[libvirt] LXC: Helper function for checking ownership of dir when userns enabled
From: Chen Hanxiao <chenhanxiao@cn.fujitsu.com> If we enable userns, the ownership of dir we provided for containers should match the uid/gid in idmap. Currently, the debug log is very implicit or misleading sometimes. This patch will help clarify this for us when using debug log or virsh. Signed-off-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com> --- src/lxc/lxc_container.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 45 insertions(+), 0 deletions(-) diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index b910b10..ce17466 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1815,6 +1815,48 @@ lxcNeedNetworkNamespace(virDomainDefPtr def) return false; } +/* + * Helper function for helping check + * whether we have enough privilege + * to operate the source dir when userns enabled + * @vmDef: pointer to vm definition structure + * Returns 0 on success or -1 in case of error + */ +static int +lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef) +{ + struct stat buf; + int i; + uid_t uid; + gid_t gid; + + for(i=0; i < vmDef->nfss; i++) { + VIR_DEBUG("dst is %s, src is %s", + vmDef->fss[i]->dst, + vmDef->fss[i]->src); + + uid = vmDef->idmap.uidmap[0].target; + gid = vmDef->idmap.gidmap[0].target; + + if (lstat(vmDef->fss[i]->src, &buf) < 0) { + virReportSystemError(errno, _("Cannot access '%s'"), + vmDef->fss[i]->src); + return -1; + } else if(uid != buf.st_uid || gid != buf.st_gid) { + VIR_DEBUG("In userns uid is %d, gid is %d\n", + uid, gid); + errno = EINVAL; + + virReportSystemError(errno, + "[userns] Src dir \"%s\" does not belong to uid/gid:%d/%d", + vmDef->fss[i]->src, uid, gid); + return -1; + } + } + + return 0; +} + /** * lxcContainerStart: * @def: pointer to virtual machine structure @@ -1866,6 +1908,9 @@ int lxcContainerStart(virDomainDefPtr def, if (userns_supported()) { VIR_DEBUG("Enable user namespace"); cflags |= CLONE_NEWUSER; + if(lxcContainerUsernsSrcOwnershipCheck(def) < 0) { + return -1; + } } else { virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("Kernel doesn't support user namespace")); -- 1.7.1
On 08/09/2013 01:53 PM, Chen Hanxiao wrote:
From: Chen Hanxiao<chenhanxiao@cn.fujitsu.com>
If we enable userns, the ownership of dir we provided for containers should match the uid/gid in idmap. Currently, the debug log is very implicit or misleading sometimes. This patch will help clarify this for us when using debug log or virsh.
Signed-off-by: Chen Hanxiao<chenhanxiao@cn.fujitsu.com> --- src/lxc/lxc_container.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 45 insertions(+), 0 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index b910b10..ce17466 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1815,6 +1815,48 @@ lxcNeedNetworkNamespace(virDomainDefPtr def) return false; }
+/* + * Helper function for helping check + * whether we have enough privilege + * to operate the source dir when userns enabled + * @vmDef: pointer to vm definition structure + * Returns 0 on success or -1 in case of error + */ +static int +lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef) +{ + struct stat buf; + int i; + uid_t uid; + gid_t gid; + + for(i=0; i< vmDef->nfss; i++) { + VIR_DEBUG("dst is %s, src is %s", + vmDef->fss[i]->dst, + vmDef->fss[i]->src);
indention issue.
+ + uid = vmDef->idmap.uidmap[0].target; + gid = vmDef->idmap.gidmap[0].target; + + if (lstat(vmDef->fss[i]->src,&buf)< 0) { + virReportSystemError(errno, _("Cannot access '%s'"), + vmDef->fss[i]->src);
same as above.
+ return -1; + } else if(uid != buf.st_uid || gid != buf.st_gid) { + VIR_DEBUG("In userns uid is %d, gid is %d\n", + uid, gid);
same as above.
+ errno = EINVAL; + + virReportSystemError(errno, + "[userns] Src dir \"%s\" does not belong to uid/gid:%d/%d", + vmDef->fss[i]->src, uid, gid);
same as above.
+ return -1; + } + } + + return 0; +} + /** * lxcContainerStart: * @def: pointer to virtual machine structure @@ -1866,6 +1908,9 @@ int lxcContainerStart(virDomainDefPtr def, if (userns_supported()) { VIR_DEBUG("Enable user namespace"); cflags |= CLONE_NEWUSER; + if(lxcContainerUsernsSrcOwnershipCheck(def)< 0) { + return -1; + } } else { virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("Kernel doesn't support user namespace"));
libvirt/.git/rebase-apply/patch:15: trailing whitespace. * whether we have enough privilege libvirt/.git/rebase-apply/patch:16: trailing whitespace. * to operate the source dir when userns enabled libvirt/.git/rebase-apply/patch:45: trailing whitespace. virReportSystemError(errno, libvirt/.git/rebase-apply/patch:51: trailing whitespace. warning: 4 lines add whitespace errors.
On 08/09/2013 01:53 PM, Chen Hanxiao wrote:
From: Chen Hanxiao<chenhanxiao@cn.fujitsu.com>
If we enable userns, the ownership of dir we provided for containers should match the uid/gid in idmap. Currently, the debug log is very implicit or misleading sometimes. This patch will help clarify this for us when using debug log or virsh.
Signed-off-by: Chen Hanxiao<chenhanxiao@cn.fujitsu.com> --- src/lxc/lxc_container.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 45 insertions(+), 0 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index b910b10..ce17466 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -1815,6 +1815,48 @@ lxcNeedNetworkNamespace(virDomainDefPtr def) return false; }
+/* + * Helper function for helping check + * whether we have enough privilege + * to operate the source dir when userns enabled + * @vmDef: pointer to vm definition structure + * Returns 0 on success or -1 in case of error + */ +static int +lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef) +{ + struct stat buf; + int i; + uid_t uid; + gid_t gid; + + for(i=0; i< vmDef->nfss; i++) { + VIR_DEBUG("dst is %s, src is %s", + vmDef->fss[i]->dst, + vmDef->fss[i]->src); + + uid = vmDef->idmap.uidmap[0].target; + gid = vmDef->idmap.gidmap[0].target; + + if (lstat(vmDef->fss[i]->src,&buf)< 0) { + virReportSystemError(errno, _("Cannot access '%s'"), + vmDef->fss[i]->src); + return -1; + } else if(uid != buf.st_uid || gid != buf.st_gid) { + VIR_DEBUG("In userns uid is %d, gid is %d\n", + uid, gid); + errno = EINVAL; + + virReportSystemError(errno, + "[userns] Src dir \"%s\" does not belong to uid/gid:%d/%d", + vmDef->fss[i]->src, uid, gid); + return -1; + } + } + + return 0; +} + /** * lxcContainerStart: * @def: pointer to virtual machine structure @@ -1866,6 +1908,9 @@ int lxcContainerStart(virDomainDefPtr def, if (userns_supported()) { VIR_DEBUG("Enable user namespace"); cflags |= CLONE_NEWUSER; + if(lxcContainerUsernsSrcOwnershipCheck(def)< 0) { + return -1; + } } else { virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("Kernel doesn't support user namespace"));
In addition, please run 'make syntax-check' firstly before committing patches. src/lxc/lxc_container.c:1835: for(i=0; i < vmDef->nfss; i++) { src/lxc/lxc_container.c:1847: } else if(uid != buf.st_uid || gid != buf.st_gid) { src/lxc/lxc_container.c:1913: if(lxcContainerUsernsSrcOwnershipCheck(def) < 0) { maint.mk: incorrect whitespace, see HACKING for rules make: *** [bracket-spacing-check] Error 1
participants (2)
-
Alex Jia -
Chen Hanxiao