[lxc-devel] [ACK for the set] [PATCH v2 lxc 2/2] Added lxc.monitor.unshare

Serge Hallyn serge.hallyn at ubuntu.com
Mon Nov 30 16:41:48 UTC 2015 

Quoting Wolfgang Bumiller (w.bumiller at proxmox.com):
> If manual mounting with elevated permissions is required
> this can currently only be done in pre-start hooks or before
> starting LXC. In both cases the mounts would appear in the
> host's namespace.
> With this flag the namespace is unshared before the startup
> sequence, so that mounts performed in the pre-start hook
> don't show up on the host.
> 
> Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

Note we should probably point out in the manpage that this
will only work for containers started by root.  Can you send
a separate patch for that?

> ---
>  doc/lxc.container.conf.sgml.in | 12 ++++++++++++
>  src/lxc/conf.h                 |  3 +++
>  src/lxc/confile.c              | 15 +++++++++++++++
>  src/lxc/lxccontainer.c         | 12 ++++++++++++
>  4 files changed, 42 insertions(+)
> 
> diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
> index 90ffefa..3b6f698 100644
> --- a/doc/lxc.container.conf.sgml.in
> +++ b/doc/lxc.container.conf.sgml.in
> @@ -1661,6 +1661,18 @@ mknod errno 0
>          </varlistentry>
>          <varlistentry>
>            <term>
> +            <option>lxc.monitor.unshare</option>
> +          </term>
> +          <listitem>
> +            <para>
> +              If not zero the mount namespace will be unshared from the host
> +              before initializing the container (before running any pre-start
> +              hooks). Default is 0.
> +            </para>
> +          </listitem>
> +        </varlistentry>
> +        <varlistentry>
> +          <term>
>              <option>lxc.group</option>
>            </term>
>            <listitem>
> diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> index 1374d4a..b0274ec 100644
> --- a/src/lxc/conf.h
> +++ b/src/lxc/conf.h
> @@ -347,6 +347,9 @@ struct lxc_conf {
>  	struct lxc_list groups;
>  	int nbd_idx;
>  
> +	/* unshare the mount namespace in the monitor */
> +	int monitor_unshare;
> +
>  	/* set to true when rootfs has been setup */
>  	bool rootfs_setup;
>  
> diff --git a/src/lxc/confile.c b/src/lxc/confile.c
> index c2eaaa6..ce6786c 100644
> --- a/src/lxc/confile.c
> +++ b/src/lxc/confile.c
> @@ -103,6 +103,7 @@ static int config_haltsignal(const char *, const char *, struct lxc_conf *);
>  static int config_rebootsignal(const char *, const char *, struct lxc_conf *);
>  static int config_stopsignal(const char *, const char *, struct lxc_conf *);
>  static int config_start(const char *, const char *, struct lxc_conf *);
> +static int config_monitor(const char *, const char *, struct lxc_conf *);
>  static int config_group(const char *, const char *, struct lxc_conf *);
>  static int config_environment(const char *, const char *, struct lxc_conf *);
>  static int config_init_cmd(const char *, const char *, struct lxc_conf *);
> @@ -173,6 +174,7 @@ static struct lxc_config_t config[] = {
>  	{ "lxc.start.auto",           config_start                },
>  	{ "lxc.start.delay",          config_start                },
>  	{ "lxc.start.order",          config_start                },
> +	{ "lxc.monitor.unshare",      config_monitor              },
>  	{ "lxc.group",                config_group                },
>  	{ "lxc.environment",          config_environment          },
>  	{ "lxc.init_cmd",             config_init_cmd             },
> @@ -1141,6 +1143,17 @@ static int config_start(const char *key, const char *value,
>  	return -1;
>  }
>  
> +static int config_monitor(const char *key, const char *value,
> +			  struct lxc_conf *lxc_conf)
> +{
> +	if(strcmp(key, "lxc.monitor.unshare") == 0) {
> +		lxc_conf->monitor_unshare = atoi(value);
> +		return 0;
> +	}
> +	SYSERROR("Unknown key: %s", key);
> +	return -1;
> +}
> +
>  static int config_group(const char *key, const char *value,
>  		      struct lxc_conf *lxc_conf)
>  {
> @@ -2483,6 +2496,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv,
>  		return lxc_get_conf_int(c, retv, inlen, c->start_delay);
>  	else if (strcmp(key, "lxc.start.order") == 0)
>  		return lxc_get_conf_int(c, retv, inlen, c->start_order);
> +	else if (strcmp(key, "lxc.monitor.unshare") == 0)
> +		return lxc_get_conf_int(c, retv, inlen, c->monitor_unshare);
>  	else if (strcmp(key, "lxc.group") == 0)
>  		return lxc_get_item_groups(c, retv, inlen);
>  	else if (strcmp(key, "lxc.seccomp") == 0)
> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> index 69816da..2804841 100644
> --- a/src/lxc/lxccontainer.c
> +++ b/src/lxc/lxccontainer.c
> @@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
>  
>  	conf->reboot = 0;
>  
> +	/* Unshare the mount namespace if requested */
> +	if (conf->monitor_unshare) {
> +		if (unshare(CLONE_NEWNS)) {
> +			SYSERROR("failed to unshare mount namespace");
> +			return false;
> +		}
> +		if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) {
> +			SYSERROR("Failed to make / rslave at startup");
> +			return false;
> +		}
> +	}
> +
>  reboot:
>  	if (lxc_check_inherited(conf, daemonize, -1)) {
>  		ERROR("Inherited fds found");
> -- 
> 2.1.4
> 
> 
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel

More information about the lxc-devel mailing list