Change namespaces config to include path for setns

config.go

@@ -10,6 +10,13 @@ type MountConfig mount.MountConfig
 
 type Network network.Network
 
+// Namespace defines configuration for each namespace.  It specifies an
+// alternate path that is able to be joined via setns.
+type Namespace struct {
+	Name string `json:"name"`
+	Path string `json:"path,omitempty"`
+}
+
 // Config defines configuration options for executing a process inside a contained environment.
 type Config struct {
 	// Mount specific options.
@@ -38,7 +45,7 @@ type Config struct {
 
 	// Namespaces specifies the container's namespaces that it should setup when cloning the init process
 	// If a namespace is not provided that namespace is shared from the container's parent process
-	Namespaces map[string]bool `json:"namespaces,omitempty"`
+	Namespaces []Namespace `json:"namespaces,omitempty"`
 
 	// Capabilities specify the capabilities to keep when executing the process inside the container
 	// All capbilities not specified will be dropped from the processes capability mask
@@ -47,9 +54,6 @@ type Config struct {
 	// Networks specifies the container's network setup to be created
 	Networks []*Network `json:"networks,omitempty"`
 
-	// Ipc specifies the container's ipc setup to be created
-	IpcNsPath string `json:"ipc,omitempty"`
-
 	// Routes can be specified to create entries in the route table as the container is started
 	Routes []*Route `json:"routes,omitempty"`
 

config_test.go

@@ -64,12 +64,12 @@ func TestConfigJsonFormat(t *testing.T) {
 		t.Fail()
 	}
 
-	if !container.Namespaces["NEWNET"] {
+	if getNamespaceIndex(container, "NEWNET") == -1 {
 		t.Log("namespaces should contain NEWNET")
 		t.Fail()
 	}
 
-	if container.Namespaces["NEWUSER"] {
+	if getNamespaceIndex(container, "NEWUSER") != -1 {
 		t.Log("namespaces should not contain NEWUSER")
 		t.Fail()
 	}
@@ -158,3 +158,12 @@ func TestSelinuxLabels(t *testing.T) {
 		t.Fatalf("expected mount label %q but received %q", label, container.MountConfig.MountLabel)
 	}
 }
+
+func getNamespaceIndex(config *Config, name string) int {
+	for i, v := range config.Namespaces {
+		if v.Name == name {
+			return i
+		}
+	}
+	return -1
+}

integration/exec_test.go

@@ -4,6 +4,8 @@ import (
 	"os"
 	"strings"
 	"testing"
+
+	"github.com/docker/libcontainer"
 )
 
 func TestExecPS(t *testing.T) {
@@ -55,7 +57,6 @@ func TestIPCPrivate(t *testing.T) {
 	}
 
 	config := newTemplateConfig(rootfs)
-	config.Namespaces["NEWIPC"] = true
 	buffers, exitCode, err := runContainer(config, "", "readlink", "/proc/self/ns/ipc")
 	if err != nil {
 		t.Fatal(err)
@@ -87,7 +88,8 @@ func TestIPCHost(t *testing.T) {
 	}
 
 	config := newTemplateConfig(rootfs)
-	config.Namespaces["NEWIPC"] = false
+	i := getNamespaceIndex(config, "NEWIPC")
+	config.Namespaces = append(config.Namespaces[:i], config.Namespaces[i+1:]...)
 	buffers, exitCode, err := runContainer(config, "", "readlink", "/proc/self/ns/ipc")
 	if err != nil {
 		t.Fatal(err)
@@ -119,8 +121,8 @@ func TestIPCJoinPath(t *testing.T) {
 	}
 
 	config := newTemplateConfig(rootfs)
-	config.Namespaces["NEWIPC"] = false
-	config.IpcNsPath = "/proc/1/ns/ipc"
+	i := getNamespaceIndex(config, "NEWIPC")
+	config.Namespaces[i].Path = "/proc/1/ns/ipc"
 
 	buffers, exitCode, err := runContainer(config, "", "readlink", "/proc/self/ns/ipc")
 	if err != nil {
@@ -148,8 +150,8 @@ func TestIPCBadPath(t *testing.T) {
 	defer remove(rootfs)
 
 	config := newTemplateConfig(rootfs)
-	config.Namespaces["NEWIPC"] = false
-	config.IpcNsPath = "/proc/1/ns/ipcc"
+	i := getNamespaceIndex(config, "NEWIPC")
+	config.Namespaces[i].Path = "/proc/1/ns/ipcc"
 
 	_, _, err = runContainer(config, "", "true")
 	if err == nil {
@@ -177,3 +179,12 @@ func TestRlimit(t *testing.T) {
 		t.Fatalf("expected rlimit to be 1024, got %s", limit)
 	}
 }
+
+func getNamespaceIndex(config *libcontainer.Config, name string) int {
+	for i, v := range config.Namespaces {
+		if v.Name == name {
+			return i
+		}
+	}
+	return -1
+}

integration/template_test.go

@@ -32,12 +32,12 @@ func newTemplateConfig(rootfs string) *libcontainer.Config {
 			"KILL",
 			"AUDIT_WRITE",
 		},
-		Namespaces: map[string]bool{
-			"NEWNS":  true,
-			"NEWUTS": true,
-			"NEWIPC": true,
-			"NEWPID": true,
-			"NEWNET": true,
+		Namespaces: []libcontainer.Namespace{
+			{Name: "NEWNS"},
+			{Name: "NEWUTS"},
+			{Name: "NEWIPC"},
+			{Name: "NEWPID"},
+			{Name: "NEWNET"},
 		},
 		Cgroups: &cgroups.Cgroup{
 			Parent:          "integration",

namespaces/init.go

@@ -13,7 +13,6 @@ import (
 	"github.com/docker/libcontainer"
 	"github.com/docker/libcontainer/apparmor"
 	"github.com/docker/libcontainer/console"
-	"github.com/docker/libcontainer/ipc"
 	"github.com/docker/libcontainer/label"
 	"github.com/docker/libcontainer/mount"
 	"github.com/docker/libcontainer/netlink"
@@ -65,7 +64,10 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, pip
 	if err := json.NewDecoder(pipe).Decode(&networkState); err != nil {
 		return err
 	}
-
+	// join any namespaces via a path to the namespace fd if provided
+	if err := joinExistingNamespaces(container.Namespaces); err != nil {
+		return err
+	}
 	if consolePath != "" {
 		if err := console.OpenAndDup(consolePath); err != nil {
 			return err
@@ -79,9 +81,7 @@ func Init(container *libcontainer.Config, uncleanRootfs, consolePath string, pip
 			return fmt.Errorf("setctty %s", err)
 		}
 	}
-	if err := ipc.Initialize(container.IpcNsPath); err != nil {
-		return fmt.Errorf("setup IPC %s", err)
-	}
+
 	if err := setupNetwork(container, networkState); err != nil {
 		return fmt.Errorf("setup networking %s", err)
 	}
@@ -308,3 +308,22 @@ func LoadContainerEnvironment(container *libcontainer.Config) error {
 	}
 	return nil
 }
+
+// joinExistingNamespaces gets all the namespace paths specified for the container and
+// does a setns on the namespace fd so that the current process joins the namespace.
+func joinExistingNamespaces(namespaces []libcontainer.Namespace) error {
+	for _, ns := range namespaces {
+		if ns.Path != "" {
+			f, err := os.OpenFile(ns.Path, os.O_RDONLY, 0)
+			if err != nil {
+				return err
+			}
+			err = system.Setns(f.Fd(), uintptr(namespaceInfo[ns.Name]))
+			f.Close()
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}

namespaces/utils.go

@@ -5,6 +5,8 @@ package namespaces
 import (
 	"os"
 	"syscall"
+
+	"github.com/docker/libcontainer"
 )
 
 type initError struct {
@@ -15,6 +17,15 @@ func (i initError) Error() string {
 	return i.Message
 }
 
+var namespaceInfo = map[string]int{
+	"NEWNET":  syscall.CLONE_NEWNET,
+	"NEWNS":   syscall.CLONE_NEWNS,
+	"NEWUSER": syscall.CLONE_NEWUSER,
+	"NEWIPC":  syscall.CLONE_NEWIPC,
+	"NEWUTS":  syscall.CLONE_NEWUTS,
+	"NEWPID":  syscall.CLONE_NEWPID,
+}
+
 // New returns a newly initialized Pipe for communication between processes
 func newInitPipe() (parent *os.File, child *os.File, err error) {
 	fds, err := syscall.Socketpair(syscall.AF_LOCAL, syscall.SOCK_STREAM|syscall.SOCK_CLOEXEC, 0)
@@ -26,13 +37,9 @@ func newInitPipe() (parent *os.File, child *os.File, err error) {
 
 // GetNamespaceFlags parses the container's Namespaces options to set the correct
 // flags on clone, unshare, and setns
-func GetNamespaceFlags(namespaces map[string]bool) (flag int) {
-	for key, enabled := range namespaces {
-		if enabled {
-			if ns := GetNamespace(key); ns != nil {
-				flag |= ns.Value
-			}
-		}
+func GetNamespaceFlags(namespaces []libcontainer.Namespace) (flag int) {
+	for _, v := range namespaces {
+		flag |= namespaceInfo[v.Name]
 	}
 	return flag
 }