nspawn: add new --share-system switch to run a container without PID/UTS/IPC namespacing
authorLennart Poettering <lennart@poettering.net>
Mon, 10 Feb 2014 12:15:42 +0000 (13:15 +0100)
committerLennart Poettering <lennart@poettering.net>
Mon, 10 Feb 2014 12:18:16 +0000 (13:18 +0100)
man/systemd-nspawn.xml
src/nspawn/nspawn.c

index 96ccc5cef7f2e85866b0277d1bdfeba27bfc04fe..ca99da4909cac88b654779a86d0508945ec53f64 100644 (file)
                                 itself.</para></listitem>
                         </varlistentry>
 
+                        <varlistentry>
+                                <term><option>--share-system</option></term>
+
+                                <listitem><para>Allows the container
+                                to share certain system facilities
+                                with the host. More specifically, this
+                                turns off PID namespacing, UTS
+                                namespacing and IPC namespacing, and
+                                thus allows the guest to see and
+                                interact more easily with processes
+                                outside of the container. Note that
+                                using this option makes it impossible
+                                to start up a full Operating System in the
+                                container, as an init system cannot
+                                operate in this mode. It is only
+                                useful to run specific programs or
+                                applications this way, without
+                                involving an init
+                                system in the container.</para></listitem>
+                        </varlistentry>
+
                 </variablelist>
 
         </refsect1>
index 646c6c02f387063e03e91c664ada0abe6331b27d..759f9c1aef046729ced5bfdadac8ab3066dda296 100644 (file)
@@ -118,6 +118,7 @@ static char **arg_bind = NULL;
 static char **arg_bind_ro = NULL;
 static char **arg_setenv = NULL;
 static bool arg_quiet = false;
+static bool arg_share_system = false;
 
 static int help(void) {
 
@@ -138,6 +139,7 @@ static int help(void) {
                "                            Set the SELinux security context to be used by\n"
                "                            API/tmpfs file systems in the container\n"
                "     --private-network      Disable network in container\n"
+               "     --share-system         Share system namespaces with host\n"
                "     --read-only            Mount the root directory read-only\n"
                "     --capability=CAP       In addition to the default, retain specified\n"
                "                            capability\n"
@@ -167,6 +169,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_BIND,
                 ARG_BIND_RO,
                 ARG_SETENV,
+                ARG_SHARE_SYSTEM
         };
 
         static const struct option options[] = {
@@ -189,6 +192,7 @@ static int parse_argv(int argc, char *argv[]) {
                 { "selinux-context",       required_argument, NULL, 'Z'                 },
                 { "selinux-apifs-context", required_argument, NULL, 'L'                 },
                 { "quiet",                 no_argument,       NULL, 'q'                 },
+                { "share-system",          no_argument,       NULL, ARG_SHARE_SYSTEM    },
                 {}
         };
 
@@ -382,6 +386,10 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_quiet = true;
                         break;
 
+                case ARG_SHARE_SYSTEM:
+                        arg_share_system = true;
+                        break;
+
                 case '?':
                         return -EINVAL;
 
@@ -1267,7 +1275,10 @@ int main(int argc, char *argv[]) {
                         goto finish;
                 }
 
-                pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS|(arg_private_network ? CLONE_NEWNET : 0), NULL);
+                pid = syscall(__NR_clone,
+                              SIGCHLD|CLONE_NEWNS|
+                              (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
+                              (arg_private_network ? CLONE_NEWNET : 0), NULL);
                 if (pid < 0) {
                         if (errno == EINVAL)
                                 log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
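Review bot: The EINVAL diagnostic on the last line of the hunk still tells the user that UTS, IPC, PID and NET namespacing are needed, but with --share-system the rewritten clone() call a few lines above requests only CLONE_NEWNS (plus CLONE_NEWNET when --private-network is given), so the message now names namespaces that were never asked for. Consider selecting the wording on the flag, e.g. `log_error("clone() failed, do you have namespace support enabled in your kernel? (You need %s namespacing built in): %m", arg_share_system ? "mount and NET" : "UTS, IPC, PID and NET");`. Nothing in the shown hunks rejects combining --share-system with --boot, even though the man page text added in this commit says an init system cannot operate without PID namespacing; if parse_argv does not already do this outside the hunk, it should return -EINVAL for that combination. The help line in the second hunk could also name what is shared, `"     --share-system         Share PID, UTS and IPC namespaces with host\n"`, so the implication that container processes can see and signal host processes is visible from --help. main() continues outside the hunk.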