[lxc-devel] [PATCH 4/8] ubuntu-cloud: changes to support unprivileged use
Stéphane Graber
stgraber at ubuntu.com
Sun Jul 21 08:44:24 UTC 2013
On Fri, Jul 19, 2013 at 02:26:51PM +0000, Serge Hallyn wrote:
> From: Serge Hallyn <serge.hallyn at ubuntu.com>
>
> don't try to lock if using a specified tarball
>
> The lock/subsys/lxc-ubuntu-cloud lock is to protect the tarballs
> managed under /var/cache/lxc/cloud-$release. Don't lock if we've
> been handed a tarball.
>
> fake device creation
>
> Unprivileged users can't create devices, so bind mount null, tty, urandom
> and console from the host.
>
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
Looks fine with just one small change needed (see below):
Acked-by: Stéphane Graber <stgraber at ubuntu.com>
> ---
> templates/lxc-ubuntu-cloud.in | 39 +++++++++++++++++++++++++++++++++++----
> 1 file changed, 35 insertions(+), 4 deletions(-)
>
> diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
> index 480ef14..ca868fd 100644
> --- a/templates/lxc-ubuntu-cloud.in
> +++ b/templates/lxc-ubuntu-cloud.in
> @@ -25,6 +25,18 @@ if [ -r /etc/default/lxc ]; then
> . /etc/default/lxc
> fi
>
> +am_in_userns() {
> + [ -e /proc/self/uid_map ] || { echo no; return; }
> + [ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || { echo yes; return; }
> + line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map)
> + [ "$line" = "0 0 4294967295" ] && { echo no; return; }
> + echo yes
> +}
> +
> +in_userns=0
> +[ $(am_in_userns) = "yes" ] && in_userns=1
> +echo "am_in_userns returns $(am_in_userns)" >> /tmp/xa
> +
> copy_configuration()
> {
> path=$1
> @@ -101,6 +113,17 @@ sysfs sys sysfs defaults 0 0
> /sys/kernel/security sys/kernel/security none bind 0 0
> EOF
>
> + # unprivileged user can't mknod these. One day we may allow
> + # that in the kernel, but not right now. So let's just bind
> + # mount the files from the host.
> + if [ $in_userns -eq 1 ]; then
> + echo "found myself in_userns" >> /tmp/xa
That looks like a debug message that should be removed before applying
to staging.
> + for dev in null tty urandom console; do
> + touch $rootfs/dev/$dev
> + echo "/dev/$dev dev/$dev none bind 0 0" >> $path/fstab
> + done
> + fi
> +
> # rmdir /dev/shm for containers that have /run/shm
> # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did
> # get bind mounted to the host's /run/shm. So try to rmdir
> @@ -341,9 +364,7 @@ build_root_tgz()
> trap SIGTERM
> }
>
> -mkdir -p @LOCALSTATEDIR@/lock/subsys/
> -(
> - flock -x 200
> +do_extract_rootfs() {
>
> cd $cache
> if [ $flushcache -eq 1 ]; then
> @@ -418,7 +439,17 @@ EOF
> echo "If you do not have a meta-data service, this container will likely be useless."
>
> fi
> -) 200>@LOCALSTATEDIR@/lock/subsys/lxc-ubuntu-cloud
> +}
> +
> +if [ -n "$tarball" ]; then
> + do_extract_rootfs
> +else
> + mkdir -p @LOCALSTATEDIR@/lock/subsys/
> + (
> + flock -x 200
> + do_extract_rootfs
> + ) 200>@LOCALSTATEDIR@/lock/subsys/lxc-ubuntu-cloud
> +fi
>
> copy_configuration $path $rootfs $name $arch $release
>
> --
> 1.8.3.2
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20130721/c83ee0bf/attachment.pgp>
More information about the lxc-devel
mailing list