[libvirt] Add USER support to virt-sandbox-service

This patch set is adding support for UID/GID/USERNAME/USERDIR for use with openshift containers

[sandbox PATCH 1/6] Add UID/GID support for use with interactive
[sandbox PATCH 2/6] We should not turn on the sandbox shell by
[sandbox PATCH 3/6] Only create the destination directory if it does
[sandbox PATCH 4/6] Add support for --homedir and --username setting
[sandbox PATCH 5/6] Add support for --uid, --gid, --username,
[sandbox PATCH 6/6] Update man page to document current

From: Dan Walsh <dwalsh@redhat.com> Openshift Containers will be run with a unique UID and GID --- bin/virt-sandbox-service | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index ad01649..d3dceea 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -83,10 +83,16 @@ class Container: self.file_type = file_type def set_uid(self, uid): - self.uid = uid + return self.config.set_userid(uid) def get_uid(self): - return self.uid + return self.config.get_userid(uid) + + def set_gid(self, gid): + return self.config.set_groupid(gid) + + def get_gid(self): + return self.config.get_groupid(gid) def get_config_path(self, name = None): if not name: @@ -846,6 +852,8 @@ def create(args): container.add_network(net) if args.security: container.set_security(args.security) + container.set_uid(args.uid) + container.set_gid(args.gid) container.set_path(args.path) container.set_file_type(args.file_type) if args.imagesize: @@ -1043,6 +1051,9 @@ def gen_create_args(subparser): parser.add_argument("-f", "--filetype", dest="file_type", default=c.get_file_type(), help=_("SELinux file type to assign to content within the sandbox. Default: %s") % c.get_file_type()) + parser.add_argument("-G", "--gid", dest="gid", + default=0, type=int, + help=_("Specify the gid for the container")) parser.add_argument("-i", "--imagesize", dest="imagesize", default = None, action=SizeAction, help=_("create image of this many megabytes.")) @@ -1058,6 +1069,9 @@ def gen_create_args(subparser): action=CheckUnit, dest="unitfiles", default=[], help=_("Systemd Unit file to run within the Service sandbox container. Commands cannot be specified with unit files.")) + parser.add_argument("-U", "--uid", dest="uid", + default=0,type=int, + help=_("Specify the uid for the container")) requires_name(parser) parser.add_argument("command", default=[], nargs="*", -- 1.8.2
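Review bot: the new get_uid() and get_gid() bodies in the first hunk reference names that are not in scope: `return self.config.get_userid(uid)` and `return self.config.get_groupid(gid)` are in methods that take no `uid`/`gid` argument, so both getters raise NameError the first time they are called. They should be `return self.config.get_userid()` and `return self.config.get_groupid()`; set_uid()/set_gid() should also not `return` the setter's result, since the code they replace (`self.uid = uid`) returned nothing.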
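Review bot: `default=0` on both the `-U/--uid` and `-G/--gid` arguments in the gen_create_args hunks means a container created without these options is silently configured as uid 0 / gid 0, which works against the per-container unique UID/GID the commit message describes. Use `default=None`, resolve a missing value explicitly in create(), and state the resulting default in the help strings.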

On Thu, Apr 18, 2013 at 09:56:56AM -0400, dwalsh@redhat.com wrote:
From: Dan Walsh <dwalsh@redhat.com>
Openshift Containers will be run with a unique UID and GID --- bin/virt-sandbox-service | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-)
ACK Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

From: Dan Walsh <dwalsh@redhat.com> We want to limit the number of processes which run within a container, especially for openshift work loads. Eventually we could add an option if someone wanted to run this shell. --- bin/virt-sandbox-service | 1 - 1 file changed, 1 deletion(-) diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index d3dceea..6524a05 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -258,7 +258,6 @@ class Container: def create(self): self.connect() - self.config.set_shell(True) os.mkdir(self.dest) def connect(self): -- 1.8.2
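Review bot: dropping `self.config.set_shell(True)` from Container.create() unconditionally changes every sandbox the tool creates, not only the openshift workloads the commit message is concerned with, and anything that later needs a shell inside the sandbox (such as connecting to it) loses it. Gate the change on the sandbox type, or add the option the message says could come later, rather than removing the call outright.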

On Thu, Apr 18, 2013 at 09:56:57AM -0400, dwalsh@redhat.com wrote:
From: Dan Walsh <dwalsh@redhat.com>
We want to limit the number of processes which run within a container, especially for openshift work loads. Eventually we could add an option if someone wanted to run this shell. --- bin/virt-sandbox-service | 1 - 1 file changed, 1 deletion(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index d3dceea..6524a05 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -258,7 +258,6 @@ class Container:
def create(self): self.connect() - self.config.set_shell(True) os.mkdir(self.dest)
def connect(self):
NACK

This breaks the 'virt-sandbox-service connect' command. You should only disable the shell for LXC based sandboxes. Then you need to also make the 'connect' command use 'lxc-enter-namespace /bin/sh' when given lxc:/// as the URI.

Regards, Daniel

From: Dan Walsh <dwalsh@redhat.com> If a user specifies a path that already exists, we should just use the path. --- bin/virt-sandbox-service | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index 6524a05..308b871 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -258,7 +258,8 @@ class Container: def create(self): self.connect() - os.mkdir(self.dest) + if not os.path.exists(self.dest): + os.mkdir(self.dest) def connect(self): if not self.conn: -- 1.8.2
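Review bot: `if not os.path.exists(self.dest): os.mkdir(self.dest)` accepts any existing path, including a regular file or a symlink pointing somewhere else, and the container's content is then written under it. Check `os.path.isdir(self.dest)` (and reject a symlink) and fail with a clear error otherwise; since exists-then-mkdir is also a check-then-act race, wrapping `os.mkdir()` in a try/except that tolerates only EEXIST on a directory is the more robust form.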

On Thu, Apr 18, 2013 at 09:56:58AM -0400, dwalsh@redhat.com wrote:
From: Dan Walsh <dwalsh@redhat.com>
If a user specifies a path that already exists, we should just use the path. --- bin/virt-sandbox-service | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
ACK

Daniel

From: Dan Walsh <dwalsh@redhat.com> Also default --homedir, --username, --gid all off of the --uid settings. But allow the admin to override if required. --- bin/virt-sandbox-service | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index 308b871..d869e5d 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -28,6 +28,7 @@ import exceptions import rpm from subprocess import Popen, PIPE, STDOUT import gettext +import pwd if os.path.exists("/sys/fs/selinux"): import selinux @@ -83,7 +84,7 @@ class Container: self.file_type = file_type def set_uid(self, uid): - return self.config.set_userid(uid) + self.config.set_userid(uid) def get_uid(self): return self.config.get_userid(uid) @@ -94,6 +95,18 @@ class Container: def get_gid(self): return self.config.get_groupid(gid) + def set_username(self, username): + self.config.set_username(username) + + def get_username(self): + return self.config.get_username() + + def set_homedir(self, homedir): + self.config.set_homedir(homedir) + + def get_homedir(self): + return self.config.get_homedir() + def get_config_path(self, name = None): if not name: name = self.name @@ -853,6 +866,14 @@ def create(args): if args.security: container.set_security(args.security) container.set_uid(args.uid) + if not args.homedir: + args.homedir = pwd.getpwuid(args.uid).pw_dir + container.set_homedir(args.homedir) + if not args.username: + args.username = pwd.getpwuid(args.uid).pw_name + container.set_username(args.username) + if not args.gid: + args.gid = args.uid container.set_gid(args.gid) container.set_path(args.path) container.set_file_type(args.file_type) 
@@ -1051,9 +1072,11 @@ def gen_create_args(subparser): parser.add_argument("-f", "--filetype", dest="file_type", default=c.get_file_type(), help=_("SELinux file type to assign to content within the sandbox. Default: %s") % c.get_file_type()) + parser.add_argument("--homedir", dest="homedir", + help=_("Specify the homedir for the container. Default: UID homedir.")) parser.add_argument("-G", "--gid", dest="gid", - default=0, type=int, - help=_("Specify the gid for the container")) + default=None, type=int, + help=_("Specify the gid for the container. Default: UID.")) parser.add_argument("-i", "--imagesize", dest="imagesize", default = None, action=SizeAction, help=_("create image of this many megabytes.")) @@ -1069,9 +1092,11 @@ def gen_create_args(subparser): action=CheckUnit, dest="unitfiles", default=[], help=_("Systemd Unit file to run within the Service sandbox container. Commands cannot be specified with unit files.")) + parser.add_argument("--username", dest="username", + help=_("Specify the username for the container. Default: UID username.")) parser.add_argument("-U", "--uid", dest="uid", default=0,type=int, - help=_("Specify the uid for the container")) + help=_("Specify the uid for the container. Default: 0.")) requires_name(parser) parser.add_argument("command", default=[], nargs="*", -- 1.8.2
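Review bot: in the create() hunk, `if not args.gid: args.gid = args.uid` assumes the primary GID equals the UID, which only holds under the user-private-group convention; `pwd.getpwuid(args.uid).pw_gid` is already available from the lookups just above it and gives the correct value. Because `-G/--gid` now defaults to None, the test should be `if args.gid is None`, otherwise an explicit `-G 0` is overridden. `pwd.getpwuid()` also raises KeyError for a UID with no passwd entry, which unique per-container UIDs are likely to hit; catch it and report a usable error instead of a traceback.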
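Review bot: the `-G/--gid` help text in the gen_create_args hunk now reads `Default: UID.`, which documents the incorrect assumption rather than the intended behaviour; it should say the default is the primary GID of the UID. Similarly `-U/--uid` keeps `default=0`, so the new `Default: 0.` text documents a root default rather than the UID of the user invoking the command.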

On Thu, Apr 18, 2013 at 09:56:59AM -0400, dwalsh@redhat.com wrote:
From: Dan Walsh <dwalsh@redhat.com>
Also default --homedir, --username, --gid all off of the --uid settings. But allow the admin to override if required. --- bin/virt-sandbox-service | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service index 308b871..d869e5d 100755 --- a/bin/virt-sandbox-service +++ b/bin/virt-sandbox-service @@ -28,6 +28,7 @@ import exceptions import rpm from subprocess import Popen, PIPE, STDOUT import gettext +import pwd
if os.path.exists("/sys/fs/selinux"): import selinux @@ -83,7 +84,7 @@ class Container: self.file_type = file_type
def set_uid(self, uid): - return self.config.set_userid(uid) + self.config.set_userid(uid)
def get_uid(self): return self.config.get_userid(uid) @@ -94,6 +95,18 @@ class Container: def get_gid(self): return self.config.get_groupid(gid)
+ def set_username(self, username): + self.config.set_username(username) + + def get_username(self): + return self.config.get_username() + + def set_homedir(self, homedir): + self.config.set_homedir(homedir) + + def get_homedir(self): + return self.config.get_homedir() + def get_config_path(self, name = None): if not name: name = self.name @@ -853,6 +866,14 @@ def create(args): if args.security: container.set_security(args.security) container.set_uid(args.uid) + if not args.homedir: + args.homedir = pwd.getpwuid(args.uid).pw_dir + container.set_homedir(args.homedir) + if not args.username: + args.username = pwd.getpwuid(args.uid).pw_name + container.set_username(args.username) + if not args.gid: + args.gid = args.uid
This is wrong - you can't assume the gid + uid match. You need to lookup the default group for the uid in question.
@@ -1051,9 +1072,11 @@ def gen_create_args(subparser): parser.add_argument("-f", "--filetype", dest="file_type", default=c.get_file_type(), help=_("SELinux file type to assign to content within the sandbox. Default: %s") % c.get_file_type()) + parser.add_argument("--homedir", dest="homedir", + help=_("Specify the homedir for the container. Default: UID homedir.")) parser.add_argument("-G", "--gid", dest="gid", - default=0, type=int, - help=_("Specify the gid for the container")) + default=None, type=int, + help=_("Specify the gid for the container. Default: UID."))
That should say "Default: the primary GID for the UID"
parser.add_argument("-i", "--imagesize", dest="imagesize", default = None, action=SizeAction, help=_("create image of this many megabytes.")) @@ -1069,9 +1092,11 @@ def gen_create_args(subparser): action=CheckUnit, dest="unitfiles", default=[], help=_("Systemd Unit file to run within the Service sandbox container. Commands cannot be specified with unit files.")) + parser.add_argument("--username", dest="username", + help=_("Specify the username for the container. Default: UID username.")) parser.add_argument("-U", "--uid", dest="uid", default=0,type=int, - help=_("Specify the uid for the container")) + help=_("Specify the uid for the container. Default: 0."))
Actually the default is the UID of the person invoking the command. We shouldn't assume that is root.

Daniel

From: Dan Walsh <dwalsh@redhat.com> Add missing options Itentity fields for new InteractiveContainer --- bin/virt-sandbox-service-bash-completion.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/virt-sandbox-service-bash-completion.sh b/bin/virt-sandbox-service-bash-completion.sh index 874ee56..c672fdd 100755 --- a/bin/virt-sandbox-service-bash-completion.sh +++ b/bin/virt-sandbox-service-bash-completion.sh @@ -1,6 +1,6 @@ # This file is part of libvirt-sandbox. # -# Copyright 2012 Dan Walsh +# Copyright 2012-2013 Dan Walsh # # systemd is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -55,7 +55,7 @@ _virt_sandbox_service () { ) local -A OPTS=( [ALL]='-h --help' - [CREATE]='-u --unitfile -p --path -f --filetype -C --copy -i --imagesize -N --network -s --security' + [CREATE]='-C --copy -f --filetype -G --gid -i --imagesize --homedir -N --network -p --path -s --security -u --unitfile --username -U -uid' [LIST]='-r --running' [RELOAD]='-u --unitfile' [EXECUTE]='-N --noseclabel' -- 1.8.2
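Review bot: the new CREATE completion list in the second hunk ends with `-U -uid`; the long option added to the script is `--uid`, so this entry completes to a form argparse rejects. Change it to `-U --uid`.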
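Review bot: the first hunk extends a personal copyright line to `Copyright 2012-2013 Dan Walsh`; confirm whether this file should carry a Red Hat, Inc. copyright instead, so the header matches the rest of the project.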

On Thu, Apr 18, 2013 at 09:57:00AM -0400, dwalsh@redhat.com wrote:
From: Dan Walsh <dwalsh@redhat.com>
Add missing options Itentity fields for new InteractiveContainer
Typo, I presume you mean 'identity' there, but even so the sentence doesn't really make sense.
--- bin/virt-sandbox-service-bash-completion.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bin/virt-sandbox-service-bash-completion.sh b/bin/virt-sandbox-service-bash-completion.sh index 874ee56..c672fdd 100755 --- a/bin/virt-sandbox-service-bash-completion.sh +++ b/bin/virt-sandbox-service-bash-completion.sh @@ -1,6 +1,6 @@ # This file is part of libvirt-sandbox. # -# Copyright 2012 Dan Walsh +# Copyright 2012-2013 Dan Walsh
Shouldn't this be copyright "Red Hat, Inc.", or do you really intend to claim personal copyright on it?
# systemd is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -55,7 +55,7 @@ _virt_sandbox_service () { ) local -A OPTS=( [ALL]='-h --help' - [CREATE]='-u --unitfile -p --path -f --filetype -C --copy -i --imagesize -N --network -s --security' + [CREATE]='-C --copy -f --filetype -G --gid -i --imagesize --homedir -N --network -p --path -s --security -u --unitfile --username -U -uid' [LIST]='-r --running' [RELOAD]='-u --unitfile' [EXECUTE]='-N --noseclabel'
Daniel

From: Dan Walsh <dwalsh@redhat.com> Also cleanup some formatting issues in man pages. --- bin/virt-sandbox-service-create.pod | 45 ++++++++++++++++++++++++++++++++----- 1 file changed, 40 insertions(+), 5 deletions(-) diff --git a/bin/virt-sandbox-service-create.pod b/bin/virt-sandbox-service-create.pod index fdc44bb..8b9bf95 100644 --- a/bin/virt-sandbox-service-create.pod +++ b/bin/virt-sandbox-service-create.pod @@ -4,7 +4,12 @@ virt-sandbox-service create - Create a Security container =head1 SYNOPSIS - virt-sandbox-service [-c URI] create [-h] [ -u UNIT_FILE ] [ --copy ] [-p PATH] [-N NETWORK-OPTS] [-s SECURITY-OPTS] [-i SIZE] [-n] NAME [ COMMAND ] + virt-sandbox-service [-c URI] create [-h] [-C] [-f FILE_TYPE] + [--homedir HOMEDIR] [-G GID] [-i IMAGESIZE] + [-N NETWORK] [-p PATH] [-s SECURITY] + [-u UNITFILES] [--username USERNAME] + [-U UID] + name [command [command ...]] =head1 DESCRIPTION @@ -24,7 +29,7 @@ The create command can setup a sandbox for running one or more systemd unit file Display help message -=item B<-c> URI, B<--connect URI> +=item B<-c URI>, B<--connect URI> The connection URI for the hypervisor (only LXC or QEMU are supported currently). @@ -37,12 +42,30 @@ Name of the systemd unit file to be to run within the Service Container. Can be Copy content from /etc and /var directories that will be mounted within the container. +=item B<-G GID>, B<--gid GID> + +gid to use within an interactive container. + +Default: C<UID>. + +=item B<-f FILETYPE>, B<--filetype FILETYPE> + +Specify the SELinux file type to use within the container. + +Default: C<svirt_lxc_file_t>. + =item B<-p PATH>, B<--path PATH> Select path to store container content. Default: C</var/lib/libvirt/filesystems>. +=item B<--homedir HOMEDIR> + +Select homedir path to use within an interactive container. + +Default: C<UID's Homedir>. + =item B<-N NETWORK-OPTIONS>, B<--network NETWORK-OPTIONS> Add a network interface to the sandbox. By default the sandbox will 
@@ -119,10 +142,22 @@ static,label=system_u:system_r:svirt_t:s0:c412,c355 Create file system image file of this size to store container content. -=item B<-u unitfile>, B<--unitfile unitfile> +=item B<-u UNITFILE>, B<--unitfile UNITFILE> systemd Unit file to run within the container +=item B<-U UID>, B<--uid UID> + +uid to use within an interactive container. + +Default: C<0>. + +=item B<--username USERNAME> + +Select username to use within an interactive container. + +Default: C<UID's Username>. + =back =head1 EXAMPLE @@ -134,9 +169,9 @@ Create httpd1 Service container Created sandbox config /etc/libvirt-sandbox/httpd1.sandbox Created unit file /etc/systemd/system/httpd@httpd1.service -Create foobar1 Service container +Create foobar1 Interactive container - # virt-sandbox-service create foobar1 -- /usr/bin/foobar -a -b + # virt-sandbox-service create -U 1234 foobar1 -- /usr/bin/foobar -a -b Created container dir /var/lib/libvirt/filesystems/foobar1 Created sandbox config /etc/libvirt-sandbox/foobar1.sandbox -- 1.8.2
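Review bot: the new option entries document defaults that describe the current hard-coded behaviour rather than the intended one: `Default: C<UID>.` under `-G GID` should be the primary GID of the user, and `Default: C<0>.` under `-U UID` should be the UID of the invoking user rather than root. The `-f FILETYPE` entry also gives `Default: C<svirt_lxc_file_t>.` as a literal, while the script derives it from `c.get_file_type()`; make sure the two stay in sync.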
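Review bot: the EXAMPLE hunk renames the foobar1 example to an "Interactive container"; the option descriptions in the same patch also say "within an interactive container", so if the container type is named differently in the current tree, both the heading and the option text should use that name consistently.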

On Thu, Apr 18, 2013 at 09:57:01AM -0400, dwalsh@redhat.com wrote:
From: Dan Walsh <dwalsh@redhat.com>
Also cleanup some formatting issues in man pages. --- bin/virt-sandbox-service-create.pod | 45 ++++++++++++++++++++++++++++++++----- 1 file changed, 40 insertions(+), 5 deletions(-)
diff --git a/bin/virt-sandbox-service-create.pod b/bin/virt-sandbox-service-create.pod index fdc44bb..8b9bf95 100644 --- a/bin/virt-sandbox-service-create.pod +++ b/bin/virt-sandbox-service-create.pod @@ -4,7 +4,12 @@ virt-sandbox-service create - Create a Security container
=head1 SYNOPSIS
- virt-sandbox-service [-c URI] create [-h] [ -u UNIT_FILE ] [ --copy ] [-p PATH] [-N NETWORK-OPTS] [-s SECURITY-OPTS] [-i SIZE] [-n] NAME [ COMMAND ] + virt-sandbox-service [-c URI] create [-h] [-C] [-f FILE_TYPE] + [--homedir HOMEDIR] [-G GID] [-i IMAGESIZE] + [-N NETWORK] [-p PATH] [-s SECURITY] + [-u UNITFILES] [--username USERNAME] + [-U UID] + name [command [command ...]]
=head1 DESCRIPTION
@@ -24,7 +29,7 @@ The create command can setup a sandbox for running one or more systemd unit file
Display help message
-=item B<-c> URI, B<--connect URI> +=item B<-c URI>, B<--connect URI>
The connection URI for the hypervisor (only LXC or QEMU are supported currently). @@ -37,12 +42,30 @@ Name of the systemd unit file to be to run within the Service Container. Can be
Copy content from /etc and /var directories that will be mounted within the container.
+=item B<-G GID>, B<--gid GID> + +gid to use within an interactive container. + +Default: C<UID>.
Should be the primary GID of the user.
@@ -134,9 +169,9 @@ Create httpd1 Service container Created sandbox config /etc/libvirt-sandbox/httpd1.sandbox Created unit file /etc/systemd/system/httpd@httpd1.service
-Create foobar1 Service container +Create foobar1 Interactive container
With the latest changes I pushed, this is referred to as a "Generic" container now, since it isn't really Interactive.
- # virt-sandbox-service create foobar1 -- /usr/bin/foobar -a -b + # virt-sandbox-service create -U 1234 foobar1 -- /usr/bin/foobar -a -b Created container dir /var/lib/libvirt/filesystems/foobar1 Created sandbox config /etc/libvirt-sandbox/foobar1.sandbox
Daniel
Participants (2): Daniel P. Berrange, dwalsh@redhat.com