2 * lxc: linux Container library
4 * (C) Copyright IBM Corp. 2007, 2010
7 * Daniel Lezcano <daniel.lezcano at free.fr>
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
32 #include <sys/ioctl.h>
34 #include <sys/types.h>
37 #include <lxc/lxccontainer.h>
39 #include "arguments.h"
40 #include "tool_utils.h"
42 static const struct option my_longopts
[] = {
43 {"elevated-privileges", optional_argument
, 0, 'e'},
44 {"arch", required_argument
, 0, 'a'},
45 {"namespaces", required_argument
, 0, 's'},
46 {"remount-sys-proc", no_argument
, 0, 'R'},
47 /* TODO: decide upon short option names */
48 {"clear-env", no_argument
, 0, 500},
49 {"keep-env", no_argument
, 0, 501},
50 {"keep-var", required_argument
, 0, 502},
51 {"set-var", required_argument
, 0, 'v'},
52 {"pty-log", required_argument
, 0, 'L'},
53 {"rcfile", required_argument
, 0, 'f'},
57 static int elevated_privileges
= 0;
58 static signed long new_personality
= -1;
59 static int namespace_flags
= -1;
60 static int remount_sys_proc
= 0;
61 static lxc_attach_env_policy_t env_policy
= LXC_ATTACH_KEEP_ENV
;
62 static char **extra_env
= NULL
;
63 static ssize_t extra_env_size
= 0;
64 static char **extra_keep
= NULL
;
65 static ssize_t extra_keep_size
= 0;
67 static int add_to_simple_array(char ***array
, ssize_t
*capacity
, char *value
)
75 for (; (*array
)[count
]; count
++);
77 /* we have to reallocate */
78 if (count
>= *capacity
- 1) {
79 ssize_t new_capacity
= ((count
+ 1) / 32 + 1) * 32;
80 char **new_array
= realloc((void*)*array
, sizeof(char *) * new_capacity
);
83 memset(&new_array
[count
], 0, sizeof(char*)*(new_capacity
- count
));
85 *capacity
= new_capacity
;
91 (*array
)[count
] = value
;
95 static int my_parser(struct lxc_arguments
* args
, int c
, char* arg
)
103 ret
= lxc_fill_elevated_privileges(arg
, &elevated_privileges
);
107 case 'R': remount_sys_proc
= 1; break;
109 new_personality
= lxc_config_parse_arch(arg
);
110 if (new_personality
< 0) {
111 lxc_error(args
, "invalid architecture specified: %s", arg
);
118 /* The identifiers for namespaces used with lxc-attach as given
119 * on the manpage do not align with the standard identifiers.
120 * This affects network, mount, and uts namespaces. The standard
121 * identifiers are: "mnt", "uts", and "net" whereas lxc-attach
122 * uses "MOUNT", "UTSNAME", and "NETWORK". So let's use some
123 * cheap memmove()s to replace them by their standard
124 * identifiers. Let's illustrate this with an example:
131 * dest: del + 1 == OUNT|PID
132 * src: del + 3 == NT|PID
134 while ((del
= strstr(arg
, "MOUNT")))
135 memmove(del
+ 1, del
+ 3, strlen(del
) - 2);
137 for (it
= (char *[]){"NETWORK", "UTSNAME", NULL
}; it
&& *it
; it
++)
138 while ((del
= strstr(arg
, *it
)))
139 memmove(del
+ 3, del
+ 7, strlen(del
) - 6);
141 ret
= lxc_fill_namespace_flags(arg
, &namespace_flags
);
145 lxc_fill_elevated_privileges(NULL
, &elevated_privileges
);
147 case 500: /* clear-env */
148 env_policy
= LXC_ATTACH_CLEAR_ENV
;
150 case 501: /* keep-env */
151 env_policy
= LXC_ATTACH_KEEP_ENV
;
153 case 502: /* keep-var */
154 ret
= add_to_simple_array(&extra_keep
, &extra_keep_size
, arg
);
156 lxc_error(args
, "memory allocation error");
161 ret
= add_to_simple_array(&extra_env
, &extra_env_size
, arg
);
163 lxc_error(args
, "memory allocation error");
168 args
->console_log
= arg
;
178 static struct lxc_arguments my_args
= {
179 .progname
= "lxc-attach",
181 --name=NAME [-- COMMAND]\n\
183 Execute the specified COMMAND - enter the container NAME\n\
186 -n, --name=NAME NAME of the container\n\
187 -e, --elevated-privileges=PRIVILEGES\n\
188 Use elevated privileges instead of those of the\n\
189 container. If you don't specify privileges to be\n\
190 elevated as OR'd list: CAP, CGROUP and LSM (capabilities,\n\
191 cgroup and restrictions, respectively) then all of them\n\
193 WARNING: This may leak privileges into the container.\n\
195 -a, --arch=ARCH Use ARCH for program instead of container's own\n\
197 -s, --namespaces=FLAGS\n\
198 Don't attach to all the namespaces of the container\n\
199 but just to the following OR'd list of flags:\n\
200 MOUNT, PID, UTSNAME, IPC, USER or NETWORK.\n\
201 WARNING: Using -s implies -e with all privileges\n\
202 elevated, it may therefore leak privileges into the\n\
203 container. Use with care.\n\
204 -R, --remount-sys-proc\n\
205 Remount /sys and /proc if not attaching to the\n\
206 mount namespace when using -s in order to properly\n\
207 reflect the correct namespace context. See the\n\
208 lxc-attach(1) manual page for details.\n\
209 --clear-env Clear all environment variables before attaching.\n\
210 The attached shell/program will start with only\n\
211 container=lxc set.\n\
212 --keep-env Keep all current environment variables. This\n\
213 is the current default behaviour, but is likely to\n\
214 change in the future.\n\
215 -L, --pty-log=FILE\n\
216 Log pty output to FILE\n\
217 -v, --set-var Set an additional variable that is seen by the\n\
218 attached program in the container. May be specified\n\
220 --keep-var Keep an additional environment variable. Only\n\
221 applicable if --clear-env is specified. May be used\n\
224 Load configuration file FILE\n\
226 .options
= my_longopts
,
231 static bool stdfd_is_pty(void)
233 if (isatty(STDIN_FILENO
))
235 if (isatty(STDOUT_FILENO
))
237 if (isatty(STDERR_FILENO
))
243 int lxc_attach_create_log_file(const char *log_file
)
247 fd
= open(log_file
, O_CLOEXEC
| O_RDWR
| O_CREAT
| O_APPEND
, 0600);
249 fprintf(stderr
, "Failed to open log file \"%s\"\n", log_file
);
256 int main(int argc
, char *argv
[])
262 lxc_attach_options_t attach_options
= LXC_ATTACH_OPTIONS_DEFAULT
;
263 lxc_attach_command_t command
= (lxc_attach_command_t
){.program
= NULL
};
269 r
= lxc_arguments_parse(&my_args
, argc
, argv
);
273 if (!my_args
.log_file
)
274 my_args
.log_file
= "none";
276 log
.name
= my_args
.name
;
277 log
.file
= my_args
.log_file
;
278 log
.level
= my_args
.log_priority
;
279 log
.prefix
= my_args
.progname
;
280 log
.quiet
= my_args
.quiet
;
281 log
.lxcpath
= my_args
.lxcpath
[0];
282 r
= lxc_log_init(&log
);
287 if (access(my_args
.lxcpath
[0], O_RDONLY
) < 0) {
289 fprintf(stderr
, "You lack access to %s\n", my_args
.lxcpath
[0]);
294 struct lxc_container
*c
= lxc_container_new(my_args
.name
, my_args
.lxcpath
[0]);
298 if (my_args
.rcfile
) {
300 if (!c
->load_config(c
, my_args
.rcfile
)) {
301 fprintf(stderr
, "Failed to load rcfile\n");
302 lxc_container_put(c
);
305 c
->configfile
= strdup(my_args
.rcfile
);
306 if (!c
->configfile
) {
307 fprintf(stderr
, "Out of memory setting new config filename\n");
308 lxc_container_put(c
);
313 if (!c
->may_control(c
)) {
314 fprintf(stderr
, "Insufficent privileges to control %s\n", c
->name
);
315 lxc_container_put(c
);
319 if (remount_sys_proc
)
320 attach_options
.attach_flags
|= LXC_ATTACH_REMOUNT_PROC_SYS
;
321 if (elevated_privileges
)
322 attach_options
.attach_flags
&= ~(elevated_privileges
);
324 attach_options
.attach_flags
|= LXC_ATTACH_TERMINAL
;
325 attach_options
.namespaces
= namespace_flags
;
326 attach_options
.personality
= new_personality
;
327 attach_options
.env_policy
= env_policy
;
328 attach_options
.extra_env_vars
= extra_env
;
329 attach_options
.extra_keep_env
= extra_keep
;
331 if (my_args
.argc
> 0) {
332 command
.program
= my_args
.argv
[0];
333 command
.argv
= (char**)my_args
.argv
;
336 if (my_args
.console_log
) {
337 attach_options
.log_fd
= lxc_attach_create_log_file(my_args
.console_log
);
338 if (attach_options
.log_fd
< 0)
343 ret
= c
->attach(c
, lxc_attach_run_command
, &command
, &attach_options
, &pid
);
345 ret
= c
->attach(c
, lxc_attach_run_shell
, NULL
, &attach_options
, &pid
);
350 ret
= lxc_wait_for_pid_status(pid
);
355 wexit
= WEXITSTATUS(ret
);
357 lxc_container_put(c
);