Merge pull request #1884 from brauner/2017-10-28/move_tools_to_api_only

src/lxc/commands.c

@@ -835,7 +835,7 @@ static int lxc_cmd_get_name_callback(int fd, struct lxc_cmd_req *req,
 
 	memset(&rsp, 0, sizeof(rsp));
 
-	rsp.data = handler->name;
+	rsp.data = (char *)handler->name;
 	rsp.datalen = strlen(handler->name) + 1;
 	rsp.ret = 0;
 

src/lxc/conf.c

@@ -2461,21 +2461,19 @@ struct lxc_conf *lxc_conf_init(void)
 	lxc_list_init(&new->aliens);
 	lxc_list_init(&new->environment);
 	lxc_list_init(&new->limits);
-	for (i=0; i<NUM_LXC_HOOKS; i++)
+	for (i = 0; i < NUM_LXC_HOOKS; i++)
 		lxc_list_init(&new->hooks[i]);
 	lxc_list_init(&new->groups);
 	new->lsm_aa_profile = NULL;
 	new->lsm_se_context = NULL;
 	new->tmp_umount_proc = 0;
 
-	for (i = 0; i < LXC_NS_MAX; i++)
-		new->inherit_ns_fd[i] = -1;
-
 	/* if running in a new user namespace, init and COMMAND
 	 * default to running as UID/GID 0 when using lxc-execute */
 	new->init_uid = 0;
 	new->init_gid = 0;
 	memset(&new->cgroup_meta, 0, sizeof(struct lxc_cgroup));
+	memset(&new->inherit_ns, 0, sizeof(char *) * LXC_NS_MAX);
 
 	return new;
 }
@@ -3155,7 +3153,7 @@ int lxc_setup_child(struct lxc_handler *handler)
 		return -1;
 	}
 
-	if (lxc_conf->inherit_ns_fd[LXC_NS_UTS] == -1) {
+	if (handler->nsfd[LXC_NS_UTS] == -1) {
 		if (setup_utsname(lxc_conf->utsname)) {
 			ERROR("failed to setup the utsname for '%s'", name);
 			return -1;
@@ -3674,7 +3672,7 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data,
 	struct lxc_list *it;
 	struct id_map *map;
 	char c = '1';
-	int ret = -1;
+	int ret = -1, status = -1;
 	struct lxc_list *idmap = NULL, *tmplist = NULL;
 	struct id_map *container_root_uid = NULL, *container_root_gid = NULL,
 		      *host_uid_map = NULL, *host_gid_map = NULL;
@@ -3844,10 +3842,11 @@ int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data,
 		goto on_error;
 	}
 
+on_error:
 	/* Wait for child to finish. */
-	ret = wait_for_pid(pid);
+	if (pid > 0)
+		status = wait_for_pid(pid);
 
-on_error:
 	if (idmap)
 		lxc_free_idmap(idmap);
 	if (container_root_uid)
@@ -3863,6 +3862,9 @@ on_error:
 		close(p[0]);
 	close(p[1]);
 
+	if (status < 0)
+		ret = -1;
+
 	return ret;
 }
 
@@ -4026,10 +4028,11 @@ int userns_exec_full(struct lxc_conf *conf, int (*fn)(void *), void *data,
 		goto on_error;
 	}
 
+on_error:
 	/* Wait for child to finish. */
+	if (pid > 0)
 		ret = wait_for_pid(pid);
 
-on_error:
 	if (idmap)
 		lxc_free_idmap(idmap);
 	if (host_uid_map && (host_uid_map != container_root_uid))

src/lxc/conf.h

@@ -285,8 +285,6 @@ struct lxc_conf {
 	int loglevel; /* loglevel as specifed in config (if any) */
 	int logfd;
 
-	int inherit_ns_fd[LXC_NS_MAX];
-
 	unsigned int start_auto;
 	unsigned int start_delay;
 	int start_order;
@@ -348,6 +346,8 @@ struct lxc_conf {
 	 * that union.
 	 */
 	struct lxc_cgroup cgroup_meta;
+
+	char *inherit_ns[LXC_NS_MAX];
 };
 
 #ifdef HAVE_TLS

src/lxc/confile.c

@@ -102,6 +102,7 @@ lxc_config_define(monitor);
 lxc_config_define(mount);
 lxc_config_define(mount_auto);
 lxc_config_define(mount_fstab);
+lxc_config_define(namespace);
 lxc_config_define(net);
 lxc_config_define(net_flags);
 lxc_config_define(net_hwaddr);
@@ -178,6 +179,7 @@ static struct lxc_config_t config[] = {
 	{ "lxc.mount.auto",                false,                  set_config_mount_auto,                  get_config_mount_auto,                  clr_config_mount_auto,                },
 	{ "lxc.mount.entry",               false,                  set_config_mount,                       get_config_mount,                       clr_config_mount,                     },
 	{ "lxc.mount.fstab",               false,                  set_config_mount_fstab,                 get_config_mount_fstab,                 clr_config_mount_fstab,               },
+	{ "lxc.namespace",                 false,                  set_config_namespace,                   get_config_namespace,                   clr_config_namespace,                 },
 
 	/* [START]: REMOVE IN LXC 3.0 */
 	{ "lxc.network.type",              true,                   set_config_network_legacy_type,         get_config_network_legacy_item,         clr_config_network_legacy_item,       },
@@ -1976,6 +1978,23 @@ static int set_config_uts_name(const char *key, const char *value,
 	return 0;
 }
 
+static int set_config_namespace(const char *key, const char *value,
+				struct lxc_conf *lxc_conf, void *data)
+{
+	int ns_idx;
+	const char *namespace;
+
+	if (lxc_config_value_empty(value))
+		return clr_config_namespace(key, lxc_conf, data);
+
+	namespace = key + sizeof("lxc.namespace.") - 1;
+	ns_idx = lxc_namespace_2_ns_idx(namespace);
+	if (ns_idx < 0)
+		return ns_idx;
+
+	return set_config_string_item(&lxc_conf->inherit_ns[ns_idx], value);
+}
+
 struct parse_line_conf {
 	struct lxc_conf *conf;
 	bool from_include;
@@ -3268,6 +3287,28 @@ static int get_config_noop(const char *key, char *retv, int inlen,
 	return 0;
 }
 
+static int get_config_namespace(const char *key, char *retv, int inlen,
+				struct lxc_conf *c, void *data)
+{
+	int len, ns_idx;
+	const char *namespace;
+	int fulllen = 0;
+
+	if (!retv)
+		inlen = 0;
+	else
+		memset(retv, 0, inlen);
+
+	namespace = key + sizeof("lxc.namespace.") - 1;
+	ns_idx = lxc_namespace_2_ns_idx(namespace);
+	if (ns_idx < 0)
+		return ns_idx;
+
+	strprint(retv, inlen, "%s", c->inherit_ns[ns_idx]);
+
+	return fulllen;
+}
+
 /* Callbacks to clear config items. */
 static inline int clr_config_personality(const char *key, struct lxc_conf *c,
 					 void *data)
@@ -3606,6 +3647,23 @@ static inline int clr_config_noop(const char *key, struct lxc_conf *c,
 	return 0;
 }
 
+static int clr_config_namespace(const char *key, struct lxc_conf *lxc_conf,
+				void *data)
+{
+	int ns_idx;
+	const char *namespace;
+
+	namespace = key + sizeof("lxc.namespace.") - 1;
+	ns_idx = lxc_namespace_2_ns_idx(namespace);
+	if (ns_idx < 0)
+		return ns_idx;
+
+	free(lxc_conf->inherit_ns[ns_idx]);
+	lxc_conf->inherit_ns[ns_idx] = NULL;
+
+	return 0;
+}
+
 static int get_config_includefiles(const char *key, char *retv, int inlen,
 				   struct lxc_conf *c, void *data)
 {

src/lxc/confile_utils.c

@@ -29,8 +29,9 @@
 #include "confile.h"
 #include "confile_utils.h"
 #include "error.h"
-#include "log.h"
 #include "list.h"
+#include "log.h"
+#include "lxccontainer.h"
 #include "network.h"
 #include "parse.h"
 #include "utils.h"
@@ -700,3 +701,77 @@ bool parse_limit_value(const char **value, rlim_t *res)
 
 	return true;
 }
+
+static int lxc_container_name_to_pid(const char *lxcname_or_pid,
+				     const char *lxcpath)
+{
+	int ret;
+	signed long int pid;
+	char *err = NULL;
+
+	pid = strtol(lxcname_or_pid, &err, 10);
+	if (*err != '\0' || pid < 1) {
+		struct lxc_container *c;
+
+		c = lxc_container_new(lxcname_or_pid, lxcpath);
+		if (!c) {
+			ERROR("\"%s\" is not a valid pid nor a container name",
+			      lxcname_or_pid);
+			return -1;
+		}
+
+		if (!c->may_control(c)) {
+			ERROR("Insufficient privileges to control container "
+			      "\"%s\"", c->name);
+			lxc_container_put(c);
+			return -1;
+		}
+
+		pid = c->init_pid(c);
+		if (pid < 1) {
+			ERROR("Container \"%s\" is not running", c->name);
+			lxc_container_put(c);
+			return -1;
+		}
+
+		lxc_container_put(c);
+	}
+
+	ret = kill(pid, 0);
+	if (ret < 0) {
+		ERROR("%s - Failed to send signal to pid %d", strerror(errno),
+		      (int)pid);
+		return -EPERM;
+	}
+
+	return pid;
+}
+
+int lxc_inherit_namespace(const char *lxcname_or_pid, const char *lxcpath,
+			  const char *namespace)
+{
+	int fd, pid;
+	char *dup, *lastslash;
+
+	lastslash = strrchr(lxcname_or_pid, '/');
+	if (lastslash) {
+		dup = strdup(lxcname_or_pid);
+		if (!dup)
+			return -ENOMEM;
+
+		*lastslash = '\0';
+		pid = lxc_container_name_to_pid(lastslash, dup);
+		free(dup);
+	} else {
+		pid = lxc_container_name_to_pid(lxcname_or_pid, lxcpath);
+	}
+
+	if (pid < 0)
+		return -EINVAL;
+
+	fd = lxc_preserve_ns(pid, namespace);
+	if (fd < 0)
+		return -EINVAL;
+
+	return fd;
+}

src/lxc/confile_utils.h

@@ -86,5 +86,7 @@ extern int lxc_get_conf_str(char *retv, int inlen, const char *value);
 extern int lxc_get_conf_int(struct lxc_conf *c, char *retv, int inlen, int v);
 extern int lxc_get_conf_uint64(struct lxc_conf *c, char *retv, int inlen, uint64_t v);
 extern bool parse_limit_value(const char **value, rlim_t *res);
+extern int lxc_inherit_namespace(const char *lxcname_or_pid,
+				 const char *lxcpath, const char *namespace);
 
 #endif /* __LXC_CONFILE_UTILS_H */

src/lxc/monitor.c

@@ -105,10 +105,10 @@ static void lxc_monitor_fifo_send(struct lxc_msg *msg, const char *lxcpath)
 		/* It is normal for this open() to fail with ENXIO when there is
 		 * no monitor running, so we don't log it.
 		 */
-		if (errno == ENXIO)
+		if (errno == ENXIO || errno == ENOENT)
 			return;
 
-		WARN("Failed to open fifo to send message: %s.", strerror(errno));
+		WARN("%s - Failed to open fifo to send message", strerror(errno));
 		return;
 	}
 

src/lxc/namespace.c

@@ -96,15 +96,26 @@ const struct ns_info ns_info[LXC_NS_MAX] = {
 	[LXC_NS_CGROUP] = {"cgroup", CLONE_NEWCGROUP, "CLONE_NEWCGROUP"}
 };
 
-int lxc_namespace_2_cloneflag(char *namespace)
+int lxc_namespace_2_cloneflag(const char *namespace)
 {
 	int i;
 	for (i = 0; i < LXC_NS_MAX; i++)
 		if (!strcasecmp(ns_info[i].proc_name, namespace))
 			return ns_info[i].clone_flag;
 
-	ERROR("Invalid namespace name: %s.", namespace);
-	return -1;
+	ERROR("Invalid namespace name \"%s\"", namespace);
+	return -EINVAL;
+}
+
+int lxc_namespace_2_ns_idx(const char *namespace)
+{
+	int i;
+	for (i = 0; i < LXC_NS_MAX; i++)
+		if (!strcmp(ns_info[i].proc_name, namespace))
+			return i;
+
+	ERROR("Invalid namespace name \"%s\"", namespace);
+	return -EINVAL;
 }
 
 int lxc_fill_namespace_flags(char *flaglist, int *flags)

src/lxc/namespace.h

@@ -81,7 +81,8 @@ int clone(int (*fn)(void *), void *child_stack,
 
 extern pid_t lxc_clone(int (*fn)(void *), void *arg, int flags);
 
-extern int lxc_namespace_2_cloneflag(char *namespace);
+extern int lxc_namespace_2_cloneflag(const char *namespace);
+extern int lxc_namespace_2_ns_idx(const char *namespace);
 extern int lxc_fill_namespace_flags(char *flaglist, int *flags);
 
 #endif

src/lxc/network.c

@@ -2050,7 +2050,7 @@ int lxc_find_gateway_addresses(struct lxc_handler *handler)
 }
 
 #define LXC_USERNIC_PATH LIBEXECDIR "/lxc/lxc-user-nic"
-static int lxc_create_network_unpriv_exec(const char *lxcpath, char *lxcname,
+static int lxc_create_network_unpriv_exec(const char *lxcpath, const char *lxcname,
 					  struct lxc_netdev *netdev, pid_t pid)
 {
 	int ret;
@@ -2126,13 +2126,13 @@ static int lxc_create_network_unpriv_exec(const char *lxcpath, char *lxcname,
 	if (bytes < 0) {
 		SYSERROR("Failed to read from pipe file descriptor");
 		close(pipefd[0]);
-		return -1;
-	}
+	} else {
 		buffer[bytes - 1] = '\0';
+	}
 
 	ret = wait_for_pid(child);
 	close(pipefd[0]);
-	if (ret != 0) {
+	if (ret != 0 || bytes < 0) {
 		ERROR("lxc-user-nic failed to configure requested network: %s",
 		      buffer[0] != '\0' ? buffer : "(null)");
 		return -1;
@@ -2194,7 +2194,7 @@ static int lxc_create_network_unpriv_exec(const char *lxcpath, char *lxcname,
 	return 0;
 }
 
-static int lxc_delete_network_unpriv_exec(const char *lxcpath, char *lxcname,
+static int lxc_delete_network_unpriv_exec(const char *lxcpath, const char *lxcname,
 					  struct lxc_netdev *netdev,
 					  const char *netns_path)
 {
@@ -2267,19 +2267,18 @@ static int lxc_delete_network_unpriv_exec(const char *lxcpath, char *lxcname,
 	if (bytes < 0) {
 		SYSERROR("Failed to read from pipe file descriptor.");
 		close(pipefd[0]);
-		return -1;
-	}
+	} else {
 		buffer[bytes - 1] = '\0';
+	}
 
-	if (wait_for_pid(child) != 0) {
+	ret = wait_for_pid(child);
+	close(pipefd[0]);
+	if (ret != 0 || bytes < 0) {
 		ERROR("lxc-user-nic failed to delete requested network: %s",
 		      buffer[0] != '\0' ? buffer : "(null)");
-		close(pipefd[0]);
 		return -1;
 	}
 
-	close(pipefd[0]);
-
 	return 0;
 }
 
@@ -2302,14 +2301,14 @@ bool lxc_delete_network_unpriv(struct lxc_handler *handler)
 
 	*netns_path = '\0';
 
-	if (handler->netnsfd < 0) {
+	if (handler->nsfd[LXC_NS_NET] < 0) {
 		DEBUG("Cannot not guarantee safe deletion of network devices. "
 		      "Manual cleanup maybe needed");
 		return false;
 	}
 
 	ret = snprintf(netns_path, sizeof(netns_path), "/proc/%d/fd/%d",
-		       getpid(), handler->netnsfd);
+		       getpid(), handler->nsfd[LXC_NS_NET]);
 	if (ret < 0 || ret >= sizeof(netns_path))
 		return false;
 
@@ -2408,7 +2407,7 @@ int lxc_create_network_priv(struct lxc_handler *handler)
 	return 0;
 }
 
-int lxc_network_move_created_netdev_priv(const char *lxcpath, char *lxcname,
+int lxc_network_move_created_netdev_priv(const char *lxcpath, const char *lxcname,
 					 struct lxc_list *network, pid_t pid)
 {
 	int ret;
@@ -2448,7 +2447,7 @@ int lxc_network_move_created_netdev_priv(const char *lxcpath, char *lxcname,
 	return 0;
 }
 
-int lxc_create_network_unpriv(const char *lxcpath, char *lxcname,
+int lxc_create_network_unpriv(const char *lxcpath, const char *lxcname,
 			      struct lxc_list *network, pid_t pid)
 {
 	struct lxc_list *iterator;
@@ -2621,7 +2620,7 @@ int lxc_restore_phys_nics_to_netns(struct lxc_handler *handler)
 	int oldfd;
 	char ifname[IFNAMSIZ];
 	struct lxc_list *iterator;
-	int netnsfd = handler->netnsfd;
+	int netnsfd = handler->nsfd[LXC_NS_NET];
 	struct lxc_conf *conf = handler->conf;
 
 	/* We need CAP_NET_ADMIN in the parent namespace in order to setns() to

src/lxc/network.h

@@ -263,12 +263,12 @@ extern int setup_private_host_hw_addr(char *veth1);
 extern int netdev_get_mtu(int ifindex);
 extern int lxc_create_network_priv(struct lxc_handler *handler);
 extern int lxc_network_move_created_netdev_priv(const char *lxcpath,
-						char *lxcname,
+						const char *lxcname,
 						struct lxc_list *network,
 						pid_t pid);
 extern void lxc_delete_network(struct lxc_handler *handler);
 extern int lxc_find_gateway_addresses(struct lxc_handler *handler);
-extern int lxc_create_network_unpriv(const char *lxcpath, char *lxcname,
+extern int lxc_create_network_unpriv(const char *lxcpath, const char *lxcname,
 				     struct lxc_list *network, pid_t pid);
 extern int lxc_requests_empty_network(struct lxc_handler *handler);
 extern int lxc_restore_phys_nics_to_netns(struct lxc_handler *handler);

src/lxc/start.c

@@ -155,9 +155,12 @@ static bool preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags, pid_t pid)
 	for (i = 0; i < LXC_NS_MAX; i++) {
 		if ((clone_flags & ns_info[i].clone_flag) == 0)
 			continue;
+
 		ns_fd[i] = lxc_preserve_ns(pid, ns_info[i].proc_name);
 		if (ns_fd[i] < 0)
 			goto error;
+
+		DEBUG("Preserved %s namespace via fd %d", ns_info[i].proc_name, ns_fd[i]);
 	}
 
 	return true;
@@ -171,23 +174,6 @@ error:
 	return false;
 }
 
-static int attach_ns(const int ns_fd[LXC_NS_MAX]) {
-	int i;
-
-	for (i = 0; i < LXC_NS_MAX; i++) {
-		if (ns_fd[i] < 0)
-			continue;
-
-		if (setns(ns_fd[i], 0) != 0)
-			goto error;
-	}
-	return 0;
-
-error:
-	SYSERROR("Failed to attach %s namespace.", ns_info[i].proc_name);
-	return -1;
-}
-
 static int match_fd(int fd)
 {
 	return (fd == 0 || fd == 1 || fd == 2);
@@ -236,15 +222,6 @@ restart:
 		    (i < len_fds && fd == fds_to_ignore[i]))
 			continue;
 
-		if (conf) {
-			for (i = 0; i < LXC_NS_MAX; i++)
-				if (conf->inherit_ns_fd[i] == fd)
-					break;
-
-			if (i < LXC_NS_MAX)
-				continue;
-		}
-
 		if (current_config && fd == current_config->logfd)
 			continue;
 
@@ -254,10 +231,10 @@ restart:
 		if (closeall) {
 			close(fd);
 			closedir(dir);
-			INFO("Closed inherited fd: %d.", fd);
+			INFO("Closed inherited fd %d", fd);
 			goto restart;
 		}
-		WARN("Inherited fd: %d.", fd);
+		WARN("Inherited fd %d", fd);
 	}
 
 	/* Only enable syslog at this point to avoid the above logging function
@@ -525,9 +502,6 @@ void lxc_free_handler(struct lxc_handler *handler)
 	if (handler->state_socket_pair[1] >= 0)
 		close(handler->state_socket_pair[1]);
 
-	if (handler->name)
-		free(handler->name);
-
 	handler->conf = NULL;
 	free(handler);
 }
@@ -561,11 +535,7 @@ struct lxc_handler *lxc_init_handler(const char *name, struct lxc_conf *conf,
 	for (i = 0; i < LXC_NS_MAX; i++)
 		handler->nsfd[i] = -1;
 
-	handler->name = strdup(name);
-	if (!handler->name) {
-		ERROR("failed to allocate memory");
-		goto on_error;
-	}
+	handler->name = name;
 
 	if (daemonize && !handler->conf->reboot) {
 		/* Create socketpair() to synchronize on daemonized startup.
@@ -729,17 +699,14 @@ void lxc_fini(const char *name, struct lxc_handler *handler)
 
 	while (namespace_count--)
 		free(namespaces[namespace_count]);
+
 	for (i = 0; i < LXC_NS_MAX; i++) {
-		if (handler->nsfd[i] != -1) {
+		if (handler->nsfd[i] < 0)
+			continue;
+
 		close(handler->nsfd[i]);
 		handler->nsfd[i] = -1;
 	}
-	}
-
-	if (handler->netnsfd >= 0) {
-		close(handler->netnsfd);
-		handler->netnsfd = -1;
-	}
 
 	cgroup_destroy(handler);
 
@@ -786,7 +753,6 @@ void lxc_fini(const char *name, struct lxc_handler *handler)
 	if (handler->conf->ephemeral == 1 && handler->conf->reboot != 1)
 		lxc_destroy_container_on_signal(handler, name);
 
-	free(handler->name);
 	free(handler);
 }
 
@@ -804,10 +770,11 @@ void lxc_abort(const char *name, struct lxc_handler *handler)
 
 static int do_start(void *data)
 {
+	int ret;
 	struct lxc_list *iterator;
-	struct lxc_handler *handler = data;
-	int devnull_fd = -1, ret;
 	char path[PATH_MAX];
+	int devnull_fd = -1;
+	struct lxc_handler *handler = data;
 
 	if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL)) {
 		SYSERROR("Failed to set signal mask.");
@@ -1128,30 +1095,73 @@ void resolve_clone_flags(struct lxc_handler *handler)
 {
 	handler->clone_flags = CLONE_NEWNS;
 
+	if (!handler->conf->inherit_ns[LXC_NS_USER]) {
 		if (!lxc_list_empty(&handler->conf->id_map))
 			handler->clone_flags |= CLONE_NEWUSER;
+	} else {
+		INFO("Inheriting user namespace");
+	}
 
-	if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {
+	if (!handler->conf->inherit_ns[LXC_NS_NET]) {
 		if (!lxc_requests_empty_network(handler))
 			handler->clone_flags |= CLONE_NEWNET;
 	} else {
-		INFO("Inheriting a NET namespace.");
+		INFO("Inheriting net namespace");
 	}
 
-	if (handler->conf->inherit_ns_fd[LXC_NS_IPC] == -1)
+	if (!handler->conf->inherit_ns[LXC_NS_IPC])
 		handler->clone_flags |= CLONE_NEWIPC;
 	else
-		INFO("Inheriting an IPC namespace.");
+		INFO("Inheriting ipc namespace");
 
-	if (handler->conf->inherit_ns_fd[LXC_NS_UTS] == -1)
+	if (!handler->conf->inherit_ns[LXC_NS_UTS])
 		handler->clone_flags |= CLONE_NEWUTS;
 	else
-		INFO("Inheriting a UTS namespace.");
+		INFO("Inheriting uts namespace");
 
-	if (handler->conf->inherit_ns_fd[LXC_NS_PID] == -1)
+	if (!handler->conf->inherit_ns[LXC_NS_PID])
 		handler->clone_flags |= CLONE_NEWPID;
 	else
-		INFO("Inheriting a PID namespace.");
+		INFO("Inheriting pid namespace");
+}
+
+static pid_t lxc_fork_attach_clone(int (*fn)(void *), void *arg, int flags)
+{
+	int i, r, ret;
+	pid_t pid, init_pid;
+	struct lxc_handler *handler = arg;
+
+	pid = fork();
+	if (pid < 0)
+		return -1;
+
+	if (!pid) {
+		for (i = 0; i < LXC_NS_MAX; i++) {
+			if (handler->nsfd[i] < 0)
+				continue;
+
+			ret = setns(handler->nsfd[i], 0);
+			if (ret < 0)
+				exit(EXIT_FAILURE);
+
+			DEBUG("Inherited %s namespace", ns_info[i].proc_name);
+		}
+
+		init_pid = lxc_clone(do_start, handler, flags);
+		ret = lxc_write_nointr(handler->data_sock[1], &init_pid,
+				       sizeof(init_pid));
+		if (ret < 0)
+			exit(EXIT_FAILURE);
+
+		exit(EXIT_SUCCESS);
+	}
+
+	r = lxc_read_nointr(handler->data_sock[0], &init_pid, sizeof(init_pid));
+	ret = wait_for_pid(pid);
+	if (ret < 0 || r < 0)
+		return -1;
+
+	return init_pid;
 }
 
 /* lxc_spawn() performs crucial setup tasks and clone()s the new process which
@@ -1164,20 +1174,27 @@ void resolve_clone_flags(struct lxc_handler *handler)
 static int lxc_spawn(struct lxc_handler *handler)
 {
 	int i, flags, ret;
-	const char *name = handler->name;
 	char pidstr[20];
 	bool wants_to_map_ids;
-	int saved_ns_fd[LXC_NS_MAX];
 	struct lxc_list *id_map;
-	int preserve_mask = 0;
-	bool cgroups_connected = false;
+	const char *name = handler->name;
+	const char *lxcpath = handler->lxcpath;
+	bool cgroups_connected = false, fork_before_clone = false;
+	struct lxc_conf *conf = handler->conf;
 
-	id_map = &handler->conf->id_map;
+	id_map = &conf->id_map;
 	wants_to_map_ids = !lxc_list_empty(id_map);
 
-	for (i = 0; i < LXC_NS_MAX; i++)
-		if (handler->conf->inherit_ns_fd[i] != -1)
-			preserve_mask |= ns_info[i].clone_flag;
+	for (i = 0; i < LXC_NS_MAX; i++) {
+		if (!conf->inherit_ns[i])
+			continue;
+
+		handler->nsfd[i] = lxc_inherit_namespace(conf->inherit_ns[i], lxcpath, ns_info[i].proc_name);
+		if (handler->nsfd[i] < 0)
+			return -1;
+
+		fork_before_clone = true;
+	}
 
 	if (lxc_sync_init(handler))
 		return -1;
@@ -1192,7 +1209,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 	resolve_clone_flags(handler);
 
 	if (handler->clone_flags & CLONE_NEWNET) {
-		if (!lxc_list_empty(&handler->conf->network)) {
+		if (!lxc_list_empty(&conf->network)) {
 
 			/* Find gateway addresses from the link device, which is
 			 * no longer accessible inside the container. Do this
@@ -1233,17 +1250,11 @@ static int lxc_spawn(struct lxc_handler *handler)
 	 * If the container is unprivileged then skip rootfs pinning.
 	 */
 	if (!wants_to_map_ids) {
-		handler->pinfd = pin_rootfs(handler->conf->rootfs.path);
+		handler->pinfd = pin_rootfs(conf->rootfs.path);
 		if (handler->pinfd == -1)
 			INFO("Failed to pin the rootfs for container \"%s\".", handler->name);
 	}
 
-	if (!preserve_ns(saved_ns_fd, preserve_mask, getpid()))
-		goto out_delete_net;
-
-	if (attach_ns(handler->conf->inherit_ns_fd) < 0)
-		goto out_delete_net;
-
 	/* Create a process in a new set of namespaces. */
 	flags = handler->clone_flags;
 	if (handler->clone_flags & CLONE_NEWUSER) {
@@ -1259,21 +1270,24 @@ static int lxc_spawn(struct lxc_handler *handler)
 	if (ret < 0)
 		goto out_delete_net;
 
+	if (fork_before_clone)
+		handler->pid = lxc_fork_attach_clone(do_start, handler, flags | CLONE_PARENT);
+	else
 		handler->pid = lxc_clone(do_start, handler, flags);
 	if (handler->pid < 0) {
 		SYSERROR("Failed to clone a new set of namespaces.");
 		goto out_delete_net;
 	}
+	TRACE("Cloned child process %d", handler->pid);
 
 	for (i = 0; i < LXC_NS_MAX; i++)
 		if (flags & ns_info[i].clone_flag)
-			INFO("Cloned %s.", ns_info[i].flag_name);
+			INFO("Cloned %s", ns_info[i].flag_name);
 
-	if (!preserve_ns(handler->nsfd, handler->clone_flags | preserve_mask, handler->pid))
-		INFO("Failed to preserve namespace for lxc.hook.stop.");
-
-	if (attach_ns(saved_ns_fd))
-		WARN("Failed to restore saved namespaces.");
+	if (!preserve_ns(handler->nsfd, handler->clone_flags & ~CLONE_NEWNET, handler->pid)) {
+		ERROR("Failed to preserve cloned namespaces for lxc.hook.stop");
+		goto out_delete_net;
+	}
 
 	lxc_sync_fini_child(handler);
 
@@ -1283,10 +1297,15 @@ static int lxc_spawn(struct lxc_handler *handler)
 	 * mapped to something else on the host.) later to become a valid uid
 	 * again.
 	 */
-	if (wants_to_map_ids && lxc_map_ids(id_map, handler->pid)) {
+	if (wants_to_map_ids) {
+		if (!handler->conf->inherit_ns[LXC_NS_USER]) {
+			ret = lxc_map_ids(id_map, handler->pid);
+			if (ret < 0) {
 				ERROR("Failed to set up id mapping.");
 				goto out_delete_net;
 			}
+		}
+	}
 
 	if (lxc_sync_wake_child(handler, LXC_SYNC_STARTUP))
 		goto out_delete_net;
@@ -1309,24 +1328,27 @@ static int lxc_spawn(struct lxc_handler *handler)
 	if (!cgroup_chown(handler))
 		goto out_delete_net;
 
-	handler->netnsfd = lxc_preserve_ns(handler->pid, "net");
-	if (handler->netnsfd < 0) {
-		ERROR("Failed to preserve network namespace");
+	/* Now we're ready to preserve the network namespace */
+	ret = lxc_preserve_ns(handler->pid, "net");
+	if (ret < 0) {
+		ERROR("%s - Failed to preserve net namespace", strerror(errno));
 		goto out_delete_net;
 	}
+	handler->nsfd[LXC_NS_NET] = ret;
+	DEBUG("Preserved net namespace via fd %d", ret);
 
 	/* Create the network configuration. */
 	if (handler->clone_flags & CLONE_NEWNET) {
 		if (lxc_network_move_created_netdev_priv(handler->lxcpath,
 							 handler->name,
-							 &handler->conf->network,
+							 &conf->network,
 							 handler->pid)) {
 			ERROR("Failed to create the configured network.");
 			goto out_delete_net;
 		}
 
 		if (lxc_create_network_unpriv(handler->lxcpath, handler->name,
-					      &handler->conf->network,
+					      &conf->network,
 					      handler->pid)) {
 			ERROR("Failed to create the configured network.");
 			goto out_delete_net;
@@ -1344,7 +1366,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 	if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CONFIGURE))
 		goto out_delete_net;
 
-	if (!lxc_list_empty(&handler->conf->limits) && setup_resource_limits(&handler->conf->limits, handler->pid)) {
+	if (!lxc_list_empty(&conf->limits) && setup_resource_limits(&conf->limits, handler->pid)) {
 		ERROR("failed to setup resource limits for '%s'", name);
 		goto out_delete_net;
 	}
@@ -1366,7 +1388,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 		SYSERROR("Failed to set environment variable: LXC_PID=%s.", pidstr);
 
 	/* Run any host-side start hooks */
-	if (run_lxc_hooks(name, "start-host", handler->conf, handler->lxcpath, NULL)) {
+	if (run_lxc_hooks(name, "start-host", conf, handler->lxcpath, NULL)) {
 		ERROR("Failed to run lxc.hook.start-host for container \"%s\".", name);
 		return -1;
 	}
@@ -1380,6 +1402,14 @@ static int lxc_spawn(struct lxc_handler *handler)
 	if (lxc_sync_barrier_child(handler, LXC_SYNC_READY_START))
 		return -1;
 
+	ret = lxc_preserve_ns(handler->pid, "cgroup");
+	if (ret < 0) {
+		ERROR("%s - Failed to preserve cgroup namespace", strerror(errno));
+		goto out_delete_net;
+	}
+	handler->nsfd[LXC_NS_CGROUP] = ret;
+	DEBUG("Preserved cgroup namespace via fd %d", ret);
+
 	if (lxc_network_recv_name_and_ifindex_from_child(handler) < 0) {
 		ERROR("Failed to receive names and ifindices for network "
 		      "devices from child");
@@ -1391,7 +1421,7 @@ static int lxc_spawn(struct lxc_handler *handler)
 	 * been recorded. The corresponding structs have now all been filled. So
 	 * log them for debugging purposes.
 	 */
-	lxc_log_configured_netdevs(handler->conf);
+	lxc_log_configured_netdevs(conf);
 
 	/* Read tty fds allocated by child. */
 	if (lxc_recv_ttys_from_child(handler) < 0) {
@@ -1427,11 +1457,6 @@ out_abort:
 		handler->pinfd = -1;
 	}
 
-	if (handler->netnsfd >= 0) {
-		close(handler->netnsfd);
-		handler->netnsfd = -1;
-	}
-
 	return -1;
 }
 
@@ -1450,7 +1475,6 @@ int __lxc_start(const char *name, struct lxc_handler *handler,
 	handler->ops = ops;
 	handler->data = data;
 	handler->backgrounded = backgrounded;
-	handler->netnsfd = -1;
 
 	if (!attach_block_device(handler->conf)) {
 		ERROR("Failed to attach block device.");
@@ -1480,6 +1504,11 @@ int __lxc_start(const char *name, struct lxc_handler *handler,
 		ERROR("Failed to spawn container \"%s\".", name);
 		goto out_detach_blockdev;
 	}
+	/* close parent side of data socket */
+	close(handler->data_sock[0]);
+	handler->data_sock[0] = -1;
+	close(handler->data_sock[1]);
+	handler->data_sock[1] = -1;
 
 	handler->conf->reboot = 0;
 

src/lxc/start.h

@@ -40,9 +40,6 @@ struct lxc_handler {
 	/* The clone flags that were requested. */
 	int clone_flags;
 
-	/* File descriptors referring to the network namespace of the container. */
-	int netnsfd;
-
 	/* File descriptor to pin the rootfs for privileged containers. */
 	int pinfd;
 
@@ -67,10 +64,10 @@ struct lxc_handler {
 	/* Socketpair to synchronize processes during container creation. */
 	int sync_sock[2];
 
-	/* The name of the container. */
-	char *name;
+	/* Pointer to the name of the container. Do not free! */
+	const char *name;
 
-	/* The path the container is running in. */
+	/* Pointer to the path the container. Do not free! */
 	const char *lxcpath;
 
 	/* Whether the container's startup process euid is 0. */

src/lxc/tools/lxc_start.c

@@ -89,53 +89,6 @@ err:
 	return err;
 }
 
-static int pid_from_lxcname(const char *lxcname_or_pid, const char *lxcpath) {
-	char *eptr;
-	int pid = strtol(lxcname_or_pid, &eptr, 10);
-	if (*eptr != '\0' || pid < 1) {
-		struct lxc_container *s;
-		s = lxc_container_new(lxcname_or_pid, lxcpath);
-		if (!s) {
-			SYSERROR("'%s' is not a valid pid nor a container name", lxcname_or_pid);
-			return -1;
-		}
-
-		if (!s->may_control(s)) {
-			SYSERROR("Insufficient privileges to control container '%s'", s->name);
-			lxc_container_put(s);
-			return -1;
-		}
-
-		pid = s->init_pid(s);
-		if (pid < 1) {
-			SYSERROR("Is container '%s' running?", s->name);
-			lxc_container_put(s);
-			return -1;
-		}
-
-		lxc_container_put(s);
-	}
-	if (kill(pid, 0) < 0) {
-		SYSERROR("Can't send signal to pid %d", pid);
-		return -1;
-	}
-
-	return pid;
-}
-
-static int open_ns(int pid, const char *ns_proc_name) {
-	int fd;
-	char path[MAXPATHLEN];
-	snprintf(path, MAXPATHLEN, "/proc/%d/ns/%s", pid, ns_proc_name);
-
-	fd = open(path, O_RDONLY);
-	if (fd < 0) {
-		SYSERROR("failed to open %s", path);
-		return -1;
-	}
-	return fd;
-}
-
 static int my_parser(struct lxc_arguments* args, int c, char* arg)
 {
 	switch (c) {
@@ -201,16 +154,18 @@ Options :\n\
 
 int main(int argc, char *argv[])
 {
-	int err = EXIT_FAILURE;
+	int i;
 	struct lxc_conf *conf;
 	struct lxc_log log;
+	const char *lxcpath;
 	char *const *args;
+	struct lxc_container *c;
+	int err = EXIT_FAILURE;
 	char *rcfile = NULL;
 	char *const default_args[] = {
 		"/sbin/init",
 		NULL,
 	};
-	struct lxc_container *c;
 
 	lxc_list_init(&defines);
 
@@ -236,14 +191,13 @@ int main(int argc, char *argv[])
 		exit(err);
 	lxc_log_options_no_override();
 
-	if (access(my_args.lxcpath[0], O_RDONLY) < 0) {
+	lxcpath = my_args.lxcpath[0];
+	if (access(lxcpath, O_RDONLY) < 0) {
 		if (!my_args.quiet)
-			fprintf(stderr, "You lack access to %s\n", my_args.lxcpath[0]);
+			fprintf(stderr, "You lack access to %s\n", lxcpath);
 		exit(err);
 	}
 
-	const char *lxcpath = my_args.lxcpath[0];
-
 	/* REMOVE IN LXC 3.0 */
 	setenv("LXC_UPDATE_CONFIG_FORMAT", "1", 0);
 
@@ -326,16 +280,6 @@ int main(int argc, char *argv[])
 		goto out;
 	}
 
-	if (ensure_path(&conf->console.path, my_args.console) < 0) {
-		ERROR("failed to ensure console path '%s'", my_args.console);
-		goto out;
-	}
-
-	if (ensure_path(&conf->console.log_path, my_args.console_log) < 0) {
-		ERROR("failed to ensure console log '%s'", my_args.console_log);
-		goto out;
-	}
-
 	if (my_args.pidfile != NULL) {
 		if (ensure_path(&c->pidfile, my_args.pidfile) < 0) {
 			ERROR("failed to ensure pidfile '%s'", my_args.pidfile);
@@ -343,19 +287,26 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	int i;
 	for (i = 0; i < LXC_NS_MAX; i++) {
-		if (my_args.share_ns[i] == NULL)
+		const char *key, *value;
+
+		value = my_args.share_ns[i];
+		if (!value)
 			continue;
 
-		int pid = pid_from_lxcname(my_args.share_ns[i], lxcpath);
-		if (pid < 1)
-			goto out;
+		if (i == LXC_NS_NET)
+			key = "lxc.namespace.net";
+		else if (i == LXC_NS_IPC)
+			key = "lxc.namespace.ipc";
+		else if (i == LXC_NS_UTS)
+			key = "lxc.namespace.uts";
+		else if (i == LXC_NS_PID)
+			key = "lxc.namespace.pid";
+		else
+			continue;
 
-		int fd = open_ns(pid, ns_info[i].proc_name);
-		if (fd < 0)
+		if (!c->set_config_item(c, key, value))
 			goto out;
-		conf->inherit_ns_fd[i] = fd;
 	}
 
 	if (!my_args.daemonize) {