diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/basic/cgroup-util.c | 2 | ||||
| -rw-r--r-- | src/basic/cgroup-util.h | 4 | ||||
| -rw-r--r-- | src/core/cgroup.c | 4 | ||||
| -rw-r--r-- | src/core/dbus-cgroup.c | 4 | ||||
| -rw-r--r-- | src/import/pull-common.c | 97 | ||||
| -rw-r--r-- | src/import/pull-common.h | 4 | ||||
| -rw-r--r-- | src/import/pull-job.h | 2 | ||||
| -rw-r--r-- | src/import/pull-raw.c | 158 | ||||
| -rw-r--r-- | src/import/pull-raw.h | 2 | ||||
| -rw-r--r-- | src/import/pull-tar.c | 170 | ||||
| -rw-r--r-- | src/import/pull-tar.h | 2 | ||||
| -rw-r--r-- | src/import/pull.c | 22 | ||||
| -rw-r--r-- | src/nspawn/nspawn-gperf.gperf | 2 | 
13 files changed, 419 insertions, 54 deletions
| diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c index f661a54d99..94a25585b2 100644 --- a/src/basic/cgroup-util.c +++ b/src/basic/cgroup-util.c @@ -2211,7 +2211,7 @@ static const char *cgroup_controller_table[_CGROUP_CONTROLLER_MAX] = {          [CGROUP_CONTROLLER_CPUACCT] = "cpuacct",          [CGROUP_CONTROLLER_BLKIO] = "blkio",          [CGROUP_CONTROLLER_MEMORY] = "memory", -        [CGROUP_CONTROLLER_DEVICE] = "devices", +        [CGROUP_CONTROLLER_DEVICES] = "devices",  };  DEFINE_STRING_TABLE_LOOKUP(cgroup_controller, CGroupController); diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h index 6fd6d80590..16d439fd9d 100644 --- a/src/basic/cgroup-util.h +++ b/src/basic/cgroup-util.h @@ -34,7 +34,7 @@ typedef enum CGroupController {          CGROUP_CONTROLLER_CPUACCT,          CGROUP_CONTROLLER_BLKIO,          CGROUP_CONTROLLER_MEMORY, -        CGROUP_CONTROLLER_DEVICE, +        CGROUP_CONTROLLER_DEVICES,          _CGROUP_CONTROLLER_MAX,          _CGROUP_CONTROLLER_INVALID = -1,  } CGroupController; @@ -47,7 +47,7 @@ typedef enum CGroupMask {          CGROUP_MASK_CPUACCT = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_CPUACCT),          CGROUP_MASK_BLKIO = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_BLKIO),          CGROUP_MASK_MEMORY = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_MEMORY), -        CGROUP_MASK_DEVICE = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_DEVICE), +        CGROUP_MASK_DEVICES = CGROUP_CONTROLLER_TO_MASK(CGROUP_CONTROLLER_DEVICES),          _CGROUP_MASK_ALL = CGROUP_CONTROLLER_TO_MASK(_CGROUP_CONTROLLER_MAX) - 1  } CGroupMask; diff --git a/src/core/cgroup.c b/src/core/cgroup.c index 9a025cf929..baa7cc5488 100644 --- a/src/core/cgroup.c +++ b/src/core/cgroup.c @@ -404,7 +404,7 @@ void cgroup_context_apply(CGroupContext *c, CGroupMask mask, const char *path, M                                         "Failed to set memory.limit_in_bytes/memory.max on %s: %m", path);          } -        if ((mask & CGROUP_MASK_DEVICE) && !is_root) { +        if ((mask & CGROUP_MASK_DEVICES) && !is_root) {                  CGroupDeviceAllow *a;                  /* Changing the devices list of a populated cgroup @@ -492,7 +492,7 @@ CGroupMask cgroup_context_get_mask(CGroupContext *c) {          if (c->device_allow ||              c->device_policy != CGROUP_AUTO) -                mask |= CGROUP_MASK_DEVICE; +                mask |= CGROUP_MASK_DEVICES;          return mask;  } diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c index e8fd44e294..ba2f4e53b9 100644 --- a/src/core/dbus-cgroup.c +++ b/src/core/dbus-cgroup.c @@ -572,7 +572,7 @@ int bus_cgroup_set_property(                          char *buf;                          c->device_policy = p; -                        u->cgroup_realized_mask &= ~CGROUP_MASK_DEVICE; +                        u->cgroup_realized_mask &= ~CGROUP_MASK_DEVICES;                          buf = strjoina("DevicePolicy=", policy);                          unit_write_drop_in_private(u, mode, name, buf); @@ -651,7 +651,7 @@ int bus_cgroup_set_property(                                          cgroup_context_free_device_allow(c, c->device_allow);                          } -                        u->cgroup_realized_mask &= ~CGROUP_MASK_DEVICE; +                        u->cgroup_realized_mask &= ~CGROUP_MASK_DEVICES;                          f = open_memstream(&buf, &size);                          if (!f) diff --git a/src/import/pull-common.c b/src/import/pull-common.c index 652277e4be..b1681bed17 100644 --- a/src/import/pull-common.c +++ b/src/import/pull-common.c @@ -34,7 +34,14 @@  #define FILENAME_ESCAPE "/.#\"\'" -int pull_find_old_etags(const char *url, const char *image_root, int dt, const char *prefix, const char *suffix, char ***etags) { +int pull_find_old_etags( +                const char *url, +                const char *image_root, +                int dt, +                const char *prefix, +                const char *suffix, +                char ***etags) { +          _cleanup_free_ char *escaped_url = NULL;          _cleanup_closedir_ DIR *d = NULL;          _cleanup_strv_free_ char **l = NULL; @@ -173,6 +180,49 @@ int pull_make_path(const char *url, const char *etag, const char *image_root, co          return 0;  } +int pull_make_settings_job( +                PullJob **ret, +                const char *url, +                CurlGlue *glue, +                PullJobFinished on_finished, +                void *userdata) { + +        _cleanup_free_ char *last_component = NULL, *ll = NULL, *settings_url = NULL; +        _cleanup_(pull_job_unrefp) PullJob *job = NULL; +        const char *q; +        int r; + +        assert(ret); +        assert(url); +        assert(glue); + +        r = import_url_last_component(url, &last_component); +        if (r < 0) +                return r; + +        r = tar_strip_suffixes(last_component, &ll); +        if (r < 0) +                return r; + +        q = strjoina(ll, ".nspawn"); + +        r = import_url_change_last_component(url, q, &settings_url); +        if (r < 0) +                return r; + +        r = pull_job_new(&job, settings_url, glue, userdata); +        if (r < 0) +                return r; + +        job->on_finished = on_finished; +        job->compressed_max = job->uncompressed_max = 1ULL * 1024ULL * 1024ULL; + +        *ret = job; +        job = NULL; + +        return 0; +} +  int pull_make_verification_jobs(                  PullJob **ret_checksum_job,                  PullJob **ret_signature_job, @@ -232,8 +282,8 @@ int pull_make_verification_jobs(          return 0;  } -int pull_verify( -                PullJob *main_job, +int pull_verify(PullJob *main_job, +                PullJob *settings_job,                  PullJob *checksum_job,                  PullJob *signature_job) { @@ -278,12 +328,47 @@ int pull_verify(                     strlen(line));          if (!p || (p != (char*) checksum_job->payload && p[-1] != '\n')) { -                log_error("Checksum did not check out, payload has been tempered with."); +                log_error("DOWNLOAD INVALID: Checksum did not check out, payload has been tempered with.");                  return -EBADMSG;          }          log_info("SHA256 checksum of %s is valid.", main_job->url); +        assert(!settings_job || settings_job->state == PULL_JOB_DONE); + +        if (settings_job && +            settings_job->error == 0 && +            !settings_job->etag_exists) { + +                _cleanup_free_ char *settings_fn = NULL; + +                assert(settings_job->calc_checksum); +                assert(settings_job->checksum); + +                r = import_url_last_component(settings_job->url, &settings_fn); +                if (r < 0) +                        return log_oom(); + +                if (!filename_is_valid(settings_fn)) { +                        log_error("Cannot verify checksum, could not determine server-side settings file name."); +                        return -EBADMSG; +                } + +                line = strjoina(settings_job->checksum, " *", settings_fn, "\n"); + +                p = memmem(checksum_job->payload, +                           checksum_job->payload_size, +                           line, +                           strlen(line)); + +                if (!p || (p != (char*) checksum_job->payload && p[-1] != '\n')) { +                        log_error("DOWNLOAD INVALID: Checksum of settings file did not checkout, settings file has been tempered with."); +                        return -EBADMSG; +                } + +                log_info("SHA256 checksum of %s is valid.", settings_job->url); +        } +          if (!signature_job)                  return 0; @@ -407,7 +492,7 @@ int pull_verify(          if (r < 0)                  goto finish;          if (r > 0) { -                log_error("Signature verification failed."); +                log_error("DOWNLOAD INVALID: Signature verification failed.");                  r = -EBADMSG;          } else {                  log_info("Signature verification succeeded."); @@ -416,7 +501,7 @@ int pull_verify(  finish:          if (sig_file >= 0) -                unlink(sig_file_path); +                (void) unlink(sig_file_path);          if (gpg_home_created)                  (void) rm_rf(gpg_home, REMOVE_ROOT|REMOVE_PHYSICAL); diff --git a/src/import/pull-common.h b/src/import/pull-common.h index bb9cf3efc1..7e6db1862c 100644 --- a/src/import/pull-common.h +++ b/src/import/pull-common.h @@ -32,5 +32,7 @@ int pull_find_old_etags(const char *url, const char *root, int dt, const char *p  int pull_make_path(const char *url, const char *etag, const char *image_root, const char *prefix, const char *suffix, char **ret); +int pull_make_settings_job(PullJob **ret, const char *url, CurlGlue *glue, PullJobFinished on_finished, void *userdata);  int pull_make_verification_jobs(PullJob **ret_checksum_job, PullJob **ret_signature_job, ImportVerify verify, const char *url, CurlGlue *glue, PullJobFinished on_finished, void *userdata); -int pull_verify(PullJob *main_job, PullJob *checksum_job, PullJob *signature_job); + +int pull_verify(PullJob *main_job, PullJob *settings_job, PullJob *checksum_job, PullJob *signature_job); diff --git a/src/import/pull-job.h b/src/import/pull-job.h index 3239aeac20..1777bf1c33 100644 --- a/src/import/pull-job.h +++ b/src/import/pull-job.h @@ -44,7 +44,7 @@ typedef enum PullJobState {          _PULL_JOB_STATE_INVALID = -1,  } PullJobState; -#define PULL_JOB_STATE_IS_COMPLETE(j) (IN_SET((j)->state, PULL_JOB_DONE, PULL_JOB_FAILED)) +#define PULL_JOB_IS_COMPLETE(j) (IN_SET((j)->state, PULL_JOB_DONE, PULL_JOB_FAILED))  typedef enum PullJobCompression {          PULL_JOB_UNCOMPRESSED, diff --git a/src/import/pull-raw.c b/src/import/pull-raw.c index d0e0faa261..44e029ef98 100644 --- a/src/import/pull-raw.c +++ b/src/import/pull-raw.c @@ -57,6 +57,7 @@ struct RawPull {          char *image_root;          PullJob *raw_job; +        PullJob *settings_job;          PullJob *checksum_job;          PullJob *signature_job; @@ -66,9 +67,13 @@ struct RawPull {          char *local;          bool force_local;          bool grow_machine_directory; +        bool settings; -        char *temp_path;          char *final_path; +        char *temp_path; + +        char *settings_path; +        char *settings_temp_path;          ImportVerify verify;  }; @@ -78,6 +83,7 @@ RawPull* raw_pull_unref(RawPull *i) {                  return NULL;          pull_job_unref(i->raw_job); +        pull_job_unref(i->settings_job);          pull_job_unref(i->checksum_job);          pull_job_unref(i->signature_job); @@ -89,7 +95,13 @@ RawPull* raw_pull_unref(RawPull *i) {                  free(i->temp_path);          } +        if (i->settings_temp_path) { +                (void) unlink(i->settings_temp_path); +                free(i->settings_temp_path); +        } +          free(i->final_path); +        free(i->settings_path);          free(i->image_root);          free(i->local);          free(i); @@ -155,6 +167,11 @@ static void raw_pull_report_progress(RawPull *i, RawProgress p) {                  percent = 0; +                if (i->settings_job) { +                        percent += i->settings_job->progress_percent * 5 / 100; +                        remain -= 5; +                } +                  if (i->checksum_job) {                          percent += i->checksum_job->progress_percent * 5 / 100;                          remain -= 5; @@ -253,17 +270,17 @@ static int raw_pull_make_local_copy(RawPull *i) {          if (!i->local)                  return 0; +        if (!i->final_path) { +                r = pull_make_path(i->raw_job->url, i->raw_job->etag, i->image_root, ".raw-", ".raw", &i->final_path); +                if (r < 0) +                        return log_oom(); +        } +          if (i->raw_job->etag_exists) {                  /* We have downloaded this one previously, reopen it */                  assert(i->raw_job->disk_fd < 0); -                if (!i->final_path) { -                        r = pull_make_path(i->raw_job->url, i->raw_job->etag, i->image_root, ".raw-", ".raw", &i->final_path); -                        if (r < 0) -                                return log_oom(); -                } -                  i->raw_job->disk_fd = open(i->final_path, O_RDONLY|O_NOCTTY|O_CLOEXEC);                  if (i->raw_job->disk_fd < 0)                          return log_error_errno(errno, "Failed to open vendor image: %m"); @@ -315,6 +332,28 @@ static int raw_pull_make_local_copy(RawPull *i) {          }          log_info("Created new local image '%s'.", i->local); + +        if (i->settings) { +                const char *local_settings; +                assert(i->settings_job); + +                if (!i->settings_path) { +                        r = pull_make_path(i->settings_job->url, i->settings_job->etag, i->image_root, ".settings-", NULL, &i->settings_path); +                        if (r < 0) +                                return log_oom(); +                } + +                local_settings = strjoina(i->image_root, "/", i->local, ".nspawn"); + +                r = copy_file_atomic(i->settings_path, local_settings, 0644, i->force_local, 0); +                if (r == -EEXIST) +                        log_warning_errno(r, "Settings file %s already exists, not replacing.", local_settings); +                else if (r < 0 && r != -ENOENT) +                        log_warning_errno(r, "Failed to copy settings files %s: %m", local_settings); + +                log_info("Create new settings file '%s.nspawn'", i->local); +        } +          return 0;  } @@ -322,11 +361,13 @@ static bool raw_pull_is_done(RawPull *i) {          assert(i);          assert(i->raw_job); -        if (i->raw_job->state != PULL_JOB_DONE) +        if (!PULL_JOB_IS_COMPLETE(i->raw_job))                  return false; -        if (i->checksum_job && i->checksum_job->state != PULL_JOB_DONE) +        if (i->settings_job && !PULL_JOB_IS_COMPLETE(i->settings_job))                  return false; -        if (i->signature_job && i->signature_job->state != PULL_JOB_DONE) +        if (i->checksum_job && !PULL_JOB_IS_COMPLETE(i->checksum_job)) +                return false; +        if (i->signature_job && !PULL_JOB_IS_COMPLETE(i->signature_job))                  return false;          return true; @@ -340,7 +381,10 @@ static void raw_pull_job_on_finished(PullJob *j) {          assert(j->userdata);          i = j->userdata; -        if (j->error != 0) { +        if (j == i->settings_job) { +                if (j->error != 0) +                        log_info_errno(j->error, "Settings file could not be retrieved, proceeding without."); +        } else if (j->error != 0) {                  if (j == i->checksum_job)                          log_error_errno(j->error, "Failed to retrieve SHA256 checksum, cannot verify. (Try --verify=no?)");                  else if (j == i->signature_job) @@ -362,13 +406,16 @@ static void raw_pull_job_on_finished(PullJob *j) {          if (!raw_pull_is_done(i))                  return; +        if (i->settings_job) +                i->settings_job->disk_fd = safe_close(i->settings_job->disk_fd); +          if (!i->raw_job->etag_exists) {                  /* This is a new download, verify it, and move it into place */                  assert(i->raw_job->disk_fd >= 0);                  raw_pull_report_progress(i, RAW_VERIFYING); -                r = pull_verify(i->raw_job, i->checksum_job, i->signature_job); +                r = pull_verify(i->raw_job, i->settings_job, i->checksum_job, i->signature_job);                  if (r < 0)                          goto finish; @@ -390,8 +437,27 @@ static void raw_pull_job_on_finished(PullJob *j) {                          goto finish;                  } -                free(i->temp_path); -                i->temp_path = NULL; +                i->temp_path = mfree(i->temp_path); + +                if (i->settings_job && +                    i->settings_job->error == 0 && +                    !i->settings_job->etag_exists) { + +                        assert(i->settings_temp_path); +                        assert(i->settings_path); + +                        r = import_make_read_only(i->settings_temp_path); +                        if (r < 0) +                                goto finish; + +                        r = rename_noreplace(AT_FDCWD, i->settings_temp_path, AT_FDCWD, i->settings_path); +                        if (r < 0) { +                                log_error_errno(r, "Failed to rename settings file: %m"); +                                goto finish; +                        } + +                        i->settings_temp_path = mfree(i->settings_temp_path); +                }          }          raw_pull_report_progress(i, RAW_COPYING); @@ -409,7 +475,7 @@ finish:                  sd_event_exit(i->event, r);  } -static int raw_pull_job_on_open_disk(PullJob *j) { +static int raw_pull_job_on_open_disk_raw(PullJob *j) {          RawPull *i;          int r; @@ -442,6 +508,35 @@ static int raw_pull_job_on_open_disk(PullJob *j) {          return 0;  } +static int raw_pull_job_on_open_disk_settings(PullJob *j) { +        RawPull *i; +        int r; + +        assert(j); +        assert(j->userdata); + +        i = j->userdata; +        assert(i->settings_job == j); +        assert(!i->settings_path); +        assert(!i->settings_temp_path); + +        r = pull_make_path(j->url, j->etag, i->image_root, ".settings-", NULL, &i->settings_path); +        if (r < 0) +                return log_oom(); + +        r = tempfn_random(i->settings_path, NULL, &i->settings_temp_path); +        if (r < 0) +                return log_oom(); + +        mkdir_parents_label(i->settings_temp_path, 0700); + +        j->disk_fd = open(i->settings_temp_path, O_RDWR|O_CREAT|O_EXCL|O_NOCTTY|O_CLOEXEC, 0664); +        if (j->disk_fd < 0) +                return log_error_errno(errno, "Failed to create %s: %m", i->settings_temp_path); + +        return 0; +} +  static void raw_pull_job_on_progress(PullJob *j) {          RawPull *i; @@ -453,7 +548,14 @@ static void raw_pull_job_on_progress(PullJob *j) {          raw_pull_report_progress(i, RAW_DOWNLOADING);  } -int raw_pull_start(RawPull *i, const char *url, const char *local, bool force_local, ImportVerify verify) { +int raw_pull_start( +                RawPull *i, +                const char *url, +                const char *local, +                bool force_local, +                ImportVerify verify, +                bool settings) { +          int r;          assert(i); @@ -472,8 +574,10 @@ int raw_pull_start(RawPull *i, const char *url, const char *local, bool force_lo          r = free_and_strdup(&i->local, local);          if (r < 0)                  return r; +          i->force_local = force_local;          i->verify = verify; +        i->settings = settings;          /* Queue job for the image itself */          r = pull_job_new(&i->raw_job, url, i->glue, i); @@ -481,7 +585,7 @@ int raw_pull_start(RawPull *i, const char *url, const char *local, bool force_lo                  return r;          i->raw_job->on_finished = raw_pull_job_on_finished; -        i->raw_job->on_open_disk = raw_pull_job_on_open_disk; +        i->raw_job->on_open_disk = raw_pull_job_on_open_disk_raw;          i->raw_job->on_progress = raw_pull_job_on_progress;          i->raw_job->calc_checksum = verify != IMPORT_VERIFY_NO;          i->raw_job->grow_machine_directory = i->grow_machine_directory; @@ -490,6 +594,20 @@ int raw_pull_start(RawPull *i, const char *url, const char *local, bool force_lo          if (r < 0)                  return r; +        if (settings) { +                r = pull_make_settings_job(&i->settings_job, url, i->glue, raw_pull_job_on_finished, i); +                if (r < 0) +                        return r; + +                i->settings_job->on_open_disk = raw_pull_job_on_open_disk_settings; +                i->settings_job->on_progress = raw_pull_job_on_progress; +                i->settings_job->calc_checksum = verify != IMPORT_VERIFY_NO; + +                r = pull_find_old_etags(i->settings_job->url, i->image_root, DT_REG, ".settings-", NULL, &i->settings_job->old_etags); +                if (r < 0) +                        return r; +        } +          r = pull_make_verification_jobs(&i->checksum_job, &i->signature_job, verify, url, i->glue, raw_pull_job_on_finished, i);          if (r < 0)                  return r; @@ -498,6 +616,12 @@ int raw_pull_start(RawPull *i, const char *url, const char *local, bool force_lo          if (r < 0)                  return r; +        if (i->settings_job) { +                r = pull_job_begin(i->settings_job); +                if (r < 0) +                        return r; +        } +          if (i->checksum_job) {                  i->checksum_job->on_progress = raw_pull_job_on_progress; diff --git a/src/import/pull-raw.h b/src/import/pull-raw.h index 808f7be818..b03b4f5c92 100644 --- a/src/import/pull-raw.h +++ b/src/import/pull-raw.h @@ -34,4 +34,4 @@ RawPull* raw_pull_unref(RawPull *pull);  DEFINE_TRIVIAL_CLEANUP_FUNC(RawPull*, raw_pull_unref); -int raw_pull_start(RawPull *pull, const char *url, const char *local, bool force_local, ImportVerify verify); +int raw_pull_start(RawPull *pull, const char *url, const char *local, bool force_local, ImportVerify verify, bool settings); diff --git a/src/import/pull-tar.c b/src/import/pull-tar.c index d38a2158c4..563765d83d 100644 --- a/src/import/pull-tar.c +++ b/src/import/pull-tar.c @@ -55,6 +55,7 @@ struct TarPull {          char *image_root;          PullJob *tar_job; +        PullJob *settings_job;          PullJob *checksum_job;          PullJob *signature_job; @@ -64,11 +65,15 @@ struct TarPull {          char *local;          bool force_local;          bool grow_machine_directory; +        bool settings;          pid_t tar_pid; -        char *temp_path;          char *final_path; +        char *temp_path; + +        char *settings_path; +        char *settings_temp_path;          ImportVerify verify;  }; @@ -83,6 +88,7 @@ TarPull* tar_pull_unref(TarPull *i) {          }          pull_job_unref(i->tar_job); +        pull_job_unref(i->settings_job);          pull_job_unref(i->checksum_job);          pull_job_unref(i->signature_job); @@ -94,7 +100,13 @@ TarPull* tar_pull_unref(TarPull *i) {                  free(i->temp_path);          } +        if (i->settings_temp_path) { +                (void) unlink(i->settings_temp_path); +                free(i->settings_temp_path); +        } +          free(i->final_path); +        free(i->settings_path);          free(i->image_root);          free(i->local);          free(i); @@ -113,7 +125,6 @@ int tar_pull_new(          int r;          assert(ret); -        assert(event);          i = new0(TarPull, 1);          if (!i) @@ -128,7 +139,13 @@ int tar_pull_new(          i->grow_machine_directory = path_startswith(i->image_root, "/var/lib/machines"); -        i->event = sd_event_ref(event); +        if (event) +                i->event = sd_event_ref(event); +        else { +                r = sd_event_default(&i->event); +                if (r < 0) +                        return r; +        }          r = curl_glue_new(&i->glue, i->event);          if (r < 0) @@ -155,6 +172,11 @@ static void tar_pull_report_progress(TarPull *i, TarProgress p) {                  percent = 0; +                if (i->settings_job) { +                        percent += i->settings_job->progress_percent * 5 / 100; +                        remain -= 5; +                } +                  if (i->checksum_job) {                          percent += i->checksum_job->progress_percent * 5 / 100;                          remain -= 5; @@ -209,6 +231,27 @@ static int tar_pull_make_local_copy(TarPull *i) {          if (r < 0)                  return r; +        if (i->settings) { +                const char *local_settings; +                assert(i->settings_job); + +                if (!i->settings_path) { +                        r = pull_make_path(i->settings_job->url, i->settings_job->etag, i->image_root, ".settings-", NULL, &i->settings_path); +                        if (r < 0) +                                return log_oom(); +                } + +                local_settings = strjoina(i->image_root, "/", i->local, ".nspawn"); + +                r = copy_file_atomic(i->settings_path, local_settings, 0664, i->force_local, 0); +                if (r == -EEXIST) +                        log_warning_errno(r, "Settings file %s already exists, not replacing.", local_settings); +                else if (r < 0 && r != -ENOENT) +                        log_warning_errno(r, "Failed to copy settings files %s: %m", local_settings); + +                log_info("Create new settings file '%s.nspawn'", i->local); +        } +          return 0;  } @@ -216,11 +259,13 @@ static bool tar_pull_is_done(TarPull *i) {          assert(i);          assert(i->tar_job); -        if (i->tar_job->state != PULL_JOB_DONE) +        if (!PULL_JOB_IS_COMPLETE(i->tar_job))                  return false; -        if (i->checksum_job && i->checksum_job->state != PULL_JOB_DONE) +        if (i->settings_job && !PULL_JOB_IS_COMPLETE(i->settings_job))                  return false; -        if (i->signature_job && i->signature_job->state != PULL_JOB_DONE) +        if (i->checksum_job && !PULL_JOB_IS_COMPLETE(i->checksum_job)) +                return false; +        if (i->signature_job && !PULL_JOB_IS_COMPLETE(i->signature_job))                  return false;          return true; @@ -234,7 +279,11 @@ static void tar_pull_job_on_finished(PullJob *j) {          assert(j->userdata);          i = j->userdata; -        if (j->error != 0) { + +        if (j == i->settings_job) { +                if (j->error != 0) +                        log_info_errno(j->error, "Settings file could not be retrieved, proceeding without."); +        } else if (j->error != 0) {                  if (j == i->checksum_job)                          log_error_errno(j->error, "Failed to retrieve SHA256 checksum, cannot verify. (Try --verify=no?)");                  else if (j == i->signature_job) @@ -253,13 +302,19 @@ static void tar_pull_job_on_finished(PullJob *j) {          if (!tar_pull_is_done(i))                  return; -        j->disk_fd = safe_close(i->tar_job->disk_fd); +        i->tar_job->disk_fd = safe_close(i->tar_job->disk_fd); +        if (i->settings_job) +                i->settings_job->disk_fd = safe_close(i->settings_job->disk_fd);          if (i->tar_pid > 0) {                  r = wait_for_terminate_and_warn("tar", i->tar_pid, true);                  i->tar_pid = 0;                  if (r < 0)                          goto finish; +                if (r > 0) { +                        r = -EIO; +                        goto finish; +                }          }          if (!i->tar_job->etag_exists) { @@ -267,7 +322,7 @@ static void tar_pull_job_on_finished(PullJob *j) {                  tar_pull_report_progress(i, TAR_VERIFYING); -                r = pull_verify(i->tar_job, i->checksum_job, i->signature_job); +                r = pull_verify(i->tar_job, i->settings_job, i->checksum_job, i->signature_job);                  if (r < 0)                          goto finish; @@ -283,8 +338,32 @@ static void tar_pull_job_on_finished(PullJob *j) {                          goto finish;                  } -                free(i->temp_path); -                i->temp_path = NULL; +                i->temp_path = mfree(i->temp_path); + +                if (i->settings_job && +                    i->settings_job->error == 0 && +                    !i->settings_job->etag_exists) { + +                        assert(i->settings_temp_path); +                        assert(i->settings_path); + +                        /* Also move the settings file into place, if +                         * it exist. Note that we do so only if we +                         * also moved the tar file in place, to keep +                         * things strictly in sync. */ + +                        r = import_make_read_only(i->settings_temp_path); +                        if (r < 0) +                                goto finish; + +                        r = rename_noreplace(AT_FDCWD, i->settings_temp_path, AT_FDCWD, i->settings_path); +                        if (r < 0) { +                                log_error_errno(r, "Failed to rename settings file: %m"); +                                goto finish; +                        } + +                        i->settings_temp_path = mfree(i->settings_temp_path); +                }          }          tar_pull_report_progress(i, TAR_COPYING); @@ -302,7 +381,7 @@ finish:                  sd_event_exit(i->event, r);  } -static int tar_pull_job_on_open_disk(PullJob *j) { +static int tar_pull_job_on_open_disk_tar(PullJob *j) {          TarPull *i;          int r; @@ -339,6 +418,35 @@ static int tar_pull_job_on_open_disk(PullJob *j) {          return 0;  } +static int tar_pull_job_on_open_disk_settings(PullJob *j) { +        TarPull *i; +        int r; + +        assert(j); +        assert(j->userdata); + +        i = j->userdata; +        assert(i->settings_job == j); +        assert(!i->settings_path); +        assert(!i->settings_temp_path); + +        r = pull_make_path(j->url, j->etag, i->image_root, ".settings-", NULL, &i->settings_path); +        if (r < 0) +                return log_oom(); + +        r = tempfn_random(i->settings_path, NULL, &i->settings_temp_path); +        if (r < 0) +                return log_oom(); + +        mkdir_parents_label(i->settings_temp_path, 0700); + +        j->disk_fd = open(i->settings_temp_path, O_RDWR|O_CREAT|O_EXCL|O_NOCTTY|O_CLOEXEC, 0664); +        if (j->disk_fd < 0) +                return log_error_errno(errno, "Failed to create %s: %m", i->settings_temp_path); + +        return 0; +} +  static void tar_pull_job_on_progress(PullJob *j) {          TarPull *i; @@ -350,10 +458,19 @@ static void tar_pull_job_on_progress(PullJob *j) {          tar_pull_report_progress(i, TAR_DOWNLOADING);  } -int tar_pull_start(TarPull *i, const char *url, const char *local, bool force_local, ImportVerify verify) { +int tar_pull_start( +                TarPull *i, +                const char *url, +                const char *local, +                bool force_local, +                ImportVerify verify, +                bool settings) { +          int r;          assert(i); +        assert(verify < _IMPORT_VERIFY_MAX); +        assert(verify >= 0);          if (!http_url_is_valid(url))                  return -EINVAL; @@ -367,15 +484,18 @@ int tar_pull_start(TarPull *i, const char *url, const char *local, bool force_lo          r = free_and_strdup(&i->local, local);          if (r < 0)                  return r; +          i->force_local = force_local;          i->verify = verify; +        i->settings = settings; +        /* Set up download job for TAR file */          r = pull_job_new(&i->tar_job, url, i->glue, i);          if (r < 0)                  return r;          i->tar_job->on_finished = tar_pull_job_on_finished; -        i->tar_job->on_open_disk = tar_pull_job_on_open_disk; +        i->tar_job->on_open_disk = tar_pull_job_on_open_disk_tar;          i->tar_job->on_progress = tar_pull_job_on_progress;          i->tar_job->calc_checksum = verify != IMPORT_VERIFY_NO;          i->tar_job->grow_machine_directory = i->grow_machine_directory; @@ -384,6 +504,22 @@ int tar_pull_start(TarPull *i, const char *url, const char *local, bool force_lo          if (r < 0)                  return r; +        /* Set up download job for the settings file (.nspawn) */ +        if (settings) { +                r = pull_make_settings_job(&i->settings_job, url, i->glue, tar_pull_job_on_finished, i); +                if (r < 0) +                        return r; + +                i->settings_job->on_open_disk = tar_pull_job_on_open_disk_settings; +                i->settings_job->on_progress = tar_pull_job_on_progress; +                i->settings_job->calc_checksum = verify != IMPORT_VERIFY_NO; + +                r = pull_find_old_etags(i->settings_job->url, i->image_root, DT_REG, ".settings-", NULL, &i->settings_job->old_etags); +                if (r < 0) +                        return r; +        } + +        /* Set up download of checksum/signature files */          r = pull_make_verification_jobs(&i->checksum_job, &i->signature_job, verify, url, i->glue, tar_pull_job_on_finished, i);          if (r < 0)                  return r; @@ -392,6 +528,12 @@ int tar_pull_start(TarPull *i, const char *url, const char *local, bool force_lo          if (r < 0)                  return r; +        if (i->settings_job) { +                r = pull_job_begin(i->settings_job); +                if (r < 0) +                        return r; +        } +          if (i->checksum_job) {                  i->checksum_job->on_progress = tar_pull_job_on_progress; diff --git a/src/import/pull-tar.h b/src/import/pull-tar.h index 0ed507748c..420845ae50 100644 --- a/src/import/pull-tar.h +++ b/src/import/pull-tar.h @@ -34,4 +34,4 @@ TarPull* tar_pull_unref(TarPull *pull);  DEFINE_TRIVIAL_CLEANUP_FUNC(TarPull*, tar_pull_unref); -int tar_pull_start(TarPull *pull, const char *url, const char *local, bool force_local, ImportVerify verify); +int tar_pull_start(TarPull *pull, const char *url, const char *local, bool force_local, ImportVerify verify, bool settings); diff --git a/src/import/pull.c b/src/import/pull.c index e13cd6af97..98c22aeec9 100644 --- a/src/import/pull.c +++ b/src/import/pull.c @@ -37,6 +37,7 @@ static bool arg_force = false;  static const char *arg_image_root = "/var/lib/machines";  static ImportVerify arg_verify = IMPORT_VERIFY_SIGNATURE;  static const char* arg_dkr_index_url = DEFAULT_DKR_INDEX_URL; +static bool arg_settings = true;  static int interrupt_signal_handler(sd_event_source *s, const struct signalfd_siginfo *si, void *userdata) {          log_notice("Transfer aborted."); @@ -118,7 +119,7 @@ static int pull_tar(int argc, char *argv[], void *userdata) {          if (r < 0)                  return log_error_errno(r, "Failed to allocate puller: %m"); -        r = tar_pull_start(pull, url, local, arg_force, arg_verify); +        r = tar_pull_start(pull, url, local, arg_force, arg_verify, arg_settings);          if (r < 0)                  return log_error_errno(r, "Failed to pull image: %m"); @@ -204,7 +205,7 @@ static int pull_raw(int argc, char *argv[], void *userdata) {          if (r < 0)                  return log_error_errno(r, "Failed to allocate puller: %m"); -        r = raw_pull_start(pull, url, local, arg_force, arg_verify); +        r = raw_pull_start(pull, url, local, arg_force, arg_verify, arg_settings);          if (r < 0)                  return log_error_errno(r, "Failed to pull image: %m"); @@ -331,8 +332,9 @@ static int help(int argc, char *argv[], void *userdata) {                 "  -h --help                   Show this help\n"                 "     --version                Show package version\n"                 "     --force                  Force creation of image\n" -               "     --verify=                Verify downloaded image, one of: 'no',\n" -               "                              'checksum', 'signature'.\n" +               "     --verify=MODE            Verify downloaded image, one of: 'no',\n" +               "                              'checksum', 'signature'\n" +               "     --settings=BOOL          Download settings file with image\n"                 "     --image-root=PATH        Image root directory\n"                 "     --dkr-index-url=URL      Specify index URL to use for downloads\n\n"                 "Commands:\n" @@ -352,6 +354,7 @@ static int parse_argv(int argc, char *argv[]) {                  ARG_DKR_INDEX_URL,                  ARG_IMAGE_ROOT,                  ARG_VERIFY, +                ARG_SETTINGS,          };          static const struct option options[] = { @@ -361,10 +364,11 @@ static int parse_argv(int argc, char *argv[]) {                  { "dkr-index-url",   required_argument, NULL, ARG_DKR_INDEX_URL   },                  { "image-root",      required_argument, NULL, ARG_IMAGE_ROOT      },                  { "verify",          required_argument, NULL, ARG_VERIFY          }, +                { "settings",        required_argument, NULL, ARG_SETTINGS        },                  {}          }; -        int c; +        int c, r;          assert(argc >= 0);          assert(argv); @@ -407,6 +411,14 @@ static int parse_argv(int argc, char *argv[]) {                          break; +                case ARG_SETTINGS: +                        r = parse_boolean(optarg); +                        if (r < 0) +                                return log_error_errno(r, "Failed to parse --settings= parameter '%s'", optarg); + +                        arg_settings = r; +                        break; +                  case '?':                          return -EINVAL; diff --git a/src/nspawn/nspawn-gperf.gperf b/src/nspawn/nspawn-gperf.gperf index 074b380306..b5127a387c 100644 --- a/src/nspawn/nspawn-gperf.gperf +++ b/src/nspawn/nspawn-gperf.gperf @@ -34,5 +34,5 @@ Network.Interface,         config_parse_strv,          0, offsetof(Settings, net  Network.MACVLAN,           config_parse_strv,          0, offsetof(Settings, network_macvlan)  Network.IPVLAN,            config_parse_strv,          0, offsetof(Settings, network_ipvlan)  Network.VirtualEthernet,   config_parse_tristate,      0, offsetof(Settings, network_veth) -Network.Bridge             config_parse_string,        0, offsetof(Settings, network_bridge) +Network.Bridge,            config_parse_string,        0, offsetof(Settings, network_bridge)  Network.Port,              config_parse_expose_port,   0, 0 | 
