Re: [lxc-devel] [PATCH] Add support for new create=(dir, file) mount option

2013-12-06 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Just like we already had optional, this adds two new LXC-specific
 mount flags:
  - create=dir (will do a mkdir_p on the path)
  - create=file (will do a mkdir_p on the dirname + a fopen on the path)
 
 This was motivated by some of the needed bind-mounts for the
 unprivileged containers.
 
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Hopefully someone finds time to commonize the code :)

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/conf.c | 70 
 +-
  1 file changed, 69 insertions(+), 1 deletion(-)
 
 diff --git a/src/lxc/conf.c b/src/lxc/conf.c
 index 6542ce1..0beb12b 100644
 --- a/src/lxc/conf.c
 +++ b/src/lxc/conf.c
 @@ -1906,18 +1906,41 @@ static inline int mount_entry_on_systemfs(struct 
 mntent *mntent)
   unsigned long mntflags;
   char *mntdata;
   int ret;
 + FILE *pathfile = NULL;
 + char* pathdirname = NULL;
  
   if (parse_mntopts(mntent-mnt_opts, mntflags, mntdata)  0) {
   ERROR(failed to parse mount option '%s', mntent-mnt_opts);
   return -1;
   }
  
 + if (hasmntopt(mntent, create=dir)) {
 + if (!mkdir_p(mntent-mnt_dir, 0755)) {
 + WARN(Failed to create mount target '%s', 
 mntent-mnt_dir);
 + ret = -1;
 + }
 + }
 +
 + if (hasmntopt(mntent, create=file)  access(mntent-mnt_dir, F_OK)) {
 + pathdirname = strdup(mntent-mnt_dir);
 + pathdirname = dirname(pathdirname);
 + mkdir_p(pathdirname, 0755);
 + pathfile = fopen(mntent-mnt_dir, wb);
 + if (!pathfile) {
 + WARN(Failed to create mount target '%s', 
 mntent-mnt_dir);
 + ret = -1;
 + }
 + else
 + fclose(pathfile);
 + }
 +
   ret = mount_entry(mntent-mnt_fsname, mntent-mnt_dir,
 mntent-mnt_type, mntflags, mntdata);
  
   if (hasmntopt(mntent, optional) != NULL)
   ret = 0;
  
 + free(pathdirname);
   free(mntdata);
  
   return ret;
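Review bot: In the create=file branch, `pathdirname = dirname(pathdirname);` discards the only copy of the strdup() pointer, so the `free(pathdirname)` at the end frees whatever dirname() returned — on glibc that is a pointer into the buffer when the path contains a slash, but a static "." for a bare name, and POSIX allows dirname() to return static storage in general — and the strdup() result is never checked for NULL before it is handed to dirname(). Keep the allocation and the dirname() result apart: `pathdirname = strdup(mntent->mnt_dir);` then `if (pathdirname) mkdir_p(dirname(pathdirname), 0755);` (dirname() may edit the buffer in place, which is fine since the original pointer is still the one freed). The `ret = -1` written after each WARN is overwritten unconditionally by `ret = mount_entry(...)` a few lines later, so either that assignment is dead or the function should skip the mount when the target could not be created; the mkdir_p() result in the create=file branch is also unchecked. The same pattern is repeated in the mount_entry_on_absolute_rootfs and mount_entry_on_relative_rootfs hunks below. mount_entry_on_systemfs begins before this hunk.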
 @@ -1933,6 +1956,8 @@ static int mount_entry_on_absolute_rootfs(struct mntent 
 *mntent,
   char *mntdata;
   int r, ret = 0, offset;
   const char *lxcpath;
 + FILE *pathfile = NULL;
 + char *pathdirname = NULL;
  
   if (parse_mntopts(mntent-mnt_opts, mntflags, mntdata)  0) {
   ERROR(failed to parse mount option '%s', mntent-mnt_opts);
 @@ -1975,6 +2000,25 @@ skipabs:
   goto out;
   }
  
 + if (hasmntopt(mntent, create=dir)) {
 + if (!mkdir_p(path, 0755)) {
 + WARN(Failed to create mount target '%s', path);
 + ret = -1;
 + }
 + }
 +
 + if (hasmntopt(mntent, create=file)  access(path, F_OK)) {
 + pathdirname = strdup(path);
 + pathdirname = dirname(pathdirname);
 + mkdir_p(pathdirname, 0755);
 + pathfile = fopen(path, wb);
 + if (!pathfile) {
 + WARN(Failed to create mount target '%s', path);
 + ret = -1;
 + }
 + else
 + fclose(pathfile);
 + }
  
   ret = mount_entry(mntent-mnt_fsname, path, mntent-mnt_type,
 mntflags, mntdata);
 @@ -1983,6 +2027,7 @@ skipabs:
   ret = 0;
  
  out:
 + free(pathdirname);
   free(mntdata);
   return ret;
  }
 @@ -1994,25 +2039,48 @@ static int mount_entry_on_relative_rootfs(struct 
 mntent *mntent,
   unsigned long mntflags;
   char *mntdata;
   int ret;
 + FILE *pathfile = NULL;
 + char *pathdirname = NULL;
  
   if (parse_mntopts(mntent-mnt_opts, mntflags, mntdata)  0) {
   ERROR(failed to parse mount option '%s', mntent-mnt_opts);
   return -1;
   }
  
 -/* relative to root mount point */
 + /* relative to root mount point */
   ret = snprintf(path, sizeof(path), %s/%s, rootfs, mntent-mnt_dir);
   if (ret = sizeof(path)) {
   ERROR(path name too long);
   return -1;
   }
  
 + if (hasmntopt(mntent, create=dir)) {
 + if (!mkdir_p(path, 0755)) {
 + WARN(Failed to create mount target '%s', path);
 + ret = -1;
 + }
 + }
 +
 + if (hasmntopt(mntent, create=file)  access(path, F_OK)) {
 + pathdirname = strdup(path);
 + pathdirname = dirname(pathdirname);
 + mkdir_p(pathdirname, 0755);
 + pathfile = fopen(path, wb);
 + if (!pathfile) {
 + WARN(Failed to create mount target '%s', path);
 + ret = -1;
 + }
 + else
 + fclose(pathfile);
 + }
 +
   ret = mount_entry(mntent-mnt_fsname, 

Re: [lxc-devel] [PATCH] conffile.c: Also clear text entries with no value

2013-12-06 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/confile.c | 6 +-
  1 file changed, 5 insertions(+), 1 deletion(-)
 
 diff --git a/src/lxc/confile.c b/src/lxc/confile.c
 index 835153b..5f25e08 100644
 --- a/src/lxc/confile.c
 +++ b/src/lxc/confile.c
 @@ -216,8 +216,12 @@ static int config_string_item(char **conf_item, const 
 char *value)
  {
   char *new_value;
  
 - if (!value || strlen(value) == 0)
 + if (!value || strlen(value) == 0) {
 + if (*conf_item)
 + free(*conf_item);
 + *conf_item = NULL;
   return 0;
 + }
  
   new_value = strdup(value);
   if (!new_value) {
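Review bot: The `if (*conf_item)` guard in the new empty-value branch is redundant, since free(NULL) is a no-op; `free(*conf_item); *conf_item = NULL;` reads more directly and matches the unconditional reset that follows. Because "empty value clears the setting" is new behaviour and the function has no header comment within the hunk, a one-line comment on the branch would help, e.g. `/* an empty value clears the current setting */`. config_string_item's body continues past the end of the hunk.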
 -- 
 1.8.5.1
 
 



Re: [lxc-devel] [PATCH] Move some common Ubuntu config

2013-12-06 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 This introduces a new /usr/share/lxc/config directory containing common
 configuration snippets.
 
 The two Ubuntu templates are then simplified to just include the
 relevant entries avoiding a whole lot of hardcoded cgroup, capabilities
 and mount points configuration.
 
 An extra comment is also added at the top of all generated configuration
 files telling the user to look at lxc.conf(5) for more information.
 
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Very nice.  Long patch, but didn't see any problems.

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  config/Makefile.am   |  16 +
  config/default.conf.libvirt  |   3 -
  config/default.conf.ubuntu   |   3 -
  config/default.conf.unknown  |   1 -
  config/etc/Makefile.am   |  15 
  config/etc/default.conf.libvirt  |   3 +
  config/etc/default.conf.ubuntu   |   3 +
  config/etc/default.conf.unknown  |   1 +
  config/templates/Makefile.am |   8 +++
  config/templates/ubuntu-cloud.common.conf.in |   4 ++
  config/templates/ubuntu-cloud.lucid.conf.in  |   2 +
  config/templates/ubuntu-cloud.userns.conf.in |  16 +
  config/templates/ubuntu.common.conf.in   |  48 +
  config/templates/ubuntu.lucid.conf.in|   2 +
  configure.ac |   9 +++
  src/lxc/lxccontainer.c   |   1 +
  templates/lxc-ubuntu-cloud.in| 102 
 +--
  templates/lxc-ubuntu.in  |  87 ---
  18 files changed, 178 insertions(+), 146 deletions(-)
  delete mode 100644 config/default.conf.libvirt
  delete mode 100644 config/default.conf.ubuntu
  delete mode 100644 config/default.conf.unknown
  create mode 100644 config/etc/Makefile.am
  create mode 100644 config/etc/default.conf.libvirt
  create mode 100644 config/etc/default.conf.ubuntu
  create mode 100644 config/etc/default.conf.unknown
  create mode 100644 config/templates/Makefile.am
  create mode 100644 config/templates/ubuntu-cloud.common.conf.in
  create mode 100644 config/templates/ubuntu-cloud.lucid.conf.in
  create mode 100644 config/templates/ubuntu-cloud.userns.conf.in
  create mode 100644 config/templates/ubuntu.common.conf.in
  create mode 100644 config/templates/ubuntu.lucid.conf.in
 
 diff --git a/config/Makefile.am b/config/Makefile.am
 index 81d7709..7ca23eb 100644
 --- a/config/Makefile.am
 +++ b/config/Makefile.am
 @@ -1,15 +1 @@
 -configdir = $(sysconfdir)/lxc
 -config_DATA = default.conf
 -distroconf = @LXC_DISTRO_CONF@
 -
 -EXTRA_DIST = default.conf.ubuntu default.conf.libvirt default.conf.unknown
 -
 -default.conf:
 - cp $(distroconf) $@
 -
 -clean-local:
 - @$(RM) -f default.conf
 -
 -distclean-local:
 - @$(RM) -f default.conf
 - @$(RM) -f compile config.guess config.sub depcomp install-sh ltmain.sh 
 missing Makefile.in Makefile
 +SUBDIRS = etc templates
 diff --git a/config/default.conf.libvirt b/config/default.conf.libvirt
 deleted file mode 100644
 index 6950dca..000
 --- a/config/default.conf.libvirt
 +++ /dev/null
 @@ -1,3 +0,0 @@
 -lxc.network.type = veth
 -lxc.network.link = virbr0
 -lxc.network.flags = up
 diff --git a/config/default.conf.ubuntu b/config/default.conf.ubuntu
 deleted file mode 100644
 index 0a5ac71..000
 --- a/config/default.conf.ubuntu
 +++ /dev/null
 @@ -1,3 +0,0 @@
 -lxc.network.type = veth
 -lxc.network.link = lxcbr0
 -lxc.network.flags = up
 diff --git a/config/default.conf.unknown b/config/default.conf.unknown
 deleted file mode 100644
 index 6c88010..000
 --- a/config/default.conf.unknown
 +++ /dev/null
 @@ -1 +0,0 @@
 -lxc.network.type = empty
 diff --git a/config/etc/Makefile.am b/config/etc/Makefile.am
 new file mode 100644
 index 000..81d7709
 --- /dev/null
 +++ b/config/etc/Makefile.am
 @@ -0,0 +1,15 @@
 +configdir = $(sysconfdir)/lxc
 +config_DATA = default.conf
 +distroconf = @LXC_DISTRO_CONF@
 +
 +EXTRA_DIST = default.conf.ubuntu default.conf.libvirt default.conf.unknown
 +
 +default.conf:
 + cp $(distroconf) $@
 +
 +clean-local:
 + @$(RM) -f default.conf
 +
 +distclean-local:
 + @$(RM) -f default.conf
 + @$(RM) -f compile config.guess config.sub depcomp install-sh ltmain.sh 
 missing Makefile.in Makefile
 diff --git a/config/etc/default.conf.libvirt b/config/etc/default.conf.libvirt
 new file mode 100644
 index 000..6950dca
 --- /dev/null
 +++ b/config/etc/default.conf.libvirt
 @@ -0,0 +1,3 @@
 +lxc.network.type = veth
 +lxc.network.link = virbr0
 +lxc.network.flags = up
 diff --git a/config/etc/default.conf.ubuntu b/config/etc/default.conf.ubuntu
 new file mode 100644
 index 000..0a5ac71
 --- /dev/null
 +++ b/config/etc/default.conf.ubuntu
 @@ -0,0 +1,3 @@
 +lxc.network.type = veth
 +lxc.network.link = lxcbr0
 +lxc.network.flags = up
 diff --git 

Re: [lxc-devel] Mailing-list move on Sunday 8th of December

2013-12-05 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Hello,
 
 You are receiving this e-mail because you are currently subscribed to:
  lxc-devel@lists.sourceforge.net
 
 On this coming Sunday (8th of December), all LXC mailing-lists will be
 moved to a new home at:
  http://lists.linuxcontainers.org
 
 This is the last step of our migration out of sourceforge. The new
 mailman server is hosted by myself and shared with a few other projects

\o/ - thanks, Stéphane.  Huge improvement.

-serge



Re: [lxc-devel] cgroup management daemon

2013-12-04 Thread Serge Hallyn
Quoting Tim Hockin (thoc...@google.com):
 If this daemon works as advertised, we will explore moving all write
 traffic to use it.  I still have concerns that this can't handle read
 traffic at the scale we need.
 
 Tejun,  I am not sure why chown came back into the conversation.  This
 is a replacement for that.

Because the daemon is chowning directories and files.  That's how
the daemon decides whether clients have access.

-serge



Re: [lxc-devel] cgroup management daemon

2013-12-04 Thread Serge Hallyn
Quoting Victor Marmol (vmar...@google.com):
 I thought we were going to use chown in the initial version to enforce the
 ownership/permissions on the hierarchy. Only the cgroup manager has access
 to the hierarchy, but it tries to access the hierarchy as the user that
 sent the request. It was only meant to be a for now solution while the
 real one rolls out. It may also have gotten thrown out since last I heard :)

Actually that part wasn't meant as a "for now" solution.  It can of
course be thrown away in favor of having the daemon store all this
information, but I'm seeing no advantages to that right now.

There are other things which the daemon can eventually try to keep
track of, if we don't decide they belong in a higher layer.

-serge



Re: [lxc-devel] making lxcpath a real path?

2013-12-04 Thread Serge Hallyn
Exporting the LXCPATH itself to hook scripts seems good.  I don't see
the value in having multiple LXCPATHs in the hook scripts.

As for allowing ':'-separated paths in LXCPATH, it shouldn't interfere
with anything we have now, so if someone wants to work on the patch
I'll look at it, but really I don't see advantages to it.  And I do
see negatives.  Think about user jschmoe who has
LXCPATH=/home/jschmoe/lxcbase:/var/lib/lxc.
Now sudo'd to root he does an lxc-create.  It'll end up in /home/jschmoe/lxcbase
instead of /var/lib/lxc.

I haven't *really* thought through it though, so a well-written patch
with a good description would be fine.

More useful IMO would be per-user lxc.conf and default.conf files in a
standard location.  So $HOME/.local/share/lxc/lxc.conf has
LXCPATH=$HOME/lxcbase, and $HOME/.local/share/lxc/default.conf has
appropriate lxc.idmap entries.  A patch like that would also be very
welcome.

-serge



Re: [lxc-devel] [PATCH] add destroy option to lxc-snapshot

2013-12-04 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Acked-by: Serge Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/lxc_snapshot.c | 22 +++---
  1 file changed, 19 insertions(+), 3 deletions(-)
 
 diff --git a/src/lxc/lxc_snapshot.c b/src/lxc/lxc_snapshot.c
 index f80afe5..1de5671 100644
 --- a/src/lxc/lxc_snapshot.c
 +++ b/src/lxc/lxc_snapshot.c
 @@ -41,6 +41,7 @@ char *snapshot;
  #define DO_SNAP 0
  #define DO_LIST 1
  #define DO_RESTORE 2
 +#define DO_DESTROY 3
  int action;
  int print_comments;
  char *commentfile;
 @@ -100,7 +101,7 @@ int do_list_snapshots(struct lxc_container *c)
   return 0;
  }
  
 -int do_restore_snapshots(struct lxc_container *c, char *snap, char *new)
 +int do_restore_snapshots(struct lxc_container *c)
  {
   if (c-snapshot_restore(c, snapshot, newname))
   return 0;
 @@ -109,11 +110,21 @@ int do_restore_snapshots(struct lxc_container *c, char 
 *snap, char *new)
   return -1;
  }
  
 +int do_destroy_snapshots(struct lxc_container *c)
 +{
 + if (c-snapshot_destroy(c, snapshot))
 + return 0;
 +
 + ERROR(Error destroying snapshot %s, snapshot);
 + return -1;
 +}
 +
  static int my_parser(struct lxc_arguments* args, int c, char* arg)
  {
   switch (c) {
   case 'L': action = DO_LIST; break;
   case 'r': snapshot = arg; action = DO_RESTORE; break;
 + case 'd': snapshot = arg; action = DO_DESTROY; break;
   case 'c': commentfile = arg; break;
   case 'C': print_comments = true; break;
   }
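Review bot: The new `case 'd'` and the existing `case 'r'` in my_parser both assign `snapshot` and `action`, so when a command line carries both options the later one silently wins and a requested restore can turn into a destroy; nothing in the hunk rejects the combination, and the options block further down sets `.checker = NULL`. Consider refusing a second action in the parser, e.g. `case 'd': if (action == DO_RESTORE) return the parser's error value; snapshot = arg; action = DO_DESTROY; break;` with the mirror check in `case 'r'`, or a checker that validates the final `action`. This presumes `action` starts at its zero value DO_SNAP, as the `int action;` file-scope declaration in the first hunk suggests. my_parser begins inside this hunk but its remaining body and return lie outside it.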
 @@ -123,6 +134,7 @@ static int my_parser(struct lxc_arguments* args, int c, 
 char* arg)
  static const struct option my_longopts[] = {
   {list, no_argument, 0, 'L'},
   {restore, required_argument, 0, 'r'},
 + {destroy, required_argument, 0, 'd'},
   {comment, required_argument, 0, 'c'},
   {showcomments, no_argument, 0, 'C'},
   LXC_COMMON_OPTIONS
 @@ -141,7 +153,8 @@ Options :\n\
-L, --list  list snapshots\n\
-C, --showcomments  show snapshot comments in list\n\
-c, --comment=file  add file as a comment\n\
 -  -r, --restore=name  restore snapshot name, i.e. 'snap0'\n,
 +  -r, --restore=name  restore snapshot name, i.e. 'snap0'\n\
 +  -d, --destroy=name  destroy snapshot name, i.e. 'snap0'\n,
   .options  = my_longopts,
   .parser   = my_parser,
   .checker  = NULL,
 @@ -202,7 +215,10 @@ int main(int argc, char *argv[])
   ret = do_list_snapshots(c);
   break;
   case DO_RESTORE:
 - ret = do_restore_snapshots(c, snapshot, newname);
 + ret = do_restore_snapshots(c);
 + break;
 + case DO_DESTROY:
 + ret = do_destroy_snapshots(c);
   break;
   }
  
 -- 
 1.8.3.2
 
 



Re: [lxc-devel] [PATCH] ubuntu: Fix regression in post-process

2013-12-03 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Hey Stéphane,
 
 On Wed, Nov 27, 2013 at 7:49 PM, Stéphane Graber stgra...@ubuntu.com wrote:
  The recent reorg of lxc-ubuntu introduced some package installation in
  post-process but without first disabling service startup.
 
  As a result, if the cache is a bit out of date and a ssh update is
  available, post-process will apply that update (as it does apt-get
  install ssh vim) which in turn will attemp to start sshd. This will
  either lead to ssh on the host being restarted or if there's no sshd on
  the host, will fail the container creation as the postinst will get an
  error from upstart.
 
  The fix is very simply to add the same policy-rc.d trick when running
  post-process.
 
 I'm not sure whether this is the desired outcome (I haven't taken a
 look at it yet) but it looks like after this change lxc-create -n t
 -t ubuntu started to take more time (order of couple of minutes) to

Can you reproduce this at will - revert the change and it's faster,
reapply and it's slower?

-serge



Re: [lxc-devel] cgroup management daemon

2013-12-03 Thread Serge Hallyn
Quoting Tejun Heo (t...@kernel.org):
 Hello, guys.
 
 Sorry about the delay.
 
 On Mon, Nov 25, 2013 at 10:43:35PM +, Serge E. Hallyn wrote:
  Additionally, Tejun has specified that we do not want users to be
  too closely tied to the cgroupfs implementation.  Therefore
  commands will be just a hair more general than specifying cgroupfs
  filenames and values.  I may go so far as to avoid specifying
  specific controllers, as AFAIK there should be no redundancy in
  features.  On the other hand, I don't want to get too general.
  So I'm basing the API loosely on the lmctfy command line API.
 
 One of the reasons for not exposing knobs as-is is that the knobs we
 currently have aren't consistent.  The weight values have different
 ranges, some combinations of values don't make much sense, and so on.
 The user can cope with it but it'd probably be better to expose
 something which doesn't lead to mistakes too easily.

For the moment, for prototype (github.com/hallyn/cgmanager), I'm just
going with filenames/values.

When the bulk of the work is done, we can either (or both) (a) introduce
a thin abstraction layer over the key/values, or/and (b) whitelist
some of the filenames and filter some values.

I know the upstart folks don't want to have to wait long for a
specification...  I'll hopefully make a final decision on this next
week.

  The above addresses
  * creating cgroups
  * chowning cgroups
  * setting cgroup limits
  * moving tasks into cgroups
. but does not address a 'cgexec group -- command' type of behavior.
  * To handle that (specifically for upstart), recommend that r do:
if (!pid) {
  request_reclassify(cgroup, getpid());
  do_execve();
}
. alternatively, the daemon could, if kernel is new enough, setns to
  the requestor's namespaces to execute a command in a new cgroup.
  The new command would be daemonized to that pid namespaces' pid 1.
 
 So, IIUC, cgroup hierarchy management - creation and removal of
 cgroups and assignments of tasks will go through while configuring
 control knobs will be delegated to the cgroup owner, right?

Not sure what you mean, but I think the answer is no.  Everything
goes through the manager.  The manager doesn't try to enforce that,
but by default the cgroup filesystems will only be mounted in the
manager's private mnt_ns, and containers at least will not be
allowed to mount cgroup fstype.

 Hmmm... the plan is to allow delegating task assignments in the
 sub-hierarchy but require CAP_X for writes to knobs (not reads).  This
 stems from the fact that, especially with unified hierarchy, those
 operations will be cgroup-core proper operations which are gonna be
 relatively safer and that task organizations in the subhierarchy and
 monitoring knobs are likely to be higher frequency operation than
 enabling and configuring controllers.

Should be ok for this.

 As I communicated multiple times before, delegating write access to
 control knobs to untrusted domain has always been a security risk and
 is likely to continue to remain so.  Also, organizationally, a

Then that will need to be addressed with per-key blacklisting and/or
per-value filtering in the manager.

Which is my way of saying:  can we please have a list of the security
issues so we can handle them?  :)  (I've asked several times before
but haven't seen a list or anyone offering to make one)

 cgroup's control knobs belong to the parent not the cgroup itself.

After thinking awhile I think this makes perfect sense.  I haven't
implemented set_value yet, and when I do I think I'll implement this
guideline.

 That probably is why you were thinking about putting an extra cgroup
 inbetween for isolation, but the root problem there is that those
 knobs belong to the parent, not the directory itself.

Yup.

 Security is in most part logistics - it's about getting all the
 details right, and we don't either design or implement each knob with
 security in mind and DoSing them has always been pretty easy, so I
 don't think delegating write accesses to knobs is a good idea.
 
 If you, for whatever reason, can trust the delegatee, which I believe
 is the case for google, it's fine.  If you're trying to delegate to a
 container which you don't have any control over, it isn't a good idea.
 
 Another thing to consider is due to both the fundamental characterics
 of hierarchy and implementation issues, things will become expensive
 if nesting gets beyond several layers (if controllers are enabled,
 that is) and the controllers in general will be implemented and
 optimized with limited level of nesting in mind.  IOW, building, say,
 8 level deep hierarchy in the host and then doing the same thing
 inside the container with controllers enabled won't make a very happy

Yes, I very much want to avoid that.

 system.  It probably is something to keep in mind when laying out how
 the whole thing eventually would look like.
 
  Long-term we will want 

Re: [lxc-devel] cgroup management daemon

2013-12-03 Thread Serge Hallyn
Quoting Tejun Heo (t...@kernel.org):
 Hello, Serge.
 
 On Tue, Dec 03, 2013 at 06:03:44PM -0600, Serge Hallyn wrote:
   As I communicated multiple times before, delegating write access to
   control knobs to untrusted domain has always been a security risk and
   is likely to continue to remain so.  Also, organizationally, a
  
  Then that will need to be address with per-key blacklisting and/or
  per-value filtering in the manager.
  
  Which is my way of saying:  can we please have a list of the security
  issues so we can handle them?  :)  (I've asked several times before
  but haven't seen a list or anyone offering to make one)
 
 Unfortunately, for now, please consider everything blacklisted.  Yes,
 it is true that some knobs should be mostly safe but given the level
 of changes we're going through and the difficulty of properly auditing
 anything for delegation to untrusted environment, I don't feel
 comfortable at all about delegating through chown.  It is an
 accidental feature which happened just because it uses filesystem as
 its interface and it is no where near the top of the todo list.  It
 has never worked properly and won't in any foreseeable future.
 
   cgroup's control knobs belong to the parent not the cgroup itself.
  
  After thinking awhile I think this makes perfect sense.  I haven't
  implemented set_value yet, and when I do I think I'll implement this
  guideline.
 
 I'm kinda confused here.  You say *everything* is gonna go through the
 manager and then talks about chowning directories.  Don't the two
 conflict?

No.  I expect the user - except in the google case - to either have
access to no cgroupfs mounts, or readonly mounts.

-serge



Re: [lxc-devel] [PATCH] Add LXC version information to version.h

2013-12-02 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Hey Stéphane,
 
 On Mon, Dec 2, 2013 at 10:34 AM, Stéphane Graber stgra...@ubuntu.com wrote:
  On Sun, Dec 01, 2013 at 11:14:17PM -0500, S.Çağlar Onur wrote:
  So that applications can get the LXC version number at compile time.
 
  This can be used to make applications/bindings that support compiling 
  against
  multiple versions of LXC.
 
  So I guess that information would indeed be useful to some external
  software/bindings.
 
  However I think we have to be careful there as my plan was to seriously
  cut back in the number of public headers.
 
  The goal for 1.0 is for liblxc1 to be the only bits we export for out of
  tree use, currently, that'd be lxccontainer.h and its rdepends so:
   - lxccontainer.h
   - lxclock.h
   - attach_options.h
 
  Everything else would be available only for in-tree use.
 
 I see, that sounds like a good plan to me.
 
  I guess we could have lxccontainer.h include version.h and then ship 
  version.h.
  Looking at it again, especially in view of your changes, I suspect we
  could kill version.c and the lxc_version function and simply have
  lxccontainer.c return LXC_VERSION. (That'd avoid both lxccontainer.h and
  version.h exporting the same function with two different names).
 
  Actually I'm not completely sure we should even export lxclock, is there
  any cases where we expect external users to want to mess with our locks?

shudder

 I think we don't need it. I would expect no one to use it externally.

-serge



[lxc-devel] [PATCH 1/1] confile.c: clear entries if no value

2013-12-02 Thread Serge Hallyn
For list configuration entries like capabilities and cgroups
entries, if there is a 'key =' value (i.e. lxc.cap.drop =)
then clear any loaded entries.

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/conf.h|  1 +
 src/lxc/confile.c | 23 ---
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 84ffb20..f272c91 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -353,6 +353,7 @@ extern int lxc_clear_config_keepcaps(struct lxc_conf *c);
 extern int lxc_clear_cgroups(struct lxc_conf *c, const char *key);
 extern int lxc_clear_mount_entries(struct lxc_conf *c);
 extern int lxc_clear_hooks(struct lxc_conf *c, const char *key);
+extern int lxc_clear_idmaps(struct lxc_conf *c);
 
 /*
  * Configure the container from inside
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index bbb92dd..835153b 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -295,6 +295,9 @@ static int config_network_type(const char *key, const char 
*value,
struct lxc_netdev *netdev;
struct lxc_list *list;
 
+   if (!value || strlen(value) == 0)
+   return lxc_clear_config_network(lxc_conf);
+
netdev = malloc(sizeof(*netdev));
if (!netdev) {
SYSERROR(failed to allocate memory);
@@ -865,7 +868,12 @@ static int config_seccomp(const char *key, const char 
*value,
 static int config_hook(const char *key, const char *value,
 struct lxc_conf *lxc_conf)
 {
-   char *copy = strdup(value);
+   char *copy;
+   
+   if (!value || strlen(value) == 0)
+   return lxc_clear_hooks(lxc_conf, key);
+
+   copy = strdup(value);
if (!copy) {
SYSERROR(failed to dup string '%s', value);
return -1;
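Review bot: The blank line added right after `char *copy;` in config_hook carries trailing whitespace (it shows as `+` followed by spaces), which git's whitespace check will flag and which no other added line in this patch has; drop the whitespace so the line is an empty `+`. config_hook's body continues beyond the hunk.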
@@ -1062,6 +1070,9 @@ static int config_cgroup(const char *key, const char 
*value,
struct lxc_list *cglist = NULL;
struct lxc_cgroup *cgelem = NULL;
 
+   if (!value || strlen(value) == 0)
+   return lxc_clear_cgroups(lxc_conf, key);
+
subkey = strstr(key, token);
 
if (!subkey)
@@ -1123,6 +1134,9 @@ static int config_idmap(const char *key, const char 
*value, struct lxc_conf *lxc
char type;
int ret;
 
+   if (!value || strlen(value) == 0)
+   return lxc_clear_idmaps(lxc_conf);
+
subkey = strstr(key, token);
 
if (!subkey)
@@ -1250,6 +1264,9 @@ static int config_mount(const char *key, const char 
*value,
char *mntelem;
struct lxc_list *mntlist;
 
+   if (!value || strlen(value) == 0)
+   return lxc_clear_mount_entries(lxc_conf);
+
subkey = strstr(key, token);
 
if (!subkey) {
@@ -1294,7 +1311,7 @@ static int config_cap_keep(const char *key, const char 
*value,
int ret = -1;
 
if (!strlen(value))
-   return -1;
+   return lxc_clear_config_keepcaps(lxc_conf);
 
keepcaps = strdup(value);
if (!keepcaps) {
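Review bot: config_cap_keep now returns `lxc_clear_config_keepcaps(lxc_conf)` when `strlen(value)` is 0, but unlike the network, hook, cgroup, idmap and mount hunks in this patch it does not guard against `value` being NULL before calling strlen(), so a NULL value — which the other handlers evidently anticipate — would be dereferenced here. The check itself predates the patch, but since the patch is making the "empty value clears the entry" contract uniform across handlers, `if (!value || strlen(value) == 0)` would keep this one consistent. The same applies to config_cap_drop in the next hunk. Both functions' bodies continue past their hunks.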
@@ -1340,7 +1357,7 @@ static int config_cap_drop(const char *key, const char 
*value,
int ret = -1;
 
if (!strlen(value))
-   return -1;
+   return lxc_clear_config_caps(lxc_conf);
 
dropcaps = strdup(value);
if (!dropcaps) {
-- 
1.8.3.2




Re: [lxc-devel] [PATCH] Reduce public API

2013-12-02 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 On Mon, Dec 02, 2013 at 01:31:21PM -0600, Serge Hallyn wrote:
  Quoting Stéphane Graber (stgra...@ubuntu.com):
   This removes all but the following headers from our includes:
- attach_options.h
- lxccontainer.h
- version.h
   
   This also removes the duplicate lxc_version function (lxc_get_version
   has been preferred for a while).
   
   lxclock.h is now considered private, the lxc_lock struct has therefore
   been moved to lxccontainer.h (as it's a dependency of lxc_container) but
   all other locking functions are now strictly internal.
   
   As a result quite a lot of files needed addition of extra includes
   previously inherited from lxclock.h.
  
  Hm, why did you have to move the struct lxc_lock from lxclock.h
  to lxccontainer.h?  That seems to imply there's a problem
  elsewhere.  What failed without that?
 
 The lxc_container struct contains slock and privlock which are both of
 lxc_lock struct so we need that type defined somewhere publicly accessible.

Is it enough to just put in a forward declaration:

struct lxc_lock;

   Signed-off-by: Stéphane Graber stgra...@ubuntu.com
   ---
src/lxc/Makefile.am| 19 +--
src/lxc/bdev.c |  1 +
src/lxc/lxc_config.c   |  1 +
src/lxc/lxc_create.c   |  1 +
src/lxc/lxc_snapshot.c |  1 +
src/lxc/lxccontainer.c |  3 ++-
src/lxc/lxccontainer.h | 21 ++---
src/lxc/lxclock.h  | 17 +
src/lxc/version.c  | 29 -
src/lxc/version.h.in   |  5 -
src/tests/attach.c |  2 ++
src/tests/cgpath.c |  2 ++
src/tests/concurrent.c |  2 ++
src/tests/console.c|  2 ++
src/tests/containertests.c |  1 +
src/tests/get_item.c   |  1 +
src/tests/list.c   |  1 +
src/tests/lxcpath.c|  1 +
src/tests/snapshot.c   |  2 ++
src/tests/startone.c   |  1 +
20 files changed, 41 insertions(+), 72 deletions(-)
delete mode 100644 src/lxc/version.c
   
   diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
   index bf93baa..5369700 100644
   --- a/src/lxc/Makefile.am
   +++ b/src/lxc/Makefile.am
   @@ -1,23 +1,6 @@
pkginclude_HEADERS = \
   - arguments.h \
   - attach.h \
 attach_options.h \
   - bdev.h \
   - caps.h \
   - cgroup.h \
   - conf.h \
   - console.h \
   - error.h \
   - list.h \
   - log.h \
 lxccontainer.h \
   - lxc.h \
   - lxclock.h \
   - monitor.h \
   - namespace.h \
   - start.h \
   - state.h \
   - utils.h \
 version.h

if IS_BIONIC
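Review bot: Dropping these headers from pkginclude_HEADERS is a source-compatibility break for anything built against the installed headers, and nothing in the diffstat touches the library's version information, so the patch does not show whether that break is signalled to consumers. A sentence in the commit message stating the intended compatibility policy (or a version-info bump, if the project uses one) would make the change reviewable on that point. The same hunk reappears unchanged in V2 of this patch further down the thread.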
   @@ -87,7 +70,7 @@ liblxc_so_SOURCES = \
 lxcutmp.c lxcutmp.h \
 lxclock.h lxclock.c \
 lxccontainer.c lxccontainer.h \
   - version.c version.h \
   + version.h \
 \
 $(LSM_SOURCES)

   diff --git a/src/lxc/bdev.c b/src/lxc/bdev.c
   index 03fecfb..249815e 100644
   --- a/src/lxc/bdev.c
   +++ b/src/lxc/bdev.c
   @@ -47,6 +47,7 @@
#include namespace.h
#include parse.h
#include utils.h
   +#include lxclock.h

#ifndef BLKGETSIZE64
#define BLKGETSIZE64 _IOR(0x12,114,size_t)
   diff --git a/src/lxc/lxc_config.c b/src/lxc/lxc_config.c
   index 21bde64..8a4114d 100644
   --- a/src/lxc/lxc_config.c
   +++ b/src/lxc/lxc_config.c
   @@ -19,6 +19,7 @@
 */

#include stdio.h
   +#include string.h
#include config.h
#include lxc/lxccontainer.h

   diff --git a/src/lxc/lxc_create.c b/src/lxc/lxc_create.c
   index 754afbf..7399683 100644
   --- a/src/lxc/lxc_create.c
   +++ b/src/lxc/lxc_create.c
   @@ -23,6 +23,7 @@
#include libgen.h
#include unistd.h
#include ctype.h
   +#include fcntl.h
#include sys/types.h

#include lxc/lxc.h
   diff --git a/src/lxc/lxc_snapshot.c b/src/lxc/lxc_snapshot.c
   index d80dd39..f80afe5 100644
   --- a/src/lxc/lxc_snapshot.c
   +++ b/src/lxc/lxc_snapshot.c
   @@ -24,6 +24,7 @@
#include unistd.h
#include ctype.h
#include sys/types.h
   +#include fcntl.h

#include lxc/lxc.h
#include lxc/log.h
   diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
   index 50796ae..7f54f50 100644
   --- a/src/lxc/lxccontainer.c
   +++ b/src/lxc/lxccontainer.c
   @@ -50,6 +50,7 @@
#include sched.h
#include arpa/inet.h
#include libgen.h
   +#include lxclock.h

#if HAVE_IFADDRS_H
#include ifaddrs.h
   @@ -2107,7 +2108,7 @@ const char *lxc_get_default_zfs_root(void)

const char *lxc_get_version(void)
{
   - return lxc_version();
   + return LXC_VERSION;
}

static int copy_file(char *old, char *new)
   diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
   index d57aead..832440d 100644
   --- a/src/lxc/lxccontainer.h
   +++ b/src/lxc

Re: [lxc-devel] [PATCH] Reduce public API (V2)

2013-12-02 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 This removes all but the following headers from our includes:
  - attach_options.h
  - lxccontainer.h
  - version.h
 
 This also removes the duplicate lxc_version function (lxc_get_version
 has been preferred for a while).
 
 lxclock.h is now considered private.
 
 As a result quite a lot of files needed addition of extra includes
 previously inherited from lxclock.h.
 
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Thanks!

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/Makefile.am| 19 +--
  src/lxc/bdev.c |  1 +
  src/lxc/lxc_config.c   |  1 +
  src/lxc/lxc_create.c   |  1 +
  src/lxc/lxc_snapshot.c |  1 +
  src/lxc/lxccontainer.c |  3 ++-
  src/lxc/lxccontainer.h |  7 ---
  src/lxc/version.c  | 29 -
  src/lxc/version.h.in   |  5 -
  src/tests/attach.c |  2 ++
  src/tests/cgpath.c |  2 ++
  src/tests/concurrent.c |  2 ++
  src/tests/console.c|  2 ++
  src/tests/containertests.c |  1 +
  src/tests/get_item.c   |  1 +
  src/tests/list.c   |  1 +
  src/tests/lxcpath.c|  1 +
  src/tests/snapshot.c   |  2 ++
  src/tests/startone.c   |  1 +
  19 files changed, 26 insertions(+), 56 deletions(-)
  delete mode 100644 src/lxc/version.c
 
 diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
 index bf93baa..5369700 100644
 --- a/src/lxc/Makefile.am
 +++ b/src/lxc/Makefile.am
 @@ -1,23 +1,6 @@
  pkginclude_HEADERS = \
 - arguments.h \
 - attach.h \
   attach_options.h \
 - bdev.h \
 - caps.h \
 - cgroup.h \
 - conf.h \
 - console.h \
 - error.h \
 - list.h \
 - log.h \
   lxccontainer.h \
 - lxc.h \
 - lxclock.h \
 - monitor.h \
 - namespace.h \
 - start.h \
 - state.h \
 - utils.h \
   version.h
  
  if IS_BIONIC
 @@ -87,7 +70,7 @@ liblxc_so_SOURCES = \
   lxcutmp.c lxcutmp.h \
   lxclock.h lxclock.c \
   lxccontainer.c lxccontainer.h \
 - version.c version.h \
 + version.h \
   \
   $(LSM_SOURCES)
  
 diff --git a/src/lxc/bdev.c b/src/lxc/bdev.c
 index 03fecfb..249815e 100644
 --- a/src/lxc/bdev.c
 +++ b/src/lxc/bdev.c
 @@ -47,6 +47,7 @@
  #include namespace.h
  #include parse.h
  #include utils.h
 +#include lxclock.h
  
  #ifndef BLKGETSIZE64
  #define BLKGETSIZE64 _IOR(0x12,114,size_t)
 diff --git a/src/lxc/lxc_config.c b/src/lxc/lxc_config.c
 index 21bde64..8a4114d 100644
 --- a/src/lxc/lxc_config.c
 +++ b/src/lxc/lxc_config.c
 @@ -19,6 +19,7 @@
   */
  
  #include stdio.h
 +#include string.h
  #include config.h
  #include lxc/lxccontainer.h
  
 diff --git a/src/lxc/lxc_create.c b/src/lxc/lxc_create.c
 index 754afbf..7399683 100644
 --- a/src/lxc/lxc_create.c
 +++ b/src/lxc/lxc_create.c
 @@ -23,6 +23,7 @@
  #include libgen.h
  #include unistd.h
  #include ctype.h
 +#include fcntl.h
  #include sys/types.h
  
  #include lxc/lxc.h
 diff --git a/src/lxc/lxc_snapshot.c b/src/lxc/lxc_snapshot.c
 index d80dd39..f80afe5 100644
 --- a/src/lxc/lxc_snapshot.c
 +++ b/src/lxc/lxc_snapshot.c
 @@ -24,6 +24,7 @@
  #include unistd.h
  #include ctype.h
  #include sys/types.h
 +#include fcntl.h
  
  #include lxc/lxc.h
  #include lxc/log.h
 diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
 index 50796ae..7f54f50 100644
 --- a/src/lxc/lxccontainer.c
 +++ b/src/lxc/lxccontainer.c
 @@ -50,6 +50,7 @@
  #include sched.h
  #include arpa/inet.h
  #include libgen.h
 +#include lxclock.h
  
  #if HAVE_IFADDRS_H
  #include ifaddrs.h
 @@ -2107,7 +2108,7 @@ const char *lxc_get_default_zfs_root(void)
  
  const char *lxc_get_version(void)
  {
 - return lxc_version();
 + return LXC_VERSION;
  }
  
  static int copy_file(char *old, char *new)
 diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
 index d57aead..4ad3b66 100644
 --- a/src/lxc/lxccontainer.h
 +++ b/src/lxc/lxccontainer.h
 @@ -22,12 +22,11 @@
  
  #ifndef __LXC_CONTAINER_H
  #define __LXC_CONTAINER_H
 -#include lxclock.h
  #include attach_options.h
 -#include stdlib.h
  #include malloc.h
 -
 +#include semaphore.h
  #include stdbool.h
 +#include stdlib.h
  
  #define LXC_CLONE_KEEPNAME(1  0) /*! Do not edit the rootfs to 
 change the hostname */
  #define LXC_CLONE_COPYHOOKS   (1  1) /*! Copy all hooks into the 
 container directory */
 @@ -41,6 +40,8 @@ struct bdev_specs;
  
  struct lxc_snapshot;
  
 +struct lxc_lock;
 +
  /*!
   * An LXC container.
   */
 diff --git a/src/lxc/version.c b/src/lxc/version.c
 deleted file mode 100644
 index bfa34bd..000
 --- a/src/lxc/version.c
 +++ /dev/null
 @@ -1,29 +0,0 @@
 -/*
 - * lxc: linux Container library
 - *
 - * (C) Copyright IBM Corp. 2007, 2008
 - *
 - * Authors:
 - * Daniel Lezcano daniel.lezcano 

Re: [lxc-devel] [PATCH] python3: Add snapshot_* to the binding

2013-11-29 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/python-lxc/lxc.c | 127 
 +++
  1 file changed, 127 insertions(+)
 
 diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c
 index 050f6ae..f850a3d 100644
 --- a/src/python-lxc/lxc.c
 +++ b/src/python-lxc/lxc.c
 @@ -1119,6 +1119,106 @@ Container_shutdown(Container *self, PyObject *args, 
 PyObject *kwds)
  }
  
  static PyObject *
 +Container_snapshot(Container *self, PyObject *args, PyObject *kwds)
 +{
 +char *comment_path = NULL;
 +static char *kwlist[] = {comment_path, NULL};
 +int retval = 0;
 +int ret = 0;
 +char newname[20];
 +
 +if (! PyArg_ParseTupleAndKeywords(args, kwds, |s, kwlist,
 +  comment_path))
 +return NULL;
 +
 +retval = self-container-snapshot(self-container, comment_path);
 +
 +if (retval  0) {
 +Py_RETURN_FALSE;
 +}
 +
 +ret = snprintf(newname, 20, snap%d, retval);
 +if (ret  0 || ret = 20)
 +return NULL;
 +
 +
 +return PyUnicode_FromString(newname);
 +}
 +
 +static PyObject *
 +Container_snapshot_destroy(Container *self, PyObject *args, PyObject *kwds)
 +{
 +char *name = NULL;
 +static char *kwlist[] = {name, NULL};
 +
 +if (! PyArg_ParseTupleAndKeywords(args, kwds, s|, kwlist,
 +  name))
 +return NULL;
 +
 +if (self-container-snapshot_destroy(self-container, name)) {
 +Py_RETURN_TRUE;
 +}
 +
 +Py_RETURN_FALSE;
 +}
 +
 +static PyObject *
 +Container_snapshot_list(Container *self, PyObject *args, PyObject *kwds)
 +{
 +struct lxc_snapshot *snap;
 +int snap_count = 0;
 +PyObject *list = NULL;
 +int i = 0;
 +
 +snap_count = self-container-snapshot_list(self-container, snap);
 +
 +if (snap_count  0) {
 +PyErr_SetString(PyExc_KeyError, Unable to list snapshots);
 +return NULL;
 +}
 +
 +list = PyTuple_New(snap_count);
 +for (i = 0; i  snap_count; i++) {
 +PyObject *list_entry = NULL;
 +
 +list_entry = PyTuple_New(4);
 +PyTuple_SET_ITEM(list_entry, 0,
 + PyUnicode_FromString(snap[i].name));
 +PyTuple_SET_ITEM(list_entry, 1,
 + PyUnicode_FromString(snap[i].comment_pathname));
 +PyTuple_SET_ITEM(list_entry, 2,
 + PyUnicode_FromString(snap[i].timestamp));
 +PyTuple_SET_ITEM(list_entry, 3,
 + PyUnicode_FromString(snap[i].lxcpath));
 +
 +snap[i].free(snap[i]);
 +
 +PyTuple_SET_ITEM(list, i, list_entry);
 +}
 +
 +return list;
 +}
 +
 +
 +static PyObject *
 +Container_snapshot_restore(Container *self, PyObject *args, PyObject *kwds)
 +{
 +char *name = NULL;
 +char *newname = NULL;
 +static char *kwlist[] = {name, newname, NULL};
 +
 +if (! PyArg_ParseTupleAndKeywords(args, kwds, s|s, kwlist,
 +  name, newname))
 +return NULL;
 +
 +if (self-container-snapshot_restore(self-container, name, newname)) {
 +Py_RETURN_TRUE;
 +}
 +
 +Py_RETURN_FALSE;
 +}
 +
 +static PyObject *
  Container_start(Container *self, PyObject *args, PyObject *kwds)
  {
  char** init_args = {NULL};
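Review bot: In Container_snapshot_list each entry is released with `snap[i].free(snap[i])`, but the array `snap` itself is never freed; if, as I would expect, snapshot_list hands back a heap-allocated array, a `free(snap);` after the loop is needed (guarded by `snap_count > 0`, since `snap` is otherwise never written). The `PyTuple_New` and `PyUnicode_FromString` results are not checked for NULL, and `PyUnicode_FromString` on a NULL `comment_pathname` — presumably possible for a snapshot taken without a comment — would crash rather than raise, so each field wants a `Py_None`/error path. Raising `KeyError` when listing fails is also an odd choice; `RuntimeError` reads closer to the failure. Container_start's body continues outside the hunk.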
 @@ -1390,6 +1490,33 @@ static PyMethodDef Container_methods[] = {
   unless timeout is set to a positive value, in which case 
   the container will be killed when the timeout is reached.
  },
 +{snapshot, (PyCFunction)Container_snapshot,
 + METH_VARARGS|METH_KEYWORDS,
 + snapshot(comment_path = None) - string\n
 + \n
 + Snapshot the container and return the snapshot name 
 + (or False on error).
 +},
 +{snapshot_destroy, (PyCFunction)Container_snapshot_destroy,
 + METH_VARARGS|METH_KEYWORDS,
 + snapshot_destroy(name) - boolean\n
 + \n
 + Destroy a snapshot.
 +},
 +{snapshot_list, (PyCFunction)Container_snapshot_list,
 + METH_NOARGS,
 + snapshot_list() - tuple of snapshot tuples\n
 + \n
 + List all snapshots for a container.
 +},
 +{snapshot_restore, (PyCFunction)Container_snapshot_restore,
 + METH_VARARGS|METH_KEYWORDS,
 + snapshot_restore(name, newname = None) - boolean\n
 + \n
 + Restore a container snapshot. If newname is provided a new 
 + container will be created from the snapshot, otherwise an in-place 
 + restore will be attempted.
 +},
  {start, (PyCFunction)Container_start,
   METH_VARARGS|METH_KEYWORDS,
   start(useinit = False, cmd = (,)) - boolean\n
 -- 
 1.8.4.4
 
 

Re: [lxc-devel] [PATCH] python3: Allow setting daemonize and close_fds

2013-11-29 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 This extends the list of arguments of start() allowing the user to
 request the container be started in the foreground and have control on
 whether fds will be closed or not (daemonize=True implies that too).
 
 One problem at the moment however is that while we have functions to set
 close_fds and daemonize in the API, we don't have functions to unset
 those flags, so those new parameters will only work on the initial call
 to start() any further call will use the values of the previous one.
 
 I think it'd make sense to change lxcapi slightly to have daemonize and
 close_fds offer a similar interface, both returning booleans and both
 accepting a value as a parameter so API users can set the value they
 want.

What would be the point in checking the value as opposed to simply
setting the one you want?

If unsetting is all we need, we could just add a boolean argument to
want_daemonize and want_close_all_fds.  If there is a good reason to
be able to check the values, then we can either add a get_daemonize,
or make the second argument to want_daemonize an int, where -1 means
unset, 1 means set, and 0 means just give me the return value.

Or maybe we want to just add new api fns so as not to change the
existing api?  I'm feeling indecisive.

 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/python-lxc/lxc.c | 33 +
  1 file changed, 25 insertions(+), 8 deletions(-)
 
 diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c
 index f850a3d..5a20ff4 100644
 --- a/src/python-lxc/lxc.c
 +++ b/src/python-lxc/lxc.c
 @@ -1221,13 +1221,21 @@ Container_snapshot_restore(Container *self, PyObject 
 *args, PyObject *kwds)
  static PyObject *
  Container_start(Container *self, PyObject *args, PyObject *kwds)
  {
 +PyObject *useinit = NULL;
 +PyObject *daemonize = NULL;
 +PyObject *close_fds = NULL;
 +
 +PyObject *vargs = NULL;
  char** init_args = {NULL};
 -PyObject *useinit = NULL, *retval = NULL, *vargs = NULL;
 +
 +PyObject *retval = NULL;
  int init_useinit = 0, i = 0;
 -static char *kwlist[] = {useinit, cmd, NULL};
 +static char *kwlist[] = {useinit, daemonize, close_fds,
 + cmd, NULL};
  
 -if (! PyArg_ParseTupleAndKeywords(args, kwds, |OO, kwlist,
 -  useinit, vargs))
 +if (! PyArg_ParseTupleAndKeywords(args, kwds, |, kwlist,
 +  useinit, daemonize, close_fds,
 +  vargs))
  return NULL;
  
  if (useinit  useinit == Py_True) {
 @@ -1241,7 +1249,13 @@ Container_start(Container *self, PyObject *args, 
 PyObject *kwds)
  }
  }
  
 -self-container-want_daemonize(self-container);
 +if (close_fds  close_fds == Py_True) {
 +self-container-want_close_all_fds(self-container);
 +}
 +
 +if (!daemonize || daemonize == Py_True) {
 +self-container-want_daemonize(self-container);
 +}
  
  if (self-container-start(self-container, init_useinit, init_args))
  retval = Py_True;
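Review bot: The new `close_fds == Py_True` and `daemonize == Py_True` comparisons recognise only the exact `True` object, so `start(daemonize=1)` is silently treated as a foreground start and `close_fds=1` is ignored; `PyObject_IsTrue(daemonize)` (checking its -1 error return) is the usual test. This mirrors the existing `useinit == Py_True` check in the first hunk, so it may be deliberate house style, but the inverted default for daemonize makes the mismatch more surprising here. Container_start continues outside the hunk.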
 @@ -1519,10 +1533,13 @@ static PyMethodDef Container_methods[] = {
  },
  {start, (PyCFunction)Container_start,
   METH_VARARGS|METH_KEYWORDS,
 - start(useinit = False, cmd = (,)) - boolean\n
 + start(useinit = False, daemonize=True, close_fds=False, 
 + cmd = (,)) - boolean\n
   \n
 - Start the container, optionally using lxc-init and 
 - an alternate init command, then returns its return code.
 + Start the container, return True on success.\n
 + When set useinit will make LXC use lxc-init to start the container.\n
 + The container can be started in the foreground with daemonize=False.\n
 + All fds may also be closed by passing close_fds=True.
  },
  {stop, (PyCFunction)Container_stop,
   METH_NOARGS,
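Review bot: The new docstring presents `daemonize=False` and `close_fds=True` as per-call switches, but the commit message itself notes that the underlying want_daemonize/want_close_all_fds calls can only set the flags, so a value passed to a later start() cannot undo one set earlier. Until the API grows an unset path the docstring should say so, e.g. `Note: once daemonize or close_fds has been enabled it stays enabled for later start() calls.`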
 -- 
 1.8.4.4
 
 


Re: [lxc-devel] [PATCH] python3: Use FSConverter for all paths

2013-11-29 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

After a brief look at http://docs.python.org/3.1/c-api/unicode.html I
suppose it looks good...

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/python-lxc/lxc.c | 69 
 +---
  1 file changed, 60 insertions(+), 9 deletions(-)
 
 diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c
 index 5a20ff4..b4f1da3 100644
 --- a/src/python-lxc/lxc.c
 +++ b/src/python-lxc/lxc.c
 @@ -510,16 +510,33 @@ Container_add_device_node(Container *self, PyObject 
 *args, PyObject *kwds)
  static char *kwlist[] = {src_path, dest_path, NULL};
  char *src_path = NULL;
  char *dst_path = NULL;
 +PyObject *py_src_path = NULL;
 +PyObject *py_dst_path = NULL;
  
 -if (! PyArg_ParseTupleAndKeywords(args, kwds, s|s, kwlist,
 -  src_path, dst_path))
 +if (! PyArg_ParseTupleAndKeywords(args, kwds, O|O, kwlist,
 +  PyUnicode_FSConverter, py_src_path,
 +  PyUnicode_FSConverter, py_dst_path))
  return NULL;
  
 +if (py_src_path != NULL) {
 +src_path = PyBytes_AS_STRING(py_src_path);
 +assert(src_path != NULL);
 +}
 +
 +if (py_dst_path != NULL) {
 +dst_path = PyBytes_AS_STRING(py_dst_path);
 +assert(dst_path != NULL);
 +}
 +
  if (self-container-add_device_node(self-container, src_path,
   dst_path)) {
 +Py_XDECREF(py_src_path);
 +Py_XDECREF(py_dst_path);
  Py_RETURN_TRUE;
  }
  
 +Py_XDECREF(py_src_path);
 +Py_XDECREF(py_dst_path);
  Py_RETURN_FALSE;
  }
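Review bot: The `= NULL` initialisers on py_src_path/py_dst_path are load-bearing for an optional `O&` argument, because the converter is not run when the argument is absent and the later `Py_XDECREF` relies on the pointer being NULL; the Container_snapshot hunk at the end of this patch declares `PyObject *py_comment_path;` without one, and its optional comment_path argument would leave that pointer indeterminate. The two `Py_XDECREF` pairs before each return would be simpler as a single exit: compute the bool result, release both objects once, then return. The same duplicated-release pattern is repeated in Container_remove_device_node.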
  
 @@ -611,14 +628,16 @@ Container_clone(Container *self, PyObject *args, 
 PyObject *kwds)
  char **hookargs = NULL;
  
  PyObject *py_hookargs = NULL;
 +PyObject *py_config_path = NULL;
  struct lxc_container *new_container = NULL;
  int i = 0;
  
  static char *kwlist[] = {newname, config_path, flags, bdevtype,
   bdevdata, newsize, hookargs, NULL};
 -if (! PyArg_ParseTupleAndKeywords(args, kwds, s|sisskO, kwlist,
 -  newname, config_path, flags,
 -  bdevtype, bdevdata, newsize,
 +if (! PyArg_ParseTupleAndKeywords(args, kwds, s|OisskO, kwlist,
 +  newname,
 +  PyUnicode_FSConverter, py_config_path,
 +  flags, bdevtype, bdevdata, newsize,
py_hookargs))
  return NULL;
  
 @@ -635,10 +654,17 @@ Container_clone(Container *self, PyObject *args, 
 PyObject *kwds)
  }
  }
  
 +if (py_config_path != NULL) {
 +config_path = PyBytes_AS_STRING(py_config_path);
 +assert(config_path != NULL);
 +}
 +
  new_container = self-container-clone(self-container, newname,
 config_path, flags, bdevtype,
 bdevdata, newsize, hookargs);
  
 +Py_XDECREF(py_config_path);
 +
  if (hookargs) {
  for (i = 0; i  PyTuple_GET_SIZE(py_hookargs); i++)
  free(hookargs[i]);
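Review bot: py_config_path is released only after the clone call at the top of this hunk, so any early `return NULL` in the hookargs conversion that sits between the two hunks (not visible here) would leak the bytes object produced by PyUnicode_FSConverter; if such a path exists, add `Py_XDECREF(py_config_path);` before it. Container_clone's body continues outside the hunk.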
 @@ -1010,16 +1036,33 @@ Container_remove_device_node(Container *self, 
 PyObject *args, PyObject *kwds)
  static char *kwlist[] = {src_path, dest_path, NULL};
  char *src_path = NULL;
  char *dst_path = NULL;
 +PyObject *py_src_path = NULL;
 +PyObject *py_dst_path = NULL;
  
 -if (! PyArg_ParseTupleAndKeywords(args, kwds, s|s, kwlist,
 -  src_path, dst_path))
 +if (! PyArg_ParseTupleAndKeywords(args, kwds, O|O, kwlist,
 +  PyUnicode_FSConverter, py_src_path,
 +  PyUnicode_FSConverter, py_dst_path))
  return NULL;
  
 +if (py_src_path != NULL) {
 +src_path = PyBytes_AS_STRING(py_src_path);
 +assert(src_path != NULL);
 +}
 +
 +if (py_dst_path != NULL) {
 +dst_path = PyBytes_AS_STRING(py_dst_path);
 +assert(dst_path != NULL);
 +}
 +
  if (self-container-remove_device_node(self-container, src_path,
  dst_path)) {
 +Py_XDECREF(py_src_path);
 +Py_XDECREF(py_dst_path);
  Py_RETURN_TRUE;
  }
  
 +Py_XDECREF(py_src_path);
 +Py_XDECREF(py_dst_path);
  Py_RETURN_FALSE;
  }
  
 @@ -1126,13 +1169,21 @@ Container_snapshot(Container *self, PyObject *args, 
 PyObject *kwds)
  int retval = 0;
  int ret = 0;
  char newname[20];
 +PyObject *py_comment_path;
  
 -if (! PyArg_ParseTupleAndKeywords(args, kwds, |s, kwlist,
 -  comment_path))
 +if (! 

Re: [lxc-devel] [PATCH] Update doxygen doc for previous change

2013-11-29 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Reported-by: James Hunt james.h...@ubuntu.com
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Ah, thanks.

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/lxccontainer.h | 2 ++
  1 file changed, 2 insertions(+)
 
 diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
 index 8333610..ed340e2 100644
 --- a/src/lxc/lxccontainer.h
 +++ b/src/lxc/lxccontainer.h
 @@ -206,6 +206,7 @@ struct lxc_container {
* from the terminal.
*
* \param c Container.
 +  * \param state Value for the daemonize bit (0 or 1).
*
* \return \c true if container wants to be daemonised, else \c false.
*/
 @@ -216,6 +217,7 @@ struct lxc_container {
*  to be closed on startup.
*
* \param c Container.
 +  * \param state Value for the close_all_fds bit (0 or 1).
*
* \return \c true if container wants all file descriptors closed,
*  else \c false.
 -- 
 1.8.4.4
 
 



Re: [lxc-devel] [PATCH] Allow unsetting daemonize and close_fds

2013-11-29 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 On Fri, Nov 29, 2013 at 02:40:35PM -0500, S.Çağlar Onur wrote:
  On Fri, Nov 29, 2013 at 2:34 PM, Serge Hallyn serge.hal...@ubuntu.com 
  wrote:
   Quoting Stéphane Graber (stgra...@ubuntu.com):
   As mentioned in a previous commit, this does two changes:
- Make want_daemonize return a bool (false on failure, true on success)
- Make both want_daemonize and want_close_all_fds take a state
  argument so the user can choose to unset those flags.
  
   This commit also updates all occurrences of those two functions.
  
   Signed-off-by: Stéphane Graber stgra...@ubuntu.com
  
   Two comments below.  With that and James' comments addressed,
  
   Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com
  
   ---
src/lua-lxc/core.c |  2 +-
src/lxc/lxc_start.c|  4 ++--
src/lxc/lxccontainer.c | 20 +---
src/lxc/lxccontainer.h |  4 ++--
src/python-lxc/lxc.c   | 10 --
src/tests/attach.c |  2 +-
src/tests/cgpath.c |  2 +-
src/tests/concurrent.c |  2 +-
src/tests/console.c|  2 +-
src/tests/containertests.c |  2 +-
src/tests/createtest.c |  2 +-
src/tests/shutdowntest.c   |  2 +-
12 files changed, 33 insertions(+), 21 deletions(-)
  
   diff --git a/src/lua-lxc/core.c b/src/lua-lxc/core.c
   index 9492c07..04f2f1d 100644
   --- a/src/lua-lxc/core.c
   +++ b/src/lua-lxc/core.c
   @@ -156,7 +156,7 @@ static int container_start(lua_State *L)
 argv[j] = NULL;
}
  
   -c-want_daemonize(c);
   +c-want_daemonize(c, 1);
lua_pushboolean(L, !!c-start(c, useinit, argv));
return 1;
}
   diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
   index e537846..2a833a6 100644
   --- a/src/lxc/lxc_start.c
   +++ b/src/lxc/lxc_start.c
   @@ -325,7 +325,7 @@ int main(int argc, char *argv[])
 }
  
 if (my_args.daemonize) {
   - c-want_daemonize(c);
   + c-want_daemonize(c, 1);
 }
  
 if (pid_fp != NULL) {
   @@ -337,7 +337,7 @@ int main(int argc, char *argv[])
 }
  
 if (my_args.close_all_fds)
   - c-want_close_all_fds(c);
   + c-want_close_all_fds(c, 1);
  
 err = c-start(c, 0, args) ? 0 : -1;
  
   diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
   index 283fbb5..4234760 100644
   --- a/src/lxc/lxccontainer.c
   +++ b/src/lxc/lxccontainer.c
   @@ -455,29 +455,35 @@ static bool lxcapi_load_config(struct 
   lxc_container *c, const char *alt_file)
 return ret;
}
  
   -static void lxcapi_want_daemonize(struct lxc_container *c)
   +static bool lxcapi_want_daemonize(struct lxc_container *c, int state)
{
   + if (state  1)
  
   What about  0?
  
  Why we are not passing a bool instead of int?
 
 I based this on similar parameters of other API functions (useinit being
 one). Though looking back now it seems we have a couple of cases where
 we're also passing bool in such case...
 
 I guess another reason would be if we ever wanted to add finer grained
 options for those two commands as unlikely as it may be :)
 
 Serge: Any preference?

(I assume this question is now obsolete)

-serge



[lxc-devel] [PATCH 1/1] chown_mapped_root: fix assumption that calling uid == guid

2013-11-28 Thread Serge Hallyn
Because if they are not, then we'll fail trying to map that
gid into the container.

The function doesn't change any gids, but lxc-usernsexec always does
setgid(0), so just map getgid() to 0 in the container.

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/conf.c | 21 ++---
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 534e6e6..290a7bb 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3331,19 +3331,26 @@ int chown_mapped_root(char *path, struct lxc_conf *conf)
}
if (!pid) {
int hostuid = geteuid(), ret;
-   char map1[100], map2[100];
-   char *args[] = {lxc-usernsexec, -m, map1, -m, map2, --, 
chown,
-0, path, NULL};
+   char map1[100], map2[100], map3[100];
+   char *args[] = {lxc-usernsexec, -m, map1, -m, map2, -m,
+map3, --, chown, 0, path, NULL};
 
-   // b:0:rootid:1
-   ret = snprintf(map1, 100, b:0:%d:1, rootid);
+   // u:0:rootid:1
+   ret = snprintf(map1, 100, u:0:%d:1, rootid);
if (ret  0 || ret = 100) {
ERROR(Error uid printing map string);
return -1;
}
 
-   // b:hostuid:hostuid:1
-   ret = snprintf(map2, 100, b:%d:%d:1, hostuid, hostuid);
+   // u:hostuid:hostuid:1
+   ret = snprintf(map2, 100, u:%d:%d:1, hostuid, hostuid);
+   if (ret  0 || ret = 100) {
+   ERROR(Error uid printing map string);
+   return -1;
+   }
+
+   // g:0:hostgid:1
+   ret = snprintf(map3, 100, g:0:%d:1, getgid());
if (ret  0 || ret = 100) {
ERROR(Error uid printing map string);
return -1;
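Review bot: map3 is built from the real gid (`getgid()`) while map2 uses the effective uid (`geteuid()`, declared at the top of the hunk); if the caller's real and effective gids differ (a setgid helper, or a gid switch earlier in this function, whose start is outside the hunk), the `g:` entry names a gid that lxc-usernsexec may not be permitted to map and the chown fails in the same way the commit message describes. Using the effective id on both sides, `ret = snprintf(map3, 100, "g:0:%u:1", (unsigned)getegid());`, keeps the two maps consistent, and `%u` with the cast also removes the `%d`-with-uid_t/gid_t format mismatch repeated on all three snprintf calls (both types are unsigned on glibc). The three ERROR strings, including the one guarding the new gid map at the bottom of the hunk, all read "Error uid printing map string"; `ERROR("Error gid printing map string");` for map3 makes the failing map identifiable in logs. Each of these paths also does `return -1` from inside `if (!pid)`, which looks like a forked child about to exec lxc-usernsexec; if so, returning lets the child run the parent's remaining code, and `_exit(1)` is the safe exit there, although that pattern predates this patch.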
-- 
1.8.3.2




Re: [lxc-devel] [PATCH 2/7] python3: Sort all method/property lists

2013-11-27 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/python-lxc/lxc.c | 60 
 ++--
  1 file changed, 30 insertions(+), 30 deletions(-)
 
 diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c
 index 3924a1b..05fbff8 100644
 --- a/src/python-lxc/lxc.c
 +++ b/src/python-lxc/lxc.c
 @@ -1102,12 +1102,37 @@ static PyGetSetDef Container_getseters[] = {
  };
  
  static PyMethodDef Container_methods[] = {
 +{attach, (PyCFunction)Container_attach,
 + METH_VARARGS|METH_KEYWORDS,
 + attach(run, payload) - int\n
 + \n
 + Attach to the container. Returns the pid of the attached process.
 +},
 +{attach_wait, (PyCFunction)Container_attach_wait,
 + METH_VARARGS|METH_KEYWORDS,
 + attach(run, payload) - int\n
 + \n
 + Attach to the container. Returns the exit code of the process.
 +},
  {clear_config_item, (PyCFunction)Container_clear_config_item,
   METH_VARARGS|METH_KEYWORDS,
   clear_config_item(key) - boolean\n
   \n
   Clear the current value of a config key.
  },
 +{console, (PyCFunction)Container_console,
 + METH_VARARGS|METH_KEYWORDS,
 + console(ttynum = -1, stdinfd = 0, stdoutfd = 1, stderrfd = 2, 
 + escape = 0) - boolean\n
 + \n
 + Attach to container's console.
 +},
 +{console_getfd, (PyCFunction)Container_console_getfd,
 + METH_VARARGS|METH_KEYWORDS,
 + console(ttynum = -1) - boolean\n
 + \n
 + Attach to container's console.
 +},
  {create, (PyCFunction)Container_create,
   METH_VARARGS|METH_KEYWORDS,
   create(template, args = (,)) - boolean\n
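Review bot: Two of the entries moved to the top of Container_methods carry docstrings copied from their neighbours: `attach_wait` is documented as `attach(run, payload) -> int`, and `console_getfd` as `console(ttynum = -1) -> boolean` with the text "Attach to container's console.", neither of which matches the method name. Since this patch rewrites those lines anyway, `attach_wait(run, payload) -> int` and `console_getfd(ttynum = -1) -> int` would be the matching signatures. The return description for console_getfd should be checked against Container_console_getfd, which is not in this hunk; the wrapper in patch 1/7 of this series reads a masterfd out of the C call, so returning a file descriptor appears to be the intent, but that is inferred rather than visible here.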
 @@ -1228,31 +1253,6 @@ static PyMethodDef Container_methods[] = {
   \n
   Wait for the container to reach a given state or timeout.
  },
 -{console, (PyCFunction)Container_console,
 - METH_VARARGS|METH_KEYWORDS,
 - console(ttynum = -1, stdinfd = 0, stdoutfd = 1, stderrfd = 2, 
 - escape = 0) - boolean\n
 - \n
 - Attach to container's console.
 -},
 -{console_getfd, (PyCFunction)Container_console_getfd,
 - METH_VARARGS|METH_KEYWORDS,
 - console(ttynum = -1) - boolean\n
 - \n
 - Attach to container's console.
 -},
 -{attach, (PyCFunction)Container_attach,
 - METH_VARARGS|METH_KEYWORDS,
 - attach(run, payload) - int\n
 - \n
 - Attach to the container. Returns the pid of the attached process.
 -},
 -{attach_wait, (PyCFunction)Container_attach_wait,
 - METH_VARARGS|METH_KEYWORDS,
 - attach(run, payload) - int\n
 - \n
 - Attach to the container. Returns the exit code of the process.
 -},
  {NULL, NULL, 0, NULL}
  };
  
 @@ -1299,14 +1299,14 @@ PyVarObject_HEAD_INIT(NULL, 0)
  };
  
  static PyMethodDef LXC_methods[] = {
 -{attach_run_shell, (PyCFunction)LXC_attach_run_shell, METH_O,
 - Starts up a shell when attaching, to use as the run parameter for 
 - attach or attach_wait},
 +{arch_to_personality, (PyCFunction)LXC_arch_to_personality, METH_O,
 + Returns the process personality of the corresponding architecture},
  {attach_run_command, (PyCFunction)LXC_attach_run_command, METH_O,
   Runs a command when attaching, to use as the run parameter for attach 
   or attach_wait},
 -{arch_to_personality, (PyCFunction)LXC_arch_to_personality, METH_O,
 - Returns the process personality of the corresponding architecture},
 +{attach_run_shell, (PyCFunction)LXC_attach_run_shell, METH_O,
 + Starts up a shell when attaching, to use as the run parameter for 
 + attach or attach_wait},
  {get_default_config_path, (PyCFunction)LXC_get_default_config_path,
   METH_NOARGS,
   Returns the current LXC config path},
 -- 
 1.8.4.4
 
 

Re: [lxc-devel] [PATCH 1/7] python3: Code style

2013-11-27 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Drop any tab as spaces are preferred, get everything to fit the 80char
 limit.
 
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/python-lxc/lxc.c | 65 
 +++-
  1 file changed, 44 insertions(+), 21 deletions(-)
 
 diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c
 index 9e6f9d9..3924a1b 100644
 --- a/src/python-lxc/lxc.c
 +++ b/src/python-lxc/lxc.c
 @@ -18,7 +18,8 @@
   *
   * You should have received a copy of the GNU Lesser General Public
   * License along with this library; if not, write to the Free Software
 - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301 
  USA
 + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301
 + * USA
   */
  
  #include Python.h
 @@ -319,7 +320,8 @@ Container_create(Container *self, PyObject *args, 
 PyObject *kwds)
  }
  }
  
 -if (self-container-create(self-container, template_name, NULL, NULL, 
 0, create_args))
 +if (self-container-create(self-container, template_name, NULL, NULL, 
 0,
 +create_args))
  retval = Py_True;
  else
  retval = Py_False;
 @@ -756,7 +758,8 @@ Container_unfreeze(Container *self, PyObject *args, 
 PyObject *kwds)
  static PyObject *
  Container_console(Container *self, PyObject *args, PyObject *kwds)
  {
 -static char *kwlist[] = {ttynum, stdinfd, stdoutfd, stderrfd, 
 escape, NULL};
 +static char *kwlist[] = {ttynum, stdinfd, stdoutfd, stderrfd,
 + escape, NULL};
  int ttynum = -1, stdinfd = 0, stdoutfd = 1, stderrfd = 2, escape = 1;
  
  if (! PyArg_ParseTupleAndKeywords(args, kwds, |i, kwlist,
 @@ -765,7 +768,7 @@ Container_console(Container *self, PyObject *args, 
 PyObject *kwds)
  return NULL;
  
  if (self-container-console(self-container, ttynum,
 -  stdinfd, stdoutfd, stderrfd, escape) == 0) {
 +stdinfd, stdoutfd, stderrfd, escape) == 0) {
  Py_RETURN_TRUE;
  }
  Py_RETURN_FALSE;
 @@ -780,7 +783,8 @@ Container_console_getfd(Container *self, PyObject *args, 
 PyObject *kwds)
  if (! PyArg_ParseTupleAndKeywords(args, kwds, |i, kwlist, ttynum))
  return NULL;
  
 -if (self-container-console_getfd(self-container, ttynum, masterfd) 
  0) {
 +if (self-container-console_getfd(self-container, ttynum,
 +   masterfd)  0) {
  PyErr_SetString(PyExc_ValueError, Unable to allocate tty);
  return NULL;
  }
 @@ -812,8 +816,10 @@ struct lxc_attach_python_payload {
  
  static int lxc_attach_python_exec(void* _payload)
  {
 -struct lxc_attach_python_payload *payload = (struct 
 lxc_attach_python_payload *)_payload;
 -PyObject *result = PyObject_CallFunctionObjArgs(payload-fn, 
 payload-arg, NULL);
 +struct lxc_attach_python_payload *payload =
 +(struct lxc_attach_python_payload *)_payload;
 +PyObject *result = PyObject_CallFunctionObjArgs(payload-fn,
 +payload-arg, NULL);
  
  if (!result) {
  PyErr_Print();
 @@ -829,7 +835,10 @@ static void lxc_attach_free_options(lxc_attach_options_t 
 *options);
  
  static lxc_attach_options_t *lxc_attach_parse_options(PyObject *kwds)
  {
 -static char *kwlist[] = {attach_flags, namespaces, personality, 
 initial_cwd, uid, gid, env_policy, extra_env_vars, 
 extra_keep_env, stdin, stdout, stderr, NULL};
 +static char *kwlist[] = {attach_flags, namespaces, personality,
 + initial_cwd, uid, gid, env_policy,
 + extra_env_vars, extra_keep_env, stdin,
 + stdout, stderr, NULL};
  long temp_uid, temp_gid;
  int temp_env_policy;
  PyObject *extra_env_vars_obj = NULL;
 @@ -859,11 +868,17 @@ static lxc_attach_options_t 
 *lxc_attach_parse_options(PyObject *kwds)
  /* we need a dummy tuple */
  dummy = PyTuple_New(0);
  
 -parse_result = PyArg_ParseTupleAndKeywords(dummy, kwds, 
 |iilOlliO, kwlist,
 -   options-attach_flags, 
 options-namespaces, options-personality,
 -   PyUnicode_FSConverter, 
 initial_cwd_obj, temp_uid, temp_gid,
 -   temp_env_policy, 
 extra_env_vars_obj, extra_keep_env_obj,
 -   stdin_obj, stdout_obj, 
 stderr_obj);
 +parse_result = PyArg_ParseTupleAndKeywords(dummy, kwds, |iilOlliO,
 +   kwlist, 
 options-attach_flags,
 +   options-namespaces,
 +   options-personality,
 +   

Re: [lxc-devel] [PATCH 3/7] python3: Add reboot() to the binding

2013-11-27 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/python-lxc/lxc.c | 16 
  1 file changed, 16 insertions(+)
 
 diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c
 index 05fbff8..0604ec7 100644
 --- a/src/python-lxc/lxc.c
 +++ b/src/python-lxc/lxc.c
 @@ -598,6 +598,16 @@ Container_load_config(Container *self, PyObject *args, 
 PyObject *kwds)
  }
  
  static PyObject *
 +Container_reboot(Container *self, PyObject *args, PyObject *kwds)
 +{
 +if (self-container-reboot(self-container)) {
 +Py_RETURN_TRUE;
 +}
 +
 +Py_RETURN_FALSE;
 +}
 +
 +static PyObject *
  Container_save_config(Container *self, PyObject *args, PyObject *kwds)
  {
  static char *kwlist[] = {path, NULL};
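Review bot: Container_reboot is declared with the three-parameter `(Container *self, PyObject *args, PyObject *kwds)` shape but is registered as METH_NOARGS in the second hunk of this patch; CPython invokes METH_NOARGS methods with exactly two arguments (self and NULL), so `kwds` is never supplied and must never be read. The parameter is unused here, so the mismatch is only latent, but declaring it as `Container_reboot(Container *self, PyObject *unused)` makes the calling convention match the flag instead of relying on the `(PyCFunction)` cast in the method table to hide it. Whichever form is kept, a one-line comment on the function, `/* METH_NOARGS: CPython passes NULL as the second argument */`, documents the contract for the next person adding a method.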
 @@ -1195,6 +1205,12 @@ static PyMethodDef Container_methods[] = {
   Read the container configuration from its default 
   location or from an alternative location if provided.
  },
 +{reboot, (PyCFunction)Container_reboot,
 + METH_NOARGS,
 + reboot() - boolean\n
 + \n
 + Ask the container to reboot.
 +},
  {save_config, (PyCFunction)Container_save_config,
   METH_VARARGS|METH_KEYWORDS,
   save_config(path = DEFAULT) - boolean\n
 -- 
 1.8.4.4
 
 


Re: [lxc-devel] [PATCH 4/7] python3: Re-order all functions

2013-11-27 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 This properly regroups the module functions together and then sorts all
 other functions alphabetically to match the function and property lists.
 
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/python-lxc/lxc.c | 709 
 ++-
  1 file changed, 357 insertions(+), 352 deletions(-)
 
 diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c
 index 0604ec7..1ed8cbe 100644
 --- a/src/python-lxc/lxc.c
 +++ b/src/python-lxc/lxc.c
 @@ -31,10 +31,7 @@
  #include stdio.h
  #include sys/wait.h
  
 -typedef struct {
 -PyObject_HEAD
 -struct lxc_container *container;
 -} Container;
 +/* Helper functions */
  
  char**
  convert_tuple_to_char_pointer_array(PyObject *argv) {
 @@ -113,50 +110,218 @@ error:
  return NULL;
  }
  
 -static void
 -Container_dealloc(Container* self)
 +struct lxc_attach_python_payload {
 +PyObject *fn;
 +PyObject *arg;
 +};
 +
 +static int lxc_attach_python_exec(void* _payload)
  {
 -lxc_container_put(self-container);
 -Py_TYPE(self)-tp_free((PyObject*)self);
 +struct lxc_attach_python_payload *payload =
 +(struct lxc_attach_python_payload *)_payload;
 +PyObject *result = PyObject_CallFunctionObjArgs(payload-fn,
 +payload-arg, NULL);
 +
 +if (!result) {
 +PyErr_Print();
 +return -1;
 +}
 +if (PyLong_Check(result))
 +return (int)PyLong_AsLong(result);
 +else
 +return -1;
  }
  
 -static PyObject *
 -Container_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
 +static void lxc_attach_free_options(lxc_attach_options_t *options);
 +
 +static lxc_attach_options_t *lxc_attach_parse_options(PyObject *kwds)
  {
 -Container *self;
 +static char *kwlist[] = {attach_flags, namespaces, personality,
 + initial_cwd, uid, gid, env_policy,
 + extra_env_vars, extra_keep_env, stdin,
 + stdout, stderr, NULL};
 +long temp_uid, temp_gid;
 +int temp_env_policy;
 +PyObject *extra_env_vars_obj = NULL;
 +PyObject *extra_keep_env_obj = NULL;
 +PyObject *stdin_obj = NULL;
 +PyObject *stdout_obj = NULL;
 +PyObject *stderr_obj = NULL;
 +PyObject *initial_cwd_obj = NULL;
 +PyObject *dummy;
 +bool parse_result;
  
 -self = (Container *)type-tp_alloc(type, 0);
 +lxc_attach_options_t default_options = LXC_ATTACH_OPTIONS_DEFAULT;
 +lxc_attach_options_t *options = malloc(sizeof(*options));
  
 -return (PyObject *)self;
 +if (!options) {
 +PyErr_SetNone(PyExc_MemoryError);
 +return NULL;
 +}
 +memcpy(options, default_options, sizeof(*options));
 +
 +/* we need some dummy variables because we can't be sure
 + * the data types match completely */
 +temp_uid = -1;
 +temp_gid = -1;
 +temp_env_policy = options-env_policy;
 +
 +/* we need a dummy tuple */
 +dummy = PyTuple_New(0);
 +
 +parse_result = PyArg_ParseTupleAndKeywords(dummy, kwds, |iilOlliO,
 +   kwlist, 
 options-attach_flags,
 +   options-namespaces,
 +   options-personality,
 +   PyUnicode_FSConverter,
 +   initial_cwd_obj, temp_uid,
 +   temp_gid, temp_env_policy,
 +   extra_env_vars_obj,
 +   extra_keep_env_obj,
 +   stdin_obj, stdout_obj,
 +   stderr_obj);
 +
 +/* immediately get rid of the dummy tuple */
 +Py_DECREF(dummy);
 +
 +if (!parse_result) {
 +lxc_attach_free_options(options);
 +return NULL;
 +}
 +
 +/* duplicate the string, so we don't depend on some random Python object 
 */
 +if (initial_cwd_obj != NULL) {
 +options-initial_cwd = strndup(PyBytes_AsString(initial_cwd_obj),
 +   PyBytes_Size(initial_cwd_obj));
 +Py_DECREF(initial_cwd_obj);
 +}
 +
 +/* do the type conversion from the types that match the parse string */
 +if (temp_uid != -1) options-uid = (uid_t)temp_uid;
 +if (temp_gid != -1) options-gid = (gid_t)temp_gid;
 +options-env_policy = (lxc_attach_env_policy_t)temp_env_policy;
 +
 +if (extra_env_vars_obj)
 +options-extra_env_vars =
 +convert_tuple_to_char_pointer_array(extra_env_vars_obj);
 +if (extra_keep_env_obj)
 +options-extra_keep_env =
 +convert_tuple_to_char_pointer_array(extra_keep_env_obj);
 +if (stdin_obj) {
 +

Re: [lxc-devel] [PATCH 5/7] python3: Add clear_config() to the binding

2013-11-27 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/python-lxc/lxc.c | 14 ++
  1 file changed, 14 insertions(+)
 
 diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c
 index 1ed8cbe..7c28607 100644
 --- a/src/python-lxc/lxc.c
 +++ b/src/python-lxc/lxc.c
 @@ -546,6 +546,14 @@ Container_attach_wait(Container *self, PyObject *args, 
 PyObject *kwds)
  }
  
  static PyObject *
 +Container_clear_config(Container *self, PyObject *args, PyObject *kwds)
 +{
 +self-container-clear_config(self-container);
 +
 +Py_RETURN_NONE;
 +}
 +
 +static PyObject *
  Container_clear_config_item(Container *self, PyObject *args, PyObject *kwds)
  {
  static char *kwlist[] = {key, NULL};
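Review bot: Container_clear_config takes `(Container *self, PyObject *args, PyObject *kwds)` but is registered as METH_NOARGS in the next hunk, under which CPython passes only `self` and NULL; the unused `args`/`kwds` are harmless today, but the two-argument form `Container_clear_config(Container *self, PyObject *unused)` matches the flag and the convention CPython documents for it. The call to `self->container->clear_config` also discards any result and the function always returns None; if the C API call can report failure (its signature is not in this hunk), that outcome is invisible to Python callers, and the docstring in the method table should say so, e.g. `clear_config() -> None` followed by "Clear any container configuration; the result of the underlying call is not reported.".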
 @@ -1129,6 +1137,12 @@ static PyMethodDef Container_methods[] = {
   \n
   Attach to the container. Returns the exit code of the process.
  },
 +{clear_config, (PyCFunction)Container_clear_config,
 + METH_NOARGS,
 + clear_config()\n
 + \n
 + Clear any container configuration.
 +},
  {clear_config_item, (PyCFunction)Container_clear_config_item,
   METH_VARARGS|METH_KEYWORDS,
   clear_config_item(key) - boolean\n
 -- 
 1.8.4.4
 
 


Re: [lxc-devel] [PATCH] python3: Add clone() to the binding

2013-11-27 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Thanks.  I've only tested basic clone so far, but it looks good and
if I run into any problems with the bdevtype etc we can fix those later.

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/python-lxc/lxc.c   | 68 
 ++
  src/python-lxc/lxc/__init__.py | 35 +++---
  2 files changed, 85 insertions(+), 18 deletions(-)
 
 diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c
 index 8c86323..e9a3455 100644
 --- a/src/python-lxc/lxc.c
 +++ b/src/python-lxc/lxc.c
 @@ -600,6 +600,61 @@ Container_clear_config_item(Container *self, PyObject 
 *args, PyObject *kwds)
  }
  
  static PyObject *
 +Container_clone(Container *self, PyObject *args, PyObject *kwds)
 +{
 +char *newname = NULL;
 +char *config_path = NULL;
 +int flags = 0;
 +char *bdevtype = NULL;
 +char *bdevdata = NULL;
 +unsigned long newsize = 0;
 +char **hookargs = NULL;
 +
 +PyObject *py_hookargs = NULL;
 +struct lxc_container *new_container = NULL;
 +int i = 0;
 +
 +static char *kwlist[] = {newname, config_path, flags, bdevtype,
 + bdevdata, newsize, hookargs, NULL};
 +if (! PyArg_ParseTupleAndKeywords(args, kwds, s|sisskO, kwlist,
 +  newname, config_path, flags,
 +  bdevtype, bdevdata, newsize,
 +  py_hookargs))
 +return NULL;
 +
 +if (py_hookargs) {
 +if (PyTuple_Check(py_hookargs)) {
 +hookargs = convert_tuple_to_char_pointer_array(py_hookargs);
 +if (!hookargs) {
 +return NULL;
 +}
 +}
 +else {
 +PyErr_SetString(PyExc_ValueError, hookargs needs to be a 
 tuple);
 +return NULL;
 +}
 +}
 +
 +new_container = self-container-clone(self-container, newname,
 +   config_path, flags, bdevtype,
 +   bdevdata, newsize, hookargs);
 +
 +if (hookargs) {
 +for (i = 0; i  PyTuple_GET_SIZE(py_hookargs); i++)
 +free(hookargs[i]);
 +free(hookargs);
 +}
 +
 +if (new_container == NULL) {
 +Py_RETURN_FALSE;
 +}
 +
 +lxc_container_put(new_container);
 +
 +Py_RETURN_TRUE;
 +}
 +
 +static PyObject *
  Container_console(Container *self, PyObject *args, PyObject *kwds)
  {
  static char *kwlist[] = {ttynum, stdinfd, stdoutfd, stderrfd,
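Review bot: `newsize` is parsed with the `k` conversion, which CPython documents as performing no overflow checking, so `clone(..., newsize=-1)` silently arrives here as ULONG_MAX before it reaches the backing-store code; parsing it as an object and converting with `PyLong_AsUnsignedLong` (which raises on negative values) would reject that input at the boundary. More importantly, the Python wrapper in this same patch's __init__.py hunk hard-codes `args['flags'] = 0` and `args['newsize'] = 0` even though it accepts `flags` and `newsize` parameters, so LXC_CLONE_SNAPSHOT and any requested size never reach this function; those two lines should read `args['flags'] = flags` and `args['newsize'] = newsize`. On failure this function returns False without setting a Python exception, which matches Container_create; a comment on that branch, `/* lxc signals failure with NULL; no Python exception is raised */`, keeps the caller-must-check contract explicit.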
 @@ -1220,6 +1275,13 @@ static PyMethodDef Container_methods[] = {
   \n
   Attach to container's console.
  },
 +{clone, (PyCFunction)Container_clone,
 + METH_VARARGS|METH_KEYWORDS,
 + clone(newname, config_path, flags, bdevtype, bdevdata, newsize, 
 + hookargs) - boolean\n
 + \n
 + Create a new container based on the current one.
 +},
  {create, (PyCFunction)Container_create,
   METH_VARARGS|METH_KEYWORDS,
   create(template, args = (,)) - boolean\n
 @@ -1468,6 +1530,12 @@ PyInit__lxc(void)
  PYLXC_EXPORT_CONST(LXC_ATTACH_REMOUNT_PROC_SYS);
  PYLXC_EXPORT_CONST(LXC_ATTACH_SET_PERSONALITY);
  
 +/* clone: clone flags */
 +PYLXC_EXPORT_CONST(LXC_CLONE_COPYHOOKS);
 +PYLXC_EXPORT_CONST(LXC_CLONE_KEEPMACADDR);
 +PYLXC_EXPORT_CONST(LXC_CLONE_KEEPNAME);
 +PYLXC_EXPORT_CONST(LXC_CLONE_SNAPSHOT);
 +
  #undef PYLXC_EXPORT_CONST
  
  return m;
 diff --git a/src/python-lxc/lxc/__init__.py b/src/python-lxc/lxc/__init__.py
 index e0d4b51..b900c75 100644
 --- a/src/python-lxc/lxc/__init__.py
 +++ b/src/python-lxc/lxc/__init__.py
 @@ -22,7 +22,6 @@
  #
  
  import _lxc
 -import glob
  import os
  import subprocess
  import stat
 @@ -247,29 +246,29 @@ class Container(_lxc.Container):
  
  return _lxc.Container.create(self, template, tuple(template_args))
  
 -def clone(self, container):
 +def clone(self, newname, config_path=None, flags=0, bdevtype=None,
 +  bdevdata=None, newsize=0, hookargs=()):
  
 -Clone an existing container into a new one.
 +Clone the current container.
  
  
 -if self.defined:
 -return False
 -
 -if isinstance(container, Container):
 -source = container
 +args = {}
 +args['newname'] = newname
 +args['flags'] = 0
 +args['newsize'] = 0
 +args['hookargs'] = hookargs
 +if config_path:
 +args['config_path'] = config_path
 +if bdevtype:
 +args['bdevtype'] = bdevtype
 +if bdevdata:
 +args['bdevdata'] = bdevdata
 +
 +if _lxc.Container.clone(self, **args):
 +return Container(newname, config_path=config_path)
  else:
 -source = Container(container)
 -
 -if not source.defined:
  

Re: [lxc-devel] [PATCH] python3: Export some missing constants

2013-11-27 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/python-lxc/lxc/__init__.py | 37 +
  1 file changed, 25 insertions(+), 12 deletions(-)
 
 diff --git a/src/python-lxc/lxc/__init__.py b/src/python-lxc/lxc/__init__.py
 index 52f0fb4..eddd198 100644
 --- a/src/python-lxc/lxc/__init__.py
 +++ b/src/python-lxc/lxc/__init__.py
 @@ -474,19 +474,32 @@ def arch_to_personality(arch):
  arch = str(arch, 'utf-8')
  return _lxc.arch_to_personality(arch)
  
 -# Some constants for attach
 -LXC_ATTACH_KEEP_ENV = _lxc.LXC_ATTACH_KEEP_ENV
 +# namespace flags (no other python lib exports this)
 +CLONE_NEWIPC = _lxc.CLONE_NEWIPC
 +CLONE_NEWNET = _lxc.CLONE_NEWNET
 +CLONE_NEWNS = _lxc.CLONE_NEWNS
 +CLONE_NEWPID = _lxc.CLONE_NEWPID
 +CLONE_NEWUSER = _lxc.CLONE_NEWUSER
 +CLONE_NEWUTS = _lxc.CLONE_NEWUTS
 +
 +# attach: environment variable handling
  LXC_ATTACH_CLEAR_ENV = _lxc.LXC_ATTACH_CLEAR_ENV
 -LXC_ATTACH_MOVE_TO_CGROUP = _lxc.LXC_ATTACH_MOVE_TO_CGROUP
 +LXC_ATTACH_KEEP_ENV = _lxc.LXC_ATTACH_KEEP_ENV
 +
 +# attach: attach options
 +LXC_ATTACH_DEFAULT = _lxc.LXC_ATTACH_DEFAULT
  LXC_ATTACH_DROP_CAPABILITIES = _lxc.LXC_ATTACH_DROP_CAPABILITIES
 -LXC_ATTACH_SET_PERSONALITY = _lxc.LXC_ATTACH_SET_PERSONALITY
 -LXC_ATTACH_LSM_NOW = _lxc.LXC_ATTACH_LSM_NOW
  LXC_ATTACH_LSM_EXEC = _lxc.LXC_ATTACH_LSM_EXEC
 +LXC_ATTACH_LSM_NOW = _lxc.LXC_ATTACH_LSM_NOW
 +LXC_ATTACH_MOVE_TO_CGROUP = _lxc.LXC_ATTACH_MOVE_TO_CGROUP
  LXC_ATTACH_REMOUNT_PROC_SYS = _lxc.LXC_ATTACH_REMOUNT_PROC_SYS
 -LXC_ATTACH_DEFAULT = _lxc.LXC_ATTACH_DEFAULT
 -CLONE_NEWUTS = _lxc.CLONE_NEWUTS
 -CLONE_NEWIPC = _lxc.CLONE_NEWIPC
 -CLONE_NEWUSER = _lxc.CLONE_NEWUSER
 -CLONE_NEWPID = _lxc.CLONE_NEWPID
 -CLONE_NEWNET = _lxc.CLONE_NEWNET
 -CLONE_NEWNS = _lxc.CLONE_NEWNS
 +LXC_ATTACH_SET_PERSONALITY = _lxc.LXC_ATTACH_SET_PERSONALITY
 +
 +# clone: clone flags
 +LXC_CLONE_COPYHOOKS = _lxc.LXC_CLONE_COPYHOOKS
 +LXC_CLONE_KEEPMACADDR = _lxc.LXC_CLONE_KEEPMACADDR
 +LXC_CLONE_KEEPNAME = _lxc.LXC_CLONE_KEEPNAME
 +LXC_CLONE_SNAPSHOT = _lxc.LXC_CLONE_SNAPSHOT
 +
 +# create: create flags
 +LXC_CREATE_QUIET = _lxc.LXC_CREATE_QUIET
 -- 
 1.8.4.4
 
 


Re: [lxc-devel] [PATCH] python3: Allow passing create flags

2013-11-27 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/python-lxc/lxc.c   | 14 +-
  src/python-lxc/lxc/__init__.py | 23 +++
  2 files changed, 24 insertions(+), 13 deletions(-)
 
 diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c
 index e9a3455..050f6ae 100644
 --- a/src/python-lxc/lxc.c
 +++ b/src/python-lxc/lxc.c
 @@ -694,13 +694,14 @@ static PyObject *
  Container_create(Container *self, PyObject *args, PyObject *kwds)
  {
  char* template_name = NULL;
 +int flags = 0;
  char** create_args = {NULL};
  PyObject *retval = NULL, *vargs = NULL;
  int i = 0;
 -static char *kwlist[] = {template, args, NULL};
 +static char *kwlist[] = {template, flags, args, NULL};
  
 -if (! PyArg_ParseTupleAndKeywords(args, kwds, s|O, kwlist,
 -  template_name, vargs))
 +if (! PyArg_ParseTupleAndKeywords(args, kwds, s|iO, kwlist,
 +  template_name, flags, vargs))
  return NULL;
  
  if (vargs) {
 @@ -716,8 +717,8 @@ Container_create(Container *self, PyObject *args, 
 PyObject *kwds)
  }
  }
  
 -if (self-container-create(self-container, template_name, NULL, NULL, 
 0,
 -create_args))
 +if (self-container-create(self-container, template_name, NULL, NULL,
 +flags, create_args))
  retval = Py_True;
  else
  retval = Py_False;
 @@ -1536,6 +1537,9 @@ PyInit__lxc(void)
  PYLXC_EXPORT_CONST(LXC_CLONE_KEEPNAME);
  PYLXC_EXPORT_CONST(LXC_CLONE_SNAPSHOT);
  
 +/* create: create flags */
 +PYLXC_EXPORT_CONST(LXC_CREATE_QUIET);
 +
  #undef PYLXC_EXPORT_CONST
  
  return m;
 diff --git a/src/python-lxc/lxc/__init__.py b/src/python-lxc/lxc/__init__.py
 index b900c75..52f0fb4 100644
 --- a/src/python-lxc/lxc/__init__.py
 +++ b/src/python-lxc/lxc/__init__.py
 @@ -229,22 +229,29 @@ class Container(_lxc.Container):
  
  return _lxc.Container.set_config_item(self, key, value)
  
 -def create(self, template, args={}):
 +def create(self, template, flags=0, args=()):
  
  Create a new rootfs for the container.
  
  template must be a valid template name.
  
 -args (optional) is a dictionary of parameters and values to 
 pass
 -to the template.
 +flags (optional) is an integer representing the optional
 +create flags to be passed.
 +
 +args (optional) is a tuple of arguments to pass to the
 +template. It can also be provided as a dict.
  
  
 -template_args = []
 -for item in args.items():
 -template_args.append(--%s % item[0])
 -template_args.append(%s % item[1])
 +if isinstance(args, dict):
 +template_args = []
 +for item in args.items():
 +template_args.append(--%s % item[0])
 +template_args.append(%s % item[1])
 +else:
 +template_args = args
  
 -return _lxc.Container.create(self, template, tuple(template_args))
 +return _lxc.Container.create(self, template=template,
 + flags=flags, args=tuple(template_args))
  
  def clone(self, newname, config_path=None, flags=0, bdevtype=None,
bdevdata=None, newsize=0, hookargs=()):
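Review bot: Inserting `flags` ahead of `args` in `create(self, template, flags=0, args=())` breaks any existing positional caller: `c.create("ubuntu", {"release": "precise"})` now lands the dict in `flags`, which the C side (first hunk of this patch) parses with `i` and rejects with a TypeError, and the reordered C kwlist does the same to direct `_lxc` users. Keeping the old position, `def create(self, template, args=(), flags=0):`, and passing both by keyword (as the new code already does) preserves compatibility while still exposing the flags. The docstring should also state that `args` must be a tuple or dict, not a string, because the `else` branch hands a string to `tuple()` and splits it into characters; a guard such as `if isinstance(args, str): raise TypeError("args must be a tuple or dict")` would make that failure explicit.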
 -- 
 1.8.4.4
 
 


Re: [lxc-devel] [PATCH] ubuntu: Fix regression in post-process

2013-11-27 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 The recent reorg of lxc-ubuntu introduced some package installation in
 post-process but without first disabling service startup.
 
 As a result, if the cache is a bit out of date and an ssh update is
 available, post-process will apply that update (as it does apt-get
 install ssh vim), which in turn will attempt to start sshd. This will
 either lead to ssh on the host being restarted or, if there's no sshd on
 the host, will fail the container creation as the postinst will get an
 error from upstart.
 
 The fix is simply to add the same policy-rc.d trick when running
 post-process.

If we're on a new enough kernel we might want to do all apt-gets
in the template by doing lxc-start -d and then lxc-attach.  Or
we could just do it through lxc-execute I suppose, and always
put lxc-init into the container.

 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  templates/lxc-ubuntu.in | 10 ++
  1 file changed, 10 insertions(+)
 
 diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
 index ac39ed2..4e6a54f 100644
 --- a/templates/lxc-ubuntu.in
 +++ b/templates/lxc-ubuntu.in
 @@ -467,6 +467,13 @@ post_process()
  release=$2
  packages=$3
  
 +# Disable service startup
 +cat  $rootfs/usr/sbin/policy-rc.d  EOF
 +#!/bin/sh
 +exit 101
 +EOF
 +chmod +x $rootfs/usr/sbin/policy-rc.d
 +
  if [ ! -f $rootfs/etc/init/container-detect.conf ]; then
  # Make sure we have a working resolv.conf
  cresolvonf=${rootfs}/etc/resolv.conf
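Review bot: The policy-rc.d stub is written at the top of post_process but only removed by the `rm` at the very end of the function (second hunk, L3009-L3018); if anything in between returns early or the template aborts (e.g. under `set -e`, if the script uses it), the finished container keeps a policy-rc.d that blocks every service start. Removing it from a trap or at each exit point would make the disable/re-enable pairing robust, and since a missing file makes `rm` fail, `rm -f $rootfs/usr/sbin/policy-rc.d` is the safer form for the cleanup. `$rootfs` is also unquoted in the redirection, `chmod` and `rm`, so a rootfs path containing whitespace would break these lines; `"$rootfs/usr/sbin/policy-rc.d"` avoids that. post_process continues outside this hunk.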
 @@ -538,6 +545,9 @@ post_process()
  mv $rootfs/dev/shm $rootfs/dev/shm.bak
  ln -s /run/shm $rootfs/dev/shm
  fi
 +
 +# Re-enable service startup
 +rm $rootfs/usr/sbin/policy-rc.d
  }
  
  do_bindhome()
 -- 
 1.8.4.4
 
 



Re: [lxc-devel] [PATCH] python3: Add list_containers to C API

2013-11-26 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 This adds a new list_containers function to the python3 binding and a
 matching override in __init__.py that adds the as_object parameter.
 
 This should be compatible to the previous pure python implementation
 with the advantage of also listing active non-defined containers (fixing
 github issue #68).
 
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Looks good to my uneducated eye.

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/python-lxc/lxc.c   | 71 
 --
  src/python-lxc/lxc/__init__.py | 22 +++--
  2 files changed, 80 insertions(+), 13 deletions(-)
 
 diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c
 index e42ed35..9e6f9d9 100644
 --- a/src/python-lxc/lxc.c
 +++ b/src/python-lxc/lxc.c
 @@ -170,6 +170,65 @@ LXC_get_version(PyObject *self, PyObject *args)
  return PyUnicode_FromString(lxc_get_version());
  }
  
 +static PyObject *
 +LXC_list_containers(PyObject *self, PyObject *args, PyObject *kwds)
 +{
 +char **names = NULL;
 +PyObject *list = NULL;
 +int list_count = 0;
 +
 +int list_active = 1;
 +int list_defined = 1;
 +
 +PyObject *py_list_active = NULL;
 +PyObject *py_list_defined = NULL;
 +
 +char* config_path = NULL;
 +
 +int i = 0;
 +PyObject *vargs = NULL;
 +static char *kwlist[] = {active, defined, config_path, NULL};
 +
 +if (! PyArg_ParseTupleAndKeywords(args, kwds, |OOs, kwlist,
 +  py_list_active,
 +  py_list_defined,
 +  config_path, vargs))
 +return NULL;
 +
 +/* We default to listing everything */
 +if (py_list_active  py_list_active != Py_True) {
 +list_active = 0;
 +}
 +
 +if (py_list_defined  py_list_defined != Py_True) {
 +list_defined = 0;
 +}
 +
 +/* Call the right API function based on filters */
 +if (list_active == 1  list_defined == 1)
 +list_count = list_all_containers(config_path, names, NULL);
 +else if (list_active == 1)
 +list_count = list_active_containers(config_path, names, NULL);
 +else if (list_defined == 1)
 +list_count = list_defined_containers(config_path, names, NULL);
 +
 +/* Handle failure */
 +if (list_count  0) {
 +PyErr_SetString(PyExc_ValueError, failure to list containers);
 +return NULL;
 +}
 +
 +/* Generate the tuple */
 +list = PyTuple_New(list_count);
 +for (i = 0; i  list_count; i++) {
 +PyTuple_SET_ITEM(list, i, PyUnicode_FromString(names[i]));
 +free(names[i]);
 +}
 +free(names);
 +
 +return list;
 +}
 +
  // Container properties
  static PyObject *
  Container_config_file_name(Container *self, void *closure)
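Review bot: `PyTuple_New(list_count)` and each `PyUnicode_FromString(names[i])` in the loop at the end of LXC_list_containers are used without a NULL check; on allocation failure the code either dereferences a NULL `list` in `PyTuple_SET_ITEM` or returns a tuple with a NULL slot, and the not-yet-freed `names[i]` strings leak. Check both results, keep draining `names[]`, and return NULL with the exception the failed call already set. Separately, the format string `|OOs` has three conversions but four output pointers are passed, so `vargs` is never consumed by `PyArg_ParseTupleAndKeywords` and can be dropped along with its declaration.
```c
    /* Generate the tuple; on any failure keep draining names[] so nothing leaks */
    list = PyTuple_New(list_count);
    for (i = 0; i < list_count; i++) {
        PyObject *item = list ? PyUnicode_FromString(names[i]) : NULL;
        free(names[i]);
        if (!item)
            Py_CLEAR(list);          /* exception already set by the failed call */
        else
            PyTuple_SET_ITEM(list, i, item);
    }
    free(names);

    return list;                     /* NULL with an exception set on failure */
```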
 @@ -1219,15 +1278,21 @@ PyVarObject_HEAD_INIT(NULL, 0)
  
  static PyMethodDef LXC_methods[] = {
  {attach_run_shell, (PyCFunction)LXC_attach_run_shell, METH_O,
 - Starts up a shell when attaching, to use as the run parameter for 
 attach or attach_wait},
 + Starts up a shell when attaching, to use as the run parameter for 
 + attach or attach_wait},
  {attach_run_command, (PyCFunction)LXC_attach_run_command, METH_O,
 - Runs a command when attaching, to use as the run parameter for attach 
 or attach_wait},
 + Runs a command when attaching, to use as the run parameter for attach 
 + or attach_wait},
  {arch_to_personality, (PyCFunction)LXC_arch_to_personality, METH_O,
   Returns the process personality of the corresponding architecture},
 -{get_default_config_path, (PyCFunction)LXC_get_default_config_path, 
 METH_NOARGS,
 +{get_default_config_path, (PyCFunction)LXC_get_default_config_path,
 + METH_NOARGS,
   Returns the current LXC config path},
  {get_version, (PyCFunction)LXC_get_version, METH_NOARGS,
   Returns the current LXC library version},
 +{list_containers, (PyCFunction)LXC_list_containers,
 + METH_VARARGS|METH_KEYWORDS,
 + Returns a list of container names or objects},
  {NULL, NULL, 0, NULL}
  };
  
 diff --git a/src/python-lxc/lxc/__init__.py b/src/python-lxc/lxc/__init__.py
 index 8ae7852..e0d4b51 100644
 --- a/src/python-lxc/lxc/__init__.py
 +++ b/src/python-lxc/lxc/__init__.py
 @@ -417,21 +417,23 @@ class Container(_lxc.Container):
  return _lxc.Container.wait(self, state, timeout)
  
  
 -def list_containers(as_object=False, config_path=None):
 +def list_containers(active=True, defined=True,
 +as_object=False, config_path=None):
  
  List the containers on the system.
  
  
 -if not config_path:
 -config_path = default_config_path
 +if config_path:
 +entries = _lxc.list_containers(active=active, defined=defined,
 +   config_path=config_path)
 +else:
 +entries = _lxc.list_containers(active=active, 

Re: [lxc-devel] /proc/cpuinfo per cgroup

2013-11-25 Thread Serge Hallyn
Quoting Marian Marinov (m...@yuhu.biz):
 Hi guys,
 I'm using LXC containers for some of my teaching and I want to have 
 /proc/cpuinfo and /proc/memory based on the cgroup 
 limits that I have set.
 
 The idea is that if one container is limited to a cpuset of 0-1 it should see 
 only the first two cores and not all the 
 cores on the machine.
 
 The same thing is needed for the memory.
 
 I simply want my students see the actual resources that they have.
 
 Does any of you have any suggestions?
 
 I'm planning to patch the kernel. As far as I can see it, I need to patch the 
 following files:
 ./tile/kernel/proc.c
 ./sh/kernel/cpu/proc.c
 ./x86/kernel/cpu/proc.c
 ./mips/kernel/proc.c
 
 Actually the c_start function.

Hi,

patching the kernel would be a good exercise.  Historically that hasn't
been acceptable upstream - but then tastes and politics change pretty
frequently, and what was nacked one year can be enthusiastically
accepted two years later...

now the alternative is to use fuse to have userspace change what is
shown in those files.  Daniel Lezcano years ago had one working.  The
code for that is up at https://github.com/hallyn/procfs, however it
won't work or even compile as is.  But if you can whip that into a
working shape we could hopefully figure out how to ship it with lxc.

-serge



Re: [lxc-devel] [PATCH] add lxc-usernsexec to .gitignore

2013-11-22 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Oh yeah, noticed it for a moment last night then forgot.  Thanks.

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  .gitignore | 1 +
  1 file changed, 1 insertion(+)
 
 diff --git a/.gitignore b/.gitignore
 index 82b144a..b3eff27 100644
 --- a/.gitignore
 +++ b/.gitignore
 @@ -68,6 +68,7 @@ src/lxc/lxc-start-ephemeral
  src/lxc/lxc-stop
  src/lxc/lxc-unfreeze
  src/lxc/lxc-unshare
 +src/lxc/lxc-usernsexec
  src/lxc/lxc-version
  src/lxc/lxc-wait
  src/lxc/legacy/lxc-ls
 -- 
 1.8.3.2
 
 



[lxc-devel] [PATCH 1/1] lxcapi_destroy: run in a namespace if we are unprivileged

2013-11-22 Thread Serge Hallyn
This is necessary to have the rights to remove files owned by our subuids.

Also fix up a wrong return value from lxc_rmdir_onedev().  It's
expected to return -1 on error, not 1.

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/conf.c | 155 -
 src/lxc/conf.h |   3 +
 src/lxc/lxc_destroy.c  |   7 ---
 src/lxc/lxccontainer.c |  28 ++---
 src/lxc/utils.c|   2 +-
 5 files changed, 177 insertions(+), 18 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index c8809d2..4b786b1 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -75,6 +75,7 @@
 #include bdev.h
 #include cgroup.h
 #include lxclock.h
+#include namespace.h
 #include lsm/lsm.h
 
 #if HAVE_SYS_CAPABILITY_H
@@ -3810,11 +3811,10 @@ int lxc_clear_config_caps(struct lxc_conf *c)
return 0;
 }
 
-int lxc_clear_idmaps(struct lxc_conf *c)
-{
+int lxc_free_idmap(struct lxc_list *id_map) {
struct lxc_list *it, *next;
 
-   lxc_list_for_each_safe(it, c-id_map, next) {
+   lxc_list_for_each_safe(it, id_map, next) {
lxc_list_del(it);
free(it-elem);
free(it);
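Review bot: `int lxc_free_idmap(struct lxc_list *id_map) {` puts the opening brace on the signature line, while the surrounding conf.c definitions (including the new `lxc_clear_idmaps` in the next hunk) put it on its own line; write the signature and `{` on separate lines to match. The function also deserves a one-line contract, because it frees every entry reached from `id_map` but never the head it is handed: `/* Free all entries of id_map; the list head itself belongs to the caller. */` — callers that pass a heap-allocated head, as the later `idmap_add_id` hunk appears to do in its error path, therefore have to free that head (and its `elem`) themselves. The body of lxc_free_idmap continues in the following hunk, and the identical hunk reappears in the v2 posting below (L3542-L3555), where the same applies.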
@@ -3822,6 +3822,11 @@ int lxc_clear_idmaps(struct lxc_conf *c)
return 0;
 }
 
+int lxc_clear_idmaps(struct lxc_conf *c)
+{
+   return lxc_free_idmap(c-id_map);
+}
+
 int lxc_clear_config_keepcaps(struct lxc_conf *c)
 {
struct lxc_list *it,*next;
@@ -3941,3 +3946,147 @@ void lxc_conf_free(struct lxc_conf *conf)
lxc_clear_idmaps(conf);
free(conf);
 }
+
+struct userns_fn_data {
+   int (*fn)(void *);
+   void *arg;
+   int p[2];
+};
+
+static int run_userns_fn(void *data)
+{
+   struct userns_fn_data *d = data;
+   char c;
+   // we're not sharing with the parent any more, if it was a thread
+
+   close(d-p[1]);
+   if (read(d-p[0], c, 1) != 1)
+   return -1;
+   close(d-p[0]);
+   return d-fn(d-arg);
+}
+
+/*
+ * Add a ID_TYPE_UID entry to an existing lxc_conf, if it is not
+ * alread there.
+ * We may want to generalize this to do gids as well as uids, but right now
+ * it's not necessary.
+ */
+static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
+{
+   int hostid_mapped = mapped_hostid(uid, conf);
+   struct lxc_list *new = NULL, *tmp, *it, *next;
+   struct id_map *entry;
+
+   if (hostid_mapped  0) {
+   hostid_mapped = find_unmapped_nsuid(conf);
+   if (hostid_mapped  0) {
+   ERROR(Could not find free uid to map);
+   return NULL;
+   }
+   new = malloc(sizeof(*new));
+   if (!new) {
+   ERROR(Out of memory building id map);
+   return NULL;
+   }
+   entry = malloc(sizeof(*entry));
+   if (!entry) {
+   free(new);
+   ERROR(Out of memory building idmap entry);
+   return NULL;
+   }
+   new-elem = entry;
+   entry-idtype = ID_TYPE_UID;
+   entry-nsid = hostid_mapped;
+   entry-hostid = (unsigned long)uid;
+   entry-range = 1;
+   lxc_list_init(new);
+   }
+   lxc_list_for_each_safe(it, conf-id_map, next) {
+   tmp = malloc(sizeof(*tmp));
+   if (!tmp)
+   goto err;
+   entry = malloc(sizeof(*entry));
+   if (!entry) {
+   free(tmp);
+   goto err;
+   }
+   memset(entry, 0, sizeof(*entry));
+   memcpy(entry, it-elem, sizeof(*entry));
+   tmp-elem = entry;
+   if (!new) {
+   new = tmp;
+   lxc_list_init(new);
+   } else
+   lxc_list_add_tail(new, tmp);
+   }
+
+   return new;
+
+err:
+   ERROR(Out of memory building a new uid map);
+   lxc_free_idmap(new);
+   return NULL;
+}
+
+/*
+ * Run a function in a new user namespace.
+ * The caller's euid will be mapped in if it is not already.
+ */
+int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
+{
+   int ret, pid;
+   struct userns_fn_data d;
+   char c = '1';
+   int p[2];
+   struct lxc_list *idmap;
+
+   process_lock();
+   ret = pipe(p);
+   process_unlock();
+   if (ret  0) {
+   SYSERROR(opening pipe);
+   return -1;
+   }
+   d.fn = fn;
+   d.arg = data;
+   d.p[0] = p[0];
+   d.p[1] = p[1];
+   pid = lxc_clone(run_userns_fn, d, CLONE_NEWUSER);
+   if (pid  0)
+   goto err;
+   process_lock();
+   close(p[0]);
+   process_unlock();
+   p[0] = -1;
+
+   if ((idmap = idmap_add_id(conf, geteuid())) == NULL) {
+   ERROR(Error adding

Re: [lxc-devel] [PATCH 1/1] lxcapi_destroy: run in a namespace if we are unprivileged

2013-11-22 Thread Serge Hallyn
Quoting Serge Hallyn (serge.hal...@ubuntu.com):
 This is necessary to have the rights to remove files owned by our subuids.
 
 Also fix up a wrong return value from lxc_rmdir_onedev().  It's
 expected to return -1 on error, not 1.

Eh, hold on, let me fix up all the callers.  I made a mess.



[lxc-devel] [PATCH v2] lxcapi_destroy: run in a namespace if we are unprivileged

2013-11-22 Thread Serge Hallyn
This is necessary to have the rights to remove files owned by our subuids.

Also update lxc_rmdir_onedev to return 0 on success, -1 on failure.
Callers were not consistent in using it correctly, and this is more
in keeping with the rest of our code.

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/bdev.c |   2 +-
 src/lxc/conf.c | 155 -
 src/lxc/conf.h |   3 +
 src/lxc/lxc_destroy.c  |   7 ---
 src/lxc/lxccontainer.c |  28 ++---
 src/lxc/utils.c|  10 ++--
 6 files changed, 182 insertions(+), 23 deletions(-)

diff --git a/src/lxc/bdev.c b/src/lxc/bdev.c
index 6acd29a..03fecfb 100644
--- a/src/lxc/bdev.c
+++ b/src/lxc/bdev.c
@@ -450,7 +450,7 @@ static int dir_clonepaths(struct bdev *orig, struct bdev 
*new, const char *oldna
 
 static int dir_destroy(struct bdev *orig)
 {
-   if (!lxc_rmdir_onedev(orig-src))
+   if (lxc_rmdir_onedev(orig-src)  0)
return -1;
return 0;
 }
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index c8809d2..4b786b1 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -75,6 +75,7 @@
 #include bdev.h
 #include cgroup.h
 #include lxclock.h
+#include namespace.h
 #include lsm/lsm.h
 
 #if HAVE_SYS_CAPABILITY_H
@@ -3810,11 +3811,10 @@ int lxc_clear_config_caps(struct lxc_conf *c)
return 0;
 }
 
-int lxc_clear_idmaps(struct lxc_conf *c)
-{
+int lxc_free_idmap(struct lxc_list *id_map) {
struct lxc_list *it, *next;
 
-   lxc_list_for_each_safe(it, c-id_map, next) {
+   lxc_list_for_each_safe(it, id_map, next) {
lxc_list_del(it);
free(it-elem);
free(it);
@@ -3822,6 +3822,11 @@ int lxc_clear_idmaps(struct lxc_conf *c)
return 0;
 }
 
+int lxc_clear_idmaps(struct lxc_conf *c)
+{
+   return lxc_free_idmap(c-id_map);
+}
+
 int lxc_clear_config_keepcaps(struct lxc_conf *c)
 {
struct lxc_list *it,*next;
@@ -3941,3 +3946,147 @@ void lxc_conf_free(struct lxc_conf *conf)
lxc_clear_idmaps(conf);
free(conf);
 }
+
+struct userns_fn_data {
+   int (*fn)(void *);
+   void *arg;
+   int p[2];
+};
+
+static int run_userns_fn(void *data)
+{
+   struct userns_fn_data *d = data;
+   char c;
+   // we're not sharing with the parent any more, if it was a thread
+
+   close(d-p[1]);
+   if (read(d-p[0], c, 1) != 1)
+   return -1;
+   close(d-p[0]);
+   return d-fn(d-arg);
+}
+
+/*
+ * Add a ID_TYPE_UID entry to an existing lxc_conf, if it is not
+ * alread there.
+ * We may want to generalize this to do gids as well as uids, but right now
+ * it's not necessary.
+ */
+static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid)
+{
+   int hostid_mapped = mapped_hostid(uid, conf);
+   struct lxc_list *new = NULL, *tmp, *it, *next;
+   struct id_map *entry;
+
+   if (hostid_mapped  0) {
+   hostid_mapped = find_unmapped_nsuid(conf);
+   if (hostid_mapped  0) {
+   ERROR(Could not find free uid to map);
+   return NULL;
+   }
+   new = malloc(sizeof(*new));
+   if (!new) {
+   ERROR(Out of memory building id map);
+   return NULL;
+   }
+   entry = malloc(sizeof(*entry));
+   if (!entry) {
+   free(new);
+   ERROR(Out of memory building idmap entry);
+   return NULL;
+   }
+   new-elem = entry;
+   entry-idtype = ID_TYPE_UID;
+   entry-nsid = hostid_mapped;
+   entry-hostid = (unsigned long)uid;
+   entry-range = 1;
+   lxc_list_init(new);
+   }
+   lxc_list_for_each_safe(it, conf-id_map, next) {
+   tmp = malloc(sizeof(*tmp));
+   if (!tmp)
+   goto err;
+   entry = malloc(sizeof(*entry));
+   if (!entry) {
+   free(tmp);
+   goto err;
+   }
+   memset(entry, 0, sizeof(*entry));
+   memcpy(entry, it-elem, sizeof(*entry));
+   tmp-elem = entry;
+   if (!new) {
+   new = tmp;
+   lxc_list_init(new);
+   } else
+   lxc_list_add_tail(new, tmp);
+   }
+
+   return new;
+
+err:
+   ERROR(Out of memory building a new uid map);
+   lxc_free_idmap(new);
+   return NULL;
+}
+
+/*
+ * Run a function in a new user namespace.
+ * The caller's euid will be mapped in if it is not already.
+ */
+int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data)
+{
+   int ret, pid;
+   struct userns_fn_data d;
+   char c = '1';
+   int p[2];
+   struct lxc_list *idmap;
+
+   process_lock();
+   ret = pipe(p

[lxc-devel] [PATCH 1/1] don't fail lxc-init if we couldn't mount proc

2013-11-22 Thread Serge Hallyn
In general proc gets mounted ahead of time, so init shouldn't
have to do it.  Without this patch, you cannot

lxc-execute -n x1 -s lxc.cap.drop=sys_admin /bin/bash

(See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1253669 for
a bug about this)

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/lxc_init.c | 3 +--
 src/lxc/utils.c| 8 +++-
 src/lxc/utils.h| 2 +-
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c
index 69ae3d8..968c25d 100644
--- a/src/lxc/lxc_init.c
+++ b/src/lxc/lxc_init.c
@@ -154,8 +154,7 @@ int main(int argc, char *argv[])
sigaction(i, act, NULL);
}
 
-   if (lxc_setup_fs())
-   exit(EXIT_FAILURE);
+   lxc_setup_fs();
 
if (lxc_caps_reset())
exit(EXIT_FAILURE);
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index e80a782..5bfe9db 100644
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -150,10 +150,10 @@ static int mount_fs(const char *source, const char 
*target, const char *type)
return 0;
 }
 
-extern int lxc_setup_fs(void)
+extern void lxc_setup_fs(void)
 {
if (mount_fs(proc, /proc, proc))
-   return -1;
+   INFO(failed to remount proc);
 
/* if we can't mount /dev/shm, continue anyway */
if (mount_fs(shmfs, /dev/shm, tmpfs))
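Review bot: A failed /proc mount is now reported with `INFO(...)` and lxc_setup_fs carries on; since main() in lxc_init.c (hunk above) no longer checks anything, a container whose /proc is neither pre-mounted nor mountable runs with no /proc at all and the only trace is an INFO-level line. Given the rationale that /proc is normally mounted ahead of time, that is still worth a WARN, and the existing text says "remount" although the call performs a plain mount: `WARN("failed to mount proc, continuing without it");`. The prototype change in utils.h (`extern void lxc_setup_fs(void);`, hunk at L3740-L3748) should carry the new contract, e.g. `/* best-effort: mount failures are logged and otherwise ignored */`. lxc_setup_fs continues into the next hunk.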
@@ -163,14 +163,12 @@ extern int lxc_setup_fs(void)
/* Sure, but it's read-only per config :) */
if (access(/dev/mqueue, F_OK)  mkdir(/dev/mqueue, 0666)) {
DEBUG(failed to create '/dev/mqueue');
-   return 0;
+   return;
}
 
/* continue even without posix message queue support */
if (mount_fs(mqueue, /dev/mqueue, mqueue))
INFO(failed to mount /dev/mqueue);
-
-   return 0;
 }
 
 /* borrowed from iproute2 */
diff --git a/src/lxc/utils.h b/src/lxc/utils.h
index 9c47560..714e74c 100644
--- a/src/lxc/utils.h
+++ b/src/lxc/utils.h
@@ -34,7 +34,7 @@
 
 /* returns 1 on success, 0 if there were any failures */
 extern int lxc_rmdir_onedev(char *path);
-extern int lxc_setup_fs(void);
+extern void lxc_setup_fs(void);
 extern int get_u16(unsigned short *val, const char *arg, int base);
 extern int mkdir_p(const char *dir, mode_t mode);
 extern void remove_trailing_slashes(char *p);
-- 
1.8.3.2




[lxc-devel] [PATCH 1/1] lxc-user-nic: use common code from network.c

2013-11-22 Thread Serge Hallyn
This pulls a lot of common code out of lxc_user_nic.c.  It also
moves one function from conf.c that was duplicated in lxc_user_nic.c
(It removes a DEBUG statement because (a) it doesn't seem actually
useful and (b) DEBUG doesn't work in network.c).

Also replace the old test of only parsing code with a skeleton for
a full test.  (Note - the test will need some work, it's just there
as do-what-i-mean code example)

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/Makefile.am|   2 +-
 src/lxc/conf.c |  41 -
 src/lxc/lxc_user_nic.c | 403 +
 src/lxc/network.c  |  45 -
 src/lxc/network.h  |   4 +
 src/tests/Makefile.am  |   4 +-
 src/tests/lxc-test-usernic | 126 +++---
 7 files changed, 156 insertions(+), 469 deletions(-)

diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index bcb644e..6534381 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -222,7 +222,7 @@ lxc_kill_SOURCES = lxc_kill.c
 lxc_create_SOURCES = lxc_create.c
 lxc_snapshot_SOURCES = lxc_snapshot.c
 lxc_usernsexec_SOURCES = lxc_usernsexec.c
-lxc_user_nic_SOURCES = lxc_user_nic.c
+lxc_user_nic_SOURCES = lxc_user_nic.c network.c network.h
 
 install-exec-local: install-soPROGRAMS
mkdir -p $(DESTDIR)$(datadir)/lxc
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 4b786b1..860fc5b 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2583,47 +2583,6 @@ void lxc_rename_phys_nics_on_shutdown(struct lxc_conf 
*conf)
free(conf-saved_nics);
 }
 
-static int setup_private_host_hw_addr(char *veth1)
-{
-   struct ifreq ifr;
-   int err;
-   int sockfd;
-
-   process_lock();
-   sockfd = socket(AF_INET, SOCK_DGRAM, 0);
-   process_unlock();
-   if (sockfd  0)
-   return -errno;
-
-   snprintf((char *)ifr.ifr_name, IFNAMSIZ, %s, veth1);
-   err = ioctl(sockfd, SIOCGIFHWADDR, ifr);
-   if (err  0) {
-   process_lock();
-   close(sockfd);
-   process_unlock();
-   return -errno;
-   }
-
-   ifr.ifr_hwaddr.sa_data[0] = 0xfe;
-   err = ioctl(sockfd, SIOCSIFHWADDR, ifr);
-   process_lock();
-   close(sockfd);
-   process_unlock();
-   if (err  0)
-   return -errno;
-
-   DEBUG(mac address of host interface '%s' changed to private 
- %02x:%02x:%02x:%02x:%02x:%02x, veth1,
- ifr.ifr_hwaddr.sa_data[0]  0xff,
- ifr.ifr_hwaddr.sa_data[1]  0xff,
- ifr.ifr_hwaddr.sa_data[2]  0xff,
- ifr.ifr_hwaddr.sa_data[3]  0xff,
- ifr.ifr_hwaddr.sa_data[4]  0xff,
- ifr.ifr_hwaddr.sa_data[5]  0xff);
-
-   return 0;
-}
-
 static char *default_rootfs_mount = LXCROOTFSMOUNT;
 
 struct lxc_conf *lxc_conf_init(void)
diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index 952fe14..af1e944 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -45,51 +45,9 @@
 #include linux/rtnetlink.h
 #include linux/sockios.h
 #include sys/param.h
-#include sched.h
 #include config.h
 #include utils.h
-
-#if ISTEST
-#define CONF_FILE /tmp/lxc-usernet
-#define DB_FILE /tmp/nics
-#else
-#define CONF_FILE LXC_USERNIC_CONF
-#define DB_FILE LXC_USERNIC_DB
-#endif
-
-#include nl.h
-
-#ifndef IFLA_LINKMODE
-#  define IFLA_LINKMODE 17
-#endif
-
-#ifndef IFLA_LINKINFO
-#  define IFLA_LINKINFO 18
-#endif
-
-#ifndef IFLA_NET_NS_PID
-#  define IFLA_NET_NS_PID 19
-#endif
-
-#ifndef IFLA_INFO_KIND
-# define IFLA_INFO_KIND 1
-#endif
-
-#ifndef IFLA_VLAN_ID
-# define IFLA_VLAN_ID 1
-#endif
-
-#ifndef IFLA_INFO_DATA
-#  define IFLA_INFO_DATA 2
-#endif
-
-#ifndef VETH_INFO_PEER
-# define VETH_INFO_PEER 1
-#endif
-
-#ifndef IFLA_MACVLAN_MODE
-# define IFLA_MACVLAN_MODE 1
-#endif
+#include network.h
 
 void usage(char *me, bool fail)
 {
@@ -146,14 +104,14 @@ static char *get_username(void)
  */
 static int get_alloted(char *me, char *intype, char *link)
 {
-   FILE *fin = fopen(CONF_FILE, r);
+   FILE *fin = fopen(LXC_USERNIC_CONF, r);
char *line = NULL;
char user[100], type[100], br[100];
size_t len = 0;
int n = -1, ret;
 
if (!fin) {
-   fprintf(stderr, Failed to open %s: %s\n, CONF_FILE,
+   fprintf(stderr, Failed to open %s: %s\n, LXC_USERNIC_CONF,
strerror(errno));
return -1;
}
@@ -229,11 +187,7 @@ static bool nic_exists(char *nic)
int ret;
struct stat sb;
 
-#if ISTEST
-   ret = snprintf(path, MAXPATHLEN, /tmp/lxcnettest/%s, nic);
-#else
ret = snprintf(path, MAXPATHLEN, /sys/class/net/%s, nic);
-#endif
if (ret  0 || ret = MAXPATHLEN) // should never happen!
return true;
ret = stat(path, sb);
@@ -242,198 +196,6 @@ static bool nic_exists(char *nic)
return true;
 }
 
-struct link_req {
-   struct nlmsg nlmsg;
-   struct ifinfomsg

[lxc-devel] [PATCH 1/1] lxc-user-nic: dont risk passing EOF

2013-11-22 Thread Serge Hallyn
Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/lxc_user_nic.c | 26 +-
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index af1e944..a4ae907 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -137,16 +137,16 @@ static int get_alloted(char *me, char *intype, char *link)
return -1;
 }
 
-static char *get_eol(char *s)
+static char *get_eol(char *s, char *e)
 {
-   while (*s  *s != '\n')
+   while (se  *s  *s != '\n')
s++;
return s;
 }
 
-static char *get_eow(char *s)
+static char *get_eow(char *s, char *e)
 {
-   while (*s  !isblank(*s)  *s != '\n')
+   while (se  *s  !isblank(*s)  *s != '\n')
s++;
return s;
 }
@@ -155,22 +155,22 @@ static char *find_line(char *p, char *e, char *u, char 
*t, char *l)
 {
char *p1, *p2, *ret;

-   while (p  e   (p1 = get_eol(p))  e) {
+   while (pe   (p1 = get_eol(p, e))  e) {
ret = p;
if (*p == '#')
goto next;
-   while (isblank(*p)) p++;
-   p2 = get_eow(p);
+   while (pe  isblank(*p)) p++;
+   p2 = get_eow(p, e);
if (!p2 || p2-p != strlen(u) || strncmp(p, u, strlen(u)) != 0)
goto next;
p = p2+1;
-   while (isblank(*p)) p++;
-   p2 = get_eow(p);
+   while (pe  isblank(*p)) p++;
+   p2 = get_eow(p, e);
if (!p2 || p2-p != strlen(t) || strncmp(p, t, strlen(t)) != 0)
goto next;
p = p2+1;
-   while (isblank(*p)) p++;
-   p2 = get_eow(p);
+   while (pe  isblank(*p)) p++;
+   p2 = get_eow(p, e);
if (!p2 || p2-p != strlen(l) || strncmp(p, l, strlen(l)) != 0)
goto next;
return ret;
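Review bot: After each `p2 = get_eow(p, e)` the code does `p = p2+1;` without first checking `p2 < e`; when a matched word ends exactly at the buffer end this forms a pointer beyond `e` (undefined if `e` is already one past the mapped buffer) and the following `while (p<e ...)` relies on that comparison being meaningful. Adding `if (p2 >= e) goto next;` before each of the three `p = p2+1;` lines keeps every pointer within [p, e]. The `!p2` tests are dead, since get_eow (and get_eol) always return a pointer, and can be dropped. find_line's `next:` label and the rest of its body are outside the hunk.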
@@ -329,7 +329,7 @@ static bool cull_entries(int fd, char *me, char *t, char 
*br)
}
entry_lines = newe;
entry_lines[n].start = p;
-   entry_lines[n].len = get_eol(p) - entry_lines[n].start;
+   entry_lines[n].len = get_eol(p, e) - entry_lines[n].start;
entry_lines[n].keep = true;
n++;
if (!get_nic_from_line(p, nic))
@@ -362,7 +362,7 @@ static int count_entries(char *buf, off_t len, char *me, 
char *t, char *br)
int count = 0;
while ((buf = find_line(buf, e, me, t, br)) != NULL) {
count++;
-   buf = get_eol(buf)+1;
+   buf = get_eol(buf, e)+1;
if (buf = e)
break;
}
-- 
1.8.4.3




[lxc-devel] [PATCH 1/1] lxcapi_clone: set the right environment variable for mounted fs

2013-11-21 Thread Serge Hallyn
If the container is dir-backed, we don't actually mount it (to
support unprivileged use).  So always set the LXC_ROOTFS_MOUNT
to bdev-dest, not to the rootfs path specified in the container
configuration.

This should fix bug http://pad.lv/1253573

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/lxccontainer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 11e70cb..c1f99d5 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -2399,7 +2399,7 @@ static int clone_update_rootfs(struct lxc_container *c0,
if (setenv(LXC_CONFIG_FILE, conf-rcfile, 1)) {
SYSERROR(failed to set environment variable for config 
path);
}
-   if (setenv(LXC_ROOTFS_MOUNT, conf-rootfs.mount, 1)) {
+   if (setenv(LXC_ROOTFS_MOUNT, bdev-dest, 1)) {
SYSERROR(failed to set environment variable for rootfs 
mount);
}
if (setenv(LXC_ROOTFS_PATH, conf-rootfs.path, 1)) {
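Review bot: A failed `setenv("LXC_ROOTFS_MOUNT", bdev->dest, 1)` is only logged with SYSERROR and execution continues, so whatever consumes these variables (presumably the clone hooks) would run with an unset or stale LXC_ROOTFS_MOUNT; the neighbouring LXC_CONFIG_FILE and LXC_ROOTFS_PATH blocks have the same shape. Returning an error from each block, `return -1;` after the SYSERROR, would stop the clone before a hook acts on the wrong tree. If `bdev->dest` can be NULL for some backing stores, it should be guarded first, since passing a NULL value to setenv(3) is not portable. clone_update_rootfs continues outside the hunk.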
-- 
1.8.3.2




Re: [lxc-devel] [PATCH 2/2] Support files for systemd on Fedora.

2013-11-21 Thread Serge Hallyn
Thanks, Michael.  I'll go ahead and apply the patch.

-serge

Quoting Michael H. Warfield (m...@wittsend.com):
 On Wed, 2013-11-20 at 23:12 -0500, Michael H. Warfield wrote: 
  On Wed, 2013-11-20 at 21:39 -0600, Serge Hallyn wrote: 
   Quoting Michael H. Warfield (m...@wittsend.com):
Added a file lxc.service for a systemd service file.

Added a file lxc-devsetup to set up /dev/ on startup to support autodev
in containers.

Service file references lxc-devsetup as an ExecStartPre command.  The
lxc-devsetup script is not dependent on systemd or Fedora and can
be used at bootup on any system.

Modified lxc.spec.in to install the two new files on Fedora.  The 
systemd
specific code in the lxc.spec file may need some review and 
conditionalize
for systemd on non-systemd rpm-based systems.
  
   Will systemd care that the lxc-startup specified in ExecStart and
   ExecStop doesn't exist?
 
  Not that I know of.  And if it does, it's easy enough to stub off.  But
  that would be good to test.
 
 Let me qualify that a little bit.  I realized my first answer was a bit
 short.
 
 If the ExecStart command does not exist, systemd will complain that the
 service failed if you try and start the service.  But, the service is
 not enabled but default and, even if it was, has no fatal impact on
 the over all systemd operation.  The logs will inform the user the
 startup command doesn't exist.  No harm no foul and no negative impact.
 
 So, if this is installed, as is, on a target system, it has no impact at
 all on anything until one of the two commands are run...
 
 systemctl start lxc.service
 
 and/or
 
 systemctl enable lxc.service
 
 In the case of the former, it will say the service failed and that the
 ExecStart command does not exist.  No harm done and it informs the admin
 where he need to plug in his startup script.
 
 In the case of the later, rebooting the system will attempt to start
 lxc.service at boot time and fail but the failure will be informative
 and will not disrupt the boot process.  Recurse back to case 1.
 
 Both of these cases are where I want to be right now.  Once Stéphane has
 his pieces ready, we can glue them together with that ExecStart shim.
 ITMT, it gives us the framework on Fedora for setting up systemd and lxc
 to cooperate and others (such as myself) can use their own ExecStart
 scripts until these other pieces are ready.
 
 Regards,
 Mike
 
---
 lxc.spec.in  |  8 
 src/lxc/lxc-devsetup | 26 ++
 src/lxc/lxc.service  | 18 ++
 3 files changed, 52 insertions(+)
 create mode 100755 src/lxc/lxc-devsetup
 create mode 100644 src/lxc/lxc.service

diff --git a/lxc.spec.in b/lxc.spec.in
index a6c96a2..3ef5881 100644
--- a/lxc.spec.in
+++ b/lxc.spec.in
@@ -102,6 +102,11 @@ rm -rf %{buildroot}
 make install DESTDIR=%{buildroot}
 find %{buildroot} -type f -name '*.la' -exec rm -f {} ';'
 
+# Install some of our systemd stuff...
+install -d -m 755 %{buildroot}/lib/systemd/system
+install -c -m 644 src/lxc/lxc.service %{buildroot}/lib/systemd/system
+install -c -m 755 src/lxc/lxc-devsetup 
%{buildroot}/%{_libexecdir}/%{name}
+
 %clean
 rm -rf %{buildroot}
 
@@ -131,6 +136,8 @@ rm -rf %{buildroot}
 %{_datadir}/lxc/*
 %config(noreplace) %{_sysconfdir}/lxc/*
 
+/lib/systemd/system/*
+
 %files libs
 %defattr(-,root,root)
 %{_libdir}/*.so.*
@@ -140,6 +147,7 @@ rm -rf %{buildroot}
 %endif
 %{_localstatedir}/*
 %attr(4555,root,root) %{_libexecdir}/%{name}/lxc-init
+%attr(555,root,root) %{_libexecdir}/%{name}/lxc-devsetup
 
 %if %{with_lua}
 %files lua
diff --git a/src/lxc/lxc-devsetup b/src/lxc/lxc-devsetup
new file mode 100755
index 000..583a001
--- /dev/null
+++ b/src/lxc/lxc-devsetup
@@ -0,0 +1,26 @@
+#!/bin/sh -
+
+# lxc.devsetup - Setup host /dev for container /dev subdirectories.
+
+if [[ ! -d /dev/.lxc ]]
+then
+echo Creating /dev/.lxc
+mkdir /dev/.lxc
+chmod 755 /dev/.lxc
+fi
+
+if grep -q /dev devtmpfs  /proc/self/mounts
+then
+echo /dev is devtmpfs
+else
+echo /dev is not devtmpfs - mounting tmpfs on .lxc
+mount -t tmpfs tmpfs /dev/.lxc
+fi
+
+if [[ ! -d /dev/.lxc/user ]]
+then
+echo Creating /dev/.lxc/user
+mkdir /dev/.lxc/user
+chmod 1777 /dev/.lxc/user
+fi
+
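Review bot: `chmod 1777 /dev/.lxc/user` creates a world-writable directory in which, per the companion 1/2 patch, each unprivileged container's /dev lives under `${name}.$(hash $lxcpath/$name)` — an FNV hash of a path any local user can compute — so another user can pre-create that entry and end up owning the directory that a different user's container later receives as its /dev; the sticky bit blocks deletion, not squatting. Unless the consuming code (not visible in this patch) refuses an existing entry it does not own, a per-uid subdirectory created by the privileged helper, or an ownership/mode check before the bind mount, would close this. Separately, `#!/bin/sh -` with `[[ ... ]]` is a bashism that breaks under dash; the two tests should read `if [ ! -d /dev/.lxc ]` and `if [ ! -d /dev/.lxc/user ]`.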
diff --git a/src/lxc/lxc.service b/src/lxc/lxc.service
new file mode 100644
index 000..d3d3238
--- /dev/null
+++ b/src/lxc/lxc.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=LXC Container Initialization and Autoboot Code
+After=syslog.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStartPre=/usr/libexec/lxc/lxc-devsetup
+ExecStart

[lxc-devel] [PATCH 1/1] remove HAVE_NEWUIDMAP and NEWUIDMAP

2013-11-21 Thread Serge Hallyn
Always build lxc-usernsexec.  Else we require having uidmap
installed on the build host for no good reason.  And we never
actually used the NEWUIDMAP path we detected.

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 configure.ac|  4 
 src/lxc/Makefile.am | 11 ++-
 2 files changed, 2 insertions(+), 13 deletions(-)

diff --git a/configure.ac b/configure.ac
index e85e558..5091d69 100644
--- a/configure.ac
+++ b/configure.ac
@@ -64,10 +64,6 @@ AC_MSG_RESULT([$with_distro])
 AM_CONDITIONAL([HAVE_DEBIAN], [test x$with_distro = xdebian -o 
x$with_distro = xubuntu])
 AM_CONDITIONAL([DISTRO_UBUNTU], [test x$with_distro = xubuntu])
 
-# Detect the newuidmap tool (required for userns)
-AC_CHECK_PROG([NEWUIDMAP], [newuidmap], [newuidmap])
-AM_CONDITIONAL([HAVE_NEWUIDMAP], [test -n $NEWUIDMAP])
-
 # Allow disabling rpath
 AC_ARG_ENABLE([rpath],
[AC_HELP_STRING([--disable-rpath], [do not set rpath in executables])],
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index 8baf169..59f3810 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -124,10 +124,6 @@ if ENABLE_SELINUX
 AM_CFLAGS += -DHAVE_SELINUX
 endif
 
-if HAVE_NEWUIDMAP
-AM_CFLAGS += -DHAVE_NEWUIDMAP
-endif
-
 if USE_CONFIGPATH_LOGS
 AM_CFLAGS += -DUSE_CONFIGPATH_LOGS
 endif
@@ -190,11 +186,8 @@ bin_PROGRAMS = \
lxc-destroy \
lxc-create \
lxc-user-nic \
-   lxc-snapshot
-
-if HAVE_NEWUIDMAP
-bin_PROGRAMS += lxc-usernsexec
-endif
+   lxc-snapshot \
+   lxc-usernsexec
 
 pkglibexec_PROGRAMS = \
lxc-init
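Review bot: building lxc-usernsexec unconditionally moves the `newuidmap`/`newgidmap` requirement from build time to run time without anything replacing the check, so the binary will now be shipped on hosts where the uidmap package is absent and, presumably, fail only when a user first tries it. The commit message says the detected path was never used, so dropping the configure probe is right, but packaging (lxc.spec.in, debian/control) should gain a runtime Recommends/Requires on uidmap, and lxc-usernsexec should report a clear error when exec of newuidmap fails — I cannot see its error handling from this hunk, so treat that as a point to confirm.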
-- 
1.8.4.3




Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Serge Hallyn
Quoting Nikola Kotur (kotn...@gmail.com):
 On Tue, 19 Nov 2013 15:48:36 -0600
 Serge Hallyn serge.hal...@ubuntu.com wrote:
 
  Quoting Nikola Kotur (kotn...@gmail.com):
   There are scenarios in which we want to execute process with
   specific privileges elevated.
 
  thanks for submitting this patch.  No objection overall, however
  there are a few existing places where elevated_privileges is set to 1
  which you are not updating.
 
 Thanks for the review and for catching this. I will update the patch
 and resend it (along with a signed-off-by).
 
  I also notice that currently it seems broken as the manpage says that
  -R should imply -e, but i don't see where that is enforced any more.
 
 Actually, it's not -R that implies -e, it's the -s option (specifying
 which namespaces to attach to).

Well huh.  I was sure I saw a comment about -R implying -e, but I
don't see it now, so that's fine :)

 And if you have a bit of time I'd appreciate if you could explain why
 should we elevate privileges for attaching to specific namespace? Seems
 to me that it is unrelated, since I should be able to enter NETWORK ns

TBH I'm not sure.  It was like that since the start of the -s feature,
which is commit e13eeea2db3743bf8d3fe2833e069a80e2c4102c, but I don't
see the rationale for it in the git history or mailing list.  Christian?

 while not elevating cgroup, for example?

I haven't thought it through, but I could imagine it being a problem if
attach tries to enter you into the container's LSM domain while you're
only in its ipc namespace.  You might not (with a strict selinux policy)
be able to read any host files, and therefore execute anything.  But I
suspect there's a simpler rationale.

-serge



Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Serge Hallyn
Quoting Christian Seiler (christ...@iwakd.de):
 Hi there,
 
  And if you have a bit of time I'd appreciate if you could explain why
  should we elevate privileges for attaching to specific namespace? 
  Seems
  to me that it is unrelated, since I should be able to enter NETWORK 
  ns
  while not elevating cgroup, for example?
 
 Since I added those options back in the day, a bit of a rationale:
 
 If I run lxc-attach without any further options, my expectation is that
 the process spawned sees nothing different compared to a process
 spawned from within the container. This is the case.
 
 Now if I specify that I only want to attach to the network namespace,
 then the spawned process is in a weird state: mount, pid, user, ipc and
 uts namespaces are all still those of the host, but the network
 namespace now is different. In some sense this already implies that the
 privileges of that process are 'elevated' compared to the privileges of
 a process in the container - it has access to the host in the other
 namespaces. For this reason, moving that process into the cgroup,
 dropping capabilities and loading the corresponding LSM context seem
 out of place, for this reason, I made -s imply -e.
 
 However, with your patch (which makes sense since my rewrite of the
 API), I think one could give the user the option of not elevating the
 other privileges. And while I do think that because of the above
 rationale having elevation being the default state when using -s, what
 do you think of the following proposal?
 
   - default = all privs dropped
   - only -s specified = no privs dropped
   - -e specified without argument = no privs dropped
   - -e NONE specified (regardless of -s) = all privs dropped
   - -e ALL specified (regardless of -s) = no privs dropped
   - -e A|B|C specified (regardless of -s) = A, B and C privs elevated,
  the rest dropped
 
 What do you (and Stephane and Serge) think?

Sounds good.

Thanks,
-serge



Re: [lxc-devel] [PATCH] lxc-attach: elevate specific privileges

2013-11-20 Thread Serge Hallyn
Quoting Christian Seiler (christ...@iwakd.de):
 Hi,
 
 assuming this compiles and does the right thing at runtime (I haven't
 had time to test it, but from reading the source it looks fine) and
 as discussed in this thread you will slightly improve it later:
 
 Am 20.11.2013 15:07, schrieb Nikola Kotur:
  There are scenarios in which we want to execute process with specific
  privileges elevated.
 
  An example for this might be executing a process inside the container
  securely, with capabilities dropped, but not in container's cgroup so
  that we can have per process restrictions inside single container.
 
  Similar to namespaces, privileges to be elevated can be OR'd:
 
  lxc-attach --elevated-privileges='CAP|CGROUP' ...
 
  Backward compatibility with previous versions is retained. In case no
  privileges are specified behaviour is the same as before: all of them
  are elevated.
 
  Signed-off-by: Nikola Kotur kotn...@gmail.com
 
 Acked-By: Christian Seiler christ...@iwakd.de

Thanks, guys, applied.



Re: [lxc-devel] [PATCH 1/2] Setup devtmpfs and /dev for autodev bind mounts.

2013-11-20 Thread Serge Hallyn
Quoting Michael H. Warfield (m...@wittsend.com):
 On Tue, 2013-11-19 at 14:53 -0600, Serge Hallyn wrote: 
  Quoting Michael H. Warfield (m...@wittsend.com):
   If autodev is not specifically set to 0 or 1, attempts to determine if
   systemd is being utilized and forces autodev=1 to prevent host system
   conflicts and collisions.
   
   If autodev is enabled and the host /dev is mounted with devtmpfs
   or /dev/.lxc is mounted with another file system...
   
   Each container created by a privileged user gets a /dev directory
   mapped off the host /dev here:
   
 /dev/.lxc/${name}.$( hash $lxcpath/$name )
   
   Each container created by a non-privileged user gets a /dev/directory
   mapped off the host /dev here:
   
 /dev/.lxc/user/${name}.$( hash $lxcpath/$name )
   
   The /dev/.lxc/user is mode 1777 to allow unpriv access.
   
   The /dev/.lxc/{containerdev} is bind mounted into the container /dev.
   
   Fallback on failure is to mount tmpfs into the container /dev.
   
   A symlink is created from $lxcpath/$name/rootfs.dev back to the /dev
   relative directory to provide a code-consistent reference for updating
   container devs.
  
  Hi Michael,
  
  I haven't run it, but looking over the code in detail, it looks good
  to me.  I know Stéphane in the past has objected to trying to autodetect
  systemd based containers.  IMO it'd be fine to expect the templates to
  set lxc.autodev, as I worry about building distro-detecting hacks into
  core lxc, but unless Stéphane objects I don't care enough in this case
  to nack it.
 
  Did you consider this patch good enough to apply, or was this still an
  RFC?  I'm happy either way.
 
 I do consider it ready, which is why I, belatedly, signed off on it.

Hi Stéphane,

Please let me know if you're ok with the check_autodev() below.

-serge

 
  Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com
 
 Regards,
 Mike
 
  
   ---
src/lxc/conf.c  | 369 
   ++--
src/lxc/conf.h  |   4 +-
src/lxc/start.c |   2 +-
3 files changed, 363 insertions(+), 12 deletions(-)
   
   diff --git a/src/lxc/conf.c b/src/lxc/conf.c
   index a756731..d17cb2a 100644
   --- a/src/lxc/conf.c
   +++ b/src/lxc/conf.c
   @@ -29,6 +29,7 @@
#include string.h
#include dirent.h
#include unistd.h
   +#include inttypes.h
#include sys/wait.h
#include sys/syscall.h
#include time.h
   @@ -1164,20 +1165,275 @@ static int setup_rootfs_pivot_root(const char 
   *rootfs, const char *pivotdir)
 return 0;
}

   +
   +/*
   + * Note: This is a verbatum copy of what is in monitor.c.  We're just
   + * usint it here to generate a safe subdirectory in /dev/ for the
   + * containers /dev/
   + */
   +
   +/* Note we don't use SHA-1 here as we don't want to depend on 
   HAVE_GNUTLS.
   + * FNV has good anti collision properties and we're not worried
   + * about pre-image resistance or one-way-ness, we're just trying to make
   + * the name unique in the 108 bytes of space we have.
   + */
   +#define FNV1A_64_INIT ((uint64_t)0xcbf29ce484222325ULL)
   +static uint64_t fnv_64a_buf(void *buf, size_t len, uint64_t hval)
   +{
   + unsigned char *bp;
   +
   + for(bp = buf; bp  (unsigned char *)buf + len; bp++)
   + {
   + /* xor the bottom with the current octet */
   + hval ^= (uint64_t)*bp;
   +
   + /* gcc optimised:
   +  * multiply by the 64 bit FNV magic prime mod 2^64
   +  */
   + hval += (hval  1) + (hval  4) + (hval  5) +
   + (hval  7) + (hval  8) + (hval  40);
   + }
   +
   + return hval;
   +}
   +
   +/*
   + * Check to see if a directory has something mounted on it and,
   + * if it does, return the fstype.
   + *
   + * Code largely based on detect_shared_rootfs below
   + *
   + * Returns: # of matching entries in /proc/self/mounts
   + *   if != 0 fstype is filled with the last filesystem value.
   + *   if == 0 no matches found, fstype unchanged.
   + *
   + * ToDo: Maybe return the mount options in another parameter...
   + */
   +
   +#define LINELEN 4096
   +#define MAX_FSTYPE_LEN 128
   +int mount_check_fs( const char *dir, char *fstype )
   +{
   + char buf[LINELEN], *p;
   + struct stat s;
   + FILE *f;
   + int found_fs = 0;
   + char *p2;
   +
   + DEBUG(entering mount_check_fs for %s\n, dir);
   +
   + if ( 0 != access(dir, F_OK) || 0 != stat(dir, s) || 0 == 
   S_ISDIR(s.st_mode) ) {
   + return 0;
   + }
   +
   + process_lock();
   + f = fopen(/proc/self/mounts, r);
   + process_unlock();
   + if (!f)
   + return 0;
   + while ((p = fgets(buf, LINELEN, f))) {
   + p = index(buf, ' ');
   + if( !p )
   + continue;
   + *p = '\0';
   + p2 = p + 1;
   +
   + p = index(p2, ' ');
   + if( !p )
   + continue;
   + *p = '\0';
   +
   + /* Compare the directory in the entry to desired

Re: [lxc-devel] [PATCH 2/2] Support files for systemd on Fedora.

2013-11-20 Thread Serge Hallyn
Quoting Michael H. Warfield (m...@wittsend.com):
 Added a file lxc.service for a systemd service file.
 
 Added a file lxc-devsetup to setup /dev/ on startup to support autodev
 in containers.
 
 Service file references lxc-devsetup as an ExecStartPre command.  The
 lxc-devsetup script is not dependent on systemd or Fedora and can
 be used at bootup on any system.
 
 Modified lxc.spec.in to install the two new files on Fedora.  The systemd
 specific code in the lxc.spec file may need some review and conditionalizing
 for systemd on non-systemd rpm-based systems.

Will systemd care that the lxc-startup specified in ExecStart and
ExecStop doesn't exist?

 ---
  lxc.spec.in  |  8 
  src/lxc/lxc-devsetup | 26 ++
  src/lxc/lxc.service  | 18 ++
  3 files changed, 52 insertions(+)
  create mode 100755 src/lxc/lxc-devsetup
  create mode 100644 src/lxc/lxc.service
 
 diff --git a/lxc.spec.in b/lxc.spec.in
 index a6c96a2..3ef5881 100644
 --- a/lxc.spec.in
 +++ b/lxc.spec.in
 @@ -102,6 +102,11 @@ rm -rf %{buildroot}
  make install DESTDIR=%{buildroot}
  find %{buildroot} -type f -name '*.la' -exec rm -f {} ';'
  
 +# Install some of our systemd stuff...
 +install -d -m 755 %{buildroot}/lib/systemd/system
 +install -c -m 644 src/lxc/lxc.service %{buildroot}/lib/systemd/system
 +install -c -m 755 src/lxc/lxc-devsetup %{buildroot}/%{_libexecdir}/%{name}
 +
  %clean
  rm -rf %{buildroot}
  
 @@ -131,6 +136,8 @@ rm -rf %{buildroot}
  %{_datadir}/lxc/*
  %config(noreplace) %{_sysconfdir}/lxc/*
  
 +/lib/systemd/system/*
 +
  %files libs
  %defattr(-,root,root)
  %{_libdir}/*.so.*
 @@ -140,6 +147,7 @@ rm -rf %{buildroot}
  %endif
  %{_localstatedir}/*
  %attr(4555,root,root) %{_libexecdir}/%{name}/lxc-init
 +%attr(555,root,root) %{_libexecdir}/%{name}/lxc-devsetup
  
  %if %{with_lua}
  %files lua
 diff --git a/src/lxc/lxc-devsetup b/src/lxc/lxc-devsetup
 new file mode 100755
 index 000..583a001
 --- /dev/null
 +++ b/src/lxc/lxc-devsetup
 @@ -0,0 +1,26 @@
 +#!/bin/sh -
 +
 +# lxc.devsetup - Setup host /dev for container /dev subdirectories.
 +
 +if [[ ! -d /dev/.lxc ]]
 +then
 +echo Creating /dev/.lxc
 +mkdir /dev/.lxc
 +chmod 755 /dev/.lxc
 +fi
 +
 +if grep -q /dev devtmpfs  /proc/self/mounts
 +then
 +echo /dev is devtmpfs
 +else
 +echo /dev is not devtmpfs - mounting tmpfs on .lxc
 +mount -t tmpfs tmpfs /dev/.lxc
 +fi
 +
 +if [[ ! -d /dev/.lxc/user ]]
 +then
 +echo Creating /dev/.lxc/user
 +mkdir /dev/.lxc/user
 +chmod 1777 /dev/.lxc/user
 +fi
 +
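Review bot: `mount -t tmpfs tmpfs /dev/.lxc` runs on every service start whenever /dev is not devtmpfs, with no check that /dev/.lxc is already a mount point, so restarting the unit stacks a fresh empty tmpfs over the one that holds the live container /dev directories. Guard it with something like `if ! grep -q ' /dev/.lxc ' /proc/self/mounts; then mount -t tmpfs tmpfs /dev/.lxc; fi`, and add `set -e` at the top, since as written a failed mkdir or mount still lets ExecStartPre succeed and the service go on. The devtmpfs test on the `grep -q` line also reads as a bare pattern `/dev` with two file operands; the archive may have stripped quotes, so confirm the real file has `'/dev devtmpfs'` as one quoted pattern.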
 diff --git a/src/lxc/lxc.service b/src/lxc/lxc.service
 new file mode 100644
 index 000..d3d3238
 --- /dev/null
 +++ b/src/lxc/lxc.service
 @@ -0,0 +1,18 @@
 +[Unit]
 +Description=LXC Container Initialization and Autoboot Code
 +After=syslog.target
 +
 +[Service]
 +Type=oneshot
 +RemainAfterExit=yes
 +ExecStartPre=/usr/libexec/lxc/lxc-devsetup
 +ExecStart=/usr/libexec/lxc/lxc-startup start
 +ExecStop=/usr/libexec/lxc/lxc-startup stop
 +# Environment=BOOTUP=serial
 +# Environment=CONSOLETYPE=serial
 +StandardOutput=syslog
 +StandardError=syslog
 +
 +[Install]
 +WantedBy=multi-user.target
 +
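Review bot: `ExecStartPre=/usr/libexec/lxc/lxc-devsetup` hard-codes the path while the spec hunk installs the script under `%{_libexecdir}/%{name}`, so on any build where `_libexecdir` is not /usr/libexec the unit points at a file that does not exist and the service fails before ExecStart is reached. Generating the unit from an `lxc.service.in` with the configured libexec directory substituted at build time keeps the two in sync. `After=syslog.target` is a deprecated ordering target and can be dropped; if lxc-startup is meant to autoboot networked containers, `After=network.target` is the ordering it actually needs.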
 -- 
 1.8.3.1
 
 
 -- 
 Michael H. Warfield (AI4NB) | (770) 978-7061 |  m...@wittsend.com
/\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
NIC whois: MHW9  | An optimist believes we live in the best of all
  PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!
 







[lxc-devel] [PATCH 3/9] lxc_user_nic: report strerror(errno)

2013-11-19 Thread Serge Hallyn
From: Serge Hallyn serge.hal...@ubuntu.com

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/lxc_user_nic.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index da3ae74..8c73b55 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -633,7 +633,7 @@ bool cull_entries(int fd, char *me, char *t, char *br)
return true;
buf = mmap(NULL, len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (buf == MAP_FAILED) {
-   fprintf(stderr, Failed to create mapping: error %d\n, errno);
+   fprintf(stderr, Failed to create mapping: %s\n, 
strerror(errno));
return false;
}
 
@@ -718,7 +718,7 @@ bool get_nic_if_avail(int fd, char *me, int pid, char 
*intype, char *br, int all
fprintf(stderr, Failed to set new file size\n);
buf = mmap(NULL, len + slen, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (buf == MAP_FAILED) {
-   fprintf(stderr, Failed to create mapping after extending: 
error %d\n, errno);
+   fprintf(stderr, Failed to create mapping after extending: 
%s\n, strerror(errno));
if (lxc_netdev_delete_by_name(*nicname) != 0)
fprintf(stderr, Error unlinking %s!\n, *nicname);
return false;
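Review bot: the `Failed to set new file size` line just above the changed mmap call reports the extension failure but, as far as this hunk shows, does not return, so the code then maps `len + slen` bytes of a file that was never grown and the first write past the real end raises SIGBUS instead of an error. That branch should `return false` after the same `lxc_netdev_delete_by_name(*nicname)` cleanup used below; the ftruncate call itself lies outside the hunk, so confirm against the full function.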
-- 
1.8.3.2




[lxc-devel] [PATCH 2/9] lxc_user_nic: don't pass unused arg to get_username()

2013-11-19 Thread Serge Hallyn
From: Serge Hallyn serge.hal...@ubuntu.com

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/lxc_user_nic.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index c8513ba..da3ae74 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -122,7 +122,7 @@ int open_and_lock(char *path)
 }
 
 
-char *get_username(char **buf)
+char *get_username(void)
 {
struct passwd *pwd = getpwuid(getuid());
 
@@ -901,13 +901,13 @@ int main(int argc, char *argv[])
 {
int n, fd;
bool gotone = false;
-   char *me, *buf = alloca(400);
+   char *me;
char *nicname = alloca(40);
char *cnic; // created nic name in container is returned here.
char *vethname;
int pid;
 
-   if ((me = get_username(buf)) == NULL) {
+   if ((me = get_username()) == NULL) {
fprintf(stderr, Failed to get username\n);
exit(1);
}
-- 
1.8.3.2




[lxc-devel] [PATCH 1/9] lxc_user_nic: add a check to make sure caller owns target netns

2013-11-19 Thread Serge Hallyn
From: Serge Hallyn serge.hal...@ubuntu.com

Temporarily set our euid back to the calling ruid, so that the
access(2) check can succeed based on the euid being the userns
creator.

Also switch from atoi to strtol

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/lxc_user_nic.c | 64 +-
 1 file changed, 58 insertions(+), 6 deletions(-)

diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index e4f59fa..c8513ba 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -540,7 +540,7 @@ int lxc_netdev_delete_by_name(const char *name)
 
 #endif
 
-bool create_nic(char *nic, char *br, char *pidstr, char **cnic)
+bool create_nic(char *nic, char *br, int pid, char **cnic)
 {
 #if ISTEST
char path[200];
@@ -556,7 +556,6 @@ bool create_nic(char *nic, char *br, char *pidstr, char 
**cnic)
veth1buf = alloca(IFNAMSIZ);
veth2buf = alloca(IFNAMSIZ);
int ret;
-   int pid = atoi(pidstr);
 
ret = snprintf(veth1buf, IFNAMSIZ, %s, nic);
if (ret  0 || ret = IFNAMSIZ) {
@@ -596,7 +595,7 @@ out_del:
  * *dest will container the name (lxcuser-%d) which is attached
  * on the host to the lxc bridge
  */
-void get_new_nicname(char **dest, char *br, char *pid, char **cnic)
+void get_new_nicname(char **dest, char *br, int pid, char **cnic)
 {
int i = 0;
// TODO - speed this up.  For large installations we won't
@@ -679,7 +678,7 @@ int count_entries(char *buf, off_t len, char *me, char *t, 
char *br)
  * The dbfile has lines of the format:
  * user type bridge nicname
  */
-bool get_nic_if_avail(int fd, char *me, char *pid, char *intype, char *br, int 
allowed, char **nicname, char **cnic)
+bool get_nic_if_avail(int fd, char *me, int pid, char *intype, char *br, int 
allowed, char **nicname, char **cnic)
 {
off_t len, slen;
struct stat sb;
@@ -857,6 +856,47 @@ out_err:
return -1;
 }
 
+/*
+ * If the caller (real uid, not effective uid) may read the
+ * /proc/pid/net/ns, then it is either the caller's netns or one
+ * which it created.
+ */
+static bool may_access_netns(int pid)
+{
+   int ret;
+   char s[200];
+   uid_t ruid, suid, euid;
+   bool may_access = false;
+
+   ret = getresuid(ruid, euid, suid);
+   if (ret) {
+   fprintf(stderr, Failed to get my uids: %s\n, strerror(errno));
+   return false;
+   }
+   ret = setresuid(ruid, ruid, euid);
+   if (ret) {
+   fprintf(stderr, Failed to set temp uids to (%d,%d,%d): %s\n,
+   (int)ruid, (int)ruid, (int)euid, 
strerror(errno));
+   return false;
+   }
+   ret = snprintf(s, 200, /proc/%d/ns/net, pid);
+   if (ret  0 || ret = 200)  // can't happen
+   return false;
+   ret = access(s, R_OK);
+   if (ret) {
+   fprintf(stderr, Uid %d may not access %s: %s\n,
+   (int)ruid, s, strerror(errno));
+   }
+   may_access = ret == 0;
+   ret = setresuid(ruid, euid, suid);
+   if (ret) {
+   fprintf(stderr, Failed to restore uids to (%d,%d,%d): %s\n,
+   (int)ruid, (int)euid, (int)suid, 
strerror(errno));
+   may_access = false;
+   }
+   return may_access;
+}
+
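Review bot: `may_access_netns()` validates `/proc/<pid>/ns/net` with access(2) and then main() goes on to create the veth and call `rename_in_ns(pid, ...)` considerably later, by which time the pid can have exited and been reused by a process in another user's (or root's) network namespace — the check and the use are not bound to the same namespace object, only to a recyclable number. Open the ns file instead of access()ing it while the real uid is in effect, e.g. `int nsfd = open(s, O_RDONLY | O_CLOEXEC);` (open applies the same permission check), keep the descriptor, and hand it to the later steps via setns(2) or IFLA_NET_NS_FD in the netlink move so the namespace that was authorized is the one modified. The early `return false` after the snprintf also skips the setresuid() restore; harmless only because the caller exits on failure, which deserves a comment or a goto to the restore path.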
 int main(int argc, char *argv[])
 {
int n, fd;
@@ -879,6 +919,13 @@ int main(int argc, char *argv[])
else
vethname = eth0;
 
+   errno = 0;
+   pid = (int) strtol(argv[1], NULL, 10);
+   if (errno) {
+   fprintf(stderr, Could not read pid: %s\n, argv[1]);
+   exit(1);
+   }
+
if (!create_db_dir(DB_FILE)) {
fprintf(stderr, Failed to create directory for db file\n);
exit(1);
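Review bot: the new `pid = (int) strtol(argv[1], NULL, 10);` only inspects errno, so an empty string, `12abc`, `0`, a negative value, or a value beyond INT_MAX (silently truncated by the cast) all pass this check and are caught, if at all, only by the later /proc lookup. Pass an end pointer and range-check before assigning: `char *end; long v = strtol(argv[1], &end, 10);` followed by `if (errno || end == argv[1] || *end || v <= 0 || v > INT_MAX)`. This helper runs setuid root, so argument parsing should be strict rather than rely on a downstream failure.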
@@ -889,16 +936,21 @@ int main(int argc, char *argv[])
exit(1);
}
 
+   if (!may_access_netns(pid)) {
+   fprintf(stderr, User %s may not modify netns for pid %d\n,
+   me, pid);
+   exit(1);
+   }
+
n = get_alloted(me, argv[2], argv[3]);
if (n  0)
-   gotone = get_nic_if_avail(fd, me, argv[1], argv[2], argv[3], n, 
nicname, cnic);
+   gotone = get_nic_if_avail(fd, me, pid, argv[2], argv[3], n, 
nicname, cnic);
close(fd);
if (!gotone) {
fprintf(stderr, Quota reached\n);
exit(1);
}
 
-   pid = atoi(argv[1]);
// Now rename the link
if (rename_in_ns(pid, cnic, vethname)  0) {
fprintf(stderr, Failed to rename the link\n);
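Review bot: `if (!may_access_netns(pid))` runs only after the database directory has been created and the descriptor later released at `close(fd)` has already been opened and locked, so a caller with no right to the target namespace still creates the DB and takes the exclusive lock before being refused; move the check up to immediately after the pid is parsed, before any file is touched. That also narrows the gap between parsing the pid and authorizing it, though pid reuse between the check and `rename_in_ns(pid, ...)` remains possible as long as only the number, not an open ns descriptor, is carried forward.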
-- 
1.8.3.2



[lxc-devel] [PATCH 5/9] lxc_user_nic: report failing filename in open_and_lock error cases

2013-11-19 Thread Serge Hallyn
From: Serge Hallyn serge.hal...@ubuntu.com

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/lxc_user_nic.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index 0b82a50..4154e83 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -105,7 +105,8 @@ int open_and_lock(char *path)
 
fd = open(path, O_RDWR|O_CREAT, S_IWUSR | S_IRUSR);
if (fd  0) {
-   perror(open);
+   fprintf(stderr, Failed to open %s: %s\n,
+   path, strerror(errno));
return(fd);
}
 
@@ -114,7 +115,8 @@ int open_and_lock(char *path)
lk.l_start = 0;
lk.l_len = 0;
if (fcntl(fd, F_SETLKW, lk)  0) {
-   perror(fcntl lock);
+   fprintf(stderr, Failed to lock %s: %s\n,
+   path, strerror(errno));
return -1;
}
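Review bot: on the `fcntl(fd, F_SETLKW, lk) < 0` path the function returns -1 without closing `fd`, so the descriptor just opened (possibly with O_CREAT) leaks to the caller; add `close(fd);` before that `return -1;`. The rest of open_and_lock, including the open() call on the fixed DB path, is only partly visible here.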
 
-- 
1.8.3.2




[lxc-devel] lxc-user-nic improvements

2013-11-19 Thread Serge Hallyn
Seth (cc:d) was kind enough to provide some feedback on the ugliest
bits of lxc-user-nic.  This patchset aims to address it.




[lxc-devel] [PATCH 7/9] lxc_user_nic: make all fns static for consistency

2013-11-19 Thread Serge Hallyn
From: Serge Hallyn serge.hal...@ubuntu.com

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/lxc_user_nic.c | 42 +-
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index ff5393e..caa20df 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -98,7 +98,7 @@ void usage(char *me, bool fail)
exit(fail ? 1 : 0);
 }
 
-int open_and_lock(char *path)
+static int open_and_lock(char *path)
 {
int fd;
struct flock lk;
@@ -124,7 +124,7 @@ int open_and_lock(char *path)
 }
 
 
-char *get_username(void)
+static char *get_username(void)
 {
struct passwd *pwd = getpwuid(getuid());
 
@@ -143,7 +143,7 @@ char *get_username(void)
  * Return the count entry for the calling user if there is one.  Else
  * return -1.
  */
-int get_alloted(char *me, char *intype, char *link)
+static int get_alloted(char *me, char *intype, char *link)
 {
FILE *fin = fopen(CONF_FILE, r);
char *line = NULL;
@@ -178,21 +178,21 @@ int get_alloted(char *me, char *intype, char *link)
return -1;
 }
 
-char *get_eol(char *s)
+static char *get_eol(char *s)
 {
while (*s  *s != '\n')
s++;
return s;
 }
 
-char *get_eow(char *s)
+static char *get_eow(char *s)
 {
while (*s  !isblank(*s)  *s != '\n')
s++;
return s;
 }
 
-char *find_line(char *p, char *e, char *u, char *t, char *l)
+static char *find_line(char *p, char *e, char *u, char *t, char *l)
 {
char *p1, *p2, *ret;

@@ -222,7 +222,7 @@ next:
return NULL;
 }
 
-bool nic_exists(char *nic)
+static bool nic_exists(char *nic)
 {
char path[MAXPATHLEN];
int ret;
@@ -248,7 +248,7 @@ struct link_req {
 
 #if ! ISTEST
 
-int lxc_veth_create(const char *name1, const char *name2)
+static int lxc_veth_create(const char *name1, const char *name2)
 {
struct nl_handler nlh;
struct nlmsg *nlmsg = NULL, *answer = NULL;
@@ -323,7 +323,7 @@ out:
return err;
 }
 
-int lxc_netdev_move(char *ifname, pid_t pid)
+static int lxc_netdev_move(char *ifname, pid_t pid)
 {
struct nl_handler nlh;
struct nlmsg *nlmsg = NULL;
@@ -462,7 +462,7 @@ static int instanciate_veth(char *n1, char **n2)
return netdev_set_flag(n1, IFF_UP);
 }
 
-int lxc_bridge_attach(const char *bridge, const char *ifname)
+static int lxc_bridge_attach(const char *bridge, const char *ifname)
 {
int fd, index, err;
struct ifreq ifr;
@@ -489,7 +489,7 @@ int lxc_bridge_attach(const char *bridge, const char 
*ifname)
return err;
 }
 
-int lxc_netdev_delete_by_index(int ifindex)
+static int lxc_netdev_delete_by_index(int ifindex)
 {
struct nl_handler nlh;
struct nlmsg *nlmsg = NULL, *answer = NULL;
@@ -524,7 +524,7 @@ out:
return err;
 }
 
-int lxc_netdev_delete_by_name(const char *name)
+static int lxc_netdev_delete_by_name(const char *name)
 {
int index;
 
@@ -535,7 +535,7 @@ int lxc_netdev_delete_by_name(const char *name)
return lxc_netdev_delete_by_index(index);
 }
 #else
-int lxc_netdev_delete_by_name(const char *name)
+static int lxc_netdev_delete_by_name(const char *name)
 {
char path[200];
sprintf(path, /tmp/lxcnettest/%s, name);
@@ -544,7 +544,7 @@ int lxc_netdev_delete_by_name(const char *name)
 
 #endif
 
-bool create_nic(char *nic, char *br, int pid, char **cnic)
+static bool create_nic(char *nic, char *br, int pid, char **cnic)
 {
 #if ISTEST
char path[200];
@@ -598,7 +598,7 @@ out_del:
  * *dest will container the name (lxcuser-%d) which is attached
  * on the host to the lxc bridge
  */
-void get_new_nicname(char **dest, char *br, int pid, char **cnic)
+static void get_new_nicname(char **dest, char *br, int pid, char **cnic)
 {
int i = 0;
// TODO - speed this up.  For large installations we won't
@@ -611,7 +611,7 @@ void get_new_nicname(char **dest, char *br, int pid, char 
**cnic)
}
 }
 
-bool get_nic_from_line(char *p, char **nic)
+static bool get_nic_from_line(char *p, char **nic)
 {
char user[100], type[100], br[100];
int ret;
@@ -622,7 +622,7 @@ bool get_nic_from_line(char *p, char **nic)
return true;
 }
 
-bool cull_entries(int fd, char *me, char *t, char *br)
+static bool cull_entries(int fd, char *me, char *t, char *br)
 {
struct stat sb;
char *buf, *p, *e, *nic;
@@ -663,7 +663,7 @@ bool cull_entries(int fd, char *me, char *t, char *br)
return true;
 }
 
-int count_entries(char *buf, off_t len, char *me, char *t, char *br)
+static int count_entries(char *buf, off_t len, char *me, char *t, char *br)
 {
char *e = buf[len];
int count = 0;
@@ -681,7 +681,7 @@ int count_entries(char *buf, off_t len, char *me, char *t, 
char *br)
  * The dbfile has lines of the format:
  * user type bridge nicname
  */
-bool get_nic_if_avail(int fd, char *me

[lxc-devel] [PATCH 4/9] lxc_user_nic: only exit from main and usage

2013-11-19 Thread Serge Hallyn
From: Serge Hallyn serge.hal...@ubuntu.com

Everywhere else return an error code instead.

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/lxc_user_nic.c | 21 ++---
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index 8c73b55..0b82a50 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -115,7 +115,7 @@ int open_and_lock(char *path)
lk.l_len = 0;
if (fcntl(fd, F_SETLKW, lk)  0) {
perror(fcntl lock);
-   exit(1);
+   return -1;
}
 
return fd;
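Review bot: The new `return -1` after the failed F_SETLKW leaves `fd` open, so every lock failure now leaks a descriptor where exit(1) used to release it implicitly; the line should read `close(fd); return -1;` (or a braced block with both statements). open_and_lock's body starts outside the hunk, so I am assuming the descriptor was opened earlier in this function, which its name and the returned `fd` suggest. Callers that previously never saw this function fail now need to check for -1.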
@@ -220,17 +220,17 @@ next:
 
 bool nic_exists(char *nic)
 {
-   char path[200];
+   char path[MAXPATHLEN];
int ret;
struct stat sb;
 
 #if ISTEST
-   ret = snprintf(path, 200, /tmp/lxcnettest/%s, nic);
+   ret = snprintf(path, MAXPATHLEN, /tmp/lxcnettest/%s, nic);
 #else
-   ret = snprintf(path, 200, /sys/class/net/%s, nic);
+   ret = snprintf(path, MAXPATHLEN, /sys/class/net/%s, nic);
 #endif
-   if (ret  0 || ret = 200)
-   exit(1);
+   if (ret  0 || ret = MAXPATHLEN) // should never happen!
+   return true;
ret = stat(path, sb);
if (ret != 0)
return false;
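Review bot: `return true` on snprintf truncation is the fail-safe choice — a name that could not be checked is treated as taken — but `// should never happen!` hides that reasoning; replace it with `/* cannot check: report the name as taken so the caller never reuses it */`. While here, the length argument should be `sizeof(path)` rather than repeating `MAXPATHLEN` three times, i.e. `if (ret < 0 || (size_t)ret >= sizeof(path))`, which also avoids the signed/unsigned comparison.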
@@ -436,14 +436,14 @@ static int instanciate_veth(char *n1, char **n2)
err = snprintf(*n2, IFNAMSIZ, %sp, n1);
if (err  0 || err = IFNAMSIZ) {
fprintf(stderr, nic name too long\n);
-   exit(1);
+   return -1;
}
 
err = lxc_veth_create(n1, *n2);
if (err) {
fprintf(stderr, failed to create %s-%s : %s\n, n1, *n2,
  strerror(-err));
-   exit(1);
+   return -1;
}
 
/* changing the high byte of the mac address to 0xfe, the bridge 
interface
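Review bot: Both new `return -1` statements discard the reason for the failure, even though the second one sits right next to `strerror(-err)` and therefore has a negative errno in hand; `return err;` there keeps it, and `return -ENAMETOOLONG;` would do the same for the snprintf truncation above it. If create_nic (outside this hunk) reports instanciate_veth's result the same way this hunk reports lxc_veth_create's, a bare -1 would be printed as EPERM. The function continues past the end of the hunk.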
@@ -551,7 +551,6 @@ bool create_nic(char *nic, char *br, int pid, char **cnic)
close(fd);
return true;
 #else
-   // not yet implemented
char *veth1buf, *veth2buf;
veth1buf = alloca(IFNAMSIZ);
veth2buf = alloca(IFNAMSIZ);
@@ -560,7 +559,7 @@ bool create_nic(char *nic, char *br, int pid, char **cnic)
ret = snprintf(veth1buf, IFNAMSIZ, %s, nic);
if (ret  0 || ret = IFNAMSIZ) {
fprintf(stderr, host nic name too long\n);
-   exit(1);
+   return false;
}
 
/* create the nics */
@@ -586,7 +585,7 @@ bool create_nic(char *nic, char *br, int pid, char **cnic)
 
 out_del:
lxc_netdev_delete_by_name(veth1buf);
-   exit(1);
+   return false;
 #endif
 }
 
-- 
1.8.3.2




Re: [lxc-devel] [PATCH 1/2] Setup devtmpfs and /dev for autodev bind mounts.

2013-11-19 Thread Serge Hallyn
Quoting Michael H. Warfield (m...@wittsend.com):
 If autodev is not specifically set to 0 or 1, attempts to determine if
 systemd is being utilized and forces autodev=1 to prevent host system
 conflicts and collisions.
 
 If autodev is enabled and the host /dev is mounted with devtmpfs
 or /dev/.lxc is mounted with another file system...
 
 Each container created by a privileged user gets a /dev directory
 mapped off the host /dev here:
 
   /dev/.lxc/${name}.$( hash $lxcpath/$name )
 
 Each container created by a non-privileged user gets a /dev/directory
 mapped off the host /dev here:
 
   /dev/.lxc/user/${name}.$( hash $lxcpath/$name )
 
 The /dev/.lxc/user is mode 1777 to allow unpriv access.
 
 The /dev/.lxc/{containerdev} is bind mounted into the container /dev.
 
 Fallback on failure is to mount tmpfs into the container /dev.
 
 A symlink is created from $lxcpath/$name/rootfs.dev back to the /dev
 relative directory to provide a code-consistent reference for updating
 container devs.

Hi Michael,

I haven't run it, but looking over the code in detail, it looks good
to me.  I know Stéphane in the past has objected to trying to autodetect
systemd based containers.  IMO it'd be fine to expect the templates to
set lxc.autodev, as I worry about building distro-detecting hacks into
core lxc, but unless Stéphane objects I don't care enough in this case
to nack it.

Did you consider this patch good enough to apply, or was this still an
RFC?  I'm happy either way.

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com


 ---
  src/lxc/conf.c  | 369 
 ++--
  src/lxc/conf.h  |   4 +-
  src/lxc/start.c |   2 +-
  3 files changed, 363 insertions(+), 12 deletions(-)
 
 diff --git a/src/lxc/conf.c b/src/lxc/conf.c
 index a756731..d17cb2a 100644
 --- a/src/lxc/conf.c
 +++ b/src/lxc/conf.c
 @@ -29,6 +29,7 @@
  #include string.h
  #include dirent.h
  #include unistd.h
 +#include inttypes.h
  #include sys/wait.h
  #include sys/syscall.h
  #include time.h
 @@ -1164,20 +1165,275 @@ static int setup_rootfs_pivot_root(const char 
 *rootfs, const char *pivotdir)
   return 0;
  }
  
 +
 +/*
 + * Note: This is a verbatum copy of what is in monitor.c.  We're just
 + * usint it here to generate a safe subdirectory in /dev/ for the
 + * containers /dev/
 + */
 +
 +/* Note we don't use SHA-1 here as we don't want to depend on HAVE_GNUTLS.
 + * FNV has good anti collision properties and we're not worried
 + * about pre-image resistance or one-way-ness, we're just trying to make
 + * the name unique in the 108 bytes of space we have.
 + */
 +#define FNV1A_64_INIT ((uint64_t)0xcbf29ce484222325ULL)
 +static uint64_t fnv_64a_buf(void *buf, size_t len, uint64_t hval)
 +{
 + unsigned char *bp;
 +
 + for(bp = buf; bp  (unsigned char *)buf + len; bp++)
 + {
 + /* xor the bottom with the current octet */
 + hval ^= (uint64_t)*bp;
 +
 + /* gcc optimised:
 +  * multiply by the 64 bit FNV magic prime mod 2^64
 +  */
 + hval += (hval  1) + (hval  4) + (hval  5) +
 + (hval  7) + (hval  8) + (hval  40);
 + }
 +
 + return hval;
 +}
 +
 +/*
 + * Check to see if a directory has something mounted on it and,
 + * if it does, return the fstype.
 + *
 + * Code largely based on detect_shared_rootfs below
 + *
 + * Returns: # of matching entries in /proc/self/mounts
 + *   if != 0 fstype is filled with the last filesystem value.
 + *   if == 0 no matches found, fstype unchanged.
 + *
 + * ToDo: Maybe return the mount options in another parameter...
 + */
 +
 +#define LINELEN 4096
 +#define MAX_FSTYPE_LEN 128
 +int mount_check_fs( const char *dir, char *fstype )
 +{
 + char buf[LINELEN], *p;
 + struct stat s;
 + FILE *f;
 + int found_fs = 0;
 + char *p2;
 +
 + DEBUG(entering mount_check_fs for %s\n, dir);
 +
 + if ( 0 != access(dir, F_OK) || 0 != stat(dir, s) || 0 == 
 S_ISDIR(s.st_mode) ) {
 + return 0;
 + }
 +
 + process_lock();
 + f = fopen(/proc/self/mounts, r);
 + process_unlock();
 + if (!f)
 + return 0;
 + while ((p = fgets(buf, LINELEN, f))) {
 + p = index(buf, ' ');
 + if( !p )
 + continue;
 + *p = '\0';
 + p2 = p + 1;
 +
 + p = index(p2, ' ');
 + if( !p )
 + continue;
 + *p = '\0';
 +
 + /* Compare the directory in the entry to desired */
 + if( strcmp( p2, dir ) ) {
 + continue;
 + }
 +
 + p2 = p + 1;
 + p = index( p2, ' ');
 + if( !p )
 + continue;
 + *p = '\0';
 +
 + ++found_fs;
 +
 + if( fstype ) {
 + strncpy( fstype, p2, MAX_FSTYPE_LEN - 1 );
 + fstype [ MAX_FSTYPE_LEN - 1 ] = '\0';
 +  

Re: [lxc-devel] [PATCH 2/2] Support files for systemd on Fedora.

2013-11-19 Thread Serge Hallyn
Quoting Michael H. Warfield (m...@wittsend.com):
 Added a file lxc.service for a systemd service file.
 
 Added a file lxc-devsetup to setup /dev/ on startup to support autodev
 in containers.
 
 Service file references lxc-devsetup as an ExecStartPre command.  The
 lxc-devsetup script is not dependent on systemd or Fedora and can
 be used at bootup on any system.
 
 Modified lxc.spec.in to install the two new files on Fedora.  The systemd
 specific code in the lxc.spec file may need some review and conditionalize
 for systemd on non-systemd rpm-based systems.

I'm fine with the idea, but will leave it to Stéphane to say whether
this interferes with his autostart work.  If it does, then the autostart
work should do this.  If not, then we can push this (along with an
equivalent upstart and perhaps sysvinit job)

 ---
  lxc.spec.in  |  8 
  src/lxc/lxc-devsetup | 26 ++
  src/lxc/lxc.service  | 18 ++
  3 files changed, 52 insertions(+)
  create mode 100755 src/lxc/lxc-devsetup
  create mode 100644 src/lxc/lxc.service
 
 diff --git a/lxc.spec.in b/lxc.spec.in
 index a6c96a2..3ef5881 100644
 --- a/lxc.spec.in
 +++ b/lxc.spec.in
 @@ -102,6 +102,11 @@ rm -rf %{buildroot}
  make install DESTDIR=%{buildroot}
  find %{buildroot} -type f -name '*.la' -exec rm -f {} ';'
  
 +# Install some of our systemd stuff...
 +install -d -m 755 %{buildroot}/lib/systemd/system
 +install -c -m 644 src/lxc/lxc.service %{buildroot}/lib/systemd/system
 +install -c -m 755 src/lxc/lxc-devsetup %{buildroot}/%{_libexecdir}/%{name}
 +
  %clean
  rm -rf %{buildroot}
  
 @@ -131,6 +136,8 @@ rm -rf %{buildroot}
  %{_datadir}/lxc/*
  %config(noreplace) %{_sysconfdir}/lxc/*
  
 +/lib/systemd/system/*
 +
  %files libs
  %defattr(-,root,root)
  %{_libdir}/*.so.*
 @@ -140,6 +147,7 @@ rm -rf %{buildroot}
  %endif
  %{_localstatedir}/*
  %attr(4555,root,root) %{_libexecdir}/%{name}/lxc-init
 +%attr(555,root,root) %{_libexecdir}/%{name}/lxc-devsetup
  
  %if %{with_lua}
  %files lua
 diff --git a/src/lxc/lxc-devsetup b/src/lxc/lxc-devsetup
 new file mode 100755
 index 000..583a001
 --- /dev/null
 +++ b/src/lxc/lxc-devsetup
 @@ -0,0 +1,26 @@
 +#!/bin/sh -
 +
 +# lxc.devsetup - Setup host /dev for container /dev subdirectories.
 +
 +if [[ ! -d /dev/.lxc ]]
 +then
 +echo Creating /dev/.lxc
 +mkdir /dev/.lxc
 +chmod 755 /dev/.lxc
 +fi
 +
 +if grep -q /dev devtmpfs  /proc/self/mounts
 +then
 +echo /dev is devtmpfs
 +else
 +echo /dev is not devtmpfs - mounting tmpfs on .lxc
 +mount -t tmpfs tmpfs /dev/.lxc
 +fi
 +
 +if [[ ! -d /dev/.lxc/user ]]
 +then
 +echo Creating /dev/.lxc/user
 +mkdir /dev/.lxc/user
 +chmod 1777 /dev/.lxc/user
 +fi
 +
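Review bot: The script is run by `#!/bin/sh -` but both tests use the bash-only `[[ ... ]]`; under a POSIX sh such as dash the `[[` command is not found, the condition evaluates false and neither directory is ever created. Use `if [ ! -d /dev/.lxc ]` and `if [ ! -d /dev/.lxc/user ]` (or change the shebang to bash). Separately, the fallback `mount -t tmpfs tmpfs /dev/.lxc` creates a tmpfs whose root is mode 1777 by default, which silently undoes the `chmod 755` done just before on the underlying directory; mount it as `mount -t tmpfs -o mode=755 tmpfs /dev/.lxc` so that only /dev/.lxc/user is world-writable, as the description intends. The mkdir and mount calls are also unchecked, so a failure is never reported to the unit that runs this script.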
 diff --git a/src/lxc/lxc.service b/src/lxc/lxc.service
 new file mode 100644
 index 000..d3d3238
 --- /dev/null
 +++ b/src/lxc/lxc.service
 @@ -0,0 +1,18 @@
 +[Unit]
 +Description=LXC Container Initialization and Autoboot Code
 +After=syslog.target
 +
 +[Service]
 +Type=oneshot
 +RemainAfterExit=yes
 +ExecStartPre=/usr/libexec/lxc/lxc-devsetup
 +ExecStart=/usr/libexec/lxc/lxc-startup start
 +ExecStop=/usr/libexec/lxc/lxc-startup stop
 +# Environment=BOOTUP=serial
 +# Environment=CONSOLETYPE=serial
 +StandardOutput=syslog
 +StandardError=syslog
 +
 +[Install]
 +WantedBy=multi-user.target
 +
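Review bot: `ExecStart` and `ExecStop` point at `/usr/libexec/lxc/lxc-startup`, which this series does not add (the diffstat lists only lxc-devsetup and lxc.service), so unless that helper already exists in the tree the unit fails at start. The path is also hard-coded while lxc.spec.in installs the helpers under `%{_libexecdir}/%{name}`, and the spec hunk above likewise hard-codes `/lib/systemd/system` instead of `%{_unitdir}`; generating the unit from a `.in` template with the configured libexecdir would keep the two in sync.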
 -- 
 1.8.3.1
 
 
 -- 
 Michael H. Warfield (AI4NB) | (770) 978-7061 |  m...@wittsend.com
/\/\|=mhw=|\/\/  | (678) 463-0932 |  http://www.wittsend.com/mhw/
NIC whois: MHW9  | An optimist believes we live in the best of all
  PGP Key: 0x674627FF| possible worlds.  A pessimist is sure of it!
 







Re: [lxc-devel] [PATCH 1/4] oracle template: further disable selinux in ol5 container

2013-11-19 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
 Signed-off-by: Dwight Engen dwight.en...@oracle.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  templates/lxc-oracle.in | 15 +--
  1 file changed, 13 insertions(+), 2 deletions(-)
 
 diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
 index 78d99ee..106150c 100644
 --- a/templates/lxc-oracle.in
 +++ b/templates/lxc-oracle.in
 @@ -51,11 +51,17 @@ container_rootfs_configure()
  {
  echo Configuring container for Oracle Linux 
 $container_release_major.$container_release_minor
  
 -# disable selinux. init in OL 5 honors /etc/selinux/config. note that
 +# disable selinux in the guest. The policy in the container isn't
 +# likely to match the hosts (unless host == guest exactly) and the
 +# kernel can only be enforcing one policy.
 +#
 +# The OL 5 init honors /etc/selinux/config, but note that
  # this doesnt actually disable it if it's enabled in the host, since
  # libselinux::is_selinux_enabled() in the guest will check
  # /proc/filesystems and see selinuxfs, thus reporting that it is on
 -# (ie. check the output of sestatus in the guest)
 +# (ie. check the output of sestatus in the guest). We also replace
 +# /usr/sbin/selinuxenabled with a symlink to /bin/false so that init
 +# scripts (ie. mcstransd) that call that think selinux is disabled.
  mkdir -p $container_rootfs/selinux
  echo 0  $container_rootfs/selinux/enforce
  if [ -e $container_rootfs/etc/selinux/config ]; then
 @@ -68,6 +74,11 @@ container_rootfs_configure()
  sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*open|#session 
 required pam_selinux.so open|' $container_rootfs/etc/pam.d/login
  sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required 
 pam_loginuid.so|' $container_rootfs/etc/pam.d/login
  
 +if [ -f $container_rootfs/usr/sbin/selinuxenabled ]; then
 +mv $container_rootfs/usr/sbin/selinuxenabled 
 $container_rootfs/usr/sbin/selinuxenabled.lxcorig
 +ln -s /bin/false $container_rootfs/usr/sbin/selinuxenabled
 +fi
 +
  # silence error in checking for selinux
  sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current 
 2/dev/null|' $container_rootfs/etc/rc.sysinit
  sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current 
 2/dev/null|' $container_rootfs/etc/rc.d/rc.sysinit
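Review bot: The `-f` test in the new block follows symlinks, so on a second run of the template the symlink to /bin/false passes the test, is moved over `selinuxenabled.lxcorig` and the saved original binary is lost; guard with `if [ -f $container_rootfs/usr/sbin/selinuxenabled -a ! -L $container_rootfs/usr/sbin/selinuxenabled ]; then`. Note that the test resolves the absolute link target on the host, not inside the rootfs, which is what makes it pass.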
 -- 
 1.8.3.1
 
 



Re: [lxc-devel] [PATCH 2/4] oracle template: prevent mingetty from calling vhangup(2)

2013-11-19 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
 This is needed when using the user namespace since the kernel check does
 not allow user_ns root to successfully call vhangup(2), and mingetty will
 quit in this case.
 
 Signed-off-by: Dwight Engen dwight.en...@oracle.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  templates/lxc-oracle.in | 8 ++--
  1 file changed, 6 insertions(+), 2 deletions(-)
 
 diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
 index 106150c..d3d6ff9 100644
 --- a/templates/lxc-oracle.in
 +++ b/templates/lxc-oracle.in
 @@ -226,6 +226,9 @@ EOF
  echo # For libvirt/Virtual Machine Monitor 
 $container_rootfs/etc/securetty
  echo pts/0$container_rootfs/etc/securetty
  
 +# prevent mingetty from calling vhangup(2) since it fails with userns
 +sed -i 's|mingetty|mingetty --nohangup|' 
 $container_rootfs/etc/init/tty.conf
 +
  # dont try to unmount /dev/lxc devices
  sed -i 's| $1 !~ /^\\/dev\\/ram/|\\ $2 !~ /^\\/dev\\/lxc/ \\ $1 !~ 
 /^\\/dev\\/ram/|' $container_rootfs/etc/init.d/halt
  
 @@ -234,7 +237,8 @@ EOF
  
  # start a getty on /dev/console, /dev/tty[1-4]
  if [ $container_release_major = 4 -o $container_release_major = 5 ]; 
 then
 -sed -i '/1:2345:respawn/i cns:2345:respawn:/sbin/mingetty console' 
 $container_rootfs/etc/inittab
 +sed -i 's|mingetty|mingetty --nohangup|' 
 $container_rootfs/etc/inittab
 +sed -i '/1:2345:respawn/i cns:2345:respawn:/sbin/mingetty --nohangup 
 console' $container_rootfs/etc/inittab
  sed -i '/5:2345:respawn/d' $container_rootfs/etc/inittab
  sed -i '/6:2345:respawn/d' $container_rootfs/etc/inittab
  fi
 @@ -250,7 +254,7 @@ start on stopped rc RUNLEVEL=[2345]
  stop on runlevel [!2345]
  
  respawn
 -exec /sbin/mingetty /dev/console
 +exec /sbin/mingetty --nohangup /dev/console
  EOF
  fi
  
 -- 
 1.8.3.1
 
 



Re: [lxc-devel] [PATCH 3/4] oracle template: don't clear console tty

2013-11-19 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
 This allows the boot messages to be seen which are useful for monitoring
 container startup.
 
 Signed-off-by: Dwight Engen dwight.en...@oracle.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  templates/lxc-oracle.in | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
 index d3d6ff9..e86f261 100644
 --- a/templates/lxc-oracle.in
 +++ b/templates/lxc-oracle.in
 @@ -238,7 +238,7 @@ EOF
  # start a getty on /dev/console, /dev/tty[1-4]
  if [ $container_release_major = 4 -o $container_release_major = 5 ]; 
 then
  sed -i 's|mingetty|mingetty --nohangup|' 
 $container_rootfs/etc/inittab
 -sed -i '/1:2345:respawn/i cns:2345:respawn:/sbin/mingetty --nohangup 
 console' $container_rootfs/etc/inittab
 +sed -i '/1:2345:respawn/i cns:2345:respawn:/sbin/mingetty --nohangup 
 --noclear console' $container_rootfs/etc/inittab
  sed -i '/5:2345:respawn/d' $container_rootfs/etc/inittab
  sed -i '/6:2345:respawn/d' $container_rootfs/etc/inittab
  fi
 @@ -254,7 +254,7 @@ start on stopped rc RUNLEVEL=[2345]
  stop on runlevel [!2345]
  
  respawn
 -exec /sbin/mingetty --nohangup /dev/console
 +exec /sbin/mingetty --nohangup --noclear /dev/console
  EOF
  fi
  
 -- 
 1.8.3.1
 
 



Re: [lxc-devel] [PATCH 4/4] oracle template: fix pam login failures under user namespace

2013-11-19 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
 Signed-off-by: Dwight Engen dwight.en...@oracle.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  templates/lxc-oracle.in | 9 +
  1 file changed, 9 insertions(+)
 
 diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in
 index e86f261..8770e70 100644
 --- a/templates/lxc-oracle.in
 +++ b/templates/lxc-oracle.in
 @@ -72,6 +72,10 @@ container_rootfs_configure()
  fi
  sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*close|#session 
 required pam_selinux.so close|' $container_rootfs/etc/pam.d/login
  sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*open|#session 
 required pam_selinux.so open|' $container_rootfs/etc/pam.d/login
 +
 +# setting /proc/$$/loginuid doesn't work under user namespace, which
 +# prevents logins from working
 +sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required 
 pam_loginuid.so|' $container_rootfs/etc/pam.d/sshd
  sed -i 's|session[ \t]*required[ \t]*pam_loginuid.so|#session required 
 pam_loginuid.so|' $container_rootfs/etc/pam.d/login
  
  if [ -f $container_rootfs/usr/sbin/selinuxenabled ]; then
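Review bot: The new `sed -i` on `$container_rootfs/etc/pam.d/sshd` runs unconditionally, and unlike the login file that path only exists when an ssh server is part of the rootfs, so on images without one sed prints an error and, if the template runs under `set -e`, aborts container creation; wrap the line as `if [ -f $container_rootfs/etc/pam.d/sshd ]; then ... fi`, matching the `-f` guard the function already uses for selinuxenabled just below. Whether the template runs under set -e is not visible in this hunk.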
 @@ -83,6 +87,11 @@ container_rootfs_configure()
  sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current 
 2/dev/null|' $container_rootfs/etc/rc.sysinit
  sed -i 's|cat /proc/self/attr/current|cat /proc/self/attr/current 
 2/dev/null|' $container_rootfs/etc/rc.d/rc.sysinit
  
 +# on ol4 pam_limits prevents logins when using user namespaces
 +if [ $container_release_major = 4 ]; then
 +sed -i 's|session[ \t]*required[ 
 \t]*/lib/security/\$ISA/pam_limits.so|#session required 
 /lib/security/$ISA/pam_limits.so|' $container_rootfs/etc/pam.d/system-auth
 +fi
 +
  # configure the network to use dhcp. we set DHCP_HOSTNAME so the guest
  # will report its name and be resolv'able by the hosts dnsmasq
  cat EOF  $container_rootfs/etc/sysconfig/network-scripts/ifcfg-eth0
 -- 
 1.8.3.1
 
 



Re: [lxc-devel] [PATCH] fix memory leaks reported by cppcheck in src/lxc/conf.c (v2)

2013-11-19 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 This also fixes possible crashes due to passing NULL to strlen function
 
 Changes since v1;
 * Fixed a typo spotted by Serge
 
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Thanks.

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/conf.c | 28 +++-
  1 file changed, 19 insertions(+), 9 deletions(-)
 
 diff --git a/src/lxc/conf.c b/src/lxc/conf.c
 index dec1c05..caf92c4 100644
 --- a/src/lxc/conf.c
 +++ b/src/lxc/conf.c
 @@ -2425,23 +2425,26 @@ static int instanciate_veth(struct lxc_handler 
 *handler, struct lxc_netdev *netd
   return -1;
   }
   veth1 = mkifname(veth1buf);
 + if (!veth1) {
 + ERROR(failed to allocate a temporary name);
 + return -1;
 + }
   /* store away for deconf */
   memcpy(netdev-priv.veth_attr.veth1, veth1, IFNAMSIZ);
   }
  
   snprintf(veth2buf, sizeof(veth2buf), vethXX);
   veth2 = mkifname(veth2buf);
 -
 - if (!strlen(veth1) || !strlen(veth2)) {
 + if (!veth2) {
   ERROR(failed to allocate a temporary name);
 - return -1;
 + goto out_delete;
   }
  
   err = lxc_veth_create(veth1, veth2);
   if (err) {
   ERROR(failed to create %s-%s : %s, veth1, veth2,
 strerror(-err));
 - return -1;
 + goto out_delete;
   }
  
   /* changing the high byte of the mac address to 0xfe, the bridge 
 interface
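Review bot: The new `goto out_delete` at the `if (!veth2)` check runs before `lxc_veth_create` has been called, so the cleanup label issues `lxc_netdev_delete_by_name(veth1)` for an interface that was never created; the same happens in the macvlan hunk further down, where the first `goto out` is taken when `lxc_macvlan_create` itself failed. Add a second label, e.g. `out_free:` placed between the delete call and the free()s, and jump to it from the pre-create failures so only the frees run there. instanciate_veth starts and ends outside this hunk.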
 @@ -2500,6 +2503,10 @@ static int instanciate_veth(struct lxc_handler 
 *handler, struct lxc_netdev *netd
  
  out_delete:
   lxc_netdev_delete_by_name(veth1);
 + if (!netdev-priv.veth_attr.pair  veth1)
 + free(veth1);
 + if(veth2)
 + free(veth2);
   return -1;
  }
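Review bot: `if(veth2) free(veth2);` guards a call that is already a no-op for NULL, and the missing space after `if` departs from the style of the line above it; `free(veth2);` on its own is enough. The `veth1` check is different because it encodes ownership (the buffer is heap-allocated only when no pair was configured), so a short comment such as `/* veth1 is ours only when we generated it */` would make that asymmetry clear to the next reader.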
  
 @@ -2537,7 +2544,7 @@ static int instanciate_macvlan(struct lxc_handler 
 *handler, struct lxc_netdev *n
   return -1;
  
   peer = mkifname(peerbuf);
 - if (!strlen(peer)) {
 + if (!peer) {
   ERROR(failed to make a temporary name);
   return -1;
   }
 @@ -2547,27 +2554,30 @@ static int instanciate_macvlan(struct lxc_handler 
 *handler, struct lxc_netdev *n
   if (err) {
   ERROR(failed to create macvlan interface '%s' on '%s' : %s,
 peer, netdev-link, strerror(-err));
 - return -1;
 + goto out;
   }
  
   netdev-ifindex = if_nametoindex(peer);
   if (!netdev-ifindex) {
   ERROR(failed to retrieve the index for %s, peer);
 - lxc_netdev_delete_by_name(peer);
 - return -1;
 + goto out;
   }
  
   if (netdev-upscript) {
   err = run_script(handler-name, net, netdev-upscript, up,
macvlan, netdev-link, (char*) NULL);
   if (err)
 - return -1;
 + goto out;
   }
  
   DEBUG(instanciated macvlan '%s', index is '%d' and mode '%d',
 peer, netdev-ifindex, netdev-priv.macvlan_attr.mode);
  
   return 0;
 +out:
 + lxc_netdev_delete_by_name(peer);
 + free(peer);
 + return -1;
  }
  
  static int shutdown_macvlan(struct lxc_handler *handler, struct lxc_netdev 
 *netdev)
 -- 
 1.8.3.2
 
 



Re: [lxc-devel] [PATCH] fix memory leaks reported by cppcheck in src/lxc/bdev.c

2013-11-18 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/bdev.c | 6 +-
  1 file changed, 5 insertions(+), 1 deletion(-)
 
 diff --git a/src/lxc/bdev.c b/src/lxc/bdev.c
 index c7e5e5e..6acd29a 100644
 --- a/src/lxc/bdev.c
 +++ b/src/lxc/bdev.c
 @@ -962,8 +962,10 @@ static int lvm_snapshot(const char *orig, const char 
 *path, unsigned long size)
   // check if the original lv is backed by a thin pool, in which case we
   // cannot specify a size that's different from the original size.
   ret = lvm_is_thin_volume(orig);
 - if (ret == -1)
 + if (ret == -1) {
 + free(pathdup);
   return -1;
 + }
  
   if (!ret) {
   ret = execlp(lvcreate, lvcreate, -s, -L, sz, -n, lv, 
 orig, (char *)NULL);
 @@ -1282,6 +1284,7 @@ static int btrfs_subvolume_create(const char *path)
   p = strrchr(newfull, '/');
   if (!p) {
   ERROR(bad path: %s, path);
 + free(newfull);
   return -1;
   }
   *p = '\0';
 @@ -1418,6 +1421,7 @@ static int btrfs_destroy(struct bdev *orig)
   p = strrchr(newfull, '/');
   if (!p) {
   ERROR(bad path: %s, path);
 + free(newfull);
   return -1;
   }
   *p = '\0';
 -- 
 1.8.3.2
 
 



Re: [lxc-devel] [PATCH] add missing paranthesis (v2)

2013-11-18 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/lxccontainer.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
 index 3cabf0d..11e70cb 100644
 --- a/src/lxc/lxccontainer.c
 +++ b/src/lxc/lxccontainer.c
 @@ -2958,9 +2958,9 @@ static bool add_remove_device_node(struct lxc_container 
 *c, char *src_path, char
   goto out;
  
   /* continue if path is character device or block device */
 - if S_ISCHR(st.st_mode)
 + if (S_ISCHR(st.st_mode))
   ret = snprintf(value, MAX_BUFFER, c %d:%d rwm, 
 major(st.st_rdev), minor(st.st_rdev));
 - else if S_ISBLK(st.st_mode)
 + else if (S_ISBLK(st.st_mode))
   ret = snprintf(value, MAX_BUFFER, b %d:%d rwm, 
 major(st.st_rdev), minor(st.st_rdev));
   else
   goto out;
 -- 
 1.8.3.2
 
 



Re: [lxc-devel] [PATCH] fix memory leaks reported by cppcheck in src/lxc/lxc_monitor.c. Since this is a cli tool it doesn't really matter but might silence some warnings for debugging

2013-11-18 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/lxc_monitor.c | 10 --
  1 file changed, 8 insertions(+), 2 deletions(-)
 
 diff --git a/src/lxc/lxc_monitor.c b/src/lxc/lxc_monitor.c
 index 0c27723..4f56308 100644
 --- a/src/lxc/lxc_monitor.c
 +++ b/src/lxc/lxc_monitor.c
 @@ -89,8 +89,10 @@ int main(int argc, char *argv[])
  
   if (regcomp(preg, regexp, REG_NOSUB|REG_EXTENDED)) {
   ERROR(failed to compile the regex '%s', my_args.name);
 + free(regexp);
   return -1;
   }
 + free(regexp);
  
   if (my_args.lxcpath_cnt  FD_SETSIZE) {
   ERROR(too many paths requested, only the first %d will be 
 monitored, FD_SETSIZE);
 @@ -104,8 +106,10 @@ int main(int argc, char *argv[])
   lxc_monitord_spawn(my_args.lxcpath[i]);
  
   fd = lxc_monitor_open(my_args.lxcpath[i]);
 - if (fd  0)
 + if (fd  0) {
 + regfree(preg);
   return -1;
 + }
   FD_SET(fd, rfds);
   if (fd  nfds)
   nfds = fd;
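Review bot: The two new error exits in this hunk and the next (`@@ -118,8 +122,10 @@`) each repeat the `regfree` call by hand before `return -1;`; a single cleanup label at the end of `main` holding the `regfree` and the `return -1`, reached by `goto` from every failure point, is the usual shape and keeps a future exit from forgetting it. On the `lxc_monitor_open` failure path the descriptors opened on earlier loop iterations are also left open, which is harmless only because `main` is returning, as the commit message already concedes. `main` starts and ends outside the hunks.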
 @@ -118,8 +122,10 @@ int main(int argc, char *argv[])
   for (;;) {
   memcpy(rfds, rfds_save, sizeof(rfds));
  
 - if (lxc_monitor_read_fdset(rfds, nfds, msg, -1)  0)
 + if (lxc_monitor_read_fdset(rfds, nfds, msg, -1)  0) {
 + regfree(preg);
   return -1;
 + }
  
   msg.name[sizeof(msg.name)-1] = '\0';
   if (regexec(preg, msg.name, 0, NULL, 0))
 -- 
 1.8.3.2
 
 



Re: [lxc-devel] [PATCH] free previously allocated memory if realloc fails in src/lxc/lsm/apparmor.c

2013-11-18 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/lsm/apparmor.c | 8 +---
  1 file changed, 5 insertions(+), 3 deletions(-)
 
 diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c
 index aaf8056..f7f2ff9 100644
 --- a/src/lxc/lsm/apparmor.c
 +++ b/src/lxc/lsm/apparmor.c
 @@ -68,7 +68,7 @@ static char *apparmor_process_label_get(pid_t pid)
  {
   char path[100], *space;
   int ret;
 - char *buf = NULL;
 + char *buf = NULL, *newbuf;
   int sz = 0;
   FILE *f;
  
 @@ -88,14 +88,16 @@ again:
   return NULL;
   }
   sz += 1024;
 - buf = realloc(buf, sz);
 - if (!buf) {
 + newbuf = realloc(buf, sz);
 + if (!newbuf) {
 + free(buf);
   ERROR(out of memory);
   process_lock();
   fclose(f);
   process_unlock();
   return NULL;
   }
 + buf = newbuf;
   memset(buf, 0, sz);
   ret = fread(buf, 1, sz - 1, f);
   process_lock();
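Review bot: `sz` is declared `int` in the previous hunk, yet `realloc(buf, sz)`, `memset(buf, 0, sz)` and `fread(buf, 1, sz - 1, f)` around the new `buf = newbuf;` all take `size_t`, and `fread`'s `size_t` result is stored in `int ret`; declaring `sz` and `ret` as `size_t` removes the sign conversions that `-Wconversion` would flag on these lines. The whole-buffer `memset` after each growth step appears to exist only so the text read by `fread` is NUL-terminated; if the retry loop at `again:` re-reads from the start each pass, `buf[ret] = '\0';` after the `fread` would give the same guarantee without zeroing `sz` bytes per iteration. The rest of the loop is outside the hunk, so this is hedged.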
 -- 
 1.8.3.2
 
 



Re: [lxc-devel] [PATCH] p is a pointer and cannot be negative so check if it is NULL

2013-11-18 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/utils.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/lxc/utils.c b/src/lxc/utils.c
 index 3fab9ae..e2d2639 100644
 --- a/src/lxc/utils.c
 +++ b/src/lxc/utils.c
 @@ -483,7 +483,7 @@ int sha1sum_file(char *fnam, unsigned char *digest)
   process_lock();
   f = fopen_cloexec(fnam, r);
   process_unlock();
 - if (f  0) {
 + if (!f) {
   SYSERROR(Error opening template);
   return -1;
   }
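Review bot: The failure branch the commit corrects still logs `Error opening template` without naming the file, although `fnam` is right there; `SYSERROR("Error opening template %s", fnam);` makes the message actionable when the function is used on many files. `sha1sum_file` continues outside the hunk.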
 -- 
 1.8.3.2
 
 



Re: [lxc-devel] [PATCH] fix memory leaks reported by cppcheck in src/lxc/conf.c, this also fixes possible crashes due to passing NULL to strlen

2013-11-18 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Hi,

please try to keep a single, one-line description as the
subject, with the longer patch description in the body.  It
will keep git history much neater.

One question below,

 ---
  src/lxc/conf.c | 28 +++-
  1 file changed, 19 insertions(+), 9 deletions(-)
 
 diff --git a/src/lxc/conf.c b/src/lxc/conf.c
 index dec1c05..1af50e2 100644
 --- a/src/lxc/conf.c
 +++ b/src/lxc/conf.c
 @@ -2425,23 +2425,26 @@ static int instanciate_veth(struct lxc_handler 
 *handler, struct lxc_netdev *netd
   return -1;
   }
   veth1 = mkifname(veth1buf);
 + if (!veth1) {
 + ERROR(failed to allocate a temporary name);
 + return -1;
 + }
   /* store away for deconf */
   memcpy(netdev-priv.veth_attr.veth1, veth1, IFNAMSIZ);
   }
  
   snprintf(veth2buf, sizeof(veth2buf), vethXX);
   veth2 = mkifname(veth2buf);
 -
 - if (!strlen(veth1) || !strlen(veth2)) {
 + if (!veth2) {
   ERROR(failed to allocate a temporary name);
 - return -1;
 + goto out_delete;
   }
  
   err = lxc_veth_create(veth1, veth2);
   if (err) {
   ERROR(failed to create %s-%s : %s, veth1, veth2,
 strerror(-err));
 - return -1;
 + goto out_delete;
   }
  
   /* changing the high byte of the mac address to 0xfe, the bridge 
 interface
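Review bot: The new `goto out_delete;` in the `if (!veth2)` branch jumps to a label that calls `lxc_netdev_delete_by_name(veth1)` before `lxc_veth_create(veth1, veth2)` has run, so the error path now tries to delete an interface this function never created; the old code just returned -1 here. If `veth1` came from `netdev->priv.veth_attr.pair`, which appears to be a configured name, an unrelated host interface of that name could be removed. The same pattern is introduced in the macvlan hunk below (`@@ -2547,27 +2554,30 @@`), where the `goto out` on the "failed to create macvlan interface" branch reaches an `out:` label that deletes `peer`. A second label placed after the delete call, used by the failures that precede creation, or a `bool created` flag checked before deleting, would confine deletion to devices this function made. `instanciate_veth` starts outside the hunk.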
 @@ -2500,6 +2503,10 @@ static int instanciate_veth(struct lxc_handler 
 *handler, struct lxc_netdev *netd
  
  out_delete:
   lxc_netdev_delete_by_name(veth1);
 + if (!netdev-priv.veth_attr.pair  veth2)

Did you mean to check for veth1 here?

 + free(veth1);
 + if(veth2)
 + free(veth2);
   return -1;
  }
  
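Review bot: `if(veth2) free(veth2);` guards a call that already accepts NULL, so the condition only adds noise; `free(veth2);` on its own is enough, and it would also match the file's `if (` spacing. The first `free` under `out_delete:` is conditional for a different reason (the pair name may not be owned by this function), so a one-line comment such as `/* veth1 is only ours when no pair name was configured */` would explain why the two frees differ.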
 @@ -2537,7 +2544,7 @@ static int instanciate_macvlan(struct lxc_handler 
 *handler, struct lxc_netdev *n
   return -1;
  
   peer = mkifname(peerbuf);
 - if (!strlen(peer)) {
 + if (!peer) {
   ERROR(failed to make a temporary name);
   return -1;
   }
 @@ -2547,27 +2554,30 @@ static int instanciate_macvlan(struct lxc_handler 
 *handler, struct lxc_netdev *n
   if (err) {
   ERROR(failed to create macvlan interface '%s' on '%s' : %s,
 peer, netdev-link, strerror(-err));
 - return -1;
 + goto out;
   }
  
   netdev-ifindex = if_nametoindex(peer);
   if (!netdev-ifindex) {
   ERROR(failed to retrieve the index for %s, peer);
 - lxc_netdev_delete_by_name(peer);
 - return -1;
 + goto out;
   }
  
   if (netdev-upscript) {
   err = run_script(handler-name, net, netdev-upscript, up,
macvlan, netdev-link, (char*) NULL);
   if (err)
 - return -1;
 + goto out;
   }
  
   DEBUG(instanciated macvlan '%s', index is '%d' and mode '%d',
 peer, netdev-ifindex, netdev-priv.macvlan_attr.mode);
  
   return 0;
 +out:
 +lxc_netdev_delete_by_name(peer);
 +free(peer);
 + return -1;
  }
  
  static int shutdown_macvlan(struct lxc_handler *handler, struct lxc_netdev 
 *netdev)
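Review bot: The two statements added under the new `out:` label, `lxc_netdev_delete_by_name(peer);` and `free(peer);`, appear to sit at column 0 while the `return -1;` beneath them keeps the function's tab indent; they should be indented the same way as the rest of the body. A label at the end of the function is fine, but since every `goto out` now lands here regardless of how far setup got, a short comment above it stating which resources it assumes exist would help the next reader.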
 -- 
 1.8.3.2
 
 



Re: [lxc-devel] [PATCH] fix memory leaks reported by cppcheck in src/lxc/conf.c, this also fixes possible crashes due to passing NULL to strlen

2013-11-18 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Hi Serge,
 
 On Mon, Nov 18, 2013 at 10:52 AM, Serge Hallyn serge.hal...@ubuntu.com 
 wrote:
  Quoting S.Çağlar Onur (cag...@10ur.org):
  Signed-off-by: S.Çağlar Onur cag...@10ur.org
 
  Hi,
 
  please try to keep a single, one-line description as the
  subject, with the longer patch description in the body.  It
  will keep git history much neater.
 
 Sure, will do!
 
  One question below,
 
  ---
   src/lxc/conf.c | 28 +++-
   1 file changed, 19 insertions(+), 9 deletions(-)
 
  diff --git a/src/lxc/conf.c b/src/lxc/conf.c
  index dec1c05..1af50e2 100644
  --- a/src/lxc/conf.c
  +++ b/src/lxc/conf.c
  @@ -2425,23 +2425,26 @@ static int instanciate_veth(struct lxc_handler 
  *handler, struct lxc_netdev *netd
return -1;
}
veth1 = mkifname(veth1buf);
  + if (!veth1) {
  + ERROR(failed to allocate a temporary name);
  + return -1;
  + }
/* store away for deconf */
memcpy(netdev-priv.veth_attr.veth1, veth1, IFNAMSIZ);
}
 
snprintf(veth2buf, sizeof(veth2buf), vethXX);
veth2 = mkifname(veth2buf);
  -
  - if (!strlen(veth1) || !strlen(veth2)) {
  + if (!veth2) {
ERROR(failed to allocate a temporary name);
  - return -1;
  + goto out_delete;
}
 
err = lxc_veth_create(veth1, veth2);
if (err) {
ERROR(failed to create %s-%s : %s, veth1, veth2,
  strerror(-err));
  - return -1;
  + goto out_delete;
}
 
/* changing the high byte of the mac address to 0xfe, the bridge 
  interface
  @@ -2500,6 +2503,10 @@ static int instanciate_veth(struct lxc_handler 
  *handler, struct lxc_netdev *netd
 
   out_delete:
lxc_netdev_delete_by_name(veth1);
  + if (!netdev-priv.veth_attr.pair  veth2)
 
  Did you mean to check for veth1 here?
 
 Ah yes, it's supposed to be veth1; do you want me to send a new version?

Sure, that'll be easiest (for me :).

thanks,
-serge

  + free(veth1);
  + if(veth2)
  + free(veth2);
return -1;
   }
 
  @@ -2537,7 +2544,7 @@ static int instanciate_macvlan(struct lxc_handler 
  *handler, struct lxc_netdev *n
return -1;
 
peer = mkifname(peerbuf);
  - if (!strlen(peer)) {
  + if (!peer) {
ERROR(failed to make a temporary name);
return -1;
}
  @@ -2547,27 +2554,30 @@ static int instanciate_macvlan(struct lxc_handler 
  *handler, struct lxc_netdev *n
if (err) {
ERROR(failed to create macvlan interface '%s' on '%s' : %s,
  peer, netdev-link, strerror(-err));
  - return -1;
  + goto out;
}
 
netdev-ifindex = if_nametoindex(peer);
if (!netdev-ifindex) {
ERROR(failed to retrieve the index for %s, peer);
  - lxc_netdev_delete_by_name(peer);
  - return -1;
  + goto out;
}
 
if (netdev-upscript) {
err = run_script(handler-name, net, netdev-upscript, 
  up,
 macvlan, netdev-link, (char*) NULL);
if (err)
  - return -1;
  + goto out;
}
 
DEBUG(instanciated macvlan '%s', index is '%d' and mode '%d',
  peer, netdev-ifindex, netdev-priv.macvlan_attr.mode);
 
return 0;
  +out:
  +lxc_netdev_delete_by_name(peer);
  +free(peer);
  + return -1;
   }
 
   static int shutdown_macvlan(struct lxc_handler *handler, struct 
  lxc_netdev *netdev)
  --
  1.8.3.2
 
 
 
 
 
 -- 
 S.Çağlar Onur cag...@10ur.org


Re: [lxc-devel] [PATCH] setup_netdev: re-read ifindex in LXC_NET_PHYS case

2013-11-14 Thread Serge Hallyn
Quoting Bogdan Purcareata (bogdan.purcare...@freescale.com):
 When moving an interface from the host netns to a container's,
 the ifindex might not remain the same. This happens when the
 index of the host interface is already assigned to another interface
 in the new netns.
 
 For veth/vlan/macvlan, virtual interfaces are first created on the host,
 and then moved in the container. Since they are created after all other
 interfaces are discovered, there is no chance for its assigned ifindex
 to be already present in a freshly created netns, because it's a greater
 number.
 
 However, when moving a physical interface, there is a chance that its
 ifindex in the host netns is not free in the new netns. The patch
 forces ifindex re-read for the LXC_NET_PHYS case to update the
 lxc_netdev structure.
 
 Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com

Thanks.  I wasn't ignoring your previous email, was rather still
considering :)

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

Though really, in this case we should skip the subsequent
index_to_name, but that's not needed for correctness.

 ---
  src/lxc/conf.c | 8 
  1 file changed, 8 insertions(+)
 
 diff --git a/src/lxc/conf.c b/src/lxc/conf.c
 index 6b3f318..08b0d0f 100644
 --- a/src/lxc/conf.c
 +++ b/src/lxc/conf.c
 @@ -1846,6 +1846,14 @@ static int setup_netdev(struct lxc_netdev *netdev)
   return 0;
   }
  
 + /* get the new ifindex in case of physical netdev */
 + if (netdev-type == LXC_NET_PHYS)
 + if (!(netdev-ifindex = if_nametoindex(netdev-link))) {
 + ERROR(failed to get ifindex for %s,
 + netdev-link);
 + return -1;
 + }
 +
   /* retrieve the name of the interface */
   if (!if_indextoname(netdev-ifindex, current_ifname)) {
   ERROR(no interface corresponding to index '%d',
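Review bot: The added `if (netdev-type == LXC_NET_PHYS)` wraps a second, braced `if` without braces of its own, which is the dangling-else shape the rest of the file avoids; folding the two into one condition, `if (netdev->type == LXC_NET_PHYS && !(netdev->ifindex = if_nametoindex(netdev->link))) {`, reads more clearly. `if_nametoindex` sets `errno` on failure, so reporting through `SYSERROR` (used elsewhere in this tree) instead of `ERROR` would record why the lookup failed. `setup_netdev` continues outside the hunk.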
 -- 
 1.7.11.7
 
 
 



Re: [lxc-devel] [PATCH] gather all locking related code into src/lxc/lxclock.c

2013-11-14 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Thanks.

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/lxclock.c | 74 
 +--
  src/lxc/lxclock.h |  3 +++
  src/lxc/utils.c   | 57 +-
  3 files changed, 65 insertions(+), 69 deletions(-)
 
 diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c
 index 3857ff0..64823d2 100644
 --- a/src/lxc/lxclock.c
 +++ b/src/lxc/lxclock.c
 @@ -31,6 +31,10 @@
  #include lxc/log.h
  #include lxc/lxccontainer.h
  
 +#ifdef MUTEX_DEBUGGING
 +#include execinfo.h
 +#endif
 +
  #define OFLAG (O_CREAT | O_RDWR)
  #define SEMMODE 0660
  #define SEMVALUE 1
 @@ -40,10 +44,55 @@ lxc_log_define(lxc_lock, lxc);
  
  #ifdef MUTEX_DEBUGGING
  pthread_mutex_t thread_mutex = PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP;
 +pthread_mutex_t static_mutex = PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP;
 +
 +inline void dump_stacktrace(void)
 +{
 + void *array[MAX_STACKDEPTH];
 + size_t size;
 + char **strings;
 + size_t i;
 +
 + size = backtrace(array, MAX_STACKDEPTH);
 + strings = backtrace_symbols(array, size);
 +
 + // Using fprintf here as our logging module is not thread safe
 + fprintf(stderr, \tObtained %zd stack frames.\n, size);
 +
 + for (i = 0; i  size; i++)
 + fprintf(stderr, \t\t%s\n, strings[i]);
 +
 + free (strings);
 +}
  #else
  pthread_mutex_t thread_mutex = PTHREAD_MUTEX_INITIALIZER;
 +pthread_mutex_t static_mutex = PTHREAD_MUTEX_INITIALIZER;
 +
 +inline void dump_stacktrace(void) {;}
  #endif
  
 +void lock_mutex(pthread_mutex_t *l)
 +{
 + int ret;
 +
 + if ((ret = pthread_mutex_lock(l)) != 0) {
 + fprintf(stderr, pthread_mutex_lock returned:%d %s, ret, 
 strerror(ret));
 + dump_stacktrace();
 + exit(1);
 + }
 +}
 +
 +void unlock_mutex(pthread_mutex_t *l)
 +{
 + int ret;
 +
 + if ((ret = pthread_mutex_unlock(l)) != 0) {
 + fprintf(stderr, pthread_mutex_lock returned:%d %s, ret, 
 strerror(ret));
 + dump_stacktrace();
 + exit(1);
 + }
 +}
 +
  static char *lxclock_name(const char *p, const char *n)
  {
   int ret;
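Review bot: The failure message in the new `unlock_mutex` still reads `pthread_mutex_lock returned:%d %s`, copied from `lock_mutex`, so an unlock failure would be reported as a lock failure; change it to `fprintf(stderr, "pthread_mutex_unlock returned:%d %s\n", ret, strerror(ret));` (neither message ends in a newline, so whatever is printed next runs onto the same line). `lock_mutex`, `unlock_mutex` and `dump_stacktrace` are defined with external linkage but get no prototype in the lxclock.h hunk; if nothing outside this file uses them, `static` keeps them out of the library's exported symbols, and `static inline` for `dump_stacktrace` also avoids the plain C99 `inline` definition, which needs an external definition elsewhere whenever a call is not inlined. In the debugging build `backtrace_symbols` can return NULL on allocation failure and the loop would then dereference it; an `if (!strings) return;` after the call covers that.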
 @@ -267,24 +316,23 @@ void lxc_putlock(struct lxc_lock *l)
  
  void process_lock(void)
  {
 - int ret;
 -
 - if ((ret = pthread_mutex_lock(thread_mutex)) != 0) {
 - ERROR(pthread_mutex_lock returned:%d %s, ret, strerror(ret));
 - dump_stacktrace();
 - exit(1);
 - }
 + lock_mutex(thread_mutex);
  }
  
  void process_unlock(void)
  {
 - int ret;
 + unlock_mutex(thread_mutex);
 +}
  
 - if ((ret = pthread_mutex_unlock(thread_mutex)) != 0) {
 - ERROR(pthread_mutex_unlock returned:%d %s, ret, 
 strerror(ret));
 - dump_stacktrace();
 - exit(1);
 - }
 +/* Protects static const values inside the lxc_global_config_value funtion */
 +void static_lock(void)
 +{
 + lock_mutex(static_mutex);
 +}
 +
 +void static_unlock(void)
 +{
 + unlock_mutex(static_mutex);
  }
  
  int container_mem_lock(struct lxc_container *c)
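Review bot: The comment added above `static_lock` has a typo, `funtion`; suggest `/* Protects static const values inside the lxc_global_config_value function */`. `process_lock`/`process_unlock` now report failures via `fprintf(stderr)` rather than `ERROR()`, which drops them from the configured log file; if that is deliberate because the logger is not thread-safe, a one-line comment on `lock_mutex` saying so would keep a later cleanup from switching it back.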
 diff --git a/src/lxc/lxclock.h b/src/lxc/lxclock.h
 index dcdf79d..12ba827 100644
 --- a/src/lxc/lxclock.h
 +++ b/src/lxc/lxclock.h
 @@ -87,6 +87,9 @@ extern void lxc_putlock(struct lxc_lock *l);
  
  extern void process_lock(void);
  extern void process_unlock(void);
 +extern void static_lock(void);
 +extern void static_unlock(void);
 +
  struct lxc_container;
  extern int container_mem_lock(struct lxc_container *c);
  extern void container_mem_unlock(struct lxc_container *c);
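Review bot: The new `static_lock`/`static_unlock` prototypes carry no comment on what they guard, unlike their definitions in lxclock.c; carrying the note over, e.g. `/* serialise access to the static values in lxc_global_config_value() */` above `static_lock`, tells callers when they are required to hold it. A line saying they must not be nested with `process_lock` (or stating the intended lock order, if any) would also help, since the two mutexes are independent.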
 diff --git a/src/lxc/utils.c b/src/lxc/utils.c
 index 4bc2c35..3fab9ae 100644
 --- a/src/lxc/utils.c
 +++ b/src/lxc/utils.c
 @@ -39,11 +39,6 @@
  #include sys/types.h
  #include sys/wait.h
  #include assert.h
 -#include pthread.h
 -
 -#ifdef MUTEX_DEBUGGING
 -#include execinfo.h
 -#endif
  
  #ifndef HAVE_GETLINE
  #ifdef HAVE_FGETLN
 @@ -59,57 +54,6 @@
  
  lxc_log_define(lxc_utils, lxc);
  
 -
 -#ifdef MUTEX_DEBUGGING
 -static pthread_mutex_t static_mutex = 
 PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP;
 -
 -inline void dump_stacktrace(void)
 -{
 - void *array[MAX_STACKDEPTH];
 - size_t size;
 - char **strings;
 - size_t i;
 -
 - size = backtrace(array, MAX_STACKDEPTH);
 - strings = backtrace_symbols(array, size);
 -
 - // Using fprintf here as our logging module is not thread safe
 - fprintf(stderr, \tObtained %zd stack frames.\n, size);
 -
 - for (i = 0; i  size; i++)
 - fprintf(stderr, \t\t%s\n, strings[i]);
 -
 - free (strings);
 -}
 -#else
 -static pthread_mutex_t static_mutex = PTHREAD_MUTEX_INITIALIZER;
 -
 -inline void dump_stacktrace(void) {;}
 -#endif
 -
 -/* Protects static const values inside the lxc_global_config_value funtion */
 -static void static_lock(void)
 -{
 - int ret;
 -
 - if ((ret = pthread_mutex_lock(static_mutex)) 

[lxc-devel] [PATCH 1/1] lxc-start: if we pass in a config file, then don't use any loaded config

2013-11-14 Thread Serge Hallyn
To do this, add a c-clear_config() helper to the api.

(this fixes the bug https://bugs.launchpad.net/bugs/1251352)

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/lxc_start.c|  1 +
 src/lxc/lxccontainer.c | 16 +++-
 src/lxc/lxccontainer.h |  2 ++
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
index add2542..fe859db 100644
--- a/src/lxc/lxc_start.c
+++ b/src/lxc/lxc_start.c
@@ -187,6 +187,7 @@ int main(int argc, char *argv[])
ERROR(Failed to create lxc_container);
return err;
}
+   c-clear_config(c);
if (!c-load_config(c, rcfile)) {
ERROR(Failed to load rcfile);
lxc_container_put(c);
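Review bot: The new `c->clear_config(c);` silently discards whatever configuration `lxc_container_new` may have loaded, and nothing on the line says why; a comment such as `/* rcfile was given explicitly: drop any config lxc_container_new() loaded so only rcfile applies */` would keep a reader from mistaking it for a leak fix. `main` continues outside the hunk.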
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 2a70bc7..3cabf0d 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1151,6 +1151,14 @@ out_error:
return true;
 }
 
+static void lxcapi_clear_config(struct lxc_container *c)
+{
+   if (c  c-lxc_conf) {
+   lxc_conf_free(c-lxc_conf);
+   c-lxc_conf = NULL;
+   }
+}
+
 static bool lxcapi_destroy(struct lxc_container *c);
 /*
  * lxcapi_create:
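Review bot: `lxcapi_clear_config` frees and nulls `c->lxc_conf` without taking `container_mem_lock(c)`, so a concurrent call on the same handle that reads `c->lxc_conf` would see freed memory; if the method is meant to be safe to call from the public API while other threads use the handle, its body should sit between `container_mem_lock(c)` and `container_mem_unlock(c)`, with the two internal callers in this commit using a lock-free inner helper if they already hold the lock. Whether those callers hold it is not visible in the hunk, so this is hedged. A brief comment on the function stating that only the in-memory configuration is released and the config file is untouched would also document the contract.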
@@ -1280,9 +1288,7 @@ static bool lxcapi_create(struct lxc_container *c, const 
char *t,
 
// now clear out the lxc_conf we have, reload from the created
// container
-   if (c-lxc_conf)
-   lxc_conf_free(c-lxc_conf);
-   c-lxc_conf = NULL;
+   lxcapi_clear_config(c);
 
if (t) {
if (!prepend_lxc_header(c-configfile, tpath, argv)) {
@@ -3093,8 +3099,7 @@ struct lxc_container *lxc_container_new(const char *name, 
const char *configpath
if (ongoing_create(c) == 2) {
ERROR(Error: %s creation was not completed, c-name);
lxcapi_destroy(c);
-   lxc_conf_free(c-lxc_conf);
-   c-lxc_conf = NULL;
+   lxcapi_clear_config(c);
}
 
// assign the member functions
@@ -3122,6 +3127,7 @@ struct lxc_container *lxc_container_new(const char *name, 
const char *configpath
c-createl = lxcapi_createl;
c-shutdown = lxcapi_shutdown;
c-reboot = lxcapi_reboot;
+   c-clear_config = lxcapi_clear_config;
c-clear_config_item = lxcapi_clear_config_item;
c-get_config_item = lxcapi_get_config_item;
c-get_cgroup_item = lxcapi_get_cgroup_item;
diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h
index 3a12372..57b8e78 100644
--- a/src/lxc/lxccontainer.h
+++ b/src/lxc/lxccontainer.h
@@ -85,6 +85,8 @@ struct lxc_container {
bool (*reboot)(struct lxc_container *c);
/* send SIGPWR.  if timeout is not 0 or -1, do a hard stop after 
timeout seconds */
bool (*shutdown)(struct lxc_container *c, int timeout);
+   /* completely clear a configuration */
+   void (*clear_config)(struct lxc_container *c);
/* clear all network or capability items in the in-memory configuration 
*/
bool (*clear_config_item)(struct lxc_container *c, const char *key);
/* print a config item to a in-memory string allocated by the caller.  
Return
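Review bot: The comment on the new `clear_config` member, `/* completely clear a configuration */`, does not say what "clear" covers; the implementation only frees `c->lxc_conf`, so `/* free the in-memory configuration and set lxc_conf to NULL; the config file on disk is not touched */` states the contract callers need. The surrounding members document their side effects the same way.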
-- 
1.8.3.2




Re: [lxc-devel] Rethinking lxc-info a bit

2013-11-13 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Hello,
 
 We recently got reports of the recent changes to lxc-info breaking
 existing scripts.

In my own case, I have a host with several containers where a backup
script uses 'lxc-info -n $container -p | awk ...' to get the init pid,
then rsyncs from /proc/$pid/root/$path to /decrypted_backup/$name/$path.
The fix was trivial (once diagnosed), but I don't know how many people
have scripts built into their infrastructure depending on this.

In the past, lxc-info -n www -p would have shown

pid: $pid

I always thought the 'pid:\t' was silly in that case.  OTOH, getting rid
of it now would, again, break existing scripts.

 While discussing those issues, I noticed a few points that I think are
 worth discussing and addressing, I'm going to postpone alpha3 until
 that's done as the current state of things would break quite a bunch of
 scripts.
 
 == confusing -n behaviour ==
 Since Dwight's last change, -n now accepts a regular expression, which I
 believe is the only case where it does. That seems fairly unintuitive
 and redundant with what lxc-list for example provides.

Is there anything which lxc-list would not suffice for?

 This also brought on the next problem.
 
 == change of behaviour when one of the filters is passed ==
 In the past, someone could do lxc-info -n p1 -p and trivially retrieve
 the PID.
 
 The new behaviour instead returns:
 Name:   p1
 Pid:19446
 
 Even though I didn't ask for the container's name. pid was also
 renamed to Pid, breaking anyone attempting to grep for the entry.
 
 == --state-is option is redundant ==
 The state-is option always seemed a bit odd to me, in fact, it's
 absolutely identical to lxc-wait -t 0 -n name -s STATE and I don't
 really think it has its place in lxc-info. I'd suggest we just remove it
 entirely (yes, that'll break some scripts).
 
 
 I'm sorry I didn't think about those problems when reviewing the recent
 changes to lxc-info, but hopefully it's not too late to correct some of
 that.
 
 
 So my suggestions for lxc-info in LXC 1.0 are:
  - Only support one container and make -n mandatory, fail with an error
if the container can't be found.
  - Drop --state-is entirely and tell anyone who used it to use lxc-wait
instead.
  - Only print Name: if none of the filters are passed
  - Make the combination of -H + a single filter only return that value,
so that lxc-info -n p1 -P -H will just return 19446 without any
formatting. Recommend doing that to anyone parsing lxc-info's output.

Sounds good to me.

Perhaps we should have a transition guide for 1.0?  Where would that
belong?

  - Have -H also apply to the general formatting, simply printing key:
value when passed.
 
 
 With those done, there will still be breakage for users of alpha2
 upgrading to alpha3, but that should at least ensure no more surprises
 after that point and a more script friendly command.
 
 
 Thoughts?
 
 -- 
 Stéphane Graber
 Ubuntu developer
 http://www.ubuntu.com








Re: [lxc-devel] [PATCH] Protect global variables in log module via mutex

2013-11-12 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Hi Serge,
 
 On Mon, Nov 11, 2013 at 4:04 PM, Serge Hallyn serge.hal...@ubuntu.com wrote:
  Quoting S.Çağlar Onur (cag...@10ur.org):
  Log module contains multiple global variables so protect them introducing 
  a new mutex and serialize accessing log functions.
  Also gather all locking related code into src/lxc/lxclock.c
 
  Signed-off-by: S.Çağlar Onur cag...@10ur.org
 
  Really the log stuff should be re-thought.  What should happen right
  now if two threads both call lxcapi_start() on containers with
  lxc.logfile entries?  Perhaps we need two sets of log info.  One for
  the program being used, and one for the running container.  Anything
  done after src/lxc/start.c:lxc_start() logs to the container log info -
  that's anyhthing relating to container setup, container monitor stuff,
  hooks, and the running of the container.  Anything else is done to
  the global log info - as that'll be shared by all threads.
 
 Agreed.
 
  Hopefully someone finds this interesting enough to write a patch :)
 
  In the meantime - the infrastructure of this patch seems good, but
  I don't think it really achieves protection of those variables.
  log_fname and lxc_log_fd especially, because __lxc_log_set_file()
  can close/free them concurrent with other __lxc_log_set_file()
  runs and concurrent with lxc_log_get_file().
 
  What do you think would be the best way to achieve that?
 
 Hmmm just an idea without giving lots of thought but considering the

Sorry, by 'to achieve that' i just meant to actually protect
log_fname and lxc_log_fd from stale accesses from another
thread after one thread has freed/closed them.  But,

 objective above what about storing those variables in container
 struct, adding a new method to API like c-log(c, MESSAGE, LEVEL) (or
 some helpers like APIERROR(c, MESSAGE), APIWARNING etc) and re-using
 parts of the log module there.
 
 Come to think of it, do we really need to have a global/shared logging
 at all? What do you think about making the whole logging thing
 container-specific?

That would solve the problem altogether :)  (Well, once we make sure
to access them only from under container_mem_lock()).

The first problem is that there are things that are done without us
being in the context of a container - especially when we're setting
up to create a container, or trying to get info about a container which
is not defined.

The second problem is that INFO(), ERROR() and friends will need to be
redefined to find the per-container logging info, which could be tough.

But I'll definitely look at any patch trying to solve this.

-serge



Re: [lxc-devel] [PATCH] fix multithreaded create()

2013-11-12 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
 We were calling save_config() twice within the create() flow, each
 from a different process. Depending on order of scheduling, sometimes
 the data from the first save_config() (which was just the stuff from
 LXC_DEFAULT_CONFIG) would overwrite the config we wanted (the full
 config), causing a truncated config file which would then cause lxc
 to segfault once it read it back in because no rootfs.path was set.
 
 This fixes it by only calling save_config() once in the create()
 flow. A rejected alternative was to call fsync(fileno(fout)) before
 the fclose in save_config.
 
 Signed-off-by: Dwight Engen dwight.en...@oracle.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/lxccontainer.c | 20 
  1 file changed, 12 insertions(+), 8 deletions(-)
 
 diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
 index c7b2f5e..05ca643 100644
 --- a/src/lxc/lxccontainer.c
 +++ b/src/lxc/lxccontainer.c
 @@ -1192,16 +1192,19 @@ static bool lxcapi_create(struct lxc_container *c, 
 const char *t,
   if (lxcapi_is_defined(c)  c-lxc_conf  c-lxc_conf-rootfs.path 
   access(c-lxc_conf-rootfs.path, F_OK) == 0  tpath) {
   ERROR(Container %s:%s already exists, c-config_path, 
 c-name);
 - free(tpath);
 - return false;
 + goto free_tpath;
   }
  
 - /* Save the loaded configuration to disk */
 - if (!c-save_config(c, NULL)) {
 - ERROR(failed to save starting configuration for %s\n, 
 c-name);
 - goto out;
 + if (!c-lxc_conf) {
 + if (!c-load_config(c, LXC_DEFAULT_CONFIG)) {
 + ERROR(Error loading default configuration file %s\n, 
 LXC_DEFAULT_CONFIG);
 + goto free_tpath;
 + }
   }
  
 + if (!create_container_dir(c))
 + goto free_tpath;
 +
   /*
* either template or rootfs.path should be set.
* if both template and rootfs.path are set, template is setup as 
 rootfs.path.
 @@ -1290,10 +1293,11 @@ out_unlock:
   if (partial_fd = 0)
   remove_partial(c, partial_fd);
  out:
 - if (tpath)
 - free(tpath);
   if (!ret  c)
   lxcapi_destroy(c);
 +free_tpath:
 + if (tpath)
 + free(tpath);
   return ret;
  }
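Review bot: The `if (tpath)` guard under the new `free_tpath:` label is redundant, since `free(NULL)` is a no-op; a bare `free(tpath);` reads cleaner and matches the unconditional cleanup at the other labels. The fall-through from `out:` into `free_tpath:` is correct but worth a one-line comment such as `/* falls through to free_tpath */` so a later edit does not slip a return between them. lxcapi_create's body starts outside the hunk.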
  
 -- 
 1.8.3.1
 
 



Re: [lxc-devel] [PATCH] lxc-ubuntu*: Mark non-essential mounts optional

2013-11-12 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  templates/lxc-ubuntu-cloud.in | 6 +++---
  templates/lxc-ubuntu.in   | 6 +++---
  2 files changed, 6 insertions(+), 6 deletions(-)
 
 diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in
 index 41f1c70..aeadc2d 100644
 --- a/templates/lxc-ubuntu-cloud.in
 +++ b/templates/lxc-ubuntu-cloud.in
 @@ -118,9 +118,9 @@ EOF
  cat EOF  $path/fstab
  procproc procnodev,noexec,nosuid 0 0
  sysfs   sys  sysfs defaults  0 0
 -/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0
 -/sys/kernel/debug sys/kernel/debug none bind 0 0
 -/sys/kernel/security sys/kernel/security none bind 0 0
 +/sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 +/sys/kernel/debug sys/kernel/debug none bind,optional 0 0
 +/sys/kernel/security sys/kernel/security none bind,optional 0 0
  /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
  EOF
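Review bot: Adding `optional` to the `/sys/fs/fuse/connections`, `/sys/kernel/debug` and `/sys/kernel/security` lines changes only what happens when the bind mount fails; it does not narrow what the container sees when it succeeds, and nothing in the generated fstab says why these are best-effort. A comment line in the heredoc, `# optional: non-essential, the container still starts if these cannot be mounted`, would preserve the rationale for whoever edits the template next. The same applies to the lxc-ubuntu.in hunk below. Whether the surviving bind mounts end up read-only depends on the host mount flags, which this file does not set, so it is worth confirming that `ro` is not wanted on them.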
  
 diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
 index 9423f0f..3e296d8 100644
 --- a/templates/lxc-ubuntu.in
 +++ b/templates/lxc-ubuntu.in
 @@ -427,9 +427,9 @@ EOF
  cat EOF  $path/fstab
  procproc procnodev,noexec,nosuid 0 0
  sysfs   sys  sysfs defaults  0 0
 -/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0
 -/sys/kernel/debug sys/kernel/debug none bind 0 0
 -/sys/kernel/security sys/kernel/security none bind 0 0
 +/sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0
 +/sys/kernel/debug sys/kernel/debug none bind,optional 0 0
 +/sys/kernel/security sys/kernel/security none bind,optional 0 0
  /sys/fs/pstore sys/fs/pstore none bind,optional 0 0
  EOF
  
 -- 
 1.8.4.3
 
 



Re: [lxc-devel] [PATCH] add process_lock()/unlock() in save_config()

2013-11-12 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
 On Tue, 12 Nov 2013 14:42:54 -0600
 Serge Hallyn serge.hal...@ubuntu.com wrote:
 
  Quoting Dwight Engen (dwight.en...@oracle.com):
   This is likely unnecessary, but is consistent with other uses of
   fopen()/fclose() in lxc.
   
   Signed-off-by: Dwight Engen dwight.en...@oracle.com
  
  Do you think, regardless of your other fix, that it would still be
  worth adding an fsync?
 
 Hmm, good question. I guess it's possible lxcapi_save_config() could be
 called by two different user processes for the same container and we'd

They'd be protected by container_mem_lock(), but I think you've shown
that's not enough.

Which might mean that what we need is to always fsync c-configfile
at end of container_mem_lock()...

 wind up with a similar situation. Seems like we're trying to use the
 disk lock to protect against that, but it wasn't enough so maybe we do
 need the fflush and fsync in there too. I think I'd have to write a
 test to show the corruption and also then that the fflush and fsync
 fixes it like it did for the create() flow to convince myself :)
 
  
  Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com
  
   ---
src/lxc/lxccontainer.c | 4 
1 file changed, 4 insertions(+)
   
   diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
   index ede0113..c7b2f5e 100644
   --- a/src/lxc/lxccontainer.c
   +++ b/src/lxc/lxccontainer.c
   @@ -1696,11 +1696,15 @@ static bool lxcapi_save_config(struct
   lxc_container *c, const char *alt_file) if (lret)
 return false;

   + process_lock();
 fout = fopen(alt_file, w);
   + process_unlock();
 if (!fout)
 goto out;
 write_config(fout, c-lxc_conf);
   + process_lock();
 fclose(fout);
   + process_unlock();
 ret = true;

out:
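Review bot: The return value of `fclose(fout)` is still ignored before `ret = true`, so a write that fails at flush time (ENOSPC, EIO) reports success and leaves exactly the truncated config this thread is worried about. Check it inside the same locked section, e.g. `process_lock(); ret = (fclose(fout) == 0); process_unlock();`, and log with SYSERROR when it is false. Whether `write_config` reports its own errors is not visible here. lxcapi_save_config's body starts and ends outside the hunk.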
   -- 
   1.8.3.1
   
   
 



Re: [lxc-devel] [PATCH] add process_lock()/unlock() in save_config()

2013-11-12 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
 On Tue, 12 Nov 2013 14:42:54 -0600
 Serge Hallyn serge.hal...@ubuntu.com wrote:
 
  Quoting Dwight Engen (dwight.en...@oracle.com):
   This is likely unnecessary, but is consistent with other uses of
   fopen()/fclose() in lxc.
   
   Signed-off-by: Dwight Engen dwight.en...@oracle.com
  
  Do you think, regardless of your other fix, that it would still be
  worth adding an fsync?
 
 Hmm, good question. I guess it's possible lxcapi_save_config() could be
 called by two different user processes for the same container and we'd
 wind up with a similar situation. Seems like we're trying to use the
 disk lock to protect against that,

Heh, yeah, that too.  Even worse.

...but it wasn't enough so maybe we do



Re: [lxc-devel] [PATCH] Protect global variables in log module via mutex

2013-11-11 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 The log module contains multiple global variables, so protect them by introducing a
 new mutex and serializing access to the log functions.
 Also gather all locking related code into src/lxc/lxclock.c
 
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Really the log stuff should be re-thought.  What should happen right
now if two threads both call lxcapi_start() on containers with
lxc.logfile entries?  Perhaps we need two sets of log info.  One for
the program being used, and one for the running container.  Anything
done after src/lxc/start.c:lxc_start() logs to the container log info -
that's anything relating to container setup, container monitor stuff,
hooks, and the running of the container.  Anything else is done to
the global log info - as that'll be shared by all threads.

Hopefully someone finds this interesting enough to write a patch :)

In the meantime - the infrastructure of this patch seems good, but
I don't think it really achieves protection of those variables.
log_fname and lxc_log_fd especially, because __lxc_log_set_file()
can close/free them concurrent with other __lxc_log_set_file()
runs and concurrent with lxc_log_get_file().

What do you think would be the best way to achieve that?

 ---
  src/lxc/log.c | 16 ++
  src/lxc/log.h |  4 +++
  src/lxc/lxclock.c | 87 
 ++-
  src/lxc/lxclock.h |  5 
  src/lxc/utils.c   | 57 +---
  5 files changed, 100 insertions(+), 69 deletions(-)
 
 diff --git a/src/lxc/log.c b/src/lxc/log.c
 index d6ce361..8a5c511 100644
 --- a/src/lxc/log.c
 +++ b/src/lxc/log.c
 @@ -265,11 +265,15 @@ static int __lxc_log_set_file(const char *fname, int 
 create_dirs)
   return -1;
   }
  
 + log_lock();
   lxc_log_fd = log_open(fname);
 + log_unlock();
   if (lxc_log_fd == -1)
   return -1;
  
 + log_lock();
   log_fname = strdup(fname);
 + log_unlock();
   return 0;
  }
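Review bot: `lxc_log_fd` and `log_fname` are updated in two separate critical sections, with the `lxc_log_fd == -1` test between them done unlocked, so a reader holding log_lock() can observe the new descriptor paired with the old name, and a second set_file can interleave between the two stores. One section around both assignments (take the lock before `log_open`, release it after `log_fname = strdup(fname)`) keeps the pair consistent; the unlock then also has to happen on the `-1` return path. The lxc_log_init hunk below has the same store-by-store shape, publishing `lxc_priority` under one lock and copying it into `lxc_log_category_lxc.priority` under another. `strdup` can return NULL, which the context line leaves unchecked. __lxc_log_set_file begins outside the hunk.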
  
 @@ -306,15 +310,19 @@ extern int lxc_log_init(const char *name, const char 
 *file,
   return -1;
   }
  
 + log_lock();
   lxc_loglevel_specified = 1;
   lxc_priority = lxc_log_priority_to_int(priority);
 + log_unlock();
   }
  
 + log_lock();
   lxc_log_category_lxc.priority = lxc_priority;
   lxc_log_category_lxc.appender = log_appender_logfile;
  
   if (!quiet)
   lxc_log_category_lxc.appender-next = log_appender_stderr;
 + log_unlock();
  
   if (prefix)
   lxc_log_set_prefix(prefix);
 @@ -322,7 +330,9 @@ extern int lxc_log_init(const char *name, const char 
 *file,
   if (file) {
   if (strcmp(file, none) == 0)
   return 0;
 + log_lock();
   lxc_logfile_specified = 1;
 + log_unlock();
   ret = __lxc_log_set_file(file, 1);
   } else {
   ret = -1;
 @@ -368,8 +378,10 @@ extern int lxc_log_set_level(int level)
   ERROR(invalid log priority %d, level);
   return -1;
   }
 + log_lock();
   lxc_loglevel_specified = 1;
   lxc_log_category_lxc.priority = level;
 + log_unlock();
   return 0;
  }
  
 @@ -397,7 +409,9 @@ extern int lxc_log_set_file(const char *fname)
  {
   if (lxc_logfile_specified)
   return 0;
 + log_lock();
   lxc_logfile_specified = 1;
 + log_unlock();
   return __lxc_log_set_file(fname, 0);
  }
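Review bot: The `if (lxc_logfile_specified) return 0;` test runs before log_lock() is taken, so two threads can both read 0, both set the flag and both call __lxc_log_set_file; the lock serializes only the store, not the check-then-act. Take the lock before the test and release it on the early-return path as well.
```c
extern int lxc_log_set_file(const char *fname)
{
	log_lock();
	if (lxc_logfile_specified) {
		log_unlock();
		return 0;
	}
	lxc_logfile_specified = 1;
	log_unlock();
	return __lxc_log_set_file(fname, 0);
}
```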
  
 @@ -408,8 +422,10 @@ extern const char *lxc_log_get_file(void)
  
  extern void lxc_log_set_prefix(const char *prefix)
  {
 + log_lock();
   strncpy(log_prefix, prefix, sizeof(log_prefix));
   log_prefix[sizeof(log_prefix) - 1] = 0;
 + log_unlock();
  }
  
  extern const char *lxc_log_get_prefix(void)
 diff --git a/src/lxc/log.h b/src/lxc/log.h
 index d3c40fb..59e8dd6 100644
 --- a/src/lxc/log.h
 +++ b/src/lxc/log.h
 @@ -30,6 +30,8 @@
  #include string.h
  #include stdbool.h
  
 +#include lxclock.h
 +
  #ifndef O_CLOEXEC
  #define O_CLOEXEC 0200
  #endif
 @@ -183,6 +185,7 @@ static inline void LXC_##PRIORITY(struct lxc_log_locinfo 
 *,   \
  static inline void LXC_##PRIORITY(struct lxc_log_locinfo* locinfo,   \
 const char* format, ...)  \
  {\
 + log_lock(); \
   if (lxc_log_priority_is_enabled(acategory,  \
   LXC_LOG_PRIORITY_##PRIORITY)) { \
   struct lxc_log_event evt = {\
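Review bot: `log_lock()` is now taken at the top of every LXC_##PRIORITY inline and, judging by the matching unlock sitting outside this hunk, held across `__lxc_log` and the appenders. If the mutex behind log_lock() is not recursive (lxclock.c is not in view), any ERROR()/WARN() issued while the lock is already held — from an appender, or from any helper called under it — deadlocks instead of logging. Holding it only around the reads of the shared fields, or snapshotting `lxc_log_fd` and the priority under the lock and doing the write outside it, avoids that and keeps file I/O out of the critical section. The function continues past the hunk.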
 @@ -200,6 +203,7 @@ static inline void LXC_##PRIORITY(struct lxc_log_locinfo* 
 locinfo,\
   __lxc_log(acategory, evt); \
   va_end(va_ref); 

Re: [lxc-devel] [PATCH] add modes argument to lxc-test-concurrent

2013-11-08 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
 - This allows testing independently the modes with/without threading
 
 Signed-off-by: Dwight Engen dwight.en...@oracle.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/tests/concurrent.c | 34 +-
  1 file changed, 25 insertions(+), 9 deletions(-)
 
 diff --git a/src/tests/concurrent.c b/src/tests/concurrent.c
 index 16e93d6..76fae87 100644
 --- a/src/tests/concurrent.c
 +++ b/src/tests/concurrent.c
 @@ -36,6 +36,7 @@ static struct option options[] = {
  { iterations,  required_argument, NULL, 'i' },
  { template,required_argument, NULL, 't' },
  { delay,   required_argument, NULL, 'd' },
 +{ modes,   required_argument, NULL, 'm' },
  { quiet,   no_argument,   NULL, 'q' },
  { help,no_argument,   NULL, '?' },
  { 0, 0, 0, 0 },
 @@ -44,13 +45,14 @@ static struct option options[] = {
  static void usage(void) {
  fprintf(stderr, Usage: lxc-test-concurrent [OPTION]...\n\n
  Common options :\n
 -  -j, --threads=N  Threads to run concurrently\n
 -   (default: 5, use 1 for no threading)\n
 -  -i, --iterations=N   Number times to run the test (default: 1)\n
 -  -t, --template=t Template to use (default: busybox)\n
 -  -d, --delay=NDelay in seconds between start and stop\n
 -  -q, --quiet  Don't produce any output\n
 -  -?, --help   Give this help list\n
 +  -j, --threads=N  Threads to run concurrently\n
 +   (default: 5, use 1 for no 
 threading)\n
 +  -i, --iterations=N   Number times to run the test 
 (default: 1)\n
 +  -t, --template=t Template to use (default: busybox)\n
 +  -d, --delay=NDelay in seconds between start and 
 stop\n
 +  -m, --modes=mode,mode,...  Modes to run (create, start, stop, 
 destroy)\n
 +  -q, --quiet  Don't produce any output\n
 +  -?, --help   Give this help list\n
  \n
  Mandatory or optional arguments to long options are also mandatory 
 or optional\n
  for any corresponding short options.\n\n);
 @@ -135,11 +137,12 @@ int main(int argc, char *argv[]) {
  pthread_t *threads;
  struct thread_args *args;
  
 -char *modes[] = {create, start, stop, destroy, NULL};
 +char *modes_default[] = {create, start, stop, destroy, NULL};
 +char **modes = modes_default;
  
  pthread_attr_init(attr);
  
 -while ((opt = getopt_long(argc, argv, j:i:t:d:q, options, NULL)) != 
 -1) {
 +while ((opt = getopt_long(argc, argv, j:i:t:d:m:q, options, NULL)) != 
 -1) {
  switch(opt) {
  case 'j':
  nthreads = atoi(optarg);
 @@ -156,6 +159,19 @@ int main(int argc, char *argv[]) {
  case 'q':
  quiet = 1;
  break;
 +case 'm': {
 +char *mode_tok, *tok, *saveptr;
 +
 +modes = NULL;
 +for (i = 0, mode_tok = optarg;
 + (tok = strtok_r(mode_tok, ,, saveptr));
 +i++, mode_tok = NULL) {
 +modes = realloc(modes, sizeof(*modes) * (i+2));
 +modes[i] = tok;
 + }
 +modes[i] = NULL;
 +break;
 + }
  default: /* '?' */
  usage();
  exit(EXIT_FAILURE);
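Review bot: `modes = realloc(modes, sizeof(*modes) * (i+2));` assigns the result straight back, so on failure the previous array leaks and the next line dereferences NULL; a repeated `-m` also leaks the array built by the first one. Use a temporary, `char **tmp = realloc(modes, sizeof(*modes) * (i+2)); if (!tmp) { perror("realloc"); exit(EXIT_FAILURE); } modes = tmp;`, and free the previous `modes` (when it is not `modes_default`) before parsing again. `tok` points into `optarg`, which is fine since argv outlives main. main's body continues outside the hunk.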
 -- 
 1.8.3.1
 



Re: [lxc-devel] [PATCH] replace redundant creat() with open()

2013-11-08 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 creat() is equivalent to open() with flags equal to O_CREAT|O_WRONLY|O_TRUNC

Hi,

I'm confused - what is redundant in the use of creat()?  If there is an
improvement here then I don't understand what it is.  Otherwise I'd
argue creat() is more concise and clearer about its intent.

 Signed-off-by: S.Çağlar Onur cag...@10ur.org
 ---
  src/lxc/bdev.c  | 2 +-
  src/lxc/conf.c  | 6 +++---
  src/lxc/lxc_start.c | 2 +-
  3 files changed, 5 insertions(+), 5 deletions(-)
 
 diff --git a/src/lxc/bdev.c b/src/lxc/bdev.c
 index c7e5e5e..0194ccd 100644
 --- a/src/lxc/bdev.c
 +++ b/src/lxc/bdev.c
 @@ -1594,7 +1594,7 @@ static int do_loop_create(const char *path, unsigned 
 long size, const char *fsty
   int fd, ret;
   // create the new loopback file.
   process_lock();
 - fd = creat(path, S_IRUSR|S_IWUSR);
 + fd = open(path, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR|S_IWUSR);
   process_unlock();
   if (fd  0)
   return -1;
 diff --git a/src/lxc/conf.c b/src/lxc/conf.c
 index a756731..dc34568 100644
 --- a/src/lxc/conf.c
 +++ b/src/lxc/conf.c
 @@ -909,7 +909,7 @@ static int setup_tty(const struct lxc_rootfs *rootfs,
   return -1;
   }
   process_lock();
 - ret = creat(lxcpath, 0660);
 + ret = open(lxcpath, O_CREAT|O_WRONLY|O_TRUNC, 0660);
   process_unlock();
   if (ret==-1  errno != EEXIST) {
   SYSERROR(error creating %s\n, lxcpath);
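Review bot: Spelling the flags out makes the dead check on the following line visible: without `O_EXCL`, `open(path, O_CREAT|O_WRONLY|O_TRUNC, ...)` never fails with EEXIST, so `ret==-1 && errno != EEXIST` is just `ret==-1`, and an existing file is silently truncated rather than left alone. Either `O_EXCL` is meant (create-only, with EEXIST the benign case) or the `errno != EEXIST` clause should go; the setup_ttydir_console hunk and the ensure_path hunk in lxc_start.c carry the same pattern. If these paths sit under a container-writable rootfs — setup_tty takes the rootfs, but the path construction is outside the hunk — `O_NOFOLLOW` keeps the truncate from following a symlink placed there. The enclosing function starts and ends outside the hunk.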
 @@ -945,7 +945,7 @@ static int setup_tty(const struct lxc_rootfs *rootfs,
   /* If we populated /dev, then we need to create 
 /dev/ttyN */
   if (access(path, F_OK)) {
   process_lock();
 - ret = creat(path, 0660);
 + ret = open(path, O_CREAT|O_WRONLY|O_TRUNC, 
 0660);
   process_unlock();
   if (ret==-1) {
   SYSERROR(error creating %s\n, path);
 @@ -1546,7 +1546,7 @@ static int setup_ttydir_console(const struct lxc_rootfs 
 *rootfs,
   }
  
   process_lock();
 - ret = creat(lxcpath, 0660);
 + ret = open(lxcpath, O_CREAT|O_WRONLY|O_TRUNC, 0660);
   process_unlock();
   if (ret==-1  errno != EEXIST) {
   SYSERROR(error %d creating %s\n, errno, lxcpath);
 diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
 index add2542..f8fc6d4 100644
 --- a/src/lxc/lxc_start.c
 +++ b/src/lxc/lxc_start.c
 @@ -62,7 +62,7 @@ static int ensure_path(char **confpath, const char *path)
  
   if (path) {
   if (access(path, W_OK)) {
 - fd = creat(path, 0600);
 + fd = open(path, O_CREAT|O_WRONLY|O_TRUNC, 0600);
   if (fd  0  errno != EEXIST) {
   SYSERROR(failed to create '%s', path);
   goto err;
 -- 
 1.8.3.2
 
 



Re: [lxc-devel] [PATCH] lxc_user_nic: remove duplicate code

2013-11-07 Thread Serge Hallyn
Quoting Qiang Huang (h.huangqi...@huawei.com):
 It's a duplicate of util.h.
 
 Signed-off-by: Qiang Huang h.huangqi...@huawei.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

Yup, thanks.  Stéphane had already mentioned it.  I had put the
setns bit in there while trying to figure out why SYS_setns
was coming up undefined, and failed to remove it when this did
not fix it...

 ---
  src/lxc/lxc_user_nic.c | 20 
  1 file changed, 20 deletions(-)
 
 diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
 index dc35e55..e4f59fa 100644
 --- a/src/lxc/lxc_user_nic.c
 +++ b/src/lxc/lxc_user_nic.c
 @@ -49,25 +49,6 @@
  #include config.h
  #include utils.h
 
 -#ifndef HAVE_GETLINE
 -#ifdef HAVE_FGETLN
 -#include ../include/getline.h
 -#endif
 -#endif
 -
 -/* Define setns() if missing from the C library */
 -#ifndef HAVE_SETNS
 -static inline int setns(int fd, int nstype)
 -{
 -#ifdef __NR_setns
 - return syscall(__NR_setns, fd, nstype);
 -#else
 - errno = ENOSYS;
 - return -1;
 -#endif
 -}
 -#endif
 -
  #if ISTEST
  #define CONF_FILE /tmp/lxc-usernet
  #define DB_FILE /tmp/nics
 @@ -76,7 +57,6 @@ static inline int setns(int fd, int nstype)
  #define DB_FILE LXC_USERNIC_DB
  #endif
 
 -
  #include nl.h
 
  #ifndef IFLA_LINKMODE
 -- 
 1.8.3
 



Re: [lxc-devel] [PATCH] coverity 1126129: don't try to print c-name when c is NULL

2013-11-06 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
 I accidentally introduced this with the change to lxc-info (commit
 b9d957c3).
 
 Signed-off-by: Dwight Engen dwight.en...@oracle.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/lxc_info.c | 4 +---
  1 file changed, 1 insertion(+), 3 deletions(-)
 
 diff --git a/src/lxc/lxc_info.c b/src/lxc/lxc_info.c
 index ba43f37..6c35bbb 100644
 --- a/src/lxc/lxc_info.c
 +++ b/src/lxc/lxc_info.c
 @@ -255,10 +255,8 @@ static int print_info(const char *name, const char 
 *lxcpath)
   struct lxc_container *c;
  
   c = lxc_container_new(name, lxcpath);
 - if (!c) {
 - fprintf(stderr, Insufficent privileges to control %s\n, 
 c-name);
 + if (!c)
   return -1;
 - }
  
   if (!c-may_control(c)) {
   fprintf(stderr, Insufficent privileges to control %s\n, 
 c-name);
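Review bot: The `if (!c) return -1;` path now exits with no diagnostic at all, while the other failure paths in print_info print to stderr; since `name` is valid here, `fprintf(stderr, "Failed to open container %s\n", name);` before the return keeps the user-facing behaviour consistent without touching `c`. print_info's body continues outside the hunk.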
 -- 
 1.8.3.1
 
 



Re: [lxc-devel] CLONE_PARENT after setns(CLONE_NEWPID)

2013-11-06 Thread Serge Hallyn
Quoting Oleg Nesterov (o...@redhat.com):
 Hi Serge,
 
 On 11/06, Serge Hallyn wrote:
 
  Hi Oleg,
 
  commit 40a0d32d1eaffe6aac7324ca92604b6b3977eb0e :
  fork: unify and tighten up CLONE_NEWUSER/CLONE_NEWPID checks
  breaks lxc-attach in 3.12.  That code forks a child which does
  setns() and then does a clone(CLONE_PARENT).  That way the
  grandchild can be in the right namespaces (which the child was
  not) and be a child of the original task, which is the monitor.
 
 Thanks...
 
 Yes, this is what 40a0d32d1ea explicitly tries to disallow.
 
  Is there a real danger in allowing CLONE_PARENT
  when current-nsproxy-pidns_for_children is not our pidns,
  or was this done out of an over-abundance of caution?
 
 I am not sure... This all was based on the long discussion, and
 it was decided that the CLONE_PARENT check should be consistent
 wrt CLONE_NEWPID and pidns_for_children != task_active_pid_ns().

So apart from peers seeing the new task as having pid 0, and
sigchild going to the grandparent, are there any other side
effects?  Is ptrace an issue?  (I took a quick look but it
doesn't seem like it)

If not, then I very much think we should continue to allow this.

-serge



Re: [lxc-devel] CLONE_PARENT after setns(CLONE_NEWPID)

2013-11-06 Thread Serge Hallyn
Quoting Eric W. Biederman (ebied...@xmission.com):
 Oleg Nesterov o...@redhat.com writes:
 
  Hi Serge,
 
  On 11/06, Serge Hallyn wrote:
 
  Hi Oleg,
 
  commit 40a0d32d1eaffe6aac7324ca92604b6b3977eb0e :
  fork: unify and tighten up CLONE_NEWUSER/CLONE_NEWPID checks
  breaks lxc-attach in 3.12.  That code forks a child which does
  setns() and then does a clone(CLONE_PARENT).  That way the
  grandchild can be in the right namespaces (which the child was
  not) and be a child of the original task, which is the monitor.
 
 Serge that is a clever trick to get around the limitation that we can
 not change the pid namespace of our current process.  Given the
 challenging relaying of signals etc I can see why you would use this.
 
 At the same time it makes me a little sad to see new users of
 CLONE_PARENT.  With CLONE_THREAD in existence the original reasons for
 CLONE_PARENT are gone now.
 
 Having used bash as an init process I know it can handle unexpected
 children.  However using CLONE_PARENT in this way still seems a little
 dodgy.  Or am I misunderstanding why you are using CLONE_PARENT?

FWIW Christian (cc:d from the start) was the author of that code, so he
can correct me if i mis-speak, but IIUC the design is:

1. pid X is the first process running lxc-attach.  It will be a monitor
for the process which is entered into the container

2. pid X forks pid Y, which does setns().  Now if it is setns()ing into
a pidns, it won't itself be in the new pidns, which is not satisfactory.
So

3. pid Y clones pid Z with CLONE_PARENT.  Y exits.  Z continues, as a
full member of the container, and a child of the monitor process.

So yes, as you said it's exactly to work around the fact that pid Y
can't change its own pidns.

-serge



Re: [lxc-devel] [PATCH 1/1] resolve lxcpath and rcfile arguments

2013-11-05 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
 On Mon, Nov 04, 2013 at 02:44:44PM -0600, Serge Hallyn wrote:
  So we don't always have to give full paths.
  
  realpath(x,NULL) mallocs memory, but these paths shouldn't get called
  from the API so not freeing should be ok.
  
 
 What's the reason behind this change?

Simply that as I test unprivileged lxc I'm having to do

lxc-create -t ubuntu-cloud -P /home/serge/lxcbase -f 
/home/serge/lxc.conf -n a1 -- -r saucy
lxc-start -P /home/serge/lxcbase -n a1
lxc-stop -P /home/serge/lxcbase -n a1 -K

and it gets a bit old.  But maybe (in the fresh light of morning) I'm better
off adding a per-user lxc.conf file that specifies default lxcpath and
lxc.conf to use.

 Am I reading this right that this will only affect cases where -P is
 passed and that the default value won't be resolved?
 
 In any case, I suspect this change is incomplete since we also support
 -P in some of the python tools which wouldn't be resolved, leading to
 lxc-info and others to fail to find the container (if for example
 /var/lib/lxc is a symlink to say /data/containers).
 
 
  Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
  ---
   src/lxc/arguments.c   |  9 -
   src/lxc/lxc_execute.c | 10 +++---
   src/lxc/lxc_start.c   |  9 +
   3 files changed, 24 insertions(+), 4 deletions(-)
  
  diff --git a/src/lxc/arguments.c b/src/lxc/arguments.c
  index adcf8fe..65b2284 100644
  --- a/src/lxc/arguments.c
  +++ b/src/lxc/arguments.c
  @@ -155,6 +155,7 @@ See the %s man page for further information.\n\n,
   static int lxc_arguments_lxcpath_add(struct lxc_arguments *args,
   const char *lxcpath)
   {
  +   char *resolved_path = NULL;
  if (args-lxcpath_additional != -1 
  args-lxcpath_cnt  args-lxcpath_additional) {
  fprintf(stderr, This command only accepts %d -P,--lxcpath 
  arguments\n,
  @@ -168,7 +169,13 @@ static int lxc_arguments_lxcpath_add(struct 
  lxc_arguments *args,
  lxc_error(args, no memory);
  return -ENOMEM;
  }
  -   args-lxcpath[args-lxcpath_cnt++] = lxcpath;
  +   resolved_path = realpath(lxcpath, NULL);
  +   if (!resolved_path) {
  +   perror(realpath);
  +   fprintf(stderr, Error resolving lxcpath %s, lxcpath);
  +   return -1;
  +   }
  +   args-lxcpath[args-lxcpath_cnt++] = resolved_path;
  return 0;
   }
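Review bot: `fprintf(stderr, "Error resolving lxcpath %s", lxcpath);` has no trailing newline, so the next stderr line is glued to it; add `\n`. `realpath` also requires the path to exist, so a `-P` pointing at a not-yet-created directory now fails up front where the old code stored the string as given — worth stating in the commit message if that is intended. The commit message already accepts the leaked `resolved_path`; a `/* intentionally not freed: lives for the whole process */` comment at the assignment keeps the next reader from "fixing" it. lxc_arguments_lxcpath_add begins outside the hunk.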
   
  diff --git a/src/lxc/lxc_execute.c b/src/lxc/lxc_execute.c
  index 6a54bf6..083b5db 100644
  --- a/src/lxc/lxc_execute.c
  +++ b/src/lxc/lxc_execute.c
  @@ -105,9 +105,13 @@ int main(int argc, char *argv[])
  return -1;
   
  /* rcfile is specified in the cli option */
  -   if (my_args.rcfile)
  -   rcfile = (char *)my_args.rcfile;
  -   else {
  +   if (my_args.rcfile) {
  +   rcfile = realpath((char *)my_args.rcfile, NULL);
  +   if (!rcfile) {
  +   SYSERROR(Failed to resolve file path: %s, 
  my_args.rcfile);
  +   return -1;
  +   }
  +   } else {
  int rc;
   
  rc = asprintf(rcfile, %s/%s/config, my_args.lxcpath[0], 
  my_args.name);
  diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
  index add2542..7eea26a 100644
  --- a/src/lxc/lxc_start.c
  +++ b/src/lxc/lxc_start.c
  @@ -173,6 +173,15 @@ int main(int argc, char *argv[])
   
  const char *lxcpath = my_args.lxcpath[0];
   
  +   if (my_args.rcfile) {
  +   char *r = realpath(my_args.rcfile, NULL);
  +   if (!r) {
  +   SYSERROR(Failure resolving path: %s, my_args.rcfile);
  +   exit(1);
  +   }
  +   my_args.rcfile = r;
  +   }
  +
  /*
   * rcfile possibilities:
   * 1. rcfile from random path specified in cli option
  -- 
  1.8.1.2
  
  
 
 -- 
 Stéphane Graber
 Ubuntu developer
 http://www.ubuntu.com




[lxc-devel] [RFC 2/2] lxc-user-nic: rename nic inside container to desired name

2013-11-05 Thread Serge Hallyn
To do so we do a quick setns into the container's netns.  This
(unexpectedly) turns out cleaner than trying to rename it from
lxc_setup(), because we don't know the original nic name in
the container until we have created it, which we do in the parent
after init has been cloned.

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/conf.c |   2 +-
 src/lxc/lxc_user_nic.c | 168 +
 2 files changed, 158 insertions(+), 12 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index afdaa14..5e1e18d 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2761,7 +2761,7 @@ int unpriv_assign_nic(struct lxc_netdev *netdev, pid_t 
pid)
 
// Call lxc-user-nic pid type bridge
char pidstr[20];
-   char *args[] = { lxc-user-nic, pidstr, veth, netdev-link, NULL };
+   char *args[] = { lxc-user-nic, pidstr, veth, netdev-link, 
netdev-name, NULL };
snprintf(pidstr, 19, %lu, (unsigned long) pid);
pidstr[19] = '\0';
execvp(lxc-user-nic, args);
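Review bot: `netdev->name` goes into argv without a check; if the container config did not set a name and the field is NULL (not visible here, but lxc.network.name is optional), that NULL terminates argv one slot early and the exec'd lxc-user-nic sees only three arguments, which its new usage() text says it rejects. Passing a defined fallback such as `netdev->name ? netdev->name : ""` and letting lxc-user-nic decide what an empty name means keeps argc stable. unpriv_assign_nic continues outside the hunk.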
diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c
index bc1c268..dc35e55 100644
--- a/src/lxc/lxc_user_nic.c
+++ b/src/lxc/lxc_user_nic.c
@@ -17,6 +17,7 @@
  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
+#define _GNU_SOURCE /* See feature_test_macros(7) */
 #include stdio.h
 #include stdlib.h
 #include stdbool.h
@@ -27,6 +28,7 @@
 #include sys/file.h
 #include alloca.h
 #include string.h
+#include sched.h
 #include sys/mman.h
 #include sys/socket.h
 #include errno.h
@@ -39,9 +41,13 @@
 #include net/if_arp.h
 #include netinet/in.h
 #include linux/if_bridge.h
+#include linux/netlink.h
 #include linux/rtnetlink.h
 #include linux/sockios.h
+#include sys/param.h
+#include sched.h
 #include config.h
+#include utils.h
 
 #ifndef HAVE_GETLINE
 #ifdef HAVE_FGETLN
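Review bot: `#include <sched.h>` is added twice in this file — once in the previous hunk after `string.h` and again here after `sys/param.h`; drop one of them. `<sys/param.h>` has no visible user in the patch either; if it is there for a macro used later, a short comment on the include line would help.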
@@ -49,6 +55,19 @@
 #endif
 #endif
 
+/* Define setns() if missing from the C library */
+#ifndef HAVE_SETNS
+static inline int setns(int fd, int nstype)
+{
+#ifdef __NR_setns
+   return syscall(__NR_setns, fd, nstype);
+#else
+   errno = ENOSYS;
+   return -1;
+#endif
+}
+#endif
+
 #if ISTEST
 #define CONF_FILE /tmp/lxc-usernet
 #define DB_FILE /tmp/nics
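Review bot: The fallback `setns()` depends on `__NR_setns` from `<sys/syscall.h>` (and `syscall()` from `<unistd.h>`), and neither header is among the includes this patch adds; if they are not already included earlier in the file, the `#ifdef __NR_setns` does not fail the build but silently selects the `ENOSYS` branch, so every rename would fail at runtime with a misleading error. Add `#include <sys/syscall.h>` next to the new `sched.h` include, or replace the `#else` branch with `#error` so the misconfiguration is caught at compile time.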
@@ -94,7 +113,8 @@
 
 void usage(char *me, bool fail)
 {
-   fprintf(stderr, Usage: %s pid type bridge\n, me);
+   fprintf(stderr, Usage: %s pid type bridge nicname\n, me);
+   fprintf(stderr,  nicname is the name to use inside the container\n);
exit(fail ? 1 : 0);
 }
 
@@ -237,12 +257,13 @@ bool nic_exists(char *nic)
return true;
 }
 
-#if ! ISTEST
 struct link_req {
struct nlmsg nlmsg;
struct ifinfomsg ifinfomsg;
 };
 
+#if ! ISTEST
+
 int lxc_veth_create(const char *name1, const char *name2)
 {
struct nl_handler nlh;
@@ -539,7 +560,7 @@ int lxc_netdev_delete_by_name(const char *name)
 
 #endif
 
-bool create_nic(char *nic, char *br, char *pidstr)
+bool create_nic(char *nic, char *br, char *pidstr, char **cnic)
 {
 #if ISTEST
char path[200];
@@ -559,7 +580,7 @@ bool create_nic(char *nic, char *br, char *pidstr)
 
ret = snprintf(veth1buf, IFNAMSIZ, %s, nic);
if (ret  0 || ret = IFNAMSIZ) {
-   fprintf(stderr, nic name too long\n);
+   fprintf(stderr, host nic name too long\n);
exit(1);
}
 
@@ -581,6 +602,7 @@ bool create_nic(char *nic, char *br, char *pidstr)
fprintf(stderr, Error moving %s to netns %d\n, veth2buf, pid);
goto out_del;
}
+   *cnic = strdup(veth2buf);
return true;
 
 out_del:
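Review bot: `*cnic = strdup(veth2buf);` is unchecked, so on allocation failure the caller receives NULL as the container-side nic name and proceeds; `if (!(*cnic = strdup(veth2buf))) goto out_del;` treats it like the other failure paths in this function. `*cnic` is also only written on the success path, so callers should set it to NULL before calling, otherwise the `#if ISTEST` and error paths leave it indeterminate. create_nic starts before this hunk.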
@@ -589,14 +611,19 @@ out_del:
 #endif
 }
 
-void get_new_nicname(char **dest, char *br, char *pid)
+/*
+ * Get a new nic.
+ * *dest will container the name (lxcuser-%d) which is attached
+ * on the host to the lxc bridge
+ */
+void get_new_nicname(char **dest, char *br, char *pid, char **cnic)
 {
int i = 0;
// TODO - speed this up.  For large installations we won't
// want n stats for every nth container startup.
while (1) {
sprintf(*dest, lxcuser-%d, i);
-   if (!nic_exists(*dest)  create_nic(*dest, br, pid))
+   if (!nic_exists(*dest)  create_nic(*dest, br, pid, cnic))
return;
i++;
}
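Review bot: The new header comment has a typo and does not describe the parameter this patch adds: `*dest will container the name` should read `*dest will contain the name`, and a line such as `*cnic receives a strdup'd copy of the peer nic name as moved into the container's netns` documents `cnic`. The unbounded `sprintf(*dest, "lxcuser-%d", i)` is pre-existing context, not part of this change.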
@@ -672,7 +699,7 @@ int count_entries(char *buf, off_t len, char *me, char *t, 
char *br)
  * The dbfile has lines of the format:
  * user type bridge nicname
  */
-bool get_nic_if_avail(int fd, char *me, char *pid, char *intype, char *br, int 
allowed, char **nicname)
+bool get_nic_if_avail(int fd, char *me, char *pid, char *intype, char *br, int 
allowed, char **nicname, char **cnic)
 {
off_t len, slen;
struct stat sb;
@@ -696,7 +723,7 @@ bool get_nic_if_avail(int fd, char *me, char *pid, char 
*intype, char *br, int a
}
 
 
-   get_new_nicname(nicname, br, pid);
+   get_new_nicname(nicname, br, pid, cnic

[lxc-devel] [RFC 1/2] create_run_template: tell the template what caller's uid was mapped to

2013-11-05 Thread Serge Hallyn
conf.c/conf.h: have replaced bool hostid_is_mapped() with int mapped_hostid()
   which returns the mapped uid for the caller's uid on the host, or -1 if
   none

create_run_template: pass caller's uid into template.

lxc-ubuntu-cloud:
1. accept --mapped-uid argument
2. don't write to devices cgroup - not allowed.
3. if running in userns, use $HOME/.cache
4. chown cached files to the uid to which our caller was
   mapped
5. ignore /dev when extracting rootfs in a userns

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/conf.c|  6 +++---
 src/lxc/conf.h|  2 +-
 src/lxc/lxccontainer.c| 38 ++
 templates/lxc-ubuntu-cloud.in | 25 +++--
 4 files changed, 57 insertions(+), 14 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 2a47e77..afdaa14 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2912,7 +2912,7 @@ uid_t get_mapped_rootid(struct lxc_conf *conf)
return (uid_t)-1;
 }
 
-bool hostid_is_mapped(int id, struct lxc_conf *conf)
+int mapped_hostid(int id, struct lxc_conf *conf)
 {
struct lxc_list *it;
struct id_map *map;
@@ -2921,9 +2921,9 @@ bool hostid_is_mapped(int id, struct lxc_conf *conf)
if (map-idtype != ID_TYPE_UID)
continue;
if (id = map-hostid  id  map-hostid + map-range)
-   return true;
+   return (id - map-hostid) + map-nsid;
}
-   return false;
+   return -1;
 }
 
 int find_unmapped_nsuid(struct lxc_conf *conf)
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 71399b9..940d493 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -362,7 +362,7 @@ extern void lxc_rename_phys_nics_on_shutdown(struct 
lxc_conf *conf);
 
 extern uid_t get_mapped_rootid(struct lxc_conf *conf);
 extern int find_unmapped_nsuid(struct lxc_conf *conf);
-extern bool hostid_is_mapped(int id, struct lxc_conf *conf);
+extern int mapped_hostid(int id, struct lxc_conf *conf);
 extern int chown_mapped_root(char *path, struct lxc_conf *conf);
 extern int ttys_shift_ids(struct lxc_conf *c);
 #endif
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 946133d..594a96d 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -916,20 +916,28 @@ static bool create_run_template(struct lxc_container *c, 
char *tpath, bool quiet
 * If we're running the template in a mapped userns, then
 * we prepend the template command with:
 * lxc-usernsexec -m map1 ... -m mapn --
+* and we append --mapped-uid x, where x is the mapped uid
+* for our geteuid()
 */
if (geteuid() != 0  !lxc_list_empty(conf-id_map)) {
int n2args = 1;
+   char txtuid[20];
char **n2 = malloc(n2args * sizeof(*n2));
struct lxc_list *it;
struct id_map *map;
 
+   if (!n2) {
+   SYSERROR(out of memory);
+   exit(1);
+   }
newargv[0] = tpath;
tpath = lxc-usernsexec;
n2[0] = lxc-usernsexec;
lxc_list_for_each(it, conf-id_map) {
map = it-elem;
n2args += 2;
-   n2 = realloc(n2, n2args * sizeof(*n2));
+   n2 = realloc(n2, n2args * sizeof(char *));
+INFO(allocated %d items to n2, n2args);
if (!n2)
exit(1);
n2[n2args-2] = -m;
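Review bot: The `INFO("allocated %d items to n2", n2args)` line is indented with spaces in a tab-indented block and logs once per id_map entry, which reads like leftover debugging; drop it or move a single line after the loop. Replacing `sizeof(*n2)` with `sizeof(char *)` on the realloc is a step away from the variable-tied form the file already used and is not needed for the fix, so keep `sizeof(*n2)`. create_run_template continues outside the hunk.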
@@ -942,15 +950,15 @@ static bool create_run_template(struct lxc_container *c, 
char *tpath, bool quiet
if (ret  0 || ret = 200)
exit(1);
}
-   bool hostid_mapped = hostid_is_mapped(geteuid(), conf);
-   int extraargs = hostid_mapped ?  1 : 3;
-   n2 = realloc(n2, (nargs + n2args + extraargs) * 
sizeof(*n2));
+   int hostid_mapped = mapped_hostid(geteuid(), conf);
+   int extraargs = hostid_mapped = 0 ?  1 : 3;
+   n2 = realloc(n2, (nargs + n2args + extraargs) * 
sizeof(char *));
if (!n2)
exit(1);
-   if (!hostid_mapped) {
-   int free_id = find_unmapped_nsuid(conf);
+   if (hostid_mapped  0) {
+   hostid_mapped = find_unmapped_nsuid(conf);
n2[n2args++] = -m;
-   if (free_id  0

Re: [lxc-devel] [PATCH v2 2/4] tests list: refactor and add test for list_all_containers()

2013-11-05 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
 Signed-off-by: Dwight Engen dwight.en...@oracle.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/tests/list.c | 97 
 +---
  1 file changed, 36 insertions(+), 61 deletions(-)
 
 diff --git a/src/tests/list.c b/src/tests/list.c
 index a061542..af41e7f 100644
 --- a/src/tests/list.c
 +++ b/src/tests/list.c
 @@ -21,90 +21,53 @@
  #include stdlib.h
  #include lxc/lxccontainer.h
  
 -int main(int argc, char *argv[])
 +static void test_list_func(const char *lxcpath, const char *type,
 +int (*func)(const char *path, char ***names,
 +struct lxc_container ***cret))
  {
 - char *lxcpath = NULL;
 + int i, n, n2;
   struct lxc_container **clist;
   char **names;
 - int i, n, n2;
 -
 - if (argc  1)
 - lxcpath = argv[1];
  
 - printf(Counting defined containers only\n);
 - n = list_defined_containers(lxcpath, NULL, NULL);
 - printf(Found %d defined containers\n, n);
 - printf(Looking for defined containers only\n);
 - n2 = list_defined_containers(lxcpath, NULL, clist);
 + printf(%-10s Counting containers\n, type);
 + n = func(lxcpath, NULL, NULL);
 + printf(%-10s Counted %d containers\n, type, n);
 + printf(%-10s Get container struct only\n, type);
 + n2 = func(lxcpath, NULL, clist);
   if (n2 != n)
   printf(Warning: first call returned %d, second %d\n, n, n2);
 - for (i=0; in2; i++) {
 + for (i = 0; i  n2; i++) {
   struct lxc_container *c = clist[i];
 - printf(Found defined container %s\n, c-name);
 + printf(%-10s  Got container struct %s\n, type, c-name);
   lxc_container_put(c);
   }
 - if (n2  0)
 + if (n2  0) {
   free(clist);
 -
 - printf(Looking for defined names only\n);
 - n2 = list_defined_containers(lxcpath, names, NULL);
 - if (n2 != n)
 - printf(Warning: first call returned %d, second %d\n, n, n2);
 - for (i=0; in2; i++) {
 - printf(Found defined container %s\n, names[i]);
 - free(names[i]);
 + clist = NULL;
   }
 - if (n2  0)
 - free(names);
  
 - printf(Looking for defined names and containers\n);
 - n2 = list_defined_containers(lxcpath, names, clist);
 + printf(%-10s Get names only\n, type);
 + n2 = func(lxcpath, names, NULL);
   if (n2 != n)
   printf(Warning: first call returned %d, second %d\n, n, n2);
 - for (i=0; in2; i++) {
 - struct lxc_container *c = clist[i];
 - printf(Found defined container %s, name was %s\n, c-name, 
 names[i]);
 + for (i = 0; i  n2; i++) {
 + printf(%-10s  Got container name %s\n, type, names[i]);
   free(names[i]);
 - lxc_container_put(c);
   }
   if (n2  0) {
   free(names);
 - free(clist);
 + names = NULL;
   }
  
 -
 - printf(Counting active containers only\n);
 - n = list_active_containers(lxcpath, NULL, NULL);
 - printf(Found %d active containers\n, n);
 - printf(Looking for active containers only\n);
 - n2 = list_active_containers(lxcpath, NULL, clist);
 + printf(%-10s Get names and containers\n, type);
 + n2 = func(lxcpath, names, clist);
   if (n2 != n)
   printf(Warning: first call returned %d, second %d\n, n, n2);
 - for (i=0; in2; i++) {
 - printf(Found active container %s\n, clist[i]-name);
 - lxc_container_put(clist[i]);
 - }
 - if (n2  0)
 - free(clist);
 -
 - printf(Looking for active names only\n);
 - n2 = list_active_containers(lxcpath, names, NULL);
 - if (n2 != n)
 - printf(Warning: first call returned %d, second %d\n, n, n2);
 - for (i=0; in2; i++) {
 - printf(Found active container %s\n, names[i]);
 - free(names[i]);
 - }
 - if (n2  0)
 - free(names);
 -
 - printf(Looking for active names and containers\n);
 - n2 = list_active_containers(lxcpath, names, clist);
 - if (n2 != n)
 - printf(Warning: first call returned %d, second %d\n, n, n2);
 - for (i=0; in2; i++) {
 + for (i = 0; i  n2; i++) {
   struct lxc_container *c = clist[i];
 - printf(Found active container %s, name was %s\n, c-name, 
 names[i]);
 + printf(%-10s  Got container struct %s, name %s\n, type, 
 c-name, names[i]);
 + if (strcmp(c-name, names[i]))
 + fprintf(stderr, ERROR: name mismatch!\n);
   free(names[i]);
   lxc_container_put(c);
   }
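Review bot: The new name check only prints `ERROR: name mismatch!` and carries on, so the test binary still exits 0 when the two lists disagree and a harness cannot tell. Make the mismatch fatal or count it for main: `if (strcmp(c->name, names[i])) { fprintf(stderr, "ERROR: name mismatch!\n"); exit(EXIT_FAILURE); }` (the remaining frees are skipped, which is fine for a failing test). test_list_func continues into the next hunk.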
 @@ -112,6 +75,18 @@ int main(int argc, char *argv[])
   free(names);
   free(clist);
   }
 +}
 +
 +int main(int argc, char *argv[])
 +{
 + char *lxcpath = 

Re: [lxc-devel] [PATCH v2 3/4] fix leak in list_active_containers()

2013-11-05 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
 Found by running the lxc-test-list test with valgrind. The names were
 put into a local array and were never freed, either in the success case where
 the caller did not want the names returned or in the early-out failure case.
 
 Note we don't need to check the return from remove_from_array() because
 we just successfully added the name above.
 
 Signed-off-by: Dwight Engen dwight.en...@oracle.com

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/lxccontainer.c | 72 
 --
  1 file changed, 35 insertions(+), 37 deletions(-)
 
 diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
 index d7d3273..d57b23c 100644
 --- a/src/lxc/lxccontainer.c
 +++ b/src/lxc/lxccontainer.c
 @@ -19,6 +19,7 @@
   */
  
  #define _GNU_SOURCE
 +#include assert.h
  #include stdarg.h
  #include pthread.h
  #include unistd.h
 @@ -3096,12 +3097,13 @@ free_bad:
   return -1;
  }
  
 -int list_active_containers(const char *lxcpath, char ***names, struct 
 lxc_container ***cret)
 +int list_active_containers(const char *lxcpath, char ***nret,
 +struct lxc_container ***cret)
  {
 - int i, cfound = 0, nfound = 0;
 + int i, ret = -1, cret_cnt = 0, ct_name_cnt = 0;
   int lxcpath_len;
   char *line = NULL;
 - char **unique_names = NULL;
 + char **ct_name = NULL;
   size_t len = 0;
   struct lxc_container *c;
  
 @@ -3111,8 +3113,8 @@ int list_active_containers(const char *lxcpath, char 
 ***names, struct lxc_contai
  
   if (cret)
   *cret = NULL;
 - if (names)
 - *names = NULL;
 + if (nret)
 + *nret = NULL;
  
   process_lock();
   FILE *f = fopen(/proc/net/unix, r);
 @@ -3140,27 +3142,22 @@ int list_active_containers(const char *lxcpath, char 
 ***names, struct lxc_contai
   continue;
   *p2 = '\0';
  
 - if (array_contains(unique_names, p, nfound))
 + if (array_contains(ct_name, p, ct_name_cnt))
   continue;
  
 - if (!add_to_array(unique_names, p, nfound))
 - goto free_bad;
 + if (!add_to_array(ct_name, p, ct_name_cnt))
 + goto free_cret_list;
  
 - cfound++;
 + ct_name_cnt++;
  
 - if (!cret) {
 - nfound++;
 + if (!cret)
   continue;
 - }
  
   c = lxc_container_new(p, lxcpath);
   if (!c) {
   INFO(Container %s:%s is running but could not be 
 loaded,
   lxcpath, p);
 - if (names) {
 - if(!remove_from_array(unique_names, p, 
 cfound--))
 - goto free_bad;
 - }
 + remove_from_array(ct_name, p, ct_name_cnt--);
   continue;
   }
  
 @@ -3170,42 +3167,43 @@ int list_active_containers(const char *lxcpath, char 
 ***names, struct lxc_contai
* fact that the command socket exists.
*/
  
 - if (!add_to_clist(cret, c, nfound, true)) {
 + if (!add_to_clist(cret, c, cret_cnt, true)) {
   lxc_container_put(c);
 - goto free_bad;
 + goto free_cret_list;
   }
 - nfound++;
 + cret_cnt++;
   }
  
 - if (names)
 - *names = unique_names;
 -
 - if (line)
 - free(line);
 -
 - process_lock();
 - fclose(f);
 - process_unlock();
 - return nfound;
 + assert(!nret || !cret || cret_cnt == ct_name_cnt);
 + ret = ct_name_cnt;
 + if (nret)
 + *nret = ct_name;
 + else
 + goto free_ct_name;
 + goto out;
  
 -free_bad:
 - if (names  *names) {
 - for (i=0; icfound; i++)
 - free((*names)[i]);
 - free(*names);
 - }
 +free_cret_list:
   if (cret  *cret) {
 - for (i=0; infound; i++)
 + for (i = 0; i  cret_cnt; i++)
   lxc_container_put((*cret)[i]);
   free(*cret);
   }
 +
 +free_ct_name:
 + if (ct_name) {
 + for (i = 0; i  ct_name_cnt; i++)
 + free(ct_name[i]);
 + free(ct_name);
 + }
 +
 +out:
   if (line)
   free(line);
  
   process_lock();
   fclose(f);
   process_unlock();
 - return -1;
 + return ret;
  }
  
  int list_all_containers(const char *lxcpath, char ***nret,
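Review bot: `assert(!nret || !cret || cret_cnt == ct_name_cnt);` puts an abort() into a library: an API caller whose process dies on an internal bookkeeping mismatch is worse off than one that gets -1, and with NDEBUG the check disappears entirely. An explicit check that takes the existing error path keeps the invariant without the abort: `if (nret && cret && cret_cnt != ct_name_cnt) { ERROR("container count mismatch"); goto free_cret_list; }` — ret is still -1 at that point, so the caller sees a clean failure. The single exit through `out` and freeing `ct_name` when the caller did not ask for names look right.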
 -- 
 1.8.3.1
 
 

Re: [lxc-devel] [PATCH v2 1/4] add list_all_containers(), returns defined and active containers

2013-11-05 Thread Serge Hallyn
Quoting Serge Hallyn (serge.hal...@ubuntu.com):
 Quoting Dwight Engen (dwight.en...@oracle.com):
  Signed-off-by: Dwight Engen dwight.en...@oracle.com
 
 Hi,
 
 One comment below:

fwiw there's no resulting error so

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

but if you don't see any reason not to i'll pull the qsort out.

 
  ---
   src/lxc/lxccontainer.c | 97 
  +++---
   src/lxc/lxccontainer.h | 10 ++
   2 files changed, 103 insertions(+), 4 deletions(-)
  
  diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
  index 89b45ed..d7d3273 100644
  --- a/src/lxc/lxccontainer.c
  +++ b/src/lxc/lxccontainer.c
  @@ -1403,7 +1403,7 @@ static bool add_to_array(char ***names, char *cname, 
  int pos)
  return true;
   }
   
  -static bool add_to_clist(struct lxc_container ***list, struct 
  lxc_container *c, int pos)
  +static bool add_to_clist(struct lxc_container ***list, struct 
  lxc_container *c, int pos, bool sort)
   {
  struct lxc_container **newlist = realloc(*list, (pos+1) * sizeof(struct 
  lxc_container *));
  if (!newlist) {
  @@ -1415,7 +1415,8 @@ static bool add_to_clist(struct lxc_container 
  ***list, struct lxc_container *c,
  newlist[pos] = c;
   
  // sort the arrray as we will use binary search on it
  -   qsort(newlist, pos + 1, sizeof(struct lxc_container *), (int (*)(const 
  void *,const void *))container_cmp);
  +   if (sort)
  +   qsort(newlist, pos + 1, sizeof(struct lxc_container *), (int 
  (*)(const void *,const void *))container_cmp);
   
  return true;
   }
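Review bot: With `sort` now optional, the comment above the new `if (sort)` (`// sort the arrray as we will use binary search on it`) no longer describes the false case and still carries the "arrray" typo; reword it to `// sort only when requested: a caller that passes sort=false must not binary-search the list`. The cast of container_cmp to the qsort comparator type is pre-existing and not part of this change.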
  @@ -3066,7 +3067,7 @@ int list_defined_containers(const char *lxcpath, char 
  ***names, struct lxc_conta
  continue;
  }
   
  -   if (!add_to_clist(cret, c, nfound)) {
  +   if (!add_to_clist(cret, c, nfound, true)) {
  lxc_container_put(c);
  goto free_bad;
  }
  @@ -3169,7 +3170,7 @@ int list_active_containers(const char *lxcpath, char 
  ***names, struct lxc_contai
   * fact that the command socket exists.
   */
   
  -   if (!add_to_clist(cret, c, nfound)) {
  +   if (!add_to_clist(cret, c, nfound, true)) {
  lxc_container_put(c);
  goto free_bad;
  }
  @@ -3206,3 +3207,91 @@ free_bad:
  process_unlock();
  return -1;
   }
  +
  +int list_all_containers(const char *lxcpath, char ***nret,
  +   struct lxc_container ***cret)
  +{
  +   int i, ret, active_cnt, ct_cnt, ct_list_cnt;
  +   char **active_name;
  +   char **ct_name;
  +   struct lxc_container **ct_list = NULL;
  +
  +   ct_cnt = list_defined_containers(lxcpath, ct_name, NULL);
  +   if (ct_cnt  0)
  +   return ct_cnt;
  +
  +   active_cnt = list_active_containers(lxcpath, active_name, NULL);
  +   if (active_cnt  0) {
  +   ret = active_cnt;
  +   goto free_ct_name;
  +   }
  +
  +   for (i = 0; i  active_cnt; i++) {
  +   if (!array_contains(ct_name, active_name[i], ct_cnt)) {
  +   if (!add_to_array(ct_name, active_name[i], ct_cnt)) {
  +   ret = -1;
  +   goto free_active_name;
  +   }
  +   ct_cnt++;
  +   }
  +   free(active_name[i]);
  +   active_name[i] = NULL;
  +   }
  +   free(active_name);
  +   active_name = NULL;
  +   active_cnt = 0;
  +
  +   qsort(ct_name, ct_cnt, sizeof(char *),
  + (int (*)(const void *,const void *))string_cmp);
 
 Is this qsort needed?  list_defined_containers() and the add_to_array()s
 above should each be keeping ct_name ordered if I'm thinking right.
 
  +
  +   for (i = 0, ct_list_cnt = 0; i  ct_cnt  cret; i++) {
  +   struct lxc_container *c;
  +
  +   c = lxc_container_new(ct_name[i], lxcpath);
  +   if (!c) {
  +   WARN(Container %s:%s could not be loaded, lxcpath, 
  ct_name[i]);
  +   remove_from_array(ct_name, ct_name[i], ct_cnt--);
  +   continue;
  +   }
  +
  +   if (!add_to_clist(ct_list, c, ct_list_cnt, false)) {
  +   lxc_container_put(c);
  +   ret = -1;
  +   goto free_ct_list;
  +   }
  +   ct_list_cnt++;
  +   }
  +
  +   if (cret)
  +   *cret = ct_list;
  +
  +   if (nret)
  +   *nret = ct_name;
  +   else {
  +   ret = ct_cnt;
  +   goto free_ct_name;
  +   }
  +   return ct_cnt;
  +
  +free_ct_list:
  +   for (i = 0; i  ct_list_cnt; i++) {
  +   lxc_container_put(ct_list[i]);
  +   }
  +   if (ct_list)
  +   free(ct_list);
  +
  +free_active_name:
  +   for (i = 0; i  active_cnt; i++) {
  +   if (active_name[i])
  +   free(active_name[i]);
  +   }
  +   if (active_name)
  +   free(active_name

Re: [lxc-devel] [PATCH] make sure to check c-lxc_conf is not NULL before dereferencing it.

2013-11-04 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lxc/lxccontainer.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
 index a9d97ad..362b429 100644
 --- a/src/lxc/lxccontainer.c
 +++ b/src/lxc/lxccontainer.c
 @@ -441,7 +441,7 @@ static bool lxcapi_load_config(struct lxc_container *c, 
 const char *alt_file)
  
  static void lxcapi_want_daemonize(struct lxc_container *c)
  {
 - if (!c)
 + if (!c || !c-lxc_conf)
   return;
   if (container_mem_lock(c)) {
   ERROR(Error getting mem lock);
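Review bot: The new `!c->lxc_conf` test runs before `container_mem_lock(c)` is taken, so it is the one read of container state in this function that the lock does not cover; if another API call can replace or clear `lxc_conf` under that lock (not visible here), the check should move inside the locked region and release the lock before returning. If `lxc_conf` is only ever assigned at construction, a one-line comment saying so justifies the unlocked early return. lxcapi_want_daemonize continues outside the hunk.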
 -- 
 1.8.3.2
 
 



Re: [lxc-devel] [PATCH 1/3] add [gs]et_cgroup_item to lua api

2013-11-04 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@gmail.com):
 fix up api test to run and add test for new [gs]et_cgroup_item
 
 Signed-off-by: Dwight Engen dwight.en...@oracle.com

For the set,

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  src/lua-lxc/core.c   | 35 +++
  src/lua-lxc/lxc.lua  | 16 
  src/lua-lxc/test/apitest.lua | 13 +
  3 files changed, 64 insertions(+)
 
 diff --git a/src/lua-lxc/core.c b/src/lua-lxc/core.c
 index 002e8bf..ea19cc3 100644
 --- a/src/lua-lxc/core.c
 +++ b/src/lua-lxc/core.c
 @@ -282,6 +282,29 @@ static int container_clear_config_item(lua_State *L)
  return 1;
  }
  
 +static int container_get_cgroup_item(lua_State *L)
 +{
 +struct lxc_container *c = lua_unboxpointer(L, 1, CONTAINER_TYPENAME);
 +const char *key = luaL_checkstring(L, 2);
 +int len;
 +char *value;
 +
 +len = c-get_cgroup_item(c, key, NULL, 0);
 +if (len = 0)
 + goto not_found;
 +
 +value = alloca(sizeof(char)*len + 1);
 +if (c-get_cgroup_item(c, key, value, len + 1) != len)
 + goto not_found;
 +
 +lua_pushstring(L, value);
 +return 1;
 +
 +not_found:
 +lua_pushnil(L);
 +return 1;
 +}
 +
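Review bot: `alloca(sizeof(char)*len + 1)` sizes a stack allocation from whatever length `get_cgroup_item` reports, and cgroup values such as `devices.list` or large cpuset strings are not under this code's control; a `malloc`/`free` pair (or `lua_pushlstring` from a heap buffer) keeps the stack bounded regardless of the value. The expression also parses as `len + 1` anyway, so `alloca(len + 1)` says the same thing if alloca is kept. Re-reading the length on the second call and bailing to `not_found` on mismatch is a reasonable guard against the value changing between the two calls.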
  static int container_get_config_item(lua_State *L)
  {
  struct lxc_container *c = lua_unboxpointer(L, 1, CONTAINER_TYPENAME);
 @@ -305,6 +328,16 @@ not_found:
  return 1;
  }
  
 +static int container_set_cgroup_item(lua_State *L)
 +{
 +struct lxc_container *c = lua_unboxpointer(L, 1, CONTAINER_TYPENAME);
 +const char *key = luaL_checkstring(L, 2);
 +const char *value = luaL_checkstring(L, 3);
 +
 +lua_pushboolean(L, !!c-set_cgroup_item(c, key, value));
 +return 1;
 +}
 +
  static int container_set_config_item(lua_State *L)
  {
  struct lxc_container *c = lua_unboxpointer(L, 1, CONTAINER_TYPENAME);
 @@ -361,6 +394,8 @@ static luaL_Reg lxc_container_methods[] =
  {config_file_name, container_config_file_name},
  {load_config,  container_load_config},
  {save_config,  container_save_config},
 +{get_cgroup_item,  container_get_cgroup_item},
 +{set_cgroup_item,  container_set_cgroup_item},
  {get_config_path,  container_get_config_path},
  {set_config_path,  container_set_config_path},
  {get_config_item,  container_get_config_item},
 diff --git a/src/lua-lxc/lxc.lua b/src/lua-lxc/lxc.lua
 index aa80a95..7c9580e 100755
 --- a/src/lua-lxc/lxc.lua
 +++ b/src/lua-lxc/lxc.lua
 @@ -189,6 +189,10 @@ function container:clear_config_item(key)
  return self.core:clear_config_item(key)
  end
  
 +function container:get_cgroup_item(key)
 +return self.core:get_cgroup_item(key)
 +end
 +
  function container:get_config_item(key)
  local value
  local vals = {}
 @@ -209,6 +213,10 @@ function container:get_config_item(key)
  return vals
  end
  
 +function container:set_cgroup_item(key, value)
 +return self.core:set_cgroup_item(key, value)
 +end
 +
  function container:set_config_item(key, value)
  return self.core:set_config_item(key, value)
  end
 @@ -410,6 +418,14 @@ function M.containers_running(names_only)
  return containers
  end
  
 +function M.version_get()
 +return core.version_get()
 +end
 +
 +function M.default_config_path_get()
 +return core.default_config_path_get()
 +end
 +
  lxc_path = core.default_config_path_get()
  cgroup_path = cgroup_path_get()
  
 diff --git a/src/lua-lxc/test/apitest.lua b/src/lua-lxc/test/apitest.lua
 index 1365f91..f957ca4 100755
 --- a/src/lua-lxc/test/apitest.lua
 +++ b/src/lua-lxc/test/apitest.lua
 @@ -206,6 +206,17 @@ function test_container_in_cfglist(should_find)
  end
  end
  
 +function test_container_cgroup()
 +log(0, Test get/set cgroup items...)
 +
 +max_mem = container:get_cgroup_item(memory.max_usage_in_bytes)
 +saved_limit = container:get_cgroup_item(memory.limit_in_bytes)
 +assert(saved_limit ~= max_mem)
 +assert(container:set_cgroup_item(memory.limit_in_bytes, max_mem))
 +assert(container:get_cgroup_item(memory.limit_in_bytes) ~= saved_limit)
 +assert(container:set_cgroup_item(memory.limit_in_bytes, -1))
 +end
 +
  function test_config_items()
  log(0, Test set/clear configuration items...)
  
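Review bot: `assert(saved_limit ~= max_mem)` makes the test depend on the container's limit happening to differ from its peak usage, and the follow-up asserts only that the read-back differs from `saved_limit`, not that it equals what was written; asserting on the written value (`== max_mem`, allowing for kernel rounding to page size) checks the setter directly. The final `set_cgroup_item("memory.limit_in_bytes", -1)` resets to unlimited rather than to `saved_limit`, which changes the container's state if it had a limit before the test.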
 @@ -313,6 +324,8 @@ test_config_network(0)
  test_container_start()
  test_container_started()
  
 +test_container_cgroup()
 +
  test_container_freeze()
  test_container_frozen()
  test_container_unfreeze()
 -- 
 1.8.3.1
 
 
 

[lxc-devel] [PATCH RFC] create_run_template: tell the template what caller's uid was mapped to

2013-11-04 Thread Serge Hallyn
This is still RFC at the conceptual level.

Problem: when creating containers unprivileged, we run the template in a
new user ns.  For instance if I have

lxc.id_map = u 0 10 1
lxc.id_map = g 0 10 1

in my lxc.conf and do
   lxc-create -f lxc.conf -P ~/lxcbase -t ubuntu-cloud -n a1,
then the ubuntu-cloud template is run as root in a user ns where
root is mapped to 10 on the host.  Any files it creates are
owned by uid 10, which can become inconvenient.

I've considered splitting the templates up into two separate runs.  One
run as the calling uid in the host uid namespace to fetch and cache the
image/tarball/whatever.  The next, in a mapped user namespace as root in
that namespace, to only extract and configure the container rootfs.

What I'm doing here is passing the namespace uid to which the caller's
uid (on the host) is mapped, to the template.  The ubuntu-cloud template
then chowns the cached images to that user.  This does not clean
everything up perfectly: ubuntu-cloudimg-query has cached some
information as well.

# ls -l .cache
drwxrwxr-x 5 serge  10 4096 Nov  4 18:03 lxc
-rw-r--r-- 1 serge  serge 0 Oct 21 21:21 motd.legal-displayed
drwxrwxr-x 2 10 10 4096 Nov  4 17:58 ubuntu-cloudimg-query

This suggests that there will always be side effects resulting in
mis-owned files, and trying to fix those will just become unmaintainable
in itself.

I do also have a patch which splits the template calls into two (one
for caching), which I wrote on friday, but I wasn't happy with that
either.  So I'm sending this out for comment.  Failing any brilliant
ideas, I will probably combine the two patches and just aim for the
cleanest result with ubuntu-cloud and cirros templates.

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/conf.c|  6 +++---
 src/lxc/conf.h|  2 +-
 src/lxc/lxccontainer.c| 38 ++
 templates/lxc-ubuntu-cloud.in | 19 +--
 4 files changed, 51 insertions(+), 14 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 2a47e77..afdaa14 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -2912,7 +2912,7 @@ uid_t get_mapped_rootid(struct lxc_conf *conf)
return (uid_t)-1;
 }
 
-bool hostid_is_mapped(int id, struct lxc_conf *conf)
+int mapped_hostid(int id, struct lxc_conf *conf)
 {
struct lxc_list *it;
struct id_map *map;
@@ -2921,9 +2921,9 @@ bool hostid_is_mapped(int id, struct lxc_conf *conf)
if (map-idtype != ID_TYPE_UID)
continue;
if (id = map-hostid  id  map-hostid + map-range)
-   return true;
+   return (id - map-hostid) + map-nsid;
}
-   return false;
+   return -1;
 }
 
 int find_unmapped_nsuid(struct lxc_conf *conf)
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 71399b9..940d493 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -362,7 +362,7 @@ extern void lxc_rename_phys_nics_on_shutdown(struct 
lxc_conf *conf);
 
 extern uid_t get_mapped_rootid(struct lxc_conf *conf);
 extern int find_unmapped_nsuid(struct lxc_conf *conf);
-extern bool hostid_is_mapped(int id, struct lxc_conf *conf);
+extern int mapped_hostid(int id, struct lxc_conf *conf);
 extern int chown_mapped_root(char *path, struct lxc_conf *conf);
 extern int ttys_shift_ids(struct lxc_conf *c);
 #endif
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 946133d..594a96d 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -916,20 +916,28 @@ static bool create_run_template(struct lxc_container *c, 
char *tpath, bool quiet
 * If we're running the template in a mapped userns, then
 * we prepend the template command with:
 * lxc-usernsexec -m map1 ... -m mapn --
+* and we append --mapped-uid x, where x is the mapped uid
+* for our geteuid()
 */
if (geteuid() != 0  !lxc_list_empty(conf-id_map)) {
int n2args = 1;
+   char txtuid[20];
char **n2 = malloc(n2args * sizeof(*n2));
struct lxc_list *it;
struct id_map *map;
 
+   if (!n2) {
+   SYSERROR(out of memory);
+   exit(1);
+   }
newargv[0] = tpath;
tpath = lxc-usernsexec;
n2[0] = lxc-usernsexec;
lxc_list_for_each(it, conf-id_map) {
map = it-elem;
n2args += 2;
-   n2 = realloc(n2, n2args * sizeof(*n2));
+   n2 = realloc(n2, n2args * sizeof(char *));
+INFO(allocated %d items to n2, n2args);
if (!n2

[lxc-devel] [PATCH 1/1] resolve lxcpath and rcfile arguments

2013-11-04 Thread Serge Hallyn
So we don't always have to give full paths.

realpath(x, NULL) allocates memory, but these code paths should not be reached
from the API, so not freeing it should be acceptable.

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
---
 src/lxc/arguments.c   |  9 -
 src/lxc/lxc_execute.c | 10 +++---
 src/lxc/lxc_start.c   |  9 +
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/src/lxc/arguments.c b/src/lxc/arguments.c
index adcf8fe..65b2284 100644
--- a/src/lxc/arguments.c
+++ b/src/lxc/arguments.c
@@ -155,6 +155,7 @@ See the %s man page for further information.\n\n,
 static int lxc_arguments_lxcpath_add(struct lxc_arguments *args,
 const char *lxcpath)
 {
+   char *resolved_path = NULL;
if (args-lxcpath_additional != -1 
args-lxcpath_cnt  args-lxcpath_additional) {
fprintf(stderr, This command only accepts %d -P,--lxcpath 
arguments\n,
@@ -168,7 +169,13 @@ static int lxc_arguments_lxcpath_add(struct lxc_arguments 
*args,
lxc_error(args, no memory);
return -ENOMEM;
}
-   args-lxcpath[args-lxcpath_cnt++] = lxcpath;
+   resolved_path = realpath(lxcpath, NULL);
+   if (!resolved_path) {
+   perror(realpath);
+   fprintf(stderr, Error resolving lxcpath %s, lxcpath);
+   return -1;
+   }
+   args-lxcpath[args-lxcpath_cnt++] = resolved_path;
return 0;
 }
 
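Review bot: The error message at `fprintf(stderr, "Error resolving lxcpath %s", lxcpath);` has no trailing newline, so whatever is written to stderr next runs on after it; the line just above in this function ends its message with `\n`, so this should read `fprintf(stderr, "Error resolving lxcpath %s\n", lxcpath);`. The new `return -1` also differs from the `-ENOMEM` returned for the allocation failure a few lines up; if callers read the result as a negative errno, returning `-errno` after the failed realpath() would keep the convention consistent. Note that realpath() fails for a path that does not exist yet, so a -P argument naming a not-yet-created directory is presumably now rejected where it was previously accepted — worth a sentence in the commit message.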
diff --git a/src/lxc/lxc_execute.c b/src/lxc/lxc_execute.c
index 6a54bf6..083b5db 100644
--- a/src/lxc/lxc_execute.c
+++ b/src/lxc/lxc_execute.c
@@ -105,9 +105,13 @@ int main(int argc, char *argv[])
return -1;
 
/* rcfile is specified in the cli option */
-   if (my_args.rcfile)
-   rcfile = (char *)my_args.rcfile;
-   else {
+   if (my_args.rcfile) {
+   rcfile = realpath((char *)my_args.rcfile, NULL);
+   if (!rcfile) {
+   SYSERROR(Failed to resolve file path: %s, 
my_args.rcfile);
+   return -1;
+   }
+   } else {
int rc;
 
rc = asprintf(rcfile, %s/%s/config, my_args.lxcpath[0], 
my_args.name);
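Review bot: The `(char *)` cast in `rcfile = realpath((char *)my_args.rcfile, NULL);` is unnecessary and hides const-ness, since realpath() takes a `const char *`; `rcfile = realpath(my_args.rcfile, NULL);` is cleaner. With this change rcfile is heap-allocated on both branches (realpath() here, asprintf() in the else branch), which is a welcome consistency for any later cleanup. main() continues outside the hunk.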
diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
index add2542..7eea26a 100644
--- a/src/lxc/lxc_start.c
+++ b/src/lxc/lxc_start.c
@@ -173,6 +173,15 @@ int main(int argc, char *argv[])
 
const char *lxcpath = my_args.lxcpath[0];
 
+   if (my_args.rcfile) {
+   char *r = realpath(my_args.rcfile, NULL);
+   if (!r) {
+   SYSERROR(Failure resolving path: %s, my_args.rcfile);
+   exit(1);
+   }
+   my_args.rcfile = r;
+   }
+
/*
 * rcfile possibilities:
 * 1. rcfile from random path specified in cli option
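Review bot: The failure handling here diverges from the lxc_execute.c hunk of the same patch in both wording and mechanism: `SYSERROR("Failure resolving path: %s", ...)` followed by `exit(1)` versus `SYSERROR("Failed to resolve file path: %s", ...)` followed by `return -1`. Using the same message in both, e.g. `SYSERROR("Failed to resolve file path: %s", my_args.rcfile);`, keeps the two tools' failures greppable together; which exit mechanism to use depends on what the rest of this main() does on error, which is outside the hunk. The realpath() result stored by `my_args.rcfile = r;` is intentionally not freed, as the commit message explains.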
-- 
1.8.1.2




Re: [lxc-devel] [Not A Patch] [POC] Proof of concept code for using devtmpfs for autodev and more...

2013-11-01 Thread Serge Hallyn
Quoting Michael H. Warfield (m...@wittsend.com):
 On Thu, 2013-10-31 at 13:00 -0500, Serge Hallyn wrote: 
  Quoting Michael H. Warfield (m...@wittsend.com):
   I did incorporate your suggestion of using the hash of the rootfs path
   as the subdirectory under the hosts /dev/ for the container.  I also
 
  (Printed this out to look it over, just putting all my comments together
  here) :
 
  1. I think if /dev is not devtmpfs, we should just bail on this.
 
 Sort of concur and I think I even made a remark in some of the code
 about checking for that.
 
 I'm of two schools of thought here.
 
 1) Mount our own instance of devtmpfs in a private area under our
 control.

My problem with this is that the devtmpfs mount is something of which
there can only be one instance, and I don't think lxc should be
usurping that from some potential other (certainly fugly, but it's their
machine) use.

Also, AIUI the main motivation for this is to have udev rules
eventually know how to forward devices into containers?  That won't
be happening in this case.  Well, I guess it will still give you
the persistent devices you want.

Anyway - there are the things I'm considering, but you're the one
experimenting so do what you feel will be most useful :)

 2) Bail entirely.  This would be a fall back, in any case, if we didn't
 have devtmpfs available to us (is that possible with modern kernels?).

Yes, CONFIG_DEVTMPFS still exists and doesn't appear to get
automatically set, so it can be turned off.

  2. You say in comments that you're using the cgroup name, but it seems
 you're actually just using the container name?
 
 I thought I was.  Maybe I misunderstood...
 
  3. The cgroup name used to be unique, but now each mounted cgroupfs
 can actually have a different name for the same container (if some
 of them didn't get cleaned out well).
 
 Ok...  One of my problems in that particular area of code is knowing
 where to get at some things that are not in the lxc_conf.  I thought the
 name parameter was the cgroup name but apparently not.  I could use
 some guidance there.
 
  I'm just thinking out loud here, so this may not be better, but how
  about
 
  1. create /dev/.lxc as you're doing
 
  2. (if container is going to use this) create /dev/.lxc/$nonce.
 We can use hash($lxcpath/$lxcname), or just mkstemp(), or
 just an increasing integer.
 
 Well, I was ok with what you said about using the hash of the rootfs
 real path, which is what corresponded to what you had in container.c for

Ok - I'm good with that.

 the monitor socket.  All things being equal, I'd like to stick with
 that.  As a convention, I also like sticking in a symlink for the
 container name pointing at that hash name.  That has some advantages for
 diagnostic purposes to poke around in the containers /dev without having
 to go through headstands figuring out where it is.
 
  3. Create $lxcpath/$lxcname/.dev (if the container needs it) and
 shared-bind-mount /dev/.lxc/$nonce onto it.  Now we can tell
 which /dev/.lxc/* is mounted by looking at the mount table.
 
 Hmmm...  Ok...  I think I see where you're going with that.  I'll have
 to think on that one.

Weeell, I guess it's not necessary if you use
/dev/.lxc/$(sha1sum $lxcpath/$lxcname).

  4. slave-bind-bind mount $lxcpath/$lxcname/.dev into the starting
 container's /dev.
 
  Not sure whether we should have lxc.autodev = 2 mean use this scheme,
  but I'd be fine with basically always doing this so long as /dev/ is
  devtmpfs and lxc.autodev is set for the container.  (So making
  the container's /dev a tmpfs would just be a fallback).
 
  Thoughts?
 
 Definitely 3 and 4 are worth doing.  I'm not so sure about 2.  Since
 we're already using the hash of the rootfs path for the monitor socket,
 I don't see a problem keeping that here, at least for now.  But there is
 the little details of having that hashing code in two source files now.
 Should that be moved to a common source file?
 
 I do have one other niggle, and I'm surprised you didn't ding me on that
 (since you expressed concerns earlier).  The automatic autodev detection

I didn't look closely enough :)  But if we can make this good enough,
then perhaps it'll be ok to make it the default behavior whenever
devtmpfs is available.  (In that case, using a single tmpfs mounted
onto /dev/.lxc if /dev is not devtmpfs may be the best backup solution).
If we do that, we'll need to consider what to do about templates that
want to create specific devices.

Right now I'm feeling like I'd rather go whole hog after your solution
rather than have 30 separate possible cases for /dev setup.  Yours is
also the only design with a possibility for user-space solution to the
devices namespace problem.  That's worth pursuing.

 is in there.  I did see in at least one other spot where we detect a
 potentially hazardous condition and bail.  So there's some reasonable
 precedent for some safety checking.
 
 Someone in another thread

Re: [lxc-devel] [Not A Patch] [POC] Proof of concept code for using devtmpfs for autodev and more...

2013-11-01 Thread Serge Hallyn
Quoting Michael H. Warfield (m...@wittsend.com):
 On Thu, 2013-10-31 at 13:00 -0500, Serge Hallyn wrote: 
  Quoting Michael H. Warfield (m...@wittsend.com):
   I did incorporate your suggestion of using the hash of the rootfs path
   as the subdirectory under the hosts /dev/ for the container.  I also
  
  (Printed this out to look it over, just putting all my comments together
  here) :
  
  1. I think if /dev is not devtmpfs, we should just bail on this.
  
  2. You say in comments that you're using the cgroup name, but it seems
 you're actually just using the container name?
 
 Ok...  I'm going to experiment with this a bit but check me on this...
 In the routine lxc_setup() the first parameter is name.  Is that the
 cgroup name or just the container name?  I take it, from your remark,
 this is just the container name and the unique cgroup name may be
 something different.

Correct.

But if you're using $(echo $lxcpath.$lxcname | sha1sum) why do you
need the cgroup name?

 Is that something I should be pulling out of the
 cgroup info structure?

Yes.  I don't know offhand where though.

-serge



Re: [lxc-devel] [Not A Patch] [POC] Proof of concept code for using devtmpfs for autodev and more...

2013-11-01 Thread Serge Hallyn
Quoting Michael H. Warfield (m...@wittsend.com):
 The only place that's being used is in creating a symlink...
 
 /dev/.lxc/$name - /dev/.lxc/$pathhash
 
 I use it for the same reason you wanted the extra bind mounts to
 $lxcpath/$lxcname.dev.  In your case, you wanted to see the dev mappings

Oh - gotcha.  Well in that case I'd say just create your own unique
$name.$index.  that should be enough info.

Oh now unprivileged container creation of course will not be able
to do this as I won't be able to create /dev/.lxc/anything as uid
1000.

 in the mount tables, in my case I was going for them in the symlinks
 in /dev/.  It's so I can correlate a cgroup name and browsing the
 cgroups with the same name in /dev/.lxc.
 
   Is that something I should be pulling out of the
   cgroup info structure?
 
  Yes.  I don't know offhand where though.
 
 K  I'll look into that deeper.  Right now I'm going to play with this
 whole idea of two containers with the same name and see how all that
 works.
 
 I'm also trying to figure out where those rootfsproc and rootfssys
 subdirectories in /var/lib/lxc/$name/ are being creating.  I'm having a

I don't know either.  I don't have them.  Could it be the fedora
template somewhere along the way?  My first thought was the new
automounting stuff, but I don't see it there...

-serge



Re: [lxc-devel] [Not A Patch] [POC] Proof of concept code for using devtmpfs for autodev and more...

2013-11-01 Thread Serge Hallyn
Quoting Michael H. Warfield (m...@wittsend.com):
 On Fri, 2013-11-01 at 15:03 -0500, Serge Hallyn wrote: 
  Quoting Michael H. Warfield (m...@wittsend.com):
   The only place that's being used is in creating a symlink...
   
   /dev/.lxc/$name - /dev/.lxc/$pathhash
   
   I use it for the same reason you wanted the extra bind mounts to
   $lxcpath/$lxcname.dev.  In your case, you wanted to see the dev mappings
  
  Oh - gotcha.  Well in that case I'd say just create your own unique
  $name.$index.  that should be enough info.
 
  Oh now unprivileged container creation of course will not be able
  to do this as I won't be able to create /dev/.lxc/anything as uid
  1000.
 
 Oh, we're going to have to look into that then.  We're doing other
 privileged operations like the bind mounts...  Hmmm...  It may have to

bind mounts are ok.  we can do this in a private mntns.  That's how
I currently get around our inability to mknod in a userns - I
bind mount devices from the host into the container's /dev.

-serge



Re: [lxc-devel] [PATCH] ignore tags files that can be created via make ctags target

2013-11-01 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 ---
  .gitignore | 1 +
  1 file changed, 1 insertion(+)
 
 diff --git a/.gitignore b/.gitignore
 index 8901fc7..82b144a 100644
 --- a/.gitignore
 +++ b/.gitignore
 @@ -128,3 +128,4 @@ src/stamp-h1
  patches
  *.orig
  *.rej
 +tags
 -- 
 1.8.3.2
 
 



Re: [lxc-devel] [PATCH] valgrind drd tool shows conflicting stores happening at lxc_global_config_value@src/lxc/utils.c (v2)

2013-11-01 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
 Conflict occurs between following lines
 
 [...]
 269 if (values[i])
 270 return values[i];
 [...]
 
 and
 
 [...]
 309 /* could not find value, use default */
 310 values[i] = (*ptr)[1];
 [...]
 
 fix it using a specific lock dedicated to that problem as Serge suggested.
 
 Also introduce a new autoconf parameter (--enable-mutex-debugging) to convert 
 mutexes to error reporting type and to provide a stacktrace when locking 
 fails.
 
 Signed-off-by: S.Çağlar Onur cag...@10ur.org

Thanks.

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

(Just a note - you appear to have expand-tab set in your editor,
as you're replacing some tabs with spaces in this patch.)

 ---
  configure.ac  |  9 ++
  src/lxc/cgroup.c  |  2 +-
  src/lxc/lxclock.c | 17 +--
  src/lxc/start.c   |  2 +-
  src/lxc/utils.c   | 90 
 ---
  src/lxc/utils.h   |  5 +++-
  6 files changed, 115 insertions(+), 10 deletions(-)
 
 diff --git a/configure.ac b/configure.ac
 index 9fedf55..6004b35 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -178,6 +178,15 @@ AM_COND_IF([ENABLE_PYTHON],
   PKG_CHECK_MODULES([PYTHONDEV], [python3 = 3.2],[],[AC_MSG_ERROR([You 
 must install python3-dev])])
   AC_DEFINE_UNQUOTED([ENABLE_PYTHON], 1, [Python3 is available])])
  
 +# Enable dumping stack traces
 +AC_ARG_ENABLE([mutex-debugging],
 + [AC_HELP_STRING([--enable-mutex-debugging], [Makes mutexes to report 
 error and provide stack trace])],
 + [enable_mutex_debugging=yes], [enable_mutex_debugging=no])
 +AM_CONDITIONAL([MUTEX_DEBUGGING], [test x$enable_mutex_debugging = xyes])
 +
 +AM_COND_IF([MUTEX_DEBUGGING],
 + AC_DEFINE_UNQUOTED([MUTEX_DEBUGGING], 1, [Enabling mutex debugging]))
 +
  # Not in older autoconf versions
  # AS_VAR_COPY(DEST, SOURCE)
  # -
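Review bot: `AC_HELP_STRING` is the obsolete spelling; autoconf recommends `AS_HELP_STRING` for the same purpose, so `[AS_HELP_STRING([--enable-mutex-debugging], [Makes mutexes to report error and provide stack trace])]` avoids a deprecation warning with newer releases. The comment `# Enable dumping stack traces` undersells what the option does; `# Use error-checking mutexes and dump a stack trace when locking fails` matches the help string and the lxclock.c change. Quoting the shell test as `[test "x$enable_mutex_debugging" = "xyes"]` is the conventional defensive form.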
 diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
 index 01ed040..1e1e72a 100644
 --- a/src/lxc/cgroup.c
 +++ b/src/lxc/cgroup.c
 @@ -91,7 +91,7 @@ struct cgroup_meta_data *lxc_cgroup_load_meta()
   int saved_errno;
  
   errno = 0;
 - cgroup_use = lxc_global_config_value(cgroup.use);
 +   cgroup_use = default_cgroup_use();
   if (!cgroup_use  errno != 0)
   return NULL;
   if (cgroup_use) {
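Review bot: The `!cgroup_use && errno != 0` test on the lines following the change now depends on `default_cgroup_use()` honouring the errno contract of `lxc_global_config_value()` — NULL with errno set on failure, NULL with errno untouched when the key has no value — but the wrapper's definition is not in this hunk, so that should be confirmed and stated at its declaration in utils.h, e.g. `/* Returns the configured value, or NULL; errno is non-zero only on error. */`. The start.c hunk makes the same substitution with `default_cgroup_pattern()` and performs no errno check at all, silently falling back to `"%n"` on failure; it is worth deciding whether the two call sites should treat failure alike. lxc_cgroup_load_meta() continues outside the hunk.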
 diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c
 index d403bcc..3857ff0 100644
 --- a/src/lxc/lxclock.c
 +++ b/src/lxc/lxclock.c
 @@ -18,15 +18,15 @@
   *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  
 02110-1301  USA
   */
  
 -#include pthread.h
 +#define _GNU_SOURCE
  #include lxclock.h
  #include malloc.h
  #include stdio.h
  #include errno.h
  #include unistd.h
  #include fcntl.h
 -#define _GNU_SOURCE
  #include stdlib.h
 +#include pthread.h
  #include lxc/utils.h
  #include lxc/log.h
  #include lxc/lxccontainer.h
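Review bot: The relocated `#define _GNU_SOURCE` deserves a comment, because its position is now load-bearing: feature-test macros only take effect if they precede the first system header, and the old placement after `<fcntl.h>` was ineffective for everything included above it. Something like `/* must precede the first system header; enables PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP below */` stops a later include-sorting cleanup from moving it back down. Note that the utils.c hunk of the same patch takes the opposite approach and drops the define in favour of config.h; the two files should agree on one mechanism.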
 @@ -38,7 +38,11 @@
  
  lxc_log_define(lxc_lock, lxc);
  
 +#ifdef MUTEX_DEBUGGING
 +pthread_mutex_t thread_mutex = PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP;
 +#else
  pthread_mutex_t thread_mutex = PTHREAD_MUTEX_INITIALIZER;
 +#endif
  
  static char *lxclock_name(const char *p, const char *n)
  {
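Review bot: `PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP` is a glibc extension (the `_NP` suffix), so the MUTEX_DEBUGGING build becomes glibc-only and is only visible with `_GNU_SOURCE` defined before `<pthread.h>`; a comment above the `#ifdef`, `/* glibc-only: an errorcheck mutex reports relock and unlock-by-non-owner instead of deadlocking */`, sets that expectation. An errorcheck mutex changes behaviour, not just reporting: a recursive lock that would silently deadlock with the default type instead returns EDEADLK and takes the `exit(1)` path in process_lock(), which appears to be the intended effect but is worth stating in the commit message.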
 @@ -267,13 +271,20 @@ void process_lock(void)
  
   if ((ret = pthread_mutex_lock(thread_mutex)) != 0) {
   ERROR(pthread_mutex_lock returned:%d %s, ret, strerror(ret));
 + dump_stacktrace();
   exit(1);
   }
  }
  
  void process_unlock(void)
  {
 - pthread_mutex_unlock(thread_mutex);
 + int ret;
 +
 + if ((ret = pthread_mutex_unlock(thread_mutex)) != 0) {
 + ERROR(pthread_mutex_unlock returned:%d %s, ret, 
 strerror(ret));
 + dump_stacktrace();
 + exit(1);
 + }
  }
  
  int container_mem_lock(struct lxc_container *c)
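Review bot: `dump_stacktrace()` is now called unconditionally from both process_lock() and process_unlock(), but nothing among this file's includes declares it; presumably the utils.h change listed in the diffstat adds the prototype, and the function must exist (at least as a no-op) when MUTEX_DEBUGGING is off, or the default build will fail to link. The new exit path in process_unlock() only becomes reachable with the errorcheck type, since the default mutex type does not detect an unlock by a non-owner; terminating the process from library code is aggressive, but it matches the existing process_lock() policy just above.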
 diff --git a/src/lxc/start.c b/src/lxc/start.c
 index 1cadc09..58e1194 100644
 --- a/src/lxc/start.c
 +++ b/src/lxc/start.c
 @@ -695,7 +695,7 @@ int lxc_spawn(struct lxc_handler *handler)
* default value is available
*/
   if (getuid() == 0)
 - cgroup_pattern = lxc_global_config_value(cgroup.pattern);
 +   cgroup_pattern = default_cgroup_pattern();
   if (!cgroup_pattern)
   cgroup_pattern = %n;
  
 diff --git a/src/lxc/utils.c b/src/lxc/utils.c
 index 9e2e326..590482e 100644
 --- a/src/lxc/utils.c
 +++ b/src/lxc/utils.c
 @@ -21,7 +21,8 @@
   * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 
 USA
   */
  
 -#define _GNU_SOURCE
 +#include config.h
 +
  #include errno.h
  #include unistd.h
  #include stdlib.h
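Review bot: Replacing `#define _GNU_SOURCE` with `#include "config.h"` assumes config.h defines it (for example via AC_USE_SYSTEM_EXTENSIONS or AC_GNU_SOURCE in configure.ac); the configure.ac hunk in this patch does not add that, so if it is not already present, any GNU-only declarations this file relies on silently disappear and the compiler falls back to implicit declarations. The lxclock.c hunk of the same patch keeps the explicit define, so the two files currently use different mechanisms for the same thing; pick one and, if config.h is the answer, add a comment `/* config.h must come first: it defines the feature-test macros */`.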
 @@ -38,6 +39,8 @@
  #include sys/types.h
  #include sys/wait.h
  #include assert.h
 +#include pthread.h
 +#include execinfo.h
  
  #ifndef HAVE_GETLINE
  #ifdef HAVE_FGETLN
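Review bot: `#include <execinfo.h>` is a glibc extension, not POSIX, and is absent on musl, uClibc and Bionic, so an unconditional include makes the whole of utils.c unbuildable on those libcs even when the debugging aid is off. Since backtrace() is only needed for the stack-trace helper, the include and the code that uses it should sit under `#ifdef MUTEX_DEBUGGING`, or configure.ac should gain `AC_CHECK_HEADERS([execinfo.h])` with the code guarded by `HAVE_EXECINFO_H`, following the HAVE_GETLINE/HAVE_FGETLN pattern visible just below.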
 @@ -49,8 +52,61 @@
  #include log.h
  #include lxclock.h
  
 +#define MAX_STACKDEPTH 25
 +
  lxc_log_define(lxc_utils, lxc);
  
 +
 +#ifdef MUTEX_DEBUGGING
 +static pthread_mutex_t 
