Re: [systemd-devel] Add User to group video
On Thu, May 7, 2015 at 12:30 PM, Martin Vogt mvo...@gmail.com wrote:

> Hello,
>
> I try to give any user rw permissions on /dev/nvidia*.
> Usually this is done by adding the user to group video, but here the group is configured on NIS and I cannot change it.

AFAIK, secondary groups are merged from all sources, so it is possible to have the same group in both NIS and /etc/group.

> So my idea was, to add every user to group video during login.
> (Or change the permissions to 666 on /dev/nvidia*)

That's possible using PAM, but see Simon's answer for a much better solution (using udev ACLs).

--
Mantas Mikulėnas graw...@gmail.com
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] Dependency on timers.target
Hello,

I have a systemd timer (sensors-logger.timer) which requires another service (carbonCache.service) to be active:

    [Unit]
    Requires=carbonCache.service
    After=carbonCache.service
    Description=Log hardware sensors to graphite.

    [Timer]
    OnCalendar=*-*-* *:*:00

I noticed the following systemd warnings in my journal:

    Found ordering cycle on basic.target/start
    Found dependency on timers.target/start
    Found dependency on sensors-logger.timer/start
    Found dependency on carbonCache.service/start
    Found dependency on basic.target/start
    Breaking ordering cycle by deleting job timers.target/start
    Job timers.target/start deleted to break ordering cycle starting with basic.target/start
    Found ordering cycle on basic.target/start
    Found dependency on timers.target/start
    Found dependency on sensors-logger.timer/start
    Found dependency on carbonCache.service/start
    Found dependency on basic.target/start
    Unable to break cycle
    Requested transaction contains an unfixable cyclic ordering dependency: Transaction order is cyclic. See system logs for details.

Apparently timers.target has a dependency on sensors-logger.timer. However I didn't specify this. Is this done automatically by systemd? If so, is it possible to disable this and is it wise to do so?

I'm running systemd-217.

Cheers,

Bas
Re: [systemd-devel] Add User to group video
On 07/05/15 10:30, Martin Vogt wrote:

> I try to give any user rw permissions on /dev/nvidia*.
> Usually this is done by adding the user to group video, but here the group is configured on NIS and I cannot change it.

On a modern Linux system you should instead be able to tag those devices as user-accessible, as is done for the analogous nodes in the open-source video drivers in /lib/udev/rules.d/70-uaccess.rules:

    SUBSYSTEM=="drm", KERNEL=="card*|renderD*", TAG+="uaccess"

which results in the logged-in users (according to systemd-logind) getting device access via ACLs:

    % getfacl /dev/dri/card0
    getfacl: Removing leading '/' from absolute path names
    # file: dev/dri/card0
    # owner: root
    # group: video
    user::rw-
    user:smcv:rw-    # <-- this
    group::rw-
    mask::rw-
    other::---

See e.g. http://enotty.pipebreaker.pl/2012/05/23/linux-automatic-user-acl-management/

S
Re: [systemd-devel] [PATCH] udev: Restore udevadm settle timeout
On 20.04.2015 10:33, David Herrmann wrote:
> Hi
>
> On Sat, Apr 11, 2015 at 9:38 PM, Nir Soffer nir...@gmail.com wrote:
>> On Sat, Apr 11, 2015 at 1:36 PM, David Herrmann dh.herrm...@gmail.com wrote:
>>>> @@ -139,6 +142,9 @@ static int adm_settle(struct udev *udev, int argc, char *argv[]) { break; } +if (now(CLOCK_MONOTONIC) = deadline) +break; +
>>>
>>> Previous udevadm allowed timeout=0 to disable this. I added the condition.
>>
>> Hi David,
>>
>> I think the handling of timeout=0 is incorrect now. The manual says: A value of 0 will check if the queue is empty and always return immediately.
>>
>> In udev-147 (used on rhel6), this was the behavior. If timeout was 0, is_timeout was set and settle was returning with rc=1.
>>
>> This behavior changed in:
>> http://git.kernel.org/cgit/linux/hotplug/udev.git/commit/?id=ead7c62ab7641e150c6d668f939c102a6771ce60
>>
>> After this commit, zero timeout results in unlimited wait. Since this patch did not change the manual or the online help, and the commit message says: udevadm: settle - kill alarm(), I guess this was unintended change.
>>
>> I don't see the use case for disabling the timeout, so it seems that we should fix this, restoring the behavior before this commit.
>>
>> What do you think?
>
> Ok, this is on me, sorry for that. I tried to keep the behavior from before the code-removal. I wasn't aware that this was not how it is documented.
>
> I'm actually not sure whether that was an intended change. It does not look like it was, indeed. Maybe Kay or Tom know more..
>
> I have no idea whether timeout=0 is used in the wild.

Oh, dracut makes use of udevadm settle --timeout=0 all the time
Re: [systemd-devel] [PATCH] udev: Restore udevadm settle timeout
Hi

On Thu, May 7, 2015 at 10:53 AM, Harald Hoyer harald.ho...@gmail.com wrote:
> On 20.04.2015 10:33, David Herrmann wrote:
>> Hi
>>
>> On Sat, Apr 11, 2015 at 9:38 PM, Nir Soffer nir...@gmail.com wrote:
>>> On Sat, Apr 11, 2015 at 1:36 PM, David Herrmann dh.herrm...@gmail.com wrote:
>>>>> @@ -139,6 +142,9 @@ static int adm_settle(struct udev *udev, int argc, char *argv[]) { break; } +if (now(CLOCK_MONOTONIC) = deadline) +break; +
>>>>
>>>> Previous udevadm allowed timeout=0 to disable this. I added the condition.
>>>
>>> Hi David,
>>>
>>> I think the handling of timeout=0 is incorrect now. The manual says: A value of 0 will check if the queue is empty and always return immediately.
>>>
>>> In udev-147 (used on rhel6), this was the behavior. If timeout was 0, is_timeout was set and settle was returning with rc=1.
>>>
>>> This behavior changed in:
>>> http://git.kernel.org/cgit/linux/hotplug/udev.git/commit/?id=ead7c62ab7641e150c6d668f939c102a6771ce60
>>>
>>> After this commit, zero timeout results in unlimited wait. Since this patch did not change the manual or the online help, and the commit message says: udevadm: settle - kill alarm(), I guess this was unintended change.
>>>
>>> I don't see the use case for disabling the timeout, so it seems that we should fix this, restoring the behavior before this commit.
>>>
>>> What do you think?
>>
>> Ok, this is on me, sorry for that. I tried to keep the behavior from before the code-removal. I wasn't aware that this was not how it is documented.
>>
>> I'm actually not sure whether that was an intended change. It does not look like it was, indeed. Maybe Kay or Tom know more..
>>
>> I have no idea whether timeout=0 is used in the wild.
>
> Oh, dracut makes use of udevadm settle --timeout=0 all the time

--timeout was ignored for udevadm-settle since 213, effectively running with an infinite timeout under all circumstances. This was a regression of:

    udev: remove seqnum API and all assumptions about seqnums (commit 9ea28c55)

The 3 fixes to make --timeout work properly again, are:

    udev: restore udevadm settle timeout (commit 0736455b)
    udev: settle should return immediately when timeout is 0 (commit bf23b9f8)
    udev: Fix ping timeout when settle timeout is 0 (commit 7375b3c4)

All are queued up for 219.

Thanks
David
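The timeout semantics discussed in this thread, modelled as an added example (not udev's code): a simulated clock and event queue stand in for the real ones. `settle()`, `run_settle()`, the `zero_means_unlimited` switch and the 100 ms poll interval are hypothetical names and values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t usec_t;
#define USEC_PER_SEC ((usec_t) 1000000)
#define POLL_USEC    ((usec_t) 100000)     /* assumed re-check interval */
#define SIM_START    (42 * USEC_PER_SEC)   /* arbitrary simulated clock value */

/* Simulated system: a monotonic clock and an event queue that drains at a known instant. */
struct sim {
        usec_t now;          /* current simulated CLOCK_MONOTONIC reading */
        usec_t drained_at;   /* the queue is empty from this instant on */
        unsigned polls;      /* how many times the queue was inspected */
};

static bool queue_is_empty(struct sim *s) {
        s->polls++;
        return s->now >= s->drained_at;
}

static void sim_sleep(struct sim *s, usec_t usec) {
        s->now += usec;
}

/* Returns 0 once the queue is empty, 1 if the timeout expired first.
 * zero_means_unlimited = true models the regressed behaviour described in
 * the thread, where a timeout of 0 meant "no deadline at all". */
int settle(struct sim *s, usec_t timeout, bool zero_means_unlimited) {
        bool bounded = timeout > 0 || !zero_means_unlimited;
        usec_t deadline = s->now + timeout;

        if (deadline < s->now)             /* saturate instead of wrapping */
                deadline = UINT64_MAX;

        for (;;) {
                usec_t nap = POLL_USEC;

                /* Always look at the queue once, even with timeout == 0. */
                if (queue_is_empty(s))
                        return 0;
                if (bounded) {
                        if (s->now >= deadline)
                                return 1;
                        if (deadline - s->now < nap)
                                nap = deadline - s->now;  /* never sleep past the deadline */
                }
                sim_sleep(s, nap);
        }
}

struct result {
        int rc;
        usec_t waited;
        unsigned polls;
};

/* Run settle() against a queue that drains drains_after microseconds from now. */
struct result run_settle(usec_t drains_after, usec_t timeout, bool zero_means_unlimited) {
        struct sim s = { .now = SIM_START, .drained_at = SIM_START + drains_after, .polls = 0 };
        struct result r;

        r.rc = settle(&s, timeout, zero_means_unlimited);
        r.waited = s.now - SIM_START;
        r.polls = s.polls;
        return r;
}

int main(void) {
        struct result a = run_settle(5 * USEC_PER_SEC, 0, false);
        struct result b = run_settle(5 * USEC_PER_SEC, 0, true);

        printf("timeout=0, documented: rc=%d waited=%lluus polls=%u\n",
               a.rc, (unsigned long long) a.waited, a.polls);
        printf("timeout=0, regressed:  rc=%d waited=%lluus polls=%u\n",
               b.rc, (unsigned long long) b.waited, b.polls);
        return 0;
}
```

A caller that uses a zero timeout as a non-blocking "is the queue empty?" probe relies on the first result; under the regressed semantics the same call blocks until the queue drains.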
[systemd-devel] Add User to group video
Hello,

I try to give any user rw permissions on /dev/nvidia*.
Usually this is done by adding the user to group video, but here the group is configured on NIS and I cannot change it.

So my idea was, to add every user to group video during login.
(Or change the permissions to 666 on /dev/nvidia*)

Changing the permission with udev seems not to be possible, my experiments showed that writing a udev.rule like

99-z-nvidia.rules:

    KERNEL=="nvidia*", MODE="0777"

is not executed at all. I always end up with MODE=0660.

So is there a possibility that every user who logs in gets the group video?

regards,

Martin
Re: [systemd-devel] [PATCH 0/5] systemd-importd - support for pulling from V2 Dkr registries
On 8 May 2015 at 01:46, Pavel Odvody podv...@redhat.com wrote:

> - To access the V2 registry we need to send a special User-Agent docker/1.6.0

Is this really required? Can we request they change something server side?
[systemd-devel] [PATCH 4/5] import/pull: Tag replaced with reference
Signed-off-by: Pavel Odvody podv...@redhat.com --- src/import/pull.c | 28 +--- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/src/import/pull.c b/src/import/pull.c index ef7b035..8054612 100644 --- a/src/import/pull.c +++ b/src/import/pull.c @@ -227,7 +227,7 @@ static void on_dkr_finished(DkrPull *pull, int error, void *userdata) { static int pull_dkr(int argc, char *argv[], void *userdata) { _cleanup_(dkr_pull_unrefp) DkrPull *pull = NULL; _cleanup_event_unref_ sd_event *event = NULL; -const char *name, *tag, *local; +const char *name, *reference, *local, *digest; int r; if (!arg_dkr_index_url) { @@ -240,13 +240,19 @@ static int pull_dkr(int argc, char *argv[], void *userdata) { return -EINVAL; } -tag = strchr(argv[1], ':'); -if (tag) { -name = strndupa(argv[1], tag - argv[1]); -tag++; +digest = strchr(argv[1], '@'); +if (digest) { +reference = digest + 1; +name = strndupa(argv[1], digest - argv[1]); +} + +reference = strchr(argv[1], ':'); +if (reference) { +name = strndupa(argv[1], reference - argv[1]); +reference++; } else { name = argv[1]; -tag = latest; +reference = latest; } if (!dkr_name_is_valid(name)) { @@ -254,8 +260,8 @@ static int pull_dkr(int argc, char *argv[], void *userdata) { return -EINVAL; } -if (!dkr_tag_is_valid(tag)) { -log_error(Tag name '%s' is not valid., tag); +if (!dkr_ref_is_valid(reference)) { +log_error(Tag name '%s' is not valid., reference); return -EINVAL; } @@ -288,9 +294,9 @@ static int pull_dkr(int argc, char *argv[], void *userdata) { } } -log_info(Pulling '%s' with tag '%s', saving as '%s'., name, tag, local); +log_info(Pulling '%s' with reference '%s', saving as '%s'., name, reference, local); } else -log_info(Pulling '%s' with tag '%s'., name, tag); +log_info(Pulling '%s' with reference '%s'., name, reference); r = sd_event_default(event); if (r 0) 
@@ -304,7 +310,7 @@ static int pull_dkr(int argc, char *argv[], void *userdata) { if (r 0) return log_error_errno(r, Failed to allocate puller: %m); -r = dkr_pull_start(pull, name, tag, local, arg_force); +r = dkr_pull_start(pull, name, reference, local, arg_force, PULL_V2); if (r 0) return log_error_errno(r, Failed to pull image: %m); -- 2.1.0 signature.asc Description: This is a digitally signed message part ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
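Review bot: In pull_dkr(), the result of the new '@' branch is thrown away: reference = strchr(argv[1], ':') runs unconditionally right after it, and a digest reference of the form sha256:<hex> itself contains a ':'. For name@sha256:... the name therefore becomes everything up to that colon (name@sha256) and the reference is the bare hex; for an '@' with no colon the whole argument becomes the name and the reference falls back to latest. Make the ':' lookup the else branch of if (digest). The log_error() after dkr_ref_is_valid() still says "Tag name", and dkr_pull_start() is now called with a hard-coded PULL_V2, which settles the V1/V2 question from the cover letter without an option to choose.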
[systemd-devel] [PATCH 0/5] systemd-importd - support for pulling from V2 Dkr registries
Hi,

the attached series of patches add support for pulling from V2 docker registries, so let me break down first what happened to the format since V1

- Image is now defined by a JSON manifest
  - contains fields like name, tag, schemaVersion ...
  - and fsLayers - which is an array of sha256 references to a *content-addressable FS layers*
  - the manifest is now also signed using JWS/JWT (ECDSA p-256 mostly)
- Authentication/Authorization now bearer token only
- To access the V2 registry we need to send a special User-Agent docker/1.6.0
- The whole manifest can be hashed using sha256 to obtain a digest, which provides an immutable global identifier of the image, and can be used instead of a tag when pulling the image (the REST API endpoints are the same).

So far so good, now what's in the patches, besides the V2 workflow

- lightweight JSON parser, written around json_tokenize
- I've renamed 'tag' to 'reference' to accommodate for the digest semantics
- all layers are saved in a directory .dkr-$imageid
  - image id is resolved from the v1 compatibility section of the manifest
  - since the layers are now CAS, we can't assume that the order, or mere presence of certain layers will be preserved throughout multitude of images/manifests, and therefore due to the incremental nature of BTRFS snapshots we need to throw any intermediary snapshots away.
- small bugfix for the JSON tokenizer (it'd choke after reading any digit)

This is the bare minimum to pull&run V2 images, since the signature is now embedded in the manifest, it could now support --verify=signature.

However, I've got one open question - how do we support V1/V2 concurrently (this patch makes V2 the default and only)? Docker first pings the V2 endpoint and then falls back to V1, but I think that this is suboptimal, since --verify=signature makes sense only with V2, so I think something like --dkr-pull-strategy=v1|v2 as an argument would be the best?

Thanks,
Pavel

Pavel Odvody (5):
  shared/import-util: tag renamed to reference to support v2 pull by digest
  shared/json: JSON parser + number tokenizer bugfix
  test/test-json: Tests for the JSON parser and the tokenizer bugfix
  import/pull: Tag replaced with reference
  import/pull-dkr: V2 Image specification + manifest support

 src/import/pull-dkr.c    | 531 +--
 src/import/pull-dkr.h    |  48 -
 src/import/pull.c        |  28 ++-
 src/shared/import-util.c |  19 ++
 src/shared/import-util.h |   1 +
 src/shared/json.c        | 437 +-
 src/shared/json.h        |  36
 src/test/test-json.c     |  16 ++
 8 files changed, 1034 insertions(+), 82 deletions(-)

--
2.1.0
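The reference handling the cover letter describes (a tag, or a sha256 digest used in place of a tag), as an added example that is not code from this patch series or from systemd. `split_image_ref()` and its helpers are hypothetical names, and the `name@sha256:<hex>` and `name:tag` spellings, the length limits and the character sets are assumptions of the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limits and character sets are assumptions of this example. */
#define IMG_NAME_MAX 255
#define IMG_TAG_MAX 128
#define SHA256_HEX_LEN 64                 /* 256 bits written as hex digits */
#define HEX_DIGITS "0123456789abcdef"
#define LOWER_ALNUM "abcdefghijklmnopqrstuvwxyz0123456789"
#define NAME_CHARS LOWER_ALNUM "._-/"
#define TAG_CHARS LOWER_ALNUM "ABCDEFGHIJKLMNOPQRSTUVWXYZ._-"
/* Constructed sample digest, not a real image: 4 x 16 = 64 hex digits. */
#define SAMPLE_HEX "0123456789abcdef" "0123456789abcdef" \
                   "0123456789abcdef" "0123456789abcdef"

enum ref_kind { REF_INVALID = 0, REF_TAG, REF_DIGEST };

struct image_ref {
        enum ref_kind kind;
        char name[IMG_NAME_MAX + 1];
        char reference[IMG_TAG_MAX + 1];  /* a tag, or "sha256:" + 64 hex digits */
};

/* "sha256:" followed by exactly 64 lowercase hex digits and nothing else. */
static bool is_sha256_digest(const char *s) {
        static const char prefix[] = "sha256:";
        size_t plen = sizeof(prefix) - 1;

        if (strncmp(s, prefix, plen) != 0)
                return false;
        s += plen;
        /* strspn() stops at the first non-hex byte, so no read past the NUL. */
        return strspn(s, HEX_DIGITS) == SHA256_HEX_LEN && s[SHA256_HEX_LEN] == '\0';
}

static bool is_tag(const char *s) {
        size_t len = strlen(s);

        if (len == 0 || len > IMG_TAG_MAX || s[0] == '.' || s[0] == '-')
                return false;
        return strspn(s, TAG_CHARS) == len;
}

/* The name is s[0..len): no empty or dot-led path components, hence no "..". */
static bool is_name(const char *s, size_t len) {
        if (len == 0 || len > IMG_NAME_MAX || s[len - 1] == '/')
                return false;
        for (size_t i = 0; i < len; i++) {
                bool at_start = i == 0 || s[i - 1] == '/';

                if (!strchr(NAME_CHARS, s[i]))
                        return false;
                if (at_start && (s[i] == '/' || s[i] == '.'))
                        return false;
        }
        return true;
}

/* Split "name", "name:tag" or "name@sha256:<hex>". '@' is looked for first
 * because a digest contains a ':' of its own. */
enum ref_kind split_image_ref(const char *arg, struct image_ref *out) {
        const char *sep, *ref;
        enum ref_kind kind;
        size_t name_len;

        memset(out, 0, sizeof(*out));
        if ((sep = strchr(arg, '@'))) {
                ref = sep + 1;
                kind = is_sha256_digest(ref) ? REF_DIGEST : REF_INVALID;
        } else if ((sep = strchr(arg, ':'))) {
                ref = sep + 1;
                kind = is_tag(ref) ? REF_TAG : REF_INVALID;
        } else {
                sep = arg + strlen(arg);
                ref = "latest";
                kind = REF_TAG;
        }
        name_len = (size_t) (sep - arg);
        if (kind == REF_INVALID || !is_name(arg, name_len))
                return REF_INVALID;

        /* Both lengths were bounded by the validators; memset() left the NULs. */
        memcpy(out->name, arg, name_len);
        memcpy(out->reference, ref, strlen(ref));
        out->kind = kind;
        return kind;
}

int main(void) {
        const char *samples[] = { "fedora@sha256:" SAMPLE_HEX, "library/busybox:1.23",
                                  "busybox", "fedora@sha256:abc", "../etc:latest" };
        struct image_ref r;

        for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
                if (split_image_ref(samples[i], &r) == REF_INVALID)
                        printf("%.24s -> rejected\n", samples[i]);
                else
                        printf("%.24s -> name=%s reference=%.24s\n", samples[i], r.name, r.reference);
        return 0;
}
```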
[systemd-devel] [PATCH 3/5] test/test-json: Tests for the JSON parser and the tokenizer bugfix
Signed-off-by: Pavel Odvody podv...@redhat.com --- src/test/test-json.c | 16 1 file changed, 16 insertions(+) diff --git a/src/test/test-json.c b/src/test/test-json.c index 24dc700..745eeb0 100644 --- a/src/test/test-json.c +++ b/src/test/test-json.c @@ -72,6 +72,17 @@ static void test_one(const char *data, ...) { va_end(ap); } +static void test_file(const char *data) { +json_variant *v = NULL; +int r = json_parse(data, v); + +assert_se(r == 0); +assert_se(v != NULL); +assert_se(v-type == JSON_VARIANT_OBJECT); + +json_variant_unref(v); +} + int main(int argc, char *argv[]) { test_one(x, -EINVAL); @@ -102,5 +113,10 @@ int main(int argc, char *argv[]) { test_one(\\\udc00\\udc00\, -EINVAL); test_one(\\\ud801\\udc37\, JSON_STRING, \xf0\x90\x90\xb7, JSON_END); +test_one([1, 2], JSON_ARRAY_OPEN, JSON_INTEGER, 1, JSON_COMMA, JSON_INTEGER, 2, JSON_ARRAY_CLOSE, JSON_END); + +test_file({\k\: \v\, \foo\: [1, 2, 3], \bar\: {\zap\: null}}); +test_file({\mutant\: [1, null, \1\, {\1\: [1, \1\]}], \blah\: 1.27}); + return 0; } -- 2.1.0 signature.asc Description: This is a digitally signed message part ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
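Review bot: test_file() only asserts the success path of json_parse(), and both inputs added to main() are well-formed objects. Since this parser will be fed registry responses, add inputs that must fail cleanly (an unterminated object or array, trailing garbage, a top-level value that is not an object, deep nesting) and assert on the error returned, and check a parsed value or two rather than only v->type. The name test_file() is also misleading for a helper that takes a string.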
[systemd-devel] [PATCH 1/5] shared/import-util: tag renamed to reference to support v2 pull by digest
Signed-off-by: Pavel Odvody podv...@redhat.com --- src/shared/import-util.c | 19 +++ src/shared/import-util.h | 1 + 2 files changed, 20 insertions(+) diff --git a/src/shared/import-util.c b/src/shared/import-util.c index 660d92a..f2fb6d0 100644 --- a/src/shared/import-util.c +++ b/src/shared/import-util.c @@ -150,6 +150,25 @@ int raw_strip_suffixes(const char *p, char **ret) { return 0; } +bool dkr_ref_is_valid(const char *ref) { +const char *colon; + +if (isempty(ref)) +return false; + +colon = strchr(ref, ':'); +if (!colon) +return filename_is_valid(ref); + +else if (!startswith(ref, sha256)) +return false; + +else if (!in_charset(colon + 1, 0123456789abcdef)) +return false; + +return true; +} + bool dkr_name_is_valid(const char *name) { const char *slash, *p; diff --git a/src/shared/import-util.h b/src/shared/import-util.h index ff155b0..8f47f91 100644 --- a/src/shared/import-util.h +++ b/src/shared/import-util.h @@ -44,4 +44,5 @@ int raw_strip_suffixes(const char *name, char **ret); bool dkr_name_is_valid(const char *name); bool dkr_id_is_valid(const char *id); +bool dkr_ref_is_valid(const char *ref); #define dkr_tag_is_valid(tag) filename_is_valid(tag) -- 2.1.0 signature.asc Description: This is a digitally signed message part ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
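Review bot: dkr_ref_is_valid() accepts more than a sha256 digest once a ':' is present. The startswith(ref, sha256) test does not require the colon to follow the prefix directly, so a reference such as sha256x:ab passes, and nothing checks the length of the hex part, so three digits pass and, assuming in_charset() accepts an empty string, so does nothing at all after the colon. Compare against the full prefix including the colon and require exactly 64 hex digits. In import-util.h the dkr_tag_is_valid() macro stays defined next to the new prototype; drop it if no caller is left after patch 4/5.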
[systemd-devel] [PATCH 2/5] shared/json: JSON parser + number tokenizer bugfix
Signed-off-by: Pavel Odvody podv...@redhat.com --- src/shared/json.c | 437 -- src/shared/json.h | 36 + 2 files changed, 463 insertions(+), 10 deletions(-) diff --git a/src/shared/json.c b/src/shared/json.c index 45c8ece..00d5fce 100644 --- a/src/shared/json.c +++ b/src/shared/json.c 
@@ -21,17 +21,173 @@ #include sys/types.h #include math.h - #include macro.h -#include util.h #include utf8.h #include json.h -enum { -STATE_NULL, -STATE_VALUE, -STATE_VALUE_POST, -}; +int json_variant_new(json_variant **ret, int type) { +json_variant *v; +assert(!*ret); +v = new0(json_variant, 1); +if (!v) +return -ENOMEM; +v-type = type; +v-size = 0; +v-obj = NULL; +*ret = v; +return 0; +} + +static int json_variant_deep_copy(json_variant *ret, json_variant *variant) { +assert(ret); +assert(variant); + +ret-type = variant-type; +ret-size = variant-size; + +if (variant-type == JSON_VARIANT_STRING) { +ret-string = strndup(variant-string, variant-size); +if (!ret-string) +return -ENOMEM; +} else if (variant-type == JSON_VARIANT_ARRAY || variant-type == JSON_VARIANT_OBJECT) { +ret-obj = new0(json_variant, variant-size); +if (!ret-obj) +return -ENOMEM; + +for (unsigned i = 0; i variant-size; ++i) { +int r; +r = json_variant_deep_copy(ret-obj[i], variant-obj[i]); +if (r 0) +return r; +} +} +else +ret-value = variant-value; + +return 0; +} + +static json_variant *json_object_unref(json_variant *variant); + +static json_variant *json_variant_unref_inner(json_variant *variant) { +if (!variant) +return NULL; + +if (variant-type == JSON_VARIANT_ARRAY || variant-type == JSON_VARIANT_OBJECT) +return json_object_unref(variant); + +else if (variant-type == JSON_VARIANT_STRING) +free(variant-string); + +return NULL; +} + +static json_variant *json_raw_unref(json_variant *variant, size_t size) { +if (!variant) +return NULL; + +for (size_t i = 0; i size; ++i) +json_variant_unref_inner(variant[i]); + +free(variant); +return NULL; +} + +static json_variant *json_object_unref(json_variant *variant) { +assert(variant); +if (!variant-obj) +return NULL; + +for (unsigned i = 0; i variant-size; ++i) +json_variant_unref_inner(variant-obj[i]); + +free(variant-obj); +return NULL; +} + +static json_variant **json_variant_array_unref(json_variant **variant) { +size_t i = 0; +json_variant *p = 
NULL; + +if (!variant) +return NULL; + +while((p = (variant[i++])) != NULL) { +if (p-type == JSON_VARIANT_STRING) + free(p-string); +free(p); +} + +free(variant); + +return NULL; +} +DEFINE_TRIVIAL_CLEANUP_FUNC(json_variant **, json_variant_array_unref); + +json_variant *json_variant_unref(json_variant *variant) { +if (!variant) +return NULL; + +if (variant-type == JSON_VARIANT_ARRAY || variant-type == JSON_VARIANT_OBJECT) +return json_object_unref(variant); + +else if (variant-type == JSON_VARIANT_STRING) +free(variant-string); + +free(variant); + +return NULL; +} + +char *json_variant_string(json_variant *variant){ +assert(variant); +assert(variant-type == JSON_VARIANT_STRING); + +return variant-string; +} + +bool json_variant_bool(json_variant *variant) { +assert(variant); +assert(variant-type == JSON_VARIANT_BOOLEAN); + +return variant-value.boolean; +} + +intmax_t json_variant_integer(json_variant *variant) { +assert(variant); +assert(variant-type == JSON_VARIANT_INTEGER); + +return variant-value.integer; +} + +double json_variant_real(json_variant *variant) { +assert(variant); +assert(variant-type == JSON_VARIANT_REAL); + +return variant-value.real; +} + +json_variant *json_variant_element(json_variant *variant, unsigned index) { +assert(variant); +assert(variant-type == JSON_VARIANT_ARRAY || variant-type == JSON_VARIANT_OBJECT); +assert(index variant-size); +assert(variant-obj); + +return variant-obj[index]; +} + +json_variant *json_variant_value(json_variant *variant, const char *key) { +assert(variant); +assert(variant-type == JSON_VARIANT_OBJECT); + +for
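Review bot: json_variant_unref() leaks the container for arrays and objects: that branch does return json_object_unref(variant), which frees variant->obj and its elements but never reaches the free(variant) at the end of the function. Call json_object_unref() and fall through to the free instead of returning. Separately, json_variant_deep_copy() returns from the middle of its loop on failure and leaves ret partly populated, so say in a comment who is expected to free it or clean up before returning, and note that the copy and the unref helpers recurse once per nesting level with no depth limit on input that comes from the network.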
Re: [systemd-devel] [PATCH 5/5] import/pull-dkr: V2 Image specification + manifest support
07.05.2015 18:47, Pavel Odvody wrote: Signed-off-by: Pavel Odvody podv...@redhat.com --- src/import/pull-dkr.c | 531 -- src/import/pull-dkr.h | 48 - 2 files changed, 518 insertions(+), 61 deletions(-) diff --git a/src/import/pull-dkr.c b/src/import/pull-dkr.c index 0eefec5..408b795 100644 --- a/src/import/pull-dkr.c +++ b/src/import/pull-dkr.c @@ -61,9 +61,10 @@ struct DkrPull { PullJob *layer_job; char *name; -char *tag; +char *reference; char *id; +char *response_digest; char *response_token; char **response_registries; @@ -87,7 +88,11 @@ struct DkrPull { #define PROTOCOL_PREFIX https://; #define HEADER_TOKEN X-Do /* the HTTP header for the auth token */ cker-Token: -#define HEADER_REGISTRY X-Do /*the HTTP header for the registry */ cker-Endpoints: +#define HEADER_REGISTRY X-Do /* the HTTP header for the registry */ cker-Endpoints: +#define HEADER_DIGEST Do /* the HTTP header for the manifest digest */ cker-Content-Digest: +#define HEADER_USER_AGENT_V2 User-Agent: do /* otherwise we get load-balanced(!) to a V1 registyry */ cker/1.6.0 +#define HEADER_BEARER_REALM https://auth.doc; /* URL which we query for a bearer token */ ker.io/token +#define HEADER_BEARER_SERVICE registry.doc /* the service we query the token for */ ker.io #define LAYERS_MAX 2048 @@ -117,7 +122,7 @@ DkrPull* dkr_pull_unref(DkrPull *i) { } free(i-name); -free(i-tag); +free(i-reference); free(i-id); free(i-response_token); free(i-response_registries); 
@@ -416,10 +421,25 @@ static int dkr_pull_add_token(DkrPull *i, PullJob *j) { return 0; } +static int dkr_pull_add_bearer_token(DkrPull *i, PullJob *j) { +const char *t = NULL; + +assert(i); +assert(j); + +if (i-response_token) +t = strjoina(Authorization: Bearer , i-response_token); + +j-request_header = curl_slist_new(HEADER_USER_AGENT_V2, Accept: application/json, t, NULL); +if (!j-request_header) +return -ENOMEM; + +return 0; +} + static bool dkr_pull_is_done(DkrPull *i) { assert(i); assert(i-images_job); - if (i-images_job-state != PULL_JOB_DONE) return false; @@ -429,7 +449,7 @@ static bool dkr_pull_is_done(DkrPull *i) { if (!i-ancestry_job || i-ancestry_job-state != PULL_JOB_DONE) return false; -if (!i-json_job || i-json_job-state != PULL_JOB_DONE) +if (i-json_job i-json_job-state != PULL_JOB_DONE) return false; if (i-layer_job i-layer_job-state != PULL_JOB_DONE) @@ -441,8 +461,9 @@ static bool dkr_pull_is_done(DkrPull *i) { return true; } -static int dkr_pull_make_local_copy(DkrPull *i) { +static int dkr_pull_make_local_copy(DkrPull *i, enum PullStrategy strategy) { int r; +_cleanup_free_ char *p = NULL; assert(i); @@ -455,10 +476,30 @@ static int dkr_pull_make_local_copy(DkrPull *i) { return log_oom(); } -r = pull_make_local_copy(i-final_path, i-image_root, i-local, i-force_local); +if (strategy == PULL_V2) { +r = path_get_parent(i-image_root, p); +if (r 0) +return r; +} + +r = pull_make_local_copy(i-final_path, p ?: i-image_root, i-local, i-force_local); if (r 0) return r; +if (strategy == PULL_V2) { +char **k = NULL; +STRV_FOREACH(k, i-ancestry) { +char *d = strjoina(i-image_root, /.dkr-, *k, NULL); +r = btrfs_subvol_remove(d, false); +if (r 0) + return r; +} + +r = rmdir(i-image_root); +if (r 0) +return r; +} + return 0; } 
@@ -516,6 +557,68 @@ static void dkr_pull_job_on_progress(PullJob *j) { DKR_DOWNLOADING); } +static void dkr_pull_job_on_finished_v2(PullJob *j); + +static int dkr_pull_pull_layer_v2(DkrPull *i) { +_cleanup_free_ char *path = NULL; +const char *url, *layer = NULL; +int r; + +assert(i); +assert(!i-layer_job); +assert(!i-temp_path); +assert(!i-final_path); + +for (;;) { +layer = dkr_pull_current_layer(i); +if (!layer) +return 0; /* no more layers */ + +path = strjoin(i-image_root, /.dkr-, layer, NULL); +if (!path) +return log_oom(); + +if (laccess(path, F_OK) 0) { +
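Review bot: The new #define block near the top of pull-dkr.c hard-codes one registry's details: HEADER_BEARER_REALM and HEADER_BEARER_SERVICE pin the token endpoint and service to docker.io, and HEADER_USER_AGENT_V2 presents the client as docker/1.6.0 to steer load balancing. If other V2 registries are meant to work, take the realm and service from what the registry returns rather than from constants, and keep the User-Agent workaround separate so it can be dropped once the server side no longer needs it. The comment on HEADER_USER_AGENT_V2 has a typo, "registyry".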
Re: [systemd-devel] [PATCH 5/5] import/pull-dkr: V2 Image specification + manifest support
On Thu, 2015-05-07 at 18:58 +0300, Reverend Homer wrote: 07.05.2015 18:47, Pavel Odvody wrote: Signed-off-by: Pavel Odvody podv...@redhat.com --- src/import/pull-dkr.c | 531 -- src/import/pull-dkr.h | 48 - 2 files changed, 518 insertions(+), 61 deletions(-) diff --git a/src/import/pull-dkr.c b/src/import/pull-dkr.c index 0eefec5..408b795 100644 --- a/src/import/pull-dkr.c +++ b/src/import/pull-dkr.c @@ -61,9 +61,10 @@ struct DkrPull { PullJob *layer_job; char *name; -char *tag; +char *reference; char *id; +char *response_digest; char *response_token; char **response_registries; @@ -87,7 +88,11 @@ struct DkrPull { #define PROTOCOL_PREFIX https://; #define HEADER_TOKEN X-Do /* the HTTP header for the auth token */ cker-Token: -#define HEADER_REGISTRY X-Do /*the HTTP header for the registry */ cker-Endpoints: +#define HEADER_REGISTRY X-Do /* the HTTP header for the registry */ cker-Endpoints: +#define HEADER_DIGEST Do /* the HTTP header for the manifest digest */ cker-Content-Digest: +#define HEADER_USER_AGENT_V2 User-Agent: do /* otherwise we get load-balanced(!) to a V1 registyry */ cker/1.6.0 +#define HEADER_BEARER_REALM https://auth.doc; /* URL which we query for a bearer token */ ker.io/token +#define HEADER_BEARER_SERVICE registry.doc /* the service we query the token for */ ker.io #define LAYERS_MAX 2048 @@ -117,7 +122,7 @@ DkrPull* dkr_pull_unref(DkrPull *i) { } free(i-name); -free(i-tag); +free(i-reference); free(i-id); free(i-response_token); free(i-response_registries); 
@@ -416,10 +421,25 @@ static int dkr_pull_add_token(DkrPull *i, PullJob *j) { return 0; } +static int dkr_pull_add_bearer_token(DkrPull *i, PullJob *j) { +const char *t = NULL; + +assert(i); +assert(j); + +if (i-response_token) +t = strjoina(Authorization: Bearer , i-response_token); + +j-request_header = curl_slist_new(HEADER_USER_AGENT_V2, Accept: application/json, t, NULL); +if (!j-request_header) +return -ENOMEM; + +return 0; +} + static bool dkr_pull_is_done(DkrPull *i) { assert(i); assert(i-images_job); - if (i-images_job-state != PULL_JOB_DONE) return false; @@ -429,7 +449,7 @@ static bool dkr_pull_is_done(DkrPull *i) { if (!i-ancestry_job || i-ancestry_job-state != PULL_JOB_DONE) return false; -if (!i-json_job || i-json_job-state != PULL_JOB_DONE) +if (i-json_job i-json_job-state != PULL_JOB_DONE) return false; if (i-layer_job i-layer_job-state != PULL_JOB_DONE) @@ -441,8 +461,9 @@ static bool dkr_pull_is_done(DkrPull *i) { return true; } -static int dkr_pull_make_local_copy(DkrPull *i) { +static int dkr_pull_make_local_copy(DkrPull *i, enum PullStrategy strategy) { int r; +_cleanup_free_ char *p = NULL; assert(i); @@ -455,10 +476,30 @@ static int dkr_pull_make_local_copy(DkrPull *i) { return log_oom(); } -r = pull_make_local_copy(i-final_path, i-image_root, i-local, i-force_local); +if (strategy == PULL_V2) { +r = path_get_parent(i-image_root, p); +if (r 0) +return r; +} + +r = pull_make_local_copy(i-final_path, p ?: i-image_root, i-local, i-force_local); if (r 0) return r; +if (strategy == PULL_V2) { +char **k = NULL; +STRV_FOREACH(k, i-ancestry) { +char *d = strjoina(i-image_root, /.dkr-, *k, NULL); +r = btrfs_subvol_remove(d, false); +if (r 0) + return r; +} + +r = rmdir(i-image_root); +if (r 0) +return r; +} + return 0; } 
@@ -516,6 +557,68 @@ static void dkr_pull_job_on_progress(PullJob *j) { DKR_DOWNLOADING); } +static void dkr_pull_job_on_finished_v2(PullJob *j); + +static int dkr_pull_pull_layer_v2(DkrPull *i) { +_cleanup_free_ char *path = NULL; +const char *url, *layer = NULL; +int r; + +assert(i); +assert(!i-layer_job); +assert(!i-temp_path); +assert(!i-final_path); + +for (;;) { +layer =
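Review bot: In dkr_pull_is_done(), changing the json_job test from !i->json_job || ... to i->json_job && ... makes a missing json_job count as finished for every pull, and the function takes no strategy argument to tell V1 from V2. If a V1 pull still requires the JSON job, keep the old test for V1 and relax it only under PULL_V2. The same hunk also removes the blank line after the two asserts, which looks unintended.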
[systemd-devel] [PATCH 5/5] import/pull-dkr: V2 Image specification + manifest support
Signed-off-by: Pavel Odvody podv...@redhat.com --- src/import/pull-dkr.c | 531 -- src/import/pull-dkr.h | 48 - 2 files changed, 518 insertions(+), 61 deletions(-) diff --git a/src/import/pull-dkr.c b/src/import/pull-dkr.c index 0eefec5..408b795 100644 --- a/src/import/pull-dkr.c +++ b/src/import/pull-dkr.c @@ -61,9 +61,10 @@ struct DkrPull { PullJob *layer_job; char *name; -char *tag; +char *reference; char *id; +char *response_digest; char *response_token; char **response_registries; @@ -87,7 +88,11 @@ struct DkrPull { #define PROTOCOL_PREFIX https://; #define HEADER_TOKEN X-Do /* the HTTP header for the auth token */ cker-Token: -#define HEADER_REGISTRY X-Do /*the HTTP header for the registry */ cker-Endpoints: +#define HEADER_REGISTRY X-Do /* the HTTP header for the registry */ cker-Endpoints: +#define HEADER_DIGEST Do /* the HTTP header for the manifest digest */ cker-Content-Digest: +#define HEADER_USER_AGENT_V2 User-Agent: do /* otherwise we get load-balanced(!) to a V1 registyry */ cker/1.6.0 +#define HEADER_BEARER_REALM https://auth.doc; /* URL which we query for a bearer token */ ker.io/token +#define HEADER_BEARER_SERVICE registry.doc /* the service we query the token for */ ker.io #define LAYERS_MAX 2048 @@ -117,7 +122,7 @@ DkrPull* dkr_pull_unref(DkrPull *i) { } free(i-name); -free(i-tag); +free(i-reference); free(i-id); free(i-response_token); free(i-response_registries); @@ -416,10 +421,25 @@ static int dkr_pull_add_token(DkrPull *i, PullJob *j) { return 0; } +static int dkr_pull_add_bearer_token(DkrPull *i, PullJob *j) { +const char *t = NULL; + +assert(i); +assert(j); + +if (i-response_token) +t = strjoina(Authorization: Bearer , i-response_token); + +j-request_header = curl_slist_new(HEADER_USER_AGENT_V2, Accept: application/json, t, NULL); +if (!j-request_header) +return -ENOMEM; + +return 0; +} + static bool dkr_pull_is_done(DkrPull *i) { assert(i); assert(i-images_job); - if (i-images_job-state != PULL_JOB_DONE) return false; 
@@ -429,7 +449,7 @@ static bool dkr_pull_is_done(DkrPull *i) { if (!i-ancestry_job || i-ancestry_job-state != PULL_JOB_DONE) return false; -if (!i-json_job || i-json_job-state != PULL_JOB_DONE) +if (i-json_job i-json_job-state != PULL_JOB_DONE) return false; if (i-layer_job i-layer_job-state != PULL_JOB_DONE) @@ -441,8 +461,9 @@ static bool dkr_pull_is_done(DkrPull *i) { return true; } -static int dkr_pull_make_local_copy(DkrPull *i) { +static int dkr_pull_make_local_copy(DkrPull *i, enum PullStrategy strategy) { int r; +_cleanup_free_ char *p = NULL; assert(i); @@ -455,10 +476,30 @@ static int dkr_pull_make_local_copy(DkrPull *i) { return log_oom(); } -r = pull_make_local_copy(i-final_path, i-image_root, i-local, i-force_local); +if (strategy == PULL_V2) { +r = path_get_parent(i-image_root, p); +if (r 0) +return r; +} + +r = pull_make_local_copy(i-final_path, p ?: i-image_root, i-local, i-force_local); if (r 0) return r; +if (strategy == PULL_V2) { +char **k = NULL; +STRV_FOREACH(k, i-ancestry) { +char *d = strjoina(i-image_root, /.dkr-, *k, NULL); +r = btrfs_subvol_remove(d, false); +if (r 0) + return r; +} + +r = rmdir(i-image_root); +if (r 0) +return r; +} + return 0; } @@ -516,6 +557,68 @@ static void dkr_pull_job_on_progress(PullJob *j) { DKR_DOWNLOADING); } +static void dkr_pull_job_on_finished_v2(PullJob *j); + +static int dkr_pull_pull_layer_v2(DkrPull *i) { +_cleanup_free_ char *path = NULL; +const char *url, *layer = NULL; +int r; + +assert(i); +assert(!i-layer_job); +assert(!i-temp_path); +assert(!i-final_path); + +for (;;) { +layer = dkr_pull_current_layer(i); +if (!layer) +return 0; /* no more layers */ + +path = strjoin(i-image_root, /.dkr-, layer, NULL); +if (!path) +return log_oom(); + +if (laccess(path, F_OK) 0) { +if (errno == ENOENT) +break; + +return
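Review bot: In dkr_pull_make_local_copy(), the PULL_V2 cleanup runs after pull_make_local_copy() has already succeeded, yet a single btrfs_subvol_remove() failure returns an error for the whole pull and leaves the remaining .dkr- subvolumes behind; log the failure and carry on with the rest. The line r = rmdir(i->image_root) followed by return r hands back -1 rather than -errno. strjoina() inside STRV_FOREACH allocates on the stack once per layer with LAYERS_MAX at 2048; use strjoin() with a _cleanup_free_ variable, as dkr_pull_pull_layer_v2() does for path.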
[systemd-devel] No hackfest at Linux Plumbers Conference
Heya!

I have been asked recently whether there'll be a systemd hackfest at the Linux Plumbers Conference in Seattle this year. I have talked to some of the other core systemd hackers about this today, and all of them indicated they do not intend to attend this year's LPC. (I myself will not attend either.) We hence decided not to organize a hackfest there this year.

Note that there will be coverage of the boot/init topic at LPC even without a systemd hackfest, as John Mehaffey, Kate Stewart, Matthew Wilson are organizing a boot/init MC.

As next systemd event we hope to organize a proper systemd conference-cum-hackfest later this year or early next year, most likely in Berlin, Germany. One day of presentations with another day (or two) of hacking. Most likely we'll call this event Das Bootvergnügen.

Lennart

--
Lennart Poettering, Red Hat
Re: [systemd-devel] Add User to group video
On Thu, 07.05.15 11:30, Martin Vogt (mvo...@gmail.com) wrote:

> Hello,
>
> I try to give any user rw permissions on /dev/nvidia*.
> Usually this is done by adding the user to group video, but here the group is configured on NIS and I cannot change it.

Please note that with systemd/udev we do not support setups where system groups are not available locally unconditionally. If you store system groups on NIS/LDAP or some other network service then this basically voids the warranty for systemd.

Lennart

--
Lennart Poettering, Red Hat
Re: [systemd-devel] Add User to group video
On Thu, May 7, 2015 at 11:44 AM, Simon McVittie simon.mcvit...@collabora.co.uk wrote:
> On 07/05/15 10:30, Martin Vogt wrote:
>> I try to give any user rw permissions on /dev/nvidia*.
>> Usually this is done by adding the user to group video, but here the group is configured on NIS and I cannot change it.
>
> On a modern Linux system you should instead be able to tag those devices as user-accessible, as is done for the analogous nodes in the open-source video drivers in /lib/udev/rules.d/70-uaccess.rules:
>
>     SUBSYSTEM=="drm", KERNEL=="card*|renderD*", TAG+="uaccess"
>
> which results in the logged-in users (according to systemd-logind) getting device access via ACLs:

Thanks, it works on local login, but how do I do it with ssh?

http://lists.freedesktop.org/archives/consolekit/2010-February.txt