Adds user namespace support to libcontainer #304
Conversation
|
yay, i tried with a custom Dockerfile that has go 1.4 and it seems to work. |
|
@dqminh Thanks for testing it out! :) |
| @@ -58,14 +58,17 @@ func InitializeMountNamespace(rootfs, console string, sysReadonly bool, mountCon | |||
| return fmt.Errorf("create device nodes %s", err) | |||
There was a problem hiding this comment.
mknod isn't allowed in a non-root userns
There was a problem hiding this comment.
The setup process is run in the root userns. The init is started (cloning into userns) and then waits for setup to run and set things up. Setup joins all the namespaces of init except userns. Thanks for taking a look. Feedback and suggestions appreciated.
There was a problem hiding this comment.
@mrunalp Sorry, I don't get the idea with a setup process. Which actions can't be done from userns? Could you elaborate? Maybe you can add a comment before the SetupContainer() function.
LoadContainerEnvironment(), apparmor.ApplyProfile(), label.SetProcessLabel() affect only a current process. Now we call them for the setup process and don't call for the init process. Where are these parameters applied to the init process?
Thanks.
There was a problem hiding this comment.
You are right about SetProcessLabel and ApplyProfile. I have to move them to init. I was aware but missed moving them back. I will post an updated patch with more comments. Thanks.
Sent from my iPhone
On Jan 13, 2015, at 12:29 AM, Andrew Vagin notifications@github.com wrote:
In mount/init.go:
@@ -58,14 +58,17 @@ func InitializeMountNamespace(rootfs, console string, sysReadonly bool, mountCon
return fmt.Errorf("create device nodes %s", err)
@mrunalp Sorry, I don't get the idea with a setup process. Which actions can't be done from userns? Could you elaborate? Maybe you can add a comment before the SetupContainer() function.
LoadContainerEnvironment(), apparmor.ApplyProfile(), label.SetProcessLabel() affect only a current process. Now we call them for the setup process and don't call for the init process. Where are these parameters applied to the init process?
Thanks.—
Reply to this email directly or view it on GitHub.
|
@avagin Yes, we need to add support for userns to nsenter. I was thinking of doing that in follow on patches after this one gets in. |
mrunalp
force-pushed
the
feature/user_namespaces
branch
2 times, most recently
from
95746d1 to
ce7d276
Compare
|
This is looking good, just installed Go 1.4 for testing |
|
Cool, I will rebase it and address comments. |
mrunalp
force-pushed
the
feature/user_namespaces
branch
from
be4b381 to
6647d5b
Compare
|
Ping anyone? :) |
|
@mrunalp Hah, sorry, will review now. |
| @@ -21,7 +21,7 @@ func Setup(rootfs, consolePath, mountLabel string) error { | |||
| return err | |||
| } | |||
|
|
|||
| if err := os.Chown(consolePath, 0, 0); err != nil { | |||
| if err := os.Chown(consolePath, hostRootUid, hostRootUid); err != nil { | |||
There was a problem hiding this comment.
Is this always true, that hostRootUid == hostRootGid?
There was a problem hiding this comment.
We could make that assumption since it doesn't make sense to have separate uid/gid mappings. (Even though we have exposed that).
There was a problem hiding this comment.
I think we can pass down hostRootGid as well.
|
@LK4D4 Any more comments? :) |
| return err | ||
| } | ||
| if consolePath != "" { | ||
| if err := console.OpenAndDup("/dev/console"); err != nil { |
There was a problem hiding this comment.
Should this be consolePath instead of hard coded /dev/console?
There was a problem hiding this comment.
The mount setup is done before we reach here to setup /dev/console and the original consolePath isn't available anymore.
mrunalp
force-pushed
the
feature/user_namespaces
branch
from
465f07f to
4dd5396
Compare
| // to perform these operations. | ||
| func SetupContainer(container *libcontainer.Config, args []string) error { | ||
| consolePath := "" | ||
| dataPath := args[0] |
There was a problem hiding this comment.
Shouldn't this just be parameters of the function?
Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp) Adds sample configuration to test user namespaces. Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp) Rebases to master. Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp) Fixes integration tests. Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp) Move selinux labeling, apparmor profile and restrict kernel files back to init. Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp) Separate the code paths for userns and default cases. Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp) tty not required for setup Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp) Cleanup and address review comments. Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp) Remove debug logs and other cleanup. Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp) Use function paramaters for SetupContainer. Signed-off-by: Mrunal Patel <mrunalp@gmail.com> (github: mrunalp)
mrunalp
force-pushed
the
feature/user_namespaces
branch
from
7ad27ca to
b0eece8
Compare
|
LGTM |
|
LGTM |
Adds user namespace support to libcontainer
|
Really looking forward to this. Out of impatience when can we expect to make use of |
|
@brauner Don't know when that will land, but work has started on basic docker integration. Keep an eye on the PRs :) |
|
@mrunalp excellent! :) |
|
This is great! Can you please link a relevant PR from Docker to this one? |
|
@slafs We will link when we create it :) |
The build will fail as this depends on golang 1.4
I am sending the PR, hoping to get people to test it and give feedback.
There are still log statements for debugging that I will clean up (but keeping them now to make it easier to catch issues).
@crosbymichael @vmarmol @rjnagal PTAL and try it out :)