1:53 p.m.
From: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
If we enable userns, the ownership of dir we provided for containers
should match the uid/gid in idmap.
Currently, the debug log is very implicit or misleading sometimes.
This patch will help clarify this for us when using
debug log or virsh.
Signed-off-by: Chen Hanxiao <chenhanxiao(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 45 insertions(+), 0 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index b910b10..ce17466 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1815,6 +1815,48 @@ lxcNeedNetworkNamespace(virDomainDefPtr def)
return false;
}
+/*
+ * Helper function for helping check
+ * whether we have enough privilege
+ * to operate the source dir when userns enabled
+ * @vmDef: pointer to vm definition structure
+ * Returns 0 on success or -1 in case of error
+ */
+static int
+lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef)
+{
+ struct stat buf;
+ int i;
+ uid_t uid;
+ gid_t gid;
+
+ for(i=0; i < vmDef->nfss; i++) {
+ VIR_DEBUG("dst is %s, src is %s",
+ vmDef->fss[i]->dst,
+ vmDef->fss[i]->src);
+
+ uid = vmDef->idmap.uidmap[0].target;
+ gid = vmDef->idmap.gidmap[0].target;
+
+ if (lstat(vmDef->fss[i]->src, &buf) < 0) {
+ virReportSystemError(errno, _("Cannot access '%s'"),
+ vmDef->fss[i]->src);
+ return -1;
+ } else if(uid != buf.st_uid || gid != buf.st_gid) {
+ VIR_DEBUG("In userns uid is %d, gid is %d\n",
+ uid, gid);
+ errno = EINVAL;
+
+ virReportSystemError(errno,
+ "[userns] Src dir \"%s\" does not belong to
uid/gid:%d/%d",
+ vmDef->fss[i]->src, uid, gid);
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
/**
* lxcContainerStart:
* @def: pointer to virtual machine structure
@@ -1866,6 +1908,9 @@ int lxcContainerStart(virDomainDefPtr def,
if (userns_supported()) {
VIR_DEBUG("Enable user namespace");
cflags |= CLONE_NEWUSER;
+ if(lxcContainerUsernsSrcOwnershipCheck(def) < 0) {
+ return -1;
+ }
} else {
virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("Kernel doesn't support user
namespace"));
--
1.7.1
3:01 p.m.
New subject: [libvirt] LXC: Helper function for checking ownership of dir when userns enabled
On 08/09/2013 01:53 PM, Chen Hanxiao wrote:
From: Chen Hanxiao<chenhanxiao(a)cn.fujitsu.com>
If we enable userns, the ownership of dir we provided for containers
should match the uid/gid in idmap.
Currently, the debug log is very implicit or misleading sometimes.
This patch will help clarify this for us when using
debug log or virsh.
Signed-off-by: Chen Hanxiao<chenhanxiao(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 45 insertions(+), 0 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index b910b10..ce17466 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1815,6 +1815,48 @@ lxcNeedNetworkNamespace(virDomainDefPtr def)
return false;
}
+/*
+ * Helper function for helping check
+ * whether we have enough privilege
+ * to operate the source dir when userns enabled
+ * @vmDef: pointer to vm definition structure
+ * Returns 0 on success or -1 in case of error
+ */
+static int
+lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef)
+{
+ struct stat buf;
+ int i;
+ uid_t uid;
+ gid_t gid;
+
+ for(i=0; i< vmDef->nfss; i++) {
+ VIR_DEBUG("dst is %s, src is %s",
+ vmDef->fss[i]->dst,
+ vmDef->fss[i]->src);
indention issue.
+
+ uid = vmDef->idmap.uidmap[0].target;
+ gid = vmDef->idmap.gidmap[0].target;
+
+ if (lstat(vmDef->fss[i]->src,&buf)< 0) {
+ virReportSystemError(errno, _("Cannot access '%s'"),
+ vmDef->fss[i]->src);
same as above.
+ return -1;
+ } else if(uid != buf.st_uid || gid != buf.st_gid) {
+ VIR_DEBUG("In userns uid is %d, gid is %d\n",
+ uid, gid);
same as above.
+ errno = EINVAL;
+
+ virReportSystemError(errno,
+ "[userns] Src dir \"%s\" does not belong to
uid/gid:%d/%d",
+ vmDef->fss[i]->src, uid, gid);
same as above.
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
/**
* lxcContainerStart:
* @def: pointer to virtual machine structure
@@ -1866,6 +1908,9 @@ int lxcContainerStart(virDomainDefPtr def,
if (userns_supported()) {
VIR_DEBUG("Enable user namespace");
cflags |= CLONE_NEWUSER;
+ if(lxcContainerUsernsSrcOwnershipCheck(def)< 0) {
+ return -1;
+ }
} else {
virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("Kernel doesn't support user
namespace"));
libvirt/.git/rebase-apply/patch:15: trailing whitespace.
* whether we have enough privilege
libvirt/.git/rebase-apply/patch:16: trailing whitespace.
* to operate the source dir when userns enabled
libvirt/.git/rebase-apply/patch:45: trailing whitespace.
virReportSystemError(errno,
libvirt/.git/rebase-apply/patch:51: trailing whitespace.
warning: 4 lines add whitespace errors.
3:04 p.m.
New subject: [libvirt] LXC: Helper function for checking ownership of dir when userns enabled
On 08/09/2013 01:53 PM, Chen Hanxiao wrote:
From: Chen Hanxiao<chenhanxiao(a)cn.fujitsu.com>
If we enable userns, the ownership of dir we provided for containers
should match the uid/gid in idmap.
Currently, the debug log is very implicit or misleading sometimes.
This patch will help clarify this for us when using
debug log or virsh.
Signed-off-by: Chen Hanxiao<chenhanxiao(a)cn.fujitsu.com>
---
src/lxc/lxc_container.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 45 insertions(+), 0 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index b910b10..ce17466 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1815,6 +1815,48 @@ lxcNeedNetworkNamespace(virDomainDefPtr def)
return false;
}
+/*
+ * Helper function for helping check
+ * whether we have enough privilege
+ * to operate the source dir when userns enabled
+ * @vmDef: pointer to vm definition structure
+ * Returns 0 on success or -1 in case of error
+ */
+static int
+lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef)
+{
+ struct stat buf;
+ int i;
+ uid_t uid;
+ gid_t gid;
+
+ for(i=0; i< vmDef->nfss; i++) {
+ VIR_DEBUG("dst is %s, src is %s",
+ vmDef->fss[i]->dst,
+ vmDef->fss[i]->src);
+
+ uid = vmDef->idmap.uidmap[0].target;
+ gid = vmDef->idmap.gidmap[0].target;
+
+ if (lstat(vmDef->fss[i]->src,&buf)< 0) {
+ virReportSystemError(errno, _("Cannot access '%s'"),
+ vmDef->fss[i]->src);
+ return -1;
+ } else if(uid != buf.st_uid || gid != buf.st_gid) {
+ VIR_DEBUG("In userns uid is %d, gid is %d\n",
+ uid, gid);
+ errno = EINVAL;
+
+ virReportSystemError(errno,
+ "[userns] Src dir \"%s\" does not belong to
uid/gid:%d/%d",
+ vmDef->fss[i]->src, uid, gid);
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
/**
* lxcContainerStart:
* @def: pointer to virtual machine structure
@@ -1866,6 +1908,9 @@ int lxcContainerStart(virDomainDefPtr def,
if (userns_supported()) {
VIR_DEBUG("Enable user namespace");
cflags |= CLONE_NEWUSER;
+ if(lxcContainerUsernsSrcOwnershipCheck(def)< 0) {
+ return -1;
+ }
} else {
virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
_("Kernel doesn't support user
namespace"));
In addition, please run 'make syntax-check' firstly before committing
patches.
src/lxc/lxc_container.c:1835: for(i=0; i < vmDef->nfss; i++) {
src/lxc/lxc_container.c:1847: } else if(uid != buf.st_uid || gid
!= buf.st_gid) {
src/lxc/lxc_container.c:1913:
if(lxcContainerUsernsSrcOwnershipCheck(def) < 0) {
maint.mk: incorrect whitespace, see HACKING for rules
make: *** [bracket-spacing-check] Error 1
4101
days inactive
4101
days old
2 comments
2 participants
participants (2)
-
Alex Jia -
Chen Hanxiao