[lxc-devel] [PATCH 1/1] lxc-usernsexec: add a manpage
Stéphane Graber
stgraber at ubuntu.com
Fri Jan 17 23:33:23 UTC 2014
On Fri, Jan 17, 2014 at 03:15:45PM -0600, Serge Hallyn wrote:
> and fix the help output in the program
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> configure.ac | 1 +
> doc/Makefile.am | 1 +
> doc/lxc-usernsexec.sgml.in | 156 +++++++++++++++++++++++++++++++++++++++++++++
> src/lxc/lxc_usernsexec.c | 3 +-
> 4 files changed, 159 insertions(+), 2 deletions(-)
> create mode 100644 doc/lxc-usernsexec.sgml.in
>
> diff --git a/configure.ac b/configure.ac
> index d8be165..8e1c198 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -592,6 +592,7 @@ AC_CONFIG_FILES([
> doc/lxc-unfreeze.sgml
> doc/lxc-unshare.sgml
> doc/lxc-user-nic.sgml
> + doc/lxc-usernsexec.sgml
> doc/lxc-version.sgml
> doc/lxc-wait.sgml
>
> diff --git a/doc/Makefile.am b/doc/Makefile.am
> index e87c2f8..f548238 100644
> --- a/doc/Makefile.am
> +++ b/doc/Makefile.am
> @@ -38,6 +38,7 @@ man_MANS = \
> lxc-unfreeze.1 \
> lxc-unshare.1 \
> lxc-user-nic.1 \
> + lxc-usernsexec.1 \
> lxc-version.1 \
> lxc-wait.1 \
> \
> diff --git a/doc/lxc-usernsexec.sgml.in b/doc/lxc-usernsexec.sgml.in
> new file mode 100644
> index 0000000..ca55ed8
> --- /dev/null
> +++ b/doc/lxc-usernsexec.sgml.in
> @@ -0,0 +1,156 @@
> +<!--
> +
> +lxc: linux Container library
> +
> +(C) Copyright IBM Corp. 2007, 2008
> +
> +Authors:
> +Daniel Lezcano <daniel.lezcano at free.fr>
> +Serge Hallyn <serge.hallyn at ubuntu.com>
> +
> +This library is free software; you can redistribute it and/or
> +modify it under the terms of the GNU Lesser General Public
> +License as published by the Free Software Foundation; either
> +version 2.1 of the License, or (at your option) any later version.
> +
> +This library is distributed in the hope that it will be useful,
> +but WITHOUT ANY WARRANTY; without even the implied warranty of
> +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> +Lesser General Public License for more details.
> +
> +You should have received a copy of the GNU Lesser General Public
> +License along with this library; if not, write to the Free Software
> +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
> +
> +-->
> +
> +<!DOCTYPE refentry PUBLIC @docdtd@ [
> +
> +<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml">
> +<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml">
> +]>
> +
> +<refentry>
> +
> + <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo>
> +
> + <refmeta>
> + <refentrytitle>lxc-usernsexec</refentrytitle>
> + <manvolnum>1</manvolnum>
> + </refmeta>
> +
> + <refnamediv>
> + <refname>lxc-usernsexec</refname>
> +
> + <refpurpose>
> + Run a task as root in a new user namespace.
> + </refpurpose>
> + </refnamediv>
> +
> + <refsynopsisdiv>
> + <cmdsynopsis>
> + <command>lxc-unshare</command>
> + <arg choice="opt">-m <replaceable>uid-map</replaceable></arg>
> + <arg choice="req">-- command</arg>
> + </cmdsynopsis>
> + </refsynopsisdiv>
> +
> + <refsect1>
> + <title>Description</title>
> +
> + <para>
> + <command>lxc-usernsexec</command> can be used to run a task as root
> + in a new user namespace.
> + </para>
> +
> + </refsect1>
> +
> + <refsect1>
> +
> + <title>Options</title>
> +
> + <variablelist>
> +
> + <varlistentry>
> + <term>
> + <option>-m <replaceable>uid-map</replaceable></option>
> + </term>
> + <listitem>
> + <para>
> + The uid map to use in the user namespace. Each map consists of
> + four colon-separate values. First a character 'u', 'g' or 'b' to
> + specify whether this map perttains to user ids, group ids, or
> + both; next the first userid in the user namespace; next the
> + first userid as seen on the host; and finally the number of
> + ids to be mapped.
> + </para>
> + <para>
> + More than one map can be specified. If no map is
> + specified, then by default the full uid and gid ranges granted
> + by /etc/subuid and /etc/subgid will be mapped to the
> + uids and gids starting at 0 in the container.
> + </para>
> + <para>
> + Note that <replaceable>lxc-usernsexec</replaceable> always tries
> + to setuid and setgid to 0 in the namespace. Therefore uid 0 in
> + the namespace must be mapped.
> + </para>
> + </listitem>
> + </varlistentry>
> +
> +
> + </variablelist>
> +
> + </refsect1>
> +
> + <refsect1>
> + <title>Examples</title>
> + <para>
> + To spawn a shell with the full allotted subuids mapped into
> + the container, use
> + <programlisting>
> + lxc-usernsexec
> + </programlisting>
> + To run a different shell than <replaceable>/bin/sh</replaceable>, use
> + <programlisting>
> + lxc-usernsexec -- /bin/bash
> + </programlisting>
> + </para>
> + <para>
> + If your user id is 1000, root in a container is mapped to 190000, and
> + you wish to chown a file you own to root in the container, you can use:
> + <programlisting>
> + lxc-usernsexec -m b:0:1000:1 -m b:1:190000:1 -- /bin/chown 1:1 $file
> + </programlisting>
> + This maps your userid to root in the user namespace, and 190000 to uid 1.
> + Since root in the user namespace is privileged over all userids mapped
> + into the namespace, you are allowed to change the file ownership, which
> + you could not do on the host using a simple chown.
> + </para>
> + </refsect1>
> +
> + &seealso;
> +
> + <refsect1>
> + <title>Author</title>
> + <para>Serge Hallyn <email>serge.hallyn at ubuntu.com</email></para>
> + </refsect1>
> +
> +</refentry>
> +
> +<!-- Keep this comment at the end of the file
> +Local variables:
> +mode: sgml
> +sgml-omittag:t
> +sgml-shorttag:t
> +sgml-minimize-attributes:nil
> +sgml-always-quote-attributes:t
> +sgml-indent-step:2
> +sgml-indent-data:t
> +sgml-parent-document:nil
> +sgml-default-dtd-file:nil
> +sgml-exposed-tags:nil
> +sgml-local-catalogs:nil
> +sgml-local-ecat-files:nil
> +End:
> +-->
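Review bot: the synopsis in <refsynopsisdiv> names the wrong program: <command>lxc-unshare</command> should be <command>lxc-usernsexec</command>. The same block marks the command as required (choice="req"), yet the first example runs lxc-usernsexec with no command and the usage string in lxc_usernsexec.c shows it as optional, so choice="opt" would match both. In the Options text, "colon-separate" and "perttains" are typos, the program name in the setuid note is wrapped in <replaceable> where <command> is meant, and the field description says "userid" even for 'g' and 'b' maps, where "id" would cover all three. The chown example would be easier to follow if it stated that 1:1 inside the namespace is 190000 on the host, which is the container's root, and quoting "$file" would keep the command correct for paths containing spaces.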
> diff --git a/src/lxc/lxc_usernsexec.c b/src/lxc/lxc_usernsexec.c
> index 35cd473..8335725 100644
> --- a/src/lxc/lxc_usernsexec.c
> +++ b/src/lxc/lxc_usernsexec.c
> @@ -47,8 +47,7 @@ int unshare(int flags);
>
> static void usage(const char *name)
> {
> - printf("usage: %s [-h] [-c] [-mnuUip] [-P <pid-file>]"
> - "[command [arg ..]]\n", name);
> + printf("usage: %s [-h] [-m <uid-maps>] -- [command [arg ..]]\n", name);
> printf("\n");
> printf(" -h this message\n");
> printf("\n");
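Review bot: the new usage line advertises [-m <uid-maps>], but the option list in the visible context below it still describes only -h. Add a line for -m that gives the map format from the manpage (u, g or b; first id in the namespace; first id on the host; count), and, since the command after -- is shown as optional, say what is run when it is omitted.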
> --
> 1.8.5.2
>
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com