The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/8248
This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.
=== Description (from pull-request) ===
Changes made:
- Created a list of safe volatile keys
- Modified checkRestrictionsOnVolatileConfig function to parse through the list of safe volatile keys and skip any keys that were safe and deleted any unsafe volatile keys from the config file instead of failing the copy
From 4fe66fee77a368bf465b796bc8cb2daccae5e582 Mon Sep 17 00:00:00 2001
From: Jeremy Tajonera <jtajon...@utexas.edu>
Date: Fri, 11 Dec 2020 23:11:12 -0600
Subject: [PATCH 1/2] Issue #7896 Smarter handling of `volatile` keys in
restricted projects
---
lxd/project/permissions.go | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lxd/project/permissions.go b/lxd/project/permissions.go
index 7c320bc2c4..d744db340c 100644
--- a/lxd/project/permissions.go
+++ b/lxd/project/permissions.go
@@ -152,11 +152,29 @@ func checkRestrictionsOnVolatileConfig(project
*api.Project, instanceType instan
return nil
}
+ // List of safe keys
+ safe_keys := [5]string{"volatile.apply_template",
"volatile.base_image", "volatile.last_state.power",
"volatile.DEVNAME.apply_quota", "volatile.DEVNAME.hwaddr"}
+
for key, value := range config {
if !strings.HasPrefix(key, shared.ConfigVolatilePrefix) {
continue
}
+ // Allow given safe volatile keys to be set
+ var isSafeKey bool
+ for _, safe_key := range safe_keys {
+ // If current key is in the safe_key list, break out of
for loop and set isSafeKey to true
+ if safe_key == key {
+ isSafeKey = true
+ break
+ }
+ }
+
+ // If the current key is a safe volatile key, get out of
current iteration
+ if isSafeKey {
+ continue
+ }
+
currentValue, ok := currentConfig[key]
if !ok {
return fmt.Errorf(
From 84bd55bfd087f1b4f3aff50ef8ac0f677fe40a73 Mon Sep 17 00:00:00 2001
From: Jeremy Tajonera <jtajon...@utexas.edu>
Date: Fri, 11 Dec 2020 23:24:07 -0600
Subject: [PATCH 2/2] Issue 7896 - Removed Fail on unsafe key, delete key
instead
---
lxd/project/permissions.go | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/lxd/project/permissions.go b/lxd/project/permissions.go
index d744db340c..89ea97230a 100644
--- a/lxd/project/permissions.go
+++ b/lxd/project/permissions.go
@@ -177,15 +177,13 @@ func checkRestrictionsOnVolatileConfig(project
*api.Project, instanceType instan
currentValue, ok := currentConfig[key]
if !ok {
- return fmt.Errorf(
- "Setting %q on %s %q in project %q is
forbidden",
- key, instanceType, instanceName, project.Name)
+ // Strip any non-allowed volatile key from the config
+ delete(config, key)
}
if currentValue != value {
- return fmt.Errorf(
- "Changing %q on %s %q in project %q is
forbidden",
- key, instanceType, instanceName, project.Name)
+ // Strip any non-allowed volatile key from the config
+ delete(config, key)
}
}
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
