[lxc-devel] [lxd/master] Allow security.devlxd to be changed live
stgraber on Github
lxc-bot at linuxcontainers.org
Tue Dec 5 22:45:11 UTC 2017
From dd803cb1ba68871188a6721086237b4d7bdd28dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 5 Dec 2017 17:27:25 -0500
Subject: [PATCH 1/3] patches: Skip containers that don't have a devices dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/patches.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/lxd/patches.go b/lxd/patches.go
index 9ae7351c7..932fdb56b 100644
--- a/lxd/patches.go
+++ b/lxd/patches.go
@@ -2521,6 +2521,7 @@ func patchDevicesNewNamingScheme(name string, d *Daemon) error {
return err
}
logger.Debugf("Container \"%s\" does not have on-disk devices", ct)
+ continue
}
onDiskDevices, err := devDir.Readdirnames(-1)
From cee81d4318c2d1f7437265964a10c62c11a4c6c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 5 Dec 2017 17:41:50 -0500
Subject: [PATCH 2/3] doc: Move restrict_devlxd API extension to the end
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
doc/api-extensions.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 740d6e570..9f9a869ab 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -32,11 +32,6 @@ A number of new syscalls related container configuration keys were introduced.
See [configuration.md](Configuration) for how to use them.
-## restrict\_devlxd
-A new security.devlxd container configuration key was introduced.
-The key controls whether the /dev/lxd interface is made available to the container.
-If set to false, this effectively prevents the container from interacting with the LXD daemon.
-
## auth\_pki
This indicates support for PKI authentication mode.
@@ -364,3 +359,8 @@ This adds support for SR-IOV enabled network devices.
## console
This adds support to interact with the container console device and console log.
+
+## restrict\_devlxd
+A new security.devlxd container configuration key was introduced.
+The key controls whether the /dev/lxd interface is made available to the container.
+If set to false, this effectively prevents the container from interacting with the LXD daemon.
From 48e91b211cd420daea2331a03c421ba4ec5869a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 5 Dec 2017 17:43:07 -0500
Subject: [PATCH 3/3] Allow live enabling/disabling of /dev/lxd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
doc/containers.md | 2 +-
lxd/container_lxc.go | 17 +++++++++++++++++
test/suites/devlxd.sh | 1 -
3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/doc/containers.md b/doc/containers.md
index 362e5303d..95ac3cbe0 100644
--- a/doc/containers.md
+++ b/doc/containers.md
@@ -45,12 +45,12 @@ raw.apparmor | blob | - | yes
raw.idmap | blob | - | no | id\_map | Raw idmap configuration (e.g. "both 1000 1000")
raw.lxc | blob | - | no | - | Raw LXC configuration to be appended to the generated one
raw.seccomp | blob | - | no | container\_syscall\_filtering | Raw Seccomp configuration
+security.devlxd | boolean | true | yes | restrict\_devlxd | Controls the presence of /dev/lxd in the container
security.idmap.base | integer | - | no | id\_map\_base | The base host ID to use for the allocation (overrides auto-detection)
security.idmap.isolated | boolean | false | no | id\_map | Use an idmap for this container that is unique among containers with isolated set.
security.idmap.size | integer | - | no | id\_map | The size of the idmap to use
security.nesting | boolean | false | yes | - | Support running lxd (nested) inside the container
security.privileged | boolean | false | no | - | Runs the container in privileged mode
-security.devlxd | boolean | true | no | - | Controls the presence of /dev/lxd in the container
security.syscalls.blacklist | string | - | no | container\_syscall\_filtering | A '\n' separated list of syscalls to blacklist
security.syscalls.blacklist\_compat | boolean | false | no | container\_syscall\_filtering | On x86\_64 this enables blocking of compat\_\* syscalls, it is a no-op on other arches
security.syscalls.blacklist\_default | boolean | true | no | container\_syscall\_filtering | Enables the default syscall blacklist
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 2457ab1f6..98d26bedb 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -3631,6 +3631,23 @@ func (c *containerLXC) Update(args db.ContainerArgs, userRequested bool) error {
if err != nil {
return err
}
+ } else if key == "security.devlxd" {
+ if value == "" || shared.IsTrue(value) {
+ err = c.insertMount(shared.VarPath("devlxd"), "/dev/lxd", "none", syscall.MS_BIND)
+ if err != nil {
+ return err
+ }
+ } else if c.FileExists("/dev/lxd") == nil {
+ err = c.removeMount("/dev/lxd")
+ if err != nil {
+ return err
+ }
+
+ err = c.FileRemove("/dev/lxd")
+ if err != nil {
+ return err
+ }
+ }
} else if key == "linux.kernel_modules" && value != "" {
for _, module := range strings.Split(value, ",") {
module = strings.TrimPrefix(module, " ")
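Review bot: The enable branch at `if value == "" || shared.IsTrue(value)` calls insertMount unconditionally, while the disable branch first checks `c.FileExists("/dev/lxd") == nil`; setting the key back to true (or unsetting it) on a container whose /dev/lxd is already present would therefore stack a second bind mount, and a later disable would likely unmount only the topmost one, leaving the socket reachable. The two directions should be symmetric so that each is a no-op when the container is already in the requested state. This reads FileExists as returning nil when the path exists, inferred from its use on the removal side, which is worth confirming against its definition. Update begins and ends outside the hunk, so whether this branch already sits under a running-container check is not visible here; if it does not, insertMount on a stopped container needs a guard as well.
```go
} else if key == "security.devlxd" {
	enable := value == "" || shared.IsTrue(value)
	present := c.FileExists("/dev/lxd") == nil
	if enable && !present {
		err = c.insertMount(shared.VarPath("devlxd"), "/dev/lxd", "none", syscall.MS_BIND)
		if err != nil {
			return err
		}
	} else if !enable && present {
		// … unchanged: removeMount and FileRemove of /dev/lxd …
	}
```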
diff --git a/test/suites/devlxd.sh b/test/suites/devlxd.sh
index 4367fa2ee..d1741ac03 100644
--- a/test/suites/devlxd.sh
+++ b/test/suites/devlxd.sh
@@ -11,7 +11,6 @@ test_devlxd() {
! lxc exec devlxd -- test -S /dev/lxd/sock
lxc config unset devlxd security.devlxd
- lxc restart devlxd --force
lxc exec devlxd -- test -S /dev/lxd/sock
lxc file push "${TEST_DIR}/devlxd-client" devlxd/bin/