Hi Any comments? Thanks > -----Original Message----- > From: libvir-list-bounces@xxxxxxxxxx [mailto:libvir-list-bounces@xxxxxxxxxx] > On Behalf Of Chen HanXiao > Sent: Wednesday, August 14, 2013 9:30 AM > To: 'Daniel P. Berrange' > Cc: libvir-list@xxxxxxxxxx > Subject: Re: [PATCH v2]LXC: Helper function for checking ownership of > dir when userns enabled > > > > > -----Original Message----- > > From: Daniel P. Berrange [mailto:berrange@xxxxxxxxxx] > > Sent: Saturday, August 10, 2013 12:54 AM > > To: Chen Hanxiao > > Cc: libvir-list@xxxxxxxxxx > > Subject: Re: [PATCH v2]LXC: Helper function for checking ownership of > > dir when userns enabled > > > > On Fri, Aug 09, 2013 at 04:05:58PM +0800, Chen Hanxiao wrote: > > > From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> > > > > > > If we enable userns, the ownership of dir we provided for containers > > > should match the uid/gid in idmap. > > > Currently, the debug log is very implicit or misleading sometimes. > > > This patch will help clarify this for us when using > > > debug log or virsh. > > > > I do recall hitting some permission issue once, but can't remember > > just what it was. Can you describe exactly how to reproduce the > > problem ? > > > > 1) Enable user namespace in kernel > 2) Add idmap for container > 3) Don't change the ownership of devices/ filesystem/ source dir ( leave > them to 'root' for instance) > 4) Start the container > > Usually I got an input/output error by virsh, which is not a good hint. > > > > > Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> > > > --- > > > src/lxc/lxc_container.c | 46 > > ++++++++++++++++++++++++++++++++++++++++++++++ > > > 1 files changed, 46 insertions(+), 0 deletions(-) > > > > > > diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c > > > index b910b10..2ccdc61 100644 > > > --- a/src/lxc/lxc_container.c > > > +++ b/src/lxc/lxc_container.c 
> > > @@ -1815,6 +1815,49 @@ lxcNeedNetworkNamespace(virDomainDefPtr > > def) > > > return false; > > > } > > > > > > +/* > > > + * Helper function for helping check > > > + * whether we have enough privilege > > > + * to operate the source dir when userns enabled > > > + * @vmDef: pointer to vm definition structure > > > + * Returns 0 on success or -1 in case of error > > > + */ > > > +static int > > > +lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef) > > > +{ > > > + struct stat buf; > > > + size_t i; > > > + uid_t uid; > > > + gid_t gid; > > > + > > > + VIR_DEBUG("vmDef->nfss %d", (int)vmDef->nfss); > > > + for (i = 0; i < vmDef->nfss; i++) { > > > + VIR_DEBUG("dst is %s, src is %s", > > > + vmDef->fss[i]->dst, > > > + vmDef->fss[i]->src); > > > + > > > + uid = vmDef->idmap.uidmap[0].target; > > > + gid = vmDef->idmap.gidmap[0].target; > > > + > > > + if (lstat(vmDef->fss[i]->src, &buf) < 0) { > > > + virReportSystemError(errno, _("Cannot access '%s'"), > > > + vmDef->fss[i]->src); > > > + return -1; > > > + } else if (uid != buf.st_uid || gid != buf.st_gid) { > > > + VIR_DEBUG("In userns uid is %d, gid is %d\n", > > > + uid, gid); > > > + errno = EINVAL; > > > + > > > + virReportSystemError(errno, > > > + _("[userns] Src dir '%s' does not > > belong to uid/gid: %d/%d"), > > > + vmDef->fss[i]->src, uid, gid); > > > + return -1; > > > + } > > > + } > > > + > > > + return 0; > > > +} > > > + > > > /** > > > * lxcContainerStart: > > > * @def: pointer to virtual machine structure 
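Review bot: in lxcContainerUsernsSrcOwnershipCheck, `vmDef->idmap.uidmap[0].target` and `vmDef->idmap.gidmap[0].target` are read without any check that the uid and gid maps are non-empty; if this helper can ever be reached with an unset map, that is an out-of-bounds read, so either guard on the map counts before indexing or state the precondition in the function comment. The two assignments are also loop-invariant and belong before the `for`. Comparing `st_uid`/`st_gid` for exact equality with the first map entry's target rejects a source owned by any other mapped id, and the error message then tells the user a wrong uid/gid; please confirm equality with entry 0 is the intended policy rather than membership in the mapped range. Since no syscall failed in the ownership branch, `errno = EINVAL; virReportSystemError(errno, ...)` is a roundabout way to report a configuration problem; a `virReportError` with a libvirt error code (or at least passing `EINVAL` directly) reads better. Minor: `VIR_DEBUG` supplies its own newline, so the trailing `\n` is unneeded, and `uid_t`/`gid_t` should be cast when printed with `%d`. Finally, the loop does not filter on filesystem type, so if any `fss[i]` entry can carry a NULL `src`, the `lstat()` call would dereference it.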
> > > @@ -1866,6 +1909,9 @@ int lxcContainerStart(virDomainDefPtr def, > > > if (userns_supported()) { > > > VIR_DEBUG("Enable user namespace"); > > > cflags |= CLONE_NEWUSER; > > > + if (lxcContainerUsernsSrcOwnershipCheck(def) < 0) { > > > + return -1; > > > + } > > > } else { > > > virReportSystemError(VIR_ERR_CONFIG_UNSUPPORTED, > > "%s", > > > _("Kernel doesn't support user > > namespace")); > > > > > > Daniel > > -- > > |: http://berrange.com -o- > > http://www.flickr.com/photos/dberrange/ :| > > |: http://libvirt.org -o- > > http://virt-manager.org :| > > |: http://autobuild.org -o- > > http://search.cpan.org/~danberr/ :| > > |: http://entangle-photo.org -o- > > http://live.gnome.org/gtk-vnc :| > > > > -- > libvir-list mailing list > libvir-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/libvir-list -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
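Review bot: libvirt style omits the braces around a single-line `if` body, so the new call should read `if (lxcContainerUsernsSrcOwnershipCheck(def) < 0) return -1;`. Placing the check here, in the parent before the clone, is the right spot, since the reported error reaches virsh instead of the I/O error the reporter describes.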
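The reproduction steps above (idmap configured, source directory still owned by root) describe a check an administrator can run before starting the container. The following shell script is an added example, not code from the libvirt patch or from anyone in this thread. It generalises the patch's test in one respect: instead of requiring the owner to equal the first map entry's target, it accepts any uid/gid inside the host range that a hypothetical idmap entry maps to (target, target+count). The directory path and the map values passed on the command line are assumptions; nothing here reads a libvirt domain definition.

```shell
#!/bin/sh
# Added example (not part of the libvirt patch or the mailing-list thread):
# pre-flight check that a filesystem source directory for a user-namespaced
# container is owned by a uid/gid inside the host range an idmap entry maps to.
# Arguments: DIR UID_TARGET UID_COUNT GID_TARGET GID_COUNT (all hypothetical).

# in_range VALUE START COUNT -> success if START <= VALUE < START + COUNT
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -lt $(( $2 + $3 ))  ]
}

# check_src_owner DIR UID_TARGET UID_COUNT GID_TARGET GID_COUNT
# Returns 0 when the directory's numeric owner and group both lie in the
# mapped host ranges, 1 (with a message on stderr) otherwise.
check_src_owner() {
    dir=$1; uid_target=$2; uid_count=$3; gid_target=$4; gid_count=$5

    if [ ! -e "$dir" ]; then
        echo "cannot access '$dir'" >&2
        return 1
    fi

    # POSIX 'ls -ldn' prints the numeric owner and group as fields 3 and 4;
    # -d keeps the listing to the directory itself, not its contents.
    set -- $(ls -ldn "$dir")
    owner_uid=$3
    owner_gid=$4

    if ! in_range "$owner_uid" "$uid_target" "$uid_count"; then
        echo "[userns] '$dir' is owned by uid $owner_uid, outside mapped range" \
             "$uid_target..$(( uid_target + uid_count - 1 ))" >&2
        return 1
    fi
    if ! in_range "$owner_gid" "$gid_target" "$gid_count"; then
        echo "[userns] '$dir' has gid $owner_gid, outside mapped range" \
             "$gid_target..$(( gid_target + gid_count - 1 ))" >&2
        return 1
    fi
    return 0
}

# Usage: sh check_src_owner.sh DIR UID_TARGET UID_COUNT GID_TARGET GID_COUNT
if [ "$#" -eq 5 ]; then
    check_src_owner "$@"
fi
```

Run it against each `<source dir=.../>` of the domain with the `target` and `count` of the corresponding `<uid>`/`<gid>` map entries; a non-zero exit with the printed range tells you exactly which directory still needs a `chown` before the container is started.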