author | Lennart Poettering <lennart@poettering.net> | 2014-02-10 13:15:42 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-10 13:18:16 +0100 |
commit | 8a96d94e4c33173d1426b7e0a6325405804ba224 (patch) | |
tree | 3606aea55bb646ca716ee38d0ed9ee3bb420f071 | |
parent | deb678f15a6faf9feb29e18954553f5051788056 (diff) |
nspawn: add new --share-system switch to run a container without PID/UTS/IPC namespacing
-rw-r--r-- | man/systemd-nspawn.xml | 21 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 13 |
2 files changed, 33 insertions, 1 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 96ccc5cef7..ca99da4909 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -428,6 +428,27 @@
 itself.</para></listitem>
 </varlistentry>
+ <varlistentry>
+ <term><option>--share-system</option></term>
+
+ <listitem><para>Allows the container
+ to share certain system facilities
+ with the host. More specifically, this
+ turns off PID namespacing, UTS
+ namespacing and IPC namespacing, and
+ thus allows the guest to see and
+ interact more easily with processes
+ outside of the container. Note that
+ using this option makes it impossible
+ to start up a full Operating System in the
+ container, as an init system cannot
+ operate in this mode. It is only
+ useful to run specific programs or
+ applications this way, without
+ involving an init
+ system in the container.</para></listitem>
+ </varlistentry>
+
 </variablelist>
 </refsect1>
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 646c6c02f3..759f9c1aef 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -118,6 +118,7 @@ static char **arg_bind = NULL;
 static char **arg_bind_ro = NULL;
 static char **arg_setenv = NULL;
 static bool arg_quiet = false;
+static bool arg_share_system = false;
 static int help(void) {
@@ -138,6 +139,7 @@ static int help(void) {
 " Set the SELinux security context to be used by\n"
 " API/tmpfs file systems in the container\n"
 " --private-network Disable network in container\n"
+ " --share-system Share system namespaces with host\n"
 " --read-only Mount the root directory read-only\n"
 " --capability=CAP In addition to the default, retain specified\n"
 " capability\n"
@@ -167,6 +169,7 @@ static int parse_argv(int argc, char *argv[]) {
 ARG_BIND,
 ARG_BIND_RO,
 ARG_SETENV,
+ ARG_SHARE_SYSTEM
 };
 static const struct option options[] = {
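Review bot: ARG_SHARE_SYSTEM is added as the last enumerator of the option enum without a trailing comma, so the next option added to this enum must edit this line as well as add its own. Writing it as `ARG_SHARE_SYSTEM,` matches the entries above it (ARG_BIND, ARG_BIND_RO and ARG_SETENV all carry one) and keeps later diffs to a single added line. parse_argv itself starts before this hunk and continues after it.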
@@ -189,6 +192,7 @@ static int parse_argv(int argc, char *argv[]) {
 { "selinux-context", required_argument, NULL, 'Z' },
 { "selinux-apifs-context", required_argument, NULL, 'L' },
 { "quiet", no_argument, NULL, 'q' },
+ { "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
 {}
 };
@@ -382,6 +386,10 @@ static int parse_argv(int argc, char *argv[]) {
 arg_quiet = true;
 break;
+ case ARG_SHARE_SYSTEM:
+ arg_share_system = true;
+ break;
+
 case '?':
 return -EINVAL;
@@ -1267,7 +1275,10 @@ int main(int argc, char *argv[]) {
 goto finish;
 }
- pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS|(arg_private_network ? CLONE_NEWNET : 0), NULL);
+ pid = syscall(__NR_clone,
+ SIGCHLD|CLONE_NEWNS|
+ (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
+ (arg_private_network ? CLONE_NEWNET : 0), NULL);
 if (pid < 0) {
 if (errno == EINVAL)
 log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
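Review bot: Omitting CLONE_NEWUTS when arg_share_system is set leaves the child in the host's UTS namespace, so if the container setup later in main() still calls sethostname() for the container name (that code is outside this hunk, so this is inferred from the flag change alone) it would now rename the host rather than the container; that step, and anything else that assumes the child is PID 1 of a fresh PID namespace, should be guarded with `if (!arg_share_system)` in this mode. The diagnostic on the last line of the hunk is also now misleading: it still says "You need UTS, IPC, PID and NET namespacing built in" even though with --share-system none of the first three flags are requested, so an EINVAL from clone() in that mode points the user at the wrong cause; either make the message generic or pick the text based on arg_share_system. main() begins and ends outside this hunk.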