[lxc-devel] new tag on stable-3.0 to mark CVE-2019-5736 as resolved?

2019-02-27 Thread Harald Dunkel
Hi folks, AFAICS stable-2.0 has got a new tag 2.0.11, including a fix for CVE-2019-5736. There is no new tag on stable-3.0, even though the fix appears to be in, too. Wouldn't it be reasonable to introduce new tags, esp. if a CVE has been fixed on a LTS branch? Is there something missing on

[lxc-devel] improving compatibility with RHEL 7.4 in templates/lxc-centos.in

2018-02-07 Thread Harald Dunkel
), waiting for systemd-remount-fs startup script Of course it still works for RHEL 6, CentOS 6 and 7 as well. I did not verify earlier CentOS or RHEL releases. Signed-off-by: Harald Dunkel <harald.dun...@aixigo.de> Index: lxc-2.0.9/templates/lxc-cen

Re: [lxc-devel] lxc-stop: umount issue?

2017-12-11 Thread Harald Dunkel
Hi Christian, On 12/11/17 4:17 PM, Christian Brauner wrote: What is the container's config file? liblxc itself does not know what drbd devices are and cannot create such containers. So I expect your container's config file to contain a line like: lxc.rootfs = /data1//rootfs Here is a

Re: [lxc-devel] lxc-stop: umount issue?

2017-12-11 Thread Harald Dunkel
Hi Serge, On 12/11/17 4:40 AM, Serge E. Hallyn wrote: Quoting Harald Dunkel (ha...@afaics.de): On 12/07/17 22:30, Serge E. Hallyn wrote: What filesystem are you using? ext4 on a drbd block device: /dev/drbd1 /data1 ext4 rw,noatime,stripe=256,data=ordered 0 0 I have to think drbd would

Re: [lxc-devel] lxc-stop: umount issue?

2017-12-10 Thread Harald Dunkel
On 12/07/17 22:30, Serge E. Hallyn wrote: > > What filesystem are you using? ext4 on a drbd block device: /dev/drbd1 /data1 ext4 rw,noatime,stripe=256,data=ordered 0 0 Regards Harri

[lxc-devel] lxc-stop: umount issue?

2017-12-06 Thread Harald Dunkel
Hi folks, If a LXC server ran for several weeks and if I try to stop a container, then the server gets stuck for a few minutes (see attachment). Please note the : [8541088.226013] Task dump for CPU 31: [8541088.226015] mount R : This might be common for all incidents of this kind,

Re: [lxc-devel] lxc-create: file-based capabilities are lost

2017-07-31 Thread Harald Dunkel
On Sat, 29 Jul 2017 14:06:17 +0200 Christian Brauner wrote: > Merged the patch today. Thanks guys! > Would it be possible to merge this change into the 2.0 branch as well? Thanx very much Harri

Re: [lxc-devel] lxc-create: file-based capabilities are lost

2017-07-28 Thread Harald Dunkel
PS: On Thu, 27 Jul 2017 08:45:49 -0500 "Serge E. Hallyn" wrote: > > It looks like these were done by commit > 44d397891e691ab994a69766cc72e57265b62da1, > and lxc-2.0.0 does have that commit. > 44d397891e691ab994a69766cc72e57265b62da1 was created on Mon Dec 3 09:53:10

Re: [lxc-devel] lxc-create: file-based capabilities are lost

2017-07-28 Thread Harald Dunkel
I verified this on github: % cd /tmp % git clone git://github.com/lxc/lxc Cloning into 'lxc'... remote: Counting objects: 38059, done. remote: Compressing objects: 100% (30/30), done. remote: Total 38059 (delta 19), reused 31 (delta 14), pack-reused 38015 Receiving objects: 100% (38059/38059),

Re: [lxc-devel] lxc-create: file-based capabilities are lost

2017-07-27 Thread Harald Dunkel
Hi Serge, apparently all these fixes have been lost on the 2.0 branch: {hdunkel@dpcl082:lxc (stable-2.0) 507} grep rsync templates/* | grep rootfs templates/lxc-altlinux.in:rsync -Ha $cache/rootfs/ $rootfs_path/ templates/lxc-centos.in:rsync -a $cache/rootfs/ $rootfs_path/

Re: [lxc-devel] config/init/common/lxc-containers.in broken if number of bridges > 1, patch included

2017-02-23 Thread Harald Dunkel
Is there anything missing? Some feedback would be highly appreciated. Harri On 02/21/2017 04:29 PM, Harald Dunkel wrote: > Hi folks, > > if /etc/lxc/default.conf defines 2 or more bridges, then > I get a ton of warnings: > > # service lxc restart > [] St

[lxc-devel] config/init/common/lxc-containers.in broken if number of bridges > 1, patch included

2017-02-21 Thread Harald Dunkel
Nitzsch Signed-off-by: Harald Dunkel <harald.dun...@aixigo.de> Index: lxc-1.1.5.1/config/init/common/lxc-containers.in === --- lxc-1.1.5.1.orig/config/init/common/lxc-containers.in +++ lxc-1.1.5.1/config/init/common/lxc-contain

Re: [lxc-devel] please open lxc-cgroup for unprivileged monitoring

2016-11-07 Thread Harald Dunkel
Hi Serge, On 10/21/16 16:56, Serge E. Hallyn wrote: > Quoting Harald Dunkel (harald.dun...@aixigo.de): >> On 10/20/2016 03:39 PM, Serge E. Hallyn wrote: >>> On Wed, Oct 19, 2016 at 02:10:59PM +0200, Harald Dunkel wrote:

Re: [lxc-devel] please open lxc-cgroup for unprivileged monitoring

2016-10-24 Thread Harald Dunkel
Hi Serge, On 10/21/2016 04:56 PM, Serge E. Hallyn wrote: > > lxc-cgroup talks to the container to find out the cgroup it is running > in. There could for instance be several containers called 'c1' (in > different lxcpaths), which could be running in cgroups c1, c1.0, and c1.1. > And for each

[lxc-devel] please open lxc-cgroup for unprivileged monitoring

2016-10-19 Thread Harald Dunkel
Hi folks, using an unprivileged account for monitoring, lxc-cgroup returns a "permission denied" message for something that is world readable in the /cgroup directory. Sample: % lxc-cgroup -P /data1/lxc -n jerry1 memory.usage_in_bytes lxc-cgroup: tools/lxc_cgroup.c: main: 104 Insufficent

Re: [lxc-devel] lxc-create: file-based capabilities are lost

2016-06-16 Thread Harald Dunkel
Hi Serge, On 06/15/16 19:00, Serge E. Hallyn wrote: > Quoting Harald Dunkel (harald.dun...@aixigo.de): >> >> Using "rsync -SHaAX" in lxc-debian it works (on Jessie). >> Attached you can find a suggested patch for all (lxc 1.1.5). > > Thanks this looks go

Re: [lxc-devel] lxc-create: file-based capabilities are lost

2016-06-15 Thread Harald Dunkel
Hi Serge, On 06/14/16 17:10, Serge E. Hallyn wrote: > > Well I notice that copy_debian() rsyncs without -X. Does > adding -X fix it for you? Using "rsync -SHaAX" in lxc-debian it works (on Jessie). Attached you can find a suggested patch for all (lxc 1.1.5). Thanx for your help Harri Index:

[lxc-devel] lxc.device instead of lxc-device?

2015-10-16 Thread Harald Dunkel
Hi folks, would it be possible to have an option "lxc.device" in the config file, e.g. lxc.autodev = 1 lxc.device = /dev/vg00/lv01 lxc.device = /dev/vg00/lv02 It should make the block devices available to the client, similar to the lxc-device script, but before init and

Re: [lxc-devel] symbolic link for /var/lib/lxc

2015-07-23 Thread Harald Dunkel
Hi Serge, On 07/23/15 15:12, Serge Hallyn wrote: Quoting Harald Dunkel (harald.dun...@aixigo.de): My suggestion would be to use the real lxcpath (resolving all the symlinks and .. and .) for constructing the abstract socket name. Well that's true, perhaps lxc should do a realpath

Re: [lxc-devel] symbolic link for /var/lib/lxc

2015-07-23 Thread Harald Dunkel
Hi Serge, On 07/22/15 22:55, Serge Hallyn wrote: Quoting Harald Dunkel (harald.dun...@aixigo.de): This looks pretty fragile to me. Shouldn't lxc report the same state for both paths, no matter what? No, because when you start the container, it listens on a abstract unix socket, i.e. @/var

[lxc-devel] symbolic link for /var/lib/lxc

2015-07-21 Thread Harald Dunkel
Hi folks, please consider this: # ls -al /var/lib/lxc lrwxrwxrwx 1 root root 11 Aug 11 2014 /var/lib/lxc -> /export/lxc # lxc-ls --fancy NAME STATEIPV4 IPV6 GROUPS AUTOSTART - lxchost01 RUNNING

[lxc-devel] wishlist item: lxc-info --short?

2015-05-12 Thread Harald Dunkel
Hi folks, to avoid postprocessing the output of lxc-info, it would be nice to have an option --short, e.g. # lxc-info -n sample -c lxc.start.auto --short 1 My first guess was that '-q' did the trick, but it didn't. Just a suggestion, of course. Regards Harri

[lxc-devel] lxc 1.1.2: lxc-ls vs lxc-ls -P /var/lib/lxc

2015-04-14 Thread Harald Dunkel
Hi folks, I get a weird effect on running lxc-ls without root: {hdunkel@dpcl082:~ 507} lxc-ls {hdunkel@dpcl082:~ 508} echo $? 0 {hdunkel@dpcl082:~ 509} lxc-ls -P /var/lib/lxc .jessiedebbuild template.blog .mini lxc0 .squeeze oraclient

Re: [lxc-devel] ignore hidden container directories?

2015-04-14 Thread Harald Dunkel
On 04/13/15 14:54, Serge Hallyn wrote: Can you give us an example? Sure, here is a sample session: # lxc-create -P /data1/lxc -n sample42 -t debian -- -r jessie debootstrap is /usr/sbin/debootstrap Checking cache download in /var/cache/lxc/debian/rootfs-jessie-amd64 ... Copying rootfs to

Re: [lxc-devel] lxc 1.1.2: lxc-ls vs lxc-ls -P /var/lib/lxc

2015-04-14 Thread Harald Dunkel
On 04/14/15 15:41, Stéphane Graber wrote: Ever since LXC 1.0.0 (so over a year now), lxc-ls run as non-root lists unprivileged containers stored in ~/.local/share/lxc/ Sorry, I didn't know. Do you think a message like % lxc-ls ~/.local/share/lxc: no such directory or

[lxc-devel] ignore hidden container directories?

2015-04-13 Thread Harald Dunkel
Hi folks, lxc-ls implies a certain similarity to Unix' ls command, but some releases ago lxc stopped ignoring hidden container directories. Did this happen on purpose? Is there a common config option for lxc to bring back the expected behavior wrt hidden directories? Regards Harri

Re: [lxc-devel] LXC 1.1 rc1 has been released

2015-01-24 Thread Harald Dunkel
On 01/21/15 22:27, Stéphane Graber wrote: Hey everyone, So after doing a fair amount of additional manual testing on it, I've just released LXC 1.1 rc1. That means that from now on, we won't be taking new features and will instead work on

Re: [lxc-devel] [PATCH] lxc-debian: support systemd as PID 1

2014-11-25 Thread Harald Dunkel
On Fri, 21 Nov 2014 04:41:00 + Serge Hallyn serge.hal...@ubuntu.com wrote: Michael and/or Stéphane may have other comments , but as you say this will not regress non-systemd hosts so looks like a step in the right direction to me, thanks. I wonder if this could go to the stable-1.0

Re: [lxc-devel] [PATCH] fix the expansion of libexecdir when not explicitly passed to configure

2014-06-21 Thread Harald Dunkel
Hi folks, The patch seems to work. Do you think it would be reasonable to include this fix on the stable-1.0 branch as well? Thanx anyway. Keep on your good work Harri

[lxc-devel] systemd support: generated lxc.service file broken?

2014-06-20 Thread Harald Dunkel
Hi folks, if I build the top of the 1.0.4 branch on Debian, then the generated lxc.service file contains bad ExecStart* and ExecStop options: % ./autogen.sh ; configure; make : : % grep ^Exec config/init/systemd/lxc.service ExecStartPre=${exec_prefix}/libexec/lxc/lxc-devsetup

Re: [lxc-devel] multiple lxc container path directories?

2014-06-12 Thread Harald Dunkel
Hi Michael, On 06/08/14 18:59, Michael H. Warfield wrote: I see, reviewing my notes now, that you were the one who brought it up back in December last year. Funny too that I just got done doing something very very similar for lxc-autostart and the -g/--groups parameter (which is a comma

[lxc-devel] multiple lxc container path directories?

2014-06-08 Thread Harald Dunkel
Hi folks, currently I've got 3 container paths on some hosts: /var/lib/lxc local containers /data1/lxc network services /data2/lxc network services /data1 and /data2 are part of a high availability setup (using

Re: [lxc-devel] [RFC] lxc-start: daemonize by default

2014-05-03 Thread Harald Dunkel
On 05/02/14 16:29, Serge Hallyn wrote: That won't show you the startup msgs as it will attach you to tty1, not /dev/console. Surely the alias was just a vague description. The point is being able to detach from the console, after the

[lxc-devel] Fedora20 container doesn't start

2014-02-15 Thread Harald Dunkel
Hi folks, I tried the fedora template, but it seems the generated image (Fedora 19 or 20) doesn't start. lxc-start returns immediately without any message on stderr. Attached is the debug log file for Fedora 20. lxc is rc2 of this morning. Host is Debian (sid) with kernel 3.13.3. Creating and

Re: [lxc-devel] [PATCH] create fd, stdin, stdout, stderr symlinks in /dev

2014-02-14 Thread Harald Dunkel
That was fast. Thanx very much. Keep on your good work Harri

[lxc-devel] Centos template: symlink for /dev/fd missing?

2014-02-13 Thread Harald Dunkel
Hi folks, Problem in LXC (beta4) running a Centos 6.5 client: # cat <(echo hello) cat: /dev/fd/63: No such file or directory On a real host /dev/fd is a symlink pointing to /proc/self/fd. AFAICS only the altlinux template creates this symlink. Debian seems to provide the link on

Re: [lxc-devel] [PATCH] support a custom CentOS repository

2014-02-04 Thread Harald Dunkel
On 02/04/14 14:53, Serge Hallyn wrote: Thanks everyone. I guess my main question was whether '--repo' would conflict with the 'additional repos' interpretation (sort of like proxy vs. ppa in ubuntu, where one is for fast local mirror while the other is for testing upgraded packages before

Re: [lxc-devel] [PATCH] support a custom CentOS repository

2014-02-03 Thread Harald Dunkel
Hi folks, On 02/04/14 02:18, Serge Hallyn wrote: It looks fine to me, but I'm not quite sure whether users ordinarily would want such a repo to be an additional repo or a replacement for the centos one. Michael, does this look good to you?

[lxc-devel] [PATCH] support a custom CentOS repository

2014-02-02 Thread Harald Dunkel
This change introduces a flag --repo to the lxc-centos template to allow using a local repository (e.g. a loop mounted installer iso on your web server). Signed-off-by: Harald Dunkel ha...@afaics.de --- templates/lxc-centos.in | 14 -- 1 file changed, 12 insertions(+), 2 deletions

[lxc-devel] is there a default group to stop all containers?

2014-01-26 Thread Harald Dunkel
Hi folks, AFAICS lxc-autostart -s ignores all containers unless they match a group or are set to autostart or something. What would you suggest to stop the rest, e.g. at shutdown time of the server? Is there a default group without saying? Of course I tried lxc-autostart -s -a. No luck.