mirror of
https://github.com/systemd/systemd.git
synced 2025-01-13 17:18:18 +03:00
nspawn: add new --share-system switch to run a container without PID/UTS/IPC namespacing
This commit is contained in:
parent
deb678f15a
commit
8a96d94e4c
@ -428,6 +428,27 @@
|
||||
itself.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--share-system</option></term>
|
||||
|
||||
<listitem><para>Allows the container
|
||||
to share certain system facilities
|
||||
with the host. More specifically, this
|
||||
turns off PID namespacing, UTS
|
||||
namespacing and IPC namespacing, and
|
||||
thus allows the guest to see and
|
||||
interact more easily with processes
|
||||
outside of the container. Note that
|
||||
using this option makes it impossible
|
||||
to start up a full Operating System in the
|
||||
container, as an init system cannot
|
||||
operate in this mode. It is only
|
||||
useful to run specific programs or
|
||||
applications this way, without
|
||||
involving an init
|
||||
system in the container.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
|
||||
</refsect1>
|
||||
|
@ -118,6 +118,7 @@ static char **arg_bind = NULL;
|
||||
static char **arg_bind_ro = NULL;
|
||||
static char **arg_setenv = NULL;
|
||||
static bool arg_quiet = false;
|
||||
static bool arg_share_system = false;
|
||||
|
||||
static int help(void) {
|
||||
|
||||
@ -138,6 +139,7 @@ static int help(void) {
|
||||
" Set the SELinux security context to be used by\n"
|
||||
" API/tmpfs file systems in the container\n"
|
||||
" --private-network Disable network in container\n"
|
||||
" --share-system Share system namespaces with host\n"
|
||||
" --read-only Mount the root directory read-only\n"
|
||||
" --capability=CAP In addition to the default, retain specified\n"
|
||||
" capability\n"
|
||||
@ -167,6 +169,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
ARG_BIND,
|
||||
ARG_BIND_RO,
|
||||
ARG_SETENV,
|
||||
ARG_SHARE_SYSTEM
|
||||
};
|
||||
|
||||
static const struct option options[] = {
|
||||
@ -189,6 +192,7 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
{ "selinux-context", required_argument, NULL, 'Z' },
|
||||
{ "selinux-apifs-context", required_argument, NULL, 'L' },
|
||||
{ "quiet", no_argument, NULL, 'q' },
|
||||
{ "share-system", no_argument, NULL, ARG_SHARE_SYSTEM },
|
||||
{}
|
||||
};
|
||||
|
||||
@ -382,6 +386,10 @@ static int parse_argv(int argc, char *argv[]) {
|
||||
arg_quiet = true;
|
||||
break;
|
||||
|
||||
case ARG_SHARE_SYSTEM:
|
||||
arg_share_system = true;
|
||||
break;
|
||||
|
||||
case '?':
|
||||
return -EINVAL;
|
||||
|
||||
@ -1267,7 +1275,10 @@ int main(int argc, char *argv[]) {
|
||||
goto finish;
|
||||
}
|
||||
|
||||
pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS|(arg_private_network ? CLONE_NEWNET : 0), NULL);
|
||||
pid = syscall(__NR_clone,
|
||||
SIGCHLD|CLONE_NEWNS|
|
||||
(arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)|
|
||||
(arg_private_network ? CLONE_NEWNET : 0), NULL);
|
||||
if (pid < 0) {
|
||||
if (errno == EINVAL)
|
||||
log_error("clone() failed, do you have namespace support enabled in your kernel? (You need UTS, IPC, PID and NET namespacing built in): %m");
|
||||
|
Loading…
Reference in New Issue
Block a user