[lxc-devel] [lxd/master] lxc-to-lxd: switch to using whitelist

brauner on Github lxc-bot at linuxcontainers.org
Thu Dec 1 23:04:02 UTC 2016


From a3183de11c015cc5d8c96f60dd01b7d06b109780 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 2 Dec 2016 00:02:07 +0100
Subject: [PATCH] lxc-to-lxd: switch to using whitelist

We keep a whitelist for supported configuration keys. We then perform a check
whether the container sets any unsupported configuration keys. We report the
first unsupported configuration key we found back to the user and then error out.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 scripts/lxc-to-lxd | 127 +++++++++++++++++++++++++++++++++++++++--------------
 1 file changed, 94 insertions(+), 33 deletions(-)

diff --git a/scripts/lxc-to-lxd b/scripts/lxc-to-lxd
index c6a9ae3..d5d8624 100755
--- a/scripts/lxc-to-lxd
+++ b/scripts/lxc-to-lxd
@@ -9,6 +9,80 @@ import subprocess
 import sys
 
 
+supported_keys = [
+        'lxc.arch',
+        'lxc.pts',
+        # 'lxc.tty',
+        # 'lxc.devttydir',
+        # 'lxc.kmsg',
+        'lxc.aa_profile',
+        'lxc.aa_allow_incomplete',
+        # 'lxc.se_context',
+        'lxc.cgroup',
+        # 'lxc.id_map',
+        'lxc.loglevel',
+        # 'lxc.logfile',
+        'lxc.mount.entry',
+        'lxc.mount.auto',
+        'lxc.mount',
+        # 'lxc.rootfs.mount',
+        # 'lxc.rootfs.options',
+        # 'lxc.rootfs.backend',
+        'lxc.rootfs',
+        # 'lxc.pivotdir',
+        'lxc.utsname',
+        # 'lxc.hook.pre-start',
+        # 'lxc.hook.pre-mount',
+        # 'lxc.hook.mount',
+        # 'lxc.hook.autodev',
+        # 'lxc.hook.start',
+        # 'lxc.hook.stop',
+        # 'lxc.hook.post-stop',
+        # 'lxc.hook.clone',
+        # 'lxc.hook.destroy',
+        # 'lxc.hook',
+        'lxc.network.type',
+        'lxc.network.flags',
+        'lxc.network.link',
+        'lxc.network.name',
+        'lxc.network.macvlan.mode',
+        'lxc.network.veth.pair',
+        # 'lxc.network.script.up',
+        # 'lxc.network.script.down',
+        'lxc.network.hwaddr',
+        'lxc.network.mtu',
+        # 'lxc.network.vlan.id',
+        # 'lxc.network.ipv4.gateway',
+        # 'lxc.network.ipv4',
+        # 'lxc.network.ipv6.gateway',
+        # 'lxc.network.ipv6',
+        'lxc.network.',
+        'lxc.network',
+        'lxc.cap.drop',
+        'lxc.cap.keep',
+        # 'lxc.console.logfile',
+        # 'lxc.console',
+        # 'lxc.seccomp',
+        'lxc.include',
+        'lxc.autodev',
+        'lxc.haltsignal',
+        'lxc.rebootsignal',
+        'lxc.stopsignal',
+        'lxc.start.auto',
+        'lxc.start.delay',
+        'lxc.start.order',
+        # 'lxc.monitor.unshare',
+        # 'lxc.group',
+        'lxc.environment',
+        # 'lxc.init_cmd',
+        # 'lxc.init_uid',
+        # 'lxc.init_gid',
+        # 'lxc.ephemeral',
+        # 'lxc.syslog',
+        'lxc.no_new_privs'
+        ]
+
+
 # Unix connection to LXD
 class UnixHTTPConnection(http.client.HTTPConnection):
     def __init__(self, path):
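Review bot: The whitelist has no comment saying what the commented-out entries mean, and a reader cannot tell whether `# 'lxc.hook.pre-start'` is a TODO or a deliberate rejection; a header such as `# Keys lxc-to-lxd can import; commented-out entries are known LXC keys that are deliberately rejected` would settle that. The entry `'lxc.network.'` (trailing dot) can never equal a parsed key, so it is either dead or meant as a prefix, which the exact-match check in the third hunk does not do. Since the list is only ever used for membership via `set(supported_keys)`, declaring it as `supported_keys = frozenset([` … `])` expresses that and avoids rebuilding a set per container. The eight-space item indent and the missing trailing comma after `'lxc.no_new_privs'` are minor style points against the rest of the file's four-space style.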
@@ -35,6 +109,16 @@ def config_get(config, key, default=None):
         return result
 
 
+def config_keys(config):
+    keys = []
+    for line in config:
+        fields = line.split("=", 1)
+        if fields[0].strip():
+            keys.append(fields[0].strip())
+
+    return keys
+
+
 # Parse a LXC configuration file, called recursively for includes
 def config_parse(path):
     config = []
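Review bot: config_keys has no docstring and strips `fields[0]` twice; it also quietly treats a line with no `=` as a key (the whole line), which is fine because the whitelist check then rejects it, but that fail-closed behaviour deserves a sentence so nobody "fixes" it later. A shorter equivalent is `keys = [line.split("=", 1)[0].strip() for line in config]` followed by `return [k for k in keys if k]`, with a docstring like `"""Return the key part of every "key = value" line in config, skipping blank keys; a line without "=" is returned whole so the whitelist check rejects it."""`. Whether comment lines reach this function depends on config_parse, which is outside the hunk.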
@@ -128,6 +212,16 @@ def convert_container(lxd_socket, container_name, args):
     # As some keys can't be queried over the API, parse the config ourselves
     print("Parsing LXC configuration")
     lxc_config = config_parse(container.config_file_name)
+    found_keys = config_keys(lxc_config)
+
+    print("Checking for unsupported LXC configuration keys")
+    diff = list(set(found_keys) - set(supported_keys))
+    for d in diff:
+        if (not d.startswith('lxc.network.') and not
+                d.startswith('lxc.cgroup.')):
+            print("Found at least one unsupported config key: ", d)
+            print("Not importing this container, skipping...")
+            return False
 
     if args.debug:
         print("Container configuration:")
@@ -152,18 +246,6 @@ def convert_container(lxd_socket, container_name, args):
         print("Container name doesn't match lxc.utsname, skipping...")
         return False
 
-    # Detect privileged containers
-    print("Validating container mode")
-    if config_get(lxc_config, "lxc.id_map"):
-        print("Unprivileged containers aren't supported, skipping...")
-        return False
-
-    # Detect hooks in config
-    for line in lxc_config:
-        if line.startswith("lxc.hook."):
-            print("Hooks aren't supported, skipping...")
-            return False
-
     # Extract and valid rootfs key
     print("Validating container rootfs")
     value = config_get(lxc_config, "lxc.rootfs")
@@ -341,27 +423,6 @@ def convert_container(lxd_socket, container_name, args):
         print("Custom capabilities aren't supported, skipping...")
         return False
 
-    # Skip ephemeral
-    print("Processing container ephemeral configuration")
-    value = config_get(lxc_config, "lxc.ephemeral")
-    if value:
-        print("Setting lxc.ephemeral is not supported, skipping...")
-        return False
-
-    # Skip syslog
-    print("Processing container syslog configuration")
-    value = config_get(lxc_config, "lxc.syslog")
-    if value:
-        print("Setting lxc.syslog is not supported, skipping...")
-        return False
-
-    # Skip logfile
-    print("Processing container syslog configuration")
-    value = config_get(lxc_config, "lxc.logfile")
-    if value:
-        print("Setting lxc.logfile is not supported, skipping...")
-        return False
-
     # Setup the container creation request
     new = {'name': container_name,
            'source': {'type': 'none'},

