[Devel] [PATCH v3 6/9] allow local uid and gid to be specified at container creation

Kir Kolyshkin kir at openvz.org
Mon May 13 20:09:24 PDT 2013


On 04/29/2013 10:16 PM, Glauber Costa wrote:
> From: Glauber Costa <glommer at parallels.com>
>
> It is a valid use case to run a container with host uid and gid different than
> the default. In particular, already deployed versions of vzctl are expected to
> have this value unset, effectively meaning they are not expecting user
> namespaces to be present. We also deem as a valid use case to run a fully
> privileged container, in which case we will explicitly disable user namespaces.
>
> This patch provides and documents a way to do so.
>
> Signed-off-by: Glauber Costa <glommer at parallels.com>
> ---
>   man/vzctl.8.in      | 16 ++++++++++++++++
>   src/lib/hooks_ct.c  |  4 ++--
>   src/vzctl-actions.c |  2 ++
>   src/vzctl.c         |  1 +
>   4 files changed, 21 insertions(+), 2 deletions(-)
>
> diff --git a/man/vzctl.8.in b/man/vzctl.8.in
> index 20a1856..d042e20 100644
> --- a/man/vzctl.8.in
> +++ b/man/vzctl.8.in
> @@ -871,6 +871,8 @@ List of available fields can be obtained using \fB-L\fR option.
>   .OP --ipadd addr
>   .OP --hostname name
>   .OP --name name
> +.OP --local_uid uid
> +.OP --local_gid gid
>   .YS
>   .IP "" 4
>   Creates a new container area. This operation should be done once, before
> @@ -922,6 +924,20 @@ a container. Note that this option can be used multiple times.
>   
>   You can use \fB--hostname\fR \fIname\fR option to set a host name for
>   a container.
> +
> +When running with an upstream Linux Kernel that supports user namespaces (>=
> +3.8), the parameters \fB--local_uid\fR and \fB--local_gid\fR can be used to
> +select which \fIuid\fR and \fIgid\fR respectively will be used as a base user
> +in the host system. Note that user namespaces provide a 1:1 mapping between
> +container users and host users. If these options are not specified, the value
> +100000 is used.

This probably comes from an older version of a patchset. We don't have 
compiled-in defaults, do we?

I'd say

If these options are not specified, the values \fBLOCAL_UID\fR and \fBLOCAL_GID\fR
from global configuration file \fBvz.conf\fR(5) are used.


>   An explicit \fB--local_uid\fR value of 0 will disable user
> +namespace support, and run the container as a privileged user. In this case,
> +\fB--local_gid\fR is ignored.
> +
> +\fBWarning:\fR use \fB--local_uid\fR and \fB--local_gid\fR with care, specially
> +when migrating containers. In all situations, the container's files in the
> +filesystem needs to be correctly owned by the host-side users.
> +
>   .IP "\fBdestroy\fR | \fBdelete\fR \fICTID\fR" 4
>   Removes a container private area by deleting all files, directories and
>   the configuration file of this container.
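Review bot: the description never states the actual mapping rule, and the warning paragraph has two grammar slips. "used as a base user in the host system" and "1:1 mapping" only imply the rule; say outright that container uid N is host uid local_uid + N (and likewise for gids with local_gid), and how many ids are mapped from that base, since that is what an admin needs in order to choose bases for several containers that do not collide. In the warning, "specially" should be "especially", and "the container's files in the filesystem needs to be correctly owned" should be "need to be correctly owned", ideally saying by whom: host uids and gids starting at the chosen base.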
> diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
> index b0cb359..a791934 100644
> --- a/src/lib/hooks_ct.c
> +++ b/src/lib/hooks_ct.c
> @@ -393,7 +393,7 @@ static int ct_env_create(struct arg_start *arg)
>   	clone_flags |= CLONE_NEWNET|CLONE_NEWNS;
>   
>   	if (!arg->h->can_join_userns) {
> -		logger(-1, 0, "WARNING: Running container unprivileged. USER_NS not supported");
> +		logger(-1, 0, "WARNING: Running container unprivileged. USER_NS not supported, or runtime disabled");
>   
>   		userns_p[0] = userns_p[1] = -1;
>   	} else {
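Review bot: the log message now contradicts the man page text in this same patch. The man page says an explicit --local_uid 0 runs the container "as a privileged user", yet this branch logs "Running container unprivileged" for exactly that case as well as for the unsupported-kernel case. Since both reach this branch through can_join_userns, the message should describe what actually happens, e.g. "WARNING: Running container without user namespaces (privileged). USER_NS not supported by the kernel, or disabled by LOCAL_UID=0", and it would help the admin to tell the two causes apart, which a single string cannot.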
> @@ -808,7 +808,7 @@ int ct_do_open(vps_handler *h, vps_param *param)
>   	 * mapped user to own the files, etc. So we also need to find suitable
>   	 * configuration in the config files.
>   	 */
> -	h->can_join_userns = !stat(upath, &st) && local_uid;
> +	h->can_join_userns = !stat(upath, &st) && local_uid && (*local_uid != 0);
>   	h->is_run = ct_is_run;
>   	h->enter = ct_enter;
>   	h->destroy = ct_destroy;
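Review bot: only local_uid is checked here; local_gid is not. The man page says --local_gid is ignored when --local_uid is 0, but a non-zero uid combined with a zero or missing gid is neither rejected nor handled by this condition, so user-namespace setup proceeds with container gid 0 mapped onto host gid 0. Either reject that combination where the option or config value is parsed, or extend the condition with `local_gid && *local_gid != 0` and its own diagnostic. Note also that the expression folds three different situations (no user-namespace support in the kernel, no LOCAL_UID in the configuration, explicit 0) into one boolean, which is what makes the WARNING in the earlier hunk so vague.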
> diff --git a/src/vzctl-actions.c b/src/vzctl-actions.c
> index 4627043..3ba5a75 100644
> --- a/src/vzctl-actions.c
> +++ b/src/vzctl-actions.c
> @@ -392,6 +392,8 @@ static int parse_create_opt(envid_t veid, int argc, char **argv,
>   	{"ve_layout",	required_argument, NULL, PARAM_VE_LAYOUT},
>   	{"velayout",	required_argument, NULL, PARAM_VE_LAYOUT},
>   	{"diskspace",	required_argument, NULL, PARAM_DISKSPACE},
> +	{"local_uid",	required_argument, NULL, PARAM_LOCAL_UID},
> +	{"local_gid",	required_argument, NULL, PARAM_LOCAL_GID},
>   	{ NULL, 0, NULL, 0 }
>   };
>   
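Review bot: the getopt entries are the only part of the option handling visible in this patch; conversion and range checking of the value happen wherever PARAM_LOCAL_UID and PARAM_LOCAL_GID are handled, which is not in this diff. The commit message should state that 0 is accepted there (the man page gives it a special meaning) and that negative values and values outside the uid_t range are rejected, since the man page makes a correct base id a prerequisite for correct file ownership.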
> diff --git a/src/vzctl.c b/src/vzctl.c
> index 359bcde..54d66d1 100644
> --- a/src/vzctl.c
> +++ b/src/vzctl.c
> @@ -65,6 +65,7 @@ static void usage(int rc)
>   "vzctl create <ctid> [--ostemplate <name>] [--config <name>]\n"
>   "   [--layout ploop|simfs] [--hostname <name>] [--name <name>] [--ipadd <addr>]\n"
>   "   [--diskspace <kbytes>] [--private <path>] [--root <path>]\n"
> +"   [--local_uid <UID>] [--local_gid <GID>]\n"
>   "vzctl start <ctid> [--force] [--wait]\n"
>   "vzctl destroy | mount | umount | stop | restart | status <ctid>\n"
>   #ifdef HAVE_PLOOP
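Review bot: the placeholders are upper case, `<UID>` and `<GID>`, while every other placeholder in this usage text is lower case (`<name>`, `<addr>`, `<kbytes>`) and the man page synopsis in this same patch spells them `uid` and `gid`; use `<uid>` and `<gid>`.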



