[pve-devel] [PATCH lxc] add lxc.start.unshare patch
Wolfgang Bumiller
w.bumiller at proxmox.com
Thu Nov 19 10:03:46 CET 2015
---
debian/patches/0001-added-lxc.start.unshare.patch | 118 ++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 119 insertions(+)
create mode 100644 debian/patches/0001-added-lxc.start.unshare.patch
diff --git a/debian/patches/0001-added-lxc.start.unshare.patch b/debian/patches/0001-added-lxc.start.unshare.patch
new file mode 100644
index 0000000..1c5bd5a
--- /dev/null
+++ b/debian/patches/0001-added-lxc.start.unshare.patch
@@ -0,0 +1,118 @@
+From dc54e85c015bf6f2b67b6abcc3fac82e9d927412 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller at proxmox.com>
+Date: Wed, 18 Nov 2015 14:05:00 +0100
+Subject: [PATCH] added lxc.start.unshare
+
+---
+ config/apparmor/abstractions/start-container | 1 +
+ doc/lxc.container.conf.sgml.in | 12 ++++++++++++
+ src/lxc/conf.h | 1 +
+ src/lxc/confile.c | 7 +++++++
+ src/lxc/lxccontainer.c | 12 ++++++++++++
+ 5 files changed, 33 insertions(+)
+
+diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
+index b06a84d..eee0c2f 100644
+--- a/config/apparmor/abstractions/start-container
++++ b/config/apparmor/abstractions/start-container
+@@ -15,6 +15,7 @@
+ mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
+ mount options=bind /dev/pts/** -> /dev/**,
+ mount options=(rw, make-slave) -> **,
++ mount options=(rw, make-rslave) -> **,
+ mount fstype=debugfs,
+ # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
+ mount -> /var/lib/lxc/{**,},
+diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
+index 90ffefa..7592d5c 100644
+--- a/doc/lxc.container.conf.sgml.in
++++ b/doc/lxc.container.conf.sgml.in
+@@ -1661,6 +1661,18 @@ mknod errno 0
+ </varlistentry>
+ <varlistentry>
+ <term>
++ <option>lxc.start.unshare</option>
++ </term>
++ <listitem>
++ <para>
++ If not zero (which is the default) the mount namespace will
++ be unshared from the host before initializing the container
++ (before running any pre-start hooks).
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
+ <option>lxc.group</option>
+ </term>
+ <listitem>
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index 1374d4a..3a83ba3 100644
+--- a/src/lxc/conf.h
++++ b/src/lxc/conf.h
+@@ -344,6 +344,7 @@ struct lxc_conf {
+ int start_auto;
+ int start_delay;
+ int start_order;
++ int start_unshare;
+ struct lxc_list groups;
+ int nbd_idx;
+
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index c2eaaa6..b6ed195 100644
+--- a/src/lxc/confile.c
++++ b/src/lxc/confile.c
+@@ -173,6 +173,7 @@ static struct lxc_config_t config[] = {
+ { "lxc.start.auto", config_start },
+ { "lxc.start.delay", config_start },
+ { "lxc.start.order", config_start },
++ { "lxc.start.unshare", config_start },
+ { "lxc.group", config_group },
+ { "lxc.environment", config_environment },
+ { "lxc.init_cmd", config_init_cmd },
+@@ -1137,6 +1138,10 @@ static int config_start(const char *key, const char *value,
+ lxc_conf->start_order = atoi(value);
+ return 0;
+ }
++ else if (strcmp(key, "lxc.start.unshare") == 0) {
++ lxc_conf->start_unshare = atoi(value);
++ return 0;
++ }
+ SYSERROR("Unknown key: %s", key);
+ return -1;
+ }
+@@ -2483,6 +2488,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv,
+ return lxc_get_conf_int(c, retv, inlen, c->start_delay);
+ else if (strcmp(key, "lxc.start.order") == 0)
+ return lxc_get_conf_int(c, retv, inlen, c->start_order);
++ else if (strcmp(key, "lxc.start.unshare") == 0)
++ return lxc_get_conf_int(c, retv, inlen, c->start_unshare);
+ else if (strcmp(key, "lxc.group") == 0)
+ return lxc_get_item_groups(c, retv, inlen);
+ else if (strcmp(key, "lxc.seccomp") == 0)
+diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
+index 5207255..074fa57 100644
+--- a/src/lxc/lxccontainer.c
++++ b/src/lxc/lxccontainer.c
+@@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
+
+ conf->reboot = 0;
+
++ /* Unshare the mount namespace if requested */
++ if (conf->start_unshare) {
++ if (unshare(CLONE_NEWNS)) {
++ SYSERROR("failed to unshare mount namespace");
++ return false;
++ }
++ if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) {
++ SYSERROR("Failed to make / rslave at startup");
++ return false;
++ }
++ }
++
+ reboot:
+ if (lxc_check_inherited(conf, daemonize, -1)) {
+ ERROR("Inherited fds found");
+--
+2.1.4
+
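Review bot: The new documentation text in doc/lxc.container.conf.sgml.in, `If not zero (which is the default)`, reads as if non-zero were the default, yet the patch adds `int start_unshare` to `struct lxc_conf` without any visible initialization, so the effective default is presumably 0 (whatever lxc_conf_init zeroes — confirm) and the option is off unless set. Suggest rewording it to `If set to a non-zero value, the mount namespace is unshared from the host before the container is initialized (before any pre-start hooks run). The default is 0.` In the src/lxc/lxccontainer.c hunk, a failed `mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)` after a successful `unshare(CLONE_NEWNS)` returns false while the calling process stays in the freshly unshared mount namespace, which cannot be reverted; a comment such as `/* unshare() cannot be undone: on a failed mount() the caller is already in the new namespace */` above the mount call would make that visible, and since whether this code runs in the daemonized child or in the foreground caller is decided earlier in do_lxcapi_start (whose body begins and continues outside the hunk), the doc entry should also say whether a non-daemonized start changes the invoking process's own mount namespace.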
diff --git a/debian/patches/series b/debian/patches/series
index 7c870d1..0299687 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,3 +13,4 @@ run-lxcnetaddbr.patch
0005-added-the-unmount-namespace-hook.patch
0006-hooks-put-binary-hooks-in-usr-lib-lxc-hooks.patch
delete_network_show_error.diff
+0001-added-lxc.start.unshare.patch
--
2.1.4