6 | |
6 | |
7 | use Linux::Clone; |
7 | use Linux::Clone; |
8 | |
8 | |
9 | =head1 DESCRIPTION |
9 | =head1 DESCRIPTION |
10 | |
10 | |
11 | This module exposes the linux clone(2), unshare(2) and related syscalls to |
11 | This module exposes the linux clone(2), unshare(2) and some related |
12 | Perl. |
12 | syscalls to Perl. |
13 | |
13 | |
14 | =over 4 |
14 | =over 4 |
15 | |
15 | |
16 | =item $retval = unshare $flags |
16 | =item $retval = unshare $flags |
17 | |
17 | |
30 | Linux::Clone::NEWPID |
30 | Linux::Clone::NEWPID |
31 | Linux::Clone::NEWUTS |
31 | Linux::Clone::NEWUTS |
32 | Linux::Clone::NEWIPC |
32 | Linux::Clone::NEWIPC |
33 | Linux::Clone::NEWNET |
33 | Linux::Clone::NEWNET |
34 | Linux::Clone::NEWCGROUP |
34 | Linux::Clone::NEWCGROUP |
|
|
35 | Linux::Clone::NEWTIME |
35 | |
36 | |
36 | Example: unshare the network namespace and prove that by calling ifconfig, |
37 | Example: unshare the network namespace and prove that by calling ifconfig, |
37 | showing only an unconfigured lo interface. |
38 | showing only the unconfigured lo interface. |
38 | |
39 | |
39 | Linux::Clone::unshare Linux::Clone::NEWNET |
40 | Linux::Clone::unshare Linux::Clone::NEWNET |
40 | and "unshare: $!"; |
41 | and "unshare: $!"; |
|
|
42 | Linux::Clone::configure_loopback; |
41 | system "ifconfig -a"; |
43 | system "ifconfig"; |
42 | |
44 | |
43 | Example: unshare the network namespace, initialise the loopback interface, |
45 | Example: unshare the network namespace, initialise the loopback interface, |
44 | create a veth interface pair, put one interface into the parent processes |
46 | create a veth interface pair, put one interface into the parent processes |
45 | namespace (use ifconfig -a from another shell), configure the other |
47 | namespace (use ifconfig -a from another shell), configure the other |
46 | interface with 192.168.99.2 -> 192.168.99.1 and start a shell. |
48 | interface with 192.168.99.2 -> 192.168.99.1 and start a shell. |
49 | |
51 | |
50 | # unshare our network namespace |
52 | # unshare our network namespace |
51 | Linux::Clone::unshare Linux::Clone::NEWNET |
53 | Linux::Clone::unshare Linux::Clone::NEWNET |
52 | and "unshare: $!"; |
54 | and "unshare: $!"; |
53 | |
55 | |
|
|
56 | Linux::Clone::configure_loopback; |
|
|
57 | |
54 | my $ppid = getppid; |
58 | my $ppid = getppid; |
55 | |
59 | |
56 | system " |
60 | system " |
57 | # configure loopback interface |
|
|
58 | ip link set lo up |
|
|
59 | ip route add 127.0.0.0/8 dev lo |
|
|
60 | |
|
|
61 | # create veth pair |
61 | # create veth pair |
62 | ip link add name veth_master type veth peer name veth_slave |
62 | ip link add name veth_master type veth peer name veth_slave |
63 | |
63 | |
64 | # move veth_master to our parent process' namespace |
64 | # move veth_master to our parent process' namespace |
65 | ip link set veth_master netns $ppid |
65 | ip link set veth_master netns $ppid |
88 | use Linux::Clone; |
88 | use Linux::Clone; |
89 | |
89 | |
90 | Linux::Clone::unshare Linux::Clone::NEWNS |
90 | Linux::Clone::unshare Linux::Clone::NEWNS |
91 | and die "unshare: $!"; |
91 | and die "unshare: $!"; |
92 | |
92 | |
93 | # now bind-mount /lib over /etc and ls -l /etc - scary |
93 | # now bind-mount /lib over /etc and ls -l /etc - looks scary |
94 | system "mount -n --bind /lib /etc"; |
94 | system "mount -n --bind /lib /etc"; |
95 | system "ls -l /etc"; |
95 | system "ls -l /etc"; |
96 | |
96 | |
97 | =item $retval = Linux::Clone::clone $coderef, $stacksize, $flags[, $ptid, $tls, $ctid] |
97 | =item $retval = Linux::Clone::clone $coderef, $stacksize, $flags[, $ptid, $tls, $ctid] |
98 | |
98 | |
123 | Linux::Clone::VFORK |
123 | Linux::Clone::VFORK |
124 | Linux::Clone::SETTLS (not yet implemented) |
124 | Linux::Clone::SETTLS (not yet implemented) |
125 | Linux::Clone::PARENT_SETTID (not yet implemented) |
125 | Linux::Clone::PARENT_SETTID (not yet implemented) |
126 | Linux::Clone::CHILD_SETTID (not yet implemented) |
126 | Linux::Clone::CHILD_SETTID (not yet implemented) |
127 | Linux::Clone::CHILD_CLEARTID (not yet implemented) |
127 | Linux::Clone::CHILD_CLEARTID (not yet implemented) |
|
|
128 | Linux::Clone::PIDFD (not yet implemented) |
128 | Linux::Clone::DETACHED |
129 | Linux::Clone::DETACHED |
129 | Linux::Clone::UNTRACED |
130 | Linux::Clone::UNTRACED |
130 | Linux::Clone::IO |
131 | Linux::Clone::IO |
|
|
132 | Linux::Clone::CSIGNAL exit signal mask |
131 | |
133 | |
132 | Note that for practical reasons you basically must not use |
134 | Note that for practical reasons you basically must not use |
133 | C<Linux::Clone::VM> or C<Linux::Clone::VFORK>, as perl is unlikely to cope |
135 | C<Linux::Clone::VM> or C<Linux::Clone::VFORK>, as perl is unlikely to cope |
134 | with that. |
136 | with that. |
135 | |
137 | |
144 | |
146 | |
145 | Calls setns(2) on the file descriptor (or file handle) C<$fh_or_fd>. If |
147 | Calls setns(2) on the file descriptor (or file handle) C<$fh_or_fd>. If |
146 | C<$nstype> is missing, then C<0> is used. |
148 | C<$nstype> is missing, then C<0> is used. |
147 | |
149 | |
148 | The argument C<$nstype> can be C<0>, C<Linux::Clone::NEWIPC>, |
150 | The argument C<$nstype> can be C<0>, C<Linux::Clone::NEWIPC>, |
149 | C<Linux::Clone::NEWNET>, C<Linux::Clone::NEUTS>, C<Linux::Clone::NEWCGROUP>, |
151 | C<Linux::Clone::NEWNET>, C<Linux::Clone::NEWUTS>, C<Linux::Clone::NEWCGROUP>, |
150 | C<Linux::Clone::NEWNS>, C<Linux::Clone::NEWPID> or C<Linux::Clone::NEWUSER>. |
152 | C<Linux::Clone::NEWNS>, C<Linux::Clone::NEWPID> or C<Linux::Clone::NEWUSER>. |
151 | |
153 | |
152 | =item Linux::Clone::pivot_root $new_root, $old_root |
154 | =item Linux::Clone::pivot_root $new_root, $old_root |
153 | |
155 | |
154 | Calls pivot_root(2) - refer to its manpage for details. |
156 | Calls pivot_root(2) - refer to its manpage for details. |
159 | |
161 | |
160 | The following C<$type> constants are available if the kcmp syscall number |
162 | The following C<$type> constants are available if the kcmp syscall number |
161 | was available during compilation: |
163 | was available during compilation: |
162 | |
164 | |
163 | C<Linux::Clone::KCMP_FILE>, C<Linux::Clone::KCMP_VM>, C<Linux::Clone::KCMP_FILES>, |
165 | C<Linux::Clone::KCMP_FILE>, C<Linux::Clone::KCMP_VM>, C<Linux::Clone::KCMP_FILES>, |
164 | C<Linux::Clone::KCMP_FS>, C<Linux::Clone::KCMP_SIGHAND>, C<Linux::Clone::KCMP_IO> and |
166 | C<Linux::Clone::KCMP_FS>, C<Linux::Clone::KCMP_SIGHAND>, C<Linux::Clone::KCMP_IO>, |
165 | C<Linux::Clone::KCMP_SYSVSEM>. |
167 | C<Linux::Clone::KCMP_SYSVSEM> and C<Linux::Clone::KCMP_EPOLL_TFD>. |
166 | |
168 | |
|
|
169 | =item Linux::Clone::configure_loopback |
|
|
170 | |
|
|
171 | Configures a working loopback interface (basically, does the equivalent of |
|
|
172 | "ifconfig lo up" which automatically adds ipv4/ipv6 addresses and routes), |
|
|
173 | which can be useful to get a network namespace going. |
|
|
174 | |
|
|
175 | Dies on error and returns nothing. |
|
|
176 | |
|
|
177 | =item C<ioctl> symbols |
|
|
178 | |
|
|
179 | The following ioctl symbols are also provided by this module (see L<ioctl_ns(8)>). |
|
|
180 | |
|
|
181 | Linux::Clone::NS_GET_USERNS |
|
|
182 | Linux::Clone::NS_GET_PARENT |
|
|
183 | Linux::Clone::NS_GET_NSTYPE |
|
|
184 | Linux::Clone::NS_OWNER_UID |
167 | |
185 | |
168 | =back |
186 | =back |
169 | |
187 | |
170 | =cut |
188 | =cut |
171 | |
189 | |
172 | package Linux::Clone; |
190 | package Linux::Clone; |
173 | |
191 | |
174 | # use common::sense; |
192 | # use common::sense; |
175 | |
193 | |
176 | BEGIN { |
194 | BEGIN { |
177 | our $VERSION = '1.2'; |
195 | our $VERSION = '1.3'; |
178 | |
196 | |
179 | require XSLoader; |
197 | require XSLoader; |
180 | XSLoader::load (__PACKAGE__, $VERSION); |
198 | XSLoader::load (__PACKAGE__, $VERSION); |
181 | } |
199 | } |
182 | |
200 | |
|
|
201 | sub configure_loopback() { |
|
|
202 | siocsifflags "lo" |
|
|
203 | and die "Linux::Clone::configure_looopback: unable to bring up loopback interface: $!\n"; |
|
|
204 | } |
|
|
205 | |
183 | 1; |
206 | 1; |
|
|
207 | |
|
|
208 | =head1 SEE ALSO |
|
|
209 | |
|
|
210 | L<IO::AIO> has some related functions, such as C<pidfd_send_signal>, and |
|
|
211 | some unrelated functions that might be useful. |
|
|
212 | |
|
|
213 | L<namspaces(7)>, L<cgroup_namespaces(7)>, L<pid_namespaces(7)>, |
|
|
214 | L<user_namespaces(7)>, L<time_namespaces(7)>, L<ip-netns(8)>, |
|
|
215 | L<switch_root(8)>, L<ioctl_ns(2)>, L<lsns(8)>Q |
184 | |
216 | |
185 | =head1 AUTHOR |
217 | =head1 AUTHOR |
186 | |
218 | |
187 | Marc Lehmann <schmorp@schmorp.de> |
219 | Marc Lehmann <schmorp@schmorp.de> |
188 | http://home.schmorp.de/ |
220 | http://home.schmorp.de/ |