On 05/23/2013 12:06 AM, Gao feng wrote:
User namespace will be enabled only when the idmap exists
in the configuration.
If you want to disable user namespace, just remove these
elements from the XML.
If the kernel doesn't support user namespace and idmap exists
in the configuration file, libvirt lxc will fail to start and
return the "Kernel doesn't support user namespace" message.
Signed-off-by: Gao feng <gaofeng(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index c74e3ca..618252c 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -2029,14 +2029,12 @@ cleanup:
static int userns_supported(void)
{
-#if 1
- /*
- * put off using userns until uid mapping is implemented
- */
- return 0;
-#else
return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
-#endif
+}
+
+static int userns_required(virDomainDefPtr def)
+{
+ return def->idmap.uidmap && def->idmap.gidmap;
}
virArch lxcContainerGetAlt32bitArch(virArch arch)
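Review bot: userns_required() uses `&&`, so a domain that defines only `def->idmap.uidmap` or only `def->idmap.gidmap` silently starts without a user namespace instead of being rejected; either report a configuration error for a half-specified idmap (here or at XML parse time) or treat either map being present as "required" so the missing one becomes an error rather than a silent downgrade. A smaller point: both userns_supported() and the new userns_required() answer a yes/no question but return int; returning bool from both would make their use in lxcContainerStart() read more cleanly.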
@@ -2116,9 +2114,15 @@ int lxcContainerStart(virDomainDefPtr def,
cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
- if (userns_supported()) {
- VIR_DEBUG("Enable user namespaces");
- cflags |= CLONE_NEWUSER;
+ if (userns_required(def)) {
+ if (userns_supported()) {
+ VIR_DEBUG("Enable user namespace");
+ cflags |= CLONE_NEWUSER;
+ } else {
+ virReportSystemError(VIR_ERR_NO_KERNEL, "%s",
+ _("Kernel doesn't support user
namespace"));
+ return -1;
+ }
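Review bot: the `return -1` in the new else branch leaves lxcContainerStart() without freeing the container stack allocated a few lines above this hunk (the Coverity trace in the reply below walks exactly this path: VIR_ALLOC_N(stack, stacksize), then the userns_supported() false branch), so the error path leaks `stack`; route it through a `cleanup:` label that does VIR_FREE(stack), or free it before returning. Separately, virReportSystemError() takes an errno value as its first argument, so passing VIR_ERR_NO_KERNEL (a virErrorNumber) appends a meaningless strerror() text to the message; use virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("Kernel doesn't support user namespace")) instead (the pushed version shown in the trace already switched the code to VIR_ERR_CONFIG_UNSUPPORTED but still goes through virReportSystemError()).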
Since this was pushed yesterday, my overnight Coverity run picked up a
problem (resource leak because stack is not VIR_FREE()'d):
2118 /* allocate a stack for the container */
(1) Event alloc_arg: "virAllocN(void *, size_t, size_t)" allocates memory that
is stored into "stack". [details]
(2) Event cond_false: Condition "virAllocN(&stack, 1UL /* sizeof (*stack) */,
stacksize) < 0", taking false branch
Also see events: [var_assign][leaked_storage][leaked_storage]
2119 if (VIR_ALLOC_N(stack, stacksize) < 0) {
2120 virReportOOMError();
2121 return -1;
(3) Event if_end: End of if statement
2122 }
(4) Event var_assign: Assigning: "stacktop" = "stack".
Also see events: [alloc_arg][leaked_storage][leaked_storage]
2123 stacktop = stack + stacksize;
2124
2125 cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
2126
(5) Event cond_true: Condition "userns_required(def)", taking true branch
2127 if (userns_required(def)) {
(6) Event cond_false: Condition "userns_supported()", taking false branch
2128 if (userns_supported()) {
2129 VIR_DEBUG("Enable user namespace");
2130 cflags |= CLONE_NEWUSER;
(7) Event else_branch: Reached else branch
2131 } else {
2132 virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
2133 _("Kernel doesn't support user
namespace"));
(8) Event leaked_storage: Variable "stacktop" going out of scope leaks the
storage it points to.
(9) Event leaked_storage: Variable "stack" going out of scope leaks the storage
it points to.
Also see events: [alloc_arg][var_assign]
2134 return -1;
}

if (lxcNeedNetworkNamespace(def)) {

John
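The leak Coverity reported above is the classic early-return-after-allocation shape. The following is an added example, not libvirt code: it reproduces that shape with a counting allocator so the outstanding allocation is observable without valgrind, and shows the usual fix of routing every exit after the allocation through a single cleanup label. The names (`container_start_leaky`, `container_start_fixed`, `struct domain_def`, `counted_alloc`) are hypothetical stand-ins for lxcContainerStart(), virDomainDef and VIR_ALLOC_N().

```c
/* Added example (not libvirt code): the error-path leak Coverity flagged,
 * and the one-cleanup-label fix. All names are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Counting allocator: live_allocations tells us what a function left behind. */
static int live_allocations = 0;

static void *counted_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        live_allocations++;
    return p;
}

static void counted_free(void *p)
{
    if (p) {
        live_allocations--;
        free(p);
    }
}

/* Stand-in for the relevant part of the domain definition. */
struct domain_def {
    bool has_uidmap;
    bool has_gidmap;
};

/* Mirrors the patch: a user namespace is required only with both maps set. */
static bool userns_required(const struct domain_def *def)
{
    return def->has_uidmap && def->has_gidmap;
}

/* Buggy shape: the stack is allocated, then the "kernel lacks userns" path
 * returns without freeing it. This is the path in the Coverity trace. */
static int container_start_leaky(const struct domain_def *def, bool kernel_has_userns)
{
    size_t stacksize = 32 * 1024;
    char *stack = counted_alloc(stacksize);
    if (!stack)
        return -1;

    if (userns_required(def) && !kernel_has_userns) {
        /* would report "Kernel doesn't support user namespace" here */
        return -1;            /* BUG: stack is never freed */
    }

    /* ... clone() the container on this stack ... */
    counted_free(stack);
    return 0;
}

/* Fixed shape: every exit after the allocation goes through cleanup. */
static int container_start_fixed(const struct domain_def *def, bool kernel_has_userns)
{
    size_t stacksize = 32 * 1024;
    int ret = -1;
    char *stack = counted_alloc(stacksize);
    if (!stack)
        return -1;

    if (userns_required(def) && !kernel_has_userns)
        goto cleanup;         /* error is reported, then we fall to cleanup */

    /* ... clone() the container on this stack ... */
    ret = 0;

cleanup:
    counted_free(stack);      /* runs on both the success and the error path */
    return ret;
}

/* Drives fn with an idmap present and no kernel userns support (the failing
 * configuration) and returns how many allocations it left outstanding. */
static int leaked_after(int (*fn)(const struct domain_def *, bool))
{
    struct domain_def def = { .has_uidmap = true, .has_gidmap = true };
    live_allocations = 0;
    (void)fn(&def, false);
    return live_allocations;
}

/* Both shapes must still refuse to start in that configuration. */
static bool refuses_without_userns(int (*fn)(const struct domain_def *, bool))
{
    struct domain_def def = { .has_uidmap = true, .has_gidmap = true };
    return fn(&def, false) == -1;
}

int main(void)
{
    printf("leaky: %d outstanding allocation(s)\n", leaked_after(container_start_leaky));
    printf("fixed: %d outstanding allocation(s)\n", leaked_after(container_start_fixed));
    return 0;
}
```

The counter is only a teaching device; in a real tree the same defect is caught by Coverity, as here, or by running the test suite under valgrind or ASan. The structural point is that once a function owns an allocation, a plain `return` is no longer a safe way to leave it; libvirt's own convention for this is the `cleanup:` label with VIR_FREE().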