From b30faa43c28b592febd83a7fd3a58247de6b27bc Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 6 Apr 2024 21:06:06 +0200 Subject: container: T6208: rename "cap-add" CLI node to "capability" Containers have the ability to add Linux system capabilities to them, this is done using the "set container name cap-add" command. The CLI node sounds off and rather should be "set container name capability" instead as we use and pass a capability to a container and not add/invent new ones. --- interface-definitions/container.xml.in | 4 +- .../include/version/container-version.xml.i | 2 +- smoketest/config-tests/container-simple | 12 ++++++ smoketest/configs/container-simple | 46 ++++++++++++++++++++ src/conf_mode/container.py | 13 +++--- src/migration-scripts/container/1-to-2 | 50 ++++++++++++++++++++++ 6 files changed, 117 insertions(+), 10 deletions(-) create mode 100644 smoketest/config-tests/container-simple create mode 100644 smoketest/configs/container-simple create mode 100755 src/migration-scripts/container/1-to-2 diff --git a/interface-definitions/container.xml.in b/interface-definitions/container.xml.in index 7e1f4811a..94f2e92f5 100644 --- a/interface-definitions/container.xml.in +++ b/interface-definitions/container.xml.in @@ -21,9 +21,9 @@ - + - Container capabilities/permissions + Grant individual Linux capability to container instance net-admin net-bind-service net-raw setpcap sys-admin sys-module sys-time diff --git a/interface-definitions/include/version/container-version.xml.i b/interface-definitions/include/version/container-version.xml.i index 129469cec..ed6e942cd 100644 --- a/interface-definitions/include/version/container-version.xml.i +++ b/interface-definitions/include/version/container-version.xml.i @@ -1,3 +1,3 @@ - + diff --git a/smoketest/config-tests/container-simple b/smoketest/config-tests/container-simple new file mode 100644 index 000000000..299af64cb --- /dev/null +++ b/smoketest/config-tests/container-simple 
@@ -0,0 +1,12 @@
+set system config-management commit-revisions '50'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0'
+set system login user vyos authentication plaintext-password ''
+set system console device ttyS0 speed '115200'
+set container name c01 allow-host-networks
+set container name c01 capability 'net-bind-service'
+set container name c01 capability 'net-raw'
+set container name c01 image 'busybox:stable'
+set container name c02 allow-host-networks
+set container name c02 capability 'sys-time'
+set container name c02 image 'busybox:stable'
diff --git a/smoketest/configs/container-simple b/smoketest/configs/container-simple
new file mode 100644
index 000000000..05efe05e9
--- /dev/null
+++ b/smoketest/configs/container-simple
@@ -0,0 +1,46 @@
+container {
+ name c01 {
+ allow-host-networks
+ cap-add net-bind-service
+ cap-add net-raw
+ image busybox:stable
+ }
+ name c02 {
+ allow-host-networks
+ cap-add sys-time
+ image busybox:stable
+ }
+}
+interfaces {
+ ethernet eth0 {
+ duplex auto
+ speed auto
+ }
+ ethernet eth1 {
+ duplex auto
+ speed auto
+ }
+}
+system {
+ config-management {
+ commit-revisions 50
+ }
+ console {
+ device ttyS0 {
+ speed 115200
+ }
+ }
+ host-name vyos
+ login {
+ user vyos {
+ authentication {
+ encrypted-password $6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0
+ plaintext-password ""
+ }
+ }
+ }
+}
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@23:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
+// Release version: 1.3.6
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 910a92a7c..abd2c5f21 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -262,12 +262,11 @@ def generate_run_arguments(name, container_config):
 restart = container_config['restart']
 
 # Add capability options. Should be in uppercase
- cap_add = ''
- if 'cap_add' in container_config:
- for c in container_config['cap_add']:
- c = c.upper()
- c = c.replace('-', '_')
- cap_add += f' --cap-add={c}'
+ capabilities = ''
+ if 'capability' in container_config:
+ for cap in container_config['capability']:
+ cap = c.upper().replace('-', '_')
+ capabilities += f' --cap-add={cap}'
 
 # Add a host device to the container /dev/x:/dev/x
 device = ''
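Review bot: The rewritten loop in generate_run_arguments still reads the old loop variable: `cap = c.upper().replace('-', '_')` references `c`, which no longer exists once the iteration variable was renamed to `cap`, so the first commit with any `capability` configured will fail with a NameError instead of passing `--cap-add` to the runtime. The line should read `cap = cap.upper().replace('-', '_')`. The config-tests fixture added in this commit sets `capability` on both containers, so that smoketest would presumably exercise this path and catch it. generate_run_arguments starts and ends outside the hunk.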
@@ -330,7 +329,7 @@ def generate_run_arguments(name, container_config):
 prop = vol_config['propagation']
 volume += f' --volume {svol}:{dvol}:{mode},{prop}'
 
- container_base_cmd = f'--detach --interactive --tty --replace {cap_add} ' \
+ container_base_cmd = f'--detach --interactive --tty --replace {capabilities} ' \
 f'--memory {memory}m --shm-size {shared_memory}m --memory-swap 0 --restart {restart} ' \
 f'--name {name} {hostname} {device} {port} {volume} {env_opt} {label} {uid}'
 
diff --git a/src/migration-scripts/container/1-to-2 b/src/migration-scripts/container/1-to-2
new file mode 100755
index 000000000..408faf978
--- /dev/null
+++ b/src/migration-scripts/container/1-to-2
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2024 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# T6208: container: rename "cap-add" CLI node to "capability"
+
+from sys import argv
+from sys import exit
+from vyos.configtree import ConfigTree
+
+if len(argv) < 2:
+ print("Must specify file name!")
+ exit(1)
+
+file_name = argv[1]
+
+with open(file_name, 'r') as f:
+ config_file = f.read()
+
+base = ['container', 'name']
+config = ConfigTree(config_file)
+
+# Check if containers exist and we need to perform image manipulation
+if not config.exists(base):
+ # Nothing to do
+ exit(0)
+
+for container in config.list_nodes(base):
+ cap_path = base + [container, 'cap-add']
+ if config.exists(cap_path):
+ config.rename(cap_path, 'capability')
+
+try:
+ with open(file_name, 'w') as f:
+ f.write(config.to_string())
+except OSError as e:
+ print(f'Failed to save the modified config: {e}')
+ exit(1)
-- cgit v1.2.3
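Review bot: The comment above the existence check, `# Check if containers exist and we need to perform image manipulation`, describes a different migration; this script only renames the `cap-add` node under each container, so a comment such as `# Nothing to rename unless at least one container is defined` would match what the code does. The read of `file_name` is a bare `with open(...)` while the write is wrapped in `try/except OSError` and reports the failure; if the project's other migration scripts follow the same pattern this is fine, otherwise an unreadable or missing file would surface as a traceback rather than the usual message. `from sys import exit` shadows the builtin; `import sys` and `sys.exit(...)` would be clearer, though this is minor.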