Add support for disks backed by plain files in LXC

By using a loopback device, disks backed by plain files can
be made available to LXC containers. We make no attempt to
auto-detect the format when <driver type="raw"/> is not set;
instead we unconditionally treat an unset format as raw. This
avoids the security issues inherent in format
auto-detection.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
上级 f0bfb630
......@@ -356,7 +356,7 @@ static int virLXCControllerValidateConsoles(virLXCControllerPtr ctrl)
}
static int virLXCControllerSetupLoopDevice(virDomainFSDefPtr fs)
static int virLXCControllerSetupLoopDeviceFS(virDomainFSDefPtr fs)
{
int lofd;
char *loname = NULL;
......@@ -377,6 +377,27 @@ static int virLXCControllerSetupLoopDevice(virDomainFSDefPtr fs)
}
static int virLXCControllerSetupLoopDeviceDisk(virDomainDiskDefPtr disk)
{
int lofd;
char *loname = NULL;
if ((lofd = virFileLoopDeviceAssociate(disk->src, &loname)) < 0)
return -1;
/*
* We now change it into a block device type, so that
* the rest of container setup 'just works'
*/
disk->type = VIR_DOMAIN_DISK_TYPE_BLOCK;
VIR_FREE(disk->src);
disk->src = loname;
loname = NULL;
return lofd;
}
static int virLXCControllerSetupLoopDevices(virLXCControllerPtr ctrl)
{
size_t i;
......@@ -389,7 +410,7 @@ static int virLXCControllerSetupLoopDevices(virLXCControllerPtr ctrl)
if (fs->type != VIR_DOMAIN_FS_TYPE_FILE)
continue;
fd = virLXCControllerSetupLoopDevice(fs);
fd = virLXCControllerSetupLoopDeviceFS(fs);
if (fd < 0)
goto cleanup;
......@@ -402,6 +423,48 @@ static int virLXCControllerSetupLoopDevices(virLXCControllerPtr ctrl)
ctrl->loopDevFds[ctrl->nloopDevs - 1] = fd;
}
for (i = 0 ; i < ctrl->def->ndisks ; i++) {
virDomainDiskDefPtr disk = ctrl->def->disks[i];
int fd;
if (disk->type != VIR_DOMAIN_DISK_TYPE_FILE)
continue;
switch (disk->format) {
/* We treat 'none' as meaning 'raw' since we
* don't want to go into the auto-probing
* business for security reasons
*/
case VIR_STORAGE_FILE_RAW:
case VIR_STORAGE_FILE_NONE:
if (disk->driverName &&
STRNEQ(disk->driverName, "loop")) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
_("disk driver %s is not supported"),
disk->driverName);
goto cleanup;
}
fd = virLXCControllerSetupLoopDeviceDisk(disk);
if (fd < 0)
goto cleanup;
default:
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
_("disk format %s is not supported"),
virStorageFileFormatTypeToString(disk->format));
goto cleanup;
}
VIR_DEBUG("Saving loop fd %d", fd);
if (VIR_EXPAND_N(ctrl->loopDevFds, ctrl->nloopDevs, 1) < 0) {
VIR_FORCE_CLOSE(fd);
virReportOOMError();
goto cleanup;
}
ctrl->loopDevFds[ctrl->nloopDevs - 1] = fd;
}
VIR_DEBUG("Setup all loop devices");
ret = 0;
......
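Review bot: As rendered, the `case VIR_STORAGE_FILE_RAW:` / `case VIR_STORAGE_FILE_NONE:` arm in the new disk loop of virLXCControllerSetupLoopDevices has no `break;` after the `if (fd < 0) goto cleanup;` check, so a successful loop setup falls through into `default:`, reports "disk format %s is not supported" and jumps to cleanup. On that path the fd returned by virLXCControllerSetupLoopDeviceDisk is neither stored in `ctrl->loopDevFds` nor closed. The cleanup label lies outside the visible hunk, but `fd` is declared inside the loop body, so it is unlikely to be released there, and the loop device would stay associated with the file. Add `break;` immediately before `default:` so that raw and unset formats reach the `VIR_EXPAND_N` bookkeeping. A short comment on virLXCControllerSetupLoopDeviceDisk would also help, stating that it rewrites `disk->type` and `disk->src` in place and that the caller owns the returned fd.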