[lxc-devel] [lxc/master] [confile] Add config for populate devices.
lifeng68 on Github
lxc-bot at linuxcontainers.org
Mon Feb 12 08:12:49 UTC 2018
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 479 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20180212/49705de6/attachment.bin>
-------------- next part --------------
From c79187df805fffe61b3b467646f54eb6d4f2bfc9 Mon Sep 17 00:00:00 2001
From: LiFeng <lifeng68 at huawei.com>
Date: Mon, 12 Feb 2018 11:39:07 -0500
Subject: [PATCH] [confile] Add config for populate devices.
Signed-off-by: LiFeng <lifeng68 at huawei.com>
---
doc/lxc.container.conf.sgml.in | 23 ++++++++
src/lxc/conf.c | 102 +++++++++++++++++++++++++++++++++++
src/lxc/conf.h | 26 ++++++++-
src/lxc/confile.c | 120 +++++++++++++++++++++++++++++++++++++++++
src/tests/get_item.c | 45 ++++++++++++++++
src/tests/parse_config_file.c | 7 +++
6 files changed, 322 insertions(+), 1 deletion(-)
diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index ccc6348c4..6e63f369f 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1604,6 +1604,29 @@ dev/null proc/kcore none bind,relative 0 0
</variablelist>
</refsect2>
+ <refsect2>
+ <title>Populate devices</title>
+ <para>
+ Specify the devices on host to be populated into the container.
+ For instance, you can populate the block device '/dev/sda' on host into the container.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>
+ <option>lxc.populate.device</option>
+ </term>
+ <listitem>
+ <para>
+ Seven values must be provided. First The absolute path of the device in the container.
+ Next a character, either 'b', or 'c', to specify the device type.
+ Next is the major device number. Next is the minor device number.
+ Next is the filemode of the device. Finally, user and group ownership of the devive.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
<refsect2>
<title>Apparmor profile</title>
<para>
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 05b17a499..1abc56be1 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1256,6 +1256,82 @@ static int lxc_fill_autodev(const struct lxc_rootfs *rootfs)
return 0;
}
+static int setup_populate_devs(const struct lxc_rootfs *rootfs, struct lxc_list *devs)
+{
+ int ret;
+ char *pathdirname;
+ char path[MAXPATHLEN];
+ mode_t cmask;
+ mode_t file_mode = 0;
+ struct lxc_populate_devs *dev_elem;
+ struct lxc_list *it;
+
+ INFO("Populating devices into container");
+ cmask = umask(S_IXUSR | S_IXGRP | S_IXOTH);
+ lxc_list_for_each(it, devs) {
+ dev_elem = it->elem;
+
+ ret = snprintf(path, MAXPATHLEN, "%s/%s", rootfs->path ? rootfs->mount : "", dev_elem->name);
+ if (ret < 0 || ret >= MAXPATHLEN)
+ return -1;
+
+ /* create any missing directories */
+ pathdirname = strdup(path);
+ pathdirname = dirname(pathdirname);
+ ret = mkdir_p(pathdirname, 0755);
+ free(pathdirname);
+ if (ret < 0) {
+ WARN("Failed to create target directory");
+ return -1;
+ }
+
+ if (!strcmp(dev_elem->type, "c")) {
+ file_mode = dev_elem->file_mode | S_IFCHR;
+ } else if (!strcmp(dev_elem->type, "b")) {
+ file_mode = dev_elem->file_mode | S_IFBLK;
+ } else {
+ ERROR("Failed to parse devices type '%s'", dev_elem->type);
+ return -1;
+ }
+
+ ret = mknod(path, file_mode, makedev(dev_elem->maj, dev_elem->min));
+ if (ret && errno != EEXIST) {
+ SYSERROR("Failed to mknod '%s':'%d':'%d':'%d'", dev_elem->name,
+ file_mode, dev_elem->maj, dev_elem->min);
+
+ char hostpath[MAXPATHLEN];
+ FILE *pathfile;
+
+ // Unprivileged containers cannot create devices, so
+ // try to bind mount the device from the host
+ ret = snprintf(hostpath, MAXPATHLEN, "/dev/%s", dev_elem->name);
+ if (ret < 0 || ret >= MAXPATHLEN)
+ return -1;
+ pathfile = fopen(path, "wb");
+ if (!pathfile) {
+ SYSERROR("Failed to create device mount target '%s'", path);
+ return -1;
+ }
+ fclose(pathfile);
+ if (safe_mount(hostpath, path, 0, MS_BIND, NULL,
+ rootfs->path ? rootfs->mount : NULL) != 0) {
+ SYSERROR("Failed bind mounting device %s from host into container",
+ dev_elem->name);
+ return -1;
+ }
+ }
+ if (chown(path, dev_elem->uid, dev_elem->gid) < 0) {
+ ERROR("Error chowning %s", path);
+ return -1;
+ }
+ }
+ umask(cmask);
+
+ INFO("Populated devices into container /dev");
+ return 0;
+}
+
+
static int lxc_setup_rootfs(struct lxc_conf *conf)
{
int ret;
@@ -2585,6 +2661,8 @@ struct lxc_conf *lxc_conf_init(void)
memset(&new->cgroup_meta, 0, sizeof(struct lxc_cgroup));
memset(&new->ns_share, 0, sizeof(char *) * LXC_NS_MAX);
+ lxc_list_init(&new->populate_devs);
+
return new;
}
@@ -3290,6 +3368,14 @@ int lxc_setup(struct lxc_handler *handler)
ERROR("failed to populate /dev in the container");
return -1;
}
+ /* setup devices which will be populated in the container.
+ */
+ if (!lxc_list_empty(&lxc_conf->populate_devs)) {
+ if (setup_populate_devs(&lxc_conf->rootfs, &lxc_conf->populate_devs)) {
+ ERROR("Failed to setup devices in the container");
+ return -1;
+ }
+ }
}
if (!lxc_list_empty(&lxc_conf->mount_list) && setup_mount_entries(lxc_conf, &lxc_conf->rootfs, &lxc_conf->mount_list, name, lxcpath)) {
@@ -3573,6 +3659,21 @@ int lxc_clear_procs(struct lxc_conf *c, const char *key)
return 0;
}
+int lxc_clear_devices(struct lxc_conf *c)
+{
+ struct lxc_list *it,*next;
+
+ lxc_list_for_each_safe(it, &c->populate_devs, next) {
+ struct lxc_populate_devs *dev_elem = it->elem;
+ lxc_list_del(it);
+ free(dev_elem->name);
+ free(dev_elem->type);
+ free(dev_elem);
+ free(it);
+ }
+ return 0;
+}
+
int lxc_clear_groups(struct lxc_conf *c)
{
struct lxc_list *it,*next;
@@ -3711,6 +3812,7 @@ void lxc_conf_free(struct lxc_conf *conf)
lxc_clear_limits(conf, "lxc.prlimit");
lxc_clear_sysctls(conf, "lxc.sysctl");
lxc_clear_procs(conf, "lxc.proc");
+ lxc_clear_devices(conf);
free(conf->cgroup_meta.dir);
free(conf->cgroup_meta.controllers);
free(conf);
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index c5f27336a..96aeded33 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -207,6 +207,27 @@ struct lxc_rootfs {
char *bdev_type;
};
+/*
+ * Defines a structure to store the devices which will
+ * be populated in container
+ * @name : the target device name in container
+ * @type : the type of target device "c" or "b"
+ * @mode : file mode for the device
+ * @maj : major number for the device
+ * @min : minor number for the device
+ * @uid : owner uid for the device
+ * @gid : owner gid for the device
+ */
+struct lxc_populate_devs {
+ char *name;
+ char *type;
+ mode_t file_mode;
+ int maj;
+ int min;
+ uid_t uid;
+ gid_t gid;
+};
+
/*
* Automatic mounts for LXC to perform inside the container
*/
@@ -415,6 +436,9 @@ struct lxc_conf {
/* procs */
struct lxc_list procs;
+
+ /* populate devices*/
+ struct lxc_list populate_devs;
};
extern int write_id_mapping(enum idtype idtype, pid_t pid, const char *buf,
@@ -479,5 +503,5 @@ extern int setup_sysctl_parameters(struct lxc_list *sysctls);
extern int lxc_clear_sysctls(struct lxc_conf *c, const char *key);
extern int setup_proc_filesystem(struct lxc_list *procs, pid_t pid);
extern int lxc_clear_procs(struct lxc_conf *c, const char *key);
-
+extern int lxc_clear_devices(struct lxc_conf *c);
#endif /* __LXC_CONF_H */
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 66b7615fe..53a537e64 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -144,6 +144,7 @@ lxc_config_define(tty_dir);
lxc_config_define(uts_name);
lxc_config_define(sysctl);
lxc_config_define(proc);
+lxc_config_define(populate_device);
static struct lxc_config_t config[] = {
{ "lxc.arch", set_config_personality, get_config_personality, clr_config_personality, },
@@ -228,6 +229,7 @@ static struct lxc_config_t config[] = {
{ "lxc.uts.name", set_config_uts_name, get_config_uts_name, clr_config_uts_name, },
{ "lxc.sysctl", set_config_sysctl, get_config_sysctl, clr_config_sysctl, },
{ "lxc.proc", set_config_proc, get_config_proc, clr_config_proc, },
+ { "lxc.populate.device", set_config_populate_device, get_config_populate_device, clr_config_populate_device, },
};
struct signame {
@@ -1623,6 +1625,89 @@ static int set_config_proc(const char *key, const char *value,
return -1;
}
+static int set_config_populate_device(const char *key, const char *value,
+ struct lxc_conf *lxc_conf, void *data)
+{
+ int ret = 0, major = 0, minor = 0;
+ uid_t uid = (uid_t)-1;
+ gid_t gid = (gid_t)-1;
+ char name[PATH_MAX] = {0};
+ char type[2] = {0};
+ char *replace_value = NULL;
+ mode_t filemode = 0;
+ struct lxc_list *iter;
+ struct lxc_list *dev_list = NULL;
+ struct lxc_populate_devs *dev_elem = NULL;
+
+ if (lxc_config_value_empty(value))
+ return lxc_clear_devices(lxc_conf);
+
+ /* lxc.populate.device = PATH_IN_CONTAINER:DEVICETYPE:MAJOR:MINOR:MODE:UID:GID
+ * For e.g. lxc.populate.device = /dev/sda:b:8:0:0666:0:0
+ */
+ ret = sscanf(value, "%[^:]:%2[^:]:%i:%i:%i:%u:%u", name, type, &major, &minor, &filemode, &uid, &gid);
+ if (ret != 7)
+ return -1;
+
+ /* find existing list element */
+ lxc_list_for_each(iter, &lxc_conf->populate_devs) {
+ dev_elem = iter->elem;
+
+ if (strcmp(name, dev_elem->name) != 0)
+ continue;
+
+ replace_value = strdup(type);
+ if (!replace_value)
+ return -1;
+
+ free(dev_elem->type);
+ dev_elem->type = replace_value;
+ dev_elem->file_mode = filemode;
+ dev_elem->maj = major;
+ dev_elem->min = minor;
+ dev_elem->uid = (uid_t)uid;
+ dev_elem->gid = (gid_t)gid;
+ return 0;
+ }
+
+ /* allocate list element */
+ dev_list = malloc(sizeof(*dev_list));
+ if (!dev_list)
+ goto on_error;
+
+ dev_elem = malloc(sizeof(*dev_elem));
+ if (!dev_elem)
+ goto on_error;
+ memset(dev_elem, 0, sizeof(*dev_elem));
+
+ dev_elem->name = strdup(name);
+ if (!dev_elem->name)
+ goto on_error;
+
+ dev_elem->type = strdup(type);
+ if (!dev_elem->type)
+ goto on_error;
+
+ dev_elem->file_mode = filemode;
+ dev_elem->maj = major;
+ dev_elem->min = minor;
+
+ lxc_list_add_elem(dev_list, dev_elem);
+
+ lxc_list_add_tail(&lxc_conf->populate_devs, dev_list);
+
+ return 0;
+
+on_error:
+ free(dev_list);
+ if (dev_elem) {
+ free(dev_elem->name);
+ free(dev_elem->type);
+ free(dev_elem);
+ }
+ return -1;
+}
+
static int set_config_idmaps(const char *key, const char *value,
struct lxc_conf *lxc_conf, void *data)
{
@@ -3554,6 +3639,35 @@ static int get_config_proc(const char *key, char *retv, int inlen,
return fulllen;
}
+/* If you ask for 'lxc.populate.device', then all populate device
+ * entries will be printed, in 'lxc.populate.device = path_in_container:type:major:minor:mode:uid:gid' format.
+ * For e.g. lxc.populate.device = /dev/sda:b:8:0:0666:0:0
+ */
+static int get_config_populate_device(const char *key, char *retv, int inlen,
+ struct lxc_conf *c, void *data)
+{
+ int len;
+ struct lxc_list *it;
+ int fulllen = 0;
+
+ if (!retv)
+ inlen = 0;
+ else
+ memset(retv, 0, inlen);
+
+ if (strcmp(key, "lxc.populate.device") != 0)
+ return -1;
+
+ lxc_list_for_each(it, &c->populate_devs) {
+ struct lxc_populate_devs *elem = it->elem;
+ strprint(retv, inlen, "lxc.populate.device = %s:%s:%d:%d:%o:%u:%u\n",
+ elem->name, elem->type, elem->maj,
+ elem->min, elem->file_mode, elem->uid, elem->gid);
+ }
+
+ return fulllen;
+}
+
static int get_config_namespace_clone(const char *key, char *retv, int inlen,
struct lxc_conf *c, void *data)
{
@@ -3977,6 +4091,12 @@ static inline int clr_config_sysctl(const char *key, struct lxc_conf *c,
return lxc_clear_sysctls(c, key);
}
+static inline int clr_config_populate_device(const char *key, struct lxc_conf *c,
+ void *data)
+{
+ return lxc_clear_devices(c);
+}
+
static inline int clr_config_proc(const char *key, struct lxc_conf *c,
void *data)
{
diff --git a/src/tests/get_item.c b/src/tests/get_item.c
index e7667c482..81c8c7e86 100644
--- a/src/tests/get_item.c
+++ b/src/tests/get_item.c
@@ -552,6 +552,51 @@ int main(int argc, char *argv[])
goto out;
}
+#define POPULATE_DEVICE_SDA1 "lxc.populate.device = /dev/sda1:b:8:1:0666:0:0\n"
+#define ALL_POPULATE_DEVICE "lxc.populate.device = /dev/sda:b:8:0:0666:0:0\n" POPULATE_DEVICE_SDA1
+
+ ret = c->get_config_item(c, "lxc.populate.device", v3, 2047);
+ if (ret != 0) {
+ fprintf(stderr, "%d: get_config_item(populate.device) returned %d\n", __LINE__, ret);
+ goto out;
+ }
+
+ if (!c->set_config_item(c, "lxc.populate.device", "/dev/sda:b:8:0:0666:0:0")) {
+ fprintf(stderr, "%d: failed to set lxc.populate.device = /dev/sda:b:8:0:0666:0:0\n", __LINE__);
+ goto out;
+ }
+ ret = c->get_config_item(c, "lxc.populate.device", v2, 255);
+ if (ret < 0) {
+ fprintf(stderr, "%d: get_config_item(lxc.populate.device) returned %d\n", __LINE__, ret);
+ goto out;
+ }
+ if (strcmp(v2, "/dev/sda:b:8:0:0666:0:0")) {
+ fprintf(stderr, "%d: lxc.populate.device returned wrong value: %d %s not /dev/sda:b:8:0:0666:0:0\n", __LINE__, ret, v2);
+ goto out;
+ }
+ printf("lxc.populate.device returned: %d %s\n", ret, v2);
+
+ if (!c->set_config_item(c, "lxc.populate.device", "/dev/sda1:b:8:1:0666:0:0")) {
+ fprintf(stderr, "%d: failed to set lxc.populate.device = /dev/sda1:b:8:1:0666:0:0\n", __LINE__);
+ goto out;
+ }
+
+ ret = c->get_config_item(c, "lxc.populate.device", v3, 2047);
+ if (ret != sizeof(ALL_POPULATE_DEVICE)-1) {
+ fprintf(stderr, "%d: get_config_item(lxc.populate.device) returned %d\n", __LINE__, ret);
+ goto out;
+ }
+ if (strcmp(v3, ALL_POPULATE_DEVICE)) {
+ fprintf(stderr, "%d: lxc.populate.device returned wrong value: %d %s not %d %s\n", __LINE__, ret, v3, (int)sizeof(ALL_POPULATE_DEVICE) - 1, ALL_POPULATE_DEVICE);
+ goto out;
+ }
+ printf("lxc.populate.device returned %d %s\n", ret, v3);
+
+ if (!c->clear_config_item(c, "lxc.populate.device")) {
+ fprintf(stderr, "%d: failed clearing lxc.populate.device\n", __LINE__);
+ goto out;
+ }
+
printf("All get_item tests passed\n");
fret = EXIT_SUCCESS;
out:
diff --git a/src/tests/parse_config_file.c b/src/tests/parse_config_file.c
index aad4d32b6..7568e800e 100644
--- a/src/tests/parse_config_file.c
+++ b/src/tests/parse_config_file.c
@@ -726,6 +726,13 @@ int main(int argc, char *argv[])
goto non_test_error;
}
+ /* lxc.populate.device */
+ if (set_get_compare_clear_save_load(c, "lxc.populate.device", "/dev/sda:b:8:0:0666:0:0", tmpf,
+ true) < 0) {
+ lxc_error("%s\n", "lxc.populate.device");
+ goto non_test_error;
+ }
+
/* lxc.proc */
if (set_get_compare_clear_save_load(c, "lxc.proc.oom_score_adj", "10", tmpf,
true) < 0) {
More information about the lxc-devel
mailing list