The following pull request was submitted through GitHub. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2484
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) ===
From 92baf6949134bf1ca66c2cd30f77fdee24662e0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 11 Oct 2016 15:40:59 -0400
Subject: [PATCH 1/4] Fix wording of seccomp error message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/container.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lxd/container.go b/lxd/container.go
index 72849ae..6e0150c 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -54,7 +54,7 @@ func containerValidConfigKey(d *Daemon, key string, value string) error {
 return nil
 }
 }
- return fmt.Errorf("security.syscalls.blacklist_compat is only valid on x86_64")
+ return fmt.Errorf("security.syscalls.blacklist_compat isn't supported on this architecture")
 }
 return nil
 }
From 0500eab878f4e6c0585a3001d4f506f986a739c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 11 Oct 2016 15:48:24 -0400
Subject: [PATCH 2/4] Properly validate memory limits
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes #2483
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 shared/container.go | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/shared/container.go b/shared/container.go
index cf558db..4a21a5d 100644
--- a/shared/container.go
+++ b/shared/container.go
@@ -232,7 +232,27 @@ var KnownContainerConfigKeys = map[string]func(value string) error{
 "limits.disk.priority": IsPriority,
- "limits.memory": IsAny,
+ "limits.memory": func(value string) error {
+ if value == "" {
+ return nil
+ }
+
+ if strings.HasSuffix(value, "%") {
+ _, err := strconv.ParseInt(strings.TrimSuffix(value, "%"), 10, 64)
+ if err != nil {
+ return err
+ }
+
+ return nil
+ }
+
+ _, err := ParseByteSizeString(value)
+ if err != nil {
+ return err
+ }
+
+ return nil
+ },
 "limits.memory.enforce": func(value string) error {
 return IsOneOf(value, []string{"soft", "hard"})
 },
From 3bde850596f6c1cf5ff54f6c795f3690bc4beebc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 11 Oct 2016 15:56:46 -0400
Subject: [PATCH 3/4] Properly validate CPU allowance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 shared/container.go | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/shared/container.go b/shared/container.go
index 4a21a5d..1e5964c 100644
--- a/shared/container.go
+++ b/shared/container.go
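Review bot: The percentage branch of the new `limits.memory` validator accepts any signed integer, so values such as `-10%` pass, because the number returned by `strconv.ParseInt` is discarded and only the error is checked. The percentage branch of the `limits.cpu.allowance` validator in patch 3/4 has the same gap with `strconv.Atoi`. These keys set container resource limits, so a value that validates but cannot be applied would be stored and presumably only fail when the limit is applied. Keep the parsed number and bound it: `percent, err := strconv.ParseInt(strings.TrimSuffix(value, "%"), 10, 64)`, then after the existing `err` check `if percent < 0 || percent > 100 { return fmt.Errorf("Invalid percentage: %s", value) }` (drop the upper bound if values above 100 are meaningful here). Whether `ParseByteSizeString` rejects negative sizes is not visible in this hunk and is worth confirming.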
@@ -226,9 +226,41 @@ var KnownContainerConfigKeys = map[string]func(value string) error{
 "boot.autostart.priority": IsInt64,
 "boot.host_shutdown_timeout": IsInt64,
- "limits.cpu": IsAny,
- "limits.cpu.allowance": IsAny,
- "limits.cpu.priority": IsPriority,
+ "limits.cpu": IsAny,
+ "limits.cpu.allowance": func(value string) error {
+ if value == "" {
+ return nil
+ }
+
+ if strings.HasSuffix(value, "%") {
+ // Percentage based allocation
+ _, err := strconv.Atoi(strings.TrimSuffix(value, "%"))
+ if err != nil {
+ return err
+ }
+
+ return nil
+ }
+
+ // Time based allocation
+ fields := strings.SplitN(value, "/", 2)
+ if len(fields) != 2 {
+ return fmt.Errorf("Invalid allowance: %s", value)
+ }
+
+ _, err := strconv.Atoi(strings.TrimSuffix(fields[0], "ms"))
+ if err != nil {
+ return err
+ }
+
+ _, err = strconv.Atoi(strings.TrimSuffix(fields[1], "ms"))
+ if err != nil {
+ return err
+ }
+
+ return nil
+ },
+ "limits.cpu.priority": IsPriority,
 "limits.disk.priority": IsPriority,
From 84910fd8907e88f51fba723dae6f5f2e7135f53f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com>
Date: Tue, 11 Oct 2016 16:11:46 -0400
Subject: [PATCH 4/4] Improve config validation on update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Run through initLXC as an extra validation step to prevent us getting in a weird state where the config was committed to DB but LXD can't read it.
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 lxd/container_lxc.go | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 7d09e06..e67eacc 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
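Review bot: In the time-based branch of the `limits.cpu.allowance` validator, both fields are parsed with `strconv.Atoi` and the values thrown away, so a zero or negative quota or period (`0ms/0ms`, `-5ms/100ms`) passes validation. How the consumer of this key treats such values is not visible here, but a zero period in particular is unlikely to be something a quota/period calculation handles, so it is better rejected when the config is set. The two near-identical `Atoi` blocks can be folded into one loop that also checks the sign, as sketched below. The `ms` suffix stays optional, as in the submitted code.

```go
// … unchanged: empty-value and percentage branches …

// Time based allocation
fields := strings.SplitN(value, "/", 2)
if len(fields) != 2 {
	return fmt.Errorf("Invalid allowance: %s", value)
}

// Quota and period must both be positive integers.
for _, field := range fields {
	ms, err := strconv.Atoi(strings.TrimSuffix(field, "ms"))
	if err != nil {
		return err
	}

	if ms <= 0 {
		return fmt.Errorf("Invalid allowance: %s", value)
	}
}

return nil
```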
@@ -2451,6 +2451,7 @@ func (c *containerLXC) Update(args containerArgs, userRequested bool) error {
 c.localConfig = oldLocalConfig
 c.localDevices = oldLocalDevices
 c.profiles = oldProfiles
+ c.c = nil
 c.initLXC()
 deviceTaskSchedulerTrigger("container", c.name, "changed")
 }
@@ -2507,6 +2508,13 @@ func (c *containerLXC) Update(args containerArgs, userRequested bool) error {
 return err
 }
+ // Run through initLXC to catch anything we missed
+ c.c = nil
+ err = c.initLXC()
+ if err != nil {
+ return err
+ }
+
 // If apparmor changed, re-validate the apparmor profile
 for _, key := range changedConfig {
 if key == "raw.apparmor" || key == "security.nesting" {
@@ -2940,14 +2948,6 @@ func (c *containerLXC) Update(args containerArgs, userRequested bool) error {
 networkUpdateStatic(c.daemon)
 }
- // Invalidate the go-lxc cache
- c.c = nil
-
- err = c.initLXC()
- if err != nil {
- return err
- }
-
 // Success, update the closure to mark that the changes should be kept.
 undoChanges = false
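Review bot: The rollback path in the first hunk still calls `c.initLXC()` without looking at its return value, and the added `c.c = nil` changes what a failure there means. If `initLXC` reuses an existing `c.c` (suggested by the removed "Invalidate the go-lxc cache" comment, but not shown here), a failed re-init during rollback now leaves the container with no cached handle at all. Check the result, `if err := c.initLXC(); err != nil {`, and log it with the container name so a failed rollback is visible. The enclosing block starts above the hunk.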
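Review bot: Moving the `initLXC` call from the end of `Update` (removed in the third hunk, around line 2940) up to line 2508 means `c.c` is now rebuilt before the roughly 400 lines of update code that follow, not after them. If anything in that stretch changes state that `initLXC` reads, the cached handle is stale when `Update` returns, where it used to be fresh. That code is outside the hunks, so this needs checking against the full function. The added comment should also say why the cache is cleared, e.g. `// Invalidate the go-lxc cache so initLXC rebuilds it from the new config`.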