Quoting Wolfgang Bumiller (w.bumil...@proxmox.com): > If manual mounting with elevated permissions is required > this can currently only be done in pre-start hooks or before > starting LXC. In both cases the mounts would appear in the > host's namespace. > With this flag the namespace is unshared before the startup > sequence, so that mounts performed in the pre-start hook > don't show up on the host. > > Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.com> Note we should probably point out in the manpage that this will only work for containers started by root. Can you send a separate patch for that? > --- > doc/lxc.container.conf.sgml.in | 12 ++++++++++++ > src/lxc/conf.h | 3 +++ > src/lxc/confile.c | 15 +++++++++++++++ > src/lxc/lxccontainer.c | 12 ++++++++++++ > 4 files changed, 42 insertions(+) > > diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in > index 90ffefa..3b6f698 100644 > --- a/doc/lxc.container.conf.sgml.in > +++ b/doc/lxc.container.conf.sgml.in > @@ -1661,6 +1661,18 @@ mknod errno 0 > </varlistentry> > <varlistentry> > <term> > + <option>lxc.monitor.unshare</option> > + </term> > + <listitem> > + <para> > + If not zero the mount namespace will be unshared from the host > + before initializing the container (before running any pre-start > + hooks). Default is 0. > + </para> > + </listitem> > + </varlistentry> > + <varlistentry> > + <term> > <option>lxc.group</option> > </term> > <listitem> > diff --git a/src/lxc/conf.h b/src/lxc/conf.h > index 1374d4a..b0274ec 100644 > --- a/src/lxc/conf.h > +++ b/src/lxc/conf.h > @@ -347,6 +347,9 @@ struct lxc_conf { > struct lxc_list groups; > int nbd_idx; > > + /* unshare the mount namespace in the monitor */ > + int monitor_unshare; > + > /* set to true when rootfs has been setup */ > bool rootfs_setup; > > diff --git a/src/lxc/confile.c b/src/lxc/confile.c > index c2eaaa6..ce6786c 100644 > --- a/src/lxc/confile.c > +++ b/src/lxc/confile.c 
> @@ -103,6 +103,7 @@ static int config_haltsignal(const char *, const char *, > struct lxc_conf *); > static int config_rebootsignal(const char *, const char *, struct lxc_conf > *); > static int config_stopsignal(const char *, const char *, struct lxc_conf *); > static int config_start(const char *, const char *, struct lxc_conf *); > +static int config_monitor(const char *, const char *, struct lxc_conf *); > static int config_group(const char *, const char *, struct lxc_conf *); > static int config_environment(const char *, const char *, struct lxc_conf *); > static int config_init_cmd(const char *, const char *, struct lxc_conf *); > @@ -173,6 +174,7 @@ static struct lxc_config_t config[] = { > { "lxc.start.auto", config_start }, > { "lxc.start.delay", config_start }, > { "lxc.start.order", config_start }, > + { "lxc.monitor.unshare", config_monitor }, > { "lxc.group", config_group }, > { "lxc.environment", config_environment }, > { "lxc.init_cmd", config_init_cmd }, > @@ -1141,6 +1143,17 @@ static int config_start(const char *key, const char > *value, > return -1; > } > > +static int config_monitor(const char *key, const char *value, > + struct lxc_conf *lxc_conf) > +{ > + if(strcmp(key, "lxc.monitor.unshare") == 0) { > + lxc_conf->monitor_unshare = atoi(value); > + return 0; > + } > + SYSERROR("Unknown key: %s", key); > + return -1; > +} > + > static int config_group(const char *key, const char *value, > struct lxc_conf *lxc_conf) > { > @@ -2483,6 +2496,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char > *key, char *retv, > return lxc_get_conf_int(c, retv, inlen, c->start_delay); > else if (strcmp(key, "lxc.start.order") == 0) > return lxc_get_conf_int(c, retv, inlen, c->start_order); > + else if (strcmp(key, "lxc.monitor.unshare") == 0) > + return lxc_get_conf_int(c, retv, inlen, c->monitor_unshare); > else if (strcmp(key, "lxc.group") == 0) > return lxc_get_item_groups(c, retv, inlen); > else if (strcmp(key, "lxc.seccomp") == 0) 
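Review bot: In the config_monitor hunk the value is parsed with `atoi(value)`, so a non-numeric setting such as `lxc.monitor.unshare = yes` silently becomes 0 and the option is dropped without any diagnostic, even though the documented contract is "if not zero". Parsing with strtol and an end-pointer check lets a malformed value be rejected with an error and a non-zero return, consistent with the unknown-key path directly below it; the same atoi pattern is presumably used by the neighbouring config_start, but that is outside the hunk. While touching the line, `if(strcmp(` should get the space the rest of the file uses (`if (strcmp(`). The whole function is inside the hunk, so the rewrite below is complete apart from the unchanged unknown-key branch.
```c
static int config_monitor(const char *key, const char *value,
			  struct lxc_conf *lxc_conf)
{
	if (strcmp(key, "lxc.monitor.unshare") == 0) {
		char *end;
		errno = 0;
		long v = strtol(value, &end, 10);
		if (end == value || *end != '\0' || errno == ERANGE) {
			ERROR("Invalid value for %s: %s", key, value);
			return -1;
		}
		lxc_conf->monitor_unshare = (int)v;
		return 0;
	}
	// … unchanged: SYSERROR("Unknown key") / return -1 …
}
```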
> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c > index 69816da..2804841 100644 > --- a/src/lxc/lxccontainer.c > +++ b/src/lxc/lxccontainer.c > @@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int > useinit, char * const a > > conf->reboot = 0; > > + /* Unshare the mount namespace if requested */ > + if (conf->monitor_unshare) { > + if (unshare(CLONE_NEWNS)) { > + SYSERROR("failed to unshare mount namespace"); > + return false; > + } > + if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) { > + SYSERROR("Failed to make / rslave at startup"); > + return false; > + } > + } > + > reboot: > if (lxc_check_inherited(conf, daemonize, -1)) { > ERROR("Inherited fds found"); > -- > 2.1.4 > > > _______________________________________________ > lxc-devel mailing list > lxc-devel@lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel _______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
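Review bot: The two new error paths in the do_lxcapi_start hunk use a bare `return false;`, whereas the existing failure right after `reboot:` (lxc_check_inherited) appears to go through the function's common exit handling, which is outside the hunk; if the daemonize fork has already happened earlier in this function (it starts before the hunk, so this is inferred), a plain return in the forked child would hand control back into the library caller's code instead of exiting the child, so the new checks should use the same exit path as the `Inherited fds found` branch. Separately, in a non-daemonized start the unshare(CLONE_NEWNS) moves the calling process itself into the new mount namespace, and there is no step that puts it back afterwards, so a library user that starts a container in the foreground keeps running in a private, rslave mount namespace for the rest of its lifetime; that consequence belongs in the comment, e.g. `/* Unshare the mount namespace if requested. For a non-daemonized start this leaves the caller itself in the new (rslave) namespace for good. */`. The rslave remount on "/" is the right complement to the unshare, since it keeps host mounts visible here while stopping propagation back to the host.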