> -----Original Message----- > From: Martin Kletzander [mailto:mkletzan@xxxxxxxxxx] > Sent: Friday, March 20, 2015 6:31 PM > To: Chen, Hanxiao/陈 晗霄 > Cc: libvir-list@xxxxxxxxxx > Subject: Re: [PATCH] LXC: make sure netns been enabled when trying to > enable userns > > On Fri, Mar 20, 2015 at 05:58:22AM -0400, Chen Hanxiao wrote: > >This patch revert commit: > >7dc5dbc879bd0779924b5132a48b731a0bc04a1e > > > > I haven't found this commit in the log, also this is not how reverts > should be done, please use "git revert <commit_id>", it basically > cherry-picks inverted version of that patch, so resolutions may be > done for conflicts, and it will let you amend the commit messsage. > I put a wrong commit ID, sorry for that. I'll resend this by using 'git revert' Thanks for your help. Regards, - Chen > >Discussed at: > >http://www.redhat.com/archives/libvir-list/2015-March/msg01023.html > > > >Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx>
> >---
> > src/lxc/lxc_container.c | 45 ++++++++++++++++-----------------------------
> > 1 file changed, 16 insertions(+), 29 deletions(-)
> >
> >diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> >index cc20b6d..69a8f2f 100644
> >--- a/src/lxc/lxc_container.c
> >+++ b/src/lxc/lxc_container.c
> >@@ -934,8 +934,6 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
> > {
> > size_t i;
> > int rc = -1;
> >- char* mnt_src = NULL;
> >- int mnt_mflags;
> >
> > VIR_DEBUG("Mounting basic filesystems");
> >
> >@@ -944,22 +942,17 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
> > virLXCBasicMountInfo const *mnt = &lxcBasicMounts[i];
> >
> > /* When enable userns but disable netns, kernel will
> >- * forbid us doing a new fresh mount for sysfs.
> >- * So we had to do a bind mount for sysfs instead.
> >+ * forbid us doing a new fresh mount for sysfs for security reason.
> >+ * So we should not allow this.
> > */
> >- if (userns_enabled && netns_disabled &&
> >- STREQ(mnt->src, "sysfs")) {
> >- if (VIR_STRDUP(mnt_src, "/sys") < 0)
> >- goto cleanup;
> >- mnt_mflags = MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_RDONLY|MS_BIND;
> >- } else {
> >- if (VIR_STRDUP(mnt_src, mnt->src) < 0)
> >- goto cleanup;
> >- mnt_mflags = mnt->mflags;
> >+ if (userns_enabled && netns_disabled) {
> >+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> >+ _("Userns could not be enabled without netns"));
> >+ goto cleanup;
> > }
> >
> > VIR_DEBUG("Processing %s -> %s",
> >- mnt_src, mnt->dst);
> >+ mnt->src, mnt->dst);
> >
> > if (mnt->skipUnmounted) {
> > char *hostdir;
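Review bot: The new `if (userns_enabled && netns_disabled)` check sits inside the per-mount loop (the `lxcBasicMounts[i]` lookup and the surrounding `continue`s show the loop; its `for` header is outside the hunk), so a loop-invariant configuration error is re-tested on every iteration and only ever fires on the first one; hoist it above the loop, and ideally also reject the combination where the domain config is validated so the user sees the error at define time rather than at container start. Rejecting rather than working around is the right call security-wise: the removed lines bind-mounted the host's `/sys` (read-only) into a user-namespaced container, which exposes host device and network state that a container-private sysfs would not, and the comment should say that instead of the vague "for security reason" — e.g. `/* The kernel refuses a fresh sysfs mount from a user namespace that does not own the network namespace; bind-mounting the host /sys instead would expose host devices, so reject the combination. */`. The error text also reads awkwardly; `_("User namespace cannot be enabled without a network namespace")` is clearer. lxcContainerMountBasicFS begins and ends outside this hunk.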
> >@@ -976,28 +969,24 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
> > if (ret == 0) {
> > VIR_DEBUG("Skipping '%s' which isn't mounted in host",
> > mnt->dst);
> >- VIR_FREE(mnt_src);
> > continue;
> > }
> > }
> >
> > if (mnt->skipUserNS && userns_enabled) {
> > VIR_DEBUG("Skipping due to user ns enablement");
> >- VIR_FREE(mnt_src);
> > continue;
> > }
> >
> > /* Skip mounts with missing source without shouting: it may be a
> > * missing folder in /proc due to the absence of a kernel feature */
> >- if (STRPREFIX(mnt_src, "/") && !virFileExists(mnt_src)) {
> >- VIR_DEBUG("Skipping due to missing source: %s", mnt_src);
> >- VIR_FREE(mnt_src);
> >+ if (STRPREFIX(mnt->src, "/") && !virFileExists(mnt->src)) {
> >+ VIR_DEBUG("Skipping due to missing source: %s", mnt->src);
> > continue;
> > }
> >
> > if (mnt->skipNoNetns && netns_disabled) {
> > VIR_DEBUG("Skipping due to absence of network namespace");
> >- VIR_FREE(mnt_src);
> > continue;
> > }
> >
> >@@ -1015,35 +1004,33 @@ static int lxcContainerMountBasicFS(bool userns_enabled,
> > * we mount the filesystem in read-write mode initially, and then do a
> > * separate read-only bind mount on top of that.
> > */
> >- bindOverReadonly = !!(mnt_mflags & MS_RDONLY);
> >+ bindOverReadonly = !!(mnt->mflags & MS_RDONLY);
> >
> > VIR_DEBUG("Mount %s on %s type=%s flags=%x",
> >- mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY);
> >- if (mount(mnt_src, mnt->dst, mnt->type, mnt_mflags & ~MS_RDONLY, NULL) > < 0) {
> >+ mnt->src, mnt->dst, mnt->type, mnt->mflags & ~MS_RDONLY);
> >+ if (mount(mnt->src, mnt->dst, mnt->type, mnt->mflags & ~MS_RDONLY, NULL) > < 0) {
> > virReportSystemError(errno,
> > _("Failed to mount %s on %s type %s flags=%x"),
> >- mnt_src, mnt->dst, NULLSTR(mnt->type),
> >- mnt_mflags & ~MS_RDONLY);
> >+ mnt->src, mnt->dst, NULLSTR(mnt->type),
> >+ mnt->mflags & ~MS_RDONLY);
> > goto cleanup;
> > }
> >
> > if (bindOverReadonly &&
> >- mount(mnt_src, mnt->dst, NULL,
> >+ mount(mnt->src, mnt->dst, NULL,
> > MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
> > virReportSystemError(errno,
> > _("Failed to re-mount %s on %s flags=%x"),
> >- mnt_src, mnt->dst,
> >+ mnt->src, mnt->dst,
> > MS_BIND|MS_REMOUNT|MS_RDONLY);
> > goto cleanup;
> > }
> >
> >- VIR_FREE(mnt_src);
> > }
> >
> > rc = 0;
> >
> > cleanup:
> >- VIR_FREE(mnt_src);
> > VIR_DEBUG("rc=%d", rc);
> > return rc;
> > }
> >--
> >2.1.0
> >
> >--
> >libvir-list mailing list
> >libvir-list@xxxxxxxxxx
> >https://www.redhat.com/mailman/listinfo/libvir-list -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list