lxc_attach.c revision 13f5be6276100761eaeddd77b7b55fbec6b0c9ab
20N/A * lxc: linux Container library 20N/A * (C) Copyright IBM Corp. 2007, 2010 20N/A * This library is free software; you can redistribute it and/or 20N/A * modify it under the terms of the GNU Lesser General Public 20N/A * License as published by the Free Software Foundation; either 20N/A * version 2.1 of the License, or (at your option) any later version. 20N/A * This library is distributed in the hope that it will be useful, 20N/A * but WITHOUT ANY WARRANTY; without even the implied warranty of 20N/A * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 20N/A * Lesser General Public License for more details. 20N/A * You should have received a copy of the GNU Lesser General Public 20N/A * License along with this library; if not, write to the Free Software 20N/A * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 382N/AExecute the specified command - enter the container NAME\n\ 382N/A -n, --name=NAME NAME for name of the container\n\ 382N/A -e, --elevated-privileges\n\ 382N/A Use elevated privileges (capabilities, cgroup\n\ 30N/A restrictions) instead of those of the container.\n\ 382N/A WARNING: This may leak privleges into the container.\n\ 382N/A -a, --arch=ARCH Use ARCH for program instead of container's own\n\ 382N/A -s, --namespaces=FLAGS\n\ 382N/A Don't attach to all the namespaces of the container\n\ 382N/A but just to the following OR'd list of flags:\n\ 258N/A MOUNT, PID, UTSNAME, IPC, USER or NETWORK\n\ 382N/A WARNING: Using -s implies -e, it may therefore\n\ 382N/A leak privileges into the container. Use with care.\n\ 382N/A -R, --remount-sys-proc\n\ 382N/A Remount /sys and /proc if not attaching to the\n\ 30N/A mount namespace when using -s in order to properly\n\ 54N/A reflect the correct namespace context. See the\n\ 382N/A lxc-attach(1) manual page for details.\n",
382N/A /* TODO: add cmdline arg to set lxcpath */ 382N/A * be available inside the container or we may not have 382N/A * the required permissions anymore 382N/A /* determine which namespaces the container was created with 382N/A "namespaces which the container unshared");
382N/A /* we need to attach before we fork since certain namespaces 382N/A * (such as pid namespaces) only really affect children of the 382N/A * current process and not the process itself 382N/A /* hack: we need sync.h infrastructure - and that needs a handler */ 382N/A ERROR(
"failed to initialize synchronization socket");
/* wait until the child has done configuring itself before * we put it in a cgroup that potentially limits these /* now that we are done with all privileged operations, * we can add ourselves to the cgroup. Since we smuggled in * the fds earlier, we still have write permission /* since setns() for pid namespaces only really * affects child processes, the pid we have is * still valid outside the container, so this is ERROR(
"failed to attach process to cgroup");
/* tell the child we are done initializing */ /* A description of the purpose of this functionality is * provided in the lxc-attach(1) manual page. We have to * remount here and not in the parent process, otherwise * /proc may not properly reflect the new pid namespace. ERROR(
"could not ensure correct architecture: %s",
ERROR(
"could not drop privileges");
/* tell parent we are done setting up the container and wait * until we have been put in the container's cgroup, if "entry for uid '%d'",
uid);