Users may want to run the init command of a container as a special user / group. This is achieved by adding <inituser> and <initgroup> elements. Note that the user can either provide a name or an ID to specify the user / group to be used. This commit also fixes a side effect of being able to run the command as a non-root user: the user needs rights on the tty to allow shell job control. --- docs/formatdomain.html.in | 7 +++++ docs/schemas/domaincommon.rng | 14 ++++++++++ src/conf/domain_conf.c | 9 ++++++ src/conf/domain_conf.h | 2 ++ src/lxc/lxc_container.c | 52 +++++++++++++++++++++++++++++++++++ tests/lxcxml2xmldata/lxc-inituser.xml | 31 +++++++++++++++++++++ tests/lxcxml2xmltest.c | 1 + 7 files changed, 116 insertions(+) create mode 100644 tests/lxcxml2xmldata/lxc-inituser.xml diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index e79a9d5be..f9a5177e0 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -334,6 +334,11 @@ To set a custom work directory for the init, use the <code>initdir</code> element. </p> + <p> + To run the init command as a given user or group, use the <code>inituser</code> + or <code>initgroup</code> elements respectively. Both elements can be provided + either a user (resp. group) id or a name. + </p> <pre> <os> @@ -343,6 +348,8 @@ <initarg>emergency.service</initarg> <initenv name='MYENV'>some value</initenv> <initdir>/my/custom/cwd</initdir> + <inituser>tester</inituser> + <initgroup>1000</initgroup> </os> </pre> diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng index 06fe62305..0b8294a9d 100644 --- a/docs/schemas/domaincommon.rng +++ b/docs/schemas/domaincommon.rng @@ -400,6 +400,20 @@ <ref name="absFilePath"/> </element> </optional> + <optional> + <element name="inituser"> + <choice> + <ref name="unsignedInt"/> + <ref name="genericName"/> + </choice> + </element> + <element name="initgroup"> + <choice> + <ref name="unsignedInt"/> + <ref name="genericName"/> + </choice> + </element> + </optional> </interleave> </element> </define> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c index 7835852f1..82c413e98 100644 --- a/src/conf/domain_conf.c +++ b/src/conf/domain_conf.c @@ -2871,6 +2871,8 @@ void virDomainDefFree(virDomainDefPtr def) for (i = 0; def->os.initenv && def->os.initenv[i]; i++) VIR_FREE(def->os.initenv[i]); VIR_FREE(def->os.initdir); + VIR_FREE(def->os.inituser); + VIR_FREE(def->os.initgroup); VIR_FREE(def->os.initenv); VIR_FREE(def->os.kernel); VIR_FREE(def->os.initrd); @@ -17023,6 +17025,8 @@ virDomainDefParseBootOptions(virDomainDefPtr def, def->os.init = virXPathString("string(./os/init[1])", ctxt); def->os.cmdline = virXPathString("string(./os/cmdline[1])", ctxt); def->os.initdir = virXPathString("string(./os/initdir[1])", ctxt); + def->os.inituser = virXPathString("string(./os/inituser[1])", ctxt); + def->os.initgroup = virXPathString("string(./os/initgroup[1])", ctxt); if ((n = virXPathNodeSet("./os/initarg", ctxt, &nodes)) < 0) goto error; @@ -24907,6 +24911,11 @@ virDomainDefFormatInternal(virDomainDefPtr def, if (def->os.initdir) virBufferEscapeString(buf, "<initdir>%s</initdir>\n", def->os.initdir); + if (def->os.inituser) + virBufferAsprintf(buf, "<inituser>%s</inituser>\n", def->os.inituser); + if (def->os.initgroup) + virBufferAsprintf(buf, "<initgroup>%s</initgroup>\n", def->os.initgroup); + if (def->os.loader) virDomainLoaderDefFormat(buf, def->os.loader); virBufferEscapeString(buf, "<kernel>%s</kernel>\n", diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h index 4d41de2a4..bbffcda61 100644 --- a/src/conf/domain_conf.h +++ b/src/conf/domain_conf.h @@ -1853,6 +1853,8 @@ struct _virDomainOSDef { char **initargv; virDomainOSEnvPtr *initenv; char *initdir; + char *inituser; + char *initgroup; char *kernel; char *initrd; char *cmdline; diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c index 8d8e1a735..6309abe4b 100644 --- a/src/lxc/lxc_container.c +++ b/src/lxc/lxc_container.c @@ -2110,6 +2110,55 @@ static int lxcAttachNS(int *ns_fd) return 0; } +/** + * lxcContainerSetUserGroup: + * @cmd: command to update + * @vmDef: domain definition for the container + * @ttyPath: guest path to the tty + * + * Set the command UID and GID. As this function attempts at + * converting the user/group name into uid/gid, it needs to + * be called after the pivot root is done. + * + * The owner of the tty is also changed to the given user. + */ +static int lxcContainerSetUserGroup(virCommandPtr cmd, + virDomainDefPtr vmDef, + const char *ttyPath) +{ + uid_t uid; + gid_t gid; + + if (vmDef->os.inituser) { + if (virGetUserID(vmDef->os.inituser, &uid) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, _("User %s doesn't exist"), + vmDef->os.inituser); + return -1; + } + virCommandSetUID(cmd, uid); + + /* Change the newly created tty owner to the inituid for + * shells to have job control. */ + if (chown(ttyPath, uid, -1) < 0) { + virReportSystemError(errno, + _("Failed to change ownership of tty %s"), + ttyPath); + return -1; + } + } + + if (vmDef->os.initgroup) { + if (virGetGroupID(vmDef->os.initgroup, &gid) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, _("Group %s doesn't exist"), + vmDef->os.initgroup); + return -1; + } + virCommandSetGID(cmd, gid); + } + + return 0; +} + /** * lxcContainerChild: @@ -2208,6 +2257,9 @@ static int lxcContainerChild(void *data) goto cleanup; } + if (lxcContainerSetUserGroup(cmd, vmDef, argv->ttyPaths[0]) < 0) + goto cleanup; + /* rename and enable interfaces */ if (lxcContainerRenameAndEnableInterfaces(vmDef, argv->nveths, diff --git a/tests/lxcxml2xmldata/lxc-inituser.xml b/tests/lxcxml2xmldata/lxc-inituser.xml new file mode 100644 index 000000000..08338a2b7 --- /dev/null +++ b/tests/lxcxml2xmldata/lxc-inituser.xml @@ -0,0 +1,31 @@ +<domain type='lxc'> + <name>jessie</name> + <uuid>e21987a5-e98e-9c99-0e35-803e4d9ad1fe</uuid> + <memory unit='KiB'>1048576</memory> + <currentMemory unit='KiB'>1048576</currentMemory> + <vcpu placement='static'>1</vcpu> + <resource> + <partition>/machine</partition> + </resource> + <os> + <type arch='x86_64'>exe</type> + <init>/sbin/sh</init> + <inituser>tester</inituser> + <initgroup>1234</initgroup> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>restart</on_crash> + <devices> + <emulator>/usr/libexec/libvirt_lxc</emulator> + <filesystem type='mount' accessmode='passthrough'> + <source dir='/mach/jessie'/> + <target dir='/'/> + </filesystem> + <console type='pty'> + <target type='lxc' port='0'/> + </console> + </devices> + <seclabel type='none'/> +</domain> diff --git a/tests/lxcxml2xmltest.c b/tests/lxcxml2xmltest.c index c81b0eace..9b9314cf8 100644 --- a/tests/lxcxml2xmltest.c +++ b/tests/lxcxml2xmltest.c @@ -100,6 +100,7 @@ mymain(void) VIR_DOMAIN_DEF_PARSE_SKIP_OSTYPE_CHECKS); DO_TEST("initenv"); DO_TEST("initdir"); + DO_TEST("inituser"); virObjectUnref(caps); virObjectUnref(xmlopt); -- 2.12.2 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list