[Devel] [PATCH v3 6/9] allow local uid and gid to be specified at container creation
Glauber Costa
glommer at openvz.org
Mon Apr 29 22:16:28 PDT 2013
From: Glauber Costa <glommer at parallels.com>
It is a valid use case to run a container with host uid and gid different than
the default. In particular, already deployed versions of vzctl are expected to
have this value unset, effectively meaning they are not expecting user
namespaces to be present. We also deem as a valid use case to run a fully
privileged container, in which case we will explicitly disable user namespaces.
This patch provides and documents a way to do so.
Signed-off-by: Glauber Costa <glommer at parallels.com>
---
man/vzctl.8.in | 16 ++++++++++++++++
src/lib/hooks_ct.c | 4 ++--
src/vzctl-actions.c | 2 ++
src/vzctl.c | 1 +
4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/man/vzctl.8.in b/man/vzctl.8.in
index 20a1856..d042e20 100644
--- a/man/vzctl.8.in
+++ b/man/vzctl.8.in
@@ -871,6 +871,8 @@ List of available fields can be obtained using \fB-L\fR option.
.OP --ipadd addr
.OP --hostname name
.OP --name name
+.OP --local_uid uid
+.OP --local_gid gid
.YS
.IP "" 4
Creates a new container area. This operation should be done once, before
@@ -922,6 +924,20 @@ a container. Note that this option can be used multiple times.
You can use \fB--hostname\fR \fIname\fR option to set a host name for
a container.
+
+When running with an upstream Linux Kernel that supports user namespaces (>=
+3.8), the parameters \fB--local_uid\fR and \fB--local_gid\fR can be used to
+select which \fIuid\fR and \fIgid\fR respectively will be used as a base user
+in the host system. Note that user namespaces provide a 1:1 mapping between
+container users and host users. If these options are not specified, the value
+100000 is used. An explicit \fB--local_uid\fR value of 0 will disable user
+namespace support, and run the container as a privileged user. In this case,
+\fB--local_gid\fR is ignored.
+
+\fBWarning:\fR use \fB--local_uid\fR and \fB--local_gid\fR with care, specially
+when migrating containers. In all situations, the container's files in the
+filesystem needs to be correctly owned by the host-side users.
+
.IP "\fBdestroy\fR | \fBdelete\fR \fICTID\fR" 4
Removes a container private area by deleting all files, directories and
the configuration file of this container.
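Review bot: two grammar slips in the added Warning paragraph: "specially" should be "especially", and "the container's files in the filesystem needs to be correctly owned" should read "need to be". It would also help to state concretely which host uid a given container uid maps to, since "base user" and "1:1 mapping" in the paragraph above leave the reader to infer the offset, and that is exactly what an operator needs to know before migrating a container with a different --local_uid.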
diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
index b0cb359..a791934 100644
--- a/src/lib/hooks_ct.c
+++ b/src/lib/hooks_ct.c
@@ -393,7 +393,7 @@ static int ct_env_create(struct arg_start *arg)
clone_flags |= CLONE_NEWNET|CLONE_NEWNS;
if (!arg->h->can_join_userns) {
- logger(-1, 0, "WARNING: Running container unprivileged. USER_NS not supported");
+ logger(-1, 0, "WARNING: Running container unprivileged. USER_NS not supported, or runtime disabled");
userns_p[0] = userns_p[1] = -1;
} else {
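Review bot: the reworded warning at the logger() call is misleading for the new runtime-disabled case. The commit message says an explicit --local_uid of 0 runs a fully privileged container, yet the message still opens with "Running container unprivileged", which reads as the opposite of what happens. Consider emitting two distinct messages, one when the kernel lacks USER_NS and one when the operator disabled it, and have the second say plainly that the container runs as a privileged host user without user-namespace isolation, so the security impact is visible in the log.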
@@ -808,7 +808,7 @@ int ct_do_open(vps_handler *h, vps_param *param)
* mapped user to own the files, etc. So we also need to find suitable
* configuration in the config files.
*/
- h->can_join_userns = !stat(upath, &st) && local_uid;
+ h->can_join_userns = !stat(upath, &st) && local_uid && (*local_uid != 0);
h->is_run = ct_is_run;
h->enter = ct_enter;
h->destroy = ct_destroy;
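Review bot: the new `(*local_uid != 0)` term turns 0 into a sentinel meaning "user namespaces off", but nothing at this line says so. Add a one-line comment above the assignment noting that 0 deliberately disables can_join_userns (as the man page text in this patch documents), so a later reader does not mistake it for a request to map container users onto host uid 0 and "fix" it. The comment should also mention that an absent local_uid and an explicit 0 now behave identically here, which is what the commit message says already deployed configurations rely on.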
diff --git a/src/vzctl-actions.c b/src/vzctl-actions.c
index 4627043..3ba5a75 100644
--- a/src/vzctl-actions.c
+++ b/src/vzctl-actions.c
@@ -392,6 +392,8 @@ static int parse_create_opt(envid_t veid, int argc, char **argv,
{"ve_layout", required_argument, NULL, PARAM_VE_LAYOUT},
{"velayout", required_argument, NULL, PARAM_VE_LAYOUT},
{"diskspace", required_argument, NULL, PARAM_DISKSPACE},
+ {"local_uid", required_argument, NULL, PARAM_LOCAL_UID},
+ {"local_gid", required_argument, NULL, PARAM_LOCAL_GID},
{ NULL, 0, NULL, 0 }
};
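Review bot: this hunk only registers the two long options; the diffstat shows no other change in src/vzctl-actions.c, so the switch cases that consume PARAM_LOCAL_UID and PARAM_LOCAL_GID (numeric parsing, rejection of negative or non-numeric input) must live in an earlier patch of the series. Please reference that patch in the commit message, or confirm that an invalid --local_uid value is rejected rather than silently parsed as 0, since 0 now carries the special meaning of disabling user namespaces.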
diff --git a/src/vzctl.c b/src/vzctl.c
index 359bcde..54d66d1 100644
--- a/src/vzctl.c
+++ b/src/vzctl.c
@@ -65,6 +65,7 @@ static void usage(int rc)
"vzctl create <ctid> [--ostemplate <name>] [--config <name>]\n"
" [--layout ploop|simfs] [--hostname <name>] [--name <name>] [--ipadd <addr>]\n"
" [--diskspace <kbytes>] [--private <path>] [--root <path>]\n"
+" [--local_uid <UID>] [--local_gid <GID>]\n"
"vzctl start <ctid> [--force] [--wait]\n"
"vzctl destroy | mount | umount | stop | restart | status <ctid>\n"
#ifdef HAVE_PLOOP
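Review bot: placeholder casing in the new usage line is inconsistent with its neighbours: `<UID>` and `<GID>` are upper-case while every other placeholder on the surrounding lines (`<name>`, `<addr>`, `<kbytes>`, `<path>`) is lower-case, and the man page synopsis in this same patch uses lower-case `uid`/`gid`. Suggest `" [--local_uid <uid>] [--local_gid <gid>]\n"`.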
--
1.7.11.7