The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/8248
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Changes made: - Created a list of safe volatile keys - Modified the checkRestrictionsOnVolatileConfig function to check each volatile key against the list of safe keys: safe keys are skipped, and unsafe volatile keys are deleted from the config file instead of failing the copy
From 4fe66fee77a368bf465b796bc8cb2daccae5e582 Mon Sep 17 00:00:00 2001
From: Jeremy Tajonera <jtajon...@utexas.edu>
Date: Fri, 11 Dec 2020 23:11:12 -0600
Subject: [PATCH 1/2] Issue #7896 Smarter handling of `volatile` keys in restricted projects
---
 lxd/project/permissions.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/lxd/project/permissions.go b/lxd/project/permissions.go
index 7c320bc2c4..d744db340c 100644
--- a/lxd/project/permissions.go
+++ b/lxd/project/permissions.go
@@ -152,11 +152,29 @@ func checkRestrictionsOnVolatileConfig(project *api.Project, instanceType instan
 return nil
 }
+ // List of safe keys
+ safe_keys := [5]string{"volatile.apply_template", "volatile.base_image", "volatile.last_state.power", "volatile.DEVNAME.apply_quota", "volatile.DEVNAME.hwaddr"}
+
 for key, value := range config {
 if !strings.HasPrefix(key, shared.ConfigVolatilePrefix) {
 continue
 }
+ // Allow given safe volatile keys to be set
+ var isSafeKey bool
+ for _, safe_key := range safe_keys {
+ // If current key is in the safe_key list, break out of for loop and set isSafeKey to true
+ if safe_key == key {
+ isSafeKey = true
+ break
+ }
+ }
+
+ // If the current key is a safe volatile key, get out of current iteration
+ if isSafeKey {
+ continue
+ }
+
 currentValue, ok := currentConfig[key]
 if !ok {
 return fmt.Errorf(
From 84bd55bfd087f1b4f3aff50ef8ac0f677fe40a73 Mon Sep 17 00:00:00 2001
From: Jeremy Tajonera <jtajon...@utexas.edu>
Date: Fri, 11 Dec 2020 23:24:07 -0600
Subject: [PATCH 2/2] Issue 7896 - Removed Fail on unsafe key, delete key instead
---
 lxd/project/permissions.go | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/lxd/project/permissions.go b/lxd/project/permissions.go
index d744db340c..89ea97230a 100644
--- a/lxd/project/permissions.go
+++ b/lxd/project/permissions.go
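Review bot: In the PATCH 1/2 hunk at `@@ -152,11 +152,29 @@`, the entries `"volatile.DEVNAME.apply_quota"` and `"volatile.DEVNAME.hwaddr"` are compared with `safe_key == key`, so they match only a key that literally contains `DEVNAME` and never a real per-device key; those keys still fall through to the restricted path below. If `DEVNAME` is meant as a placeholder for the device name, keep the three fixed keys in the list and test the per-device ones by suffix, e.g. `if strings.HasSuffix(key, ".apply_quota") || strings.HasSuffix(key, ".hwaddr") { continue }` (`strings` is already used in this loop). Because this list decides what a restricted project may set, a short comment on why each key is considered safe would help later reviewers. `safe_keys` and `safe_key` should be `safeKeys` and `safeKey` to follow Go's MixedCaps naming. The function starts and ends outside the hunk.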
@@ -177,15 +177,13 @@ func checkRestrictionsOnVolatileConfig(project *api.Project, instanceType instan
 currentValue, ok := currentConfig[key]
 if !ok {
- return fmt.Errorf(
- "Setting %q on %s %q in project %q is forbidden",
- key, instanceType, instanceName, project.Name)
+ // Strip any non-allowed volatile key from the config
+ delete(config, key)
 }
 if currentValue != value {
- return fmt.Errorf(
- "Changing %q on %s %q in project %q is forbidden",
- key, instanceType, instanceName, project.Name)
+ // Strip any non-allowed volatile key from the config
+ delete(config, key)
 }
 }
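Review bot: In the `currentValue != value` branch, `delete(config, key)` drops the key from the requested config instead of keeping the value the instance already has; if the caller applies `config` as a full replacement (not visible in this hunk), a restricted-project user could still clear an existing non-allowlisted volatile key. Resetting it with `config[key] = currentValue` would preserve the stored value whether the caller merges or replaces. The `!ok` branch also falls through into the second comparison after its delete; adding `continue` there makes the intent explicit. Since the function no longer returns an error for these keys, a log line naming each stripped key would let operators trace why a requested value was not applied. The function starts and ends outside the hunk.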