Re: [libvirt] [PATCH] lxc / docker containers gives option to inherit the namespaces. Example lxc-start has option [ --share-[net|ipc|uts] name|pid ] where --share-net name|pid means Inherit a network

[Michal Privoznik]

On 03.08.2015 11:25, Daniel P. Berrange wrote:
 On Mon, Aug 03, 2015 at 11:18:51AM +0200, Michal Privoznik wrote:
 On 21.07.2015 17:06, Imran Khan wrote:
 Gentle reminder.  Humble request for another round of review.

 thanks
 imran

 I'm sorry it took so long but I was on a vacation. I'd like to review,
 but the patch is mangled. Can you resend with git send-email?
 
 Look at subject line from the same date:
 
  [libvirt] [PATCH] Inherit namespace feature
 
 I believe that is a clean posting that can be applied

Ah, right. And that one you've reviewed yesterday. I still haven't fully
caught up with the list. Sorry for the noise then.

Michal

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] lxc / docker containers gives option to inherit the namespaces. Example lxc-start has option [ --share-[net|ipc|uts] name|pid ] where --share-net name|pid means Inherit a network

[Michal Privoznik]

On 21.07.2015 17:06, Imran Khan wrote:
 Gentle reminder.  Humble request for another round of review.
 
 thanks
 imran

I'm sorry it took so long but I was on a vacation. I'd like to review,
but the patch is mangled. Can you resend with git send-email?

Michal

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] lxc / docker containers gives option to inherit the namespaces. Example lxc-start has option [ --share-[net|ipc|uts] name|pid ] where --share-net name|pid means Inherit a network

[Daniel P. Berrange]

On Mon, Aug 03, 2015 at 11:18:51AM +0200, Michal Privoznik wrote:
 On 21.07.2015 17:06, Imran Khan wrote:
  Gentle reminder.  Humble request for another round of review.
  
  thanks
  imran
 
 I'm sorry it took so long but I was on a vacation. I'd like to review,
 but the patch is mangled. Can you resend with git send-email?

Look at subject line from the same date:

 [libvirt] [PATCH] Inherit namespace feature

I believe that is a clean posting that can be applied

Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] lxc / docker containers gives option to inherit the namespaces. Example lxc-start has option [ --share-[net|ipc|uts] name|pid ] where --share-net name|pid means Inherit a network

[Imran Khan]

Dear Michal,

Thanks a lot for reviewing the changes.  I really appreciate your ability
to spot very minute errors which have not been spotted by me or my local
reviews.

I have reworked almost all of the review comments you made. and Have sent a
separate email with subject Inherit namespace feature.  But for
convenience i would like to paste the changes here too. Please forgive for
big mail.   To answer some of your questions below:
   1.  Why this feature :
 (imran):  As the latest container technology (lxc-tools  and
docker) already provides sharing of network namespace. We think that this
feature is important to be added in libvirt lxc too.
  please check this link for lxc-start option :[ *--share-[net|ipc|uts]
**name|pid* ]
   http://man7.org/linux/man-pages/man1/lxc-start.1.html
  please check this link for docker --net option :
  https://docs.docker.com/articles/networking/:
--net=container:NAME_or_ID
   2.  Moving open namespace in driver.
 (imran) I have moved the code to driver now.  But regarding the
function i used the readymade functions instead of using internal data
structure because i would end up writing almost same functions again which
i felt was redundant.
   3. Regarding the security:
 (imran) This can always be taken care by adding checks in
pre-install or post-install scripts for libvirt lxc:
  https://libvirt.org/drvlxc.html#security


code snippet


---
 docs/drvlxc.html.in   |  18 +++
 docs/schemas/domaincommon.rng |  42 ++
 src/Makefile.am   |   4 +-
 src/lxc/lxc_conf.c|   2 +-
 src/lxc/lxc_conf.h|  15 +++
 src/lxc/lxc_container.c   | 236
+-
 src/lxc/lxc_domain.c  | 164 ++-
 src/lxc/lxc_domain.h  |   1 +
 tests/lxcxml2xmldata/lxc-sharenet.xml |  33 +
 tests/lxcxml2xmltest.c|   1 +
 10 files changed, 507 insertions(+), 9 deletions(-)
 create mode 100644 tests/lxcxml2xmldata/lxc-sharenet.xml

diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in
index a094bd9..d14d4c7 100644
--- a/docs/drvlxc.html.in
+++ b/docs/drvlxc.html.in
@@ -590,6 +590,24 @@ Note that allowing capabilities that are normally
dropped by default can serious
 affect the security of the container and the host.
 /p

+h2a name=shareInherit namespaces/a/h2
+
+p
+Libvirt allows you to inherit the namespace from container/process just
like lxc tools
+or docker provides to share the network namespace. The following can be
used to share
+required namespaces. If we want to share only one then the other
namespaces can be ignored.
+/p
+pre
+lt;domain type='lxc' xmlns:lxc='
http://libvirt.org/schemas/domain/lxc/1.0'gt;
+...
+lt;lxc:namespacegt;
+  lt;lxc:sharenet type='netns' value='red'/gt;
+  lt;lxc:shareuts type='name' value='container1'/gt;
+  lt;lxc:shareipc type='pid' value='12345'/gt;
+lt;/lxc:namespacegt;
+lt;/domaingt;
+/pre
+
 h2a name=usageContainer usage / management/a/h2

 p
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 1120003..803b327 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -68,6 +68,9 @@
   ref name='qemucmdline'/
 /optional
 optional
+  ref name='lxcsharens'/
+/optional
+optional
   ref name='keywrap'/
 /optional
   /interleave
@@ -5012,6 +5015,45 @@
 /element
   /define

+  !--
+   Optional hypervisor extensions in their own namespace:
+   LXC
+--
+  define name=lxcsharens
+element name=namespace ns=http://libvirt.org/schemas/domain/lxc/1.0

+  zeroOrMore
+element name=sharenet
+  attribute name=type
+choice
+  valuenetns/value
+  valuename/value
+  valuepid/value
+/choice
+  /attribute
+  attribute name='value'/
+/element
+element name=shareipc
+  attribute name=type
+choice
+  valuename/value
+  valuepid/value
+/choice
+  /attribute
+  attribute name='value'/
+/element
+element name=shareuts
+  attribute name=type
+choice
+  valuename/value
+  valuepid/value
+/choice
+  /attribute
+  attribute name='value'/
+/element
+  /zeroOrMore
+/element
+  /define
+
   define name=metadata
 element name=metadata
   zeroOrMore
diff --git a/src/Makefile.am b/src/Makefile.am
index be63e26..ef96a5a 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1319,7 +1319,7 @@ libvirt_driver_lxc_impl_la_CFLAGS = \
-I$(srcdir)/access \
-I$(srcdir)/conf \
$(AM_CFLAGS)
-libvirt_driver_lxc_impl_la_LIBADD = $(CAPNG_LIBS) $(LIBNL_LIBS)
$(FUSE_LIBS)

Re: [libvirt] [PATCH] lxc / docker containers gives option to inherit the namespaces. Example lxc-start has option [ --share-[net|ipc|uts] name|pid ] where --share-net name|pid means Inherit a network

[Michal Privoznik]

On 21.05.2015 19:43, ik.nitk wrote:
  This patch tries to add the similar option to libvirt lxc. So to inherit 
 namespace from name
  container c2.
  add this into xml.
  lxc:namespace
  sharenet type='name' value='c2'/
  /lxc:namespace
 
  And to inherit namespace from a pid.
  add this into xml.
  lxc:namespace
  sharenet type='pid' value='10245'/
  /lxc:namespace
 
  And to inherit namespace from a netns.
  add this into xml.
  lxc:namespace
  sharenet type='netns' value='red'/
  /lxc:namespace
 
  Similar options for ipc/uts.
  shareipc/ , shareuts /
 
  The reasong lxc xml namespace is added because this feature is very specific 
 to lxc. Therfore wanted to
  keep it seperated from actual libvirt xml domain.
 
  -imran
 ---

The subject line is just too long. Look at git log to see the style we
use to write commit messages.

  src/Makefile.am |   5 +-
  src/lxc/lxc_conf.c  |   2 +-
  src/lxc/lxc_conf.h  |  23 +
  src/lxc/lxc_container.c | 191 ++--
  src/lxc/lxc_domain.c| 254 
 +++-
  src/lxc/lxc_domain.h|   1 +
  6 files changed, 463 insertions(+), 13 deletions(-)


You are introducing new elements and namespace to the XML. This must
always go hand in hand with RNG schema adjustment and a test case or two
under tests/. I NACK every patch that does not comply with this rule.
But let me review the rest.

 
 diff --git a/src/Makefile.am b/src/Makefile.am
 index 579421d..1a78fde 100644
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
 @@ -1293,7 +1293,8 @@ libvirt_driver_lxc_impl_la_CFLAGS = \
   -I$(srcdir)/access \
   -I$(srcdir)/conf \
   $(AM_CFLAGS)
 -libvirt_driver_lxc_impl_la_LIBADD = $(CAPNG_LIBS) $(LIBNL_LIBS) $(FUSE_LIBS)
 +libvirt_driver_lxc_impl_la_LIBADD = $(CAPNG_LIBS) $(LIBNL_LIBS) 
 $(LIBXML_LIBS) $(FUSE_LIBS)
 +libvirt_driver_lxc_impl_la_LDFLAGS = libvirt-lxc.la

This won't fly. If you need libvirt-lxc.la to be added, you must put it
into LIBADD. Otherwise automake will fail to see the dependency tree. It
happened to me when I was building this with -j5. Although, this won't
be needed at all IMO, but more on that later.

  if WITH_BLKID
  libvirt_driver_lxc_impl_la_CFLAGS += $(BLKID_CFLAGS)
  libvirt_driver_lxc_impl_la_LIBADD += $(BLKID_LIBS)
 @@ -2652,6 +2653,8 @@ libvirt_lxc_LDADD = \
   libvirt-net-rpc.la \
   libvirt_security_manager.la \
   libvirt_conf.la \
 + libvirt.la \
 + libvirt-lxc.la \
   libvirt_util.la \
   ../gnulib/lib/libgnu.la
  if WITH_DTRACE_PROBES
 diff --git a/src/lxc/lxc_conf.c b/src/lxc/lxc_conf.c
 index c393cb5..96a0f47 100644
 --- a/src/lxc/lxc_conf.c
 +++ b/src/lxc/lxc_conf.c
 @@ -213,7 +213,7 @@ lxcDomainXMLConfInit(void)
  {
  return virDomainXMLOptionNew(virLXCDriverDomainDefParserConfig,
   virLXCDriverPrivateDataCallbacks,
 - NULL);
 + virLXCDriverDomainXMLNamespace);
  }
  
  
 diff --git a/src/lxc/lxc_conf.h b/src/lxc/lxc_conf.h
 index 8340b1f..59002e5 100644
 --- a/src/lxc/lxc_conf.h
 +++ b/src/lxc/lxc_conf.h
 @@ -67,6 +67,29 @@ struct _virLXCDriverConfig {
  bool securityRequireConfined;
  };
  
 +
 +typedef enum {
 +VIR_DOMAIN_NAMESPACE_SHARENET = 0,
 +VIR_DOMAIN_NAMESPACE_SHAREIPC,
 +VIR_DOMAIN_NAMESPACE_SHAREUTS,
 +VIR_DOMAIN_NAMESPACE_LAST,
 +} virDomainNamespace;
 +
 +struct ns_info {
 +const char *proc_name;
 +int clone_flag;
 +};
 +
 +extern const struct ns_info ns_info[VIR_DOMAIN_NAMESPACE_LAST];
 +
 +typedef struct _lxcDomainDef lxcDomainDef;
 +typedef lxcDomainDef *lxcDomainDefPtr;
 +struct _lxcDomainDef {
 +int ns_inherit_fd[VIR_DOMAIN_NAMESPACE_LAST];
 +char *ns_type[VIR_DOMAIN_NAMESPACE_LAST];
 +char *ns_val[VIR_DOMAIN_NAMESPACE_LAST];
 +};
 +
  struct _virLXCDriver {
  virMutex lock;
  
 diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
 index 9a9ae5c..a9a7ba0 100644
 --- a/src/lxc/lxc_container.c
 +++ b/src/lxc/lxc_container.c
 @@ -25,8 +25,8 @@
   */
  
  #include config.h
 -

No, we like the extra space here. config.h has a special status.

  #include fcntl.h
 +#include sched.h
  #include limits.h
  #include stdlib.h
  #include stdio.h
 @@ -38,7 +38,6 @@
  #include mntent.h
  #include sys/reboot.h
  #include linux/reboot.h
 -
  /* Yes, we want linux private one, for _syscall2() macro */
  #include linux/unistd.h
  
 @@ -99,6 +98,50 @@ VIR_LOG_INIT(lxc.lxc_container);
  typedef char lxc_message_t;
  #define LXC_CONTINUE_MSG 'c'
  


 +#ifdef __linux__
 +/*
 + * Workaround older glibc. While kernel may support the setns
 + * syscall, the glibc wrapper might not exist. If that's the
 + * case, use our own.
 + */
 +# ifndef __NR_setns
 +#  if defined(__x86_64__)
 +#   define __NR_setns 308
 

Re: [libvirt] [PATCH] lxc / docker containers gives option to inherit the namespaces. Example lxc-start has option [ --share-[net|ipc|uts] name|pid ] where --share-net name|pid means Inherit a network

[Michal Privoznik]

On 21.05.2015 19:43, ik.nitk wrote:
  This patch tries to add the similar option to libvirt lxc. So to inherit 
 namespace from name
  container c2.
  add this into xml.
  lxc:namespace
  sharenet type='name' value='c2'/
  /lxc:namespace
 
  And to inherit namespace from a pid.
  add this into xml.
  lxc:namespace
  sharenet type='pid' value='10245'/
  /lxc:namespace
 
  And to inherit namespace from a netns.
  add this into xml.
  lxc:namespace
  sharenet type='netns' value='red'/
  /lxc:namespace
 
  Similar options for ipc/uts.
  shareipc/ , shareuts /
 
  The reasong lxc xml namespace is added because this feature is very specific 
 to lxc. Therfore wanted to
  keep it seperated from actual libvirt xml domain.
 
  -imran
 ---
  src/Makefile.am |   5 +-
  src/lxc/lxc_conf.c  |   2 +-
  src/lxc/lxc_conf.h  |  23 +
  src/lxc/lxc_container.c | 191 ++--
  src/lxc/lxc_domain.c| 254 
 +++-
  src/lxc/lxc_domain.h|   1 +
  6 files changed, 463 insertions(+), 13 deletions(-)

Unfortunately, we entered freeze and this patch slipped. Sorry. I'll
review after the release.

Michal

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH] lxc / docker containers gives option to inherit the namespaces. Example lxc-start has option [ --share-[net|ipc|uts] name|pid ] where --share-net name|pid means Inherit a network nam

[ik.nitk]

 This patch tries to add the similar option to libvirt lxc. So to inherit 
namespace from name
 container c2.
 add this into xml.
 lxc:namespace
 sharenet type='name' value='c2'/
 /lxc:namespace

 And to inherit namespace from a pid.
 add this into xml.
 lxc:namespace
 sharenet type='pid' value='10245'/
 /lxc:namespace

 And to inherit namespace from a netns.
 add this into xml.
 lxc:namespace
 sharenet type='netns' value='red'/
 /lxc:namespace

 Similar options for ipc/uts.
 shareipc/ , shareuts /

 The reasong lxc xml namespace is added because this feature is very specific 
to lxc. Therfore wanted to
 keep it seperated from actual libvirt xml domain.

 -imran
---
 src/Makefile.am |   5 +-
 src/lxc/lxc_conf.c  |   2 +-
 src/lxc/lxc_conf.h  |  23 +
 src/lxc/lxc_container.c | 191 ++--
 src/lxc/lxc_domain.c| 254 +++-
 src/lxc/lxc_domain.h|   1 +
 6 files changed, 463 insertions(+), 13 deletions(-)

diff --git a/src/Makefile.am b/src/Makefile.am
index 579421d..1a78fde 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1293,7 +1293,8 @@ libvirt_driver_lxc_impl_la_CFLAGS = \
-I$(srcdir)/access \
-I$(srcdir)/conf \
$(AM_CFLAGS)
-libvirt_driver_lxc_impl_la_LIBADD = $(CAPNG_LIBS) $(LIBNL_LIBS) $(FUSE_LIBS)
+libvirt_driver_lxc_impl_la_LIBADD = $(CAPNG_LIBS) $(LIBNL_LIBS) $(LIBXML_LIBS) 
$(FUSE_LIBS)
+libvirt_driver_lxc_impl_la_LDFLAGS = libvirt-lxc.la
 if WITH_BLKID
 libvirt_driver_lxc_impl_la_CFLAGS += $(BLKID_CFLAGS)
 libvirt_driver_lxc_impl_la_LIBADD += $(BLKID_LIBS)
@@ -2652,6 +2653,8 @@ libvirt_lxc_LDADD =   \
libvirt-net-rpc.la \
libvirt_security_manager.la \
libvirt_conf.la \
+   libvirt.la \
+   libvirt-lxc.la \
libvirt_util.la \
../gnulib/lib/libgnu.la
 if WITH_DTRACE_PROBES
diff --git a/src/lxc/lxc_conf.c b/src/lxc/lxc_conf.c
index c393cb5..96a0f47 100644
--- a/src/lxc/lxc_conf.c
+++ b/src/lxc/lxc_conf.c
@@ -213,7 +213,7 @@ lxcDomainXMLConfInit(void)
 {
 return virDomainXMLOptionNew(virLXCDriverDomainDefParserConfig,
  virLXCDriverPrivateDataCallbacks,
- NULL);
+ virLXCDriverDomainXMLNamespace);
 }
 
 
diff --git a/src/lxc/lxc_conf.h b/src/lxc/lxc_conf.h
index 8340b1f..59002e5 100644
--- a/src/lxc/lxc_conf.h
+++ b/src/lxc/lxc_conf.h
@@ -67,6 +67,29 @@ struct _virLXCDriverConfig {
 bool securityRequireConfined;
 };
 
+
+typedef enum {
+VIR_DOMAIN_NAMESPACE_SHARENET = 0,
+VIR_DOMAIN_NAMESPACE_SHAREIPC,
+VIR_DOMAIN_NAMESPACE_SHAREUTS,
+VIR_DOMAIN_NAMESPACE_LAST,
+} virDomainNamespace;
+
+struct ns_info {
+const char *proc_name;
+int clone_flag;
+};
+
+extern const struct ns_info ns_info[VIR_DOMAIN_NAMESPACE_LAST];
+
+typedef struct _lxcDomainDef lxcDomainDef;
+typedef lxcDomainDef *lxcDomainDefPtr;
+struct _lxcDomainDef {
+int ns_inherit_fd[VIR_DOMAIN_NAMESPACE_LAST];
+char *ns_type[VIR_DOMAIN_NAMESPACE_LAST];
+char *ns_val[VIR_DOMAIN_NAMESPACE_LAST];
+};
+
 struct _virLXCDriver {
 virMutex lock;
 
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 9a9ae5c..a9a7ba0 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -25,8 +25,8 @@
  */
 
 #include config.h
-
 #include fcntl.h
+#include sched.h
 #include limits.h
 #include stdlib.h
 #include stdio.h
@@ -38,7 +38,6 @@
 #include mntent.h
 #include sys/reboot.h
 #include linux/reboot.h
-
 /* Yes, we want linux private one, for _syscall2() macro */
 #include linux/unistd.h
 
@@ -99,6 +98,50 @@ VIR_LOG_INIT(lxc.lxc_container);
 typedef char lxc_message_t;
 #define LXC_CONTINUE_MSG 'c'
 
+#ifdef __linux__
+/*
+ * Workaround older glibc. While kernel may support the setns
+ * syscall, the glibc wrapper might not exist. If that's the
+ * case, use our own.
+ */
+# ifndef __NR_setns
+#  if defined(__x86_64__)
+#   define __NR_setns 308
+#  elif defined(__i386__)
+#   define __NR_setns 346
+#  elif defined(__arm__)
+#   define __NR_setns 375
+#  elif defined(__aarch64__)
+#   define __NR_setns 375
+#  elif defined(__powerpc__)
+#   define __NR_setns 350
+#  elif defined(__s390__)
+#   define __NR_setns 339
+#  endif
+# endif
+
+# ifndef HAVE_SETNS
+#  if defined(__NR_setns)
+#   include sys/syscall.h
+
+static inline int setns(int fd, int nstype)
+{
+return syscall(__NR_setns, fd, nstype);
+}
+#  else /* !__NR_setns */
+#   error Please determine the syscall number for setns on your architecture
+#  endif
+# endif
+#else /* !__linux__ */
+static inline int setns(int fd ATTRIBUTE_UNUSED, int nstype ATTRIBUTE_UNUSED)
+{
+virReportSystemError(ENOSYS, %s,
+ _(Namespaces are not supported on this platform.));
+return -1;
+}