Commit aa33cee3 authored by Kirill Smelkov's avatar Kirill Smelkov

Allow to only unshare (slapns -U) without creating separate chroot

It is handy to reuse the slapns uid setup, because e.g. `unshare -U...` does
not allow using newuidmap & friends, so with plain unshare it is
hard to create a user namespace in which e.g. screen will work (openpty
wants to chown(:tty), gid(tty)=5)
parent a150da84
......@@ -139,14 +139,18 @@ def idmap_trysetup_viashadow(kind, pid):
def main():
slappart = sys.argv[1]
# create directories inside container
dirv = ["/proc", "/sys",
"/bin", "/sbin", "/lib", "/lib64", "/usr/bin", "/usr/lib",
"/etc",
"/tmp", "/run",
]
for _ in dirv:
mkdir_p(slappart + _)
unshareonly = (slappart == "-U")
if unshareonly:
slappart = ""
if not unshareonly:
# create directories inside container
dirv = ["/proc", "/sys",
"/bin", "/sbin", "/lib", "/lib64", "/usr/bin", "/usr/lib",
"/etc",
"/tmp", "/run",
]
for _ in dirv:
mkdir_p(slappart + _)
# find out my uid/gid
uid = os.getuid()
......@@ -208,17 +212,18 @@ def main():
mount("none", slappart + "/tmp", "tmpfs")
mount("none", slappart + "/run", "tmpfs")
# read-only bind mount bin, lib, ... from SR
# FIXME stub: here we bind from base system for now
bind("/bin", slappart + "/bin", MS_RDONLY)
bind("/sbin", slappart + "/sbin", MS_RDONLY)
bind("/lib", slappart + "/lib", MS_RDONLY)
bind("/lib64", slappart + "/lib64", MS_RDONLY)
bind("/usr/bin", slappart + "/usr/bin", MS_RDONLY)
bind("/usr/lib", slappart + "/usr/lib", MS_RDONLY)
if not unshareonly:
# read-only bind mount bin, lib, ... from SR
# FIXME stub: here we bind from base system for now
bind("/bin", slappart + "/bin", MS_RDONLY)
bind("/sbin", slappart + "/sbin", MS_RDONLY)
bind("/lib", slappart + "/lib", MS_RDONLY)
bind("/lib64", slappart + "/lib64", MS_RDONLY)
bind("/usr/bin", slappart + "/usr/bin", MS_RDONLY)
bind("/usr/lib", slappart + "/usr/lib", MS_RDONLY)
# XXX we need to setup some small /etc/{passwd,group} - else e.g. screen is not working
bind("/etc", slappart + "/etc", MS_RDONLY)
# XXX we need to setup some small /etc/{passwd,group} - else e.g. screen is not working
bind("/etc", slappart + "/etc", MS_RDONLY)
# XXX sysfs and proc are somehow special - mount succeeds only after fork
pid = os.fork()
......@@ -235,9 +240,10 @@ def main():
os.system("/sbin/ifconfig lo 127.0.0.1") # XXX at least loopback works
# chroot to container
slappart = abspath(slappart)
os.chdir(slappart)
os.chroot(slappart)
if not unshareonly:
slappart = abspath(slappart)
os.chdir(slappart)
os.chroot(slappart) # XXX -> try pivot_root
# FIXME stub: -> $SHELL
os.execv("/bin/bash", ["bash"])
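Review bot: The two tmpfs mounts at the top of the second hunk, `mount("none", slappart + "/tmp", "tmpfs")` and `mount("none", slappart + "/run", "tmpfs")`, are context lines and so still run unconditionally, but in `-U` mode `slappart` is `""`, which makes them shadow the host's `/tmp` and `/run` with empty tmpfs even though the bind mounts and the chroot are now skipped. If the unshare-only mode is meant to leave the filesystem view alone, these two lines belong under the same `if not unshareonly:` guard as the `bind(...)` calls that follow them; if the empty `/tmp` and `/run` are intended, a one-line comment saying so would save the next reader the same question. The `/proc` and `/sys` mounts done after the `os.fork()` at the end of that hunk presumably have the same issue, but their lines are outside the hunk, as is the rest of `main()`, so I cannot confirm it. Separately, detecting the mode via `slappart == "-U"` overloads the positional argument; a small `getopt`/`argparse` parse would make `-U` an explicit flag rather than a magic directory name.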