Commit aa33cee3 authored by Kirill Smelkov

Allow to only unshare (slapns -U) without creating separate chroot

It is handy to reuse the slapns uid setup, because e.g. `unshare -U ...` does
not allow using newuidmap & friends, so with plain unshare it is
hard to create a user namespace in which e.g. screen will work (openpty
wants to chown(:tty), gid(tty)=5)
parent a150da84
...@@ -139,14 +139,18 @@ def idmap_trysetup_viashadow(kind, pid): ...@@ -139,14 +139,18 @@ def idmap_trysetup_viashadow(kind, pid):
def main(): def main():
slappart = sys.argv[1] slappart = sys.argv[1]
# create directories inside container unshareonly = (slappart == "-U")
dirv = ["/proc", "/sys", if unshareonly:
"/bin", "/sbin", "/lib", "/lib64", "/usr/bin", "/usr/lib", slappart = ""
"/etc", if not unshareonly:
"/tmp", "/run", # create directories inside container
] dirv = ["/proc", "/sys",
for _ in dirv: "/bin", "/sbin", "/lib", "/lib64", "/usr/bin", "/usr/lib",
mkdir_p(slappart + _) "/etc",
"/tmp", "/run",
]
for _ in dirv:
mkdir_p(slappart + _)
# find out my uid/gid # find out my uid/gid
uid = os.getuid() uid = os.getuid()
...@@ -208,17 +212,18 @@ def main(): ...@@ -208,17 +212,18 @@ def main():
mount("none", slappart + "/tmp", "tmpfs") mount("none", slappart + "/tmp", "tmpfs")
mount("none", slappart + "/run", "tmpfs") mount("none", slappart + "/run", "tmpfs")
# read-only bind mount bin, lib, ... from SR if not unshareonly:
# FIXME stub: here we bind from base system for now # read-only bind mount bin, lib, ... from SR
bind("/bin", slappart + "/bin", MS_RDONLY) # FIXME stub: here we bind from base system for now
bind("/sbin", slappart + "/sbin", MS_RDONLY) bind("/bin", slappart + "/bin", MS_RDONLY)
bind("/lib", slappart + "/lib", MS_RDONLY) bind("/sbin", slappart + "/sbin", MS_RDONLY)
bind("/lib64", slappart + "/lib64", MS_RDONLY) bind("/lib", slappart + "/lib", MS_RDONLY)
bind("/usr/bin", slappart + "/usr/bin", MS_RDONLY) bind("/lib64", slappart + "/lib64", MS_RDONLY)
bind("/usr/lib", slappart + "/usr/lib", MS_RDONLY) bind("/usr/bin", slappart + "/usr/bin", MS_RDONLY)
bind("/usr/lib", slappart + "/usr/lib", MS_RDONLY)
# XXX we need to setup some small /etc/{passwd,group} - else e.g. screen is not working # XXX we need to setup some small /etc/{passwd,group} - else e.g. screen is not working
bind("/etc", slappart + "/etc", MS_RDONLY) bind("/etc", slappart + "/etc", MS_RDONLY)
# XXX sysfs and proc are somehow special - mount succeeds only after fork # XXX sysfs and proc are somehow special - mount succeeds only after fork
pid = os.fork() pid = os.fork()
...@@ -235,9 +240,10 @@ def main(): ...@@ -235,9 +240,10 @@ def main():
os.system("/sbin/ifconfig lo 127.0.0.1") # XXX at least loopback works os.system("/sbin/ifconfig lo 127.0.0.1") # XXX at least loopback works
# chroot to container # chroot to container
slappart = abspath(slappart) if not unshareonly:
os.chdir(slappart) slappart = abspath(slappart)
os.chroot(slappart) os.chdir(slappart)
os.chroot(slappart) # XXX -> try pivot_root
# FIXME stub: -> $SHELL # FIXME stub: -> $SHELL
os.execv("/bin/bash", ["bash"]) os.execv("/bin/bash", ["bash"])
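Review bot: With `-U` the new code sets `slappart = ""`, so the unchanged `mount("none", slappart + "/tmp", "tmpfs")` and `mount("none", slappart + "/run", "tmpfs")` lines at the top of the second hunk now mount a fresh tmpfs over the real /tmp and /run instead of over directories under the partition, while the bind mounts right below them are skipped. If a private /tmp and /run is the intent (presumably inside an already unshared mount namespace — the unshare call is not in these hunks), say so where `unshareonly` is computed, e.g. `# -U: slappart == "" -> tmpfs is mounted over /tmp and /run of the new mount namespace`; otherwise guard those two mount calls with the same `if not unshareonly:` used for the bind mounts. The `# XXX -> try pivot_root` added on `os.chroot(slappart)` deserves a fuller note: chroot() alone is not a containment boundary for a process that still holds CAP_SYS_CHROOT (which the user-namespace root here presumably does), so the chroot path should move to pivot_root plus unmounting the old root before anyone relies on it. The parts of main() between the three hunks are outside this view.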