The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/4076
From dd803cb1ba68871188a6721086237b4d7bdd28dc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <[email protected]> Date: Tue, 5 Dec 2017 17:27:25 -0500 Subject: [PATCH 1/3] patches: Skip containers that don't have a devices dir MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber <[email protected]> --- lxd/patches.go | 1 + 1 file changed, 1 insertion(+) diff --git a/lxd/patches.go b/lxd/patches.go index 9ae7351c7..932fdb56b 100644 --- a/lxd/patches.go +++ b/lxd/patches.go @@ -2521,6 +2521,7 @@ func patchDevicesNewNamingScheme(name string, d *Daemon) error { return err } logger.Debugf("Container \"%s\" does not have on-disk devices", ct) + continue } onDiskDevices, err := devDir.Readdirnames(-1) From cee81d4318c2d1f7437265964a10c62c11a4c6c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <[email protected]> Date: Tue, 5 Dec 2017 17:41:50 -0500 Subject: [PATCH 2/3] doc: Move restrict_devlxd API extension to the end MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber <[email protected]> --- doc/api-extensions.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/api-extensions.md b/doc/api-extensions.md index 740d6e570..9f9a869ab 100644 --- a/doc/api-extensions.md +++ b/doc/api-extensions.md @@ -32,11 +32,6 @@ A number of new syscalls related container configuration keys were introduced. See [configuration.md](Configuration) for how to use them. -## restrict\_devlxd -A new security.devlxd container configuration key was introduced. -The key controls whether the /dev/lxd interface is made available to the container. -If set to false, this effectively prevents the container from interacting with the LXD daemon. - ## auth\_pki This indicates support for PKI authentication mode. 
@@ -364,3 +359,8 @@ This adds support for SR-IOV enabled network devices. ## console This adds support to interact with the container console device and console log. + +## restrict\_devlxd +A new security.devlxd container configuration key was introduced. +The key controls whether the /dev/lxd interface is made available to the container. +If set to false, this effectively prevents the container from interacting with the LXD daemon. From 48e91b211cd420daea2331a03c421ba4ec5869a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <[email protected]> Date: Tue, 5 Dec 2017 17:43:07 -0500 Subject: [PATCH 3/3] Allow live enabling/disabling of /dev/lxd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber <[email protected]> --- doc/containers.md | 2 +- lxd/container_lxc.go | 17 +++++++++++++++++ test/suites/devlxd.sh | 1 - 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/doc/containers.md b/doc/containers.md index 362e5303d..95ac3cbe0 100644 --- a/doc/containers.md +++ b/doc/containers.md 
@@ -45,12 +45,12 @@ raw.apparmor | blob | - | yes raw.idmap | blob | - | no | id\_map | Raw idmap configuration (e.g. "both 1000 1000") raw.lxc | blob | - | no | - | Raw LXC configuration to be appended to the generated one raw.seccomp | blob | - | no | container\_syscall\_filtering | Raw Seccomp configuration +security.devlxd | boolean | true | yes | restrict\_devlxd | Controls the presence of /dev/lxd in the container security.idmap.base | integer | - | no | id\_map\_base | The base host ID to use for the allocation (overrides auto-detection) security.idmap.isolated | boolean | false | no | id\_map | Use an idmap for this container that is unique among containers with isolated set. security.idmap.size | integer | - | no | id\_map | The size of the idmap to use security.nesting | boolean | false | yes | - | Support running lxd (nested) inside the container security.privileged | boolean | false | no | - | Runs the container in privileged mode -security.devlxd | boolean | true | no | - | Controls the presence of /dev/lxd in the container security.syscalls.blacklist | string | - | no | container\_syscall\_filtering | A '\n' separated list of syscalls to blacklist security.syscalls.blacklist\_compat | boolean | false | no | container\_syscall\_filtering | On x86\_64 this enables blocking of compat\_\* syscalls, it is a no-op on other arches security.syscalls.blacklist\_default | boolean | true | no | container\_syscall\_filtering | Enables the default syscall blacklist diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go index 2457ab1f6..98d26bedb 100644 --- a/lxd/container_lxc.go +++ b/lxd/container_lxc.go 
@@ -3631,6 +3631,23 @@ func (c *containerLXC) Update(args db.ContainerArgs, userRequested bool) error { if err != nil { return err } + } else if key == "security.devlxd" { + if value == "" || shared.IsTrue(value) { + err = c.insertMount(shared.VarPath("devlxd"), "/dev/lxd", "none", syscall.MS_BIND) + if err != nil { + return err + } + } else if c.FileExists("/dev/lxd") == nil { + err = c.removeMount("/dev/lxd") + if err != nil { + return err + } + + err = c.FileRemove("/dev/lxd") + if err != nil { + return err + } + } } else if key == "linux.kernel_modules" && value != "" { for _, module := range strings.Split(value, ",") { module = strings.TrimPrefix(module, " ") diff --git a/test/suites/devlxd.sh b/test/suites/devlxd.sh index 4367fa2ee..d1741ac03 100644 --- a/test/suites/devlxd.sh +++ b/test/suites/devlxd.sh @@ -11,7 +11,6 @@ test_devlxd() { ! lxc exec devlxd -- test -S /dev/lxd/sock lxc config unset devlxd security.devlxd - lxc restart devlxd --force lxc exec devlxd -- test -S /dev/lxd/sock lxc file push "${TEST_DIR}/devlxd-client" devlxd/bin/
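Review bot: The enable branch of the new `security.devlxd` case calls `c.insertMount(...)` unconditionally, while the disable branch is guarded by `c.FileExists("/dev/lxd") == nil`; if this loop runs for every changed key, a transition such as "true" → "" (unset) re-enters the enable branch on a container that already has /dev/lxd and stacks a second bind mount on top of the first. Mirroring the existing guard, wrap the mount in `if c.FileExists("/dev/lxd") != nil { … }` inside the `if value == "" || shared.IsTrue(value)` block rather than folding it into that condition, since folding it would make an already-enabled container fall through to the removal branch. FileExists presumably reports only that the path exists, not that a mount is present, so a leftover /dev/lxd mount point with nothing mounted would also skip the mount — worth confirming against how the start-up path sets /dev/lxd up. On the disable side, `removeMount` followed by `FileRemove` returns on the first error, so a failure in `FileRemove` leaves the key set to false with the mount already gone; what `removeMount` does on a path that is no longer a mount is not visible here. The enclosing `Update` function starts and ends outside the hunk.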
