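def prepare_unprivileged_config(uid_string, gid_string, network_devices_number, user):
    """
    Performs procedures without which unprivileged container creation is impossible

    Steps, in order: make sure the unprivileged directories exist, hand the
    requested sub-uid / sub-gid ranges to *user*, make the home directory
    executable, create the container directories, seed the default unprivileged
    config if none exists yet, write the id maps into it, register the network
    device slots in /etc/lxc/lxc-usernet and open the backing store path for
    writing.

    :param uid_string: string with user ids starting "from-to"
    :param gid_string: string with group ids starting "from-to"
    :param network_devices_number: number of network devices available for
        unprivileged containers; must be convertible with int()
    :param user: user, who gets the devices; the current user when falsy
    :raises ValueError: if *network_devices_number* is not an integer or *user*
        contains characters that are unsafe inside the shell command built below
    :return: None
    """
    def split_uids_guids(input_string):
        """
        Splits the string in the format "from-to" into two integers list

        :param input_string: the string in the format "from-to"
        :return: list of numbers
        """
        return split_to_function(input_string, '-', int)

    def checked_shell_token(value, description):
        """
        Returns *value* as a string if it is safe to interpolate unquoted into a
        shell command, otherwise raises ValueError

        Accepted: letters, digits, '.', '_' and '-' (not leading), which covers
        ordinary Linux account names. Everything else (quotes, '$', ';', '|',
        whitespace, ...) could alter the command, which runs under sudo.

        :param value: value that ends up inside the shell command
        :param description: name of the value, used in the error message
        :return: the value as a string
        """
        token = str(value)
        allowed = set('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-')
        if not token or token.startswith('-') or not set(token) <= allowed:
            raise ValueError('Unsafe {0} for shell command: {1!r}'.format(description, token))
        return token

    ConsoleHelper.__ensure_unprivileged_dirs_exist()

    uid_start, uid_stop = split_uids_guids(uid_string)
    gid_start, gid_stop = split_uids_guids(gid_string)
    # NOTE(review): the map size is "to - from"; whether "to" is meant to be
    # inclusive depends on how callers build the range string - confirm
    uid_count = uid_stop - uid_start
    gid_count = gid_stop - gid_start

    if not user:
        user = getuser()
    # Validate before anything is written: both values are interpolated into a
    # sudo shell command further down, and int() also rejects "3.0"-style input.
    user = checked_shell_token(user, 'user name')
    devices_number = int(network_devices_number)

    ConsoleHelper.__assign_uids_to_user(uid_start, uid_stop, user)
    ConsoleHelper.__assign_gids_to_user(gid_start, gid_stop, user)
    ConsoleHelper.__make_home_dir_executable()

    Config.create_dirs_for_unprivileged_container()
    # Seed the config from the bundled default only once; an existing file is kept.
    if not path.exists(Config.UNPRIVILEGED_CONTAINER_CONFIG_PATH):
        copyfile(Config.default_unprivileged_config_resource_path(),
                 Config.UNPRIVILEGED_CONTAINER_CONFIG_PATH)

    with LxcConfig(Config.UNPRIVILEGED_CONTAINER_CONFIG_PATH) as config_file:
        # The uid map replaces any previous value, the gid map is appended so
        # both lines end up under the same key.
        config_file.set_value(ConsoleHelper.LXC_ID_MAP_KEY,
                              'u 0 {0} {1}'.format(uid_start, uid_count))
        config_file.append_value(ConsoleHelper.LXC_ID_MAP_KEY,
                                 'g 0 {0} {1}'.format(gid_start, gid_count))

    # Adds slots for network devices in unprivileged containers
    logged_console_call('echo ' + '"{0} veth lxcbr0 {1}"'.format(user, devices_number)
                        + ' | sudo tee -a {0}'.format('/etc/lxc/lxc-usernet'), mute=True)
    # Following line gives everyone write permissions into container backing store path
    # NOTE(review): a+w makes the path world-writable; kept as existing behaviour.
    logged_console_call('sudo chmod a+w ' + Config.lxc_backing_store_path(True))

    logging.info('Prepared uids {0} and gids {1} for unprivileged usage'.format(uid_string, gid_string))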
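def mount_backing_store_device(device, filesystem, unprivileged, option_input_string=''):
    """
    Mounts the *device* into a directory considering if container *unprivileged*
    with a set of options

    The mount point comes from Config.lxc_backing_store_path(unprivileged) and is
    created when missing. Options are whitespace separated in *option_input_string*,
    de-duplicated while keeping their first-occurrence order and passed to mount
    comma-joined behind ``-o``.

    :param device: device to be mounted
    :param filesystem: filesystem of the device
    :param unprivileged: if the container is unprivileged
    :param option_input_string: string of whitespace separated options
    :return: None
    """
    mount_path = Config.lxc_backing_store_path(unprivileged)
    makedirs(mount_path, exist_ok=True)

    # A list instead of a set: set iteration order varies with the per-process
    # hash seed, which made the logged mount command differ between runs.
    options = []
    for option in option_input_string.split():
        if option not in options:
            options.append(option)

    if unprivileged and 'user_subvol_rm_allowed' not in options:
        # Fixes the notification while deleting btrfs backed storage in unpriv. container
        # applied to any unpriv. container w/o thinking about backing storage, BAD
        # FIXME
        options.append('user_subvol_rm_allowed')

    option_string = '-o {0}'.format(','.join(options)) if options else ''
    # NOTE(review): device, filesystem and the options are interpolated unquoted
    # into a sudo shell command; callers are expected to pass trusted values.
    logged_console_call('sudo mount -t {0} {1} {2} {3}'.format(filesystem, device, mount_path, option_string))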