-rw-r--r-- | src/core/execute.c | 26 | ||||
-rw-r--r-- | src/dissect/dissect.c | 3 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 27 | ||||
-rw-r--r-- | src/shared/dissect-image.c | 14 | ||||
-rw-r--r-- | src/shared/dissect-image.h | 2 |
5 files changed, 49 insertions, 23 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index e23faf25bd..dda8736804 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -4655,11 +4655,13 @@ static int exec_child(
 if (mpol_is_valid(numa_policy_get_type(&context->numa_policy))) {
 r = apply_numa_policy(&context->numa_policy);
- if (r == -EOPNOTSUPP)
- log_unit_debug_errno(unit, r, "NUMA support not available, ignoring.");
- else if (r < 0) {
- *exit_status = EXIT_NUMA_POLICY;
- return log_unit_error_errno(unit, r, "Failed to set NUMA memory policy: %m");
+ if (r < 0) {
+ if (ERRNO_IS_NOT_SUPPORTED(r))
+ log_unit_debug_errno(unit, r, "NUMA support not available, ignoring.");
+ else {
+ *exit_status = EXIT_NUMA_POLICY;
+ return log_unit_error_errno(unit, r, "Failed to set NUMA memory policy: %m");
+ }
 }
 }
@@ -4917,12 +4919,14 @@ static int exec_child(
 if (ns_type_supported(NAMESPACE_NET)) {
 r = setup_shareable_ns(runtime->netns_storage_socket, CLONE_NEWNET);
- if (r == -EPERM)
- log_unit_warning_errno(unit, r,
- "PrivateNetwork=yes is configured, but network namespace setup failed, ignoring: %m");
- else if (r < 0) {
- *exit_status = EXIT_NETWORK;
- return log_unit_error_errno(unit, r, "Failed to set up network namespacing: %m");
+ if (r < 0) {
+ if (ERRNO_IS_PRIVILEGE(r))
+ log_unit_warning_errno(unit, r,
+ "PrivateNetwork=yes is configured, but network namespace setup failed, ignoring: %m");
+ else {
+ *exit_status = EXIT_NETWORK;
+ return log_unit_error_errno(unit, r, "Failed to set up network namespacing: %m");
+ }
 }
 } else if (context->network_namespace_path) {
 *exit_status = EXIT_NETWORK;
diff --git a/src/dissect/dissect.c b/src/dissect/dissect.c
index a6a5b9e210..f08e745a55 100644
--- a/src/dissect/dissect.c
+++ b/src/dissect/dissect.c
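Review bot: In the second exec_child hunk, switching the PrivateNetwork= fallback from `r == -EPERM` to `ERRNO_IS_PRIVILEGE(r)` widens a fail-open path: presumably the macro also matches -EACCES, so a denial of that kind now lets the unit start in the host network namespace with only a warning in the log. Since a sandboxing setting is being skipped, the branch deserves a comment that states the intent, for example `/* Deliberately fail open: if we lack the privileges to set up a netns, run without network isolation rather than failing the unit */`. If -EACCES can come from a source an operator would want treated as fatal, keeping the test at `r == -EPERM` here is the narrower choice. The NUMA hunk above makes the same kind of widening with `ERRNO_IS_NOT_SUPPORTED(r)`, but no isolation depends on it. exec_child's body starts and ends outside both hunks.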
@@ -603,6 +603,9 @@ static int action_dissect(DissectedImage *m, LoopDevice *d) {
 printf(" Sec. Size: %" PRIu32 "\n", m->sector_size);
+ printf(" Arch.: %s\n",
+ strna(architecture_to_string(dissected_image_architecture(m))));
+
 if (arg_json_format_flags & JSON_FORMAT_OFF)
 putc('\n', stdout);
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index e498dc59c6..f3a8593ec5 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -233,6 +233,7 @@ static size_t arg_n_credentials = 0;
 static char **arg_bind_user = NULL;
 static bool arg_suppress_sync = false;
 static char *arg_settings_filename = NULL;
+static Architecture arg_architecture = _ARCHITECTURE_INVALID;
 STATIC_DESTRUCTOR_REGISTER(arg_directory, freep);
 STATIC_DESTRUCTOR_REGISTER(arg_template, freep);
@@ -3222,7 +3223,6 @@ static int patch_sysctl(void) {
 static int inner_child(
 Barrier *barrier,
 const char *directory,
- bool secondary,
 int fd_inner_socket,
 FDSet *fds,
 char **os_release_pairs) {
@@ -3402,11 +3402,16 @@ static int inner_child(
 r = safe_personality(arg_personality);
 if (r < 0)
 return log_error_errno(r, "personality() failed: %m");
- } else if (secondary) {
+#ifdef ARCHITECTURE_SECONDARY
+ } else if (arg_architecture == ARCHITECTURE_SECONDARY) {
 r = safe_personality(PER_LINUX32);
 if (r < 0)
 return log_error_errno(r, "personality() failed: %m");
- }
+#endif
+ } else if (arg_architecture >= 0 && arg_architecture != native_architecture())
+ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "Selected architecture '%s' not supported locally, refusing.",
+ architecture_to_string(arg_architecture));
 r = setrlimit_closest_all((const struct rlimit *const*) arg_rlimit, &which_failed);
 if (r < 0)
@@ -3636,7 +3641,6 @@ static int outer_child(
 Barrier *barrier,
 const char *directory,
 DissectedImage *dissected_image,
- bool secondary,
 int fd_outer_socket,
 int fd_inner_socket,
 FDSet *fds,
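Review bot: The new architecture refusal in inner_child (hunk at -3402) is the last arm of the else-if chain whose first arm calls `safe_personality(arg_personality)`, so it is skipped whenever that first arm is taken; the condition of that arm is outside the hunk. If an explicit personality is meant to override the architecture the image declares, say so next to the check, e.g. `/* Only reached when no personality was requested explicitly; an explicit one takes precedence over the image architecture */`. The `#ifdef ARCHITECTURE_SECONDARY` also splits the chain between a closing brace and its `else if`, and the final arm is unbraced while the others are braced; putting braces around the `return log_error_errno(...)` arm would make both preprocessor variants easier to check by eye.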
@@ -4032,7 +4036,7 @@ static int outer_child(
 return log_error_errno(r, "Failed to join network namespace: %m");
 }
- r = inner_child(barrier, directory, secondary, fd_inner_socket, fds, os_release_pairs);
+ r = inner_child(barrier, directory, fd_inner_socket, fds, os_release_pairs);
 if (r < 0)
 _exit(EXIT_FAILURE);
@@ -4743,7 +4747,6 @@ static int load_oci_bundle(void) {
 static int run_container(
 DissectedImage *dissected_image,
- bool secondary,
 FDSet *fds,
 char veth_name[IFNAMSIZ], bool *veth_created,
 struct ExposeArgs *expose_args,
@@ -4845,7 +4848,6 @@ static int run_container(
 r = outer_child(&barrier,
 arg_directory,
 dissected_image,
- secondary,
 fd_outer_socket_pair[1],
 fd_inner_socket_pair[1],
 fds,
@@ -5430,8 +5432,7 @@ static int cant_be_in_netns(void) {
 }
 static int run(int argc, char *argv[]) {
- bool secondary = false, remove_directory = false, remove_image = false,
- veth_created = false, remove_tmprootdir = false;
+ bool remove_directory = false, remove_image = false, veth_created = false, remove_tmprootdir = false;
 _cleanup_close_ int master = -EBADF;
 _cleanup_fdset_free_ FDSet *fds = NULL;
 int r, n_fd_passed, ret = EXIT_SUCCESS;
@@ -5518,8 +5519,8 @@ static int run(int argc, char *argv[]) {
 * two systems write to the same /var). Let's allow it for the special cases where /var is
 * either copied (i.e. --ephemeral) or replaced (i.e. --volatile=yes|state). */
 if (path_equal(arg_directory, "/") && !(arg_ephemeral || IN_SET(arg_volatile_mode, VOLATILE_YES, VOLATILE_STATE))) {
- log_error("Spawning container on root directory is not supported. Consider using --ephemeral, --volatile=yes or --volatile=state.");
- r = -EINVAL;
+ r = log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Spawning container on root directory is not supported. Consider using --ephemeral, --volatile=yes or --volatile=state.");
 goto finish;
 }
@@ -5792,6 +5793,9 @@ static int run(int argc, char *argv[]) {
 /* Now that we mounted the image, let's try to remove it again, if it is ephemeral */
 if (remove_image && unlink(arg_image) >= 0)
 remove_image = false;
+
+ if (arg_architecture < 0)
+ arg_architecture = dissected_image_architecture(dissected_image);
 }
 r = custom_mount_prepare_all(arg_directory, arg_custom_mounts, arg_n_custom_mounts);
@@ -5827,7 +5831,6 @@ static int run(int argc, char *argv[]) {
 }
 for (;;) {
 r = run_container(dissected_image,
- secondary,
 fds,
 veth_name, &veth_created,
 &expose_args, &master,
diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index b20e21cce2..9636fd8d48 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -3156,6 +3156,20 @@ finish:
 return r;
 }
+Architecture dissected_image_architecture(DissectedImage *img) {
+ assert(img);
+
+ if (img->partitions[PARTITION_ROOT].found &&
+ img->partitions[PARTITION_ROOT].architecture >= 0)
+ return img->partitions[PARTITION_ROOT].architecture;
+
+ if (img->partitions[PARTITION_USR].found &&
+ img->partitions[PARTITION_USR].architecture >= 0)
+ return img->partitions[PARTITION_USR].architecture;
+
+ return _ARCHITECTURE_INVALID;
+}
+
 int dissect_loop_device(
 LoopDevice *loop,
 const VeritySettings *verity,
diff --git a/src/shared/dissect-image.h b/src/shared/dissect-image.h
index 3efe784ee9..6b90895216 100644
--- a/src/shared/dissect-image.h
+++ b/src/shared/dissect-image.h
@@ -160,6 +160,8 @@ int dissected_image_mount_and_warn(DissectedImage *m, const char *where, uid_t u
 int dissected_image_acquire_metadata(DissectedImage *m, DissectImageFlags extra_flags);
+Architecture dissected_image_architecture(DissectedImage *m);
+
 DecryptedImage* decrypted_image_ref(DecryptedImage *p);
 DecryptedImage* decrypted_image_unref(DecryptedImage *p);
 DEFINE_TRIVIAL_CLEANUP_FUNC(DecryptedImage*, decrypted_image_unref); |
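Review bot: dissected_image_architecture() in dissect-image.c only reads from its argument but takes a non-const pointer, and the prototype added to dissect-image.h names the parameter `m` while the definition names it `img`. Suggest `Architecture dissected_image_architecture(const DissectedImage *img);` in both places, provided the const qualifier fits the surrounding API. The function also has no comment on precedence: it returns the PARTITION_ROOT architecture when one is set and only then looks at PARTITION_USR, so an image whose two partitions disagree is reported with the root value. A one-line comment such as `/* Root partition wins, then /usr; _ARCHITECTURE_INVALID if neither declares an architecture */` would record that for callers that act on the result.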