[pve-devel] [PATCH pve-container] preserve posix capabilities

Wolfgang Bumiller w.bumiller at proxmox.com
Fri Nov 6 10:05:35 CET 2015


POSIX capabilities are stored as security.capability xattr.
The --xattrs option alone won't store anything outside the
usernamespace, so we have to specifically ask for this
capability to be included when calling tar.
Note that we deliberately don't store the entire security
namespace as labeling by xattr is common with some security
modules and possibly a planned apparmor feature, too, so
this way we avoid restoring arbitrary lables from dumps and
templates we might not want.

Since these flags are used in two separate files I moved
them to @$PVE::LXC::COMMON_TAR_FLAGS;

The --acls flag for tar (and -A flag for rsync) have also
been added.
---
 src/PVE/LXC.pm        | 5 +++++
 src/PVE/LXC/Create.pm | 5 +++--
 src/PVE/VZDump/LXC.pm | 6 +++---
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index fd9a1af..4bcdcb4 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -26,6 +26,11 @@ my $nodename = PVE::INotify::nodename();
 
 my $cpuinfo= PVE::ProcFSTools::read_cpuinfo();
 
+our $COMMON_TAR_FLAGS = [ '--totals', '--sparse', '--numeric-owner', '--acls',
+                          '--xattrs',
+                          '--xattrs-include=user.*',
+                          '--xattrs-include=security.capability' ];
+
 cfs_register_file('/lxc/', \&parse_pct_config, \&write_pct_config);
 
 my $rootfs_desc = {
diff --git a/src/PVE/LXC/Create.pm b/src/PVE/LXC/Create.pm
index d6a6a0d..be90d66 100644
--- a/src/PVE/LXC/Create.pm
+++ b/src/PVE/LXC/Create.pm
@@ -33,8 +33,9 @@ sub restore_archive {
 #	PVE::Tools::run_command(['chown', '-R', '100000:100000', $rootdir]);
 #    }
 
-    my $cmd = [@$userns_cmd, 'tar', 'xpf', $archive, '--numeric-owner', '--totals',
-	    '--sparse', '-C', $rootdir];
+    my $cmd = [@$userns_cmd, 'tar', 'xpf', $archive, '--totals',
+               @$PVE::LXC::COMMON_TAR_FLAGS,
+               '-C', $rootdir];
 
     # skip-old-files doesn't have anything to do with time (old/new), but is
     # simply -k (annoyingly also called --keep-old-files) without the 'treat
diff --git a/src/PVE/VZDump/LXC.pm b/src/PVE/VZDump/LXC.pm
index a7fafe9..f138588 100644
--- a/src/PVE/VZDump/LXC.pm
+++ b/src/PVE/VZDump/LXC.pm
@@ -24,7 +24,7 @@ my $rsync_vm = sub {
 
     my $opts = $self->{vzdump}->{opts};
 
-    my $rsync = ['rsync', '--stats', '-X', '--numeric-ids',
+    my $rsync = ['rsync', '--stats', '-X', '-A', '--numeric-ids',
                  '-aH', '--delete', '--no-whole-file', '--inplace',
                  '--one-file-system', '--relative'];
     push @$rsync, "--bwlimit=$opts->{bwlimit}" if $opts->{bwlimit};
@@ -278,8 +278,8 @@ sub archive {
     my $snapdir = $task->{snapdir};
     my $tmpdir = $task->{tmpdir};
 
-    my $tar = ['tar', 'cpf', '-',
-               '--totals', '--sparse', '--numeric-owner', '--xattrs',
+    my $tar = ['tar', 'cpf', '-', '--totals',
+               @$PVE::LXC::COMMON_TAR_FLAGS,
                '--one-file-system', '--warning=no-file-ignored'];
 
     # note: --remove-files does not work because we do not 
-- 
2.1.4




More information about the pve-devel mailing list