[virt-tools-list] [virt-manager PATCH] virt-install: add support for user namespace
Cole Robinson
crobinso at redhat.com
Sun Feb 9 13:56:42 UTC 2014
On 02/08/2014 12:16 PM, Chen Hanxiao wrote:
> From: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
>
> This patch will enable configuring user namespace
> for LXC containers, etc.
>
Some comments below
> Signed-off-by: Chen Hanxiao <chenhanxiao at cn.fujitsu.com>
> ---
> man/virt-install.pod | 14 ++++++++
> .../compare/virt-xml-edit-clear-clock.xml | 2 +-
> .../compare/virt-xml-edit-clear-cpu.xml | 2 +-
> .../compare/virt-xml-edit-simple-boot.xml | 4 +--
> .../compare/virt-xml-edit-simple-cpu.xml | 2 +-
> .../compare/virt-xml-edit-simple-features.xml | 4 +--
> .../compare/virt-xml-edit-simple-metadata.xml | 2 +-
> .../compare/virt-xml-edit-simple-vcpus.xml | 2 +-
> .../compare/virt-xml-remove-disk-path.xml | 2 +-
> tests/clitest.py | 1 +
> tests/testdriver.xml | 4 +++
> tests/xmlparse-xml/change-guest-out.xml | 4 +++
> tests/xmlparse.py | 8 +++++
> virt-convert | 2 +-
> virt-install | 1 +
> virt-xml | 1 +
> virtinst/__init__.py | 1 +
> virtinst/cli.py | 25 +++++++++++++++
> virtinst/guest.py | 6 ++--
> virtinst/userns.py | 37 ++++++++++++++++++++++
> 20 files changed, 111 insertions(+), 13 deletions(-)
> create mode 100644 virtinst/userns.py
>
> diff --git a/man/virt-install.pod b/man/virt-install.pod
> index ff08d72..46039ac 100644
> --- a/man/virt-install.pod
> +++ b/man/virt-install.pod
> @@ -442,6 +442,20 @@ will default to /bin/sh.
>
> Use --boot=? to see a list of all available sub options. Complete details at L<http://libvirt.org/formatdomain.html#elementsOS>
>
> +=item --userns=USERNSOPTS
> +
I'd prefer to have this option just map to the libvirt XML name. So --idmap,
uid_* and gid_*. Same with the UserNamespace object and its members.
> +If the guest configuration declares a UID or GID mapping,
> +the 'user' namespace will be enabled to apply these.
> +A suitably configured UID/GID mapping is a pre-requisite to
> +make containers secure, in the absence of sVirt confinement.
> +
> +--usens can be sepicified to enable user namespace for LXC containers
> +
--userns can be specified
> +Example:
> + --userns user_start=0,user_target=1000,user_count=10,grp_start=0,grp_target=1000,grp_count=10
> +
> +Use -userns=? to see a list of all available sub options. Complete details at L<http://libvirt.org/formatdomain.html#elementsOSContainer>
> +
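Review bot: the new --userns documentation does not say which sub options are required, and the example (user_start/user_target/user_count, grp_start/grp_target/grp_count) is the only place the six names appear; state that start, target and count must all be given for each of the uid and gid mappings, and what happens if only one of the two mappings is supplied. The sentence "A suitably configured UID/GID mapping is a pre-requisite to make containers secure" should also say what "suitably configured" means, at minimum that a target of 0 maps the container's ids back onto the host's root range and gives no isolation, since that is the exact mistake this option exists to prevent. Same paragraph: "--usens can be sepicified" should read "--userns can be specified".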
Missing a -, should be --userns=?
Also if you wanted to add a libvirt patch, the docs there have a few minor errors:
- needs a space after the comma
- capitalize The at beginning of second sentence
- capitalize 'id'
- container being allowed -> container are allowed
- Cole
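The thread argues over the sub-option names and their mapping to libvirt's idmap XML. The following is an added example, not virt-manager's code and not from either participant: it parses a sub-option string using the libvirt-derived names Cole asks for (uid_start, uid_target, uid_count, gid_start, gid_target, gid_count), renders the libvirt <idmap> element, and flags the configuration the documentation should warn about, a mapping whose target range includes host id 0. The function names, the requirement that all three fields be present per mapping, and the rejection of count=0 are this example's own assumptions; the libvirt element and attribute names are those documented under elementsOSContainer.

```python
import xml.etree.ElementTree as ET

# Field names mirror the libvirt <idmap><uid start= target= count=/> attributes.
# Requiring all three per mapping is an assumption of this example.
REQUIRED = ("start", "target", "count")


def parse_idmap(optstr):
    """Parse 'uid_start=0,uid_target=1000,uid_count=10,gid_...' into
    {'uid': {'start': 0, 'target': 1000, 'count': 10}, 'gid': {...}}."""
    spec = {}
    for item in optstr.split(","):
        if not item:
            continue
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError("expected key=value, got %r" % item)
        kind, _, field = key.partition("_")
        if kind not in ("uid", "gid") or field not in REQUIRED:
            raise ValueError("unknown sub option %r" % key)
        try:
            num = int(val)
        except ValueError:
            raise ValueError("%s must be an integer, got %r" % (key, val))
        if num < 0:
            raise ValueError("%s must be non-negative" % key)
        spec.setdefault(kind, {})[field] = num

    for kind, fields in spec.items():
        missing = [f for f in REQUIRED if f not in fields]
        if missing:
            raise ValueError("%s mapping is missing %s" % (kind, ", ".join(missing)))
        if fields["count"] == 0:
            raise ValueError("%s_count must be greater than zero" % kind)
    return spec


def maps_host_root(spec):
    """True if any mapping places container ids onto host id 0.

    With target >= 0 and count > 0 the host range [target, target+count)
    contains 0 exactly when target == 0, i.e. container root is host root
    and the namespace adds no isolation."""
    return any(fields["target"] == 0 for fields in spec.values())


def idmap_xml(spec):
    """Render the libvirt <idmap> element for the parsed mappings."""
    root = ET.Element("idmap")
    for kind in ("uid", "gid"):
        if kind in spec:
            f = spec[kind]
            ET.SubElement(root, kind, start=str(f["start"]),
                          target=str(f["target"]), count=str(f["count"]))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample input: the mapping from the patch's man page example,
    # spelled with the uid_/gid_ names.
    sample = ("uid_start=0,uid_target=1000,uid_count=10,"
              "gid_start=0,gid_target=1000,gid_count=10")
    parsed = parse_idmap(sample)
    print(idmap_xml(parsed))
    print("maps host root:", maps_host_root(parsed))
    # A mapping that looks complete but is unsafe: container root is host root.
    unsafe = parse_idmap("uid_start=0,uid_target=0,uid_count=65536,"
                         "gid_start=0,gid_target=0,gid_count=65536")
    print("maps host root:", maps_host_root(unsafe))
```

The check in maps_host_root is the one the man page text leaves implicit: a mapping is only "suitably configured" if no container id lands on host uid/gid 0.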