[systemd-commits] 3 commits - man/systemd-nspawn.xml src/core src/libsystemd src/network src/nspawn src/systemd
Lennart Poettering
lennart at kemper.freedesktop.org
Thu Feb 13 14:11:00 CET 2014
man/systemd-nspawn.xml | 25 +++++++++++++++++++++----
src/core/loopback-setup.c | 6 +++---
src/libsystemd/sd-rtnl/rtnl-message.c | 6 +++---
src/libsystemd/sd-rtnl/rtnl-util.c | 4 ++--
src/libsystemd/sd-rtnl/test-rtnl.c | 18 +++++++++---------
src/network/networkd-address.c | 4 ++--
src/network/networkd-link.c | 6 +++---
src/network/networkd-netdev.c | 4 ++--
src/network/networkd-route.c | 2 +-
src/nspawn/nspawn.c | 23 +++++++++++++----------
src/systemd/sd-rtnl.h | 6 +++---
11 files changed, 62 insertions(+), 42 deletions(-)
New commits:
commit b88eb17a7a9aad8287df275c46c1d09b1aee09fd
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Feb 13 14:08:16 2014 +0100
nspawn: no need to subscribe to netlink messages if we just want to execute one operation
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 9ce1fa9..689592e 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1265,7 +1265,7 @@ static int move_network_interfaces(pid_t pid) {
if (strv_isempty(arg_network_interfaces))
return 0;
- r = sd_rtnl_open(NETLINK_ROUTE, &rtnl);
+ r = sd_rtnl_open(0, &rtnl);
if (r < 0) {
log_error("Failed to connect to netlink: %s", strerror(-r));
return r;
@@ -1273,10 +1273,10 @@ static int move_network_interfaces(pid_t pid) {
STRV_FOREACH(i, arg_network_interfaces) {
_cleanup_rtnl_message_unref_ sd_rtnl_message *m = NULL;
- unsigned ifi;
+ int ifi;
- ifi = if_nametoindex(*i);
- if (ifi == 0) {
+ ifi = (int) if_nametoindex(*i);
+ if (ifi <= 0) {
log_error("Failed to resolve interface %s: %m", *i);
return -errno;
}
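Review bot: The new test `if (ifi <= 0)` also catches the negative value that `(int) if_nametoindex(*i)` yields for an index above INT_MAX, but on that path if_nametoindex succeeded and errno was never set, so `return -errno;` may return a stale code or 0, which the caller reads as success. The ambiguity goes away if the unsigned result is kept and range-checked before the narrowing cast, or at minimum if the error branch returns `return errno > 0 ? -errno : -EINVAL;` so a failure is never reported as success. Such interface indices are unlikely in practice, but the switch from `unsigned` to `int` is what introduces the path, so it deserves a line. move_network_interfaces starts before this hunk and continues after it.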
@@ -1295,7 +1295,7 @@ static int move_network_interfaces(pid_t pid) {
r = sd_rtnl_call(rtnl, m, 0, NULL);
if (r < 0) {
- log_error("Failed to move interface to namespace: %s", strerror(-r));
+ log_error("Failed to move interface %s to namespace: %s", *i, strerror(-r));
return r;
}
}
commit a42c8b54b1619078c02f5e439bd2564c6d0f901f
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Feb 13 14:07:59 2014 +0100
nspawn: --private-network should imply CAP_NET_ADMIN
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 7a88436..ffd7070 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -277,7 +277,15 @@
the container. This makes all network
interfaces unavailable in the
container, with the exception of the
- loopback device.</para></listitem>
+ loopback device and those specified
+ with
+ <option>--network-interface=</option>. If
+ this option is specified the
+ CAP_NET_ADMIN capability will be added
+ to the set of capabilities the
+ container retains. The latter may be
+ disabled by using
+ <option>--drop-capability=</option>.</para></listitem>
</varlistentry>
<varlistentry>
@@ -290,7 +298,13 @@
namespace and place it in the
container. When the container
terminates it is moved back to the
- host namespace.</para></listitem>
+ host namespace. Note that
+ <option>--network-interface=</option>
+ implies
+ <option>--private-network</option>. This
+ option may be used more than once to
+ add multiple network interfaces to the
+ container.</para></listitem>
</varlistentry>
<varlistentry>
@@ -323,8 +337,11 @@
CAP_SYS_CHROOT, CAP_SYS_NICE,
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG,
CAP_SYS_RESOURCE, CAP_SYS_BOOT,
- CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL. If
- the special value
+ CAP_AUDIT_WRITE,
+ CAP_AUDIT_CONTROL. Also CAP_NET_ADMIN
+ is retained if
+ <option>--private-network</option> is
+ specified. If the special value
<literal>all</literal> is passed all
capabilities are
retained.</para></listitem>
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 679c005..9ce1fa9 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -216,6 +216,7 @@ static int parse_argv(int argc, char *argv[]) {
};
int c, r;
+ uint64_t plus = 0, minus = 0;
assert(argc >= 0);
assert(argv);
@@ -325,9 +326,9 @@ static int parse_argv(int argc, char *argv[]) {
if (streq(t, "all")) {
if (c == ARG_CAPABILITY)
- arg_retain = (uint64_t) -1;
+ plus = (uint64_t) -1;
else
- arg_retain = 0;
+ minus = (uint64_t) -1;
} else {
if (cap_from_name(t, &cap) < 0) {
log_error("Failed to parse capability %s.", t);
@@ -335,9 +336,9 @@ static int parse_argv(int argc, char *argv[]) {
}
if (c == ARG_CAPABILITY)
- arg_retain |= 1ULL << (uint64_t) cap;
+ plus |= 1ULL << (uint64_t) cap;
else
- arg_retain &= ~(1ULL << (uint64_t) cap);
+ minus |= 1ULL << (uint64_t) cap;
}
}
@@ -460,6 +461,8 @@ static int parse_argv(int argc, char *argv[]) {
return -EINVAL;
}
+ arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;
+
return 1;
}
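Review bot: The closing composition `arg_retain = (arg_retain | plus | (arg_private_network ? 1ULL << CAP_NET_ADMIN : 0)) & ~minus;` makes every --drop-capability= win over every --capability=, irrespective of option order, whereas the `arg_retain = 0` / `arg_retain |= ...` lines replaced in the two earlier hunks of this file applied the options in sequence; a command line of the form `--drop-capability=all --capability=CAP_X` used to retain exactly CAP_X and now retains nothing. Drops winning unconditionally is the more conservative rule for a privilege boundary and it also covers the implicit CAP_NET_ADMIN, which matches the man page sentence added in this commit, but the order-independence itself is a behaviour change that the man page hunk does not spell out, so the new paragraph should say that --drop-capability= applies after all additions regardless of where it appears. A comment above the assignment, such as `/* Drops always override additions, including the implicit CAP_NET_ADMIN. */`, would record the intent for the next reader. parse_argv starts before this hunk.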
commit d595c5cc9e894c3608ed634052b0ba93aa94bf2f
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu Feb 13 13:53:25 2014 +0100
rtnl: rename constructors from the form sd_rtnl_xxx_yyy_new() to sd_rtnl_xxx_new_yyy()
So far we followed the rule to always indicate the "flavour" of
constructors after the "_new_" or "_open_" in the function name, so
let's keep things in sync here for rtnl and do the same.
diff --git a/src/core/loopback-setup.c b/src/core/loopback-setup.c
index e8c4630..a53855f 100644
--- a/src/core/loopback-setup.c
+++ b/src/core/loopback-setup.c
@@ -51,7 +51,7 @@ static int add_addresses(sd_rtnl *rtnl, int if_loopback, struct in_addr *ipv4_ad
_cleanup_rtnl_message_unref_ sd_rtnl_message *ipv4 = NULL, *ipv6 = NULL;
int r;
- r = sd_rtnl_message_addr_new(RTM_NEWADDR, if_loopback, AF_INET, &ipv4);
+ r = sd_rtnl_message_new_addr(RTM_NEWADDR, if_loopback, AF_INET, &ipv4);
if (r < 0)
return r;
@@ -80,7 +80,7 @@ static int add_addresses(sd_rtnl *rtnl, int if_loopback, struct in_addr *ipv4_ad
if (!socket_ipv6_is_supported())
return 0;
- r = sd_rtnl_message_addr_new(RTM_NEWADDR, if_loopback, AF_INET6, &ipv6);
+ r = sd_rtnl_message_new_addr(RTM_NEWADDR, if_loopback, AF_INET6, &ipv6);
if (r < 0)
return r;
@@ -113,7 +113,7 @@ static int start_interface(sd_rtnl *rtnl, int if_loopback, struct in_addr *ipv4_
_cleanup_rtnl_message_unref_ sd_rtnl_message *req = NULL;
int r;
- r = sd_rtnl_message_link_new(RTM_SETLINK, if_loopback, &req);
+ r = sd_rtnl_message_new_link(RTM_SETLINK, if_loopback, &req);
if (r < 0)
return r;
diff --git a/src/libsystemd/sd-rtnl/rtnl-message.c b/src/libsystemd/sd-rtnl/rtnl-message.c
index 625d54a..bcfffef 100644
--- a/src/libsystemd/sd-rtnl/rtnl-message.c
+++ b/src/libsystemd/sd-rtnl/rtnl-message.c
@@ -81,7 +81,7 @@ int sd_rtnl_message_route_set_dst_prefixlen(sd_rtnl_message *m, unsigned char pr
return 0;
}
-int sd_rtnl_message_route_new(uint16_t nlmsg_type, unsigned char rtm_family,
+int sd_rtnl_message_new_route(uint16_t nlmsg_type, unsigned char rtm_family,
sd_rtnl_message **ret) {
struct rtmsg *rtm;
int r;
@@ -144,7 +144,7 @@ int sd_rtnl_message_link_set_type(sd_rtnl_message *m, unsigned type) {
return 0;
}
-int sd_rtnl_message_link_new(uint16_t nlmsg_type, int index, sd_rtnl_message **ret) {
+int sd_rtnl_message_new_link(uint16_t nlmsg_type, int index, sd_rtnl_message **ret) {
struct ifinfomsg *ifi;
int r;
@@ -217,7 +217,7 @@ int sd_rtnl_message_addr_set_scope(sd_rtnl_message *m, unsigned char scope) {
return 0;
}
-int sd_rtnl_message_addr_new(uint16_t nlmsg_type, int index, unsigned char family,
+int sd_rtnl_message_new_addr(uint16_t nlmsg_type, int index, unsigned char family,
sd_rtnl_message **ret) {
struct ifaddrmsg *ifa;
int r;
diff --git a/src/libsystemd/sd-rtnl/rtnl-util.c b/src/libsystemd/sd-rtnl/rtnl-util.c
index ba4fab0..caa21d6 100644
--- a/src/libsystemd/sd-rtnl/rtnl-util.c
+++ b/src/libsystemd/sd-rtnl/rtnl-util.c
@@ -35,7 +35,7 @@ int rtnl_set_link_name(sd_rtnl *rtnl, int ifindex, const char *name) {
assert(ifindex > 0);
assert(name);
- r = sd_rtnl_message_link_new(RTM_SETLINK, ifindex, &message);
+ r = sd_rtnl_message_new_link(RTM_SETLINK, ifindex, &message);
if (r < 0)
return r;
@@ -62,7 +62,7 @@ int rtnl_set_link_properties(sd_rtnl *rtnl, int ifindex, const char *alias,
if (!alias && !mac && mtu == 0)
return 0;
- r = sd_rtnl_message_link_new(RTM_SETLINK, ifindex, &message);
+ r = sd_rtnl_message_new_link(RTM_SETLINK, ifindex, &message);
if (r < 0)
return r;
diff --git a/src/libsystemd/sd-rtnl/test-rtnl.c b/src/libsystemd/sd-rtnl/test-rtnl.c
index bc88300..53efed5 100644
--- a/src/libsystemd/sd-rtnl/test-rtnl.c
+++ b/src/libsystemd/sd-rtnl/test-rtnl.c
@@ -37,7 +37,7 @@ static void test_link_configure(sd_rtnl *rtnl, int ifindex) {
void *data;
/* we'd really like to test NEWLINK, but let's not mess with the running kernel */
- assert(sd_rtnl_message_link_new(RTM_GETLINK, ifindex, &message) >= 0);
+ assert(sd_rtnl_message_new_link(RTM_GETLINK, ifindex, &message) >= 0);
assert(sd_rtnl_message_append_string(message, IFLA_IFNAME, name) >= 0);
assert(sd_rtnl_message_append_ether_addr(message, IFLA_ADDRESS, ether_aton(mac)) >= 0);
assert(sd_rtnl_message_append_u32(message, IFLA_MTU, mtu) >= 0);
@@ -66,7 +66,7 @@ static void test_link_get(sd_rtnl *rtnl, int ifindex) {
void *data;
uint16_t type;
- assert(sd_rtnl_message_link_new(RTM_GETLINK, ifindex, &m) >= 0);
+ assert(sd_rtnl_message_new_link(RTM_GETLINK, ifindex, &m) >= 0);
assert(m);
/* u8 test cases */
@@ -137,7 +137,7 @@ static void test_route(void) {
void *data;
int r;
- r = sd_rtnl_message_route_new(RTM_NEWROUTE, AF_INET, &req);
+ r = sd_rtnl_message_new_route(RTM_NEWROUTE, AF_INET, &req);
if (r < 0) {
log_error("Could not create RTM_NEWROUTE message: %s", strerror(-r));
return;
@@ -216,7 +216,7 @@ static void test_event_loop(int ifindex) {
assert(ifname);
assert(sd_rtnl_open(0, &rtnl) >= 0);
- assert(sd_rtnl_message_link_new(RTM_GETLINK, ifindex, &m) >= 0);
+ assert(sd_rtnl_message_new_link(RTM_GETLINK, ifindex, &m) >= 0);
assert(sd_rtnl_call_async(rtnl, m, &link_handler, ifname, 0, NULL) >= 0);
@@ -250,7 +250,7 @@ static void test_async(int ifindex) {
assert(sd_rtnl_open(0, &rtnl) >= 0);
- assert(sd_rtnl_message_link_new(RTM_GETLINK, ifindex, &m) >= 0);
+ assert(sd_rtnl_message_new_link(RTM_GETLINK, ifindex, &m) >= 0);
assert(sd_rtnl_call_async(rtnl, m, &link_handler, ifname, 0, &serial) >= 0);
@@ -265,8 +265,8 @@ static void test_pipe(int ifindex) {
assert(sd_rtnl_open(0, &rtnl) >= 0);
- assert(sd_rtnl_message_link_new(RTM_GETLINK, ifindex, &m1) >= 0);
- assert(sd_rtnl_message_link_new(RTM_GETLINK, ifindex, &m2) >= 0);
+ assert(sd_rtnl_message_new_link(RTM_GETLINK, ifindex, &m1) >= 0);
+ assert(sd_rtnl_message_new_link(RTM_GETLINK, ifindex, &m2) >= 0);
counter ++;
assert(sd_rtnl_call_async(rtnl, m1, &pipe_handler, &counter, 0, NULL) >= 0);
@@ -285,7 +285,7 @@ static void test_container(void) {
uint16_t type;
void *data;
- assert(sd_rtnl_message_link_new(RTM_NEWLINK, 0, &m) >= 0);
+ assert(sd_rtnl_message_new_link(RTM_NEWLINK, 0, &m) >= 0);
assert(sd_rtnl_message_open_container(m, IFLA_LINKINFO) >= 0);
assert(sd_rtnl_message_open_container(m, IFLA_LINKINFO) == -ENOTSUP);
@@ -365,7 +365,7 @@ int main(void) {
test_link_configure(rtnl, if_loopback);
- assert(sd_rtnl_message_link_new(RTM_GETLINK, if_loopback, &m) >= 0);
+ assert(sd_rtnl_message_new_link(RTM_GETLINK, if_loopback, &m) >= 0);
assert(m);
assert(sd_rtnl_message_get_type(m, &type) >= 0);
diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c
index 94e7a9c..edae62c 100644
--- a/src/network/networkd-address.c
+++ b/src/network/networkd-address.c
@@ -105,7 +105,7 @@ int address_drop(Address *address, Link *link,
assert(link->manager);
assert(link->manager->rtnl);
- r = sd_rtnl_message_addr_new(RTM_DELADDR, link->ifindex, address->family, &req);
+ r = sd_rtnl_message_new_addr(RTM_DELADDR, link->ifindex, address->family, &req);
if (r < 0) {
log_error("Could not allocate RTM_DELADDR message: %s",
strerror(-r));
@@ -149,7 +149,7 @@ int address_configure(Address *address, Link *link,
assert(link->manager);
assert(link->manager->rtnl);
- r = sd_rtnl_message_addr_new(RTM_NEWADDR, link->ifindex,
+ r = sd_rtnl_message_new_addr(RTM_NEWADDR, link->ifindex,
address->family, &req);
if (r < 0) {
log_error("Could not allocate RTM_NEWADDR message: %s",
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index 3ef7622..d83c4ce 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -435,7 +435,7 @@ static int link_set_mtu(Link *link, uint32_t mtu) {
log_debug_link(link, "setting MTU: %" PRIu32, mtu);
- r = sd_rtnl_message_link_new(RTM_SETLINK, link->ifindex, &req);
+ r = sd_rtnl_message_new_link(RTM_SETLINK, link->ifindex, &req);
if (r < 0) {
log_error_link(link, "Could not allocate RTM_SETLINK message");
return r;
@@ -792,7 +792,7 @@ static int link_up(Link *link) {
log_debug_link(link, "bringing link up");
- r = sd_rtnl_message_link_new(RTM_SETLINK, link->ifindex, &req);
+ r = sd_rtnl_message_new_link(RTM_SETLINK, link->ifindex, &req);
if (r < 0) {
log_error_link(link, "Could not allocate RTM_SETLINK message");
return r;
@@ -959,7 +959,7 @@ static int link_get(Link *link) {
log_debug_link(link, "requesting link status");
- r = sd_rtnl_message_link_new(RTM_GETLINK, link->ifindex, &req);
+ r = sd_rtnl_message_new_link(RTM_GETLINK, link->ifindex, &req);
if (r < 0) {
log_error_link(link, "Could not allocate RTM_GETLINK message");
return r;
diff --git a/src/network/networkd-netdev.c b/src/network/networkd-netdev.c
index 8c9fa62..30eb77d 100644
--- a/src/network/networkd-netdev.c
+++ b/src/network/networkd-netdev.c
@@ -92,7 +92,7 @@ static int netdev_enslave_ready(NetDev *netdev, Link* link, sd_rtnl_message_hand
assert(link);
assert(callback);
- r = sd_rtnl_message_link_new(RTM_SETLINK, link->ifindex, &req);
+ r = sd_rtnl_message_new_link(RTM_SETLINK, link->ifindex, &req);
if (r < 0) {
log_error_netdev(netdev,
"Could not allocate RTM_SETLINK message: %s",
@@ -168,7 +168,7 @@ static int netdev_create(NetDev *netdev, Link *link, sd_rtnl_message_handler_t c
assert(netdev->manager);
assert(netdev->manager->rtnl);
- r = sd_rtnl_message_link_new(RTM_NEWLINK, 0, &req);
+ r = sd_rtnl_message_new_link(RTM_NEWLINK, 0, &req);
if (r < 0) {
log_error_netdev(netdev,
"Could not allocate RTM_NEWLINK message: %s",
diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
index 31d4177..098539e 100644
--- a/src/network/networkd-route.c
+++ b/src/network/networkd-route.c
@@ -105,7 +105,7 @@ int route_configure(Route *route, Link *link,
assert(link->ifindex > 0);
assert(route->family == AF_INET || route->family == AF_INET6);
- r = sd_rtnl_message_route_new(RTM_NEWROUTE, route->family, &req);
+ r = sd_rtnl_message_new_route(RTM_NEWROUTE, route->family, &req);
if (r < 0) {
log_error("Could not create RTM_NEWROUTE message: %s", strerror(-r));
return r;
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 1437aa7..679c005 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1278,7 +1278,7 @@ static int move_network_interfaces(pid_t pid) {
return -errno;
}
- r = sd_rtnl_message_link_new(RTM_NEWLINK, ifi, &m);
+ r = sd_rtnl_message_new_link(RTM_NEWLINK, ifi, &m);
if (r < 0) {
log_error("Failed to allocate netlink message: %s", strerror(-r));
return r;
diff --git a/src/systemd/sd-rtnl.h b/src/systemd/sd-rtnl.h
index c162878..5506bfa 100644
--- a/src/systemd/sd-rtnl.h
+++ b/src/systemd/sd-rtnl.h
@@ -66,10 +66,10 @@ int sd_rtnl_attach_event(sd_rtnl *nl, sd_event *e, int priority);
int sd_rtnl_detach_event(sd_rtnl *nl);
/* messages */
-int sd_rtnl_message_link_new(uint16_t msg_type, int index, sd_rtnl_message **ret);
-int sd_rtnl_message_addr_new(uint16_t msg_type, int index, unsigned char family,
+int sd_rtnl_message_new_link(uint16_t msg_type, int index, sd_rtnl_message **ret);
+int sd_rtnl_message_new_addr(uint16_t msg_type, int index, unsigned char family,
sd_rtnl_message **ret);
-int sd_rtnl_message_route_new(uint16_t nlmsg_type, unsigned char rtm_family,
+int sd_rtnl_message_new_route(uint16_t nlmsg_type, unsigned char rtm_family,
sd_rtnl_message **ret);
/*
unsigned char rtm_dst_len, unsigned char rtm_src_len,