nspawn: add new --share-system switch to run a container without PID/UTS/IPC namespacing

This commit is contained in:
Lennart Poettering 2014-02-10 13:15:42 +01:00
parent deb678f15a
commit 8a96d94e4c
2 changed files with 33 additions and 1 deletions


@ -428,6 +428,27 @@
itself.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--share-system</option></term>
<listitem><para>Allows the container
to share certain system facilities
with the host. More specifically, this
turns off PID namespacing, UTS
namespacing and IPC namespacing, and
thus allows the guest to see and
interact more easily with processes
outside of the container. Note that
using this option makes it impossible
to start up a full Operating System in the
container, as an init system cannot
operate in this mode. It is only
useful to run specific programs or
applications this way, without
involving an init
system in the container.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -118,6 +118,7 @@ static char **arg_bind = NULL;
static char **arg_bind_ro = NULL;
static char **arg_setenv = NULL;
static bool arg_quiet = false;
static bool arg_share_system = false;
static int help(void) {
@ -138,6 +139,7 @@ static int help(void) {
" Set the SELinux security context to be used by\n"
" API/tmpfs file systems in the container\n"
" --private-network Disable network in container\n"
" --share-system Share system namespaces with host\n"
" --read-only Mount the root directory read-only\n"
" --capability=CAP In addition to the default, retain specified\n"
" capability\n"
@ -167,6 +169,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_BIND,
ARG_BIND_RO,
ARG_SETENV,
ARG_SHARE_SYSTEM
};
static const struct option options[] = {
@ -189,6 +192,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "selinux-context", required_argument, NULL, 'Z' },
{ "selinux-apifs-context", required_argument, NULL, 'L' },
{ "quiet", no_argument, NULL, 'q' },
{ "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
{}
};
@ -382,6 +386,10 @@ static int parse_argv(int argc, char *argv[]) {
arg_quiet = true;
break;
case ARG_SHARE_SYSTEM:
arg_share_system = true;
break;
case '?':
return -EINVAL;
@ -1267,7 +1275,10 @@ int main(int argc, char *argv[]) {
goto finish;
}
pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS|(arg_private_network ? CLONE_NEWNET : 0), NULL);
pid = syscall(__NR_clone,
SIGCHLD|CLONE_NEWNS|
(arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
(arg_private_network ? CLONE_NEWNET : 0), NULL);
if (pid < 0) {
if (errno == EINVAL)
log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
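Review bot: Dropping CLONE_NEWUTS, CLONE_NEWIPC and CLONE_NEWPID in the clone() call means anything the child does on the assumption of private namespaces now acts directly on the host, and nothing in this hunk gates that; in particular, if the child still sets the machine name with sethostname() (that setup helper is outside this hunk), it would rename the host under --share-system, so it should bail early with `if (arg_share_system) return 0;`. The same applies to any PID-1 or private-IPC assumptions in the child setup, which I cannot see here but which should be audited against arg_share_system. The log_error on the last line also still claims UTS, IPC and PID namespacing are required even when --share-system no longer requests them; consider `"clone() failed, do you have namespace support enabled in your kernel? (You need mount namespacing, plus UTS/IPC/PID and NET namespacing unless --share-system / --private-network disable them): %m"`. Since the shared PID and IPC namespaces let a process that retains CAP_KILL, CAP_SYS_PTRACE or CAP_IPC_OWNER reach host processes and host IPC objects, the man page entry would benefit from stating that --share-system removes those isolation boundaries. main() begins before and ends after this hunk.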