[lxc-devel] [lxc/master] confile: add lxc.namespace.share.[namespace], lxc.namespace.keep, lxc.namespace.clone

brauner on Github lxc-bot at linuxcontainers.org
Fri Feb 2 12:43:28 UTC 2018


A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180202/955db6b0/attachment.bin>
-------------- next part --------------
From 2fa229da2d29e581e5fcdd9bea7b6eda9420e4b0 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 2 Feb 2018 11:53:51 +0100
Subject: [PATCH 1/4] confile: lxc.namespace.* -> lxc.namespace.share.*

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 doc/lxc.container.conf.sgml.in | 14 +++++++-------
 src/lxc/conf.c                 |  2 +-
 src/lxc/conf.h                 |  4 +++-
 src/lxc/confile.c              | 32 ++++++++++++++++----------------
 src/lxc/start.c                | 20 ++++++++++----------
 src/lxc/tools/arguments.c      |  8 ++++----
 src/tests/share_ns.c           | 10 +++++-----
 7 files changed, 46 insertions(+), 44 deletions(-)

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 3ae4bfd18..77ecf014a 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1419,7 +1419,7 @@ dev/null proc/kcore none bind,relative 0 0
       <variablelist>
         <varlistentry>
           <term>
-            <option>lxc.namespace.[namespace identifier]</option>
+            <option>lxc.namespace.share.[namespace identifier]</option>
           </term>
           <listitem>
             <para>
@@ -1431,22 +1431,22 @@ dev/null proc/kcore none bind,relative 0 0
 
             <para>
             To inherit the namespace from another process set the
-            <option>lxc.namespace.[namespace identifier]</option> to the PID of
-            the process, e.g. <option>lxc.namespace.net=42</option>.
+            <option>lxc.namespace.share.[namespace identifier]</option> to the PID of
+            the process, e.g. <option>lxc.namespace.share.net=42</option>.
             </para>
 
             <para>
             To inherit the namespace from another container set the 
-            <option>lxc.namespace.[namespace identifier]</option> to the name of
-            the container, e.g. <option>lxc.namespace.pid=c3</option>.
+            <option>lxc.namespace.share.[namespace identifier]</option> to the name of
+            the container, e.g. <option>lxc.namespace.share.pid=c3</option>.
             </para>
 
             <para>
             To inherit the namespace from another container located in a
             different path than the standard liblxc path set the
-            <option>lxc.namespace.[namespace identifier]</option> to the full
+            <option>lxc.namespace.share.[namespace identifier]</option> to the full
             path to the container, e.g.
-            <option>lxc.namespace.user=/opt/c3</option>.
+            <option>lxc.namespace.share.user=/opt/c3</option>.
             </para>
 
             <para>
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index a080bbd7e..71751dee9 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2582,7 +2582,7 @@ struct lxc_conf *lxc_conf_init(void)
 	new->init_uid = 0;
 	new->init_gid = 0;
 	memset(&new->cgroup_meta, 0, sizeof(struct lxc_cgroup));
-	memset(&new->inherit_ns, 0, sizeof(char *) * LXC_NS_MAX);
+	memset(&new->ns_share, 0, sizeof(char *) * LXC_NS_MAX);
 
 	return new;
 }
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 1146a1d4f..3563553a9 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -398,7 +398,9 @@ struct lxc_conf {
 	 */
 	struct lxc_cgroup cgroup_meta;
 
-	char *inherit_ns[LXC_NS_MAX];
+	struct {
+		char *ns_share[LXC_NS_MAX];
+	};
 
 	/* init working directory */
 	char *init_cwd;
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 3deec58bf..83fdb8013 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -106,7 +106,7 @@ lxc_config_define(monitor);
 lxc_config_define(mount);
 lxc_config_define(mount_auto);
 lxc_config_define(mount_fstab);
-lxc_config_define(namespace);
+lxc_config_define(namespace_share);
 lxc_config_define(net);
 lxc_config_define(net_flags);
 lxc_config_define(net_hwaddr);
@@ -189,7 +189,7 @@ static struct lxc_config_t config[] = {
 	{ "lxc.mount.auto",                false,                  set_config_mount_auto,                  get_config_mount_auto,                  clr_config_mount_auto,                },
 	{ "lxc.mount.entry",               false,                  set_config_mount,                       get_config_mount,                       clr_config_mount,                     },
 	{ "lxc.mount.fstab",               false,                  set_config_mount_fstab,                 get_config_mount_fstab,                 clr_config_mount_fstab,               },
-	{ "lxc.namespace",                 false,                  set_config_namespace,                   get_config_namespace,                   clr_config_namespace,                 },
+	{ "lxc.namespace.share",           false,                  set_config_namespace_share,             get_config_namespace_share,             clr_config_namespace_share,           },
 
 	/* [START]: REMOVE IN LXC 3.0 */
 	{ "lxc.network.type",              true,                   set_config_network_legacy_type,         get_config_network_legacy_item,         clr_config_network_legacy_item,       },
@@ -2151,21 +2151,21 @@ static int set_config_uts_name(const char *key, const char *value,
 	return 0;
 }
 
-static int set_config_namespace(const char *key, const char *value,
-				struct lxc_conf *lxc_conf, void *data)
+static int set_config_namespace_share(const char *key, const char *value,
+				      struct lxc_conf *lxc_conf, void *data)
 {
 	int ns_idx;
 	const char *namespace;
 
 	if (lxc_config_value_empty(value))
-		return clr_config_namespace(key, lxc_conf, data);
+		return clr_config_namespace_share(key, lxc_conf, data);
 
-	namespace = key + sizeof("lxc.namespace.") - 1;
+	namespace = key + sizeof("lxc.namespace.share.") - 1;
 	ns_idx = lxc_namespace_2_ns_idx(namespace);
 	if (ns_idx < 0)
 		return ns_idx;
 
-	return set_config_string_item(&lxc_conf->inherit_ns[ns_idx], value);
+	return set_config_string_item(&lxc_conf->ns_share[ns_idx], value);
 }
 
 struct parse_line_conf {
@@ -3553,8 +3553,8 @@ static int get_config_noop(const char *key, char *retv, int inlen,
 	return 0;
 }
 
-static int get_config_namespace(const char *key, char *retv, int inlen,
-				struct lxc_conf *c, void *data)
+static int get_config_namespace_share(const char *key, char *retv, int inlen,
+				      struct lxc_conf *c, void *data)
 {
 	int len, ns_idx;
 	const char *namespace;
@@ -3565,12 +3565,12 @@ static int get_config_namespace(const char *key, char *retv, int inlen,
 	else
 		memset(retv, 0, inlen);
 
-	namespace = key + sizeof("lxc.namespace.") - 1;
+	namespace = key + sizeof("lxc.namespace.share.") - 1;
 	ns_idx = lxc_namespace_2_ns_idx(namespace);
 	if (ns_idx < 0)
 		return ns_idx;
 
-	strprint(retv, inlen, "%s", c->inherit_ns[ns_idx]);
+	strprint(retv, inlen, "%s", c->ns_share[ns_idx]);
 
 	return fulllen;
 }
@@ -3957,19 +3957,19 @@ static inline int clr_config_noop(const char *key, struct lxc_conf *c,
 	return 0;
 }
 
-static int clr_config_namespace(const char *key, struct lxc_conf *lxc_conf,
-				void *data)
+static int clr_config_namespace_share(const char *key,
+				      struct lxc_conf *lxc_conf, void *data)
 {
 	int ns_idx;
 	const char *namespace;
 
-	namespace = key + sizeof("lxc.namespace.") - 1;
+	namespace = key + sizeof("lxc.namespace.share.") - 1;
 	ns_idx = lxc_namespace_2_ns_idx(namespace);
 	if (ns_idx < 0)
 		return ns_idx;
 
-	free(lxc_conf->inherit_ns[ns_idx]);
-	lxc_conf->inherit_ns[ns_idx] = NULL;
+	free(lxc_conf->ns_share[ns_idx]);
+	lxc_conf->ns_share[ns_idx] = NULL;
 
 	return 0;
 }
diff --git a/src/lxc/start.c b/src/lxc/start.c
index d79fbe239..8238325a1 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1334,41 +1334,41 @@ int resolve_clone_flags(struct lxc_handler *handler)
 {
 	handler->clone_flags = CLONE_NEWNS;
 
-	if (!handler->conf->inherit_ns[LXC_NS_USER]) {
+	if (!handler->conf->ns_share[LXC_NS_USER]) {
 		if (!lxc_list_empty(&handler->conf->id_map))
 			handler->clone_flags |= CLONE_NEWUSER;
 	} else {
 		INFO("Inheriting user namespace");
 	}
 
-	if (!handler->conf->inherit_ns[LXC_NS_NET]) {
+	if (!handler->conf->ns_share[LXC_NS_NET]) {
 		if (!lxc_requests_empty_network(handler))
 			handler->clone_flags |= CLONE_NEWNET;
 	} else {
 		INFO("Inheriting net namespace");
 	}
 
-	if (!handler->conf->inherit_ns[LXC_NS_IPC])
+	if (!handler->conf->ns_share[LXC_NS_IPC])
 		handler->clone_flags |= CLONE_NEWIPC;
 	else
 		INFO("Inheriting ipc namespace");
 
-	if (!handler->conf->inherit_ns[LXC_NS_UTS])
+	if (!handler->conf->ns_share[LXC_NS_UTS])
 		handler->clone_flags |= CLONE_NEWUTS;
 	else
 		INFO("Inheriting uts namespace");
 
-	if (!handler->conf->inherit_ns[LXC_NS_PID])
+	if (!handler->conf->ns_share[LXC_NS_PID])
 		handler->clone_flags |= CLONE_NEWPID;
 	else
 		INFO("Inheriting pid namespace");
 
 	if (cgns_supported()) {
-		if (!handler->conf->inherit_ns[LXC_NS_CGROUP])
+		if (!handler->conf->ns_share[LXC_NS_CGROUP])
 			handler->clone_flags |= CLONE_NEWCGROUP;
 		else
 			INFO("Inheriting cgroup namespace");
-	} else if (handler->conf->inherit_ns[LXC_NS_CGROUP]) {
+	} else if (handler->conf->ns_share[LXC_NS_CGROUP]) {
 			return -EINVAL;
 	}
 
@@ -1434,10 +1434,10 @@ static int lxc_spawn(struct lxc_handler *handler)
 	wants_to_map_ids = !lxc_list_empty(id_map);
 
 	for (i = 0; i < LXC_NS_MAX; i++) {
-		if (!conf->inherit_ns[i])
+		if (!conf->ns_share[i])
 			continue;
 
-		handler->nsfd[i] = lxc_inherit_namespace(conf->inherit_ns[i], lxcpath, ns_info[i].proc_name);
+		handler->nsfd[i] = lxc_inherit_namespace(conf->ns_share[i], lxcpath, ns_info[i].proc_name);
 		if (handler->nsfd[i] < 0)
 			return -1;
 
@@ -1561,7 +1561,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 	 * again.
 	 */
 	if (wants_to_map_ids) {
-		if (!handler->conf->inherit_ns[LXC_NS_USER]) {
+		if (!handler->conf->ns_share[LXC_NS_USER]) {
 			ret = lxc_map_ids(id_map, handler->pid);
 			if (ret < 0) {
 				ERROR("Failed to set up id mapping.");
diff --git a/src/lxc/tools/arguments.c b/src/lxc/tools/arguments.c
index 30fb714fd..c0a642ffe 100644
--- a/src/lxc/tools/arguments.c
+++ b/src/lxc/tools/arguments.c
@@ -303,13 +303,13 @@ bool lxc_setup_shared_ns(struct lxc_arguments *args, struct lxc_container *c)
 			continue;
 
 		if (i == LXC_NS_NET)
-			key = "lxc.namespace.net";
+			key = "lxc.namespace.share.net";
 		else if (i == LXC_NS_IPC)
-			key = "lxc.namespace.ipc";
+			key = "lxc.namespace.share.ipc";
 		else if (i == LXC_NS_UTS)
-			key = "lxc.namespace.uts";
+			key = "lxc.namespace.share.uts";
 		else if (i == LXC_NS_PID)
-			key = "lxc.namespace.pid";
+			key = "lxc.namespace.share.pid";
 		else
 			continue;
 
diff --git a/src/tests/share_ns.c b/src/tests/share_ns.c
index 1b5a6b515..70a755946 100644
--- a/src/tests/share_ns.c
+++ b/src/tests/share_ns.c
@@ -80,14 +80,14 @@ void *ns_sharing_wrapper(void *data)
 	}
 
 	/* share ipc namespace by container name */
-	if (!c->set_config_item(c, "lxc.namespace.ipc", "owning-ns")) {
-		lxc_error("Failed to set \"lxc.namespace.ipc=owning-ns\" for container \"%s\"\n", name);
+	if (!c->set_config_item(c, "lxc.namespace.share.ipc", "owning-ns")) {
+		lxc_error("Failed to set \"lxc.namespace.share.ipc=owning-ns\" for container \"%s\"\n", name);
 		goto out;
 	}
 
 	/* clear all network configuration */
 	if (!c->set_config_item(c, "lxc.net", "")) {
-		lxc_error("Failed to set \"lxc.namespace.ipc=owning-ns\" for container \"%s\"\n", name);
+		lxc_error("Failed to set \"lxc.namespace.share.ipc=owning-ns\" for container \"%s\"\n", name);
 		goto out;
 	}
 
@@ -98,8 +98,8 @@ void *ns_sharing_wrapper(void *data)
 
 	sprintf(owning_ns_init_pid, "%d", args->init_pid);
 	/* share net namespace by pid */
-	if (!c->set_config_item(c, "lxc.namespace.net", owning_ns_init_pid)) {
-		lxc_error("Failed to set \"lxc.namespace.net=%s\" for container \"%s\"\n", owning_ns_init_pid, name);
+	if (!c->set_config_item(c, "lxc.namespace.share.net", owning_ns_init_pid)) {
+		lxc_error("Failed to set \"lxc.namespace.share.net=%s\" for container \"%s\"\n", owning_ns_init_pid, name);
 		goto out;
 	}
 

From e70e3b4db542038e7b347df8cb4d4c9f43b449b1 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 2 Feb 2018 12:38:14 +0100
Subject: [PATCH 2/4] confile: add lxc.namespace.clone

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/conf.h    |  1 +
 src/lxc/confile.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 3563553a9..dd62ada5a 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -399,6 +399,7 @@ struct lxc_conf {
 	struct lxc_cgroup cgroup_meta;
 
 	struct {
+		int ns_clone;
 		char *ns_share[LXC_NS_MAX];
 	};
 
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 83fdb8013..bfa53f401 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -106,6 +106,7 @@ lxc_config_define(monitor);
 lxc_config_define(mount);
 lxc_config_define(mount_auto);
 lxc_config_define(mount_fstab);
+lxc_config_define(namespace_clone);
 lxc_config_define(namespace_share);
 lxc_config_define(net);
 lxc_config_define(net_flags);
@@ -189,6 +190,7 @@ static struct lxc_config_t config[] = {
 	{ "lxc.mount.auto",                false,                  set_config_mount_auto,                  get_config_mount_auto,                  clr_config_mount_auto,                },
 	{ "lxc.mount.entry",               false,                  set_config_mount,                       get_config_mount,                       clr_config_mount,                     },
 	{ "lxc.mount.fstab",               false,                  set_config_mount_fstab,                 get_config_mount_fstab,                 clr_config_mount_fstab,               },
+	{ "lxc.namespace.clone",           false,                  set_config_namespace_clone,             get_config_namespace_clone,             clr_config_namespace_clone,           },
 	{ "lxc.namespace.share",           false,                  set_config_namespace_share,             get_config_namespace_share,             clr_config_namespace_share,           },
 
 	/* [START]: REMOVE IN LXC 3.0 */
@@ -2151,6 +2153,36 @@ static int set_config_uts_name(const char *key, const char *value,
 	return 0;
 }
 
+static int set_config_namespace_clone(const char *key, const char *value,
+				      struct lxc_conf *lxc_conf, void *data)
+{
+	char *ns, *nsptr, *token;
+	int cloneflag = 0;
+	char *saveptr = NULL;
+
+	if (lxc_config_value_empty(value))
+		return clr_config_namespace_clone(key, lxc_conf, data);
+
+	ns = strdup(value);
+	if (!ns)
+		return -1;
+	nsptr = ns;
+
+	for (; (token = strtok_r(nsptr, " \t", &saveptr)); nsptr = NULL) {
+		token += lxc_char_left_gc(token, strlen(token));
+		token[lxc_char_right_gc(token, strlen(token))] = '\0';
+		cloneflag = lxc_namespace_2_cloneflag(token);
+		if (cloneflag < 0) {
+			free(ns);
+			return -EINVAL;
+		}
+		lxc_conf->ns_clone |= cloneflag;
+	}
+	free(ns);
+
+	return 0;
+}
+
 static int set_config_namespace_share(const char *key, const char *value,
 				      struct lxc_conf *lxc_conf, void *data)
 {
@@ -3553,6 +3585,25 @@ static int get_config_noop(const char *key, char *retv, int inlen,
 	return 0;
 }
 
+static int get_config_namespace_clone(const char *key, char *retv, int inlen,
+				      struct lxc_conf *c, void *data)
+{
+	int i, len;
+	int fulllen = 0;
+
+	if (!retv)
+		inlen = 0;
+	else
+		memset(retv, 0, inlen);
+
+	for (i = 0; i < LXC_NS_MAX; i++) {
+		if (c->ns_clone & ns_info[i].clone_flag)
+			strprint(retv, inlen, "%s\n", ns_info[i].proc_name);
+	}
+
+	return fulllen;
+}
+
 static int get_config_namespace_share(const char *key, char *retv, int inlen,
 				      struct lxc_conf *c, void *data)
 {
@@ -3957,6 +4008,13 @@ static inline int clr_config_noop(const char *key, struct lxc_conf *c,
 	return 0;
 }
 
+static int clr_config_namespace_clone(const char *key,
+				      struct lxc_conf *lxc_conf, void *data)
+{
+	lxc_conf->ns_clone = 0;
+	return 0;
+}
+
 static int clr_config_namespace_share(const char *key,
 				      struct lxc_conf *lxc_conf, void *data)
 {

From 07dded7426862a5603d62bb7ea9ffd735279240a Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 2 Feb 2018 12:40:55 +0100
Subject: [PATCH 3/4] confile: add lxc.namespace.keep

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/conf.h    |  1 +
 src/lxc/confile.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index dd62ada5a..701dc6979 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -400,6 +400,7 @@ struct lxc_conf {
 
 	struct {
 		int ns_clone;
+		int ns_keep;
 		char *ns_share[LXC_NS_MAX];
 	};
 
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index bfa53f401..f1b9ae54f 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -107,6 +107,7 @@ lxc_config_define(mount);
 lxc_config_define(mount_auto);
 lxc_config_define(mount_fstab);
 lxc_config_define(namespace_clone);
+lxc_config_define(namespace_keep);
 lxc_config_define(namespace_share);
 lxc_config_define(net);
 lxc_config_define(net_flags);
@@ -191,6 +192,7 @@ static struct lxc_config_t config[] = {
 	{ "lxc.mount.entry",               false,                  set_config_mount,                       get_config_mount,                       clr_config_mount,                     },
 	{ "lxc.mount.fstab",               false,                  set_config_mount_fstab,                 get_config_mount_fstab,                 clr_config_mount_fstab,               },
 	{ "lxc.namespace.clone",           false,                  set_config_namespace_clone,             get_config_namespace_clone,             clr_config_namespace_clone,           },
+	{ "lxc.namespace.keep",            false,                  set_config_namespace_keep,              get_config_namespace_keep,              clr_config_namespace_keep,            },
 	{ "lxc.namespace.share",           false,                  set_config_namespace_share,             get_config_namespace_share,             clr_config_namespace_share,           },
 
 	/* [START]: REMOVE IN LXC 3.0 */
@@ -2183,6 +2185,36 @@ static int set_config_namespace_clone(const char *key, const char *value,
 	return 0;
 }
 
+static int set_config_namespace_keep(const char *key, const char *value,
+				     struct lxc_conf *lxc_conf, void *data)
+{
+	char *ns, *nsptr, *token;
+	int cloneflag = 0;
+	char *saveptr = NULL;
+
+	if (lxc_config_value_empty(value))
+		return clr_config_namespace_keep(key, lxc_conf, data);
+
+	ns = strdup(value);
+	if (!ns)
+		return -1;
+	nsptr = ns;
+
+	for (; (token = strtok_r(nsptr, " \t", &saveptr)); nsptr = NULL) {
+		token += lxc_char_left_gc(token, strlen(token));
+		token[lxc_char_right_gc(token, strlen(token))] = '\0';
+		cloneflag = lxc_namespace_2_cloneflag(token);
+		if (cloneflag < 0) {
+			free(ns);
+			return -EINVAL;
+		}
+		lxc_conf->ns_keep |= cloneflag;
+	}
+	free(ns);
+
+	return 0;
+}
+
 static int set_config_namespace_share(const char *key, const char *value,
 				      struct lxc_conf *lxc_conf, void *data)
 {
@@ -3604,6 +3636,25 @@ static int get_config_namespace_clone(const char *key, char *retv, int inlen,
 	return fulllen;
 }
 
+static int get_config_namespace_keep(const char *key, char *retv, int inlen,
+				     struct lxc_conf *c, void *data)
+{
+	int i, len;
+	int fulllen = 0;
+
+	if (!retv)
+		inlen = 0;
+	else
+		memset(retv, 0, inlen);
+
+	for (i = 0; i < LXC_NS_MAX; i++) {
+		if (c->ns_keep & ns_info[i].clone_flag)
+			strprint(retv, inlen, "%s\n", ns_info[i].proc_name);
+	}
+
+	return fulllen;
+}
+
 static int get_config_namespace_share(const char *key, char *retv, int inlen,
 				      struct lxc_conf *c, void *data)
 {
@@ -4015,6 +4066,13 @@ static int clr_config_namespace_clone(const char *key,
 	return 0;
 }
 
+static int clr_config_namespace_keep(const char *key, struct lxc_conf *lxc_conf,
+				     void *data)
+{
+	lxc_conf->ns_keep = 0;
+	return 0;
+}
+
 static int clr_config_namespace_share(const char *key,
 				      struct lxc_conf *lxc_conf, void *data)
 {

From 567538120382cc5bd48182beb3837a9c935e8674 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 2 Feb 2018 13:29:06 +0100
Subject: [PATCH 4/4] start: resolve clone flags

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/start.c | 55 +++++++++++++++++++++++--------------------------------
 1 file changed, 23 insertions(+), 32 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 8238325a1..638653265 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1332,44 +1332,35 @@ static int lxc_recv_ttys_from_child(struct lxc_handler *handler)
 
 int resolve_clone_flags(struct lxc_handler *handler)
 {
-	handler->clone_flags = CLONE_NEWNS;
+	int i;
+	struct lxc_conf *conf = handler->conf;
 
-	if (!handler->conf->ns_share[LXC_NS_USER]) {
-		if (!lxc_list_empty(&handler->conf->id_map))
-			handler->clone_flags |= CLONE_NEWUSER;
-	} else {
-		INFO("Inheriting user namespace");
-	}
+	for (i = 0; i < LXC_NS_MAX; i++) {
+		if ((conf->ns_clone & ns_info[i].clone_flag) &&
+		    ((conf->ns_keep & ns_info[i].clone_flag) || conf->ns_share[i]))
+			return -EINVAL;
 
-	if (!handler->conf->ns_share[LXC_NS_NET]) {
-		if (!lxc_requests_empty_network(handler))
-			handler->clone_flags |= CLONE_NEWNET;
-	} else {
-		INFO("Inheriting net namespace");
-	}
+		if ((conf->ns_keep & ns_info[i].clone_flag) && conf->ns_share[i])
+			return -EINVAL;
 
-	if (!handler->conf->ns_share[LXC_NS_IPC])
-		handler->clone_flags |= CLONE_NEWIPC;
-	else
-		INFO("Inheriting ipc namespace");
+		if ((conf->ns_clone & ns_info[i].clone_flag) == 0) {
+			if ((conf->ns_keep & ns_info[i].clone_flag) > 0) {
+				INFO("Container will inherit %s namespace", ns_info[i].proc_name);
+				continue;
+			}
 
-	if (!handler->conf->ns_share[LXC_NS_UTS])
-		handler->clone_flags |= CLONE_NEWUTS;
-	else
-		INFO("Inheriting uts namespace");
+			if (conf->ns_share[i]) {
+				INFO("Container will share %s namespace", ns_info[i].proc_name);
+				continue;
+			}
 
-	if (!handler->conf->ns_share[LXC_NS_PID])
-		handler->clone_flags |= CLONE_NEWPID;
-	else
-		INFO("Inheriting pid namespace");
+			handler->clone_flags |= ns_info[i].clone_flag;
+			INFO("Container will create new %s namespace", ns_info[i].proc_name);
+			continue;
+		}
 
-	if (cgns_supported()) {
-		if (!handler->conf->ns_share[LXC_NS_CGROUP])
-			handler->clone_flags |= CLONE_NEWCGROUP;
-		else
-			INFO("Inheriting cgroup namespace");
-	} else if (handler->conf->ns_share[LXC_NS_CGROUP]) {
-			return -EINVAL;
+		handler->clone_flags |= ns_info[i].clone_flag;
+		INFO("Cloning %s namespace", ns_info[i].proc_name);
 	}
 
 	return 0;


More information about the lxc-devel mailing list