diff options
Diffstat (limited to 'src/nspawn/nspawn.c')
| -rw-r--r-- | src/nspawn/nspawn.c | 150 |
1 files changed, 79 insertions, 71 deletions
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 6a21ed5471..3c31629d1e 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -55,7 +55,7 @@ #include "sd-daemon.h" #include "sd-bus.h" #include "sd-id128.h" -#include "sd-rtnl.h" +#include "sd-netlink.h" #include "random-util.h" #include "log.h" #include "util.h" @@ -75,7 +75,7 @@ #include "bus-error.h" #include "ptyfwd.h" #include "env-util.h" -#include "rtnl-util.h" +#include "netlink-util.h" #include "udev-util.h" #include "blkid-util.h" #include "gpt.h" @@ -90,7 +90,7 @@ #include "machine-image.h" #include "list.h" #include "in-addr-util.h" -#include "fw-util.h" +#include "firewall-util.h" #include "local-addresses.h" #include "formats-util.h" #include "process-util.h" @@ -350,7 +350,7 @@ static int custom_mounts_prepare(void) { if (m->read_only) continue; - r = tempfn_random(m->source, &m->work_dir); + r = tempfn_random(m->source, NULL, &m->work_dir); if (r < 0) return log_error_errno(r, "Failed to generate work directory from %s: %m", m->source); } @@ -1013,6 +1013,9 @@ static int parse_argv(int argc, char *argv[]) { return -EINVAL; } + if (arg_userns && access("/proc/self/uid_map", F_OK) < 0) + return log_error_errno(EOPNOTSUPP, "--private-users= is not supported, kernel compiled without user namespace support."); + arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus; if (arg_boot && arg_kill_signal <= 0) @@ -1966,7 +1969,7 @@ static int flush_ports(union in_addr_union *exposed) { return 0; } -static int expose_ports(sd_rtnl *rtnl, union in_addr_union *exposed) { +static int expose_ports(sd_netlink *rtnl, union in_addr_union *exposed) { _cleanup_free_ struct local_address *addresses = NULL; _cleanup_free_ char *pretty = NULL; union in_addr_union new_exposed; @@ -2020,7 +2023,7 @@ static int expose_ports(sd_rtnl *rtnl, union in_addr_union *exposed) { return 0; } -static int on_address_change(sd_rtnl *rtnl, sd_rtnl_message *m, void *userdata) { +static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *userdata) { union in_addr_union *exposed = userdata; assert(rtnl); @@ -2031,7 +2034,7 @@ static int on_address_change(sd_rtnl *rtnl, sd_rtnl_message *m, void *userdata) return 0; } -static int watch_rtnl(sd_event *event, int recv_fd, union in_addr_union *exposed, sd_rtnl **ret) { +static int watch_rtnl(sd_event *event, int recv_fd, union in_addr_union *exposed, sd_netlink **ret) { union { struct cmsghdr cmsghdr; uint8_t buf[CMSG_SPACE(sizeof(int))]; @@ -2041,7 +2044,7 @@ static int watch_rtnl(sd_event *event, int recv_fd, union in_addr_union *exposed .msg_controllen = sizeof(control), }; struct cmsghdr *cmsg; - _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL; + _cleanup_netlink_unref_ sd_netlink *rtnl = NULL; int fd, r; ssize_t k; @@ -2062,21 +2065,21 @@ static int watch_rtnl(sd_event *event, int recv_fd, union in_addr_union *exposed assert(cmsg->cmsg_len == CMSG_LEN(sizeof(int))); memcpy(&fd, CMSG_DATA(cmsg), sizeof(int)); - r = sd_rtnl_open_fd(&rtnl, fd); + r = sd_netlink_open_fd(&rtnl, fd); if (r < 0) { safe_close(fd); return log_error_errno(r, "Failed to create rtnl object: %m"); } - r = sd_rtnl_add_match(rtnl, RTM_NEWADDR, on_address_change, exposed); + r = sd_netlink_add_match(rtnl, RTM_NEWADDR, on_address_change, exposed); if (r < 0) return log_error_errno(r, "Failed to subscribe to RTM_NEWADDR messages: %m"); - r = sd_rtnl_add_match(rtnl, RTM_DELADDR, on_address_change, exposed); + r = sd_netlink_add_match(rtnl, RTM_DELADDR, on_address_change, exposed); if (r < 0) return log_error_errno(r, "Failed to subscribe to RTM_DELADDR messages: %m"); - r = sd_rtnl_attach_event(rtnl, event, 0); + r = sd_netlink_attach_event(rtnl, event, 0); if (r < 0) return log_error_errno(r, "Failed to add to even loop: %m"); @@ -2550,8 +2553,8 @@ static int generate_mac(struct ether_addr *mac, sd_id128_t hash_key, uint64_t id } static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) { - _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL; - _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL; + _cleanup_netlink_message_unref_ sd_netlink_message *m = NULL; + _cleanup_netlink_unref_ sd_netlink *rtnl = NULL; struct ether_addr mac_host, mac_container; int r, i; @@ -2574,7 +2577,7 @@ static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) { if (r < 0) return log_error_errno(r, "Failed to generate predictable MAC address for host side: %m"); - r = sd_rtnl_open(&rtnl); + r = sd_netlink_open(&rtnl); if (r < 0) return log_error_errno(r, "Failed to connect to netlink: %m"); @@ -2582,51 +2585,51 @@ static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) { if (r < 0) return log_error_errno(r, "Failed to allocate netlink message: %m"); - r = sd_rtnl_message_append_string(m, IFLA_IFNAME, iface_name); + r = sd_netlink_message_append_string(m, IFLA_IFNAME, iface_name); if (r < 0) return log_error_errno(r, "Failed to add netlink interface name: %m"); - r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_host); + r = sd_netlink_message_append_ether_addr(m, IFLA_ADDRESS, &mac_host); if (r < 0) return log_error_errno(r, "Failed to add netlink MAC address: %m"); - r = sd_rtnl_message_open_container(m, IFLA_LINKINFO); + r = sd_netlink_message_open_container(m, IFLA_LINKINFO); if (r < 0) return log_error_errno(r, "Failed to open netlink container: %m"); - r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "veth"); + r = sd_netlink_message_open_container_union(m, IFLA_INFO_DATA, "veth"); if (r < 0) return log_error_errno(r, "Failed to open netlink container: %m"); - r = sd_rtnl_message_open_container(m, VETH_INFO_PEER); + r = sd_netlink_message_open_container(m, VETH_INFO_PEER); if (r < 0) return log_error_errno(r, "Failed to open netlink container: %m"); - r = sd_rtnl_message_append_string(m, IFLA_IFNAME, "host0"); + r = sd_netlink_message_append_string(m, IFLA_IFNAME, "host0"); if (r < 0) return log_error_errno(r, "Failed to add netlink interface name: %m"); - r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac_container); + r = sd_netlink_message_append_ether_addr(m, IFLA_ADDRESS, &mac_container); if (r < 0) return log_error_errno(r, "Failed to add netlink MAC address: %m"); - r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid); + r = sd_netlink_message_append_u32(m, IFLA_NET_NS_PID, pid); if (r < 0) return log_error_errno(r, "Failed to add netlink namespace field: %m"); - r = sd_rtnl_message_close_container(m); + r = sd_netlink_message_close_container(m); if (r < 0) return log_error_errno(r, "Failed to close netlink container: %m"); - r = sd_rtnl_message_close_container(m); + r = sd_netlink_message_close_container(m); if (r < 0) return log_error_errno(r, "Failed to close netlink container: %m"); - r = sd_rtnl_message_close_container(m); + r = sd_netlink_message_close_container(m); if (r < 0) return log_error_errno(r, "Failed to close netlink container: %m"); - r = sd_rtnl_call(rtnl, m, 0, NULL); + r = sd_netlink_call(rtnl, m, 0, NULL); if (r < 0) return log_error_errno(r, "Failed to add new veth interfaces (host0, %s): %m", iface_name); @@ -2640,8 +2643,8 @@ static int setup_veth(pid_t pid, char iface_name[IFNAMSIZ], int *ifi) { } static int setup_bridge(const char veth_name[], int *ifi) { - _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL; - _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL; + _cleanup_netlink_message_unref_ sd_netlink_message *m = NULL; + _cleanup_netlink_unref_ sd_netlink *rtnl = NULL; int r, bridge; if (!arg_private_network) @@ -2659,7 +2662,7 @@ static int setup_bridge(const char veth_name[], int *ifi) { *ifi = bridge; - r = sd_rtnl_open(&rtnl); + r = sd_netlink_open(&rtnl); if (r < 0) return log_error_errno(r, "Failed to connect to netlink: %m"); @@ -2671,15 +2674,15 @@ static int setup_bridge(const char veth_name[], int *ifi) { if (r < 0) return log_error_errno(r, "Failed to set IFF_UP flag: %m"); - r = sd_rtnl_message_append_string(m, IFLA_IFNAME, veth_name); + r = sd_netlink_message_append_string(m, IFLA_IFNAME, veth_name); if (r < 0) return log_error_errno(r, "Failed to add netlink interface name field: %m"); - r = sd_rtnl_message_append_u32(m, IFLA_MASTER, bridge); + r = sd_netlink_message_append_u32(m, IFLA_MASTER, bridge); if (r < 0) return log_error_errno(r, "Failed to add netlink master field: %m"); - r = sd_rtnl_call(rtnl, m, 0, NULL); + r = sd_netlink_call(rtnl, m, 0, NULL); if (r < 0) return log_error_errno(r, "Failed to add veth interface to bridge: %m"); @@ -2710,7 +2713,7 @@ static int parse_interface(struct udev *udev, const char *name) { static int move_network_interfaces(pid_t pid) { _cleanup_udev_unref_ struct udev *udev = NULL; - _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL; + _cleanup_netlink_unref_ sd_netlink *rtnl = NULL; char **i; int r; @@ -2720,7 +2723,7 @@ static int move_network_interfaces(pid_t pid) { if (strv_isempty(arg_network_interfaces)) return 0; - r = sd_rtnl_open(&rtnl); + r = sd_netlink_open(&rtnl); if (r < 0) return log_error_errno(r, "Failed to connect to netlink: %m"); @@ -2731,7 +2734,7 @@ static int move_network_interfaces(pid_t pid) { } STRV_FOREACH(i, arg_network_interfaces) { - _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL; + _cleanup_netlink_message_unref_ sd_netlink_message *m = NULL; int ifi; ifi = parse_interface(udev, *i); @@ -2742,11 +2745,11 @@ static int move_network_interfaces(pid_t pid) { if (r < 0) return log_error_errno(r, "Failed to allocate netlink message: %m"); - r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid); + r = sd_netlink_message_append_u32(m, IFLA_NET_NS_PID, pid); if (r < 0) return log_error_errno(r, "Failed to append namespace PID to netlink message: %m"); - r = sd_rtnl_call(rtnl, m, 0, NULL); + r = sd_netlink_call(rtnl, m, 0, NULL); if (r < 0) return log_error_errno(r, "Failed to move interface %s to namespace: %m", *i); } @@ -2756,7 +2759,7 @@ static int move_network_interfaces(pid_t pid) { static int setup_macvlan(pid_t pid) { _cleanup_udev_unref_ struct udev *udev = NULL; - _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL; + _cleanup_netlink_unref_ sd_netlink *rtnl = NULL; unsigned idx = 0; char **i; int r; @@ -2767,7 +2770,7 @@ static int setup_macvlan(pid_t pid) { if (strv_isempty(arg_network_macvlan)) return 0; - r = sd_rtnl_open(&rtnl); + r = sd_netlink_open(&rtnl); if (r < 0) return log_error_errno(r, "Failed to connect to netlink: %m"); @@ -2778,7 +2781,7 @@ static int setup_macvlan(pid_t pid) { } STRV_FOREACH(i, arg_network_macvlan) { - _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL; + _cleanup_netlink_message_unref_ sd_netlink_message *m = NULL; _cleanup_free_ char *n = NULL; struct ether_addr mac; int ifi; @@ -2795,7 +2798,7 @@ static int setup_macvlan(pid_t pid) { if (r < 0) return log_error_errno(r, "Failed to allocate netlink message: %m"); - r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi); + r = sd_netlink_message_append_u32(m, IFLA_LINK, ifi); if (r < 0) return log_error_errno(r, "Failed to add netlink interface index: %m"); @@ -2805,39 +2808,39 @@ static int setup_macvlan(pid_t pid) { strshorten(n, IFNAMSIZ-1); - r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n); + r = sd_netlink_message_append_string(m, IFLA_IFNAME, n); if (r < 0) return log_error_errno(r, "Failed to add netlink interface name: %m"); - r = sd_rtnl_message_append_ether_addr(m, IFLA_ADDRESS, &mac); + r = sd_netlink_message_append_ether_addr(m, IFLA_ADDRESS, &mac); if (r < 0) return log_error_errno(r, "Failed to add netlink MAC address: %m"); - r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid); + r = sd_netlink_message_append_u32(m, IFLA_NET_NS_PID, pid); if (r < 0) return log_error_errno(r, "Failed to add netlink namespace field: %m"); - r = sd_rtnl_message_open_container(m, IFLA_LINKINFO); + r = sd_netlink_message_open_container(m, IFLA_LINKINFO); if (r < 0) return log_error_errno(r, "Failed to open netlink container: %m"); - r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "macvlan"); + r = sd_netlink_message_open_container_union(m, IFLA_INFO_DATA, "macvlan"); if (r < 0) return log_error_errno(r, "Failed to open netlink container: %m"); - r = sd_rtnl_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE); + r = sd_netlink_message_append_u32(m, IFLA_MACVLAN_MODE, MACVLAN_MODE_BRIDGE); if (r < 0) return log_error_errno(r, "Failed to append macvlan mode: %m"); - r = sd_rtnl_message_close_container(m); + r = sd_netlink_message_close_container(m); if (r < 0) return log_error_errno(r, "Failed to close netlink container: %m"); - r = sd_rtnl_message_close_container(m); + r = sd_netlink_message_close_container(m); if (r < 0) return log_error_errno(r, "Failed to close netlink container: %m"); - r = sd_rtnl_call(rtnl, m, 0, NULL); + r = sd_netlink_call(rtnl, m, 0, NULL); if (r < 0) return log_error_errno(r, "Failed to add new macvlan interfaces: %m"); } @@ -2847,7 +2850,7 @@ static int setup_macvlan(pid_t pid) { static int setup_ipvlan(pid_t pid) { _cleanup_udev_unref_ struct udev *udev = NULL; - _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL; + _cleanup_netlink_unref_ sd_netlink *rtnl = NULL; char **i; int r; @@ -2857,7 +2860,7 @@ static int setup_ipvlan(pid_t pid) { if (strv_isempty(arg_network_ipvlan)) return 0; - r = sd_rtnl_open(&rtnl); + r = sd_netlink_open(&rtnl); if (r < 0) return log_error_errno(r, "Failed to connect to netlink: %m"); @@ -2868,7 +2871,7 @@ static int setup_ipvlan(pid_t pid) { } STRV_FOREACH(i, arg_network_ipvlan) { - _cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL; + _cleanup_netlink_message_unref_ sd_netlink_message *m = NULL; _cleanup_free_ char *n = NULL; int ifi; @@ -2880,7 +2883,7 @@ static int setup_ipvlan(pid_t pid) { if (r < 0) return log_error_errno(r, "Failed to allocate netlink message: %m"); - r = sd_rtnl_message_append_u32(m, IFLA_LINK, ifi); + r = sd_netlink_message_append_u32(m, IFLA_LINK, ifi); if (r < 0) return log_error_errno(r, "Failed to add netlink interface index: %m"); @@ -2890,35 +2893,35 @@ static int setup_ipvlan(pid_t pid) { strshorten(n, IFNAMSIZ-1); - r = sd_rtnl_message_append_string(m, IFLA_IFNAME, n); + r = sd_netlink_message_append_string(m, IFLA_IFNAME, n); if (r < 0) return log_error_errno(r, "Failed to add netlink interface name: %m"); - r = sd_rtnl_message_append_u32(m, IFLA_NET_NS_PID, pid); + r = sd_netlink_message_append_u32(m, IFLA_NET_NS_PID, pid); if (r < 0) return log_error_errno(r, "Failed to add netlink namespace field: %m"); - r = sd_rtnl_message_open_container(m, IFLA_LINKINFO); + r = sd_netlink_message_open_container(m, IFLA_LINKINFO); if (r < 0) return log_error_errno(r, "Failed to open netlink container: %m"); - r = sd_rtnl_message_open_container_union(m, IFLA_INFO_DATA, "ipvlan"); + r = sd_netlink_message_open_container_union(m, IFLA_INFO_DATA, "ipvlan"); if (r < 0) return log_error_errno(r, "Failed to open netlink container: %m"); - r = sd_rtnl_message_append_u16(m, IFLA_IPVLAN_MODE, IPVLAN_MODE_L2); + r = sd_netlink_message_append_u16(m, IFLA_IPVLAN_MODE, IPVLAN_MODE_L2); if (r < 0) return log_error_errno(r, "Failed to add ipvlan mode: %m"); - r = sd_rtnl_message_close_container(m); + r = sd_netlink_message_close_container(m); if (r < 0) return log_error_errno(r, "Failed to close netlink container: %m"); - r = sd_rtnl_message_close_container(m); + r = sd_netlink_message_close_container(m); if (r < 0) return log_error_errno(r, "Failed to close netlink container: %m"); - r = sd_rtnl_call(rtnl, m, 0, NULL); + r = sd_netlink_call(rtnl, m, 0, NULL); if (r < 0) return log_error_errno(r, "Failed to add new ipvlan interfaces: %m"); } @@ -3002,8 +3005,15 @@ static int setup_seccomp(void) { } r = seccomp_load(seccomp); - if (r < 0) + if (r == -EINVAL) { + log_debug_errno(r, "Kernel is probably not configured with CONFIG_SECCOMP. Disabling seccomp audit filter: %m"); + r = 0; + goto finish; + } + if (r < 0) { log_error_errno(r, "Failed to install seccomp audit filter: %m"); + goto finish; + } finish: seccomp_release(seccomp); @@ -4458,7 +4468,7 @@ int main(int argc, char *argv[]) { int r, n_fd_passed, loop_nr = -1; char veth_name[IFNAMSIZ]; bool secondary = false, remove_subvol = false; - sigset_t mask, mask_chld; + sigset_t mask_chld; pid_t pid = 0; int ret = EXIT_SUCCESS; union in_addr_union exposed = {}; @@ -4515,9 +4525,9 @@ int main(int argc, char *argv[]) { goto finish; } if (r > 0) - r = tempfn_random_child(arg_directory, &np); + r = tempfn_random_child(arg_directory, "machine.", &np); else - r = tempfn_random(arg_directory, &np); + r = tempfn_random(arg_directory, "machine.", &np); if (r < 0) { log_error_errno(r, "Failed to generate name for snapshot: %m"); goto finish; @@ -4657,9 +4667,7 @@ int main(int argc, char *argv[]) { log_info("Spawning container %s on %s.\nPress ^] three times within 1s to kill container.", arg_machine, arg_image ?: arg_directory); - assert_se(sigemptyset(&mask) == 0); - sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1); - assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0); + assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1) >= 0); assert_se(sigemptyset(&mask_chld) == 0); assert_se(sigaddset(&mask_chld, SIGCHLD) == 0); @@ -4681,7 +4689,7 @@ int main(int argc, char *argv[]) { ssize_t l; _cleanup_event_unref_ sd_event *event = NULL; _cleanup_(pty_forward_freep) PTYForward *forward = NULL; - _cleanup_rtnl_unref_ sd_rtnl *rtnl = NULL; + _cleanup_netlink_unref_ sd_netlink *rtnl = NULL; char last_char = 0; r = barrier_create(&barrier); |