Re: [libvirt PATCHv2 3/9] conf: add idmap element to filesystem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/13/23 15:47, Ján Tomko wrote:
> Allow the user to manually tweak the ID mapping that will allow
> virtiofsd to run unprivileged.
> 
> Signed-off-by: Ján Tomko <jtomko@xxxxxxxxxx>
> ---
>  docs/formatdomain.rst                         |  8 +++
>  src/conf/domain_conf.c                        | 50 +++++++++++++++++++
>  src/conf/domain_conf.h                        |  1 +
>  src/conf/schemas/domaincommon.rng             |  3 ++
>  .../vhost-user-fs-fd-memory.xml               |  4 ++
>  5 files changed, 66 insertions(+)
> 
> diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst
> index 310d2bc427..96e03a3807 100644
> --- a/docs/formatdomain.rst
> +++ b/docs/formatdomain.rst
> @@ -3548,6 +3548,10 @@ A directory on the host that can be accessed directly from the guest.
>           </binary>
>           <source dir='/path'/>
>           <target dir='mount_tag'/>
> +         <idmap>
> +             <uid start='0' target='100000' count='65535'/>
> +             <gid start='0' target='100000' count='65535'/>
> +         </idmap>
>       </filesystem>
>       <filesystem type='mount'>
>           <driver type='virtiofs' queue='1024'/>
> @@ -3697,6 +3701,10 @@ A directory on the host that can be accessed directly from the guest.
>     Where the ``source`` can be accessed in the guest. For most drivers this is
>     an automatic mount point, but for QEMU/KVM this is merely an arbitrary string
>     tag that is exported to the guest as a hint for where to mount.
> +``idmap``
> +   For ``virtiofs``, an ``idmap`` element can be specified to map IDs in the user
> +   namespace. See the `Container boot`_ section for the syntax of the element.
> +   :since:`Since 10.0.0`

Not a show stopper, but that section does not mention the uid/gid
elements can be repeated multiple times. Might be worth of a follow up
patch.

>  ``readonly``
>     Enables exporting filesystem as a readonly mount for guest, by default
>     read-write access is given (currently only works for QEMU/KVM driver; not
> diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
> index a70a1f29f2..58a985fc5d 100644
> --- a/src/conf/domain_conf.c
> +++ b/src/conf/domain_conf.c
> @@ -2588,6 +2588,8 @@ void virDomainFSDefFree(virDomainFSDef *def)
>      virObjectUnref(def->privateData);
>      g_free(def->binary);
>      g_free(def->sock);
> +    g_free(def->idmap.uidmap);
> +    g_free(def->idmap.gidmap);
>  
>      g_free(def);
>  }
> @@ -8771,6 +8773,9 @@ virDomainFSDefParseXML(virDomainXMLOption *xmlopt,
>          xmlNodePtr binary_lock_node = virXPathNode("./binary/lock", ctxt);
>          xmlNodePtr binary_cache_node = virXPathNode("./binary/cache", ctxt);
>          xmlNodePtr binary_sandbox_node = virXPathNode("./binary/sandbox", ctxt);
> +        ssize_t n;
> +        g_autofree xmlNodePtr *uid_nodes = NULL;
> +        g_autofree xmlNodePtr *gid_nodes = NULL;
>  
>          if (queue_size && virStrToLong_ull(queue_size, NULL, 10, &def->queue_size) < 0) {
>              virReportError(VIR_ERR_XML_ERROR,
> @@ -8816,6 +8821,28 @@ virDomainFSDefParseXML(virDomainXMLOption *xmlopt,
>                             VIR_XML_PROP_NONZERO,
>                             &def->sandbox) < 0)
>              goto error;
> +
> +        if ((n = virXPathNodeSet("./idmap/uid", ctxt, &uid_nodes)) < 0)
> +            return NULL;
> +
> +        if (n) {
> +            def->idmap.uidmap = virDomainIdmapDefParseXML(ctxt, uid_nodes, n);
> +            if (!def->idmap.uidmap)
> +                return NULL;
> +
> +            def->idmap.nuidmap = n;
> +        }
> +
> +        if ((n = virXPathNodeSet("./idmap/gid", ctxt, &gid_nodes)) < 0)
> +            return NULL;
> +
> +        if (n) {
> +            def->idmap.gidmap = virDomainIdmapDefParseXML(ctxt, gid_nodes, n);
> +            if (!def->idmap.gidmap)
> +                return NULL;
> +
> +            def->idmap.ngidmap = n;
> +        }

Another area for improvement: this pattern is repeated now 4 times.
virXPathNodeset() could be moved to virDomainIdmapDefParseXML. But
that's something for future.

>      }
>  
>      if (source == NULL && def->type != VIR_DOMAIN_FS_TYPE_RAM

Michal
_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux