]> git.proxmox.com Git - mirror_lxc.git/blob - src/lxc/lxccontainer.c
projects / mirror_lxc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #3492 from brauner/2020-07-18/visibility_hidden
[mirror_lxc.git] / src / lxc / lxccontainer.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #ifndef _GNU_SOURCE
4 #define _GNU_SOURCE 1
5 #endif
6 #include <arpa/inet.h>
7 #include <dirent.h>
8 #include <errno.h>
9 #include <fcntl.h>
10 #include <grp.h>
11 #include <libgen.h>
12 #include <pthread.h>
13 #include <sched.h>
14 #include <stdarg.h>
15 #include <stdint.h>
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <sys/file.h>
19 #include <sys/mman.h>
20 #include <sys/mount.h>
21 #include <sys/stat.h>
22 #include <sys/syscall.h>
23 #include <sys/sysmacros.h>
24 #include <sys/types.h>
25 #include <sys/wait.h>
26 #include <unistd.h>
27
28 #include "../include/netns_ifaddrs.h"
29 #include "af_unix.h"
30 #include "api_extensions.h"
31 #include "attach.h"
32 #include "cgroup.h"
33 #include "macro.h"
34 #include "commands.h"
35 #include "commands_utils.h"
36 #include "conf.h"
37 #include "config.h"
38 #include "confile.h"
39 #include "confile_utils.h"
40 #include "criu.h"
41 #include "error.h"
42 #include "initutils.h"
43 #include "log.h"
44 #include "lxc.h"
45 #include "lxccontainer.h"
46 #include "lxclock.h"
47 #include "memory_utils.h"
48 #include "monitor.h"
49 #include "namespace.h"
50 #include "network.h"
51 #include "parse.h"
52 #include "process_utils.h"
53 #include "start.h"
54 #include "state.h"
55 #include "storage.h"
56 #include "storage/btrfs.h"
57 #include "storage/overlay.h"
58 #include "storage_utils.h"
59 #include "sync.h"
60 #include "syscall_wrappers.h"
61 #include "terminal.h"
62 #include "utils.h"
63 #include "version.h"
64
65 #if HAVE_OPENSSL
66 #include <openssl/evp.h>
67 #endif
68
69 /* major()/minor() */
70 #ifdef MAJOR_IN_MKDEV
71 #include <sys/mkdev.h>
72 #endif
73
74 #if IS_BIONIC
75 #include <../include/lxcmntent.h>
76 #else
77 #include <mntent.h>
78 #endif
79
80 #ifndef HAVE_STRLCPY
81 #include "include/strlcpy.h"
82 #endif
83
84 lxc_log_define(lxccontainer, lxc);
85
86 static bool do_lxcapi_destroy(struct lxc_container *c);
87 static const char *lxcapi_get_config_path(struct lxc_container *c);
88 #define do_lxcapi_get_config_path(c) lxcapi_get_config_path(c)
89 static bool do_lxcapi_set_config_item(struct lxc_container *c, const char *key, const char *v);
90 static bool container_destroy(struct lxc_container *c,
91 struct lxc_storage *storage);
92 static bool get_snappath_dir(struct lxc_container *c, char *snappath);
93 static bool lxcapi_snapshot_destroy_all(struct lxc_container *c);
94 static bool do_lxcapi_save_config(struct lxc_container *c, const char *alt_file);
95
96 static bool config_file_exists(const char *lxcpath, const char *cname)
97 {
98 __do_free char *fname = NULL;
99 int ret;
100 size_t len;
101
102 /* $lxcpath + '/' + $cname + '/config' + \0 */
103 len = strlen(lxcpath) + 1 + strlen(cname) + 1 + strlen(LXC_CONFIG_FNAME) + 1;
104 fname = must_realloc(NULL, len);
105 ret = snprintf(fname, len, "%s/%s/%s", lxcpath, cname, LXC_CONFIG_FNAME);
106 if (ret < 0 || (size_t)ret >= len)
107 return false;
108
109 return file_exists(fname);
110 }
111
112 /*
113 * A few functions to help detect when a container creation failed. If a
114 * container creation was killed partway through, then trying to actually start
115 * that container could harm the host. We detect this by creating a 'partial'
116 * file under the container directory, and keeping an advisory lock. When
117 * container creation completes, we remove that file. When we load or try to
118 * start a container, if we find that file, without a flock, we remove the
119 * container.
120 */
121 enum {
122 LXC_CREATE_FAILED = -1,
123 LXC_CREATE_SUCCESS = 0,
124 LXC_CREATE_ONGOING = 1,
125 LXC_CREATE_INCOMPLETE = 2,
126 };
127
128 static int ongoing_create(struct lxc_container *c)
129 {
130 __do_close int fd = -EBADF;
131 __do_free char *path = NULL;
132 struct flock lk = {0};
133 int ret;
134 size_t len;
135
136 len = strlen(c->config_path) + 1 + strlen(c->name) + 1 + strlen(LXC_PARTIAL_FNAME) + 1;
137 path = must_realloc(NULL, len);
138 ret = snprintf(path, len, "%s/%s/%s", c->config_path, c->name, LXC_PARTIAL_FNAME);
139 if (ret < 0 || (size_t)ret >= len)
140 return LXC_CREATE_FAILED;
141
142 fd = open(path, O_RDWR | O_CLOEXEC);
143 if (fd < 0) {
144 if (errno != ENOENT)
145 return LXC_CREATE_FAILED;
146
147 return LXC_CREATE_SUCCESS;
148 }
149
150 lk.l_type = F_WRLCK;
151 lk.l_whence = SEEK_SET;
152 /*
153 * F_OFD_GETLK requires that l_pid be set to 0 otherwise the kernel
154 * will EINVAL us.
155 */
156 lk.l_pid = 0;
157
158 ret = fcntl(fd, F_OFD_GETLK, &lk);
159 if (ret < 0 && errno == EINVAL) {
160 ret = flock(fd, LOCK_EX | LOCK_NB);
161 if (ret < 0 && errno == EWOULDBLOCK)
162 ret = 0;
163 }
164
165 /* F_OFD_GETLK will not send us back a pid so don't check it. */
166 if (ret == 0)
167 /* Create is still ongoing. */
168 return LXC_CREATE_ONGOING;
169
170 /* Create completed but partial is still there. */
171 return LXC_CREATE_INCOMPLETE;
172 }
173
174 static int create_partial(struct lxc_container *c)
175 {
176 __do_free char *path = NULL;
177 int fd, ret;
178 size_t len;
179 struct flock lk = {0};
180
181 /* $lxcpath + '/' + $name + '/partial' + \0 */
182 len = strlen(c->config_path) + 1 + strlen(c->name) + 1 + strlen(LXC_PARTIAL_FNAME) + 1;
183 path = must_realloc(NULL, len);
184 ret = snprintf(path, len, "%s/%s/%s", c->config_path, c->name, LXC_PARTIAL_FNAME);
185 if (ret < 0 || (size_t)ret >= len)
186 return -1;
187
188 fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, 0000);
189 if (fd < 0)
190 return -1;
191
192 lk.l_type = F_WRLCK;
193 lk.l_whence = SEEK_SET;
194
195 ret = fcntl(fd, F_OFD_SETLKW, &lk);
196 if (ret < 0) {
197 if (errno == EINVAL) {
198 ret = flock(fd, LOCK_EX);
199 if (ret == 0)
200 return fd;
201 }
202
203 SYSERROR("Failed to lock partial file %s", path);
204 close(fd);
205 return -1;
206 }
207
208 return fd;
209 }
210
211 static void remove_partial(struct lxc_container *c, int fd)
212 {
213 __do_free char *path = NULL;
214 int ret;
215 size_t len;
216
217 close(fd);
218
219 /* $lxcpath + '/' + $name + '/partial' + \0 */
220 len = strlen(c->config_path) + 1 + strlen(c->name) + 1 + strlen(LXC_PARTIAL_FNAME) + 1;
221 path = must_realloc(NULL, len);
222 ret = snprintf(path, len, "%s/%s/%s", c->config_path, c->name, LXC_PARTIAL_FNAME);
223 if (ret < 0 || (size_t)ret >= len)
224 return;
225
226 ret = unlink(path);
227 if (ret < 0)
228 SYSERROR("Failed to remove partial file %s", path);
229 }
230
231 /* LOCKING
232 * 1. container_mem_lock(c) protects the struct lxc_container from multiple threads.
233 * 2. container_disk_lock(c) protects the on-disk container data - in particular the
234 * container configuration file.
235 * The container_disk_lock also takes the container_mem_lock.
236 * 3. thread_mutex protects process data (ex: fd table) from multiple threads.
237 * NOTHING mutexes two independent programs with their own struct
238 * lxc_container for the same c->name, between API calls. For instance,
239 * c->config_read(); c->start(); Between those calls, data on disk
240 * could change (which shouldn't bother the caller unless for instance
241 * the rootfs get moved). c->config_read(); update; c->config_write();
242 * Two such updaters could race. The callers should therefore check their
243 * results. Trying to prevent that would necessarily expose us to deadlocks
244 * due to hung callers. So I prefer to keep the locks only within our own
245 * functions, not across functions.
246 *
247 * If you're going to clone while holding a lxccontainer, increment
248 * c->numthreads (under privlock) before forking. When deleting,
249 * decrement numthreads under privlock, then if it hits 0 you can delete.
250 * Do not ever use a lxccontainer whose numthreads you did not bump.
251 */
252 static void lxc_container_free(struct lxc_container *c)
253 {
254 if (!c)
255 return;
256
257 free(c->configfile);
258 c->configfile = NULL;
259
260 free(c->error_string);
261 c->error_string = NULL;
262
263 if (c->slock) {
264 lxc_putlock(c->slock);
265 c->slock = NULL;
266 }
267
268 if (c->privlock) {
269 lxc_putlock(c->privlock);
270 c->privlock = NULL;
271 }
272
273 free(c->name);
274 c->name = NULL;
275
276 if (c->lxc_conf) {
277 lxc_conf_free(c->lxc_conf);
278 c->lxc_conf = NULL;
279 }
280
281 free(c->config_path);
282 c->config_path = NULL;
283
284 free(c);
285 }
286
287 /* Consider the following case:
288 *
289 * |====================================================================|
290 * | freer | racing get()er |
291 * |====================================================================|
292 * | lxc_container_put() | lxc_container_get() |
293 * | \ lxclock(c->privlock) | c->numthreads < 1? (no) |
294 * | \ c->numthreads = 0 | \ lxclock(c->privlock) -> waits |
295 * | \ lxcunlock() | \ |
296 * | \ lxc_container_free() | \ lxclock() returns |
297 * | | \ c->numthreads < 1 -> return 0 |
298 * | \ \ (free stuff) | |
299 * | \ \ sem_destroy(privlock) | |
300 * |_______________________________|____________________________________|
301 *
302 * When the get()er checks numthreads the first time, one of the following
303 * is true:
304 * 1. freer has set numthreads = 0. get() returns 0
305 * 2. freer is between lxclock and setting numthreads to 0. get()er will
306 * sem_wait on privlock, get lxclock after freer() drops it, then see
307 * numthreads is 0 and exit without touching lxclock again..
308 * 3. freer has not yet locked privlock. If get()er runs first, then put()er
309 * will see --numthreads = 1 and not call lxc_container_free().
310 */
311
312 int lxc_container_get(struct lxc_container *c)
313 {
314 if (!c)
315 return 0;
316
317 /* If someone else has already started freeing the container, don't try
318 * to take the lock, which may be invalid.
319 */
320 if (c->numthreads < 1)
321 return 0;
322
323 if (container_mem_lock(c))
324 return 0;
325
326 /* Bail without trying to unlock, bc the privlock is now probably in
327 * freed memory.
328 */
329 if (c->numthreads < 1)
330 return 0;
331
332 c->numthreads++;
333 container_mem_unlock(c);
334
335 return 1;
336 }
337
338 int lxc_container_put(struct lxc_container *c)
339 {
340 if (!c)
341 return -1;
342
343 if (container_mem_lock(c))
344 return -1;
345
346 c->numthreads--;
347
348 if (c->numthreads < 1) {
349 container_mem_unlock(c);
350 lxc_container_free(c);
351 return 1;
352 }
353
354 container_mem_unlock(c);
355 return 0;
356 }
357
358 static bool do_lxcapi_is_defined(struct lxc_container *c)
359 {
360 int statret;
361 struct stat statbuf;
362 bool ret = false;
363
364 if (!c)
365 return false;
366
367 if (container_mem_lock(c))
368 return false;
369
370 if (!c->configfile)
371 goto on_error;
372
373 statret = stat(c->configfile, &statbuf);
374 if (statret != 0)
375 goto on_error;
376
377 ret = true;
378
379 on_error:
380 container_mem_unlock(c);
381 return ret;
382 }
383
384 #define WRAP_API(rettype, fnname) \
385 static rettype fnname(struct lxc_container *c) \
386 { \
387 rettype ret; \
388 bool reset_config = false; \
389 \
390 if (!current_config && c && c->lxc_conf) { \
391 current_config = c->lxc_conf; \
392 reset_config = true; \
393 } \
394 \
395 ret = do_##fnname(c); \
396 if (reset_config) \
397 current_config = NULL; \
398 \
399 return ret; \
400 }
401
402 #define WRAP_API_1(rettype, fnname, t1) \
403 static rettype fnname(struct lxc_container *c, t1 a1) \
404 { \
405 rettype ret; \
406 bool reset_config = false; \
407 \
408 if (!current_config && c && c->lxc_conf) { \
409 current_config = c->lxc_conf; \
410 reset_config = true; \
411 } \
412 \
413 ret = do_##fnname(c, a1); \
414 if (reset_config) \
415 current_config = NULL; \
416 \
417 return ret; \
418 }
419
420 #define WRAP_API_2(rettype, fnname, t1, t2) \
421 static rettype fnname(struct lxc_container *c, t1 a1, t2 a2) \
422 { \
423 rettype ret; \
424 bool reset_config = false; \
425 \
426 if (!current_config && c && c->lxc_conf) { \
427 current_config = c->lxc_conf; \
428 reset_config = true; \
429 } \
430 \
431 ret = do_##fnname(c, a1, a2); \
432 if (reset_config) \
433 current_config = NULL; \
434 \
435 return ret; \
436 }
437
438 #define WRAP_API_3(rettype, fnname, t1, t2, t3) \
439 static rettype fnname(struct lxc_container *c, t1 a1, t2 a2, t3 a3) \
440 { \
441 rettype ret; \
442 bool reset_config = false; \
443 \
444 if (!current_config && c && c->lxc_conf) { \
445 current_config = c->lxc_conf; \
446 reset_config = true; \
447 } \
448 \
449 ret = do_##fnname(c, a1, a2, a3); \
450 if (reset_config) \
451 current_config = NULL; \
452 \
453 return ret; \
454 }
455
456 #define WRAP_API_6(rettype, fnname, t1, t2, t3, t4, t5, t6) \
457 static rettype fnname(struct lxc_container *c, t1 a1, t2 a2, t3 a3, \
458 t4 a4, t5 a5, t6 a6) \
459 { \
460 rettype ret; \
461 bool reset_config = false; \
462 \
463 if (!current_config && c && c->lxc_conf) { \
464 current_config = c->lxc_conf; \
465 reset_config = true; \
466 } \
467 \
468 ret = do_##fnname(c, a1, a2, a3, a4, a5, a6); \
469 if (reset_config) \
470 current_config = NULL; \
471 \
472 return ret; \
473 }
474
475 WRAP_API(bool, lxcapi_is_defined)
476
477 static const char *do_lxcapi_state(struct lxc_container *c)
478 {
479 lxc_state_t s;
480
481 if (!c)
482 return NULL;
483
484 s = lxc_getstate(c->name, c->config_path);
485 return lxc_state2str(s);
486 }
487
488 WRAP_API(const char *, lxcapi_state)
489
490 static bool is_stopped(struct lxc_container *c)
491 {
492 lxc_state_t s;
493
494 s = lxc_getstate(c->name, c->config_path);
495 return (s == STOPPED);
496 }
497
498 static bool do_lxcapi_is_running(struct lxc_container *c)
499 {
500 if (!c)
501 return false;
502
503 return !is_stopped(c);
504 }
505
506 WRAP_API(bool, lxcapi_is_running)
507
508 static bool do_lxcapi_freeze(struct lxc_container *c)
509 {
510 lxc_state_t s;
511
512 if (!c || !c->lxc_conf)
513 return false;
514
515 s = lxc_getstate(c->name, c->config_path);
516 if (s != FROZEN)
517 return lxc_freeze(c->lxc_conf, c->name, c->config_path) == 0;
518
519 return true;
520 }
521
522 WRAP_API(bool, lxcapi_freeze)
523
524 static bool do_lxcapi_unfreeze(struct lxc_container *c)
525 {
526 lxc_state_t s;
527
528 if (!c || !c->lxc_conf)
529 return false;
530
531 s = lxc_getstate(c->name, c->config_path);
532 if (s == FROZEN)
533 return lxc_unfreeze(c->lxc_conf, c->name, c->config_path) == 0;
534
535 return true;
536 }
537
538 WRAP_API(bool, lxcapi_unfreeze)
539
540 static int do_lxcapi_console_getfd(struct lxc_container *c, int *ttynum, int *ptxfd)
541 {
542 if (!c)
543 return -1;
544
545 return lxc_terminal_getfd(c, ttynum, ptxfd);
546 }
547
548 WRAP_API_2(int, lxcapi_console_getfd, int *, int *)
549
550 static int lxcapi_console(struct lxc_container *c, int ttynum, int stdinfd,
551 int stdoutfd, int stderrfd, int escape)
552 {
553 int ret;
554
555 if (!c)
556 return -1;
557
558 current_config = c->lxc_conf;
559 ret = lxc_console(c, ttynum, stdinfd, stdoutfd, stderrfd, escape);
560 current_config = NULL;
561
562 return ret;
563 }
564
565 static int do_lxcapi_console_log(struct lxc_container *c, struct lxc_console_log *log)
566 {
567 int ret;
568
569 if (!c)
570 return -EINVAL;
571
572 ret = lxc_cmd_console_log(c->name, do_lxcapi_get_config_path(c), log);
573 if (ret < 0) {
574 if (ret == -ENODATA)
575 NOTICE("The console log is empty");
576 else if (ret == -EFAULT)
577 NOTICE("The container does not keep a console log");
578 else if (ret == -ENOENT)
579 NOTICE("The container does not keep a console log file");
580 else if (ret == -EIO)
581 NOTICE("Failed to write console log to log file");
582 else
583 ERROR("Failed to retrieve console log");
584 }
585
586 return ret;
587 }
588
589 WRAP_API_1(int, lxcapi_console_log, struct lxc_console_log *)
590
591 static pid_t do_lxcapi_init_pid(struct lxc_container *c)
592 {
593 if (!c)
594 return -1;
595
596 return lxc_cmd_get_init_pid(c->name, c->config_path);
597 }
598
599 WRAP_API(pid_t, lxcapi_init_pid)
600
601 static int do_lxcapi_init_pidfd(struct lxc_container *c)
602 {
603 if (!c)
604 return ret_errno(EBADF);
605
606 return lxc_cmd_get_init_pidfd(c->name, c->config_path);
607 }
608
609 WRAP_API(int, lxcapi_init_pidfd)
610
611 static bool load_config_locked(struct lxc_container *c, const char *fname)
612 {
613 if (!c->lxc_conf)
614 c->lxc_conf = lxc_conf_init();
615
616 if (!c->lxc_conf)
617 return false;
618
619 if (lxc_config_read(fname, c->lxc_conf, false) != 0)
620 return false;
621
622 c->lxc_conf->name = c->name;
623 return true;
624 }
625
626 static bool do_lxcapi_load_config(struct lxc_container *c, const char *alt_file)
627 {
628 int lret;
629 const char *fname;
630 bool need_disklock = false, ret = false;
631
632 if (!c)
633 return false;
634
635 fname = c->configfile;
636
637 if (alt_file)
638 fname = alt_file;
639
640 if (!fname)
641 return false;
642
643 /* If we're reading something other than the container's config, we only
644 * need to lock the in-memory container. If loading the container's
645 * config file, take the disk lock.
646 */
647 if (strcmp(fname, c->configfile) == 0)
648 need_disklock = true;
649
650 if (need_disklock)
651 lret = container_disk_lock(c);
652 else
653 lret = container_mem_lock(c);
654 if (lret)
655 return false;
656
657 ret = load_config_locked(c, fname);
658
659 if (need_disklock)
660 container_disk_unlock(c);
661 else
662 container_mem_unlock(c);
663
664 return ret;
665 }
666
667 WRAP_API_1(bool, lxcapi_load_config, const char *)
668
669 static bool do_lxcapi_want_daemonize(struct lxc_container *c, bool state)
670 {
671 if (!c || !c->lxc_conf)
672 return false;
673
674 if (container_mem_lock(c))
675 return false;
676
677 c->daemonize = state;
678
679 container_mem_unlock(c);
680
681 return true;
682 }
683
684 WRAP_API_1(bool, lxcapi_want_daemonize, bool)
685
686 static bool do_lxcapi_want_close_all_fds(struct lxc_container *c, bool state)
687 {
688 if (!c || !c->lxc_conf)
689 return false;
690
691 if (container_mem_lock(c))
692 return false;
693
694 c->lxc_conf->close_all_fds = state;
695
696 container_mem_unlock(c);
697
698 return true;
699 }
700
701 WRAP_API_1(bool, lxcapi_want_close_all_fds, bool)
702
703 static bool do_lxcapi_wait(struct lxc_container *c, const char *state,
704 int timeout)
705 {
706 int ret;
707
708 if (!c)
709 return false;
710
711 ret = lxc_wait(c->name, state, timeout, c->config_path);
712 return ret == 0;
713 }
714
715 WRAP_API_2(bool, lxcapi_wait, const char *, int)
716
717 static bool am_single_threaded(void)
718 {
719 __do_closedir DIR *dir = NULL;
720 struct dirent *direntp;
721 int count = 0;
722
723 dir = opendir("/proc/self/task");
724 if (!dir)
725 return false;
726
727 while ((direntp = readdir(dir))) {
728 if (strcmp(direntp->d_name, ".") == 0)
729 continue;
730
731 if (strcmp(direntp->d_name, "..") == 0)
732 continue;
733
734 count++;
735 if (count > 1)
736 break;
737 }
738
739 return count == 1;
740 }
741
742 static void push_arg(char ***argp, char *arg, int *nargs)
743 {
744 char *copy;
745 char **argv;
746
747 copy = must_copy_string(arg);
748
749 do {
750 argv = realloc(*argp, (*nargs + 2) * sizeof(char *));
751 } while (!argv);
752
753 *argp = argv;
754 argv[*nargs] = copy;
755 (*nargs)++;
756 argv[*nargs] = NULL;
757 }
758
759 static char **split_init_cmd(const char *incmd)
760 {
761 __do_free char *copy = NULL;
762 char *p;
763 char **argv;
764 int nargs = 0;
765
766 if (!incmd)
767 return NULL;
768
769 copy = must_copy_string(incmd);
770
771 do {
772 argv = malloc(sizeof(char *));
773 } while (!argv);
774
775 argv[0] = NULL;
776 lxc_iterate_parts (p, copy, " ")
777 push_arg(&argv, p, &nargs);
778
779 if (nargs == 0) {
780 free(argv);
781 return NULL;
782 }
783
784 return argv;
785 }
786
787 static void free_init_cmd(char **argv)
788 {
789 int i = 0;
790
791 if (!argv)
792 return;
793
794 while (argv[i])
795 free(argv[i++]);
796
797 free(argv);
798 }
799
800 static int lxc_rcv_status(int state_socket)
801 {
802 int ret;
803 int state = -1;
804
805 again:
806 /* Receive container state. */
807 ret = lxc_abstract_unix_rcv_credential(state_socket, &state, sizeof(int));
808 if (ret <= 0) {
809 if (errno != EINTR)
810 return -1;
811
812 TRACE("Caught EINTR; retrying");
813 goto again;
814 }
815
816 return state;
817 }
818
819 static bool wait_on_daemonized_start(struct lxc_handler *handler, int pid)
820 {
821 int ret, state;
822
823 /* The first child is going to fork() again and then exits. So we reap
824 * the first child here.
825 */
826 ret = wait_for_pid(pid);
827 if (ret < 0)
828 DEBUG("Failed waiting on first child %d", pid);
829 else
830 DEBUG("First child %d exited", pid);
831
832 /* Close write end of the socket pair. */
833 close_prot_errno_disarm(handler->state_socket_pair[1]);
834
835 state = lxc_rcv_status(handler->state_socket_pair[0]);
836
837 /* Close read end of the socket pair. */
838 close_prot_errno_disarm(handler->state_socket_pair[0]);
839
840 if (state < 0) {
841 SYSERROR("Failed to receive the container state");
842 return false;
843 }
844
845 /* If we receive anything else then running we know that the container
846 * failed to start.
847 */
848 if (state != RUNNING) {
849 ERROR("Received container state \"%s\" instead of \"RUNNING\"",
850 lxc_state2str(state));
851 return false;
852 }
853
854 TRACE("Container is in \"RUNNING\" state");
855 return true;
856 }
857
858 static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const argv[])
859 {
860 int ret;
861 struct lxc_handler *handler;
862 struct lxc_conf *conf;
863 char *default_args[] = {
864 "/sbin/init",
865 NULL,
866 };
867 char **init_cmd = NULL;
868
869 /* container does exist */
870 if (!c)
871 return false;
872
873 /* If anything fails before we set error_num, we want an error in there.
874 */
875 c->error_num = 1;
876
877 /* Container has not been setup. */
878 if (!c->lxc_conf)
879 return false;
880
881 ret = ongoing_create(c);
882 switch (ret) {
883 case LXC_CREATE_FAILED:
884 ERROR("Failed checking for incomplete container creation");
885 return false;
886 case LXC_CREATE_ONGOING:
887 ERROR("Ongoing container creation detected");
888 return false;
889 case LXC_CREATE_INCOMPLETE:
890 ERROR("Failed to create container");
891 do_lxcapi_destroy(c);
892 return false;
893 }
894
895 if (container_mem_lock(c))
896 return false;
897
898 conf = c->lxc_conf;
899
900 /* initialize handler */
901 handler = lxc_init_handler(NULL, c->name, conf, c->config_path, c->daemonize);
902
903 container_mem_unlock(c);
904 if (!handler)
905 return false;
906
907 if (!argv) {
908 if (useinit && conf->execute_cmd)
909 argv = init_cmd = split_init_cmd(conf->execute_cmd);
910 else
911 argv = init_cmd = split_init_cmd(conf->init_cmd);
912 }
913
914 /* ... otherwise use default_args. */
915 if (!argv) {
916 if (useinit) {
917 ERROR("No valid init detected");
918 lxc_put_handler(handler);
919 return false;
920 }
921 argv = default_args;
922 }
923
924 /* I'm not sure what locks we want here.Any? Is liblxc's locking enough
925 * here to protect the on disk container? We don't want to exclude
926 * things like lxc_info while the container is running.
927 */
928 if (c->daemonize) {
929 bool started;
930 char title[2048];
931 pid_t pid_first, pid_second;
932
933 pid_first = fork();
934 if (pid_first < 0) {
935 free_init_cmd(init_cmd);
936 lxc_put_handler(handler);
937 return false;
938 }
939
940 /* first parent */
941 if (pid_first != 0) {
942 /* Set to NULL because we don't want father unlink
943 * the PID file, child will do the free and unlink.
944 */
945 c->pidfile = NULL;
946
947 /* Wait for container to tell us whether it started
948 * successfully.
949 */
950 started = wait_on_daemonized_start(handler, pid_first);
951
952 free_init_cmd(init_cmd);
953 lxc_put_handler(handler);
954 return started;
955 }
956
957 /* first child */
958
959 /* We don't really care if this doesn't print all the
960 * characters. All that it means is that the proctitle will be
961 * ugly. Similarly, we also don't care if setproctitle() fails.
962 */
963 ret = snprintf(title, sizeof(title), "[lxc monitor] %s %s", c->config_path, c->name);
964 if (ret > 0) {
965 ret = setproctitle(title);
966 if (ret < 0)
967 INFO("Failed to set process title to %s", title);
968 else
969 INFO("Set process title to %s", title);
970 }
971
972 /* We fork() a second time to be reparented to init. Like
973 * POSIX's daemon() function we change to "/" and redirect
974 * std{in,out,err} to /dev/null.
975 */
976 pid_second = fork();
977 if (pid_second < 0) {
978 SYSERROR("Failed to fork first child process");
979 _exit(EXIT_FAILURE);
980 }
981
982 /* second parent */
983 if (pid_second != 0) {
984 free_init_cmd(init_cmd);
985 lxc_put_handler(handler);
986 _exit(EXIT_SUCCESS);
987 }
988
989 /* second child */
990
991 /* change to / directory */
992 ret = chdir("/");
993 if (ret < 0) {
994 SYSERROR("Failed to change to \"/\" directory");
995 _exit(EXIT_FAILURE);
996 }
997
998 ret = inherit_fds(handler, true);
999 if (ret < 0)
1000 _exit(EXIT_FAILURE);
1001
1002 /* redirect std{in,out,err} to /dev/null */
1003 ret = null_stdfds();
1004 if (ret < 0) {
1005 ERROR("Failed to redirect std{in,out,err} to /dev/null");
1006 _exit(EXIT_FAILURE);
1007 }
1008
1009 /* become session leader */
1010 ret = setsid();
1011 if (ret < 0)
1012 TRACE("Process %d is already process group leader", lxc_raw_getpid());
1013 } else if (!am_single_threaded()) {
1014 ERROR("Cannot start non-daemonized container when threaded");
1015 free_init_cmd(init_cmd);
1016 lxc_put_handler(handler);
1017 return false;
1018 }
1019
1020 /* We need to write PID file after daemonize, so we always write the
1021 * right PID.
1022 */
1023 if (c->pidfile) {
1024 int w;
1025 char pidstr[INTTYPE_TO_STRLEN(pid_t)];
1026
1027 w = snprintf(pidstr, sizeof(pidstr), "%d", lxc_raw_getpid());
1028 if (w < 0 || (size_t)w >= sizeof(pidstr)) {
1029 free_init_cmd(init_cmd);
1030 lxc_put_handler(handler);
1031
1032 SYSERROR("Failed to write monitor pid to \"%s\"", c->pidfile);
1033
1034 if (c->daemonize)
1035 _exit(EXIT_FAILURE);
1036
1037 return false;
1038 }
1039
1040 ret = lxc_write_to_file(c->pidfile, pidstr, w, false, 0600);
1041 if (ret < 0) {
1042 free_init_cmd(init_cmd);
1043 lxc_put_handler(handler);
1044
1045 SYSERROR("Failed to write monitor pid to \"%s\"", c->pidfile);
1046
1047 if (c->daemonize)
1048 _exit(EXIT_FAILURE);
1049
1050 return false;
1051 }
1052 }
1053
1054 conf->reboot = REBOOT_NONE;
1055
1056 /* Unshare the mount namespace if requested */
1057 if (conf->monitor_unshare) {
1058 ret = unshare(CLONE_NEWNS);
1059 if (ret < 0) {
1060 SYSERROR("Failed to unshare mount namespace");
1061 lxc_put_handler(handler);
1062 ret = 1;
1063 goto on_error;
1064 }
1065
1066 ret = mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL);
1067 if (ret < 0) {
1068 SYSERROR("Failed to recursively turn root mount tree into dependent mount. Continuing...");
1069 lxc_put_handler(handler);
1070 ret = 1;
1071 goto on_error;
1072 }
1073 }
1074
1075 reboot:
1076 if (conf->reboot == REBOOT_INIT) {
1077 /* initialize handler */
1078 handler = lxc_init_handler(handler, c->name, conf, c->config_path, c->daemonize);
1079 if (!handler) {
1080 ret = 1;
1081 goto on_error;
1082 }
1083 }
1084
1085 ret = inherit_fds(handler, c->daemonize);
1086 if (ret < 0) {
1087 lxc_put_handler(handler);
1088 ret = 1;
1089 goto on_error;
1090 }
1091
1092 if (useinit)
1093 ret = lxc_execute(c->name, argv, 1, handler, c->config_path,
1094 c->daemonize, &c->error_num);
1095 else
1096 ret = lxc_start(argv, handler, c->config_path, c->daemonize,
1097 &c->error_num);
1098
1099 if (conf->reboot == REBOOT_REQ) {
1100 INFO("Container requested reboot");
1101 conf->reboot = REBOOT_INIT;
1102 goto reboot;
1103 }
1104
1105 on_error:
1106 if (c->pidfile) {
1107 unlink(c->pidfile);
1108 free(c->pidfile);
1109 c->pidfile = NULL;
1110 }
1111 free_init_cmd(init_cmd);
1112
1113 if (c->daemonize && ret != 0)
1114 _exit(EXIT_FAILURE);
1115 else if (c->daemonize)
1116 _exit(EXIT_SUCCESS);
1117
1118 if (ret != 0)
1119 return false;
1120
1121 return true;
1122 }
1123
1124 static bool lxcapi_start(struct lxc_container *c, int useinit,
1125 char *const argv[])
1126 {
1127 bool ret;
1128
1129 current_config = c ? c->lxc_conf : NULL;
1130 ret = do_lxcapi_start(c, useinit, argv);
1131 current_config = NULL;
1132
1133 return ret;
1134 }
1135
1136 /* Note, there MUST be an ending NULL. */
1137 static bool lxcapi_startl(struct lxc_container *c, int useinit, ...)
1138 {
1139 va_list ap;
1140 char **inargs = NULL;
1141 bool bret = false;
1142
1143 /* container exists */
1144 if (!c)
1145 return false;
1146
1147 current_config = c->lxc_conf;
1148
1149 va_start(ap, useinit);
1150 inargs = lxc_va_arg_list_to_argv(ap, 0, 1);
1151 va_end(ap);
1152 if (!inargs)
1153 goto on_error;
1154
1155 /* pass NULL if no arguments were supplied */
1156 bret = do_lxcapi_start(c, useinit, *inargs ? inargs : NULL);
1157
1158 on_error:
1159 if (inargs) {
1160 char **arg;
1161
1162 for (arg = inargs; *arg; arg++)
1163 free(*arg);
1164 free(inargs);
1165 }
1166
1167 current_config = NULL;
1168
1169 return bret;
1170 }
1171
1172 static bool do_lxcapi_stop(struct lxc_container *c)
1173 {
1174 int ret;
1175
1176 if (!c)
1177 return false;
1178
1179 ret = lxc_cmd_stop(c->name, c->config_path);
1180
1181 return ret == 0;
1182 }
1183
1184 WRAP_API(bool, lxcapi_stop)
1185
1186 static int do_create_container_dir(const char *path, struct lxc_conf *conf)
1187 {
1188 int lasterr;
1189 int ret = -1;
1190
1191 mode_t mask = umask(0002);
1192 ret = mkdir(path, 0770);
1193 lasterr = errno;
1194 umask(mask);
1195 errno = lasterr;
1196 if (ret) {
1197 if (errno != EEXIST)
1198 return -1;
1199
1200 ret = 0;
1201 }
1202
1203 if (!lxc_list_empty(&conf->id_map)) {
1204 ret = chown_mapped_root(path, conf);
1205 if (ret < 0)
1206 ret = -1;
1207 }
1208
1209 return ret;
1210 }
1211
1212 /* Create the standard expected container dir. */
1213 static bool create_container_dir(struct lxc_container *c)
1214 {
1215 int ret;
1216 size_t len;
1217 char *s;
1218
1219 len = strlen(c->config_path) + strlen(c->name) + 2;
1220 s = malloc(len);
1221 if (!s)
1222 return false;
1223
1224 ret = snprintf(s, len, "%s/%s", c->config_path, c->name);
1225 if (ret < 0 || (size_t)ret >= len) {
1226 free(s);
1227 return false;
1228 }
1229
1230 ret = do_create_container_dir(s, c->lxc_conf);
1231 free(s);
1232
1233 return ret == 0;
1234 }
1235
1236 /* do_storage_create: thin wrapper around storage_create(). Like
1237 * storage_create(), it returns a mounted bdev on success, NULL on error.
1238 */
1239 static struct lxc_storage *do_storage_create(struct lxc_container *c,
1240 const char *type,
1241 struct bdev_specs *specs)
1242 {
1243 __do_free char *dest = NULL;
1244 int ret;
1245 size_t len;
1246 struct lxc_storage *bdev;
1247
1248 /* rootfs.path or lxcpath/lxcname/rootfs */
1249 if (c->lxc_conf->rootfs.path &&
1250 (access(c->lxc_conf->rootfs.path, F_OK) == 0)) {
1251 const char *rpath = c->lxc_conf->rootfs.path;
1252 len = strlen(rpath) + 1;
1253 dest = must_realloc(NULL, len);
1254 ret = snprintf(dest, len, "%s", rpath);
1255 } else {
1256 const char *lxcpath = do_lxcapi_get_config_path(c);
1257 len = strlen(c->name) + 1 + strlen(lxcpath) + 1 + strlen(LXC_ROOTFS_DNAME) + 1;
1258 dest = must_realloc(NULL, len);
1259 ret = snprintf(dest, len, "%s/%s/%s", lxcpath, c->name, LXC_ROOTFS_DNAME);
1260 }
1261 if (ret < 0 || (size_t)ret >= len)
1262 return NULL;
1263
1264 bdev = storage_create(dest, type, c->name, specs, c->lxc_conf);
1265 if (!bdev) {
1266 ERROR("Failed to create \"%s\" storage", type);
1267 return NULL;
1268 }
1269
1270 if (!c->set_config_item(c, "lxc.rootfs.path", bdev->src)) {
1271 ERROR("Failed to set \"lxc.rootfs.path = %s\"", bdev->src);
1272 storage_put(bdev);
1273 return NULL;
1274 }
1275
1276 /* If we are not root, chown the rootfs dir to root in the target user
1277 * namespace.
1278 */
1279 if (am_guest_unpriv() || !lxc_list_empty(&c->lxc_conf->id_map)) {
1280 ret = chown_mapped_root(bdev->dest, c->lxc_conf);
1281 if (ret < 0) {
1282 ERROR("Error chowning \"%s\" to container root", bdev->dest);
1283 suggest_default_idmap();
1284 storage_put(bdev);
1285 return NULL;
1286 }
1287 }
1288
1289 return bdev;
1290 }
1291
1292 /* Strip path and return name of file for argv[0] passed to execvp */
1293 static char *lxctemplatefilename(char *tpath)
1294 {
1295 char *p;
1296
1297 p = tpath + strlen(tpath) - 1;
1298 while ( (p-1) >= tpath && *(p-1) != '/')
1299 p--;
1300
1301 return p;
1302 }
1303
1304 static bool create_run_template(struct lxc_container *c, char *tpath,
1305 bool need_null_stdfds, char *const argv[])
1306 {
1307 int ret;
1308 pid_t pid;
1309
1310 if (!tpath)
1311 return true;
1312
1313 pid = fork();
1314 if (pid < 0) {
1315 SYSERROR("Failed to fork task for container creation template");
1316 return false;
1317 }
1318
1319 if (pid == 0) { /* child */
1320 int i, len;
1321 char *namearg, *patharg, *rootfsarg;
1322 char **newargv;
1323 int nargs = 0;
1324 struct lxc_storage *bdev = NULL;
1325 struct lxc_conf *conf = c->lxc_conf;
1326 uid_t euid;
1327
1328 if (need_null_stdfds) {
1329 ret = null_stdfds();
1330 if (ret < 0)
1331 _exit(EXIT_FAILURE);
1332 }
1333
1334 bdev = storage_init(c->lxc_conf);
1335 if (!bdev) {
1336 ERROR("Failed to initialize storage");
1337 _exit(EXIT_FAILURE);
1338 }
1339
1340 euid = geteuid();
1341 if (euid == 0) {
1342 ret = unshare(CLONE_NEWNS);
1343 if (ret < 0) {
1344 ERROR("Failed to unshare CLONE_NEWNS");
1345 _exit(EXIT_FAILURE);
1346 }
1347
1348 if (detect_shared_rootfs() && mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL))
1349 SYSERROR("Failed to recursively turn root mount tree into dependent mount. Continuing...");
1350 }
1351
1352 if (strcmp(bdev->type, "dir") != 0 && strcmp(bdev->type, "btrfs") != 0) {
1353 if (euid != 0) {
1354 ERROR("Unprivileged users can only create "
1355 "btrfs and directory-backed containers");
1356 _exit(EXIT_FAILURE);
1357 }
1358
1359 if (strcmp(bdev->type, "overlay") == 0 ||
1360 strcmp(bdev->type, "overlayfs") == 0) {
1361 /* If we create an overlay container we need to
1362 * rsync the contents into
1363 * <container-path>/<container-name>/rootfs.
1364 * However, the overlay mount function will
1365 * mount
1366 * <container-path>/<container-name>/delta0
1367 * over
1368 * <container-path>/<container-name>/rootfs
1369 * which means we would rsync the rootfs into
1370 * the delta directory. That doesn't make sense
1371 * since the delta directory only exists to
1372 * record the differences to
1373 * <container-path>/<container-name>/rootfs. So
1374 * let's simply bind-mount here and then rsync
1375 * directly into
1376 * <container-path>/<container-name>/rootfs.
1377 */
1378 char *src;
1379
1380 src = ovl_get_rootfs(bdev->src, &(size_t){0});
1381 if (!src) {
1382 ERROR("Failed to get rootfs");
1383 _exit(EXIT_FAILURE);
1384 }
1385
1386 ret = mount(src, bdev->dest, "bind", MS_BIND | MS_REC, NULL);
1387 if (ret < 0) {
1388 ERROR("Failed to mount rootfs");
1389 _exit(EXIT_FAILURE);
1390 }
1391 } else {
1392 ret = bdev->ops->mount(bdev);
1393 if (ret < 0) {
1394 ERROR("Failed to mount rootfs");
1395 _exit(EXIT_FAILURE);
1396 }
1397 }
1398 } else { /* TODO come up with a better way here! */
1399 const char *src;
1400 free(bdev->dest);
1401 src = lxc_storage_get_path(bdev->src, bdev->type);
1402 bdev->dest = strdup(src);
1403 }
1404
1405 /* Create our new array, pre-pend the template name and base
1406 * args.
1407 */
1408 if (argv)
1409 for (nargs = 0; argv[nargs]; nargs++)
1410 ;
1411
1412 /* template, path, rootfs and name args */
1413 nargs += 4;
1414
1415 newargv = malloc(nargs * sizeof(*newargv));
1416 if (!newargv)
1417 _exit(EXIT_FAILURE);
1418 newargv[0] = lxctemplatefilename(tpath);
1419
1420 /* --path */
1421 len = strlen(c->config_path) + strlen(c->name) + strlen("--path=") + 2;
1422 patharg = malloc(len);
1423 if (!patharg)
1424 _exit(EXIT_FAILURE);
1425
1426 ret = snprintf(patharg, len, "--path=%s/%s", c->config_path, c->name);
1427 if (ret < 0 || ret >= len)
1428 _exit(EXIT_FAILURE);
1429 newargv[1] = patharg;
1430
1431 /* --name */
1432 len = strlen("--name=") + strlen(c->name) + 1;
1433 namearg = malloc(len);
1434 if (!namearg)
1435 _exit(EXIT_FAILURE);
1436
1437 ret = snprintf(namearg, len, "--name=%s", c->name);
1438 if (ret < 0 || ret >= len)
1439 _exit(EXIT_FAILURE);
1440 newargv[2] = namearg;
1441
1442 /* --rootfs */
1443 len = strlen("--rootfs=") + 1 + strlen(bdev->dest);
1444 rootfsarg = malloc(len);
1445 if (!rootfsarg)
1446 _exit(EXIT_FAILURE);
1447
1448 ret = snprintf(rootfsarg, len, "--rootfs=%s", bdev->dest);
1449 if (ret < 0 || ret >= len)
1450 _exit(EXIT_FAILURE);
1451 newargv[3] = rootfsarg;
1452
1453 /* add passed-in args */
1454 if (argv)
1455 for (i = 4; i < nargs; i++)
1456 newargv[i] = argv[i - 4];
1457
1458 /* add trailing NULL */
1459 nargs++;
1460 newargv = realloc(newargv, nargs * sizeof(*newargv));
1461 if (!newargv)
1462 _exit(EXIT_FAILURE);
1463 newargv[nargs - 1] = NULL;
1464
1465 /* If we're running the template in a mapped userns, then we
1466 * prepend the template command with: lxc-usernsexec <-m map1>
1467 * ... <-m mapn> -- and we append "--mapped-uid x", where x is
1468 * the mapped uid for our geteuid()
1469 */
1470 if (!lxc_list_empty(&conf->id_map)) {
1471 int extraargs, hostuid_mapped, hostgid_mapped;
1472 char **n2;
1473 char txtuid[20], txtgid[20];
1474 struct lxc_list *it;
1475 struct id_map *map;
1476 int n2args = 1;
1477
1478 n2 = malloc(n2args * sizeof(*n2));
1479 if (!n2)
1480 _exit(EXIT_FAILURE);
1481
1482 newargv[0] = tpath;
1483 tpath = "lxc-usernsexec";
1484 n2[0] = "lxc-usernsexec";
1485
1486 lxc_list_for_each(it, &conf->id_map) {
1487 map = it->elem;
1488 n2args += 2;
1489 n2 = realloc(n2, n2args * sizeof(char *));
1490 if (!n2)
1491 _exit(EXIT_FAILURE);
1492
1493 n2[n2args - 2] = "-m";
1494 n2[n2args - 1] = malloc(200);
1495 if (!n2[n2args - 1])
1496 _exit(EXIT_FAILURE);
1497
1498 ret = snprintf(n2[n2args - 1], 200, "%c:%lu:%lu:%lu",
1499 map->idtype == ID_TYPE_UID ? 'u' : 'g',
1500 map->nsid, map->hostid, map->range);
1501 if (ret < 0 || ret >= 200)
1502 _exit(EXIT_FAILURE);
1503 }
1504
1505 hostuid_mapped = mapped_hostid(geteuid(), conf, ID_TYPE_UID);
1506 extraargs = hostuid_mapped >= 0 ? 1 : 3;
1507
1508 n2 = realloc(n2, (nargs + n2args + extraargs) * sizeof(char *));
1509 if (!n2)
1510 _exit(EXIT_FAILURE);
1511
1512 if (hostuid_mapped < 0) {
1513 hostuid_mapped = find_unmapped_nsid(conf, ID_TYPE_UID);
1514 n2[n2args++] = "-m";
1515 if (hostuid_mapped < 0) {
1516 ERROR("Failed to find free uid to map");
1517 _exit(EXIT_FAILURE);
1518 }
1519
1520 n2[n2args++] = malloc(200);
1521 if (!n2[n2args - 1]) {
1522 SYSERROR("out of memory");
1523 _exit(EXIT_FAILURE);
1524 }
1525
1526 ret = snprintf(n2[n2args - 1], 200, "u:%d:%d:1",
1527 hostuid_mapped, geteuid());
1528 if (ret < 0 || ret >= 200)
1529 _exit(EXIT_FAILURE);
1530 }
1531
1532 hostgid_mapped = mapped_hostid(getegid(), conf, ID_TYPE_GID);
1533 extraargs = hostgid_mapped >= 0 ? 1 : 3;
1534
1535 n2 = realloc(n2, (nargs + n2args + extraargs) * sizeof(char *));
1536 if (!n2)
1537 _exit(EXIT_FAILURE);
1538
1539 if (hostgid_mapped < 0) {
1540 hostgid_mapped = find_unmapped_nsid(conf, ID_TYPE_GID);
1541 n2[n2args++] = "-m";
1542 if (hostgid_mapped < 0) {
1543 ERROR("Failed to find free gid to map");
1544 _exit(EXIT_FAILURE);
1545 }
1546
1547 n2[n2args++] = malloc(200);
1548 if (!n2[n2args - 1]) {
1549 SYSERROR("out of memory");
1550 _exit(EXIT_FAILURE);
1551 }
1552
1553 ret = snprintf(n2[n2args - 1], 200, "g:%d:%d:1",
1554 hostgid_mapped, getegid());
1555 if (ret < 0 || ret >= 200)
1556 _exit(EXIT_FAILURE);
1557 }
1558
1559 n2[n2args++] = "--";
1560
1561 for (i = 0; i < nargs; i++)
1562 n2[i + n2args] = newargv[i];
1563 n2args += nargs;
1564
1565 /* Finally add "--mapped-uid $uid" to tell template what
1566 * to chown cached images to.
1567 */
1568 n2args += 4;
1569 n2 = realloc(n2, n2args * sizeof(char *));
1570 if (!n2)
1571 _exit(EXIT_FAILURE);
1572
1573 /* note n2[n2args-1] is NULL */
1574 n2[n2args - 5] = "--mapped-uid";
1575
1576 ret = snprintf(txtuid, 20, "%d", hostuid_mapped);
1577 if (ret < 0 || ret >= 20) {
1578 free(newargv);
1579 free(n2);
1580 _exit(EXIT_FAILURE);
1581 }
1582
1583 n2[n2args - 4] = txtuid;
1584 n2[n2args - 3] = "--mapped-gid";
1585
1586 ret = snprintf(txtgid, 20, "%d", hostgid_mapped);
1587 if (ret < 0 || ret >= 20) {
1588 free(newargv);
1589 free(n2);
1590 _exit(EXIT_FAILURE);
1591 }
1592
1593 n2[n2args - 2] = txtgid;
1594 n2[n2args - 1] = NULL;
1595 free(newargv);
1596 newargv = n2;
1597 }
1598
1599 execvp(tpath, newargv);
1600 SYSERROR("Failed to execute template %s", tpath);
1601 _exit(EXIT_FAILURE);
1602 }
1603
1604 ret = wait_for_pid(pid);
1605 if (ret != 0) {
1606 ERROR("Failed to create container from template");
1607 return false;
1608 }
1609
1610 return true;
1611 }
1612
1613 static bool prepend_lxc_header(char *path, const char *t, char *const argv[])
1614 {
1615 long flen;
1616 size_t len;
1617 char *contents;
1618 FILE *f;
1619 int ret = -1;
1620 #if HAVE_OPENSSL
1621 int i;
1622 unsigned int md_len = 0;
1623 unsigned char md_value[EVP_MAX_MD_SIZE];
1624 char *tpath;
1625 #endif
1626
1627 f = fopen(path, "re");
1628 if (f == NULL)
1629 return false;
1630
1631 ret = fseek(f, 0, SEEK_END);
1632 if (ret < 0)
1633 goto out_error;
1634
1635 ret = -1;
1636 flen = ftell(f);
1637 if (flen < 0)
1638 goto out_error;
1639
1640 ret = fseek(f, 0, SEEK_SET);
1641 if (ret < 0)
1642 goto out_error;
1643
1644 ret = fseek(f, 0, SEEK_SET);
1645 if (ret < 0)
1646 goto out_error;
1647
1648 ret = -1;
1649 contents = malloc(flen + 1);
1650 if (!contents)
1651 goto out_error;
1652
1653 len = fread(contents, 1, flen, f);
1654 if (len != flen)
1655 goto out_free_contents;
1656
1657 contents[flen] = '\0';
1658
1659 ret = fclose(f);
1660 f = NULL;
1661 if (ret < 0)
1662 goto out_free_contents;
1663
1664 #if HAVE_OPENSSL
1665 tpath = get_template_path(t);
1666 if (!tpath) {
1667 ERROR("Invalid template \"%s\" specified", t);
1668 goto out_free_contents;
1669 }
1670
1671 ret = sha1sum_file(tpath, md_value, &md_len);
1672 if (ret < 0) {
1673 ERROR("Failed to get sha1sum of %s", tpath);
1674 free(tpath);
1675 goto out_free_contents;
1676 }
1677 free(tpath);
1678 #endif
1679
1680 f = fopen(path, "we");
1681 if (f == NULL) {
1682 SYSERROR("Reopening config for writing");
1683 free(contents);
1684 return false;
1685 }
1686
1687 fprintf(f, "# Template used to create this container: %s\n", t);
1688 if (argv) {
1689 fprintf(f, "# Parameters passed to the template:");
1690 while (*argv) {
1691 fprintf(f, " %s", *argv);
1692 argv++;
1693 }
1694 fprintf(f, "\n");
1695 }
1696
1697 #if HAVE_OPENSSL
1698 fprintf(f, "# Template script checksum (SHA-1): ");
1699 for (i=0; i<md_len; i++)
1700 fprintf(f, "%02x", md_value[i]);
1701 fprintf(f, "\n");
1702 #endif
1703 fprintf(f, "# For additional config options, please look at lxc.container.conf(5)\n");
1704 fprintf(f, "\n# Uncomment the following line to support nesting containers:\n");
1705 fprintf(f, "#lxc.include = " LXCTEMPLATECONFIG "/nesting.conf\n");
1706 fprintf(f, "# (Be aware this has security implications)\n\n");
1707 if (fwrite(contents, 1, flen, f) != flen) {
1708 SYSERROR("Writing original contents");
1709 free(contents);
1710 fclose(f);
1711 return false;
1712 }
1713
1714 ret = 0;
1715
1716 out_free_contents:
1717 free(contents);
1718
1719 out_error:
1720 if (f) {
1721 int newret;
1722 newret = fclose(f);
1723 if (ret == 0)
1724 ret = newret;
1725 }
1726
1727 if (ret < 0) {
1728 SYSERROR("Error prepending header");
1729 return false;
1730 }
1731
1732 return true;
1733 }
1734
1735 static void lxcapi_clear_config(struct lxc_container *c)
1736 {
1737 if (!c || !c->lxc_conf)
1738 return;
1739
1740 lxc_conf_free(c->lxc_conf);
1741 c->lxc_conf = NULL;
1742 }
1743
1744 #define do_lxcapi_clear_config(c) lxcapi_clear_config(c)
1745
1746 /*
1747 * lxcapi_create:
1748 * create a container with the given parameters.
1749 * @c: container to be created. It has the lxcpath, name, and a starting
1750 * configuration already set
1751 * @t: the template to execute to instantiate the root filesystem and
1752 * adjust the configuration.
1753 * @bdevtype: backing store type to use. If NULL, dir will be used.
1754 * @specs: additional parameters for the backing store, i.e. LVM vg to
1755 * use.
1756 *
1757 * @argv: the arguments to pass to the template, terminated by NULL. If no
1758 * arguments, you can just pass NULL.
1759 */
1760 static bool do_lxcapi_create(struct lxc_container *c, const char *t,
1761 const char *bdevtype, struct bdev_specs *specs,
1762 int flags, char *const argv[])
1763 {
1764 int partial_fd;
1765 mode_t mask;
1766 pid_t pid;
1767 bool ret = false, rootfs_managed = true;
1768 char *tpath = NULL;
1769
1770 if (!c)
1771 return false;
1772
1773 if (t) {
1774 tpath = get_template_path(t);
1775 if (!tpath) {
1776 ERROR("Unknown template \"%s\"", t);
1777 goto out;
1778 }
1779 }
1780
1781 /* If a template is passed in, and the rootfs already is defined in the
1782 * container config and exists, then the caller is trying to create an
1783 * existing container. Return an error, but do NOT delete the container.
1784 */
1785 if (do_lxcapi_is_defined(c) && c->lxc_conf && c->lxc_conf->rootfs.path &&
1786 access(c->lxc_conf->rootfs.path, F_OK) == 0 && tpath) {
1787 ERROR("Container \"%s\" already exists in \"%s\"", c->name,
1788 c->config_path);
1789 goto free_tpath;
1790 }
1791
1792 if (!c->lxc_conf) {
1793 if (!do_lxcapi_load_config(c, lxc_global_config_value("lxc.default_config"))) {
1794 ERROR("Error loading default configuration file %s",
1795 lxc_global_config_value("lxc.default_config"));
1796 goto free_tpath;
1797 }
1798 }
1799
1800 if (!create_container_dir(c))
1801 goto free_tpath;
1802
1803 if (c->lxc_conf->rootfs.path)
1804 rootfs_managed = false;
1805
1806 /* If both template and rootfs.path are set, template is setup as
1807 * rootfs.path. The container is already created if we have a config and
1808 * rootfs.path is accessible
1809 */
1810 if (!c->lxc_conf->rootfs.path && !tpath) {
1811 /* No template passed in and rootfs does not exist. */
1812 if (!c->save_config(c, NULL)) {
1813 ERROR("Failed to save initial config for \"%s\"", c->name);
1814 goto out;
1815 }
1816 ret = true;
1817 goto out;
1818 }
1819
1820 /* Rootfs passed into configuration, but does not exist. */
1821 if (c->lxc_conf->rootfs.path && access(c->lxc_conf->rootfs.path, F_OK) != 0)
1822 goto out;
1823
1824 if (do_lxcapi_is_defined(c) && c->lxc_conf->rootfs.path && !tpath) {
1825 /* Rootfs already existed, user just wanted to save the loaded
1826 * configuration.
1827 */
1828 if (!c->save_config(c, NULL))
1829 ERROR("Failed to save initial config for \"%s\"", c->name);
1830
1831 ret = true;
1832 goto out;
1833 }
1834
1835 /* Mark that this container is being created */
1836 partial_fd = create_partial(c);
1837 if (partial_fd < 0)
1838 goto out;
1839
1840 /* No need to get disk lock bc we have the partial lock. */
1841
1842 mask = umask(0022);
1843
1844 /* Create the storage.
1845 * Note we can't do this in the same task as we use to execute the
1846 * template because of the way zfs works.
1847 * After you 'zfs create', zfs mounts the fs only in the initial
1848 * namespace.
1849 */
1850 pid = fork();
1851 if (pid < 0) {
1852 SYSERROR("Failed to fork task for container creation template");
1853 goto out_unlock;
1854 }
1855
1856 if (pid == 0) { /* child */
1857 struct lxc_storage *bdev = NULL;
1858
1859 bdev = do_storage_create(c, bdevtype, specs);
1860 if (!bdev) {
1861 ERROR("Failed to create %s storage for %s",
1862 bdevtype ? bdevtype : "(none)", c->name);
1863 _exit(EXIT_FAILURE);
1864 }
1865
1866 /* Save config file again to store the new rootfs location. */
1867 if (!do_lxcapi_save_config(c, NULL)) {
1868 ERROR("Failed to save initial config for %s", c->name);
1869 /* Parent task won't see the storage driver in the
1870 * config so we delete it.
1871 */
1872 bdev->ops->umount(bdev);
1873 bdev->ops->destroy(bdev);
1874 _exit(EXIT_FAILURE);
1875 }
1876
1877 _exit(EXIT_SUCCESS);
1878 }
1879
1880 if (wait_for_pid(pid) != 0)
1881 goto out_unlock;
1882
1883 /* Reload config to get the rootfs. */
1884 lxc_conf_free(c->lxc_conf);
1885 c->lxc_conf = NULL;
1886
1887 if (!load_config_locked(c, c->configfile))
1888 goto out_unlock;
1889
1890 if (!create_run_template(c, tpath, !!(flags & LXC_CREATE_QUIET), argv))
1891 goto out_unlock;
1892
1893 /* Now clear out the lxc_conf we have, reload from the created
1894 * container.
1895 */
1896 do_lxcapi_clear_config(c);
1897
1898 if (t) {
1899 if (!prepend_lxc_header(c->configfile, tpath, argv)) {
1900 ERROR("Failed to prepend header to config file");
1901 goto out_unlock;
1902 }
1903 }
1904
1905 ret = load_config_locked(c, c->configfile);
1906
1907 out_unlock:
1908 umask(mask);
1909 remove_partial(c, partial_fd);
1910
1911 out:
1912 if (!ret) {
1913 bool reset_managed = c->lxc_conf->rootfs.managed;
1914
1915 /*
1916 * Ensure that we don't destroy storage we didn't create
1917 * ourselves.
1918 */
1919 if (!rootfs_managed)
1920 c->lxc_conf->rootfs.managed = false;
1921 container_destroy(c, NULL);
1922 c->lxc_conf->rootfs.managed = reset_managed;
1923 }
1924
1925 free_tpath:
1926 free(tpath);
1927 return ret;
1928 }
1929
1930 static bool lxcapi_create(struct lxc_container *c, const char *t,
1931 const char *bdevtype, struct bdev_specs *specs,
1932 int flags, char *const argv[])
1933 {
1934 bool ret;
1935
1936 current_config = c ? c->lxc_conf : NULL;
1937
1938 ret = do_lxcapi_create(c, t, bdevtype, specs, flags, argv);
1939 current_config = NULL;
1940 return ret;
1941 }
1942
1943 static bool do_lxcapi_reboot(struct lxc_container *c)
1944 {
1945 __do_close int pidfd = -EBADF;
1946 pid_t pid = -1;
1947 int ret;
1948 int rebootsignal = SIGINT;
1949
1950 if (!c)
1951 return false;
1952
1953 if (!do_lxcapi_is_running(c))
1954 return false;
1955
1956 pidfd = do_lxcapi_init_pidfd(c);
1957 if (pidfd < 0) {
1958 pid = do_lxcapi_init_pid(c);
1959 if (pid <= 0)
1960 return false;
1961 }
1962
1963 if (c->lxc_conf && c->lxc_conf->rebootsignal)
1964 rebootsignal = c->lxc_conf->rebootsignal;
1965
1966 if (pidfd >= 0)
1967 ret = lxc_raw_pidfd_send_signal(pidfd, rebootsignal, NULL, 0);
1968 else
1969 ret = kill(pid, rebootsignal);
1970 if (ret < 0)
1971 return log_warn(false, "Failed to send signal %d to pid %d",
1972 rebootsignal, pid);
1973
1974 return true;
1975 }
1976
1977 WRAP_API(bool, lxcapi_reboot)
1978
1979 static bool do_lxcapi_reboot2(struct lxc_container *c, int timeout)
1980 {
1981 __do_close int pidfd = -EBADF, state_client_fd = -EBADF;
1982 int rebootsignal = SIGINT;
1983 pid_t pid = -1;
1984 lxc_state_t states[MAX_STATE] = {0};
1985 int killret, ret;
1986
1987 if (!c)
1988 return false;
1989
1990 if (!do_lxcapi_is_running(c))
1991 return true;
1992
1993 pidfd = do_lxcapi_init_pidfd(c);
1994 if (pidfd < 0) {
1995 pid = do_lxcapi_init_pid(c);
1996 if (pid <= 0)
1997 return true;
1998 }
1999
2000 if (c->lxc_conf && c->lxc_conf->rebootsignal)
2001 rebootsignal = c->lxc_conf->rebootsignal;
2002
2003 /* Add a new state client before sending the shutdown signal so that we
2004 * don't miss a state.
2005 */
2006 if (timeout != 0) {
2007 states[RUNNING] = 2;
2008 ret = lxc_cmd_add_state_client(c->name, c->config_path, states,
2009 &state_client_fd);
2010 if (ret < 0)
2011 return false;
2012
2013 if (state_client_fd < 0)
2014 return false;
2015
2016 if (ret == RUNNING)
2017 return true;
2018
2019 if (ret < MAX_STATE)
2020 return false;
2021 }
2022
2023 /* Send reboot signal to container. */
2024 if (pidfd >= 0)
2025 killret = lxc_raw_pidfd_send_signal(pidfd, rebootsignal, NULL, 0);
2026 else
2027 killret = kill(pid, rebootsignal);
2028 if (killret < 0)
2029 return log_warn(false, "Failed to send signal %d to pid %d", rebootsignal, pid);
2030 TRACE("Sent signal %d to pid %d", rebootsignal, pid);
2031
2032 if (timeout == 0)
2033 return true;
2034
2035 ret = lxc_cmd_sock_rcv_state(state_client_fd, timeout);
2036 if (ret < 0)
2037 return false;
2038
2039 TRACE("Received state \"%s\"", lxc_state2str(ret));
2040 if (ret != RUNNING)
2041 return false;
2042
2043 return true;
2044 }
2045
2046 WRAP_API_1(bool, lxcapi_reboot2, int)
2047
2048 static bool do_lxcapi_shutdown(struct lxc_container *c, int timeout)
2049 {
2050 __do_close int pidfd = -EBADF, state_client_fd = -EBADF;
2051 int haltsignal = SIGPWR;
2052 pid_t pid = -1;
2053 lxc_state_t states[MAX_STATE] = {0};
2054 int killret, ret;
2055
2056 if (!c)
2057 return false;
2058
2059 if (!do_lxcapi_is_running(c))
2060 return true;
2061
2062 pidfd = do_lxcapi_init_pidfd(c);
2063 pid = do_lxcapi_init_pid(c);
2064 if (pid <= 0)
2065 return true;
2066
2067 /* Detect whether we should send SIGRTMIN + 3 (e.g. systemd). */
2068 if (c->lxc_conf && c->lxc_conf->haltsignal)
2069 haltsignal = c->lxc_conf->haltsignal;
2070 else if (task_blocks_signal(pid, (SIGRTMIN + 3)))
2071 haltsignal = (SIGRTMIN + 3);
2072
2073
2074 /*
2075 * Add a new state client before sending the shutdown signal so
2076 * that we don't miss a state.
2077 */
2078 if (timeout != 0) {
2079 states[STOPPED] = 1;
2080 ret = lxc_cmd_add_state_client(c->name, c->config_path, states,
2081 &state_client_fd);
2082 if (ret < 0)
2083 return false;
2084
2085 if (state_client_fd < 0)
2086 return false;
2087
2088 if (ret == STOPPED)
2089 return true;
2090
2091 if (ret < MAX_STATE)
2092 return false;
2093 }
2094
2095 if (pidfd >= 0) {
2096 struct pollfd pidfd_poll = {
2097 .events = POLLIN,
2098 .fd = pidfd,
2099 };
2100
2101 killret = lxc_raw_pidfd_send_signal(pidfd, haltsignal,
2102 NULL, 0);
2103 if (killret < 0)
2104 return log_warn(false, "Failed to send signal %d to pidfd %d",
2105 haltsignal, pidfd);
2106
2107 TRACE("Sent signal %d to pidfd %d", haltsignal, pidfd);
2108
2109 /*
2110 * No need for going through all of the state server
2111 * complications anymore. We can just poll on pidfds. :)
2112 */
2113
2114 if (timeout != 0) {
2115 ret = poll(&pidfd_poll, 1, timeout * 1000);
2116 if (ret < 0 || !(pidfd_poll.revents & POLLIN))
2117 return false;
2118
2119 TRACE("Pidfd polling detected container exit");
2120 }
2121 } else {
2122 killret = kill(pid, haltsignal);
2123 if (killret < 0)
2124 return log_warn(false, "Failed to send signal %d to pid %d",
2125 haltsignal, pid);
2126
2127 TRACE("Sent signal %d to pid %d", haltsignal, pid);
2128 }
2129
2130 if (timeout == 0)
2131 return true;
2132
2133 ret = lxc_cmd_sock_rcv_state(state_client_fd, timeout);
2134 if (ret < 0)
2135 return false;
2136
2137 TRACE("Received state \"%s\"", lxc_state2str(ret));
2138 if (ret != STOPPED)
2139 return false;
2140
2141 return true;
2142 }
2143
2144 WRAP_API_1(bool, lxcapi_shutdown, int)
2145
2146 static bool lxcapi_createl(struct lxc_container *c, const char *t,
2147 const char *bdevtype, struct bdev_specs *specs, int flags, ...)
2148 {
2149 bool bret = false;
2150 char **args = NULL;
2151 va_list ap;
2152
2153 if (!c)
2154 return false;
2155
2156 current_config = c->lxc_conf;
2157
2158 /*
2159 * since we're going to wait for create to finish, I don't think we
2160 * need to get a copy of the arguments.
2161 */
2162 va_start(ap, flags);
2163 args = lxc_va_arg_list_to_argv(ap, 0, 0);
2164 va_end(ap);
2165 if (!args) {
2166 ERROR("Failed to allocate memory");
2167 goto out;
2168 }
2169
2170 bret = do_lxcapi_create(c, t, bdevtype, specs, flags, args);
2171
2172 out:
2173 free(args);
2174 current_config = NULL;
2175 return bret;
2176 }
2177
2178 static void do_clear_unexp_config_line(struct lxc_conf *conf, const char *key)
2179 {
2180 if (!strcmp(key, "lxc.cgroup"))
2181 return clear_unexp_config_line(conf, key, true);
2182
2183 if (!strcmp(key, "lxc.network"))
2184 return clear_unexp_config_line(conf, key, true);
2185
2186 if (!strcmp(key, "lxc.net"))
2187 return clear_unexp_config_line(conf, key, true);
2188
2189 /* Clear a network with a specific index. */
2190 if (!strncmp(key, "lxc.net.", 8)) {
2191 int ret;
2192 const char *idx;
2193
2194 idx = key + 8;
2195 ret = lxc_safe_uint(idx, &(unsigned int){0});
2196 if (!ret)
2197 return clear_unexp_config_line(conf, key, true);
2198 }
2199
2200 if (!strcmp(key, "lxc.hook"))
2201 return clear_unexp_config_line(conf, key, true);
2202
2203 return clear_unexp_config_line(conf, key, false);
2204 }
2205
2206 static bool do_lxcapi_clear_config_item(struct lxc_container *c,
2207 const char *key)
2208 {
2209 int ret = 1;
2210 struct lxc_config_t *config;
2211
2212 if (!c || !c->lxc_conf)
2213 return false;
2214
2215 if (container_mem_lock(c))
2216 return false;
2217
2218 config = lxc_get_config(key);
2219 /* Verify that the config key exists and that it has a callback
2220 * implemented.
2221 */
2222 if (config && config->clr)
2223 ret = config->clr(key, c->lxc_conf, NULL);
2224
2225 if (!ret)
2226 do_clear_unexp_config_line(c->lxc_conf, key);
2227
2228 container_mem_unlock(c);
2229 return ret == 0;
2230 }
2231
2232 WRAP_API_1(bool, lxcapi_clear_config_item, const char *)
2233
2234 static inline bool enter_net_ns(struct lxc_container *c)
2235 {
2236 pid_t pid = do_lxcapi_init_pid(c);
2237
2238 if (pid < 0)
2239 return false;
2240
2241 if ((geteuid() != 0 || (c->lxc_conf && !lxc_list_empty(&c->lxc_conf->id_map))) &&
2242 (access("/proc/self/ns/user", F_OK) == 0))
2243 if (!switch_to_ns(pid, "user"))
2244 return false;
2245
2246 return switch_to_ns(pid, "net");
2247 }
2248
2249 /* Used by qsort and bsearch functions for comparing names. */
2250 static inline int string_cmp(char **first, char **second)
2251 {
2252 return strcmp(*first, *second);
2253 }
2254
2255 /* Used by qsort and bsearch functions for comparing container names. */
2256 static inline int container_cmp(struct lxc_container **first,
2257 struct lxc_container **second)
2258 {
2259 return strcmp((*first)->name, (*second)->name);
2260 }
2261
2262 static bool add_to_array(char ***names, char *cname, int pos)
2263 {
2264 char **newnames = realloc(*names, (pos+1) * sizeof(char *));
2265 if (!newnames) {
2266 ERROR("Out of memory");
2267 return false;
2268 }
2269
2270 *names = newnames;
2271 newnames[pos] = strdup(cname);
2272 if (!newnames[pos])
2273 return false;
2274
2275 /* Sort the array as we will use binary search on it. */
2276 qsort(newnames, pos + 1, sizeof(char *),
2277 (int (*)(const void *, const void *))string_cmp);
2278
2279 return true;
2280 }
2281
2282 static bool add_to_clist(struct lxc_container ***list, struct lxc_container *c,
2283 int pos, bool sort)
2284 {
2285 struct lxc_container **newlist = realloc(*list, (pos + 1) * sizeof(struct lxc_container *));
2286 if (!newlist) {
2287 ERROR("Out of memory");
2288 return false;
2289 }
2290
2291 *list = newlist;
2292 newlist[pos] = c;
2293
2294 /* Sort the array as we will use binary search on it. */
2295 if (sort)
2296 qsort(newlist, pos + 1, sizeof(struct lxc_container *),
2297 (int (*)(const void *, const void *))container_cmp);
2298
2299 return true;
2300 }
2301
2302 static char** get_from_array(char ***names, char *cname, int size)
2303 {
2304 return (char **)bsearch(&cname, *names, size, sizeof(char *), (int (*)(const void *, const void *))string_cmp);
2305 }
2306
2307 static bool array_contains(char ***names, char *cname, int size)
2308 {
2309 if(get_from_array(names, cname, size) != NULL)
2310 return true;
2311
2312 return false;
2313 }
2314
2315 static bool remove_from_array(char ***names, char *cname, int size)
2316 {
2317 char **result = get_from_array(names, cname, size);
2318 if (result != NULL) {
2319 free(result);
2320 return true;
2321 }
2322
2323 return false;
2324 }
2325
2326 static char **do_lxcapi_get_interfaces(struct lxc_container *c)
2327 {
2328 pid_t pid;
2329 int i, count = 0, pipefd[2];
2330 char **interfaces = NULL;
2331 char interface[IFNAMSIZ];
2332
2333 if (pipe2(pipefd, O_CLOEXEC) < 0)
2334 return NULL;
2335
2336 pid = fork();
2337 if (pid < 0) {
2338 SYSERROR("Failed to fork task to get interfaces information");
2339 close(pipefd[0]);
2340 close(pipefd[1]);
2341 return NULL;
2342 }
2343
2344 if (pid == 0) { /* child */
2345 int ret = 1, nbytes;
2346 struct netns_ifaddrs *interfaceArray = NULL, *tempIfAddr = NULL;
2347
2348 /* close the read-end of the pipe */
2349 close(pipefd[0]);
2350
2351 if (!enter_net_ns(c)) {
2352 SYSERROR("Failed to enter network namespace");
2353 goto out;
2354 }
2355
2356 /* Grab the list of interfaces */
2357 if (netns_getifaddrs(&interfaceArray, -1, &(bool){false})) {
2358 SYSERROR("Failed to get interfaces list");
2359 goto out;
2360 }
2361
2362 /* Iterate through the interfaces */
2363 for (tempIfAddr = interfaceArray; tempIfAddr != NULL;
2364 tempIfAddr = tempIfAddr->ifa_next) {
2365 nbytes = lxc_write_nointr(pipefd[1], tempIfAddr->ifa_name, IFNAMSIZ);
2366 if (nbytes < 0)
2367 goto out;
2368
2369 count++;
2370 }
2371
2372 ret = 0;
2373
2374 out:
2375 if (interfaceArray)
2376 netns_freeifaddrs(interfaceArray);
2377
2378 /* close the write-end of the pipe, thus sending EOF to the reader */
2379 close(pipefd[1]);
2380 _exit(ret);
2381 }
2382
2383 /* close the write-end of the pipe */
2384 close(pipefd[1]);
2385
2386 while (lxc_read_nointr(pipefd[0], &interface, IFNAMSIZ) == IFNAMSIZ) {
2387 interface[IFNAMSIZ - 1] = '\0';
2388
2389 if (array_contains(&interfaces, interface, count))
2390 continue;
2391
2392 if (!add_to_array(&interfaces, interface, count))
2393 ERROR("Failed to add \"%s\" to array", interface);
2394
2395 count++;
2396 }
2397
2398 if (wait_for_pid(pid) != 0) {
2399 for (i = 0; i < count; i++)
2400 free(interfaces[i]);
2401
2402 free(interfaces);
2403 interfaces = NULL;
2404 }
2405
2406 /* close the read-end of the pipe */
2407 close(pipefd[0]);
2408
2409 /* Append NULL to the array */
2410 if (interfaces)
2411 interfaces = (char **)lxc_append_null_to_array((void **)interfaces, count);
2412
2413 return interfaces;
2414 }
2415
2416 WRAP_API(char **, lxcapi_get_interfaces)
2417
2418 static char **do_lxcapi_get_ips(struct lxc_container *c, const char *interface,
2419 const char *family, int scope)
2420 {
2421 int i, ret;
2422 pid_t pid;
2423 int pipefd[2];
2424 char address[INET6_ADDRSTRLEN];
2425 int count = 0;
2426 char **addresses = NULL;
2427
2428 ret = pipe2(pipefd, O_CLOEXEC);
2429 if (ret < 0) {
2430 SYSERROR("Failed to create pipe");
2431 return NULL;
2432 }
2433
2434 pid = fork();
2435 if (pid < 0) {
2436 SYSERROR("Failed to create new process");
2437 close(pipefd[0]);
2438 close(pipefd[1]);
2439 return NULL;
2440 }
2441
2442 if (pid == 0) {
2443 ssize_t nbytes;
2444 char addressOutputBuffer[INET6_ADDRSTRLEN];
2445 char *address_ptr = NULL;
2446 void *tempAddrPtr = NULL;
2447 struct netns_ifaddrs *interfaceArray = NULL, *tempIfAddr = NULL;
2448
2449 /* close the read-end of the pipe */
2450 close(pipefd[0]);
2451
2452 if (!enter_net_ns(c)) {
2453 SYSERROR("Failed to attach to network namespace");
2454 goto out;
2455 }
2456
2457 /* Grab the list of interfaces */
2458 if (netns_getifaddrs(&interfaceArray, -1, &(bool){false})) {
2459 SYSERROR("Failed to get interfaces list");
2460 goto out;
2461 }
2462
2463 /* Iterate through the interfaces */
2464 for (tempIfAddr = interfaceArray; tempIfAddr;
2465 tempIfAddr = tempIfAddr->ifa_next) {
2466 if (tempIfAddr->ifa_addr == NULL)
2467 continue;
2468
2469 #pragma GCC diagnostic push
2470 #pragma GCC diagnostic ignored "-Wcast-align"
2471
2472 if (tempIfAddr->ifa_addr->sa_family == AF_INET) {
2473 if (family && strcmp(family, "inet"))
2474 continue;
2475
2476 tempAddrPtr = &((struct sockaddr_in *)tempIfAddr->ifa_addr)->sin_addr;
2477 } else {
2478 if (family && strcmp(family, "inet6"))
2479 continue;
2480
2481 if (((struct sockaddr_in6 *)tempIfAddr->ifa_addr)->sin6_scope_id != scope)
2482 continue;
2483
2484 tempAddrPtr = &((struct sockaddr_in6 *)tempIfAddr->ifa_addr)->sin6_addr;
2485 }
2486
2487 #pragma GCC diagnostic pop
2488
2489 if (interface && strcmp(interface, tempIfAddr->ifa_name))
2490 continue;
2491 else if (!interface && strcmp("lo", tempIfAddr->ifa_name) == 0)
2492 continue;
2493
2494 address_ptr = (char *)inet_ntop(tempIfAddr->ifa_addr->sa_family,
2495 tempAddrPtr, addressOutputBuffer,
2496 sizeof(addressOutputBuffer));
2497 if (!address_ptr)
2498 continue;
2499
2500 nbytes = lxc_write_nointr(pipefd[1], address_ptr, INET6_ADDRSTRLEN);
2501 if (nbytes != INET6_ADDRSTRLEN) {
2502 SYSERROR("Failed to send ipv6 address \"%s\"",
2503 address_ptr);
2504 goto out;
2505 }
2506
2507 count++;
2508 }
2509
2510 ret = 0;
2511
2512 out:
2513 if (interfaceArray)
2514 netns_freeifaddrs(interfaceArray);
2515
2516 /* close the write-end of the pipe, thus sending EOF to the reader */
2517 close(pipefd[1]);
2518 _exit(ret);
2519 }
2520
2521 /* close the write-end of the pipe */
2522 close(pipefd[1]);
2523
2524 while (lxc_read_nointr(pipefd[0], &address, INET6_ADDRSTRLEN) == INET6_ADDRSTRLEN) {
2525 address[INET6_ADDRSTRLEN - 1] = '\0';
2526
2527 if (!add_to_array(&addresses, address, count))
2528 ERROR("PARENT: add_to_array failed");
2529
2530 count++;
2531 }
2532
2533 if (wait_for_pid(pid) != 0) {
2534 for (i = 0; i < count; i++)
2535 free(addresses[i]);
2536
2537 free(addresses);
2538 addresses = NULL;
2539 }
2540
2541 /* close the read-end of the pipe */
2542 close(pipefd[0]);
2543
2544 /* Append NULL to the array */
2545 if (addresses)
2546 addresses = (char **)lxc_append_null_to_array((void **)addresses, count);
2547
2548 return addresses;
2549 }
2550
2551 WRAP_API_3(char **, lxcapi_get_ips, const char *, const char *, int)
2552
2553 static int do_lxcapi_get_config_item(struct lxc_container *c, const char *key, char *retv, int inlen)
2554 {
2555 int ret = -1;
2556 struct lxc_config_t *config;
2557
2558 if (!c || !c->lxc_conf)
2559 return -1;
2560
2561 if (container_mem_lock(c))
2562 return -1;
2563
2564 config = lxc_get_config(key);
2565 /* Verify that the config key exists and that it has a callback
2566 * implemented.
2567 */
2568 if (config && config->get)
2569 ret = config->get(key, retv, inlen, c->lxc_conf, NULL);
2570
2571 container_mem_unlock(c);
2572 return ret;
2573 }
2574
2575 WRAP_API_3(int, lxcapi_get_config_item, const char *, char *, int)
2576
2577 static char* do_lxcapi_get_running_config_item(struct lxc_container *c, const char *key)
2578 {
2579 char *ret;
2580
2581 if (!c || !c->lxc_conf)
2582 return NULL;
2583
2584 if (container_mem_lock(c))
2585 return NULL;
2586
2587 ret = lxc_cmd_get_config_item(c->name, key, do_lxcapi_get_config_path(c));
2588 container_mem_unlock(c);
2589 return ret;
2590 }
2591
2592 WRAP_API_1(char *, lxcapi_get_running_config_item, const char *)
2593
2594 static int do_lxcapi_get_keys(struct lxc_container *c, const char *key, char *retv, int inlen)
2595 {
2596 int ret = -1;
2597
2598 /* List all config items. */
2599 if (!key)
2600 return lxc_list_config_items(retv, inlen);
2601
2602 if (!c || !c->lxc_conf)
2603 return -1;
2604
2605 if (container_mem_lock(c))
2606 return -1;
2607
2608 /* Support 'lxc.net.<idx>', i.e. 'lxc.net.0'
2609 * This is an intelligent result to show which keys are valid given the
2610 * type of nic it is.
2611 */
2612 if (strncmp(key, "lxc.net.", 8) == 0)
2613 ret = lxc_list_net(c->lxc_conf, key, retv, inlen);
2614 else
2615 ret = lxc_list_subkeys(c->lxc_conf, key, retv, inlen);
2616
2617 container_mem_unlock(c);
2618 return ret;
2619 }
2620
2621 WRAP_API_3(int, lxcapi_get_keys, const char *, char *, int)
2622
2623 static bool do_lxcapi_save_config(struct lxc_container *c, const char *alt_file)
2624 {
2625 int fd, lret;
2626 bool ret = false, need_disklock = false;
2627
2628 if (!alt_file)
2629 alt_file = c->configfile;
2630
2631 if (!alt_file)
2632 return false;
2633
2634 /* If we haven't yet loaded a config, load the stock config. */
2635 if (!c->lxc_conf) {
2636 if (!do_lxcapi_load_config(c, lxc_global_config_value("lxc.default_config"))) {
2637 ERROR("Error loading default configuration file %s "
2638 "while saving %s",
2639 lxc_global_config_value("lxc.default_config"),
2640 c->name);
2641 return false;
2642 }
2643 }
2644
2645 if (!create_container_dir(c))
2646 return false;
2647
2648 /* If we're writing to the container's config file, take the disk lock.
2649 * Otherwise just take the memlock to protect the struct lxc_container
2650 * while we're traversing it.
2651 */
2652 if (strcmp(c->configfile, alt_file) == 0)
2653 need_disklock = true;
2654
2655 if (need_disklock)
2656 lret = container_disk_lock(c);
2657 else
2658 lret = container_mem_lock(c);
2659 if (lret)
2660 return false;
2661
2662 fd = open(alt_file, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC,
2663 S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
2664 if (fd < 0)
2665 goto on_error;
2666
2667 lret = write_config(fd, c->lxc_conf);
2668 close(fd);
2669 if (lret < 0)
2670 goto on_error;
2671
2672 ret = true;
2673
2674 on_error:
2675 if (need_disklock)
2676 container_disk_unlock(c);
2677 else
2678 container_mem_unlock(c);
2679
2680 return ret;
2681 }
2682
2683 WRAP_API_1(bool, lxcapi_save_config, const char *)
2684
2685
2686 static bool mod_rdep(struct lxc_container *c0, struct lxc_container *c, bool inc)
2687 {
2688 FILE *f1;
2689 struct stat fbuf;
2690 void *buf = NULL;
2691 char *del = NULL;
2692 char path[PATH_MAX];
2693 char newpath[PATH_MAX];
2694 int fd, ret, n = 0, v = 0;
2695 bool bret = false;
2696 size_t len = 0, bytes = 0;
2697
2698 if (container_disk_lock(c0))
2699 return false;
2700
2701 ret = snprintf(path, PATH_MAX, "%s/%s/lxc_snapshots", c0->config_path, c0->name);
2702 if (ret < 0 || ret > PATH_MAX)
2703 goto out;
2704
2705 ret = snprintf(newpath, PATH_MAX, "%s\n%s\n", c->config_path, c->name);
2706 if (ret < 0 || ret > PATH_MAX)
2707 goto out;
2708
2709 /* If we find an lxc-snapshot file using the old format only listing the
2710 * number of snapshots we will keep using it. */
2711 f1 = fopen(path, "re");
2712 if (f1) {
2713 n = fscanf(f1, "%d", &v);
2714 fclose(f1);
2715 if (n == 1 && v == 0) {
2716 ret = remove(path);
2717 if (ret < 0)
2718 SYSERROR("Failed to remove \"%s\"", path);
2719
2720 n = 0;
2721 }
2722 }
2723
2724 if (n == 1) {
2725 v += inc ? 1 : -1;
2726 f1 = fopen(path, "we");
2727 if (!f1)
2728 goto out;
2729
2730 if (fprintf(f1, "%d\n", v) < 0) {
2731 ERROR("Error writing new snapshots value");
2732 fclose(f1);
2733 goto out;
2734 }
2735
2736 ret = fclose(f1);
2737 if (ret != 0) {
2738 SYSERROR("Error writing to or closing snapshots file");
2739 goto out;
2740 }
2741 } else {
2742 /* Here we know that we have or can use an lxc-snapshot file
2743 * using the new format. */
2744 if (inc) {
2745 f1 = fopen(path, "ae");
2746 if (!f1)
2747 goto out;
2748
2749 if (fprintf(f1, "%s", newpath) < 0) {
2750 ERROR("Error writing new snapshots entry");
2751 ret = fclose(f1);
2752 if (ret != 0)
2753 SYSERROR("Error writing to or closing snapshots file");
2754 goto out;
2755 }
2756
2757 ret = fclose(f1);
2758 if (ret != 0) {
2759 SYSERROR("Error writing to or closing snapshots file");
2760 goto out;
2761 }
2762 } else if (!inc) {
2763 if ((fd = open(path, O_RDWR | O_CLOEXEC)) < 0)
2764 goto out;
2765
2766 if (fstat(fd, &fbuf) < 0) {
2767 close(fd);
2768 goto out;
2769 }
2770
2771 if (fbuf.st_size != 0) {
2772 buf = lxc_strmmap(NULL, fbuf.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
2773 if (buf == MAP_FAILED) {
2774 SYSERROR("Failed to create mapping %s", path);
2775 close(fd);
2776 goto out;
2777 }
2778
2779 len = strlen(newpath);
2780 while ((del = strstr((char *)buf, newpath))) {
2781 memmove(del, del + len, strlen(del) - len + 1);
2782 bytes += len;
2783 }
2784
2785 lxc_strmunmap(buf, fbuf.st_size);
2786 if (ftruncate(fd, fbuf.st_size - bytes) < 0) {
2787 SYSERROR("Failed to truncate file %s", path);
2788 close(fd);
2789 goto out;
2790 }
2791 }
2792
2793 close(fd);
2794 }
2795
2796 /* If the lxc-snapshot file is empty, remove it. */
2797 if (stat(path, &fbuf) < 0)
2798 goto out;
2799
2800 if (!fbuf.st_size) {
2801 ret = remove(path);
2802 if (ret < 0)
2803 SYSERROR("Failed to remove \"%s\"", path);
2804 }
2805 }
2806
2807 bret = true;
2808
2809 out:
2810 container_disk_unlock(c0);
2811 return bret;
2812 }
2813
2814 void mod_all_rdeps(struct lxc_container *c, bool inc)
2815 {
2816 __do_free char *lxcpath = NULL, *lxcname = NULL;
2817 __do_fclose FILE *f = NULL;
2818 size_t pathlen = 0, namelen = 0;
2819 struct lxc_container *p;
2820 char path[PATH_MAX];
2821 int ret;
2822
2823 ret = snprintf(path, PATH_MAX, "%s/%s/lxc_rdepends",
2824 c->config_path, c->name);
2825 if (ret < 0 || ret >= PATH_MAX) {
2826 ERROR("Path name too long");
2827 return;
2828 }
2829
2830 f = fopen(path, "re");
2831 if (!f)
2832 return;
2833
2834 while (getline(&lxcpath, &pathlen, f) != -1) {
2835 if (getline(&lxcname, &namelen, f) == -1) {
2836 ERROR("badly formatted file %s", path);
2837 return;
2838 }
2839
2840 remove_trailing_newlines(lxcpath);
2841 remove_trailing_newlines(lxcname);
2842
2843 if ((p = lxc_container_new(lxcname, lxcpath)) == NULL) {
2844 ERROR("Unable to find dependent container %s:%s",
2845 lxcpath, lxcname);
2846 continue;
2847 }
2848
2849 if (!mod_rdep(p, c, inc))
2850 ERROR("Failed to update snapshots file for %s:%s",
2851 lxcpath, lxcname);
2852
2853 lxc_container_put(p);
2854 }
2855 }
2856
2857 static bool has_fs_snapshots(struct lxc_container *c)
2858 {
2859 __do_fclose FILE *f = NULL;
2860 char path[PATH_MAX];
2861 int ret, v;
2862 struct stat fbuf;
2863
2864 ret = snprintf(path, PATH_MAX, "%s/%s/lxc_snapshots", c->config_path,
2865 c->name);
2866 if (ret < 0 || ret > PATH_MAX)
2867 return false;
2868
2869 /* If the file doesn't exist there are no snapshots. */
2870 if (stat(path, &fbuf) < 0)
2871 return false;
2872
2873 v = fbuf.st_size;
2874 if (v != 0) {
2875 f = fopen(path, "re");
2876 if (!f)
2877 return false;
2878
2879 ret = fscanf(f, "%d", &v);
2880 if (ret != 1)
2881 INFO("Container uses new lxc-snapshots format %s", path);
2882 }
2883
2884 return v != 0;
2885 }
2886
2887 static bool has_snapshots(struct lxc_container *c)
2888 {
2889 __do_closedir DIR *dir = NULL;
2890 char path[PATH_MAX];
2891 struct dirent *direntp;
2892 int count = 0;
2893
2894 if (!get_snappath_dir(c, path))
2895 return false;
2896
2897 dir = opendir(path);
2898 if (!dir)
2899 return false;
2900
2901 while ((direntp = readdir(dir))) {
2902 if (!strcmp(direntp->d_name, "."))
2903 continue;
2904
2905 if (!strcmp(direntp->d_name, ".."))
2906 continue;
2907 count++;
2908 break;
2909 }
2910
2911 return count > 0;
2912 }
2913
2914 static bool do_destroy_container(struct lxc_conf *conf) {
2915 int ret;
2916
2917 if (am_guest_unpriv()) {
2918 ret = userns_exec_full(conf, storage_destroy_wrapper, conf,
2919 "storage_destroy_wrapper");
2920 if (ret < 0)
2921 return false;
2922
2923 return true;
2924 }
2925
2926 return storage_destroy(conf);
2927 }
2928
2929 static int lxc_rmdir_onedev_wrapper(void *data)
2930 {
2931 char *arg = (char *) data;
2932 return lxc_rmdir_onedev(arg, "snaps");
2933 }
2934
2935 static int lxc_unlink_exec_wrapper(void *data)
2936 {
2937 char *arg = data;
2938 return unlink(arg);
2939 }
2940
2941 static bool container_destroy(struct lxc_container *c,
2942 struct lxc_storage *storage)
2943 {
2944 const char *p1;
2945 size_t len;
2946 struct lxc_conf *conf;
2947 char *path = NULL;
2948 bool bret = false;
2949 int ret = 0;
2950
2951 if (!c || !do_lxcapi_is_defined(c))
2952 return false;
2953
2954 conf = c->lxc_conf;
2955 if (container_disk_lock(c))
2956 return false;
2957
2958 if (!is_stopped(c)) {
2959 /* We should queue some sort of error - in c->error_string? */
2960 ERROR("container %s is not stopped", c->name);
2961 goto out;
2962 }
2963
2964 if (conf && !lxc_list_empty(&conf->hooks[LXCHOOK_DESTROY])) {
2965 /* Start of environment variable setup for hooks */
2966 if (setenv("LXC_NAME", c->name, 1))
2967 SYSERROR("Failed to set environment variable for container name");
2968
2969 if (conf->rcfile && setenv("LXC_CONFIG_FILE", conf->rcfile, 1))
2970 SYSERROR("Failed to set environment variable for config path");
2971
2972 if (conf->rootfs.mount && setenv("LXC_ROOTFS_MOUNT", conf->rootfs.mount, 1))
2973 SYSERROR("Failed to set environment variable for rootfs mount");
2974
2975 if (conf->rootfs.path && setenv("LXC_ROOTFS_PATH", conf->rootfs.path, 1))
2976 SYSERROR("Failed to set environment variable for rootfs mount");
2977
2978 if (conf->console.path && setenv("LXC_CONSOLE", conf->console.path, 1))
2979 SYSERROR("Failed to set environment variable for console path");
2980
2981 if (conf->console.log_path && setenv("LXC_CONSOLE_LOGPATH", conf->console.log_path, 1))
2982 SYSERROR("Failed to set environment variable for console log");
2983 /* End of environment variable setup for hooks */
2984
2985 if (run_lxc_hooks(c->name, "destroy", conf, NULL)) {
2986 ERROR("Failed to execute clone hook for \"%s\"", c->name);
2987 goto out;
2988 }
2989 }
2990
2991 if (current_config && conf == current_config) {
2992 current_config = NULL;
2993
2994 if (conf->logfd != -1) {
2995 close(conf->logfd);
2996 conf->logfd = -1;
2997 }
2998 }
2999
3000 /* LXC is not managing the storage of the container. */
3001 if (conf && !conf->rootfs.managed)
3002 goto on_success;
3003
3004 if (conf && conf->rootfs.path && conf->rootfs.mount) {
3005 if (!do_destroy_container(conf)) {
3006 ERROR("Error destroying rootfs for %s", c->name);
3007 goto out;
3008 }
3009 INFO("Destroyed rootfs for %s", c->name);
3010 }
3011
3012 mod_all_rdeps(c, false);
3013
3014 p1 = do_lxcapi_get_config_path(c);
3015 /* strlen(p1)
3016 * +
3017 * /
3018 * +
3019 * strlen(c->name)
3020 * +
3021 * /
3022 * +
3023 * strlen("config") = 6
3024 * +
3025 * \0
3026 */
3027 len = strlen(p1) + 1 + strlen(c->name) + 1 + strlen(LXC_CONFIG_FNAME) + 1;
3028 path = malloc(len);
3029 if (!path) {
3030 ERROR("Failed to allocate memory");
3031 goto out;
3032 }
3033
3034 /* For an overlay container the rootfs is considered immutable and
3035 * cannot be removed when restoring from a snapshot.
3036 */
3037 if (storage && (!strcmp(storage->type, "overlay") ||
3038 !strcmp(storage->type, "overlayfs")) &&
3039 (storage->flags & LXC_STORAGE_INTERNAL_OVERLAY_RESTORE)) {
3040 ret = snprintf(path, len, "%s/%s/%s", p1, c->name, LXC_CONFIG_FNAME);
3041 if (ret < 0 || (size_t)ret >= len)
3042 goto out;
3043
3044 if (am_guest_unpriv())
3045 ret = userns_exec_1(conf, lxc_unlink_exec_wrapper, path,
3046 "lxc_unlink_exec_wrapper");
3047 else
3048 ret = unlink(path);
3049 if (ret < 0) {
3050 SYSERROR("Failed to destroy config file \"%s\" for \"%s\"",
3051 path, c->name);
3052 goto out;
3053 }
3054 INFO("Destroyed config file \"%s\" for \"%s\"", path, c->name);
3055
3056 bret = true;
3057 goto out;
3058 }
3059
3060 ret = snprintf(path, len, "%s/%s", p1, c->name);
3061 if (ret < 0 || (size_t)ret >= len)
3062 goto out;
3063
3064 if (am_guest_unpriv())
3065 ret = userns_exec_full(conf, lxc_rmdir_onedev_wrapper, path,
3066 "lxc_rmdir_onedev_wrapper");
3067 else
3068 ret = lxc_rmdir_onedev(path, "snaps");
3069 if (ret < 0) {
3070 ERROR("Failed to destroy directory \"%s\" for \"%s\"", path,
3071 c->name);
3072 goto out;
3073 }
3074 INFO("Destroyed directory \"%s\" for \"%s\"", path, c->name);
3075
3076 on_success:
3077 bret = true;
3078
3079 out:
3080 if (path)
3081 free(path);
3082
3083 container_disk_unlock(c);
3084 return bret;
3085 }
3086
3087 static bool do_lxcapi_destroy(struct lxc_container *c)
3088 {
3089 if (!c || !lxcapi_is_defined(c))
3090 return false;
3091
3092 if (c->lxc_conf && c->lxc_conf->rootfs.managed) {
3093 if (has_snapshots(c)) {
3094 ERROR("Container %s has snapshots; not removing", c->name);
3095 return false;
3096 }
3097
3098 if (has_fs_snapshots(c)) {
3099 ERROR("container %s has snapshots on its rootfs", c->name);
3100 return false;
3101 }
3102 }
3103
3104 return container_destroy(c, NULL);
3105 }
3106
3107 WRAP_API(bool, lxcapi_destroy)
3108
3109 static bool do_lxcapi_destroy_with_snapshots(struct lxc_container *c)
3110 {
3111 if (!c || !lxcapi_is_defined(c))
3112 return false;
3113
3114 if (!lxcapi_snapshot_destroy_all(c)) {
3115 ERROR("Error deleting all snapshots");
3116 return false;
3117 }
3118
3119 return lxcapi_destroy(c);
3120 }
3121
3122 WRAP_API(bool, lxcapi_destroy_with_snapshots)
3123
3124 int lxc_set_config_item_locked(struct lxc_conf *conf, const char *key,
3125 const char *v)
3126 {
3127 int ret;
3128 struct lxc_config_t *config;
3129 bool bret = true;
3130
3131 config = lxc_get_config(key);
3132 if (!config)
3133 return -EINVAL;
3134
3135 ret = config->set(key, v, conf, NULL);
3136 if (ret < 0)
3137 return -EINVAL;
3138
3139 if (lxc_config_value_empty(v))
3140 do_clear_unexp_config_line(conf, key);
3141 else
3142 bret = do_append_unexp_config_line(conf, key, v);
3143 if (!bret)
3144 return -ENOMEM;
3145
3146 return 0;
3147 }
3148
3149 static bool do_set_config_item_locked(struct lxc_container *c, const char *key,
3150 const char *v)
3151 {
3152 int ret;
3153
3154 if (!c->lxc_conf)
3155 c->lxc_conf = lxc_conf_init();
3156
3157 if (!c->lxc_conf)
3158 return false;
3159
3160 ret = lxc_set_config_item_locked(c->lxc_conf, key, v);
3161 if (ret < 0)
3162 return false;
3163
3164 return true;
3165 }
3166
3167 static bool do_lxcapi_set_config_item(struct lxc_container *c, const char *key, const char *v)
3168 {
3169 bool b = false;
3170
3171 if (!c)
3172 return false;
3173
3174 if (container_mem_lock(c))
3175 return false;
3176
3177 b = do_set_config_item_locked(c, key, v);
3178
3179 container_mem_unlock(c);
3180 return b;
3181 }
3182
3183 WRAP_API_2(bool, lxcapi_set_config_item, const char *, const char *)
3184
3185 static char *lxcapi_config_file_name(struct lxc_container *c)
3186 {
3187 if (!c || !c->configfile)
3188 return NULL;
3189
3190 return strdup(c->configfile);
3191 }
3192
3193 static const char *lxcapi_get_config_path(struct lxc_container *c)
3194 {
3195 if (!c || !c->config_path)
3196 return NULL;
3197
3198 return (const char *)(c->config_path);
3199 }
3200
3201 /*
3202 * not for export
3203 * Just recalculate the c->configfile based on the
3204 * c->config_path, which must be set.
3205 * The lxc_container must be locked or not yet public.
3206 */
3207 static bool set_config_filename(struct lxc_container *c)
3208 {
3209 char *newpath;
3210 int len, ret;
3211
3212 if (!c->config_path)
3213 return false;
3214
3215 /* $lxc_path + "/" + c->name + "/" + "config" + '\0' */
3216 len = strlen(c->config_path) + 1 + strlen(c->name) + 1 + strlen(LXC_CONFIG_FNAME) + 1;
3217 newpath = malloc(len);
3218 if (!newpath)
3219 return false;
3220
3221 ret = snprintf(newpath, len, "%s/%s/%s", c->config_path, c->name, LXC_CONFIG_FNAME);
3222 if (ret < 0 || ret >= len) {
3223 fprintf(stderr, "Error printing out config file name\n");
3224 free(newpath);
3225 return false;
3226 }
3227
3228 free(c->configfile);
3229 c->configfile = newpath;
3230
3231 return true;
3232 }
3233
3234 static bool do_lxcapi_set_config_path(struct lxc_container *c, const char *path)
3235 {
3236 char *p;
3237 bool b = false;
3238 char *oldpath = NULL;
3239
3240 if (!c)
3241 return b;
3242
3243 if (container_mem_lock(c))
3244 return b;
3245
3246 p = strdup(path);
3247 if (!p) {
3248 ERROR("Out of memory setting new lxc path");
3249 goto err;
3250 }
3251
3252 b = true;
3253 if (c->config_path)
3254 oldpath = c->config_path;
3255 c->config_path = p;
3256
3257 /* Since we've changed the config path, we have to change the
3258 * config file name too */
3259 if (!set_config_filename(c)) {
3260 ERROR("Out of memory setting new config filename");
3261 b = false;
3262 free(c->config_path);
3263 c->config_path = oldpath;
3264 oldpath = NULL;
3265 }
3266
3267 err:
3268 free(oldpath);
3269 container_mem_unlock(c);
3270 return b;
3271 }
3272
3273 WRAP_API_1(bool, lxcapi_set_config_path, const char *)
3274
3275 static bool do_lxcapi_set_cgroup_item(struct lxc_container *c, const char *subsys, const char *value)
3276 {
3277 call_cleaner(cgroup_exit) struct cgroup_ops *cgroup_ops = NULL;
3278
3279 if (!c)
3280 return false;
3281
3282 if (is_stopped(c))
3283 return false;
3284
3285 cgroup_ops = cgroup_init(c->lxc_conf);
3286 if (!cgroup_ops)
3287 return false;
3288
3289 return cgroup_ops->set(cgroup_ops, subsys, value, c->name,
3290 c->config_path) == 0;
3291 }
3292
3293 WRAP_API_2(bool, lxcapi_set_cgroup_item, const char *, const char *)
3294
3295 static int do_lxcapi_get_cgroup_item(struct lxc_container *c, const char *subsys, char *retv, int inlen)
3296 {
3297 call_cleaner(cgroup_exit) struct cgroup_ops *cgroup_ops = NULL;
3298
3299 if (!c)
3300 return -1;
3301
3302 if (is_stopped(c))
3303 return -1;
3304
3305 cgroup_ops = cgroup_init(c->lxc_conf);
3306 if (!cgroup_ops)
3307 return -1;
3308
3309 return cgroup_ops->get(cgroup_ops, subsys, retv, inlen, c->name,
3310 c->config_path);
3311 }
3312
3313 WRAP_API_3(int, lxcapi_get_cgroup_item, const char *, char *, int)
3314
3315 const char *lxc_get_global_config_item(const char *key)
3316 {
3317 return lxc_global_config_value(key);
3318 }
3319
3320 const char *lxc_get_version(void)
3321 {
3322 return LXC_VERSION;
3323 }
3324
3325 static int copy_file(const char *old, const char *new)
3326 {
3327 int in, out;
3328 ssize_t len, ret;
3329 char buf[8096];
3330 struct stat sbuf;
3331
3332 if (file_exists(new)) {
3333 ERROR("copy destination %s exists", new);
3334 return -1;
3335 }
3336
3337 ret = stat(old, &sbuf);
3338 if (ret < 0) {
3339 INFO("Error stat'ing %s", old);
3340 return -1;
3341 }
3342
3343 in = open(old, O_RDONLY);
3344 if (in < 0) {
3345 SYSERROR("Error opening original file %s", old);
3346 return -1;
3347 }
3348
3349 out = open(new, O_CREAT | O_EXCL | O_WRONLY, 0644);
3350 if (out < 0) {
3351 SYSERROR("Error opening new file %s", new);
3352 close(in);
3353 return -1;
3354 }
3355
3356 for (;;) {
3357 len = lxc_read_nointr(in, buf, 8096);
3358 if (len < 0) {
3359 SYSERROR("Error reading old file %s", old);
3360 goto err;
3361 }
3362
3363 if (len == 0)
3364 break;
3365
3366 ret = lxc_write_nointr(out, buf, len);
3367 if (ret < len) { /* should we retry? */
3368 SYSERROR("Error: write to new file %s was interrupted", new);
3369 goto err;
3370 }
3371 }
3372
3373 close(in);
3374 close(out);
3375
3376 /* We set mode, but not owner/group. */
3377 ret = chmod(new, sbuf.st_mode);
3378 if (ret) {
3379 SYSERROR("Error setting mode on %s", new);
3380 return -1;
3381 }
3382
3383 return 0;
3384
3385 err:
3386 close(in);
3387 close(out);
3388 return -1;
3389 }
3390
3391 static int copyhooks(struct lxc_container *oldc, struct lxc_container *c)
3392 {
3393 __do_free char *cpath = NULL;
3394 int i, len, ret;
3395 struct lxc_list *it;
3396
3397 len = strlen(oldc->config_path) + strlen(oldc->name) + 3;
3398 cpath = must_realloc(NULL, len);
3399 ret = snprintf(cpath, len, "%s/%s/", oldc->config_path, oldc->name);
3400 if (ret < 0 || ret >= len)
3401 return -1;
3402
3403 for (i=0; i<NUM_LXC_HOOKS; i++) {
3404 lxc_list_for_each(it, &c->lxc_conf->hooks[i]) {
3405 char *hookname = it->elem;
3406 char *fname = strrchr(hookname, '/');
3407 char tmppath[PATH_MAX];
3408 if (!fname) /* relative path - we don't support, but maybe we should */
3409 return 0;
3410
3411 if (strncmp(hookname, cpath, len - 1) != 0) {
3412 /* this hook is public - ignore */
3413 continue;
3414 }
3415
3416 /* copy the script, and change the entry in confile */
3417 ret = snprintf(tmppath, PATH_MAX, "%s/%s/%s",
3418 c->config_path, c->name, fname+1);
3419 if (ret < 0 || ret >= PATH_MAX)
3420 return -1;
3421
3422 ret = copy_file(it->elem, tmppath);
3423 if (ret < 0)
3424 return -1;
3425
3426 free(it->elem);
3427
3428 it->elem = strdup(tmppath);
3429 if (!it->elem) {
3430 ERROR("out of memory copying hook path");
3431 return -1;
3432 }
3433 }
3434 }
3435
3436 if (!clone_update_unexp_hooks(c->lxc_conf, oldc->config_path,
3437 c->config_path, oldc->name, c->name)) {
3438 ERROR("Error saving new hooks in clone");
3439 return -1;
3440 }
3441
3442 do_lxcapi_save_config(c, NULL);
3443 return 0;
3444 }
3445
3446
3447 static int copy_fstab(struct lxc_container *oldc, struct lxc_container *c)
3448 {
3449 char newpath[PATH_MAX];
3450 char *oldpath = oldc->lxc_conf->fstab;
3451 int ret;
3452
3453 if (!oldpath)
3454 return 0;
3455
3456 clear_unexp_config_line(c->lxc_conf, "lxc.mount.fstab", false);
3457
3458 char *p = strrchr(oldpath, '/');
3459 if (!p)
3460 return -1;
3461
3462 ret = snprintf(newpath, PATH_MAX, "%s/%s%s",
3463 c->config_path, c->name, p);
3464 if (ret < 0 || ret >= PATH_MAX) {
3465 ERROR("error printing new path for %s", oldpath);
3466 return -1;
3467 }
3468
3469 if (file_exists(newpath)) {
3470 ERROR("error: fstab file %s exists", newpath);
3471 return -1;
3472 }
3473
3474 if (copy_file(oldpath, newpath) < 0) {
3475 ERROR("error: copying %s to %s", oldpath, newpath);
3476 return -1;
3477 }
3478
3479 free(c->lxc_conf->fstab);
3480
3481 c->lxc_conf->fstab = strdup(newpath);
3482 if (!c->lxc_conf->fstab) {
3483 ERROR("error: allocating pathname");
3484 return -1;
3485 }
3486
3487 if (!do_append_unexp_config_line(c->lxc_conf, "lxc.mount.fstab", newpath)) {
3488 ERROR("error saving new lxctab");
3489 return -1;
3490 }
3491
3492 return 0;
3493 }
3494
3495 static void copy_rdepends(struct lxc_container *c, struct lxc_container *c0)
3496 {
3497 char path0[PATH_MAX], path1[PATH_MAX];
3498 int ret;
3499
3500 ret = snprintf(path0, PATH_MAX, "%s/%s/lxc_rdepends", c0->config_path,
3501 c0->name);
3502 if (ret < 0 || ret >= PATH_MAX) {
3503 WARN("Error copying reverse dependencies");
3504 return;
3505 }
3506
3507 ret = snprintf(path1, PATH_MAX, "%s/%s/lxc_rdepends", c->config_path,
3508 c->name);
3509 if (ret < 0 || ret >= PATH_MAX) {
3510 WARN("Error copying reverse dependencies");
3511 return;
3512 }
3513
3514 if (copy_file(path0, path1) < 0) {
3515 INFO("Error copying reverse dependencies");
3516 return;
3517 }
3518 }
3519
3520 static bool add_rdepends(struct lxc_container *c, struct lxc_container *c0)
3521 {
3522 __do_fclose FILE *f = NULL;
3523 int ret;
3524 char path[PATH_MAX];
3525
3526 ret = snprintf(path, sizeof(path), "%s/%s/lxc_rdepends", c->config_path, c->name);
3527 if (ret < 0 || ret >= sizeof(path))
3528 return false;
3529
3530 f = fopen(path, "ae");
3531 if (!f)
3532 return false;
3533
3534 /* If anything goes wrong, just return an error. */
3535 return fprintf(f, "%s\n%s\n", c0->config_path, c0->name) > 0;
3536 }
3537
3538 /*
3539 * If the fs natively supports snapshot clones with no penalty,
3540 * then default to those even if not requested.
3541 * Currently we only do this for btrfs.
3542 */
3543 static bool should_default_to_snapshot(struct lxc_container *c0,
3544 struct lxc_container *c1)
3545 {
3546 __do_free char *p0 = NULL, *p1 = NULL;
3547 int ret;
3548 size_t l0 = strlen(c0->config_path) + strlen(c0->name) + 2;
3549 size_t l1 = strlen(c1->config_path) + strlen(c1->name) + 2;
3550 char *rootfs = c0->lxc_conf->rootfs.path;
3551
3552 p0 = must_realloc(NULL, l0 + 1);
3553 p1 = must_realloc(NULL, l1 + 1);
3554 ret = snprintf(p0, l0, "%s/%s", c0->config_path, c0->name);
3555 if (ret < 0 || ret >= l0)
3556 return false;
3557
3558 ret = snprintf(p1, l1, "%s/%s", c1->config_path, c1->name);
3559 if (ret < 0 || ret >= l1)
3560 return false;
3561
3562 if (!is_btrfs_fs(p0) || !is_btrfs_fs(p1))
3563 return false;
3564
3565 if (is_btrfs_subvol(rootfs) <= 0)
3566 return false;
3567
3568 return btrfs_same_fs(p0, p1) == 0;
3569 }
3570
3571 static int copy_storage(struct lxc_container *c0, struct lxc_container *c,
3572 const char *newtype, int flags, const char *bdevdata,
3573 uint64_t newsize)
3574 {
3575 struct lxc_storage *bdev;
3576 bool need_rdep;
3577
3578 if (should_default_to_snapshot(c0, c))
3579 flags |= LXC_CLONE_SNAPSHOT;
3580
3581 bdev = storage_copy(c0, c->name, c->config_path, newtype, flags,
3582 bdevdata, newsize, &need_rdep);
3583 if (!bdev) {
3584 ERROR("Error copying storage.");
3585 return -1;
3586 }
3587
3588 /* Set new rootfs. */
3589 free(c->lxc_conf->rootfs.path);
3590 c->lxc_conf->rootfs.path = strdup(bdev->src);
3591 storage_put(bdev);
3592
3593 if (!c->lxc_conf->rootfs.path) {
3594 ERROR("Out of memory while setting storage path.");
3595 return -1;
3596 }
3597
3598 /* Append a new lxc.rootfs.path entry to the unexpanded config. */
3599 clear_unexp_config_line(c->lxc_conf, "lxc.rootfs.path", false);
3600 if (!do_append_unexp_config_line(c->lxc_conf, "lxc.rootfs.path",
3601 c->lxc_conf->rootfs.path)) {
3602 ERROR("Error saving new rootfs to cloned config.");
3603 return -1;
3604 }
3605
3606 if (flags & LXC_CLONE_SNAPSHOT)
3607 copy_rdepends(c, c0);
3608
3609 if (need_rdep) {
3610 if (!add_rdepends(c, c0))
3611 WARN("Error adding reverse dependency from %s to %s",
3612 c->name, c0->name);
3613 }
3614
3615 mod_all_rdeps(c, true);
3616
3617 return 0;
3618 }
3619
3620 struct clone_update_data {
3621 struct lxc_container *c0;
3622 struct lxc_container *c1;
3623 int flags;
3624 char **hookargs;
3625 };
3626
3627 static int clone_update_rootfs(struct clone_update_data *data)
3628 {
3629 struct lxc_container *c0 = data->c0;
3630 struct lxc_container *c = data->c1;
3631 int flags = data->flags;
3632 char **hookargs = data->hookargs;
3633 int ret = -1;
3634 char path[PATH_MAX];
3635 struct lxc_storage *bdev;
3636 FILE *fout;
3637 struct lxc_conf *conf = c->lxc_conf;
3638
3639 /* update hostname in rootfs */
3640 /* we're going to mount, so run in a clean namespace to simplify cleanup */
3641
3642 (void)lxc_setgroups(0, NULL);
3643
3644 if (setgid(0) < 0) {
3645 ERROR("Failed to setgid to 0");
3646 return -1;
3647 }
3648
3649 if (setuid(0) < 0) {
3650 ERROR("Failed to setuid to 0");
3651 return -1;
3652 }
3653
3654 if (unshare(CLONE_NEWNS) < 0)
3655 return -1;
3656
3657 bdev = storage_init(c->lxc_conf);
3658 if (!bdev)
3659 return -1;
3660
3661 if (strcmp(bdev->type, "dir") != 0) {
3662 if (unshare(CLONE_NEWNS) < 0) {
3663 ERROR("error unsharing mounts");
3664 storage_put(bdev);
3665 return -1;
3666 }
3667
3668 if (detect_shared_rootfs() && mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL))
3669 SYSERROR("Failed to recursively turn root mount tree into dependent mount. Continuing...");
3670
3671 if (bdev->ops->mount(bdev) < 0) {
3672 storage_put(bdev);
3673 return -1;
3674 }
3675 } else { /* TODO come up with a better way */
3676 free(bdev->dest);
3677 bdev->dest = strdup(lxc_storage_get_path(bdev->src, bdev->type));
3678 }
3679
3680 if (!lxc_list_empty(&conf->hooks[LXCHOOK_CLONE])) {
3681 /* Start of environment variable setup for hooks */
3682 if (c0->name && setenv("LXC_SRC_NAME", c0->name, 1))
3683 SYSERROR("failed to set environment variable for source container name");
3684
3685 if (setenv("LXC_NAME", c->name, 1))
3686 SYSERROR("failed to set environment variable for container name");
3687
3688 if (conf->rcfile && setenv("LXC_CONFIG_FILE", conf->rcfile, 1))
3689 SYSERROR("failed to set environment variable for config path");
3690
3691 if (bdev->dest && setenv("LXC_ROOTFS_MOUNT", bdev->dest, 1))
3692 SYSERROR("failed to set environment variable for rootfs mount");
3693
3694 if (conf->rootfs.path && setenv("LXC_ROOTFS_PATH", conf->rootfs.path, 1))
3695 SYSERROR("failed to set environment variable for rootfs mount");
3696
3697 if (run_lxc_hooks(c->name, "clone", conf, hookargs)) {
3698 ERROR("Error executing clone hook for %s", c->name);
3699 storage_put(bdev);
3700 return -1;
3701 }
3702 }
3703
3704 if (!(flags & LXC_CLONE_KEEPNAME)) {
3705 ret = snprintf(path, PATH_MAX, "%s/etc/hostname", bdev->dest);
3706 storage_put(bdev);
3707
3708 if (ret < 0 || ret >= PATH_MAX)
3709 return -1;
3710
3711 if (!file_exists(path))
3712 return 0;
3713
3714 if (!(fout = fopen(path, "we"))) {
3715 SYSERROR("unable to open %s: ignoring", path);
3716 return 0;
3717 }
3718
3719 if (fprintf(fout, "%s", c->name) < 0) {
3720 fclose(fout);
3721 return -1;
3722 }
3723
3724 if (fclose(fout) < 0)
3725 return -1;
3726 } else {
3727 storage_put(bdev);
3728 }
3729
3730 return 0;
3731 }
3732
3733 static int clone_update_rootfs_wrapper(void *data)
3734 {
3735 struct clone_update_data *arg = (struct clone_update_data *) data;
3736 return clone_update_rootfs(arg);
3737 }
3738
3739 /*
3740 * We want to support:
3741 sudo lxc-clone -o o1 -n n1 -s -L|-fssize fssize -v|--vgname vgname \
3742 -p|--lvprefix lvprefix -t|--fstype fstype -B backingstore
3743
3744 -s [ implies overlay]
3745 -s -B overlay
3746
3747 only rootfs gets converted (copied/snapshotted) on clone.
3748 */
3749
3750 static int create_file_dirname(char *path, struct lxc_conf *conf)
3751 {
3752 char *p = strrchr(path, '/');
3753 int ret = -1;
3754
3755 if (!p)
3756 return -1;
3757
3758 *p = '\0';
3759 ret = do_create_container_dir(path, conf);
3760 *p = '/';
3761
3762 return ret;
3763 }
3764
3765 static struct lxc_container *do_lxcapi_clone(struct lxc_container *c, const char *newname,
3766 const char *lxcpath, int flags,
3767 const char *bdevtype, const char *bdevdata, uint64_t newsize,
3768 char **hookargs)
3769 {
3770 char newpath[PATH_MAX];
3771 int fd, ret;
3772 struct clone_update_data data;
3773 size_t saved_unexp_len;
3774 pid_t pid;
3775 int storage_copied = 0;
3776 char *origroot = NULL, *saved_unexp_conf = NULL;
3777 struct lxc_container *c2 = NULL;
3778
3779 if (!c || !do_lxcapi_is_defined(c))
3780 return NULL;
3781
3782 if (container_mem_lock(c))
3783 return NULL;
3784 if (!is_stopped(c) && !(flags & LXC_CLONE_ALLOW_RUNNING)) {
3785 ERROR("error: Original container (%s) is running. Use --allowrunning if you want to force a snapshot of the running container.", c->name);
3786 goto out;
3787 }
3788
3789 /* Make sure the container doesn't yet exist. */
3790 if (!newname)
3791 newname = c->name;
3792
3793 if (!lxcpath)
3794 lxcpath = do_lxcapi_get_config_path(c);
3795
3796 ret = snprintf(newpath, PATH_MAX, "%s/%s/%s", lxcpath, newname, LXC_CONFIG_FNAME);
3797 if (ret < 0 || ret >= PATH_MAX) {
3798 SYSERROR("clone: failed making config pathname");
3799 goto out;
3800 }
3801
3802 if (file_exists(newpath)) {
3803 ERROR("error: clone: %s exists", newpath);
3804 goto out;
3805 }
3806
3807 ret = create_file_dirname(newpath, c->lxc_conf);
3808 if (ret < 0 && errno != EEXIST) {
3809 ERROR("Error creating container dir for %s", newpath);
3810 goto out;
3811 }
3812
3813 /* Copy the configuration. Tweak it as needed. */
3814 if (c->lxc_conf->rootfs.path) {
3815 origroot = c->lxc_conf->rootfs.path;
3816 c->lxc_conf->rootfs.path = NULL;
3817 }
3818
3819 fd = open(newpath, O_WRONLY | O_CREAT | O_CLOEXEC,
3820 S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
3821 if (fd < 0) {
3822 SYSERROR("Failed to open \"%s\"", newpath);
3823 goto out;
3824 }
3825
3826 saved_unexp_conf = c->lxc_conf->unexpanded_config;
3827 saved_unexp_len = c->lxc_conf->unexpanded_len;
3828 c->lxc_conf->unexpanded_config = strdup(saved_unexp_conf);
3829 if (!c->lxc_conf->unexpanded_config) {
3830 close(fd);
3831 goto out;
3832 }
3833
3834 clear_unexp_config_line(c->lxc_conf, "lxc.rootfs.path", false);
3835 write_config(fd, c->lxc_conf);
3836 close(fd);
3837
3838 c->lxc_conf->rootfs.path = origroot;
3839
3840 free(c->lxc_conf->unexpanded_config);
3841 c->lxc_conf->unexpanded_config = saved_unexp_conf;
3842 saved_unexp_conf = NULL;
3843 c->lxc_conf->unexpanded_len = saved_unexp_len;
3844
3845 ret = snprintf(newpath, PATH_MAX, "%s/%s/%s", lxcpath, newname, LXC_ROOTFS_DNAME);
3846 if (ret < 0 || ret >= PATH_MAX) {
3847 SYSERROR("clone: failed making rootfs pathname");
3848 goto out;
3849 }
3850
3851 ret = mkdir(newpath, 0755);
3852 if (ret < 0) {
3853 /* For an overlay container the rootfs is considered immutable
3854 * and will not have been removed when restoring from a
3855 * snapshot.
3856 */
3857 if (errno != ENOENT &&
3858 !(flags & LXC_STORAGE_INTERNAL_OVERLAY_RESTORE)) {
3859 SYSERROR("Failed to create directory \"%s\"", newpath);
3860 goto out;
3861 }
3862 }
3863
3864 if (am_guest_unpriv()) {
3865 if (chown_mapped_root(newpath, c->lxc_conf) < 0) {
3866 ERROR("Error chowning %s to container root", newpath);
3867 goto out;
3868 }
3869 }
3870
3871 c2 = lxc_container_new(newname, lxcpath);
3872 if (!c2) {
3873 ERROR("clone: failed to create new container (%s %s)", newname,
3874 lxcpath);
3875 goto out;
3876 }
3877
3878 /* copy/snapshot rootfs's */
3879 ret = copy_storage(c, c2, bdevtype, flags, bdevdata, newsize);
3880 if (ret < 0)
3881 goto out;
3882
3883 /* update utsname */
3884 if (!(flags & LXC_CLONE_KEEPNAME)) {
3885 clear_unexp_config_line(c2->lxc_conf, "lxc.utsname", false);
3886 clear_unexp_config_line(c2->lxc_conf, "lxc.uts.name", false);
3887
3888 if (!do_set_config_item_locked(c2, "lxc.uts.name", newname)) {
3889 ERROR("Error setting new hostname");
3890 goto out;
3891 }
3892 }
3893
3894 /* copy hooks */
3895 ret = copyhooks(c, c2);
3896 if (ret < 0) {
3897 ERROR("error copying hooks");
3898 goto out;
3899 }
3900
3901 if (copy_fstab(c, c2) < 0) {
3902 ERROR("error copying fstab");
3903 goto out;
3904 }
3905
3906 /* update macaddrs */
3907 if (!(flags & LXC_CLONE_KEEPMACADDR)) {
3908 if (!network_new_hwaddrs(c2->lxc_conf)) {
3909 ERROR("Error updating mac addresses");
3910 goto out;
3911 }
3912 }
3913
3914 /* Update absolute paths for overlay mount directories. */
3915 if (ovl_update_abs_paths(c2->lxc_conf, c->config_path, c->name, lxcpath, newname) < 0)
3916 goto out;
3917
3918 /* We've now successfully created c2's storage, so clear it out if we
3919 * fail after this.
3920 */
3921 storage_copied = 1;
3922
3923 if (!c2->save_config(c2, NULL))
3924 goto out;
3925
3926 if ((pid = fork()) < 0) {
3927 SYSERROR("fork");
3928 goto out;
3929 }
3930
3931 if (pid > 0) {
3932 ret = wait_for_pid(pid);
3933 if (ret)
3934 goto out;
3935
3936 container_mem_unlock(c);
3937 return c2;
3938 }
3939
3940 data.c0 = c;
3941 data.c1 = c2;
3942 data.flags = flags;
3943 data.hookargs = hookargs;
3944
3945 if (am_guest_unpriv())
3946 ret = userns_exec_full(c->lxc_conf, clone_update_rootfs_wrapper,
3947 &data, "clone_update_rootfs_wrapper");
3948 else
3949 ret = clone_update_rootfs(&data);
3950 if (ret < 0)
3951 _exit(EXIT_FAILURE);
3952
3953 container_mem_unlock(c);
3954 _exit(EXIT_SUCCESS);
3955
3956 out:
3957 container_mem_unlock(c);
3958 if (c2) {
3959 if (!storage_copied)
3960 c2->lxc_conf->rootfs.path = NULL;
3961
3962 c2->destroy(c2);
3963 lxc_container_put(c2);
3964 }
3965
3966 return NULL;
3967 }
3968
3969 static struct lxc_container *lxcapi_clone(struct lxc_container *c, const char *newname,
3970 const char *lxcpath, int flags,
3971 const char *bdevtype, const char *bdevdata, uint64_t newsize,
3972 char **hookargs)
3973 {
3974 struct lxc_container * ret;
3975
3976 current_config = c ? c->lxc_conf : NULL;
3977 ret = do_lxcapi_clone(c, newname, lxcpath, flags, bdevtype, bdevdata, newsize, hookargs);
3978 current_config = NULL;
3979
3980 return ret;
3981 }
3982
3983 static bool do_lxcapi_rename(struct lxc_container *c, const char *newname)
3984 {
3985 struct lxc_storage *bdev;
3986 struct lxc_container *newc;
3987
3988 if (!c || !c->name || !c->config_path || !c->lxc_conf)
3989 return false;
3990
3991 if (has_fs_snapshots(c) || has_snapshots(c)) {
3992 ERROR("Renaming a container with snapshots is not supported");
3993 return false;
3994 }
3995
3996 bdev = storage_init(c->lxc_conf);
3997 if (!bdev) {
3998 ERROR("Failed to find original backing store type");
3999 return false;
4000 }
4001
4002 newc = lxcapi_clone(c, newname, c->config_path, LXC_CLONE_KEEPMACADDR, NULL, bdev->type, 0, NULL);
4003 storage_put(bdev);
4004 if (!newc) {
4005 lxc_container_put(newc);
4006 return false;
4007 }
4008
4009 if (newc && lxcapi_is_defined(newc))
4010 lxc_container_put(newc);
4011
4012 if (!container_destroy(c, NULL)) {
4013 ERROR("Could not destroy existing container %s", c->name);
4014 return false;
4015 }
4016
4017 return true;
4018 }
4019
4020 WRAP_API_1(bool, lxcapi_rename, const char *)
4021
4022 static int lxcapi_attach(struct lxc_container *c,
4023 lxc_attach_exec_t exec_function, void *exec_payload,
4024 lxc_attach_options_t *options, pid_t *attached_process)
4025 {
4026 int ret;
4027
4028 if (!c)
4029 return -1;
4030
4031 current_config = c->lxc_conf;
4032
4033 ret = lxc_attach(c, exec_function, exec_payload, options,
4034 attached_process);
4035 current_config = NULL;
4036 return ret;
4037 }
4038
4039 static int do_lxcapi_attach_run_wait(struct lxc_container *c,
4040 lxc_attach_options_t *options,
4041 const char *program,
4042 const char *const argv[])
4043 {
4044 lxc_attach_command_t command;
4045 pid_t pid;
4046 int ret;
4047
4048 if (!c)
4049 return -1;
4050
4051 command.program = (char *)program;
4052 command.argv = (char **)argv;
4053
4054 ret = lxc_attach(c, lxc_attach_run_command, &command, options, &pid);
4055 if (ret < 0)
4056 return ret;
4057
4058 return lxc_wait_for_pid_status(pid);
4059 }
4060
4061 static int lxcapi_attach_run_wait(struct lxc_container *c,
4062 lxc_attach_options_t *options,
4063 const char *program, const char *const argv[])
4064 {
4065 int ret;
4066
4067 current_config = c ? c->lxc_conf : NULL;
4068 ret = do_lxcapi_attach_run_wait(c, options, program, argv);
4069 current_config = NULL;
4070
4071 return ret;
4072 }
4073
4074 static int get_next_index(const char *lxcpath, char *cname)
4075 {
4076 __do_free char *fname = NULL;
4077 struct stat sb;
4078 int i = 0, ret;
4079
4080 fname = must_realloc(NULL, strlen(lxcpath) + 20);
4081
4082 for (;;) {
4083 sprintf(fname, "%s/snap%d", lxcpath, i);
4084
4085 ret = stat(fname, &sb);
4086 if (ret != 0)
4087 return i;
4088
4089 i++;
4090 }
4091 }
4092
4093 static bool get_snappath_dir(struct lxc_container *c, char *snappath)
4094 {
4095 int ret;
4096
4097 /*
4098 * If the old style snapshot path exists, use it
4099 * /var/lib/lxc -> /var/lib/lxcsnaps
4100 */
4101 ret = snprintf(snappath, PATH_MAX, "%ssnaps", c->config_path);
4102 if (ret < 0 || ret >= PATH_MAX)
4103 return false;
4104
4105 if (dir_exists(snappath)) {
4106 ret = snprintf(snappath, PATH_MAX, "%ssnaps/%s", c->config_path, c->name);
4107 if (ret < 0 || ret >= PATH_MAX)
4108 return false;
4109
4110 return true;
4111 }
4112
4113 /*
4114 * Use the new style path
4115 * /var/lib/lxc -> /var/lib/lxc + c->name + /snaps + \0
4116 */
4117 ret = snprintf(snappath, PATH_MAX, "%s/%s/snaps", c->config_path, c->name);
4118 if (ret < 0 || ret >= PATH_MAX)
4119 return false;
4120
4121 return true;
4122 }
4123
4124 static int do_lxcapi_snapshot(struct lxc_container *c, const char *commentfile)
4125 {
4126 __do_free char *dfnam = NULL;
4127 int len;
4128 int i, flags, ret;
4129 time_t timer;
4130 struct tm tm_info;
4131 struct lxc_container *c2;
4132 char snappath[PATH_MAX], newname[20];
4133 char buffer[25];
4134 FILE *f;
4135
4136 if (!c || !lxcapi_is_defined(c))
4137 return -1;
4138
4139 if (!storage_can_backup(c->lxc_conf)) {
4140 ERROR("%s's backing store cannot be backed up", c->name);
4141 ERROR("Your container must use another backing store type");
4142 return -1;
4143 }
4144
4145 if (!get_snappath_dir(c, snappath))
4146 return -1;
4147
4148 i = get_next_index(snappath, c->name);
4149
4150 if (mkdir_p(snappath, 0755) < 0) {
4151 ERROR("Failed to create snapshot directory %s", snappath);
4152 return -1;
4153 }
4154
4155 ret = snprintf(newname, 20, "snap%d", i);
4156 if (ret < 0 || ret >= 20)
4157 return -1;
4158
4159 /*
4160 * We pass LXC_CLONE_SNAPSHOT to make sure that a rdepends file entry is
4161 * created in the original container
4162 */
4163 flags = LXC_CLONE_SNAPSHOT | LXC_CLONE_KEEPMACADDR | LXC_CLONE_KEEPNAME |
4164 LXC_CLONE_KEEPBDEVTYPE | LXC_CLONE_MAYBE_SNAPSHOT;
4165 if (storage_is_dir(c->lxc_conf)) {
4166 ERROR("Snapshot of directory-backed container requested");
4167 ERROR("Making a copy-clone. If you do want snapshots, then");
4168 ERROR("please create overlay clone first, snapshot that");
4169 ERROR("and keep the original container pristine");
4170 flags &= ~LXC_CLONE_SNAPSHOT | LXC_CLONE_MAYBE_SNAPSHOT;
4171 }
4172
4173 c2 = do_lxcapi_clone(c, newname, snappath, flags, NULL, NULL, 0, NULL);
4174 if (!c2) {
4175 ERROR("Failed to clone of %s:%s", c->config_path, c->name);
4176 return -1;
4177 }
4178
4179 lxc_container_put(c2);
4180
4181 /* Now write down the creation time. */
4182 time(&timer);
4183
4184 if (!localtime_r(&timer, &tm_info)) {
4185 ERROR("Failed to get localtime");
4186 return -1;
4187 }
4188
4189 strftime(buffer, 25, "%Y:%m:%d %H:%M:%S", &tm_info);
4190
4191 len = strlen(snappath) + 1 + strlen(newname) + 1 + strlen(LXC_TIMESTAMP_FNAME) + 1;
4192 dfnam = must_realloc(NULL, len);
4193 snprintf(dfnam, len, "%s/%s/%s", snappath, newname, LXC_TIMESTAMP_FNAME);
4194 f = fopen(dfnam, "we");
4195 if (!f) {
4196 ERROR("Failed to open %s", dfnam);
4197 return -1;
4198 }
4199
4200 if (fprintf(f, "%s", buffer) < 0) {
4201 SYSERROR("Writing timestamp");
4202 fclose(f);
4203 return -1;
4204 }
4205
4206 ret = fclose(f);
4207 if (ret != 0) {
4208 SYSERROR("Writing timestamp");
4209 return -1;
4210 }
4211
4212 if (commentfile) {
4213 __do_free char *path = NULL;
4214 /* $p / $name / comment \0 */
4215 len = strlen(snappath) + 1 + strlen(newname) + 1 + strlen(LXC_COMMENT_FNAME) + 1;
4216
4217 path = must_realloc(NULL, len);
4218 snprintf(path, len, "%s/%s/%s", snappath, newname, LXC_COMMENT_FNAME);
4219 return copy_file(commentfile, path) < 0 ? -1 : i;
4220 }
4221
4222 return i;
4223 }
4224
4225 WRAP_API_1(int, lxcapi_snapshot, const char *)
4226
4227 static void lxcsnap_free(struct lxc_snapshot *s)
4228 {
4229 free(s->name);
4230 free(s->comment_pathname);
4231 free(s->timestamp);
4232 free(s->lxcpath);
4233 }
4234
4235 static char *get_snapcomment_path(char* snappath, char *name)
4236 {
4237 /* $snappath/$name/comment */
4238 int ret, len = strlen(snappath) + strlen(name) + 10;
4239 char *s = malloc(len);
4240
4241 if (s) {
4242 ret = snprintf(s, len, "%s/%s/comment", snappath, name);
4243 if (ret < 0 || ret >= len) {
4244 free(s);
4245 s = NULL;
4246 }
4247 }
4248
4249 return s;
4250 }
4251
4252 static char *get_timestamp(char* snappath, char *name)
4253 {
4254 __do_free char *s = NULL;
4255 __do_fclose FILE *fin = NULL;
4256 char path[PATH_MAX];
4257 int ret, len;
4258
4259 ret = snprintf(path, PATH_MAX, "%s/%s/ts", snappath, name);
4260 if (ret < 0 || ret >= PATH_MAX)
4261 return NULL;
4262
4263 fin = fopen(path, "re");
4264 if (!fin)
4265 return NULL;
4266
4267 (void) fseek(fin, 0, SEEK_END);
4268 len = ftell(fin);
4269 (void) fseek(fin, 0, SEEK_SET);
4270 if (len > 0) {
4271 s = malloc(len+1);
4272 if (s) {
4273 s[len] = '\0';
4274 if (fread(s, 1, len, fin) != len)
4275 return log_error_errno(NULL, errno, "reading timestamp");
4276 }
4277 }
4278
4279 return move_ptr(s);
4280 }
4281
4282 static int do_lxcapi_snapshot_list(struct lxc_container *c, struct lxc_snapshot **ret_snaps)
4283 {
4284 __do_closedir DIR *dir = NULL;
4285 char snappath[PATH_MAX], path2[PATH_MAX];
4286 int count = 0, ret;
4287 struct dirent *direntp;
4288 struct lxc_snapshot *snaps =NULL, *nsnaps;
4289
4290 if (!c || !lxcapi_is_defined(c))
4291 return -1;
4292
4293 if (!get_snappath_dir(c, snappath)) {
4294 ERROR("path name too long");
4295 return -1;
4296 }
4297
4298 dir = opendir(snappath);
4299 if (!dir) {
4300 INFO("Failed to open %s - assuming no snapshots", snappath);
4301 return 0;
4302 }
4303
4304 while ((direntp = readdir(dir))) {
4305 if (!strcmp(direntp->d_name, "."))
4306 continue;
4307
4308 if (!strcmp(direntp->d_name, ".."))
4309 continue;
4310
4311 ret = snprintf(path2, PATH_MAX, "%s/%s/%s", snappath, direntp->d_name, LXC_CONFIG_FNAME);
4312 if (ret < 0 || ret >= PATH_MAX) {
4313 ERROR("pathname too long");
4314 goto out_free;
4315 }
4316
4317 if (!file_exists(path2))
4318 continue;
4319
4320 nsnaps = realloc(snaps, (count + 1)*sizeof(*snaps));
4321 if (!nsnaps) {
4322 SYSERROR("Out of memory");
4323 goto out_free;
4324 }
4325
4326 snaps = nsnaps;
4327 snaps[count].free = lxcsnap_free;
4328 snaps[count].name = strdup(direntp->d_name);
4329 if (!snaps[count].name)
4330 goto out_free;
4331
4332 snaps[count].lxcpath = strdup(snappath);
4333 if (!snaps[count].lxcpath) {
4334 free(snaps[count].name);
4335 goto out_free;
4336 }
4337
4338 snaps[count].comment_pathname = get_snapcomment_path(snappath, direntp->d_name);
4339 snaps[count].timestamp = get_timestamp(snappath, direntp->d_name);
4340 count++;
4341 }
4342
4343 *ret_snaps = snaps;
4344 return count;
4345
4346 out_free:
4347 if (snaps) {
4348 for (int i = 0; i < count; i++)
4349 lxcsnap_free(&snaps[i]);
4350
4351 free(snaps);
4352 }
4353
4354 return -1;
4355 }
4356
4357 WRAP_API_1(int, lxcapi_snapshot_list, struct lxc_snapshot **)
4358
4359 static bool do_lxcapi_snapshot_restore(struct lxc_container *c, const char *snapname, const char *newname)
4360 {
4361 char clonelxcpath[PATH_MAX];
4362 int flags = 0;
4363 struct lxc_container *snap, *rest;
4364 struct lxc_storage *bdev;
4365 bool b = false;
4366
4367 if (!c || !c->name || !c->config_path)
4368 return false;
4369
4370 if (has_fs_snapshots(c)) {
4371 ERROR("container rootfs has dependent snapshots");
4372 return false;
4373 }
4374
4375 bdev = storage_init(c->lxc_conf);
4376 if (!bdev) {
4377 ERROR("Failed to find original backing store type");
4378 return false;
4379 }
4380
4381 /* For an overlay container the rootfs is considered immutable
4382 * and cannot be removed when restoring from a snapshot. We pass this
4383 * internal flag along to communicate this to various parts of the
4384 * codebase.
4385 */
4386 if (!strcmp(bdev->type, "overlay") || !strcmp(bdev->type, "overlayfs"))
4387 bdev->flags |= LXC_STORAGE_INTERNAL_OVERLAY_RESTORE;
4388
4389 if (!newname)
4390 newname = c->name;
4391
4392 if (!get_snappath_dir(c, clonelxcpath)) {
4393 storage_put(bdev);
4394 return false;
4395 }
4396 /* how should we lock this? */
4397
4398 snap = lxc_container_new(snapname, clonelxcpath);
4399 if (!snap || !lxcapi_is_defined(snap)) {
4400 ERROR("Could not open snapshot %s", snapname);
4401
4402 if (snap)
4403 lxc_container_put(snap);
4404
4405 storage_put(bdev);
4406 return false;
4407 }
4408
4409 if (!strcmp(c->name, newname)) {
4410 if (!container_destroy(c, bdev)) {
4411 ERROR("Could not destroy existing container %s", newname);
4412 lxc_container_put(snap);
4413 storage_put(bdev);
4414 return false;
4415 }
4416 }
4417
4418 if (strcmp(bdev->type, "dir") != 0 && strcmp(bdev->type, "loop") != 0)
4419 flags = LXC_CLONE_SNAPSHOT | LXC_CLONE_MAYBE_SNAPSHOT;
4420
4421 if (!strcmp(bdev->type, "overlay") || !strcmp(bdev->type, "overlayfs"))
4422 flags |= LXC_STORAGE_INTERNAL_OVERLAY_RESTORE;
4423
4424 rest = lxcapi_clone(snap, newname, c->config_path, flags, bdev->type,
4425 NULL, 0, NULL);
4426 storage_put(bdev);
4427 if (rest && lxcapi_is_defined(rest))
4428 b = true;
4429
4430 if (rest)
4431 lxc_container_put(rest);
4432
4433 lxc_container_put(snap);
4434 return b;
4435 }
4436
4437 WRAP_API_2(bool, lxcapi_snapshot_restore, const char *, const char *)
4438
4439 static bool do_snapshot_destroy(const char *snapname, const char *clonelxcpath)
4440 {
4441 struct lxc_container *snap = NULL;
4442 bool bret = false;
4443
4444 snap = lxc_container_new(snapname, clonelxcpath);
4445 if (!snap) {
4446 ERROR("Could not find snapshot %s", snapname);
4447 goto err;
4448 }
4449
4450 if (!do_lxcapi_destroy(snap)) {
4451 ERROR("Could not destroy snapshot %s", snapname);
4452 goto err;
4453 }
4454
4455 bret = true;
4456
4457 err:
4458 if (snap)
4459 lxc_container_put(snap);
4460
4461 return bret;
4462 }
4463
4464 static bool remove_all_snapshots(const char *path)
4465 {
4466 __do_closedir DIR *dir = NULL;
4467 struct dirent *direntp;
4468 bool bret = true;
4469
4470 dir = opendir(path);
4471 if (!dir) {
4472 SYSERROR("opendir on snapshot path %s", path);
4473 return false;
4474 }
4475
4476 while ((direntp = readdir(dir))) {
4477 if (!strcmp(direntp->d_name, "."))
4478 continue;
4479
4480 if (!strcmp(direntp->d_name, ".."))
4481 continue;
4482
4483 if (!do_snapshot_destroy(direntp->d_name, path)) {
4484 bret = false;
4485 continue;
4486 }
4487 }
4488
4489 if (rmdir(path))
4490 SYSERROR("Error removing directory %s", path);
4491
4492 return bret;
4493 }
4494
4495 static bool do_lxcapi_snapshot_destroy(struct lxc_container *c, const char *snapname)
4496 {
4497 char clonelxcpath[PATH_MAX];
4498
4499 if (!c || !c->name || !c->config_path || !snapname)
4500 return false;
4501
4502 if (!get_snappath_dir(c, clonelxcpath))
4503 return false;
4504
4505 return do_snapshot_destroy(snapname, clonelxcpath);
4506 }
4507
4508 WRAP_API_1(bool, lxcapi_snapshot_destroy, const char *)
4509
4510 static bool do_lxcapi_snapshot_destroy_all(struct lxc_container *c)
4511 {
4512 char clonelxcpath[PATH_MAX];
4513
4514 if (!c || !c->name || !c->config_path)
4515 return false;
4516
4517 if (!get_snappath_dir(c, clonelxcpath))
4518 return false;
4519
4520 return remove_all_snapshots(clonelxcpath);
4521 }
4522
4523 WRAP_API(bool, lxcapi_snapshot_destroy_all)
4524
4525 static bool do_lxcapi_may_control(struct lxc_container *c)
4526 {
4527 if (!c)
4528 return false;
4529
4530 return lxc_try_cmd(c->name, c->config_path) == 0;
4531 }
4532
4533 WRAP_API(bool, lxcapi_may_control)
4534
4535 static bool do_add_remove_node(pid_t init_pid, const char *path, bool add,
4536 struct stat *st)
4537 {
4538 int ret;
4539 char *tmp;
4540 pid_t pid;
4541 char chrootpath[PATH_MAX];
4542 char *directory_path = NULL;
4543
4544 pid = fork();
4545 if (pid < 0) {
4546 SYSERROR("Failed to fork()");
4547 return false;
4548 }
4549
4550 if (pid) {
4551 ret = wait_for_pid(pid);
4552 if (ret != 0) {
4553 ERROR("Failed to create device node");
4554 return false;
4555 }
4556
4557 return true;
4558 }
4559
4560 /* prepare the path */
4561 ret = snprintf(chrootpath, PATH_MAX, "/proc/%d/root", init_pid);
4562 if (ret < 0 || ret >= PATH_MAX)
4563 return false;
4564
4565 ret = chroot(chrootpath);
4566 if (ret < 0)
4567 _exit(EXIT_FAILURE);
4568
4569 ret = chdir("/");
4570 if (ret < 0)
4571 _exit(EXIT_FAILURE);
4572
4573 /* remove path if it exists */
4574 ret = faccessat(AT_FDCWD, path, F_OK, AT_SYMLINK_NOFOLLOW);
4575 if(ret == 0) {
4576 ret = unlink(path);
4577 if (ret < 0) {
4578 SYSERROR("Failed to remove \"%s\"", path);
4579 _exit(EXIT_FAILURE);
4580 }
4581 }
4582
4583 if (!add)
4584 _exit(EXIT_SUCCESS);
4585
4586 /* create any missing directories */
4587 tmp = strdup(path);
4588 if (!tmp)
4589 _exit(EXIT_FAILURE);
4590
4591 directory_path = dirname(tmp);
4592 ret = mkdir_p(directory_path, 0755);
4593 if (ret < 0 && errno != EEXIST) {
4594 SYSERROR("Failed to create path \"%s\"", directory_path);
4595 free(tmp);
4596 _exit(EXIT_FAILURE);
4597 }
4598
4599 /* create the device node */
4600 ret = mknod(path, st->st_mode, st->st_rdev);
4601 free(tmp);
4602 if (ret < 0) {
4603 SYSERROR("Failed to create device node at \"%s\"", path);
4604 _exit(EXIT_FAILURE);
4605 }
4606
4607 _exit(EXIT_SUCCESS);
4608 }
4609
4610 static bool add_remove_device_node(struct lxc_container *c, const char *src_path, const char *dest_path, bool add)
4611 {
4612 int ret;
4613 struct stat st;
4614 char value[LXC_MAX_BUFFER];
4615 const char *p;
4616 pid_t init_pid;
4617
4618 /* make sure container is running */
4619 if (!do_lxcapi_is_running(c)) {
4620 ERROR("container is not running");
4621 return false;
4622 }
4623
4624 /* use src_path if dest_path is NULL otherwise use dest_path */
4625 p = dest_path ? dest_path : src_path;
4626
4627 /* make sure we can access p */
4628 if(access(p, F_OK) < 0 || stat(p, &st) < 0)
4629 return false;
4630
4631 /* continue if path is character device or block device */
4632 if (S_ISCHR(st.st_mode))
4633 ret = snprintf(value, LXC_MAX_BUFFER, "c %d:%d rwm", major(st.st_rdev), minor(st.st_rdev));
4634 else if (S_ISBLK(st.st_mode))
4635 ret = snprintf(value, LXC_MAX_BUFFER, "b %d:%d rwm", major(st.st_rdev), minor(st.st_rdev));
4636 else
4637 return false;
4638
4639 /* check snprintf return code */
4640 if (ret < 0 || ret >= LXC_MAX_BUFFER)
4641 return false;
4642
4643 init_pid = do_lxcapi_init_pid(c);
4644 if (init_pid < 0) {
4645 ERROR("Failed to get init pid");
4646 return false;
4647 }
4648
4649 if (!do_add_remove_node(init_pid, p, add, &st))
4650 return false;
4651
4652 /* add or remove device to/from cgroup access list */
4653 if (add) {
4654 if (!do_lxcapi_set_cgroup_item(c, "devices.allow", value)) {
4655 ERROR("set_cgroup_item failed while adding the device node");
4656 return false;
4657 }
4658 } else {
4659 if (!do_lxcapi_set_cgroup_item(c, "devices.deny", value)) {
4660 ERROR("set_cgroup_item failed while removing the device node");
4661 return false;
4662 }
4663 }
4664
4665 return true;
4666 }
4667
4668 static bool do_lxcapi_add_device_node(struct lxc_container *c, const char *src_path, const char *dest_path)
4669 {
4670 // cannot mknod if we're not privileged wrt init_user_ns
4671 if (am_host_unpriv()) {
4672 ERROR(LXC_UNPRIV_EOPNOTSUPP, __FUNCTION__);
4673 return false;
4674 }
4675
4676 return add_remove_device_node(c, src_path, dest_path, true);
4677 }
4678
4679 WRAP_API_2(bool, lxcapi_add_device_node, const char *, const char *)
4680
4681 static bool do_lxcapi_remove_device_node(struct lxc_container *c, const char *src_path, const char *dest_path)
4682 {
4683 if (am_guest_unpriv()) {
4684 ERROR(LXC_UNPRIV_EOPNOTSUPP, __FUNCTION__);
4685 return false;
4686 }
4687
4688 return add_remove_device_node(c, src_path, dest_path, false);
4689 }
4690
4691 WRAP_API_2(bool, lxcapi_remove_device_node, const char *, const char *)
4692
4693 static bool do_lxcapi_attach_interface(struct lxc_container *c,
4694 const char *ifname,
4695 const char *dst_ifname)
4696 {
4697 pid_t init_pid;
4698 int ret = 0;
4699
4700 if (am_guest_unpriv()) {
4701 ERROR(LXC_UNPRIV_EOPNOTSUPP, __FUNCTION__);
4702 return false;
4703 }
4704
4705 if (!ifname) {
4706 ERROR("No source interface name given");
4707 return false;
4708 }
4709
4710 ret = lxc_netdev_isup(ifname);
4711 if (ret > 0) {
4712 /* netdev of ifname is up. */
4713 ret = lxc_netdev_down(ifname);
4714 if (ret)
4715 goto err;
4716 }
4717
4718 init_pid = do_lxcapi_init_pid(c);
4719 if (init_pid < 0) {
4720 ERROR("Failed to get init pid");
4721 goto err;
4722 }
4723
4724 ret = lxc_netdev_move_by_name(ifname, init_pid, dst_ifname);
4725 if (ret)
4726 goto err;
4727
4728 INFO("Moved network device \"%s\" to network namespace of %d", ifname, init_pid);
4729 return true;
4730
4731 err:
4732 return false;
4733 }
4734
4735 WRAP_API_2(bool, lxcapi_attach_interface, const char *, const char *)
4736
4737 static bool do_lxcapi_detach_interface(struct lxc_container *c,
4738 const char *ifname,
4739 const char *dst_ifname)
4740 {
4741 int ret;
4742 pid_t pid, pid_outside;
4743 __do_free char *physname = NULL;
4744
4745 /*
4746 * TODO - if this is a physical device, then we need am_host_unpriv.
4747 * But for other types guest privilege suffices.
4748 */
4749 if (am_guest_unpriv()) {
4750 ERROR(LXC_UNPRIV_EOPNOTSUPP, __FUNCTION__);
4751 return false;
4752 }
4753
4754 if (!ifname) {
4755 ERROR("No source interface name given");
4756 return false;
4757 }
4758
4759 pid_outside = lxc_raw_getpid();
4760 pid = fork();
4761 if (pid < 0) {
4762 ERROR("Failed to fork");
4763 return false;
4764 }
4765
4766 if (pid == 0) { /* child */
4767 pid_t init_pid;
4768
4769 init_pid = do_lxcapi_init_pid(c);
4770 if (init_pid < 0) {
4771 ERROR("Failed to get init pid");
4772 _exit(EXIT_FAILURE);
4773 }
4774 if (!switch_to_ns(init_pid, "net")) {
4775 ERROR("Failed to enter network namespace");
4776 _exit(EXIT_FAILURE);
4777 }
4778
4779 /* create new mount namespace for use with remounting /sys and is_wlan() below. */
4780 ret = unshare(CLONE_NEWNS);
4781 if (ret < 0) {
4782 ERROR("Failed to unshare mount namespace");
4783 _exit(EXIT_FAILURE);
4784 }
4785
4786 /* set / recursively as private so that mount propagation doesn't affect us. */
4787 if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, 0) < 0) {
4788 ERROR("Failed to recursively set / as private in mount namespace");
4789 _exit(EXIT_FAILURE);
4790 }
4791
4792 ret = lxc_netdev_isup(ifname);
4793 if (ret < 0) {
4794 ERROR("Failed to determine whether network device \"%s\" is up", ifname);
4795 _exit(EXIT_FAILURE);
4796 }
4797
4798 /* netdev of ifname is up. */
4799 if (ret) {
4800 ret = lxc_netdev_down(ifname);
4801 if (ret) {
4802 ERROR("Failed to set network device \"%s\" down", ifname);
4803 _exit(EXIT_FAILURE);
4804 }
4805 }
4806
4807 /* remount /sys so is_wlan() can check if this device is a wlan device. */
4808 lxc_attach_remount_sys_proc();
4809 physname = is_wlan(ifname);
4810 if (physname)
4811 ret = lxc_netdev_move_wlan(physname, ifname, pid_outside, dst_ifname);
4812 else
4813 ret = lxc_netdev_move_by_name(ifname, pid_outside, dst_ifname);
4814
4815 /* -EINVAL means there is no netdev named as ifname. */
4816 if (ret < 0) {
4817 if (ret == -EINVAL)
4818 ERROR("Network device \"%s\" not found", ifname);
4819 else
4820 ERROR("Failed to remove network device \"%s\"", ifname);
4821
4822 _exit(EXIT_FAILURE);
4823 }
4824
4825 _exit(EXIT_SUCCESS);
4826 }
4827
4828 ret = wait_for_pid(pid);
4829 if (ret != 0)
4830 return false;
4831
4832 INFO("Moved network device \"%s\" to network namespace of %d", ifname, pid_outside);
4833 return true;
4834 }
4835
4836 WRAP_API_2(bool, lxcapi_detach_interface, const char *, const char *)
4837
4838 static int do_lxcapi_migrate(struct lxc_container *c, unsigned int cmd,
4839 struct migrate_opts *opts, unsigned int size)
4840 {
4841 int ret = -1;
4842 struct migrate_opts *valid_opts = opts;
4843 uint64_t features_to_check = 0;
4844
4845 /* If the caller has a bigger (newer) struct migrate_opts, let's make
4846 * sure that the stuff on the end is zero, i.e. that they didn't ask us
4847 * to do anything special.
4848 */
4849 if (size > sizeof(*opts)) {
4850 unsigned char *addr;
4851 unsigned char *end;
4852
4853 addr = (void *)opts + sizeof(*opts);
4854 end = (void *)opts + size;
4855
4856 for (; addr < end; addr++)
4857 if (*addr)
4858 return -E2BIG;
4859 }
4860
4861 /* If the caller has a smaller struct, let's zero out the end for them
4862 * so we don't accidentally use bits of it that they didn't know about
4863 * to initialize.
4864 */
4865 if (size < sizeof(*opts)) {
4866 valid_opts = malloc(sizeof(*opts));
4867 if (!valid_opts)
4868 return -ENOMEM;
4869
4870 memset(valid_opts, 0, sizeof(*opts));
4871 memcpy(valid_opts, opts, size);
4872 }
4873
4874 switch (cmd) {
4875 case MIGRATE_PRE_DUMP:
4876 if (!do_lxcapi_is_running(c)) {
4877 ERROR("container is not running");
4878 goto on_error;
4879 }
4880
4881 ret = !__criu_pre_dump(c, valid_opts);
4882 break;
4883 case MIGRATE_DUMP:
4884 if (!do_lxcapi_is_running(c)) {
4885 ERROR("container is not running");
4886 goto on_error;
4887 }
4888
4889 ret = !__criu_dump(c, valid_opts);
4890 break;
4891 case MIGRATE_RESTORE:
4892 if (do_lxcapi_is_running(c)) {
4893 ERROR("container is already running");
4894 goto on_error;
4895 }
4896
4897 ret = !__criu_restore(c, valid_opts);
4898 break;
4899 case MIGRATE_FEATURE_CHECK:
4900 features_to_check = valid_opts->features_to_check;
4901 ret = !__criu_check_feature(&features_to_check);
4902 if (ret) {
4903 /* Something went wrong. Let's let the caller
4904 * know which feature checks failed. */
4905 valid_opts->features_to_check = features_to_check;
4906 }
4907 break;
4908 default:
4909 ERROR("invalid migrate command %u", cmd);
4910 ret = -EINVAL;
4911 }
4912
4913 on_error:
4914 if (size < sizeof(*opts))
4915 free(valid_opts);
4916
4917 return ret;
4918 }
4919
4920 WRAP_API_3(int, lxcapi_migrate, unsigned int, struct migrate_opts *, unsigned int)
4921
4922 static bool do_lxcapi_checkpoint(struct lxc_container *c, char *directory, bool stop, bool verbose)
4923 {
4924 struct migrate_opts opts;
4925
4926 memset(&opts, 0, sizeof(opts));
4927
4928 opts.directory = directory;
4929 opts.stop = stop;
4930 opts.verbose = verbose;
4931
4932 return !do_lxcapi_migrate(c, MIGRATE_DUMP, &opts, sizeof(opts));
4933 }
4934
4935 WRAP_API_3(bool, lxcapi_checkpoint, char *, bool, bool)
4936
4937 static bool do_lxcapi_restore(struct lxc_container *c, char *directory, bool verbose)
4938 {
4939 struct migrate_opts opts;
4940
4941 memset(&opts, 0, sizeof(opts));
4942
4943 opts.directory = directory;
4944 opts.verbose = verbose;
4945
4946 return !do_lxcapi_migrate(c, MIGRATE_RESTORE, &opts, sizeof(opts));
4947 }
4948
4949 WRAP_API_2(bool, lxcapi_restore, char *, bool)
4950
4951 /* @st_mode is the st_mode field of the stat(source) return struct */
4952 static int create_mount_target(const char *dest, mode_t st_mode)
4953 {
4954 char *dirdup, *destdirname;
4955 int ret;
4956
4957 dirdup = strdup(dest);
4958 if (!dirdup) {
4959 SYSERROR("Failed to duplicate target name \"%s\"", dest);
4960 return -1;
4961 }
4962 destdirname = dirname(dirdup);
4963
4964 ret = mkdir_p(destdirname, 0755);
4965 if (ret < 0) {
4966 SYSERROR("Failed to create \"%s\"", destdirname);
4967 free(dirdup);
4968 return ret;
4969 }
4970 free(dirdup);
4971
4972 (void)remove(dest);
4973
4974 if (S_ISDIR(st_mode))
4975 ret = mkdir(dest, 0000);
4976 else
4977 ret = mknod(dest, S_IFREG | 0000, 0);
4978
4979 if (ret == 0)
4980 TRACE("Created mount target \"%s\"", dest);
4981 else if (ret < 0 && errno != EEXIST) {
4982 SYSERROR("Failed to create mount target \"%s\"", dest);
4983 return -1;
4984 }
4985
4986 return 0;
4987 }
4988
4989 static int do_lxcapi_mount(struct lxc_container *c, const char *source,
4990 const char *target, const char *filesystemtype,
4991 unsigned long mountflags, const void *data,
4992 struct lxc_mount *mnt)
4993 {
4994 char *suff, *sret;
4995 char template[PATH_MAX], path[PATH_MAX];
4996 pid_t pid, init_pid;
4997 struct stat sb;
4998 bool is_dir;
4999 int ret = -1, fd = -EBADF;
5000
5001 if (!c || !c->lxc_conf) {
5002 ERROR("Container or configuration is NULL");
5003 return -EINVAL;
5004 }
5005
5006 if (!c->lxc_conf->shmount.path_host) {
5007 ERROR("Host path to shared mountpoint must be specified in the config\n");
5008 return -EINVAL;
5009 }
5010
5011 ret = snprintf(template, sizeof(template), "%s/.lxcmount_XXXXXX", c->lxc_conf->shmount.path_host);
5012 if (ret < 0 || (size_t)ret >= sizeof(template)) {
5013 SYSERROR("Error writing shmounts tempdir name");
5014 goto out;
5015 }
5016
5017 /* Create a temporary file / dir under the shared mountpoint */
5018 if (!source || strcmp(source, "") == 0) {
5019 /* If source is not specified, maybe we want to mount a filesystem? */
5020 sb.st_mode = S_IFDIR;
5021 } else {
5022 ret = stat(source, &sb);
5023 if (ret < 0) {
5024 SYSERROR("Error getting stat info about the source \"%s\"", source);
5025 goto out;
5026 }
5027 }
5028
5029 is_dir = (S_ISDIR(sb.st_mode) != 0);
5030 if (is_dir) {
5031 sret = mkdtemp(template);
5032 if (!sret) {
5033 SYSERROR("Could not create shmounts temporary dir");
5034 goto out;
5035 }
5036 } else {
5037 fd = lxc_make_tmpfile(template, false);
5038 if (fd < 0) {
5039 SYSERROR("Could not create shmounts temporary file");
5040 goto out;
5041 }
5042 }
5043
5044 /* Do the fork */
5045 pid = fork();
5046 if (pid < 0) {
5047 SYSERROR("Could not fork");
5048 goto out;
5049 }
5050
5051 if (pid == 0) {
5052 /* Do the mount */
5053 ret = mount(source, template, filesystemtype, mountflags, data);
5054 if (ret < 0) {
5055 SYSERROR("Failed to mount onto \"%s\"", template);
5056 _exit(EXIT_FAILURE);
5057 }
5058 TRACE("Mounted \"%s\" onto \"%s\"", source, template);
5059
5060 init_pid = do_lxcapi_init_pid(c);
5061 if (init_pid < 0) {
5062 ERROR("Failed to obtain container's init pid");
5063 _exit(EXIT_FAILURE);
5064 }
5065
5066 /* Enter the container namespaces */
5067 if (!lxc_list_empty(&c->lxc_conf->id_map)) {
5068 if (!switch_to_ns(init_pid, "user")) {
5069 ERROR("Failed to enter user namespace");
5070 _exit(EXIT_FAILURE);
5071 }
5072
5073 if (!lxc_switch_uid_gid(0, 0))
5074 _exit(EXIT_FAILURE);
5075 }
5076
5077 if (!switch_to_ns(init_pid, "mnt")) {
5078 ERROR("Failed to enter mount namespace");
5079 _exit(EXIT_FAILURE);
5080 }
5081
5082 ret = create_mount_target(target, sb.st_mode);
5083 if (ret < 0)
5084 _exit(EXIT_FAILURE);
5085
5086 suff = strrchr(template, '/');
5087 if (!suff)
5088 goto cleanup_target_in_child;
5089
5090 ret = snprintf(path, sizeof(path), "%s%s", c->lxc_conf->shmount.path_cont, suff);
5091 if (ret < 0 || (size_t)ret >= sizeof(path)) {
5092 SYSERROR("Error writing container mountpoint name");
5093 goto cleanup_target_in_child;
5094 }
5095
5096 ret = mount(path, target, NULL, MS_MOVE | MS_REC, NULL);
5097 if (ret < 0) {
5098 SYSERROR("Failed to move the mount from \"%s\" to \"%s\"", path, target);
5099 goto cleanup_target_in_child;
5100 }
5101 TRACE("Moved mount from \"%s\" to \"%s\"", path, target);
5102
5103 _exit(EXIT_SUCCESS);
5104
5105 cleanup_target_in_child:
5106 (void)remove(target);
5107 _exit(EXIT_FAILURE);
5108 }
5109
5110 ret = wait_for_pid(pid);
5111 if (ret < 0)
5112 SYSERROR("Wait for the child with pid %ld failed", (long)pid);
5113 else
5114 ret = 0;
5115
5116 if (umount2(template, MNT_DETACH))
5117 SYSWARN("Failed to remove temporary mount \"%s\"", template);
5118
5119 if (is_dir)
5120 (void)rmdir(template);
5121 else
5122 (void)unlink(template);
5123
5124 out:
5125 if (fd >= 0)
5126 close(fd);
5127
5128 return ret;
5129 }
5130
5131 WRAP_API_6(int, lxcapi_mount, const char *, const char *, const char *,
5132 unsigned long, const void *, struct lxc_mount *)
5133
5134 static int do_lxcapi_umount(struct lxc_container *c, const char *target,
5135 unsigned long flags, struct lxc_mount *mnt)
5136 {
5137 pid_t pid, init_pid;
5138 int ret = -1;
5139
5140 if (!c || !c->lxc_conf) {
5141 ERROR("Container or configuration is NULL");
5142 return -EINVAL;
5143 }
5144
5145 /* Do the fork */
5146 pid = fork();
5147 if (pid < 0) {
5148 SYSERROR("Could not fork");
5149 return -1;
5150 }
5151
5152 if (pid == 0) {
5153 init_pid = do_lxcapi_init_pid(c);
5154 if (init_pid < 0) {
5155 ERROR("Failed to obtain container's init pid");
5156 _exit(EXIT_FAILURE);
5157 }
5158
5159 /* Enter the container namespaces */
5160 if (!lxc_list_empty(&c->lxc_conf->id_map)) {
5161 if (!switch_to_ns(init_pid, "user")) {
5162 ERROR("Failed to enter user namespace");
5163 _exit(EXIT_FAILURE);
5164 }
5165 }
5166
5167 if (!switch_to_ns(init_pid, "mnt")) {
5168 ERROR("Failed to enter mount namespace");
5169 _exit(EXIT_FAILURE);
5170 }
5171
5172 /* Do the unmount */
5173 ret = umount2(target, flags);
5174 if (ret < 0) {
5175 SYSERROR("Failed to umount \"%s\"", target);
5176 _exit(EXIT_FAILURE);
5177 }
5178
5179 _exit(EXIT_SUCCESS);
5180 }
5181
5182 ret = wait_for_pid(pid);
5183 if (ret < 0) {
5184 SYSERROR("Wait for the child with pid %ld failed", (long)pid);
5185 return -ret;
5186 }
5187
5188 return 0;
5189 }
5190
5191 WRAP_API_3(int, lxcapi_umount, const char *, unsigned long, struct lxc_mount*)
5192
5193 static int lxcapi_attach_run_waitl(struct lxc_container *c, lxc_attach_options_t *options, const char *program, const char *arg, ...)
5194 {
5195 va_list ap;
5196 const char **argv;
5197 int ret;
5198
5199 if (!c)
5200 return -1;
5201
5202 current_config = c->lxc_conf;
5203
5204 va_start(ap, arg);
5205 argv = lxc_va_arg_list_to_argv_const(ap, 1);
5206 va_end(ap);
5207
5208 if (!argv) {
5209 ERROR("Memory allocation error.");
5210 ret = -1;
5211 goto out;
5212 }
5213 argv[0] = arg;
5214
5215 ret = do_lxcapi_attach_run_wait(c, options, program, (const char * const *)argv);
5216 free((void*)argv);
5217
5218 out:
5219 current_config = NULL;
5220 return ret;
5221 }
5222
5223 static int do_lxcapi_seccomp_notify_fd(struct lxc_container *c)
5224 {
5225 if (!c || !c->lxc_conf)
5226 return ret_set_errno(-1, -EINVAL);
5227
5228 return lxc_seccomp_get_notify_fd(&c->lxc_conf->seccomp);
5229 }
5230
5231 WRAP_API(int, lxcapi_seccomp_notify_fd)
5232
5233 struct lxc_container *lxc_container_new(const char *name, const char *configpath)
5234 {
5235 struct lxc_container *c;
5236 size_t len;
5237 int rc;
5238
5239 if (!name)
5240 return NULL;
5241
5242 c = malloc(sizeof(*c));
5243 if (!c) {
5244 fprintf(stderr, "Failed to allocate memory for %s\n", name);
5245 return NULL;
5246 }
5247 memset(c, 0, sizeof(*c));
5248
5249 if (configpath)
5250 c->config_path = strdup(configpath);
5251 else
5252 c->config_path = strdup(lxc_global_config_value("lxc.lxcpath"));
5253 if (!c->config_path) {
5254 fprintf(stderr, "Failed to allocate memory for %s\n", name);
5255 goto err;
5256 }
5257
5258 remove_trailing_slashes(c->config_path);
5259
5260 len = strlen(name);
5261 c->name = malloc(len + 1);
5262 if (!c->name) {
5263 fprintf(stderr, "Failed to allocate memory for %s\n", name);
5264 goto err;
5265 }
5266 (void)strlcpy(c->name, name, len + 1);
5267
5268 c->numthreads = 1;
5269 c->slock = lxc_newlock(c->config_path, name);
5270 if (!c->slock) {
5271 fprintf(stderr, "Failed to create lock for %s\n", name);
5272 goto err;
5273 }
5274
5275 c->privlock = lxc_newlock(NULL, NULL);
5276 if (!c->privlock) {
5277 fprintf(stderr, "Failed to create private lock for %s\n", name);
5278 goto err;
5279 }
5280
5281 if (!set_config_filename(c)) {
5282 fprintf(stderr, "Failed to create config file name for %s\n", name);
5283 goto err;
5284 }
5285
5286 if (file_exists(c->configfile) && !lxcapi_load_config(c, NULL)) {
5287 fprintf(stderr, "Failed to load config for %s\n", name);
5288 goto err;
5289 }
5290
5291 rc = ongoing_create(c);
5292 switch (rc) {
5293 case LXC_CREATE_INCOMPLETE:
5294 SYSERROR("Failed to complete container creation for %s", c->name);
5295 container_destroy(c, NULL);
5296 lxcapi_clear_config(c);
5297 break;
5298 case LXC_CREATE_ONGOING:
5299 /* container creation going on */
5300 break;
5301 case LXC_CREATE_FAILED:
5302 /* container creation failed */
5303 if (errno != EACCES && errno != EPERM) {
5304 /* insufficient privileges */
5305 SYSERROR("Failed checking for incomplete container %s creation", c->name);
5306 goto err;
5307 }
5308 break;
5309 }
5310
5311 c->daemonize = true;
5312 c->pidfile = NULL;
5313
5314 /* Assign the member functions. */
5315 c->is_defined = lxcapi_is_defined;
5316 c->state = lxcapi_state;
5317 c->is_running = lxcapi_is_running;
5318 c->freeze = lxcapi_freeze;
5319 c->unfreeze = lxcapi_unfreeze;
5320 c->console = lxcapi_console;
5321 c->console_getfd = lxcapi_console_getfd;
5322 c->init_pid = lxcapi_init_pid;
5323 c->init_pidfd = lxcapi_init_pidfd;
5324 c->load_config = lxcapi_load_config;
5325 c->want_daemonize = lxcapi_want_daemonize;
5326 c->want_close_all_fds = lxcapi_want_close_all_fds;
5327 c->start = lxcapi_start;
5328 c->startl = lxcapi_startl;
5329 c->stop = lxcapi_stop;
5330 c->config_file_name = lxcapi_config_file_name;
5331 c->wait = lxcapi_wait;
5332 c->set_config_item = lxcapi_set_config_item;
5333 c->destroy = lxcapi_destroy;
5334 c->destroy_with_snapshots = lxcapi_destroy_with_snapshots;
5335 c->rename = lxcapi_rename;
5336 c->save_config = lxcapi_save_config;
5337 c->get_keys = lxcapi_get_keys;
5338 c->create = lxcapi_create;
5339 c->createl = lxcapi_createl;
5340 c->shutdown = lxcapi_shutdown;
5341 c->reboot = lxcapi_reboot;
5342 c->reboot2 = lxcapi_reboot2;
5343 c->clear_config = lxcapi_clear_config;
5344 c->clear_config_item = lxcapi_clear_config_item;
5345 c->get_config_item = lxcapi_get_config_item;
5346 c->get_running_config_item = lxcapi_get_running_config_item;
5347 c->get_cgroup_item = lxcapi_get_cgroup_item;
5348 c->set_cgroup_item = lxcapi_set_cgroup_item;
5349 c->get_config_path = lxcapi_get_config_path;
5350 c->set_config_path = lxcapi_set_config_path;
5351 c->clone = lxcapi_clone;
5352 c->get_interfaces = lxcapi_get_interfaces;
5353 c->get_ips = lxcapi_get_ips;
5354 c->attach = lxcapi_attach;
5355 c->attach_run_wait = lxcapi_attach_run_wait;
5356 c->attach_run_waitl = lxcapi_attach_run_waitl;
5357 c->snapshot = lxcapi_snapshot;
5358 c->snapshot_list = lxcapi_snapshot_list;
5359 c->snapshot_restore = lxcapi_snapshot_restore;
5360 c->snapshot_destroy = lxcapi_snapshot_destroy;
5361 c->snapshot_destroy_all = lxcapi_snapshot_destroy_all;
5362 c->may_control = lxcapi_may_control;
5363 c->add_device_node = lxcapi_add_device_node;
5364 c->remove_device_node = lxcapi_remove_device_node;
5365 c->attach_interface = lxcapi_attach_interface;
5366 c->detach_interface = lxcapi_detach_interface;
5367 c->checkpoint = lxcapi_checkpoint;
5368 c->restore = lxcapi_restore;
5369 c->migrate = lxcapi_migrate;
5370 c->console_log = lxcapi_console_log;
5371 c->mount = lxcapi_mount;
5372 c->umount = lxcapi_umount;
5373 c->seccomp_notify_fd = lxcapi_seccomp_notify_fd;
5374
5375 return c;
5376
5377 err:
5378 lxc_container_free(c);
5379 return NULL;
5380 }
5381
5382 int lxc_get_wait_states(const char **states)
5383 {
5384 int i;
5385
5386 if (states)
5387 for (i=0; i<MAX_STATE; i++)
5388 states[i] = lxc_state2str(i);
5389
5390 return MAX_STATE;
5391 }
5392
5393 /*
5394 * These next two could probably be done smarter with reusing a common function
5395 * with different iterators and tests...
5396 */
5397 int list_defined_containers(const char *lxcpath, char ***names, struct lxc_container ***cret)
5398 {
5399 __do_closedir DIR *dir = NULL;
5400 int i, cfound = 0, nfound = 0;
5401 struct dirent *direntp;
5402 struct lxc_container *c;
5403
5404 if (!lxcpath)
5405 lxcpath = lxc_global_config_value("lxc.lxcpath");
5406
5407 dir = opendir(lxcpath);
5408 if (!dir) {
5409 SYSERROR("opendir on lxcpath");
5410 return -1;
5411 }
5412
5413 if (cret)
5414 *cret = NULL;
5415
5416 if (names)
5417 *names = NULL;
5418
5419 while ((direntp = readdir(dir))) {
5420 /* Ignore '.', '..' and any hidden directory. */
5421 if (!strncmp(direntp->d_name, ".", 1))
5422 continue;
5423
5424 if (!config_file_exists(lxcpath, direntp->d_name))
5425 continue;
5426
5427 if (names)
5428 if (!add_to_array(names, direntp->d_name, cfound))
5429 goto free_bad;
5430
5431 cfound++;
5432
5433 if (!cret) {
5434 nfound++;
5435 continue;
5436 }
5437
5438 c = lxc_container_new(direntp->d_name, lxcpath);
5439 if (!c) {
5440 INFO("Container %s:%s has a config but could not be loaded",
5441 lxcpath, direntp->d_name);
5442
5443 if (names)
5444 if(!remove_from_array(names, direntp->d_name, cfound--))
5445 goto free_bad;
5446
5447 continue;
5448 }
5449
5450 if (!do_lxcapi_is_defined(c)) {
5451 INFO("Container %s:%s has a config but is not defined",
5452 lxcpath, direntp->d_name);
5453
5454 if (names)
5455 if(!remove_from_array(names, direntp->d_name, cfound--))
5456 goto free_bad;
5457
5458 lxc_container_put(c);
5459 continue;
5460 }
5461
5462 if (!add_to_clist(cret, c, nfound, true)) {
5463 lxc_container_put(c);
5464 goto free_bad;
5465 }
5466
5467 nfound++;
5468 }
5469
5470 return nfound;
5471
5472 free_bad:
5473 if (names && *names) {
5474 for (i = 0; i < cfound; i++)
5475 free((*names)[i]);
5476 free(*names);
5477 }
5478
5479 if (cret && *cret) {
5480 for (i = 0; i < nfound; i++)
5481 lxc_container_put((*cret)[i]);
5482 free(*cret);
5483 }
5484
5485 return -1;
5486 }
5487
5488 int list_active_containers(const char *lxcpath, char ***nret,
5489 struct lxc_container ***cret)
5490 {
5491 __do_free char *line = NULL;
5492 __do_fclose FILE *f = NULL;
5493 int i, ret = -1, cret_cnt = 0, ct_name_cnt = 0;
5494 int lxcpath_len;
5495 char **ct_name = NULL;
5496 size_t len = 0;
5497 struct lxc_container *c = NULL;
5498 bool is_hashed;
5499
5500 if (!lxcpath)
5501 lxcpath = lxc_global_config_value("lxc.lxcpath");
5502 lxcpath_len = strlen(lxcpath);
5503
5504 if (cret)
5505 *cret = NULL;
5506
5507 if (nret)
5508 *nret = NULL;
5509
5510 f = fopen("/proc/net/unix", "re");
5511 if (!f)
5512 return -1;
5513
5514 while (getline(&line, &len, f) != -1) {
5515 char *p = strrchr(line, ' '), *p2;
5516 if (!p)
5517 continue;
5518 p++;
5519
5520 if (*p != 0x40)
5521 continue;
5522 p++;
5523
5524 is_hashed = false;
5525
5526 if (strncmp(p, lxcpath, lxcpath_len) == 0) {
5527 p += lxcpath_len;
5528 } else if (strncmp(p, "lxc/", 4) == 0) {
5529 p += 4;
5530 is_hashed = true;
5531 } else {
5532 continue;
5533 }
5534
5535 while (*p == '/')
5536 p++;
5537
5538 /* Now p is the start of lxc_name. */
5539 p2 = strchr(p, '/');
5540 if (!p2 || strncmp(p2, "/command", 8) != 0)
5541 continue;
5542 *p2 = '\0';
5543
5544 if (is_hashed) {
5545 char *recvpath = lxc_cmd_get_lxcpath(p);
5546 if (!recvpath)
5547 continue;
5548
5549 if (strncmp(lxcpath, recvpath, lxcpath_len) != 0) {
5550 free(recvpath);
5551 continue;
5552 }
5553 free(recvpath);
5554
5555 p = lxc_cmd_get_name(p);
5556 if (!p)
5557 continue;
5558 }
5559
5560 if (array_contains(&ct_name, p, ct_name_cnt)) {
5561 if (is_hashed)
5562 free(p);
5563 continue;
5564 }
5565
5566 if (!add_to_array(&ct_name, p, ct_name_cnt)) {
5567 if (is_hashed)
5568 free(p);
5569 goto free_cret_list;
5570 }
5571
5572 ct_name_cnt++;
5573
5574 if (!cret) {
5575 if (is_hashed)
5576 free(p);
5577 continue;
5578 }
5579
5580 c = lxc_container_new(p, lxcpath);
5581 if (!c) {
5582 INFO("Container %s:%s is running but could not be loaded",
5583 lxcpath, p);
5584
5585 remove_from_array(&ct_name, p, ct_name_cnt--);
5586 if (is_hashed)
5587 free(p);
5588
5589 continue;
5590 }
5591
5592 if (is_hashed)
5593 free(p);
5594
5595 /*
5596 * If this is an anonymous container, then is_defined *can*
5597 * return false. So we don't do that check. Count on the
5598 * fact that the command socket exists.
5599 */
5600
5601 if (!add_to_clist(cret, c, cret_cnt, true)) {
5602 lxc_container_put(c);
5603 goto free_cret_list;
5604 }
5605
5606 cret_cnt++;
5607 }
5608
5609 if (nret && cret && cret_cnt != ct_name_cnt) {
5610 if (c)
5611 lxc_container_put(c);
5612 goto free_cret_list;
5613 }
5614
5615 ret = ct_name_cnt;
5616 if (nret)
5617 *nret = ct_name;
5618 else
5619 goto free_ct_name;
5620
5621 goto out;
5622
5623 free_cret_list:
5624 if (cret && *cret) {
5625 for (i = 0; i < cret_cnt; i++)
5626 lxc_container_put((*cret)[i]);
5627 free(*cret);
5628 }
5629
5630 free_ct_name:
5631 if (ct_name) {
5632 for (i = 0; i < ct_name_cnt; i++)
5633 free(ct_name[i]);
5634 free(ct_name);
5635 }
5636
5637 out:
5638 return ret;
5639 }
5640
5641 int list_all_containers(const char *lxcpath, char ***nret,
5642 struct lxc_container ***cret)
5643 {
5644 int i, ret, active_cnt, ct_cnt, ct_list_cnt;
5645 char **active_name;
5646 char **ct_name;
5647 struct lxc_container **ct_list = NULL;
5648
5649 ct_cnt = list_defined_containers(lxcpath, &ct_name, NULL);
5650 if (ct_cnt < 0)
5651 return ct_cnt;
5652
5653 active_cnt = list_active_containers(lxcpath, &active_name, NULL);
5654 if (active_cnt < 0) {
5655 ret = active_cnt;
5656 goto free_ct_name;
5657 }
5658
5659 for (i = 0; i < active_cnt; i++) {
5660 if (!array_contains(&ct_name, active_name[i], ct_cnt)) {
5661 if (!add_to_array(&ct_name, active_name[i], ct_cnt)) {
5662 ret = -1;
5663 goto free_active_name;
5664 }
5665
5666 ct_cnt++;
5667 }
5668
5669 free(active_name[i]);
5670 active_name[i] = NULL;
5671 }
5672
5673 free(active_name);
5674 active_name = NULL;
5675 active_cnt = 0;
5676
5677 for (i = 0, ct_list_cnt = 0; i < ct_cnt && cret; i++) {
5678 struct lxc_container *c;
5679
5680 c = lxc_container_new(ct_name[i], lxcpath);
5681 if (!c) {
5682 WARN("Container %s:%s could not be loaded", lxcpath, ct_name[i]);
5683 remove_from_array(&ct_name, ct_name[i], ct_cnt--);
5684 continue;
5685 }
5686
5687 if (!add_to_clist(&ct_list, c, ct_list_cnt, false)) {
5688 lxc_container_put(c);
5689 ret = -1;
5690 goto free_ct_list;
5691 }
5692
5693 ct_list_cnt++;
5694 }
5695
5696 if (cret)
5697 *cret = ct_list;
5698
5699 if (nret) {
5700 *nret = ct_name;
5701 } else {
5702 ret = ct_cnt;
5703 goto free_ct_name;
5704 }
5705
5706 return ct_cnt;
5707
5708 free_ct_list:
5709 for (i = 0; i < ct_list_cnt; i++) {
5710 lxc_container_put(ct_list[i]);
5711 }
5712 free(ct_list);
5713
5714 free_active_name:
5715 for (i = 0; i < active_cnt; i++) {
5716 free(active_name[i]);
5717 }
5718 free(active_name);
5719
5720 free_ct_name:
5721 for (i = 0; i < ct_cnt; i++) {
5722 free(ct_name[i]);
5723 }
5724 free(ct_name);
5725 return ret;
5726 }
5727
5728 bool lxc_config_item_is_supported(const char *key)
5729 {
5730 return !!lxc_get_config(key);
5731 }
5732
5733 bool lxc_has_api_extension(const char *extension)
5734 {
5735 /* The NULL API extension is always present. :) */
5736 if (!extension)
5737 return true;
5738
5739 for (size_t i = 0; i < nr_api_extensions; i++)
5740 if (strcmp(api_extensions[i], extension) == 0)
5741 return true;
5742
5743 return false;
5744 }
LXC mirror