On 07/18/2014 10:02 AM, Cédric Bosdonnat wrote:
Added <capabilities> in the <features> section of LXC domains
configuration. This section can contain elements named after the
capabilities like:
<mknod state="on"/>, keep CAP_MKNOD capability
<sys_chroot state="off"/> drop CAP_SYS_CHROOT capability
Users can restrict or give more capabilities than the default using
this mechanism.
---
docs/drvlxc.html.in | 47 +++++
docs/schemas/domaincommon.rng | 207 ++++++++++++++++++++
src/conf/domain_conf.c | 126 ++++++++++++-
src/conf/domain_conf.h | 56 ++++++
src/libvirt_private.syms | 3 +
src/lxc/lxc_cgroup.c | 8 +
src/lxc/lxc_container.c | 241 ++++++++++++++++++++++--
src/util/vircgroup.c | 57 +++++-
src/util/vircgroup.h | 2 +
tests/domainschemadata/domain-caps-features.xml | 28 +++
10 files changed, 755 insertions(+), 20 deletions(-)
create mode 100644 tests/domainschemadata/domain-caps-features.xml
@@ -11847,6 +11892,22 @@ virDomainDefParseXML(xmlDocPtr xml,
def->features[val] = VIR_DOMAIN_FEATURE_STATE_ON;
break;
+ case VIR_DOMAIN_FEATURE_CAPABILITIES:
+ node = ctxt->node;
+ ctxt->node = nodes[i];
+ if ((tmp = virXPathString("string(./@policy)", ctxt))) {
+ if ((def->features[val] =
virDomainCapabilitiesPolicyTypeFromString(tmp)) == -1) {
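Review bot: the assignment def->features[val] = virDomainCapabilitiesPolicyTypeFromString(tmp) stores the lookup result in the domain definition before the == -1 check runs, so an unrecognised policy string leaves -1 in def->features[val] on the failure path. Convert into a local int first, check it, and assign to def->features[val] only on success. The same case also replaces ctxt->node after saving it in node and takes a string from virXPathString into tmp; the visible lines show neither ctxt->node being restored nor tmp being freed, so both need handling on the error branch as well as on success.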
def->features is described as being of type 'enum virTristateSwitch' (was
virDomainFeatureState before I pushed the enum cleanup), but you're treating
it as 'virDomainCapabilitiesPolicy' here.
Could you either
1) switch this to virTristateSwitch, using policy='on' / policy='off'
   instead of allow/deny
2) document that a different enum is used for this feature in domain_conf.h
3) put the policy in a separate variable
Thanks,
Jan