summaryrefslogtreecommitdiffstats
path: root/src/dissect (follow)
Commit message (Collapse)AuthorAgeFilesLines
* tree-wide: drop license boilerplateZbigniew Jędrzejewski-Szmek2018-04-061-13/+0
| | | | | | | | | | Files which are installed as-is (any .service and other unit files, .conf files, .policy files, etc), are left as is. My assumption is that SPDX identifiers are not yet that well known, so it's better to retain the extended header to avoid any doubt. I also kept any copyright lines. We can probably remove them, but it'd nice to obtain explicit acks from all involved authors before doing that.
* dissect: add dissect_image_and_warn() that unifies error message generation ↵Lennart Poettering2018-03-211-24/+2
| | | | for dissect_image() (#8517)
* nspawn: make sure images containing an ESP are compatible with userns -U modeLennart Poettering2017-12-051-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | In -U mode we might need to re-chown() all files and directories to match the UID shift we want for the image. That's problematic on fat partitions, such as the ESP (and which is generated by mkosi's --bootable switch), because fat of course knows no UID/GID file ownership natively. With this change we take benefit of the uid= and gid= mount options FAT knows: instead of chown()ing all files and directories we can just specify the right UID/GID to use at mount time. This beefs up the image dissection logic in two ways: 1. First of all support for mounting relevant file systems with uid=/gid= is added: when a UID is specified during mount it is used for all applicable file systems. 2. Secondly, two new mount flags are added: DISSECT_IMAGE_MOUNT_ROOT_ONLY and DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY. If one is specified the mount routine will either only mount the root partition of an image, or all partitions except the root partition. This is used by nspawn: first the root partition is mounted, so that we can determine the UID shift in use so far, based on ownership of the image's root directory. Then, we mount the remaining partitions in a second go, this time with the right UID/GID information.
* dissect: update dissect tool to show image metadataLennart Poettering2017-11-201-0/+31
| | | | | Pretty straight-forward: just use the new metadata dissection API to figure out what an image contains.
* Add SPDX license identifiers to source files under the LGPLZbigniew Jędrzejewski-Szmek2017-11-191-0/+1
| | | | | This follows what the kernel is doing, c.f. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
* dissect: when we invoke dissection on a loop device with partscan help the userLennart Poettering2017-10-261-0/+4
| | | | | | | | | This adds some simply detection logic for cases where dissection is invoked on an externally created loop device, and partitions have been detected on it, but partition scanning so far was off. If this is detected we now print a brief message indicating what the issue is, instead of failing with a useless EINVAL message the kernel passed to us.
* build-sys: drop automake supportZbigniew Jędrzejewski-Szmek2017-07-181-1/+0
| | | | | v2: - also mention m4
* dissect: generate friendly error messages for more error conditionsLennart Poettering2017-02-211-0/+8
| | | | Fixes: #5408
* core,nspawn,dissect: make nspawn's .roothash file search reusableLennart Poettering2017-02-071-0/+8
| | | | | | | This makes nspawn's logic of automatically discovering the root hash of an image file generic, and then reuses it in systemd-dissect and in PID1's RootImage= logic, so that verity is automatically set up whenever we can.
* dissect: make using a generic partition as root partition optionalLennart Poettering2016-12-211-2/+2
| | | | | | | | | | In preparation for reusing the image dissector in the GPT auto-discovery logic, only optionally fail the dissection when we can't identify a root partition. In the GPT auto-discovery we are completely fine with any kind of root, given that we run when it is already mounted and all we do is find some additional auxiliary partitions on the same disk.
* dissect: return the GPT partition UUID, tooLennart Poettering2016-12-211-0/+3
| | | | | This is useful as we can match up the EFI UUID with the one the firmware supposedly used.
* dissect: optionally, only look for GPT partition tables, nothing elseLennart Poettering2016-12-201-1/+1
| | | | | This is useful for reusing the dissector logic in the gpt-auto-discovery logic: there we really don't want to use MBR or naked file systems as root device.
* dissect: add DISSECT_IMAGE_DISCARD_ANY maskZbigniew Jędrzejewski-Szmek2016-12-071-5/+9
| | | | This makes the code to set arg_flags much more readable.
* nspawn/dissect: automatically discover dm-verity verity partitionsLennart Poettering2016-12-071-4/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | This adds support for discovering and making use of properly tagged dm-verity data integrity partitions. This extends both systemd-nspawn and systemd-dissect with a new --root-hash= switch that takes the root hash to use for the root partition, and is otherwise fully automatic. Verity partitions are discovered automatically by GPT table type UUIDs, as listed in https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ (which I updated prior to this change, to include new UUIDs for this purpose. mkosi with https://github.com/systemd/mkosi/pull/39 applied may generate images that carry the necessary integrity data. With that PR and this commit, the following simply lines suffice to boot up an integrity-protected container image: ``` # mkdir test # cd test # mkosi --verity # systemd-nspawn -i ./image.raw -bn ``` Note that mkosi writes the image file to "image.raw" next to a a file "image.roothash" that contains the root hash. systemd-nspawn will look for that file and use it if it exists, in case --root-hash= is not specified explicitly.
* dissect: add support for encrypted imagesLennart Poettering2016-12-071-8/+38
| | | | | | | | | | | | | | | This adds support to the image dissector to deal with encrypted images (only LUKS). Given that we now have a neatly isolated image dissector codebase, let's add a new feature to it: support for automatically dealing with encrypted images. This is then exposed in systemd-dissect and nspawn. It's pretty basic: only support for passphrase-based encryption. In order to ensure that "systemd-dissect --mount" results in mount points whose backing LUKS DM devices are cleaned up automatically we use the DM_DEV_REMOVE ioctl() directly on the device (in DM_DEFERRED_REMOVE mode). libgcryptsetup at the moment doesn't provide a proper API for this. Thankfully, the ioctl() API is pretty easy to use.
* dissect: add small "systemd-dissect" tool as wrapper around dissect-image.cLennart Poettering2016-12-072-0/+207
This adds a small tool that may be used to look into OS images, and mount them to any place. This is mostly a friendlier version of test-dissect-image.c. I am not sure this should really become a proper command of systemd, hence for now do not install it into bindir, but simply libexecdir. This tool is already pretty useful since you can mount image files with it, honouring the various partitions correctly. I figure this is going to become more interesting if the dissctor learns luks and verity support.