[lxc-devel] [lxd/master] Export LXC features in API

stgraber on Github lxc-bot at linuxcontainers.org
Wed May 8 21:18:55 UTC 2019 

A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 301 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20190508/8f8c835d/attachment-0001.bin>
-------------- next part --------------
From f33e1ca2f2a0683cbb05a0139e479c4d7f604165 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 8 May 2019 17:03:32 -0400
Subject: [PATCH 1/5] lxd/sys: Cleanup State struct
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/sys/os.go | 50 ++++++++++++++++++++++++++++----------------------
 1 file changed, 28 insertions(+), 22 deletions(-)

diff --git a/lxd/sys/os.go b/lxd/sys/os.go
index e65f4eb173..a880b71214 100644
--- a/lxd/sys/os.go
+++ b/lxd/sys/os.go
@@ -31,25 +31,32 @@ type InotifyInfo struct {
 // OS is a high-level facade for accessing all operating-system
 // level functionality that LXD uses.
 type OS struct {
-	VarDir   string // Data directory (e.g. /var/lib/lxd/).
+	// Directories
 	CacheDir string // Cache directory (e.g. /var/cache/lxd/).
 	LogDir   string // Log directory (e.g. /var/log/lxd).
+	VarDir   string // Data directory (e.g. /var/lib/lxd/).
 
-	// Caches of system characteristics detected at Init() time.
-	Architectures           []int           // Cache of detected system architectures
-	LxcPath                 string          // Path to the $LXD_DIR/containers directory
-	BackingFS               string          // Backing filesystem of $LXD_DIR/containers
-	IdmapSet                *idmap.IdmapSet // Information about user/group ID mapping
-	ExecPath                string          // Absolute path to the LXD executable
-	RunningInUserNS         bool
-	AppArmorAvailable       bool
-	AppArmorStacking        bool
-	AppArmorStacked         bool
-	AppArmorAdmin           bool
-	AppArmorConfined        bool
+	// Daemon environment
+	Architectures   []int           // Cache of detected system architectures
+	BackingFS       string          // Backing filesystem of $LXD_DIR/containers
+	ExecPath        string          // Absolute path to the LXD executable
+	IdmapSet        *idmap.IdmapSet // Information about user/group ID mapping
+	InotifyWatch    InotifyInfo
+	LxcPath         string // Path to the $LXD_DIR/containers directory
+	MockMode        bool   // If true some APIs will be mocked (for testing)
+	RunningInUserNS bool
+
+	// Apparmor features
+	AppArmorAdmin     bool
+	AppArmorAvailable bool
+	AppArmorConfined  bool
+	AppArmorStacked   bool
+	AppArmorStacking  bool
+
+	// Cgroup features
 	CGroupBlkioController   bool
-	CGroupCPUController     bool
 	CGroupCPUacctController bool
+	CGroupCPUController     bool
 	CGroupCPUsetController  bool
 	CGroupDevicesController bool
 	CGroupFreezerController bool
@@ -57,14 +64,13 @@ type OS struct {
 	CGroupNetPrioController bool
 	CGroupPidsController    bool
 	CGroupSwapAccounting    bool
-	InotifyWatch            InotifyInfo
-	NetnsGetifaddrs         bool
-	UeventInjection         bool
-	SeccompListener         bool
-	VFS3Fscaps              bool
-	Shiftfs                 bool
-
-	MockMode bool // If true some APIs will be mocked (for testing)
+
+	// Kernel features
+	NetnsGetifaddrs bool
+	SeccompListener bool
+	Shiftfs         bool
+	UeventInjection bool
+	VFS3Fscaps      bool
 }
 
 // DefaultOS returns a fresh uninitialized OS instance with default values.

From 22650cc76949432a98c822e47ff1450881b965f9 Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Wed, 8 May 2019 11:50:07 +0100
Subject: [PATCH 2/5] lxd/api: Add lxc_features to /1.0

Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
 lxd/api_1.0.go |  7 +++++++
 lxd/daemon.go  | 11 +++++++++++
 lxd/sys/os.go  |  3 +++
 3 files changed, 21 insertions(+)

diff --git a/lxd/api_1.0.go b/lxd/api_1.0.go
index f06cd18384..c794c2ff6f 100644
--- a/lxd/api_1.0.go
+++ b/lxd/api_1.0.go
@@ -211,6 +211,13 @@ func api10Get(d *Daemon, r *http.Request) Response {
 		"shiftfs":            fmt.Sprintf("%v", d.os.Shiftfs),
 	}
 
+	if d.os.LXCFeatures != nil {
+		env.LXCFeatures = map[string]string{}
+		for k, v := range d.os.LXCFeatures {
+			env.LXCFeatures[k] = fmt.Sprintf("%v", v)
+		}
+	}
+
 	drivers := readStoragePoolDriversCache()
 	for driver, version := range drivers {
 		if env.Storage != "" {
diff --git a/lxd/daemon.go b/lxd/daemon.go
index 3f9d572a7d..966c562baf 100644
--- a/lxd/daemon.go
+++ b/lxd/daemon.go
@@ -21,6 +21,7 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/pkg/errors"
 	"golang.org/x/net/context"
+	"gopkg.in/lxc/go-lxc.v2"
 	"gopkg.in/macaroon-bakery.v2/bakery"
 	"gopkg.in/macaroon-bakery.v2/bakery/checkers"
 	"gopkg.in/macaroon-bakery.v2/bakery/identchecker"
@@ -576,6 +577,16 @@ func (d *Daemon) init() error {
 		logger.Infof(" - shiftfs support: no")
 	}
 
+	// Detect LXC features
+	d.os.LXCFeatures = map[string]bool{}
+	lxcExtensions := []string{
+		"mount_injection_file",
+		"seccomp_notify",
+	}
+	for _, extension := range lxcExtensions {
+		d.os.LXCFeatures[extension] = lxc.HasApiExtension(extension)
+	}
+
 	/* Initialize the database */
 	dump, err := initializeDbObject(d)
 	if err != nil {
diff --git a/lxd/sys/os.go b/lxd/sys/os.go
index a880b71214..8a507f99d7 100644
--- a/lxd/sys/os.go
+++ b/lxd/sys/os.go
@@ -71,6 +71,9 @@ type OS struct {
 	Shiftfs         bool
 	UeventInjection bool
 	VFS3Fscaps      bool
+
+	// LXC features
+	LXCFeatures map[string]bool
 }
 
 // DefaultOS returns a fresh uninitialized OS instance with default values.

From 55292f1d3418f05ff4d9c0cd9c7c3f9354cf1c86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 8 May 2019 17:11:40 -0400
Subject: [PATCH 3/5] api: Add lxc_features extension
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 doc/api-extensions.md | 5 +++++
 shared/version/api.go | 1 +
 2 files changed, 6 insertions(+)

diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index d1d803ca77..4320b8509f 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -757,3 +757,8 @@ migration is required.
 If the kernel supports seccomp-based syscall interception LXD can be notified
 by a container that a registered syscall has been performed. LXD can then
 decide to trigger various actions.
+
+## lxc\_features
+This introduces the `lxc_features` section output from the `lxc info` command
+via the `GET /1.0/` route. It outputs the result of checks for key features being present in the
+underlying LXC library.
diff --git a/shared/version/api.go b/shared/version/api.go
index 8a0ee9b1fb..2064b6f86e 100644
--- a/shared/version/api.go
+++ b/shared/version/api.go
@@ -152,6 +152,7 @@ var APIExtensions = []string{
 	"rbac",
 	"cluster_internal_copy",
 	"seccomp_notify",
+	"lxc_features",
 }
 
 // APIExtensionsCount returns the number of available API extensions.

From 772ef987fe487d23b84fd6f2453193897f722b79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 8 May 2019 17:12:46 -0400
Subject: [PATCH 4/5] shared/api: Add lxc_features
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 shared/api/server.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/shared/api/server.go b/shared/api/server.go
index b2d961179f..c40b44e410 100644
--- a/shared/api/server.go
+++ b/shared/api/server.go
@@ -16,6 +16,9 @@ type ServerEnvironment struct {
 
 	KernelVersion string `json:"kernel_version" yaml:"kernel_version"`
 
+	// API extension: lxc_features
+	LXCFeatures map[string]string `json:"lxc_features" yaml:"lxc_features"`
+
 	// API extension: projects
 	Project string `json:"project" yaml:"project"`
 

From 080b481baf9482f251eaffa6f122c32024e0c48e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Wed, 8 May 2019 17:18:02 -0400
Subject: [PATCH 5/5] lxd: Port from HasApiExtension to LXCFeatures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 lxd/container_lxc.go | 8 ++++----
 lxd/seccomp.go       | 5 ++---
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 508a8db697..995b48961d 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1802,7 +1802,7 @@ func (c *containerLXC) initLXC(config bool) error {
 	}
 
 	// Setup shmounts
-	if lxc.HasApiExtension("mount_injection_file") {
+	if c.state.OS.LXCFeatures["mount_injection_file"] {
 		err = lxcSetConfigItem(cc, "lxc.mount.auto", fmt.Sprintf("shmounts:%s:/dev/.lxd-mounts", c.ShmountsPath()))
 	} else {
 		err = lxcSetConfigItem(cc, "lxc.mount.entry", fmt.Sprintf("%s dev/.lxd-mounts none bind,create=dir 0 0", c.ShmountsPath()))
@@ -1811,7 +1811,7 @@ func (c *containerLXC) initLXC(config bool) error {
 		return err
 	}
 
-	if !c.IsPrivileged() && !c.state.OS.RunningInUserNS && lxc.HasApiExtension("seccomp_notify") && c.DaemonState().OS.SeccompListener {
+	if !c.IsPrivileged() && !c.state.OS.RunningInUserNS && c.state.OS.LXCFeatures["seccomp_notify"] && c.DaemonState().OS.SeccompListener {
 		// NOTE: Don't fail in cases where liblxc is recent enough but libseccomp isn't
 		//       when we add mount() support with user-configurable
 		//       options, we will want a hard fail if the user configured it
@@ -6604,7 +6604,7 @@ func (c *containerLXC) insertMount(source, target, fstype string, flags int) err
 		return fmt.Errorf("Can't insert mount into stopped container")
 	}
 
-	if lxc.HasApiExtension("mount_injection_file") {
+	if c.state.OS.LXCFeatures["mount_injection_file"] {
 		cname := projectPrefix(c.Project(), c.Name())
 		configPath := filepath.Join(c.LogPath(), "lxc.conf")
 		if fstype == "" {
@@ -6672,7 +6672,7 @@ func (c *containerLXC) removeMount(mount string) error {
 		return fmt.Errorf("Can't remove mount from stopped container")
 	}
 
-	if lxc.HasApiExtension("mount_injection_file") {
+	if c.state.OS.LXCFeatures["mount_injection_file"] {
 		configPath := filepath.Join(c.LogPath(), "lxc.conf")
 		cname := projectPrefix(c.Project(), c.Name())
 
diff --git a/lxd/seccomp.go b/lxd/seccomp.go
index 90a934a750..a20afe4dfb 100644
--- a/lxd/seccomp.go
+++ b/lxd/seccomp.go
@@ -15,8 +15,6 @@ import (
 
 	"golang.org/x/sys/unix"
 
-	"gopkg.in/lxc/go-lxc.v2"
-
 	"github.com/lxc/lxd/lxd/util"
 	"github.com/lxc/lxd/shared"
 	"github.com/lxc/lxd/shared/logger"
@@ -253,7 +251,8 @@ func getSeccompProfileContent(c container) (string, error) {
 		policy += DEFAULT_SECCOMP_POLICY
 	}
 
-	if !c.IsPrivileged() && !c.DaemonState().OS.RunningInUserNS && lxc.HasApiExtension("seccomp_notify") && c.DaemonState().OS.SeccompListener {
+	os := c.DaemonState().OS
+	if !c.IsPrivileged() && !os.RunningInUserNS && os.LXCFeatures["seccomp_notify"] && os.SeccompListener {
 		policy += SECCOMP_NOTIFY_POLICY
 	}

More information about the lxc-devel mailing list