[lxc-devel] [lxd/master] lxd/storage: Implement security.unmapped

stgraber on Github lxc-bot at linuxcontainers.org
Fri Sep 28 14:27:56 UTC 2018


From 1c486ee458cdb1a975fe5a092ee7ead9b83488c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Fri, 28 Sep 2018 16:27:07 +0200
Subject: [PATCH] lxd/storage: Implement security.unmapped
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 doc/api-extensions.md         |  9 +++++++++
 doc/storage.md                | 15 ++++++++-------
 lxd/storage.go                |  6 ++++++
 lxd/storage_volumes_config.go | 15 +++++++++++++--
 lxd/storage_volumes_utils.go  |  7 +++++++
 shared/version/api.go         |  1 +
 6 files changed, 44 insertions(+), 9 deletions(-)

diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index c902901cb5..93e4a2ec38 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -607,3 +607,12 @@ This adds the following new endpoint (see [RESTful API](rest-api.md) for details
 * `PUT /1.0/storage-pools/<pool>/volumes/<type>/<volume>/snapshots/<name>`
 * `POST /1.0/storage-pools/<pool>/volumes/<type>/<volume>/snapshots/<name>`
 * `DELETE /1.0/storage-pools/<pool>/volumes/<type>/<volume>/snapshots/<name>`
+
+## storage\_unmapped
+Introduces a new `security.unmapped` boolean on storage volumes.
+
+Setting it to true will flush the current map on the volume and prevent
+any further idmap tracking and remapping on the volume.
+
+This can be used to share data between isolated containers after
+attaching it to the container which requires write access.
diff --git a/doc/storage.md b/doc/storage.md
index e355ea9693..58946c6bba 100644
--- a/doc/storage.md
+++ b/doc/storage.md
@@ -37,13 +37,14 @@ lxc storage set [<remote>:]<pool> <key> <value>
 ```
 
 ## Storage volume configuration
-Key                     | Type      | Condition                 | Default                               | API Extension | Description
-:--                     | :---      | :--------                 | :------                               | :------------ | :----------
-size                    | string    | appropriate driver        | same as volume.size                   | storage       | Size of the storage volume
-block.filesystem        | string    | block based driver (lvm)  | same as volume.block.filesystem       | storage       | Filesystem of the storage volume
-block.mount\_options    | string    | block based driver (lvm)  | same as volume.block.mount\_options   | storage       | Mount options for block devices
-zfs.remove\_snapshots   | string    | zfs driver                | same as volume.zfs.remove\_snapshots  | storage       | Remove snapshots as needed
-zfs.use\_refquota       | string    | zfs driver                | same as volume.zfs.zfs\_requota       | storage       | Use refquota instead of quota for space.
+Key                     | Type      | Condition                 | Default                               | API Extension     | Description
+:--                     | :---      | :--------                 | :------                               | :------------     | :----------
+size                    | string    | appropriate driver        | same as volume.size                   | storage           | Size of the storage volume
+block.filesystem        | string    | block based driver (lvm)  | same as volume.block.filesystem       | storage           | Filesystem of the storage volume
+block.mount\_options    | string    | block based driver (lvm)  | same as volume.block.mount\_options   | storage           | Mount options for block devices
+security.unmapped       | bool      | custom volume             | false                                 | storage\_unmapped | Disable id mapping for the volume
+zfs.remove\_snapshots   | string    | zfs driver                | same as volume.zfs.remove\_snapshots  | storage           | Remove snapshots as needed
+zfs.use\_refquota       | string    | zfs driver                | same as volume.zfs.zfs\_requota       | storage           | Use refquota instead of quota for space.
 
 Storage volume configuration keys can be set using the lxc tool with:
 
diff --git a/lxd/storage.go b/lxd/storage.go
index 09878c68ad..3cb20f893b 100644
--- a/lxd/storage.go
+++ b/lxd/storage.go
@@ -411,6 +411,12 @@ func storagePoolVolumeAttachInit(s *state.State, poolName string, volumeName str
 
 	poolVolumePut := st.GetStoragePoolVolumeWritable()
 
+	// Check if unmapped
+	if shared.IsTrue(poolVolumePut.Config["security.unmapped"]) {
+		// No need to look at containers and maps for unmapped volumes
+		return st, nil
+	}
+
 	// get last idmapset
 	var lastIdmap *idmap.IdmapSet
 	if poolVolumePut.Config["volatile.idmap.last"] != "" {
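Review bot: The early return on `security.unmapped` skips all of the idmap handling that follows, so the one-line `// Check if unmapped` undersells what the container will see; the volume is attached with whatever ownership is currently on disk and nothing is recorded in `volatile.idmap.*` for this attach. A comment such as `// Unmapped volumes are attached with their current on-disk ownership; no idmap is tracked or applied for this container.` would make that explicit at the point where the shifting is bypassed. Note that `shared.IsTrue` treats any value other than a recognised true string as mapped, which is the safe default here and worth stating in the same comment. The enclosing function storagePoolVolumeAttachInit begins before and ends after this hunk.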
diff --git a/lxd/storage_volumes_config.go b/lxd/storage_volumes_config.go
index 5d59404d45..f45309063c 100644
--- a/lxd/storage_volumes_config.go
+++ b/lxd/storage_volumes_config.go
@@ -49,19 +49,27 @@ func updateStoragePoolVolumeError(unchangeable []string, driverName string) erro
 // property which can be manipulated by setting a root disk device "size"
 // property.
 var changeableStoragePoolVolumeProperties = map[string][]string{
-	"btrfs": {"size"},
+	"btrfs": {
+		"security.unmapped",
+		"size",
+	},
 
 	"ceph": {
 		"block.mount_options",
+		"security.unmapped",
 		"size"},
 
-	"dir": {""},
+	"dir": {
+		"security.unmapped",
+	},
 
 	"lvm": {
 		"block.mount_options",
+		"security.unmapped",
 		"size"},
 
 	"zfs": {
+		"security.unmapped",
 		"size",
 		"zfs.remove_snapshots",
 		"zfs.use_refquota"},
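Review bot: The new `"btrfs"` and `"dir"` entries use one element per line with a trailing comma and the closing brace on its own line, while the `"ceph"`, `"lvm"` and `"zfs"` entries in the same literal still close on the last element line (`"size"},`, `"zfs.use_refquota"},`); since the hunk already touches those three entries, it would be a good moment to bring them to the same shape, e.g. for ceph `"size",` followed by `},`. The map literal is otherwise fine and gofmt accepts both forms, so this is purely consistency within one declaration. The declaration of changeableStoragePoolVolumeProperties continues past the end of the hunk.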
@@ -80,6 +88,9 @@ var storageVolumeConfigKeys = map[string]func(value string) ([]string, error){
 	"block.mount_options": func(value string) ([]string, error) {
 		return []string{"ceph", "lvm"}, shared.IsAny(value)
 	},
+	"security.unmapped": func(value string) ([]string, error) {
+		return supportedPoolTypes, shared.IsBool(value)
+	},
 	"size": func(value string) ([]string, error) {
 		if value == "" {
 			return []string{"btrfs", "ceph", "lvm", "zfs"}, nil
diff --git a/lxd/storage_volumes_utils.go b/lxd/storage_volumes_utils.go
index 54076cab54..fc1e976f33 100644
--- a/lxd/storage_volumes_utils.go
+++ b/lxd/storage_volumes_utils.go
@@ -175,6 +175,13 @@ func storagePoolVolumeUpdate(state *state.State, poolName string, volumeName str
 		s.SetStoragePoolVolumeWritable(&newWritable)
 	}
 
+	// Unset idmap keys if volume is unmapped
+	if shared.IsTrue(newConfig["security.unmapped"]) {
+		delete(newConfig, "volatile.idmap.last")
+		delete(newConfig, "volatile.idmap.next")
+	}
+
+	// Get the pool ID
 	poolID, err := state.Cluster.StoragePoolGetID(poolName)
 	if err != nil {
 		return err
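Review bot: Deleting `volatile.idmap.last` and `volatile.idmap.next` when the key is set to true leaves nothing to restore if the key is later set back to false or unset: the on-disk ownership stays at whatever map was last applied, but the tracking that told the attach path about it is gone, so a subsequent attach would presumably treat the volume as unshifted and shift already-shifted files (the attach code is outside this hunk, so that is inferred). Either the true-to-false transition should be rejected in storagePoolVolumeUpdate, or the one-way nature should be stated next to the deletes, e.g. `// One-way switch: once unmapped, volatile.idmap.* state is dropped and on-disk ownership is left as-is; turning the key off again does not restore tracking.` and mirrored in doc/storage.md. The enclosing function storagePoolVolumeUpdate begins before and ends after this hunk.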
diff --git a/shared/version/api.go b/shared/version/api.go
index 7437a483b5..8aec2553a8 100644
--- a/shared/version/api.go
+++ b/shared/version/api.go
@@ -125,6 +125,7 @@ var APIExtensions = []string{
 	"candid_config",
 	"nvidia_runtime_config",
 	"storage_api_volume_snapshots",
+	"storage_unmapped",
 }
 
 // APIExtensionsCount returns the number of available API extensions.

