[libvirt] Reworked patch set to add UID/GID support for containers

Combined all UID/GID patches, taking into account Dan Berrange's feedback. Now UID will be based off the current UID. Sandbox Shell is no longer used when using LXC containers. Connect will now just execute a shell within the container.

[sandbox PATCH 1/6] Add UID/GID support for use with interactive
[sandbox PATCH 2/6] We should not turn on the sandbox shell by
[sandbox PATCH 3/6] Only create the destination directory if it does

From: Dan Walsh <dwalsh@redhat.com> Openshift Containers will be run with a unique UID and GID --- bin/virt-sandbox-service | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index ad01649..d3dceea 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -83,10 +83,16 @@ class Container: self.file_type = file_type def set_uid(self, uid): - self.uid = uid + return self.config.set_userid(uid) def get_uid(self): - return self.uid + return self.config.get_userid(uid) + + def set_gid(self, gid): + return self.config.set_groupid(gid) + + def get_gid(self): + return self.config.get_groupid(gid) def get_config_path(self, name = None): if not name: @@ -846,6 +852,8 @@ def create(args): container.add_network(net) if args.security: container.set_security(args.security) + container.set_uid(args.uid) + container.set_gid(args.gid) container.set_path(args.path) container.set_file_type(args.file_type) if args.imagesize: @@ -1043,6 +1051,9 @@ def gen_create_args(subparser): parser.add_argument("-f", "--filetype", dest="file_type", default=c.get_file_type(), help=_("SELinux file type to assign to content within the sandbox. Default: %s") % c.get_file_type()) + parser.add_argument("-G", "--gid", dest="gid", + default=0, type=int, + help=_("Specify the gid for the container")) parser.add_argument("-i", "--imagesize", dest="imagesize", default = None, action=SizeAction, help=_("create image of this many megabytes.")) @@ -1058,6 +1069,9 @@ def gen_create_args(subparser): action=CheckUnit, dest="unitfiles", default=[], help=_("Systemd Unit file to run within the Service sandbox container. Commands cannot be specified with unit files.")) + parser.add_argument("-U", "--uid", dest="uid", + default=0,type=int, + help=_("Specify the uid for the container")) requires_name(parser) parser.add_argument("command", default=[], nargs="*", -- 1.8.2
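Review bot: in the @@ -83,10 +83,16 @@ hunk, `get_uid()` and `get_gid()` take no parameter but pass `uid` and `gid` to the config getters (`return self.config.get_userid(uid)`, `return self.config.get_groupid(gid)`), so both raise NameError on first call; they should be `return self.config.get_userid()` and `return self.config.get_groupid()`. Since `set_uid()` no longer stores `self.uid` on the Container, anything else in the file that still reads `self.uid` will also break, so that is worth grepping for before this is merged.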
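Review bot: in the @@ -1043,6 +1051,9 @@ hunk (and the matching `-U/--uid` option in the @@ -1058,6 +1069,9 @@ hunk) the default is `0`, so a container created without `-U`/`-G` is configured for root, which contradicts the cover letter's "UID will be based off the current UID"; if the current user is the intent, default to `os.getuid()`/`os.getgid()` and say so in the help text. `type=int` also accepts negative values, so reject `uid < 0` and `gid < 0` in `create()` before calling `container.set_uid()`/`container.set_gid()` rather than handing them to the config layer. Minor: `default=0,type=int` is missing the space after the comma that the `-G` option has.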

From: Dan Walsh <dwalsh@redhat.com> We want to limit the number of processes which run within a container, especially for openshift work loads. Eventually we could add an option if someone wanted to run this shell. --- bin/virt-sandbox-service | 1 - 1 file changed, 1 deletion(-) diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index d3dceea..6524a05 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -258,7 +258,6 @@ class Container: def create(self): self.connect() - self.config.set_shell(True) os.mkdir(self.dest) def connect(self): -- 1.8.2
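Review bot: with `self.config.set_shell(True)` dropped from `create()` there is no remaining way to get the sandbox shell for a service container, and the commit message only says an option "could" be added later; since the cover letter says connect will execute a shell inside the container instead, the message should state that `connect()` (unchanged in this hunk) is the replacement, or the create-time option (a `--shell` flag, say) should come in the same series so the behaviour becomes opt-in rather than simply gone.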

On Thu, Apr 18, 2013 at 02:34:51PM -0400, dwalsh@redhat.com wrote:
From: Dan Walsh <dwalsh@redhat.com>
We want to limit the number of processes which run within a container, especially for openshift work loads. Eventually we could add an option if someone wanted to run this shell. --- bin/virt-sandbox-service | 1 - 1 file changed, 1 deletion(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index d3dceea..6524a05 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -258,7 +258,6 @@ class Container:
def create(self): self.connect() - self.config.set_shell(True) os.mkdir(self.dest)
def connect(self):
NACK, you completely ignored all my feedback.

Daniel
-- 
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

From: Dan Walsh <dwalsh@redhat.com> If a user specifies a path that already exists, we should just use the path. --- bin/virt-sandbox-service | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index 6524a05..308b871 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -258,7 +258,8 @@ class Container: def create(self): self.connect() - os.mkdir(self.dest) + if not os.path.exists(self.dest): + os.mkdir(self.dest) def connect(self): if not self.conn: -- 1.8.2
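Review bot: `if not os.path.exists(self.dest): os.mkdir(self.dest)` adopts whatever already sits at `self.dest` without checking that it is a directory, that it is owned by the expected user, or that it is not a symlink (`os.path.exists()` follows symlinks, so a link planted at that path and pointing elsewhere passes the check and the container content is then written through it); there is also a check-then-create race between `exists()` and `mkdir()`. Safer shape: call `os.mkdir(self.dest)` unconditionally, catch `OSError` with `errno.EEXIST`, then `os.lstat(self.dest)` and refuse unless `stat.S_ISDIR(st.st_mode)` and the owner and mode are what `create()` expects; a pre-existing path of the wrong type or owner should be an error, not silently reused.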

On Thu, Apr 18, 2013 at 02:34:49PM -0400, dwalsh@redhat.com wrote:
Combined all UID/GID patches, taking into account Dan Berrange's feedback. Now UID will be based off the current UID.
Sandbox Shell is no longer used when using LXC containers. Connect will now just execute a shell within the container.
[sandbox PATCH 1/6] Add UID/GID support for use with interactive
[sandbox PATCH 2/6] We should not turn on the sandbox shell by
[sandbox PATCH 3/6] Only create the destination directory if it does
What happened to the other 3 patches?

Daniel

On 04/19/2013 05:58 AM, Daniel P. Berrange wrote:
On Thu, Apr 18, 2013 at 02:34:49PM -0400, dwalsh@redhat.com wrote:
Combined all UID/GID patches, taking into account Dan Berrange's feedback. Now UID will be based off the current UID.
Sandbox Shell is no longer used when using LXC containers. Connect will now just execute a shell within the container.
[sandbox PATCH 1/6] Add UID/GID support for use with interactive
[sandbox PATCH 2/6] We should not turn on the sandbox shell by
[sandbox PATCH 3/6] Only create the destination directory if it does
What happened to the other 3 patches?
Daniel
Should have been a new set, just resent.
participants (3)
- Daniel J Walsh
- Daniel P. Berrange
- dwalsh@redhat.com