[lxc-devel] [lxc/lxc] 11ef02: lxc-oracle: add pts/[1-4] to securetty for libvirt...
Branch: refs/heads/stable-1.0
Home: https://github.com/lxc/lxc
Commit: 11ef02339a29ef401eb21c0f38807faa51cf9032
https://github.com/lxc/lxc/commit/11ef02339a29ef401eb21c0f38807faa51cf9032
Author: Dwight Engen dwight.en...@oracle.com
Date: 2014-05-20 (Tue, 20 May 2014)
Changed paths:
M templates/lxc-oracle.in
Log Message:
---
lxc-oracle: add pts/[1-4] to securetty for libvirt-lxc

Don't spawn a getty on /dev/console when running under libvirt-lxc

Signed-off-by: Dwight Engen dwight.en...@oracle.com
Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] [PATCH 2/3] execute: bind init.lxc.static into container
On Mon, May 19, 2014 at 03:51:28PM +, Serge Hallyn wrote:

Quoting Stéphane Graber (stgra...@ubuntu.com):

On Mon, May 12, 2014 at 06:04:00PM +, Serge Hallyn wrote:

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com

So one concern here is that SBINDIR may be pretty much anything and may look pretty awkward in the container. Can we have the bind-mount be done with, say, /lxc.init.static instead, and only be done in the last-resort case where an existing init couldn't be found?

Sure, that sounds good.

Your new patch does put it in /lxc.init.static but still appears to do it in all cases (even if it ends up unused). I'd really prefer we only do the bind-mount if we can't detect a suitable init in the rootfs and also remove the bind-mounted file from the rootfs on exit (at least in the non-error path).

I'd really like us to make sure that when you use lxc, either for a full-fledged container or just for an application container, the rootfs is restored to the way it was when the container exits. That means removing the bind-mount target in this case, restoring the original tty/console nodes, ...

---
src/lxc/conf.c | 58 ++
1 file changed, 58 insertions(+)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 7427a94..0580f46 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3811,6 +3811,61 @@ static void remount_all_slave(void) free(line); } +void lxc_execute_bind_init(struct lxc_conf *conf) +{ + int ret; + char path[PATH_MAX], destpath[PATH_MAX]; + + ret = snprintf(path, PATH_MAX, SBINDIR /init.lxc.static); + if (ret 0 || ret = PATH_MAX) { + WARN(Path name too long searching for lxc.init.static); + return; + } + + if (!file_exists(path)) { + INFO(%s does not exist on host, path); + return; + } + + ret = snprintf(destpath, PATH_MAX, %s%s, conf-rootfs.mount, path); + if (ret 0 || ret = PATH_MAX) { + WARN(Path name too long for container's lxc.init.static); + return; + } + + if (!file_exists(destpath)) { + FILE *pathfile; + char *pathdirname = strdup(path); + + if (!pathdirname) { + SYSERROR(Out of memory binding lxc.init.static into container); + return; + } + pathdirname = dirname(pathdirname); + ret = mkdir_p(pathdirname, 0755); + free(pathdirname); + if (ret 0) { + /* + * this can fail just due to read-only bind mounts. Trust + * that the user knows what they want, log and proceed + */ + WARN(Failed to create %s in container, SBINDIR); + return; + } + pathfile = fopen(destpath, wb); + if (!pathfile) { + SYSERROR(Failed to create mount target '%s', destpath); + return; + } + fclose(pathfile); + } + + ret = mount(path, destpath, none, MS_BIND, NULL); + if (ret 0) + SYSERROR(Failed to bind lxc.init.static into container); + INFO(lxc.init.static bound into container at %s, path); +} + int lxc_setup(struct lxc_handler *handler) { const char *name = handler-name; 
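Review bot: in the `!file_exists(destpath)` branch the parent directory is derived from the wrong path: `pathdirname = strdup(path)` followed by `dirname()` yields the host's SBINDIR, so `mkdir_p(pathdirname, 0755)` operates on the host while the following `fopen(destpath, "wb")` still fails when that directory is missing under `conf->rootfs.mount`; derive the directory from `destpath` instead (the WARN text "Failed to create %s in container" already assumes that), and free the pointer returned by `strdup()` rather than the one returned by `dirname()`, which is not guaranteed to be the same allocation. Second, the closing `INFO("lxc.init.static bound into container at %s", path)` is reached even when `mount()` failed, because the `SYSERROR` branch does not return; return on error and log `destpath`, which is where the file is actually placed. As already raised in the thread, the mount target is created on every lxc-execute and never removed, so the rootfs is left modified after the container exits.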
@@ -3878,6 +3933,9 @@ int lxc_setup(struct lxc_handler *handler) return -1; } + if (lxc_conf-is_execute) + lxc_execute_bind_init(lxc_conf); + /* now mount only cgroup, if wanted; * before, /sys could not have been mounted * (is either mounted automatically or via fstab entries) -- 1.9.1

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
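Review bot: `lxc_execute_bind_init()` is declared non-static but is only called from `lxc_setup()` in this same file, and because it returns void its failures (host file missing, mkdir or mount failure) are only logged, so an lxc-execute whose rootfs has no init proceeds and fails later with a less specific error; make it `static`, return an int, and have `lxc_setup()` act on a failure. Gating the call on `lxc_conf->is_execute` alone also means the bind happens even when the rootfs already provides a usable init, which is the point raised earlier in the thread.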
Re: [lxc-devel] [PATCH] v2 Refactoring lxc-autostart boot process and group handling.
On Mon, May 19, 2014 at 03:57:26PM -0400, Michael H. Warfield wrote:

On Mon, 2014-05-19 at 17:22 +0200, Stéphane Graber wrote:

On Fri, May 16, 2014 at 02:07:31PM -0400, Michael H. Warfield wrote:

Before anyone else spots it... I did miss one spot where I failed to toss a list (cmd_group_lists) on exit. So, some memory checkers will complain about orphaned memory or leaks (even though it's on exit). I'll fix that and add some doco once this has been reviewed further.

Hi,

I took a quick look at the proposed patch and don't have any issue with it, so please resend with those updates done and I'll do some proper testing and apply it.

Thanks!

Ok... Ask and ye shall receive. Version 2 of the refactoring autostart patch with Dwight's patch and my other patches, adding now the fix for the minor cleanup gotcha I spotted, plus I enhanced the documentation in lxc-autostart.sgml.in for group handling.

While this was going on, I also pinged Dwight about parameterizing the bootup groups and other options in the startup scripts. Consequently, with his concurrence, I've added some boot time configuration options to the sysvinit/systemd init script and the upstart configuration file for BOOTGROUPS, SHUTDOWNDELAY, OPTIONS, and STOPOPTS. For the former (Oracle, RHEL, Fedora, CentOS, et al), it's in /etc/sysconfig/lxc and the latter (Ubuntu, Debian, etc) in /etc/default/lxc.

I've tested the sysvinit/systemd init script. Someone needs to verify the upstart changes.

Attached below the jump.

Thanks!
Regards,
Mike

== Executing: ./autogen.sh in /build/git/
+ test -d autom4te.cache
+ aclocal -I config
+ autoheader
+ autoconf
+ automake --add-missing --copy
configure.ac:31: installing 'config/compile'
configure.ac:30: installing 'config/config.guess'
configure.ac:30: installing 'config/config.sub'
configure.ac:29: installing 'config/install-sh'
configure.ac:29: installing 'config/missing'
configure.ac:565: error: required file 'config/init/systemd/lxc.service.in' not found
configure.ac:565: error: required file 'config/init/sysvinit/lxc.in' not found
src/lua-lxc/Makefile.am: installing 'config/depcomp'
+ exit 1
== Cleaning up the environment
== Exitting with status FAIL

Seems like make dist is missing a bunch of files...

--
Michael H. Warfield (AI4NB) | (770) 978-7061 | m...@wittsend.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF| possible worlds. A pessimist is sure of it!

--
v2 - Refactoring lxc-autostart boot process and group handling.

This is a rollup of 5 earlier patches patching the systemd init to use the sysvinit script, adding an onboot group to the boot set, updating upstart to include the onboot group, and adding documentation for the special boot groups.

This adds new functionality to lxc-autostart.

*) The -g / --groups option is multiple cumulative entry. This may be mixed freely with the previous comma separated group list convention. Groups are processed in the order they first appear in the aggregated group list.

*) The NULL group may be specified in the group list using either a leading comma, a trailing comma, or an embedded comma.

*) Booting proceeds in order of the groups specified on the command line then ordered by lxc.start.order and name collating sequence.

*) Default host bootup is now specified as -g onboot, meaning that first the onboot group is booted and then any remaining enabled containers in the NULL group are booted.
*) Adds documentation to lxc-autostart for -g processing order and combinations.

*) Parameterizes bootgroups, options, and shutdown delay in init scripts and services.

From the previous 4 individual patches:

Reported-by: CDR vene...@gmail.com
Signed-off-by: Dwight Engen dwight.en...@oracle.com

- reuse the sysvinit script to ensure that if the lxc is configured to use a bridge setup by libvirt, the bridge will be available before starting the container
- made the sysvinit script check for the existence of ifconfig, and fall back to ip link list if available
- made the lxc service also dependent on the network.target
- autoconfized the paths in the service file and sysvinit script
- v2: rename script lxc-autostart to lxc-autostart-helper to avoid confusion

From: Michael H. Warfield m...@wittsend.com

- This adds a non-null group (onboot) to the sysvinit startup script for autobooting containers. This allows for containers which are in other groups to be included in the autoboot process. This script is used by both the sysvinit systems and the systemd systems.

From: Michael H. Warfield m...@wittsend.com

- Add the feature to the Upstart init script to boot the onboot group dependent on the start.auto = 1 flag. This brings the
[lxc-devel] [lxc/lxc] e70212: lxc-devsetup: Don't use [[ because sh does not sup...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: e702123afe1a318c41cb7eb96223ae6ba5d21751
https://github.com/lxc/lxc/commit/e702123afe1a318c41cb7eb96223ae6ba5d21751
Author: ChangZhuo Chen (陳昌倬) czc...@gmail.com
Date: 2014-05-20 (Tue, 20 May 2014)
Changed paths:
M config/init/systemd/lxc-devsetup
Log Message:
---
lxc-devsetup: Don't use [[ because sh does not support it

Signed-off-by: ChangZhuo Chen (陳昌倬) czc...@gmail.com
Acked-by: Stéphane Graber stgra...@ubuntu.com
Re: [lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces
Quoting Michael H. Warfield (m...@wittsend.com):

On Mon, 2014-05-19 at 17:04 -0700, Eric W. Biederman wrote:

Seth Forshee seth.fors...@canonical.com writes:

What I set out for was feature parity between loop devices in a secure container and loop devices on the host. Since some operations currently check for system-wide CAP_SYS_ADMIN, the only way I see to accomplish this is to push knowledge of the user namespace farther down into the driver stack so the check can instead be for CAP_SYS_ADMIN in the user namespace associated with the device.

That said, I suspect our current use cases can get by without these capabilities. Really though I suspect this is just deferring the discussion rather than settling it, and what we'll end up with is little more than a fancy way for userspace to ask the kernel to run mknod on its behalf.

A fancy way to ask the kernel to run mknod on its behalf is what /dev/pts is.

When I suggested this I did not mean you should forgo making changes to allow partitions and the like. What I intended is that you should find a way to make this safe for users who don't have root capabilities.

I like to think in terms of the rootless configurations where root per se is not absolute and everything is framed in terms of capabilities.

Which possibly means that mount needs to learn how to keep a more privileged user from using your new loop devices.

Not sure I got that one. A user with more privileges may or may not have access dependent on the congruence of the privileges. They're not

Yes so in this case by 'more privileged' he meant a privileged user in a userns which is ancestor to the current userns. It is in fact *more* privileged than any user in the current userns.

hierarchical. If someone has that priv then they have access. If they

They are in fact implicitly hierarchical due to the hierarchical userns design.

do not, they do not.

To get to the point where this is really and truly usable I expect to be technically daunting.
Most technically non-trivial problems generally are.

Ultimately the technical challenge is how do we create a block device that is safe for a user who does not have any capabilities to use, and what can we do with that block device to make it useful.

Concur. It boils down to privilege management and access.

Absolutely concur.

Only when the question is can this kernel functionality which is otherwise safe confuse a preexisting setuid application do namespace or container bits significantly come into play.

Ah... Admittedly it's not as late as our conversation at LinuxPlumbers last year in NOLA but... Maybe late at night but I failed to parse the above.

Eric

Regards,
Mike
Re: [lxc-devel] [PATCH] v2 Refactoring lxc-autostart boot process and group handling.
On Tue, 2014-05-20 at 11:56 +0200, Stéphane Graber wrote:

On Mon, May 19, 2014 at 03:57:26PM -0400, Michael H. Warfield wrote:

On Mon, 2014-05-19 at 17:22 +0200, Stéphane Graber wrote:

On Fri, May 16, 2014 at 02:07:31PM -0400, Michael H. Warfield wrote:

Before anyone else spots it... I did miss one spot where I failed to toss a list (cmd_group_lists) on exit. So, some memory checkers will complain about orphaned memory or leaks (even though it's on exit). I'll fix that and add some doco once this has been reviewed further.

Hi,

I took a quick look at the proposed patch and don't have any issue with it, so please resend with those updates done and I'll do some proper testing and apply it.

Thanks!

Ok... Ask and ye shall receive. Version 2 of the refactoring autostart patch with Dwight's patch and my other patches, adding now the fix for the minor cleanup gotcha I spotted, plus I enhanced the documentation in lxc-autostart.sgml.in for group handling.

While this was going on, I also pinged Dwight about parameterizing the bootup groups and other options in the startup scripts. Consequently, with his concurrence, I've added some boot time configuration options to the sysvinit/systemd init script and the upstart configuration file for BOOTGROUPS, SHUTDOWNDELAY, OPTIONS, and STOPOPTS. For the former (Oracle, RHEL, Fedora, CentOS, et al), it's in /etc/sysconfig/lxc and the latter (Ubuntu, Debian, etc) in /etc/default/lxc.

I've tested the sysvinit/systemd init script. Someone needs to verify the upstart changes.

Attached below the jump.

Thanks!
Regards,
Mike

== Executing: ./autogen.sh in /build/git/
+ test -d autom4te.cache
+ aclocal -I config
+ autoheader
+ autoconf
+ automake --add-missing --copy
configure.ac:31: installing 'config/compile'
configure.ac:30: installing 'config/config.guess'
configure.ac:30: installing 'config/config.sub'
configure.ac:29: installing 'config/install-sh'
configure.ac:29: installing 'config/missing'
configure.ac:565: error: required file 'config/init/systemd/lxc.service.in' not found
configure.ac:565: error: required file 'config/init/sysvinit/lxc.in' not found
src/lua-lxc/Makefile.am: installing 'config/depcomp'
+ exit 1
== Cleaning up the environment
== Exitting with status FAIL

Seems like make dist is missing a bunch of files...

Crud. Missed them when I did the add and commit. Redoing. Sorry about that...

Below the jump...

Regards,
Mike

--
Added missing files...

Accidentally overlooked two new files when building patch set.

Signed-off-by: Michael H. Warfield m...@wittsend.com
---
config/init/systemd/lxc.service.in | 17 +
config/init/sysvinit/lxc.in| 124 +
2 files changed, 141 insertions(+)
create mode 100644 config/init/systemd/lxc.service.in
create mode 100644 config/init/sysvinit/lxc.in

diff --git a/config/init/systemd/lxc.service.in b/config/init/systemd/lxc.service.in
new file mode 100644
index 000..5f155b6
--- /dev/null
+++ b/config/init/systemd/lxc.service.in
@@ -0,0 +1,17 @@ +[Unit] +Description=LXC Container Initialization and Autoboot Code +After=syslog.target network.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStartPre=@libexecdir@/lxc/lxc-devsetup +ExecStart=@libexecdir@/lxc/lxc-autostart-helper start +ExecStop=@libexecdir@/lxc/lxc-autostart-helper stop +# Environment=BOOTUP=serial +# Environment=CONSOLETYPE=serial +StandardOutput=syslog +StandardError=syslog + +[Install] +WantedBy=multi-user.target diff --git a/config/init/sysvinit/lxc.in b/config/init/sysvinit/lxc.in new file mode 100644 index 000..1a876a2 --- /dev/null +++ b/config/init/sysvinit/lxc.in @@ -0,0 +1,124 @@ +#!/bin/sh +# +# lxc Start/Stop LXC autoboot containers +# +# chkconfig: 345 99 01 +# description: Starts/Stops all LXC containers configured for autostart. +# +### BEGIN INIT INFO +# Provides: lxc +# Default-Start: 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Bring up/down LXC autostart containers +# Description: Bring up/down LXC autostart containers +### END INIT INFO + +sysconfdir=@SYSCONFDIR@ +bindir=@BINDIR@ +localstatedir=@LOCALSTATEDIR@ + +# These can be overridden in @SYSCONFDIR@/sysconfig/lxc + +# BOOTGROUPS - What groups should start on bootup? +# Comma separated list of groups. +# Leading comma, trailing comma or embedded double +# comma indicates when the NULL group should be run. +# Example (default): boot the onboot group first then the NULL group +BOOTGROUPS=onboot, + +# SHUTDOWNDELAY - Wait time for a container to shut down. +# ner shutdown can result in
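Review bot: the LSB header in `config/init/sysvinit/lxc.in` declares `Provides`, `Default-Start` and `Default-Stop` but no `Required-Start`/`Required-Stop`, so insserv-based ordering may run it before networking (and before any libvirt-created bridge) even though the series' stated reason for reusing this script is to wait for that bridge; add `# Required-Start: $network $syslog` and a matching `# Required-Stop:`. In `lxc.service.in` the two commented `# Environment=` lines are dead configuration; either document what they are for in a comment or drop them.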
Re: [lxc-devel] [PATCH 2/3] execute: bind init.lxc.static into container
Quoting Stéphane Graber (stgra...@ubuntu.com):

On Mon, May 19, 2014 at 03:51:28PM +, Serge Hallyn wrote:

Quoting Stéphane Graber (stgra...@ubuntu.com):

On Mon, May 12, 2014 at 06:04:00PM +, Serge Hallyn wrote:

Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com

So one concern here is that SBINDIR may be pretty much anything and may look pretty awkward in the container. Can we have the bind-mount be done with, say, /lxc.init.static instead, and only be done in the last-resort case where an existing init couldn't be found?

Sure, that sounds good.

Your new patch does put it in /lxc.init.static but still appears to do it in all cases (even if it ends up unused). I'd really prefer we only do the bind-mount if we can't detect a suitable init in the rootfs and also remove the bind-mounted file from the rootfs on exit (at least in the non-error path).

I'd really like us to make sure that when you use lxc, either for a full-fledged container or just for an application container, the rootfs is restored to the way it was when the container exits. That means removing the bind-mount target in this case, restoring the original tty/console nodes, ...

Ok - that should be a pretty simple matter of splitting most of choose_init() into a separate detect_init() which is re-used before we create the lxc.init.static bind mount. I won't get to that today, so if anyone wants to, feel free.
[lxc-devel] [PATCH] add init.lxc.static to .gitignore
Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 8145f81..a69ffde 100644 --- a/.gitignore +++ b/.gitignore @@ -44,6 +44,7 @@ templates/lxc-ubuntu templates/lxc-ubuntu-cloud src/lxc/init.lxc +src/lxc/init.lxc.static src/lxc/lxc-attach src/lxc/lxc-autostart src/lxc/lxc-cgroup -- 1.9.1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [PATCH] cgmanager: slow down there (don't always grab abs cgroup path)
When I converted attach and enter to using move_pid_abs, these needed to use the new get_pid_cgroup_abs method to get an absolute path. But for some inexplicable reason I also converted the functions which get and set cgroup properties to use the absolute paths. These are simply not compatible with the cgmanager set_value and get_value methods. This breaks for instance lxc-test-cgpath. So undo that. With this patch lxc-test-cgpath, lxc-test-autotest, and lxc-test-concurrent once again pass in a nested container. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com --- src/lxc/cgmanager.c | 32 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/lxc/cgmanager.c b/src/lxc/cgmanager.c index 9b06d31..3a5525a 100644 --- a/src/lxc/cgmanager.c +++ b/src/lxc/cgmanager.c @@ -714,14 +714,13 @@ static int cgm_get(const char *filename, char *value, size_t len, const char *na return -1; *key = '\0'; - if (!cgm_dbus_connect()) { - ERROR(Error connecting to cgroup manager); + /* use the command interface to look for the cgroup */ + cgroup = lxc_cmd_get_cgroup_path(name, lxcpath, controller); + if (!cgroup) return -1; - } - cgroup = try_get_abs_cgroup(name, lxcpath, controller); - if (!cgroup) { - cgm_dbus_disconnect(); + if (!cgm_dbus_connect()) { + ERROR(Error connecting to cgroup manager); return -1; } @@ -734,12 +733,12 @@ static int cgm_get(const char *filename, char *value, size_t len, const char *na NihError *nerr; nerr = nih_error_get(); nih_free(nerr); - free_abs_cgroup(cgroup); + free(cgroup); cgm_dbus_disconnect(); return -1; } cgm_dbus_disconnect(); - free_abs_cgroup(cgroup); + free(cgroup); newlen = strlen(result); if (!len || !value) { // user queries the size 
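Review bot: in `cgm_get()` the new ordering obtains `cgroup` from `lxc_cmd_get_cgroup_path()` before connecting, but the `if (!cgm_dbus_connect())` failure path still does a bare `return -1;`, leaking that allocation; add `free(cgroup);` there, as the `cgm_set()` hunk already does on the same path.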
@@ -790,21 +789,22 @@ static int cgm_set(const char *filename, const char *value, const char *name, co return -1; *key = '\0'; - if (!cgm_dbus_connect()) { - ERROR(Error connecting to cgroup manager); - free(cgroup); - return false; - } - cgroup = try_get_abs_cgroup(name, lxcpath, controller); + /* use the command interface to look for the cgroup */ + cgroup = lxc_cmd_get_cgroup_path(name, lxcpath, controller); if (!cgroup) { ERROR(Failed to get cgroup for controller %s for %s:%s, controller, lxcpath, name); - cgm_dbus_disconnect(); return -1; } + + if (!cgm_dbus_connect()) { + ERROR(Error connecting to cgroup manager); + free(cgroup); + return false; + } ret = cgm_do_set(controller, filename, cgroup, value); cgm_dbus_disconnect(); - free_abs_cgroup(cgroup); + free(cgroup); return ret; } -- 1.9.1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
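Review bot: `cgm_set()` is declared `static int` and returns -1 on its other error paths, yet the re-added connect-failure branch keeps `return false;`, which is 0 and reads as success to any caller testing for a negative result; change it to `return -1;` while these lines are being moved.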
[lxc-devel] [PATCH 5/3] configure.ac: don't let -lcgmanager end up in LIBS
AC_SEARCH_LIBS always places the library being queried into LIBS. We don't want that - we were only checking whether a function is available. Not everything (notably not init.lxc.static) needs to link against -lcgmanager. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com --- configure.ac | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configure.ac b/configure.ac index 8865bc8..8185f3a 100644 --- a/configure.ac +++ b/configure.ac @@ -257,7 +257,9 @@ AM_COND_IF([ENABLE_CGMANAGER], ]) AC_MSG_CHECKING(for get_pid_cgroup_abs_sync) +save_LIBS=$LIBS AC_SEARCH_LIBS([cgmanager_get_pid_cgroup_abs_sync], [cgmanager], [have_abs_cgroups=yes], [have_abs_cgroups=no], [-lnih -lnih-dbus -ldbus-1]) +LIBS=$save_LIBS if test x$have_abs_cgroups = xyes; then AC_DEFINE([HAVE_CGMANAGER_GET_PID_CGROUP_ABS_SYNC], 1, [Have cgmanager_get_pid_cgroup_abs_sync]) AC_MSG_RESULT([yes]) -- 1.9.1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] lxc on openSUSE: lxc-top not working due to lua?
First of all, John, thanks for the answer and the link.

On 19.05.2014 22:57 Michael H. Warfield wrote:

Nice! I love these sorts of discussions. I learn so much shit. I can use that to quiet a whole bunch of duplicate warnings in some other spec files.

I learned that it is enough to add e.g. %{_bindir}/lxc/ to get the directory *and* its contents, while %{_bindir}/lxc/* will only get the files and miss the directory.

Regards,
Johannes

--
Ask a stupid question, and be a fool for 5 minutes. Don't ask, and be a fool for the rest of your life.
Re: [lxc-devel] lxc on openSUSE: lxc-top not working due to lua?
On 18.05.2014 15:27 Michael H. Warfield wrote:

Definitely going to check that out.

I got the spec to build on the obs, but only for the suses. I get a strange error, has anyone else seen this? Basically suddenly it wants to use /usr/share/lxc instead of the buildroot it has used before...

This is the logfile of the failed build for Fedora 19:
https://build.opensuse.org/package/live_build_log/home:ojkastl_buildservice:LXC/lxc-vanilla/Fedora_19/i586

This is the logfile of the failed build for Fedora 20:
https://build.opensuse.org/package/live_build_log/home:ojkastl_buildservice:LXC/lxc-vanilla/Fedora_20/x86_64

I have no fedora at hand to test the compilation...

Regards,
Johannes

--
Is our children learning? (George W. Bush)
Re: [lxc-devel] lxc on openSUSE: lxc-top not working due to lua?
On Tue, 20 May 2014 21:24:57 +0200 Johannes Kastl m...@ojkastl.de wrote:

First of all, John, thanks for the answer and the link.

On 19.05.2014 22:57 Michael H. Warfield wrote:

Nice! I love these sorts of discussions. I learn so much shit. I can use that to quiet a whole bunch of duplicate warnings in some other spec files.

I learned that it is enough to add e.g. %{_bindir}/lxc/ to get the directory *and* its contents, while %{_bindir}/lxc/* will only get the files and miss the directory.

Not sure where you saw %{_bindir}/lxc, the actual line is %{_bindir}/* because we don't want the lxc package claiming that it owns %{_bindir}, but maybe %{_bindir}/ would do that too? rpm -qf on my system shows that %{_bindir} is claimed by the filesystem package.

Regards,
Johannes
[lxc-devel] [PATCH] lxc-oracle: fix ssh login under libvirt-lxc
Signed-off-by: Dwight Engen dwight.en...@oracle.com --- templates/lxc-oracle.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in index 8a8c821..7a704e6 100644 --- a/templates/lxc-oracle.in +++ b/templates/lxc-oracle.in @@ -129,6 +129,8 @@ EOF fi sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*close|#session required pam_selinux.so close|' $container_rootfs/etc/pam.d/login sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*open|#session required pam_selinux.so open|' $container_rootfs/etc/pam.d/login +sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*close|#session required pam_selinux.so close|' $container_rootfs/etc/pam.d/sshd +sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*open|#session required pam_selinux.so open|' $container_rootfs/etc/pam.d/sshd # setting /proc/$$/loginuid doesn't work under user namespace, which # prevents logins from working -- 1.9.0 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
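Review bot: the two added `sed -i` lines are the `login` ones copied with only the file name changed; a loop over `login sshd` keeps the two regexes from diverging, and a `test -f` guard avoids a hard error from `sed -i` when the image has no openssh-server and therefore no `/etc/pam.d/sshd`. The commit message should also spell out that this disables the pam_selinux open/close session calls for sshd sessions inside the container, the same trade-off the template already makes for console logins two lines above.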
Re: [lxc-devel] [PATCH] cgmanager: slow down there (don't always grab abs cgroup path)
On Tue, May 20, 2014 at 11:47:17AM -0500, Serge Hallyn wrote: When I converted attach and enter to using move_pid_abs, these needed to use the new get_pid_cgroup_abs method to get an absolute path. But for some inexplicable reason I also converted the functions which get and set cgroup properties to use the absolute paths. These are simply not compatible with the cgmanager set_value and get_value methods. This breaks for instance lxc-test-cgpath. So undo that. With this patch lxc-test-cgpath, lxc-test-autotest, and lxc-test-concurrent once again pass in a nested container. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/cgmanager.c | 32 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/src/lxc/cgmanager.c b/src/lxc/cgmanager.c index 9b06d31..3a5525a 100644 --- a/src/lxc/cgmanager.c +++ b/src/lxc/cgmanager.c @@ -714,14 +714,13 @@ static int cgm_get(const char *filename, char *value, size_t len, const char *na return -1; *key = '\0'; - if (!cgm_dbus_connect()) { - ERROR(Error connecting to cgroup manager); + /* use the command interface to look for the cgroup */ + cgroup = lxc_cmd_get_cgroup_path(name, lxcpath, controller); + if (!cgroup) return -1; - } - cgroup = try_get_abs_cgroup(name, lxcpath, controller); - if (!cgroup) { - cgm_dbus_disconnect(); + if (!cgm_dbus_connect()) { + ERROR(Error connecting to cgroup manager); return -1; } @@ -734,12 +733,12 @@ static int cgm_get(const char *filename, char *value, size_t len, const char *na NihError *nerr; nerr = nih_error_get(); nih_free(nerr); - free_abs_cgroup(cgroup); + free(cgroup); cgm_dbus_disconnect(); return -1; } cgm_dbus_disconnect(); - free_abs_cgroup(cgroup); + free(cgroup); newlen = strlen(result); if (!len || !value) { // user queries the size 
@@ -790,21 +789,22 @@ static int cgm_set(const char *filename, const char *value, const char *name, co return -1; *key = '\0'; - if (!cgm_dbus_connect()) { - ERROR(Error connecting to cgroup manager); - free(cgroup); - return false; - } - cgroup = try_get_abs_cgroup(name, lxcpath, controller); + /* use the command interface to look for the cgroup */ + cgroup = lxc_cmd_get_cgroup_path(name, lxcpath, controller); if (!cgroup) { ERROR(Failed to get cgroup for controller %s for %s:%s, controller, lxcpath, name); - cgm_dbus_disconnect(); return -1; } + + if (!cgm_dbus_connect()) { + ERROR(Error connecting to cgroup manager); + free(cgroup); + return false; + } ret = cgm_do_set(controller, filename, cgroup, value); cgm_dbus_disconnect(); - free_abs_cgroup(cgroup); + free(cgroup); return ret; } -- 1.9.1

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [lxc-devel] [PATCH] lxc-oracle: fix ssh login under libvirt-lxc
On Tue, May 20, 2014 at 04:46:10PM -0400, Dwight Engen wrote:

Signed-off-by: Dwight Engen dwight.en...@oracle.com

Acked-by: Stéphane Graber stgra...@ubuntu.com

--- templates/lxc-oracle.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in index 8a8c821..7a704e6 100644 --- a/templates/lxc-oracle.in +++ b/templates/lxc-oracle.in @@ -129,6 +129,8 @@ EOF fi sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*close|#session required pam_selinux.so close|' $container_rootfs/etc/pam.d/login sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*open|#session required pam_selinux.so open|' $container_rootfs/etc/pam.d/login +sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*close|#session required pam_selinux.so close|' $container_rootfs/etc/pam.d/sshd +sed -i 's|session[ \t]*required[ \t]*pam_selinux.so[ \t]*open|#session required pam_selinux.so open|' $container_rootfs/etc/pam.d/sshd # setting /proc/$$/loginuid doesn't work under user namespace, which # prevents logins from working -- 1.9.0

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
[lxc-devel] [lxc/lxc] fd5271: cgmanager: slow down there (don't always grab abs ...
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: fd527175ad02cef8a33999865392f30e69c70dfa https://github.com/lxc/lxc/commit/fd527175ad02cef8a33999865392f30e69c70dfa Author: Serge Hallyn serge.hal...@ubuntu.com Date: 2014-05-20 (Tue, 20 May 2014) Changed paths: M src/lxc/cgmanager.c Log Message: --- cgmanager: slow down there (don't always grab abs cgroup path) When I converted attach and enter to using move_pid_abs, these needed to use the new get_pid_cgroup_abs method to get an absolute path. But for some inexplicable reason I also converted the functions which get and set cgroup properties to use the absolute paths. These are simply not compatible with the cgmanager set_value and get_value methods. This breaks for instance lxc-test-cgpath. So undo that. With this patch lxc-test-cgpath, lxc-test-autotest, and lxc-test-concurrent once again pass in a nested container. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com Commit: 5b457f7bd845026582979e7a8c52ba6c53bdb4d8 https://github.com/lxc/lxc/commit/5b457f7bd845026582979e7a8c52ba6c53bdb4d8 Author: Dwight Engen dwight.en...@oracle.com Date: 2014-05-20 (Tue, 20 May 2014) Changed paths: M templates/lxc-oracle.in Log Message: --- lxc-oracle: fix ssh login under libvirt-lxc Signed-off-by: Dwight Engen dwight.en...@oracle.com Acked-by: Stéphane Graber stgra...@ubuntu.com Compare: https://github.com/lxc/lxc/compare/fd4d297dd620...5b457f7bd845
[lxc-devel] [PATCH] move bdev_specs struct into lxccontainer.h to allow API users to use it
Signed-off-by: S.Çağlar Onur cag...@10ur.org --- src/lxc/bdev.h | 17 - src/lxc/lxccontainer.h | 18 ++ 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/src/lxc/bdev.h b/src/lxc/bdev.h index 0893c11..9d03b10 100644 --- a/src/lxc/bdev.h +++ b/src/lxc/bdev.h @@ -33,23 +33,6 @@ struct bdev; -/* - * specifications for how to create a new backing store - */ -struct bdev_specs { - char *fstype; - uint64_t fssize; // fs size in bytes - struct { - char *zfsroot; - } zfs; - struct { - char *vg; - char *lv; - char *thinpool; // lvm thin pool to use, if any - } lvm; - char *dir; -}; - struct bdev_ops { /* detect whether path is of this bdev type */ int (*detect)(const char *path); diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h index ba15ab7..1d0628a 100644 --- a/src/lxc/lxccontainer.h +++ b/src/lxc/lxccontainer.h @@ -758,6 +758,24 @@ struct lxc_snapshot { void (*free)(struct lxc_snapshot *s); }; + +/*! + * \brief Specifications for how to create a new backing store + */ +struct bdev_specs { +char *fstype; /*! Filesystem type */ +uint64_t fssize; /*! Filesystem size in bytes */ +struct { +char *zfsroot; /*! ZFS root path */ +} zfs; +struct { +char *vg; /*! LVM Volume Group name */ +char *lv; /*! LVM Logical Volume name */ +char *thinpool; /*! LVM thin pool to use, if any */ +} lvm; +char *dir; /*! Directory path */ +}; + /*! * \brief Create a new container. * -- 1.9.1 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
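Review bot: in the `src/lxc/bdev.h` hunk, the `struct bdev_specs` definition is removed but nothing is added in its place, and the diffstat shows only the two headers changed; any prototype in `bdev.h` that takes a `struct bdev_specs *` now refers to a type that is neither declared nor included here, which the compiler reports as a struct declared inside a parameter list that is not visible outside it. Add a forward declaration `struct bdev_specs;` next to the existing `struct bdev;` (or include `lxccontainer.h`, if that does not create a cycle).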
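Review bot: in the `src/lxc/lxccontainer.h` hunk, the per-member comments are written as `/*! ... */` placed after the member (`char *fstype; /*! Filesystem type */`), but Doxygen attaches a `/*!` comment to the declaration that follows it, so "Filesystem type" would document `fssize`, "ZFS root path" the closing of the `zfs` block, and "Directory path" nothing at all. Use the trailing form `/*!< ... */` for these, keeping the `/*! \brief ... */` block for the struct itself. Also confirm that `lxccontainer.h` already includes `<stdint.h>`, since `uint64_t fssize` is now part of the public API header.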
