Quoting Stéphane Graber (stgra...@ubuntu.com):
> This removes any existing uid check in the python3 binding and tools,
> replacing those by .controllable where appropriate.
>
> Extra checks are also added to make lxc-ls work as a user, returning as
> much information as can possibly be retrieved.
>
> Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hal...@ubuntu.com>
> ---
> src/lxc/lxc-device | 11 ++++-----
> src/lxc/lxc-ls | 51
> +++++++++++++++++++++++++++++-------------
> src/lxc/lxc-start-ephemeral.in | 5 -----
> src/python-lxc/lxc/__init__.py | 3 ---
> 4 files changed, 41 insertions(+), 29 deletions(-)
>
> diff --git a/src/lxc/lxc-device b/src/lxc/lxc-device
> index 9d24248..78be6ab 100644
> --- a/src/lxc/lxc-device
> +++ b/src/lxc/lxc-device
> @@ -66,14 +66,10 @@ subparser_add.add_argument(dest="name", metavar="NAME",
> nargs="?",
> args = parser.parse_args()
>
> # Some basic checks
> +## Check for valid action
> if not hasattr(args, "action"):
> parser.error(_("You must specify an action."))
>
> -## The user needs to be uid 0
> -if not os.geteuid() == 0:
> - parser.error(_("You must be root to run this script. Try running: sudo
> %s"
> - % (sys.argv[0])))
> -
> ## Don't rename if no alternative name
> if not args.name:
> args.name = args.device
> @@ -81,6 +77,11 @@ if not args.name:
> ## Check that the container is ready
> container = lxc.Container(args.container, args.lxcpath)
>
> +## Check that we have control over the container
> +if not container.controllable:
> + parser.error("Insufficent privileges to control: %s" % container.name)
> +
> +## Check that the container is running
> if not container.running:
> parser.error("The container must be running.")
>
> diff --git a/src/lxc/lxc-ls b/src/lxc/lxc-ls
> index 26c9684..b058bd0 100755
> --- a/src/lxc/lxc-ls
> +++ b/src/lxc/lxc-ls
> @@ -123,8 +123,7 @@ parser.add_argument("-P", "--lxcpath", dest="lxcpath",
> metavar="PATH",
> default=lxc.default_config_path)
>
> parser.add_argument("--active", action="store_true",
> - help=_("list only active containers "
> - "(same as --running --frozen)"))
> + help=_("list only active containers"))
>
> parser.add_argument("--frozen", dest="state", action="append_const",
> const="FROZEN", help=_("list only frozen containers"))
> @@ -153,7 +152,7 @@ args = parser.parse_args()
> if args.active:
> if not args.state:
> args.state = []
> - args.state += ["RUNNING", "FROZEN"]
> + args.state += ["RUNNING", "FROZEN", "UNKNOWN"]
>
> # If the output is piped, default to --one
> if not sys.stdout.isatty():
> @@ -166,25 +165,27 @@ lxcpath = os.environ.get('NESTED', args.lxcpath)
> args.fancy_format = args.fancy_format.strip().split(",")
>
> # Basic checks
> -## The user needs to be uid 0
> -if not os.geteuid() == 0 and (args.fancy or args.state):
> - parser.error(_("You must be root to access advanced container
> properties. "
> - "Try running: sudo %s"
> - % (sys.argv[0])))
> +## Check for setns
> +SUPPORT_SETNS = os.path.exists("/proc/self/ns")
> +SUPPORT_SETNS_NET = False
> +SUPPORT_SETNS_PID = False
> +if SUPPORT_SETNS:
> + SUPPORT_SETNS_NET = os.path.exists("/proc/self/ns/net")
> + SUPPORT_SETNS_PID = os.path.exists("/proc/self/ns/pid")
>
> ## Nesting requires setns to pid and net ns
> if args.nesting:
> - if not os.path.exists("/proc/self/ns/"):
> + if not SUPPORT_SETNS:
> parser.error(_("Showing nested containers requires setns support "
> "which your kernel doesn't support."))
>
> - if not "pid" in os.listdir("/proc/self/ns/"):
> + if not SUPPORT_SETNS_NET:
> parser.error(_("Showing nested containers requires setns to the "
> - "PID namespace which your kernel doesn't support."))
> + "network namespace which your kernel doesn't
> support."))
>
> - if not "net" in os.listdir("/proc/self/ns/"):
> + if not SUPPORT_SETNS_PID:
> parser.error(_("Showing nested containers requires setns to the "
> - "network namespace which your kernel doesn't
> support."))
> + "PID namespace which your kernel doesn't support."))
>
> # List of containers, stored as dictionaries
> containers = []
> @@ -203,8 +204,13 @@ for container_name in
> lxc.list_containers(config_path=lxcpath):
>
> container = lxc.Container(container_name, args.lxcpath)
>
> + if container.controllable:
> + state = container.state
> + else:
> + state = 'UNKNOWN'
> +
> # Filter by status
> - if args.state and container.state not in args.state:
> + if args.state and state not in args.state:
> continue
>
> # Nothing more is needed if we're not printing some fancy output
> @@ -214,17 +220,30 @@ for container_name in
> lxc.list_containers(config_path=lxcpath):
>
> # Some extra field we may want
> if 'state' in args.fancy_format or args.nesting:
> - entry['state'] = container.state
> + entry['state'] = state
>
> if 'pid' in args.fancy_format or args.nesting:
> entry['pid'] = "-"
> - if container.init_pid != -1:
> + if state == 'UNKNOWN':
> + entry['pid'] = state
> + elif container.init_pid != -1:
> entry['pid'] = str(container.init_pid)
>
> # Get the IPs
> for family, protocol in {'inet': 'ipv4', 'inet6': 'ipv6'}.items():
> if protocol in args.fancy_format or args.nesting:
> entry[protocol] = "-"
> +
> + if state == 'UNKNOWN':
> + entry[protocol] = state
> + continue
> +
> + # FIXME: We should get get_ips working as non-root
> + if container.running and (not SUPPORT_SETNS_NET \
> + or os.geteuid() != 0):
> + entry[protocol] = 'UNKNOWN'
> + continue
> +
> ips = container.get_ips(family=family)
> if ips:
> entry[protocol] = ", ".join(ips)
> diff --git a/src/lxc/lxc-start-ephemeral.in b/src/lxc/lxc-start-ephemeral.in
> index 0f0c398..118b1b5 100644
> --- a/src/lxc/lxc-start-ephemeral.in
> +++ b/src/lxc/lxc-start-ephemeral.in
> @@ -118,11 +118,6 @@ if not args.storage_type:
> if args.keep_data and args.storage_type == "tmpfs":
> parser.error(_("You can't use -k with the tmpfs storage type."))
>
> -## The user needs to be uid 0
> -if not os.geteuid() == 0:
> - parser.error(_("You must be root to run this script. Try running: sudo
> %s"
> - % (sys.argv[0])))
> -
> # Load the orig container
> orig = lxc.Container(args.orig, args.lxcpath)
> if not orig.defined:
> diff --git a/src/python-lxc/lxc/__init__.py b/src/python-lxc/lxc/__init__.py
> index c3d840c..e708781 100644
> --- a/src/python-lxc/lxc/__init__.py
> +++ b/src/python-lxc/lxc/__init__.py
> @@ -150,9 +150,6 @@ class Container(_lxc.Container):
> Creates a new Container instance.
> """
>
> - if os.geteuid() != 0:
> - raise Exception("Running as non-root.")
> -
> if config_path:
> _lxc.Container.__init__(self, name, config_path)
> else:
> --
> 1.8.5.1
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
