author | Daniel Lezcano <dlezcano@fr.ibm.com> | 2009-03-24 13:56:37 +0100 |
---|---|---|
committer | Daniel Lezcano <dlezcano@fr.ibm.com> | 2009-03-24 16:57:41 +0100 |
commit | 237315ff5060d06b54f5e2006afde372a62979cd (patch) | |
tree | 9f3375370d34ca4ba8fd081a3549f971b41cd717 | |
parent | set mtu for netdev (diff) | |
Use a specific script to set the capabilities
Instead of having the capabilities to be set automatically,
it will be up to the user to set them through a specific
script 'lxc-setcap'.
After installing the lxc tools, if we want them to be available
to a non-root user, lxc-setcap will set the needed capabilities.
If, on reflection, we want to remove the capabilities,
'lxc-setcap -d' will do this for us.
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Acked-by: Guido Trotter <ultrotter@google.com>
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | configure.in | 13 | ||||
-rw-r--r-- | lxc.spec.in | 22 | ||||
-rw-r--r-- | src/lxc/Makefile.am | 39 | ||||
-rw-r--r-- | src/lxc/lxc-setcap.in | 103 |
5 files changed, 118 insertions, 60 deletions
@@ -43,6 +43,7 @@ src/lxc/lxc-init src/lxc/lxc-ls src/lxc/lxc-monitor src/lxc/lxc-netstat +src/lxc/lxc-setcap src/lxc/lxc-ps src/lxc/lxc-restart src/lxc/lxc-start diff --git a/configure.in b/configure.in index fa94008..0cc2f6e 100644 --- a/configure.in +++ b/configure.in @@ -96,7 +96,8 @@ AC_CONFIG_FILES([ src/lxc/lxc-ps src/lxc/lxc-ls src/lxc/lxc-netstat - src/lxc/lxc-checkconfig + src/lxc/lxc-checkconfig + src/lxc/lxc-setcap etc/Makefile etc/lxc-macvlan.conf @@ -142,12 +143,10 @@ else Advice: ------- -When installing the tools, it is adviced to install as -root, so the privilege for the commands will be set and -they will be usable by non-root user - - make && sudo make install - +If you which to have a non root user to use the lxc tools, +you can add the needed capabilities to the tools by invoking +the 'lxc-setcap' script. To remove the capabilities, use +'lxc-setcap -d' ]) fi diff --git a/lxc.spec.in b/lxc.spec.in index 86832d1..eb3829b 100644 --- a/lxc.spec.in +++ b/lxc.spec.in @@ -71,29 +71,12 @@ rm -rf %{buildroot} mkdir -p /var/lxc chmod ugo+w /var/lxc -setcap cap_sys_admin=ep %{_bindir}/lxc-init - -setcap cap_sys_admin=ep %{_bindir}/lxc-netstat - -setcap cap_sys_admin=ep %{_bindir}/lxc-create - -setcap cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \ - %{_bindir}/lxc-execute - -setcap cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \ - %{_bindir}/lxc-start - -setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \ - %{_bindir}/lxc-restart - -setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \ - %{_bindir}/lxc-unshare - %files %defattr(-,root,root) %{_sysconfdir}/%{name}/* %{_libdir}/*.so* %{_bindir}/* +%{_libexecdir}/* %{_mandir}/* %files devel 
@@ -104,6 +87,9 @@ setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \ %changelog +* Mon Mar 24 2009 Daniel Lezcano <daniel.lezcano@free.fr> - Version 0.6.1 +- Removed capability setting, let the user to do that through "lxc-setcap" + * Mon Feb 16 2009 Daniel Lezcano <daniel.lezcano@free.fr> - Version 0.6.0 - Added more capabilities to the executables diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index 28b7ac4..1c13c85 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -54,7 +54,8 @@ bin_SCRIPTS = \ lxc-ps \ lxc-netstat \ lxc-ls \ - lxc-checkconfig + lxc-checkconfig \ + lxc-setcap bin_PROGRAMS = \ lxc-unshare \ 
@@ -128,38 +129,6 @@ lxc_restart_LDADD = liblxc.la lxc_version_SOURCES = lxc_version.c lxc_version_LDADD = liblxc.la -install-libexecPROGRAMS: - setcap cap_sys_admin=ep $(libexecdir)/lxc-init - install-exec-local: - -@export PATH=$$PATH:/sbin:/usr/sbin && \ - mkdir -p $(localstatedir) && \ - \ - setcap cap_sys_admin=ep $(bindir)/lxc-create && \ - \ - setcap cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \ - $(bindir)/lxc-execute && \ - \ - setcap cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \ - $(bindir)/lxc-start && \ - \ - setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \ - $(bindir)/lxc-restart && \ - \ - setcap cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override=ep \ - $(bindir)/lxc-unshare && \ - \ - setcap cap_sys_admin=ep \ - $(bindir)/lxc-netstat && \ - \ - mkdir -p $(prefix)/var/lxc && \ - chmod ugo+rw $(prefix)/var/lxc || \ - (echo && echo && \ - echo "*****************************************************************" && \ - echo "* *" && \ - echo "* The installation failed to set file capabilities, that is ok, *" && \ - echo "* but you won't have enough privilege to run the 'lxc' commands *" && \ - echo "* and you will need to run them as 'root' yourself. *" && \ - echo "* *" && \ - echo "*****************************************************************" && \ - echo && echo) + @mkdir -p $(localstatedir) && mkdir -p $(prefix)/var/lxc && \ + chmod ugo+rw $(prefix)/var/lxc diff --git a/src/lxc/lxc-setcap.in b/src/lxc/lxc-setcap.in new file mode 100644 index 0000000..df903ba --- /dev/null +++ b/src/lxc/lxc-setcap.in 
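Review bot: `chmod ugo+rw $(prefix)/var/lxc` in the rewritten install-exec-local rule makes the container directory writable by every local user and sets no sticky bit, so one user can rename or delete another user's entries there. Now that capabilities are granted separately through lxc-setcap, the directory could be limited to the same set of users, for example a dedicated group with `chmod 2770 $(prefix)/var/lxc`, or `chmod 1777 $(prefix)/var/lxc` as a minimum. The rule also creates `$(localstatedir)` but then hard-codes `$(prefix)/var/lxc`, and neither path honours `$(DESTDIR)`; how the tools locate this directory is not visible in the hunk, so confirm which path they actually use.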
@@ -0,0 +1,103 @@
+#!/bin/bash
+
+#
+# lxc: linux Container library
+
+# Authors:
+# Daniel Lezcano <daniel.lezcano@free.fr>
+
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+#
+# This script allows to set or remove the capabilities on the lxc tools.
+# When the capabilities are set, a non root user can manage the containers.
+#
+
+LXC_CREATE_CAPS="cap_sys_admin"
+LXC_NETSTAT_CAPS="cap_sys_admin"
+LXC_INIT_CAPS="cap_sys_admin"
+LXC_UNSHARE_CAPS="cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override"
+LXC_START_CAPS="cap_sys_chroot,cap_setpcap,cap_net_admin,cap_net_raw,cap_sys_admin,cap_dac_override"
+LXC_EXECUTE_CAPS=$LXC_START_CAPS
+LXC_RESTART_CAPS=$LXC_START_CAPS
+
+LXC_DROP_CAPS=""
+
+usage()
+{
+ echo "lxc-setcap [-d] : set or remove capabilities on the lxc tools"
+}
+
+lxc_setcaps()
+{
+ setcap $LXC_CREATE_CAPS=ep @BINDIR@/lxc-create
+ setcap $LXC_EXECUTE_CAPS=ep @BINDIR@/lxc-execute
+ setcap $LXC_START_CAPS=ep @BINDIR@/lxc-start
+ setcap $LXC_RESTART_CAPS=ep @BINDIR@/lxc-restart
+ setcap $LXC_UNSHARE_CAPS=ep @BINDIR@/lxc-unshare
+ setcap $LXC_NETSTAT_CAPS=ep @BINDIR@/lxc-netstat
+ setcap $LXC_INIT_CAPS=ep @LIBEXECDIR@/lxc-init
+}
+
+lxc_dropcaps()
+{
+ setcap -r @BINDIR@/lxc-create
+ setcap -r @BINDIR@/lxc-execute
+ setcap -r @BINDIR@/lxc-start
+ setcap -r @BINDIR@/lxc-restart
+ setcap -r @BINDIR@/lxc-unshare
+ setcap -r @BINDIR@/lxc-netstat
+ setcap -r @LIBEXECDIR@/lxc-init
+}
+
+if [ "$(id -u)" != "0" ]; then
+ echo "You have to be root to run this script"
+ exit 1
+fi
+
+
+if [ $? != 0 ]; then
+ usage
+ exit 1
+fi
+
+set -- $(getopt dh $*)
+
+for i in $*; do
+ case "$1" in
+ -d)
+ LXC_DROP_CAPS="yes"
+ shift
+ ;;
+ -h)
+ usage
+ exit 0
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ usage
+ exit 1
+ ;;
+ esac
+done;
+
+if [ -z "$LXC_DROP_CAPS" ]; then
+ lxc_setcaps
+else
+ lxc_dropcaps
+fi |
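Review bot: None of the `setcap` calls in `lxc_setcaps` and `lxc_dropcaps` is checked, so the script's exit status reflects only the last call (lxc-init) and a binary can keep `cap_sys_admin` or `cap_dac_override` after an `lxc-setcap -d` run that looked clean. The `if [ $? != 0 ]` test also sits before `set -- $(getopt dh $*)`, so it tests the status left by the root check and, as far as the hunk shows, a getopt failure on an unknown option falls through to setting capabilities. The fence accumulates a status per call and checks getopt directly; `setcap -r` may also return non-zero on a file that carries no capabilities, so the drop path should handle that case deliberately, for example by confirming with `getcap`. The header comment should additionally say that once set, the capabilities are usable by every user who can execute the binaries, and recommend limiting execute permission to a dedicated group.

```shell
# … unchanged: licence header, capability lists, usage() …

lxc_setcaps()
{
    rc=0
    setcap "$LXC_CREATE_CAPS=ep" @BINDIR@/lxc-create || rc=1
    setcap "$LXC_EXECUTE_CAPS=ep" @BINDIR@/lxc-execute || rc=1
    # … same "|| rc=1" on the remaining five setcap calls …
    return $rc
}

# … lxc_dropcaps: same "|| rc=1" pattern on each "setcap -r" …
# … unchanged: root check …

args=$(getopt dh "$@") || { usage; exit 1; }
set -- $args

# … unchanged: option loop …

if [ -z "$LXC_DROP_CAPS" ]; then
    lxc_setcaps || { echo "lxc-setcap: some capabilities were not set" >&2; exit 1; }
else
    lxc_dropcaps || { echo "lxc-setcap: some capabilities were not removed" >&2; exit 1; }
fi
```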