[pve-devel] [PATCH lxc] renamed lxc.start.unshare to lxc.monitor.unshare

Wolfgang Bumiller w.bumiller at proxmox.com
Mon Nov 30 13:44:29 CET 2015


---
 ...rmor-add-make-rslave-to-usr.bin.lxc-start.patch |  32 +++++
 debian/patches/0001-added-lxc.start.unshare.patch  | 118 -------------------
 .../patches/0002-Added-lxc.monitor.unshare.patch   | 131 +++++++++++++++++++++
 debian/patches/series                              |   3 +-
 4 files changed, 165 insertions(+), 119 deletions(-)
 create mode 100644 debian/patches/0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch
 delete mode 100644 debian/patches/0001-added-lxc.start.unshare.patch
 create mode 100644 debian/patches/0002-Added-lxc.monitor.unshare.patch

diff --git a/debian/patches/0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch b/debian/patches/0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch
new file mode 100644
index 0000000..534c3a9
--- /dev/null
+++ b/debian/patches/0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch
@@ -0,0 +1,32 @@
+From a1fd9b6b62051a05bb85fb10dd03342aa231c246 Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller at proxmox.com>
+Date: Fri, 20 Nov 2015 09:52:39 +0100
+Subject: [PATCH v2 lxc 1/2] AppArmor: add make-rslave to usr.bin.lxc-start
+
+The profile already contains
+  mount options=(rw, make-slave) -> **,
+
+Which allows going through all mountpoints with make-slave,
+so it seems to make sense to also allow the directly
+recursive variant with "make-rslave".
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
+---
+ config/apparmor/abstractions/start-container | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
+index b06a84d..eee0c2f 100644
+--- a/config/apparmor/abstractions/start-container
++++ b/config/apparmor/abstractions/start-container
+@@ -15,6 +15,7 @@
+   mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
+   mount options=bind /dev/pts/** -> /dev/**,
+   mount options=(rw, make-slave) -> **,
++  mount options=(rw, make-rslave) -> **,
+   mount fstype=debugfs,
+   # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
+   mount -> /var/lib/lxc/{**,},
+-- 
+2.1.4
+
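Review bot: The commit text inside this patch justifies the new `make-rslave` rule only by symmetry with the `make-slave` line above it, but its real consumer is the `mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)` call added by 0002-Added-lxc.monitor.unshare.patch later in this same series, and nothing at the rule site records that dependency. If the lxc-start profile applies to the process doing that mount and denies it, the code logs "Failed to make / rslave at startup" and returns false, so a later cleanup of apparently unused rules could silently break lxc.monitor.unshare. A one-line comment above the new rule would pin this down, e.g. `  # needed by lxc.monitor.unshare, which makes / rslave (MS_SLAVE|MS_REC) before pre-start hooks`. The rule otherwise mirrors the existing `make-slave` line, including its `-> **` target, so it grants no wider scope than what is already allowed.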
diff --git a/debian/patches/0001-added-lxc.start.unshare.patch b/debian/patches/0001-added-lxc.start.unshare.patch
deleted file mode 100644
index 1c5bd5a..0000000
--- a/debian/patches/0001-added-lxc.start.unshare.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From dc54e85c015bf6f2b67b6abcc3fac82e9d927412 Mon Sep 17 00:00:00 2001
-From: Wolfgang Bumiller <w.bumiller at proxmox.com>
-Date: Wed, 18 Nov 2015 14:05:00 +0100
-Subject: [PATCH] added lxc.start.unshare
-
----
- config/apparmor/abstractions/start-container |  1 +
- doc/lxc.container.conf.sgml.in               | 12 ++++++++++++
- src/lxc/conf.h                               |  1 +
- src/lxc/confile.c                            |  7 +++++++
- src/lxc/lxccontainer.c                       | 12 ++++++++++++
- 5 files changed, 33 insertions(+)
-
-diff --git a/config/apparmor/abstractions/start-container b/config/apparmor/abstractions/start-container
-index b06a84d..eee0c2f 100644
---- a/config/apparmor/abstractions/start-container
-+++ b/config/apparmor/abstractions/start-container
-@@ -15,6 +15,7 @@
-   mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
-   mount options=bind /dev/pts/** -> /dev/**,
-   mount options=(rw, make-slave) -> **,
-+  mount options=(rw, make-rslave) -> **,
-   mount fstype=debugfs,
-   # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
-   mount -> /var/lib/lxc/{**,},
-diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
-index 90ffefa..7592d5c 100644
---- a/doc/lxc.container.conf.sgml.in
-+++ b/doc/lxc.container.conf.sgml.in
-@@ -1661,6 +1661,18 @@ mknod errno 0
-         </varlistentry>
-         <varlistentry>
-           <term>
-+            <option>lxc.start.unshare</option>
-+          </term>
-+          <listitem>
-+            <para>
-+              If not zero (which is the default) the mount namespace will
-+              be unshared from the host before initializing the container
-+              (before running any pre-start hooks).
-+            </para>
-+          </listitem>
-+        </varlistentry>
-+        <varlistentry>
-+          <term>
-             <option>lxc.group</option>
-           </term>
-           <listitem>
-diff --git a/src/lxc/conf.h b/src/lxc/conf.h
-index 1374d4a..3a83ba3 100644
---- a/src/lxc/conf.h
-+++ b/src/lxc/conf.h
-@@ -344,6 +344,7 @@ struct lxc_conf {
- 	int start_auto;
- 	int start_delay;
- 	int start_order;
-+	int start_unshare;
- 	struct lxc_list groups;
- 	int nbd_idx;
- 
-diff --git a/src/lxc/confile.c b/src/lxc/confile.c
-index c2eaaa6..b6ed195 100644
---- a/src/lxc/confile.c
-+++ b/src/lxc/confile.c
-@@ -173,6 +173,7 @@ static struct lxc_config_t config[] = {
- 	{ "lxc.start.auto",           config_start                },
- 	{ "lxc.start.delay",          config_start                },
- 	{ "lxc.start.order",          config_start                },
-+	{ "lxc.start.unshare",        config_start                },
- 	{ "lxc.group",                config_group                },
- 	{ "lxc.environment",          config_environment          },
- 	{ "lxc.init_cmd",             config_init_cmd             },
-@@ -1137,6 +1138,10 @@ static int config_start(const char *key, const char *value,
- 		lxc_conf->start_order = atoi(value);
- 		return 0;
- 	}
-+	else if (strcmp(key, "lxc.start.unshare") == 0) {
-+		lxc_conf->start_unshare = atoi(value);
-+		return 0;
-+	}
- 	SYSERROR("Unknown key: %s", key);
- 	return -1;
- }
-@@ -2483,6 +2488,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv,
- 		return lxc_get_conf_int(c, retv, inlen, c->start_delay);
- 	else if (strcmp(key, "lxc.start.order") == 0)
- 		return lxc_get_conf_int(c, retv, inlen, c->start_order);
-+	else if (strcmp(key, "lxc.start.unshare") == 0)
-+		return lxc_get_conf_int(c, retv, inlen, c->start_unshare);
- 	else if (strcmp(key, "lxc.group") == 0)
- 		return lxc_get_item_groups(c, retv, inlen);
- 	else if (strcmp(key, "lxc.seccomp") == 0)
-diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
-index 5207255..074fa57 100644
---- a/src/lxc/lxccontainer.c
-+++ b/src/lxc/lxccontainer.c
-@@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
- 
- 	conf->reboot = 0;
- 
-+	/* Unshare the mount namespace if requested */
-+	if (conf->start_unshare) {
-+		if (unshare(CLONE_NEWNS)) {
-+			SYSERROR("failed to unshare mount namespace");
-+			return false;
-+		}
-+		if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) {
-+			SYSERROR("Failed to make / rslave at startup");
-+			return false;
-+		}
-+	}
-+
- reboot:
- 	if (lxc_check_inherited(conf, daemonize, -1)) {
- 		ERROR("Inherited fds found");
--- 
-2.1.4
-
diff --git a/debian/patches/0002-Added-lxc.monitor.unshare.patch b/debian/patches/0002-Added-lxc.monitor.unshare.patch
new file mode 100644
index 0000000..2426811
--- /dev/null
+++ b/debian/patches/0002-Added-lxc.monitor.unshare.patch
@@ -0,0 +1,131 @@
+From ba9a6bc839732929e89a0ebcdb268f83f0e784cb Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller at proxmox.com>
+Date: Fri, 20 Nov 2015 09:57:14 +0100
+Subject: [PATCH v2 lxc 2/2] Added lxc.monitor.unshare
+
+If manual mounting with elevated permissions is required
+this can currently only be done in pre-start hooks or before
+starting LXC. In both cases the mounts would appear in the
+host's namespace.
+With this flag the namespace is unshared before the startup
+sequence, so that mounts performed in the pre-start hook
+don't show up on the host.
+
+Signed-off-by: Wolfgang Bumiller <w.bumiller at proxmox.com>
+---
+ doc/lxc.container.conf.sgml.in | 12 ++++++++++++
+ src/lxc/conf.h                 |  3 +++
+ src/lxc/confile.c              | 15 +++++++++++++++
+ src/lxc/lxccontainer.c         | 12 ++++++++++++
+ 4 files changed, 42 insertions(+)
+
+diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
+index 90ffefa..3b6f698 100644
+--- a/doc/lxc.container.conf.sgml.in
++++ b/doc/lxc.container.conf.sgml.in
+@@ -1661,6 +1661,18 @@ mknod errno 0
+         </varlistentry>
+         <varlistentry>
+           <term>
++            <option>lxc.monitor.unshare</option>
++          </term>
++          <listitem>
++            <para>
++              If not zero the mount namespace will be unshared from the host
++              before initializing the container (before running any pre-start
++              hooks). Default is 0.
++            </para>
++          </listitem>
++        </varlistentry>
++        <varlistentry>
++          <term>
+             <option>lxc.group</option>
+           </term>
+           <listitem>
+diff --git a/src/lxc/conf.h b/src/lxc/conf.h
+index 1374d4a..b0274ec 100644
+--- a/src/lxc/conf.h
++++ b/src/lxc/conf.h
+@@ -347,6 +347,9 @@ struct lxc_conf {
+ 	struct lxc_list groups;
+ 	int nbd_idx;
+ 
++	/* unshare the mount namespace in the monitor */
++	int monitor_unshare;
++
+ 	/* set to true when rootfs has been setup */
+ 	bool rootfs_setup;
+ 
+diff --git a/src/lxc/confile.c b/src/lxc/confile.c
+index c2eaaa6..ce6786c 100644
+--- a/src/lxc/confile.c
++++ b/src/lxc/confile.c
+@@ -103,6 +103,7 @@ static int config_haltsignal(const char *, const char *, struct lxc_conf *);
+ static int config_rebootsignal(const char *, const char *, struct lxc_conf *);
+ static int config_stopsignal(const char *, const char *, struct lxc_conf *);
+ static int config_start(const char *, const char *, struct lxc_conf *);
++static int config_monitor(const char *, const char *, struct lxc_conf *);
+ static int config_group(const char *, const char *, struct lxc_conf *);
+ static int config_environment(const char *, const char *, struct lxc_conf *);
+ static int config_init_cmd(const char *, const char *, struct lxc_conf *);
+@@ -173,6 +174,7 @@ static struct lxc_config_t config[] = {
+ 	{ "lxc.start.auto",           config_start                },
+ 	{ "lxc.start.delay",          config_start                },
+ 	{ "lxc.start.order",          config_start                },
++	{ "lxc.monitor.unshare",      config_monitor              },
+ 	{ "lxc.group",                config_group                },
+ 	{ "lxc.environment",          config_environment          },
+ 	{ "lxc.init_cmd",             config_init_cmd             },
+@@ -1141,6 +1143,17 @@ static int config_start(const char *key, const char *value,
+ 	return -1;
+ }
+ 
++static int config_monitor(const char *key, const char *value,
++			  struct lxc_conf *lxc_conf)
++{
++	if(strcmp(key, "lxc.monitor.unshare") == 0) {
++		lxc_conf->monitor_unshare = atoi(value);
++		return 0;
++	}
++	SYSERROR("Unknown key: %s", key);
++	return -1;
++}
++
+ static int config_group(const char *key, const char *value,
+ 		      struct lxc_conf *lxc_conf)
+ {
+@@ -2483,6 +2496,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv,
+ 		return lxc_get_conf_int(c, retv, inlen, c->start_delay);
+ 	else if (strcmp(key, "lxc.start.order") == 0)
+ 		return lxc_get_conf_int(c, retv, inlen, c->start_order);
++	else if (strcmp(key, "lxc.monitor.unshare") == 0)
++		return lxc_get_conf_int(c, retv, inlen, c->monitor_unshare);
+ 	else if (strcmp(key, "lxc.group") == 0)
+ 		return lxc_get_item_groups(c, retv, inlen);
+ 	else if (strcmp(key, "lxc.seccomp") == 0)
+diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
+index 69816da..2804841 100644
+--- a/src/lxc/lxccontainer.c
++++ b/src/lxc/lxccontainer.c
+@@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
+ 
+ 	conf->reboot = 0;
+ 
++	/* Unshare the mount namespace if requested */
++	if (conf->monitor_unshare) {
++		if (unshare(CLONE_NEWNS)) {
++			SYSERROR("failed to unshare mount namespace");
++			return false;
++		}
++		if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) {
++			SYSERROR("Failed to make / rslave at startup");
++			return false;
++		}
++	}
++
+ reboot:
+ 	if (lxc_check_inherited(conf, daemonize, -1)) {
+ 		ERROR("Inherited fds found");
+-- 
+2.1.4
+
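Review bot: `config_monitor` stores `atoi(value)` without checking that the value actually parsed, so a non-numeric setting such as `lxc.monitor.unshare = yes` silently becomes 0 and the mount namespace stays shared with the host — the opposite of what the user asked for, with nothing in the log. Parsing with `strtol` and rejecting trailing characters turns that misconfiguration into a load-time error; the rewritten function is below (the neighbouring `config_start` uses the same `atoi` pattern, but that is pre-existing and not part of this patch). Minor style: `if(strcmp(...)` on the first line of the body should be `if (strcmp(...)` to match the rest of confile.c. The `do_lxcapi_start` hunk looks correct as far as it is visible, but the function starts and ends outside the hunk, so whether `unshare(CLONE_NEWNS)` runs before or after the daemonizing fork — i.e. whether a non-daemonized API caller also ends up in the new namespace — cannot be confirmed from here and deserves a sentence in the sgml doc entry.
```c
static int config_monitor(const char *key, const char *value,
			  struct lxc_conf *lxc_conf)
{
	if (strcmp(key, "lxc.monitor.unshare") == 0) {
		char *end;
		errno = 0;
		long v = strtol(value, &end, 10);
		/* reject empty, non-numeric or out-of-range values instead of
		 * letting atoi() quietly turn them into "disabled" */
		if (end == value || *end != '\0' || errno == ERANGE) {
			ERROR("Invalid value for %s: %s", key, value);
			return -1;
		}
		lxc_conf->monitor_unshare = (v != 0);
		return 0;
	}
	/* … unchanged: unknown-key SYSERROR and return -1 … */
}
```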
diff --git a/debian/patches/series b/debian/patches/series
index 0299687..322f714 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -13,4 +13,5 @@ run-lxcnetaddbr.patch
 0005-added-the-unmount-namespace-hook.patch
 0006-hooks-put-binary-hooks-in-usr-lib-lxc-hooks.patch
 delete_network_show_error.diff
-0001-added-lxc.start.unshare.patch
+0001-AppArmor-add-make-rslave-to-usr.bin.lxc-start.patch
+0002-Added-lxc.monitor.unshare.patch
-- 
2.1.4




