[lxc-devel] [lxd/master] Pre-shiftfs refactoring and cleanup
stgraber on Github
lxc-bot at linuxcontainers.org
Wed Mar 27 21:55:37 UTC 2019
From 0da12addab789267082c6279e0624def452fd717 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 27 Mar 2019 17:49:33 -0400
Subject: [PATCH 1/4] lxd/storage: Rename shiftRootfs to initialShiftRootfs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/storage_btrfs.go | 2 +-
lxd/storage_ceph.go | 2 +-
lxd/storage_dir.go | 2 +-
lxd/storage_lvm.go | 2 +-
lxd/storage_shared.go | 2 +-
lxd/storage_zfs.go | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/lxd/storage_btrfs.go b/lxd/storage_btrfs.go
index e371848e12..2d1d3bfffd 100644
--- a/lxd/storage_btrfs.go
+++ b/lxd/storage_btrfs.go
@@ -945,7 +945,7 @@ func (s *storageBtrfs) ContainerCreateFromImage(container container, fingerprint
}
if !container.IsPrivileged() {
- err := s.shiftRootfs(container, nil)
+ err := s.initialShiftRootfs(container, nil)
if err != nil {
s.ContainerDelete(container)
return errors.Wrap(err, "Failed to shift rootfs")
diff --git a/lxd/storage_ceph.go b/lxd/storage_ceph.go
index 71f834e249..21e513966d 100644
--- a/lxd/storage_ceph.go
+++ b/lxd/storage_ceph.go
@@ -973,7 +973,7 @@ func (s *storageCeph) ContainerCreateFromImage(container container, fingerprint
}
if !privileged {
- err := s.shiftRootfs(container, nil)
+ err := s.initialShiftRootfs(container, nil)
if err != nil {
logger.Errorf(`Failed to shift rootfs for container "%s": %s`, containerName, err)
return err
diff --git a/lxd/storage_dir.go b/lxd/storage_dir.go
index 6fe7b3e5b1..046fd8d600 100644
--- a/lxd/storage_dir.go
+++ b/lxd/storage_dir.go
@@ -549,7 +549,7 @@ func (s *storageDir) ContainerCreateFromImage(container container, imageFingerpr
}
if !privileged {
- err := s.shiftRootfs(container, nil)
+ err := s.initialShiftRootfs(container, nil)
if err != nil {
return errors.Wrap(err, "Shift rootfs")
}
diff --git a/lxd/storage_lvm.go b/lxd/storage_lvm.go
index 0a9c3adb72..34d521c985 100644
--- a/lxd/storage_lvm.go
+++ b/lxd/storage_lvm.go
@@ -1060,7 +1060,7 @@ func (s *storageLvm) ContainerCreateFromImage(container container, fingerprint s
}
if !container.IsPrivileged() {
- err := s.shiftRootfs(container, nil)
+ err := s.initialShiftRootfs(container, nil)
if err != nil {
return errors.Wrap(err, "Shift rootfs")
}
diff --git a/lxd/storage_shared.go b/lxd/storage_shared.go
index 74f8d19c2e..acea19e4a4 100644
--- a/lxd/storage_shared.go
+++ b/lxd/storage_shared.go
@@ -36,7 +36,7 @@ func (s *storageShared) GetStorageTypeVersion() string {
return s.sTypeVersion
}
-func (s *storageShared) shiftRootfs(c container, skipper func(dir string, absPath string, fi os.FileInfo) bool) error {
+func (s *storageShared) initialShiftRootfs(c container, skipper func(dir string, absPath string, fi os.FileInfo) bool) error {
dpath := c.Path()
rpath := c.RootfsPath()
diff --git a/lxd/storage_zfs.go b/lxd/storage_zfs.go
index 0c0f169f4b..a678121c7e 100644
--- a/lxd/storage_zfs.go
+++ b/lxd/storage_zfs.go
@@ -920,7 +920,7 @@ func (s *storageZfs) ContainerCreateFromImage(container container, fingerprint s
}
if !privileged {
- err = s.shiftRootfs(container, zfsIdmapSetSkipper)
+ err = s.initialShiftRootfs(container, zfsIdmapSetSkipper)
if err != nil {
return err
}
From 1f9a064daeb0a318610cafcc7ba4cd436607f2ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 27 Mar 2019 17:50:24 -0400
Subject: [PATCH 2/4] lxd: Detect shiftfs availability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/api_1.0.go | 1 +
lxd/daemon.go | 7 +++++++
lxd/sys/os.go | 1 +
3 files changed, 9 insertions(+)
diff --git a/lxd/api_1.0.go b/lxd/api_1.0.go
index 249691f342..9f87b89c90 100644
--- a/lxd/api_1.0.go
+++ b/lxd/api_1.0.go
@@ -205,6 +205,7 @@ func api10Get(d *Daemon, r *http.Request) Response {
"netnsid_getifaddrs": fmt.Sprintf("%v", d.os.NetnsGetifaddrs),
"uevent_injection": fmt.Sprintf("%v", d.os.UeventInjection),
"unpriv_fscaps": fmt.Sprintf("%v", d.os.VFS3Fscaps),
+ "shiftfs": fmt.Sprintf("%v", d.os.Shiftfs),
}
drivers := readStoragePoolDriversCache()
diff --git a/lxd/daemon.go b/lxd/daemon.go
index 9059174b97..8aabd26614 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -508,6 +508,13 @@ func (d *Daemon) init() error {
logger.Infof(" - unprivileged file capabilities: no")
}
+ if util.LoadModule("shiftfs") == nil {
+ d.os.Shiftfs = true
+ logger.Infof(" - shiftfs support: yes")
+ } else {
+ logger.Infof(" - shiftfs support: no")
+ }
+
/* Initialize the database */
dump, err := initializeDbObject(d)
if err != nil {
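Review bot: The new check `util.LoadModule("shiftfs") == nil` sets `d.os.Shiftfs` as soon as the module loads, but a loaded module is not the same as a mountable one: a host can carry shiftfs while the mount is refused in the daemon's environment (LSM policy, a restricted mount namespace), so code that later trusts the flag would only discover this at mount time. Consider probing an actual mount on a scratch directory before setting the flag, or at least documenting the weaker meaning, e.g. `// Shiftfs only records that the module loaded; mountability is verified when a mount is attempted`. Since the probe also tries to load a kernel module as a side effect of daemon start, that side effect deserves a comment too, and the flag surfaced through the API in the api_1.0.go hunk inherits the same caveat. init starts and ends outside the hunk.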
diff --git a/lxd/sys/os.go b/lxd/sys/os.go
index 8625cd804d..4d548734fa 100644
--- a/lxd/sys/os.go
+++ b/lxd/sys/os.go
@@ -61,6 +61,7 @@ type OS struct {
NetnsGetifaddrs bool
UeventInjection bool
VFS3Fscaps bool
+ Shiftfs bool
MockMode bool // If true some APIs will be mocked (for testing)
}
From 05617be0a763f198bc2208f2074eb5c078edc59b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 27 Mar 2019 17:52:23 -0400
Subject: [PATCH 3/4] lxd/containers: Use LXC hook version 1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/container_lxc.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 33ff63ad36..e9ddc8154d 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1149,6 +1149,11 @@ func (c *containerLXC) initLXC(config bool) error {
}
// Setup the hooks
+ err = lxcSetConfigItem(cc, "lxc.hook.version", "1")
+ if err != nil {
+ return err
+ }
+
err = lxcSetConfigItem(cc, "lxc.hook.pre-start", fmt.Sprintf("%s callhook %s %d start", c.state.OS.ExecPath, shared.VarPath(""), c.id))
if err != nil {
return err
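Review bot: The new `lxc.hook.version` line carries no comment on why version 1 is chosen, and the setting presumably changes how liblxc hands context to every hook configured below it (environment variables rather than the positional arguments appended under version 0), so a hook that still parses appended arguments would break without an obvious error. Suggest `// Hook version 1: liblxc passes hook context through environment variables instead of appending positional arguments; every hook below must rely only on the arguments given here` and confirming that `callhook` and the other hooks set further down use only explicitly supplied arguments. initLXC starts and ends outside the hunk.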
From 6ab23d786e0ecb8bff3b86bd8f909dd6ca7f7d18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 27 Mar 2019 17:53:45 -0400
Subject: [PATCH 4/4] lxd/containers: Fix owner/mode of container path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/container_lxc.go | 55 ++++++++++++++++++++------------------------
1 file changed, 25 insertions(+), 30 deletions(-)
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index e9ddc8154d..32b6baa790 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -2038,36 +2038,6 @@ func (c *containerLXC) startCommon() (string, error) {
}
}
- var mode os.FileMode
- var uid int64
- var gid int64
-
- if c.IsPrivileged() {
- mode = 0700
- } else {
- mode = 0755
- if idmap != nil {
- uid, gid = idmap.ShiftIntoNs(0, 0)
- }
- }
-
- err = os.Chmod(c.Path(), mode)
- if err != nil {
- return "", err
- }
-
- err = os.Chown(c.Path(), int(uid), int(gid))
- if err != nil {
- return "", err
- }
-
- if ourStart {
- _, err = c.StorageStop()
- if err != nil {
- return "", err
- }
- }
-
c.updateProgress("")
}
@@ -2411,6 +2381,31 @@ func (c *containerLXC) startCommon() (string, error) {
return "", err
}
+ // Undo liblxc modifying container directory ownership
+ err = os.Chown(c.Path(), 0, 0)
+ if err != nil {
+ if ourStart {
+ c.StorageStop()
+ }
+ return "", err
+ }
+
+ // Set right permission to allow traversal
+ var mode os.FileMode
+ if c.IsPrivileged() {
+ mode = 0700
+ } else {
+ mode = 0711
+ }
+
+ err = os.Chmod(c.Path(), mode)
+ if err != nil {
+ if ourStart {
+ c.StorageStop()
+ }
+ return "", err
+ }
+
// Update the backup.yaml file
err = writeBackupFile(c)
if err != nil {
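Review bot: Both error paths in the new block call `c.StorageStop()` and discard its return values, so a storage that fails to unmount during cleanup leaves no trace while the original error is returned; the removed code in the earlier hunk at least checked that result. If a logger is in scope in this file, `if _, stopErr := c.StorageStop(); stopErr != nil { logger.Warnf("Failed to stop storage after start failure: %v", stopErr) }` keeps the cleanup best-effort but visible. The two bare `return "", err` lines also lose which step failed; wrapping them, for instance `errors.Wrap(err, "Failed to reset container path ownership")` and `errors.Wrap(err, "Failed to set container path mode")`, matches the style the storage backends use in this series. For an unprivileged container the directory now ends up root-owned with mode 0711 instead of container-root-owned with 0755, which appears to be the intent and tightens listing access, but the comment `// Set right permission to allow traversal` could state why 0711 suffices: the container's mapped root only needs to traverse into its rootfs, not list the parent. startCommon begins and ends outside the hunk.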