This patch adds the new hvparam "lxc_drop_capabilities" to the LXC hypervisor. This parameter specifies the list of capabilities that should be dropped for the LXC container. The default value of this parameter was hardcoded; exposing it as a hvparam is worthwhile for user customizability.
Signed-off-by: Yuto KAWAMURA(kawamuray) <[email protected]>
---
 lib/hypervisor/hv_lxc.py | 24 +++++++++++++++---------
 man/gnt-instance.rst | 17 +++++++++++++++++
 src/Ganeti/Constants.hs | 18 +++++++++++++++---
 3 files changed, 47 insertions(+), 12 deletions(-)

diff --git a/lib/hypervisor/hv_lxc.py b/lib/hypervisor/hv_lxc.py
index 7293659..dfd47e6 100644
--- a/lib/hypervisor/hv_lxc.py
+++ b/lib/hypervisor/hv_lxc.py
@@ -81,14 +81,6 @@ class LXCHypervisor(hv_base.BaseHypervisor):
 "c 5:2", # /dev/ptmx
 "c 136:*", # first block of Unix98 PTY slaves
 ]
- _DENIED_CAPABILITIES = [
- "mac_override", # Allow MAC configuration or state changes
- # TODO: remove sys_admin too, for safety
- #"sys_admin", # Perform a range of system administration operations
- "sys_boot", # Use reboot(2) and kexec_load(2)
- "sys_module", # Load and unload kernel modules
- "sys_time", # Set system clock, set real-time (hardware) clock
- ]
 _DIR_MODE = 0755
 _UNIQ_SUFFIX = ".conf"
 _STASH_KEY_ALLOCATED_LOOP_DEV = "allocated_loopdev"
@@ -96,6 +88,7 @@ class LXCHypervisor(hv_base.BaseHypervisor):
 PARAMETERS = {
 constants.HV_CPU_MASK: hv_base.OPT_CPU_MASK_CHECK,
 constants.HV_LXC_CGROUP_USE: hv_base.NO_CHECK,
+ constants.HV_LXC_DROP_CAPABILITIES: hv_base.NO_CHECK,
 constants.HV_LXC_STARTUP_WAIT: hv_base.OPT_NONNEGATIVE_INT_CHECK,
 }

@@ -413,6 +406,19 @@ class LXCHypervisor(hv_base.BaseHypervisor):
 data.append(info)
 return data

+ @classmethod
+ def _GetInstanceDropCapabilities(cls, hvparams):
+ """Get and parse the drop capabilities list from the instance hvparams.
+
+ @type hvparams: dict of strings
+ @param hvparams: instance hvparams
+ @rtype list(string)
+ @return list of drop capabilities
+
+ """
+ drop_caps = hvparams[constants.HV_LXC_DROP_CAPABILITIES]
+ return drop_caps.split(",")
+
 def _CreateConfigFile(self, instance, sda_dev_path):
 """Create an lxc.conf file for an instance.

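Review bot: `constants.HV_LXC_DROP_CAPABILITIES` is registered with `hv_base.NO_CHECK` in the PARAMETERS hunk, yet `_CreateConfigFile` writes each comma-separated entry verbatim into lxc.conf as `lxc.cap.drop = %s`, so a malformed value (stray whitespace, an empty entry, or characters that cannot be part of a capability name) is only noticed when the container fails to start. A parameter check that verifies every entry matches a capability-name pattern such as `[a-z0-9_]+` would reject bad input at `gnt-instance add`/`modify` time, where the error is actionable, instead of at instance start. The same applies to the hunk that adds `_GetInstanceDropCapabilities`, which performs no validation either.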
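Review bot: `drop_caps.split(",")` in `_GetInstanceDropCapabilities` returns `[""]` for an empty string and keeps surrounding whitespace, so a value of `""` (the convention the neighbouring `hvLxcCgroupUse` default uses) or `"sys_boot, sys_module"` produces an empty or space-prefixed `lxc.cap.drop = ` line in the config. Filtering and stripping the entries avoids that: `return [cap.strip() for cap in drop_caps.split(",") if cap.strip()]`. If an empty value is meant to drop nothing, the docstring should say so explicitly, since that setting weakens the container's confinement relative to the previous hard-coded list. Two epydoc fields in the docstring are also missing their colon, unlike `@type hvparams:` and `@param hvparams:` above them; they should read `@rtype: list of strings` and `@return: list of capability names to drop`.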
@@ -486,7 +492,7 @@ class LXCHypervisor(hv_base.BaseHypervisor):
 out.append("lxc.network.flags = up")

 # Capabilities
- for cap in self._DENIED_CAPABILITIES:
+ for cap in self._GetInstanceDropCapabilities(instance.hvparams):
 out.append("lxc.cap.drop = %s" % cap)

 return "\n".join(out) + "\n"
diff --git a/man/gnt-instance.rst b/man/gnt-instance.rst
index 181dc97..45b708b 100644
--- a/man/gnt-instance.rst
+++ b/man/gnt-instance.rst
@@ -901,6 +901,23 @@ lxc\_cgroup\_use
 If this parameter is not specified, a list will be built from info in /proc/cgroups.

+lxc\_drop\_capabilities
+ Valid for the LXC hypervisor.
+
+ This option specifies the list of capabilities should be dropped
+ for a LXC container.
+ The each value of this option must be in the form as same as the
+ lxc.cap.drop configuration parameter of the
+ **lxc.container.conf**\(5). It is the lower case of the capability
+ name without the "CAP_" prefix (e.g., "sys_module,sys_time").
+ See **capabilities**\(7) for more details about Linux capabilities.
+ Note that there are required capabilities by the LXC container
+ (see: **lxc.container.conf**\(5)).
+ Also note that the CAP_SYS_BOOT is required(should not be dropped)
+ to perform the soft reboot for the LXC container.
+
+ It is set to ``mac_override,sys_boot,sys_module,sys_time`` by default.
+
 The ``-O (--os-parameters)`` option allows customisation of the OS parameters. The actual parameter names and values depend on the OS being used, but the syntax is the same key=value. For example, setting a
diff --git a/src/Ganeti/Constants.hs b/src/Ganeti/Constants.hs
index 89459f6..d317361 100644
--- a/src/Ganeti/Constants.hs
+++ b/src/Ganeti/Constants.hs
@@ -520,6 +520,13 @@ socatUseEscape :: Bool
 socatUseEscape = AutoConf.socatUseEscape

 -- * LXC
+lxcDropCapabilitiesDefault :: String
+lxcDropCapabilitiesDefault =
+ "mac_override" -- Allow MAC configuration or state changes
+ ++ ",sys_boot" -- Use reboot(2) and kexec_load(2)
+ ++ ",sys_module" -- Load and unload kernel modules
+ ++ ",sys_time" -- Set system clock, set real-time (hardware) clock
+
 lxcStateRunning :: String
 lxcStateRunning = "RUNNING"
@@ -1670,6 +1677,9 @@ hvLxcStartupWait = "lxc_startup_wait"
 hvLxcCgroupUse :: String
 hvLxcCgroupUse = "lxc_cgroup_use"

+hvLxcDropCapabilities :: String
+hvLxcDropCapabilities = "lxc_drop_capabilities"
+
 hvMemPath :: String
 hvMemPath = "mem_path"
@@ -1833,6 +1843,7 @@ hvsParameterTypes = Map.fromList
 , (hvKvmUseChroot, VTypeBool)
 , (hvKvmUserShutdown, VTypeBool)
 , (hvLxcCgroupUse, VTypeString)
+ , (hvLxcDropCapabilities, VTypeString)
 , (hvLxcStartupWait, VTypeInt)
 , (hvMemPath, VTypeString)
 , (hvMigrationBandwidth, VTypeInt)
@@ -3913,9 +3924,10 @@ hvcDefaults =
 , (Fake, Map.fromList [(hvMigrationMode, PyValueEx htMigrationLive)])
 , (Chroot, Map.fromList [(hvInitScript, PyValueEx "/ganeti-chroot")])
 , (Lxc, Map.fromList
- [ (hvCpuMask, PyValueEx "")
- , (hvLxcCgroupUse, PyValueEx "")
- , (hvLxcStartupWait, PyValueEx (30 :: Int))
+ [ (hvCpuMask, PyValueEx "")
+ , (hvLxcCgroupUse, PyValueEx "")
+ , (hvLxcDropCapabilities, PyValueEx lxcDropCapabilitiesDefault)
+ , (hvLxcStartupWait, PyValueEx (30 :: Int))
 ])
 ]

-- 
2.0.4
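Review bot: `lxcDropCapabilitiesDefault` keeps `sys_boot` in the dropped set, while the man page text added in this same patch states that CAP_SYS_BOOT is required and should not be dropped in order to soft-reboot the container; one of the two needs to change, or the man page should state that the default deliberately disables soft reboot and that operators must remove `sys_boot` from the list to enable it. The `# TODO: remove sys_admin too, for safety` reminder on the removed Python list was not carried over, and since this Haskell constant is now where the default lives, a `-- TODO: consider dropping sys_admin as well` line above `"mac_override"` would keep that intent from being lost. The per-entry comments on the string concatenation are a good start, but a one-line note that this value is parsed by `_GetInstanceDropCapabilities` in hv_lxc.py as a plain comma-separated list (no whitespace) would tell the next editor what format the constant must keep.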
