summaryrefslogtreecommitdiff
path: root/src/nspawn
Commit message (Collapse)AuthorAgeFilesLines
* tree-wide: Remove O_CLOEXEC from fdopenChris Down2018-12-121-2/+2
| | | | | | | | | | | | fdopen doesn't accept "e", it's ignored. Let's not mislead people into believing that it actually sets O_CLOEXEC. From `man 3 fdopen`: > e (since glibc 2.7): > Open the file with the O_CLOEXEC flag. See open(2) for more information. This flag is ignored for fdopen() As mentioned by @jlebon in #11131.
* nspawn: check cg_ns_supported() just onceZbigniew Jędrzejewski-Szmek2018-12-111-6/+6
| | | | | | | | | cg_ns_supported() caches, so the condition was really checked just once, but it looks weird to assign the return value to arg_use_cgns (if the variable is not present), because then the other checks are effectively equivalent to if (cg_ns_supported() && cg_ns_supported()) { ... and later if (!cg_ns_supported() || !cg_ns_supported()) { ...
* nspawn: move most validation checks and configuration mangling into ↵Lennart Poettering2018-12-101-76/+60
| | | | | | | | | verify_arguments() That's what the function is for after all, and only if it's done there we can verify the effect of .nspawn files correctly too: after all we should not just validate that everything configured on the command line makes sense, but the stuff configured in the .nspawn files, too.
* nspawn: split out code parsing env vars into a function of its ownLennart Poettering2018-12-101-17/+27
| | | | | | This then let's us to ensure it's called after we parsed the cmdline, and after we loaded the settings file, so that it these env var settings override everything loaded from there.
* nspawn: move cg_unified_flush() invocation out of parse_argv()Lennart Poettering2018-12-101-4/+6
| | | | | It has nothing to do with argument parsing, and hence shouldn't be there.
* Merge pull request #10935 from poettering/rlimit-nofile-safeZbigniew Jędrzejewski-Szmek2018-12-061-0/+3
|\ | | | | | | Merged by hand to resolve a trivial conflict in TODO.
| * tree-wide: invoke rlimit_nofile_safe() before various exec{v,ve,l}() invocationsLennart Poettering2018-12-011-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Whenever we invoke external, foreign code from code that has RLIMIT_NOFILE's soft limit bumped to high values, revert it to 1024 first. This is a safety precaution for compatibility with programs using select() which cannot operate with fds > 1024. This commit adds the call to rlimit_nofile_safe() to all invocations of exec{v,ve,l}() and friends that either are in code that we know runs with RLIMIT_NOFILE bumped up (which is PID 1 and all journal code for starters) or that is part of shared code that might end up there. The calls are placed as early as we can in processes invoking a flavour of execve(), but after the last time we do fd manipulations, so that we can still take benefit of the high fd limits for that.
* | tree-wide: drop missing.h from headers and use relevant missing_*.hYu Watanabe2018-12-061-1/+1
| |
* | lockfile: drop unnecessary headers from lockfile-util.hYu Watanabe2018-12-061-0/+1
| |
* | missing: move fs or mount related definitions to missing_fs.hYu Watanabe2018-12-061-1/+1
| | | | | | | | This also fixes errnous definition MS_REC -> MS_SLAVE.
* | util: drop missing.h from util.hYu Watanabe2018-12-041-0/+1
| |
* | util-lib: split out all temporary file related calls into tmpfiles-util.cLennart Poettering2018-12-022-1/+2
| | | | | | | | | | | | | | | | This splits out a bunch of functions from fileio.c that have to do with temporary files. Simply to make the header files a bit shorter, and to group things more nicely. No code changes, just some rearranging of source files.
* | tree-wide: remove various unused functionsLennart Poettering2018-12-022-5/+0
|/ | | | All found with "cppcheck --enable=unusedFunction".
* Merge pull request #10996 from poettering/oci-prepZbigniew Jędrzejewski-Szmek2018-11-301-0/+2
|\ | | | | Preparation for the nspawn-OCI work
| * nspawn: let's also pre-mount /dev/mqueueLennart Poettering2018-11-291-0/+2
| |
* | Split out part of mount-util.c into mountpoint-util.cZbigniew Jędrzejewski-Szmek2018-11-293-0/+3
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The idea is that anything which is related to actually manipulating mounts is in mount-util.c, but functions for mountpoint introspection are moved to the new file. Anything which requires libmount must be in mount-util.c. This was supposed to be a preparation for further changes, with no functional difference, but it results in a significant change in linkage: $ ldd build/libnss_*.so.2 (before) build/libnss_myhostname.so.2: linux-vdso.so.1 (0x00007fff77bf5000) librt.so.1 => /lib64/librt.so.1 (0x00007f4bbb7b2000) libmount.so.1 => /lib64/libmount.so.1 (0x00007f4bbb755000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f4bbb734000) libc.so.6 => /lib64/libc.so.6 (0x00007f4bbb56e000) /lib64/ld-linux-x86-64.so.2 (0x00007f4bbb8c1000) libblkid.so.1 => /lib64/libblkid.so.1 (0x00007f4bbb51b000) libuuid.so.1 => /lib64/libuuid.so.1 (0x00007f4bbb512000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f4bbb4e3000) libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f4bbb45e000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f4bbb458000) build/libnss_mymachines.so.2: linux-vdso.so.1 (0x00007ffc19cc0000) librt.so.1 => /lib64/librt.so.1 (0x00007fdecb74b000) libcap.so.2 => /lib64/libcap.so.2 (0x00007fdecb744000) libmount.so.1 => /lib64/libmount.so.1 (0x00007fdecb6e7000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fdecb6c6000) libc.so.6 => /lib64/libc.so.6 (0x00007fdecb500000) /lib64/ld-linux-x86-64.so.2 (0x00007fdecb8a9000) libblkid.so.1 => /lib64/libblkid.so.1 (0x00007fdecb4ad000) libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fdecb4a2000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fdecb475000) libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007fdecb3f0000) libdl.so.2 => /lib64/libdl.so.2 (0x00007fdecb3ea000) build/libnss_resolve.so.2: linux-vdso.so.1 (0x00007ffe8ef8e000) librt.so.1 => /lib64/librt.so.1 (0x00007fcf314bd000) libcap.so.2 => /lib64/libcap.so.2 (0x00007fcf314b6000) libmount.so.1 => /lib64/libmount.so.1 (0x00007fcf31459000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fcf31438000) libc.so.6 => /lib64/libc.so.6 (0x00007fcf31272000) /lib64/ld-linux-x86-64.so.2 (0x00007fcf31615000) libblkid.so.1 => /lib64/libblkid.so.1 (0x00007fcf3121f000) libuuid.so.1 => /lib64/libuuid.so.1 (0x00007fcf31214000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fcf311e7000) libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007fcf31162000) libdl.so.2 => /lib64/libdl.so.2 (0x00007fcf3115c000) build/libnss_systemd.so.2: linux-vdso.so.1 (0x00007ffda6d17000) librt.so.1 => /lib64/librt.so.1 (0x00007f610b83c000) libcap.so.2 => /lib64/libcap.so.2 (0x00007f610b835000) libmount.so.1 => /lib64/libmount.so.1 (0x00007f610b7d8000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f610b7b7000) libc.so.6 => /lib64/libc.so.6 (0x00007f610b5f1000) /lib64/ld-linux-x86-64.so.2 (0x00007f610b995000) libblkid.so.1 => /lib64/libblkid.so.1 (0x00007f610b59e000) libuuid.so.1 => /lib64/libuuid.so.1 (0x00007f610b593000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f610b566000) libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f610b4e1000) libdl.so.2 => /lib64/libdl.so.2 (0x00007f610b4db000) (after) build/libnss_myhostname.so.2: linux-vdso.so.1 (0x00007fff0b5e2000) librt.so.1 => /lib64/librt.so.1 (0x00007fde0c328000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fde0c307000) libc.so.6 => /lib64/libc.so.6 (0x00007fde0c141000) /lib64/ld-linux-x86-64.so.2 (0x00007fde0c435000) build/libnss_mymachines.so.2: linux-vdso.so.1 (0x00007ffdc30a7000) librt.so.1 => /lib64/librt.so.1 (0x00007f06ecabb000) libcap.so.2 => /lib64/libcap.so.2 (0x00007f06ecab4000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f06eca93000) libc.so.6 => /lib64/libc.so.6 (0x00007f06ec8cd000) /lib64/ld-linux-x86-64.so.2 (0x00007f06ecc15000) build/libnss_resolve.so.2: linux-vdso.so.1 (0x00007ffe95747000) librt.so.1 => /lib64/librt.so.1 (0x00007fa56a80f000) libcap.so.2 => /lib64/libcap.so.2 (0x00007fa56a808000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fa56a7e7000) libc.so.6 => /lib64/libc.so.6 (0x00007fa56a621000) /lib64/ld-linux-x86-64.so.2 (0x00007fa56a964000) build/libnss_systemd.so.2: linux-vdso.so.1 (0x00007ffe67b51000) librt.so.1 => /lib64/librt.so.1 (0x00007ffb32113000) libcap.so.2 => /lib64/libcap.so.2 (0x00007ffb3210c000) libpthread.so.0 => /lib64/libpthread.so.0 (0x00007ffb320eb000) libc.so.6 => /lib64/libc.so.6 (0x00007ffb31f25000) /lib64/ld-linux-x86-64.so.2 (0x00007ffb3226a000) I don't quite understand what is going on here, but let's not be too picky.
* util: make *_from_name() returns negative errno on errorYu Watanabe2018-11-282-13/+9
|
* Merge pull request #10901 from poettering/startswith-listYu Watanabe2018-11-261-11/+4
|\ | | | | add new STARTSWITH_SET() macro
| * tree-wide: port more code over to PATH_STARTSWITH_SET()Lennart Poettering2018-11-261-11/+4
| |
* | cgroup: be more careful with which controllers we can enable/disable on a cgroupLennart Poettering2018-11-231-1/+1
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This changes cg_enable_everywhere() to return which controllers are enabled for the specified cgroup. This information is then used to correctly track the enablement mask currently in effect for a unit. Moreover, when we try to turn off a controller, and this works, then this is indicates that the parent unit might succesfully turn it off now, too as our unit might have kept it busy. So far, when realizing cgroups, i.e. when syncing up the kernel representation of relevant cgroups with our own idea we would strictly work from the root to the leaves. This is generally a good approach, as when controllers are enabled this has to happen in root-to-leaves order. However, when controllers are disabled this has to happen in the opposite order: in leaves-to-root order (this is because controllers can only be enabled in a child if it is already enabled in the parent, and if it shall be disabled in the parent then it has to be disabled in the child first, otherwise it is considered busy when it is attempted to remove it in the parent). To make things complicated when invalidating a unit's cgroup membershup systemd can actually turn off some controllers previously turned on at the very same time as it turns on other controllers previously turned off. In such a case we have to work up leaves-to-root *and* root-to-leaves right after each other. With this patch this is implemented: we still generally operate root-to-leaves, but as soon as we noticed we successfully turned off a controller previously turned on for a cgroup we'll re-enqueue the cgroup realization for all parents of a unit, thus implementing leaves-to-root where necessary.
* coccinelle: make use of SYNTHETIC_ERRNOZbigniew Jędrzejewski-Szmek2018-11-224-265/+204
| | | | | | | | | | | Ideally, coccinelle would strip unnecessary braces too. But I do not see any option in coccinelle for this, so instead, I edited the patch text using search&replace to remove the braces. Unfortunately this is not fully automatic, in particular it didn't deal well with if-else-if-else blocks and ifdefs, so there is an increased likelikehood be some bugs in such spots. I also removed part of the patch that coccinelle generated for udev, where we returns -1 for failure. This should be fixed independently.
* Merge pull request #10860 from keszybz/more-cleanup-2Lennart Poettering2018-11-211-0/+1
|\ | | | | Do more stuff from main macros
| * Split out pretty-print.c and move pager.c and main-func.h to shared/Zbigniew Jędrzejewski-Szmek2018-11-201-0/+1
| | | | | | | | | | This is high-level functionality, and fits better in shared/ (which is for our executables), than in basic/ (which is also for libraries).
* | nspawn: use EXIT_EXCEPTION where appropriateLennart Poettering2018-11-201-2/+3
|/
* Merge pull request #10753 from keszybz/pager-no-interruptLennart Poettering2018-11-141-1/+1
|\ | | | | Add mode in journalctl where ^C is handled by the pager
| * basic/pager: convert the pager options to a flags argumentZbigniew Jędrzejewski-Szmek2018-11-141-1/+1
| | | | | | | | | | Pretty much everything uses just the first argument, and this doesn't make this common pattern more complicated, but makes it simpler to pass multiple options.
* | nspawn: add a hint to the message we emit when a child diesZbigniew Jędrzejewski-Szmek2018-11-131-1/+2
|/ | | | | | | | | From #10526: $ sudo systemd-nspawn -i image Spawning container image on /home/zbyszek/src/mkosi/image. Press ^] three times within 1s to kill container. Short read while reading cgroup mode.
* nspawn: rework how we allocate/kill scopesLennart Poettering2018-11-093-3/+70
| | | | Fixes: #6347
* nspawn: merge two variable declaration linesLennart Poettering2018-11-091-2/+1
|
* nspawn: simplify machine terminate bus callLennart Poettering2018-11-093-29/+9
| | | | | | We have the machine name anyway, let's use TerminateMachine() on machined's Manager object directly with it. That way it's a single method call only, instead of two, to terminate the machine.
* nspawn: make use of the new sd_bus_set_close_on_exit() call in nspawnLennart Poettering2018-11-091-0/+4
|
* tree-wide: set WRITE_STRING_FILE_DISABLE_BUFFER flag when we write files ↵Yu Watanabe2018-11-062-4/+4
| | | | under /proc or /sys
* nspawn: beef up netns checking a bit, for compat with old kernelsLennart Poettering2018-10-311-3/+5
| | | | Fixes: #10544
* nspawn: add proper error message if setns() on network namespace fd failsLennart Poettering2018-10-311-1/+1
| | | | Addresses: https://github.com/systemd/systemd/pull/10589#issuecomment-434670595
* sd-device: make sd_device_get_is_initialized() returns is_initialized by ↵Yu Watanabe2018-10-291-4/+3
| | | | return value
* add ephemeral to nspawn-settings.Jiuyang liu2018-10-243-3/+10
|
* systemd-nspawn: do not crash on /var/log/journal creation if not requiredZbigniew Jędrzejewski-Szmek2018-10-221-12/+10
| | | | | | | | When running a read-only file system, we might not be able to create /var/log/journal. Do not fail on this, unless actually requested by the --link-journal options. $ systemd-nspawn --image=image.squashfs ...
* nspawn: do not include '%m' in log message if errno is zeroYu Watanabe2018-10-201-1/+1
|
* Merge pull request #10389 from poettering/nspawn-path-fixYu Watanabe2018-10-191-0/+11
|\ | | | | nspawn $PATH execvpe() fix
| * nspawn: use container $PATH (not host $PATH) when searching for PID 1 ↵Lennart Poettering2018-10-181-0/+11
| | | | | | | | | | | | binaries to execute Fixes: #10377
* | tree-wide: introduce setsockopt_int() helper and make use of it everywhereLennart Poettering2018-10-181-2/+2
| | | | | | | | | | | | As suggested by @heftig: https://github.com/systemd/systemd/commit/6d5e65f6454212cd400d0ebda34978a9f20cc26a#commitcomment-30938667
* | Merge pull request #10407 from yuwata/netlink-slotLennart Poettering2018-10-181-2/+2
|\ \ | |/ |/| sd-netlink: introduce sd_netlink_slot object and relevant functions
| * sd-netlink: make sd_netlink_slot take its descriptionYu Watanabe2018-10-161-2/+2
| |
| * sd-netlink: introduce sd_netlink_slotYu Watanabe2018-10-151-2/+2
| |
* | nspawn: TAKE_FD() is your friendLennart Poettering2018-10-151-11/+5
| |
* | tree-wide: use sockaddr_un_unlink() at two more places where appropriateLennart Poettering2018-10-151-1/+1
| |
* | tree-wide: add a single version of "static const int one = 1"Lennart Poettering2018-10-151-2/+1
| | | | | | | | | | | | | | | | | | | | All over the place we define local variables for the various sockopts that take a bool-like "int" value. Sometimes they are const, sometimes static, sometimes both, sometimes neither. Let's clean this up, introduce a common const variable "const_int_one" (as well as one matching "const_int_zero") and use it everywhere, all acorss the codebase.
* | tree-wide: use structured initialization for sockaddr_unLennart Poettering2018-10-151-3/+3
|/
* be consistent about sun_path lengthDavid Tardon2018-10-121-1/+1
| | | | | Most places use the whole buffer for name, without leaving extra space for the trailing NUL.
* nspawn: add comments explaining the namespacing situation and the ↵Lennart Poettering2018-10-091-0/+16
| | | | inner/outer children
View Lorry Controller Status