authorLennart Poettering <lennart@poettering.net>2014-02-10 13:15:42 +0100
committerLennart Poettering <lennart@poettering.net>2014-02-10 13:18:16 +0100
commit8a96d94e4c33173d1426b7e0a6325405804ba224 (patch)
tree3606aea55bb646ca716ee38d0ed9ee3bb420f071
parentdeb678f15a6faf9feb29e18954553f5051788056 (diff)
nspawn: add new --share-system switch to run a container without PID/UTS/IPC namespacing
-rw-r--r--man/systemd-nspawn.xml21
-rw-r--r--src/nspawn/nspawn.c13
2 files changed, 33 insertions, 1 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 96ccc5cef..ca99da490 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -428,6 +428,27 @@
itself.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--share-system</option></term>
+
+ <listitem><para>Allows the container
+ to share certain system facilities
+ with the host. More specifically, this
+ turns off PID namespacing, UTS
+ namespacing and IPC namespacing, and
+ thus allows the guest to see and
+ interact more easily with processes
+ outside of the container. Note that
+ using this option makes it impossible
+ to start up a full Operating System in the
+ container, as an init system cannot
+ operate in this mode. It is only
+ useful to run specific programs or
+ applications this way, without
+ involving an init
+ system in the container.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 646c6c02f..759f9c1ae 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -118,6 +118,7 @@ static char **arg_bind = NULL;
static char **arg_bind_ro = NULL;
static char **arg_setenv = NULL;
static bool arg_quiet = false;
+static bool arg_share_system = false;
static int help(void) {
@@ -138,6 +139,7 @@ static int help(void) {
" Set the SELinux security context to be used by\n"
" API/tmpfs file systems in the container\n"
" --private-network Disable network in container\n"
+ " --share-system Share system namespaces with host\n"
" --read-only Mount the root directory read-only\n"
" --capability=CAP In addition to the default, retain specified\n"
" capability\n"
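Review bot: The new help line says only "Share system namespaces with host", while the man page text in the same commit is explicit that it disables PID, UTS and IPC namespacing and that an init system cannot run in this mode; a user reading --help gets neither fact. Spelling out the namespaces keeps the two descriptions consistent, e.g. `" --share-system Share PID, UTS and IPC namespaces with host\n"` (column alignment to match the neighbouring lines, which are not fully visible here). help()'s body continues outside the hunk.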
@@ -167,6 +169,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_BIND,
ARG_BIND_RO,
ARG_SETENV,
+ ARG_SHARE_SYSTEM
};
static const struct option options[] = {
@@ -189,6 +192,7 @@ static int parse_argv(int argc, char *argv[]) {
{ "selinux-context", required_argument, NULL, 'Z' },
{ "selinux-apifs-context", required_argument, NULL, 'L' },
{ "quiet", no_argument, NULL, 'q' },
+ { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
{}
};
@@ -382,6 +386,10 @@ static int parse_argv(int argc, char *argv[]) {
arg_quiet = true;
break;
+ case ARG_SHARE_SYSTEM:
+ arg_share_system = true;
+ break;
+
case '?':
return -EINVAL;
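Review bot: The new case sets arg_share_system but nothing rejects the combination with boot mode, even though the man page added by this commit states an init system cannot operate without PID namespacing; the conflict would only surface later as a confusing failure inside the container. If parse_argv's post-switch validation (outside this hunk) does not already cover it, add `if (arg_share_system && arg_boot) { log_error("--boot and --share-system may not be combined."); return -EINVAL; }` next to the other option checks, assuming the boot flag is still named arg_boot in this version. Rejecting the pair up front also documents, in code, that --share-system is meant for running individual programs rather than a full OS.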
@@ -1267,7 +1275,10 @@ int main(int argc, char *argv[]) {
goto finish;
}
- pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS|(arg_private_network ? CLONE_NEWNET : 0), NULL);
+ pid = syscall(__NR_clone,
+ SIGCHLD|CLONE_NEWNS|
+ (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
+ (arg_private_network ? CLONE_NEWNET : 0), NULL);
if (pid < 0) {
if (errno == EINVAL)
log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
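Review bot: The EINVAL hint on the last line still claims that UTS, IPC, PID and NET namespacing are all required, but after this change the clone() request may contain only CLONE_NEWNS (plus CLONE_NEWNET with --private-network), so the message names the wrong prerequisites when --share-system is in use and misleads the user toward rebuilding a kernel for namespaces they did not ask for. A neutral wording covers both modes: `log_error("clone() failed, do you have namespace support enabled in your kernel? (You need mount namespacing, plus UTS, IPC and PID namespacing unless --share-system is used, and NET namespacing for --private-network): %m");`. It is also worth a short comment above the syscall stating that with arg_share_system the child keeps only a private mount namespace and therefore shares the host's process table, hostname and SysV IPC objects, since every later step that assumes the container has its own PID 1 (all outside this hunk) has to tolerate that reduced isolation. main() starts and continues outside the hunk.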