This flag (like lxc.id_map entries) should only be set at create-time in order to make sure the container's filesystem has the correct ownerships and permissions. For this reason modification is not allowed via the API.
An unprivileged containers defines lxc.id_map properties, and includes $ostype.userns.conf in addition to $ostype.common.conf in its lxc config.
---
 src/PVE/API2/LXC.pm | 5 +++++
 src/PVE/LXC.pm | 22 ++++++++++++++++++++++
 src/PVE/LXC/Create.pm | 4 ++--
 3 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/src/PVE/API2/LXC.pm b/src/PVE/API2/LXC.pm
index a4e80ec..165e327 100644
--- a/src/PVE/API2/LXC.pm
+++ b/src/PVE/API2/LXC.pm
@@ -162,6 +162,9 @@ __PACKAGE__->register_method({
 my $same_container_exists = -f $basecfg_fn;
+ # 'unprivileged' is read-only, so we can't pass it to update_pct_config
+ my $unprivileged = extract_param($param, 'unprivileged');
+
 my $restore = extract_param($param, 'restore');
 if ($restore) {
@@ -263,6 +266,8 @@ __PACKAGE__->register_method({
 PVE::LXC::update_pct_config($vmid, $conf, 0, $no_disk_param);
+ $conf->{unprivileged} = 1 if $unprivileged;
+
 my $check_vmid_usage = sub {
 if ($force) {
 die "can't overwrite running container\n"
diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index f38c5bd..07ac4fc 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -192,6 +192,12 @@ my $confdesc = {
 description => "Sets the protection flag of the container. This will prevent the remove operation. This will prevent the CT or CT's disk remove/update operation.",
 default => 0,
 },
+ unprivileged => {
+ optional => 1,
+ type => 'boolean',
+ description => "Makes the container run as unprivileged user. (Should not be modified manually.)",
+ default => 0,
+ },
 };
 my $valid_lxc_conf_keys = {
@@ -1050,13 +1056,25 @@ sub update_lxc_config {
 die "missing 'arch' - internal error" if !$conf->{arch};
 $raw .= "lxc.arch = $conf->{arch}\n";
+ my $unprivileged = $conf->{unprivileged};
+ my $custom_idmap = grep { $_->[0] eq 'lxc.id_map' } @{$conf->{lxc}};
+
 my $ostype = $conf->{ostype} || die "missing 'ostype' - internal error";
 if ($ostype =~ /^(?:debian | ubuntu | centos | archlinux)$/x) {
 $raw .= "lxc.include = /usr/share/lxc/config/$ostype.common.conf\n";
+ if ($unprivileged || $custom_idmap) {
+ $raw .= "lxc.include = /usr/share/lxc/config/$ostype.userns.conf\n"
+ }
 } else {
 die "implement me";
 }
+ # Should we read them from /etc/subuid?
+ if ($unprivileged && !$custom_idmap) {
+ $raw .= "lxc.id_map = u 0 100000 65536\n";
+ $raw .= "lxc.id_map = g 0 100000 65536\n";
+ }
+
 if (!has_dev_console($conf)) {
 $raw .= "lxc.console = none\n";
 $raw .= "lxc.cgroup.devices.deny = c 5:1 rwm\n";
@@ -1224,6 +1242,8 @@ sub update_pct_config {
 my $mountpoint = parse_ct_mountpoint($conf->{$opt});
 add_unused_volume($conf, $mountpoint->{volume});
 delete $conf->{$opt};
+ } elsif ($opt eq 'unprivileged') {
+ die "unable to delete read-only option: '$opt'\n";
 } else {
 die "implement me"
 }
@@ -1296,6 +1316,8 @@ sub update_pct_config {
 } elsif ($opt eq 'rootfs') {
 check_protection($conf, "can't update CT $vmid drive '$opt'");
 die "implement me: $opt";
+ } elsif ($opt eq 'unprivileged') {
+ die "unable to modify read-only option: '$opt'\n";
 } else {
 die "implement me: $opt";
 }
diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
index 5f76b88..441b445 100644
--- a/src/PVE/LXC/Create.pm
+++ b/src/PVE/LXC/Create.pm
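Review bot: The fallback mapping added to update_lxc_config is hard-coded, so every container that sets `unprivileged` without its own `lxc.id_map` entries gets the same host range 100000..165535 for both uids and gids. Such containers are unprivileged relative to the host but are not separated from each other by uid, which deserves a mention next to the open `/etc/subuid` question. I would extend that comment to something like `# NOTE: all unprivileged CTs currently share host ids 100000..165535; no per-CT range is allocated`. The `$custom_idmap` test only counts `lxc.id_map` entries in `$conf->{lxc}`; nothing in the lines shown validates what those entries map to. The function starts and ends outside the hunk.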
@@ -157,7 +157,7 @@ sub restore_and_configure {
 my $oldconf = PVE::LXC::parse_pct_config("/lxc/$vmid.conf", $raw);
 foreach my $key (keys %$oldconf) {
- next if $key eq 'digest' || $key eq 'rootfs' || $key eq 'snapshots';
+ next if $key eq 'digest' || $key eq 'rootfs' || $key eq 'snapshots' || $key eq 'unprivileged';
 $conf->{$key} = $oldconf->{$key} if !defined($conf->{$key});
 }
 unlink($pct_cfg_fn);
@@ -198,7 +198,7 @@ sub create_rootfs {
 PVE::LXC::destroy_lxc_container($storage_cfg, $vmid, $old_conf);
 # do not copy all settings to restored container
- foreach my $opt (qw(rootfs digest snapshots arch ostype)) {
+ foreach my $opt (qw(rootfs digest snapshots arch ostype unprivileged)) {
 delete $old_conf->{$opt};
 }
 foreach my $opt (keys %$old_conf) {
-- 2.1.4
_______________________________________________
pve-devel mailing list pve-devel@pve.proxmox.com http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
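Review bot: Skipping `unprivileged` in restore_and_configure (and deleting it from `$old_conf` in create_rootfs) means the flag stored in a backup is never carried over, so a restored container is unprivileged only if the caller passes the parameter again. As far as these hunks show, restoring a backup of an unprivileged container without it silently yields a privileged one. A warning at the skip would make that visible, e.g. `warn "backup was unprivileged, restoring as privileged\n" if $oldconf->{unprivileged} && !$conf->{unprivileged};` before the loop, assuming `$conf` already carries the requested value at that point. Both functions continue outside the hunks.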