On Fri, Aug 09, 2013 at 04:05:58PM +0800, Chen Hanxiao wrote: > From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> > > If we enable userns, the ownership of dir we provided for containers > should match the uid/gid in idmap. > Currently, the debug log is very implicit or misleading sometimes. > This patch will help clarify this for us when using > debug log or virsh. > > v2: syntax-check clean > > Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> > --- > src/lxc/lxc_container.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ > 1 files changed, 46 insertions(+), 0 deletions(-) > > diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c > index b910b10..2ccdc61 100644 > --- a/src/lxc/lxc_container.c > +++ b/src/lxc/lxc_container.c 
> @@ -1815,6 +1815,49 @@ lxcNeedNetworkNamespace(virDomainDefPtr def) > return false; > } > > +/* > + * Helper function for helping check > + * whether we have enough privilege > + * to operate the source dir when userns enabled > + * @vmDef: pointer to vm definition structure > + * Returns 0 on success or -1 in case of error > + */ > +static int > +lxcContainerUsernsSrcOwnershipCheck(virDomainDefPtr vmDef) > +{ > + struct stat buf; > + size_t i; > + uid_t uid; > + gid_t gid; > + > + VIR_DEBUG("vmDef->nfss %d", (int)vmDef->nfss); > + for (i = 0; i < vmDef->nfss; i++) { > + VIR_DEBUG("dst is %s, src is %s", > + vmDef->fss[i]->dst, > + vmDef->fss[i]->src); > + > + uid = vmDef->idmap.uidmap[0].target; > + gid = vmDef->idmap.gidmap[0].target; > + > + if (lstat(vmDef->fss[i]->src, &buf) < 0) { > + virReportSystemError(errno, _("Cannot access '%s'"), > + vmDef->fss[i]->src); > + return -1; > + } else if (uid != buf.st_uid || gid != buf.st_gid) { Comparing the uid/gid owner of a file is not an accurate check. For example, a file could have ACLs set which allow access even when the uid/gid do not match. I think we should focus on improving the error messages reported when we hit the actual problem rather than trying to pre-guess the problem and potentially get it wrong. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
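Review bot: lxcContainerUsernsSrcOwnershipCheck() reads vmDef->idmap.uidmap[0].target and vmDef->idmap.gidmap[0].target without first confirming that the uid and gid map arrays are non-empty, so a domain with userns enabled but an empty or mismatched map would dereference past the array; guard on the map counts (or require a mapping whose container-side range covers id 0) before using entry [0], and hoist the two assignments out of the for loop since they do not depend on i. Also, lstat() reports the ownership of a symlink itself rather than of the directory it points to, so for a src that is a symlink the comparison against buf.st_uid / buf.st_gid checks the wrong inode; if the intent is the ownership of what actually gets mounted, stat() is the call to use here. Finally, as the reply below notes, owner uid/gid equality is only a heuristic for accessibility (ACLs or group membership can grant access when the ids differ), so a mismatch should at most produce a VIR_DEBUG/VIR_WARN hint rather than a hard -1 return that blocks the domain from starting.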