[virt-tools-list] [virt-manager PATCH] virt-install: add support for user namespace
Chen Hanxiao
chen_han_xiao at 126.com
Sat Feb 8 17:16:17 UTC 2014
From: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
This patch enables configuring a user namespace
for LXC containers, etc.
Signed-off-by: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
---
man/virt-install.pod | 14 ++++++++
.../compare/virt-xml-edit-clear-clock.xml | 2 +-
.../compare/virt-xml-edit-clear-cpu.xml | 2 +-
.../compare/virt-xml-edit-simple-boot.xml | 4 +--
.../compare/virt-xml-edit-simple-cpu.xml | 2 +-
.../compare/virt-xml-edit-simple-features.xml | 4 +--
.../compare/virt-xml-edit-simple-metadata.xml | 2 +-
.../compare/virt-xml-edit-simple-vcpus.xml | 2 +-
.../compare/virt-xml-remove-disk-path.xml | 2 +-
tests/clitest.py | 1 +
tests/testdriver.xml | 4 +++
tests/xmlparse-xml/change-guest-out.xml | 4 +++
tests/xmlparse.py | 8 +++++
virt-convert | 2 +-
virt-install | 1 +
virt-xml | 1 +
virtinst/__init__.py | 1 +
virtinst/cli.py | 25 +++++++++++++++
virtinst/guest.py | 6 ++--
virtinst/userns.py | 37 ++++++++++++++++++++++
20 files changed, 111 insertions(+), 13 deletions(-)
create mode 100644 virtinst/userns.py
diff --git a/man/virt-install.pod b/man/virt-install.pod
index ff08d72..46039ac 100644
--- a/man/virt-install.pod
+++ b/man/virt-install.pod
@@ -442,6 +442,20 @@ will default to /bin/sh.
Use --boot=? to see a list of all available sub options. Complete details at L<http://libvirt.org/formatdomain.html#elementsOS>
+=item --userns=USERNSOPTS
+
+If the guest configuration declares a UID or GID mapping,
+the 'user' namespace will be enabled to apply these.
+A suitably configured UID/GID mapping is a pre-requisite to
+make containers secure, in the absence of sVirt confinement.
+
+--usens can be sepicified to enable user namespace for LXC containers
+
+Example:
+ --userns user_start=0,user_target=1000,user_count=10,grp_start=0,grp_target=1000,grp_count=10
+
+Use -userns=? to see a list of all available sub options. Complete details at L<http://libvirt.org/formatdomain.html#elementsOSContainer>
+
=back
diff --git a/tests/cli-test-xml/compare/virt-xml-edit-clear-clock.xml b/tests/cli-test-xml/compare/virt-xml-edit-clear-clock.xml
index db893a7..c98e0c8 100644
--- a/tests/cli-test-xml/compare/virt-xml-edit-clear-clock.xml
+++ b/tests/cli-test-xml/compare/virt-xml-edit-clear-clock.xml
@@ -9,7 +9,7 @@
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>restart</on_crash>
-@@ -321,4 +316,5 @@
+@@ -325,4 +320,5 @@
<address type="isa" iobase="0x505"/>
</panic>
</devices>
diff --git a/tests/cli-test-xml/compare/virt-xml-edit-clear-cpu.xml b/tests/cli-test-xml/compare/virt-xml-edit-clear-cpu.xml
index da90fa1..5382971 100644
--- a/tests/cli-test-xml/compare/virt-xml-edit-clear-cpu.xml
+++ b/tests/cli-test-xml/compare/virt-xml-edit-clear-cpu.xml
@@ -21,7 +21,7 @@
<clock offset="utc">
<timer name="rtc" tickpolicy="catchup"/>
<timer name="pit" tickpolicy="delay"/>
-@@ -321,4 +304,5 @@
+@@ -325,4 +308,5 @@
<address type="isa" iobase="0x505"/>
</panic>
</devices>
diff --git a/tests/cli-test-xml/compare/virt-xml-edit-simple-boot.xml b/tests/cli-test-xml/compare/virt-xml-edit-simple-boot.xml
index 2e85c63..8194918 100644
--- a/tests/cli-test-xml/compare/virt-xml-edit-simple-boot.xml
+++ b/tests/cli-test-xml/compare/virt-xml-edit-simple-boot.xml
@@ -8,8 +8,8 @@
+ <bios useserial="yes"/>
+ <init>/bin/bash</init>
</os>
- <features>
- <acpi/>
+ <idmap>
+ <uid start="0" target="1000" count="10"/>
Domain 'test-many-devices' defined successfully.
Changes will take effect after the next domain shutdown.
\ No newline at end of file
diff --git a/tests/cli-test-xml/compare/virt-xml-edit-simple-cpu.xml b/tests/cli-test-xml/compare/virt-xml-edit-simple-cpu.xml
index 8da55c2..6e6e6d1 100644
--- a/tests/cli-test-xml/compare/virt-xml-edit-simple-cpu.xml
+++ b/tests/cli-test-xml/compare/virt-xml-edit-simple-cpu.xml
@@ -9,7 +9,7 @@
<feature policy="require" name="tm2"/>
<feature policy="require" name="est"/>
<feature policy="require" name="ss"/>
-@@ -50,6 +50,7 @@
+@@ -54,6 +54,7 @@
<feature policy="require" name="ds_cpl"/>
<feature policy="require" name="xtpr"/>
<feature policy="require" name="acpi"/>
diff --git a/tests/cli-test-xml/compare/virt-xml-edit-simple-features.xml b/tests/cli-test-xml/compare/virt-xml-edit-simple-features.xml
index 8d8b776..039dca2 100644
--- a/tests/cli-test-xml/compare/virt-xml-edit-simple-features.xml
+++ b/tests/cli-test-xml/compare/virt-xml-edit-simple-features.xml
@@ -1,5 +1,5 @@
- <boot dev="hd"/>
- </os>
+ <gid start="0" target="1000" count="10"/>
+ </idmap>
<features>
- <acpi/>
- <apic eoi="off"/>
diff --git a/tests/cli-test-xml/compare/virt-xml-edit-simple-metadata.xml b/tests/cli-test-xml/compare/virt-xml-edit-simple-metadata.xml
index 28817fc..25fc3c6 100644
--- a/tests/cli-test-xml/compare/virt-xml-edit-simple-metadata.xml
+++ b/tests/cli-test-xml/compare/virt-xml-edit-simple-metadata.xml
@@ -12,7 +12,7 @@
<memory unit="KiB">409600</memory>
<currentMemory unit="KiB">204800</currentMemory>
<blkiotune>
-@@ -321,4 +321,5 @@
+@@ -325,4 +325,5 @@
<address type="isa" iobase="0x505"/>
</panic>
</devices>
diff --git a/tests/cli-test-xml/compare/virt-xml-edit-simple-vcpus.xml b/tests/cli-test-xml/compare/virt-xml-edit-simple-vcpus.xml
index c5af43c..26333d0 100644
--- a/tests/cli-test-xml/compare/virt-xml-edit-simple-vcpus.xml
+++ b/tests/cli-test-xml/compare/virt-xml-edit-simple-vcpus.xml
@@ -6,7 +6,7 @@
<numatune>
<memory mode="interleave" placement="auto"/>
</numatune>
-@@ -50,6 +50,7 @@
+@@ -54,6 +54,7 @@
<feature policy="require" name="ds_cpl"/>
<feature policy="require" name="xtpr"/>
<feature policy="require" name="acpi"/>
diff --git a/tests/cli-test-xml/compare/virt-xml-remove-disk-path.xml b/tests/cli-test-xml/compare/virt-xml-remove-disk-path.xml
index 831e0dc..b0b0b95 100644
--- a/tests/cli-test-xml/compare/virt-xml-remove-disk-path.xml
+++ b/tests/cli-test-xml/compare/virt-xml-remove-disk-path.xml
@@ -9,7 +9,7 @@
<disk type="dir" device="floppy">
<source dir="/tmp"/>
<target dev="fdb" bus="fdc"/>
-@@ -88,12 +83,6 @@
+@@ -92,12 +87,6 @@
<target dev="hdb" bus="ide"/>
<readonly/>
<address type="drive" controller="0" bus="0" target="0" unit="1"/>
diff --git a/tests/clitest.py b/tests/clitest.py
index 0d3cf50..7f575e4 100644
--- a/tests/clitest.py
+++ b/tests/clitest.py
@@ -460,6 +460,7 @@ c.add_valid("--cpu foobar,+x2apic,+x2apicagain,-distest,forbid=foo,forbid=bar,di
c.add_valid("--numatune 1,2,3,5-7,^6") # Simple --numatune
c.add_valid("--numatune 1-3,4,mode=strict") # More complex, parser should do the right thing here
c.add_valid("--blkiotune weight=100,device_path=/home/test/1.img,device_weight=200") # --blkiotune
+c.add_valid("--userns user_start=0,user_target=1000,user_count=10,grp_start=0,grp_target=1000,grp_count=10") # --userns
c.add_compare("--connect %(DEFAULTURI)s --cpuset auto --vcpus 2", "cpuset-auto") # --cpuset=auto actually works
c.add_invalid("--vcpus 32 --cpuset=969-1000") # Bogus cpuset
c.add_invalid("--vcpus 32 --cpuset=autofoo") # Bogus cpuset
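Review bot: The only coverage added is one fully specified, well-formed `--userns` invocation, so the new parser is never checked for rejecting a partial mapping and the generated `<idmap>` XML is never compared against a fixture. A regression that renames an attribute or silently drops the gid side would pass this test. Once the parser rejects incomplete mappings, add a negative case such as `c.add_invalid("--userns user_start=0,user_target=1000")  # uid mapping without count`, and an `add_compare` entry with a `userns` compare file so the emitted `<uid>`/`<gid>` elements are pinned.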
diff --git a/tests/testdriver.xml b/tests/testdriver.xml
index 762f0ae..8dec2b9 100644
--- a/tests/testdriver.xml
+++ b/tests/testdriver.xml
@@ -74,6 +74,10 @@
<loader>/usr/lib/xen/boot/hvmloader</loader>
<boot dev='hd'/>
</os>
+ <idmap>
+ <uid start='0' target='1000' count='10'/>
+ <gid start='0' target='1000' count='10'/>
+ </idmap>
<description>Foo bar baz &
yeah boii < > yeahfoo
</description>
diff --git a/tests/xmlparse-xml/change-guest-out.xml b/tests/xmlparse-xml/change-guest-out.xml
index ec861ec..2996ba3 100644
--- a/tests/xmlparse-xml/change-guest-out.xml
+++ b/tests/xmlparse-xml/change-guest-out.xml
@@ -89,4 +89,8 @@
</device>
</blkiotune>
<bootloader>pygrub</bootloader>
+ <idmap>
+ <uid start="0" target="1000" count="10"/>
+ <gid start="0" target="1000" count="10"/>
+ </idmap>
</domain>
diff --git a/tests/xmlparse.py b/tests/xmlparse.py
index 834afa8..6ae3d22 100644
--- a/tests/xmlparse.py
+++ b/tests/xmlparse.py
@@ -197,6 +197,14 @@ class XMLParseTest(unittest.TestCase):
check("device_weight", None, 300)
check("device_path", None, "/home/1.img")
+ check = self._make_checker(guest.userns)
+ check("user_start", None, 0)
+ check("user_target", None, 1000)
+ check("user_count", None, 10)
+ check("grp_start", None, 0)
+ check("grp_target", None, 1000)
+ check("grp_count", None, 10)
+
check = self._make_checker(guest.get_devices("memballoon")[0])
check("model", "virtio", "none")
diff --git a/virt-convert b/virt-convert
index 98cb6fb..f40aceb 100755
--- a/virt-convert
+++ b/virt-convert
@@ -44,7 +44,7 @@ from virtconv import VirtConverter
#####################
def parse_args():
- desc =_(
+ desc = _(
"Convert an OVF or VMX appliance to native libvirt XML, and run "
"the guest.\nThe VM contents are not altered. Disk images are "
"copied to the hypervisor\ndefault storage location.\n\n"
diff --git a/virt-install b/virt-install
index 2a24d41..50a733d 100755
--- a/virt-install
+++ b/virt-install
@@ -768,6 +768,7 @@ def parse_args():
cli.add_distro_options(insg)
cli.add_boot_option(insg)
insg.add_argument("--init", help=argparse.SUPPRESS)
+ cli.add_user_namespace_option(insg)
stog = parser.add_argument_group(_("Storage Configuration"))
cli.add_disk_option(stog)
diff --git a/virt-xml b/virt-xml
index 8ca0fc4..32bbb80 100755
--- a/virt-xml
+++ b/virt-xml
@@ -350,6 +350,7 @@ def parse_args():
cli.vcpu_cli_options(g, editexample=True)
cli.add_guest_xml_options(g)
cli.add_boot_option(g)
+ cli.add_user_namespace_option(g)
cli.add_fs_option(g)
cli.add_device_options(g)
diff --git a/virtinst/__init__.py b/virtinst/__init__.py
index b9186e0..f1ad552 100644
--- a/virtinst/__init__.py
+++ b/virtinst/__init__.py
@@ -31,6 +31,7 @@ from virtinst.clock import Clock
from virtinst.cpu import CPU, CPUFeature
from virtinst.seclabel import Seclabel
from virtinst.pm import PM
+from virtinst.userns import UserNamespace
import virtinst.capabilities as CapabilitiesParser
from virtinst.interface import Interface, InterfaceProtocol
diff --git a/virtinst/cli.py b/virtinst/cli.py
index 6b0c12a..1f8f687 100644
--- a/virtinst/cli.py
+++ b/virtinst/cli.py
@@ -802,6 +802,13 @@ def add_disk_option(stog, editexample=False):
"--disk=?") + editmsg)
+def add_user_namespace_option(insg):
+ insg.add_argument("--userns",
+ help=_("Enable user namespace for LXC container. Ex.\n"
+ "--userns user=0,1000,10\n"
+ "--userns grp=0,1000,10"))
+
+
#############################################
# CLI complex parsing helpers #
# (for options like --disk, --network, etc. #
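Review bot: The help text in add_user_namespace_option advertises a shorthand, `--userns user=0,1000,10` / `--userns grp=0,1000,10`, that ParserUserns later in this patch does not implement; the parser only accepts `user_start=`, `user_target=`, `user_count=` and `grp_start=`, `grp_target=`, `grp_count=`, which is also what the man page and tests/clitest.py use. Either implement the shorthand or make the help match, e.g. `help=_("Enable user namespace for LXC container. Ex.\n--userns user_start=0,user_target=1000,user_count=10,grp_start=0,grp_target=1000,grp_count=10")`. The man page hunk has the same consistency problem in the other direction, spelling the option `--usens` and `-userns=?` in its examples. Note also that argparse's default formatter reflows help text, so the embedded newlines only produce separate lines if this parser uses a raw-text formatter, which the hunk does not show.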
@@ -1400,6 +1407,23 @@ class ParserBoot(VirtCLIParser):
######################
+# --userns parsing #
+######################
+
+class ParserUserns(VirtCLIParser):
+ def _init_params(self):
+ self.clear_attr = "userns"
+
+ self.set_param("userns.user_start", "user_start")
+ self.set_param("userns.user_target", "user_target")
+ self.set_param("userns.user_count", "user_count")
+
+ self.set_param("userns.grp_start", "grp_start")
+ self.set_param("userns.grp_target", "grp_target")
+ self.set_param("userns.grp_count", "grp_count")
+
+
+######################
# --security parsing #
######################
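Review bot: ParserUserns sets each of the six sub-options independently, so `--userns user_start=0` on its own produces a `<uid start="0"/>` with no target or count, and a uid mapping can be given without any gid mapping; presumably libvirt rejects such XML at define time, but the user then sees an XML schema error rather than a CLI message naming the missing sub-option. Since the man page text in this patch presents this mapping as the prerequisite for container isolation, the parser should validate the mapping as a unit: after the params are applied, if any of user_start/user_target/user_count is set require all three, and likewise for grp_start/grp_target/grp_count, raising a ValueError that names the missing keys. The hook to do that depends on VirtCLIParser internals outside this hunk (a post-parse method or the param callback form), so the exact placement should follow whatever ParserBoot or ParserDisk already use. A short class docstring, `"""Parse --userns sub-options into Guest.userns (the <idmap> element)."""`, would also help, as the other parsers in this file are at least introduced by their section banner.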
@@ -2129,6 +2153,7 @@ def build_parser_map(options, skip=None, only=None):
register_parser("cpu", ParserCPU)
register_parser("numatune", ParserNumatune)
register_parser("blkiotune", ParserBlkiotune)
+ register_parser("userns", ParserUserns)
register_parser("boot", ParserBoot)
register_parser("security", ParserSecurity)
register_parser("features", ParserFeatures)
diff --git a/virtinst/guest.py b/virtinst/guest.py
index d55c2a0..8affbb8 100644
--- a/virtinst/guest.py
+++ b/virtinst/guest.py
@@ -38,6 +38,7 @@ from virtinst import DomainNumatune
from virtinst import DomainBlkiotune
from virtinst import DomainFeatures
from virtinst import PM
+from virtinst import UserNamespace
from virtinst.xmlbuilder import XMLBuilder, XMLProperty, XMLChildProperty
from virtinst import osdict
@@ -91,8 +92,8 @@ class Guest(XMLBuilder):
_XML_ROOT_NAME = "domain"
_XML_PROP_ORDER = ["type", "name", "uuid", "title", "description",
"maxmemory", "memory", "hugepage", "vcpus", "curvcpus",
- "numatune", "blkiotune", "bootloader", "os", "features", "cpu", "clock",
- "on_poweroff", "on_reboot", "on_crash", "pm", "emulator", "_devices",
+ "numatune", "blkiotune", "bootloader", "os", "userns", "features", "cpu",
+ "clock", "on_poweroff", "on_reboot", "on_crash", "pm", "emulator", "_devices",
"seclabel"]
def __init__(self, *args, **kwargs):
@@ -191,6 +192,7 @@ class Guest(XMLBuilder):
numatune = XMLChildProperty(DomainNumatune, is_single=True)
pm = XMLChildProperty(PM, is_single=True)
blkiotune = XMLChildProperty(DomainBlkiotune, is_single=True)
+ userns = XMLChildProperty(UserNamespace, is_single=True)
###############################
diff --git a/virtinst/userns.py b/virtinst/userns.py
new file mode 100644
index 0000000..14e44a0
--- /dev/null
+++ b/virtinst/userns.py
@@ -0,0 +1,37 @@
+#
+# Copyright 2014 Fujitsu Limited.
+# Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+# MA 02110-1301 USA.
+
+from virtinst.xmlbuilder import XMLBuilder, XMLProperty
+
+
+class UserNamespace(XMLBuilder):
+ """
+ Class for generating user namespace related XML
+ """
+ _XML_ROOT_NAME = "idmap"
+ _XML_PROP_ORDER = ["user_start", "user_target", "user_count",
+ "grp_start", "grp_target", "grp_count"]
+
+ user_start = XMLProperty("./uid/@start", is_int=True)
+ user_target = XMLProperty("./uid/@target", is_int=True)
+ user_count = XMLProperty("./uid/@count", is_int=True)
+
+ grp_start = XMLProperty("./gid/@start", is_int=True)
+ grp_target = XMLProperty("./gid/@target", is_int=True)
+ grp_count = XMLProperty("./gid/@count", is_int=True)
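Review bot: The XMLProperty declarations accept any integer, so negative values or a zero count reach the XML unchecked, and nothing in the class documents what start/target/count mean or that, per the man page hunk in this patch, declaring a mapping is what turns the user namespace on. Expand the class docstring to something like: "Generate the libvirt <idmap> element. The <uid>/<gid> children map `count` ids starting at `start` inside the container onto host ids starting at `target`; when the guest declares such a mapping libvirt enables the user namespace, so a mapping whose target is the host's own privileged range provides no isolation." If this version of xmlbuilder's XMLProperty supports a validation callback, rejecting values below zero and a count below one on these six properties would fail a bad mapping at the CLI instead of at define time. As a point of style, `grp_*` alongside `user_*` is an odd pairing; `uid_*`/`gid_*` would mirror the element names, though renaming now touches cli.py and the tests as well.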
--
1.8.4.2