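    def prepare_unprivileged_config(uid_string, gid_string, network_devices_number, user):
        """
        Performs procedures without which unprivileged container creation is impossible
        :param uid_string: string with user ids in the format "from-to"
        :param gid_string: string with group ids in the format "from-to"
        :param network_devices_number: number of network devices available for unprivileged containers
        :param user: user, who gets the devices; the current user is used when empty
        :return: None
        :raises ValueError: if a range string is not "from-to" or its end is not greater than its start
        """
        # Local import: the values below end up in shell command lines and must be quoted
        import shlex

        def split_uids_guids(input_string):
            """
            Splits the string in the format "from-to" into a start/stop pair of integers
            :param input_string: the string in the format "from-to"
            :return: list of exactly two integers
            :raises ValueError: if the string does not hold two integers separated by "-"
            """
            parts = list(split_to_function(input_string, '-', int))
            if len(parts) != 2:
                raise ValueError('Expected a range in the format "from-to", got {0!r}'.format(input_string))
            return parts

        ConsoleHelper.__ensure_unprivileged_dirs_exist()
        uid_start, uid_stop = split_uids_guids(uid_string)
        gid_start, gid_stop = split_uids_guids(gid_string)
        # lxc.id_map entries carry a count, not an end id; an empty or inverted range is a caller error
        uid_count = uid_stop - uid_start
        gid_count = gid_stop - gid_start
        if uid_count <= 0 or gid_count <= 0:
            raise ValueError('Range end must be greater than range start: uids {0!r}, gids {1!r}'
                             .format(uid_string, gid_string))
        if not user:
            user = getuser()
        ConsoleHelper.__assign_uids_to_user(uid_start, uid_stop, user)
        ConsoleHelper.__assign_gids_to_user(gid_start, gid_stop, user)
        ConsoleHelper.__make_home_dir_executable()
        Config.create_dirs_for_unprivileged_container()
        # Only seed the config from the bundled default; an existing, possibly edited, file is kept
        if not path.exists(Config.UNPRIVILEGED_CONTAINER_CONFIG_PATH):
            copyfile(Config.default_unprivileged_config_resource_path(),
                     Config.UNPRIVILEGED_CONTAINER_CONFIG_PATH)
        with LxcConfig(Config.UNPRIVILEGED_CONTAINER_CONFIG_PATH) as config_file:
            config_file.set_value(ConsoleHelper.LXC_ID_MAP_KEY, 'u 0 {0} {1}'.format(uid_start, uid_count))
            config_file.append_value(ConsoleHelper.LXC_ID_MAP_KEY, 'g 0 {0} {1}'.format(gid_start, gid_count))
        # Adds slots for network devices in unprivileged containers.
        # The command line goes through a shell (note the pipe), so the interpolated user name and
        # device count are quoted as one argument instead of being spliced into a double-quoted string
        usernet_entry = '{0} veth lxcbr0 {1}'.format(user, network_devices_number)
        logged_console_call('echo {0} | sudo tee -a /etc/lxc/lxc-usernet'.format(shlex.quote(usernet_entry)),
                            mute=True)
        # Following line gives everyone write permissions into container backing store path.
        # NOTE(security): this leaves the backing store world-writable for every local account;
        # kept as-is because callers depend on it, but a group-scoped permission would be tighter
        logged_console_call('sudo chmod a+w ' + shlex.quote(Config.lxc_backing_store_path(True)))
        logging.info('Prepared uids %s and gids %s for unprivileged usage', uid_string, gid_string)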
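    def mount_backing_store_device(device, filesystem, unprivileged, option_input_string=''):
        """
        Mounts the *device* into a directory considering if container *unprivileged* with a set of options
        :param device: device to be mounted
        :param filesystem: filesystem of the device
        :param unprivileged: if the container is unprivileged
        :param option_input_string: whitespace-separated mount options, joined with "," for ``mount -o``
        :return: None
        """
        # Local import: device, filesystem, path and options are spliced into a shell command line
        import shlex

        mount_path = Config.lxc_backing_store_path(unprivileged)
        makedirs(mount_path, exist_ok=True)
        # str.split() with no separator already drops surrounding whitespace, so no per-item strip is needed
        option_set = set(option_input_string.split())
        if unprivileged:
            # FIXME: fixes the notification while deleting btrfs backed storage in unpriv. container,
            # but is applied to any unpriv. container w/o thinking about backing storage, BAD
            option_set.add('user_subvol_rm_allowed')
        # sorted() keeps the command line deterministic across runs; set iteration order is not
        option_string = '-o {0}'.format(shlex.quote(','.join(sorted(option_set)))) if option_set else ''
        logged_console_call('sudo mount -t {0} {1} {2} {3}'.format(
            shlex.quote(filesystem), shlex.quote(device), shlex.quote(mount_path), option_string))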