[PATCH v3 02/12] LXC: enable user namespace only when user set the uidmap


 



User namespace will be enabled only when the idmap exists
in the configuration.

If you want to disable user namespace, just remove these
elements from the XML.

If the kernel doesn't support user namespace and idmap exists
in the configuration file, libvirt lxc will fail to start and
return the "Kernel doesn't support user namespace" message.

Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
---
 src/lxc/lxc_container.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index c74e3ca..618252c 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -2029,14 +2029,12 @@ cleanup:
 
 static int userns_supported(void)
 {
-#if 1
-    /*
-     * put off using userns until uid mapping is implemented
-     */
-    return 0;
-#else
     return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
-#endif
+}
+
+static int userns_required(virDomainDefPtr def)
+{
+	return def->idmap.uidmap && def->idmap.gidmap;
 }
 
 virArch lxcContainerGetAlt32bitArch(virArch arch)
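Review bot: userns_required() at `return def->idmap.uidmap && def->idmap.gidmap;` treats a configuration that carries only a uidmap or only a gidmap as "no user namespace required", so a half-specified mapping silently starts the container without CLONE_NEWUSER instead of being rejected; either reject the mismatch at XML parse time or have the caller report an error when exactly one of the two is set. Two smaller points in the same hunk: the new body is indented with a tab while the surrounding code uses four spaces, and since the function answers a yes/no question it would read better returning `bool` than `int`.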
@@ -2116,9 +2114,15 @@ int lxcContainerStart(virDomainDefPtr def,
 
     cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
 
-    if (userns_supported()) {
-        VIR_DEBUG("Enable user namespaces");
-        cflags |= CLONE_NEWUSER;
+    if (userns_required(def)) {
+        if (userns_supported()) {
+            VIR_DEBUG("Enable user namespace");
+            cflags |= CLONE_NEWUSER;
+        } else {
+            virReportSystemError(VIR_ERR_NO_KERNEL, "%s",
+                                 _("Kernel doesn't support user namespace"));
+            return -1;
+        }
     }
 
     if (lxcNeedNetworkNamespace(def)) {
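Review bot: the else branch passes VIR_ERR_NO_KERNEL to virReportSystemError(), whose first argument is an errno value, not a virErrorNumber; the reported message will be suffixed with a meaningless strerror() text for that number. Use virReportError() with an appropriate error code instead, e.g. `virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("Kernel doesn't support user namespace"));`. The VIR_DEBUG wording also changed from "Enable user namespaces" to "Enable user namespace" in the same hunk; that is harmless but unrelated to the fix.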
-- 
1.8.1.4
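The commit message above describes two decisions: whether the configuration asks for a user namespace (an idmap is present) and whether the running kernel can provide one. The following stand-alone C program is an added example, not part of this patch or of libvirt's source: it probes user-namespace support the way a daemon would (in a forked child, so the caller's own namespaces are untouched), distinguishes "kernel built without user namespaces" (EINVAL from unshare) from "supported but refused by policy" (EPERM and friends), writes a one-entry uid/gid mapping of the same shape libvirt's idmap expresses, and wraps the start-time decision in a pure function that also rejects a mapping with only one of uid or gid set. All function and enum names are the example's own; it assumes Linux with glibc.

```c
/*
 * Added example (not libvirt code): probe user-namespace support and make
 * the "enable / skip / reject" decision for a container start.
 * Assumes Linux + glibc; all names below are this example's own.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum userns_status {
    USERNS_OK = 0,          /* unshare(CLONE_NEWUSER) and id mapping worked */
    USERNS_UNSUPPORTED = 1, /* kernel lacks user namespaces: EINVAL */
    USERNS_DENIED = 2,      /* supported but refused (EPERM, ENOSPC, EUSERS) */
    USERNS_ERROR = 3        /* fork, waitpid or map write failed */
};

enum userns_decision {
    DECISION_SKIP,            /* no idmap: start without a user namespace */
    DECISION_ENABLE,          /* idmap present and the kernel allows it */
    DECISION_REJECT_MISMATCH, /* only one of uid/gid mapping was given */
    DECISION_REJECT_KERNEL    /* idmap present but the kernel cannot provide it */
};

/* Write one "inside outside count" line to /proc/self/{uid,gid}_map
 * (or "deny" to /proc/self/setgroups). 0 on success, -1 with errno set. */
static int write_idmap(const char *path, const char *mapping)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, mapping, strlen(mapping));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(mapping) ? 0 : -1;
}

/* Probe in a child so the caller keeps its own namespaces. The child's
 * exit code carries the enum value back to the parent. */
static enum userns_status probe_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return USERNS_ERROR;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) != 0)
            _exit(errno == EINVAL ? USERNS_UNSUPPORTED : USERNS_DENIED);
        /* Map container uid/gid 0 onto our real ids, the single-entry
         * form of what an <idmap> with count=1 expresses. Since Linux 3.19
         * an unprivileged writer must deny setgroups before gid_map. */
        char map[64];
        snprintf(map, sizeof(map), "0 %u 1", (unsigned)getuid());
        if (write_idmap("/proc/self/uid_map", map) != 0)
            _exit(USERNS_ERROR);
        (void)write_idmap("/proc/self/setgroups", "deny");
        snprintf(map, sizeof(map), "0 %u 1", (unsigned)getgid());
        if (write_idmap("/proc/self/gid_map", map) != 0)
            _exit(USERNS_ERROR);
        /* Inside the new namespace our mapped identity is root. */
        _exit(geteuid() == 0 ? USERNS_OK : USERNS_ERROR);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return USERNS_ERROR;
    return (enum userns_status)WEXITSTATUS(status);
}

/* Start-time policy: a half-specified mapping is an error, not "no userns". */
static enum userns_decision decide_userns(bool has_uidmap, bool has_gidmap,
                                          enum userns_status kernel)
{
    if (!has_uidmap && !has_gidmap)
        return DECISION_SKIP;
    if (has_uidmap != has_gidmap)
        return DECISION_REJECT_MISMATCH;
    return kernel == USERNS_OK ? DECISION_ENABLE : DECISION_REJECT_KERNEL;
}

int main(void)
{
    static const char *names[] = { "ok", "unsupported", "denied", "error" };
    enum userns_status s = probe_userns();
    printf("user namespace probe: %s\n", names[s]);
    printf("idmap with uid+gid -> decision %d\n",
           decide_userns(true, true, s));
    return 0;
}
```

On a kernel built without CONFIG_USER_NS the probe reports "unsupported"; on one where unprivileged user namespaces are switched off by sysctl or blocked by a seccomp filter it reports "denied", which a daemon should surface as a different error than "kernel doesn't support user namespace". Note that unshare() also returns EINVAL for a multithreaded caller, so the probe must run from a single-threaded child.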

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



