From: dlezcano Date: Fri, 24 Oct 2008 20:14:57 +0000 (+0000) Subject: Give the ability to non-root user to play with the containers. This feature X-Git-Tag: lxc-2.1.1~3486 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=805415fcebeea70abb27025f8ad0518ead78cc08;p=mirror_lxc.git Give the ability to non-root user to play with the containers. This feature relies on the file capabilities, when the lxc commands are installed, the sys/net admin capabilities are given to these files. These capabilities are not available for the application running inside the container. --- diff --git a/configure.in b/configure.in index 98d12c002..d5ee8068d 100644 --- a/configure.in +++ b/configure.in @@ -1,7 +1,7 @@ # -*- Autoconf -*- # Process this file with autoconf to produce a configure script. -AC_INIT([lxc], [0.3.0]) +AC_INIT([lxc], [0.4.0]) AC_CONFIG_SRCDIR([configure.in]) AC_CONFIG_AUX_DIR([config]) @@ -12,6 +12,8 @@ AC_PROG_RANLIB AM_PROG_CC_C_O AC_GNU_SOURCE AC_PROG_LIBTOOL +AC_CHECK_PROG(SETCAP, setcap, yes, no, "/usr/sbin") + AC_CHECK_HEADERS([linux/netlink.h linux/genetlink.h], [], AC_MSG_ERROR([netlink headers not found]), [#include #include @@ -29,7 +31,7 @@ AC_CONFIG_FILES([ src/Makefile src/lxc/Makefile src/lxc/lxc-ps - src/lxc/lxc-checkconfig + src/lxc/lxc-checkconfig etc/Makefile etc/lxc-macvlan.conf etc/lxc-no-netns.conf @@ -41,3 +43,32 @@ AC_CONFIG_FILES([ ]) AC_CONFIG_COMMANDS([default],[[]],[[]]) AC_OUTPUT + +if test "x$SETCAP" = "xno"; then + AC_MSG_NOTICE([ + +Warning: +-------- + +The libcap-2 is not installed. That means the tools to +set the privilege for the lxc commands are not available +and you will need to run these commands as root + +]) + +else + + AC_MSG_NOTICE([ + +Advice: +------- + +When installing the tools, it is adviced to install as +root, so the privilege for the commands will be set and +they will be usable by non-root user + + make && sudo make install + +]) + +fi diff --git a/lxc.spec.in b/lxc.spec.in index f71a520c9..9359daa68 100644 --- a/lxc.spec.in +++ b/lxc.spec.in @@ -50,16 +50,26 @@ Source: %name/%name-%version.tar.gz BuildRoot: %_tmppath/%name-%version-root %description -%name is a set of command line to manage containers + +The package "%name" provides the command lines to create and manage +containers. It contains a full featured container with the isolation +/ virtualization of the pids, the ipc, the utsname, the mount points, +/proc, /sys, the network and it takes into account the control groups. +It is very light, flexible, and provides a set of tools around the +container like the monitoring with asynchronous events notification, +or the freeze of the container. This package is useful to create +Virtual Private Server, or to run isolated applications like bash or +sshd. %package devel Release: %{rel} Summary: development library for %{name} +Requires: libcap Group: Application/System %description devel -The %{name}-devel package contains header files and library needed for development -of containers +The %{name}-devel package contains header files and library needed for +development of containers %prep %setup -q @@ -72,12 +82,32 @@ make -j$ncpus %install rm -rf %{buildroot} + %makeinstall %clean rm -rf %{buildroot} %post +if [ -d /var/lxc ]; then + for i in $(ls -1 /var/lxc); do + chmod -fR go-rwx /var/lxc/$i + done + mv /var/lxc /var/lxc.rpm-$$ +fi + +mkdir -p /var/lxc + +if [ -d /var/lxc.rpm-$$ ]; then + for i in $(ls -1 /var/lxc.rpm-$$); do + cp -a /var/lxc.rpm-$$/$i /var/lxc + done +fi + +chmod ugo+w /var/lxc + +setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-execute +setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-start %files %defattr(-,root,root) @@ -94,28 +124,6 @@ rm -rf %{buildroot} %changelog -* Thu Oct 9 2008 Daniel Lezcano - Version 0;3.0 -- Added checkpoint/restart API and CLI -- Added cgroup support -- Misc fixes - Details in Changelog file - -* Wed Sep 10 2008 Daniel Lezcano - Version 0.2.1 -- Added lxc-wait command line -- Added tty support for lxc-start -- Fixed rootfs absolute directory -- Improved system containers - -* Fri Sep 5 2008 Daniel Lezcano - Version 0.2.0 -- Fix typos in README -- Added empty container configuration -- Added empty network container configuration -- Added bind option for mount configuration -- Merged lxc and liblxc directories -- Changed monitoring mechanism -- Fixed child process should exit instead of returning on error -- Fixed lxc.h headers can be included in C++ code -- A lot of code cleanup and improvements - * Sun Aug 3 2008 Daniel Lezcano - Version 0.1.0 - Initial RPM release. diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index 53a0fa038..8542183df 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -111,3 +111,18 @@ lxc_restart_LDADD = liblxc.la lxc_version_SOURCES = lxc_version.c lxc_version_LDADD = liblxc.la + +install-exec-local: + -@/usr/sbin/setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-execute 2>&1 > /dev/null && \ + /usr/sbin/setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-start && \ + mkdir -p $(prefix)/var/lxc && \ + chmod ugo+rw $(prefix)/var/lxc || \ + (echo && echo && \ + echo "*****************************************************************" && \ + echo "* *" && \ + echo "* The installation failed to set file capabilities, that is ok, *" && \ + echo "* but you won't have enough privilege to run the 'lxc' commands *" && \ + echo "* and you will need to run them as 'root' yourself. *" && \ + echo "* *" && \ + echo "*****************************************************************" && \ + echo && echo) \ No newline at end of file diff --git a/src/lxc/destroy.c b/src/lxc/destroy.c index e879a9cd5..9eb206f61 100644 --- a/src/lxc/destroy.c +++ b/src/lxc/destroy.c @@ -31,25 +31,6 @@ #include -static int dir_filter(const struct dirent *dirent) -{ - if (!strcmp(dirent->d_name, ".") || - !strcmp(dirent->d_name, "..")) - return 0; - return 1; -} - -static int is_empty_directory(const char *dirname) -{ - struct dirent **namelist; - int n; - - n = scandir(dirname, &namelist, dir_filter, alphasort); - if (n < 0) - lxc_log_syserror("failed to scan %s directory", dirname); - return n == 0; -} - static int remove_lxc_directory(const char *dirname) { char path[MAXPATHLEN]; @@ -61,13 +42,6 @@ static int remove_lxc_directory(const char *dirname) return -1; } - if (is_empty_directory(LXCPATH)) { - if (rmdir(LXCPATH)) { - lxc_log_syserror("failed to remove %s directory", LXCPATH); - return -1; - } - } - return 0; }