From 39fd32080205aebe8a59936b9b6a76ae04b6f047 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sat, 12 Mar 2016 07:32:19 +0100
Subject: Adding capability and drop-capability config option.

Signed-off-by: Daniel Baumann
---
 lib/container/create | 16 ++++++++++++++--
 lib/container/start | 26 +++++++++++++++++++++++++-
 share/config/container.conf.in | 2 ++
 share/man/container-create.1.txt | 6 ++++++
 4 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/lib/container/create b/lib/container/create
index cfee91a..3411832 100755
--- a/lib/container/create
+++ b/lib/container/create
@@ -25,7 +25,7 @@ MACHINES="/var/lib/machines"
 
 Parameters ()
 {
- LONG_OPTIONS="name:,cnt.autostart:,bind:,script:"
+ LONG_OPTIONS="name:,cnt.autostart:,bind:,capability:,drop-capability:script:"
 OPTIONS="n:,b:,c:,d:,s:"
 
 PARAMETERS="$(getopt --longoptions ${LONG_OPTIONS} --name=${COMMAND} --options ${OPTIONS} --shell sh -- ${@})"
@@ -56,6 +56,16 @@ Parameters ()
 shift 2
 ;;
 
+ -c|--capability) CAPABILITY="${2}" shift 2 ;;
+ -d|--drop-capability) DROP_CAPABILITY="${2}" shift 2 ;;
+
 -s|--script)
 SCRIPT="${2}"
 shift 2
@@ -76,7 +86,7 @@ Parameters ()
 
 Usage ()
 {
- echo "Usage: container ${COMMAND} -n|--name NAME [--cnt.autostart=true|false|FQDN] [-b|--bind DIRECTORY:DIRECTORY[:OPTIONS]] [-s|--script SCRIPT] [-- SCRIPT_OPTIONS]" >&2
+ echo "Usage: container ${COMMAND} -n|--name NAME [--cnt.autostart=true|false|FQDN] [-b|--bind DIRECTORY:DIRECTORY[:OPTIONS]] [-c|--capability CAPABILITY[,CAPABILITY]] [-d|--drop-capability DROP_CAPABILITY[,DROP_CAPABILITY]] [-s|--script SCRIPT] [-- SCRIPT_OPTIONS]" >&2
 exit 1
 }
 
@@ -121,7 +131,9 @@ sed -e "s|@CNT_AUTOSTART@|${CNT_AUTOSTART}|g" \
 -e "s|@NAME@|${NAME}|g" \
 -e "s|@BIND@|${BIND}|g" \
 -e "s|@BOOT@|yes|g" \
+ -e "s|@CAPABILITY@|${CAPABILITY}|g" \
 -e "s|@DIRECTORY@|${MACHINES}/${NAME}|g" \
+ -e "s|@DROP_CAPABILITY@|${DROP_CAPABILITY}|g" \
 -e "s|@MACHINE@|${NAME}|g" \
 -e "s|@NETWORK_VETH@|yes|g" \
 -e "s|@NETWORK_BRIDGE@|br0|g" \
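Review bot: The new LONG_OPTIONS string is missing the comma between `drop-capability:` and `script:`, so getopt no longer sees a `script` long option and `--script` will be rejected as unrecognised. The line should read `LONG_OPTIONS="name:,cnt.autostart:,bind:,capability:,drop-capability:,script:"`. The short letters `c` and `d` are already present in OPTIONS on the next line, so only the long form is affected.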
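Review bot: The `-c|--capability` and `-d|--drop-capability` cases store the operand without any check, and the sed hunk further down substitutes `${CAPABILITY}` and `${DROP_CAPABILITY}` into a `|`-delimited `s` expression unescaped, so a value containing `|`, `&` or `\` corrupts the template substitution, and whatever survives is written verbatim into the container's config file. Since the usage text only admits comma-separated capability names, a one-line guard before each assignment keeps the rest of the pipeline honest: `case "${2}" in *[!A-Za-z0-9_,]*) Usage ;; esac`, using the Usage function this file defines. The existing `--bind` handling has the same exposure but is outside this change. Parameters () starts before this hunk and continues after it.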
diff --git a/lib/container/start b/lib/container/start
index dc84f94..0588db5 100755
--- a/lib/container/start
+++ b/lib/container/start
@@ -156,9 +156,33 @@ then
 ;;
 esac
 
+ CAPABILITY="$(awk -F= '/^capability=/ { print $2 }' ${CONFIG}/${NAME}.conf)"
+
+ case "${CAPABILITY}" in
+ "")
+ CAPABILITY=""
+ ;;
+
+ *)
+ CAPABILITY="--capability=${CAPABILITY}"
+ ;;
+ esac
+
 DIRECTORY="$(awk -F= '/^directory=/ { print $2 }' ${CONFIG}/${NAME}.conf || echo ${MACHINES}/${NAMES})"
 DIRECTORY="--directory ${DIRECTORY}"
 
+ DROP_CAPABILITY="$(awk -F= '/^drop-capability=/ { print $2 }' ${CONFIG}/${NAME}.conf)"
+
+ case "${DROP_CAPABILITY}" in
+ "")
+ DROP_CAPABILITY=""
+ ;;
+
+ *)
+ DROP_CAPABILITY="--drop-capability=${DROP_CAPABILITY}"
+ ;;
+ esac
+
 MACHINE="--machine=${NAME}"
 
 NETWORK_BRIDGE="$(awk -F= '/^network-bridge=/ { print $2 }' ${CONFIG}/${NAME}.conf)"
@@ -211,4 +235,4 @@ then
 fi
 
 # Run
-${SETARCH} systemd-nspawn ${BIND} ${BOOT} ${DIRECTORY} ${MACHINE} ${NETWORK_BRIDGE} ${NETWORK_VETH} ${LINK_JOURNAL} ${REGISTER}
+${SETARCH} systemd-nspawn ${BIND} ${BOOT} ${CAPABILITY} ${DIRECTORY} ${DROP_CAPABILITY} ${MACHINE} ${NETWORK_BRIDGE} ${NETWORK_VETH} ${LINK_JOURNAL} ${REGISTER}
diff --git a/share/config/container.conf.in b/share/config/container.conf.in
index 5b52c7d..6d91860 100644
--- a/share/config/container.conf.in
+++ b/share/config/container.conf.in
@@ -4,7 +4,9 @@ cnt.autostart=@CNT_AUTOSTART@
 bind=@BIND@
 boot=@BOOT@
+capability=@CAPABILITY@
 directory=@DIRECTORY@
+drop-capability=@DROP_CAPABILITY@
 machine=@MACHINE@
 network-veth=@NETWORK_VETH@
 network-bridge=@NETWORK_BRIDGE@
diff --git a/share/man/container-create.1.txt b/share/man/container-create.1.txt
index 8d9bd06..5277f22 100644
--- a/share/man/container-create.1.txt
+++ b/share/man/container-create.1.txt
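Review bot: The `capability=` value read from `${CONFIG}/${NAME}.conf` is turned into a systemd-nspawn argument without any validation, and on the Run line in the next hunk `${CAPABILITY}` and `${DROP_CAPABILITY}` are expanded unquoted, so a config value containing whitespace becomes extra nspawn arguments rather than a capability list. Because this setting widens what the container may do, the `case` should reject anything that is not a comma-separated list of capability names, e.g. an extra branch `*[!A-Za-z0-9_,]*) echo "invalid capability list in ${CONFIG}/${NAME}.conf" >&2; exit 1 ;;` before the `*)` branch, with the same branch in the `drop-capability` case below it. The `"") CAPABILITY="" ;;` branch is a no-op since the variable is already empty; `"") ;;` says the same with less to read. The enclosing `if` block opens before this hunk (the header shows its `then`), so the surrounding condition is not visible here.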
@@ -44,6 +44,12 @@ The following container-create options are available:
 *-n, --name='NAME'*::
 Specify container name.
 
+*-c, --capability='CAPABILITY'*::
+ Specify capabilities to grant, see capabilities(7).
+
+*-d, --drop-capability='DROP_CAPABILITY'*::
+ Specify capabilities to drop, see capabilities(7).
+
 *-s, --script='SCRIPT'*::
 Specify container creation script, defaults to debootstrap.
-- 
cgit v1.2.3