[libvirt] [PATCH v4 02/10] LXC: enable user namespace only when user set the uidmap

Daniel P. Berrange berrange at redhat.com
Fri Jun 7 11:39:35 UTC 2013 

On Fri, Jun 07, 2013 at 03:12:19PM +0800, Gao feng wrote:
> User namespace will be enabled only when the idmap exist
> in configuration.
> 
> If you want disable user namespace,just remove these
> elements from XML.
> 
> If kernel doesn't support user namespace and idmap exist
> in configuration file, libvirt lxc will start failed and
> return "Kernel doesn't support user namespace" message.
> 
> Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
> ---
>  src/lxc/lxc_container.c | 24 ++++++++++++++----------
>  1 file changed, 14 insertions(+), 10 deletions(-)
> 
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 181f6c8..5d4da73 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -2018,14 +2018,12 @@ cleanup:
>  
>  static int userns_supported(void)
>  {
> -#if 1
> -    /*
> -     * put off using userns until uid mapping is implemented
> -     */
> -    return 0;
> -#else
>      return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> -#endif
> +}
> +
> +static int userns_required(virDomainDefPtr def)
> +{
> +    return def->idmap.uidmap && def->idmap.gidmap;
>  }
>  
>  virArch lxcContainerGetAlt32bitArch(virArch arch)
> @@ -2105,9 +2103,15 @@ int lxcContainerStart(virDomainDefPtr def,
>  
>      cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
>  
> -    if (userns_supported()) {
> -        VIR_DEBUG("Enable user namespaces");
> -        cflags |= CLONE_NEWUSER;
> +    if (userns_required(def)) {
> +        if (userns_supported()) {
> +            VIR_DEBUG("Enable user namespace");
> +            cflags |= CLONE_NEWUSER;
> +        } else {
> +            virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                                 _("Kernel doesn't support user namespace"));
> +            return -1;
> +        }
>      }

ACK

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvir-list mailing list