The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/4740
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === This resolves #1600
From 06bcecd692d234b2b9e0d75b98a81ee9f83cc5b3 Mon Sep 17 00:00:00 2001 From: Thomas Hipp <[email protected]> Date: Thu, 5 Jul 2018 16:10:15 +0200 Subject: [PATCH 1/3] lxd: Add deletion protection Signed-off-by: Thomas Hipp <[email protected]> --- lxd/container.go | 1 + lxd/container_lxc.go | 11 +++++++++++ shared/container.go | 2 ++ 3 files changed, 14 insertions(+) diff --git a/lxd/container.go b/lxd/container.go index ec707af95..2e4f6c440 100644 --- a/lxd/container.go +++ b/lxd/container.go @@ -555,6 +555,7 @@ type container interface { IsSnapshot() bool IsStateful() bool IsNesting() bool + IsDeleteProtected() bool // Hooks OnStart() error diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go index 5d647dd9d..2b20819d8 100644 --- a/lxd/container_lxc.go +++ b/lxd/container_lxc.go @@ -4,6 +4,7 @@ import ( "archive/tar" "bufio" "encoding/json" + "errors" "fmt" "io" "io/ioutil" @@ -3292,6 +3293,12 @@ func (c *containerLXC) Delete() error { logger.Info("Deleting container", ctxMap) + if c.IsDeleteProtected() && !c.IsSnapshot() { + err := errors.New("Container is protected") + logger.Warn("Failed to delete container", log.Ctx{"name": c.Name(), "err": err}) + return err + } + // Attempt to initialize storage interface for the container. c.initStorage() @@ -8128,6 +8135,10 @@ func (c *containerLXC) IsSnapshot() bool { return c.cType == db.CTypeSnapshot } +func (c *containerLXC) IsDeleteProtected() bool { + return shared.IsTrue(c.expandedConfig["security.protection.delete"]) +} + // Various property query functions func (c *containerLXC) Architecture() int { return c.architecture diff --git a/shared/container.go b/shared/container.go index b4ce32974..e0e29f5bb 100644 --- a/shared/container.go +++ b/shared/container.go 
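Review bot: In the Delete() hunk of lxd/container_lxc.go the new guard sits below `logger.Info("Deleting container", ctxMap)`, so a refused deletion still writes an audit line claiming the container is being deleted and only then the warning; anyone reconstructing deletions from the log gets a false positive. Moving the `if c.IsDeleteProtected() && !c.IsSnapshot() {` block above that Info call keeps the log truthful. The block also logs and returns the same error, and since the error is presumably surfaced to the API caller further up, one of the two would do. The file already imports fmt, so `fmt.Errorf("Container is protected")` would avoid the new errors import added in the same patch. Delete()'s body continues outside the hunk.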
@@ -213,6 +213,8 @@ var KnownContainerConfigKeys = map[string]func(value string) error{ "security.devlxd": IsBool, "security.devlxd.images": IsBool, + "security.protection.delete": IsBool, + "security.idmap.base": IsUint32, "security.idmap.isolated": IsBool, "security.idmap.size": IsUint32, From edcdf551f632fe2c4cfb3afae4c5ef199d7111de Mon Sep 17 00:00:00 2001 From: Thomas Hipp <[email protected]> Date: Thu, 5 Jul 2018 16:10:43 +0200 Subject: [PATCH 2/3] doc: Add deletion protection Signed-off-by: Thomas Hipp <[email protected]> --- doc/api-extensions.md | 4 ++++ doc/containers.md | 1 + 2 files changed, 5 insertions(+) diff --git a/doc/api-extensions.md b/doc/api-extensions.md index bb9f921d5..a16527207 100644 --- a/doc/api-extensions.md +++ b/doc/api-extensions.md @@ -536,3 +536,7 @@ This adds the following new endpoint (see [RESTful API](rest-api.md) for details ## proxy\_unix\_dac\_properties This adds support for gid, uid, and mode properties for non-abstract unix sockets. + +## container\_protection\_delete +Enables setting the `security.protection.delete` field which prevents containers +from being deleted if set to true. Snapshots are not affected by this setting. diff --git a/doc/containers.md b/doc/containers.md index b1866d913..849432cfd 100644 --- a/doc/containers.md +++ b/doc/containers.md 
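Review bot: Registering the key as IsBool here matches how IsDeleteProtected reads it through shared.IsTrue, but the `container_protection_delete` API extension that patch 2 documents does not appear in any of the three diffstats outside doc/, so unless the advertised extension list is maintained somewhere not shown in this series, clients have no way to detect that the setting is enforced before relying on it. Worth confirming that the extension is also added to the code-side list in the same series.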
@@ -69,6 +69,7 @@ security.idmap.isolated | boolean | false | no security.idmap.size | integer | - | no | id\_map | The size of the idmap to use security.nesting | boolean | false | yes | - | Support running lxd (nested) inside the container security.privileged | boolean | false | no | - | Runs the container in privileged mode +security.protection.delete | boolean | false | yes | container\_protection\_delete | Prevents the container from being deleted security.syscalls.blacklist | string | - | no | container\_syscall\_filtering | A '\n' separated list of syscalls to blacklist security.syscalls.blacklist\_compat | boolean | false | no | container\_syscall\_filtering | On x86\_64 this enables blocking of compat\_\* syscalls, it is a no-op on other arches security.syscalls.blacklist\_default | boolean | true | no | container\_syscall\_filtering | Enables the default syscall blacklist From 66711b632a22be90b2c8244c70865a51278abcd1 Mon Sep 17 00:00:00 2001 From: Thomas Hipp <[email protected]> Date: Thu, 5 Jul 2018 16:55:21 +0200 Subject: [PATCH 3/3] test: Add deletion protection Signed-off-by: Thomas Hipp <[email protected]> --- test/main.sh | 1 + test/suites/container_protection.sh | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 test/suites/container_protection.sh diff --git a/test/main.sh b/test/main.sh index ed534c6d8..ccea3b948 100755 --- a/test/main.sh +++ b/test/main.sh @@ -216,6 +216,7 @@ run_test test_clustering_publish "clustering publish" run_test test_clustering_profiles "clustering profiles" run_test test_clustering_join_api "clustering join api" #run_test test_clustering_upgrade "clustering upgrade" +run_test test_container_protection "container protection" # shellcheck disable=SC2034 TEST_RESULT=success diff --git a/test/suites/container_protection.sh b/test/suites/container_protection.sh new file mode 100644 index 000000000..7eb304be1 --- /dev/null +++ b/test/suites/container_protection.sh 
@@ -0,0 +1,21 @@
+test_container_protection() {
+ ensure_import_testimage
+ ensure_has_localhost_remote "${LXD_ADDR}"
+
+ lxc launch testimage c1
+ lxc stop c1
+ lxc snapshot c1
+ lxc delete c1
+
+ lxc profile set default security.protection.delete true
+
+ lxc launch testimage c1
+ lxc stop c1
+ lxc snapshot c1
+ lxc delete c1/snap0
+ ! lxc delete c1
+
+ # override setting
+ lxc config set c1 security.protection.delete false
+ lxc delete c1
+}
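Review bot: The test sets `security.protection.delete` on the `default` profile and never unsets it, so every later suite that launches from that profile inherits delete protection and will fail when it cleans up its own containers. Adding `lxc profile unset default security.protection.delete` next to the `lxc config set c1 security.protection.delete false` override restores the profile; the per-container override only rescues c1, not the shared profile. It would also be worth asserting that `lxc delete c1/snap0` succeeded while the parent was protected, rather than relying on the command merely not aborting the script.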
