From: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> This patch will enable configuring user namespace for LXC containers, etc. Signed-off-by: Chen Hanxiao <chenhanxiao@xxxxxxxxxxxxxx> --- man/virt-install.pod | 14 ++++++++ .../compare/virt-xml-edit-clear-clock.xml | 2 +- .../compare/virt-xml-edit-clear-cpu.xml | 2 +- .../compare/virt-xml-edit-simple-boot.xml | 4 +-- .../compare/virt-xml-edit-simple-cpu.xml | 2 +- .../compare/virt-xml-edit-simple-features.xml | 4 +-- .../compare/virt-xml-edit-simple-metadata.xml | 2 +- .../compare/virt-xml-edit-simple-vcpus.xml | 2 +- .../compare/virt-xml-remove-disk-path.xml | 2 +- tests/clitest.py | 1 + tests/testdriver.xml | 4 +++ tests/xmlparse-xml/change-guest-out.xml | 4 +++ tests/xmlparse.py | 8 +++++ virt-convert | 2 +- virt-install | 1 + virt-xml | 1 + virtinst/__init__.py | 1 + virtinst/cli.py | 25 +++++++++++++++ virtinst/guest.py | 6 ++-- virtinst/userns.py | 37 ++++++++++++++++++++++ 20 files changed, 111 insertions(+), 13 deletions(-) create mode 100644 virtinst/userns.py diff --git a/man/virt-install.pod b/man/virt-install.pod index ff08d72..46039ac 100644 --- a/man/virt-install.pod +++ b/man/virt-install.pod @@ -442,6 +442,20 @@ will default to /bin/sh. Use --boot=? to see a list of all available sub options. Complete details at L<http://libvirt.org/formatdomain.html#elementsOS> +=item --userns=USERNSOPTS + +If the guest configuration declares a UID or GID mapping, +the 'user' namespace will be enabled to apply these. +A suitably configured UID/GID mapping is a pre-requisite to +make containers secure, in the absence of sVirt confinement. + +--usens can be sepicified to enable user namespace for LXC containers + +Example: + --userns user_start=0,user_target=1000,user_count=10,grp_start=0,grp_target=1000,grp_count=10 + +Use -userns=? to see a list of all available sub options. Complete details at L<http://libvirt.org/formatdomain.html#elementsOSContainer> + =back 
diff --git a/tests/cli-test-xml/compare/virt-xml-edit-clear-clock.xml b/tests/cli-test-xml/compare/virt-xml-edit-clear-clock.xml index db893a7..c98e0c8 100644 --- a/tests/cli-test-xml/compare/virt-xml-edit-clear-clock.xml +++ b/tests/cli-test-xml/compare/virt-xml-edit-clear-clock.xml @@ -9,7 +9,7 @@ <on_poweroff>destroy</on_poweroff> <on_reboot>restart</on_reboot> <on_crash>restart</on_crash> -@@ -321,4 +316,5 @@ +@@ -325,4 +320,5 @@ <address type="isa" iobase="0x505"/> </panic> </devices> diff --git a/tests/cli-test-xml/compare/virt-xml-edit-clear-cpu.xml b/tests/cli-test-xml/compare/virt-xml-edit-clear-cpu.xml index da90fa1..5382971 100644 --- a/tests/cli-test-xml/compare/virt-xml-edit-clear-cpu.xml +++ b/tests/cli-test-xml/compare/virt-xml-edit-clear-cpu.xml @@ -21,7 +21,7 @@ <clock offset="utc"> <timer name="rtc" tickpolicy="catchup"/> <timer name="pit" tickpolicy="delay"/> -@@ -321,4 +304,5 @@ +@@ -325,4 +308,5 @@ <address type="isa" iobase="0x505"/> </panic> </devices> diff --git a/tests/cli-test-xml/compare/virt-xml-edit-simple-boot.xml b/tests/cli-test-xml/compare/virt-xml-edit-simple-boot.xml index 2e85c63..8194918 100644 --- a/tests/cli-test-xml/compare/virt-xml-edit-simple-boot.xml +++ b/tests/cli-test-xml/compare/virt-xml-edit-simple-boot.xml @@ -8,8 +8,8 @@ + <bios useserial="yes"/> + <init>/bin/bash</init> </os> - <features> - <acpi/> + <idmap> + <uid start="0" target="1000" count="10"/> Domain 'test-many-devices' defined successfully. Changes will take effect after the next domain shutdown. \ No newline at end of file diff --git a/tests/cli-test-xml/compare/virt-xml-edit-simple-cpu.xml b/tests/cli-test-xml/compare/virt-xml-edit-simple-cpu.xml index 8da55c2..6e6e6d1 100644 --- a/tests/cli-test-xml/compare/virt-xml-edit-simple-cpu.xml +++ b/tests/cli-test-xml/compare/virt-xml-edit-simple-cpu.xml 
@@ -9,7 +9,7 @@ <feature policy="require" name="tm2"/> <feature policy="require" name="est"/> <feature policy="require" name="ss"/> -@@ -50,6 +50,7 @@ +@@ -54,6 +54,7 @@ <feature policy="require" name="ds_cpl"/> <feature policy="require" name="xtpr"/> <feature policy="require" name="acpi"/> diff --git a/tests/cli-test-xml/compare/virt-xml-edit-simple-features.xml b/tests/cli-test-xml/compare/virt-xml-edit-simple-features.xml index 8d8b776..039dca2 100644 --- a/tests/cli-test-xml/compare/virt-xml-edit-simple-features.xml +++ b/tests/cli-test-xml/compare/virt-xml-edit-simple-features.xml @@ -1,5 +1,5 @@ - <boot dev="hd"/> - </os> + <gid start="0" target="1000" count="10"/> + </idmap> <features> - <acpi/> - <apic eoi="off"/> diff --git a/tests/cli-test-xml/compare/virt-xml-edit-simple-metadata.xml b/tests/cli-test-xml/compare/virt-xml-edit-simple-metadata.xml index 28817fc..25fc3c6 100644 --- a/tests/cli-test-xml/compare/virt-xml-edit-simple-metadata.xml +++ b/tests/cli-test-xml/compare/virt-xml-edit-simple-metadata.xml @@ -12,7 +12,7 @@ <memory unit="KiB">409600</memory> <currentMemory unit="KiB">204800</currentMemory> <blkiotune> -@@ -321,4 +321,5 @@ +@@ -325,4 +325,5 @@ <address type="isa" iobase="0x505"/> </panic> </devices> diff --git a/tests/cli-test-xml/compare/virt-xml-edit-simple-vcpus.xml b/tests/cli-test-xml/compare/virt-xml-edit-simple-vcpus.xml index c5af43c..26333d0 100644 --- a/tests/cli-test-xml/compare/virt-xml-edit-simple-vcpus.xml +++ b/tests/cli-test-xml/compare/virt-xml-edit-simple-vcpus.xml @@ -6,7 +6,7 @@ <numatune> <memory mode="interleave" placement="auto"/> </numatune> -@@ -50,6 +50,7 @@ +@@ -54,6 +54,7 @@ <feature policy="require" name="ds_cpl"/> <feature policy="require" name="xtpr"/> <feature policy="require" name="acpi"/> diff --git a/tests/cli-test-xml/compare/virt-xml-remove-disk-path.xml b/tests/cli-test-xml/compare/virt-xml-remove-disk-path.xml index 831e0dc..b0b0b95 100644 
--- a/tests/cli-test-xml/compare/virt-xml-remove-disk-path.xml +++ b/tests/cli-test-xml/compare/virt-xml-remove-disk-path.xml @@ -9,7 +9,7 @@ <disk type="dir" device="floppy"> <source dir="/tmp"/> <target dev="fdb" bus="fdc"/> -@@ -88,12 +83,6 @@ +@@ -92,12 +87,6 @@ <target dev="hdb" bus="ide"/> <readonly/> <address type="drive" controller="0" bus="0" target="0" unit="1"/> diff --git a/tests/clitest.py b/tests/clitest.py index 0d3cf50..7f575e4 100644 --- a/tests/clitest.py +++ b/tests/clitest.py @@ -460,6 +460,7 @@ c.add_valid("--cpu foobar,+x2apic,+x2apicagain,-distest,forbid=foo,forbid=bar,di c.add_valid("--numatune 1,2,3,5-7,^6") # Simple --numatune c.add_valid("--numatune 1-3,4,mode=strict") # More complex, parser should do the right thing here c.add_valid("--blkiotune weight=100,device_path=/home/test/1.img,device_weight=200") # --blkiotune +c.add_valid("--userns user_start=0,user_target=1000,user_count=10,grp_start=0,grp_target=1000,grp_count=10") # --userns c.add_compare("--connect %(DEFAULTURI)s --cpuset auto --vcpus 2", "cpuset-auto") # --cpuset=auto actually works c.add_invalid("--vcpus 32 --cpuset=969-1000") # Bogus cpuset c.add_invalid("--vcpus 32 --cpuset=autofoo") # Bogus cpuset diff --git a/tests/testdriver.xml b/tests/testdriver.xml index 762f0ae..8dec2b9 100644 --- a/tests/testdriver.xml +++ b/tests/testdriver.xml @@ -74,6 +74,10 @@ <loader>/usr/lib/xen/boot/hvmloader</loader> <boot dev='hd'/> </os> + <idmap> + <uid start='0' target='1000' count='10'/> + <gid start='0' target='1000' count='10'/> + </idmap> <description>Foo bar baz & yeah boii < > yeahfoo </description> diff --git a/tests/xmlparse-xml/change-guest-out.xml b/tests/xmlparse-xml/change-guest-out.xml index ec861ec..2996ba3 100644 --- a/tests/xmlparse-xml/change-guest-out.xml +++ b/tests/xmlparse-xml/change-guest-out.xml 
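Review bot: The only --userns coverage added to clitest.py is the fully specified happy path; there is no add_invalid case, so a bad key, a non-integer value, or a half-specified mapping goes untested. At minimum add `c.add_invalid("--userns user_start=foo")` next to the new add_valid line, and if the intent is that a uid mapping without a gid mapping is an error (see the ParserUserns hunk), `c.add_invalid("--userns user_start=0,user_target=1000,user_count=10")` pins that too. If the `--userns=?` listing the man page advertises is provided by the generic parser, a case exercising it would also be cheap.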
@@ -89,4 +89,8 @@ </device> </blkiotune> <bootloader>pygrub</bootloader> + <idmap> + <uid start="0" target="1000" count="10"/> + <gid start="0" target="1000" count="10"/> + </idmap> </domain> diff --git a/tests/xmlparse.py b/tests/xmlparse.py index 834afa8..6ae3d22 100644 --- a/tests/xmlparse.py +++ b/tests/xmlparse.py @@ -197,6 +197,14 @@ class XMLParseTest(unittest.TestCase): check("device_weight", None, 300) check("device_path", None, "/home/1.img") + check = self._make_checker(guest.userns) + check("user_start", None, 0) + check("user_target", None, 1000) + check("user_count", None, 10) + check("grp_start", None, 0) + check("grp_target", None, 1000) + check("grp_count", None, 10) + check = self._make_checker(guest.get_devices("memballoon")[0]) check("model", "virtio", "none") diff --git a/virt-convert b/virt-convert index 98cb6fb..f40aceb 100755 --- a/virt-convert +++ b/virt-convert @@ -44,7 +44,7 @@ from virtconv import VirtConverter ##################### def parse_args(): - desc =_( + desc = _( "Convert an OVF or VMX appliance to native libvirt XML, and run " "the guest.\nThe VM contents are not altered. Disk images are " "copied to the hypervisor\ndefault storage location.\n\n" diff --git a/virt-install b/virt-install index 2a24d41..50a733d 100755 --- a/virt-install +++ b/virt-install @@ -768,6 +768,7 @@ def parse_args(): cli.add_distro_options(insg) cli.add_boot_option(insg) insg.add_argument("--init", help=argparse.SUPPRESS) + cli.add_user_namespace_option(insg) stog = parser.add_argument_group(_("Storage Configuration")) cli.add_disk_option(stog) diff --git a/virt-xml b/virt-xml index 8ca0fc4..32bbb80 100755 --- a/virt-xml +++ b/virt-xml @@ -350,6 +350,7 @@ def parse_args(): cli.vcpu_cli_options(g, editexample=True) cli.add_guest_xml_options(g) cli.add_boot_option(g) + cli.add_user_namespace_option(g) cli.add_fs_option(g) cli.add_device_options(g) diff --git a/virtinst/__init__.py b/virtinst/__init__.py index b9186e0..f1ad552 100644 
--- a/virtinst/__init__.py +++ b/virtinst/__init__.py @@ -31,6 +31,7 @@ from virtinst.clock import Clock from virtinst.cpu import CPU, CPUFeature from virtinst.seclabel import Seclabel from virtinst.pm import PM +from virtinst.userns import UserNamespace import virtinst.capabilities as CapabilitiesParser from virtinst.interface import Interface, InterfaceProtocol diff --git a/virtinst/cli.py b/virtinst/cli.py index 6b0c12a..1f8f687 100644 --- a/virtinst/cli.py +++ b/virtinst/cli.py @@ -802,6 +802,13 @@ def add_disk_option(stog, editexample=False): "--disk=?") + editmsg) +def add_user_namespace_option(insg): + insg.add_argument("--userns", + help=_("Enable user namespace for LXC container. Ex.\n" + "--userns user=0,1000,10\n" + "--userns grp=0,1000,10")) + + ############################################# # CLI complex parsing helpers # # (for options like --disk, --network, etc. # @@ -1400,6 +1407,23 @@ class ParserBoot(VirtCLIParser): ###################### +# --userns parsing # +###################### + +class ParserUserns(VirtCLIParser): + def _init_params(self): + self.clear_attr = "userns" + + self.set_param("userns.user_start", "user_start") + self.set_param("userns.user_target", "user_target") + self.set_param("userns.user_count", "user_count") + + self.set_param("userns.grp_start", "grp_start") + self.set_param("userns.grp_target", "grp_target") + self.set_param("userns.grp_count", "grp_count") + + +###################### # --security parsing # ###################### @@ -2129,6 +2153,7 @@ def build_parser_map(options, skip=None, only=None): register_parser("cpu", ParserCPU) register_parser("numatune", ParserNumatune) register_parser("blkiotune", ParserBlkiotune) + register_parser("userns", ParserUserns) register_parser("boot", ParserBoot) register_parser("security", ParserSecurity) register_parser("features", ParserFeatures) diff --git a/virtinst/guest.py b/virtinst/guest.py index d55c2a0..8affbb8 100644 --- a/virtinst/guest.py +++ b/virtinst/guest.py 
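Review bot: The help text in the new add_user_namespace_option advertises a syntax the parser does not accept: it shows `--userns user=0,1000,10` and `--userns grp=0,1000,10`, while ParserUserns later in this file only registers `user_start`, `user_target`, `user_count`, `grp_start`, `grp_target`, `grp_count` (the man page hunk and the clitest case use those keys). A user copying the example from --help would get an unknown-option parse error. Suggest `help=_("Enable user namespace for LXC container. Ex.\n" "--userns user_start=0,user_target=1000,user_count=10," "grp_start=0,grp_target=1000,grp_count=10")`. While touching wording, the man page text in this series reads `--usens can be sepicified` and `Use -userns=?`; both should be `--userns`.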
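Review bot: ParserUserns copies the six values straight into the idmap element with no cross-field check, so `--userns user_start=0,user_target=1000,user_count=10` on its own yields an `<idmap>` with a `<uid>` but no `<gid>`; as far as I recall libvirt refuses a domain that maps only one of the two, and it is friendlier to reject that here with a message naming the missing keys than to surface a libvirt error at define time. The same check is the natural place for the security caveat the man page itself raises: a mapping with `user_start=0` and `user_target=0` (likewise `grp_target=0`) hands container root real host root and defeats the point of enabling the user namespace, so it should at least warn, and a zero or negative `*_count` is meaningless and should be refused (`is_int=True` on the properties only guarantees an integer). Whichever post-parse hook VirtCLIParser provides for this is outside the hunk, so I have not proposed exact code; a comment on the class stating that values are passed through unvalidated would be the minimum.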
@@ -38,6 +38,7 @@ from virtinst import DomainNumatune from virtinst import DomainBlkiotune from virtinst import DomainFeatures from virtinst import PM +from virtinst import UserNamespace from virtinst.xmlbuilder import XMLBuilder, XMLProperty, XMLChildProperty from virtinst import osdict @@ -91,8 +92,8 @@ class Guest(XMLBuilder): _XML_ROOT_NAME = "domain" _XML_PROP_ORDER = ["type", "name", "uuid", "title", "description", "maxmemory", "memory", "hugepage", "vcpus", "curvcpus", - "numatune", "blkiotune", "bootloader", "os", "features", "cpu", "clock", - "on_poweroff", "on_reboot", "on_crash", "pm", "emulator", "_devices", + "numatune", "blkiotune", "bootloader", "os", "userns", "features", "cpu", + "clock", "on_poweroff", "on_reboot", "on_crash", "pm", "emulator", "_devices", "seclabel"] def __init__(self, *args, **kwargs): @@ -191,6 +192,7 @@ class Guest(XMLBuilder): numatune = XMLChildProperty(DomainNumatune, is_single=True) pm = XMLChildProperty(PM, is_single=True) blkiotune = XMLChildProperty(DomainBlkiotune, is_single=True) + userns = XMLChildProperty(UserNamespace, is_single=True) ############################### diff --git a/virtinst/userns.py b/virtinst/userns.py new file mode 100644 index 0000000..14e44a0 --- /dev/null +++ b/virtinst/userns.py 
@@ -0,0 +1,37 @@
+#
+# Copyright 2014 Fujitsu Limited.
+# Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301 USA.
+
+from virtinst.xmlbuilder import XMLBuilder, XMLProperty
+
+
+class UserNamespace(XMLBuilder):
+    """
+    Class for generating user namespace related XML
+    """
+    _XML_ROOT_NAME = "idmap"
+    _XML_PROP_ORDER = ["user_start", "user_target", "user_count",
+                       "grp_start", "grp_target", "grp_count"]
+
+    user_start = XMLProperty("./uid/@start", is_int=True)
+    user_target = XMLProperty("./uid/@target", is_int=True)
+    user_count = XMLProperty("./uid/@count", is_int=True)
+
+    grp_start = XMLProperty("./gid/@start", is_int=True)
+    grp_target = XMLProperty("./gid/@target", is_int=True)
+    grp_count = XMLProperty("./gid/@count", is_int=True)
-- 
1.8.4.2
_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
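Review bot: The UserNamespace docstring and its six XMLProperty attributes say nothing about what the numbers mean, so a reader must go to libvirt's domain XML docs to learn that `start` is the first id inside the container, `target` the first host id it maps to, and `count` the length of the range (per libvirt's formatdomain as I recall it; worth confirming before writing it down). Suggest expanding the class docstring to name the generated `<idmap><uid start= target= count=/><gid .../></idmap>` element and adding a one-line comment over each group, e.g. `# container uids [user_start, user_start+user_count) map to host uids starting at user_target`. It is also worth a comment that this model carries exactly one `<uid>` and one `<gid>` range (the XPath `./uid/@start` addresses a single element), which appears narrower than what libvirt's schema permits, so XML with several ranges will not round-trip through virt-xml unchanged; stating that limitation saves the next maintainer from assuming it does.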