
On 08/14/2015 08:09 AM, Daniel P. Berrange wrote:
From: Imran Khan <ik.nitk@gmail.com>
This patch adds a feature that lets LXC containers inherit namespaces. It is very similar to what lxc-tools and docker provide: "man lxc-start" shows that you can pass command-line arguments of the form [ --share-[net|ipc|uts] name|pid ], and docker's networking option --net=container:NAME_or_ID shares another container's network namespace.
With this patch you can add an extra libvirt option to share namespaces in the following way.
<lxc:namespace> <lxc:sharenet type='netns' value='red'/> <lxc:shareipc type='pid' value='12345'/> <lxc:shareuts type='name' value='container1'/> </lxc:namespace>
The netns option is specific to sharenet. It can be used to inherit from existing network namespace.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- docs/drvlxc.html.in | 21 ++++++ docs/schemas/domaincommon.rng | 42 ++++++++++++ po/POTFILES.in | 1 + src/Makefile.am | 6 +- src/lxc/lxc_conf.c | 2 +- src/lxc/lxc_container.c | 71 ++++++++++++++++++-- src/lxc/lxc_container.h | 2 + src/lxc/lxc_controller.c | 45 ++++++++++++- src/lxc/lxc_domain.c | 149 ++++++++++++++++++++++++++++++++++++++++++ src/lxc/lxc_domain.h | 26 ++++++++ src/lxc/lxc_process.c | 149 ++++++++++++++++++++++++++++++++++++++++++ tests/lxcxml2xmltest.c | 1 + 12 files changed, 506 insertions(+), 9 deletions(-)
... Coverity found a resource leak...
@@ -2342,6 +2378,7 @@ int lxcContainerStart(virDomainDefPtr def,
int *passFDs,
int control,
int handshakefd,
+ int *nsInheritFDs,
size_t nttyPaths,
char **ttyPaths)
{
@@ -2359,7 +2396,8 @@ int lxcContainerStart(virDomainDefPtr def,
.monitor = control,
.nttyPaths = nttyPaths,
.ttyPaths = ttyPaths,
- .handshakefd = handshakefd
+ .handshakefd = handshakefd,
+ .nsInheritFDs = nsInheritFDs,
};
/* allocate a stack for the container */
@@ -2368,7 +2406,7 @@ int lxcContainerStart(virDomainDefPtr def,
stacktop = stack + stacksize;
- cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
+ cflags = CLONE_NEWPID|CLONE_NEWNS|SIGCHLD;
if (userns_required(def)) {
if (userns_supported()) {
@@ -2381,10 +2419,31 @@ int lxcContainerStart(virDomainDefPtr def,
return -1;
}
}
+ if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHARENET] == -1) {
+ if (lxcNeedNetworkNamespace(def)) {
+ VIR_DEBUG("Enable network namespaces");
+ cflags |= CLONE_NEWNET;
+ }
+ } else {
+ if (lxcNeedNetworkNamespace(def)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Config askes for inherit net namespace "
+ "as well as private network interfaces"));
+ return -1;
This leaks 'stack'... Sending a patch shortly. John
+ }
+ VIR_DEBUG("Inheriting a net namespace");
+ }
- if (lxcNeedNetworkNamespace(def)) {
- VIR_DEBUG("Enable network namespaces");
- cflags |= CLONE_NEWNET;
+ if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC] == -1) {
+ cflags |= CLONE_NEWIPC;
+ } else {
+ VIR_DEBUG("Inheriting an IPC namespace");
+ }
+
+ if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] == -1) {
+ cflags |= CLONE_NEWUTS;
+ } else {
+ VIR_DEBUG("Inheriting a UTS namespace");
}
VIR_DEBUG("Cloning container init process");
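Review bot: The three `nsInheritFDs[...] == -1` tests dereference the new pointer parameter unconditionally, so any caller of lxcContainerStart that still passes NULL, or an array shorter than the VIR_LXC_DOMAIN_NAMESPACE_* indices used here, will crash before the container is cloned; either document the precondition on the parameter, e.g. `/* nsInheritFDs: one fd per VIR_LXC_DOMAIN_NAMESPACE_* to inherit, -1 = create a private namespace; must be non-NULL */`, or reject NULL with a virReportError before the first test. The user-visible message also has a typo and reads awkwardly; `_("Config asks to inherit a net namespace as well as private network interfaces")` is clearer. Separately, the net-namespace/interface conflict is rejected but nothing comparable exists for the UTS case: if the container setup later calls sethostname() for the domain (not visible in this hunk), doing so inside an inherited UTS namespace changes the hostname of whatever the namespace is shared with, which is worth a check or at least a comment. lxcContainerStart begins before this hunk and its body continues past it.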