Re: [lxc-devel] LXC container fails to start by complaining that it is unable to unmount the old pivot-root
Andrian Nord wrote:

On Mon, Feb 01, 2010 at 01:54:15PM -0500, Michael H. Warfield wrote:

On Mon, 2010-02-01 at 19:46 +0200, Ciprian Dorin, Craciun wrote:

Hello all! I have a quite strange problem: the container fails to start and complains about being unable to unmount the old pivot root. (What is strange is that I remember that one month ago the same setup worked (lxc binaries and config file, but maybe 2.6.31 kernel). Now neither the old binaries nor the latest ones from Git work.)

Taken from http://blog.flameeyes.eu/2010/01/31/lxc-s-unpolished-code

So what about the 0.6.5 problem? Well the problem came to be because 0.6.5 actually implements a nice feature (contributed by a non-core developer it seems): root pivoting. The idea is to drop access to the old root, so that the guest cannot in any way access the host’s filesystem unless given access to. It’s a very good idea, but there are two problems with it: it doesn’t really do it systematically, but rather with a “try and hope” approach, and it failed under certain conditions, saying that the original root is still busy (note here, since this happens within the cgroup’s mount namespace, it doesn’t matter to the rest of the system).

At the end, last night I was able to identify the problem: I had this line in the fstab file used by lxc itself:

none /tmp tmpfs size=200m 0 0

What’s wrong with it? The mountpoint. The fstab (and lxc.mount commands) are used without previous validation or handling, so this is not mounting the /tmp for the guest, but the /tmp for the host, within the guest’s mount namespace. The result is that /tmp gets mounted twice (once inherited by the base mount namespace, once within the guest’s namespace), but it’s only unmounted once (as the unmount list keeps each mount point exactly once).
This is quite an obvious error on my part, I should have used /media/chroots/tinderbox/tmp as mountpoint, but LXC being unable to catch the mistake in mountpoint (at least warning about it) is a definite problem.

That's the Gentoo maintainer for lxc ebuilds. Could you check whether this is the source of the problem?

Ha ! Let's check ! :)

-- The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
[lxc-devel] [patch 03/10] use a mainloop for the console
Use the mainloop to manage io of the console. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/lxc_console.c | 163 ++ 1 file changed, 88 insertions(+), 75 deletions(-) Index: lxc/src/lxc/lxc_console.c === --- lxc.orig/src/lxc/lxc_console.c +++ lxc/src/lxc/lxc_console.c @@ -38,10 +38,10 @@ #include sys/poll.h #include sys/ioctl.h -#include lxc/error.h -#include lxc/lxc.h -#include lxc/log.h - +#include error.h +#include lxc.h +#include log.h +#include mainloop.h #include arguments.h lxc_log_define(lxc_console_ui, lxc_console); @@ -102,7 +102,7 @@ static void sigwinch(int sig) static int setup_tios(int fd, struct termios *newtios, struct termios *oldtios) { - if (isatty(fd)) { + if (!isatty(fd)) { ERROR('%d' is not a tty, fd); return -1; } 
@@ -132,21 +132,68 @@ static int setup_tios(int fd, struct ter return 0; } +static int stdin_handler(int fd, void *data, struct lxc_epoll_descr *descr) +{ + static int wait4q = 0; + int *peer = (int *)data; + char c; + + if (read(0, c, 1) 0) { + SYSERROR(failed to read); + return 1; + } + + /* we want to exit the console with Ctrl+a q */ + if (c == my_args.escape) { + wait4q = !wait4q; + return 0; + } + + if (c == 'q' wait4q) + return 1; + + wait4q = 0; + if (write(*peer, c, 1) 0) { + SYSERROR(failed to write); + return 1; + } + + return 0; +} + +static int master_handler(int fd, void *data, struct lxc_epoll_descr *descr) +{ + char buf[1024]; + int *peer = (int *)data; + int r; + + r = read(fd, buf, sizeof(buf)); + if (r 0) { + SYSERROR(failed to read); + return 1; + } + write(*peer, buf, r); + + return 0; +} + int main(int argc, char *argv[]) { - int wait4q = 0; - int err; + int err, std_in = 1; + struct lxc_epoll_descr descr; struct termios newtios, oldtios; err = lxc_arguments_parse(my_args, argc, argv); if (err) return -1; - if (lxc_log_init(my_args.log_file, my_args.log_priority, -my_args.progname, my_args.quiet)) + err = lxc_log_init(my_args.log_file, my_args.log_priority, + my_args.progname, my_args.quiet); + if (err) return -1; - if (setup_tios(0, newtios, oldtios)) { + err = setup_tios(0, newtios, oldtios); + if (err) { ERROR(failed to setup tios); return -1; } 
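Review bot: both new handlers treat only a negative read() as failure, so a return of 0 (EOF: the container side of the pty going away in master_handler, or stdin being closed in stdin_handler) returns 0 to the mainloop, which then keeps reporting the descriptor readable and the handler spins. Add `if (r == 0) return 1;` in master_handler and the equivalent for the one-byte read in stdin_handler. Two smaller points in the same hunk: stdin_handler reads from the literal descriptor `0` instead of its `fd` argument, and master_handler discards the return value of `write(*peer, buf, r)`, so a short write to the terminal silently drops console output.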
@@ -158,77 +205,47 @@ int main(int argc, char *argv[]) fprintf(stderr, \nType Ctrl+%c q to exit the console\n, 'a' + my_args.escape - 1); - if (setsid()) + err = setsid(); + if (err) INFO(already group leader); if (signal(SIGWINCH, sigwinch) == SIG_ERR) { SYSERROR(failed to set SIGWINCH handler); - return -1; + err = -1; + goto out; } winsz(); - err = 0; + err = lxc_mainloop_open(descr); + if (err) { + ERROR(failed to create mainloop); + goto out; + } + + err = lxc_mainloop_add_handler(descr, 0, stdin_handler, master); + if (err) { + ERROR(failed to add handler for the stdin); + goto out_mainloop_open; + } + + err = lxc_mainloop_add_handler(descr, master, master_handler, std_in); + if (err) { + ERROR(failed to add handler for the master); + goto out_mainloop_open; + } - /* let's proxy the tty */ - for (;;) { - struct pollfd pfd[2] = { - { .fd = 0, - .events = POLLIN|POLLPRI, - .revents = 0 }, - { .fd = master, - .events = POLLIN|POLLPRI, - .revents = 0 }, - }; - - if (poll(pfd, 2, -1) 0) { - if (errno == EINTR) - continue; - SYSERROR(failed to poll); - goto out_err; - } - - /* read the stdin and write that to the master -*/ - if (pfd[0].revents POLLIN) { - char c; - if (read(0, c, 1) 0) { - SYSERROR(failed to read); - goto out_err; - } - - /* we want to exit the console with Ctrl+a q */ - if (c == my_args.escape
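Review bot: the removed poll loop retried on EINTR and that retry does not reappear anywhere in this hunk; since the program installs a SIGWINCH handler just above, every terminal resize will interrupt the wait inside lxc_mainloop, and epoll_wait is never restarted by SA_RESTART, so lxc_mainloop itself must loop on EINTR or the console will exit on the first resize. Also in this hunk, `err = setsid(); if (err) INFO(already group leader);` logs on the success path, because setsid() returns the new session id and -1 only on failure; test `err == -1`.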
[lxc-devel] [patch 02/10] factor-out-console code
Factore out the console code and encapsulate the code in functions. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/lxc_console.c | 67 -- 1 file changed, 43 insertions(+), 24 deletions(-) Index: lxc/src/lxc/lxc_console.c === --- lxc.orig/src/lxc/lxc_console.c +++ lxc/src/lxc/lxc_console.c @@ -100,11 +100,43 @@ static void sigwinch(int sig) winsz(); } +static int setup_tios(int fd, struct termios *newtios, struct termios *oldtios) +{ + if (isatty(fd)) { + ERROR('%d' is not a tty, fd); + return -1; + } + + /* Get current termios */ + if (tcgetattr(0, oldtios)) { + SYSERROR(failed to get current terminal settings); + return -1; + } + + *newtios = *oldtios; + + /* Remove the echo characters and signal reception, the echo +* will be done below with master proxying */ + newtios-c_iflag = ~IGNBRK; + newtios-c_iflag = BRKINT; + newtios-c_lflag = ~(ECHO|ICANON|ISIG); + newtios-c_cc[VMIN] = 1; + newtios-c_cc[VTIME] = 0; + + /* Set new attributes */ + if (tcsetattr(0, TCSAFLUSH, newtios)) { + ERROR(failed to set new terminal settings); + return -1; + } + + return 0; +} + int main(int argc, char *argv[]) { int wait4q = 0; int err; - struct termios tios, oldtios; + struct termios newtios, oldtios; err = lxc_arguments_parse(my_args, argc, argv); if (err) 
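Review bot: the check in setup_tios is inverted: `if (isatty(fd))` treats a real terminal as the error case and returns -1, so the console can never be set up from a tty; it should be `if (!isatty(fd))`. The function also takes `fd` as a parameter but then calls `tcgetattr(0, oldtios)` and `tcsetattr(0, TCSAFLUSH, newtios)`, so the parameter is only used for the tty check; pass `fd` through to both.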
@@ -114,27 +146,8 @@ int main(int argc, char *argv[]) my_args.progname, my_args.quiet)) return -1; - /* Get current termios */ - if (tcgetattr(0, tios)) { - ERROR(failed to get current terminal settings : %s, - strerror(errno)); - return -1; - } - - oldtios = tios; - - /* Remove the echo characters and signal reception, the echo -* will be done below with master proxying */ - tios.c_iflag = ~IGNBRK; - tios.c_iflag = BRKINT; - tios.c_lflag = ~(ECHO|ICANON|ISIG); - tios.c_cc[VMIN] = 1; - tios.c_cc[VTIME] = 0; - - /* Set new attributes */ - if (tcsetattr(0, TCSAFLUSH, tios)) { - ERROR(failed to set new terminal settings : %s, - strerror(errno)); + if (setup_tios(0, newtios, oldtios)) { + ERROR(failed to setup tios); return -1; } @@ -145,8 +158,14 @@ int main(int argc, char *argv[]) fprintf(stderr, \nType Ctrl+%c q to exit the console\n, 'a' + my_args.escape - 1); - setsid(); - signal(SIGWINCH, sigwinch); + if (setsid()) + INFO(already group leader); + + if (signal(SIGWINCH, sigwinch) == SIG_ERR) { + SYSERROR(failed to set SIGWINCH handler); + return -1; + } + winsz(); err = 0; -- The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
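Review bot: `if (setsid()) INFO(already group leader);` fires on success, because setsid() returns the new session id (never 0) and -1 only on failure, so the message is logged on every normal run and never when setsid actually fails; the test should be `if (setsid() == -1)`. The replaced code at least did not check, which is less misleading than checking the wrong way, and INFO level makes this easy to miss.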
[lxc-devel] [patch 07/10] count the number of tasks in the container
This patch adds a function to count the number of tasks in the container. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/cgroup.c | 27 +++ src/lxc/cgroup.h |2 +- 2 files changed, 28 insertions(+), 1 deletion(-) Index: lxc/src/lxc/cgroup.c === --- lxc.orig/src/lxc/cgroup.c +++ lxc/src/lxc/cgroup.c @@ -219,3 +219,30 @@ int lxc_cgroup_get(const char *name, con close(fd); return ret; } + +int lxc_cgroup_nrtasks(const char *name) +{ + char *nsgroup; + char path[MAXPATHLEN]; + int pid, ret, count = 0; + FILE *file; + + ret = lxc_cgroup_path_get(nsgroup, name); + if (ret) + return -1; + +snprintf(path, MAXPATHLEN, %s/tasks, nsgroup); + + file = fopen(path, r); + if (!file) { + SYSERROR(fopen '%s' failed, path); + return -1; + } + + while (fscanf(file, %d, pid) != EOF) + count++; + + fclose(file); + + return count; +} Index: lxc/src/lxc/cgroup.h === --- lxc.orig/src/lxc/cgroup.h +++ lxc/src/lxc/cgroup.h @@ -29,5 +29,5 @@ struct lxc_handler; int lxc_rename_nsgroup(const char *name, struct lxc_handler *handler); int lxc_unlink_nsgroup(const char *name); int lxc_cgroup_path_get(char **path, const char *name); - +int lxc_cgroup_nrtasks(const char *name); #endif -- The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
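Review bot: the counting loop `while (fscanf(file, %d, pid) != EOF) count++;` never terminates if the tasks file contains anything that does not scan as an integer, since a matching failure returns 0 without consuming input; loop on `== 1` instead. Two smaller points: the snprintf into `path` is not checked for truncation against MAXPATHLEN, and the `nsgroup` string returned through lxc_cgroup_path_get is never released, so every call leaks it if that function hands back heap memory.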
[lxc-devel] [patch 05/10] rename network type enum
Use a prefixed enum to avoid conflict later. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/conf.c| 14 +++--- src/lxc/conf.h| 12 ++-- src/lxc/confile.c | 10 +- 3 files changed, 18 insertions(+), 18 deletions(-) Index: lxc/src/lxc/conf.c === --- lxc.orig/src/lxc/conf.c +++ lxc/src/lxc/conf.c @@ -104,12 +104,12 @@ static int instanciate_vlan(struct lxc_n static int instanciate_phys(struct lxc_netdev *); static int instanciate_empty(struct lxc_netdev *); -static instanciate_cb netdev_conf[MAXCONFTYPE + 1] = { - [VETH]= instanciate_veth, - [MACVLAN] = instanciate_macvlan, - [VLAN]= instanciate_vlan, - [PHYS]= instanciate_phys, - [EMPTY] = instanciate_empty, +static instanciate_cb netdev_conf[LXC_NET_MAXCONFTYPE + 1] = { + [LXC_NET_VETH]= instanciate_veth, + [LXC_NET_MACVLAN] = instanciate_macvlan, + [LXC_NET_VLAN]= instanciate_vlan, + [LXC_NET_PHYS]= instanciate_phys, + [LXC_NET_EMPTY] = instanciate_empty, }; static struct mount_opt mount_opt[] = { @@ -1241,7 +1241,7 @@ int lxc_create_network(struct lxc_list * netdev = iterator-elem; - if (netdev-type 0 || netdev-type MAXCONFTYPE) { + if (netdev-type 0 || netdev-type LXC_NET_MAXCONFTYPE) { ERROR(invalid network configuration type '%d', netdev-type); return -1; Index: lxc/src/lxc/conf.h === --- lxc.orig/src/lxc/conf.h +++ lxc/src/lxc/conf.h @@ -29,12 +29,12 @@ #include lxc/list.h enum { - EMPTY, - VETH, - MACVLAN, - PHYS, - VLAN, - MAXCONFTYPE, + LXC_NET_EMPTY, + LXC_NET_VETH, + LXC_NET_MACVLAN, + LXC_NET_PHYS, + LXC_NET_VLAN, + LXC_NET_MAXCONFTYPE, }; /* Index: lxc/src/lxc/confile.c === --- lxc.orig/src/lxc/confile.c +++ lxc/src/lxc/confile.c 
@@ -132,15 +132,15 @@ static int config_network_type(const cha lxc_list_add(network, list); if (!strcmp(value, veth)) - netdev-type = VETH; + netdev-type = LXC_NET_VETH; else if (!strcmp(value, macvlan)) - netdev-type = MACVLAN; + netdev-type = LXC_NET_MACVLAN; else if (!strcmp(value, vlan)) - netdev-type = VLAN; + netdev-type = LXC_NET_VLAN; else if (!strcmp(value, phys)) - netdev-type = PHYS; + netdev-type = LXC_NET_PHYS; else if (!strcmp(value, empty)) - netdev-type = EMPTY; + netdev-type = LXC_NET_EMPTY; else { ERROR(invalid network type %s, value); return -1; -- The Planet: dedicated and managed hosting, cloud storage, colocation Stay online with enterprise data centers and the best network in the business Choose flexible plans and management services without long-term contracts Personal 24x7 support from experience hosting pros just a phone call away. http://p.sf.net/sfu/theplanet-com ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
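Review bot: the range check in lxc_create_network uses LXC_NET_MAXCONFTYPE as its upper bound, but netdev_conf is declared with LXC_NET_MAXCONFTYPE + 1 entries and only the five real types get a callback, so if the comparison admits type == LXC_NET_MAXCONFTYPE (the archive has stripped the comparison operators, so this cannot be confirmed from the hunk) the dispatch through netdev_conf[type] calls a NULL pointer. Make the check reject `netdev->type >= LXC_NET_MAXCONFTYPE` explicitly, or size the array to LXC_NET_MAXCONFTYPE; the rename itself is fine.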
Re: [lxc-devel] read-only container root
Michael Tokarev wrote: lxc-start: No such file or directory - failed to mount a new instance of '/dev/pts' I'm experimenting with a read-only root fs in the container. So far it does not work. First of all, when trying to start a container in a read-only root lxc-start complains: lxc-start: Read-only file system - can't make temporary mountpoint This is in conf.c:setup_rootfs_pivot_root() function. That function uses optional parameter lxc.pivotdir, or creates (and later removes) a temporary directory for pivot_root. Obviously there's no way to create a directory in a read-only filesystem. Why do you need to use a read-only root fs ? But lxc.pivotdir does not work either. In the function mentioned above it is used with leading dot (eg. if I specify lxc.pivotdir=pivot in the config file the pivot_root() syscall will be made to .pivot with leading dot, not to pivot), but later on it is used without that dot, and fails: lxc-start: No such file or directory - failed to open /pivot/proc/mounts lxc-start: No such file or directory - failed to read or parse mount list '/pivot/proc/mounts' lxc-start: failed to pivot_root to '/stage/t' (that's with lxc.pivotdir = pivot in the config file). After symlinking pivot to .pivot it still fails: lxc-start: Device or resource busy - could not unmount old rootfs lxc-start: failed to pivot_root to '/stage/t' It's a bug introduced with the pivot_root feature. Investigation on the way. Ok, so far so good. Next thing is the /dev directory. I prefer to have it in a tmpfs, because of several reasons (one is that the root is mounted with -o nodev), but that fails too unless the directory is pre-populated: lxc-start: No such file or directory - failed to mount a new instance of '/dev/pts' lxc-start: failed to setup the new pts instance That's when specifying: lxc.mount.entry = /dev dev tmpfs noexec,nosuid,mode=0755 in the config file. That creates an empty directory for container's /dev, which is populated later in the startup script. 
Similar thing happens when I pre-create dev/pts - it fails to bind-mount tty1..tty4. Ok, so your need is to call a script between: lxc.mount.entry = /dev dev tmpfs noexec,nosuid,mode=0755 ... lxc.tty = 4 where the script will populate /dev, right ? mmh, not obvious. So far it works by using a wrapper around lxc-start which mounts tmpfs over dev, fills it with a bunch of standard entries, and executes lxc-start. But this is really getting quite ugly. And the only solution to all this mess is to allow performing the setup from a shell script/command which is called after forking the (filesystem) namespace but before entering the container for real, or _instead_ of entering the container. As was discussed previously. What about the lxc.script configuration line which calls a script at the point it is in the configuration file ? The whole mess started when I realized that bind-mounting host's /dev works perfectly _except_ the syslogging, -- /dev/log does not work with multiple containers, only the container where syslogd (re)started last works, all the rest gives ECONNREFUSED when trying to send any message to /dev/log. /dev/log is an af_unix socket, the network is isolated, the af_unix belongs to the network namespace. It's probable /dev/log is unlinked, created again and bound by syslogd. So as /dev/ is shared between the containers, the last one gets the socket. Any process outside of the container trying to access this socket won't be able to.
[lxc-devel] [GIT] lxc branch, master, updated. 6a3111b87e838561db952255a3770a1e85eb361b
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc. The branch, master has been updated via 6a3111b87e838561db952255a3770a1e85eb361b (commit) via b4f8660eb27d0a93fa23e13795e53d34c5fd8538 (commit) from c08556c6ece8ad8308f7636adb0ad25b60e3a16d (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log - commit 6a3111b87e838561db952255a3770a1e85eb361b Author: Daniel Lezcano dlezc...@fr.ibm.com Date: Wed Feb 24 16:24:55 2010 +0100 add missing cgroup include Fix the warning: start.c: In function 'lxc_fini': start.c:250: warning: implicit declaration of function 'lxc_unlink_nsgroup' start.c: In function 'lxc_spawn': start.c:380: warning: implicit declaration of function 'lxc_rename_nsgroup' Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com commit b4f8660eb27d0a93fa23e13795e53d34c5fd8538 Author: Silas Sewell si...@sewell.ch Date: Wed Feb 24 16:24:55 2010 +0100 Add missing stat.h include to start.c The patch fixes a build error on the devel version of Fedora. Signed-off-by: Silas Sewell si...@sewell.ch Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- Summary of changes: src/lxc/start.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) hooks/post-receive -- lxc
Re: [lxc-devel] [Lxc-users] child setpgid [...] : No such process
l...@zitta.fr wrote: Le 12/03/2010 13:51, Daniel Lezcano a écrit : l...@zitta.fr wrote: Le 11/03/2010 19:47, Daniel Lezcano a écrit : l...@zitta.fr wrote: I created a new container (karmic), then I type any command; there is a curious message, but it works: Do you mean you created a system container with karmic inside ? Yes, I'm testing a new version of my provisioning scripts. Can you give the kernel version, the lxc version, the container configuration and the command used to spawn the container ? config as attachment. black provisioning # uname -a Linux black 2.6.31-zen11-lxc-bt #1 ZEN SMP PREEMPT Tue Feb 23 09:13:02 CET 2010 x86_64 Intel(R) Core(TM)2 Quad CPU Q9450 @ 2.66GHz GenuineIntel GNU/Linux black provisioning # eix -I lxc | grep Installed Installed versions: 0.6.4-r2(22:25:37 04/01/2010)(doc -examples) Container started with : lxc-start -d -n mycontainer I access it via ssh. Just a question, is the config file used only once, at create? r...@mycontainer:~# ls / -bash: child setpgid (28212 to 28212): No such process bin boot dev etc home lib lib64 media mnt opt proc root sbin selinux srv sys tmp usr var When you are in the container, can you give the output of: echo $$ ps axjf yes, I can : r...@mycontainer:~# ls -bash: child setpgid (1905 to 1905): No such process r...@mycontainer:~# echo $$ 74 r...@mycontainer:~# ps axjf -bash: child setpgid (1907 to 1907): No such process PPID PID PGID SID TTY TPGID STAT UID TIME COMMAND 0 1 1 1 ? -1 Ss 0 0:00 /sbin/init 1131010 ? -1 Sl 101 0:00 rsyslogd -c4 1545454 ? -1 Ss 0 0:00 /usr/sbin/sshd 1686868 tty181 Ss 0 0:00 /bin/login -- 68747468 tty181 S0 0:00 \_ -bash 74818168 tty181 R+ 0 0:00 \_ ps axjf Very weird ... Another one :) strace -f -eclone,setpgid bash and then /bin/true (or whatever).
Re: [lxc-devel] Fixed (hacked) LXC to apply mount options for bind mounts
Ciprian Dorin, Craciun wrote: On Mon, Mar 8, 2010 at 11:35 PM, Ciprian Dorin, Craciun ciprian.crac...@gmail.com wrote: Hello all! This bug stalked me for a while, but only now it bit me quite badly... (Lost about an hour of work...) So the culprit: inside the fstab file for the `lxc.mount` option I can use options like `ro` together with `bind`. Unfortunately the kernel just laughs in my face and ignores any options I've put in there... :) But not any more: I've updated `./src/lxc/conf.c` (`mount_file_entries` function) so that when it encounters a `bind` option it executes it twice (one without any extra options, and a second time with the remount flag set.) I've marginally (as in my particular case) tested it and it works. Any other ideas on how to solve this? Any comments? Ciprian. P.S.: One question though (both in the patched and unpatched versions): it seems that if I put two lines inside the fstab, once with only `bind` options, and a second one with `remount,ro` option it doesn't work and I receive the error `No such device - failed to mount`. But this is equivalent with what my patched version is doing (which works)... Strange... diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 26ddd03..f7c5816 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c 
@@ -801,11 +801,20 @@ static int mount_file_entries(FILE *file) } if (mount(mntent-mnt_fsname, mntent-mnt_dir, - mntent-mnt_type, mntflags, mntdata)) { + mntent-mnt_type, mntflags ~MS_REMOUNT, mntdata)) { SYSERROR(failed to mount '%s' on '%s', mntent-mnt_fsname, mntent-mnt_dir); goto out; } + if ((mntflags MS_REMOUNT == MS_REMOUNT) || (mntflags MS_BIND == MS_BIND)) { + DEBUG (remounting %s on %s to respect bind or remount options, mntent-mnt_fsname, mntent-mnt_dir); + if (mount(mntent-mnt_fsname, mntent-mnt_dir, + mntent-mnt_type, mntflags | MS_REMOUNT, mntdata)) { + SYSERROR(failed to mount '%s' on '%s', +mntent-mnt_fsname, mntent-mnt_dir); + goto out; + } + } DEBUG(mounted %s on %s, type %s, mntent-mnt_fsname, mntent-mnt_dir, mntent-mnt_type); Forgot to mention that my changeset is also available on Gitorious: clone-URL git://gitorious.org/~ciprian.craciun/lxc/ciprian-craciun-patches.git branch: patches/bind-remount Or view on-line: http://gitorious.org/~ciprian.craciun/lxc/ciprian-craciun-patches/commits/patches/bind-remount Thanks Ciprian for the report.
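Review bot: the condition `(mntflags MS_REMOUNT == MS_REMOUNT) || (mntflags MS_BIND == MS_BIND)` is a precedence bug once the bitwise AND that this archive has dropped is put back: `==` binds tighter than `&`, so `mntflags & MS_REMOUNT == MS_REMOUNT` evaluates as `mntflags & 1`, which tests MS_RDONLY, not MS_REMOUNT. Write `(mntflags & MS_REMOUNT) || (mntflags & MS_BIND)`. The two-step approach itself is right, since the kernel ignores ro on a plain bind and only applies it on the later MS_REMOUNT|MS_BIND call; note that mntdata is ignored by the kernel on that second call, so its presence there is harmless but misleading.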
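The reason the fstab options were "ignored" is that a bind mount takes no per-mount flags on creation: MS_RDONLY, MS_NOSUID and friends only take effect on a second mount(2) with MS_REMOUNT|MS_BIND on the new mount point. The block below is an added example (not lxc's code and not Ciprian's patch) of that two-step sequence, with the flag computations split into small functions so they can be checked on their own. The /etc source and the /tmp/robind.XXXXXX target in main() are hypothetical; mounting needs CAP_SYS_ADMIN, so main() first unshares a private mount namespace so nothing it does is visible on the host.

```c
/* Added example, not LXC code: a read-only bind mount the way the kernel
 * requires it (bind, then remount the bind with MS_RDONLY). */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mount.h>

/* Flags for the first mount(2): what the fstab line asked for, minus
 * MS_REMOUNT, which makes no sense before the mount exists. */
unsigned long bind_first_flags(unsigned long mntflags)
{
    return mntflags & ~(unsigned long)MS_REMOUNT;
}

/* Flags for the second mount(2) on a bind entry: keep the per-mount flags
 * (MS_RDONLY, MS_NOSUID, MS_NODEV, MS_NOEXEC, ...) and add
 * MS_REMOUNT|MS_BIND so only this mount's flags are changed. MS_REC is
 * dropped because a bind remount is never recursive. */
unsigned long bind_remount_flags(unsigned long mntflags)
{
    return (mntflags & ~(unsigned long)MS_REC) | MS_BIND | MS_REMOUNT;
}

/* Apply one fstab-style entry. Returns 0 on success, -1 with errno set. */
int apply_mount_entry(const char *src, const char *dst, const char *fstype,
                      unsigned long mntflags, const char *data)
{
    if (mount(src, dst, fstype, bind_first_flags(mntflags), data))
        return -1;
    /* Only bind mounts need the second pass; the kernel ignores the data
     * argument on a bind remount, so pass NULL. */
    if (mntflags & MS_BIND)
        if (mount(src, dst, NULL, bind_remount_flags(mntflags), NULL))
            return -1;
    return 0;
}

/* 1 if path sits on a read-only mount, 0 if writable, -1 on other errors.
 * access(2) reports EROFS even for root, unlike the permission bits. */
int is_readonly(const char *path)
{
    if (access(path, W_OK) == 0)
        return 0;
    return errno == EROFS ? 1 : -1;
}

int main(void)
{
    char dir[] = "/tmp/robind.XXXXXX";   /* hypothetical target */

    if (unshare(CLONE_NEWNS) ||
        mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) {
        perror("private mount namespace (needs CAP_SYS_ADMIN)");
        return 1;
    }
    if (!mkdtemp(dir)) {
        perror("mkdtemp");
        return 1;
    }
    /* Same intent as the fstab line:  /etc  <dir>  none  bind,ro  0 0 */
    if (apply_mount_entry("/etc", dir, "none", MS_BIND | MS_RDONLY, NULL)) {
        perror("apply_mount_entry");
        return 1;
    }
    printf("%s is %s\n", dir, is_readonly(dir) == 1 ? "read-only" : "WRITABLE");
    umount(dir);
    rmdir(dir);
    return 0;
}
```

Run as root it prints "read-only"; comment out the second mount() and the same directory reports WRITABLE, which is the behaviour the thread describes. The same sequence is what `mount --bind src dst && mount -o remount,bind,ro dst` does from the shell.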
Re: [lxc-devel] share_via_fs patch for 2.6.33 ?
Ryousei Takano wrote: Hi Daniel, On Apr 17, 2010, at 4:10 AM, Daniel Lezcano wrote: Daniel Lezcano wrote: Julian Thomé wrote: Hello mailing list, Daniel Lezcano wrote a patch to make it possible to connect to a unix domain socket, which belongs to another network namespace. The patch from Daniel Lezcano is as follows: I refreshed it against 2.6.33 and put in attachment. Compiled but not tested ;) Hope that helps. That helped ? It is useful for me. I want a handy method to communicate between a container and the host OS. Do you have plan to push it to the mainline kernel? I saw Eric Biederman (Cc'ed) has a pending patchset in http://git.kernel.org/?p=linux/kernel/git/ebiederm/linux-2.6.33-nsfd-v5.git;a=summary where he's addressing the af_unix across namespaces. Eric do you plan to push the patchset to the mainline ? Thanks -- Daniel
Re: [lxc-devel] [PATCH] Unshare user namespace as well
Mikhail Gusarov wrote: Unshare user namespace to make sure setrlimit and other per-user limits are accounted properly in containers Signed-off-by: Mikhail Gusarov dotted...@dottedmag.net --- src/lxc/start.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/lxc/start.c b/src/lxc/start.c index 3b5023c..f1ae2fa 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -450,7 +450,7 @@ int lxc_spawn(const char *name, struct lxc_handler *handler, char *const argv[]) return -1; } - clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS; + clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWUSER; if (!lxc_list_empty(handler-conf-network)) { clone_flags |= CLONE_NEWNET; Hi Mikhail, I am not sure I see all the implications of having this namespace by default, especially for application containers which can be executed by a non-root user. I think it would make sense to make this flag optional with the configuration.
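Review bot: adding CLONE_NEWUSER unconditionally to clone_flags changes who can start a container: on the kernels this code targets, creating a user namespace requires CAP_SYS_ADMIN (together with CAP_SETUID and CAP_SETGID), so an application container started by an unprivileged user will now fail at clone() with EPERM rather than run, which is the case the reply raises. Gate the flag on a configuration option that defaults to off, and mention in the commit message that a process in the new user namespace is a different principal from the host's uid 0, since that is the security-relevant effect of the change, not just rlimit accounting.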
Re: [lxc-devel] lxc-start leaves temporary pivot dir behind
Ferenc Wagner wrote: Ferenc Wagner wf...@niif.hu writes: Daniel Lezcano dlezc...@fr.ibm.com writes: Ferenc Wagner wrote: Daniel Lezcano daniel.lezc...@free.fr writes: Ferenc Wagner wrote: While playing with lxc-start, I noticed that /tmp is infested by empty lxc-r* directories: [...] Ok, this name comes from lxc-rootfs in conf.c:setup_rootfs. After setup_rootfs_pivot_root returns, the original /tmp is not available anymore, so rmdir(tmpname) at the bottom of setup_rootfs can't achieve much. Why is this temporary name needed anyway? Is pivoting impossible without it? That was put in place with chroot, before pivot_root, so the distro's scripts can remount their '/' without failing. Now we have pivot_root, I suppose we can change that to something cleaner... Like simply nuking it? Shall I send a patch? Sure, if we can kill it, I will be glad to take your patch :) I can't see any reason why lxc-start couldn't do without that temporary recursive bind mount of the original root. If neither do you, I'll patch it out and see if it still flies. For my purposes the patch below works fine. I only run applications, though, not full systems, so wider testing is definitely needed. Thanks, Feri. From 98b24c13f809f18ab8969fb4d84defe6f812b25c Mon Sep 17 00:00:00 2001 From: Ferenc Wagner wf...@niif.hu Date: Thu, 6 May 2010 14:47:39 +0200 Subject: [PATCH] no need to use a temporary directory for pivoting That was put in place before lxc-start started using pivot_root, so the distro scripts can remount / without problems. Signed-off-by: Ferenc Wagner wf...@niif.hu --- src/lxc/conf.c | 28 +++- 1 files changed, 3 insertions(+), 25 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index b27a11d..4379a32 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c 
@@ -588,37 +588,15 @@ static int setup_rootfs_pivot_root(const char *rootfs, const char *pivotdir) static int setup_rootfs(const char *rootfs, const char *pivotdir) { - char *tmpname; - int ret = -1; - if (!rootfs) return 0; - tmpname = tempnam(/tmp, lxc-rootfs); - if (!tmpname) { - SYSERROR(failed to generate temporary name); - return -1; - } - - if (mkdir(tmpname, 0700)) { - SYSERROR(failed to create temporary directory '%s', tmpname); - return -1; - } - - if (mount(rootfs, tmpname, none, MS_BIND|MS_REC, NULL)) { - SYSERROR(failed to mount '%s'-'%s', rootfs, tmpname); - goto out; - } - - if (setup_rootfs_pivot_root(tmpname, pivotdir)) { + if (setup_rootfs_pivot_root(rootfs, pivotdir)) { ERROR(failed to pivot_root to '%s', rootfs); - goto out; + return -1; } - ret = 0; -out: - rmdir(tmpname); - return ret; + return 0; } static int setup_pts(int pts) Thanks, I will test it with another patch I have in my backlog fixing the pivot_root. I Cc'ed the lxc-devel mailing list which is more adequate for this kind of discussion. Thanks again. -- Daniel -- ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
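Review bot: removing the temporary bind mount also removes the guarantee that the path handed to pivot_root is a mount point, which pivot_root(2) requires of new_root; with this patch a lxc.rootfs that is a plain directory rather than a mount makes setup_rootfs_pivot_root fail with EINVAL, so either bind-mount rootfs onto itself (MS_BIND|MS_REC, no temporary name needed) before pivoting, or document that lxc.rootfs must already be a mount point. Dropping tempnam() is welcome in any case: the name is chosen before the directory exists, and as the thread shows the rmdir at the end could never reach it after the pivot.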
Re: [lxc-devel] lxc-unshare woes and signal forwarding in lxc-start
Ferenc Wagner wrote: Daniel Lezcano daniel.lezc...@free.fr writes: Ferenc Wagner wrote: Daniel Lezcano daniel.lezc...@free.fr writes: Ferenc Wagner wrote: I'd like to use lxc-start as a wrapper, invisible to the parent and the (jailed) child. Of course I could hack around this by not exec-ing lxc-start but keeping the shell around, trap all signals and lxc-killing them forward. But it's kind of ugly in my opinion. Ok, got it. I think that makes sense to forward the signals, especially for job management. What signals do you want to forward? Basically all of them. I couldn't find a definitive list of signals used for job control in SGE, but the following is probably a good approximation: SIGTTOU, SIGTTIN, SIGUSR1, SIGUSR2, SIGCONT, SIGWINCH and SIGTSTP. Yes, that could be a good starting point. I was wondering about SIGSTOP being sent to lxc-start which is not forwardable of course, is it a problem ? I suppose not, SIGSTOP and SIGKILL are impossible to use in application- specific ways. On the other hand, SIGXCPU and SIGXFSZ should probably be forwarded, too. Naturally, this business can't be perfected, but a good enough solution could still be valuable. Agree. Looking at the source, the SIGCHLD mechanism could be mimicked, but LXC_TTY_ADD_HANDLER may get in the way. We should remove LXC_TTY_ADD_HANDLER and do everything in the signal handler of SIGCHLD by extending the handler. I have a pending fix changing a bit the signal handler function. Could you please send along your pending fix? I'd like to experiment with signal forwarding, but without stomping on that. Sure, no problem. I noticed something strange: # lxc-start -n jail -s lxc.mount.entry=/ /tmp/jail none bind 0 0 -s lxc.rootfs=/tmp/jail -s lxc.pivotdir=/mnt /bin/sleep 1000 (in another terminal) # lxc-ps --lxc CONTAINERPID TTY TIME CMD jail4173 pts/100:00:00 sleep # kill 4173 (this does not kill the sleep!) # strace -p 4173 Process 4173 attached - interrupt to quit restart_syscall(... 
resuming interrupted call ... = ? ERESTART_RESTARTBLOCK (To be restarted) --- SIGTERM (Terminated) @ 0 (0) --- Process 4173 detached # lxc-ps --lxc CONTAINERPID TTY TIME CMD jail4173 pts/100:00:00 sleep # fgrep -i sig /proc/4173/status SigQ: 1/16382 SigPnd: SigBlk: SigIgn: SigCgt: # kill -9 4173 That is, the jailed sleep process could be killed by SIGKILL only, even though (according to strace) SIGTERM was delivered and it isn't handled specially. Why does this happen? I sent a separate email for this problem in order to avoid confusion with the signal forwarding discussion. I'm also worried about signals sent to the whole process group: they may be impossible to distinguish from the targeted signals and thus can't propagate correctly. Good point. Maybe we can setpgrp the first process of the container? We've got three options: A) do nothing, as now B) forward to our child C) forward to our child's process group The signal could arrive because it was sent to 1) the PID of lxc-start 2) the process group of lxc-start

If we don't put the first process of the container into a new process group (as now), this is what happens:

        A            B                   C
  1     swallowed    OK                  others also killed
  2     OK           child gets extra    everybody gets extra

If we put the first process of the container into a new process group:

        A            B                      C
  1     swallowed    OK                     others also killed
  2     swallowed    only the child killed  OK

Neither is a clear winner, although the latter is somewhat more symmetrical. I'm not sure about wanting all this configurable... hmm ... Maybe Greg (he's an expert with signals and processes) has an idea on how to deal with that. -- Daniel
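The table above compares forwarding to the child with forwarding to the child's process group once the container's first process has been given its own group. The block below is an added example (not lxc-start's code and not from anyone in the thread) of the second row of the second table: a wrapper that puts the job in a new process group, catches the job-control signals listed earlier in the thread, and relays each one to the whole group with kill(-pgid, sig). SIGKILL and SIGSTOP cannot be caught, so they are excluded; the forwarded signals are blocked across fork() so one arriving before the group id is known is held rather than lost. run_command() and the signal list are this example's own choices. One separate note on the sleep that ignored SIGTERM in the strace above: it is PID 1 of the container's pid namespace, and the kernel discards signals sent to a namespace's init from outside it unless they are SIGKILL or SIGSTOP; no forwarding in lxc-start changes that.

```c
/* Added example, not lxc-start code: run a job in its own process group
 * and forward job-control signals to that whole group. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

static volatile sig_atomic_t job_pgid = 0;

/* Signals the wrapper passes on. SIGKILL/SIGSTOP cannot be caught and
 * SIGCHLD is the wrapper's own; everything listed here would otherwise
 * stop or kill the wrapper and leave the job running unseen. */
int forwardable(int sig)
{
    switch (sig) {
    case SIGHUP: case SIGINT: case SIGQUIT: case SIGTERM:
    case SIGUSR1: case SIGUSR2: case SIGCONT: case SIGTSTP:
    case SIGTTIN: case SIGTTOU: case SIGWINCH: case SIGXCPU: case SIGXFSZ:
        return 1;
    default:
        return 0;
    }
}

/* Handler: relay to the job's whole process group (negative pid). */
static void relay(int sig)
{
    if (job_pgid > 0)
        kill(-job_pgid, sig);
}

/* Run argv in a new process group, relaying signals until it exits.
 * Returns the exit status, 128+signal if it died from a signal, -1 on error. */
int run_wrapped(char *const argv[])
{
    struct sigaction sa;
    sigset_t fwd, old;
    pid_t pid;
    int sig, status;

    /* Block the forwarded signals across fork() so none is lost before
     * job_pgid is known; they stay pending and are delivered below. */
    sigemptyset(&fwd);
    for (sig = 1; sig < NSIG; sig++)
        if (forwardable(sig))
            sigaddset(&fwd, sig);
    sigprocmask(SIG_BLOCK, &fwd, &old);

    pid = fork();
    if (pid < 0) {
        sigprocmask(SIG_SETMASK, &old, NULL);
        return -1;
    }
    if (pid == 0) {
        setpgid(0, 0);                        /* the job gets its own group */
        sigprocmask(SIG_SETMASK, &old, NULL);
        execvp(argv[0], argv);
        _exit(127);
    }
    setpgid(pid, pid);                        /* parent side too, closes the race */
    job_pgid = pid;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = relay;
    sa.sa_flags = SA_RESTART;                 /* keep waitpid() going */
    sigemptyset(&sa.sa_mask);
    for (sig = 1; sig < NSIG; sig++)
        if (forwardable(sig))
            sigaction(sig, &sa, NULL);
    sigprocmask(SIG_SETMASK, &old, NULL);     /* handlers in place: deliver */

    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    job_pgid = 0;

    /* Job is gone: put the wrapper's own signal behaviour back. */
    sa.sa_handler = SIG_DFL;
    for (sig = 1; sig < NSIG; sig++)
        if (forwardable(sig))
            sigaction(sig, &sa, NULL);

    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}

/* Convenience: run a shell command line under the wrapper. */
int run_command(const char *cmd)
{
    char *const argv[] = { "/bin/sh", "-c", (char *)cmd, NULL };
    return run_wrapped(argv);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    return run_wrapped(argv + 1);
}
```

With this in place, `kill <wrapper-pid>` reaches the job and everything it forked, and a signal sent to the wrapper's own process group (for example by the shell on Ctrl-C) no longer hits the job twice, because the job is in a different group; that is the "OK" in the bottom-right cell of the second table.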
Re: [lxc-devel] use defined rootfs mount point regression?
On 05/20/2010 10:40 PM, Nathan Lynch wrote:

Hi,

    $ find /tmp/tmp.zNMDgzalhM -print
    /tmp/tmp.zNMDgzalhM
    /tmp/tmp.zNMDgzalhM/proc
    /tmp/tmp.zNMDgzalhM/dev
    /tmp/tmp.zNMDgzalhM/dev/shm
    /tmp/tmp.zNMDgzalhM/bin
    /tmp/tmp.zNMDgzalhM/bin/true
    /tmp/tmp.zNMDgzalhM/lib64
    /tmp/tmp.zNMDgzalhM/lib64/libutil.so.1
    /tmp/tmp.zNMDgzalhM/lib64/ld-linux-x86-64.so.2
    /tmp/tmp.zNMDgzalhM/lib64/ld-2.11.1.so
    /tmp/tmp.zNMDgzalhM/lib64/libc-2.11.1.so
    /tmp/tmp.zNMDgzalhM/lib64/libc.so.6
    /tmp/tmp.zNMDgzalhM/lib64/libutil-2.11.1.so
    /tmp/tmp.zNMDgzalhM/usr
    /tmp/tmp.zNMDgzalhM/usr/libexec
    /tmp/tmp.zNMDgzalhM/usr/libexec/lxc-init
    /tmp/tmp.zNMDgzalhM/usr/lib64
    /tmp/tmp.zNMDgzalhM/usr/lib64/liblxc.so.0.6.5
    /tmp/tmp.zNMDgzalhM/usr/lib64/liblxc.so.0
    /tmp/tmp.zNMDgzalhM/usr/lib64/liblxc.so
    $ lxc-execute -n truetest-19794 -s lxc.rootfs=/tmp/tmp.zNMDgzalhM -- /bin/true

The above succeeds with lxc 0.6.5 as well as commit 23b7ea6 (add lxc.rootfs.mount config option). With commit b178944 (use defined rootfs mount point), the lxc-execute command fails with:

    lxc-execute: No such file or directory - failed to access to '/usr/lib64/lxc', check it is present
    lxc-execute: failed to set rootfs for 'truetest-19794'
    lxc-execute: failed to setup the container

/usr/lib64/lxc does not exist on the host. Is this the intended behavior?

Yes, you have to create it. I expect the distro maintainers to update their package %post_install section to create the directory.

Here is the thread about this change:
http://sourceforge.net/mailarchive/forum.php?thread_name=4BEC269A.1030207%40free.fr&forum_name=lxc-users

Thanks
-- Daniel
[lxc-devel] [GIT] lxc branch, master, updated. b8da590f0e90f70baa2c29488db554d55507db0d
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc.

The branch, master has been updated
  via  b8da590f0e90f70baa2c29488db554d55507db0d (commit)
  from d0817ec91abb63cafda5e1737771020026b98879 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit b8da590f0e90f70baa2c29488db554d55507db0d
Author: Michel Normand norm...@fr.ibm.com
Date:   Thu May 27 14:26:09 2010 +0200

    lxc-kill man update about SIGSTOP and SIGKILL

    Signed-off-by: Michel Normand norm...@fr.ibm.com
    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com
---

Summary of changes:
 doc/lxc-kill.sgml.in | 6 ++
 1 files changed, 6 insertions(+), 0 deletions(-)

hooks/post-receive
--
lxc
[lxc-devel] [GIT] lxc branch, master, updated. 0cd0cf5c1559c1de2eaa471728fde63f0f7a1db2
The branch, master has been updated
  via  0cd0cf5c1559c1de2eaa471728fde63f0f7a1db2 (commit)
  from 2ac29abe457c723373031cdfc36720a07f20afb7 (commit)

- Log -
commit 0cd0cf5c1559c1de2eaa471728fde63f0f7a1db2
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date:   Thu May 27 16:27:15 2010 +0200

    remove unused field

    These fields were moved to another structure but not removed from there.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com
---

Summary of changes:
 src/lxc/start.h | 2 --
 1 files changed, 0 insertions(+), 2 deletions(-)
[lxc-devel] [GIT] lxc branch, master, updated. d674be08d4b282bb4717c51440811e39d3c2431e
The branch, master has been updated
  via  d674be08d4b282bb4717c51440811e39d3c2431e (commit)
  via  baf6671fd3847865da9b64dc8f8be85d81304840 (commit)
  from b8da590f0e90f70baa2c29488db554d55507db0d (commit)

- Log -
commit d674be08d4b282bb4717c51440811e39d3c2431e
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Thu May 27 14:27:13 2010 +0200

    move lxc-init to $libdir/lxc

    As specified by FHS:

    /usr/lib includes object files, libraries, and internal binaries that
    are not intended to be executed directly by users or shell scripts.
    Applications may use a single subdirectory under /usr/lib. If an
    application uses a subdirectory, all architecture-dependent data
    exclusively used by the application must be placed within that
    subdirectory.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit baf6671fd3847865da9b64dc8f8be85d81304840
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Thu May 27 14:27:13 2010 +0200

    change the rootfs mount location and add the README

    Previous path was $libdir/lxc, changed to $libdir/lxc/rootfs.
    Added a README file to be placed in this directory, describing the
    purpose of this empty directory. Having a file to be installed in this
    directory makes the Makefile automatically create the directory at
    install time.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com
---

Summary of changes:
 configure.ac           | 11 +++
 doc/Makefile.am        |  4 ++--
 doc/rootfs/Makefile.am |  3 +++
 doc/rootfs/README      |  4
 src/lxc/Makefile.am    |  2 +-
 src/lxc/lxc-setcap.in  |  4 ++--
 src/lxc/lxc_execute.c  |  2 +-
 7 files changed, 20 insertions(+), 10 deletions(-)
 create mode 100644 doc/rootfs/Makefile.am
 create mode 100644 doc/rootfs/README
[lxc-devel] [GIT] lxc branch, master, updated. b3df193c5035ac866de1e4e9d484431ce707c4ad
The branch, master has been updated
  via  b3df193c5035ac866de1e4e9d484431ce707c4ad (commit)
  from 0cd0cf5c1559c1de2eaa471728fde63f0f7a1db2 (commit)

- Log -
commit b3df193c5035ac866de1e4e9d484431ce707c4ad
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date:   Fri May 28 11:49:25 2010 +0200

    fix whitespace

    Fix whitespace.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com
---

Summary of changes:
 src/lxc/conf.c    | 2 +-
 src/lxc/confile.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
[lxc-devel] [GIT] lxc branch, master, updated. 5045eedff022d8efe004741898254578b146c1eb
The branch, master has been updated
  via  5045eedff022d8efe004741898254578b146c1eb (commit)
  via  cc6f6dd7d8b7686c705a9ad3a31903b124541d8e (commit)
  via  2b8b82807ac92976629125d4d6ee75aaaf11012d (commit)
  via  11eaec4c33ecc441352f486f3d975217585ad8e7 (commit)
  via  9887d6c6c22613ce9c94f15179719212df4c4d8e (commit)
  via  396639d4247ffd9aaf09a814305fd1d57fef7b58 (commit)
  via  8c94bc855199c8dab82ac7db8fa9d6e11f814d26 (commit)
  from b3df193c5035ac866de1e4e9d484431ce707c4ad (commit)

- Log -
commit 5045eedff022d8efe004741898254578b146c1eb
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Fri May 28 17:39:11 2010 +0200

    disable rootfs automatic detection

    Avoid a warning at compile time by temporarily disabling the code.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit cc6f6dd7d8b7686c705a9ad3a31903b124541d8e
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Fri May 28 17:39:11 2010 +0200

    fix pivot umount algorithm

    Make a function and fix bad parameter to umount.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 2b8b82807ac92976629125d4d6ee75aaaf11012d
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Fri May 28 17:39:11 2010 +0200

    change repository url in MAINTAINERS

    Changed cvs to git url.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 11eaec4c33ecc441352f486f3d975217585ad8e7
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date:   Fri May 28 17:39:11 2010 +0200

    fix lxc-execute man page

    On buggy docbook-utils, old syntax leads to a bad formatting.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 9887d6c6c22613ce9c94f15179719212df4c4d8e
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date:   Fri May 28 17:01:45 2010 +0200

    update checkpoint / restart man page

    Notify that the checkpoint / restart commands do nothing for the moment.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 396639d4247ffd9aaf09a814305fd1d57fef7b58
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date:   Fri May 28 17:01:45 2010 +0200

    update lxc-checkpoint / lxc-restart man

    Add documentation for checkpoint / restart CLI.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 8c94bc855199c8dab82ac7db8fa9d6e11f814d26
Author: Greg Kurz gk...@fr.ibm.com
Date:   Fri May 28 14:29:05 2010 +0200

    assertion on lxc_checkpoint() return value

    Buggy behaviour always deserves an assertion.

    Signed-off-by: Greg Kurz gk...@fr.ibm.com
    Signed-off-by: Cedric Le Goater c...@fr.ibm.com
    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com
---

Summary of changes:
 MAINTAINERS                |   2 +-
 configure.ac               |   2 +
 doc/Makefile.am            |   2 +
 doc/lxc-checkpoint.sgml.in | 198 +
 doc/lxc-execute.sgml.in    |   3 +-
 doc/lxc-kill.sgml.in       |  43 +++---
 doc/lxc-restart.sgml.in    | 210
 src/lxc/conf.c             | 114
 src/lxc/lxc_checkpoint.c   |   4 +
 9 files changed, 509 insertions(+), 69 deletions(-)
 create mode 100644 doc/lxc-checkpoint.sgml.in
 create mode 100644 doc/lxc-restart.sgml.in
Re: [lxc-devel] releasing 0.6.6 soon
On 05/29/2010 01:15 AM, Ferenc Wagner wrote:
Daniel Lezcano daniel.lezc...@free.fr writes:

I will release a 0.6.6 version. If someone noticed a bug or has a patch to send, please let me know before I put a tag.

I'd really like to see some sort of signal forwarding in lxc-start, and am waiting for feedback whether it's OK to reverse the logic (ie. don't catch and forward a specific small set only). It should probably go together with a (tc)setpgrp as Greg suggested, even though we'd still want to forward other signals, and the container may even not have a controlling terminal at all.

Inverting the logic sounds good for me. And I agree with Greg too.

Shall I quickly put something like this together, or is such stuff out of question for 0.6.6 anyway?

Send the patchset, so we can review it and see whether we take it for 0.6.6. Otherwise I can take it for 0.6.7. IMO, the deliveries are too long and I would like to release more often now.

Thanks
-- Daniel
[lxc-devel] [GIT] lxc branch, master, updated. 5fad0874c3ff58afeb5c427a7ef1d211d3c5ce37
The branch, master has been updated
  via  5fad0874c3ff58afeb5c427a7ef1d211d3c5ce37 (commit)
  from 0e391e57b0e463720b956cf0fa515e861027c4b0 (commit)

- Log -
commit 5fad0874c3ff58afeb5c427a7ef1d211d3c5ce37
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date:   Tue Jun 1 12:24:17 2010 +0200

    fix compilation warning

    Fix compilation warning:

    lxc_console.c: In function ‘master_handler’:
    lxc_console.c:175: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com
---

Summary of changes:
 src/lxc/lxc_console.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
[lxc-devel] [PATCH 1/4] ubuntu template
From: Willem Meier wilhelm.me...@fh-kl.de Ubuntu [lucid] template script. Allows to create an ubuntu container with the template options. Signed-off-by: Willem Meier wilhelm.me...@fh-kl.de Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- configure.ac |1 + scripts/Makefile.am |1 + scripts/lxc-ubuntu.in | 327 + 3 files changed, 329 insertions(+), 0 deletions(-) create mode 100644 scripts/lxc-ubuntu.in diff --git a/configure.ac b/configure.ac index e91f69e..1df6ab5 100644 --- a/configure.ac +++ b/configure.ac @@ -135,6 +135,7 @@ AC_CONFIG_FILES([ scripts/Makefile scripts/lxc-debian + scripts/lxc-ubuntu scripts/lxc-busybox scripts/lxc-fedora scripts/lxc-sshd diff --git a/scripts/Makefile.am b/scripts/Makefile.am index 803a8e0..39d13a3 100644 --- a/scripts/Makefile.am +++ b/scripts/Makefile.am @@ -1,5 +1,6 @@ bin_SCRIPTS = \ lxc-debian \ + lxc-ubuntu \ lxc-fedora \ lxc-busybox \ lxc-sshd diff --git a/scripts/lxc-ubuntu.in b/scripts/lxc-ubuntu.in new file mode 100644 index 000..592385e --- /dev/null +++ b/scripts/lxc-ubuntu.in 
@@ -0,0 +1,327 @@ +#!/bin/bash + +# +# template script for generating ubuntu/lucid container for LXC +# +# This script is based on lxc-debian (Daniel Lezcano daniel.lezc...@free.fr) +# + +# Copyright © 2010 Wilhelm Meier +# Author: Wilhelm Meier wilhelm.me...@fh-kl.de +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2, as +# published by the Free Software Foundation. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# + +configure_ubuntu() +{ +rootfs=$1 +hostname=$2 + +# disable selinux in ubuntu +mkdir -p $rootfs/selinux +echo 0 $rootfs/selinux/enforce + + # configure the network using the dhcp +cat EOF $rootfs/etc/network/interfaces +auto lo +iface lo inet loopback + +auto eth0 +iface eth0 inet dhcp +EOF + +# set the hostname +cat EOF $rootfs/etc/hostname +$hostname +EOF +# set minimal hosts +cat EOF $rootfs/etc/hosts +127.0.0.1 localhost $hostname +EOF + +# provide the lxc service +cat EOF $rootfs/etc/init/lxc.conf +# fake some events needed for correct startup other services + +description Container Upstart + +start on startup + +script +rm -rf /var/run/* +/sbin/initctl emit stopped JOB=udevtrigger +/sbin/initctl emit started JOB=udev +end script +EOF + +cat EOF $rootfs/lib/init/fstab +# /lib/init/fstab: lxc system fstab +none/spu spufs gid=spu,optional 0 0 +none/tmp nonedefaults 0 0 +none/var/run tmpfs mode=0755,nosuid,showthrough 0 0 +none/var/lock tmpfs nodev,noexec,nosuid,showthrough 0 0 +none/lib/init/rw tmpfs mode=0755,nosuid,optional 0 0 +EOF + +# reconfigure 
some services +chroot $rootfs locale-gen de_DE.UTF-8 + +# remove pointless services in a container +chroot $rootfs /usr/sbin/update-rc.d -f ondemand remove + +chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls u*.conf); do echo $f; mv $f $f.orig; done' +chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls tty[2-9].conf); do echo $f; mv $f $f.orig; done' +chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls plymouth*.conf); do echo $f; mv $f $f.orig; done' +chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls hwclock*.conf); do echo $f; mv $f $f.orig; done' +chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls module*.conf); do echo $f; mv $f $f.orig; done' + +echo Please change root-password ! + +echo root:root | chroot /usr/local/var/lib/lxc/test/rootfs chpasswd +} + +download_ubuntu() +{ + packages=dialog,apt,resolvconf,iproute,inetutils-ping,vim,dhcp3-client,ssh,lsb-release + +cache=$1 +arch=$2 + +# check the mini ubuntu was not already downloaded +mkdir -p $cache/partial-$arch +if [ $? -ne 0 ]; then + echo Failed to create '$cache/partial-$arch' directory + return 1 +fi + +# download a mini ubuntu into a cache +echo Downloading ubuntu minimal ... +debootstrap --verbose --variant=minbase --components=main,universe --arch=$arch --include=$packages lucid $cache/partial-$arch +if [ $? -ne 0
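Review bot: in configure_ubuntu, the last step `echo root:root | chroot /usr/local/var/lib/lxc/test/rootfs chpasswd` hard-codes a path from one test installation instead of using `$rootfs`, so on any other machine it either fails or sets the root password of an unrelated tree; it should read `chroot $rootfs chpasswd`. The same function hard-codes `chroot $rootfs locale-gen de_DE.UTF-8`; the locale should come from a parameter or default to something like en_US.UTF-8. Both points are addressed in PATCH 2/4 below, so the two patches could be squashed before merging.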
[lxc-devel] [PATCH 2/4] Fix ubuntu template
From: Daniel Lezcano daniel.lezc...@free.fr - Fixed rootfs path. - Removed network section, it should to be passed to the lxc-create configuration option in order to concatenate the configuration files - Generate en_US local instead of de_DE Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- scripts/lxc-ubuntu.in | 16 +--- 1 files changed, 5 insertions(+), 11 deletions(-) diff --git a/scripts/lxc-ubuntu.in b/scripts/lxc-ubuntu.in index 592385e..835da0a 100644 --- a/scripts/lxc-ubuntu.in +++ b/scripts/lxc-ubuntu.in @@ -75,7 +75,7 @@ none/lib/init/rw tmpfs mode=0755,nosuid,optio EOF # reconfigure some services -chroot $rootfs locale-gen de_DE.UTF-8 +chroot $rootfs locale-gen en_US.UTF-8 # remove pointless services in a container chroot $rootfs /usr/sbin/update-rc.d -f ondemand remove @@ -86,9 +86,10 @@ EOF chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls hwclock*.conf); do echo $f; mv $f $f.orig; done' chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls module*.conf); do echo $f; mv $f $f.orig; done' -echo Please change root-password ! +echo root:root | chroot $rootfs chpasswd +echo Root password is 'root', please change ! -echo root:root | chroot /usr/local/var/lib/lxc/test/rootfs chpasswd +return 0 } download_ubuntu() @@ -181,16 +182,9 @@ copy_configuration() rootfs=$2 name=$3 -cat EOF $path/config -# Container with network virtualized using the macvlan device driver +cat EOF $path/config lxc.utsname = $name -lxc.network.type = macvlan -lxc.network.flags = up -lxc.network.link = eth1 -lxc.network.hwaddr = 4a:49:43:49:79:03 -lxc.network.macvlan.mode = vepa - lxc.tty = 4 lxc.pts = 1024 lxc.rootfs = $rootfs -- 1.7.0.4 -- ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
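Review bot: in the configure_ubuntu hunk, `echo root:root | chroot $rootfs chpasswd` leaves every container built from the template with the same well-known root password, and the following `echo Root password is 'root', please change !` only advises. Consider forcing a change at first login (`chroot $rootfs chage -d 0 root` right after chpasswd) or generating a random password and printing it. Removing the macvlan block with the fixed `lxc.network.hwaddr = 4a:49:43:49:79:03` from copy_configuration is right for another reason than the one given in the description: every container created from the template would otherwise have shared one MAC address.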
[lxc-devel] [PATCH 4/4] fix busybox template
Fix various bug with the busybox template: * add a warning when busybox is not statically linked * delete the password for root (chpasswd is not available for all busybox) * add the new pts option Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- scripts/lxc-busybox.in | 14 -- 1 files changed, 12 insertions(+), 2 deletions(-) diff --git a/scripts/lxc-busybox.in b/scripts/lxc-busybox.in index 40542d5..5f04dd8 100644 --- a/scripts/lxc-busybox.in +++ b/scripts/lxc-busybox.in @@ -26,6 +26,7 @@ install_busybox() name=$2 res=0 tree=\ +$rootfs/selinux \ $rootfs/dev \ $rootfs/home \ $rootfs/root \ @@ -191,6 +192,13 @@ configure_busybox() return 1 fi +file $(which busybox) | grep -q statically linked +if [ $? -ne 0 ]; then + echo warning : busybox is not statically linked. + echo warning : The template script may not correctly + echo warning : setup the container environment. +fi + # copy busybox in the rootfs cp $(which busybox) $rootfs/bin if [ $? -ne 0 ]; then @@ -206,9 +214,10 @@ configure_busybox() # passwd exec must be setuid chmod +s $rootfs/bin/passwd +touch $rootfs/etc/shadow +chroot $rootfs /bin/passwd -d root -echo root:root | chroot $rootfs chpasswd -echo Root password is 'root', please change ! +echo No password for 'root', please change ! return 0 } @@ -222,6 +231,7 @@ copy_configuration() cat EOF $path/config lxc.utsname = $name lxc.tty = 1 +lxc.pts = 1 lxc.rootfs = $rootfs EOF -- 1.7.0.4 -- ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
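Review bot: in the second configure_busybox hunk, `touch $rootfs/etc/shadow` creates the file with the caller's umask, normally 0644, so the container's shadow file is world-readable inside the container; create it with restricted permissions before `chroot $rootfs /bin/passwd -d root` runs, e.g. `touch $rootfs/etc/shadow && chmod 600 $rootfs/etc/shadow`. The static-link check above it only warns and continues; since a dynamically linked busybox will not work in a rootfs that carries no libraries, returning 1 there (as the surrounding checks do) would save the user a confusing failure at lxc-start time.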
[lxc-devel] [GIT] lxc branch, master, updated. c147356ac8a11a6249aa4528b285609058e12b82
The branch, master has been updated
  via  c147356ac8a11a6249aa4528b285609058e12b82 (commit)
  via  14a198d5a71822a45129a86515535e902b704373 (commit)
  from 32b37181eabe4778807ffa43e9368254a2564370 (commit)

- Log -
commit c147356ac8a11a6249aa4528b285609058e12b82
Author: Greg Kurz gk...@fr.ibm.com
Date:   Wed Jun 2 15:03:34 2010 +0200

    kill white spaces in lxc_init.c

    Signed-off-by: Greg Kurz gk...@fr.ibm.com
    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 14a198d5a71822a45129a86515535e902b704373
Author: Michel Normand norm...@fr.ibm.com
Date:   Wed Jun 2 15:03:34 2010 +0200

    README should not be a copy of lxc man page

    so rewrite it to its minimum

    Signed-off-by: Michel Normand norm...@fr.ibm.com
    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com
---

Summary of changes:
 README             | 345 ++--
 src/lxc/lxc_init.c |   5 +-
 2 files changed, 38 insertions(+), 312 deletions(-)
[lxc-devel] [GIT] lxc branch, master, updated. 5b406adb506fff621e03be524b1529f31846b0f7
The branch, master has been updated
  via  5b406adb506fff621e03be524b1529f31846b0f7 (commit)
  from c147356ac8a11a6249aa4528b285609058e12b82 (commit)

- Log -
commit 5b406adb506fff621e03be524b1529f31846b0f7
Author: Willem Meier wilhelm.me...@fh-kl.de
Date:   Wed Jun 2 15:18:17 2010 +0200

    fixes to the ubuntu template

    - Make /var/run not a tmpfs
    - Generate and update locales
    - Be less verbose
    - Remove apt-utils package

    Signed-off-by: Willem Meier wilhelm.me...@fh-kl.de
    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com
---

Summary of changes:
 scripts/lxc-ubuntu.in | 16
 1 files changed, 8 insertions(+), 8 deletions(-)
Re: [lxc-devel] [PATCH 0/7] Last minute signal stuff (now in separate mails)
On 06/06/2010 11:07 PM, Ferenc Wagner wrote:

Hi,

The first part is some tinkering to make lxc compile under Debian Lenny. The dangerous part is the signal forwarding and the process group business I was playing with recently. It contains Greg's idea about setting the foreground process group and also inverts the signal selection logic. Which means it's only slightly tested in its present form, but I wanted to get this out of the door ASAP, so you can get an idea what I'm up to. I'll continue testing it tomorrow and will follow up with the results.

Regards,
Feri.

Ferenc Wagner (7):
  conditional use of new capabilities
  uint32_t is defined in stdint.h
  .gitignore new components
  start child in its own process group, and put it into the foreground
  lxc-start isn't in the foreground anymore, so TTY signals don't reach it
  forward signals to the container init
  generalize the name of the signal handler

 .gitignore      |  3 ++
 src/lxc/conf.c  |  4 +++
 src/lxc/start.c | 59 ++
 src/lxc/utils.h | 27 -
 4 files changed, 44 insertions(+), 49 deletions(-)

Hi Ferenc,

I will take the fixes not related to the signal forwarding:
 - [PATCH 1/7] conditional use of new capabilities
 - [PATCH 2/7] uint32_t is defined in stdint.h
 - [PATCH 3/7] .gitignore new components

Thanks a lot.

-- Daniel
[lxc-devel] [GIT] lxc branch, master, updated. dd04402dd9c26127973dc5836d2befa28496f125
The branch, master has been updated
  via  dd04402dd9c26127973dc5836d2befa28496f125 (commit)
  via  09d1bd237e75e4b3d915b8ae5f979eb883833563 (commit)
  via  9527e566fcb52d851533d41b549e2cf523dfd95b (commit)
  via  91e7929dc4a4f826094751348ce730bc33a3e962 (commit)
  via  b6e91b67178aa06eeae82bb09bd5eee2869689de (commit)
  via  f1fa1a0866f2dc4ff0fc48f58d8a261b21b7d888 (commit)
  via  5bad66ba56376dcf9804e72b70bba16a2462c2fe (commit)
  via  bc24fe4d8ae55d6b9af5c86a6eafd9ff674507cc (commit)
  via  c01d62f21b21ba6c2b8b78ab3c2b37cc8f8fd265 (commit)
  via  d6b1784e1e76426fa0e10c1f3e3f2705d0b62f86 (commit)
  via  a7405925092586b4a16841f2418fab3620a548df (commit)
  from 5b406adb506fff621e03be524b1529f31846b0f7 (commit)

- Log -
commit dd04402dd9c26127973dc5836d2befa28496f125
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date:   Mon Jun 7 11:33:56 2010 +0200

    update .gitignore with new location

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 09d1bd237e75e4b3d915b8ae5f979eb883833563
Author: Ferenc Wagner wf...@niif.hu
Date:   Mon Jun 7 11:33:56 2010 +0200

    uint32_t is defined in stdint.h

    Signed-off-by: Ferenc Wagner wf...@niif.hu
    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 9527e566fcb52d851533d41b549e2cf523dfd95b
Author: Ferenc Wagner wf...@niif.hu
Date:   Mon Jun 7 11:33:56 2010 +0200

    conditional use of new capabilities

    Signed-off-by: Ferenc Wagner wf...@niif.hu
    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 91e7929dc4a4f826094751348ce730bc33a3e962
Author: Ferenc Wagner wf...@niif.hu
Date:   Mon Jun 7 11:33:56 2010 +0200

    .gitignore new components

    Signed-off-by: Ferenc Wagner wf...@niif.hu
    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit b6e91b67178aa06eeae82bb09bd5eee2869689de
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Mon Jun 7 11:33:55 2010 +0200

    update the fedora template

    Update the fedora template in order to call it from the lxc-create script.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit f1fa1a0866f2dc4ff0fc48f58d8a261b21b7d888
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Mon Jun 7 11:33:55 2010 +0200

    generate locales on debian

    Let's do like the ubuntu template and generate locales automatically.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 5bad66ba56376dcf9804e72b70bba16a2462c2fe
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Mon Jun 7 11:33:55 2010 +0200

    ubuntu - fix ssh runlevel stop condition

    The default ssh upstart configuration makes the daemon respawn even if
    we are shutting down.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit bc24fe4d8ae55d6b9af5c86a6eafd9ff674507cc
Author: Wilhelm Meier wilhelm.me...@fh-kl.de
Date:   Mon Jun 7 11:33:55 2010 +0200

    few enhancements on the ubuntu template

    Improved and cleaned up the ubuntu template.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com
    Signed-off-by: Wilhelm Meier wilhelm.me...@fh-kl.de

commit c01d62f21b21ba6c2b8b78ab3c2b37cc8f8fd265
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date:   Mon Jun 7 11:33:55 2010 +0200

    move script templates to an adequate place

    At present the lxc-{template} scripts are installed in the $bindir.
    This is not the right place as specified by the FHS, so they go to
    $libdir/lxc/templates.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit d6b1784e1e76426fa0e10c1f3e3f2705d0b62f86
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Mon Jun 7 11:33:55 2010 +0200

    add console login in ubuntu

    Added console login

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit a7405925092586b4a16841f2418fab3620a548df
Author: Andrew Phillips andrew.phill...@lmax.com
Date:   Mon Jun 7 11:33:55 2010 +0200

    Fix spec file

    After I resynced to git head I noticed that this commit;
    http://lxc.git.sourceforge.net/git/gitweb.cgi?p=lxc/lxc;a=commit;h=d674be08d4b282bb4717c51440811e39d3c2431e
    broke the rpm build. This patch fixes this.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com
    Signed-off-by: Andrew Phillips andrew.phill...@lmax.com
---

Summary of changes:
 .gitignore   | 11 +-
 Makefile.am  |  4 +-
 configure.ac | 13 +-
 lxc.spec.in
Re: [lxc-devel] [PATCH 0/7] Last minute signal stuff (now in separate mails)
On 06/07/2010 12:37 PM, Ferenc Wagner wrote:
Daniel Lezcano daniel.lezc...@free.fr writes:
On 06/06/2010 11:07 PM, Ferenc Wagner wrote:

The first part is some tinkering to make lxc compile under Debian Lenny. The dangerous part is the signal forwarding and the process group business I was playing with recently. It contains Greg's idea about setting the foreground process group and also inverts the signal selection logic. Which means it's only slightly tested in its present form, but I wanted to get this out of the door ASAP, so you can get an idea what I'm up to. I'll continue testing it tomorrow and will follow up with the results.

Ferenc Wagner (7):
  conditional use of new capabilities
  uint32_t is defined in stdint.h
  .gitignore new components
  start child in its own process group, and put it into the foreground
  lxc-start isn't in the foreground anymore, so TTY signals don't reach it
  forward signals to the container init
  generalize the name of the signal handler

I will take the fixes not related to the signal forwarding:
 - [PATCH 1/7] conditional use of new capabilities
 - [PATCH 2/7] uint32_t is defined in stdint.h
 - [PATCH 3/7] .gitignore new components

Ok, that's the uncontroversial part. Patch 4 has a whitespace error, and patch 5 lost an #endif, so I'll resend them anyway. I wonder how the latter didn't surface on my home machine...

But there's another failure I get on my work machine (with my original patchset with the above errors corrected):

    gcc -I../../src -g -O2 -g -Wall -O2 -Wall -Wl,-E -Wl,-rpath -Wl,/usr/lib/lxc -o lxc-attach lxc_attach.o liblxc.so
    liblxc.so: undefined reference to `lxc_sync_init'
    liblxc.so: undefined reference to `lxc_sync_fini_parent'
    liblxc.so: undefined reference to `lxc_sync_barrier_parent'
    liblxc.so: undefined reference to `lxc_sync_fini_child'
    liblxc.so: undefined reference to `lxc_sync_wake_parent'
    liblxc.so: undefined reference to `lxc_sync_wait_child'
    liblxc.so: undefined reference to `lxc_sync_fini'
    liblxc.so: undefined reference to `lxc_sync_barrier_child'
    collect2: ld returned 1 exit status

Have you got an idea what may be wrong here? I'll continue investigation after lunch.

Do you have a compilation warning?
[lxc-devel] [GIT] lxc branch, master, updated. 79881dc61f912321f3004531711071a051f80220
The branch, master has been updated
  via  79881dc61f912321f3004531711071a051f80220 (commit)
  from dd04402dd9c26127973dc5836d2befa28496f125 (commit)

- Log -
commit 79881dc61f912321f3004531711071a051f80220
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date:   Mon Jun 7 13:25:30 2010 +0200

    fix ipv6 acast / mcast restriction

    Pointer comparison is buggy as they are never null.

    For an ipv6 address configuration, we always zeroed the structure,
    hence the bcast and acast structures are equal to in6addr_any.
    Any change of this value means the user specified something different
    in the configuration file, so we fail gracefully.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com
---

Summary of changes:
 src/lxc/network.c | 4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)
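The pointer-versus-contents mistake this commit message describes, as an added C example (not lxc's code; the configuration structure, its field names and the helper names are assumptions made for the example): an IPv6 address that was never set in a zeroed structure equals in6addr_any, so the contents have to be compared with memcmp() or IN6_IS_ADDR_UNSPECIFIED(), whereas the address of an embedded member is never NULL and says nothing about what the user configured.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a per-interface IPv6 configuration entry. It is
 * zeroed when created, so an address the user never specified stays equal
 * to in6addr_any (all zero bytes). */
struct inet6_cfg {
    struct in6_addr addr;
    struct in6_addr mcast;
    struct in6_addr acast;
    int prefix;
};

/* Parse textual addresses into a freshly zeroed entry. mcast / acast may be
 * NULL to mean "not present in the config file".
 * Returns 1 on success, 0 if any address fails to parse. */
int ipv6_cfg_parse(struct inet6_cfg *c, const char *addr,
                   const char *mcast, const char *acast)
{
    memset(c, 0, sizeof *c);
    if (inet_pton(AF_INET6, addr, &c->addr) != 1)
        return 0;
    if (mcast && inet_pton(AF_INET6, mcast, &c->mcast) != 1)
        return 0;
    if (acast && inet_pton(AF_INET6, acast, &c->acast) != 1)
        return 0;
    return 1;
}

/* Fixed check: compare the bytes against in6addr_any. */
int mcast_unset(const struct inet6_cfg *c)
{
    return memcmp(&c->mcast, &in6addr_any, sizeof(struct in6_addr)) == 0;
}

/* Same test, using the standard macro instead of memcmp. */
int acast_unset(const struct inet6_cfg *c)
{
    return IN6_IS_ADDR_UNSPECIFIED(&c->acast);
}

/* Returns 1 if the entry is acceptable, 0 if the user supplied a multicast
 * or anycast address (which this example, like the commit, does not support). */
int ipv6_cfg_check(const struct inet6_cfg *c)
{
    if (!mcast_unset(c) || !acast_unset(c)) {
        fprintf(stderr, "ipv6 multicast/anycast addresses are not supported\n");
        return 0;
    }
    return 1;
}

/* Convenience wrapper for tests: -1 on parse error, else the check result. */
int cfg_accepts(const char *addr, const char *mcast, const char *acast)
{
    struct inet6_cfg c;
    if (!ipv6_cfg_parse(&c, addr, mcast, acast))
        return -1;
    return ipv6_cfg_check(&c);
}

/* The buggy pattern: deciding from the member's address rather than its
 * contents. &c.mcast is a pointer into the structure, so it is never NULL
 * and the result is the same whatever the user wrote in the config file. */
int cfg_accepts_buggy(const char *addr, const char *mcast, const char *acast)
{
    struct inet6_cfg c;
    const struct in6_addr *pm = &c.mcast;
    const struct in6_addr *pa = &c.acast;
    if (!ipv6_cfg_parse(&c, addr, mcast, acast))
        return -1;
    return (pm == NULL && pa == NULL) ? 1 : 0;   /* always 0 */
}

int main(void)
{
    printf("unicast only, fixed check:   %d\n", cfg_accepts("2001:db8::1", NULL, NULL));
    printf("with multicast, fixed check: %d\n", cfg_accepts("2001:db8::1", "ff02::1", NULL));
    printf("unicast only, buggy check:   %d\n", cfg_accepts_buggy("2001:db8::1", NULL, NULL));
    printf("with multicast, buggy check: %d\n", cfg_accepts_buggy("2001:db8::1", "ff02::1", NULL));
    return 0;
}
```

The sample addresses are constructed documentation-prefix values. The point of `cfg_accepts_buggy` is that both of its calls return the same value: a check that cannot distinguish "unset" from "set" silently disables the restriction it is supposed to enforce, which is exactly what makes such bugs easy to miss in testing.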
[lxc-devel] [GIT] lxc branch, master, updated. 89875e177f53385b556c5e33ec32bf4de4ae5a89
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc.

The branch, master has been updated
  via  89875e177f53385b556c5e33ec32bf4de4ae5a89 (commit)
  via  7ddc8f2451f714659aa9d1ba720a34a525926be5 (commit)
  from 79881dc61f912321f3004531711071a051f80220 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit 89875e177f53385b556c5e33ec32bf4de4ae5a89
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Mon Jun 7 14:31:56 2010 +0200

update .gitignore

Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 7ddc8f2451f714659aa9d1ba720a34a525926be5
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Mon Jun 7 14:31:56 2010 +0200

fix return code

Return a negative instead of a positive value.

Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---
Summary of changes:
 .gitignore        | 20 +++-
 src/lxc/network.c |  2 +-
 2 files changed, 4 insertions(+), 18 deletions(-)

hooks/post-receive
--
lxc
Re: [lxc-devel] [PATCH 0/7] Last minute signal stuff (now in separate mails)
On 06/07/2010 03:27 PM, Ferenc Wagner wrote:

Daniel Lezcano daniel.lezc...@free.fr writes:

On 06/07/2010 12:37 PM, Ferenc Wagner wrote:

there's another failure I get on my work machine (with my original patchset with the above errors corrected):

gcc -I../../src -g -O2 -g -Wall -O2 -Wall -Wl,-E -Wl,-rpath -Wl,/usr/lib/lxc -o lxc-attach lxc_attach.o liblxc.so
liblxc.so: undefined reference to `lxc_sync_init'
liblxc.so: undefined reference to `lxc_sync_fini_parent'
liblxc.so: undefined reference to `lxc_sync_barrier_parent'
liblxc.so: undefined reference to `lxc_sync_fini_child'
liblxc.so: undefined reference to `lxc_sync_wake_parent'
liblxc.so: undefined reference to `lxc_sync_wait_child'
liblxc.so: undefined reference to `lxc_sync_fini'
liblxc.so: undefined reference to `lxc_sync_barrier_child'
collect2: ld returned 1 exit status

Have you got an idea what may be wrong here? I'll continue investigation after lunch.

Do you have a compilation warning ?

No real compilation warning, only this:

make[2]: Entering directory `/build/wferi-lxc_0.6.6~gitf814275a-1-i386-T7QsnO/lxc-0.6.6~gitf814275a/src'
cd .. && /bin/sh /build/wferi-lxc_0.6.6~gitf814275a-1-i386-T7QsnO/lxc-0.6.6~gitf814275a/config/missing --run autoheader
/build/wferi-lxc_0.6.6~gitf814275a-1-i386-T7QsnO/lxc-0.6.6~gitf814275a/config/missing: line 54: autoheader: command not found
WARNING: `autoheader' is missing on your system. You should only need it if you modified `acconfig.h' or `configure.ac'. You might want to install the `Autoconf' and `GNU m4' packages. Grab them from any GNU archive site.
touch: cannot touch `[src/config.h].in': No such file or directory
rm -f stamp-h1
touch config.h.in

It's probably some unfortunate interaction with the Debian build system. If I rerun autogen.sh on the build system (the source is prepared on another system with a different automake version), the build succeeds. This didn't cause problems before.

Now I switched to treating the git checkout as the original source, and the problem disappeared. Looks like it's nothing to worry about, after all.

ok.
Re: [lxc-devel] [PATCH 4/5] generalize the name of the signal handler
On 06/09/2010 07:56 PM, Ferenc Wagner wrote:

Signed-off-by: Ferenc Wagner wf...@niif.hu

+1
Re: [lxc-devel] [PATCH 1/5] start child in its own process group, and put it into the foreground
On 06/09/2010 07:56 PM, Ferenc Wagner wrote: Signed-off-by: Ferenc Wagnerwf...@niif.hu --- src/lxc/start.c | 17 + 1 files changed, 17 insertions(+), 0 deletions(-) diff --git a/src/lxc/start.c b/src/lxc/start.c index b69ac88..7bbcf5a 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -463,6 +463,7 @@ int lxc_spawn(struct lxc_handler *handler) int clone_flags; int failed_before_rename = 0; const char *name = handler-name; + int ctty; if (lxc_sync_init(handler)) return -1; @@ -509,6 +510,22 @@ int lxc_spawn(struct lxc_handler *handler) } } + if (setpgid(handler-pid, 0)) { + SYSERROR(failed to create new process group); + goto out_delete_net; + } + DEBUG(created new process group %d, handler-pid); + ctty = open(/dev/tty, O_RDONLY); + if (ctty != -1) { + int ret = tcsetpgrp(ctty, handler-pid); + close(ctty); + if (ret) { + SYSERROR(failed to set terminal foreground process group); + goto out_delete_net; + } + DEBUG(set terminal foreground process group); + } Is there a particular reason to do that from the parent and not from the child ? /* Tell the child to continue its initialization and wait for * it to exec or return an error */ -- ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
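Review bot: the `setpgid(handler-pid, 0)` and `tcsetpgrp(ctty, handler-pid)` calls in the second hunk are made only on the parent side, so they race with the child: if the child gets scheduled first and touches the tty before the parent has made it the foreground group, the child is stopped with SIGTTIN/SIGTTOU. The usual idiom is `setpgid(0, 0)` in the child as well as `setpgid(pid, 0)` in the parent, and the handoff must complete before the child is released at the "Tell the child to continue its initialization" point that follows the hunk; the patch description should state that this ordering is what makes it safe. Second, `tcsetpgrp()` from a process that is not itself in the terminal's foreground group (lxc-start launched with `&` from a job-control shell) delivers SIGTTOU to lxc-start and stops it unless SIGTTOU is ignored or blocked around the call; either handle that or document that lxc-start must be started in the foreground.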
Re: [lxc-devel] [PATCH 2/5] lxc-start isn't in the foreground anymore, so TTY signals don't reach it
On 06/09/2010 07:56 PM, Ferenc Wagner wrote: Signed-off-by: Ferenc Wagnerwf...@niif.hu --- src/lxc/start.c |9 - src/lxc/utils.h | 29 ++--- 2 files changed, 2 insertions(+), 36 deletions(-) Yeah, cleanup ! +1 diff --git a/src/lxc/start.c b/src/lxc/start.c index 7bbcf5a..ccd8bcd 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -129,9 +129,6 @@ int signalfd(int fd, const sigset_t *mask, int flags) lxc_log_define(lxc_start, lxc); -LXC_TTY_HANDLER(SIGINT); -LXC_TTY_HANDLER(SIGQUIT); - static int match_fd(int fd) { return (fd == 0 || fd == 1 || fd == 2); @@ -574,10 +571,6 @@ int __lxc_start(const char *name, struct lxc_conf *conf, goto out_fini; } - /* Avoid signals from terminal */ - LXC_TTY_ADD_HANDLER(SIGINT); - LXC_TTY_ADD_HANDLER(SIGQUIT); - err = lxc_poll(name, handler); if (err) { ERROR(mainloop exited with an error); @@ -589,8 +582,6 @@ int __lxc_start(const char *name, struct lxc_conf *conf, err = lxc_error_set_and_log(handler-pid, status); out_fini: - LXC_TTY_DEL_HANDLER(SIGQUIT); - LXC_TTY_DEL_HANDLER(SIGINT); lxc_unlink_nsgroup(name); lxc_fini(name, handler); return err; diff --git a/src/lxc/utils.h b/src/lxc/utils.h index 114b668..d47c983 100644 --- a/src/lxc/utils.h +++ b/src/lxc/utils.h 
@@ -23,34 +23,9 @@ #ifndef _utils_h #define _utils_h -#define LXC_TTY_HANDLER(s) \ - static struct sigaction lxc_tty_sa_##s; \ - static void tty_##s##_handler(int sig, siginfo_t *info, void *ctx) \ - { \ - if (lxc_tty_sa_##s.sa_handler == SIG_DFL || \ - lxc_tty_sa_##s.sa_handler == SIG_IGN) \ - return; \ - (*lxc_tty_sa_##s.sa_sigaction)(sig, info, ctx); \ - } - -#define LXC_TTY_ADD_HANDLER(s) \ - do { \ - struct sigaction sa; \ - sa.sa_sigaction = tty_##s##_handler; \ - sa.sa_flags = SA_SIGINFO; \ - sigfillset(sa.sa_mask); \ - /* No error expected with sigaction. */ \ - sigaction(s,sa,lxc_tty_sa_##s); \ - } while (0) - -#define LXC_TTY_DEL_HANDLER(s) \ - do { \ - sigaction(s,lxc_tty_sa_##s, NULL); \ - } while (0) - -#endif - extern int lxc_copy_file(const char *src, const char *dst); extern int lxc_setup_fs(void); extern int get_u16(ushort *val, const char *arg, int base); extern int mkdir_p(const char *dir, mode_t mode); + +#endif -- ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
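Review bot: in the utils.h hunk the old `#endif` sat above the `extern` declarations, so `lxc_copy_file()`, `lxc_setup_fs()`, `get_u16()` and `mkdir_p()` were outside the include guard; moving `#endif` to the end of the file fixes that latent bug and is worth a sentence in the commit message. Removing LXC_TTY_HANDLER, LXC_TTY_ADD_HANDLER and LXC_TTY_DEL_HANDLER is only correct once patch 1/5 has put the container in the terminal's foreground group, so this patch should not be applied or reverted independently of it; say so in the description. Note also that with the SA_SIGINFO wrappers gone, a SIGINT or SIGQUIT that still reaches lxc-start by other means (`kill -INT <pid>`) gets the default action, i.e. kills lxc-start, unless the forwarding in patch 3/5 covers those signals too.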
Re: [lxc-devel] [PATCH 3/5] forward signals to the container init
On 06/09/2010 07:56 PM, Ferenc Wagner wrote:

Signed-off-by: Ferenc Wagner wf...@niif.hu

+1
Re: [lxc-devel] [PATCH 5/5] document rootfs options
On 06/09/2010 07:56 PM, Ferenc Wagner wrote:

Signed-off-by: Ferenc Wagner wf...@niif.hu

Great, Thanks ! +1
[lxc-devel] [GIT] lxc branch, master, updated. b0badabd2d3ec9c8506651bbb4900cc0ec3f8a16
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc.

The branch, master has been updated
  via  b0badabd2d3ec9c8506651bbb4900cc0ec3f8a16 (commit)
  from 4f9293b1f07722f18023bbec06c2a3719335d8f7 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit b0badabd2d3ec9c8506651bbb4900cc0ec3f8a16
Author: Andrew Phillips andrew.phill...@lmax.com
Date: Mon Jun 14 11:34:50 2010 +0200

support shutdown/reboot with upstart within a system container

Improve resiliency of utmp.c to removal of /var/run/utmp

Add shutdown timer as we transition to shutdown from running to check for the number of tasks remaining.

Improve container state handling. We can't rely on the previous runlevel being maintained properly.

Signed-off-by: Andrew Phillips andrew.phill...@lmax.com
Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---
Summary of changes:
 src/lxc/utmp.c | 301
 1 files changed, 261 insertions(+), 40 deletions(-)

hooks/post-receive
--
lxc
Re: [lxc-devel] [RFC][PATCH][lxc]: unfreeze while stopping
On 06/09/2010 07:29 PM, Sukadev Bhattiprolu wrote:

Michel Normand [norm...@fr.ibm.com] wrote:
| On Tuesday, 08 June 2010 at 19:07 -0700, Sukadev Bhattiprolu wrote:
| I am not too sure, but if user wants to stop a container is there a
| reason not to implicitly unfreeze the container and stop ?
|
| ---
| From: Sukadev Bhattiprolu suka...@linux.vnet.ibm.com
| Date: Tue, 8 Jun 2010 18:42:00 -0700
| Subject: [PATCH 1/1]: unfreeze while stopping container
|
| When a container is being stopped, it must also be unfrozen after posting
| the SIGKILL. Otherwise if the container is frozen when the SIGKILL is posted,
| the SIGKILL will remain pending and the lxc-stop command will block until
| lxc-unfreeze is explicitly called.
|
| For me the lxc-start/lxc-stop and
| lxc-freeze/lxc-unfreeze are two sets of commands
| that should not be mixed.
|
| If the container was previously frozen by a lxc-freeze
| then the user has to issue a lxc-unfreeze before issuing the lxc-stop.

Ok, if that is the design, then we should change the lxc_stop_callback() to send an answer even on success ? Currently on successful stop it expects the socket to close, which will unblock the waiting lxc_stop() caller. But if the container is frozen the lxc_stop() caller waits indefinitely. It's not an issue for the lxc-stop command, but is an issue when lxc-checkpoint calls lxc_stop() (in response to the --kill option).

Suka, Can you resend your patch as it is without the RFC prefix and add a note to the man page ?

Thanks
-- Daniel
Re: [lxc-devel] [PATCH 0/2] some cleanup around lxc-create
On 06/15/2010 01:59 PM, Ferenc Wagner wrote:

Hi,

I had a go against lxc-create trying to debug the console issue. There is still a serious issue: the template scripts use some 'arch' binary, which isn't present on my system. What is that? Why not use 'uname -m' instead?

There is no particular reason for the 'arch' command, 'uname -m' should be ok too and maybe preferable.

Ferenc Wagner (2):
  remove misleading copypaste comment
  correct template directory documentation

 doc/lxc-create.sgml.in | 11 ++-
 src/lxc/lxc-create.in  |  5 -
 2 files changed, 6 insertions(+), 10 deletions(-)

Thanks for fixing these nasty things.

-- Daniel
Re: [lxc-devel] [PATCH 0/5] Signal stuff v2 and some documentation
On 06/15/2010 04:47 PM, Ferenc Wagner wrote:

Daniel Lezcano daniel.lezc...@free.fr writes:

On 06/15/2010 02:13 PM, Ferenc Wagner wrote:

Daniel Lezcano daniel.lezc...@free.fr writes:

On 06/10/2010 11:47 PM, Ferenc Wagner wrote:

If you provide me with an example (and some description of lxc.console), I can give it some testing and concretize this pure guesswork.

lxc-create -n ubuntu -f ~/mynetwork.conf -t ubuntu
lxc-start -n ubuntu -s lxc.console=$(tty) -o $(tty) -l DEBUG

I'm not there yet, but found something interesting. If lxc-checkconfig reports full green, clone(NEWNS|NEWUTS|NEWIPC|NEWPID|NEWNET) in lxc-start shouldn't fail. Who's wrong here?

$ lxc-checkconfig
Kernel config /proc/config.gz not found, looking in other places...
Found kernel config file /boot/config-2.6.26-2-686

2.6.26 ? Mmmh, You need at least a 2.6.29 for a system container (better to have a 2.6.32).

Yeah, it runs with 2.6.32. Btw. what happened in 2.6.29, which made it particularly suitable for running system containers?

The network virtualization was merged upstream.

Bah ! Looks like the lxc-checkconfig is buggy (fix in attachment).

With your fix it indeed misses a couple of things:

Network namespace: missing

Better to have it for a system container, otherwise the guest system will reconfigure your host network :/

Multiple /dev/pts instances: missing

Better to have it but not mandatory until you remove the lxc.pts option.

Cgroup memory controller: missing

Not mandatory.

Macvlan: missing

Better to have, it is more flexible to configure the network, but not mandatory.

Thanks for the fix! Now let's see why lxc-start gets suspended when I try to type at the console...

I think it is exactly what you described in the previous email, that is if a background process tries to read/write to the tty, then a SIGTTIN / SIGTTOU is sent to it, where the default action is to stop the process.

Interestingly, it stays in S state until I kill the container.

I'm afraid the console functionality (is there any documentation for it?) may make lxc-start unsuitable for pushing into the background. After all, it is an interactive foreground process in that case, a real proxy towards some getty (if I understand this console thingie right). Maybe this should be handled differently to application containers. But then I'm not sure how Ctrl-C and similar should be forwarded to a getty... argh.

yes, chicken-egg problem.
Re: [lxc-devel] [PATCH 0/5] Signal stuff v2 and some documentation
On 06/15/2010 02:13 PM, Ferenc Wagner wrote:

Daniel Lezcano daniel.lezc...@free.fr writes:

On 06/10/2010 11:47 PM, Ferenc Wagner wrote:

If you provide me with an example (and some description of lxc.console), I can give it some testing and concretize this pure guesswork.

lxc-create -n ubuntu -f ~/mynetwork.conf -t ubuntu
lxc-start -n ubuntu -s lxc.console=$(tty) -o $(tty) -l DEBUG

I'm not there yet, but found something interesting. If lxc-checkconfig reports full green, clone(NEWNS|NEWUTS|NEWIPC|NEWPID|NEWNET) in lxc-start shouldn't fail. Who's wrong here?

Cheers,
Feri.

$ lxc-checkconfig
Kernel config /proc/config.gz not found, looking in other places...
Found kernel config file /boot/config-2.6.26-2-686

2.6.26 ? Mmmh, You need at least a 2.6.29 for a system container (better to have a 2.6.32).

--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup namespace: enabled
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: enabled

Note : Before booting a new kernel, you can check its configuration
usage : CONFIG=/path/to/config /usr/bin/lxc-checkconfig

$ sudo lxc-start -n debian -s lxc.console=$(tty)
lxc-start: failed to clone(0x6c02): Invalid argument
lxc-start: Invalid argument - failed to fork into a new namespace
lxc-start: failed to spawn 'debian'
lxc-start: No such file or directory - failed to remove cgroup '/mnt/debian'

Bah ! Looks like the lxc-checkconfig is buggy (fix in attachment).

---
 src/lxc/lxc-checkconfig.in | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

Index: lxc/src/lxc/lxc-checkconfig.in
===
--- lxc.orig/src/lxc/lxc-checkconfig.in
+++ lxc/src/lxc/lxc-checkconfig.in
@@ -11,8 +11,6 @@ SETCOLOR_NORMAL=echo -en \\033[0;39m is_set() { $GREP -q $1=[y|m] $CONFIG -RES=$? - return $? } @@ -22,7 +20,7 @@ is_enabled() { is_set $1 RES=$? -if [ $RES = 0 ]; then +if [ $RES -eq 0 ]; then $SETCOLOR_SUCCESS echo -e enabled $SETCOLOR_NORMAL else if [ ! -z $mandatory -a $mandatory = yes ]; then -- ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
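Review bot: the real bug is the removed `RES=$?` line in is_set(): a variable assignment is itself a command that sets `$?` to 0, so the following `return $?` always returned success and every option was reported "enabled", which is exactly the all-green report on the 2.6.26 kernel above. With the assignment gone, `return $?` reports grep's own status as intended (a bare `return` would do the same). The `=` to `-eq` change in is_enabled() is cosmetic, since both compare correctly against 0, but `-eq` reads better for an integer. Worth adding while here: the script should also warn when the kernel version found is below the 2.6.29 mentioned earlier in the thread, because a config-only check was enough to mislead a careful user.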
[lxc-devel] [GIT] lxc branch, master, updated. 0830689d862752819db9552b2ba8ef58fe7cafaa
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc.

The branch, master has been updated
  via  0830689d862752819db9552b2ba8ef58fe7cafaa (commit)
  via  4d67c1301b9cf6587b0cc2e42f4e61ed6c29097c (commit)
  via  a52c4b8cac552ad37a21c6462da7fe289bf03418 (commit)
  via  3f9cf2ad5ef063a53d2d5cc3eb05c0bb274732b5 (commit)
  from b0badabd2d3ec9c8506651bbb4900cc0ec3f8a16 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit 0830689d862752819db9552b2ba8ef58fe7cafaa
Author: Panagiotis H.M. Issaris panagio...@gmail.com
Date: Wed Jun 16 09:19:15 2010 +0200

Forgotten @LIBEXECDIR@ replacement

Forgotten part of commit d674be08d4b282bb4717c51440811e39d3c2431e

Signed-off-by: Panagiotis H.M. Issaris ta...@issaris.org
Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 4d67c1301b9cf6587b0cc2e42f4e61ed6c29097c
Author: Ferenc Wagner wf...@niif.hu
Date: Wed Jun 16 09:19:15 2010 +0200

correct template directory documentation

Signed-off-by: Ferenc Wagner wf...@niif.hu
Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit a52c4b8cac552ad37a21c6462da7fe289bf03418
Author: Ferenc Wagner wf...@niif.hu
Date: Wed Jun 16 09:19:15 2010 +0200

remove misleading copypaste comment

Signed-off-by: Ferenc Wagner wf...@niif.hu
Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 3f9cf2ad5ef063a53d2d5cc3eb05c0bb274732b5
Author: Daniel Lezcano daniel.lezc...@free.fr
Date: Wed Jun 16 09:19:15 2010 +0200

Fix lxc-checkconfig

Fix bad comparison.

Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---
Summary of changes:
 doc/lxc-create.sgml.in     | 11 ++-
 src/lxc/lxc-checkconfig.in |  4 +---
 src/lxc/lxc-create.in      |  5 -
 templates/lxc-sshd.in      |  4 ++--
 4 files changed, 9 insertions(+), 15 deletions(-)

hooks/post-receive
--
lxc
[lxc-devel] [GIT] lxc tag, lxc-0.7.0, created. f7a5fb7cf5677ea7b8e8ffc4603cff5089771b10
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc.

The tag, lxc-0.7.0 has been created
  at f7a5fb7cf5677ea7b8e8ffc4603cff5089771b10 (commit)

- Log -
commit f7a5fb7cf5677ea7b8e8ffc4603cff5089771b10
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Thu Jun 17 14:04:15 2010 +0200

change version number to 0.7.0

Finally, I did it :)

Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---

hooks/post-receive
--
lxc
[lxc-devel] [GIT] lxc branch, master, updated. 8119235833dc0861c34086f639a60546cda2739c
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc.

The branch, master has been updated
  via  8119235833dc0861c34086f639a60546cda2739c (commit)
  via  70e279574cd07e743d1f6e498d569add3fa6a7de (commit)
  from f7a5fb7cf5677ea7b8e8ffc4603cff5089771b10 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit 8119235833dc0861c34086f639a60546cda2739c
Author: Daniel Lezcano daniel.lezc...@free.fr
Date: Thu Jun 17 22:44:23 2010 +0200

fix bad free when reading the configuration file

We change the initial pointer when parsing the line, the address we are trying to free is modified in case there are blanks before an option.

Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 70e279574cd07e743d1f6e498d569add3fa6a7de
Author: Daniel Lezcano daniel.lezc...@fr.ibm.com
Date: Thu Jun 17 22:44:23 2010 +0200

fix sshd template

Fixed the sshd template example.

Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---
Summary of changes:
 src/lxc/confile.c     | 13 +++-
 templates/lxc-sshd.in |  6 +++---
 2 files changed, 10 insertions(+), 9 deletions(-)

hooks/post-receive
--
lxc
[lxc-devel] [GIT] lxc branch, master, updated. a7dff83460f259c934da8eb2aef0eac5b437b808
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc.

The branch, master has been updated
  via  a7dff83460f259c934da8eb2aef0eac5b437b808 (commit)
  via  cd453b38b778652cb341062fbf3c38edefc3a478 (commit)
  from 8119235833dc0861c34086f639a60546cda2739c (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit a7dff83460f259c934da8eb2aef0eac5b437b808
Author: Daniel Lezcano daniel.lezc...@free.fr
Date: Wed Jun 23 00:44:13 2010 +0200

fix /proc not mounted in debian container

Mount some system fs for the container. By default, /proc is no longer mounted in debian.

Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit cd453b38b778652cb341062fbf3c38edefc3a478
Author: Daniel Lezcano daniel.lezc...@free.fr
Date: Wed Jun 23 00:44:13 2010 +0200

fix default console to /dev/tty

Fix default console output to fall into the current tty. Otherwise fall to /dev/null if no tty is available. Fix at the same time Xorg taking 100% cpu.

Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---
Summary of changes:
 src/lxc/console.c       | 31 +-
 templates/lxc-debian.in |  5 +
 2 files changed, 34 insertions(+), 2 deletions(-)

hooks/post-receive
--
lxc
Re: [lxc-devel] Fixed (hacked) LXC to apply mount options for bind mounts
On 03/08/2010 10:35 PM, Ciprian Dorin, Craciun wrote:

Hello all!

This bug stalked me for a while, but only now it bit me quite badly... (Lost about an hour of work...)

So the culprit: inside the fstab file for the `lxc.mount` option I can use options like `ro` together with `bind`. Unfortunately the kernel just laughs in my face and ignores any options I've put in there... :)

But not any more: I've updated `./src/lxc/conf.c` (`mount_file_entries` function) so that when it encounters a `bind` option it executes it twice (one without any extra options, and a second time with the remount flag set.)

I've marginally (as in my particular case) tested it and it works.

Any other ideas on how to solve this? Any comments?

Ciprian.

Sorry for the delay. Hopefully, John reminded me to take this patch.

I found this paragraph in the mount man page:

[ ... ]
Note that the filesystem mount options will remain the same as those on the original mount point, and cannot be changed by passing the -o option along with --bind/--rbind. The mount options can be changed by a separate remount command, for example:

mount --bind olddir newdir
mount -o remount,ro newdir

So I think your patch is correct :)

Thanks Ciprian.

-- Daniel
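The two-step bind mount the man page excerpt prescribes, as an added example (not lxc's conf.c, whose fix is only described above): an fstab option string such as `bind,ro,nosuid` is parsed, the bind is made, and the per-mountpoint flags are then applied with a `MS_REMOUNT|MS_BIND` remount and verified with statvfs(). The option subset, the function names and the behaviour of refusing unknown options are this example's own choices; the mount(2) calls need CAP_SYS_ADMIN, the parsing does not.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/statvfs.h>

/* fstab option names this example understands and their mount(2) flags */
static const struct {
    const char *name;
    unsigned long flag;
} opt_table[] = {
    { "bind",   MS_BIND   },
    { "ro",     MS_RDONLY },
    { "nosuid", MS_NOSUID },
    { "nodev",  MS_NODEV  },
    { "noexec", MS_NOEXEC },
};

/* Parse "bind,ro,nosuid" into flags.  An unknown option is an error, not
 * something to drop on the floor; "rw" and "defaults" are accepted no-ops. */
int parse_mount_opts(const char *opts, unsigned long *flags)
{
    char buf[256];
    size_t ntab = sizeof(opt_table) / sizeof(opt_table[0]);
    *flags = 0;
    if (strlen(opts) >= sizeof(buf))
        return -1;
    strcpy(buf, opts);
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        size_t i;
        if (!strcmp(tok, "rw") || !strcmp(tok, "defaults"))
            continue;
        for (i = 0; i < ntab && strcmp(tok, opt_table[i].name); i++)
            ;
        if (i == ntab)
            return -1;
        *flags |= opt_table[i].flag;
    }
    return 0;
}

/* Flags for the second call: MS_REMOUNT|MS_BIND changes only the
 * per-mountpoint flags of dst (ro, nosuid, ...) and leaves the source
 * mount untouched. */
unsigned long remount_flags(unsigned long flags)
{
    return flags | MS_REMOUNT | MS_BIND;
}

/* Two-step bind mount; returns 0, or -1 with errno set.  The first mount
 * ignores everything but MS_BIND (the behaviour complained about in the
 * thread); the remount is what actually enforces ro/nosuid/... */
int bind_mount_with_opts(const char *src, const char *dst, const char *opts)
{
    unsigned long flags;
    if (parse_mount_opts(opts, &flags) == -1 || !(flags & MS_BIND)) {
        errno = EINVAL;
        return -1;
    }
    if (mount(src, dst, NULL, MS_BIND, NULL) == -1)
        return -1;
    if (flags == MS_BIND)
        return 0;                      /* nothing further to apply */
    if (mount(NULL, dst, NULL, remount_flags(flags), NULL) == -1) {
        int saved = errno;
        umount2(dst, MNT_DETACH);      /* never leave a writable bind behind */
        errno = saved;
        return -1;
    }
    return 0;
}

/* Verify instead of trusting: 1 if dst is read-only, 0 if not, -1 on error. */
int mount_is_readonly(const char *dst)
{
    struct statvfs st;
    if (statvfs(dst, &st) == -1)
        return -1;
    return (st.f_flag & ST_RDONLY) ? 1 : 0;
}
```

The remount applies to the top mount only; a recursive bind of a tree with submounts needs the same remount on each submount.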
[lxc-devel] [GIT] lxc branch, master, updated. 78bdcd081edd6cc20587fb5c531445a2fb20f6d8
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc.

The branch, master has been updated
  via  78bdcd081edd6cc20587fb5c531445a2fb20f6d8 (commit)
  via  e76b8764fa0aa1873724a9e4a8a3ca93c0e5cd70 (commit)
  from a7dff83460f259c934da8eb2aef0eac5b437b808 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit 78bdcd081edd6cc20587fb5c531445a2fb20f6d8
Author: Daniel Lezcano daniel.lezc...@free.fr
Date: Thu Jun 24 09:47:14 2010 +0200

remove bad default console option in ubuntu template

Remove this option as by default container console goes to the tty or /dev/null if not available.

Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit e76b8764fa0aa1873724a9e4a8a3ca93c0e5cd70
Author: Ciprian Dorin, Craciun cipr...@volution.ro
Date: Thu Jun 24 09:47:14 2010 +0200

lxc to apply mount options for bind mounts

Hello all!

This bug stalked me for a while, but only now it bit me quite badly... (Lost about an hour of work...)

So the culprit: inside the fstab file for the `lxc.mount` option I can use options like `ro` together with `bind`. Unfortunately the kernel just laughs in my face and ignores any options I've put in there... :)

But not any more: I've updated `./src/lxc/conf.c` (`mount_file_entries` function) so that when it encounters a `bind` option it executes it twice (one without any extra options, and a second time with the remount flag set.)

I've marginally (as in my particular case) tested it and it works.

Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---
Summary of changes:
 src/lxc/conf.c          | 18 +-
 templates/lxc-ubuntu.in |  2 --
 2 files changed, 17 insertions(+), 3 deletions(-)

hooks/post-receive
--
lxc
[lxc-devel] [GIT] lxc tag, lxc-0.7.1, created. 78bdcd081edd6cc20587fb5c531445a2fb20f6d8
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc.

The tag, lxc-0.7.1 has been created
  at 78bdcd081edd6cc20587fb5c531445a2fb20f6d8 (commit)

- Log -
commit 78bdcd081edd6cc20587fb5c531445a2fb20f6d8
Author: Daniel Lezcano daniel.lezc...@free.fr
Date: Thu Jun 24 09:47:14 2010 +0200

remove bad default console option in ubuntu template

Remove this option as by default container console goes to the tty or /dev/null if not available.

Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---

hooks/post-receive
--
lxc
[lxc-devel] [GIT] lxc branch, master, updated. ebb9ec72ce494cbee4bb445604d6527fbaefde5b
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc.

The branch, master has been updated
  via  ebb9ec72ce494cbee4bb445604d6527fbaefde5b (commit)
  from 743ecd2efba6b2d2c23a0fdb2fe8958c81c73561 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit ebb9ec72ce494cbee4bb445604d6527fbaefde5b
Author: Tushar Gohad tgo...@mvista.com
Date: Tue Jul 6 23:45:52 2010 +0200

Minor resource name array fix in src/lxc/namespace.c

Signed-off-by: Tushar Gohad tgo...@mvista.com
Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---
Summary of changes:
 src/lxc/namespace.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

hooks/post-receive
--
lxc

--
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
Re: [lxc-devel] [PATCH RESENT] - Minor resource name array fix in src/lxc/namespace.c
On 07/06/2010 12:03 AM, Tushar Gohad wrote: Google's mailer sent out the last email with wrong MIME type for the patch attachment. This message should have the patch in correct format. Thanks. Applied, thanks Tushar !
Re: [lxc-devel] [PATCH 0/5] Signal stuff v2 and some documentation
On 06/09/2010 07:56 PM, Ferenc Wagner wrote: Hi, here are basically the same patches, with some obvious errors corrected and some unrelated documentation added. It actually survived some targeted testing in the past days and seems to behave as expected, i.e. # lxc-start -n s -- sh -c "trap 'echo TERM' TERM; sleep 10" can be interrupted by Ctrl-C from the terminal (the sleep process does not ignore the SIGINT sent to the foreground process group by the OS), while a # pkill lxc-start does not terminate the sleep as the SIGTERM gets forwarded to the shell only, which reports it after the sleep expires. This forwarding mechanism makes it possible to plug lxc into our batch queueing system. Hi Ferenc, is it your last version or can I investigate with this patchset ? Thanks -- Daniel
[lxc-devel] [patch -lxc 2/6] add a macro to wrap a privileged function
This macro is a helper to call a function in an [un]privileged section. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/caps.h | 33 ++--- 1 files changed, 30 insertions(+), 3 deletions(-) diff --git a/src/lxc/caps.h b/src/lxc/caps.h index bdc248b..6b27648 100644 --- a/src/lxc/caps.h +++ b/src/lxc/caps.h @@ -22,7 +22,34 @@ */ #ifndef _caps_h #define _caps_h -int lxc_caps_down(void); -int lxc_caps_up(void); -int lxc_caps_init(void); + +extern int lxc_caps_down(void); +extern int lxc_caps_up(void); +extern int lxc_caps_init(void); + +#define lxc_priv(__lxc_function) \ + ({ \ + int __ret, __ret2, __errno = 0; \ + __ret = lxc_caps_up(); \ + if (__ret) \ + goto __out; \ + __ret = __lxc_function; \ + if (__ret) \ + __errno = errno;\ + __ret2 = lxc_caps_down(); \ + __out: __ret ? errno = __errno,__ret : __ret2; \ + }) + +#define lxc_unpriv(__lxc_function) \ + ({ \ + int __ret, __ret2, __errno = 0; \ + __ret = lxc_caps_down();\ + if (__ret) \ + goto __out; \ + __ret = __lxc_function; \ + if (__ret) \ + __errno = errno;\ + __ret2 = lxc_caps_up(); \ + __out: __ret ? errno = __errno,__ret : __ret2; \ + }) #endif -- 1.7.0.4
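Review bot: the `__out:` label inside each statement expression has function scope, so a second use of `lxc_priv()` or `lxc_unpriv()` in the same function fails to compile with a duplicate label; replace the `goto __out` with an `if (!__ret) { ... }` around the wrapped call. The failure path of the macro also loses the real error: when `lxc_caps_up()` (or `lxc_caps_down()` in `lxc_unpriv`) returns nonzero, `__ret` is nonzero and the tail expression `errno = __errno, __ret` overwrites errno with the initial 0. Since the macro body reads and writes `errno`, caps.h should also carry `#include <errno.h>` unless one already sits above this hunk, and identifiers starting with a double underscore are reserved for the implementation.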
[lxc-devel] [patch -lxc 5/6] fix console overwrite any file
Prevent specifying a file not belonging to us as the output for the console Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/console.c | 11 ++- 1 files changed, 6 insertions(+), 5 deletions(-) diff --git a/src/lxc/console.c b/src/lxc/console.c index 1ab2b29..edefc41 100644 --- a/src/lxc/console.c +++ b/src/lxc/console.c @@ -30,10 +30,10 @@ #include sys/types.h #include sys/un.h -#include lxc/log.h -#include lxc/conf.h -#include lxc/start.h /* for struct lxc_handler */ - +#include log.h +#include conf.h +#include start.h /* for struct lxc_handler */ +#include caps.h #include commands.h #include mainloop.h #include af_unix.h @@ -192,7 +192,8 @@ int lxc_create_console(struct lxc_conf *conf) goto err; } - fd = open(console-path, O_CLOEXEC | O_RDWR | O_CREAT | O_APPEND, 0600); + fd = lxc_unpriv(open(console-path, O_CLOEXEC | O_RDWR | O_CREAT | +O_APPEND, 0600)); if (fd 0) { SYSERROR(failed to open '%s', console-path); goto err; -- 1.7.0.4
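Review bot: the first hunk rewrites `lxc/log.h`, `lxc/conf.h` and `lxc/start.h` to local includes, which is an include-path cleanup unrelated to the privilege fix; split it into its own patch so the security change stays reviewable on its own (only the added `#include caps.h` belongs here).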
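Review bot: in the second hunk, if `lxc_caps_up()` fails inside `lxc_unpriv()` after `open()` has already succeeded, the macro returns the capability error and the freshly opened descriptor is leaked; either close the descriptor on that path or have `lxc_unpriv` surface both results so the caller can clean up. Wrapping the `open()` is the right fix for the DAC bypass: with the effective set cleared the kernel applies the ordinary owner/mode checks to the real uid, which is exactly the property the commit message asks for.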
[lxc-devel] fix security holes when running lxc as non-root
Thanks all for the feedback. The following patchset provides an intermediate solution between all the remarks about the security aspects when running lxc with the capabilities. It has the advantage of being compatible with the setuid root bit set on lxc-start and lxc-execute. More work has to be done, but I prefer to send these patches now as they are critical in terms of security.
[lxc-devel] [patch -lxc 6/6] Remove dead code
This function is no longer used. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/state.c |8 1 files changed, 0 insertions(+), 8 deletions(-) diff --git a/src/lxc/state.c b/src/lxc/state.c index b29ae09..6720011 100644 --- a/src/lxc/state.c +++ b/src/lxc/state.c @@ -63,14 +63,6 @@ lxc_state_t lxc_str2state(const char *state) return -1; } -int lxc_rmstate(const char *name) -{ - char file[MAXPATHLEN]; - snprintf(file, MAXPATHLEN, LXCPATH /%s/state, name); - unlink(file); - return 0; -} - static int freezer_state(const char *name) { char *nsgroup; -- 1.7.0.4
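Review bot: the diffstat touches only state.c; if `lxc_rmstate()` is still declared in a header (state.h or the public lxc.h), drop the prototype in the same patch so the headers do not advertise a symbol that no longer exists in liblxc.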
[lxc-devel] [patch -lxc 3/6] initialize capabilities for lxc-start and lxc-execute
Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/lxc_execute.c |5 - src/lxc/lxc_start.c |4 2 files changed, 8 insertions(+), 1 deletions(-) diff --git a/src/lxc/lxc_execute.c b/src/lxc/lxc_execute.c index c3a0cd7..f480859 100644 --- a/src/lxc/lxc_execute.c +++ b/src/lxc/lxc_execute.c @@ -31,7 +31,7 @@ #include sys/stat.h #include sys/param.h - +#include caps.h #include lxc.h #include log.h #include conf.h @@ -93,6 +93,9 @@ int main(int argc, char *argv[]) lxc_list_init(defines); + if (lxc_caps_init()) + return -1; + if (lxc_arguments_parse(my_args, argc, argv)) return -1; diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c index 7aa17ff..661764a 100644 --- a/src/lxc/lxc_start.c +++ b/src/lxc/lxc_start.c @@ -41,6 +41,7 @@ #include net/if.h #include log.h +#include caps.h #include lxc.h #include conf.h #include cgroup.h @@ -101,6 +102,9 @@ int main(int argc, char *argv[]) lxc_list_init(defines); + if (lxc_caps_init()) + return err; + if (lxc_arguments_parse(my_args, argc, argv)) return err; -- 1.7.0.4
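Review bot: calling `lxc_caps_init()` before `lxc_arguments_parse()` in both programs is the right order, since the privilege state is settled before any user-supplied path or option is touched, but the two call sites disagree on the failure value: lxc_execute.c returns `-1` while lxc_start.c returns `err`. Use one convention in both so scripts checking the exit status see the same thing.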
[lxc-devel] [patch -lxc 4/6] fix log appending to any file
With the capabilities, the open of the log file can be done on any file, making it possible to modify the content of the file. Let's drop the privilege when opening the file, so we ensure that this is no longer possible. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/log.c |6 -- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/lxc/log.c b/src/lxc/log.c index 596ed99..0661360 100644 --- a/src/lxc/log.c +++ b/src/lxc/log.c @@ -33,7 +33,8 @@ #include fcntl.h #include stdlib.h -#include lxc/log.h +#include log.h +#include caps.h #define LXC_LOG_PREFIX_SIZE32 #define LXC_LOG_BUFFER_SIZE512 @@ -127,7 +128,8 @@ static int log_open(const char *name) int fd; int newfd; - fd = open(name, O_CREAT | O_WRONLY | O_APPEND | O_CLOEXEC, 0666); + fd = lxc_unpriv(open(name, O_CREAT | O_WRONLY | +O_APPEND | O_CLOEXEC, 0666)); if (fd == -1) { ERROR(failed to open log file \%s\ : %s, name, strerror(errno)); -- 1.7.0.4
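Review bot: the second hunk keeps the `0666` create mode, so with a typical umask a freshly created log ends up world-readable (0644); lxc logs carry container paths and error details, and the console.c change in this same series already creates its file with `0600`. Use `0600` (or `0640`) here as well, unless world-readable logs are a documented requirement.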
[lxc-devel] [patch -lxc 1/6] remove/restore effective capabilities
This patch adds the functions to drop the 'effective' capabilities and restore them from the 'permitted' capabilities. When the command is run as 'root' we do nothing. When the command is run as 'lambda' user, we drop the effective capabilities. When the command is run as 'root' but real uid is not root, we keep the capabilities, switch to real uid, and drop the effective capabilities. This approach is compatible for root user, lambda + file capabilities and lambda + setuid. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/Makefile.am |5 +- src/lxc/caps.c | 135 +++ src/lxc/caps.h | 28 +++ 3 files changed, 166 insertions(+), 2 deletions(-) create mode 100644 src/lxc/caps.c create mode 100644 src/lxc/caps.h diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index 3cbd6c0..133f102 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -5,6 +5,7 @@ pkginclude_HEADERS = \ monitor.h \ utils.h \ namespace.h \ + caps.h \ lxc.h \ cgroup.h \ conf.h \ @@ -44,6 +45,7 @@ liblxc_so_SOURCES = \ rtnl.c rtnl.h \ genl.c genl.h \ \ + caps.c caps.h \ mainloop.c mainloop.h \ af_unix.c af_unix.h \ \ @@ -90,7 +92,7 @@ pkglib_PROGRAMS = \ lxc-init AM_LDFLAGS=-Wl,-E -Wl,-rpath -Wl,$(libdir) -LDADD=liblxc.so +LDADD=liblxc.so @CAP_LIBS@ lxc_attach_SOURCES = lxc_attach.c lxc_cgroup_SOURCES = lxc_cgroup.c @@ -100,7 +102,6 @@ lxc_execute_SOURCES = lxc_execute.c lxc_freeze_SOURCES = lxc_freeze.c lxc_info_SOURCES = lxc_info.c lxc_init_SOURCES = lxc_init.c -lxc_init_LDADD = $(LDADD) @CAP_LIBS@ lxc_monitor_SOURCES = lxc_monitor.c lxc_restart_SOURCES = lxc_restart.c lxc_start_SOURCES = lxc_start.c diff --git a/src/lxc/caps.c b/src/lxc/caps.c new file mode 100644 index 000..2cd79cd --- /dev/null +++ b/src/lxc/caps.c 
@@ -0,0 +1,135 @@ +/* + * lxc: linux Container library + * + * (C) Copyright IBM Corp. 2007, 2008 + * + * Authors: + * Daniel Lezcano dlezcano at fr.ibm.com + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +#define _GNU_SOURCE +#include unistd.h +#include sys/prctl.h +#include sys/capability.h + +#include log.h + +lxc_log_define(lxc_caps, lxc); + +int lxc_caps_down(void) +{ + cap_t caps; + int ret; + + caps = cap_get_proc(); + if (!caps) { + ERROR(failed to cap_get_proc: %m); + return -1; + } + + ret = cap_clear_flag(caps, CAP_EFFECTIVE); + if (ret) { + ERROR(failed to cap_clear_flag: %m); + goto out; + } + + ret = cap_set_proc(caps); + if (ret) { + ERROR(failed to cap_set_proc: %m); + goto out; + } + +out: + cap_free(caps); +return 0; +} + +int lxc_caps_up(void) +{ + cap_t caps; + cap_value_t cap; + int ret; + + caps = cap_get_proc(); + if (!caps) { + ERROR(failed to cap_get_proc: %m); + return -1; + } + + for (cap = 0; cap = CAP_LAST_CAP; cap++) { + + cap_flag_value_t flag; + + ret = cap_get_flag(caps, cap, CAP_PERMITTED, flag); + if (ret) { + ERROR(failed to cap_get_flag: %m); + goto out; + } + + ret = cap_set_flag(caps, CAP_EFFECTIVE, 1, cap, flag); + if (ret) { + ERROR(failed to cap_set_flag: %m); + goto out; + } + } + + ret = cap_set_proc(caps); + if (ret) { + 
ERROR(failed to cap_set_proc: %m); + goto out; + } + +out: + cap_free(caps); +return 0; +} + +int lxc_caps_init(void) +{ + uid_t uid = getuid(); + gid_t gid = getgid(); + uid_t euid = geteuid(); + + if (!uid) { + INFO(command is run as 'root'); + return 0; + } + + if (uid !euid) { + INFO(command is run as setuid root (uid : %d), uid); + + if (prctl(PR_SET_KEEPCAPS, 1)) { + ERROR(failed
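Review bot: `lxc_caps_down()` and `lxc_caps_up()` both fall through to `out: cap_free(caps); return 0;` on every path, so a failed `cap_clear_flag()`, `cap_get_flag()`, `cap_set_flag()` or `cap_set_proc()` is logged but reported to the caller as success. For `lxc_unpriv()` that means `open()` can run with the effective set still raised while the code believes the privilege was dropped, which defeats the point of patches 4/6 and 5/6. Return `ret` after the label (initialised to -1 before `cap_get_proc()`) so callers can refuse to continue.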
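Review bot: the Makefile.am hunks add `@CAP_LIBS@` to the program-level `LDADD` and drop the lxc-init-specific one, but caps.c is compiled into `liblxc_so_SOURCES`; please confirm that liblxc.so's own link line (not shown in this patch) also pulls in libcap, otherwise the shared library carries undefined `cap_*` references that only resolve through the executables, and any other consumer of liblxc.so fails to load.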
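The effective/permitted round trip that caps.c and the lxc_unpriv() macro implement, as an added example (my code, not the patch's or the lxc project's): the effective set is cleared before a path-based syscall so the kernel's ordinary DAC checks apply to the real user, then restored from the permitted set, with the wrapped call's errno preserved across the restore and a failed restore treated as fatal. It uses the raw capget(2)/capset(2) syscalls so it links without libcap; the `demo_` names and the path in main() are mine, and the path is constructed so that open() fails with ENOENT and the preserved errno is visible. It runs on any Linux regardless of privilege: for an ordinary user both sets are empty and the capset calls are no-ops.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Added example, not lxc code. Same idea as caps.c: permitted is the reservoir
 * of privilege, effective is what the next syscall may actually use. */
struct caps_snapshot {
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
};

static int caps_read(struct caps_snapshot *s)
{
    memset(s, 0, sizeof(*s));
    s->hdr.version = _LINUX_CAPABILITY_VERSION_3;
    s->hdr.pid = 0;                          /* 0 = the calling thread */
    return syscall(SYS_capget, &s->hdr, s->data) ? -1 : 0;
}

static int caps_write(const struct caps_snapshot *s)
{
    return syscall(SYS_capset, &s->hdr, s->data) ? -1 : 0;
}

/* Drop every effective capability; permitted is untouched so they can return. */
int demo_caps_down(void)
{
    struct caps_snapshot s;
    int i;

    if (caps_read(&s))
        return -1;
    for (i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        s.data[i].effective = 0;
    return caps_write(&s);
}

/* Re-raise the effective set from the permitted set. */
int demo_caps_up(void)
{
    struct caps_snapshot s;
    int i;

    if (caps_read(&s))
        return -1;
    for (i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        s.data[i].effective = s.data[i].permitted;
    return caps_write(&s);
}

/* 1 if no capability is effective right now, 0 if one is, -1 on error. */
int demo_effective_is_empty(void)
{
    struct caps_snapshot s;
    int i;

    if (caps_read(&s))
        return -1;
    for (i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (s.data[i].effective)
            return 0;
    return 1;
}

/* 1 if effective == permitted (fully raised again), 0 otherwise, -1 on error. */
int demo_effective_equals_permitted(void)
{
    struct caps_snapshot s;
    int i;

    if (caps_read(&s))
        return -1;
    for (i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (s.data[i].effective != s.data[i].permitted)
            return 0;
    return 1;
}

/* Function-style equivalent of lxc_unpriv(open(...)): open with no effective
 * capability, keep open's errno across the restore, and refuse to carry on
 * in an unknown privilege state if the restore fails. */
int demo_unpriv_open(const char *path, int flags, mode_t mode)
{
    int fd, saved_errno;

    if (demo_caps_down())
        return -1;
    fd = open(path, flags, mode);
    saved_errno = errno;
    if (demo_caps_up()) {
        if (fd >= 0)
            close(fd);                       /* do not leak the descriptor */
        return -1;
    }
    errno = saved_errno;                     /* report open's error, not capset's */
    return fd;
}

int main(void)
{
    /* constructed path: the directory does not exist, so open fails with ENOENT */
    const char *path = "/nonexistent-constructed-dir/console.log";
    int fd = demo_unpriv_open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0600);
    int saved_errno = errno;

    printf("open(%s) -> %d, errno=%s\n", path, fd, strerror(saved_errno));
    printf("effective set fully raised again: %d\n", demo_effective_equals_permitted());
    return (fd < 0 && saved_errno == ENOENT) ? 0 : 1;
}
```

The point of checking `demo_caps_up()` and closing the descriptor is the behaviour the macro in caps.h lacks: a half-raised process must not keep running with a file it opened while unprivileged and then proceed as if privilege were available.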
[lxc-devel] [GIT] lxc branch, master, updated. d1c383f39064969b647fd632f8e6614b49fd6cf2
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc. The branch, master has been updated via d1c383f39064969b647fd632f8e6614b49fd6cf2 (commit) via 371828c4a0a23b61d57889b7deb11390b6ff0f3e (commit) via ba31511e05aa098a22552b1c8da39e80ae4a090c (commit) from ebb9ec72ce494cbee4bb445604d6527fbaefde5b (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log - commit d1c383f39064969b647fd632f8e6614b49fd6cf2 Author: Daniel Lezcano dlezc...@fr.ibm.com Date: Mon Jul 12 15:13:18 2010 +0200 fix compilation warning Add missing include. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com commit 371828c4a0a23b61d57889b7deb11390b6ff0f3e Author: Sukadev Bhattiprolu suka...@linux.vnet.ibm.com Date: Mon Jul 12 15:13:18 2010 +0200 Must unfreeze while stopping container As pointed out by Dan Smith, when a container is being stopped, it must also be unfrozen after posting the SIGKILL. Otherwise if the container is frozen when the SIGKILL is posted, the SIGKILL will remain pending and the lxc-stop command will block until lxc-unfreeze is explicitly called. (lxc-stop waits for the container to exit and close the socket but since the container is frozen, lxc-stop will block). Signed-off-by: Sukadev Bhattiprolu suka...@linux.vnet.ibm.com Acked-by: Matt Helsley matth...@us.ibm.com Acked-by: Dan Smith da...@us.ibm.com Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com commit ba31511e05aa098a22552b1c8da39e80ae4a090c Author: Sukadev Bhattiprolu suka...@linux.vnet.ibm.com Date: Mon Jul 12 15:13:18 2010 +0200 Ensure freezer state has changed A write to the freezer.state file does not guarantee that the state has changed. To ensure that the freezer state is either FROZEN or THAWED, read the freezer state and if it has not changed, repeat the write. 
Changelog[v2]: - Minor reorg of code - Comments from Daniel Lezcano: - lseek() before each read/write of freezer.state - Have lxc_freeze_unfreeze() return -1 on error Signed-off-by: Sukadev Bhattiprolu suka...@linux.vnet.ibm.com Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- Summary of changes: src/lxc/freezer.c | 50 +++--- src/lxc/stop.c| 11 +-- 2 files changed, 52 insertions(+), 9 deletions(-) hooks/post-receive -- lxc
Re: [lxc-devel] [PATCH 2/2] Must unfreeze while stopping container
On 07/10/2010 04:52 AM, Sukadev Bhattiprolu wrote: [ ... ] + if (!answer.ret) { + ret = lxc_unfreeze(handler-name); + if (!ret) + return 0; [ ... ] gcc -DHAVE_CONFIG_H -I. -I../../src -fPIC -DPIC -I../../src -g -O2 -Wall -MT liblxc_so-stop.o -MD -MP -MF .deps/liblxc_so-stop.Tpo -c -o liblxc_so-stop.o `test -f 'stop.c' || echo './'`stop.c stop.c: In function ‘lxc_stop_callback’: stop.c:87: warning: implicit declaration of function ‘lxc_unfreeze’ It looks like #include lxc.h is missing. Please in the future check you are not introducing warnings. Thanks -- Daniel
Re: [lxc-devel] [PATCH 0/5] Signal stuff v2 and some documentation
On 07/15/2010 10:07 PM, Ferenc Wagner wrote: Daniel Lezcano daniel.lezc...@free.fr writes: On 06/09/2010 07:56 PM, Ferenc Wagner wrote: here are basically the same patches, with some obvious errors corrected and some unrelated documentation added. It actually survived some targeted testing in the past days and seems to behave as expected, i.e. # lxc-start -n s -- sh -c "trap 'echo TERM' TERM; sleep 10" can be interrupted by Ctrl-C from the terminal (the sleep process does not ignore the SIGINT sent to the foreground process group by the OS), while a # pkill lxc-start does not terminate the sleep as the SIGTERM gets forwarded to the shell only, which reports it after the sleep expires. This forwarding mechanism makes it possible to plug lxc into our batch queueing system. is it your last version or can I investigate with this patchset ? Yes, this is the version I've been using since I posted it. I haven't ported it to latest git, but it shouldn't be hard. It seems to do what I intended, but obviously interferes with the console handling, but that should be rethought anyway, as I see it. Ok, thanks. I will take the first 2 patches, so signal forwarding is done but without [tc]setpgrp for the moment. I have a couple of patches on top of yours where when lxc-init receives a SIGTERM, it does like the usual 'init' process by sending a kill(-1, SIGTERM) followed by a kill(-1, SIGKILL) if all the processes do not exit after a small amount of time. I just figured out, in your use case, you are using 'lxc-start -n foo prog'. You are getting rid of the child reaping (the kernel reparents orphan processes to the container's init). The purpose of lxc-init is to reap children, mount /proc, /dev/shm, forward signals to process 2 and support daemons. Maybe you already noticed that, but maybe you should use 'lxc-execute -n foo prog' (which spawns lxc-init). In this case, it would be more convenient to do [tc]setpgrp in lxc-init, so we solve the problem with the console. 
Basically, I feel like the container console from the user space PoV should be an alias for a terminal device, just like on a real system. /dev/console isn't virtualized by the kernel, so it shouldn't be accessible from a container, although bind mounting it to some tty is an option in case some program uses it explicitly. That was the first implementation but the '/sbin/init' process calls TIOCSCTTY, borrowing the tty to the current terminal. In any case, the console presented by lxc-start should always be detachable, preferably even detached by default. Yep, I will send a matrix with a lxc-execute vs lxc-start vs start() common function vs console and hopefully we can find a nice way to fix this mess. Thanks Ferenc, -- Daniel
Re: [lxc-devel] [PATCH 1/2]: Ensure freezer state has changed
On 07/15/2010 02:59 AM, Matt Helsley wrote: On Fri, Jul 09, 2010 at 07:51:32PM -0700, Sukadev Bhattiprolu wrote: From: Sukadev Bhattiprolu suka...@linux.vnet.ibm.com Subject: [PATCH 1/2] Ensure freezer state has changed A write to the freezer.state file does not guarantee that the state has changed. To ensure that the freezer state is either FROZEN or THAWED, read the freezer state and if it has not changed, repeat the write. Technically this is only necessary for the THAWED -> FROZEN transition. In other words, if we're FROZEN and write THAWED then we don't need to read the state. However, it doesn't hurt to check. Reviewed-by: Matt Helsley matth...@us.ibm.com Thanks Matt for the comments. Suka, I pushed your patch, but if you have time, that would be nice if you can address Matt's comments. Thanks -- Daniel
[lxc-devel] [patch -lxc 2/4] generalize the name of the signal handler
From: Ferenc Wagner wf...@niif.hu Signed-off-by: Ferenc Wagner wf...@niif.hu Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/start.c | 10 +- 1 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/lxc/start.c b/src/lxc/start.c index 92f44e3..1d4087c 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -190,7 +190,7 @@ int lxc_check_inherited(int fd_to_ignore) return ret; } -static int setup_sigchld_fd(sigset_t *oldmask) +static int setup_signal_fd(sigset_t *oldmask) { sigset_t mask; int fd; @@ -222,7 +222,7 @@ static int setup_sigchld_fd(sigset_t *oldmask) return fd; } -static int sigchld_handler(int fd, void *data, +static int signal_handler(int fd, void *data, struct lxc_epoll_descr *descr) { struct signalfd_siginfo siginfo; @@ -305,7 +305,7 @@ int lxc_poll(const char *name, struct lxc_handler *handler) goto out_sigfd; } - if (lxc_mainloop_add_handler(descr, sigfd, sigchld_handler, pid)) { + if (lxc_mainloop_add_handler(descr, sigfd, signal_handler, pid)) { ERROR(failed to add handler for the signal); goto out_mainloop_open; } @@ -371,7 +371,7 @@ struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf) /* the signal fd has to be created before forking otherwise * if the child process exits before we setup the signal fd, * the event will be lost and the command will be stuck */ - handler-sigfd = setup_sigchld_fd(handler-oldmask); + handler-sigfd = setup_signal_fd(handler-oldmask); if (handler-sigfd 0) { ERROR(failed to set sigchild fd handler); goto out_delete_console; 
@@ -402,7 +402,7 @@ void lxc_fini(const char *name, struct lxc_handler *handler) lxc_set_state(name, handler, STOPPING); lxc_set_state(name, handler, STOPPED); - /* reset mask set by setup_sigchld_fd */ + /* reset mask set by setup_signal_fd */ if (sigprocmask(SIG_SETMASK, handler-oldmask, NULL)) WARN(failed to restore sigprocmask); -- 1.7.0.4
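Review bot: the rename is applied consistently, but the error string at the call site in `lxc_init()` (`ERROR(failed to set sigchild fd handler)`, visible as context in the fourth hunk) still talks about sigchld; update it to "signal fd" in the same patch so log messages match the function the handler now serves.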
[lxc-devel] [patch -lxc 3/4] lxc-init kills all processes with SIGTERM
When lxc-init receives a SIGTERM, let's kill all the processes of the pid namespace with kill -1. So the exit of the container will happen gracefully with a process death cascade. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/lxc_init.c | 14 -- 1 files changed, 12 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c index 5e0da5e..d91a3a1 100644 --- a/src/lxc/lxc_init.c +++ b/src/lxc/lxc_init.c @@ -154,11 +154,21 @@ int main(int argc, char *argv[]) int orphan = 0; pid_t waited_pid; - if (was_interrupted) { + switch (was_interrupted) { + + case 0: + break; + + case SIGTERM: + kill(-1, SIGTERM); + break; + + default: kill(pid, was_interrupted); - was_interrupted = 0; + break; } + was_interrupted = 0; waited_pid = wait(status); if (waited_pid 0) { if (errno == ECHILD) -- 1.7.0.4
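Review bot: `kill(-1, SIGTERM)` signals every process the caller is allowed to signal; inside a fresh pid namespace that is the intended cascade, but nothing in this hunk checks that lxc-init actually is pid 1 of such a namespace, so running it outside one (by hand, or through a misconfiguration) would terminate the user's whole session. A `getpid() == 1` guard before the `case SIGTERM:` kill makes the assumption explicit. Moving `was_interrupted = 0` after the `switch` also widens an existing race: a signal that the handler records between the `switch` evaluation and the reset is silently discarded, since signals are unblocked during this loop.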
[lxc-devel] [patch -lxc 4/4] lxc-init finishes the remaining processes with SIGKILL
If lxc-init receives a SIGALRM, a timeout, it kills all the processes of the container with SIGKILL. That will prevent the container from being stuck when one process ignores the SIGTERM signal. Each time a process exits, the timeout is reset. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/lxc_init.c | 36 +++- 1 files changed, 31 insertions(+), 5 deletions(-) diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c index d91a3a1..5c264c6 100644 --- a/src/lxc/lxc_init.c +++ b/src/lxc/lxc_init.c @@ -82,7 +82,7 @@ int main(int argc, char *argv[]) int err = -1; char **aargv; sigset_t mask, omask; - int i; + int i, shutdown = 0; while (1) { int ret = getopt_long_only(argc, argv, , options, NULL); @@ -106,6 +106,10 @@ int main(int argc, char *argv[]) aargv = argv[optind]; argc -= nbargs; +/* +* mask all the signals so we are safe to install a +* signal handler and to fork +*/ sigfillset(mask); sigprocmask(SIG_SETMASK, mask, omask); @@ -113,6 +117,9 @@ int main(int argc, char *argv[]) struct sigaction act; sigfillset(act.sa_mask); + sigdelset(mask, SIGILL); + sigdelset(mask, SIGSEGV); + sigdelset(mask, SIGBUS); act.sa_flags = 0; act.sa_handler = interrupt_handler; sigaction(i, act, NULL); @@ -131,8 +138,10 @@ int main(int argc, char *argv[]) if (!pid) { + /* restore default signal handlers */ for (i = 1; i NSIG; i++) signal(i, SIG_DFL); + sigprocmask(SIG_SETMASK, omask, NULL); NOTICE(about to exec '%s', aargv[0]); @@ -142,6 +151,8 @@ int main(int argc, char *argv[]) exit(err); } + /* let's process the signals now */ + sigdelset(omask, SIGALRM); sigprocmask(SIG_SETMASK, omask, NULL); /* no need of other inherited fds but stderr */ @@ -160,7 +171,15 @@ int main(int argc, char *argv[]) break; case SIGTERM: - kill(-1, SIGTERM); + if (!shutdown) { + shutdown = 1; + kill(-1, SIGTERM); + alarm(1); + } + break; + + case SIGALRM: + kill(-1, SIGKILL); break; default: 
@@ -175,13 +194,20 @@ int main(int argc, char *argv[]) goto out; if (errno == EINTR) continue; - ERROR(failed to wait child : %s, strerror(errno)); + + ERROR(failed to wait child : %s, + strerror(errno)); goto out; } + /* reset timer each time a process exited */ + if (shutdown) + alarm(1); + /* -* keep the exit code of started application (not wrapped pid) -* and continue to wait for the end of the orphan group. +* keep the exit code of started application +* (not wrapped pid) and continue to wait for +* the end of the orphan group. */ if ((waited_pid != pid) || (orphan ==1)) continue; -- 1.7.0.4
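Review bot: in the third hunk the three `sigdelset(&mask, SIGILL/SIGSEGV/SIGBUS)` calls are issued inside the loop that builds `act`, after `sigprocmask(SIG_SETMASK, &mask, &omask)` has already installed `mask`, and `mask` is not used again, so they change nothing: the synchronous fault signals stay blocked in lxc-init. Either move them before the `sigprocmask()` call (matching what patch 1/4 does in start.c) or, if the intent was the handler's mask, apply them to `act.sa_mask`.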
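Review bot: `alarm(1)` gives the remaining processes one second between SIGTERM and SIGKILL, re-armed on every exit; that is short for services that flush state on SIGTERM, so consider making the grace period an option of lxc-init and documenting it next to the stop behaviour. The same pid-1 guard suggested for the SIGTERM case applies to `kill(-1, SIGKILL)` in the `case SIGALRM:` branch, where a mistake is unrecoverable.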
[lxc-devel] [patch -lxc 1/4] forward signals to the container init
From: Ferenc Wagner wf...@niif.hu Signed-off-by: Ferenc Wagner wf...@niif.hu Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/start.c | 22 ++ 1 files changed, 14 insertions(+), 8 deletions(-) diff --git a/src/lxc/start.c b/src/lxc/start.c index dc57bea..92f44e3 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -195,13 +195,13 @@ static int setup_sigchld_fd(sigset_t *oldmask) sigset_t mask; int fd; - if (sigprocmask(SIG_BLOCK, NULL, mask)) { - SYSERROR(failed to get mask signal); - return -1; - } - - if (sigaddset(mask, SIGCHLD) || sigprocmask(SIG_BLOCK, mask, oldmask)) { - SYSERROR(failed to set mask signal); + /* Block everything except serious error signals */ + if (sigfillset(mask) || + sigdelset(mask, SIGILL) || + sigdelset(mask, SIGSEGV) || + sigdelset(mask, SIGBUS) || + sigprocmask(SIG_BLOCK, mask, oldmask)) { + SYSERROR(failed to set signal mask); return -1; } @@ -231,7 +231,7 @@ static int sigchld_handler(int fd, void *data, ret = read(fd, siginfo, sizeof(siginfo)); if (ret 0) { - ERROR(failed to read sigchld info); + ERROR(failed to read signal info); return -1; } @@ -240,6 +240,12 @@ static int sigchld_handler(int fd, void *data, return -1; } + if (siginfo.ssi_signo != SIGCHLD) { + kill(*pid, siginfo.ssi_signo); + INFO(forwarded signal %d to pid %d, siginfo.ssi_signo, *pid); + return 0; + } + if (siginfo.ssi_code == CLD_STOPPED || siginfo.ssi_code == CLD_CONTINUED) { INFO(container init process was stopped/continued); -- 1.7.0.4
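Review bot: with every signal blocked and forwarded in the third hunk, lxc-start itself no longer reacts to SIGTERM or SIGINT: if the container init ignores the forwarded signal, the only way to stop lxc-start is SIGKILL, which cannot be forwarded and leaves the container running unmonitored. Either document that lxc-stop is the supported path, or add a fallback (a second SIGTERM or a timeout escalating to SIGKILL of the init, as the lxc-init patches do inside the container). The return value of `kill()` is also ignored here; log it, since a failed forward is exactly the case an operator needs to know about.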
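What the forwarding in the third hunk buys, as an added example (my code, not the patch's or lxc's): a minimal lxc-start-style loop that blocks every catchable signal, reads them from a signalfd, forwards anything that is not SIGCHLD to a child standing in for the container init, and reaps the child once SIGCHLD reports that it is gone. The `demo_` names are mine; the child simply idles, and the signal is raised against our own process to stand in for the `pkill lxc-start` from the thread. The kill(-1, ...) cascade from the lxc-init patches is deliberately not reproduced, because outside a pid namespace it would signal every process of the user.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/signalfd.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not lxc code: the shape of setup_signal_fd() and
 * signal_handler() from the patch, reduced to what a test can drive. */

/* Block everything except the synchronous error signals and hand the
 * blocked set to a signalfd. Returns the descriptor, or -1. */
static int demo_setup_signal_fd(sigset_t *oldmask)
{
    sigset_t mask;

    if (sigfillset(&mask) ||
        sigdelset(&mask, SIGILL) ||
        sigdelset(&mask, SIGSEGV) ||
        sigdelset(&mask, SIGBUS) ||
        sigprocmask(SIG_BLOCK, &mask, oldmask))
        return -1;
    return signalfd(-1, &mask, SFD_CLOEXEC);
}

/* One pass of the handler. 0: signal forwarded to init (or init merely
 * stopped/continued), keep looping. 1: init terminated and was reaped,
 * *term_sig holds the signal that killed it (0 for a normal exit). -1: error. */
static int demo_signal_handler(int fd, pid_t init_pid, int *term_sig)
{
    struct signalfd_siginfo siginfo;
    int status;

    if (read(fd, &siginfo, sizeof(siginfo)) != (ssize_t)sizeof(siginfo))
        return -1;

    if (siginfo.ssi_signo != SIGCHLD) {
        /* anything aimed at us other than SIGCHLD is meant for the init */
        return kill(init_pid, siginfo.ssi_signo) ? -1 : 0;
    }
    if (siginfo.ssi_code == CLD_STOPPED || siginfo.ssi_code == CLD_CONTINUED)
        return 0;
    if (waitpid(init_pid, &status, 0) != init_pid)
        return -1;
    *term_sig = WIFSIGNALED(status) ? WTERMSIG(status) : 0;
    return 1;
}

/* Fork a child that stands in for the container init, deliver `signo` to
 * ourselves (it is blocked, so it lands on the signalfd exactly like a
 * "pkill lxc-start" would) and run the handler loop until the child is gone.
 * Returns the signal the child died from, i.e. `signo` if forwarding worked,
 * or -1 on error. Only asynchronous, catchable signals make sense here. */
int demo_forward_signal(int signo)
{
    sigset_t oldmask;
    pid_t init_pid;
    int fd, rc, term_sig = -1;

    signal(SIGCHLD, SIG_DFL);       /* make sure the child is not auto-reaped */
    fd = demo_setup_signal_fd(&oldmask);
    if (fd < 0)
        return -1;

    init_pid = fork();
    if (init_pid < 0) {
        close(fd);
        sigprocmask(SIG_SETMASK, &oldmask, NULL);
        return -1;
    }
    if (init_pid == 0) {
        /* child: drop the inherited mask so the forwarded signal takes its
         * default action (termination), then idle like an init would */
        close(fd);
        sigprocmask(SIG_SETMASK, &oldmask, NULL);
        for (;;)
            pause();
    }

    raise(signo);
    while ((rc = demo_signal_handler(fd, init_pid, &term_sig)) == 0)
        ;

    close(fd);
    sigprocmask(SIG_SETMASK, &oldmask, NULL);
    return rc < 0 ? -1 : term_sig;
}

int main(void)
{
    int got = demo_forward_signal(SIGTERM);

    printf("SIGTERM sent to us, child died from signal %d (SIGTERM is %d)\n",
           got, SIGTERM);
    return got == SIGTERM ? 0 : 1;
}
```

Because the parent never unblocks the forwarded signal, it survives the `raise()`; the child, which restored the original mask, takes the default action, and the loop ends only when the SIGCHLD for its death has been read and the child reaped.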
[lxc-devel] [GIT] lxc branch, master, updated. 6f0a42008dab87e1c97bc71319c793315f87a328
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc. The branch, master has been updated via 6f0a42008dab87e1c97bc71319c793315f87a328 (commit) via 6fd1668e7f96c15b8688a0fa955e2c10bbc4785d (commit) via 83ee787579b400ee266d41d95d13913ca47df246 (commit) via f3304a29eb234cf1e90c74f9444f4d4de98e3e3a (commit) from d1c383f39064969b647fd632f8e6614b49fd6cf2 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log - commit 6f0a42008dab87e1c97bc71319c793315f87a328 Author: Daniel Lezcano dlezc...@fr.ibm.com Date: Tue Jul 13 14:51:45 2010 +0200 lxc-init finishes the remaining processes with SIGKILL If lxc-init receives a SIGALRM, a timeout, it kills all the processes of the container with SIGKILL. That will prevent the container from being stuck when one process ignores the SIGTERM signal. Each time a process exits, the timeout is reset. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com commit 6fd1668e7f96c15b8688a0fa955e2c10bbc4785d Author: Daniel Lezcano dlezc...@fr.ibm.com Date: Tue Jul 13 14:51:45 2010 +0200 lxc-init kills all processes with SIGTERM When lxc-init receives a SIGTERM, let's kill all the processes of the pid namespace with kill -1. So the exit of the container will happen gracefully with a process death cascade. 
Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com commit 83ee787579b400ee266d41d95d13913ca47df246 Author: Ferenc Wagner wf...@niif.hu Date: Tue Jul 13 14:51:45 2010 +0200 generalize the name of the signal handler Signed-off-by: Ferenc Wagner wf...@niif.hu Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com commit f3304a29eb234cf1e90c74f9444f4d4de98e3e3a Author: Ferenc Wagner wf...@niif.hu Date: Tue Jul 13 14:51:45 2010 +0200 forward signals to the container init Signed-off-by: Ferenc Wagner wf...@niif.hu Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- Summary of changes: src/lxc/lxc_init.c | 48 ++-- src/lxc/start.c| 32 +++- 2 files changed, 61 insertions(+), 19 deletions(-) hooks/post-receive -- lxc
[lxc-devel] [GIT] lxc branch, master, updated. 1c4a945262b8d110c3f8e0655ca50cb05d383c74
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project lxc. The branch, master has been updated via 1c4a945262b8d110c3f8e0655ca50cb05d383c74 (commit) from 6f0a42008dab87e1c97bc71319c793315f87a328 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log - commit 1c4a945262b8d110c3f8e0655ca50cb05d383c74 Author: Daniel Lezcano dlezc...@fr.ibm.com Date: Mon Jul 19 16:04:41 2010 +0200 Remove dead code This function is no longer used. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- Summary of changes: src/lxc/state.c |8 1 files changed, 0 insertions(+), 8 deletions(-) hooks/post-receive -- lxc
Re: [lxc-devel] a container can remount ro the host's mount point
On 04/01/2010 06:42 AM, Michael H. Warfield wrote:
> Daniel,
>
> I'm going to top post here because I've just discovered that we've got a bigger problem here, related to this whole mess. A much bigger problem having to do with bind mounts in general.
>
> This is the generalized case here, which results from the observation that, if a host container sets its root directory to ro, then the mount point for the container in the host is set to ro. In fact, this is true of any additional bind mounts in containers!
>
> Say I have (and I do have) a couple of partitions which are shared between certain containers, say for common data (somewhat risky, but I eventually want to / hope to make them ro anyways). I was investigating the whole read-only bind mount morass when I encountered this...
>
> So in the host, I have a partition, say /export, and I bind mount that into the containers as /export in their space. Maybe I would like to eventually have this as ro in some of them, maybe not. IAC, if I do a remount in any of the containers, the changes are propagated outside of the container to the host and to all the other containers! So if I do a mount -o remount,ro /export in container A, the host and all the other containers now have /export as ro as well.
>
> There's all kinds of concern there, beyond merely the potential for mayhem by some practical joker in one container. What if I had some of these mounted ro (with the appropriate patch that was mentioned in another thread, I know you can't do it yet in the released code). Can one container accidentally remount the other containers rw? Yuck!
>
> What's worse... If I set that mount ro in the host, I damn well don't want the container to be able to remount it rw merely by doing a remount (that may be another can of worms).
>
> Just some thoughts, but this seems to be a mess and may even require some kernel work with those bind mounts to fix.
>
> This was tested on a 2.6.32 kernel.

It seems to be fixed now.

I tried the example you gave and the mount rw option is not propagated to the other containers. Tested on ubuntu 10.04, kernel 2.6.32-23-generic and lxc 0.7.1.

Do you confirm, Michael?

Thanks

-- Daniel
[lxc-devel] [GIT] lxc branch, master, updated. 7a82e9236d94619a1ad7aa6df9e2f10c81dbc344
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "lxc".

The branch, master has been updated
       via  7a82e9236d94619a1ad7aa6df9e2f10c81dbc344 (commit)
       via  00dbc43e308bcccf5b2147e7fdb37bf9ca693fdc (commit)
       via  28f602ff477f5e5e924f2b931c6034b7df9e9851 (commit)
       via  05cda563bff2433c21acf5d13c364d581c34efd6 (commit)
       via  0ed9cc8bf7e1afbb7d7f404f6265e4d3b97e (commit)
       via  7d40e69bd7fd3e9eaf120be9f749245e7f48f997 (commit)
       via  b3357a6f5b90f1e342c270de66491afc412c1cf7 (commit)
      from  1c4a945262b8d110c3f8e0655ca50cb05d383c74 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit 7a82e9236d94619a1ad7aa6df9e2f10c81dbc344
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Tue Jul 20 13:45:44 2010 +0200

    provide a script to set uid bit on cli

    Some file systems do not support the file posix capabilities. The following script sets the setuid bit root on the different cli.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 00dbc43e308bcccf5b2147e7fdb37bf9ca693fdc
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Tue Jul 20 13:45:44 2010 +0200

    fix console overwrite any file

    Prevent specifying a file not belonging to us as the output for the console.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 28f602ff477f5e5e924f2b931c6034b7df9e9851
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Tue Jul 20 13:45:44 2010 +0200

    fix log appending to any file

    With the capabilities, the open of the log file can be done on any file, making it possible to modify the content of the file. Let's drop the privilege when opening the file, so we ensure that is no longer possible.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 05cda563bff2433c21acf5d13c364d581c34efd6
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Tue Jul 20 13:45:44 2010 +0200

    move the capabilities function to caps.c

    Move the reset of the capabilities to the caps.c file and initialize correctly the capabilities for lxc-init.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 0ed9cc8bf7e1afbb7d7f404f6265e4d3b97e
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Tue Jul 20 13:45:44 2010 +0200

    initialize capabilities for lxc-start and lxc-execute

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 7d40e69bd7fd3e9eaf120be9f749245e7f48f997
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Tue Jul 20 13:45:44 2010 +0200

    add a macro to wrap a privileged function

    This macro is a helper to call a function into a [un]privileged section.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit b3357a6f5b90f1e342c270de66491afc412c1cf7
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Tue Jul 20 13:45:44 2010 +0200

    remove/restore effective capabilities

    This patch adds the functions to drop the 'effective' capabilities and restore them from the 'permitted' capabilities.

    When the command is run as 'root' we do nothing.
    When the command is run as 'lambda' user, we drop the effective capabilities.
    When the command is run as 'root' but real uid is not root, we keep the capabilities, switch to real uid, and drop the effective capabilities.

    This approach is compatible for root user, lambda + file capabilities and lambda + setuid.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---
Summary of changes:
 configure.ac                  |   1 +
 src/lxc/Makefile.am           |   6 +-
 src/lxc/caps.c                | 159 +
 src/lxc/{monitor.h => caps.h} |  47 -
 src/lxc/console.c             |  11 ++--
 src/lxc/log.c                 |   6 +-
 src/lxc/lxc-setuid.in         | 104 +++
 src/lxc/lxc_execute.c         |   5 +-
 src/lxc/lxc_init.c            |  30 ++--
 src/lxc/lxc_start.c           |   4 +
 10 files changed, 323 insertions(+), 50 deletions(-)
 create mode 100644 src/lxc/caps.c
 copy src/lxc/{monitor.h => caps.h} (53%)
 create mode 100644 src/lxc/lxc-setuid.in

hooks/post-receive
--
lxc
[lxc-devel] [patch -lxc 1/2] fix inverted network interface creation
From: Daniel Lezcano daniel.lezc...@free.fr The list is 'lifo', so when we create the network interfaces, we do this in the reverse order of the expected one. That is confusing. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/confile.c |4 ++-- src/lxc/list.h|5 + 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/src/lxc/confile.c b/src/lxc/confile.c index 127fb37..e2c015d 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -136,7 +136,7 @@ static int config_network_type(const char *key, char *value, lxc_list_init(list); list-elem = netdev; - lxc_list_add(network, list); + lxc_list_add_tail(network, list); if (!strcmp(value, veth)) netdev-type = LXC_NET_VETH; @@ -178,7 +178,7 @@ static struct lxc_netdev *network_netdev(const char *key, const char *value, return NULL; } - netdev = lxc_list_first_elem(network); + netdev = lxc_list_last_elem(network); if (!netdev) { ERROR(no network device defined for '%s' = '%s' option, key, value); diff --git a/src/lxc/list.h b/src/lxc/list.h index eb4fd13..5213e80 100644 --- a/src/lxc/list.h +++ b/src/lxc/list.h @@ -30,6 +30,11 @@ static inline void *lxc_list_first_elem(struct lxc_list *list) return list-next-elem; } +static inline void *lxc_list_last_elem(struct lxc_list *list) +{ + return list-prev-elem; +} + static inline int lxc_list_empty(struct lxc_list *list) { return list == list-next; -- 1.7.0.4 -- This SF.net email is sponsored by Sprint What will you do first with EVO, the first 4G phone? Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
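Review bot: in the list.h hunk, `lxc_list_last_elem()` returns `list->prev->elem` even for an empty list (where `list->prev == list`), so the `if (!netdev)` test that follows `lxc_list_last_elem(network)` in `network_netdev()` only detects "no device defined" if the list head's `elem` is guaranteed to be NULL. The pre-existing `lxc_list_first_elem()` has the same property, but since this patch touches the call site, testing `lxc_list_empty(network)` (already in list.h) before taking the last element would make the intent explicit and not depend on how `lxc_list_init()` initialises the head.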
[lxc-devel] [GIT] lxc branch, master, updated. e239ff31a5c442ac1d006e836bc622371842dfa0
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "lxc".

The branch, master has been updated
       via  e239ff31a5c442ac1d006e836bc622371842dfa0 (commit)
       via  96bcd56ae258e8e591c94081957a63249d3be48e (commit)
       via  6168e99d5e04aaff9981803d0c04cc682b6a (commit)
       via  7ef6e4407307b3712218e68d71090e60a2fb0815 (commit)
       via  47ed344ad13f5c5cc8e4f801085d93991552c931 (commit)
       via  c70293445742baf4f6a17ef8ab3f523640d6969c (commit)
       via  dc456e995fafae7267e993cb06e54913b76d0a13 (commit)
       via  5da9e545b50ab173bb558879e65fc734f62e7ac2 (commit)
      from  fb6d9b2f40efabe612b5eea4843cbddf5ce170cc (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit e239ff31a5c442ac1d006e836bc622371842dfa0
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Fri Jul 23 15:10:38 2010 +0200

    Fix bad returned value

    In case of error the message will be always truncated. We check the message was truncated with the total size received, which means the kernel has more info to give.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 96bcd56ae258e8e591c94081957a63249d3be48e
Author: Daniel Lezcano daniel.lezc...@free.fr
Date: Fri Jul 23 15:10:38 2010 +0200

    Don't try to remove a physical nic on error

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 6168e99d5e04aaff9981803d0c04cc682b6a
Author: Daniel Lezcano daniel.lezc...@free.fr
Date: Fri Jul 23 15:10:38 2010 +0200

    fix core dump when using physical interface

    If the physical link is not specified in the configuration the check in if_nametoindex(netdev->link) leads to a segfault. Check the link is specified.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com
    Reported-by: Ferenc Wagner wf...@niif.hu

commit 7ef6e4407307b3712218e68d71090e60a2fb0815
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Fri Jul 23 15:10:38 2010 +0200

    set rights to lxc-init

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 47ed344ad13f5c5cc8e4f801085d93991552c931
Author: Daniel Lezcano daniel.lezc...@free.fr
Date: Fri Jul 23 15:10:38 2010 +0200

    fix compilation warning

    Add missing include

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit c70293445742baf4f6a17ef8ab3f523640d6969c
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Fri Jul 23 15:10:38 2010 +0200

    initialize the capabilities for attach and unshare

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit dc456e995fafae7267e993cb06e54913b76d0a13
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Fri Jul 23 15:10:38 2010 +0200

    fix setuid to attach, create and start

    Fix the setuid bit root script.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 5da9e545b50ab173bb558879e65fc734f62e7ac2
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Fri Jul 23 15:10:38 2010 +0200

    fix lxc.spec file

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---
Summary of changes:
 lxc.spec.in           | 16 +++-
 src/lxc/conf.c        |  7 ++-
 src/lxc/lxc-setcap.in |  1 +
 src/lxc/lxc-setuid.in |  7 +++
 src/lxc/lxc_attach.c  |  5 +
 src/lxc/lxc_unshare.c | 13 +
 src/lxc/nl.c          |  8
 7 files changed, 47 insertions(+), 10 deletions(-)

hooks/post-receive
--
lxc
[lxc-devel] [GIT] lxc branch, master, updated. 9de28746a5edd2b9ba6fbd79956891ed4692e5d5
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "lxc".

The branch, master has been updated
       via  9de28746a5edd2b9ba6fbd79956891ed4692e5d5 (commit)
      from  e239ff31a5c442ac1d006e836bc622371842dfa0 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit 9de28746a5edd2b9ba6fbd79956891ed4692e5d5
Author: Michel Normand norm...@fr.ibm.com
Date: Fri Jul 23 17:17:14 2010 +0200

    avoid compile warning in src/lxc/console.c

    src/lxc/console.c:143: warning : return type defaults to 'int'

    Signed-off-by: Michel Normand norm...@fr.ibm.com
    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---
Summary of changes:
 src/lxc/console.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

hooks/post-receive
--
lxc
Re: [lxc-devel] Very slow lxc-start
On 07/25/2010 01:57 PM, Denis Rizaev wrote:
> Hi guys.
>
> In last versions of lxc lxc-start is very slow. On my system with 15 containers it gets stuck for ~20 seconds before actual container launch begins. With strace I see that it does many umounts in /mnt. Can anyone explain what happens?

lxc was not unmounting correctly all the inherited mounted points, that was fixed, so there are more umounts. But there is a regression in the kernel, I noticed the same problem with a 2.6.32-23 kernel from ubuntu.

I reported the problem to the ubuntu kernel team:

https://lists.ubuntu.com/archives/kernel-team/2010-July/011680.html

Hope that helps

-- Daniel
[lxc-devel] [GIT] lxc branch, master, updated. 547467bddbe54b7812f0df0e9c18a2e1b7091036
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "lxc".

The branch, master has been updated
       via  547467bddbe54b7812f0df0e9c18a2e1b7091036 (commit)
      from  9de28746a5edd2b9ba6fbd79956891ed4692e5d5 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit 547467bddbe54b7812f0df0e9c18a2e1b7091036
Author: Daniel Lezcano dlezc...@fr.ibm.com
Date: Mon Jul 26 11:01:20 2010 +0200

    version 0.7.2

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---
Summary of changes:
 configure.ac | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

hooks/post-receive
--
lxc
Re: [lxc-devel] cgroup isolation
On 08/27/2010 05:52 PM, Denis Rizaev wrote:
> Hi folks.
>
> I tried to mount cgroup fs in container and was surprised that I can see all cgroups tree. Also I can modify limits for my container and others!! In my opinion container should see only its own level of cgroup, not whole tree. Is it fundamental design flaw, or I missed something?

I think this is something you can prevent with SMACK. There is a documentation here:

http://www.ibm.com/developerworks/linux/library/l-lxc-security/

I am not an expert in this area, so I don't have too much to say :)
Serge (the author of the document) knows much more than me on this.

Thanks

-- Daniel
Re: [lxc-devel] Fedora 13 lxc-debian / lxc-fedora templates
On 09/02/2010 11:43 AM, v1t03k wrote:
> Hi Guys,
>
> I'm testing here right now some lxc template scripts. I have here some troubles with setting up a debian instance on Fedora 13 (2.6.34.6-47.fc13.x86_64).
>
> First, I can't setup a lenny system on my Fedora 13 host. I get these errors:
>
> I: Configuring apt...
> I: Configuring openssh-server...
> I: Configuring perl...
> I: Configuring libui-dialog-perl...
> W: Failure while configuring base packages.
> I: Configuring openssh-server...
> W: Failure while configuring base packages.
> W: Failure while configuring base packages.
> W: Failure while configuring base packages.
> W: Failure while configuring base packages.
> Failed to download the rootfs, aborting.
> Failed to download 'debian base'
> failed to install debian
> failed to execute template 'debian'
>
> But Debian squeeze is working well. I did two changes to the lxc-debian script:
> - Change line 93 to dhcpd instead of dhcp-client for lenny
> - and line 113 from lenny to squeeze release.
>
> Is it a problem of the old glibc on lenny? I can't figure out what the problem is.
>
> Second, setting up a fedora 10 VM isn't working either. I get similar errors:
>
> /bin/bash: /var/cache/lxc/fedora/partial-x86_64/lib64/libc.so.6: version `GLIBC_2.11' not found (required by /bin/bash)
> /bin/bash: /var/cache/lxc/fedora/partial-x86_64/lib64/libc.so.6: version `GLIBC_2.11' not found (required by /bin/bash)
> /usr/bin/febootstrap: line 93: 26634 Segmentation fault (core dumped) febootstrap-run $target -- rm -rf /var/cache/yum/febootstrap-updates
> Failed to download the rootfs, aborting.
> Failed to download 'fedora base'
> failed to install fedora
> failed to execute template 'fedora'
>
> I think we should move to the newest releases by the new lxc tools version.
>
> There are few things in lxc-fedora script that are not needed for setup a fedora 13 system:
> - Line 27 changed to: Fedora-13 release
> - Line 39 changed to:
>   cat <<EOF > $rootfs/etc/sysconfig/network-scripts/ifcfg-eth0
>   DEVICE=eth0
>   EOF
> - Deleted the whole section on line 56
> - Deleted all lines from 85 to 109 - kept only this one:
>   chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls plymouth*.conf); do mv $f $f.orig; done'
>
> Can anybody confirm what we really need for setting up a fedora 13 instance???

Hi Vic,

Thanks for investigating.

The major problem I see with these scripts is they work on a specific distro but not on another distro depending on the tools version. The scripts are very basic, they don't take care of the host distro version, neither the guest version (eg. the ubuntu template without any parameter to specify karmic or lucid).

There is a lot of work to do here with these scripts and perhaps a good idea would be to create first a set of containers (f11, f12, f13, f14, lucid, karmic, lenny, squeeze, opensuse, etc ...) where we can check the different template scripts will work on them and will install correctly a container.

Thanks

-- Daniel
Re: [lxc-devel] LXC-Cgroup memory controller
On 09/07/2010 05:22 PM, jorge espada wrote:
> Hi Guys
>
> I wanna know if it is possible to set up a memory controller for each container.. if so.. how can I do? any examples?
>
> Thanks

When you start a container, there is a cgroup created automatically where all the processes of the container will belong.

In order to modify a cgroup subsystem value use the lxc-cgroup -n <name> <subsys_name> <value>

For example:

lxc-cgroup -n foo memory.max_usage_in_bytes 268435456

Or specify it in the configuration file to automatically set it up when the container starts.

lxc.cgroup.memory.max_usage_in_bytes = 268435456

-- Daniel
[lxc-devel] [PATCH 2/8] use the rootfs mount point for the console
The rootfs is always located in the mount point now, let's use it. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/conf.c |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index aae52f4..7755837 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -690,10 +690,11 @@ static int setup_console(const struct lxc_rootfs *rootfs, if (!rootfs-path) return 0; - snprintf(path, sizeof(path), %s/dev/console, rootfs-path); + snprintf(path, sizeof(path), %s/dev/console, +rootfs-mount ? rootfs-mount : LXCROOTFSMOUNT); if (access(path, F_OK)) { - WARN(rootfs specified but no console found); + WARN(rootfs specified but no console found at '%s', path); return 0; } -- 1.7.0.4 -- Virtualization is moving to the mainstream and overtaking non-virtualized environment for deploying applications. Does it make network security easier or more difficult to achieve? Read this whitepaper to separate the two and get a better understanding. http://p.sf.net/sfu/hp-phase2-d2d ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
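Review bot: the `snprintf()` that now builds the console path from `rootfs->mount` still ignores its return value, so an `lxc.rootfs.mount` value long enough to overflow `path` is silently truncated and the following `access()` tests a different file than intended; treat a result `>= sizeof(path)` as an error ("path is too long"), as the utmp code in this series does against MAXPATHLEN, rather than warning about the wrong path.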
[lxc-devel] [PATCH 3/8] use the rootfs mount point for the tty's
The rootfs is always located in rootfs-mount, let's use it for the tty. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/conf.c |5 - 1 files changed, 4 insertions(+), 1 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 7755837..3da522f 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -386,12 +386,15 @@ static int setup_tty(const struct lxc_rootfs *rootfs, char path[MAXPATHLEN]; int i; + if (!rootfs-path) + return 0; + for (i = 0; i tty_info-nbtty; i++) { struct lxc_pty_info *pty_info = tty_info-pty_info[i]; snprintf(path, sizeof(path), %s/dev/tty%d, -rootfs-path ? rootfs-path : , i + 1); +rootfs-mount ? rootfs-mount : LXCROOTFSMOUNT, i + 1); /* At this point I can not use the access function * to check the file is present or not because it fails -- 1.7.0.4 -- Virtualization is moving to the mainstream and overtaking non-virtualized environment for deploying applications. Does it make network security easier or more difficult to achieve? Read this whitepaper to separate the two and get a better understanding. http://p.sf.net/sfu/hp-phase2-d2d ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
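Review bot: the new `if (!rootfs->path) return 0;` at the top of `setup_tty()` is a behaviour change the commit message does not mention: the old code fell back to an empty prefix and built `/dev/ttyN` paths on the host when no rootfs was configured, whereas tty setup is now skipped entirely for such containers. Please state that in the message (and in the lxc.conf documentation if `lxc.tty` was documented as usable without `lxc.rootfs`), so users of that combination are not surprised when the option silently stops doing anything.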
[lxc-devel] [PATCH 1/8] mount the rootfs to the mount directory first
Split the rootfs setup by mounting the rootfs to the mount point. This mount point will be used as the facto place where the rootfs is placed. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/conf.c | 28 +--- 1 files changed, 21 insertions(+), 7 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 8cb8e20..aae52f4 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -593,14 +593,11 @@ static int setup_rootfs_pivot_root(const char *rootfs, const char *pivotdir) static int setup_rootfs(const struct lxc_rootfs *rootfs) { - char *mpath = LXCROOTFSMOUNT; + char *mpath = rootfs-mount ? rootfs-mount : LXCROOTFSMOUNT; if (!rootfs-path) return 0; - if (rootfs-mount) - mpath = rootfs-mount; - if (access(mpath, F_OK)) { SYSERROR(failed to access to '%s', check it is present, mpath); @@ -614,11 +611,23 @@ static int setup_rootfs(const struct lxc_rootfs *rootfs) DEBUG(mounted '%s' on '%s', rootfs-path, mpath); + return 0; +} + +int setup_pivot_root(const struct lxc_rootfs *rootfs) +{ + char *mpath = rootfs-mount ? rootfs-mount : LXCROOTFSMOUNT; + + if (!rootfs-path) + return 0; + if (setup_rootfs_pivot_root(mpath, rootfs-pivot)) { ERROR(failed to setup pivot root); return -1; } + DEBUG(pivot rooted to '%s', mpath); + return 0; } @@ -1457,8 +1466,8 @@ int lxc_setup(const char *name, struct lxc_conf *lxc_conf) return -1; } - if (setup_cgroup(name, lxc_conf-cgroup)) { - ERROR(failed to setup the cgroups for '%s', name); + if (setup_rootfs(lxc_conf-rootfs)) { + ERROR(failed to setup rootfs for '%s', name); return -1; } @@ -1472,6 +1481,11 @@ int lxc_setup(const char *name, struct lxc_conf *lxc_conf) return -1; } + if (setup_cgroup(name, lxc_conf-cgroup)) { + ERROR(failed to setup the cgroups for '%s', name); + return -1; + } + if (setup_console(lxc_conf-rootfs, lxc_conf-console)) { ERROR(failed to setup the console for '%s', name); return -1; 
@@ -1482,7 +1496,7 @@ int lxc_setup(const char *name, struct lxc_conf *lxc_conf) return -1; } - if (setup_rootfs(lxc_conf-rootfs)) { + if (setup_pivot_root(lxc_conf-rootfs)) { ERROR(failed to set rootfs for '%s', name); return -1; } -- 1.7.0.4 -- Virtualization is moving to the mainstream and overtaking non-virtualized environment for deploying applications. Does it make network security easier or more difficult to achieve? Read this whitepaper to separate the two and get a better understanding. http://p.sf.net/sfu/hp-phase2-d2d ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
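Review bot: `setup_pivot_root()` is added as a non-static function, but the patch adds no prototype to conf.h; if it is meant to be called from outside conf.c it needs a declaration there next to `lxc_setup()`, and if it is only used inside conf.c it should stay `static` like `setup_rootfs()` so `-Wmissing-prototypes` does not complain and the symbol is not exported by accident.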
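Review bot: the hunk that moves `setup_cgroup()` from before the rootfs mount to after `setup_console()` reorders container setup without the commit message saying why; since a cgroup failure now happens after the rootfs has already been bind-mounted, please document the reason for the new order (and whether anything in between relies on the cgroup not yet existing) so the ordering is not "fixed" back by a later cleanup.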
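Review bot: in the final `lxc_setup()` hunk the error message `failed to set rootfs for '%s'` now reports a `setup_pivot_root()` failure while the earlier hunk logs `failed to setup rootfs for '%s'` for the mount step, so the two failures are indistinguishable in the log; change the last one to say "failed to pivot root for '%s'".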
[lxc-devel] [PATCH 5/8] Use container's proc to setup the utmp watching
The rootfs/var/run/utmp is located in: /proc/containerinit/root/var/run/utmp, let's use it. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/utmp.c | 30 +++--- 1 files changed, 19 insertions(+), 11 deletions(-) diff --git a/src/lxc/utmp.c b/src/lxc/utmp.c index dca9d72..e6249ce 100644 --- a/src/lxc/utmp.c +++ b/src/lxc/utmp.c @@ -82,8 +82,10 @@ static int utmp_handler(int fd, void *data, struct lxc_epoll_descr *descr) struct lxc_utmp *utmp_data = (struct lxc_utmp *)data; - /* we're monitoring a directory. ie-name is not included in sizeof(struct inotify_event) -* if we don't read it all at once, read gives us EINVAL, so we read and cast to struct ie + /* +* we're monitoring a directory. ie-name is not included in +* sizeof(struct inotify_event) if we don't read it all at once, +* read gives us EINVAL, so we read and cast to struct ie */ char buffer[MAXPATHLEN]; @@ -100,7 +102,13 @@ static int utmp_handler(int fd, void *data, struct lxc_epoll_descr *descr) ie = (struct inotify_event *)buffer; if (ie-len = 0) { - SYSERROR(inotify event with no name); + + if (ie-mask IN_UNMOUNT) { + DEBUG(watched directory removed); + goto out; + } + + SYSERROR(inotify event with no name (mask %d), ie-mask); return -1; } @@ -161,10 +169,9 @@ static int utmp_get_runlevel(struct lxc_utmp *utmp_data) struct utmpx *utmpx; char path[MAXPATHLEN]; struct lxc_handler *handler = utmp_data-handler; - struct lxc_conf *conf = handler-conf; - if (snprintf(path, MAXPATHLEN, %s/var/run/utmp, conf-rootfs.path) - MAXPATHLEN) { + if (snprintf(path, MAXPATHLEN, /proc/%d/root/var/run/utmp, +handler-pid) MAXPATHLEN) { ERROR(path is too long); return -1; } 
@@ -211,19 +218,20 @@ static int utmp_get_ntasks(struct lxc_handler *handler) int lxc_utmp_mainloop_add(struct lxc_epoll_descr *descr, struct lxc_handler *handler) { - struct lxc_conf *conf = handler-conf; char path[MAXPATHLEN]; int fd, wd; struct lxc_utmp *utmp_data; + struct lxc_conf *conf = handler-conf; if (!conf-rootfs.path) return 0; - /* We set up a watch for the /var/run directory. We're only interested in -* utmp at the moment, but want to watch for delete and create events as well. + /* We set up a watch for the /var/run directory. We're only interested +* in utmp at the moment, but want to watch for delete and create +* events as well. */ - if (snprintf(path, MAXPATHLEN, %s/var/run, conf-rootfs.path) - MAXPATHLEN) { + if (snprintf(path, MAXPATHLEN, /proc/%d/root/var/run, +handler-pid) MAXPATHLEN) { ERROR(path is too long); return -1; } -- 1.7.0.4 -- Virtualization is moving to the mainstream and overtaking non-virtualized environment for deploying applications. Does it make network security easier or more difficult to achieve? Read this whitepaper to separate the two and get a better understanding. http://p.sf.net/sfu/hp-phase2-d2d ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
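Review bot: in the `utmp_handler()` hunk, `SYSERROR("inotify event with no name (mask %d)", ie->mask)` formats the `uint32_t` mask with `%d`; use `%u` or, since it is a bit mask, `%x`, so the value prints correctly and `-Wformat` stays quiet. The `goto out` taken on `IN_UNMOUNT` also relies on an `out` label that is outside this hunk's context; confirm it exists and that jumping there releases whatever the function has acquired by that point.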
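Review bot: the `/proc/%d/root/var/run/utmp` and `/proc/%d/root/var/run` paths in the `utmp_get_runlevel()` and `lxc_utmp_mainloop_add()` hunks are opened by lxc-start on the host side, so an absolute symlink the container places under its `var/run` is resolved against the host's root, exactly as with the old `%s/var/run/utmp` built from `conf->rootfs.path`. The patch is therefore no worse than before, but since the file now explicitly lives in a tree the container controls, a comment saying so where the path is built, plus a check that the opened file is a regular file rather than a symlink, would document and contain that trust boundary.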
[lxc-devel] [PATCH 6/8] Don't display an error in lxc_file_for_each_line
Don't display an error when the callback returns an error different from zero. A value greater than zero may means stop. Let's the caller to check the error. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/parse.c |4 +--- 1 files changed, 1 insertions(+), 3 deletions(-) diff --git a/src/lxc/parse.c b/src/lxc/parse.c index ee6b5de..10510c9 100644 --- a/src/lxc/parse.c +++ b/src/lxc/parse.c @@ -81,10 +81,8 @@ int lxc_file_for_each_line(const char *file, lxc_file_cb callback, void *data) while (getline(line, len, f) != -1) { err = callback(line, data); - if (err) { - ERROR(failed to process '%s', line); + if (err) break; - } } if (line) -- 1.7.0.4 -- Virtualization is moving to the mainstream and overtaking non-virtualized environment for deploying applications. Does it make network security easier or more difficult to achieve? Read this whitepaper to separate the two and get a better understanding. http://p.sf.net/sfu/hp-phase2-d2d ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
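Review bot: with the `ERROR()` removed from `lxc_file_for_each_line()`, the convention the commit message describes (callback returns a positive value to stop, negative on error) exists only in the message; record it in the comment on the `lxc_file_cb` typedef, and check that existing callers log their own failure, otherwise this change silently drops the only diagnostic a user gets for a bad line in a config or fstab file.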
[lxc-devel] [PATCH 4/8] Initialize default mount point
Let's initialize rootfs-mount to LXCROOTFSMOUNT. The value will be overwritten by the configuration in case it is specified. That will make the code nicer, instead of the ugly rootfs-mount checks. Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/conf.c | 27 +++ 1 files changed, 11 insertions(+), 16 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 3da522f..dac5b45 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -394,7 +394,7 @@ static int setup_tty(const struct lxc_rootfs *rootfs, struct lxc_pty_info *pty_info = tty_info-pty_info[i]; snprintf(path, sizeof(path), %s/dev/tty%d, -rootfs-mount ? rootfs-mount : LXCROOTFSMOUNT, i + 1); +rootfs-mount, i + 1); /* At this point I can not use the access function * to check the file is present or not because it fails 
@@ -589,47 +589,42 @@ static int setup_rootfs_pivot_root(const char *rootfs, const char *pivotdir) if (remove_pivotdir rmdir(pivotdir)) WARN(can't remove mountpoint '%s': %m, pivotdir); - INFO(pivoted to '%s', rootfs); - return 0; } static int setup_rootfs(const struct lxc_rootfs *rootfs) { - char *mpath = rootfs-mount ? rootfs-mount : LXCROOTFSMOUNT; - if (!rootfs-path) return 0; - if (access(mpath, F_OK)) { + if (access(rootfs-mount, F_OK)) { SYSERROR(failed to access to '%s', check it is present, -mpath); +rootfs-mount); return -1; } - if (mount(rootfs-path, mpath, none, MS_BIND|MS_REC, NULL)) { - SYSERROR(failed to mount '%s'-'%s', rootfs-path, mpath); + if (mount(rootfs-path, rootfs-mount, none, MS_BIND|MS_REC, NULL)) { + SYSERROR(failed to mount '%s'-'%s', +rootfs-path, rootfs-mount); return -1; } - DEBUG(mounted '%s' on '%s', rootfs-path, mpath); + DEBUG(mounted '%s' on '%s', rootfs-path, rootfs-mount); return 0; } int setup_pivot_root(const struct lxc_rootfs *rootfs) { - char *mpath = rootfs-mount ? rootfs-mount : LXCROOTFSMOUNT; - if (!rootfs-path) return 0; - if (setup_rootfs_pivot_root(mpath, rootfs-pivot)) { + if (setup_rootfs_pivot_root(rootfs-mount, rootfs-pivot)) { ERROR(failed to setup pivot root); return -1; } - DEBUG(pivot rooted to '%s', mpath); + DEBUG(pivot rooted to '%s', rootfs-mount); return 0; } @@ -693,8 +688,7 @@ static int setup_console(const struct lxc_rootfs *rootfs, if (!rootfs-path) return 0; - snprintf(path, sizeof(path), %s/dev/console, -rootfs-mount ? rootfs-mount : LXCROOTFSMOUNT); + snprintf(path, sizeof(path), %s/dev/console, rootfs-mount); if (access(path, F_OK)) { WARN(rootfs specified but no console found at '%s', path); 
@@ -1160,6 +1154,7 @@ struct lxc_conf *lxc_conf_init(void) new-console.master = -1; new-console.slave = -1; new-console.name[0] = '\0'; + new-rootfs.mount = LXCROOTFSMOUNT; lxc_list_init(new-cgroup); lxc_list_init(new-network); lxc_list_init(new-mount_list); -- 1.7.0.4 -- Virtualization is moving to the mainstream and overtaking non-virtualized environment for deploying applications. Does it make network security easier or more difficult to achieve? Read this whitepaper to separate the two and get a better understanding. http://p.sf.net/sfu/hp-phase2-d2d ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
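Review bot: the @@ -589 hunk also deletes `INFO(pivoted to '%s', rootfs)` from setup_rootfs_pivot_root, a change unrelated to replacing the rootfs->mount fallback and not mentioned in the commit message; either keep that log line or state the removal in the description so the cleanup stays reviewable. While the access() message in setup_rootfs is being touched anyway, `failed to access to '%s', check it is present` should read `failed to access '%s', check it is present`.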
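Review bot: in the @@ -1160 hunk `new->rootfs.mount = LXCROOTFSMOUNT` points the default at a string literal, and the configuration path that overrides it (whatever parses lxc.rootfs.mount) is not part of this diff; please confirm that code never free()s the previous value before storing the user's string, since the first override would otherwise free static storage. A short comment at the assignment saying the default is not heap-allocated would make that expectation visible to the next reader.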
Re: [lxc-devel] Erroneous cgroup is not mounted when using cgconfig (libcgroup)
On 10/03/2010 05:06 PM, Ward, David - 0663 - MITLL wrote:
> The 'cgconfig' tool from libcgroup (http://libcg.sourceforge.net) can be used to mount one or more instances of the cgroup virtual filesystem, instead of using the 'mount' command. However, cgconfig does not update /etc/mtab, although the mounted cgroup filesystems do appear in /proc/mounts. (I am using Fedora 13.)
>
> Since lxc commands such as 'lxc-execute' just search /etc/mtab to see if any cgroup filesystem is mounted, this causes them to fail with "cgroup is not mounted", even though this is not the case.
>
> It seems to me that either:
> 1) cgconfig should update /etc/mtab, or
> 2) lxc should search /proc/mounts instead of /etc/mtab (change one line in src/lxc/cgroup.c)
>
> Which is the correct solution?

The /etc/mtab belongs to the 'mount' command. I don't know libcg well but I don't think it should mount the cgroup. That should be up to the package's post-install script to add the mount point in the fstab and let the system do its job when it starts. That does not prevent cgconfig from updating the fstab instead of mounting things behind the administrator's back. As the location of the fstab can be different depending on the distro, it would make sense to have the distro package script update the fstab ...

Solution (2) is correct because /etc/mtab is less reliable than /proc/mounts.

Thanks
  -- Daniel
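A worked version of solution (2), added here as an example and not taken from lxc's src/lxc/cgroup.c: look a mounted filesystem up by type with getmntent(3) over a table in /proc/mounts format. The two tables are constructed to reproduce David's report (cgroup visible in /proc/mounts, absent from a stale /etc/mtab); the function and variable names are mine, and on a real host the FILE* would come from setmntent("/proc/mounts", "r").

```c
/* Added example, not lxc's own code: find a mount by filesystem type with
 * getmntent(3).  The sample tables below are constructed for the demo. */
#include <mntent.h>
#include <stdio.h>
#include <string.h>

/* Scan the mount table on 'fp' from the start for the first entry whose
 * filesystem type equals 'fstype'.  On success copy its mount point into
 * 'out' and return 1; return 0 when no such mount exists.  Caller owns fp. */
int find_mount_by_type(FILE *fp, const char *fstype, char *out, size_t outlen)
{
    struct mntent *ent;

    rewind(fp);
    while ((ent = getmntent(fp)) != NULL) {
        if (strcmp(ent->mnt_type, fstype) == 0) {
            snprintf(out, outlen, "%s", ent->mnt_dir);
            return 1;
        }
    }
    return 0;
}

/* Constructed sample tables (fsname dir type opts freq passno): cgconfig
 * mounted cgroup, /proc/mounts shows it, /etc/mtab never learned about it. */
static const char sample_proc_mounts[] =
    "rootfs / rootfs rw 0 0\n"
    "proc /proc proc rw,relatime 0 0\n"
    "cgroup /cgroup/cpuset cgroup rw,relatime,cpuset 0 0\n"
    "tmpfs /tmp tmpfs rw,size=200m 0 0\n";

static const char sample_etc_mtab[] =
    "rootfs / rootfs rw 0 0\n"
    "proc /proc proc rw,relatime 0 0\n"
    "tmpfs /tmp tmpfs rw,size=200m 0 0\n";

/* Load a table string into a temporary FILE* that getmntent can parse. */
static FILE *table_from_string(const char *text)
{
    FILE *fp = tmpfile();

    if (fp && (fputs(text, fp) == EOF || fflush(fp) != 0)) {
        fclose(fp);
        return NULL;
    }
    if (fp)
        rewind(fp);
    return fp;
}

static char found_dir[256];

/* Returns 1 when the cgroup mount is present in the /proc/mounts-style table
 * but absent from the /etc/mtab-style one (the reported failure), 0 when the
 * two tables agree, -1 if the sample tables could not be loaded. */
int demo_cgroup_lookup(void)
{
    FILE *pm = table_from_string(sample_proc_mounts);
    FILE *mt = table_from_string(sample_etc_mtab);
    int in_mtab, in_proc;

    if (!pm || !mt) {
        if (pm) fclose(pm);
        if (mt) fclose(mt);
        return -1;
    }
    in_mtab = find_mount_by_type(mt, "cgroup", found_dir, sizeof(found_dir));
    in_proc = find_mount_by_type(pm, "cgroup", found_dir, sizeof(found_dir));
    fclose(pm);
    fclose(mt);
    return in_proc && !in_mtab;
}

/* Mount point recorded by the last successful demo_cgroup_lookup(). */
const char *demo_cgroup_mountpoint(void)
{
    return found_dir;
}

int main(void)
{
    if (demo_cgroup_lookup() == 1)
        printf("cgroup at %s: in /proc/mounts, missing from /etc/mtab\n",
               demo_cgroup_mountpoint());
    else
        printf("tables agree or could not be read\n");
    return 0;
}
```

The lookup keys on the filesystem type rather than on the mount point name, since cgconfig may mount the hierarchy anywhere; a tool that only consults /etc/mtab would report "cgroup is not mounted" for the first table above even though the kernel has the mount.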
Re: [lxc-devel] Commits not showing up in git?
On 10/04/2010 08:49 PM, Scott Bronson wrote:
> Hi, this commit and about 8 others haven't shown up in SourceForge's git tree.
>
> http://lxc.git.sourceforge.net/git/gitweb.cgi?p=lxc/lxc;a=summary
>
> Is there another git tree that the project is using?

No, I am just waiting a bit in case there are comments about these patches before pushing them. I will do that in a moment.

  -- Daniel
[lxc-devel] [GIT] lxc branch, master, updated. 49d3e78dceea24fcdd09529d1c748b69e19ef63f
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "lxc".

The branch, master has been updated
       via  49d3e78dceea24fcdd09529d1c748b69e19ef63f (commit)
       via  a6afdde95c98310c8e947327685a51508743a23a (commit)
       via  b57c2211ebd3a6035a46d357f5849fcc42b03f6c (commit)
       via  75b08dddec3803d313f48bedcfe91737dcf4239a (commit)
       via  599916790a66ccab899b1871051c59f54a4dce05 (commit)
       via  12297168e977151f5d8d2070adc0ef5a2352bbb5 (commit)
       via  bc9bd0e31e1ceebd93316a6e3bb9817ed728a74a (commit)
       via  466978b083462faa77791aff566a648b51e39d31 (commit)
       via  ac7787080cb77e0532c1ac27fe106873628f494f (commit)
      from  2a7c16dc03c36473717bbaccd302856bea559740 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit 49d3e78dceea24fcdd09529d1c748b69e19ef63f
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Tue Oct 5 10:28:31 2010 +0200

    update the lxc.conf man page

    Update the man page regarding the image or block device supported as a rootfs.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit a6afdde95c98310c8e947327685a51508743a23a
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Sun Oct 3 23:09:36 2010 +0200

    allow to specify an image or a block device as rootfs

    This patch allows to specify an image or a block device. The image or the block device is mounted on rootfs->mount.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit b57c2211ebd3a6035a46d357f5849fcc42b03f6c
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Sun Oct 3 23:09:36 2010 +0200

    add rootfs mount dir variable to pkg-config

    In the case we use an image for rootfs, if we need to do extra mounts from the host to the rootfs, we have to specify the place where the image is mounted. This value is configured by the user with lxc.rootfs.mount, otherwise defaulting to @lxcrootfsmo...@.

    Let's export this variable to pkg-config, so the user can use it to build a correct path to the rootfs.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 75b08dddec3803d313f48bedcfe91737dcf4239a
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Sun Oct 3 23:09:36 2010 +0200

    Don't display an error in lxc_file_for_each_line

    Don't display an error when the callback returns an error different from zero. A value greater than zero may mean stop. Let the caller check the error.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 599916790a66ccab899b1871051c59f54a4dce05
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Sun Oct 3 23:09:35 2010 +0200

    Use container's proc to setup the utmp watching

    The rootfs/var/run/utmp is located in: /proc/containerinit/root/var/run/utmp, let's use it.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 12297168e977151f5d8d2070adc0ef5a2352bbb5
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Sun Oct 3 23:09:35 2010 +0200

    Initialize default mount point

    Let's initialize rootfs->mount to LXCROOTFSMOUNT. The value will be overwritten by the configuration in case it is specified. That will make the code nicer, instead of the ugly rootfs->mount checks.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit bc9bd0e31e1ceebd93316a6e3bb9817ed728a74a
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Sun Oct 3 23:09:35 2010 +0200

    use the rootfs mount point for the tty's

    The rootfs is always located in rootfs->mount, let's use it for the tty.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 466978b083462faa77791aff566a648b51e39d31
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Sun Oct 3 23:09:35 2010 +0200

    use the rootfs mount point for the console

    The rootfs is always located in the mount point now, let's use it.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit ac7787080cb77e0532c1ac27fe106873628f494f
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Sun Oct 3 23:09:35 2010 +0200

    mount the rootfs to the mount directory first

    Split the rootfs setup by mounting the rootfs to the mount point. This mount point will be used as the facto place where the rootfs is placed.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---

Summary of changes:
 doc/lxc.conf.sgml.in |   15 ++-
 lxc.pc.in            |    1 +
 src/lxc/conf.c       |  264 ++
 src/lxc/parse.c      |    4 +-
 src/lxc/utmp.c       |   30 --
 5 files changed, 191 insertions(+), 123
Re: [lxc-devel] [PATCH] add lxc.network.veth.script configuration hook
On 10/07/2010 09:30 AM, Stefan Tomanek wrote: This commit adds an lxc.network.veth.script configuration option to specify a script to be executed after creating or configuring the pair of veth devices. The name of the host sided device is passed as first argument, so the script can be used to configures routes or firewall rules related to the container. --- Hi Stefan, Thanks for your patch. Adding some possibility to hook the configuration with scripts is a good idea. I think your patch is too focused on a specific desired feature. As Michael suggested, a generic option could be used for each network section, not a veth specific one. As you pointed, you need to run the script from the instanciate_veth because it is the only place where the name is used. I suggest you add a lxc.network.script section where it will be called from each instanciate_* Depending of the function you will pass the parameters making sense for the script. The function prototype could be with va_args: static int run_script(const char *name, const char *section, const char *script, ...) { ... execl(script, args, VA_ARGS); ... } The script should receive always the two parameters: $1 : container name $2 : configuration section : network, pts, etc ... And the optional parameters depending of the hooks caller: In your case: $3 : network type veth, ... $4 : network link $5 : guest ifname $6 : host ifname (in case of veth) If you can respin your patch to follow that way, that will be nice and will open the door for more hooks. But no need to implement more than what you need :) A few comments below: src/lxc/conf.c| 30 ++ src/lxc/conf.h| 12 +++- src/lxc/confile.c | 20 3 files changed, 57 insertions(+), 5 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index adfe862..be12499 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -29,6 +29,7 @@ #includedirent.h #includemntent.h #includeunistd.h +#includesys/wait.h #includepty.h #includesys/types.h 
@@ -1061,6 +1062,26 @@ static int setup_ipv6_addr(struct lxc_list *ip, int ifindex) return 0; } +static int run_network_script(char *script, const char *ifname) +{ + INFO(Executing network script '%s' for interface '%s', script, ifname); + int pid = fork(); + if (pid 0) { + ERROR(Error forking); + } else if (pid == 0) { + // child use the /* */ format to conform to the Coding Style please. + execl(script, script, ifname, (char *) NULL); A SYSERROR log will help the user to understand why it's script was not execed. + // if an error occurs, we terminate + exit(1); + } else { + // parent + int status = 0; + waitpid( pid,status, 0 ); Hmm, I am wondering if the return value shouldn't be checked here, especially for the eintr. + return status; Do we assume the script returns always 0 on success ? and we don't care about the WIFSIGNALED, ... ? + } + return 1; +} + static int setup_netdev(struct lxc_netdev *netdev) { char ifname[IFNAMSIZ]; @@ -1267,6 +1288,15 @@ static int instanciate_veth(struct lxc_netdev *netdev) } } + if (netdev-vethscript) { + err = run_network_script(netdev-vethscript, veth1); + if (err) { + ERROR(failed to run script '%s' for interface '%s', + veth1, netdev-vethscript); + goto out_delete; + } + } + DEBUG(instanciated veth '%s/%s', index is '%d', veth1, veth2, netdev-ifindex); diff --git a/src/lxc/conf.h b/src/lxc/conf.h index b12a346..23cf9f8 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h 
@@ -94,11 +94,12 @@ union netdev_p { /* * Defines a structure to configure a network device - * @link : lxc.network.link, name of bridge or host iface to attach if any - * @name : lxc.network.name, name of iface on the container side - * @flags : flag of the network device (IFF_UP, ... ) - * @ipv4 : a list of ipv4 addresses to be set on the network device - * @ipv6 : a list of ipv6 addresses to be set on the network device + * @link : lxc.network.link, name of bridge or host iface to attach if any + * @name : lxc.network.name, name of iface on the container side + * @flags : flag of the network device (IFF_UP, ... ) + * @ipv4 : a list of ipv4 addresses to be set on the network device + * @ipv6 : a list of ipv6 addresses to be set on the network device + * @vethscript : a script filename to be executed on veth configuration */ struct lxc_netdev { int type; @@ -111,6 +112,7 @@ struct lxc_netdev { union netdev_p priv; struct lxc_list
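Review bot: in the @@ -1061,6 hunk the child calls `exit(1)` when `execl` fails; a forked child that never exec'd still shares the parent's stdio buffers and atexit handlers, so `_exit(1)` is the right call there to avoid flushing the parent's pending log output a second time. The fork-failure branch logs `Error forking` and falls through to `return 1`, which does signal the error, but logging it with SYSERROR (as suggested for the exec failure) would record errno for both failure paths consistently.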
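Review bot: in the @@ -1267,6 hunk the ERROR call has its arguments in the wrong order: the format is `failed to run script '%s' for interface '%s'` but the arguments are `veth1, netdev->vethscript`, so the message prints the interface name where the script path belongs and vice versa. Swap them to `netdev->vethscript, veth1`.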
Re: [lxc-devel] [PATCH] add lxc.network.veth.script configuration hook
On 10/07/2010 03:06 PM, Stefan Tomanek wrote:
> Daniel Lezcano (daniel.lezc...@free.fr) wrote:
>> * lxc.network.script.pre:
>>
>> IMO, it does not make sense because that means it is the host itself which should be modified, so that falls under the host network configuration umbrella => administrator job :P
>
> I cannot think of a fitting example, but I'd like to point at Debian's /etc/network/interfaces that has an even wider variety of hooks:
>
> pre-up
> up
> post-up
> pre-down
> down
> post-down
>
> And all of them are useful in one way or another :-)
>
>> * lxc.network.script.create
>>
>> Ok
>>
>> * lxc.network.script.post
>>
>> Do you have an example of a use case. Does it hurt if we 'merge' the 'post' and 'create' hooks and put the 'create' right after the virtual devices are created ? If it is done before, it will fall in the same 'pre' hook case, no ?
>
> The post script can be generic for all types of network configuration, while script.create is highly dependent on the type of network setup.

Ok, I will play a bit with your patchset when it is ready to check that there is not something we missed.

>> PS: No need to CC every message to me, that way, mutt does not recognize the mailing list and makes responding awkward :-)
>
> Oh, sure. I am so used to reply-all, I can not guarantee that won't happen again :)

  -- Daniel
Re: [lxc-devel] [PATCH] add lxc.network.script(.pre|.post|) configuration hooks
On 10/08/2010 05:13 PM, Michael Tokarev wrote:
> Stefan Tomanek wrote:
>> Daniel Lezcano (daniel.lezc...@free.fr) wrote:
>>> Are we sure we want to add these hooks (pre and post) ? I am not against adding them, but IMO it is more sane to add them if needed rather than adding something which may not be used.
>>
>> Well, until now, there was not a single hook, although I desperately needed one. And there are probably people out there who might use these hooks and are not able to add them for themselves.
>>
>>> Wouldn't it be preferable to have these two hooks:
>>>
>>> lxc.network.script.up
>>> lxc.network.script.down
>>>
>>> (script parameter will need 'name', 'conf section' 'up' | 'down' ...
>>
>> I still advise to split the hooks into generic ones and those specific to the network type. The parameters passed to a script configuring a veth device will be completely different than those passed to a macvlan device; generic commands can then be placed in a different script, while special commands can be handled in specific scripts.
>>
>>> Note that the script may receive other parameters, depending on the type of the network device, just the first 3 are fixed.
>
> There's also $ENVIRONMENT $VARIABLES for us.
>
>> I'd at least propose to use two hooks for setting up the interface, one being called in instanciate_* (.up?), passing the arguments suitable to that network type, as well as one generic (.post-up?)
>
> If there's a need, the specific script may call some common code/script by its own, or the reverse. There's no need to do that in lxc. Or if we do, how about adding a _set_ of scripts for each stage ? :)
>
>>> If there is a need for a pre or post hook, we can easily add later:
>>
>> Sure, _we_ probably can, but not the person who might need the patch. There are quite many sysadmins who are masters at shell scripting, but are unable to add such a hook to a C codebase. Not being able to extend the system in an easy fashion would be a huge show stopper for them, just as the lack of scripting was to me.

I am not a sysadmin, maybe you are right, having the hooks available is good, but I am still not convinced they are needed. I am heavily using kvm, and with the two scripts qemu-ifup and qemu-ifdown I am quite happy :) Anything to be done before or after falls in /etc/network/interfaces.

> There IS a trivial way to extend the system already (when just ONE hook is implemented) - chain your scripts. There's no need to re-implement shell in lxc.

Michael, I am not sure I get the idea. Can you elaborate a bit ? In our case, we need the veth name which is available in instanciate_veth, no ?
[lxc-devel] [PATCH 1/2] fix Coding Style
Fix the coding style, 80 chars lines, etc ... Fix indentation blocks if ... then ... else ... fi Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com --- src/lxc/conf.c | 78 1 files changed, 39 insertions(+), 39 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 4f1b46c..87d3265 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c 
@@ -186,51 +186,61 @@ static struct caps_opt caps_opt[] = { { mac_admin, CAP_MAC_ADMIN }, }; -static int run_script(const char *name, const char *section, const char *script, ...) +static int run_script(const char *name, const char *section, + const char *script, ...) { va_list argp; int vargc = 4; + int status = 0; + /* count variable arguments and add 4 for script, container * and section name as well as the terminating NULL */ va_start(argp, script); while (va_arg(argp, char*)) vargc++; va_end(argp); - INFO(Executing script '%s' for container '%s', config section '%s', script, name, section); + + INFO(Executing script '%s' for container '%s', config section '%s', +script, name, section); int pid = fork(); if (pid 0) { ERROR(Error forking); - } else if (pid == 0) { + return -1; + } + +if (pid == 0) { + /* prepare command line arguments */ char *args[vargc]; int i; args[0] = strdup(script); args[1] = strdup(name); args[2] = strdup(section); + va_start(argp, script); - for (i=3; ivargc; i++) { + for (i = 3; i vargc; i++) args[i] = va_arg(argp, char*); - } va_end(argp); + args[vargc-1] = (char*) NULL; execv(script, args); /* if we cannot exec, we exit this fork */ - SYSERROR(Failed to execute script '%s' for container '%s': %s, script, name, strerror(errno)); + SYSERROR(Failed to execute script '%s' for container '%s': %s, +script, name); exit(1); - } else { - int status = 0; - waitpid( pid, status, 0 ); - if (status != 0) { - /* something weird happened */ - SYSERROR(Script '%s' terminated with non-zero exitcode %d, name, status); - return -1; - } else { - return 0; /* all is well */ - } } - return -1; + + waitpid(pid, status, 0); + if (status != 0) { + /* something weird happened */ + SYSERROR(Script '%s' terminated with non-zero exitcode %d, +name, status); + return -1; + } + + return 0; } static int find_fstype_cb(char* buffer, void *data) 
@@ -1317,13 +1327,10 @@ static int instanciate_veth(struct lxc_handler *handler, struct lxc_netdev *netd } if (netdev-upscript) { - err = run_script(handler-name, net, netdev-upscript, up, veth, -veth1, (char*) NULL); - if (err) { - ERROR(Failed to run script '%s' for container '%s' and interface '%s', - netdev-upscript, handler-name, veth1); + err = run_script(handler-name, net, netdev-upscript, up, +veth, veth1, (char*) NULL); + if (err) goto out_delete; - } } DEBUG(instanciated veth '%s/%s', index is '%d', @@ -1370,13 +1377,10 @@ static int instanciate_macvlan(struct lxc_handler *handler, struct lxc_netdev *n } if (netdev-upscript) { - err = run_script(handler-name, net, netdev-upscript, up, macvlan, -netdev-link, (char*) NULL); - if (err) { - ERROR(Failed to run script '%s' for container '%s' and interface '%s', - netdev-upscript, handler-name, netdev-link); + err = run_script(handler-name, net, netdev-upscript, up, +macvlan, netdev-link, (char*) NULL); + if (err) return -1; - } } DEBUG(instanciated macvlan '%s', index is '%d' and mode '%d', @@ -1433,13 +1437,10 @@ static int instanciate_phys(struct lxc_handler *handler, struct lxc_netdev *netd if (netdev-upscript) { int err; - err = run_script(handler-name, net, netdev-upscript, up, phys, -netdev-link, (char*) NULL); - if (err
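Review bot: in the @@ -186 hunk the reflowed `SYSERROR(Failed to execute script '%s' for container '%s': %s, script, name)` keeps three `%s` conversions but now passes only two arguments (the `strerror(errno)` argument of the old line was dropped), so the last conversion reads an undefined vararg; either remove the trailing `: %s` and let SYSERROR append the errno text itself, or keep the strerror argument. The same hunk compares the raw wait status with zero (`if (status != 0)`), which does not distinguish a non-zero exit code from a signal death, and the `waitpid(pid, status, 0)` return value is never checked, so an EINTR leaves `status` uninitialised; decode it with `WIFEXITED`/`WEXITSTATUS`/`WIFSIGNALED` and retry waitpid on EINTR.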
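Review bot: the @@ -1317, @@ -1370 and @@ -1433 hunks drop the per-call-site `ERROR(Failed to run script '%s' for container '%s' and interface '%s', ...)` on the grounds that run_script now logs, but the only failure message left in run_script is `Script '%s' terminated with non-zero exitcode %d` with the container name as its argument, so a failing veth hook and a failing macvlan hook now produce identical log lines; have run_script print the script path (and ideally the device name it was given), or keep one ERROR at the call sites.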
[lxc-devel] [GIT] lxc branch, master, updated. abbfd20baa348ce1b6b26dd9c2627c5e2f500b69
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "lxc".

The branch, master has been updated
       via  abbfd20baa348ce1b6b26dd9c2627c5e2f500b69 (commit)
       via  751d9dcd3904a45fcbad5d253498dadc401736af (commit)
       via  e3b4c4c44ae909ba5073edca975bc42ff007d9c9 (commit)
      from  49d3e78dceea24fcdd09529d1c748b69e19ef63f (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit abbfd20baa348ce1b6b26dd9c2627c5e2f500b69
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Tue Oct 12 10:52:47 2010 +0200

    use popen and redirect script output

    Change the run_script function to use popen and to redirect the output of the script to the log file.

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit 751d9dcd3904a45fcbad5d253498dadc401736af
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Tue Oct 12 10:52:47 2010 +0200

    fix Coding Style

    Fix the coding style, 80 chars lines, etc ...
    Fix indentation blocks if ... then ... else ... fi

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

commit e3b4c4c44ae909ba5073edca975bc42ff007d9c9
Author: Stefan Tomanek stefan.toma...@wertarbyte.de
Date:   Tue Oct 12 10:52:47 2010 +0200

    add lxc.network.script.up configuration hook

    This commit adds a configuration option to specify a script to be executed after creating and configuring the network used by the container.

    The following arguments are passed to the script:
     * container name
     * config section name (net)

    Additional arguments depend on the config section employing a script hook; the following are used by the network system:
     * execution context (up)
     * network type (empty/veth/macvlan/phys)

    Depending on the network type, other arguments may be passed:

    veth/macvlan/phys:
     * (host-sided) device name

    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---

Summary of changes:
 src/lxc/conf.c    |  119 +++--
 src/lxc/conf.h    |   19
 src/lxc/confile.c |   25 +++
 src/lxc/start.c   |    2 +-
 4 files changed, 142 insertions(+), 23 deletions(-)

hooks/post-receive
--
lxc
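The hook calling convention from the commit message above, and the run_script(name, section, script, ...) prototype Daniel sketched in the earlier review thread together with his comments about checking waitpid and the wait status, as an added example. This is not lxc's code (the merged version, per the first commit in this log, uses popen); it passes the arguments through execv so no shell ever interprets a device name, retries waitpid on EINTR, uses _exit in the child, and separates an exit code from a signal death. The hook script, the container name "demo-ct" and the device "vethDEMO0" are constructed for the demo; run_hook, write_demo_hook and demo_veth_up are my names.

```c
/* Added example, not lxc's own code: run a hook script with the argument
 * convention from the commit message above (container name, config section,
 * then "up", the network type and the host-side device).  Arguments go
 * through execv, so no shell interprets them, and the wait status is
 * decoded instead of being compared with zero. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define HOOK_MAX_ARGS 16

/* Run 'script' as { script, name, section, extra..., NULL }.  Returns the
 * script's exit status (127 when it could not be executed), -1 on a local
 * failure and -2 when the script was killed by a signal. */
int run_hook(const char *name, const char *section, const char *script, ...)
{
    char *argv[HOOK_MAX_ARGS];
    int argc = 0, status, ret;
    const char *arg;
    va_list ap;
    pid_t pid;

    argv[argc++] = (char *)script;
    argv[argc++] = (char *)name;
    argv[argc++] = (char *)section;
    va_start(ap, script);
    while ((arg = va_arg(ap, const char *)) != NULL) {
        if (argc >= HOOK_MAX_ARGS - 1) {   /* keep room for the NULL */
            va_end(ap);
            return -1;
        }
        argv[argc++] = (char *)arg;
    }
    va_end(ap);
    argv[argc] = NULL;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(script, argv);
        _exit(127);   /* exec failed; _exit skips the parent's atexit/stdio state */
    }
    do {
        ret = waitpid(pid, &status, 0);   /* retry if a signal interrupts us */
    } while (ret < 0 && errno == EINTR);
    if (ret < 0)
        return -1;
    if (WIFSIGNALED(status))
        return -2;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed demo hook: exits 0 only for the documented veth "up" argument
 * list, otherwise with a distinct code identifying the first bad position. */
static int write_demo_hook(char *path, size_t len)
{
    static const char body[] =
        "#!/bin/sh\n"
        "[ \"$1\" = \"demo-ct\" ] || exit 10\n"
        "[ \"$2\" = \"net\" ] || exit 11\n"
        "[ \"$3\" = \"up\" ] || exit 12\n"
        "[ \"$4\" = \"veth\" ] || exit 13\n"
        "[ \"$5\" = \"vethDEMO0\" ] || exit 14\n"
        "exit 0\n";
    char tmpl[] = "/tmp/lxc-hook-demo-XXXXXX";
    int fd = mkstemp(tmpl);

    if (fd < 0)
        return -1;
    if (write(fd, body, sizeof(body) - 1) != (ssize_t)(sizeof(body) - 1) ||
        fchmod(fd, 0700) < 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    close(fd);
    snprintf(path, len, "%s", tmpl);
    return 0;
}

/* Run the demo hook for host device 'hostdev': 0 means accepted, 14 means the
 * hook rejected the device name, a negative value means local setup failed. */
int demo_veth_up(const char *hostdev)
{
    char path[64];
    int rc;

    if (write_demo_hook(path, sizeof(path)) < 0)
        return -1;
    rc = run_hook("demo-ct", "net", path, "up", "veth", hostdev, (char *)NULL);
    unlink(path);
    return rc;
}

int main(void)
{
    printf("ok=%d wrong=%d\n", demo_veth_up("vethDEMO0"), demo_veth_up("eth0"));
    return 0;
}
```

With execv the device name reaches the hook as a single argv element whatever characters it contains; a popen-based runner builds a shell command line, so every argument it interpolates has to be quoted before the same guarantee holds.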
[lxc-devel] [GIT] lxc tag, lxc-0.7.3, created. acb0e330161f9b02bd0b351e0a8cc193da4de330
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "lxc".

The tag, lxc-0.7.3 has been created
        at  acb0e330161f9b02bd0b351e0a8cc193da4de330 (commit)

- Log -
commit acb0e330161f9b02bd0b351e0a8cc193da4de330
Author: Daniel Lezcano daniel.lezc...@free.fr
Date:   Tue Oct 26 18:14:47 2010 +0200

    set version to 0.7.3

    Version 0.7.3

    Signed-off-by: Daniel Lezcano daniel.lezc...@free.fr
---

hooks/post-receive
--
lxc
[lxc-devel] [GIT] lxc branch, master, updated. 968fbd36057db3132c68a63700e42929e5df5e2d
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "lxc".

The branch, master has been updated
       via  968fbd36057db3132c68a63700e42929e5df5e2d (commit)
      from  acb0e330161f9b02bd0b351e0a8cc193da4de330 (commit)

Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.

- Log -
commit 968fbd36057db3132c68a63700e42929e5df5e2d
Author: Sergey S. Kostyliov rathamah...@gmail.com
Date:   Sat Oct 30 21:41:19 2010 +0200

    add support for dirsync mount option

    Add support for `dirsync' mount option. MS_DIRSYNC is one of the mount(2) mountflags so don't send it as an extra mount option to avoid:

    lxc-start: Invalid argument - failed to mount ...

    errors.

    Signed-off-by: Sergey S. Kostyliov rathamah...@gmail.com
    Signed-off-by: Daniel Lezcano dlezc...@fr.ibm.com

---

Summary of changes:
 src/lxc/conf.c |    5 +
 1 files changed, 5 insertions(+), 0 deletions(-)

hooks/post-receive
--
lxc
Re: [lxc-devel] [PATCH] add support for dirsync mount option
On 10/30/2010 09:05 PM, Sergey S. Kostyliov wrote:
> Add support for `dirsync' mount option. MS_DIRSYNC is one of the mount(2) mountflags so don't send it as an extra mount option to avoid:
>
> lxc-start: Invalid argument - failed to mount ...
>
> errors.
>
> Signed-off-by: Sergey S. Kostyliov rathamah...@gmail.com
> ---

Thanks for the patch ! Applied.
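The split the patch relies on, as an added example that is not lxc's conf.c code: an fstab-style option string is divided into mount(2) flags and the residual data string handed to the filesystem. Here "dirsync" becomes MS_DIRSYNC like the other flag words, while unknown tokens such as size=200m stay in the data string; the option table is a subset I chose for the demo, and the option string in demo_flags()/demo_data() is constructed.

```c
/* Added example, not lxc's own code: split an fstab-style option string into
 * mount(2) flags and the residual data string.  "dirsync" is mapped to
 * MS_DIRSYNC here rather than being forwarded as filesystem data, which is
 * what made the kernel reject the mount with "Invalid argument". */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>

struct mount_opt {
    const char *name;
    int clear;              /* 1: option clears the flag (rw, exec, ...) */
    unsigned long flag;
};

/* Subset of the mount(8) option words chosen for the demo. */
static const struct mount_opt mount_opts[] = {
    { "defaults", 0, 0 },
    { "ro",       0, MS_RDONLY },      { "rw",    1, MS_RDONLY },
    { "nosuid",   0, MS_NOSUID },      { "suid",  1, MS_NOSUID },
    { "nodev",    0, MS_NODEV },       { "dev",   1, MS_NODEV },
    { "noexec",   0, MS_NOEXEC },      { "exec",  1, MS_NOEXEC },
    { "sync",     0, MS_SYNCHRONOUS }, { "async", 1, MS_SYNCHRONOUS },
    { "dirsync",  0, MS_DIRSYNC },
    { "noatime",  0, MS_NOATIME },     { "atime", 1, MS_NOATIME },
    { "bind",     0, MS_BIND },        { "rbind", 0, MS_BIND | MS_REC },
    { NULL, 0, 0 }
};

/* Parse comma-separated 'opts'.  Known names update *flags; anything else
 * (size=200m, mode=1777, ...) is filesystem data and is appended to 'data'.
 * Returns 0 on success, -1 when the input or the data buffer is too long. */
int parse_mount_options(const char *opts, unsigned long *flags,
                        char *data, size_t datalen)
{
    char buf[256];
    char *tok, *save;
    const struct mount_opt *mo;

    *flags = 0;
    if (datalen == 0)
        return -1;
    data[0] = '\0';
    if (snprintf(buf, sizeof(buf), "%s", opts ? opts : "") >= (int)sizeof(buf))
        return -1;

    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        for (mo = mount_opts; mo->name; mo++)
            if (strcmp(tok, mo->name) == 0)
                break;
        if (mo->name) {
            if (mo->clear)
                *flags &= ~mo->flag;
            else
                *flags |= mo->flag;
            continue;
        }
        /* not a flag word: pass it to the filesystem, comma separated */
        if (strlen(data) + strlen(tok) + 2 > datalen)
            return -1;
        if (data[0])
            strcat(data, ",");
        strcat(data, tok);
    }
    return 0;
}

/* Constructed option string mixing flag words with tmpfs data. */
static const char demo_opts[] = "rw,noatime,dirsync,size=200m,mode=1777";
static char demo_data_buf[128];

/* Flags parsed from demo_opts, or (unsigned long)-1 on a parse error. */
unsigned long demo_flags(void)
{
    unsigned long flags = 0;

    if (parse_mount_options(demo_opts, &flags, demo_data_buf,
                            sizeof(demo_data_buf)) < 0)
        return (unsigned long)-1;
    return flags;
}

/* Data string left over after parsing demo_opts. */
const char *demo_data(void)
{
    demo_flags();
    return demo_data_buf;
}

int main(void)
{
    printf("flags=0x%lx data=\"%s\"\n", demo_flags(), demo_data());
    return 0;
}
```

Before the fix the word "dirsync" would have ended up in the data string and been passed to the filesystem, which rejects unknown options with EINVAL, the "Invalid argument" in the report.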
Re: [lxc-devel] [Lxc-users] regular lxc development call?
On 12/02/2010 03:21 PM, Serge E. Hallyn wrote:
> Quoting Daniel Lezcano (daniel.lezc...@free.fr):
>> On 11/30/2010 04:06 AM, Serge E. Hallyn wrote:
>>> Quoting Daniel Lezcano (daniel.lezc...@free.fr):
>>>
>>> Looks like we'll be starting small anyway, so let's just try skype. Anyone interested in joining, please send me your skype id. What is a good time? I'll just toss thursday at 9:30am US Central time (15:30 UTC) out there.
>>
>> Ok for me. Do we begin January, 6th ?
>
> I'm feeling like time is passing us by far too quickly. I realize today is thursday, and really I wouldn't mind a first call today just to get everyone a sense of what everyone else is working on. Otherwise, can we start next week? Or is december just a wash? :(

Ok for next week. Do you want me to create a google calendar event ?

  -- Daniel
Re: [lxc-devel] did the new kernel 2.6.36 support a full sysfs namespace for tun/tap device?
On 12/07/2010 11:10 AM, 贺鹏 wrote:
> Hi, all:
>
> did the new kernel 2.6.36 support a full sysfs namespace for tun/tap device?

I am not sure, but yes it should. sysfs per namespace is in place since 2.6.35 AFAIR.
Re: [lxc-devel] [PATCH 1/4] Setting default suite to squeeze in debian template.
On 12/16/2010 04:03 PM, Daniel Baumann wrote:
> On 12/16/2010 02:56 PM, Daniel Lezcano wrote:
>> Yes that makes sense. I will duplicate in order to apply your patches and then factor out the scripts to a minimal one.
>
> i've got another one for LANG where the locales are generated wrongly (will send in a couple of minutes). i'll wait for the debconf integration patches until the minimal is done to avoid double work.
>
> do you have an ETA for the split?

Maybe before tomorrow, but it is not sure.
Re: [lxc-devel] How does the console work in most recent release?
On 01/05/2011 08:53 AM, Rob Landley wrote:
> On 01/04/2011 06:52 AM, Daniel Lezcano wrote:
>> On 01/04/2011 09:36 AM, Rob Landley wrote:
>>> I'm attempting to write a simple HOWTO for setting up a container with LXC. Unfortunately, console handling is really really brittle and the only way I've gotten it to work is kind of unpleasant to document.
>>>
>>> Using lxc 0.7.3 (both in debian sid and built from source myself), I can lxc-create a container, and when I run lxc-start it launches init in the container. But the console is screwy.
>>>
>>> If my init program is just a command shell, the first key I type will crash lxc-start with an I/O error. (Wrapping said shell with a script to redirect stdin/stdout/stderr to various /dev character devices doesn't seem to improve matters.)
>>>
>>> Using the busybox template and the busybox-i686 binary off of busybox.net, it runs init and connects to the various tty devices, and this somehow prevents lxc-start from crashing. But if I press enter to activate this console like it says, the resulting shell prompt is completely unusable. If I'm running from an actual TTY device, then some of the keys I type go to the container and some don't. If my console is connected to a PTY when I run lxc-start (such as if I ssh in and run lxc-start from the ssh session), _none_ of the characters I type go to the shell prompt.
>>>
>>> To get a usable shell prompt in the container, what I have to do is lxc-start in one window, ssh into the server to get a fresh terminal, and then run lxc-console in that second terminal. That's the only magic sequence I've found so far that works.
>>
>> Hmm, right. I was able to reproduce the problem.
>
> I've got two more. (Here's another half-finished documentation file, attached, which may help with the reproduction sequence.)
>
> I'm running a KVM instance to host the containers, and I've fed it an e1000 interface as eth0 with the normal -net user, and a tun/tap device on eth1 with 192.168.254.1 associated at the other end.
>
> Inside KVM, I'm using this config to set up a container:
>
>   lxc.utsname = busybox
>   lxc.network.type = phys
>   lxc.network.flags = up
>   lxc.network.link = eth1
>   #lxc.network.name = eth0
>
> And going:
>
>   lxc-start -n busybox -f busybox.conf -t busybox
>
> Using that (last line of the config intentionally commented out for the moment) I get an eth1 in the container that is indeed the eth1 on the host system (which is a tun/tap device I fed to kvm as a second e1000 device). That's the non-bug behavior.
>
> Bug #1: If I exit that container, eth1 vanishes from the world. The container's gone, but it doesn't reappear on the host. (This may be related to the fact that the only way I've found to kill a container is do killall -9 lxc-start. For some reason a normal kill of lxc-start is ignored. However, this still shouldn't leak kernel resources like that.)

It is related to the kernel behavior : a netdev with a rtnl_link_ops will be automatically deleted when a network namespace is destroyed. The full answer is at net/core/dev.c :

> Bug #2: When I uncomment that last line of the above busybox.conf, telling it to move eth1 into the container but call it eth0 in there, suddenly the eth0 in the container gets entangled with the eth0 on the host, to the point where dhcp gives it an address. (Which is 10.0.2.16. So it's talking to the VPN that only the host's eth0 should have access to, but it's using a different mac address. Oddly, the host eth0 still seems to work fine, and the two IP addresses can ping each other across the container interface.)
>
> This is still using the most recent release version.

What is the kernel version ?

>>> The attached html file is a long drawn-out reproduction sequence for this.
>>>
>>> I tried downloading lxc-git to see if this is already fixed, but running autoconf doesn't seem to want to produce a ./configure file for me. (configure.ac:8: error: possibly undefined macro: AM_CONFIG_HEADER) I'm really not an autoconf expert (the whole thing is just a horrible idea at the design level), so have no idea what I'm doing wrong there.
>>
>> Is automake installed on your system ? Maybe the version is too old ...
>
> # aptitude show automake
> Package: automake
> State: installed
> Automatically installed: yes
> Version: 1:1.11.1-1
> ...
>
> It's what debian sid installs by default when you ask for automake.
>
> Rob