picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

nspawn: add new .nspawn files for container settings 

.nspawn fiels are simple settings files that may accompany container
images and directories and contain settings otherwise passed on the
nspawn command line. This provides an efficient way to attach execution
data directly to containers.
This commit is contained in:
Lennart Poettering 2015-09-06 01:22:14 +02:00
parent 5f430ff76e
commit f757855e81
17 changed files with 1544 additions and 299 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile-man.am
View File

@ -130,6 +130,7 @@ MANPAGES += \
man/systemd.kill.5 \
man/systemd.link.5 \
man/systemd.mount.5 \
man/systemd.nspawn.5 \
man/systemd.path.5 \
man/systemd.preset.5 \
man/systemd.resource-control.5 \
@ -2382,6 +2383,7 @@ EXTRA_DIST += \
man/systemd.mount.xml \
man/systemd.netdev.xml \
man/systemd.network.xml \
man/systemd.nspawn.xml \
man/systemd.path.xml \
man/systemd.preset.xml \
man/systemd.resource-control.xml \

13
Makefile.am
View File

@ -155,6 +155,7 @@ noinst_PROGRAMS =
TESTS =
endif
udevlibexec_PROGRAMS =
gperf_gperf_sources =
in_files = $(filter %.in,$(EXTRA_DIST))
in_in_files = $(filter %.in.in, $(in_files))
@ -220,6 +221,7 @@ AM_CPPFLAGS = \
-I $(top_builddir)/src/journal \
-I $(top_srcdir)/src/timedate \
-I $(top_srcdir)/src/timesync \
-I $(top_srcdir)/src/nspawn \
-I $(top_srcdir)/src/resolve \
-I $(top_builddir)/src/resolve \
-I $(top_srcdir)/src/systemd \
@ -2776,11 +2778,20 @@ systemd_cgtop_LDADD = \
# ------------------------------------------------------------------------------
systemd_nspawn_SOURCES = \
src/nspawn/nspawn.c \
src/nspawn/nspawn.h \
src/nspawn/nspawn-settings.c \
src/nspawn/nspawn-settings.h \
src/core/mount-setup.c \
src/core/mount-setup.h \
src/core/loopback-setup.c \
src/core/loopback-setup.h
nodist_systemd_nspawn_SOURCES = \
src/nspawn/nspawn-gperf.c
gperf_gperf_sources += \
src/nspawn/nspawn-gperf.gperf
systemd_nspawn_CFLAGS = \
$(AM_CFLAGS) \
$(BLKID_CFLAGS) \
@ -3486,7 +3497,7 @@ nodist_libudev_core_la_SOURCES = \
src/udev/keyboard-keys-to-name.h \
src/udev/net/link-config-gperf.c
gperf_gperf_sources = \
gperf_gperf_sources += \
src/udev/net/link-config-gperf.gperf
libudev_core_la_CFLAGS = \

67
man/systemd-nspawn.xml
View File

@ -1,4 +1,4 @@
<?xml version='1.0'?> <!--*-nxml-*-->
<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
@ -748,34 +748,86 @@
</varlistentry>
<varlistentry>
<term><option>--volatile</option><replaceable>=MODE</replaceable></term>
<term><option>--volatile</option></term>
<term><option>--volatile=</option><replaceable>MODE</replaceable></term>
<listitem><para>Boots the container in volatile mode. When no
mode parameter is passed or when mode is specified as
<literal>yes</literal> full volatile mode is enabled. This
<option>yes</option> full volatile mode is enabled. This
means the root directory is mounted as mostly unpopulated
<literal>tmpfs</literal> instance, and
<filename>/usr</filename> from the OS tree is mounted into it,
read-only (the system thus starts up with read-only OS
resources, but pristine state and configuration, any changes
to the either are lost on shutdown). When the mode parameter
is specified as <literal>state</literal> the OS tree is
is specified as <option>state</option> the OS tree is
mounted read-only, but <filename>/var</filename> is mounted as
<literal>tmpfs</literal> instance into it (the system thus
starts up with read-only OS resources and configuration, but
pristine state, any changes to the latter are lost on
shutdown). When the mode parameter is specified as
<literal>no</literal> (the default) the whole OS tree is made
<option>no</option> (the default) the whole OS tree is made
available writable.</para>
<para>Note that setting this to <literal>yes</literal> or
<literal>state</literal> will only work correctly with
<para>Note that setting this to <option>yes</option> or
<option>state</option> will only work correctly with
operating systems in the container that can boot up with only
<filename>/usr</filename> mounted, and are able to populate
<filename>/var</filename> automatically, as
needed.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--settings=</option><replaceable>MODE</replaceable></term>
<listitem><para>Controls whether
<command>systemd-nspawn</command> shall search for and use
additional per-container settings from
<filename>.nspawn</filename> files. Takes a boolean or the
special values <option>override</option> or
<option>trusted</option>.</para>
<para>If enabled (the default) a settings file named after the
machine (as specified with the <option>--machine=</option>
setting, or derived from the directory or image file name)
with the suffix <filename>.nspawn</filename> is searched in
<filename>/etc/systemd/nspawn/</filename> and
<filename>/run/systemd/nspawn/</filename>. If it is found
there, its settings are read and used. If it is not found
there it is subequently searched in the same directory as the
image file or in the immediate parent of the root directory of
the container. In this case, if the file is found its settings
will be also read and used, but potentially unsafe settings
are ignored. Note that in both these cases settings on the
command line take precendence over the corresponding settings
from loaded <filename>.nspawn</filename> files, if both are
specified. Unsafe settings are considered all settings that
elevate the container's privileges or grant access to
additional resources such as files or directories of the
host. For details about the format and contents of
<filename>.nspawn</filename> files consult
<citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
<para>If this option is set to <option>override</option> the
file is searched, read and used the same way, however the order of
precedence is reversed: settings read from the
<filename>.nspawn</filename> file will take precedence over
the corresponding command line options, if both are
specified.</para>
<para>If this option is set to <option>trusted</option> the
file is searched, read and used the same way, but regardless
if found in <filename>/etc/systemd/nspawn/</filename>,
<filename>/run/systemd/nspawn/</filename> or next to the image
file or container root directory, all settings will take
effect, however command line arguments still take precedence
over corresponding settings.</para>
<para>If disabled no <filename>.nspawn</filename> file is read
and no settings except the ones on the command line are in
effect.</para></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
</variablelist>
@ -859,6 +911,7 @@
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.nspawn</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry project='mankier'><refentrytitle>dnf</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='die-net'><refentrytitle>yum</refentrytitle><manvolnum>8</manvolnum></citerefentry>,

383
man/systemd.nspawn.xml Normal file
View File

@ -0,0 +1,383 @@
<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % entities SYSTEM "custom-entities.ent" >
%entities;
]>
<!--
This file is part of systemd.
Copyright 2015 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="systemd.nspawn">
<refentryinfo>
<title>systemd.nspawn</title>
<productname>systemd</productname>
<authorgroup>
<author>
<contrib>Developer</contrib>
<firstname>Lennart</firstname>
<surname>Poettering</surname>
<email>lennart@poettering.net</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>systemd.nspawn</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>systemd.nspawn</refname>
<refpurpose>Container settings</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><filename>/etc/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
<para><filename>/run/systemd/nspawn/<replaceable>machine</replaceable>.nspawn</filename></para>
<para><filename>/var/lib/machines/<replaceable>machine</replaceable>.nspawn</filename></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>An nspawn container settings file (suffix
<filename>.nspawn</filename>) encodes additional runtime
information about a local container, and is searched, read and
used by
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
when starting a container. Files of this type are named after the
containers they define settings for. They are optional, and only
required for containers whose execution environment shall differ
from the defaults. Files of this type mostly contain settings that
may also be set on the <command>systemd-nspawn</command> command
line, and make it easier to persistently attach specific settings
to specific containers. The syntax of these files is inspired by
<filename>.desktop</filename> files following the <ulink
url="http://standards.freedesktop.org/desktop-entry-spec/latest/">XDG
Desktop Entry Specification</ulink>, which are in turn inspired by
Microsoft Windows <filename>.ini</filename> files.</para>
<para>Boolean arguments used in these settings files can be
written in various formats. For positive settings the strings
<option>1</option>, <option>yes</option>, <option>true</option>
and <option>on</option> are equivalent. For negative settings, the
strings <option>0</option>, <option>no</option>,
<option>false</option> and <option>off</option> are
equivalent.</para>
<para>Empty lines and lines starting with # or ; are
ignored. This may be used for commenting. Lines ending
in a backslash are concatenated with the following
line while reading and the backslash is replaced by a
space character. This may be used to wrap long lines.</para>
</refsect1>
<refsect1>
<title><filename>.nspawn</filename> File Discovery</title>
<para>Files are searched by appending the
<filename>.nspawn</filename> suffix to the machine name of the
container, as specified with the <option>--machine=</option>
switch of <command>systemd-nspawn</command>, or derived from the
directory or image file name. This file is first searched in
<filename>/etc/systemd/nspawn/</filename> and
<filename>/run/systemd/nspawn/</filename>. If found in these
directories its settings are read and all of them take full effect
(but are possibly overriden by corresponding command line
arguments). If not found the file will then be searched next to
the image file or in the immediate parent of the root directory of
the container. If the file is found there only a subset of the
settings will take effect however. All settings that possibly
elevate privileges or grant additional access to resources of the
host (such as files or directories) are ignored. To which options
this applies is documented below.</para>
<para>Persistent settings file created and maintained by the
administrator (and thus trusted) should be placed in
<filename>/etc/systemd/nspawn/</filename>, while automatically
downloaded (and thus potentially untrusted) settings files are
placed in <filename>/var/lib/machines/</filename> instead (next to
the container images), where their security impact is limited. In
order to add privileged settings to <filename>.nspawn</filename>
files acquired from the image vendor it is recommended to copy the
settings files into <filename>/etc/systemd/nspawn/</filename> and
edit them there, so that the privileged options become
available. The precise algorithm how the files are searched and
interpreted may be configured with
<command>systemd-nspawn</command>'s <option>--settings=</option>
switch, see
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
for details.</para>
</refsect1>
<refsect1>
<title>[Exec] Section Options</title>
<para>Settings files may include an <literal>[Exec]</literal>
section, which carries various execution parameters:</para>
<variablelist>
<varlistentry>
<term><varname>Boot=</varname></term>
<listitem><para>Takes a boolean argument, defaults to off. If
enabled <command>systemd-nspawn</command> will automatically
search for an <filename>init</filename> executable and invoke
it. In this case the specified parameters using
<varname>Parameters=</varname> are passed as additional
arguments to the <filename>init</filename> process. This
setting corresponds to the <option>--boot</option> switch on
the <command>systemd-nspawn</command> command
line. </para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Parameters=</varname></term>
<listitem><para>Takes a space separated list of
arguments. This is either a command line, beginning with the
binary name to execute, or if <varname>Boot=</varname> is
enabled the list of arguments to pass to the init
process. This setting corresponds to the command line
parameters passed on the <command>systemd-nspawn</command>
command line.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Environment=</varname></term>
<listitem><para>Takes an environment variable assignment
consisting of key and value, separated by
<literal>=</literal>. Sets an environment variable for the
main process invoked in the container. This setting may be
used multiple times to set multiple environment variables. It
corresponds to the <option>--setenv=</option> command line
switch.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>User=</varname></term>
<listitem><para>Takes a UNIX user name. Specifies the user
name to invoke the main process of the container as. This user
must be known in the container's user database. This
corresponds to the <option>--user=</option> command line
switch.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Capability=</varname></term>
<term><varname>DropCapability=</varname></term>
<listitem><para>Takes a space separated list of Linux process
capabilities (see
<citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details). The <varname>Capability=</varname> setting
specifies additional capabilities to pass on top of the
default set of capabilites. The
<varname>DropCapability=</varname> setting specifies
capabilities to drop from the default set. These settings
correspond to the <option>--capability=</option> and
<option>--drop-capability=</option> command line
switches. Note that <varname>Capability=</varname> is a
privileged setting, and only takes effect in
<filename>.nspawn</filename> files in
<filename>/etc/systemd/nspawn/</filename> and
<filename>/run/system/nspawn/</filename> (see above). On the
other hand <varname>DropCapability=</varname> takes effect in
all cases.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Personality=</varname></term>
<listitem><para>Configures the kernel personality for the
container. This is equivalent to the
<option>--personality=</option> switch.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>MachineID=</varname></term>
<listitem><para>Configures the 128bit machine ID (UUID) to pass to
the container. This is equivalent to the
<option>--uuid=</option> command line switch. This option is
privileged (see above). </para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>[Files] Section Options</title>
<para>Settings files may include a <literal>[Files]</literal>
section, which carries various parameters configuring the file
system of the container:</para>
<variablelist>
<varlistentry>
<term><varname>ReadOnly=</varname></term>
<listitem><para>Takes a boolean argument, defaults to off. If
specified the container will be run with a read-only file
system. This setting corresponds to the
<option>--read-only</option> command line
switch.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Volatile=</varname></term>
<listitem><para>Takes a boolean argument, or the special value
<literal>state</literal>. This configures whether to run the
container with volatile state and/or configuration. This
option is equivalent to <option>--volatile=</option>, see
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
for details about the specific options
supported.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Bind=</varname></term>
<term><varname>BindReadOnly=</varname></term>
<listitem><para>Adds a bind mount from the host into the
container. Takes a single path, a pair of two paths separated
by a colon, or a triplet of two paths plus an option string
separated by colons. This option may be used multiple times to
configure multiple bind mounts. This option is equivalent to
the command line switches <option>--bind=</option> and
<option>--bind-ro=</option>, see
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
for details about the specific options supported. This setting
is privileged (see above).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>TemporaryFileSystem=</varname></term>
<listitem><para>Adds a <literal>tmpfs</literal> mount to the
container. Takes a path or a pair of path and option string,
separated by a colon. This option may be used mutiple times to
configure multiple <literal>tmpfs</literal> mounts. This
option is equivalent to the command line switch
<option>--tmpfs=</option>, see
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
for details about the specific options supported. This setting
is privileged (see above).</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>[Network] Section Options</title>
<para>Settings files may include a <literal>[Network]</literal>
section, which carries various parameters configuring the network
connectivity of the container:</para>
<variablelist>
<varlistentry>
<term><varname>Private=</varname></term>
<listitem><para>Takes a boolean argument, defaults to off. If
enabled the container will run in its own network namespace
and not share network interfaces and configuration with the
host. This setting corresponds to the
<option>--private-network</option> command line
switch.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>VirtualEthernet=</varname></term>
<listitem><para>Takes a boolean argument. Configures whether
to create a virtual ethernet connection
(<literal>veth</literal>) between host and the container. This
setting implies <varname>Private=yes</varname>. This setting
corresponds to the <option>--network-veth</option> command
line switch. This option is privileged (see
above).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Interface=</varname></term>
<listitem><para>Takes a space separated list of interfaces to
add to the container. This option corresponds to the
<option>--network-interface=</option> command line switch and
implies <varname>Private=yes</varname>. This option is
privileged (see above).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>MACVLAN=</varname></term>
<term><varname>IPVLAN=</varname></term>
<listitem><para>Takes a space separated list of interfaces to
add MACLVAN or IPVLAN interfaces to, which are then added to
the container. These options correspond to the
<option>--network-macvlan=</option> and
<option>--network-ipvlan=</option> command line switches and
imply <varname>Private=yes</varname>. These options are
privileged (see above).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Bridge=</varname></term>
<listitem><para>Takes an interface name. This setting implies
<varname>VirtualEthernet=yes</varname> and
<varname>Private=yes</varname> and has the effect that the
host side of the created virtual Ethernet link is connected to
the specified bridge interface. This option corresponds to the
<option>--network-bridge=</option> command line switch. This
option is privileged (see above).</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Port=</varname></term>
<listitem><para>Exposes a TCP or UDP port of the container on
the host. This option corresponds to the
<option>--port=</option> command line switch, see
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
for the precise syntax of the argument this option takes. This
option is privileged (see above).</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>

2
man/systemd.unit.xml
View File

@ -256,7 +256,7 @@
</refsect1>
<refsect1>
<title>Unit Load Path</title>
<title>Unit File Load Path</title>
<para>Unit files are loaded from a set of paths determined during
compilation, described in the two tables below. Unit files found

7
src/basic/conf-files.h
View File

@ -22,7 +22,6 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
int conf_files_list(char ***strv, const char *suffix, const char *root, const char *dir, ...);
int conf_files_list_strv(char ***strv, const char *suffix, const char *root, const char* const* dirs);
int conf_files_list_nulstr(char ***strv, const char *suffix, const char *root, const char *dirs);
int conf_files_list(char ***ret, const char *suffix, const char *root, const char *dir, ...);
int conf_files_list_strv(char ***ret, const char *suffix, const char *root, const char* const* dirs);
int conf_files_list_nulstr(char ***ret, const char *suffix, const char *root, const char *dirs);

2
src/core/load-fragment-gperf.gperf.m4
View File

@ -106,7 +106,7 @@ m4_define(`KILL_CONTEXT_CONFIG_ITEMS',
`$1.SendSIGKILL, config_parse_bool, 0, offsetof($1, kill_context.send_sigkill)
$1.SendSIGHUP, config_parse_bool, 0, offsetof($1, kill_context.send_sighup)
$1.KillMode, config_parse_kill_mode, 0, offsetof($1, kill_context.kill_mode)
$1.KillSignal, config_parse_kill_signal, 0, offsetof($1, kill_context.kill_signal)'
$1.KillSignal, config_parse_signal, 0, offsetof($1, kill_context.kill_signal)'
)m4_dnl
m4_define(`CGROUP_CONTEXT_CONFIG_ITEMS',
`$1.Slice, config_parse_unit_slice, 0, 0

63
src/core/load-fragment.c
View File

@ -1143,39 +1143,8 @@ int config_parse_sysv_priority(const char *unit,
#endif
DEFINE_CONFIG_PARSE_ENUM(config_parse_exec_utmp_mode, exec_utmp_mode, ExecUtmpMode, "Failed to parse utmp mode");
DEFINE_CONFIG_PARSE_ENUM(config_parse_kill_mode, kill_mode, KillMode, "Failed to parse kill mode");
int config_parse_kill_signal(const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
int *sig = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(sig);
r = signal_from_string_try_harder(rvalue);
if (r <= 0) {
log_syntax(unit, LOG_ERR, filename, line, -r,
"Failed to parse kill signal, ignoring: %s", rvalue);
return 0;
}
*sig = r;
return 0;
}
int config_parse_exec_mount_flags(const char *unit,
const char *filename,
unsigned line,
@ -3021,36 +2990,6 @@ int config_parse_job_mode_isolate(
return 0;
}
int config_parse_personality(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
unsigned long *personality = data, p;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(personality);
p = personality_from_string(rvalue);
if (p == PERSONALITY_INVALID) {
log_syntax(unit, LOG_ERR, filename, line, EINVAL,
"Failed to parse personality, ignoring: %s", rvalue);
return 0;
}
*personality = p;
return 0;
}
int config_parse_runtime_directory(
const char *unit,
const char *filename,
@ -3720,7 +3659,7 @@ void unit_dump_config_items(FILE *f) {
{ config_parse_sysv_priority, "SYSVPRIORITY" },
#endif
{ config_parse_kill_mode, "KILLMODE" },
{ config_parse_kill_signal, "SIGNAL" },
{ config_parse_signal, "SIGNAL" },
{ config_parse_socket_listen, "SOCKET [...]" },
{ config_parse_socket_bind, "SOCKETBIND" },
{ config_parse_socket_bindtodevice, "NETWORKINTERFACE" },

1
src/core/load-fragment.h
View File

@ -92,7 +92,6 @@ int config_parse_blockio_bandwidth(const char *unit, const char *filename, unsig
int config_parse_job_mode(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_job_mode_isolate(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_exec_selinux_context(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_personality(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_exec_apparmor_profile(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_exec_smack_process_label(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_address_families(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);

1
src/nspawn/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
/nspawn-gperf.c

38
src/nspawn/nspawn-gperf.gperf Normal file
View File

@ -0,0 +1,38 @@
%{
#include <stddef.h>
#include "conf-parser.h"
#include "nspawn.h"
#include "nspawn-settings.h"
%}
struct ConfigPerfItem;
%null_strings
%language=ANSI-C
%define slot-name section_and_lvalue
%define hash-function-name nspawn_gperf_hash
%define lookup-function-name nspawn_gperf_lookup
%readonly-tables
%omit-struct-type
%struct-type
%includes
%%
Exec.Boot, config_parse_tristate, 0, offsetof(Settings, boot)
Exec.Parameters, config_parse_strv, 0, offsetof(Settings, parameters)
Exec.Environment, config_parse_strv, 0, offsetof(Settings, environment)
Exec.User, config_parse_string, 0, offsetof(Settings, user)
Exec.Capability, config_parse_capability, 0, offsetof(Settings, capability)
Exec.DropCapability, config_parse_capability, 0, offsetof(Settings, drop_capability)
Exec.KillSignal, config_parse_signal, 0, offsetof(Settings, kill_signal)
Exec.Personality, config_parse_personality, 0, offsetof(Settings, personality)
Exec.MachineID, config_parse_id128, 0, offsetof(Settings, machine_id)
Files.ReadOnly, config_parse_tristate, 0, offsetof(Settings, read_only)
Files.Volatile, config_parse_volatile_mode, 0, offsetof(Settings, volatile_mode)
Files.Bind, config_parse_bind, 0, 0
Files.BindReadOnly, config_parse_bind, 1, 0
Files.TemporaryFileSystem, config_parse_tmpfs, 0, 0
Network.Private, config_parse_tristate, 0, offsetof(Settings, private_network)
Network.Interface, config_parse_strv, 0, offsetof(Settings, network_interfaces)
Network.MACVLAN, config_parse_strv, 0, offsetof(Settings, network_macvlan)
Network.IPVLAN, config_parse_strv, 0, offsetof(Settings, network_ipvlan)
Network.VirtualEthernet, config_parse_tristate, 0, offsetof(Settings, network_veth)
Network.Bridge config_parse_string, 0, offsetof(Settings, network_bridge)
Network.Port, config_parse_expose_port, 0, 0

263
src/nspawn/nspawn-settings.c Normal file
View File

@ -0,0 +1,263 @@
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
/***
This file is part of systemd.
Copyright 2015 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include "util.h"
#include "conf-parser.h"
#include "strv.h"
#include "cap-list.h"
#include "nspawn.h"
#include "nspawn-settings.h"
int settings_load(FILE *f, const char *path, Settings **ret) {
_cleanup_(settings_freep) Settings *s = NULL;
int r;
assert(path);
assert(ret);
s = new0(Settings, 1);
if (!s)
return -ENOMEM;
s->boot = -1;
s->personality = PERSONALITY_INVALID;
s->read_only = -1;
s->volatile_mode = _VOLATILE_MODE_INVALID;
s->private_network = -1;
s->network_veth = -1;
r = config_parse(NULL, path, f,
"Exec\0"
"Network\0"
"Files\0",
config_item_perf_lookup, nspawn_gperf_lookup,
false,
false,
true,
s);
if (r < 0)
return r;
*ret = s;
s = NULL;
return 0;
}
Settings* settings_free(Settings *s) {
if (!s)
return NULL;
strv_free(s->parameters);
strv_free(s->environment);
free(s->user);
strv_free(s->network_interfaces);
strv_free(s->network_macvlan);
strv_free(s->network_ipvlan);
free(s->network_bridge);
expose_port_free_all(s->expose_ports);
custom_mount_free_all(s->custom_mounts, s->n_custom_mounts);
free(s);
return NULL;
}
DEFINE_CONFIG_PARSE_ENUM(config_parse_volatile_mode, volatile_mode, VolatileMode, "Failed to parse volatile mode");
int config_parse_expose_port(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Settings *s = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
r = expose_port_parse(&s->expose_ports, rvalue);
if (r == -EEXIST) {
log_syntax(unit, LOG_ERR, filename, line, r, "Duplicate port specification, ignoring: %s", rvalue);
return 0;
}
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse host port %s: %m", rvalue);
return 0;
}
return 0;
}
int config_parse_capability(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
uint64_t u = 0, *result = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
for (;;) {
_cleanup_free_ char *word = NULL;
int cap;
r = extract_first_word(&rvalue, &word, NULL, 0);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to extract capability string, ignoring: %s", rvalue);
return 0;
}
if (r == 0)
break;
cap = capability_from_name(word);
if (cap < 0) {
log_syntax(unit, LOG_ERR, filename, line, cap, "Failed to parse capability, ignoring: %s", word);
continue;
}
u |= 1 << ((uint64_t) cap);
}
if (u == 0)
return 0;
*result |= u;
return 0;
}
int config_parse_id128(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
sd_id128_t t, *result = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
r = sd_id128_from_string(rvalue, &t);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse 128bit ID/UUID, ignoring: %s", rvalue);
return 0;
}
*result = t;
return 0;
}
int config_parse_bind(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Settings *settings = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
r = bind_mount_parse(&settings->custom_mounts, &settings->n_custom_mounts, rvalue, ltype);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Invalid bind mount specification %s: %m", rvalue);
return 0;
}
return 0;
}
int config_parse_tmpfs(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
Settings *settings = data;
int r;
assert(filename);
assert(lvalue);
assert(rvalue);
r = tmpfs_mount_parse(&settings->custom_mounts, &settings->n_custom_mounts, rvalue);
if (r < 0) {
log_syntax(unit, LOG_ERR, filename, line, r, "Invalid temporary file system specification %s: %m", rvalue);
return 0;
}
if (settings->network_bridge)
settings->network_veth = true;
if (settings->network_interfaces ||
settings->network_macvlan ||
settings->network_ipvlan ||
settings->network_bridge ||
settings->network_veth)
settings->private_network = true;
return 0;
}

85
src/nspawn/nspawn-settings.h Normal file
View File

@ -0,0 +1,85 @@
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
#pragma once
/***
This file is part of systemd.
Copyright 2015 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <stdio.h>
#include "macro.h"
#include "nspawn.h"
typedef enum SettingsMask {
SETTING_BOOT = 1 << 0,
SETTING_ENVIRONMENT = 1 << 1,
SETTING_USER = 1 << 2,
SETTING_CAPABILITY = 1 << 3,
SETTING_KILL_SIGNAL = 1 << 4,
SETTING_PERSONALITY = 1 << 5,
SETTING_MACHINE_ID = 1 << 6,
SETTING_NETWORK = 1 << 7,
SETTING_EXPOSE_PORTS = 1 << 8,
SETTING_READ_ONLY = 1 << 9,
SETTING_VOLATILE_MODE = 1 << 10,
SETTING_CUSTOM_MOUNTS = 1 << 11,
_SETTINGS_MASK_ALL = (1 << 12) -1
} SettingsMask;
typedef struct Settings {
/* [Run] */
int boot;
char **parameters;
char **environment;
char *user;
uint64_t capability;
uint64_t drop_capability;
int kill_signal;
unsigned long personality;
sd_id128_t machine_id;
/* [Image] */
int read_only;
VolatileMode volatile_mode;
CustomMount *custom_mounts;
unsigned n_custom_mounts;
/* [Network] */
int private_network;
int network_veth;
char *network_bridge;
char **network_interfaces;
char **network_macvlan;
char **network_ipvlan;
ExposePort *expose_ports;
} Settings;
int settings_load(FILE *f, const char *path, Settings **ret);
Settings* settings_free(Settings *s);
DEFINE_TRIVIAL_CLEANUP_FUNC(Settings*, settings_free);
const struct ConfigPerfItem* nspawn_gperf_lookup(const char *key, unsigned length);
int config_parse_capability(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_id128(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_expose_port(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_volatile_mode(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_bind(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_tmpfs(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);

748
src/nspawn/nspawn.c
View File

File diff suppressed because it is too large Load Diff

69
src/nspawn/nspawn.h Normal file
View File

@ -0,0 +1,69 @@
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
#pragma once
/***
This file is part of systemd.
Copyright 2015 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
#include <inttypes.h>
#include <stdbool.h>
#include "list.h"
typedef enum VolatileMode {
VOLATILE_NO,
VOLATILE_YES,
VOLATILE_STATE,
_VOLATILE_MODE_MAX,
_VOLATILE_MODE_INVALID = -1
} VolatileMode;
typedef enum CustomMountType {
CUSTOM_MOUNT_BIND,
CUSTOM_MOUNT_TMPFS,
CUSTOM_MOUNT_OVERLAY,
_CUSTOM_MOUNT_TYPE_MAX,
_CUSTOM_MOUNT_TYPE_INVALID = -1
} CustomMountType;
typedef struct CustomMount {
CustomMountType type;
bool read_only;
char *source; /* for overlayfs this is the upper directory */
char *destination;
char *options;
char *work_dir;
char **lower;
} CustomMount;
typedef struct ExposePort {
int protocol;
uint16_t host_port;
uint16_t container_port;
LIST_FIELDS(struct ExposePort, ports);
} ExposePort;
void custom_mount_free_all(CustomMount *l, unsigned n);
int bind_mount_parse(CustomMount **l, unsigned *n, const char *s, bool read_only);
int tmpfs_mount_parse(CustomMount **l, unsigned *n, const char *s);
void expose_port_free_all(ExposePort *p);
int expose_port_parse(ExposePort **l, const char *s);
VolatileMode volatile_mode_from_string(const char *s);

96
src/shared/conf-parser.c
View File

@ -24,7 +24,7 @@
#include <errno.h>
#include <stdlib.h>
#include "conf-parser.h"
#include "sd-messages.h"
#include "conf-files.h"
#include "util.h"
#include "macro.h"
@ -32,7 +32,8 @@
#include "log.h"
#include "utf8.h"
#include "path-util.h"
#include "sd-messages.h"
#include "signal-util.h"
#include "conf-parser.h"
int config_item_table_lookup(
const void *table,
@ -575,6 +576,39 @@ int config_parse_bool(const char* unit,
return 0;
}
int config_parse_tristate(
const char* unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
int k, *t = data;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
/* A tristate is pretty much a boolean, except that it can
* also take the special value -1, indicating "uninitialized",
* much like NULL is for a pointer type. */
k = parse_boolean(rvalue);
if (k < 0) {
log_syntax(unit, LOG_ERR, filename, line, k, "Failed to parse boolean value, ignoring: %s", rvalue);
return 0;
}
*t = !!k;
return 0;
}
int config_parse_string(
const char *unit,
const char *filename,
@ -802,3 +836,61 @@ int config_parse_log_level(
*o = (*o & LOG_FACMASK) | x;
return 0;
}
int config_parse_signal(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
int *sig = data, r;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(sig);
r = signal_from_string_try_harder(rvalue);
if (r <= 0) {
log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Failed to parse signal name, ignoring: %s", rvalue);
return 0;
}
*sig = r;
return 0;
}
int config_parse_personality(
const char *unit,
const char *filename,
unsigned line,
const char *section,
unsigned section_line,
const char *lvalue,
int ltype,
const char *rvalue,
void *data,
void *userdata) {
unsigned long *personality = data, p;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(personality);
p = personality_from_string(rvalue);
if (p == PERSONALITY_INVALID) {
log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Failed to parse personality, ignoring: %s", rvalue);
return 0;
}
*personality = p;
return 0;
}

3
src/shared/conf-parser.h
View File

@ -111,6 +111,7 @@ int config_parse_iec_size(const char *unit, const char *filename, unsigned line,
int config_parse_si_size(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_iec_off(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_bool(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_tristate(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_string(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_path(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_strv(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
@ -119,6 +120,8 @@ int config_parse_nsec(const char *unit, const char *filename, unsigned line, con
int config_parse_mode(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_log_facility(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_log_level(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_signal(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_personality(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
#define log_invalid_utf8(unit, level, config_file, config_line, error, rvalue) \
do { \