summaryrefslogtreecommitdiff
path: root/src/nspawn/nspawn.c
AgeCommit message (Collapse)Author
2015-01-20nspawn: work around kernel bug with partition table probing on loopback devicesLennart Poettering
When we set up a loopback device with partition probing, the udev "change" event about the configured device is first passed on to userspace, only the the in-kernel partition prober is started. Since partition probing fails with EBUSY when somebody has the device open, the probing frequently fails since udev starts probing/opening the device as soon as it gets the notification about it, and it might do so earlier than the kernel probing. This patch adds a (hopefully temporary) work-around for this, that compares the number of probed partitions of the kernel with those of blkid and synchronously asks for reprobing until the numebrs are in sync. This really deserves a proper kernel fix.
2015-01-20nspawn: add ipvlan supportTom Gundersen
2015-01-19nspawn: support dissecting GPT images that contain only a single generic ↵Lennart Poettering
linux partition This should allow running Ubuntu UEFI GPT Images with nspawn, unmodified.
2015-01-19inspawn: wait until udev has probed a loopback device before making us of itLennart Poettering
2015-01-15nspawn: fix log typosJonathan Boulle
2015-01-15import: rename "gpt" disk image type to "raw"Lennart Poettering
After all, nspawn can now dissect MBR partition levels, too, hence ".gpt" appears a misnomer. Moreover, the the .raw suffix for these files is already pretty popular (the Fedora disk images use it for example), hence sounds like an OK scheme to adopt.
2015-01-15spawn: downgrade loopback detach errors to debugLennart Poettering
Sometimes udev or some other background daemon might keep the loopback devices busy while we already want to detach them. Downgrade the warning about it. Given that we use autodetach downgrading these messages should be with little risk.
2015-01-15nspawn: add support for limited dissecting of MBR disk images with nspawnLennart Poettering
With this change nspawn's -i switch now can now make sense of MBR disk images too - however only if there's only a single, bootable partition of type 0x83 on the image. For all other cases we cannot really make sense from the partition table alone. The big benefit of this change is that upstream Fedora Cloud Images can now be booted unmodified with systemd-nspawn: # wget http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz # unxz Fedora-Cloud-Base-20141203-21.x86_64.raw.xz # systemd-nspawn -i Fedora-Cloud-Base-20141203-21.x86_64.raw -b Next stop: teach the import logic to automatically download these images, uncompress and verify them.
2015-01-14nspawn: pass the container's init PID out via sd_notify()Lennart Poettering
This is useful for nspawn managers that want to learn when nspawn is finished with initialiuzation, as well what the PID of the init system in the container is.
2015-01-14nspawn: fix an incorrect assert comparisonLennart Poettering
2015-01-14nspawn: add file system locks for controlling access to container imagesLennart Poettering
This adds three kinds of file system locks for container images: a) a file system lock next to the actual image, in a .lck file in the same directory the image is located. This lock has the benefit of usually being located on the same NFS share as the image itself, and thus allows locking container images across NFS shares. b) a file system lock in /run, named after st_dev and st_ino of the root of the image. This lock has the advantage that it is unique even if the same image is bind mounted to two different places at the same time, as the ino/dev stays constant for them. c) a file system lock that is only taken when a new disk image is about to be created, that ensures that checking whether the name is already used across the search path, and actually placing the image is not interrupted by other code taking the name. a + b are read-write locks. When a container is booted in read-only mode a read lock is taken, otherwise a write lock. Lock b is always taken after a, to avoid ABBA problems. Lock c is mostly relevant when renaming or cloning images.
2015-01-14nspawn: remove the right propagation directoryLennart Poettering
2015-01-13nspawn: --help typo fixLennart Poettering
2015-01-13nspawn: add "-n" shortcut for "--network-veth"Lennart Poettering
Now that networkd's IP masquerading support means that running containers with "--network-veth" will provide network access out of the box for the container, let's add a shortcut "-n" for it, to make it easily accessible.
2015-01-13nspawn: add new option "--port=" for exposing container ports on the local hostLennart Poettering
This exposes an IP port on the container as local port using DNAT.
2015-01-08machined: when cloning a raw disk image, also set the NOCOW flagLennart Poettering
2015-01-08nspawn: fix error message when mknod failsTom Gundersen
2015-01-07machinectl: make sure that "machinectl login" exits immediately when the ↵Lennart Poettering
machine it is connected to dies
2015-01-05nspawn: mount most of the cgroup tree read-only in nspawn containers except ↵Lennart Poettering
for the container's own subtree in the name=systemd hierarchy More specifically mount all other hierarchies in their entirety and the name=systemd above the container's subtree read-only.
2014-12-29nspawn: report back to systemd only very late whether we are OKLennart Poettering
That way, systemd can actually figure out if everything is OK with nspawn.
2014-12-28nspawn: use the same image discovery logic in nspawn as in machinedLennart Poettering
2014-12-25nspawn: remove spurious include of <sys/capability.h>Filipe Brandenburger
It does not use any functions from libcap directly. The CAP_* constants in use through this file come from "missing.h" which will import <linux/capability.h> and complement it with CAP_* constants not defined by the current kernel headers. Add an explicit import of our "capability.h" since it does use the function capability_bounding_set_drop from that header file. Previously, that header was implicitly imported through through "cap-list.h". Tested that "systemd-nspawn" builds cleanly and works after this change.
2014-12-23nspawn,pty: port over to new ptsname_malloc() helperLennart Poettering
2014-12-23machinectl,nspawn: don't print extra final newline if pty terminal output ↵Lennart Poettering
was newline-terinated anyway
2014-12-23run: add a new "-t" mode for invoking a binary on an allocated TTYLennart Poettering
2014-12-18machinectl: implement "bind" command to create additional bind mounts from ↵Lennart Poettering
host to container during runtime
2014-12-17nspawn: fix invocation of the raw clone() system call on s390 and crisKen Werner
Since the order of the first and second arguments of the raw clone() system call is reversed on s390 and cris it needs to be invoked differently.
2014-12-12nspawn: when booting in ephemeral mode, append random token to machine nameLennart Poettering
Also, when booting up an ephemeral container of / use the system hostname as default machine name. This way specifiyng -M is unnecessary when booting up an ephemeral container, while allowing any number of ephemeral containers to run from the same tree.
2014-12-12nspawn: allow spawning ephemeral nspawn containers based on the root file ↵Lennart Poettering
system of the OS This works now: # systemd-nspawn -xb -D / -M foobar Which boots up an ephemeral container, based on the host's root file system. Or in other words: you can now run the very same host OS you booted your system with also in a container, on top of it, without having it interfere. Great for testing whether the init system you are hacking on still boots without reboot the system!
2014-12-12nspawn: don't link journals in ephemeral modeLennart Poettering
2014-12-12nspawn: properly unset arg_link_journal_try, when --link-journal= is specifiedLennart Poettering
2014-12-12nspawn: beef up nspawn with some btrfs magicLennart Poettering
This adds --template= to duplicate an OS tree as btrfs snpashot and run it This also adds --ephemeral or -x to create a snapshot of an OS tree and boot that, removing it after exit.
2014-12-12nspawn: properly validate machine namesLennart Poettering
2014-12-10util: introduce our own gperf based capability listLennart Poettering
This way, we can ensure we have a more complete, up-to-date list of capabilities around, always.
2014-12-10nspawn: create the macvlan MAC addresses in an arch independent stable wayLennart Poettering
2014-12-09nspawn: make sure macvlan MAC addresses are stableLennart Poettering
https://bugs.freedesktop.org/show_bug.cgi?id=85527
2014-12-03nspawn: correct EEXIST check when creating directory to mount /tmp inLennart Poettering
https://bugs.freedesktop.org/show_bug.cgi?id=86309
2014-11-29nspawn: fix unused variable warningZbigniew Jędrzejewski-Szmek
2014-11-29delta: diff returns 1 when files differ, ignore thisZbigniew Jędrzejewski-Szmek
https://bugs.debian/org/771397
2014-11-28treewide: another round of simplificationsMichal Schmidt
Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
2014-11-28treewide: use log_*_errno whenever %m is in the format stringMichal Schmidt
If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.
2014-11-28treewide: yet more log_*_errno + return simplificationsMichal Schmidt
Using: find . -name '*.[ch]' | while read f; do perl -i.mmm -e \ 'local $/; local $_=<>; s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg; print;' $f done And a couple of manual whitespace fixups.
2014-11-28treewide: no need to negate errno for log_*_errno()Michal Schmidt
It corrrectly handles both positive and negative errno values.
2014-11-28treewide: auto-convert the simple cases to log_*_errno()Michal Schmidt
As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and intrdouce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/' Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().
2014-11-22nspawn: ignore EEXIST when mounting tmpfsRichard Schütz
commit 79d80fc1466512d0ca211f4bfcd9de5f2f816a5a introduced a regression that prevents mounting a tmpfs if the mount point already exits in the container's root file system. This commit fixes the problem by ignoring EEXIST.
2014-11-21nspawn: Add try-{host,guest} journal link modesMartin Pitt
--link-journal={host,guest} fail if the host does not have persistent journalling enabled and /var/log/journal/ does not exist. Even worse, as there is no stdout/err any more, there is no error message to point that out. Introduce two new modes "try-host" and "try-guest" which don't fail in this case, and instead just silently skip the guest journal setup. Change -j to mean "try-guest" instead of "guest", and fix the wrong --help output for it (it said "host" before). Change systemd-nspawn@.service.in to use "try-guest" so that this unit works with both persistent and non-persistent journals on the host without failing. https://bugs.debian.org/770275
2014-11-13sd-bus: sync with kdbus upstream (ABI break)Daniel Mack
kdbus has seen a larger update than expected lately, most notably with kdbusfs, a file system to expose the kdbus control files: * Each time a file system of this type is mounted, a new kdbus domain is created. * The layout inside each mount point is the same as before, except that domains are not hierarchically nested anymore. * Domains are therefore also unnamed now. * Unmounting a kdbusfs will automatically also detroy the associated domain. * Hence, the action of creating a kdbus domain is now as privileged as mounting a filesystem. * This way, we can get around creating dev nodes for everything, which is last but not least something that is not limited by 20-bit minor numbers. The kdbus specific bits in nspawn have all been dropped now, as nspawn can rely on the container OS to set up its own kdbus domain, simply by mounting a new instance. A new set of mounts has been added to mount things *after* the kernel modules have been loaded. For now, only kdbus is in this set, which is invoked with mount_setup_late().
2014-11-04barrier: explicitly ignore return values of barrier_place()David Herrmann
The barrier implementation tracks remote states internally. There is no need to check the return value of any barrier_*() function if the caller is not interested in the result. The barrier helpers only return the state of the remote side, which is usually not interesting as later calls to barrier_sync() will catch this, anyway. Shut up coverity by explicitly ignoring return values of barrier_place() if we're not interested in it.
2014-10-31ptyforward: rework PTY forwarder logic used by nspawn to utilize the normal ↵Lennart Poettering
event loop We really should not run manual event loops anymore, but standardize on sd_event, so that we can run sd_bus connections from it eventually.
2014-10-31units: don't order journal flushing afte remote-fs.targetLennart Poettering
Instead, only depend on the actual file systems we need. This should solve dep loops on setups where remote-fs.target is moved into late boot.