summaryrefslogtreecommitdiff
path: root/src/grp-machine/systemd-machined
diff options
context:
space:
mode:
Diffstat (limited to 'src/grp-machine/systemd-machined')
-rw-r--r--src/grp-machine/systemd-machined/.gitignore1
-rw-r--r--src/grp-machine/systemd-machined/Makefile75
-rw-r--r--src/grp-machine/systemd-machined/machine.slice11
-rw-r--r--src/grp-machine/systemd-machined/machined.c415
-rw-r--r--src/grp-machine/systemd-machined/org.freedesktop.machine1.conf198
-rw-r--r--src/grp-machine/systemd-machined/org.freedesktop.machine1.policy.in102
-rw-r--r--src/grp-machine/systemd-machined/org.freedesktop.machine1.service12
-rw-r--r--src/grp-machine/systemd-machined/systemd-machined.service.in25
-rw-r--r--src/grp-machine/systemd-machined/systemd-machined.service.xml90
9 files changed, 929 insertions, 0 deletions
diff --git a/src/grp-machine/systemd-machined/.gitignore b/src/grp-machine/systemd-machined/.gitignore
new file mode 100644
index 0000000000..e1065b5894
--- /dev/null
+++ b/src/grp-machine/systemd-machined/.gitignore
@@ -0,0 +1 @@
+/org.freedesktop.machine1.policy
diff --git a/src/grp-machine/systemd-machined/Makefile b/src/grp-machine/systemd-machined/Makefile
new file mode 100644
index 0000000000..432a792a18
--- /dev/null
+++ b/src/grp-machine/systemd-machined/Makefile
@@ -0,0 +1,75 @@
+# -*- Mode: makefile; indent-tabs-mode: t -*-
+#
+# This file is part of systemd.
+#
+# Copyright 2010-2012 Lennart Poettering
+# Copyright 2010-2012 Kay Sievers
+# Copyright 2013 Zbigniew Jędrzejewski-Szmek
+# Copyright 2013 David Strauss
+# Copyright 2016 Luke Shumaker
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# systemd is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with systemd; If not, see <http://www.gnu.org/licenses/>.
+include $(dir $(lastword $(MAKEFILE_LIST)))/../../../config.mk
+include $(topsrcdir)/build-aux/Makefile.head.mk
+
+systemd_machined_SOURCES = \
+ src/machine/machined.c \
+ src/machine/machined.h
+
+systemd_machined_LDADD = \
+ libmachine-core.la
+
+rootlibexec_PROGRAMS += \
+ systemd-machined
+
+nodist_systemunit_DATA += \
+ units/systemd-machined.service
+
+dist_systemunit_DATA += \
+ units/machine.slice
+
+dist_systemunit_DATA_busnames += \
+ units/org.freedesktop.machine1.busname
+
+dist_dbussystemservice_DATA += \
+ src/machine/org.freedesktop.machine1.service
+
+dist_dbuspolicy_DATA += \
+ src/machine/org.freedesktop.machine1.conf
+
+polkitpolicy_files += \
+ src/machine/org.freedesktop.machine1.policy
+
+SYSTEM_UNIT_ALIASES += \
+ systemd-machined.service dbus-org.freedesktop.machine1.service
+
+BUSNAMES_TARGET_WANTS += \
+ org.freedesktop.machine1.busname
+
+polkitpolicy_in_files += \
+ src/machine/org.freedesktop.machine1.policy.in
+
+EXTRA_DIST += \
+ units/systemd-machined.service.in
+
+# ------------------------------------------------------------------------------
+ifneq ($(ENABLE_IMPORTD),)
+
+ifneq ($(HAVE_LIBCURL),)
+ifneq ($(HAVE_XZ),)
+ifneq ($(HAVE_ZLIB),)
+ifneq ($(HAVE_BZIP2),)
+ifneq ($(HAVE_GCRYPT),)
+
+include $(topsrcdir)/build-aux/Makefile.tail.mk
diff --git a/src/grp-machine/systemd-machined/machine.slice b/src/grp-machine/systemd-machined/machine.slice
new file mode 100644
index 0000000000..3d40dfd73b
--- /dev/null
+++ b/src/grp-machine/systemd-machined/machine.slice
@@ -0,0 +1,11 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Virtual Machine and Container Slice
+Documentation=man:systemd.special(7)
+Before=slices.target
diff --git a/src/grp-machine/systemd-machined/machined.c b/src/grp-machine/systemd-machined/machined.c
new file mode 100644
index 0000000000..d6ce7e0c26
--- /dev/null
+++ b/src/grp-machine/systemd-machined/machined.c
@@ -0,0 +1,415 @@
+/***
+ This file is part of systemd.
+
+ Copyright 2013 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <errno.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <systemd/sd-daemon.h>
+
+#include "machine-core/machined.h"
+#include "sd-bus/bus-error.h"
+#include "sd-bus/bus-util.h"
+#include "systemd-basic/alloc-util.h"
+#include "systemd-basic/cgroup-util.h"
+#include "systemd-basic/dirent-util.h"
+#include "systemd-basic/fd-util.h"
+#include "systemd-basic/formats-util.h"
+#include "systemd-basic/hostname-util.h"
+#include "systemd-basic/label.h"
+#include "systemd-basic/signal-util.h"
+#include "systemd-shared/machine-image.h"
+
+Manager *manager_new(void) {
+ Manager *m;
+ int r;
+
+ m = new0(Manager, 1);
+ if (!m)
+ return NULL;
+
+ m->machines = hashmap_new(&string_hash_ops);
+ m->machine_units = hashmap_new(&string_hash_ops);
+ m->machine_leaders = hashmap_new(NULL);
+
+ if (!m->machines || !m->machine_units || !m->machine_leaders) {
+ manager_free(m);
+ return NULL;
+ }
+
+ r = sd_event_default(&m->event);
+ if (r < 0) {
+ manager_free(m);
+ return NULL;
+ }
+
+ sd_event_set_watchdog(m->event, true);
+
+ return m;
+}
+
+void manager_free(Manager *m) {
+ Machine *machine;
+ Image *i;
+
+ assert(m);
+
+ while (m->operations)
+ operation_free(m->operations);
+
+ assert(m->n_operations == 0);
+
+ while ((machine = hashmap_first(m->machines)))
+ machine_free(machine);
+
+ hashmap_free(m->machines);
+ hashmap_free(m->machine_units);
+ hashmap_free(m->machine_leaders);
+
+ while ((i = hashmap_steal_first(m->image_cache)))
+ image_unref(i);
+
+ hashmap_free(m->image_cache);
+
+ sd_event_source_unref(m->image_cache_defer_event);
+
+ bus_verify_polkit_async_registry_free(m->polkit_registry);
+
+ sd_bus_unref(m->bus);
+ sd_event_unref(m->event);
+
+ free(m);
+}
+
+static int manager_add_host_machine(Manager *m) {
+ _cleanup_free_ char *rd = NULL, *unit = NULL;
+ sd_id128_t mid;
+ Machine *t;
+ int r;
+
+ if (m->host_machine)
+ return 0;
+
+ r = sd_id128_get_machine(&mid);
+ if (r < 0)
+ return log_error_errno(r, "Failed to get machine ID: %m");
+
+ rd = strdup("/");
+ if (!rd)
+ return log_oom();
+
+ unit = strdup("-.slice");
+ if (!unit)
+ return log_oom();
+
+ t = machine_new(m, MACHINE_HOST, ".host");
+ if (!t)
+ return log_oom();
+
+ t->leader = 1;
+ t->id = mid;
+
+ t->root_directory = rd;
+ t->unit = unit;
+ rd = unit = NULL;
+
+ dual_timestamp_from_boottime_or_monotonic(&t->timestamp, 0);
+
+ m->host_machine = t;
+
+ return 0;
+}
+
+int manager_enumerate_machines(Manager *m) {
+ _cleanup_closedir_ DIR *d = NULL;
+ struct dirent *de;
+ int r = 0;
+
+ assert(m);
+
+ r = manager_add_host_machine(m);
+ if (r < 0)
+ return r;
+
+ /* Read in machine data stored on disk */
+ d = opendir("/run/systemd/machines");
+ if (!d) {
+ if (errno == ENOENT)
+ return 0;
+
+ return log_error_errno(errno, "Failed to open /run/systemd/machines: %m");
+ }
+
+ FOREACH_DIRENT(de, d, return -errno) {
+ struct Machine *machine;
+ int k;
+
+ if (!dirent_is_file(de))
+ continue;
+
+ /* Ignore symlinks that map the unit name to the machine */
+ if (startswith(de->d_name, "unit:"))
+ continue;
+
+ if (!machine_name_is_valid(de->d_name))
+ continue;
+
+ k = manager_add_machine(m, de->d_name, &machine);
+ if (k < 0) {
+ r = log_error_errno(k, "Failed to add machine by file name %s: %m", de->d_name);
+ continue;
+ }
+
+ machine_add_to_gc_queue(machine);
+
+ k = machine_load(machine);
+ if (k < 0)
+ r = k;
+ }
+
+ return r;
+}
+
+static int manager_connect_bus(Manager *m) {
+ _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
+ int r;
+
+ assert(m);
+ assert(!m->bus);
+
+ r = sd_bus_default_system(&m->bus);
+ if (r < 0)
+ return log_error_errno(r, "Failed to connect to system bus: %m");
+
+ r = sd_bus_add_object_vtable(m->bus, NULL, "/org/freedesktop/machine1", "org.freedesktop.machine1.Manager", manager_vtable, m);
+ if (r < 0)
+ return log_error_errno(r, "Failed to add manager object vtable: %m");
+
+ r = sd_bus_add_fallback_vtable(m->bus, NULL, "/org/freedesktop/machine1/machine", "org.freedesktop.machine1.Machine", machine_vtable, machine_object_find, m);
+ if (r < 0)
+ return log_error_errno(r, "Failed to add machine object vtable: %m");
+
+ r = sd_bus_add_node_enumerator(m->bus, NULL, "/org/freedesktop/machine1/machine", machine_node_enumerator, m);
+ if (r < 0)
+ return log_error_errno(r, "Failed to add machine enumerator: %m");
+
+ r = sd_bus_add_fallback_vtable(m->bus, NULL, "/org/freedesktop/machine1/image", "org.freedesktop.machine1.Image", image_vtable, image_object_find, m);
+ if (r < 0)
+ return log_error_errno(r, "Failed to add image object vtable: %m");
+
+ r = sd_bus_add_node_enumerator(m->bus, NULL, "/org/freedesktop/machine1/image", image_node_enumerator, m);
+ if (r < 0)
+ return log_error_errno(r, "Failed to add image enumerator: %m");
+
+ r = sd_bus_add_match(m->bus,
+ NULL,
+ "type='signal',"
+ "sender='org.freedesktop.systemd1',"
+ "interface='org.freedesktop.systemd1.Manager',"
+ "member='JobRemoved',"
+ "path='/org/freedesktop/systemd1'",
+ match_job_removed,
+ m);
+ if (r < 0)
+ return log_error_errno(r, "Failed to add match for JobRemoved: %m");
+
+ r = sd_bus_add_match(m->bus,
+ NULL,
+ "type='signal',"
+ "sender='org.freedesktop.systemd1',"
+ "interface='org.freedesktop.systemd1.Manager',"
+ "member='UnitRemoved',"
+ "path='/org/freedesktop/systemd1'",
+ match_unit_removed,
+ m);
+ if (r < 0)
+ return log_error_errno(r, "Failed to add match for UnitRemoved: %m");
+
+ r = sd_bus_add_match(m->bus,
+ NULL,
+ "type='signal',"
+ "sender='org.freedesktop.systemd1',"
+ "interface='org.freedesktop.DBus.Properties',"
+ "member='PropertiesChanged',"
+ "arg0='org.freedesktop.systemd1.Unit'",
+ match_properties_changed,
+ m);
+ if (r < 0)
+ return log_error_errno(r, "Failed to add match for PropertiesChanged: %m");
+
+ r = sd_bus_add_match(m->bus,
+ NULL,
+ "type='signal',"
+ "sender='org.freedesktop.systemd1',"
+ "interface='org.freedesktop.systemd1.Manager',"
+ "member='Reloading',"
+ "path='/org/freedesktop/systemd1'",
+ match_reloading,
+ m);
+ if (r < 0)
+ return log_error_errno(r, "Failed to add match for Reloading: %m");
+
+ r = sd_bus_call_method(
+ m->bus,
+ "org.freedesktop.systemd1",
+ "/org/freedesktop/systemd1",
+ "org.freedesktop.systemd1.Manager",
+ "Subscribe",
+ &error,
+ NULL, NULL);
+ if (r < 0) {
+ log_error("Failed to enable subscription: %s", bus_error_message(&error, r));
+ return r;
+ }
+
+ r = sd_bus_request_name(m->bus, "org.freedesktop.machine1", 0);
+ if (r < 0)
+ return log_error_errno(r, "Failed to register name: %m");
+
+ r = sd_bus_attach_event(m->bus, m->event, 0);
+ if (r < 0)
+ return log_error_errno(r, "Failed to attach bus to event loop: %m");
+
+ return 0;
+}
+
+void manager_gc(Manager *m, bool drop_not_started) {
+ Machine *machine;
+
+ assert(m);
+
+ while ((machine = m->machine_gc_queue)) {
+ LIST_REMOVE(gc_queue, m->machine_gc_queue, machine);
+ machine->in_gc_queue = false;
+
+ /* First, if we are not closing yet, initiate stopping */
+ if (!machine_check_gc(machine, drop_not_started) &&
+ machine_get_state(machine) != MACHINE_CLOSING)
+ machine_stop(machine);
+
+ /* Now, the stop probably made this referenced
+ * again, but if it didn't, then it's time to let it
+ * go entirely. */
+ if (!machine_check_gc(machine, drop_not_started)) {
+ machine_finalize(machine);
+ machine_free(machine);
+ }
+ }
+}
+
+int manager_startup(Manager *m) {
+ Machine *machine;
+ Iterator i;
+ int r;
+
+ assert(m);
+
+ /* Connect to the bus */
+ r = manager_connect_bus(m);
+ if (r < 0)
+ return r;
+
+ /* Deserialize state */
+ manager_enumerate_machines(m);
+
+ /* Remove stale objects before we start them */
+ manager_gc(m, false);
+
+ /* And start everything */
+ HASHMAP_FOREACH(machine, m->machines, i)
+ machine_start(machine, NULL, NULL);
+
+ return 0;
+}
+
+static bool check_idle(void *userdata) {
+ Manager *m = userdata;
+
+ if (m->operations)
+ return false;
+
+ manager_gc(m, true);
+
+ return hashmap_isempty(m->machines);
+}
+
+int manager_run(Manager *m) {
+ assert(m);
+
+ return bus_event_loop_with_idle(
+ m->event,
+ m->bus,
+ "org.freedesktop.machine1",
+ DEFAULT_EXIT_USEC,
+ check_idle, m);
+}
+
+int main(int argc, char *argv[]) {
+ Manager *m = NULL;
+ int r;
+
+ log_set_target(LOG_TARGET_AUTO);
+ log_set_facility(LOG_AUTH);
+ log_parse_environment();
+ log_open();
+
+ umask(0022);
+
+ if (argc != 1) {
+ log_error("This program takes no arguments.");
+ r = -EINVAL;
+ goto finish;
+ }
+
+ /* Always create the directories people can create inotify
+ * watches in. Note that some applications might check for the
+ * existence of /run/systemd/machines/ to determine whether
+ * machined is available, so please always make sure this
+ * check stays in. */
+ mkdir_label("/run/systemd/machines", 0755);
+
+ assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGCHLD, -1) >= 0);
+
+ m = manager_new();
+ if (!m) {
+ r = log_oom();
+ goto finish;
+ }
+
+ r = manager_startup(m);
+ if (r < 0) {
+ log_error_errno(r, "Failed to fully start up daemon: %m");
+ goto finish;
+ }
+
+ log_debug("systemd-machined running as pid "PID_FMT, getpid());
+
+ sd_notify(false,
+ "READY=1\n"
+ "STATUS=Processing requests...");
+
+ r = manager_run(m);
+
+ log_debug("systemd-machined stopped as pid "PID_FMT, getpid());
+
+finish:
+ manager_free(m);
+
+ return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
+}
diff --git a/src/grp-machine/systemd-machined/org.freedesktop.machine1.conf b/src/grp-machine/systemd-machined/org.freedesktop.machine1.conf
new file mode 100644
index 0000000000..562b9d3cc0
--- /dev/null
+++ b/src/grp-machine/systemd-machined/org.freedesktop.machine1.conf
@@ -0,0 +1,198 @@
+<?xml version="1.0"?> <!--*-nxml-*-->
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<!--
+ This file is part of systemd.
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+-->
+
+<busconfig>
+
+ <policy user="root">
+ <allow own="org.freedesktop.machine1"/>
+ <allow send_destination="org.freedesktop.machine1"/>
+ <allow receive_sender="org.freedesktop.machine1"/>
+ </policy>
+
+ <policy context="default">
+ <deny send_destination="org.freedesktop.machine1"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.DBus.Introspectable"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.DBus.Peer"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.DBus.Properties"
+ send_member="Get"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.DBus.Properties"
+ send_member="GetAll"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="ListMachines"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="ListImages"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="GetMachine"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="GetMachineByPID"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="GetImage"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="GetMachineAddresses"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="GetMachineOSRelease"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="OpenMachineLogin"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="OpenMachineShell"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="TerminateMachine"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="KillMachine"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="BindMountMachine"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="CopyFromMachine"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="CopyToMachine"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="RemoveImage"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="RenameImage"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="CloneImage"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="MarkImageReadOnly"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="SetPoolLimit"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="SetImageLimit"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="CleanPool"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="MapFromMachineUser"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="MapToMachineUser"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="MapFromMachineGroup"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Manager"
+ send_member="MapToMachineGroup"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Machine"
+ send_member="GetAddresses"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Machine"
+ send_member="GetOSRelease"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Machine"
+ send_member="OpenLogin"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Machine"
+ send_member="OpenShell"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Machine"
+ send_member="Terminate"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Machine"
+ send_member="Kill"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Machine"
+ send_member="BindMount"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Machine"
+ send_member="CopyFrom"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Machine"
+ send_member="CopyTo"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Image"
+ send_member="Remove"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Image"
+ send_member="Rename"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Image"
+ send_member="Clone"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Image"
+ send_member="SetLimit"/>
+
+ <allow send_destination="org.freedesktop.machine1"
+ send_interface="org.freedesktop.machine1.Image"
+ send_member="MarkReadOnly"/>
+
+ <allow receive_sender="org.freedesktop.machine1"/>
+ </policy>
+
+</busconfig>
diff --git a/src/grp-machine/systemd-machined/org.freedesktop.machine1.policy.in b/src/grp-machine/systemd-machined/org.freedesktop.machine1.policy.in
new file mode 100644
index 0000000000..69f78a5c25
--- /dev/null
+++ b/src/grp-machine/systemd-machined/org.freedesktop.machine1.policy.in
@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8"?> <!--*-nxml-*-->
+<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
+
+<!--
+ This file is part of systemd.
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+-->
+
+<policyconfig>
+
+ <vendor>The systemd Project</vendor>
+ <vendor_url>http://www.freedesktop.org/wiki/Software/systemd</vendor_url>
+
+ <action id="org.freedesktop.machine1.login">
+ <_description>Log into a local container</_description>
+ <_message>Authentication is required to log into a local container.</_message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ </action>
+
+ <action id="org.freedesktop.machine1.host-login">
+ <_description>Log into the local host</_description>
+ <_message>Authentication is required to log into the local host.</_message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>yes</allow_active>
+ </defaults>
+ </action>
+
+ <action id="org.freedesktop.machine1.shell">
+ <_description>Acquire a shell in a local container</_description>
+ <_message>Authentication is required to acquire a shell in a local container.</_message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.login</annotate>
+ </action>
+
+ <action id="org.freedesktop.machine1.host-shell">
+ <_description>Acquire a shell on the local host</_description>
+ <_message>Authentication is required to acquire a shell on the local host.</_message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.host-login</annotate>
+ </action>
+
+ <action id="org.freedesktop.machine1.open-pty">
+ <_description>Acquire a pseudo TTY in a local container</_description>
+ <_message>Authentication is required to acquire a pseudo TTY in a local container.</_message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ </action>
+
+ <action id="org.freedesktop.machine1.host-open-pty">
+ <_description>Acquire a pseudo TTY on the local host</_description>
+ <_message>Authentication is required to acquire a pseudo TTY on the local host.</_message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ </action>
+
+ <action id="org.freedesktop.machine1.manage-machines">
+ <_description>Manage local virtual machines and containers</_description>
+ <_message>Authentication is required to manage local virtual machines and containers.</_message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ <annotate key="org.freedesktop.policykit.imply">org.freedesktop.login1.shell org.freedesktop.login1.login</annotate>
+ </action>
+
+ <action id="org.freedesktop.machine1.manage-images">
+ <_description>Manage local virtual machine and container images</_description>
+ <_message>Authentication is required to manage local virtual machine and container images.</_message>
+ <defaults>
+ <allow_any>auth_admin</allow_any>
+ <allow_inactive>auth_admin</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+ </action>
+
+</policyconfig>
diff --git a/src/grp-machine/systemd-machined/org.freedesktop.machine1.service b/src/grp-machine/systemd-machined/org.freedesktop.machine1.service
new file mode 100644
index 0000000000..d3dc99852b
--- /dev/null
+++ b/src/grp-machine/systemd-machined/org.freedesktop.machine1.service
@@ -0,0 +1,12 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[D-BUS Service]
+Name=org.freedesktop.machine1
+Exec=/bin/false
+User=root
+SystemdService=dbus-org.freedesktop.machine1.service
diff --git a/src/grp-machine/systemd-machined/systemd-machined.service.in b/src/grp-machine/systemd-machined/systemd-machined.service.in
new file mode 100644
index 0000000000..dcf9f347b7
--- /dev/null
+++ b/src/grp-machine/systemd-machined/systemd-machined.service.in
@@ -0,0 +1,25 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Virtual Machine and Container Registration Service
+Documentation=man:systemd-machined.service(8)
+Documentation=http://www.freedesktop.org/wiki/Software/systemd/machined
+Wants=machine.slice
+After=machine.slice
+
+[Service]
+ExecStart=@rootlibexecdir@/systemd-machined
+BusName=org.freedesktop.machine1
+CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
+WatchdogSec=3min
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+
+# Note that machined cannot be placed in a mount namespace, since it
+# needs access to the host's mount namespace in order to implement the
+# "machinectl bind" operation.
diff --git a/src/grp-machine/systemd-machined/systemd-machined.service.xml b/src/grp-machine/systemd-machined/systemd-machined.service.xml
new file mode 100644
index 0000000000..999aeee1c6
--- /dev/null
+++ b/src/grp-machine/systemd-machined/systemd-machined.service.xml
@@ -0,0 +1,90 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<!--
+ This file is part of systemd.
+
+ Copyright 2013 Zbigniew Jędrzejewski-Szmek
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+-->
+
+<refentry id="systemd-machined.service" conditional='ENABLE_MACHINED'>
+
+ <refentryinfo>
+ <title>systemd-machined.service</title>
+ <productname>systemd</productname>
+
+ <authorgroup>
+ <author>
+ <contrib>Developer</contrib>
+ <firstname>Lennart</firstname>
+ <surname>Poettering</surname>
+ <email>lennart@poettering.net</email>
+ </author>
+ </authorgroup>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>systemd-machined.service</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>systemd-machined.service</refname>
+ <refname>systemd-machined</refname>
+ <refpurpose>Virtual machine and container registration manager</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <para><filename>systemd-machined.service</filename></para>
+ <para><filename>/usr/lib/systemd/systemd-machined</filename></para>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><command>systemd-machined</command> is a system service that
+ keeps track of virtual machines and containers, and processes
+ belonging to them.</para>
+
+ <para>See
+ <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ for some examples on how to run containers with OS tools.</para>
+
+ <para>Use
+ <citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ to make the names of local containers known to
+ <command>systemd-machined</command> locally resolvable as host
+ names.</para>
+
+ <para>See the
+ <ulink url="http://www.freedesktop.org/wiki/Software/systemd/machined">
+ machined D-Bus API Documentation</ulink> for information about the
+ APIs <filename>systemd-machined</filename> provides.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>machinectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+</refentry>