The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2281
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From d648e178f1b3fa9f261b890157d2ee6e9e5e14fa Mon Sep 17 00:00:00 2001 From: Christian Brauner <christian.brau...@ubuntu.com> Date: Sun, 15 Apr 2018 22:12:51 +0200 Subject: [PATCH 1/3] seccomp: cleanup compat architecture handling Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> --- src/lxc/seccomp.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c index 60118852d..6a4f474c8 100644 --- a/src/lxc/seccomp.c +++ b/src/lxc/seccomp.c @@ -789,24 +789,36 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf) } } + INFO("Merging compat seccomp contexts into main context"); if (compat_ctx[0]) { - INFO("Merging compat seccomp contexts into main context"); - if (compat_arch[0] != native_arch && compat_arch[0] != seccomp_arch_native()) { + if ((compat_arch[0] != native_arch) && + (compat_arch[0] != seccomp_arch_native())) { ret = seccomp_merge(conf->seccomp_ctx, compat_ctx[0]); if (ret < 0) { - ERROR("Failed to merge first compat seccomp context into main context"); + ERROR("Failed to merge first compat seccomp " + "context into main context"); goto bad; } TRACE("Merged first compat seccomp context into main context"); + } else { + seccomp_release(compat_ctx[0]); + compat_ctx[0] = NULL; } + } - if (compat_arch[1] && compat_arch[1] != native_arch && compat_arch[1] != seccomp_arch_native()) { + if (compat_ctx[1]) { + if ((compat_arch[1] != native_arch) && + (compat_arch[1] != seccomp_arch_native())) { ret = seccomp_merge(conf->seccomp_ctx, compat_ctx[1]); if (ret < 0) { - ERROR("Failed to merge first compat seccomp context into main context"); + ERROR("Failed to merge first compat seccomp " + "context into main context"); goto bad; } TRACE("Merged second compat seccomp context into main context"); + } else { + seccomp_release(compat_ctx[1]); + compat_ctx[1] = NULL; } } From 94d56054143a8634852989819acee06bf4aaf9f9 Mon Sep 17 00:00:00 2001 
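Review bot: After a successful `seccomp_merge()` both merge branches leave `compat_ctx[0]` / `compat_ctx[1]` pointing at a context that libseccomp has already released (a successful merge frees the source filter), whereas the new `else` branches set the pointer to `NULL` after `seccomp_release()`. If the `bad` label, which is outside this hunk, releases every non-NULL compat context, then a failed second merge after a clean first merge would release `compat_ctx[0]` twice. Adding `compat_ctx[0] = NULL;` after the first `TRACE(...)` and `compat_ctx[1] = NULL;` after the second would rule that out. Separately, the error in the `compat_ctx[1]` branch still reads `"Failed to merge first compat seccomp "`; it should say `second` so the log names the context that actually failed. `parse_config_v2` starts and ends outside the hunk.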
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Sun, 15 Apr 2018 22:39:07 +0200
Subject: [PATCH 2/3] seccomp: improve logging
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 src/lxc/seccomp.c | 48 ++++++++++++++++++++++++++++++------------------
 1 file changed, 30 insertions(+), 18 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 6a4f474c8..084419772 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -759,33 +759,45 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf) if (cur_rule_arch == native_arch || cur_rule_arch == lxc_seccomp_arch_native || compat_arch[0] == SCMP_ARCH_NATIVE) { - INFO("Adding native rule for %s action %d(%s)", line, rule.action, - get_action_name(rule.action)); if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, &rule)) goto bad_rule; - } - else if (cur_rule_arch != lxc_seccomp_arch_all) { - int arch_index = - cur_rule_arch == lxc_seccomp_arch_mips64n32 || - cur_rule_arch == lxc_seccomp_arch_mipsel64n32 ? 1 : 0; - - INFO("Adding compat-only rule for %s action %d(%s)", line, rule.action, + INFO("Added native rule for arch %d for %s action %d(%s)", + SCMP_ARCH_NATIVE, line, rule.action, get_action_name(rule.action)); + } else if (cur_rule_arch != lxc_seccomp_arch_all) { + int arch_index = 0; + + if ((cur_rule_arch == lxc_seccomp_arch_mips64n32) || + (cur_rule_arch == lxc_seccomp_arch_mipsel64n32)) + arch_index = 1; + if (!do_resolve_add_rule(compat_arch[arch_index], line, compat_ctx[arch_index], &rule)) goto bad_rule; - } - else { - INFO("Adding native rule for %s action %d(%s)", line, rule.action, + INFO("Added compat-only rule for arch %d for %s action %d(%s)", + compat_arch[arch_index], line, rule.action, get_action_name(rule.action)); + } else { if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, &rule)) goto bad_rule; - INFO("Adding compat rule for %s action %d(%s)", line, rule.action, + INFO("Added native rule for arch %d for %s action %d(%s)", + SCMP_ARCH_NATIVE, line, rule.action, get_action_name(rule.action)); - if (!do_resolve_add_rule(compat_arch[0], line, compat_ctx[0], &rule)) - goto bad_rule; - if (compat_arch[1] != SCMP_ARCH_NATIVE && - !do_resolve_add_rule(compat_arch[1], line, compat_ctx[1], &rule)) - goto bad_rule; + + if (compat_arch[0] != SCMP_ARCH_NATIVE) { + if (!do_resolve_add_rule(compat_arch[0], line, compat_ctx[0], &rule)) + goto bad_rule; + INFO("Added compat 
rule for arch %d for %s " + "action %d(%s)", compat_arch[0], line, + rule.action, get_action_name(rule.action)); + } + + if (compat_arch[1] != SCMP_ARCH_NATIVE) { + if (!do_resolve_add_rule(compat_arch[1], line, compat_ctx[1], &rule)) + goto bad_rule; + INFO("Added compat rule for arch %d for %s " + "action %d(%s)", compat_arch[1], line, + rule.action, get_action_name(rule.action)); + } } } From 4160ef02e5bbabbf4f3d0ab002aa8afba4f680a1 Mon Sep 17 00:00:00 2001 From: Christian Brauner <christian.brau...@ubuntu.com> Date: Sun, 15 Apr 2018 22:42:43 +0200 Subject: [PATCH 3/3] tools: document -d/--daemonize for lxc-execute Closes #2280. Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com> --- doc/lxc-execute.sgml.in | 15 +++++++++++++++ src/lxc/tools/lxc_execute.c | 1 + 2 files changed, 16 insertions(+) diff --git a/doc/lxc-execute.sgml.in b/doc/lxc-execute.sgml.in index 4ec7c1b94..20814348d 100644 --- a/doc/lxc-execute.sgml.in +++ b/doc/lxc-execute.sgml.in @@ -50,6 +50,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA <cmdsynopsis> <command>lxc-execute</command> <arg choice="req">-n <replaceable>name</replaceable></arg> + <arg choice="opt">-d</arg> <arg choice="opt">-f <replaceable>config_file</replaceable></arg> <arg choice="opt">-s KEY=VAL</arg> <arg choice="opt">-- <replaceable>command</replaceable></arg> @@ -124,6 +125,20 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA </para> </listitem> </varlistentry> + + <varlistentry> + <term> + <option>-d, --daemon</option> + </term> + <listitem> + <para> + Run the container as a daemon. As the container has no + more tty, if an error occurs nothing will be displayed, + the log file can be used to check the error. + </para> + </listitem> + </varlistentry> + <varlistentry> <term><option>--</option></term> <listitem> diff --git a/src/lxc/tools/lxc_execute.c b/src/lxc/tools/lxc_execute.c index 5291dd7a3..5c03b498b 100644 --- a/src/lxc/tools/lxc_execute.c 
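Review bot: The compat-only branch still passes `compat_arch[arch_index]` and `compat_ctx[arch_index]` to `do_resolve_add_rule()` without the `!= SCMP_ARCH_NATIVE` guard that this patch adds around both compat calls in the final `else` branch. The leading `if` tests only `compat_arch[0]`, so if `compat_arch[1]` can be `SCMP_ARCH_NATIVE` with no context allocated for it (the setup is outside this hunk), a mips64n32 rule would be resolved against a context that may not exist. The same check would fit here, for example `if (compat_arch[arch_index] != SCMP_ARCH_NATIVE)` around the call and its `INFO`, together with a decision on whether such a rule is skipped or rejected. As a smaller point, `SCMP_ARCH_NATIVE` is a fixed token, so `"Added native rule for arch %d ..."` prints the same number on every host and does not tell an auditor which architecture the filter rule landed on. The enclosing loop body in `parse_config_v2` continues outside the hunk.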
+++ b/src/lxc/tools/lxc_execute.c @@ -104,6 +104,7 @@ and execs COMMAND into this container.\n\ \n\ Options :\n\ -n, --name=NAME NAME of the container\n\ + -d, --daemon Daemonize the container\n\ -f, --rcfile=FILE Load configuration file FILE\n\ -s, --define KEY=VAL Assign VAL to configuration variable KEY\n\ -u, --uid=UID Execute COMMAND with UID inside the container\n\