When Libvirt creates LXC container with enabled user namespace the ownership of files in the container should be mapped to the specified target UID/GID. The implementation of the mapping is inspired by the tool uidmapshift: http://bazaar.launchpad.net/%7Eserge-hallyn/+junk/nsexec/view/head:/uidmapshift.c Mapping values can be specified with the flags: --idmap Map both UIDs/GIDs --uidmap Map UIDs --gidmap Map GIDs Each of these flags can be specified multiple times. Example: virt-bootstrap docker://fedora /tmp/foo --uidmap 0:1000:10 --gidmap 0:1000:10 Will map the ownership of files with UIDs/GIDs: 0-9 to 1000-1009 The same result can be achived with: virt-bootstrap docker://fedora /tmp/foo --idmap 0:1000:10 Multiple mapping values can be specified as follows: virt_bootstrap.py docker://ubuntu /tmp/foo --idmap 0:1000:10 --idmap 500:1500:10 This will map the UID/GIDs: 0-9 to 1000-1009 and 500-509 to 1500-1509 --- src/virtBootstrap/virt_bootstrap.py | 127 ++++++++++++++++++++++++++++++++++-- 1 file changed, 122 insertions(+), 5 deletions(-) diff --git a/src/virtBootstrap/virt_bootstrap.py b/src/virtBootstrap/virt_bootstrap.py index 3989a03..5506445 100755 --- a/src/virtBootstrap/virt_bootstrap.py +++ b/src/virtBootstrap/virt_bootstrap.py @@ -69,12 +69,108 @@ def get_source(source_type): raise Exception("Invalid image URL scheme: '%s'" % source_type) +# The implementation for remapping ownership of all files inside a +# container's rootfs is inspired by the tool uidmapshift: +# +# Original author: Serge Hallyn <serge.hallyn@xxxxxxxxxx> +# Original license: GPLv2 +# http://bazaar.launchpad.net/%7Eserge-hallyn/+junk/nsexec/view/head:/uidmapshift.c + +def get_map_id(old_id, opts): + """ + Calculate new map_id. + """ + if old_id >= opts['first'] and old_id < opts['last']: + return old_id + opts['offset'] + return -1 + + +def parse_idmap(idmap): + """ + Parse user input to 'start', 'target' and 'count' values. + + Example: + ['0:1000:10', '500:500:10'] + is converted to: + [[0, 1000, 10], [500, 500, 10]] + """ + if not isinstance(idmap, list) or idmap == []: + return None + try: + idmap_list = [] + for x in idmap: + start, target, count = x.split(':') + idmap_list.append([int(start), int(target), int(count)]) + + return idmap_list + except Exception: + raise ValueError("Invalid UID/GID mapping value: %s" % idmap) + + +def get_mapping_opts(mapping): + """ + Get range options from UID/GID mapping + """ + start = mapping[0] if mapping[0] > -1 else 0 + target = mapping[1] if mapping[1] > -1 else 0 + count = mapping[2] if mapping[2] > -1 else 1 + + opts = { + 'first': start, + 'last': start + count, + 'offset': target - start + } + return opts + + +def map_id(path, map_uid, map_gid): + """ + Remapping ownership of all files inside a container's rootfs. + + map_gid and map_uid: Contain integers in a list with format: + [<start>, <target>, <count>] + """ + if map_uid: + uid_opts = get_mapping_opts(map_uid) + if map_gid: + gid_opts = get_mapping_opts(map_gid) + + for root, _ignore, files in os.walk(os.path.realpath(path)): + for name in [root] + files: + file_path = os.path.join(root, name) + + stat_info = os.lstat(file_path) + old_uid = stat_info.st_uid + old_gid = stat_info.st_gid + + new_uid = get_map_id(old_uid, uid_opts) if map_uid else -1 + new_gid = get_map_id(old_gid, gid_opts) if map_gid else -1 + os.lchown(file_path, new_uid, new_gid) + + +def mapping_uid_gid(dest, uid_map, gid_map): + """ + Mapping ownership for each uid_map and gid_map. + """ + len_diff = len(uid_map) - len(gid_map) + + if len_diff < 0: + uid_map += [None] * abs(len_diff) + elif len_diff > 0: + gid_map += [None] * len_diff + + for uid, gid in zip(uid_map, gid_map): + map_id(dest, uid, gid) + + # pylint: disable=too-many-arguments def bootstrap(uri, dest, fmt='dir', username=None, password=None, root_password=None, + uid_map=None, + gid_map=None, not_secure=False, no_cache=False, progress_cb=None): @@ -104,9 +200,14 @@ def bootstrap(uri, dest, no_cache=no_cache, progress=prog).unpack(dest) - if fmt == "dir" and root_password is not None: - logger.info("Setting password of the root account") - utils.set_root_password(dest, root_password) + if fmt == "dir": + if root_password is not None: + logger.info("Setting password of the root account") + utils.set_root_password(dest, root_password) + + if uid_map or gid_map: + logger.info("Mapping UID/GID") + mapping_uid_gid(dest, uid_map, gid_map) def set_logging_conf(loglevel=None): @@ -156,6 +257,15 @@ def main(): help=_("Password for accessing the source registry")) parser.add_argument("--root-password", default=None, help=_("Set root password")) + parser.add_argument("--uidmap", default=None, action='append', + metavar="<start>:<target>:<count>", + help=_("Map UIDs")) + parser.add_argument("--gidmap", default=None, action='append', + metavar="<start>:<target>:<count>", + help=_("Map GIDs")) + parser.add_argument("--idmap", default=None, action='append', + metavar="<start>:<target>:<count>", + help=_("Map both UIDs/GIDs")) parser.add_argument("--no-cache", action="store_true", help=_("Do not store downloaded Docker images")) parser.add_argument("-f", "--format", default='dir', @@ -170,8 +280,6 @@ def main(): const=utils.write_progress, help=_("Show only progress information")) - # TODO add UID / GID mapping parameters - try: args = parser.parse_args() @@ -179,6 +287,13 @@ def main(): # Configure logging lovel/format set_logging_conf(args.loglevel) + uid_map = parse_idmap(args.idmap) if args.idmap else [] + gid_map = list(uid_map) if args.idmap else [] + if args.uidmap: + uid_map += parse_idmap(args.uidmap) + if args.gidmap: + gid_map += parse_idmap(args.gidmap) + # do the job here! bootstrap(uri=args.uri, dest=args.dest, @@ -186,6 +301,8 @@ def main(): username=args.username, password=args.password, root_password=args.root_password, + uid_map=uid_map, + gid_map=gid_map, not_secure=args.not_secure, no_cache=args.no_cache, progress_cb=args.status_only) -- 2.9.4 _______________________________________________ virt-tools-list mailing list virt-tools-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/virt-tools-list
