On Behalf Of Chen HanXiao
Sent: Wednesday, August 14, 2013 9:30 AM
To: 'Daniel P. Berrange'
Cc: libvir-list(a)redhat.com
Subject: Re: [libvirt] [PATCH v2]LXC: Helper function for checking
dir when userns enabled
> -----Original Message-----
> From: Daniel P. Berrange [mailto:berrange@redhat.com]
> Sent: Saturday, August 10, 2013 12:54 AM
> To: Chen Hanxiao
> Cc: libvir-list(a)redhat.com
> Subject: Re: [libvirt] [PATCH v2]LXC: Helper function for checking
> dir when userns enabled
>
> On Fri, Aug 09, 2013 at 04:05:58PM +0800, Chen Hanxiao wrote:
> > From: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
> >
> > If we enable userns, the ownership of dir we provided for containers
> > should match the uid/gid in idmap.
> > Currently, the debug log is very implicit or misleading sometimes.
> > This patch will help clarify this for us when using
> > debug log or virsh.
>
> I do recall hitting some permission issue once, but can't remember
> just what it was. Can you describe exactly how to reproduce the
> problem ?
>
1) Enable user namespace in the kernel
2) Add an idmap for the container
3) Don't change the ownership of the devices/filesystem/source dir (leave
them as 'root', for instance)
4) Start the container
Usually I got an input/output error from virsh, which is not a good hint.
> > Signed-off-by: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
> > ---
> > src/lxc/lxc_container.c | 46
> ++++++++++++++++++++++++++++++++++++++++++++++
> > 1 files changed, 46 insertions(+), 0 deletions(-)
> >
> > diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> > index b910b10..2ccdc61 100644
> > --- a/src/lxc/lxc_container.c
> > +++ b/src/lxc/lxc_container.c
> > @@ -1815,6 +1815,49 @@ lxcNeedNetworkNamespace(virDomainDefPtr
> def)
> > return false;
> > }
> >
> > +/*
> > + * Helper function for helping check
> > + * whether we have enough privilege
> > + * to operate the source dir when userns enabled
> > + * @vmDef: pointer to vm definition structure
> > + * Returns 0 on success or -1 in case of error
> > + */
> > +static int
> > +lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef)
> > +{
> > + struct stat buf;
> > + size_t i;
> > + uid_t uid;
> > + gid_t gid;
> > +
> > + VIR_DEBUG("vmDef->nfss %d", (int)vmDef->nfss);
> > + for (i = 0; i < vmDef->nfss; i++) {
> > + VIR_DEBUG("dst is %s, src is %s",
> > + vmDef->fss[i]->dst,
> > + vmDef->fss[i]->src);
> > +
> > + uid = vmDef->idmap.uidmap[0].target;
> > + gid = vmDef->idmap.gidmap[0].target;
> > +
> > + if (lstat(vmDef->fss[i]->src, &buf) < 0) {
> > + virReportSystemError(errno, _("Cannot access
'%s'"),
> > + vmDef->fss[i]->src);
> > + return -1;
> > + } else if (uid != buf.st_uid || gid != buf.st_gid) {
> > + VIR_DEBUG("In userns uid is %d, gid is %d\n",
> > + uid, gid);
> > + errno = EINVAL;
> > +
> > + virReportSystemError(errno,
> > + _("[userns] Src dir '%s' does
not
> belong to uid/gid: %d/%d"),
> > + vmDef->fss[i]->src, uid, gid);
> > + return -1;
> > + }
> > + }
> > +
> > + return 0;
> > +}
> > +
> > /**
> > * lxcContainerStart:
> > * @def: pointer to virtual machine structure
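Review bot: the comparison `uid != buf.st_uid || gid != buf.st_gid` in lxcContainerUsernsSrcOwnershipCheck only accepts a source owned by exactly uidmap[0].target/gidmap[0].target, so a directory owned by any other id inside that entry's range (target .. target+count-1) or by a later map entry is rejected even though the container can use it; test membership in each entry's range instead. The function also reads uidmap[0]/gidmap[0] without checking that the maps are non-empty, and passes vmDef->fss[i]->src to lstat() without a NULL check, which a filesystem that has no host source will trip; skip such entries. Minor points: the uid/gid assignments are loop-invariant and belong before the loop; `errno = EINVAL; virReportSystemError(errno, ...)` can pass EINVAL directly; drop the trailing "\n" from the VIR_DEBUG string and the "[userns]" prefix from the error message, cast the ids to int when printing them with %d, and shorten "Helper function for helping check whether" to "Check whether".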
> > @@ -1866,6 +1909,9 @@ int lxcContainerStart(virDomainDefPtr def,
> > if (userns_supported()) {
> > VIR_DEBUG("Enable user namespace");
> > cflags |= CLONE_NEWUSER;
> > + if (lxcContainerUsernsSrcOwnershipCheck(def) < 0) {
> > + return -1;
> > + }
> > } else {
> > virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED,
> "%s",
> > _("Kernel doesn't support user
> namespace"));
>
>
> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> |: http://libvirt.org              -o-             http://virt-manager.org :|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
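As an added example, not libvirt code and not part of the patch above, here is a stand-alone C version of the ownership check that the thread is about. It goes beyond the patch in one way: instead of comparing the owner with uidmap[0].target only, it accepts any host id inside any map entry's range, which is what the kernel will actually translate inside the container. The idmap_entry struct, the function names and the error-reporting convention are this example's own, modeled on the start/target/count attributes of libvirt's <idmap> XML; the directory it checks is created under /tmp at run time and removed again.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* One <idmap> entry: container ids [start, start+count) map to host ids
 * [target, target+count).  Field names mirror libvirt's XML attributes,
 * but this struct is the example's own, not a libvirt type. */
struct idmap_entry {
    unsigned int start;
    unsigned int target;
    unsigned int count;
};

/* Is host id `id` covered by any entry of the map? */
int idmap_contains(const struct idmap_entry *map, size_t n, unsigned int id)
{
    for (size_t i = 0; i < n; i++) {
        if (id >= map[i].target && id - map[i].target < map[i].count)
            return 1;
    }
    return 0;
}

/* Translate a host id to the id the container will see, or -1 if no entry
 * covers it (such files show up inside the namespace as the overflow id). */
long idmap_host_to_container(const struct idmap_entry *map, size_t n,
                             unsigned int host_id)
{
    for (size_t i = 0; i < n; i++) {
        if (host_id >= map[i].target && host_id - map[i].target < map[i].count)
            return (long)map[i].start + (long)(host_id - map[i].target);
    }
    return -1;
}

/* Check one filesystem source against the maps.  Returns 0 when owner and
 * group are both mapped, -1 otherwise with errno set (lstat's errno, EINVAL
 * for an empty map, EPERM for an unmapped owner) and a reason in errbuf.
 * A NULL src (a filesystem with no host source) has nothing to check. */
int userns_src_ownership_check(const char *src,
                               const struct idmap_entry *uidmap, size_t nuid,
                               const struct idmap_entry *gidmap, size_t ngid,
                               char *errbuf, size_t errlen)
{
    struct stat st;

    if (src == NULL)
        return 0;
    if (nuid == 0 || ngid == 0) {
        snprintf(errbuf, errlen, "no uid/gid mapping configured for '%s'", src);
        errno = EINVAL;
        return -1;
    }
    if (lstat(src, &st) < 0) {
        int saved = errno;
        snprintf(errbuf, errlen, "cannot access '%s': %s", src, strerror(saved));
        errno = saved;
        return -1;
    }
    if (!idmap_contains(uidmap, nuid, (unsigned int)st.st_uid)) {
        snprintf(errbuf, errlen, "'%s' is owned by uid %u, which is not in the uid map",
                 src, (unsigned int)st.st_uid);
        errno = EPERM;
        return -1;
    }
    if (!idmap_contains(gidmap, ngid, (unsigned int)st.st_gid)) {
        snprintf(errbuf, errlen, "'%s' has gid %u, which is not in the gid map",
                 src, (unsigned int)st.st_gid);
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Self-check: a fresh temp dir owned by the caller must pass under a map
 * that covers the caller's ids and fail with EPERM under one that does not;
 * a missing path must fail with ENOENT.  Returns 0 when all three hold. */
int demo_check(void)
{
    char tmpl[] = "/tmp/userns-src-check-XXXXXX";   /* constructed test dir */
    char err[256];
    unsigned int me = (unsigned int)getuid();
    unsigned int mygrp = (unsigned int)getgid();
    struct idmap_entry good_uid[] = {{0, me, 65536}};     /* container root -> caller */
    struct idmap_entry good_gid[] = {{0, mygrp, 65536}};
    struct idmap_entry bad_uid[] = {{0, me + 1, 65536}};  /* range starts above caller */
    int rc = 0;

    if (mkdtemp(tmpl) == NULL)
        return 1;
    if (userns_src_ownership_check(tmpl, good_uid, 1, good_gid, 1, err, sizeof err) != 0)
        rc |= 2;
    if (userns_src_ownership_check(tmpl, bad_uid, 1, good_gid, 1, err, sizeof err) == 0
        || errno != EPERM)
        rc |= 4;
    if (userns_src_ownership_check("/nonexistent/userns-src", good_uid, 1, good_gid, 1,
                                   err, sizeof err) == 0 || errno != ENOENT)
        rc |= 8;
    rmdir(tmpl);
    return rc;
}

int main(void)
{
    int rc = demo_check();
    printf("demo_check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Build with `cc -Wall -o userns-check userns-check.c` and run it as an unprivileged user; the range test is what makes a rootfs whose files were chowned into the 65536-id block pass, where an exact comparison against the first entry's target would only accept files owned by the mapped root itself.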