Commit Graph

1685 Commits

Author SHA1 Message Date
Yu Watanabe
92366b8fbc nspawn: always set TERM=dumb when running with a pipe
Otherwise, we will get unexpected OSC sequences.
2025-08-13 23:43:52 +09:00
Luca Boccassi
c892e33979 nspawn: fix recursive bind mounts
Follow-up for 90fa161b5b

Fixes https://github.com/systemd/systemd/issues/38505
2025-08-08 10:53:02 +09:00
Yu Watanabe
7f6086d530 tree-wide: do not use %m with SYNTHETIC_ERRNO() 2025-07-22 03:05:54 +09:00
Yu Watanabe
5918ba9c69 tree-wide: fix log messages: "Failed VERB" -> "Failed to VERB" 2025-07-22 03:05:33 +09:00
DaanDeMeyer
dbbbdde266 nspawn: Generalize parse_bind_user_shell()
Preparation for reuse in vmspawn.
2025-07-15 14:22:52 +02:00
DaanDeMeyer
852de7ed70 nspawn: Prepare --bind-user= logic for reuse in systemd-vmspawn
Aside from the usual boilerplate of moving the shared logic to shared/,
we also rework the implementation of --bind-user= to be similar to what
we'll do in systemd-vmspawn. Instead of messing with the nspawn container
user namespace, we use idmapped mounts to map the user's home directory on
the host to the mapped uid in the container.

Ideally we'd also use the "userdb.transient" credentials to provision the
user records, but this would only work for booted containers, whereas the
current logic works for non-booted containers as well.

Aside from being similar to how we'll implement --bind-user= in vmspawn,
using idmapped mounts also allows supporting --bind-user= without having to
use --private-users=.
2025-07-14 16:25:22 +02:00
DaanDeMeyer
b955051244 nspawn: Don't clear idmapping if we're not doing an idmapped mount
We only need to clear the existing idmapping if we're going to be
replacing it with another idmapping. Otherwise we should keep the
existing idmapping in place.
2025-07-14 11:54:56 +01:00
Lennart Poettering
aac7e892e4 machined: make registration of unpriv user's VMs/containers work (#37855)
This adds missing glue to reasonably allow unpriv users VMs/containers
to register with the system machined.

This primarily adds two things:

1. machined can now properly track VMs/containers residing in subcgroups
of units, because that's effectively what happens for per-user
VMs/containers: they are placed below the system unit `user@….service`
in some user unit.

2. machines registered with machined now have an owning UID: users can
operate on their own machines withour re-authentication, but not on
others.

Note that this is only a first step regarding machined's hookup of
nspawn/vmspawn in the long run for unpriv operation.

I think eventually we should make it so that there's both a per-user and
a per-system machined instance (so far, and even with this PR there's
still one per-system instance), and per-user containers/VMs would
registering with *both*. Having two instances makes sense I think,
because it would mean we can make machined reasonably manage the
per-user image discovery, and also do the per-system network/hostname
handling.
2025-07-11 21:10:08 +02:00
Lennart Poettering
6ef1fc6d02 nspawn: properly order include of constants.h 2025-07-11 18:16:48 +02:00
Lennart Poettering
0c250b3919 nspawn: tweak logging/notifications when processing exit requests 2025-07-11 18:15:12 +02:00
Lennart Poettering
f63ca4fc14 nspawn: slightly beef up READY= logic in nspawn
Let's also send out a STATUS= message when we get READY=1 if it didn't
come with a STATUS= message itself.

Also, let's initially say the container is "started", and only once the
READY=1 is seen claim it was "running".
2025-07-11 18:15:12 +02:00
Lennart Poettering
f2f26f1527 nspawn: reorganize scope allocation/registration logic
This cleans up allocation of a scope unit for the container: when
invoked in user context we'll now allocate a scope through the per-user
service manager instead of the per-system manager. This makes a ton more
sense, since it's the user that invokes things after all. And given that
machined now can register containers in the user manager there's nothing
stopping us to clean this up.

Note that this means we'll connect to two busses if run unpriv: once to
the per-user bus to allocate the scope unit, and once to the per-system
bus to register it with machined.
2025-07-11 18:15:12 +02:00
Yu Watanabe
2bdabb167b basic: rename cap-list.c -> capability-list.c
This also renames relevant files in the same way.

Addresses https://github.com/systemd/systemd/pull/37904#discussion_r2191950396
2025-07-11 18:33:43 +09:00
Yu Watanabe
543a48b653 libc-wrapper: introduce a tiny libc wrapper
Then, move syscall definitions to the wrapper, and prototypes are moved
to relevant headers.

This also adds checks for add_key() and request_key(), as one day
glibc may be going to add some of them separatedly.

The check for fspick in meson.build is dropped, as it is currently
unused in our code.

This also moves
- basic/missing_bpf.h -> include/override/linux/bpf.h,
- basic/missing_keyctl.h -> include/override/linux/keyctl.h.
2025-07-11 13:05:46 +09:00
Lennart Poettering
c35ceb84e3 Introduce ERRNO_IS_FS_WRITE_REFUSED(), and use it in binfmt_mounted() (#38117)
- This introduces ERRNO_IS_FS_WRITE_REFUSED(), and apply it where
usable.
- This makes unexpected errors in access_fd() called by binfmt_mounted()
propagated to the caller.
- Renames binfmt_mounted() to binfmt_mounted_and_writable(), as it also
checks the fs is writable.
- Voidifies one disable_binfmt() call in shutdown.c.
2025-07-10 21:38:13 +02:00
DaanDeMeyer
4f54d81ace nspawn: Use in_child_chown() in one more place 2025-07-10 13:55:45 +02:00
DaanDeMeyer
6f60ce002b nspawn: Improve log message 2025-07-10 13:55:43 +02:00
Yu Watanabe
e28d408c6b errno-util: introduce ERRNO_IS_NEG_FS_WRITE_REFUSED() 2025-07-10 14:02:00 +09:00
Mike Yuan
56c6d90f8c mount-util: teach open_tree_attr_fallback() our usual AT_EMPTY_PATH trick
While at it, rename it to _with_fallback following
the naming scheme we use elsewhere.
2025-07-09 10:14:00 +02:00
Matteo Croce
a80c06cf02 nspawn: create mountpoint for bpffs
When we mount a tmpfs as /sys, create a mountpoint for bpf, as we
already do for cgroup
2025-07-08 18:23:46 +02:00
Yu Watanabe
5cc21b78b6 minor fixes to nspawn, machined, vmspawn (#38110)
Nothing earth shattering. Just clean-ups.
2025-07-08 15:54:49 +09:00
Lennart Poettering
ba4624ff6c nspawn: fix parser of --notify-ready=
This switch takes a bool only, not an enum, hence don't claim otherwise
in the error log message.
2025-07-08 06:42:14 +02:00
Lennart Poettering
3779bdd5a3 nspawn: add argument comments to various calls 2025-07-08 06:42:04 +02:00
Lennart Poettering
93555abe29 nspawn: don't use strjoina() for user controlled strings 2025-07-08 06:40:46 +02:00
DaanDeMeyer
90fa161b5b nspawn: Support idmapped mounts on homed managed home directories
Christian made this possible in Linux 6.15 with a new system call
open_tree_attr() that combines open_tree() and mount_setattr().
Because idmapped mounts are (rightfully) not nested, we have to do
some extra shenanigans to make source we're putting the right source
uid in the userns for any idmapped mounts that we do in nspawn.

Of course we also add the necessary boilerplate to make open_tree_attr()
available in our code and wrap open_tree_attr() and the corresponding
fallback in a new function which we then use everywhere else.
2025-07-07 13:58:52 +02:00
Nick Labich
a9e860f22e nspawn: Add --bind-user-shell= to control shells for --bind-user
Prior to this change, no user shell can be specified in the user
records passed into a container via --bind-user=. This new option
allows users to:

1. When false (the default), continue to specify no user shell for
   each bound user record, resulting in the use of the container's
   default shell for bound users.

2. When true, include each host user's shell in the corresponding
   user record passed into a container (via --bind-user=).

3. When an absolute path, set that path as the user shell for each
   user record passed into a container (via --bind-user=).

This does not change the existing behavior, but allows users to
opt-in to either copy the shells specified by the host user records
or override the shell explicitly by path.
2025-06-30 10:45:10 +02:00
Yu Watanabe
4f18ff2e29 tree-wide: include unistd.h where necessary
We use symbols provided by unistd.h without including it. E.g.
open(), close(), read(), write(), access(), symlink(), unlink(), rmdir(),
fsync(), syncfs(), lseek(), ftruncate(), fchown(), dup2(), pipe2(),
getuid(), getgid(), gettid(), getppid(), pipe2(), execv(), _exit(),
environ, STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO, F_OK, and their
friends and variants, so on.

Currently, unistd.h is indirectly included mainly in the following two paths:
- through missing_syscall.h, which is planned to covert to .c file.
- through signal.h -> bits/sigstksz.h, which is new since glibc-2.34.
  Note, signal.h is included by sd-eevent.h. So, many source files
  indirectly include unistd.h if newer glibc is used.

Currently, our baseline on glibc is 2.31. We need to support glibc older
than 2.34, but unfortunately, we do not have any CI environments with
such old glibc. CIFuzz uses glibc-2.31, but it builds only fuzzers, and
many files are even not compiled.
2025-06-30 09:19:15 +02:00
Zbigniew Jędrzejewski-Szmek
7d247d3cb8 meson: drop explicit custom_target names
[1] says:
> Since 0.60.0 the name argument is optional and defaults to the basename of
> the first output
We specify >= 0.62 as the supported version, so drop the duplicate name in all cases
where it is the same as outputs[0], i.e. almost all cases.

[1] https://mesonbuild.com/Reference-manual_functions.html#custom_target
2025-06-28 17:14:50 +02:00
Lennart Poettering
5584632f40 cpu-set-util: fix null pointer dereference and several cleanups (#37900)
Fixes CID#1611618.
2025-06-27 14:59:25 +02:00
Daan De Meyer
9cb6d2bf85 nspawn: Allow bpf() syscall if CAP_BPF is retained
CAP_BPF is closely associated with the bpf() syscall so it makes sense
to allow the latter if the former is retained.
2025-06-25 14:58:31 +01:00
Yu Watanabe
fe3ada076e cpu-set-util: introduce config_parse_cpu_set()
Then, make parse_cpu_set() as a tiny wrapper of it.

Note, previously when an invalid CPU range, e.g. "3-0", is specified,
we ignore the range but allocate an empty set. But, with this commit,
now the conf parser simply ignore it without no side effect.
This potentially changes behavior of a system with such invalid setting,
but the change should be favorable for consistency with other parsers.
2025-06-24 00:20:20 +09:00
Yu Watanabe
296fe3d511 cpu-set-util: rename cpu_set_reset() -> cpu_set_done()
This also introduces cpu_set_done_and_replace().

No functional change, just refactoring.
2025-06-24 00:20:20 +09:00
Mike Yuan
85352c095e various: turn off SO_PASSRIGHTS where fds are not expected 2025-06-17 13:16:44 +02:00
Lennart Poettering
1434ccf709 nspawn: do basic port to PidRef
THis is sometimes a bit superficial, but in many cases allows us to use
pidfd for various of our operations.
2025-06-07 00:28:07 +02:00
Lennart Poettering
ac8c558629 nspawn: start polkit agent while we do polkit operations
Let's make sure unpriv nspawn can acquire privs even when invoked
outside of a desktop environment that has a polkit agent registered.
2025-06-06 22:14:50 +02:00
Yu Watanabe
23f9ff4724 ptyfwd: introduce pty_forward_set_window_title() helper function 2025-06-05 19:06:02 +09:00
Jelle van der Waa
09958bbb98 nspawn: correct argument comments 2025-06-02 17:39:44 +02:00
Mike Yuan
9e73d37512 cgroup-util: move CGROUP_CPU_SHARES/BLKIO* to nspawn-oci
These are only used for translation from OCI metadata
to cgroup v2 values.
2025-05-28 00:21:37 +02:00
Daan De Meyer
1e35e81b2c tree-wide: Clean up includes
Preparation for cleaning up includes in src/shared.
2025-05-22 21:10:15 +02:00
Daan De Meyer
6ee31a53a9 nspawn: Clean up includes
Split out of #37344.
2025-05-21 23:52:20 +09:00
Daan De Meyer
9f74f56f36 test-tables: Pass enum type to test_table() as well
clang-include-cleaner has a hard time figuring out unused includes
with all the macro string concatentation we're doing in test_table().
Let's help it out a little by also passing the enum type into test_table().

While technically not needed, this makes the tests a bit more self-descriptive
and not really much more verbose so it feels like a good chance regardless,
even if the primary purpose is to help clang-include-cleaner figure out
used and unused includes.
2025-05-21 13:24:42 +02:00
Daan De Meyer
a583b34416 meson: Extract more objects instead of compiling multiple times
Also, let's deflatten the lists of sources in preparation for the
next commit at the same time.

In systemctl, we split out systemctl-main.c to make sure the definition
of main() is in a separate object which allows us to extract the systemctl.c
object and link it in the fuzzer target without getting a multiple definition
error when linking.
2025-05-20 10:29:58 +02:00
Jelle van der Waa
346c62f9ca treewide: correct argument comments 2025-05-15 15:39:20 +02:00
Daan De Meyer
6350d2dbd9 meson: Extract objects instead of creating intermediate static libraries
Currently, when we want to add unit tests for code that is compiled into
an executable, we either compile the code at least twice (once for the
executable, and once for each test that uses it) or we create a static
library which is then used by both the executable and all the tests.

Both of these options are not ideal, compiling source files more than
once slows down the build for no reason and creating the intermediate
static libraries takes a lot of boilerplate.

Instead, let's use the extract_objects() method that meson exposes on
build targets. This allows us to extract the objects corresponding to
specific source files and use them in other executables. Because we
define all executables upfront into a dictionary, we integrate this into
the dictionary approach by adding two new fields:

- 'extract' takes a list of files for which objects should be extracted.
  The extracted objects are stored in a dict keyed by the executable name
  from which they were extracted.
- 'objects' takes the name of an executable from which the extracted
  objects should be added to the current executable.

One side effect of this approach is that we can't build test executables
anymore without building the main executable, so we stop building test
executables unless we're also building the main executable. This allows
us to switch to using subdir_done() in all of these subdirectories to skip
parsing them if the corresponding component is disabled.

These changes get me down from 2439 => 2403 ninja targets on a full rebuild
from scratch.
2025-05-12 13:35:50 +02:00
Daan De Meyer
b78d73fa22 conf-parser: Reduce transitive includes 2025-05-07 22:04:46 +09:00
Daan De Meyer
6553db6063 strv: Reduce transitive includes 2025-05-07 22:04:46 +09:00
Daan De Meyer
1fbfbe81b5 tree-wide: Get rid of prefix_roota() in favor of path_join()
We deprecated prefix_roota() in favor of chase() and path_join().
Let's finish the removal by replacing the few remaining call sites
with path_join().
2025-05-06 17:40:33 +02:00
Daan De Meyer
76d62b63ef main-func: Reduce transitive includes
Let's move some logic from _DEFINE_MAIN_FUNCTION() and other places
in main-func.h into functions that we implement in main-func.c to
allow moving some included headers from the header to the .c file.
2025-05-06 10:07:27 +02:00
Daan De Meyer
a0233fcd86 socket-util: Replace sockaddr length macros with functions
There's no need for these to be macros, let's just make them regular
functions instead.
2025-05-02 09:41:41 +02:00
Daan De Meyer
1cf40697e3 tree-wide: Sort includes
This was done by running a locally built clang-format with
https://github.com/llvm/llvm-project/pull/137617 and
https://github.com/llvm/llvm-project/pull/137840 applied on all .c
and .h files.
2025-04-30 09:30:51 +02:00