[libvirt] [PATCH v2]LXC: Helper function for checking ownership of dir when userns enabled

Chen HanXiao chenhanxiao at cn.fujitsu.com
Tue Aug 20 09:52:50 UTC 2013


Hi
	Any comments?

Thanks

> -----Original Message-----
> From: libvir-list-bounces at redhat.com [mailto:libvir-list-bounces at redhat.com] On Behalf Of Chen HanXiao
> Sent: Wednesday, August 14, 2013 9:30 AM
> To: 'Daniel P. Berrange'
> Cc: libvir-list at redhat.com
> Subject: Re: [libvirt] [PATCH v2]LXC: Helper function for checking ownership of dir when userns enabled
> 
> 
> 
> > -----Original Message-----
> > From: Daniel P. Berrange [mailto:berrange at redhat.com]
> > Sent: Saturday, August 10, 2013 12:54 AM
> > To: Chen Hanxiao
> > Cc: libvir-list at redhat.com
> > Subject: Re: [libvirt] [PATCH v2]LXC: Helper function for checking ownership of dir when userns enabled
> >
> > On Fri, Aug 09, 2013 at 04:05:58PM +0800, Chen Hanxiao wrote:
> > > From: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
> > >
> > > If we enable userns, the ownership of the dir we provide for containers
> > > should match the uid/gid in the idmap.
> > > Currently, the debug log is very implicit or sometimes misleading.
> > > This patch will help clarify this for us when using
> > > the debug log or virsh.
> >
> > I do recall hitting some permission issue once, but can't remember
> > just what it was. Can you describe exactly how to reproduce the
> > problem ?
> >
> 
> 1)  Enable user namespace in the kernel
> 2)  Add an idmap for the container
> 3)  Don't change the ownership of the devices/filesystem/source dir (leave
> them as 'root', for instance)
> 4)  Start the container
> 
> Usually I got an input/output error from virsh, which is not a good hint.
> 
> 
> > > Signed-off-by: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
> > > ---
> > >  src/lxc/lxc_container.c |   46 ++++++++++++++++++++++++++++++++++++++++++++++
> > >  1 files changed, 46 insertions(+), 0 deletions(-)
> > >
> > > diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> > > index b910b10..2ccdc61 100644
> > > --- a/src/lxc/lxc_container.c
> > > +++ b/src/lxc/lxc_container.c
> > > @@ -1815,6 +1815,49 @@ lxcNeedNetworkNamespace(virDomainDefPtr
> > def)
> > >      return false;
> > >  }
> > >
> > > +/*
> > > + * Helper function for helping check
> > > + * whether we have enough privilege
> > > + * to operate the source dir when userns enabled
> > > + * @vmDef: pointer to vm definition structure
> > > + * Returns 0 on success or -1 in case of error
> > > + */
> > > +static int
> > > +lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef)
> > > +{
> > > +    struct stat buf;
> > > +    size_t i;
> > > +    uid_t uid;
> > > +    gid_t gid;
> > > +
> > > +    VIR_DEBUG("vmDef->nfss %d", (int)vmDef->nfss);
> > > +    for (i = 0; i < vmDef->nfss; i++) {
> > > +        VIR_DEBUG("dst is %s, src is %s",
> > > +                  vmDef->fss[i]->dst,
> > > +                  vmDef->fss[i]->src);
> > > +
> > > +        uid = vmDef->idmap.uidmap[0].target;
> > > +        gid = vmDef->idmap.gidmap[0].target;
> > > +
> > > +        if (lstat(vmDef->fss[i]->src, &buf) < 0) {
> > > +            virReportSystemError(errno, _("Cannot access '%s'"),
> > > +                                 vmDef->fss[i]->src);
> > > +            return -1;
> > > +        } else if (uid != buf.st_uid || gid != buf.st_gid) {
> > > +            VIR_DEBUG("In userns uid is %d, gid is %d\n",
> > > +                      uid, gid);
> > > +            errno = EINVAL;
> > > +
> > > +            virReportSystemError(errno,
> > > +                                  _("[userns] Src dir '%s' does not
> > belong to uid/gid: %d/%d"),
> > > +                                 vmDef->fss[i]->src, uid, gid);
> > > +            return -1;
> > > +        }
> > > +    }
> > > +
> > > +    return 0;
> > > +}
> > > +
> > >  /**
> > >   * lxcContainerStart:
> > >   * @def: pointer to virtual machine structure
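Review bot: in lxcContainerUsernsSrcOwnershipCheck() `vmDef->fss[i]->src` goes straight into lstat() and `idmap.uidmap[0]` / `idmap.gidmap[0]` are indexed without looking at `nuidmap` / `ngidmap`; if any filesystem entry has no source, or the caller can reach this with an empty gid map, that is a NULL dereference or an out-of-bounds read. Add `if (!vmDef->fss[i]->src) continue;` and either check that both map counts are non-zero or state that precondition in the comment block above the function. Two smaller points on the same hunk: lstat() reports the ownership of a symlink itself while the bind mount will expose the inode it points at, so stat() is the right call here; and comparing only against `uidmap[0].target` / `gidmap[0].target` rejects every source not owned by exactly the container's root, although anything owned by an ID inside `target .. target+count-1` of any map entry is equally usable, so the check is stricter than the rule the kernel applies. Since `uid` and `gid` do not depend on `i`, they can also be hoisted out of the loop, `errno = EINVAL` followed by `virReportSystemError(errno, ...)` can just pass EINVAL directly, and the trailing "\n" in the VIR_DEBUG string is not needed (the other VIR_DEBUG calls in the hunk have none).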
> > > @@ -1866,6 +1909,9 @@ int lxcContainerStart(virDomainDefPtr def,
> > >          if (userns_supported()) {
> > >              VIR_DEBUG("Enable user namespace");
> > >              cflags |= CLONE_NEWUSER;
> > > +            if (lxcContainerUsernsSrcOwnershipCheck(def) < 0) {
> > > +                return -1;
> > > +            }
> > >          } else {
> > >              virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED,
> > "%s",
> > >                                   _("Kernel doesn't support user
> > namespace"));
> >
> >
> > Daniel
> > --
> > |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
> > |: http://libvirt.org              -o-             http://virt-manager.org :|
> > |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
> > |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
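The reproduction steps above boil down to one question: does the owner of the bind-mount source fall inside the container's idmap? The program below is an added example, not libvirt code and not part of the patch, showing that check stand-alone so it can be run against a directory before starting a container. It assumes a simplified idmap entry of the shape libvirt's XML uses (`start` is the ID the container sees, `target` the host ID it is stored as, `count` the range length); the struct, function and enum names are invented for the example. Unlike the patch it walks every map entry, accepts any owner inside a mapped range, follows symlinks with stat(), and prints the container-side IDs the owner maps to.

```c
/*
 * Added example, not libvirt code: decide whether a bind-mount source
 * directory is usable from inside a user namespace, given the container's
 * idmap. Build: cc -Wall -o ownercheck ownercheck.c
 * Run:   ./ownercheck /srv/container-rootfs     (defaults to "/")
 */
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Simplified stand-in for libvirt's idmap entry (assumed shape): the
 * container sees IDs start .. start+count-1, stored on the host as
 * target .. target+count-1. */
struct idmap_entry {
    unsigned int start;
    unsigned int target;
    unsigned int count;
};

enum owner_check {
    OWNER_OK = 0,          /* owner uid and gid are both mapped */
    OWNER_STAT_FAILED,     /* path missing or not accessible to us */
    OWNER_UID_UNMAPPED,    /* owner uid outside every uidmap entry */
    OWNER_GID_UNMAPPED     /* owner gid outside every gidmap entry */
};

/* Translate a host ID into the container's view, if some entry covers it. */
static int map_host_id(const struct idmap_entry *map, size_t n,
                       unsigned int host_id, unsigned int *ns_id)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (host_id >= map[i].target &&
            host_id - map[i].target < map[i].count) {
            *ns_id = map[i].start + (host_id - map[i].target);
            return 1;
        }
    }
    return 0;
}

/* Diagnostic text goes to msg when the caller supplied a buffer. */
static void say(char *msg, size_t len, const char *fmt, ...)
{
    va_list ap;
    if (!msg || len == 0)
        return;
    va_start(ap, fmt);
    vsnprintf(msg, len, fmt, ap);
    va_end(ap);
}

enum owner_check check_src_owner(const char *path,
                                 const struct idmap_entry *uidmap, size_t nuid,
                                 const struct idmap_entry *gidmap, size_t ngid,
                                 char *msg, size_t msglen)
{
    struct stat st;
    unsigned int ns_uid = 0, ns_gid = 0;

    /* stat(), not lstat(): the bind mount exposes the inode a symlink
     * points at, so that is the ownership that matters. */
    if (stat(path, &st) < 0) {
        say(msg, msglen, "cannot stat '%s': %s", path, strerror(errno));
        return OWNER_STAT_FAILED;
    }
    if (!map_host_id(uidmap, nuid, (unsigned int)st.st_uid, &ns_uid)) {
        say(msg, msglen, "'%s' is owned by host uid %u, which no uidmap entry "
            "covers: inside the container it shows up as the overflow id "
            "(mode %04o may still grant access through the 'other' bits)",
            path, (unsigned int)st.st_uid, (unsigned int)(st.st_mode & 07777));
        return OWNER_UID_UNMAPPED;
    }
    if (!map_host_id(gidmap, ngid, (unsigned int)st.st_gid, &ns_gid)) {
        say(msg, msglen, "'%s' has host gid %u, which no gidmap entry covers",
            path, (unsigned int)st.st_gid);
        return OWNER_GID_UNMAPPED;
    }
    say(msg, msglen, "'%s' is host %u:%u, container %u:%u",
        path, (unsigned int)st.st_uid, (unsigned int)st.st_gid, ns_uid, ns_gid);
    return OWNER_OK;
}

/* Two constructed maps: host root kept as container root, and the usual
 * shifted range 100000..165535 that leaves root-owned dirs unmapped. */
static const struct idmap_entry map_root_only[] = { { 0, 0, 1 } };
static const struct idmap_entry map_unpriv[]    = { { 0, 100000, 65536 } };

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/";
    char msg[256];
    enum owner_check rc;

    rc = check_src_owner(path, map_unpriv, 1, map_unpriv, 1, msg, sizeof(msg));
    printf("[%d] %s\n", rc, msg);
    rc = check_src_owner(path, map_root_only, 1, map_root_only, 1, msg, sizeof(msg));
    printf("[%d] %s\n", rc, msg);
    return 0;
}
```

Run it against the directory from step 3 of the reproduction with the same map as the domain's `<idmap>`; a root-owned directory under a shifted map comes back as `OWNER_UID_UNMAPPED` with a message that names the host uid, which is the hint the "input/output error" from virsh does not give.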