[lxc-devel] Passed: lxc/lxc#1760 (lxc-2.0.0.rc4 - db6c925)
Build Update for lxc/lxc
Build: #1760
Status: Passed
Duration: 1 minute and 22 seconds
Commit: db6c925 (lxc-2.0.0.rc4)
Author: Stéphane Graber
Message: change version to 2.0.0.rc4 in configure.ac

Signed-off-by: Stéphane Graber

View the changeset: https://github.com/lxc/lxc/compare/lxc-2.0.0.rc4
View the full build log and details: https://travis-ci.org/lxc/lxc/builds/112183362

--
You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications

___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/lxc] db6c92: change version to 2.0.0.rc4 in configure.ac
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: db6c92525ee7df7051378fa0724e59efff8b2760
https://github.com/lxc/lxc/commit/db6c92525ee7df7051378fa0724e59efff8b2760
Author: Stéphane Graber
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M configure.ac
Log Message:
---
change version to 2.0.0.rc4 in configure.ac

Signed-off-by: Stéphane Graber
[lxc-devel] [lxc/lxc]
Branch: refs/tags/lxc-2.0.0.rc4
Home: https://github.com/lxc/lxc
[lxc-devel] [lxd/master] implement a docker profile
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1672 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === so that you can easily launch a container in which you can run docker. Thanks stgraber for the idea. Signed-off-by: Serge HallynFrom f1faa563c9bc6d2a409b5d28d0daf61f7ff0a45e Mon Sep 17 00:00:00 2001 From: Serge Hallyn Date: Fri, 26 Feb 2016 16:07:48 -0800 Subject: [PATCH] implement a docker profile so that you can easily launch a container in which you can run docker. Thanks stgraber for the idea. Signed-off-by: Serge Hallyn --- README.md | 9 + lxd/db.go | 7 ++- lxd/db_profiles.go | 24 3 files changed, 39 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5ef61c1..2ccbbb3 100644 --- a/README.md +++ b/README.md @@ -273,3 +273,12 @@ Yes. The easiest way to do that is using a privileged container: lxc launch ubuntu priv -c security.privileged=true lxc config device add priv homedir disk source=/home/$USER path=/home/ubuntu + + How can I run docker inside a LXD container? + +Create a container with the migrateable profile: + + lxc launch ubuntu:xenial my-docker-host -p default -p docker + +Then run a version of docker with the needed patches, for instance version +v1.10.0.serge.2 branch of github.com/hallyn/docker. diff --git a/lxd/db.go b/lxd/db.go index c4f6cf5..2938306 100644 --- a/lxd/db.go +++ b/lxd/db.go @@ -181,7 +181,12 @@ func createDb(db *sql.DB) (err error) { } } - return dbProfileCreateDefault(db) + err = dbProfileCreateDefault(db) + if err != nil { + return err + } + + return dbProfileCreateDocker(db) } func dbGetSchema(db *sql.DB) (v int) { diff --git a/lxd/db_profiles.go b/lxd/db_profiles.go index 78cfbad..94c69ed 100644 --- a/lxd/db_profiles.go +++ b/lxd/db_profiles.go 
@@ -110,6 +110,30 @@ func dbProfileCreateDefault(db *sql.DB) error { return nil } +func dbProfileCreateDocker(db *sql.DB) error { + id, err := dbProfileID(db, "docker") + if err != nil { + return err + } + + if id != -1 { + // docker profile already exists + return nil + } + + config := map[string]string{ + "security.nesting": "true", + "linux.kernel_modules": "overlay, nf_nat",} + fusedev := map[string]string { +"path": "/dev/fuse", +"type": "unix-char", + } + devices := map[string]shared.Device{ "fuse": fusedev, } + +_, err = dbProfileCreate(db, "docker", config, devices) + return err +} + // Get the profile configuration map from the DB func dbProfileConfig(db *sql.DB, name string) (map[string]string, error) { var key, value string ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
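Review bot: the README hunk says "Create a container with the migrateable profile" but the command below it uses `-p docker`, the profile this patch adds; change the wording to "docker profile" so readers apply the right one. The same paragraph names a personal fork branch (v1.10.0.serge.2 of github.com/hallyn/docker) as the docker to run; say which patches that branch carries so users can tell when an upstream release no longer needs it, and write "an LXD container" rather than "a LXD container".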
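Review bot: dbProfileCreateDocker is only called from createDb, so the docker profile will exist on freshly initialised databases but not on existing installs that upgrade to this version; if that is intended the README should say so, otherwise the schema update path needs the same call.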
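Review bot: this profile is a security-relevant default and the README should state its host-side effects rather than only "run docker inside": "security.nesting": "true" relaxes the container's confinement, "linux.kernel_modules": "overlay, nf_nat" loads modules on the host on the container's behalf, and the fuse device hands the container /dev/fuse. Also confirm the module-list parser tolerates the space after the comma in "overlay, nf_nat" (or drop the space), and run gofmt on the hunk: `map[string]string {` has a stray space, `"linux.kernel_modules": "overlay, nf_nat",}` closes the map on the value line, and the "path"/"type" lines and `_, err = dbProfileCreate(...)` are not indented.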
Re: [lxc-devel] CGroup Namespaces (v10)
Quoting Alban Crequy (alban.cre...@gmail.com):
> Hi,
>
> On 29 January 2016 at 09:54, wrote:
> > Hi,
> >
> > following is a revised set of the CGroup Namespace patchset which Aditya
> > Kali has previously sent. The code can also be found in the cgroupns.v10
> > branch of
> >
> > https://git.kernel.org/cgit/linux/kernel/git/sergeh/linux-security.git/
> >
> > To summarize the semantics:
> >
> > 1. CLONE_NEWCGROUP re-uses 0x0200, which was previously CLONE_STOPPED
>
> What's the best way for a userspace application to test at run-time
> whether the kernel supports cgroup namespaces? Would you recommend to
> test if the file /proc/self/ns/cgroup exists?

Yup.
[lxc-devel] [lxd/master] Implement initial simplestreams support
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1671 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === With this, we get the two simplestreams remote and can interact with the remote image store, copy from it, export from it and start containers from it. The next step will involve implementing sync support into the LXD daemon so that those images can be kept in sync in the background. From 7a9f057e1f5d53320513af4c152cfb242372f1d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?=Date: Tue, 16 Feb 2016 17:18:57 -0500 Subject: [PATCH 1/3] Implement simplestreams support in the client MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber --- client.go | 182 +-- config.go | 35 ++- lxc/image.go| 6 +- lxc/remote.go | 34 ++- po/lxd.pot | 99 shared/architectures.go | 18 ++ shared/simplestreams.go | 595 7 files changed, 842 insertions(+), 127 deletions(-) create mode 100644 shared/simplestreams.go diff --git a/client.go b/client.go index 768f27b..c5b1468 100644 --- a/client.go +++ b/client.go @@ -37,6 +37,7 @@ type Client struct { Httphttp.Client websocketDialer websocket.Dialer + simplestreams *shared.SimpleStreams } type ResponseType string @@ -201,6 +202,17 @@ func NewClient(config *Config, remote string) (*Client, error) { return nil, err } c.Config = *config + c.Remote = + + if c.Remote.Protocol == "simplestreams" { + ss, err := shared.SimpleStreamsClient(c.Remote.Addr) + if err != nil { + return nil, err + } + + c.simplestreams = ss + } + return c, nil } 
@@ -554,42 +566,46 @@ func (c *Client) ListContainers() ([]shared.ContainerInfo, error) { } func (c *Client) CopyImage(image string, dest *Client, copy_aliases bool, aliases []string, public bool, progressHandler func(progress string)) error { - fingerprint := c.GetAlias(image) - if fingerprint == "" { - fingerprint = image + source := shared.Jmap{ + "type":"image", + "mode":"pull", + "server": c.BaseURL, + "protocol":c.Remote.Protocol, + "certificate": c.Certificate, + "fingerprint": image} + + target := c.GetAlias(image) + if target != "" { + image = target } - info, err := c.GetImageInfo(fingerprint) + info, err := c.GetImageInfo(image) if err != nil { return err } - source := shared.Jmap{ - "type":"image", - "mode":"pull", - "server": c.BaseURL, - "certificate": c.Certificate, - "fingerprint": fingerprint} + if c.Remote.Protocol != "simplestreams" { + if !info.Public { + var secret string - if !info.Public { - var secret string + resp, err := c.post("images/"+image+"/secret", nil, Async) + if err != nil { + return err + } - resp, err := c.post("images/"+fingerprint+"/secret", nil, Async) - if err != nil { - return err - } + op, err := resp.MetadataAsOperation() + if err != nil { + return err + } - op, err := resp.MetadataAsOperation() - if err != nil { - return err - } + secret, err = op.Metadata.GetString("secret") + if err != nil { + return err + } - secret, err = op.Metadata.GetString("secret") - if err != nil { - return err + source["secret"] = secret } - - source["secret"] = secret + source["fingerprint"] = image } addresses, err := c.Addresses() @@ -680,11 +696,15 @@ func (c *Client) CopyImage(image string, dest *Client, copy_aliases bool, aliase return err } -func (c *Client) ExportImage(image string, target string) (*Response, string, error) { +func (c *Client) ExportImage(image string, target string) (string, error) { + if c.Remote.Protocol ==
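Review bot: in NewClient, `shared.SimpleStreamsClient(c.Remote.Addr)` is built from the remote address alone, whereas the LXD protocol path carries a certificate for the remote; state in the PR where transport security for simplestreams remotes is enforced (HTTPS only, certificate verification), since the image list and fingerprints used to start containers from these remotes now come over that channel.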
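Review bot: in CopyImage the `source` map is now filled before the alias is resolved, with "fingerprint": image holding whatever the user typed, and it is only overwritten with the resolved name inside the `if c.Remote.Protocol != "simplestreams"` block; for a simplestreams remote the target therefore receives the alias rather than the fingerprint that GetImageInfo was queried with. If the simplestreams server is expected to resolve aliases itself, say so in a comment; otherwise move `source["fingerprint"] = image` out of the conditional so both protocols send the resolved value, at which point the initial "fingerprint": image entry is redundant.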
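Review bot: ExportImage changes its return type from (*Response, string, error) to (string, error); the hunk shown ends before the body, so confirm that every caller in lxc/image.go was updated and that none of them needed the response object dropped from the signature.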
[lxc-devel] [lxd/master] Export image last use and cache state
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1670 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Stéphane GraberFrom 83632e4d1ef69d5ec1fc110d1d48141b23addb4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Fri, 26 Feb 2016 17:40:36 -0500 Subject: [PATCH] Export image last use and cache state MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber --- lxd/db_images.go | 20 +--- shared/image.go | 2 ++ specs/rest-api.md | 2 ++ 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/lxd/db_images.go b/lxd/db_images.go index 70f58d3..c845b46 100644 --- a/lxd/db_images.go +++ b/lxd/db_images.go @@ -38,7 +38,7 @@ func dbImagesGet(db *sql.DB, public bool) ([]string, error) { // enforced by a UNIQUE constraint in the schema. func dbImageGet(db *sql.DB, fingerprint string, public bool, strictMatching bool) (int, *shared.ImageInfo, error) { var err error - var create, expire, upload *time.Time // These hold the db-returned times + var create, expire, used, upload *time.Time // These hold the db-returned times // The object we'll actually return image := shared.ImageInfo{} @@ -47,8 +47,8 @@ func dbImageGet(db *sql.DB, fingerprint string, public bool, strictMatching bool // These two humongous things will be filled by the call to DbQueryRowScan outfmt := []interface{}{, , , - , , , - , , } + , , , , + , , , } var query string 
@@ -57,8 +57,8 @@ func dbImageGet(db *sql.DB, fingerprint string, public bool, strictMatching bool inargs = []interface{}{fingerprint} query = ` SELECT -id, fingerprint, filename, size, public, architecture, -creation_date, expiry_date, upload_date +id, fingerprint, filename, size, cached, public, architecture, +creation_date, expiry_date, last_use_date, upload_date FROM images WHERE fingerprint = ?` @@ -66,8 +66,8 @@ func dbImageGet(db *sql.DB, fingerprint string, public bool, strictMatching bool inargs = []interface{}{fingerprint + "%"} query = ` SELECT -id, fingerprint, filename, size, public, architecture, -creation_date, expiry_date, upload_date +id, fingerprint, filename, size, cached, public, architecture, +creation_date, expiry_date, last_use_date, upload_date FROM images WHERE fingerprint LIKE ?` @@ -96,6 +96,12 @@ func dbImageGet(db *sql.DB, fingerprint string, public bool, strictMatching bool image.ExpiryDate = time.Time{} } + if used != nil { + image.LastUsedDate = *used + } else { + image.LastUsedDate = time.Time{} + } + image.Architecture, _ = shared.ArchitectureName(arch) // The upload date is enforced by NOT NULL in the schema, so it can never be nil. diff --git a/shared/image.go b/shared/image.go index c56c997..c2feaaa 100644 --- a/shared/image.go +++ b/shared/image.go @@ -22,6 +22,7 @@ type ImageAlias struct { type ImageInfo struct { Aliases []ImageAlias `json:"aliases"` Architecture string`json:"architecture"` + Cached bool `json:"cached"` Fingerprint string`json:"fingerprint"` Filename string`json:"filename"` Properties map[string]string `json:"properties"` @@ -29,6 +30,7 @@ type ImageInfo struct { Size int64 `json:"size"` CreationDate time.Time `json:"created_at"` ExpiryDate time.Time `json:"expires_at"` + LastUsedDate time.Time `json:"last_used_at"` UploadDate time.Time `json:"uploaded_at"` } diff --git a/specs/rest-api.md b/specs/rest-api.md index 1c82ea7..945115c 100644 --- a/specs/rest-api.md +++ b/specs/rest-api.md 
@@ -1101,6 +1101,7 @@ Output: } ], "architecture": "x86_64", +"cached": false, "fingerprint": "54c8caac1f61901ed86c68f24af5f5d3672bdc62c71d04f06df3a59e95684473", "filename": "ubuntu-trusty-14.04-amd64-server-20160201.tar.xz", "properties": { @@ -1113,6 +1114,7 @@ Output: "size": 123792592, "created_at": "2016-02-01T21:07:41Z", "expires_at": "1970-01-01T00:00:00Z", +"last_used_at": "1970-01-01T00:00:00Z", "uploaded_at": "2016-02-16T00:44:47Z" }
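Review bot: the two SELECT hunks add the `cached` and `last_use_date` columns to dbImageGet but the patch touches no schema file, so either those columns already exist in the images table (say so in the description) or a schema update is missing and every image lookup fails with an unknown-column error after upgrade. The two queries differ only in the WHERE clause; building the column list once would keep the order against `outfmt` from drifting between them.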
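Review bot: Cached and LastUsedDate become part of the ImageInfo JSON for every image, and dbImageGet is also called with `public` set for the unauthenticated endpoints; if the public listing returns the same struct, decide whether anonymous clients should learn a server's cache state and last-use timestamps, and omit the fields from the public view if not.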
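Review bot: the rest-api.md example shows "last_used_at": "1970-01-01T00:00:00Z" for an image that has never been used; the spec should state that the zero time means "never used" so clients do not treat the epoch as a real timestamp.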
[lxc-devel] [lxc/lxc] fcca16: cgfs: ignore mount prefix in mountinfo if cgroup n...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: fcca16bc86c3e08439bc4a7b865213689b6e1c12
https://github.com/lxc/lxc/commit/fcca16bc86c3e08439bc4a7b865213689b6e1c12
Author: Serge Hallyn
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M src/lxc/cgfs.c
Log Message:
---
cgfs: ignore mount prefix in mountinfo if cgroup namespaces are supported

This is not 100% correct, but will suffice until we fix the kernel so that we can distinguish between bind mounts and namespaced cgroupfs mounts.

Signed-off-by: Serge Hallyn

Commit: 992b78d7157f3e2789c84fc5bfc0748d03cc4d1a
https://github.com/lxc/lxc/commit/992b78d7157f3e2789c84fc5bfc0748d03cc4d1a
Author: Christian Brauner
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M src/lxc/cgfs.c
Log Message:
---
Merge pull request #856 from hallyn/2016-02-26/cgfs.cgns.2

cgfs: ignore mount prefix in mountinfo if cgroup namespaces are suppo…

Compare: https://github.com/lxc/lxc/compare/5d55659daae5...992b78d7157f
[lxc-devel] [lxc/master] cgfs: ignore mount prefix in mountinfo if cgroup namespaces are suppo…
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/856 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === …rted This is not 100% correct, but will suffice until we fix the kernel so that we can distinguish between bind mounts and namespaced cgroupfs mounts. Signed-off-by: Serge HallynFrom fcca16bc86c3e08439bc4a7b865213689b6e1c12 Mon Sep 17 00:00:00 2001 From: Serge Hallyn Date: Fri, 26 Feb 2016 13:35:24 -0800 Subject: [PATCH] cgfs: ignore mount prefix in mountinfo if cgroup namespaces are supported This is not 100% correct, but will suffice until we fix the kernel so that we can distinguish between bind mounts and namespaced cgroupfs mounts. Signed-off-by: Serge Hallyn --- src/lxc/cgfs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/lxc/cgfs.c b/src/lxc/cgfs.c index 8c1cb64..16c80eb 100644 --- a/src/lxc/cgfs.c +++ b/src/lxc/cgfs.c @@ -418,6 +418,7 @@ static bool find_hierarchy_mountpts( struct cgroup_meta_data *meta_data, char ** size_t mount_point_capacity = 0; size_t token_capacity = 0; int r; + bool is_cgns = cgns_supported(); proc_self_mountinfo = fopen_cloexec("/proc/self/mountinfo", "r"); /* if for some reason (because of setns() and pid namespace for example), @@ -512,7 +513,7 @@ static bool find_hierarchy_mountpts( struct cgroup_meta_data *meta_data, char ** meta_data->mount_points[mount_point_count++] = mount_point; mount_point->hierarchy = h; - if (is_lxcfs) + if (is_lxcfs || is_cgns) mount_point->mount_prefix = strdup("/"); else mount_point->mount_prefix = strdup(tokens[3]); ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
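Review bot: with `is_cgns` true, every cgroupfs entry in mountinfo gets mount_prefix "/" regardless of tokens[3], so a cgroup subtree bind-mounted into the container becomes indistinguishable from a namespaced root mount; the commit message calls this a known approximation until the kernel exposes the difference, but that caveat should also live as a comment next to `if (is_lxcfs || is_cgns)` so the next person editing find_hierarchy_mountpts sees it. `cgns_supported()` is evaluated once per call, which is fine here but worth caching if it probes the filesystem each time.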
[lxc-devel] [lxc/lxc] ea439a: fix cgfs failure for unpriv users
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: ea439aaca19806baab514e67da20ac527de2f96c
https://github.com/lxc/lxc/commit/ea439aaca19806baab514e67da20ac527de2f96c
Author: Serge Hallyn
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M src/lxc/cgfs.c
  M src/lxc/cgmanager.c
  M src/lxc/cgroup.c
  M src/lxc/cgroup.h
Log Message:
---
fix cgfs failure for unpriv users

Cgmanager was taught a while ago that only some cgroup controllers are crucial. Teach cgfs the same thing.

This patch needs improvement, but will fix failure of lxc without cgmanager for unprivileged users for now. In particular, needed improvements include:

1. the check for crucial subsystems needs to include lxc.use
2. we should keep a list of the actually used subsystems so we don't keep trying to chmod and enter after create has found we couldn't use a particular subsystem

This fixes unprivileged lxc use. It does not appear to suffice to fix nested unprivileged lxd usage.

Signed-off-by: Serge Hallyn

Commit: 5d55659daae5aa70cd579be4bee942a07173440c
https://github.com/lxc/lxc/commit/5d55659daae5aa70cd579be4bee942a07173440c
Author: Christian Brauner
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M src/lxc/cgfs.c
  M src/lxc/cgmanager.c
  M src/lxc/cgroup.c
  M src/lxc/cgroup.h
Log Message:
---
Merge pull request #855 from hallyn/2016-02-26/cgfs.crucial

fix cgfs failure for unpriv users

Compare: https://github.com/lxc/lxc/compare/127ef998ed3d...5d55659daae5
[lxc-devel] [lxc/master] fix cgfs failure for unpriv users
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/855 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Cgmanager was taught awhile ago that only some cgroup controllers are crucial. Teach cgfs the same thing. This patch needs improvement, but will fix failure of lxc without cgmanager for unprivileged users for now. In particular, needed improvements include: 1. the check for crucial subsystems needs to include lxc.use 2. we should keep a list of the actually used subsystems so we don't keep trying to chmod and enter after create has found we couldn't use a particular subsystem This fixes unprivileged lxc use. It does not appear to suffice to fix nested unprivilegd lxd usage. Signed-off-by: Serge HallynFrom 191b86778d1277228eaeab861e50c1ee8f601b42 Mon Sep 17 00:00:00 2001 From: Serge Hallyn Date: Fri, 26 Feb 2016 20:03:09 + Subject: [PATCH] fix cgfs failure for unpriv users Cgmanager was taught awhile ago that only some cgroup controllers are crucial. Teach cgfs the same thing. This patch needs improvement, but will fix failure of lxc without cgmanager for unprivileged users for now. In particular, needed improvements include: 1. the check for crucial subsystems needs to include lxc.use 2. we should keep a list of the actually used subsystems so we don't keep trying to chmod and enter after create has found we couldn't use a particular subsystem This fixes unprivileged lxc use. It does not appear to suffice to fix nested unprivilegd lxd usage. Signed-off-by: Serge Hallyn --- src/lxc/cgfs.c | 25 - src/lxc/cgmanager.c | 15 --- src/lxc/cgroup.c| 15 +++ src/lxc/cgroup.h| 1 + 4 files changed, 36 insertions(+), 20 deletions(-) diff --git a/src/lxc/cgfs.c b/src/lxc/cgfs.c index e2d8934..8c1cb64 100644 --- a/src/lxc/cgfs.c +++ b/src/lxc/cgfs.c 
@@ -807,6 +807,17 @@ static char *cgroup_rename_nsgroup(const char *mountpath, const char *oldname, p return newname; } +static bool is_crucial_hierarchy(struct cgroup_hierarchy *h) +{ + char **p; + + for (p = h->subsystems; *p; p++) { + if (is_crucial_cgroup_subsystem(*p)) + return true; + } + return false; +} + /* create a new cgroup */ static struct cgroup_process_info *lxc_cgroupfs_create(const char *name, const char *path_pattern, struct cgroup_meta_data *meta_data, const char *sub_pattern) { @@ -974,8 +985,11 @@ static struct cgroup_process_info *lxc_cgroupfs_create(const char *name, const c current_entire_path = NULL; goto cleanup_name_on_this_level; } else if (r < 0 && errno != EEXIST) { - SYSERROR("Could not create cgroup '%s' in '%s'.", current_entire_path, info_ptr->designated_mount_point->mount_point); - goto cleanup_from_error; + if (is_crucial_hierarchy(info_ptr->hierarchy)) { + SYSERROR("Could not create cgroup '%s' in '%s'.", current_entire_path, info_ptr->designated_mount_point->mount_point); + goto cleanup_from_error; + } + goto skip; } else if (r == 0) { /* successfully created */ r = lxc_grow_array((void ***)_ptr->created_paths, _ptr->created_paths_capacity, info_ptr->created_paths_count + 1, 8); @@ -999,6 +1013,7 @@ static struct cgroup_process_info *lxc_cgroupfs_create(const char *name, const c goto cleanup_from_error; } +skip: /* already existed but path component of pattern didn't contain '%n', * so this is not an error; but then we don't need current_entire_path * anymore... @@ -1180,7 +1195,7 @@ static int lxc_cgroupfs_enter(struct cgroup_process_info *info, pid_t pid, bool r = lxc_write_to_file(cgroup_tasks_fn, pid_buf, strlen(pid_buf), false); free(cgroup_tasks_fn); - if (r < 0) { + if (r < 0 && is_crucial_hierarchy(info_ptr->hierarchy)) { SYSERROR("Could not add pid %lu to cgroup %s: internal error", (unsigned long)pid, cgroup_path); return -1; } 
@@ -1509,7 +1524,7 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type) if (!abs_path) goto
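Review bot: is_crucial_hierarchy walks h->subsystems up to a NULL sentinel; add a one-line comment saying the array is NULL-terminated. Since is_crucial_cgroup_subsystem is now the single place deciding which controllers may be silently dropped, item 1 of the commit message (honouring lxc.use) should be tracked as an issue so it is not forgotten.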
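Review bot: in lxc_cgroupfs_create, a create failure in a non-crucial hierarchy now jumps to `skip:` with no log line; emit at least an INFO/WARN naming the hierarchy, because a container that silently ends up outside a controller's cgroup has none of that controller's limits applied and an operator has no way to notice. Also confirm the code after `skip:` frees current_entire_path on this path, since the label is reached from the error branch rather than the EEXIST fallthrough it was written for.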
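Review bot: in lxc_cgroupfs_enter, `if (r < 0 && is_crucial_hierarchy(info_ptr->hierarchy))` swallows the write failure for non-crucial hierarchies without logging and the pid then runs outside that cgroup; add a WARN with the hierarchy and cgroup_path so the missing controller shows up in the container log, and note that until the used-subsystem list from item 2 exists this step keeps retrying hierarchies that create already gave up on.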
[lxc-devel] [lxd/master] Fix hardcoded architecture path in apparmor profile
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1667 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Surely we also want nesting to work on other architectures :) Signed-off-by: Stéphane GraberFrom 16636f26d7b54d821b6d7ad5847a0c44356013e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Fri, 26 Feb 2016 12:43:44 -0500 Subject: [PATCH] Fix hardcoded architecture path in apparmor profile MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Surely we also want nesting to work on other architectures :) Signed-off-by: Stéphane Graber --- lxd/apparmor.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lxd/apparmor.go b/lxd/apparmor.go index b983834..45fe566 100644 --- a/lxd/apparmor.go +++ b/lxd/apparmor.go @@ -27,8 +27,8 @@ const NESTING_AA_PROFILE = ` pivot_root, mount /var/lib/lxd/shmounts/ -> /var/lib/lxd/shmounts/, mount none -> /var/lib/lxd/shmounts/, - mount fstype=proc -> /usr/lib/x86_64-linux-gnu/lxc/**, - mount fstype=sysfs -> /usr/lib/x86_64-linux-gnu/lxc/**, + mount fstype=proc -> /usr/lib/*/lxc/**, + mount fstype=sysfs -> /usr/lib/*/lxc/**, mount options=(rw,bind), mount options=(rw,rbind), deny /dev/.lxd/proc/** rw, ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
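Review bot: `/usr/lib/*/lxc/**` requires exactly one path component between lib and lxc, so it covers the multiarch triplet directories but not an lxc installed directly under /usr/lib/lxc; if LXD is expected to run on such layouts, use AppArmor alternation, e.g. `mount fstype=proc -> /usr/lib{,/*}/lxc/**,`, which still confines the mount target to an lxc subtree while matching both. The wildcard also widens the rule from one known triplet to any directory under /usr/lib; that is acceptable given the lxc/** constraint but deserves a sentence in the commit message.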
[lxc-devel] [lxc/lxc] fb9d69: lxc-ls: count spaces
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: fb9d69f27fa8aa5bad5bde1a46f868d75241a6f5
https://github.com/lxc/lxc/commit/fb9d69f27fa8aa5bad5bde1a46f868d75241a6f5
Author: Christian Brauner
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M src/lxc/lxc_ls.c
Log Message:
---
lxc-ls: count spaces

Otherwise line wrapping might occur too late.

Signed-off-by: Christian Brauner

Commit: e5712bb4415f887df6fb6b67e0d2f21954ee5614
https://github.com/lxc/lxc/commit/e5712bb4415f887df6fb6b67e0d2f21954ee5614
Author: Stéphane Graber
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M src/lxc/lxc_ls.c
Log Message:
---
Merge pull request #852 from brauner/bugfix_branch

lxc-ls: count spaces

Compare: https://github.com/lxc/lxc/compare/c46954935b51...e5712bb4415f
[lxc-devel] [lxc/lxc] 6515fa: lxc-alpine: completely rewrite the template script
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 6515faa115664909351ac241763bcb374ff62608
https://github.com/lxc/lxc/commit/6515faa115664909351ac241763bcb374ff62608
Author: Jakub Jirutka
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M config/templates/Makefile.am
  A config/templates/alpine.common.conf.in
  A config/templates/alpine.userns.conf.in
  M configure.ac
  M templates/lxc-alpine.in
Log Message:
---
lxc-alpine: completely rewrite the template script

New template script is more readable and robust, uses cache and external LXC config file as other templates.

Signed-off-by: Jakub Jirutka

Commit: 04fa4e125397e022d99cd8448b221caef3c92452
https://github.com/lxc/lxc/commit/04fa4e125397e022d99cd8448b221caef3c92452
Author: Jakub Jirutka
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M templates/lxc-alpine.in
Log Message:
---
lxc-alpine: make it compatible with ash, replace curl and rsync

Now it runs even on minimal Alpine system without bash, curl, openssl or rsync.

Signed-off-by: Jakub Jirutka

Commit: 5845ac2bb83c2d509cbcb9a869d94b793f18
https://github.com/lxc/lxc/commit/5845ac2bb83c2d509cbcb9a869d94b793f18
Author: Jakub Jirutka
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M templates/lxc-alpine.in
Log Message:
---
lxc-alpine: remove all bashisms, make it compatible with dash

Signed-off-by: Jakub Jirutka

Commit: 20f39db782ec0d2197cf3a81e6038fb908159ef6
https://github.com/lxc/lxc/commit/20f39db782ec0d2197cf3a81e6038fb908159ef6
Author: Jakub Jirutka
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M templates/lxc-alpine.in
Log Message:
---
lxc-alpine: cache APK packages instead of rootfs

Signed-off-by: Jakub Jirutka

Commit: 1125e053fb0dbaad73437ed02e435f36e766fc2b
https://github.com/lxc/lxc/commit/1125e053fb0dbaad73437ed02e435f36e766fc2b
Author: Jakub Jirutka
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M templates/lxc-alpine.in
Log Message:
---
lxc-alpine: allow to install additional packages

Signed-off-by: Jakub Jirutka

Commit: 127ef998ed3d84b64e075213f5f40a4d472a2c95
https://github.com/lxc/lxc/commit/127ef998ed3d84b64e075213f5f40a4d472a2c95
Author: Christian Brauner
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M config/templates/Makefile.am
  A config/templates/alpine.common.conf.in
  A config/templates/alpine.userns.conf.in
  M configure.ac
  M templates/lxc-alpine.in
Log Message:
---
Merge pull request #751 from jirutka/alpine-tmpl

Rewrite template script for Alpine Linux

Compare: https://github.com/lxc/lxc/compare/e5712bb4415f...127ef998ed3d
Re: [lxc-devel] CGroup Namespaces (v10)
Hi,

On 29 January 2016 at 09:54, wrote:
> Hi,
>
> following is a revised set of the CGroup Namespace patchset which Aditya
> Kali has previously sent. The code can also be found in the cgroupns.v10
> branch of
>
> https://git.kernel.org/cgit/linux/kernel/git/sergeh/linux-security.git/
>
> To summarize the semantics:
>
> 1. CLONE_NEWCGROUP re-uses 0x0200, which was previously CLONE_STOPPED

What's the best way for a userspace application to test at run-time
whether the kernel supports cgroup namespaces? Would you recommend to
test if the file /proc/self/ns/cgroup exists?

Thanks!
Alban
[lxc-devel] [lxc/lxc] a3e596: doc: Add LXC_CGNS_AWARE env to Korean lxc.containe...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: a3e596c3a54bc3330b6f974e3ebf70c1b6bdd24a
https://github.com/lxc/lxc/commit/a3e596c3a54bc3330b6f974e3ebf70c1b6bdd24a
Author: Sungbae Yoo
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M doc/ko/lxc.container.conf.sgml.in
Log Message:
---
doc: Add LXC_CGNS_AWARE env to Korean lxc.container.conf(5)

Update for commit c4cafa0

Signed-off-by: Sungbae Yoo

Commit: 1e4fe6112c78b20aa1854dd2b4ef6837d45c9976
https://github.com/lxc/lxc/commit/1e4fe6112c78b20aa1854dd2b4ef6837d45c9976
Author: Sungbae Yoo
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M doc/ko/lxc.container.conf.sgml.in
Log Message:
---
doc: Add the Korean description of cgns apparmor profile in lxc.container.conf

Update for commit 7a126ae

Signed-off-by: Sungbae Yoo

Commit: eae7ec6edca67f6b7cb53818cce41290b6cd7138
https://github.com/lxc/lxc/commit/eae7ec6edca67f6b7cb53818cce41290b6cd7138
Author: Sungbae Yoo
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M doc/ko/lxc-attach.sgml.in
Log Message:
---
doc: Update Korean lxc-attach(1)

Update for commit e986ea3

Signed-off-by: Sungbae Yoo

Commit: 77fbb4d2d9580887b984ee29cf36042d1384de06
https://github.com/lxc/lxc/commit/77fbb4d2d9580887b984ee29cf36042d1384de06
Author: Sungbae Yoo
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M doc/ko/lxc-clone.sgml.in
  M doc/ko/lxc-start-ephemeral.sgml.in
Log Message:
---
doc: Update Korean lxc-clone(1) and lxc-start-ephemeral(1)

Update for commit 2ae6732.

Signed-off-by: Sungbae Yoo

Commit: bcd7520a48f77dad266b4a78575cf791439d5c73
https://github.com/lxc/lxc/commit/bcd7520a48f77dad266b4a78575cf791439d5c73
Author: Sungbae Yoo
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M doc/ko/lxc-attach.sgml.in
  M doc/ko/lxc.container.conf.sgml.in
Log Message:
---
doc: Add the Korean description that automount is ignored when cgroup namespaces are supported.

Update for commit 4608594

Signed-off-by: Sungbae Yoo

Commit: c46954935b51f70408d31786d0795872d15b
https://github.com/lxc/lxc/commit/c46954935b51f70408d31786d0795872d15b
Author: Christian Brauner
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M doc/ko/lxc-attach.sgml.in
  M doc/ko/lxc-clone.sgml.in
  M doc/ko/lxc-start-ephemeral.sgml.in
  M doc/ko/lxc.container.conf.sgml.in
Log Message:
---
Merge pull request #854 from ysbnim/master

Update Korean manuals

Compare: https://github.com/lxc/lxc/compare/c753bba61591...c46954935b51
[lxc-devel] [lxc/lxc] f025e6: doc: Update Japanese lxc-attach(1)
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: f025e64819ea14ea5f87eae652a1666cdcbb640e
https://github.com/lxc/lxc/commit/f025e64819ea14ea5f87eae652a1666cdcbb640e
Author: KATOH Yasufumi
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M doc/ja/lxc-attach.sgml.in
Log Message:
---
doc: Update Japanese lxc-attach(1)

Update the description of pty allocation.

Update for commit 478dda7.

Signed-off-by: KATOH Yasufumi

Commit: c753bba61591a1588d99b34dbff80d402065476a
https://github.com/lxc/lxc/commit/c753bba61591a1588d99b34dbff80d402065476a
Author: Christian Brauner
Date: 2016-02-26 (Fri, 26 Feb 2016)
Changed paths:
  M doc/ja/lxc-attach.sgml.in
Log Message:
---
Merge pull request #853 from tenforward/japanese_man

doc: Update Japanese lxc-attach(1)

Compare: https://github.com/lxc/lxc/compare/a71e0967ae9f...c753bba61591
[lxc-devel] [lxc/master] Update Korean manuals
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/854 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Update Korean lxc-attach, lxc-clone, lxc-start-ephemeral, lxc.container.conf From a3e596c3a54bc3330b6f974e3ebf70c1b6bdd24a Mon Sep 17 00:00:00 2001 From: Sungbae YooDate: Thu, 25 Feb 2016 15:21:10 +0900 Subject: [PATCH 1/5] doc: Add LXC_CGNS_AWARE env to Korean lxc.container.conf(5) Update for commit c4cafa0 Signed-off-by: Sungbae Yoo --- doc/ko/lxc.container.conf.sgml.in | 19 +++ 1 file changed, 19 insertions(+) diff --git a/doc/ko/lxc.container.conf.sgml.in b/doc/ko/lxc.container.conf.sgml.in index 6d2d71c..9522a87 100644 --- a/doc/ko/lxc.container.conf.sgml.in +++ b/doc/ko/lxc.container.conf.sgml.in @@ -2189,6 +2189,25 @@ mknod errno 0 + + + +LXC_CGNS_AWARE + + + + + 이 변수가 지정되지 않았다면, 현재 버전의 lxc는 cgroup 네임스페이스를 지원하지 않는다. 만약 지정되었고 값이 1이라면, lxc는 cgroup 네임스페이스를 지원하는 것이다. 단, kernel에서의 cgroup 네임스페이스 지원을 보장하는 것이 아님에 주의해야 한다. lxcfs 마운트 훅에서 사용된다. + + + + From 1e4fe6112c78b20aa1854dd2b4ef6837d45c9976 Mon Sep 17 00:00:00 2001 From: Sungbae Yoo Date: Thu, 25 Feb 2016 15:39:00 +0900 Subject: [PATCH 2/5] doc: Add the Korean description of cgns apparmor profile in lxc.container.conf Update for commit 7a126ae Signed-off-by: Sungbae Yoo --- doc/ko/lxc.container.conf.sgml.in | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/doc/ko/lxc.container.conf.sgml.in b/doc/ko/lxc.container.conf.sgml.in index 9522a87..4b16885 100644 --- a/doc/ko/lxc.container.conf.sgml.in +++ b/doc/ko/lxc.container.conf.sgml.in 
@@ -1611,9 +1611,11 @@ proc proc proc nodev,noexec,nosuid 0 0 If lxc was compiled and installed with apparmor support, and the host system has apparmor enabled, then the apparmor profile under which the container should be run can be specified in the container - configuration. The default is lxc-container-default. +configuration. The default is lxc-container-default-cgns + if the host kernel is cgroup namespace aware, or + lxc-container-default othewise. --> -lxc가 apparmor를 지원하도록 컴파일된 후 설치되었고, 호스트 시스템에서 apparmor가 활성화되었다면, 컨테이너에서 따라야할 apparmor 프로파일을 컨테이너 설정에서 지정할 수 있다. 기본값은 lxc-container-default이다. +lxc가 apparmor를 지원하도록 컴파일된 후 설치되었고, 호스트 시스템에서 apparmor가 활성화되었다면, 컨테이너에서 따라야할 apparmor 프로파일을 컨테이너 설정에서 지정할 수 있다. 기본값은 호스트 커널이 cgroup 네임스페이스를 지원하면 lxc-container-default-cgns이고, 그렇지 않다면 lxc-container-default이다. @@ -1631,6 +1633,14 @@ proc proc proc nodev,noexec,nosuid 0 0 컨테이너가 apparmor로 인한 제한을 받지 않도록 하려면, 아래와 같이 지정하면 된다. lxc.aa_profile = unconfined + + + apparmor 프로파일이 변경되지 않아야 한다면(중첩 컨테이너 안에 있고, 이미 confined된 경우), 아래와 같이 지정하면 된다. + + lxc.aa_profile = unchanged From eae7ec6edca67f6b7cb53818cce41290b6cd7138 Mon Sep 17 00:00:00 2001 From: Sungbae Yoo Date: Fri, 26 Feb 2016 18:39:09 +0900 Subject: [PATCH 3/5] doc: Update Korean lxc-attach(1) Update for commit e986ea3 Signed-off-by: Sungbae Yoo --- doc/ko/lxc-attach.sgml.in | 38 ++ 1 file changed, 38 insertions(+) diff --git a/doc/ko/lxc-attach.sgml.in b/doc/ko/lxc-attach.sgml.in index f8e23f8..cc244d1 100644 --- a/doc/ko/lxc-attach.sgml.in +++ b/doc/ko/lxc-attach.sgml.in 
@@ -91,6 +91,29 @@ by Sungbae Yoo 만약 command가 지정되지 않았다면, lxc-attach가 현재 실행 중인 쉘이 컨테이너 안에도 있는지 검사하고 이를 실행한다. 만약 컨테이너 안에 사용자가 존재하지 않거나, nsswitch가 제대로 동작하지 않는 경우에는 이 명령이 실패하게 된다. + + + 이전 버전의 lxc-attach는 단순히 컨테이너의 특정 네임스페이스에 붙어, 쉘을 실행하거나 pseudo 터미널 할당 없이 특정 명령어를 실행하였다. + 이는 다른 특권 수준을 갖는 사용자 영역 컨텍스트 간의 전환후 TIOCSTI ioctl를 호출하여 입력을 가로챌 수 있는 취약점이 있다. + 새로운 버전의 lxc-attach는 쉘이나 명령어를 실행하기 전에, pseudo 터미널 마스터/슬레이브 쌍을 할당하고, 터미널을 가리키고 있던 표준 입출력 파일 디스크립터들은 슬레이브 pseudo 터미널로 붙인다. lxc-attach는 처음에 컨테이너 내부에 pseudo 터미널을 할당한다. 만약 이것이 실패하면, 호스트에 할당하고, 이마저 실패하면 할당을 포기한다. + 터미널을 가리키고 있던 표준 입출력 파일 디스크립터가 아예 없었다면, lxc-attach는 pseudo 터미널 할당을 시도하지 않는다. 단순히 컨테이너 네임스페이스에 붙어 쉘이나 지정한 명령어만 실행할 뿐이다. + @@ -402,6 +425,21 @@ by Sungbae Yoo 이러한 문제를 해결하기 위해, -R 옵션이 제공된다. 해당 옵션은 attach되는 프로세스의 네트워크/pid 네임스페이스를 반영하기 위해 /proc와 /sys를 다시 마운트한다. 호스트의 실제 파일시스템에 방해가 되지 않기 위해 마운트 네임스페이스는 공유되지 않는다(lxc-unshare의 동작과 비슷). /proc와 /sys 파일시스템을 제외하고 호스트 마운트 네임스페이스와 동일한 새로운 마운트 네임스페이스가 주어지게 된다. + + + + 이전 버전의
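Review bot: typo in the added English comment line of the lxc.container.conf hunk (@@ -1611,9 +1611,11 @@): `+ lxc-container-default othewise. -->` should read `otherwise`. The Korean line beneath it is correct, so only the comment line needs touching.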
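Review bot: the lxc-attach hunk (@@ -91,6 +91,29 @@) documents a pty allocation order that the English source has since changed. The added text says `lxc-attach는 처음에 컨테이너 내부에 pseudo 터미널을 할당한다. 만약 이것이 실패하면, 호스트에 할당하고, 이마저 실패하면 할당을 포기한다.` (allocate inside the container first, fall back to the host, then give up). The Japanese update in PR #853 on this list, written against commit 478dda7, removes exactly that sentence and states that the new lxc-attach allocates the master/slave pair on the host. This patch tracks the older commit e986ea3, so please re-check the current English lxc-attach.sgml.in and bring the Korean paragraph in line before merging; otherwise the Korean manual will describe a fallback path the tool no longer takes.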
[lxc-devel] [lxc/master] doc: Update Japanese lxc-attach(1)
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/853 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Update the description of pty allocation. Update for commit 478dda7. Signed-off-by: KATOH Yasufumi
From f025e64819ea14ea5f87eae652a1666cdcbb640e Mon Sep 17 00:00:00 2001 From: KATOH Yasufumi Date: Fri, 26 Feb 2016 20:05:09 +0900 Subject: [PATCH] doc: Update Japanese lxc-attach(1) Update the description of pty allocation. Update for commit 478dda7. Signed-off-by: KATOH Yasufumi --- doc/ja/lxc-attach.sgml.in | 24 ++-- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/doc/ja/lxc-attach.sgml.in b/doc/ja/lxc-attach.sgml.in index 7c668ee..8c0a865 100644 --- a/doc/ja/lxc-attach.sgml.in +++ b/doc/ja/lxc-attach.sgml.in @@ -94,25 +94,21 @@ by KATOH Yasufumi - 前のバージョンの lxc-attach は、単に指定したコンテナの名前空間にアタッチし、擬似端末 (pseudo terminal) なしで、シェルもしくは指定したコマンドを実行しました。 + 前のバージョンの lxc-attach は、単に指定したコンテナの名前空間にアタッチし、最初に擬似端末 (pseudo terminal) を割り当てないで、シェルもしくは指定したコマンドを実行しました。 これは、異なる特権レベルを持つユーザ空間の実行コンテキストを切り替えた後に、TIOCSTI ioctl の呼び出し経由で擬似入力を行うことに対して脆弱となります。 - 新しいバージョンの lxc-attach は、擬似端末のマスター/スレーブのペアを割り当てようとします。そしてシェルやコマンドを実行する前に、擬似端末のスレーブ側に対して、ターミナルを参照する標準ファイルディスクリプタをアタッチします。 - lxc-attach は、最初にコンテナ内の擬似端末を割り当てようとします。これが失敗した場合、最終的に処理を諦める前に、ホスト上の擬似端末を割り当てようとします。 + 新しいバージョンの lxc-attach は、ホスト上の擬似端末のマスター/スレーブのペアを割り当てようとします。そしてシェルやコマンドを実行する前に、擬似端末のスレーブ側に対して、ターミナルを参照する標準ファイルディスクリプタをアタッチします。 ターミナルを参照する標準ファイルディスクリプタがない場合は、lxc-attach は擬似端末の割り当てを行わないことに注意してください。代わりに、単にコンテナの名前空間にアタッチし、シェルや指定したコマンドを実行します。
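Review bot: with the sentence `lxc-attach は、最初にコンテナ内の擬似端末を割り当てようとします。これが失敗した場合、最終的に処理を諦める前に、ホスト上の擬似端末を割り当てようとします。` removed, the Japanese paragraph no longer says what lxc-attach does when allocating the pty on the host fails; the old text covered that with 最終的に処理を諦める. If the English lxc-attach(1) text after 478dda7 still states the failure behaviour, carry that sentence over so readers know whether the command gives up or proceeds without a pty.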
[lxc-devel] [lxc/master] lxc-ls: count spaces
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/852 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Otherwise line wrapping might occur too late. Signed-off-by: Christian Brauner
From fb9d69f27fa8aa5bad5bde1a46f868d75241a6f5 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Fri, 26 Feb 2016 11:18:47 +0100 Subject: [PATCH] lxc-ls: count spaces Otherwise line wrapping might occur too late. Signed-off-by: Christian Brauner --- src/lxc/lxc_ls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/lxc/lxc_ls.c b/src/lxc/lxc_ls.c index 26d4a74..1a9969a 100644 --- a/src/lxc/lxc_ls.c +++ b/src/lxc/lxc_ls.c @@ -756,6 +756,7 @@ static void ls_print_names(struct ls *l, struct lengths *lht, len = 0; } else { printf(" "); + len++; } } if (len > 0)
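Review bot: counting the separator is the right fix for the late wrap, but `len++` hard-codes the assumption that the `printf(" ")` just above emits exactly one column. Tying the count to the actual output, `len += printf(" ");` (printf returns the number of characters written), or defining the separator once and adding its `strlen`, keeps the two from drifting if the separator is ever widened or changed to a tab.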