[lxc-devel] [PATCH] doc: Update man pages to the latest information
* lxc-attach(1): Update to the status of kernel 3.8 or higher * lxc-create(1), lxc-destroy(1): Now lxc-ls don't have -l option, so remove * lxc(7): update description of lxc-ls and lxc-info to current version * see-also: fix lxc(1) to lxc(7) Signed-off-by: KATOH Yasufumi ka...@jazz.email.ne.jp --- doc/ja/lxc-attach.sgml.in | 17 - doc/ja/lxc-create.sgml.in | 4 ++-- doc/ja/lxc-destroy.sgml.in | 4 ++-- doc/ja/lxc.sgml.in | 32 +--- doc/ja/see_also.sgml.in| 2 +- doc/lxc-attach.sgml.in | 10 +- doc/lxc-create.sgml.in | 2 +- doc/lxc-destroy.sgml.in| 2 +- doc/lxc.sgml.in| 17 +++-- doc/see_also.sgml.in | 2 +- 10 files changed, 29 insertions(+), 63 deletions(-) diff --git a/doc/ja/lxc-attach.sgml.in b/doc/ja/lxc-attach.sgml.in index 50b9de9..5b8d9f3 100644 --- a/doc/ja/lxc-attach.sgml.in +++ b/doc/ja/lxc-attach.sgml.in @@ -339,13 +339,14 @@ by KATOH Yasufumi karma at jazz.email.ne.jp para !-- Attaching completely (including the pid and mount namespaces) to a - container requires a patched kernel, please see the lxc website for + container requires a kernel of version 3.8 or higher, or a + patched kernel, please see the lxc website for details. commandlxc-attach/command will fail in that case if - used with an unpatched kernel. + used with an unpatched kernel of version 3.7 and prior. -- - (pid とマウント名前空間を含む) コンテナに対する完全なアタッチを行うにはパッチを適用したカーネルが必要となります. + (pid とマウント名前空間を含む) コンテナに対する完全なアタッチを行うには 3.8 以上,もしくはパッチを適用したカーネルが必要となります. 詳しくは lxc のウェブサイトを参照してください. - (訳注: 3.8 カーネルから PID, マウント名前空間に対するアタッチも可能になっている) + パッチが当たっていない 3.8 より小さなバージョンのカーネルを使った場合は,commandlxc-attach/command の実行は失敗するでしょう. /para para !-- 
@@ -359,12 +360,10 @@ by KATOH Yasufumi karma at jazz.email.ne.jp /para para !-- - Attaching to user namespaces is currently completely unsupported - by the kernel. commandlxc-attach/command should however be able - to do this once once future kernel versions implement this. + Attaching to user namespaces is supported by kernel 3.8 or higher + with enabling user namespace. -- - ユーザ名前空間へのアタッチは,現時点ではカーネルで完全にサポートされていません. - しかし,commandlxc-attach/command は,将来のカーネルがこの機能を実装した時点ですぐに,アタッチが可能になるはずです. + ユーザ名前空間へのアタッチは,ユーザ名前空間機能を有効にした 3.8 以上のカーネルでサポートされます. /para /refsect1 diff --git a/doc/ja/lxc-create.sgml.in b/doc/ja/lxc-create.sgml.in index 297b3f3..54ab639 100644 --- a/doc/ja/lxc-create.sgml.in +++ b/doc/ja/lxc-create.sgml.in @@ -233,11 +233,11 @@ by KATOH Yasufumi karma at jazz.email.ne.jp !-- As the message mention it, you try to create a container but there is a container with the same name. You can use - the commandlxc-ls -l/command command to list the + the commandlxc-ls/command command to list the available containers on the system. -- メッセージの通り,コンテナを作成しようとしたけれども,同じ名前のコンテナが存在しています. -commandlxc-ls -l/command コマンドを使って,システム上に存在する利用可能なコンテナのリストが表示できます. +commandlxc-ls/command コマンドを使って,システム上に存在する利用可能なコンテナのリストが表示できます. /para /listitem /varlistentry diff --git a/doc/ja/lxc-destroy.sgml.in b/doc/ja/lxc-destroy.sgml.in index 6a1b4fa..c10d8b9 100644 --- a/doc/ja/lxc-destroy.sgml.in +++ b/doc/ja/lxc-destroy.sgml.in @@ -123,12 +123,12 @@ by KATOH Yasufumi karma at jazz.email.ne.jp !-- The specified container for destruction was not found. It is probable it does not exists and was already - destroyed.You can use the commandlxc-ls -l/command + destroyed.You can use the commandlxc-ls/command command to list the available containers on the system. -- 破壊するために指定したコンテナが見つかりません. おそらくそのコンテナが存在しないのか,既に破壊された後なのでしょう. -commandlxc-ls -l/command コマンドを使って,システム上に存在するコンテナのリストを得ることができます. +commandlxc-ls/command コマンドを使って,システム上に存在するコンテナのリストを得ることができます. /para /listitem /varlistentry 
diff --git a/doc/ja/lxc.sgml.in b/doc/ja/lxc.sgml.in index de65331..72fe152 100644 --- a/doc/ja/lxc.sgml.in +++ b/doc/ja/lxc.sgml.in @@ -697,35 +697,15 @@ rootfs para !-- commandlxc-ls/command lists the containers of the - system. The command is a script built on top - of commandls/command, so it accepts the options of the ls - commands, eg: - programlisting - lxc-ls -C1 - /programlisting - will display the containers list in one column or: - programlisting - lxc-ls -l - /programlisting - will display the containers list and their permissions. + system. -- commandlxc-ls/command は,システムのコンテナを一覧します. -このコマンドは commandls/command をうまく利用して作られているスクリプトです. -なので,ls
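Review bot: in the second doc/ja/lxc-attach.sgml.in hunk the new English comment, "Attaching to user namespaces is supported by kernel 3.8 or higher with enabling user namespace.", is ungrammatical and vaguer than the Japanese line it sits beside, which says support requires a 3.8-or-later kernel with the user namespace feature enabled; suggest "Attaching to user namespaces is supported by kernel 3.8 or higher when user namespaces are enabled in the kernel." so the comment and the translation state the same condition. The first hunk is consistent between the two languages ("unpatched kernel of version 3.7 and prior" / "3.8 より小さなバージョンのカーネル").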
Re: [lxc-devel] [PATCH 2/2] add lxc.haltsignal for soft shutdown
-Original Message- From: lxc-devel-boun...@lists.linuxcontainers.org [mailto:lxc-devel- boun...@lists.linuxcontainers.org] On Behalf Of Dwight Engen Sent: Friday, January 03, 2014 9:37 PM To: lxc-devel@lists.linuxcontainers.org Subject: [lxc-devel] [PATCH 2/2] add lxc.haltsignal for soft shutdown - use this in the busybox template since busybox's init expects to receive SIGUSR1 to halt Just as a FYI, patch [1] makes busybox init respond to SIGPWR as well. Best regards, Bogdan P. [1] http://git.busybox.net/busybox/commit/?id=760fc6debcba8cb5ca8d8e2252fac3757c453e11 - fix lxc.stopsignal to be output by write_config so lxcapi_clone() and lxcapi_save_config() will output it Signed-off-by: Dwight Engen dwight.en...@oracle.com --- doc/lxc-stop.sgml.in | 13 ++--- src/lxc/conf.h | 3 ++- src/lxc/confile.c| 28 src/lxc/lxccontainer.c | 5 - templates/lxc-busybox.in | 1 + 5 files changed, 41 insertions(+), 9 deletions(-) diff --git a/doc/lxc-stop.sgml.in b/doc/lxc-stop.sgml.in index bdb0ef5..dc002c5 100644 --- a/doc/lxc-stop.sgml.in +++ b/doc/lxc-stop.sgml.in 
@@ -65,13 +65,12 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA para commandlxc-stop/command reboots, cleanly shuts down, or kills all the processes inside the container. By default, it will - request a clean shutdown of the container (by sending SIGPWR to - the container), wait 60 seconds for the container to exit, and - returns. If the container fails to cleanly exit, then after 60 - seconds the container will be sent the - commandlxc.stopsignal/command to force it to shut down. If - commandlxc.stopsignal/command is not specified, the signal sent is - SIGKILL. + request a clean shutdown of the container by sending + commandlxc.haltsignal/command (defaults to SIGPWR) to + the container's init process, waiting up to 60 seconds for the container + to exit, and then returning. If the container fails to cleanly exit in + 60 seconds, it will be sent the commandlxc.stopsignal/command + (defaults to SIGKILL) to force it to shut down. /para para The optional-W/optional, optional-r/optional, diff --git a/src/lxc/conf.h b/src/lxc/conf.h index e881635..8efd0f3 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h @@ -307,7 +307,8 @@ struct lxc_conf { #endif int maincmd_fd; int autodev; // if 1, mount and fill a /dev at start - int stopsignal; // signal used to stop container + int haltsignal; // signal used to halt container + int stopsignal; // signal used to hard stop container int kmsg; // if 1, create /dev/kmsg symlink char *rcfile; // Copy of the top level rcfile we read diff --git a/src/lxc/confile.c b/src/lxc/confile.c index 0982b3e..d21fbec 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c 
@@ -90,6 +90,7 @@ static int config_seccomp(const char *, const char *, struct lxc_conf *); static int config_includefile(const char *, const char *, struct lxc_conf *); static int config_network_nic(const char *, const char *, struct lxc_conf *); static int config_autodev(const char *, const char *, struct lxc_conf *); +static int config_haltsignal(const char *, const char *, struct lxc_conf *); static int config_stopsignal(const char *, const char *, struct lxc_conf *); static int config_start(const char *, const char *, struct lxc_conf *); static int config_group(const char *, const char *, struct lxc_conf *); @@ -142,6 +143,7 @@ static struct lxc_config_t config[] = { { lxc.seccomp, config_seccomp }, { lxc.include, config_includefile }, { lxc.autodev, config_autodev }, + { lxc.haltsignal, config_haltsignal }, { lxc.stopsignal, config_stopsignal }, { lxc.start.auto, config_start}, { lxc.start.delay, config_start}, @@ -1108,6 +1110,16 @@ static int rt_sig_num(const char *signame) return sig_n; } +static const char *sig_name(int signum) { + int n; + + for (n = 0; n sizeof(signames) / sizeof((signames)[0]); n++) { + if (n == signames[n].num) + return signames[n].name; + } + return ; +} + static int sig_parse(const char *signame) { int n; @@ -1125,6 +1137,18 @@ static int sig_parse(const char *signame) { return -1; } +static int config_haltsignal(const char *key, const char *value, + struct lxc_conf *lxc_conf) +{ + int sig_n = sig_parse(value); + + if (sig_n 0) + return -1; + lxc_conf-haltsignal = sig_n; + + return 0; +} + static int config_stopsignal(const char
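Review bot: sig_name() in the src/lxc/confile.c hunk compares the loop index against the table entry, `if (n == signames[n].num)`, so it only matches a signal whose number happens to equal its position in signames[] and returns the empty string for everything else; the comparison has to be against the argument, `if (signum == signames[n].num)`. Since this helper is presumably what write_config() will use to emit lxc.haltsignal and lxc.stopsignal by name (the write_config() part of the hunk is cut off here), the bug would silently produce empty values in cloned and saved configs, which is exactly what the commit message says it is fixing.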
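Review bot: the doc/lxc-stop.sgml.in hunk now states that lxc.haltsignal "defaults to SIGPWR" and lxc.stopsignal "defaults to SIGKILL", but none of the visible hunks initialise either field (conf.h only adds `int haltsignal;`, and config_haltsignal() only stores a parsed value); make sure the defaults are set wherever struct lxc_conf is initialised, and add the matching lxc.conf(5) entry for the new key, which Stéphane also asks for later in this thread.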
Re: [lxc-devel] [PATCH] configure.ac: add docbook-to-man to dbparsers
Hi,

On Mon, 6 Jan 2014 10:53:15 +0800 in message [lxc-devel] [PATCH] configure.ac: add docbook-to-man to dbparsers, Qiang Huang-san wrote:

> Debian and Ubuntu use docbook2x-man, but some other distros like suse use docbook-to-man. I think all of them should work on LXC.

I guess that docbook-to-man cannot process the sgml that has UTF-8 multibyte characters. So this patch is likely to cause errors in doc/ja. When docbook-to-man is used, doc/ja may need to be excluded from the target.

___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] [PATCH] configure.ac: add docbook-to-man to dbparsers
Hi KATOH,

On 2014/1/6 18:14, KATOH Yasufumi wrote:

> Hi,
>
> On Mon, 6 Jan 2014 10:53:15 +0800 in message [lxc-devel] [PATCH] configure.ac: add docbook-to-man to dbparsers, Qiang Huang-san wrote:
>
>> Debian and Ubuntu use docbook2x-man, but some other distros like suse use docbook-to-man. I think all of them should work on LXC.
>
> I guess that docbook-to-man cannot process the sgml that has UTF-8 multibyte characters. So this patch is likely to cause errors in doc/ja.

This patch works fine for the ja man page in my box; do you get any real error messages?

PS: I use docbook2x-0.8.8-47.15 on SUSE11-sp2.

> When docbook-to-man is used, doc/ja may need to be excluded from the target.
Re: [lxc-devel] [PATCH] check pthread_atfork and thread-local storage support
On Sat, Jan 04, 2014 at 12:00:04AM -0500, S.Çağlar Onur wrote: This patch; Adds pthread_atfork check to configure.ac and uses it when necessary, Introduces tls.m4 macro for checking thread-local storage support, Puts values array into thread-local storage (lxc_global_config_value@src/lxc/utils.c), Removes static_lock/static_unlock from LXC code, Lastly, it introduces a warning for bionic users about multithreaded usage of LXC. (requires 64b1be2903078ef9e9ba3ffcbc30a4dc9bc5cc6c to be reverted first) Signed-off-by: S.Çağlar Onur cag...@10ur.org Confirmed to restore the bionic build to a working state, thanks! Acked-by: Stéphane Graber stgra...@ubuntu.com --- config/tls.m4 | 14 ++ configure.ac | 15 +++ src/lxc/lxclock.c | 21 ++--- src/lxc/lxclock.h | 10 -- src/lxc/utils.c | 23 +++ 5 files changed, 38 insertions(+), 45 deletions(-) create mode 100644 config/tls.m4 diff --git a/config/tls.m4 b/config/tls.m4 new file mode 100644 index 000..5d1ac59 --- /dev/null +++ b/config/tls.m4 @@ -0,0 +1,14 @@ +# See if we have working TLS. We only check to see if it compiles, and that +# the resulting program actually runs, not whether the resulting TLS variables +# work properly; that check is done at runtime, since we can run binaries +# compiled with __thread on systems without TLS. +AC_DEFUN([LXC_CHECK_TLS], +[ +AC_MSG_CHECKING(for TLS) +AC_RUN_IFELSE([AC_LANG_SOURCE([[ static __thread int val; int main() { return 0; } ]])],[have_tls=yes],[have_tls=no],[have_tls=no ]) +AC_MSG_RESULT($have_tls) +if test $have_tls = yes; then +AC_DEFINE([HAVE_TLS],[1],[Define if the compiler supports __thread]) +AC_DEFINE([thread_local],[__thread],[Define to the compiler TLS keyword]) +fi +]) diff --git a/configure.ac b/configure.ac index 2d24937..af0991d 100644 --- a/configure.ac +++ b/configure.ac 
@@ -483,6 +483,8 @@ AC_CHECK_HEADERS([sys/signalfd.h pty.h ifaddrs.h sys/capability.h sys/personalit AC_CHECK_FUNCS([setns pivot_root sethostname unshare rand_r confstr]) # Check for some functions +AC_CHECK_LIB(pthread, main) +AC_CHECK_FUNCS(pthread_atfork) AC_CHECK_LIB(util, openpty) AC_CHECK_FUNCS([openpty hasmntopt setmntent endmntent]) AC_CHECK_FUNCS([getline], @@ -502,6 +504,9 @@ AC_SEARCH_LIBS(clock_gettime, [rt]) AC_PROG_GCC_TRADITIONAL AC_PROG_SED +# See if we support thread-local storage. +LXC_CHECK_TLS + if test x$GCC = xyes; then CFLAGS=$CFLAGS -Wall -Werror fi @@ -680,3 +685,13 @@ Debugging: Paths: - Logs in configpath: $enable_configpath_log EOF + +if test x$ac_cv_func_pthread_atfork = xno ; then +cat EOF + +WARNING: Threading not supported on your platform + + You are compiling LXC for bionic target which lacks certain threading related functionality used by LXC API (like pthread_atfork). + Please note that, because of the missing functionality, multithreaded usage of LXC API cause some problems. +EOF +fi diff --git a/src/lxc/lxclock.c b/src/lxc/lxclock.c index b0420bb..3e1b054 100644 --- a/src/lxc/lxclock.c +++ b/src/lxc/lxclock.c @@ -46,7 +46,6 @@ lxc_log_define(lxc_lock, lxc); #ifdef MUTEX_DEBUGGING static pthread_mutex_t thread_mutex = PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP; -static pthread_mutex_t static_mutex = PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP; static inline void dump_stacktrace(void) { @@ -68,7 +67,6 @@ static inline void dump_stacktrace(void) } #else static pthread_mutex_t thread_mutex = PTHREAD_MUTEX_INITIALIZER; -static pthread_mutex_t static_mutex = PTHREAD_MUTEX_INITIALIZER; static inline void dump_stacktrace(void) {;} #endif 
@@ -326,28 +324,13 @@ void process_unlock(void) * to unlock the mutex. * This forbids doing fork() while explicitly holding the lock. */ +#ifdef HAVE_PTHREAD_ATFORK __attribute__((constructor)) static void process_lock_setup_atfork(void) { pthread_atfork(process_lock, process_unlock, process_unlock); } - -/* Protects static const values inside the lxc_global_config_value funtion */ -void static_lock(void) -{ - lock_mutex(static_mutex); -} - -void static_unlock(void) -{ - unlock_mutex(static_mutex); -} - -__attribute__((constructor)) -static void static_lock_setup_atfork(void) -{ - pthread_atfork(static_lock, static_unlock, static_unlock); -} +#endif int container_mem_lock(struct lxc_container *c) { diff --git a/src/lxc/lxclock.h b/src/lxc/lxclock.h index 820e819..a02a032 100644 --- a/src/lxc/lxclock.h +++ b/src/lxc/lxclock.h @@ -123,16 +123,6 @@ extern void process_lock(void); */ extern void process_unlock(void); -/*! - * \brief Lock global data. - */ -extern void static_lock(void); - -/*! - * \brief Unlock global data. - */ -extern void static_unlock(void); - struct lxc_container; /*! diff --git
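Review bot: `AC_CHECK_LIB(pthread, main)` in the configure.ac hunk probes libpthread for a symbol called main, which is not a meaningful test and can pass or fail for reasons unrelated to threading; check for a real entry point instead, e.g. `AC_CHECK_LIB(pthread, pthread_create)`, and keep `AC_CHECK_FUNCS(pthread_atfork)` as the feature test that drives the HAVE_PTHREAD_ATFORK guard. The warning text added in the same hunk should also read "multithreaded usage of the LXC API may cause problems" rather than "cause some problems".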
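Review bot: in the src/lxc/lxclock.c hunk, wrapping process_lock_setup_atfork() in `#ifdef HAVE_PTHREAD_ATFORK` compiles the handler registration out entirely on bionic, and the comment just above it says those handlers exist to cope with fork() while the lock is held; with them gone that case is unprotected on such platforms, so the configure warning should say so concretely (a fork() from a thread holding the process lock is unsafe) rather than the generic "cause some problems". Removing static_lock()/static_unlock() and their atfork constructor is fine provided the utils.c change that moves lxc_global_config_value's values array into thread-local storage really lands, but that hunk is cut off in this rendering, and since tls.m4 deliberately only checks that `__thread` compiles and runs, the fallback when HAVE_TLS is undefined should be stated (plain static storage with no lock would reintroduce the race static_lock was guarding).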
Re: [lxc-devel] [PATCH] doc: Update Japanese lxc-autostart(1)
On Mon, Jan 06, 2014 at 02:45:55PM +0900, KATOH Yasufumi wrote: Update for commit a771fe18d28890cfc545995fb818aa7472744fde Signed-off-by: KATOH Yasufumi ka...@jazz.email.ne.jp Acked-by: Stéphane Graber stgra...@ubuntu.com --- doc/ja/lxc-autostart.sgml.in | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/doc/ja/lxc-autostart.sgml.in b/doc/ja/lxc-autostart.sgml.in index 9229e1e..ba55bad 100644 --- a/doc/ja/lxc-autostart.sgml.in +++ b/doc/ja/lxc-autostart.sgml.in @@ -121,10 +121,13 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA listitem para !-- -Only request a clean shutdown, do not kill the -container tasks if the clean shutdown fails. +Request a clean shutdown. If a +optional-t timeout/optional greater than 0 is +given and the container has not shut down within +this period, it will be killed as with the +optional-k kill/optional option. -- - クリーンなシャットダウンのみを要求します.クリーンなシャットダウンに失敗した場合でも,コンテナのタスクを kill しません. + クリーンなシャットダウンを要求します.もし,optional-t timeout/optional が 0 より大きい場合で,コンテナがこの時間内にシャットダウンしない場合は,コンテナは optional-k kill/optional オプションを指定した時のように kill されます. /para /listitem /varlistentry -- 1.8.4.4 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] [PATCH] doc: Update man pages to the latest information
On Mon, Jan 06, 2014 at 06:05:39PM +0900, KATOH Yasufumi wrote: * lxc-attach(1): Update to the status of kernel 3.8 or higher * lxc-create(1), lxc-destroy(1): Now lxc-ls don't have -l option, so remove * lxc(7): update description of lxc-ls and lxc-info to current version * see-also: fix lxc(1) to lxc(7) Signed-off-by: KATOH Yasufumi ka...@jazz.email.ne.jp Acked-by: Stéphane Graber stgra...@ubuntu.com --- doc/ja/lxc-attach.sgml.in | 17 - doc/ja/lxc-create.sgml.in | 4 ++-- doc/ja/lxc-destroy.sgml.in | 4 ++-- doc/ja/lxc.sgml.in | 32 +--- doc/ja/see_also.sgml.in| 2 +- doc/lxc-attach.sgml.in | 10 +- doc/lxc-create.sgml.in | 2 +- doc/lxc-destroy.sgml.in| 2 +- doc/lxc.sgml.in| 17 +++-- doc/see_also.sgml.in | 2 +- 10 files changed, 29 insertions(+), 63 deletions(-) diff --git a/doc/ja/lxc-attach.sgml.in b/doc/ja/lxc-attach.sgml.in index 50b9de9..5b8d9f3 100644 --- a/doc/ja/lxc-attach.sgml.in +++ b/doc/ja/lxc-attach.sgml.in @@ -339,13 +339,14 @@ by KATOH Yasufumi karma at jazz.email.ne.jp para !-- Attaching completely (including the pid and mount namespaces) to a - container requires a patched kernel, please see the lxc website for + container requires a kernel of version 3.8 or higher, or a + patched kernel, please see the lxc website for details. commandlxc-attach/command will fail in that case if - used with an unpatched kernel. + used with an unpatched kernel of version 3.7 and prior. -- - (pid とマウント名前空間を含む) コンテナに対する完全なアタッチを行うにはパッチを適用したカーネルが必要となります. + (pid とマウント名前空間を含む) コンテナに対する完全なアタッチを行うには 3.8 以上,もしくはパッチを適用したカーネルが必要となります. 詳しくは lxc のウェブサイトを参照してください. - (訳注: 3.8 カーネルから PID, マウント名前空間に対するアタッチも可能になっている) + パッチが当たっていない 3.8 より小さなバージョンのカーネルを使った場合は,commandlxc-attach/command の実行は失敗するでしょう. /para para !-- 
@@ -359,12 +360,10 @@ by KATOH Yasufumi karma at jazz.email.ne.jp /para para !-- - Attaching to user namespaces is currently completely unsupported - by the kernel. commandlxc-attach/command should however be able - to do this once once future kernel versions implement this. + Attaching to user namespaces is supported by kernel 3.8 or higher + with enabling user namespace. -- - ユーザ名前空間へのアタッチは,現時点ではカーネルで完全にサポートされていません. - しかし,commandlxc-attach/command は,将来のカーネルがこの機能を実装した時点ですぐに,アタッチが可能になるはずです. + ユーザ名前空間へのアタッチは,ユーザ名前空間機能を有効にした 3.8 以上のカーネルでサポートされます. /para /refsect1 diff --git a/doc/ja/lxc-create.sgml.in b/doc/ja/lxc-create.sgml.in index 297b3f3..54ab639 100644 --- a/doc/ja/lxc-create.sgml.in +++ b/doc/ja/lxc-create.sgml.in @@ -233,11 +233,11 @@ by KATOH Yasufumi karma at jazz.email.ne.jp !-- As the message mention it, you try to create a container but there is a container with the same name. You can use - the commandlxc-ls -l/command command to list the + the commandlxc-ls/command command to list the available containers on the system. -- メッセージの通り,コンテナを作成しようとしたけれども,同じ名前のコンテナが存在しています. -commandlxc-ls -l/command コマンドを使って,システム上に存在する利用可能なコンテナのリストが表示できます. +commandlxc-ls/command コマンドを使って,システム上に存在する利用可能なコンテナのリストが表示できます. /para /listitem /varlistentry diff --git a/doc/ja/lxc-destroy.sgml.in b/doc/ja/lxc-destroy.sgml.in index 6a1b4fa..c10d8b9 100644 --- a/doc/ja/lxc-destroy.sgml.in +++ b/doc/ja/lxc-destroy.sgml.in @@ -123,12 +123,12 @@ by KATOH Yasufumi karma at jazz.email.ne.jp !-- The specified container for destruction was not found. It is probable it does not exists and was already - destroyed.You can use the commandlxc-ls -l/command + destroyed.You can use the commandlxc-ls/command command to list the available containers on the system. -- 破壊するために指定したコンテナが見つかりません. おそらくそのコンテナが存在しないのか,既に破壊された後なのでしょう. -commandlxc-ls -l/command コマンドを使って,システム上に存在するコンテナのリストを得ることができます. +commandlxc-ls/command コマンドを使って,システム上に存在するコンテナのリストを得ることができます. /para /listitem /varlistentry 
diff --git a/doc/ja/lxc.sgml.in b/doc/ja/lxc.sgml.in index de65331..72fe152 100644 --- a/doc/ja/lxc.sgml.in +++ b/doc/ja/lxc.sgml.in @@ -697,35 +697,15 @@ rootfs para !-- commandlxc-ls/command lists the containers of the - system. The command is a script built on top - of commandls/command, so it accepts the options of the ls - commands, eg: - programlisting - lxc-ls -C1 - /programlisting - will display the containers list in one column or: - programlisting - lxc-ls -l - /programlisting - will display the
Re: [lxc-devel] [PATCH 1/2] rename lxc-stop shutdown argument to nokill
On Fri, Jan 03, 2014 at 02:36:43PM -0500, Dwight Engen wrote: This makes the arguments between lxc-stop and lxc-autostart more consistent, so that --shutdown doesn't have two different meanings. Signed-off-by: Dwight Engen dwight.en...@oracle.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- doc/lxc-stop.sgml.in | 26 +++--- src/lxc/arguments.h | 11 +++ src/lxc/lxc_stop.c | 9 + 3 files changed, 27 insertions(+), 19 deletions(-) diff --git a/doc/lxc-stop.sgml.in b/doc/lxc-stop.sgml.in index 09ea5d6..bdb0ef5 100644 --- a/doc/lxc-stop.sgml.in +++ b/doc/lxc-stop.sgml.in @@ -54,7 +54,8 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA arg choice=opt-r/arg arg choice=opt-t replaceabletimeout/replaceable/arg arg choice=opt-k/arg - arg choice=opt-s/arg + arg choice=opt--nokill/arg + arg choice=opt--nolock/arg /cmdsynopsis /refsynopsisdiv @@ -68,11 +69,14 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA the container), wait 60 seconds for the container to exit, and returns. If the container fails to cleanly exit, then after 60 seconds the container will be sent the - commandlxc.stopsignal/command to force it to shut down. + commandlxc.stopsignal/command to force it to shut down. If + commandlxc.stopsignal/command is not specified, the signal sent is + SIGKILL. /para para - The optional-W/optional, optional-r/optional, optional-s/optional - and optional-k/optional options specify the action to perform. + The optional-W/optional, optional-r/optional, + optional-k/optional and optional--nokill/optional + options specify the action to perform. optional-W/optional indicates that after performing the specified action, commandlxc-stop/command should immediately exit, while optional-t TIMEOUT/optional specifies the maximum amount of time 
@@ -97,25 +101,25 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA varlistentry term - option-s,--shutdown /option + option-k,--kill /option /term listitem para - Only request a clean shutdown, do not kill the container tasks if the - clean shutdown fails. +Rather than requesting a clean shutdown of the container, explicitly +kill all tasks in the container. This is the legacy +commandlxc-stop/command behavior. /para /listitem /varlistentry varlistentry term - option-k,--kill /option + option--nokill/option /term listitem para -Rather than requesting a clean shutdown of the container, explicitly -kill all tasks in the container. This is the legacy -commandlxc-stop/command behavior. + Only request a clean shutdown, do not kill the container tasks if the + clean shutdown fails. /para /listitem /varlistentry diff --git a/src/lxc/arguments.h b/src/lxc/arguments.h index 954ddcc..2fa24c0 100644 --- a/src/lxc/arguments.h +++ b/src/lxc/arguments.h @@ -65,16 +65,19 @@ struct lxc_arguments { int ttynum; char escape; - /* for lxc-wait and lxc-shutdown */ + /* for lxc-wait */ char *states; long timeout; - int nowait; - int reboot; - int hardstop; + + /* for lxc-autostart */ int shutdown; /* for lxc-stop */ + int hardstop; + int nokill; int nolock; + int nowait; + int reboot; /* for lxc-destroy */ int force; diff --git a/src/lxc/lxc_stop.c b/src/lxc/lxc_stop.c index d0cf798..dc4133f 100644 --- a/src/lxc/lxc_stop.c +++ b/src/lxc/lxc_stop.c @@ -34,6 +34,7 @@ #include utils.h #define OPT_NO_LOCK OPT_USAGE+1 +#define OPT_NO_KILL OPT_USAGE+2 static int my_parser(struct lxc_arguments* args, int c, char* arg) { @@ -42,8 +43,8 @@ static int my_parser(struct lxc_arguments* args, int c, char* arg) case 'W': args-nowait = 1; break; case 't': args-timeout = atoi(arg); break; case 'k': args-hardstop = 1; break; - case 's': args-shutdown = 1; break; case OPT_NO_LOCK: args-nolock = 1; break; + case OPT_NO_KILL: args-nokill = 1; break; } return 0; } 
@@ -53,7 +54,7 @@ static const struct option my_longopts[] = { {nowait, no_argument, 0, 'W'}, {timeout, required_argument, 0, 't'}, {kill, no_argument, 0, 'k'}, - {shutdown, no_argument, 0, 's'}, + {no-kill, no_argument, 0, OPT_NO_KILL}, {no-lock, no_argument, 0, OPT_NO_LOCK}, LXC_COMMON_OPTIONS }; @@ -72,7 +73,7 @@ Options :\n\ -t, --timeout=T wait T seconds before hard-stopping\n\ -k, --killkill container rather than request
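Review bot: the man page and the getopt table in this patch disagree on the option name: doc/lxc-stop.sgml.in documents `--nokill` in the cmdsynopsis, the description paragraph and the varlistentry, while lxc_stop.c registers `{no-kill, no_argument, 0, OPT_NO_KILL}`, so a user following the man page gets an unrecognised option; the pre-existing `--nolock` / `no-lock` pair has the same mismatch, and the usage text in the last hunk is cut off before it shows which spelling it prints. Pick one form and use it in all three places. Also, `case 's'` and the `shutdown` longopt are removed without an alias, so existing scripts passing `lxc-stop -s` will now fail; the commit message should say so explicitly, since it currently only mentions making the arguments consistent with lxc-autostart.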
[lxc-devel] [lxc/lxc] 19a85f: Use the cgroup name for cpuset for lxc-ps
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: 19a85f1f8ffb67afd8df14173e624260bd398f55
https://github.com/lxc/lxc/commit/19a85f1f8ffb67afd8df14173e624260bd398f55
Author: Nick Huber nicholashu...@gmail.com
Date: 2014-01-06 (Mon, 06 Jan 2014)
Changed paths: M src/lxc/lxc-ps.in

Log Message:
---
Use the cgroup name for cpuset for lxc-ps

On my Ubuntu 13.10 system, lxc-ps was always giving empty output. The output of /proc/$initpid/cgroup was

11:name=systemd:/user/1000.user/c3.session
10:hugetlb:/container
9:perf_event:/container
8:blkio:/container
7:freezer:/container
6:devices:/container
5:memory:/container
4:cpuacct:/container
3:cpu:/container
2:cpuset:/container

Using the cpuset line should be a safer option.

Signed-off-by: Nick Huber nicholashu...@gmail.com
Acked-by: Stéphane Graber stgra...@ubuntu.com
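The parsing choice behind this commit, as an added example rather than the lxc-ps script itself: a /proc/PID/cgroup reader that keys on a named controller (cpuset) instead of the first line, using the commit message's own output as constructed sample input. The container_name() mapping (last path component is the container name) is an assumption for the example, not something the commit states.

```python
"""Select a process's cgroup path from /proc/<pid>/cgroup by controller.

Added illustration, not lxc-ps code. On the Ubuntu 13.10 box in the
commit message the first line is the named 'systemd' hierarchy with an
unrelated session path; keying on the cpuset controller avoids that.
"""
from typing import Dict, Optional

# Constructed sample: the /proc/$initpid/cgroup output quoted in the commit.
SAMPLE_CGROUP = """\
11:name=systemd:/user/1000.user/c3.session
10:hugetlb:/container
9:perf_event:/container
8:blkio:/container
7:freezer:/container
6:devices:/container
5:memory:/container
4:cpuacct:/container
3:cpu:/container
2:cpuset:/container
"""


def parse_proc_cgroup(text: str) -> Dict[str, str]:
    """Map every controller (or 'name=...' hierarchy) to its cgroup path.

    Lines have the form  hierarchy-id:subsystems:path . Several controllers
    may share one hierarchy ('cpu,cpuacct'), and the path may itself
    contain ':' so only the first two separators are split on.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"malformed cgroup line: {line!r}")
        _hier_id, subsystems, path = parts
        for controller in subsystems.split(","):
            if controller:
                mapping[controller] = path
    return mapping


def first_line_path(text: str) -> Optional[str]:
    """The fragile approach: take whatever hierarchy is listed first.

    On the sample this yields the systemd session path, not the container.
    """
    for raw in text.splitlines():
        if raw.strip():
            return raw.split(":", 2)[2]
    return None


def cgroup_path(text: str, controller: str = "cpuset") -> Optional[str]:
    """Path of the given controller's hierarchy, or None if not mounted."""
    return parse_proc_cgroup(text).get(controller)


def container_name(text: str, controller: str = "cpuset") -> Optional[str]:
    """Assumption for this example: a container's init lives in a cgroup
    whose last path component is the container name ('/container' -> 'container').
    The root cgroup '/' means the process is not inside a container."""
    path = cgroup_path(text, controller)
    if not path or path == "/":
        return None
    return path.rstrip("/").rsplit("/", 1)[-1]


if __name__ == "__main__":
    print("first line :", first_line_path(SAMPLE_CGROUP))
    print("cpuset     :", cgroup_path(SAMPLE_CGROUP))
    print("container  :", container_name(SAMPLE_CGROUP))
```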
Re: [lxc-devel] [PATCH 2/2] add lxc.haltsignal for soft shutdown
On Mon, 6 Jan 2014 09:48:37 -0500 Stéphane Graber stgra...@ubuntu.com wrote: On Fri, Jan 03, 2014 at 02:36:50PM -0500, Dwight Engen wrote: - use this in the busybox template since busybox's init expects to receive SIGUSR1 to halt - fix lxc.stopsignal to be output by write_config so lxcapi_clone() and lxcapi_save_config() will output it Signed-off-by: Dwight Engen dwight.en...@oracle.com The change looks fine but can you update your patch to include the matching manpage (lxc.conf) entry? Sure, forgot about that one, thanks good catch. --- doc/lxc-stop.sgml.in | 13 ++--- src/lxc/conf.h | 3 ++- src/lxc/confile.c| 28 src/lxc/lxccontainer.c | 5 - templates/lxc-busybox.in | 1 + 5 files changed, 41 insertions(+), 9 deletions(-) diff --git a/doc/lxc-stop.sgml.in b/doc/lxc-stop.sgml.in index bdb0ef5..dc002c5 100644 --- a/doc/lxc-stop.sgml.in +++ b/doc/lxc-stop.sgml.in @@ -65,13 +65,12 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA para commandlxc-stop/command reboots, cleanly shuts down, or kills all the processes inside the container. By default, it will - request a clean shutdown of the container (by sending SIGPWR to - the container), wait 60 seconds for the container to exit, and - returns. If the container fails to cleanly exit, then after 60 - seconds the container will be sent the - commandlxc.stopsignal/command to force it to shut down. If - commandlxc.stopsignal/command is not specified, the signal sent is - SIGKILL. + request a clean shutdown of the container by sending + commandlxc.haltsignal/command (defaults to SIGPWR) to + the container's init process, waiting up to 60 seconds for the container + to exit, and then returning. If the container fails to cleanly exit in + 60 seconds, it will be sent the commandlxc.stopsignal/command + (defaults to SIGKILL) to force it to shut down. /para para The optional-W/optional, optional-r/optional, diff --git a/src/lxc/conf.h b/src/lxc/conf.h index e881635..8efd0f3 100644 --- a/src/lxc/conf.h 
+++ b/src/lxc/conf.h @@ -307,7 +307,8 @@ struct lxc_conf { #endif int maincmd_fd; int autodev; // if 1, mount and fill a /dev at start - int stopsignal; // signal used to stop container + int haltsignal; // signal used to halt container + int stopsignal; // signal used to hard stop container int kmsg; // if 1, create /dev/kmsg symlink char *rcfile; // Copy of the top level rcfile we read diff --git a/src/lxc/confile.c b/src/lxc/confile.c index 0982b3e..d21fbec 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -90,6 +90,7 @@ static int config_seccomp(const char *, const char *, struct lxc_conf *); static int config_includefile(const char *, const char *, struct lxc_conf *); static int config_network_nic(const char *, const char *, struct lxc_conf *); static int config_autodev(const char *, const char *, struct lxc_conf *); +static int config_haltsignal(const char *, const char *, struct lxc_conf *); static int config_stopsignal(const char *, const char *, struct lxc_conf *); static int config_start(const char *, const char *, struct lxc_conf *); static int config_group(const char *, const char *, struct lxc_conf *); @@ -142,6 +143,7 @@ static struct lxc_config_t config[] = { { lxc.seccomp, config_seccomp }, { lxc.include, config_includefile }, { lxc.autodev, config_autodev }, + { lxc.haltsignal, config_haltsignal }, { lxc.stopsignal, config_stopsignal }, { lxc.start.auto, config_start}, { lxc.start.delay, config_start}, @@ -1108,6 +1110,16 @@ static int rt_sig_num(const char *signame) return sig_n; } +static const char *sig_name(int signum) { + int n; + + for (n = 0; n sizeof(signames) / sizeof((signames)[0]); n++) { + if (n == signames[n].num) + return signames[n].name; + } + return ; +} + static int sig_parse(const char *signame) { int n; 
@@ -1125,6 +1137,18 @@ static int sig_parse(const char *signame) { return -1; } +static int config_haltsignal(const char *key, const char *value, +struct lxc_conf *lxc_conf) +{ + int sig_n = sig_parse(value); + + if (sig_n 0) + return -1; + lxc_conf-haltsignal = sig_n; + + return 0; +} + static int config_stopsignal(const char *key, const char *value, struct lxc_conf *lxc_conf) { @@ -2119,6 +2143,10 @@ void write_config(FILE *fout, struct lxc_conf *c) fprintf(fout, lxc.pts = %d\n, c-pts); if (c-ttydir)
Re: [lxc-devel] [PATCH 2/2] add lxc-autostart support for sysv init systems
On Mon, Jan 06, 2014 at 11:19:56AM -0500, Dwight Engen wrote: On Fri, 3 Jan 2014 15:07:01 -0500 Stéphane Graber stgra...@ubuntu.com wrote: On Fri, Jan 03, 2014 at 02:00:25PM -0600, Serge Hallyn wrote: Quoting Stéphane Graber (stgra...@ubuntu.com): On Thu, Jan 02, 2014 at 11:09:25AM -0600, Serge Hallyn wrote: Quoting Dwight Engen (dwight.en...@oracle.com): This change updates the way init scripts get installed so that more than one init system can be supported. Instead of installing the systemd service file from the spec file, it should be installed at make install time, so that someone compiling from source also gets the unit file installed. Update the plamo template to use a lock file not named just /var/lock/subsys/lxc since the presence of that file is used by sysv init rc file to know if it should run the K01lxc script. This also makes it consistent with the other templates which use /var/lock/subsys/lxc-$template-name. 
Signed-off-by: Dwight Engen dwight.en...@oracle.com I have no objection to this, but I'd appreciate Stéphane taking a closer look. This might lead the way to putting the upstart scripts for ubuntu upstream as well, which would be a plus. It also can give us more reasonable and comprehensive testcases if we can know that common distros will have a certain amount of setup. Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com I don't think the current proposal is appropriate. At least in Ubuntu and Debian, we typically want more than one init script to be installed. The way things work in Debian based distros is that init scripts for all supported init daemons are installed and only the relevant ones are used at boot time and by the user (with the service command). As a result, I'd expect an LXC package build on Debian or Ubuntu to include the upstart jobs, sysvinit script and systemd unit in their usual locations. Drat, I just pushed the commit. So having case $with_distro in ubuntu) init_script=upstart,systemd,sysv ;; and the rest geared to support that, could work here? And the same for debian) but yes, that'd be fine I think. I'm also wondering whether non-Debian distros actually have a problem should they all be installed at once, if not, then maybe we can do without the whole --init-script thing and always have them all installed? Yeah, Fedora packaging guidelines [1], [2] want either sysv or systemd, but not both (Packagers MUST NOT include SysV initscripts in addition to systemd unit files, even in a separate $name-sysvinit subpackage as there are corner cases where the initscripts can override the systemd unit files.). So that is why I had only one of them being installed. I can see that it makes sense to install multiple if the distro supports it. As far as the sysv initscript I provided running on multiple distros: It is pretty simple and I tried to make it generic, it has both chkconfig and LSB headers. I will admit that I did only test it on OracleLinux. 
[1] https://fedoraproject.org/wiki/Packaging:SysVInitScript [2] https://fedoraproject.org/wiki/Packaging:Systemd Weird policy but fair enough, can you then add support for a comma separated list of init systems that Debian, Ubuntu and any similar distro could use? --- configure.ac | 45 +++ lxc.spec.in| 27 +++-- src/lxc/Makefile.am| 44 +- src/lxc/lxc.sysvinit | 64 ++ templates/lxc-plamo.in | 4 ++-- 5 files changed, 174 insertions(+), 10 deletions(-) create mode 100755 src/lxc/lxc.sysvinit diff --git a/configure.ac b/configure.ac index 4c5f002..2d24937 100644 --- a/configure.ac +++ b/configure.ac @@ -70,6 +70,50 @@ AC_MSG_RESULT([$with_distro]) AM_CONDITIONAL([HAVE_DEBIAN], [test x$with_distro = xdebian -o x$with_distro = xubuntu]) AM_CONDITIONAL([DISTRO_UBUNTU], [test x$with_distro = xubuntu]) +# Check for init system type +AC_MSG_CHECKING([for init system type]) +AC_ARG_WITH([init-script], + [AC_HELP_STRING([--with-init-script@:@=TYPE@:@], + [Type of init script to install: sysv, systemd, upstart, +distro, none @:@default=distro@:@])],[],[with_init_script=distro]) +case $with_init_script in + sysv) + init_script=sysv + ;; + systemd) + init_script=systemd + ;; + upstart) + init_script=upstart + ;; + none) + ;; + distro)
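Review bot: in the `case $with_init_script in` block the `none)` branch has an empty body, so unlike the sysv/systemd/upstart branches it never assigns `init_script`; anything that later reports or tests `$init_script` sees an empty string rather than `none`. Set `init_script=none` there so the value is explicit and the later AC_MSG_RESULT prints something meaningful. The help string also offers `distro`, so it would help reviewers if the commit message said which files each of sysv/systemd/upstart installs, since the one-or-the-other constraint discussed above for Fedora is decided by the Makefile.am and lxc.spec.in hunks.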
Re: [lxc-devel] [PATCH 2/2] add lxc.haltsignal for soft shutdown
On Mon, 6 Jan 2014 10:05:28 + bogdan.purcare...@freescale.com bogdan.purcare...@freescale.com wrote: -Original Message- From: lxc-devel-boun...@lists.linuxcontainers.org [mailto:lxc-devel- boun...@lists.linuxcontainers.org] On Behalf Of Dwight Engen Sent: Friday, January 03, 2014 9:37 PM To: lxc-devel@lists.linuxcontainers.org Subject: [lxc-devel] [PATCH 2/2] add lxc.haltsignal for soft shutdown - use this in the busybox template since busybox's init expects to receive SIGUSR1 to halt Just as a FYI, patch [1] makes busybox init respond to SIGPWR as well. Hi Bogdan, seeing your patch is what reminded me that busybox not shutting down nicely has been bothering me for a while. Its great that your change will fix busybox in the future, but I also wanted older busybox versions to shut down clean now, so that is why I submitted this. Best regards, Bogdan P. [1] http://git.busybox.net/busybox/commit/?id=760fc6debcba8cb5ca8d8e2252fac3757c453e11 - fix lxc.stopsignal to be output by write_config so lxcapi_clone() and lxcapi_save_config() will output it Signed-off-by: Dwight Engen dwight.en...@oracle.com --- doc/lxc-stop.sgml.in | 13 ++--- src/lxc/conf.h | 3 ++- src/lxc/confile.c| 28 src/lxc/lxccontainer.c | 5 - templates/lxc-busybox.in | 1 + 5 files changed, 41 insertions(+), 9 deletions(-) diff --git a/doc/lxc-stop.sgml.in b/doc/lxc-stop.sgml.in index bdb0ef5..dc002c5 100644 --- a/doc/lxc-stop.sgml.in +++ b/doc/lxc-stop.sgml.in 
@@ -65,13 +65,12 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA para commandlxc-stop/command reboots, cleanly shuts down, or kills all the processes inside the container. By default, it will - request a clean shutdown of the container (by sending SIGPWR to - the container), wait 60 seconds for the container to exit, and - returns. If the container fails to cleanly exit, then after 60 - seconds the container will be sent the - commandlxc.stopsignal/command to force it to shut down. If - commandlxc.stopsignal/command is not specified, the signal sent is - SIGKILL. + request a clean shutdown of the container by sending + commandlxc.haltsignal/command (defaults to SIGPWR) to + the container's init process, waiting up to 60 seconds for the container + to exit, and then returning. If the container fails to cleanly exit in + 60 seconds, it will be sent the commandlxc.stopsignal/command + (defaults to SIGKILL) to force it to shut down. /para para The optional-W/optional, optional-r/optional, diff --git a/src/lxc/conf.h b/src/lxc/conf.h index e881635..8efd0f3 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h @@ -307,7 +307,8 @@ struct lxc_conf { #endif int maincmd_fd; int autodev; // if 1, mount and fill a /dev at start - int stopsignal; // signal used to stop container + int haltsignal; // signal used to halt container + int stopsignal; // signal used to hard stop container int kmsg; // if 1, create /dev/kmsg symlink char *rcfile; // Copy of the top level rcfile we read diff --git a/src/lxc/confile.c b/src/lxc/confile.c index 0982b3e..d21fbec 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c 
@@ -90,6 +90,7 @@ static int config_seccomp(const char *, const char *, struct lxc_conf *); static int config_includefile(const char *, const char *, struct lxc_conf *); static int config_network_nic(const char *, const char *, struct lxc_conf *); static int config_autodev(const char *, const char *, struct lxc_conf *); +static int config_haltsignal(const char *, const char *, struct lxc_conf *); static int config_stopsignal(const char *, const char *, struct lxc_conf *); static int config_start(const char *, const char *, struct lxc_conf *); static int config_group(const char *, const char *, struct lxc_conf *); @@ -142,6 +143,7 @@ static struct lxc_config_t config[] = { { lxc.seccomp, config_seccomp }, { lxc.include, config_includefile }, { lxc.autodev, config_autodev }, + { lxc.haltsignal, config_haltsignal }, { lxc.stopsignal, config_stopsignal }, { lxc.start.auto, config_start}, { lxc.start.delay, config_start}, @@ -1108,6 +1110,16 @@ static int rt_sig_num(const char *signame) return sig_n; } +static const char *sig_name(int signum) { + int n; + + for (n = 0; n sizeof(signames) / sizeof((signames)[0]); n++) { + if (n == signames[n].num) + return signames[n].name; + } + return ; +} + static int sig_parse(const char *signame) { int n; @@ -1125,6 +1137,18 @@ static int sig_parse(const char
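Review bot: sig_name() compares the loop index with the table entry (`if (n == signames[n].num)`) instead of the signum argument, so it only matches when a signal's number happens to equal its position in the table and otherwise returns the empty string; it should read `if (signum == signames[n].num)`. Returning `""` for an unknown signal also means write_config would emit a key with an empty value, which the parser in this same file will not accept back; consider returning NULL and having the caller fall back to the plain number, which the lxc-stop doc hunk already documents as valid input.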
Re: [lxc-devel] [PATCH] hwaddr templating
Quoting Serge Hallyn (serge.hal...@ubuntu.com): Quoting Guillaume ZITTA (l...@zitta.fr): This change introduce mac address templating. By setting lxc.network.hwaddr to something like fe:xx:xx:xx:xx:xx each x will be replaced by a random value. If less significant bit of first byte is templated, it will be set to 0. This chage introduce also a common randinit() function that could be used to initialize random generator. Signed-off-by: gza l...@zitta.fr --- doc/lxc.conf.sgml.in | 4 +++- src/lxc/confile.c| 36 ++-- src/lxc/utils.c | 22 ++ src/lxc/utils.h | 2 ++ 4 files changed, 61 insertions(+), 3 deletions(-) diff --git a/doc/lxc.conf.sgml.in b/doc/lxc.conf.sgml.in index e6d9689..4bbeeeb 100644 --- a/doc/lxc.conf.sgml.in +++ b/doc/lxc.conf.sgml.in @@ -326,7 +326,9 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA the interface mac address is dynamically allocated by default to the virtual interface, but in some cases, this is needed to resolve a mac address conflict or to - always have the same link-local ipv6 address + always have the same link-local ipv6 address. + Any x in address will be replaced by random value, + this allows setting hwaddr templates. /para /listitem /varlistentry diff --git a/src/lxc/confile.c b/src/lxc/confile.c index 0982b3e..3d7554a 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -508,6 +508,28 @@ static int macvlan_mode(int *valuep, const char *value) return -1; } +static int rand_complete_hwaddr(char *hwaddr) +{ + const char hex[] = 0123456789abcdef; + char *curs = hwaddr; + + randinit(); + + while (*curs != '\0') + { + if ( *curs == 'x' || *curs == 'X' ) { + if (curs - hwaddr == 1) { + //ensure address is unicast + *curs = hex[(rand() 0x0E)]; + } else { + *curs = hex[rand() 0x0F]; + } + } + curs++; + } + return 0; +} + static int config_network_flags(const char *key, const char *value, struct lxc_conf *lxc_conf) { 
@@ -575,11 +597,21 @@ static int config_network_hwaddr(const char *key, const char *value, { struct lxc_netdev *netdev; - netdev = network_netdev(key, value, lxc_conf-network); + char *newval = strdup(value); Since this is strdup'd, + + rand_complete_hwaddr(newval); + + netdev = network_netdev(key, newval, lxc_conf-network); if (!netdev) this error path needs to free it, return -1; - return config_string_item(netdev-hwaddr, value); + if (!newval || strlen(newval) == 0) { + netdev-hwaddr = NULL; as does this one in the case where newval != NULL. To be less terse: once you add this, it looks good, thanks. ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
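Review bot: in config_network_hwaddr, `rand_complete_hwaddr(newval)` runs before the `if (!newval || strlen(newval) == 0)` test, so a failed strdup() is dereferenced inside rand_complete_hwaddr before the NULL check is reached; move the NULL test ahead of the call (and free newval on the `!netdev` error path, as already noted). In rand_complete_hwaddr the unicast guarantee only covers a templated second digit (`curs - hwaddr == 1`); a template that fixes the first octet to an odd value such as `01:xx:...` is still accepted as a multicast address, so checking the low bit of the finished first octet would be more robust than trusting the template. The doc hunk says "Any x in address" while the code also accepts `X`; say so in the doc.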
Re: [lxc-devel] [PATCH] hwaddr templating
On Mon, Jan 6, 2014 at 11:46 AM, Serge Hallyn serge.hal...@ubuntu.com wrote: Quoting Serge Hallyn (serge.hal...@ubuntu.com): Quoting Guillaume ZITTA (l...@zitta.fr): This change introduce mac address templating. By setting lxc.network.hwaddr to something like fe:xx:xx:xx:xx:xx each x will be replaced by a random value. If less significant bit of first byte is templated, it will be set to 0. This chage introduce also a common randinit() function that could be used to initialize random generator. Signed-off-by: gza l...@zitta.fr --- doc/lxc.conf.sgml.in | 4 +++- src/lxc/confile.c| 36 ++-- src/lxc/utils.c | 22 ++ src/lxc/utils.h | 2 ++ 4 files changed, 61 insertions(+), 3 deletions(-) diff --git a/doc/lxc.conf.sgml.in b/doc/lxc.conf.sgml.in index e6d9689..4bbeeeb 100644 --- a/doc/lxc.conf.sgml.in +++ b/doc/lxc.conf.sgml.in @@ -326,7 +326,9 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA the interface mac address is dynamically allocated by default to the virtual interface, but in some cases, this is needed to resolve a mac address conflict or to - always have the same link-local ipv6 address + always have the same link-local ipv6 address. + Any x in address will be replaced by random value, + this allows setting hwaddr templates. /para /listitem /varlistentry diff --git a/src/lxc/confile.c b/src/lxc/confile.c index 0982b3e..3d7554a 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -508,6 +508,28 @@ static int macvlan_mode(int *valuep, const char *value) return -1; } +static int rand_complete_hwaddr(char *hwaddr) +{ + const char hex[] = 0123456789abcdef; + char *curs = hwaddr; + + randinit(); + + while (*curs != '\0') + { + if ( *curs == 'x' || *curs == 'X' ) { + if (curs - hwaddr == 1) { + //ensure address is unicast + *curs = hex[(rand() 0x0E)]; + } else { + *curs = hex[rand() 0x0F]; + } + } + curs++; + } + return 0; +} + static int config_network_flags(const char *key, const char *value, struct lxc_conf *lxc_conf) { 
@@ -575,11 +597,21 @@ static int config_network_hwaddr(const char *key, const char *value, { struct lxc_netdev *netdev; - netdev = network_netdev(key, value, lxc_conf-network); + char *newval = strdup(value); Since this is strdup'd, + + rand_complete_hwaddr(newval); + + netdev = network_netdev(key, newval, lxc_conf-network); if (!netdev) this error path needs to free it, return -1; - return config_string_item(netdev-hwaddr, value); + if (!newval || strlen(newval) == 0) { + netdev-hwaddr = NULL; as does this one in the case where newval != NULL. To be less terse: once you add this, it looks good, thanks. Guillaume , could you please drop process_lock/process_unlock from the patch while addressing Serge's comment as we no longer need them? ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel -- S.Çağlar Onur cag...@10ur.org ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] [PATCH 2/2] add lxc-autostart support for sysv init systems
On Mon, 6 Jan 2014 11:25:11 -0500 Stéphane Graber stgra...@ubuntu.com wrote: On Mon, Jan 06, 2014 at 11:19:56AM -0500, Dwight Engen wrote: On Fri, 3 Jan 2014 15:07:01 -0500 Stéphane Graber stgra...@ubuntu.com wrote: On Fri, Jan 03, 2014 at 02:00:25PM -0600, Serge Hallyn wrote: Quoting Stéphane Graber (stgra...@ubuntu.com): On Thu, Jan 02, 2014 at 11:09:25AM -0600, Serge Hallyn wrote: Quoting Dwight Engen (dwight.en...@oracle.com): This change updates the way init scripts get installed so that more than one init system can be supported. Instead of installing the systemd service file from the spec file, it should be installed at make install time, so that someone compiling from source also gets the unit file installed. Update the plamo template to use a lock file not named just /var/lock/subsys/lxc since the presence of that file is used by sysv init rc file to know if it should run the K01lxc script. This also makes it consistent with the other templates which use /var/lock/subsys/lxc-$template-name. 
Signed-off-by: Dwight Engen dwight.en...@oracle.com I have no objection to this, but I'd appreciate Stéphane taking a closer look. This might lead the way to putting the upstart scripts for ubuntu upstream as well, which would be a plus. It also can give us more reasonable and comprehensive testcases if we can know that common distros will have a certain amount of setup. Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com I don't think the current proposal is appropriate. At least in Ubuntu and Debian, we typically want more than one init script to be installed. The way things work in Debian based distros is that init scripts for all supported init daemons are installed and only the relevant ones are used at boot time and by the user (with the service command). As a result, I'd expect an LXC package build on Debian or Ubuntu to include the upstart jobs, sysvinit script and systemd unit in their usual locations. Drat, I just pushed the commit. So having case $with_distro in ubuntu) init_script=upstart,systemd,sysv ;; and the rest geared to support that, could work here? And the same for debian) but yes, that'd be fine I think. I'm also wondering whether non-Debian distros actually have a problem should they all be installed at once, if not, then maybe we can do without the whole --init-script thing and always have them all installed? Yeah, Fedora packaging guidelines [1], [2] want either sysv or systemd, but not both (Packagers MUST NOT include SysV initscripts in addition to systemd unit files, even in a separate $name-sysvinit subpackage as there are corner cases where the initscripts can override the systemd unit files.). So that is why I had only one of them being installed. I can see that it makes sense to install multiple if the distro supports it. As far as the sysv initscript I provided running on multiple distros: It is pretty simple and I tried to make it generic, it has both chkconfig and LSB headers. I will admit that I did only test it on OracleLinux. 
[1] https://fedoraproject.org/wiki/Packaging:SysVInitScript [2] https://fedoraproject.org/wiki/Packaging:Systemd Weird policy but fair enough, can you then add support for a comma separated list of init systems that Debian, Ubuntu and any similar distro could use? Sure, I can look into that. I think part of this is because systemd has some compatibility with sysv init scripts, so if you had both installed maybe it would start the service twice? Not sure how upstart handles that since I thought it had sysv init script compatibility too? --- configure.ac | 45 +++ lxc.spec.in| 27 +++-- src/lxc/Makefile.am| 44 +- src/lxc/lxc.sysvinit | 64 ++ templates/lxc-plamo.in | 4 ++-- 5 files changed, 174 insertions(+), 10 deletions(-) create mode 100755 src/lxc/lxc.sysvinit diff --git a/configure.ac b/configure.ac index 4c5f002..2d24937 100644 --- a/configure.ac +++ b/configure.ac @@ -70,6 +70,50 @@ AC_MSG_RESULT([$with_distro]) AM_CONDITIONAL([HAVE_DEBIAN], [test x$with_distro = xdebian -o x$with_distro = xubuntu]) AM_CONDITIONAL([DISTRO_UBUNTU], [test x$with_distro = xubuntu]) +# Check for init system type +AC_MSG_CHECKING([for init system type]) +AC_ARG_WITH([init-script], + [AC_HELP_STRING([--with-init-script@:@=TYPE@:@], +
Re: [lxc-devel] [PATCH v2] add lxc.haltsignal for soft shutdown
On Mon, Jan 06, 2014 at 12:30:02PM -0500, Dwight Engen wrote: - use this in the busybox template since busybox's init expects to receive SIGUSR1 to halt - fix lxc.stopsignal to be output by write_config so lxcapi_clone() and lxcapi_save_config() will output it Signed-off-by: Dwight Engen dwight.en...@oracle.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- v2: add lxc.conf documentation doc/lxc-stop.sgml.in | 13 ++--- doc/lxc.conf.sgml.in | 33 - src/lxc/conf.h | 3 ++- src/lxc/confile.c| 28 src/lxc/lxccontainer.c | 5 - templates/lxc-busybox.in | 1 + 6 files changed, 69 insertions(+), 14 deletions(-) diff --git a/doc/lxc-stop.sgml.in b/doc/lxc-stop.sgml.in index bdb0ef5..dc002c5 100644 --- a/doc/lxc-stop.sgml.in +++ b/doc/lxc-stop.sgml.in @@ -65,13 +65,12 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA para commandlxc-stop/command reboots, cleanly shuts down, or kills all the processes inside the container. By default, it will - request a clean shutdown of the container (by sending SIGPWR to - the container), wait 60 seconds for the container to exit, and - returns. If the container fails to cleanly exit, then after 60 - seconds the container will be sent the - commandlxc.stopsignal/command to force it to shut down. If - commandlxc.stopsignal/command is not specified, the signal sent is - SIGKILL. + request a clean shutdown of the container by sending + commandlxc.haltsignal/command (defaults to SIGPWR) to + the container's init process, waiting up to 60 seconds for the container + to exit, and then returning. If the container fails to cleanly exit in + 60 seconds, it will be sent the commandlxc.stopsignal/command + (defaults to SIGKILL) to force it to shut down. /para para The optional-W/optional, optional-r/optional, diff --git a/doc/lxc.conf.sgml.in b/doc/lxc.conf.sgml.in index e6d9689..09c8076 100644 --- a/doc/lxc.conf.sgml.in +++ b/doc/lxc.conf.sgml.in 
@@ -156,13 +156,36 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA /refsect2 refsect2 + titleHalt signal/title + para +Allows one to specify signal name or number, sent by lxc-stop to the +container's init process to cleanly shutdown the container. Different +init systems could use different signals to perform clean shutdown +sequence. This option allows the signal to be specified in kill(1) +fashion, e.g. SIGPWR, SIGRTMIN+14, SIGRTMAX-10 or plain number. The +default signal is SIGPWR. + /para + variablelist +varlistentry + term +optionlxc.haltsignal/option + /term + listitem +para + specify the signal used to halt the container +/para + /listitem +/varlistentry + /variablelist +/refsect2 + +refsect2 titleStop signal/title para -Allows one to specify signal name or number, sent by lxc-stop to -shutdown the container. Different init systems could use -different signals to perform clean shutdown sequence. Option -allows signal to be specified in kill(1) fashion, e.g. -SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number. +Allows one to specify signal name or number, sent by lxc-stop to forcibly +shutdown the container. This option allows signal to be specified in +kill(1) fashion, e.g. SIGKILL, SIGRTMIN+14, SIGRTMAX-10 or plain number. +The default signal is SIGKILL. /para variablelist varlistentry diff --git a/src/lxc/conf.h b/src/lxc/conf.h index e881635..8efd0f3 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h @@ -307,7 +307,8 @@ struct lxc_conf { #endif int maincmd_fd; int autodev; // if 1, mount and fill a /dev at start - int stopsignal; // signal used to stop container + int haltsignal; // signal used to halt container + int stopsignal; // signal used to hard stop container int kmsg; // if 1, create /dev/kmsg symlink char *rcfile; // Copy of the top level rcfile we read diff --git a/src/lxc/confile.c b/src/lxc/confile.c index 0982b3e..d21fbec 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c 
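Review bot: the lxc.conf hunk promises a SIGPWR default for lxc.haltsignal and a SIGKILL default for lxc.stopsignal, but the conf.h hunk only adds the `int haltsignal;` field and nothing shown here initialises it; a zero-valued haltsignal would make the clean-shutdown step send signal 0 (a no-op) and then wait the full 60 seconds before escalating. Make sure the default is set where the struct is initialised, or have the sender treat 0 as SIGPWR. Also, the two refsect2 paragraphs now repeat the kill(1)-syntax sentence almost verbatim; the halt-signal entry could simply refer to the stop-signal one.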
@@ -90,6 +90,7 @@ static int config_seccomp(const char *, const char *, struct lxc_conf *); static int config_includefile(const char *, const char *, struct lxc_conf *); static int config_network_nic(const char *, const char *, struct lxc_conf *); static int config_autodev(const char *, const char *, struct lxc_conf *); +static int config_haltsignal(const char *, const char *, struct lxc_conf *); static int config_stopsignal(const char *, const char *, struct lxc_conf *); static int config_start(const char *,
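An added example, not the patch's or lxc's own code: a kill(1)-style parser for lxc.haltsignal/lxc.stopsignal values and the reverse lookup that write_config needs, over a constructed subset of the signal table. The names sig_parse, sig_name and sig_format mirror the patch, but the bodies are mine, and sig_name matches on the signal number (the comparison the v1 patch above got wrong).

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed subset of the signal table; names are stored without "SIG". */
static const struct {
	const char *name;
	int num;
} signames[] = {
	{ "HUP", SIGHUP }, { "INT", SIGINT }, { "QUIT", SIGQUIT },
	{ "KILL", SIGKILL }, { "USR1", SIGUSR1 }, { "USR2", SIGUSR2 },
	{ "TERM", SIGTERM }, { "PWR", SIGPWR },
};

/* "RTMIN", "RTMIN+14", "RTMAX-10": real-time signals relative to the range
 * ends. Returns -1 when the name is not a real-time one or the result falls
 * outside [SIGRTMIN, SIGRTMAX]. */
static int rt_sig_num(const char *s)
{
	int base, off = 0;

	if (strncasecmp(s, "RTMIN", 5) == 0)
		base = SIGRTMIN;
	else if (strncasecmp(s, "RTMAX", 5) == 0)
		base = SIGRTMAX;
	else
		return -1;
	s += 5;

	if (*s == '+' || *s == '-') {
		char *end;
		long v = strtol(s, &end, 10);

		if (end == s || *end != '\0')
			return -1;
		off = (int)v;
	} else if (*s != '\0') {
		return -1;
	}
	if (base + off < SIGRTMIN || base + off > SIGRTMAX)
		return -1;
	return base + off;
}

/* Parse a signal given in kill(1) fashion: "SIGPWR", "pwr", "SIGRTMIN+14"
 * or a plain number. Returns the signal number, or -1 on error. */
int sig_parse(const char *signame)
{
	size_t i;

	if (isdigit((unsigned char)*signame)) {
		char *end;
		long v = strtol(signame, &end, 10);

		if (*end != '\0' || v < 1 || v > SIGRTMAX)
			return -1;
		return (int)v;
	}
	if (strncasecmp(signame, "SIG", 3) == 0)
		signame += 3;
	for (i = 0; i < sizeof(signames) / sizeof(signames[0]); i++)
		if (strcasecmp(signames[i].name, signame) == 0)
			return signames[i].num;
	return rt_sig_num(signame);
}

/* Reverse lookup for writing a config back out: match on the signal
 * number, never on the table index. NULL when there is no symbolic name. */
const char *sig_name(int signum)
{
	size_t i;

	for (i = 0; i < sizeof(signames) / sizeof(signames[0]); i++)
		if (signames[i].num == signum)
			return signames[i].name;
	return NULL;
}

/* Format a signal the way sig_parse() reads it back: symbolic name,
 * SIGRTMIN+n for real-time signals, plain number otherwise. */
int sig_format(int signum, char *buf, size_t len)
{
	const char *name = sig_name(signum);

	if (name)
		return snprintf(buf, len, "SIG%s", name);
	if (signum >= SIGRTMIN && signum <= SIGRTMAX)
		return snprintf(buf, len, "SIGRTMIN+%d", signum - SIGRTMIN);
	return snprintf(buf, len, "%d", signum);
}
```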
[lxc-devel] [lxc/lxc] f0f1d8: add lxc.haltsignal for soft shutdown
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: f0f1d8c076ae93d8ecf735c2eeae471e27ca6abd https://github.com/lxc/lxc/commit/f0f1d8c076ae93d8ecf735c2eeae471e27ca6abd
Author: Dwight Engen dwight.en...@oracle.com
Date: 2014-01-06 (Mon, 06 Jan 2014)
Changed paths: M doc/lxc-stop.sgml.in M doc/lxc.conf.sgml.in M src/lxc/conf.h M src/lxc/confile.c M src/lxc/lxccontainer.c M templates/lxc-busybox.in
Log Message: --- add lxc.haltsignal for soft shutdown - use this in the busybox template since busybox's init expects to receive SIGUSR1 to halt - fix lxc.stopsignal to be output by write_config so lxcapi_clone() and lxcapi_save_config() will output it Signed-off-by: Dwight Engen dwight.en...@oracle.com Acked-by: Stéphane Graber stgra...@ubuntu.com
Re: [lxc-devel] [PATCH 2/2] add lxc-autostart support for sysv init systems
On Mon, 2014-01-06 at 12:08 -0500, Dwight Engen wrote: On Mon, 6 Jan 2014 11:25:11 -0500 Stéphane Graber stgra...@ubuntu.com wrote: On Mon, Jan 06, 2014 at 11:19:56AM -0500, Dwight Engen wrote: On Fri, 3 Jan 2014 15:07:01 -0500 Stéphane Graber stgra...@ubuntu.com wrote: On Fri, Jan 03, 2014 at 02:00:25PM -0600, Serge Hallyn wrote: Quoting Stéphane Graber (stgra...@ubuntu.com): On Thu, Jan 02, 2014 at 11:09:25AM -0600, Serge Hallyn wrote: Quoting Dwight Engen (dwight.en...@oracle.com): This change updates the way init scripts get installed so that more than one init system can be supported. Instead of installing the systemd service file from the spec file, it should be installed at make install time, so that someone compiling from source also gets the unit file installed. Update the plamo template to use a lock file not named just /var/lock/subsys/lxc since the presence of that file is used by sysv init rc file to know if it should run the K01lxc script. This also makes it consistent with the other templates which use /var/lock/subsys/lxc-$template-name. Signed-off-by: Dwight Engen dwight.en...@oracle.com I have no objection to this, but I'd appreciate Stéphane taking a closer look. This might lead the way to putting the upstart scripts for ubuntu upstream as well, which would be a plus. It also can give us more reasonable and comprehensive testcases if we can know that common distros will have a certain amount of setup. Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com I don't think the current proposal is appropriate. At least in Ubuntu and Debian, we typically want more than one init script to be installed. The way things work in Debian based distros is that init scripts for all supported init daemons are installed and only the relevant ones are used at boot time and by the user (with the service command). As a result, I'd expect an LXC package build on Debian or Ubuntu to include the upstart jobs, sysvinit script and systemd unit in their usual locations. 
Drat, I just pushed the commit. So having case $with_distro in ubuntu) init_script=upstart,systemd,sysv ;; and the rest geared to support that, could work here? And the same for debian) but yes, that'd be fine I think. I'm also wondering whether non-Debian distros actually have a problem should they all be installed at once, if not, then maybe we can do without the whole --init-script thing and always have them all installed? Yeah, Fedora packaging guidelines [1], [2] want either sysv or systemd, but not both (Packagers MUST NOT include SysV initscripts in addition to systemd unit files, even in a separate $name-sysvinit subpackage as there are corner cases where the initscripts can override the systemd unit files.). So that is why I had only one of them being installed. I can see that it makes sense to install multiple if the distro supports it. As far as the sysv initscript I provided running on multiple distros: It is pretty simple and I tried to make it generic, it has both chkconfig and LSB headers. I will admit that I did only test it on OracleLinux. [1] https://fedoraproject.org/wiki/Packaging:SysVInitScript [2] https://fedoraproject.org/wiki/Packaging:Systemd Weird policy but fair enough, can you then add support for a comma separated list of init systems that Debian, Ubuntu and any similar distro could use? Sure, I can look into that. I think part of this is because systemd has some compatibility with sysv init scripts, so if you had both installed maybe it would start the service twice? Not sure how upstart handles that since I thought it had sysv init script compatibility too? It shouldn't start the service twice. If the systemd unit file exists, it should take precedence and not fall back to the sysv init scripts. From reading, it sounds like there may be some unpredictable corner cases. Giving the complexity of systemd, this does not surprise me though I'm at a loss to think of any readily. 
I'm sure they're buried in some of the inconsistent ways systemd handled certain services... One glaring example in my personal experience is the inconsistent way in which systemd handles IPsec VPN's vs OpenVPN vpn's. IPsec is handled as an entire subsystem and started like this: systemctl start ipsec.service OpenVPN vpn's are handled as connections and started (and enabled) like this: systemctl start open...@canyon.wittsend.com.service That last command is handled by the openvpn@.service (not openvpn.service) file. Sigh... Fresh bait for corner cases. I think they're
Re: [lxc-devel] [PATCH] allow multiple types of init scripts to be configured
On Mon, Jan 06, 2014 at 02:05:12PM -0500, Dwight Engen wrote: Signed-off-by: Dwight Engen dwight.en...@oracle.com Acked-by: Stéphane Graber stgra...@ubuntu.com I'll just tweak the list of init systems a bit setting Ubuntu to only upstart for now and Debian to all of them. I'll also look into upstreaming the Upstart jobs we're currently using over the next few days. --- configure.ac | 42 ++ 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/configure.ac b/configure.ac index fb61e26..a200460 100644 --- a/configure.ac +++ b/configure.ac @@ -73,21 +73,10 @@ AM_CONDITIONAL([DISTRO_UBUNTU], [test x$with_distro = xubuntu]) # Check for init system type AC_MSG_CHECKING([for init system type]) AC_ARG_WITH([init-script], - [AC_HELP_STRING([--with-init-script@:@=TYPE@:@], - [Type of init script to install: sysv, systemd, upstart, - distro, none @:@default=distro@:@])],[],[with_init_script=distro]) + [AC_HELP_STRING([--with-init-script@:@=TYPE@:@,TYPE,...@:@@:@], + [Type(s) of init script to install: sysv, systemd, upstart, + distro @:@default=distro@:@])],[],[with_init_script=distro]) case $with_init_script in - sysv) - init_script=sysv - ;; - systemd) - init_script=systemd - ;; - upstart) - init_script=upstart - ;; - none) - ;; distro) case $with_distro in fedora) @@ -97,7 +86,7 @@ case $with_init_script in init_script=sysv ;; ubuntu) - init_script=upstart + init_script=sysv,upstart ;; *) echo -n Linux distribution init system unknown, defaulting to sysv 
@@ -106,12 +95,25 @@ case $with_init_script in esac ;; *) - AC_MSG_ERROR([Unknown init system type $with_init_script]) + init_script=$with_init_script ;; esac -AM_CONDITIONAL([INIT_SCRIPT_SYSV], test $init_script = sysv) -AM_CONDITIONAL([INIT_SCRIPT_SYSTEMD], test $init_script = systemd) -AM_CONDITIONAL([INIT_SCRIPT_UPSTART], test $init_script = upstart) + +# Check valid init systems were given, run in subshell so we don't mess up IFS +(IFS=, ; for init_sys in $init_script; +do + case $init_sys in + none|sysv|systemd|upstart) + ;; + *) + exit 1 + ;; + esac +done) || AC_MSG_ERROR([Unknown init system type in $init_script]) + +AM_CONDITIONAL([INIT_SCRIPT_SYSV], [echo $init_script |grep -q sysv]) +AM_CONDITIONAL([INIT_SCRIPT_SYSTEMD], [echo $init_script |grep -q systemd]) +AM_CONDITIONAL([INIT_SCRIPT_UPSTART], [echo $init_script |grep -q upstart]) AC_MSG_RESULT($init_script) # Allow disabling rpath @@ -659,7 +661,7 @@ cat EOF Environment: - compiler: $CC - distribution: $with_distro - - init script type: $init_script + - init script type(s): $init_script - rpath: $enable_rpath - GnuTLS: $enable_gnutls -- 1.8.3.1 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
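Review bot: the validation loop accepts `none` as a list member, but a value like `none,sysv` then passes and still installs sysv, because the three AM_CONDITIONALs only grep for their own token; either reject `none` when it is combined with other values or document that it is ignored in a list. The `*)` branch now copies `$with_init_script` verbatim, so a bare `--with-init-script` (autoconf stores `yes`) reaches the loop and fails with the unhelpful "Unknown init system type in yes"; mapping `yes` to `distro` before the case statement would fix both the message and the behaviour. The `grep -q` tests are substring matches, but since the loop has already restricted every token to the four keywords that is safe.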
[lxc-devel] [lxc/lxc] 89f79f: allow multiple types of init scripts to be configu...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: 89f79f6baf4c1706391a8beb68e6b1e201d72cb0 https://github.com/lxc/lxc/commit/89f79f6baf4c1706391a8beb68e6b1e201d72cb0
Author: Dwight Engen dwight.en...@oracle.com
Date: 2014-01-06 (Mon, 06 Jan 2014)
Changed paths: M configure.ac
Log Message: --- allow multiple types of init scripts to be configured Signed-off-by: Dwight Engen dwight.en...@oracle.com Acked-by: Stéphane Graber stgra...@ubuntu.com
[lxc-devel] [Errored] lxc/lxc#21 (master - 6424619)
Build Update for lxc/lxc - Build: #21 Status: Errored Duration: 10 minutes and 49 seconds
Commit: 6424619 (master) Author: Qiang Huang
Message: configure.ac: add docbook-to-man to dbparsers Debian and Ubuntu use docbook2x-man, but some other distros like suse use docbook-to-man. I think all of them should work on LXC. Signed-off-by: Qiang Huang h.huangqi...@huawei.com Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
View the changeset: https://github.com/lxc/lxc/compare/f0f1d8c076ae...6424619e4090
View the full build log and details: https://travis-ci.org/lxc/lxc/builds/16482172
-- You can configure recipients for build notifications in your .travis.yml file. See http://about.travis-ci.org/docs/user/build-configuration
[lxc-devel] [Errored] lxc/lxc#22 (master - 89f79f6)
Build Update for lxc/lxc - Build: #22 Status: Errored Duration: 10 minutes and 38 seconds
Commit: 89f79f6 (master) Author: Dwight Engen
Message: allow multiple types of init scripts to be configured Signed-off-by: Dwight Engen dwight.en...@oracle.com Acked-by: Stéphane Graber stgra...@ubuntu.com
View the changeset: https://github.com/lxc/lxc/compare/6424619e4090...89f79f6baf4c
View the full build log and details: https://travis-ci.org/lxc/lxc/builds/16483266
Re: [lxc-devel] [PATCH] disable generating documentation for travis
On Mon, Jan 06, 2014 at 03:05:24PM -0500, S.Çağlar Onur wrote: doxygen and graphviz causes travis vm to download ~400 MB from internet and causes travis builds to timeouts occasionally. Signed-off-by: S.Çağlar Onur cag...@10ur.org Acked-by: Stéphane Graber stgra...@ubuntu.com --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index ee8ab52..3aba29d 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,7 +4,7 @@ compiler: - clang before_install: - sudo apt-get update -qq - - sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev python3-dev docbook2x libgnutls-dev liblua5.2-dev libselinux1-dev doxygen graphviz + - sudo apt-get install -qq libapparmor-dev libcap-dev libseccomp-dev python3-dev docbook2x libgnutls-dev liblua5.2-dev libselinux1-dev script: ./autogen.sh ./configure --enable-tests make -j4 notifications: email: -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
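Review bot: the hunk only drops doxygen and graphviz from the apt-get line; the `script:` step still runs `./autogen.sh`, `./configure --enable-tests` and `make -j4` unchanged, so documentation is only "disabled" if configure detects the missing doxygen and skips the API docs rather than erroring out. If it does not, the build will now fail at a later step instead of timing out. The commit message should name the configure check that makes this safe, or the change should pass an explicit option to configure.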
Re: [lxc-devel] [PATCH] hwaddr templating
Le 06/01/2014 20:01, Serge Hallyn a écrit : Quoting Kent R. Spillner (kspill...@acm.org): On Mon, Jan 06, 2014 at 01:54:14PM +0100, Guillaume ZITTA wrote: This chage introduce also a common randinit() function that could be used to initialize random generator. Is there any reason to always prefer libc rand() over /dev/urandom? I realize the strength of the random numbers in this particular case probably isn't that important but if you want this randinit() to be more generally useful then perhaps it makes sense to change a few things now: I first tried with simple srand(time) and created a container with 3 nic = 3 same hwaddr :-( a minimal strength is necessary. +void randinit(void) +{ +/* +srand pre-seed function based on /dev/urandom +*/ +FILE *f; +process_lock(); +f = fopen(/dev/urandom, r); +process_unlock(); +if (f) { When will this ever fail on Linux? Does Android provide /dev/urandom? For one thing, when you're in a nested container and not allowed to read /dev/urandom :) It works in simple container, why not in nested ? (if cgroup allow it) +unsigned int seed; +int ret = fread(seed, sizeof(seed), 1, f); +if (ret != 1) +seed = time(NULL); +process_lock(); +fclose(f); +process_unlock(); +srand(seed); +} else +srand(time(NULL)); +} When reading this diff it just felt a little strange that when /dev/urandom is working we still only read one byte from it just to seed libc rand(). What if instead of randinit() you introduced a new function that fills a buffer with the requested number of random ints, e.g.: Do we need to worry about draining the entropy pool? Keeping in mind that unprivileged containers are now a reality... If we don't have access to /dev/urandom : What is the alternative to generate more than 1 address in 1 second ? The problem is that 2 parallel launch of lxc-create will generate same hwaddr. can srand(time(NULL)+|getpid()+nicnumber) |limit the chances of collisions ? 
int lxc_randints(int *buf, size_t count)
{
	FILE *f;

	f = fopen("/dev/urandom", "r");
	if (f) {
		size_t ret;

		ret = fread(buf, sizeof(int), count, f);
		/* check ret, handle errors, etc. */
		fclose(f);
		if (ret != count)
			return -1;
	} else {
		size_t i;

		srand(time(NULL));
		for (i = 0; i < count; i++)
			buf[i] = rand();
		/* handle errors, etc. */
	}
	return 0;
}

And then rand_complete_hwaddr becomes something like:

static int rand_complete_hwaddr(char *hwaddr)
{
	const char hex[] = "0123456789abcdef";
#define MAC_ADDRESS_HEX_DIGITS 12
	int buf[MAC_ADDRESS_HEX_DIGITS];
	char *curs = hwaddr;
	int i = 0;

	lxc_randints(buf, MAC_ADDRESS_HEX_DIGITS);
	while (*curs != '\0' && i < MAC_ADDRESS_HEX_DIGITS) {
		if (*curs == 'x' || *curs == 'X') {
			if (curs - hwaddr == 1)
				*curs = hex[buf[i] & 0x0E];
			else
				*curs = hex[buf[i] & 0x0F];
			i++;
		}
		curs++;
	}
	return 0;
}
Re: [lxc-devel] [PATCH] hwaddr templating (with fixes from comments)
This change introduce mac address templating. By setting lxc.network.hwaddr to something like fe:xx:xx:xx:xx:xx each x will be replaced by a random value. If less significant bit of first byte is templated, it will be set to 0. This change introduce also a common randinit() function that could be used to initialize random generator. Signed-off-by: gza l...@zitta.fr --- doc/lxc.conf.sgml.in | 4 +++- src/lxc/confile.c| 41 ++--- src/lxc/utils.c | 18 ++ src/lxc/utils.h | 2 ++ 4 files changed, 61 insertions(+), 4 deletions(-) diff --git a/doc/lxc.conf.sgml.in b/doc/lxc.conf.sgml.in index e6d9689..4bbeeeb 100644 --- a/doc/lxc.conf.sgml.in +++ b/doc/lxc.conf.sgml.in @@ -326,7 +326,9 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA the interface mac address is dynamically allocated by default to the virtual interface, but in some cases, this is needed to resolve a mac address conflict or to - always have the same link-local ipv6 address + always have the same link-local ipv6 address. + Any x in address will be replaced by random value, + this allows setting hwaddr templates. /para /listitem /varlistentry diff --git a/src/lxc/confile.c b/src/lxc/confile.c index 0982b3e..c83c5bf 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -508,6 +508,28 @@ static int macvlan_mode(int *valuep, const char *value) return -1; } +static int rand_complete_hwaddr(char *hwaddr) +{ +const char hex[] = 0123456789abcdef; +char *curs = hwaddr; + +randinit(); + +while (*curs != '\0') +{ +if ( *curs == 'x' || *curs == 'X' ) { +if (curs - hwaddr == 1) { +//ensure address is unicast +*curs = hex[(rand() 0x0E)]; +} else { +*curs = hex[rand() 0x0F]; +} +} +curs++; +} +return 0; +} + static int config_network_flags(const char *key, const char *value, struct lxc_conf *lxc_conf) { 
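Review bot: the added sentence in lxc.conf.sgml.in ("Any x in address will be replaced by random value") does not tell the user that the address is forced to unicast when the first octet is templated, nor that an uppercase X is accepted as well; both are behaviour of rand_complete_hwaddr in this patch and belong in the user-facing text. Wording: "by a random value".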
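Review bot: the unicast fix in rand_complete_hwaddr covers only the multicast bit: at `curs - hwaddr == 1` the nibble is masked with `& 0x0E`, which clears bit 0 of the first octet but leaves bit 1 (locally administered) to chance, so a fully templated address such as xx:xx:xx:xx:xx:xx can land inside a globally assigned OUI; `(rand() & 0x0E) | 0x02` at that position avoids that. The function also calls randinit() on every invocation, so /dev/urandom is reopened and rand() reseeded for each hwaddr key, and it never checks that the non-x characters form a MAC address, since only x characters are touched.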
@@ -575,11 +597,24 @@ static int config_network_hwaddr(const char *key, const char *value, { struct lxc_netdev *netdev; -netdev = network_netdev(key, value, lxc_conf-network); -if (!netdev) +char *newval = strdup(value); + +rand_complete_hwaddr(newval); + +netdev = network_netdev(key, newval, lxc_conf-network); +if (!netdev) { +free(newval); return -1; +}; -return config_string_item(netdev-hwaddr, value); +if (!newval || strlen(newval) == 0) { +free(newval); +netdev-hwaddr = NULL; +return 0; +} + +netdev-hwaddr = newval; +return 0; } static int config_network_vlan_id(const char *key, const char *value, diff --git a/src/lxc/utils.c b/src/lxc/utils.c index 1f9ceea..0451a1d 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -1108,3 +1108,21 @@ void **lxc_append_null_to_array(void **array, size_t count) } return array; } + +void randinit(void) +{ +/* +srand pre-seed function based on /dev/urandom +*/ +FILE *f; +f = fopen(/dev/urandom, r); +if (f) { +unsigned int seed; +int ret = fread(seed, sizeof(seed), 1, f); +if (ret != 1) +seed = time(NULL); +fclose(f); +srand(seed); +} else +srand(time(NULL)); +} diff --git a/src/lxc/utils.h b/src/lxc/utils.h index 847a613..9018889 100644 --- a/src/lxc/utils.h +++ b/src/lxc/utils.h @@ -265,5 +265,7 @@ extern void lxc_free_array(void **array, lxc_free_fn element_free_fn); extern size_t lxc_array_len(void **array); extern void **lxc_append_null_to_array(void **array, size_t count); +//initialize rand with urandom +extern void randinit(void); #endif -- 1.8.3.2
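Review bot: in config_network_hwaddr, newval is used before it is checked: `rand_complete_hwaddr(newval)` runs on the result of `strdup(value)` and only afterwards does `if (!newval || strlen(newval) == 0)` test for NULL, so an allocation failure crashes instead of returning -1; move the NULL test directly after the strdup. The old path went through `config_string_item(&netdev->hwaddr, value)`; if that helper freed a previously set string, the direct `netdev->hwaddr = newval` assignment now leaks the earlier value when the key is given twice. Style: the `};` closing the `if (!netdev)` block has a stray semicolon.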
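Review bot: randinit() spends sizeof(unsigned int) bytes of /dev/urandom only to seed libc rand(), and its fallback `srand(time(NULL))`, taken both when fopen fails and when fread comes back short, gives every lxc process started in the same second the identical sequence; that is exactly the parallel lxc-create collision raised in the review thread. At minimum mix getpid() into the fallback seed, and better still read the nibbles straight from /dev/urandom so rand() is not involved at all. A short fread should also be logged rather than silently degraded to the time seed.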
Re: [lxc-devel] [PATCH] hwaddr templating
Quoting l...@zitta.fr (l...@zitta.fr): Le 06/01/2014 20:01, Serge Hallyn a écrit : Quoting Kent R. Spillner (kspill...@acm.org): On Mon, Jan 06, 2014 at 01:54:14PM +0100, Guillaume ZITTA wrote: This chage introduce also a common randinit() function that could be used to initialize random generator. Is there any reason to always prefer libc rand() over /dev/urandom? I realize the strength of the random numbers in this particular case probably isn't that important but if you want this randinit() to be more generally useful then perhaps it makes sense to change a few things now: I first tried with simple srand(time) and created a container with 3 nic = 3 same hwaddr :-( a minimal strength is necessary. +void randinit(void) +{ +/* +srand pre-seed function based on /dev/urandom +*/ +FILE *f; +process_lock(); +f = fopen(/dev/urandom, r); +process_unlock(); +if (f) { When will this ever fail on Linux? Does Android provide /dev/urandom? For one thing, when you're in a nested container and not allowed to read /dev/urandom :) It works in simple container, why not in nested ? (if cgroup allow it) Because cgroup can disallow it :) +unsigned int seed; +int ret = fread(seed, sizeof(seed), 1, f); +if (ret != 1) +seed = time(NULL); +process_lock(); +fclose(f); +process_unlock(); +srand(seed); +} else +srand(time(NULL)); +} When reading this diff it just felt a little strange that when /dev/urandom is working we still only read one byte from it just to seed libc rand(). What if instead of randinit() you introduced a new function that fills a buffer with the requested number of random ints, e.g.: Do we need to worry about draining the entropy pool? Keeping in mind that unprivileged containers are now a reality... If we don't have access to /dev/urandom : What is the alternative to generate more than 1 address in 1 second ? The problem is that 2 parallel launch of lxc-create will generate same hwaddr. can srand(time(NULL)+|getpid()+nicnumber) |limit the chances of collisions ? 
Yeah that should be fine. (Or you might just make sure to only call srand() once, so that getpid() is enough and you can skip nicnumber) -serge
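The two failure modes this thread turns on, identical addresses from srand(time(NULL)) in parallel lxc-create runs and the I/G bit of the first octet, handled in an added C example that is not code from the patch or from anyone on the list: hwaddr_fill_template takes its random bytes from the caller so the filling can be checked deterministically, and hwaddr_from_template reads exactly the bytes it needs from /dev/urandom; forcing the locally administered bit at position 1 is this example's own choice, not the patch's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Replace each 'x'/'X' in tmpl with a hex nibble (low 4 bits of one byte of
 * rnd). Position 1 is the low nibble of the first octet, which carries the
 * I/G bit (bit 0) and the U/L bit (bit 1): force unicast and, one step beyond
 * the patch, locally administered. Returns random bytes consumed, or -1. */
int hwaddr_fill_template(const char *tmpl, const unsigned char *rnd,
                         size_t rndlen, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t len = strlen(tmpl), i, used = 0;
    if (len + 1 > outlen)
        return -1;
    for (i = 0; i < len; i++) {
        unsigned char nib;
        if (tmpl[i] != 'x' && tmpl[i] != 'X') {
            out[i] = tmpl[i];
            continue;
        }
        if (used >= rndlen)
            return -1;                 /* ran out of random material */
        nib = rnd[used++] & 0x0F;
        if (i == 1)
            nib = (nib & 0x0C) | 0x02; /* clear I/G, set U/L */
        out[i] = hex[nib];
    }
    out[len] = '\0';
    return (int)used;
}
/* Pull exactly the bytes needed from /dev/urandom instead of seeding rand(),
 * so two lxc-create runs in the same second cannot draw the same address.
 * If the device is unreadable (e.g. denied inside a nested container) this
 * returns -1 instead of falling back to a time-based seed. */
int hwaddr_from_template(const char *tmpl, char *out, size_t outlen)
{
    unsigned char rnd[17];  /* a full MAC template has at most 12 x's */
    size_t need = 0, i;
    FILE *f;
    int ok;
    for (i = 0; tmpl[i]; i++)
        if (tmpl[i] == 'x' || tmpl[i] == 'X')
            need++;
    if (need > sizeof(rnd) || !(f = fopen("/dev/urandom", "r")))
        return -1;
    ok = fread(rnd, 1, need, f) == need;
    fclose(f);
    return ok ? hwaddr_fill_template(tmpl, rnd, need, out, outlen) : -1;
}
```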
Re: [lxc-devel] [PATCH] hwaddr templating
On Mon, Jan 06, 2014 at 01:01:03PM -0600, Serge Hallyn wrote:
> > When will this ever fail on Linux? Does Android provide /dev/urandom?
>
> For one thing, when you're in a nested container and not allowed to read
> /dev/urandom :)

Ahhh, yes, of course! :)

> > Do we need to worry about draining the entropy pool? Keeping in mind
> > that unprivileged containers are now a reality...

Hrrrmmm... My suggestion is more wasteful, but the original randinit() can
still be abused to drain the pool (albeit more slowly). I wonder how bad it
is in reality, however; I assume running containers contribute plenty of
entropy back to the host.
Re: [lxc-devel] [PATCH] Setting lxc.console = none causes startup failures for the containers that runs in user namespace
Quoting S.Çağlar Onur (cag...@10ur.org): Setting lxc.console = none causes following failure during startup lxc-start 1389039861.061 INFO lxc_start_ui - using rcfile lxcpath/original/config lxc-start 1389039861.062 INFO lxc_confile - read uid map: type u nsid 0 hostid 26 range 1 lxc-start 1389039861.062 INFO lxc_confile - read uid map: type g nsid 0 hostid 26 range 1 lxc-start 1389039861.062 WARN lxc_log - lxc_log_init called with log already initialized lxc-start 1389039861.065 INFO lxc_lsm - LSM security driver AppArmor lxc-start 1389039861.066 DEBUGlxc_conf - allocated pty '/dev/pts/0' (5/6) lxc-start 1389039861.066 DEBUGlxc_conf - allocated pty '/dev/pts/7' (7/8) lxc-start 1389039861.066 DEBUGlxc_conf - allocated pty '/dev/pts/8' (9/10) lxc-start 1389039861.066 DEBUGlxc_conf - allocated pty '/dev/pts/9' (11/12) lxc-start 1389039861.066 INFO lxc_conf - tty's configured lxc-start 1389039861.066 DEBUGlxc_start - sigchild handler set lxc-start 1389039861.066 ERRORlxc_conf - Error chowning lxc-start 1389039861.066 ERRORlxc_conf - Failed to chown lxc-start 1389039861.066 ERRORlxc_start - Failed to shift tty into container lxc-start 1389039861.066 ERRORlxc_start - failed to initialize the container lxc-start 1389039861.067 INFO lxc_monitor - using monitor sock name lxc/0863ffed81827105/lxcpath fix it by checking the console.name before using it. Signed-off-by: S.Çağlar Onur cag...@10ur.org Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com --- src/lxc/conf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index b7a6ae3..a386d94 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c 
@@ -3368,7 +3368,7 @@ int ttys_shift_ids(struct lxc_conf *c) } } - if (chown_mapped_root(c-console.name, c) 0) { + if (strcmp(c-console.name, ) !=0 chown_mapped_root(c-console.name, c) 0) { ERROR(Failed to chown %s, c-console.name); return -1; } -- 1.8.3.2
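Review bot: the new condition `strcmp(c->console.name, "") != 0` encodes the assumption that lxc.console = none leaves console.name empty, but nothing in the hunk or the commit message says so; a one-line comment next to the check would make the skip self-explanatory. If console.name can ever be a NULL pointer rather than an empty buffer, strcmp dereferences it, so confirm which it is before merging. Style: `!=0` should be `!= 0`, and the subject line should read "containers that run in a user namespace".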
[lxc-devel] [lxc/lxc] 29b10e: Setting lxc.console = none causes startup failures...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: 29b10e4f4755fc4e819187771e58b907daab5476
https://github.com/lxc/lxc/commit/29b10e4f4755fc4e819187771e58b907daab5476
Author: S.Çağlar Onur cag...@10ur.org
Date: 2014-01-06 (Mon, 06 Jan 2014)
Changed paths: M src/lxc/conf.c
Log Message:
---
Setting lxc.console = none causes startup failures for the containers that runs in user namespace

Setting lxc.console = none causes following failure during startup
lxc-start 1389039861.061 INFO lxc_start_ui - using rcfile lxcpath/original/config
lxc-start 1389039861.062 INFO lxc_confile - read uid map: type u nsid 0 hostid 26 range 1
lxc-start 1389039861.062 INFO lxc_confile - read uid map: type g nsid 0 hostid 26 range 1
lxc-start 1389039861.062 WARN lxc_log - lxc_log_init called with log already initialized
lxc-start 1389039861.065 INFO lxc_lsm - LSM security driver AppArmor
lxc-start 1389039861.066 DEBUGlxc_conf - allocated pty '/dev/pts/0' (5/6)
lxc-start 1389039861.066 DEBUGlxc_conf - allocated pty '/dev/pts/7' (7/8)
lxc-start 1389039861.066 DEBUGlxc_conf - allocated pty '/dev/pts/8' (9/10)
lxc-start 1389039861.066 DEBUGlxc_conf - allocated pty '/dev/pts/9' (11/12)
lxc-start 1389039861.066 INFO lxc_conf - tty's configured
lxc-start 1389039861.066 DEBUGlxc_start - sigchild handler set
lxc-start 1389039861.066 ERRORlxc_conf - Error chowning
lxc-start 1389039861.066 ERRORlxc_conf - Failed to chown
lxc-start 1389039861.066 ERRORlxc_start - Failed to shift tty into container
lxc-start 1389039861.066 ERRORlxc_start - failed to initialize the container
lxc-start 1389039861.067 INFO lxc_monitor - using monitor sock name lxc/0863ffed81827105/lxcpath

fix it by checking the console.name before using it.

Signed-off-by: S.Çağlar Onur cag...@10ur.org
Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com
Re: [lxc-devel] [PATCH] hwaddr templating
Quoting Kent R. Spillner (kspill...@acm.org):
> On Mon, Jan 06, 2014 at 06:04:07PM -0600, Kent R. Spillner wrote:
> > Hrrrmmm... My suggestion is more wasteful, but the original randinit()
> > can still be abused to drain the pool (albeit more slowly). I wonder how
> > bad it is in reality, however; I assume running containers contribute
> > plenty of entropy back to the host.
>
> Sorry for the self reply, but since my message didn't make it obvious: the
> last sentence was mostly a reminder to myself to experiment and measure
> when I get a chance (unless anyone already knows off the top of their
> head).

I don't - thanks, it'll be interesting to know.