From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Mon, 5 Feb 2018 17:32:00 +0000 (+0100)
Subject: doc: add lxc.namespace.clone + lxc.namespace.keep
X-Git-Tag: lxc-3.0.0.beta1~44^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=46186acdb011208db4e34beeca513391eb00aa8b;p=thirdparty%2Flxc.git

doc: add lxc.namespace.clone + lxc.namespace.keep

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 506336dee..ccc6348c4 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1426,11 +1426,70 @@ dev/null proc/kcore none bind,relative 0 0
     </refsect2>
 
     <refsect2>
-      <title>Namespace Inheritance</title>
+      <title>Namespaces</title>
       <para>
-        A namespace can be inherited from another container or process.
+        A namespace can be cloned (<option>lxc.namespace.clone</option>),
+        kept (<option>lxc.namespace.keep</option>) or shared
+        (<option>lxc.namespace.share.[namespace identifier]</option>).
       </para>
       <variablelist>
+        <varlistentry>
+          <term>
+            <option>lxc.namespace.clone</option>
+          </term>
+          <listitem>
+            <para>
+            Specify namespaces which the container is supposed to be created
+            with. The namespaces to create are specified as a space separated
+            list. Each namespace must correspond to one of the standard
+            namespace identifiers as seen in the
+            <filename>/proc/PID/ns</filename> directory.
+            When <option>lxc.namespace.clone</option> is not explicitly set all
+            namespaces supported by the kernel and the current configuration
+            will be used.
+            </para>
+
+            <para>
+            To create a new mount, net and ipc namespace set
+            <option>lxc.namespace.clone=mount net ipc</option>.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+            <option>lxc.namespace.keep</option>
+          </term>
+          <listitem>
+            <para>
+            Specify namespaces which the container is supposed to inherit from
+            the process that created it. The namespaces to keep are specified as
+            a space separated list. Each namespace must correspond to one of the
+            standard namespace identifiers as seen in the
+            <filename>/proc/PID/ns</filename> directory.
+            The <option>lxc.namespace.keep</option> is a
+            blacklist option, i.e. it is useful when enforcing that containers
+            must keep a specific set of namespaces.
+            </para>
+
+            <para>
+            To keep the network, user and ipc namespace set
+            <option>lxc.namespace.keep=user net ipc</option>.
+            </para>
+
+            <para>
+            Note that sharing pid namespaces will likely not work with most init
+            systems.
+            </para>
+
+            <para>
+            Note that if the container requests a new user namespace and the
+            container wants to inherit the network namespace it needs to inherit
+            the user namespace as well.
+            </para>
+          </listitem>
+        </varlistentry>
+
         <varlistentry>
           <term>
             <option>lxc.namespace.share.[namespace identifier]</option>
diff --git a/src/lxc/start.c b/src/lxc/start.c
index cd7e221c2..6d43c92b2 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1555,7 +1555,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 	 */
 	if (wants_to_map_ids) {
 		if (!handler->conf->ns_share[LXC_NS_USER] ||
-		    (handler->conf->ns_keep & CLONE_NEWUSER) > 0) {
+		    (handler->conf->ns_keep & CLONE_NEWUSER) == 0) {
 			ret = lxc_map_ids(id_map, handler->pid);
 			if (ret < 0) {
 				ERROR("Failed to set up id mapping.");