The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2676
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === We keep a whitelist for supported configuration keys. We then perform a check whether the container sets any unsupported configuration keys. We report the first unsupported configuration key we find back to the user and then error out. Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From a3183de11c015cc5d8c96f60dd01b7d06b109780 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Fri, 2 Dec 2016 00:02:07 +0100
Subject: [PATCH] lxc-to-lxd: switch to using whitelist

We keep a whitelist for supported configuration keys. We then perform a check whether the container sets any unsupported configuration keys. We report the first unsupported configuration key we found back to the user and the error out.

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 scripts/lxc-to-lxd | 127 +++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 94 insertions(+), 33 deletions(-)

diff --git a/scripts/lxc-to-lxd b/scripts/lxc-to-lxd
index c6a9ae3..d5d8624 100755
--- a/scripts/lxc-to-lxd
+++ b/scripts/lxc-to-lxd
@@ -9,6 +9,80 @@ import subprocess
 import sys
 
 
+supported_keys = [
+ 'lxc.arch',
+ 'lxc.pts',
+ # 'lxc.tty',
+ # 'lxc.devttydir',
+ # 'lxc.kmsg',
+ 'lxc.aa_profile',
+ 'lxc.aa_allow_incomplete',
+ # 'lxc.se_context',
+ 'lxc.cgroup',
+ # 'lxc.id_map',
+ 'lxc.loglevel',
+ # 'lxc.logfile',
+ 'lxc.mount.entry',
+ 'lxc.mount.auto',
+ 'lxc.mount',
+ # 'lxc.rootfs.mount',
+ # 'lxc.rootfs.options',
+ # 'lxc.rootfs.backend',
+ 'lxc.rootfs',
+ # 'lxc.pivotdir',
+ 'lxc.utsname',
+ # 'lxc.hook.pre-start',
+ # 'lxc.hook.pre-mount',
+ # 'lxc.hook.mount',
+ # 'lxc.hook.autodev',
+ # 'lxc.hook.start',
+ # 'lxc.hook.stop',
+ # 'lxc.hook.post-stop',
+ # 'lxc.hook.clone',
+ # 'lxc.hook.destroy',
+ # 'lxc.hook',
+ 'lxc.network.type',
+ 'lxc.network.flags',
+ 'lxc.network.link',
+ 'lxc.network.name',
+ 'lxc.network.macvlan.mode',
+ 'lxc.network.veth.pair',
+ # 'lxc.network.script.up',
+ # 'lxc.network.script.down',
+ 'lxc.network.hwaddr',
+ 'lxc.network.mtu',
+ # 'lxc.network.vlan.id',
+ # 'lxc.network.ipv4.gateway',
+ # 'lxc.network.ipv4',
+ # 'lxc.network.ipv6.gateway',
+ # 'lxc.network.ipv6',
+ 'lxc.network.',
+ 'lxc.network',
+ 'lxc.cap.drop',
+ 'lxc.cap.keep',
+ # 'lxc.console.logfile',
+ # 'lxc.console',
+ # 'lxc.seccomp',
+ 'lxc.include',
+ 'lxc.autodev',
+ 'lxc.haltsignal',
+ 'lxc.rebootsignal',
+ 'lxc.stopsignal',
+ 'lxc.start.auto',
+ 'lxc.start.delay',
+ 'lxc.start.order',
+ # 'lxc.monitor.unshare',
+ # 'lxc.group',
+ 'lxc.environment',
+ # 'lxc.init_cmd',
+ # 'lxc.init_uid',
+ # 'lxc.init_gid',
+ # 'lxc.ephemeral',
+ # 'lxc.syslog',
+ 'lxc.no_new_privs'
+ ]
+
+
 # Unix connection to LXD
 class UnixHTTPConnection(http.client.HTTPConnection):
 def __init__(self, path):
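Review bot: `supported_keys` carries no comment saying that the commented-out entries are known LXC keys that are rejected on purpose, or that membership is tested by exact match later in convert_container; without that, the `'lxc.network.'` entry reads like a prefix, yet as an exact key it is unlikely ever to match a real config line. A header such as `# Keys lxc-to-lxd can convert (exact match); commented-out entries are known but unsupported and cause the container to be skipped.` would make later edits to the list safer. Since the list is only used through `set(supported_keys)`, defining it once as a set literal would also avoid rebuilding the set for every container.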
@@ -35,6 +109,16 @@ def config_get(config, key, default=None):
 return result
 
 
+def config_keys(config):
+ keys = []
+ for line in config:
+ fields = line.split("=", 1)
+ if fields[0].strip():
+ keys.append(fields[0].strip())
+
+ return keys
+
+
 # Parse a LXC configuration file, called recursively for includes
 def config_parse(path):
 config = []
@@ -128,6 +212,16 @@ def convert_container(lxd_socket, container_name, args):
 # As some keys can't be queried over the API, parse the config ourselves
 print("Parsing LXC configuration")
 lxc_config = config_parse(container.config_file_name)
+ found_keys = config_keys(lxc_config)
+
+ print("Checking for unsupported LXC configuration keys")
+ diff = list(set(found_keys) - set(supported_keys))
+ for d in diff:
+ if (not d.startswith('lxc.network.') and not
+ d.startswith('lxc.cgroup.')):
+ print("Found at least one unsupported config key: ", d)
+ print("Not importing this container, skipping...")
+ return False
 
 if args.debug:
 print("Container configuration:")
@@ -152,18 +246,6 @@ def convert_container(lxd_socket, container_name, args):
 print("Container name doesn't match lxc.utsname, skipping...")
 return False
 
- # Detect privileged containers
- print("Validating container mode")
- if config_get(lxc_config, "lxc.id_map"):
- print("Unprivileged containers aren't supported, skipping...")
- return False
-
- # Detect hooks in config
- for line in lxc_config:
- if line.startswith("lxc.hook."):
- print("Hooks aren't supported, skipping...")
- return False
-
 # Extract and valid rootfs key
 print("Validating container rootfs")
 value = config_get(lxc_config, "lxc.rootfs")
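Review bot: In the `@@ -35,6 +109,16 @@` hunk, config_keys records a line that contains no `=` as a key in its entirety, and it has no docstring stating what input it expects. Whether config_parse has already dropped comment and blank lines is not visible here, so that assumption should be written down, for example `"""Return the key name (text left of the first '=') of each parsed config line, in file order."""`. The key is also stripped twice; `key = line.split("=", 1)[0].strip()` followed by `if key: keys.append(key)` says the same thing once.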
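Review bot: In the `@@ -128,6 +212,16 @@` hunk, the `startswith('lxc.network.')` exemption lets every key under that prefix pass, so the entries that are commented out of `supported_keys` (`lxc.network.script.up`, `lxc.network.script.down`, `lxc.network.vlan.id`, the ipv4/ipv6 keys) are never reported. Unless code outside this hunk rejects or converts them, a container that relies on those settings would be imported without them and without a message. If the allowlist is meant to be authoritative, limit the prefix exemption to cgroup keys, `if not d.startswith('lxc.cgroup.'):`, and let `lxc.network.*` be matched only by the exact entries in the list. Iterating a set difference also gives an arbitrary order, so the key printed is not necessarily the first one in the file as the description says; `for d in found_keys:` with `if d not in supported_keys` would keep file order. convert_container starts and ends outside the hunk.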
@@ -341,27 +423,6 @@ def convert_container(lxd_socket, container_name, args):
 print("Custom capabilities aren't supported, skipping...")
 return False
 
- # Skip ephemeral
- print("Processing container ephemeral configuration")
- value = config_get(lxc_config, "lxc.ephemeral")
- if value:
- print("Setting lxc.ephemeral is not supported, skipping...")
- return False
-
- # Skip syslog
- print("Processing container syslog configuration")
- value = config_get(lxc_config, "lxc.syslog")
- if value:
- print("Setting lxc.syslog is not supported, skipping...")
- return False
-
- # Skip logfile
- print("Processing container syslog configuration")
- value = config_get(lxc_config, "lxc.logfile")
- if value:
- print("Setting lxc.logfile is not supported, skipping...")
- return False
-
 # Setup the container creation request
 new = {'name': container_name,
 'source': {'type': 'none'},