Skip to content

L
lxc
Unverified Commit 47e55887 by Christian Brauner
Options

lxccontainer: non-functional changes

Signed-off-by: 's avatarChristian Brauner <christian.brauner@ubuntu.com>
parent 7e34710e
Showing with 106 additions and 80 deletions
src/lxc/lxccontainer.c
......@@ -1220,15 +1220,19 @@ static struct lxc_storage *do_storage_create(struct lxc_container *c,
static char *lxcbasename(char *path)
{
char *p = path + strlen(path) - 1;
char *p;
p = path + strlen(path) - 1;
while (*p != '/' && p > path)
p--;
return p;
}
static bool create_run_template(struct lxc_container *c, char *tpath, bool need_null_stdfds,
char *const argv[])
static bool create_run_template(struct lxc_container *c, char *tpath,
bool need_null_stdfds, char *const argv[])
{
int ret;
pid_t pid;
if (!tpath)
......@@ -1241,42 +1245,53 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool need_
}
if (pid == 0) { /* child */
char *patharg, *namearg, *rootfsarg;
struct lxc_storage *bdev = NULL;
int i;
int ret, len, nargs = 0;
int i, len;
char *namearg, *patharg, *rootfsarg;
char **newargv;
int nargs = 0;
struct lxc_storage *bdev = NULL;
struct lxc_conf *conf = c->lxc_conf;
uid_t euid;
if (need_null_stdfds && null_stdfds() < 0) {
_exit(EXIT_FAILURE);
if (need_null_stdfds) {
ret = null_stdfds();
if (ret < 0)
_exit(EXIT_FAILURE);
}
bdev = storage_init(c->lxc_conf);
if (!bdev) {
ERROR("Error opening rootfs");
ERROR("Failed to initialize storage");
_exit(EXIT_FAILURE);
}
if (geteuid() == 0) {
if (unshare(CLONE_NEWNS) < 0) {
ERROR("error unsharing mounts");
euid = geteuid();
if (euid == 0) {
ret = unshare(CLONE_NEWNS);
if (ret < 0) {
ERROR("Failed to unshare CLONE_NEWNS");
_exit(EXIT_FAILURE);
}
if (detect_shared_rootfs()) {
if (mount(NULL, "/", NULL, MS_SLAVE|MS_REC, NULL)) {
SYSERROR("Failed to make / rslave to run template");
ret = detect_shared_rootfs();
if (ret == 1) {
ret = mount(NULL, "/", NULL, MS_SLAVE | MS_REC, NULL);
if (ret < 0) {
SYSERROR("Failed to make \"/\" rslave");
ERROR("Continuing...");
}
}
}
if (strcmp(bdev->type, "dir") && strcmp(bdev->type, "btrfs")) {
if (geteuid() != 0) {
ERROR("non-root users can only create btrfs and directory-backed containers");
if (strcmp(bdev->type, "dir") != 0 && strcmp(bdev->type, "btrfs") != 0) {
if (euid != 0) {
ERROR("Unprivileged users can only create "
"btrfs and directory-backed containers");
_exit(EXIT_FAILURE);
}
if (!strcmp(bdev->type, "overlay") || !strcmp(bdev->type, "overlayfs")) {
if (strcmp(bdev->type, "overlay") == 0 ||
strcmp(bdev->type, "overlayfs") == 0) {
/* If we create an overlay container we need to
* rsync the contents into
* <container-path>/<container-name>/rootfs.
......@@ -1308,7 +1323,8 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool need_
return -1;
}
} else {
if (bdev->ops->mount(bdev) < 0) {
ret = bdev->ops->mount(bdev);
if (ret < 0) {
ERROR("Failed to mount rootfs");
_exit(EXIT_FAILURE);
}
......@@ -1320,19 +1336,22 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool need_
bdev->dest = strdup(src);
}
/*
* create our new array, pre-pend the template name and
* base args
/* Create our new array, pre-pend the template name and base
* args.
*/
if (argv)
for (nargs = 0; argv[nargs]; nargs++) ;
nargs += 4; /* template, path, rootfs and name args */
for (nargs = 0; argv[nargs]; nargs++) {
;
}
/* template, path, rootfs and name args */
nargs += 4;
newargv = malloc(nargs * sizeof(*newargv));
if (!newargv)
_exit(EXIT_FAILURE);
newargv[0] = lxcbasename(tpath);
/* --path */
len = strlen(c->config_path) + strlen(c->name) + strlen("--path=") + 2;
patharg = malloc(len);
if (!patharg)
......@@ -1341,6 +1360,8 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool need_
if (ret < 0 || ret >= len)
_exit(EXIT_FAILURE);
newargv[1] = patharg;
/* --name */
len = strlen("--name=") + strlen(c->name) + 1;
namearg = malloc(len);
if (!namearg)
......@@ -1350,6 +1371,7 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool need_
_exit(EXIT_FAILURE);
newargv[2] = namearg;
/* --rootfs */
len = strlen("--rootfs=") + 1 + strlen(bdev->dest);
rootfsarg = malloc(len);
if (!rootfsarg)
......@@ -1362,7 +1384,7 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool need_
/* add passed-in args */
if (argv)
for (i = 4; i < nargs; i++)
newargv[i] = argv[i-4];
newargv[i] = argv[i - 4];
/* add trailing NULL */
nargs++;
......@@ -1371,25 +1393,23 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool need_
_exit(EXIT_FAILURE);
newargv[nargs - 1] = NULL;
/*
* If we're running the template in a mapped userns, then
* we prepend the template command with:
* lxc-usernsexec <-m map1> ... <-m mapn> --
* and we append "--mapped-uid x", where x is the mapped uid
* for our geteuid()
/* If we're running the template in a mapped userns, then we
* prepend the template command with: lxc-usernsexec <-m map1>
* ... <-m mapn> -- and we append "--mapped-uid x", where x is
* the mapped uid for our geteuid()
*/
if (!lxc_list_empty(&conf->id_map)) {
int n2args = 1;
char txtuid[20];
char txtgid[20];
char **n2 = malloc(n2args * sizeof(*n2));
int extraargs, hostuid_mapped, hostgid_mapped;
char **n2;
char txtuid[20], txtgid[20];
struct lxc_list *it;
struct id_map *map;
int n2args = 1;
if (!n2) {
SYSERROR("out of memory");
n2 = malloc(n2args * sizeof(*n2));
if (!n2)
_exit(EXIT_FAILURE);
}
newargv[0] = tpath;
tpath = "lxc-usernsexec";
n2[0] = "lxc-usernsexec";
......@@ -1399,96 +1419,102 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool need_
n2 = realloc(n2, n2args * sizeof(char *));
if (!n2)
_exit(EXIT_FAILURE);
n2[n2args-2] = "-m";
n2[n2args-1] = malloc(200);
if (!n2[n2args-1])
n2[n2args - 2] = "-m";
n2[n2args - 1] = malloc(200);
if (!n2[n2args - 1])
_exit(EXIT_FAILURE);
ret = snprintf(n2[n2args-1], 200, "%c:%lu:%lu:%lu",
map->idtype == ID_TYPE_UID ? 'u' : 'g',
map->nsid, map->hostid, map->range);
ret = snprintf(n2[n2args - 1], 200, "%c:%lu:%lu:%lu",
map->idtype == ID_TYPE_UID ? 'u' : 'g',
map->nsid, map->hostid, map->range);
if (ret < 0 || ret >= 200)
_exit(EXIT_FAILURE);
}
int hostid_mapped = mapped_hostid(geteuid(), conf, ID_TYPE_UID);
int extraargs = hostid_mapped >= 0 ? 1 : 3;
hostuid_mapped = mapped_hostid(geteuid(), conf, ID_TYPE_UID);
extraargs = hostuid_mapped >= 0 ? 1 : 3;
n2 = realloc(n2, (nargs + n2args + extraargs) * sizeof(char *));
if (!n2)
_exit(EXIT_FAILURE);
if (hostid_mapped < 0) {
hostid_mapped = find_unmapped_nsid(conf, ID_TYPE_UID);
if (hostuid_mapped < 0) {
hostuid_mapped = find_unmapped_nsid(conf, ID_TYPE_UID);
n2[n2args++] = "-m";
if (hostid_mapped < 0) {
ERROR("Could not find free uid to map");
if (hostuid_mapped < 0) {
ERROR("Failed to find free uid to map");
_exit(EXIT_FAILURE);
}
n2[n2args++] = malloc(200);
if (!n2[n2args-1]) {
if (!n2[n2args - 1]) {
SYSERROR("out of memory");
_exit(EXIT_FAILURE);
}
ret = snprintf(n2[n2args-1], 200, "u:%d:%d:1",
hostid_mapped, geteuid());
if (ret < 0 || ret >= 200) {
ERROR("string too long");
ret = snprintf(n2[n2args - 1], 200, "u:%d:%d:1",
hostuid_mapped, geteuid());
if (ret < 0 || ret >= 200)
_exit(EXIT_FAILURE);
}
}
int hostgid_mapped = mapped_hostid(getegid(), conf, ID_TYPE_GID);
hostgid_mapped = mapped_hostid(getegid(), conf, ID_TYPE_GID);
extraargs = hostgid_mapped >= 0 ? 1 : 3;
n2 = realloc(n2, (nargs + n2args + extraargs) * sizeof(char *));
if (!n2)
_exit(EXIT_FAILURE);
if (hostgid_mapped < 0) {
hostgid_mapped = find_unmapped_nsid(conf, ID_TYPE_GID);
n2[n2args++] = "-m";
if (hostgid_mapped < 0) {
ERROR("Could not find free uid to map");
ERROR("Failed to find free gid to map");
_exit(EXIT_FAILURE);
}
n2[n2args++] = malloc(200);
if (!n2[n2args-1]) {
if (!n2[n2args - 1]) {
SYSERROR("out of memory");
_exit(EXIT_FAILURE);
}
ret = snprintf(n2[n2args-1], 200, "g:%d:%d:1",
hostgid_mapped, getegid());
if (ret < 0 || ret >= 200) {
ERROR("string too long");
ret = snprintf(n2[n2args - 1], 200, "g:%d:%d:1",
hostgid_mapped, getegid());
if (ret < 0 || ret >= 200)
_exit(EXIT_FAILURE);
}
}
n2[n2args++] = "--";
for (i = 0; i < nargs; i++)
n2[i + n2args] = newargv[i];
n2args += nargs;
/* Finally add "--mapped-uid $uid" to tell template
* what to chown cached images to.
/* Finally add "--mapped-uid $uid" to tell template what
* to chown cached images to.
*/
n2args += 4;
n2 = realloc(n2, n2args * sizeof(char *));
if (!n2) {
SYSERROR("out of memory");
if (!n2)
_exit(EXIT_FAILURE);
}
/* note n2[n2args-1] is NULL */
n2[n2args-5] = "--mapped-uid";
snprintf(txtuid, 20, "%d", hostid_mapped);
n2[n2args-4] = txtuid;
n2[n2args-3] = "--mapped-gid";
n2[n2args - 5] = "--mapped-uid";
snprintf(txtuid, 20, "%d", hostuid_mapped);
n2[n2args - 4] = txtuid;
n2[n2args - 3] = "--mapped-gid";
snprintf(txtgid, 20, "%d", hostgid_mapped);
n2[n2args-2] = txtgid;
n2[n2args-1] = NULL;
n2[n2args - 2] = txtgid;
n2[n2args - 1] = NULL;
free(newargv);
newargv = n2;
}
/* execute */
execvp(tpath, newargv);
SYSERROR("Failed to execute template %s", tpath);
_exit(EXIT_FAILURE);
}
if (wait_for_pid(pid) != 0) {
ERROR("container creation template for %s failed", c->name);
ret = wait_for_pid(pid);
if (ret != 0) {
ERROR("Failed to create container from template");
return false;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment