doc: add lxc.namespace.clone + lxc.namespace.keep

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 506336dee7ab9f679cb1ebc96a42989ad29a8264..ccc6348c422b4f271e4dba13467dddcaabbacf3d 100644 (file)
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1426,11 +1426,70 @@ dev/null proc/kcore none bind,relative 0 0
     </refsect2>
 
     <refsect2>
-      <title>Namespace Inheritance</title>
+      <title>Namespaces</title>
       <para>
-        A namespace can be inherited from another container or process.
+        A namespace can be cloned (<option>lxc.namespace.clone</option>),
+        kept (<option>lxc.namespace.keep</option>) or shared
+        (<option>lxc.namespace.share.[namespace identifier]</option>).
       </para>
       <variablelist>
+        <varlistentry>
+          <term>
+            <option>lxc.namespace.clone</option>
+          </term>
+          <listitem>
+            <para>
+            Specify namespaces which the container is supposed to be created
+            with. The namespaces to create are specified as a space separated
+            list. Each namespace must correspond to one of the standard
+            namespace identifiers as seen in the
+            <filename>/proc/PID/ns</filename> directory.
+            When <option>lxc.namespace.clone</option> is not explicitly set all
+            namespaces supported by the kernel and the current configuration
+            will be used.
+            </para>
+
+            <para>
+            To create a new mount, net and ipc namespace set
+            <option>lxc.namespace.clone=mount net ipc</option>.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+            <option>lxc.namespace.keep</option>
+          </term>
+          <listitem>
+            <para>
+            Specify namespaces which the container is supposed to inherit from
+            the process that created it. The namespaces to keep are specified as
+            a space separated list. Each namespace must correspond to one of the
+            standard namespace identifiers as seen in the
+            <filename>/proc/PID/ns</filename> directory.
+            The <option>lxc.namespace.keep</option> is a
+            blacklist option, i.e. it is useful when enforcing that containers
+            must keep a specific set of namespaces.
+            </para>
+
+            <para>
+            To keep the network, user and ipc namespace set
+            <option>lxc.namespace.keep=user net ipc</option>.
+            </para>
+
+            <para>
+            Note that sharing pid namespaces will likely not work with most init
+            systems.
+            </para>
+
+            <para>
+            Note that if the container requests a new user namespace and the
+            container wants to inherit the network namespace it needs to inherit
+            the user namespace as well.
+            </para>
+          </listitem>
+        </varlistentry>
+
         <varlistentry>
           <term>
             <option>lxc.namespace.share.[namespace identifier]</option>

diff --git a/src/lxc/start.c b/src/lxc/start.c
index cd7e221c27b7474e6907620c73d8f41e56fe6d21..6d43c92b2bd38b31fbde455cae6bcdd796125167 100644 (file)
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1555,7 +1555,7 @@ static int lxc_spawn(struct lxc_handler *handler)
         */
        if (wants_to_map_ids) {
                if (!handler->conf->ns_share[LXC_NS_USER] ||
-                   (handler->conf->ns_keep & CLONE_NEWUSER) > 0) {
+                   (handler->conf->ns_keep & CLONE_NEWUSER) == 0) {
                        ret = lxc_map_ids(id_map, handler->pid);
                        if (ret < 0) {
                                ERROR("Failed to set up id mapping.");