[lxc-devel] [PATCH 1/1] lxc-usernsexec: add a manpage
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Jan 17 21:15:45 UTC 2014
and fix the help output in the program
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
configure.ac | 1 +
doc/Makefile.am | 1 +
doc/lxc-usernsexec.sgml.in | 156 +++++++++++++++++++++++++++++++++++++++++++++
src/lxc/lxc_usernsexec.c | 3 +-
4 files changed, 159 insertions(+), 2 deletions(-)
create mode 100644 doc/lxc-usernsexec.sgml.in
diff --git a/configure.ac b/configure.ac
index d8be165..8e1c198 100644
--- a/configure.ac
+++ b/configure.ac
@@ -592,6 +592,7 @@ AC_CONFIG_FILES([
doc/lxc-unfreeze.sgml
doc/lxc-unshare.sgml
doc/lxc-user-nic.sgml
+ doc/lxc-usernsexec.sgml
doc/lxc-version.sgml
doc/lxc-wait.sgml
diff --git a/doc/Makefile.am b/doc/Makefile.am
index e87c2f8..f548238 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -38,6 +38,7 @@ man_MANS = \
lxc-unfreeze.1 \
lxc-unshare.1 \
lxc-user-nic.1 \
+ lxc-usernsexec.1 \
lxc-version.1 \
lxc-wait.1 \
\
diff --git a/doc/lxc-usernsexec.sgml.in b/doc/lxc-usernsexec.sgml.in
new file mode 100644
index 0000000..ca55ed8
--- /dev/null
+++ b/doc/lxc-usernsexec.sgml.in
@@ -0,0 +1,156 @@
+<!--
+
+lxc: linux Container library
+
+(C) Copyright IBM Corp. 2007, 2008
+
+Authors:
+Daniel Lezcano <daniel.lezcano at free.fr>
+Serge Hallyn <serge.hallyn at ubuntu.com>
+
+This library is free software; you can redistribute it and/or
+modify it under the terms of the GNU Lesser General Public
+License as published by the Free Software Foundation; either
+version 2.1 of the License, or (at your option) any later version.
+
+This library is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public
+License along with this library; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+-->
+
+<!DOCTYPE refentry PUBLIC @docdtd@ [
+
+<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
+<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
+]>
+
+<refentry>
+
+ <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
+
+ <refmeta>
+ <refentrytitle>lxc-usernsexec</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>lxc-usernsexec</refname>
+
+ <refpurpose>
+ Run a task as root in a new user namespace.
+ </refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>lxc-unshare</command>
+ <arg choice="opt">-m <replaceable>uid-map</replaceable></arg>
+ <arg choice="req">-- command</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para>
+ <command>lxc-usernsexec</command> can be used to run a task as root
+ in a new user namespace.
+ </para>
+
+ </refsect1>
+
+ <refsect1>
+
+ <title>Options</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term>
+ <option>-m <replaceable>uid-map</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ The uid map to use in the user namespace. Each map consists of
+ four colon-separate values. First a character 'u', 'g' or 'b' to
+ specify whether this map perttains to user ids, group ids, or
+ both; next the first userid in the user namespace; next the
+ first userid as seen on the host; and finally the number of
+ ids to be mapped.
+ </para>
+ <para>
+ More than one map can be specified. If no map is
+ specified, then by default the full uid and gid ranges granted
+ by /etc/subuid and /etc/subgid will be mapped to the
+ uids and gids starting at 0 in the container.
+ </para>
+ <para>
+ Note that <replaceable>lxc-usernsexec</replaceable> always tries
+ to setuid and setgid to 0 in the namespace. Therefore uid 0 in
+ the namespace must be mapped.
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+ </variablelist>
+
+ </refsect1>
+
+ <refsect1>
+ <title>Examples</title>
+ <para>
+ To spawn a shell with the full allotted subuids mapped into
+ the container, use
+ <programlisting>
+ lxc-usernsexec
+ </programlisting>
+ To run a different shell than <replaceable>/bin/sh</replaceable>, use
+ <programlisting>
+ lxc-usernsexec -- /bin/bash
+ </programlisting>
+ </para>
+ <para>
+ If your user id is 1000, root in a container is mapped to 190000, and
+ you wish to chown a file you own to root in the container, you can use:
+ <programlisting>
+ lxc-usernsexec -m b:0:1000:1 -m b:1:190000:1 -- /bin/chown 1:1 $file
+ </programlisting>
+ This maps your userid to root in the user namespace, and 190000 to uid 1.
+ Since root in the user namespace is privileged over all userids mapped
+ into the namespace, you are allowed to change the file ownership, which
+ you could not do on the host using a simple chown.
+ </para>
+ </refsect1>
+
+ &seealso;
+
+ <refsect1>
+ <title>Author</title>
+ <para>Serge Hallyn <email>serge.hallyn at ubuntu.com</email></para>
+ </refsect1>
+
+</refentry>
+
+<!-- Keep this comment at the end of the file
+Local variables:
+mode: sgml
+sgml-omittag:t
+sgml-shorttag:t
+sgml-minimize-attributes:nil
+sgml-always-quote-attributes:t
+sgml-indent-step:2
+sgml-indent-data:t
+sgml-parent-document:nil
+sgml-default-dtd-file:nil
+sgml-exposed-tags:nil
+sgml-local-catalogs:nil
+sgml-local-ecat-files:nil
+End:
+-->
diff --git a/src/lxc/lxc_usernsexec.c b/src/lxc/lxc_usernsexec.c
index 35cd473..8335725 100644
--- a/src/lxc/lxc_usernsexec.c
+++ b/src/lxc/lxc_usernsexec.c
@@ -47,8 +47,7 @@ int unshare(int flags);
static void usage(const char *name)
{
- printf("usage: %s [-h] [-c] [-mnuUip] [-P <pid-file>]"
- "[command [arg ..]]\n", name);
+ printf("usage: %s [-h] [-m <uid-maps>] -- [command [arg ..]]\n", name);
printf("\n");
printf(" -h this message\n");
printf("\n");
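Review bot: The new usage line names the `-m` argument `<uid-maps>`, while the manpage added in the same commit documents the option as `-m uid-map` and says more than one map may be given (its example passes `-m` twice); writing the usage as `[-m <uid-map>]...` would make the help output agree with the manpage. Within the hunk the option list that follows describes only `-h`; if usage() has no line for `-m` further down, add `printf(" -m <uid-map> map to apply (u|g|b:nsid:hostid:count), may be repeated\n");` so the help text and the manpage describe the same syntax. The same cross-check is worth applying to the manpage synopsis, which names the command `lxc-unshare` rather than `lxc-usernsexec`. usage() continues past the end of the hunk.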
--
1.8.5.2