Add option to disable setting host ACL on a share (#79)

* Add option to disable setting host ACL on a share This option defaults to True if not set so the existing behaviour stays the same. * Add some documentation about set_host_acl * Fix typo in set_host_acl documentation * Fix syntax for note was incorrect in conf.rst * Fixing grammar in shared folders docs
lxdock · May 15, 2017 · 6962c97 · 6962c97
1 parent 5cec815
commit 6962c97
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 1 deletion.
diff --git a/docs/conf.rst b/docs/conf.rst
@@ -265,6 +265,12 @@ of shared items. Each shared item should define a ``source`` (a path on your hos
   shares:
     - source: /path/to/my/workspace/project/
       dest: /myshare
+      set_host_acl: true
+
+.. note::
+
+  The ``set_host_acl`` parameter is optional and defaults to true when left out,
+  please refer to :doc:`usage/shared_folders` for more information.
 
 shell
 -----

diff --git a/docs/usage/shared_folders.rst b/docs/usage/shared_folders.rst
@@ -58,3 +58,31 @@ and will have read/write access to the shared folders:
     - name: test01
     - name: test02
       home: /opt/test02
+
+Disabling ACL support on shares
+-------------------------------
+
+By default ACLs will be turned on for all shares, however it is also possible to disable this
+functionality on a per-share basis.  One reason you might want to do this, is when you are
+using privileged containers and ensuring the container user matches the uid and gid
+of the host system.  This allows a share to be mapped without the use of ACLs, however the
+user should be aware of the security implications of making shares world-writable. This
+may be acceptable for development only containers for example.
+
+.. code-block:: yaml
+
+  name: myproject
+  image: ubuntu/xenial
+  privileged: yes
+
+  shares:
+    - source: .
+      dest: /myshare
+      set_host_acl: false
+
+  users:
+    - name: test01
+
+In this example, the Ansible provisioner can be used to change the uid and gid of
+the test01 user after it has been created by LXDock. How to implement this is
+up to the user, as LXDock does not provide a uid and gid option when creating users.
diff --git a/lxdock/conf/schema.py b/lxdock/conf/schema.py
@@ -20,6 +20,7 @@
         # The existence of the source directory will be checked!
         'source': IsDir(),
         'dest': str,
+        'set_host_acl': bool,
     }],
     'shell': {
         'user': str,

diff --git a/lxdock/container.py b/lxdock/container.py
@@ -394,7 +394,9 @@ def _setup_shares(self):
 
         for i, share in enumerate(self.options.get('shares', []), start=1):
             source = os.path.join(self.homedir, share['source'])
-            if source not in existing_sources:
+            # It is possible to disable setting host side ACL but by default it is always enabled.
+            set_host_acl = share.get('set_host_acl', True)
+            if set_host_acl and source not in existing_sources:
                 logger.info('Setting host-side ACL for {}'.format(source))
                 self._host.give_current_user_access_to_share(source)
                 if not self.is_privileged: