[libvirt] [PATCH v4 04/10] LXC: introduce virLXCControllerSetupUserns and lxcContainerSetID
Gao feng
gaofeng at cn.fujitsu.com
Fri Jun 7 07:12:21 UTC 2013
This patch introduces new helper function
virLXCControllerSetupUserns, in this function,
we set the files uid_map and gid_map of the init
task of container.
lxcContainerSetID is used for creating cred for
tasks running in container. Since after setuid/setgid,
we may be a new user. This patch calls lxcContainerSetUserns
at first to make sure the new created files belong to
right user.
Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
---
src/lxc/lxc_container.c | 63 +++++++++++++++++++++++++++++------------
src/lxc/lxc_controller.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 119 insertions(+), 18 deletions(-)
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 5d4da73..4b782bb 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -335,6 +335,30 @@ int lxcContainerWaitForContinue(int control)
/**
+ * lxcContainerSetID:
+ *
+ * This function calls setuid and setgid to create proper
+ * cred for tasks running in container.
+ *
+ * Returns 0 on success or -1 in case of error
+ */
+static int lxcContainerSetID(virDomainDefPtr def)
+{
+ /* Only call virSetUIDGID when user namespace is enabled
+ * for this container. And user namespace is only enabled
+ * when nuidmap&ngidmap is not zero */
+
+ if (def->idmap.nuidmap && virSetUIDGID(0, 0) < 0) {
+ virReportSystemError(errno, "%s",
+ _("setuid or setgid failed"));
+ return -1;
+ }
+
+ return 0;
+}
+
+
+/**
* lxcContainerRenameAndEnableInterfaces:
* @nveths: number of interfaces
* @veths: interface names
@@ -1926,6 +1950,27 @@ static int lxcContainerChild(void *data)
cmd = lxcContainerBuildInitCmd(vmDef);
virCommandWriteArgLog(cmd, 1);
+ if (lxcContainerResolveSymlinks(vmDef) < 0)
+ goto cleanup;
+
+ if (!virFileExists(vmDef->os.init)) {
+ virReportSystemError(errno,
+ _("cannot find init path '%s' relative to container root"),
+ vmDef->os.init);
+ goto cleanup;
+ }
+
+ /* Wait for interface devices to show up */
+ if (lxcContainerWaitForContinue(argv->monitor) < 0) {
+ virReportSystemError(errno, "%s",
+ _("Failed to read the container continue message"));
+ goto cleanup;
+ }
+ VIR_DEBUG("Received container continue message");
+
+ if (lxcContainerSetID(vmDef) < 0)
+ goto cleanup;
+
root = virDomainGetRootFilesystem(vmDef);
if (argv->nttyPaths) {
@@ -1951,29 +1996,11 @@ static int lxcContainerChild(void *data)
goto cleanup;
}
- if (lxcContainerResolveSymlinks(vmDef) < 0)
- goto cleanup;
-
if (lxcContainerSetupPivotRoot(vmDef, root,
argv->ttyPaths, argv->nttyPaths,
argv->securityDriver) < 0)
goto cleanup;
- if (!virFileExists(vmDef->os.init)) {
- virReportSystemError(errno,
- _("cannot find init path '%s' relative to container root"),
- vmDef->os.init);
- goto cleanup;
- }
-
- /* Wait for interface devices to show up */
- if (lxcContainerWaitForContinue(argv->monitor) < 0) {
- virReportSystemError(errno, "%s",
- _("Failed to read the container continue message"));
- goto cleanup;
- }
- VIR_DEBUG("Received container continue message");
-
/* rename and enable interfaces */
if (lxcContainerRenameAndEnableInterfaces(!!(vmDef->features &
(1 << VIR_DOMAIN_FEATURE_PRIVNET)),
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index dfe686b..ef41efb 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -1122,6 +1122,77 @@ cleanup2:
}
+static int
+virLXCControllerSetupUsernsMap(virDomainIdMapEntryPtr map,
+ int num,
+ char *path)
+{
+ virBuffer map_value = VIR_BUFFER_INITIALIZER;
+ int i, ret = -1;
+
+ for (i = 0; i < num; i++)
+ virBufferAsprintf(&map_value, "%u %u %u\n",
+ map[i].start, map[i].target, map[i].count);
+
+ if (virBufferError(&map_value))
+ goto no_memory;
+
+ if (virFileWriteStr(path, virBufferCurrentContent(&map_value), 0) < 0) {
+ virReportSystemError(errno, _("unable write to %s"), path);
+ goto cleanup;
+ }
+
+ ret = 0;
+cleanup:
+ virBufferFreeAndReset(&map_value);
+ return ret;
+
+no_memory:
+ virReportOOMError();
+ goto cleanup;
+}
+
+/**
+ * virLXCControllerSetupUserns
+ *
+ * Set proc files for user namespace
+ *
+ * Returns 0 on success or -1 in case of error
+ */
+static int virLXCControllerSetupUserns(virLXCControllerPtr ctrl)
+{
+ char *uid_map = NULL;
+ char *gid_map = NULL;
+ int ret = -1;
+
+ /* User namespace is disabled for container */
+ if (ctrl->def->idmap.nuidmap == 0)
+ return 0;
+
+ if (virAsprintf(&uid_map, "/proc/%d/uid_map", ctrl->initpid) < 0)
+ goto cleanup;
+
+ if (virLXCControllerSetupUsernsMap(ctrl->def->idmap.uidmap,
+ ctrl->def->idmap.nuidmap,
+ uid_map) < 0)
+ goto cleanup;
+
+ if (virAsprintf(&gid_map, "/proc/%d/gid_map", ctrl->initpid) < 0)
+ goto cleanup;
+
+ if (virLXCControllerSetupUsernsMap(ctrl->def->idmap.gidmap,
+ ctrl->def->idmap.ngidmap,
+ gid_map) < 0)
+ goto cleanup;
+
+ ret = 0;
+cleanup:
+ VIR_FREE(uid_map);
+ VIR_FREE(gid_map);
+ return ret;
+}
+
+
/**
* virLXCControllerMoveInterfaces
@@ -1544,6 +1615,9 @@ virLXCControllerRun(virLXCControllerPtr ctrl)
VIR_FORCE_CLOSE(control[1]);
VIR_FORCE_CLOSE(containerhandshake[1]);
+ if (virLXCControllerSetupUserns(ctrl) < 0)
+ goto cleanup;
+
if (virLXCControllerMoveInterfaces(ctrl) < 0)
goto cleanup;
--
1.8.1.4
More information about the libvir-list
mailing list