Enable network namespace sharing in lxc-start

src/lxc/arguments.h

@@ -53,6 +53,9 @@ struct lxc_arguments {
 	/* set to 0 to accept only 1 lxcpath, -1 for unlimited */
 	int lxcpath_additional;
 
+	/* for lxc-start */
+	const char *share_net;
+
 	/* for lxc-checkpoint/restart */
 	const char *statefile;
 	int statefd;

src/lxc/conf.c

@@ -2399,6 +2399,9 @@ struct lxc_conf *lxc_conf_init(void)
 	new->lsm_se_context = NULL;
 	new->lsm_umount_proc = 0;
 
+	for (i = 0; i < LXC_NS_MAX; i++)
+		new->inherit_ns_fd[i] = -1;
+
 	return new;
 }
 

src/lxc/conf.h

@@ -318,6 +318,8 @@ struct lxc_conf {
 	// store the config file specified values here.
 	char *logfile;  // the logfile as specifed in config
 	int loglevel;   // loglevel as specifed in config (if any)
+
+	int inherit_ns_fd[LXC_NS_MAX];
 };
 
 int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf,

src/lxc/lxc_start.c

@@ -51,6 +51,8 @@
 #include "confile.h"
 #include "arguments.h"
 
+#define OPT_SHARE_NET OPT_USAGE+1
+
 lxc_log_define(lxc_start_ui, lxc_start);
 
 static struct lxc_list defines;
@@ -101,6 +103,7 @@ static int my_parser(struct lxc_arguments* args, int c, char* arg)
 	case 'C': args->close_all_fds = 1; break;
 	case 's': return lxc_config_define_add(&defines, arg);
 	case 'p': args->pidfile = arg; break;
+	case OPT_SHARE_NET: args->share_net = arg; break;
 	}
 	return 0;
 }
@@ -113,6 +116,7 @@ static const struct option my_longopts[] = {
 	{"console-log", required_argument, 0, 'L'},
 	{"close-all-fds", no_argument, 0, 'C'},
 	{"pidfile", required_argument, 0, 'p'},
+	{"share-net", required_argument, 0, OPT_SHARE_NET},
 	LXC_COMMON_OPTIONS
 };
 
@@ -133,7 +137,9 @@ Options :\n\
   -C, --close-all-fds    If any fds are inherited, close them\n\
                          If not specified, exit with failure instead\n\
 		         Note: --daemon implies --close-all-fds\n\
-  -s, --define KEY=VAL   Assign VAL to configuration variable KEY\n",
+  -s, --define KEY=VAL   Assign VAL to configuration variable KEY\n\
+      --share-net=PID    Share a network namespace with another container\n\
+",
 	.options   = my_longopts,
 	.parser    = my_parser,
 	.checker   = NULL,
@@ -249,6 +255,27 @@ int main(int argc, char *argv[])
 		}
 	}
 
+	if (my_args.share_net != NULL) {
+		char *eptr;
+		int fd;
+		int pid = strtol(my_args.share_net, &eptr, 10);
+		if (*eptr != '\0') {
+			SYSERROR("'%s' is not a valid pid number", my_args.share_net);
+			goto out;
+		}
+		char path[MAXPATHLEN];
+		int ret = snprintf(path, MAXPATHLEN, "/proc/%d/ns/net", pid);
+		if (ret < 0 || ret >= MAXPATHLEN)
+			goto out;
+
+		fd = open(path, O_RDONLY);
+		if (fd < 0) {
+			SYSERROR("failed to open %s", path);
+			goto out;
+		}
+		conf->inherit_ns_fd[LXC_NS_NET] = fd;
+	}
+
 	if (my_args.daemonize) {
 		c->want_daemonize(c);
 	}

src/lxc/start.c

@@ -75,6 +75,78 @@
 
 lxc_log_define(lxc_start, lxc);
 
+const struct ns_info ns_info[LXC_NS_MAX] = {
+	[LXC_NS_MNT] = {"mnt", CLONE_NEWNS},
+	[LXC_NS_PID] = {"pid", CLONE_NEWPID},
+	[LXC_NS_UTS] = {"uts", CLONE_NEWUTS},
+	[LXC_NS_IPC] = {"ipc", CLONE_NEWIPC},
+	[LXC_NS_USER] = {"user", CLONE_NEWUSER},
+	[LXC_NS_NET] = {"net", CLONE_NEWNET}
+};
+
+static void close_ns(int ns_fd[LXC_NS_MAX]) {
+	int i;
+
+	process_lock();
+	for (i = 0; i < LXC_NS_MAX; i++) {
+		if (ns_fd[i] > -1) {
+			close(ns_fd[i]);
+			ns_fd[i] = -1;
+		}
+	}
+	process_unlock();
+}
+
+static int preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags) {
+	int i, saved_errno;
+	char path[MAXPATHLEN];
+
+	if (access("/proc/self/ns", X_OK)) {
+		ERROR("Does this kernel version support 'attach'?");
+		return -1;
+	}
+
+	for (i = 0; i < LXC_NS_MAX; i++)
+		ns_fd[i] = -1;
+
+	for (i = 0; i < LXC_NS_MAX; i++) {
+		if ((clone_flags & ns_info[i].clone_flag) == 0)
+			continue;
+		snprintf(path, MAXPATHLEN, "/proc/self/ns/%s", ns_info[i].proc_name);
+		process_lock();
+		ns_fd[i] = open(path, O_RDONLY | O_CLOEXEC);
+		process_unlock();
+		if (ns_fd[i] < 0)
+			goto error;
+	}
+
+	return 0;
+
+error:
+	saved_errno = errno;
+	close_ns(ns_fd);
+	errno = saved_errno;
+	SYSERROR("failed to open '%s'", path);
+	return -1;
+}
+
+static int attach_ns(const int ns_fd[LXC_NS_MAX]) {
+	int i;
+
+	for (i = 0; i < LXC_NS_MAX; i++) {
+		if (ns_fd[i] < 0)
+			continue;
+
+		if (setns(ns_fd[i], 0) != 0)
+			goto error;
+	}
+	return 0;
+
+error:
+	SYSERROR("failed to set namespace '%s'", ns_info[i].proc_name);
+	return -1;
+}
+
 static int match_fd(int fd)
 {
 	return (fd == 0 || fd == 1 || fd == 2);
@@ -645,6 +717,12 @@ int lxc_spawn(struct lxc_handler *handler)
 	const char *name = handler->name;
 	struct cgroup_meta_data *cgroup_meta = NULL;
 	const char *cgroup_pattern = NULL;
+	int saved_ns_fd[LXC_NS_MAX];
+	int preserve_mask = 0, i;
+
+	for (i = 0; i < LXC_NS_MAX; i++)
+		if (handler->conf->inherit_ns_fd[i] > -1)
+			preserve_mask |= ns_info[i].clone_flag;
 
 	if (lxc_sync_init(handler))
 		return -1;
@@ -654,34 +732,40 @@ int lxc_spawn(struct lxc_handler *handler)
 		INFO("Cloning a new user namespace");
 		handler->clone_flags |= CLONE_NEWUSER;
 	}
-	if (!lxc_list_empty(&handler->conf->network)) {
-
-		handler->clone_flags |= CLONE_NEWNET;
 
-		/* Find gateway addresses from the link device, which is
-		 * no longer accessible inside the container. Do this
-		 * before creating network interfaces, since goto
-		 * out_delete_net does not work before lxc_clone. */
-		if (lxc_find_gateway_addresses(handler)) {
-			ERROR("failed to find gateway addresses");
-			lxc_sync_fini(handler);
-			return -1;
+	if (handler->conf->inherit_ns_fd[LXC_NS_NET] == -1) {
+		if (!lxc_list_empty(&handler->conf->network)) {
+
+			handler->clone_flags |= CLONE_NEWNET;
+
+			/* Find gateway addresses from the link device, which is
+			 * no longer accessible inside the container. Do this
+			 * before creating network interfaces, since goto
+			 * out_delete_net does not work before lxc_clone. */
+			if (lxc_find_gateway_addresses(handler)) {
+				ERROR("failed to find gateway addresses");
+				lxc_sync_fini(handler);
+				return -1;
+			}
+
+			/* that should be done before the clone because we will
+			 * fill the netdev index and use them in the child
+			 */
+			if (lxc_create_network(handler)) {
+				ERROR("failed to create the network IW WAS ERE");
+				lxc_sync_fini(handler);
+				return -1;
+			}
 		}
 
-		/* that should be done before the clone because we will
-		 * fill the netdev index and use them in the child
-		 */
-		if (lxc_create_network(handler)) {
-			ERROR("failed to create the network");
-			lxc_sync_fini(handler);
-			return -1;
+		if (save_phys_nics(handler->conf)) {
+			ERROR("failed to save physical nic info");
+			goto out_abort;
 		}
+	} else {
+		INFO("Inheriting a net namespace");
 	}
 
-	if (save_phys_nics(handler->conf)) {
-		ERROR("failed to save physical nic info");
-		goto out_abort;
-	}
 
 	cgroup_meta = lxc_cgroup_load_meta();
 	if (!cgroup_meta) {
@@ -716,6 +800,9 @@ int lxc_spawn(struct lxc_handler *handler)
 	if (handler->pinfd == -1)
 		INFO("failed to pin the container's rootfs");
 
+	preserve_ns(saved_ns_fd, preserve_mask);
+	attach_ns(handler->conf->inherit_ns_fd);
+
 	/* Create a process in a new set of namespaces */
 	handler->pid = lxc_clone(do_start, handler, handler->clone_flags);
 	if (handler->pid < 0) {
@@ -723,6 +810,8 @@ int lxc_spawn(struct lxc_handler *handler)
 		goto out_delete_net;
 	}
 
+	attach_ns(saved_ns_fd);
+
 	lxc_sync_fini_child(handler);
 
 	if (lxc_sync_wait_child(handler, LXC_SYNC_CONFIGURE))

src/lxc/start.h

@@ -27,6 +27,7 @@
 
 #include <lxc/state.h>
 #include <sys/param.h>
+#include "namespace.h"
 
 struct lxc_conf;
 
@@ -39,6 +40,23 @@ struct lxc_operations {
 
 struct cgroup_desc;
 
+enum {
+	LXC_NS_MNT,
+	LXC_NS_PID,
+	LXC_NS_UTS,
+	LXC_NS_IPC,
+	LXC_NS_USER,
+	LXC_NS_NET,
+	LXC_NS_MAX
+};
+
+struct ns_info {
+	const char *proc_name;
+	int clone_flag;
+};
+
+const struct ns_info ns_info[LXC_NS_MAX];
+
 struct lxc_handler {
 	pid_t pid;
 	char *name;