[libvirt] [PATCH v3 02/12] LXC: enable user namespace only when user set the uidmap

John Ferlan jferlan at redhat.com
Wed Jul 3 10:52:19 UTC 2013


On 05/23/2013 12:06 AM, Gao feng wrote:
> User namespace will be enabled only when the idmap exist
> in configuration.
> 
> If you want disable user namespace,just remove these
> elements from XML.
> 
> If kernel doesn't support user namespace and idmap exist
> in configuration file, libvirt lxc will start failed and
> return "Kernel doesn't support user namespace" message.
> 
> Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
> ---
>  src/lxc/lxc_container.c | 24 ++++++++++++++----------
>  1 file changed, 14 insertions(+), 10 deletions(-)
> 
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index c74e3ca..618252c 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -2029,14 +2029,12 @@ cleanup:
>  
>  static int userns_supported(void)
>  {
> -#if 1
> -    /*
> -     * put off using userns until uid mapping is implemented
> -     */
> -    return 0;
> -#else
>      return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> -#endif
> +}
> +
> +static int userns_required(virDomainDefPtr def)
> +{
> +	return def->idmap.uidmap && def->idmap.gidmap;
>  }
>  
>  virArch lxcContainerGetAlt32bitArch(virArch arch)
> @@ -2116,9 +2114,15 @@ int lxcContainerStart(virDomainDefPtr def,
>  
>      cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
>  
> -    if (userns_supported()) {
> -        VIR_DEBUG("Enable user namespaces");
> -        cflags |= CLONE_NEWUSER;
> +    if (userns_required(def)) {
> +        if (userns_supported()) {
> +            VIR_DEBUG("Enable user namespace");
> +            cflags |= CLONE_NEWUSER;
> +        } else {
> +            virReportSystemError(VIR_ERR_NO_KERNEL, "%s",
> +                                 _("Kernel doesn't support user namespace"));
> +            return -1;
> +        }

Since this was pushed yesterday, my overnight Coverity run picked up a
problem (resource leak because stack is not VIR_FREE()'d):


2118 	    /* allocate a stack for the container */

(1) Event alloc_arg: 	"virAllocN(void *, size_t, size_t)" allocates memory that is stored into "stack". [details]
(2) Event cond_false: 	Condition "virAllocN(&stack, 1UL /* sizeof (*stack) */, stacksize) < 0", taking false branch
Also see events: 	[var_assign][leaked_storage][leaked_storage]

2119 	    if (VIR_ALLOC_N(stack, stacksize) < 0) {
2120 	        virReportOOMError();
2121 	        return -1;

(3) Event if_end: 	End of if statement

2122 	    }

(4) Event var_assign: 	Assigning: "stacktop" = "stack".
Also see events: 	[alloc_arg][leaked_storage][leaked_storage]

2123 	    stacktop = stack + stacksize;
2124 	
2125 	    cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
2126 	

(5) Event cond_true: 	Condition "userns_required(def)", taking true branch

2127 	    if (userns_required(def)) {

(6) Event cond_false: 	Condition "userns_supported()", taking false branch

2128 	        if (userns_supported()) {
2129 	            VIR_DEBUG("Enable user namespace");
2130 	            cflags |= CLONE_NEWUSER;

(7) Event else_branch: 	Reached else branch

2131 	        } else {
2132 	            virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
2133 	                                 _("Kernel doesn't support user namespace"));

(8) Event leaked_storage: 	Variable "stacktop" going out of scope leaks the storage it points to.
(9) Event leaked_storage: 	Variable "stack" going out of scope leaks the storage it points to.
Also see events: 	[alloc_arg][var_assign]

2134 	            return -1;



John


>      }
>  
>      if (lxcNeedNetworkNamespace(def)) {
> 




More information about the libvir-list mailing list