lxc: Move lxcContainerAvailable to virprocess

Other drivers (like qemu) would like to know if the namespaces
are available therefore it makes sense to move this function to
a shared module.

At the same time, this function had some default namespaces that
are checked with every call. It is not necessary - let callers
pass just those namespaces they are interested in.

With the move the function is renamed to
virProcessNamespaceAvailable.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 9c74d35c4533d58f0538e97a4599410489f767d3..d02d23b3595c5e500c64ab503451b33f6ea71267 100644 (file)
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2275,6 +2275,7 @@ virProcessGetPids;
 virProcessGetStartTime;
 virProcessKill;
 virProcessKillPainfully;
+virProcessNamespaceAvailable;
 virProcessRunInMountNamespace;
 virProcessSchedPolicyTypeFromString;
 virProcessSchedPolicyTypeToString;

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 32c0c3a4a596b2fa937f16c785890ca6ac79d8ec..e5619b16838f0cf343c008fc0a3be0c1b33315ff 100644 (file)
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -27,7 +27,6 @@
 #include <config.h>
 
 #include <fcntl.h>
-#include <sched.h>
 #include <limits.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -2265,7 +2264,7 @@ static int lxcContainerChild(void *data)
 
 static int userns_supported(void)
 {
-    return lxcContainerAvailable(LXC_CONTAINER_FEATURE_USER) == 0;
+    return virProcessNamespaceAvailable(VIR_PROCESS_NAMESPACE_USER) == 0;
 }
 
 static int userns_required(virDomainDefPtr def)
@@ -2399,47 +2398,6 @@ int lxcContainerStart(virDomainDefPtr def,
     return pid;
 }
 
-ATTRIBUTE_NORETURN static int
-lxcContainerDummyChild(void *argv ATTRIBUTE_UNUSED)
-{
-    _exit(0);
-}
-
-int lxcContainerAvailable(int features)
-{
-    int flags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|
-        CLONE_NEWIPC|SIGCHLD;
-    int cpid;
-    char *childStack;
-    char *stack;
-    int stacksize = getpagesize() * 4;
-
-    if (features & LXC_CONTAINER_FEATURE_USER)
-        flags |= CLONE_NEWUSER;
-
-    if (features & LXC_CONTAINER_FEATURE_NET)
-        flags |= CLONE_NEWNET;
-
-    if (VIR_ALLOC_N(stack, stacksize) < 0)
-        return -1;
-
-    childStack = stack + stacksize;
-
-    cpid = clone(lxcContainerDummyChild, childStack, flags, NULL);
-    VIR_FREE(stack);
-    if (cpid < 0) {
-        char ebuf[1024] ATTRIBUTE_UNUSED;
-        VIR_DEBUG("clone call returned %s, container support is not enabled",
-                  virStrerror(errno, ebuf, sizeof(ebuf)));
-        return -1;
-    } else if (virProcessWait(cpid, NULL, false) < 0) {
-        return -1;
-    }
-
-    VIR_DEBUG("container support is enabled");
-    return 0;
-}
-
 int lxcContainerChown(virDomainDefPtr def, const char *path)
 {
     uid_t uid;

diff --git a/src/lxc/lxc_container.h b/src/lxc/lxc_container.h
index 33eaab49c4793bcf84a970eb9426bf0473d0c9c1..e0f508d4a546684319d05db495057b27fa868051 100644 (file)
--- a/src/lxc/lxc_container.h
+++ b/src/lxc/lxc_container.h
@@ -28,11 +28,6 @@
 # include "lxc_domain.h"
 # include "security/security_manager.h"
 
-enum {
-    LXC_CONTAINER_FEATURE_NET = (1 << 0),
-    LXC_CONTAINER_FEATURE_USER = (1 << 1),
-};
-
 # define LXC_DEV_MAJ_MEMORY  1
 # define LXC_DEV_MIN_NULL    3
 # define LXC_DEV_MIN_ZERO    5
@@ -65,8 +60,6 @@ int lxcContainerStart(virDomainDefPtr def,
                       size_t nttyPaths,
                       char **ttyPaths);
 
-int lxcContainerAvailable(int features);
-
 int lxcContainerSetupHostdevCapsMakePath(const char *dev);
 
 virArch lxcContainerGetAlt32bitArch(virArch arch);

diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index 04a4b8c2a60274c382bff52d98a2a32024547b3b..a2c1052c65fe13de121456b3733890c5ce493cdb 100644 (file)
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -1575,7 +1575,7 @@ static int lxcCheckNetNsSupport(void)
     if (virRun(argv, &ip_rc) < 0 || ip_rc == 255)
         return 0;
 
-    if (lxcContainerAvailable(LXC_CONTAINER_FEATURE_NET) < 0)
+    if (virProcessNamespaceAvailable(VIR_PROCESS_NAMESPACE_NET) < 0)
         return 0;
 
     return 1;
@@ -1633,7 +1633,10 @@ static int lxcStateInitialize(bool privileged,
     }
 
     /* Check that this is a container enabled kernel */
-    if (lxcContainerAvailable(0) < 0) {
+    if (virProcessNamespaceAvailable(VIR_PROCESS_NAMESPACE_MNT |
+                                     VIR_PROCESS_NAMESPACE_PID |
+                                     VIR_PROCESS_NAMESPACE_UTS |
+                                     VIR_PROCESS_NAMESPACE_IPC) < 0) {
         VIR_INFO("LXC support not available in this kernel, disabling driver");
         return 0;
     }

diff --git a/src/util/virprocess.c b/src/util/virprocess.c
index 1ebe863fb56c87e059f8a0da4e61bfd840486f3f..f5c7ebb96f2d853eb635d53bee31ccde589c039e 100644 (file)
--- a/src/util/virprocess.c
+++ b/src/util/virprocess.c
@@ -1183,6 +1183,78 @@ virProcessSetupPrivateMountNS(void)
 }
 #endif /* !defined(HAVE_SYS_MOUNT_H) || !defined(HAVE_UNSHARE) */
 
+#if defined(__linux__)
+ATTRIBUTE_NORETURN static int
+virProcessDummyChild(void *argv ATTRIBUTE_UNUSED)
+{
+    _exit(0);
+}
+
+/**
+ * virProcessNamespaceAvailable:
+ * @ns: what namespaces to check (bitwise-OR of virProcessNamespaceFlags)
+ *
+ * Check if given list of namespaces (@ns) is available.
+ * If not, appropriate error message is produced.
+ *
+ * Returns: 0 on success (all the namespaces from @flags are available),
+ *         -1 on error (with error message reported).
+ */
+int
+virProcessNamespaceAvailable(unsigned int ns)
+{
+    int flags = 0;
+    int cpid;
+    char *childStack;
+    char *stack;
+    int stacksize = getpagesize() * 4;
+
+    if (ns & VIR_PROCESS_NAMESPACE_MNT)
+        flags |= CLONE_NEWNS;
+    if (ns & VIR_PROCESS_NAMESPACE_IPC)
+        flags |= CLONE_NEWIPC;
+    if (ns & VIR_PROCESS_NAMESPACE_NET)
+        flags |= CLONE_NEWNET;
+    if (ns & VIR_PROCESS_NAMESPACE_PID)
+        flags |= CLONE_NEWPID;
+    if (ns & VIR_PROCESS_NAMESPACE_USER)
+        flags |= CLONE_NEWUSER;
+    if (ns & VIR_PROCESS_NAMESPACE_UTS)
+        flags |= CLONE_NEWUTS;
+
+    /* Signal parent as soon as the child dies. RIP. */
+    flags |= SIGCHLD;
+
+    if (VIR_ALLOC_N(stack, stacksize) < 0)
+        return -1;
+
+    childStack = stack + stacksize;
+
+    cpid = clone(virProcessDummyChild, childStack, flags, NULL);
+    VIR_FREE(stack);
+    if (cpid < 0) {
+        char ebuf[1024] ATTRIBUTE_UNUSED;
+        VIR_DEBUG("clone call returned %s, container support is not enabled",
+                  virStrerror(errno, ebuf, sizeof(ebuf)));
+        return -1;
+    } else if (virProcessWait(cpid, NULL, false) < 0) {
+        return -1;
+    }
+
+    VIR_DEBUG("All namespaces (%x) are enabled", ns);
+    return 0;
+}
+
+#else /* !defined(__linux__) */
+
+int
+virProcessNamespaceAvailable(unsigned int ns ATTRIBUTE_UNUSED)
+{
+    virReportSystemError(ENOSYS, "%s",
+                         _("Namespaces are not supported on this platform."));
+    return -1;
+}
+#endif /* !defined(__linux__) */
 
 /**
  * virProcessExitWithStatus:

diff --git a/src/util/virprocess.h b/src/util/virprocess.h
index c76a1fbc530e3691de537391335f75324e10c96a..3c5a8827728863e3837f31cf60de550e7558af11 100644 (file)
--- a/src/util/virprocess.h
+++ b/src/util/virprocess.h
@@ -95,5 +95,15 @@ int virProcessSetupPrivateMountNS(void);
 int virProcessSetScheduler(pid_t pid,
                            virProcessSchedPolicy policy,
                            int priority);
+typedef enum {
+    VIR_PROCESS_NAMESPACE_MNT = (1 << 1),
+    VIR_PROCESS_NAMESPACE_IPC = (1 << 2),
+    VIR_PROCESS_NAMESPACE_NET = (1 << 3),
+    VIR_PROCESS_NAMESPACE_PID = (1 << 4),
+    VIR_PROCESS_NAMESPACE_USER = (1 << 5),
+    VIR_PROCESS_NAMESPACE_UTS = (1 << 6),
+} virProcessNamespaceFlags;
+
+int virProcessNamespaceAvailable(unsigned int ns);
 
 #endif /* __VIR_PROCESS_H__ */