+ def chcontext(path):
+ retcod = setns.chcontext(path)
+ if retcod != 0:
+ print('WARNING - setns(%s)=>%s (ignored)' % (path, retcod))
+ return retcod
+
+ # Use init_pid and not driver_pid to locate reference namespaces
+ ref_ns = "/proc/%s/ns/" % init_pid
+
+ if True:
+ chcontext(ref_ns+'uts')
+ if True:
+ chcontext(ref_ns+'ipc')
+
+ if (not args.no_pidns):
+ chcontext(ref_ns+'pid')
+ if (not args.no_netns):
+ chcontext(ref_ns+'net')
+ if (not args.no_mntns):
+ chcontext(ref_ns+'mnt')
+
+ proc_mounted = False
+ if (not os.access('/proc/self', 0)):
+ proc_mounted = True
+ setns.proc_mount()
+
+ for (sysctl_file, sysctl_name, sysctl_val) in sysctls:
+ for fn in ["/sbin/sysctl", "/usr/sbin/sysctl", "/bin/sysctl", "/usr/bin/sysctl"]:
+ if os.path.exists(fn):
+ os.system('%s -w %s=%s >/dev/null 2>&1' %
+ (fn, sysctl_name, sysctl_val))
+ break
+ else:
+ print("Error: image does not have a sysctl binary")
+
+ # cgroups is not yet LXC-safe, so we need to use the coarse grained access control