[libvirt] [PATCH v3] lxc: Inherit namespace feature

Thu Aug 27 11:02:03 UTC 2015

On 08/14/2015 08:09 AM, Daniel P. Berrange wrote:
> From: Imran Khan <ik.nitk at gmail.com>
> 
> This patch adds feature for lxc containers to inherit namespaces.
> This is very similar to what lxc-tools or docker provides.  Look
> for "man lxc-start" and you will find that you can pass command
> args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker
> networking option in which you can give --net=container:NAME_or_ID
> as an option for sharing +namespace.
> 
>>From this patch you can add extra libvirt option to share
> namespace in following way.
> 
>   <lxc:namespace>
>     <lxc:sharenet type='netns' value='red'/>
>     <lxc:shareipc type='pid' value='12345'/>
>     <lxc:shareuts type='name' value='container1'/>
>   </lxc:namespace>
> 
> The netns option is specific to sharenet. It can be used to
> inherit from existing network namespace.
> 
> Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
> ---
>  docs/drvlxc.html.in           |  21 ++++++
>  docs/schemas/domaincommon.rng |  42 ++++++++++++
>  po/POTFILES.in                |   1 +
>  src/Makefile.am               |   6 +-
>  src/lxc/lxc_conf.c            |   2 +-
>  src/lxc/lxc_container.c       |  71 ++++++++++++++++++--
>  src/lxc/lxc_container.h       |   2 +
>  src/lxc/lxc_controller.c      |  45 ++++++++++++-
>  src/lxc/lxc_domain.c          | 149 ++++++++++++++++++++++++++++++++++++++++++
>  src/lxc/lxc_domain.h          |  26 ++++++++
>  src/lxc/lxc_process.c         | 149 ++++++++++++++++++++++++++++++++++++++++++
>  tests/lxcxml2xmltest.c        |   1 +
>  12 files changed, 506 insertions(+), 9 deletions(-)
> 
...

Coverity found a resource leak...

> @@ -2342,6 +2378,7 @@ int lxcContainerStart(virDomainDefPtr def,
>                        int *passFDs,
>                        int control,
>                        int handshakefd,
> +                      int *nsInheritFDs,
>                        size_t nttyPaths,
>                        char **ttyPaths)
>  {
> @@ -2359,7 +2396,8 @@ int lxcContainerStart(virDomainDefPtr def,
>          .monitor = control,
>          .nttyPaths = nttyPaths,
>          .ttyPaths = ttyPaths,
> -        .handshakefd = handshakefd
> +        .handshakefd = handshakefd,
> +        .nsInheritFDs = nsInheritFDs,
>      };
>  
>      /* allocate a stack for the container */
> @@ -2368,7 +2406,7 @@ int lxcContainerStart(virDomainDefPtr def,
>  
>      stacktop = stack + stacksize;
>  
> -    cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
> +    cflags = CLONE_NEWPID|CLONE_NEWNS|SIGCHLD;
>  
>      if (userns_required(def)) {
>          if (userns_supported()) {
> @@ -2381,10 +2419,31 @@ int lxcContainerStart(virDomainDefPtr def,
>              return -1;
>          }
>      }
> +    if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHARENET] == -1) {
> +        if (lxcNeedNetworkNamespace(def)) {
> +            VIR_DEBUG("Enable network namespaces");
> +            cflags |= CLONE_NEWNET;
> +        }
> +    } else {
> +        if (lxcNeedNetworkNamespace(def)) {
> +            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                           _("Config askes for inherit net namespace "
> +                             "as well as private network interfaces"));
> +            return -1;

This leaks 'stack'...

Sending a patch shortly.

John

> +        }
> +        VIR_DEBUG("Inheriting a net namespace");
> +    }
>  
> -    if (lxcNeedNetworkNamespace(def)) {
> -        VIR_DEBUG("Enable network namespaces");
> -        cflags |= CLONE_NEWNET;
> +    if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC] == -1) {
> +        cflags |= CLONE_NEWIPC;
> +    } else {
> +        VIR_DEBUG("Inheriting an IPC namespace");
> +    }
> +
> +    if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] == -1) {
> +        cflags |= CLONE_NEWUTS;
> +    } else {
> +        VIR_DEBUG("Inheriting a UTS namespace");
>      }
>  
>      VIR_DEBUG("Cloning container init process");