[libvirt] [PATCH 0/3] Keeping / Dropping capabilities in lxc containers
Hi all,
I had a request from some users to allow keeping the mknod capability in containers
even thought that may be a security threat for the container and host. After
discussing it with Dan on IRC, here is a patch series that adds a capabilities XML
element in the features section of the domain configuration. It also allows to drop
capabilities that are normally kept.
Coming with this commit are one for the conversion of LXC configuration to domain XML
for the lxc.cap.drop entry, and one commit to extend the documentation.
There is one thing I'm not sure how to do best: I had to list all capabilities into
an
enum for the XML config, and I had to map those to the kernel CAP_* defines. Any
improvement idea is welcomed ;)
Cédric Bosdonnat (3):
lxc: allow to keep or drop capabilities
lxc domain from xml: convert lxc.cap.drop
lxc: update doc to mention features/capabilities/* domain
configuration
docs/drvlxc.html.in | 27 +++
docs/schemas/domaincommon.rng | 196 +++++++++++++++++++++
src/conf/domain_conf.c | 93 +++++++++-
src/conf/domain_conf.h | 47 +++++
src/libvirt_private.syms | 1 +
src/lxc/lxc_cgroup.c | 5 +
src/lxc/lxc_container.c | 90 ++++++++--
src/lxc/lxc_native.c | 27 +++
tests/domainschemadata/domain-caps-features.xml | 28 +++
tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml | 39 ++++
tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml | 39 ++++
tests/lxcconf2xmldata/lxcconf2xml-cputune.xml | 39 ++++
tests/lxcconf2xmldata/lxcconf2xml-idmap.xml | 39 ++++
.../lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml | 41 +++++
tests/lxcconf2xmldata/lxcconf2xml-memtune.xml | 39 ++++
tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml | 41 +++++
tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml | 39 ++++
tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml | 41 +++++
tests/lxcconf2xmldata/lxcconf2xml-simple.xml | 41 +++++
tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml | 41 +++++
20 files changed, 935 insertions(+), 18 deletions(-)
create mode 100644 tests/domainschemadata/domain-caps-features.xml
--
1.8.4.5