LGTM, thanks
On Wed, Aug 27, 2014 at 10:17 PM, Yuto KAWAMURA(kawamuray) < [email protected]> wrote: > This patch adds the new hvparam "lxc_drop_capabilities" to the LXC > hypervisor. > This parameter specifies the list of capabilities which should be > dropped for the LXC container. > The default value of this parameter was hardcoded, but making this > parameter a hvparam improves user customizability. > > Signed-off-by: Yuto KAWAMURA(kawamuray) <[email protected]> > --- > lib/hypervisor/hv_lxc.py | 24 +++++++++++++++--------- > man/gnt-instance.rst | 17 +++++++++++++++++ > src/Ganeti/Constants.hs | 18 +++++++++++++++--- > 3 files changed, 47 insertions(+), 12 deletions(-) > > diff --git a/lib/hypervisor/hv_lxc.py b/lib/hypervisor/hv_lxc.py > index 7293659..dfd47e6 100644 > --- a/lib/hypervisor/hv_lxc.py > +++ b/lib/hypervisor/hv_lxc.py > @@ -81,14 +81,6 @@ class LXCHypervisor(hv_base.BaseHypervisor): > "c 5:2", # /dev/ptmx > "c 136:*", # first block of Unix98 PTY slaves > ] > - _DENIED_CAPABILITIES = [ > - "mac_override", # Allow MAC configuration or state changes > - # TODO: remove sys_admin too, for safety > - #"sys_admin", # Perform a range of system administration > operations > - "sys_boot", # Use reboot(2) and kexec_load(2) > - "sys_module", # Load and unload kernel modules > - "sys_time", # Set system clock, set real-time (hardware) > clock > - ] > _DIR_MODE = 0755 > _UNIQ_SUFFIX = ".conf" > _STASH_KEY_ALLOCATED_LOOP_DEV = "allocated_loopdev" > @@ -96,6 +88,7 @@ class LXCHypervisor(hv_base.BaseHypervisor): > PARAMETERS = { > constants.HV_CPU_MASK: hv_base.OPT_CPU_MASK_CHECK, > constants.HV_LXC_CGROUP_USE: hv_base.NO_CHECK, > + constants.HV_LXC_DROP_CAPABILITIES: hv_base.NO_CHECK, > constants.HV_LXC_STARTUP_WAIT: hv_base.OPT_NONNEGATIVE_INT_CHECK, > } 
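Review bot: `constants.HV_LXC_DROP_CAPABILITIES` is registered in PARAMETERS with `hv_base.NO_CHECK`, yet its value is later split on commas and written verbatim into the generated lxc.conf as `lxc.cap.drop = %s` (the @@ -486 hunk of this patch), so a stray space, a misspelled name or anything lxc treats as a line break ends up in a file that LXC parses as configuration. At best the container then fails at `lxc-start` time with an unhelpful error instead of being rejected at `gnt-instance modify` time; whether a newline in the value could smuggle in further `lxc.*` directives depends on escaping elsewhere in the hvparam path that this hunk does not show, so the check should not rely on it. A regex-backed check accepting only a comma-separated list of lower-case capability names — roughly `re.compile(r"^([a-z_]+(,[a-z_]+)*)?$").match`, wrapped the way hv_base builds its other check tuples — would reject such values up front, and the trailing `?` keeps an empty list settable, which the man page in this patch does not otherwise explain how to express. The PARAMETERS dict starts inside this hunk but the class it belongs to continues outside it.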
> > @@ -413,6 +406,19 @@ class LXCHypervisor(hv_base.BaseHypervisor): > data.append(info) > return data > > + @classmethod > + def _GetInstanceDropCapabilities(cls, hvparams): > + """Get and parse the drop capabilities list from the instance > hvparams. > + > + @type hvparams: dict of strings > + @param hvparams: instance hvparams > + @rtype list(string) > + @return list of drop capabilities > + > + """ > + drop_caps = hvparams[constants.HV_LXC_DROP_CAPABILITIES] > + return drop_caps.split(",") > + > def _CreateConfigFile(self, instance, sda_dev_path): > """Create an lxc.conf file for an instance. > > @@ -486,7 +492,7 @@ class LXCHypervisor(hv_base.BaseHypervisor): > out.append("lxc.network.flags = up") > > # Capabilities > - for cap in self._DENIED_CAPABILITIES: > + for cap in self._GetInstanceDropCapabilities(instance.hvparams): > out.append("lxc.cap.drop = %s" % cap) > > return "\n".join(out) + "\n" > diff --git a/man/gnt-instance.rst b/man/gnt-instance.rst > index 181dc97..2a42ba2 100644 > --- a/man/gnt-instance.rst > +++ b/man/gnt-instance.rst 
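Review bot: `_GetInstanceDropCapabilities` returns `drop_caps.split(",")` unfiltered, so an empty parameter yields `[""]` and a value written as `sys_module, sys_time` keeps the leading space; both reach the `lxc.cap.drop = %s` loop in the next hunk and produce a blank or space-prefixed directive whose treatment by lxc I would not want to depend on. Returning `[cap.strip() for cap in drop_caps.split(",") if cap.strip()]` makes "drop nothing" and sloppy spacing both well-defined. The epydoc fields also lost their colons: `@rtype list(string)` and `@return list of drop capabilities` should read `@rtype: list(string)` and `@return: list of drop capabilities`, matching the `@type`/`@param` lines above them. `_CreateConfigFile` begins in this hunk but its body continues outside it.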
> @@ -901,6 +901,23 @@ lxc\_cgroup\_use > If this parameter is not specified, a list will be built from info > in /proc/cgroups. > > +lxc\_drop\_capabilities > + Valid for the LXC hypervisor. > + > + This option specifies the list of capabilities which should be > + dropped for a LXC container. > + Each value of this option must be in the same form as the > + lxc.cap.drop configuration parameter of the > + **lxc.container.conf**\(5). It is the lower case of the capability > + name without the "CAP_" prefix (e.g., "sys_module,sys_time"). > + See **capabilities**\(7) for more details about Linux capabilities. > + Note that some capabilities are required by the LXC container > + (see: **lxc.container.conf**\(5)). > + Also note that the CAP_SYS_BOOT is required(should not be dropped) > + to perform the soft reboot for the LXC container. > + > + The default value is ``mac_override,sys_boot,sys_module,sys_time``. > + > The ``-O (--os-parameters)`` option allows customisation of the OS > parameters. The actual parameter names and values depend on the OS being > used, but the syntax is the same key=value. For example, setting a > diff --git a/src/Ganeti/Constants.hs b/src/Ganeti/Constants.hs > index 6bc1b9f..c5994d4 100644 > --- a/src/Ganeti/Constants.hs > +++ b/src/Ganeti/Constants.hs > @@ -520,6 +520,13 @@ socatUseEscape :: Bool > socatUseEscape = AutoConf.socatUseEscape > > -- * LXC > +lxcDropCapabilitiesDefault :: String > +lxcDropCapabilitiesDefault = > + "mac_override" -- Allow MAC configuration or state changes > + ++ ",sys_boot" -- Use reboot(2) and kexec_load(2) > + ++ ",sys_module" -- Load and unload kernel modules > + ++ ",sys_time" -- Set system clock, set real-time (hardware) clock > + > lxcStateRunning :: String > lxcStateRunning = "RUNNING" 
>
> @@ -1670,6 +1677,9 @@ hvLxcStartupWait = "lxc_startup_wait"
> hvLxcCgroupUse :: String
> hvLxcCgroupUse = "lxc_cgroup_use"
>
> +hvLxcDropCapabilities :: String
> +hvLxcDropCapabilities = "lxc_drop_capabilities"
> +
> hvMemPath :: String
> hvMemPath = "mem_path"
>
> @@ -1833,6 +1843,7 @@ hvsParameterTypes = Map.fromList
> , (hvKvmUseChroot, VTypeBool)
> , (hvKvmUserShutdown, VTypeBool)
> , (hvLxcCgroupUse, VTypeString)
> + , (hvLxcDropCapabilities, VTypeString)
> , (hvLxcStartupWait, VTypeInt)
> , (hvMemPath, VTypeString)
> , (hvMigrationBandwidth, VTypeInt)
> @@ -3913,9 +3924,10 @@ hvcDefaults =
> , (Fake, Map.fromList [(hvMigrationMode, PyValueEx htMigrationLive)])
> , (Chroot, Map.fromList [(hvInitScript, PyValueEx "/ganeti-chroot")])
> , (Lxc, Map.fromList
> - [ (hvCpuMask, PyValueEx "")
> - , (hvLxcCgroupUse, PyValueEx "")
> - , (hvLxcStartupWait, PyValueEx (30 :: Int))
> + [ (hvCpuMask, PyValueEx "")
> + , (hvLxcCgroupUse, PyValueEx "")
> + , (hvLxcDropCapabilities, PyValueEx lxcDropCapabilitiesDefault)
> + , (hvLxcStartupWait, PyValueEx (30 :: Int))
> ])
> ]
>
> --
> 2.0.4
>
Hrvoje Ribicic Ganeti Engineering Google Germany GmbH Dienerstr. 12, 80331, München Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores Steuernummer: 48/725/00206 Umsatzsteueridentifikationsnummer: DE813741370
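Review bot: In the `hvcDefaults` hunk the three `-`/`+` pairs for `hvCpuMask`, `hvLxcCgroupUse` and `hvLxcStartupWait` appear to differ only in alignment (whitespace is collapsed in the quoted mail, so this is inferred from the otherwise identical tokens), which turns a one-line addition into a seven-line hunk and makes `git blame` attribute every Lxc default to this commit. Keeping the existing entries byte-identical and adding only `, (hvLxcDropCapabilities, PyValueEx lxcDropCapabilitiesDefault)` in its alphabetical slot is the smaller change to review; if the re-alignment is wanted, it belongs in a separate whitespace-only commit.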
