Re: [PATCH sandbox] Delete the virt-sandbox-service command

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2018-03-26 at 15:35 +0100, Daniel P. Berrangé wrote:
> This command attempted to create sandboxed containers for running
> systemd services that exist on the host. This code has proved very
> fragile, however, since it needs heuristics to figure out which dirs
> need to be made private in the container vs shared with the host. Even
> a relatively simple "httpd.service" sandbox no longer works with
> current Fedora.
> 
> Users wanting to sandbox services are better served by using systemd's
> native container functionality, or using Docker container images. The
> virt-sandbox-image tool can even run Docker/virt-builder images directly.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
>  TODO                                        |   24 -
>  bin/Makefile.am                             |   80 +-
>  bin/virt-sandbox-service                    | 1314 ---------------------------
>  bin/virt-sandbox-service-bash-completion.sh |  141 ---
>  bin/virt-sandbox-service-clone.pod          |  100 --
>  bin/virt-sandbox-service-connect.pod        |   59 --
>  bin/virt-sandbox-service-create.pod         |  264 ------
>  bin/virt-sandbox-service-delete.pod         |   65 --
>  bin/virt-sandbox-service-execute.pod        |   71 --
>  bin/virt-sandbox-service-reload.pod         |   63 --
>  bin/virt-sandbox-service-upgrade.pod        |   74 --
>  bin/virt-sandbox-service-util.c             |  305 -------
>  bin/virt-sandbox-service.logrotate          |    9 -
>  bin/virt-sandbox-service.pod                |   85 --
>  cfg.mk                                      |    2 +-
>  libvirt-sandbox.spec.in                     |    7 -
>  libvirt-sandbox/tests/containers_test.sh    |   37 -
>  po/POTFILES.in                              |    1 -
>  18 files changed, 3 insertions(+), 2698 deletions(-)
>  delete mode 100644 TODO
>  delete mode 100755 bin/virt-sandbox-service
>  delete mode 100755 bin/virt-sandbox-service-bash-completion.sh
>  delete mode 100644 bin/virt-sandbox-service-clone.pod
>  delete mode 100644 bin/virt-sandbox-service-connect.pod
>  delete mode 100644 bin/virt-sandbox-service-create.pod
>  delete mode 100644 bin/virt-sandbox-service-delete.pod
>  delete mode 100644 bin/virt-sandbox-service-execute.pod
>  delete mode 100644 bin/virt-sandbox-service-reload.pod
>  delete mode 100644 bin/virt-sandbox-service-upgrade.pod
>  delete mode 100644 bin/virt-sandbox-service-util.c
>  delete mode 100644 bin/virt-sandbox-service.logrotate
>  delete mode 100644 bin/virt-sandbox-service.pod
>  delete mode 100755 libvirt-sandbox/tests/containers_test.sh
> 
> diff --git a/TODO b/TODO
> deleted file mode 100644
> index fc63361..0000000
> --- a/TODO
> +++ /dev/null
> @@ -1,24 +0,0 @@
> -	 libvirt-sandbox TODO list
> -	 =================
> -
> -systemd-tmpfiles --create needs to be run within the container, before any
> -apps are started, since it will populate /run (Completed)
> -
> -CGROUPFS: integration so libvirt does it rather then systemd within the container
> -	 We need kernel labeling support for cgroupfs so we can allow systemd to write to its section of the
> cgroupfs.
> -
> -SYSLOG:  Currently syslog messages are going no where within the container.
> -If we run a syslog within the container will it get messages from the outside?  Should we just use systemd-
> journal.  I think sysadmins will want to be able to look in /var/log/messages within the container. (systemd-journal
> is now running within a container)
> -
> -EXECUTE:
> -	virt-sandbox-service execute --command "BLAH" does not work.  We need to have the ability to execute any
> random command within the container, and get stdin, stdout, stderror outside the container. (Partially Completed)
> -Still needs kernel to implement missing container namespace files under /proc/PID/ns, Also need a mechanism to get
> the PID of systemd from libvirt.
> -
> -HOSTNAME:
> -	Currently if I execute hostname within the container it sees the name of the host not the name based on the
> container name or the IP Address associated with dhclient. (Completed)
> -
> -virt-sandbox-service connect NAME hangs when you attempt to end the connection.
> -^d should bring you back to the host terminal.
> -
> -Need a mechanism to allow admins to specify additional services to run within
> -the container.  For example you may want to run mysql and apache within the same container. (Completed) You can do
> this using systemctl enabel BLAH
> diff --git a/bin/Makefile.am b/bin/Makefile.am
> index deedcf6..db0a1d1 100644
> --- a/bin/Makefile.am
> +++ b/bin/Makefile.am
> @@ -1,39 +1,12 @@
>  
>  bin_PROGRAMS = virt-sandbox
>  
> -libexec_PROGRAMS = virt-sandbox-service-util
> +bin_SCRIPTS = virt-sandbox-image
>  
> -bin_SCRIPTS = virt-sandbox-service \
> -	virt-sandbox-image
> -
> -virtsandboxcompdir = $(datarootdir)/bash-completion/completions/
> -
> -crondailydir = $(sysconfdir)/cron.daily
> -crondaily_SCRIPTS = virt-sandbox-service.logrotate
> -
> -POD_FILES = \
> -	virt-sandbox-service.pod \
> -	virt-sandbox-service-execute.pod \
> -	virt-sandbox-service-create.pod \
> -	virt-sandbox-service-clone.pod \
> -	virt-sandbox-service-connect.pod \
> -	virt-sandbox-service-delete.pod \
> -	virt-sandbox-service-reload.pod \
> -	virt-sandbox-service-upgrade.pod \
> -	$(NULL)
> -EXTRA_DIST = $(bin_SCRIPTS) $(POD_FILES) virt-sandbox-service-bash-completion.sh virt-sandbox-service.logrotate
> -EXTRA_DIST += virt-sandbox-service-bash-completion.sh
> +EXTRA_DIST = $(bin_SCRIPTS)
>  
>  man1_MANS = \
>  	virt-sandbox.1 \
> -	virt-sandbox-service.1 \
> -	virt-sandbox-service-execute.1 \
> -	virt-sandbox-service-create.1 \
> -	virt-sandbox-service-clone.1 \
> -	virt-sandbox-service-connect.1 \
> -	virt-sandbox-service-delete.1 \
> -	virt-sandbox-service-reload.1 \
> -	virt-sandbox-service-upgrade.1 \
>  	$(NULL)
>  
>  POD2MAN = pod2man -c "Virtualization Support" -r "$(PACKAGE)-$(VERSION)"
> @@ -41,30 +14,6 @@ POD2MAN = pod2man -c "Virtualization Support" -r "$(PACKAGE)-$(VERSION)"
>  virt-sandbox.1: virt-sandbox.c Makefile
>  	$(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@
>  
> -virt-sandbox-service.1: virt-sandbox-service.pod Makefile
> -	$(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@
> -
> -virt-sandbox-service-execute.1: virt-sandbox-service-execute.pod Makefile
> -	$(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@
> -
> -virt-sandbox-service-clone.1: virt-sandbox-service-clone.pod Makefile
> -	$(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@
> -
> -virt-sandbox-service-create.1: virt-sandbox-service-create.pod Makefile
> -	$(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@
> -
> -virt-sandbox-service-connect.1: virt-sandbox-service-connect.pod Makefile
> -	$(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@
> -
> -virt-sandbox-service-delete.1: virt-sandbox-service-delete.pod Makefile
> -	$(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@
> -
> -virt-sandbox-service-reload.1: virt-sandbox-service-reload.pod Makefile
> -	$(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@
> -
> -virt-sandbox-service-upgrade.1: virt-sandbox-service-upgrade.pod Makefile
> -	$(AM_V_GEN)$(POD2MAN) $< $(srcdir)/$@
> -
>  CLEANFILES = $(man1_MANS)
>  
>  virt_sandbox_SOURCES = virt-sandbox.c
> @@ -81,28 +30,3 @@ virt_sandbox_LDFLAGS = \
>  		../libvirt-sandbox/libvirt-sandbox-1.0.la \
>  		$(WARN_CFLAGS) \
>  		$(NULL)
> -
> -virt_sandbox_service_util_SOURCES = virt-sandbox-service-util.c
> -virt_sandbox_service_util_CFLAGS = \
> -		$(GIO_UNIX_CFLAGS) \
> -		$(LIBVIRT_GOBJECT_CFLAGS) \
> -		-I$(top_srcdir) \
> -		-DLOCALEDIR="\"$(datadir)/locale"\" \
> -		$(WARN_CFLAGS) \
> -		$(NULL)
> -virt_sandbox_service_util_LDFLAGS = \
> -		$(GIO_UNIX_LIBS) \
> -		$(LIBVIRT_GOBJECT_LIBS) \
> -		../libvirt-sandbox/libvirt-sandbox-1.0.la \
> -		$(WARN_CFLAGS) \
> -		$(NULL)
> -
> -install-data-local:
> -		$(MKDIR_P) $(DESTDIR)$(sysconfdir)/libvirt-sandbox/services
> -		$(MKDIR_P) $(DESTDIR)$(virtsandboxcompdir)
> -		cp $(srcdir)/virt-sandbox-service-bash-completion.sh $(DESTDIR)$(virtsandboxcompdir)/virt-sandbox-
> service
> -
> -uninstall-local:
> -		$(rmdir) $(DESTDIR)$(sysconfdir)/libvirt-sandbox/services ||:
> -		$(rmdir) $(DESTDIR)$(sysconfdir)/libvirt-sandbox ||:
> -		rm -f $(DESTDIR)$(virtsandboxcompdir)/virt-sandbox-service
> diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
> deleted file mode 100755
> index c458716..0000000
> --- a/bin/virt-sandbox-service
> +++ /dev/null
> @@ -1,1314 +0,0 @@
> -#!/usr/bin/env python3
> -#
> -# Authors: Dan Walsh <dwalsh@xxxxxxxxxx>
> -#
> -# Copyright (C) 2012-2013 Red Hat, Inc.
> -#
> -# This program is free software; you can redistribute it and/or modify
> -# it under the terms of the GNU General Public License as published by
> -# the Free Software Foundation; either version 2 of the License, or
> -# (at your option) any later version.
> -#
> -# This program is distributed in the hope that it will be useful,
> -# but WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> -# GNU General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with this program; if not, write to the Free Software
> -# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
> -#
> -
> -import gi
> -gi.require_version('LibvirtGConfig', '1.0')
> -from gi.repository import LibvirtGConfig
> -gi.require_version('LibvirtGObject', '1.0')
> -from gi.repository import LibvirtGObject
> -gi.require_version('LibvirtSandbox', '1.0')
> -from gi.repository import LibvirtSandbox
> -from gi.repository import GLib
> -import gi
> -import re
> -import os, sys, shutil, errno, stat
> -import rpm
> -from subprocess import Popen, PIPE, STDOUT
> -import gettext
> -import pwd
> -
> -if os.path.exists("/sys/fs/selinux"):
> -    import selinux
> -else:
> -    selinux = None
> -
> -LibvirtGObject.init_object_check(None)
> -LibvirtSandbox.init_check(None)
> -
> -gettext.bindtextdomain("libvirt-sandbox", "/usr/share/locale")
> -gettext.textdomain("libvirt-sandbox")
> -try:
> -    gettext.install("libvirt-sandbox",
> -                    localedir="/usr/share/locale",
> -                    codeset = 'utf-8')
> -except IOError:
> -    import __builtin__
> -    __builtin__.__dict__['_'] = unicode
> -
> -CONFIG_PATH = "/etc/libvirt-sandbox/services/"
> -def get_config_path(name):
> -    return CONFIG_PATH + name + "/config/sandbox.cfg"
> -
> -def get_legacy_config_path(name):
> -    return CONFIG_PATH + name + ".sandbox"
> -
> -def read_config(name):
> -    path = get_config_path(name)
> -    if not os.path.exists(path):
> -        return None
> -    return LibvirtSandbox.Config.load_from_path(path)
> -
> -# shutil.copytree throws a fit if it finds sockets
> -# or fifos, and has really bad behaviour on block
> -# and character devices too.
> -def copydirtree(src, dst):
> -    filenames = os.listdir(src)
> -    os.makedirs(dst)
> -
> -    for filename in filenames:
> -        srcfilepath = os.path.join(src, filename)
> -        dstfilepath = os.path.join(dst, filename)
> -
> -        st = os.lstat(srcfilepath)
> -        if stat.S_ISDIR(st.st_mode):
> -            copydirtree(srcfilepath, dstfilepath)
> -
> -            os.utime(dstfilepath, (st.st_atime, st.st_mtime))
> -            os.chmod(dstfilepath, stat.S_IMODE(st.st_mode))
> -        elif stat.S_ISREG(st.st_mode):
> -            with open(srcfilepath, 'rb') as fsrc:
> -                with open(dstfilepath, 'wb') as fdst:
> -                    while 1:
> -                        buf = fsrc.read(1024*32)
> -                        if not buf:
> -                            break
> -                        fdst.write(buf)
> -
> -            os.utime(dstfilepath, (st.st_atime, st.st_mtime))
> -            os.chmod(dstfilepath, stat.S_IMODE(st.st_mode))
> -        elif stat.S_ISLNK(st.st_mode):
> -            linkdst = os.readlink(srcfilepath)
> -            os.symlink(linkdst, dstfilepath)
> -        else:
> -            # Ignore all other special files (block/char/sock/fifo)
> -            pass
> -
> -class Container:
> -    DEFAULT_PATH       = "/var/lib/libvirt/filesystems"
> -    DEFAULT_IMAGE      = "/var/lib/libvirt/images/%s.raw"
> -    SELINUX_FILE_TYPE  = "svirt_lxc_file_t"
> -
> -    def __init__(self, name=None, uri = "lxc:///", path = DEFAULT_PATH, config=None, create=False):
> -        self.uri = uri
> -        self.use_image = False
> -        self.size = 10 * MB
> -        self.path = path
> -        self.config = config
> -        if self.config:
> -            self.name = self.config.get_name()
> -        else:
> -            self.name = name
> -        self.dest = "%s/%s" % (self.path, self.name)
> -        self.file_type = self.SELINUX_FILE_TYPE
> -        self.conn = None
> -        self.image = None
> -        self.uid = 0
> -        self.mounts = []
> -
> -    def get_file_type(self):
> -        return self.file_type
> -
> -    def set_file_type(self, file_type):
> -        self.file_type = file_type
> -
> -    def set_uid(self, uid):
> -        self.config.set_userid(uid)
> -
> -    def get_uid(self):
> -        return self.config.get_userid(uid)
> -
> -    def set_gid(self, gid):
> -        self.config.set_groupid(gid)
> -
> -    def get_gid(self):
> -        return self.config.get_groupid(gid)
> -
> -    def set_username(self, username):
> -        self.config.set_username(username)
> -
> -    def get_username(self):
> -        return self.config.get_username()
> -
> -    def set_homedir(self, homedir):
> -        self.config.set_homedir(homedir)
> -
> -    def get_homedir(self):
> -        return self.config.get_homedir()
> -
> -    def set_mounts(self, mounts):
> -        self.mounts = mounts
> -
> -    def get_mounts(self):
> -        return self.mounts
> -
> -    def add_mounts(self):
> -        self.config.add_mount_strv(self.mounts)
> -
> -    def get_config_path(self, name = None):
> -        if not name:
> -            name = self.name
> -        return get_config_path(name)
> -
> -    def get_filesystem_path(self, name = None):
> -        if not name:
> -            name = self.get_name()
> -        return "%s/%s" % (self.path, name)
> -
> -    def get_image_path(self, name = None):
> -        if not name:
> -            name = self.get_name()
> -        return self.DEFAULT_IMAGE % name
> -
> -    def set_image(self, size):
> -        self.use_image = True
> -        self.size = size * MB
> -
> -    def set_path(self, path):
> -        self.path = path
> -        self.dest = "%s/%s" % (self.path, self.name)
> -
> -    def get_name(self):
> -        return self.name
> -
> -    def set_name(self, name):
> -        if self.config:
> -            raise ValueError([_("Cannot modify Name")])
> -        self.name = name
> -        self.dest = "%s/%s" % (self.path, self.name)
> -
> -    def set_security(self, val):
> -        self.config.set_security_opts(val)
> -
> -    def add_network(self, val):
> -        self.config.add_network_opts(val)
> -
> -    def get_security_dynamic(self):
> -        return self.config.get_security_dynamic()
> -
> -    def get_security_label(self):
> -        return self.config.get_security_label()
> -
> -    def set_security_label(self):
> -        if selinux is None:
> -            return
> -
> -        if self.image or self.get_security_dynamic():
> -            return
> -
> -        selabel = self.get_security_label()
> -        if selabel is None:
> -            raise ValueError([_("Missing security label configuration")])
> -        parts = selabel.split(":")
> -        selinux.chcon(self.dest, "system_u:object_r:%s:%s" % (
> -                self.get_file_type(), ":".join(parts[3:])), True)
> -
> -    def gen_filesystems(self):
> -        if self.use_image:
> -            self.image = self.DEFAULT_IMAGE % self.get_name()
> -            mount = LibvirtSandbox.ConfigMountHostImage.new(self.image, self.dest,
> -                                                            LibvirtGConfig.DomainDiskFormat.RAW)
> -            self.config.add_mount(mount)
> -
> -    def fix_stat(self, f):
> -        try:
> -            s = os.stat(f)
> -            path = "%s%s" % (self.dest, f)
> -            os.chown(path, s.st_uid, s.st_gid)
> -            os.chmod(path, s.st_mode)
> -        except OSError as e:
> -            if not e.errno == errno.ENOENT:
> -                raise
> -
> -    def fix_protection(self):
> -        l = len(self.dest)
> -        for root, dirs, files in os.walk(self.dest):
> -            for f in files:
> -                dest = root + "/" + f
> -                self.fix_stat(dest[l:])
> -            for d in dirs:
> -                dest = root + "/" + d
> -                self.fix_stat(dest[l:])
> -
> -    def makedirs(self, d):
> -        try:
> -            path = "%s%s" % (self.dest, d)
> -            os.makedirs(path)
> -        except OSError as e:
> -            if not e.errno == errno.EEXIST:
> -                raise
> -
> -    def makefile(self, f):
> -        self.makedirs(os.path.dirname(f))
> -        try:
> -            path = "%s%s" % (self.dest, f)
> -            fd=open(path, "w")
> -            fd.close()
> -        except OSError as e:
> -            if not e.errno == errno.EEXIST:
> -                raise
> -
> -    def umount(self):
> -        p = Popen(["/bin/umount", self.dest])
> -        p.communicate()
> -        if p.returncode and p.returncode != 0:
> -            raise OSError(_("Failed to unmount image %s from %s") %  (self.image, self.dest))
> -
> -    def create_image(self):
> -        fd = open(self.image, "w")
> -        fd.truncate(self.size)
> -        fd.close()
> -        p = Popen(["/sbin/mkfs","-F", "-t", "ext4", self.image],stdout=PIPE, stderr=PIPE)
> -        p.communicate()
> -        if p.returncode and p.returncode != 0:
> -            raise OSError(_("Failed to build image %s") % self.image )
> -
> -        p = Popen(["/bin/mount", self.image, self.dest])
> -        p.communicate()
> -        if p.returncode and p.returncode != 0:
> -            raise OSError(_("Failed to mount image %s on %s") %  (self.image, self.dest))
> -
> -    def save_config(self):
> -        self.connect()
> -        context = self.context()
> -        context.define()
> -        sys.stdout.write(_("Created sandbox config %s\n") % get_config_path(self.name))
> -
> -    def update_config(self):
> -        self.connect()
> -        context = self.context()
> -        context.undefine()
> -        context.define()
> -        sys.stdout.write(_("Re-created sandbox config %s\n") % get_config_path(self.name))
> -
> -    def delete(self):
> -        self.connect()
> -        self.conn.fetch_domains(None)
> -        dom = self.conn.find_domain_by_name(self.name)
> -        if dom is not None:
> -            info = dom.get_info()
> -            if info.state == LibvirtGObject.DomainState.RUNNING:
> -                raise ValueError([_("Cannot delete running container")])
> -
> -        # Not sure we should remove content
> -        if os.path.exists(self.dest):
> -            shutil.rmtree(self.dest)
> -
> -        image = self.get_image_path()
> -        if os.path.exists(image):
> -            os.remove(image)
> -
> -        context = self.context()
> -        context.undefine()
> -
> -    def get_security_model(self):
> -        model = None
> -
> -        # Make sure we have a connection
> -        self.connect()
> -
> -        # Loop over the security models from the host capabilities
> -        # The first in "selinux" and "apparmor" will be the returned model
> -        # Those two models can't coexist on a machine
> -        configCaps = self.conn.get_capabilities()
> -        hostCaps = configCaps.get_host()
> -        secmodels = hostCaps.get_secmodels()
> -        for secmodel in secmodels:
> -            if secmodel.get_model() == "selinux":
> -                model = "selinux"
> -                break
> -            elif secmodel.get_model() == "apparmor":
> -                model = "apparmor"
> -                break
> -
> -        return model
> -
> -
> -    def create(self):
> -        self.connect()
> -        if self.get_security_model() is not None and \
> -           self.config.get_security_dynamic() and not self.use_image:
> -            raise ValueError([_("Dynamic security label only supported for image based containers")])
> -        if self.uri != "lxc:///":
> -            self.config.set_shell(True)
> -        if not os.path.exists(self.dest):
> -            os.mkdir(self.dest)
> -
> -    def connect(self):
> -        if not self.conn:
> -            self.conn=LibvirtGObject.Connection.new(self.uri)
> -            self.conn.open(None)
> -
> -    def disconnect(self):
> -        if self.conn:
> -            self.conn.close()
> -            self.conn = None
> -
> -    def context(self):
> -        return LibvirtSandbox.ContextService.new(self.conn, self.config)
> -
> -    def add_bind_mount(self, source, dest):
> -        if self.image is None:
> -            mount = LibvirtSandbox.ConfigMountHostBind.new(source, dest)
> -        else:
> -            mount = LibvirtSandbox.ConfigMountGuestBind.new(source, dest)
> -        self.config.add_mount(mount)
> -
> -    def add_ram_mount(self, dest, size):
> -        mount = LibvirtSandbox.ConfigMountRam.new(dest, size);
> -        self.config.add_mount(mount)
> -
> -class GenericContainer(Container):
> -    def __init__(self, name=None, uri = "lxc:///", path = Container.DEFAULT_PATH, config=None, create=False):
> -        Container.__init__(self, name, uri, path, config, create)
> -
> -        if create:
> -            self.config = LibvirtSandbox.ConfigServiceGeneric.new(name)
> -
> -    def gen_filesystems(self):
> -        Container.gen_filesystems(self)
> -        self.add_bind_mount(self.dest, self.path)
> -        self.add_mounts()
> -
> -    def create_generic(self):
> -        Container.create(self)
> -        self.gen_filesystems()
> -
> -        if self.image:
> -            self.create_image()
> -            self.umount()
> -            sys.stdout.write(_("Created sandbox container image %s\n") % self.image)
> -        else:
> -            sys.stdout.write(_("Created sandbox container dir %s\n") % self.dest)
> -        self.save_config()
> -
> -    def create(self):
> -        try:
> -            self.create_generic()
> -        except Exception as e:
> -            try:
> -                self.delete()
> -            except Exception as e2:
> -                pass
> -            raise e
> -
> -    def set_command(self, command):
> -        self.config.set_command(command)
> -
> -
> -def is_template_unit(unit):
> -    return '@' in unit
> -
> -class SystemdContainer(Container):
> -    IGNORE_DIRS        = [ "/var/run/", "/etc/logrotate.d/", "/etc/pam.d" ]
> -    DEFAULT_DIRS       = [ "/etc", "/var" ]
> -    PROFILE_FILES      = [ ".bashrc", ".bash_profile", ".profile" ]
> -    MACHINE_ID         = "/etc/machine-id"
> -    HOSTNAME           = "/etc/hostname"
> -    SYSVINIT_PATH      = "/etc/rc.d"
> -    ANACONDA_WANTS_PATH = "/usr/lib/systemd/system/anaconda.target.wants"
> -    MULTI_USER_WANTS_PATH = "/usr/lib/systemd/system/multi-user.target.wants"
> -    SYSINIT_WANTS_PATH = "/usr/lib/systemd/system/sysinit.target.wants"
> -    SOCKET_WANTS_PATH  = "/usr/lib/systemd/system/sockets.target.wants"
> -    MAKE_SYSTEM_DIRS   = [ "/var/lib/dhclient", "/var/lib/dbus", "/var/log", "/var/spool", "/var/cache", "/var/tmp",
> "/var/lib/nfs/rpc_pipefs", SYSVINIT_PATH, "/lib/lsb" ]
> -    BIND_SYSTEM_DIRS   = [ "/var", "/home", "/root", "/etc/systemd/system", "/etc/rc.d",
> "/usr/lib/systemd/system/basic.target.wants", "/usr/lib/systemd/system/local-fs.target.wants", ANACONDA_WANTS_PATH,
> MULTI_USER_WANTS_PATH, SYSINIT_WANTS_PATH, SOCKET_WANTS_PATH ]
> -    BIND_SYSTEM_FILES  = [ MACHINE_ID, "/etc/fstab", HOSTNAME ]
> -    LOCAL_LINK_FILES   = { SYSINIT_WANTS_PATH : [ "systemd-tmpfiles-setup.service" ] , SOCKET_WANTS_PATH : [
> "dbus.socket", "systemd-journald.socket", "systemd-shutdownd.socket", "systemd-initctl.socket" ] }
> -
> -    DEFAULT_UNIT       = "/etc/systemd/system/%s_sandbox.service"
> -
> -    def __init__(self, name=None, uri = "lxc:///", path = Container.DEFAULT_PATH, config=None, create=False,
> packages=[]):
> -        Container.__init__(self, name, uri, path, config, create)
> -        self.copy = False
> -        self.unit_file_list = []
> -        self.packages = packages
> -        if create:
> -            self.config = LibvirtSandbox.ConfigServiceSystemd.new(name)
> -            self.unitfile = None
> -        else:
> -            self.unitfile = self.get_unit_path()
> -
> -    def follow_units(self):
> -        unitst=""
> -        for i, src in self.unit_file_list:
> -            unitst += "ReloadPropagatedFrom=%s\n" % i
> -
> -        return unitst
> -
> -    def get_unit_path(self, name = None):
> -        if not name:
> -            name = self.get_name()
> -        return self.DEFAULT_UNIT % name
> -
> -    def set_unit_file_list(self, unit_file_list):
> -        self.unit_file_list = unit_file_list
> -
> -    def get_sandboxed_service(self):
> -        return self.unit_file_list[0][0].split(".")[0]
> -
> -    def create_system_unit(self):
> -        self.unitfile = self.get_unit_path()
> -        unit = r"""
> -[Unit]
> -Description=Secure Sandbox Container %(NAME)s
> -Requires=libvirtd.service
> -After=libvirtd.service
> -%(FOLLOW)s
> -[Service]
> -Type=simple
> -ExecStart=/usr/libexec/virt-sandbox-service-util -c %(URI)s -s %(NAME)s
> -ExecReload=/usr/bin/virt-sandbox-service -c %(URI)s reload -u %(RELOAD)s %(NAME)s
> -ExecStop=/usr/bin/virsh -c %(URI)s destroy %(NAME)s
> -
> -[Install]
> -WantedBy=multi-user.target
> -""" % { 'NAME':self.name,
> -        'FOLLOW':self.follow_units(),
> -        'RELOAD': " -u ".join(map(lambda x: x[0], self.unit_file_list)),
> -        'URI': self.uri,
> -        }
> -
> -        fd = open(self.unitfile, "w")
> -        fd.write(unit)
> -        fd.close()
> -        if selinux is not None:
> -            selinux.restorecon(self.unitfile)
> -        sys.stdout.write(_("Created unit file %s\n") %  self.unitfile)
> -
> -    def add_dir(self, newd):
> -        if newd in self.all_dirs:
> -            return
> -        for ignd in self.IGNORE_DIRS:
> -            if newd.startswith(ignd):
> -                return
> -        for defd in self.DEFAULT_DIRS:
> -            if newd.startswith(defd):
> -                self.all_dirs.append(newd)
> -                tmp_dirs = []
> -                for d in self.dirs:
> -                    if newd.startswith(d):
> -                        return
> -                    if not d.startswith(newd):
> -                        tmp_dirs.append(d)
> -                self.dirs = tmp_dirs
> -                self.dirs.append(newd)
> -                break;
> -
> -    def add_file(self, newf):
> -        if newf in self.files:
> -            return
> -        for d in self.IGNORE_DIRS:
> -            if newf.startswith(d):
> -                return
> -        for d in self.DEFAULT_DIRS:
> -            if newf.startswith(d):
> -                self.files.append(newf)
> -                break;
> -
> -    def get_name(self):
> -        if self.config:
> -            return self.config.get_name()
> -        raise ValueError([_("Name not configured")])
> -
> -    def set_copy(self, copy):
> -        self.copy = copy
> -
> -    def get_security_dynamic(self):
> -        return self.config.get_security_dynamic()
> -
> -    def extract_rpms(self):
> -        self.all_dirs = []
> -        self.dirs = []
> -        self.files = []
> -
> -        self.ts = rpm.ts()
> -
> -        nb_packages = 0
> -        for u, src in self.unit_file_list:
> -            rpm_name = self.get_rpm_for_unit(src)
> -            if rpm_name:
> -                self.extract_rpm(rpm_name)
> -                nb_packages += 1
> -
> -        for package in self.packages:
> -            self.extract_rpm(package)
> -            nb_packages += 1
> -
> -        if nb_packages == 0:
> -            raise ValueError([_("Cannot autodetect the package for unit files, please use --package")])
> -
> -    def split_filename(self, filename):
> -        if filename[-4:] == '.rpm':
> -            filename = filename[:-4]
> -
> -        archIndex = filename.rfind('.')
> -        arch = filename[archIndex+1:]
> -
> -        relIndex = filename[:archIndex].rfind('-')
> -        rel = filename[relIndex+1:archIndex]
> -
> -        verIndex = filename[:relIndex].rfind('-')
> -        ver = filename[verIndex+1:relIndex]
> -
> -        epochIndex = filename.find(':')
> -        if epochIndex == -1:
> -            epoch = ''
> -        else:
> -            epoch = filename[:epochIndex]
> -
> -        name = filename[epochIndex + 1:verIndex]
> -        return name, ver, rel, epoch, arch
> -
> -    def get_rpm_for_unit(self, unitfile):
> -        mi = self.ts.dbMatch(rpm.RPMTAG_BASENAMES, unitfile)
> -        try:
> -            h = next(mi);
> -        except StopIteration:
> -            return None
> -        return h['name']
> -
> -
> -    def extract_rpm(self, rpm_name):
> -        mi = self.ts.dbMatch('name', rpm_name)
> -        try:
> -            h = next(mi);
> -        except StopIteration:
> -            raise ValueError([_("Cannot find package named %s") % rpm_name])
> -
> -        for fentry in h.fiFromHeader():
> -            fname = fentry[0]
> -
> -            if os.path.isdir(fname):
> -                self.add_dir(fname)
> -            if os.path.isfile(fname):
> -                self.add_file(fname)
> -
> -        srcrpm = str(h[rpm.RPMTAG_SOURCERPM], encoding='utf-8')
> -        srcrpmbits = self.split_filename(srcrpm)
> -
> -        if srcrpmbits[0] == str(h[rpm.RPMTAG_NAME], encoding='utf-8'):
> -            return
> -
> -        mi = self.ts.dbMatch(rpm.RPMTAG_NAME, srcrpmbits[0])
> -        try:
> -            h = next(mi);
> -        except StopIteration:
> -            raise ValueError([_("Cannot find base package %s") % srcrpmbits[0]])
> -
> -        for fentry in h.fiFromHeader():
> -            fname = fentry[0]
> -
> -            if os.path.isdir(fname):
> -                self.add_dir(fname)
> -            if os.path.isfile(fname):
> -                self.add_file(fname)
> -
> -    def gen_hostname(self):
> -        fd=open(self.dest + self.HOSTNAME, "w")
> -        fd.write("%s\n" % self.name )
> -        fd.close()
> -
> -    def gen_machine_id(self):
> -        uuid_fd = open("/proc/sys/kernel/random/uuid")
> -        uuid = uuid_fd.read().replace("-","").rstrip()
> -        uuid_fd.close()
> -        self.config.set_uuid(uuid)
> -        fd=open(self.dest + self.MACHINE_ID, "w")
> -        fd.write("%s\n" % uuid)
> -        fd.close()
> -
> -        if not self.use_image:
> -            # Link /var/log/journal within the container to /var/log/journal/UUID
> -            # on host.  This will allow the hosts journalctl to easily read
> -            # containers journal information.
> -            jdir = "/var/log/journal/"
> -            jpath = jdir + uuid
> -            if not os.path.exists(self.dest + jpath):
> -                os.makedirs(self.dest + jpath)
> -            if not os.path.exists(jdir):
> -                os.makedirs(jdir)
> -
> -            os.symlink(self.dest + jpath, jpath)
> -
> -    def gen_filesystems(self):
> -        Container.gen_filesystems(self)
> -        # 10 MB /run
> -        mount = LibvirtSandbox.ConfigMountRam.new("/run", 10 * 1024 * 1024);
> -        self.config.add_mount(mount)
> -
> -        # 100 MB /tmp
> -        mount = LibvirtSandbox.ConfigMountRam.new("/tmp", 100 * 1024 * 1024);
> -        self.config.add_mount(mount)
> -
> -        # 100 MB /tmp
> -        mount = LibvirtSandbox.ConfigMountRam.new("/dev/shm", 100 * 1024 * 1024);
> -        self.config.add_mount(mount)
> -
> -        for d in self.BIND_SYSTEM_DIRS:
> -            if d != "/var" and os.path.exists(d):
> -                source = "%s%s" % ( self.dest, d)
> -                self.add_bind_mount(source, d)
> -
> -        for f in self.BIND_SYSTEM_FILES:
> -            if os.path.exists(f):
> -                source = "%s%s" % ( self.dest, f)
> -                self.add_bind_mount(source, f)
> -
> -        for d in self.dirs:
> -            found = False
> -            # Dont add dirs whos parents are in SYSTEM_DIRS
> -            for s in self.BIND_SYSTEM_DIRS:
> -                if d.startswith(s):
> -                    found = True
> -                    break
> -            if not found:
> -                source = "%s%s" % ( self.dest, d)
> -                self.add_bind_mount(source, d)
> -
> -        # /var contains the mounted image if there is an image: should be the
> -        # last thing to mount
> -        self.add_bind_mount("%s/var" % self.dest, "/var")
> -        self.add_mounts()
> -
> -    def get_expanded_unit_template(self, unit):
> -        return unit.replace('@', '@' + self.name)
> -
> -    def create_container_unit(self, src, dest, unit):
> -            if is_template_unit(unit):
> -                shutil.copy(src, dest + "/" + unit)
> -                unit = self.get_expanded_unit_template(unit)
> -                os.symlink(src, dest + "/" + unit)
> -
> -            dropin_dir = "%s/%s.d" % (dest, unit)
> -            if not os.path.exists(dropin_dir):
> -                os.mkdir(dropin_dir)
> -
> -            fd = open(dropin_dir + "/virt-sandbox.conf", "w")
> -            fd.write("""; file placed here by virt-sandbox-service
> -[Service]
> -PrivateTmp=false
> -PrivateNetwork=false
> -""" )
> -            fd.close()
> -
> -    def gen_content(self):
> -        if self.copy:
> -            for d in self.dirs:
> -                copydirtree(d, "%s%s" % (self.dest, d))
> -            for f in self.files:
> -                self.makedirs(os.path.dirname(f))
> -                shutil.copy(f, "%s%s" % (self.dest, f))
> -        else:
> -            for d in self.all_dirs:
> -                self.makedirs(d)
> -            for f in self.files:
> -                self.makedirs(os.path.dirname(f))
> -                self.makefile(f)
> -
> -        for d in self.BIND_SYSTEM_DIRS + self.MAKE_SYSTEM_DIRS:
> -            self.makedirs(d)
> -
> -        for f in self.BIND_SYSTEM_FILES:
> -            self.makefile(f)
> -
> -        destpath = self.dest + self.SYSVINIT_PATH
> -        for i in range(7):
> -            os.mkdir(destpath+("/rc%s.d" % i))
> -
> -        # Copy both /etc/rc.d/init.d/functions and /lib/lsb/init-functions, even
> -        # though the latter is the one recommended
> -        if os.path.exists(self.SYSVINIT_PATH + "/init.d/functions"):
> -            os.mkdir(destpath+"/init.d")
> -            shutil.copy(self.SYSVINIT_PATH + "/init.d/functions" , destpath + "/init.d")
> -
> -        if os.path.exists("/lib/lsb/init-functions"):
> -            shutil.copy("/lib/lsb/init-functions" , self.dest + "/lib/lsb/")
> -
> -        self.gen_machine_id()
> -        self.gen_hostname()
> -
> -        for k in self.LOCAL_LINK_FILES:
> -            for d in self.LOCAL_LINK_FILES[k]:
> -                src = "../%s" % ( d)
> -                dest = "%s%s/%s" % ( self.dest, k, d)
> -                os.symlink(src,dest)
> -
> -        unitdir = "/etc/systemd/system"
> -        tgtdir = unitdir + "/multi-user.target.wants"
> -
> -        self.makedirs(unitdir)
> -        self.makedirs(tgtdir)
> -        os.symlink("/run", self.dest + "/var/run")
> -
> -        for i, src in self.unit_file_list:
> -            self.create_container_unit(src, self.dest + unitdir, i)
> -            if is_template_unit(i):
> -                i = self.get_expanded_unit_template(i)
> -            os.symlink(src, self.dest + tgtdir + "/" + i)
> -
> -        tgtfile = unitdir + "/multi-user.target"
> -        try:
> -            fd = open(self.dest + tgtfile, "w")
> -            fd.write("[Unit]\n")
> -            fd.write("Description=Sandbox multi-user target\n")
> -            fd.close()
> -        except OSError as e:
> -            if not e.errno == errno.EEXIST:
> -                raise
> -
> -        for p in self.PROFILE_FILES:
> -            profile = "/etc/skel/" + p
> -            if os.path.exists(profile):
> -                shutil.copy(profile, self.dest + "/root/")
> -
> -        self.fix_protection()
> -
> -    def delete(self):
> -        try:
> -            uuid = self.config.get_uuid()
> -            if uuid is not None:
> -                jpath = "/var/log/journal/" + uuid
> -                if os.path.lexists(jpath):
> -                    os.remove(jpath)
> -        except Exception as e:
> -            sys.stderr.write("%s: %s\n" % (sys.argv[0], e))
> -            sys.stderr.flush()
> -
> -        Container.delete(self)
> -
> -        if self.unitfile and os.path.exists(self.unitfile):
> -            p = Popen(["/usr/bin/systemctl","disable", self.unitfile],stdout=PIPE, stderr=PIPE)
> -            p.communicate()
> -            if p.returncode and p.returncode != 0:
> -                raise OSError(_("Failed to disable %s unit file") %  self.unitfile)
> -            os.remove(self.unitfile)
> -
> -    def create_systemd(self):
> -        self.extract_rpms()
> -        Container.create(self)
> -        self.gen_filesystems()
> -        if self.image:
> -            self.create_image()
> -            self.gen_content()
> -            self.umount()
> -            sys.stdout.write(_("Created sandbox container image %s\n") % self.image)
> -        else:
> -            self.gen_content()
> -            sys.stdout.write(_("Created sandbox container dir %s\n") % self.dest)
> -        self.set_security_label()
> -        self.create_system_unit()
> -        self.config.set_boot_target("multi-user.target")
> -        self.save_config()
> -
> -    def create(self):
> -        if os.path.exists(self.dest):
> -            raise OSError(_("%s already exists") % self.dest)
> -
> -        try:
> -            self.create_systemd()
> -        except Exception as e:
> -            try:
> -                self.delete()
> -            except Exception as e2:
> -                sys.stderr.write("Cleanup failed: %s\n" % str(e2))
> -            raise
> -
> -    def reload(self, unitfiles):
> -        class Args:
> -            command = []
> -            noseclabel = None
> -            name = self.name
> -            uri = self.uri
> -        args = Args()
> -        args.command = [ "systemctl", "reload" ] + map(lambda x: x[0], unitfiles)
> -        execute(args)
> -
> -MB = int(1000000)
> -
> -def delete(args):
> -    config = read_config(args.name)
> -    if config is None:
> -        sys.stderr.write("Sandbox '%s' does not exist\n" % args.name)
> -        sys.exit(1)
> -
> -    if isinstance(config, gi.repository.LibvirtSandbox.ConfigServiceGeneric):
> -        container = GenericContainer(uri=args.uri, config = config)
> -    else:
> -        container = SystemdContainer(uri=args.uri, config = config)
> -    container.set_path(args.path)
> -    container.delete()
> -
> -def create(args):
> -    if len(args.command) > 0 and len(args.unitfiles) > 0:
> -        raise ValueError([_("Commands cannot be specified with unit files")])
> -
> -    if len(args.command) == 0  and len(args.unitfiles) == 0:
> -        raise ValueError([_("You must specify a command or a unit file")])
> -
> -    if args.packages and len(args.unitfiles) != 1:
> -        raise ValueError([_("Option --package cannot be used without a unit file")])
> -
> -    if len(args.command) > 0:
> -        container = GenericContainer(name = args.name, uri=args.uri, create = True)
> -        container.set_command(args.command)
> -    else:
> -        container = SystemdContainer(name = args.name, uri=args.uri, create = True, packages = args.packages)
> -        container.set_copy(args.copy)
> -        container.set_unit_file_list(args.unitfiles)
> -    for net in args.network:
> -        container.add_network(net)
> -    if args.security:
> -        container.set_security(args.security)
> -    container.set_uid(args.uid)
> -    if not args.homedir:
> -        args.homedir = pwd.getpwuid(args.uid).pw_dir
> -    container.set_homedir(args.homedir)
> -    if not args.username:
> -        args.username = pwd.getpwuid(args.uid).pw_name
> -    container.set_username(args.username)
> -    if not args.gid:
> -        args.gid = pwd.getpwuid(args.uid).pw_gid
> -    container.set_gid(args.gid)
> -    container.set_path(args.path)
> -    container.set_file_type(args.file_type)
> -    container.set_mounts(args.mounts)
> -    if args.imagesize:
> -        container.set_image(args.imagesize)
> -
> -    container.create()
> -
> -def usage(parser, msg):
> -    parser.print_help()
> -
> -    sys.stderr.write("\n%s\n" % msg)
> -    sys.stderr.flush()
> -    sys.exit(1)
> -
> -def sandbox_reload(args):
> -    config = read_config(args.name)
> -    if isinstance(config, gi.repository.LibvirtSandbox.ConfigServiceGeneric):
> -        raise ValueError([_("Generic Containers do not support reload")])
> -    container = SystemdContainer(uri = args.uri, config = config)
> -    container.reload(args.unitfiles)
> -
> -def connect(args):
> -    if args.uri == "lxc:///":
> -        class Args:
> -            command = []
> -            noseclabel = None
> -            name = args.name
> -            uri = args.uri
> -
> -        args = Args()
> -        args.command = [ "/bin/sh" ]
> -        execute(args)
> -        return
> -
> -    print ("""\
> -Connected to %s.
> -Type 'Ctrl + ]' to detach from the console.
> -""" % ( args.name ))
> -    os.execl("/usr/libexec/virt-sandbox-service-util",
> -             "virt-sandbox-service-util",
> -             "-c", args.uri,
> -             "-a", args.name)
> -
> -#
> -# Search Path for command to execute within the container.
> -#
> -def fullpath(cmd):
> -    for i in [ "/", "./", "../" ]:
> -        if cmd.startswith(i):
> -            return cmd
> -    for i in  os.environ["PATH"].split(':'):
> -        f = "%s/%s" % (i, cmd)
> -        if os.access(f, os.X_OK):
> -            return f
> -    return cmd
> -
> -def execute(args):
> -    if args.uri != "lxc:///":
> -        raise ValueError([_("Can only execute commands inside of linux containers.")])
> -
> -    myexec = [ "virsh", "-c", args.uri, "lxc-enter-namespace" ]
> -    if args.noseclabel:
> -        myexec.append("--noseclabel")
> -    myexec.extend([ args.name, "--", fullpath(args.command[0])] +  args.command[1:])
> -    os.execv("/usr/bin/virsh", myexec)
> -
> -def clone(args):
> -    config = read_config(args.source)
> -    if isinstance(config, gi.repository.LibvirtSandbox.ConfigServiceGeneric):
> -        container = GenericContainer(uri=args.uri, config=config)
> -    else:
> -        container = SystemdContainer(uri=args.uri, config=config)
> -    newcontainer = None
> -
> -    container.set_path(args.path)
> -
> -    old_path = container.get_filesystem_path()
> -    new_path = container.get_filesystem_path(args.dest)
> -
> -    if os.path.exists(new_path):
> -        raise OSError(_("%s already exists") % new_path)
> -
> -    try:
> -        fd = open(container.get_config_path(),"r")
> -        recs = fd.read()
> -        fd.close()
> -
> -        newrec = recs.replace(old_path + "/", new_path + "/")
> -        newrec = newrec.replace("name=" + args.source, "name=" + args.dest)
> -        old_image_path = container.get_image_path()
> -        if os.path.exists(old_image_path):
> -            new_image_path = container.get_image_path(args.dest)
> -            newrec = newrec.replace(old_image_path, new_image_path)
> -            shutil.copy(old_image_path, new_image_path)
> -            sys.stdout.write(_("Created sandbox container image %s\n") % new_image_path)
> -            os.mkdir(new_path)
> -        else:
> -            copydirtree(old_path, new_path)
> -            sys.stdout.write(_("Created sandbox container dir %s\n") % new_path)
> -
> -        if isinstance(config, gi.repository.LibvirtSandbox.ConfigServiceGeneric):
> -            newcontainer = GenericContainer(name=args.dest, uri=args.uri, create=True)
> -            newcontainer.set_path(args.path)
> -        else:
> -            fd = open(container.get_unit_path())
> -            recs = fd.read()
> -            fd.close()
> -
> -            new_unit = container.get_unit_path(args.dest)
> -            fd = open(new_unit, "wx")
> -            fd.write(recs.replace(args.source, args.dest))
> -            fd.close()
> -
> -            sys.stdout.write(_("Created unit file %s\n") % new_unit)
> -
> -            config = LibvirtSandbox.Config.load_from_data(newrec)
> -            newcontainer = SystemdContainer(config=config, uri=args.uri)
> -            newcontainer.set_path(args.path)
> -            newcontainer.gen_machine_id()
> -            newcontainer.gen_hostname()
> -
> -        if args.security:
> -            newcontainer.set_security(args.security)
> -        newcontainer.set_security_label()
> -        newcontainer.save_config()
> -    except Exception as e:
> -        if newcontainer is not None:
> -            newcontainer.delete()
> -        raise
> -
> -
> -def upgrade_config_legacy(path):
> -    config = LibvirtSandbox.Config.load_from_path(path)
> -
> -    if isinstance(config, gi.repository.LibvirtSandbox.ConfigServiceGeneric):
> -        container = GenericContainer(uri=args.uri, config=config)
> -    else:
> -        container = SystemdContainer(uri=args.uri, config=config)
> -
> -        fd = open(container.get_unit_path())
> -        unitfile = fd.read()
> -        fd.close()
> -
> -        unitfile = unitfile.replace("/usr/bin/virt-sandbox-service start",
> -                                    "/usr/libexec/virt-sandbox-service-util -c lxc:/// -s")
> -        unitfile = unitfile.replace("/usr/bin/virt-sandbox-service reload",
> -                                    "/usr/bin/virt-sandbox-service -c lxc:/// reload")
> -        unitfile = unitfile.replace("/usr/bin/virt-sandbox-service stop",
> -                                    "/usr/bin/virsh -c lxc:/// destroy")
> -
> -        unitfile = re.sub("WantedBy=.*\.target",
> -                          "WantedBy=multi-user.target",
> -                          unitfile)
> -
> -        os.remove(container.get_unit_path())
> -        fd = open(container.get_unit_path(), "wx")
> -        fd.write(unitfile)
> -        fd.close()
> -
> -        sys.stdout.write(_("Created unit file %s\n") %
> -                         container.get_unit_path())
> -
> -    # Create new config file + libvirt persistent XML config
> -    container.save_config()
> -    # Kill legacy config file
> -    os.remove(path)
> -
> -
> -def upgrade_config_current(path):
> -    config = LibvirtSandbox.Config.load_from_path(path)
> -
> -    if isinstance(config, gi.repository.LibvirtSandbox.ConfigServiceGeneric):
> -        container = GenericContainer(uri=args.uri, config=config)
> -    else:
> -        container = SystemdContainer(uri=args.uri, config=config)
> -
> -    # Create new config file + libvirt persistent XML config
> -    container.update_config()
> -
> -
> -def upgrade_config(args):
> -    newconfigfile = get_config_path(args.name)
> -    oldconfigfile = get_legacy_config_path(args.name)
> -    if os.path.exists(oldconfigfile):
> -        upgrade_config_legacy(oldconfigfile)
> -    elif os.path.exists(newconfigfile):
> -        upgrade_config_current(newconfigfile)
> -    else:
> -        sys.stderr.write("Sandbox '%s' does not exist\n" % args.name)
> -        sys.exit(1)
> -
> -
> -def upgrade_filesystem(args):
> -    # This is where we'd look at RPM DB and upgrade the
> -    # filesystem with new info for the unit files
> -    pass
> -
> -# This function must be capable of reading configs created by
> -# old releases and "fixing" them to work with the new release
> -def upgrade(args):
> -    upgrade_config(args)
> -    upgrade_filesystem(args)
> -
> -import argparse
> -class AddMount(argparse.Action):
> -    def __call__(self, parser, namespace, values, option_string=None):
> -        newval = getattr(namespace, self.dest)
> -        if not newval:
> -            newval = []
> -        for v in values:
> -            newval.append(v)
> -        setattr(namespace, self.dest, newval)
> -
> -class SizeAction(argparse.Action):
> -    def __call__(self, parser, namespace, values, option_string=None):
> -        setattr(namespace, self.dest, int(values))
> -
> -class CheckUnit(argparse.Action):
> -    def __call__(self, parser, namespace, value, option_string=None):
> -        def check_unit(unit):
> -            src = "/etc/systemd/system/" + unit
> -            if os.path.exists(src):
> -                return src
> -            src = "/usr/lib/systemd/system/" + unit
> -            if os.path.exists(src):
> -                return src
> -            return None
> -        src = check_unit(value)
> -        if not src:
> -            src = check_unit(value + ".service")
> -            if src:
> -                value = value + ".service"
> -            else:
> -                raise OSError(_("Requested unit %s does not exist") % value)
> -
> -        unitfiles = getattr(namespace, self.dest)
> -        if unitfiles:
> -            unitfiles.append((value, src))
> -        else:
> -            unitfiles = [ (value, src) ]
> -        setattr(namespace, self.dest, unitfiles)
> -
> -class SetNet(argparse.Action):
> -    def __call__(self, parser, namespace, values, option_string=None):
> -        nets = getattr(namespace, self.dest)
> -        if nets:
> -            nets.append(values)
> -        else:
> -            nets = [values]
> -        setattr(namespace, self.dest, nets)
> -
> -class CheckPackage(argparse.Action):
> -    def __call__(self, parser, namespace, value, option_string=None):
> -        nb_rpm = len(rpm.TransactionSet().dbMatch('name', value))
> -        if nb_rpm == 0:
> -            raise OSError(_("Cannot find %s rpm") % value)
> -        elif nb_rpm > 1:
> -            raise OSError(_("%s rpm is installed more than once") % value)
> -        packages = getattr(namespace, self.dest)
> -        if packages:
> -            packages.append(value)
> -        else:
> -            packages = [ value ]
> -        setattr(namespace, self.dest, packages)
> -
> -def requires_name(parser):
> -    parser.add_argument("name",
> -                        help=_("name of the sandbox container"))
> -
> -def default_security_opts():
> -    if selinux is None:
> -        return None
> -
> -    # XXX vary per URI for kvm/qemu/lxc.
> -    # XXX generate a random category
> -    return "static,label=system_u:system_r:svirt_lxc_net_t:s0"
> -
> -def gen_create_args(subparser):
> -    parser = subparser.add_parser("create",
> -                                  help=_("Create a sandbox container."))
> -
> -    parser.add_argument("-C", "--copy", default=False,
> -                        action="store_true",
> -                        help=_("copy content from the hosts /etc and /var directories that will be mounted within the
> sandbox"))
> -
> -    parser.add_argument("-f", "--filetype", dest="file_type",
> -                        default=c.get_file_type(),
> -                        help=_("SELinux file type to assign to content within the sandbox.  Default: %s") %
> c.get_file_type())
> -    parser.add_argument("--homedir", dest="homedir",
> -                        help=_("Specify the homedir for the container. Default: UID homedir."))
> -    parser.add_argument("-G", "--gid", dest="gid",
> -                        default=None, type=int,
> -                        help=_("Specify the login gid for the container. Default: login GID of the UID."))
> -    parser.add_argument("-i", "--imagesize", dest="imagesize", default = None,
> -                       action=SizeAction,
> -                       help=_("create image of this many megabytes."))
> -    parser.add_argument("-m", "--mount", dest="mounts",default=[], nargs="*", action=AddMount,
> -                        help=_("Mount a filesytem in the sandbox"))
> -    parser.add_argument("-N", "--network", dest="network",
> -                        action=SetNet, default=[],
> -                        help=_("Specify the network configuration"))
> -    parser.add_argument("-p", "--path", dest="path",  default=c.DEFAULT_PATH,
> -                        help=_("select path to store sandbox content.  Default: %s") % c.DEFAULT_PATH)
> -    parser.add_argument("-s", "--security", dest="security",
> -                        default=default_security_opts(),
> -                        help=_("Specify the security model configuration for the sandbox: Defaults to dynamic"))
> -    parser.add_argument("-u", "--unitfile",
> -                        action=CheckUnit,
> -                        dest="unitfiles", default=[],
> -                        help=_("Systemd Unit file to run within the systemd sandbox container. Commands cannot be
> specified with unit files."))
> -    parser.add_argument("-P", "--package",
> -                        action=CheckPackage,
> -                        dest="packages", default=[],
> -                        help=_("RPM package to be used in the container. Default: autodetected from unit files."))
> -    parser.add_argument("--username", dest="username",
> -                        help=_("Specify the username for the container. Default: UID username."))
> -    parser.add_argument("-U", "--uid", dest="uid",
> -                        default=os.getuid(),type=int,
> -                        help=_("Specify the uid for the container: Default to current UID."))
> -
> -    requires_name(parser)
> -    parser.add_argument("command", default=[], nargs="*",
> -                        help=_("Command to run within the generic sandbox container. Commands cannot be specified
> with unit files."))
> -
> -    parser.set_defaults(func=create)
> -
> -def gen_connect_args(subparser):
> -    parser = subparser.add_parser("connect",
> -                                  help=_("Connect to a sandbox container"))
> -    requires_name(parser)
> -    parser.set_defaults(func=connect)
> -
> -def gen_execute_args(subparser):
> -    parser = subparser.add_parser("execute",
> -                                  help=_("Execute a command within a sandbox container. Only available for lxc:///"))
> -    parser.add_argument("-N", "--noseclabel", dest="noseclabel",
> -                        default=False, action="store_true",
> -                        help=_("do not modify the label of the executable process.  By default all commands execute
> with the label of the sandbox"))
> -    requires_name(parser)
> -    parser.add_argument("command", nargs="+",
> -                        help=_("command to execute within the container"))
> -    parser.set_defaults(func=execute)
> -
> -def gen_reload_args(subparser):
> -    parser = subparser.add_parser("reload",
> -                                   help=_("Reload a running sandbox container"))
> -    parser.add_argument("-u", "--unitfile", required=True,
> -                        action=CheckUnit, dest="unitfiles",
> -                        help=_("Systemd Unit file to reload within the sandbox container"))
> -    requires_name(parser)
> -    parser.set_defaults(func=sandbox_reload)
> -
> -def gen_clone_args(subparser):
> -    parser = subparser.add_parser("clone",
> -                                  help=_("Clone an existing sandbox container"))
> -    parser.set_defaults(func=clone)
> -    parser.add_argument("-p", "--path", dest="path",  default=c.DEFAULT_PATH,
> -                        help=_("select path to copy sandbox content from/to.  Default: %s") % c.DEFAULT_PATH)
> -    parser.add_argument("-s", "--security", dest="security",
> -                        default=default_security_opts(),
> -                        help=_("Specify the security model configuration for the sandbox: Defaults to dynamic"))
> -
> -    parser.add_argument("source",
> -                        help=_("source sandbox container name"))
> -    parser.add_argument("dest",
> -                        help=_("dest name of the new sandbox container"))
> -
> -def gen_delete_args(subparser):
> -    parser = subparser.add_parser("delete",
> -                                   help=_("Delete a sandbox container"))
> -    parser.add_argument("-p", "--path", dest="path",  default=c.DEFAULT_PATH,
> -                        help=_("select path to delete sandbox content from.  Default: %s") % c.DEFAULT_PATH)
> -    requires_name(parser)
> -    parser.set_defaults(func=delete)
> -
> -def gen_upgrade_args(subparser):
> -    parser = subparser.add_parser("upgrade",
> -                                   help=_("Upgrade the sandbox container"))
> -    requires_name(parser)
> -    parser.set_defaults(func=upgrade)
> -
> -if __name__ == '__main__':
> -    c = Container()
> -
> -    parser = argparse.ArgumentParser(description='Sandbox Container Tool')
> -    parser.add_argument("-c", "--connect", required=False, dest="uri",  default="lxc:///",
> -                        help=_("libvirt connection URI to use (lxc:/// [default] or qemu:///session)"))
> -
> -    subparser = parser.add_subparsers(help=_("commands"))
> -    gen_create_args(subparser)
> -    gen_clone_args(subparser)
> -    gen_connect_args(subparser)
> -    gen_delete_args(subparser)
> -    gen_execute_args(subparser)
> -    gen_reload_args(subparser)
> -    gen_upgrade_args(subparser)
> -
> -    try:
> -        args = parser.parse_args()
> -        if args.uri[0:3] != "lxc":
> -            sys.stderr.write("%s: only lxc:/// URIs are currently supported\n" % sys.argv[0])
> -            sys.exit(1)
> -        if os.geteuid() != 0:
> -            sys.stderr.write("%s: lxc:/// URIs are only supported when run as root\n" % sys.argv[0])
> -            sys.exit(1)
> -        args.func(args)
> -        sys.exit(0)
> -    except KeyboardInterrupt as e:
> -        sys.exit(0)
> -    except ValueError as e:
> -        sys.stderr.write("%s: %s\n" % (sys.argv[0], e))
> -        sys.stderr.flush()
> -        sys.exit(1)
> -    except IOError as e:
> -        sys.stderr.write("%s: %s: %s\n" % (sys.argv[0], e.filename, e.strerror))
> -        sys.stderr.flush()
> -        sys.exit(1)
> -    except OSError as e:
> -        sys.stderr.write("%s: %s\n" % (sys.argv[0], e))
> -        sys.stderr.flush()
> -        sys.exit(1)
> -    except GLib.GError as e:
> -        sys.stderr.write("%s: %s\n" % (sys.argv[0], e))
> -        sys.stderr.flush()
> -        sys.exit(1)
> diff --git a/bin/virt-sandbox-service-bash-completion.sh b/bin/virt-sandbox-service-bash-completion.sh
> deleted file mode 100755
> index a101f4a..0000000
> --- a/bin/virt-sandbox-service-bash-completion.sh
> +++ /dev/null
> @@ -1,141 +0,0 @@
> -# This file is part of libvirt-sandbox.
> -#
> -# Copyright (C) 2012-2013 Red Hat, Inc.
> -#
> -# systemd is free software; you can redistribute it and/or modify it
> -# under the terms of the GNU General Public License as published by
> -# the Free Software Foundation; either version 2 of the License, or
> -# (at your option) any later version.
> -#
> -# systemd is distributed in the hope that it will be useful, but
> -# WITHOUT ANY WARRANTY; without even the implied warranty of
> -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
> -# General Public License for more details.
> -#
> -# You should have received a copy of the GNU General Public License
> -# along with systemd; If not, see <http://www.gnu.org/licenses/>.
> -#
> -# Authors: Dan Walsh <dwalsh@xxxxxxxxxx>
> -#
> -__contains_word () {
> -    local word=$1; shift
> -    for w in $*; do [[ $w = $word ]] && return 0; done
> -    return 1
> -}
> -
> -ALL_OPTS='-h --help'
> -
> -__get_all_unit_files () {
> -    systemctl list-unit-files --no-legend | cut -d' ' -f 1 | grep -v '@'
> -}
> -
> -__get_all_containers () {
> -    virt-sandbox-service list
> -}
> -
> -__get_all_running_containers () {
> -    virt-sandbox-service list --running
> -}
> -
> -__get_all_file_types () {
> -    seinfo -afile_type -x 2>/dev/null | tail -n +2
> -}
> -
> -_virt_sandbox_service () {
> -    local command=${COMP_WORDS[1]}
> -    local cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]}
> -    local verb comps
> -    local -A VERBS=(
> -           [CONNECT]='connect'
> -           [CREATE]='create'
> -           [DELETE]='delete'
> -           [RELOAD]='reload'
> -           [START]='start'
> -           [EXECUTE]='execute'
> -           [STOP]='stop'
> -           [LIST]='list'
> -    )
> -    local -A OPTS=(
> -        [ALL]='-h --help'
> -        [CREATE]='-C --copy -f --filetype -G --gid  -i --imagesize --homedir -m --mount -N --network -p --path -s --
> security -u --unitfile --username -U -uid'
> -        [LIST]='-r --running'
> -        [RELOAD]='-u --unitfile'
> -        [EXECUTE]='-N --noseclabel'
> -    )
> -
> -    for ((i=0; $i <= $COMP_CWORD; i++)); do
> -        if __contains_word "${COMP_WORDS[i]}" ${VERBS[*]} &&
> -         ! __contains_word "${COMP_WORDS[i-1]}" ${OPTS[ARG}]}; then
> -            verb=${COMP_WORDS[i]}
> -            break
> -        fi
> -    done
> -
> -    if test "$verb" = "" && test "$prev" = "virt-sandbox-service" ; then
> -        comps="${VERBS[*]}"
> -        COMPREPLY=( $(compgen -W "$comps" -- "$cur") )
> -        return 0
> -    elif test "$verb" == "list" ; then
> -        if test "$prev" = "-r" || test "$prev" = "--running" ; then
> -        return 0
> -        fi
> -        COMPREPLY=( $(compgen -W "${OPTS[ALL]} ${OPTS[LIST]} " -- "$cur") )
> -        return 0
> -    elif test "$verb" == "delete" ; then
> -        COMPREPLY=( $(compgen -W "${OPTS[ALL]} $( __get_all_containers ) " -- "$cur") )
> -        return 0
> -    elif test "$verb" == "start" ; then
> -        COMPREPLY=( $(compgen -W "${OPTS[ALL]} $( __get_all_containers ) " -- "$cur") )
> -        return 0
> -    elif test "$verb" == "stop" ; then
> -        COMPREPLY=( $(compgen -W "${OPTS[ALL]} $( __get_all_running_containers ) " -- "$cur") )
> -        return 0
> -    elif test "$verb" == "reload" ; then
> -        COMPREPLY=( $(compgen -W "${OPTS[ALL]} ${OPTS[RELOAD]} $( __get_all_running_containers ) " -- "$cur") )
> -        return 0
> -    elif test "$verb" == "connect" ; then
> -        COMPREPLY=( $(compgen -W "${OPTS[ALL]} $( __get_all_running_containers ) " -- "$cur") )
> -        return 0
> -    elif test "$verb" == "execute" ; then
> -        if test "$prev" = "execute"; then
> -            COMPREPLY=( $(compgen -W "${OPTS[ALL]} ${OPTS[EXECUTE]} $( __get_all_running_containers ) " -- "$cur") )
> -        else
> -            COMPREPLY=( $( compgen -c -- "$cur") )
> -        fi
> -        return 0
> -    elif test "$verb" == "create" ; then
> -        if test "$prev" = "-p" || test "$prev" = "--path" ; then
> -        COMPREPLY=( $( compgen -d -- "$cur") )
> -        compopt -o filenames
> -        return 0
> -        elif test "$prev" = "-u" || test "$prev" = "--unitfile" ; then
> -        COMPREPLY=( $(compgen -W "$( __get_all_unit_files ) " -- "$cur") )
> -        return 0
> -        elif test "$prev" = "-f" || test "$prev" = "--filetype" ; then
> -        COMPREPLY=( $(compgen -W "$( __get_all_file_types ) " -- "$cur") )
> -        return 0
> -        elif test "$prev" = "-s" || test "$prev" = "--security" ; then
> -        return 0
> -        elif test "$prev" = "-m" || test "$prev" = "--mount" ; then
> -        return 0
> -        elif test "$prev" = "-n" || test "$prev" = "--network" ; then
> -        return 0
> -        elif test "$prev" = "-i" || test "$prev" = "--imagesize" ; then
> -        return 0
> -        elif __contains_word "$command" ${VERBS[CREATE]} ; then
> -        COMPREPLY=( $(compgen -W "${OPTS[ALL]} ${OPTS[CREATE]}" -- "$cur") )
> -        return 0
> -        elif __contains_word "${COMP_WORDS[i]}" ${VERBS[*]} ; then
> -        COMPREPLY=( $(compgen -W "${OPTS[ALL]}" -- "$cur") )
> -        return 0
> -        fi
> -    else
> -        if ! __contains_word "${prev}" ${VERBS[*]} &&
> -            ! __contains_word "${prev}" ${OPTS[*]}; then
> -        return 0
> -        fi
> -    fi
> -    COMPREPLY=( $(compgen -W "${OPTS[ALL]} $( __get_all_containers ) " -- "$cur") )
> -    return 0
> -}
> -complete -F _virt_sandbox_service virt-sandbox-service
> diff --git a/bin/virt-sandbox-service-clone.pod b/bin/virt-sandbox-service-clone.pod
> deleted file mode 100644
> index e9d997b..0000000
> --- a/bin/virt-sandbox-service-clone.pod
> +++ /dev/null
> @@ -1,100 +0,0 @@
> -=head1 NAME
> -
> -virt-sandbox-service clone - clone an existing Secure container
> -
> -=head1 SYNOPSIS
> -
> -Clone a Security container
> -
> -  virt-sandbox-service [-c URI] clone [-h] [-p PATH] [-s SECURITY-OPTS] SOURCE DEST
> -
> -=head1 DESCRIPTION
> -
> -virt-sandbox-service is used to manage secure sandboxed system services.
> -These applications will be launched via libvirt and run within a virtualization
> -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The
> -container / virtual machines will be secured by SELinux and resource
> -separated using cgroups.
> -
> -The clone command will clone the SOURCE security sandbox container into the DEST security sandbox container.
> -
> -=head1 OPTIONS
> -
> -=over 4
> -
> -=item B<-h>, B<--help>
> -
> -Display help message
> -
> -=item B<-c> URI, B<--connect URI>
> -
> -The connection URI for the hypervisor (currently only LXC URIs are
> -supported).
> -
> -=item B<-p PATH>, B<--path PATH>
> -
> -Set path to copy container content from/to. This argument must match the value of
> -the C<-p> arg given when creating the original source container.
> -
> -Default: C</var/lib/libvirt/filesystems>.
> -
> -=item B<-s SECURITY-OPTIONS>, B<--security=SECURITY-OPTIONS>
> -
> -Use alternative security options. SECURITY-OPTIONS is a set of key=val pairs,
> -separated by commas. The following options are valid for SELinux
> -
> -=over 4
> -
> -=item dynamic
> -
> -Dynamically allocate an SELinux label, using the default base context.
> -The default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC,
> -system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0
> -for QEMU.
> -
> -=item dynamic,label=USER:ROLE:TYPE:LEVEL
> -
> -Dynamically allocate an SELinux label, using the base context
> -USER:ROLE:TYPE:LEVEL, instead of the default base context.
> -
> -=item static,label=USER:ROLE:TYPE:LEVEL
> -
> -To set a completely static label. For example,
> -static,label=system_u:system_r:svirt_t:s0:c412,c355
> -
> -=back
> -
> -=back
> -
> -=head1 EXAMPLE
> -
> -Execute /bin/sh in httpd1 container
> -
> - # virt-sandbox-service clone -s static,label=system_u:system_r:svirt_lxc_net_t:s0:c1,c2 httpd1 httpd2
> -
> -=head1 SEE ALSO
> -
> -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox-service(1)>
> -
> -=head1 FILES
> -
> -Container content will be stored in subdirectories of
> -/var/lib/libvirt/filesystems, by default.  You can manage the
> -content in these directories outside of the container and
> -processes within the container will see the content.
> -
> -=head1 AUTHORS
> -
> -Daniel Walsh <dwalsh@xxxxxxxxxx>
> -Daniel P. Berrange <dan@xxxxxxxxxxxx>
> -
> -=head1 COPYRIGHT
> -
> -Copyright (C) 2011-2013 Red Hat, Inc.
> -
> -=head1 LICENSE
> -
> -virt-sandbox is distributed under the terms of the GNU LGPL v2+.
> -This is free software; see the source for copying conditions.
> -There is NO warranty; not even for MERCHANTABILITY or FITNESS
> -FOR A PARTICULAR PURPOSE
> diff --git a/bin/virt-sandbox-service-connect.pod b/bin/virt-sandbox-service-connect.pod
> deleted file mode 100644
> index cefa37a..0000000
> --- a/bin/virt-sandbox-service-connect.pod
> +++ /dev/null
> @@ -1,59 +0,0 @@
> -=head1 NAME
> -
> -virt-sandbox-service connect - Connect to a security container console
> -
> -=head1 SYNOPSIS
> -
> -  virt-sandbox-service [-c URI] connect [-h] NAME
> -
> -=head1 DESCRIPTION
> -
> -virt-sandbox-service is used to manage secure sandboxed system services.
> -These applications will be launched via libvirt and run within a virtualization
> -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The
> -container / virtual machines will be secured by SELinux and resource
> -separated using cgroups.
> -
> -The connect command will connect to the security sandbox container console NAME.
> -
> -=head1 OPTIONS
> -
> -=over 4
> -
> -=item B<-h>, B<--help>
> -
> -Display help message
> -
> -=item B<-c URI>, B<--connect URI>
> -
> -The connection URI for the hypervisor (currently only LXC URIs are
> -supported).
> -
> -=back
> -
> -=head1 EXAMPLE
> -
> -Connect to the in httpd1 container console
> -
> - # virt-sandbox-service connect httpd1
> - #
> -
> -=head1 SEE ALSO
> -
> -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox-service(1)>
> -
> -=head1 AUTHORS
> -
> -Daniel Walsh <dwalsh@xxxxxxxxxx>
> -Daniel P. Berrange <dan@xxxxxxxxxxxx>
> -
> -=head1 COPYRIGHT
> -
> -Copyright (C) 2011-2013 Red Hat, Inc.
> -
> -=head1 LICENSE
> -
> -virt-sandbox is distributed under the terms of the GNU LGPL v2+.
> -This is free software; see the source for copying conditions.
> -There is NO warranty; not even for MERCHANTABILITY or FITNESS
> -FOR A PARTICULAR PURPOSE
> diff --git a/bin/virt-sandbox-service-create.pod b/bin/virt-sandbox-service-create.pod
> deleted file mode 100644
> index d2f5fdb..0000000
> --- a/bin/virt-sandbox-service-create.pod
> +++ /dev/null
> @@ -1,264 +0,0 @@
> -=head1 NAME
> -
> -virt-sandbox-service create - Create a Security container
> -
> -=head1 SYNOPSIS
> -
> -  virt-sandbox-service [-c URI] create [-h] [-C] [-f FILE_TYPE]
> -                                   [--homedir HOMEDIR] [-G GID] [-i IMAGESIZE]
> -                                   [[-m TYPE:DST=SRC ] ...]
> -                                   [-N NETWORK] [-p PATH] [-s SECURITY]
> -                                   [[-u UNITFILES] ...] [--username USERNAME]
> -                                   [-U UID] [[-P package] ... ]
> -                                   NAME -- COMMAND [ARG1 [ARG2...]]
> -
> -=head1 DESCRIPTION
> -
> -virt-sandbox-service is used to manage secure sandboxed system services.
> -These applications will be launched via libvirt and run within a virtualization
> -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The
> -container / virtual machines will be secured by SELinux and resource
> -separated using cgroups.
> -
> -The create command can setup a sandbox for running one or more systemd unit files.
> -It can also setup a sandbox for running a command in an GenericContainer.
> -Specify a unit file to create the SystemdContainer and the command to create an
> -GenericContainer.
> -
> -=head1 OPTIONS
> -
> -=over 4
> -
> -=item B<-h>, B<--help>
> -
> -Display help message
> -
> -=item B<-c URI>, B<--connect URI>
> -
> -The connection URI for the hypervisor (currently only LXC URIs are
> -supported).
> -
> -=item B<-u UNIT_FILE>, B<--unitfile UNIT_FILE>
> -
> -Name of the systemd unit file to be to run within the Systemd Container.
> -Can be repeated if multiple unit files are required within the sandbox.
> -Cannot be specified if you are using a COMMAND. If the unit file end
> -with @, this will be considered as a template, and a instantiated
> -systemd unit will be created, using the name of the container as a
> -instance identifier.
> -
> -=item B<-C>, B<--copy>
> -
> -Copy content from /etc and /var directories that will be mounted within the container.
> -
> -=item B<-G GID>, B<--gid GID>
> -
> -Set login gid to use within the container.
> -
> -Default: C<Login GID of UID>.
> -
> -=item B<-f FILETYPE>, B<--filetype FILETYPE>
> -
> -Set SELinux file type to use within container.
> -
> -Default: C<svirt_lxc_file_t>.
> -
> -=item B<-p PATH>, B<--path PATH>
> -
> -Set path to store container content. NB if this argument is used when creating
> -a container, the exact same argument must also be used when later cloning or
> -deleting the container.
> -
> -Default: C</var/lib/libvirt/filesystems>.
> -
> -=item B<--homedir HOMEDIR>
> -
> -Set homedir path to use within container.
> -
> -Default: C<UID's Homedir>.
> -
> -=item B<-m TYPE:DST=SRC>, B<--mount TYPE:DST=SRC>
> -
> -Sets up a mount inside the sandbox at B<DST> backed by B<SRC>. The
> -meaning of B<SRC> depends on the value of C<TYPE> specified:
> -
> -=over 4
> -
> -=item B<host-bind>
> -
> -If B<TYPE> is B<host-bind>, then B<SRC> is interpreted as the path
> -to a directory on the host filesystem. If C<SRC> is the empty string,
> -then a temporary (empty) directory is created on the host before
> -starting the sandbox and deleted afterwards. The C<--include> option
> -is useful for populating these temporary directories with copies of host
> -files.
> -
> -=item B<host-image>
> -
> -If B<TYPE> is B<host-image>, then B<SRC> is interpreted as the path
> -to a disk image file on the host filesystem. The image should be
> -formatted with a filesystem that can be auto-detected by the sandbox,
> -such as B<ext3>, B<ext4>, etc. The disk image itself should be a raw
> -file, not qcow2 or any other special format
> -
> -=item B<guest-bind>
> -
> -If B<TYPE> is B<guest-bind>, then B<SRC> is interpreted as the path
> -to another directory in the container filesystem.
> -
> -=item B<ram>
> -
> -If B<TYPE> is B<ram>, then B<SRC> is interpreted as specifying the
> -size of the RAM disk in bytes. The suffix B<K>, B<KiB>, B<M>,
> -B<MiB>, B<G>, B<GiB> can used to alter the units from bytes to a
> -coarser level.
> -
> -=back
> -
> -Some examples
> -
> - -m host-bind:/tmp=/var/lib/sandbox/demo/tmp
> - -m host-image:/=/var/lib/sandbox/demo.img
> - -m guest-bind:/home=/tmp/home
> - -m ram:/tmp=500M
> -
> -=item B<-N NETWORK-OPTIONS>, B<--network NETWORK-OPTIONS>
> -
> -Add a network interface to the sandbox. By default the sandbox will
> -only have a loopback interface. This option allows for connectivity
> -to the LAN in some manner. NETWORK-OPTIONS is a set of
> -key=val pairs, separated by commas. The following options are valid
> -
> -=over 4
> -
> -=item dhcp
> -
> -Configure the network interface using dhcp. This key takes no value.
> -No other keys may be specified. eg
> -
> -  -N dhcp,source=default
> -  --network dhcp,source=lan
> -
> -where 'source' is the name of any libvirt virtual network.
> -
> -=item source=NETWORK
> -
> -Set the name of the network to connect the interface to. C<NETWORK>
> -is the name of any libvirt virtual network. See also B<virsh net-list>
> -
> -=item mac=NN:NN:NN:NN:NN:NN
> -
> -Set the MAC address of the network interface, where each NN is a pair
> -of hex digits.
> -
> -=item address=IP-ADDRESS/PREFIX%BROADCAST
> -
> -Configure the network interface with the static IPv4 or IPv6 address
> -B<IP-ADDRESS>. The B<PREFIX> value is the length of the network
> -prefix in B<IP-ADDRESS>. The optional B<BROADCAST> parameter
> -specifies the broadcast address. Some examples
> -
> -  address=192.168.122.1/24
> -  address=192.168.122.1/24%192.168.122.255
> -  address=2001:212::204:2/64
> -
> -=item route=IP-NETWORK/PREFIX%GATEWAY
> -
> -Configure the network interface with the static IPv4 or IPv6 route
> -B<IP-NETWORK>. The B<PREFIX> value is the length of the network
> -prefix in B<IP-NETWORK>. The B<GATEWAY> parameter specifies the
> -address of the gateway for the route. Some examples
> -
> -  route=192.168.122.255/24%192.168.1.1
> -
> -=back
> -
> -=item B<-s SECURITY-OPTIONS>, B<--security=SECURITY-OPTIONS>
> -
> -Use alternative security options. SECURITY-OPTIONS is a set of key=val pairs,
> -separated by commas. The following options are valid for SELinux
> -
> -=over 4
> -
> -=item dynamic
> -
> -Dynamically allocate an SELinux label, using the default base context.
> -The default base context is system_u:system_r:svirt_lxc_net_t:s0 for LXC,
> -system_u:system_r:svirt_t:s0 for KVM, system_u:system_r:svirt_tcg_t:s0
> -for QEMU.
> -
> -=item dynamic,label=USER:ROLE:TYPE:LEVEL
> -
> -Dynamically allocate an SELinux label, using the base context
> -USER:ROLE:TYPE:LEVEL, instead of the default base context.
> -
> -=item static,label=USER:ROLE:TYPE:LEVEL
> -
> -To set a completely static label. For example,
> -static,label=system_u:system_r:svirt_t:s0:c412,c355
> -
> -=back
> -
> -=item B<-i SIZE>, B<--image SIZE>
> -
> -Create file system image file of this size to store container content.
> -
> -=item B<-P PACKAGE>, B<--package PACKAGE>
> -
> -Package(s) to be used within the container.
> -
> -=item B<-U UID>, B<--uid UID>
> -
> -Set uid to use within container.
> -
> -Default: C<CURRENT UID>.
> -
> -=item B<--username USERNAME>
> -
> -Set username to use within container.
> -
> -Default: C<UID's Username>.
> -
> -=back
> -
> -=head1 EXAMPLE
> -
> -Create httpd1 Systemd container
> -
> - # virt-sandbox-service create -C -u httpd.service httpd1
> - Created container dir /var/lib/libvirt/filesystems/httpd1
> - Created sandbox config /etc/libvirt-sandbox/services/httpd1/config/sandbox.cfg
> - Created unit file /etc/systemd/system/httpd@httpd1.service
> -
> -Create foobar1 Generic container
> -
> - # virt-sandbox-service create -U 1234 foobar1 -- /usr/bin/foobar -a -b
> - Created container dir /var/lib/libvirt/filesystems/foobar1
> - Created sandbox config /etc/libvirt-sandbox/services/foobar1/config/sandbox.cfg
> -
> -=head1 SEE ALSO
> -
> -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox-service(1)>
> -
> -=head1 FILES
> -
> -Container content will be stored in subdirectories of
> -C</var/lib/libvirt/filesystems>, by default.  You can manage the
> -content in these directories outside of the container and
> -processes within the container will see the content.
> -
> -=head1 AUTHORS
> -
> -Daniel Walsh <dwalsh@xxxxxxxxxx>
> -Daniel P. Berrange <dan@xxxxxxxxxxxx>
> -
> -=head1 COPYRIGHT
> -
> -Copyright (C) 2011-2013 Red Hat, Inc.
> -
> -=head1 LICENSE
> -
> -virt-sandbox is distributed under the terms of the GNU LGPL v2+.
> -This is free software; see the source for copying conditions.
> -There is NO warranty; not even for MERCHANTABILITY or FITNESS
> -FOR A PARTICULAR PURPOSE
> diff --git a/bin/virt-sandbox-service-delete.pod b/bin/virt-sandbox-service-delete.pod
> deleted file mode 100644
> index 3b17b97..0000000
> --- a/bin/virt-sandbox-service-delete.pod
> +++ /dev/null
> @@ -1,65 +0,0 @@
> -=head1 NAME
> -
> -virt-sandbox-service delete - Delete a security container
> -
> -=head1 SYNOPSIS
> -
> -  virt-sandbox-service [-c URI] delete [-h] [-p PATH] NAME
> -
> -=head1 DESCRIPTION
> -
> -virt-sandbox-service is used to manage secure sandboxed system services.
> -These applications will be launched via libvirt and run within a virtualization
> -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The
> -container / virtual machines will be secured by SELinux and resource
> -separated using cgroups.
> -
> -The delete command will delete a sandbox container.
> -
> -=head1 OPTIONS
> -
> -=over 4
> -
> -=item B<-h>, B<--help>
> -
> -Display help message
> -
> -=item B<-c URI>, B<--connect URI>
> -
> -The connection URI for the hypervisor (currently only LXC URIs are
> -supported).
> -
> -=item B<-p PATH>, B<--path PATH>
> -
> -Set path to delete container content from. This argument must match the value of
> -the C<-p> arg given when creating the original source container.
> -
> -Default: C</var/lib/libvirt/filesystems>.
> -
> -=back
> -
> -=head1 EXAMPLE
> -
> -Delete the httpd1 container
> -
> - # virt-sandbox-service delete httpd1
> -
> -=head1 SEE ALSO
> -
> -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox-service(1)>
> -
> -=head1 AUTHORS
> -
> -Daniel Walsh <dwalsh@xxxxxxxxxx>
> -Daniel P. Berrange <dan@xxxxxxxxxxxx>
> -
> -=head1 COPYRIGHT
> -
> -Copyright (C) 2011-2013 Red Hat, Inc.
> -
> -=head1 LICENSE
> -
> -virt-sandbox is distributed under the terms of the GNU LGPL v2+.
> -This is free software; see the source for copying conditions.
> -There is NO warranty; not even for MERCHANTABILITY or FITNESS
> -FOR A PARTICULAR PURPOSE
> diff --git a/bin/virt-sandbox-service-execute.pod b/bin/virt-sandbox-service-execute.pod
> deleted file mode 100644
> index 62771eb..0000000
> --- a/bin/virt-sandbox-service-execute.pod
> +++ /dev/null
> @@ -1,71 +0,0 @@
> -=head1 NAME
> -
> -virt-sandbox-service execute - execute commands inside Secure container
> -
> -=head1 SYNOPSIS
> -
> -Execute a command within a security container
> -
> -  virt-sandbox-service [-c URI] execute [-h] [-N] NAME -- COMMAND [ARG1 [ARG2...]]
> -
> -=head1 DESCRIPTION
> -
> -virt-sandbox-service is used to manage secure sandboxed system services.
> -These applications will be launched via libvirt and run within a virtualization
> -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The
> -container / virtual machines will be secured by SELinux and resource
> -separated using cgroups.
> -
> -The execute subcommand is used to execute commands within an already running container.
> -
> -=head1 OPTIONS
> -
> -=over 4
> -
> -=item B<-h>, B<--help>
> -
> -Display help message
> -
> -=item B<-c> URI, B<--connect URI>
> -
> -The connection URI for the hypervisor (currently only LXC URIs are
> -supported).
> -
> -=item B<-N>, B<--noseclabel>
> -
> -Execute command within the container.
> -
> -=back
> -
> -=head1 EXAMPLE
> -
> -Execute /bin/sh in httpd1 container
> -
> - # virt-sandbox-service execute httpd1 -- /bin/sh
> -
> -=head1 SEE ALSO
> -
> -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox-service(1)>
> -
> -=head1 FILES
> -
> -Container content will be stored in subdirectories of
> -/var/lib/libvirt/filesystems, by default.  You can manage the
> -content in these directories outside of the container and
> -processes within the container will see the content.
> -
> -=head1 AUTHORS
> -
> -Daniel Walsh <dwalsh@xxxxxxxxxx>
> -Daniel P. Berrange <dan@xxxxxxxxxxxx>
> -
> -=head1 COPYRIGHT
> -
> -Copyright (C) 2011-2013 Red Hat, Inc.
> -
> -=head1 LICENSE
> -
> -virt-sandbox is distributed under the terms of the GNU LGPL v2+.
> -This is free software; see the source for copying conditions.
> -There is NO warranty; not even for MERCHANTABILITY or FITNESS
> -FOR A PARTICULAR PURPOSE
> diff --git a/bin/virt-sandbox-service-reload.pod b/bin/virt-sandbox-service-reload.pod
> deleted file mode 100644
> index fe6fbcc..0000000
> --- a/bin/virt-sandbox-service-reload.pod
> +++ /dev/null
> @@ -1,63 +0,0 @@
> -=head1 NAME
> -
> -virt-sandbox-service reload - Reload a security container
> -
> -=head1 SYNOPSIS
> -
> -  virt-sandbox-service [-c URI] reload [-h] -u UNIT_FILE NAME
> -
> -=head1 DESCRIPTION
> -
> -virt-sandbox-service is used to manage secure sandboxed system services.
> -These applications will be launched via libvirt and run within a virtualization
> -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The
> -container / virtual machines will be secured by SELinux and resource
> -separated using cgroups.
> -
> -The reload command will reload a sandbox container.  This is used when software is updated outside of a container and
> processes within the container need to reload or restart.  For example, if you update your httpd software, and you had
> a running container that was using the httpd service, systemd would send the reload to the container.
> -
> -=head1 OPTIONS
> -
> -=over 4
> -
> -=item B<-h>, B<--help>
> -
> -Display help message
> -
> -=item B<-c URI>, B<--connect URI>
> -
> -The connection URI for the hypervisor (currently only LXC URIs are
> -supported).
> -
> -=item B<-u UNIT_FILE>, B<--unitfile UNIT_FILE>
> -
> -Name of the systemd unit file to reload within the container. Can be repeated
> -if multiple unit files need to be reloaded within the sandbox.
> -
> -=back
> -
> -=head1 EXAMPLE
> -
> -Reload the httpd1 container
> -
> - # virt-sandbox-service reload -u httpd.service httpd1
> -
> -=head1 SEE ALSO
> -
> -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox-service(1)>
> -
> -=head1 AUTHORS
> -
> -Daniel Walsh <dwalsh@xxxxxxxxxx>
> -Daniel P. Berrange <dan@xxxxxxxxxxxx>
> -
> -=head1 COPYRIGHT
> -
> -Copyright (C) 2011-2013 Red Hat, Inc.
> -
> -=head1 LICENSE
> -
> -virt-sandbox is distributed under the terms of the GNU LGPL v2+.
> -This is free software; see the source for copying conditions.
> -There is NO warranty; not even for MERCHANTABILITY or FITNESS
> -FOR A PARTICULAR PURPOSE
> diff --git a/bin/virt-sandbox-service-upgrade.pod b/bin/virt-sandbox-service-upgrade.pod
> deleted file mode 100644
> index 76eb428..0000000
> --- a/bin/virt-sandbox-service-upgrade.pod
> +++ /dev/null
> @@ -1,74 +0,0 @@
> -=head1 NAME
> -
> -virt-sandbox-service upgrade - upgrade an existing Secure container
> -
> -=head1 SYNOPSIS
> -
> -Upgrade a Security container
> -
> -  virt-sandbox-service [-c URI] upgrade NAME
> -
> -=head1 DESCRIPTION
> -
> -virt-sandbox-service is used to manage secure sandboxed system services.
> -These applications will be launched via libvirt and run within a virtualization
> -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The
> -container / virtual machines will be secured by SELinux and resource
> -separated using cgroups.
> -
> -The upgrade command will update the config files for NAME to be compatible
> -with the currently installed software version. NB this works in an upgrade
> -direction only, it is not possible to install older versions of the software
> -and use this command to downgrade the configs.
> -
> -If you have editted the main sandbox configuration file manually, this
> -command can also be used to update the libvirt guest configuration to
> -match it.
> -
> -=head1 OPTIONS
> -
> -=over 4
> -
> -=item B<-h>, B<--help>
> -
> -Display help message
> -
> -=item B<-c URI>, B<--connect URI>
> -
> -The connection URI for the hypervisor (currently only LXC URIs are
> -supported).
> -
> -=back
> -
> -=head1 EXAMPLE
> -
> -Execute /bin/sh in httpd1 container
> -
> - # virt-sandbox-service upgrade httpd
> -
> -=head1 SEE ALSO
> -
> -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox-service(1)>
> -
> -=head1 FILES
> -
> -Container content will be stored in subdirectories of
> -/var/lib/libvirt/filesystems, by default.  You can manage the
> -content in these directories outside of the container and
> -processes within the container will see the content.
> -
> -=head1 AUTHORS
> -
> -Daniel Walsh <dwalsh@xxxxxxxxxx>
> -Daniel P. Berrange <dan@xxxxxxxxxxxx>
> -
> -=head1 COPYRIGHT
> -
> -Copyright (C) 2011-2013 Red Hat, Inc.
> -
> -=head1 LICENSE
> -
> -virt-sandbox is distributed under the terms of the GNU LGPL v2+.
> -This is free software; see the source for copying conditions.
> -There is NO warranty; not even for MERCHANTABILITY or FITNESS
> -FOR A PARTICULAR PURPOSE
> diff --git a/bin/virt-sandbox-service-util.c b/bin/virt-sandbox-service-util.c
> deleted file mode 100644
> index a0e090d..0000000
> --- a/bin/virt-sandbox-service-util.c
> +++ /dev/null
> @@ -1,305 +0,0 @@
> -/*
> - * virt-sandbox-service-util.c: libvirt sandbox service util command
> - *
> - * Copyright (C) 2012-2013 Red Hat, Inc.
> - *
> - * This library is free software; you can redistribute it and/or
> - * modify it under the terms of the GNU Lesser General Public
> - * License as published by the Free Software Foundation; either
> - * version 2.1 of the License, or (at your option) any later version.
> - *
> - * This library is distributed in the hope that it will be useful,
> - * but WITHOUT ANY WARRANTY; without even the implied warranty of
> - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
> - * Lesser General Public License for more details.
> - *
> - * You should have received a copy of the GNU Lesser General Public
> - * License along with this library; if not, write to the Free Software
> - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
> - *
> - * Author: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> - * Author: Daniel P. Berrange <berrange@xxxxxxxxxx>
> - */
> -
> -#include <config.h>
> -
> -#include <libvirt-sandbox/libvirt-sandbox.h>
> -#include <glib/gi18n.h>
> -
> -#define STREQ(x,y) (strcmp(x,y) == 0)
> -
> -static gboolean do_close(GVirSandboxConsole *con G_GNUC_UNUSED,
> -                         gboolean error G_GNUC_UNUSED,
> -                         gpointer opaque)
> -{
> -    GMainLoop *loop = opaque;
> -    g_main_loop_quit(loop);
> -    return FALSE;
> -}
> -
> -
> -static void libvirt_sandbox_version(void)
> -{
> -    g_print(_("%s version %s\n"), PACKAGE, VERSION);
> -    exit(EXIT_SUCCESS);
> -}
> -
> -
> -static GVirSandboxContext *libvirt_sandbox_get_context(const char *uri,
> -                                                       const char *name)
> -{
> -    GVirSandboxConfig *config = NULL;
> -    GVirSandboxContextService *ctx = NULL;
> -    GError *err = NULL;
> -    GVirConnection *conn = NULL;
> -    gchar *configfile = NULL;
> -
> -    configfile = g_strdup_printf("/etc/libvirt-sandbox/services/%s/config/sandbox.cfg", name);
> -
> -    if (uri)
> -        conn = gvir_connection_new(uri);
> -    else
> -        conn = gvir_connection_new("lxc:///");
> -
> -    if (!gvir_connection_open(conn, NULL, &err)) {
> -        g_printerr(_("Unable to open connection: %s\n"),
> -                   err && err->message ? err->message : _("unknown"));
> -        goto cleanup;
> -    }
> -
> -    if (!(config = gvir_sandbox_config_load_from_path(configfile, &err))) {
> -        g_printerr(_("Unable to read config file %s: %s\n"), configfile,
> -                   err && err->message ? err->message : _("unknown"));
> -        goto cleanup;
> -    }
> -
> -    if (!(ctx = gvir_sandbox_context_service_new(conn, GVIR_SANDBOX_CONFIG_SERVICE(config)))) {
> -        g_printerr(_("Unable to create new context service: %s\n"),
> -                   err && err->message ? err->message : _("unknown"));
> -        goto cleanup;
> -    }
> -
> -cleanup:
> -    g_free(configfile);
> -    if (conn)
> -        g_object_unref(conn);
> -    if (config)
> -        g_object_unref(config);
> -
> -    return ctx ? GVIR_SANDBOX_CONTEXT(ctx) : NULL;
> -}
> -
> -static int container_start(const char *uri, const char *name, GMainLoop *loop)
> -{
> -    int ret = EXIT_FAILURE;
> -    GError *err = NULL;
> -    GVirSandboxConsole *con = NULL;
> -    GVirSandboxContext *ctx = NULL;
> -
> -    if (!(ctx = libvirt_sandbox_get_context(uri, name)))
> -        goto cleanup;
> -
> -    if (!(gvir_sandbox_context_start(ctx, &err))) {
> -        g_printerr(_("Unable to start container: %s\n"),
> -                   err && err->message ? err->message : _("unknown"));
> -        goto cleanup;
> -    }
> -
> -    if (!(con = gvir_sandbox_context_get_log_console(ctx, &err)))  {
> -        g_printerr(_("Unable to get log console for container: %s\n"),
> -                   err && err->message ? err->message : _("unknown"));
> -        goto cleanup;
> -    }
> -
> -    gvir_sandbox_console_set_direct(con, TRUE);
> -
> -    g_signal_connect(con, "closed", (GCallback)do_close, loop);
> -
> -    if (gvir_sandbox_console_attach_stderr(con, &err) < 0) {
> -        g_printerr(_("Unable to attach console to stderr in the container: %s\n"),
> -                   err && err->message ? err->message : _("unknown"));
> -        goto cleanup;
> -    }
> -
> -    /* Stop holding open libvirt connection */
> -    if (gvir_sandbox_console_isolate(con, &err) < 0) {
> -        g_printerr(_("Unable to disconnect console from libvirt: %s\n"),
> -                   err && err->message ? err->message : _("unknown"));
> -        goto cleanup;
> -    }
> -
> -    gvir_sandbox_context_detach(ctx, NULL);
> -    g_object_unref(ctx);
> -    ctx = NULL;
> -
> -    g_main_loop_run(loop);
> -
> -    ret = EXIT_SUCCESS;
> -
> -cleanup:
> -    if (ctx)
> -        g_object_unref(ctx);
> -    if (con)
> -        g_object_unref(con);
> -    return ret;
> -}
> -
> -static int container_attach(const char *uri, const char *name, GMainLoop *loop)
> -{
> -    int ret = EXIT_FAILURE;
> -    GError *err = NULL;
> -    GVirSandboxConsole *con = NULL;
> -    GVirSandboxContext *ctx = NULL;
> -
> -    if (!(ctx = libvirt_sandbox_get_context(uri, name)))
> -        goto cleanup;
> -
> -    if (!(gvir_sandbox_context_attach(ctx, &err))) {
> -        g_printerr(_("Unable to attach to container: %s\n"),
> -                   err && err->message ? err->message : _("unknown"));
> -        goto cleanup;
> -    }
> -
> -    if (!(con = gvir_sandbox_context_get_shell_console(ctx, &err)))  {
> -        g_printerr(_("Unable to get shell console for container: %s\n"),
> -                   err && err->message ? err->message : _("unknown"));
> -        goto cleanup;
> -    }
> -
> -    gvir_sandbox_console_set_direct(con, TRUE);
> -
> -    g_signal_connect(con, "closed", (GCallback)do_close, loop);
> -
> -    if (!(gvir_sandbox_console_attach_stdio(con, &err))) {
> -        g_printerr(_("Unable to attach to container: %s\n"),
> -                   err && err->message ? err->message : _("unknown"));
> -        goto cleanup;
> -    }
> -
> -    /* Stop holding open libvirt connection */
> -    if (gvir_sandbox_console_isolate(con, &err) < 0) {
> -        g_printerr(_("Unable to disconnect console from libvirt: %s\n"),
> -                   err && err->message ? err->message : _("unknown"));
> -        goto cleanup;
> -    }
> -
> -    gvir_sandbox_context_detach(ctx, NULL);
> -
> -    g_object_unref(ctx);
> -    ctx = NULL;
> -
> -    g_main_loop_run(loop);
> -
> -    ret = EXIT_SUCCESS;
> -
> -cleanup:
> -    if (ctx)
> -        g_object_unref(ctx);
> -    if (con)
> -        g_object_unref(con);
> -    return ret;
> -}
> -
> -
> -static int (*container_func)(const char *uri, const char *name, GMainLoop *loop) = NULL;
> -
> -static gboolean libvirt_lxc_start(const gchar *option_name,
> -                                  const gchar *value,
> -                                  const gpointer *data,
> -                                  const GError **error)
> -
> -{
> -    if (container_func) return FALSE;
> -    container_func = container_start;
> -    return TRUE;
> -}
> -
> -static gboolean libvirt_lxc_attach(const gchar *option_name,
> -                                   const gchar *value,
> -                                   const gpointer *data,
> -                                   const GError **error)
> -
> -{
> -    if (container_func) return FALSE;
> -    container_func = container_attach;
> -    return TRUE;
> -}
> -
> -int main(int argc, char **argv)
> -{
> -    GError *err = NULL;
> -    GMainLoop *loop = NULL;
> -    int ret = EXIT_FAILURE;
> -    pid_t pid = 0;
> -    gchar *uri = NULL;
> -
> -    gchar **cmdargs = NULL;
> -    GOptionContext *context;
> -    GOptionEntry options[] = {
> -        { "version", 'V', G_OPTION_FLAG_NO_ARG, G_OPTION_ARG_CALLBACK,
> -          libvirt_sandbox_version, N_("Display version information"), NULL },
> -        { "start", 's', G_OPTION_FLAG_NO_ARG, G_OPTION_ARG_CALLBACK,
> -          libvirt_lxc_start, N_("Start a container"), NULL },
> -        { "attach", 'a', G_OPTION_FLAG_NO_ARG, G_OPTION_ARG_CALLBACK,
> -          libvirt_lxc_attach, N_("Attach to a container"), NULL },
> -        { "pid", 'p', 0, G_OPTION_ARG_INT, &pid,
> -          N_("Pid of process in container to which the command will run"), "PID"},
> -        { "connect", 'c', 0, G_OPTION_ARG_STRING, &uri,
> -          N_("Connect to hypervisor Default:'lxc:///'"), "URI"},
> -        { G_OPTION_REMAINING, '\0', 0, G_OPTION_ARG_STRING_ARRAY, &cmdargs,
> -          NULL, "CONTAINER_NAME" },
> -        { NULL, 0, 0, G_OPTION_ARG_NONE, NULL, NULL, NULL }
> -    };
> -    const char *help_msg = N_("Run 'virt-sandbox-service-util --help' to see a full list of available command line
> options\n");
> -
> -    setlocale(LC_ALL, "");
> -    bindtextdomain(PACKAGE, LOCALEDIR);
> -    bind_textdomain_codeset(PACKAGE, "UTF-8");
> -    textdomain(PACKAGE);
> -
> -    if (!gvir_sandbox_init_check(&argc, &argv, &err))
> -        exit(EXIT_FAILURE);
> -
> -    context = g_option_context_new (_("- Libvirt Sandbox Service"));
> -    g_option_context_add_main_entries (context, options, NULL);
> -    g_option_context_parse (context, &argc, &argv, &err);
> -
> -    if (err) {
> -        g_printerr("%s\n%s\n",
> -                   err->message,
> -                   gettext(help_msg));
> -        goto cleanup;
> -    }
> -
> -    if ( container_func == NULL ) {
> -        g_printerr(_("Invalid command: You must specify --start or --attach\n%s"),
> -                   gettext(help_msg));
> -        goto cleanup;
> -    }
> -
> -    if (!cmdargs || !cmdargs[0] ) {
> -        g_printerr(_("Invalid command CONTAINER_NAME required: %s"),
> -                   gettext(help_msg));
> -        goto cleanup;
> -    }
> -
> -    g_option_context_free(context);
> -
> -    g_set_application_name(_("Libvirt Sandbox Service"));
> -
> -    loop = g_main_loop_new(g_main_context_default(), 1);
> -    ret = container_func(uri, cmdargs[0], loop);
> -    g_main_loop_unref(loop);
> -
> -cleanup:
> -    exit(ret);
> -}
> -
> -/*
> - * Local variables:
> - *  c-indent-level: 4
> - *  c-basic-offset: 4
> - *  indent-tabs-mode: nil
> - *  tab-width: 8
> - * End:
> - */
> diff --git a/bin/virt-sandbox-service.logrotate b/bin/virt-sandbox-service.logrotate
> deleted file mode 100644
> index 6bb7d68..0000000
> --- a/bin/virt-sandbox-service.logrotate
> +++ /dev/null
> @@ -1,9 +0,0 @@
> -#!/bin/sh
> -for name in `/usr/bin/virsh -c lxc:/// -q list | awk '{print $2}'`
> -do
> -    if test -d "/etc/libvirt-sandbox/services/$name"
> -    then
> -        /usr/bin/virt-sandbox-service -c lxc:/// execute $name -- /etc/cron.daily/logrotate
> -    fi
> -done
> -exit 0
> diff --git a/bin/virt-sandbox-service.pod b/bin/virt-sandbox-service.pod
> deleted file mode 100644
> index e6f0739..0000000
> --- a/bin/virt-sandbox-service.pod
> +++ /dev/null
> @@ -1,85 +0,0 @@
> -=head1 NAME
> -
> -virt-sandbox-service - Secure container tool
> -
> -=head1 SYNOPSIS
> -
> -  {create,clone,connect,delete,execute,reload,upgrade}
> -
> -  commands:
> -
> -    create              create a sandbox container
> -
> -    clone               Clone an existing sandbox container
> -
> -    connect             Connect to a sandbox container
> -
> -    delete              Delete a sandbox container
> -
> -    execute             Execute a command within a sandbox container
> -
> -    reload              Reload a running sandbox container
> -
> -    upgrade             Upgrade an existing sandbox container
> -
> -=head1 DESCRIPTION
> -
> -virt-sandbox-service is used to provision secure sandboxed system services.
> -These applications will be launched via libvirt and run within a virtualization
> -technology such as LinuX Containers (LXC), or optionally QEMU/KVM. The
> -container / virtual machines will be secured by SELinux and resource
> -separated using cgroups.
> -
> -By default, it will use the libvirt LXC driver, with the C<lxc:///> URI.
> -This is different from libvirt's normal behaviour, which is to probe
> -for the best URI to use. Thus if using C<virsh> to get a list of containers,
> -one must specify an explicit URI for it, C<virsh -c lxc:///>. Alternatively
> -the C<LIBVIRT_DEFAULT_URI> environment variable can be set, or the config
> -file C</etc/libvirt/libvirt.conf> can have a default URI set.
> -
> -=head1 OPTIONS
> -
> -=over 4
> -
> -=item B<-h>, B<--help>
> -
> -Display help message
> -
> -=item B<-c URI>, B<--connect URI>
> -
> -The connection URI for the hypervisor (currently only LXC URIs are
> -supported).
> -
> -=back
> -
> -=head1 SEE ALSO
> -
> -C<libvirt(8)>, C<selinux(8)>, C<systemd(8)>, C<virt-sandbox(1)>,
> -C<virt-sandbox-service-create(1)>, C<virt-sandbox-service-clone(1)>,
> -C<virt-sandbox-service-connect(1)>, C<virt-sandbox-service-delete(1)>,
> -C<virt-sandbox-service-execute(1)>, C<virt-sandbox-service-reload(1)>,
> -C<virt-sandbox-service-upgrade(1)>
> -
> -=head1 FILES
> -
> -Container content will be stored in subdirectories of
> -/var/lib/libvirt/filesystems, by default.  You can manage the
> -content in these directories outside of the container and
> -processes within the container will see the content.
> -
> -=head1 AUTHORS
> -
> -Daniel Walsh <dwalsh@xxxxxxxxxx>
> -
> -Daniel P. Berrange <dan@xxxxxxxxxxxx>
> -
> -=head1 COPYRIGHT
> -
> -Copyright (C) 2011-2013 Red Hat, Inc.
> -
> -=head1 LICENSE
> -
> -virt-sandbox is distributed under the terms of the GNU LGPL v2+.
> -This is free software; see the source for copying conditions.
> -There is NO warranty; not even for MERCHANTABILITY or FITNESS
> -FOR A PARTICULAR PURPOSE
> diff --git a/cfg.mk b/cfg.mk
> index 37e5050..39b54f6 100644
> --- a/cfg.mk
> +++ b/cfg.mk
> @@ -129,6 +129,6 @@ prev_version_file = /dev/null
>  
>  exclude_file_name_regexp--sc_libvirt_unmarked_diagnostics = ^libvirt-sandbox/tests
>  
> -exclude_file_name_regexp--sc_bindtextdomain = ^(libvirt-sandbox/tests)|(libvirt-sandbox/libvirt-sandbox-init-
> *)|(bin/virt-sandbox.c)|(bin/virt-sandbox-service-util.c)
> +exclude_file_name_regexp--sc_bindtextdomain = ^(libvirt-sandbox/tests)|(libvirt-sandbox/libvirt-sandbox-init-
> *)|(bin/virt-sandbox.c)
>  
>  exclude_file_name_regexp--sc_preprocessor_indentation = ^*/*.[ch]
> diff --git a/libvirt-sandbox.spec.in b/libvirt-sandbox.spec.in
> index f5868c1..125a361 100644
> --- a/libvirt-sandbox.spec.in
> +++ b/libvirt-sandbox.spec.in
> @@ -101,17 +101,10 @@ rm -rf $RPM_BUILD_ROOT
>  
>  %files
>  %defattr(-,root,root,-)
> -%{_datadir}/bash-completion/completions/virt-sandbox-service
> -%config(noreplace) %{_sysconfdir}/cron.daily/virt-sandbox-service.logrotate
> -%dir %{_sysconfdir}/libvirt-sandbox/services
>  %{_bindir}/virt-sandbox
> -%{_bindir}/virt-sandbox-service
>  %{_bindir}/virt-sandbox-image
> -%{_libexecdir}/virt-sandbox-service-util
>  %{python3_sitelib}/libvirt_sandbox
>  %{_mandir}/man1/virt-sandbox.1*
> -%{_mandir}/man1/virt-sandbox-service.1*
> -%{_mandir}/man1/virt-sandbox-service-*.1*
>  
>  %files libs -f %{name}.lang
>  %defattr(-,root,root,-)
> diff --git a/libvirt-sandbox/tests/containers_test.sh b/libvirt-sandbox/tests/containers_test.sh
> deleted file mode 100755
> index 9b2a716..0000000
> --- a/libvirt-sandbox/tests/containers_test.sh
> +++ /dev/null
> @@ -1,37 +0,0 @@
> -#!/bin/bash
> -#
> -# Simple script to setup hundreds of containers at the same time
> -#
> -# In order to create 100 containers execute
> -# containers_test.sh create apache 100
> -# Start
> -# containers_test.sh start apache 100
> -# Stop
> -# containers_test.sh stop apache 100
> -# Delete
> -# containers_test.sh delete apache 100
> -#
> -
> -create() {
> -    virt-sandbox-service create -C -l s0:c$2 -u httpd.service $1
> -}
> -
> -delete() {
> -    virt-sandbox-service delete $1
> -}
> -
> -start() {
> -    systemctl start httpd@$1.service
> -}
> -
> -stop() {
> -    systemctl stop httpd@$1.service
> -}
> -
> -command=$1
> -name=$2
> -repeat=$3
> -for i in $(seq 1 $repeat)
> -do
> -    eval $command $name$i $i
> -done
> diff --git a/po/POTFILES.in b/po/POTFILES.in
> index 724c49c..6c500b2 100644
> --- a/po/POTFILES.in
> +++ b/po/POTFILES.in
> @@ -1,5 +1,4 @@
>  bin/virt-sandbox.c
> -bin/virt-sandbox-service-util.c
>  libvirt-sandbox/libvirt-sandbox-builder-initrd.c
>  libvirt-sandbox/libvirt-sandbox-builder-machine.c
>  libvirt-sandbox/libvirt-sandbox-config.c

ACK, but would be good to also remove the 'bin/virt-sandbox-service-util'
entry in .gitignore.

--
Cedric

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux