From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Cedric Bosdonnat
Date: Mon, 26 Mar 2018 15:35:16 +0100
Message-Id: <20180326143516.3586-1-berrange@redhat.com>
Subject: [libvirt] [PATCH sandbox] Delete the virt-sandbox-service command

This command attempted to create sandboxed containers for running systemd
services that exist on the host. This code has proved very fragile, however,
since it needs heuristics to figure out which dirs need to be made private
in the container vs shared with the host. Even a relatively simple
"httpd.service" sandbox no longer works with current Fedora.

Users wanting to sandbox services are better served by using systemd's
native container functionality, or using Docker container images. The
virt-sandbox-image tool can even run Docker/virt-builder images directly.
Signed-off-by: Daniel P. Berrangé
---
 TODO                                        |   24 -
 bin/Makefile.am                             |   80 +-
 bin/virt-sandbox-service                    | 1314 ---------------------------
 bin/virt-sandbox-service-bash-completion.sh |  141 ---
 bin/virt-sandbox-service-clone.pod          |  100 --
 bin/virt-sandbox-service-connect.pod        |   59 --
 bin/virt-sandbox-service-create.pod         |  264 ------
 bin/virt-sandbox-service-delete.pod         |   65 --
 bin/virt-sandbox-service-execute.pod        |   71 --
 bin/virt-sandbox-service-reload.pod         |   63 --
 bin/virt-sandbox-service-upgrade.pod        |   74 --
 bin/virt-sandbox-service-util.c             |  305 -------
 bin/virt-sandbox-service.logrotate          |    9 -
 bin/virt-sandbox-service.pod                |   85 --
 cfg.mk                                      |    2 +-
 libvirt-sandbox.spec.in                     |    7 -
 libvirt-sandbox/tests/containers_test.sh    |   37 -
 po/POTFILES.in                              |    1 -
 18 files changed, 3 insertions(+), 2698 deletions(-)
 delete mode 100644 TODO
 delete mode 100755 bin/virt-sandbox-service
 delete mode 100755 bin/virt-sandbox-service-bash-completion.sh
 delete mode 100644 bin/virt-sandbox-service-clone.pod
 delete mode 100644 bin/virt-sandbox-service-connect.pod
 delete mode 100644 bin/virt-sandbox-service-create.pod
 delete mode 100644 bin/virt-sandbox-service-delete.pod
 delete mode 100644 bin/virt-sandbox-service-execute.pod
 delete mode 100644 bin/virt-sandbox-service-reload.pod
 delete mode 100644 bin/virt-sandbox-service-upgrade.pod
 delete mode 100644 bin/virt-sandbox-service-util.c
 delete mode 100644 bin/virt-sandbox-service.logrotate
 delete mode 100644 bin/virt-sandbox-service.pod
 delete mode 100755 libvirt-sandbox/tests/containers_test.sh

diff --git a/TODO b/TODO
deleted file mode 100644
index fc63361..0000000
--- a/TODO
+++ /dev/null
@@ -1,24 +0,0 @@ - libvirt-sandbox TODO list - =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D - -systemd-tmpfiles --create needs to be run within the container, before any -apps are started, since it will populate /run (Completed) - -CGROUPFS: integration so libvirt does it rather then systemd within the co= ntainer - We need kernel labeling support for cgroupfs so we can allow systemd to = write to its section of the cgroupfs. - -SYSLOG: Currently syslog messages are going no where within the container. -If we run a syslog within the container will it get messages from the outs= ide? Should we just use systemd-journal. I think sysadmins will want to b= e able to look in /var/log/messages within the container. (systemd-journal = is now running within a container) - -EXECUTE: - virt-sandbox-service execute --command "BLAH" does not work. We need to = have the ability to execute any random command within the container, and ge= t stdin, stdout, stderror outside the container. (Partially Completed) -Still needs kernel to implement missing container namespace files under /p= roc/PID/ns, Also need a mechanism to get the PID of systemd from libvirt. - -HOSTNAME: - Currently if I execute hostname within the container it sees the name of = the host not the name based on the container name or the IP Address associa= ted with dhclient. (Completed) - -virt-sandbox-service connect NAME hangs when you attempt to end the connec= tion. -^d should bring you back to the host terminal. - -Need a mechanism to allow admins to specify additional services to run wit= hin -the container. For example you may want to run mysql and apache within th= e same container. (Completed) You can do this using systemctl enabel BLAH diff --git a/bin/Makefile.am b/bin/Makefile.am index deedcf6..db0a1d1 100644 --- a/bin/Makefile.am +++ b/bin/Makefile.am 
@@ -1,39 +1,12 @@ =20 bin_PROGRAMS =3D virt-sandbox =20 -libexec_PROGRAMS =3D virt-sandbox-service-util +bin_SCRIPTS =3D virt-sandbox-image =20 -bin_SCRIPTS =3D virt-sandbox-service \ - virt-sandbox-image - -virtsandboxcompdir =3D $(datarootdir)/bash-completion/completions/ - -crondailydir =3D $(sysconfdir)/cron.daily -crondaily_SCRIPTS =3D virt-sandbox-service.logrotate - -POD_FILES =3D \ - virt-sandbox-service.pod \ - virt-sandbox-service-execute.pod \ - virt-sandbox-service-create.pod \ - virt-sandbox-service-clone.pod \ - virt-sandbox-service-connect.pod \ - virt-sandbox-service-delete.pod \ - virt-sandbox-service-reload.pod \ - virt-sandbox-service-upgrade.pod \ - $(NULL) -EXTRA_DIST =3D $(bin_SCRIPTS) $(POD_FILES) virt-sandbox-service-bash-compl= etion.sh virt-sandbox-service.logrotate -EXTRA_DIST +=3D virt-sandbox-service-bash-completion.sh +EXTRA_DIST =3D $(bin_SCRIPTS) =20 man1_MANS =3D \ virt-sandbox.1 \ - virt-sandbox-service.1 \ - virt-sandbox-service-execute.1 \ - virt-sandbox-service-create.1 \ - virt-sandbox-service-clone.1 \ - virt-sandbox-service-connect.1 \ - virt-sandbox-service-delete.1 \ - virt-sandbox-service-reload.1 \ - virt-sandbox-service-upgrade.1 \ $(NULL) =20 POD2MAN =3D pod2man -c "Virtualization Support" -r "$(PACKAGE)-$(VERSION)" 
@@ -41,30 +14,6 @@ POD2MAN =3D pod2man -c "Virtualization Support" -r "$(PA= CKAGE)-$(VERSION)" virt-sandbox.1: virt-sandbox.c Makefile $(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@ =20 -virt-sandbox-service.1: virt-sandbox-service.pod Makefile - $(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@ - -virt-sandbox-service-execute.1: virt-sandbox-service-execute.pod Makefile - $(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@ - -virt-sandbox-service-clone.1: virt-sandbox-service-clone.pod Makefile - $(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@ - -virt-sandbox-service-create.1: virt-sandbox-service-create.pod Makefile - $(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@ - -virt-sandbox-service-connect.1: virt-sandbox-service-connect.pod Makefile - $(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@ - -virt-sandbox-service-delete.1: virt-sandbox-service-delete.pod Makefile - $(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@ - -virt-sandbox-service-reload.1: virt-sandbox-service-reload.pod Makefile - $(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@ - -virt-sandbox-service-upgrade.1: virt-sandbox-service-upgrade.pod Makefile - $(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@ - CLEANFILES =3D $(man1_MANS) =20 virt_sandbox_SOURCES =3D virt-sandbox.c 
@@ -81,28 +30,3 @@ virt_sandbox_LDFLAGS =3D \ ../libvirt-sandbox/libvirt-sandbox-1.0.la \ $(WARN_CFLAGS) \ $(NULL) - -virt_sandbox_service_util_SOURCES =3D virt-sandbox-service-util.c -virt_sandbox_service_util_CFLAGS =3D \ - $(GIO_UNIX_CFLAGS) \ - $(LIBVIRT_GOBJECT_CFLAGS) \ - -I$(top_srcdir) \ - -DLOCALEDIR=3D"\"$(datadir)/locale"\" \ - $(WARN_CFLAGS) \ - $(NULL) -virt_sandbox_service_util_LDFLAGS =3D \ - $(GIO_UNIX_LIBS) \ - $(LIBVIRT_GOBJECT_LIBS) \ - ../libvirt-sandbox/libvirt-sandbox-1.0.la \ - $(WARN_CFLAGS) \ - $(NULL) - -install-data-local: - $(MKDIR_P) $(DESTDIR)$(sysconfdir)/libvirt-sandbox/services - $(MKDIR_P) $(DESTDIR)$(virtsandboxcompdir) - cp $(srcdir)/virt-sandbox-service-bash-completion.sh $(DESTDIR)$(virtsan= dboxcompdir)/virt-sandbox-service - -uninstall-local: - $(rmdir) $(DESTDIR)$(sysconfdir)/libvirt-sandbox/services ||: - $(rmdir) $(DESTDIR)$(sysconfdir)/libvirt-sandbox ||: - rm -f $(DESTDIR)$(virtsandboxcompdir)/virt-sandbox-service diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service deleted file mode 100755 index c458716..0000000 --- a/bin/virt-sandbox-service +++ /dev/null 
@@ -1,1314 +0,0 @@ -#!/usr/bin/env python3 -# -# Authors: Dan Walsh -# -# Copyright (C) 2012-2013 Red Hat, Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -# - -import gi -gi.require_version('LibvirtGConfig', '1.0') -from gi.repository import LibvirtGConfig -gi.require_version('LibvirtGObject', '1.0') -from gi.repository import LibvirtGObject -gi.require_version('LibvirtSandbox', '1.0') -from gi.repository import LibvirtSandbox -from gi.repository import GLib -import gi -import re -import os, sys, shutil, errno, stat -import rpm -from subprocess import Popen, PIPE, STDOUT -import gettext -import pwd - -if os.path.exists("/sys/fs/selinux"): - import selinux -else: - selinux =3D None - -LibvirtGObject.init_object_check(None) -LibvirtSandbox.init_check(None) - -gettext.bindtextdomain("libvirt-sandbox", "/usr/share/locale") -gettext.textdomain("libvirt-sandbox") -try: - gettext.install("libvirt-sandbox", - localedir=3D"/usr/share/locale", - codeset =3D 'utf-8') -except IOError: - import __builtin__ - __builtin__.__dict__['_'] =3D unicode - -CONFIG_PATH =3D "/etc/libvirt-sandbox/services/" -def get_config_path(name): - return CONFIG_PATH + name + "/config/sandbox.cfg" - -def get_legacy_config_path(name): - return CONFIG_PATH + name + ".sandbox" - -def read_config(name): - path =3D get_config_path(name) - if not 
os.path.exists(path): - return None - return LibvirtSandbox.Config.load_from_path(path) - -# shutil.copytree throws a fit if it finds sockets -# or fifos, and has really bad behaviour on block -# and character devices too. -def copydirtree(src, dst): - filenames =3D os.listdir(src) - os.makedirs(dst) - - for filename in filenames: - srcfilepath =3D os.path.join(src, filename) - dstfilepath =3D os.path.join(dst, filename) - - st =3D os.lstat(srcfilepath) - if stat.S_ISDIR(st.st_mode): - copydirtree(srcfilepath, dstfilepath) - - os.utime(dstfilepath, (st.st_atime, st.st_mtime)) - os.chmod(dstfilepath, stat.S_IMODE(st.st_mode)) - elif stat.S_ISREG(st.st_mode): - with open(srcfilepath, 'rb') as fsrc: - with open(dstfilepath, 'wb') as fdst: - while 1: - buf =3D fsrc.read(1024*32) - if not buf: - break - fdst.write(buf) - - os.utime(dstfilepath, (st.st_atime, st.st_mtime)) - os.chmod(dstfilepath, stat.S_IMODE(st.st_mode)) - elif stat.S_ISLNK(st.st_mode): - linkdst =3D os.readlink(srcfilepath) - os.symlink(linkdst, dstfilepath) - else: - # Ignore all other special files (block/char/sock/fifo) - pass - -class Container: - DEFAULT_PATH =3D "/var/lib/libvirt/filesystems" - DEFAULT_IMAGE =3D "/var/lib/libvirt/images/%s.raw" - SELINUX_FILE_TYPE =3D "svirt_lxc_file_t" - - def __init__(self, name=3DNone, uri =3D "lxc:///", path =3D DEFAULT_PA= TH, config=3DNone, create=3DFalse): - self.uri =3D uri - self.use_image =3D False - self.size =3D 10 * MB - self.path =3D path - self.config =3D config - if self.config: - self.name =3D self.config.get_name() - else: - self.name =3D name - self.dest =3D "%s/%s" % (self.path, self.name) - self.file_type =3D self.SELINUX_FILE_TYPE - self.conn =3D None - self.image =3D None - self.uid =3D 0 - self.mounts =3D [] - - def get_file_type(self): - return self.file_type - - def set_file_type(self, file_type): - self.file_type =3D file_type - - def set_uid(self, uid): - self.config.set_userid(uid) - - def get_uid(self): - return 
self.config.get_userid(uid) - - def set_gid(self, gid): - self.config.set_groupid(gid) - - def get_gid(self): - return self.config.get_groupid(gid) - - def set_username(self, username): - self.config.set_username(username) - - def get_username(self): - return self.config.get_username() - - def set_homedir(self, homedir): - self.config.set_homedir(homedir) - - def get_homedir(self): - return self.config.get_homedir() - - def set_mounts(self, mounts): - self.mounts =3D mounts - - def get_mounts(self): - return self.mounts - - def add_mounts(self): - self.config.add_mount_strv(self.mounts) - - def get_config_path(self, name =3D None): - if not name: - name =3D self.name - return get_config_path(name) - - def get_filesystem_path(self, name =3D None): - if not name: - name =3D self.get_name() - return "%s/%s" % (self.path, name) - - def get_image_path(self, name =3D None): - if not name: - name =3D self.get_name() - return self.DEFAULT_IMAGE % name - - def set_image(self, size): - self.use_image =3D True - self.size =3D size * MB - - def set_path(self, path): - self.path =3D path - self.dest =3D "%s/%s" % (self.path, self.name) - - def get_name(self): - return self.name - - def set_name(self, name): - if self.config: - raise ValueError([_("Cannot modify Name")]) - self.name =3D name - self.dest =3D "%s/%s" % (self.path, self.name) - - def set_security(self, val): - self.config.set_security_opts(val) - - def add_network(self, val): - self.config.add_network_opts(val) - - def get_security_dynamic(self): - return self.config.get_security_dynamic() - - def get_security_label(self): - return self.config.get_security_label() - - def set_security_label(self): - if selinux is None: - return - - if self.image or self.get_security_dynamic(): - return - - selabel =3D self.get_security_label() - if selabel is None: - raise ValueError([_("Missing security label configuration")]) - parts =3D selabel.split(":") - selinux.chcon(self.dest, "system_u:object_r:%s:%s" % ( - 
self.get_file_type(), ":".join(parts[3:])), True) - - def gen_filesystems(self): - if self.use_image: - self.image =3D self.DEFAULT_IMAGE % self.get_name() - mount =3D LibvirtSandbox.ConfigMountHostImage.new(self.image, = self.dest, - LibvirtGConfig= .DomainDiskFormat.RAW) - self.config.add_mount(mount) - - def fix_stat(self, f): - try: - s =3D os.stat(f) - path =3D "%s%s" % (self.dest, f) - os.chown(path, s.st_uid, s.st_gid) - os.chmod(path, s.st_mode) - except OSError as e: - if not e.errno =3D=3D errno.ENOENT: - raise - - def fix_protection(self): - l =3D len(self.dest) - for root, dirs, files in os.walk(self.dest): - for f in files: - dest =3D root + "/" + f - self.fix_stat(dest[l:]) - for d in dirs: - dest =3D root + "/" + d - self.fix_stat(dest[l:]) - - def makedirs(self, d): - try: - path =3D "%s%s" % (self.dest, d) - os.makedirs(path) - except OSError as e: - if not e.errno =3D=3D errno.EEXIST: - raise - - def makefile(self, f): - self.makedirs(os.path.dirname(f)) - try: - path =3D "%s%s" % (self.dest, f) - fd=3Dopen(path, "w") - fd.close() - except OSError as e: - if not e.errno =3D=3D errno.EEXIST: - raise - - def umount(self): - p =3D Popen(["/bin/umount", self.dest]) - p.communicate() - if p.returncode and p.returncode !=3D 0: - raise OSError(_("Failed to unmount image %s from %s") % (self= .image, self.dest)) - - def create_image(self): - fd =3D open(self.image, "w") - fd.truncate(self.size) - fd.close() - p =3D Popen(["/sbin/mkfs","-F", "-t", "ext4", self.image],stdout= =3DPIPE, stderr=3DPIPE) - p.communicate() - if p.returncode and p.returncode !=3D 0: - raise OSError(_("Failed to build image %s") % self.image ) - - p =3D Popen(["/bin/mount", self.image, self.dest]) - p.communicate() - if p.returncode and p.returncode !=3D 0: - raise OSError(_("Failed to mount image %s on %s") % (self.ima= ge, self.dest)) - - def save_config(self): - self.connect() - context =3D self.context() - context.define() - sys.stdout.write(_("Created sandbox config %s\n") % 
get_config_pat= h(self.name)) - - def update_config(self): - self.connect() - context =3D self.context() - context.undefine() - context.define() - sys.stdout.write(_("Re-created sandbox config %s\n") % get_config_= path(self.name)) - - def delete(self): - self.connect() - self.conn.fetch_domains(None) - dom =3D self.conn.find_domain_by_name(self.name) - if dom is not None: - info =3D dom.get_info() - if info.state =3D=3D LibvirtGObject.DomainState.RUNNING: - raise ValueError([_("Cannot delete running container")]) - - # Not sure we should remove content - if os.path.exists(self.dest): - shutil.rmtree(self.dest) - - image =3D self.get_image_path() - if os.path.exists(image): - os.remove(image) - - context =3D self.context() - context.undefine() - - def get_security_model(self): - model =3D None - - # Make sure we have a connection - self.connect() - - # Loop over the security models from the host capabilities - # The first in "selinux" and "apparmor" will be the returned model - # Those two models can't coexist on a machine - configCaps =3D self.conn.get_capabilities() - hostCaps =3D configCaps.get_host() - secmodels =3D hostCaps.get_secmodels() - for secmodel in secmodels: - if secmodel.get_model() =3D=3D "selinux": - model =3D "selinux" - break - elif secmodel.get_model() =3D=3D "apparmor": - model =3D "apparmor" - break - - return model - - - def create(self): - self.connect() - if self.get_security_model() is not None and \ - self.config.get_security_dynamic() and not self.use_image: - raise ValueError([_("Dynamic security label only supported for= image based containers")]) - if self.uri !=3D "lxc:///": - self.config.set_shell(True) - if not os.path.exists(self.dest): - os.mkdir(self.dest) - - def connect(self): - if not self.conn: - self.conn=3DLibvirtGObject.Connection.new(self.uri) - self.conn.open(None) - - def disconnect(self): - if self.conn: - self.conn.close() - self.conn =3D None - - def context(self): - return 
LibvirtSandbox.ContextService.new(self.conn, self.config) - - def add_bind_mount(self, source, dest): - if self.image is None: - mount =3D LibvirtSandbox.ConfigMountHostBind.new(source, dest) - else: - mount =3D LibvirtSandbox.ConfigMountGuestBind.new(source, dest) - self.config.add_mount(mount) - - def add_ram_mount(self, dest, size): - mount =3D LibvirtSandbox.ConfigMountRam.new(dest, size); - self.config.add_mount(mount) - -class GenericContainer(Container): - def __init__(self, name=3DNone, uri =3D "lxc:///", path =3D Container.= DEFAULT_PATH, config=3DNone, create=3DFalse): - Container.__init__(self, name, uri, path, config, create) - - if create: - self.config =3D LibvirtSandbox.ConfigServiceGeneric.new(name) - - def gen_filesystems(self): - Container.gen_filesystems(self) - self.add_bind_mount(self.dest, self.path) - self.add_mounts() - - def create_generic(self): - Container.create(self) - self.gen_filesystems() - - if self.image: - self.create_image() - self.umount() - sys.stdout.write(_("Created sandbox container image %s\n") % s= elf.image) - else: - sys.stdout.write(_("Created sandbox container dir %s\n") % sel= f.dest) - self.save_config() - - def create(self): - try: - self.create_generic() - except Exception as e: - try: - self.delete() - except Exception as e2: - pass - raise e - - def set_command(self, command): - self.config.set_command(command) - - -def is_template_unit(unit): - return '@' in unit - -class SystemdContainer(Container): - IGNORE_DIRS =3D [ "/var/run/", "/etc/logrotate.d/", "/etc/pam.d= " ] - DEFAULT_DIRS =3D [ "/etc", "/var" ] - PROFILE_FILES =3D [ ".bashrc", ".bash_profile", ".profile" ] - MACHINE_ID =3D "/etc/machine-id" - HOSTNAME =3D "/etc/hostname" - SYSVINIT_PATH =3D "/etc/rc.d" - ANACONDA_WANTS_PATH =3D "/usr/lib/systemd/system/anaconda.target.wants" - MULTI_USER_WANTS_PATH =3D "/usr/lib/systemd/system/multi-user.target.w= ants" - SYSINIT_WANTS_PATH =3D "/usr/lib/systemd/system/sysinit.target.wants" - SOCKET_WANTS_PATH =3D 
"/usr/lib/systemd/system/sockets.target.wants" - MAKE_SYSTEM_DIRS =3D [ "/var/lib/dhclient", "/var/lib/dbus", "/var/l= og", "/var/spool", "/var/cache", "/var/tmp", "/var/lib/nfs/rpc_pipefs", SYS= VINIT_PATH, "/lib/lsb" ] - BIND_SYSTEM_DIRS =3D [ "/var", "/home", "/root", "/etc/systemd/syste= m", "/etc/rc.d", "/usr/lib/systemd/system/basic.target.wants", "/usr/lib/sy= stemd/system/local-fs.target.wants", ANACONDA_WANTS_PATH, MULTI_USER_WANTS_= PATH, SYSINIT_WANTS_PATH, SOCKET_WANTS_PATH ] - BIND_SYSTEM_FILES =3D [ MACHINE_ID, "/etc/fstab", HOSTNAME ] - LOCAL_LINK_FILES =3D { SYSINIT_WANTS_PATH : [ "systemd-tmpfiles-setu= p.service" ] , SOCKET_WANTS_PATH : [ "dbus.socket", "systemd-journald.socke= t", "systemd-shutdownd.socket", "systemd-initctl.socket" ] } - - DEFAULT_UNIT =3D "/etc/systemd/system/%s_sandbox.service" - - def __init__(self, name=3DNone, uri =3D "lxc:///", path =3D Container.= DEFAULT_PATH, config=3DNone, create=3DFalse, packages=3D[]): - Container.__init__(self, name, uri, path, config, create) - self.copy =3D False - self.unit_file_list =3D [] - self.packages =3D packages - if create: - self.config =3D LibvirtSandbox.ConfigServiceSystemd.new(name) - self.unitfile =3D None - else: - self.unitfile =3D self.get_unit_path() - - def follow_units(self): - unitst=3D"" - for i, src in self.unit_file_list: - unitst +=3D "ReloadPropagatedFrom=3D%s\n" % i - - return unitst - - def get_unit_path(self, name =3D None): - if not name: - name =3D self.get_name() - return self.DEFAULT_UNIT % name - - def set_unit_file_list(self, unit_file_list): - self.unit_file_list =3D unit_file_list - - def get_sandboxed_service(self): - return self.unit_file_list[0][0].split(".")[0] - - def create_system_unit(self): - self.unitfile =3D self.get_unit_path() - unit =3D r""" -[Unit] -Description=3DSecure Sandbox Container %(NAME)s -Requires=3Dlibvirtd.service -After=3Dlibvirtd.service -%(FOLLOW)s -[Service] -Type=3Dsimple -ExecStart=3D/usr/libexec/virt-sandbox-service-util -c 
%(URI)s -s %(NAME)s -ExecReload=3D/usr/bin/virt-sandbox-service -c %(URI)s reload -u %(RELOAD)s= %(NAME)s -ExecStop=3D/usr/bin/virsh -c %(URI)s destroy %(NAME)s - -[Install] -WantedBy=3Dmulti-user.target -""" % { 'NAME':self.name, - 'FOLLOW':self.follow_units(), - 'RELOAD': " -u ".join(map(lambda x: x[0], self.unit_file_list)), - 'URI': self.uri, - } - - fd =3D open(self.unitfile, "w") - fd.write(unit) - fd.close() - if selinux is not None: - selinux.restorecon(self.unitfile) - sys.stdout.write(_("Created unit file %s\n") % self.unitfile) - - def add_dir(self, newd): - if newd in self.all_dirs: - return - for ignd in self.IGNORE_DIRS: - if newd.startswith(ignd): - return - for defd in self.DEFAULT_DIRS: - if newd.startswith(defd): - self.all_dirs.append(newd) - tmp_dirs =3D [] - for d in self.dirs: - if newd.startswith(d): - return - if not d.startswith(newd): - tmp_dirs.append(d) - self.dirs =3D tmp_dirs - self.dirs.append(newd) - break; - - def add_file(self, newf): - if newf in self.files: - return - for d in self.IGNORE_DIRS: - if newf.startswith(d): - return - for d in self.DEFAULT_DIRS: - if newf.startswith(d): - self.files.append(newf) - break; - - def get_name(self): - if self.config: - return self.config.get_name() - raise ValueError([_("Name not configured")]) - - def set_copy(self, copy): - self.copy =3D copy - - def get_security_dynamic(self): - return self.config.get_security_dynamic() - - def extract_rpms(self): - self.all_dirs =3D [] - self.dirs =3D [] - self.files =3D [] - - self.ts =3D rpm.ts() - - nb_packages =3D 0 - for u, src in self.unit_file_list: - rpm_name =3D self.get_rpm_for_unit(src) - if rpm_name: - self.extract_rpm(rpm_name) - nb_packages +=3D 1 - - for package in self.packages: - self.extract_rpm(package) - nb_packages +=3D 1 - - if nb_packages =3D=3D 0: - raise ValueError([_("Cannot autodetect the package for unit fi= les, please use --package")]) - - def split_filename(self, filename): - if filename[-4:] =3D=3D '.rpm': - filename =3D 
filename[:-4] - - archIndex =3D filename.rfind('.') - arch =3D filename[archIndex+1:] - - relIndex =3D filename[:archIndex].rfind('-') - rel =3D filename[relIndex+1:archIndex] - - verIndex =3D filename[:relIndex].rfind('-') - ver =3D filename[verIndex+1:relIndex] - - epochIndex =3D filename.find(':') - if epochIndex =3D=3D -1: - epoch =3D '' - else: - epoch =3D filename[:epochIndex] - - name =3D filename[epochIndex + 1:verIndex] - return name, ver, rel, epoch, arch - - def get_rpm_for_unit(self, unitfile): - mi =3D self.ts.dbMatch(rpm.RPMTAG_BASENAMES, unitfile) - try: - h =3D next(mi); - except StopIteration: - return None - return h['name'] - - - def extract_rpm(self, rpm_name): - mi =3D self.ts.dbMatch('name', rpm_name) - try: - h =3D next(mi); - except StopIteration: - raise ValueError([_("Cannot find package named %s") % rpm_name= ]) - - for fentry in h.fiFromHeader(): - fname =3D fentry[0] - - if os.path.isdir(fname): - self.add_dir(fname) - if os.path.isfile(fname): - self.add_file(fname) - - srcrpm =3D str(h[rpm.RPMTAG_SOURCERPM], encoding=3D'utf-8') - srcrpmbits =3D self.split_filename(srcrpm) - - if srcrpmbits[0] =3D=3D str(h[rpm.RPMTAG_NAME], encoding=3D'utf-8'= ): - return - - mi =3D self.ts.dbMatch(rpm.RPMTAG_NAME, srcrpmbits[0]) - try: - h =3D next(mi); - except StopIteration: - raise ValueError([_("Cannot find base package %s") % srcrpmbit= s[0]]) - - for fentry in h.fiFromHeader(): - fname =3D fentry[0] - - if os.path.isdir(fname): - self.add_dir(fname) - if os.path.isfile(fname): - self.add_file(fname) - - def gen_hostname(self): - fd=3Dopen(self.dest + self.HOSTNAME, "w") - fd.write("%s\n" % self.name ) - fd.close() - - def gen_machine_id(self): - uuid_fd =3D open("/proc/sys/kernel/random/uuid") - uuid =3D uuid_fd.read().replace("-","").rstrip() - uuid_fd.close() - self.config.set_uuid(uuid) - fd=3Dopen(self.dest + self.MACHINE_ID, "w") - fd.write("%s\n" % uuid) - fd.close() - - if not self.use_image: - # Link /var/log/journal within the container 
to /var/log/journ= al/UUID - # on host. This will allow the hosts journalctl to easily read - # containers journal information. - jdir =3D "/var/log/journal/" - jpath =3D jdir + uuid - if not os.path.exists(self.dest + jpath): - os.makedirs(self.dest + jpath) - if not os.path.exists(jdir): - os.makedirs(jdir) - - os.symlink(self.dest + jpath, jpath) - - def gen_filesystems(self): - Container.gen_filesystems(self) - # 10 MB /run - mount =3D LibvirtSandbox.ConfigMountRam.new("/run", 10 * 1024 * 10= 24); - self.config.add_mount(mount) - - # 100 MB /tmp - mount =3D LibvirtSandbox.ConfigMountRam.new("/tmp", 100 * 1024 * 1= 024); - self.config.add_mount(mount) - - # 100 MB /tmp - mount =3D LibvirtSandbox.ConfigMountRam.new("/dev/shm", 100 * 1024= * 1024); - self.config.add_mount(mount) - - for d in self.BIND_SYSTEM_DIRS: - if d !=3D "/var" and os.path.exists(d): - source =3D "%s%s" % ( self.dest, d) - self.add_bind_mount(source, d) - - for f in self.BIND_SYSTEM_FILES: - if os.path.exists(f): - source =3D "%s%s" % ( self.dest, f) - self.add_bind_mount(source, f) - - for d in self.dirs: - found =3D False - # Dont add dirs whos parents are in SYSTEM_DIRS - for s in self.BIND_SYSTEM_DIRS: - if d.startswith(s): - found =3D True - break - if not found: - source =3D "%s%s" % ( self.dest, d) - self.add_bind_mount(source, d) - - # /var contains the mounted image if there is an image: should be = the - # last thing to mount - self.add_bind_mount("%s/var" % self.dest, "/var") - self.add_mounts() - - def get_expanded_unit_template(self, unit): - return unit.replace('@', '@' + self.name) - - def create_container_unit(self, src, dest, unit): - if is_template_unit(unit): - shutil.copy(src, dest + "/" + unit) - unit =3D self.get_expanded_unit_template(unit) - os.symlink(src, dest + "/" + unit) - - dropin_dir =3D "%s/%s.d" % (dest, unit) - if not os.path.exists(dropin_dir): - os.mkdir(dropin_dir) - - fd =3D open(dropin_dir + "/virt-sandbox.conf", "w") - fd.write("""; file placed here by 
virt-sandbox-service -[Service] -PrivateTmp=3Dfalse -PrivateNetwork=3Dfalse -""" ) - fd.close() - - def gen_content(self): - if self.copy: - for d in self.dirs: - copydirtree(d, "%s%s" % (self.dest, d)) - for f in self.files: - self.makedirs(os.path.dirname(f)) - shutil.copy(f, "%s%s" % (self.dest, f)) - else: - for d in self.all_dirs: - self.makedirs(d) - for f in self.files: - self.makedirs(os.path.dirname(f)) - self.makefile(f) - - for d in self.BIND_SYSTEM_DIRS + self.MAKE_SYSTEM_DIRS: - self.makedirs(d) - - for f in self.BIND_SYSTEM_FILES: - self.makefile(f) - - destpath =3D self.dest + self.SYSVINIT_PATH - for i in range(7): - os.mkdir(destpath+("/rc%s.d" % i)) - - # Copy both /etc/rc.d/init.d/functions and /lib/lsb/init-functions= , even - # though the latter is the one recommended - if os.path.exists(self.SYSVINIT_PATH + "/init.d/functions"): - os.mkdir(destpath+"/init.d") - shutil.copy(self.SYSVINIT_PATH + "/init.d/functions" , destpat= h + "/init.d") - - if os.path.exists("/lib/lsb/init-functions"): - shutil.copy("/lib/lsb/init-functions" , self.dest + "/lib/lsb/= ") - - self.gen_machine_id() - self.gen_hostname() - - for k in self.LOCAL_LINK_FILES: - for d in self.LOCAL_LINK_FILES[k]: - src =3D "../%s" % ( d) - dest =3D "%s%s/%s" % ( self.dest, k, d) - os.symlink(src,dest) - - unitdir =3D "/etc/systemd/system" - tgtdir =3D unitdir + "/multi-user.target.wants" - - self.makedirs(unitdir) - self.makedirs(tgtdir) - os.symlink("/run", self.dest + "/var/run") - - for i, src in self.unit_file_list: - self.create_container_unit(src, self.dest + unitdir, i) - if is_template_unit(i): - i =3D self.get_expanded_unit_template(i) - os.symlink(src, self.dest + tgtdir + "/" + i) - - tgtfile =3D unitdir + "/multi-user.target" - try: - fd =3D open(self.dest + tgtfile, "w") - fd.write("[Unit]\n") - fd.write("Description=3DSandbox multi-user target\n") - fd.close() - except OSError as e: - if not e.errno =3D=3D errno.EEXIST: - raise - - for p in self.PROFILE_FILES: - 
profile =3D "/etc/skel/" + p - if os.path.exists(profile): - shutil.copy(profile, self.dest + "/root/") - - self.fix_protection() - - def delete(self): - try: - uuid =3D self.config.get_uuid() - if uuid is not None: - jpath =3D "/var/log/journal/" + uuid - if os.path.lexists(jpath): - os.remove(jpath) - except Exception as e: - sys.stderr.write("%s: %s\n" % (sys.argv[0], e)) - sys.stderr.flush() - - Container.delete(self) - - if self.unitfile and os.path.exists(self.unitfile): - p =3D Popen(["/usr/bin/systemctl","disable", self.unitfile],st= dout=3DPIPE, stderr=3DPIPE) - p.communicate() - if p.returncode and p.returncode !=3D 0: - raise OSError(_("Failed to disable %s unit file") % self.= unitfile) - os.remove(self.unitfile) - - def create_systemd(self): - self.extract_rpms() - Container.create(self) - self.gen_filesystems() - if self.image: - self.create_image() - self.gen_content() - self.umount() - sys.stdout.write(_("Created sandbox container image %s\n") % s= elf.image) - else: - self.gen_content() - sys.stdout.write(_("Created sandbox container dir %s\n") % sel= f.dest) - self.set_security_label() - self.create_system_unit() - self.config.set_boot_target("multi-user.target") - self.save_config() - - def create(self): - if os.path.exists(self.dest): - raise OSError(_("%s already exists") % self.dest) - - try: - self.create_systemd() - except Exception as e: - try: - self.delete() - except Exception as e2: - sys.stderr.write("Cleanup failed: %s\n" % str(e2)) - raise - - def reload(self, unitfiles): - class Args: - command =3D [] - noseclabel =3D None - name =3D self.name - uri =3D self.uri - args =3D Args() - args.command =3D [ "systemctl", "reload" ] + map(lambda x: x[0], u= nitfiles) - execute(args) - -MB =3D int(1000000) - -def delete(args): - config =3D read_config(args.name) - if config is None: - sys.stderr.write("Sandbox '%s' does not exist\n" % args.name) - sys.exit(1) - - if isinstance(config, gi.repository.LibvirtSandbox.ConfigServiceGeneri= c): - 
container =3D GenericContainer(uri=3Dargs.uri, config =3D config) - else: - container =3D SystemdContainer(uri=3Dargs.uri, config =3D config) - container.set_path(args.path) - container.delete() - -def create(args): - if len(args.command) > 0 and len(args.unitfiles) > 0: - raise ValueError([_("Commands cannot be specified with unit files"= )]) - - if len(args.command) =3D=3D 0 and len(args.unitfiles) =3D=3D 0: - raise ValueError([_("You must specify a command or a unit file")]) - - if args.packages and len(args.unitfiles) !=3D 1: - raise ValueError([_("Option --package cannot be used without a uni= t file")]) - - if len(args.command) > 0: - container =3D GenericContainer(name =3D args.name, uri=3Dargs.uri,= create =3D True) - container.set_command(args.command) - else: - container =3D SystemdContainer(name =3D args.name, uri=3Dargs.uri,= create =3D True, packages =3D args.packages) - container.set_copy(args.copy) - container.set_unit_file_list(args.unitfiles) - for net in args.network: - container.add_network(net) - if args.security: - container.set_security(args.security) - container.set_uid(args.uid) - if not args.homedir: - args.homedir =3D pwd.getpwuid(args.uid).pw_dir - container.set_homedir(args.homedir) - if not args.username: - args.username =3D pwd.getpwuid(args.uid).pw_name - container.set_username(args.username) - if not args.gid: - args.gid =3D pwd.getpwuid(args.uid).pw_gid - container.set_gid(args.gid) - container.set_path(args.path) - container.set_file_type(args.file_type) - container.set_mounts(args.mounts) - if args.imagesize: - container.set_image(args.imagesize) - - container.create() - -def usage(parser, msg): - parser.print_help() - - sys.stderr.write("\n%s\n" % msg) - sys.stderr.flush() - sys.exit(1) - -def sandbox_reload(args): - config =3D read_config(args.name) - if isinstance(config, gi.repository.LibvirtSandbox.ConfigServiceGeneri= c): - raise ValueError([_("Generic Containers do not support reload")]) - container =3D SystemdContainer(uri 
=3D args.uri, config =3D config) - container.reload(args.unitfiles) - -def connect(args): - if args.uri =3D=3D "lxc:///": - class Args: - command =3D [] - noseclabel =3D None - name =3D args.name - uri =3D args.uri - - args =3D Args() - args.command =3D [ "/bin/sh" ] - execute(args) - return - - print ("""\ -Connected to %s. -Type 'Ctrl + ]' to detach from the console. -""" % ( args.name )) - os.execl("/usr/libexec/virt-sandbox-service-util", - "virt-sandbox-service-util", - "-c", args.uri, - "-a", args.name) - -# -# Search Path for command to execute within the container. -# -def fullpath(cmd): - for i in [ "/", "./", "../" ]: - if cmd.startswith(i): - return cmd - for i in os.environ["PATH"].split(':'): - f =3D "%s/%s" % (i, cmd) - if os.access(f, os.X_OK): - return f - return cmd - -def execute(args): - if args.uri !=3D "lxc:///": - raise ValueError([_("Can only execute commands inside of linux con= tainers.")]) - - myexec =3D [ "virsh", "-c", args.uri, "lxc-enter-namespace" ] - if args.noseclabel: - myexec.append("--noseclabel") - myexec.extend([ args.name, "--", fullpath(args.command[0])] + args.co= mmand[1:]) - os.execv("/usr/bin/virsh", myexec) - -def clone(args): - config =3D read_config(args.source) - if isinstance(config, gi.repository.LibvirtSandbox.ConfigServiceGeneri= c): - container =3D GenericContainer(uri=3Dargs.uri, config=3Dconfig) - else: - container =3D SystemdContainer(uri=3Dargs.uri, config=3Dconfig) - newcontainer =3D None - - container.set_path(args.path) - - old_path =3D container.get_filesystem_path() - new_path =3D container.get_filesystem_path(args.dest) - - if os.path.exists(new_path): - raise OSError(_("%s already exists") % new_path) - - try: - fd =3D open(container.get_config_path(),"r") - recs =3D fd.read() - fd.close() - - newrec =3D recs.replace(old_path + "/", new_path + "/") - newrec =3D newrec.replace("name=3D" + args.source, "name=3D" + arg= s.dest) - old_image_path =3D container.get_image_path() - if 
os.path.exists(old_image_path): - new_image_path =3D container.get_image_path(args.dest) - newrec =3D newrec.replace(old_image_path, new_image_path) - shutil.copy(old_image_path, new_image_path) - sys.stdout.write(_("Created sandbox container image %s\n") % n= ew_image_path) - os.mkdir(new_path) - else: - copydirtree(old_path, new_path) - sys.stdout.write(_("Created sandbox container dir %s\n") % new= _path) - - if isinstance(config, gi.repository.LibvirtSandbox.ConfigServiceGe= neric): - newcontainer =3D GenericContainer(name=3Dargs.dest, uri=3Dargs= .uri, create=3DTrue) - newcontainer.set_path(args.path) - else: - fd =3D open(container.get_unit_path()) - recs =3D fd.read() - fd.close() - - new_unit =3D container.get_unit_path(args.dest) - fd =3D open(new_unit, "wx") - fd.write(recs.replace(args.source, args.dest)) - fd.close() - - sys.stdout.write(_("Created unit file %s\n") % new_unit) - - config =3D LibvirtSandbox.Config.load_from_data(newrec) - newcontainer =3D SystemdContainer(config=3Dconfig, uri=3Dargs.= uri) - newcontainer.set_path(args.path) - newcontainer.gen_machine_id() - newcontainer.gen_hostname() - - if args.security: - newcontainer.set_security(args.security) - newcontainer.set_security_label() - newcontainer.save_config() - except Exception as e: - if newcontainer is not None: - newcontainer.delete() - raise - - -def upgrade_config_legacy(path): - config =3D LibvirtSandbox.Config.load_from_path(path) - - if isinstance(config, gi.repository.LibvirtSandbox.ConfigServiceGeneri= c): - container =3D GenericContainer(uri=3Dargs.uri, config=3Dconfig) - else: - container =3D SystemdContainer(uri=3Dargs.uri, config=3Dconfig) - - fd =3D open(container.get_unit_path()) - unitfile =3D fd.read() - fd.close() - - unitfile =3D unitfile.replace("/usr/bin/virt-sandbox-service start= ", - "/usr/libexec/virt-sandbox-service-uti= l -c lxc:/// -s") - unitfile =3D unitfile.replace("/usr/bin/virt-sandbox-service reloa= d", - "/usr/bin/virt-sandbox-service -c lxc:= /// 
reload") - unitfile =3D unitfile.replace("/usr/bin/virt-sandbox-service stop", - "/usr/bin/virsh -c lxc:/// destroy") - - unitfile =3D re.sub("WantedBy=3D.*\.target", - "WantedBy=3Dmulti-user.target", - unitfile) - - os.remove(container.get_unit_path()) - fd =3D open(container.get_unit_path(), "wx") - fd.write(unitfile) - fd.close() - - sys.stdout.write(_("Created unit file %s\n") % - container.get_unit_path()) - - # Create new config file + libvirt persistent XML config - container.save_config() - # Kill legacy config file - os.remove(path) - - -def upgrade_config_current(path): - config =3D LibvirtSandbox.Config.load_from_path(path) - - if isinstance(config, gi.repository.LibvirtSandbox.ConfigServiceGeneri= c): - container =3D GenericContainer(uri=3Dargs.uri, config=3Dconfig) - else: - container =3D SystemdContainer(uri=3Dargs.uri, config=3Dconfig) - - # Create new config file + libvirt persistent XML config - container.update_config() - - -def upgrade_config(args): - newconfigfile =3D get_config_path(args.name) - oldconfigfile =3D get_legacy_config_path(args.name) - if os.path.exists(oldconfigfile): - upgrade_config_legacy(oldconfigfile) - elif os.path.exists(newconfigfile): - upgrade_config_current(newconfigfile) - else: - sys.stderr.write("Sandbox '%s' does not exist\n" % args.name) - sys.exit(1) - - -def upgrade_filesystem(args): - # This is where we'd look at RPM DB and upgrade the - # filesystem with new info for the unit files - pass - -# This function must be capable of reading configs created by -# old releases and "fixing" them to work with the new release -def upgrade(args): - upgrade_config(args) - upgrade_filesystem(args) - -import argparse -class AddMount(argparse.Action): - def __call__(self, parser, namespace, values, option_string=3DNone): - newval =3D getattr(namespace, self.dest) - if not newval: - newval =3D [] - for v in values: - newval.append(v) - setattr(namespace, self.dest, newval) - -class SizeAction(argparse.Action): - def 
__call__(self, parser, namespace, values, option_string=3DNone): - setattr(namespace, self.dest, int(values)) - -class CheckUnit(argparse.Action): - def __call__(self, parser, namespace, value, option_string=3DNone): - def check_unit(unit): - src =3D "/etc/systemd/system/" + unit - if os.path.exists(src): - return src - src =3D "/usr/lib/systemd/system/" + unit - if os.path.exists(src): - return src - return None - src =3D check_unit(value) - if not src: - src =3D check_unit(value + ".service") - if src: - value =3D value + ".service" - else: - raise OSError(_("Requested unit %s does not exist") % valu= e) - - unitfiles =3D getattr(namespace, self.dest) - if unitfiles: - unitfiles.append((value, src)) - else: - unitfiles =3D [ (value, src) ] - setattr(namespace, self.dest, unitfiles) - -class SetNet(argparse.Action): - def __call__(self, parser, namespace, values, option_string=3DNone): - nets =3D getattr(namespace, self.dest) - if nets: - nets.append(values) - else: - nets =3D [values] - setattr(namespace, self.dest, nets) - -class CheckPackage(argparse.Action): - def __call__(self, parser, namespace, value, option_string=3DNone): - nb_rpm =3D len(rpm.TransactionSet().dbMatch('name', value)) - if nb_rpm =3D=3D 0: - raise OSError(_("Cannot find %s rpm") % value) - elif nb_rpm > 1: - raise OSError(_("%s rpm is installed more than once") % value) - packages =3D getattr(namespace, self.dest) - if packages: - packages.append(value) - else: - packages =3D [ value ] - setattr(namespace, self.dest, packages) - -def requires_name(parser): - parser.add_argument("name", - help=3D_("name of the sandbox container")) - -def default_security_opts(): - if selinux is None: - return None - - # XXX vary per URI for kvm/qemu/lxc. 
- # XXX generate a random category - return "static,label=3Dsystem_u:system_r:svirt_lxc_net_t:s0" - -def gen_create_args(subparser): - parser =3D subparser.add_parser("create", - help=3D_("Create a sandbox container.")) - - parser.add_argument("-C", "--copy", default=3DFalse, - action=3D"store_true", - help=3D_("copy content from the hosts /etc and /va= r directories that will be mounted within the sandbox")) - - parser.add_argument("-f", "--filetype", dest=3D"file_type", - default=3Dc.get_file_type(), - help=3D_("SELinux file type to assign to content w= ithin the sandbox. Default: %s") % c.get_file_type()) - parser.add_argument("--homedir", dest=3D"homedir", - help=3D_("Specify the homedir for the container. D= efault: UID homedir.")) - parser.add_argument("-G", "--gid", dest=3D"gid", - default=3DNone, type=3Dint, - help=3D_("Specify the login gid for the container.= Default: login GID of the UID.")) - parser.add_argument("-i", "--imagesize", dest=3D"imagesize", default = =3D None, - action=3DSizeAction, - help=3D_("create image of this many megabytes.")) - parser.add_argument("-m", "--mount", dest=3D"mounts",default=3D[], nar= gs=3D"*", action=3DAddMount, - help=3D_("Mount a filesytem in the sandbox")) - parser.add_argument("-N", "--network", dest=3D"network", - action=3DSetNet, default=3D[], - help=3D_("Specify the network configuration")) - parser.add_argument("-p", "--path", dest=3D"path", default=3Dc.DEFAUL= T_PATH, - help=3D_("select path to store sandbox content. D= efault: %s") % c.DEFAULT_PATH) - parser.add_argument("-s", "--security", dest=3D"security", - default=3Ddefault_security_opts(), - help=3D_("Specify the security model configuration= for the sandbox: Defaults to dynamic")) - parser.add_argument("-u", "--unitfile", - action=3DCheckUnit, - dest=3D"unitfiles", default=3D[], - help=3D_("Systemd Unit file to run within the syst= emd sandbox container. 
Commands cannot be specified with unit files.")) - parser.add_argument("-P", "--package", - action=3DCheckPackage, - dest=3D"packages", default=3D[], - help=3D_("RPM package to be used in the container.= Default: autodetected from unit files.")) - parser.add_argument("--username", dest=3D"username", - help=3D_("Specify the username for the container. = Default: UID username.")) - parser.add_argument("-U", "--uid", dest=3D"uid", - default=3Dos.getuid(),type=3Dint, - help=3D_("Specify the uid for the container: Defau= lt to current UID.")) - - requires_name(parser) - parser.add_argument("command", default=3D[], nargs=3D"*", - help=3D_("Command to run within the generic sandbo= x container. Commands cannot be specified with unit files.")) - - parser.set_defaults(func=3Dcreate) - -def gen_connect_args(subparser): - parser =3D subparser.add_parser("connect", - help=3D_("Connect to a sandbox container= ")) - requires_name(parser) - parser.set_defaults(func=3Dconnect) - -def gen_execute_args(subparser): - parser =3D subparser.add_parser("execute", - help=3D_("Execute a command within a san= dbox container. Only available for lxc:///")) - parser.add_argument("-N", "--noseclabel", dest=3D"noseclabel", - default=3DFalse, action=3D"store_true", - help=3D_("do not modify the label of the executabl= e process. 
By default all commands execute with the label of the sandbox")) - requires_name(parser) - parser.add_argument("command", nargs=3D"+", - help=3D_("command to execute within the container"= )) - parser.set_defaults(func=3Dexecute) - -def gen_reload_args(subparser): - parser =3D subparser.add_parser("reload", - help=3D_("Reload a running sandbox cont= ainer")) - parser.add_argument("-u", "--unitfile", required=3DTrue, - action=3DCheckUnit, dest=3D"unitfiles", - help=3D_("Systemd Unit file to reload within the s= andbox container")) - requires_name(parser) - parser.set_defaults(func=3Dsandbox_reload) - -def gen_clone_args(subparser): - parser =3D subparser.add_parser("clone", - help=3D_("Clone an existing sandbox cont= ainer")) - parser.set_defaults(func=3Dclone) - parser.add_argument("-p", "--path", dest=3D"path", default=3Dc.DEFAUL= T_PATH, - help=3D_("select path to copy sandbox content from= /to. Default: %s") % c.DEFAULT_PATH) - parser.add_argument("-s", "--security", dest=3D"security", - default=3Ddefault_security_opts(), - help=3D_("Specify the security model configuration= for the sandbox: Defaults to dynamic")) - - parser.add_argument("source", - help=3D_("source sandbox container name")) - parser.add_argument("dest", - help=3D_("dest name of the new sandbox container")) - -def gen_delete_args(subparser): - parser =3D subparser.add_parser("delete", - help=3D_("Delete a sandbox container")) - parser.add_argument("-p", "--path", dest=3D"path", default=3Dc.DEFAUL= T_PATH, - help=3D_("select path to delete sandbox content fr= om. 
Default: %s") % c.DEFAULT_PATH) - requires_name(parser) - parser.set_defaults(func=3Ddelete) - -def gen_upgrade_args(subparser): - parser =3D subparser.add_parser("upgrade", - help=3D_("Upgrade the sandbox container= ")) - requires_name(parser) - parser.set_defaults(func=3Dupgrade) - -if __name__ =3D=3D '__main__': - c =3D Container() - - parser =3D argparse.ArgumentParser(description=3D'Sandbox Container To= ol') - parser.add_argument("-c", "--connect", required=3DFalse, dest=3D"uri",= default=3D"lxc:///", - help=3D_("libvirt connection URI to use (lxc:/// [= default] or qemu:///session)")) - - subparser =3D parser.add_subparsers(help=3D_("commands")) - gen_create_args(subparser) - gen_clone_args(subparser) - gen_connect_args(subparser) - gen_delete_args(subparser) - gen_execute_args(subparser) - gen_reload_args(subparser) - gen_upgrade_args(subparser) - - try: - args =3D parser.parse_args() - if args.uri[0:3] !=3D "lxc": - sys.stderr.write("%s: only lxc:/// URIs are currently supporte= d\n" % sys.argv[0]) - sys.exit(1) - if os.geteuid() !=3D 0: - sys.stderr.write("%s: lxc:/// URIs are only supported when run= as root\n" % sys.argv[0]) - sys.exit(1) - args.func(args) - sys.exit(0) - except KeyboardInterrupt as e: - sys.exit(0) - except ValueError as e: - sys.stderr.write("%s: %s\n" % (sys.argv[0], e)) - sys.stderr.flush() - sys.exit(1) - except IOError as e: - sys.stderr.write("%s: %s: %s\n" % (sys.argv[0], e.filename, e.stre= rror)) - sys.stderr.flush() - sys.exit(1) - except OSError as e: - sys.stderr.write("%s: %s\n" % (sys.argv[0], e)) - sys.stderr.flush() - sys.exit(1) - except GLib.GError as e: - sys.stderr.write("%s: %s\n" % (sys.argv[0], e)) - sys.stderr.flush() - sys.exit(1) diff --git a/bin/virt-sandbox-service-bash-completion.sh b/bin/virt-sandbox= -service-bash-completion.sh deleted file mode 100755 index a101f4a..0000000 --- a/bin/virt-sandbox-service-bash-completion.sh +++ /dev/null 
@@ -1,141 +0,0 @@ -# This file is part of libvirt-sandbox. -# -# Copyright (C) 2012-2013 Red Hat, Inc. -# -# systemd is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# systemd is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with systemd; If not, see . -# -# Authors: Dan Walsh -# -__contains_word () { - local word=3D$1; shift - for w in $*; do [[ $w =3D $word ]] && return 0; done - return 1 -} - -ALL_OPTS=3D'-h --help' - -__get_all_unit_files () { - systemctl list-unit-files --no-legend | cut -d' ' -f 1 | grep -v '@' -} - -__get_all_containers () { - virt-sandbox-service list -} - -__get_all_running_containers () { - virt-sandbox-service list --running -} - -__get_all_file_types () { - seinfo -afile_type -x 2>/dev/null | tail -n +2 -} - -_virt_sandbox_service () { - local command=3D${COMP_WORDS[1]} - local cur=3D${COMP_WORDS[COMP_CWORD]} prev=3D${COMP_WORDS[COMP_CWORD-1= ]} - local verb comps - local -A VERBS=3D( - [CONNECT]=3D'connect' - [CREATE]=3D'create' - [DELETE]=3D'delete' - [RELOAD]=3D'reload' - [START]=3D'start' - [EXECUTE]=3D'execute' - [STOP]=3D'stop' - [LIST]=3D'list' - ) - local -A OPTS=3D( - [ALL]=3D'-h --help' - [CREATE]=3D'-C --copy -f --filetype -G --gid -i --imagesize --hom= edir -m --mount -N --network -p --path -s --security -u --unitfile --userna= me -U -uid' - [LIST]=3D'-r --running' - [RELOAD]=3D'-u --unitfile' - [EXECUTE]=3D'-N --noseclabel' - ) - - for ((i=3D0; $i <=3D $COMP_CWORD; i++)); do - if __contains_word "${COMP_WORDS[i]}" ${VERBS[*]} && - ! 
__contains_word "${COMP_WORDS[i-1]}" ${OPTS[ARG}]}; then - verb=3D${COMP_WORDS[i]} - break - fi - done - - if test "$verb" =3D "" && test "$prev" =3D "virt-sandbox-service" ; th= en - comps=3D"${VERBS[*]}" - COMPREPLY=3D( $(compgen -W "$comps" -- "$cur") ) - return 0 - elif test "$verb" =3D=3D "list" ; then - if test "$prev" =3D "-r" || test "$prev" =3D "--running" ; then - return 0 - fi - COMPREPLY=3D( $(compgen -W "${OPTS[ALL]} ${OPTS[LIST]} " -- "$cur"= ) ) - return 0 - elif test "$verb" =3D=3D "delete" ; then - COMPREPLY=3D( $(compgen -W "${OPTS[ALL]} $( __get_all_containers )= " -- "$cur") ) - return 0 - elif test "$verb" =3D=3D "start" ; then - COMPREPLY=3D( $(compgen -W "${OPTS[ALL]} $( __get_all_containers )= " -- "$cur") ) - return 0 - elif test "$verb" =3D=3D "stop" ; then - COMPREPLY=3D( $(compgen -W "${OPTS[ALL]} $( __get_all_running_cont= ainers ) " -- "$cur") ) - return 0 - elif test "$verb" =3D=3D "reload" ; then - COMPREPLY=3D( $(compgen -W "${OPTS[ALL]} ${OPTS[RELOAD]} $( __get_= all_running_containers ) " -- "$cur") ) - return 0 - elif test "$verb" =3D=3D "connect" ; then - COMPREPLY=3D( $(compgen -W "${OPTS[ALL]} $( __get_all_running_cont= ainers ) " -- "$cur") ) - return 0 - elif test "$verb" =3D=3D "execute" ; then - if test "$prev" =3D "execute"; then - COMPREPLY=3D( $(compgen -W "${OPTS[ALL]} ${OPTS[EXECUTE]} $( _= _get_all_running_containers ) " -- "$cur") ) - else - COMPREPLY=3D( $( compgen -c -- "$cur") ) - fi - return 0 - elif test "$verb" =3D=3D "create" ; then - if test "$prev" =3D "-p" || test "$prev" =3D "--path" ; then - COMPREPLY=3D( $( compgen -d -- "$cur") ) - compopt -o filenames - return 0 - elif test "$prev" =3D "-u" || test "$prev" =3D "--unitfile" ; then - COMPREPLY=3D( $(compgen -W "$( __get_all_unit_files ) " -- "$cur")= ) - return 0 - elif test "$prev" =3D "-f" || test "$prev" =3D "--filetype" ; then - COMPREPLY=3D( $(compgen -W "$( __get_all_file_types ) " -- "$cur")= ) - return 0 - elif test "$prev" =3D "-s" || test 
"$prev" =3D "--security" ; then - return 0 - elif test "$prev" =3D "-m" || test "$prev" =3D "--mount" ; then - return 0 - elif test "$prev" =3D "-n" || test "$prev" =3D "--network" ; then - return 0 - elif test "$prev" =3D "-i" || test "$prev" =3D "--imagesize" ; then - return 0 - elif __contains_word "$command" ${VERBS[CREATE]} ; then - COMPREPLY=3D( $(compgen -W "${OPTS[ALL]} ${OPTS[CREATE]}" -- "$cur= ") ) - return 0 - elif __contains_word "${COMP_WORDS[i]}" ${VERBS[*]} ; then - COMPREPLY=3D( $(compgen -W "${OPTS[ALL]}" -- "$cur") ) - return 0 - fi - else - if ! __contains_word "${prev}" ${VERBS[*]} && - ! __contains_word "${prev}" ${OPTS[*]}; then - return 0 - fi - fi - COMPREPLY=3D( $(compgen -W "${OPTS[ALL]} $( __get_all_containers ) " -= - "$cur") ) - return 0 -} -complete -F _virt_sandbox_service virt-sandbox-service diff --git a/bin/virt-sandbox-service-clone.pod b/bin/virt-sandbox-service-= clone.pod deleted file mode 100644 index e9d997b..0000000 --- a/bin/virt-sandbox-service-clone.pod +++ /dev/null 
@@ -1,100 +0,0 @@ -=3Dhead1 NAME - -virt-sandbox-service clone - clone an existing Secure container - -=3Dhead1 SYNOPSIS - -Clone a Security container - - virt-sandbox-service [-c URI] clone [-h] [-p PATH] [-s SECURITY-OPTS] SO= URCE DEST - -=3Dhead1 DESCRIPTION - -virt-sandbox-service is used to manage secure sandboxed system services. -These applications will be launched via libvirt and run within a virtualiz= ation -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The -container / virtual machines will be secured by SELinux and resource -separated using cgroups. - -The clone command will clone the SOURCE security sandbox container into th= e DEST security sandbox container. - -=3Dhead1 OPTIONS - -=3Dover 4 - -=3Ditem B<-h>, B<--help> - -Display help message - -=3Ditem B<-c> URI, B<--connect URI> - -The connection URI for the hypervisor (currently only LXC URIs are -supported). - -=3Ditem B<-p PATH>, B<--path PATH> - -Set path to copy container content from/to. This argument must match the v= alue of -the C<-p> arg given when creating the original source container. - -Default: C. - -=3Ditem B<-s SECURITY-OPTIONS>, B<--security=3DSECURITY-OPTIONS> - -Use alternative security options. SECURITY-OPTIONS is a set of key=3Dval p= airs, -separated by commas. The following options are valid for SELinux - -=3Dover 4 - -=3Ditem dynamic - -Dynamically allocate an SELinux label, using the default base context. -The default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC, -system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0 -for QEMU. - -=3Ditem dynamic,label=3DUSER:ROLE:TYPE:LEVEL - -Dynamically allocate an SELinux label, using the base context -USER:ROLE:TYPE:LEVEL, instead of the default base context. - -=3Ditem static,label=3DUSER:ROLE:TYPE:LEVEL - -To set a completely static label. 
For example, -static,label=3Dsystem_u:system_r:svirt_t:s0:c412,c355 - -=3Dback - -=3Dback - -=3Dhead1 EXAMPLE - -Execute /bin/sh in httpd1 container - - # virt-sandbox-service clone -s static,label=3Dsystem_u:system_r:svirt_lx= c_net_t:s0:c1,c2 httpd1 httpd2 - -=3Dhead1 SEE ALSO - -C, C, C, C - -=3Dhead1 FILES - -Container content will be stored in subdirectories of -/var/lib/libvirt/filesystems, by default. You can manage the -content in these directories outside of the container and -processes within the container will see the content. - -=3Dhead1 AUTHORS - -Daniel Walsh -Daniel P. Berrange - -=3Dhead1 COPYRIGHT - -Copyright (C) 2011-2013 Red Hat, Inc. - -=3Dhead1 LICENSE - -virt-sandbox is distributed under the terms of the GNU LGPL v2+. -This is free software; see the source for copying conditions. -There is NO warranty; not even for MERCHANTABILITY or FITNESS -FOR A PARTICULAR PURPOSE diff --git a/bin/virt-sandbox-service-connect.pod b/bin/virt-sandbox-servic= e-connect.pod deleted file mode 100644 index cefa37a..0000000 --- a/bin/virt-sandbox-service-connect.pod +++ /dev/null 
@@ -1,59 +0,0 @@ -=3Dhead1 NAME - -virt-sandbox-service connect - Connect to a security container console - -=3Dhead1 SYNOPSIS - - virt-sandbox-service [-c URI] connect [-h] NAME - -=3Dhead1 DESCRIPTION - -virt-sandbox-service is used to manage secure sandboxed system services. -These applications will be launched via libvirt and run within a virtualiz= ation -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The -container / virtual machines will be secured by SELinux and resource -separated using cgroups. - -The connect command will connect to the security sandbox container console= NAME. - -=3Dhead1 OPTIONS - -=3Dover 4 - -=3Ditem B<-h>, B<--help> - -Display help message - -=3Ditem B<-c URI>, B<--connect URI> - -The connection URI for the hypervisor (currently only LXC URIs are -supported). - -=3Dback - -=3Dhead1 EXAMPLE - -Connect to the in httpd1 container console - - # virt-sandbox-service connect httpd1 - # - -=3Dhead1 SEE ALSO - -C, C, C, C - -=3Dhead1 AUTHORS - -Daniel Walsh -Daniel P. Berrange - -=3Dhead1 COPYRIGHT - -Copyright (C) 2011-2013 Red Hat, Inc. - -=3Dhead1 LICENSE - -virt-sandbox is distributed under the terms of the GNU LGPL v2+. -This is free software; see the source for copying conditions. -There is NO warranty; not even for MERCHANTABILITY or FITNESS -FOR A PARTICULAR PURPOSE diff --git a/bin/virt-sandbox-service-create.pod b/bin/virt-sandbox-service= -create.pod deleted file mode 100644 index d2f5fdb..0000000 --- a/bin/virt-sandbox-service-create.pod +++ /dev/null 
@@ -1,264 +0,0 @@ -=3Dhead1 NAME - -virt-sandbox-service create - Create a Security container - -=3Dhead1 SYNOPSIS - - virt-sandbox-service [-c URI] create [-h] [-C] [-f FILE_TYPE] - [--homedir HOMEDIR] [-G GID] [-i IMAGES= IZE] - [[-m TYPE:DST=3DSRC ] ...] - [-N NETWORK] [-p PATH] [-s SECURITY] - [[-u UNITFILES] ...] [--username USERNA= ME] - [-U UID] [[-P package] ... ] - NAME -- COMMAND [ARG1 [ARG2...]] - -=3Dhead1 DESCRIPTION - -virt-sandbox-service is used to manage secure sandboxed system services. -These applications will be launched via libvirt and run within a virtualiz= ation -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The -container / virtual machines will be secured by SELinux and resource -separated using cgroups. - -The create command can setup a sandbox for running one or more systemd uni= t files. -It can also setup a sandbox for running a command in an GenericContainer. -Specify a unit file to create the SystemdContainer and the command to crea= te an -GenericContainer. - -=3Dhead1 OPTIONS - -=3Dover 4 - -=3Ditem B<-h>, B<--help> - -Display help message - -=3Ditem B<-c URI>, B<--connect URI> - -The connection URI for the hypervisor (currently only LXC URIs are -supported). - -=3Ditem B<-u UNIT_FILE>, B<--unitfile UNIT_FILE> - -Name of the systemd unit file to be to run within the Systemd Container. -Can be repeated if multiple unit files are required within the sandbox. -Cannot be specified if you are using a COMMAND. If the unit file end -with @, this will be considered as a template, and a instantiated -systemd unit will be created, using the name of the container as a -instance identifier. - -=3Ditem B<-C>, B<--copy> - -Copy content from /etc and /var directories that will be mounted within th= e container. - -=3Ditem B<-G GID>, B<--gid GID> - -Set login gid to use within the container. - -Default: C. - -=3Ditem B<-f FILETYPE>, B<--filetype FILETYPE> - -Set SELinux file type to use within container. - -Default: C. 
- -=3Ditem B<-p PATH>, B<--path PATH> - -Set path to store container content. NB if this argument is used when crea= ting -a container, the exact same argument must also be used when later cloning = or -deleting the container. - -Default: C. - -=3Ditem B<--homedir HOMEDIR> - -Set homedir path to use within container. - -Default: C. - -=3Ditem B<-m TYPE:DST=3DSRC>, B<--mount TYPE:DST=3DSRC> - -Sets up a mount inside the sandbox at B backed by B. The -meaning of B depends on the value of C specified: - -=3Dover 4 - -=3Ditem B - -If B is B, then B is interpreted as the path -to a directory on the host filesystem. If C is the empty string, -then a temporary (empty) directory is created on the host before -starting the sandbox and deleted afterwards. The C<--include> option -is useful for populating these temporary directories with copies of host -files. - -=3Ditem B - -If B is B, then B is interpreted as the path -to a disk image file on the host filesystem. The image should be -formatted with a filesystem that can be auto-detected by the sandbox, -such as B, B, etc. The disk image itself should be a raw -file, not qcow2 or any other special format - -=3Ditem B - -If B is B, then B is interpreted as the path -to another directory in the container filesystem. - -=3Ditem B - -If B is B, then B is interpreted as specifying the -size of the RAM disk in bytes. The suffix B, B, B, -B, B, B can used to alter the units from bytes to a -coarser level. - -=3Dback - -Some examples - - -m host-bind:/tmp=3D/var/lib/sandbox/demo/tmp - -m host-image:/=3D/var/lib/sandbox/demo.img - -m guest-bind:/home=3D/tmp/home - -m ram:/tmp=3D500M - -=3Ditem B<-N NETWORK-OPTIONS>, B<--network NETWORK-OPTIONS> - -Add a network interface to the sandbox. By default the sandbox will -only have a loopback interface. This option allows for connectivity -to the LAN in some manner. NETWORK-OPTIONS is a set of -key=3Dval pairs, separated by commas. 
The following options are valid - -=3Dover 4 - -=3Ditem dhcp - -Configure the network interface using dhcp. This key takes no value. -No other keys may be specified. eg - - -N dhcp,source=3Ddefault - --network dhcp,source=3Dlan - -where 'source' is the name of any libvirt virtual network. - -=3Ditem source=3DNETWORK - -Set the name of the network to connect the interface to. C -is the name of any libvirt virtual network. See also B - -=3Ditem mac=3DNN:NN:NN:NN:NN:NN - -Set the MAC address of the network interface, where each NN is a pair -of hex digits. - -=3Ditem address=3DIP-ADDRESS/PREFIX%BROADCAST - -Configure the network interface with the static IPv4 or IPv6 address -B. The B value is the length of the network -prefix in B. The optional B parameter -specifies the broadcast address. Some examples - - address=3D192.168.122.1/24 - address=3D192.168.122.1/24%192.168.122.255 - address=3D2001:212::204:2/64 - -=3Ditem route=3DIP-NETWORK/PREFIX%GATEWAY - -Configure the network interface with the static IPv4 or IPv6 route -B. The B value is the length of the network -prefix in B. The B parameter specifies the -address of the gateway for the route. Some examples - - route=3D192.168.122.255/24%192.168.1.1 - -=3Dback - -=3Ditem B<-s SECURITY-OPTIONS>, B<--security=3DSECURITY-OPTIONS> - -Use alternative security options. SECURITY-OPTIONS is a set of key=3Dval p= airs, -separated by commas. The following options are valid for SELinux - -=3Dover 4 - -=3Ditem dynamic - -Dynamically allocate an SELinux label, using the default base context. -The default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC, -system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0 -for QEMU. - -=3Ditem dynamic,label=3DUSER:ROLE:TYPE:LEVEL - -Dynamically allocate an SELinux label, using the base context -USER:ROLE:TYPE:LEVEL, instead of the default base context. - -=3Ditem static,label=3DUSER:ROLE:TYPE:LEVEL - -To set a completely static label. 
For example, -static,label=3Dsystem_u:system_r:svirt_t:s0:c412,c355 - -=3Dback - -=3Ditem B<-i SIZE>, B<--image SIZE> - -Create file system image file of this size to store container content. - -=3Ditem B<-P PACKAGE>, B<--package PACKAGE> - -Package(s) to be used within the container. - -=3Ditem B<-U UID>, B<--uid UID> - -Set uid to use within container. - -Default: C. - -=3Ditem B<--username USERNAME> - -Set username to use within container. - -Default: C. - -=3Dback - -=3Dhead1 EXAMPLE - -Create httpd1 Systemd container - - # virt-sandbox-service create -C -u httpd.service httpd1 - Created container dir /var/lib/libvirt/filesystems/httpd1 - Created sandbox config /etc/libvirt-sandbox/services/httpd1/config/sandbo= x.cfg - Created unit file /etc/systemd/system/httpd@httpd1.service - -Create foobar1 Generic container - - # virt-sandbox-service create -U 1234 foobar1 -- /usr/bin/foobar -a -b - Created container dir /var/lib/libvirt/filesystems/foobar1 - Created sandbox config /etc/libvirt-sandbox/services/foobar1/config/sandb= ox.cfg - -=3Dhead1 SEE ALSO - -C, C, C, C - -=3Dhead1 FILES - -Container content will be stored in subdirectories of -C, by default. You can manage the -content in these directories outside of the container and -processes within the container will see the content. - -=3Dhead1 AUTHORS - -Daniel Walsh -Daniel P. Berrange - -=3Dhead1 COPYRIGHT - -Copyright (C) 2011-2013 Red Hat, Inc. - -=3Dhead1 LICENSE - -virt-sandbox is distributed under the terms of the GNU LGPL v2+. -This is free software; see the source for copying conditions. -There is NO warranty; not even for MERCHANTABILITY or FITNESS -FOR A PARTICULAR PURPOSE diff --git a/bin/virt-sandbox-service-delete.pod b/bin/virt-sandbox-service= -delete.pod deleted file mode 100644 index 3b17b97..0000000 --- a/bin/virt-sandbox-service-delete.pod +++ /dev/null 
@@ -1,65 +0,0 @@ -=3Dhead1 NAME - -virt-sandbox-service delete - Delete a security container - -=3Dhead1 SYNOPSIS - - virt-sandbox-service [-c URI] delete [-h] [-p PATH] NAME - -=3Dhead1 DESCRIPTION - -virt-sandbox-service is used to manage secure sandboxed system services. -These applications will be launched via libvirt and run within a virtualiz= ation -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The -container / virtual machines will be secured by SELinux and resource -separated using cgroups. - -The delete command will delete a sandbox container. - -=3Dhead1 OPTIONS - -=3Dover 4 - -=3Ditem B<-h>, B<--help> - -Display help message - -=3Ditem B<-c URI>, B<--connect URI> - -The connection URI for the hypervisor (currently only LXC URIs are -supported). - -=3Ditem B<-p PATH>, B<--path PATH> - -Set path to delete container content from. This argument must match the va= lue of -the C<-p> arg given when creating the original source container. - -Default: C. - -=3Dback - -=3Dhead1 EXAMPLE - -Delete the httpd1 container - - # virt-sandbox-service delete httpd1 - -=3Dhead1 SEE ALSO - -C, C, C, C - -=3Dhead1 AUTHORS - -Daniel Walsh -Daniel P. Berrange - -=3Dhead1 COPYRIGHT - -Copyright (C) 2011-2013 Red Hat, Inc. - -=3Dhead1 LICENSE - -virt-sandbox is distributed under the terms of the GNU LGPL v2+. -This is free software; see the source for copying conditions. -There is NO warranty; not even for MERCHANTABILITY or FITNESS -FOR A PARTICULAR PURPOSE diff --git a/bin/virt-sandbox-service-execute.pod b/bin/virt-sandbox-servic= e-execute.pod deleted file mode 100644 index 62771eb..0000000 --- a/bin/virt-sandbox-service-execute.pod +++ /dev/null 
@@ -1,71 +0,0 @@ -=3Dhead1 NAME - -virt-sandbox-service execute - execute commands inside Secure container - -=3Dhead1 SYNOPSIS - -Execute a command within a security container - - virt-sandbox-service [-c URI] execute [-h] [-N] NAME -- COMMAND [ARG1 [A= RG2...]] - -=3Dhead1 DESCRIPTION - -virt-sandbox-service is used to manage secure sandboxed system services. -These applications will be launched via libvirt and run within a virtualiz= ation -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The -container / virtual machines will be secured by SELinux and resource -separated using cgroups. - -The execute subcommand is used to execute commands within an already runni= ng container. - -=3Dhead1 OPTIONS - -=3Dover 4 - -=3Ditem B<-h>, B<--help> - -Display help message - -=3Ditem B<-c> URI, B<--connect URI> - -The connection URI for the hypervisor (currently only LXC URIs are -supported). - -=3Ditem B<-N>, B<--noseclabel> - -Execute command within the container. - -=3Dback - -=3Dhead1 EXAMPLE - -Execute /bin/sh in httpd1 container - - # virt-sandbox-service execute httpd1 -- /bin/sh - -=3Dhead1 SEE ALSO - -C, C, C, C - -=3Dhead1 FILES - -Container content will be stored in subdirectories of -/var/lib/libvirt/filesystems, by default. You can manage the -content in these directories outside of the container and -processes within the container will see the content. - -=3Dhead1 AUTHORS - -Daniel Walsh -Daniel P. Berrange - -=3Dhead1 COPYRIGHT - -Copyright (C) 2011-2013 Red Hat, Inc. - -=3Dhead1 LICENSE - -virt-sandbox is distributed under the terms of the GNU LGPL v2+. -This is free software; see the source for copying conditions. -There is NO warranty; not even for MERCHANTABILITY or FITNESS -FOR A PARTICULAR PURPOSE diff --git a/bin/virt-sandbox-service-reload.pod b/bin/virt-sandbox-service= -reload.pod deleted file mode 100644 index fe6fbcc..0000000 --- a/bin/virt-sandbox-service-reload.pod +++ /dev/null 
@@ -1,63 +0,0 @@ -=3Dhead1 NAME - -virt-sandbox-service reload - Reload a security container - -=3Dhead1 SYNOPSIS - - virt-sandbox-service [-c URI] reload [-h] -u UNIT_FILE NAME - -=3Dhead1 DESCRIPTION - -virt-sandbox-service is used to manage secure sandboxed system services. -These applications will be launched via libvirt and run within a virtualiz= ation -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The -container / virtual machines will be secured by SELinux and resource -separated using cgroups. - -The reload command will reload a sandbox container. This is used when sof= tware is updated outside of a container and processes within the container = need to reload or restart. For example, if you update your httpd software,= and you had a running container that was using the httpd service, systemd = would send the reload to the container. - -=3Dhead1 OPTIONS - -=3Dover 4 - -=3Ditem B<-h>, B<--help> - -Display help message - -=3Ditem B<-c URI>, B<--connect URI> - -The connection URI for the hypervisor (currently only LXC URIs are -supported). - -=3Ditem B<-u UNIT_FILE>, B<--unitfile UNIT_FILE> - -Name of the systemd unit file to reload within the container. Can be repea= ted -if multiple unit files need to be reloaded within the sandbox. - -=3Dback - -=3Dhead1 EXAMPLE - -Reload the httpd1 container - - # virt-sandbox-service reload -u httpd.service httpd1 - -=3Dhead1 SEE ALSO - -C, C, C, C - -=3Dhead1 AUTHORS - -Daniel Walsh -Daniel P. Berrange - -=3Dhead1 COPYRIGHT - -Copyright (C) 2011-2013 Red Hat, Inc. - -=3Dhead1 LICENSE - -virt-sandbox is distributed under the terms of the GNU LGPL v2+. -This is free software; see the source for copying conditions. -There is NO warranty; not even for MERCHANTABILITY or FITNESS -FOR A PARTICULAR PURPOSE diff --git a/bin/virt-sandbox-service-upgrade.pod b/bin/virt-sandbox-servic= e-upgrade.pod deleted file mode 100644 index 76eb428..0000000 --- a/bin/virt-sandbox-service-upgrade.pod +++ /dev/null 
@@ -1,74 +0,0 @@ -=3Dhead1 NAME - -virt-sandbox-service upgrade - upgrade an existing Secure container - -=3Dhead1 SYNOPSIS - -Upgrade a Security container - - virt-sandbox-service [-c URI] upgrade NAME - -=3Dhead1 DESCRIPTION - -virt-sandbox-service is used to manage secure sandboxed system services. -These applications will be launched via libvirt and run within a virtualiz= ation -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The -container / virtual machines will be secured by SELinux and resource -separated using cgroups. - -The upgrade command will update the config files for NAME to be compatible -with the currently installed software version. NB this works in an upgrade -direction only, it is not possible to install older versions of the softwa= re -and use this command to downgrade the configs. - -If you have editted the main sandbox configuration file manually, this -command can also be used to update the libvirt guest configuration to -match it. - -=3Dhead1 OPTIONS - -=3Dover 4 - -=3Ditem B<-h>, B<--help> - -Display help message - -=3Ditem B<-c URI>, B<--connect URI> - -The connection URI for the hypervisor (currently only LXC URIs are -supported). - -=3Dback - -=3Dhead1 EXAMPLE - -Execute /bin/sh in httpd1 container - - # virt-sandbox-service upgrade httpd - -=3Dhead1 SEE ALSO - -C, C, C, C - -=3Dhead1 FILES - -Container content will be stored in subdirectories of -/var/lib/libvirt/filesystems, by default. You can manage the -content in these directories outside of the container and -processes within the container will see the content. - -=3Dhead1 AUTHORS - -Daniel Walsh -Daniel P. Berrange - -=3Dhead1 COPYRIGHT - -Copyright (C) 2011-2013 Red Hat, Inc. - -=3Dhead1 LICENSE - -virt-sandbox is distributed under the terms of the GNU LGPL v2+. -This is free software; see the source for copying conditions. -There is NO warranty; not even for MERCHANTABILITY or FITNESS -FOR A PARTICULAR PURPOSE 
diff --git a/bin/virt-sandbox-service-util.c b/bin/virt-sandbox-service-uti= l.c deleted file mode 100644 index a0e090d..0000000 --- a/bin/virt-sandbox-service-util.c +++ /dev/null 
@@ -1,305 +0,0 @@ -/* - * virt-sandbox-service-util.c: libvirt sandbox service util command - * - * Copyright (C) 2012-2013 Red Hat, Inc. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1 of the License, or (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - * Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public - * License along with this library; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-13= 01 USA - * - * Author: Daniel J Walsh - * Author: Daniel P. Berrange - */ - -#include - -#include -#include - -#define STREQ(x,y) (strcmp(x,y) =3D=3D 0) - -static gboolean do_close(GVirSandboxConsole *con G_GNUC_UNUSED, - gboolean error G_GNUC_UNUSED, - gpointer opaque) -{ - GMainLoop *loop =3D opaque; - g_main_loop_quit(loop); - return FALSE; -} - - -static void libvirt_sandbox_version(void) -{ - g_print(_("%s version %s\n"), PACKAGE, VERSION); - exit(EXIT_SUCCESS); -} - - -static GVirSandboxContext *libvirt_sandbox_get_context(const char *uri, - const char *name) -{ - GVirSandboxConfig *config =3D NULL; - GVirSandboxContextService *ctx =3D NULL; - GError *err =3D NULL; - GVirConnection *conn =3D NULL; - gchar *configfile =3D NULL; - - configfile =3D g_strdup_printf("/etc/libvirt-sandbox/services/%s/confi= g/sandbox.cfg", name); - - if (uri) - conn =3D gvir_connection_new(uri); - else - conn =3D gvir_connection_new("lxc:///"); - - if (!gvir_connection_open(conn, NULL, &err)) { - g_printerr(_("Unable to open connection: %s\n"), - err && err->message ? 
err->message : _("unknown")); - goto cleanup; - } - - if (!(config =3D gvir_sandbox_config_load_from_path(configfile, &err))= ) { - g_printerr(_("Unable to read config file %s: %s\n"), configfile, - err && err->message ? err->message : _("unknown")); - goto cleanup; - } - - if (!(ctx =3D gvir_sandbox_context_service_new(conn, GVIR_SANDBOX_CONF= IG_SERVICE(config)))) { - g_printerr(_("Unable to create new context service: %s\n"), - err && err->message ? err->message : _("unknown")); - goto cleanup; - } - -cleanup: - g_free(configfile); - if (conn) - g_object_unref(conn); - if (config) - g_object_unref(config); - - return ctx ? GVIR_SANDBOX_CONTEXT(ctx) : NULL; -} - -static int container_start(const char *uri, const char *name, GMainLoop *l= oop) -{ - int ret =3D EXIT_FAILURE; - GError *err =3D NULL; - GVirSandboxConsole *con =3D NULL; - GVirSandboxContext *ctx =3D NULL; - - if (!(ctx =3D libvirt_sandbox_get_context(uri, name))) - goto cleanup; - - if (!(gvir_sandbox_context_start(ctx, &err))) { - g_printerr(_("Unable to start container: %s\n"), - err && err->message ? err->message : _("unknown")); - goto cleanup; - } - - if (!(con =3D gvir_sandbox_context_get_log_console(ctx, &err))) { - g_printerr(_("Unable to get log console for container: %s\n"), - err && err->message ? err->message : _("unknown")); - goto cleanup; - } - - gvir_sandbox_console_set_direct(con, TRUE); - - g_signal_connect(con, "closed", (GCallback)do_close, loop); - - if (gvir_sandbox_console_attach_stderr(con, &err) < 0) { - g_printerr(_("Unable to attach console to stderr in the container:= %s\n"), - err && err->message ? err->message : _("unknown")); - goto cleanup; - } - - /* Stop holding open libvirt connection */ - if (gvir_sandbox_console_isolate(con, &err) < 0) { - g_printerr(_("Unable to disconnect console from libvirt: %s\n"), - err && err->message ? 
err->message : _("unknown")); - goto cleanup; - } - - gvir_sandbox_context_detach(ctx, NULL); - g_object_unref(ctx); - ctx =3D NULL; - - g_main_loop_run(loop); - - ret =3D EXIT_SUCCESS; - -cleanup: - if (ctx) - g_object_unref(ctx); - if (con) - g_object_unref(con); - return ret; -} - -static int container_attach(const char *uri, const char *name, GMainLoop *= loop) -{ - int ret =3D EXIT_FAILURE; - GError *err =3D NULL; - GVirSandboxConsole *con =3D NULL; - GVirSandboxContext *ctx =3D NULL; - - if (!(ctx =3D libvirt_sandbox_get_context(uri, name))) - goto cleanup; - - if (!(gvir_sandbox_context_attach(ctx, &err))) { - g_printerr(_("Unable to attach to container: %s\n"), - err && err->message ? err->message : _("unknown")); - goto cleanup; - } - - if (!(con =3D gvir_sandbox_context_get_shell_console(ctx, &err))) { - g_printerr(_("Unable to get shell console for container: %s\n"), - err && err->message ? err->message : _("unknown")); - goto cleanup; - } - - gvir_sandbox_console_set_direct(con, TRUE); - - g_signal_connect(con, "closed", (GCallback)do_close, loop); - - if (!(gvir_sandbox_console_attach_stdio(con, &err))) { - g_printerr(_("Unable to attach to container: %s\n"), - err && err->message ? err->message : _("unknown")); - goto cleanup; - } - - /* Stop holding open libvirt connection */ - if (gvir_sandbox_console_isolate(con, &err) < 0) { - g_printerr(_("Unable to disconnect console from libvirt: %s\n"), - err && err->message ? 
err->message : _("unknown")); - goto cleanup; - } - - gvir_sandbox_context_detach(ctx, NULL); - - g_object_unref(ctx); - ctx =3D NULL; - - g_main_loop_run(loop); - - ret =3D EXIT_SUCCESS; - -cleanup: - if (ctx) - g_object_unref(ctx); - if (con) - g_object_unref(con); - return ret; -} - - -static int (*container_func)(const char *uri, const char *name, GMainLoop = *loop) =3D NULL; - -static gboolean libvirt_lxc_start(const gchar *option_name, - const gchar *value, - const gpointer *data, - const GError **error) - -{ - if (container_func) return FALSE; - container_func =3D container_start; - return TRUE; -} - -static gboolean libvirt_lxc_attach(const gchar *option_name, - const gchar *value, - const gpointer *data, - const GError **error) - -{ - if (container_func) return FALSE; - container_func =3D container_attach; - return TRUE; -} - -int main(int argc, char **argv) -{ - GError *err =3D NULL; - GMainLoop *loop =3D NULL; - int ret =3D EXIT_FAILURE; - pid_t pid =3D 0; - gchar *uri =3D NULL; - - gchar **cmdargs =3D NULL; - GOptionContext *context; - GOptionEntry options[] =3D { - { "version", 'V', G_OPTION_FLAG_NO_ARG, G_OPTION_ARG_CALLBACK, - libvirt_sandbox_version, N_("Display version information"), NULL= }, - { "start", 's', G_OPTION_FLAG_NO_ARG, G_OPTION_ARG_CALLBACK, - libvirt_lxc_start, N_("Start a container"), NULL }, - { "attach", 'a', G_OPTION_FLAG_NO_ARG, G_OPTION_ARG_CALLBACK, - libvirt_lxc_attach, N_("Attach to a container"), NULL }, - { "pid", 'p', 0, G_OPTION_ARG_INT, &pid, - N_("Pid of process in container to which the command will run"),= "PID"}, - { "connect", 'c', 0, G_OPTION_ARG_STRING, &uri, - N_("Connect to hypervisor Default:'lxc:///'"), "URI"}, - { G_OPTION_REMAINING, '\0', 0, G_OPTION_ARG_STRING_ARRAY, &cmdargs, - NULL, "CONTAINER_NAME" }, - { NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL, NULL } - }; - const char *help_msg =3D N_("Run 'virt-sandbox-service-util --help' to= see a full list of available command line options\n"); - - 
setlocale(LC_ALL, ""); - bindtextdomain(PACKAGE, LOCALEDIR); - bind_textdomain_codeset(PACKAGE, "UTF-8"); - textdomain(PACKAGE); - - if (!gvir_sandbox_init_check(&argc, &argv, &err)) - exit(EXIT_FAILURE); - - context =3D g_option_context_new (_("- Libvirt Sandbox Service")); - g_option_context_add_main_entries (context, options, NULL); - g_option_context_parse (context, &argc, &argv, &err); - - if (err) { - g_printerr("%s\n%s\n", - err->message, - gettext(help_msg)); - goto cleanup; - } - - if ( container_func =3D=3D NULL ) { - g_printerr(_("Invalid command: You must specify --start or --attac= h\n%s"), - gettext(help_msg)); - goto cleanup; - } - - if (!cmdargs || !cmdargs[0] ) { - g_printerr(_("Invalid command CONTAINER_NAME required: %s"), - gettext(help_msg)); - goto cleanup; - } - - g_option_context_free(context); - - g_set_application_name(_("Libvirt Sandbox Service")); - - loop =3D g_main_loop_new(g_main_context_default(), 1); - ret =3D container_func(uri, cmdargs[0], loop); - g_main_loop_unref(loop); - -cleanup: - exit(ret); -} - -/* - * Local variables: - * c-indent-level: 4 - * c-basic-offset: 4 - * indent-tabs-mode: nil - * tab-width: 8 - * End: - */ diff --git a/bin/virt-sandbox-service.logrotate b/bin/virt-sandbox-service.= logrotate deleted file mode 100644 index 6bb7d68..0000000 --- a/bin/virt-sandbox-service.logrotate +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh -for name in `/usr/bin/virsh -c lxc:/// -q list | awk '{print $2}'` -do - if test -d "/etc/libvirt-sandbox/services/$name" - then - /usr/bin/virt-sandbox-service -c lxc:/// execute $name -- /etc/cro= n.daily/logrotate - fi -done -exit 0 diff --git a/bin/virt-sandbox-service.pod b/bin/virt-sandbox-service.pod deleted file mode 100644 index e6f0739..0000000 --- a/bin/virt-sandbox-service.pod +++ /dev/null 
@@ -1,85 +0,0 @@ -=3Dhead1 NAME - -virt-sandbox-service - Secure container tool - -=3Dhead1 SYNOPSIS - - {create,clone,connect,delete,execute,reload,upgrade} - - commands: - - create create a sandbox container - - clone Clone an existing sandbox container - - connect Connect to a sandbox container - - delete Delete a sandbox container - - execute Execute a command within a sandbox container - - reload Reload a running sandbox container - - upgrade Upgrade an existing sandbox container - -=3Dhead1 DESCRIPTION - -virt-sandbox-service is used to provision secure sandboxed system services. -These applications will be launched via libvirt and run within a virtualiz= ation -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The -container / virtual machines will be secured by SELinux and resource -separated using cgroups. - -By default, it will use the libvirt LXC driver, with the C URI. -This is different from libvirt's normal behaviour, which is to probe -for the best URI to use. Thus if using C to get a list of container= s, -one must specify an explicit URI for it, C. Alternatively -the C environment variable can be set, or the config -file C can have a default URI set. - -=3Dhead1 OPTIONS - -=3Dover 4 - -=3Ditem B<-h>, B<--help> - -Display help message - -=3Ditem B<-c URI>, B<--connect URI> - -The connection URI for the hypervisor (currently only LXC URIs are -supported). - -=3Dback - -=3Dhead1 SEE ALSO - -C, C, C, C, -C, C, -C, C, -C, C, -C - -=3Dhead1 FILES - -Container content will be stored in subdirectories of -/var/lib/libvirt/filesystems, by default. You can manage the -content in these directories outside of the container and -processes within the container will see the content. - -=3Dhead1 AUTHORS - -Daniel Walsh - -Daniel P. Berrange - -=3Dhead1 COPYRIGHT - -Copyright (C) 2011-2013 Red Hat, Inc. - -=3Dhead1 LICENSE - -virt-sandbox is distributed under the terms of the GNU LGPL v2+. 
-This is free software; see the source for copying conditions. -There is NO warranty; not even for MERCHANTABILITY or FITNESS -FOR A PARTICULAR PURPOSE diff --git a/cfg.mk b/cfg.mk index 37e5050..39b54f6 100644 --- a/cfg.mk +++ b/cfg.mk @@ -129,6 +129,6 @@ prev_version_file =3D /dev/null =20 exclude_file_name_regexp--sc_libvirt_unmarked_diagnostics =3D ^libvirt-san= dbox/tests =20 -exclude_file_name_regexp--sc_bindtextdomain =3D ^(libvirt-sandbox/tests)|(= libvirt-sandbox/libvirt-sandbox-init-*)|(bin/virt-sandbox.c)|(bin/virt-sand= box-service-util.c) +exclude_file_name_regexp--sc_bindtextdomain =3D ^(libvirt-sandbox/tests)|(= libvirt-sandbox/libvirt-sandbox-init-*)|(bin/virt-sandbox.c) =20 exclude_file_name_regexp--sc_preprocessor_indentation =3D ^*/*.[ch] diff --git a/libvirt-sandbox.spec.in b/libvirt-sandbox.spec.in index f5868c1..125a361 100644 --- a/libvirt-sandbox.spec.in +++ b/libvirt-sandbox.spec.in @@ -101,17 +101,10 @@ rm -rf $RPM_BUILD_ROOT =20 %files %defattr(-,root,root,-) -%{_datadir}/bash-completion/completions/virt-sandbox-service -%config(noreplace) %{_sysconfdir}/cron.daily/virt-sandbox-service.logrotate -%dir %{_sysconfdir}/libvirt-sandbox/services %{_bindir}/virt-sandbox -%{_bindir}/virt-sandbox-service %{_bindir}/virt-sandbox-image -%{_libexecdir}/virt-sandbox-service-util %{python3_sitelib}/libvirt_sandbox %{_mandir}/man1/virt-sandbox.1* -%{_mandir}/man1/virt-sandbox-service.1* -%{_mandir}/man1/virt-sandbox-service-*.1* =20 %files libs -f %{name}.lang %defattr(-,root,root,-) diff --git a/libvirt-sandbox/tests/containers_test.sh b/libvirt-sandbox/tes= ts/containers_test.sh deleted file mode 100755 index 9b2a716..0000000 --- a/libvirt-sandbox/tests/containers_test.sh +++ /dev/null 
@@ -1,37 +0,0 @@ -#!/bin/bash -# -# Simple script to setup hundreds of containers at the same time -# -# In order to create 100 containers execute -# containers_test.sh create apache 100 -# Start -# containers_test.sh start apache 100 -# Stop -# containers_test.sh stop apache 100 -# Delete -# containers_test.sh delete apache 100 -# - -create() { - virt-sandbox-service create -C -l s0:c$2 -u httpd.service $1 -} - -delete() { - virt-sandbox-service delete $1 -} - -start() { - systemctl start httpd@$1.service -} - -stop() { - systemctl stop httpd@$1.service -} - -command=3D$1 -name=3D$2 -repeat=3D$3 -for i in $(seq 1 $repeat) -do - eval $command $name$i $i -done diff --git a/po/POTFILES.in b/po/POTFILES.in index 724c49c..6c500b2 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -1,5 +1,4 @@ bin/virt-sandbox.c -bin/virt-sandbox-service-util.c libvirt-sandbox/libvirt-sandbox-builder-initrd.c libvirt-sandbox/libvirt-sandbox-builder-machine.c libvirt-sandbox/libvirt-sandbox-config.c --=20 2.14.3 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
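Review bot: in the libvirt-sandbox.spec.in hunk, dropping ownership of `%dir %{_sysconfdir}/libvirt-sandbox/services`, `%{_bindir}/virt-sandbox-service` and `%{_libexecdir}/virt-sandbox-service-util` leaves existing installs with nothing to clean up after themselves: the per-service `sandbox.cfg` trees under that directory and the `httpd@NAME.service` units that `create` wrote into `/etc/systemd/system` (see the EXAMPLE in the deleted create pod) stay behind on upgrade, pointing at a binary that no longer exists, and the `%config(noreplace)` cron.daily logrotate script only goes away if it was never edited. Suggest a NEWS/commit-message line telling admins to delete their virt-sandbox-service containers before upgrading, and a `%preun` or `%postun` warning when `%{_sysconfdir}/libvirt-sandbox/services` is non-empty. Also confirm the matching bin/Makefile.am install rules for the bash-completion file and the logrotate script are dropped in the same series, since this hunk stops packaging them.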
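Review bot: the virt-sandbox-service*.pod deletions remove every page that the deleted virt-sandbox-service.pod lists in its SEE ALSO, but no surviving man page is touched in this diff; the spec hunk still installs `%{_mandir}/man1/virt-sandbox.1*`, so check that virt-sandbox.pod (and any docs index or README) no longer cross-references virt-sandbox-service(1), otherwise the remaining pages point at a man page that no longer ships.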
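Review bot: the cfg.mk and po/POTFILES.in hunks are consistent with removing bin/virt-sandbox-service-util.c, but POTFILES.in is only the input list: the generated .pot and the per-language .po files still carry that file's strings (the `_("Unable to open connection: %s\n")` family visible in the deleted source) until they are regenerated. If the pot is rebuilt at release time this is fine; otherwise regenerate it here so translators are not handed dead strings.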