Re: [lxc-devel] odd freezer cgroup behavior
On Wed, Oct 28, 2015 at 11:55:32AM +0100, Christian Brauner wrote:
> On Wed, Oct 28, 2015 at 04:08:09PM +0900, Tycho Andersen wrote:
> > Hi all,
> >
> > I'm seeing some (what seems to me to be) odd behavior, where only a
> > task's init process is in its freezer cgroup:
> >
> > firedrill:~ sudo lxc-info -n proposed
> > Name: proposed
> > State: RUNNING
> > PID: 10959
> > IP: 10.0.3.176
> > IP: 10.0.4.1
> > CPU use: 2.77 seconds
> > BlkIO use: 0 bytes
> > Memory use: 24.42 MiB
> > KMem use: 0 bytes
> > Link: vethM6Q3GG
> > TX bytes: 1.01 KiB
> > RX bytes: 3.66 KiB
> > Total bytes: 4.67 KiB
> > firedrill:~ cat /sys/fs/cgroup/freezer/lxc/proposed/tasks
> > 10959
> >
> > I vaguely recall something like this before, but I don't remember how it was
> > resolved. Surely all of the tasks in the container should live in the freezer
> > cgroup?
> >
> > Note that this doesn't seem to happen with LXD (even with privileged
> > containers). Haven't had time to investigate further.
>
> Could this be by any chance related to a kernel bug? I don't see this behaviour
> at all (neither priv nor unpriv):

I suppose so; I'm on,

Linux firedrill 4.2.0-10-generic #12-Ubuntu SMP Tue Sep 15 19:43:01 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

(i.e. ubuntu wily with the latest kernel + lxc). It seems odd to me that the
children aren't here, but perhaps I'm misunderstanding how freezer is supposed
to work.

Tycho

> Archlinux
> Kernel 4.2.5
> lxc 1.1.4
> lxcfs 0.11
> cgmanager 0.39

___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] Security Issue in LxC
On Mon, Oct 26, 2015 at 06:36:05PM +, Jesse Hertz wrote:
> Hello,
>
> I have a security issue in LxC I’d like to report. What is the correct avenue
> to report it to?
>
> Best,
> -jh

Hi,

Either GPG-encrypted to both serge.hal...@ubuntu.com and stgra...@ubuntu.com
or reported at https://launchpad.net/ubuntu/+source/lxc/+filebug, making sure
to mark it as a security issue so that it's only visible to us and the Ubuntu
security team.

Thanks!

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
[lxc-devel] Security Issue in LxC
Hello,

I have a security issue in LxC I’d like to report. What is the correct avenue
to report it to?

Best,
-jh
[lxc-devel] [RFC lxc] hooks: put binary hooks into $libdir/lxc/hooks
Packaging standards usually request arch-dependent binaries to be in the
corresponding libdir, i.e. on Debian unmount-namespace should be in
/usr/lib/x86_64-linux-gnu/lxc/hooks/unmount-namespace.

Putting it in /usr/share will cause the 'lintian' tool to complain with:
E: lxc-pve: arch-dependent-file-in-usr-share usr/share/lxc/hooks/unmount-namespace

Here's a patch to change the directory accordingly.

Wolfgang Bumiller (1):
  hooks: put binary hooks into $libdir/lxc/hooks

 configure.ac      | 1 +
 hooks/Makefile.am | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

--
2.1.4
[lxc-devel] [RFC lxc] hooks: put binary hooks into $libdir/lxc/hooks
Signed-off-by: Wolfgang Bumiller --- configure.ac | 1 + hooks/Makefile.am | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 874b446..29706cc 100644 --- a/configure.ac +++ b/configure.ac @@ -539,6 +539,7 @@ AS_AC_EXPAND(LXCROOTFSMOUNT, "$with_rootfs_path") AS_AC_EXPAND(LXCTEMPLATEDIR, "$datadir/lxc/templates") AS_AC_EXPAND(LXCTEMPLATECONFIG, "$datadir/lxc/config") AS_AC_EXPAND(LXCHOOKDIR, "$datadir/lxc/hooks") +AS_AC_EXPAND(LXCLIBHOOKDIR, "$libdir/lxc/hooks") AS_AC_EXPAND(LXCINITDIR, "$libexecdir") AS_AC_EXPAND(LOGPATH, "$with_log_path") AS_AC_EXPAND(RUNTIME_PATH, "$with_runtime_path") diff --git a/hooks/Makefile.am b/hooks/Makefile.am index 499a2c4..263f62c 100644 --- a/hooks/Makefile.am +++ b/hooks/Makefile.am @@ -1,4 +1,5 @@ hooksdir=@LXCHOOKDIR@ +libhooksdir=@LXCLIBHOOKDIR@ hooks_SCRIPTS = \ clonehostname \ @@ -6,7 +7,7 @@ hooks_SCRIPTS = \ ubuntu-cloud-prep \ squid-deb-proxy-client -hooks_PROGRAMS = \ +libhooks_PROGRAMS = \ unmount-namespace unmount_namespace_SOURCES = \ -- 2.1.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
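Review bot: Existing references to the old install location are not handled. In hooks/Makefile.am the switch from hooks_PROGRAMS to libhooks_PROGRAMS moves unmount-namespace out of @LXCHOOKDIR@ ($datadir/lxc/hooks) into @LXCLIBHOOKDIR@ ($libdir/lxc/hooks), and the diffstat lists only configure.ac and hooks/Makefile.am, so any container configuration or documentation that names the hook by its old path will point at a missing file after an upgrade. Either update those references in the same patch or install a compatibility symlink at the old location, and state the path change in the commit message, which currently carries only the Signed-off-by line; the lintian rationale from the cover letter belongs there too.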
Re: [lxc-devel] [PATCH] lxc-net: switch After target to network-online.target
* Serge Hallyn [2015-10-27 20:05]:
> Otherwise it may start too early and end up taking 10.0.3.1 even
> though eth0 was eventually going to end up on 10.0.3.x.
>
> https://bugs.launchpad.net/juju-core/+bug/1510619
>
> Reported-by: Ryan Harper
> Cc: Martin Pitt
> Signed-off-by: Serge Hallyn
> ---
> config/init/systemd/lxc-net.service.in | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/config/init/systemd/lxc-net.service.in > b/config/init/systemd/lxc-net.service.in > index 0467c0f..1b8ef99 100644 > --- a/config/init/systemd/lxc-net.service.in > +++ b/config/init/systemd/lxc-net.service.in > @@ -1,6 +1,6 @@ > [Unit] > Description=LXC network bridge setup > -After=network.target > +After=network-online.target > Before=lxc.service

This was discovered on a trusty host (x86-64):

# lxc package sets up an lxcbr0 @ 10.0.3.1
1. sudo apt-get install lxc uvtool uvtool-libvirt
2. uvt-simplestreams-libvirt --verbose sync release=wily arch=amd64
3. uvt-kvm create --memory 1024 --cpu 1 --disk 20 --bridge lxcbr0 \
   --password mypass wily-test-lxc release=wily
4. virsh console wily-test-lxc
5. login (ubuntu/mypass)
6. ifconfig lxcbr0

To test the above with (after completing 1-6)

1. modify /lib/systemd/system/lxc-net.service with the above change
2. sudo systemctl daemon-reload
3. sudo rm -f /etc/default/lxc-net
4. sudo rm -rf /var/lib/cloud/instances/*
5. sudo reboot

After rebooting and logging in:

1. ifconfig lxcbr0

This time lxcbr0 is on 10.0.4.1 instead.

Tested-by: Ryan Harper

--
Ryan Harper
Canonical, Ltd.
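Review bot: The [Unit] section in this hunk gains After=network-online.target but no matching Wants=network-online.target. After= only orders units that are already part of the boot transaction; if nothing else on the host pulls in network-online.target, the new ordering has no effect and lxc-net can still start before eth0 has its address. Add a Wants=network-online.target line next to the After= line so the unit does not depend on some other service requesting that target.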
Re: [lxc-devel] odd freezer cgroup behavior
On Wed, Oct 28, 2015 at 04:08:09PM +0900, Tycho Andersen wrote:
> Hi all,
>
> I'm seeing some (what seems to me to be) odd behavior, where only a
> task's init process is in its freezer cgroup:
>
> firedrill:~ sudo lxc-info -n proposed
> Name: proposed
> State: RUNNING
> PID: 10959
> IP: 10.0.3.176
> IP: 10.0.4.1
> CPU use: 2.77 seconds
> BlkIO use: 0 bytes
> Memory use: 24.42 MiB
> KMem use: 0 bytes
> Link: vethM6Q3GG
> TX bytes: 1.01 KiB
> RX bytes: 3.66 KiB
> Total bytes: 4.67 KiB
> firedrill:~ cat /sys/fs/cgroup/freezer/lxc/proposed/tasks
> 10959
>
> I vaguely recall something like this before, but I don't remember how it was
> resolved. Surely all of the tasks in the container should live in the freezer
> cgroup?
>
> Note that this doesn't seem to happen with LXD (even with privileged
> containers). Haven't had time to investigate further.

Could this be by any chance related to a kernel bug? I don't see this behaviour
at all (neither priv nor unpriv):

Archlinux
Kernel 4.2.5
lxc 1.1.4
lxcfs 0.11
cgmanager 0.39
[lxc-devel] odd freezer cgroup behavior
Hi all,

I'm seeing some (what seems to me to be) odd behavior, where only a
task's init process is in its freezer cgroup:

firedrill:~ sudo lxc-info -n proposed
Name: proposed
State: RUNNING
PID: 10959
IP: 10.0.3.176
IP: 10.0.4.1
CPU use: 2.77 seconds
BlkIO use: 0 bytes
Memory use: 24.42 MiB
KMem use: 0 bytes
Link: vethM6Q3GG
TX bytes: 1.01 KiB
RX bytes: 3.66 KiB
Total bytes: 4.67 KiB
firedrill:~ cat /sys/fs/cgroup/freezer/lxc/proposed/tasks
10959

I vaguely recall something like this before, but I don't remember how it was
resolved. Surely all of the tasks in the container should live in the freezer
cgroup?

Note that this doesn't seem to happen with LXD (even with privileged
containers). Haven't had time to investigate further.

Thanks,
Tycho
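A way to check for the situation described in this thread, as an added example that is not part of the original posts or of LXC: it walks the process tree under a container's init PID and reports every descendant whose freezer cgroup differs from init's. It assumes the cgroup-v1 layout of /proc/<pid>/cgroup; the function names are hypothetical and the sample /proc tree is constructed.

```python
import os
import tempfile

def freezer_path(proc_root, pid):
    """cgroup-v1 freezer path recorded in <proc_root>/<pid>/cgroup, or None."""
    try:
        with open(os.path.join(proc_root, str(pid), "cgroup")) as f:
            for line in f:
                _, controllers, path = line.rstrip("\n").split(":", 2)
                if "freezer" in controllers.split(","):
                    return path
    except (OSError, ValueError):
        pass  # process exited mid-scan, or a malformed line
    return None

def parent_pid(proc_root, pid):
    with open(os.path.join(proc_root, str(pid), "stat")) as f:
        # comm may contain spaces or ')', so parse after the last ')'
        return int(f.read().rsplit(")", 1)[1].split()[1])

def descendants(proc_root, init_pid):
    children = {}
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            children.setdefault(parent_pid(proc_root, entry), []).append(int(entry))
        except (OSError, IndexError, ValueError):
            continue  # raced with process exit
    todo, seen = [init_pid], []
    while todo:
        pid = todo.pop()
        seen.append(pid)
        todo.extend(children.get(pid, []))
    return sorted(seen)

def stray_tasks(proc_root, init_pid):
    """Map pid -> freezer path for descendants outside init's freezer cgroup."""
    expected = freezer_path(proc_root, init_pid)
    paths = {p: freezer_path(proc_root, p) for p in descendants(proc_root, init_pid)}
    return {p: path for p, path in paths.items() if path != expected}

def build_sample_proc():
    """Constructed /proc-like tree: init 10959 plus two children, one misplaced."""
    root = tempfile.mkdtemp()
    sample = {1: (0, "/"), 10959: (1, "/lxc/proposed"),
              11001: (10959, "/lxc/proposed"), 11002: (10959, "/")}
    for pid, (ppid, cg) in sample.items():
        os.mkdir(os.path.join(root, str(pid)))
        with open(os.path.join(root, str(pid), "stat"), "w") as f:
            f.write(f"{pid} (my (odd) proc) S {ppid} {pid} {pid} 0 -1\n")
        with open(os.path.join(root, str(pid), "cgroup"), "w") as f:
            f.write(f"5:memory:/x\n4:freezer:{cg}\n")
    return root
```

On a live host the call would be `stray_tasks("/proc", 10959)` with the PID that lxc-info reports; processes that entered the container without being forked from its init are outside this parent-PID walk.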