[Devel] [PATCH v5 3/6] allow local uid and gid to be specified at container creation

Glauber Costa glommer at openvz.org
Fri May 17 09:26:43 PDT 2013


From: Glauber Costa <glommer at parallels.com>

It is a valid use case to run a container with host uid and gid different than
the default. In particular, already deployed versions of vzctl are expected to
have this value unset, effectively meaning they are not expecting user
namespaces to be present. We also deem as a valid use case to run a fully
privileged container, in which case we will explicitly disable user namespaces.

This patch provides and documents a way to do so.

Signed-off-by: Glauber Costa <glommer at parallels.com>
---
 man/vzctl.8.in      | 17 +++++++++++++++++
 src/lib/hooks_ct.c  |  4 ++--
 src/vzctl-actions.c |  2 ++
 src/vzctl.c         |  1 +
 4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/man/vzctl.8.in b/man/vzctl.8.in
index 20a1856..e233696 100644
--- a/man/vzctl.8.in
+++ b/man/vzctl.8.in
@@ -871,6 +871,8 @@ List of available fields can be obtained using \fB-L\fR option.
 .OP --ipadd addr
 .OP --hostname name
 .OP --name name
+.OP --local_uid uid
+.OP --local_gid gid
 .YS
 .IP "" 4
 Creates a new container area. This operation should be done once, before
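Review bot: The synopsis adds `--local_uid uid` and `--local_gid gid` as two independent options, but the description further down makes `--local_gid` meaningless whenever `--local_uid` is 0, and the getopt table in `parse_create_opt` accepts either option alone. It would help the reader to state in the synopsis text (or in the description) that `--local_gid` only has effect together with a non-zero `--local_uid`, and what happens when just one of the two is given on the command line while the other falls back to `vz.conf`.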
@@ -922,6 +924,21 @@ a container. Note that this option can be used multiple times.
 
 You can use \fB--hostname\fR \fIname\fR option to set a host name for
 a container.
+
+When running with an upstream Linux Kernel that supports user namespaces (>=
+3.8), the parameters \fB--local_uid\fR and \fB--local_gid\fR can be used to
+select which \fIuid\fR and \fIgid\fR respectively will be used as a base user
+in the host system. Note that user namespaces provide a 1:1 mapping between
+container users and host users. If these options are not specified, the values
+\fBLOCAL_UID\fR and \fBLOCAL_GID\fR from global configuration file
+\fBvz.conf\fR(5) are used. An explicit \fB--local_uid\fR value of 0 will
+disable user namespace support, and run the container as a privileged user. In
+this case, \fB--local_gid\fR is ignored.
+
+\fBWarning:\fR use \fB--local_uid\fR and \fB--local_gid\fR with care, specially
+when migrating containers. In all situations, the container's files in the
+filesystem needs to be correctly owned by the host-side users.
+
 .IP "\fBdestroy\fR | \fBdelete\fR \fICTID\fR" 4
 Removes a container private area by deleting all files, directories and
 the configuration file of this container.
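Review bot: The paragraph describing `--local_uid 0` should say plainly that "a privileged user" means container root is host root, since with user namespaces disabled there is no uid translation at all; as written, only the file-ownership risk is covered by the warning paragraph, while the far larger consequence of the 0 case (a container escape is a host compromise) is not mentioned. The text also does not say what the mapping range is: "1:1 mapping" and "base user" together imply container uid N becomes host uid local_uid + N, but the number of ids mapped and the fate of container uids beyond that range are undocumented. Two further gaps: the fallback when `LOCAL_UID` is absent from `vz.conf` as well (the `local_uid &&` test in `ct_do_open` shows an unset value also yields a privileged container, which the commit message says is the state of already deployed installs, so the man page should say so explicitly), and the case of `--local_gid 0` with a non-zero `--local_uid`, which nothing here rejects. Minor wording in the warning: "specially" should be "especially", and "files ... needs to be" should be "need to be".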
diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c
index e71f116..299d43d 100644
--- a/src/lib/hooks_ct.c
+++ b/src/lib/hooks_ct.c
@@ -423,7 +423,7 @@ static int ct_env_create(struct arg_start *arg)
 	clone_flags |= CLONE_NEWNET|CLONE_NEWNS;
 
 	if (!arg->h->can_join_userns) {
-		logger(-1, 0, "WARNING: Running container unprivileged. USER_NS not supported");
+		logger(-1, 0, "WARNING: Running container unprivileged. USER_NS not supported, or runtime disabled");
 
 		userns_p[0] = userns_p[1] = -1;
 	} else {
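Review bot: The reworded warning now covers two very different situations with one message, and "Running container unprivileged" reads as the opposite of what the commit message describes: with `can_join_userns` false there is no user namespace, so the container runs fully privileged on the host. Since `ct_do_open` already knows whether the `stat(upath, ...)` failed (kernel lacks support) or `*local_uid == 0` was configured (operator opted out), consider keeping two distinct messages, e.g. a WARNING for "USER_NS not supported by this kernel, running container privileged" and a plain notice for the explicit opt-out, so an unexpected loss of isolation is not buried among intentional ones in the logs.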
@@ -844,7 +844,7 @@ int ct_do_open(vps_handler *h, vps_param *param)
 	 * mapped user to own the files, etc. So we also need to find suitable
 	 * configuration in the config files.
 	 */
-	h->can_join_userns = !stat(upath, &st) && local_uid;
+	h->can_join_userns = !stat(upath, &st) && local_uid && (*local_uid != 0);
 	h->is_run = ct_is_run;
 	h->enter = ct_enter;
 	h->destroy = ct_destroy;
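Review bot: Folding the NULL check and the zero check into the same boolean in `h->can_join_userns = !stat(upath, &st) && local_uid && (*local_uid != 0);` makes an unset `LOCAL_UID` indistinguishable from an explicit `--local_uid 0`, yet the man page presents 0 as the deliberate way to disable user namespaces. Given that the commit message expects existing deployments to have the value unset, it is worth deciding here whether "unset" should silently mean "privileged" forever or whether a later change will want to flip that default; recording the reason (unsupported kernel, explicit 0, unset) in the handler rather than a single bool would keep that option open and would also let the warning in `ct_env_create` say which case applies. Separately, nothing checks `local_gid`: a non-zero `local_uid` combined with `*local_gid == 0` would map container gid 0 onto host gid 0, which is presumably not intended and should be rejected alongside the uid check.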
diff --git a/src/vzctl-actions.c b/src/vzctl-actions.c
index 0dd2ae7..1ef61d1 100644
--- a/src/vzctl-actions.c
+++ b/src/vzctl-actions.c
@@ -391,6 +391,8 @@ static int parse_create_opt(envid_t veid, int argc, char **argv,
 	{"ve_layout",	required_argument, NULL, PARAM_VE_LAYOUT},
 	{"velayout",	required_argument, NULL, PARAM_VE_LAYOUT},
 	{"diskspace",	required_argument, NULL, PARAM_DISKSPACE},
+	{"local_uid",	required_argument, NULL, PARAM_LOCAL_UID},
+	{"local_gid",	required_argument, NULL, PARAM_LOCAL_GID},
 	{ NULL, 0, NULL, 0 }
 };
 
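Review bot: The two new `required_argument` entries route `--local_uid` and `--local_gid` to `PARAM_LOCAL_UID` and `PARAM_LOCAL_GID`, but this patch contains no `case PARAM_LOCAL_UID:` / `case PARAM_LOCAL_GID:` handling in `parse_create_opt`, so the values presumably reach the configuration through code introduced earlier in the series; the commit message should say so, since the diffstat (2 insertions in `src/vzctl-actions.c`) makes the change look incomplete on its own. Wherever the string is converted, it should be parsed strictly (e.g. `strtoul` with a check that the whole argument was consumed) and negative or non-numeric input rejected with an error, because a parse failure that falls back to 0 would silently produce a privileged container.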
diff --git a/src/vzctl.c b/src/vzctl.c
index 359bcde..54d66d1 100644
--- a/src/vzctl.c
+++ b/src/vzctl.c
@@ -65,6 +65,7 @@ static void usage(int rc)
 "vzctl create <ctid> [--ostemplate <name>] [--config <name>]\n"
 "   [--layout ploop|simfs] [--hostname <name>] [--name <name>] [--ipadd <addr>]\n"
 "   [--diskspace <kbytes>] [--private <path>] [--root <path>]\n"
+"   [--local_uid <UID>] [--local_gid <GID>]\n"
 "vzctl start <ctid> [--force] [--wait]\n"
 "vzctl destroy | mount | umount | stop | restart | status <ctid>\n"
 #ifdef HAVE_PLOOP
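Review bot: Style nit in the usage line `"   [--local_uid <UID>] [--local_gid <GID>]\n"`: every other placeholder in this usage text is lowercase (`<name>`, `<addr>`, `<kbytes>`, `<path>`) and the man page synopsis uses `uid`/`gid`, so `<uid>` and `<gid>` would be consistent with both.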
-- 
1.7.11.7
