From: Dan Walsh <dwa...@redhat.com>
Openshift Containers will be run with a unique UID and GID
---
bin/virt-sandbox-service | 43 +++++++++++++++++++++--
bin/virt-sandbox-service-bash-completion.sh | 8 +++--
bin/virt-sandbox-service-create.pod | 53 ++++++++++++++++++++++++-----
3 files changed, 90 insertions(+), 14 deletions(-)
diff --git a/bin/virt-sandbox-service b/bin/virt-sandbox-service
index a99fe7e..31aa6a1 100755
--- a/bin/virt-sandbox-service
+++ b/bin/virt-sandbox-service
@@ -28,6 +28,7 @@ import exceptions
import rpm
from subprocess import Popen, PIPE, STDOUT
import gettext
+import pwd
if os.path.exists("/sys/fs/selinux"):
import selinux
@@ -83,10 +84,28 @@ class Container:
self.file_type = file_type
def set_uid(self, uid):
- self.uid = uid
+ self.config.set_userid(uid)
def get_uid(self):
- return self.uid
+ return self.config.get_userid(uid)
+
+ def set_gid(self, gid):
+ self.config.set_groupid(gid)
+
+ def get_gid(self):
+ return self.config.get_groupid(gid)
+
+ def set_username(self, username):
+ self.config.set_username(username)
+
+ def get_username(self):
+ return self.config.get_username()
+
+ def set_homedir(self, homedir):
+ self.config.set_homedir(homedir)
+
+ def get_homedir(self):
+ return self.config.get_homedir()
def get_config_path(self, name = None):
if not name:
@@ -755,6 +774,16 @@ def create(args):
container.add_network(net)
if args.security:
container.set_security(args.security)
+ container.set_uid(args.uid)
+ if not args.homedir:
+ args.homedir = pwd.getpwuid(args.uid).pw_dir
+ container.set_homedir(args.homedir)
+ if not args.username:
+ args.username = pwd.getpwuid(args.uid).pw_name
+ container.set_username(args.username)
+ if not args.gid:
+ args.gid = pwd.getpwuid(args.uid).pw_gid
+ container.set_gid(args.gid)
container.set_path(args.path)
container.set_file_type(args.file_type)
if args.imagesize:
@@ -952,6 +981,11 @@ def gen_create_args(subparser):
parser.add_argument("-f", "--filetype", dest="file_type",
default=c.get_file_type(),
help=_("SELinux file type to assign to content within
the sandbox. Default: %s") % c.get_file_type())
+ parser.add_argument("--homedir", dest="homedir",
+ help=_("Specify the homedir for the container.
Default: UID homedir."))
+ parser.add_argument("-G", "--gid", dest="gid",
+ default=None, type=int,
+ help=_("Specify the login gid for the container.
Default: login GID of the UID."))
parser.add_argument("-i", "--imagesize", dest="imagesize", default = None,
action=SizeAction,
help=_("create image of this many megabytes."))
@@ -967,6 +1001,11 @@ def gen_create_args(subparser):
action=CheckUnit,
dest="unitfiles", default=[],
help=_("Systemd Unit file to run within the systemd
sandbox container. Commands cannot be specified with unit files."))
+ parser.add_argument("--username", dest="username",
+ help=_("Specify the username for the container.
Default: UID username."))
+ parser.add_argument("-U", "--uid", dest="uid",
+ default=os.getuid(),type=int,
+ help=_("Specify the uid for the container: Default to
current UID."))
requires_name(parser)
parser.add_argument("command", default=[], nargs="*",
diff --git a/bin/virt-sandbox-service-bash-completion.sh
b/bin/virt-sandbox-service-bash-completion.sh
index 874ee56..8f2b6d0 100755
--- a/bin/virt-sandbox-service-bash-completion.sh
+++ b/bin/virt-sandbox-service-bash-completion.sh
@@ -1,6 +1,6 @@
# This file is part of libvirt-sandbox.
#
-# Copyright 2012 Dan Walsh
+# Copyright (C) 2012-2013 Red Hat, Inc.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@@ -14,7 +14,9 @@
#
# You should have received a copy of the GNU General Public License
# along with systemd; If not, see <http://www.gnu.org/licenses/>.
-
+#
+# Authors: Dan Walsh <dwa...@redhat.com>
+#
__contains_word () {
local word=$1; shift
for w in $*; do [[ $w = $word ]] && return 0; done
@@ -55,7 +57,7 @@ _virt_sandbox_service () {
)
local -A OPTS=(
[ALL]='-h --help'
- [CREATE]='-u --unitfile -p --path -f --filetype -C --copy -i
--imagesize -N --network -s --security'
+ [CREATE]='-C --copy -f --filetype -G --gid -i --imagesize --homedir
-N --network -p --path -s --security -u --unitfile --username -U -uid'
[LIST]='-r --running'
[RELOAD]='-u --unitfile'
[EXECUTE]='-N --noseclabel'
diff --git a/bin/virt-sandbox-service-create.pod
b/bin/virt-sandbox-service-create.pod
index fdc44bb..af942cb 100644
--- a/bin/virt-sandbox-service-create.pod
+++ b/bin/virt-sandbox-service-create.pod
@@ -4,7 +4,12 @@ virt-sandbox-service create - Create a Security container
=head1 SYNOPSIS
- virt-sandbox-service [-c URI] create [-h] [ -u UNIT_FILE ] [ --copy ] [-p
PATH] [-N NETWORK-OPTS] [-s SECURITY-OPTS] [-i SIZE] [-n] NAME [ COMMAND ]
+ virt-sandbox-service [-c URI] create [-h] [-C] [-f FILE_TYPE]
+ [--homedir HOMEDIR] [-G GID] [-i IMAGESIZE]
+ [-N NETWORK] [-p PATH] [-s SECURITY]
+ [-u UNITFILES] [--username USERNAME]
+ [-U UID]
+ name [command [command ...]]
=head1 DESCRIPTION
@@ -14,7 +19,7 @@ technology such as LinuX Containers (LXC), or optionally
QEMU/KVM. The
container / virtual machines will be secured by SELinux and resource
separated using cgroups.
-The create command can setup a sandbox for running one or more systemd unit
files. It can also setup a sandbox for running a command in an
InteractiveContainer. Specify a unit file to create the ServiceContainer and
the command to create an InteractiveContainer.
+The create command can setup a sandbox for running one or more systemd unit
files. It can also setup a sandbox for running a command in an
GenericContainer. Specify a unit file to create the SystemdContainer and the
command to create an GenericContainer.
=head1 OPTIONS
@@ -24,25 +29,43 @@ The create command can setup a sandbox for running one or
more systemd unit file
Display help message
-=item B<-c> URI, B<--connect URI>
+=item B<-c URI>, B<--connect URI>
The connection URI for the hypervisor (only LXC or QEMU are
supported currently).
=item B<-u UNIT_FILE>, B<--unitfile UNIT_FILE>
-Name of the systemd unit file to be to run within the Service Container. Can
be repeated if multiple unit files are required within the sandbox. Cannot be
specified if you are using a COMMAND.
+Name of the systemd unit file to be to run within the Systemd Container. Can
be repeated if multiple unit files are required within the sandbox. Cannot be
specified if you are using a COMMAND.
=item B<-C>, B<--copy>
Copy content from /etc and /var directories that will be mounted within the
container.
+=item B<-G GID>, B<--gid GID>
+
+Set login gid to use within the container.
+
+Default: C<Login GID of UID>.
+
+=item B<-f FILETYPE>, B<--filetype FILETYPE>
+
+Set SELinux file type to use within container.
+
+Default: C<svirt_lxc_file_t>.
+
=item B<-p PATH>, B<--path PATH>
-Select path to store container content.
+Set path to store container content.
Default: C</var/lib/libvirt/filesystems>.
+=item B<--homedir HOMEDIR>
+
+Set homedir path to use within container.
+
+Default: C<UID's Homedir>.
+
=item B<-N NETWORK-OPTIONS>, B<--network NETWORK-OPTIONS>
Add a network interface to the sandbox. By default the sandbox will
@@ -119,24 +142,36 @@ static,label=system_u:system_r:svirt_t:s0:c412,c355
Create file system image file of this size to store container content.
-=item B<-u unitfile>, B<--unitfile unitfile>
+=item B<-u UNITFILE>, B<--unitfile UNITFILE>
systemd Unit file to run within the container
+=item B<-U UID>, B<--uid UID>
+
+Set uid to use within container.
+
+Default: C<CURRENT UID>.
+
+=item B<--username USERNAME>
+
+Set username to use within container.
+
+Default: C<UID's Username>.
+
=back
=head1 EXAMPLE
-Create httpd1 Service container
+Create httpd1 Systemd container
# virt-sandbox-service create -C -u httpd.service httpd1
Created container dir /var/lib/libvirt/filesystems/httpd1
Created sandbox config /etc/libvirt-sandbox/httpd1.sandbox
Created unit file /etc/systemd/system/httpd@httpd1.service
-Create foobar1 Service container
+Create foobar1 Generic container
- # virt-sandbox-service create foobar1 -- /usr/bin/foobar -a -b
+ # virt-sandbox-service create -U 1234 foobar1 -- /usr/bin/foobar -a -b
Created container dir /var/lib/libvirt/filesystems/foobar1
Created sandbox config /etc/libvirt-sandbox/foobar1.sandbox
--
1.8.2
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
