From 8a96d94e4c33173d1426b7e0a6325405804ba224 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 10 Feb 2014 13:15:42 +0100 Subject: [PATCH] nspawn: add new --share-system switch to run a container without PID/UTS/IPC namespacing --- man/systemd-nspawn.xml | 21 +++++++++++++++++++++ src/nspawn/nspawn.c | 13 ++++++++++++- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 96ccc5cef..ca99da490 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -428,6 +428,27 @@ itself. + + + + Allows the container + to share certain system facilities + with the host. More specifically, this + turns off PID namespacing, UTS + namespacing and IPC namespacing, and + thus allows the guest to see and + interact more easily with processes + outside of the container. Note that + using this option makes it impossible + to start up a full Operating System in the + container, as an init system cannot + operate in this mode. It is only + useful to run specific programs or + applications this way, without + involving an init + system in the container. + + diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 646c6c02f..759f9c1ae 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -118,6 +118,7 @@ static char **arg_bind = NULL; static char **arg_bind_ro = NULL; static char **arg_setenv = NULL; static bool arg_quiet = false; +static bool arg_share_system = false; static int help(void) { @@ -138,6 +139,7 @@ static int help(void) { " Set the SELinux security context to be used by\n" " API/tmpfs file systems in the container\n" " --private-network Disable network in container\n" + " --share-system Share system namespaces with host\n" " --read-only Mount the root directory read-only\n" " --capability=CAP In addition to the default, retain specified\n" " capability\n" @@ -167,6 +169,7 @@ static int parse_argv(int argc, char *argv[]) { ARG_BIND, ARG_BIND_RO, ARG_SETENV, + ARG_SHARE_SYSTEM }; static const struct option options[] = { @@ -189,6 +192,7 @@ static int parse_argv(int argc, char *argv[]) { { "selinux-context", required_argument, NULL, 'Z' }, { "selinux-apifs-context", required_argument, NULL, 'L' }, { "quiet", no_argument, NULL, 'q' }, + { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM }, {} }; @@ -382,6 +386,10 @@ static int parse_argv(int argc, char *argv[]) { arg_quiet = true; break; + case ARG_SHARE_SYSTEM: + arg_share_system = true; + break; + case '?': return -EINVAL; @@ -1267,7 +1275,10 @@ int main(int argc, char *argv[]) { goto finish; } - pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS|(arg_private_network ? CLONE_NEWNET : 0), NULL); + pid = syscall(__NR_clone, + SIGCHLD|CLONE_NEWNS| + (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)| + (arg_private_network ? CLONE_NEWNET : 0), NULL); if (pid < 0) { if (errno == EINVAL) log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m"); -- 2.30.2