[lxc-devel] [RFC lxc 2/2] Added lxc.start.unshare

Serge Hallyn serge.hallyn at ubuntu.com
Fri Nov 20 16:24:46 UTC 2015


Quoting Wolfgang Bumiller (w.bumiller at proxmox.com):
> If manual mounting with elevated permissions is required
> this can currently only be done in pre-start hooks or before
> starting LXC. In both cases the mounts would appear in the
> host's namespace.
> With this flag the namespace is unshared before the startup
> sequence, so that mounts performed in the pre-start hook
> don't show up on the host.
> 
> Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>

Hi,

ack on the code.  But I want to bikeshed on the name.  'lxc.start.unshare'
makes it sound like the container won't be unshared by default.  How
about either lxc.monitor.unshare or lxc.early_unshare?  Do you have any
other ideas?

> ---
>  doc/lxc.container.conf.sgml.in | 12 ++++++++++++
>  src/lxc/conf.h                 |  1 +
>  src/lxc/confile.c              |  7 +++++++
>  src/lxc/lxccontainer.c         | 12 ++++++++++++
>  4 files changed, 32 insertions(+)
> 
> diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
> index 90ffefa..7592d5c 100644
> --- a/doc/lxc.container.conf.sgml.in
> +++ b/doc/lxc.container.conf.sgml.in
> @@ -1661,6 +1661,18 @@ mknod errno 0
>          </varlistentry>
>          <varlistentry>
>            <term>
> +            <option>lxc.start.unshare</option>
> +          </term>
> +          <listitem>
> +            <para>
> +              If not zero (which is the default) the mount namespace will
> +              be unshared from the host before initializing the container
> +              (before running any pre-start hooks).
> +            </para>
> +          </listitem>
> +        </varlistentry>
> +        <varlistentry>
> +          <term>
>              <option>lxc.group</option>
>            </term>
>            <listitem>
> diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> index 1374d4a..3a83ba3 100644
> --- a/src/lxc/conf.h
> +++ b/src/lxc/conf.h
> @@ -344,6 +344,7 @@ struct lxc_conf {
>  	int start_auto;
>  	int start_delay;
>  	int start_order;
> +	int start_unshare;
>  	struct lxc_list groups;
>  	int nbd_idx;
>  
> diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> index c2eaaa6..b6ed195 100644
> --- a/src/lxc/confile.c
> +++ b/src/lxc/confile.c
> @@ -173,6 +173,7 @@ static struct lxc_config_t config[] = {
>  	{ "lxc.start.auto",           config_start                },
>  	{ "lxc.start.delay",          config_start                },
>  	{ "lxc.start.order",          config_start                },
> +	{ "lxc.start.unshare",        config_start                },
>  	{ "lxc.group",                config_group                },
>  	{ "lxc.environment",          config_environment          },
>  	{ "lxc.init_cmd",             config_init_cmd             },
> @@ -1137,6 +1138,10 @@ static int config_start(const char *key, const char *value,
>  		lxc_conf->start_order = atoi(value);
>  		return 0;
>  	}
> +	else if (strcmp(key, "lxc.start.unshare") == 0) {
> +		lxc_conf->start_unshare = atoi(value);
> +		return 0;
> +	}
>  	SYSERROR("Unknown key: %s", key);
>  	return -1;
>  }
> @@ -2483,6 +2488,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv,
>  		return lxc_get_conf_int(c, retv, inlen, c->start_delay);
>  	else if (strcmp(key, "lxc.start.order") == 0)
>  		return lxc_get_conf_int(c, retv, inlen, c->start_order);
> +	else if (strcmp(key, "lxc.start.unshare") == 0)
> +		return lxc_get_conf_int(c, retv, inlen, c->start_unshare);
>  	else if (strcmp(key, "lxc.group") == 0)
>  		return lxc_get_item_groups(c, retv, inlen);
>  	else if (strcmp(key, "lxc.seccomp") == 0)
> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> index 69816da..8dcc541 100644
> --- a/src/lxc/lxccontainer.c
> +++ b/src/lxc/lxccontainer.c
> @@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
>  
>  	conf->reboot = 0;
>  
> +	/* Unshare the mount namespace if requested */
> +	if (conf->start_unshare) {
> +		if (unshare(CLONE_NEWNS)) {
> +			SYSERROR("failed to unshare mount namespace");
> +			return false;
> +		}
> +		if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) {
> +			SYSERROR("Failed to make / rslave at startup");
> +			return false;
> +		}
> +	}
> +
>  reboot:
>  	if (lxc_check_inherited(conf, daemonize, -1)) {
>  		ERROR("Inherited fds found");
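Review bot: The new `unshare(CLONE_NEWNS)` runs in whatever process reaches this point of do_lxcapi_start, so a non-daemonized start appears to leave the API caller's own process in the unshared mount namespace for the rest of its lifetime — the daemonize fork seems to happen earlier in the function, but that is outside the hunk and worth confirming and stating in the option's description. The call also requires CAP_SYS_ADMIN in the caller's user namespace, so an unprivileged start with this option set fails with EPERM and aborts; the message should say so, e.g. `SYSERROR("failed to unshare mount namespace (lxc.start.unshare requires CAP_SYS_ADMIN)");`. When the following `mount()` fails the namespace has already been unshared and the function returns false without undoing it; a comment such as `/* already unshared; nothing to roll back, caller must not reuse this process */` would make the intended semantics explicit. do_lxcapi_start begins and ends outside the hunk.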
> -- 
> 2.1.4
> 
> 

