7:09 a.m.
From: Imran Khan <ik.nitk(a)gmail.com>
This patch adds feature for lxc containers to inherit namespaces.
This is very similar to what lxc-tools or docker provides. Look
for "man lxc-start" and you will find that you can pass command
args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker
networking option in which you can give --net=container:NAME_or_ID
as an option for sharing +namespace.
From this patch you can add extra libvirt option to share
namespace in following way.
<lxc:namespace>
<lxc:sharenet type='netns' value='red'/>
<lxc:shareipc type='pid' value='12345'/>
<lxc:shareuts type='name' value='container1'/>
</lxc:namespace>
The netns option is specific to sharenet. It can be used to
inherit from existing network namespace.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
docs/drvlxc.html.in | 21 ++++++
docs/schemas/domaincommon.rng | 42 ++++++++++++
po/POTFILES.in | 1 +
src/Makefile.am | 6 +-
src/lxc/lxc_conf.c | 2 +-
src/lxc/lxc_container.c | 71 ++++++++++++++++++--
src/lxc/lxc_container.h | 2 +
src/lxc/lxc_controller.c | 45 ++++++++++++-
src/lxc/lxc_domain.c | 149 ++++++++++++++++++++++++++++++++++++++++++
src/lxc/lxc_domain.h | 26 ++++++++
src/lxc/lxc_process.c | 149 ++++++++++++++++++++++++++++++++++++++++++
tests/lxcxml2xmltest.c | 1 +
12 files changed, 506 insertions(+), 9 deletions(-)
diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in
index a094bd9..d6c57c4 100644
--- a/docs/drvlxc.html.in
+++ b/docs/drvlxc.html.in
@@ -590,6 +590,27 @@ Note that allowing capabilities that are normally dropped by default
can serious
affect the security of the container and the host.
</p>
+<h2><a name="share">Inherit namespaces</a></h2>
+
+<p>
+Libvirt allows you to inherit the namespace from container/process just like lxc tools
+or docker provides to share the network namespace. The following can be used to share
+required namespaces. If we want to share only one then the other namespaces can be
ignored.
+The netns option is specific to sharenet. It can be used in cases we want to use existing
network namespace
+rather than creating new network namespace for the container. In this case privnet option
will be
+ignored.
+</p>
+<pre>
+<domain type='lxc'
xmlns:lxc='http://libvirt.org/schemas/domain/lxc/1.0'>
+...
+<lxc:namespace>
+ <lxc:sharenet type='netns' value='red'/>
+ <lxc:shareuts type='name' value='container1'/>
+ <lxc:shareipc type='pid' value='12345'/>
+</lxc:namespace>
+</domain>
+</pre>
+
<h2><a name="usage">Container usage /
management</a></h2>
<p>
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 043c975..fa026cd 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -68,6 +68,9 @@
<ref name='qemucmdline'/>
</optional>
<optional>
+ <ref name='lxcsharens'/>
+ </optional>
+ <optional>
<ref name='keywrap'/>
</optional>
</interleave>
@@ -5057,6 +5060,45 @@
</element>
</define>
+ <!--
+ Optional hypervisor extensions in their own namespace:
+ LXC
+ -->
+ <define name="lxcsharens">
+ <element name="namespace"
ns="http://libvirt.org/schemas/domain/lxc/1.0">
+ <zeroOrMore>
+ <element name="sharenet">
+ <attribute name="type">
+ <choice>
+ <value>netns</value>
+ <value>name</value>
+ <value>pid</value>
+ </choice>
+ </attribute>
+ <attribute name='value'/>
+ </element>
+ <element name="shareipc">
+ <attribute name="type">
+ <choice>
+ <value>name</value>
+ <value>pid</value>
+ </choice>
+ </attribute>
+ <attribute name='value'/>
+ </element>
+ <element name="shareuts">
+ <attribute name="type">
+ <choice>
+ <value>name</value>
+ <value>pid</value>
+ </choice>
+ </attribute>
+ <attribute name='value'/>
+ </element>
+ </zeroOrMore>
+ </element>
+ </define>
+
<define name="metadata">
<element name="metadata">
<zeroOrMore>
diff --git a/po/POTFILES.in b/po/POTFILES.in
index c58a7c1..dcabcc8 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -85,6 +85,7 @@ src/lxc/lxc_native.c
src/lxc/lxc_container.c
src/lxc/lxc_conf.c
src/lxc/lxc_controller.c
+src/lxc/lxc_domain.c
src/lxc/lxc_driver.c
src/lxc/lxc_process.c
src/libxl/libxl_domain.c
diff --git a/src/Makefile.am b/src/Makefile.am
index c4d49a5..fde11ff 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1320,7 +1320,11 @@ libvirt_driver_lxc_impl_la_CFLAGS = \
-I$(srcdir)/access \
-I$(srcdir)/conf \
$(AM_CFLAGS)
-libvirt_driver_lxc_impl_la_LIBADD = $(CAPNG_LIBS) $(LIBNL_LIBS) $(FUSE_LIBS)
+libvirt_driver_lxc_impl_la_LIBADD = \
+ $(CAPNG_LIBS) \
+ $(LIBNL_LIBS) \
+ $(LIBXML_LIBS) \
+ $(FUSE_LIBS)
if WITH_BLKID
libvirt_driver_lxc_impl_la_CFLAGS += $(BLKID_CFLAGS)
libvirt_driver_lxc_impl_la_LIBADD += $(BLKID_LIBS)
diff --git a/src/lxc/lxc_conf.c b/src/lxc/lxc_conf.c
index b689b92..8ada531 100644
--- a/src/lxc/lxc_conf.c
+++ b/src/lxc/lxc_conf.c
@@ -213,7 +213,7 @@ lxcDomainXMLConfInit(void)
{
return virDomainXMLOptionNew(&virLXCDriverDomainDefParserConfig,
&virLXCDriverPrivateDataCallbacks,
- NULL);
+ &virLXCDriverDomainXMLNamespace);
}
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 11e9514..d52f57e 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -27,6 +27,7 @@
#include <config.h>
#include <fcntl.h>
+#include <sched.h>
#include <limits.h>
#include <stdlib.h>
#include <stdio.h>
@@ -38,7 +39,6 @@
#include <mntent.h>
#include <sys/reboot.h>
#include <linux/reboot.h>
-
/* Yes, we want linux private one, for _syscall2() macro */
#include <linux/unistd.h>
@@ -111,6 +111,7 @@ struct __lxc_child_argv {
size_t nttyPaths;
char **ttyPaths;
int handshakefd;
+ int *nsInheritFDs;
};
static int lxcContainerMountFSBlock(virDomainFSDefPtr fs,
@@ -2144,6 +2145,35 @@ static int lxcContainerDropCapabilities(virDomainDefPtr def
ATTRIBUTE_UNUSED,
/**
+ * lxcAttach_ns:
+ * @ns_fd: array of namespaces to attach
+ */
+static int lxcAttachNS(int *ns_fd)
+{
+ size_t i;
+
+ for (i = 0; i < VIR_LXC_DOMAIN_NAMESPACE_LAST; i++) {
+ if (ns_fd[i] < 0)
+ continue;
+ VIR_DEBUG("Setting into namespace\n");
+ /* We get EINVAL if new NS is same as the current
+ * NS, or if the fd namespace doesn't match the
+ * type passed to setns()'s second param. Since we
+ * pass 0, we know the EINVAL is harmless
+ */
+ if (setns(ns_fd[i], 0) < 0 &&
+ errno != EINVAL) {
+ virReportSystemError(errno, _("failed to set namespace
'%s'"),
+ virLXCDomainNamespaceTypeToString(i));
+ return -1;
+ }
+ VIR_FORCE_CLOSE(ns_fd[i]);
+ }
+ return 0;
+}
+
+
+/**
* lxcContainerChild:
* @data: pointer to container arguments
*
@@ -2172,6 +2202,12 @@ static int lxcContainerChild(void *data)
goto cleanup;
}
+ if (lxcAttachNS(argv->nsInheritFDs) < 0) {
+ virReportError(VIR_ERR_SYSTEM_ERROR, "%s",
+ _("failed to attach the namespace"));
+ return -1;
+ }
+
/* Wait for controller to finish setup tasks, including
* things like move of network interfaces, uid/gid mapping
*/
@@ -2342,6 +2378,7 @@ int lxcContainerStart(virDomainDefPtr def,
int *passFDs,
int control,
int handshakefd,
+ int *nsInheritFDs,
size_t nttyPaths,
char **ttyPaths)
{
@@ -2359,7 +2396,8 @@ int lxcContainerStart(virDomainDefPtr def,
.monitor = control,
.nttyPaths = nttyPaths,
.ttyPaths = ttyPaths,
- .handshakefd = handshakefd
+ .handshakefd = handshakefd,
+ .nsInheritFDs = nsInheritFDs,
};
/* allocate a stack for the container */
@@ -2368,7 +2406,7 @@ int lxcContainerStart(virDomainDefPtr def,
stacktop = stack + stacksize;
- cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
+ cflags = CLONE_NEWPID|CLONE_NEWNS|SIGCHLD;
if (userns_required(def)) {
if (userns_supported()) {
@@ -2381,10 +2419,31 @@ int lxcContainerStart(virDomainDefPtr def,
return -1;
}
}
+ if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHARENET] == -1) {
+ if (lxcNeedNetworkNamespace(def)) {
+ VIR_DEBUG("Enable network namespaces");
+ cflags |= CLONE_NEWNET;
+ }
+ } else {
+ if (lxcNeedNetworkNamespace(def)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Config askes for inherit net namespace "
+ "as well as private network interfaces"));
+ return -1;
+ }
+ VIR_DEBUG("Inheriting a net namespace");
+ }
- if (lxcNeedNetworkNamespace(def)) {
- VIR_DEBUG("Enable network namespaces");
- cflags |= CLONE_NEWNET;
+ if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC] == -1) {
+ cflags |= CLONE_NEWIPC;
+ } else {
+ VIR_DEBUG("Inheriting an IPC namespace");
+ }
+
+ if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] == -1) {
+ cflags |= CLONE_NEWUTS;
+ } else {
+ VIR_DEBUG("Inheriting a UTS namespace");
}
VIR_DEBUG("Cloning container init process");
diff --git a/src/lxc/lxc_container.h b/src/lxc/lxc_container.h
index 67292ab..33eaab4 100644
--- a/src/lxc/lxc_container.h
+++ b/src/lxc/lxc_container.h
@@ -25,6 +25,7 @@
# define LXC_CONTAINER_H
# include "lxc_conf.h"
+# include "lxc_domain.h"
# include "security/security_manager.h"
enum {
@@ -60,6 +61,7 @@ int lxcContainerStart(virDomainDefPtr def,
int *passFDs,
int control,
int handshakefd,
+ int *nsInheritFDs,
size_t nttyPaths,
char **ttyPaths);
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index 48a3597..19190dd 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -119,6 +119,8 @@ struct _virLXCController {
size_t npassFDs;
int *passFDs;
+ int *nsFDs;
+
size_t nconsoles;
virLXCControllerConsolePtr consoles;
char *devptmx;
@@ -2391,6 +2393,7 @@ virLXCControllerRun(virLXCControllerPtr ctrl)
ctrl->passFDs,
control[1],
containerhandshake[1],
+ ctrl->nsFDs,
ctrl->nconsoles,
containerTTYPaths)) < 0)
goto cleanup;
@@ -2400,6 +2403,9 @@ virLXCControllerRun(virLXCControllerPtr ctrl)
for (i = 0; i < ctrl->npassFDs; i++)
VIR_FORCE_CLOSE(ctrl->passFDs[i]);
+ for (i = 0; i < VIR_LXC_DOMAIN_NAMESPACE_LAST; i++)
+ VIR_FORCE_CLOSE(ctrl->nsFDs[i]);
+
if (virLXCControllerSetupCgroupLimits(ctrl) < 0)
goto cleanup;
@@ -2468,6 +2474,7 @@ int main(int argc, char *argv[])
const char *name = NULL;
size_t nveths = 0;
char **veths = NULL;
+ int ns_fd[VIR_LXC_DOMAIN_NAMESPACE_LAST];
int handshakeFd = -1;
bool bg = false;
const struct option options[] = {
@@ -2478,6 +2485,9 @@ int main(int argc, char *argv[])
{ "passfd", 1, NULL, 'p' },
{ "handshakefd", 1, NULL, 's' },
{ "security", 1, NULL, 'S' },
+ { "share-net", 1, NULL, 'N' },
+ { "share-ipc", 1, NULL, 'I' },
+ { "share-uts", 1, NULL, 'U' },
{ "help", 0, NULL, 'h' },
{ 0, 0, 0, 0 },
};
@@ -2489,6 +2499,9 @@ int main(int argc, char *argv[])
size_t i;
const char *securityDriver = "none";
+ for (i = 0; i < VIR_LXC_DOMAIN_NAMESPACE_LAST; i++)
+ ns_fd[i] = -1;
+
if (setlocale(LC_ALL, "") == NULL ||
bindtextdomain(PACKAGE, LOCALEDIR) == NULL ||
textdomain(PACKAGE) == NULL ||
@@ -2504,7 +2517,7 @@ int main(int argc, char *argv[])
while (1) {
int c;
- c = getopt_long(argc, argv, "dn:v:p:m:c:s:h:S:",
+ c = getopt_long(argc, argv, "dn:v:p:m:c:s:h:S:N:I:U:",
options, NULL);
if (c == -1)
@@ -2552,6 +2565,30 @@ int main(int argc, char *argv[])
}
break;
+ case 'N':
+ if (virStrToLong_i(optarg, NULL, 10,
&ns_fd[VIR_LXC_DOMAIN_NAMESPACE_SHARENET]) < 0) {
+ fprintf(stderr, "malformed --share-net argument '%s'",
+ optarg);
+ goto cleanup;
+ }
+ break;
+
+ case 'I':
+ if (virStrToLong_i(optarg, NULL, 10,
&ns_fd[VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC]) < 0) {
+ fprintf(stderr, "malformed --share-ipc argument '%s'",
+ optarg);
+ goto cleanup;
+ }
+ break;
+
+ case 'U':
+ if (virStrToLong_i(optarg, NULL, 10,
&ns_fd[VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS]) < 0) {
+ fprintf(stderr, "malformed --share-uts argument '%s'",
+ optarg);
+ goto cleanup;
+ }
+ break;
+
case 'S':
securityDriver = optarg;
break;
@@ -2569,6 +2606,9 @@ int main(int argc, char *argv[])
fprintf(stderr, " -v VETH, --veth VETH\n");
fprintf(stderr, " -s FD, --handshakefd FD\n");
fprintf(stderr, " -S NAME, --security NAME\n");
+ fprintf(stderr, " -N FD, --share-net FD\n");
+ fprintf(stderr, " -I FD, --share-ipc FD\n");
+ fprintf(stderr, " -U FD, --share-uts FD\n");
fprintf(stderr, " -h, --help\n");
fprintf(stderr, "\n");
goto cleanup;
@@ -2621,6 +2661,9 @@ int main(int argc, char *argv[])
ctrl->passFDs = passFDs;
ctrl->npassFDs = npassFDs;
+ for (i = 0; i < VIR_LXC_DOMAIN_NAMESPACE_LAST; i++)
+ ctrl->nsFDs[i] = ns_fd[i];
+
for (i = 0; i < nttyFDs; i++) {
if (virLXCControllerAddConsole(ctrl, ttyFDs[i]) < 0)
goto cleanup;
diff --git a/src/lxc/lxc_domain.c b/src/lxc/lxc_domain.c
index 2f377d8..e3da9f0 100644
--- a/src/lxc/lxc_domain.c
+++ b/src/lxc/lxc_domain.c
@@ -26,8 +26,13 @@
#include "viralloc.h"
#include "virlog.h"
#include "virerror.h"
+#include <libxml/xpathInternals.h>
+#include "virstring.h"
+#include "virutil.h"
+#include "virfile.h"
#define VIR_FROM_THIS VIR_FROM_LXC
+#define LXC_NAMESPACE_HREF "http://libvirt.org/schemas/domain/lxc/1.0"
VIR_LOG_INIT("lxc.lxc_domain");
@@ -41,6 +46,150 @@ static void *virLXCDomainObjPrivateAlloc(void)
return priv;
}
+VIR_ENUM_IMPL(virLXCDomainNamespace,
+ VIR_LXC_DOMAIN_NAMESPACE_LAST,
+ "sharenet",
+ "shareipc",
+ "shareuts")
+
+VIR_ENUM_IMPL(virLXCDomainNamespaceSource,
+ VIR_LXC_DOMAIN_NAMESPACE_SOURCE_LAST,
+ "none",
+ "name",
+ "pid",
+ "netns")
+
+static void
+lxcDomainDefNamespaceFree(void *nsdata)
+{
+ size_t i;
+ lxcDomainDefPtr lxcDef = nsdata;
+ for (i = 0; i < VIR_LXC_DOMAIN_NAMESPACE_LAST; i++)
+ VIR_FREE(lxcDef->ns_val[i]);
+ VIR_FREE(nsdata);
+}
+
+static int
+lxcDomainDefNamespaceParse(xmlDocPtr xml ATTRIBUTE_UNUSED,
+ xmlNodePtr root ATTRIBUTE_UNUSED,
+ xmlXPathContextPtr ctxt,
+ void **data)
+{
+ lxcDomainDefPtr lxcDef = NULL;
+ xmlNodePtr *nodes = NULL;
+ bool uses_lxc_ns = false;
+ xmlNodePtr node;
+ int feature;
+ int n;
+ char *tmp = NULL;
+ size_t i;
+
+ if (xmlXPathRegisterNs(ctxt, BAD_CAST "lxc", BAD_CAST LXC_NAMESPACE_HREF)
< 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Failed to register xml namespace '%s'"),
+ LXC_NAMESPACE_HREF);
+ return -1;
+ }
+
+ if (VIR_ALLOC(lxcDef) < 0)
+ return -1;
+
+ node = ctxt->node;
+ if ((n = virXPathNodeSet("./lxc:namespace/*", ctxt, &nodes)) < 0)
+ goto error;
+ uses_lxc_ns |= n > 0;
+
+ for (i = 0; i < n; i++) {
+ if ((feature = virLXCDomainNamespaceTypeFromString(
+ (const char *) nodes[i]->name)) < 0) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("unsupported Namespace feature: %s"),
+ nodes[i]->name);
+ goto error;
+ }
+
+ ctxt->node = nodes[i];
+
+ if (!(tmp = virXMLPropString(nodes[i], "type"))) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ "%s", _("No lxc environment type
specified"));
+ goto error;
+ }
+ if ((lxcDef->ns_source[feature] =
+ virLXCDomainNamespaceSourceTypeFromString(tmp)) < 0) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ _("Unknown LXC namespace source '%s'"),
+ tmp);
+ VIR_FREE(tmp);
+ goto error;
+ }
+ VIR_FREE(tmp);
+
+ if (!(lxcDef->ns_val[feature] =
+ virXMLPropString(nodes[i], "value"))) {
+ virReportError(VIR_ERR_INTERNAL_ERROR,
+ "%s", _("No lxc environment type
specified"));
+ goto error;
+ }
+ }
+ VIR_FREE(nodes);
+ ctxt->node = node;
+ if (uses_lxc_ns)
+ *data = lxcDef;
+ else
+ VIR_FREE(lxcDef);
+ return 0;
+ error:
+ VIR_FREE(nodes);
+ lxcDomainDefNamespaceFree(lxcDef);
+ return -1;
+}
+
+
+static int
+lxcDomainDefNamespaceFormatXML(virBufferPtr buf,
+ void *nsdata)
+{
+ lxcDomainDefPtr lxcDef = nsdata;
+ size_t i;
+
+ if (!lxcDef)
+ return 0;
+
+ virBufferAddLit(buf, "<lxc:namespace>\n");
+ virBufferAdjustIndent(buf, 2);
+
+ for (i = 0; i < VIR_LXC_DOMAIN_NAMESPACE_LAST; i++) {
+ if (lxcDef->ns_source[i] == VIR_LXC_DOMAIN_NAMESPACE_SOURCE_NONE)
+ continue;
+
+ virBufferAsprintf(buf, "<lxc:%s type='%s'
value='%s'/>\n",
+ virLXCDomainNamespaceTypeToString(i),
+ virLXCDomainNamespaceSourceTypeToString(
+ lxcDef->ns_source[i]),
+ lxcDef->ns_val[i]);
+ }
+
+ virBufferAdjustIndent(buf, -2);
+ virBufferAddLit(buf, "</lxc:namespace>\n");
+ return 0;
+}
+
+static const char *
+lxcDomainDefNamespaceHref(void)
+{
+ return "xmlns:lxc='" LXC_NAMESPACE_HREF "'";
+}
+
+
+virDomainXMLNamespace virLXCDriverDomainXMLNamespace = {
+ .parse = lxcDomainDefNamespaceParse,
+ .free = lxcDomainDefNamespaceFree,
+ .format = lxcDomainDefNamespaceFormatXML,
+ .href = lxcDomainDefNamespaceHref,
+};
+
+
static void virLXCDomainObjPrivateFree(void *data)
{
virLXCDomainObjPrivatePtr priv = data;
diff --git a/src/lxc/lxc_domain.h b/src/lxc/lxc_domain.h
index 751aece..2119c78 100644
--- a/src/lxc/lxc_domain.h
+++ b/src/lxc/lxc_domain.h
@@ -27,6 +27,31 @@
# include "lxc_conf.h"
# include "lxc_monitor.h"
+typedef enum {
+ VIR_LXC_DOMAIN_NAMESPACE_SHARENET = 0,
+ VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC,
+ VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS,
+ VIR_LXC_DOMAIN_NAMESPACE_LAST,
+} virLXCDomainNamespace;
+
+typedef enum {
+ VIR_LXC_DOMAIN_NAMESPACE_SOURCE_NONE,
+ VIR_LXC_DOMAIN_NAMESPACE_SOURCE_NAME,
+ VIR_LXC_DOMAIN_NAMESPACE_SOURCE_PID,
+ VIR_LXC_DOMAIN_NAMESPACE_SOURCE_NETNS,
+
+ VIR_LXC_DOMAIN_NAMESPACE_SOURCE_LAST,
+} virLXCDomainNamespaceSource;
+
+VIR_ENUM_DECL(virLXCDomainNamespace)
+VIR_ENUM_DECL(virLXCDomainNamespaceSource)
+
+typedef struct _lxcDomainDef lxcDomainDef;
+typedef lxcDomainDef *lxcDomainDefPtr;
+struct _lxcDomainDef {
+ int ns_source[VIR_LXC_DOMAIN_NAMESPACE_LAST]; /* virLXCDomainNamespaceSource */
+ char *ns_val[VIR_LXC_DOMAIN_NAMESPACE_LAST];
+};
typedef struct _virLXCDomainObjPrivate virLXCDomainObjPrivate;
typedef virLXCDomainObjPrivate *virLXCDomainObjPrivatePtr;
@@ -41,6 +66,7 @@ struct _virLXCDomainObjPrivate {
virCgroupPtr cgroup;
};
+extern virDomainXMLNamespace virLXCDriverDomainXMLNamespace;
extern virDomainXMLPrivateDataCallbacks virLXCDriverPrivateDataCallbacks;
extern virDomainDefParserConfig virLXCDriverDomainDefParserConfig;
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index e99b039..9699377 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -359,6 +359,135 @@ char *virLXCProcessSetupInterfaceDirect(virConnectPtr conn,
return ret;
}
+static const char *nsInfoLocal[VIR_LXC_DOMAIN_NAMESPACE_LAST] = {
+ [VIR_LXC_DOMAIN_NAMESPACE_SHARENET] = "net",
+ [VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC] = "ipc",
+ [VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] = "uts",
+};
+
+static int virLXCProcessSetupNamespaceName(virConnectPtr conn, int ns_type, const char
*name)
+{
+ virLXCDriverPtr driver = conn->privateData;
+ int fd = -1;
+ virDomainObjPtr vm;
+ char *path;
+
+ vm = virDomainObjListFindByName(driver->domains, name);
+ if (!vm) {
+ virReportError(VIR_ERR_NO_DOMAIN,
+ _("No domain with matching name '%s'"), name);
+ return -1;
+ }
+
+ if (virAsprintf(&path, "/proc/%lld/ns/%s",
+ (long long int)vm->pid,
+ nsInfoLocal[ns_type]) < 0)
+ goto cleanup;
+
+ if ((fd = open(path, O_RDONLY)) < 0) {
+ virReportSystemError(errno,
+ _("failed to open ns %s"),
+ virLXCDomainNamespaceTypeToString(ns_type));
+ goto cleanup;
+ }
+
+ cleanup:
+ VIR_FREE(path);
+ virObjectUnlock(vm);
+ virObjectUnref(vm);
+ return fd;
+}
+
+
+static int virLXCProcessSetupNamespacePID(int ns_type, const char *name)
+{
+ int fd;
+ char *path;
+
+ if (virAsprintf(&path, "/proc/%s/ns/%s",
+ name,
+ nsInfoLocal[ns_type]) < 0)
+ return -1;
+ fd = open(path, O_RDONLY);
+ VIR_FREE(path);
+ if (fd < 0) {
+ virReportSystemError(errno,
+ _("failed to open ns %s"),
+ virLXCDomainNamespaceTypeToString(ns_type));
+ return -1;
+ }
+ return fd;
+}
+
+
+static int virLXCProcessSetupNamespaceNet(int ns_type, const char *name)
+{
+ char *path;
+ int fd;
+ if (ns_type != VIR_LXC_DOMAIN_NAMESPACE_SHARENET) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s"
+ _("'netns' namespace source can only be "
+ "used with sharenet"));
+ return -1;
+ }
+
+ if (virAsprintf(&path, "/var/run/netns/%s", name) < 0)
+ return -1;
+ fd = open(path, O_RDONLY);
+ VIR_FREE(path);
+ if (fd < 0) {
+ virReportSystemError(errno,
+ _("failed to open netns %s"), name);
+ return -1;
+ }
+ return fd;
+}
+
+
+/**
+ * virLXCProcessSetupNamespaces:
+ * @conn: pointer to connection
+ * @def: pointer to virtual machines namespaceData
+ * @nsFDs: out parameter to store the namespace FD
+ *
+ * Opens the specified namespace that needs to be shared and
+ * will moved into the container namespace later after clone has been called.
+ *
+ * Returns 0 on success or -1 in case of error
+ */
+static int virLXCProcessSetupNamespaces(virConnectPtr conn,
+ lxcDomainDefPtr lxcDef,
+ int *nsFDs)
+{
+ size_t i;
+
+ for (i = 0; i < VIR_LXC_DOMAIN_NAMESPACE_LAST; i++)
+ nsFDs[i] = -1;
+ /*If there are no namespace to be opened just return success*/
+ if (lxcDef == NULL)
+ return 0;
+
+ for (i = 0; i < VIR_LXC_DOMAIN_NAMESPACE_LAST; i++) {
+ switch (lxcDef->ns_source[i]) {
+ case VIR_LXC_DOMAIN_NAMESPACE_SOURCE_NONE:
+ continue;
+ case VIR_LXC_DOMAIN_NAMESPACE_SOURCE_NAME:
+ if ((nsFDs[i] = virLXCProcessSetupNamespaceName(conn, i,
lxcDef->ns_val[i])) < 0)
+ return -1;
+ break;
+ case VIR_LXC_DOMAIN_NAMESPACE_SOURCE_PID:
+ if ((nsFDs[i] = virLXCProcessSetupNamespacePID(i, lxcDef->ns_val[i])) <
0)
+ return -1;
+ break;
+ case VIR_LXC_DOMAIN_NAMESPACE_SOURCE_NETNS:
+ if ((nsFDs[i] = virLXCProcessSetupNamespaceNet(i, lxcDef->ns_val[i])) <
0)
+ return -1;
+ break;
+ }
+ }
+
+ return 0;
+}
/**
* virLXCProcessSetupInterfaces:
@@ -764,6 +893,7 @@ virLXCProcessBuildControllerCmd(virLXCDriverPtr driver,
char **veths,
int *ttyFDs,
size_t nttyFDs,
+ int *nsInheritFDs,
int *files,
size_t nfiles,
int handshakefd,
@@ -825,6 +955,19 @@ virLXCProcessBuildControllerCmd(virLXCDriverPtr driver,
virCommandPassFD(cmd, files[i], 0);
}
+ for (i = 0; i < VIR_LXC_DOMAIN_NAMESPACE_LAST; i++) {
+ if (nsInheritFDs[i] > 0) {
+ char *tmp = NULL;
+ if (virAsprintf(&tmp, "--share-%s",
+ nsInfoLocal[i]) < 0)
+ goto cleanup;
+ virCommandAddArg(cmd, tmp);
+ virCommandAddArgFormat(cmd, "%d", nsInheritFDs[i]);
+ virCommandPassFD(cmd, nsInheritFDs[i], 0);
+ VIR_FREE(tmp);
+ }
+ }
+
virCommandAddArgPair(cmd, "--security",
virSecurityManagerGetModel(driver->securityManager));
@@ -1032,6 +1175,7 @@ int virLXCProcessStart(virConnectPtr conn,
off_t pos = -1;
char ebuf[1024];
char *timestamp;
+ int nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_LAST];
virCommandPtr cmd = NULL;
virLXCDomainObjPrivatePtr priv = vm->privateData;
virCapsPtr caps = NULL;
@@ -1204,6 +1348,10 @@ int virLXCProcessStart(virConnectPtr conn,
if (virLXCProcessSetupInterfaces(conn, vm->def, &nveths, &veths) < 0)
goto cleanup;
+ VIR_DEBUG("Setting up namespaces if any");
+ if (virLXCProcessSetupNamespaces(conn, vm->def->namespaceData, nsInheritFDs)
< 0)
+ goto cleanup;
+
VIR_DEBUG("Preparing to launch");
if ((logfd = open(logfile, O_WRONLY | O_APPEND | O_CREAT,
S_IRUSR|S_IWUSR)) < 0) {
@@ -1223,6 +1371,7 @@ int virLXCProcessStart(virConnectPtr conn,
vm,
nveths, veths,
ttyFDs, nttyFDs,
+ nsInheritFDs,
files, nfiles,
handshakefds[1],
&logfd,
diff --git a/tests/lxcxml2xmltest.c b/tests/lxcxml2xmltest.c
index 3e00347..8d824b9 100644
--- a/tests/lxcxml2xmltest.c
+++ b/tests/lxcxml2xmltest.c
@@ -133,6 +133,7 @@ mymain(void)
DO_TEST("filesystem-root");
DO_TEST("idmap");
DO_TEST("capabilities");
+ DO_TEST("sharenet");
virObjectUnref(caps);
virObjectUnref(xmlopt);
--
2.4.3
6:23 p.m.
On 14.08.2015 14:09, Daniel P. Berrange wrote:
From: Imran Khan <ik.nitk(a)gmail.com>
This patch adds feature for lxc containers to inherit namespaces.
This is very similar to what lxc-tools or docker provides. Look
for "man lxc-start" and you will find that you can pass command
args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker
networking option in which you can give --net=container:NAME_or_ID
as an option for sharing +namespace.
>From this patch you can add extra libvirt option to share
s/>//
namespace in following way.
<lxc:namespace>
<lxc:sharenet type='netns' value='red'/>
<lxc:shareipc type='pid' value='12345'/>
<lxc:shareuts type='name' value='container1'/>
</lxc:namespace>
The netns option is specific to sharenet. It can be used to
inherit from existing network namespace.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
docs/drvlxc.html.in | 21 ++++++
docs/schemas/domaincommon.rng | 42 ++++++++++++
po/POTFILES.in | 1 +
src/Makefile.am | 6 +-
src/lxc/lxc_conf.c | 2 +-
src/lxc/lxc_container.c | 71 ++++++++++++++++++--
src/lxc/lxc_container.h | 2 +
src/lxc/lxc_controller.c | 45 ++++++++++++-
src/lxc/lxc_domain.c | 149 ++++++++++++++++++++++++++++++++++++++++++
src/lxc/lxc_domain.h | 26 ++++++++
src/lxc/lxc_process.c | 149 ++++++++++++++++++++++++++++++++++++++++++
tests/lxcxml2xmltest.c | 1 +
12 files changed, 506 insertions(+), 9 deletions(-)
diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
index e99b039..9699377 100644
--- a/src/lxc/lxc_process.c
+++ b/src/lxc/lxc_process.c
@@ -359,6 +359,135 @@ char *virLXCProcessSetupInterfaceDirect(virConnectPtr conn,
return ret;
}
+static const char *nsInfoLocal[VIR_LXC_DOMAIN_NAMESPACE_LAST] = {
+ [VIR_LXC_DOMAIN_NAMESPACE_SHARENET] = "net",
+ [VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC] = "ipc",
+ [VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] = "uts",
+};
+
+static int virLXCProcessSetupNamespaceName(virConnectPtr conn, int ns_type, const char
*name)
+{
+ virLXCDriverPtr driver = conn->privateData;
+ int fd = -1;
+ virDomainObjPtr vm;
+ char *path;
+
+ vm = virDomainObjListFindByName(driver->domains, name);
+ if (!vm) {
+ virReportError(VIR_ERR_NO_DOMAIN,
+ _("No domain with matching name '%s'"), name);
+ return -1;
+ }
+
+ if (virAsprintf(&path, "/proc/%lld/ns/%s",
+ (long long int)vm->pid,
+ nsInfoLocal[ns_type]) < 0)
+ goto cleanup;
+
+ if ((fd = open(path, O_RDONLY)) < 0) {
+ virReportSystemError(errno,
+ _("failed to open ns %s"),
+ virLXCDomainNamespaceTypeToString(ns_type));
+ goto cleanup;
+ }
+
+ cleanup:
+ VIR_FREE(path);
+ virObjectUnlock(vm);
+ virObjectUnref(vm);
+ return fd;
+}
+
+
+static int virLXCProcessSetupNamespacePID(int ns_type, const char *name)
+{
+ int fd;
+ char *path;
+
+ if (virAsprintf(&path, "/proc/%s/ns/%s",
+ name,
+ nsInfoLocal[ns_type]) < 0)
+ return -1;
+ fd = open(path, O_RDONLY);
+ VIR_FREE(path);
+ if (fd < 0) {
+ virReportSystemError(errno,
+ _("failed to open ns %s"),
+ virLXCDomainNamespaceTypeToString(ns_type));
+ return -1;
+ }
+ return fd;
+}
+
+
+static int virLXCProcessSetupNamespaceNet(int ns_type, const char *name)
+{
+ char *path;
+ int fd;
+ if (ns_type != VIR_LXC_DOMAIN_NAMESPACE_SHARENET) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s"
s/$/,/
+ _("'netns' namespace source can
only be "
+ "used with sharenet"));
+ return -1;
+ }
+
+ if (virAsprintf(&path, "/var/run/netns/%s", name) < 0)
+ return -1;
+ fd = open(path, O_RDONLY);
+ VIR_FREE(path);
+ if (fd < 0) {
+ virReportSystemError(errno,
+ _("failed to open netns %s"), name);
+ return -1;
+ }
+ return fd;
+}
+
+
diff --git a/tests/lxcxml2xmltest.c b/tests/lxcxml2xmltest.c
index 3e00347..8d824b9 100644
--- a/tests/lxcxml2xmltest.c
+++ b/tests/lxcxml2xmltest.c
@@ -133,6 +133,7 @@ mymain(void)
DO_TEST("filesystem-root");
DO_TEST("idmap");
DO_TEST("capabilities");
+ DO_TEST("sharenet");
Have you forgot to git add tests/lxcxml2xmldata/lxc-sharenet.xml?
I like the idea though. I'm tempted to ACK this if you fix all the small
issues I've raised.
Michal
5:40 a.m.
Thanks to Daniel for making additional changes. And Thanks Michal for
review it again.
This patch has some functionality breakages. I am working on it. will send
the new patch soon
-imran
On Thu, Aug 20, 2015 at 4:53 AM, Michal Privoznik <mprivozn(a)redhat.com>
wrote:
On 14.08.2015 14:09, Daniel P. Berrange wrote:
> From: Imran Khan <ik.nitk(a)gmail.com>
>
> This patch adds feature for lxc containers to inherit namespaces.
> This is very similar to what lxc-tools or docker provides. Look
> for "man lxc-start" and you will find that you can pass command
> args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker
> networking option in which you can give --net=container:NAME_or_ID
> as an option for sharing +namespace.
>
>>From this patch you can add extra libvirt option to share
s/>//
> namespace in following way.
>
> <lxc:namespace>
> <lxc:sharenet type='netns' value='red'/>
> <lxc:shareipc type='pid' value='12345'/>
> <lxc:shareuts type='name' value='container1'/>
> </lxc:namespace>
>
> The netns option is specific to sharenet. It can be used to
> inherit from existing network namespace.
>
> Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
> ---
> docs/drvlxc.html.in | 21 ++++++
> docs/schemas/domaincommon.rng | 42 ++++++++++++
> po/POTFILES.in | 1 +
> src/Makefile.am | 6 +-
> src/lxc/lxc_conf.c | 2 +-
> src/lxc/lxc_container.c | 71 ++++++++++++++++++--
> src/lxc/lxc_container.h | 2 +
> src/lxc/lxc_controller.c | 45 ++++++++++++-
> src/lxc/lxc_domain.c | 149
++++++++++++++++++++++++++++++++++++++++++
> src/lxc/lxc_domain.h | 26 ++++++++
> src/lxc/lxc_process.c | 149
++++++++++++++++++++++++++++++++++++++++++
> tests/lxcxml2xmltest.c | 1 +
> 12 files changed, 506 insertions(+), 9 deletions(-)
>
> diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
> index e99b039..9699377 100644
> --- a/src/lxc/lxc_process.c
> +++ b/src/lxc/lxc_process.c
> @@ -359,6 +359,135 @@ char
*virLXCProcessSetupInterfaceDirect(virConnectPtr conn,
> return ret;
> }
>
> +static const char *nsInfoLocal[VIR_LXC_DOMAIN_NAMESPACE_LAST] = {
> + [VIR_LXC_DOMAIN_NAMESPACE_SHARENET] = "net",
> + [VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC] = "ipc",
> + [VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] = "uts",
> +};
> +
> +static int virLXCProcessSetupNamespaceName(virConnectPtr conn, int
ns_type, const char *name)
> +{
> + virLXCDriverPtr driver = conn->privateData;
> + int fd = -1;
> + virDomainObjPtr vm;
> + char *path;
> +
> + vm = virDomainObjListFindByName(driver->domains, name);
> + if (!vm) {
> + virReportError(VIR_ERR_NO_DOMAIN,
> + _("No domain with matching name '%s'"),
name);
> + return -1;
> + }
> +
> + if (virAsprintf(&path, "/proc/%lld/ns/%s",
> + (long long int)vm->pid,
> + nsInfoLocal[ns_type]) < 0)
> + goto cleanup;
> +
> + if ((fd = open(path, O_RDONLY)) < 0) {
> + virReportSystemError(errno,
> + _("failed to open ns %s"),
> +
virLXCDomainNamespaceTypeToString(ns_type));
> + goto cleanup;
> + }
> +
> + cleanup:
> + VIR_FREE(path);
> + virObjectUnlock(vm);
> + virObjectUnref(vm);
> + return fd;
> +}
> +
> +
> +static int virLXCProcessSetupNamespacePID(int ns_type, const char *name)
> +{
> + int fd;
> + char *path;
> +
> + if (virAsprintf(&path, "/proc/%s/ns/%s",
> + name,
> + nsInfoLocal[ns_type]) < 0)
> + return -1;
> + fd = open(path, O_RDONLY);
> + VIR_FREE(path);
> + if (fd < 0) {
> + virReportSystemError(errno,
> + _("failed to open ns %s"),
> +
virLXCDomainNamespaceTypeToString(ns_type));
> + return -1;
> + }
> + return fd;
> +}
> +
> +
> +static int virLXCProcessSetupNamespaceNet(int ns_type, const char *name)
> +{
> + char *path;
> + int fd;
> + if (ns_type != VIR_LXC_DOMAIN_NAMESPACE_SHARENET) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s"
s/$/,/
> + _("'netns' namespace source can only be "
> + "used with sharenet"));
> + return -1;
> + }
> +
> + if (virAsprintf(&path, "/var/run/netns/%s", name) < 0)
> + return -1;
> + fd = open(path, O_RDONLY);
> + VIR_FREE(path);
> + if (fd < 0) {
> + virReportSystemError(errno,
> + _("failed to open netns %s"), name);
> + return -1;
> + }
> + return fd;
> +}
> +
> +
> diff --git a/tests/lxcxml2xmltest.c b/tests/lxcxml2xmltest.c
> index 3e00347..8d824b9 100644
> --- a/tests/lxcxml2xmltest.c
> +++ b/tests/lxcxml2xmltest.c
> @@ -133,6 +133,7 @@ mymain(void)
> DO_TEST("filesystem-root");
> DO_TEST("idmap");
> DO_TEST("capabilities");
> + DO_TEST("sharenet");
Have you forgot to git add tests/lxcxml2xmldata/lxc-sharenet.xml?
I like the idea though. I'm tempted to ACK this if you fix all the small
issues I've raised.
Michal
8:50 a.m.
Have tested the code changes. here are the logs. Please review the patch
sent in another mail.
Really appreciate the efforts to make the code very efficient.
test logs:
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// create ../lxc/cn-02.xml
Domain cn02 created from ../lxc/cn-02.xml
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ cat ../lxc/share_lxc.xml |
grep -A 3 -B 3 share
<type>exe</type>
</os>
<lxc:namespace>
<lxc:sharenet type='name' value='cn02'/>
</lxc:namespace>
<vcpu>1</vcpu>
<clock offset='utc'/>
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// list
Id Name State
----------------------------------------------------
6828 cn02 running
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// create ../lxc/share_lxc.xml Domain cn-03 created from
../lxc/share_lxc.xml
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// list
Id Name State
----------------------------------------------------
6828 cn02 running
8774 cn-03 running
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// lxc-enter-namespace cn02 --noseclabel /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 52:54:00:a7:e5:3d
inet addr:192.168.122.183 Bcast:192.168.122.255
Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fea7:e53d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:105 errors:0 dropped:2 overruns:0 frame:0
TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14169 (14.1 KB) TX bytes:32554 (32.5 KB)
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// lxc-enter-namespace cn-03 --noseclabel /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 52:54:00:a7:e5:3d
inet addr:192.168.122.183 Bcast:192.168.122.255
Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fea7:e53d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:114 errors:0 dropped:2 overruns:0 frame:0
TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15289 (15.2 KB) TX bytes:40891 (40.8 KB)
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// destroy cn02
Domain cn02 destroyed
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// lxc-enter-namespace cn-03 --noseclabel /sbin/ifconfig eth0
eth0: error fetching interface information: Device not found
error: internal error: Child process (10238) unexpected exit status 1
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ip netns exec red
ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:32 errors:0 dropped:0 overruns:0 frame:0
TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2528 (2.5 KB) TX bytes:2528 (2.5 KB)
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// list
Id Name State
----------------------------------------------------
8774 cn-03 running
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// destroy cn-03
Domain cn-03 destroyed
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ cat ../lxc/share_lxc.xml |
grep -A 3 -B 3 share
<type>exe</type>
</os>
<lxc:namespace>
<lxc:sharenet type='netns' value='red'/>
</lxc:namespace>
<vcpu>1</vcpu>
<clock offset='utc'/>
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// create ../lxc/share_lxc.xml
Domain cn-03 created from ../lxc/share_lxc.xml
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// lxc-enter-namespace cn-03 --noseclabel /sbin/ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:48 errors:0 dropped:0 overruns:0 frame:0
TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3792 (3.7 KB) TX bytes:3792 (3.7 KB)
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// destroy cn-03Domain cn-03 destroyed
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ip netns exec red
ifconfig lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:48 errors:0 dropped:0 overruns:0 frame:0
TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3792 (3.7 KB) TX bytes:3792 (3.7 KB)
imran@imran-VirtualBox:~/programming/libvirt$ cat ../lxc/share_lxc.xml |
grep -A 3 -B 3 share<type>exe</type>
</os>
<lxc:namespace>
<lxc:sharenet type='pid' value='1'/>
</lxc:namespace>
<vcpu>1</vcpu>
<clock offset='utc'/>
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// create ../lxc/share_lxc.xml Domain cn-03 created from
../lxc/share_lxc.xml
imran@imran-VirtualBox:~/programming/libvirt$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 08:00:27:a8:fd:bf
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fea8:fdbf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:178204 errors:13 dropped:0 overruns:0 frame:0
TX packets:88943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:251962232 (251.9 MB) TX bytes:4930611 (4.9 MB)
Interrupt:19 Base address:0xd020
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// lxc-enter-namespace cn-03 --noseclabel /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 08:00:27:a8:fd:bf
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fea8:fdbf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:178204 errors:13 dropped:0 overruns:0 frame:0
TX packets:88943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:251962232 (251.9 MB) TX bytes:4930611 (4.9 MB)
Interrupt:19 Base address:0xd020
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// destroy cn-03
Domain cn-03 destroyed
imran@imran-VirtualBox:~/programming/libvirt$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 08:00:27:a8:fd:bf
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fea8:fdbf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:178204 errors:13 dropped:0 overruns:0 frame:0
TX packets:88943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:251962232 (251.9 MB) TX bytes:4930611 (4.9 MB)
Interrupt:19 Base address:0xd020
imran@imran-VirtualBox:~/programming/libvirt$
On Thu, Aug 20, 2015 at 4:10 PM, Imran Khan <ik.nitk(a)gmail.com> wrote:
Thanks to Daniel for making additional changes. And Thanks Michal
for
review it again.
This patch has some functionality breakages. I am working on it. will send
the new patch soon
-imran
On Thu, Aug 20, 2015 at 4:53 AM, Michal Privoznik <mprivozn(a)redhat.com>
wrote:
> On 14.08.2015 14:09, Daniel P. Berrange wrote:
> > From: Imran Khan <ik.nitk(a)gmail.com>
> >
> > This patch adds feature for lxc containers to inherit namespaces.
> > This is very similar to what lxc-tools or docker provides. Look
> > for "man lxc-start" and you will find that you can pass command
> > args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker
> > networking option in which you can give --net=container:NAME_or_ID
> > as an option for sharing +namespace.
> >
> >>From this patch you can add extra libvirt option to share
>
> s/>//
>
> > namespace in following way.
> >
> > <lxc:namespace>
> > <lxc:sharenet type='netns' value='red'/>
> > <lxc:shareipc type='pid' value='12345'/>
> > <lxc:shareuts type='name' value='container1'/>
> > </lxc:namespace>
> >
> > The netns option is specific to sharenet. It can be used to
> > inherit from existing network namespace.
> >
> > Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
> > ---
> > docs/drvlxc.html.in | 21 ++++++
> > docs/schemas/domaincommon.rng | 42 ++++++++++++
> > po/POTFILES.in | 1 +
> > src/Makefile.am | 6 +-
> > src/lxc/lxc_conf.c | 2 +-
> > src/lxc/lxc_container.c | 71 ++++++++++++++++++--
> > src/lxc/lxc_container.h | 2 +
> > src/lxc/lxc_controller.c | 45 ++++++++++++-
> > src/lxc/lxc_domain.c | 149
> ++++++++++++++++++++++++++++++++++++++++++
> > src/lxc/lxc_domain.h | 26 ++++++++
> > src/lxc/lxc_process.c | 149
> ++++++++++++++++++++++++++++++++++++++++++
> > tests/lxcxml2xmltest.c | 1 +
> > 12 files changed, 506 insertions(+), 9 deletions(-)
> >
>
> > diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
> > index e99b039..9699377 100644
> > --- a/src/lxc/lxc_process.c
> > +++ b/src/lxc/lxc_process.c
> > @@ -359,6 +359,135 @@ char
> *virLXCProcessSetupInterfaceDirect(virConnectPtr conn,
> > return ret;
> > }
> >
> > +static const char *nsInfoLocal[VIR_LXC_DOMAIN_NAMESPACE_LAST] = {
> > + [VIR_LXC_DOMAIN_NAMESPACE_SHARENET] = "net",
> > + [VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC] = "ipc",
> > + [VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] = "uts",
> > +};
> > +
> > +static int virLXCProcessSetupNamespaceName(virConnectPtr conn, int
> ns_type, const char *name)
> > +{
> > + virLXCDriverPtr driver = conn->privateData;
> > + int fd = -1;
> > + virDomainObjPtr vm;
> > + char *path;
> > +
> > + vm = virDomainObjListFindByName(driver->domains, name);
> > + if (!vm) {
> > + virReportError(VIR_ERR_NO_DOMAIN,
> > + _("No domain with matching name
'%s'"), name);
> > + return -1;
> > + }
> > +
> > + if (virAsprintf(&path, "/proc/%lld/ns/%s",
> > + (long long int)vm->pid,
> > + nsInfoLocal[ns_type]) < 0)
> > + goto cleanup;
> > +
> > + if ((fd = open(path, O_RDONLY)) < 0) {
> > + virReportSystemError(errno,
> > + _("failed to open ns %s"),
> > +
> virLXCDomainNamespaceTypeToString(ns_type));
> > + goto cleanup;
> > + }
> > +
> > + cleanup:
> > + VIR_FREE(path);
> > + virObjectUnlock(vm);
> > + virObjectUnref(vm);
> > + return fd;
> > +}
> > +
> > +
> > +static int virLXCProcessSetupNamespacePID(int ns_type, const char
> *name)
> > +{
> > + int fd;
> > + char *path;
> > +
> > + if (virAsprintf(&path, "/proc/%s/ns/%s",
> > + name,
> > + nsInfoLocal[ns_type]) < 0)
> > + return -1;
> > + fd = open(path, O_RDONLY);
> > + VIR_FREE(path);
> > + if (fd < 0) {
> > + virReportSystemError(errno,
> > + _("failed to open ns %s"),
> > +
> virLXCDomainNamespaceTypeToString(ns_type));
> > + return -1;
> > + }
> > + return fd;
> > +}
> > +
> > +
> > +static int virLXCProcessSetupNamespaceNet(int ns_type, const char
> *name)
> > +{
> > + char *path;
> > + int fd;
> > + if (ns_type != VIR_LXC_DOMAIN_NAMESPACE_SHARENET) {
> > + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s"
>
> s/$/,/
>
> > + _("'netns' namespace source can only be
"
> > + "used with sharenet"));
> > + return -1;
> > + }
> > +
> > + if (virAsprintf(&path, "/var/run/netns/%s", name) < 0)
> > + return -1;
> > + fd = open(path, O_RDONLY);
> > + VIR_FREE(path);
> > + if (fd < 0) {
> > + virReportSystemError(errno,
> > + _("failed to open netns %s"), name);
> > + return -1;
> > + }
> > + return fd;
> > +}
> > +
> > +
>
>
> > diff --git a/tests/lxcxml2xmltest.c b/tests/lxcxml2xmltest.c
> > index 3e00347..8d824b9 100644
> > --- a/tests/lxcxml2xmltest.c
> > +++ b/tests/lxcxml2xmltest.c
> > @@ -133,6 +133,7 @@ mymain(void)
> > DO_TEST("filesystem-root");
> > DO_TEST("idmap");
> > DO_TEST("capabilities");
> > + DO_TEST("sharenet");
>
> Have you forgot to git add tests/lxcxml2xmldata/lxc-sharenet.xml?
> I like the idea though. I'm tempted to ACK this if you fix all the small
> issues I've raised.
>
> Michal
>
2:48 a.m.
Hello experts,
Gentle reminder !
thanks a lot for all the help !!
-imran
On Thu, Aug 20, 2015 at 7:20 PM, Imran Khan <ik.nitk(a)gmail.com> wrote:
Have tested the code changes. here are the logs. Please review the
patch
sent in another mail.
Really appreciate the efforts to make the code very efficient.
test logs:
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// create ../lxc/cn-02.xml
Domain cn02 created from ../lxc/cn-02.xml
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ cat ../lxc/share_lxc.xml |
grep -A 3 -B 3 share
<type>exe</type>
</os>
<lxc:namespace>
<lxc:sharenet type='name' value='cn02'/>
</lxc:namespace>
<vcpu>1</vcpu>
<clock offset='utc'/>
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// list
Id Name State
----------------------------------------------------
6828 cn02 running
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// create ../lxc/share_lxc.xml Domain cn-03 created from
../lxc/share_lxc.xml
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// list
Id Name State
----------------------------------------------------
6828 cn02 running
8774 cn-03 running
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// lxc-enter-namespace cn02 --noseclabel /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 52:54:00:a7:e5:3d
inet addr:192.168.122.183 Bcast:192.168.122.255
Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fea7:e53d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:105 errors:0 dropped:2 overruns:0 frame:0
TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14169 (14.1 KB) TX bytes:32554 (32.5 KB)
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// lxc-enter-namespace cn-03 --noseclabel /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 52:54:00:a7:e5:3d
inet addr:192.168.122.183 Bcast:192.168.122.255
Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fea7:e53d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:114 errors:0 dropped:2 overruns:0 frame:0
TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15289 (15.2 KB) TX bytes:40891 (40.8 KB)
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// destroy cn02
Domain cn02 destroyed
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// lxc-enter-namespace cn-03 --noseclabel /sbin/ifconfig eth0
eth0: error fetching interface information: Device not found
error: internal error: Child process (10238) unexpected exit status 1
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ip netns exec red
ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:32 errors:0 dropped:0 overruns:0 frame:0
TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2528 (2.5 KB) TX bytes:2528 (2.5 KB)
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// list
Id Name State
----------------------------------------------------
8774 cn-03 running
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// destroy cn-03
Domain cn-03 destroyed
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ cat ../lxc/share_lxc.xml |
grep -A 3 -B 3 share
<type>exe</type>
</os>
<lxc:namespace>
<lxc:sharenet type='netns' value='red'/>
</lxc:namespace>
<vcpu>1</vcpu>
<clock offset='utc'/>
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// create ../lxc/share_lxc.xml
Domain cn-03 created from ../lxc/share_lxc.xml
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// lxc-enter-namespace cn-03 --noseclabel /sbin/ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:48 errors:0 dropped:0 overruns:0 frame:0
TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3792 (3.7 KB) TX bytes:3792 (3.7 KB)
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// destroy cn-03Domain cn-03 destroyed
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$
imran@imran-VirtualBox:~/programming/libvirt$ sudo ip netns exec red
ifconfig lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:48 errors:0 dropped:0 overruns:0 frame:0
TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3792 (3.7 KB) TX bytes:3792 (3.7 KB)
imran@imran-VirtualBox:~/programming/libvirt$ cat ../lxc/share_lxc.xml |
grep -A 3 -B 3 share<type>exe</type>
</os>
<lxc:namespace>
<lxc:sharenet type='pid' value='1'/>
</lxc:namespace>
<vcpu>1</vcpu>
<clock offset='utc'/>
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// create ../lxc/share_lxc.xml Domain cn-03 created from
../lxc/share_lxc.xml
imran@imran-VirtualBox:~/programming/libvirt$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 08:00:27:a8:fd:bf
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fea8:fdbf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:178204 errors:13 dropped:0 overruns:0 frame:0
TX packets:88943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:251962232 (251.9 MB) TX bytes:4930611 (4.9 MB)
Interrupt:19 Base address:0xd020
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// lxc-enter-namespace cn-03 --noseclabel /sbin/ifconfig eth0
eth0 Link encap:Ethernet HWaddr 08:00:27:a8:fd:bf
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fea8:fdbf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:178204 errors:13 dropped:0 overruns:0 frame:0
TX packets:88943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:251962232 (251.9 MB) TX bytes:4930611 (4.9 MB)
Interrupt:19 Base address:0xd020
imran@imran-VirtualBox:~/programming/libvirt$ sudo ./run ./tools/virsh -c
lxc:/// destroy cn-03
Domain cn-03 destroyed
imran@imran-VirtualBox:~/programming/libvirt$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 08:00:27:a8:fd:bf
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fea8:fdbf/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:178204 errors:13 dropped:0 overruns:0 frame:0
TX packets:88943 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:251962232 (251.9 MB) TX bytes:4930611 (4.9 MB)
Interrupt:19 Base address:0xd020
imran@imran-VirtualBox:~/programming/libvirt$
On Thu, Aug 20, 2015 at 4:10 PM, Imran Khan <ik.nitk(a)gmail.com> wrote:
> Thanks to Daniel for making additional changes. And Thanks Michal for
> review it again.
> This patch has some functionality breakages. I am working on it. will
> send the new patch soon
>
> -imran
>
> On Thu, Aug 20, 2015 at 4:53 AM, Michal Privoznik <mprivozn(a)redhat.com>
> wrote:
>
>> On 14.08.2015 14:09, Daniel P. Berrange wrote:
>> > From: Imran Khan <ik.nitk(a)gmail.com>
>> >
>> > This patch adds feature for lxc containers to inherit namespaces.
>> > This is very similar to what lxc-tools or docker provides. Look
>> > for "man lxc-start" and you will find that you can pass command
>> > args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker
>> > networking option in which you can give --net=container:NAME_or_ID
>> > as an option for sharing +namespace.
>> >
>> >>From this patch you can add extra libvirt option to share
>>
>> s/>//
>>
>> > namespace in following way.
>> >
>> > <lxc:namespace>
>> > <lxc:sharenet type='netns' value='red'/>
>> > <lxc:shareipc type='pid' value='12345'/>
>> > <lxc:shareuts type='name' value='container1'/>
>> > </lxc:namespace>
>> >
>> > The netns option is specific to sharenet. It can be used to
>> > inherit from existing network namespace.
>> >
>> > Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
>> > ---
>> > docs/drvlxc.html.in | 21 ++++++
>> > docs/schemas/domaincommon.rng | 42 ++++++++++++
>> > po/POTFILES.in | 1 +
>> > src/Makefile.am | 6 +-
>> > src/lxc/lxc_conf.c | 2 +-
>> > src/lxc/lxc_container.c | 71 ++++++++++++++++++--
>> > src/lxc/lxc_container.h | 2 +
>> > src/lxc/lxc_controller.c | 45 ++++++++++++-
>> > src/lxc/lxc_domain.c | 149
>> ++++++++++++++++++++++++++++++++++++++++++
>> > src/lxc/lxc_domain.h | 26 ++++++++
>> > src/lxc/lxc_process.c | 149
>> ++++++++++++++++++++++++++++++++++++++++++
>> > tests/lxcxml2xmltest.c | 1 +
>> > 12 files changed, 506 insertions(+), 9 deletions(-)
>> >
>>
>> > diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
>> > index e99b039..9699377 100644
>> > --- a/src/lxc/lxc_process.c
>> > +++ b/src/lxc/lxc_process.c
>> > @@ -359,6 +359,135 @@ char
>> *virLXCProcessSetupInterfaceDirect(virConnectPtr conn,
>> > return ret;
>> > }
>> >
>> > +static const char *nsInfoLocal[VIR_LXC_DOMAIN_NAMESPACE_LAST] = {
>> > + [VIR_LXC_DOMAIN_NAMESPACE_SHARENET] = "net",
>> > + [VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC] = "ipc",
>> > + [VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] = "uts",
>> > +};
>> > +
>> > +static int virLXCProcessSetupNamespaceName(virConnectPtr conn, int
>> ns_type, const char *name)
>> > +{
>> > + virLXCDriverPtr driver = conn->privateData;
>> > + int fd = -1;
>> > + virDomainObjPtr vm;
>> > + char *path;
>> > +
>> > + vm = virDomainObjListFindByName(driver->domains, name);
>> > + if (!vm) {
>> > + virReportError(VIR_ERR_NO_DOMAIN,
>> > + _("No domain with matching name
'%s'"), name);
>> > + return -1;
>> > + }
>> > +
>> > + if (virAsprintf(&path, "/proc/%lld/ns/%s",
>> > + (long long int)vm->pid,
>> > + nsInfoLocal[ns_type]) < 0)
>> > + goto cleanup;
>> > +
>> > + if ((fd = open(path, O_RDONLY)) < 0) {
>> > + virReportSystemError(errno,
>> > + _("failed to open ns %s"),
>> > +
>> virLXCDomainNamespaceTypeToString(ns_type));
>> > + goto cleanup;
>> > + }
>> > +
>> > + cleanup:
>> > + VIR_FREE(path);
>> > + virObjectUnlock(vm);
>> > + virObjectUnref(vm);
>> > + return fd;
>> > +}
>> > +
>> > +
>> > +static int virLXCProcessSetupNamespacePID(int ns_type, const char
>> *name)
>> > +{
>> > + int fd;
>> > + char *path;
>> > +
>> > + if (virAsprintf(&path, "/proc/%s/ns/%s",
>> > + name,
>> > + nsInfoLocal[ns_type]) < 0)
>> > + return -1;
>> > + fd = open(path, O_RDONLY);
>> > + VIR_FREE(path);
>> > + if (fd < 0) {
>> > + virReportSystemError(errno,
>> > + _("failed to open ns %s"),
>> > +
>> virLXCDomainNamespaceTypeToString(ns_type));
>> > + return -1;
>> > + }
>> > + return fd;
>> > +}
>> > +
>> > +
>> > +static int virLXCProcessSetupNamespaceNet(int ns_type, const char
>> *name)
>> > +{
>> > + char *path;
>> > + int fd;
>> > + if (ns_type != VIR_LXC_DOMAIN_NAMESPACE_SHARENET) {
>> > + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s"
>>
>> s/$/,/
>>
>> > + _("'netns' namespace source can only be
"
>> > + "used with sharenet"));
>> > + return -1;
>> > + }
>> > +
>> > + if (virAsprintf(&path, "/var/run/netns/%s", name) <
0)
>> > + return -1;
>> > + fd = open(path, O_RDONLY);
>> > + VIR_FREE(path);
>> > + if (fd < 0) {
>> > + virReportSystemError(errno,
>> > + _("failed to open netns %s"),
name);
>> > + return -1;
>> > + }
>> > + return fd;
>> > +}
>> > +
>> > +
>>
>>
>> > diff --git a/tests/lxcxml2xmltest.c b/tests/lxcxml2xmltest.c
>> > index 3e00347..8d824b9 100644
>> > --- a/tests/lxcxml2xmltest.c
>> > +++ b/tests/lxcxml2xmltest.c
>> > @@ -133,6 +133,7 @@ mymain(void)
>> > DO_TEST("filesystem-root");
>> > DO_TEST("idmap");
>> > DO_TEST("capabilities");
>> > + DO_TEST("sharenet");
>>
>> Have you forgot to git add tests/lxcxml2xmldata/lxc-sharenet.xml?
>> I like the idea though. I'm tempted to ACK this if you fix all the small
>> issues I've raised.
>>
>> Michal
>>
>
>
6:02 a.m.
On 08/14/2015 08:09 AM, Daniel P. Berrange wrote:
From: Imran Khan <ik.nitk(a)gmail.com>
This patch adds feature for lxc containers to inherit namespaces.
This is very similar to what lxc-tools or docker provides. Look
for "man lxc-start" and you will find that you can pass command
args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker
networking option in which you can give --net=container:NAME_or_ID
as an option for sharing +namespace.
>From this patch you can add extra libvirt option to share
namespace in following way.
<lxc:namespace>
<lxc:sharenet type='netns' value='red'/>
<lxc:shareipc type='pid' value='12345'/>
<lxc:shareuts type='name' value='container1'/>
</lxc:namespace>
The netns option is specific to sharenet. It can be used to
inherit from existing network namespace.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
docs/drvlxc.html.in | 21 ++++++
docs/schemas/domaincommon.rng | 42 ++++++++++++
po/POTFILES.in | 1 +
src/Makefile.am | 6 +-
src/lxc/lxc_conf.c | 2 +-
src/lxc/lxc_container.c | 71 ++++++++++++++++++--
src/lxc/lxc_container.h | 2 +
src/lxc/lxc_controller.c | 45 ++++++++++++-
src/lxc/lxc_domain.c | 149 ++++++++++++++++++++++++++++++++++++++++++
src/lxc/lxc_domain.h | 26 ++++++++
src/lxc/lxc_process.c | 149 ++++++++++++++++++++++++++++++++++++++++++
tests/lxcxml2xmltest.c | 1 +
12 files changed, 506 insertions(+), 9 deletions(-)
...
Coverity found a resource leak...
@@ -2342,6 +2378,7 @@ int lxcContainerStart(virDomainDefPtr def,
int *passFDs,
int control,
int handshakefd,
+ int *nsInheritFDs,
size_t nttyPaths,
char **ttyPaths)
{
@@ -2359,7 +2396,8 @@ int lxcContainerStart(virDomainDefPtr def,
.monitor = control,
.nttyPaths = nttyPaths,
.ttyPaths = ttyPaths,
- .handshakefd = handshakefd
+ .handshakefd = handshakefd,
+ .nsInheritFDs = nsInheritFDs,
};
/* allocate a stack for the container */
@@ -2368,7 +2406,7 @@ int lxcContainerStart(virDomainDefPtr def,
stacktop = stack + stacksize;
- cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
+ cflags = CLONE_NEWPID|CLONE_NEWNS|SIGCHLD;
if (userns_required(def)) {
if (userns_supported()) {
@@ -2381,10 +2419,31 @@ int lxcContainerStart(virDomainDefPtr def,
return -1;
}
}
+ if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHARENET] == -1) {
+ if (lxcNeedNetworkNamespace(def)) {
+ VIR_DEBUG("Enable network namespaces");
+ cflags |= CLONE_NEWNET;
+ }
+ } else {
+ if (lxcNeedNetworkNamespace(def)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Config askes for inherit net namespace "
+ "as well as private network interfaces"));
+ return -1;
This leaks 'stack'...
Sending a patch shortly.
John
+ }
+ VIR_DEBUG("Inheriting a net namespace");
+ }
- if (lxcNeedNetworkNamespace(def)) {
- VIR_DEBUG("Enable network namespaces");
- cflags |= CLONE_NEWNET;
+ if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC] == -1) {
+ cflags |= CLONE_NEWIPC;
+ } else {
+ VIR_DEBUG("Inheriting an IPC namespace");
+ }
+
+ if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] == -1) {
+ cflags |= CLONE_NEWUTS;
+ } else {
+ VIR_DEBUG("Inheriting a UTS namespace");
}
VIR_DEBUG("Cloning container init process");
3378
days inactive
3391
days old
5 comments
4 participants
participants (4)
-
Daniel P. Berrange -
Imran Khan -
John Ferlan -
Michal Privoznik