[lxc-devel] [lxd/master] lxd/storage: Implement security.unmapped
stgraber on Github
lxc-bot at linuxcontainers.org
Fri Sep 28 14:27:56 UTC 2018
From 1c486ee458cdb1a975fe5a092ee7ead9b83488c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Fri, 28 Sep 2018 16:27:07 +0200
Subject: [PATCH] lxd/storage: Implement security.unmapped
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
doc/api-extensions.md | 9 +++++++++
doc/storage.md | 15 ++++++++-------
lxd/storage.go | 6 ++++++
lxd/storage_volumes_config.go | 15 +++++++++++++--
lxd/storage_volumes_utils.go | 7 +++++++
shared/version/api.go | 1 +
6 files changed, 44 insertions(+), 9 deletions(-)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index c902901cb5..93e4a2ec38 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -607,3 +607,12 @@ This adds the following new endpoint (see [RESTful API](rest-api.md) for details
* `PUT /1.0/storage-pools/<pool>/volumes/<type>/<volume>/snapshots/<name>`
* `POST /1.0/storage-pools/<pool>/volumes/<type>/<volume>/snapshots/<name>`
* `DELETE /1.0/storage-pools/<pool>/volumes/<type>/<volume>/snapshots/<name>`
+
+## storage\_unmapped
+Introduces a new `security.unmapped` boolean on storage volumes.
+
+Setting it to true will flush the current map on the volume and prevent
+any further idmap tracking and remapping on the volume.
+
+This can be used to share data between isolated containers after
+attaching it to the container which requires write access.
diff --git a/doc/storage.md b/doc/storage.md
index e355ea9693..58946c6bba 100644
--- a/doc/storage.md
+++ b/doc/storage.md
@@ -37,13 +37,14 @@ lxc storage set [<remote>:]<pool> <key> <value>
```
## Storage volume configuration
-Key | Type | Condition | Default | API Extension | Description
-:-- | :--- | :-------- | :------ | :------------ | :----------
-size | string | appropriate driver | same as volume.size | storage | Size of the storage volume
-block.filesystem | string | block based driver (lvm) | same as volume.block.filesystem | storage | Filesystem of the storage volume
-block.mount\_options | string | block based driver (lvm) | same as volume.block.mount\_options | storage | Mount options for block devices
-zfs.remove\_snapshots | string | zfs driver | same as volume.zfs.remove\_snapshots | storage | Remove snapshots as needed
-zfs.use\_refquota | string | zfs driver | same as volume.zfs.zfs\_requota | storage | Use refquota instead of quota for space.
+Key | Type | Condition | Default | API Extension | Description
+:-- | :--- | :-------- | :------ | :------------ | :----------
+size | string | appropriate driver | same as volume.size | storage | Size of the storage volume
+block.filesystem | string | block based driver (lvm) | same as volume.block.filesystem | storage | Filesystem of the storage volume
+block.mount\_options | string | block based driver (lvm) | same as volume.block.mount\_options | storage | Mount options for block devices
+security.unmapped | bool | custom volume | false | storage\_unmapped | Disable id mapping for the volume
+zfs.remove\_snapshots | string | zfs driver | same as volume.zfs.remove\_snapshots | storage | Remove snapshots as needed
+zfs.use\_refquota | string | zfs driver | same as volume.zfs.zfs\_requota | storage | Use refquota instead of quota for space.
Storage volume configuration keys can be set using the lxc tool with:
diff --git a/lxd/storage.go b/lxd/storage.go
index 09878c68ad..3cb20f893b 100644
--- a/lxd/storage.go
+++ b/lxd/storage.go
@@ -411,6 +411,12 @@ func storagePoolVolumeAttachInit(s *state.State, poolName string, volumeName str
poolVolumePut := st.GetStoragePoolVolumeWritable()
+ // Check if unmapped
+ if shared.IsTrue(poolVolumePut.Config["security.unmapped"]) {
+ // No need to look at containers and maps for unmapped volumes
+ return st, nil
+ }
+
// get last idmapset
var lastIdmap *idmap.IdmapSet
if poolVolumePut.Config["volatile.idmap.last"] != "" {
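Review bot: The early return behind `shared.IsTrue(poolVolumePut.Config["security.unmapped"])` attaches the volume with whatever ownership is currently on disk, and nothing in this hunk checks that the files are actually in the host's unshifted range, so a volume that was shifted into a container's idmap before the flag was set would be handed over as-is. The comment should say that this is the contract, e.g. `// Unmapped volumes are attached with their on-disk ownership untouched; they are expected to already be in the host (unshifted) range.`, so a later reader does not assume the fast path guarantees anything about uids. If the update path that flushes the map does not unshift files itself, that step has to happen before this fast path can be trusted. storagePoolVolumeAttachInit starts before and continues after the hunk.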
diff --git a/lxd/storage_volumes_config.go b/lxd/storage_volumes_config.go
index 5d59404d45..f45309063c 100644
--- a/lxd/storage_volumes_config.go
+++ b/lxd/storage_volumes_config.go
@@ -49,19 +49,27 @@ func updateStoragePoolVolumeError(unchangeable []string, driverName string) erro
// property which can be manipulated by setting a root disk device "size"
// property.
var changeableStoragePoolVolumeProperties = map[string][]string{
- "btrfs": {"size"},
+ "btrfs": {
+ "security.unmapped",
+ "size",
+ },
"ceph": {
"block.mount_options",
+ "security.unmapped",
"size"},
- "dir": {""},
+ "dir": {
+ "security.unmapped",
+ },
"lvm": {
"block.mount_options",
+ "security.unmapped",
"size"},
"zfs": {
+ "security.unmapped",
"size",
"zfs.remove_snapshots",
"zfs.use_refquota"},
@@ -80,6 +88,9 @@ var storageVolumeConfigKeys = map[string]func(value string) ([]string, error){
"block.mount_options": func(value string) ([]string, error) {
return []string{"ceph", "lvm"}, shared.IsAny(value)
},
+ "security.unmapped": func(value string) ([]string, error) {
+ return supportedPoolTypes, shared.IsBool(value)
+ },
"size": func(value string) ([]string, error) {
if value == "" {
return []string{"btrfs", "ceph", "lvm", "zfs"}, nil
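Review bot: The docs row for this key says it applies to custom volumes only, but the validator added to `storageVolumeConfigKeys` accepts `security.unmapped` for every entry of `supportedPoolTypes` and nothing in the hunk ties it to a volume type; if this map is also consulted for container or image volumes, confirm the key is rejected there, since disabling idmap tracking on a container's rootfs would leave its files unshifted relative to the container. A short comment on the validator would make the intent visible: `// Boolean; when true, idmap tracking is skipped on attach (custom volumes only).`. On style, the new `btrfs` and `dir` entries put the closing brace on its own line while `ceph`, `lvm` and `zfs` keep `"size"},` on the last element; picking one form for the whole map would read better.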
diff --git a/lxd/storage_volumes_utils.go b/lxd/storage_volumes_utils.go
index 54076cab54..fc1e976f33 100644
--- a/lxd/storage_volumes_utils.go
+++ b/lxd/storage_volumes_utils.go
@@ -175,6 +175,13 @@ func storagePoolVolumeUpdate(state *state.State, poolName string, volumeName str
s.SetStoragePoolVolumeWritable(&newWritable)
}
+ // Unset idmap keys if volume is unmapped
+ if shared.IsTrue(newConfig["security.unmapped"]) {
+ delete(newConfig, "volatile.idmap.last")
+ delete(newConfig, "volatile.idmap.next")
+ }
+
+ // Get the pool ID
poolID, err := state.Cluster.StoragePoolGetID(poolName)
if err != nil {
return err
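Review bot: Deleting `volatile.idmap.last` and `volatile.idmap.next` from `newConfig` drops LXD's record of how the volume is currently shifted, but no line in this hunk unshifts the files themselves, so unless that happens elsewhere in storagePoolVolumeUpdate (which starts before and ends after the hunk) a volume previously mapped into a container's range keeps those uids/gids on disk and, with `security.unmapped` set, nothing will ever shift them back. Flipping the key back to false afterwards is then also unsafe, because with the keys gone the next attach treats the volume as unshifted and shifts from the wrong baseline. If the unshift is intentionally the caller's job, say so next to the deletes: `// Callers must unshift the volume to the host range before enabling this; only the recorded map is forgotten here.`. It may also be worth refusing to change this key while the volume is attached to a running container, since the map being forgotten would still be in use.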
diff --git a/shared/version/api.go b/shared/version/api.go
index 7437a483b5..8aec2553a8 100644
--- a/shared/version/api.go
+++ b/shared/version/api.go
@@ -125,6 +125,7 @@ var APIExtensions = []string{
"candid_config",
"nvidia_runtime_config",
"storage_api_volume_snapshots",
+ "storage_unmapped",
}
// APIExtensionsCount returns the number of available API extensions.