Commit Graph

1547 Commits

Author SHA1 Message Date
Integral
ddb8a639d5 tree-wide: replace for loop with FOREACH_ELEMENT or FOREACH_ARRAY macros (#34893) 2024-10-26 07:10:22 +09:00
Lennart Poettering
988053eac3 tree-wide: use isatty_safe() everywhere 2024-10-25 14:09:38 +02:00
Zbigniew Jędrzejewski-Szmek
2c23b7054f Merge pull request #34783 from keszybz/man-nspawn-private-users
Change systemd-nspawn man page to strongly recommend private users
2024-10-18 18:44:05 +02:00
Zbigniew Jędrzejewski-Szmek
487d412327 tree-wise: use "lightweight" spelling
Both spellings were used, but the dictionary says that "lightweight"
is the standard spelling.
2024-10-18 18:43:40 +02:00
Lennart Poettering
33dd894546 fdset: optionally, close remaining fds asynchronously 2024-10-17 09:48:05 +02:00
Yu Watanabe
223a67e572 tree-wide: replace reallocarray() with GREEDY_REALLOC() 2024-10-08 19:56:09 +09:00
Yu Watanabe
f769518c9a tree-wide: drop doubled empty lines 2024-10-07 09:51:37 +02:00
Mike Yuan
3f8999a76e fs-util: rename laccess to access_nofollow
In order to distinguish it from libc function naming.
2024-10-05 01:30:43 +02:00
Mickaël Salaün
e996663475 seccomp-util: include @sandbox in @default
Every services and containers should be able to protect their users and
limit the impact of security bugs thanks to the security syscalls
provided by seccomp and Landlock.  The goal of these syscalls is to
improve security with additional restrictions.  They are designed to be
safely used by unprivileged (and then potentially malicious) users.

Remove the now-redundant "seccomp" entry for nspawn.
2024-09-27 12:37:37 +02:00
Yu Watanabe
26d35019de tree-wide: drop unnecessary 'struct' 2024-09-19 01:34:57 +09:00
Yu Watanabe
3292120adf nspawn: fix typo
Follow-up for d7a6bb9891.
2024-09-16 11:47:43 +09:00
Lennart Poettering
d7a6bb9891 tree-wide: make sigprocmask() changes more automatic
This tries to get rid of most manual sigprocmask() changes, in favour
of:

1. The SD_EVENT_SIGNAL_PROCMASK flag to sd_event_add_signal()
2. The sd_event_set_signal_exit() call for handling SIGTERM/SIGINT
3. Move masking of SIGWINCH into ptyfwd, out of nspawn/vmspawn/run

And while we are at it get rid of a bunch of event source fields whose
lifetime is bound to the sd_event object they belong to anyway, and make
use of the "floating" event source feature of sd-event instead.
2024-09-13 17:12:28 +02:00
Yu Watanabe
da7fb6dad7 nspawn: use ERRNO_IS_NEG_NOT_SUPPORTED() at one more place
Follow-up for dc3223919f.
Addresses https://github.com/systemd/systemd/pull/34067#discussion_r1748061156.

Error codes other than ENOSYS may not come here, but if it comes, still
there is nothing we can do here, so let's not log the failure loudly.
2024-09-10 04:38:33 +09:00
Yu Watanabe
b86b90cec5 nspawn: sync DeviceAllow= setting with systemd-nspawn@.service
Follow-up for dc3223919f.
Addresses https://github.com/systemd/systemd/pull/34067#discussion_r1748592958.

Otherwise, containers started with and without --keep-unit option run in
different device policies.
2024-09-10 04:38:11 +09:00
Lennart Poettering
7a3223f509 Merge pull request #34258 from yuwata/nspawn-volatile-u
nspawn: make --volatile work with -U
2024-09-09 17:11:11 +02:00
Luke T. Shumaker
dc3223919f nspawn: enable FUSE in containers
Linux kernel v4.18 (2018-08-12) added user-namespace support to FUSE, and
bumped the FUSE version to 7.27 (see: da315f6e0398 (Merge tag
'fuse-update-4.18' of
git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse, Linus Torvalds,
2018-06-07).  This means that on such kernels it is safe to enable FUSE in
nspawn containers.

In outer_child(), before calling copy_devnodes(), check the FUSE version to
decide whether enable (>=7.27) or disable (<7.27) FUSE in the container.  We
look at the FUSE version instead of the kernel version in order to enable FUSE
support on older-versioned kernels that may have the mentioned patchset
backported ([as requested by @poettering][1]).  However, I am not sure that
this is safe; user-namespace support is not a documented part of the FUSE
protocol, which is what FUSE_KERNEL_VERSION/FUSE_KERNEL_MINOR_VERSION are meant
to capture.  While the same patchset
 - added FUSE_ABORT_ERROR (which is all that the 7.27 version bump
   is documented as including),
 - bumped FUSE_KERNEL_MINOR_VERSION from 26 to 27, and
 - added user-namespace support
these 3 things are not inseparable; it is conceivable to me that a backport
could include the first 2 of those things and exclude the 3rd; perhaps it would
be safer to check the kernel version.

Do note that our get_fuse_version() function uses the fsopen() family of
syscalls, which were not added until Linux kernel v5.2 (2019-07-07); so if
nothing has been backported, then the minimum kernel version for FUSE-in-nspawn
is actually v5.2, not v4.18.

Pass whether or not to enable FUSE to copy_devnodes(); have copy_devnodes()
copy in /dev/fuse if enabled.

Pass whether or not to enable FUSE back over fd_outer_socket to run_container()
so that it can pass that to append_machine_properties() (via either
register_machine() or allocate_scope()); have append_machine_properties()
append "DeviceAllow=/dev/fuse rw" if enabled.

For testing, simply check that /dev/fuse can be opened for reading and writing,
but that actually reading from it fails with EPERM.  The test assumes that if
FUSE is supported (/dev/fuse exists), then the testsuite is running on a kernel
with FUSE >= 7.27; I am unsure how to go about writing a test that validates
that the version check disables FUSE on old kernels.

[1]: https://github.com/systemd/systemd/issues/17607#issuecomment-745418835

Closes #17607
2024-09-07 10:18:35 -06:00
Luke T. Shumaker
f1bf6054ce nspawn: register_machine() and allocate_scope() bools to flags 2024-09-06 18:33:50 -06:00
Luke T. Shumaker
14762b27d3 nspawn: re-flow comments that are wrapped weird 2024-09-06 18:33:50 -06:00
Luke T. Shumaker
6cb5c6aeef nspawn: convert copy_devnodes():devnodes from nulstr to strv 2024-09-06 18:33:50 -06:00
Luke T. Shumaker
cde9210efd nspawn: fix the comment about which namespaces outer_child is in
The comment says that it is still in the host's CLONE_NEWUSER namespace,
which is not true if !arg_privileged.  Also, it says that the CLONE_NEWNS
namespace was created by clone(), but if !arg_privileged then it was
actually created by nsresource_allocate_userns() and switched into by
setns().  Fix those inaccuracies.

When trying to word it clearly, there are enough commas and nested clauses
that I think it's clearer to break it into a list/table.
2024-09-06 18:33:50 -06:00
Daan De Meyer
c81c2ed1eb Merge pull request #34280 from yuwata/cleanups
tree-wide: trivial cleanups
2024-09-06 08:08:56 +02:00
Yu Watanabe
efedb6b0f3 nspawn: refuse to bind mount device node from host when --private-users= is specified
Also do not chown if a device node is bind-mounted.

Fixes #34243.
2024-09-06 13:28:17 +09:00
Yu Watanabe
025be2361b nspawn: only remount /usr/ with idmap when --volatile=yes
The root directory is already mounted with a picked UID shift, hence
it is not necessary to remount with idmap. However, /usr/ is a bind-mount,
hence it must be remounted with idmap.

With this change, now '-U --volatile=yes' works fine.

Fixes #34254.
2024-09-06 13:24:12 +09:00
Yu Watanabe
2c2511aa73 nspawn: mount /var/ after remount_idmap() when --volatile=state
Previously, remount_idmap() failed as /var/ was already mounted, thus
remounting (strictly speaking, unmounting old root directory) failed
with -EBUSY.

As tmpfs /var/ is mounted with picked UID shift, it should not be
remounted with idmap, but needs to be mounted after the root directory
being remounted.

This makes '-U --volatile=state' work as expected.
2024-09-06 13:22:26 +09:00
Yu Watanabe
21cd84df69 nspawn: use strv_extend() and friends to build directories passed to remount_idmap()
No functional change, just refactoring and preparation for later change.
2024-09-06 13:13:15 +09:00
Yu Watanabe
0e40a26341 nspawn: fix indentation 2024-09-06 13:10:04 +09:00
Yu Watanabe
3ce22ee7f8 Merge pull request #34090 from DaanDeMeyer/cow-fix
Rework COW <=> NOCOW copying behavior
2024-09-05 10:19:49 +09:00
Daan De Meyer
b1cfa93080 copy: Introduce COPY_NOCOW_AFTER and use it when copying images
When dealing with copying COW images, we have to make a tradeoff:

- Either we don't touch the NOCOW bit on the copied file COW and get
  an instant copy because we're able to reflink, but we might get
  reduced performance if the source file was COW as COW files and lots
  of random writes don't play well together.
- Or we force NOCOW for the copied file, which means we have to do a
  full copy as reflinking from COW files to NOCOW files or vice versa
  is not supported.

In exec-invoke.c, we've opted for the first option. In nspawn.c and
discover-image.c, we've opted for the second option.

In nspawn, this applies to the --ephemeral option to make ephemeral
copies. In discover-image.c, this applies to cloning images into
/var/lib/machines. Both these features might be used to run many
machines of the same original image. We really don't want to force
a full copy onto users in these scenarios when they're expecting
reflink behavior, leading to them running out of disk space. Instead,
degraded performance in their machines is a much less severe issue,
which they will discover on their own if it affects them, at which
point they can make their original image NOCOW at which point they'll
get both the reflinks and better performance.

Given the above reasoning, let's switch nspawn.c and discover-image.c
to use COPY_NOCOW_AFTER as well instead of enabling NOCOW upfront and
forcing a copy if the original source image is COW.
2024-09-04 19:23:16 +02:00
Mike Yuan
ad501930d7 socket-util: make recvmsg_safe() handle MSG_TRUNC too
Also, unify MSG_TRUNC handling all across the codebase.
2024-09-04 18:51:44 +02:00
Daan De Meyer
519216b71f Revert "tree-wide: Don't explicity disable copy-on-write when copying images"
Let's still try to disable COW after copying. It won't do much, but
it doesn't hurt either.

See https://github.com/systemd/systemd/pull/33825/files#r1727288871.

This reverts commit 42e9288180.
2024-09-04 18:49:05 +02:00
Yu Watanabe
42efe5be1d tree-wide: drop msg argument for DEFINE_CONFIG_PARSE() macro and friends
This makes the macros use log_syntax_parse_error(), hopefully which provides
more informative log message in general, and reduces binary size.
2024-09-02 05:45:09 +09:00
Lennart Poettering
313c178b1b user-record: add helper that checks if a user record is root or the nobody user 2024-08-28 18:56:45 +02:00
Lennart Poettering
12e506f437 nspawn: propagate SSH authorized keys when binding user into contaier via --bind-user=
This means the host user typically can just log into his own account
bound into the container via SSH.
2024-08-28 17:13:48 +01:00
Daan De Meyer
615226abd8 Revert "nspawn: Allow specifying custom init program"
I don't actually need this anymore since we're going with a
unit based approach for the containers stuff internally so
let's just revert it.

Fixes #34085

This reverts commit ce2291730d.
2024-08-22 22:20:42 +02:00
Daan De Meyer
6a30e66df5 Revert "nspawn: fix settings leak for init parameter"
This reverts commit 1e2aa88bb2.
2024-08-22 22:20:36 +02:00
Lennart Poettering
300b7e7620 tree-wide: use isatty_safe() more 2024-08-20 11:11:53 +02:00
Dr. David Alan Gilbert
c76fdfc51b nspawn: Fix help typo
'an an' -> 'an'
2024-08-14 13:45:27 +09:00
Daan De Meyer
d89ee0fcf9 nspawn: Assume unified cgroup hierarchy if there's no systemd in the image
If there's no systemd installation in the image, assume the unified
cgroup hierarchy.
2024-08-13 19:09:26 +02:00
Luca Boccassi
1e2aa88bb2 nspawn: fix settings leak for init parameter
Fixes https://github.com/systemd/systemd/issues/33960

Follow-up for ce2291730d
2024-08-08 06:58:52 +02:00
Daan De Meyer
ce2291730d nspawn: Allow specifying custom init program
This allows for example forcing to use /sbin/init instead of always
using /usr/lib/systemd/systemd if it exists. Or it allows using a
different path altogether.
2024-08-06 23:00:17 +02:00
Daan De Meyer
d3f0b4f3d2 nspawn: Drop unused includes 2024-08-06 10:25:06 +02:00
Yu Watanabe
1bfa47418e nspawn: remove macvlan interfaces before network namespace died
This is similar to what we do for veth interfaces in remove_veth_links().

When a container rebooted, macvlan interfaces created by the previous
boot may still exist in the kernel, and that causes -EADDRINUSE after
reboot.

Hopefully fixes #680.
2024-07-30 12:38:50 +02:00
Daan De Meyer
42e9288180 tree-wide: Don't explicity disable copy-on-write when copying images
Since the copy helpers now copy file attributes as well, let's not
explicitly disable copy-on-write anymore when we copy an image. If
the source already has copy-on-write disabled, the copy will have it
disabled as well. Otherwise, the copy will also have copy-on-write
enabled.

This makes sure that reflinks always work as reflink is only supported
if both source and target are copy-on-write or both source and target
are not copy-on-write.
2024-07-25 11:56:07 +02:00
Zbigniew Jędrzejewski-Szmek
cddbd730cb Merge pull request #33370 from grawity/run-title
run: add option to prevent the setting of terminal title
2024-06-28 14:46:27 +02:00
Mantas Mikulėnas
86295cb60e run: move condition inside set_window_title() 2024-06-25 10:39:15 +03:00
Mantas Mikulėnas
0bdaa99827 nspawn, vmspawn: honor the new window title switch 2024-06-25 10:39:15 +03:00
Lennart Poettering
e16be05858 nspawn: machine registration is now available unpriv 2024-06-21 17:38:23 +02:00
Zbigniew Jędrzejewski-Szmek
bfd5a0687f various: move const ptr indicator to return value 2024-06-19 16:28:28 +02:00
Lennart Poettering
9ace806fcb nspawn: use parse_boolean_argument() at two places 2024-06-14 21:21:06 +01:00
Lennart Poettering
309a747fa6 libsystemd: turn json.[ch] into a public API
This is preparation for making our Varlink API a public API. Since our
Varlink API is built on top of our JSON API we need to make that public
first (it's a nice API, but JSON APIs there are already enough, this is
purely about the Varlink angle).

I made most of the json.h APIs public, and just placed them in
sd-json.h. Sometimes I wasn't so sure however, since the underlying data
structures would have to be made public too. If in doubt I didn#t risk
it, and moved the relevant API to src/libsystemd/sd-json/json-util.h
instead (without any sd_* symbol prefixes).

This is mostly a giant search/replace patch.
2024-06-12 18:42:22 +02:00