[lxc-devel] [RFC lxc 2/2] Added lxc.start.unshare

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Nov 20 09:18:27 UTC 2015


If manual mounting with elevated permissions is required
this can currently only be done in pre-start hooks or before
starting LXC. In both cases the mounts would appear in the
host's namespace.
With this flag the mount namespace is unshared before the startup
sequence, so that mounts performed in the pre-start hook
don't show up on the host.

Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
---
 doc/lxc.container.conf.sgml.in | 12 ++++++++++++
 src/lxc/conf.h                 |  1 +
 src/lxc/confile.c              |  7 +++++++
 src/lxc/lxccontainer.c         | 12 ++++++++++++
 4 files changed, 32 insertions(+)

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 90ffefa..7592d5c 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1661,6 +1661,18 @@ mknod errno 0
         </varlistentry>
         <varlistentry>
           <term>
+            <option>lxc.start.unshare</option>
+          </term>
+          <listitem>
+            <para>
+              If not zero (which is the default) the mount namespace will
+              be unshared from the host before initializing the container
+              (before running any pre-start hooks).
+            </para>
+          </listitem>
+        </varlistentry>
+        <varlistentry>
+          <term>
             <option>lxc.group</option>
           </term>
           <listitem>
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 1374d4a..3a83ba3 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -344,6 +344,7 @@ struct lxc_conf {
 	int start_auto;
 	int start_delay;
 	int start_order;
+	int start_unshare;
 	struct lxc_list groups;
 	int nbd_idx;
 
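Review bot: The new `start_unshare` field carries no comment stating its meaning or its default, while the neighbouring sgml text ("If not zero (which is the default)") can be read as saying non-zero is the default. A one-line field comment would pin this down: `int start_unshare; /* lxc.start.unshare: non-zero => unshare the mount namespace before pre-start hooks; 0 (default) keeps the host's */`. The default of 0 is an inference from the usual zero-initialised conf struct and should be confirmed; the struct definition continues outside the hunk.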
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index c2eaaa6..b6ed195 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -173,6 +173,7 @@ static struct lxc_config_t config[] = {
 	{ "lxc.start.auto",           config_start                },
 	{ "lxc.start.delay",          config_start                },
 	{ "lxc.start.order",          config_start                },
+	{ "lxc.start.unshare",        config_start                },
 	{ "lxc.group",                config_group                },
 	{ "lxc.environment",          config_environment          },
 	{ "lxc.init_cmd",             config_init_cmd             },
@@ -1137,6 +1138,10 @@ static int config_start(const char *key, const char *value,
 		lxc_conf->start_order = atoi(value);
 		return 0;
 	}
+	else if (strcmp(key, "lxc.start.unshare") == 0) {
+		lxc_conf->start_unshare = atoi(value);
+		return 0;
+	}
 	SYSERROR("Unknown key: %s", key);
 	return -1;
 }
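Review bot: `lxc_conf->start_unshare = atoi(value);` silently maps any non-numeric value (for example a stray `yes` or `true`) to 0, so a misspelt setting quietly disables the unshare instead of being rejected, and the user only discovers it when hook mounts appear on the host. The sibling keys on the preceding lines use `atoi` the same way, so this is a pre-existing pattern rather than a regression, but for a flag with a security-relevant effect it is worth parsing strictly and returning -1 on trailing garbage. `config_start` begins outside the hunk; the replacement below covers only the new branch.
```c
	else if (strcmp(key, "lxc.start.unshare") == 0) {
		char *end = NULL;
		long v = strtol(value, &end, 10);
		if (end == value || *end != '\0') {
			SYSERROR("Invalid value for %s: %s", key, value);
			return -1;
		}
		lxc_conf->start_unshare = (int)v;
		return 0;
	}
```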
@@ -2483,6 +2488,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv,
 		return lxc_get_conf_int(c, retv, inlen, c->start_delay);
 	else if (strcmp(key, "lxc.start.order") == 0)
 		return lxc_get_conf_int(c, retv, inlen, c->start_order);
+	else if (strcmp(key, "lxc.start.unshare") == 0)
+		return lxc_get_conf_int(c, retv, inlen, c->start_unshare);
 	else if (strcmp(key, "lxc.group") == 0)
 		return lxc_get_item_groups(c, retv, inlen);
 	else if (strcmp(key, "lxc.seccomp") == 0)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 69816da..8dcc541 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
 
 	conf->reboot = 0;
 
+	/* Unshare the mount namespace if requested */
+	if (conf->start_unshare) {
+		if (unshare(CLONE_NEWNS)) {
+			SYSERROR("failed to unshare mount namespace");
+			return false;
+		}
+		if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) {
+			SYSERROR("Failed to make / rslave at startup");
+			return false;
+		}
+	}
+
 reboot:
 	if (lxc_check_inherited(conf, daemonize, -1)) {
 		ERROR("Inherited fds found");
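Review bot: `unshare(CLONE_NEWNS)` runs in whatever process executes `do_lxcapi_start`; if the non-daemonized path (the `daemonize` argument passed to `lxc_check_inherited` suggests one exists) reaches this point in the API caller's own process, the caller is moved into a new mount namespace permanently with no way to rejoin the host's, which is a surprising side effect for a library entry point. Whether the daemonize fork happens before this point is not visible in the hunk and should be confirmed; either way it deserves a comment, e.g. `/* NB: when not daemonized this detaches the calling process's mount namespace for good */`, and a sentence in the option's documentation. Separately, `unshare(CLONE_NEWNS)` needs CAP_SYS_ADMIN in the caller's user namespace, so enabling the option for an unprivileged container will make start fail with EPERM; the error text could say that the option requires privileges rather than only "failed to unshare mount namespace". The two SYSERROR messages also differ in capitalisation ("failed..." vs "Failed..."). `do_lxcapi_start` begins and ends outside the hunk.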
-- 
2.1.4



