[libvirt] [PATCHv4 1/2] lxc: allow to keep or drop capabilities

Cedric Bosdonnat cbosdonnat at suse.com
Wed Jul 23 14:25:11 UTC 2014 

On Wed, 2014-07-23 at 13:23 +0200, Ján Tomko wrote:
> On 07/18/2014 10:02 AM, Cédric Bosdonnat wrote:
> > Added <capabilities> in the <features> section of LXC domains
> > configuration. This section can contain elements named after the
> > capabilities like:
> > 
> >   <mknod state="on"/>, keep CAP_MKNOD capability
> >   <sys_chroot state="off"/> drop CAP_SYS_CHROOT capability
> > 
> > Users can restrict or give more capabilities than the default using
> > this mechanism.
> > ---
> >  docs/drvlxc.html.in                             |  47 +++++
> >  docs/schemas/domaincommon.rng                   | 207 ++++++++++++++++++++
> >  src/conf/domain_conf.c                          | 126 ++++++++++++-
> >  src/conf/domain_conf.h                          |  56 ++++++
> >  src/libvirt_private.syms                        |   3 +
> >  src/lxc/lxc_cgroup.c                            |   8 +
> >  src/lxc/lxc_container.c                         | 241 ++++++++++++++++++++++--
> >  src/util/vircgroup.c                            |  57 +++++-
> >  src/util/vircgroup.h                            |   2 +
> >  tests/domainschemadata/domain-caps-features.xml |  28 +++
> >  10 files changed, 755 insertions(+), 20 deletions(-)
> >  create mode 100644 tests/domainschemadata/domain-caps-features.xml
> > 
> 
> > @@ -11847,6 +11892,22 @@ virDomainDefParseXML(xmlDocPtr xml,
> >              def->features[val] = VIR_DOMAIN_FEATURE_STATE_ON;
> >              break;
> >  
> > +        case VIR_DOMAIN_FEATURE_CAPABILITIES:
> > +            node = ctxt->node;
> > +            ctxt->node = nodes[i];
> > +            if ((tmp = virXPathString("string(./@policy)", ctxt))) {
> > +                if ((def->features[val] = virDomainCapabilitiesPolicyTypeFromString(tmp)) == -1) {
> 
> def->features is described as being of type 'enum virTristateSwitch' (was
> virDomainFeatureState before I pushed the enum cleanup), but you're treating
> it as 'virDomainCapabilitesPolicy' here.
> 
> Could you either
> 1) switch this to virTristateSwitch, using policy='on' / policy='off' instead
> of allow/deny
> 2) document that a different enum is used for this feature in domain_conf.h

Just pushed a commit documenting that in domain_conf.h

--
Cedric

> 3) put the policy in a separate variable
> 
> Thanks,
> 
> Jan
>

More information about the libvir-list mailing list