[lxc-devel] [PATCH 4/3] start: use lxc-user-nic if we are not root
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Oct 23 15:52:37 UTC 2013
Note this results in nics named things like 'lxcuser-0p'. We'll
likely want to pass the requested name to lxc-user-nic, but let's
do that in a separate patch.
If we're not root, we can't create new network interfaces to pass
into the container. Instead wait until the container is started,
and call lxc-user-nic to create and assign the nics.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
src/lxc/conf.c | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index bba6379..75d6cbf 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2687,6 +2687,10 @@ int lxc_create_network(struct lxc_handler *handler)
struct lxc_list *network = &handler->conf->network;
struct lxc_list *iterator;
struct lxc_netdev *netdev;
+ int am_root = (getuid() == 0);
+
+ if (!am_root)
+ return 0;
lxc_list_for_each(iterator, network) {
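Review bot: The early `if (!am_root) return 0;` skips lxc_create_network wholesale, so an unprivileged config containing a netdev type other than veth is no longer rejected at creation time; judging by the second hunk it only fails in unpriv_assign_nic, after the container process already exists. A cheap check here would surface the misconfiguration before anything is started, e.g. replace the bare return with a loop that errors on `netdev->type != LXC_NET_VETH` and returns -1, then returns 0. The loop body of lxc_create_network continues outside the hunk.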
@@ -2738,16 +2742,51 @@ void lxc_delete_network(struct lxc_handler *handler)
}
}
+int unpriv_assign_nic(struct lxc_netdev *netdev, pid_t pid)
+{
+ pid_t child;
+
+ if (netdev->type != LXC_NET_VETH) {
+ ERROR("nic type %d not support for unprivileged use",
+ netdev->type);
+ return -1;
+ }
+
+ if ((child = fork()) < 0) {
+ SYSERROR("fork");
+ return -1;
+ }
+
+ if (child > 0)
+ return wait_for_pid(child);
+
+ // Call lxc-user-nic pid type bridge
+ char pidstr[20];
+ char *args[] = { "lxc-user-nic", pidstr, "veth", netdev->link, NULL };
+ snprintf(pidstr, 19, "%lu", (unsigned long) pid);
+ pidstr[19] = '\0';
+ execvp("lxc-user-nic", args);
+ SYSERROR("execvp lxc-user-nic");
+ exit(1);
+}
+
int lxc_assign_network(struct lxc_list *network, pid_t pid)
{
struct lxc_list *iterator;
struct lxc_netdev *netdev;
+ int am_root = (getuid() == 0);
int err;
lxc_list_for_each(iterator, network) {
netdev = iterator->elem;
+ if (!am_root) {
+ if (unpriv_assign_nic(netdev, pid))
+ return -1;
+ // TODO fill in netdev->ifindex and name
+ continue;
+ }
/* empty network namespace, nothing to move */
if (!netdev->ifindex)
continue;
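Review bot: `netdev->link` is passed straight into `args` without a NULL check in unpriv_assign_nic; since execvp stops at the first NULL argv entry, a veth netdev with no link configured would run `lxc-user-nic <pid> veth` with the bridge silently missing rather than failing with a clear error. In the child, `exit(1)` after a failed execvp should be `_exit(1)`, otherwise the parent's buffered stdio and atexit handlers run a second time in the forked copy; `snprintf(pidstr, 19, ...)` plus `pidstr[19] = '\0'` can simply be `snprintf(pidstr, sizeof pidstr, ...)`, which already NUL-terminates. Two smaller points: `unpriv_assign_nic` is not declared `static` although nothing on this page shows it exported from a header, and the message reads "not support" where "not supported" is meant. The helper is resolved through PATH; if it is installed as a privileged helper, presumably, executing it by its installed path would make the behaviour independent of the caller's environment. The tail of lxc_assign_network continues outside the hunk.
```c
static int unpriv_assign_nic(struct lxc_netdev *netdev, pid_t pid)
{
	pid_t child;
	char pidstr[20];

	if (netdev->type != LXC_NET_VETH) {
		ERROR("nic type %d not supported for unprivileged use",
		      netdev->type);
		return -1;
	}
	/* argv ends at the first NULL, so a missing link would drop the
	 * bridge argument instead of failing loudly */
	if (!netdev->link) {
		ERROR("no link (bridge) configured for unprivileged veth");
		return -1;
	}

	// … unchanged: fork(), wait_for_pid() in the parent …

	// Child: exec lxc-user-nic <pid> veth <bridge>
	snprintf(pidstr, sizeof pidstr, "%lu", (unsigned long) pid);
	char *args[] = { "lxc-user-nic", pidstr, "veth", netdev->link, NULL };
	execvp("lxc-user-nic", args);
	SYSERROR("execvp lxc-user-nic");
	_exit(1);	// never exit() in a forked child: no atexit/stdio flush
}
```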
--
1.8.3.2