On 08/14/2015 08:09 AM, Daniel P. Berrange wrote:
> From: Imran Khan <ik.nitk@xxxxxxxxx>
>
> This patch adds feature for lxc containers to inherit namespaces.
> This is very similar to what lxc-tools or docker provides. Look
> for "man lxc-start" and you will find that you can pass command
> args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker
> networking option in which you can give --net=container:NAME_or_ID
> as an option for sharing +namespace.
> >>From this patch you can add extra libvirt option to share
> namespace in following way.
>
> <lxc:namespace>
> <lxc:sharenet type='netns' value='red'/>
> <lxc:shareipc type='pid' value='12345'/>
> <lxc:shareuts type='name' value='container1'/>
> </lxc:namespace>
>
> The netns option is specific to sharenet. It can be used to
> inherit from existing network namespace.
>
> Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
> ---
> docs/drvlxc.html.in | 21 ++++++
> docs/schemas/domaincommon.rng | 42 ++++++++++++
> po/POTFILES.in | 1 +
> src/Makefile.am | 6 +-
> src/lxc/lxc_conf.c | 2 +-
> src/lxc/lxc_container.c | 71 ++++++++++++++++++--
> src/lxc/lxc_container.h | 2 +
> src/lxc/lxc_controller.c | 45 ++++++++++++-
> src/lxc/lxc_domain.c | 149 ++++++++++++++++++++++++++++++++++++++++++
> src/lxc/lxc_domain.h | 26 ++++++++
> src/lxc/lxc_process.c | 149 ++++++++++++++++++++++++++++++++++++++++++
> tests/lxcxml2xmltest.c | 1 +
> 12 files changed, 506 insertions(+), 9 deletions(-)
> ...
Coverity found a resource leak...
> @@ -2342,6 +2378,7 @@ int lxcContainerStart(virDomainDefPtr def,
> int *passFDs,
> int control,
> int handshakefd,
> + int *nsInheritFDs,
> size_t nttyPaths,
> char **ttyPaths)
> {
> @@ -2359,7 +2396,8 @@ int lxcContainerStart(virDomainDefPtr def,
> .monitor = control,
> .nttyPaths = nttyPaths,
> .ttyPaths = ttyPaths,
> - .handshakefd = handshakefd
> + .handshakefd = handshakefd,
> + .nsInheritFDs = nsInheritFDs,
> };
>
> /* allocate a stack for the container */
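Review bot: The new `nsInheritFDs` parameter is added to the signature and stored into the child argument struct without any statement of its contract, yet the later hunk on this page indexes it with the `VIR_LXC_DOMAIN_NAMESPACE_*` constants and compares entries against -1 with no NULL check, so every caller must pass a fully populated array. I would document that at the declaration in lxc_container.h (changed per the diffstat but not shown here) with a comment along the lines of `/* nsInheritFDs: array indexed by virLXCDomainNamespace; -1 = create a fresh namespace, otherwise an fd on the namespace to join; must not be NULL */`. Whether the fds are closed by the controller after the clone or by the child once it has joined the namespace is not visible in this hunk and belongs in the same comment, since a leaked namespace fd keeps that namespace alive. The body of lxcContainerStart continues outside the hunk.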
> @@ -2368,7 +2406,7 @@ int lxcContainerStart(virDomainDefPtr def,
>
> stacktop = stack + stacksize;
>
> - cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
> + cflags = CLONE_NEWPID|CLONE_NEWNS|SIGCHLD;
>
> if (userns_required(def)) {
> if (userns_supported()) {
> @@ -2381,10 +2419,31 @@ int lxcContainerStart(virDomainDefPtr def,
> return -1;
> }
> }
> + if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHARENET] == -1) {
> + if (lxcNeedNetworkNamespace(def)) {
> + VIR_DEBUG("Enable network namespaces");
> + cflags |= CLONE_NEWNET;
> + }
> + } else {
> + if (lxcNeedNetworkNamespace(def)) {
> + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> + _("Config askes for inherit net namespace "
> + "as well as private network interfaces"));
> + return -1;
This leaks 'stack'... Sending a patch shortly. John
> + }
> + VIR_DEBUG("Inheriting a net namespace");
> + }
>
> - if (lxcNeedNetworkNamespace(def)) {
> - VIR_DEBUG("Enable network namespaces");
> - cflags |= CLONE_NEWNET;
> + if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC] == -1) {
> + cflags |= CLONE_NEWIPC;
> + } else {
> + VIR_DEBUG("Inheriting an IPC namespace");
> + }
> +
> + if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] == -1) {
> + cflags |= CLONE_NEWUTS;
> + } else {
> + VIR_DEBUG("Inheriting a UTS namespace");
> }
>
> VIR_DEBUG("Cloning container init process");
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
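Review bot: The IPC and UTS branches have no counterpart to the conflict check the net branch performs, so a domain that inherits a UTS namespace and also carries a hostname in its definition is accepted here; if the container setup later applies that hostname with sethostname() (outside this hunk), the call would now rename the inherited namespace — the host's own, if the fd was opened on it — instead of a private one. I would either reject that combination next to the net check or make the hostname step conditional on `nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] == -1`, and the same review is worth doing for whatever the child sets up in the IPC namespace once it is shared. The net-side check also only fires at clone time, after the controller is already running; reporting the same conflict from the domain post-parse validation would surface it at define time. Separately, the new translatable message has a typo that will otherwise land in the .po files: `_("Config asks for inherit net namespace "` (currently `askes`). The body of lxcContainerStart continues outside the hunk.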