[libvirt] [PATCH 1/1] lxc: only do CLONE_NEWUSER when kernel supports it

Daniel Veillard veillard at redhat.com
Mon Apr 20 12:20:30 UTC 2009


On Mon, Apr 20, 2009 at 11:29:13AM +0100, Daniel P. Berrange wrote:
> On Fri, Apr 17, 2009 at 04:50:10PM -0500, Serge E. Hallyn wrote:
> > From 2513f8a7e0654e84570fe0ef2204dabe276b9e4e Mon Sep 17 00:00:00 2001
> > From: root <root at jaunty.(none)>
> > Date: Fri, 17 Apr 2009 16:41:01 -0500
> > Subject: [PATCH 1/1] lxc: only do CLONE_NEWUSER when kernel supports it
> > 
> > The ubuntu jaunty kernel is not compiled with USER_NS.  Since
> > libvirt-lxc always does clone(CLONE_NEWUSER) it gets -EINVAL
> > and mysteriously claims to be unable to contact hypervisor.
> > 
> > This patch isn't the right thing to do, but I'm not sure what
> > is.  User namespaces do (since recently) isolate the in-kernel
> > keyring.  So the right thing might be to add a flag to the
> > xml definition file to specify whether to use a user namespace.
> > This patch doesn't do that, rather it always does CLONE_NEWUSER
> > if the kernel supports it, and never if not.
> 
> I think this patch is sufficient. If it is genuinely important to
> support CLONE_NEWUSER then Ubuntu can fix their kernel config,
> otherwise simply disabling it in libvirt when not present is fine.

  Okay, I wasn't sure.

> > diff --git a/src/lxc_container.c b/src/lxc_container.c
> > index 67c66bd..8069af7 100644
> > --- a/src/lxc_container.c
> > +++ b/src/lxc_container.c
> > @@ -666,6 +666,11 @@ static int lxcContainerChild( void *data )
> >      return lxcContainerExecInit(vmDef);
> >  }
> >  
> > +int userns_supported(void)
> > +{
> > +	return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> > +}
> > +
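
Review bot: userns_supported() is added as a non-static function with no declaration in lxc_container.h, and it departs from the file's conventions in two visible ways: the body on the `return` line is indented with a tab where the surrounding code uses four spaces, and the name is snake_case where the file's other functions are lxcContainer*-style camelCase. Making it `static`, indenting with four spaces and naming it in the lxcContainer* style (for example `static int lxcContainerUserNSSupported(void)`, or similar) would satisfy -Wmissing-prototypes and match the rest of the file.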

  I will just make that function static since it doesn't need to be
exported.

> >  /**
> >   * lxcContainerStart:
> >   * @driver: pointer to driver structure
> > @@ -694,7 +699,10 @@ int lxcContainerStart(virDomainDefPtr def,
> >      }
> >      stacktop = stack + stacksize;
> >  
> > -    flags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWUSER|CLONE_NEWIPC|SIGCHLD;
> > +    flags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
> > +
> > +    if (userns_supported())
> > +        flags |= CLONE_NEWUSER;
> >  
> >      if (def->nets != NULL)
> >          flags |= CLONE_NEWNET;
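
Review bot: the fallback in lxcContainerStart is silent: whenever userns_supported() returns false the container is started without CLONE_NEWUSER and nothing is logged, so a start that lost user-namespace isolation because the probe failed for some reason other than a kernel built without USER_NS is indistinguishable from a normal start. Suggest emitting a log/debug message on the `if (userns_supported())` fallback path; and since lxcContainerAvailable() clones a probe child on every call (see cpid/childStack/childStatus in the next hunk) while kernel support cannot change at runtime, computing the answer once and caching it rather than re-probing on every container start.
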
> > @@ -719,13 +727,16 @@ static int lxcContainerDummyChild(void *argv ATTRIBUTE_UNUSED)
> >  
> >  int lxcContainerAvailable(int features)
> >  {
> > -    int flags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWUSER|
> > +    int flags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|
> >          CLONE_NEWIPC|SIGCHLD;
> >      int cpid;
> >      char *childStack;
> >      char *stack;
> >      int childStatus;
> >  
> > +    if (features & LXC_CONTAINER_FEATURE_USER)
> > +        flags |= CLONE_NEWUSER;
> > +
> >      if (features & LXC_CONTAINER_FEATURE_NET)
> >          flags |= CLONE_NEWNET;
> >  
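
Review bot: removing CLONE_NEWUSER from the default `flags` changes what lxcContainerAvailable() reports to its existing callers: a call with features == 0 or with only LXC_CONTAINER_FEATURE_NET previously verified user namespaces as part of the probe and now does not, so any caller that relied on that implicit check must now pass LXC_CONTAINER_FEATURE_USER explicitly. Please audit the existing callers as part of this patch and record the new meaning of the default probe in the function's comment.
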
> > diff --git a/src/lxc_container.h b/src/lxc_container.h
> > index 5d037b0..b99e83e 100644
> > --- a/src/lxc_container.h
> > +++ b/src/lxc_container.h
> > @@ -28,6 +28,7 @@
> >  
> >  enum {
> >      LXC_CONTAINER_FEATURE_NET = (1 << 0),
> > +    LXC_CONTAINER_FEATURE_USER = (1 << 1),
> >  };
> >  
> >  #define LXC_DEV_MAJ_MEMORY  1
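
Review bot: LXC_CONTAINER_FEATURE_USER is added to the enum with no comment, and neither value in the enum says which clone flag it selects; a one-line comment per value (for example `LXC_CONTAINER_FEATURE_USER = (1 << 1), /* probe CLONE_NEWUSER */`) would document that this flag turns on the user-namespace probe in lxcContainerAvailable().
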
> 
> ACK

  Okay, will commit!

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel at veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/



