[lxc-devel] [lxd/master] Image properties
stgraber on Github
lxc-bot at linuxcontainers.org
Mon Nov 14 22:10:58 UTC 2016
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 301 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20161114/1741f451/attachment.bin>
-------------- next part --------------
From 896325ec531e675770559f8651627628e3c11c3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 14 Nov 2016 16:29:32 -0500
Subject: [PATCH 1/2] doc: Fix formatting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
doc/configuration.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/configuration.md b/doc/configuration.md
index f0915c9..d8ed066 100644
--- a/doc/configuration.md
+++ b/doc/configuration.md
@@ -94,7 +94,7 @@ security.syscalls.blacklist\_default | boolean | true | no
security.syscalls.blacklist\_compat | boolean | false | no | container\_syscall\_filtering | On x86\_64 this enables blocking of compat\_\* syscalls, it is a no-op on other arches
security.syscalls.blacklist | string | - | no | container\_syscall\_filtering | A '\n' separated list of syscalls to blacklist
security.syscalls.whitelist | string | - | no | container\_syscall\_filtering | A '\n' separated list of syscalls to whitelist (mutually exclusive with security.syscalls.blacklist\*)
-user.\* | string | - | n/a | - |Free form user key/value storage (can be used in search)
+user.\* | string | - | n/a | - | Free form user key/value storage (can be used in search)
The following volatile keys are currently internally used by LXD:
From dd98f13bce7553e116a2a0658185a81066af5cea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 14 Nov 2016 17:07:12 -0500
Subject: [PATCH 2/2] Store image properties in container properties
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This effectively snapshots all source image properties into a new
"image" config key namespace on the container.
This can then be used to filter containers in "lxc list" and everywhere else.
Closes #2594
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
doc/api-extensions.md | 3 +++
doc/configuration.md | 1 +
lxd/api_1.0.go | 1 +
lxd/container.go | 17 +++++++++++++++++
lxd/container_lxc.go | 10 +++++++++-
shared/container.go | 4 ++++
6 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 7ec021c..fc592c4 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -153,3 +153,6 @@ later.
## gpu\_devices
Enables adding GPUs to a container.
+
+## container\_image\_properties
+Introduces a new "image" config key space. Read-only, includes the properties of the parent image.
diff --git a/doc/configuration.md b/doc/configuration.md
index d8ed066..16aba91 100644
--- a/doc/configuration.md
+++ b/doc/configuration.md
@@ -59,6 +59,7 @@ The key/value configuration is namespaced with the following namespaces
currently supported:
- boot (boot related options, timing, dependencies, ...)
- environment (environment variables)
+ - image (copy of the image properties at time of creation)
- limits (resource limits)
- raw (raw container configuration overrides)
- security (security policies)
diff --git a/lxd/api_1.0.go b/lxd/api_1.0.go
index 7e8f369..c4654e2 100644
--- a/lxd/api_1.0.go
+++ b/lxd/api_1.0.go
@@ -76,6 +76,7 @@ func api10Get(d *Daemon, r *http.Request) Response {
"certificate_update",
"container_exec_signal_handling",
"gpu_devices",
+ "container_image_properties",
},
"api_status": "stable",
diff --git a/lxd/container.go b/lxd/container.go
index 3a36626..95e9c12 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -187,6 +187,10 @@ func containerValidConfig(d *Daemon, config map[string]string, profile bool, exp
return fmt.Errorf("Volatile keys can only be set on containers.")
}
+ if profile && strings.HasPrefix(k, "image.") {
+ return fmt.Errorf("Image keys can only be set on containers.")
+ }
+
err := containerValidConfigKey(d, k, v)
if err != nil {
return err
@@ -454,6 +458,19 @@ func containerCreateEmptySnapshot(d *Daemon, args containerArgs) (container, err
}
func containerCreateFromImage(d *Daemon, args containerArgs, hash string) (container, error) {
+ // Get the image properties
+ _, img, err := dbImageGet(d.db, hash, false, false)
+ if err != nil {
+ return nil, err
+ }
+
+ // Set the "image.*" keys
+ if img.Properties != nil {
+ for k, v := range img.Properties {
+ args.Config[fmt.Sprintf("image.%s", k)] = v
+ }
+ }
+
// Create the container
c, err := containerCreateInternal(d, args)
if err != nil {
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index f71dc3b..fec0f2e 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -2435,18 +2435,26 @@ func (c *containerLXC) Update(args containerArgs, userRequested bool) error {
}
}
- // Check that volatile wasn't modified
+ // Check that volatile and image keys weren't modified
if userRequested {
for k, v := range args.Config {
if strings.HasPrefix(k, "volatile.") && c.localConfig[k] != v {
return fmt.Errorf("Volatile keys are read-only.")
}
+
+ if strings.HasPrefix(k, "image.") && c.localConfig[k] != v {
+ return fmt.Errorf("Image keys are read-only.")
+ }
}
for k, v := range c.localConfig {
if strings.HasPrefix(k, "volatile.") && args.Config[k] != v {
return fmt.Errorf("Volatile keys are read-only.")
}
+
+ if strings.HasPrefix(k, "image.") && args.Config[k] != v {
+ return fmt.Errorf("Image keys are read-only.")
+ }
}
}
diff --git a/shared/container.go b/shared/container.go
index f5f4432..36964c7 100644
--- a/shared/container.go
+++ b/shared/container.go
@@ -347,5 +347,9 @@ func ConfigKeyChecker(key string) (func(value string) error, error) {
return IsAny, nil
}
+ if strings.HasPrefix(key, "image.") {
+ return IsAny, nil
+ }
+
return nil, fmt.Errorf("Bad key: %s", key)
}
More information about the lxc-devel
mailing list