From 9dcda91ced3644c256fe0c0fd9b7ca95f6a869d8 Mon Sep 17 00:00:00 2001
From: Liang Ding
Date: Wed, 17 Dec 2014 15:38:02 +0800
Subject: [PATCH] try to use linux namespace to separate wide and client program

---
 Dockerfile        |  2 +-
 output/outputs.go | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index f530b1f..7c94574 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@ MAINTAINER Liang Ding
 
 ADD . /wide/gogogo/src/github.com/b3log/wide
 
-RUN useradd wide && chown -R wide:wide /wide
+RUN useradd wide && chown -R wide:wide /wide && wide_runner
 
 USER wide
 
diff --git a/output/outputs.go b/output/outputs.go
index 0707f2b..14e33e9 100644
--- a/output/outputs.go
+++ b/output/outputs.go
@@ -28,6 +28,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"syscall"
 	"time"
 
 	"github.com/b3log/wide/conf"
@@ -95,6 +96,16 @@ func RunHandler(w http.ResponseWriter, r *http.Request) {
 	cmd := exec.Command(filePath)
 	cmd.Dir = curDir
 
+	// XXX: keep move with Go 1.4 and later's
+	cmd.SysProcAttr = &syscall.SysProcAttr{}
+	cmd.SysProcAttr.Cloneflags = syscall.CLONE_NEWUSER | syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS | syscall.CLONE_NEWPID | syscall.CLONE_NEWIPC | syscall.CLONE_NEWNET
+	cmd.SysProcAttr.Credential = &syscall.Credential{
+		Uid: 1001, // user: wide_runner
+		Gid: 1001, // gourp: wide_runner
+	}
+
+	cmd.SysProcAttr.UidMappings = []syscall.SysProcIDMap{{ContainerID: 1001, HostID: 1000, Size: 1}}
+	cmd.SysProcAttr.GidMappings = []syscall.SysProcIDMap{{ContainerID: 1001, HostID: 1000, Size: 1}}
 
 	stdout, err := cmd.StdoutPipe()
 	if nil != err {
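Review bot: The `&& wide_runner` appended to the RUN line in the Dockerfile hunk runs `wide_runner` as a shell command instead of creating the account, so `docker build` fails with "command not found" (or, if some binary of that name happened to exist on the base image, executes it as root during the build). The new uid/gid mappings in output/outputs.go hard-code host uid/gid 1000 for the server and 1001 for the runner, so the accounts should be created with pinned ids rather than whatever the base image's next free uid is: `RUN useradd -u 1000 wide && useradd -u 1001 wide_runner && chown -R wide:wide /wide`. Pinning `wide` to 1000 matters because the process that later writes the uid_map is the one started by `USER wide`, and an unprivileged process can only map its own uid; I am inferring that 1000 was meant to be `wide`, since the patch never says so.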
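Review bot: `Cloneflags`, `UidMappings`, `GidMappings`, `Credential` and the `CLONE_NEW*` constants used in the RunHandler hunk exist only in the Linux build of `syscall.SysProcAttr`, so after this change output/outputs.go no longer compiles on darwin or windows; the namespace setup belongs in a helper in a `_linux.go` file with a no-op stub under `// +build !linux`. `HostID: 1000` in both mappings is a hard-coded guess at the id the server runs as — a process without CAP_SETUID/CAP_SETGID may only map its own uid and gid into a new user namespace, so `syscall.Getuid()`/`syscall.Getgid()` should be used, and note that because the child keeps that same host uid and gets no new root filesystem, it retains exactly the server's access to the `/wide` tree (the NEWNS/NEWPID/NEWNET flags isolate, they do not drop privilege). On Go 1.4 the gid_map write may also fail with EPERM on kernels that require setgroups to be denied first, so `cmd.Start` (outside the hunk, as is the rest of RunHandler) needs to be checked on the target kernel rather than assumed to succeed. The comment `// XXX: keep move with Go 1.4 and later's` should state the real requirement, e.g. `// Requires Go 1.4+ (SysProcAttr.UidMappings) and Linux user namespaces; see sandbox_linux.go`, and `gourp` is a typo for `group`.
```go
// sandbox_linux.go — namespace isolation for user programs (Linux only).

// sandboxAttr runs the child in fresh user/mount/UTS/PID/IPC/net namespaces,
// mapping hostUID/hostGID (the server's own ids, the only ones an
// unprivileged process may map) to runnerID inside the new user namespace.
func sandboxAttr(hostUID, hostGID int) *syscall.SysProcAttr {
	const runnerID = 1001 // uid/gid of wide_runner inside the namespace
	return &syscall.SysProcAttr{
		Cloneflags: syscall.CLONE_NEWUSER | syscall.CLONE_NEWNS | syscall.CLONE_NEWUTS |
			syscall.CLONE_NEWPID | syscall.CLONE_NEWIPC | syscall.CLONE_NEWNET,
		Credential:  &syscall.Credential{Uid: runnerID, Gid: runnerID},
		UidMappings: []syscall.SysProcIDMap{{ContainerID: runnerID, HostID: hostUID, Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: runnerID, HostID: hostGID, Size: 1}},
	}
}

// sandbox_other.go, with `// +build !linux`: no isolation available.
func sandboxAttr(hostUID, hostGID int) *syscall.SysProcAttr { return nil }

// in RunHandler (outputs.go), replacing the inline SysProcAttr block:
	cmd.SysProcAttr = sandboxAttr(syscall.Getuid(), syscall.Getgid())
	// … unchanged: stdout pipe setup …
```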