On Fri, Jan 17, 2014 at 03:15:45PM -0600, Serge Hallyn wrote:
> and fix the help output in the program
>
> Signed-off-by: Serge Hallyn <serge.hal...@ubuntu.com>
Acked-by: Stéphane Graber <stgra...@ubuntu.com> > --- > configure.ac | 1 + > doc/Makefile.am | 1 + > doc/lxc-usernsexec.sgml.in | 156 > +++++++++++++++++++++++++++++++++++++++++++++ > src/lxc/lxc_usernsexec.c | 3 +- > 4 files changed, 159 insertions(+), 2 deletions(-) > create mode 100644 doc/lxc-usernsexec.sgml.in > > diff --git a/configure.ac b/configure.ac > index d8be165..8e1c198 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -592,6 +592,7 @@ AC_CONFIG_FILES([ > doc/lxc-unfreeze.sgml > doc/lxc-unshare.sgml > doc/lxc-user-nic.sgml > + doc/lxc-usernsexec.sgml > doc/lxc-version.sgml > doc/lxc-wait.sgml > > diff --git a/doc/Makefile.am b/doc/Makefile.am > index e87c2f8..f548238 100644 > --- a/doc/Makefile.am > +++ b/doc/Makefile.am > @@ -38,6 +38,7 @@ man_MANS = \ > lxc-unfreeze.1 \ > lxc-unshare.1 \ > lxc-user-nic.1 \ > + lxc-usernsexec.1 \ > lxc-version.1 \ > lxc-wait.1 \ > \ > diff --git a/doc/lxc-usernsexec.sgml.in b/doc/lxc-usernsexec.sgml.in > new file mode 100644 > index 0000000..ca55ed8 > --- /dev/null > +++ b/doc/lxc-usernsexec.sgml.in 
> @@ -0,0 +1,156 @@ > +<!-- > + > +lxc: linux Container library > + > +(C) Copyright IBM Corp. 2007, 2008 > + > +Authors: > +Daniel Lezcano <daniel.lezcano at free.fr> > +Serge Hallyn <serge.hallyn at ubuntu.com> > + > +This library is free software; you can redistribute it and/or > +modify it under the terms of the GNU Lesser General Public > +License as published by the Free Software Foundation; either > +version 2.1 of the License, or (at your option) any later version. > + > +This library is distributed in the hope that it will be useful, > +but WITHOUT ANY WARRANTY; without even the implied warranty of > +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU > +Lesser General Public License for more details. > + > +You should have received a copy of the GNU Lesser General Public > +License along with this library; if not, write to the Free Software > +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA > + > +--> > + > +<!DOCTYPE refentry PUBLIC @docdtd@ [ > + > +<!ENTITY commonoptions SYSTEM "@builddir@/common_options.sgml"> > +<!ENTITY seealso SYSTEM "@builddir@/see_also.sgml"> > +]> > + > +<refentry> > + > + <docinfo><date>@LXC_GENERATE_DATE@</date></docinfo> > + > + <refmeta> > + <refentrytitle>lxc-usernsexec</refentrytitle> > + <manvolnum>1</manvolnum> > + </refmeta> > + > + <refnamediv> > + <refname>lxc-usernsexec</refname> > + > + <refpurpose> > + Run a task as root in a new user namespace. > + </refpurpose> > + </refnamediv> > + > + <refsynopsisdiv> > + <cmdsynopsis> > + <command>lxc-unshare</command> > + <arg choice="opt">-m <replaceable>uid-map</replaceable></arg> > + <arg choice="req">-- command</arg> > + </cmdsynopsis> > + </refsynopsisdiv> > + > + <refsect1> > + <title>Description</title> > + > + <para> > + <command>lxc-usernsexec</command> can be used to run a task as root > + in a new user namespace. 
> + </para> > + > + </refsect1> > + > + <refsect1> > + > + <title>Options</title> > + > + <variablelist> > + > + <varlistentry> > + <term> > + <option>-m <replaceable>uid-map</replaceable></option> > + </term> > + <listitem> > + <para> > + The uid map to use in the user namespace. Each map consists of > + four colon-separate values. First a character 'u', 'g' or 'b' to > + specify whether this map perttains to user ids, group ids, or > + both; next the first userid in the user namespace; next the > + first userid as seen on the host; and finally the number of > + ids to be mapped. > + </para> > + <para> > + More than one map can be specified. If no map is > + specified, then by default the full uid and gid ranges granted > + by /etc/subuid and /etc/subgid will be mapped to the > + uids and gids starting at 0 in the container. > + </para> > + <para> > + Note that <replaceable>lxc-usernsexec</replaceable> always tries > + to setuid and setgid to 0 in the namespace. Therefore uid 0 in > + the namespace must be mapped. > + </para> > + </listitem> > + </varlistentry> > + > + > + </variablelist> > + > + </refsect1> > + > + <refsect1> > + <title>Examples</title> > + <para> > + To spawn a shell with the full allotted subuids mapped into > + the container, use > + <programlisting> > + lxc-usernsexec > + </programlisting> > + To run a different shell than <replaceable>/bin/sh</replaceable>, use > + <programlisting> > + lxc-usernsexec -- /bin/bash > + </programlisting> > + </para> > + <para> > + If your user id is 1000, root in a container is mapped to 190000, and > + you wish to chown a file you own to root in the container, you can use: > + <programlisting> > + lxc-usernsexec -m b:0:1000:1 -m b:1:190000:1 -- /bin/chown 1:1 $file > + </programlisting> > + This maps your userid to root in the user namespace, and 190000 to uid > 1. 
> + Since root in the user namespace is privileged over all userids mapped > + into the namespace, you are allowed to change the file ownership, which > + you could not do on the host using a simple chown. > + </para> > + </refsect1> > + > + &seealso; > + > + <refsect1> > + <title>Author</title> > + <para>Serge Hallyn <email>serge.hal...@ubuntu.com</email></para> > + </refsect1> > + > +</refentry> > + > +<!-- Keep this comment at the end of the file > +Local variables: > +mode: sgml > +sgml-omittag:t > +sgml-shorttag:t > +sgml-minimize-attributes:nil > +sgml-always-quote-attributes:t > +sgml-indent-step:2 > +sgml-indent-data:t > +sgml-parent-document:nil > +sgml-default-dtd-file:nil > +sgml-exposed-tags:nil > +sgml-local-catalogs:nil > +sgml-local-ecat-files:nil > +End: > +--> > diff --git a/src/lxc/lxc_usernsexec.c b/src/lxc/lxc_usernsexec.c > index 35cd473..8335725 100644 > --- a/src/lxc/lxc_usernsexec.c > +++ b/src/lxc/lxc_usernsexec.c > @@ -47,8 +47,7 @@ int unshare(int flags); > > static void usage(const char *name) > { > - printf("usage: %s [-h] [-c] [-mnuUip] [-P <pid-file>]" > - "[command [arg ..]]\n", name); > + printf("usage: %s [-h] [-m <uid-maps>] -- [command [arg ..]]\n", name); > printf("\n"); > printf(" -h this message\n"); > printf("\n"); > -- > 1.8.5.2 > > _______________________________________________ > lxc-devel mailing list > lxc-devel@lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
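Review bot: the synopsis in doc/lxc-usernsexec.sgml.in names the wrong program: `<command>lxc-unshare</command>` inside `<refsynopsisdiv>` should be `<command>lxc-usernsexec</command>`, otherwise the rendered man page advertises a different tool than the one it documents. In the same synopsis, `<arg choice="req">-- command</arg>` marks the command as required, yet the first example runs plain `lxc-usernsexec` and the text says it spawns `/bin/sh`, so the arg should be `choice="opt"`. Smaller fixes in the Options text: "four colon-separate values" should read "colon-separated", "perttains" should read "pertains", and the Note paragraph wraps the program name in `<replaceable>` where the rest of the page uses `<command>`. Finally, `&commonoptions;` is declared in the DOCTYPE but never referenced; drop the declaration or include the entity if those options apply here.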
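Review bot: the new usage line in src/lxc/lxc_usernsexec.c advertises `-m <uid-maps>`, but the option list in the visible context describes only `-h this message`; make sure a line for `-m` (including that it may be given more than once) follows it so the help output matches the man page. The placeholder spelling also differs between the two: `<uid-maps>` here versus `uid-map` in the man page synopsis; pick one.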