The underscore in gnt-instance.rst is treated as a special character and caused an error during more extensive documentation-generation testing.
Interdiff: diff --git a/man/gnt-instance.rst b/man/gnt-instance.rst index eededb8..a4de384 100644 --- a/man/gnt-instance.rst +++ b/man/gnt-instance.rst @@ -909,7 +909,7 @@ lxc\_drop\_capabilities Each value of this option must be in the same form as the lxc.cap.drop configuration parameter of **lxc.container.conf**\(5). It is the lower case of the capability - name without the "CAP_" prefix (e.g., "sys_module,sys_time"). + name without the "CAP\_" prefix (e.g., "sys_module,sys_time"). See **capabilities**\(7) for more details about Linux capabilities. Note that some capabilities are required by the LXC container (see: **lxc.container.conf**\(5)). As the change is minor, I will include it prior to pushing. On Mon, Sep 1, 2014 at 6:37 PM, Hrvoje Ribicic <r...@google.com> wrote: > LGTM, thanks > > > > On Wed, Aug 27, 2014 at 10:17 PM, Yuto KAWAMURA(kawamuray) < > kawamuray.dad...@gmail.com> wrote: > >> This patch adds the new hvparam "lxc_drop_capabilities" to the LXC >> hypervisor. >> This parameter specifies the list of capabilities which should be >> dropped for the LXC container. >> The default value of this parameter was hardcoded, but making this >> parameter a hvparam improves user customizability. >> >> Signed-off-by: Yuto KAWAMURA(kawamuray) <kawamuray.dad...@gmail.com> >> --- >> lib/hypervisor/hv_lxc.py | 24 +++++++++++++++--------- >> man/gnt-instance.rst | 17 +++++++++++++++++ >> src/Ganeti/Constants.hs | 18 +++++++++++++++--- >> 3 files changed, 47 insertions(+), 12 deletions(-) >> >> diff --git a/lib/hypervisor/hv_lxc.py b/lib/hypervisor/hv_lxc.py >> index 7293659..dfd47e6 100644 >> --- a/lib/hypervisor/hv_lxc.py >> +++ b/lib/hypervisor/hv_lxc.py 
>> @@ -81,14 +81,6 @@ class LXCHypervisor(hv_base.BaseHypervisor): >> "c 5:2", # /dev/ptmx >> "c 136:*", # first block of Unix98 PTY slaves >> ] >> - _DENIED_CAPABILITIES = [ >> - "mac_override", # Allow MAC configuration or state changes >> - # TODO: remove sys_admin too, for safety >> - #"sys_admin", # Perform a range of system administration >> operations >> - "sys_boot", # Use reboot(2) and kexec_load(2) >> - "sys_module", # Load and unload kernel modules >> - "sys_time", # Set system clock, set real-time (hardware) >> clock >> - ] >> _DIR_MODE = 0755 >> _UNIQ_SUFFIX = ".conf" >> _STASH_KEY_ALLOCATED_LOOP_DEV = "allocated_loopdev" >> @@ -96,6 +88,7 @@ class LXCHypervisor(hv_base.BaseHypervisor): >> PARAMETERS = { >> constants.HV_CPU_MASK: hv_base.OPT_CPU_MASK_CHECK, >> constants.HV_LXC_CGROUP_USE: hv_base.NO_CHECK, >> + constants.HV_LXC_DROP_CAPABILITIES: hv_base.NO_CHECK, >> constants.HV_LXC_STARTUP_WAIT: hv_base.OPT_NONNEGATIVE_INT_CHECK, >> } >> >> @@ -413,6 +406,19 @@ class LXCHypervisor(hv_base.BaseHypervisor): >> data.append(info) >> return data >> >> + @classmethod >> + def _GetInstanceDropCapabilities(cls, hvparams): >> + """Get and parse the drop capabilities list from the instance >> hvparams. >> + >> + @type hvparams: dict of strings >> + @param hvparams: instance hvparams >> + @rtype list(string) >> + @return list of drop capabilities >> + >> + """ >> + drop_caps = hvparams[constants.HV_LXC_DROP_CAPABILITIES] >> + return drop_caps.split(",") >> + >> def _CreateConfigFile(self, instance, sda_dev_path): >> """Create an lxc.conf file for an instance. >> >> @@ -486,7 +492,7 @@ class LXCHypervisor(hv_base.BaseHypervisor): >> out.append("lxc.network.flags = up") >> >> # Capabilities >> - for cap in self._DENIED_CAPABILITIES: >> + for cap in self._GetInstanceDropCapabilities(instance.hvparams): >> out.append("lxc.cap.drop = %s" % cap) >> >> return "\n".join(out) + "\n" 
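Review bot: `constants.HV_LXC_DROP_CAPABILITIES: hv_base.NO_CHECK` in the PARAMETERS hunk accepts any string, and `_GetInstanceDropCapabilities` in the following hunk then does a bare `drop_caps.split(",")`, so an empty value or a trailing comma produces `""` entries and `_CreateConfigFile` writes a bare `lxc.cap.drop = ` line, while whitespace around names is passed through untouched. Because this parameter decides which privileges the container keeps, a malformed entry that LXC ignores would leave the container holding more capabilities than the operator intended (whether LXC rejects or ignores such a line, and whether that fails instance start, is not visible here). Consider normalising in the helper, `return [cap.strip() for cap in drop_caps.split(",") if cap.strip()]`, and pairing the parameter with a check that each entry is a non-empty lower-case token instead of `NO_CHECK`, in the same spirit as the existing `OPT_CPU_MASK_CHECK` entry. The helper's docstring also writes `@rtype list(string)` and `@return list of drop capabilities` without the colon the file's other epydoc fields use (`@type hvparams:`), which the doc tooling is likely to mis-parse; `@rtype: list of strings` / `@return: ...` would match.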
>> diff --git a/man/gnt-instance.rst b/man/gnt-instance.rst >> index 181dc97..2a42ba2 100644 >> --- a/man/gnt-instance.rst >> +++ b/man/gnt-instance.rst >> @@ -901,6 +901,23 @@ lxc\_cgroup\_use >> If this parameter is not specified, a list will be built from info >> in /proc/cgroups. >> >> +lxc\_drop\_capabilities >> + Valid for the LXC hypervisor. >> + >> + This option specifies the list of capabilities which should be >> + dropped for a LXC container. >> + Each value of this option must be in the same form as the >> + lxc.cap.drop configuration parameter of the >> + **lxc.container.conf**\(5). It is the lower case of the capability >> + name without the "CAP_" prefix (e.g., "sys_module,sys_time"). >> + See **capabilities**\(7) for more details about Linux capabilities. >> + Note that some capabilities are required by the LXC container >> + (see: **lxc.container.conf**\(5)). >> + Also note that the CAP_SYS_BOOT is required(should not be dropped) >> + to perform the soft reboot for the LXC container. >> + >> + The default value is ``mac_override,sys_boot,sys_module,sys_time``. >> + >> The ``-O (--os-parameters)`` option allows customisation of the OS >> parameters. The actual parameter names and values depend on the OS being >> used, but the syntax is the same key=value. For example, setting a >> diff --git a/src/Ganeti/Constants.hs b/src/Ganeti/Constants.hs >> index 6bc1b9f..c5994d4 100644 >> --- a/src/Ganeti/Constants.hs >> +++ b/src/Ganeti/Constants.hs >> @@ -520,6 +520,13 @@ socatUseEscape :: Bool >> socatUseEscape = AutoConf.socatUseEscape >> >> -- * LXC >> +lxcDropCapabilitiesDefault :: String >> +lxcDropCapabilitiesDefault = >> + "mac_override" -- Allow MAC configuration or state changes >> + ++ ",sys_boot" -- Use reboot(2) and kexec_load(2) >> + ++ ",sys_module" -- Load and unload kernel modules >> + ++ ",sys_time" -- Set system clock, set real-time (hardware) clock >> + >> lxcStateRunning :: String >> lxcStateRunning = "RUNNING" 
>> >> @@ -1670,6 +1677,9 @@ hvLxcStartupWait = "lxc_startup_wait" >> hvLxcCgroupUse :: String >> hvLxcCgroupUse = "lxc_cgroup_use" >> >> +hvLxcDropCapabilities :: String >> +hvLxcDropCapabilities = "lxc_drop_capabilities" >> + >> hvMemPath :: String >> hvMemPath = "mem_path" >> >> @@ -1833,6 +1843,7 @@ hvsParameterTypes = Map.fromList >> , (hvKvmUseChroot, VTypeBool) >> , (hvKvmUserShutdown, VTypeBool) >> , (hvLxcCgroupUse, VTypeString) >> + , (hvLxcDropCapabilities, VTypeString) >> , (hvLxcStartupWait, VTypeInt) >> , (hvMemPath, VTypeString) >> , (hvMigrationBandwidth, VTypeInt) >> @@ -3913,9 +3924,10 @@ hvcDefaults = >> , (Fake, Map.fromList [(hvMigrationMode, PyValueEx htMigrationLive)]) >> , (Chroot, Map.fromList [(hvInitScript, PyValueEx "/ganeti-chroot")]) >> , (Lxc, Map.fromList >> - [ (hvCpuMask, PyValueEx "") >> - , (hvLxcCgroupUse, PyValueEx "") >> - , (hvLxcStartupWait, PyValueEx (30 :: Int)) >> + [ (hvCpuMask, PyValueEx "") >> + , (hvLxcCgroupUse, PyValueEx "") >> + , (hvLxcDropCapabilities, PyValueEx lxcDropCapabilitiesDefault) >> + , (hvLxcStartupWait, PyValueEx (30 :: Int)) >> ]) >> ] >> >> -- >> 2.0.4 >> >> > > > Hrvoje Ribicic > Ganeti Engineering > Google Germany GmbH > Dienerstr. 12, 80331, München > > Registergericht und -nummer: Hamburg, HRB 86891 > Sitz der Gesellschaft: Hamburg > Geschäftsführer: Graham Law, Christine Elizabeth Flores > Steuernummer: 48/725/00206 > Umsatzsteueridentifikationsnummer: DE813741370 > Hrvoje Ribicic Ganeti Engineering Google Germany GmbH Dienerstr. 12, 80331, München Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores Steuernummer: 48/725/00206 Umsatzsteueridentifikationsnummer: DE813741370
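Review bot: `lxcDropCapabilitiesDefault` in the Constants.hs hunk starting `@@ -520,6 +520,13` (which begins on the previous line) reproduces the four entries and per-entry comments of the removed Python `_DENIED_CAPABILITIES` list, but drops its `# TODO: remove sys_admin too, for safety` line, so the record that CAP_SYS_ADMIN is knowingly left in the default set disappears from the tree. Suggest carrying it over next to the default as a Haskell comment, `-- TODO: add sys_admin to this default too, for safety`, so the known gap stays visible to whoever next revisits the default capability set. The hvcDefaults hunk later on this line re-indents the three untouched `hvCpuMask`, `hvLxcCgroupUse` and `hvLxcStartupWait` entries alongside the addition; if that is only alignment, keeping the whitespace change out of this patch makes the functional change easier to audit.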