Add the LXC_COMMAND_CLONE_FLAGS command, which retrieves the flags passed to clone(2)
when the container was started. This allows external programs to determine
which namespaces the container was unshared from.

Signed-off-by: Christian Seiler <christ...@iwakd.de>
Cc: Daniel Lezcano <daniel.lezc...@free.fr>
Cc: Serge Hallyn <serge.hal...@canonical.com>
---
 src/lxc/commands.c |   30 ++++++++++++++++++++++++++----
 src/lxc/commands.h |    2 ++
 src/lxc/start.c    |   34 ++++++++++++++++++++++++++++------
 src/lxc/start.h    |    1 +
 4 files changed, 57 insertions(+), 10 deletions(-)

diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index cce24db..dc93815 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -154,11 +154,32 @@ pid_t get_init_pid(const char *name)
        return command.answer.pid;
 }
 
+int lxc_get_clone_flags(const char *name)
+{
+       struct lxc_command command = {
+               .request = { .type = LXC_COMMAND_CLONE_FLAGS },
+       };
+
+       int ret, stopped = 0;
+
+       ret = lxc_command(name, &command, &stopped);
+       if (ret < 0 && stopped)
+               return -1;
+
+       if (ret < 0) {
+               ERROR("failed to send command");
+               return -1;
+       }
+
+       return command.answer.ret;
+}
+
 extern void lxc_console_remove_fd(int, struct lxc_tty_info *);
 extern int  lxc_console_callback(int, struct lxc_request *, struct lxc_handler 
*);
 extern int  lxc_stop_callback(int, struct lxc_request *, struct lxc_handler *);
 extern int  lxc_state_callback(int, struct lxc_request *, struct lxc_handler 
*);
 extern int  lxc_pid_callback(int, struct lxc_request *, struct lxc_handler *);
+extern int  lxc_clone_flags_callback(int, struct lxc_request *, struct 
lxc_handler *);
 
 static int trigger_command(int fd, struct lxc_request *request,
                           struct lxc_handler *handler)
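Review bot: lxc_get_clone_flags has no comment stating its return contract, so a caller cannot tell from the prototype that -1 covers both "container is stopped" (the silent return after the stopped check) and "command could not be sent" (the ERROR path), while any other value is the raw answer.ret received from the container's handler. Suggest a header comment above the definition: `/* Returns the clone(2) flags the container's init was started with, or -1 if the container is stopped or the command could not be sent. */`. Since the result is whatever arrived in command.answer.ret, a comment should also say that no validation of the returned mask is done here; lxc_command's own checks are outside this hunk.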
@@ -166,10 +187,11 @@ static int trigger_command(int fd, struct lxc_request 
*request,
        typedef int (*callback)(int, struct lxc_request *, struct lxc_handler 
*);
 
        callback cb[LXC_COMMAND_MAX] = {
-               [LXC_COMMAND_TTY]   = lxc_console_callback,
-               [LXC_COMMAND_STOP]  = lxc_stop_callback,
-               [LXC_COMMAND_STATE] = lxc_state_callback,
-               [LXC_COMMAND_PID]   = lxc_pid_callback,
+               [LXC_COMMAND_TTY]         = lxc_console_callback,
+               [LXC_COMMAND_STOP]        = lxc_stop_callback,
+               [LXC_COMMAND_STATE]       = lxc_state_callback,
+               [LXC_COMMAND_PID]         = lxc_pid_callback,
+               [LXC_COMMAND_CLONE_FLAGS] = lxc_clone_flags_callback,
        };
 
        if (request->type < 0 || request->type >= LXC_COMMAND_MAX)
diff --git a/src/lxc/commands.h b/src/lxc/commands.h
index d5c013f..3b0ac9a 100644
--- a/src/lxc/commands.h
+++ b/src/lxc/commands.h
@@ -28,6 +28,7 @@ enum {
        LXC_COMMAND_STOP,
        LXC_COMMAND_STATE,
        LXC_COMMAND_PID,
+       LXC_COMMAND_CLONE_FLAGS,
        LXC_COMMAND_MAX,
 };
 
@@ -48,6 +49,7 @@ struct lxc_command {
 };
 
 extern pid_t get_init_pid(const char *name);
+extern int lxc_get_clone_flags(const char *name);
 
 extern int lxc_command(const char *name, struct lxc_command *command,
                        int *stopped);
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 48e9962..7dfe1ba 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -278,6 +278,29 @@ int lxc_pid_callback(int fd, struct lxc_request *request,
        return 0;
 }
 
+int lxc_clone_flags_callback(int fd, struct lxc_request *request,
+                            struct lxc_handler *handler)
+{
+       struct lxc_answer answer;
+       int ret;
+
+       answer.pid = 0;
+       answer.ret = handler->clone_flags;
+
+       ret = send(fd, &answer, sizeof(answer), 0);
+       if (ret < 0) {
+               WARN("failed to send answer to the peer");
+               return -1;
+       }
+
+       if (ret != sizeof(answer)) {
+               ERROR("partial answer sent");
+               return -1;
+       }
+
+       return 0;
+}
+
 int lxc_set_state(const char *name, struct lxc_handler *handler, lxc_state_t 
state)
 {
        handler->state = state;
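Review bot: `struct lxc_answer answer;` is declared uninitialized and only .pid and .ret are assigned before the whole object is sent with `send(fd, &answer, sizeof(answer), 0)`; any padding or further members of struct lxc_answer (its layout is not in this diff) would go to the peer as leftover stack bytes. Clearing the object first, `memset(&answer, 0, sizeof(answer));` before the two assignments, removes that dependence on the struct layout. A one-line comment on the function would also help: `/* Answer LXC_COMMAND_CLONE_FLAGS with the flags lxc_spawn passed to clone(2); request is unused. */`. lxc_set_state at the end of the hunk continues outside it.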
@@ -542,7 +565,6 @@ out_warn_father:
 
 int lxc_spawn(struct lxc_handler *handler)
 {
-       int clone_flags;
        int failed_before_rename = 0;
        const char *name = handler->name;
        int pinfd;
@@ -550,10 +572,10 @@ int lxc_spawn(struct lxc_handler *handler)
        if (lxc_sync_init(handler))
                return -1;
 
-       clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
+       handler->clone_flags = 
CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
        if (!lxc_list_empty(&handler->conf->network)) {
 
-               clone_flags |= CLONE_NEWNET;
+               handler->clone_flags |= CLONE_NEWNET;
 
                /* Find gateway addresses from the link device, which is
                 * no longer accessible inside the container. Do this
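Review bot: handler->clone_flags is first written here, inside lxc_spawn, yet it is now readable through the command socket by lxc_clone_flags_callback; whether struct lxc_handler is zero-allocated before lxc_spawn runs is not visible in this diff, so a query serviced earlier would presumably return whatever the field held — worth confirming at the allocation site, or initializing the field explicitly where the handler is created. lxc_spawn starts and ends outside this hunk.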
@@ -587,7 +609,7 @@ int lxc_spawn(struct lxc_handler *handler)
        }
 
        /* Create a process in a new set of namespaces */
-       handler->pid = lxc_clone(do_start, handler, clone_flags);
+       handler->pid = lxc_clone(do_start, handler, handler->clone_flags);
        if (handler->pid < 0) {
                SYSERROR("failed to fork into a new namespace");
                goto out_delete_net;
@@ -605,7 +627,7 @@ int lxc_spawn(struct lxc_handler *handler)
                goto out_delete_net;
 
        /* Create the network configuration */
-       if (clone_flags & CLONE_NEWNET) {
+       if (handler->clone_flags & CLONE_NEWNET) {
                if (lxc_assign_network(&handler->conf->network, handler->pid)) {
                        ERROR("failed to create the configured network");
                        goto out_delete_net;
@@ -635,7 +657,7 @@ int lxc_spawn(struct lxc_handler *handler)
        return 0;
 
 out_delete_net:
-       if (clone_flags & CLONE_NEWNET)
+       if (handler->clone_flags & CLONE_NEWNET)
                lxc_delete_network(&handler->conf->network);
 out_abort:
        lxc_abort(name, handler);
diff --git a/src/lxc/start.h b/src/lxc/start.h
index 0e12aba..4b2e2b5 100644
--- a/src/lxc/start.h
+++ b/src/lxc/start.h
@@ -39,6 +39,7 @@ struct lxc_handler {
        pid_t pid;
        char *name;
        lxc_state_t state;
+       int clone_flags;
        int sigfd;
        sigset_t oldmask;
        struct lxc_conf *conf;
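Review bot: the new `int clone_flags;` member carries no comment, and nothing in the struct tells a reader who sets it or that it is exposed outside the process. Suggest `int clone_flags; /* flags passed to clone(2) by lxc_spawn; reported via LXC_COMMAND_CLONE_FLAGS */`, which matches the writes in start.c and the read in lxc_clone_flags_callback.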
-- 
1.7.8.6

