[lxc-devel] [PATCH v3 5/6] lxc-attach: Add -s option to select namespaces to attach to
Serge Hallyn
serge.hallyn at canonical.com
Thu May 24 14:19:06 UTC 2012
Quoting Christian Seiler (christian at iwakd.de):
> This patch allows the user to select any list of namespaces (network, pid,
> mount, uts, ipc, user) that lxc-attach should use when attaching to the
> container; all other namespaces will not be attached to.
>
> This allows the user to, for example, attach to just the network namespace and
> use the host's (and not the container's) network tools to reconfigure the
> network of the container.
>
> Signed-off-by: Christian Seiler <christian at iwakd.de>
> Cc: Daniel Lezcano <daniel.lezcano at free.fr>
> Cc: Serge Hallyn <serge.hallyn at canonical.com>
Acked-by: Serge Hallyn <serge.hallyn at canonical.com>
> ---
> doc/lxc-attach.sgml.in | 98 +++++++++++++++++++++++++++++++++++++++++++++--
> src/lxc/lxc_attach.c | 20 +++++++++-
> 2 files changed, 112 insertions(+), 6 deletions(-)
>
> diff --git a/doc/lxc-attach.sgml.in b/doc/lxc-attach.sgml.in
> index 7092f16..035cd27 100644
> --- a/doc/lxc-attach.sgml.in
> +++ b/doc/lxc-attach.sgml.in
> @@ -49,7 +49,8 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> <refsynopsisdiv>
> <cmdsynopsis><command>lxc-attach <replaceable>-n
> name</replaceable> <optional>-a
> - arch</optional> <optional>-e</optional>
> + arch</optional> <optional>-e</optional> <optional>-s
> + namespaces</optional>
> <optional>-- command</optional></command></cmdsynopsis>
> </refsynopsisdiv>
>
> @@ -122,6 +123,29 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> </listitem>
> </varlistentry>
>
> + <varlistentry>
> + <term>
> + <option>-s, --namespaces <replaceable>namespaces</replaceable></option>
> + </term>
> + <listitem>
> + <para>
> + Specify the namespaces to attach to, as a pipe-separated liste,
> + e.g. <replaceable>NETWORK|IPC</replaceable>. Allowed values are
> + <replaceable>MOUNT</replaceable>, <replaceable>PID</replaceable>,
> + <replaceable>UTSNAME</replaceable>, <replaceable>IPC</replaceable>,
> + <replaceable>USER </replaceable> and
> + <replaceable>NETWORK</replaceable>. This allows one to change
> + the context of the process to e.g. the network namespace of the
> + container while retaining the other namespaces as those of the
> + host.
> + </para>
> + <para>
> + <emphasis>Important:</emphasis> This option implies
> + <option>-e</option>.
> + </para>
> + </listitem>
> + </varlistentry>
> +
> </variablelist>
>
> </refsect1>
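Review bot: the new -s paragraph has a typo, "pipe-separated liste" should read "pipe-separated list", and `<replaceable>USER </replaceable>` carries a trailing space inside the tag that will render as "USER  and"; drop the space. The "Important: This option implies -e" note would also serve the reader better if it pointed at the Security section, since the matching usage text in lxc_attach.c warns that -s may therefore leak privileges into the container, and someone asking only for the NETWORK namespace may not expect that.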
> @@ -144,19 +168,83 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
> </para>
> <para>
> To deactivate the network link eth1 of a running container that
> - does not have the NET_ADMIN capability, use the <option>-e</option>
> - option to use increased capabilities:
> + does not have the NET_ADMIN capability, use either the
> + <option>-e</option> option to use increased capabilities,
> + assuming the <command>ip</command> tool is installed:
> <programlisting>
> lxc-attach -n container -e -- /sbin/ip link delete eth1
> </programlisting>
> + Or, alternatively, use the <option>-s</option> to use the
> + tools installed on the host outside the container:
> + <programlisting>
> + lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
> + </programlisting>
> </para>
> </refsect1>
>
> <refsect1>
> + <title>Compatibility</title>
> + <para>
> + Attaching completely (including the pid and mount namespaces) to a
> + container requires a patched kernel, please see the lxc website for
> + details. <command>lxc-attach</command> will fail in that case if
> + used with an unpatched kernel.
> + </para>
> + <para>
> + Nevertheless, it will succeed on an unpatched kernel of version 3.0
> + or higher if the <option>-s</option> option is used to restrict the
> + namespaces that the process is to be attached to to one or more of
> + <replaceable>NETWORK</replaceable>, <replaceable>IPC</replaceable>
> + and <replaceable>UTSNAME</replaceable>.
> + </para>
> + <para>
> + Attaching to user namespaces is currently completely unsupported
> + by the kernel. <command>lxc-attach</command> should however be able
> + to do this once once future kernel versions implement this.
> + </para>
> + </refsect1>
> +
> + <refsect1>
> + <title>Notes</title>
> + <para>
> + The Linux <replaceable>/proc</replaceable> and
> + <replaceable>/sys</replaceable> filesystems contain information
> + about some quantities that are affected by namespaces, such as
> + the directories named after process ids in
> + <replaceable>/proc</replaceable> or the network interface infromation
> + in <replaceable>/sys/class/net</replaceable>. The namespace of the
> + process mounting the pseudo-filesystems determines what information
> + is shown, <emphasis>not</emphasis> the namespace of the process
> + accessing <replaceable>/proc</replaceable> or
> + <replaceable>/sys</replaceable>.
> + </para>
> + <para>
> + If one uses the <option>-s</option> option to only attach to
> + the pid namespace of a container, but not its mount namespace
> + (which will contain the <replaceable>/proc</replaceable> of the
> + container and not the host), the contents of <option>/proc</option>
> + will reflect that of the host and not the container. Analogously,
> + the same issue occurs when reading the contents of
> + <replaceable>/sys/class/net</replaceable> and attaching to just
> + the network namespace.
> + </para>
> + <para>
> + A workaround is to use <command>lxc-unshare</command> to unshare
> + the mount namespace after using <command>lxc-attach</command> with
> + <replaceable>-s PID</replaceable> and/or <replaceable>-s
> + NETWORK</replaceable> and then unmount and then mount again both
> + pseudo-filesystems within that new mount namespace, before
> + executing a program/script that relies on this information to be
> + correct.
> + </para>
> + </refsect1>
> +
> + <refsect1>
> <title>Security</title>
> <para>
> - The <option>-e</option> should be used with care, as it may break
> - the isolation of the containers if used improperly.
> + The <option>-e</option> and <option>-s</option> options should
> + be used with care, as it may break the isolation of the containers
> + if used improperly.
> </para>
> </refsect1>
>
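Review bot: several wording slips in the new text: "use the <option>-s</option> to use the tools" is missing the word "option" after the tag; "once once" in the Compatibility section; "infromation" in the Notes section; "attached to to one or more" reads awkwardly, e.g. "restrict the attached namespaces to one or more of"; and `<option>/proc</option>` in the Notes section should be `<replaceable>/proc</replaceable>` to match the surrounding markup. In the Security section, "as it may break" should become "as they may break" now that two options are named, and it is worth stating there that -s implies -e (as the usage text in lxc_attach.c does), so the privilege implication is visible in the section readers consult for it. The /proc and /sys caveat in Notes is a good addition: as written, a script run via `-s PID` or `-s NETWORK` alone that reads /proc or /sys/class/net sees the host's view, so any check it performs on that information is unreliable until the lxc-unshare remount workaround has been applied.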
> diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c
> index 10d4a64..4f22752 100644
> --- a/src/lxc/lxc_attach.c
> +++ b/src/lxc/lxc_attach.c
> @@ -40,12 +40,14 @@
> #include "start.h"
> #include "sync.h"
> #include "log.h"
> +#include "namespace.h"
>
> lxc_log_define(lxc_attach_ui, lxc);
>
> static const struct option my_longopts[] = {
> {"elevated-privileges", no_argument, 0, 'e'},
> {"arch", required_argument, 0, 'a'},
> + {"namespaces", required_argument, 0, 's'},
> LXC_COMMON_OPTIONS
> };
>
> @@ -55,6 +57,8 @@ static int namespace_flags = -1;
>
> static int my_parser(struct lxc_arguments* args, int c, char* arg)
> {
> + int ret;
> +
> switch (c) {
> case 'e': elevated_privileges = 1; break;
> case 'a':
> @@ -64,6 +68,14 @@ static int my_parser(struct lxc_arguments* args, int c, char* arg)
> return -1;
> }
> break;
> + case 's':
> + namespace_flags = 0;
> + ret = lxc_fill_namespace_flags(arg, &namespace_flags);
> + if (ret)
> + return -1;
> + /* -s implies -e */
> + elevated_privileges = 1;
> + break;
> }
>
> return 0;
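Review bot: in the new `case 's'`, when lxc_fill_namespace_flags() rejects the argument the parser just returns -1, so the user gets no indication which namespace name was wrong; unless the callee already logs, emit an error naming `arg` before the `return -1`. Also, `namespace_flags = 0;` on every `-s` means a repeated option silently discards the earlier set rather than OR-ing into it; either document that the last -s wins or only reset when the flags are still at the default -1. Finally, the implicit `elevated_privileges = 1` is a silent privilege change; it is mentioned in the usage text, but a log line at this point (the file already sets up lxc logging) would make the escalation visible to anyone reviewing an attach later.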
> @@ -84,7 +96,13 @@ Options :\n\
> WARNING: This may leak privleges into the container.\n\
> Use with care.\n\
> -a, --arch=ARCH Use ARCH for program instead of container's own\n\
> - architecture.\n",
> + architecture.\n\
> + -s, --namespaces=FLAGS\n\
> + Don't attach to all the namespaces of the container\n\
> + but just to the following OR'd list of flags:\n\
> + MOUNT, PID, UTSNAME, IPC, USER or NETWORK\n\
> + WARNING: Using -s implies -e, it may therefore\n\
> + leak privileges into the container. Use with care.\n",
> .options = my_longopts,
> .parser = my_parser,
> .checker = NULL,
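Review bot: the usage text says "OR'd list of flags" but never shows the separator; the sgml documents it as pipe-separated (`NETWORK|IPC`), so give the same example here, e.g. "MOUNT, PID, UTSNAME, IPC, USER or NETWORK, e.g. NETWORK|IPC". While touching this block, the context line above reads "privleges" and could be corrected to "privileges" to match the new -s warning.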
> --
> 1.7.2.5
>