Allow to only unshare (slapns -U) without creating separate chroot

It is handy to reuse slapns uid setup, because e.g. `unshare -U...` does not allow to use newuidmap & friends, and so with just unshare it is hard to create a user namespace where e.g. screen will work (openpty wants to chown(:tty), gid(tty)=5)

Allow to only unshare (slapns -U) without creating separate chroot
It is handy to reuse slapns uid setup, because e.g. `unshare -U...` does not allow to use newuidmap & friends, and so with just unshare it is hard to create a user namespace where e.g. screen will work (openpty wants to chown(:tty), gid(tty)=5)
aa33cee3 · Kirill Smelkov · a150da84 · aa33cee3
Commit aa33cee3 authored Oct 23, 2018 by Kirill Smelkov
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 21 deletions

slapns.py slapns.py +27 -21

No files found.
--- a/slapns.py
+++ b/slapns.py
@@ -139,14 +139,18 @@ def idmap_trysetup_viashadow(kind, pid):
 def main():
    slappart = sys.argv[1]

-    # create directories inside container
-    dirv = ["/proc", "/sys",
-            "/bin", "/sbin", "/lib", "/lib64", "/usr/bin", "/usr/lib",
-            "/etc",
-            "/tmp", "/run",
-            ]
-    for _ in dirv:
-        mkdir_p(slappart + _)
+    unshareonly = (slappart == "-U")
+    if unshareonly:
+        slappart = ""
+    if not unshareonly:
+        # create directories inside container
+        dirv = ["/proc", "/sys",
+                "/bin", "/sbin", "/lib", "/lib64", "/usr/bin", "/usr/lib",
+                "/etc",
+                "/tmp", "/run",
+                ]
+        for _ in dirv:
+            mkdir_p(slappart + _)

    # find out my uid/gid
    uid = os.getuid()
@@ -208,17 +212,18 @@ def main():
    mount("none", slappart + "/tmp", "tmpfs")
    mount("none", slappart + "/run", "tmpfs")

-    # read-only bind mount bin, lib, ... from SR
-    # FIXME stub: here we bind from base system for now
-    bind("/bin",    slappart + "/bin",  MS_RDONLY)
-    bind("/sbin",   slappart + "/sbin", MS_RDONLY)
-    bind("/lib",    slappart + "/lib",  MS_RDONLY)
-    bind("/lib64",  slappart + "/lib64", MS_RDONLY)
-    bind("/usr/bin", slappart + "/usr/bin", MS_RDONLY)
-    bind("/usr/lib", slappart + "/usr/lib", MS_RDONLY)
+    if not unshareonly:
+        # read-only bind mount bin, lib, ... from SR
+        # FIXME stub: here we bind from base system for now
+        bind("/bin",    slappart + "/bin",  MS_RDONLY)
+        bind("/sbin",   slappart + "/sbin", MS_RDONLY)
+        bind("/lib",    slappart + "/lib",  MS_RDONLY)
+        bind("/lib64",  slappart + "/lib64", MS_RDONLY)
+        bind("/usr/bin", slappart + "/usr/bin", MS_RDONLY)
+        bind("/usr/lib", slappart + "/usr/lib", MS_RDONLY)

-    # XXX we need to setup some small /etc/{passwd,group} - else e.g. screen is not working
-    bind("/etc", slappart + "/etc", MS_RDONLY)
+        # XXX we need to setup some small /etc/{passwd,group} - else e.g. screen is not working
+        bind("/etc", slappart + "/etc", MS_RDONLY)

    # XXX sysfs and proc are somehow special - mount succeeds only after fork
    pid = os.fork()
@@ -235,9 +240,10 @@ def main():
    os.system("/sbin/ifconfig lo 127.0.0.1")    # XXX at least loopback works

    # chroot to container
-    slappart = abspath(slappart)
-    os.chdir(slappart)
-    os.chroot(slappart)
+    if not unshareonly:
+        slappart = abspath(slappart)
+        os.chdir(slappart)
+        os.chroot(slappart) # XXX -> try pivot_root

    # FIXME stub: -> $SHELL
    os.execv("/bin/bash", ["bash"])