2 * lxc: linux Container library
4 * (C) Copyright IBM Corp. 2007, 2008
7 * Daniel Lezcano <daniel.lezcano at free.fr>
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
40 #include <arpa/inet.h>
41 #include <linux/loop.h>
43 #include <netinet/in.h>
45 #include <sys/mount.h>
46 #include <sys/param.h>
47 #include <sys/prctl.h>
49 #include <sys/socket.h>
50 #include <sys/sysmacros.h>
51 #include <sys/syscall.h>
52 #include <sys/types.h>
53 #include <sys/utsname.h>
58 # include <sys/mkdev.h>
62 #include <sys/statvfs.h>
68 #include <../include/openpty.h>
71 #ifdef HAVE_LINUX_MEMFD_H
72 #include <linux/memfd.h>
77 #include "caps.h" /* for lxc_caps_last_cap() */
80 #include "confile_utils.h"
85 #include "lxcoverlay.h"
86 #include "lxcseccomp.h"
87 #include "namespace.h"
94 #include <sys/capability.h>
97 #if HAVE_SYS_PERSONALITY_H
98 #include <sys/personality.h>
102 #include <../include/lxcmntent.h>
104 #include <../include/prlimit.h>
110 lxc_log_define(lxc_conf
, lxc
);
114 #define CAP_SETFCAP 31
117 #ifndef CAP_MAC_OVERRIDE
118 #define CAP_MAC_OVERRIDE 32
121 #ifndef CAP_MAC_ADMIN
122 #define CAP_MAC_ADMIN 33
126 #ifndef PR_CAPBSET_DROP
127 #define PR_CAPBSET_DROP 24
130 #ifndef LO_FLAGS_AUTOCLEAR
131 #define LO_FLAGS_AUTOCLEAR 4
142 /* needed for cgroup automount checks, regardless of whether we
143 * have included linux/capability.h or not */
144 #ifndef CAP_SYS_ADMIN
145 #define CAP_SYS_ADMIN 21
148 /* Define pivot_root() if missing from the C library */
149 #ifndef HAVE_PIVOT_ROOT
150 static int pivot_root(const char * new_root
, const char * put_old
)
152 #ifdef __NR_pivot_root
153 return syscall(__NR_pivot_root
, new_root
, put_old
);
160 extern int pivot_root(const char * new_root
, const char * put_old
);
163 /* Define sethostname() if missing from the C library */
164 #ifndef HAVE_SETHOSTNAME
165 static int sethostname(const char * name
, size_t len
)
167 #ifdef __NR_sethostname
168 return syscall(__NR_sethostname
, name
, len
);
177 #define MS_PRIVATE (1<<18)
181 #define MS_LAZYTIME (1<<25)
186 #define MFD_CLOEXEC 0x0001U
189 #ifndef MFD_ALLOW_SEALING
190 #define MFD_ALLOW_SEALING 0x0002U
193 #ifndef HAVE_MEMFD_CREATE
194 static int memfd_create(const char *name
, unsigned int flags
) {
195 #ifndef __NR_memfd_create
197 #define __NR_memfd_create 356
198 #elif defined __x86_64__
199 #define __NR_memfd_create 319
200 #elif defined __arm__
201 #define __NR_memfd_create 385
202 #elif defined __aarch64__
203 #define __NR_memfd_create 279
204 #elif defined __s390__
205 #define __NR_memfd_create 350
206 #elif defined __powerpc__
207 #define __NR_memfd_create 360
208 #elif defined __sparc__
209 #define __NR_memfd_create 348
210 #elif defined __blackfin__
211 #define __NR_memfd_create 390
212 #elif defined __ia64__
213 #define __NR_memfd_create 1340
214 #elif defined _MIPS_SIM
215 #if _MIPS_SIM == _MIPS_SIM_ABI32
216 #define __NR_memfd_create 4354
218 #if _MIPS_SIM == _MIPS_SIM_NABI32
219 #define __NR_memfd_create 6318
221 #if _MIPS_SIM == _MIPS_SIM_ABI64
222 #define __NR_memfd_create 5314
226 #ifdef __NR_memfd_create
227 return syscall(__NR_memfd_create
, name
, flags
);
234 extern int memfd_create(const char *name
, unsigned int flags
);
237 char *lxchook_names
[NUM_LXC_HOOKS
] = {
238 "pre-start", "pre-mount", "mount", "autodev", "start", "stop", "post-stop", "clone", "destroy" };
240 typedef int (*instantiate_cb
)(struct lxc_handler
*, struct lxc_netdev
*);
259 * The lxc_conf of the container currently being worked on in an
261 * This is used in the error calls
264 __thread
struct lxc_conf
*current_config
;
266 struct lxc_conf
*current_config
;
269 /* Declare this here, since we don't want to reshuffle the whole file. */
270 static int in_caplist(int cap
, struct lxc_list
*caps
);
272 static int instantiate_veth(struct lxc_handler
*, struct lxc_netdev
*);
273 static int instantiate_macvlan(struct lxc_handler
*, struct lxc_netdev
*);
274 static int instantiate_vlan(struct lxc_handler
*, struct lxc_netdev
*);
275 static int instantiate_phys(struct lxc_handler
*, struct lxc_netdev
*);
276 static int instantiate_empty(struct lxc_handler
*, struct lxc_netdev
*);
277 static int instantiate_none(struct lxc_handler
*, struct lxc_netdev
*);
279 static instantiate_cb netdev_conf
[LXC_NET_MAXCONFTYPE
+ 1] = {
280 [LXC_NET_VETH
] = instantiate_veth
,
281 [LXC_NET_MACVLAN
] = instantiate_macvlan
,
282 [LXC_NET_VLAN
] = instantiate_vlan
,
283 [LXC_NET_PHYS
] = instantiate_phys
,
284 [LXC_NET_EMPTY
] = instantiate_empty
,
285 [LXC_NET_NONE
] = instantiate_none
,
288 static int shutdown_veth(struct lxc_handler
*, struct lxc_netdev
*);
289 static int shutdown_macvlan(struct lxc_handler
*, struct lxc_netdev
*);
290 static int shutdown_vlan(struct lxc_handler
*, struct lxc_netdev
*);
291 static int shutdown_phys(struct lxc_handler
*, struct lxc_netdev
*);
292 static int shutdown_empty(struct lxc_handler
*, struct lxc_netdev
*);
293 static int shutdown_none(struct lxc_handler
*, struct lxc_netdev
*);
295 static instantiate_cb netdev_deconf
[LXC_NET_MAXCONFTYPE
+ 1] = {
296 [LXC_NET_VETH
] = shutdown_veth
,
297 [LXC_NET_MACVLAN
] = shutdown_macvlan
,
298 [LXC_NET_VLAN
] = shutdown_vlan
,
299 [LXC_NET_PHYS
] = shutdown_phys
,
300 [LXC_NET_EMPTY
] = shutdown_empty
,
301 [LXC_NET_NONE
] = shutdown_none
,
304 static struct mount_opt mount_opt
[] = {
305 { "async", 1, MS_SYNCHRONOUS
},
306 { "atime", 1, MS_NOATIME
},
307 { "bind", 0, MS_BIND
},
308 { "defaults", 0, 0 },
309 { "dev", 1, MS_NODEV
},
310 { "diratime", 1, MS_NODIRATIME
},
311 { "dirsync", 0, MS_DIRSYNC
},
312 { "exec", 1, MS_NOEXEC
},
313 { "lazytime", 0, MS_LAZYTIME
},
314 { "mand", 0, MS_MANDLOCK
},
315 { "noatime", 0, MS_NOATIME
},
316 { "nodev", 0, MS_NODEV
},
317 { "nodiratime", 0, MS_NODIRATIME
},
318 { "noexec", 0, MS_NOEXEC
},
319 { "nomand", 1, MS_MANDLOCK
},
320 { "norelatime", 1, MS_RELATIME
},
321 { "nostrictatime", 1, MS_STRICTATIME
},
322 { "nosuid", 0, MS_NOSUID
},
323 { "rbind", 0, MS_BIND
|MS_REC
},
324 { "relatime", 0, MS_RELATIME
},
325 { "remount", 0, MS_REMOUNT
},
326 { "ro", 0, MS_RDONLY
},
327 { "rw", 1, MS_RDONLY
},
328 { "strictatime", 0, MS_STRICTATIME
},
329 { "suid", 1, MS_NOSUID
},
330 { "sync", 0, MS_SYNCHRONOUS
},
335 static struct caps_opt caps_opt
[] = {
336 { "chown", CAP_CHOWN
},
337 { "dac_override", CAP_DAC_OVERRIDE
},
338 { "dac_read_search", CAP_DAC_READ_SEARCH
},
339 { "fowner", CAP_FOWNER
},
340 { "fsetid", CAP_FSETID
},
341 { "kill", CAP_KILL
},
342 { "setgid", CAP_SETGID
},
343 { "setuid", CAP_SETUID
},
344 { "setpcap", CAP_SETPCAP
},
345 { "linux_immutable", CAP_LINUX_IMMUTABLE
},
346 { "net_bind_service", CAP_NET_BIND_SERVICE
},
347 { "net_broadcast", CAP_NET_BROADCAST
},
348 { "net_admin", CAP_NET_ADMIN
},
349 { "net_raw", CAP_NET_RAW
},
350 { "ipc_lock", CAP_IPC_LOCK
},
351 { "ipc_owner", CAP_IPC_OWNER
},
352 { "sys_module", CAP_SYS_MODULE
},
353 { "sys_rawio", CAP_SYS_RAWIO
},
354 { "sys_chroot", CAP_SYS_CHROOT
},
355 { "sys_ptrace", CAP_SYS_PTRACE
},
356 { "sys_pacct", CAP_SYS_PACCT
},
357 { "sys_admin", CAP_SYS_ADMIN
},
358 { "sys_boot", CAP_SYS_BOOT
},
359 { "sys_nice", CAP_SYS_NICE
},
360 { "sys_resource", CAP_SYS_RESOURCE
},
361 { "sys_time", CAP_SYS_TIME
},
362 { "sys_tty_config", CAP_SYS_TTY_CONFIG
},
363 { "mknod", CAP_MKNOD
},
364 { "lease", CAP_LEASE
},
365 #ifdef CAP_AUDIT_READ
366 { "audit_read", CAP_AUDIT_READ
},
368 #ifdef CAP_AUDIT_WRITE
369 { "audit_write", CAP_AUDIT_WRITE
},
371 #ifdef CAP_AUDIT_CONTROL
372 { "audit_control", CAP_AUDIT_CONTROL
},
374 { "setfcap", CAP_SETFCAP
},
375 { "mac_override", CAP_MAC_OVERRIDE
},
376 { "mac_admin", CAP_MAC_ADMIN
},
378 { "syslog", CAP_SYSLOG
},
380 #ifdef CAP_WAKE_ALARM
381 { "wake_alarm", CAP_WAKE_ALARM
},
383 #ifdef CAP_BLOCK_SUSPEND
384 { "block_suspend", CAP_BLOCK_SUSPEND
},
388 static struct caps_opt caps_opt
[] = {};
391 static struct limit_opt limit_opt
[] = {
396 { "core", RLIMIT_CORE
},
399 { "cpu", RLIMIT_CPU
},
402 { "data", RLIMIT_DATA
},
405 { "fsize", RLIMIT_FSIZE
},
408 { "locks", RLIMIT_LOCKS
},
410 #ifdef RLIMIT_MEMLOCK
411 { "memlock", RLIMIT_MEMLOCK
},
413 #ifdef RLIMIT_MSGQUEUE
414 { "msgqueue", RLIMIT_MSGQUEUE
},
417 { "nice", RLIMIT_NICE
},
420 { "nofile", RLIMIT_NOFILE
},
423 { "nproc", RLIMIT_NPROC
},
426 { "rss", RLIMIT_RSS
},
429 { "rtprio", RLIMIT_RTPRIO
},
432 { "rttime", RLIMIT_RTTIME
},
434 #ifdef RLIMIT_SIGPENDING
435 { "sigpending", RLIMIT_SIGPENDING
},
438 { "stack", RLIMIT_STACK
},
442 static int run_buffer(char *buffer
)
444 struct lxc_popen_FILE
*f
;
448 f
= lxc_popen(buffer
);
450 SYSERROR("Failed to popen() %s.", buffer
);
454 output
= malloc(LXC_LOG_BUFFER_SIZE
);
456 ERROR("Failed to allocate memory for %s.", buffer
);
461 while (fgets(output
, LXC_LOG_BUFFER_SIZE
, f
->f
))
462 DEBUG("Script %s with output: %s.", buffer
, output
);
468 SYSERROR("Script exited with error.");
470 } else if (WIFEXITED(ret
) && WEXITSTATUS(ret
) != 0) {
471 ERROR("Script exited with status %d.", WEXITSTATUS(ret
));
473 } else if (WIFSIGNALED(ret
)) {
474 ERROR("Script terminated by signal %d.", WTERMSIG(ret
));
481 static int run_script_argv(const char *name
, const char *section
,
482 const char *script
, const char *hook
,
483 const char *lxcpath
, char **argsin
)
489 INFO("Executing script \"%s\" for container \"%s\", config section \"%s\".",
490 script
, name
, section
);
492 for (i
= 0; argsin
&& argsin
[i
]; i
++)
493 size
+= strlen(argsin
[i
]) + 1;
495 size
+= strlen(hook
) + 1;
497 size
+= strlen(script
);
498 size
+= strlen(name
);
499 size
+= strlen(section
);
505 buffer
= alloca(size
);
507 ERROR("Failed to allocate memory.");
512 snprintf(buffer
, size
, "%s %s %s %s", script
, name
, section
, hook
);
513 if (ret
< 0 || (size_t)ret
>= size
) {
514 ERROR("Script name too long.");
518 for (i
= 0; argsin
&& argsin
[i
]; i
++) {
519 int len
= size
- ret
;
521 rc
= snprintf(buffer
+ ret
, len
, " %s", argsin
[i
]);
522 if (rc
< 0 || rc
>= len
) {
523 ERROR("Script args too long.");
529 return run_buffer(buffer
);
532 static int run_script(const char *name
, const char *section
, const char *script
,
540 INFO("Executing script \"%s\" for container \"%s\", config section \"%s\".",
541 script
, name
, section
);
543 va_start(ap
, script
);
544 while ((p
= va_arg(ap
, char *)))
545 size
+= strlen(p
) + 1;
548 size
+= strlen(script
);
549 size
+= strlen(name
);
550 size
+= strlen(section
);
556 buffer
= alloca(size
);
558 ERROR("Failed to allocate memory.");
562 ret
= snprintf(buffer
, size
, "%s %s %s", script
, name
, section
);
563 if (ret
< 0 || ret
>= size
) {
564 ERROR("Script name too long.");
568 va_start(ap
, script
);
569 while ((p
= va_arg(ap
, char *))) {
570 int len
= size
- ret
;
572 rc
= snprintf(buffer
+ ret
, len
, " %s", p
);
573 if (rc
< 0 || rc
>= len
) {
574 ERROR("Script args too long.");
581 return run_buffer(buffer
);
586 * if rootfs is a directory, then open ${rootfs}/lxc.hold for writing for
587 * the duration of the container run, to prevent the container from marking
588 * the underlying fs readonly on shutdown. unlink the file immediately so
589 * no name pollution is happens
590 * return -1 on error.
591 * return -2 if nothing needed to be pinned.
592 * return an open fd (>=0) if we pinned it.
594 int pin_rootfs(const char *rootfs
)
596 char absrootfs
[MAXPATHLEN
];
597 char absrootfspin
[MAXPATHLEN
];
601 if (rootfs
== NULL
|| strlen(rootfs
) == 0)
604 if (!realpath(rootfs
, absrootfs
))
607 if (access(absrootfs
, F_OK
))
610 if (stat(absrootfs
, &s
))
613 if (!S_ISDIR(s
.st_mode
))
616 ret
= snprintf(absrootfspin
, MAXPATHLEN
, "%s/lxc.hold", absrootfs
);
617 if (ret
>= MAXPATHLEN
)
620 fd
= open(absrootfspin
, O_CREAT
| O_RDWR
, S_IWUSR
|S_IRUSR
);
623 (void)unlink(absrootfspin
);
628 * If we are asking to remount something, make sure that any
629 * NOEXEC etc are honored.
631 unsigned long add_required_remount_flags(const char *s
, const char *d
,
636 unsigned long required_flags
= 0;
638 if (!(flags
& MS_REMOUNT
))
646 if (statvfs(s
, &sb
) < 0)
649 if (sb
.f_flag
& MS_NOSUID
)
650 required_flags
|= MS_NOSUID
;
651 if (sb
.f_flag
& MS_NODEV
)
652 required_flags
|= MS_NODEV
;
653 if (sb
.f_flag
& MS_RDONLY
)
654 required_flags
|= MS_RDONLY
;
655 if (sb
.f_flag
& MS_NOEXEC
)
656 required_flags
|= MS_NOEXEC
;
658 return flags
| required_flags
;
664 static int lxc_mount_auto_mounts(struct lxc_conf
*conf
, int flags
, struct lxc_handler
*handler
)
672 const char *destination
;
676 } default_mounts
[] = {
677 /* Read-only bind-mounting... In older kernels, doing that required
678 * to do one MS_BIND mount and then MS_REMOUNT|MS_RDONLY the same
679 * one. According to mount(2) manpage, MS_BIND honors MS_RDONLY from
680 * kernel 2.6.26 onwards. However, this apparently does not work on
681 * kernel 3.8. Unfortunately, on that very same kernel, doing the
682 * same trick as above doesn't seem to work either, there one needs
683 * to ALSO specify MS_BIND for the remount, otherwise the entire
684 * fs is remounted read-only or the mount fails because it's busy...
685 * MS_REMOUNT|MS_BIND|MS_RDONLY seems to work for kernels as low as
688 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, "proc", "%r/proc", "proc", MS_NODEV
|MS_NOEXEC
|MS_NOSUID
, NULL
},
689 /* proc/tty is used as a temporary placeholder for proc/sys/net which we'll move back in a few steps */
690 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, "%r/proc/sys/net", "%r/proc/tty", NULL
, MS_BIND
, NULL
},
691 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, "%r/proc/sys", "%r/proc/sys", NULL
, MS_BIND
, NULL
},
692 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, NULL
, "%r/proc/sys", NULL
, MS_REMOUNT
|MS_BIND
|MS_RDONLY
, NULL
},
693 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, "%r/proc/tty", "%r/proc/sys/net", NULL
, MS_MOVE
, NULL
},
694 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, "%r/proc/sysrq-trigger", "%r/proc/sysrq-trigger", NULL
, MS_BIND
, NULL
},
695 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_MIXED
, NULL
, "%r/proc/sysrq-trigger", NULL
, MS_REMOUNT
|MS_BIND
|MS_RDONLY
, NULL
},
696 { LXC_AUTO_PROC_MASK
, LXC_AUTO_PROC_RW
, "proc", "%r/proc", "proc", MS_NODEV
|MS_NOEXEC
|MS_NOSUID
, NULL
},
697 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_RW
, "sysfs", "%r/sys", "sysfs", 0, NULL
},
698 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_RO
, "sysfs", "%r/sys", "sysfs", MS_RDONLY
, NULL
},
699 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_MIXED
, "sysfs", "%r/sys", "sysfs", MS_NODEV
|MS_NOEXEC
|MS_NOSUID
, NULL
},
700 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_MIXED
, "%r/sys", "%r/sys", NULL
, MS_BIND
, NULL
},
701 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_MIXED
, NULL
, "%r/sys", NULL
, MS_REMOUNT
|MS_BIND
|MS_RDONLY
, NULL
},
702 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_MIXED
, "sysfs", "%r/sys/devices/virtual/net", "sysfs", 0, NULL
},
703 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_MIXED
, "%r/sys/devices/virtual/net/devices/virtual/net", "%r/sys/devices/virtual/net", NULL
, MS_BIND
, NULL
},
704 { LXC_AUTO_SYS_MASK
, LXC_AUTO_SYS_MIXED
, NULL
, "%r/sys/devices/virtual/net", NULL
, MS_REMOUNT
|MS_BIND
|MS_NOSUID
|MS_NODEV
|MS_NOEXEC
, NULL
},
705 { 0, 0, NULL
, NULL
, NULL
, 0, NULL
}
708 for (i
= 0; default_mounts
[i
].match_mask
; i
++) {
709 if ((flags
& default_mounts
[i
].match_mask
) == default_mounts
[i
].match_flag
) {
711 char *destination
= NULL
;
713 unsigned long mflags
;
715 if (default_mounts
[i
].source
) {
716 /* will act like strdup if %r is not present */
717 source
= lxc_string_replace("%r", conf
->rootfs
.path
? conf
->rootfs
.mount
: "", default_mounts
[i
].source
);
719 SYSERROR("memory allocation error");
723 if (!default_mounts
[i
].destination
) {
724 ERROR("BUG: auto mounts destination %d was NULL", i
);
728 /* will act like strdup if %r is not present */
729 destination
= lxc_string_replace("%r", conf
->rootfs
.path
? conf
->rootfs
.mount
: "", default_mounts
[i
].destination
);
732 SYSERROR("memory allocation error");
737 mflags
= add_required_remount_flags(source
, destination
,
738 default_mounts
[i
].flags
);
739 r
= safe_mount(source
, destination
, default_mounts
[i
].fstype
, mflags
, default_mounts
[i
].options
, conf
->rootfs
.path
? conf
->rootfs
.mount
: NULL
);
741 if (r
< 0 && errno
== ENOENT
) {
742 INFO("Mount source or target for %s on %s doesn't exist. Skipping.", source
, destination
);
746 SYSERROR("error mounting %s on %s flags %lu", source
, destination
, mflags
);
757 if (flags
& LXC_AUTO_CGROUP_MASK
) {
760 cg_flags
= flags
& LXC_AUTO_CGROUP_MASK
;
761 /* If the type of cgroup mount was not specified, it depends on the
762 * container's capabilities as to what makes sense: if we have
763 * CAP_SYS_ADMIN, the read-only part can be remounted read-write
764 * anyway, so we may as well default to read-write; then the admin
765 * will not be given a false sense of security. (And if they really
766 * want mixed r/o r/w, then they can explicitly specify :mixed.)
767 * OTOH, if the container lacks CAP_SYS_ADMIN, do only default to
768 * :mixed, because then the container can't remount it read-write. */
769 if (cg_flags
== LXC_AUTO_CGROUP_NOSPEC
|| cg_flags
== LXC_AUTO_CGROUP_FULL_NOSPEC
) {
770 int has_sys_admin
= 0;
772 if (!lxc_list_empty(&conf
->keepcaps
))
773 has_sys_admin
= in_caplist(CAP_SYS_ADMIN
, &conf
->keepcaps
);
775 has_sys_admin
= !in_caplist(CAP_SYS_ADMIN
, &conf
->caps
);
777 if (cg_flags
== LXC_AUTO_CGROUP_NOSPEC
)
778 cg_flags
= has_sys_admin
? LXC_AUTO_CGROUP_RW
: LXC_AUTO_CGROUP_MIXED
;
780 cg_flags
= has_sys_admin
? LXC_AUTO_CGROUP_FULL_RW
: LXC_AUTO_CGROUP_FULL_MIXED
;
783 if (!cgroup_mount(conf
->rootfs
.path
? conf
->rootfs
.mount
: "", handler
, cg_flags
)) {
784 SYSERROR("error mounting /sys/fs/cgroup");
792 static int setup_utsname(struct utsname
*utsname
)
797 if (sethostname(utsname
->nodename
, strlen(utsname
->nodename
))) {
798 SYSERROR("failed to set the hostname to '%s'", utsname
->nodename
);
802 INFO("'%s' hostname has been setup", utsname
->nodename
);
807 struct dev_symlinks
{
812 static const struct dev_symlinks dev_symlinks
[] = {
813 {"/proc/self/fd", "fd"},
814 {"/proc/self/fd/0", "stdin"},
815 {"/proc/self/fd/1", "stdout"},
816 {"/proc/self/fd/2", "stderr"},
819 static int setup_dev_symlinks(const struct lxc_rootfs
*rootfs
)
821 char path
[MAXPATHLEN
];
826 for (i
= 0; i
< sizeof(dev_symlinks
) / sizeof(dev_symlinks
[0]); i
++) {
827 const struct dev_symlinks
*d
= &dev_symlinks
[i
];
828 ret
= snprintf(path
, sizeof(path
), "%s/dev/%s", rootfs
->path
? rootfs
->mount
: "", d
->name
);
829 if (ret
< 0 || ret
>= MAXPATHLEN
)
833 * Stat the path first. If we don't get an error
834 * accept it as is and don't try to create it
836 if (!stat(path
, &s
)) {
840 ret
= symlink(d
->oldpath
, path
);
842 if (ret
&& errno
!= EEXIST
) {
843 if ( errno
== EROFS
) {
844 WARN("Warning: Read Only file system while creating %s", path
);
846 SYSERROR("Error creating %s", path
);
855 * Build a space-separate list of ptys to pass to systemd.
857 static bool append_ptyname(char **pp
, char *name
)
862 *pp
= malloc(strlen(name
) + strlen("container_ttys=") + 1);
865 sprintf(*pp
, "container_ttys=%s", name
);
868 p
= realloc(*pp
, strlen(*pp
) + strlen(name
) + 2);
877 static int lxc_setup_tty(struct lxc_conf
*conf
)
880 const struct lxc_tty_info
*tty_info
= &conf
->tty_info
;
881 char *ttydir
= conf
->ttydir
;
882 char path
[MAXPATHLEN
], lxcpath
[MAXPATHLEN
];
884 if (!conf
->rootfs
.path
)
887 for (i
= 0; i
< tty_info
->nbtty
; i
++) {
888 struct lxc_pty_info
*pty_info
= &tty_info
->pty_info
[i
];
890 ret
= snprintf(path
, sizeof(path
), "/dev/tty%d", i
+ 1);
891 if (ret
< 0 || (size_t)ret
>= sizeof(path
)) {
892 ERROR("pathname too long for ttys");
897 /* create dev/lxc/tty%d" */
898 ret
= snprintf(lxcpath
, sizeof(lxcpath
),
899 "/dev/%s/tty%d", ttydir
, i
+ 1);
900 if (ret
< 0 || (size_t)ret
>= sizeof(lxcpath
)) {
901 ERROR("pathname too long for ttys");
905 ret
= creat(lxcpath
, 0660);
906 if (ret
< 0 && errno
!= EEXIST
) {
907 SYSERROR("failed to create \"%s\"", lxcpath
);
914 if (ret
< 0 && errno
!= ENOENT
) {
915 SYSERROR("failed to unlink \"%s\"", path
);
919 ret
= mount(pty_info
->name
, lxcpath
, "none", MS_BIND
, 0);
921 WARN("failed to bind mount \"%s\" onto \"%s\"",
922 pty_info
->name
, path
);
925 DEBUG("bind mounted \"%s\" onto \"%s\"", pty_info
->name
,
928 ret
= snprintf(lxcpath
, sizeof(lxcpath
), "%s/tty%d",
930 if (ret
< 0 || (size_t)ret
>= sizeof(lxcpath
)) {
931 ERROR("tty pathname too long");
935 ret
= symlink(lxcpath
, path
);
937 SYSERROR("failed to create symlink \"%s\" -> \"%s\"",
942 /* If we populated /dev, then we need to create
945 ret
= access(path
, F_OK
);
947 ret
= creat(path
, 0660);
949 SYSERROR("failed to create \"%s\"", path
);
950 /* this isn't fatal, continue */
956 ret
= mount(pty_info
->name
, path
, "none", MS_BIND
, 0);
958 SYSERROR("failed to mount '%s'->'%s'", pty_info
->name
, path
);
962 DEBUG("bind mounted \"%s\" onto \"%s\"", pty_info
->name
,
966 if (!append_ptyname(&conf
->pty_names
, pty_info
->name
)) {
967 ERROR("Error setting up container_ttys string");
972 INFO("finished setting up %d /dev/tty<N> device(s)", tty_info
->nbtty
);
976 static int setup_rootfs_pivot_root(const char *rootfs
)
978 int oldroot
= -1, newroot
= -1;
980 oldroot
= open("/", O_DIRECTORY
| O_RDONLY
);
982 SYSERROR("Error opening old-/ for fchdir");
985 newroot
= open(rootfs
, O_DIRECTORY
| O_RDONLY
);
987 SYSERROR("Error opening new-/ for fchdir");
991 /* change into new root fs */
992 if (fchdir(newroot
)) {
993 SYSERROR("can't chdir to new rootfs '%s'", rootfs
);
997 /* pivot_root into our new root fs */
998 if (pivot_root(".", ".")) {
999 SYSERROR("pivot_root syscall failed");
1004 * at this point the old-root is mounted on top of our new-root
1005 * To unmounted it we must not be chdir'd into it, so escape back
1008 if (fchdir(oldroot
) < 0) {
1009 SYSERROR("Error entering oldroot");
1012 if (umount2(".", MNT_DETACH
) < 0) {
1013 SYSERROR("Error detaching old root");
1017 if (fchdir(newroot
) < 0) {
1018 SYSERROR("Error re-entering newroot");
1025 DEBUG("pivot_root syscall to '%s' successful", rootfs
);
1038 * Just create a path for /dev under $lxcpath/$name and in rootfs
1039 * If we hit an error, log it but don't fail yet.
1041 static int mount_autodev(const char *name
, const struct lxc_rootfs
*rootfs
, const char *lxcpath
)
1047 INFO("Mounting container /dev");
1049 /* $(rootfs->mount) + "/dev/pts" + '\0' */
1050 clen
= (rootfs
->path
? strlen(rootfs
->mount
) : 0) + 9;
1051 path
= alloca(clen
);
1053 ret
= snprintf(path
, clen
, "%s/dev", rootfs
->path
? rootfs
->mount
: "");
1054 if (ret
< 0 || ret
>= clen
)
1057 if (!dir_exists(path
)) {
1058 WARN("No /dev in container.");
1059 WARN("Proceeding without autodev setup");
1063 ret
= safe_mount("none", path
, "tmpfs", 0, "size=500000,mode=755",
1064 rootfs
->path
? rootfs
->mount
: NULL
);
1066 SYSERROR("Failed mounting tmpfs onto %s\n", path
);
1070 INFO("Mounted tmpfs onto %s", path
);
1072 ret
= snprintf(path
, clen
, "%s/dev/pts", rootfs
->path
? rootfs
->mount
: "");
1073 if (ret
< 0 || ret
>= clen
)
1077 * If we are running on a devtmpfs mapping, dev/pts may already exist.
1078 * If not, then create it and exit if that fails...
1080 if (!dir_exists(path
)) {
1081 ret
= mkdir(path
, S_IRWXU
| S_IRGRP
| S_IXGRP
| S_IROTH
| S_IXOTH
);
1083 SYSERROR("Failed to create /dev/pts in container");
1088 INFO("Mounted container /dev");
1099 static const struct lxc_devs lxc_devs
[] = {
1100 { "null", S_IFCHR
| S_IRWXU
| S_IRWXG
| S_IRWXO
, 1, 3 },
1101 { "zero", S_IFCHR
| S_IRWXU
| S_IRWXG
| S_IRWXO
, 1, 5 },
1102 { "full", S_IFCHR
| S_IRWXU
| S_IRWXG
| S_IRWXO
, 1, 7 },
1103 { "urandom", S_IFCHR
| S_IRWXU
| S_IRWXG
| S_IRWXO
, 1, 9 },
1104 { "random", S_IFCHR
| S_IRWXU
| S_IRWXG
| S_IRWXO
, 1, 8 },
1105 { "tty", S_IFCHR
| S_IRWXU
| S_IRWXG
| S_IRWXO
, 5, 0 },
1108 static int lxc_fill_autodev(const struct lxc_rootfs
*rootfs
)
1111 char path
[MAXPATHLEN
];
1115 ret
= snprintf(path
, MAXPATHLEN
, "%s/dev", rootfs
->path
? rootfs
->mount
: "");
1116 if (ret
< 0 || ret
>= MAXPATHLEN
) {
1117 ERROR("Error calculating container /dev location");
1121 /* ignore, just don't try to fill in */
1122 if (!dir_exists(path
))
1125 INFO("populating container /dev");
1126 cmask
= umask(S_IXUSR
| S_IXGRP
| S_IXOTH
);
1127 for (i
= 0; i
< sizeof(lxc_devs
) / sizeof(lxc_devs
[0]); i
++) {
1128 const struct lxc_devs
*d
= &lxc_devs
[i
];
1130 ret
= snprintf(path
, MAXPATHLEN
, "%s/dev/%s", rootfs
->path
? rootfs
->mount
: "", d
->name
);
1131 if (ret
< 0 || ret
>= MAXPATHLEN
)
1134 ret
= mknod(path
, d
->mode
, makedev(d
->maj
, d
->min
));
1136 char hostpath
[MAXPATHLEN
];
1139 if (errno
== EEXIST
) {
1140 DEBUG("\"%s\" device already existed", path
);
1144 /* Unprivileged containers cannot create devices, so
1145 * bind mount the device from the host.
1147 ret
= snprintf(hostpath
, MAXPATHLEN
, "/dev/%s", d
->name
);
1148 if (ret
< 0 || ret
>= MAXPATHLEN
)
1150 pathfile
= fopen(path
, "wb");
1152 SYSERROR("Failed to create device mount target '%s'", path
);
1156 if (safe_mount(hostpath
, path
, 0, MS_BIND
, NULL
, rootfs
->path
? rootfs
->mount
: NULL
) != 0) {
1157 SYSERROR("Failed bind mounting device %s from host into container", d
->name
);
1160 DEBUG("bind mounted \"%s\" onto \"%s\"", hostpath
, path
);
1162 DEBUG("created device node \"%s\"", path
);
1167 INFO("populated container /dev");
1171 static int lxc_setup_rootfs(struct lxc_conf
*conf
)
1175 const struct lxc_rootfs
*rootfs
;
1177 rootfs
= &conf
->rootfs
;
1178 if (!rootfs
->path
) {
1179 if (mount("", "/", NULL
, MS_SLAVE
| MS_REC
, 0)) {
1180 SYSERROR("Failed to make / rslave.");
1186 if (access(rootfs
->mount
, F_OK
)) {
1187 SYSERROR("Failed to access to \"%s\". Check it is present.",
1192 bdev
= bdev_init(conf
, rootfs
->path
, rootfs
->mount
, rootfs
->options
);
1194 ERROR("Failed to mount rootfs \"%s\" onto \"%s\" with options \"%s\".",
1195 rootfs
->path
, rootfs
->mount
,
1196 rootfs
->options
? rootfs
->options
: "(null)");
1200 ret
= bdev
->ops
->mount(bdev
);
1203 ERROR("Failed to mount rootfs \"%s\" onto \"%s\" with options \"%s\".",
1204 rootfs
->path
, rootfs
->mount
,
1205 rootfs
->options
? rootfs
->options
: "(null)");
1209 DEBUG("Mounted rootfs \"%s\" onto \"%s\" with options \"%s\".",
1210 rootfs
->path
, rootfs
->mount
,
1211 rootfs
->options
? rootfs
->options
: "(null)");
1216 int prepare_ramfs_root(char *root
)
1218 char buf
[LXC_LINELEN
], *p
;
1219 char nroot
[PATH_MAX
];
1224 if (realpath(root
, nroot
) == NULL
)
1227 if (chdir("/") == -1)
1231 * We could use here MS_MOVE, but in userns this mount is
1232 * locked and can't be moved.
1234 if (mount(root
, "/", NULL
, MS_REC
| MS_BIND
, NULL
) < 0) {
1235 SYSERROR("Failed to move %s into /", root
);
1239 if (mount(NULL
, "/", NULL
, MS_REC
| MS_PRIVATE
, NULL
) < 0) {
1240 SYSERROR("Failed to make . rprivate");
1245 * The following code cleans up inhereted mounts which are not
1248 * The mountinfo file shows not all mounts, if a few points have been
1249 * unmounted between read operations from the mountinfo. So we need to
1250 * read mountinfo a few times.
1252 * This loop can be skipped if a container uses unserns, because all
1253 * inherited mounts are locked and we should live with all this trash.
1258 f
= fopen("./proc/self/mountinfo", "r");
1260 SYSERROR("Unable to open /proc/self/mountinfo");
1263 while (fgets(buf
, LXC_LINELEN
, f
)) {
1264 for (p
= buf
, i
=0; p
&& i
< 4; i
++)
1265 p
= strchr(p
+1, ' ');
1268 p2
= strchr(p
+1, ' ');
1275 if (strcmp(p
+ 1, "/") == 0)
1277 if (strcmp(p
+ 1, "/proc") == 0)
1280 if (umount2(p
, MNT_DETACH
) == 0)
1288 /* This also can be skipped if a container uses unserns */
1289 umount2("./proc", MNT_DETACH
);
1291 /* It is weird, but chdir("..") moves us in a new root */
1292 if (chdir("..") == -1) {
1293 SYSERROR("Unable to change working directory");
1297 if (chroot(".") == -1) {
1298 SYSERROR("Unable to chroot");
1305 static int setup_pivot_root(const struct lxc_rootfs
*rootfs
)
1307 if (!rootfs
->path
) {
1308 DEBUG("container does not have a rootfs, so not doing pivot root");
1312 if (detect_ramfs_rootfs()) {
1313 DEBUG("detected that container is on ramfs");
1314 if (prepare_ramfs_root(rootfs
->mount
)) {
1315 ERROR("failed to prepare minimal ramfs root");
1319 DEBUG("prepared ramfs root for container");
1323 if (setup_rootfs_pivot_root(rootfs
->mount
) < 0) {
1324 ERROR("failed to pivot root");
1328 DEBUG("finished pivot root");
1332 static int lxc_setup_devpts(int num_pts
)
1335 const char *default_devpts_mntopts
= "newinstance,ptmxmode=0666,mode=0620,gid=5";
1336 char devpts_mntopts
[256];
1339 DEBUG("no new devpts instance will be mounted since no pts "
1340 "devices are requested");
1344 ret
= snprintf(devpts_mntopts
, sizeof(devpts_mntopts
), "%s,max=%d",
1345 default_devpts_mntopts
, num_pts
);
1346 if (ret
< 0 || (size_t)ret
>= sizeof(devpts_mntopts
))
1349 /* Unmount old devpts instance. */
1350 ret
= access("/dev/pts/ptmx", F_OK
);
1352 ret
= umount("/dev/pts");
1354 SYSERROR("failed to unmount old devpts instance");
1357 DEBUG("unmounted old /dev/pts instance");
1360 /* Create mountpoint for devpts instance. */
1361 ret
= mkdir("/dev/pts", 0755);
1362 if (ret
< 0 && errno
!= EEXIST
) {
1363 SYSERROR("failed to create the \"/dev/pts\" directory");
1367 /* Mount new devpts instance. */
1368 ret
= mount("devpts", "/dev/pts", "devpts", MS_MGC_VAL
, devpts_mntopts
);
1370 SYSERROR("failed to mount new devpts instance");
1373 DEBUG("mount new devpts instance with options \"%s\"", devpts_mntopts
);
1375 /* Remove any pre-existing /dev/ptmx file. */
1376 ret
= access("/dev/ptmx", F_OK
);
1378 ret
= remove("/dev/ptmx");
1380 SYSERROR("failed to remove existing \"/dev/ptmx\"");
1383 DEBUG("removed existing \"/dev/ptmx\"");
1386 /* Create dummy /dev/ptmx file as bind mountpoint for /dev/pts/ptmx. */
1387 ret
= open("/dev/ptmx", O_CREAT
, 0666);
1389 SYSERROR("failed to create dummy \"/dev/ptmx\" file as bind mount target");
1393 DEBUG("created dummy \"/dev/ptmx\" file as bind mount target");
1395 /* Fallback option: create symlink /dev/ptmx -> /dev/pts/ptmx */
1396 ret
= mount("/dev/pts/ptmx", "/dev/ptmx", NULL
, MS_BIND
, NULL
);
1398 DEBUG("bind mounted \"/dev/pts/ptmx\" to \"/dev/ptmx\"");
1401 /* Fallthrough and try to create a symlink. */
1402 ERROR("failed to bind mount \"/dev/pts/ptmx\" to \"/dev/ptmx\"");
1405 /* Remove the dummy /dev/ptmx file we created above. */
1406 ret
= remove("/dev/ptmx");
1408 SYSERROR("failed to remove existing \"/dev/ptmx\"");
1412 /* Fallback option: Create symlink /dev/ptmx -> /dev/pts/ptmx. */
1413 ret
= symlink("/dev/pts/ptmx", "/dev/ptmx");
1415 SYSERROR("failed to create symlink \"/dev/ptmx\" -> \"/dev/pts/ptmx\"");
1418 DEBUG("created symlink \"/dev/ptmx\" -> \"/dev/pts/ptmx\"");
1423 static int setup_personality(int persona
)
1425 #if HAVE_SYS_PERSONALITY_H
1429 if (personality(persona
) < 0) {
1430 SYSERROR("failed to set personality to '0x%x'", persona
);
1434 INFO("set personality to '0x%x'", persona
);
1440 static int lxc_setup_dev_console(const struct lxc_rootfs
*rootfs
,
1441 const struct lxc_console
*console
)
1443 char path
[MAXPATHLEN
];
1446 if (console
->path
&& !strcmp(console
->path
, "none"))
1449 ret
= snprintf(path
, sizeof(path
), "%s/dev/console", rootfs
->mount
);
1450 if (ret
< 0 || (size_t)ret
>= sizeof(path
))
1453 /* When we are asked to setup a console we remove any previous
1454 * /dev/console bind-mounts.
1456 if (file_exists(path
)) {
1457 ret
= lxc_unstack_mountpoint(path
, false);
1459 ERROR("failed to unmount \"%s\": %s", path
, strerror(errno
));
1462 DEBUG("cleared all (%d) mounts from \"%s\"", ret
, path
);
1467 SYSERROR("error unlinking %s", path
);
1472 /* For unprivileged containers autodev or automounts will already have
1473 * taken care of creating /dev/console.
1475 fd
= open(path
, O_CREAT
| O_EXCL
, S_IXUSR
| S_IXGRP
| S_IXOTH
);
1477 if (errno
!= EEXIST
) {
1478 SYSERROR("failed to create console");
1485 if (chmod(console
->name
, S_IXUSR
| S_IXGRP
| S_IXOTH
)) {
1486 SYSERROR("failed to set mode '0%o' to '%s'", S_IXUSR
| S_IXGRP
| S_IXOTH
, console
->name
);
1490 if (safe_mount(console
->name
, path
, "none", MS_BIND
, 0, rootfs
->mount
) < 0) {
1491 ERROR("failed to mount '%s' on '%s'", console
->name
, path
);
1495 DEBUG("mounted pts device \"%s\" onto \"%s\"", console
->name
, path
);
1499 static int lxc_setup_ttydir_console(const struct lxc_rootfs
*rootfs
,
1500 const struct lxc_console
*console
,
1504 char path
[MAXPATHLEN
], lxcpath
[MAXPATHLEN
];
1506 /* create rootfs/dev/<ttydir> directory */
1507 ret
= snprintf(path
, sizeof(path
), "%s/dev/%s", rootfs
->mount
, ttydir
);
1508 if (ret
< 0 || (size_t)ret
>= sizeof(path
))
1511 ret
= mkdir(path
, 0755);
1512 if (ret
&& errno
!= EEXIST
) {
1513 SYSERROR("failed with errno %d to create %s", errno
, path
);
1516 DEBUG("created directory for console and tty devices at \%s\"", path
);
1518 ret
= snprintf(lxcpath
, sizeof(lxcpath
), "%s/dev/%s/console", rootfs
->mount
, ttydir
);
1519 if (ret
< 0 || (size_t)ret
>= sizeof(lxcpath
))
1522 ret
= creat(lxcpath
, 0660);
1523 if (ret
== -1 && errno
!= EEXIST
) {
1524 SYSERROR("error %d creating %s", errno
, lxcpath
);
1530 ret
= snprintf(path
, sizeof(path
), "%s/dev/console", rootfs
->mount
);
1531 if (ret
< 0 || (size_t)ret
>= sizeof(lxcpath
))
1534 /* When we are asked to setup a console we remove any previous
1535 * /dev/console bind-mounts.
1537 if (console
->path
&& !strcmp(console
->path
, "none")) {
1539 ret
= stat(path
, &st
);
1541 if (errno
== ENOENT
)
1543 SYSERROR("failed stat() \"%s\"", path
);
1547 /* /dev/console must be character device with major number 5 and
1548 * minor number 1. If not, give benefit of the doubt and assume
1549 * the user has mounted something else right there on purpose.
1551 if (((st
.st_mode
& S_IFMT
) != S_IFCHR
) || major(st
.st_rdev
) != 5 || minor(st
.st_rdev
) != 1)
1554 /* In case the user requested a bind-mount for /dev/console and
1555 * requests a ttydir we move the mount to the
1556 * /dev/<ttydir/console.
1557 * Note, we only move the uppermost mount and clear all other
1558 * mounts underneath for safety.
1559 * If it is a character device created via mknod() we simply
1562 ret
= safe_mount(path
, lxcpath
, "none", MS_MOVE
, NULL
, rootfs
->mount
);
1564 if (errno
!= EINVAL
) {
1565 ERROR("failed to MS_MOVE \"%s\" to \"%s\": %s", path
, lxcpath
, strerror(errno
));
1568 /* path was not a mountpoint */
1569 ret
= rename(path
, lxcpath
);
1571 ERROR("failed to rename \"%s\" to \"%s\": %s", path
, lxcpath
, strerror(errno
));
1574 DEBUG("renamed \"%s\" to \"%s\"", path
, lxcpath
);
1576 DEBUG("moved mount \"%s\" to \"%s\"", path
, lxcpath
);
1579 /* Clear all remaining bind-mounts. */
1580 ret
= lxc_unstack_mountpoint(path
, false);
1582 ERROR("failed to unmount \"%s\": %s", path
, strerror(errno
));
1585 DEBUG("cleared all (%d) mounts from \"%s\"", ret
, path
);
1588 if (file_exists(path
)) {
1589 ret
= lxc_unstack_mountpoint(path
, false);
1591 ERROR("failed to unmount \"%s\": %s", path
, strerror(errno
));
1594 DEBUG("cleared all (%d) mounts from \"%s\"", ret
, path
);
1598 if (safe_mount(console
->name
, lxcpath
, "none", MS_BIND
, 0, rootfs
->mount
) < 0) {
1599 ERROR("failed to mount '%s' on '%s'", console
->name
, lxcpath
);
1602 DEBUG("mounted \"%s\" onto \"%s\"", console
->name
, lxcpath
);
1605 /* create symlink from rootfs /dev/console to '<ttydir>/console' */
1606 ret
= snprintf(lxcpath
, sizeof(lxcpath
), "%s/console", ttydir
);
1607 if (ret
< 0 || (size_t)ret
>= sizeof(lxcpath
))
1611 if (ret
&& errno
!= ENOENT
) {
1612 SYSERROR("error unlinking %s", path
);
1616 ret
= symlink(lxcpath
, path
);
1618 SYSERROR("failed to create symlink for console from \"%s\" to \"%s\"", lxcpath
, path
);
1622 DEBUG("console has been setup under \"%s\" and symlinked to \"%s\"", lxcpath
, path
);
1626 static int lxc_setup_console(const struct lxc_rootfs
*rootfs
,
1627 const struct lxc_console
*console
, char *ttydir
)
1629 /* We don't have a rootfs, /dev/console will be shared. */
1630 if (!rootfs
->path
) {
1631 DEBUG("/dev/console will be shared with the host");
1636 return lxc_setup_dev_console(rootfs
, console
);
1638 return lxc_setup_ttydir_console(rootfs
, console
, ttydir
);
1641 static void parse_mntopt(char *opt
, unsigned long *flags
, char **data
)
1643 struct mount_opt
*mo
;
1645 /* If opt is found in mount_opt, set or clear flags.
1646 * Otherwise append it to data. */
1648 for (mo
= &mount_opt
[0]; mo
->name
!= NULL
; mo
++) {
1649 if (!strncmp(opt
, mo
->name
, strlen(mo
->name
))) {
1651 *flags
&= ~mo
->flag
;
1663 int parse_mntopts(const char *mntopts
, unsigned long *mntflags
,
1667 char *p
, *saveptr
= NULL
;
1675 s
= strdup(mntopts
);
1677 SYSERROR("failed to allocate memory");
1681 data
= malloc(strlen(s
) + 1);
1683 SYSERROR("failed to allocate memory");
1689 for (p
= strtok_r(s
, ",", &saveptr
); p
!= NULL
;
1690 p
= strtok_r(NULL
, ",", &saveptr
))
1691 parse_mntopt(p
, mntflags
, &data
);
1702 static void null_endofword(char *word
)
1704 while (*word
&& *word
!= ' ' && *word
!= '\t')
1710 * skip @nfields spaces in @src
1712 static char *get_field(char *src
, int nfields
)
1717 for (i
= 0; i
< nfields
; i
++) {
1718 while (*p
&& *p
!= ' ' && *p
!= '\t')
1727 static int mount_entry(const char *fsname
, const char *target
,
1728 const char *fstype
, unsigned long mountflags
,
1729 const char *data
, int optional
, int dev
, const char *rootfs
)
1735 if (safe_mount(fsname
, target
, fstype
, mountflags
& ~MS_REMOUNT
, data
, rootfs
)) {
1737 INFO("failed to mount '%s' on '%s' (optional): %s", fsname
,
1738 target
, strerror(errno
));
1742 SYSERROR("failed to mount '%s' on '%s'", fsname
, target
);
1747 if ((mountflags
& MS_REMOUNT
) || (mountflags
& MS_BIND
)) {
1748 DEBUG("remounting %s on %s to respect bind or remount options",
1749 fsname
? fsname
: "(none)", target
? target
: "(none)");
1750 unsigned long rqd_flags
= 0;
1751 if (mountflags
& MS_RDONLY
)
1752 rqd_flags
|= MS_RDONLY
;
1754 if (statvfs(fsname
, &sb
) == 0) {
1755 unsigned long required_flags
= rqd_flags
;
1756 if (sb
.f_flag
& MS_NOSUID
)
1757 required_flags
|= MS_NOSUID
;
1758 if (sb
.f_flag
& MS_NODEV
&& !dev
)
1759 required_flags
|= MS_NODEV
;
1760 if (sb
.f_flag
& MS_RDONLY
)
1761 required_flags
|= MS_RDONLY
;
1762 if (sb
.f_flag
& MS_NOEXEC
)
1763 required_flags
|= MS_NOEXEC
;
1764 DEBUG("(at remount) flags for %s was %lu, required extra flags are %lu", fsname
, sb
.f_flag
, required_flags
);
1766 * If this was a bind mount request, and required_flags
1767 * does not have any flags which are not already in
1768 * mountflags, then skip the remount
1770 if (!(mountflags
& MS_REMOUNT
)) {
1771 if (!(required_flags
& ~mountflags
) && rqd_flags
== 0) {
1772 DEBUG("mountflags already was %lu, skipping remount",
1777 mountflags
|= required_flags
;
1781 if (mount(fsname
, target
, fstype
,
1782 mountflags
| MS_REMOUNT
, data
) < 0) {
1784 INFO("failed to mount '%s' on '%s' (optional): %s",
1785 fsname
, target
, strerror(errno
));
1789 SYSERROR("failed to mount '%s' on '%s'",
1799 DEBUG("mounted '%s' on '%s', type '%s'", fsname
, target
, fstype
);
1805 * Remove 'optional', 'create=dir', and 'create=file' from mntopt
1807 static void cull_mntent_opt(struct mntent
*mntent
)
1811 char *list
[] = {"create=dir",
1816 for (i
=0; list
[i
]; i
++) {
1817 if (!(p
= strstr(mntent
->mnt_opts
, list
[i
])))
1819 p2
= strchr(p
, ',');
1821 /* no more mntopts, so just chop it here */
1825 memmove(p
, p2
+1, strlen(p2
+1)+1);
1829 static int mount_entry_create_dir_file(const struct mntent
*mntent
,
1830 const char* path
, const struct lxc_rootfs
*rootfs
,
1831 const char *lxc_name
, const char *lxc_path
)
1833 char *pathdirname
= NULL
;
1835 FILE *pathfile
= NULL
;
1837 if (strncmp(mntent
->mnt_type
, "overlay", 7) == 0) {
1838 if (ovl_mkdir(mntent
, rootfs
, lxc_name
, lxc_path
) < 0)
1840 } else if (strncmp(mntent
->mnt_type
, "aufs", 4) == 0) {
1841 if (aufs_mkdir(mntent
, rootfs
, lxc_name
, lxc_path
) < 0)
1845 if (hasmntopt(mntent
, "create=dir")) {
1846 if (mkdir_p(path
, 0755) < 0) {
1847 WARN("Failed to create mount target '%s'", path
);
1852 if (hasmntopt(mntent
, "create=file") && access(path
, F_OK
)) {
1853 pathdirname
= strdup(path
);
1854 pathdirname
= dirname(pathdirname
);
1855 if (mkdir_p(pathdirname
, 0755) < 0) {
1856 WARN("Failed to create target directory");
1858 pathfile
= fopen(path
, "wb");
1860 WARN("Failed to create mount target '%s'", path
);
1870 /* rootfs, lxc_name, and lxc_path can be NULL when the container is created
1871 * without a rootfs. */
1872 static inline int mount_entry_on_generic(struct mntent
*mntent
,
1873 const char* path
, const struct lxc_rootfs
*rootfs
,
1874 const char *lxc_name
, const char *lxc_path
)
1876 unsigned long mntflags
;
1879 bool optional
= hasmntopt(mntent
, "optional") != NULL
;
1880 bool dev
= hasmntopt(mntent
, "dev") != NULL
;
1882 char *rootfs_path
= NULL
;
1883 if (rootfs
&& rootfs
->path
)
1884 rootfs_path
= rootfs
->mount
;
1886 ret
= mount_entry_create_dir_file(mntent
, path
, rootfs
, lxc_name
, lxc_path
);
1889 return optional
? 0 : -1;
1891 cull_mntent_opt(mntent
);
1893 if (parse_mntopts(mntent
->mnt_opts
, &mntflags
, &mntdata
) < 0) {
1898 ret
= mount_entry(mntent
->mnt_fsname
, path
, mntent
->mnt_type
, mntflags
,
1899 mntdata
, optional
, dev
, rootfs_path
);
1905 static inline int mount_entry_on_systemfs(struct mntent
*mntent
)
1907 char path
[MAXPATHLEN
];
1910 /* For containers created without a rootfs all mounts are treated as
1911 * absolute paths starting at / on the host. */
1912 if (mntent
->mnt_dir
[0] != '/')
1913 ret
= snprintf(path
, sizeof(path
), "/%s", mntent
->mnt_dir
);
1915 ret
= snprintf(path
, sizeof(path
), "%s", mntent
->mnt_dir
);
1917 if (ret
< 0 || ret
>= sizeof(path
)) {
1918 ERROR("path name too long");
1922 return mount_entry_on_generic(mntent
, path
, NULL
, NULL
, NULL
);
1925 static int mount_entry_on_absolute_rootfs(struct mntent
*mntent
,
1926 const struct lxc_rootfs
*rootfs
,
1927 const char *lxc_name
,
1928 const char *lxc_path
)
1931 char path
[MAXPATHLEN
];
1932 int r
, ret
= 0, offset
;
1933 const char *lxcpath
;
1935 lxcpath
= lxc_global_config_value("lxc.lxcpath");
1937 ERROR("Out of memory");
1941 /* if rootfs->path is a blockdev path, allow container fstab to
1942 * use $lxcpath/CN/rootfs as the target prefix */
1943 r
= snprintf(path
, MAXPATHLEN
, "%s/%s/rootfs", lxcpath
, lxc_name
);
1944 if (r
< 0 || r
>= MAXPATHLEN
)
1947 aux
= strstr(mntent
->mnt_dir
, path
);
1949 offset
= strlen(path
);
1954 aux
= strstr(mntent
->mnt_dir
, rootfs
->path
);
1956 WARN("ignoring mount point '%s'", mntent
->mnt_dir
);
1959 offset
= strlen(rootfs
->path
);
1963 r
= snprintf(path
, MAXPATHLEN
, "%s/%s", rootfs
->mount
,
1965 if (r
< 0 || r
>= MAXPATHLEN
) {
1966 WARN("pathnme too long for '%s'", mntent
->mnt_dir
);
1970 return mount_entry_on_generic(mntent
, path
, rootfs
, lxc_name
, lxc_path
);
1973 static int mount_entry_on_relative_rootfs(struct mntent
*mntent
,
1974 const struct lxc_rootfs
*rootfs
,
1975 const char *lxc_name
,
1976 const char *lxc_path
)
1978 char path
[MAXPATHLEN
];
1981 /* relative to root mount point */
1982 ret
= snprintf(path
, sizeof(path
), "%s/%s", rootfs
->mount
, mntent
->mnt_dir
);
1983 if (ret
< 0 || ret
>= sizeof(path
)) {
1984 ERROR("path name too long");
1988 return mount_entry_on_generic(mntent
, path
, rootfs
, lxc_name
, lxc_path
);
1991 static int mount_file_entries(const struct lxc_rootfs
*rootfs
, FILE *file
,
1992 const char *lxc_name
, const char *lxc_path
)
1994 struct mntent mntent
;
1998 while (getmntent_r(file
, &mntent
, buf
, sizeof(buf
))) {
2000 if (!rootfs
->path
) {
2001 if (mount_entry_on_systemfs(&mntent
))
2006 /* We have a separate root, mounts are relative to it */
2007 if (mntent
.mnt_dir
[0] != '/') {
2008 if (mount_entry_on_relative_rootfs(&mntent
, rootfs
, lxc_name
, lxc_path
))
2013 if (mount_entry_on_absolute_rootfs(&mntent
, rootfs
, lxc_name
, lxc_path
))
2019 INFO("mount points have been setup");
2024 static int setup_mount(const struct lxc_rootfs
*rootfs
, const char *fstab
,
2025 const char *lxc_name
, const char *lxc_path
)
2033 file
= setmntent(fstab
, "r");
2035 SYSERROR("failed to use '%s'", fstab
);
2039 ret
= mount_file_entries(rootfs
, file
, lxc_name
, lxc_path
);
2045 FILE *make_anonymous_mount_file(struct lxc_list
*mount
)
2049 struct lxc_list
*iterator
;
2053 fd
= memfd_create("lxc_mount_file", MFD_CLOEXEC
);
2055 if (errno
!= ENOSYS
)
2059 file
= fdopen(fd
, "r+");
2063 int saved_errno
= errno
;
2066 ERROR("Could not create mount entry file: %s.", strerror(saved_errno
));
2070 lxc_list_for_each(iterator
, mount
) {
2071 mount_entry
= iterator
->elem
;
2072 ret
= fprintf(file
, "%s\n", mount_entry
);
2073 if (ret
< strlen(mount_entry
))
2074 WARN("Could not write mount entry to anonymous mount file.");
2077 if (fseek(file
, 0, SEEK_SET
) < 0) {
2085 static int setup_mount_entries(const struct lxc_rootfs
*rootfs
,
2086 struct lxc_list
*mount
, const char *lxc_name
,
2087 const char *lxc_path
)
2092 file
= make_anonymous_mount_file(mount
);
2096 ret
= mount_file_entries(rootfs
, file
, lxc_name
, lxc_path
);
2102 static int parse_cap(const char *cap
)
2108 if (!strcmp(cap
, "none"))
2111 for (i
= 0; i
< sizeof(caps_opt
)/sizeof(caps_opt
[0]); i
++) {
2113 if (strcmp(cap
, caps_opt
[i
].name
))
2116 capid
= caps_opt
[i
].value
;
2121 /* try to see if it's numeric, so the user may specify
2122 * capabilities that the running kernel knows about but
2125 capid
= strtol(cap
, &ptr
, 10);
2126 if (!ptr
|| *ptr
!= '\0' || errno
!= 0)
2127 /* not a valid number */
2129 else if (capid
> lxc_caps_last_cap())
2130 /* we have a number but it's not a valid
2138 int in_caplist(int cap
, struct lxc_list
*caps
)
2140 struct lxc_list
*iterator
;
2143 lxc_list_for_each(iterator
, caps
) {
2144 capid
= parse_cap(iterator
->elem
);
2152 static int setup_caps(struct lxc_list
*caps
)
2154 struct lxc_list
*iterator
;
2158 lxc_list_for_each(iterator
, caps
) {
2160 drop_entry
= iterator
->elem
;
2162 capid
= parse_cap(drop_entry
);
2165 ERROR("unknown capability %s", drop_entry
);
2169 DEBUG("drop capability '%s' (%d)", drop_entry
, capid
);
2171 if (prctl(PR_CAPBSET_DROP
, capid
, 0, 0, 0)) {
2172 SYSERROR("failed to remove %s capability", drop_entry
);
2178 DEBUG("capabilities have been setup");
2183 static int dropcaps_except(struct lxc_list
*caps
)
2185 struct lxc_list
*iterator
;
2188 int numcaps
= lxc_caps_last_cap() + 1;
2189 INFO("found %d capabilities", numcaps
);
2191 if (numcaps
<= 0 || numcaps
> 200)
2194 // caplist[i] is 1 if we keep capability i
2195 int *caplist
= alloca(numcaps
* sizeof(int));
2196 memset(caplist
, 0, numcaps
* sizeof(int));
2198 lxc_list_for_each(iterator
, caps
) {
2200 keep_entry
= iterator
->elem
;
2202 capid
= parse_cap(keep_entry
);
2208 ERROR("unknown capability %s", keep_entry
);
2212 DEBUG("keep capability '%s' (%d)", keep_entry
, capid
);
2216 for (i
=0; i
<numcaps
; i
++) {
2219 if (prctl(PR_CAPBSET_DROP
, i
, 0, 0, 0)) {
2220 SYSERROR("failed to remove capability %d", i
);
2225 DEBUG("capabilities have been setup");
2230 static int setup_hw_addr(char *hwaddr
, const char *ifname
)
2232 struct sockaddr sockaddr
;
2234 int ret
, fd
, saved_errno
;
2236 ret
= lxc_convert_mac(hwaddr
, &sockaddr
);
2238 ERROR("mac address '%s' conversion failed : %s",
2239 hwaddr
, strerror(-ret
));
2243 memcpy(ifr
.ifr_name
, ifname
, IFNAMSIZ
);
2244 ifr
.ifr_name
[IFNAMSIZ
-1] = '\0';
2245 memcpy((char *) &ifr
.ifr_hwaddr
, (char *) &sockaddr
, sizeof(sockaddr
));
2247 fd
= socket(AF_INET
, SOCK_DGRAM
, 0);
2249 ERROR("socket failure : %s", strerror(errno
));
2253 ret
= ioctl(fd
, SIOCSIFHWADDR
, &ifr
);
2254 saved_errno
= errno
;
2257 ERROR("ioctl failure : %s", strerror(saved_errno
));
2259 DEBUG("mac address '%s' on '%s' has been setup", hwaddr
, ifr
.ifr_name
);
2264 static int setup_ipv4_addr(struct lxc_list
*ip
, int ifindex
)
2266 struct lxc_list
*iterator
;
2267 struct lxc_inetdev
*inetdev
;
2270 lxc_list_for_each(iterator
, ip
) {
2272 inetdev
= iterator
->elem
;
2274 err
= lxc_ipv4_addr_add(ifindex
, &inetdev
->addr
,
2275 &inetdev
->bcast
, inetdev
->prefix
);
2277 ERROR("failed to setup_ipv4_addr ifindex %d : %s",
2278 ifindex
, strerror(-err
));
2286 static int setup_ipv6_addr(struct lxc_list
*ip
, int ifindex
)
2288 struct lxc_list
*iterator
;
2289 struct lxc_inet6dev
*inet6dev
;
2292 lxc_list_for_each(iterator
, ip
) {
2294 inet6dev
= iterator
->elem
;
2296 err
= lxc_ipv6_addr_add(ifindex
, &inet6dev
->addr
,
2297 &inet6dev
->mcast
, &inet6dev
->acast
,
2300 ERROR("failed to setup_ipv6_addr ifindex %d : %s",
2301 ifindex
, strerror(-err
));
2309 static int lxc_setup_netdev_in_child_namespaces(struct lxc_netdev
*netdev
)
2311 char ifname
[IFNAMSIZ
];
2313 const char *net_type_name
;
2314 char *current_ifname
= ifname
;
2316 /* empty network namespace */
2317 if (!netdev
->ifindex
) {
2318 if (netdev
->flags
& IFF_UP
) {
2319 err
= lxc_netdev_up("lo");
2321 ERROR("failed to set the loopback up : %s",
2327 if (netdev
->type
== LXC_NET_EMPTY
)
2330 if (netdev
->type
== LXC_NET_NONE
)
2333 if (netdev
->type
!= LXC_NET_VETH
) {
2334 net_type_name
= lxc_net_type_to_str(netdev
->type
);
2335 ERROR("%s networks are not supported for containers "
2336 "not setup up by privileged users",
2341 netdev
->ifindex
= if_nametoindex(netdev
->name
);
2344 /* get the new ifindex in case of physical netdev */
2345 if (netdev
->type
== LXC_NET_PHYS
) {
2346 if (!(netdev
->ifindex
= if_nametoindex(netdev
->link
))) {
2347 ERROR("failed to get ifindex for %s",
2353 /* retrieve the name of the interface */
2354 if (!if_indextoname(netdev
->ifindex
, current_ifname
)) {
2355 ERROR("no interface corresponding to index '%d'",
2360 /* default: let the system to choose one interface name */
2362 netdev
->name
= netdev
->type
== LXC_NET_PHYS
?
2363 netdev
->link
: "eth%d";
2365 /* rename the interface name */
2366 if (strcmp(ifname
, netdev
->name
) != 0) {
2367 err
= lxc_netdev_rename_by_name(ifname
, netdev
->name
);
2369 ERROR("failed to rename %s->%s : %s", ifname
, netdev
->name
,
2375 /* Re-read the name of the interface because its name has changed
2376 * and would be automatically allocated by the system
2378 if (!if_indextoname(netdev
->ifindex
, current_ifname
)) {
2379 ERROR("no interface corresponding to index '%d'",
2384 /* set a mac address */
2385 if (netdev
->hwaddr
) {
2386 if (setup_hw_addr(netdev
->hwaddr
, current_ifname
)) {
2387 ERROR("failed to setup hw address for '%s'",
2393 /* setup ipv4 addresses on the interface */
2394 if (setup_ipv4_addr(&netdev
->ipv4
, netdev
->ifindex
)) {
2395 ERROR("failed to setup ip addresses for '%s'",
2400 /* setup ipv6 addresses on the interface */
2401 if (setup_ipv6_addr(&netdev
->ipv6
, netdev
->ifindex
)) {
2402 ERROR("failed to setup ipv6 addresses for '%s'",
2407 /* set the network device up */
2408 if (netdev
->flags
& IFF_UP
) {
2411 err
= lxc_netdev_up(current_ifname
);
2413 ERROR("failed to set '%s' up : %s", current_ifname
,
2418 /* the network is up, make the loopback up too */
2419 err
= lxc_netdev_up("lo");
2421 ERROR("failed to set the loopback up : %s",
2427 /* We can only set up the default routes after bringing
2428 * up the interface, sine bringing up the interface adds
2429 * the link-local routes and we can't add a default
2430 * route if the gateway is not reachable. */
2432 /* setup ipv4 gateway on the interface */
2433 if (netdev
->ipv4_gateway
) {
2434 if (!(netdev
->flags
& IFF_UP
)) {
2435 ERROR("Cannot add ipv4 gateway for %s when not bringing up the interface", ifname
);
2439 if (lxc_list_empty(&netdev
->ipv4
)) {
2440 ERROR("Cannot add ipv4 gateway for %s when not assigning an address", ifname
);
2444 err
= lxc_ipv4_gateway_add(netdev
->ifindex
, netdev
->ipv4_gateway
);
2446 err
= lxc_ipv4_dest_add(netdev
->ifindex
, netdev
->ipv4_gateway
);
2448 ERROR("failed to add ipv4 dest for '%s': %s",
2449 ifname
, strerror(-err
));
2452 err
= lxc_ipv4_gateway_add(netdev
->ifindex
, netdev
->ipv4_gateway
);
2454 ERROR("failed to setup ipv4 gateway for '%s': %s",
2455 ifname
, strerror(-err
));
2456 if (netdev
->ipv4_gateway_auto
) {
2457 char buf
[INET_ADDRSTRLEN
];
2458 inet_ntop(AF_INET
, netdev
->ipv4_gateway
, buf
, sizeof(buf
));
2459 ERROR("tried to set autodetected ipv4 gateway '%s'", buf
);
2466 /* setup ipv6 gateway on the interface */
2467 if (netdev
->ipv6_gateway
) {
2468 if (!(netdev
->flags
& IFF_UP
)) {
2469 ERROR("Cannot add ipv6 gateway for %s when not bringing up the interface", ifname
);
2473 if (lxc_list_empty(&netdev
->ipv6
) && !IN6_IS_ADDR_LINKLOCAL(netdev
->ipv6_gateway
)) {
2474 ERROR("Cannot add ipv6 gateway for %s when not assigning an address", ifname
);
2478 err
= lxc_ipv6_gateway_add(netdev
->ifindex
, netdev
->ipv6_gateway
);
2480 err
= lxc_ipv6_dest_add(netdev
->ifindex
, netdev
->ipv6_gateway
);
2482 ERROR("failed to add ipv6 dest for '%s': %s",
2483 ifname
, strerror(-err
));
2486 err
= lxc_ipv6_gateway_add(netdev
->ifindex
, netdev
->ipv6_gateway
);
2488 ERROR("failed to setup ipv6 gateway for '%s': %s",
2489 ifname
, strerror(-err
));
2490 if (netdev
->ipv6_gateway_auto
) {
2491 char buf
[INET6_ADDRSTRLEN
];
2492 inet_ntop(AF_INET6
, netdev
->ipv6_gateway
, buf
, sizeof(buf
));
2493 ERROR("tried to set autodetected ipv6 gateway '%s'", buf
);
2500 DEBUG("'%s' has been setup", current_ifname
);
2505 static int lxc_setup_networks_in_child_namespaces(const struct lxc_conf
*conf
,
2506 struct lxc_list
*network
)
2508 struct lxc_list
*iterator
;
2509 struct lxc_netdev
*netdev
;
2511 lxc_log_configured_netdevs(conf
);
2513 lxc_list_for_each(iterator
, network
) {
2514 netdev
= iterator
->elem
;
2516 /* REMOVE in LXC 3.0 */
2517 if (netdev
->idx
< 0) {
2518 ERROR("WARNING: using \"lxc.network.*\" keys to define "
2519 "networks is DEPRECATED, please switch to using "
2520 "\"lxc.net.[i].* keys\"");
2523 if (lxc_setup_netdev_in_child_namespaces(netdev
)) {
2524 ERROR("failed to setup netdev");
2529 if (!lxc_list_empty(network
))
2530 INFO("network has been setup");
2535 static int parse_resource(const char *res
) {
2539 for (i
= 0; i
< sizeof(limit_opt
)/sizeof(limit_opt
[0]); ++i
) {
2540 if (strcmp(res
, limit_opt
[i
].name
) == 0)
2541 return limit_opt
[i
].value
;
2544 /* try to see if it's numeric, so the user may specify
2545 * resources that the running kernel knows about but
2547 if (lxc_safe_int(res
, &resid
) == 0)
2552 int setup_resource_limits(struct lxc_list
*limits
, pid_t pid
) {
2553 struct lxc_list
*it
;
2554 struct lxc_limit
*lim
;
2557 lxc_list_for_each(it
, limits
) {
2560 resid
= parse_resource(lim
->resource
);
2562 ERROR("unknown resource %s", lim
->resource
);
2566 if (prlimit(pid
, resid
, &lim
->limit
, NULL
) != 0) {
2567 ERROR("failed to set limit %s: %s", lim
->resource
, strerror(errno
));
2574 /* try to move physical nics to the init netns */
2575 void lxc_restore_phys_nics_to_netns(int netnsfd
, struct lxc_conf
*conf
)
2578 char ifname
[IFNAMSIZ
];
2580 if (netnsfd
< 0 || conf
->num_savednics
== 0)
2583 INFO("Running to reset %d nic names.", conf
->num_savednics
);
2585 oldfd
= lxc_preserve_ns(getpid(), "net");
2587 SYSERROR("Failed to open monitor netns fd.");
2591 if (setns(netnsfd
, 0) != 0) {
2592 SYSERROR("Failed to enter container netns to reset nics");
2596 for (i
=0; i
<conf
->num_savednics
; i
++) {
2597 struct saved_nic
*s
= &conf
->saved_nics
[i
];
2598 /* retrieve the name of the interface */
2599 if (!if_indextoname(s
->ifindex
, ifname
)) {
2600 WARN("no interface corresponding to index '%d'", s
->ifindex
);
2603 if (lxc_netdev_move_by_name(ifname
, 1, s
->orig_name
))
2604 WARN("Error moving nic name:%s back to host netns", ifname
);
2607 conf
->num_savednics
= 0;
2609 if (setns(oldfd
, 0) != 0)
2610 SYSERROR("Failed to re-enter monitor's netns");
2614 static char *default_rootfs_mount
= LXCROOTFSMOUNT
;
2616 struct lxc_conf
*lxc_conf_init(void)
2618 struct lxc_conf
*new;
2621 new = malloc(sizeof(*new));
2623 ERROR("lxc_conf_init : %s", strerror(errno
));
2626 memset(new, 0, sizeof(*new));
2628 new->loglevel
= LXC_LOG_LEVEL_NOTSET
;
2629 new->personality
= -1;
2631 new->console
.log_path
= NULL
;
2632 new->console
.log_fd
= -1;
2633 new->console
.path
= NULL
;
2634 new->console
.peer
= -1;
2635 new->console
.peerpty
.busy
= -1;
2636 new->console
.peerpty
.master
= -1;
2637 new->console
.peerpty
.slave
= -1;
2638 new->console
.master
= -1;
2639 new->console
.slave
= -1;
2640 new->console
.name
[0] = '\0';
2641 new->maincmd_fd
= -1;
2643 new->rootfs
.mount
= strdup(default_rootfs_mount
);
2644 if (!new->rootfs
.mount
) {
2645 ERROR("lxc_conf_init : %s", strerror(errno
));
2650 lxc_list_init(&new->cgroup
);
2651 lxc_list_init(&new->network
);
2652 lxc_list_init(&new->mount_list
);
2653 lxc_list_init(&new->caps
);
2654 lxc_list_init(&new->keepcaps
);
2655 lxc_list_init(&new->id_map
);
2656 lxc_list_init(&new->includes
);
2657 lxc_list_init(&new->aliens
);
2658 lxc_list_init(&new->environment
);
2659 lxc_list_init(&new->limits
);
2660 for (i
=0; i
<NUM_LXC_HOOKS
; i
++)
2661 lxc_list_init(&new->hooks
[i
]);
2662 lxc_list_init(&new->groups
);
2663 new->lsm_aa_profile
= NULL
;
2664 new->lsm_se_context
= NULL
;
2665 new->tmp_umount_proc
= 0;
2667 for (i
= 0; i
< LXC_NS_MAX
; i
++)
2668 new->inherit_ns_fd
[i
] = -1;
2670 /* if running in a new user namespace, init and COMMAND
2671 * default to running as UID/GID 0 when using lxc-execute */
2678 static int instantiate_veth(struct lxc_handler
*handler
, struct lxc_netdev
*netdev
)
2680 char *veth1
, *veth2
;
2681 char veth1buf
[IFNAMSIZ
], veth2buf
[IFNAMSIZ
];
2682 int bridge_index
, err
;
2683 unsigned int mtu
= 0;
2685 if (netdev
->priv
.veth_attr
.pair
) {
2686 veth1
= netdev
->priv
.veth_attr
.pair
;
2687 if (handler
->conf
->reboot
)
2688 lxc_netdev_delete_by_name(veth1
);
2690 err
= snprintf(veth1buf
, sizeof(veth1buf
), "vethXXXXXX");
2691 if (err
>= sizeof(veth1buf
)) { /* can't *really* happen, but... */
2692 ERROR("veth1 name too long");
2695 veth1
= lxc_mkifname(veth1buf
);
2697 ERROR("failed to allocate a temporary name");
2700 /* store away for deconf */
2701 memcpy(netdev
->priv
.veth_attr
.veth1
, veth1
, IFNAMSIZ
);
2704 snprintf(veth2buf
, sizeof(veth2buf
), "vethXXXXXX");
2705 veth2
= lxc_mkifname(veth2buf
);
2707 ERROR("failed to allocate a temporary name");
2711 err
= lxc_veth_create(veth1
, veth2
);
2713 ERROR("failed to create veth pair \"%s\" and \"%s\": %s", veth1
,
2714 veth2
, strerror(-err
));
2718 /* changing the high byte of the mac address to 0xfe, the bridge interface
2719 * will always keep the host's mac address and not take the mac address
2721 err
= setup_private_host_hw_addr(veth1
);
2723 ERROR("failed to change mac address of host interface \"%s\": %s",
2724 veth1
, strerror(-err
));
2728 netdev
->ifindex
= if_nametoindex(veth2
);
2729 if (!netdev
->ifindex
) {
2730 ERROR("failed to retrieve the index for \"%s\"", veth2
);
2735 if (lxc_safe_uint(netdev
->mtu
, &mtu
) < 0)
2736 WARN("failed to parse mtu from");
2738 INFO("retrieved mtu %d", mtu
);
2739 } else if (netdev
->link
) {
2740 bridge_index
= if_nametoindex(netdev
->link
);
2742 mtu
= netdev_get_mtu(bridge_index
);
2743 INFO("retrieved mtu %d from %s", mtu
, netdev
->link
);
2745 mtu
= netdev_get_mtu(netdev
->ifindex
);
2746 INFO("retrieved mtu %d from %s", mtu
, veth2
);
2751 err
= lxc_netdev_set_mtu(veth1
, mtu
);
2753 err
= lxc_netdev_set_mtu(veth2
, mtu
);
2755 ERROR("failed to set mtu \"%d\" for veth pair \"%s\" "
2757 mtu
, veth1
, veth2
, strerror(-err
));
2763 err
= lxc_bridge_attach(handler
->lxcpath
, handler
->name
, netdev
->link
, veth1
);
2765 ERROR("failed to attach \"%s\" to bridge \"%s\": %s",
2766 veth1
, netdev
->link
, strerror(-err
));
2769 INFO("attached \"%s\" to bridge \"%s\"", veth1
, netdev
->link
);
2772 err
= lxc_netdev_up(veth1
);
2774 ERROR("failed to set \"%s\" up: %s", veth1
, strerror(-err
));
2778 if (netdev
->upscript
) {
2779 err
= run_script(handler
->name
, "net", netdev
->upscript
, "up",
2780 "veth", veth1
, (char*) NULL
);
2785 DEBUG("instantiated veth \"%s/%s\", index is \"%d\"", veth1
, veth2
,
2791 if (netdev
->ifindex
!= 0)
2792 lxc_netdev_delete_by_name(veth1
);
2793 if (!netdev
->priv
.veth_attr
.pair
)
2799 static int shutdown_veth(struct lxc_handler
*handler
, struct lxc_netdev
*netdev
)
2804 if (netdev
->priv
.veth_attr
.pair
)
2805 veth1
= netdev
->priv
.veth_attr
.pair
;
2807 veth1
= netdev
->priv
.veth_attr
.veth1
;
2809 if (netdev
->downscript
) {
2810 err
= run_script(handler
->name
, "net", netdev
->downscript
,
2811 "down", "veth", veth1
, (char*) NULL
);
2818 static int instantiate_macvlan(struct lxc_handler
*handler
, struct lxc_netdev
*netdev
)
2820 char peerbuf
[IFNAMSIZ
], *peer
;
2823 if (!netdev
->link
) {
2824 ERROR("no link specified for macvlan netdev");
2828 err
= snprintf(peerbuf
, sizeof(peerbuf
), "mcXXXXXX");
2829 if (err
>= sizeof(peerbuf
))
2832 peer
= lxc_mkifname(peerbuf
);
2834 ERROR("failed to make a temporary name");
2838 err
= lxc_macvlan_create(netdev
->link
, peer
,
2839 netdev
->priv
.macvlan_attr
.mode
);
2841 ERROR("failed to create macvlan interface '%s' on '%s' : %s",
2842 peer
, netdev
->link
, strerror(-err
));
2846 netdev
->ifindex
= if_nametoindex(peer
);
2847 if (!netdev
->ifindex
) {
2848 ERROR("failed to retrieve the index for %s", peer
);
2852 if (netdev
->upscript
) {
2853 err
= run_script(handler
->name
, "net", netdev
->upscript
, "up",
2854 "macvlan", netdev
->link
, (char*) NULL
);
2859 DEBUG("instantiated macvlan '%s', index is '%d' and mode '%d'",
2860 peer
, netdev
->ifindex
, netdev
->priv
.macvlan_attr
.mode
);
2864 lxc_netdev_delete_by_name(peer
);
2869 static int shutdown_macvlan(struct lxc_handler
*handler
, struct lxc_netdev
*netdev
)
2873 if (netdev
->downscript
) {
2874 err
= run_script(handler
->name
, "net", netdev
->downscript
,
2875 "down", "macvlan", netdev
->link
,
2883 /* XXX: merge with instantiate_macvlan */
2884 static int instantiate_vlan(struct lxc_handler
*handler
, struct lxc_netdev
*netdev
)
2886 char peer
[IFNAMSIZ
];
2888 static uint16_t vlan_cntr
= 0;
2889 unsigned int mtu
= 0;
2891 if (!netdev
->link
) {
2892 ERROR("no link specified for vlan netdev");
2896 err
= snprintf(peer
, sizeof(peer
), "vlan%d-%d", netdev
->priv
.vlan_attr
.vid
, vlan_cntr
++);
2897 if (err
>= sizeof(peer
)) {
2898 ERROR("peer name too long");
2902 err
= lxc_vlan_create(netdev
->link
, peer
, netdev
->priv
.vlan_attr
.vid
);
2904 ERROR("failed to create vlan interface '%s' on '%s' : %s",
2905 peer
, netdev
->link
, strerror(-err
));
2909 netdev
->ifindex
= if_nametoindex(peer
);
2910 if (!netdev
->ifindex
) {
2911 ERROR("failed to retrieve the ifindex for %s", peer
);
2912 lxc_netdev_delete_by_name(peer
);
2916 DEBUG("instantiated vlan '%s', ifindex is '%d'", " vlan1000",
2919 if (lxc_safe_uint(netdev
->mtu
, &mtu
) < 0) {
2920 ERROR("Failed to retrieve mtu from: '%d'/'%s'.",
2921 netdev
->ifindex
, netdev
->name
);
2924 err
= lxc_netdev_set_mtu(peer
, mtu
);
2926 ERROR("failed to set mtu '%s' for %s : %s",
2927 netdev
->mtu
, peer
, strerror(-err
));
2928 lxc_netdev_delete_by_name(peer
);
2936 static int shutdown_vlan(struct lxc_handler
*handler
, struct lxc_netdev
*netdev
)
2941 static int instantiate_phys(struct lxc_handler
*handler
, struct lxc_netdev
*netdev
)
2943 if (!netdev
->link
) {
2944 ERROR("no link specified for the physical interface");
2948 netdev
->ifindex
= if_nametoindex(netdev
->link
);
2949 if (!netdev
->ifindex
) {
2950 ERROR("failed to retrieve the index for %s", netdev
->link
);
2954 if (netdev
->upscript
) {
2956 err
= run_script(handler
->name
, "net", netdev
->upscript
,
2957 "up", "phys", netdev
->link
, (char*) NULL
);
2965 static int shutdown_phys(struct lxc_handler
*handler
, struct lxc_netdev
*netdev
)
2969 if (netdev
->downscript
) {
2970 err
= run_script(handler
->name
, "net", netdev
->downscript
,
2971 "down", "phys", netdev
->link
, (char*) NULL
);
2978 static int instantiate_none(struct lxc_handler
*handler
, struct lxc_netdev
*netdev
)
2980 netdev
->ifindex
= 0;
2984 static int instantiate_empty(struct lxc_handler
*handler
, struct lxc_netdev
*netdev
)
2986 netdev
->ifindex
= 0;
2987 if (netdev
->upscript
) {
2989 err
= run_script(handler
->name
, "net", netdev
->upscript
,
2990 "up", "empty", (char*) NULL
);
2997 static int shutdown_empty(struct lxc_handler
*handler
, struct lxc_netdev
*netdev
)
3001 if (netdev
->downscript
) {
3002 err
= run_script(handler
->name
, "net", netdev
->downscript
,
3003 "down", "empty", (char*) NULL
);
3010 static int shutdown_none(struct lxc_handler
*handler
, struct lxc_netdev
*netdev
)
3015 int lxc_requests_empty_network(struct lxc_handler
*handler
)
3017 struct lxc_list
*network
= &handler
->conf
->network
;
3018 struct lxc_list
*iterator
;
3019 struct lxc_netdev
*netdev
;
3020 bool found_none
= false, found_nic
= false;
3022 if (lxc_list_empty(network
))
3025 lxc_list_for_each(iterator
, network
) {
3027 netdev
= iterator
->elem
;
3029 if (netdev
->type
== LXC_NET_NONE
)
3034 if (found_none
&& !found_nic
)
3039 int lxc_setup_networks_in_parent_namespaces(struct lxc_handler
*handler
)
3042 struct lxc_netdev
*netdev
;
3043 struct lxc_list
*iterator
;
3044 struct lxc_list
*network
= &handler
->conf
->network
;
3046 /* We need to be root. */
3047 am_root
= (getuid() == 0);
3051 lxc_list_for_each(iterator
, network
) {
3052 netdev
= iterator
->elem
;
3054 if (netdev
->type
< 0 || netdev
->type
> LXC_NET_MAXCONFTYPE
) {
3055 ERROR("invalid network configuration type '%d'",
3060 if (netdev
->type
!= LXC_NET_MACVLAN
&&
3061 netdev
->priv
.macvlan_attr
.mode
) {
3062 ERROR("Invalid macvlan.mode for a non-macvlan netdev");
3066 if (netdev
->type
!= LXC_NET_VETH
&&
3067 netdev
->priv
.veth_attr
.pair
) {
3068 ERROR("Invalid veth pair for a non-veth netdev");
3072 if (netdev
->type
!= LXC_NET_VLAN
&&
3073 netdev
->priv
.vlan_attr
.vid
> 0) {
3074 ERROR("Invalid vlan.id for a non-macvlan netdev");
3078 if (netdev_conf
[netdev
->type
](handler
, netdev
)) {
3079 ERROR("failed to create netdev");
3088 bool lxc_delete_network(struct lxc_handler
*handler
)
3091 struct lxc_list
*network
= &handler
->conf
->network
;
3092 struct lxc_list
*iterator
;
3093 struct lxc_netdev
*netdev
;
3094 bool deleted_all
= true;
3096 lxc_list_for_each(iterator
, network
) {
3097 netdev
= iterator
->elem
;
3099 if (netdev
->ifindex
!= 0 && netdev
->type
== LXC_NET_PHYS
) {
3100 if (lxc_netdev_rename_by_index(netdev
->ifindex
, netdev
->link
))
3101 WARN("Failed to rename interface with index %d "
3102 "to its initial name \"%s\".",
3103 netdev
->ifindex
, netdev
->link
);
3107 if (netdev_deconf
[netdev
->type
](handler
, netdev
)) {
3108 WARN("Failed to destroy netdev");
3111 /* Recent kernel remove the virtual interfaces when the network
3112 * namespace is destroyed but in case we did not moved the
3113 * interface to the network namespace, we have to destroy it
3115 if (netdev
->ifindex
!= 0) {
3116 ret
= lxc_netdev_delete_by_index(netdev
->ifindex
);
3117 if (-ret
== ENODEV
) {
3118 INFO("Interface \"%s\" with index %d already "
3119 "deleted or existing in different network "
3121 netdev
->name
? netdev
->name
: "(null)",
3123 } else if (ret
< 0) {
3124 deleted_all
= false;
3125 WARN("Failed to remove interface \"%s\" with "
3127 netdev
->name
? netdev
->name
: "(null)",
3128 netdev
->ifindex
, strerror(-ret
));
3130 INFO("Removed interface \"%s\" with index %d.",
3131 netdev
->name
? netdev
->name
: "(null)",
3136 /* Explicitly delete host veth device to prevent lingering
3137 * devices. We had issues in LXD around this.
3139 if (netdev
->ifindex
!= 0 && netdev
->type
== LXC_NET_VETH
&& !am_unpriv()) {
3141 if (netdev
->priv
.veth_attr
.pair
) {
3142 hostveth
= netdev
->priv
.veth_attr
.pair
;
3143 ret
= lxc_netdev_delete_by_name(hostveth
);
3145 WARN("Failed to remove interface \"%s\" from host: %s.", hostveth
, strerror(-ret
));
3147 INFO("Removed interface \"%s\" from host.", hostveth
);
3149 } else if (strlen(netdev
->priv
.veth_attr
.veth1
) > 0) {
3150 hostveth
= netdev
->priv
.veth_attr
.veth1
;
3151 ret
= lxc_netdev_delete_by_name(hostveth
);
3153 WARN("Failed to remove \"%s\" from host: %s.", hostveth
, strerror(-ret
));
3155 INFO("Removed interface \"%s\" from host.", hostveth
);
3156 memset((void *)&netdev
->priv
.veth_attr
.veth1
, 0, sizeof(netdev
->priv
.veth_attr
.veth1
));
3165 #define LXC_USERNIC_PATH LIBEXECDIR "/lxc/lxc-user-nic"
3167 /* lxc-user-nic returns "interface_name:interface_name\n" */
3168 #define MAX_BUFFER_SIZE IFNAMSIZ * 2 + 2
3169 static int unpriv_assign_nic(const char *lxcpath
, char *lxcname
,
3170 struct lxc_netdev
*netdev
, pid_t pid
)
3173 int bytes
, pipefd
[2];
3174 char *token
, *saveptr
= NULL
;
3175 char buffer
[MAX_BUFFER_SIZE
];
3176 char netdev_link
[IFNAMSIZ
+ 1];
3178 if (netdev
->type
!= LXC_NET_VETH
) {
3179 ERROR("nic type %d not support for unprivileged use",
3184 if (pipe(pipefd
) < 0) {
3185 SYSERROR("pipe failed");
3197 if (child
== 0) { // child
3198 /* Call lxc-user-nic pid type bridge. */
3200 char pidstr
[LXC_NUMSTRLEN64
];
3202 close(pipefd
[0]); /* Close the read-end of the pipe. */
3204 /* Redirect stdout to write-end of the pipe. */
3205 ret
= dup2(pipefd
[1], STDOUT_FILENO
);
3206 close(pipefd
[1]); /* Close the write-end of the pipe. */
3208 SYSERROR("Failed to dup2() to redirect stdout to pipe file descriptor.");
3213 strncpy(netdev_link
, netdev
->link
, IFNAMSIZ
);
3215 strncpy(netdev_link
, "none", IFNAMSIZ
);
3217 ret
= snprintf(pidstr
, LXC_NUMSTRLEN64
, "%d", pid
);
3218 if (ret
< 0 || ret
>= LXC_NUMSTRLEN64
)
3220 pidstr
[LXC_NUMSTRLEN64
- 1] = '\0';
3222 INFO("Execing lxc-user-nic %s %s %s veth %s %s", lxcpath
,
3223 lxcname
, pidstr
, netdev_link
, netdev
->name
);
3224 execlp(LXC_USERNIC_PATH
, LXC_USERNIC_PATH
, lxcpath
, lxcname
,
3225 pidstr
, "veth", netdev_link
, netdev
->name
, NULL
);
3227 SYSERROR("Failed to exec lxc-user-nic.");
3231 /* close the write-end of the pipe */
3234 bytes
= read(pipefd
[0], &buffer
, MAX_BUFFER_SIZE
);
3236 SYSERROR("Failed to read from pipe file descriptor.");
3237 buffer
[bytes
- 1] = '\0';
3239 if (wait_for_pid(child
) != 0) {
3244 /* close the read-end of the pipe */
3247 /* fill netdev->name field */
3248 token
= strtok_r(buffer
, ":", &saveptr
);
3252 netdev
->name
= malloc(IFNAMSIZ
+ 1);
3253 if (!netdev
->name
) {
3254 SYSERROR("Failed to allocate memory.");
3257 memset(netdev
->name
, 0, IFNAMSIZ
+ 1);
3258 strncpy(netdev
->name
, token
, IFNAMSIZ
);
3260 /* fill netdev->veth_attr.pair field */
3261 token
= strtok_r(NULL
, ":", &saveptr
);
3265 netdev
->priv
.veth_attr
.pair
= strdup(token
);
3266 if (!netdev
->priv
.veth_attr
.pair
) {
3267 ERROR("Failed to allocate memory.");
3274 int lxc_assign_network(const char *lxcpath
, char *lxcname
,
3275 struct lxc_list
*network
, pid_t pid
)
3277 struct lxc_list
*iterator
;
3278 struct lxc_netdev
*netdev
;
3279 char ifname
[IFNAMSIZ
];
3280 int am_root
= (getuid() == 0);
3283 lxc_list_for_each(iterator
, network
) {
3285 netdev
= iterator
->elem
;
3287 if (netdev
->type
== LXC_NET_VETH
&& !am_root
) {
3289 INFO("mtu ignored due to insufficient privilege");
3290 if (unpriv_assign_nic(lxcpath
, lxcname
, netdev
, pid
))
3292 /* lxc-user-nic has moved the nic to the new ns.
3293 * unpriv_assign_nic() fills in netdev->name.
3294 * netdev->ifindex will be filed in at
3295 * lxc_setup_netdev_in_child_namespaces.
3300 /* empty network namespace, nothing to move */
3301 if (!netdev
->ifindex
)
3304 /* retrieve the name of the interface */
3305 if (!if_indextoname(netdev
->ifindex
, ifname
)) {
3306 ERROR("no interface corresponding to index '%d'", netdev
->ifindex
);
3310 err
= lxc_netdev_move_by_name(ifname
, pid
, NULL
);
3312 ERROR("failed to move '%s' to the container : %s",
3313 netdev
->link
, strerror(-err
));
3317 DEBUG("move '%s'/'%s' to '%d': .", ifname
, netdev
->name
, pid
);
3323 static int write_id_mapping(enum idtype idtype
, pid_t pid
, const char *buf
,
3326 char path
[MAXPATHLEN
];
3329 ret
= snprintf(path
, MAXPATHLEN
, "/proc/%d/%cid_map", pid
,
3330 idtype
== ID_TYPE_UID
? 'u' : 'g');
3331 if (ret
< 0 || ret
>= MAXPATHLEN
) {
3332 ERROR("failed to create path \"%s\"", path
);
3336 fd
= open(path
, O_WRONLY
);
3338 SYSERROR("failed to open \"%s\"", path
);
3343 ret
= lxc_write_nointr(fd
, buf
, buf_size
);
3344 if (ret
!= buf_size
) {
3345 SYSERROR("failed to write %cid mapping to \"%s\"",
3346 idtype
== ID_TYPE_UID
? 'u' : 'g', path
);
3355 /* Check whether a binary exist and has either CAP_SETUID, CAP_SETGID or both.
3357 * @return 1 if functional binary was found
3358 * @return 0 if binary exists but is lacking privilege
3359 * @return -ENOENT if binary does not exist
3360 * @return -EINVAL if cap to check is neither CAP_SETUID nor CAP_SETGID
3363 static int idmaptool_on_path_and_privileged(const char *binary
, cap_value_t cap
)
3370 if (cap
!= CAP_SETUID
&& cap
!= CAP_SETGID
)
3373 path
= on_path(binary
, NULL
);
3377 ret
= stat(path
, &st
);
3383 /* Check if the binary is setuid. */
3384 if (st
.st_mode
& S_ISUID
) {
3385 DEBUG("The binary \"%s\" does have the setuid bit set.", path
);
3390 #if HAVE_LIBCAP && LIBCAP_SUPPORTS_FILE_CAPABILITIES
3391 /* Check if it has the CAP_SETUID capability. */
3392 if ((cap
& CAP_SETUID
) &&
3393 lxc_file_cap_is_set(path
, CAP_SETUID
, CAP_EFFECTIVE
) &&
3394 lxc_file_cap_is_set(path
, CAP_SETUID
, CAP_PERMITTED
)) {
3395 DEBUG("The binary \"%s\" has CAP_SETUID in its CAP_EFFECTIVE "
3396 "and CAP_PERMITTED sets.", path
);
3401 /* Check if it has the CAP_SETGID capability. */
3402 if ((cap
& CAP_SETGID
) &&
3403 lxc_file_cap_is_set(path
, CAP_SETGID
, CAP_EFFECTIVE
) &&
3404 lxc_file_cap_is_set(path
, CAP_SETGID
, CAP_PERMITTED
)) {
3405 DEBUG("The binary \"%s\" has CAP_SETGID in its CAP_EFFECTIVE "
3406 "and CAP_PERMITTED sets.", path
);
3411 /* If we cannot check for file capabilities we need to give the benefit
3412 * of the doubt. Otherwise we might fail even though all the necessary
3413 * file capabilities are set.
3415 DEBUG("Cannot check for file capabilites as full capability support is "
3416 "missing. Manual intervention needed.");
3425 int lxc_map_ids_exec_wrapper(void *args
)
3427 execl("/bin/sh", "sh", "-c", (char *)args
, (char *)NULL
);
3431 int lxc_map_ids(struct lxc_list
*idmap
, pid_t pid
)
3434 struct lxc_list
*iterator
;
3439 char cmd_output
[MAXPATHLEN
];
3440 /* strlen("new@idmap") = 9
3448 * We add some additional space to make sure that we really have
3449 * LXC_IDMAPLEN bytes available for our the {g,u]id mapping.
3451 char mapbuf
[9 + 1 + LXC_NUMSTRLEN64
+ 1 + LXC_IDMAPLEN
] = {0};
3452 int ret
= 0, uidmap
= 0, gidmap
= 0;
3453 bool use_shadow
= false, had_entry
= false;
3455 /* If new{g,u}idmap exists, that is, if shadow is handing out subuid
3456 * ranges, then insist that root also reserve ranges in subuid. This
3457 * will protected it by preventing another user from being handed the
3460 uidmap
= idmaptool_on_path_and_privileged("newuidmap", CAP_SETUID
);
3461 if (uidmap
== -ENOENT
)
3462 WARN("newuidmap binary is missing");
3464 WARN("newuidmap is lacking necessary privileges");
3466 gidmap
= idmaptool_on_path_and_privileged("newgidmap", CAP_SETGID
);
3467 if (gidmap
== -ENOENT
)
3468 WARN("newgidmap binary is missing");
3470 WARN("newgidmap is lacking necessary privileges");
3472 if (uidmap
> 0 && gidmap
> 0) {
3473 DEBUG("Functional newuidmap and newgidmap binary found.");
3476 /* In case unprivileged users run application containers via
3477 * execute() or a start*() there are valid cases where they may
3478 * only want to map their own {g,u}id. Let's not block them from
3479 * doing so by requiring geteuid() == 0.
3481 DEBUG("No newuidmap and newgidmap binary found. Trying to "
3482 "write directly with euid %d.", geteuid());
3485 for (type
= ID_TYPE_UID
, u_or_g
= 'u'; type
<= ID_TYPE_GID
;
3486 type
++, u_or_g
= 'g') {
3490 pos
+= sprintf(mapbuf
, "new%cidmap %d", u_or_g
, pid
);
3492 lxc_list_for_each(iterator
, idmap
) {
3493 /* The kernel only takes <= 4k for writes to
3494 * /proc/<nr>/[ug]id_map
3496 map
= iterator
->elem
;
3497 if (map
->idtype
!= type
)
3502 left
= LXC_IDMAPLEN
- (pos
- mapbuf
);
3503 fill
= snprintf(pos
, left
, "%s%lu %lu %lu%s",
3504 use_shadow
? " " : "", map
->nsid
,
3505 map
->hostid
, map
->range
,
3506 use_shadow
? "" : "\n");
3507 if (fill
<= 0 || fill
>= left
)
3508 SYSERROR("Too many {g,u}id mappings defined.");
3515 /* Try to catch the ouput of new{g,u}idmap to make debugging
3519 ret
= run_command(cmd_output
, sizeof(cmd_output
),
3520 lxc_map_ids_exec_wrapper
,
3523 ERROR("new%cidmap failed to write mapping: %s",
3524 u_or_g
, cmd_output
);
3528 ret
= write_id_mapping(type
, pid
, mapbuf
, pos
- mapbuf
);
3533 memset(mapbuf
, 0, sizeof(mapbuf
));
3540 * return the host uid/gid to which the container root is mapped in
3542 * Return true if id was found, false otherwise.
3544 bool get_mapped_rootid(struct lxc_conf
*conf
, enum idtype idtype
,
3547 struct lxc_list
*it
;
3550 lxc_list_for_each(it
, &conf
->id_map
) {
3552 if (map
->idtype
!= idtype
)
3562 int mapped_hostid(unsigned id
, struct lxc_conf
*conf
, enum idtype idtype
)
3564 struct lxc_list
*it
;
3566 lxc_list_for_each(it
, &conf
->id_map
) {
3568 if (map
->idtype
!= idtype
)
3570 if (id
>= map
->hostid
&& id
< map
->hostid
+ map
->range
)
3571 return (id
- map
->hostid
) + map
->nsid
;
3576 int find_unmapped_nsid(struct lxc_conf
*conf
, enum idtype idtype
)
3578 struct lxc_list
*it
;
3580 unsigned int freeid
= 0;
3582 lxc_list_for_each(it
, &conf
->id_map
) {
3584 if (map
->idtype
!= idtype
)
3586 if (freeid
>= map
->nsid
&& freeid
< map
->nsid
+ map
->range
) {
3587 freeid
= map
->nsid
+ map
->range
;
3594 int lxc_find_gateway_addresses(struct lxc_handler
*handler
)
3596 struct lxc_list
*network
= &handler
->conf
->network
;
3597 struct lxc_list
*iterator
;
3598 struct lxc_netdev
*netdev
;
3601 lxc_list_for_each(iterator
, network
) {
3602 netdev
= iterator
->elem
;
3604 if (!netdev
->ipv4_gateway_auto
&& !netdev
->ipv6_gateway_auto
)
3607 if (netdev
->type
!= LXC_NET_VETH
&& netdev
->type
!= LXC_NET_MACVLAN
) {
3608 ERROR("gateway = auto only supported for "
3609 "veth and macvlan");
3613 if (!netdev
->link
) {
3614 ERROR("gateway = auto needs a link interface");
3618 link_index
= if_nametoindex(netdev
->link
);
3622 if (netdev
->ipv4_gateway_auto
) {
3623 if (lxc_ipv4_addr_get(link_index
, &netdev
->ipv4_gateway
)) {
3624 ERROR("failed to automatically find ipv4 gateway "
3625 "address from link interface '%s'", netdev
->link
);
3630 if (netdev
->ipv6_gateway_auto
) {
3631 if (lxc_ipv6_addr_get(link_index
, &netdev
->ipv6_gateway
)) {
3632 ERROR("failed to automatically find ipv6 gateway "
3633 "address from link interface '%s'", netdev
->link
);
3642 int lxc_create_tty(const char *name
, struct lxc_conf
*conf
)
3644 struct lxc_tty_info
*tty_info
= &conf
->tty_info
;
3647 /* no tty in the configuration */
3651 tty_info
->pty_info
= malloc(sizeof(*tty_info
->pty_info
) * conf
->tty
);
3652 if (!tty_info
->pty_info
) {
3653 SYSERROR("failed to allocate struct *pty_info");
3657 for (i
= 0; i
< conf
->tty
; i
++) {
3658 struct lxc_pty_info
*pty_info
= &tty_info
->pty_info
[i
];
3661 ret
= openpty(&pty_info
->master
, &pty_info
->slave
,
3662 pty_info
->name
, NULL
, NULL
);
3665 SYSERROR("failed to create pty device number %d", i
);
3666 tty_info
->nbtty
= i
;
3667 lxc_delete_tty(tty_info
);
3671 DEBUG("allocated pty \"%s\" with master fd %d and slave fd %d",
3672 pty_info
->name
, pty_info
->master
, pty_info
->slave
);
3674 /* Prevent leaking the file descriptors to the container */
3675 ret
= fcntl(pty_info
->master
, F_SETFD
, FD_CLOEXEC
);
3677 WARN("failed to set FD_CLOEXEC flag on master fd %d of "
3678 "pty device \"%s\": %s",
3679 pty_info
->master
, pty_info
->name
, strerror(errno
));
3681 ret
= fcntl(pty_info
->slave
, F_SETFD
, FD_CLOEXEC
);
3683 WARN("failed to set FD_CLOEXEC flag on slave fd %d of "
3684 "pty device \"%s\": %s",
3685 pty_info
->slave
, pty_info
->name
, strerror(errno
));
3690 tty_info
->nbtty
= conf
->tty
;
3692 INFO("finished allocating %d pts devices", conf
->tty
);
3696 void lxc_delete_tty(struct lxc_tty_info
*tty_info
)
3700 for (i
= 0; i
< tty_info
->nbtty
; i
++) {
3701 struct lxc_pty_info
*pty_info
= &tty_info
->pty_info
[i
];
3703 close(pty_info
->master
);
3704 close(pty_info
->slave
);
3707 free(tty_info
->pty_info
);
3708 tty_info
->pty_info
= NULL
;
3709 tty_info
->nbtty
= 0;
3713 int chown_mapped_root_exec_wrapper(void *args
)
3715 execvp("lxc-usernsexec", args
);
3720 * chown_mapped_root: for an unprivileged user with uid/gid X to
3721 * chown a dir to subuid/subgid Y, he needs to run chown as root
3722 * in a userns where nsid 0 is mapped to hostuid/hostgid Y, and
3723 * nsid Y is mapped to hostuid/hostgid X. That way, the container
3724 * root is privileged with respect to hostuid/hostgid X, allowing
3725 * him to do the chown.
3727 int chown_mapped_root(char *path
, struct lxc_conf
*conf
)
3729 uid_t rootuid
, rootgid
;
3731 char *chownpath
= path
;
3732 int hostuid
, hostgid
, ret
;
3734 char map1
[100], map2
[100], map3
[100], map4
[100], map5
[100];
3736 char *args1
[] = {"lxc-usernsexec",
3741 "--", "chown", ugid
, path
,
3743 char *args2
[] = {"lxc-usernsexec",
3749 "--", "chown", ugid
, path
,
3751 char cmd_output
[MAXPATHLEN
];
3753 hostuid
= geteuid();
3754 hostgid
= getegid();
3756 if (!get_mapped_rootid(conf
, ID_TYPE_UID
, &val
)) {
3757 ERROR("No uid mapping for container root");
3760 rootuid
= (uid_t
)val
;
3761 if (!get_mapped_rootid(conf
, ID_TYPE_GID
, &val
)) {
3762 ERROR("No gid mapping for container root");
3765 rootgid
= (gid_t
)val
;
3768 * In case of overlay, we want only the writeable layer to be chowned
3770 if (strncmp(path
, "overlayfs:", 10) == 0 || strncmp(path
, "aufs:", 5) == 0) {
3771 chownpath
= strchr(path
, ':');
3773 ERROR("Bad overlay path: %s", path
);
3776 chownpath
= strchr(chownpath
+ 1, ':');
3778 ERROR("Bad overlay path: %s", path
);
3785 if (chown(path
, rootuid
, rootgid
) < 0) {
3786 ERROR("Error chowning %s", path
);
3792 if (rootuid
== hostuid
) {
3794 INFO("Container root is our uid; no need to chown");
3798 /* save the current gid of "path" */
3799 if (stat(path
, &sb
) < 0) {
3800 ERROR("Error stat %s", path
);
3804 /* Update the path argument in case this was overlayfs. */
3805 args1
[sizeof(args1
) / sizeof(args1
[0]) - 2] = path
;
3806 args2
[sizeof(args2
) / sizeof(args2
[0]) - 2] = path
;
3809 * A file has to be group-owned by a gid mapped into the
3810 * container, or the container won't be privileged over it.
3812 DEBUG("trying to chown \"%s\" to %d", path
, hostgid
);
3813 if (sb
.st_uid
== hostuid
&&
3814 mapped_hostid(sb
.st_gid
, conf
, ID_TYPE_GID
) < 0 &&
3815 chown(path
, -1, hostgid
) < 0) {
3816 ERROR("Failed chgrping %s", path
);
3821 ret
= snprintf(map1
, 100, "u:0:%d:1", rootuid
);
3822 if (ret
< 0 || ret
>= 100) {
3823 ERROR("Error uid printing map string");
3827 // "u:hostuid:hostuid:1"
3828 ret
= snprintf(map2
, 100, "u:%d:%d:1", hostuid
, hostuid
);
3829 if (ret
< 0 || ret
>= 100) {
3830 ERROR("Error uid printing map string");
3835 ret
= snprintf(map3
, 100, "g:0:%d:1", rootgid
);
3836 if (ret
< 0 || ret
>= 100) {
3837 ERROR("Error gid printing map string");
3841 // "g:pathgid:rootgid+pathgid:1"
3842 ret
= snprintf(map4
, 100, "g:%d:%d:1", (gid_t
)sb
.st_gid
,
3843 rootgid
+ (gid_t
)sb
.st_gid
);
3844 if (ret
< 0 || ret
>= 100) {
3845 ERROR("Error gid printing map string");
3849 // "g:hostgid:hostgid:1"
3850 ret
= snprintf(map5
, 100, "g:%d:%d:1", hostgid
, hostgid
);
3851 if (ret
< 0 || ret
>= 100) {
3852 ERROR("Error gid printing map string");
3856 // "0:pathgid" (chown)
3857 ret
= snprintf(ugid
, 100, "0:%d", (gid_t
)sb
.st_gid
);
3858 if (ret
< 0 || ret
>= 100) {
3859 ERROR("Error owner printing format string for chown");
3863 if (hostgid
== sb
.st_gid
)
3864 ret
= run_command(cmd_output
, sizeof(cmd_output
),
3865 chown_mapped_root_exec_wrapper
,
3868 ret
= run_command(cmd_output
, sizeof(cmd_output
),
3869 chown_mapped_root_exec_wrapper
,
3872 ERROR("lxc-usernsexec failed: %s", cmd_output
);
3877 int lxc_ttys_shift_ids(struct lxc_conf
*c
)
3879 if (lxc_list_empty(&c
->id_map
))
3882 if (!strcmp(c
->console
.name
, ""))
3885 if (chown_mapped_root(c
->console
.name
, c
) < 0) {
3886 ERROR("failed to chown console \"%s\"", c
->console
.name
);
3890 TRACE("chowned console \"%s\"", c
->console
.name
);
3895 /* NOTE: Must not be called from inside the container namespace! */
3896 int lxc_create_tmp_proc_mount(struct lxc_conf
*conf
)
3900 mounted
= lxc_mount_proc_if_needed(conf
->rootfs
.path
? conf
->rootfs
.mount
: "");
3901 if (mounted
== -1) {
3902 SYSERROR("failed to mount /proc in the container");
3903 /* continue only if there is no rootfs */
3904 if (conf
->rootfs
.path
)
3906 } else if (mounted
== 1) {
3907 conf
->tmp_umount_proc
= 1;
3913 void tmp_proc_unmount(struct lxc_conf
*lxc_conf
)
3915 if (lxc_conf
->tmp_umount_proc
== 1) {
3917 lxc_conf
->tmp_umount_proc
= 0;
3921 void remount_all_slave(void)
3923 /* walk /proc/mounts and change any shared entries to slave */
3924 FILE *f
= fopen("/proc/self/mountinfo", "r");
3929 SYSERROR("Failed to open /proc/self/mountinfo to mark all shared");
3930 ERROR("Continuing container startup...");
3934 while (getline(&line
, &len
, f
) != -1) {
3935 char *target
, *opts
;
3936 target
= get_field(line
, 4);
3939 opts
= get_field(target
, 2);
3942 null_endofword(opts
);
3943 if (!strstr(opts
, "shared"))
3945 null_endofword(target
);
3946 if (mount(NULL
, target
, NULL
, MS_SLAVE
, NULL
)) {
3947 SYSERROR("Failed to make %s rslave", target
);
3948 ERROR("Continuing...");
3955 void lxc_execute_bind_init(struct lxc_conf
*conf
)
3958 char path
[PATH_MAX
], destpath
[PATH_MAX
], *p
;
3960 /* If init exists in the container, don't bind mount a static one */
3961 p
= choose_init(conf
->rootfs
.mount
);
3967 ret
= snprintf(path
, PATH_MAX
, SBINDIR
"/init.lxc.static");
3968 if (ret
< 0 || ret
>= PATH_MAX
) {
3969 WARN("Path name too long searching for lxc.init.static");
3973 if (!file_exists(path
)) {
3974 INFO("%s does not exist on host", path
);
3978 ret
= snprintf(destpath
, PATH_MAX
, "%s%s", conf
->rootfs
.mount
, "/init.lxc.static");
3979 if (ret
< 0 || ret
>= PATH_MAX
) {
3980 WARN("Path name too long for container's lxc.init.static");
3984 if (!file_exists(destpath
)) {
3985 FILE * pathfile
= fopen(destpath
, "wb");
3987 SYSERROR("Failed to create mount target '%s'", destpath
);
3993 ret
= safe_mount(path
, destpath
, "none", MS_BIND
, NULL
, conf
->rootfs
.mount
);
3995 SYSERROR("Failed to bind lxc.init.static into container");
3996 INFO("lxc.init.static bound into container at %s", path
);
4000 * This does the work of remounting / if it is shared, calling the
4001 * container pre-mount hooks, and mounting the rootfs.
4003 int do_rootfs_setup(struct lxc_conf
*conf
, const char *name
, const char *lxcpath
)
4005 if (conf
->rootfs_setup
) {
4007 * rootfs was set up in another namespace. bind-mount it
4008 * to give us a mount in our own ns so we can pivot_root to it
4010 const char *path
= conf
->rootfs
.mount
;
4011 if (mount(path
, path
, "rootfs", MS_BIND
, NULL
) < 0) {
4012 ERROR("Failed to bind-mount container / onto itself");
4018 remount_all_slave();
4020 if (run_lxc_hooks(name
, "pre-mount", conf
, lxcpath
, NULL
)) {
4021 ERROR("failed to run pre-mount hooks for container '%s'.", name
);
4025 if (lxc_setup_rootfs(conf
)) {
4026 ERROR("failed to setup rootfs for '%s'", name
);
4030 conf
->rootfs_setup
= true;
4034 static bool verify_start_hooks(struct lxc_conf
*conf
)
4036 struct lxc_list
*it
;
4037 char path
[MAXPATHLEN
];
4038 lxc_list_for_each(it
, &conf
->hooks
[LXCHOOK_START
]) {
4039 char *hookname
= it
->elem
;
4043 ret
= snprintf(path
, MAXPATHLEN
, "%s%s",
4044 conf
->rootfs
.path
? conf
->rootfs
.mount
: "", hookname
);
4045 if (ret
< 0 || ret
>= MAXPATHLEN
)
4047 ret
= stat(path
, &st
);
4049 SYSERROR("Start hook %s not found in container",
4059 static int lxc_send_ttys_to_parent(struct lxc_handler
*handler
)
4063 struct lxc_pty_info
*pty_info
;
4064 struct lxc_conf
*conf
= handler
->conf
;
4065 const struct lxc_tty_info
*tty_info
= &conf
->tty_info
;
4066 int sock
= handler
->ttysock
[0];
4068 size_t num_ttyfds
= (2 * conf
->tty
);
4070 ttyfds
= malloc(num_ttyfds
* sizeof(int));
4074 for (i
= 0; i
< num_ttyfds
; i
++) {
4075 pty_info
= &tty_info
->pty_info
[i
/ 2];
4076 ttyfds
[i
++] = pty_info
->slave
;
4077 ttyfds
[i
] = pty_info
->master
;
4078 TRACE("send pty \"%s\" with master fd %d and slave fd %d to "
4080 pty_info
->name
, pty_info
->master
, pty_info
->slave
);
4083 ret
= lxc_abstract_unix_send_fds(sock
, ttyfds
, num_ttyfds
, NULL
, 0);
4085 ERROR("failed to send %d ttys to parent: %s", conf
->tty
,
4088 TRACE("sent %d ttys to parent", conf
->tty
);
4090 close(handler
->ttysock
[0]);
4091 close(handler
->ttysock
[1]);
4093 for (i
= 0; i
< num_ttyfds
; i
++)
4101 int lxc_setup(struct lxc_handler
*handler
)
4103 const char *name
= handler
->name
;
4104 struct lxc_conf
*lxc_conf
= handler
->conf
;
4105 const char *lxcpath
= handler
->lxcpath
;
4107 if (do_rootfs_setup(lxc_conf
, name
, lxcpath
) < 0) {
4108 ERROR("Error setting up rootfs mount after spawn");
4112 if (lxc_conf
->inherit_ns_fd
[LXC_NS_UTS
] == -1) {
4113 if (setup_utsname(lxc_conf
->utsname
)) {
4114 ERROR("failed to setup the utsname for '%s'", name
);
4119 if (lxc_setup_networks_in_child_namespaces(lxc_conf
,
4120 &lxc_conf
->network
)) {
4121 ERROR("failed to setup the network for '%s'", name
);
4125 if (lxc_conf
->autodev
> 0) {
4126 if (mount_autodev(name
, &lxc_conf
->rootfs
, lxcpath
)) {
4127 ERROR("failed to mount /dev in the container");
4132 /* do automatic mounts (mainly /proc and /sys), but exclude
4133 * those that need to wait until other stuff has finished
4135 if (lxc_mount_auto_mounts(lxc_conf
, lxc_conf
->auto_mounts
& ~LXC_AUTO_CGROUP_MASK
, handler
) < 0) {
4136 ERROR("failed to setup the automatic mounts for '%s'", name
);
4140 if (setup_mount(&lxc_conf
->rootfs
, lxc_conf
->fstab
, name
, lxcpath
)) {
4141 ERROR("failed to setup the mounts for '%s'", name
);
4145 if (!lxc_list_empty(&lxc_conf
->mount_list
) && setup_mount_entries(&lxc_conf
->rootfs
, &lxc_conf
->mount_list
, name
, lxcpath
)) {
4146 ERROR("failed to setup the mount entries for '%s'", name
);
4150 /* Make sure any start hooks are in the container */
4151 if (!verify_start_hooks(lxc_conf
))
4154 if (lxc_conf
->is_execute
)
4155 lxc_execute_bind_init(lxc_conf
);
4157 /* now mount only cgroup, if wanted;
4158 * before, /sys could not have been mounted
4159 * (is either mounted automatically or via fstab entries)
4161 if (lxc_mount_auto_mounts(lxc_conf
, lxc_conf
->auto_mounts
& LXC_AUTO_CGROUP_MASK
, handler
) < 0) {
4162 ERROR("failed to setup the automatic mounts for '%s'", name
);
4166 if (run_lxc_hooks(name
, "mount", lxc_conf
, lxcpath
, NULL
)) {
4167 ERROR("failed to run mount hooks for container '%s'.", name
);
4171 if (lxc_conf
->autodev
> 0) {
4172 if (run_lxc_hooks(name
, "autodev", lxc_conf
, lxcpath
, NULL
)) {
4173 ERROR("failed to run autodev hooks for container '%s'.", name
);
4176 if (lxc_fill_autodev(&lxc_conf
->rootfs
)) {
4177 ERROR("failed to populate /dev in the container");
4182 if (!lxc_conf
->is_execute
&& lxc_setup_console(&lxc_conf
->rootfs
, &lxc_conf
->console
, lxc_conf
->ttydir
)) {
4183 ERROR("failed to setup the console for '%s'", name
);
4187 if (!lxc_conf
->is_execute
&& setup_dev_symlinks(&lxc_conf
->rootfs
)) {
4188 ERROR("failed to setup /dev symlinks for '%s'", name
);
4192 /* mount /proc if it's not already there */
4193 if (lxc_create_tmp_proc_mount(lxc_conf
) < 0) {
4194 ERROR("failed to LSM mount proc for '%s'", name
);
4198 if (setup_pivot_root(&lxc_conf
->rootfs
)) {
4199 ERROR("failed to set rootfs for '%s'", name
);
4203 if (lxc_setup_devpts(lxc_conf
->pts
)) {
4204 ERROR("failed to setup the new pts instance");
4208 if (lxc_create_tty(name
, lxc_conf
)) {
4209 ERROR("failed to create the ttys");
4213 if (lxc_send_ttys_to_parent(handler
) < 0) {
4214 ERROR("failure sending console info to parent");
4218 if (!lxc_conf
->is_execute
&& lxc_setup_tty(lxc_conf
)) {
4219 ERROR("failed to setup the ttys for '%s'", name
);
4223 if (lxc_conf
->pty_names
&& setenv("container_ttys", lxc_conf
->pty_names
, 1))
4224 SYSERROR("failed to set environment variable for container ptys");
4227 if (setup_personality(lxc_conf
->personality
)) {
4228 ERROR("failed to setup personality");
4232 if (!lxc_list_empty(&lxc_conf
->keepcaps
)) {
4233 if (!lxc_list_empty(&lxc_conf
->caps
)) {
4234 ERROR("Container requests lxc.cap.drop and lxc.cap.keep: either use lxc.cap.drop or lxc.cap.keep, not both.");
4237 if (dropcaps_except(&lxc_conf
->keepcaps
)) {
4238 ERROR("failed to keep requested caps");
4241 } else if (setup_caps(&lxc_conf
->caps
)) {
4242 ERROR("failed to drop capabilities");
4246 NOTICE("Container \"%s\" is set up", name
);
4251 int run_lxc_hooks(const char *name
, char *hook
, struct lxc_conf
*conf
,
4252 const char *lxcpath
, char *argv
[])
4255 struct lxc_list
*it
;
4257 if (strcmp(hook
, "pre-start") == 0)
4258 which
= LXCHOOK_PRESTART
;
4259 else if (strcmp(hook
, "pre-mount") == 0)
4260 which
= LXCHOOK_PREMOUNT
;
4261 else if (strcmp(hook
, "mount") == 0)
4262 which
= LXCHOOK_MOUNT
;
4263 else if (strcmp(hook
, "autodev") == 0)
4264 which
= LXCHOOK_AUTODEV
;
4265 else if (strcmp(hook
, "start") == 0)
4266 which
= LXCHOOK_START
;
4267 else if (strcmp(hook
, "stop") == 0)
4268 which
= LXCHOOK_STOP
;
4269 else if (strcmp(hook
, "post-stop") == 0)
4270 which
= LXCHOOK_POSTSTOP
;
4271 else if (strcmp(hook
, "clone") == 0)
4272 which
= LXCHOOK_CLONE
;
4273 else if (strcmp(hook
, "destroy") == 0)
4274 which
= LXCHOOK_DESTROY
;
4277 lxc_list_for_each(it
, &conf
->hooks
[which
]) {
4279 char *hookname
= it
->elem
;
4280 ret
= run_script_argv(name
, "lxc", hookname
, hook
, lxcpath
, argv
);
4287 int lxc_clear_config_caps(struct lxc_conf
*c
)
4289 struct lxc_list
*it
,*next
;
4291 lxc_list_for_each_safe(it
, &c
->caps
, next
) {
4299 static int lxc_free_idmap(struct lxc_list
*id_map
) {
4300 struct lxc_list
*it
, *next
;
4302 lxc_list_for_each_safe(it
, id_map
, next
) {
4310 int lxc_clear_idmaps(struct lxc_conf
*c
)
4312 return lxc_free_idmap(&c
->id_map
);
4315 int lxc_clear_config_keepcaps(struct lxc_conf
*c
)
4317 struct lxc_list
*it
,*next
;
4319 lxc_list_for_each_safe(it
, &c
->keepcaps
, next
) {
4327 int lxc_clear_cgroups(struct lxc_conf
*c
, const char *key
)
4329 struct lxc_list
*it
,*next
;
4331 const char *k
= NULL
;
4333 if (strcmp(key
, "lxc.cgroup") == 0)
4335 else if (strncmp(key
, "lxc.cgroup.", sizeof("lxc.cgroup.")-1) == 0)
4336 k
= key
+ sizeof("lxc.cgroup.")-1;
4340 lxc_list_for_each_safe(it
, &c
->cgroup
, next
) {
4341 struct lxc_cgroup
*cg
= it
->elem
;
4342 if (!all
&& strcmp(cg
->subsystem
, k
) != 0)
4345 free(cg
->subsystem
);
4353 int lxc_clear_limits(struct lxc_conf
*c
, const char *key
)
4355 struct lxc_list
*it
, *next
;
4357 const char *k
= NULL
;
4359 if (strcmp(key
, "lxc.limit") == 0
4360 || strcmp(key
, "lxc.prlimit"))
4362 else if (strncmp(key
, "lxc.limit.", sizeof("lxc.limit.")-1) == 0)
4363 k
= key
+ sizeof("lxc.limit.")-1;
4364 else if (strncmp(key
, "lxc.prlimit.", sizeof("lxc.prlimit.")-1) == 0)
4365 k
= key
+ sizeof("lxc.prlimit.")-1;
4369 lxc_list_for_each_safe(it
, &c
->limits
, next
) {
4370 struct lxc_limit
*lim
= it
->elem
;
4371 if (!all
&& strcmp(lim
->resource
, k
) != 0)
4374 free(lim
->resource
);
4381 int lxc_clear_groups(struct lxc_conf
*c
)
4383 struct lxc_list
*it
,*next
;
4385 lxc_list_for_each_safe(it
, &c
->groups
, next
) {
4393 int lxc_clear_environment(struct lxc_conf
*c
)
4395 struct lxc_list
*it
,*next
;
4397 lxc_list_for_each_safe(it
, &c
->environment
, next
) {
4406 int lxc_clear_mount_entries(struct lxc_conf
*c
)
4408 struct lxc_list
*it
,*next
;
4410 lxc_list_for_each_safe(it
, &c
->mount_list
, next
) {
4418 int lxc_clear_automounts(struct lxc_conf
*c
)
4424 int lxc_clear_hooks(struct lxc_conf
*c
, const char *key
)
4426 struct lxc_list
*it
,*next
;
4427 bool all
= false, done
= false;
4428 const char *k
= NULL
;
4431 if (strcmp(key
, "lxc.hook") == 0)
4433 else if (strncmp(key
, "lxc.hook.", sizeof("lxc.hook.")-1) == 0)
4434 k
= key
+ sizeof("lxc.hook.")-1;
4438 for (i
=0; i
<NUM_LXC_HOOKS
; i
++) {
4439 if (all
|| strcmp(k
, lxchook_names
[i
]) == 0) {
4440 lxc_list_for_each_safe(it
, &c
->hooks
[i
], next
) {
4450 ERROR("Invalid hook key: %s", key
);
4456 static void lxc_clear_saved_nics(struct lxc_conf
*conf
)
4460 if (!conf
->saved_nics
)
4462 for (i
=0; i
< conf
->num_savednics
; i
++)
4463 free(conf
->saved_nics
[i
].orig_name
);
4464 free(conf
->saved_nics
);
4467 static inline void lxc_clear_aliens(struct lxc_conf
*conf
)
4469 struct lxc_list
*it
,*next
;
4471 lxc_list_for_each_safe(it
, &conf
->aliens
, next
) {
4478 void lxc_clear_includes(struct lxc_conf
*conf
)
4480 struct lxc_list
*it
,*next
;
4482 lxc_list_for_each_safe(it
, &conf
->includes
, next
) {
4489 void lxc_conf_free(struct lxc_conf
*conf
)
4493 if (current_config
== conf
)
4494 current_config
= NULL
;
4495 free(conf
->console
.log_path
);
4496 free(conf
->console
.path
);
4497 free(conf
->rootfs
.mount
);
4498 free(conf
->rootfs
.bdev_type
);
4499 free(conf
->rootfs
.options
);
4500 free(conf
->rootfs
.path
);
4501 free(conf
->logfile
);
4502 if (conf
->logfd
!= -1)
4504 free(conf
->utsname
);
4508 free(conf
->init_cmd
);
4509 free(conf
->unexpanded_config
);
4510 free(conf
->pty_names
);
4512 lxc_free_networks(&conf
->network
);
4513 free(conf
->lsm_aa_profile
);
4514 free(conf
->lsm_se_context
);
4515 lxc_seccomp_free(conf
);
4516 lxc_clear_config_caps(conf
);
4517 lxc_clear_config_keepcaps(conf
);
4518 lxc_clear_cgroups(conf
, "lxc.cgroup");
4519 lxc_clear_hooks(conf
, "lxc.hook");
4520 lxc_clear_mount_entries(conf
);
4521 lxc_clear_saved_nics(conf
);
4522 lxc_clear_idmaps(conf
);
4523 lxc_clear_groups(conf
);
4524 lxc_clear_includes(conf
);
4525 lxc_clear_aliens(conf
);
4526 lxc_clear_environment(conf
);
4527 lxc_clear_limits(conf
, "lxc.prlimit");
4531 struct userns_fn_data
{
4533 const char *fn_name
;
4538 static int run_userns_fn(void *data
)
4540 struct userns_fn_data
*d
= data
;
4543 /* Close write end of the pipe. */
4546 /* Wait for parent to finish establishing a new mapping in the user
4547 * namespace we are executing in.
4549 if (read(d
->p
[0], &c
, 1) != 1)
4552 /* Close read end of the pipe. */
4556 TRACE("calling function \"%s\"", d
->fn_name
);
4557 /* Call function to run. */
4558 return d
->fn(d
->arg
);
4561 static struct id_map
*mapped_hostid_entry(struct lxc_conf
*conf
, unsigned id
,
4564 struct lxc_list
*it
;
4566 struct id_map
*retmap
= NULL
;
4568 lxc_list_for_each(it
, &conf
->id_map
) {
4570 if (map
->idtype
!= idtype
)
4573 if (id
>= map
->hostid
&& id
< map
->hostid
+ map
->range
) {
4582 retmap
= malloc(sizeof(*retmap
));
4586 memcpy(retmap
, map
, sizeof(*retmap
));
4591 * Allocate a new {g,u}id mapping for the given {g,u}id. Re-use an already
4592 * existing one or establish a new one.
4594 static struct id_map
*idmap_add(struct lxc_conf
*conf
, uid_t id
, enum idtype type
)
4597 struct id_map
*entry
= NULL
;
4599 /* Reuse existing mapping. */
4600 entry
= mapped_hostid_entry(conf
, id
, type
);
4604 /* Find new mapping. */
4605 hostid_mapped
= find_unmapped_nsid(conf
, type
);
4606 if (hostid_mapped
< 0) {
4607 DEBUG("failed to find free mapping for id %d", id
);
4611 entry
= malloc(sizeof(*entry
));
4615 entry
->idtype
= type
;
4616 entry
->nsid
= hostid_mapped
;
4617 entry
->hostid
= (unsigned long)id
;
4623 /* Run a function in a new user namespace.
4624 * The caller's euid/egid will be mapped if it is not already.
4625 * Afaict, userns_exec_1() is only used to operate based on privileges for the
4626 * user's own {g,u}id on the host and for the container root's unmapped {g,u}id.
4627 * This means we require only to establish a mapping from:
4628 * - the container root {g,u}id as seen from the host > user's host {g,u}id
4629 * - the container root -> some sub{g,u}id
4630 * The former we add, if the user did not specifiy a mapping. The latter we
4631 * retrieve from the ontainer's configured {g,u}id mappings as it must have been
4632 * there to start the container in the first place.
4634 int userns_exec_1(struct lxc_conf
*conf
, int (*fn
)(void *), void *data
,
4635 const char *fn_name
)
4639 struct userns_fn_data d
;
4641 struct lxc_list
*it
;
4645 struct lxc_list
*idmap
= NULL
, *tmplist
= NULL
;
4646 struct id_map
*container_root_uid
= NULL
, *container_root_gid
= NULL
,
4647 *host_uid_map
= NULL
, *host_gid_map
= NULL
;
4651 SYSERROR("opening pipe");
4655 d
.fn_name
= fn_name
;
4660 /* Clone child in new user namespace. */
4661 pid
= lxc_clone(run_userns_fn
, &d
, CLONE_NEWUSER
);
4663 ERROR("failed to clone child process in new user namespace");
4670 /* Find container root. */
4671 lxc_list_for_each(it
, &conf
->id_map
) {
4677 if (map
->idtype
== ID_TYPE_UID
&& container_root_uid
== NULL
) {
4678 container_root_uid
= malloc(sizeof(*container_root_uid
));
4679 if (!container_root_uid
)
4681 container_root_uid
->idtype
= map
->idtype
;
4682 container_root_uid
->hostid
= map
->hostid
;
4683 container_root_uid
->nsid
= 0;
4684 container_root_uid
->range
= map
->range
;
4685 } else if (map
->idtype
== ID_TYPE_GID
&& container_root_gid
== NULL
) {
4686 container_root_gid
= malloc(sizeof(*container_root_gid
));
4687 if (!container_root_gid
)
4689 container_root_gid
->idtype
= map
->idtype
;
4690 container_root_gid
->hostid
= map
->hostid
;
4691 container_root_gid
->nsid
= 0;
4692 container_root_gid
->range
= map
->range
;
4695 /* Found container root. */
4696 if (container_root_uid
&& container_root_gid
)
4700 /* This is actually checked earlier but it can't hurt. */
4701 if (!container_root_uid
|| !container_root_gid
) {
4702 ERROR("no mapping for container root found");
4706 host_uid_map
= container_root_uid
;
4707 host_gid_map
= container_root_gid
;
4709 /* Check whether the {g,u}id of the user has a mapping. */
4712 if (euid
!= container_root_uid
->hostid
)
4713 host_uid_map
= idmap_add(conf
, euid
, ID_TYPE_UID
);
4715 if (egid
!= container_root_gid
->hostid
)
4716 host_gid_map
= idmap_add(conf
, egid
, ID_TYPE_GID
);
4718 if (!host_uid_map
) {
4719 DEBUG("failed to find mapping for uid %d", euid
);
4723 if (!host_gid_map
) {
4724 DEBUG("failed to find mapping for gid %d", egid
);
4728 /* Allocate new {g,u}id map list. */
4729 idmap
= malloc(sizeof(*idmap
));
4732 lxc_list_init(idmap
);
4734 /* Add container root to the map. */
4735 tmplist
= malloc(sizeof(*tmplist
));
4738 lxc_list_add_elem(tmplist
, container_root_uid
);
4739 lxc_list_add_tail(idmap
, tmplist
);
4741 if (host_uid_map
&& (host_uid_map
!= container_root_uid
)) {
4742 /* idmap will now keep track of that memory. */
4743 container_root_uid
= NULL
;
4745 /* Add container root to the map. */
4746 tmplist
= malloc(sizeof(*tmplist
));
4749 lxc_list_add_elem(tmplist
, host_uid_map
);
4750 lxc_list_add_tail(idmap
, tmplist
);
4752 /* idmap will now keep track of that memory. */
4753 container_root_uid
= NULL
;
4754 /* idmap will now keep track of that memory. */
4755 host_uid_map
= NULL
;
4757 tmplist
= malloc(sizeof(*tmplist
));
4760 lxc_list_add_elem(tmplist
, container_root_gid
);
4761 lxc_list_add_tail(idmap
, tmplist
);
4763 if (host_gid_map
&& (host_gid_map
!= container_root_gid
)) {
4764 /* idmap will now keep track of that memory. */
4765 container_root_gid
= NULL
;
4767 tmplist
= malloc(sizeof(*tmplist
));
4770 lxc_list_add_elem(tmplist
, host_gid_map
);
4771 lxc_list_add_tail(idmap
, tmplist
);
4773 /* idmap will now keep track of that memory. */
4774 container_root_gid
= NULL
;
4775 /* idmap will now keep track of that memory. */
4776 host_gid_map
= NULL
;
4778 if (lxc_log_get_level() == LXC_LOG_LEVEL_TRACE
||
4779 conf
->loglevel
== LXC_LOG_LEVEL_TRACE
) {
4780 lxc_list_for_each(it
, idmap
) {
4782 TRACE("establishing %cid mapping for \"%d\" in new "
4783 "user namespace: nsuid %lu - hostid %lu - range "
4785 (map
->idtype
== ID_TYPE_UID
) ? 'u' : 'g', pid
,
4786 map
->nsid
, map
->hostid
, map
->range
);
4790 /* Set up {g,u}id mapping for user namespace of child process. */
4791 ret
= lxc_map_ids(idmap
, pid
);
4793 ERROR("error setting up {g,u}id mappings for child process "
4799 /* Tell child to proceed. */
4800 if (write(p
[1], &c
, 1) != 1) {
4801 SYSERROR("failed telling child process \"%d\" to proceed", pid
);
4805 /* Wait for child to finish. */
4806 ret
= wait_for_pid(pid
);
4810 lxc_free_idmap(idmap
);
4811 if (container_root_uid
)
4812 free(container_root_uid
);
4813 if (container_root_gid
)
4814 free(container_root_gid
);
4815 if (host_uid_map
&& (host_uid_map
!= container_root_uid
))
4817 if (host_gid_map
&& (host_gid_map
!= container_root_gid
))
4827 /* not thread-safe, do not use from api without first forking */
4828 static char* getuname(void)
4830 struct passwd
*result
;
4832 result
= getpwuid(geteuid());
4836 return strdup(result
->pw_name
);
4839 /* not thread-safe, do not use from api without first forking */
4840 static char *getgname(void)
4842 struct group
*result
;
4844 result
= getgrgid(getegid());
4848 return strdup(result
->gr_name
);
4851 /* not thread-safe, do not use from api without first forking */
4852 void suggest_default_idmap(void)
4855 unsigned int uid
= 0, urange
= 0, gid
= 0, grange
= 0;
4857 char *uname
, *gname
;
4860 if (!(uname
= getuname()))
4863 if (!(gname
= getgname())) {
4868 f
= fopen(subuidfile
, "r");
4870 ERROR("Your system is not configured with subuids");
4875 while (getline(&line
, &len
, f
) != -1) {
4876 size_t no_newline
= 0;
4877 char *p
= strchr(line
, ':'), *p2
;
4884 if (strcmp(line
, uname
))
4886 p2
= strchr(p
, ':');
4893 no_newline
= strcspn(p2
, "\n");
4894 p2
[no_newline
] = '\0';
4896 if (lxc_safe_uint(p
, &uid
) < 0)
4897 WARN("Could not parse UID.");
4898 if (lxc_safe_uint(p2
, &urange
) < 0)
4899 WARN("Could not parse UID range.");
4903 f
= fopen(subgidfile
, "r");
4905 ERROR("Your system is not configured with subgids");
4910 while (getline(&line
, &len
, f
) != -1) {
4911 size_t no_newline
= 0;
4912 char *p
= strchr(line
, ':'), *p2
;
4919 if (strcmp(line
, uname
))
4921 p2
= strchr(p
, ':');
4928 no_newline
= strcspn(p2
, "\n");
4929 p2
[no_newline
] = '\0';
4931 if (lxc_safe_uint(p
, &gid
) < 0)
4932 WARN("Could not parse GID.");
4933 if (lxc_safe_uint(p2
, &grange
) < 0)
4934 WARN("Could not parse GID range.");
4940 if (!urange
|| !grange
) {
4941 ERROR("You do not have subuids or subgids allocated");
4942 ERROR("Unprivileged containers require subuids and subgids");
4946 ERROR("You must either run as root, or define uid mappings");
4947 ERROR("To pass uid mappings to lxc-create, you could create");
4948 ERROR("~/.config/lxc/default.conf:");
4949 ERROR("lxc.include = %s", LXC_DEFAULT_CONFIG
);
4950 ERROR("lxc.id_map = u 0 %u %u", uid
, urange
);
4951 ERROR("lxc.id_map = g 0 %u %u", gid
, grange
);
4957 static void free_cgroup_settings(struct lxc_list
*result
)
4959 struct lxc_list
*iterator
, *next
;
4961 lxc_list_for_each_safe(iterator
, result
, next
) {
4962 lxc_list_del(iterator
);
4969 * Return the list of cgroup_settings sorted according to the following rules
4970 * 1. Put memory.limit_in_bytes before memory.memsw.limit_in_bytes
4972 struct lxc_list
*sort_cgroup_settings(struct lxc_list
* cgroup_settings
)
4974 struct lxc_list
*result
;
4975 struct lxc_list
*memsw_limit
= NULL
;
4976 struct lxc_list
*it
= NULL
;
4977 struct lxc_cgroup
*cg
= NULL
;
4978 struct lxc_list
*item
= NULL
;
4980 result
= malloc(sizeof(*result
));
4982 ERROR("failed to allocate memory to sort cgroup settings");
4985 lxc_list_init(result
);
4987 /*Iterate over the cgroup settings and copy them to the output list*/
4988 lxc_list_for_each(it
, cgroup_settings
) {
4989 item
= malloc(sizeof(*item
));
4991 ERROR("failed to allocate memory to sort cgroup settings");
4992 free_cgroup_settings(result
);
4995 item
->elem
= it
->elem
;
4997 if (strcmp(cg
->subsystem
, "memory.memsw.limit_in_bytes") == 0) {
4998 /* Store the memsw_limit location */
5000 } else if (strcmp(cg
->subsystem
, "memory.limit_in_bytes") == 0 && memsw_limit
!= NULL
) {
5001 /* lxc.cgroup.memory.memsw.limit_in_bytes is found before
5002 * lxc.cgroup.memory.limit_in_bytes, swap these two items */
5003 item
->elem
= memsw_limit
->elem
;
5004 memsw_limit
->elem
= it
->elem
;
5006 lxc_list_add_tail(result
, item
);