[libvirt] [PATCH v2 2/8] LXC: enable user namespace when user set the uidmap

Gao feng gaofeng at cn.fujitsu.com
Mon May 13 01:44:07 UTC 2013


On 05/10/2013 06:26 PM, Daniel P. Berrange wrote:
> On Fri, May 10, 2013 at 05:58:11PM +0800, Gao feng wrote:
>> If the idmap exists, the user namespace will be enabled
>> automatically.
>> If you want to disable the user namespace, just remove these
>> elements from the XML.
>>
>> Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
>> ---
>>  src/lxc/lxc_container.c | 14 ++++----------
>>  1 file changed, 4 insertions(+), 10 deletions(-)
>>
>> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
>> index 8e1d10a..094f205 100644
>> --- a/src/lxc/lxc_container.c
>> +++ b/src/lxc/lxc_container.c
>> @@ -2030,16 +2030,10 @@ cleanup:
>>      return ret;
>>  }
>>  
>> -static int userns_supported(void)
>> +static int userns_supported(virDomainDefPtr def)
>>  {
>> -#if 1
>> -    /*
>> -     * put off using userns until uid mapping is implemented
>> -     */
>> -    return 0;
>> -#else
>> -    return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
>> -#endif
>> +    return (def->idmap.nuidmap && def->idmap.ngidmap &&
>> +            lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0);
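Review bot: folding the config test into userns_supported() (`return (def->idmap.nuidmap && def->idmap.ngidmap && lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0)`) makes a requested idmap fail open on a kernel without LXC_CONTAINER_FEATURE_USER: the function returns 0, the container starts without a user namespace, and nothing is reported to the user. Keep userns_supported() as the pure kernel probe, add a userns_required(def) that tests the idmap, and have the caller raise an error when the config requires userns but the kernel cannot provide it. The `&&` between nuidmap and ngidmap has the same silent effect for a config that carries only a uidmap or only a gidmap; either reject a half-specified mapping explicitly or accept a single map, but do not skip the namespace quietly. The diffstat (4 insertions, 10 deletions) counts one more `+` and `-` line than this hunk shows, so the call site that now passes `def` is not visible in the quoted patch and should be checked for the same error handling.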
> 
> 
> No you can't do this - it causes the code to silently ignore the
> requested idmap if the kernel doesn't support it. If the kernel
> can't support it we must report a fatal error to the user not
> ignore it.
> 
> 
> You should separate these checks really - userns_supported() to
> check the kernel and 'userns_required(def)' to check if the config
> requires it.
> 

Got it, thanks for your comments :)

Thanks,
Gao
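The separation asked for in the review, as an added example in C that is not libvirt code: a pure kernel probe, a pure config check, and a decision function that fails hard when the config requires a user namespace the kernel cannot provide, instead of silently starting the container without one. The struct, the feature bit value and every function name here are assumptions standing in for libvirt's virDomainDef, LXC_CONTAINER_FEATURE_USER and lxcContainerAvailable(); the kernel capability is passed in as a mask so the scenarios run offline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed feature bit standing in for libvirt's LXC_CONTAINER_FEATURE_USER. */
#define EX_FEATURE_USERNS 0x1u

/* Assumed stand-in for the idmap part of virDomainDef. */
typedef struct {
    size_t nuidmap;   /* number of uid map entries in the XML */
    size_t ngidmap;   /* number of gid map entries in the XML */
} ExampleDomainDef;

/* Kernel check only. kernel_features is a caller-supplied mask standing in
 * for what lxcContainerAvailable() would probe at runtime. */
static bool userns_supported(unsigned kernel_features)
{
    return (kernel_features & EX_FEATURE_USERNS) != 0;
}

/* Config check only: any idmap element means the user asked for userns. */
static bool userns_required(const ExampleDomainDef *def)
{
    return def->nuidmap > 0 || def->ngidmap > 0;
}

/* Outcome codes returned by userns_decide(). */
enum { USERNS_OFF = 0, USERNS_ON = 1, USERNS_ERROR = -1 };

/* Combine the two checks the way the review asks: an idmap on a kernel
 * without userns support is a fatal error, never a silent downgrade. A
 * mapping with only uid or only gid entries is also rejected; that is a
 * design choice of this example (the quoted patch would run without userns). */
static int userns_decide(const ExampleDomainDef *def, unsigned kernel_features)
{
    if (!userns_required(def))
        return USERNS_OFF;          /* no idmap in the XML: plain container */

    if (def->nuidmap == 0 || def->ngidmap == 0) {
        fprintf(stderr, "error: idmap needs both uid and gid mappings\n");
        return USERNS_ERROR;
    }

    if (!userns_supported(kernel_features)) {
        fprintf(stderr, "error: idmap requested but kernel lacks "
                        "user namespace support\n");
        return USERNS_ERROR;
    }

    return USERNS_ON;
}

/* Convenience wrapper so the constructed scenarios can be checked by value. */
static int example_outcome(size_t nuidmap, size_t ngidmap, unsigned kernel_features)
{
    ExampleDomainDef def = { nuidmap, ngidmap };
    return userns_decide(&def, kernel_features);
}

int main(void)
{
    /* Constructed scenarios: (uid entries, gid entries, kernel mask). */
    printf("no idmap, old kernel     -> %d\n", example_outcome(0, 0, 0));
    printf("idmap, userns kernel     -> %d\n", example_outcome(1, 1, EX_FEATURE_USERNS));
    printf("idmap, old kernel        -> %d\n", example_outcome(1, 1, 0));
    printf("uid map only, new kernel -> %d\n", example_outcome(1, 0, EX_FEATURE_USERNS));
    return 0;
}
```

The point of keeping userns_supported() free of any reference to `def` is that the caller can distinguish "not asked for" from "asked for but impossible": only the first is allowed to proceed without a user namespace.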