add lxc-user-nic

It is meant to be run setuid-root to allow unprivileged users to tunnel veths from a host bridge to their containers. The program looks at /etc/lxc/lxc-usernet which has entries of the form user type bridge number The type currently must be veth. Whenver lxc-user-nic creates a nic for a user, it records it in /var/lib/lxc/nics (better location is needed). That way when a container dies lxc-user-nic can cull the dead nic from the list. The -DISTEST allows lxc-user-nic to be compiled so that it uses files under /tmp and doesn't actually create the nic, so that unprivileged users can compile and test the code. lxc-test-usernic is a script which runs a few tests using lxc-usernic-test, which is a version of lxc-user-nic compiled with -DISTEST. The next step, after issues with this code are raised and addressed, is to have lxc-start, when running unprivileged, call out to lxc-user-nic (will have to exec so that setuid-root is honored). On top of my previous unprivileged-creation patchset, that should allow unprivileged users to create and start useful containers. Also update .gitignore. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

add lxc-user-nic
20ab58c7 · Serge Hallyn · 3fb18be9 · 20ab58c7 · 20ab58c7 · 20ab58c7
Commit 20ab58c7 authored Aug 09, 2013 by Serge Hallyn
6 changed files
--- a/.gitignore
+++ b/.gitignore
@@ -67,6 +67,7 @@ src/lxc/lxc-unshare
 src/lxc/lxc-version
 src/lxc/lxc-wait
 src/lxc/legacy/lxc-ls
+src/lxc/lxc-user-nic

 src/python-lxc/build/
 src/python-lxc/lxc/__pycache__/
@@ -84,6 +85,7 @@ src/tests/lxc-test-lxcpath
 src/tests/lxc-test-saveconfig
 src/tests/lxc-test-shutdowntest
 src/tests/lxc-test-startone
+src/tests/lxc-usernic-test

 config/compile
 config/config.guess
@@ -110,3 +112,5 @@ src/stamp-h1

 .pc
 patches
+*.orig
+*.rej
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -165,7 +165,8 @@ bin_PROGRAMS = \
 	lxc-kill \
 	lxc-config \
 	lxc-destroy \
-	lxc-create
+	lxc-create \
+	lxc-user-nic

 if HAVE_NEWUIDMAP
 bin_PROGRAMS += lxc-usernsexec
@@ -202,6 +203,7 @@ lxc_wait_SOURCES = lxc_wait.c
 lxc_kill_SOURCES = lxc_kill.c
 lxc_create_SOURCES = lxc_create.c
 lxc_usernsexec_SOURCES = lxc_usernsexec.c
+lxc_user_nic_SOURCES = lxc_user_nic.c

 install-exec-local: install-soPROGRAMS
 	mkdir -p $(DESTDIR)$(datadir)/lxc

--- a/src/lxc/lxc_clone.c
+++ b/src/lxc/lxc_clone.c
+/*
+ *
+ * Copyright © 2013 Serge Hallyn <serge.hallyn@ubuntu.com>.
+ * Copyright © 2013 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
 #include <unistd.h>
 #include <getopt.h>
 #include <signal.h>

--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -15,6 +15,8 @@ lxc_test_lxcpath_SOURCES = lxcpath.c
 lxc_test_cgpath_SOURCES = cgpath.c
 lxc_test_clonetest_SOURCES = clonetest.c
 lxc_test_console_SOURCES = console.c
+lxc_usernic_test_SOURCES = ../lxc/lxc_user_nic.c ../lxc/nl.c
+lxc_usernic_test_CFLAGS = -DISTEST

 AM_CFLAGS=-I$(top_srcdir)/src \
 	-DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \
@@ -26,7 +28,9 @@ AM_CFLAGS=-I$(top_srcdir)/src \
 bin_PROGRAMS = lxc-test-containertests lxc-test-locktests lxc-test-startone \
 	lxc-test-destroytest lxc-test-saveconfig lxc-test-createtest \
 	lxc-test-shutdowntest lxc-test-get_item lxc-test-getkeys lxc-test-lxcpath \
-	lxc-test-cgpath lxc-test-clonetest lxc-test-console
+	lxc-test-cgpath lxc-test-clonetest lxc-test-console lxc-usernic-test
+
+bin_SCRIPTS = lxc-test-usernic

 endif


--- a/src/tests/lxc-test-usernic
+++ b/src/tests/lxc-test-usernic
+#!/bin/bash
+
+# lxc: linux Container library
+
+# Authors:
+# Serge Hallyn <serge.hallyn@ubuntu.com>
+#
+# This is a test script for the lxc-user-nic program
+
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+conffile="/tmp/lxc-usernet"
+dbfile="/tmp/nics"
+sysfsdir=/tmp/lxcnettest
+
+rm -f $conffile $dbfile
+
+rm -rf $sysfsdir
+mkdir -p $sysfsdir
+
+# there is no conffile, so we have no permissions
+lxc-usernic-test 1111 veth lxcbr0 > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+	echo "Fail: empty conffile should not allow me a nic"
+	exit 1
+fi
+
+cat > $conffile << EOF
+$(id -un) veth lxcbr0 1
+EOF
+
+# Should be allowed one but not two
+lxc-usernic-test 1111 veth lxcbr0 > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+	echo "Failed to get one allowed nic"
+	exit 1
+fi
+
+lxc-usernic-test 1111 veth lxcbr0 > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+	echo "Fail: was able to get a second nic"
+	exit 1
+fi
+
+# now remove the 'existing nic' and make sure we're allowed to create
+# a new one
+lxc-usernic-test 1111 veth lxcbr0 > /dev/null 2>&1
+rm -rf $sysfsdir
+mkdir -p $sysfsdir
+if [ $? -ne 0 ]; then
+	echo "Fail: was unable to get a replacement nic"
+	exit 1
+fi
+
+echo "All tests passed"