From 46186acdb011208db4e34beeca513391eb00aa8b Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Mon, 5 Feb 2018 18:32:00 +0100
Subject: [PATCH] doc: add lxc.namespace.clone + lxc.namespace.keep

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
 doc/lxc.container.conf.sgml.in | 63 ++++++++++++++++++++++++++++++++--
 src/lxc/start.c                |  2 +-
 2 files changed, 62 insertions(+), 3 deletions(-)

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 506336dee..ccc6348c4 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1426,11 +1426,70 @@ dev/null proc/kcore none bind,relative 0 0
     </refsect2>
 
     <refsect2>
-      <title>Namespace Inheritance</title>
+      <title>Namespaces</title>
       <para>
-        A namespace can be inherited from another container or process.
+        A namespace can be cloned (<option>lxc.namespace.clone</option>),
+        kept (<option>lxc.namespace.keep</option>) or shared
+        (<option>lxc.namespace.share.[namespace identifier]</option>).
       </para>
       <variablelist>
+        <varlistentry>
+          <term>
+            <option>lxc.namespace.clone</option>
+          </term>
+          <listitem>
+            <para>
+            Specify namespaces which the container is supposed to be created
+            with. The namespaces to create are specified as a space separated
+            list. Each namespace must correspond to one of the standard
+            namespace identifiers as seen in the
+            <filename>/proc/PID/ns</filename> directory.
+            When <option>lxc.namespace.clone</option> is not explicitly set all
+            namespaces supported by the kernel and the current configuration
+            will be used.
+            </para>
+
+            <para>
+            To create a new mount, net and ipc namespace set
+            <option>lxc.namespace.clone=mount net ipc</option>.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
+            <option>lxc.namespace.keep</option>
+          </term>
+          <listitem>
+            <para>
+            Specify namespaces which the container is supposed to inherit from
+            the process that created it. The namespaces to keep are specified as
+            a space separated list. Each namespace must correspond to one of the
+            standard namespace identifiers as seen in the
+            <filename>/proc/PID/ns</filename> directory.
+            The <option>lxc.namespace.keep</option> is a
+            blacklist option, i.e. it is useful when enforcing that containers
+            must keep a specific set of namespaces.
+            </para>
+
+            <para>
+            To keep the network, user and ipc namespace set
+            <option>lxc.namespace.keep=user net ipc</option>.
+            </para>
+
+            <para>
+            Note that sharing pid namespaces will likely not work with most init
+            systems.
+            </para>
+
+            <para>
+            Note that if the container requests a new user namespace and the
+            container wants to inherit the network namespace it needs to inherit
+            the user namespace as well.
+            </para>
+          </listitem>
+        </varlistentry>
+
         <varlistentry>
           <term>
             <option>lxc.namespace.share.[namespace identifier]</option>
diff --git a/src/lxc/start.c b/src/lxc/start.c
index cd7e221c2..6d43c92b2 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1555,7 +1555,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 	 */
 	if (wants_to_map_ids) {
 		if (!handler->conf->ns_share[LXC_NS_USER] ||
-		    (handler->conf->ns_keep & CLONE_NEWUSER) > 0) {
+		    (handler->conf->ns_keep & CLONE_NEWUSER) == 0) {
 			ret = lxc_map_ids(id_map, handler->pid);
 			if (ret < 0) {
 				ERROR("Failed to set up id mapping.");
-- 
2.47.2