1:34 p.m.
Combined all UID/GID patches, taken into account Dan Berrange feedback.
Now UID will be based off the current UID.
Sandbox Shell is no longer used when using LXC containers. Connect will
now just execute a shell within the container.
[sandbox PATCH 1/6] Add UID/GID support for use with interactive
[sandbox PATCH 2/6] We should not turn on the sanbox shell by
[sandbox PATCH 3/6] Only create the destination directory if it does
1:34 p.m.
New subject: [libvirt] [sandbox PATCH 1/6] Add UID/GID support for use with interactive containers.
From: Dan Walsh <dwalsh(a)redhat.com>
Openshift Containers will be run with a unique UID and GID
---
bin/virt-sandbox-service | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
index ad01649..d3dceea 100755
--- a/bin/virt-sandbox-service
+++ b/bin/virt-sandbox-service
@@ -83,10 +83,16 @@ class Container:
self.file_type = file_type
def set_uid(self, uid):
- self.uid = uid
+ return self.config.set_userid(uid)
def get_uid(self):
- return self.uid
+ return self.config.get_userid(uid)
+
+ def set_gid(self, gid):
+ return self.config.set_groupid(gid)
+
+ def get_gid(self):
+ return self.config.get_groupid(gid)
def get_config_path(self, name = None):
if not name:
@@ -846,6 +852,8 @@ def create(args):
container.add_network(net)
if args.security:
container.set_security(args.security)
+ container.set_uid(args.uid)
+ container.set_gid(args.gid)
container.set_path(args.path)
container.set_file_type(args.file_type)
if args.imagesize:
@@ -1043,6 +1051,9 @@ def gen_create_args(subparser):
parser.add_argument("-f", "--filetype",
dest="file_type",
default=c.get_file_type(),
help=_("SELinux file type to assign to content within the
sandbox. Default: %s") % c.get_file_type())
+ parser.add_argument("-G", "--gid", dest="gid",
+ default=0, type=int,
+ help=_("Specify the gid for the container"))
parser.add_argument("-i", "--imagesize",
dest="imagesize", default = None,
action=SizeAction,
help=_("create image of this many megabytes."))
@@ -1058,6 +1069,9 @@ def gen_create_args(subparser):
action=CheckUnit,
dest="unitfiles", default=[],
help=_("Systemd Unit file to run within the Service sandbox
container. Commands cannot be specified with unit files."))
+ parser.add_argument("-U", "--uid", dest="uid",
+ default=0,type=int,
+ help=_("Specify the uid for the container"))
requires_name(parser)
parser.add_argument("command", default=[], nargs="*",
--
1.8.2
1:34 p.m.
New subject: [libvirt] [sandbox PATCH 2/6] We should not turn on the sanbox shell by default.
From: Dan Walsh <dwalsh(a)redhat.com>
We want to limit the number of processes which run within a container,
especially for openshift work loads. Eventually we could add an
option if someone wanted to run this shell.
---
bin/virt-sandbox-service | 1 -
1 file changed, 1 deletion(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
index d3dceea..6524a05 100755
--- a/bin/virt-sandbox-service
+++ b/bin/virt-sandbox-service
@@ -258,7 +258,6 @@ class Container:
def create(self):
self.connect()
- self.config.set_shell(True)
os.mkdir(self.dest)
def connect(self):
--
1.8.2
4:57 a.m.
New subject: [libvirt] [sandbox PATCH 2/6] We should not turn on the sanbox shell by default.
On Thu, Apr 18, 2013 at 02:34:51PM -0400, dwalsh(a)redhat.com wrote:
From: Dan Walsh <dwalsh(a)redhat.com>
We want to limit the number of processes which run within a container,
especially for openshift work loads. Eventually we could add an
option if someone wanted to run this shell.
---
bin/virt-sandbox-service | 1 -
1 file changed, 1 deletion(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
index d3dceea..6524a05 100755
--- a/bin/virt-sandbox-service
+++ b/bin/virt-sandbox-service
@@ -258,7 +258,6 @@ class Container:
def create(self):
self.connect()
- self.config.set_shell(True)
os.mkdir(self.dest)
def connect(self):
NACK, you completely ignored all my feedback.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
1:34 p.m.
New subject: [libvirt] [sandbox PATCH 3/6] Only create the destination directory if it does not exist.
From: Dan Walsh <dwalsh(a)redhat.com>
If a user specifies a path that already exists, we should just
use the path.
---
bin/virt-sandbox-service | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
index 6524a05..308b871 100755
--- a/bin/virt-sandbox-service
+++ b/bin/virt-sandbox-service
@@ -258,7 +258,8 @@ class Container:
def create(self):
self.connect()
- os.mkdir(self.dest)
+ if not os.path.exists(self.dest):
+ os.mkdir(self.dest)
def connect(self):
if not self.conn:
--
1.8.2
4:58 a.m.
On Thu, Apr 18, 2013 at 02:34:49PM -0400, dwalsh(a)redhat.com wrote:
Combined all UID/GID patches, taken into account Dan Berrange
feedback.
Now UID will be based off the current UID.
Sandbox Shell is no longer used when using LXC containers. Connect will
now just execute a shell within the container.
[sandbox PATCH 1/6] Add UID/GID support for use with interactive
[sandbox PATCH 2/6] We should not turn on the sanbox shell by
[sandbox PATCH 3/6] Only create the destination directory if it does
What happened to the other 3 patches ?
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
6:33 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/19/2013 05:58 AM, Daniel P. Berrange wrote:
On Thu, Apr 18, 2013 at 02:34:49PM -0400, dwalsh(a)redhat.com wrote:
> Combined all UID/GID patches, taken into account Dan Berrange feedback.
> Now UID will be based off the current UID.
>
> Sandbox Shell is no longer used when using LXC containers. Connect will
> now just execute a shell within the container.
>
> [sandbox PATCH 1/6] Add UID/GID support for use with interactive [sandbox
> PATCH 2/6] We should not turn on the sanbox shell by [sandbox PATCH 3/6]
> Only create the destination directory if it does
What happened to the other 3 patches ?
Daniel
Should have been a new set, just resent.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlFxK6AACgkQrlYvE4MpobNxgwCfS6DmEPjyBo7kKmCJKuJYsRri
VXYAoNpUDQCOECcA6h3YUGtIPKlI+EjU
=gl8G
-----END PGP SIGNATURE-----
4235
days inactive
4236
days old
6 comments
3 participants
participants (3)
-
Daniel J Walsh -
Daniel P. Berrange -
dwalsh@redhat.com