summaryrefslogtreecommitdiff
path: root/src/nspawn
AgeCommit message (Collapse)Author
2015-04-06util: rework rm_rf() logicLennart Poettering
- Move to its own file rm-rf.c - Change parameters into a single flags parameter - Remove "honour sticky" logic, it's unused these days
2015-03-31nspawn: fallback on bind mount when mknod failsAlban Crequy
Some systems abusively restrict mknod, even when the device node already exists in /dev. This is unfortunate because it prevents systemd-nspawn from creating the basic devices in /dev in the container. This patch implements a workaround: when mknod fails, fallback on bind mounts. Additionally, /dev/console was created with a mknod with the same major/minor as /dev/null before bind mounting a pts on it. This patch removes the mknod and creates an empty regular file instead. In order to test this patch, I used the following configuration, which I think should replicate the system with the abusive restriction on mknod: # grep devices /proc/self/cgroup 4:devices:/user.slice/restrict # cat /sys/fs/cgroup/devices/user.slice/restrict/devices.list c 1:9 r c 5:2 rw c 136:* rw # systemd-nspawn --register=false -D . v2: - remove "bind", it is not needed since there is already MS_BIND v3: - fix error management when calling touch() - fix lowercase in error message
2015-03-31nspawn: drop sd_booted() checkLennart Poettering
We have no such check in any of the other tools, hence don't have one in nspawn either. (This should make things nicer for Rocket, among other things) Note: removing this check does not mean that we support running nspawn on non-systemd. We explicitly don't. It just means that we remove the check for running it like that. You are still on your own if you do...
2015-03-31nspawn: change filesystem type from "bind" to NULL in mount() syscallsIago López Galeiras
Try to keep syscalls as minimal as possible.
2015-03-13nspawn: tell coverity that we ignore return valueZbigniew Jędrzejewski-Szmek
CID #1271353.
2015-03-13tree-wide: there is no ENOTSUP on linuxDavid Herrmann
Replace ENOTSUP by EOPNOTSUPP as this is what linux actually uses.
2015-03-07nspawn: fix use-after-free and leak in error pathsZbigniew Jędrzejewski-Szmek
CID #1257765.
2015-03-04nspawn: Map all seccomp filters to capabilitiesJay Faulkner
This change makes it so all seccomp filters are mapped to the appropriate capability and are only added if that capability was not requested when running the container. This unbreaks the remaining use cases broken by the addition of seccomp filters without respecting requested capabilities. Co-Authored-By: Clif Houck <me@clifhouck.com> [zj: - adapt to our coding style, make struct anonymous]
2015-02-25nspawn: make kill signal to use for PID 1 configurableLennart Poettering
2015-02-23remove unused includesThomas Hindoe Paaboel Andersen
This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.
2015-02-23nspawn: fix whitespace and typo in partition table blurbJan Synacek
2015-02-19nspawn: chown basic device nodes to userns rootLennart Poettering
2015-02-19nspawn: fix build on non-selinux systemsLennart Poettering
2015-02-19nspawn: add basic user namespacing supportLennart Poettering
(This is incomplete, /proc and /sys are still owned by root from outside the container, not inside)
2015-02-18nspawn: when connected to pipes for stdin/stdout, pass them as-is to PID 1Lennart Poettering
Previously we always invoked the container PID 1 on /dev/console of the container. With this change we do so only if nspawn was invoked interactively (i.e. its stdin/stdout was connected to a TTY). In all other cases we directly pass through the fds unmodified. This has the benefit that nspawn can be added into shell pipelines. https://bugs.freedesktop.org/show_bug.cgi?id=87732
2015-02-18nspawn: add support for --property= to set scope propertiesLennart Poettering
This is similar to systemd-run's --property= setting.
2015-02-04nspawn: Allow module loading if CAP_SYS_MODULE is requestedJay Faulkner
nspawn containers currently block module loading in all cases, with no option to disable it. This allows an admin, specifically setting capability=CAP_SYS_MODULE or capability=all to load modules.
2015-02-03util: rework strappenda(), and rename it strjoina()Lennart Poettering
After all it is now much more like strjoin() than strappend(). At the same time, add support for NULL sentinels, even if they are normally not necessary.
2015-02-02remove unused variablesThomas Hindoe Paaboel Andersen
2015-01-23nspawn: when mounting the cgroup hierarchies, use the exact same mount ↵Lennart Poettering
options for the superblock as the host Otherwise we'll generate kernel runtime warnings about non-matching mount options.
2015-01-23nspawn: mount /tmp in the container, don't leave this to the container's initLennart Poettering
We really want /tmp to be properly mounted, especially in containers that lack CAP_SYS_ADMIN or that are not fully booted up and only get a shell, hence let's do so in nspawn already.
2015-01-23nspawn: allow bind-mounting char and block filesAlban Crequy
2015-01-20nspawn: work around kernel bug with partition table probing on loopback devicesLennart Poettering
When we set up a loopback device with partition probing, the udev "change" event about the configured device is first passed on to userspace, only the the in-kernel partition prober is started. Since partition probing fails with EBUSY when somebody has the device open, the probing frequently fails since udev starts probing/opening the device as soon as it gets the notification about it, and it might do so earlier than the kernel probing. This patch adds a (hopefully temporary) work-around for this, that compares the number of probed partitions of the kernel with those of blkid and synchronously asks for reprobing until the numebrs are in sync. This really deserves a proper kernel fix.
2015-01-20nspawn: add ipvlan supportTom Gundersen
2015-01-19nspawn: support dissecting GPT images that contain only a single generic ↵Lennart Poettering
linux partition This should allow running Ubuntu UEFI GPT Images with nspawn, unmodified.
2015-01-19inspawn: wait until udev has probed a loopback device before making us of itLennart Poettering
2015-01-15nspawn: fix log typosJonathan Boulle
2015-01-15import: rename "gpt" disk image type to "raw"Lennart Poettering
After all, nspawn can now dissect MBR partition levels, too, hence ".gpt" appears a misnomer. Moreover, the the .raw suffix for these files is already pretty popular (the Fedora disk images use it for example), hence sounds like an OK scheme to adopt.
2015-01-15spawn: downgrade loopback detach errors to debugLennart Poettering
Sometimes udev or some other background daemon might keep the loopback devices busy while we already want to detach them. Downgrade the warning about it. Given that we use autodetach downgrading these messages should be with little risk.
2015-01-15nspawn: add support for limited dissecting of MBR disk images with nspawnLennart Poettering
With this change nspawn's -i switch now can now make sense of MBR disk images too - however only if there's only a single, bootable partition of type 0x83 on the image. For all other cases we cannot really make sense from the partition table alone. The big benefit of this change is that upstream Fedora Cloud Images can now be booted unmodified with systemd-nspawn: # wget http://download.fedoraproject.org/pub/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz # unxz Fedora-Cloud-Base-20141203-21.x86_64.raw.xz # systemd-nspawn -i Fedora-Cloud-Base-20141203-21.x86_64.raw -b Next stop: teach the import logic to automatically download these images, uncompress and verify them.
2015-01-14nspawn: pass the container's init PID out via sd_notify()Lennart Poettering
This is useful for nspawn managers that want to learn when nspawn is finished with initialiuzation, as well what the PID of the init system in the container is.
2015-01-14nspawn: fix an incorrect assert comparisonLennart Poettering
2015-01-14nspawn: add file system locks for controlling access to container imagesLennart Poettering
This adds three kinds of file system locks for container images: a) a file system lock next to the actual image, in a .lck file in the same directory the image is located. This lock has the benefit of usually being located on the same NFS share as the image itself, and thus allows locking container images across NFS shares. b) a file system lock in /run, named after st_dev and st_ino of the root of the image. This lock has the advantage that it is unique even if the same image is bind mounted to two different places at the same time, as the ino/dev stays constant for them. c) a file system lock that is only taken when a new disk image is about to be created, that ensures that checking whether the name is already used across the search path, and actually placing the image is not interrupted by other code taking the name. a + b are read-write locks. When a container is booted in read-only mode a read lock is taken, otherwise a write lock. Lock b is always taken after a, to avoid ABBA problems. Lock c is mostly relevant when renaming or cloning images.
2015-01-14nspawn: remove the right propagation directoryLennart Poettering
2015-01-13nspawn: --help typo fixLennart Poettering
2015-01-13nspawn: add "-n" shortcut for "--network-veth"Lennart Poettering
Now that networkd's IP masquerading support means that running containers with "--network-veth" will provide network access out of the box for the container, let's add a shortcut "-n" for it, to make it easily accessible.
2015-01-13nspawn: add new option "--port=" for exposing container ports on the local hostLennart Poettering
This exposes an IP port on the container as local port using DNAT.
2015-01-08machined: when cloning a raw disk image, also set the NOCOW flagLennart Poettering
2015-01-08nspawn: fix error message when mknod failsTom Gundersen
2015-01-07machinectl: make sure that "machinectl login" exits immediately when the ↵Lennart Poettering
machine it is connected to dies
2015-01-05nspawn: mount most of the cgroup tree read-only in nspawn containers except ↵Lennart Poettering
for the container's own subtree in the name=systemd hierarchy More specifically mount all other hierarchies in their entirety and the name=systemd above the container's subtree read-only.
2014-12-29nspawn: report back to systemd only very late whether we are OKLennart Poettering
That way, systemd can actually figure out if everything is OK with nspawn.
2014-12-28nspawn: use the same image discovery logic in nspawn as in machinedLennart Poettering
2014-12-25nspawn: remove spurious include of <sys/capability.h>Filipe Brandenburger
It does not use any functions from libcap directly. The CAP_* constants in use through this file come from "missing.h" which will import <linux/capability.h> and complement it with CAP_* constants not defined by the current kernel headers. Add an explicit import of our "capability.h" since it does use the function capability_bounding_set_drop from that header file. Previously, that header was implicitly imported through through "cap-list.h". Tested that "systemd-nspawn" builds cleanly and works after this change.
2014-12-23nspawn,pty: port over to new ptsname_malloc() helperLennart Poettering
2014-12-23machinectl,nspawn: don't print extra final newline if pty terminal output ↵Lennart Poettering
was newline-terinated anyway
2014-12-23run: add a new "-t" mode for invoking a binary on an allocated TTYLennart Poettering
2014-12-18machinectl: implement "bind" command to create additional bind mounts from ↵Lennart Poettering
host to container during runtime
2014-12-17nspawn: fix invocation of the raw clone() system call on s390 and crisKen Werner
Since the order of the first and second arguments of the raw clone() system call is reversed on s390 and cris it needs to be invoked differently.
2014-12-12nspawn: when booting in ephemeral mode, append random token to machine nameLennart Poettering
Also, when booting up an ephemeral container of / use the system hostname as default machine name. This way specifiyng -M is unnecessary when booting up an ephemeral container, while allowing any number of ephemeral containers to run from the same tree.