[lxc-devel] [lxd/master] blacklist lxc.syslog and lxc.ephemeral

brauner on Github lxc-bot at linuxcontainers.org
Fri Nov 25 19:36:56 UTC 2016


From 54afb7cf8572e8513f8d9032fecd081cc26d3b49 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Fri, 25 Nov 2016 20:30:19 +0100
Subject: [PATCH] blacklist lxc.syslog and lxc.ephemeral

- lxc.syslog: syslog() calls localtime() internally; given that LXD is
	      multithreaded, disallow it for now.
- lxc.ephemeral: Destroys containers on shutdown via the LXC API but this job
		 should __only__ be done by LXD. If not, then we end up with
		 containers in the database that have been destroyed already.

Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 lxd/container_lxc.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 2880b9d..a5bf86b 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -137,6 +137,14 @@ func lxcValidConfig(rawLxc string) error {
 			return fmt.Errorf("Setting lxc.logfile is not allowed")
 		}
 
+		if key == "lxc.syslog" {
+			return fmt.Errorf("Setting lxc.syslog is not allowed")
+		}
+
+		if key == "lxc.ephemeral" {
+			return fmt.Errorf("Setting lxc.ephemeral is not allowed")
+		}
+
 		if strings.HasPrefix(key, "lxc.network.") {
 			fields := strings.Split(key, ".")
 			if len(fields) == 4 && shared.StringInSlice(fields[3], []string{"ipv4", "ipv6"}) {
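Review bot: the two new checks in lxcValidConfig reject `lxc.syslog` and `lxc.ephemeral` without any comment saying why, so the reasons given in the commit message (syslog() calling localtime() in a multithreaded LXD, and lxc.ephemeral destroying containers that LXD still has in its database) are not visible to someone reading the function. A one-line comment above each `if key == ...` block would keep that rationale next to the check. Together with the `lxc.logfile` case just above, there are now three identical compare-and-return blocks that differ only in the key name; a single list of disallowed keys checked with `shared.StringInSlice(key, ...)`, which this function already uses for the network fields, and one `fmt.Errorf("Setting %s is not allowed", key)` would make the next addition a one-word change. The diffstat also shows only `lxd/container_lxc.go` touched, so nothing in this patch exercises the new rejections; a test that passes each key through lxcValidConfig and expects an error would guard against the checks being dropped later.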

