Class: OsCtld::UserControl::Supervisor::NamespacedClientHandler

Inherits:
Generic::ClientHandler show all
Defined in:
lib/osctld/user_control/supervisor.rb

Overview

Client handler for commands called from a container's user namespace.

The handler finds appropriate osctld user and passes control to standard client handler.

Instance Attribute Summary

Attributes inherited from Generic::ClientHandler

#opts

Instance Method Summary collapse

Methods inherited from Generic::ClientHandler

#communicate, #error, #error!, #initialize, #ok, #parse, #reply_error, #reply_ok, #request_stop, #send_data, #send_update, #server_version, #socket

Constructor Details

This class inherits a constructor from OsCtld::Generic::ClientHandler

Instance Method Details

#handle_cmd(req) ⇒ Object



25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
# File 'lib/osctld/user_control/supervisor.rb', line 25

def handle_cmd(req)
  return error('invalid input') unless req.is_a?(Hash)

  # For now, allow only ct_autodev
  if !%w(ct_autodev ct_pre_mount ct_post_mount).include?(req[:cmd])
    return error('invalid cmd')
  end

  # Find out which user has connected
  cred = @sock.getsockopt(Socket::SOL_SOCKET, Socket::SO_PEERCRED)
  pid, uid, gid = cred.unpack('LLL')

  # Locate the user in DB using the uid of the caller process' grandparent:
  # - caller: lxc hook
  # - parent: lxc-start, future /sbin/init
  # - grandparent: lxc-start running within the host namespace
  process = OsCtl::Lib::OsProcess.new(pid)
  gpuid = process.grandparent.ruid

  user = DB::Users.get.detect do |u|
    u.pool.name == req[:opts][:pool] && u.ugid == gpuid
  end

  unless user
    log(:warn, "Unable to find user for pid=#{pid},uid=#{uid},gid=#{gid}")
    return error('invalid user')
  end

  # Just to be sure that we have the right user, compare the caller's
  # uid/gid with the user's uid/gid within user namespace.
  {
    uid: [user.uid_map.ns_to_host(0), uid],
    gid: [user.gid_map.ns_to_host(0), gid],
  }.each do |type, ids|
    expected, got = ids

    if expected != got
      log(:warn, "Caller's #{type} does not match the located user: "+
                 "user=#{user.ident}, expected #{type}=#{expected}, "+
                 "got #{type}=#{got}")
      return error('invalid user')
    end
  end

  req[:opts].update(client_pid: pid) if req[:opts].is_a?(Hash)

  # Forward to a real client handler
  log(:info, "Forwarding request to user #{user.ident}")
  handler = ClientHandler.new(@sock, user: user)
  handler.handle_cmd(req)
end

#log_typeObject



77
78
79
# File 'lib/osctld/user_control/supervisor.rb', line 77

def log_type
  self.class.name
end