Browse files

Give the ability to non-root user to play with the containers. This f…

…eature

relies on the file capabilities, when the lxc commands are installed, the
sys/net admin capabilities are given to these files. These capabilities are
not available for the application running inside the container.
  • Loading branch information...
1 parent 96c9f96 commit 805415fcebeea70abb27025f8ad0518ead78cc08 dlezcano committed Oct 24, 2008
Showing with 81 additions and 53 deletions.
  1. +33 −2 configure.in
  2. +33 −25 lxc.spec.in
  3. +15 −0 src/lxc/Makefile.am
  4. +0 −26 src/lxc/destroy.c
View
35 configure.in
@@ -1,7 +1,7 @@
# -*- Autoconf -*-
# Process this file with autoconf to produce a configure script.
-AC_INIT([lxc], [0.3.0])
+AC_INIT([lxc], [0.4.0])
AC_CONFIG_SRCDIR([configure.in])
AC_CONFIG_AUX_DIR([config])
@@ -12,6 +12,8 @@ AC_PROG_RANLIB
AM_PROG_CC_C_O
AC_GNU_SOURCE
AC_PROG_LIBTOOL
+AC_CHECK_PROG(SETCAP, setcap, yes, no, "/usr/sbin")
+
AC_CHECK_HEADERS([linux/netlink.h linux/genetlink.h], [], AC_MSG_ERROR([netlink headers not found]),
[#include <linux/types.h>
#include <bits/sockaddr.h>
@@ -29,7 +31,7 @@ AC_CONFIG_FILES([
src/Makefile
src/lxc/Makefile
src/lxc/lxc-ps
- src/lxc/lxc-checkconfig
+ src/lxc/lxc-checkconfig
etc/Makefile
etc/lxc-macvlan.conf
etc/lxc-no-netns.conf
@@ -41,3 +43,32 @@ AC_CONFIG_FILES([
])
AC_CONFIG_COMMANDS([default],[[]],[[]])
AC_OUTPUT
+
+if test "x$SETCAP" = "xno"; then
+ AC_MSG_NOTICE([
+
+Warning:
+--------
+
+The libcap-2 is not installed. That means the tools to
+set the privilege for the lxc commands are not available
+and you will need to run these commands as root
+
+])
+
+else
+
+ AC_MSG_NOTICE([
+
+Advice:
+-------
+
+When installing the tools, it is adviced to install as
+root, so the privilege for the commands will be set and
+they will be usable by non-root user
+
+ make && sudo make install
+
+])
+
+fi
View
58 lxc.spec.in
@@ -50,16 +50,26 @@ Source: %name/%name-%version.tar.gz
BuildRoot: %_tmppath/%name-%version-root
%description
-%name is a set of command line to manage containers
+
+The package "%name" provides the command lines to create and manage
+containers. It contains a full featured container with the isolation
+/ virtualization of the pids, the ipc, the utsname, the mount points,
+/proc, /sys, the network and it takes into account the control groups.
+It is very light, flexible, and provides a set of tools around the
+container like the monitoring with asynchronous events notification,
+or the freeze of the container. This package is useful to create
+Virtual Private Server, or to run isolated applications like bash or
+sshd.
%package devel
Release: %{rel}
Summary: development library for %{name}
+Requires: libcap
Group: Application/System
%description devel
-The %{name}-devel package contains header files and library needed for development
-of containers
+The %{name}-devel package contains header files and library needed for
+development of containers
%prep
%setup -q
@@ -72,12 +82,32 @@ make -j$ncpus
%install
rm -rf %{buildroot}
+
%makeinstall
%clean
rm -rf %{buildroot}
%post
+if [ -d /var/lxc ]; then
+ for i in $(ls -1 /var/lxc); do
+ chmod -fR go-rwx /var/lxc/$i
+ done
+ mv /var/lxc /var/lxc.rpm-$$
+fi
+
+mkdir -p /var/lxc
+
+if [ -d /var/lxc.rpm-$$ ]; then
+ for i in $(ls -1 /var/lxc.rpm-$$); do
+ cp -a /var/lxc.rpm-$$/$i /var/lxc
+ done
+fi
+
+chmod ugo+w /var/lxc
+
+setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-execute
+setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep %{_bindir}/lxc-start
%files
%defattr(-,root,root)
@@ -94,28 +124,6 @@ rm -rf %{buildroot}
%changelog
-* Thu Oct 9 2008 Daniel Lezcano <dlezcano@fr.ibm.com> - Version 0;3.0
-- Added checkpoint/restart API and CLI
-- Added cgroup support
-- Misc fixes - Details in Changelog file
-
-* Wed Sep 10 2008 Daniel Lezcano <dlezcano@fr.ibm.com> - Version 0.2.1
-- Added lxc-wait command line
-- Added tty support for lxc-start
-- Fixed rootfs absolute directory
-- Improved system containers
-
-* Fri Sep 5 2008 Daniel Lezcano <dlezcano@fr.ibm.com> - Version 0.2.0
-- Fix typos in README
-- Added empty container configuration
-- Added empty network container configuration
-- Added bind option for mount configuration
-- Merged lxc and liblxc directories
-- Changed monitoring mechanism
-- Fixed child process should exit instead of returning on error
-- Fixed lxc.h headers can be included in C++ code
-- A lot of code cleanup and improvements
-
* Sun Aug 3 2008 Daniel Lezcano <dlezcano@fr.ibm.com> - Version 0.1.0
- Initial RPM release.
View
15 src/lxc/Makefile.am
@@ -111,3 +111,18 @@ lxc_restart_LDADD = liblxc.la
lxc_version_SOURCES = lxc_version.c
lxc_version_LDADD = liblxc.la
+
+install-exec-local:
+ -@/usr/sbin/setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-execute 2>&1 > /dev/null && \
+ /usr/sbin/setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep $(bindir)/lxc-start && \
+ mkdir -p $(prefix)/var/lxc && \
+ chmod ugo+rw $(prefix)/var/lxc || \
+ (echo && echo && \
+ echo "*****************************************************************" && \
+ echo "* *" && \
+ echo "* The installation failed to set file capabilities, that is ok, *" && \
+ echo "* but you won't have enough privilege to run the 'lxc' commands *" && \
+ echo "* and you will need to run them as 'root' yourself. *" && \
+ echo "* *" && \
+ echo "*****************************************************************" && \
+ echo && echo)
View
26 src/lxc/destroy.c
@@ -31,25 +31,6 @@
#include <lxc/lxc.h>
-static int dir_filter(const struct dirent *dirent)
-{
- if (!strcmp(dirent->d_name, ".") ||
- !strcmp(dirent->d_name, ".."))
- return 0;
- return 1;
-}
-
-static int is_empty_directory(const char *dirname)
-{
- struct dirent **namelist;
- int n;
-
- n = scandir(dirname, &namelist, dir_filter, alphasort);
- if (n < 0)
- lxc_log_syserror("failed to scan %s directory", dirname);
- return n == 0;
-}
-
static int remove_lxc_directory(const char *dirname)
{
char path[MAXPATHLEN];
@@ -61,13 +42,6 @@ static int remove_lxc_directory(const char *dirname)
return -1;
}
- if (is_empty_directory(LXCPATH)) {
- if (rmdir(LXCPATH)) {
- lxc_log_syserror("failed to remove %s directory", LXCPATH);
- return -1;
- }
- }
-
return 0;
}

0 comments on commit 805415f

Please sign in to comment.