On Fri, Jun 07, 2013 at 03:12:17PM +0800, Gao feng wrote:
> This patchset tries to add userns support for libvirt lxc.
> Since userns is nearly complete in linux-3.9 and older
> kernels don't support userns, I add some new XML elements
> to let people decide whether to enable userns. The userns is enabled
> only when the user configures it in the XML.
>
> The format of the user namespace related XML is as below:
> <idmap>
>   <uid start='0' target='1000' count='10'/>
>   <gid start='0' target='1000' count='10'/>
> </idmap>
> It means the user in the container (whose uid:gid is 0:0) will
> be mapped to the user on the host (uid:gid is 1000:1000); count
> is used to form a u/gid range: the users in the container whose
> uid is in [start, start + count - 1] will be mapped.
>
> You can have multiple lines to map different id ranges;
> caution, you must make sure the root user of the container has
> been mapped.
>
> This patchset also does the below jobs.
>
> 1, Because the uninit userns has no right to create devices,
>    we should create devices for the container on the host.
> 2, Change the owner of fuse and tty devices.
>
> Changes from v3:
> 1, fix some bugs that Daniel pointed out
> 2, reorder the patchset, introduce virLXCControllerChown first.
> 3, rebase
>
> Changes from v2:
> 1, Mount tmpfs on /stateDir/domain.dev
> 2, Create devices under /stateDir/domain.dev/
> 3, Mount-move /.oldroot/stateDir/domain.dev/ onto the /dev/ of the container
> 4, Enhance the configuration, disallow the semi configuration
>
>
> Gao feng (10):
>   LXC: Introduce New XML element for user namespace
>   LXC: enable user namespace only when user set the uidmap
>   LXC: sort the uidmap/gidmap of domain
>   LXC: introduce virLXCControllerSetupUserns and lxcContainerSetID
>   LXC: Creating devices for container on host side
>   LXC: controller: change the owner of tty devices to the root user of container
>   LXC: controller: change the owner of /dev to the root user of container
>   LXC: controller: change the owner of devices created on host
>   LXC: controller: change the owner of /dev/pts and ptmx to the root of container
>   LXC: fuse: Change files owner to the root user of container
>
>  docs/formatdomain.html.in     |  23 +++++
>  docs/schemas/domaincommon.rng |  31 ++++++
>  src/conf/domain_conf.c        | 115 +++++++++++++++++++++
>  src/conf/domain_conf.h        |  22 ++++
>  src/lxc/lxc_container.c       | 173 +++++++++++++++++--------------
>  src/lxc/lxc_controller.c      | 235 ++++++++++++++++++++++++++++++++++++++++--
>  src/lxc/lxc_fuse.c            |   4 +
>  7 files changed, 516 insertions(+), 87 deletions(-)

FYI, this patchset is now merged. I fixed up error reporting in patch 1,
and I made a slight change to patch #4, to avoid needlessly moving some
functions.

Daniel
--
|: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
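A worked example of the <idmap> semantics described in the quoted cover letter. This is added here and is not libvirt's code nor part of either message: it parses an <idmap> element, enforces the two constraints the cover letter states (container root must be mapped; both <uid> and <gid> must be present, since the "semi configuration" is disallowed), resolves a container id to its host id with the same arithmetic the kernel applies to uid_map ranges, and renders the ranges in the "inside outside count" line format of /proc/<pid>/uid_map and gid_map. The sample document, the function names and the overlap check on the container side are my own assumptions, not something the patchset specifies.

```python
"""Parse a libvirt-LXC style <idmap> element and resolve container ids to host ids.

Added example; not libvirt's own code. The XML follows the format quoted in
the cover letter. The sample document below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two ranges per kind, deliberately listed out of order
# so that the sort step is exercised.
SAMPLE_IDMAP = """
<idmap>
  <uid start='1000' target='200000' count='10'/>
  <uid start='0' target='100000' count='1000'/>
  <gid start='1000' target='200000' count='10'/>
  <gid start='0' target='100000' count='1000'/>
</idmap>
"""


def parse_idmap(xml_text):
    """Return {'uid': [(start, target, count), ...], 'gid': [...]}, sorted by start.

    Raises ValueError for the cases the cover letter warns about: a map that
    does not cover container root, or only one of uid/gid being given. The
    overlap check on the container side is an extra assumption of this example
    (the kernel rejects such maps when they are written to uid_map/gid_map).
    """
    root = ET.fromstring(xml_text)
    if root.tag != 'idmap':
        raise ValueError('expected <idmap> root, got <%s>' % root.tag)
    maps = {'uid': [], 'gid': []}
    for child in root:
        if child.tag not in maps:
            raise ValueError('unexpected element <%s> in <idmap>' % child.tag)
        entry = tuple(int(child.attrib[k]) for k in ('start', 'target', 'count'))
        if entry[2] <= 0:
            raise ValueError('count must be positive: %r' % (entry,))
        maps[child.tag].append(entry)
    for kind, entries in maps.items():
        if not entries:
            raise ValueError('<idmap> is missing <%s> entries' % kind)
        entries.sort()
        for (s1, _, c1), (s2, _, _) in zip(entries, entries[1:]):
            if s1 + c1 > s2:
                raise ValueError('%s ranges overlap at container id %d' % (kind, s2))
        # After sorting, the first range must begin at 0 for root to be mapped.
        if entries[0][0] != 0:
            raise ValueError('container root (%s 0) is not mapped' % kind)
    return maps


def validate_idmap(xml_text):
    """Return None if the map is acceptable, else the error message."""
    try:
        parse_idmap(xml_text)
    except ValueError as e:
        return str(e)
    return None


def to_host_id(entries, container_id):
    """Translate a container-side id to the host-side id, or None if unmapped.

    Same rule the kernel applies to a uid_map line: the id maps to
    target + (id - start) when start <= id < start + count.
    """
    for start, target, count in entries:
        if start <= container_id < start + count:
            return target + (container_id - start)
    return None


def to_kernel_map(entries):
    """Render the ranges as the text written to /proc/<pid>/uid_map or gid_map:
    one 'inside outside count' line per range."""
    return ''.join('%d %d %d\n' % e for e in entries)


if __name__ == '__main__':
    maps = parse_idmap(SAMPLE_IDMAP)
    print('uid_map contents:\n' + to_kernel_map(maps['uid']))
    for cid in (0, 999, 1005, 1010):
        print('container uid %d -> host uid %s' % (cid, to_host_id(maps['uid'], cid)))
```

Container uid 1010 falls outside both ranges and resolves to None; on a real system such an unmapped id has no host identity, which is why the cover letter insists that at least the container's root be covered before the namespace is enabled.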