From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
To: libvir-list@redhat.com
Date: Tue, 6 Jun 2017 16:11:24 +0200
Message-Id: <20170606141124.13092-1-cbosdonnat@suse.com>
Cc: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Subject: [libvirt] [PATCH] lxc: add possibility to define init uid/gid
Users may want to run the init command of a container as a special
user / group. Allow doing it using the <inituser> and <initgroup> elements.
---
docs/formatdomain.html.in | 6 ++++++
docs/schemas/domaincommon.rng | 12 ++++++++++++
src/conf/domain_conf.c | 19 +++++++++++++++++++
src/conf/domain_conf.h | 2 ++
src/lxc/lxc_container.c | 13 +++++++++++++
tests/lxcxml2xmldata/lxc-inituser.xml | 31 +++++++++++++++++++++++++++++++
tests/lxcxml2xmltest.c | 1 +
7 files changed, 84 insertions(+)
create mode 100644 tests/lxcxml2xmldata/lxc-inituser.xml
diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index 7627fd0d0..85d5f4539 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -334,6 +334,10 @@
To set a custom work directory for the init, use the initdir=
code>
element.
+
+ To run the init command as a given user or group, use the init=
user
+ or initgroup
elements respectively.
+
=20
<os>
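Review bot: the new paragraph names the elements but not their attributes; the example below uses `uid` and `gid`, and the parser only accepts numeric values (no user or group name lookup), so the text should say "use the uid attribute of inituser / the gid attribute of initgroup", note that the values are numeric IDs as seen inside the container, that the default is root (0), and that the two elements may be set independently. It also lacks the usual "Since" version marker that formatdomain.html.in attaches to new elements.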
@@ -343,6 +347,8 @@
<initarg>emergency.service</initarg>
<initenv name=3D'MYENV'>some value</initenv>
<initdir>/my/custom/cwd</initdir>
+ <inituser uid=3D"1000"/>
+ <initgroup gid=3D"1000"/>
</os>
=20
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 5a4c4ecf1..385e937e9 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -400,6 +400,18 @@
[
+
+
+
+ ][
+ ]
+
+
+
+ [
+ ]
+
+
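Review bot: the element and attribute definitions of this schema hunk were stripped in transit, so the value constraint cannot be checked here; since the parser reads both attributes with virXPathUInt, the schema should bind `uid` and `gid` to the unsigned integer type so that negative or non-numeric values are rejected by validation as well as by the parser.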
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 3c2a81f52..21bb104a9 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -16806,6 +16806,18 @@ virDomainDefParseBootOptions(virDomainDefPtr def,
def->os.cmdline =3D virXPathString("string(./os/cmdline[1])", ctxt=
);
def->os.initdir =3D virXPathString("string(./os/initdir[1])", ctxt=
);
=20
+ if (virXPathUInt("string(./os/inituser[1]/@uid)", ctxt, &def->os.i=
nituid) =3D=3D -2) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("Failed to parse inituser uid"));
+ goto error;
+ }
+
+ if (virXPathUInt("string(./os/initgroup[1]/@gid)", ctxt, &def->os.=
initgid) =3D=3D -2) {
+ virReportError(VIR_ERR_XML_ERROR, "%s",
+ _("Failed to parse initgroup gid"));
+ goto error;
+ }
+
if ((n =3D virXPathNodeSet("./os/initarg", ctxt, &nodes)) < 0)
goto error;
=20
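Review bot: `virXPathUInt` takes an `unsigned int *`, but `&def->os.inituid` and `&def->os.initgid` are `uid_t *` and `gid_t *`; that only compiles cleanly where those typedefs are `unsigned int`, so a local `unsigned int` plus an assignment would be safer. Two behaviours are worth a comment or an explicit check: only the -2 (malformed value) return is treated as an error, so `<inituser/>` with no `uid` attribute is silently ignored, and a value of 0 is indistinguishable from "not set" (harmless here since root is the default, but it should be documented).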
@@ -24593,6 +24605,13 @@ virDomainDefFormatInternal(virDomainDefPtr def,
if (def->os.initdir)
virBufferEscapeString(buf, "%s\n",
def->os.initdir);
+ if (def->os.inituid)
+ virBufferAsprintf(buf, "\n",
+ def->os.inituid);
+ if (def->os.initgid)
+ virBufferAsprintf(buf, "\n",
+ def->os.initgid);
+
if (def->os.loader)
virDomainLoaderDefFormat(buf, def->os.loader);
virBufferEscapeString(buf, "%s\n",
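Review bot: as shown, `virBufferAsprintf(buf, "\n", def->os.inituid)` has no conversion specifier for its argument (the element text was presumably lost in transit); please confirm the real format uses `%u` for both uid and gid so the format matches the unsigned values and so that `<inituser uid='0'/>` in the input is dropped on output consistently with the parser treating 0 as unset.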
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index d6b8429c3..6e1997324 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -1842,6 +1842,8 @@ struct _virDomainOSDef {
char **initargv;
virDomainOSEnvPtr *initenv;
char *initdir;
+ uid_t inituid;
+ gid_t initgid;
char *kernel;
char *initrd;
char *cmdline;
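Review bot: `uid_t` and `gid_t` come from `<sys/types.h>`; please check the header already pulls it in. A short comment stating that 0 means "not set, run as root" would document the convention the parser, formatter and lxc_container.c all rely on.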
diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 8d8e1a735..42bcd25c4 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -247,6 +247,10 @@ static virCommandPtr lxcContainerBuildInitCmd(virDomai=
nDefPtr vmDef,
virCommandAddEnvPair(cmd, "LIBVIRT_LXC_CMDLINE", vmDef->os.cmdline=
);
if (vmDef->os.initdir)
virCommandSetWorkingDirectory(cmd, vmDef->os.initdir);
+ if (vmDef->os.inituid)
+ virCommandSetUID(cmd, vmDef->os.inituid);
+ if (vmDef->os.initgid)
+ virCommandSetGID(cmd, vmDef->os.initgid);
=20
for (i =3D 0; vmDef->os.initenv[i]; i++) {
virCommandAddEnvPair(cmd, vmDef->os.initenv[i]->name,
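Review bot: setting `initgid` without `inituid` leaves init running as uid 0 with only its primary group changed, and nothing here sets supplementary groups for the chosen uid; both points should be stated in the documentation, and it is worth deciding whether the supplementary group list should be initialised for the user rather than inherited from the root process.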
@@ -2192,6 +2196,15 @@ static int lxcContainerChild(void *data)
goto cleanup;
}
=20
+ /* Change the newly created tty owner to the inituid for
+ * shells to have job control */
+ if (vmDef->os.inituid && chown(ttyPath, vmDef->os.inituid, -1) < 0) {
+ virReportSystemError(errno,
+ _("Failed to change ownership of tty %s"),
+ ttyPath);
+ goto cleanup;
+ }
+
if (lxcContainerResolveAllSymlinks(vmDef) < 0)
goto cleanup;
=20
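Review bot: `chown(ttyPath, vmDef->os.inituid, -1)` uses the container-side uid; when the domain defines a user-namespace ID mapping, a uid outside the mapped range makes this call fail, so either validate `inituid` against the idmap at parse time or make the error message say that the uid is not mapped. Also note the tty group is left untouched even when `initgid` is set, which is consistent with the comment but should be intentional.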
diff --git a/tests/lxcxml2xmldata/lxc-inituser.xml b/tests/lxcxml2xmldata/l=
xc-inituser.xml
new file mode 100644
index 000000000..61b5db4af
--- /dev/null
+++ b/tests/lxcxml2xmldata/lxc-inituser.xml
@@ -0,0 +1,31 @@
+
+ jessie
+ e21987a5-e98e-9c99-0e35-803e4d9ad1fe
+ 1048576
+ 1048576
+ 1
+
+ /machine
+
+
+ exe
+ /sbin/sh
+
+
+
+
+ destroy
+ restart
+ restart
+
+ /usr/libexec/libvirt_lxc
+
+
+
+
+
+
+
+
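Review bot: the element tags of this test file were stripped in transit, so the expected `<inituser uid=.../>` and `<initgroup gid=.../>` lines cannot be checked here; please make sure the file exercises both elements together and that the formatted output keeps them in the same position relative to `<initdir>` as the documentation example shows.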
diff --git a/tests/lxcxml2xmltest.c b/tests/lxcxml2xmltest.c
index c81b0eace..9b9314cf8 100644
--- a/tests/lxcxml2xmltest.c
+++ b/tests/lxcxml2xmltest.c
@@ -100,6 +100,7 @@ mymain(void)
VIR_DOMAIN_DEF_PARSE_SKIP_OSTYPE_CHECKS);
DO_TEST("initenv");
DO_TEST("initdir");
+ DO_TEST("inituser");
=20
virObjectUnref(caps);
virObjectUnref(xmlopt);
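Review bot: this only adds the positive round-trip case; a negative case with a non-numeric `uid` (so that the new "Failed to parse inituser uid" path in virDomainDefParseBootOptions is reached) would cover the error handling introduced in this patch.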
--=20
2.12.2