LGTM, thanks
On Wed, Aug 27, 2014 at 10:17 PM, Yuto KAWAMURA(kawamuray) < [email protected]> wrote:
> This patch adds a new hvparam "lxc_devices" to the LXC hypervisor.
> This parameter specifies the access control list for direct device
> access from inside the LXC container.
> The default value of this parameter was hardcoded, but making this
> parameter an hvparam is worthwhile for users customizability.
>
> Signed-off-by: Yuto KAWAMURA(kawamuray) <[email protected]>
> ---
> lib/hypervisor/hv_lxc.py | 18 ++++--------------
> man/gnt-instance.rst | 23 +++++++++++++++++++++++
> src/Ganeti/Constants.hs | 20 ++++++++++++++++++++
> 3 files changed, 47 insertions(+), 14 deletions(-)
>
> diff --git a/lib/hypervisor/hv_lxc.py b/lib/hypervisor/hv_lxc.py
> index f24f5a4..58acfac 100644
> --- a/lib/hypervisor/hv_lxc.py
> +++ b/lib/hypervisor/hv_lxc.py
> @@ -70,18 +70,6 @@ class LXCHypervisor(hv_base.BaseHypervisor):
> "lxc-wait",
> ]
>
> - _DEVS = [
> - "c 1:3", # /dev/null
> - "c 1:5", # /dev/zero
> - "c 1:7", # /dev/full
> - "c 1:8", # /dev/random
> - "c 1:9", # /dev/urandom
> - "c 1:10", # /dev/aio
> - "c 5:0", # /dev/tty
> - "c 5:1", # /dev/console
> - "c 5:2", # /dev/ptmx
> - "c 136:*", # first block of Unix98 PTY slaves
> - ]
> _DIR_MODE = 0755
> _UNIQ_SUFFIX = ".conf"
> _STASH_KEY_ALLOCATED_LOOP_DEV = "allocated_loopdev"
> @@ -89,6 +77,7 @@ class LXCHypervisor(hv_base.BaseHypervisor):
> PARAMETERS = {
> constants.HV_CPU_MASK: hv_base.OPT_CPU_MASK_CHECK,
> constants.HV_LXC_CGROUP_USE: hv_base.NO_CHECK,
> + constants.HV_LXC_DEVICES: hv_base.NO_CHECK,
> constants.HV_LXC_DROP_CAPABILITIES: hv_base.NO_CHECK,
> constants.HV_LXC_STARTUP_WAIT: hv_base.OPT_NONNEGATIVE_INT_CHECK,
> }
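Review bot: `constants.HV_LXC_DEVICES: hv_base.NO_CHECK` accepts any string, yet this value is the container's device ACL and (per the later hunk) is written verbatim into `lxc.cgroup.devices.allow` lines, so a typo or malformed entry is only discovered when lxc-start rejects the config at instance start, and an entry such as `a` or `b *:* rwm` silently hands the container every host device, undoing the `lxc.cgroup.devices.deny = a` isolation the hypervisor sets up. The parameter deserves a syntax check at set time in the style of `OPT_CPU_MASK_CHECK`: assuming hv_base's check tuples are `(required, check_fn, errstr, postcheck_fn, posterrstr)`, something like `(False, lambda x: all(re.match(r"^[abc] (\*|\d+):(\*|\d+) [rwm]{1,3}$", s.strip()) for s in x.split(",")), "must be a comma-separated list of 'TYPE MAJOR:MINOR ACCESS' device specs", None, None)`. That check would also refuse embedded newlines, which would otherwise let a crafted hvparam inject arbitrary `lxc.*` keys into the generated config, unless the generic hvparam layer already strips them (not visible here). Whether the `a` type should be allowed at all is a policy call, but the man page should at least say it disables device isolation. The enclosing class LXCHypervisor starts and ends outside this hunk.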
> @@ -518,8 +507,9 @@ class LXCHypervisor(hv_base.BaseHypervisor):
> # Device control
> # deny direct device access
> out.append("lxc.cgroup.devices.deny = a")
> - for devinfo in self._DEVS:
> - out.append("lxc.cgroup.devices.allow = %s rw" % devinfo)
> + dev_specs = instance.hvparams[constants.HV_LXC_DEVICES]
> + for dev_spec in dev_specs.split(","):
> + out.append("lxc.cgroup.devices.allow = %s" % dev_spec)
>
> # Networking
> for idx, nic in enumerate(instance.nics):
> diff --git a/man/gnt-instance.rst b/man/gnt-instance.rst
> index 2a42ba2..5e0fe49 100644
> --- a/man/gnt-instance.rst
> +++ b/man/gnt-instance.rst
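Review bot: `dev_specs.split(",")` passes each raw piece straight into the config, so `lxc_devices=""` — the obvious way to say "no devices at all", and a value the string hvparam type evidently accepts given `lxc_cgroup_use`'s empty default — emits a dangling `lxc.cgroup.devices.allow = ` line instead of leaving only the preceding `deny = a`, and a value written as `"c 1:3 rw, c 1:5 rw"` emits an entry with a leading space whose acceptance by LXC I would not rely on. Normalise the list before emitting it: `for dev_spec in filter(None, (s.strip() for s in dev_specs.split(","))):`. The method generating this config starts and ends outside the hunk.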
> @@ -918,6 +918,29 @@ lxc\_drop\_capabilities
>
> The default value is ``mac_override,sys_boot,sys_module,sys_time``.
>
> +lxc\_devices
> + Valid for the LXC hypervisor.
> +
> + This option specifies the list of devices that can be accessed
> + from inside of the LXC container.
> + Each value of this option must have the same form as the
> + lxc.cgroup.devices.allow configuration parameter of
> + **lxc.container.conf**\(5). It consists of the type(a: all,
> + b: block, c: character), the major-minor pair, and the access type
> + sequence(r: read, w: write, m: mknod), e.g. "c 1:3 rw".
> + If you'd like to allow the LXC container to access /dev/null and
> + /dev/zero with read-write access, you can set this parameter to:
> + "c 1:3 rw,c 1:5 rw".
> + The LXC hypervisor drops all direct device access by default, so
> + if you want to allow the LXC container to access an additional
> + device which is not included in the default value of this
> + parameter, you have to set this parameter manually.
> +
> + By default, this parameter contains (/dev/null, /dev/zero,
> + /dev/full, /dev/random, /dev/urandom, /dev/aio, /dev/tty,
> + /dev/console, /dev/ptmx and first block of Unix98 PTY slaves) with
> + read-writable(rw) access.
> +
> The ``-O (--os-parameters)`` option allows customisation of the OS
> parameters. The actual parameter names and values depend on the OS being
> used, but the syntax is the same key=value. For example, setting a
> diff --git a/src/Ganeti/Constants.hs b/src/Ganeti/Constants.hs
> index c5994d4..3dec5f5 100644
> --- a/src/Ganeti/Constants.hs
> +++ b/src/Ganeti/Constants.hs
> @@ -520,6 +520,21 @@ socatUseEscape :: Bool
> socatUseEscape = AutoConf.socatUseEscape
>
> -- * LXC
> +-- If you are trying to change the value of these default constants, you
> also
> +-- need to edit the default value declaration in man/gnt-instance.rst.
> +lxcDevicesDefault :: String
> +lxcDevicesDefault =
> + "c 1:3 rw" -- /dev/null
> + ++ ",c 1:5 rw" -- /dev/zero
> + ++ ",c 1:7 rw" -- /dev/full
> + ++ ",c 1:8 rw" -- /dev/random
> + ++ ",c 1:9 rw" -- /dev/urandom
> + ++ ",c 1:10 rw" -- /dev/aio
> + ++ ",c 5:0 rw" -- /dev/tty
> + ++ ",c 5:1 rw" -- /dev/console
> + ++ ",c 5:2 rw" -- /dev/ptmx
> + ++ ",c 136:* rw" -- first block of Unix98 PTY slaves
> +
> lxcDropCapabilitiesDefault :: String
> lxcDropCapabilitiesDefault =
> "mac_override" -- Allow MAC configuration or state changes
> @@ -1677,6 +1692,9 @@ hvLxcStartupWait = "lxc_startup_wait"
> hvLxcCgroupUse :: String
> hvLxcCgroupUse = "lxc_cgroup_use"
>
> +hvLxcDevices :: String
> +hvLxcDevices = "lxc_devices"
> +
> hvLxcDropCapabilities :: String
> hvLxcDropCapabilities = "lxc_drop_capabilities"
>
> @@ -1843,6 +1861,7 @@ hvsParameterTypes = Map.fromList
> , (hvKvmUseChroot, VTypeBool)
> , (hvKvmUserShutdown, VTypeBool)
> , (hvLxcCgroupUse, VTypeString)
> + , (hvLxcDevices, VTypeString)
> , (hvLxcDropCapabilities, VTypeString)
> , (hvLxcStartupWait, VTypeInt)
> , (hvMemPath, VTypeString)
> @@ -3926,6 +3945,7 @@ hvcDefaults =
> , (Lxc, Map.fromList
> [ (hvCpuMask, PyValueEx "")
> , (hvLxcCgroupUse, PyValueEx "")
> + , (hvLxcDevices, PyValueEx lxcDevicesDefault)
> , (hvLxcDropCapabilities, PyValueEx lxcDropCapabilitiesDefault)
> , (hvLxcStartupWait, PyValueEx (30 :: Int))
> ])
> --
> 2.0.4
> > Hrvoje Ribicic Ganeti Engineering Google Germany GmbH Dienerstr. 12, 80331, München Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores Steuernummer: 48/725/00206 Umsatzsteueridentifikationsnummer: DE813741370
