Hi all,

I had a request from some users to allow keeping the mknod capability in containers
even though that may be a security threat for the container and host. After
discussing it with Dan on IRC, here is a patch series that adds a capabilities XML
element in the features section of the domain configuration. It also allows dropping
capabilities that are normally kept.

Coming with this commit are one for the conversion of LXC configuration to domain XML
for the lxc.cap.drop entry, and one to extend the documentation.

There is one thing I'm not sure how to do best: I had to list all capabilities in an
enum for the XML config, and I had to map those to the kernel CAP_* defines. Any
improvement idea is welcome ;)

Cédric Bosdonnat (3):
  lxc: allow to keep or drop capabilities
  lxc domain from xml: convert lxc.cap.drop
  lxc: update doc to mention features/capabilities/* domain configuration

 docs/drvlxc.html.in                                |  27 +++
 docs/schemas/domaincommon.rng                      | 196 +++++++++++++++++++++
 src/conf/domain_conf.c                             |  93 +++++++++-
 src/conf/domain_conf.h                             |  47 +++++
 src/libvirt_private.syms                           |   1 +
 src/lxc/lxc_cgroup.c                               |   5 +
 src/lxc/lxc_container.c                            |  90 ++++++++--
 src/lxc/lxc_native.c                               |  27 +++
 tests/domainschemadata/domain-caps-features.xml    |  28 +++
 tests/lxcconf2xmldata/lxcconf2xml-blkiotune.xml    |  39 ++++
 tests/lxcconf2xmldata/lxcconf2xml-cpusettune.xml   |  39 ++++
 tests/lxcconf2xmldata/lxcconf2xml-cputune.xml      |  39 ++++
 tests/lxcconf2xmldata/lxcconf2xml-idmap.xml        |  39 ++++
 .../lxcconf2xmldata/lxcconf2xml-macvlannetwork.xml |  41 +++++
 tests/lxcconf2xmldata/lxcconf2xml-memtune.xml      |  39 ++++
 tests/lxcconf2xmldata/lxcconf2xml-nonenetwork.xml  |  41 +++++
 tests/lxcconf2xmldata/lxcconf2xml-nonetwork.xml    |  39 ++++
 tests/lxcconf2xmldata/lxcconf2xml-physnetwork.xml  |  41 +++++
 tests/lxcconf2xmldata/lxcconf2xml-simple.xml       |  41 +++++
 tests/lxcconf2xmldata/lxcconf2xml-vlannetwork.xml  |  41 +++++
 20 files changed, 935 insertions(+), 18 deletions(-)
 create mode 100644 tests/domainschemadata/domain-caps-features.xml

-- 
1.8.4.5
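As an added example (not part of this patch series or of libvirt's code), a check a container operator can run to confirm what a configuration like this actually produced: it parses the Cap* fields of /proc/<pid>/status and reports whether a given capability, here CAP_MKNOD, is still in the process's bounding set. The capability numbers are the kernel's own; the sample status text used in the test is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Kernel capability numbers (include/uapi/linux/capability.h). */
#define CAP_SYS_ADMIN 21
#define CAP_MKNOD     27

/* Parse one Cap* field ("CapBnd", "CapEff", ...) out of the text of
 * /proc/<pid>/status. Returns 1 and stores the 64-bit mask on success,
 * 0 if the field is missing or its hex value is malformed. */
static int cap_mask_from_status(const char *status, const char *field,
                                uint64_t *mask)
{
    char key[32];
    size_t klen = (size_t)snprintf(key, sizeof key, "%s:", field);
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, key, klen) == 0) {
            const char *p = line + klen;
            while (*p == ' ' || *p == '\t') p++;
            char *end;
            *mask = strtoull(p, &end, 16);
            return end != p;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return 0;
}

/* 1 if capability `cap` is in the named set, 0 if not, -1 on parse error. */
int cap_in_set(const char *status, const char *field, int cap)
{
    uint64_t mask;
    if (cap < 0 || cap > 63 || !cap_mask_from_status(status, field, &mask))
        return -1;
    return (int)((mask >> cap) & 1);
}

/* Stand-alone use: run inside the container to inspect its own bounding set. */
int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    int r = cap_in_set(buf, "CapBnd", CAP_MKNOD);
    printf("CAP_MKNOD in bounding set: %s\n", r == 1 ? "yes" : r == 0 ? "no" : "unknown");
    return 0;
}
```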

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
