[libvirt] [PATCH v3 02/12] LXC: enable user namespace only when user set the uidmap
John Ferlan
jferlan at redhat.com
Wed Jul 3 10:52:19 UTC 2013
On 05/23/2013 12:06 AM, Gao feng wrote:
> User namespace will be enabled only when the idmap exists
> in the configuration.
>
> If you want to disable user namespace, just remove these
> elements from the XML.
>
> If the kernel doesn't support user namespace and an idmap exists
> in the configuration file, libvirt lxc will fail to start and
> return the "Kernel doesn't support user namespace" message.
>
> Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
> ---
> src/lxc/lxc_container.c | 24 ++++++++++++++----------
> 1 file changed, 14 insertions(+), 10 deletions(-)
>
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index c74e3ca..618252c 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -2029,14 +2029,12 @@ cleanup:
>
> static int userns_supported(void)
> {
> -#if 1
> - /*
> - * put off using userns until uid mapping is implemented
> - */
> - return 0;
> -#else
> return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> -#endif
> +}
> +
> +static int userns_required(virDomainDefPtr def)
> +{
> + return def->idmap.uidmap && def->idmap.gidmap;
> }
>
> virArch lxcContainerGetAlt32bitArch(virArch arch)
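Review bot: userns_required() in this hunk returns true only when both def->idmap.uidmap and def->idmap.gidmap are set, so a configuration that supplies only a uidmap or only a gidmap is silently started without a user namespace and its partial mapping is ignored with no diagnostic. Either reject a half-specified idmap at parse time or report a configuration error here; and since the function is a predicate, returning bool rather than int would make the intent clearer (userns_supported() already evaluates to a boolean comparison).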
> @@ -2116,9 +2114,15 @@ int lxcContainerStart(virDomainDefPtr def,
>
> cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
>
> - if (userns_supported()) {
> - VIR_DEBUG("Enable user namespaces");
> - cflags |= CLONE_NEWUSER;
> + if (userns_required(def)) {
> + if (userns_supported()) {
> + VIR_DEBUG("Enable user namespace");
> + cflags |= CLONE_NEWUSER;
> + } else {
> + virReportSystemError(VIR_ERR_NO_KERNEL, "%s",
> + _("Kernel doesn't support user namespace"));
> + return -1;
> + }
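Review bot: the new `return -1;` in the else branch leaves lxcContainerStart() after the container stack has already been allocated (the VIR_ALLOC_N(stack, stacksize) visible at 2119 in the Coverity trace in this thread), so that buffer is leaked on the unsupported-kernel path; route the failure through a cleanup label that does VIR_FREE(stack), or free it before returning. Separately, virReportSystemError() takes an errno value as its first argument and appends the strerror() text for it, so passing VIR_ERR_NO_KERNEL there produces a misleading system-error message; virReportError(VIR_ERR_NO_KERNEL, "%s", _("Kernel doesn't support user namespace")) is the matching call.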
Since this was pushed yesterday, my overnight Coverity run picked up a
problem (resource leak because stack is not VIR_FREE()'d):
2118 /* allocate a stack for the container */
(1) Event alloc_arg: "virAllocN(void *, size_t, size_t)" allocates memory that is stored into "stack".
(2) Event cond_false: Condition "virAllocN(&stack, 1UL /* sizeof (*stack) */, stacksize) < 0", taking false branch
Also see events: [var_assign][leaked_storage][leaked_storage]
2119 if (VIR_ALLOC_N(stack, stacksize) < 0) {
2120 virReportOOMError();
2121 return -1;
(3) Event if_end: End of if statement
2122 }
(4) Event var_assign: Assigning: "stacktop" = "stack".
Also see events: [alloc_arg][leaked_storage][leaked_storage]
2123 stacktop = stack + stacksize;
2124
2125 cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
2126
(5) Event cond_true: Condition "userns_required(def)", taking true branch
2127 if (userns_required(def)) {
(6) Event cond_false: Condition "userns_supported()", taking false branch
2128 if (userns_supported()) {
2129 VIR_DEBUG("Enable user namespace");
2130 cflags |= CLONE_NEWUSER;
(7) Event else_branch: Reached else branch
2131 } else {
2132 virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
2133 _("Kernel doesn't support user namespace"));
(8) Event leaked_storage: Variable "stacktop" going out of scope leaks the storage it points to.
(9) Event leaked_storage: Variable "stack" going out of scope leaks the storage it points to.
Also see events: [alloc_arg][var_assign]
2134 return -1;
John
> }
>
> if (lxcNeedNetworkNamespace(def)) {
>