value of the $container env variable and "nspawn" as the service string in machined registration. This commit allows the user to configure it by setting the $SYSTEMD_NSPAWN_CONTAINER_SERVICE env variable when calling systemd-nspawn. If $SYSTEMD_NSPAWN_CONTAINER_SERVICE is not set, we use the string "systemd-nspawn" for both, fixing the previous inconsistency.
2015-11-09 11:32:34 +01:00
unsigned n_env = 1;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
const char *envp[] = {
"PATH=" DEFAULT_PATH_SPLIT_USR,
nspawn: support custom container service name We were hardcoding "systemd-nspawn" as the value of the $container env variable and "nspawn" as the service string in machined registration. This commit allows the user to configure it by setting the $SYSTEMD_NSPAWN_CONTAINER_SERVICE env variable when calling systemd-nspawn. If $SYSTEMD_NSPAWN_CONTAINER_SERVICE is not set, we use the string "systemd-nspawn" for both, fixing the previous inconsistency.
2015-11-09 11:32:34 +01:00
NULL, /* container */
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
NULL, /* TERM */
NULL, /* HOME */
NULL, /* USER */
NULL, /* LOGNAME */
NULL, /* container_uuid */
NULL, /* LISTEN_FDS */
NULL, /* LISTEN_PID */
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
NULL, /* NOTIFY_SOCKET */
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
NULL
};
nspawn: Print attempted execv() path on failure (#5199) The failure message is typically currently: execv() failed: No such file or directory which is not very useful because it doesn’t tell you which file or directory it was trying to exec.
2017-02-01 14:36:16 +01:00
const char *exec_target;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
nspawn: avoid memleak Simplify the code a bit, at the cost of potentially duplicating some memory unneccessarily. Fixes CID 1299641.
2015-05-25 22:55:52 +02:00
_cleanup_strv_free_ char **env_use = NULL;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
int r;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
assert(barrier);
assert(directory);
assert(kmsg_socket >= 0);
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
if (arg_userns_mode != USER_NAMESPACE_NO) {
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* Tell the parent, that it now can write the UID map. */
(void) barrier_place(barrier); /* #1 */
nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.
2013-04-16 04:36:06 +02:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* Wait until the parent wrote the UID map */
if (!barrier_place_and_sync(barrier)) { /* #2 */
log_error("Parent died too early");
return -ESRCH;
}
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
}
nspawn: become a new root early https://github.com/torvalds/linux/commit/036d523641c66bef713042894a17f4335f199e49 > vfs: Don't create inodes with a uid or gid unknown to the vfs It is expected that filesystems can not represent uids and gids from outside of their user namespace. Keep things simple by not even trying to create filesystem nodes with non-sense uids and gids. So, we actually should `reset_uid_gid` early to prevent https://github.com/systemd/systemd/pull/4223#issuecomment-252522955 $ sudo UNIFIED_CGROUP_HIERARCHY=no LD_LIBRARY_PATH=.libs .libs/systemd-nspawn -D /var/lib/machines/fedora-rawhide -U -b systemd.unit=multi-user.target Spawning container fedora-rawhide on /var/lib/machines/fedora-rawhide. Press ^] three times within 1s to kill container. Child died too early. Selected user namespace base 1073283072 and range 65536. Failed to mount to /sys/fs/cgroup/systemd: No such file or directory Details: https://github.com/systemd/systemd/pull/4223#issuecomment-253046519 Fixes: #4352
2016-10-20 11:05:46 +02:00
r = reset_uid_gid();
if (r < 0)
return log_error_errno(r, "Couldn't become new root: %m");
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
r = mount_all(NULL,
nspawn: R/W support for /sys, and /proc/sys This commit adds the possibility to leave /sys, and /proc/sys read-write. It introduces a new (undocumented) env var SYSTEMD_NSPAWN_API_VFS_WRITABLE to enable this feature. If set to "yes", /sys, and /proc/sys will be read-write. If set to "no", /sys, and /proc/sys will be read-only. If set to "network" /proc/sys/net will be read-write. This is useful in use-cases, where systemd-nspawn is used in an external network namespace. This adds the possibility to start privileged containers which need more control over settings in the /proc, and /sys filesystem. This is also a follow-up on the discussion from https://github.com/systemd/systemd/pull/4018#r76971862 where an introduction of a simple env var to enable R/W support for those directories was already discussed.
2016-10-14 14:00:15 +02:00
arg_mount_settings | MOUNT_IN_USERNS,
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
arg_uid_shift,
arg_uid_range,
arg_selinux_apifs_context);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0)
return r;
nspawn: move network namespace creation to a separate step (#8430) Fixes #8427. Unsharing the namespace in a separate step changes the ownership of /proc/net/ip_tables_names (and related files) from nobody:nobody to root:root. See [1] and [2] for all the details. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f13f2aeed154da8e48f90b85e720f8ba39b1e881 [2] https://bugzilla.netfilter.org/show_bug.cgi?id=1064#c9
2018-03-20 18:07:17 +01:00
if (!arg_network_namespace_path && arg_private_network) {
r = unshare(CLONE_NEWNET);
if (r < 0)
return log_error_errno(errno, "Failed to unshare network namespace: %m");
}
nspawn: R/W support for /sys, and /proc/sys This commit adds the possibility to leave /sys, and /proc/sys read-write. It introduces a new (undocumented) env var SYSTEMD_NSPAWN_API_VFS_WRITABLE to enable this feature. If set to "yes", /sys, and /proc/sys will be read-write. If set to "no", /sys, and /proc/sys will be read-only. If set to "network" /proc/sys/net will be read-write. This is useful in use-cases, where systemd-nspawn is used in an external network namespace. This adds the possibility to start privileged containers which need more control over settings in the /proc, and /sys filesystem. This is also a follow-up on the discussion from https://github.com/systemd/systemd/pull/4018#r76971862 where an introduction of a simple env var to enable R/W support for those directories was already discussed.
2016-10-14 14:00:15 +02:00
r = mount_sysfs(NULL, arg_mount_settings);
nspawn: mount /sys as tmpfs, and then mount only select subdirs of the real sysfs below it This way we can hide things like /sys/firmware or /sys/hypervisor from the container, while keeping the device tree around. While this is a security benefit in itself it also allows us to fix issue #1277. Previously we'd mount /sys before creating the user namespace, in order to be able to mount /sys/fs/cgroup/* beneath it (which resides in it), which we can only mount outside of the user namespace. To ensure that the user namespace owns the network namespace we'd set up the network namespace at the same time as the user namespace. Thus, we'd still see the /sys/class/net/ from the originating network namespace, even though we are in our own network namespace now. With this patch, /sys is mounted before transitioning into the user namespace as tmpfs, so that we can also mount /sys/fs/cgroup/* into it this early. The directories such as /sys/class/ are then later added in from the real sysfs from inside the network and user namespace so that they actually show whatis available in it. Fixes #1277
2015-09-30 13:47:28 +02:00
if (r < 0)
return r;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* Wait until we are cgroup-ified, so that we
* can mount the right cgroup path writable */
if (!barrier_place_and_sync(barrier)) { /* #3 */
log_error("Parent died too early");
return -ESRCH;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
}
nspawn: add SYSTEMD_NSPAWN_USE_CGNS env variable (#3809) SYSTEMD_NSPAWN_USE_CGNS allows to disable the use of cgroup namespaces.
2016-07-26 16:49:15 +02:00
if (arg_use_cgns && cg_ns_supported()) {
nspawn: handle cgroup namespaces (NOTE: Cgroup namespaces work with legacy and unified hierarchies: "This is completely backward compatible and will be completely invisible to any existing cgroup users (except for those running inside a cgroup namespace and looking at /proc/pid/cgroup of tasks outside their namespace.)" (https://lists.linuxfoundation.org/pipermail/containers/2016-January/036582.html) So there is no need to special case unified.) If cgroup namespaces are supported we skip mount_cgroups() in the outer_child(). Instead, we unshare(CLONE_NEWCGROUP) in the inner_child() and only then do we call mount_cgroups(). The clean way to handle cgroup namespaces would be to delegate mounting of cgroups completely to the init system in the container. However, this would likely break backward compatibility with the UNIFIED_CGROUP_HIERARCHY flag of systemd-nspawn. Also no cgroupfs would be mounted whenever the user simply requests a shell and no init is available to mount cgroups. Hence, we introduce mount_legacy_cgns_supported(). After calling unshare(CLONE_NEWCGROUP) it parses /proc/self/cgroup to find the mounted controllers and mounts them inside the new cgroup namespace. This should preserve backward compatibility with the UNIFIED_CGROUP_HIERARCHY flag and mount a cgroupfs when no init in the container is running.
2016-06-23 13:41:56 +02:00
r = unshare(CLONE_NEWCGROUP);
if (r < 0)
nspawn: move network namespace creation to a separate step (#8430) Fixes #8427. Unsharing the namespace in a separate step changes the ownership of /proc/net/ip_tables_names (and related files) from nobody:nobody to root:root. See [1] and [2] for all the details. [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f13f2aeed154da8e48f90b85e720f8ba39b1e881 [2] https://bugzilla.netfilter.org/show_bug.cgi?id=1064#c9
2018-03-20 18:07:17 +01:00
return log_error_errno(errno, "Failed to unshare cgroup namespace: %m");
nspawn: handle cgroup namespaces (NOTE: Cgroup namespaces work with legacy and unified hierarchies: "This is completely backward compatible and will be completely invisible to any existing cgroup users (except for those running inside a cgroup namespace and looking at /proc/pid/cgroup of tasks outside their namespace.)" (https://lists.linuxfoundation.org/pipermail/containers/2016-January/036582.html) So there is no need to special case unified.) If cgroup namespaces are supported we skip mount_cgroups() in the outer_child(). Instead, we unshare(CLONE_NEWCGROUP) in the inner_child() and only then do we call mount_cgroups(). The clean way to handle cgroup namespaces would be to delegate mounting of cgroups completely to the init system in the container. However, this would likely break backward compatibility with the UNIFIED_CGROUP_HIERARCHY flag of systemd-nspawn. Also no cgroupfs would be mounted whenever the user simply requests a shell and no init is available to mount cgroups. Hence, we introduce mount_legacy_cgns_supported(). After calling unshare(CLONE_NEWCGROUP) it parses /proc/self/cgroup to find the mounted controllers and mounts them inside the new cgroup namespace. This should preserve backward compatibility with the UNIFIED_CGROUP_HIERARCHY flag and mount a cgroupfs when no init in the container is running.
2016-06-23 13:41:56 +02:00
r = mount_cgroups(
"",
arg_unified_cgroup_hierarchy,
arg_userns_mode != USER_NAMESPACE_NO,
arg_uid_shift,
arg_uid_range,
nspawn: add SYSTEMD_NSPAWN_USE_CGNS env variable (#3809) SYSTEMD_NSPAWN_USE_CGNS allows to disable the use of cgroup namespaces.
2016-07-26 16:49:15 +02:00
arg_selinux_apifs_context,
nspawn: simplify arg_us_cgns passing We would check the condition cg_ns_supported() twice. No functional change.
2016-10-10 22:12:50 +02:00
true);
nspawn: handle cgroup namespaces (NOTE: Cgroup namespaces work with legacy and unified hierarchies: "This is completely backward compatible and will be completely invisible to any existing cgroup users (except for those running inside a cgroup namespace and looking at /proc/pid/cgroup of tasks outside their namespace.)" (https://lists.linuxfoundation.org/pipermail/containers/2016-January/036582.html) So there is no need to special case unified.) If cgroup namespaces are supported we skip mount_cgroups() in the outer_child(). Instead, we unshare(CLONE_NEWCGROUP) in the inner_child() and only then do we call mount_cgroups(). The clean way to handle cgroup namespaces would be to delegate mounting of cgroups completely to the init system in the container. However, this would likely break backward compatibility with the UNIFIED_CGROUP_HIERARCHY flag of systemd-nspawn. Also no cgroupfs would be mounted whenever the user simply requests a shell and no init is available to mount cgroups. Hence, we introduce mount_legacy_cgns_supported(). After calling unshare(CLONE_NEWCGROUP) it parses /proc/self/cgroup to find the mounted controllers and mounts them inside the new cgroup namespace. This should preserve backward compatibility with the UNIFIED_CGROUP_HIERARCHY flag and mount a cgroupfs when no init in the container is running.
2016-06-23 13:41:56 +02:00
if (r < 0)
return r;
} else {
r = mount_systemd_cgroup_writable("", arg_unified_cgroup_hierarchy);
if (r < 0)
return r;
}
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = setup_boot_id(NULL);
if (r < 0)
return r;
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = setup_kmsg(NULL, kmsg_socket);
if (r < 0)
return r;
kmsg_socket = safe_close(kmsg_socket);
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
umask(0022);
nspawn: add file system locks for controlling access to container images This adds three kinds of file system locks for container images: a) a file system lock next to the actual image, in a .lck file in the same directory the image is located. This lock has the benefit of usually being located on the same NFS share as the image itself, and thus allows locking container images across NFS shares. b) a file system lock in /run, named after st_dev and st_ino of the root of the image. This lock has the advantage that it is unique even if the same image is bind mounted to two different places at the same time, as the ino/dev stays constant for them. c) a file system lock that is only taken when a new disk image is about to be created, that ensures that checking whether the name is already used across the search path, and actually placing the image is not interrupted by other code taking the name. a + b are read-write locks. When a container is booted in read-only mode a read lock is taken, otherwise a write lock. Lock b is always taken after a, to avoid ABBA problems. Lock c is mostly relevant when renaming or cloning images.
2015-01-14 23:09:02 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (setsid() < 0)
return log_error_errno(errno, "setsid() failed: %m");
if (arg_private_network)
loopback_setup();
nspawn: split all port exposure code into nspawn-expose-port.[ch]
2015-09-07 16:52:24 +02:00
if (arg_expose_ports) {
r = expose_port_send_rtnl(rtnl_socket);
if (r < 0)
return r;
rtnl_socket = safe_close(rtnl_socket);
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
treewide: use the negative error codes returned by our functions Our functions return negative error codes. Do not rely on errno being set after calling our own functions.
2015-11-05 13:44:06 +01:00
r = drop_capabilities();
if (r < 0)
return log_error_errno(r, "drop_capabilities() failed: %m");
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
setup_hostname();
util: introduce PERSONALITY_INVALID as macro for 0xffffffffLU
2015-05-21 19:48:49 +02:00
if (arg_personality != PERSONALITY_INVALID) {
util-lib: wrap personality() to fix up broken glibc error handling (#6766) glibc appears to propagate different errors in different ways, let's fix this up, so that our own code doesn't get confused by this. See #6752 + #6737 for details. Fixes: #6755
2017-09-08 16:16:29 +02:00
r = safe_personality(arg_personality);
if (r < 0)
return log_error_errno(r, "personality() failed: %m");
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
} else if (secondary) {
util-lib: wrap personality() to fix up broken glibc error handling (#6766) glibc appears to propagate different errors in different ways, let's fix this up, so that our own code doesn't get confused by this. See #6752 + #6737 for details. Fixes: #6755
2017-09-08 16:16:29 +02:00
r = safe_personality(PER_LINUX32);
if (r < 0)
return log_error_errno(r, "personality() failed: %m");
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
}
build-sys: use #if Y instead of #ifdef Y everywhere The advantage is that is the name is mispellt, cpp will warn us. $ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/" $ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;' $ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g' $ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g' + manual changes to meson.build squash! build-sys: use #if Y instead of #ifdef Y everywhere v2: - fix incorrect setting of HAVE_LIBIDN2
2017-10-03 10:41:51 +02:00
#if HAVE_SELINUX
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (arg_selinux_context)
tree-wide: get rid of selinux_context_t (#3732) https://github.com/SELinuxProject/selinux/commit/9eb9c9327563014ad6a807814e7975424642d5b9 deprecated selinux_context_t. Replace with a simple char* everywhere. Alternative fix for #3719.
2016-07-15 18:44:02 +02:00
if (setexeccon(arg_selinux_context) < 0)
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
return log_error_errno(errno, "setexeccon(\"%s\") failed: %m", arg_selinux_context);
#endif
nspawn: split out --uid= logic into nspawn-setuid.[ch]
2015-09-07 18:42:14 +02:00
r = change_uid_gid(arg_user, &home);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0)
return r;
nspawn: support custom container service name We were hardcoding "systemd-nspawn" as the value of the $container env variable and "nspawn" as the service string in machined registration. This commit allows the user to configure it by setting the $SYSTEMD_NSPAWN_CONTAINER_SERVICE env variable when calling systemd-nspawn. If $SYSTEMD_NSPAWN_CONTAINER_SERVICE is not set, we use the string "systemd-nspawn" for both, fixing the previous inconsistency.
2015-11-09 11:32:34 +01:00
/* LXC sets container=lxc, so follow the scheme here */
envp[n_env++] = strjoina("container=", arg_container_service_name);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
envp[n_env] = strv_find_prefix(environ, "TERM=");
if (envp[n_env])
tree-wide: make ++/-- usage consistent WRT spacing Throughout the tree there's spurious use of spaces separating ++ and -- operators from their respective operands. Make ++ and -- operator consistent with the majority of existing uses; discard the spaces.
2016-02-23 05:32:04 +01:00
n_env++;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if ((asprintf((char**)(envp + n_env++), "HOME=%s", home ? home: "/root") < 0) ||
(asprintf((char**)(envp + n_env++), "USER=%s", arg_user ? arg_user : "root") < 0) ||
(asprintf((char**)(envp + n_env++), "LOGNAME=%s", arg_user ? arg_user : "root") < 0))
return log_oom();
tree-wide: use sd_id128_is_null() instead of sd_id128_equal where appropriate It's a bit easier to read because shorter. Also, most likely a tiny bit faster.
2016-07-21 16:06:31 +02:00
assert(!sd_id128_is_null(arg_uuid));
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
nspawn: rework machine/boot ID handling code to use new calls from id128-util.[ch]
2016-07-21 18:01:55 +02:00
if (asprintf((char**)(envp + n_env++), "container_uuid=%s", id128_to_uuid_string(arg_uuid, as_uuid)) < 0)
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
return log_oom();
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (fdset_size(fds) > 0) {
r = fdset_cloexec(fds, false);
if (r < 0)
return log_error_errno(r, "Failed to unset O_CLOEXEC for file descriptors.");
if ((asprintf((char **)(envp + n_env++), "LISTEN_FDS=%u", fdset_size(fds)) < 0) ||
(asprintf((char **)(envp + n_env++), "LISTEN_PID=1") < 0))
return log_oom();
}
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
if (asprintf((char **)(envp + n_env++), "NOTIFY_SOCKET=%s", NSPAWN_NOTIFY_SOCKET_PATH) < 0)
return log_oom();
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
nspawn: avoid memleak Simplify the code a bit, at the cost of potentially duplicating some memory unneccessarily. Fixes CID 1299641.
2015-05-25 22:55:52 +02:00
env_use = strv_env_merge(2, envp, arg_setenv);
if (!env_use)
return log_oom();
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* Let the parent know that we are ready and
* wait until the parent is ready with the
* setup, too... */
if (!barrier_place_and_sync(barrier)) { /* #4 */
log_error("Parent died too early");
return -ESRCH;
}
nspawn: add new --chdir= switch Fixes: #2192
2016-02-02 01:52:01 +01:00
if (arg_chdir)
if (chdir(arg_chdir) < 0)
return log_error_errno(errno, "Failed to change to specified working directory %s: %m", arg_chdir);
nspawn: optionally run a stub init process as PID 1 This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-03 20:32:06 +01:00
if (arg_start_mode == START_PID2) {
nspawn: flush out environment block of the -a stub init process The container detection code in virt.c we ship checks for /proc/1/environ, looking for "container=" in it. Let's make sure our "-a" init stub exposes that correctly. Without this "systemd-detect-virt" run in a "-a" container won't detect that it is being run in a container.
2016-12-06 18:19:23 +01:00
r = stub_pid1(arg_uuid);
nspawn: optionally run a stub init process as PID 1 This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-03 20:32:06 +01:00
if (r < 0)
return r;
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* Now, explicitly close the log, so that we
* then can close all remaining fds. Closing
* the log explicitly first has the benefit
* that the logging subsystem knows about it,
* and is thus ready to be reopened should we
* need it again. Note that the other fds
* closed here are at least the locking and
* barrier fds. */
log_close();
(void) fdset_close_others(fds);
nspawn: optionally run a stub init process as PID 1 This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-03 20:32:06 +01:00
if (arg_start_mode == START_BOOT) {
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
char **a;
size_t m;
/* Automatically search for the init system */
Add memcpy_safe ISO/IEC 9899:1999 §7.21.1/2 says: Where an argument declared as size_t n specifies the length of the array for a function, n can have the value zero on a call to that function. Unless explicitly stated otherwise in the description of a particular function in this subclause, pointer arguments on such a call shall still have valid values, as described in 7.1.4. In base64_append_width memcpy was called as memcpy(x, NULL, 0). GCC 4.9 started making use of this and assumes This worked fine under -O0, but does something strange under -O3. This patch fixes a bug in base64_append_width(), fixes a possible bug in journal_file_append_entry_internal(), and makes use of the new function to simplify the code in other places.
2016-02-02 03:57:41 +01:00
m = strv_length(arg_parameters);
a = newa(char*, m + 2);
memcpy_safe(a + 1, arg_parameters, m * sizeof(char*));
a[1 + m] = NULL;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
nspawn: shown exec() command is misleading There's no point in updating exec_target for each binary we try to execute, if we override it right-away anyway... Let's just do this once, and include all binaries we try each time. Follow-up for 1a68e1e543fd8f899503bec00585a16ada296ef7.
2017-02-02 18:27:25 +01:00
a[0] = (char*) "/usr/lib/systemd/systemd";
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
execve(a[0], a, env_use);
nspawn: shown exec() command is misleading There's no point in updating exec_target for each binary we try to execute, if we override it right-away anyway... Let's just do this once, and include all binaries we try each time. Follow-up for 1a68e1e543fd8f899503bec00585a16ada296ef7.
2017-02-02 18:27:25 +01:00
a[0] = (char*) "/lib/systemd/systemd";
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
execve(a[0], a, env_use);
nspawn: shown exec() command is misleading There's no point in updating exec_target for each binary we try to execute, if we override it right-away anyway... Let's just do this once, and include all binaries we try each time. Follow-up for 1a68e1e543fd8f899503bec00585a16ada296ef7.
2017-02-02 18:27:25 +01:00
a[0] = (char*) "/sbin/init";
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
execve(a[0], a, env_use);
nspawn: shown exec() command is misleading There's no point in updating exec_target for each binary we try to execute, if we override it right-away anyway... Let's just do this once, and include all binaries we try each time. Follow-up for 1a68e1e543fd8f899503bec00585a16ada296ef7.
2017-02-02 18:27:25 +01:00
exec_target = "/usr/lib/systemd/systemd, /lib/systemd/systemd, /sbin/init";
nspawn: Print attempted execv() path on failure (#5199) The failure message is typically currently: execv() failed: No such file or directory which is not very useful because it doesn’t tell you which file or directory it was trying to exec.
2017-02-01 14:36:16 +01:00
} else if (!strv_isempty(arg_parameters)) {
exec_target = arg_parameters[0];
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
execvpe(arg_parameters[0], arg_parameters, env_use);
nspawn: Print attempted execv() path on failure (#5199) The failure message is typically currently: execv() failed: No such file or directory which is not very useful because it doesn’t tell you which file or directory it was trying to exec.
2017-02-01 14:36:16 +01:00
} else {
nspawn: add new --chdir= switch Fixes: #2192
2016-02-02 01:52:01 +01:00
if (!arg_chdir)
nspawn: ignore failure to chdir CID #1322380.
2016-04-09 03:09:06 +02:00
/* If we cannot change the directory, we'll end up in /, that is expected. */
(void) chdir(home ?: "/root");
nspawn: add new --chdir= switch Fixes: #2192
2016-02-02 01:52:01 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
execle("/bin/bash", "-bash", NULL, env_use);
execle("/bin/sh", "-sh", NULL, env_use);
nspawn: shown exec() command is misleading There's no point in updating exec_target for each binary we try to execute, if we override it right-away anyway... Let's just do this once, and include all binaries we try each time. Follow-up for 1a68e1e543fd8f899503bec00585a16ada296ef7.
2017-02-02 18:27:25 +01:00
exec_target = "/bin/bash, /bin/sh";
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
}
nspawn: save errno before reopening log after exec failure
2015-11-05 13:44:12 +01:00
r = -errno;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
(void) log_open();
nspawn: Print attempted execv() path on failure (#5199) The failure message is typically currently: execv() failed: No such file or directory which is not very useful because it doesn’t tell you which file or directory it was trying to exec.
2017-02-01 14:36:16 +01:00
return log_error_errno(r, "execv(%s) failed: %m", exec_target);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
}
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
static int setup_sd_notify_child(void) {
static const int one = 1;
int fd = -1;
union sockaddr_union sa = {
.sa.sa_family = AF_UNIX,
};
int r;
fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
if (fd < 0)
return log_error_errno(errno, "Failed to allocate notification socket: %m");
(void) mkdir_parents(NSPAWN_NOTIFY_SOCKET_PATH, 0755);
(void) unlink(NSPAWN_NOTIFY_SOCKET_PATH);
strncpy(sa.un.sun_path, NSPAWN_NOTIFY_SOCKET_PATH, sizeof(sa.un.sun_path)-1);
r = bind(fd, &sa.sa, SOCKADDR_UN_LEN(sa.un));
if (r < 0) {
safe_close(fd);
return log_error_errno(errno, "bind(%s) failed: %m", sa.un.sun_path);
}
nspawn: change owner/group of /run/systemd/nspawn/notify to userns-root Fixes #4944
2017-01-17 02:19:34 +01:00
r = userns_lchown(NSPAWN_NOTIFY_SOCKET_PATH, 0, 0);
if (r < 0) {
safe_close(fd);
return log_error_errno(r, "Failed to chown " NSPAWN_NOTIFY_SOCKET_PATH ": %m");
}
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
r = setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one));
if (r < 0) {
safe_close(fd);
return log_error_errno(errno, "SO_PASSCRED failed: %m");
}
return fd;
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
static int outer_child(
Barrier *barrier,
const char *directory,
const char *console,
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
DissectedImage *dissected_image,
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
bool interactive,
bool secondary,
int pid_socket,
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
int uuid_socket,
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
int notify_socket,
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
int kmsg_socket,
int rtnl_socket,
nspawn: Communicate determined UID shift to parent There is logic to determine the UID shift from the file-system, rather than having it be explicitly passed in. However, this needs to happen in the child process that sets up the mounts, as what's important is the UID of the mounted root, rather than the mount-point. Setting up the UID map needs to happen in the parent becuase the inner child needs to have been started, and the outer child is no longer able to access the uid_map file, since it lost access to it when setting up the mounts for the inner child. So we need to communicate the uid shift back out, along with the PID of the inner child process. Failing to communicate this means that the invalid UID shift, which is the value used to specify "this needs to be determined from the file system" is left invalid, so setting up the user namespace's UID shift fails.
2015-06-30 15:41:41 +02:00
int uid_shift_socket,
nspawn: figure out cgroup mode *after* mounting image If we operate on a disk image (i.e. --image=) then it's pointless to look into the mount directory before it is actually mounted to see which systemd version is running inside... Unfortunately we only mount the disk image in the child process, but the parent needs to know the cgroup mode, hence add some IPC for this purpose and communicate the cgroup mode determined from the image back to the parent.
2017-11-27 20:49:35 +01:00
int unified_cgroup_hierarchy_socket,
nspawn: introduce an option for specifying network namespace path Add a new option `--network-namespace-path` to systemd-nspawn to allow users to specify an arbitrary network namespace, e.g. `/run/netns/foo`. Then systemd-nspawn will open the netns file, pass the fd to outer_child, and enter the namespace represented by the fd before running inner_child. ``` $ sudo ip netns add foo $ mount | grep /run/netns/foo nsfs on /run/netns/foo type nsfs (rw) ... $ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \ /bin/readlink -f /proc/self/ns/net /proc/1/ns/net:[4026532009] ``` Note that the option `--network-namespace-path=` cannot be used together with other network-related options such as `--private-network` so that the options do not conflict with each other. Fixes https://github.com/systemd/systemd/issues/7361
2017-11-24 18:22:17 +01:00
FDSet *fds,
int netns_fd) {
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
pid_t pid;
ssize_t l;
int r;
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
_cleanup_close_ int fd = -1;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
assert(barrier);
assert(directory);
assert(console);
assert(pid_socket >= 0);
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
assert(uuid_socket >= 0);
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
assert(notify_socket >= 0);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
assert(kmsg_socket >= 0);
if (prctl(PR_SET_PDEATHSIG, SIGKILL) < 0)
return log_error_errno(errno, "PR_SET_PDEATHSIG failed: %m");
if (interactive) {
tree-wide: port various places over to use new rearrange_stdio()
2018-02-28 23:32:49 +01:00
int terminal;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
tree-wide: port various places over to use new rearrange_stdio()
2018-02-28 23:32:49 +01:00
terminal = open_terminal(console, O_RDWR);
if (terminal < 0)
return log_error_errno(terminal, "Failed to open console: %m");
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
tree-wide: port various places over to use new rearrange_stdio()
2018-02-28 23:32:49 +01:00
r = rearrange_stdio(terminal, terminal, terminal); /* invalidates 'terminal' on success and failure */
if (r < 0)
return log_error_errno(r, "Failed to move console to stdin/stdout/stderr: %m");
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
}
r = reset_audit_loginuid();
if (r < 0)
return r;
/* Mark everything as slave, so that we still
* receive mounts from the real root, but don't
* propagate mounts to the real root. */
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
r = mount_verbose(LOG_ERR, NULL, "/", NULL, MS_SLAVE|MS_REC, NULL);
if (r < 0)
return r;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
if (dissected_image) {
nspawn: make sure images containing an ESP are compatible with userns -U mode In -U mode we might need to re-chown() all files and directories to match the UID shift we want for the image. That's problematic on fat partitions, such as the ESP (and which is generated by mkosi's --bootable switch), because fat of course knows no UID/GID file ownership natively. With this change we take benefit of the uid= and gid= mount options FAT knows: instead of chown()ing all files and directories we can just specify the right UID/GID to use at mount time. This beefs up the image dissection logic in two ways: 1. First of all support for mounting relevant file systems with uid=/gid= is added: when a UID is specified during mount it is used for all applicable file systems. 2. Secondly, two new mount flags are added: DISSECT_IMAGE_MOUNT_ROOT_ONLY and DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY. If one is specified the mount routine will either only mount the root partition of an image, or all partitions except the root partition. This is used by nspawn: first the root partition is mounted, so that we can determine the UID shift in use so far, based on ownership of the image's root directory. Then, we mount the remaining partitions in a second go, this time with the right UID/GID information.
2017-11-28 16:46:26 +01:00
/* If we are operating on a disk image, then mount its root directory now, but leave out the rest. We
* can read the UID shift from it if we need to. Further down we'll mount the rest, but then with the
* uid shift known. That way we can mount VFAT file systems shifted to the right place right away. This
* makes sure ESP partitions and userns are compatible. */
r = dissected_image_mount(dissected_image, directory, arg_uid_shift,
DISSECT_IMAGE_MOUNT_ROOT_ONLY|DISSECT_IMAGE_DISCARD_ON_LOOP|(arg_read_only ? DISSECT_IMAGE_READ_ONLY : 0));
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
if (r < 0)
return r;
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
Revert "nspawn: determine_uid_shift before forking"
2015-07-03 12:30:53 +02:00
r = determine_uid_shift(directory);
if (r < 0)
return r;
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
if (arg_userns_mode != USER_NAMESPACE_NO) {
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
/* Let the parent know which UID shift we read from the image */
nspawn: Communicate determined UID shift to parent There is logic to determine the UID shift from the file-system, rather than having it be explicitly passed in. However, this needs to happen in the child process that sets up the mounts, as what's important is the UID of the mounted root, rather than the mount-point. Setting up the UID map needs to happen in the parent becuase the inner child needs to have been started, and the outer child is no longer able to access the uid_map file, since it lost access to it when setting up the mounts for the inner child. So we need to communicate the uid shift back out, along with the PID of the inner child process. Failing to communicate this means that the invalid UID shift, which is the value used to specify "this needs to be determined from the file system" is left invalid, so setting up the user namespace's UID shift fails.
2015-06-30 15:41:41 +02:00
l = send(uid_shift_socket, &arg_uid_shift, sizeof(arg_uid_shift), MSG_NOSIGNAL);
if (l < 0)
return log_error_errno(errno, "Failed to send UID shift: %m");
if (l != sizeof(arg_uid_shift)) {
log_error("Short write while sending UID shift.");
return -EIO;
}
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
if (arg_userns_mode == USER_NAMESPACE_PICK) {
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
/* When we are supposed to pick the UID shift, the parent will check now whether the UID shift
* we just read from the image is available. If yes, it will send the UID shift back to us, if
* not it will pick a different one, and send it back to us. */
l = recv(uid_shift_socket, &arg_uid_shift, sizeof(arg_uid_shift), 0);
if (l < 0)
return log_error_errno(errno, "Failed to recv UID shift: %m");
if (l != sizeof(arg_uid_shift)) {
Various fixes for typos found by lintian (#3705)
2016-07-12 12:52:11 +02:00
log_error("Short read while receiving UID shift.");
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
return -EIO;
}
}
log_info("Selected user namespace base " UID_FMT " and range " UID_FMT ".", arg_uid_shift, arg_uid_range);
nspawn: Communicate determined UID shift to parent There is logic to determine the UID shift from the file-system, rather than having it be explicitly passed in. However, this needs to happen in the child process that sets up the mounts, as what's important is the UID of the mounted root, rather than the mount-point. Setting up the UID map needs to happen in the parent becuase the inner child needs to have been started, and the outer child is no longer able to access the uid_map file, since it lost access to it when setting up the mounts for the inner child. So we need to communicate the uid shift back out, along with the PID of the inner child process. Failing to communicate this means that the invalid UID shift, which is the value used to specify "this needs to be determined from the file system" is left invalid, so setting up the user namespace's UID shift fails.
2015-06-30 15:41:41 +02:00
}
nspawn: make sure images containing an ESP are compatible with userns -U mode In -U mode we might need to re-chown() all files and directories to match the UID shift we want for the image. That's problematic on fat partitions, such as the ESP (and which is generated by mkosi's --bootable switch), because fat of course knows no UID/GID file ownership natively. With this change we take benefit of the uid= and gid= mount options FAT knows: instead of chown()ing all files and directories we can just specify the right UID/GID to use at mount time. This beefs up the image dissection logic in two ways: 1. First of all support for mounting relevant file systems with uid=/gid= is added: when a UID is specified during mount it is used for all applicable file systems. 2. Secondly, two new mount flags are added: DISSECT_IMAGE_MOUNT_ROOT_ONLY and DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY. If one is specified the mount routine will either only mount the root partition of an image, or all partitions except the root partition. This is used by nspawn: first the root partition is mounted, so that we can determine the UID shift in use so far, based on ownership of the image's root directory. Then, we mount the remaining partitions in a second go, this time with the right UID/GID information.
2017-11-28 16:46:26 +01:00
if (dissected_image) {
/* Now we know the uid shift, let's now mount everything else that might be in the image. */
r = dissected_image_mount(dissected_image, directory, arg_uid_shift,
DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY|DISSECT_IMAGE_DISCARD_ON_LOOP|(arg_read_only ? DISSECT_IMAGE_READ_ONLY : 0));
if (r < 0)
return r;
}
nspawn: figure out cgroup mode *after* mounting image If we operate on a disk image (i.e. --image=) then it's pointless to look into the mount directory before it is actually mounted to see which systemd version is running inside... Unfortunately we only mount the disk image in the child process, but the parent needs to know the cgroup mode, hence add some IPC for this purpose and communicate the cgroup mode determined from the image back to the parent.
2017-11-27 20:49:35 +01:00
if (arg_unified_cgroup_hierarchy == CGROUP_UNIFIED_UNKNOWN) {
/* OK, we don't know yet which cgroup mode to use yet. Let's figure it out, and tell the parent. */
r = detect_unified_cgroup_hierarchy_from_image(directory);
if (r < 0)
return r;
l = send(unified_cgroup_hierarchy_socket, &arg_unified_cgroup_hierarchy, sizeof(arg_unified_cgroup_hierarchy), MSG_NOSIGNAL);
if (l < 0)
return log_error_errno(errno, "Failed to send cgroup mode: %m");
if (l != sizeof(arg_unified_cgroup_hierarchy)) {
log_error("Short write while sending cgroup mode: %m");
return -EIO;
}
unified_cgroup_hierarchy_socket = safe_close(unified_cgroup_hierarchy_socket);
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* Turn directory into bind mount */
nspawn,mount-util: add [u]mount_verbose and use it in nspawn This makes it easier to debug failed nspawn invocations: Mounting sysfs on /var/lib/machines/fedora-rawhide/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev (MS_NOSUID|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/dev/shm (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=1777,uid=1450901504,gid=1450901504")... Mounting tmpfs on /var/lib/machines/fedora-rawhide/run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=755,uid=1450901504,gid=1450901504")... Bind-mounting /sys/fs/selinux on /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_BIND "")... Remounting /var/lib/machines/fedora-rawhide/sys/fs/selinux (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting proc on /proc (MS_NOSUID|MS_NOEXEC|MS_NODEV "")... Bind-mounting /proc/sys on /proc/sys (MS_BIND "")... Remounting /proc/sys (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Bind-mounting /proc/sysrq-trigger on /proc/sysrq-trigger (MS_BIND "")... Remounting /proc/sysrq-trigger (MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_BIND|MS_REMOUNT "")... Mounting tmpfs on /tmp (MS_STRICTATIME "mode=1777,uid=0,gid=0")... Mounting tmpfs on /sys/fs/cgroup (MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME "mode=755,uid=0,gid=0")... Mounting cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr")... Failed to mount cgroup on /sys/fs/cgroup/systemd (MS_NOSUID|MS_NOEXEC|MS_NODEV "none,name=systemd,xattr"): No such file or directory
2016-10-10 21:55:20 +02:00
r = mount_verbose(LOG_ERR, directory, directory, NULL, MS_BIND|MS_REC, NULL);
if (r < 0)
return r;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
nspawn: Add support for sysroot pivoting (#5258) Add a new --pivot-root argument to systemd-nspawn, which specifies a directory to pivot to / inside the container; while the original / is pivoted to another specified directory (if provided). This adds support for booting container images which may contain several bootable sysroots, as is common with OSTree disk images. When these disk images are booted on real hardware, ostree-prepare-root is run in conjunction with sysroot.mount in the initramfs to achieve the same results.
2017-02-08 16:54:31 +01:00
r = setup_pivot_root(
directory,
arg_pivot_root_new,
arg_pivot_root_old);
if (r < 0)
return r;
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
r = setup_volatile(
directory,
arg_volatile_mode,
arg_userns_mode != USER_NAMESPACE_NO,
arg_uid_shift,
arg_uid_range,
arg_selinux_context);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0)
return r;
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
r = setup_volatile_state(
directory,
arg_volatile_mode,
arg_userns_mode != USER_NAMESPACE_NO,
arg_uid_shift,
arg_uid_range,
arg_selinux_context);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0)
return r;
nspawn: restore --volatile=yes support This was broken by 19caffac75a2590a0c5ebc2a0214960f8188aec7 which remounted the root directory to MS_SHARED before applying the volatile mount logic. This broke things as MS_MOVE is incompatible with MS_SHARED directory trees, and we need MS_MOVE in the volatile mount logic to rearrange the directory tree. Simply swap the order here, apply the volatile logic before we switch to MS_SHARED.
2016-12-12 19:46:56 +01:00
/* Mark everything as shared so our mounts get propagated down. This is
* required to make new bind mounts available in systemd services
* inside the containter that create a new mount namespace.
* See https://github.com/systemd/systemd/issues/3860
* Further submounts (such as /dev) done after this will inherit the
Fix missing space in comments (#5439)
2017-02-24 18:14:02 +01:00
* shared propagation mode. */
nspawn: restore --volatile=yes support This was broken by 19caffac75a2590a0c5ebc2a0214960f8188aec7 which remounted the root directory to MS_SHARED before applying the volatile mount logic. This broke things as MS_MOVE is incompatible with MS_SHARED directory trees, and we need MS_MOVE in the volatile mount logic to rearrange the directory tree. Simply swap the order here, apply the volatile logic before we switch to MS_SHARED.
2016-12-12 19:46:56 +01:00
r = mount_verbose(LOG_ERR, NULL, directory, NULL, MS_SHARED|MS_REC, NULL);
if (r < 0)
return r;
r = recursive_chown(directory, arg_uid_shift, arg_uid_range);
if (r < 0)
return r;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = base_filesystem_create(directory, arg_uid_shift, (gid_t) arg_uid_shift);
if (r < 0)
return r;
if (arg_read_only) {
namespace: rework how ReadWritePaths= is applied Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths= specification, then we'd first recursively apply the ReadOnlyPaths= paths, and make everything below read-only, only in order to then flip the read-only bit again for the subdirs listed in ReadWritePaths= below it. This is not only ugly (as for the dirs in question we first turn on the RO bit, only to turn it off again immediately after), but also problematic in containers, where a container manager might have marked a set of dirs read-only and this code will undo this is ReadWritePaths= is set for any. With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be applied to the children listed in ReadWritePaths= in the first place, so that we do not need to turn off the RO bit for those after all. This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the RO bit, but never to turn it off again. Or to say this differently: if some dirs are marked read-only via some external tool, then ReadWritePaths= will not undo it. This is not only the safer option, but also more in-line with what the man page currently claims: "Entries (files or directories) listed in ReadWritePaths= are accessible from within the namespace with the same access rights as from outside." To implement this change bind_remount_recursive() gained a new "blacklist" string list parameter, which when passed may contain subdirs that shall be excluded from the read-only mounting. A number of functions are updated to add more debug logging to make this more digestable.
2016-09-25 10:40:51 +02:00
r = bind_remount_recursive(directory, true, NULL);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0)
return log_error_errno(r, "Failed to make tree read-only: %m");
}
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
r = mount_all(directory,
nspawn: R/W support for /sys, and /proc/sys This commit adds the possibility to leave /sys, and /proc/sys read-write. It introduces a new (undocumented) env var SYSTEMD_NSPAWN_API_VFS_WRITABLE to enable this feature. If set to "yes", /sys, and /proc/sys will be read-write. If set to "no", /sys, and /proc/sys will be read-only. If set to "network" /proc/sys/net will be read-write. This is useful in use-cases, where systemd-nspawn is used in an external network namespace. This adds the possibility to start privileged containers which need more control over settings in the /proc, and /sys filesystem. This is also a follow-up on the discussion from https://github.com/systemd/systemd/pull/4018#r76971862 where an introduction of a simple env var to enable R/W support for those directories was already discussed.
2016-10-14 14:00:15 +02:00
arg_mount_settings,
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
arg_uid_shift,
arg_uid_range,
arg_selinux_apifs_context);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0)
return r;
nspawn: properly propagate errors when we fail to set soemthing up
2015-09-08 01:17:15 +02:00
r = copy_devnodes(directory);
if (r < 0)
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
return r;
dev_setup(directory, arg_uid_shift, arg_uid_shift);
nspawn: properly propagate errors when we fail to set soemthing up
2015-09-08 01:17:15 +02:00
r = setup_pts(directory);
if (r < 0)
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
return r;
r = setup_propagate(directory);
if (r < 0)
return r;
r = setup_dev_console(directory, console);
if (r < 0)
return r;
nspawn: set up a new session keyring for the container process keyring material should not leak into the container. So far we relied on seccomp to deny access to the keyring, but given that we now made the seccomp configurable, and access to keyctl() and friends may optionally be permitted to containers now let's make sure we disconnect the callers keyring from the keyring of PID 1 in the container.
2017-09-21 14:02:31 +02:00
r = setup_keyring();
if (r < 0)
return r;
nspawn: implement configurable syscall whitelisting/blacklisting Now that we have ported nspawn's seccomp code to the generic code in seccomp-util, let's extend it to support whitelisting and blacklisting of specific additional syscalls. This uses similar syntax as PID1's support for system call filtering, but in contrast to that always implements a blacklist (and not a whitelist), as we prepopulate the filter with a blacklist, and the unit's system call filter logic does not come with anything prepopulated. (Later on we might actually want to invert the logic here, and whitelist rather than blacklist things, but at this point let's not do that. In case we switch this over later, the syscall add/remove logic of this commit should be compatible conceptually.) Fixes: #5163 Replaces: #5944
2017-09-11 17:45:21 +02:00
r = setup_seccomp(arg_caps_retain, arg_syscall_whitelist, arg_syscall_blacklist);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0)
return r;
r = setup_timezone(directory);
if (r < 0)
return r;
r = setup_resolv_conf(directory);
if (r < 0)
return r;
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
r = setup_machine_id(directory);
if (r < 0)
return r;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = setup_journal(directory);
if (r < 0)
return r;
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
r = mount_custom(
directory,
arg_custom_mounts,
arg_n_custom_mounts,
arg_userns_mode != USER_NAMESPACE_NO,
arg_uid_shift,
arg_uid_range,
arg_selinux_apifs_context);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0)
return r;
nspawn: add SYSTEMD_NSPAWN_USE_CGNS env variable (#3809) SYSTEMD_NSPAWN_USE_CGNS allows to disable the use of cgroup namespaces.
2016-07-26 16:49:15 +02:00
if (!arg_use_cgns || !cg_ns_supported()) {
nspawn: handle cgroup namespaces (NOTE: Cgroup namespaces work with legacy and unified hierarchies: "This is completely backward compatible and will be completely invisible to any existing cgroup users (except for those running inside a cgroup namespace and looking at /proc/pid/cgroup of tasks outside their namespace.)" (https://lists.linuxfoundation.org/pipermail/containers/2016-January/036582.html) So there is no need to special case unified.) If cgroup namespaces are supported we skip mount_cgroups() in the outer_child(). Instead, we unshare(CLONE_NEWCGROUP) in the inner_child() and only then do we call mount_cgroups(). The clean way to handle cgroup namespaces would be to delegate mounting of cgroups completely to the init system in the container. However, this would likely break backward compatibility with the UNIFIED_CGROUP_HIERARCHY flag of systemd-nspawn. Also no cgroupfs would be mounted whenever the user simply requests a shell and no init is available to mount cgroups. Hence, we introduce mount_legacy_cgns_supported(). After calling unshare(CLONE_NEWCGROUP) it parses /proc/self/cgroup to find the mounted controllers and mounts them inside the new cgroup namespace. This should preserve backward compatibility with the UNIFIED_CGROUP_HIERARCHY flag and mount a cgroupfs when no init in the container is running.
2016-06-23 13:41:56 +02:00
r = mount_cgroups(
directory,
arg_unified_cgroup_hierarchy,
arg_userns_mode != USER_NAMESPACE_NO,
arg_uid_shift,
arg_uid_range,
nspawn: add SYSTEMD_NSPAWN_USE_CGNS env variable (#3809) SYSTEMD_NSPAWN_USE_CGNS allows to disable the use of cgroup namespaces.
2016-07-26 16:49:15 +02:00
arg_selinux_apifs_context,
nspawn: simplify arg_us_cgns passing We would check the condition cg_ns_supported() twice. No functional change.
2016-10-10 22:12:50 +02:00
false);
nspawn: handle cgroup namespaces (NOTE: Cgroup namespaces work with legacy and unified hierarchies: "This is completely backward compatible and will be completely invisible to any existing cgroup users (except for those running inside a cgroup namespace and looking at /proc/pid/cgroup of tasks outside their namespace.)" (https://lists.linuxfoundation.org/pipermail/containers/2016-January/036582.html) So there is no need to special case unified.) If cgroup namespaces are supported we skip mount_cgroups() in the outer_child(). Instead, we unshare(CLONE_NEWCGROUP) in the inner_child() and only then do we call mount_cgroups(). The clean way to handle cgroup namespaces would be to delegate mounting of cgroups completely to the init system in the container. However, this would likely break backward compatibility with the UNIFIED_CGROUP_HIERARCHY flag of systemd-nspawn. Also no cgroupfs would be mounted whenever the user simply requests a shell and no init is available to mount cgroups. Hence, we introduce mount_legacy_cgns_supported(). After calling unshare(CLONE_NEWCGROUP) it parses /proc/self/cgroup to find the mounted controllers and mounts them inside the new cgroup namespace. This should preserve backward compatibility with the UNIFIED_CGROUP_HIERARCHY flag and mount a cgroupfs when no init in the container is running.
2016-06-23 13:41:56 +02:00
if (r < 0)
return r;
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = mount_move_root(directory);
if (r < 0)
return log_error_errno(r, "Failed to move root directory: %m");
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
fd = setup_sd_notify_child();
if (fd < 0)
return fd;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
pid = raw_clone(SIGCHLD|CLONE_NEWNS|
nspawn: split down SYSTEMD_NSPAWN_SHARE_SYSTEM (#4023) This commit follows further on the deprecation path for --share-system, by splitting and gating each share-able namespace behind its own environment flag.
2016-08-26 00:08:26 +02:00
arg_clone_ns_flags |
util-lib: Add sparc64 support for process creation (#3348) The current raw_clone function takes two arguments, the cloning flags and a pointer to the stack for the cloned child. The raw cloning without passing a "thread main" function does not make sense if a new stack is specified, as it returns in both the parent and the child, which will fail in the child as the stack is virgin. All uses of raw_clone indeed pass NULL for the stack pointer which indicates that both processes should share the stack address (so you better don't pass CLONE_VM). This commit refactors the code to not require the caller to pass the stack address, as NULL is the only sensible option. It also adds the magic code needed to make raw_clone work on sparc64, which does not return 0 in %o0 for the child, but indicates the child process by setting %o1 to non-zero. This refactoring is not plain aesthetic, because non-NULL stack addresses need to get mangled before being passed to the clone syscall (you have to apply STACK_BIAS), whereas NULL must not be mangled. Implementing the conditional mangling of the stack address would needlessly complicate the code. raw_clone is moved to a separete header, because the burden of including the assert machinery and sched.h shouldn't be applied to every user of missing_syscalls.h
2016-05-30 02:03:51 +02:00
(arg_userns_mode != USER_NAMESPACE_NO ? CLONE_NEWUSER : 0));
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (pid < 0)
return log_error_errno(errno, "Failed to fork inner child: %m");
if (pid == 0) {
pid_socket = safe_close(pid_socket);
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
uuid_socket = safe_close(uuid_socket);
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
notify_socket = safe_close(notify_socket);
nspawn: Communicate determined UID shift to parent There is logic to determine the UID shift from the file-system, rather than having it be explicitly passed in. However, this needs to happen in the child process that sets up the mounts, as what's important is the UID of the mounted root, rather than the mount-point. Setting up the UID map needs to happen in the parent becuase the inner child needs to have been started, and the outer child is no longer able to access the uid_map file, since it lost access to it when setting up the mounts for the inner child. So we need to communicate the uid shift back out, along with the PID of the inner child process. Failing to communicate this means that the invalid UID shift, which is the value used to specify "this needs to be determined from the file system" is left invalid, so setting up the user namespace's UID shift fails.
2015-06-30 15:41:41 +02:00
uid_shift_socket = safe_close(uid_shift_socket);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* The inner child has all namespaces that are
* requested, so that we all are owned by the user if
* user namespaces are turned on. */
nspawn: introduce an option for specifying network namespace path Add a new option `--network-namespace-path` to systemd-nspawn to allow users to specify an arbitrary network namespace, e.g. `/run/netns/foo`. Then systemd-nspawn will open the netns file, pass the fd to outer_child, and enter the namespace represented by the fd before running inner_child. ``` $ sudo ip netns add foo $ mount | grep /run/netns/foo nsfs on /run/netns/foo type nsfs (rw) ... $ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \ /bin/readlink -f /proc/self/ns/net /proc/1/ns/net:[4026532009] ``` Note that the option `--network-namespace-path=` cannot be used together with other network-related options such as `--private-network` so that the options do not conflict with each other. Fixes https://github.com/systemd/systemd/issues/7361
2017-11-24 18:22:17 +01:00
if (arg_network_namespace_path) {
r = namespace_enter(-1, -1, netns_fd, -1, -1);
if (r < 0)
return r;
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
r = inner_child(barrier, directory, secondary, kmsg_socket, rtnl_socket, fds);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0)
_exit(EXIT_FAILURE);
_exit(EXIT_SUCCESS);
}
l = send(pid_socket, &pid, sizeof(pid), MSG_NOSIGNAL);
if (l < 0)
return log_error_errno(errno, "Failed to send PID: %m");
if (l != sizeof(pid)) {
log_error("Short write while sending PID.");
return -EIO;
}
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
l = send(uuid_socket, &arg_uuid, sizeof(arg_uuid), MSG_NOSIGNAL);
if (l < 0)
return log_error_errno(errno, "Failed to send machine ID: %m");
if (l != sizeof(arg_uuid)) {
log_error("Short write while sending machine ID.");
return -EIO;
}
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
l = send_one_fd(notify_socket, fd, 0);
if (l < 0)
return log_error_errno(errno, "Failed to send notify fd: %m");
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
pid_socket = safe_close(pid_socket);
nspawn: always setup machine id We check /etc/machine-id of the container and if it is already populated we use value from there, possibly ignoring value of --uuid option from the command line. When dealing with R/O image we setup transient machine id. Once we determined machine id of the container, we use this value for registration with systemd-machined and we also export it via container_uuid environment variable. As registration with systemd-machined is done by the main nspawn process we communicate container machine id established by setup_machine_id from outer child to the main process by unix domain socket. Similarly to PID of inner child.
2016-04-08 13:22:54 +02:00
uuid_socket = safe_close(uuid_socket);
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
notify_socket = safe_close(notify_socket);
nspawn: close unneeded sockets in outer child (David: Note, this is just a cleanup and doesn't fix any bugs)
2015-05-27 13:52:31 +02:00
kmsg_socket = safe_close(kmsg_socket);
rtnl_socket = safe_close(rtnl_socket);
nspawn: introduce an option for specifying network namespace path Add a new option `--network-namespace-path` to systemd-nspawn to allow users to specify an arbitrary network namespace, e.g. `/run/netns/foo`. Then systemd-nspawn will open the netns file, pass the fd to outer_child, and enter the namespace represented by the fd before running inner_child. ``` $ sudo ip netns add foo $ mount | grep /run/netns/foo nsfs on /run/netns/foo type nsfs (rw) ... $ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \ /bin/readlink -f /proc/self/ns/net /proc/1/ns/net:[4026532009] ``` Note that the option `--network-namespace-path=` cannot be used together with other network-related options such as `--private-network` so that the options do not conflict with each other. Fixes https://github.com/systemd/systemd/issues/7361
2017-11-24 18:22:17 +01:00
netns_fd = safe_close(netns_fd);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
return 0;
}
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
static int uid_shift_pick(uid_t *shift, LockFile *ret_lock_file) {
nspawn: hash the machine name, when looking for a suitable UID base (#7437) When "-U" is used we look for a UID range we can use for our container. We start with the UID the tree is already assigned to, and if that didn't work we'd pick random ranges so far. With this change we'll first try to hash a suitable range from the container name, and use that if it works, in order to make UID assignments more likely to be stable. This follows a similar logic PID 1 follows when using DynamicUser=1.
2017-11-24 20:57:19 +01:00
bool tried_hashed = false;
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
unsigned n_tries = 100;
uid_t candidate;
int r;
assert(shift);
assert(ret_lock_file);
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
assert(arg_userns_mode == USER_NAMESPACE_PICK);
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
assert(arg_uid_range == 0x10000U);
candidate = *shift;
(void) mkdir("/run/systemd/nspawn-uid", 0755);
for (;;) {
tree-wide: make use of new STRLEN() macro everywhere (#7639) Let's employ coccinelle to do this for us. Follow-up for #7625.
2017-12-14 19:02:29 +01:00
char lock_path[STRLEN("/run/systemd/nspawn-uid/") + DECIMAL_STR_MAX(uid_t) + 1];
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
_cleanup_release_lock_file_ LockFile lf = LOCK_FILE_INIT;
if (--n_tries <= 0)
return -EBUSY;
build-sys: make the dynamic UID range, and the container UID range configurable Also, export these ranges in our pkg-config files.
2017-12-02 12:48:31 +01:00
if (candidate < CONTAINER_UID_BASE_MIN || candidate > CONTAINER_UID_BASE_MAX)
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
goto next;
if ((candidate & UINT32_C(0xFFFF)) != 0)
goto next;
xsprintf(lock_path, "/run/systemd/nspawn-uid/" UID_FMT, candidate);
r = make_lock_file(lock_path, LOCK_EX|LOCK_NB, &lf);
if (r == -EBUSY) /* Range already taken by another nspawn instance */
goto next;
if (r < 0)
return r;
/* Make some superficial checks whether the range is currently known in the user database */
if (getpwuid(candidate))
goto next;
if (getpwuid(candidate + UINT32_C(0xFFFE)))
goto next;
if (getgrgid(candidate))
goto next;
if (getgrgid(candidate + UINT32_C(0xFFFE)))
goto next;
*ret_lock_file = lf;
lf = (struct LockFile) LOCK_FILE_INIT;
*shift = candidate;
return 0;
next:
nspawn: hash the machine name, when looking for a suitable UID base (#7437) When "-U" is used we look for a UID range we can use for our container. We start with the UID the tree is already assigned to, and if that didn't work we'd pick random ranges so far. With this change we'll first try to hash a suitable range from the container name, and use that if it works, in order to make UID assignments more likely to be stable. This follows a similar logic PID 1 follows when using DynamicUser=1.
2017-11-24 20:57:19 +01:00
if (arg_machine && !tried_hashed) {
/* Try to hash the base from the container name */
static const uint8_t hash_key[] = {
0xe1, 0x56, 0xe0, 0xf0, 0x4a, 0xf0, 0x41, 0xaf,
0x96, 0x41, 0xcf, 0x41, 0x33, 0x94, 0xff, 0x72
};
candidate = (uid_t) siphash24(arg_machine, strlen(arg_machine), hash_key);
tried_hashed = true;
} else
random_bytes(&candidate, sizeof(candidate));
build-sys: make the dynamic UID range, and the container UID range configurable Also, export these ranges in our pkg-config files.
2017-12-02 12:48:31 +01:00
candidate = (candidate % (CONTAINER_UID_BASE_MAX - CONTAINER_UID_BASE_MIN)) + CONTAINER_UID_BASE_MIN;
nspawn: optionally, automatically allocate a UID/GID range for userns containers This adds the new value "pick" to --private-users=. When specified a new UID/GID range of 65536 users is automatically and randomly allocated from the host range 0x00080000-0xDFFF0000 and used for the container. The setting implies --private-users-chown, so that container directory is recursively chown()ed to the newly allocated UID/GID range, if that's necessary. As an optimization before picking a randomized UID/GID the UID of the container's root directory is used as starting point and used if currently not used otherwise. To protect against using the same UID/GID range multiple times a few mechanisms are in place: - The first and the last UID and GID of the range are checked with getpwuid() and getgrgid(). If an entry already exists a different range is picked. Note that by "last" UID the user 65534 is used, as 65535 is the 16bit (uid_t) -1. - A lock file for the range is taken in /run/systemd/nspawn-uid/. Since the ranges are taken in a non-overlapping fashion, and always start on 64K boundaries this allows us to maintain a single lock file for each range that can be randomly picked. This protects nspawn from picking the same range in two parallel instances. - If possible the /etc/passwd lock file is taken while a new range is selected until the container is up. This means adduser/addgroup should safely avoid the range as long as nss-mymachines is used, since the allocated range will then show up in the user database. The UID/GID range nspawn picks from is compiled in and not configurable at the moment. That should probably stay that way, since we already provide ways how users can pick their own ranges manually if they don't like the automatic logic. The new --private-users=pick logic makes user namespacing pretty useful now, as it relieves the user from managing UID/GID ranges.
2016-04-22 11:28:09 +02:00
candidate &= (uid_t) UINT32_C(0xFFFF0000);
}
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
static int setup_uid_map(pid_t pid) {
tree-wide: make use of new STRLEN() macro everywhere (#7639) Let's employ coccinelle to do this for us. Follow-up for #7625.
2017-12-14 19:02:29 +01:00
char uid_map[STRLEN("/proc//uid_map") + DECIMAL_STR_MAX(uid_t) + 1], line[DECIMAL_STR_MAX(uid_t)*3+3+1];
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
int r;
assert(pid > 1);
xsprintf(uid_map, "/proc/" PID_FMT "/uid_map", pid);
xsprintf(line, UID_FMT " " UID_FMT " " UID_FMT "\n", 0, arg_uid_shift, arg_uid_range);
tree-wide: fix write_string_file() user that should not create files The latest consolidation cleanup of write_string_file() revealed some users of that helper which should have used write_string_file_no_create() in the past but didn't. Basically, all existing users that write to files in /sys and /proc should not expect to write to a file which is not yet existant.
2015-07-07 01:27:20 +02:00
r = write_string_file(uid_map, line, 0);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0)
return log_error_errno(r, "Failed to write UID map: %m");
/* We always assign the same UID and GID ranges */
xsprintf(uid_map, "/proc/" PID_FMT "/gid_map", pid);
tree-wide: fix write_string_file() user that should not create files The latest consolidation cleanup of write_string_file() revealed some users of that helper which should have used write_string_file_no_create() in the past but didn't. Basically, all existing users that write to files in /sys and /proc should not expect to write to a file which is not yet existant.
2015-07-07 01:27:20 +02:00
r = write_string_file(uid_map, line, 0);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0)
return log_error_errno(r, "Failed to write GID map: %m");
return 0;
}
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
static int nspawn_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
char buf[NOTIFY_BUFFER_MAX+1];
char *p = NULL;
struct iovec iovec = {
.iov_base = buf,
.iov_len = sizeof(buf)-1,
};
union {
struct cmsghdr cmsghdr;
uint8_t buf[CMSG_SPACE(sizeof(struct ucred)) +
CMSG_SPACE(sizeof(int) * NOTIFY_FD_MAX)];
} control = {};
struct msghdr msghdr = {
.msg_iov = &iovec,
.msg_iovlen = 1,
.msg_control = &control,
.msg_controllen = sizeof(control),
};
struct cmsghdr *cmsg;
struct ucred *ucred = NULL;
ssize_t n;
pid_t inner_child_pid;
_cleanup_strv_free_ char **tags = NULL;
assert(userdata);
inner_child_pid = PTR_TO_PID(userdata);
if (revents != EPOLLIN) {
log_warning("Got unexpected poll event for notify fd.");
return 0;
}
n = recvmsg(fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
if (n < 0) {
tree-wide: use IN_SET where possible In addition to the changes from #6933 this handles cases that could be matched with the included cocci file.
2017-09-29 00:37:23 +02:00
if (IN_SET(errno, EAGAIN, EINTR))
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
return 0;
return log_warning_errno(errno, "Couldn't read notification socket: %m");
}
cmsg_close_all(&msghdr);
CMSG_FOREACH(cmsg, &msghdr) {
if (cmsg->cmsg_level == SOL_SOCKET &&
cmsg->cmsg_type == SCM_CREDENTIALS &&
cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred))) {
ucred = (struct ucred*) CMSG_DATA(cmsg);
}
}
if (!ucred || ucred->pid != inner_child_pid) {
nspawn: downgrade warning when we get sd_notify() message from unexpected process (#6416) Given that we set NOTIFY_SOCKET unconditionally it's not surprising that processes way down the process tree think it's smart to send us a notification message. It's still useful to keep this message, for debugging things, but it shouldn't be generated by default.
2017-07-20 20:46:58 +02:00
log_debug("Received notify message without valid credentials. Ignoring.");
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
return 0;
}
if ((size_t) n >= sizeof(buf)) {
log_warning("Received notify message exceeded maximum size. Ignoring.");
return 0;
}
buf[n] = 0;
tags = strv_split(buf, "\n\r");
if (!tags)
return log_oom();
if (strv_find(tags, "READY=1"))
sd_notifyf(false, "READY=1\n");
p = strv_find_startswith(tags, "STATUS=");
if (p)
sd_notifyf(false, "STATUS=Container running: %s", p);
return 0;
}
nspawn: unref the notify event source (#4941) Fixes: ``` sudo ./libtool --mode=execute valgrind --leak-check=full ./systemd-nspawn -D ./CONT/ -b ... ==21224== 2,444 (656 direct, 1,788 indirect) bytes in 1 blocks are definitely lost in loss record 13 of 15 ==21224== at 0x4C2FA50: calloc (vg_replace_malloc.c:711) ==21224== by 0x4F6F565: sd_event_new (sd-event.c:431) ==21224== by 0x1210BE: run (nspawn.c:3351) ==21224== by 0x123908: main (nspawn.c:3826) ==21224== ==21224== LEAK SUMMARY: ==21224== definitely lost: 656 bytes in 1 blocks ==21224== indirectly lost: 1,788 bytes in 11 blocks ==21224== possibly lost: 0 bytes in 0 blocks ==21224== still reachable: 8,344 bytes in 3 blocks ==21224== suppressed: 0 bytes in 0 blocks ``` Closes #4934
2016-12-21 18:36:15 +01:00
static int setup_sd_notify_parent(sd_event *event, int fd, pid_t *inner_child_pid, sd_event_source **notify_event_source) {
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
int r;
nspawn: unref the notify event source (#4941) Fixes: ``` sudo ./libtool --mode=execute valgrind --leak-check=full ./systemd-nspawn -D ./CONT/ -b ... ==21224== 2,444 (656 direct, 1,788 indirect) bytes in 1 blocks are definitely lost in loss record 13 of 15 ==21224== at 0x4C2FA50: calloc (vg_replace_malloc.c:711) ==21224== by 0x4F6F565: sd_event_new (sd-event.c:431) ==21224== by 0x1210BE: run (nspawn.c:3351) ==21224== by 0x123908: main (nspawn.c:3826) ==21224== ==21224== LEAK SUMMARY: ==21224== definitely lost: 656 bytes in 1 blocks ==21224== indirectly lost: 1,788 bytes in 11 blocks ==21224== possibly lost: 0 bytes in 0 blocks ==21224== still reachable: 8,344 bytes in 3 blocks ==21224== suppressed: 0 bytes in 0 blocks ``` Closes #4934
2016-12-21 18:36:15 +01:00
r = sd_event_add_io(event, notify_event_source, fd, EPOLLIN, nspawn_dispatch_notify_fd, inner_child_pid);
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
if (r < 0)
return log_error_errno(r, "Failed to allocate notify event source: %m");
nspawn: unref the notify event source (#4941) Fixes: ``` sudo ./libtool --mode=execute valgrind --leak-check=full ./systemd-nspawn -D ./CONT/ -b ... ==21224== 2,444 (656 direct, 1,788 indirect) bytes in 1 blocks are definitely lost in loss record 13 of 15 ==21224== at 0x4C2FA50: calloc (vg_replace_malloc.c:711) ==21224== by 0x4F6F565: sd_event_new (sd-event.c:431) ==21224== by 0x1210BE: run (nspawn.c:3351) ==21224== by 0x123908: main (nspawn.c:3826) ==21224== ==21224== LEAK SUMMARY: ==21224== definitely lost: 656 bytes in 1 blocks ==21224== indirectly lost: 1,788 bytes in 11 blocks ==21224== possibly lost: 0 bytes in 0 blocks ==21224== still reachable: 8,344 bytes in 3 blocks ==21224== suppressed: 0 bytes in 0 blocks ``` Closes #4934
2016-12-21 18:36:15 +01:00
(void) sd_event_source_set_description(*notify_event_source, "nspawn-notify");
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
return 0;
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
static int load_settings(void) {
_cleanup_(settings_freep) Settings *settings = NULL;
_cleanup_fclose_ FILE *f = NULL;
_cleanup_free_ char *p = NULL;
const char *fn, *i;
int r;
/* If all settings are masked, there's no point in looking for
* the settings file */
if ((arg_settings_mask & _SETTINGS_MASK_ALL) == _SETTINGS_MASK_ALL)
return 0;
fn = strjoina(arg_machine, ".nspawn");
/* We first look in the admin's directories in /etc and /run */
FOREACH_STRING(i, "/etc/systemd/nspawn", "/run/systemd/nspawn") {
_cleanup_free_ char *j = NULL;
tree-wide: drop NULL sentinel from strjoin This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later.
2016-10-23 17:43:27 +02:00
j = strjoin(i, "/", fn);
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
if (!j)
return log_oom();
f = fopen(j, "re");
if (f) {
p = j;
j = NULL;
doc: correct punctuation and improve typography in documentation
2014-08-03 07:11:12 +02:00
/* By default, we trust configuration from /etc and /run */
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
if (arg_settings_trusted < 0)
arg_settings_trusted = true;
break;
}
if (errno != ENOENT)
return log_error_errno(errno, "Failed to open %s: %m", j);
}
if (!f) {
/* After that, let's look for a file next to the
* actual image we shall boot. */
if (arg_image) {
p = file_in_same_dir(arg_image, fn);
if (!p)
return log_oom();
} else if (arg_directory) {
p = file_in_same_dir(arg_directory, fn);
if (!p)
return log_oom();
}
if (p) {
f = fopen(p, "re");
if (!f && errno != ENOENT)
return log_error_errno(errno, "Failed to open %s: %m", p);
doc: correct punctuation and improve typography in documentation
2014-08-03 07:11:12 +02:00
/* By default, we do not trust configuration from /var/lib/machines */
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
if (arg_settings_trusted < 0)
arg_settings_trusted = false;
}
}
if (!f)
return 0;
log_debug("Settings are trusted: %s", yes_no(arg_settings_trusted));
r = settings_load(f, p, &settings);
if (r < 0)
return r;
/* Copy over bits from the settings, unless they have been
* explicitly masked by command line switches. */
nspawn: optionally run a stub init process as PID 1 This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-03 20:32:06 +01:00
if ((arg_settings_mask & SETTING_START_MODE) == 0 &&
settings->start_mode >= 0) {
arg_start_mode = settings->start_mode;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
strv_free(arg_parameters);
arg_parameters = settings->parameters;
settings->parameters = NULL;
}
nspawn: Add support for sysroot pivoting (#5258) Add a new --pivot-root argument to systemd-nspawn, which specifies a directory to pivot to / inside the container; while the original / is pivoted to another specified directory (if provided). This adds support for booting container images which may contain several bootable sysroots, as is common with OSTree disk images. When these disk images are booted on real hardware, ostree-prepare-root is run in conjunction with sysroot.mount in the initramfs to achieve the same results.
2017-02-08 16:54:31 +01:00
if ((arg_settings_mask & SETTING_PIVOT_ROOT) == 0 &&
settings->pivot_root_new) {
free_and_replace(arg_pivot_root_new, settings->pivot_root_new);
free_and_replace(arg_pivot_root_old, settings->pivot_root_old);
}
nspawn: add new --chdir= switch Fixes: #2192
2016-02-02 01:52:01 +01:00
if ((arg_settings_mask & SETTING_WORKING_DIRECTORY) == 0 &&
settings->working_directory) {
free(arg_chdir);
arg_chdir = settings->working_directory;
settings->working_directory = NULL;
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
if ((arg_settings_mask & SETTING_ENVIRONMENT) == 0 &&
settings->environment) {
strv_free(arg_setenv);
arg_setenv = settings->environment;
settings->environment = NULL;
}
if ((arg_settings_mask & SETTING_USER) == 0 &&
settings->user) {
free(arg_user);
arg_user = settings->user;
settings->user = NULL;
}
if ((arg_settings_mask & SETTING_CAPABILITY) == 0) {
nspawn: rework how we determine private networking settings Make sure we acquire CAP_NET_ADMIN if we require virtual networking. Make sure we imply virtual ethernet correctly when bridge is request. Fixes: #1511 Fixes: #1554 Fixes: #1590
2015-10-22 00:59:18 +02:00
uint64_t plus;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
nspawn: rework how we determine private networking settings Make sure we acquire CAP_NET_ADMIN if we require virtual networking. Make sure we imply virtual ethernet correctly when bridge is request. Fixes: #1511 Fixes: #1554 Fixes: #1590
2015-10-22 00:59:18 +02:00
plus = settings->capability;
if (settings_private_network(settings))
plus |= (1ULL << CAP_NET_ADMIN);
if (!arg_settings_trusted && plus != 0) {
if (settings->capability != 0)
log_warning("Ignoring Capability= setting, file %s is not trusted.", p);
} else
nspawn: rename arg_retain to arg_caps_retain The argument is about capabilities.
2016-05-26 13:06:55 +02:00
arg_caps_retain |= plus;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
nspawn: rename arg_retain to arg_caps_retain The argument is about capabilities.
2016-05-26 13:06:55 +02:00
arg_caps_retain &= ~settings->drop_capability;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
}
if ((arg_settings_mask & SETTING_KILL_SIGNAL) == 0 &&
settings->kill_signal > 0)
arg_kill_signal = settings->kill_signal;
if ((arg_settings_mask & SETTING_PERSONALITY) == 0 &&
settings->personality != PERSONALITY_INVALID)
arg_personality = settings->personality;
if ((arg_settings_mask & SETTING_MACHINE_ID) == 0 &&
!sd_id128_is_null(settings->machine_id)) {
if (!arg_settings_trusted)
log_warning("Ignoring MachineID= setting, file %s is not trusted.", p);
else
arg_uuid = settings->machine_id;
}
if ((arg_settings_mask & SETTING_READ_ONLY) == 0 &&
settings->read_only >= 0)
arg_read_only = settings->read_only;
if ((arg_settings_mask & SETTING_VOLATILE_MODE) == 0 &&
settings->volatile_mode != _VOLATILE_MODE_INVALID)
arg_volatile_mode = settings->volatile_mode;
if ((arg_settings_mask & SETTING_CUSTOM_MOUNTS) == 0 &&
settings->n_custom_mounts > 0) {
if (!arg_settings_trusted)
log_warning("Ignoring TemporaryFileSystem=, Bind= and BindReadOnly= settings, file %s is not trusted.", p);
else {
custom_mount_free_all(arg_custom_mounts, arg_n_custom_mounts);
arg_custom_mounts = settings->custom_mounts;
arg_n_custom_mounts = settings->n_custom_mounts;
settings->custom_mounts = NULL;
settings->n_custom_mounts = 0;
}
}
if ((arg_settings_mask & SETTING_NETWORK) == 0 &&
(settings->private_network >= 0 ||
settings->network_veth >= 0 ||
settings->network_bridge ||
nspawn: add new --network-zone= switch for automatically managed bridge devices This adds a new concept of network "zones", which are little more than bridge devices that are automatically managed by nspawn: when the first container referencing a bridge is started, the bridge device is created, when the last container referencing it is removed the bridge device is removed again. Besides this logic --network-zone= is pretty much identical to --network-bridge=. The usecase for this is to make it easy to run multiple related containers (think MySQL in one and Apache in another) in a common, named virtual Ethernet broadcast zone, that only exists as long as one of them is running, and fully automatically managed otherwise.
2016-05-06 21:00:27 +02:00
settings->network_zone ||
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
settings->network_interfaces ||
settings->network_macvlan ||
nspawn: add new --network-veth-extra= switch for defining additional veth links The new switch operates like --network-veth, but may be specified multiple times (to define multiple link pairs) and allows flexible definition of the interface names. This is an independent reimplementation of #1678, but defines different semantics, keeping the behaviour completely independent of --network-veth. It also comes will full hook-up for .nspawn files, and the matching documentation.
2015-11-12 21:54:28 +01:00
settings->network_ipvlan ||
settings->network_veth_extra)) {
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
if (!arg_settings_trusted)
log_warning("Ignoring network settings, file %s is not trusted.", p);
else {
nspawn: add new --network-veth-extra= switch for defining additional veth links The new switch operates like --network-veth, but may be specified multiple times (to define multiple link pairs) and allows flexible definition of the interface names. This is an independent reimplementation of #1678, but defines different semantics, keeping the behaviour completely independent of --network-veth. It also comes will full hook-up for .nspawn files, and the matching documentation.
2015-11-12 21:54:28 +01:00
arg_network_veth = settings_network_veth(settings);
nspawn: rework how we determine private networking settings Make sure we acquire CAP_NET_ADMIN if we require virtual networking. Make sure we imply virtual ethernet correctly when bridge is request. Fixes: #1511 Fixes: #1554 Fixes: #1590
2015-10-22 00:59:18 +02:00
arg_private_network = settings_private_network(settings);
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
strv_free(arg_network_interfaces);
arg_network_interfaces = settings->network_interfaces;
settings->network_interfaces = NULL;
strv_free(arg_network_macvlan);
arg_network_macvlan = settings->network_macvlan;
settings->network_macvlan = NULL;
strv_free(arg_network_ipvlan);
arg_network_ipvlan = settings->network_ipvlan;
settings->network_ipvlan = NULL;
nspawn: add new --network-veth-extra= switch for defining additional veth links The new switch operates like --network-veth, but may be specified multiple times (to define multiple link pairs) and allows flexible definition of the interface names. This is an independent reimplementation of #1678, but defines different semantics, keeping the behaviour completely independent of --network-veth. It also comes will full hook-up for .nspawn files, and the matching documentation.
2015-11-12 21:54:28 +01:00
strv_free(arg_network_veth_extra);
arg_network_veth_extra = settings->network_veth_extra;
settings->network_veth_extra = NULL;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
free(arg_network_bridge);
arg_network_bridge = settings->network_bridge;
settings->network_bridge = NULL;
nspawn: add new --network-zone= switch for automatically managed bridge devices This adds a new concept of network "zones", which are little more than bridge devices that are automatically managed by nspawn: when the first container referencing a bridge is started, the bridge device is created, when the last container referencing it is removed the bridge device is removed again. Besides this logic --network-zone= is pretty much identical to --network-bridge=. The usecase for this is to make it easy to run multiple related containers (think MySQL in one and Apache in another) in a common, named virtual Ethernet broadcast zone, that only exists as long as one of them is running, and fully automatically managed otherwise.
2016-05-06 21:00:27 +02:00
free(arg_network_zone);
arg_network_zone = settings->network_zone;
settings->network_zone = NULL;
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
}
}
if ((arg_settings_mask & SETTING_EXPOSE_PORTS) == 0 &&
settings->expose_ports) {
if (!arg_settings_trusted)
log_warning("Ignoring Port= setting, file %s is not trusted.", p);
else {
expose_port_free_all(arg_expose_ports);
arg_expose_ports = settings->expose_ports;
settings->expose_ports = NULL;
}
}
nspawn: allow configuration of user namespaces in .nspawn files In order to implement this we change the bool arg_userns into an enum UserNamespaceMode, which can take one of NO, PICK or FIXED, and replace the arg_uid_range_pick bool with it.
2016-04-22 13:02:53 +02:00
if ((arg_settings_mask & SETTING_USERNS) == 0 &&
settings->userns_mode != _USER_NAMESPACE_MODE_INVALID) {
if (!arg_settings_trusted)
log_warning("Ignoring PrivateUsers= and PrivateUsersChown= settings, file %s is not trusted.", p);
else {
arg_userns_mode = settings->userns_mode;
arg_uid_shift = settings->uid_shift;
arg_uid_range = settings->uid_range;
arg_userns_chown = settings->userns_chown;
}
}
nspawn: introduce --notify-ready=[no|yes] (#3474) This the patch implements a notificaiton mechanism from the init process in the container to systemd-nspawn. The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1" message from the init process in the container to send its own to systemd. --notify-ready=no is equivalent to the previous behavior before this patch, systemd-nspawn notifies systemd with a "READY=1" message when the container is created. This notificaiton mechanism uses socket file with path relative to the contanier "/run/systemd/nspawn/notify". The default values it --notify-ready=no. It is also possible to configure this mechanism from the .nspawn files using NotifyReady. This parameter takes the same options of the command line switch. Before this patch, systemd-nspawn notifies "ready" after the inner child was created, regardless the status of the service running inside it. Now, with --notify-ready=yes, systemd-nspawn notifies when the service is ready. This is really useful when there are dependencies between different contaniers. Fixes https://github.com/systemd/systemd/issues/1369 Based on the work from https://github.com/systemd/systemd/pull/3022 Testing: Boot a OS inside a container with systemd-nspawn. Note: modify the commands accordingly with your filesystem. 1. Create a filesystem where you can boot an OS. 2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh 2.1. Create the unit file /etc/systemd/system/sleep.service inside the container (You can use the example below) 2.2. systemdctl enable sleep 2.3 exit 3. sudo systemd-run --service-type=notify --unit=notify-test ${HOME}/systemd/systemd-nspawn --notify-ready=yes -D ${HOME}/distros/fedora-23/ -b 4. In a different shell run "systemctl status notify-test" When using --notify-ready=yes the service status is "activating" for 20 seconds before being set to "active (running)". Instead, using --notify-ready=no the service status is marked "active (running)" quickly, without waiting for the 20 seconds. This patch was also test with --private-users=yes, you can test it just adding it at the end of the command at point 3. ------ sleep.service ------ [Unit] Description=sleep After=network.target [Service] Type=oneshot ExecStart=/bin/sleep 20 [Install] WantedBy=multi-user.target ------------ end ------------
2016-06-10 13:09:06 +02:00
if ((arg_settings_mask & SETTING_NOTIFY_READY) == 0)
arg_notify_ready = settings->notify_ready;
nspawn: implement configurable syscall whitelisting/blacklisting Now that we have ported nspawn's seccomp code to the generic code in seccomp-util, let's extend it to support whitelisting and blacklisting of specific additional syscalls. This uses similar syntax as PID1's support for system call filtering, but in contrast to that always implements a blacklist (and not a whitelist), as we prepopulate the filter with a blacklist, and the unit's system call filter logic does not come with anything prepopulated. (Later on we might actually want to invert the logic here, and whitelist rather than blacklist things, but at this point let's not do that. In case we switch this over later, the syscall add/remove logic of this commit should be compatible conceptually.) Fixes: #5163 Replaces: #5944
2017-09-11 17:45:21 +02:00
if ((arg_settings_mask & SETTING_SYSCALL_FILTER) == 0) {
if (!arg_settings_trusted && !strv_isempty(arg_syscall_whitelist))
log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", p);
else {
strv_free(arg_syscall_whitelist);
strv_free(arg_syscall_blacklist);
arg_syscall_whitelist = settings->syscall_whitelist;
arg_syscall_blacklist = settings->syscall_blacklist;
settings->syscall_whitelist = settings->syscall_blacklist = NULL;
}
}
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
return 0;
}
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
static int run(int master,
const char* console,
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
DissectedImage *dissected_image,
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
bool interactive,
bool secondary,
FDSet *fds,
char veth_name[IFNAMSIZ], bool *veth_created,
union in_addr_union *exposed,
pid_t *pid, int *ret) {
static const struct sigaction sa = {
.sa_handler = nop_signal_handler,
tree-wide: set SA_RESTART for signal handlers we install We already set it in most cases, but make sure to set it in all others too, and document that that's a good idea.
2016-11-30 15:07:43 +01:00
.sa_flags = SA_NOCLDSTOP|SA_RESTART,
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
};
_cleanup_release_lock_file_ LockFile uid_shift_lock = LOCK_FILE_INIT;
_cleanup_close_ int etc_passwd_lock = -1;
_cleanup_close_pair_ int
kmsg_socket_pair[2] = { -1, -1 },
rtnl_socket_pair[2] = { -1, -1 },
pid_socket_pair[2] = { -1, -1 },
uuid_socket_pair[2] = { -1, -1 },
notify_socket_pair[2] = { -1, -1 },
nspawn: figure out cgroup mode *after* mounting image If we operate on a disk image (i.e. --image=) then it's pointless to look into the mount directory before it is actually mounted to see which systemd version is running inside... Unfortunately we only mount the disk image in the child process, but the parent needs to know the cgroup mode, hence add some IPC for this purpose and communicate the cgroup mode determined from the image back to the parent.
2017-11-27 20:49:35 +01:00
uid_shift_socket_pair[2] = { -1, -1 },
unified_cgroup_hierarchy_socket_pair[2] = { -1, -1};
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
_cleanup_close_ int notify_socket= -1;
_cleanup_(barrier_destroy) Barrier barrier = BARRIER_NULL;
nspawn: unref the notify event source (#4941) Fixes: ``` sudo ./libtool --mode=execute valgrind --leak-check=full ./systemd-nspawn -D ./CONT/ -b ... ==21224== 2,444 (656 direct, 1,788 indirect) bytes in 1 blocks are definitely lost in loss record 13 of 15 ==21224== at 0x4C2FA50: calloc (vg_replace_malloc.c:711) ==21224== by 0x4F6F565: sd_event_new (sd-event.c:431) ==21224== by 0x1210BE: run (nspawn.c:3351) ==21224== by 0x123908: main (nspawn.c:3826) ==21224== ==21224== LEAK SUMMARY: ==21224== definitely lost: 656 bytes in 1 blocks ==21224== indirectly lost: 1,788 bytes in 11 blocks ==21224== possibly lost: 0 bytes in 0 blocks ==21224== still reachable: 8,344 bytes in 3 blocks ==21224== suppressed: 0 bytes in 0 blocks ``` Closes #4934
2016-12-21 18:36:15 +01:00
_cleanup_(sd_event_source_unrefp) sd_event_source *notify_event_source = NULL;
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
_cleanup_(sd_event_unrefp) sd_event *event = NULL;
_cleanup_(pty_forward_freep) PTYForward *forward = NULL;
_cleanup_(sd_netlink_unrefp) sd_netlink *rtnl = NULL;
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
ContainerStatus container_status = 0;
char last_char = 0;
int ifi = 0, r;
ssize_t l;
sigset_t mask_chld;
nspawn: introduce an option for specifying network namespace path Add a new option `--network-namespace-path` to systemd-nspawn to allow users to specify an arbitrary network namespace, e.g. `/run/netns/foo`. Then systemd-nspawn will open the netns file, pass the fd to outer_child, and enter the namespace represented by the fd before running inner_child. ``` $ sudo ip netns add foo $ mount | grep /run/netns/foo nsfs on /run/netns/foo type nsfs (rw) ... $ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \ /bin/readlink -f /proc/self/ns/net /proc/1/ns/net:[4026532009] ``` Note that the option `--network-namespace-path=` cannot be used together with other network-related options such as `--private-network` so that the options do not conflict with each other. Fixes https://github.com/systemd/systemd/issues/7361
2017-11-24 18:22:17 +01:00
_cleanup_close_ int netns_fd = -1;
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
assert_se(sigemptyset(&mask_chld) == 0);
assert_se(sigaddset(&mask_chld, SIGCHLD) == 0);
if (arg_userns_mode == USER_NAMESPACE_PICK) {
/* When we shall pick the UID/GID range, let's first lock /etc/passwd, so that we can safely
* check with getpwuid() if the specific user already exists. Note that /etc might be
* read-only, in which case this will fail with EROFS. But that's really OK, as in that case we
* can be reasonably sure that no users are going to be added. Note that getpwuid() checks are
* really just an extra safety net. We kinda assume that the UID range we allocate from is
* really ours. */
etc_passwd_lock = take_etc_passwd_lock(NULL);
if (etc_passwd_lock < 0 && etc_passwd_lock != -EROFS)
return log_error_errno(etc_passwd_lock, "Failed to take /etc/passwd lock: %m");
}
r = barrier_create(&barrier);
if (r < 0)
return log_error_errno(r, "Cannot initialize IPC barrier: %m");
if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, kmsg_socket_pair) < 0)
return log_error_errno(errno, "Failed to create kmsg socket pair: %m");
if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, rtnl_socket_pair) < 0)
return log_error_errno(errno, "Failed to create rtnl socket pair: %m");
if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, pid_socket_pair) < 0)
return log_error_errno(errno, "Failed to create pid socket pair: %m");
if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, uuid_socket_pair) < 0)
return log_error_errno(errno, "Failed to create id socket pair: %m");
if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, notify_socket_pair) < 0)
return log_error_errno(errno, "Failed to create notify socket pair: %m");
if (arg_userns_mode != USER_NAMESPACE_NO)
if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, uid_shift_socket_pair) < 0)
return log_error_errno(errno, "Failed to create uid shift socket pair: %m");
nspawn: figure out cgroup mode *after* mounting image If we operate on a disk image (i.e. --image=) then it's pointless to look into the mount directory before it is actually mounted to see which systemd version is running inside... Unfortunately we only mount the disk image in the child process, but the parent needs to know the cgroup mode, hence add some IPC for this purpose and communicate the cgroup mode determined from the image back to the parent.
2017-11-27 20:49:35 +01:00
if (arg_unified_cgroup_hierarchy == CGROUP_UNIFIED_UNKNOWN)
if (socketpair(AF_UNIX, SOCK_SEQPACKET|SOCK_CLOEXEC, 0, unified_cgroup_hierarchy_socket_pair) < 0)
return log_error_errno(errno, "Failed to create unified cgroup socket pair: %m");
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
/* Child can be killed before execv(), so handle SIGCHLD in order to interrupt
* parent's blocking calls and give it a chance to call wait() and terminate. */
r = sigprocmask(SIG_UNBLOCK, &mask_chld, NULL);
if (r < 0)
return log_error_errno(errno, "Failed to change the signal mask: %m");
r = sigaction(SIGCHLD, &sa, NULL);
if (r < 0)
return log_error_errno(errno, "Failed to install SIGCHLD handler: %m");
nspawn: introduce an option for specifying network namespace path Add a new option `--network-namespace-path` to systemd-nspawn to allow users to specify an arbitrary network namespace, e.g. `/run/netns/foo`. Then systemd-nspawn will open the netns file, pass the fd to outer_child, and enter the namespace represented by the fd before running inner_child. ``` $ sudo ip netns add foo $ mount | grep /run/netns/foo nsfs on /run/netns/foo type nsfs (rw) ... $ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \ /bin/readlink -f /proc/self/ns/net /proc/1/ns/net:[4026532009] ``` Note that the option `--network-namespace-path=` cannot be used together with other network-related options such as `--private-network` so that the options do not conflict with each other. Fixes https://github.com/systemd/systemd/issues/7361
2017-11-24 18:22:17 +01:00
if (arg_network_namespace_path) {
netns_fd = open(arg_network_namespace_path, O_RDONLY|O_NOCTTY|O_CLOEXEC);
if (netns_fd < 0)
return log_error_errno(errno, "Cannot open file %s: %m", arg_network_namespace_path);
r = fd_is_network_ns(netns_fd);
if (r < 0 && r != -ENOTTY)
return log_error_errno(r, "Failed to check %s fs type: %m", arg_network_namespace_path);
if (r == 0) {
log_error("Path %s doesn't refer to a network namespace", arg_network_namespace_path);
return -EINVAL;
}
}
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
*pid = raw_clone(SIGCHLD|CLONE_NEWNS);
if (*pid < 0)
return log_error_errno(errno, "clone() failed%s: %m",
errno == EINVAL ?
", do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in)" : "");
if (*pid == 0) {
/* The outer child only has a file system namespace. */
barrier_set_role(&barrier, BARRIER_CHILD);
master = safe_close(master);
kmsg_socket_pair[0] = safe_close(kmsg_socket_pair[0]);
rtnl_socket_pair[0] = safe_close(rtnl_socket_pair[0]);
pid_socket_pair[0] = safe_close(pid_socket_pair[0]);
uuid_socket_pair[0] = safe_close(uuid_socket_pair[0]);
notify_socket_pair[0] = safe_close(notify_socket_pair[0]);
uid_shift_socket_pair[0] = safe_close(uid_shift_socket_pair[0]);
nspawn: figure out cgroup mode *after* mounting image If we operate on a disk image (i.e. --image=) then it's pointless to look into the mount directory before it is actually mounted to see which systemd version is running inside... Unfortunately we only mount the disk image in the child process, but the parent needs to know the cgroup mode, hence add some IPC for this purpose and communicate the cgroup mode determined from the image back to the parent.
2017-11-27 20:49:35 +01:00
unified_cgroup_hierarchy_socket_pair[0] = safe_close(unified_cgroup_hierarchy_socket_pair[0]);
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
(void) reset_all_signal_handlers();
(void) reset_signal_mask();
r = outer_child(&barrier,
arg_directory,
console,
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
dissected_image,
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
interactive,
secondary,
pid_socket_pair[1],
uuid_socket_pair[1],
notify_socket_pair[1],
kmsg_socket_pair[1],
rtnl_socket_pair[1],
uid_shift_socket_pair[1],
nspawn: figure out cgroup mode *after* mounting image If we operate on a disk image (i.e. --image=) then it's pointless to look into the mount directory before it is actually mounted to see which systemd version is running inside... Unfortunately we only mount the disk image in the child process, but the parent needs to know the cgroup mode, hence add some IPC for this purpose and communicate the cgroup mode determined from the image back to the parent.
2017-11-27 20:49:35 +01:00
unified_cgroup_hierarchy_socket_pair[1],
nspawn: introduce an option for specifying network namespace path Add a new option `--network-namespace-path` to systemd-nspawn to allow users to specify an arbitrary network namespace, e.g. `/run/netns/foo`. Then systemd-nspawn will open the netns file, pass the fd to outer_child, and enter the namespace represented by the fd before running inner_child. ``` $ sudo ip netns add foo $ mount | grep /run/netns/foo nsfs on /run/netns/foo type nsfs (rw) ... $ sudo systemd-nspawn -D /srv/fc27 --network-namespace-path=/run/netns/foo \ /bin/readlink -f /proc/self/ns/net /proc/1/ns/net:[4026532009] ``` Note that the option `--network-namespace-path=` cannot be used together with other network-related options such as `--private-network` so that the options do not conflict with each other. Fixes https://github.com/systemd/systemd/issues/7361
2017-11-24 18:22:17 +01:00
fds,
netns_fd);
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
if (r < 0)
_exit(EXIT_FAILURE);
_exit(EXIT_SUCCESS);
}
barrier_set_role(&barrier, BARRIER_PARENT);
fds = fdset_free(fds);
kmsg_socket_pair[1] = safe_close(kmsg_socket_pair[1]);
rtnl_socket_pair[1] = safe_close(rtnl_socket_pair[1]);
pid_socket_pair[1] = safe_close(pid_socket_pair[1]);
uuid_socket_pair[1] = safe_close(uuid_socket_pair[1]);
notify_socket_pair[1] = safe_close(notify_socket_pair[1]);
uid_shift_socket_pair[1] = safe_close(uid_shift_socket_pair[1]);
nspawn: figure out cgroup mode *after* mounting image If we operate on a disk image (i.e. --image=) then it's pointless to look into the mount directory before it is actually mounted to see which systemd version is running inside... Unfortunately we only mount the disk image in the child process, but the parent needs to know the cgroup mode, hence add some IPC for this purpose and communicate the cgroup mode determined from the image back to the parent.
2017-11-27 20:49:35 +01:00
unified_cgroup_hierarchy_socket_pair[1] = safe_close(unified_cgroup_hierarchy_socket_pair[1]);
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
if (arg_userns_mode != USER_NAMESPACE_NO) {
/* The child just let us know the UID shift it might have read from the image. */
l = recv(uid_shift_socket_pair[0], &arg_uid_shift, sizeof arg_uid_shift, 0);
if (l < 0)
return log_error_errno(errno, "Failed to read UID shift: %m");
if (l != sizeof arg_uid_shift) {
log_error("Short read while reading UID shift.");
return -EIO;
}
if (arg_userns_mode == USER_NAMESPACE_PICK) {
/* If we are supposed to pick the UID shift, let's try to use the shift read from the
* image, but if that's already in use, pick a new one, and report back to the child,
* which one we now picked. */
r = uid_shift_pick(&arg_uid_shift, &uid_shift_lock);
if (r < 0)
return log_error_errno(r, "Failed to pick suitable UID/GID range: %m");
l = send(uid_shift_socket_pair[0], &arg_uid_shift, sizeof arg_uid_shift, MSG_NOSIGNAL);
if (l < 0)
return log_error_errno(errno, "Failed to send UID shift: %m");
if (l != sizeof arg_uid_shift) {
log_error("Short write while writing UID shift.");
return -EIO;
}
}
}
nspawn: figure out cgroup mode *after* mounting image If we operate on a disk image (i.e. --image=) then it's pointless to look into the mount directory before it is actually mounted to see which systemd version is running inside... Unfortunately we only mount the disk image in the child process, but the parent needs to know the cgroup mode, hence add some IPC for this purpose and communicate the cgroup mode determined from the image back to the parent.
2017-11-27 20:49:35 +01:00
if (arg_unified_cgroup_hierarchy == CGROUP_UNIFIED_UNKNOWN) {
/* The child let us know the support cgroup mode it might have read from the image. */
l = recv(unified_cgroup_hierarchy_socket_pair[0], &arg_unified_cgroup_hierarchy, sizeof(arg_unified_cgroup_hierarchy), 0);
if (l < 0)
return log_error_errno(errno, "Failed to read cgroup mode: %m");
if (l != sizeof(arg_unified_cgroup_hierarchy)) {
log_error("Short read while reading cgroup mode.");
return -EIO;
}
}
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
/* Wait for the outer child. */
tree-wide: unify the process name we pass to wait_for_terminate_and_check() with the one we pass to safe_fork()
2017-12-29 18:09:16 +01:00
r = wait_for_terminate_and_check("(sd-namespace)", *pid, WAIT_LOG_ABNORMAL);
if (r < 0)
return r;
if (r != EXIT_SUCCESS)
return -EIO;
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
/* And now retrieve the PID of the inner child. */
l = recv(pid_socket_pair[0], pid, sizeof *pid, 0);
if (l < 0)
return log_error_errno(errno, "Failed to read inner child PID: %m");
if (l != sizeof *pid) {
log_error("Short read while reading inner child PID.");
return -EIO;
}
/* We also retrieve container UUID in case it was generated by outer child */
l = recv(uuid_socket_pair[0], &arg_uuid, sizeof arg_uuid, 0);
if (l < 0)
return log_error_errno(errno, "Failed to read container machine ID: %m");
if (l != sizeof(arg_uuid)) {
log_error("Short read while reading container machined ID.");
return -EIO;
}
/* We also retrieve the socket used for notifications generated by outer child */
notify_socket = receive_one_fd(notify_socket_pair[0], 0);
if (notify_socket < 0)
return log_error_errno(notify_socket,
"Failed to receive notification socket from the outer child: %m");
log_debug("Init process invoked as PID "PID_FMT, *pid);
if (arg_userns_mode != USER_NAMESPACE_NO) {
if (!barrier_place_and_sync(&barrier)) { /* #1 */
log_error("Child died too early.");
return -ESRCH;
}
r = setup_uid_map(*pid);
if (r < 0)
return r;
(void) barrier_place(&barrier); /* #2 */
}
if (arg_private_network) {
r = move_network_interfaces(*pid, arg_network_interfaces);
if (r < 0)
return r;
if (arg_network_veth) {
r = setup_veth(arg_machine, *pid, veth_name,
arg_network_bridge || arg_network_zone);
if (r < 0)
return r;
else if (r > 0)
ifi = r;
if (arg_network_bridge) {
/* Add the interface to a bridge */
r = setup_bridge(veth_name, arg_network_bridge, false);
if (r < 0)
return r;
if (r > 0)
ifi = r;
} else if (arg_network_zone) {
/* Add the interface to a bridge, possibly creating it */
r = setup_bridge(veth_name, arg_network_zone, true);
if (r < 0)
return r;
if (r > 0)
ifi = r;
}
}
r = setup_veth_extra(arg_machine, *pid, arg_network_veth_extra);
if (r < 0)
return r;
/* We created the primary and extra veth links now; let's remember this, so that we know to
remove them later on. Note that we don't bother with removing veth links that were created
here when their setup failed half-way, because in that case the kernel should be able to
remove them on its own, since they cannot be referenced by anything yet. */
*veth_created = true;
r = setup_macvlan(arg_machine, *pid, arg_network_macvlan);
if (r < 0)
return r;
r = setup_ipvlan(arg_machine, *pid, arg_network_ipvlan);
if (r < 0)
return r;
}
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
if (arg_register || !arg_keep_unit) {
r = sd_bus_default_system(&bus);
if (r < 0)
return log_error_errno(r, "Failed to open system bus: %m");
}
if (!arg_keep_unit) {
/* When a new scope is created for this container, then we'll be registered as its controller, in which
* case PID 1 will send us a friendly RequestStop signal, when it is asked to terminate the
* scope. Let's hook into that, and cleanly shut down the container, and print a friendly message. */
tree-wide: install matches asynchronously Let's remove a number of synchronization points from our service startups: let's drop synchronous match installation, and let's opt for asynchronous instead. Also, let's use sd_bus_match_signal() instead of sd_bus_add_match() where we can.
2017-12-19 12:29:04 +01:00
r = sd_bus_match_signal_async(
bus,
NULL,
"org.freedesktop.systemd1",
NULL,
"org.freedesktop.systemd1.Scope",
"RequestStop",
on_request_stop, NULL, PID_TO_PTR(*pid));
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
if (r < 0)
tree-wide: install matches asynchronously Let's remove a number of synchronization points from our service startups: let's drop synchronous match installation, and let's opt for asynchronous instead. Also, let's use sd_bus_match_signal() instead of sd_bus_add_match() where we can.
2017-12-19 12:29:04 +01:00
return log_error_errno(r, "Failed to request RequestStop match: %m");
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
}
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
if (arg_register) {
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
r = register_machine(
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
bus,
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
arg_machine,
*pid,
arg_directory,
arg_uuid,
ifi,
arg_slice,
arg_custom_mounts, arg_n_custom_mounts,
arg_kill_signal,
arg_property,
arg_keep_unit,
arg_container_service_name);
if (r < 0)
return r;
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
nspawn: register a scope for the unit if --register=no is specified (#6166) Previously, only when --register=yes was set (the default) the invoked container would get its own scope, created by machined on behalf of nspawn. With this change if --register=no is set nspawn will still get its own scope (which is a good thing, so that --slice= and --property= take effect), but this is not done through machined but by registering a scope unit directly in PID 1. Summary: --register=yes → allocate a new scope through machined (the default) --register=yes --keep-unit → use the unit we are already running in an register with machined --register=no → allocate a new scope directly, but no machined --register=no --keep-unit → do not allocate nor register anything Fixes: #5823
2017-06-28 19:22:46 +02:00
} else if (!arg_keep_unit) {
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
nspawn: register a scope for the unit if --register=no is specified (#6166) Previously, only when --register=yes was set (the default) the invoked container would get its own scope, created by machined on behalf of nspawn. With this change if --register=no is set nspawn will still get its own scope (which is a good thing, so that --slice= and --property= take effect), but this is not done through machined but by registering a scope unit directly in PID 1. Summary: --register=yes → allocate a new scope through machined (the default) --register=yes --keep-unit → use the unit we are already running in an register with machined --register=no → allocate a new scope directly, but no machined --register=no --keep-unit → do not allocate nor register anything Fixes: #5823
2017-06-28 19:22:46 +02:00
r = allocate_scope(
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
bus,
nspawn: register a scope for the unit if --register=no is specified (#6166) Previously, only when --register=yes was set (the default) the invoked container would get its own scope, created by machined on behalf of nspawn. With this change if --register=no is set nspawn will still get its own scope (which is a good thing, so that --slice= and --property= take effect), but this is not done through machined but by registering a scope unit directly in PID 1. Summary: --register=yes → allocate a new scope through machined (the default) --register=yes --keep-unit → use the unit we are already running in an register with machined --register=no → allocate a new scope directly, but no machined --register=no --keep-unit → do not allocate nor register anything Fixes: #5823
2017-06-28 19:22:46 +02:00
arg_machine,
*pid,
arg_slice,
arg_custom_mounts, arg_n_custom_mounts,
arg_kill_signal,
arg_property);
if (r < 0)
return r;
} else if (arg_slice || arg_property)
log_notice("Machine and scope registration turned off, --slice= and --property= settings will have no effect.");
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
nspawn: cleanup and chown the synced cgroup hierarchy (#4223) Fixes: #4181
2016-10-13 15:50:46 +02:00
r = sync_cgroup(*pid, arg_unified_cgroup_hierarchy, arg_uid_shift);
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
if (r < 0)
return r;
if (arg_keep_unit) {
r = create_subcgroup(*pid, arg_unified_cgroup_hierarchy);
if (r < 0)
return r;
}
nspawn: when in hybrid mode, chown() both the legacy and the unified hierarchy to the root in the container If user namespacing is used, let's make sure that the root user in the container gets access to both /sys/fs/cgroup/systemd and /sys/fs/cgroup/unified. This matches similar logic in cg_set_access().
2017-11-28 17:58:00 +01:00
r = chown_cgroup(*pid, arg_unified_cgroup_hierarchy, arg_uid_shift);
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
if (r < 0)
return r;
/* Notify the child that the parent is ready with all
* its setup (including cgroup-ification), and that
* the child can now hand over control to the code to
* run inside the container. */
(void) barrier_place(&barrier); /* #3 */
/* Block SIGCHLD here, before notifying child.
* process_pty() will handle it with the other signals. */
assert_se(sigprocmask(SIG_BLOCK, &mask_chld, NULL) >= 0);
/* Reset signal to default */
r = default_signals(SIGCHLD, -1);
if (r < 0)
return log_error_errno(r, "Failed to reset SIGCHLD: %m");
r = sd_event_new(&event);
if (r < 0)
return log_error_errno(r, "Failed to get default event source: %m");
nspawn: turn on watchdog logic for nspawn too It's a long-running daemon, and it's easy to enable, hence do it.
2017-12-07 11:58:25 +01:00
(void) sd_event_set_watchdog(event, true);
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
if (bus) {
r = sd_bus_attach_event(bus, event, 0);
if (r < 0)
return log_error_errno(r, "Failed to attach bus to event loop: %m");
}
nspawn: unref the notify event source (#4941) Fixes: ``` sudo ./libtool --mode=execute valgrind --leak-check=full ./systemd-nspawn -D ./CONT/ -b ... ==21224== 2,444 (656 direct, 1,788 indirect) bytes in 1 blocks are definitely lost in loss record 13 of 15 ==21224== at 0x4C2FA50: calloc (vg_replace_malloc.c:711) ==21224== by 0x4F6F565: sd_event_new (sd-event.c:431) ==21224== by 0x1210BE: run (nspawn.c:3351) ==21224== by 0x123908: main (nspawn.c:3826) ==21224== ==21224== LEAK SUMMARY: ==21224== definitely lost: 656 bytes in 1 blocks ==21224== indirectly lost: 1,788 bytes in 11 blocks ==21224== possibly lost: 0 bytes in 0 blocks ==21224== still reachable: 8,344 bytes in 3 blocks ==21224== suppressed: 0 bytes in 0 blocks ``` Closes #4934
2016-12-21 18:36:15 +01:00
r = setup_sd_notify_parent(event, notify_socket, PID_TO_PTR(*pid), &notify_event_source);
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
if (r < 0)
return r;
/* Let the child know that we are ready and wait that the child is completely ready now. */
if (!barrier_place_and_sync(&barrier)) { /* #4 */
log_error("Child died too early.");
return -ESRCH;
}
/* At this point we have made use of the UID we picked, and thus nss-mymachines
* will make them appear in getpwuid(), thus we can release the /etc/passwd lock. */
etc_passwd_lock = safe_close(etc_passwd_lock);
sd_notifyf(false,
"STATUS=Container running.\n"
"X_NSPAWN_LEADER_PID=" PID_FMT, *pid);
if (!arg_notify_ready)
sd_notify(false, "READY=1\n");
if (arg_kill_signal > 0) {
/* Try to kill the init system on SIGINT or SIGTERM */
sd_event_add_signal(event, NULL, SIGINT, on_orderly_shutdown, PID_TO_PTR(*pid));
sd_event_add_signal(event, NULL, SIGTERM, on_orderly_shutdown, PID_TO_PTR(*pid));
} else {
/* Immediately exit */
sd_event_add_signal(event, NULL, SIGINT, NULL, NULL);
sd_event_add_signal(event, NULL, SIGTERM, NULL, NULL);
}
nspawn: when getting SIGCHLD make sure it's from the first child (#4855) When getting SIGCHLD we should not assume that it was the first child forked from system-nspawn that has died as it may also be coming from an orphan process. This change adds a signal handler that ignores SIGCHLD unless it came from the first containerized child - the real child. Before this change the problem can be reproduced as follows: $ sudo systemd-nspawn --directory=/container-root --share-system Press ^] three times within 1s to kill container. [root@andreyu-coreos ~]# { true & } & [1] 22201 [root@andreyu-coreos ~]# Container root-fedora-latest terminated by signal KILL
2016-12-13 02:38:18 +01:00
/* Exit when the child exits */
sd_event_add_signal(event, NULL, SIGCHLD, on_sigchld, PID_TO_PTR(*pid));
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
if (arg_expose_ports) {
r = expose_port_watch_rtnl(event, rtnl_socket_pair[0], on_address_change, exposed, &rtnl);
if (r < 0)
return r;
(void) expose_port_execute(rtnl, arg_expose_ports, exposed);
}
rtnl_socket_pair[0] = safe_close(rtnl_socket_pair[0]);
r = pty_forward_new(event, master,
PTY_FORWARD_IGNORE_VHANGUP | (interactive ? 0 : PTY_FORWARD_READ_ONLY),
&forward);
if (r < 0)
return log_error_errno(r, "Failed to create PTY forwarder: %m");
r = sd_event_loop(event);
if (r < 0)
return log_error_errno(r, "Failed to run event loop: %m");
pty_forward_get_last_char(forward, &last_char);
forward = pty_forward_free(forward);
if (!arg_quiet && last_char != '\n')
putc('\n', stdout);
/* Kill if it is not dead yet anyway */
nspawn: make use of the RequestStop logic of scope units Since time began, scope units had a concept of "Controllers", a bus peer that would be notified when somebody requested a unit to stop. None of our code used that facility so far, let's change that. This way, nspawn can print a nice message when somebody invokes "systemctl stop" on the container's scope unit, and then react with the right action to shut it down.
2017-11-23 19:27:47 +01:00
if (arg_register && !arg_keep_unit && bus)
terminate_machine(bus, *pid);
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
/* Normally redundant, but better safe than sorry */
nspawn: remove temporary root directory on exit When mountint a loopback image, we need a temporary root directory we can mount stuff to. Make sure to actually remove it when exiting, so that we don't leave stuff around in /tmp unnecessarily. See: #4664
2016-11-19 00:00:16 +01:00
(void) kill(*pid, SIGKILL);
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
r = wait_for_container(*pid, &container_status);
*pid = 0;
if (r < 0)
/* We failed to wait for the container, or the container exited abnormally. */
return r;
if (r > 0 || container_status == CONTAINER_TERMINATED) {
nspawn: fix spurious reboot if container process returns 133
2016-10-07 16:31:47 +02:00
/* r > 0 → The container exited with a non-zero status.
* As a special case, we need to replace 133 with a different value,
* because 133 is special-cased in the service file to reboot the container.
* otherwise The container exited with zero status and a reboot was not requested.
*/
nspawn: restart the whole systemd-nspawn@.service unit on container reboot (#4613) Since 133 is now used in a few places, add a #define for it. Also make the status message a bit informative. Another issue introduced in b006762. The logic was borked, we were supposed to return 0 to break the loop, and 133 to restart the container, not the other way around. But this doesn't seem to work, reboot fails with: Nov 08 00:41:32 laptop systemd-nspawn[26564]: Failed to register machine: Machine 'fedora-rawhide' already exists So actually the version before this patch worked better, since 133 > 0 and we'd at least loop internally.
2016-11-14 11:49:49 +01:00
if (r == EXIT_FORCE_RESTART)
nspawn: fix spurious reboot if container process returns 133
2016-10-07 16:31:47 +02:00
r = EXIT_FAILURE; /* replace 133 with the general failure code */
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
*ret = r;
return 0; /* finito */
}
/* CONTAINER_REBOOTED, loop again */
if (arg_keep_unit) {
/* Special handling if we are running as a service: instead of simply
* restarting the machine we want to restart the entire service, so let's
* inform systemd about this with the special exit code 133. The service
* file uses RestartForceExitStatus=133 so that this results in a full
* nspawn restart. This is necessary since we might have cgroup parameters
* set we want to have flushed out. */
nspawn: restart the whole systemd-nspawn@.service unit on container reboot (#4613) Since 133 is now used in a few places, add a #define for it. Also make the status message a bit informative. Another issue introduced in b006762. The logic was borked, we were supposed to return 0 to break the loop, and 133 to restart the container, not the other way around. But this doesn't seem to work, reboot fails with: Nov 08 00:41:32 laptop systemd-nspawn[26564]: Failed to register machine: Machine 'fedora-rawhide' already exists So actually the version before this patch worked better, since 133 > 0 and we'd at least loop internally.
2016-11-14 11:49:49 +01:00
*ret = EXIT_FORCE_RESTART;
return 0; /* finito */
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
}
expose_port_flush(arg_expose_ports, exposed);
(void) remove_veth_links(veth_name, arg_network_veth_extra);
*veth_created = false;
return 1; /* loop again */
}
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
int main(int argc, char *argv[]) {
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
_cleanup_free_ char *console = NULL;
_cleanup_close_ int master = -1;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
_cleanup_fdset_free_ FDSet *fds = NULL;
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
int r, n_fd_passed, ret = EXIT_SUCCESS;
nspawn: initialize the veth_name (#3141) Fixes: $ systemd-nspawn -h ... Failed to remove veth interface ����: Operation not permitted This is a follow-up for d2773e59de3dd970d861
2016-04-28 19:48:17 +02:00
char veth_name[IFNAMSIZ] = "";
nspawn: add fallback top normal copy/reflink when we cannot btrfs snapshot Given that other file systems (notably: xfs) support reflinks these days, let's extend the file system snapshotting logic to fall back to plan copies or reflinks when full btrfs subvolume snapshots are not available. This essentially makes "systemd-nspawn --ephemeral" and "systemd-nspawn --template=" available on non-btrfs subvolumes. Of course, both operations will still be slower on non-btrfs than on btrfs (simply because reflinking each file individually in a directory tree is still slower than doing this in one step for a whole subvolume), but it's probably good enough for many cases, and we should provide the users with the tools, they have to figure out what's good for them. Note that "machinectl clone" already had a fallback like this in place, this patch generalizes this, and adds similar support to our other cases.
2016-11-21 20:02:43 +01:00
bool secondary = false, remove_directory = false, remove_image = false;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
pid_t pid = 0;
union in_addr_union exposed = {};
_cleanup_release_lock_file_ LockFile tree_global_lock = LOCK_FILE_INIT, tree_local_lock = LOCK_FILE_INIT;
nspawn: remove temporary root directory on exit When mountint a loopback image, we need a temporary root directory we can mount stuff to. Make sure to actually remove it when exiting, so that we don't leave stuff around in /tmp unnecessarily. See: #4664
2016-11-19 00:00:16 +01:00
bool interactive, veth_created = false, remove_tmprootdir = false;
char tmprootdir[] = "/tmp/nspawn-root-XXXXXX";
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
_cleanup_(loop_device_unrefp) LoopDevice *loop = NULL;
dissect: add support for encrypted images This adds support to the image dissector to deal with encrypted images (only LUKS). Given that we now have a neatly isolated image dissector codebase, let's add a new feature to it: support for automatically dealing with encrypted images. This is then exposed in systemd-dissect and nspawn. It's pretty basic: only support for passphrase-based encryption. In order to ensure that "systemd-dissect --mount" results in mount points whose backing LUKS DM devices are cleaned up automatically we use the DM_DEV_REMOVE ioctl() directly on the device (in DM_DEFERRED_REMOVE mode). libgcryptsetup at the moment doesn't provide a proper API for this. Thankfully, the ioctl() API is pretty easy to use.
2016-12-05 16:26:48 +01:00
_cleanup_(decrypted_image_unrefp) DecryptedImage *decrypted_image = NULL;
_cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
log_parse_environment();
log_open();
core: simplify cg_[all_]unified() cg_[all_]unified() test whether a specific controller or all controllers are on the unified hierarchy. While what's being asked is a simple binary question, the callers must assume that the functions may fail any time, which unnecessarily complicates their usages. This complication is unnecessary. Internally, the test result is cached anyway and there are only a few places where the test actually needs to be performed. This patch simplifies cg_[all_]unified(). * cg_[all_]unified() are updated to return bool. If the result can't be decided, assertion failure is triggered. Error handlings from their callers are dropped. * cg_unified_flush() is updated to calculate the new result synchrnously and return whether it succeeded or not. Places which need to flush the test result are updated to test for failure. This ensures that all the following cg_[all_]unified() tests succeed. * Places which expected possible cg_[all_]unified() failures are updated to call and test cg_unified_flush() before calling cg_[all_]unified(). This includes functions used while setting up mounts during boot and manager_setup_cgroup().
2016-11-21 20:45:53 +01:00
nspawn: optionally run a stub init process as PID 1 This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-03 20:32:06 +01:00
/* Make sure rename_process() in the stub init process can work */
saved_argv = argv;
saved_argc = argc;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
r = parse_argv(argc, argv);
if (r <= 0)
goto finish;
tree-wide: unify logging of "Must be root" message Let's unify this in one call, generalizing must_be_root() from bootctl.c.
2017-12-11 23:00:57 +01:00
r = must_be_root();
if (r < 0)
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
goto finish;
tree-wide: unify logging of "Must be root" message Let's unify this in one call, generalizing must_be_root() from bootctl.c.
2017-12-11 23:00:57 +01:00
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
r = determine_names();
if (r < 0)
goto finish;
r = load_settings();
if (r < 0)
goto finish;
r = verify_arguments();
if (r < 0)
goto finish;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
nspawn: figure out cgroup mode *after* mounting image If we operate on a disk image (i.e. --image=) then it's pointless to look into the mount directory before it is actually mounted to see which systemd version is running inside... Unfortunately we only mount the disk image in the child process, but the parent needs to know the cgroup mode, hence add some IPC for this purpose and communicate the cgroup mode determined from the image back to the parent.
2017-11-27 20:49:35 +01:00
r = detect_unified_cgroup_hierarchy_from_environment();
if (r < 0)
goto finish;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
n_fd_passed = sd_listen_fds(false);
if (n_fd_passed > 0) {
r = fdset_new_listen_fds(&fds, false);
if (r < 0) {
log_error_errno(r, "Failed to collect file descriptors: %m");
goto finish;
}
}
if (arg_directory) {
assert(!arg_image);
if (path_equal(arg_directory, "/") && !arg_ephemeral) {
log_error("Spawning container on root directory is not supported. Consider using --ephemeral.");
r = -EINVAL;
goto finish;
}
if (arg_ephemeral) {
_cleanup_free_ char *np = NULL;
nspawn: make use of CHASE_NON_EXISTING when locking image If --template= is used on an image, then the image might not exist initially. We can use CHASE_NON_EXISTING to properly lock the image already before it exists. Let's do so.
2016-11-29 18:16:43 +01:00
r = chase_symlinks_and_update(&arg_directory, 0);
nspawn: properly handle image/directory paths that are symlinks This resolves any paths specified on --directory=, --template=, and --image= before using them. This makes sure nspawn can be used correctly on symlinked images and directory trees. Fixes: #2001
2016-11-24 21:03:36 +01:00
if (r < 0)
goto finish;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
/* If the specified path is a mount point we
* generate the new snapshot immediately
* inside it under a random name. However if
* the specified is not a mount point we
* create the new snapshot in the parent
* directory, just next to it. */
tree-wide: stop using canonicalize_file_name(), use chase_symlinks() instead Let's use chase_symlinks() everywhere, and stop using GNU canonicalize_file_name() everywhere. For most cases this should not change behaviour, however increase exposure of our function to get better tested. Most importantly in a few cases (most notably nspawn) it can take the correct root directory into account when chasing symlinks.
2016-11-18 21:35:21 +01:00
r = path_is_mount_point(arg_directory, NULL, 0);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0) {
log_error_errno(r, "Failed to determine whether directory %s is mount point: %m", arg_directory);
goto finish;
}
if (r > 0)
tmpfiles: automatically remove old machine snapshots at boot Remove old temporary snapshots, but only at boot. Ideally we'd have "self-destroying" btrfs snapshots that go away if the last last reference to it does. To mimic a scheme like this at least remove the old snapshots on fresh boots, where we know they cannot be referenced anymore. Note that we actually remove all temporary files in /var/lib/machines/ at boot, which should be safe since the directory has defined semantics. In the root directory (where systemd-nspawn --ephemeral places snapshots) we are more strict, to avoid removing unrelated temporary files. This also splits out nspawn/container related tmpfiles bits into a new tmpfiles snippet to systemd-nspawn.conf
2015-06-15 19:24:43 +02:00
r = tempfn_random_child(arg_directory, "machine.", &np);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
else
tmpfiles: automatically remove old machine snapshots at boot Remove old temporary snapshots, but only at boot. Ideally we'd have "self-destroying" btrfs snapshots that go away if the last last reference to it does. To mimic a scheme like this at least remove the old snapshots on fresh boots, where we know they cannot be referenced anymore. Note that we actually remove all temporary files in /var/lib/machines/ at boot, which should be safe since the directory has defined semantics. In the root directory (where systemd-nspawn --ephemeral places snapshots) we are more strict, to avoid removing unrelated temporary files. This also splits out nspawn/container related tmpfiles bits into a new tmpfiles snippet to systemd-nspawn.conf
2015-06-15 19:24:43 +02:00
r = tempfn_random(arg_directory, "machine.", &np);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0) {
nspawn: support ephemeral boots from images Previously --ephemeral was only supported with container trees in btrfs subvolumes (i.e. in combination with --directory=). This adds support for --ephemeral in conjunction with disk images (i.e. --image=) too. As side effect this fixes that --ephemeral was accepted but ignored when using -M on a container that turned out to be an image. Fixes: #4664
2016-11-18 18:38:06 +01:00
log_error_errno(r, "Failed to generate name for directory snapshot: %m");
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
goto finish;
}
r = image_path_lock(np, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
if (r < 0) {
log_error_errno(r, "Failed to lock %s: %m", np);
goto finish;
}
nspawn: add fallback top normal copy/reflink when we cannot btrfs snapshot Given that other file systems (notably: xfs) support reflinks these days, let's extend the file system snapshotting logic to fall back to plan copies or reflinks when full btrfs subvolume snapshots are not available. This essentially makes "systemd-nspawn --ephemeral" and "systemd-nspawn --template=" available on non-btrfs subvolumes. Of course, both operations will still be slower on non-btrfs than on btrfs (simply because reflinking each file individually in a directory tree is still slower than doing this in one step for a whole subvolume), but it's probably good enough for many cases, and we should provide the users with the tools, they have to figure out what's good for them. Note that "machinectl clone" already had a fallback like this in place, this patch generalizes this, and adds similar support to our other cases.
2016-11-21 20:02:43 +01:00
r = btrfs_subvol_snapshot(arg_directory, np,
(arg_read_only ? BTRFS_SNAPSHOT_READ_ONLY : 0) |
BTRFS_SNAPSHOT_FALLBACK_COPY |
BTRFS_SNAPSHOT_FALLBACK_DIRECTORY |
BTRFS_SNAPSHOT_RECURSIVE |
BTRFS_SNAPSHOT_QUOTA);
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (r < 0) {
log_error_errno(r, "Failed to create snapshot %s from %s: %m", np, arg_directory);
goto finish;
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
}
free(arg_directory);
arg_directory = np;
nspawn: fix use-after-free and leak in error paths CID #1257765.
2015-03-07 20:19:20 +01:00
np = NULL;
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
nspawn: add fallback top normal copy/reflink when we cannot btrfs snapshot Given that other file systems (notably: xfs) support reflinks these days, let's extend the file system snapshotting logic to fall back to plan copies or reflinks when full btrfs subvolume snapshots are not available. This essentially makes "systemd-nspawn --ephemeral" and "systemd-nspawn --template=" available on non-btrfs subvolumes. Of course, both operations will still be slower on non-btrfs than on btrfs (simply because reflinking each file individually in a directory tree is still slower than doing this in one step for a whole subvolume), but it's probably good enough for many cases, and we should provide the users with the tools, they have to figure out what's good for them. Note that "machinectl clone" already had a fallback like this in place, this patch generalizes this, and adds similar support to our other cases.
2016-11-21 20:02:43 +01:00
remove_directory = true;
nspawn: add file system locks for controlling access to container images This adds three kinds of file system locks for container images: a) a file system lock next to the actual image, in a .lck file in the same directory the image is located. This lock has the benefit of usually being located on the same NFS share as the image itself, and thus allows locking container images across NFS shares. b) a file system lock in /run, named after st_dev and st_ino of the root of the image. This lock has the advantage that it is unique even if the same image is bind mounted to two different places at the same time, as the ino/dev stays constant for them. c) a file system lock that is only taken when a new disk image is about to be created, that ensures that checking whether the name is already used across the search path, and actually placing the image is not interrupted by other code taking the name. a + b are read-write locks. When a container is booted in read-only mode a read lock is taken, otherwise a write lock. Lock b is always taken after a, to avoid ABBA problems. Lock c is mostly relevant when renaming or cloning images.
2015-01-14 23:09:02 +01:00
} else {
util-lib: rename CHASE_NON_EXISTING → CHASE_NONEXISTENT As suggested by @keszybz
2016-12-01 12:49:23 +01:00
r = chase_symlinks_and_update(&arg_directory, arg_template ? CHASE_NONEXISTENT : 0);
nspawn: make use of CHASE_NON_EXISTING when locking image If --template= is used on an image, then the image might not exist initially. We can use CHASE_NON_EXISTING to properly lock the image already before it exists. Let's do so.
2016-11-29 18:16:43 +01:00
if (r < 0)
goto finish;
nspawn: add file system locks for controlling access to container images This adds three kinds of file system locks for container images: a) a file system lock next to the actual image, in a .lck file in the same directory the image is located. This lock has the benefit of usually being located on the same NFS share as the image itself, and thus allows locking container images across NFS shares. b) a file system lock in /run, named after st_dev and st_ino of the root of the image. This lock has the advantage that it is unique even if the same image is bind mounted to two different places at the same time, as the ino/dev stays constant for them. c) a file system lock that is only taken when a new disk image is about to be created, that ensures that checking whether the name is already used across the search path, and actually placing the image is not interrupted by other code taking the name. a + b are read-write locks. When a container is booted in read-only mode a read lock is taken, otherwise a write lock. Lock b is always taken after a, to avoid ABBA problems. Lock c is mostly relevant when renaming or cloning images.
2015-01-14 23:09:02 +01:00
r = image_path_lock(arg_directory, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
if (r == -EBUSY) {
log_error_errno(r, "Directory tree %s is currently busy.", arg_directory);
goto finish;
}
if (r < 0) {
log_error_errno(r, "Failed to lock %s: %m", arg_directory);
nspawn: don't skip cleanup on locking error
2016-07-23 02:28:57 +02:00
goto finish;
nspawn: add file system locks for controlling access to container images This adds three kinds of file system locks for container images: a) a file system lock next to the actual image, in a .lck file in the same directory the image is located. This lock has the benefit of usually being located on the same NFS share as the image itself, and thus allows locking container images across NFS shares. b) a file system lock in /run, named after st_dev and st_ino of the root of the image. This lock has the advantage that it is unique even if the same image is bind mounted to two different places at the same time, as the ino/dev stays constant for them. c) a file system lock that is only taken when a new disk image is about to be created, that ensures that checking whether the name is already used across the search path, and actually placing the image is not interrupted by other code taking the name. a + b are read-write locks. When a container is booted in read-only mode a read lock is taken, otherwise a write lock. Lock b is always taken after a, to avoid ABBA problems. Lock c is mostly relevant when renaming or cloning images.
2015-01-14 23:09:02 +01:00
}
if (arg_template) {
nspawn: make use of CHASE_NON_EXISTING when locking image If --template= is used on an image, then the image might not exist initially. We can use CHASE_NON_EXISTING to properly lock the image already before it exists. Let's do so.
2016-11-29 18:16:43 +01:00
r = chase_symlinks_and_update(&arg_template, 0);
nspawn: properly handle image/directory paths that are symlinks This resolves any paths specified on --directory=, --template=, and --image= before using them. This makes sure nspawn can be used correctly on symlinked images and directory trees. Fixes: #2001
2016-11-24 21:03:36 +01:00
if (r < 0)
goto finish;
nspawn: add fallback top normal copy/reflink when we cannot btrfs snapshot Given that other file systems (notably: xfs) support reflinks these days, let's extend the file system snapshotting logic to fall back to plan copies or reflinks when full btrfs subvolume snapshots are not available. This essentially makes "systemd-nspawn --ephemeral" and "systemd-nspawn --template=" available on non-btrfs subvolumes. Of course, both operations will still be slower on non-btrfs than on btrfs (simply because reflinking each file individually in a directory tree is still slower than doing this in one step for a whole subvolume), but it's probably good enough for many cases, and we should provide the users with the tools, they have to figure out what's good for them. Note that "machinectl clone" already had a fallback like this in place, this patch generalizes this, and adds similar support to our other cases.
2016-11-21 20:02:43 +01:00
r = btrfs_subvol_snapshot(arg_template, arg_directory,
(arg_read_only ? BTRFS_SNAPSHOT_READ_ONLY : 0) |
BTRFS_SNAPSHOT_FALLBACK_COPY |
BTRFS_SNAPSHOT_FALLBACK_DIRECTORY |
BTRFS_SNAPSHOT_FALLBACK_IMMUTABLE |
BTRFS_SNAPSHOT_RECURSIVE |
BTRFS_SNAPSHOT_QUOTA);
nspawn: add file system locks for controlling access to container images This adds three kinds of file system locks for container images: a) a file system lock next to the actual image, in a .lck file in the same directory the image is located. This lock has the benefit of usually being located on the same NFS share as the image itself, and thus allows locking container images across NFS shares. b) a file system lock in /run, named after st_dev and st_ino of the root of the image. This lock has the advantage that it is unique even if the same image is bind mounted to two different places at the same time, as the ino/dev stays constant for them. c) a file system lock that is only taken when a new disk image is about to be created, that ensures that checking whether the name is already used across the search path, and actually placing the image is not interrupted by other code taking the name. a + b are read-write locks. When a container is booted in read-only mode a read lock is taken, otherwise a write lock. Lock b is always taken after a, to avoid ABBA problems. Lock c is mostly relevant when renaming or cloning images.
2015-01-14 23:09:02 +01:00
if (r == -EEXIST) {
if (!arg_quiet)
log_info("Directory %s already exists, not populating from template %s.", arg_directory, arg_template);
} else if (r < 0) {
nspawn: fix log typos
2015-01-15 08:19:30 +01:00
log_error_errno(r, "Couldn't create snapshot %s from %s: %m", arg_directory, arg_template);
nspawn: add file system locks for controlling access to container images This adds three kinds of file system locks for container images: a) a file system lock next to the actual image, in a .lck file in the same directory the image is located. This lock has the benefit of usually being located on the same NFS share as the image itself, and thus allows locking container images across NFS shares. b) a file system lock in /run, named after st_dev and st_ino of the root of the image. This lock has the advantage that it is unique even if the same image is bind mounted to two different places at the same time, as the ino/dev stays constant for them. c) a file system lock that is only taken when a new disk image is about to be created, that ensures that checking whether the name is already used across the search path, and actually placing the image is not interrupted by other code taking the name. a + b are read-write locks. When a container is booted in read-only mode a read lock is taken, otherwise a write lock. Lock b is always taken after a, to avoid ABBA problems. Lock c is mostly relevant when renaming or cloning images.
2015-01-14 23:09:02 +01:00
goto finish;
} else {
if (!arg_quiet)
log_info("Populated %s from template %s.", arg_directory, arg_template);
}
}
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
}
nspawn: optionally run a stub init process as PID 1 This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-03 20:32:06 +01:00
if (arg_start_mode == START_BOOT) {
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
if (path_is_os_tree(arg_directory) <= 0) {
os-release: define /usr/lib/os-release as fallback for /etc/os-release The file should have been in /usr/lib/ in the first place, since it describes the OS container in /usr (and not the configuration in /etc), hence, let's support os-release files in /usr/lib as fallback if no version in /etc exists, following the usual override logic. A prior commit already enabled tmpfiles to create /etc/os-release as a symlink to /usr/lib/os-release should it be missing, thus providing nice compatibility with applications only checking in /etc. While it's probably a good idea if all apps check both locations via a fallback logic, it is only necessary in the early boot process, as long as the /etc/os-release symlink has not been restored, in case we boot with an empty /etc.
2014-06-13 19:45:52 +02:00
log_error("Directory %s doesn't look like an OS root directory (os-release file is missing). Refusing.", arg_directory);
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
r = -EINVAL;
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
goto finish;
}
} else {
const char *p;
nspawn: don't try to resolve passed binary before entering namespace Othewise we might follow the symlinks on the host, instead of the container. Fixes #1400
2015-10-22 01:33:06 +02:00
p = strjoina(arg_directory, "/usr/");
if (laccess(p, F_OK) < 0) {
log_error("Directory %s doesn't look like it has an OS tree. Refusing.", arg_directory);
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
r = -EINVAL;
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
goto finish;
}
}
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
nspawn: don't accept just any tree to execute When invoked without -D in an arbitrary directory we should not try to execute anything, make some validity checks first.
2014-02-14 16:35:18 +01:00
} else {
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
assert(arg_image);
assert(!arg_template);
nspawn: make use of CHASE_NON_EXISTING when locking image If --template= is used on an image, then the image might not exist initially. We can use CHASE_NON_EXISTING to properly lock the image already before it exists. Let's do so.
2016-11-29 18:16:43 +01:00
r = chase_symlinks_and_update(&arg_image, 0);
nspawn: properly handle image/directory paths that are symlinks This resolves any paths specified on --directory=, --template=, and --image= before using them. This makes sure nspawn can be used correctly on symlinked images and directory trees. Fixes: #2001
2016-11-24 21:03:36 +01:00
if (r < 0)
goto finish;
nspawn: support ephemeral boots from images Previously --ephemeral was only supported with container trees in btrfs subvolumes (i.e. in combination with --directory=). This adds support for --ephemeral in conjunction with disk images (i.e. --image=) too. As side effect this fixes that --ephemeral was accepted but ignored when using -M on a container that turned out to be an image. Fixes: #4664
2016-11-18 18:38:06 +01:00
if (arg_ephemeral) {
_cleanup_free_ char *np = NULL;
r = tempfn_random(arg_image, "machine.", &np);
if (r < 0) {
log_error_errno(r, "Failed to generate name for image snapshot: %m");
goto finish;
}
r = image_path_lock(np, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
if (r < 0) {
r = log_error_errno(r, "Failed to create image lock: %m");
goto finish;
}
copy: change the various copy_xyz() calls to take a unified flags parameter This adds a unified "copy_flags" parameter to all copy_xyz() function calls, replacing the various boolean flags so far used. This should make many invocations more readable as it is clear what behaviour is precisely requested. This also prepares ground for adding support for more modes later on.
2017-02-13 19:00:22 +01:00
r = copy_file(arg_image, np, O_EXCL, arg_read_only ? 0400 : 0600, FS_NOCOW_FL, COPY_REFLINK);
nspawn: support ephemeral boots from images Previously --ephemeral was only supported with container trees in btrfs subvolumes (i.e. in combination with --directory=). This adds support for --ephemeral in conjunction with disk images (i.e. --image=) too. As side effect this fixes that --ephemeral was accepted but ignored when using -M on a container that turned out to be an image. Fixes: #4664
2016-11-18 18:38:06 +01:00
if (r < 0) {
r = log_error_errno(r, "Failed to copy image file: %m");
goto finish;
}
free(arg_image);
arg_image = np;
np = NULL;
remove_image = true;
} else {
r = image_path_lock(arg_image, (arg_read_only ? LOCK_SH : LOCK_EX) | LOCK_NB, &tree_global_lock, &tree_local_lock);
if (r == -EBUSY) {
r = log_error_errno(r, "Disk image %s is currently busy.", arg_image);
goto finish;
}
if (r < 0) {
r = log_error_errno(r, "Failed to create image lock: %m");
goto finish;
}
nspawn/dissect: automatically discover dm-verity verity partitions This adds support for discovering and making use of properly tagged dm-verity data integrity partitions. This extends both systemd-nspawn and systemd-dissect with a new --root-hash= switch that takes the root hash to use for the root partition, and is otherwise fully automatic. Verity partitions are discovered automatically by GPT table type UUIDs, as listed in https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ (which I updated prior to this change, to include new UUIDs for this purpose. mkosi with https://github.com/systemd/mkosi/pull/39 applied may generate images that carry the necessary integrity data. With that PR and this commit, the following simply lines suffice to boot up an integrity-protected container image: ``` # mkdir test # cd test # mkosi --verity # systemd-nspawn -i ./image.raw -bn ``` Note that mkosi writes the image file to "image.raw" next to a a file "image.roothash" that contains the root hash. systemd-nspawn will look for that file and use it if it exists, in case --root-hash= is not specified explicitly.
2016-12-07 18:28:13 +01:00
core,nspawn,dissect: make nspawn's .roothash file search reusable This makes nspawn's logic of automatically discovering the root hash of an image file generic, and then reuses it in systemd-dissect and in PID1's RootImage= logic, so that verity is automatically set up whenever we can.
2016-12-23 17:10:42 +01:00
if (!arg_root_hash) {
r = root_hash_load(arg_image, &arg_root_hash, &arg_root_hash_size);
if (r < 0) {
log_error_errno(r, "Failed to load root hash file for %s: %m", arg_image);
goto finish;
}
}
nspawn: add file system locks for controlling access to container images This adds three kinds of file system locks for container images: a) a file system lock next to the actual image, in a .lck file in the same directory the image is located. This lock has the benefit of usually being located on the same NFS share as the image itself, and thus allows locking container images across NFS shares. b) a file system lock in /run, named after st_dev and st_ino of the root of the image. This lock has the advantage that it is unique even if the same image is bind mounted to two different places at the same time, as the ino/dev stays constant for them. c) a file system lock that is only taken when a new disk image is about to be created, that ensures that checking whether the name is already used across the search path, and actually placing the image is not interrupted by other code taking the name. a + b are read-write locks. When a container is booted in read-only mode a read lock is taken, otherwise a write lock. Lock b is always taken after a, to avoid ABBA problems. Lock c is mostly relevant when renaming or cloning images.
2015-01-14 23:09:02 +01:00
}
nspawn: remove temporary root directory on exit When mountint a loopback image, we need a temporary root directory we can mount stuff to. Make sure to actually remove it when exiting, so that we don't leave stuff around in /tmp unnecessarily. See: #4664
2016-11-19 00:00:16 +01:00
if (!mkdtemp(tmprootdir)) {
nspawn: support ephemeral boots from images Previously --ephemeral was only supported with container trees in btrfs subvolumes (i.e. in combination with --directory=). This adds support for --ephemeral in conjunction with disk images (i.e. --image=) too. As side effect this fixes that --ephemeral was accepted but ignored when using -M on a container that turned out to be an image. Fixes: #4664
2016-11-18 18:38:06 +01:00
r = log_error_errno(errno, "Failed to create temporary directory: %m");
nspawn: don't accept just any tree to execute When invoked without -D in an arbitrary directory we should not try to execute anything, make some validity checks first.
2014-02-14 16:35:18 +01:00
goto finish;
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
}
nspawn: don't accept just any tree to execute When invoked without -D in an arbitrary directory we should not try to execute anything, make some validity checks first.
2014-02-14 16:35:18 +01:00
nspawn: remove temporary root directory on exit When mountint a loopback image, we need a temporary root directory we can mount stuff to. Make sure to actually remove it when exiting, so that we don't leave stuff around in /tmp unnecessarily. See: #4664
2016-11-19 00:00:16 +01:00
remove_tmprootdir = true;
arg_directory = strdup(tmprootdir);
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
if (!arg_directory) {
r = log_oom();
goto finish;
nspawn: don't accept just any tree to execute When invoked without -D in an arbitrary directory we should not try to execute anything, make some validity checks first.
2014-02-14 16:35:18 +01:00
}
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
r = loop_device_make_by_path(arg_image, arg_read_only ? O_RDONLY : O_RDWR, &loop);
if (r < 0) {
log_error_errno(r, "Failed to set up loopback block device: %m");
nspawn: allow passing socket activation fds through nspawn
2012-12-22 19:29:04 +01:00
goto finish;
}
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
dissect: add dissect_image_and_warn() that unifies error message generation for dissect_image() (#8517)
2018-03-21 12:10:01 +01:00
r = dissect_image_and_warn(
dissect: make using a generic partition as root partition optional In preparation for reusing the image dissector in the GPT auto-discovery logic, only optionally fail the dissection when we can't identify a root partition. In the GPT auto-discovery we are completely fine with any kind of root, given that we run when it is already mounted and all we do is find some additional auxiliary partitions on the same disk.
2016-12-15 17:38:11 +01:00
loop->fd,
dissect: add dissect_image_and_warn() that unifies error message generation for dissect_image() (#8517)
2018-03-21 12:10:01 +01:00
arg_image,
dissect: make using a generic partition as root partition optional In preparation for reusing the image dissector in the GPT auto-discovery logic, only optionally fail the dissection when we can't identify a root partition. In the GPT auto-discovery we are completely fine with any kind of root, given that we run when it is already mounted and all we do is find some additional auxiliary partitions on the same disk.
2016-12-15 17:38:11 +01:00
arg_root_hash, arg_root_hash_size,
DISSECT_IMAGE_REQUIRE_ROOT,
&dissected_image);
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
if (r == -ENOPKG) {
dissect: add dissect_image_and_warn() that unifies error message generation for dissect_image() (#8517)
2018-03-21 12:10:01 +01:00
/* dissected_image_and_warn() already printed a brief error message. Extend on that with more details */
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
log_notice("Note that the disk image needs to\n"
" a) either contain only a single MBR partition of type 0x83 that is marked bootable\n"
" b) or contain a single GPT partition of type 0FC63DAF-8483-4772-8E79-3D69D8477DE4\n"
" c) or follow http://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/\n"
" d) or contain a file system without a partition table\n"
"in order to be bootable with systemd-nspawn.");
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
goto finish;
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
}
dissect: add dissect_image_and_warn() that unifies error message generation for dissect_image() (#8517)
2018-03-21 12:10:01 +01:00
if (r < 0)
nspawn: allow passing socket activation fds through nspawn
2012-12-22 19:29:04 +01:00
goto finish;
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
nspawn/dissect: automatically discover dm-verity verity partitions This adds support for discovering and making use of properly tagged dm-verity data integrity partitions. This extends both systemd-nspawn and systemd-dissect with a new --root-hash= switch that takes the root hash to use for the root partition, and is otherwise fully automatic. Verity partitions are discovered automatically by GPT table type UUIDs, as listed in https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ (which I updated prior to this change, to include new UUIDs for this purpose. mkosi with https://github.com/systemd/mkosi/pull/39 applied may generate images that carry the necessary integrity data. With that PR and this commit, the following simply lines suffice to boot up an integrity-protected container image: ``` # mkdir test # cd test # mkosi --verity # systemd-nspawn -i ./image.raw -bn ``` Note that mkosi writes the image file to "image.raw" next to a a file "image.roothash" that contains the root hash. systemd-nspawn will look for that file and use it if it exists, in case --root-hash= is not specified explicitly.
2016-12-07 18:28:13 +01:00
if (!arg_root_hash && dissected_image->can_verity)
log_notice("Note: image %s contains verity information, but no root hash specified! Proceeding without integrity checking.", arg_image);
r = dissected_image_decrypt_interactively(dissected_image, NULL, arg_root_hash, arg_root_hash_size, 0, &decrypted_image);
nspawn: add --image= switch to boot GPT disk images that follow the Discoverable Partitions Specification
2014-03-10 20:35:52 +01:00
if (r < 0)
goto finish;
nspawn: support ephemeral boots from images Previously --ephemeral was only supported with container trees in btrfs subvolumes (i.e. in combination with --directory=). This adds support for --ephemeral in conjunction with disk images (i.e. --image=) too. As side effect this fixes that --ephemeral was accepted but ignored when using -M on a container that turned out to be an image. Fixes: #4664
2016-11-18 18:38:06 +01:00
/* Now that we mounted the image, let's try to remove it again, if it is ephemeral */
if (remove_image && unlink(arg_image) >= 0)
remove_image = false;
nspawn: allow passing socket activation fds through nspawn
2012-12-22 19:29:04 +01:00
}
nspawn: permit prefixing of source paths in --bind= and --overlay= with "+" If a source path is prefixed with "+" it is taken relative to the container's root directory instead of the host. This permits easily establishing bind and overlay mounts based on data from the container rather than the host. This also reworks custom_mounts_prepare(), and turns it into two functions: one custom_mount_check_all() that remains in nspawn.c but purely verifies the validity of the custom mounts configured. And one called custom_mount_prepare_all() that actually does the preparation step, sorts the custom mounts, resolves relative paths, and allocates temporary directories as necessary.
2016-11-30 16:02:47 +01:00
r = custom_mount_prepare_all(arg_directory, arg_custom_mounts, arg_n_custom_mounts);
nspawn: rework custom mount point order, and add support for overlayfs Previously all bind mount mounts were applied in the order specified, followed by all tmpfs mounts in the order specified. This is problematic, if bind mounts shall be placed within tmpfs mounts. This patch hence reworks the custom mount point logic, and alwas applies them in strict prefix-first order. This means the order of mounts specified on the command line becomes irrelevant, the right operation will always be executed. While we are at it this commit also adds native support for overlayfs mounts, as supported by recent kernels.
2015-05-13 14:04:55 +02:00
if (r < 0)
goto finish;
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
interactive =
isatty(STDIN_FILENO) > 0 &&
isatty(STDOUT_FILENO) > 0;
nspawn: when connected to pipes for stdin/stdout, pass them as-is to PID 1 Previously we always invoked the container PID 1 on /dev/console of the container. With this change we do so only if nspawn was invoked interactively (i.e. its stdin/stdout was connected to a TTY). In all other cases we directly pass through the fds unmodified. This has the benefit that nspawn can be added into shell pipelines. https://bugs.freedesktop.org/show_bug.cgi?id=87732
2015-02-18 23:32:55 +01:00
nspawn: generate proper error messages in the child
2012-07-19 02:03:42 +02:00
master = posix_openpt(O_RDWR|O_NOCTTY|O_CLOEXEC|O_NDELAY);
if (master < 0) {
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
r = log_error_errno(errno, "Failed to acquire pseudo tty: %m");
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
goto finish;
}
nspawn,pty: port over to new ptsname_malloc() helper
2014-12-23 02:02:08 +01:00
r = ptsname_malloc(master, &console);
if (r < 0) {
r = log_error_errno(r, "Failed to determine tty name: %m");
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
goto finish;
/dev/console must be labeled with SELinux label If the user specifies an selinux_apifs_context all content created in the container including /dev/console should use this label. Currently when this uses the default label it gets labeled user_devpts_t, which would require us to write a policy allowing container processes to manage user_devpts_t. This means that an escaped process would be allowed to attack all users terminals as well as other container terminals. Changing the label to match the apifs_context, means the processes would only be allowed to manage their specific tty. This change fixes a problem preventing RKT containers from working with systemd-nspawn.
2016-03-09 15:29:25 +01:00
}
if (arg_selinux_apifs_context) {
r = mac_selinux_apply(console, arg_selinux_apifs_context);
if (r < 0)
goto finish;
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
}
if (unlockpt(master) < 0) {
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
r = log_error_errno(errno, "Failed to unlock tty: %m");
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
goto finish;
}
nspawn: when connected to pipes for stdin/stdout, pass them as-is to PID 1 Previously we always invoked the container PID 1 on /dev/console of the container. With this change we do so only if nspawn was invoked interactively (i.e. its stdin/stdout was connected to a TTY). In all other cases we directly pass through the fds unmodified. This has the benefit that nspawn can be added into shell pipelines. https://bugs.freedesktop.org/show_bug.cgi?id=87732
2015-02-18 23:32:55 +01:00
if (!arg_quiet)
log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.",
arg_machine, arg_image ?: arg_directory);
everywhere: port everything to sigprocmask_many() and friends This ports a lot of manual code over to sigprocmask_many() and friends. Also, we now consistly check for sigprocmask() failures with assert_se(), since the call cannot realistically fail unless there's a programming error. Also encloses a few sd_event_add_signal() calls with (void) when we ignore the return values for it knowingly.
2015-06-15 20:13:23 +02:00
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1) >= 0);
nspawn: allocate a new pty instead of passing ours through to avoid terminal settings chaos
2011-03-16 02:57:52 +01:00
nspawn: finish user namespace support
2015-05-21 16:30:58 +02:00
if (prctl(PR_SET_CHILD_SUBREAPER, 1) < 0) {
r = log_error_errno(errno, "Failed to become subreaper: %m");
goto finish;
}
nspawn: handle poweroff/reboot nicely in containers
2012-09-06 01:23:41 +02:00
for (;;) {
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
r = run(master,
console,
nspawn: port nspawn to new generalized image dissection code Let's make use of the new internal API. This mostly doesn't change anything for the caller, however, "systemd-nspawn --image=/dev/sda7" works now as the new code can handle disk images with no partition tables, and make any detected images directly the root.
2016-12-01 20:26:09 +01:00
dissected_image,
nspawn: move the main loop body out to a new function The new function has 416 lines by itself! "return log_error_errno" is used to nicely reduce the volume of error handling code. A few minor issues are fixed on the way: - positive value was used as error value (EIO), causing systemd-nspawn to return success, even though it shouldn't. - In two places random values were used as error status, when the actual value was in an unusual place (etc_password_lock, notify_socket). Those are the only functional changes. There is another potential issue, which is marked with a comment, and left unresolved: the container can also return 133 by itself, causing a spurious reboot.
2016-10-02 21:32:38 +02:00
interactive, secondary,
fds,
veth_name, &veth_created,
&exposed,
&pid, &ret);
if (r <= 0)
nspawn: handle poweroff/reboot nicely in containers
2012-09-06 01:23:41 +02:00
break;
}
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
finish:
notify: send STOPPING=1 from our daemons
2014-08-21 17:19:28 +02:00
sd_notify(false,
nspawn: restart the whole systemd-nspawn@.service unit on container reboot (#4613) Since 133 is now used in a few places, add a #define for it. Also make the status message a bit informative. Another issue introduced in b006762. The logic was borked, we were supposed to return 0 to break the loop, and 133 to restart the container, not the other way around. But this doesn't seem to work, reboot fails with: Nov 08 00:41:32 laptop systemd-nspawn[26564]: Failed to register machine: Machine 'fedora-rawhide' already exists So actually the version before this patch worked better, since 133 > 0 and we'd at least loop internally.
2016-11-14 11:49:49 +01:00
r == 0 && ret == EXIT_FORCE_RESTART ? "STOPPING=1\nSTATUS=Restarting..." :
"STOPPING=1\nSTATUS=Terminating...");
notify: send STOPPING=1 from our daemons
2014-08-21 17:19:28 +02:00
logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.
2013-06-20 03:45:08 +02:00
if (pid > 0)
nspawn: remove temporary root directory on exit When mountint a loopback image, we need a temporary root directory we can mount stuff to. Make sure to actually remove it when exiting, so that we don't leave stuff around in /tmp unnecessarily. See: #4664
2016-11-19 00:00:16 +01:00
(void) kill(pid, SIGKILL);
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
nspawn: when exiting, flush all remaining bytes from the pty to stdout This is a simpler fix for #210, it simply uses copy_bytes() for the copying.
2015-06-17 20:54:45 +02:00
/* Try to flush whatever is still queued in the pty */
nspawn: try to wait for the container PID 1 to exit, before we exit Let's make the shutdown logic synchronous, so that there's a better chance to detach the loopback device after use.
2016-11-18 23:47:09 +01:00
if (master >= 0) {
copy: change the various copy_xyz() calls to take a unified flags parameter This adds a unified "copy_flags" parameter to all copy_xyz() function calls, replacing the various boolean flags so far used. This should make many invocations more readable as it is clear what behaviour is precisely requested. This also prepares ground for adding support for more modes later on.
2017-02-13 19:00:22 +01:00
(void) copy_bytes(master, STDOUT_FILENO, (uint64_t) -1, 0);
nspawn: try to wait for the container PID 1 to exit, before we exit Let's make the shutdown logic synchronous, so that there's a better chance to detach the loopback device after use.
2016-11-18 23:47:09 +01:00
master = safe_close(master);
}
if (pid > 0)
(void) wait_for_terminate(pid, NULL);
nspawn: when exiting, flush all remaining bytes from the pty to stdout This is a simpler fix for #210, it simply uses copy_bytes() for the copying.
2015-06-17 20:54:45 +02:00
nspawn: add fallback top normal copy/reflink when we cannot btrfs snapshot Given that other file systems (notably: xfs) support reflinks these days, let's extend the file system snapshotting logic to fall back to plan copies or reflinks when full btrfs subvolume snapshots are not available. This essentially makes "systemd-nspawn --ephemeral" and "systemd-nspawn --template=" available on non-btrfs subvolumes. Of course, both operations will still be slower on non-btrfs than on btrfs (simply because reflinking each file individually in a directory tree is still slower than doing this in one step for a whole subvolume), but it's probably good enough for many cases, and we should provide the users with the tools, they have to figure out what's good for them. Note that "machinectl clone" already had a fallback like this in place, this patch generalizes this, and adds similar support to our other cases.
2016-11-21 20:02:43 +01:00
if (remove_directory && arg_directory) {
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
int k;
nspawn: add fallback top normal copy/reflink when we cannot btrfs snapshot Given that other file systems (notably: xfs) support reflinks these days, let's extend the file system snapshotting logic to fall back to plan copies or reflinks when full btrfs subvolume snapshots are not available. This essentially makes "systemd-nspawn --ephemeral" and "systemd-nspawn --template=" available on non-btrfs subvolumes. Of course, both operations will still be slower on non-btrfs than on btrfs (simply because reflinking each file individually in a directory tree is still slower than doing this in one step for a whole subvolume), but it's probably good enough for many cases, and we should provide the users with the tools, they have to figure out what's good for them. Note that "machinectl clone" already had a fallback like this in place, this patch generalizes this, and adds similar support to our other cases.
2016-11-21 20:02:43 +01:00
k = rm_rf(arg_directory, REMOVE_ROOT|REMOVE_PHYSICAL|REMOVE_SUBVOLUME);
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
if (k < 0)
nspawn: add fallback top normal copy/reflink when we cannot btrfs snapshot Given that other file systems (notably: xfs) support reflinks these days, let's extend the file system snapshotting logic to fall back to plan copies or reflinks when full btrfs subvolume snapshots are not available. This essentially makes "systemd-nspawn --ephemeral" and "systemd-nspawn --template=" available on non-btrfs subvolumes. Of course, both operations will still be slower on non-btrfs than on btrfs (simply because reflinking each file individually in a directory tree is still slower than doing this in one step for a whole subvolume), but it's probably good enough for many cases, and we should provide the users with the tools, they have to figure out what's good for them. Note that "machinectl clone" already had a fallback like this in place, this patch generalizes this, and adds similar support to our other cases.
2016-11-21 20:02:43 +01:00
log_warning_errno(k, "Cannot remove '%s', ignoring: %m", arg_directory);
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
}
nspawn: support ephemeral boots from images Previously --ephemeral was only supported with container trees in btrfs subvolumes (i.e. in combination with --directory=). This adds support for --ephemeral in conjunction with disk images (i.e. --image=) too. As side effect this fixes that --ephemeral was accepted but ignored when using -M on a container that turned out to be an image. Fixes: #4664
2016-11-18 18:38:06 +01:00
if (remove_image && arg_image) {
if (unlink(arg_image) < 0)
log_warning_errno(errno, "Can't remove image file '%s', ignoring: %m", arg_image);
}
nspawn: remove temporary root directory on exit When mountint a loopback image, we need a temporary root directory we can mount stuff to. Make sure to actually remove it when exiting, so that we don't leave stuff around in /tmp unnecessarily. See: #4664
2016-11-19 00:00:16 +01:00
if (remove_tmprootdir) {
if (rmdir(tmprootdir) < 0)
log_debug_errno(errno, "Can't remove temporary root directory '%s', ignoring: %m", tmprootdir);
}
machinectl: implement "bind" command to create additional bind mounts from host to container during runtime
2014-12-17 21:51:45 +01:00
if (arg_machine) {
const char *p;
util: rework strappenda(), and rename it strjoina() After all it is now much more like strjoin() than strappend(). At the same time, add support for NULL sentinels, even if they are normally not necessary.
2015-02-03 02:05:59 +01:00
p = strjoina("/run/systemd/nspawn/propagate/", arg_machine);
util: rework rm_rf() logic - Move to its own file rm-rf.c - Change parameters into a single flags parameter - Remove "honour sticky" logic, it's unused these days
2015-04-04 11:52:57 +02:00
(void) rm_rf(p, REMOVE_ROOT);
machinectl: implement "bind" command to create additional bind mounts from host to container during runtime
2014-12-17 21:51:45 +01:00
}
nspawn: split all port exposure code into nspawn-expose-port.[ch]
2015-09-07 16:52:24 +02:00
expose_port_flush(arg_expose_ports, &exposed);
nspawn: only remove veth links we created ourselves Let's make sure we don't remove veth links that existed before nspawn was invoked. https://github.com/systemd/systemd/pull/3209#discussion_r62439999
2016-05-09 15:43:51 +02:00
if (veth_created)
(void) remove_veth_links(veth_name, arg_network_veth_extra);
nspawn: add new --network-zone= switch for automatically managed bridge devices This adds a new concept of network "zones", which are little more than bridge devices that are automatically managed by nspawn: when the first container referencing a bridge is started, the bridge device is created, when the last container referencing it is removed the bridge device is removed again. Besides this logic --network-zone= is pretty much identical to --network-bridge=. The usecase for this is to make it easy to run multiple related containers (think MySQL in one and Apache in another) in a common, named virtual Ethernet broadcast zone, that only exists as long as one of them is running, and fully automatically managed otherwise.
2016-05-06 21:00:27 +02:00
(void) remove_bridge(arg_network_zone);
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
nspawn: move container into its own name=systemd cgroup
2011-03-14 22:33:31 +01:00
free(arg_directory);
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
free(arg_template);
free(arg_image);
nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.
2013-04-16 04:36:06 +02:00
free(arg_machine);
nspawn: add new switch --network-macvlan= to add a macvlan device to the container
2014-02-25 02:27:39 +01:00
free(arg_user);
nspawn: Add support for sysroot pivoting (#5258) Add a new --pivot-root argument to systemd-nspawn, which specifies a directory to pivot to / inside the container; while the original / is pivoted to another specified directory (if provided). This adds support for booting container images which may contain several bootable sysroots, as is common with OSTree disk images. When these disk images are booted on real hardware, ostree-prepare-root is run in conjunction with sysroot.mount in the initramfs to achieve the same results.
2017-02-08 16:54:31 +01:00
free(arg_pivot_root_new);
free(arg_pivot_root_old);
nspawn: add new --chdir= switch Fixes: #2192
2016-02-02 01:52:01 +01:00
free(arg_chdir);
nspawn: add new switch --network-macvlan= to add a macvlan device to the container
2014-02-25 02:27:39 +01:00
strv_free(arg_setenv);
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
free(arg_network_bridge);
nspawn: add new switch --network-macvlan= to add a macvlan device to the container
2014-02-25 02:27:39 +01:00
strv_free(arg_network_interfaces);
strv_free(arg_network_macvlan);
nspawn: add ipvlan support
2015-01-20 00:18:28 +01:00
strv_free(arg_network_ipvlan);
nspawn: add new --network-veth-extra= switch for defining additional veth links The new switch operates like --network-veth, but may be specified multiple times (to define multiple link pairs) and allows flexible definition of the interface names. This is an independent reimplementation of #1678, but defines different semantics, keeping the behaviour completely independent of --network-veth. It also comes will full hook-up for .nspawn files, and the matching documentation.
2015-11-12 21:54:28 +01:00
strv_free(arg_network_veth_extra);
nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.
2015-09-06 01:22:14 +02:00
strv_free(arg_parameters);
custom_mount_free_all(arg_custom_mounts, arg_n_custom_mounts);
expose_port_free_all(arg_expose_ports);
nspawn/dissect: automatically discover dm-verity verity partitions This adds support for discovering and making use of properly tagged dm-verity data integrity partitions. This extends both systemd-nspawn and systemd-dissect with a new --root-hash= switch that takes the root hash to use for the root partition, and is otherwise fully automatic. Verity partitions are discovered automatically by GPT table type UUIDs, as listed in https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ (which I updated prior to this change, to include new UUIDs for this purpose. mkosi with https://github.com/systemd/mkosi/pull/39 applied may generate images that carry the necessary integrity data. With that PR and this commit, the following simply lines suffice to boot up an integrity-protected container image: ``` # mkdir test # cd test # mkosi --verity # systemd-nspawn -i ./image.raw -bn ``` Note that mkosi writes the image file to "image.raw" next to a a file "image.roothash" that contains the root hash. systemd-nspawn will look for that file and use it if it exists, in case --root-hash= is not specified explicitly.
2016-12-07 18:28:13 +01:00
free(arg_root_hash);
nspawn: add new option "--port=" for exposing container ports on the local host This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:51:51 +01:00
nspawn: beef up nspawn with some btrfs magic This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12 03:50:59 +01:00
return r < 0 ? EXIT_FAILURE : ret;
nspawn: add simple chroot(1) like tool to execute commands in a namespace container
2011-03-14 02:40:36 +01:00
}