[lxc-devel] [lxd/master] Pre-shiftfs refactoring and cleanup

stgraber on Github lxc-bot at linuxcontainers.org
Wed Mar 27 21:55:37 UTC 2019


From 0da12addab789267082c6279e0624def452fd717 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 27 Mar 2019 17:49:33 -0400
Subject: [PATCH 1/4] lxd/storage: Rename shiftRootfs to initialShiftRootfs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/storage_btrfs.go  | 2 +-
 lxd/storage_ceph.go   | 2 +-
 lxd/storage_dir.go    | 2 +-
 lxd/storage_lvm.go    | 2 +-
 lxd/storage_shared.go | 2 +-
 lxd/storage_zfs.go    | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lxd/storage_btrfs.go b/lxd/storage_btrfs.go
index e371848e12..2d1d3bfffd 100644
--- a/lxd/storage_btrfs.go
+++ b/lxd/storage_btrfs.go
@@ -945,7 +945,7 @@ func (s *storageBtrfs) ContainerCreateFromImage(container container, fingerprint
 	}
 
 	if !container.IsPrivileged() {
-		err := s.shiftRootfs(container, nil)
+		err := s.initialShiftRootfs(container, nil)
 		if err != nil {
 			s.ContainerDelete(container)
 			return errors.Wrap(err, "Failed to shift rootfs")
diff --git a/lxd/storage_ceph.go b/lxd/storage_ceph.go
index 71f834e249..21e513966d 100644
--- a/lxd/storage_ceph.go
+++ b/lxd/storage_ceph.go
@@ -973,7 +973,7 @@ func (s *storageCeph) ContainerCreateFromImage(container container, fingerprint
 	}
 
 	if !privileged {
-		err := s.shiftRootfs(container, nil)
+		err := s.initialShiftRootfs(container, nil)
 		if err != nil {
 			logger.Errorf(`Failed to shift rootfs for container "%s": %s`, containerName, err)
 			return err
diff --git a/lxd/storage_dir.go b/lxd/storage_dir.go
index 6fe7b3e5b1..046fd8d600 100644
--- a/lxd/storage_dir.go
+++ b/lxd/storage_dir.go
@@ -549,7 +549,7 @@ func (s *storageDir) ContainerCreateFromImage(container container, imageFingerpr
 	}
 
 	if !privileged {
-		err := s.shiftRootfs(container, nil)
+		err := s.initialShiftRootfs(container, nil)
 		if err != nil {
 			return errors.Wrap(err, "Shift rootfs")
 		}
diff --git a/lxd/storage_lvm.go b/lxd/storage_lvm.go
index 0a9c3adb72..34d521c985 100644
--- a/lxd/storage_lvm.go
+++ b/lxd/storage_lvm.go
@@ -1060,7 +1060,7 @@ func (s *storageLvm) ContainerCreateFromImage(container container, fingerprint s
 	}
 
 	if !container.IsPrivileged() {
-		err := s.shiftRootfs(container, nil)
+		err := s.initialShiftRootfs(container, nil)
 		if err != nil {
 			return errors.Wrap(err, "Shift rootfs")
 		}
diff --git a/lxd/storage_shared.go b/lxd/storage_shared.go
index 74f8d19c2e..acea19e4a4 100644
--- a/lxd/storage_shared.go
+++ b/lxd/storage_shared.go
@@ -36,7 +36,7 @@ func (s *storageShared) GetStorageTypeVersion() string {
 	return s.sTypeVersion
 }
 
-func (s *storageShared) shiftRootfs(c container, skipper func(dir string, absPath string, fi os.FileInfo) bool) error {
+func (s *storageShared) initialShiftRootfs(c container, skipper func(dir string, absPath string, fi os.FileInfo) bool) error {
 	dpath := c.Path()
 	rpath := c.RootfsPath()
 
diff --git a/lxd/storage_zfs.go b/lxd/storage_zfs.go
index 0c0f169f4b..a678121c7e 100644
--- a/lxd/storage_zfs.go
+++ b/lxd/storage_zfs.go
@@ -920,7 +920,7 @@ func (s *storageZfs) ContainerCreateFromImage(container container, fingerprint s
 	}
 
 	if !privileged {
-		err = s.shiftRootfs(container, zfsIdmapSetSkipper)
+		err = s.initialShiftRootfs(container, zfsIdmapSetSkipper)
 		if err != nil {
 			return err
 		}

From 1f9a064daeb0a318610cafcc7ba4cd436607f2ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 27 Mar 2019 17:50:24 -0400
Subject: [PATCH 2/4] lxd: Detect shiftfs availability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/api_1.0.go | 1 +
 lxd/daemon.go  | 7 +++++++
 lxd/sys/os.go  | 1 +
 3 files changed, 9 insertions(+)

diff --git a/lxd/api_1.0.go b/lxd/api_1.0.go
index 249691f342..9f87b89c90 100644
--- a/lxd/api_1.0.go
+++ b/lxd/api_1.0.go
@@ -205,6 +205,7 @@ func api10Get(d *Daemon, r *http.Request) Response {
 		"netnsid_getifaddrs": fmt.Sprintf("%v", d.os.NetnsGetifaddrs),
 		"uevent_injection":   fmt.Sprintf("%v", d.os.UeventInjection),
 		"unpriv_fscaps":      fmt.Sprintf("%v", d.os.VFS3Fscaps),
+		"shiftfs":            fmt.Sprintf("%v", d.os.Shiftfs),
 	}
 
 	drivers := readStoragePoolDriversCache()
diff --git a/lxd/daemon.go b/lxd/daemon.go
index 9059174b97..8aabd26614 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -508,6 +508,13 @@ func (d *Daemon) init() error {
 		logger.Infof(" - unprivileged file capabilities: no")
 	}
 
+	if util.LoadModule("shiftfs") == nil {
+		d.os.Shiftfs = true
+		logger.Infof(" - shiftfs support: yes")
+	} else {
+		logger.Infof(" - shiftfs support: no")
+	}
+
 	/* Initialize the database */
 	dump, err := initializeDbObject(d)
 	if err != nil {
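Review bot: The new check at `util.LoadModule("shiftfs") == nil` sets `d.os.Shiftfs = true` on the strength of a module load alone, and the failure branch drops the error, so an operator who expected shiftfs gets "no" with nothing to act on. If `LoadModule` does a modprobe, as the name suggests, this probe also changes kernel state as a side effect of daemon start; a passive check (e.g. the filesystem being listed in `/proc/filesystems`) before falling back to loading would be less surprising. At minimum keep the error: `if err := util.LoadModule("shiftfs"); err == nil {` … `} else { logger.Debugf(" - shiftfs support: no (%v)", err) }`. Note too that a loadable module does not prove a shiftfs mount will be permitted on this kernel, so anything downstream that acts on `d.os.Shiftfs` should still handle the mount failing. `init()` continues outside the hunk.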
diff --git a/lxd/sys/os.go b/lxd/sys/os.go
index 8625cd804d..4d548734fa 100644
--- a/lxd/sys/os.go
+++ b/lxd/sys/os.go
@@ -61,6 +61,7 @@ type OS struct {
 	NetnsGetifaddrs         bool
 	UeventInjection         bool
 	VFS3Fscaps              bool
+	Shiftfs                 bool
 
 	MockMode bool // If true some APIs will be mocked (for testing)
 }

From 05617be0a763f198bc2208f2074eb5c078edc59b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 27 Mar 2019 17:52:23 -0400
Subject: [PATCH 3/4] lxd/containers: Use LXC hook version 1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container_lxc.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 33ff63ad36..e9ddc8154d 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1149,6 +1149,11 @@ func (c *containerLXC) initLXC(config bool) error {
 	}
 
 	// Setup the hooks
+	err = lxcSetConfigItem(cc, "lxc.hook.version", "1")
+	if err != nil {
+		return err
+	}
+
 	err = lxcSetConfigItem(cc, "lxc.hook.pre-start", fmt.Sprintf("%s callhook %s %d start", c.state.OS.ExecPath, shared.VarPath(""), c.id))
 	if err != nil {
 		return err
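Review bot: The new `lxc.hook.version` setting is applied unconditionally with no comment saying why, and on a liblxc that does not know the key `lxcSetConfigItem` will fail and take the whole `initLXC` with it. If LXD here still supports liblxc releases older than 3.0 (where, as far as I recall, `lxc.hook.version` was introduced), gate it on the runtime liblxc version the way other version-dependent keys in this file are handled; if liblxc 3.0 is already the floor, a one-line comment should say so. Either way add the rationale above the call, e.g. `// Hook version 1: liblxc passes hook context via LXC_* environment variables instead of positional arguments`. `initLXC` starts and ends outside the hunk.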

From 6ab23d786e0ecb8bff3b86bd8f909dd6ca7f7d18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 27 Mar 2019 17:53:45 -0400
Subject: [PATCH 4/4] lxd/containers: Fix owner/mode of container path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container_lxc.go | 55 ++++++++++++++++++++------------------------
 1 file changed, 25 insertions(+), 30 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index e9ddc8154d..32b6baa790 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -2038,36 +2038,6 @@ func (c *containerLXC) startCommon() (string, error) {
 			}
 		}
 
-		var mode os.FileMode
-		var uid int64
-		var gid int64
-
-		if c.IsPrivileged() {
-			mode = 0700
-		} else {
-			mode = 0755
-			if idmap != nil {
-				uid, gid = idmap.ShiftIntoNs(0, 0)
-			}
-		}
-
-		err = os.Chmod(c.Path(), mode)
-		if err != nil {
-			return "", err
-		}
-
-		err = os.Chown(c.Path(), int(uid), int(gid))
-		if err != nil {
-			return "", err
-		}
-
-		if ourStart {
-			_, err = c.StorageStop()
-			if err != nil {
-				return "", err
-			}
-		}
-
 		c.updateProgress("")
 	}
 
@@ -2411,6 +2381,31 @@ func (c *containerLXC) startCommon() (string, error) {
 		return "", err
 	}
 
+	// Undo liblxc modifying container directory ownership
+	err = os.Chown(c.Path(), 0, 0)
+	if err != nil {
+		if ourStart {
+			c.StorageStop()
+		}
+		return "", err
+	}
+
+	// Set right permission to allow traversal
+	var mode os.FileMode
+	if c.IsPrivileged() {
+		mode = 0700
+	} else {
+		mode = 0711
+	}
+
+	err = os.Chmod(c.Path(), mode)
+	if err != nil {
+		if ourStart {
+			c.StorageStop()
+		}
+		return "", err
+	}
+
 	// Update the backup.yaml file
 	err = writeBackupFile(c)
 	if err != nil {
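Review bot: Both new error paths discard the result of `c.StorageStop()` and return the bare `os.Chown`/`os.Chmod` error with no context, and they duplicate the same cleanup, so a failure here surfaces as an unexplained "operation not permitted" while a storage-stop failure vanishes entirely. The ownership reset itself looks like a hardening: the directory ends up root-owned (no longer the mapped container root as in the removed code) and 0711 lets the container's root traverse without listing or modifying it, which is worth stating in the comment, along with what liblxc does to the directory that needs undoing. I would fold the cleanup into one helper and wrap the errors as the storage backends in this series do (`errors.Wrap` at the btrfs/dir/lvm call sites); the excerpt below uses `fmt.Errorf` since `fmt` is visibly imported in this file and I cannot see whether `errors` is. `startCommon` starts well before the hunk.
```go
	// liblxc changes the ownership of the container directory during setup;
	// reset it to host root so only root can modify it, and make it 0711 for
	// unprivileged containers so the mapped container root can traverse but
	// not list or alter it.
	fail := func(err error, msg string) (string, error) {
		if ourStart {
			if _, stopErr := c.StorageStop(); stopErr != nil {
				logger.Warnf("Failed to stop storage after start error: %v", stopErr)
			}
		}
		return "", fmt.Errorf("%s: %v", msg, err)
	}

	if err := os.Chown(c.Path(), 0, 0); err != nil {
		return fail(err, "Failed to reset ownership of container path")
	}

	// … unchanged: mode selection (0700 privileged, 0711 unprivileged) …

	if err := os.Chmod(c.Path(), mode); err != nil {
		return fail(err, "Failed to set mode of container path")
	}
```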

