Use a specific script to set the capabilities

Instead of having the capabilities set automatically,
it will be up to the user to set them through a specific
script, 'lxc-setcap'.

After installing the lxc tools, if we want them to be available
to a non-root user, lxc-setcap will set the needed capabilities.
If, on reflection, we want to remove the capabilities,
'lxc-setcap -d' will do this for us.

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Acked-by: Guido Trotter <ultrotter@google.com>
Daniel Lezcano 2009-03-24 13:56:37 +01:00
parent 75d09f83b8
commit 237315ff50
5 changed files with 118 additions and 60 deletions

1
.gitignore vendored

@ -43,6 +43,7 @@ src/lxc/lxc-init
src/lxc/lxc-ls src/lxc/lxc-ls
src/lxc/lxc-monitor src/lxc/lxc-monitor
src/lxc/lxc-netstat src/lxc/lxc-netstat
src/lxc/lxc-setcap
src/lxc/lxc-ps src/lxc/lxc-ps
src/lxc/lxc-restart src/lxc/lxc-restart
src/lxc/lxc-start src/lxc/lxc-start


@ -96,7 +96,8 @@ AC_CONFIG_FILES([
src/lxc/lxc-ps src/lxc/lxc-ps
src/lxc/lxc-ls src/lxc/lxc-ls
src/lxc/lxc-netstat src/lxc/lxc-netstat
src/lxc/lxc-checkconfig src/lxc/lxc-checkconfig
src/lxc/lxc-setcap
etc/Makefile etc/Makefile
etc/lxc-macvlan.conf etc/lxc-macvlan.conf
@ -142,12 +143,10 @@ else
Advice: Advice:
------- -------
When installing the tools, it is adviced to install as If you which to have a non root user to use the lxc tools,
root, so the privilege for the commands will be set and you can add the needed capabilities to the tools by invoking
they will be usable by non-root user the 'lxc-setcap' script. To remove the capabilities, use
'lxc-setcap -d'
make && sudo make install
]) ])
fi fi
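Review bot: The new Advice text does not say what running lxc-setcap implies, and it has a typo ("If you which to have" should be "If you wish to have"). File capabilities set with `=ep` apply to every local user who can execute the binary, and the sets shown in src/lxc/lxc-setcap.in include cap_sys_admin and cap_dac_override, so the script widens privilege for all users rather than for one chosen non-root user. I would add a line to the message such as `Note: the capabilities apply to every user allowed to execute the tools; restrict execute permission to a group if that is not intended.` The message should also state that 'lxc-setcap' must be run as root, since the script exits otherwise.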


@ -71,29 +71,12 @@ rm -rf %{buildroot}
mkdir -p /var/lxc mkdir -p /var/lxc
chmod ugo+w /var/lxc chmod ugo+w /var/lxc
setcap cap_sys_admin=ep %{_bindir}/lxc-init
setcap cap_sys_admin=ep %{_bindir}/lxc-netstat
setcap cap_sys_admin=ep %{_bindir}/lxc-create
setcap cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
%{_bindir}/lxc-execute
setcap cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
%{_bindir}/lxc-start
setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
%{_bindir}/lxc-restart
setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
%{_bindir}/lxc-unshare
%files %files
%defattr(-,root,root) %defattr(-,root,root)
%{_sysconfdir}/%{name}/* %{_sysconfdir}/%{name}/*
%{_libdir}/*.so* %{_libdir}/*.so*
%{_bindir}/* %{_bindir}/*
%{_libexecdir}/*
%{_mandir}/* %{_mandir}/*
%files devel %files devel
@ -104,6 +87,9 @@ setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
%changelog %changelog
* Mon Mar 24 2009 Daniel Lezcano <daniel.lezcano@free.fr> - Version 0.6.1
- Removed capability setting, let the user to do that through "lxc-setcap"
* Mon Feb 16 2009 Daniel Lezcano <daniel.lezcano@free.fr> - Version 0.6.0 * Mon Feb 16 2009 Daniel Lezcano <daniel.lezcano@free.fr> - Version 0.6.0
- Added more capabilities to the executables - Added more capabilities to the executables
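Review bot: The `%post` lines this change leaves in place, `mkdir -p /var/lxc` and `chmod ugo+w /var/lxc`, make the container directory world-writable without the sticky bit, so any local user can rename or delete entries created by another user. That matters more once lxc-setcap has been run, because the tools, which presumably operate on that tree, then carry cap_sys_admin and cap_dac_override. Consider `chmod 1777 /var/lxc` as a minimum, or a dedicated group with a mode that is not world-writable; the same applies to `chmod ugo+rw $(prefix)/var/lxc` in install-exec-local in src/lxc/Makefile.am. Separately, the new changelog entry is dated `Mon Mar 24 2009`, but that date was a Tuesday, which newer rpmbuild versions report as a bogus changelog date.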


@ -54,7 +54,8 @@ bin_SCRIPTS = \
lxc-ps \ lxc-ps \
lxc-netstat \ lxc-netstat \
lxc-ls \ lxc-ls \
lxc-checkconfig lxc-checkconfig \
lxc-setcap
bin_PROGRAMS = \ bin_PROGRAMS = \
lxc-unshare \ lxc-unshare \
@ -128,38 +129,6 @@ lxc_restart_LDADD = liblxc.la
lxc_version_SOURCES = lxc_version.c lxc_version_SOURCES = lxc_version.c
lxc_version_LDADD = liblxc.la lxc_version_LDADD = liblxc.la
install-libexecPROGRAMS:
setcap cap_sys_admin=ep $(libexecdir)/lxc-init
install-exec-local: install-exec-local:
-@export PATH=$$PATH:/sbin:/usr/sbin && \ @mkdir -p $(localstatedir) && mkdir -p $(prefix)/var/lxc && \
mkdir -p $(localstatedir) && \ chmod ugo+rw $(prefix)/var/lxc
\
setcap cap_sys_admin=ep $(bindir)/lxc-create && \
\
setcap cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
$(bindir)/lxc-execute && \
\
setcap cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
$(bindir)/lxc-start && \
\
setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
$(bindir)/lxc-restart && \
\
setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \
$(bindir)/lxc-unshare && \
\
setcap cap_sys_admin=ep \
$(bindir)/lxc-netstat && \
\
mkdir -p $(prefix)/var/lxc && \
chmod ugo+rw $(prefix)/var/lxc || \
(echo && echo && \
echo "*****************************************************************" && \
echo "* *" && \
echo "* The installation failed to set file capabilities, that is ok, *" && \
echo "* but you won't have enough privilege to run the 'lxc' commands *" && \
echo "* and you will need to run them as 'root' yourself. *" && \
echo "* *" && \
echo "*****************************************************************" && \
echo && echo)
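Review bot: The rewritten install-exec-local recipe, as rendered here, creates `$(localstatedir)` and creates and chmods `$(prefix)/var/lxc` without `$(DESTDIR)`, so a staged install such as a package build run as root changes the live filesystem instead of the staging root. It also hard-codes `$(prefix)/var` although `$(localstatedir)` is created on the same line, and the two differ whenever localstatedir is overridden at configure time. I would use a single path, for example `@mkdir -p $(DESTDIR)$(localstatedir)/lxc`, and apply the chmod to that same path, provided that is where the tools look; the path they read is not visible in this diff. With the old `-` prefix and the `||` fallback removed, a failing mkdir or chmod now aborts `make install`, which looks intended but deserves a one-line comment above the recipe.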

103
src/lxc/lxc-setcap.in Normal file

@ -0,0 +1,103 @@
#!/bin/bash
#
# lxc: linux Container library
# Authors:
# Daniel Lezcano <daniel.lezcano@free.fr>
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# This script allows to set or remove the capabilities on the lxc tools.
# When the capabilities are set, a non root user can manage the containers.
#
LXC_CREATE_CAPS="cap_sys_admin"
LXC_NETSTAT_CAPS="cap_sys_admin"
LXC_INIT_CAPS="cap_sys_admin"
LXC_UNSHARE_CAPS="cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override"
LXC_START_CAPS="cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override"
LXC_EXECUTE_CAPS=$LXC_START_CAPS
LXC_RESTART_CAPS=$LXC_START_CAPS
LXC_DROP_CAPS=""
usage()
{
echo "lxc-setcap [-d] : set or remove capabilities on the lxc tools"
}
lxc_setcaps()
{
setcap $LXC_CREATE_CAPS=ep @BINDIR@/lxc-create
setcap $LXC_EXECUTE_CAPS=ep @BINDIR@/lxc-execute
setcap $LXC_START_CAPS=ep @BINDIR@/lxc-start
setcap $LXC_RESTART_CAPS=ep @BINDIR@/lxc-restart
setcap $LXC_UNSHARE_CAPS=ep @BINDIR@/lxc-unshare
setcap $LXC_NETSTAT_CAPS=ep @BINDIR@/lxc-netstat
setcap $LXC_INIT_CAPS=ep @LIBEXECDIR@/lxc-init
}
lxc_dropcaps()
{
setcap -r @BINDIR@/lxc-create
setcap -r @BINDIR@/lxc-execute
setcap -r @BINDIR@/lxc-start
setcap -r @BINDIR@/lxc-restart
setcap -r @BINDIR@/lxc-unshare
setcap -r @BINDIR@/lxc-netstat
setcap -r @LIBEXECDIR@/lxc-init
}
if [ "$(id -u)" != "0" ]; then
echo "You have to be root to run this script"
exit 1
fi
if [ $? != 0 ]; then
usage
exit 1
fi
set -- $(getopt dh $*)
for i in $*; do
case "$1" in
-d)
LXC_DROP_CAPS="yes"
shift
;;
-h)
usage
exit 0
;;
--)
shift
break
;;
*)
usage
exit 1
;;
esac
done;
if [ -z "$LXC_DROP_CAPS" ]; then
lxc_setcaps
else
lxc_dropcaps
fi
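Review bot: Every `setcap` call in lxc_setcaps and lxc_dropcaps has its exit status ignored, so `lxc-setcap -d` can exit 0 while one or more tools still carry cap_sys_admin, and an administrator revoking access gets no signal that it failed. The `if [ $? != 0 ]` test that looks intended for getopt sits before the getopt call, where it only sees the status of the preceding root check and never fires, and the unquoted `$*` re-splits the arguments. I would loop over the tool list, record failures and exit non-zero, and attach the error check to the getopt call itself, as sketched below; lxc_setcaps would get the same per-file check. `setcap -r` may also report an error for a file that has no capabilities set, so the message should name the file and the loop should continue rather than stop at the first failure.

```bash
lxc_dropcaps()
{
    rc=0
    for tool in @BINDIR@/lxc-create @BINDIR@/lxc-execute @BINDIR@/lxc-start \
                @BINDIR@/lxc-restart @BINDIR@/lxc-unshare @BINDIR@/lxc-netstat \
                @LIBEXECDIR@/lxc-init; do
        if ! setcap -r "$tool"; then
            echo "lxc-setcap: could not remove capabilities from $tool" >&2
            rc=1
        fi
    done
    return $rc
}

# … unchanged: root check …

args=$(getopt dh "$@") || { usage; exit 1; }
set -- $args

# … unchanged: option loop …

if [ -z "$LXC_DROP_CAPS" ]; then
    lxc_setcaps || exit 1
else
    lxc_dropcaps || exit 1
fi
```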