[lxc-devel] [lxd/master] deletion protection

monstermunchkin on Github lxc-bot at linuxcontainers.org
Thu Jul 5 15:00:16 UTC 2018


From 06bcecd692d234b2b9e0d75b98a81ee9f83cc5b3 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Thu, 5 Jul 2018 16:10:15 +0200
Subject: [PATCH 1/3] lxd: Add deletion protection

Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
 lxd/container.go     |  1 +
 lxd/container_lxc.go | 11 +++++++++++
 shared/container.go  |  2 ++
 3 files changed, 14 insertions(+)

diff --git a/lxd/container.go b/lxd/container.go
index ec707af95..2e4f6c440 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -555,6 +555,7 @@ type container interface {
 	IsSnapshot() bool
 	IsStateful() bool
 	IsNesting() bool
+	IsDeleteProtected() bool
 
 	// Hooks
 	OnStart() error
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 5d647dd9d..2b20819d8 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -4,6 +4,7 @@ import (
 	"archive/tar"
 	"bufio"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -3292,6 +3293,12 @@ func (c *containerLXC) Delete() error {
 
 	logger.Info("Deleting container", ctxMap)
 
+	if c.IsDeleteProtected() && !c.IsSnapshot() {
+		err := errors.New("Container is protected")
+		logger.Warn("Failed to delete container", log.Ctx{"name": c.Name(), "err": err})
+		return err
+	}
+
 	// Attempt to initialize storage interface for the container.
 	c.initStorage()
 
@@ -8128,6 +8135,10 @@ func (c *containerLXC) IsSnapshot() bool {
 	return c.cType == db.CTypeSnapshot
 }
 
+func (c *containerLXC) IsDeleteProtected() bool {
+	return shared.IsTrue(c.expandedConfig["security.protection.delete"])
+}
+
 // Various property query functions
 func (c *containerLXC) Architecture() int {
 	return c.architecture
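Review bot: IsDeleteProtected is a new method on the exported container interface but carries no doc comment, neither here nor on the interface line added in lxd/container.go. Suggested: `// IsDeleteProtected reports whether security.protection.delete is true in the container's expanded config; Delete() refuses non-snapshot deletion when it is.` The "expanded" config presumably includes values inherited from profiles, which is what the accompanying test relies on — worth stating if confirmed.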
diff --git a/shared/container.go b/shared/container.go
index b4ce32974..e0e29f5bb 100644
--- a/shared/container.go
+++ b/shared/container.go
@@ -213,6 +213,8 @@ var KnownContainerConfigKeys = map[string]func(value string) error{
 	"security.devlxd":        IsBool,
 	"security.devlxd.images": IsBool,
 
+	"security.protection.delete": IsBool,
+
 	"security.idmap.base":     IsUint32,
 	"security.idmap.isolated": IsBool,
 	"security.idmap.size":     IsUint32,

From edcdf551f632fe2c4cfb3afae4c5ef199d7111de Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Thu, 5 Jul 2018 16:10:43 +0200
Subject: [PATCH 2/3] doc: Add deletion protection

Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
 doc/api-extensions.md | 4 ++++
 doc/containers.md     | 1 +
 2 files changed, 5 insertions(+)

diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index bb9f921d5..a16527207 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -536,3 +536,7 @@ This adds the following new endpoint (see [RESTful API](rest-api.md) for details
 ## proxy\_unix\_dac\_properties
 This adds support for gid, uid, and mode properties for non-abstract unix
 sockets.
+
+## container\_protection\_delete
+Enables setting the `security.protection.delete` field which prevents containers
+from being deleted if set to true. Snapshots are not affected by this setting.
diff --git a/doc/containers.md b/doc/containers.md
index b1866d913..849432cfd 100644
--- a/doc/containers.md
+++ b/doc/containers.md
@@ -69,6 +69,7 @@ security.idmap.isolated                 | boolean   | false         | no
 security.idmap.size                     | integer   | -             | no            | id\_map                              | The size of the idmap to use
 security.nesting                        | boolean   | false         | yes           | -                                    | Support running lxd (nested) inside the container
 security.privileged                     | boolean   | false         | no            | -                                    | Runs the container in privileged mode
+security.protection.delete              | boolean   | false         | yes           | container\_protection\_delete        | Prevents the container from being deleted
 security.syscalls.blacklist             | string    | -             | no            | container\_syscall\_filtering        | A '\n' separated list of syscalls to blacklist
 security.syscalls.blacklist\_compat     | boolean   | false         | no            | container\_syscall\_filtering        | On x86\_64 this enables blocking of compat\_\* syscalls, it is a no-op on other arches
 security.syscalls.blacklist\_default    | boolean   | true          | no            | container\_syscall\_filtering        | Enables the default syscall blacklist

From 66711b632a22be90b2c8244c70865a51278abcd1 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Thu, 5 Jul 2018 16:55:21 +0200
Subject: [PATCH 3/3] test: Add deletion protection

Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
 test/main.sh                        |  1 +
 test/suites/container_protection.sh | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 test/suites/container_protection.sh

diff --git a/test/main.sh b/test/main.sh
index ed534c6d8..ccea3b948 100755
--- a/test/main.sh
+++ b/test/main.sh
@@ -216,6 +216,7 @@ run_test test_clustering_publish "clustering publish"
 run_test test_clustering_profiles "clustering profiles"
 run_test test_clustering_join_api "clustering join api"
 #run_test test_clustering_upgrade "clustering upgrade"
+run_test test_container_protection "container protection"
 
 # shellcheck disable=SC2034
 TEST_RESULT=success
diff --git a/test/suites/container_protection.sh b/test/suites/container_protection.sh
new file mode 100644
index 000000000..7eb304be1
--- /dev/null
+++ b/test/suites/container_protection.sh
@@ -0,0 +1,21 @@
+test_container_protection() {
+  ensure_import_testimage
+  ensure_has_localhost_remote "${LXD_ADDR}"
+
+  lxc launch testimage c1
+  lxc stop c1
+  lxc snapshot c1
+  lxc delete c1
+
+  lxc profile set default security.protection.delete true
+
+  lxc launch testimage c1
+  lxc stop c1
+  lxc snapshot c1
+  lxc delete c1/snap0
+  ! lxc delete c1
+
+  # override setting
+  lxc config set c1 security.protection.delete false
+  lxc delete c1
+}
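Review bot: The test sets `security.protection.delete true` on the default profile and never clears it, so the profile change outlives the suite and any later test that launches a container from the default profile will fail to delete it. Add `lxc profile unset default security.protection.delete` at the end (after `lxc delete c1`). The test also only covers the profile-inherited case; a second short case setting the key directly on the container with `lxc config set c1 security.protection.delete true` before `! lxc delete c1` would cover the per-container path the Delete() guard reads.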

