[lxc-devel] [lxd/master] lxc-to-lxd: switch to using whitelist
brauner on Github
lxc-bot at linuxcontainers.org
Thu Dec 1 23:04:02 UTC 2016
From a3183de11c015cc5d8c96f60dd01b7d06b109780 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 2 Dec 2016 00:02:07 +0100
Subject: [PATCH] lxc-to-lxd: switch to using whitelist
We keep a whitelist for supported configuration keys. We then perform a check
whether the container sets any unsupported configuration keys. We report the
first unsupported configuration key we found back to the user and then error out.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
scripts/lxc-to-lxd | 127 +++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 94 insertions(+), 33 deletions(-)
diff --git a/scripts/lxc-to-lxd b/scripts/lxc-to-lxd
index c6a9ae3..d5d8624 100755
--- a/scripts/lxc-to-lxd
+++ b/scripts/lxc-to-lxd
@@ -9,6 +9,80 @@ import subprocess
import sys
+supported_keys = [
+ 'lxc.arch',
+ 'lxc.pts',
+ # 'lxc.tty',
+ # 'lxc.devttydir',
+ # 'lxc.kmsg',
+ 'lxc.aa_profile',
+ 'lxc.aa_allow_incomplete',
+ # 'lxc.se_context',
+ 'lxc.cgroup',
+ # 'lxc.id_map',
+ 'lxc.loglevel',
+ # 'lxc.logfile',
+ 'lxc.mount.entry',
+ 'lxc.mount.auto',
+ 'lxc.mount',
+ # 'lxc.rootfs.mount',
+ # 'lxc.rootfs.options',
+ # 'lxc.rootfs.backend',
+ 'lxc.rootfs',
+ # 'lxc.pivotdir',
+ 'lxc.utsname',
+ # 'lxc.hook.pre-start',
+ # 'lxc.hook.pre-mount',
+ # 'lxc.hook.mount',
+ # 'lxc.hook.autodev',
+ # 'lxc.hook.start',
+ # 'lxc.hook.stop',
+ # 'lxc.hook.post-stop',
+ # 'lxc.hook.clone',
+ # 'lxc.hook.destroy',
+ # 'lxc.hook',
+ 'lxc.network.type',
+ 'lxc.network.flags',
+ 'lxc.network.link',
+ 'lxc.network.name',
+ 'lxc.network.macvlan.mode',
+ 'lxc.network.veth.pair',
+ # 'lxc.network.script.up',
+ # 'lxc.network.script.down',
+ 'lxc.network.hwaddr',
+ 'lxc.network.mtu',
+ # 'lxc.network.vlan.id',
+ # 'lxc.network.ipv4.gateway',
+ # 'lxc.network.ipv4',
+ # 'lxc.network.ipv6.gateway',
+ # 'lxc.network.ipv6',
+ 'lxc.network.',
+ 'lxc.network',
+ 'lxc.cap.drop',
+ 'lxc.cap.keep',
+ # 'lxc.console.logfile',
+ # 'lxc.console',
+ # 'lxc.seccomp',
+ 'lxc.include',
+ 'lxc.autodev',
+ 'lxc.haltsignal',
+ 'lxc.rebootsignal',
+ 'lxc.stopsignal',
+ 'lxc.start.auto',
+ 'lxc.start.delay',
+ 'lxc.start.order',
+ # 'lxc.monitor.unshare',
+ # 'lxc.group',
+ 'lxc.environment',
+ # 'lxc.init_cmd',
+ # 'lxc.init_uid',
+ # 'lxc.init_gid',
+ # 'lxc.ephemeral',
+ # 'lxc.syslog',
+ 'lxc.no_new_privs'
+ ]
+
+
# Unix connection to LXD
class UnixHTTPConnection(http.client.HTTPConnection):
def __init__(self, path):
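Review bot: The commented-out entries in `supported_keys` carry no explanation, so a later reader can easily take them for TODOs and uncomment one (say `lxc.hook.pre-start` or `lxc.id_map`) without realising that convert_container relies on their absence to reject hooks and unprivileged containers, now that the explicit checks for those are removed further down. A short header above the list would fix that: `# Keys commented out below are known LXC keys that lxc-to-lxd deliberately does NOT support; convert_container rejects a container that sets any key absent from this list.` The entry `'lxc.network.'` (with a trailing dot) next to `'lxc.network'` looks like a typo or a leftover from a prefix-based scheme; if it is meant as a prefix it does nothing here, since the check in convert_container already exempts anything starting with `lxc.network.`. As this is a module-level constant, `SUPPORTED_KEYS` as a tuple would also signal that it is not meant to be mutated, though renaming touches the call site as well.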
@@ -35,6 +109,16 @@ def config_get(config, key, default=None):
return result
+def config_keys(config):
+ keys = []
+ for line in config:
+ fields = line.split("=", 1)
+ if fields[0].strip():
+ keys.append(fields[0].strip())
+
+ return keys
+
+
# Parse a LXC configuration file, called recursively for includes
def config_parse(path):
config = []
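Review bot: `config_keys` has no docstring and strips the same field twice; a line with no `=` at all yields the whole line as a key, which then fails the whitelist check (fail-closed, which is fine, but worth stating since whether config_parse ever hands such lines through is not visible here). Suggested body: `key = line.split("=", 1)[0].strip()` / `if key:` / `keys.append(key)`, with the docstring `"""Return the key part of every ``key = value`` line in *config*, duplicates included; a line without ``=`` contributes the whole stripped line."""`.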
@@ -128,6 +212,16 @@ def convert_container(lxd_socket, container_name, args):
# As some keys can't be queried over the API, parse the config ourselves
print("Parsing LXC configuration")
lxc_config = config_parse(container.config_file_name)
+ found_keys = config_keys(lxc_config)
+
+ print("Checking for unsupported LXC configuration keys")
+ diff = list(set(found_keys) - set(supported_keys))
+ for d in diff:
+ if (not d.startswith('lxc.network.') and not
+ d.startswith('lxc.cgroup.')):
+ print("Found at least one unsupported config key: ", d)
+ print("Not importing this container, skipping...")
+ return False
if args.debug:
print("Container configuration:")
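Review bot: The `not d.startswith('lxc.network.')` exemption in the added check lets every network sub-key through, so for network keys the whitelist has no effect: `lxc.network.script.up`, `lxc.network.script.down`, `lxc.network.ipv4*`, `lxc.network.ipv6*` and `lxc.network.vlan.id` are all deliberately left commented out in `supported_keys` yet pass this check, and the script keys in particular are the network-level equivalent of the `lxc.hook.*` entries this commit removes the explicit rejection for. If the exemption exists to accommodate variable network sub-keys (I cannot tell from the hunk), it should be narrowed by rejecting those prefixes explicitly; iterating `sorted(diff)` also makes the reported "first unsupported key" deterministic, since set difference order is not. convert_container starts and ends outside this hunk.

```python
    # Network sub-keys the whitelist deliberately leaves out; the
    # 'lxc.network.' prefix exemption below must not let them through.
    rejected_prefixes = ('lxc.network.script.', 'lxc.network.ipv4',
                         'lxc.network.ipv6', 'lxc.network.vlan.id')
    for d in sorted(diff):
        if (d.startswith(rejected_prefixes) or
                not (d.startswith('lxc.network.') or d.startswith('lxc.cgroup.'))):
            print("Found at least one unsupported config key: ", d)
            # … unchanged: skip message and return False …
```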
@@ -152,18 +246,6 @@ def convert_container(lxd_socket, container_name, args):
print("Container name doesn't match lxc.utsname, skipping...")
return False
- # Detect privileged containers
- print("Validating container mode")
- if config_get(lxc_config, "lxc.id_map"):
- print("Unprivileged containers aren't supported, skipping...")
- return False
-
- # Detect hooks in config
- for line in lxc_config:
- if line.startswith("lxc.hook."):
- print("Hooks aren't supported, skipping...")
- return False
-
# Extract and valid rootfs key
print("Validating container rootfs")
value = config_get(lxc_config, "lxc.rootfs")
@@ -341,27 +423,6 @@ def convert_container(lxd_socket, container_name, args):
print("Custom capabilities aren't supported, skipping...")
return False
- # Skip ephemeral
- print("Processing container ephemeral configuration")
- value = config_get(lxc_config, "lxc.ephemeral")
- if value:
- print("Setting lxc.ephemeral is not supported, skipping...")
- return False
-
- # Skip syslog
- print("Processing container syslog configuration")
- value = config_get(lxc_config, "lxc.syslog")
- if value:
- print("Setting lxc.syslog is not supported, skipping...")
- return False
-
- # Skip logfile
- print("Processing container syslog configuration")
- value = config_get(lxc_config, "lxc.logfile")
- if value:
- print("Setting lxc.logfile is not supported, skipping...")
- return False
-
# Setup the container creation request
new = {'name': container_name,
'source': {'type': 'none'},