[lxc-devel] [PATCH 3/8] container creation: support unpriv container creation in user namespaces
Stéphane Graber
stgraber at ubuntu.com
Tue Jul 23 08:41:14 UTC 2013
On Mon, Jul 22, 2013 at 10:02:46AM -0500, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > On Fri, Jul 19, 2013 at 02:26:50PM +0000, Serge Hallyn wrote:
> > > From: Serge Hallyn <serge.hallyn at ubuntu.com>
> > >
> > > 1. lxcapi_create: don't try to unshare and mount for dir backed containers
> > >
> > > It's unnecessary, and breaks unprivileged lxc-create (since unpriv users
> > > cannot yet unshare(CLONE_NEWNS)).
> > >
> > > 2. api_create: chown rootfs
> > >
> > > chown rootfs to the host uid to which container root will be mapped
> > >
> > > 3. create: run template in a mapped user ns
> > >
> > > 4. use (setuid-root) newxidmap to set id_map if we are not root
> > >
> > > This is needed to be able to set userns mappings as an unprivileged
> > > user, for unprivileged lxc-start.
> > >
> > > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > > ---
> > > src/lxc/conf.c | 107 +++++++++++++++++++++++++++-----
> > > src/lxc/conf.h | 4 ++
> > > src/lxc/lxccontainer.c | 162 +++++++++++++++++++++++++++++++++++++++++++++----
> > > 3 files changed, 244 insertions(+), 29 deletions(-)
> > >
> > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > > index 46320dd..2e202ec 100644
> > > --- a/src/lxc/conf.c
> > > +++ b/src/lxc/conf.c
> > > @@ -2547,6 +2547,11 @@ static int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf,
> > > return ret < 0 ? ret : closeret;
> > > }
> > >
> > > +int do_call_newxid(char *str)
> > > +{
> > > + return system(str);
> > > +}
> > > +
> >
> > Hmm, what? :)
> >
> > Is that meant to evolve into something more than an alias of system()?
>
> Heh, it started out as more. I did at one point almost pull it out, but
> then I wasn't quite sure yet what was going to happen with it in the
> end.
>
> I guess I can squash it.
ok :)
> > > int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
> > > {
> > > struct lxc_list *iterator;
> > > @@ -2554,31 +2559,49 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid)
> > > int ret = 0;
> > > enum idtype type;
> > > char *buf = NULL, *pos;
> > > + int am_root = (getuid() == 0);
> > >
> > > for(type = ID_TYPE_UID; type <= ID_TYPE_GID; type++) {
> > > int left, fill;
> > > -
> > > - pos = buf;
> > > - lxc_list_for_each(iterator, idmap) {
> > > - /* The kernel only takes <= 4k for writes to /proc/<nr>/[ug]id_map */
> > > - if (!buf)
> > > - buf = pos = malloc(4096);
> > > + int had_entry = 0;
> > > + if (!buf) {
> > > + buf = pos = malloc(4096);
> > > if (!buf)
> > > return -ENOMEM;
> > > + }
> > > + pos = buf;
> > > + if (!am_root)
> > > + pos += sprintf(buf, "/usr/bin/new%cidmap %d ",
> >
> > May be worth having autoconf figure out the paths for those as they very
> > well may be moved to /bin.
>
> Yeah, these should be done through autoconf.
>
> Well, or we could use execvp as below.
Saw the patch for that, looks reasonable.
> As for usernsexec, we first need to figure out what program we actually
> want to use.
>
> Do we want to ship usernsexec.c with lxc, or do we want to push
> something into coreutils that serves our purpose?
LXC sounds easier for now, we can always make the code use a coreutils
code once we get something similar in there.
>
> Normally I'd prefer the latter, but coreutils in ubuntu seems to be
> lagging - and upstream hasn't done a release lately - so I didn't
> want to deal with it right now.
>
> -serge
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20130723/58603870/attachment.pgp>
More information about the lxc-devel
mailing list