nspawn: add new --no-net switch to turn off networking in the container
This commit is contained in:
Lennart Poettering
parent
72b9ed828b
commit
a41fe3a293
|
|
@ -1341,7 +1341,8 @@ systemd_cgls_LDADD = \
|
|||
|
||||
systemd_nspawn_SOURCES = \
|
||||
src/nspawn.c \
|
||||
src/cgroup-util.c
|
||||
src/cgroup-util.c \
|
||||
src/loopback-setup.c
|
||||
|
||||
systemd_nspawn_CFLAGS = \
|
||||
$(AM_CFLAGS)
|
||||
|
|
|
|||
|
|
@ -123,6 +123,7 @@
|
|||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--help</option></term>
|
||||
<term><option>-h</option></term>
|
||||
|
||||
<listitem><para>Prints a short help
|
||||
text and exits.</para></listitem>
|
||||
|
|
@ -152,6 +153,16 @@
|
|||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--no-net</option></term>
|
||||
|
||||
<listitem><para>Turn off networking in
|
||||
the container. This makes all network
|
||||
interfaces unavailable in the
|
||||
container, with the exception of the
|
||||
loopback device.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
|
||||
</refsect1>
|
||||
|
|
|
|||
26
src/nspawn.c
26
src/nspawn.c
|
|
@ -44,9 +44,11 @@
|
|||
#include "cgroup-util.h"
|
||||
#include "sd-daemon.h"
|
||||
#include "strv.h"
|
||||
#include "loopback-setup.h"
|
||||
|
||||
static char *arg_directory = NULL;
|
||||
static char *arg_user = NULL;
|
||||
static bool arg_no_net = false;
|
||||
|
||||
static int help(void) {
|
||||
|
||||
|
|
@ -54,7 +56,8 @@ static int help(void) {
|
|||
"Spawn a minimal namespace container for debugging, testing and building.\n\n"
|
||||
" -h --help Show this help\n"
|
||||
" -D --directory=NAME Root directory for the container\n"
|
||||
" -u --user=USER Run the command under specified user or uid\n",
|
||||
" -u --user=USER Run the command under specified user or uid\n"
|
||||
" --no-net Disable network in container\n",
|
||||
program_invocation_short_name);
|
||||
|
||||
return 0;
|
||||
|
|
@ -62,11 +65,16 @@ static int help(void) {
|
|||
|
||||
static int parse_argv(int argc, char *argv[]) {
|
||||
|
||||
enum {
|
||||
ARG_NO_NET = 0x100
|
||||
};
|
||||
|
||||
static const struct option options[] = {
|
||||
{ "help", no_argument, NULL, 'h' },
|
||||
{ "directory", required_argument, NULL, 'D' },
|
||||
{ "user", optional_argument, NULL, 'u' },
|
||||
{ NULL, 0, NULL, 0 }
|
||||
{ "help", no_argument, NULL, 'h' },
|
||||
{ "directory", required_argument, NULL, 'D' },
|
||||
{ "user", required_argument, NULL, 'u' },
|
||||
{ "no-net", no_argument, NULL, ARG_NO_NET },
|
||||
{ NULL, 0, NULL, 0 }
|
||||
};
|
||||
|
||||
int c;
|
||||
|
|
@ -100,6 +108,10 @@ static int parse_argv(int argc, char *argv[]) {
|
|||
|
||||
break;
|
||||
|
||||
case ARG_NO_NET:
|
||||
arg_no_net = true;
|
||||
break;
|
||||
|
||||
case '?':
|
||||
return -EINVAL;
|
||||
|
||||
|
|
@ -698,7 +710,7 @@ int main(int argc, char *argv[]) {
|
|||
sigset_add_many(&mask, SIGCHLD, SIGWINCH, SIGTERM, SIGINT, -1);
|
||||
assert_se(sigprocmask(SIG_BLOCK, &mask, NULL) == 0);
|
||||
|
||||
if ((pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS, NULL)) < 0) {
|
||||
if ((pid = syscall(__NR_clone, SIGCHLD|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWPID|CLONE_NEWUTS|(arg_no_net ? CLONE_NEWNET : 0), NULL)) < 0) {
|
||||
log_error("clone() failed: %m");
|
||||
goto finish;
|
||||
}
|
||||
|
|
@ -777,6 +789,8 @@ int main(int argc, char *argv[]) {
|
|||
|
||||
umask(0022);
|
||||
|
||||
loopback_setup();
|
||||
|
||||
if (drop_capabilities() < 0)
|
||||
goto child_fail;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue