Added lxc.monitor.unshare

If manual mounting with elevated permissions is required
this can currently only be done in pre-start hooks or before
starting LXC. In both cases the mounts would appear in the
host's namespace.
With this flag the namespace is unshared before the startup
sequence, so that mounts performed in the pre-start hook
don't show up on the host.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 7a8c6e056764e7d5c084e078e7ffc1c76476d90c..b19eec9423ff18aa834d20503f9ba9902ae53b22 100644 (file)
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1671,6 +1671,18 @@ mknod errno 0
             </para>
           </listitem>
         </varlistentry>
+        <varlistentry>
+          <term>
+            <option>lxc.monitor.unshare</option>
+          </term>
+          <listitem>
+            <para>
+              If not zero the mount namespace will be unshared from the host
+              before initializing the container (before running any pre-start
+              hooks). Default is 0.
+            </para>
+          </listitem>
+        </varlistentry>
         <varlistentry>
           <term>
             <option>lxc.group</option>

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 1374d4a79be331bd8ee13a0701bed6fcfc2c2b0d..b0274ec4d3c1e31e796fe0a32c74ea9211aea5a8 100644 (file)
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -347,6 +347,9 @@ struct lxc_conf {
        struct lxc_list groups;
        int nbd_idx;
 
+       /* unshare the mount namespace in the monitor */
+       int monitor_unshare;
+
        /* set to true when rootfs has been setup */
        bool rootfs_setup;
 

diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index c2eaaa6ce2d6f14f19e9d092fafccadfdf183513..ce6786ceab064938ec14ce985b027fdccb7c457e 100644 (file)
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -103,6 +103,7 @@ static int config_haltsignal(const char *, const char *, struct lxc_conf *);
 static int config_rebootsignal(const char *, const char *, struct lxc_conf *);
 static int config_stopsignal(const char *, const char *, struct lxc_conf *);
 static int config_start(const char *, const char *, struct lxc_conf *);
+static int config_monitor(const char *, const char *, struct lxc_conf *);
 static int config_group(const char *, const char *, struct lxc_conf *);
 static int config_environment(const char *, const char *, struct lxc_conf *);
 static int config_init_cmd(const char *, const char *, struct lxc_conf *);
@@ -173,6 +174,7 @@ static struct lxc_config_t config[] = {
        { "lxc.start.auto",           config_start                },
        { "lxc.start.delay",          config_start                },
        { "lxc.start.order",          config_start                },
+       { "lxc.monitor.unshare",      config_monitor              },
        { "lxc.group",                config_group                },
        { "lxc.environment",          config_environment          },
        { "lxc.init_cmd",             config_init_cmd             },
@@ -1141,6 +1143,17 @@ static int config_start(const char *key, const char *value,
        return -1;
 }
 
+static int config_monitor(const char *key, const char *value,
+                         struct lxc_conf *lxc_conf)
+{
+       if(strcmp(key, "lxc.monitor.unshare") == 0) {
+               lxc_conf->monitor_unshare = atoi(value);
+               return 0;
+       }
+       SYSERROR("Unknown key: %s", key);
+       return -1;
+}
+
 static int config_group(const char *key, const char *value,
                      struct lxc_conf *lxc_conf)
 {
@@ -2483,6 +2496,8 @@ int lxc_get_config_item(struct lxc_conf *c, const char *key, char *retv,
                return lxc_get_conf_int(c, retv, inlen, c->start_delay);
        else if (strcmp(key, "lxc.start.order") == 0)
                return lxc_get_conf_int(c, retv, inlen, c->start_order);
+       else if (strcmp(key, "lxc.monitor.unshare") == 0)
+               return lxc_get_conf_int(c, retv, inlen, c->monitor_unshare);
        else if (strcmp(key, "lxc.group") == 0)
                return lxc_get_item_groups(c, retv, inlen);
        else if (strcmp(key, "lxc.seccomp") == 0)

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 69816da23644a20bdc220f841de03556c044bf0e..2804841894eb44d831b9faa9d82414f373b5776e 100644 (file)
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -820,6 +820,18 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
 
        conf->reboot = 0;
 
+       /* Unshare the mount namespace if requested */
+       if (conf->monitor_unshare) {
+               if (unshare(CLONE_NEWNS)) {
+                       SYSERROR("failed to unshare mount namespace");
+                       return false;
+               }
+               if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) {
+                       SYSERROR("Failed to make / rslave at startup");
+                       return false;
+               }
+       }
+
 reboot:
        if (lxc_check_inherited(conf, daemonize, -1)) {
                ERROR("Inherited fds found");