path: root/src/nspawn
Age  Commit message  Author

2015-09-04  nspawn: enable all controllers we can for the "payload" subcgroup we create  (Lennart Poettering)
  In the unified hierarchy delegating controller access is safe, hence make sure to enable all controllers for the "payload" subcgroup if we create it, so that the container will have all controllers enabled the nspawn service itself has.

2015-09-01  core: unified cgroup hierarchy support  (Lennart Poettering)
  This patch set adds full support for the new unified cgroup hierarchy logic of modern kernels. A new kernel command line option "systemd.unified_cgroup_hierarchy=1" is added. If specified the unified hierarchy is mounted to /sys/fs/cgroup instead of a tmpfs. No further hierarchies are mounted. The kernel command line option defaults to off. We can turn it on by default as soon as the kernel's APIs regarding this are stabilized (but even then downstream distros might want to turn this off, as this will break any tools that access cgroupfs directly).

  It is possible to choose for each boot individually whether the unified or the legacy hierarchy is used. nspawn will by default provide the legacy hierarchy to containers if the host is using it, and the unified otherwise. However it is possible to run containers with the unified hierarchy on a legacy host and vice versa, by setting the $UNIFIED_CGROUP_HIERARCHY environment variable for nspawn to 1 or 0, respectively.

  The unified hierarchy provides reliable cgroup empty notifications for the first time, via inotify. To make use of this we maintain one manager-wide inotify fd, and add each cgroup to it. This patch also removes cg_delete() which is unused now.

  On kernel 4.2 only the "memory" controller is compatible with the unified hierarchy, hence that's the only controller systemd exposes when booted in unified hierarchy mode.

  This introduces a new enum for enumerating supported controllers, plus a related enum for the mask bits mapping to it. The core is changed to make use of this everywhere.

  This moves PID 1 into a new "init.scope" implicit scope unit in the root slice. This is necessary since on the unified hierarchy cgroups may either contain subgroups or processes but not both. PID 1 hence has to move out of the root cgroup (strictly speaking the root cgroup is the only one where processes and subgroups are still allowed, but in order to support containers nicely, we move PID 1 into the new scope in all cases.) This new unit is also used on legacy hierarchy setups. It's actually pretty useful on all systems, as it can then be used to filter journal messages coming from PID 1, and so on.

  The root slice ("-.slice") is now implicitly created and started (and does not require a unit file on disk anymore), since that's where "init.scope" is located and the slice needs to be started before the scope can.

  To check whether we are in unified or legacy hierarchy mode we use statfs() on /sys/fs/cgroup. If the .f_type field reports tmpfs we are in legacy mode, if it reports cgroupfs we are in unified mode.

  This patch set carefully makes sure that cgls and cgtop continue to work as desired.

  When invoking nspawn as a service it will implicitly create two subcgroups in the cgroup it is using, one to move the nspawn process into, the other to move the actual container processes into. This is done because of the requirement that cgroups may either contain processes or other subgroups.

2015-08-29  nspawn: don't try to extract quotes from option string, glibc doesn't do that either  (Lennart Poettering)
  Follow-up regarding #649.

2015-08-28  nspawn: add (no)rbind option to --bind and --bind-ro  (Eugene Yakubovich)
  --bind and --bind-ro perform the bind mount non-recursively. It is sometimes (often?) desirable to do a recursive mount. This patch adds an optional set of bind mount options in the form of: --bind=src-path:dst-path:options. Options are comma separated and currently only "rbind" and "norbind" are allowed. Default value is "rbind".

2015-08-25  nspawn: make sure --template= and --machine= may be combined  (Lennart Poettering)
  Fixes #1018. Based on a patch from Seth Jennings.

2015-08-21  remove unused variables  (Thomas Hindoe Paaboel Andersen)

2015-08-07  nspawn: Allow : characters in overlay paths  (Richard Maw)
  : characters can be entered with the \: escape sequence.

2015-08-07  nspawn: escape paths in overlay mount options  (Richard Maw)
  Overlayfs uses , as an option separator and : as a list separator. These characters are both valid in file paths, so overlayfs allows file paths which contain these characters to backslash escape these values.

2015-08-07  nspawn: Allow : characters in nspawn --bind paths  (Richard Maw)
  : characters in bind paths can be entered as the \: escape sequence.

2015-08-07  nspawn: Allow : characters in --tmpfs path  (Richard Maw)
  This now accepts : characters with the \: escape sequence. Other escape sequences are also interpreted, but having a \ in your file path is less likely than :, so this shouldn't break anyone's existing tools.
2015-08-05  Merge branch 'hostnamectl-dot-v2'  (Zbigniew Jędrzejewski-Szmek)
  Manual merge of https://github.com/systemd/systemd/pull/751.

2015-08-05  hostname-util: get rid of unused parameter of hostname_cleanup()  (Zbigniew Jędrzejewski-Szmek)
  All users are now setting lowercase=false.

2015-07-31  tree-wide: introduce mfree()  (David Herrmann)
  Pretty trivial helper which wraps free() but returns NULL, so we can simplify this:
    free(foobar);
    foobar = NULL;
  to this:
    foobar = mfree(foobar);

2015-07-30  tree-wide: use free_and_strdup()  (Daniel Mack)
  Use free_and_strdup() where appropriate and replace equivalent, open-coded versions.

2015-07-22  nspawn: Don't pass uid mount option for devpts  (Mike Gilbert)
  Mounting devpts with a uid breaks pty allocation with recent glibc versions, which expect that the kernel will set the correct owner for user-allocated ptys. The kernel seems to be smart enough to use the correct uid for root when we switch to a user namespace. This resolves #337.

2015-07-08  Merge pull request #500 from zonque/fileio  (Lennart Poettering)
  fileio: consolidate write_string_file*()

2015-07-07  Remove repeated 'the's  (Zbigniew Jędrzejewski-Szmek)

2015-07-06  tree-wide: fix write_string_file() user that should not create files  (Daniel Mack)
  The latest consolidation cleanup of write_string_file() revealed some users of that helper which should have used write_string_file_no_create() in the past but didn't. Basically, all existing users that write to files in /sys and /proc should not expect to write to a file which is not yet existent.

2015-07-06  fileio: consolidate write_string_file*()  (Daniel Mack)
  Merge write_string_file(), write_string_file_no_create() and write_string_file_atomic() into write_string_file() and provide a flags mask that allows combinations of atomic writing, newline appending and automatic file creation. Change all users accordingly.

2015-07-06  Merge pull request #492 from richardmaw-codethink/nspawn-automatic-uid-shift-fix-v2  (Lennart Poettering)
  nspawn: Communicate determined UID shift to parent version 2

2015-07-06  nspawn: Communicate determined UID shift to parent  (Richard Maw)
  There is logic to determine the UID shift from the file-system, rather than having it be explicitly passed in. However, this needs to happen in the child process that sets up the mounts, as what's important is the UID of the mounted root, rather than the mount-point. Setting up the UID map needs to happen in the parent because the inner child needs to have been started, and the outer child is no longer able to access the uid_map file, since it lost access to it when setting up the mounts for the inner child. So we need to communicate the uid shift back out, along with the PID of the inner child process. Failing to communicate this means that the invalid UID shift, which is the value used to specify "this needs to be determined from the file system", is left invalid, so setting up the user namespace's UID shift fails.

2015-07-06  nspawn: fix indenting  (Lennart Poettering)

2015-07-04  Merge pull request #485 from poettering/sd-bus-flush-close-unref  (David Herrmann)
  sd-bus: introduce new sd_bus_flush_close_unref() call

2015-07-03  sd-bus: introduce new sd_bus_flush_close_unref() call  (Lennart Poettering)
  sd_bus_flush_close_unref() is a call that simply combines sd_bus_flush() (which writes all unwritten messages out) + sd_bus_close() (which terminates the connection, releasing all unread messages) + sd_bus_unref() (which frees the connection). The combination of this call is used pretty frequently in systemd tools right before exiting, and should also be relevant for most external clients, and is hence useful to cover in a call of its own. Previously the combination of the three calls was already done in the _cleanup_bus_close_unref_ macro, but this was only available internally. Also see #327.
2015-07-03  Revert "nspawn: determine_uid_shift before forking"  (Lennart Poettering)

2015-06-30  Merge pull request #429 from richardmaw-codethink/nspawn-userns-uid-shift-autodetection-fix  (Tom Gundersen)
  nspawn: determine_uid_shift before forking

2015-06-30  nspawn: determine_uid_shift before forking  (Richard Maw)
  It is needed in one branch of the fork, but calculated in another branch. Failing to do this means using --private-users without specifying a uid shift always fails because it tries to shift the uid to UID_INVALID.

2015-06-30  nspawn: Don't remount with fewer options  (Richard Maw)
  When we do a MS_BIND mount, it inherits the flags of its parent mount. When we do a remount, it sets the flags to exactly what is specified. If we are in a user namespace then these mount points have their flags locked, so you can't reduce the protection. As a consequence, the default setup of mount_all doesn't work with user namespaces. However if we ensure we add the mount flags of the parent mount when remounting, then we aren't removing mount options, so we aren't trying to unlock an option that we aren't allowed to.

2015-06-18  nspawn: suppress warning when /etc/resolv.conf is a valid symlink  (Lennart Poettering)
  In such a case let's suppress the warning (downgrade to LOG_DEBUG), under the assumption that the user has no config file to update in its place, but a symlink that points to something like resolved's automatically managed resolv.conf file. While we are at it, also stop complaining if we cannot write /etc/resolv.conf due to a read-only disk, given that there's little we could do about it.

2015-06-17  nspawn: when exiting, flush all remaining bytes from the pty to stdout  (Lennart Poettering)
  This is a simpler fix for #210, it simply uses copy_bytes() for the copying.

2015-06-16  nspawn: check if kernel supports userns as early as possible  (Djalal Harouni)
  If the kernel does not support user namespaces then one of the children created by the nspawn parent will fail at clone(CLONE_NEWUSER) with the generic error EINVAL and without logging the error. At the same time the parent may also try to set up the user namespace and will fail with another error. To improve this, check if the kernel supports user namespaces as early as possible.

2015-06-15  Merge pull request #214 from poettering/signal-rework-2  (Lennart Poettering)
  everywhere: port everything to sigprocmask_many() and friends

2015-06-15  everywhere: port everything to sigprocmask_many() and friends  (Lennart Poettering)
  This ports a lot of manual code over to sigprocmask_many() and friends. Also, we now consistently check for sigprocmask() failures with assert_se(), since the call cannot realistically fail unless there's a programming error. Also encloses a few sd_event_add_signal() calls with (void) when we ignore the return values for it knowingly.

2015-06-15  tmpfiles: automatically remove old machine snapshots at boot  (Lennart Poettering)
  Remove old temporary snapshots, but only at boot. Ideally we'd have "self-destroying" btrfs snapshots that go away if the last reference to them does. To mimic a scheme like this at least remove the old snapshots on fresh boots, where we know they cannot be referenced anymore. Note that we actually remove all temporary files in /var/lib/machines/ at boot, which should be safe since the directory has defined semantics. In the root directory (where systemd-nspawn --ephemeral places snapshots) we are more strict, to avoid removing unrelated temporary files. This also splits out nspawn/container related tmpfiles bits into a new tmpfiles snippet, systemd-nspawn.conf.

2015-06-15  util: when creating temporary file names, allow including extra id string in it  (Lennart Poettering)
  This adds a "char *extra" parameter to tempfn_xxxxxx(), tempfn_random(), tempfn_random_child(). If non-NULL this string is included in the middle of the newly created file name. This is useful for being able to distinguish the kind of temporary file when we see one. This also adds tests for the three calls. For now, we don't make use of this at all, but port all users over.

2015-06-15  firewall: rename fw-util.[ch] → firewall-util.[ch]  (Daniel Mack)
  The names fw-util.[ch] are too ambiguous, better rename the files to firewall-util.[ch]. Also rename the test accordingly.
2015-06-15  Merge pull request #205 from endocode/iaguis/seccomp-v2  (Lennart Poettering)
  nspawn: make seccomp loading errors non-fatal

2015-06-15  nspawn: make seccomp loading errors non-fatal  (Iago López Galeiras)
  seccomp_load returns -EINVAL when seccomp support is not enabled in the kernel [1]. This should be a debug log, not an error that interrupts nspawn. If the seccomp filter can't be set and audit is enabled, the user will get an error message anyway.
  [1]: http://man7.org/linux/man-pages/man2/prctl.2.html

2015-06-13  sd-netlink: rename from sd-rtnl  (Tom Gundersen)

2015-06-11  sd-rtnl: make joining broadcast groups implicit  (Tom Gundersen)

2015-06-10  tree-wide: whenever we fork off a foreign child process reset signal mask/handlers  (Lennart Poettering)
  Also, when the child is potentially long-running make sure to set a death signal. Also, ignore the result of the reset operations explicitly by casting them to (void).

2015-05-29  util: split out signal-util.[ch] from util.[ch]  (Lennart Poettering)
  No functional changes.

2015-05-29  path-util: Change path_is_mount_point() symlink arg from bool to flags  (Martin Pitt)
  This makes path_is_mount_point() consistent with fd_is_mount_point() wrt. flags.

2015-05-25  nspawn: fix memleak  (Tom Gundersen)
  This was a typo, swapping prefix_root() in place of prefix_roota(). Fixes CID 1299640.

2015-05-25  nspawn: avoid memleak  (Tom Gundersen)
  Simplify the code a bit, at the cost of potentially duplicating some memory unnecessarily. Fixes CID 1299641.

2015-05-25  nspawn: drop some debugging code  (Tom Gundersen)
  These have no effect. Fixes CID 1299643.

2015-05-25  nspawn: make coverity happy  (Tom Gundersen)
  Rather than checking the return of asprintf() we are checking if buf gets allocated, make it clear that it is ok to ignore the return value. Fixes CID 1299644.

2015-05-24  nspawn: be verbose about interface names  (Umut Tezduyar Lindskog)
  The allowed interface name length is relatively small. Let's not make users go into the source code to figure out what happened. --machine=debian-tree conflicts with --machine=debian-tree2, e.g.: Failed to add new veth interfaces (host0, vb-debian-tree): File exists

2015-05-21  nspawn: prohibit access to the kernel log buffer by default  (Lennart Poettering)
  Unless CAP_SYSLOG is explicitly passed, block all access to kmsg.

2015-05-21  util: introduce PERSONALITY_INVALID as macro for 0xffffffffLU  (Lennart Poettering)