[lxc-devel] Understanding - LXCFS source code to add /sys/power/state as an entry in LXCFS

Souvik Datta sd.souvikdatta at gmail.com
Sat Jun 6 03:04:37 UTC 2020


Thanks Stephane. Yes, I understand your point and completely agree.
However, can you please let me know the issue, why I am not able to
add /sys/power/state in the FUSE?

Thanks and Regards,
Souvik

On 6/6/20, Stéphane Graber <stgraber at stgraber.org> wrote:
> LXCFS' goal is to show accurate resource information in containers.
>
> It's not meant as a security mechanism nor can it be used as one.
> If all you're trying to do is prevent access to /sys/power/state,
> you'll want to use an LSM for this or just use an unprivileged
> container which won't be able to interfere with this in the first
> place.
>
> LXCFS's files can be trivially unmounted from the container revealing
> the file they're hiding. That's perfectly fine as LXCFS is meant to
> provide better data to containers and isn't a security mechanism.
>
> On Fri, Jun 5, 2020 at 3:51 AM Souvik Datta <sd.souvikdatta at gmail.com>
> wrote:
>>
>> Thanks Christian.
>> I am using in a VirtualBox inside which I am running lxcfs
>> Distributor ID: Ubuntu
>> Description:    Ubuntu 18.04.4 LTS
>> Release:        18.04
>> Codename:       bionic
>>
>> the source code version of lxcfs that I am using is:- 4.0.0
>>
>> My objective is to prevent the OS, running inside LXC (as privileged
>> system container), from changing the power state of the system and in
>> that respect, I am trying to virtualize the file /sys/power/state
>>
>> Can you kindly provide the significance of the following:
>> - What is the significance of "api_extensions"? It seems it is not used
>> anywhere except as console logs as part of liblxcfs.so init function.
>> - Can you please explain, before calling - fuse_main(nargs, newargv,
>> &lxcfs_ops, opts() [in src/lxcfs.c], what is happening in the
>> "constructor" of liblxcfs.so [src/bindings.c] library?
>> I am using Ubuntu
>>
>>
>> - I have made following additions in src/bindings.h and
>> src/sysfs_fuse.c to show /sys/power/state in the fuse FS.
>>
>> In src/bindings.h:-
>> -------------------
>> Added following:-
>>
>>         LXC_TYPE_SYS_POWER,
>>         LXC_TYPE_SYS_POWER_STATE,
>> #define LXC_TYPE_SYS_POWER_STATE_PATH "/sys/power/state"
>>
>> In src/sysfs_fuse.c:-
>> ---------------------
>> Added following:-
>>
>> In function:
>>
>> [1] __lxcfs_fuse_ops int sys_getattr(const char *path, struct stat *sb)
>>
>> #if 1
>>         if (strcmp(path, "/sys/power") == 0) {
>>                 sb->st_mode = S_IFDIR | 00555;
>>                 sb->st_nlink = 2;
>>                 return 0;
>>         }
>>
>>
>>         if (strcmp(path, "/sys/power/state") == 0) {
>>                 sb->st_size = 0;
>>                 sb->st_mode = S_IFREG | 00444;
>>                 sb->st_nlink = 1;
>>                 return 0;
>>         }
>>
>> #endif
>>
>> [2] __lxcfs_fuse_ops int sys_readdir(const char *path, void *buf,
>> fuse_fill_dir_t filler, off_t offset, struct fuse_file_info *fi)
>> #if 1
>>         if (strcmp(path, "/sys/power") == 0) {
>>                 if (filler(buf, ".",            NULL, 0) != 0 ||
>>                     filler(buf, "..",           NULL, 0) != 0 ||
>>                     filler(buf, "state",        NULL, 0) != 0)
>>                         return -ENOENT;
>>
>>                 return 0;
>>         }
>>
>> #endif
>>
>> [3] __lxcfs_fuse_ops int sys_open(const char *path, struct fuse_file_info
>> *fi)
>>
>> #if 1
>>         if (strcmp(path, "/sys/power") == 0)
>>                 type = LXC_TYPE_SYS_POWER;
>>         if (strcmp(path, "/sys/power/state") == 0)
>>                 type = LXC_TYPE_SYS_POWER_STATE;
>> #endif
>>
>> [4] __lxcfs_fuse_ops int sys_access(const char *path, int mask)
>> #if 1
>>
>>         if (strcmp(path, "/sys/power") == 0 &&
>>             access(path, R_OK) == 0)
>>                 return 0;
>> #endif
>>
>> [5] __lxcfs_fuse_ops int sys_releasedir(const char *path, struct
>> fuse_file_info *fi)
>> #if 1
>>         case LXC_TYPE_SYS_POWER:
>>                 lxcfs_info("LXC_TYPE_SYS_POWER -----%s", __func__);
>>                 break;
>>         case LXC_TYPE_SYS_POWER_STATE:
>>                 //Need to take action here
>>                 lxcfs_info("LXC_TYPE_SYS_POWER_STATE -----%s", __func__);
>>                 break;
>>
>> #endif
>>
>> To run my modified liblxcfs.so, I followed these steps:-
>> -------------------------------------------------------
>> 1. I stopped systemd - lxcfs.service
>> 2. From command line, I ran lxcfs binary -
>> $sudo /usr/bin/lxcfs -f /var/lib/lxcfs
>>
>> I verified that fuse file system got mounted at "/var/lib/lxcfs" by
>> running "mount" command. Here is the output of "mount" command:-
>> lxcfs on /var/lib/lxcfs type fuse.lxcfs
>> (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)
>>
>> After this when I ran "tree" command on "/var/lib/lxcfs" - I am not
>> able to see /sys/power/state in the fuse file system although I could
>> see
>> /sys/devices/system/cpu/online
>>
>> Is there any other file/s that I would need to modify to bring in
>> /sys/power/state in the FUSE FS?
>>
>> Thanks and Regards,
>> Souvik
>>
>> On 6/4/20, Christian Brauner <christian.brauner at ubuntu.com> wrote:
>> > On Wed, Jun 03, 2020 at 11:06:23PM +0530, Souvik Datta wrote:
>> >> Hello,
>> >> I am trying to understand the source code of LXCFS. My final objective
>> >> is to add /sys/power/state file as an entry. I understand the changes
>> >> that need to be done in sysfs_fuse.c/h to support this.
>> >>
>> >> To do this, I am first trying to understand how the sys entry -
>> >> "/sys/devices/system/cpu/online" has been added in the "target
>> >> directory - /var/lib/lxcfs" but I am not able to figure that out.
>> >>
>> >> Can you please give me some pointers so that I can understand how this
>> >> is achieved?
>> >
>> > Please take a look at:
>> > src/sysfs_fuse.c:sys_read()
>> > The enum and path used to add a file type is defined in
>> > src/bindings.h: enum lxcfs_virt_t
>> >
>> > and then you need to implement the actual virtualization in
>> > sysfs_fuse.{c,h}.
>> >
>> > Christian
>> > _______________________________________________
>> > lxc-devel mailing list
>> > lxc-devel at lists.linuxcontainers.org
>> > http://lists.linuxcontainers.org/listinfo/lxc-devel
>> >
>
>
>
> --
> Stéphane
>
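
Stéphane's reply points to an unprivileged container rather than an LXCFS overlay as the way to keep a container away from /sys/power/state. The following check is an added example, not code from this thread or from LXCFS: it classifies the contents of /proc/self/uid_map to tell whether uid 0 inside the container is uid 0 on the host. The function and enum names are hypothetical, and it assumes user namespaces are not nested.

```c
#include <stdio.h>
#include <string.h>

enum userns_kind {
    USERNS_INVALID   = -1, /* no parsable mapping line */
    USERNS_HOST_ROOT = 0,  /* uid 0 inside is uid 0 outside: privileged */
    USERNS_REMAPPED  = 1,  /* uid 0 inside is an unprivileged uid outside */
    USERNS_NO_ROOT   = 2   /* uid 0 is not mapped at all */
};

/* Classify uid_map text; each line is "<inside-id> <outside-id> <length>".
 * Assumes no nested user namespaces, so "outside" means the host. */
enum userns_kind classify_uid_map(const char *map_text)
{
    const char *line = map_text;
    int parsed = 0;

    while (line && *line) {
        unsigned long inside, outside, count;

        if (sscanf(line, "%lu %lu %lu", &inside, &outside, &count) == 3) {
            parsed++;
            /* Only an extent starting at 0 can contain uid 0. */
            if (inside == 0 && count > 0)
                return outside == 0 ? USERNS_HOST_ROOT : USERNS_REMAPPED;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return parsed ? USERNS_NO_ROOT : USERNS_INVALID;
}

int main(void)
{
    static const char *names[] = { "invalid", "host root (privileged)",
                                   "remapped (unprivileged)", "no root mapped" };
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/uid_map", "r");  /* run inside the container */

    if (f) {
        size_t n = fread(buf, 1, sizeof(buf) - 1, f);
        buf[n] = '\0';
        fclose(f);
    }
    printf("uid 0 in this namespace: %s\n", names[classify_uid_map(buf) + 1]);
    return 0;
}
```

A "host root" result matches the privileged system container described in the thread, where hiding the file behind a FUSE mount does not remove the container's ability to reach it.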

