forked from canonical/lxd
/
instance.go
379 lines (304 loc) · 11.8 KB
/
instance.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
package shared
import (
"fmt"
"regexp"
"strconv"
"strings"
"time"
"github.com/pkg/errors"
"gopkg.in/robfig/cron.v2"
"github.com/lxc/lxd/shared/units"
"github.com/lxc/lxd/shared/validate"
)
// InstanceAction indicates the type of action being performed.
type InstanceAction string
// InstanceAction types.
const (
Stop InstanceAction = "stop"
Start InstanceAction = "start"
Restart InstanceAction = "restart"
Freeze InstanceAction = "freeze"
Unfreeze InstanceAction = "unfreeze"
)
// ConfigVolatilePrefix indicates the prefix used for volatile config keys.
const ConfigVolatilePrefix = "volatile."
// IsRootDiskDevice returns true if the given device representation is configured as root disk for
// an instance. It typically get passed a specific entry of api.Instance.Devices.
func IsRootDiskDevice(device map[string]string) bool {
// Root disk devices also need a non-empty "pool" property, but we can't check that here
// because this function is used with clients talking to older servers where there was no
// concept of a storage pool, and also it is used for migrating from old to new servers.
// The validation of the non-empty "pool" property is done inside the disk device itself.
if device["type"] == "disk" && device["path"] == "/" && device["source"] == "" {
return true
}
return false
}
// ErrNoRootDisk means there is no root disk device found.
var ErrNoRootDisk = fmt.Errorf("No root device could be found")
// GetRootDiskDevice returns the instance device that is configured as root disk.
// Returns the device name and device config map.
func GetRootDiskDevice(devices map[string]map[string]string) (string, map[string]string, error) {
var devName string
var dev map[string]string
for n, d := range devices {
if IsRootDiskDevice(d) {
if devName != "" {
return "", nil, fmt.Errorf("More than one root device found")
}
devName = n
dev = d
}
}
if devName != "" {
return devName, dev, nil
}
return "", nil, ErrNoRootDisk
}
// HugePageSizeKeys is a list of known hugepage size configuration keys.
var HugePageSizeKeys = [...]string{"limits.hugepages.64KB", "limits.hugepages.1MB", "limits.hugepages.2MB", "limits.hugepages.1GB"}
// HugePageSizeSuffix contains the list of known hugepage size suffixes.
var HugePageSizeSuffix = [...]string{"64KB", "1MB", "2MB", "1GB"}
// KnownInstanceConfigKeys maps all fully defined, well-known config keys
// to an appropriate checker function, which validates whether or not a
// given value is syntactically legal.
var KnownInstanceConfigKeys = map[string]func(value string) error{
"boot.autostart": validate.Optional(validate.IsBool),
"boot.autostart.delay": validate.Optional(validate.IsInt64),
"boot.autostart.priority": validate.Optional(validate.IsInt64),
"boot.stop.priority": validate.Optional(validate.IsInt64),
"boot.host_shutdown_timeout": validate.Optional(validate.IsInt64),
"limits.cpu": func(value string) error {
if value == "" {
return nil
}
// Validate the character set
match, _ := regexp.MatchString("^[-,0-9]*$", value)
if !match {
return fmt.Errorf("Invalid CPU limit syntax")
}
// Validate first character
if strings.HasPrefix(value, "-") || strings.HasPrefix(value, ",") {
return fmt.Errorf("CPU limit can't start with a separator")
}
// Validate last character
if strings.HasSuffix(value, "-") || strings.HasSuffix(value, ",") {
return fmt.Errorf("CPU limit can't end with a separator")
}
return nil
},
"limits.cpu.allowance": func(value string) error {
if value == "" {
return nil
}
if strings.HasSuffix(value, "%") {
// Percentage based allocation
_, err := strconv.Atoi(strings.TrimSuffix(value, "%"))
if err != nil {
return err
}
return nil
}
// Time based allocation
fields := strings.SplitN(value, "/", 2)
if len(fields) != 2 {
return fmt.Errorf("Invalid allowance: %s", value)
}
_, err := strconv.Atoi(strings.TrimSuffix(fields[0], "ms"))
if err != nil {
return err
}
_, err = strconv.Atoi(strings.TrimSuffix(fields[1], "ms"))
if err != nil {
return err
}
return nil
},
"limits.cpu.priority": validate.Optional(validate.IsPriority),
"limits.disk.priority": validate.Optional(validate.IsPriority),
"limits.hugepages.64KB": validate.Optional(validate.IsSize),
"limits.hugepages.1MB": validate.Optional(validate.IsSize),
"limits.hugepages.2MB": validate.Optional(validate.IsSize),
"limits.hugepages.1GB": validate.Optional(validate.IsSize),
"limits.memory": func(value string) error {
if value == "" {
return nil
}
if strings.HasSuffix(value, "%") {
_, err := strconv.ParseInt(strings.TrimSuffix(value, "%"), 10, 64)
if err != nil {
return err
}
return nil
}
_, err := units.ParseByteSizeString(value)
if err != nil {
return err
}
return nil
},
"limits.memory.enforce": func(value string) error {
return validate.IsOneOf(value, []string{"soft", "hard"})
},
"limits.memory.swap": validate.Optional(validate.IsBool),
"limits.memory.swap.priority": validate.Optional(validate.IsPriority),
"limits.memory.hugepages": validate.Optional(validate.IsBool),
"limits.network.priority": validate.Optional(validate.IsPriority),
"limits.processes": validate.Optional(validate.IsInt64),
"linux.kernel_modules": validate.IsAny,
"migration.incremental.memory": validate.Optional(validate.IsBool),
"migration.incremental.memory.iterations": validate.Optional(validate.IsUint32),
"migration.incremental.memory.goal": validate.Optional(validate.IsUint32),
"migration.stateful": validate.Optional(validate.IsBool),
"nvidia.runtime": validate.Optional(validate.IsBool),
"nvidia.driver.capabilities": validate.IsAny,
"nvidia.require.cuda": validate.IsAny,
"nvidia.require.driver": validate.IsAny,
"security.nesting": validate.Optional(validate.IsBool),
"security.privileged": validate.Optional(validate.IsBool),
"security.devlxd": validate.Optional(validate.IsBool),
"security.devlxd.images": validate.Optional(validate.IsBool),
"security.protection.delete": validate.Optional(validate.IsBool),
"security.protection.shift": validate.Optional(validate.IsBool),
"security.idmap.base": validate.Optional(validate.IsUint32),
"security.idmap.isolated": validate.Optional(validate.IsBool),
"security.idmap.size": validate.Optional(validate.IsUint32),
"security.secureboot": validate.Optional(validate.IsBool),
"security.syscalls.allow": validate.IsAny,
"security.syscalls.blacklist_default": validate.Optional(validate.IsBool),
"security.syscalls.blacklist_compat": validate.Optional(validate.IsBool),
"security.syscalls.blacklist": validate.IsAny,
"security.syscalls.deny_default": validate.Optional(validate.IsBool),
"security.syscalls.deny_compat": validate.Optional(validate.IsBool),
"security.syscalls.deny": validate.IsAny,
"security.syscalls.intercept.bpf": validate.Optional(validate.IsBool),
"security.syscalls.intercept.bpf.devices": validate.Optional(validate.IsBool),
"security.syscalls.intercept.mknod": validate.Optional(validate.IsBool),
"security.syscalls.intercept.mount": validate.Optional(validate.IsBool),
"security.syscalls.intercept.mount.allowed": validate.IsAny,
"security.syscalls.intercept.mount.fuse": validate.IsAny,
"security.syscalls.intercept.mount.shift": validate.Optional(validate.IsBool),
"security.syscalls.intercept.setxattr": validate.Optional(validate.IsBool),
"security.syscalls.whitelist": validate.IsAny,
"snapshots.schedule": func(value string) error {
if value == "" {
return nil
}
if len(strings.Split(value, " ")) != 5 {
return fmt.Errorf("Schedule must be of the form: <minute> <hour> <day-of-month> <month> <day-of-week>")
}
_, err := cron.Parse(fmt.Sprintf("* %s", value))
if err != nil {
return errors.Wrap(err, "Error parsing schedule")
}
return nil
},
"snapshots.schedule.stopped": validate.Optional(validate.IsBool),
"snapshots.pattern": validate.IsAny,
"snapshots.expiry": func(value string) error {
// Validate expression
_, err := GetSnapshotExpiry(time.Time{}, value)
return err
},
// Caller is responsible for full validation of any raw.* value
"raw.apparmor": validate.IsAny,
"raw.idmap": validate.IsAny,
"raw.lxc": validate.IsAny,
"raw.qemu": validate.IsAny,
"raw.seccomp": validate.IsAny,
"volatile.apply_template": validate.IsAny,
"volatile.base_image": validate.IsAny,
"volatile.last_state.idmap": validate.IsAny,
"volatile.last_state.power": validate.IsAny,
"volatile.idmap.base": validate.IsAny,
"volatile.idmap.current": validate.IsAny,
"volatile.idmap.next": validate.IsAny,
"volatile.apply_quota": validate.IsAny,
"volatile.uuid": validate.Optional(validate.IsUUID),
}
// ConfigKeyChecker returns a function that will check whether or not
// a provide value is valid for the associate config key. Returns an
// error if the key is not known. The checker function only performs
// syntactic checking of the value, semantic and usage checking must
// be done by the caller. User defined keys are always considered to
// be valid, e.g. user.* and environment.* keys.
func ConfigKeyChecker(key string) (func(value string) error, error) {
if f, ok := KnownInstanceConfigKeys[key]; ok {
return f, nil
}
if strings.HasPrefix(key, ConfigVolatilePrefix) {
if strings.HasSuffix(key, ".hwaddr") {
return validate.IsAny, nil
}
if strings.HasSuffix(key, ".name") {
return validate.IsAny, nil
}
if strings.HasSuffix(key, ".host_name") {
return validate.IsAny, nil
}
if strings.HasSuffix(key, ".mtu") {
return validate.IsAny, nil
}
if strings.HasSuffix(key, ".created") {
return validate.IsAny, nil
}
if strings.HasSuffix(key, ".id") {
return validate.IsAny, nil
}
if strings.HasSuffix(key, ".vlan") {
return validate.IsAny, nil
}
if strings.HasSuffix(key, ".spoofcheck") {
return validate.IsAny, nil
}
if strings.HasSuffix(key, ".apply_quota") {
return validate.IsAny, nil
}
if strings.HasSuffix(key, ".ceph_rbd") {
return validate.IsAny, nil
}
if strings.HasSuffix(key, ".driver") {
return validate.IsAny, nil
}
if strings.HasSuffix(key, ".uuid") {
return validate.IsAny, nil
}
}
if strings.HasPrefix(key, "environment.") {
return validate.IsAny, nil
}
if strings.HasPrefix(key, "user.") {
return validate.IsAny, nil
}
if strings.HasPrefix(key, "image.") {
return validate.IsAny, nil
}
if strings.HasPrefix(key, "limits.kernel.") &&
(len(key) > len("limits.kernel.")) {
return validate.IsAny, nil
}
return nil, fmt.Errorf("Unknown configuration key: %s", key)
}
// InstanceGetParentAndSnapshotName returns the parent instance name, snapshot name,
// and whether it actually was a snapshot name.
func InstanceGetParentAndSnapshotName(name string) (string, string, bool) {
fields := strings.SplitN(name, SnapshotDelimiter, 2)
if len(fields) == 1 {
return name, "", false
}
return fields[0], fields[1], true
}
// InstanceIncludeWhenCopying is used to decide whether to include a config item or not when copying an instance.
// The remoteCopy argument indicates if the copy is remote (i.e between LXD nodes) as this affects the keys kept.
func InstanceIncludeWhenCopying(configKey string, remoteCopy bool) bool {
if configKey == "volatile.base_image" {
return true // Include volatile.base_image always as it can help optimize copies.
}
if configKey == "volatile.last_state.idmap" && !remoteCopy {
return true // Include volatile.last_state.idmap when doing local copy to avoid needless remapping.
}
if strings.HasPrefix(configKey, ConfigVolatilePrefix) {
return false // Exclude all other volatile keys.
}
return true // Keep all other keys.
}