Re: [libvirt] [PATCH v3] lxc: Inherit namespace feature

[John Ferlan]

On 08/14/2015 08:09 AM, Daniel P. Berrange wrote:
 From: Imran Khan ik.n...@gmail.com
 
 This patch adds feature for lxc containers to inherit namespaces.
 This is very similar to what lxc-tools or docker provides.  Look
 for man lxc-start and you will find that you can pass command
 args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker
 networking option in which you can give --net=container:NAME_or_ID
 as an option for sharing +namespace.
 
From this patch you can add extra libvirt option to share
 namespace in following way.
 
   lxc:namespace
 lxc:sharenet type='netns' value='red'/
 lxc:shareipc type='pid' value='12345'/
 lxc:shareuts type='name' value='container1'/
   /lxc:namespace
 
 The netns option is specific to sharenet. It can be used to
 inherit from existing network namespace.
 
 Signed-off-by: Daniel P. Berrange berra...@redhat.com
 ---
  docs/drvlxc.html.in   |  21 ++
  docs/schemas/domaincommon.rng |  42 
  po/POTFILES.in|   1 +
  src/Makefile.am   |   6 +-
  src/lxc/lxc_conf.c|   2 +-
  src/lxc/lxc_container.c   |  71 ++--
  src/lxc/lxc_container.h   |   2 +
  src/lxc/lxc_controller.c  |  45 -
  src/lxc/lxc_domain.c  | 149 
 ++
  src/lxc/lxc_domain.h  |  26 
  src/lxc/lxc_process.c | 149 
 ++
  tests/lxcxml2xmltest.c|   1 +
  12 files changed, 506 insertions(+), 9 deletions(-)
 
...

Coverity found a resource leak...

 @@ -2342,6 +2378,7 @@ int lxcContainerStart(virDomainDefPtr def,
int *passFDs,
int control,
int handshakefd,
 +  int *nsInheritFDs,
size_t nttyPaths,
char **ttyPaths)
  {
 @@ -2359,7 +2396,8 @@ int lxcContainerStart(virDomainDefPtr def,
  .monitor = control,
  .nttyPaths = nttyPaths,
  .ttyPaths = ttyPaths,
 -.handshakefd = handshakefd
 +.handshakefd = handshakefd,
 +.nsInheritFDs = nsInheritFDs,
  };
  
  /* allocate a stack for the container */
 @@ -2368,7 +2406,7 @@ int lxcContainerStart(virDomainDefPtr def,
  
  stacktop = stack + stacksize;
  
 -cflags = CLONE_NEWPID|CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|SIGCHLD;
 +cflags = CLONE_NEWPID|CLONE_NEWNS|SIGCHLD;
  
  if (userns_required(def)) {
  if (userns_supported()) {
 @@ -2381,10 +2419,31 @@ int lxcContainerStart(virDomainDefPtr def,
  return -1;
  }
  }
 +if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHARENET] == -1) {
 +if (lxcNeedNetworkNamespace(def)) {
 +VIR_DEBUG(Enable network namespaces);
 +cflags |= CLONE_NEWNET;
 +}
 +} else {
 +if (lxcNeedNetworkNamespace(def)) {
 +virReportError(VIR_ERR_CONFIG_UNSUPPORTED, %s,
 +   _(Config askes for inherit net namespace 
 + as well as private network interfaces));
 +return -1;

This leaks 'stack'...

Sending a patch shortly.

John

 +}
 +VIR_DEBUG(Inheriting a net namespace);
 +}
  
 -if (lxcNeedNetworkNamespace(def)) {
 -VIR_DEBUG(Enable network namespaces);
 -cflags |= CLONE_NEWNET;
 +if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC] == -1) {
 +cflags |= CLONE_NEWIPC;
 +} else {
 +VIR_DEBUG(Inheriting an IPC namespace);
 +}
 +
 +if (nsInheritFDs[VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] == -1) {
 +cflags |= CLONE_NEWUTS;
 +} else {
 +VIR_DEBUG(Inheriting a UTS namespace);
  }
  
  VIR_DEBUG(Cloning container init process);

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH v3] lxc: Inherit namespace feature

[Michal Privoznik]

On 14.08.2015 14:09, Daniel P. Berrange wrote:
 From: Imran Khan ik.n...@gmail.com
 
 This patch adds feature for lxc containers to inherit namespaces.
 This is very similar to what lxc-tools or docker provides.  Look
 for man lxc-start and you will find that you can pass command
 args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker
 networking option in which you can give --net=container:NAME_or_ID
 as an option for sharing +namespace.
 
From this patch you can add extra libvirt option to share

s///

 namespace in following way.
 
   lxc:namespace
 lxc:sharenet type='netns' value='red'/
 lxc:shareipc type='pid' value='12345'/
 lxc:shareuts type='name' value='container1'/
   /lxc:namespace
 
 The netns option is specific to sharenet. It can be used to
 inherit from existing network namespace.
 
 Signed-off-by: Daniel P. Berrange berra...@redhat.com
 ---
  docs/drvlxc.html.in   |  21 ++
  docs/schemas/domaincommon.rng |  42 
  po/POTFILES.in|   1 +
  src/Makefile.am   |   6 +-
  src/lxc/lxc_conf.c|   2 +-
  src/lxc/lxc_container.c   |  71 ++--
  src/lxc/lxc_container.h   |   2 +
  src/lxc/lxc_controller.c  |  45 -
  src/lxc/lxc_domain.c  | 149 
 ++
  src/lxc/lxc_domain.h  |  26 
  src/lxc/lxc_process.c | 149 
 ++
  tests/lxcxml2xmltest.c|   1 +
  12 files changed, 506 insertions(+), 9 deletions(-)
 

 diff --git a/src/lxc/lxc_process.c b/src/lxc/lxc_process.c
 index e99b039..9699377 100644
 --- a/src/lxc/lxc_process.c
 +++ b/src/lxc/lxc_process.c
 @@ -359,6 +359,135 @@ char *virLXCProcessSetupInterfaceDirect(virConnectPtr 
 conn,
  return ret;
  }
  
 +static const char *nsInfoLocal[VIR_LXC_DOMAIN_NAMESPACE_LAST] = {
 +[VIR_LXC_DOMAIN_NAMESPACE_SHARENET] = net,
 +[VIR_LXC_DOMAIN_NAMESPACE_SHAREIPC] = ipc,
 +[VIR_LXC_DOMAIN_NAMESPACE_SHAREUTS] = uts,
 +};
 +
 +static int virLXCProcessSetupNamespaceName(virConnectPtr conn, int ns_type, 
 const char *name)
 +{
 +virLXCDriverPtr driver = conn-privateData;
 +int fd = -1;
 +virDomainObjPtr vm;
 +char *path;
 +
 +vm = virDomainObjListFindByName(driver-domains, name);
 +if (!vm) {
 +virReportError(VIR_ERR_NO_DOMAIN,
 +   _(No domain with matching name '%s'), name);
 +return -1;
 +}
 +
 +if (virAsprintf(path, /proc/%lld/ns/%s,
 +(long long int)vm-pid,
 +nsInfoLocal[ns_type])  0)
 +goto cleanup;
 +
 +if ((fd = open(path, O_RDONLY))  0) {
 +virReportSystemError(errno,
 + _(failed to open ns %s),
 + virLXCDomainNamespaceTypeToString(ns_type));
 +goto cleanup;
 +}
 +
 + cleanup:
 +VIR_FREE(path);
 +virObjectUnlock(vm);
 +virObjectUnref(vm);
 +return fd;
 +}
 +
 +
 +static int virLXCProcessSetupNamespacePID(int ns_type, const char *name)
 +{
 +int fd;
 +char *path;
 +
 +if (virAsprintf(path, /proc/%s/ns/%s,
 +name,
 +nsInfoLocal[ns_type])  0)
 +return -1;
 +fd = open(path, O_RDONLY);
 +VIR_FREE(path);
 +if (fd  0) {
 +virReportSystemError(errno,
 + _(failed to open ns %s),
 + virLXCDomainNamespaceTypeToString(ns_type));
 +return -1;
 +}
 +return fd;
 +}
 +
 +
 +static int virLXCProcessSetupNamespaceNet(int ns_type, const char *name)
 +{
 +char *path;
 +int fd;
 +if (ns_type != VIR_LXC_DOMAIN_NAMESPACE_SHARENET) {
 +virReportError(VIR_ERR_CONFIG_UNSUPPORTED, %s

s/$/,/

 +   _('netns' namespace source can only be 
 + used with sharenet));
 +return -1;
 +}
 +
 +if (virAsprintf(path, /var/run/netns/%s, name)  0)
 +return  -1;
 +fd = open(path, O_RDONLY);
 +VIR_FREE(path);
 +if (fd  0) {
 +virReportSystemError(errno,
 + _(failed to open netns %s), name);
 +return -1;
 +}
 +return fd;
 +}
 +
 +


 diff --git a/tests/lxcxml2xmltest.c b/tests/lxcxml2xmltest.c
 index 3e00347..8d824b9 100644
 --- a/tests/lxcxml2xmltest.c
 +++ b/tests/lxcxml2xmltest.c
 @@ -133,6 +133,7 @@ mymain(void)
  DO_TEST(filesystem-root);
  DO_TEST(idmap);
  DO_TEST(capabilities);
 +DO_TEST(sharenet);

Have you forgot to git add tests/lxcxml2xmldata/lxc-sharenet.xml?
I like the idea though. I'm tempted to ACK this if you fix all the small
issues I've raised.

Michal

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH v3] lxc: Inherit namespace feature

[Daniel P. Berrange]

From: Imran Khan ik.n...@gmail.com

This patch adds feature for lxc containers to inherit namespaces.
This is very similar to what lxc-tools or docker provides.  Look
for man lxc-start and you will find that you can pass command
args as [ --share-[net|ipc|uts] name|pid ]. Or check out docker
networking option in which you can give --net=container:NAME_or_ID
as an option for sharing +namespace.

From this patch you can add extra libvirt option to share
namespace in following way.

  lxc:namespace
lxc:sharenet type='netns' value='red'/
lxc:shareipc type='pid' value='12345'/
lxc:shareuts type='name' value='container1'/
  /lxc:namespace

The netns option is specific to sharenet. It can be used to
inherit from existing network namespace.

Signed-off-by: Daniel P. Berrange berra...@redhat.com
---
 docs/drvlxc.html.in   |  21 ++
 docs/schemas/domaincommon.rng |  42 
 po/POTFILES.in|   1 +
 src/Makefile.am   |   6 +-
 src/lxc/lxc_conf.c|   2 +-
 src/lxc/lxc_container.c   |  71 ++--
 src/lxc/lxc_container.h   |   2 +
 src/lxc/lxc_controller.c  |  45 -
 src/lxc/lxc_domain.c  | 149 ++
 src/lxc/lxc_domain.h  |  26 
 src/lxc/lxc_process.c | 149 ++
 tests/lxcxml2xmltest.c|   1 +
 12 files changed, 506 insertions(+), 9 deletions(-)

diff --git a/docs/drvlxc.html.in b/docs/drvlxc.html.in
index a094bd9..d6c57c4 100644
--- a/docs/drvlxc.html.in
+++ b/docs/drvlxc.html.in
@@ -590,6 +590,27 @@ Note that allowing capabilities that are normally dropped 
by default can serious
 affect the security of the container and the host.
 /p
 
+h2a name=shareInherit namespaces/a/h2
+
+p
+Libvirt allows you to inherit the namespace from container/process just like 
lxc tools
+or docker provides to share the network namespace. The following can be used 
to share
+required namespaces. If we want to share only one then the other namespaces 
can be ignored.
+The netns option is specific to sharenet. It can be used in cases we want to 
use existing network namespace
+rather than creating new network namespace for the container. In this case 
privnet option will be
+ignored.
+/p
+pre
+lt;domain type='lxc' xmlns:lxc='http://libvirt.org/schemas/domain/lxc/1.0'gt;
+...
+lt;lxc:namespacegt;
+  lt;lxc:sharenet type='netns' value='red'/gt;
+  lt;lxc:shareuts type='name' value='container1'/gt;
+  lt;lxc:shareipc type='pid' value='12345'/gt;
+lt;/lxc:namespacegt;
+lt;/domaingt;
+/pre
+
 h2a name=usageContainer usage / management/a/h2
 
 p
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 043c975..fa026cd 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -68,6 +68,9 @@
   ref name='qemucmdline'/
 /optional
 optional
+  ref name='lxcsharens'/
+/optional
+optional
   ref name='keywrap'/
 /optional
   /interleave
@@ -5057,6 +5060,45 @@
 /element
   /define
 
+  !--
+   Optional hypervisor extensions in their own namespace:
+   LXC
+--
+  define name=lxcsharens
+element name=namespace ns=http://libvirt.org/schemas/domain/lxc/1.0;
+  zeroOrMore
+element name=sharenet
+  attribute name=type
+choice
+  valuenetns/value
+  valuename/value
+  valuepid/value
+/choice
+  /attribute
+  attribute name='value'/
+/element
+element name=shareipc
+  attribute name=type
+choice
+  valuename/value
+  valuepid/value
+/choice
+  /attribute
+  attribute name='value'/
+/element
+element name=shareuts
+  attribute name=type
+choice
+  valuename/value
+  valuepid/value
+/choice
+  /attribute
+  attribute name='value'/
+/element
+  /zeroOrMore
+/element
+  /define
+
   define name=metadata
 element name=metadata
   zeroOrMore
diff --git a/po/POTFILES.in b/po/POTFILES.in
index c58a7c1..dcabcc8 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -85,6 +85,7 @@ src/lxc/lxc_native.c
 src/lxc/lxc_container.c
 src/lxc/lxc_conf.c
 src/lxc/lxc_controller.c
+src/lxc/lxc_domain.c
 src/lxc/lxc_driver.c
 src/lxc/lxc_process.c
 src/libxl/libxl_domain.c
diff --git a/src/Makefile.am b/src/Makefile.am
index c4d49a5..fde11ff 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1320,7 +1320,11 @@ libvirt_driver_lxc_impl_la_CFLAGS = \
-I$(srcdir)/access \
-I$(srcdir)/conf \
$(AM_CFLAGS)
-libvirt_driver_lxc_impl_la_LIBADD = $(CAPNG_LIBS) $(LIBNL_LIBS) $(FUSE_LIBS)
+libvirt_driver_lxc_impl_la_LIBADD = \
+   $(CAPNG_LIBS) \
+   $(LIBNL_LIBS) \
+