[lxc-devel] [lxd/master] deletion protection
monstermunchkin on Github
lxc-bot at linuxcontainers.org
Thu Jul 5 15:00:16 UTC 2018
From 06bcecd692d234b2b9e0d75b98a81ee9f83cc5b3 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Thu, 5 Jul 2018 16:10:15 +0200
Subject: [PATCH 1/3] lxd: Add deletion protection
Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
lxd/container.go | 1 +
lxd/container_lxc.go | 11 +++++++++++
shared/container.go | 2 ++
3 files changed, 14 insertions(+)
diff --git a/lxd/container.go b/lxd/container.go
index ec707af95..2e4f6c440 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -555,6 +555,7 @@ type container interface {
IsSnapshot() bool
IsStateful() bool
IsNesting() bool
+ IsDeleteProtected() bool
// Hooks
OnStart() error
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 5d647dd9d..2b20819d8 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -4,6 +4,7 @@ import (
"archive/tar"
"bufio"
"encoding/json"
+ "errors"
"fmt"
"io"
"io/ioutil"
@@ -3292,6 +3293,12 @@ func (c *containerLXC) Delete() error {
logger.Info("Deleting container", ctxMap)
+ if c.IsDeleteProtected() && !c.IsSnapshot() {
+ err := errors.New("Container is protected")
+ logger.Warn("Failed to delete container", log.Ctx{"name": c.Name(), "err": err})
+ return err
+ }
+
// Attempt to initialize storage interface for the container.
c.initStorage()
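Review bot: The refusal at the added `if c.IsDeleteProtected() && !c.IsSnapshot()` check is returned as an anonymous `errors.New` value, so the caller of Delete() cannot tell a protected container apart from an internal failure; presumably the API layer then reports it as a generic server error rather than a client-side refusal. Declaring a package-level sentinel, `var errContainerProtected = errors.New("Container is protected")`, and returning that lets the delete handler compare against it and map the refusal to a 4xx response, or alternatively the handler can call `IsDeleteProtected()` before invoking Delete(). The `logger.Warn` line also builds a fresh `log.Ctx` with only the name while `ctxMap` from the Info call just above is already in scope; logging with `ctxMap` plus the error keeps the two entries for the same operation consistent. Delete's body continues outside the hunk.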
@@ -8128,6 +8135,10 @@ func (c *containerLXC) IsSnapshot() bool {
return c.cType == db.CTypeSnapshot
}
+func (c *containerLXC) IsDeleteProtected() bool {
+ return shared.IsTrue(c.expandedConfig["security.protection.delete"])
+}
+
// Various property query functions
func (c *containerLXC) Architecture() int {
return c.architecture
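Review bot: IsDeleteProtected at the top of the hunk is an exported method with no doc comment, and neither does the matching interface method added in lxd/container.go. Suggested comment for both: `// IsDeleteProtected reports whether security.protection.delete is true in the container's expanded config.` Since it reads `c.expandedConfig`, a value inherited from a profile appears to count as well — the test suite in this series sets the key on the default profile, which is consistent with that — so the comment could also say that the snapshot exemption is applied by the caller, not here.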
diff --git a/shared/container.go b/shared/container.go
index b4ce32974..e0e29f5bb 100644
--- a/shared/container.go
+++ b/shared/container.go
@@ -213,6 +213,8 @@ var KnownContainerConfigKeys = map[string]func(value string) error{
"security.devlxd": IsBool,
"security.devlxd.images": IsBool,
+ "security.protection.delete": IsBool,
+
"security.idmap.base": IsUint32,
"security.idmap.isolated": IsBool,
"security.idmap.size": IsUint32,
From edcdf551f632fe2c4cfb3afae4c5ef199d7111de Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Thu, 5 Jul 2018 16:10:43 +0200
Subject: [PATCH 2/3] doc: Add deletion protection
Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
doc/api-extensions.md | 4 ++++
doc/containers.md | 1 +
2 files changed, 5 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index bb9f921d5..a16527207 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -536,3 +536,7 @@ This adds the following new endpoint (see [RESTful API](rest-api.md) for details
## proxy\_unix\_dac\_properties
This adds support for gid, uid, and mode properties for non-abstract unix
sockets.
+
+## container\_protection\_delete
+Enables setting the `security.protection.delete` field which prevents containers
+from being deleted if set to true. Snapshots are not affected by this setting.
diff --git a/doc/containers.md b/doc/containers.md
index b1866d913..849432cfd 100644
--- a/doc/containers.md
+++ b/doc/containers.md
@@ -69,6 +69,7 @@ security.idmap.isolated | boolean | false | no
security.idmap.size | integer | - | no | id\_map | The size of the idmap to use
security.nesting | boolean | false | yes | - | Support running lxd (nested) inside the container
security.privileged | boolean | false | no | - | Runs the container in privileged mode
+security.protection.delete | boolean | false | yes | container\_protection\_delete | Prevents the container from being deleted
security.syscalls.blacklist | string | - | no | container\_syscall\_filtering | A '\n' separated list of syscalls to blacklist
security.syscalls.blacklist\_compat | boolean | false | no | container\_syscall\_filtering | On x86\_64 this enables blocking of compat\_\* syscalls, it is a no-op on other arches
security.syscalls.blacklist\_default | boolean | true | no | container\_syscall\_filtering | Enables the default syscall blacklist
From 66711b632a22be90b2c8244c70865a51278abcd1 Mon Sep 17 00:00:00 2001
From: Thomas Hipp <thomas.hipp at canonical.com>
Date: Thu, 5 Jul 2018 16:55:21 +0200
Subject: [PATCH 3/3] test: Add deletion protection
Signed-off-by: Thomas Hipp <thomas.hipp at canonical.com>
---
test/main.sh | 1 +
test/suites/container_protection.sh | 21 +++++++++++++++++++++
2 files changed, 22 insertions(+)
create mode 100644 test/suites/container_protection.sh
diff --git a/test/main.sh b/test/main.sh
index ed534c6d8..ccea3b948 100755
--- a/test/main.sh
+++ b/test/main.sh
@@ -216,6 +216,7 @@ run_test test_clustering_publish "clustering publish"
run_test test_clustering_profiles "clustering profiles"
run_test test_clustering_join_api "clustering join api"
#run_test test_clustering_upgrade "clustering upgrade"
+run_test test_container_protection "container protection"
# shellcheck disable=SC2034
TEST_RESULT=success
diff --git a/test/suites/container_protection.sh b/test/suites/container_protection.sh
new file mode 100644
index 000000000..7eb304be1
--- /dev/null
+++ b/test/suites/container_protection.sh
@@ -0,0 +1,21 @@
+test_container_protection() {
+ ensure_import_testimage
+ ensure_has_localhost_remote "${LXD_ADDR}"
+
+ lxc launch testimage c1
+ lxc stop c1
+ lxc snapshot c1
+ lxc delete c1
+
+ lxc profile set default security.protection.delete true
+
+ lxc launch testimage c1
+ lxc stop c1
+ lxc snapshot c1
+ lxc delete c1/snap0
+ ! lxc delete c1
+
+ # override setting
+ lxc config set c1 security.protection.delete false
+ lxc delete c1
+}
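Review bot: The suite sets `security.protection.delete` on the default profile at `lxc profile set default security.protection.delete true` and never reverts it, so every container launched by later suites inherits delete protection and their cleanup deletes will fail. Add `lxc profile unset default security.protection.delete` after the final `lxc delete c1` so the profile leaves the test as it entered it. The negative case `! lxc delete c1` only checks the exit status; matching the error text against the protection message would also rule out a delete that failed for an unrelated reason.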