[Devel] [PATCH v4 4/7] allow local uid and gid to be specified at container creation

Glauber Costa glommer at openvz.org
Tue May 14 03:52:49 PDT 2013


From: Glauber Costa <glommer at parallels.com>

It is a valid use case to run a container with host uid and gid different than
the default. In particular, already deployed versions of vzctl are expected to
have this value unset, effectively meaning they are not expecting user
namespaces to be present. We also deem as a valid use case to run a fully
privileged container, in which case we will explicitly disable user namespaces.

This patch provides and documents a way to do so.

Signed-off-by: Glauber Costa <glommer at parallels.com>
---
 man/vzctl.8.in      | 17 +++++++++++++++++
 src/lib/hooks_ct.c  | 11 ++++++++---
 src/vzctl-actions.c |  2 ++
 src/vzctl.c         |  1 +
 4 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/man/vzctl.8.in b/man/vzctl.8.in
index 20a1856..e233696 100644
--- a/man/vzctl.8.in
+++ b/man/vzctl.8.in
@@ -871,6 +871,8 @@ List of available fields can be obtained using \fB-L\fR option.
 .OP --ipadd addr
 .OP --hostname name
 .OP --name name
+.OP --local_uid uid
+.OP --local_gid gid
 .YS
 .IP "" 4
 Creates a new container area. This operation should be done once, before
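Review bot: style, the two new `.OP` lines introduce underscore-separated option names (`--local_uid`, `--local_gid`) next to single-word options; since the parser table in this same patch keeps both `ve_layout` and `velayout` spellings for an older option, decide up front whether a hyphenated or joined alias is wanted here too, because adding one later means touching the man page, the usage text and the option table again.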
@@ -922,6 +924,21 @@ a container. Note that this option can be used multiple times.
 
 You can use \fB--hostname\fR \fIname\fR option to set a host name for
 a container.
+
+When running with an upstream Linux Kernel that supports user namespaces (>=
+3.8), the parameters \fB--local_uid\fR and \fB--local_gid\fR can be used to
+select which \fIuid\fR and \fIgid\fR respectively will be used as a base user
+in the host system. Note that user namespaces provide a 1:1 mapping between
+container users and host users. If these options are not specified, the values
+\fBLOCAL_UID\fR and \fBLOCAL_GID\fR from global configuration file
+\fBvz.conf\fR(5) are used. An explicit \fB--local_uid\fR value of 0 will
+disable user namespace support, and run the container as a privileged user. In
+this case, \fB--local_gid\fR is ignored.
+
+\fBWarning:\fR use \fB--local_uid\fR and \fB--local_gid\fR with care, specially
+when migrating containers. In all situations, the container's files in the
+filesystem needs to be correctly owned by the host-side users.
+
 .IP "\fBdestroy\fR | \fBdelete\fR \fICTID\fR" 4
 Removes a container private area by deleting all files, directories and
 the configuration file of this container.
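Review bot: grammar in the added warning paragraph: "specially" should be "especially" and "the container's files in the filesystem needs" should be "need". The sentence "user namespaces provide a 1:1 mapping between container users and host users" does not tell the reader which host uids a container's non-root users land on, so state the mapping relative to the base uid explicitly. The paragraph also defers to LOCAL_UID and LOCAL_GID in vz.conf(5); confirm that man page documents those keys and the "unset means no user namespace, container runs privileged" behaviour from the commit message, since an administrator reading only vz.conf(5) would otherwise not learn that.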
diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
index f4d8f48..9b2e929 100644
--- a/src/lib/hooks_ct.c
+++ b/src/lib/hooks_ct.c
@@ -418,7 +418,7 @@ static int ct_env_create(struct arg_start *arg)
 	clone_flags |= CLONE_NEWNET|CLONE_NEWNS;
 
 	if (!arg->h->can_join_userns) {
-		logger(-1, 0, "WARNING: Running container unprivileged. USER_NS not supported");
+		logger(-1, 0, "WARNING: Running container unprivileged. USER_NS not supported, or runtime disabled");
 
 		userns_p[0] = userns_p[1] = -1;
 	} else {
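Review bot: the reworded message still logs at warning level when user namespaces were disabled on purpose with `--local_uid 0`, so a deliberate administrator choice is indistinguishable in the log from a kernel that lacks USER_NS; logging the explicit-0 case separately at a lower severity keeps the genuine missing-support condition findable. The text "Running container unprivileged" also reads oddly next to the man page text in this patch, which calls this case running the container as a privileged user.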
@@ -797,7 +797,12 @@ int ct_do_open(vps_handler *h, vps_param *param, vps_param *cmd)
 	char path[STR_SIZE];
 	char upath[STR_SIZE];
 	struct stat st;
-	unsigned long *local_uid = param->res.misc.local_uid;
+	unsigned long *local_uid; 
+ 
+	/* Command line takes precedence, but if it is unset, check global file */ 
+	local_uid = cmd->res.misc.local_uid; 
+	if (!local_uid) 
+		local_uid = param->res.misc.local_uid; 
 
 	ret = container_init();
 	if (ret) {
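Review bot: the six added lines carry trailing whitespace (after `local_uid;`, on the blank line, after the comment and after each statement); strip it before merging. On the logic, only `local_uid` receives the command-line-over-config precedence here while `local_gid` is not touched in this hunk; make sure the gid is resolved with the same rule elsewhere, otherwise a `--local_gid` passed on the command line with LOCAL_GID set in vz.conf would silently use the config file value.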
@@ -838,7 +843,7 @@ int ct_do_open(vps_handler *h, vps_param *param, vps_param *cmd)
 	 * mapped user to own the files, etc. So we also need to find suitable
 	 * configuration in the config files.
 	 */
-	h->can_join_userns = !stat(upath, &st) && local_uid;
+	h->can_join_userns = !stat(upath, &st) && local_uid && (*local_uid != 0);
 	h->is_run = ct_is_run;
 	h->enter = ct_enter;
 	h->destroy = ct_destroy;
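Review bot: `local_uid && (*local_uid != 0)` makes an explicit 0 mean "privileged container" for the command-line option, but because `local_uid` may have come from `param` a `LOCAL_UID=0` in vz.conf now disables user namespaces for every container too, which the man page text in this patch documents only for `--local_uid`; either document that the global key behaves the same or reject 0 there. A dedicated flag set when 0 is seen would also make the intent readable at this line instead of overloading the uid value.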
diff --git a/src/vzctl-actions.c b/src/vzctl-actions.c
index 7bf15c9..044a0ad 100644
--- a/src/vzctl-actions.c
+++ b/src/vzctl-actions.c
@@ -391,6 +391,8 @@ static int parse_create_opt(envid_t veid, int argc, char **argv,
 	{"ve_layout",	required_argument, NULL, PARAM_VE_LAYOUT},
 	{"velayout",	required_argument, NULL, PARAM_VE_LAYOUT},
 	{"diskspace",	required_argument, NULL, PARAM_DISKSPACE},
+	{"local_uid",	required_argument, NULL, PARAM_LOCAL_UID},
+	{"local_gid",	required_argument, NULL, PARAM_LOCAL_GID},
 	{ NULL, 0, NULL, 0 }
 };
 
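Review bot: the table gains PARAM_LOCAL_UID and PARAM_LOCAL_GID but the matching cases in the `parse_create_opt` switch, where the argument string is converted and stored in `res.misc.local_uid` / `local_gid`, are not in this hunk; if they were added in an earlier patch of the series, say so in the commit message, and make sure that conversion rejects non-numeric or out-of-range values with an error rather than leaving the pointer unset and silently falling back to the vz.conf value.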
diff --git a/src/vzctl.c b/src/vzctl.c
index 359bcde..54d66d1 100644
--- a/src/vzctl.c
+++ b/src/vzctl.c
@@ -65,6 +65,7 @@ static void usage(int rc)
 "vzctl create <ctid> [--ostemplate <name>] [--config <name>]\n"
 "   [--layout ploop|simfs] [--hostname <name>] [--name <name>] [--ipadd <addr>]\n"
 "   [--diskspace <kbytes>] [--private <path>] [--root <path>]\n"
+"   [--local_uid <UID>] [--local_gid <GID>]\n"
 "vzctl start <ctid> [--force] [--wait]\n"
 "vzctl destroy | mount | umount | stop | restart | status <ctid>\n"
 #ifdef HAVE_PLOOP
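Review bot: the placeholders `<UID>` and `<GID>` are upper-case while every other placeholder in this usage text is lower-case (`<name>`, `<addr>`, `<kbytes>`); use `<uid>` and `<gid>` for consistency.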
-- 
1.7.11.7