Re: [Lxc-users] Piping output of lxc-monitor to a file without buffering

2012-09-07 Thread Ken Elkabany
On Thu, Sep 6, 2012 at 11:13 PM, Fajar A. Nugraha  wrote:

> On Fri, Sep 7, 2012 at 7:46 AM, Ken Elkabany  wrote:
> > Hi,
> >
> > The following outputs container state changes to the terminal as
> expected:
> >
> > $ lxc-monitor -n container-1
> >
> > However, the following outputs the same state changes to a file only
> after a
> > certain buffer size has been reached:
> >
> > $ lxc-monitor -n container-1 &> output
> >
> > This is problematic because it means that live monitoring cannot be done
> by
> > a separate program. The buffering delays messages, potentially
> indefinitely.
> >
> > Is there a way around this?
>
> (optional: start a screen session)
> $ script -f /path/to/your-logfile.txt
> $ lxc-monitor -n container-1
>
> ... and on other terminal
> $ tail -f /path/to/your-logfile.txt
>
> --
> Fajar
>

Unfortunately, in my application there won't be any open terminals. I
simply used that as an example to illustrate my point.

Ken
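What Ken is seeing is the usual stdio rule: stdout is line-buffered when it is a terminal and fully buffered when it is a file or a pipe, so a long-running monitor that never flushes delivers nothing until its buffer fills or it exits. The script below is an added example, not code from the thread or from LXC. It uses a constructed Python producer as a stand-in for lxc-monitor (one "state change" line, then the process keeps running) and a consumer reading through a pipe, and shows that the consumer sees the first line promptly only when the producer flushes after writing. For a tool you cannot change, the host-side equivalents are Fajar's `script -f` (which gives the program a pseudo-terminal, so stdio stays line-buffered) or GNU coreutils' `stdbuf -oL`, which works for dynamically linked programs that write through glibc stdio and do not set their own buffering.

```python
import select
import subprocess
import sys

# Constructed stand-in for lxc-monitor: emit one "state change" line through
# stdio, then keep running. argv[1] decides whether the line is flushed.
PRODUCER = r"""
import sys, time
flush = sys.argv[1] == "flush"
print("'container-1' changed state to [RUNNING]", flush=flush)
time.sleep(5)   # still alive; without a flush the line sits in the stdio buffer
"""


def first_line_arrives(flush: bool, timeout: float = 2.0) -> bool:
    """Run the producer with stdout connected to a pipe (not a tty) and report
    whether its first line becomes readable within `timeout` seconds.

    This is the same situation as `lxc-monitor -n c1 &> output`: the writer's
    stdout is not a terminal, so stdio switches to full buffering.
    """
    proc = subprocess.Popen(
        [sys.executable, "-c", PRODUCER, "flush" if flush else "buffer"],
        stdout=subprocess.PIPE,
    )
    try:
        # select() tells us whether any bytes reached the pipe yet.
        readable, _, _ = select.select([proc.stdout], [], [], timeout)
        return bool(readable)
    finally:
        proc.kill()
        proc.wait()
        proc.stdout.close()


if __name__ == "__main__":
    print("buffered producer, first line visible within 2 s:",
          first_line_arrives(flush=False))
    print("flushing producer, first line visible within 2 s:",
          first_line_arrives(flush=True))
```

The buffered run reports False: the event is in the producer's memory, not in the pipe, and a separate monitoring program would not see it until the buffer filled or the producer exited. The flushing run reports True. The same split applies to a file target, which is why the redirected lxc-monitor output appears only in bursts.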
--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
___
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users


Re: [Lxc-users] Hard links to fifos not permitted in ephemeral containers? (was: Re: selinux trouble in lxc?)

2012-09-07 Thread Serge Hallyn
Quoting Dan Kegel (d...@kegel.com):
> On Fri, Sep 7, 2012 at 4:01 PM, Dan Kegel  wrote:
> >>   mkfifo /tmp/fifo
> >>   ln /tmp/fifo /tmp/fifo2
> >> fails with "operation not permitted".
> >>
> > Aha.  Starting with 'lxc-start' yields a system which can do the ln.
> > Starting with 'lxc-start-ephemeral' yields a system which can't.
> > Has nothing to do with /tmp.
> >
> > Is overlayfs at fault?
> 
> I see there are several rumored sources of restrictions on hardlinks, e.g.
> https://lkml.org/lkml/2011/5/19/384
> https://lkml.org/lkml/2012/2/21/397
> 
> And I see this is a known issue:
> http://comments.gmane.org/gmane.linux.ubuntu.devel/34948
> 
> Happily, using the -U aufs option to lxc-start-ephemeral seems to work
> around the problem, at least in my little test.  I'll know soon if it fixes
> my real system.
> 
> But I was not able to find a bug for this issue in launchpad.  Should
> I file one?

There are several other bugs in overlayfs which are not hurriedly
getting fixed.  If you have a testcase to show that it's definitely
an overlayfs bug, you might just take it to lkml.

But yeah, filing a bug against 'linux' (the kernel package) saying
it's an overlayfs bug would be good.

thanks,
-serge
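Serge asks for a testcase that pins the failure on overlayfs. The script below is an added example, not code from the thread or from LXC; it reproduces Dan's two commands (`mkfifo` then `ln`) from Python, runs the same hard-link probe on a regular file for comparison, and reports the filesystem type of the directory it tested by matching the longest mount point in `/proc/self/mounts`. Running it with a directory on the ephemeral container's overlay root and again on a plain ext4 or tmpfs directory gives the two data points a bug report needs: a FIFO link that fails with EPERM only on the overlay mount, while regular-file links succeed on both. The `/proc/self/mounts` lookup is an assumption of a Linux host; elsewhere the type is reported as "unknown".

```python
import errno
import os
import tempfile


def fstype_of(path: str) -> str:
    """Best-effort filesystem type of the mount holding `path`, read from
    /proc/self/mounts (longest matching mount point wins). 'unknown' elsewhere."""
    real = os.path.realpath(path)
    best_mnt, best_type = "", "unknown"
    try:
        with open("/proc/self/mounts") as mounts:
            for line in mounts:
                fields = line.split()
                if len(fields) < 3:
                    continue
                mnt, fstype = fields[1], fields[2]
                prefix = mnt.rstrip("/") + "/"
                if (real == mnt or real.startswith(prefix)) and len(mnt) > len(best_mnt):
                    best_mnt, best_type = mnt, fstype
    except OSError:
        pass
    return best_type


def probe_hardlink(directory: str, fifo: bool):
    """Create a FIFO (fifo=True) or an empty regular file in `directory` and
    try to hard-link it, as `mkfifo f; ln f f2` does.
    Returns (ok, errno) where errno is None on success."""
    src = os.path.join(directory, "src")
    dst = os.path.join(directory, "dst")
    try:
        if fifo:
            os.mkfifo(src)
        else:
            open(src, "w").close()
        os.link(src, dst)
        return True, None
    except OSError as exc:
        return False, exc.errno
    finally:
        for path in (src, dst):
            try:
                os.unlink(path)
            except FileNotFoundError:
                pass


def run_testcase(base_dir=None) -> dict:
    """Run both probes in a fresh temporary directory under `base_dir`
    (default: the system temp dir) and report the filesystem type alongside,
    so the result can be compared across an overlay and a plain mount."""
    with tempfile.TemporaryDirectory(dir=base_dir) as d:
        return {
            "fstype": fstype_of(d),
            "regular_file": probe_hardlink(d, fifo=False),
            "fifo": probe_hardlink(d, fifo=True),
        }


if __name__ == "__main__":
    import sys
    result = run_testcase(sys.argv[1] if len(sys.argv) > 1 else None)
    print(f"filesystem: {result['fstype']}")
    for kind in ("regular_file", "fifo"):
        ok, err = result[kind]
        status = "ok" if ok else f"FAILED ({errno.errorcode.get(err, err)})"
        print(f"hard link of {kind}: {status}")
```

Usage: `python3 fifo_link_probe.py /path/inside/ephemeral/rootfs` and `python3 fifo_link_probe.py /tmp`. A report that quotes both outputs, with the kernel version, is much easier for the overlayfs maintainers to act on than a description of the symptom in an application.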



Re: [Lxc-users] Hard links to fifos not permitted in ephemeral containers? (was: Re: selinux trouble in lxc?)

2012-09-07 Thread Dan Kegel
On Fri, Sep 7, 2012 at 4:01 PM, Dan Kegel  wrote:
>>   mkfifo /tmp/fifo
>>   ln /tmp/fifo /tmp/fifo2
>> fails with "operation not permitted".
>>
> Aha.  Starting with 'lxc-start' yields a system which can do the ln.
> Starting with 'lxc-start-ephemeral' yields a system which can't.
> Has nothing to do with /tmp.
>
> Is overlayfs at fault?

I see there are several rumored sources of restrictions on hardlinks, e.g.
https://lkml.org/lkml/2011/5/19/384
https://lkml.org/lkml/2012/2/21/397

And I see this is a known issue:
http://comments.gmane.org/gmane.linux.ubuntu.devel/34948

Happily, using the -U aufs option to lxc-start-ephemeral seems to work
around the problem, at least in my little test.  I'll know soon if it fixes
my real system.

But I was not able to find a bug for this issue in launchpad.  Should
I file one?
- Dan



[Lxc-users] Hard links to fifos not permitted in ephemeral containers? (was: Re: selinux trouble in lxc?)

2012-09-07 Thread Dan Kegel
On Fri, Sep 7, 2012 at 3:47 PM, Dan Kegel  wrote:
> I just discovered that, inside my lxc ubuntu 10.04 container, doing
>   mkfifo /tmp/fifo
>   ln /tmp/fifo /tmp/fifo2
> fails with "operation not permitted".
>
> This makes the app I'm trying to run vewwy vewwy mad, and it
> creates approximately aleph null fifos in /tmp as revenge.
>
> Where is this restriction coming from?

Aha.  Starting with 'lxc-start' yields a system which can do the ln.
Starting with 'lxc-start-ephemeral' yields a system which can't.
Has nothing to do with /tmp.

Is overlayfs at fault?
- Dan



[Lxc-users] selinux trouble in lxc?

2012-09-07 Thread Dan Kegel
I just discovered that, inside my lxc ubuntu 10.04 container, doing
  mkfifo /tmp/fifo
  ln /tmp/fifo /tmp/fifo2
fails with "operation not permitted".

This makes the app I'm trying to run vewwy vewwy mad, and it
creates approximately aleph null fifos in /tmp as revenge.

Where is this restriction coming from?



Re: [Lxc-users] Ephemeral disk space redux: adding --overlaydir option to lxc-start-ephemeral?

2012-09-07 Thread Dan Kegel
On Fri, Sep 7, 2012 at 1:51 PM, Stéphane Graber  wrote:
> I have now pushed lxc-start-ephemeral to the github staging branch as a
> python3 script using the new LXC API rather than as a shell script.

Woot!

> I'll add myself a todo item to port your change to the python version.
>
> Looking at it, it shouldn't be too difficult to do, though I'm not sure
> how that option should work when you have more than one overlayfs (when
> you have bind mount entries in the source container's fstab).

Another wrinkle: I have since discovered that badly behaved
client systems can produce overlay directories that are hard to
clean up (e.g. it takes too long to delete the million fifos one left
behind in /tmp), so I may change the script to create a filesystem
using loopback mount on a file.  This is getting kind of complex,
especially the cleanup!
- Dan



Re: [Lxc-users] Ephemeral disk space redux: adding --overlaydir option to lxc-start-ephemeral?

2012-09-07 Thread Stéphane Graber
On 12-09-05 07:02 PM, Dan Kegel wrote:
> On Wed, Sep 5, 2012 at 3:25 PM, Dan Kegel  wrote:
>> I see Florian asked this a few weeks ago:
>> So that's one more requirement discovered: I need lxc-start-ephemeral
>> to support nontrivial amounts of disk storage, more than will
>> fit in tmpfs.
>>
>> Maybe I'll add an argument "--overlaydir PATH" for where to store the files;
>> if that's set, setup_container() will use that rather than doing
>> OVERLAY_DIR=`mktemp -d /tmp/lxc-lp-XXX`
>> sudo mount -t tmpfs none $OVERLAY_DIR
>>
>> For safety, I would create a subdirectory inside the specified directory,
>> and use that for $OVERLAY_DIR.  That would let me clean up
>> that directory before and after runs without worrying about
>> accidentally destroying the host system if the user makes a typo.
> 
> Kinda like the attached patch.  (It's a little dirty.  I'll try to
> send a clean one
> once I've actually used it in production for a while.)

Hi Dan,

Sorry for not replying to this e-mail earlier.

I have now pushed lxc-start-ephemeral to the github staging branch as a
python3 script using the new LXC API rather than as a shell script.

I'll add myself a todo item to port your change to the python version.

Looking at it, it shouldn't be too difficult to do, though I'm not sure
how that option should work when you have more than one overlayfs (when
you have bind mount entries in the source container's fstab).


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
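Dan's safety idea for `--overlaydir` (always work in a subdirectory the script created itself, so cleanup can never hit the wrong tree after a typo) is worth making explicit, because an unguarded `rm -rf "$OVERLAY_DIR"` with an empty or mistyped variable is a classic way to lose a host. The script below is an added example, not the lxc-start-ephemeral code (shell or Python) discussed in the thread. It assumes a hypothetical `--overlaydir` value as `base`, creates a uniquely named child with a sentinel file, and refuses to delete anything that is not a direct, sentinel-marked child of `base`, or that is still a mount point.

```python
import os
import shutil
import tempfile

MARKER = ".lxc-ephemeral-overlay"   # sentinel: proves this script created the dir


def setup_overlay_dir(base: str) -> str:
    """Create a uniquely named subdirectory of `base` (the --overlaydir value)
    for the container's upper layer and mark it as ours."""
    base = os.path.realpath(base)
    if not os.path.isdir(base):
        raise ValueError(f"overlay base directory does not exist: {base!r}")
    overlay = tempfile.mkdtemp(prefix="lxc-lp-", dir=base)
    with open(os.path.join(overlay, MARKER), "w") as f:
        f.write("created by setup_overlay_dir; safe to delete after unmount\n")
    return overlay


def cleanup_overlay_dir(base: str, overlay: str) -> None:
    """Delete `overlay` only if every guard passes; otherwise raise instead of
    recursing into something that was never ours (the typo case)."""
    base = os.path.realpath(base)
    real = os.path.realpath(overlay)
    # Guard 1: a direct child of base, so "/", "", base itself never qualify.
    if os.path.dirname(real) != base:
        raise ValueError(f"refusing to delete {real!r}: not a direct child of {base!r}")
    # Guard 2: the name pattern this script uses.
    if not os.path.basename(real).startswith("lxc-lp-"):
        raise ValueError(f"refusing to delete {real!r}: not an lxc-lp-* directory")
    # Guard 3: the sentinel written at setup time.
    if not os.path.isfile(os.path.join(real, MARKER)):
        raise ValueError(f"refusing to delete {real!r}: missing {MARKER} sentinel")
    # Guard 4: never rmtree through a live overlay/tmpfs/loop mount.
    if os.path.ismount(real):
        raise RuntimeError(f"{real!r} is still a mount point; unmount it first")
    shutil.rmtree(real)


def demo() -> dict:
    """Exercise the guards in a throwaway base directory and report outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        overlay = setup_overlay_dir(base)
        results["created_inside_base"] = os.path.dirname(overlay) == os.path.realpath(base)
        # Each of these is a plausible typo or empty-variable outcome.
        for label, victim in (("base_itself", base), ("root", "/"), ("empty_string", "")):
            try:
                cleanup_overlay_dir(base, victim)
                results[label] = "DELETED"
            except (ValueError, RuntimeError):
                results[label] = "refused"
        # A sibling with the right name but no sentinel is not ours either.
        stray = os.path.join(base, "lxc-lp-notours")
        os.mkdir(stray)
        try:
            cleanup_overlay_dir(base, stray)
            results["unmarked_sibling"] = "DELETED"
        except ValueError:
            results["unmarked_sibling"] = "refused"
        cleanup_overlay_dir(base, overlay)
        results["own_dir_removed"] = not os.path.exists(overlay)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The mount-point guard matters for Dan's later plan of a loopback-mounted file: deleting a directory that still has a filesystem mounted on it either fails part way or, with an overlay, removes the upper layer from under a running container, so the unmount must come first and the cleanup must check that it happened.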





[Lxc-users] lxc staging branch on github

2012-09-07 Thread Stéphane Graber
Hello everyone,

As you probably noticed Serge and I have been trying to keep up with all
the changes going to the lxc-users and lxc-devel mailing lists with some
varying success.

For quite a while now Serge has been maintaining a separate git branch
on github where he'd merge the changes that we're using in Ubuntu and
then regularly ask Daniel to review the branch and merge into the master
branch on sourceforge.

To try and make this all a bit more official, I took ownership of the
lxc project on github at: https://github.com/lxc
We now have an lxc repository at: https://github.com/lxc/lxc

With the main branch being called "staging" and containing what used to
be in Serge's tree.
This should now make it pretty easy for contributors to branch and send
over pull requests.

We'll continue monitoring the mailing-lists and merging the changes
proposed on there as soon as it seems we reached an agreement.


It'd be great if anyone who submitted changes on the mailing-list or
through any other means could check that their changes are in the staging
tree and if not, re-submit the change so we can include it.


@Daniel: Please let me know if you have a github account so I can add
you to the project admins.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com





Re: [Lxc-users] lxc, CIFS mounts, MySQL SSL and apparmor

2012-09-07 Thread TuxRaiderPen
On Thursday, September 06, 2012 09:25:54 you wrote:
> > [ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED"
> > operation="mount" info="failed type match" error=-13 parent=5073
> > profile="lxc- container-default" name="/mnt/wxdata/" pid=5074
> > comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share"
> > flags="rw"
> 
> I haven't tried this, but it sure looks like this should be fixed with your
> rule.
> 
> > Short of turning apparmor off, which is my next step...
> 
> Well it's certainly worth trying turning apparmor off (just with
> lxc.aa_profile = unconfined) to make sure it's the problem.  The
> network filesystems are still persnickety in containers, and I'm
> not even sure cifs will work at all.
> 
> > Any apparmor gurus know how to remove this block???

lxc.aa_profile=unconfined

in the container profile, does allow the CIFS/Samba mount to work

Stopping and starting the container DOES NOT allow the mount to work with the
rule change I made.

Any ideas on changes to the rules for apparmor  ?

And still *no joy* on the MySQL SSL front, still "DISABLED" which means that
something else is not enabled or blocking it, as "NO" would mean MySQL didn't
support SSL. So it appears apparmor is not the culprit here as it's disabled.
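Before loosening a profile, it helps to read the denial precisely: the audit line names the profile, the operation, the source and target of the mount, the filesystem type and the flags, and `info="failed type match"` points at the fstype condition of the mount rules rather than at the path. The parser below is an added example, not part of LXC or AppArmor. Its sample log is constructed: the first line mirrors the denial quoted above (with the profile name written as `lxc-container-default`, which the archive's line wrapping split), and the other two lines are made up so the filter can be seen ignoring non-mount events.

```python
import re

# Constructed sample log: line 1 mirrors the denial in the thread, lines 2 and 3
# are invented non-mount events that the filter should skip.
SAMPLE_LOG = """\
[ 2828.314451] type=1400 audit(1346445533.683:25): apparmor="DENIED" operation="mount" info="failed type match" error=-13 parent=5073 profile="lxc-container-default" name="/mnt/wxdata/" pid=5074 comm="mount.cifs" fstype="cifs" srcname="//192.168.0.10/Share" flags="rw"
[ 2830.000000] type=1400 audit(1346445535.000:26): apparmor="STATUS" operation="profile_replace" name="lxc-container-default" pid=5080 comm="apparmor_parser"
[ 2831.500000] type=1400 audit(1346445536.500:27): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/proc/sysrq-trigger" pid=5090 comm="cat" requested_mask="w" denied_mask="w"
"""

# key="quoted value with spaces"  or  key=bare_value
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
AUDIT_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_audit_line(line: str) -> dict:
    """Turn one AppArmor audit line into a dict of its key=value fields,
    plus the audit timestamp and serial number."""
    fields = {}
    m = AUDIT_RE.search(line)
    if m:
        fields["timestamp"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    for key, _whole, quoted, bare in KV_RE.findall(line):
        fields[key] = bare if bare else quoted
    return fields


def mount_denials(log_text: str):
    """Yield the parsed DENIED mount events, the ones a profile change
    (or lxc.aa_profile) has to account for."""
    for line in log_text.splitlines():
        event = parse_audit_line(line)
        if event.get("apparmor") == "DENIED" and event.get("operation") == "mount":
            yield event


def describe(event: dict) -> str:
    """One-line summary of a mount denial for a triage note."""
    return (f"profile {event.get('profile')} denied {event.get('comm')} "
            f"(pid {event.get('pid')}) mounting {event.get('fstype')} "
            f"{event.get('srcname')} on {event.get('name')} "
            f"flags={event.get('flags')} info={event.get('info')!r}")


if __name__ == "__main__":
    for ev in mount_denials(SAMPLE_LOG):
        print(describe(ev))
```

Running this over `dmesg` or `/var/log/kern.log` output gives a list of exactly which filesystem types, sources and targets the container's profile rejected, which is the information needed to write a mount rule no broader than the one mount the container actually performs instead of falling back to `lxc.aa_profile = unconfined`.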




Re: [Lxc-users] Using VMware as a test-bed for hosting lxc containers. [SOLVED]

2012-09-07 Thread Peter-Frank Spierenburg

Greetings,
Apologies for being a bonehead. The routing table in the container was problem
#1, plus it turns out that I also forgot to turn on IP routing inside the VM.
DOH!
Anyway, thanks so much for your help.
Have a good day.

> Date: Fri, 7 Sep 2012 11:35:06 +0700
> Subject: Re: [Lxc-users] Using VMware as a test-bed for hosting lxc 
> containers.
> From: l...@fajar.net
> To: spier...@hotmail.com
> CC: lxc-users@lists.sourceforge.net
> 
> On Fri, Sep 7, 2012 at 11:29 AM, Peter-Frank Spierenburg
>  wrote:
> > Anyway, I am having trouble convincing the lxc guests to talk to the network
> > outside the box hosting the vm hosting the container.
> 
> If you use latest ubuntu it'll work out of the box.
> 
> > I've also got iptables configured to do the masquerading for the br0 device:
> 
> I usually just let lxc or libvirt create lxcbr0/virbr0, with the
> necessary rules. Much simpler that way.
> 
> 
> > Finally, one of the lxc containers:
> >
> > eth0  Link encap:Ethernet  HWaddr 00:16:3e:38:88:bb
> >   inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
> 
> 
> > Kernel IP routing table
> > Destination Gateway Genmask Flags Metric RefUse
> > Iface
> > 0.0.0.0 192.168.2.1 0.0.0.0 UG0  00 eth0
> 
> 
> And you're wondering why it DOESN'T work? Seriously?
> Hint: check the ip address on eth0 and the gateway.
> 
> -- 
> Fajar
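Fajar's hint is that the container's default gateway (192.168.2.1) is the container's own eth0 address, so the default route points back at the container itself. The script below is an added example, not code from the thread; it parses the two outputs quoted above (reproduced here as constructed text with the column spacing restored), extracts the interface address and default route, and flags the mismatches a first-time bridge setup tends to produce: a gateway equal to the interface's own address, a gateway outside the interface's subnet, or a gateway on the network or broadcast address. It also includes a read of `/proc/sys/net/ipv4/ip_forward`, the other thing Peter-Frank found he had forgotten, which assumes a Linux host.

```python
import ipaddress
import re

# Constructed copies of the outputs quoted in the thread, with columns re-spaced.
IFCONFIG_TEXT = """\
eth0      Link encap:Ethernet  HWaddr 00:16:3e:38:88:bb
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
"""
ROUTE_TEXT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
"""
# Constructed variant: the container given its own address, gateway left as is.
FIXED_IFCONFIG_TEXT = IFCONFIG_TEXT.replace("addr:192.168.2.1 ", "addr:192.168.2.10")

INET_RE = re.compile(r"inet addr:(\S+)\s+Bcast:\S+\s+Mask:(\S+)")


def parse_ifconfig(text: str) -> dict:
    """Map interface name -> IPv4Interface from legacy 'ifconfig' output."""
    result, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]          # a new interface block starts
        m = INET_RE.search(line)
        if m and current:
            result[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return result


def parse_default_routes(text: str) -> list:
    """Return [(gateway, iface)] for default routes in 'route -n' output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == "0.0.0.0" and f[2] == "0.0.0.0":
            routes.append((ipaddress.ip_address(f[1]), f[7]))
    return routes


def check_default_route(ifaces: dict, routes: list) -> list:
    """Return human-readable problems with the default route, or [] if sane."""
    if not routes:
        return ["no default route at all"]
    problems = []
    for gw, dev in routes:
        iface = ifaces.get(dev)
        if iface is None:
            problems.append(f"default route via {gw} uses {dev}, which has no IPv4 address")
            continue
        net = iface.network
        if gw == iface.ip:
            problems.append(f"default gateway {gw} is {dev}'s own address; "
                            "the container would route to itself")
        elif gw not in net:
            problems.append(f"default gateway {gw} is outside {dev}'s subnet {net}")
        elif gw in (net.network_address, net.broadcast_address):
            problems.append(f"default gateway {gw} is the network or broadcast address of {net}")
    return problems


def ip_forwarding_enabled(path: str = "/proc/sys/net/ipv4/ip_forward"):
    """True/False from the sysctl file, or None where it cannot be read."""
    try:
        with open(path) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


if __name__ == "__main__":
    routes = parse_default_routes(ROUTE_TEXT)
    for label, text in (("as posted", IFCONFIG_TEXT), ("fixed", FIXED_IFCONFIG_TEXT)):
        problems = check_default_route(parse_ifconfig(text), routes)
        print(f"{label}: {problems or 'default route looks sane'}")
    print("ip_forward on this host:", ip_forwarding_enabled())
```

On the host side the same check is worth running on the VM, together with the `ip_forward` read and the iptables masquerade rule, since a correct container route still goes nowhere if the VM does not forward between br0 and its uplink.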