[libvirt] [RFC PATCH 2/6] LXC: introduce virLXCControllerSetupUserns and lxcContainerSetUserns
Gao feng
gaofeng at cn.fujitsu.com
Mon Mar 11 06:43:37 UTC 2013
On 2013/03/11 14:26, Gao feng wrote:
> This patch introduces new helper function
> virLXCControllerSetupUserns, in this function,
> we set the files uid_map and gid_map of process
> libvirt_lxc.
>
Oops,not libvirt_lxc, it's the init task of container.
> lxcContainerSetUserns is used for creating cred for
> tasks running in container. Since after setuid/setgid,
> we may be a new user. This patch calls lxcContainerSetUserns
> at first to make sure the new created files belong to
> right user.
>
> Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
> ---
> src/lxc/lxc_container.c | 55 ++++++++++++++++++++++++++++++----------
> src/lxc/lxc_controller.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 107 insertions(+), 14 deletions(-)
>
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index 1d7bc1e..5c66ae3 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -329,6 +329,29 @@ int lxcContainerWaitForContinue(int control)
>
>
> /**
> + * lxcContainerSetUserns:
> + *
> + * This function calls setuid and setgid to create proper
> + * cred for tasks running in container.
> + *
> + * Returns 0 on success or -1 in case of error
> + */
> +static int lxcContainerSetUserns(virDomainDefPtr def)
> +{
> + if (def->os.userns != VIR_DOMAIN_USER_NS_ENABLED)
> + return 0;
> +
> + if (virSetUIDGID(def->os.uidmap.first,
> + def->os.gidmap.first) < 0) {
> + virReportSystemError(errno, "%s",
> + _("setuid or setgid failed"));
> + return -1;
> + }
> +
> + return 0;
> +}
> +
> +/**
> * lxcContainerRenameAndEnableInterfaces:
> * @nveths: number of interfaces
> * @veths: interface names
> @@ -2221,6 +2244,24 @@ static int lxcContainerChild(void *data)
> }
> }
>
> + if (!virFileExists(vmDef->os.init)) {
> + virReportSystemError(errno,
> + _("cannot find init path '%s' relative to container root"),
> + vmDef->os.init);
> + goto cleanup;
> + }
> +
> + /* Wait for interface devices to show up */
> + if (lxcContainerWaitForContinue(argv->monitor) < 0) {
> + virReportSystemError(errno, "%s",
> + _("Failed to read the container continue message"));
> + goto cleanup;
> + }
> + VIR_DEBUG("Received container continue message");
> +
> + if (lxcContainerSetUserns(vmDef) < 0)
> + goto cleanup;
> +
> VIR_DEBUG("Container TTY path: %s", ttyPath);
>
> ttyfd = open(ttyPath, O_RDWR|O_NOCTTY);
> @@ -2236,20 +2277,6 @@ static int lxcContainerChild(void *data)
> argv->securityDriver) < 0)
> goto cleanup;
>
> - if (!virFileExists(vmDef->os.init)) {
> - virReportSystemError(errno,
> - _("cannot find init path '%s' relative to container root"),
> - vmDef->os.init);
> - goto cleanup;
> - }
> -
> - /* Wait for interface devices to show up */
> - if (lxcContainerWaitForContinue(argv->monitor) < 0) {
> - virReportSystemError(errno, "%s",
> - _("Failed to read the container continue message"));
> - goto cleanup;
> - }
> - VIR_DEBUG("Received container continue message");
>
> /* rename and enable interfaces */
> if (lxcContainerRenameAndEnableInterfaces(!!(vmDef->features &
> diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
> index 15aa334..f17142f 100644
> --- a/src/lxc/lxc_controller.c
> +++ b/src/lxc/lxc_controller.c
> @@ -1028,6 +1028,69 @@ cleanup2:
> }
>
>
> +/**
> + * virLXCControllerSetupUserns
> + *
> + * Set proc files for user namespace
> + *
> + * Returns 0 on success or -1 in case of error
> + */
> +static int virLXCControllerSetupUserns(virLXCControllerPtr ctrl)
> +{
> + char *uid_map = NULL;
> + char *gid_map = NULL;
> + char *uidmap_value = NULL;
> + char *gidmap_value = NULL;
> + int ret = -1;
> +
> + if (ctrl->def->os.userns != VIR_DOMAIN_USER_NS_ENABLED)
> + return 0;
> +
> + if (virAsprintf(&uid_map, "/proc/%d/uid_map", ctrl->initpid) < 0)
> + goto cleanup;
> +
> + if (virAsprintf(&gid_map, "/proc/%d/gid_map", ctrl->initpid) < 0)
> + goto cleanup;
> +
> + if (virAsprintf(&uidmap_value, "%u %u %u",
> + ctrl->def->os.uidmap.first,
> + ctrl->def->os.uidmap.low_first,
> + ctrl->def->os.uidmap.count) < 0)
> + goto cleanup;
> +
> + if (virAsprintf(&gidmap_value, "%u %u %u",
> + ctrl->def->os.gidmap.first,
> + ctrl->def->os.gidmap.low_first,
> + ctrl->def->os.gidmap.count) < 0)
> + goto cleanup;
> +
> + if (virFileWriteStr(uid_map, uidmap_value, 0) < 0) {
> + if (errno == -ENOENT)
> + virReportSystemError(errno,
> + _("%s doesn't exist, please disable userns"),
> + uid_map);
> + virReportSystemError(errno, _("unable write to %s"), uid_map);
> + goto cleanup;
> + }
> +
> + if (virFileWriteStr(gid_map, gidmap_value, 0) < 0) {
> + if (errno == -ENOENT)
> + virReportSystemError(errno,
> + _("%s doesn't exist, please disable userns"),
> + gid_map);
> + virReportSystemError(errno, _("unable write to %s"), gid_map);
> + goto cleanup;
> + }
> +
> + ret = 0;
> +cleanup:
> + VIR_FREE(uidmap_value);
> + VIR_FREE(gidmap_value);
> + VIR_FREE(uid_map);
> + VIR_FREE(gid_map);
> + return ret;
> +}
> +
>
> /**
> * virLXCControllerMoveInterfaces
> @@ -1454,6 +1517,9 @@ virLXCControllerRun(virLXCControllerPtr ctrl)
> VIR_FORCE_CLOSE(control[1]);
> VIR_FORCE_CLOSE(containerhandshake[1]);
>
> + if (virLXCControllerSetupUserns(ctrl) < 0)
> + goto cleanup;
> +
> if (virLXCControllerMoveInterfaces(ctrl) < 0)
> goto cleanup;
>
>
More information about the libvir-list
mailing list