Merge pull request #1165 from poettering/nspawn-files
various fixes to the core, logind, machined, nspawn
This commit is contained in:
commit
6167a91c74
|
@ -130,6 +130,7 @@ MANPAGES += \
|
|||
man/systemd.kill.5 \
|
||||
man/systemd.link.5 \
|
||||
man/systemd.mount.5 \
|
||||
man/systemd.nspawn.5 \
|
||||
man/systemd.path.5 \
|
||||
man/systemd.preset.5 \
|
||||
man/systemd.resource-control.5 \
|
||||
|
@ -2382,6 +2383,7 @@ EXTRA_DIST += \
|
|||
man/systemd.mount.xml \
|
||||
man/systemd.netdev.xml \
|
||||
man/systemd.network.xml \
|
||||
man/systemd.nspawn.xml \
|
||||
man/systemd.path.xml \
|
||||
man/systemd.preset.xml \
|
||||
man/systemd.resource-control.xml \
|
||||
|
|
13
Makefile.am
13
Makefile.am
|
@ -155,6 +155,7 @@ noinst_PROGRAMS =
|
|||
TESTS =
|
||||
endif
|
||||
udevlibexec_PROGRAMS =
|
||||
gperf_gperf_sources =
|
||||
|
||||
in_files = $(filter %.in,$(EXTRA_DIST))
|
||||
in_in_files = $(filter %.in.in, $(in_files))
|
||||
|
@ -220,6 +221,7 @@ AM_CPPFLAGS = \
|
|||
-I $(top_builddir)/src/journal \
|
||||
-I $(top_srcdir)/src/timedate \
|
||||
-I $(top_srcdir)/src/timesync \
|
||||
-I $(top_srcdir)/src/nspawn \
|
||||
-I $(top_srcdir)/src/resolve \
|
||||
-I $(top_builddir)/src/resolve \
|
||||
-I $(top_srcdir)/src/systemd \
|
||||
|
@ -2776,11 +2778,20 @@ systemd_cgtop_LDADD = \
|
|||
# ------------------------------------------------------------------------------
|
||||
systemd_nspawn_SOURCES = \
|
||||
src/nspawn/nspawn.c \
|
||||
src/nspawn/nspawn.h \
|
||||
src/nspawn/nspawn-settings.c \
|
||||
src/nspawn/nspawn-settings.h \
|
||||
src/core/mount-setup.c \
|
||||
src/core/mount-setup.h \
|
||||
src/core/loopback-setup.c \
|
||||
src/core/loopback-setup.h
|
||||
|
||||
nodist_systemd_nspawn_SOURCES = \
|
||||
src/nspawn/nspawn-gperf.c
|
||||
|
||||
gperf_gperf_sources += \
|
||||
src/nspawn/nspawn-gperf.gperf
|
||||
|
||||
systemd_nspawn_CFLAGS = \
|
||||
$(AM_CFLAGS) \
|
||||
$(BLKID_CFLAGS) \
|
||||
|
@ -3486,7 +3497,7 @@ nodist_libudev_core_la_SOURCES = \
|
|||
src/udev/keyboard-keys-to-name.h \
|
||||
src/udev/net/link-config-gperf.c
|
||||
|
||||
gperf_gperf_sources = \
|
||||
gperf_gperf_sources += \
|
||||
src/udev/net/link-config-gperf.gperf
|
||||
|
||||
libudev_core_la_CFLAGS = \
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
<?xml version='1.0'?> <!--*-nxml-*-->
|
||||
<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
|
||||
|
@ -748,34 +748,86 @@
|
|||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--volatile</option><replaceable>=MODE</replaceable></term>
|
||||
<term><option>--volatile</option></term>
|
||||
<term><option>--volatile=</option><replaceable>MODE</replaceable></term>
|
||||
|
||||
<listitem><para>Boots the container in volatile mode. When no
|
||||
mode parameter is passed or when mode is specified as
|
||||
<literal>yes</literal> full volatile mode is enabled. This
|
||||
<option>yes</option> full volatile mode is enabled. This
|
||||
means the root directory is mounted as mostly unpopulated
|
||||
<literal>tmpfs</literal> instance, and
|
||||
<filename>/usr</filename> from the OS tree is mounted into it,
|
||||
read-only (the system thus starts up with read-only OS
|
||||
resources, but pristine state and configuration, any changes
|
||||
to the either are lost on shutdown). When the mode parameter
|
||||
is specified as <literal>state</literal> the OS tree is
|
||||
is specified as <option>state</option> the OS tree is
|
||||
mounted read-only, but <filename>/var</filename> is mounted as
|
||||
<literal>tmpfs</literal> instance into it (the system thus
|
||||
starts up with read-only OS resources and configuration, but
|
||||
pristine state, any changes to the latter are lost on
|
||||
shutdown). When the mode parameter is specified as
|
||||
<literal>no</literal> (the default) the whole OS tree is made
|
||||
<option>no</option> (the default) the whole OS tree is made
|
||||
available writable.</para>
|
||||
|
||||
<para>Note that setting this to <literal>yes</literal> or
|
||||
<literal>state</literal> will only work correctly with
|
||||
<para>Note that setting this to <option>yes</option> or
|
||||
<option>state</option> will only work correctly with
|
||||
operating systems in the container that can boot up with only
|
||||
<filename>/usr</filename> mounted, and are able to populate
|
||||
<filename>/var</filename> automatically, as
|
||||
needed.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--settings=</option><replaceable>MODE</replaceable></term>
|
||||
|
||||
<listitem><para>Controls whether
|
||||
<command>systemd-nspawn</command> shall search for and use
|
||||
additional per-container settings from
|
||||
<filename>.nspawn</filename> files. Takes a boolean or the
|
||||
special values <option>override</option> or
|
||||
<option>trusted</option>.</para>
|
||||
|
||||
<para>If enabled (the default) a settings file named after the
|
||||
machine (as specified with the <option>--machine=</option>
|
||||
setting, or derived from the directory or image file name)
|
||||
with the suffix <filename>.nspawn</filename> is searched in
|
||||
<filename>/etc/systemd/nspawn/</filename> and
|
||||
<filename>/run/systemd/nspawn/</filename>. If it is found
|
||||
there, its settings are read and used. If it is not found
|
||||
there it is subequently searched in the same directory as the
|
||||
image file or in the immediate parent of the root directory of
|
||||
the container. In this case, if the file is found its settings
|
||||
will be also read and used, but potentially unsafe settings
|
||||
are ignored. Note that in both these cases settings on the
|
||||
command line take precendence over the corresponding settings
|
||||
from loaded <filename>.nspawn</filename> files, if both are
|
||||
specified. Unsafe settings are considered all settings that
|
||||
elevate the container's privileges or grant access to
|
||||
additional resources such as files or directories of the
|
||||
host. For details about the format and contents of
|
||||
<filename>.nspawn</filename> files consult
|
||||
<citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
||||
|
||||
<para>If this option is set to <option>override</option> the
|
||||
file is searched, read and used the same way, however the order of
|
||||
precedence is reversed: settings read from the
|
||||
<filename>.nspawn</filename> file will take precedence over
|
||||
the corresponding command line options, if both are
|
||||
specified.</para>
|
||||
|
||||
<para>If this option is set to <option>trusted</option> the
|
||||
file is searched, read and used the same way, but regardless
|
||||
if found in <filename>/etc/systemd/nspawn/</filename>,
|
||||
<filename>/run/systemd/nspawn/</filename> or next to the image
|
||||
file or container root directory, all settings will take
|
||||
effect, however command line arguments still take precedence
|
||||
over corresponding settings.</para>
|
||||
|
||||
<para>If disabled no <filename>.nspawn</filename> file is read
|
||||
and no settings except the ones on the command line are in
|
||||
effect.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<xi:include href="standard-options.xml" xpointer="help" />
|
||||
<xi:include href="standard-options.xml" xpointer="version" />
|
||||
</variablelist>
|
||||
|
@ -859,6 +911,7 @@
|
|||
<title>See Also</title>
|
||||
<para>
|
||||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
||||
<citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||
<citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
||||
<citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
||||
|
|
383
man/systemd.nspawn.xml
Normal file
383
man/systemd.nspawn.xml
Normal file
|
@ -0,0 +1,383 @@
|
|||
<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY % entities SYSTEM "custom-entities.ent" >
|
||||
%entities;
|
||||
]>
|
||||
|
||||
<!--
|
||||
This file is part of systemd.
|
||||
|
||||
Copyright 2015 Lennart Poettering
|
||||
|
||||
systemd is free software; you can redistribute it and/or modify it
|
||||
under the terms of the GNU Lesser General Public License as published by
|
||||
the Free Software Foundation; either version 2.1 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
systemd is distributed in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
Lesser General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public License
|
||||
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
||||
-->
|
||||
|
||||
<refentry id="systemd.nspawn">
|
||||
|
||||
<refentryinfo>
|
||||
<title>systemd.nspawn</title>
|
||||
<productname>systemd</productname>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<contrib>Developer</contrib>
|
||||
<firstname>Lennart</firstname>
|
||||
<surname>Poettering</surname>
|
||||
<email>lennart@poettering.net</email>
|
||||
</author>
|
||||
</authorgroup>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>systemd.nspawn</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>systemd.nspawn</refname>
|
||||
<refpurpose>Container settings</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
|
||||
<para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
|
||||
<para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para>An nspawn container settings file (suffix
|
||||
<filename>.nspawn</filename>) encodes additional runtime
|
||||
information about a local container, and is searched, read and
|
||||
used by
|
||||
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||
when starting a container. Files of this type are named after the
|
||||
containers they define settings for. They are optional, and only
|
||||
required for containers whose execution environment shall differ
|
||||
from the defaults. Files of this type mostly contain settings that
|
||||
may also be set on the <command>systemd-nspawn</command> command
|
||||
line, and make it easier to persistently attach specific settings
|
||||
to specific containers. The syntax of these files is inspired by
|
||||
<filename>.desktop</filename> files following the <ulink
|
||||
url="http://standards.freedesktop.org/desktop-entry-spec/latest/">XDG
|
||||
Desktop Entry Specification</ulink>, which are in turn inspired by
|
||||
Microsoft Windows <filename>.ini</filename> files.</para>
|
||||
|
||||
<para>Boolean arguments used in these settings files can be
|
||||
written in various formats. For positive settings the strings
|
||||
<option>1</option>, <option>yes</option>, <option>true</option>
|
||||
and <option>on</option> are equivalent. For negative settings, the
|
||||
strings <option>0</option>, <option>no</option>,
|
||||
<option>false</option> and <option>off</option> are
|
||||
equivalent.</para>
|
||||
|
||||
<para>Empty lines and lines starting with # or ; are
|
||||
ignored. This may be used for commenting. Lines ending
|
||||
in a backslash are concatenated with the following
|
||||
line while reading and the backslash is replaced by a
|
||||
space character. This may be used to wrap long lines.</para>
|
||||
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title><filename>.nspawn</filename> File Discovery</title>
|
||||
|
||||
<para>Files are searched by appending the
|
||||
<filename>.nspawn</filename> suffix to the machine name of the
|
||||
container, as specified with the <option>--machine=</option>
|
||||
switch of <command>systemd-nspawn</command>, or derived from the
|
||||
directory or image file name. This file is first searched in
|
||||
<filename>/etc/systemd/nspawn/</filename> and
|
||||
<filename>/run/systemd/nspawn/</filename>. If found in these
|
||||
directories its settings are read and all of them take full effect
|
||||
(but are possibly overriden by corresponding command line
|
||||
arguments). If not found the file will then be searched next to
|
||||
the image file or in the immediate parent of the root directory of
|
||||
the container. If the file is found there only a subset of the
|
||||
settings will take effect however. All settings that possibly
|
||||
elevate privileges or grant additional access to resources of the
|
||||
host (such as files or directories) are ignored. To which options
|
||||
this applies is documented below.</para>
|
||||
|
||||
<para>Persistent settings file created and maintained by the
|
||||
administrator (and thus trusted) should be placed in
|
||||
<filename>/etc/systemd/nspawn/</filename>, while automatically
|
||||
downloaded (and thus potentially untrusted) settings files are
|
||||
placed in <filename>/var/lib/machines/</filename> instead (next to
|
||||
the container images), where their security impact is limited. In
|
||||
order to add privileged settings to <filename>.nspawn</filename>
|
||||
files acquired from the image vendor it is recommended to copy the
|
||||
settings files into <filename>/etc/systemd/nspawn/</filename> and
|
||||
edit them there, so that the privileged options become
|
||||
available. The precise algorithm how the files are searched and
|
||||
interpreted may be configured with
|
||||
<command>systemd-nspawn</command>'s <option>--settings=</option>
|
||||
switch, see
|
||||
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||
for details.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>[Exec] Section Options</title>
|
||||
|
||||
<para>Settings files may include an <literal>[Exec]</literal>
|
||||
section, which carries various execution parameters:</para>
|
||||
|
||||
<variablelist>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>Boot=</varname></term>
|
||||
|
||||
<listitem><para>Takes a boolean argument, defaults to off. If
|
||||
enabled <command>systemd-nspawn</command> will automatically
|
||||
search for an <filename>init</filename> executable and invoke
|
||||
it. In this case the specified parameters using
|
||||
<varname>Parameters=</varname> are passed as additional
|
||||
arguments to the <filename>init</filename> process. This
|
||||
setting corresponds to the <option>--boot</option> switch on
|
||||
the <command>systemd-nspawn</command> command
|
||||
line. </para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>Parameters=</varname></term>
|
||||
|
||||
<listitem><para>Takes a space separated list of
|
||||
arguments. This is either a command line, beginning with the
|
||||
binary name to execute, or – if <varname>Boot=</varname> is
|
||||
enabled – the list of arguments to pass to the init
|
||||
process. This setting corresponds to the command line
|
||||
parameters passed on the <command>systemd-nspawn</command>
|
||||
command line.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>Environment=</varname></term>
|
||||
|
||||
<listitem><para>Takes an environment variable assignment
|
||||
consisting of key and value, separated by
|
||||
<literal>=</literal>. Sets an environment variable for the
|
||||
main process invoked in the container. This setting may be
|
||||
used multiple times to set multiple environment variables. It
|
||||
corresponds to the <option>--setenv=</option> command line
|
||||
switch.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>User=</varname></term>
|
||||
|
||||
<listitem><para>Takes a UNIX user name. Specifies the user
|
||||
name to invoke the main process of the container as. This user
|
||||
must be known in the container's user database. This
|
||||
corresponds to the <option>--user=</option> command line
|
||||
switch.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>Capability=</varname></term>
|
||||
<term><varname>DropCapability=</varname></term>
|
||||
|
||||
<listitem><para>Takes a space separated list of Linux process
|
||||
capabilities (see
|
||||
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
||||
for details). The <varname>Capability=</varname> setting
|
||||
specifies additional capabilities to pass on top of the
|
||||
default set of capabilites. The
|
||||
<varname>DropCapability=</varname> setting specifies
|
||||
capabilities to drop from the default set. These settings
|
||||
correspond to the <option>--capability=</option> and
|
||||
<option>--drop-capability=</option> command line
|
||||
switches. Note that <varname>Capability=</varname> is a
|
||||
privileged setting, and only takes effect in
|
||||
<filename>.nspawn</filename> files in
|
||||
<filename>/etc/systemd/nspawn/</filename> and
|
||||
<filename>/run/system/nspawn/</filename> (see above). On the
|
||||
other hand <varname>DropCapability=</varname> takes effect in
|
||||
all cases.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>Personality=</varname></term>
|
||||
|
||||
<listitem><para>Configures the kernel personality for the
|
||||
container. This is equivalent to the
|
||||
<option>--personality=</option> switch.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>MachineID=</varname></term>
|
||||
|
||||
<listitem><para>Configures the 128bit machine ID (UUID) to pass to
|
||||
the container. This is equivalent to the
|
||||
<option>--uuid=</option> command line switch. This option is
|
||||
privileged (see above). </para></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>[Files] Section Options</title>
|
||||
|
||||
<para>Settings files may include a <literal>[Files]</literal>
|
||||
section, which carries various parameters configuring the file
|
||||
system of the container:</para>
|
||||
|
||||
<variablelist>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>ReadOnly=</varname></term>
|
||||
|
||||
<listitem><para>Takes a boolean argument, defaults to off. If
|
||||
specified the container will be run with a read-only file
|
||||
system. This setting corresponds to the
|
||||
<option>--read-only</option> command line
|
||||
switch.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>Volatile=</varname></term>
|
||||
|
||||
<listitem><para>Takes a boolean argument, or the special value
|
||||
<literal>state</literal>. This configures whether to run the
|
||||
container with volatile state and/or configuration. This
|
||||
option is equivalent to <option>--volatile=</option>, see
|
||||
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||
for details about the specific options
|
||||
supported.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>Bind=</varname></term>
|
||||
<term><varname>BindReadOnly=</varname></term>
|
||||
|
||||
<listitem><para>Adds a bind mount from the host into the
|
||||
container. Takes a single path, a pair of two paths separated
|
||||
by a colon, or a triplet of two paths plus an option string
|
||||
separated by colons. This option may be used multiple times to
|
||||
configure multiple bind mounts. This option is equivalent to
|
||||
the command line switches <option>--bind=</option> and
|
||||
<option>--bind-ro=</option>, see
|
||||
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||
for details about the specific options supported. This setting
|
||||
is privileged (see above).</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>TemporaryFileSystem=</varname></term>
|
||||
|
||||
<listitem><para>Adds a <literal>tmpfs</literal> mount to the
|
||||
container. Takes a path or a pair of path and option string,
|
||||
separated by a colon. This option may be used mutiple times to
|
||||
configure multiple <literal>tmpfs</literal> mounts. This
|
||||
option is equivalent to the command line switch
|
||||
<option>--tmpfs=</option>, see
|
||||
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||
for details about the specific options supported. This setting
|
||||
is privileged (see above).</para></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>[Network] Section Options</title>
|
||||
|
||||
<para>Settings files may include a <literal>[Network]</literal>
|
||||
section, which carries various parameters configuring the network
|
||||
connectivity of the container:</para>
|
||||
|
||||
<variablelist>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>Private=</varname></term>
|
||||
|
||||
<listitem><para>Takes a boolean argument, defaults to off. If
|
||||
enabled the container will run in its own network namespace
|
||||
and not share network interfaces and configuration with the
|
||||
host. This setting corresponds to the
|
||||
<option>--private-network</option> command line
|
||||
switch.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>VirtualEthernet=</varname></term>
|
||||
|
||||
<listitem><para>Takes a boolean argument. Configures whether
|
||||
to create a virtual ethernet connection
|
||||
(<literal>veth</literal>) between host and the container. This
|
||||
setting implies <varname>Private=yes</varname>. This setting
|
||||
corresponds to the <option>--network-veth</option> command
|
||||
line switch. This option is privileged (see
|
||||
above).</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>Interface=</varname></term>
|
||||
|
||||
<listitem><para>Takes a space separated list of interfaces to
|
||||
add to the container. This option corresponds to the
|
||||
<option>--network-interface=</option> command line switch and
|
||||
implies <varname>Private=yes</varname>. This option is
|
||||
privileged (see above).</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>MACVLAN=</varname></term>
|
||||
<term><varname>IPVLAN=</varname></term>
|
||||
|
||||
<listitem><para>Takes a space separated list of interfaces to
|
||||
add MACLVAN or IPVLAN interfaces to, which are then added to
|
||||
the container. These options correspond to the
|
||||
<option>--network-macvlan=</option> and
|
||||
<option>--network-ipvlan=</option> command line switches and
|
||||
imply <varname>Private=yes</varname>. These options are
|
||||
privileged (see above).</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>Bridge=</varname></term>
|
||||
|
||||
<listitem><para>Takes an interface name. This setting implies
|
||||
<varname>VirtualEthernet=yes</varname> and
|
||||
<varname>Private=yes</varname> and has the effect that the
|
||||
host side of the created virtual Ethernet link is connected to
|
||||
the specified bridge interface. This option corresponds to the
|
||||
<option>--network-bridge=</option> command line switch. This
|
||||
option is privileged (see above).</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><varname>Port=</varname></term>
|
||||
|
||||
<listitem><para>Exposes a TCP or UDP port of the container on
|
||||
the host. This option corresponds to the
|
||||
<option>--port=</option> command line switch, see
|
||||
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||
for the precise syntax of the argument this option takes. This
|
||||
option is privileged (see above).</para></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See Also</title>
|
||||
<para>
|
||||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
</refentry>
|
|
@ -256,7 +256,7 @@
|
|||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Unit Load Path</title>
|
||||
<title>Unit File Load Path</title>
|
||||
|
||||
<para>Unit files are loaded from a set of paths determined during
|
||||
compilation, described in the two tables below. Unit files found
|
||||
|
|
|
@ -22,7 +22,6 @@
|
|||
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
||||
***/
|
||||
|
||||
|
||||
int conf_files_list(char ***strv, const char *suffix, const char *root, const char *dir, ...);
|
||||
int conf_files_list_strv(char ***strv, const char *suffix, const char *root, const char* const* dirs);
|
||||
int conf_files_list_nulstr(char ***strv, const char *suffix, const char *root, const char *dirs);
|
||||
int conf_files_list(char ***ret, const char *suffix, const char *root, const char *dir, ...);
|
||||
int conf_files_list_strv(char ***ret, const char *suffix, const char *root, const char* const* dirs);
|
||||
int conf_files_list_nulstr(char ***ret, const char *suffix, const char *root, const char *dirs);
|
||||
|
|
|
@ -106,7 +106,7 @@ m4_define(`KILL_CONTEXT_CONFIG_ITEMS',
|
|||
`$1.SendSIGKILL, config_parse_bool, 0, offsetof($1, kill_context.send_sigkill)
|
||||
$1.SendSIGHUP, config_parse_bool, 0, offsetof($1, kill_context.send_sighup)
|
||||
$1.KillMode, config_parse_kill_mode, 0, offsetof($1, kill_context.kill_mode)
|
||||
$1.KillSignal, config_parse_kill_signal, 0, offsetof($1, kill_context.kill_signal)'
|
||||
$1.KillSignal, config_parse_signal, 0, offsetof($1, kill_context.kill_signal)'
|
||||
)m4_dnl
|
||||
m4_define(`CGROUP_CONTEXT_CONFIG_ITEMS',
|
||||
`$1.Slice, config_parse_unit_slice, 0, 0
|
||||
|
|
|
@ -1048,7 +1048,7 @@ int config_parse_bounding_set(const char *unit,
|
|||
|
||||
cap = capability_from_name(t);
|
||||
if (cap < 0) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, errno, "Failed to parse capability in bounding set, ignoring: %s", t);
|
||||
log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Failed to parse capability in bounding set, ignoring: %s", t);
|
||||
continue;
|
||||
}
|
||||
|
||||
|
@ -1143,39 +1143,8 @@ int config_parse_sysv_priority(const char *unit,
|
|||
#endif
|
||||
|
||||
DEFINE_CONFIG_PARSE_ENUM(config_parse_exec_utmp_mode, exec_utmp_mode, ExecUtmpMode, "Failed to parse utmp mode");
|
||||
|
||||
DEFINE_CONFIG_PARSE_ENUM(config_parse_kill_mode, kill_mode, KillMode, "Failed to parse kill mode");
|
||||
|
||||
int config_parse_kill_signal(const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
|
||||
int *sig = data;
|
||||
int r;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
assert(rvalue);
|
||||
assert(sig);
|
||||
|
||||
r = signal_from_string_try_harder(rvalue);
|
||||
if (r <= 0) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, -r,
|
||||
"Failed to parse kill signal, ignoring: %s", rvalue);
|
||||
return 0;
|
||||
}
|
||||
|
||||
*sig = r;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_exec_mount_flags(const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
|
@ -3021,36 +2990,6 @@ int config_parse_job_mode_isolate(
|
|||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_personality(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
|
||||
unsigned long *personality = data, p;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
assert(rvalue);
|
||||
assert(personality);
|
||||
|
||||
p = personality_from_string(rvalue);
|
||||
if (p == PERSONALITY_INVALID) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, EINVAL,
|
||||
"Failed to parse personality, ignoring: %s", rvalue);
|
||||
return 0;
|
||||
}
|
||||
|
||||
*personality = p;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_runtime_directory(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
|
@ -3720,7 +3659,7 @@ void unit_dump_config_items(FILE *f) {
|
|||
{ config_parse_sysv_priority, "SYSVPRIORITY" },
|
||||
#endif
|
||||
{ config_parse_kill_mode, "KILLMODE" },
|
||||
{ config_parse_kill_signal, "SIGNAL" },
|
||||
{ config_parse_signal, "SIGNAL" },
|
||||
{ config_parse_socket_listen, "SOCKET [...]" },
|
||||
{ config_parse_socket_bind, "SOCKETBIND" },
|
||||
{ config_parse_socket_bindtodevice, "NETWORKINTERFACE" },
|
||||
|
|
|
@ -92,7 +92,6 @@ int config_parse_blockio_bandwidth(const char *unit, const char *filename, unsig
|
|||
int config_parse_job_mode(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_job_mode_isolate(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_exec_selinux_context(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_personality(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_exec_apparmor_profile(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_exec_smack_process_label(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_address_families(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
|
|
|
@ -1416,9 +1416,14 @@ int unit_start(Unit *u) {
|
|||
|
||||
assert(u);
|
||||
|
||||
/* Units that aren't loaded cannot be started */
|
||||
if (u->load_state != UNIT_LOADED)
|
||||
return -EINVAL;
|
||||
|
||||
/* Units of types that aren't supported annot be started either */
|
||||
if (!unit_supported(u))
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
/* If this is already started, then this will succeed. Note
|
||||
* that this will even succeed if this unit is not startable
|
||||
* by the user. This is relied on to detect when we need to
|
||||
|
@ -1451,9 +1456,6 @@ int unit_start(Unit *u) {
|
|||
return unit_start(following);
|
||||
}
|
||||
|
||||
if (!unit_supported(u))
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
/* If it is stopped, but we cannot start it, then fail */
|
||||
if (!UNIT_VTABLE(u)->start)
|
||||
return -EBADR;
|
||||
|
@ -1472,6 +1474,12 @@ int unit_start(Unit *u) {
|
|||
bool unit_can_start(Unit *u) {
|
||||
assert(u);
|
||||
|
||||
if (u->load_state != UNIT_LOADED)
|
||||
return false;
|
||||
|
||||
if (!unit_supported(u))
|
||||
return false;
|
||||
|
||||
return !!UNIT_VTABLE(u)->start;
|
||||
}
|
||||
|
||||
|
|
|
@ -1789,10 +1789,9 @@ static int nologin_timeout_handler(
|
|||
}
|
||||
|
||||
static int update_schedule_file(Manager *m) {
|
||||
|
||||
int r;
|
||||
_cleanup_free_ char *temp_path = NULL;
|
||||
_cleanup_fclose_ FILE *f = NULL;
|
||||
_cleanup_free_ char *t = NULL, *temp_path = NULL;
|
||||
int r;
|
||||
|
||||
assert(m);
|
||||
|
||||
|
@ -1800,12 +1799,6 @@ static int update_schedule_file(Manager *m) {
|
|||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to create shutdown subdirectory: %m");
|
||||
|
||||
if (!isempty(m->wall_message)) {
|
||||
t = cescape(m->wall_message);
|
||||
if (!t)
|
||||
return log_oom();
|
||||
}
|
||||
|
||||
r = fopen_temporary("/run/systemd/shutdown/scheduled", &f, &temp_path);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to save information about scheduled shutdowns: %m");
|
||||
|
@ -1820,8 +1813,17 @@ static int update_schedule_file(Manager *m) {
|
|||
m->enable_wall_messages,
|
||||
m->scheduled_shutdown_type);
|
||||
|
||||
if (t)
|
||||
if (!isempty(m->wall_message)) {
|
||||
_cleanup_free_ char *t;
|
||||
|
||||
t = cescape(m->wall_message);
|
||||
if (!t) {
|
||||
r = -ENOMEM;
|
||||
goto fail;
|
||||
}
|
||||
|
||||
fprintf(f, "WALL_MESSAGE=%s\n", t);
|
||||
}
|
||||
|
||||
r = fflush_and_check(f);
|
||||
if (r < 0)
|
||||
|
|
|
@ -547,8 +547,18 @@ int machine_openpt(Machine *m, int flags) {
|
|||
|
||||
switch (m->class) {
|
||||
|
||||
case MACHINE_HOST:
|
||||
return posix_openpt(flags);
|
||||
case MACHINE_HOST: {
|
||||
int fd;
|
||||
|
||||
fd = posix_openpt(flags);
|
||||
if (fd < 0)
|
||||
return -errno;
|
||||
|
||||
if (unlockpt(fd) < 0)
|
||||
return -errno;
|
||||
|
||||
return fd;
|
||||
}
|
||||
|
||||
case MACHINE_CONTAINER:
|
||||
if (m->leader <= 0)
|
||||
|
|
1
src/nspawn/.gitignore
vendored
Normal file
1
src/nspawn/.gitignore
vendored
Normal file
|
@ -0,0 +1 @@
|
|||
/nspawn-gperf.c
|
38
src/nspawn/nspawn-gperf.gperf
Normal file
38
src/nspawn/nspawn-gperf.gperf
Normal file
|
@ -0,0 +1,38 @@
|
|||
%{
|
||||
#include <stddef.h>
|
||||
#include "conf-parser.h"
|
||||
#include "nspawn.h"
|
||||
#include "nspawn-settings.h"
|
||||
%}
|
||||
struct ConfigPerfItem;
|
||||
%null_strings
|
||||
%language=ANSI-C
|
||||
%define slot-name section_and_lvalue
|
||||
%define hash-function-name nspawn_gperf_hash
|
||||
%define lookup-function-name nspawn_gperf_lookup
|
||||
%readonly-tables
|
||||
%omit-struct-type
|
||||
%struct-type
|
||||
%includes
|
||||
%%
|
||||
Exec.Boot, config_parse_tristate, 0, offsetof(Settings, boot)
|
||||
Exec.Parameters, config_parse_strv, 0, offsetof(Settings, parameters)
|
||||
Exec.Environment, config_parse_strv, 0, offsetof(Settings, environment)
|
||||
Exec.User, config_parse_string, 0, offsetof(Settings, user)
|
||||
Exec.Capability, config_parse_capability, 0, offsetof(Settings, capability)
|
||||
Exec.DropCapability, config_parse_capability, 0, offsetof(Settings, drop_capability)
|
||||
Exec.KillSignal, config_parse_signal, 0, offsetof(Settings, kill_signal)
|
||||
Exec.Personality, config_parse_personality, 0, offsetof(Settings, personality)
|
||||
Exec.MachineID, config_parse_id128, 0, offsetof(Settings, machine_id)
|
||||
Files.ReadOnly, config_parse_tristate, 0, offsetof(Settings, read_only)
|
||||
Files.Volatile, config_parse_volatile_mode, 0, offsetof(Settings, volatile_mode)
|
||||
Files.Bind, config_parse_bind, 0, 0
|
||||
Files.BindReadOnly, config_parse_bind, 1, 0
|
||||
Files.TemporaryFileSystem, config_parse_tmpfs, 0, 0
|
||||
Network.Private, config_parse_tristate, 0, offsetof(Settings, private_network)
|
||||
Network.Interface, config_parse_strv, 0, offsetof(Settings, network_interfaces)
|
||||
Network.MACVLAN, config_parse_strv, 0, offsetof(Settings, network_macvlan)
|
||||
Network.IPVLAN, config_parse_strv, 0, offsetof(Settings, network_ipvlan)
|
||||
Network.VirtualEthernet, config_parse_tristate, 0, offsetof(Settings, network_veth)
|
||||
Network.Bridge config_parse_string, 0, offsetof(Settings, network_bridge)
|
||||
Network.Port, config_parse_expose_port, 0, 0
|
263
src/nspawn/nspawn-settings.c
Normal file
263
src/nspawn/nspawn-settings.c
Normal file
|
@ -0,0 +1,263 @@
|
|||
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
|
||||
|
||||
/***
|
||||
This file is part of systemd.
|
||||
|
||||
Copyright 2015 Lennart Poettering
|
||||
|
||||
systemd is free software; you can redistribute it and/or modify it
|
||||
under the terms of the GNU Lesser General Public License as published by
|
||||
the Free Software Foundation; either version 2.1 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
systemd is distributed in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
Lesser General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public License
|
||||
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
||||
***/
|
||||
|
||||
#include "util.h"
|
||||
#include "conf-parser.h"
|
||||
#include "strv.h"
|
||||
#include "cap-list.h"
|
||||
|
||||
#include "nspawn.h"
|
||||
#include "nspawn-settings.h"
|
||||
|
||||
int settings_load(FILE *f, const char *path, Settings **ret) {
|
||||
_cleanup_(settings_freep) Settings *s = NULL;
|
||||
int r;
|
||||
|
||||
assert(path);
|
||||
assert(ret);
|
||||
|
||||
s = new0(Settings, 1);
|
||||
if (!s)
|
||||
return -ENOMEM;
|
||||
|
||||
s->boot = -1;
|
||||
s->personality = PERSONALITY_INVALID;
|
||||
|
||||
s->read_only = -1;
|
||||
s->volatile_mode = _VOLATILE_MODE_INVALID;
|
||||
|
||||
s->private_network = -1;
|
||||
s->network_veth = -1;
|
||||
|
||||
r = config_parse(NULL, path, f,
|
||||
"Exec\0"
|
||||
"Network\0"
|
||||
"Files\0",
|
||||
config_item_perf_lookup, nspawn_gperf_lookup,
|
||||
false,
|
||||
false,
|
||||
true,
|
||||
s);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
*ret = s;
|
||||
s = NULL;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
Settings* settings_free(Settings *s) {
|
||||
|
||||
if (!s)
|
||||
return NULL;
|
||||
|
||||
strv_free(s->parameters);
|
||||
strv_free(s->environment);
|
||||
free(s->user);
|
||||
|
||||
strv_free(s->network_interfaces);
|
||||
strv_free(s->network_macvlan);
|
||||
strv_free(s->network_ipvlan);
|
||||
free(s->network_bridge);
|
||||
expose_port_free_all(s->expose_ports);
|
||||
|
||||
custom_mount_free_all(s->custom_mounts, s->n_custom_mounts);
|
||||
free(s);
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
DEFINE_CONFIG_PARSE_ENUM(config_parse_volatile_mode, volatile_mode, VolatileMode, "Failed to parse volatile mode");
|
||||
|
||||
int config_parse_expose_port(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
|
||||
Settings *s = data;
|
||||
int r;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
assert(rvalue);
|
||||
|
||||
r = expose_port_parse(&s->expose_ports, rvalue);
|
||||
if (r == -EEXIST) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, r, "Duplicate port specification, ignoring: %s", rvalue);
|
||||
return 0;
|
||||
}
|
||||
if (r < 0) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse host port %s: %m", rvalue);
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_capability(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
|
||||
uint64_t u = 0, *result = data;
|
||||
int r;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
assert(rvalue);
|
||||
|
||||
for (;;) {
|
||||
_cleanup_free_ char *word = NULL;
|
||||
int cap;
|
||||
|
||||
r = extract_first_word(&rvalue, &word, NULL, 0);
|
||||
if (r < 0) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to extract capability string, ignoring: %s", rvalue);
|
||||
return 0;
|
||||
}
|
||||
if (r == 0)
|
||||
break;
|
||||
|
||||
cap = capability_from_name(word);
|
||||
if (cap < 0) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, cap, "Failed to parse capability, ignoring: %s", word);
|
||||
continue;
|
||||
}
|
||||
|
||||
u |= 1 << ((uint64_t) cap);
|
||||
}
|
||||
|
||||
if (u == 0)
|
||||
return 0;
|
||||
|
||||
*result |= u;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_id128(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
|
||||
sd_id128_t t, *result = data;
|
||||
int r;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
assert(rvalue);
|
||||
|
||||
r = sd_id128_from_string(rvalue, &t);
|
||||
if (r < 0) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse 128bit ID/UUID, ignoring: %s", rvalue);
|
||||
return 0;
|
||||
}
|
||||
|
||||
*result = t;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_bind(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
|
||||
Settings *settings = data;
|
||||
int r;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
assert(rvalue);
|
||||
|
||||
r = bind_mount_parse(&settings->custom_mounts, &settings->n_custom_mounts, rvalue, ltype);
|
||||
if (r < 0) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, r, "Invalid bind mount specification %s: %m", rvalue);
|
||||
return 0;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_tmpfs(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
|
||||
Settings *settings = data;
|
||||
int r;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
assert(rvalue);
|
||||
|
||||
r = tmpfs_mount_parse(&settings->custom_mounts, &settings->n_custom_mounts, rvalue);
|
||||
if (r < 0) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, r, "Invalid temporary file system specification %s: %m", rvalue);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (settings->network_bridge)
|
||||
settings->network_veth = true;
|
||||
|
||||
if (settings->network_interfaces ||
|
||||
settings->network_macvlan ||
|
||||
settings->network_ipvlan ||
|
||||
settings->network_bridge ||
|
||||
settings->network_veth)
|
||||
settings->private_network = true;
|
||||
|
||||
return 0;
|
||||
}
|
85
src/nspawn/nspawn-settings.h
Normal file
85
src/nspawn/nspawn-settings.h
Normal file
|
@ -0,0 +1,85 @@
|
|||
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
|
||||
|
||||
#pragma once
|
||||
|
||||
/***
|
||||
This file is part of systemd.
|
||||
|
||||
Copyright 2015 Lennart Poettering
|
||||
|
||||
systemd is free software; you can redistribute it and/or modify it
|
||||
under the terms of the GNU Lesser General Public License as published by
|
||||
the Free Software Foundation; either version 2.1 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
systemd is distributed in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
Lesser General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public License
|
||||
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
||||
***/
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
#include "macro.h"
|
||||
#include "nspawn.h"
|
||||
|
||||
typedef enum SettingsMask {
|
||||
SETTING_BOOT = 1 << 0,
|
||||
SETTING_ENVIRONMENT = 1 << 1,
|
||||
SETTING_USER = 1 << 2,
|
||||
SETTING_CAPABILITY = 1 << 3,
|
||||
SETTING_KILL_SIGNAL = 1 << 4,
|
||||
SETTING_PERSONALITY = 1 << 5,
|
||||
SETTING_MACHINE_ID = 1 << 6,
|
||||
SETTING_NETWORK = 1 << 7,
|
||||
SETTING_EXPOSE_PORTS = 1 << 8,
|
||||
SETTING_READ_ONLY = 1 << 9,
|
||||
SETTING_VOLATILE_MODE = 1 << 10,
|
||||
SETTING_CUSTOM_MOUNTS = 1 << 11,
|
||||
_SETTINGS_MASK_ALL = (1 << 12) -1
|
||||
} SettingsMask;
|
||||
|
||||
typedef struct Settings {
|
||||
/* [Run] */
|
||||
int boot;
|
||||
char **parameters;
|
||||
char **environment;
|
||||
char *user;
|
||||
uint64_t capability;
|
||||
uint64_t drop_capability;
|
||||
int kill_signal;
|
||||
unsigned long personality;
|
||||
sd_id128_t machine_id;
|
||||
|
||||
/* [Image] */
|
||||
int read_only;
|
||||
VolatileMode volatile_mode;
|
||||
CustomMount *custom_mounts;
|
||||
unsigned n_custom_mounts;
|
||||
|
||||
/* [Network] */
|
||||
int private_network;
|
||||
int network_veth;
|
||||
char *network_bridge;
|
||||
char **network_interfaces;
|
||||
char **network_macvlan;
|
||||
char **network_ipvlan;
|
||||
ExposePort *expose_ports;
|
||||
} Settings;
|
||||
|
||||
int settings_load(FILE *f, const char *path, Settings **ret);
|
||||
Settings* settings_free(Settings *s);
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(Settings*, settings_free);
|
||||
|
||||
const struct ConfigPerfItem* nspawn_gperf_lookup(const char *key, unsigned length);
|
||||
|
||||
int config_parse_capability(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_id128(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_expose_port(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_volatile_mode(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_bind(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_tmpfs(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
File diff suppressed because it is too large
Load diff
69
src/nspawn/nspawn.h
Normal file
69
src/nspawn/nspawn.h
Normal file
|
@ -0,0 +1,69 @@
|
|||
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
|
||||
|
||||
#pragma once
|
||||
|
||||
/***
|
||||
This file is part of systemd.
|
||||
|
||||
Copyright 2015 Lennart Poettering
|
||||
|
||||
systemd is free software; you can redistribute it and/or modify it
|
||||
under the terms of the GNU Lesser General Public License as published by
|
||||
the Free Software Foundation; either version 2.1 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
systemd is distributed in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
Lesser General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public License
|
||||
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
||||
***/
|
||||
|
||||
#include <inttypes.h>
|
||||
#include <stdbool.h>
|
||||
|
||||
#include "list.h"
|
||||
|
||||
typedef enum VolatileMode {
|
||||
VOLATILE_NO,
|
||||
VOLATILE_YES,
|
||||
VOLATILE_STATE,
|
||||
_VOLATILE_MODE_MAX,
|
||||
_VOLATILE_MODE_INVALID = -1
|
||||
} VolatileMode;
|
||||
|
||||
typedef enum CustomMountType {
|
||||
CUSTOM_MOUNT_BIND,
|
||||
CUSTOM_MOUNT_TMPFS,
|
||||
CUSTOM_MOUNT_OVERLAY,
|
||||
_CUSTOM_MOUNT_TYPE_MAX,
|
||||
_CUSTOM_MOUNT_TYPE_INVALID = -1
|
||||
} CustomMountType;
|
||||
|
||||
typedef struct CustomMount {
|
||||
CustomMountType type;
|
||||
bool read_only;
|
||||
char *source; /* for overlayfs this is the upper directory */
|
||||
char *destination;
|
||||
char *options;
|
||||
char *work_dir;
|
||||
char **lower;
|
||||
} CustomMount;
|
||||
|
||||
typedef struct ExposePort {
|
||||
int protocol;
|
||||
uint16_t host_port;
|
||||
uint16_t container_port;
|
||||
LIST_FIELDS(struct ExposePort, ports);
|
||||
} ExposePort;
|
||||
|
||||
void custom_mount_free_all(CustomMount *l, unsigned n);
|
||||
int bind_mount_parse(CustomMount **l, unsigned *n, const char *s, bool read_only);
|
||||
int tmpfs_mount_parse(CustomMount **l, unsigned *n, const char *s);
|
||||
|
||||
void expose_port_free_all(ExposePort *p);
|
||||
int expose_port_parse(ExposePort **l, const char *s);
|
||||
|
||||
VolatileMode volatile_mode_from_string(const char *s);
|
|
@ -24,7 +24,7 @@
|
|||
#include <errno.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "conf-parser.h"
|
||||
#include "sd-messages.h"
|
||||
#include "conf-files.h"
|
||||
#include "util.h"
|
||||
#include "macro.h"
|
||||
|
@ -32,7 +32,8 @@
|
|||
#include "log.h"
|
||||
#include "utf8.h"
|
||||
#include "path-util.h"
|
||||
#include "sd-messages.h"
|
||||
#include "signal-util.h"
|
||||
#include "conf-parser.h"
|
||||
|
||||
int config_item_table_lookup(
|
||||
const void *table,
|
||||
|
@ -575,6 +576,39 @@ int config_parse_bool(const char* unit,
|
|||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_tristate(
|
||||
const char* unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
|
||||
int k, *t = data;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
assert(rvalue);
|
||||
assert(data);
|
||||
|
||||
/* A tristate is pretty much a boolean, except that it can
|
||||
* also take the special value -1, indicating "uninitialized",
|
||||
* much like NULL is for a pointer type. */
|
||||
|
||||
k = parse_boolean(rvalue);
|
||||
if (k < 0) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, k, "Failed to parse boolean value, ignoring: %s", rvalue);
|
||||
return 0;
|
||||
}
|
||||
|
||||
*t = !!k;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_string(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
|
@ -802,3 +836,61 @@ int config_parse_log_level(
|
|||
*o = (*o & LOG_FACMASK) | x;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_signal(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
|
||||
int *sig = data, r;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
assert(rvalue);
|
||||
assert(sig);
|
||||
|
||||
r = signal_from_string_try_harder(rvalue);
|
||||
if (r <= 0) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Failed to parse signal name, ignoring: %s", rvalue);
|
||||
return 0;
|
||||
}
|
||||
|
||||
*sig = r;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_personality(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
|
||||
unsigned long *personality = data, p;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
assert(rvalue);
|
||||
assert(personality);
|
||||
|
||||
p = personality_from_string(rvalue);
|
||||
if (p == PERSONALITY_INVALID) {
|
||||
log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Failed to parse personality, ignoring: %s", rvalue);
|
||||
return 0;
|
||||
}
|
||||
|
||||
*personality = p;
|
||||
return 0;
|
||||
}
|
||||
|
|
|
@ -111,6 +111,7 @@ int config_parse_iec_size(const char *unit, const char *filename, unsigned line,
|
|||
int config_parse_si_size(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_iec_off(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_bool(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_tristate(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_string(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_path(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_strv(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
|
@ -119,6 +120,8 @@ int config_parse_nsec(const char *unit, const char *filename, unsigned line, con
|
|||
int config_parse_mode(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_log_facility(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_log_level(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_signal(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
int config_parse_personality(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
|
||||
|
||||
#define log_invalid_utf8(unit, level, config_file, config_line, error, rvalue) \
|
||||
do { \
|
||||
|
|
|
@ -33,7 +33,7 @@
|
|||
|
||||
static const char image_search_path[] =
|
||||
"/var/lib/machines\0"
|
||||
"/var/lib/container\0"
|
||||
"/var/lib/container\0" /* legacy */
|
||||
"/usr/local/lib/machines\0"
|
||||
"/usr/lib/machines\0";
|
||||
|
||||
|
|
|
@ -13,7 +13,7 @@ Before=machines.target
|
|||
After=network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --machine=%I
|
||||
ExecStart=@bindir@/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth --settings=override --machine=%I
|
||||
KillMode=mixed
|
||||
Type=notify
|
||||
RestartForceExitStatus=133
|
||||
|
|
Loading…
Reference in a new issue