summaryrefslogtreecommitdiff
path: root/src/nspawn/nspawn.c
AgeCommit message (Collapse)Author
2014-02-04nspawn: various fixes in selinux hookupLennart Poettering
- As suggested, prefix argument variables with "arg_" how we do this usually. - As suggested, don't involve memory allocations when storing command line arguments. - Break --help text at 80 chars - man: explain that this is about SELinux - don't do unnecessary memory allocations when putting together mount option string
2014-02-04Add SELinux support to systemd-nspawnDan Walsh
This patch adds to new options: -Z PROCESS_LABEL This specifies the process label to run on processes run within the container. -L FILE_LABEL The file label to assign to memory file systems created within the container. For example if you wanted to wrap an container with SELinux sandbox labels, you could execute a command line the following chcon system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -R /srv/container systemd-nspawn -L system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 -Z system_u:system_r:svirt_lxc_net_t:s0:c0,c1 -D /srv/container /bin/sh
2014-02-01bus: update kdbus.h (ABI break)Kay Sievers
2014-01-29nspawn: fix reboot event fd reuseLennart Poettering
2014-01-20exec: introduce PrivateDevices= switch to provide services with a private /devLennart Poettering
Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but not any physical devices in them.
2014-01-09nspawn: do not invoke RegisterMachine on machined from inside the new PID ↵Lennart Poettering
namespace On kdbus user credentials are not translated across PID namespaces, but simply invalidated if sender and receiver namespaces don't match. This makes it impossible to properly authenticate requests from different PID namespaces (which is probably a good thing). Hence, register the machine in the parent and not the client and properly synchronize this.
2013-12-20DEFAULT_PATH_SPLIT_USR macroShawn Landden
2013-12-13nspawn: add new --setenv= switch to set an environment variable for the ↵Lennart Poettering
container to spawn
2013-12-11nspawn: complain and continue if machine has same idZbigniew Jędrzejewski-Szmek
If --link-journal=host or --link-journal=guest is used, this totally cannot work and we exit with an error. If however --link-journal=auto or --link-journal=no is used, just display a warning. Having the same machine id can happen if booting from the same filesystem as the host. Since other things mostly function correctly, let's allow that. https://bugs.freedesktop.org/show_bug.cgi?id=68369
2013-12-12bus: connect directly via kdbus in sd_bus_open_system_container()Lennart Poettering
kdbus fortunately exposes the container's busses in the host fs, hence we can access it directly instead of doing the namespacing dance.
2013-12-06Get rid of our reimplementation of basenameZbigniew Jędrzejewski-Szmek
The only problem is that libgen.h #defines basename to point to it's own broken implementation instead of the GNU one. This can be fixed by #undefining basename.
2013-12-06nspawn: fix buggy mount_binds, now works for bind-mounted filesShawn Landden
2013-11-30nspawn: set up a kdbus namespace when starting a containerLennart Poettering
2013-11-26nspawn: improve error message when we cannot resolve the root directory argumentLennart Poettering
2013-11-20nspawn: add new --drop-capability= switchLennart Poettering
2013-11-12bus: introduce concept of a default bus for each thread and make use of it ↵Lennart Poettering
everywhere We want to emphasize bus connections as per-thread communication primitives, hence introduce a concept of a per-thread default bus, and make use of it everywhere.
2013-11-07bus: log message parsing errors everywhere with a generalized ↵Lennart Poettering
bus_log_parse_error()
2013-11-06clients: unify how we invoke getopt_long()Lennart Poettering
Among other things this makes sure we always expose a --version command and show it in the help texts.
2013-11-06nspawn: explicitly terminate machines when we exit nspawnLennart Poettering
https://bugs.freedesktop.org/show_bug.cgi?id=68370 https://bugzilla.redhat.com/show_bug.cgi?id=988883
2013-11-05nspawn: log out of memory errorsDjalal Harouni
2013-10-31machinectl: add new command to spawn a getty inside a containerLennart Poettering
2013-10-31nspawn: split out pty forwaring logic into ptyfwd.cLennart Poettering
2013-10-30nspawn: only pass in slice setting if it is setLennart Poettering
2013-10-16timedated: use libsystemd-bus instead of libdbus for bus communicationLennart Poettering
Among other things this also adds a few things necessary for the change: - Considerably more powerful error returning APIs in libsystemd-bus - Adapter for connecting an sd_bus to an sd_event - As I reworked the PolicyKit logic to the new library I also made it asynchronous, so that PolicyKit requests of one user cannot block out another user anymore. - We always use the macro names for common bus error. That way it is harder to mistype them since the compiler will notice
2013-10-13Introduce _cleanup_fdset_free_Zbigniew Jędrzejewski-Szmek
2013-10-02nspawn: always copy /etc/resolv.conf rather than bind mountLennart Poettering
We were already creating the file if it was missing, and this way containers can reconfigure the file without running into problems. This also makes resolv.conf handling more alike to handling of /etc/localtime, which is also not a bind mount.
2013-09-19fix grammatical errorDave Reisner
2013-09-19nspawn: be less liberal about creating bind mount destinationsDave Reisner
Previously, if a file's bind mount destination didn't exist, nspawn would blindly create a directory, and the subsequent bind mount would fail. Examine the filetype of the source and ensure that, if the destination does not exist, that it is created appropriately. Also go one step further and ensure that the filetypes of the source and destination match.
2013-08-23nspawn: trivial simplificationZbigniew Jędrzejewski-Szmek
2013-07-19nspawn: Reorder includes to fix compilationJesper Larsen
Commit 2e996f4d4b642c5682c608c9692ad2ffae398ab2 added an include of linux/netlink.h This kernel header is not self contained in the linux 2.6 kernel which breaks compilation with an unknown type sa_family_t A workaround is to include linux/netlink.h after sys/socket.h
2013-07-02nspawn: use the corect method signature for CreateMachine()Lennart Poettering
2013-07-02machined: split out machine registration stuff from logindLennart Poettering
Embedded folks don't need the machine registration stuff, hence it's nice to make this optional. Also, I'd expect that machinectl will grow additional commands quickly, for example to join existing containers and suchlike, hence it's better keeping that separate from loginctl.
2013-06-20nspawn: '-C' option has been removedZbigniew Jędrzejewski-Szmek
Fixup for 9444b1f "logind: add infrastructure to keep track of machines, and move to slices."
2013-06-20logind: add infrastructure to keep track of machines, and move to slicesLennart Poettering
- This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.
2013-05-10nspawn: only warn about audit when booting the containerDave Reisner
The audit subsystem isn't relevant when nspawn is only being used as a chroot.
2013-05-09nspawn: Include netlink headers rather than using #ifdefColin Walters
This is a better fix than e13e1fad8b231e187bd5de3ce668411bdcd3ac1a for failing to compile without audit that 77b6e19458f37cfde127ec6aa9494c0ac45ad890 introduced.
2013-05-09Fix previous commit for !HAVE_AUDITColin Walters
2013-05-10audit: since audit is apparently never going to be fixed for containers tell ↵Lennart Poettering
the user what's going on Let's try to be helpful to the user and give him a hint what he can do to make nspawn work with normal OS containers. https://bugzilla.redhat.com/show_bug.cgi?id=893751
2013-05-07hostname: only suppress setting of pretty hostname if it is non-equal to the ↵Lennart Poettering
static hostname and if the static hostname is set, too https://bugzilla.redhat.com/show_bug.cgi?id=957814
2013-05-07build-sys: support builds without EAs againLennart Poettering
2013-05-06nspawn: explain that we look for /etc/os-release in the container directoryLennart Poettering
https://bugs.freedesktop.org/show_bug.cgi?id=64014
2013-05-02nspawn: inherit the exit status of containerDave Reisner
If we get as far as successfully starting the container, nspawn should inherit the exit status of the child container process as its own.
2013-05-01cgls: add --machine/-MZbigniew Jędrzejewski-Szmek
cg_get_machine_path is modified to include the escaped machine name + ".nspawn" if the machine argument is nonnull.
2013-04-30units: add an easy-to-use unit template file systemd-nspawn@.service for ↵Lennart Poettering
running containers as system services
2013-04-30id128: when taking user input for a 128bit ID, validate syntaxLennart Poettering
Also, always accept both our simple hexdump syntax and UUID syntax.
2013-04-29nspawn: add -M option to optstringEvangelos Foutras
This was missed in commit 7027ff61a34a12487712b382a061c654acc3a679 and means that the --machine option would work but not its shorthand, -M.
2013-04-22cgroup: make sure all our cgroup objects have a suffix and are properly escapedLennart Poettering
Session objects will now get the .session suffix, user objects the .user suffix, nspawn containers the .nspawn suffix. This also changes the user cgroups to be named after the numeric UID rather than the username, since this allows us the parse these paths standalone without requiring access to the cgroup file system. This also changes the mapping of instanced units to cgroups. Instead of mapping foo@bar.service to the cgroup path /user/foo@.service/bar we will now map it to /user/foo@.service/foo@bar.service, in order to ensure that all our objects are properly suffixed in the tree.
2013-04-22nspawn: suffix the nspawn cgroups with ".nspawn"Lennart Poettering
As discussed with Dan Berrange it's a good idea to suffix all objects in the cgroup tree with ".something", so that when the system is partitioned using a resource management tool we can drop objects of different types into the same partition directory without generate namespace conflicts. We'l add this to the Pax Control Group document as soon as write access to the fdo wiki is restored.
2013-04-22nspawn: always use cg_get_path() to determine fs path for a cgroupLennart Poettering
2013-04-21systemd,nspawn: use extended attributes to store metadataZbigniew Jędrzejewski-Szmek
All attributes are stored as text, since root_directory is already text, and it seems easier to have all of them in text format. Attributes are written in the trusted. namespace, because the kernel currently does not allow user. attributes on cgroups. This is a PITA, and CAP_SYS_ADMIN is required to *read* the attributes. Alas. A second pipe is opened for the child to signal the parent that the cgroup hierarchy has been set up.