Merge pull request #1939 from brauner/2017-11-22/more_elaborate_confi…

…g_update_message doc: documents lxc.namespace.[namespace identifier] + confile: improve legacy update message
lxc · Nov 23, 2017 · a122de3 · a122de3
2 parents b151c7e + f3c9f12
commit a122de3
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 1 deletion.
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
@@ -1277,6 +1277,65 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
       </variablelist>
     </refsect2>
 
+    <refsect2>
+      <title>Namespace Inheritance</title>
+      <para>
+        The capabilities can be dropped in the container if this one
+        is run as root.
+      </para>
+      <variablelist>
+        <varlistentry>
+          <term>
+            <option>lxc.namespace.[namespace identifier]</option>
+          </term>
+          <listitem>
+            <para>
+            Specify a namespace to inherit from another container or process.
+            The <option>[namespace identifier]</option> suffix needs to be
+            replaced with one of the namespaces that appear in the
+            <filename>/proc/PID/ns</filename> directory.
+            </para>
+
+            <para>
+            To inherit the namespace from another process set the
+            <option>lxc.namespace.[namespace identifier]</option> to the PID of
+            the process, e.g. <option>lxc.namespace.net=42</option>.
+            </para>
+
+            <para>
+            To inherit the namespace from another container set the 
+            <option>lxc.namespace.[namespace identifier]</option> to the name of
+            the container, e.g. <option>lxc.namespace.pid=c3</option>.
+            </para>
+
+            <para>
+            To inherit the namespace from another container located in a
+            different path than the standard liblxc path set the
+            <option>lxc.namespace.[namespace identifier]</option> to the full
+            path to the container, e.g.
+            <option>lxc.namespace.user=/opt/c3</option>.
+            </para>
+
+            <para>
+            In order to inherit namespaces the caller needs to have sufficient
+            privilege over the process or container.
+            </para>
+
+            <para>
+            Note that sharing pid namespaces between system containers will
+            likely not work with most init systems.
+            </para>
+
+            <para>
+            Note that if two processes are in different user namespaces and one
+            process wants to inherit the other's network namespace it usually
+            needs to inherit the user namespace as well.
+            </para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </refsect2>
+
     <refsect2>
       <title>Resource limits</title>
       <para>

diff --git a/src/lxc/confile.c b/src/lxc/confile.c
@@ -2115,7 +2115,10 @@ static int parse_line(char *buffer, void *data)
 			 */
 			fprintf(stderr, "The configuration file contains "
 					"legacy configuration keys.\nPlease "
-					"update your configuration file!\n");
+					"update your configuration file!\nThe "
+					"update script lxc-update-config -c "
+					"<path-to-config> can be used for "
+					"this.\n");
 		}
 	}
 	/* [END]: REMOVE IN LXC 3.0 */