登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 43

gaohuatao / lxc

forked from src-openEuler / lxc 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
0026-Supporting-UID-GID-configuration.patch 8.25 KB
一键复制 编辑 原始数据 按行查看 历史
lifeng_isula 提交于 2020-04-23 11:50 . lxc: update lxc to 4.0.1
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306
From 61bfa0ce515288897b93640507e48f09f0d78010 Mon Sep 17 00:00:00 2001

From: wujing <wujing50@huawei.com>

Date: Tue, 14 Apr 2020 23:17:04 -0400

Subject: [PATCH 26/49] Supporting UID GID configuration



Signed-off-by: wujing <wujing50@huawei.com>

---

 src/lxc/attach.c           | 16 ++++++++

 src/lxc/conf.c             | 19 ++++++++-

 src/lxc/conf.h             |  4 ++

 src/lxc/start.c            |  8 ++++

 src/lxc/tools/lxc_attach.c | 99 +++++++++++++++++++++++++++++++++++++++++++---

 5 files changed, 139 insertions(+), 7 deletions(-)



diff --git a/src/lxc/attach.c b/src/lxc/attach.c

index 33946bb..c77b929 100644

--- a/src/lxc/attach.c

+++ b/src/lxc/attach.c

@@ -749,8 +749,10 @@ static int attach_child_main(struct attach_clone_payload *payload)

 			goto on_error;

 	}

 

+#ifndef HAVE_ISULAD

 	if (!lxc_setgroups(0, NULL) && errno != EPERM)

 		goto on_error;

+#endif

 

 	if (options->namespaces & CLONE_NEWUSER) {

 		/* Check whether nsuid 0 has a mapping. */

@@ -892,6 +894,12 @@ static int attach_child_main(struct attach_clone_payload *payload)

 	if (new_gid == ns_root_gid)

 		new_gid = LXC_INVALID_GID;

 

+#ifdef HAVE_ISULAD

+	if (!lxc_setgroups(init_ctx->container->lxc_conf->init_groups_len,

+			init_ctx->container->lxc_conf->init_groups))

+		goto on_error;

+#endif

+

 	/* Make sure that the processes STDIO is correctly owned by the user that we are switching to */

 	ret = fix_stdio_permissions(new_uid);

 	if (ret)

@@ -1058,6 +1066,14 @@ int lxc_attach(struct lxc_container *container, lxc_attach_exec_t exec_function,

 	}

 	conf = init_ctx->container->lxc_conf;

 

+#ifdef HAVE_ISULAD

+	// always switch uid and gid for attach

+	if (options->uid == -1)

+		options->uid = init_ctx->container->lxc_conf->init_uid;

+	if (options->gid == -1)

+		options->gid = init_ctx->container->lxc_conf->init_gid;

+#endif

+

 	if (!fetch_seccomp(init_ctx->container, options))

 		WARN("Failed to get seccomp policy");

 

diff --git a/src/lxc/conf.c b/src/lxc/conf.c

index 71fd6f9..43ef067 100644

--- a/src/lxc/conf.c

+++ b/src/lxc/conf.c

@@ -5100,6 +5100,7 @@ void lxc_conf_free(struct lxc_conf *conf)

 		close(conf->exit_fd);

 	}

 	lxc_clear_init_args(conf);

+	lxc_clear_init_groups(conf);

 	lxc_clear_populate_devices(conf);

 	lxc_clear_rootfs_masked_paths(conf);

 	lxc_clear_rootfs_ro_paths(conf);

@@ -5919,11 +5920,25 @@ struct lxc_list *sort_cgroup_settings(struct lxc_list *cgroup_settings)

 /*isulad clear init args*/

 int lxc_clear_init_args(struct lxc_conf *lxc_conf)

 {

-	size_t i;

+	int i;

 

-	for (i = 0; i < lxc_conf->init_argc; i++)

+	for (i = 0; i < lxc_conf->init_argc; i++) {

 		free(lxc_conf->init_argv[i]);

+		lxc_conf->init_argv[i] = NULL;

+	}

 	free(lxc_conf->init_argv);

+	lxc_conf->init_argv = NULL;

+	lxc_conf->init_argc = 0;

+

+	return 0;

+}

+

+/*isulad clear init groups*/

+int lxc_clear_init_groups(struct lxc_conf *lxc_conf)

+{

+	free(lxc_conf->init_groups);

+	lxc_conf->init_groups = NULL;

+	lxc_conf->init_groups_len = 0;

 

 	return 0;

 }

diff --git a/src/lxc/conf.h b/src/lxc/conf.h

index 61c3383..879e427 100644

--- a/src/lxc/conf.h

+++ b/src/lxc/conf.h

@@ -451,6 +451,9 @@ struct lxc_conf {

 	char **init_argv;

 	size_t init_argc;

 

+	gid_t *init_groups;

+	size_t init_groups_len;

+

 	/* populate devices*/

 	struct lxc_list populate_devs;

 	mode_t umask;  //umask value

@@ -548,6 +551,7 @@ extern int parse_mntopts(const char *mntopts, unsigned long *mntflags,

 #ifdef HAVE_ISULAD

 // isulad add

 int lxc_clear_init_args(struct lxc_conf *lxc_conf);

+int lxc_clear_init_groups(struct lxc_conf *lxc_conf);

 int lxc_clear_populate_devices(struct lxc_conf *c);

 int lxc_clear_rootfs_masked_paths(struct lxc_conf *c);

 int lxc_clear_rootfs_ro_paths(struct lxc_conf *c);

diff --git a/src/lxc/start.c b/src/lxc/start.c

index 4f45776..e2311ec 100644

--- a/src/lxc/start.c

+++ b/src/lxc/start.c

@@ -1685,8 +1685,16 @@ static int do_start(void *data)

 		#if HAVE_LIBCAP

 		if (lxc_proc_cap_is_set(CAP_SETGID, CAP_EFFECTIVE))

 		#endif

+		#ifdef HAVE_ISULAD

+			/* isulad: set groups for init process, and before we set uid and gid */

+			if (!lxc_setgroups(handler->conf->init_groups_len, handler->conf->init_groups)) {

+				ERROR("Can not set groups");

+				goto out_warn_father;

+				}

+		#else

 			if (!lxc_setgroups(0, NULL))

 				goto out_warn_father;

+		#endif

 

 	if (!lxc_switch_uid_gid(new_uid, new_gid))

 		goto out_warn_father;

diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c

index 47ac2f2..b068c9a 100644

--- a/src/lxc/tools/lxc_attach.c

+++ b/src/lxc/tools/lxc_attach.c

@@ -72,9 +72,11 @@ static const struct option my_longopts[] = {

 	{"set-var", required_argument, 0, 'v'},

 	{"pty-log", required_argument, 0, 'L'},

 	{"rcfile", required_argument, 0, 'f'},

+#ifndef HAVE_ISULAD

 	{"uid", required_argument, 0, 'u'},

 	{"gid", required_argument, 0, 'g'},

-#ifdef HAVE_ISULAD

+#else

+	{"user", required_argument, 0, 'u'},

 	{"in-fifo", required_argument, 0, OPT_INPUT_FIFO}, /* isulad add terminal fifos*/

 	{"out-fifo", required_argument, 0, OPT_OUTPUT_FIFO},

 	{"err-fifo", required_argument, 0, OPT_STDERR_FIFO},

@@ -130,9 +132,18 @@ Options :\n\

                     multiple times.\n\

   -f, --rcfile=FILE\n\

                     Load configuration file FILE\n\

+"

+#ifndef HAVE_ISULAD

+"\

   -u, --uid=UID     Execute COMMAND with UID inside the container\n\

   -g, --gid=GID     Execute COMMAND with GID inside the container\n\

-",

+"

+#else

+"\

+  --user        User ID (format: UID[:GID])\n\

+"

+#endif

+,

 	.options      = my_longopts,

 	.parser       = my_parser,

 	.checker      = NULL,

@@ -142,6 +153,71 @@ Options :\n\

 	.gid          = LXC_INVALID_GID,

 };

 

+#ifdef HAVE_ISULAD

+static int parse_user_id(const char *username, char **uid, char **gid, char **tmp_dup)

+{

+	char *tmp = NULL;

+	char *pdot = NULL;

+

+	if (uid == NULL || gid == NULL || tmp_dup == NULL) {

+		return -1;

+	}

+

+	if (username != NULL) {

+		tmp = strdup(username);

+		if (tmp == NULL) {

+			ERROR("Failed to duplicate user name");

+			return -1;

+		}

+

+		// for free tmp in caller

+		*tmp_dup = tmp;

+		pdot = strstr(tmp, ":");

+		if (pdot != NULL) {

+			*pdot = '\0';

+			if (pdot != tmp) {

+				// uid found

+				*uid = tmp;

+			}

+

+			if (*(pdot + 1) != '\0') {

+				// gid found

+				*gid = pdot + 1;

+			}

+		} else {

+			// No : found

+			if (*tmp != '\0') {

+				*uid = tmp;

+			}

+		}

+	}

+

+	return 0;

+}

+

+static int get_attach_uid_gid(const char *username, uid_t *user_id, gid_t *group_id)

+{

+	char *tmp = NULL;

+	char *uid = NULL;

+	char *gid = NULL;

+

+	// parse uid and gid by username

+	if (parse_user_id(username, &uid, &gid, &tmp) != 0) {

+		return -1;

+	}

+

+	if (uid != NULL) {

+		*user_id = (unsigned int)atoll(uid);

+	}

+	if (gid != NULL) {

+		*group_id = (unsigned int)atoll(gid);

+	}

+

+	free(tmp);

+	return 0;

+}

+#endif

+

 static int my_parser(struct lxc_arguments *args, int c, char *arg)

 {

 	int ret;

@@ -199,6 +275,7 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg)

 	case 'f':

 		args->rcfile = arg;

 		break;

+#ifndef HAVE_ISULAD

 	case 'u':

 		if (lxc_safe_uint(arg, &args->uid) < 0)

 			return -1;

@@ -207,7 +284,13 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg)

 		if (lxc_safe_uint(arg, &args->gid) < 0)

 			return -1;

 		break;

-#ifdef HAVE_ISULAD

+#else

+	case 'u':

+		if (get_attach_uid_gid(arg, &args->uid, &args->gid) != 0) {

+			ERROR("Failed to get attach user U/GID");

+			return -1;

+		}

+		break;

 	case OPT_INPUT_FIFO:

 		args->terminal_fifos[0] = arg;

 		break;

@@ -286,7 +369,7 @@ static int lxc_attach_create_log_file(const char *log_file)

 

 #ifdef HAVE_ISULAD

 // isulad: send '128 + signal' if container is killed by signal.

-#define ExitSignalOffset 128

+#define EXIT_SIGNAL_OFFSET 128

 

 /*isulad: attach with terminal*/

 static int do_attach_foreground(struct lxc_container *c, lxc_attach_command_t *command,

@@ -316,7 +399,7 @@ static int do_attach_foreground(struct lxc_container *c, lxc_attach_command_t *c

 

 	if (WIFSIGNALED(ret)) {

 		signal = WTERMSIG(ret);

-		wexit = ExitSignalOffset + signal;

+		wexit = EXIT_SIGNAL_OFFSET + signal;

 	}

 out:

 	if (c->lxc_conf->errmsg)

@@ -515,6 +598,12 @@ int main(int argc, char *argv[])

 		}

 	}

 

+	if (my_args.uid != LXC_INVALID_UID)

+		attach_options.uid = my_args.uid;

+

+	if (my_args.gid != LXC_INVALID_GID)

+		attach_options.gid = my_args.gid;

+

 	attach_options.suffix = my_args.suffix;

 

 	/* isulad: add do attach background */

-- 

1.8.3.1
1
https://gitee.com/gaohuatao/lxc.git
git@gitee.com:gaohuatao/lxc.git
gaohuatao
lxc
lxc
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部