Merge pull request #4740 from monstermunchkin/issues/1600

deletion protection
canonical · Jul 6, 2018 · 48dafdc · 48dafdc
2 parents 99caa0a + 3ef38e5
commit 48dafdc
Show file tree

Hide file tree

Showing 8 changed files with 45 additions and 0 deletions.
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
@@ -536,3 +536,7 @@ This adds the following new endpoint (see [RESTful API](rest-api.md) for details
 ## proxy\_unix\_dac\_properties
 This adds support for gid, uid, and mode properties for non-abstract unix
 sockets.
+
+## container\_protection\_delete
+Enables setting the `security.protection.delete` field which prevents containers
+from being deleted if set to true. Snapshots are not affected by this setting.
diff --git a/doc/containers.md b/doc/containers.md
@@ -69,6 +69,7 @@ security.idmap.isolated                 | boolean   | false         | no
 security.idmap.size                     | integer   | -             | no            | id\_map                              | The size of the idmap to use
 security.nesting                        | boolean   | false         | yes           | -                                    | Support running lxd (nested) inside the container
 security.privileged                     | boolean   | false         | no            | -                                    | Runs the container in privileged mode
+security.protection.delete              | boolean   | false         | yes           | container\_protection\_delete        | Prevents the container from being deleted
 security.syscalls.blacklist             | string    | -             | no            | container\_syscall\_filtering        | A '\n' separated list of syscalls to blacklist
 security.syscalls.blacklist\_compat     | boolean   | false         | no            | container\_syscall\_filtering        | On x86\_64 this enables blocking of compat\_\* syscalls, it is a no-op on other arches
 security.syscalls.blacklist\_default    | boolean   | true          | no            | container\_syscall\_filtering        | Enables the default syscall blacklist

diff --git a/lxd/container.go b/lxd/container.go
@@ -555,6 +555,7 @@ type container interface {
 	IsSnapshot() bool
 	IsStateful() bool
 	IsNesting() bool
+	IsDeleteProtected() bool
 
 	// Hooks
 	OnStart() error

diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
@@ -4,6 +4,7 @@ import (
 	"archive/tar"
 	"bufio"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -3292,6 +3293,12 @@ func (c *containerLXC) Delete() error {
 
 	logger.Info("Deleting container", ctxMap)
 
+	if c.IsDeleteProtected() && !c.IsSnapshot() {
+		err := errors.New("Container is protected")
+		logger.Warn("Failed to delete container", log.Ctx{"name": c.Name(), "err": err})
+		return err
+	}
+
 	// Attempt to initialize storage interface for the container.
 	c.initStorage()
 
@@ -8128,6 +8135,10 @@ func (c *containerLXC) IsSnapshot() bool {
 	return c.cType == db.CTypeSnapshot
 }
 
+func (c *containerLXC) IsDeleteProtected() bool {
+	return shared.IsTrue(c.expandedConfig["security.protection.delete"])
+}
+
 // Various property query functions
 func (c *containerLXC) Architecture() int {
 	return c.architecture

diff --git a/shared/container.go b/shared/container.go
@@ -213,6 +213,8 @@ var KnownContainerConfigKeys = map[string]func(value string) error{
 	"security.devlxd":        IsBool,
 	"security.devlxd.images": IsBool,
 
+	"security.protection.delete": IsBool,
+
 	"security.idmap.base":     IsUint32,
 	"security.idmap.isolated": IsBool,
 	"security.idmap.size":     IsUint32,

diff --git a/shared/version/api.go b/shared/version/api.go
@@ -112,6 +112,7 @@ var APIExtensions = []string{
 	"proxy_tcp_udp_multi_port_handling",
 	"network_state",
 	"proxy_unix_dac_properties",
+	"container_protection_delete",
 }
 
 // APIExtensionsCount returns the number of available API extensions.

diff --git a/test/main.sh b/test/main.sh
@@ -164,6 +164,7 @@ run_test test_remote_admin "remote administration"
 run_test test_remote_usage "remote usage"
 run_test test_basic_usage "basic usage"
 run_test test_security "security features"
+run_test test_security_protection "container protection"
 run_test test_image_expiry "image expiry"
 run_test test_image_list_all_aliases "image list all aliases"
 run_test test_image_auto_update "image auto-update"

diff --git a/test/suites/security.sh b/test/suites/security.sh
@@ -107,3 +107,27 @@ test_security() {
   LXD_DIR="${LXD_DIR}"
   kill_lxd "${LXD_STORAGE_DIR}"
 }
+
+test_security_protection() {
+  ensure_import_testimage
+  ensure_has_localhost_remote "${LXD_ADDR}"
+
+  lxc launch testimage c1
+  lxc stop c1
+  lxc snapshot c1
+  lxc delete c1
+
+  lxc profile set default security.protection.delete true
+
+  lxc launch testimage c1
+  lxc stop c1
+  lxc snapshot c1
+  lxc delete c1/snap0
+  ! lxc delete c1
+
+  # override setting
+  lxc config set c1 security.protection.delete false
+  lxc delete c1
+
+  lxc profile unset default security.protection.delete
+}