[pve-container.git] / src / lxc-pve-autodev-hook

#!/usr/bin/perl

use strict;
use warnings;

exit 0 if $ENV{LXC_NAME} && $ENV{LXC_NAME} !~ /^\d+$/;

use File::Path;
use File::Basename;

use PVE::Tools;

my $vmid = $ENV{LXC_NAME};
my $root = $ENV{LXC_ROOTFS_MOUNT};

if (@ARGV != 3 || $ARGV[1] ne 'lxc' || $ARGV[2] ne 'autodev') {
    die "invalid usage, this is an LXC autodev hook\n";
}

if ($vmid ne $ARGV[0]) {
    die "got wrong name: $ARGV[0] while LXC_NAME=$vmid\n";
}

my $devlist_file = "/var/lib/lxc/$vmid/devices";
my $fd;

if (! open $fd, '<', $devlist_file) {
    exit 0 if $!{ENOENT}; # If the list is empty the file might not exist.
    die "failed to open device list: $!\n";
}

sub cgroup_do_write($$) {
    my ($path, $value) = @_;
    my $fd;
    if (!open($fd, '>', $path)) {
	warn "failed to open cgroup file $path: $!\n";
	return 0;
    }
    if (!defined syswrite($fd, $value)) {
	warn "failed to write value $value to cgroup file $path: $!\n";
	return 0;
    }
    close($fd);
    return 1;
}

while (defined(my $line = <$fd>)) {
    if ($line !~ m@^(b):(\d+):(\d+):/dev/(\S+)\s*$@) {
	warn "invalid .pve-devices entry: $line\n";
    }
    my ($type, $major, $minor, $dev) = ($1, $2, $3, $4);

    # Don't break out of $root/dev/
    if ($dev =~ /\.\./) {
	warn "skipping illegal device node entry: $dev\n";
	next;
    }

    # Never expose /dev/loop-control
    if ($major == 10 && $minor == 237) {
	warn "skipping illegal device entry (loop-control) for: $dev\n";
	next;
    }

    my $rel_devpath = "/dev/$dev";
    my $rel_dir = dirname($rel_devpath);
    File::Path::mkpath("$root/$rel_dir");

    PVE::Tools::run_command(['mknod', '-m', '666', "$root/dev/$dev",
                             $type, $major, $minor]);

    if ($dev =~ /^dm-\d+$/) {
	File::Path::mkpath("$root/dev/mapper");
	my $mapped_name = PVE::Tools::file_get_contents("/sys/block/$dev/dm/name");
	chomp $mapped_name;
	symlink("/dev/$dev", "$root/dev/mapper/$mapped_name");
    }

    my $cgbase = "/sys/fs/cgroup/devices/lxc/$vmid";
    my $limitpath = "$cgbase/devices.allow";
    my $nspath = "$cgbase/ns/devices.allow";
    if (!cgroup_do_write($limitpath, "$type $major:$minor rwm")) {
	warn "failed to allow access to device $dev ($major:$minor)\n";
    }
    if (!cgroup_do_write($nspath, "$type $major:$minor rwm")) {
	warn "failed to allow access to device $dev ($major:$minor) inside the namespace\n";
    }
}
close $fd;

exit 0;
Commit	Line	Data
50df544c WB	1	#!/usr/bin/perl
50df544c WB	2
50df544c WB	3	use strict;
	4	use warnings;
	5
	6	exit 0 if $ENV{LXC_NAME} && $ENV{LXC_NAME} !~ /^\d+$/;
	7
55d14e39 WB	8	use File::Path;
	9	use File::Basename;
	10
50df544c WB	11	use PVE::Tools;
	12
	13	my $vmid = $ENV{LXC_NAME};
	14	my $root = $ENV{LXC_ROOTFS_MOUNT};
	15
	16	if (@ARGV != 3 \|\| $ARGV[1] ne 'lxc' \|\| $ARGV[2] ne 'autodev') {
	17	die "invalid usage, this is an LXC autodev hook\n";
	18	}
	19
	20	if ($vmid ne $ARGV[0]) {
	21	die "got wrong name: $ARGV[0] while LXC_NAME=$vmid\n";
	22	}
	23
	24	my $devlist_file = "/var/lib/lxc/$vmid/devices";
74e20aeb	25	my $fd;
50df544c	26
74e20aeb	27	if (! open $fd, '<', $devlist_file) {
50df544c WB	28	exit 0 if $!{ENOENT}; # If the list is empty the file might not exist.
	29	die "failed to open device list: $!\n";
	30	}
	31
7b31bd8c WB	32	sub cgroup_do_write($$) {
	33	my ($path, $value) = @_;
	34	my $fd;
	35	if (!open($fd, '>', $path)) {
	36	warn "failed to open cgroup file $path: $!\n";
	37	return 0;
	38	}
	39	if (!defined syswrite($fd, $value)) {
	40	warn "failed to write value $value to cgroup file $path: $!\n";
	41	return 0;
	42	}
	43	close($fd);
	44	return 1;
	45	}
	46
50df544c WB	47	while (defined(my $line = <$fd>)) {
	48	if ($line !~ m@^(b):(\d+):(\d+):/dev/(\S+)\s*$@) {
	49	warn "invalid .pve-devices entry: $line\n";
	50	}
	51	my ($type, $major, $minor, $dev) = ($1, $2, $3, $4);
	52
	53	# Don't break out of $root/dev/
	54	if ($dev =~ /\.\./) {
	55	warn "skipping illegal device node entry: $dev\n";
	56	next;
	57	}
	58
	59	# Never expose /dev/loop-control
	60	if ($major == 10 && $minor == 237) {
	61	warn "skipping illegal device entry (loop-control) for: $dev\n";
	62	next;
	63	}
	64
55d14e39 WB	65	my $rel_devpath = "/dev/$dev";
	66	my $rel_dir = dirname($rel_devpath);
	67	File::Path::mkpath("$root/$rel_dir");
	68
50df544c WB	69	PVE::Tools::run_command(['mknod', '-m', '666', "$root/dev/$dev",
50df544c WB	70	$type, $major, $minor]);
ada088e6 WB	71
	72	if ($dev =~ /^dm-\d+$/) {
	73	File::Path::mkpath("$root/dev/mapper");
	74	my $mapped_name = PVE::Tools::file_get_contents("/sys/block/$dev/dm/name");
	75	chomp $mapped_name;
	76	symlink("/dev/$dev", "$root/dev/mapper/$mapped_name");
	77	}
7b31bd8c WB	78
	79	my $cgbase = "/sys/fs/cgroup/devices/lxc/$vmid";
	80	my $limitpath = "$cgbase/devices.allow";
	81	my $nspath = "$cgbase/ns/devices.allow";
	82	if (!cgroup_do_write($limitpath, "$type $major:$minor rwm")) {
	83	warn "failed to allow access to device $dev ($major:$minor)\n";
	84	}
	85	if (!cgroup_do_write($nspath, "$type $major:$minor rwm")) {
	86	warn "failed to allow access to device $dev ($major:$minor) inside the namespace\n";
	87	}
50df544c WB	88	}
50df544c WB	89	close $fd;
f067e7ba WB	90
f067e7ba WB	91	exit 0;