On Mon, Apr 20, 2009 at 11:29:13AM +0100, Daniel P. Berrange wrote:
On Fri, Apr 17, 2009 at 04:50:10PM -0500, Serge E. Hallyn wrote:
> From 2513f8a7e0654e84570fe0ef2204dabe276b9e4e Mon Sep 17 00:00:00 2001
> From: root <root(a)jaunty.(none)>
> Date: Fri, 17 Apr 2009 16:41:01 -0500
> Subject: [PATCH 1/1] lxc: only do CLONE_NEWUSER when kernel supports it
>
> The ubuntu jaunty kernel is not compiled with USER_NS. Since
> libvirt-lxc always does clone(CLONE_NEWUSER) it gets -EINVAL
> and mysteriously claims to be unable to contact hypervisor.
>
> This patch isn't the right thing to do, but I'm not sure what
> is. User namespaces do (since recently) isolate the in-kernel
> keyring. So the right thing might be to add a flag to the
> xml definition file to specify whether to use a user namespace.
> This patch doesn't do that, rather it always does CLONE_NEWUSER
> if the kernel supports it, and never if not.
I think this patch is sufficient. If it is genuinely important to
support CLONE_NEWUSER then Ubuntu can fix their kernel config,
otherwise simply disabling it in libvirt when not present is fine.
Okay, I wasn't sure.
> diff --git a/src/lxc_container.c b/src/lxc_container.c
> index 67c66bd..8069af7 100644
> --- a/src/lxc_container.c
> +++ b/src/lxc_container.c
> @@ -666,6 +666,11 @@ static int lxcContainerChild( void *data )
> return lxcContainerExecInit(vmDef);
> }
>
> +int userns_supported(void)
> +{
> + return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
> +}
> +
I will just make that function static since it doesn't need to be
exported.
> /**
> * lxcContainerStart:
> * @driver: pointer to driver structure
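Review bot: `userns_supported()` at `+int userns_supported(void)` has external linkage but is used only inside lxc_container.c and gets no prototype in lxc_container.h in this patch, so it should be `static int userns_supported(void)`, as the reply above already proposes. Note also that each call re-runs `lxcContainerAvailable()`, which spawns a probe child (see the `cpid`/`childStack` hunk below), so if the helper is ever called from more than one place the result should be computed once and cached rather than probed on every container start.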
> @@ -694,7 +699,10 @@ int lxcContainerStart(virDomainDefPtr def,
> }
> stacktop = stack + stacksize;
>
> - flags =
CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWUSER|CLONE_NEWIPC|SIGCHLD;
> + flags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
> +
> + if (userns_supported())
> + flags |= CLONE_NEWUSER;
>
> if (def->nets != NULL)
> flags |= CLONE_NEWNET;
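Review bot: when `userns_supported()` returns false, the container is started without CLONE_NEWUSER and nothing in this hunk records that; an administrator reading the logs cannot tell whether a guest received user namespace isolation. Since the commit message itself points out that user namespaces now isolate the in-kernel keyring, the silent fallback weakens isolation compared with the previous unconditional CLONE_NEWUSER, so consider logging a warning in the `else` branch of `if (userns_supported())` stating that the kernel lacks USER_NS and the container runs without a user namespace.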
> @@ -719,13 +727,16 @@ static int lxcContainerDummyChild(void *argv
ATTRIBUTE_UNUSED)
>
> int lxcContainerAvailable(int features)
> {
> - int flags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWUSER|
> + int flags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|
> CLONE_NEWIPC|SIGCHLD;
> int cpid;
> char *childStack;
> char *stack;
> int childStatus;
>
> + if (features & LXC_CONTAINER_FEATURE_USER)
> + flags |= CLONE_NEWUSER;
> +
> if (features & LXC_CONTAINER_FEATURE_NET)
> flags |= CLONE_NEWNET;
>
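Review bot: dropping CLONE_NEWUSER from the default `flags` in `lxcContainerAvailable()` means a caller passing `features = 0` now succeeds on kernels built without USER_NS, which is what the fix needs, but it also changes the meaning of the generic probe: it no longer verifies user namespace support unless LXC_CONTAINER_FEATURE_USER is passed. The function's documentation (outside this hunk) should say so explicitly so that other callers do not keep assuming the old stronger check. The new `if (features & LXC_CONTAINER_FEATURE_USER)` block mirrors the existing FEATURE_NET handling, which is consistent.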
> diff --git a/src/lxc_container.h b/src/lxc_container.h
> index 5d037b0..b99e83e 100644
> --- a/src/lxc_container.h
> +++ b/src/lxc_container.h
> @@ -28,6 +28,7 @@
>
> enum {
> LXC_CONTAINER_FEATURE_NET = (1 << 0),
> + LXC_CONTAINER_FEATURE_USER = (1 << 1),
> };
>
> #define LXC_DEV_MAJ_MEMORY 1
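Review bot: the header gains `LXC_CONTAINER_FEATURE_USER = (1 << 1)` in the existing bit-flag style but no prototype for `userns_supported()`, which is correct only if that helper is made `static` in lxc_container.c as discussed above. A one-line comment on the enum explaining that these bits select which clone() namespaces `lxcContainerAvailable()` probes would help readers of the header, since the meaning of the default probe changes with this patch.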
ACK
Okay, will commit!
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit
http://xmlsoft.org/
daniel(a)veillard.com | Rpmfind RPM search engine
http://rpmfind.net/
http://veillard.com/ | virtualization library
http://libvirt.org/