[lxc-devel] Last e-mail on the old mailing-lists
Hello,

This is going to be the last e-mail of the lxc-devel and lxc-users mailing-lists on sourceforge.net.

Both lists starting now will live at http://lists.linuxcontainers.org

lxc-devel@lists.sourceforge.net = lxc-de...@lists.linuxcontainers.org
lxc-us...@lists.sourceforge.net = lxc-us...@lists.linuxcontainers.org

The archive will get re-imported in the next few minutes and so will all the existing subscribers. A new password will be generated for you by the system and sent along a welcome e-mail in the coming hours.

Once that's all done, I'll be sending an e-mail to both new lists indicating that the move is over.

I'll also be updating as many of the places where the old lists are referenced as I can. If you know of some more, please feel free to update them.

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [lxc-devel] [PATCH] lxc-busybox: remove unnecessary bind-mount
On Fri, Dec 06, 2013 at 12:11:29PM +0200, Bogdan Purcareata wrote:
> Since the line immediately following will mount the entire /sys read-only, hence /sys/kernel/security too. Also, when installing the container template on systems with no securityfs support, starting the container will fail.

Did you confirm that the lxc.mount.auto entry actually mounts securityfs on /sys/kernel/security?

/sys/kernel/security isn't part of sysfs and needs to be mounted on top of it. If it's not mounted, your proposed change will lead to failure to setup apparmor and an unconfined container on systems supporting it.

Instead, I think it'd be better to change that line to simply ro,bind,optional so that failure to mount doesn't cause a failure to start the container.

> Signed-off-by: Bogdan Purcareata bogdan.purcare...@freescale.com --- templates/lxc-busybox.in | 1 - 1 file changed, 1 deletion(-) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index 23d654e..906dc5d 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in
@@ -296,7 +296,6 @@ EOF echo lxc.mount.entry = /$dir $dir none ro,bind 0 0 $path/config fi done -echo lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind 0 0 $path/config echo lxc.mount.auto = proc:mixed sys $path/config } -- 1.7.11.7

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
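
Review bot: Deleting the `lxc.mount.entry = /sys/kernel/security ...` line removes the only entry in this hunk that targets sys/kernel/security; the `lxc.mount.auto = proc:mixed sys` line that remains names only proc and sys. The start failure on hosts without securityfs comes from the entry's options being `ro,bind` with no `optional`, so the narrower change is to keep the line and make the options `ro,bind,optional`.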
Re: [lxc-devel] [PATCH] doc: Update Japanese lxc.conf(5)
On Fri, Dec 06, 2013 at 03:08:10PM +0900, KATOH Yasufumi wrote:
> translate the untranslated paragraph
>
> Signed-off-by: KATOH Yasufumi ka...@jazz.email.ne.jp

Acked-by: Stéphane Graber stgra...@ubuntu.com

> --- doc/ja/lxc.conf.sgml.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/doc/ja/lxc.conf.sgml.in b/doc/ja/lxc.conf.sgml.in index ec24e2a..52b4fc8 100644 --- a/doc/ja/lxc.conf.sgml.in +++ b/doc/ja/lxc.conf.sgml.in @@ -1220,8 +1220,11 @@ by KATOH Yasufumi karma at jazz.email.ne.jp /term listitem para + !-- Specify the SELinux context under which the container should be run or commandunconfined_t/command. For example + -- + コンテナが従うべき SELinux コンテキストを指定するか,commandunconfined_t/command を指定します.例えば以下のように設定します. /para programlistinglxc.se_context = unconfined_u:unconfined_r:lxc_t:s0-s0:c0.c1023/programlisting /listitem -- 1.8.4.4

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [lxc-devel] [PATCH] oracle template: fix chcon warning when selinux disabled
On Fri, Dec 06, 2013 at 09:46:19AM -0500, Dwight Engen wrote:
> Signed-off-by: Dwight Engen dwight.en...@oracle.com

Acked-by: Stéphane Graber stgra...@ubuntu.com

> --- templates/lxc-oracle.in | 13 +++-- 1 files changed, 11 insertions(+), 2 deletions(-) diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in index 67e46ab..1338f34 100644 --- a/templates/lxc-oracle.in +++ b/templates/lxc-oracle.in @@ -46,6 +46,15 @@ is_btrfs_subvolume() return 1 } +can_chcon() +{ +if which chcon /dev/null 21; then +selinuxenabled /dev/null 21 +return $? +fi +return 1 +} + # fix up the container_rootfs container_rootfs_configure() { @@ -312,7 +321,7 @@ EOF if [ $container_rootfs != / -a -d $dev_path ]; then rm -rf $dev_path mkdir -p $dev_path -if which chcon /dev/null 21 ; then +if can_chcon; then # ensure symlinks created in /dev have the right context chcon -t device_t $dev_path fi @@ -333,7 +342,7 @@ EOF mknod -m 600 $dev_path/initctl p # set selinux labels same as host -if which chcon /dev/null 21 ; then +if can_chcon; then for node in null zero random urandom pts shm \ tty tty0 tty1 tty2 tty3 tty4 full ; do -- 1.7.1

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
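
Review bot: In the new `can_chcon()`, the `return $?` after `selinuxenabled` is redundant, and the helper only tests for `chcon` with `which`; when `selinuxenabled` itself is not installed the function still returns non-zero, but only because the command lookup fails. Testing for both tools in the `which` condition would make that intent explicit, and a one-line comment above the function saying it means "chcon exists and SELinux is enabled" would match the commented helper that follows it.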
Re: [lxc-devel] [PATCH 2/2] let lxc-monitor command ask a lxc-monitord instance to quit
On Fri, Dec 06, 2013 at 03:36:50PM -0500, Dwight Engen wrote: Once lxc-monitord receives a quit request from lxc-monitor, it will then return from the mainloop every time an event occurs on any of its fds and check if it has any clients left. When there are no more it exits. This allows lxc-monitord to quit immediately instead of waiting the normal 30 seconds for more clients, potentially freeing up lxcpath for unmounting. Signed-off-by: Dwight Engen dwight.en...@oracle.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- doc/lxc-monitor.sgml.in | 22 ++ src/lxc/lxc_monitor.c | 33 +++-- src/lxc/lxc_monitord.c | 18 +++--- 3 files changed, 68 insertions(+), 5 deletions(-) diff --git a/doc/lxc-monitor.sgml.in b/doc/lxc-monitor.sgml.in index abd668a..e57314e 100644 --- a/doc/lxc-monitor.sgml.in +++ b/doc/lxc-monitor.sgml.in @@ -50,6 +50,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA cmdsynopsis commandlxc-monitor/command arg choice=opt-n replaceablename/replaceable/arg + arg choice=opt-Q replaceablename/replaceable/arg /cmdsynopsis /refsynopsisdiv @@ -75,6 +76,27 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA /refsect1 + refsect1 +titleOptions/title + +variablelist + varlistentry + term + option-Q, --quit/option + /term + listitem + para + Ask the lxc-monitord daemon on each given commandlxcpath/command + to quit. After receiving this command, lxc-monitord will exit + immediately as soon as it has no clients instead of waiting the + normal 30 seconds for new clients. This is useful if you need to + unmount the filesystem commandlxcpath/command is on. + /para + /listitem + /varlistentry + /variablelist + /refsect1 + commonoptions; refsect1 diff --git a/src/lxc/lxc_monitor.c b/src/lxc/lxc_monitor.c index 4f56308..63ab68b 100644 --- a/src/lxc/lxc_monitor.c +++ b/src/lxc/lxc_monitor.c 
@@ -35,7 +35,18 @@ lxc_log_define(lxc_monitor_ui, lxc_monitor); +static bool quit_monitord; + +static int my_parser(struct lxc_arguments* args, int c, char* arg) +{ + switch (c) { + case 'Q': quit_monitord = true; break; + } + return 0; +} + static const struct option my_longopts[] = { + {quit, no_argument, 0, 'Q'}, LXC_COMMON_OPTIONS }; @@ -48,10 +59,11 @@ lxc-monitor monitors the state of the NAME container\n\ \n\ Options :\n\ -n, --name=NAME NAME for name of the container\n\ -NAME may be a regular expression, +NAME may be a regular expression\n\ + -Q, --quittell lxc-monitord to quit\n, .name = .*, .options = my_longopts, - .parser = NULL, + .parser = my_parser, .checker = NULL, .lxcpath_additional = -1, }; @@ -74,6 +86,23 @@ int main(int argc, char *argv[]) my_args.progname, my_args.quiet, my_args.lxcpath[0])) return -1; + if (quit_monitord) { + int ret = EXIT_SUCCESS; + for (i = 0; i my_args.lxcpath_cnt; i++) { + int fd; + + fd = lxc_monitor_open(my_args.lxcpath[i]); + if (fd 0) { + ERROR(Unable to open monitor on path:%s, my_args.lxcpath[i]); + ret = EXIT_FAILURE; + continue; + } + write(fd, quit, 4); + close(fd); + } + return ret; + } + len = strlen(my_args.name) + 3; regexp = malloc(len + 3); if (!regexp) { diff --git a/src/lxc/lxc_monitord.c b/src/lxc/lxc_monitord.c index 381b2d6..fc83f01 100644 --- a/src/lxc/lxc_monitord.c +++ b/src/lxc/lxc_monitord.c @@ -29,6 +29,7 @@ #include string.h #include stdlib.h #include fcntl.h +#include sys/epoll.h #include sys/types.h #include sys/stat.h #include sys/param.h @@ -70,6 +71,7 @@ struct lxc_monitor { }; static struct lxc_monitor mon; +static int quit; static int lxc_monitord_fifo_create(struct lxc_monitor *mon) { 
@@ -135,8 +137,18 @@ static int lxc_monitord_sock_handler(int fd, uint32_t events, void *data, { struct lxc_monitor *mon = data; - lxc_monitord_sockfd_remove(mon, fd); - return 0; + if (events EPOLLIN) { + int rc; + char buf[4]; + + rc = read(fd, buf, sizeof(buf)); + if (rc 0 !strncmp(buf, quit, 4)) + quit = 1; + } + + if (events EPOLLHUP) + lxc_monitord_sockfd_remove(mon, fd); + return quit; } static int lxc_monitord_sock_accept(int fd, uint32_t events
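
Review bot: In the doc/lxc-monitor.sgml.in synopsis hunk, the added `-Q` argument carries the same `replaceablename/replaceable` operand as `-n`, but the option table in lxc_monitor.c declares it as `{quit, no_argument, 0, 'Q'}`. The synopsis entry should show `-Q` with no operand.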
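
Review bot: In the `quit_monitord` loop added to `main()` in lxc_monitor.c, the result of `write(fd, quit, 4)` is ignored, so the command returns `EXIT_SUCCESS` even when the request never reached lxc-monitord. Check the return value and set `ret = EXIT_FAILURE`, as the loop already does when `lxc_monitor_open()` fails.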
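
Review bot: In `lxc_monitord_sock_handler()`, the `strncmp(buf, quit, 4)` comparison runs after any successful `read()`, so a read that returns fewer than 4 bytes compares against uninitialised bytes of `buf`. Require `rc == sizeof(buf)` before comparing; `memcmp` is the clearer call for a fixed-length token with no terminator. The handler also sets `quit` for whichever client sends the token, so the documentation should state that anyone able to open the monitor socket can ask the daemon to exit.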
Re: [lxc-devel] [PATCH] busybox template: set mode when creating device nodes
On Fri, Dec 06, 2013 at 04:47:26PM -0500, Dwight Engen wrote:
> ensure mode 666 is set for tty1 and tty5
>
> Signed-off-by: Dwight Engen dwight.en...@oracle.com

Acked-by: Stéphane Graber stgra...@ubuntu.com

> --- templates/lxc-busybox.in | 22 +- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index 23d654e..97614c6 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -72,19 +72,15 @@ $rootfs/usr/lib64 echo /dev/$dev dev/$devnone bind 0 0 $path/fstab done else -mknod tty c 5 0 || res=1 -mknod console c 5 1 || res=1 -chmod 666 tty console || res=1 -mknod tty0 c 4 0 || res=1 -mknod tty1 c 4 0 || res=1 -mknod tty5 c 4 0 || res=1 -chmod 666 tty0|| res=1 -mknod ram0 b 1 0 || res=1 -chmod 600 ram0|| res=1 -mknod null c 1 3 || res=1 -chmod 666 null|| res=1 -mknod urandom c 1 9 || res=1 -chmod 666 urandom || res=1 +mknod -m 666 tty c 5 0 || res=1 +mknod -m 666 console c 5 1 || res=1 +mknod -m 666 tty0 c 4 0 || res=1 +mknod -m 666 tty1 c 4 0 || res=1 +mknod -m 666 tty5 c 4 0 || res=1 +mknod -m 600 ram0 b 1 0 || res=1 +mknod -m 666 null c 1 3 || res=1 +mknod -m 666 zero c 1 5 || res=1 +mknod -m 666 urandom c 1 9 || res=1 fi popd /dev/null -- 1.8.3.1

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
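
Review bot: The added `tty0`, `tty1` and `tty5` lines all pass `c 4 0`, so the three nodes refer to the same device (major 4, minor 0); if separate virtual consoles are intended, `tty1` and `tty5` need minors 1 and 5. The hunk also adds a `zero` node (`c 1 5`) that the commit message does not mention. Mode 666 is the usual choice for `null`, `zero` and `urandom`, but making `console` and the tty nodes world-writable should be a stated decision in the message rather than a side effect of folding `chmod` into `mknod -m`.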
[lxc-devel] [PATCH] lxc_monitor: Check return value of write
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_monitor.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc_monitor.c b/src/lxc/lxc_monitor.c index 63ab68b..92477e2 100644 --- a/src/lxc/lxc_monitor.c +++ b/src/lxc/lxc_monitor.c @@ -93,11 +93,16 @@ int main(int argc, char *argv[]) fd = lxc_monitor_open(my_args.lxcpath[i]); if (fd 0) { - ERROR(Unable to open monitor on path:%s, my_args.lxcpath[i]); + ERROR(Unable to open monitor on path: %s, my_args.lxcpath[i]); ret = EXIT_FAILURE; continue; } - write(fd, quit, 4); + if (write(fd, quit, 4) 0) { + ERROR(Unable to close monitor on path: %s, my_args.lxcpath[i]); + ret = EXIT_FAILURE; + close(fd); + continue; + } close(fd); } return ret; -- 1.8.5.1
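
Review bot: The new test on `write(fd, quit, 4)` only catches a failed call; a short write of fewer than 4 bytes still counts as success, so compare the return value with the length sent. The message `Unable to close monitor on path` names the wrong operation, since what failed is sending the quit request. The added `close(fd); continue;` pair can be dropped, because falling through reaches the existing `close(fd)` at the end of the loop body.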
[lxc-devel] [PATCH] Add support for new create=(dir, file) mount option
Just like we already had optional, this adds two new LXC-specific mount flags: - create=dir (will do a mkdir_p on the path) - create=file (will do a mkdir_p on the dirname + a fopen on the path) This was motivated by some of the needed bind-mounts for the unprivileged containers. Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/conf.c | 70 +- 1 file changed, 69 insertions(+), 1 deletion(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 6542ce1..0beb12b 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1906,18 +1906,41 @@ static inline int mount_entry_on_systemfs(struct mntent *mntent) unsigned long mntflags; char *mntdata; int ret; + FILE *pathfile = NULL; + char* pathdirname = NULL; if (parse_mntopts(mntent-mnt_opts, mntflags, mntdata) 0) { ERROR(failed to parse mount option '%s', mntent-mnt_opts); return -1; } + if (hasmntopt(mntent, create=dir)) { + if (!mkdir_p(mntent-mnt_dir, 0755)) { + WARN(Failed to create mount target '%s', mntent-mnt_dir); + ret = -1; + } + } + + if (hasmntopt(mntent, create=file) access(mntent-mnt_dir, F_OK)) { + pathdirname = strdup(mntent-mnt_dir); + pathdirname = dirname(pathdirname); + mkdir_p(pathdirname, 0755); + pathfile = fopen(mntent-mnt_dir, wb); + if (!pathfile) { + WARN(Failed to create mount target '%s', mntent-mnt_dir); + ret = -1; + } + else + fclose(pathfile); + } + ret = mount_entry(mntent-mnt_fsname, mntent-mnt_dir, mntent-mnt_type, mntflags, mntdata); if (hasmntopt(mntent, optional) != NULL) ret = 0; + free(pathdirname); free(mntdata); return ret; @@ -1933,6 +1956,8 @@ static int mount_entry_on_absolute_rootfs(struct mntent *mntent, char *mntdata; int r, ret = 0, offset; const char *lxcpath; + FILE *pathfile = NULL; + char *pathdirname = NULL; if (parse_mntopts(mntent-mnt_opts, mntflags, mntdata) 0) { ERROR(failed to parse mount option '%s', mntent-mnt_opts); 
@@ -1975,6 +2000,25 @@ skipabs: goto out; } + if (hasmntopt(mntent, create=dir)) { + if (!mkdir_p(path, 0755)) { + WARN(Failed to create mount target '%s', path); + ret = -1; + } + } + + if (hasmntopt(mntent, create=file) access(path, F_OK)) { + pathdirname = strdup(path); + pathdirname = dirname(pathdirname); + mkdir_p(pathdirname, 0755); + pathfile = fopen(path, wb); + if (!pathfile) { + WARN(Failed to create mount target '%s', path); + ret = -1; + } + else + fclose(pathfile); + } ret = mount_entry(mntent-mnt_fsname, path, mntent-mnt_type, mntflags, mntdata); @@ -1983,6 +2027,7 @@ skipabs: ret = 0; out: + free(pathdirname); free(mntdata); return ret; } @@ -1994,25 +2039,48 @@ static int mount_entry_on_relative_rootfs(struct mntent *mntent, unsigned long mntflags; char *mntdata; int ret; + FILE *pathfile = NULL; + char *pathdirname = NULL; if (parse_mntopts(mntent-mnt_opts, mntflags, mntdata) 0) { ERROR(failed to parse mount option '%s', mntent-mnt_opts); return -1; } -/* relative to root mount point */ + /* relative to root mount point */ ret = snprintf(path, sizeof(path), %s/%s, rootfs, mntent-mnt_dir); if (ret = sizeof(path)) { ERROR(path name too long); return -1; } + if (hasmntopt(mntent, create=dir)) { + if (!mkdir_p(path, 0755)) { + WARN(Failed to create mount target '%s', path); + ret = -1; + } + } + + if (hasmntopt(mntent, create=file) access(path, F_OK)) { + pathdirname = strdup(path); + pathdirname = dirname(pathdirname); + mkdir_p(pathdirname, 0755); + pathfile = fopen(path, wb); + if (!pathfile) { + WARN(Failed to create mount target '%s', path); + ret = -1; + } + else + fclose(pathfile); + } + ret = mount_entry(mntent-mnt_fsname, path, mntent-mnt_type, mntflags, mntdata); if (hasmntopt(mntent
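
Review bot: In `mount_entry_on_systemfs()` and the two copies that follow, the `ret = -1` set when `mkdir_p()` or `fopen()` fails is overwritten by the next statement, `ret = mount_entry(...)`, so the failure is only logged; return early or drop the assignment. `pathdirname = dirname(pathdirname)` replaces the pointer obtained from `strdup()` with whatever `dirname()` returns, which is not guaranteed to be the same pointer, and that value is later passed to `free()`; keep the duplicate in its own variable and check `strdup()` for NULL. The block is pasted into three functions and would be easier to audit as one helper.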
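
Review bot: In `mount_entry_on_absolute_rootfs()` and `mount_entry_on_relative_rootfs()`, the added `mkdir_p(path, 0755)` and `fopen(path, wb)` act on a path built under the container's rootfs, and both follow symbolic links, so a rootfs containing a link at or above the mount target makes the host-side process create the directory or file wherever the link points. Resolve the target and confirm it is still under `rootfs` before creating anything, or create it relative to a directory descriptor opened on the rootfs without following links.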
[lxc-devel] [PATCH] conffile.c: Also clear text entries with no value
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/confile.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/lxc/confile.c b/src/lxc/confile.c index 835153b..5f25e08 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -216,8 +216,12 @@ static int config_string_item(char **conf_item, const char *value) { char *new_value; - if (!value || strlen(value) == 0) + if (!value || strlen(value) == 0) { + if (*conf_item) + free(*conf_item); + *conf_item = NULL; return 0; + } new_value = strdup(value); if (!new_value) { -- 1.8.5.1
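
Review bot: In `config_string_item()`, the `if (*conf_item)` guard in front of `free(*conf_item)` is unnecessary because `free(NULL)` is a no-op; the branch can be just `free(*conf_item); *conf_item = NULL;`. The subject line says `conffile.c` while the file changed is `src/lxc/confile.c`.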
[lxc-devel] [PATCH] Move some common Ubuntu config
This introduces a new /usr/share/lxc/config directory containing common configuration snippets. The two Ubuntu templates are then simplified to just include the relevant entries avoiding a whole lot of hardcoded cgroup, capabilities and mount points configuration. An extra comment is also added at the top of all generated configuration files telling the user to look at lxc.conf(5) for more information. Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- config/Makefile.am | 16 + config/default.conf.libvirt | 3 - config/default.conf.ubuntu | 3 - config/default.conf.unknown | 1 - config/etc/Makefile.am | 15 config/etc/default.conf.libvirt | 3 + config/etc/default.conf.ubuntu | 3 + config/etc/default.conf.unknown | 1 + config/templates/Makefile.am | 8 +++ config/templates/ubuntu-cloud.common.conf.in | 4 ++ config/templates/ubuntu-cloud.lucid.conf.in | 2 + config/templates/ubuntu-cloud.userns.conf.in | 16 + config/templates/ubuntu.common.conf.in | 48 + config/templates/ubuntu.lucid.conf.in| 2 + configure.ac | 9 +++ src/lxc/lxccontainer.c | 1 + templates/lxc-ubuntu-cloud.in| 102 +-- templates/lxc-ubuntu.in | 87 --- 18 files changed, 178 insertions(+), 146 deletions(-) delete mode 100644 config/default.conf.libvirt delete mode 100644 config/default.conf.ubuntu delete mode 100644 config/default.conf.unknown create mode 100644 config/etc/Makefile.am create mode 100644 config/etc/default.conf.libvirt create mode 100644 config/etc/default.conf.ubuntu create mode 100644 config/etc/default.conf.unknown create mode 100644 config/templates/Makefile.am create mode 100644 config/templates/ubuntu-cloud.common.conf.in create mode 100644 config/templates/ubuntu-cloud.lucid.conf.in create mode 100644 config/templates/ubuntu-cloud.userns.conf.in create mode 100644 config/templates/ubuntu.common.conf.in create mode 100644 config/templates/ubuntu.lucid.conf.in diff --git a/config/Makefile.am b/config/Makefile.am index 81d7709..7ca23eb 100644 --- a/config/Makefile.am 
+++ b/config/Makefile.am @@ -1,15 +1 @@ -configdir = $(sysconfdir)/lxc -config_DATA = default.conf -distroconf = @LXC_DISTRO_CONF@ - -EXTRA_DIST = default.conf.ubuntu default.conf.libvirt default.conf.unknown - -default.conf: - cp $(distroconf) $@ - -clean-local: - @$(RM) -f default.conf - -distclean-local: - @$(RM) -f default.conf - @$(RM) -f compile config.guess config.sub depcomp install-sh ltmain.sh missing Makefile.in Makefile +SUBDIRS = etc templates diff --git a/config/default.conf.libvirt b/config/default.conf.libvirt deleted file mode 100644 index 6950dca..000 --- a/config/default.conf.libvirt +++ /dev/null @@ -1,3 +0,0 @@ -lxc.network.type = veth -lxc.network.link = virbr0 -lxc.network.flags = up diff --git a/config/default.conf.ubuntu b/config/default.conf.ubuntu deleted file mode 100644 index 0a5ac71..000 --- a/config/default.conf.ubuntu +++ /dev/null @@ -1,3 +0,0 @@ -lxc.network.type = veth -lxc.network.link = lxcbr0 -lxc.network.flags = up diff --git a/config/default.conf.unknown b/config/default.conf.unknown deleted file mode 100644 index 6c88010..000 --- a/config/default.conf.unknown +++ /dev/null @@ -1 +0,0 @@ -lxc.network.type = empty diff --git a/config/etc/Makefile.am b/config/etc/Makefile.am new file mode 100644 index 000..81d7709 --- /dev/null +++ b/config/etc/Makefile.am @@ -0,0 +1,15 @@ +configdir = $(sysconfdir)/lxc +config_DATA = default.conf +distroconf = @LXC_DISTRO_CONF@ + +EXTRA_DIST = default.conf.ubuntu default.conf.libvirt default.conf.unknown + +default.conf: + cp $(distroconf) $@ + +clean-local: + @$(RM) -f default.conf + +distclean-local: + @$(RM) -f default.conf + @$(RM) -f compile config.guess config.sub depcomp install-sh ltmain.sh missing Makefile.in Makefile diff --git a/config/etc/default.conf.libvirt b/config/etc/default.conf.libvirt new file mode 100644 index 000..6950dca --- /dev/null +++ b/config/etc/default.conf.libvirt @@ -0,0 +1,3 @@ +lxc.network.type = veth +lxc.network.link = virbr0 +lxc.network.flags = up 
diff --git a/config/etc/default.conf.ubuntu b/config/etc/default.conf.ubuntu new file mode 100644 index 000..0a5ac71 --- /dev/null +++ b/config/etc/default.conf.ubuntu @@ -0,0 +1,3 @@ +lxc.network.type = veth +lxc.network.link = lxcbr0 +lxc.network.flags = up diff --git a/config/etc/default.conf.unknown b/config/etc/default.conf.unknown new file mode 100644 index 000..6c88010 --- /dev/null +++ b/config/etc/default.conf.unknown @@ -0,0 +1 @@ +lxc.network.type = empty diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am new file
[lxc-devel] Mailing-list move on Sunday 8th of December
Hello,

You are receiving this e-mail because you are currently subscribed to: lxc-devel@lists.sourceforge.net

On this coming Sunday (8th of December), all LXC mailing-lists will be moved to a new home at: http://lists.linuxcontainers.org

This is the last step of our migration out of sourceforge.

The new mailman server is hosted by myself and shared with a few other projects (on other domains). That new server has daily offsite backups and a redundant e-mail infrastructure on two continents. So I'm not expecting any more problem with our lists there than on SourceForge.

On Sunday, I'll disable the list on sourceforge, do one last mbox export and load it on the new server. From that point on, any e-mail reaching the old address will simply be rejected with an error indicating the new address (short of having found a way to redirect to the new address...).

All of the list history and all subscriptions and settings will stay as they are, so once you have updated your mail filters and aliases everything should be back to normal.

Sorry for the inconvenience and looking forward to a SourceForge free world!

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [lxc-devel] making lxcpath a real path?
On Tue, Dec 03, 2013 at 10:00:02AM -0500, Michael H. Warfield wrote:
> On Tue, 2013-12-03 at 12:49 +0100, Harald Dunkel wrote:
> > Hi folks,
> >
> > do you think it would be possible to make the path set by -P/--lxcpath or in the config file a _real_ path, e.g.
> >
> > lxc-ls -P /data1/lxc:/data2/lxc --fancy
> >
> > ?

I'd recommend not using that kind of confusing syntax (e.g. what if I actually have a directory called /data/lxc: ?).

Instead if we are to implement such a feature, we should be consistent with what we've been doing in the past and allow for lxcpath to be present multiple times in lxc.conf and for -P to be passed multiple times on the command line of all of our binaries.

> You had me confused for a brief moment, referring to this as a _real_ path and I had to think about it for a bit. We have a problem with ambiguity in the language where path can mean multiple things. It can mean a singular absolute file system path to a file on a file system or it can mean a delimited set of paths as in the PATH or LD_LIBRARY_PATH environment variables. Both are equally _real_ it's the context of the utilization that makes the difference. One specifies a definitive location while the other describes a search path to be processed. You're suggesting changing the lxcpath from an absolute path to a search path concept. Interesting. Intriguing. But...
>
> I see your point and it's an interesting idea. It has possibilities. It also has the potential for ambiguous or confusing behavior for some commands such as lxc-start or lxc-create where you really want to specify a definitive location aot a search path (though, I could see the use for a search for lxc-start (find the first stopped container in a PATH stanza that can be started - would that be safe?). I guess lxc-create could settle on the first location it could write to (placing user directories earlier in the path to control priority). Worse would be the case of lxc-stop where there were multiple containers with the same name only different lxcpath locations within the greater search string. That could get ugly and non-deterministic.
>
> This could certainly be beneficial to things like lxc-ls where containers are scattered between different locations. In that case, it might also be useful to utilize an LXC_PATH environment variable in addition to the -P/--lxcpath command line options and config file options.
>
> That's a very interesting idea that I would support if we could work any various ambiguous behaviors for all the commands in a way that did not result in user confusion. One thing I would NOT like to see is a situation where some commands (lxc-ls) take a search path while some commands will only accept an atomic absolute path. That sort of confusion would not end well.
>
> > This could help to support HA scenarios based on DRBD or a network file system, for example. If one LXC server dies, then a fallback host could take over the abandoned /data2/lxc in parallel to its own /data1/lxc directory.
> >
> > Regards
> > Harri
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 978-7061 | m...@wittsend.com
> /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0x674627FF| possible worlds. A pessimist is sure of it!

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [lxc-devel] making lxcpath a real path?
On Tue, Dec 03, 2013 at 10:57:44AM -0500, Michael H. Warfield wrote:
> On Tue, 2013-12-03 at 10:20 -0500, Stéphane Graber wrote:
> > On Tue, Dec 03, 2013 at 10:00:02AM -0500, Michael H. Warfield wrote:
> > > On Tue, 2013-12-03 at 12:49 +0100, Harald Dunkel wrote:
> > > > Hi folks,
> > > >
> > > > do you think it would be possible to make the path set by -P/--lxcpath or in the config file a _real_ path, e.g.
> > > >
> > > > lxc-ls -P /data1/lxc:/data2/lxc --fancy
> > > >
> > > > ?
> >
> > I'd recommend not using that kind of confusing syntax (e.g. what if I actually have a directory called /data/lxc: ?).
>
> Well, there is plenty of precedence there with the syntax of various PATH environment variables, syntax for NFS (and other) mounts, etc, etc. That's a convention that has been embedded in *NIX that goes back decades preceding even my involvement back in the '80s. That, and you can always escape a delimiter (doubling or \ conventions).
>
> Colons are considered reserved even to the extent that IPv6 literals, in many cases, have to be enclosed in square brackets to indicate them. In some commands, the colon is used to delineate an address from a port number even. Using a colon in a file system path is already fraught with gotcha's. You can't have a directory in PATH or LD_LIBRARY_PATH with a : in as part of the absolute path stanza although there are certain heuristics that can be applied to allow it (a PATH stanza is an absolute path and has to begin with a / so a :/ would indicate a delimiter and your example may be coded as /data/lxc::/user/data for /data/lxc: and /user/data say).
>
> Arguing over : as a path delimiter, which is a long traditional established practice, is on equal footing with arguing if someone should be allowed to have a / in a file name. The precedent has been set.
>
> Which actually reminds me. I did run into some cases where there was some problem with whitespace in some names (an abominable, but common, practice). I won't totally swear that even the Fedora template will handle white space in names and paths cleanly (I need to test that! - On my list).

Sure, I never said that using : as a delimiter wasn't common for some specific cases (mostly path environment variables) but it's not consistent with what we've been doing in LXC and until now we've been fortunate enough not to have to add extended parsing for paths in our code and I'd prefer for it to stay that way.

> > Instead if we are to implement such a feature, we should be consistent with what we've been doing in the past and allow for lxcpath to be present multiple times in lxc.conf and for -P to be passed multiple times on the command line of all of our binaries.
>
> Yeah, that's a convention that I personally never liked and is inconsistent with so many other *NIX commands. The two syntaxes are not mutually exclusive, either, as each can easily be parsed into the other in an unambiguous format using doubling as an escape (: - ::) if you really consider a : to be an important part of the filename namespace. I could easily do some of the coding for that. The uglier part would actually be in the search logic wherever lxcpath is referenced in the code (which I just got done doing in some of my last few patches).
>
> The multiple -P options also makes implementing some options and environment variables extremely difficult and there may be some reason for considering that. Particularly, with what Serge is doing with user specific containers, I could easily envision (and desire) an environment variable LXC_PATH which could be set on a user basis in their profiles and they could then use all the commands without repetitively adding the -P option(s). Ok... Yeah, this could also be done with a crap load of aliases as well but that's kinda butt ugly and, really, an environment variable is cleaner and more appropriate to a case like that and a search path makes more sense in that case.

My expectation for the userns work was that we'd define a default lxcpath for when LXC is run as non-root and an alternate location for lxc.conf too. So the user could simply set lxcpath in say .config/lxc/lxc.conf and all commands would respect that (just as they all respect /etc/lxc/lxc.conf at the moment).

> > > You had me confused for a brief moment, referring to this as a _real_ path and I had to think about it for a bit. We have a problem with ambiguity in the language where path can mean multiple things. It can mean a singular absolute file system path to a file on a file system or it can mean a delimited set of paths as in the PATH or LD_LIBRARY_PATH environment variables. Both are equally _real_ it's the context of the utilization that makes the difference. One specifies a definitive location while the other describes a search path to be processed. You're suggesting changing the lxcpath from an absolute path to a search path concept. Interesting. Intriguing. But...
> > >
> > > I see your
Re: [lxc-devel] [PATCH] ubuntu: Fix regression in post-process
On Tue, Dec 03, 2013 at 05:43:47PM -0600, Serge Hallyn wrote:
Quoting S.Çağlar Onur (cag...@10ur.org):

Hey Stéphane,

On Wed, Nov 27, 2013 at 7:49 PM, Stéphane Graber stgra...@ubuntu.com wrote:

The recent reorg of lxc-ubuntu introduced some package installation in post-process but without first disabling service startup. As a result, if the cache is a bit out of date and a ssh update is available, post-process will apply that update (as it does apt-get install ssh vim) which in turn will attempt to start sshd. This will either lead to ssh on the host being restarted or if there's no sshd on the host, will fail the container creation as the postinst will get an error from upstart. The fix is very simply to add the same policy-rc.d trick when running post-process.

I'm not sure whether this is the desired outcome (I haven't taken a look at it yet) but it looks like after this change lxc-create -n t -t ubuntu started to take more time (order of couple of minutes) to

Can you reproduce this at will - revert the change and it's faster, reapply and it's slower? -serge

Yes, lxc-ubuntu is now slower when creating a container as an extra apt-get update run and installation of vim was moved from being done when creating the cache to being done at container creation time. That change was caused by the addition of --packages which allows users to specify extra packages that should be available in the container. I believe at least one problem with that is that ssh is apt-get install'ed both at cache creation time and at container creation time. In most cases this would be a no-op, but if the cache is outdated, then ssh and openssh-server will get upgraded at container creation time, creating an extra delay.

I think we should just be dropping ssh from the list of packages installed at creation time (since it's already in the original install) and I'd be happy to change the behaviour so that vim is always installed (as it used to be) and that this extra apt-get update + apt-get install run would only happen when extra packages are actually passed on the command line.

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
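The policy-rc.d trick referred to in the message above, as an added example that is not code from the lxc-ubuntu template: invoke-rc.d consults /usr/sbin/policy-rc.d inside the rootfs and treats exit status 101 as "action forbidden by policy", so package maintainer scripts skip starting or restarting services. The function names `with_policy_rcd` and `policy_status` and the `.lxc-saved` suffix are hypothetical.

```shell
#!/bin/sh
# Added example (not from the lxc-ubuntu template): keep package scripts
# from starting services while a command runs against a container rootfs.

# with_policy_rcd ROOTFS CMD [ARG...]
# Installs a deny-all policy-rc.d in ROOTFS, runs CMD, then puts the rootfs
# back the way it was found, whether CMD succeeded or not.
# Returns CMD's exit status.
with_policy_rcd() {
    rootfs=$1
    shift
    policy="$rootfs/usr/sbin/policy-rc.d"
    backup=""

    mkdir -p "$rootfs/usr/sbin" || return 1

    # Preserve a policy that is already present (hypothetical backup name).
    if [ -e "$policy" ]; then
        backup="$policy.lxc-saved"
        mv "$policy" "$backup" || return 1
    fi

    # 101 = action forbidden by policy
    printf '#!/bin/sh\nexit 101\n' > "$policy" || return 1
    chmod 0755 "$policy" || return 1

    # "|| status=$?" keeps the cleanup below running under "set -e" too.
    status=0
    "$@" || status=$?

    rm -f "$policy"
    if [ -n "$backup" ]; then
        mv "$backup" "$policy"
    fi
    return "$status"
}

# policy_status ROOTFS
# Exit status of the policy script currently installed in ROOTFS, queried
# the way invoke-rc.d would for "ssh start"; 0 when no policy is installed.
# Run through sh so the demo also works on a noexec temporary directory.
policy_status() {
    if [ -f "$1/usr/sbin/policy-rc.d" ]; then
        sh "$1/usr/sbin/policy-rc.d" ssh start
    else
        return 0
    fi
}

# Demo on a constructed rootfs: an empty temporary directory, not a container.
demo_rootfs=$(mktemp -d)
rc=0
with_policy_rcd "$demo_rootfs" policy_status "$demo_rootfs" || rc=$?
echo "during post-process: policy-rc.d exits $rc"
rc=0
policy_status "$demo_rootfs" || rc=$?
echo "after post-process: policy-rc.d exits $rc"
rm -rf "$demo_rootfs"
```

In a template the wrapped command would be the chroot call itself, for example `with_policy_rcd "$rootfs" chroot "$rootfs" apt-get install -y vim`.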
Re: [lxc-devel] [PATCH] Add LXC version information to version.h
_VERSION_H +#define _VERSION_H + +#define LXC_VERSION_MAJOR @LXC_VERSION_MAJOR@ +#define LXC_VERSION_MINOR @LXC_VERSION_MINOR@ +#define LXC_VERSION_MICRO @LXC_VERSION_MICRO@ +#define LXC_VERSION @LXC_VERSION@ + +/* + * Returns the version number of the library + */ +extern const char *lxc_version(void); + +#endif -- 1.8.3.2
-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
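Review bot: The include guard `_VERSION_H` in the new version.h begins with an underscore followed by an uppercase letter, which C reserves for the implementation, and it is generic enough to collide with another project's version.h guard once this header is installed. A project-prefixed guard such as `LXC_VERSION_H` avoids both problems. The comment above `lxc_version()` could also say who owns the returned string.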
[lxc-devel] [PATCH] Reduce public API
This removes all but the following headers from our includes: - attach_options.h - lxccontainer.h - version.h This also removes the duplicate lxc_version function (lxc_get_version has been preferred for a while). lxclock.h is now considered private, the lxc_lock struct has therefore been moved to lxccontainer.h (as it's a dependency of lxc_container) but all other locking functions are now strictly internal. As a result quite a lot of files needed addition of extra includes previously inherited from lxclock.h. Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/Makefile.am| 19 +-- src/lxc/bdev.c | 1 + src/lxc/lxc_config.c | 1 + src/lxc/lxc_create.c | 1 + src/lxc/lxc_snapshot.c | 1 + src/lxc/lxccontainer.c | 3 ++- src/lxc/lxccontainer.h | 21 ++--- src/lxc/lxclock.h | 17 + src/lxc/version.c | 29 - src/lxc/version.h.in | 5 - src/tests/attach.c | 2 ++ src/tests/cgpath.c | 2 ++ src/tests/concurrent.c | 2 ++ src/tests/console.c| 2 ++ src/tests/containertests.c | 1 + src/tests/get_item.c | 1 + src/tests/list.c | 1 + src/tests/lxcpath.c| 1 + src/tests/snapshot.c | 2 ++ src/tests/startone.c | 1 + 20 files changed, 41 insertions(+), 72 deletions(-) delete mode 100644 src/lxc/version.c diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index bf93baa..5369700 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -1,23 +1,6 @@ pkginclude_HEADERS = \ - arguments.h \ - attach.h \ attach_options.h \ - bdev.h \ - caps.h \ - cgroup.h \ - conf.h \ - console.h \ - error.h \ - list.h \ - log.h \ lxccontainer.h \ - lxc.h \ - lxclock.h \ - monitor.h \ - namespace.h \ - start.h \ - state.h \ - utils.h \ version.h if IS_BIONIC @@ -87,7 +70,7 @@ liblxc_so_SOURCES = \ lxcutmp.c lxcutmp.h \ lxclock.h lxclock.c \ lxccontainer.c lxccontainer.h \ - version.c version.h \ + version.h \ \ $(LSM_SOURCES) diff --git a/src/lxc/bdev.c b/src/lxc/bdev.c index 03fecfb..249815e 100644 --- a/src/lxc/bdev.c +++ b/src/lxc/bdev.c 
@@ -47,6 +47,7 @@ #include namespace.h #include parse.h #include utils.h +#include lxclock.h #ifndef BLKGETSIZE64 #define BLKGETSIZE64 _IOR(0x12,114,size_t) diff --git a/src/lxc/lxc_config.c b/src/lxc/lxc_config.c index 21bde64..8a4114d 100644 --- a/src/lxc/lxc_config.c +++ b/src/lxc/lxc_config.c @@ -19,6 +19,7 @@ */ #include stdio.h +#include string.h #include config.h #include lxc/lxccontainer.h diff --git a/src/lxc/lxc_create.c b/src/lxc/lxc_create.c index 754afbf..7399683 100644 --- a/src/lxc/lxc_create.c +++ b/src/lxc/lxc_create.c @@ -23,6 +23,7 @@ #include libgen.h #include unistd.h #include ctype.h +#include fcntl.h #include sys/types.h #include lxc/lxc.h diff --git a/src/lxc/lxc_snapshot.c b/src/lxc/lxc_snapshot.c index d80dd39..f80afe5 100644 --- a/src/lxc/lxc_snapshot.c +++ b/src/lxc/lxc_snapshot.c @@ -24,6 +24,7 @@ #include unistd.h #include ctype.h #include sys/types.h +#include fcntl.h #include lxc/lxc.h #include lxc/log.h diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 50796ae..7f54f50 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -50,6 +50,7 @@ #include sched.h #include arpa/inet.h #include libgen.h +#include lxclock.h #if HAVE_IFADDRS_H #include ifaddrs.h @@ -2107,7 +2108,7 @@ const char *lxc_get_default_zfs_root(void) const char *lxc_get_version(void) { - return lxc_version(); + return LXC_VERSION; } static int copy_file(char *old, char *new) diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h index d57aead..832440d 100644 --- a/src/lxc/lxccontainer.h +++ b/src/lxc/lxccontainer.h @@ -22,12 +22,11 @@ #ifndef __LXC_CONTAINER_H #define __LXC_CONTAINER_H -#include lxclock.h #include attach_options.h -#include stdlib.h #include malloc.h - +#include semaphore.h #include stdbool.h +#include stdlib.h #define LXC_CLONE_KEEPNAME(1 0) /*! Do not edit the rootfs to change the hostname */ #define LXC_CLONE_COPYHOOKS (1 1) /*! Copy all hooks into the container directory */ 
@@ -42,6 +41,22 @@ struct bdev_specs; struct lxc_snapshot; /*! + * LXC Lock +*/ +struct lxc_lock { + short type; //! Lock type + + union { + sem_t *sem; //! Anonymous semaphore (LXC_LOCK_ANON_SEM) + /*! LXC_LOCK_FLOCK details */ + struct { + int fd; //! fd on which a lock is held (if not -1) + char *fname
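Review bot: In the lxccontainer.h hunk, copying the full `struct lxc_lock` definition into the installed header makes the lock layout (the `sem_t *sem` member and the flock `fd`/`fname` pair) part of the public ABI and forces `semaphore.h` on every consumer, which works against the stated goal of making lxclock.h private. If `lxc_container` only stores pointers to its locks, a forward declaration `struct lxc_lock;` is enough and the definition can stay in lxclock.h.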
Re: [lxc-devel] [PATCH 1/1] confile.c: clear entries if no value
On Mon, Dec 02, 2013 at 01:24:10PM -0600, Serge Hallyn wrote: For list configuration entries like capabilities and cgroups entries, if there is a 'key =' value (i.e. lxc.cap.drop =) then clear any loaded entries. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Thanks for doing the work! Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/conf.h| 1 + src/lxc/confile.c | 23 --- 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/src/lxc/conf.h b/src/lxc/conf.h index 84ffb20..f272c91 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h @@ -353,6 +353,7 @@ extern int lxc_clear_config_keepcaps(struct lxc_conf *c); extern int lxc_clear_cgroups(struct lxc_conf *c, const char *key); extern int lxc_clear_mount_entries(struct lxc_conf *c); extern int lxc_clear_hooks(struct lxc_conf *c, const char *key); +extern int lxc_clear_idmaps(struct lxc_conf *c); /* * Configure the container from inside diff --git a/src/lxc/confile.c b/src/lxc/confile.c index bbb92dd..835153b 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -295,6 +295,9 @@ static int config_network_type(const char *key, const char *value, struct lxc_netdev *netdev; struct lxc_list *list; + if (!value || strlen(value) == 0) + return lxc_clear_config_network(lxc_conf); + netdev = malloc(sizeof(*netdev)); if (!netdev) { SYSERROR(failed to allocate memory); @@ -865,7 +868,12 @@ static int config_seccomp(const char *key, const char *value, static int config_hook(const char *key, const char *value, struct lxc_conf *lxc_conf) { - char *copy = strdup(value); + char *copy; + + if (!value || strlen(value) == 0) + return lxc_clear_hooks(lxc_conf, key); + + copy = strdup(value); if (!copy) { SYSERROR(failed to dup string '%s', value); return -1; 
@@ -1062,6 +1070,9 @@ static int config_cgroup(const char *key, const char *value, struct lxc_list *cglist = NULL; struct lxc_cgroup *cgelem = NULL; + if (!value || strlen(value) == 0) + return lxc_clear_cgroups(lxc_conf, key); + subkey = strstr(key, token); if (!subkey) @@ -1123,6 +1134,9 @@ static int config_idmap(const char *key, const char *value, struct lxc_conf *lxc char type; int ret; + if (!value || strlen(value) == 0) + return lxc_clear_idmaps(lxc_conf); + subkey = strstr(key, token); if (!subkey) @@ -1250,6 +1264,9 @@ static int config_mount(const char *key, const char *value, char *mntelem; struct lxc_list *mntlist; + if (!value || strlen(value) == 0) + return lxc_clear_mount_entries(lxc_conf); + subkey = strstr(key, token); if (!subkey) { @@ -1294,7 +1311,7 @@ static int config_cap_keep(const char *key, const char *value, int ret = -1; if (!strlen(value)) - return -1; + return lxc_clear_config_keepcaps(lxc_conf); keepcaps = strdup(value); if (!keepcaps) { 
@@ -1340,7 +1357,7 @@ static int config_cap_drop(const char *key, const char *value, int ret = -1; if (!strlen(value)) - return -1; + return lxc_clear_config_caps(lxc_conf); dropcaps = strdup(value); if (!dropcaps) { -- 1.8.3.2
-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
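Review bot: The `config_cap_keep` and `config_cap_drop` hunks still test `if (!strlen(value))` with no NULL check, while every other handler touched by this patch uses `if (!value || strlen(value) == 0)`. Use the same guard in both so a NULL value cannot reach `strlen`. Because an empty `lxc.cap.drop =` now discards every capability drop loaded earlier instead of returning -1, a log line when a list is cleared would make that visible to someone auditing a container's effective configuration.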
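Review bot: conf.h gains `extern int lxc_clear_idmaps(struct lxc_conf *c);` but the diffstat lists only conf.h and confile.c, so conf.c is untouched. Please confirm that `lxc_clear_idmaps` is already defined without `static` in conf.c; otherwise the new call in `config_idmap` fails at link time.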
Re: [lxc-devel] [PATCH] Reduce public API
On Mon, Dec 02, 2013 at 01:31:21PM -0600, Serge Hallyn wrote: Quoting Stéphane Graber (stgra...@ubuntu.com): This removes all but the following headers from our includes: - attach_options.h - lxccontainer.h - version.h This also removes the duplicate lxc_version function (lxc_get_version has been preferred for a while). lxclock.h is now considered private, the lxc_lock struct has therefore been moved to lxccontainer.h (as it's a dependency of lxc_container) but all other locking functions are now strictly internal. As a result quite a lot of files needed addition of extra includes previously inherited from lxclock.h. Hm, why did you have to move the struct lxc_lock from lxclock.h to lxccontainer.h? That seems to imply there's a problem elsewhere. What failed without that? The lxc_container struct contains slock and privlock which are both of lxc_lock struct so we need that type defined somewhere publicly accessible. Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/Makefile.am| 19 +-- src/lxc/bdev.c | 1 + src/lxc/lxc_config.c | 1 + src/lxc/lxc_create.c | 1 + src/lxc/lxc_snapshot.c | 1 + src/lxc/lxccontainer.c | 3 ++- src/lxc/lxccontainer.h | 21 ++--- src/lxc/lxclock.h | 17 + src/lxc/version.c | 29 - src/lxc/version.h.in | 5 - src/tests/attach.c | 2 ++ src/tests/cgpath.c | 2 ++ src/tests/concurrent.c | 2 ++ src/tests/console.c| 2 ++ src/tests/containertests.c | 1 + src/tests/get_item.c | 1 + src/tests/list.c | 1 + src/tests/lxcpath.c| 1 + src/tests/snapshot.c | 2 ++ src/tests/startone.c | 1 + 20 files changed, 41 insertions(+), 72 deletions(-) delete mode 100644 src/lxc/version.c diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index bf93baa..5369700 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am 
@@ -1,23 +1,6 @@ pkginclude_HEADERS = \ - arguments.h \ - attach.h \ attach_options.h \ - bdev.h \ - caps.h \ - cgroup.h \ - conf.h \ - console.h \ - error.h \ - list.h \ - log.h \ lxccontainer.h \ - lxc.h \ - lxclock.h \ - monitor.h \ - namespace.h \ - start.h \ - state.h \ - utils.h \ version.h if IS_BIONIC @@ -87,7 +70,7 @@ liblxc_so_SOURCES = \ lxcutmp.c lxcutmp.h \ lxclock.h lxclock.c \ lxccontainer.c lxccontainer.h \ - version.c version.h \ + version.h \ \ $(LSM_SOURCES) diff --git a/src/lxc/bdev.c b/src/lxc/bdev.c index 03fecfb..249815e 100644 --- a/src/lxc/bdev.c +++ b/src/lxc/bdev.c @@ -47,6 +47,7 @@ #include namespace.h #include parse.h #include utils.h +#include lxclock.h #ifndef BLKGETSIZE64 #define BLKGETSIZE64 _IOR(0x12,114,size_t) diff --git a/src/lxc/lxc_config.c b/src/lxc/lxc_config.c index 21bde64..8a4114d 100644 --- a/src/lxc/lxc_config.c +++ b/src/lxc/lxc_config.c @@ -19,6 +19,7 @@ */ #include stdio.h +#include string.h #include config.h #include lxc/lxccontainer.h diff --git a/src/lxc/lxc_create.c b/src/lxc/lxc_create.c index 754afbf..7399683 100644 --- a/src/lxc/lxc_create.c +++ b/src/lxc/lxc_create.c @@ -23,6 +23,7 @@ #include libgen.h #include unistd.h #include ctype.h +#include fcntl.h #include sys/types.h #include lxc/lxc.h diff --git a/src/lxc/lxc_snapshot.c b/src/lxc/lxc_snapshot.c index d80dd39..f80afe5 100644 --- a/src/lxc/lxc_snapshot.c +++ b/src/lxc/lxc_snapshot.c @@ -24,6 +24,7 @@ #include unistd.h #include ctype.h #include sys/types.h +#include fcntl.h #include lxc/lxc.h #include lxc/log.h diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 50796ae..7f54f50 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -50,6 +50,7 @@ #include sched.h #include arpa/inet.h #include libgen.h +#include lxclock.h #if HAVE_IFADDRS_H #include ifaddrs.h 
@@ -2107,7 +2108,7 @@ const char *lxc_get_default_zfs_root(void) const char *lxc_get_version(void) { - return lxc_version(); + return LXC_VERSION; } static int copy_file(char *old, char *new) diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h index d57aead..832440d 100644 --- a/src/lxc/lxccontainer.h +++ b/src/lxc/lxccontainer.h @@ -22,12 +22,11 @@ #ifndef __LXC_CONTAINER_H #define __LXC_CONTAINER_H -#include lxclock.h #include attach_options.h -#include stdlib.h #include malloc.h - +#include semaphore.h #include
[lxc-devel] [PATCH] Reduce public API (V2)
This removes all but the following headers from our includes: - attach_options.h - lxccontainer.h - version.h This also removes the duplicate lxc_version function (lxc_get_version has been preferred for a while). lxclock.h is now considered private. As a result quite a lot of files needed addition of extra includes previously inherited from lxclock.h. Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/Makefile.am| 19 +-- src/lxc/bdev.c | 1 + src/lxc/lxc_config.c | 1 + src/lxc/lxc_create.c | 1 + src/lxc/lxc_snapshot.c | 1 + src/lxc/lxccontainer.c | 3 ++- src/lxc/lxccontainer.h | 7 --- src/lxc/version.c | 29 - src/lxc/version.h.in | 5 - src/tests/attach.c | 2 ++ src/tests/cgpath.c | 2 ++ src/tests/concurrent.c | 2 ++ src/tests/console.c| 2 ++ src/tests/containertests.c | 1 + src/tests/get_item.c | 1 + src/tests/list.c | 1 + src/tests/lxcpath.c| 1 + src/tests/snapshot.c | 2 ++ src/tests/startone.c | 1 + 19 files changed, 26 insertions(+), 56 deletions(-) delete mode 100644 src/lxc/version.c diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index bf93baa..5369700 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -1,23 +1,6 @@ pkginclude_HEADERS = \ - arguments.h \ - attach.h \ attach_options.h \ - bdev.h \ - caps.h \ - cgroup.h \ - conf.h \ - console.h \ - error.h \ - list.h \ - log.h \ lxccontainer.h \ - lxc.h \ - lxclock.h \ - monitor.h \ - namespace.h \ - start.h \ - state.h \ - utils.h \ version.h if IS_BIONIC @@ -87,7 +70,7 @@ liblxc_so_SOURCES = \ lxcutmp.c lxcutmp.h \ lxclock.h lxclock.c \ lxccontainer.c lxccontainer.h \ - version.c version.h \ + version.h \ \ $(LSM_SOURCES) diff --git a/src/lxc/bdev.c b/src/lxc/bdev.c index 03fecfb..249815e 100644 --- a/src/lxc/bdev.c +++ b/src/lxc/bdev.c @@ -47,6 +47,7 @@ #include namespace.h #include parse.h #include utils.h +#include lxclock.h #ifndef BLKGETSIZE64 #define BLKGETSIZE64 _IOR(0x12,114,size_t) diff --git a/src/lxc/lxc_config.c b/src/lxc/lxc_config.c index 21bde64..8a4114d 100644 
--- a/src/lxc/lxc_config.c +++ b/src/lxc/lxc_config.c @@ -19,6 +19,7 @@ */ #include stdio.h +#include string.h #include config.h #include lxc/lxccontainer.h diff --git a/src/lxc/lxc_create.c b/src/lxc/lxc_create.c index 754afbf..7399683 100644 --- a/src/lxc/lxc_create.c +++ b/src/lxc/lxc_create.c @@ -23,6 +23,7 @@ #include libgen.h #include unistd.h #include ctype.h +#include fcntl.h #include sys/types.h #include lxc/lxc.h diff --git a/src/lxc/lxc_snapshot.c b/src/lxc/lxc_snapshot.c index d80dd39..f80afe5 100644 --- a/src/lxc/lxc_snapshot.c +++ b/src/lxc/lxc_snapshot.c @@ -24,6 +24,7 @@ #include unistd.h #include ctype.h #include sys/types.h +#include fcntl.h #include lxc/lxc.h #include lxc/log.h diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 50796ae..7f54f50 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -50,6 +50,7 @@ #include sched.h #include arpa/inet.h #include libgen.h +#include lxclock.h #if HAVE_IFADDRS_H #include ifaddrs.h @@ -2107,7 +2108,7 @@ const char *lxc_get_default_zfs_root(void) const char *lxc_get_version(void) { - return lxc_version(); + return LXC_VERSION; } static int copy_file(char *old, char *new) diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h index d57aead..4ad3b66 100644 --- a/src/lxc/lxccontainer.h +++ b/src/lxc/lxccontainer.h @@ -22,12 +22,11 @@ #ifndef __LXC_CONTAINER_H #define __LXC_CONTAINER_H -#include lxclock.h #include attach_options.h -#include stdlib.h #include malloc.h - +#include semaphore.h #include stdbool.h +#include stdlib.h #define LXC_CLONE_KEEPNAME(1 0) /*! Do not edit the rootfs to change the hostname */ #define LXC_CLONE_COPYHOOKS (1 1) /*! Copy all hooks into the container directory */ @@ -41,6 +40,8 @@ struct bdev_specs; struct lxc_snapshot; +struct lxc_lock; + /*! * An LXC container. */ diff --git a/src/lxc/version.c b/src/lxc/version.c deleted file mode 100644 index bfa34bd..000 --- a/src/lxc/version.c +++ /dev/null 
@@ -1,29 +0,0 @@ -/* - * lxc: linux Container library - * - * (C) Copyright IBM Corp. 2007, 2008 - * - * Authors: - * Daniel Lezcano daniel.lezcano at free.fr - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public - * License as published by the Free Software Foundation; either - * version 2.1
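Review bot: Deleting src/lxc/version.c removes the exported `lxc_version()` symbol from liblxc, so a program already linked against it will fail to resolve the symbol after the library is upgraded. The commit message notes that `lxc_get_version` has been preferred for a while; it should also state that this is an intentional ABI break, or `lxc_version()` could be kept as a thin wrapper around `LXC_VERSION` for one release.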
Re: [lxc-devel] [PATCH] python3: Allow setting daemonize and close_fds
On Fri, Nov 29, 2013 at 09:27:15AM -0600, Serge Hallyn wrote:
Quoting Stéphane Graber (stgra...@ubuntu.com):

This extends the list of arguments of start() allowing the user to request the container be started in the foreground and have control on whether fds will be closed or not (daemonize=True implies that too).

One problem at the moment however is that while we have functions to set close_fds and daemonize in the API, we don't have functions to unset those flags, so those new parameters will only work on the initial call to start(); any further call will use the values of the previous one.

I think it'd make sense to change lxcapi slightly to have daemonize and close_fds offer a similar interface, both returning booleans and both accepting a value as a parameter so API users can set the value they want.

What would be the point in checking the value as opposed to simply setting the one you want? If unsetting is all we need, we could just add a boolean argument to want_daemonize and want_close_all_fds. If there is a good reason to be able to check the values, then we can either add a get_daemonize, or make the second argument to want_daemonize an int, where -1 means unset, 1 means set, and 0 means just give me the return value. Or maybe we want to just add new api fns so as not to change the existing api? I'm feeling indecisive.

I don't want to check the values but I want to get error reporting. Currently want_daemonize doesn't return anything so I don't know whether the setting was saved or not. want_close_all_fds solves that issue by returning a bool with true meaning that the value was saved and false meaning that something went wrong. Considering that we haven't committed to a stable API yet, I'd think that just adding a second argument to both functions to pass the state we want would be perfectly fine and it'll be trivial to update any code using that. If you're happy with that, I'll send a patch later today doing just that.
Signed-off-by: Stéphane Graber stgra...@ubuntu.com Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com --- src/python-lxc/lxc.c | 33 + 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index f850a3d..5a20ff4 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c @@ -1221,13 +1221,21 @@ Container_snapshot_restore(Container *self, PyObject *args, PyObject *kwds) static PyObject * Container_start(Container *self, PyObject *args, PyObject *kwds) { +PyObject *useinit = NULL; +PyObject *daemonize = NULL; +PyObject *close_fds = NULL; + +PyObject *vargs = NULL; char** init_args = {NULL}; -PyObject *useinit = NULL, *retval = NULL, *vargs = NULL; + +PyObject *retval = NULL; int init_useinit = 0, i = 0; -static char *kwlist[] = {useinit, cmd, NULL}; +static char *kwlist[] = {useinit, daemonize, close_fds, + cmd, NULL}; -if (! PyArg_ParseTupleAndKeywords(args, kwds, |OO, kwlist, - useinit, vargs)) +if (! PyArg_ParseTupleAndKeywords(args, kwds, |, kwlist, + useinit, daemonize, close_fds, + vargs)) return NULL; if (useinit useinit == Py_True) { @@ -1241,7 +1249,13 @@ Container_start(Container *self, PyObject *args, PyObject *kwds) } } -self-container-want_daemonize(self-container); +if (close_fds close_fds == Py_True) { +self-container-want_close_all_fds(self-container); +} + +if (!daemonize || daemonize == Py_True) { +self-container-want_daemonize(self-container); +} if (self-container-start(self-container, init_useinit, init_args)) retval = Py_True; 
@@ -1519,10 +1533,13 @@ static PyMethodDef Container_methods[] = { }, {start, (PyCFunction)Container_start, METH_VARARGS|METH_KEYWORDS, - start(useinit = False, cmd = (,)) - boolean\n + start(useinit = False, daemonize=True, close_fds=False, + cmd = (,)) - boolean\n \n - Start the container, optionally using lxc-init and - an alternate init command, then returns its return code. + Start the container, return True on success.\n + When set useinit will make LXC use lxc-init to start the container.\n + The container can be started in the foreground with daemonize=False.\n + All fds may also be closed by passing close_fds=True. }, {stop, (PyCFunction)Container_stop, METH_NOARGS, -- 1.8.4.4
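Review bot: In `Container_start`, `close_fds` and `daemonize` are compared against `Py_True` by identity, so a truthy non-bool such as `daemonize=1` is treated as false and starts the container in the foreground, and `close_fds=1` is silently ignored. `PyObject_IsTrue()` would give the semantics Python callers expect, and the same applies to the existing `useinit` test. The new docstring should also say that `daemonize=True` closes all fds regardless of `close_fds`, as the commit message notes.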
[lxc-devel] [PATCH] Allow unsetting daemonize and close_fds
As mentioned in a previous commit, this does two changes:
- Make want_daemonize return a bool (false on failure, true on success)
- Make both want_daemonize and want_close_all_fds take a state argument so the user can choose to unset those flags.

This commit also updates all occurrences of those two functions.

Signed-off-by: Stéphane Graber stgra...@ubuntu.com
--- src/lua-lxc/core.c | 2 +- src/lxc/lxc_start.c| 4 ++-- src/lxc/lxccontainer.c | 20 +--- src/lxc/lxccontainer.h | 4 ++-- src/python-lxc/lxc.c | 10 -- src/tests/attach.c | 2 +- src/tests/cgpath.c | 2 +- src/tests/concurrent.c | 2 +- src/tests/console.c| 2 +- src/tests/containertests.c | 2 +- src/tests/createtest.c | 2 +- src/tests/shutdowntest.c | 2 +- 12 files changed, 33 insertions(+), 21 deletions(-) diff --git a/src/lua-lxc/core.c b/src/lua-lxc/core.c index 9492c07..04f2f1d 100644 --- a/src/lua-lxc/core.c +++ b/src/lua-lxc/core.c @@ -156,7 +156,7 @@ static int container_start(lua_State *L) argv[j] = NULL; } -c-want_daemonize(c); +c-want_daemonize(c, 1); lua_pushboolean(L, !!c-start(c, useinit, argv)); return 1; } diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c index e537846..2a833a6 100644 --- a/src/lxc/lxc_start.c +++ b/src/lxc/lxc_start.c @@ -325,7 +325,7 @@ int main(int argc, char *argv[]) } if (my_args.daemonize) { - c-want_daemonize(c); + c-want_daemonize(c, 1); } if (pid_fp != NULL) { @@ -337,7 +337,7 @@ int main(int argc, char *argv[]) } if (my_args.close_all_fds) - c-want_close_all_fds(c); + c-want_close_all_fds(c, 1); err = c-start(c, 0, args) ? 0 : -1; diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 283fbb5..4234760 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c
@@ -455,29 +455,35 @@ static bool lxcapi_load_config(struct lxc_container *c, const char *alt_file) return ret; } -static void lxcapi_want_daemonize(struct lxc_container *c) +static bool lxcapi_want_daemonize(struct lxc_container *c, int state) { + if (state 1) + return false; if (!c || !c-lxc_conf) - return; + return false; if (container_mem_lock(c)) { ERROR(Error getting mem lock); - return; + return false; } - c-daemonize = 1; + c-daemonize = state; /* daemonize implies close_all_fds so set it */ - c-lxc_conf-close_all_fds = 1; + if (state == 1) + c-lxc_conf-close_all_fds = 1; container_mem_unlock(c); + return true; } -static bool lxcapi_want_close_all_fds(struct lxc_container *c) +static bool lxcapi_want_close_all_fds(struct lxc_container *c, int state) { + if (state 1) + return false; if (!c || !c-lxc_conf) return false; if (container_mem_lock(c)) { ERROR(Error getting mem lock); return false; } - c-lxc_conf-close_all_fds = 1; + c-lxc_conf-close_all_fds = state; container_mem_unlock(c); return true; } diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h index 6044f4d..8333610 100644 --- a/src/lxc/lxccontainer.h +++ b/src/lxc/lxccontainer.h @@ -209,7 +209,7 @@ struct lxc_container { * * \return \c true if container wants to be daemonised, else \c false. */ - void (*want_daemonize)(struct lxc_container *c); + bool (*want_daemonize)(struct lxc_container *c, int state); /*! * \brief Determine whether container wishes all file descriptors @@ -220,7 +220,7 @@ struct lxc_container { * \return \c true if container wants all file descriptors closed, * else \c false. */ - bool (*want_close_all_fds)(struct lxc_container *c); + bool (*want_close_all_fds)(struct lxc_container *c, int state); /*! * \brief Return current config file name. diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index b4f1da3..92d79f9 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c 
@@ -1301,11 +1301,17 @@ Container_start(Container *self, PyObject *args, PyObject *kwds) } if (close_fds close_fds == Py_True) { -self-container-want_close_all_fds(self-container); +self-container-want_close_all_fds(self-container, 1); +} +else { +self-container-want_close_all_fds(self-container, 0); } if (!daemonize || daemonize == Py_True) { -self-container-want_daemonize(self-container); +self-container-want_daemonize(self-container, 1); +} +else { +self-container-want_daemonize(self-container, 0); } if (self-container-start(self-container, init_useinit, init_args
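Review bot: The stated purpose of this change is to let `want_daemonize` report failure, yet every updated caller visible here (`container_start` in core.c, `main` in lxc_start.c and `Container_start` in the Python binding) discards the return value of `want_daemonize` and `want_close_all_fds`. At least lxc_start.c and the Python binding should refuse to call `start` when either setter returns false, so that a container is never started with daemonize or fd-closing settings other than the ones the caller asked for.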
[lxc-devel] [PATCH] Update doxygen doc for previous change
Reported-by: James Hunt james.h...@ubuntu.com Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxccontainer.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h index 8333610..ed340e2 100644 --- a/src/lxc/lxccontainer.h +++ b/src/lxc/lxccontainer.h @@ -206,6 +206,7 @@ struct lxc_container { * from the terminal. * * \param c Container. +* \param state Value for the daemonize bit (0 or 1). * * \return \c true if container wants to be daemonised, else \c false. */ @@ -216,6 +217,7 @@ struct lxc_container { * to be closed on startup. * * \param c Container. +* \param state Value for the close_all_fds bit (0 or 1). * * \return \c true if container wants all file descriptors closed, * else \c false. -- 1.8.4.4
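Review bot: The two `\return` lines left as context still read "true if container wants to be daemonised" and "true if container wants all file descriptors closed", but after the previous change both functions return true when the value was saved and false on failure. Update the `\return` text together with the new `\param state` lines, and mention in the `want_daemonize` comment that passing 1 also sets close_all_fds.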
Re: [lxc-devel] [PATCH] Allow unsetting daemonize and close_fds
On Fri, Nov 29, 2013 at 02:40:35PM -0500, S.Çağlar Onur wrote:
On Fri, Nov 29, 2013 at 2:34 PM, Serge Hallyn serge.hal...@ubuntu.com wrote:
Quoting Stéphane Graber (stgra...@ubuntu.com):

As mentioned in a previous commit, this does two changes:
- Make want_daemonize return a bool (false on failure, true on success)
- Make both want_daemonize and want_close_all_fds take a state argument so the user can choose to unset those flags.

This commit also updates all occurrences of those two functions.

Signed-off-by: Stéphane Graber stgra...@ubuntu.com

Two comments below. With that and James' comments addressed, Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

--- src/lua-lxc/core.c | 2 +- src/lxc/lxc_start.c| 4 ++-- src/lxc/lxccontainer.c | 20 +--- src/lxc/lxccontainer.h | 4 ++-- src/python-lxc/lxc.c | 10 -- src/tests/attach.c | 2 +- src/tests/cgpath.c | 2 +- src/tests/concurrent.c | 2 +- src/tests/console.c| 2 +- src/tests/containertests.c | 2 +- src/tests/createtest.c | 2 +- src/tests/shutdowntest.c | 2 +- 12 files changed, 33 insertions(+), 21 deletions(-) diff --git a/src/lua-lxc/core.c b/src/lua-lxc/core.c index 9492c07..04f2f1d 100644 --- a/src/lua-lxc/core.c +++ b/src/lua-lxc/core.c @@ -156,7 +156,7 @@ static int container_start(lua_State *L) argv[j] = NULL; } -c-want_daemonize(c); +c-want_daemonize(c, 1); lua_pushboolean(L, !!c-start(c, useinit, argv)); return 1; } diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c index e537846..2a833a6 100644 --- a/src/lxc/lxc_start.c +++ b/src/lxc/lxc_start.c @@ -325,7 +325,7 @@ int main(int argc, char *argv[]) } if (my_args.daemonize) { - c-want_daemonize(c); + c-want_daemonize(c, 1); } if (pid_fp != NULL) { @@ -337,7 +337,7 @@ int main(int argc, char *argv[]) } if (my_args.close_all_fds) - c-want_close_all_fds(c); + c-want_close_all_fds(c, 1); err = c-start(c, 0, args) ? 0 : -1; diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 283fbb5..4234760 100644 --- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c @@ -455,29 +455,35 @@ static bool lxcapi_load_config(struct lxc_container *c, const char *alt_file) return ret; } -static void lxcapi_want_daemonize(struct lxc_container *c) +static bool lxcapi_want_daemonize(struct lxc_container *c, int state) { + if (state 1) What about 0? Why we are not passing a bool instead of int? I based this on similar parameters of other API functions (useinit being one). Though looking back now it seems we have a couple of cases where we're also passing bool in such case... I guess another reason would be if we ever wanted to add finer grained options for those two commands as unlikely as it may be :) Serge: Any preference? + return false; if (!c || !c-lxc_conf) - return; + return false; if (container_mem_lock(c)) { ERROR(Error getting mem lock); - return; + return false; } - c-daemonize = 1; + c-daemonize = state; /* daemonize implies close_all_fds so set it */ - c-lxc_conf-close_all_fds = 1; + if (state == 1) + c-lxc_conf-close_all_fds = 1; container_mem_unlock(c); + return true; } -static bool lxcapi_want_close_all_fds(struct lxc_container *c) +static bool lxcapi_want_close_all_fds(struct lxc_container *c, int state) { + if (state 1) Same. + return false; if (!c || !c-lxc_conf) return false; if (container_mem_lock(c)) { ERROR(Error getting mem lock); return false; } - c-lxc_conf-close_all_fds = 1; + c-lxc_conf-close_all_fds = state; container_mem_unlock(c); return true; } diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h index 6044f4d..8333610 100644 --- a/src/lxc/lxccontainer.h +++ b/src/lxc/lxccontainer.h @@ -209,7 +209,7 @@ struct lxc_container { * * \return \c true if container wants to be daemonised, else \c false. */ - void (*want_daemonize)(struct lxc_container *c); + bool (*want_daemonize)(struct lxc_container *c, int state); /*! * \brief Determine whether container wishes all file descriptors 
@@ -220,7 +220,7 @@ struct lxc_container { * \return \c true if container wants all file descriptors closed, * else \c false. */ - bool (*want_close_all_fds)(struct lxc_container *c); + bool (*want_close_all_fds)(struct lxc_container *c, int state
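Review bot: in the lxccontainer.c hunk, lxcapi_want_close_all_fds now stores state unconditionally, so calling want_close_all_fds(c, 0) after want_daemonize(c, 1) clears close_all_fds while daemonize is still set, which contradicts the "daemonize implies close_all_fds" comment kept in lxcapi_want_daemonize and lets inherited descriptors reach the container. Either refuse state 0 while c->daemonize is set, or re-apply the implication at start time. The reverse case is also asymmetric: want_daemonize(c, 0) leaves close_all_fds at whatever the earlier call set, and nothing records whether that value was requested or implied.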
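Review bot: the doc comments above both prototypes in the lxccontainer.h hunks are left as they were, so they still describe the return value as "true if container wants to be daemonised" and "true if container wants all file descriptors closed", while the commit message says the functions now return false on failure and true on success. Update the \return text and add a \param state line that says which values are accepted, since the implementation rejects some of them.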
Re: [lxc-devel] [PATCH] Allow unsetting daemonize and close_fds
On Fri, Nov 29, 2013 at 04:16:46PM -0600, Serge Hallyn wrote: Quoting Stéphane Graber (stgra...@ubuntu.com): On Fri, Nov 29, 2013 at 02:40:35PM -0500, S.Çağlar Onur wrote: On Fri, Nov 29, 2013 at 2:34 PM, Serge Hallyn serge.hal...@ubuntu.com wrote: Quoting Stéphane Graber (stgra...@ubuntu.com): As mentioned in a previous commit, this does two changes: - Make want_daemonize return a bool (false on failure, true on success) - Make both want_daemonize and want_close_all_fds take a state argument so the user can choose to unset those flags. This commit also updates all occurrences of those two functions. Signed-off-by: Stéphane Graber stgra...@ubuntu.com Two comments below. With that and James' comments addressed, Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com --- src/lua-lxc/core.c | 2 +- src/lxc/lxc_start.c| 4 ++-- src/lxc/lxccontainer.c | 20 +--- src/lxc/lxccontainer.h | 4 ++-- src/python-lxc/lxc.c | 10 -- src/tests/attach.c | 2 +- src/tests/cgpath.c | 2 +- src/tests/concurrent.c | 2 +- src/tests/console.c| 2 +- src/tests/containertests.c | 2 +- src/tests/createtest.c | 2 +- src/tests/shutdowntest.c | 2 +- 12 files changed, 33 insertions(+), 21 deletions(-) diff --git a/src/lua-lxc/core.c b/src/lua-lxc/core.c index 9492c07..04f2f1d 100644 --- a/src/lua-lxc/core.c +++ b/src/lua-lxc/core.c @@ -156,7 +156,7 @@ static int container_start(lua_State *L) argv[j] = NULL; } -c-want_daemonize(c); +c-want_daemonize(c, 1); lua_pushboolean(L, !!c-start(c, useinit, argv)); return 1; } diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c index e537846..2a833a6 100644 --- a/src/lxc/lxc_start.c +++ b/src/lxc/lxc_start.c @@ -325,7 +325,7 @@ int main(int argc, char *argv[]) } if (my_args.daemonize) { - c-want_daemonize(c); + c-want_daemonize(c, 1); } if (pid_fp != NULL) { @@ -337,7 +337,7 @@ int main(int argc, char *argv[]) } if (my_args.close_all_fds) - c-want_close_all_fds(c); + c-want_close_all_fds(c, 1); err = c-start(c, 0, args) ? 0 : -1; 
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 283fbb5..4234760 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -455,29 +455,35 @@ static bool lxcapi_load_config(struct lxc_container *c, const char *alt_file) return ret; } -static void lxcapi_want_daemonize(struct lxc_container *c) +static bool lxcapi_want_daemonize(struct lxc_container *c, int state) { + if (state 1) What about 0? Why we are not passing a bool instead of int? I based this on similar parameters of other API functions (useinit being one). Though looking back now it seems we have a couple of cases where we're also passing bool in such case... I guess another reason would be if we ever wanted to add finer grained options for those two commands as unlikely as it may be :) Serge: Any preference? (I assume this question is now obsolete) -serge It's indeed, for anyone else following, I ended up converting those to bool and changing the type of daemonize to match. -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
[lxc-devel] [PATCH] ubuntu: Actually attempt to remove /dev/shm
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- templates/lxc-ubuntu-cloud.in | 3 ++- templates/lxc-ubuntu.in | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in index 3042d89..e97c7e3 100644 --- a/templates/lxc-ubuntu-cloud.in +++ b/templates/lxc-ubuntu-cloud.in @@ -139,8 +139,9 @@ EOF # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did # get bind mounted to the host's /run/shm. So try to rmdir # it, and in case that fails move it out of the way. +# NOTE: This can only be removed once 12.04 goes out of support if [ ! -L $rootfs/dev/shm ] [ -d $rootfs/run/shm ] [ -e $rootfs/dev/shm ]; then -mv $rootfs/dev/shm $rootfs/dev/shm.bak +rmdir $rootfs/dev/shm 2/dev/null || mv $rootfs/dev/shm $rootfs/dev/shm.bak ln -s /run/shm $rootfs/dev/shm fi diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 4e6a54f..8ed9be7 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -541,8 +541,9 @@ EOF # I'm afraid of doing rm -rf $rootfs/dev/shm, in case it did # get bind mounted to the host's /run/shm. So try to rmdir # it, and in case that fails move it out of the way. +# NOTE: This can only be removed once 12.04 goes out of support if [ ! -L $rootfs/dev/shm ] [ -d $rootfs/run/shm ] [ -e $rootfs/dev/shm ]; then -mv $rootfs/dev/shm $rootfs/dev/shm.bak +rmdir $rootfs/dev/shm 2/dev/null || mv $rootfs/dev/shm $rootfs/dev/shm.bak ln -s /run/shm $rootfs/dev/shm fi -- 1.8.4.4
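Review bot: in the lxc-ubuntu-cloud.in hunk, the outcome of the new rmdir-or-mv line is not checked before ln -s runs. If rmdir fails and the mv fallback fails as well, $rootfs/dev/shm is still a directory and ln -s /run/shm $rootfs/dev/shm creates the link inside it instead of replacing it, so the template finishes without the symlink it was meant to install. Make the ln conditional on the previous command succeeding and report the failure otherwise. The lxc-ubuntu.in hunk carries the same line.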
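Review bot: the added comment "NOTE: This can only be removed once 12.04 goes out of support" in the lxc-ubuntu.in hunk does not say what "This" covers or what 12.04 does that makes the block necessary. Spell out that it refers to the whole /dev/shm to /run/shm replacement and name the 12.04 behaviour being worked around, so that whoever removes it later knows what to verify first.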
[lxc-devel] [PATCH] python3: Add snapshot_* to the binding
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 127 +++ 1 file changed, 127 insertions(+) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index 050f6ae..f850a3d 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c 
@@ -1119,6 +1119,106 @@ Container_shutdown(Container *self, PyObject *args, PyObject *kwds) } static PyObject * +Container_snapshot(Container *self, PyObject *args, PyObject *kwds) +{ +char *comment_path = NULL; +static char *kwlist[] = {comment_path, NULL}; +int retval = 0; +int ret = 0; +char newname[20]; + +if (! PyArg_ParseTupleAndKeywords(args, kwds, |s, kwlist, + comment_path)) +return NULL; + +retval = self-container-snapshot(self-container, comment_path); + +if (retval 0) { +Py_RETURN_FALSE; +} + +ret = snprintf(newname, 20, snap%d, retval); +if (ret 0 || ret = 20) +return NULL; + + +return PyUnicode_FromString(newname); +} + +static PyObject * +Container_snapshot_destroy(Container *self, PyObject *args, PyObject *kwds) +{ +char *name = NULL; +static char *kwlist[] = {name, NULL}; + +if (! PyArg_ParseTupleAndKeywords(args, kwds, s|, kwlist, + name)) +return NULL; + +if (self-container-snapshot_destroy(self-container, name)) { +Py_RETURN_TRUE; +} + +Py_RETURN_FALSE; +} + +static PyObject * +Container_snapshot_list(Container *self, PyObject *args, PyObject *kwds) +{ +struct lxc_snapshot *snap; +int snap_count = 0; +PyObject *list = NULL; +int i = 0; + +snap_count = self-container-snapshot_list(self-container, snap); + +if (snap_count 0) { +PyErr_SetString(PyExc_KeyError, Unable to list snapshots); +return NULL; +} + +list = PyTuple_New(snap_count); +for (i = 0; i snap_count; i++) { +PyObject *list_entry = NULL; + +list_entry = PyTuple_New(4); +PyTuple_SET_ITEM(list_entry, 0, + PyUnicode_FromString(snap[i].name)); +PyTuple_SET_ITEM(list_entry, 1, + PyUnicode_FromString(snap[i].comment_pathname)); +PyTuple_SET_ITEM(list_entry, 2, + PyUnicode_FromString(snap[i].timestamp)); +PyTuple_SET_ITEM(list_entry, 3, + PyUnicode_FromString(snap[i].lxcpath)); + +snap[i].free(snap[i]); + +PyTuple_SET_ITEM(list, i, list_entry); +} + +return list; +} + + +static PyObject * +Container_snapshot_restore(Container *self, PyObject *args, PyObject *kwds) +{ +char *name = NULL; +char 
*newname = NULL; +static char *kwlist[] = {name, newname, NULL}; + +if (! PyArg_ParseTupleAndKeywords(args, kwds, s|s, kwlist, + name, newname)) +return NULL; + +if (self-container-snapshot_restore(self-container, name, newname)) { +Py_RETURN_TRUE; +} + +Py_RETURN_FALSE; +} + +static PyObject * Container_start(Container *self, PyObject *args, PyObject *kwds) { char** init_args = {NULL}; @@ -1390,6 +1490,33 @@ static PyMethodDef Container_methods[] = { unless timeout is set to a positive value, in which case the container will be killed when the timeout is reached. }, +{snapshot, (PyCFunction)Container_snapshot, + METH_VARARGS|METH_KEYWORDS, + snapshot(comment_path = None) - string\n + \n + Snapshot the container and return the snapshot name + (or False on error). +}, +{snapshot_destroy, (PyCFunction)Container_snapshot_destroy, + METH_VARARGS|METH_KEYWORDS, + snapshot_destroy(name) - boolean\n + \n + Destroy a snapshot. +}, +{snapshot_list, (PyCFunction)Container_snapshot_list, + METH_NOARGS, + snapshot_list() - tuple of snapshot tuples\n + \n + List all snapshots for a container. +}, +{snapshot_restore, (PyCFunction)Container_snapshot_restore, + METH_VARARGS|METH_KEYWORDS, + snapshot_restore(name, newname = None) - boolean\n + \n + Restore a container snapshot. If newname is provided a new + container will be created from the snapshot, otherwise an in-place + restore will be attempted. +}, {start, (PyCFunction)Container_start, METH_VARARGS|METH_KEYWORDS, start(useinit = False, cmd = (,)) - boolean\n -- 1.8.4.4
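Review bot: in the hunk that adds the snapshot functions, Container_snapshot returns NULL when the snprintf length check fails without setting a Python exception, which the interpreter surfaces as a SystemError; call PyErr_SetString before that return. In the same hunk, Container_snapshot_list calls snap[i].free on every entry but nothing releases the snap array itself, so if the caller owns that allocation it leaks on each call. The PyTuple_New results are also used unchecked, and snap[i].comment_pathname goes straight into PyUnicode_FromString, which is only safe if that field can never be NULL.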
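Review bot: the docstrings added to Container_methods do not match how the new functions report failure. snapshot documents "False on error", snapshot_destroy and snapshot_restore return a boolean, but snapshot_list raises KeyError and its docstring says nothing about it. Document the exception, and list the four fields of each entry in order (name, comment_pathname, timestamp, lxcpath), since "tuple of snapshot tuples" gives a caller no way to know the layout.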
[lxc-devel] [PATCH] python3: Allow setting daemonize and close_fds
This extends the list of arguments of start() allowing the user to request the container be started in the foreground and have control on whether fds will be closed or not (daemonize=True implies that too). One problem at the moment however is that while we have functions to set close_fds and daemonize in the API, we don't have functions to unset those flags, so those new parameters will only work on the initial call to start() any further call will use the values of the previous one. I think it'd make sense to change lxcapi slightly to have daemonize and close_fds offer a similar interface, both returning booleans and both accepting a value as a parameter so API users can set the value they want. Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 33 + 1 file changed, 25 insertions(+), 8 deletions(-) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index f850a3d..5a20ff4 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c @@ -1221,13 +1221,21 @@ Container_snapshot_restore(Container *self, PyObject *args, PyObject *kwds) static PyObject * Container_start(Container *self, PyObject *args, PyObject *kwds) { +PyObject *useinit = NULL; +PyObject *daemonize = NULL; +PyObject *close_fds = NULL; + +PyObject *vargs = NULL; char** init_args = {NULL}; -PyObject *useinit = NULL, *retval = NULL, *vargs = NULL; + +PyObject *retval = NULL; int init_useinit = 0, i = 0; -static char *kwlist[] = {useinit, cmd, NULL}; +static char *kwlist[] = {useinit, daemonize, close_fds, + cmd, NULL}; -if (! PyArg_ParseTupleAndKeywords(args, kwds, |OO, kwlist, - useinit, vargs)) +if (! PyArg_ParseTupleAndKeywords(args, kwds, |, kwlist, + useinit, daemonize, close_fds, + vargs)) return NULL; if (useinit useinit == Py_True) { 
@@ -1241,7 +1249,13 @@ Container_start(Container *self, PyObject *args, PyObject *kwds) } } -self-container-want_daemonize(self-container); +if (close_fds close_fds == Py_True) { +self-container-want_close_all_fds(self-container); +} + +if (!daemonize || daemonize == Py_True) { +self-container-want_daemonize(self-container); +} if (self-container-start(self-container, init_useinit, init_args)) retval = Py_True; @@ -1519,10 +1533,13 @@ static PyMethodDef Container_methods[] = { }, {start, (PyCFunction)Container_start, METH_VARARGS|METH_KEYWORDS, - start(useinit = False, cmd = (,)) - boolean\n + start(useinit = False, daemonize=True, close_fds=False, + cmd = (,)) - boolean\n \n - Start the container, optionally using lxc-init and - an alternate init command, then returns its return code. + Start the container, return True on success.\n + When set useinit will make LXC use lxc-init to start the container.\n + The container can be started in the foreground with daemonize=False.\n + All fds may also be closed by passing close_fds=True. }, {stop, (PyCFunction)Container_stop, METH_NOARGS, -- 1.8.4.4
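Review bot: the new checks in Container_start compare the arguments with Py_True by identity, so a truthy value that is not the True singleton is handled differently for each flag. close_fds=1 is silently ignored and descriptors stay open, while daemonize=1 is neither NULL nor Py_True and therefore switches daemonizing off. Evaluate both with PyObject_IsTrue and handle its -1 error return.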
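Review bot: the start() docstring in the Container_methods hunk lists close_fds=False next to daemonize=True as defaults, but the commit message states that daemonize=True implies closing fds, so with the documented defaults the descriptors are closed anyway. Say that in the docstring, and mention the limitation from the commit message that neither flag can be unset on a later start() call, since a caller reading only the docstring would expect close_fds=False to take effect.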
[lxc-devel] [PATCH] python3: Use FSConverter for all paths
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 69 +--- 1 file changed, 60 insertions(+), 9 deletions(-) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index 5a20ff4..b4f1da3 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c @@ -510,16 +510,33 @@ Container_add_device_node(Container *self, PyObject *args, PyObject *kwds) static char *kwlist[] = {src_path, dest_path, NULL}; char *src_path = NULL; char *dst_path = NULL; +PyObject *py_src_path = NULL; +PyObject *py_dst_path = NULL; -if (! PyArg_ParseTupleAndKeywords(args, kwds, s|s, kwlist, - src_path, dst_path)) +if (! PyArg_ParseTupleAndKeywords(args, kwds, O|O, kwlist, + PyUnicode_FSConverter, py_src_path, + PyUnicode_FSConverter, py_dst_path)) return NULL; +if (py_src_path != NULL) { +src_path = PyBytes_AS_STRING(py_src_path); +assert(src_path != NULL); +} + +if (py_dst_path != NULL) { +dst_path = PyBytes_AS_STRING(py_dst_path); +assert(dst_path != NULL); +} + if (self-container-add_device_node(self-container, src_path, dst_path)) { +Py_XDECREF(py_src_path); +Py_XDECREF(py_dst_path); Py_RETURN_TRUE; } +Py_XDECREF(py_src_path); +Py_XDECREF(py_dst_path); Py_RETURN_FALSE; } @@ -611,14 +628,16 @@ Container_clone(Container *self, PyObject *args, PyObject *kwds) char **hookargs = NULL; PyObject *py_hookargs = NULL; +PyObject *py_config_path = NULL; struct lxc_container *new_container = NULL; int i = 0; static char *kwlist[] = {newname, config_path, flags, bdevtype, bdevdata, newsize, hookargs, NULL}; -if (! PyArg_ParseTupleAndKeywords(args, kwds, s|sisskO, kwlist, - newname, config_path, flags, - bdevtype, bdevdata, newsize, +if (! PyArg_ParseTupleAndKeywords(args, kwds, s|OisskO, kwlist, + newname, + PyUnicode_FSConverter, py_config_path, + flags, bdevtype, bdevdata, newsize, py_hookargs)) return NULL; 
@@ -635,10 +654,17 @@ Container_clone(Container *self, PyObject *args, PyObject *kwds) } } +if (py_config_path != NULL) { +config_path = PyBytes_AS_STRING(py_config_path); +assert(config_path != NULL); +} + new_container = self-container-clone(self-container, newname, config_path, flags, bdevtype, bdevdata, newsize, hookargs); +Py_XDECREF(py_config_path); + if (hookargs) { for (i = 0; i PyTuple_GET_SIZE(py_hookargs); i++) free(hookargs[i]); @@ -1010,16 +1036,33 @@ Container_remove_device_node(Container *self, PyObject *args, PyObject *kwds) static char *kwlist[] = {src_path, dest_path, NULL}; char *src_path = NULL; char *dst_path = NULL; +PyObject *py_src_path = NULL; +PyObject *py_dst_path = NULL; -if (! PyArg_ParseTupleAndKeywords(args, kwds, s|s, kwlist, - src_path, dst_path)) +if (! PyArg_ParseTupleAndKeywords(args, kwds, O|O, kwlist, + PyUnicode_FSConverter, py_src_path, + PyUnicode_FSConverter, py_dst_path)) return NULL; +if (py_src_path != NULL) { +src_path = PyBytes_AS_STRING(py_src_path); +assert(src_path != NULL); +} + +if (py_dst_path != NULL) { +dst_path = PyBytes_AS_STRING(py_dst_path); +assert(dst_path != NULL); +} + if (self-container-remove_device_node(self-container, src_path, dst_path)) { +Py_XDECREF(py_src_path); +Py_XDECREF(py_dst_path); Py_RETURN_TRUE; } +Py_XDECREF(py_src_path); +Py_XDECREF(py_dst_path); Py_RETURN_FALSE; } @@ -1126,13 +1169,21 @@ Container_snapshot(Container *self, PyObject *args, PyObject *kwds) int retval = 0; int ret = 0; char newname[20]; +PyObject *py_comment_path; -if (! PyArg_ParseTupleAndKeywords(args, kwds, |s, kwlist, - comment_path)) +if (! PyArg_ParseTupleAndKeywords(args, kwds, |O, kwlist, + PyUnicode_FSConverter, py_comment_path)) return NULL; +if (py_comment_path != NULL) { +comment_path = PyBytes_AS_STRING(py_comment_path); +assert(comment_path != NULL); +} + retval = self-container-snapshot(self-container
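Review bot: in the Container_snapshot hunk, py_comment_path is declared without an initializer, unlike every other py_* variable this patch adds. comment_path is an optional argument, so when the caller omits it the converter never writes to py_comment_path and the following "py_comment_path != NULL" test reads an indeterminate pointer, which is then passed to PyBytes_AS_STRING. Declare it as "PyObject *py_comment_path = NULL;".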
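Review bot: in the Container_add_device_node hunk, the assert(src_path != NULL) and assert(dst_path != NULL) lines give no protection in a build with NDEBUG, and PyBytes_AS_STRING is a macro that performs no checking of its own, so these read as validation without being any. Drop them or replace them with a real check that sets an exception. The paired Py_XDECREF calls are also repeated on both return paths; keeping the call result in a local and releasing once before returning stops the two paths drifting apart. Container_remove_device_node repeats the same pattern.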
Re: [lxc-devel] [PATCH 1/1] chown_mapped_root: fix assumption that calling uid == guid
On Thu, Nov 28, 2013 at 10:53:13PM -0600, Serge Hallyn wrote: Because if they are not, then we'll fail trying to map that gid into the container. The function doesn't change any gids, but lxc-usernsexec always does setgid(0), so just map getgid() to 0 in the container. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/conf.c | 21 ++--- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 534e6e6..290a7bb 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c 
@@ -3331,19 +3331,26 @@ int chown_mapped_root(char *path, struct lxc_conf *conf) } if (!pid) { int hostuid = geteuid(), ret; - char map1[100], map2[100]; - char *args[] = {lxc-usernsexec, -m, map1, -m, map2, --, chown, - 0, path, NULL}; + char map1[100], map2[100], map3[100]; + char *args[] = {lxc-usernsexec, -m, map1, -m, map2, -m, + map3, --, chown, 0, path, NULL}; - // b:0:rootid:1 - ret = snprintf(map1, 100, b:0:%d:1, rootid); + // u:0:rootid:1 + ret = snprintf(map1, 100, u:0:%d:1, rootid); if (ret 0 || ret = 100) { ERROR(Error uid printing map string); return -1; } - // b:hostuid:hostuid:1 - ret = snprintf(map2, 100, b:%d:%d:1, hostuid, hostuid); + // u:hostuid:hostuid:1 + ret = snprintf(map2, 100, u:%d:%d:1, hostuid, hostuid); + if (ret 0 || ret = 100) { + ERROR(Error uid printing map string); + return -1; + } + + // g:0:hostgid:1 + ret = snprintf(map3, 100, g:0:%d:1, getgid()); if (ret 0 || ret = 100) { ERROR(Error uid printing map string); return -1; -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
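Review bot: the uid maps are built from hostuid, which is geteuid(), but the new gid map uses getgid(), the real gid. When the process runs with differing real and effective ids the two maps then describe different identities; pick one consistently (getegid() would match the existing geteuid()) or add a comment explaining why the real gid is wanted here. Two smaller points in the same hunk: the error path after the map3 snprintf still logs "Error uid printing map string" although it is the gid map that failed, and the comment "g:0:hostgid:1" names a hostgid variable that does not exist, so storing getgid() in a local of that name would line the comment up with the code.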
[lxc-devel] [PATCH 1/7] python3: Code style
Drop any tab as spaces are preferred, get everything to fit the 80char limit. Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 65 +++- 1 file changed, 44 insertions(+), 21 deletions(-) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index 9e6f9d9..3924a1b 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c @@ -18,7 +18,8 @@ * * You should have received a copy of the GNU Lesser General Public * License along with this library; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 + * USA */ #include Python.h @@ -319,7 +320,8 @@ Container_create(Container *self, PyObject *args, PyObject *kwds) } } -if (self-container-create(self-container, template_name, NULL, NULL, 0, create_args)) +if (self-container-create(self-container, template_name, NULL, NULL, 0, +create_args)) retval = Py_True; else retval = Py_False; @@ -756,7 +758,8 @@ Container_unfreeze(Container *self, PyObject *args, PyObject *kwds) static PyObject * Container_console(Container *self, PyObject *args, PyObject *kwds) { -static char *kwlist[] = {ttynum, stdinfd, stdoutfd, stderrfd, escape, NULL}; +static char *kwlist[] = {ttynum, stdinfd, stdoutfd, stderrfd, + escape, NULL}; int ttynum = -1, stdinfd = 0, stdoutfd = 1, stderrfd = 2, escape = 1; if (! PyArg_ParseTupleAndKeywords(args, kwds, |i, kwlist, @@ -765,7 +768,7 @@ Container_console(Container *self, PyObject *args, PyObject *kwds) return NULL; if (self-container-console(self-container, ttynum, -stdinfd, stdoutfd, stderrfd, escape) == 0) { +stdinfd, stdoutfd, stderrfd, escape) == 0) { Py_RETURN_TRUE; } Py_RETURN_FALSE; 
@@ -780,7 +783,8 @@ Container_console_getfd(Container *self, PyObject *args, PyObject *kwds) if (! PyArg_ParseTupleAndKeywords(args, kwds, |i, kwlist, ttynum)) return NULL; -if (self-container-console_getfd(self-container, ttynum, masterfd) 0) { +if (self-container-console_getfd(self-container, ttynum, + masterfd) 0) { PyErr_SetString(PyExc_ValueError, Unable to allocate tty); return NULL; } @@ -812,8 +816,10 @@ struct lxc_attach_python_payload { static int lxc_attach_python_exec(void* _payload) { -struct lxc_attach_python_payload *payload = (struct lxc_attach_python_payload *)_payload; -PyObject *result = PyObject_CallFunctionObjArgs(payload-fn, payload-arg, NULL); +struct lxc_attach_python_payload *payload = +(struct lxc_attach_python_payload *)_payload; +PyObject *result = PyObject_CallFunctionObjArgs(payload-fn, +payload-arg, NULL); if (!result) { PyErr_Print(); @@ -829,7 +835,10 @@ static void lxc_attach_free_options(lxc_attach_options_t *options); static lxc_attach_options_t *lxc_attach_parse_options(PyObject *kwds) { -static char *kwlist[] = {attach_flags, namespaces, personality, initial_cwd, uid, gid, env_policy, extra_env_vars, extra_keep_env, stdin, stdout, stderr, NULL}; +static char *kwlist[] = {attach_flags, namespaces, personality, + initial_cwd, uid, gid, env_policy, + extra_env_vars, extra_keep_env, stdin, + stdout, stderr, NULL}; long temp_uid, temp_gid; int temp_env_policy; PyObject *extra_env_vars_obj = NULL; 
@@ -859,11 +868,17 @@ static lxc_attach_options_t *lxc_attach_parse_options(PyObject *kwds) /* we need a dummy tuple */ dummy = PyTuple_New(0); -parse_result = PyArg_ParseTupleAndKeywords(dummy, kwds, |iilOlliO, kwlist, - options-attach_flags, options-namespaces, options-personality, - PyUnicode_FSConverter, initial_cwd_obj, temp_uid, temp_gid, - temp_env_policy, extra_env_vars_obj, extra_keep_env_obj, - stdin_obj, stdout_obj, stderr_obj); +parse_result = PyArg_ParseTupleAndKeywords(dummy, kwds, |iilOlliO, + kwlist, options-attach_flags, + options-namespaces, + options-personality, + PyUnicode_FSConverter, + initial_cwd_obj, temp_uid, + temp_gid, temp_env_policy
[lxc-devel] [PATCH 7/7] python3: Add (add|remove)_device_node
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 50 ++ 1 file changed, 50 insertions(+) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index 43e571d..de02d4b 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c @@ -505,6 +505,25 @@ Container_state(Container *self, void *closure) /* Container Functions */ static PyObject * +Container_add_device_node(Container *self, PyObject *args, PyObject *kwds) +{ +static char *kwlist[] = {src_path, dest_path, NULL}; +char *src_path = NULL; +char *dst_path = NULL; + +if (! PyArg_ParseTupleAndKeywords(args, kwds, s|s, kwlist, + src_path, dst_path)) +return NULL; + +if (self-container-add_device_node(self-container, src_path, + dst_path)) { +Py_RETURN_TRUE; +} + +Py_RETURN_FALSE; +} + +static PyObject * Container_attach_and_possibly_wait(Container *self, PyObject *args, PyObject *kwds, int wait) { @@ -930,6 +949,25 @@ Container_reboot(Container *self, PyObject *args, PyObject *kwds) } static PyObject * +Container_remove_device_node(Container *self, PyObject *args, PyObject *kwds) +{ +static char *kwlist[] = {src_path, dest_path, NULL}; +char *src_path = NULL; +char *dst_path = NULL; + +if (! PyArg_ParseTupleAndKeywords(args, kwds, s|s, kwlist, + src_path, dst_path)) +return NULL; + +if (self-container-remove_device_node(self-container, src_path, +dst_path)) { +Py_RETURN_TRUE; +} + +Py_RETURN_FALSE; +} + +static PyObject * Container_save_config(Container *self, PyObject *args, PyObject *kwds) { static char *kwlist[] = {path, NULL}; @@ -1139,6 +1177,12 @@ static PyGetSetDef Container_getseters[] = { }; static PyMethodDef Container_methods[] = { +{add_device_node, (PyCFunction)Container_add_device_node, + METH_VARARGS|METH_KEYWORDS, + add_device_node(src_path, dest_path) - boolean\n + \n + Pass a new device to the container. +}, {attach, (PyCFunction)Container_attach, METH_VARARGS|METH_KEYWORDS, attach(run, payload) - int\n 
@@ -1244,6 +1288,12 @@ static PyMethodDef Container_methods[] = { \n Ask the container to reboot. }, +{remove_device_node, (PyCFunction)Container_remove_device_node, + METH_VARARGS|METH_KEYWORDS, + remove_device_node(src_path, dest_path) - boolean\n + \n + Remove a device from the container. +}, {save_config, (PyCFunction)Container_save_config, METH_VARARGS|METH_KEYWORDS, save_config(path = DEFAULT) - boolean\n -- 1.8.4.4
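Review bot: the docstrings added to Container_methods show add_device_node(src_path, dest_path) and remove_device_node(src_path, dest_path) as if both arguments were required, but both functions parse their arguments with "s|s" and start dst_path at NULL, so dest_path is optional. Document the default and what path is used inside the container when dest_path is omitted, since this call decides which host device node becomes visible there.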
[lxc-devel] [PATCH 6/7] python3: Add controllable property to the binding
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 14 ++ 1 file changed, 14 insertions(+) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index 7c28607..43e571d 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c @@ -456,6 +456,16 @@ Container_config_file_name(Container *self, void *closure) } static PyObject * +Container_controllable(Container *self, void *closure) +{ +if (self-container-may_control(self-container)) { +Py_RETURN_TRUE; +} + +Py_RETURN_FALSE; +} + +static PyObject * Container_defined(Container *self, void *closure) { if (self-container-is_defined(self-container)) { @@ -1101,6 +,10 @@ static PyGetSetDef Container_getseters[] = { (getter)Container_config_file_name, NULL, Path to the container configuration, NULL}, +{controllable, + (getter)Container_controllable, NULL, + Boolean indicating whether the container may be controlled, + NULL}, {defined, (getter)Container_defined, NULL, Boolean indicating whether the container configuration exists, -- 1.8.4.4
[lxc-devel] [PATCH 5/7] python3: Add clear_config() to the binding
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 14 ++ 1 file changed, 14 insertions(+) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index 1ed8cbe..7c28607 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c @@ -546,6 +546,14 @@ Container_attach_wait(Container *self, PyObject *args, PyObject *kwds) } static PyObject * +Container_clear_config(Container *self, PyObject *args, PyObject *kwds) +{ +self-container-clear_config(self-container); + +Py_RETURN_NONE; +} + +static PyObject * Container_clear_config_item(Container *self, PyObject *args, PyObject *kwds) { static char *kwlist[] = {key, NULL}; @@ -1129,6 +1137,12 @@ static PyMethodDef Container_methods[] = { \n Attach to the container. Returns the exit code of the process. }, +{clear_config, (PyCFunction)Container_clear_config, + METH_NOARGS, + clear_config()\n + \n + Clear any container configuration. +}, {clear_config_item, (PyCFunction)Container_clear_config_item, METH_VARARGS|METH_KEYWORDS, clear_config_item(key) - boolean\n -- 1.8.4.4
[lxc-devel] [PATCH 3/7] python3: Add reboot() to the binding
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 16 1 file changed, 16 insertions(+) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index 05fbff8..0604ec7 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c @@ -598,6 +598,16 @@ Container_load_config(Container *self, PyObject *args, PyObject *kwds) } static PyObject * +Container_reboot(Container *self, PyObject *args, PyObject *kwds) +{ +if (self-container-reboot(self-container)) { +Py_RETURN_TRUE; +} + +Py_RETURN_FALSE; +} + +static PyObject * Container_save_config(Container *self, PyObject *args, PyObject *kwds) { static char *kwlist[] = {path, NULL}; @@ -1195,6 +1205,12 @@ static PyMethodDef Container_methods[] = { Read the container configuration from its default location or from an alternative location if provided. }, +{reboot, (PyCFunction)Container_reboot, + METH_NOARGS, + reboot() - boolean\n + \n + Ask the container to reboot. +}, {save_config, (PyCFunction)Container_save_config, METH_VARARGS|METH_KEYWORDS, save_config(path = DEFAULT) - boolean\n -- 1.8.4.4
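Review bot: the docstring added for reboot() in Container_methods ("reboot() - boolean", "Ask the container to reboot.") leaves open what True means: that the request was delivered, or that the container actually went down and came back. Say which, so callers know whether they still have to wait on the container state afterwards. Container_reboot() also takes (self, args, kwds) while being registered as METH_NOARGS; the declaration should match the two-argument form that flag implies.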
[lxc-devel] [PATCH 4/7] python3: Re-order all functions
This properly regroups the module functions together and then sorts all other functions alphabetically to match the function and property lists. Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 709 ++- 1 file changed, 357 insertions(+), 352 deletions(-) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index 0604ec7..1ed8cbe 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c @@ -31,10 +31,7 @@ #include stdio.h #include sys/wait.h -typedef struct { -PyObject_HEAD -struct lxc_container *container; -} Container; +/* Helper functions */ char** convert_tuple_to_char_pointer_array(PyObject *argv) { 
@@ -113,50 +110,218 @@ error: return NULL; } -static void -Container_dealloc(Container* self) +struct lxc_attach_python_payload { +PyObject *fn; +PyObject *arg; +}; + +static int lxc_attach_python_exec(void* _payload) { -lxc_container_put(self-container); -Py_TYPE(self)-tp_free((PyObject*)self); +struct lxc_attach_python_payload *payload = +(struct lxc_attach_python_payload *)_payload; +PyObject *result = PyObject_CallFunctionObjArgs(payload-fn, +payload-arg, NULL); + +if (!result) { +PyErr_Print(); +return -1; +} +if (PyLong_Check(result)) +return (int)PyLong_AsLong(result); +else +return -1; } -static PyObject * -Container_new(PyTypeObject *type, PyObject *args, PyObject *kwds) +static void lxc_attach_free_options(lxc_attach_options_t *options); + +static lxc_attach_options_t *lxc_attach_parse_options(PyObject *kwds) { -Container *self; +static char *kwlist[] = {attach_flags, namespaces, personality, + initial_cwd, uid, gid, env_policy, + extra_env_vars, extra_keep_env, stdin, + stdout, stderr, NULL}; +long temp_uid, temp_gid; +int temp_env_policy; +PyObject *extra_env_vars_obj = NULL; +PyObject *extra_keep_env_obj = NULL; +PyObject *stdin_obj = NULL; +PyObject *stdout_obj = NULL; +PyObject *stderr_obj = NULL; +PyObject *initial_cwd_obj = NULL; +PyObject *dummy; +bool parse_result; -self = (Container *)type-tp_alloc(type, 0); +lxc_attach_options_t default_options = LXC_ATTACH_OPTIONS_DEFAULT; +lxc_attach_options_t *options = malloc(sizeof(*options)); -return (PyObject *)self; +if (!options) { +PyErr_SetNone(PyExc_MemoryError); +return NULL; +} +memcpy(options, default_options, sizeof(*options)); + +/* we need some dummy variables because we can't be sure + * the data types match completely */ +temp_uid = -1; +temp_gid = -1; +temp_env_policy = options-env_policy; + +/* we need a dummy tuple */ +dummy = PyTuple_New(0); + +parse_result = PyArg_ParseTupleAndKeywords(dummy, kwds, |iilOlliO, + kwlist, options-attach_flags, + options-namespaces, + options-personality, + 
PyUnicode_FSConverter, + initial_cwd_obj, temp_uid, + temp_gid, temp_env_policy, + extra_env_vars_obj, + extra_keep_env_obj, + stdin_obj, stdout_obj, + stderr_obj); + +/* immediately get rid of the dummy tuple */ +Py_DECREF(dummy); + +if (!parse_result) { +lxc_attach_free_options(options); +return NULL; +} + +/* duplicate the string, so we don't depend on some random Python object */ +if (initial_cwd_obj != NULL) { +options-initial_cwd = strndup(PyBytes_AsString(initial_cwd_obj), + PyBytes_Size(initial_cwd_obj)); +Py_DECREF(initial_cwd_obj); +} + +/* do the type conversion from the types that match the parse string */ +if (temp_uid != -1) options-uid = (uid_t)temp_uid; +if (temp_gid != -1) options-gid = (gid_t)temp_gid; +options-env_policy = (lxc_attach_env_policy_t)temp_env_policy; + +if (extra_env_vars_obj) +options-extra_env_vars = +convert_tuple_to_char_pointer_array(extra_env_vars_obj); +if (extra_keep_env_obj) +options-extra_keep_env = +convert_tuple_to_char_pointer_array(extra_keep_env_obj); +if (stdin_obj) { +options-stdin_fd = PyObject_AsFileDescriptor(stdin_obj); +if (options-stdin_fd 0) { +lxc_attach_free_options(options); +return NULL; +} +} +if (stdout_obj) { +options-stdout_fd
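Review bot: in lxc_attach_parse_options(), the results of convert_tuple_to_char_pointer_array() for extra_env_vars and extra_keep_env, and of strndup() for initial_cwd, are stored without a NULL check, while the PyObject_AsFileDescriptor() result for stdin a few lines further down is checked and unwinds through lxc_attach_free_options(). PyTuple_New(0) for the dummy tuple is unchecked as well. Because this patch is described as a pure re-order, keep the moved code identical here and fix these in a follow-up, so the 357/352-line move can still be reviewed as a move.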
[lxc-devel] [PATCH 2/7] python3: Sort all method/property lists
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 60 ++-- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index 3924a1b..05fbff8 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c @@ -1102,12 +1102,37 @@ static PyGetSetDef Container_getseters[] = { }; static PyMethodDef Container_methods[] = { +{attach, (PyCFunction)Container_attach, + METH_VARARGS|METH_KEYWORDS, + attach(run, payload) - int\n + \n + Attach to the container. Returns the pid of the attached process. +}, +{attach_wait, (PyCFunction)Container_attach_wait, + METH_VARARGS|METH_KEYWORDS, + attach(run, payload) - int\n + \n + Attach to the container. Returns the exit code of the process. +}, {clear_config_item, (PyCFunction)Container_clear_config_item, METH_VARARGS|METH_KEYWORDS, clear_config_item(key) - boolean\n \n Clear the current value of a config key. }, +{console, (PyCFunction)Container_console, + METH_VARARGS|METH_KEYWORDS, + console(ttynum = -1, stdinfd = 0, stdoutfd = 1, stderrfd = 2, + escape = 0) - boolean\n + \n + Attach to container's console. +}, +{console_getfd, (PyCFunction)Container_console_getfd, + METH_VARARGS|METH_KEYWORDS, + console(ttynum = -1) - boolean\n + \n + Attach to container's console. +}, {create, (PyCFunction)Container_create, METH_VARARGS|METH_KEYWORDS, create(template, args = (,)) - boolean\n 
@@ -1228,31 +1253,6 @@ static PyMethodDef Container_methods[] = { \n Wait for the container to reach a given state or timeout. }, -{console, (PyCFunction)Container_console, - METH_VARARGS|METH_KEYWORDS, - console(ttynum = -1, stdinfd = 0, stdoutfd = 1, stderrfd = 2, - escape = 0) - boolean\n - \n - Attach to container's console. -}, -{console_getfd, (PyCFunction)Container_console_getfd, - METH_VARARGS|METH_KEYWORDS, - console(ttynum = -1) - boolean\n - \n - Attach to container's console. -}, -{attach, (PyCFunction)Container_attach, - METH_VARARGS|METH_KEYWORDS, - attach(run, payload) - int\n - \n - Attach to the container. Returns the pid of the attached process. -}, -{attach_wait, (PyCFunction)Container_attach_wait, - METH_VARARGS|METH_KEYWORDS, - attach(run, payload) - int\n - \n - Attach to the container. Returns the exit code of the process. -}, {NULL, NULL, 0, NULL} }; 
@@ -1299,14 +1299,14 @@ PyVarObject_HEAD_INIT(NULL, 0) }; static PyMethodDef LXC_methods[] = { -{attach_run_shell, (PyCFunction)LXC_attach_run_shell, METH_O, - Starts up a shell when attaching, to use as the run parameter for - attach or attach_wait}, +{arch_to_personality, (PyCFunction)LXC_arch_to_personality, METH_O, + Returns the process personality of the corresponding architecture}, {attach_run_command, (PyCFunction)LXC_attach_run_command, METH_O, Runs a command when attaching, to use as the run parameter for attach or attach_wait}, -{arch_to_personality, (PyCFunction)LXC_arch_to_personality, METH_O, - Returns the process personality of the corresponding architecture}, +{attach_run_shell, (PyCFunction)LXC_attach_run_shell, METH_O, + Starts up a shell when attaching, to use as the run parameter for + attach or attach_wait}, {get_default_config_path, (PyCFunction)LXC_get_default_config_path, METH_NOARGS, Returns the current LXC config path}, -- 1.8.4.4
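Review bot: two of the Container_methods entries being moved carry copy-pasted docstrings: attach_wait is documented as "attach(run, payload) - int", and console_getfd as "console(ttynum = -1) - boolean" with the text "Attach to container's console." Either correct the names and describe what console_getfd returns while these lines are being touched, or say in the commit message that the move is deliberately verbatim and fix the text separately.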
[lxc-devel] [PATCH] python3: Add clone() to the binding
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 68 ++ src/python-lxc/lxc/__init__.py | 35 +++--- 2 files changed, 85 insertions(+), 18 deletions(-) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index 8c86323..e9a3455 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c @@ -600,6 +600,61 @@ Container_clear_config_item(Container *self, PyObject *args, PyObject *kwds) } static PyObject * +Container_clone(Container *self, PyObject *args, PyObject *kwds) +{ +char *newname = NULL; +char *config_path = NULL; +int flags = 0; +char *bdevtype = NULL; +char *bdevdata = NULL; +unsigned long newsize = 0; +char **hookargs = NULL; + +PyObject *py_hookargs = NULL; +struct lxc_container *new_container = NULL; +int i = 0; + +static char *kwlist[] = {newname, config_path, flags, bdevtype, + bdevdata, newsize, hookargs, NULL}; +if (! PyArg_ParseTupleAndKeywords(args, kwds, s|sisskO, kwlist, + newname, config_path, flags, + bdevtype, bdevdata, newsize, + py_hookargs)) +return NULL; + +if (py_hookargs) { +if (PyTuple_Check(py_hookargs)) { +hookargs = convert_tuple_to_char_pointer_array(py_hookargs); +if (!hookargs) { +return NULL; +} +} +else { +PyErr_SetString(PyExc_ValueError, hookargs needs to be a tuple); +return NULL; +} +} + +new_container = self-container-clone(self-container, newname, + config_path, flags, bdevtype, + bdevdata, newsize, hookargs); + +if (hookargs) { +for (i = 0; i PyTuple_GET_SIZE(py_hookargs); i++) +free(hookargs[i]); +free(hookargs); +} + +if (new_container == NULL) { +Py_RETURN_FALSE; +} + +lxc_container_put(new_container); + +Py_RETURN_TRUE; +} + +static PyObject * Container_console(Container *self, PyObject *args, PyObject *kwds) { static char *kwlist[] = {ttynum, stdinfd, stdoutfd, stderrfd, 
@@ -1220,6 +1275,13 @@ static PyMethodDef Container_methods[] = { \n Attach to container's console. }, +{clone, (PyCFunction)Container_clone, + METH_VARARGS|METH_KEYWORDS, + clone(newname, config_path, flags, bdevtype, bdevdata, newsize, + hookargs) - boolean\n + \n + Create a new container based on the current one. +}, {create, (PyCFunction)Container_create, METH_VARARGS|METH_KEYWORDS, create(template, args = (,)) - boolean\n @@ -1468,6 +1530,12 @@ PyInit__lxc(void) PYLXC_EXPORT_CONST(LXC_ATTACH_REMOUNT_PROC_SYS); PYLXC_EXPORT_CONST(LXC_ATTACH_SET_PERSONALITY); +/* clone: clone flags */ +PYLXC_EXPORT_CONST(LXC_CLONE_COPYHOOKS); +PYLXC_EXPORT_CONST(LXC_CLONE_KEEPMACADDR); +PYLXC_EXPORT_CONST(LXC_CLONE_KEEPNAME); +PYLXC_EXPORT_CONST(LXC_CLONE_SNAPSHOT); + #undef PYLXC_EXPORT_CONST return m; diff --git a/src/python-lxc/lxc/__init__.py b/src/python-lxc/lxc/__init__.py index e0d4b51..b900c75 100644 --- a/src/python-lxc/lxc/__init__.py +++ b/src/python-lxc/lxc/__init__.py @@ -22,7 +22,6 @@ # import _lxc -import glob import os import subprocess import stat 
@@ -247,29 +246,29 @@ class Container(_lxc.Container): return _lxc.Container.create(self, template, tuple(template_args)) -def clone(self, container): +def clone(self, newname, config_path=None, flags=0, bdevtype=None, + bdevdata=None, newsize=0, hookargs=()): -Clone an existing container into a new one. +Clone the current container. -if self.defined: -return False - -if isinstance(container, Container): -source = container +args = {} +args['newname'] = newname +args['flags'] = 0 +args['newsize'] = 0 +args['hookargs'] = hookargs +if config_path: +args['config_path'] = config_path +if bdevtype: +args['bdevtype'] = bdevtype +if bdevdata: +args['bdevdata'] = bdevdata + +if _lxc.Container.clone(self, **args): +return Container(newname, config_path=config_path) else: -source = Container(container) - -if not source.defined: return False -if subprocess.call([lxc-clone, -o, source.name, -n, self.name], - universal_newlines=True) != 0: -return False - -self.load_config() -return True - def console(self, ttynum=-1, stdinfd=0, stdoutfd=1, stderrfd=2, escape=1): Attach to console of running container. -- 1.8.4.4
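Review bot: in the new clone() in lxc/__init__.py, the caller's flags and newsize are dropped: the wrapper sets `args['flags'] = 0` and `args['newsize'] = 0` instead of using its parameters, so a call with flags=LXC_CLONE_SNAPSHOT silently becomes a plain copy. Use `args['flags'] = flags` and `args['newsize'] = newsize`. The docstring should also say that the method now clones the current container into newname and returns a Container object on success, since the removed version cloned another container into self and returned True.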
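Review bot: Container_clone() in lxc.c parses config_path, bdevtype and bdevdata with the `s` unit of `s|sisskO`, which rejects None, and that is why the Python wrapper has to build a kwargs dict that leaves those keys out. Parsing the three optional strings with `z` would accept None and let the wrapper pass its arguments straight through. The method-table docstring "clone(newname, config_path, flags, bdevtype, bdevdata, newsize, hookargs)" should also show that only newname is required.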
[lxc-devel] [PATCH] python3: Allow passing create flags
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 14 +- src/python-lxc/lxc/__init__.py | 23 +++ 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index e9a3455..050f6ae 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c @@ -694,13 +694,14 @@ static PyObject * Container_create(Container *self, PyObject *args, PyObject *kwds) { char* template_name = NULL; +int flags = 0; char** create_args = {NULL}; PyObject *retval = NULL, *vargs = NULL; int i = 0; -static char *kwlist[] = {template, args, NULL}; +static char *kwlist[] = {template, flags, args, NULL}; -if (! PyArg_ParseTupleAndKeywords(args, kwds, s|O, kwlist, - template_name, vargs)) +if (! PyArg_ParseTupleAndKeywords(args, kwds, s|iO, kwlist, + template_name, flags, vargs)) return NULL; if (vargs) { @@ -716,8 +717,8 @@ Container_create(Container *self, PyObject *args, PyObject *kwds) } } -if (self-container-create(self-container, template_name, NULL, NULL, 0, -create_args)) +if (self-container-create(self-container, template_name, NULL, NULL, +flags, create_args)) retval = Py_True; else retval = Py_False; @@ -1536,6 +1537,9 @@ PyInit__lxc(void) PYLXC_EXPORT_CONST(LXC_CLONE_KEEPNAME); PYLXC_EXPORT_CONST(LXC_CLONE_SNAPSHOT); +/* create: create flags */ +PYLXC_EXPORT_CONST(LXC_CREATE_QUIET); + #undef PYLXC_EXPORT_CONST return m; diff --git a/src/python-lxc/lxc/__init__.py b/src/python-lxc/lxc/__init__.py index b900c75..52f0fb4 100644 --- a/src/python-lxc/lxc/__init__.py +++ b/src/python-lxc/lxc/__init__.py 
@@ -229,22 +229,29 @@ class Container(_lxc.Container): return _lxc.Container.set_config_item(self, key, value) -def create(self, template, args={}): +def create(self, template, flags=0, args=()): Create a new rootfs for the container. template must be a valid template name. -args (optional) is a dictionary of parameters and values to pass -to the template. +flags (optional) is an integer representing the optional +create flags to be passed. + +args (optional) is a tuple of arguments to pass to the +template. It can also be provided as a dict. -template_args = [] -for item in args.items(): -template_args.append(--%s % item[0]) -template_args.append(%s % item[1]) +if isinstance(args, dict): +template_args = [] +for item in args.items(): +template_args.append(--%s % item[0]) +template_args.append(%s % item[1]) +else: +template_args = args -return _lxc.Container.create(self, template, tuple(template_args)) +return _lxc.Container.create(self, template=template, + flags=flags, args=tuple(template_args)) def clone(self, newname, config_path=None, flags=0, bdevtype=None, bdevdata=None, newsize=0, hookargs=()): -- 1.8.4.4
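Review bot: inserting `flags` ahead of `args` in both create() signatures (`def create(self, template, flags=0, args=())` in __init__.py and the kwlist `{template, flags, args}` in lxc.c) changes the meaning of the second positional argument, so an existing call of the form create(template, {...}) now hands the dict to the integer converter and fails. Append flags after args or make it keyword-only, and mention the API change in the commit message, which is currently empty.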
[lxc-devel] [PATCH] python3: Export some missing constants
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc/__init__.py | 37 + 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/src/python-lxc/lxc/__init__.py b/src/python-lxc/lxc/__init__.py index 52f0fb4..eddd198 100644 --- a/src/python-lxc/lxc/__init__.py +++ b/src/python-lxc/lxc/__init__.py 
@@ -474,19 +474,32 @@ def arch_to_personality(arch): arch = str(arch, 'utf-8') return _lxc.arch_to_personality(arch) -# Some constants for attach -LXC_ATTACH_KEEP_ENV = _lxc.LXC_ATTACH_KEEP_ENV +# namespace flags (no other python lib exports this) +CLONE_NEWIPC = _lxc.CLONE_NEWIPC +CLONE_NEWNET = _lxc.CLONE_NEWNET +CLONE_NEWNS = _lxc.CLONE_NEWNS +CLONE_NEWPID = _lxc.CLONE_NEWPID +CLONE_NEWUSER = _lxc.CLONE_NEWUSER +CLONE_NEWUTS = _lxc.CLONE_NEWUTS + +# attach: environment variable handling LXC_ATTACH_CLEAR_ENV = _lxc.LXC_ATTACH_CLEAR_ENV -LXC_ATTACH_MOVE_TO_CGROUP = _lxc.LXC_ATTACH_MOVE_TO_CGROUP +LXC_ATTACH_KEEP_ENV = _lxc.LXC_ATTACH_KEEP_ENV + +# attach: attach options +LXC_ATTACH_DEFAULT = _lxc.LXC_ATTACH_DEFAULT LXC_ATTACH_DROP_CAPABILITIES = _lxc.LXC_ATTACH_DROP_CAPABILITIES -LXC_ATTACH_SET_PERSONALITY = _lxc.LXC_ATTACH_SET_PERSONALITY -LXC_ATTACH_LSM_NOW = _lxc.LXC_ATTACH_LSM_NOW LXC_ATTACH_LSM_EXEC = _lxc.LXC_ATTACH_LSM_EXEC +LXC_ATTACH_LSM_NOW = _lxc.LXC_ATTACH_LSM_NOW +LXC_ATTACH_MOVE_TO_CGROUP = _lxc.LXC_ATTACH_MOVE_TO_CGROUP LXC_ATTACH_REMOUNT_PROC_SYS = _lxc.LXC_ATTACH_REMOUNT_PROC_SYS -LXC_ATTACH_DEFAULT = _lxc.LXC_ATTACH_DEFAULT -CLONE_NEWUTS = _lxc.CLONE_NEWUTS -CLONE_NEWIPC = _lxc.CLONE_NEWIPC -CLONE_NEWUSER = _lxc.CLONE_NEWUSER -CLONE_NEWPID = _lxc.CLONE_NEWPID -CLONE_NEWNET = _lxc.CLONE_NEWNET -CLONE_NEWNS = _lxc.CLONE_NEWNS +LXC_ATTACH_SET_PERSONALITY = _lxc.LXC_ATTACH_SET_PERSONALITY + +# clone: clone flags +LXC_CLONE_COPYHOOKS = _lxc.LXC_CLONE_COPYHOOKS +LXC_CLONE_KEEPMACADDR = _lxc.LXC_CLONE_KEEPMACADDR +LXC_CLONE_KEEPNAME = _lxc.LXC_CLONE_KEEPNAME +LXC_CLONE_SNAPSHOT = _lxc.LXC_CLONE_SNAPSHOT + +# create: create flags +LXC_CREATE_QUIET = _lxc.LXC_CREATE_QUIET -- 1.8.4.4
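Review bot: every constant in this hunk is re-exported by hand (`LXC_CLONE_SNAPSHOT = _lxc.LXC_CLONE_SNAPSHOT` and so on), so each constant added to the _lxc extension needs a matching line here, and the clone and create flags this patch has to catch up on show how easily that step is missed. Consider copying every `LXC_*` and `CLONE_*` name from `_lxc` into the module namespace in a loop, keeping the grouped comments as documentation. The commit message should also list which constants were missing.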
[lxc-devel] [PATCH] ubuntu: Fix regression in post-process
The recent reorg of lxc-ubuntu introduced some package installation in post-process but without first disabling service startup. As a result, if the cache is a bit out of date and a ssh update is available, post-process will apply that update (as it does apt-get install ssh vim) which in turn will attempt to start sshd. This will either lead to ssh on the host being restarted or if there's no sshd on the host, will fail the container creation as the postinst will get an error from upstart. The fix is very simply to add the same policy-rc.d trick when running post-process. Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- templates/lxc-ubuntu.in | 10 ++ 1 file changed, 10 insertions(+) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index ac39ed2..4e6a54f 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -467,6 +467,13 @@ post_process() release=$2 packages=$3 +# Disable service startup +cat $rootfs/usr/sbin/policy-rc.d EOF +#!/bin/sh +exit 101 +EOF +chmod +x $rootfs/usr/sbin/policy-rc.d + if [ ! -f $rootfs/etc/init/container-detect.conf ]; then # Make sure we have a working resolv.conf cresolvonf=${rootfs}/etc/resolv.conf @@ -538,6 +545,9 @@ post_process() mv $rootfs/dev/shm $rootfs/dev/shm.bak ln -s /run/shm $rootfs/dev/shm fi + +# Re-enable service startup +rm $rootfs/usr/sbin/policy-rc.d } do_bindhome() -- 1.8.4.4
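Review bot: the `rm $rootfs/usr/sbin/policy-rc.d` added at the very end of post_process() is the only place the block is lifted, so any early return or failing step between the two added blocks leaves an `exit 101` policy-rc.d in the rootfs, and the finished container will then refuse service starts from maintainer scripts. Remove the file from a cleanup path that runs on every exit from the function, use `rm -f`, and quote `$rootfs`. The block at the top also replaces any policy-rc.d already present in the rootfs, which the final rm deletes rather than restores.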
Re: [lxc-devel] [PATCH] ubuntu: Fix regression in post-process
On Wed, Nov 27, 2013 at 09:14:24PM -0600, Serge Hallyn wrote: Quoting Stéphane Graber (stgra...@ubuntu.com): The recent reorg of lxc-ubuntu introduced some package installation in post-process but without first disabling service startup. As a result, if the cache is a bit out of date and a ssh update is available, post-process will apply that update (as it does apt-get install ssh vim) which in turn will attempt to start sshd. This will either lead to ssh on the host being restarted or if there's no sshd on the host, will fail the container creation as the postinst will get an error from upstart. The fix is very simply to add the same policy-rc.d trick when running post-process. If we're on a new enough kernel we might want to do all apt-gets in the template by doing lxc-start -d and then lxc-attach. Or we could just do it through lxc-execute I suppose, and always put lxc-init into the container. Unfortunately upstart talks using an abstract unix socket, so the only way to avoid those from messing with the host's upstart is to set up the whole network stack for the container and put it in its network namespace. I very regularly lxc-create containers that won't start immediately post-creation so I don't think relying on lxc-start is really a good idea there. Instead we should just make sure to consistently block service startup just like we would with a standard chroot (and so far we've done that relatively well, I just missed that one case in my review last week ...). Signed-off-by: Stéphane Graber stgra...@ubuntu.com Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com --- templates/lxc-ubuntu.in | 10 ++ 1 file changed, 10 insertions(+) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index ac39ed2..4e6a54f 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in 
@@ -467,6 +467,13 @@ post_process() release=$2 packages=$3 +# Disable service startup +cat $rootfs/usr/sbin/policy-rc.d EOF +#!/bin/sh +exit 101 +EOF +chmod +x $rootfs/usr/sbin/policy-rc.d + if [ ! -f $rootfs/etc/init/container-detect.conf ]; then # Make sure we have a working resolv.conf cresolvonf=${rootfs}/etc/resolv.conf @@ -538,6 +545,9 @@ post_process() mv $rootfs/dev/shm $rootfs/dev/shm.bak ln -s /run/shm $rootfs/dev/shm fi + +# Re-enable service startup +rm $rootfs/usr/sbin/policy-rc.d } do_bindhome() -- 1.8.4.4 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
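The policy-rc.d guard discussed in this thread, written so that the block is lifted on every exit path and an existing policy-rc.d is preserved. This is an added example, not code from the patch or from the LXC templates; the function names `with_services_blocked` and `wsb_restore` and the `.lxc-saved` suffix are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the LXC templates: block service startup in a
# rootfs while a command (for instance a chrooted package install) runs, and
# always put the rootfs back the way it was afterwards.
#
# Usage: with_services_blocked ROOTFS COMMAND [ARGS...]

# Hypothetical helper: restore whatever policy-rc.d state existed before.
#   $1 = path of policy-rc.d, $2 = path of the saved original (may be empty)
wsb_restore() {
    rm -f "$1"
    if [ -n "$2" ] && [ -e "$2" ]; then
        mv "$2" "$1"
    fi
}

# Hypothetical helper: run COMMAND with an "exit 101" policy-rc.d in ROOTFS.
with_services_blocked() {
    wsb_rootfs=$1
    shift
    wsb_policy="$wsb_rootfs/usr/sbin/policy-rc.d"
    wsb_saved=""
    wsb_status=0

    mkdir -p "$wsb_rootfs/usr/sbin" || return 1

    # Do not clobber a policy-rc.d that the rootfs already ships.
    if [ -e "$wsb_policy" ]; then
        wsb_saved="$wsb_policy.lxc-saved"
        mv "$wsb_policy" "$wsb_saved" || return 1
    fi

    # invoke-rc.d reads exit status 101 as "action forbidden by policy", so
    # package maintainer scripts will not start or restart any service.
    if ! printf '#!/bin/sh\nexit 101\n' > "$wsb_policy" ||
       ! chmod +x "$wsb_policy"; then
        wsb_restore "$wsb_policy" "$wsb_saved"
        return 1
    fi

    # Run the command in a subshell so that a failure, or a shell function
    # calling "exit", cannot skip the cleanup below. The "||" form keeps the
    # status without tripping "set -e" in the caller.
    ( "$@" ) || wsb_status=$?

    wsb_restore "$wsb_policy" "$wsb_saved"
    return "$wsb_status"
}
```

A caller that also wants cleanup on SIGINT or SIGTERM still needs its own trap that calls `wsb_restore`, as the subshell only covers ordinary failures and exits.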
Re: [lxc-devel] [PATCH] Added templates/lxc-centos for CentOS containers.
;; +--) shift 1; break ;; +*) break ;; +esac +done + +if [ ! -z $clean -a -z $path ]; then +clean || exit 1 +exit 0 +fi + +if [ -z ${utsname} ]; then +utsname=${name} +fi + +# This follows a standard resolver convention that an FQDN must have +# at least two dots or it is considered a local relative host name. +# If it doesn't, append the dns domain name of the host system. +# +# This changes one significant behavior when running +# lxc_create -n Container_Name without using the +# --fqdn option. +# +# Old behavior: +#utsname and hostname = Container_Name +# New behavior: +#utsname and hostname = Container_Name.Domain_Name + +if [ $(expr $utsname : '.*\..*\.') = 0 ]; then +if [ -n $(dnsdomainname) ]; then +utsname=${utsname}.$(dnsdomainname) +fi +fi + +type yum /dev/null 21 +if [ $? -ne 0 ]; then +echo 'yum' command is missing +exit 1 +fi + +if [ -z $path ]; then +path=$default_path/$name +fi + +if [ -z $release ]; then +if [ $is_centos -a $centos_host_ver ]; then +release=$centos_host_ver +else +echo This is not a centos host and release missing, defaulting to 6 use -R|--release to specify release +release=6 +fi +fi + +# CentOS 7 and above should run systemd. We need autodev enabled to keep +# systemd from causing problems. +if [ $release -gt 6 ]; then +auto_dev=1 +else +auto_dev=0 +fi + +if [ $(id -u) != 0 ]; then +echo This script should be run as 'root' +exit 1 +fi + + +if [ -z $rootfs_path ]; then +rootfs_path=$path/rootfs +# check for 'lxc.rootfs' passed in through default config by lxc-create +if grep -q '^lxc.rootfs' $path/config 2/dev/null ; then +rootfs_path=`grep 'lxc.rootfs =' $path/config | awk -F= '{ print $2 }'` +fi +fi +config_path=$default_path/$name +cache=$cache_base/$release + +revert() +{ +echo Interrupted, so cleaning up +lxc-destroy -n $name +# maybe was interrupted before copy config +rm -rf $path +rm -rf $default_path/$name +echo exiting... +exit 1 +} + +trap revert SIGHUP SIGINT SIGTERM + +copy_configuration +if [ $? 
-ne 0 ]; then +echo failed write configuration file +exit 1 +fi + +install_centos +if [ $? -ne 0 ]; then +echo failed to install centos +exit 1 +fi + +configure_centos +if [ $? -ne 0 ]; then +echo failed to configure centos for a container +exit 1 +fi + +configure_centos_init + +if [ ! -z $clean ]; then +clean || exit 1 +exit 0 +fi +echo container rootfs and config created, default root password is '$root_password' +echo edit the config file to check/enable networking setup -- 1.8.3.1 -- Michael H. Warfield (AI4NB) | (770) 978-7061 | m...@wittsend.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF| possible worlds. A pessimist is sure of it! -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
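Review bot: the closing `echo container rootfs and config created, default root password is '$root_password'` shows that the template leaves each new container with a root password taken from a template variable and prints it to the terminal. If that variable is a fixed default, every container built from the template shares a known root credential; generate a per-container value or expire the password so it must be changed at first login, and avoid echoing it where it can end up in logs. Separately, the rootfs lookup tests `grep -q '^lxc.rootfs'` but extracts with `grep 'lxc.rootfs ='`, so a config line written without the space passes the test and leaves rootfs_path empty; use one pattern for both and trim the value.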
[lxc-devel] [PATCH] python3: Add list_containers to C API
This adds a new list_containers function to the python3 binding and a matching override in __init__.py that adds the as_object parameter. This should be compatible to the previous pure python implementation with the advantage of also listing active non-defined containers (fixing github issue #68). Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/python-lxc/lxc.c | 71 -- src/python-lxc/lxc/__init__.py | 22 +++-- 2 files changed, 80 insertions(+), 13 deletions(-) diff --git a/src/python-lxc/lxc.c b/src/python-lxc/lxc.c index e42ed35..9e6f9d9 100644 --- a/src/python-lxc/lxc.c +++ b/src/python-lxc/lxc.c 
@@ -170,6 +170,65 @@ LXC_get_version(PyObject *self, PyObject *args) return PyUnicode_FromString(lxc_get_version()); } +static PyObject * +LXC_list_containers(PyObject *self, PyObject *args, PyObject *kwds) +{ +char **names = NULL; +PyObject *list = NULL; +int list_count = 0; + +int list_active = 1; +int list_defined = 1; + +PyObject *py_list_active = NULL; +PyObject *py_list_defined = NULL; + +char* config_path = NULL; + +int i = 0; +PyObject *vargs = NULL; +static char *kwlist[] = {active, defined, config_path, NULL}; + +if (! PyArg_ParseTupleAndKeywords(args, kwds, |OOs, kwlist, + py_list_active, + py_list_defined, + config_path, vargs)) +return NULL; + +/* We default to listing everything */ +if (py_list_active py_list_active != Py_True) { +list_active = 0; +} + +if (py_list_defined py_list_defined != Py_True) { +list_defined = 0; +} + +/* Call the right API function based on filters */ +if (list_active == 1 list_defined == 1) +list_count = list_all_containers(config_path, names, NULL); +else if (list_active == 1) +list_count = list_active_containers(config_path, names, NULL); +else if (list_defined == 1) +list_count = list_defined_containers(config_path, names, NULL); + +/* Handle failure */ +if (list_count 0) { +PyErr_SetString(PyExc_ValueError, failure to list containers); +return NULL; +} + +/* Generate the tuple */ +list = PyTuple_New(list_count); +for (i = 0; i list_count; i++) { +PyTuple_SET_ITEM(list, i, PyUnicode_FromString(names[i])); +free(names[i]); +} +free(names); + +return list; +} + // Container properties static PyObject * Container_config_file_name(Container *self, void *closure) 
@@ -1219,15 +1278,21 @@ PyVarObject_HEAD_INIT(NULL, 0) static PyMethodDef LXC_methods[] = { {attach_run_shell, (PyCFunction)LXC_attach_run_shell, METH_O, - Starts up a shell when attaching, to use as the run parameter for attach or attach_wait}, + Starts up a shell when attaching, to use as the run parameter for + attach or attach_wait}, {attach_run_command, (PyCFunction)LXC_attach_run_command, METH_O, - Runs a command when attaching, to use as the run parameter for attach or attach_wait}, + Runs a command when attaching, to use as the run parameter for attach + or attach_wait}, {arch_to_personality, (PyCFunction)LXC_arch_to_personality, METH_O, Returns the process personality of the corresponding architecture}, -{get_default_config_path, (PyCFunction)LXC_get_default_config_path, METH_NOARGS, +{get_default_config_path, (PyCFunction)LXC_get_default_config_path, + METH_NOARGS, Returns the current LXC config path}, {get_version, (PyCFunction)LXC_get_version, METH_NOARGS, Returns the current LXC library version}, +{list_containers, (PyCFunction)LXC_list_containers, + METH_VARARGS|METH_KEYWORDS, + Returns a list of container names or objects}, {NULL, NULL, 0, NULL} }; diff --git a/src/python-lxc/lxc/__init__.py b/src/python-lxc/lxc/__init__.py index 8ae7852..e0d4b51 100644 --- a/src/python-lxc/lxc/__init__.py +++ b/src/python-lxc/lxc/__init__.py 
@@ -417,21 +417,23 @@ class Container(_lxc.Container): return _lxc.Container.wait(self, state, timeout) -def list_containers(as_object=False, config_path=None): +def list_containers(active=True, defined=True, +as_object=False, config_path=None): List the containers on the system. -if not config_path: -config_path = default_config_path +if config_path: +entries = _lxc.list_containers(active=active, defined=defined, + config_path=config_path) +else: +entries = _lxc.list_containers(active=active, defined=defined) + +if as_object: +return tuple([Container(name, config_path) for name in entries]) +else: +return entries -containers = [] -for entry in glob.glob(%s/*/config % config_path): -if as_object
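Review bot: In the tuple-building loop of LXC_list_containers (hunk at -170,6 +170,65), neither the result of PyTuple_New(list_count) nor that of PyUnicode_FromString(names[i]) is checked, so an allocation failure or a container name that is not valid UTF-8 stores NULL into the tuple that is returned to Python. Check both, and on failure free the remaining names[i] and names, release the tuple and return NULL. The trailing vargs argument passed to PyArg_ParseTupleAndKeywords has no matching format unit and can be dropped.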
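Review bot: The docstring added for list_containers in LXC_methods (hunk at -1219,15 +1278,21) says it returns "a list of container names or objects", but LXC_list_containers builds a tuple of names only; objects are created by the Python wrapper in lxc/__init__.py. Reword the docstring to say it returns a tuple of container names.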
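Review bot: Placing active and defined ahead of as_object in the list_containers signature (lxc/__init__.py hunk at -417,21 +417,23) changes what positional arguments mean, so an existing call such as list_containers(True) now sets active instead of as_object. Keep as_object and config_path first or make the new filters keyword-only, and describe the two new parameters in the docstring.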
Re: [lxc-devel] [PATCH 1/1] lxc-user-nic: dont risk passing EOF
On Fri, Nov 22, 2013 at 08:26:20PM -0600, Serge Hallyn wrote: Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_user_nic.c | 26 +- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index af1e944..a4ae907 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c @@ -137,16 +137,16 @@ static int get_alloted(char *me, char *intype, char *link) return -1; } -static char *get_eol(char *s) +static char *get_eol(char *s, char *e) { - while (*s *s != '\n') + while (se *s *s != '\n') s++; return s; } -static char *get_eow(char *s) +static char *get_eow(char *s, char *e) { - while (*s !isblank(*s) *s != '\n') + while (se *s !isblank(*s) *s != '\n') s++; return s; } @@ -155,22 +155,22 @@ static char *find_line(char *p, char *e, char *u, char *t, char *l) { char *p1, *p2, *ret; - while (p e (p1 = get_eol(p)) e) { + while (pe (p1 = get_eol(p, e)) e) { ret = p; if (*p == '#') goto next; - while (isblank(*p)) p++; - p2 = get_eow(p); + while (pe isblank(*p)) p++; + p2 = get_eow(p, e); if (!p2 || p2-p != strlen(u) || strncmp(p, u, strlen(u)) != 0) goto next; p = p2+1; - while (isblank(*p)) p++; - p2 = get_eow(p); + while (pe isblank(*p)) p++; + p2 = get_eow(p, e); if (!p2 || p2-p != strlen(t) || strncmp(p, t, strlen(t)) != 0) goto next; p = p2+1; - while (isblank(*p)) p++; - p2 = get_eow(p); + while (pe isblank(*p)) p++; + p2 = get_eow(p, e); if (!p2 || p2-p != strlen(l) || strncmp(p, l, strlen(l)) != 0) goto next; return ret; @@ -329,7 +329,7 @@ static bool cull_entries(int fd, char *me, char *t, char *br) } entry_lines = newe; entry_lines[n].start = p; - entry_lines[n].len = get_eol(p) - entry_lines[n].start; + entry_lines[n].len = get_eol(p, e) - entry_lines[n].start; entry_lines[n].keep = true; n++; if (!get_nic_from_line(p, nic)) 
@@ -362,7 +362,7 @@ static int count_entries(char *buf, off_t len, char *me, char *t, char *br) int count = 0; while ((buf = find_line(buf, e, me, t, br)) != NULL) { count++; - buf = get_eol(buf)+1; + buf = get_eol(buf, e)+1; if (buf = e) break; } -- 1.8.4.3
-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
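Review bot: get_eol and get_eow (hunk at -137,16 +137,16) gain an end pointer e, but nothing states whether e is the last valid byte or one past it, and both helpers can now return e itself. Add a one-line comment on each helper giving the convention for e and saying that the return value may equal e, so callers know not to dereference it.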
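Review bot: In find_line (hunk at -155,22 +155,22) the outer loop still requires get_eol(p, e) to return a pointer before e, so a final entry that is not newline-terminated is never compared and count_entries will not count it. If the file can end without a newline, handle the last line explicitly; otherwise state the newline invariant in a comment above find_line. The !p2 tests are dead code, since get_eow never returns NULL.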
Re: [lxc-devel] [PATCH 1/1] lxc-user-nic: use common code from network.c
On Fri, Nov 22, 2013 at 08:04:59PM -0600, Serge Hallyn wrote: This pulls a lot of common code out of lxc_user_nic.c. It also moves one function from conf.c that was duplicated in lxc_user_nic.c (It removes a DEBUG statement because (a) it doesn't seem actually useful and (b) DEBUG doesn't work in network.c). Also replace the old test of only parsing code with a skeleton for a full test. (Note - the test will need some work, it's just there as do-what-i-mean code example) Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Wow, this is much cleaner! I'm assuming that those functions you moved over are identical (didn't re-check the code within those) and I didn't do a test-run of the new script but I'm also assuming you did. Thanks for the cleanup! Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/Makefile.am| 2 +- src/lxc/conf.c | 41 - src/lxc/lxc_user_nic.c | 403 + src/lxc/network.c | 45 - src/lxc/network.h | 4 + src/tests/Makefile.am | 4 +- src/tests/lxc-test-usernic | 126 +++--- 7 files changed, 156 insertions(+), 469 deletions(-) diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index bcb644e..6534381 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -222,7 +222,7 @@ lxc_kill_SOURCES = lxc_kill.c lxc_create_SOURCES = lxc_create.c lxc_snapshot_SOURCES = lxc_snapshot.c lxc_usernsexec_SOURCES = lxc_usernsexec.c -lxc_user_nic_SOURCES = lxc_user_nic.c +lxc_user_nic_SOURCES = lxc_user_nic.c network.c network.h install-exec-local: install-soPROGRAMS mkdir -p $(DESTDIR)$(datadir)/lxc diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 4b786b1..860fc5b 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c 
@@ -2583,47 +2583,6 @@ void lxc_rename_phys_nics_on_shutdown(struct lxc_conf *conf) free(conf-saved_nics); } -static int setup_private_host_hw_addr(char *veth1) -{ - struct ifreq ifr; - int err; - int sockfd; - - process_lock(); - sockfd = socket(AF_INET, SOCK_DGRAM, 0); - process_unlock(); - if (sockfd 0) - return -errno; - - snprintf((char *)ifr.ifr_name, IFNAMSIZ, %s, veth1); - err = ioctl(sockfd, SIOCGIFHWADDR, ifr); - if (err 0) { - process_lock(); - close(sockfd); - process_unlock(); - return -errno; - } - - ifr.ifr_hwaddr.sa_data[0] = 0xfe; - err = ioctl(sockfd, SIOCSIFHWADDR, ifr); - process_lock(); - close(sockfd); - process_unlock(); - if (err 0) - return -errno; - - DEBUG(mac address of host interface '%s' changed to private - %02x:%02x:%02x:%02x:%02x:%02x, veth1, - ifr.ifr_hwaddr.sa_data[0] 0xff, - ifr.ifr_hwaddr.sa_data[1] 0xff, - ifr.ifr_hwaddr.sa_data[2] 0xff, - ifr.ifr_hwaddr.sa_data[3] 0xff, - ifr.ifr_hwaddr.sa_data[4] 0xff, - ifr.ifr_hwaddr.sa_data[5] 0xff); - - return 0; -} - static char *default_rootfs_mount = LXCROOTFSMOUNT; struct lxc_conf *lxc_conf_init(void) diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index 952fe14..af1e944 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c 
@@ -45,51 +45,9 @@ #include linux/rtnetlink.h #include linux/sockios.h #include sys/param.h -#include sched.h #include config.h #include utils.h - -#if ISTEST -#define CONF_FILE /tmp/lxc-usernet -#define DB_FILE /tmp/nics -#else -#define CONF_FILE LXC_USERNIC_CONF -#define DB_FILE LXC_USERNIC_DB -#endif - -#include nl.h - -#ifndef IFLA_LINKMODE -# define IFLA_LINKMODE 17 -#endif - -#ifndef IFLA_LINKINFO -# define IFLA_LINKINFO 18 -#endif - -#ifndef IFLA_NET_NS_PID -# define IFLA_NET_NS_PID 19 -#endif - -#ifndef IFLA_INFO_KIND -# define IFLA_INFO_KIND 1 -#endif - -#ifndef IFLA_VLAN_ID -# define IFLA_VLAN_ID 1 -#endif - -#ifndef IFLA_INFO_DATA -# define IFLA_INFO_DATA 2 -#endif - -#ifndef VETH_INFO_PEER -# define VETH_INFO_PEER 1 -#endif - -#ifndef IFLA_MACVLAN_MODE -# define IFLA_MACVLAN_MODE 1 -#endif +#include network.h void usage(char *me, bool fail) { @@ -146,14 +104,14 @@ static char *get_username(void) */ static int get_alloted(char *me, char *intype, char *link) { - FILE *fin = fopen(CONF_FILE, r); + FILE *fin = fopen(LXC_USERNIC_CONF, r); char *line = NULL; char user[100], type[100], br[100]; size_t len = 0; int n = -1, ret; if (!fin) { - fprintf(stderr, Failed to open %s: %s\n, CONF_FILE, + fprintf(stderr, Failed to open %s: %s\n, LXC_USERNIC_CONF, strerror(errno)); return -1; } @@ -229,11 +187,7 @@ static bool nic_exists(char *nic) int ret; struct stat sb; -#if ISTEST - ret
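Review bot: The setup_private_host_hw_addr body removed from conf.c (hunk at -2583,47 +2583,6) returns -errno only after close(sockfd) and process_unlock() have run, so the error reported for a failed ioctl can be overwritten by those calls. If the copy that now lives in network.c is the same code, save errno immediately after each ioctl and return the saved value.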
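Review bot: With the ISTEST block removed from lxc_user_nic.c (hunk at -45,51 +45,9), get_alloted always opens LXC_USERNIC_CONF, so the test skeleton mentioned in the commit message can no longer point the binary at files under /tmp. State in the commit message or in the test header which installed files the test reads and writes and how it restores them.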
Re: [lxc-devel] [PATCH 2/2] Fixes for selinux and pam_loginuid.so
On Mon, Nov 25, 2013 at 12:31:30PM -0500, Michael H. Warfield wrote: Fixes for selinux and pam_loginuid.so Just some additional catches for disabling selinux and pam_loginuid.so thanks to Dwight Engen and the Oracle template. Signed-off-by: Michael H. Warfield m...@wittsend.com Might be worth mentioning the addition of the SSH server and client? Anyway, the change itself is fine. Acked-by: Stéphane Graber stgra...@ubuntu.com --- templates/lxc-fedora.in | 23 --- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index 9208e88..503 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -98,11 +98,24 @@ configure_fedora() mkdir -p $rootfs_path/selinux echo 0 $rootfs_path/selinux/enforce -# This may be related to disabling selinux above but this is -# a known problem and documented in RedHat bugzilla as relating +# Also kill it in the /etc/selinux/config file if it's there... +if [[ -f $rootfs_path/etc/selinux/config ]] +then +sed -i '/^SELINUX=/s/.*/SELINUX=disabled/' $rootfs_path/etc/selinux/config +fi + +# Nice catch from Dwight Engen in the Oracle template. +# Wantonly plagerized here with much appreciation. +if [ -f $rootfs_path/usr/sbin/selinuxenabled ]; then +mv $rootfs_path/usr/sbin/selinuxenabled $rootfs_path/usr/sbin/selinuxenabled.lxcorig +ln -s /bin/false $rootfs_path/usr/sbin/selinuxenabled +fi + +# This is a known problem and documented in RedHat bugzilla as relating # to a problem with auditing enabled. This prevents an error in # the container Cannot make/remove an entry for the specified session sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/login +sed -i '/^session.*pam_loginuid.so/s/^session/# session/' ${rootfs_path}/etc/pam.d/sshd # configure the network using the dhcp cat EOF ${rootfs_path}/etc/sysconfig/network-scripts/ifcfg-eth0 
@@ -132,6 +145,9 @@ EOF ::1 localhost6.localdomain6 localhost6 EOF +# These mknod's really don't make any sense with modern releases of +# Fedora with systemd, devtmpfs, and autodev enabled. They are left +# here for legacy reasons and older releases with upstart and sysv init. dev_path=${rootfs_path}/dev rm -rf $dev_path mkdir -p $dev_path @@ -187,6 +203,7 @@ EOF return 0 } + configure_fedora_init() { sed -i 's|.sbin.start_udev||' ${rootfs_path}/etc/rc.sysinit 
@@ -635,7 +652,7 @@ download_fedora() BOOTSTRAP_INSTALL_ROOT=${INSTALL_ROOT} BOOTSTRAP_CHROOT= -PKG_LIST=yum initscripts passwd rsyslog vim-minimal dhclient chkconfig rootfiles policycoreutils fedora-release +PKG_LIST=yum initscripts passwd rsyslog vim-minimal openssh-server openssh-clients dhclient chkconfig rootfiles policycoreutils fedora-release MIRRORLIST_URL=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasearch=$arch; if [[ ${release} -lt 17 ]] -- 1.8.3.1
-- Michael H. Warfield (AI4NB) | (770) 978-7061 | m...@wittsend.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF| possible worlds. A pessimist is sure of it!
-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
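Review bot: The selinuxenabled replacement in configure_fedora (hunk at -98,11 +98,24) tests only -f, which follows symlinks, so running the function a second time on the same rootfs moves the /bin/false symlink over selinuxenabled.lxcorig and the original binary is lost. Skip the block when the path is already a symlink, for example by also testing ! -L on it.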
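Review bot: The PKG_LIST change in download_fedora (hunk at -635,7 +652,7) adds openssh-server and openssh-clients, which the commit message does not mention, and it means every container built from this template now ships an SSH server package. Mention the addition in the commit message and in the template's usage text so that users know to review the sshd configuration of new containers.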
Re: [lxc-devel] cgroup management daemon
name [[ pid is sent as a SCM_CREDENTIAL ]] Delete name Delete-force name Kill name

I really like the idea, but I have a few comments. I'm not familiar with the dbus, but how will you identify a request made on dbus? I mean will you get its pid? What if the container has its own PID namespace, how will this be handled?

DBus is essentially just an IPC protocol that can be used over a variety of medium. In the case of this cgroup manager, we'll be using the DBus protocol on top of a standard UNIX socket. One of the properties of unix sockets is that you can get the uid, gid and pid of your peer. As this information is provided by the kernel, it'll automatically be translated to match your vision of the pid and user tree.

That's why we're also planning on abusing SCM_CRED a tiny bit so that when a container or sub-container is asking for a pid to be moved into a cgroup, instead of passing that pid as a standard integer over dbus, it'll instead use the SCM_CRED mechanism, sending a ucred structure instead which will then get magically mapped to the right namespace when accessed by the manager and saving us a whole lot of pid/uid mapping logic in the process.

I know that this may sound a bit radical, but I propose that the daemon is using simple unix sockets. The daemon should have an easy way of adding more sockets to newly started containers and each newly created socket should know the base cgroup to which it belongs. This way the daemon can clearly identify which request is limited to what cgroup without many lookups and will be easier to enforce the above mentioned restrictions.

So it looks like our current design already follows your recommendation since we're indeed using a standard unix socket, it's just that instead of re-inventing the wheel, we use a standard IPC protocol on top of it.

Marian

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [lxc-devel] cgroup management daemon
On Tue, Nov 26, 2013 at 03:35:22AM +0200, Marian Marinov wrote:
On 11/26/2013 02:11 AM, Stéphane Graber wrote:
On Tue, Nov 26, 2013 at 02:03:16AM +0200, Marian Marinov wrote:
On 11/26/2013 12:43 AM, Serge E. Hallyn wrote:

Hi, as I've mentioned several times, I want to write a standalone cgroup management daemon. Basic requirements are that it be a standalone program; that a single instance running on the host be usable from containers nested at any depth; that it not allow escaping one's assigned limits; that it not allow subjugating tasks which do not belong to you; and that, within your limits, you be able to parcel those limits to your tasks as you like.

Additionally, Tejun has specified that we do not want users to be too closely tied to the cgroupfs implementation. Therefore commands will be just a hair more general than specifying cgroupfs filenames and values. I may go so far as to avoid specifying specific controllers, as AFAIK there should be no redundancy in features. On the other hand, I don't want to get too general. So I'm basing the API loosely on the lmctfy command line API.

One of the driving goals is to enable nested lxc as simply and safely as possible. If this project is a success, then a large chunk of code can be removed from lxc. I'm considering this project a part of the larger lxc project, but given how central it is to systems management that doesn't mean that I'll consider anyone else's needs as less important than our own.

This document consists of two parts. The first describes how I intend the daemon (cgmanager) to be structured and how it will enforce the safety requirements. The second describes the commands which clients will be able to send to the manager. The list of controller keys which can be set is very incomplete at this point, serving mainly to show the approach I was thinking of taking.

Summary

Each 'host' (identified by a separate instance of the linux kernel) will have exactly one running daemon to manage control groups. This daemon will answer cgroup management requests over a dbus socket, located at /sys/fs/cgroup/manager. This socket can be bind-mounted into various containers, so that one daemon can support the whole system.

Programs will be able to make cgroup requests using dbus calls, or indirectly by linking against lmctfy which will be modified to use the dbus calls if available.

Outline:

. A single manager, cgmanager, is started on the host, very early during boot. It has very few dependencies, and requires only /proc, /run, and /sys to be mounted, with /etc ro. It will mount the cgroup hierarchies in a private namespace and set defaults (clone_children, use_hierarchy, sane_behavior, release_agent?) It will open a socket at /sys/fs/cgroup/cgmanager (in a small tmpfs).
. A client (requestor 'r') can make cgroup requests over /sys/fs/cgroup/manager using dbus calls. Detailed privilege requirements for r are listed below.
. The client request will pertain to an existing or new cgroup A. r's privilege over the cgroup must be checked. r is said to have privilege over A if A is owned by r's uid, or if A's owner is mapped into r's user namespace, and r is root in that user namespace.
. The client request may pertain to a victim task v, which may be moved to a new cgroup. In that case r's privilege over both the cgroup and v must be checked. r is said to have privilege over v if v is mapped in r's pid namespace, v's uid is mapped into r's user ns, and r is root in its userns. Or if r and v have the same uid and v is mapped in r's pid namespace.
. r's credentials will be taken from socket's peercred, ensuring that pid and uid are translated.
. r passes PID(v) as a SCM_CREDENTIAL, so that cgmanager receives the translated global pid. It will then read UID(v) from /proc/PID(v)/status, which is the global uid, and check /proc/PID(r)/uid_map to see whether UID is mapped there.
. dbus-send can be enhanced to send a pid as SCM_CREDENTIAL to have the kernel translate it for the reader. Only 'move task v to cgroup A' will require a SCM_CREDENTIAL to be sent.

Privilege requirements by action:

* Requestor of an action (r) over a socket may only make changes to cgroups over which it has privilege.
* Requestors may be limited to a certain #/depth of cgroups (to limit memory usage) - DEFER?
* Cgroup hierarchy is responsible for resource limits
* A requestor must either be uid 0 in its userns with victim mapped into its userns, or the same uid and in same/ancestor pidns as the victim
* If r requests creation of cgroup '/x', /x will be interpreted as relative to r's cgroup. r cannot make changes to cgroups not under its own current
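The privilege rule from the outline above (requestor r over a cgroup owner or a victim task v, decided from r's peer uid and the contents of /proc/PID(r)/uid_map), as an added C example that is not cgmanager code and not part of the original mail. The struct and function names and the uid_map samples are constructed for illustration, and whether v is visible in r's pid namespace is taken as an input.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed sample: container uids 0..65535 map to host uids 100000..165535. */
static const char CONTAINER_MAP[] = "         0     100000      65536\n";

/*
 * Translate a global (host) uid into the user namespace described by the text
 * of a uid_map file, as the manager on the host would read it. Each line is
 * "<first id in ns> <first host id> <count>". Returns true and stores the
 * in-namespace uid when a line covers hostuid; returns false when the uid is
 * unmapped or the text is malformed (deny by default).
 */
static bool host_uid_to_ns(const char *uid_map, unsigned long hostuid,
                           unsigned long *nsuid)
{
    const char *p = uid_map;

    if (!p)
        return false;
    for (;;) {
        unsigned long ns_first, host_first, count;
        int used = 0;

        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;
        if (*p == '\0')
            return false;              /* no line covers hostuid */
        if (sscanf(p, "%lu %lu %lu%n", &ns_first, &host_first, &count,
                   &used) != 3)
            return false;              /* malformed line */
        /* Compare by subtraction so host_first + count cannot overflow. */
        if (hostuid >= host_first && hostuid - host_first < count) {
            *nsuid = ns_first + (hostuid - host_first);
            return true;
        }
        p += used;
    }
}

/* What the manager knows about requestor r (hypothetical structure). */
struct requestor {
    unsigned long host_uid;  /* r's uid from the socket peer credentials */
    const char *uid_map;     /* text of /proc/PID(r)/uid_map */
};

/*
 * r has privilege over something owned by target_host_uid (a cgroup owner or
 * a task's uid) if the uids are equal, or if r is uid 0 in its own user
 * namespace and the target uid is mapped into that namespace.
 */
static bool privileged_over_uid(const struct requestor *r,
                                unsigned long target_host_uid)
{
    unsigned long ns;

    if (r->host_uid == target_host_uid)
        return true;
    if (!host_uid_to_ns(r->uid_map, r->host_uid, &ns) || ns != 0)
        return false;                  /* r is not root in its userns */
    return host_uid_to_ns(r->uid_map, target_host_uid, &ns);
}

/* For a victim task, v must also be visible in r's pid namespace. */
static bool privileged_over_task(const struct requestor *r,
                                 unsigned long victim_host_uid,
                                 bool victim_in_pidns)
{
    return victim_in_pidns && privileged_over_uid(r, victim_host_uid);
}

int main(void)
{
    struct requestor root_r = { 100000, CONTAINER_MAP }; /* uid 0 in container */
    struct requestor user_r = { 101000, CONTAINER_MAP }; /* uid 1000 in container */

    printf("container root over container task: %d\n",
           privileged_over_task(&root_r, 100999, true));
    printf("container root over host user task: %d\n",
           privileged_over_task(&root_r, 1000, true));
    printf("container user over own task:       %d\n",
           privileged_over_task(&user_r, 101000, true));
    printf("container user over other task:     %d\n",
           privileged_over_task(&user_r, 100999, true));
    return 0;
}
```

The same `privileged_over_uid` check serves the cgroup-ownership rule, with the cgroup owner's uid as the target.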
Re: [lxc-devel] cgroup management daemon
-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [lxc-devel] LXC live migrate
On Tue, Nov 26, 2013 at 04:04:36AM +0200, Marian Marinov wrote:

Hey guys, I just read on LWN about the checkpoint/restore tool: http://lwn.net/Articles/574917/ With this, it seems possible to freeze and restore a whole container from one node to another. I'll give it a try this week to give more details on how it actually works.

Marian

I think I last tried it with CRIU 0.8 without much success but I took an action item during Ubuntu's planning event last week to try with a newer release and get in touch with Pavel if I'm still having issues.

From what we discussed at Linux Plumbers, CRIU should indeed let you dump a full container and restore it on the same machine or on another so long as the filesystem and any other external dependency of the container matches.

If I can get this working and they've resolved a few of the known issues (specifically the fact that it'd only build on x86_64), then the plan is to add API calls to LXC's API that'll implement the checkpoint/restore feature using CRIU.

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [lxc-devel] [PATCH v2] lxcapi_destroy: run in a namespace if we are unprivileged
On Fri, Nov 22, 2013 at 02:39:37PM -0600, Serge Hallyn wrote: This is necessary to have the rights to remove files owned by our subuids. Also update lxc_rmdir_onedev to return 0 on success, -1 on failure. Callers were not consistent in using it correctly, and this is more in keeping with the rest of our code. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/bdev.c | 2 +- src/lxc/conf.c | 155 - src/lxc/conf.h | 3 + src/lxc/lxc_destroy.c | 7 --- src/lxc/lxccontainer.c | 28 ++--- src/lxc/utils.c| 10 ++-- 6 files changed, 182 insertions(+), 23 deletions(-) diff --git a/src/lxc/bdev.c b/src/lxc/bdev.c index 6acd29a..03fecfb 100644 --- a/src/lxc/bdev.c +++ b/src/lxc/bdev.c @@ -450,7 +450,7 @@ static int dir_clonepaths(struct bdev *orig, struct bdev *new, const char *oldna static int dir_destroy(struct bdev *orig) { - if (!lxc_rmdir_onedev(orig-src)) + if (lxc_rmdir_onedev(orig-src) 0) return -1; return 0; } diff --git a/src/lxc/conf.c b/src/lxc/conf.c index c8809d2..4b786b1 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -75,6 +75,7 @@ #include bdev.h #include cgroup.h #include lxclock.h +#include namespace.h #include lsm/lsm.h #if HAVE_SYS_CAPABILITY_H @@ -3810,11 +3811,10 @@ int lxc_clear_config_caps(struct lxc_conf *c) return 0; } -int lxc_clear_idmaps(struct lxc_conf *c) -{ +int lxc_free_idmap(struct lxc_list *id_map) { struct lxc_list *it, *next; - lxc_list_for_each_safe(it, c-id_map, next) { + lxc_list_for_each_safe(it, id_map, next) { lxc_list_del(it); free(it-elem); free(it); @@ -3822,6 +3822,11 @@ int lxc_clear_idmaps(struct lxc_conf *c) return 0; } +int lxc_clear_idmaps(struct lxc_conf *c) +{ + return lxc_free_idmap(c-id_map); +} + int lxc_clear_config_keepcaps(struct lxc_conf *c) { struct lxc_list *it,*next; 
@@ -3941,3 +3946,147 @@ void lxc_conf_free(struct lxc_conf *conf) lxc_clear_idmaps(conf); free(conf); } + +struct userns_fn_data { + int (*fn)(void *); + void *arg; + int p[2]; +}; + +static int run_userns_fn(void *data) +{ + struct userns_fn_data *d = data; + char c; + // we're not sharing with the parent any more, if it was a thread + + close(d-p[1]); + if (read(d-p[0], c, 1) != 1) + return -1; + close(d-p[0]); + return d-fn(d-arg); +} + +/* + * Add a ID_TYPE_UID entry to an existing lxc_conf, if it is not + * alread there. + * We may want to generalize this to do gids as well as uids, but right now + * it's not necessary. + */ +static struct lxc_list *idmap_add_id(struct lxc_conf *conf, uid_t uid) +{ + int hostid_mapped = mapped_hostid(uid, conf); + struct lxc_list *new = NULL, *tmp, *it, *next; + struct id_map *entry; + + if (hostid_mapped 0) { + hostid_mapped = find_unmapped_nsuid(conf); + if (hostid_mapped 0) { + ERROR(Could not find free uid to map); + return NULL; + } + new = malloc(sizeof(*new)); + if (!new) { + ERROR(Out of memory building id map); + return NULL; + } + entry = malloc(sizeof(*entry)); + if (!entry) { + free(new); + ERROR(Out of memory building idmap entry); + return NULL; + } + new-elem = entry; + entry-idtype = ID_TYPE_UID; + entry-nsid = hostid_mapped; + entry-hostid = (unsigned long)uid; + entry-range = 1; + lxc_list_init(new); + } + lxc_list_for_each_safe(it, conf-id_map, next) { + tmp = malloc(sizeof(*tmp)); + if (!tmp) + goto err; + entry = malloc(sizeof(*entry)); + if (!entry) { + free(tmp); + goto err; + } + memset(entry, 0, sizeof(*entry)); + memcpy(entry, it-elem, sizeof(*entry)); + tmp-elem = entry; + if (!new) { + new = tmp; + lxc_list_init(new); + } else + lxc_list_add_tail(new, tmp); + } + + return new; + +err: + ERROR(Out of memory building a new uid map); + lxc_free_idmap(new); + return NULL; +} + +/* + * Run a function in a new user namespace. + * The caller's euid will be mapped in if it is not already. 
+ */ +int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data) +{ + int ret, pid; + struct userns_fn_data d
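Review bot: dir_destroy (bdev.c hunk at -450,7 +450,7) now expects lxc_rmdir_onedev to return a negative value on failure, but the diffstat does not include utils.h, so any comment on the prototype there that describes the old return convention is left stale. Update that comment in the same patch and confirm that every remaining caller was converted, since a missed one would treat success as failure.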
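Review bot: In idmap_add_id (conf.c hunk at -3941,3 +3946,147) the err path calls lxc_free_idmap(new), but new is still NULL when the uid was already mapped and the first malloc in the copy loop fails, and lxc_free_idmap walks its argument without a NULL check. When new is set, lxc_free_idmap frees the linked entries but not the head node or its elem, so that path leaks. Guard the NULL case and free the head in err; the memset that precedes a memcpy of the same size is redundant.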
Re: [lxc-devel] [PATCH 1/1] don't fail lxc-init if we couldn't mount proc
On Fri, Nov 22, 2013 at 03:45:40PM -0600, Serge Hallyn wrote: In general proc gets mounted ahead of time, so init shouldn't have to do it. Without this patch, you cannot lxc-execute -n x1 -s lxc.cap.drop=sys_admin /bin/bash (See https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1253669 for a bug about this) Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_init.c | 3 +-- src/lxc/utils.c| 8 +++- src/lxc/utils.h| 2 +- 3 files changed, 5 insertions(+), 8 deletions(-) diff --git a/src/lxc/lxc_init.c b/src/lxc/lxc_init.c index 69ae3d8..968c25d 100644 --- a/src/lxc/lxc_init.c +++ b/src/lxc/lxc_init.c @@ -154,8 +154,7 @@ int main(int argc, char *argv[]) sigaction(i, act, NULL); } - if (lxc_setup_fs()) - exit(EXIT_FAILURE); + lxc_setup_fs(); if (lxc_caps_reset()) exit(EXIT_FAILURE); diff --git a/src/lxc/utils.c b/src/lxc/utils.c index e80a782..5bfe9db 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -150,10 +150,10 @@ static int mount_fs(const char *source, const char *target, const char *type) return 0; } -extern int lxc_setup_fs(void) +extern void lxc_setup_fs(void) { if (mount_fs(proc, /proc, proc)) - return -1; + INFO(failed to remount proc); /* if we can't mount /dev/shm, continue anyway */ if (mount_fs(shmfs, /dev/shm, tmpfs)) @@ -163,14 +163,12 @@ extern int lxc_setup_fs(void) /* Sure, but it's read-only per config :) */ if (access(/dev/mqueue, F_OK) mkdir(/dev/mqueue, 0666)) { DEBUG(failed to create '/dev/mqueue'); - return 0; + return; } /* continue even without posix message queue support */ if (mount_fs(mqueue, /dev/mqueue, mqueue)) INFO(failed to mount /dev/mqueue); - - return 0; } /* borrowed from iproute2 */ diff --git a/src/lxc/utils.h b/src/lxc/utils.h index 9c47560..714e74c 100644 --- a/src/lxc/utils.h +++ b/src/lxc/utils.h 
@@ -34,7 +34,7 @@ /* returns 1 on success, 0 if there were any failures */ extern int lxc_rmdir_onedev(char *path); -extern int lxc_setup_fs(void); +extern void lxc_setup_fs(void); extern int get_u16(unsigned short *val, const char *arg, int base); extern int mkdir_p(const char *dir, mode_t mode); extern void remove_trailing_slashes(char *p); -- 1.8.3.2
-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
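Review bot: lxc_setup_fs (utils.c hunk at -150,10 +150,10) now treats a failed proc mount as informational, which also covers the case where /proc is not mounted at all, and lxc_init then carries on without it. After the mount fails, check that /proc is usable (for example that /proc/self exists) and keep the hard failure for that case. The message is logged at INFO, which is easy to miss; a higher level fits a container that may be running without /proc.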
Re: [lxc-devel] [PATCH 1/1] lxcapi_clone: set the right environment variable for mounted fs
On Thu, Nov 21, 2013 at 09:05:59AM -0600, Serge Hallyn wrote: If the container is dir-backed, we don't actually mount it (to support unprivileged use). So always set the LXC_ROOTFS_MOUNT to bdev-dest, not to the rootfs path specified in the container configuration. This should fix bug http://pad.lv/1253573 Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxccontainer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 11e70cb..c1f99d5 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c 
@@ -2399,7 +2399,7 @@ static int clone_update_rootfs(struct lxc_container *c0, if (setenv(LXC_CONFIG_FILE, conf-rcfile, 1)) { SYSERROR(failed to set environment variable for config path); } - if (setenv(LXC_ROOTFS_MOUNT, conf-rootfs.mount, 1)) { + if (setenv(LXC_ROOTFS_MOUNT, bdev-dest, 1)) { SYSERROR(failed to set environment variable for rootfs mount); } if (setenv(LXC_ROOTFS_PATH, conf-rootfs.path, 1)) { -- 1.8.3.2
-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
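Review bot: In clone_update_rootfs (hunk at -2399,7 +2399,7) a failed setenv for LXC_ROOTFS_MOUNT is only logged, so the clone hook would still run with the variable missing or inherited from the caller's environment and could act on the wrong path. Return an error when setenv fails, and add a comment that bdev->dest is used because a dir-backed container is not mounted at conf->rootfs.mount.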
Re: [lxc-devel] [PATCH 1/2] Setup devtmpfs and /dev for autodev bind mounts.
, data); + } + + if (lxc_conf-autodev 0) { + if (mount_autodev(name, lxc_conf-rootfs.mount, lxcpath)) { ERROR(failed to mount /dev in the container); return -1; } @@ -3197,7 +3546,7 @@ int lxc_setup(const char *name, struct lxc_conf *lxc_conf, const char *lxcpath, return -1; } - if (lxc_conf-autodev) { + if (lxc_conf-autodev 0) { if (run_lxc_hooks(name, autodev, lxc_conf, lxcpath, NULL)) { ERROR(failed to run autodev hooks for container '%s'., name); return -1; diff --git a/src/lxc/conf.h b/src/lxc/conf.h index 940d493..090c5b3 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h @@ -356,7 +356,9 @@ extern int lxc_clear_hooks(struct lxc_conf *c, const char *key); struct cgroup_process_info; extern int lxc_setup(const char *name, struct lxc_conf *lxc_conf, - const char *lxcpath, struct cgroup_process_info *cgroup_info); + const char *lxcpath, + struct cgroup_process_info *cgroup_info, + void *data); extern void lxc_rename_phys_nics_on_shutdown(struct lxc_conf *conf); diff --git a/src/lxc/start.c b/src/lxc/start.c index 3b2ba8f..3d2bc86 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c 
@@ -553,7 +553,7 @@ static int do_start(void *data) #endif /* Setup the container, ip, names, utsname, ... */ - if (lxc_setup(handler-name, handler-conf, handler-lxcpath, handler-cgroup)) { + if (lxc_setup(handler-name, handler-conf, handler-lxcpath, handler-cgroup, handler-data) ){ ERROR(failed to setup the container); goto out_warn_father; } -- 1.8.3.1 -- Michael H. Warfield (AI4NB) | (770) 978-7061 | m...@wittsend.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF| possible worlds. A pessimist is sure of it! -- Stéphane Graber Ubuntu developer http://www.canonical.com
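Review bot: The new last parameter of lxc_setup() in conf.h is an untyped void *data with no comment, and do_start() passes handler->data straight through, so nothing at the prototype says what the pointer must refer to or whether NULL is allowed. Please document the parameter at the declaration (or give it a concrete type) and fix the spacing in the call site's "handler->data) ){". The autodev tests in conf.c also change from a plain truth test to a comparison against 0; a short comment on what the other values of autodev mean would help, since the comparison is the only hint in these hunks.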
Re: [lxc-devel] [PATCH 2/9] lxc_user_nic: don't pass unused arg to get_username()
On Tue, Nov 19, 2013 at 04:17:45PM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_user_nic.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index c8513ba..da3ae74 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c @@ -122,7 +122,7 @@ int open_and_lock(char *path) } -char *get_username(char **buf) +char *get_username(void) { struct passwd *pwd = getpwuid(getuid()); 
@@ -901,13 +901,13 @@ int main(int argc, char *argv[]) { int n, fd; bool gotone = false; - char *me, *buf = alloca(400); + char *me; char *nicname = alloca(40); char *cnic; // created nic name in container is returned here. char *vethname; int pid; - if ((me = get_username(buf)) == NULL) { + if ((me = get_username()) == NULL) { fprintf(stderr, Failed to get username\n); exit(1); } -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [lxc-devel] [PATCH 1/9] lxc_user_nic: add a check to make sure caller owns target netns
On Tue, Nov 19, 2013 at 04:17:44PM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com Temporarily set our euid back to the calling ruid, so that the access(2) check can succeed based on the euid being the userns creator. Also switch from atoi to strtol Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_user_nic.c | 64 +- 1 file changed, 58 insertions(+), 6 deletions(-) diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index e4f59fa..c8513ba 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c @@ -540,7 +540,7 @@ int lxc_netdev_delete_by_name(const char *name) #endif -bool create_nic(char *nic, char *br, char *pidstr, char **cnic) +bool create_nic(char *nic, char *br, int pid, char **cnic) { #if ISTEST char path[200]; @@ -556,7 +556,6 @@ bool create_nic(char *nic, char *br, char *pidstr, char **cnic) veth1buf = alloca(IFNAMSIZ); veth2buf = alloca(IFNAMSIZ); int ret; - int pid = atoi(pidstr); ret = snprintf(veth1buf, IFNAMSIZ, %s, nic); if (ret 0 || ret = IFNAMSIZ) { @@ -596,7 +595,7 @@ out_del: * *dest will container the name (lxcuser-%d) which is attached * on the host to the lxc bridge */ -void get_new_nicname(char **dest, char *br, char *pid, char **cnic) +void get_new_nicname(char **dest, char *br, int pid, char **cnic) { int i = 0; // TODO - speed this up. For large installations we won't @@ -679,7 +678,7 @@ int count_entries(char *buf, off_t len, char *me, char *t, char *br) * The dbfile has lines of the format: * user type bridge nicname */ -bool get_nic_if_avail(int fd, char *me, char *pid, char *intype, char *br, int allowed, char **nicname, char **cnic) +bool get_nic_if_avail(int fd, char *me, int pid, char *intype, char *br, int allowed, char **nicname, char **cnic) { off_t len, slen; struct stat sb; 
@@ -857,6 +856,47 @@ out_err: return -1; } +/* + * If the caller (real uid, not effective uid) may read the + * /proc/pid/net/ns, then it is either the caller's netns or one + * which it created. + */ +static bool may_access_netns(int pid) +{ + int ret; + char s[200]; + uid_t ruid, suid, euid; + bool may_access = false; + + ret = getresuid(ruid, euid, suid); + if (ret) { + fprintf(stderr, Failed to get my uids: %s\n, strerror(errno)); + return false; + } + ret = setresuid(ruid, ruid, euid); + if (ret) { + fprintf(stderr, Failed to set temp uids to (%d,%d,%d): %s\n, + (int)ruid, (int)ruid, (int)euid, strerror(errno)); + return false; + } + ret = snprintf(s, 200, /proc/%d/ns/net, pid); + if (ret 0 || ret = 200) // can't happen + return false; + ret = access(s, R_OK); + if (ret) { + fprintf(stderr, Uid %d may not access %s: %s\n, + (int)ruid, s, strerror(errno)); + } + may_access = ret == 0; + ret = setresuid(ruid, euid, suid); + if (ret) { + fprintf(stderr, Failed to restore uids to (%d,%d,%d): %s\n, + (int)ruid, (int)euid, (int)suid, strerror(errno)); + may_access = false; + } + return may_access; +} + int main(int argc, char *argv[]) { int n, fd; @@ -879,6 +919,13 @@ int main(int argc, char *argv[]) else vethname = eth0; + errno = 0; + pid = (int) strtol(argv[1], NULL, 10); + if (errno) { + fprintf(stderr, Could not read pid: %s\n, argv[1]); + exit(1); + } + if (!create_db_dir(DB_FILE)) { fprintf(stderr, Failed to create directory for db file\n); exit(1); 
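Review bot: In may_access_netns(), the snprintf() failure branch returns false after the first setresuid() has already swapped the effective uid, so that path leaves the process with its uids changed instead of restoring them as the normal path does. Even if it "can't happen", route it through the restoring setresuid() call, for example with a single exit label. The block comment also names /proc/pid/net/ns while the code checks /proc/%d/ns/net; make the comment match the path that is actually tested.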
@@ -889,16 +936,21 @@ int main(int argc, char *argv[]) exit(1); } + if (!may_access_netns(pid)) { + fprintf(stderr, User %s may not modify netns for pid %d\n, + me, pid); + exit(1); + } + n = get_alloted(me, argv[2], argv[3]); if (n 0) - gotone = get_nic_if_avail(fd, me, argv[1], argv[2], argv[3], n, nicname, cnic); + gotone = get_nic_if_avail(fd, me, pid, argv[2], argv[3], n, nicname, cnic); close(fd); if (!gotone) { fprintf(stderr, Quota reached\n); exit(1); } - pid = atoi(argv[1]); // Now rename the link if (rename_in_ns(pid, cnic, vethname) 0) { fprintf(stderr, Failed to rename the link\n); -- 1.8.3.2
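Review bot: The pid passed here to may_access_netns(), get_nic_if_avail() and rename_in_ns() comes from strtol(argv[1], NULL, 10) checked only with "if (errno)", which does not reject non-numeric input, trailing characters, or a long that does not survive the cast to int; strtol() returns 0 for text with no digits without necessarily setting errno. Pass an end pointer, require that it moved and points at the terminating NUL, and reject values that are not positive or exceed INT_MAX before the netns check runs.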
Re: [lxc-devel] [PATCH 3/9] lxc_user_nic: report strerror(errno)
On Tue, Nov 19, 2013 at 04:17:46PM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_user_nic.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index da3ae74..8c73b55 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c @@ -633,7 +633,7 @@ bool cull_entries(int fd, char *me, char *t, char *br) return true; buf = mmap(NULL, len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); if (buf == MAP_FAILED) { - fprintf(stderr, Failed to create mapping: error %d\n, errno); + fprintf(stderr, Failed to create mapping: %s\n, strerror(errno)); return false; } 
@@ -718,7 +718,7 @@ bool get_nic_if_avail(int fd, char *me, int pid, char *intype, char *br, int all fprintf(stderr, Failed to set new file size\n); buf = mmap(NULL, len + slen, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); if (buf == MAP_FAILED) { - fprintf(stderr, Failed to create mapping after extending: error %d\n, errno); + fprintf(stderr, Failed to create mapping after extending: %s\n, strerror(errno)); if (lxc_netdev_delete_by_name(*nicname) != 0) fprintf(stderr, Error unlinking %s!\n, *nicname); return false; -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
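Review bot: In the get_nic_if_avail() hunk, the context line just above the mmap() still prints "Failed to set new file size" without strerror(errno), and the mmap() of len + slen follows it directly, so this patch leaves one message inconsistent with the two it fixes. Give that message the same %s / strerror(errno) treatment, and check whether execution should reach the mmap() at all after a failed resize.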
Re: [lxc-devel] [PATCH 5/9] lxc_user_nic: report failing filename in open_and_lock error cases
On Tue, Nov 19, 2013 at 04:17:48PM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_user_nic.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index 0b82a50..4154e83 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c @@ -105,7 +105,8 @@ int open_and_lock(char *path) fd = open(path, O_RDWR|O_CREAT, S_IWUSR | S_IRUSR); if (fd 0) { - perror(open); + fprintf(stderr, Failed to open %s: %s\n, + path, strerror(errno)); return(fd); } @@ -114,7 +115,8 @@ int open_and_lock(char *path) lk.l_start = 0; lk.l_len = 0; if (fcntl(fd, F_SETLKW, lk) 0) { - perror(fcntl lock); + fprintf(stderr, Failed to lock %s: %s\n, + path, strerror(errno)); return -1; } -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
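Review bot: In open_and_lock(), the fcntl(F_SETLKW) failure branch now names the path but still does "return -1" with fd open, so the descriptor opened a few lines earlier is leaked on that path. Add close(fd) before the return; the open() failure branch above it has nothing to release and is fine as written.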
Re: [lxc-devel] [PATCH 4/9] lxc_user_nic: only exit from main and usage
On Tue, Nov 19, 2013 at 04:17:47PM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com Everywhere else return an error code instead. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_user_nic.c | 21 ++--- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index 8c73b55..0b82a50 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c @@ -115,7 +115,7 @@ int open_and_lock(char *path) lk.l_len = 0; if (fcntl(fd, F_SETLKW, lk) 0) { perror(fcntl lock); - exit(1); + return -1; } return fd; @@ -220,17 +220,17 @@ next: bool nic_exists(char *nic) { - char path[200]; + char path[MAXPATHLEN]; int ret; struct stat sb; #if ISTEST - ret = snprintf(path, 200, /tmp/lxcnettest/%s, nic); + ret = snprintf(path, MAXPATHLEN, /tmp/lxcnettest/%s, nic); #else - ret = snprintf(path, 200, /sys/class/net/%s, nic); + ret = snprintf(path, MAXPATHLEN, /sys/class/net/%s, nic); #endif - if (ret 0 || ret = 200) - exit(1); + if (ret 0 || ret = MAXPATHLEN) // should never happen! + return true; ret = stat(path, sb); if (ret != 0) return false; @@ -436,14 +436,14 @@ static int instanciate_veth(char *n1, char **n2) err = snprintf(*n2, IFNAMSIZ, %sp, n1); if (err 0 || err = IFNAMSIZ) { fprintf(stderr, nic name too long\n); - exit(1); + return -1; } err = lxc_veth_create(n1, *n2); if (err) { fprintf(stderr, failed to create %s-%s : %s\n, n1, *n2, strerror(-err)); - exit(1); + return -1; } /* changing the high byte of the mac address to 0xfe, the bridge interface @@ -551,7 +551,6 @@ bool create_nic(char *nic, char *br, int pid, char **cnic) close(fd); return true; #else - // not yet implemented char *veth1buf, *veth2buf; veth1buf = alloca(IFNAMSIZ); veth2buf = alloca(IFNAMSIZ); 
@@ -560,7 +559,7 @@ bool create_nic(char *nic, char *br, int pid, char **cnic) ret = snprintf(veth1buf, IFNAMSIZ, %s, nic); if (ret 0 || ret = IFNAMSIZ) { fprintf(stderr, host nic name too long\n); - exit(1); + return false; } /* create the nics */ @@ -586,7 +585,7 @@ bool create_nic(char *nic, char *br, int pid, char **cnic) out_del: lxc_netdev_delete_by_name(veth1buf); - exit(1); + return false; #endif } -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
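Review bot: In the nic_exists() hunk, the snprintf() overflow branch now returns true, which reports a formatting error as "the nic exists", and a bool return gives callers no way to tell the two apart. If true is meant as the conservative answer, say so in the comment next to "should never happen!" and name which callers depend on it; otherwise print an error there the way the other converted exit(1) sites in this patch do before returning.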
Re: [lxc-devel] [PATCH 6/9] lxc_user_nic: fix get_allotted description.
On Tue, Nov 19, 2013 at 04:17:49PM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com get_allotted doesn't get the list of nic names, only the # of nics allowed to the user. We check the db_file later for existing number of nics. Also close the conf file on success, and print filename and errno if we failed to open conf file. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_user_nic.c | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index 4154e83..ff5393e 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c @@ -138,12 +138,10 @@ char *get_username(void) /* The configuration file consists of lines of the form: * - * user type bridge nic-name count + * user type bridge count * - * We simply count the number of lines in the file, making sure that - * every listed nic is still present. Any nics which have disappeared - * is removed when we count, in case the container died a harsh death - * without being able to clean up after itself. + * Return the count entry for the calling user if there is one. Else + * return -1. */ int get_alloted(char *me, char *intype, char *link) { @@ -153,8 +151,11 @@ int get_alloted(char *me, char *intype, char *link) size_t len = 0; int n = -1, ret; - if (!fin) + if (!fin) { + fprintf(stderr, Failed to open %s: %s\n, CONF_FILE, + strerror(errno)); return -1; + } while ((getline(line, len, fin)) != -1) { ret = sscanf(line, %99[^ \t] %99[^ \t] %99[^ \t] %d, user, type, br, n); 
@@ -168,6 +169,7 @@ int get_alloted(char *me, char *intype, char *link) if (strcmp(link, br) != 0) continue; free(line); + fclose(fin); return n; } fclose(fin); -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [lxc-devel] [PATCH 7/9] lxc_user_nic: make all fns static for consistency
On Tue, Nov 19, 2013 at 04:17:50PM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_user_nic.c | 42 +- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index ff5393e..caa20df 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c @@ -98,7 +98,7 @@ void usage(char *me, bool fail) exit(fail ? 1 : 0); } -int open_and_lock(char *path) +static int open_and_lock(char *path) { int fd; struct flock lk; @@ -124,7 +124,7 @@ int open_and_lock(char *path) } -char *get_username(void) +static char *get_username(void) { struct passwd *pwd = getpwuid(getuid()); @@ -143,7 +143,7 @@ char *get_username(void) * Return the count entry for the calling user if there is one. Else * return -1. */ -int get_alloted(char *me, char *intype, char *link) +static int get_alloted(char *me, char *intype, char *link) { FILE *fin = fopen(CONF_FILE, r); char *line = NULL; @@ -178,21 +178,21 @@ int get_alloted(char *me, char *intype, char *link) return -1; } -char *get_eol(char *s) +static char *get_eol(char *s) { while (*s *s != '\n') s++; return s; } -char *get_eow(char *s) +static char *get_eow(char *s) { while (*s !isblank(*s) *s != '\n') s++; return s; } -char *find_line(char *p, char *e, char *u, char *t, char *l) +static char *find_line(char *p, char *e, char *u, char *t, char *l) { char *p1, *p2, *ret; @@ -222,7 +222,7 @@ next: return NULL; } -bool nic_exists(char *nic) +static bool nic_exists(char *nic) { char path[MAXPATHLEN]; int ret; @@ -248,7 +248,7 @@ struct link_req { #if ! ISTEST -int lxc_veth_create(const char *name1, const char *name2) +static int lxc_veth_create(const char *name1, const char *name2) { struct nl_handler nlh; struct nlmsg *nlmsg = NULL, *answer = NULL; 
@@ -323,7 +323,7 @@ out: return err; } -int lxc_netdev_move(char *ifname, pid_t pid) +static int lxc_netdev_move(char *ifname, pid_t pid) { struct nl_handler nlh; struct nlmsg *nlmsg = NULL; @@ -462,7 +462,7 @@ static int instanciate_veth(char *n1, char **n2) return netdev_set_flag(n1, IFF_UP); } -int lxc_bridge_attach(const char *bridge, const char *ifname) +static int lxc_bridge_attach(const char *bridge, const char *ifname) { int fd, index, err; struct ifreq ifr; @@ -489,7 +489,7 @@ int lxc_bridge_attach(const char *bridge, const char *ifname) return err; } -int lxc_netdev_delete_by_index(int ifindex) +static int lxc_netdev_delete_by_index(int ifindex) { struct nl_handler nlh; struct nlmsg *nlmsg = NULL, *answer = NULL; @@ -524,7 +524,7 @@ out: return err; } -int lxc_netdev_delete_by_name(const char *name) +static int lxc_netdev_delete_by_name(const char *name) { int index; @@ -535,7 +535,7 @@ int lxc_netdev_delete_by_name(const char *name) return lxc_netdev_delete_by_index(index); } #else -int lxc_netdev_delete_by_name(const char *name) +static int lxc_netdev_delete_by_name(const char *name) { char path[200]; sprintf(path, /tmp/lxcnettest/%s, name); @@ -544,7 +544,7 @@ int lxc_netdev_delete_by_name(const char *name) #endif -bool create_nic(char *nic, char *br, int pid, char **cnic) +static bool create_nic(char *nic, char *br, int pid, char **cnic) { #if ISTEST char path[200]; @@ -598,7 +598,7 @@ out_del: * *dest will container the name (lxcuser-%d) which is attached * on the host to the lxc bridge */ -void get_new_nicname(char **dest, char *br, int pid, char **cnic) +static void get_new_nicname(char **dest, char *br, int pid, char **cnic) { int i = 0; // TODO - speed this up. For large installations we won't @@ -611,7 +611,7 @@ void get_new_nicname(char **dest, char *br, int pid, char **cnic) } } -bool get_nic_from_line(char *p, char **nic) +static bool get_nic_from_line(char *p, char **nic) { char user[100], type[100], br[100]; int ret; 
@@ -622,7 +622,7 @@ bool get_nic_from_line(char *p, char **nic) return true; } -bool cull_entries(int fd, char *me, char *t, char *br) +static bool cull_entries(int fd, char *me, char *t, char *br) { struct stat sb; char *buf, *p, *e, *nic; @@ -663,7 +663,7 @@ bool cull_entries(int fd, char *me, char *t, char *br) return true; } -int count_entries(char *buf, off_t len, char *me, char *t, char *br) +static int count_entries(char *buf, off_t len, char *me, char *t, char *br) { char *e = buf[len]; int count = 0; @@ -681,7
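Review bot: The subject says all functions become static, but the first hunk's header still shows "void usage(char *me, bool fail)" and no hunk before it touches that declaration, so usage() stays non-static. Make it static as well or adjust the subject. Separately, the ISTEST variant of lxc_netdev_delete_by_name() touched here keeps char path[200] filled by an unbounded sprintf() of name; switching it to snprintf() with a length check, as nic_exists() does, would be consistent with the rest of the file.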
Re: [lxc-devel] [PATCH 9/9] lxc-user-nic: improve cull_entries
On Tue, Nov 19, 2013 at 04:17:52PM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_user_nic.c | 42 -- 1 file changed, 32 insertions(+), 10 deletions(-) diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index 7d367c1..7ac3020 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c @@ -622,11 +622,19 @@ static bool get_nic_from_line(char *p, char **nic) return true; } +struct entry_line { + char *start; + int len; + bool keep; +}; + static bool cull_entries(int fd, char *me, char *t, char *br) { struct stat sb; char *buf, *p, *e, *nic; off_t len; + struct entry_line *entry_lines = NULL; + int i, n = 0; nic = alloca(100); 
@@ -643,22 +651,36 @@ static bool cull_entries(int fd, char *me, char *t, char *br) p = buf; e = buf + len; while ((p = find_line(p, e, me, t, br)) != NULL) { + struct entry_line *newe = realloc(entry_lines, n+1); + if (!newe) { + free(entry_lines); + return false; + } + entry_lines = newe; + entry_lines[n].start = p; + entry_lines[n].len = get_eol(p) - entry_lines[n].start; + entry_lines[n].keep = true; + n++; if (!get_nic_from_line(p, nic)) continue; - if (nic !nic_exists(nic)) { - // copy from eol(p)+1..e to p - char *src = get_eol(p) + 1, *dest = p; - int diff = src - p; - while (src e) - *(dest++) = *(src)++; - e -= diff; - } else - p = get_eol(p) + 1; + if (nic !nic_exists(nic)) + entry_lines[n-1].keep = false; + p += entry_lines[n-1].len + 1; if (p = e) break; } + p = buf; + for (i=0; in; i++) { + if (!entry_lines[i].keep) + continue; + memcpy(p, entry_lines[i].start, entry_lines[i].len); + p += entry_lines[i].len; + *p = '\n'; + p++; + } + free(entry_lines); munmap(buf, sb.st_size); - if (ftruncate(fd, e-buf)) + if (ftruncate(fd, p-buf)) fprintf(stderr, Failed to set new file size\n); return true; } -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
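Review bot: In cull_entries(), realloc(entry_lines, n+1) sizes the array in bytes rather than elements, so the writes to entry_lines[n].start, .len and .keep run past the allocation from the first iteration; it needs (n+1) * sizeof(*entry_lines). The same hunk has three smaller problems: the "return false" on realloc failure skips munmap() of buf, the "continue" after a failed get_nic_from_line() skips the "p += ..." advance so find_line() is handed the same position again, and the compaction loop copies within one buffer using memcpy() where source and destination can overlap, which calls for memmove().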
Re: [lxc-devel] [PATCH 8/9] lxc_user_nic: initialize cnic to NULL to please compiler
On Tue, Nov 19, 2013 at 04:17:51PM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_user_nic.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lxc/lxc_user_nic.c b/src/lxc/lxc_user_nic.c index caa20df..7d367c1 100644 --- a/src/lxc/lxc_user_nic.c +++ b/src/lxc/lxc_user_nic.c @@ -906,7 +906,7 @@ int main(int argc, char *argv[]) bool gotone = false; char *me; char *nicname = alloca(40); - char *cnic; // created nic name in container is returned here. + char *cnic = NULL; // created nic name in container is returned here. char *vethname; int pid; -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
[lxc-devel] [PATCH] lxc-info: Rework based on mailinglist thread
So this implements the changes we discussed yesterday: - Only one container may be queried at the time - -n is now required once again - -H + a single filter only returns the value - -t/--is-state is now removed Note that -S is considered as more than a single filter, so -H in that case only affects the formatting of the values. For the same reason, I haven't yet implemented the -H + multiple filters case which we said should return a simple key: value output as it wasn't trivial to re-arrange the stats code to print a different format (for the other options, it's just a two lines change in the print functions). Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- doc/ja/lxc-info.sgml.in | 27 --- doc/lxc-info.sgml.in| 21 - src/lxc/lxc-netstat.in | 2 +- src/lxc/lxc-ps.in | 2 +- src/lxc/lxc_info.c | 123 5 files changed, 54 insertions(+), 121 deletions(-) diff --git a/doc/ja/lxc-info.sgml.in b/doc/ja/lxc-info.sgml.in index 4cb8197..394c367 100644 --- a/doc/ja/lxc-info.sgml.in +++ b/doc/ja/lxc-info.sgml.in @@ -58,7 +58,6 @@ by KATOH Yasufumi karma at jazz.email.ne.jp arg choice=opt-s/arg arg choice=opt-p/arg arg choice=opt-i/arg - arg choice=opt-t replaceablestate/replaceable/arg arg choice=opt-S/arg arg choice=opt-H/arg /cmdsynopsis @@ -212,20 +211,6 @@ by KATOH Yasufumi karma at jazz.email.ne.jp /para /listitem /varlistentry - - varlistentry -term - optionoptional-t replaceablestate/replaceable/optional/option -/term -listitem - para -!-- -Check whether the container is in the provided state. --- -コンテナが指定した状態かどうかをチェックする. - /para -/listitem - /varlistentry /variablelist /refsect1 @@ -259,18 +244,6 @@ by KATOH Yasufumi karma at jazz.email.ne.jp /varlistentry varlistentry -termlxc-info -n foo -t RUNNING/term -listitem - para -!-- -exits 0 if foo is RUNNING, 1 otherwise. --- -もしコンテナ foo が RUNNING であれば 0 を返します.それ以外は 1 を返します. - /para -/listitem - /varlistentry - - varlistentry termlxc-info -n foo -c lxc.network.0.veth.pair/term listitem para 
diff --git a/doc/lxc-info.sgml.in b/doc/lxc-info.sgml.in index 791d780..5f4 100644 --- a/doc/lxc-info.sgml.in +++ b/doc/lxc-info.sgml.in @@ -52,7 +52,6 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA arg choice=opt-s/arg arg choice=opt-p/arg arg choice=opt-i/arg - arg choice=opt-t replaceablestate/replaceable/arg arg choice=opt-S/arg arg choice=opt-H/arg /cmdsynopsis @@ -169,17 +168,6 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA /para /listitem /varlistentry - - varlistentry -term - optionoptional-t replaceablestate/replaceable/optional/option -/term -listitem - para -Check whether the container is in the provided state. - /para -/listitem - /varlistentry /variablelist /refsect1 @@ -207,15 +195,6 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA /varlistentry varlistentry -termlxc-info -n foo -t RUNNING/term -listitem - para -exits 0 if foo is RUNNING, 1 otherwise. - /para -/listitem - /varlistentry - - varlistentry termlxc-info -n foo -c lxc.network.0.veth.pair/term listitem para diff --git a/src/lxc/lxc-netstat.in b/src/lxc/lxc-netstat.in index 2add530..0aecb0c 100644 --- a/src/lxc/lxc-netstat.in +++ b/src/lxc/lxc-netstat.in @@ -117,7 +117,7 @@ if [ -z $exec ]; then exec @BINDIR@/lxc-unshare -s MOUNT -- $0 -n $name -P $lxc_path --exec -- $@ fi -if lxc-info -n $name -P $lxc_path --state-is 'STOPPED'; then +if lxc-wait -n $name -P $lxc_path -s 'STOPPED' -t 0; then echo $(basename $0): container '$name' is not running 2 exit 1 fi diff --git a/src/lxc/lxc-ps.in b/src/lxc/lxc-ps.in index 75d5610..ae57e21 100644 --- a/src/lxc/lxc-ps.in +++ b/src/lxc/lxc-ps.in 
@@ -116,7 +116,7 @@ for container in ${containers}; do container_field_width=${#container} fi -if ! lxc-info -P $lxc_path -t STOPPED -n $container; then +if ! lxc-wait -P $lxc_path -s STOPPED -n $container -t 0; then initpid=`lxc-info -P $lxc_path -p -n $container | awk -F: '{ print $2 }' | awk '{ print $1 }'` cgroup=`head -n 1 /proc/$initpid/cgroup | awk -F: '{ print $3}'` if [ -f $parent_cgroup/$cgroup/tasks ]; then diff --git a/src/lxc/lxc_info.c b/src/lxc/lxc_info.c index 6c35bbb..11555aa 100644 --- a/src/lxc/lxc_info.c +++ b/src/lxc
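Review bot: in doc/lxc-info.sgml.in and doc/ja/lxc-info.sgml.in the hunks only delete the -t option and its `lxc-info -n foo -t RUNNING` example, so the man page is left without a documented way to test a container's state and without the new rules listed in the commit message (one container per call, -n required, -H with a single filter printing only the value). Suggest documenting those in the same patch and pointing readers at the form the scripts now use, `lxc-wait -n foo -s RUNNING -t 0`. In lxc-netstat.in and lxc-ps.in, -t changes meaning from "state" (lxc-info) to "timeout" (lxc-wait); a one-line comment next to `-t 0` would keep the next reader from misparsing it.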
[lxc-devel] Sorry for the git mess
Hey everyone, Sorry for the github flood, apparently one should mix up --all and --tags when doing a release or you end up with a dozen extra branch in a matter of seconds... Anyway, that's all fixed and alpha3 has been tagged. Enjoy! -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [lxc-devel] Sorry for the git mess
On Fri, Nov 15, 2013 at 07:48:59PM -0500, S.Çağlar Onur wrote: Hey Stéphane, On Fri, Nov 15, 2013 at 4:12 PM, Stéphane Graber stgra...@ubuntu.com wrote: Hey everyone, Sorry for the github flood, apparently one should mix up --all and --tags when doing a release or you end up with a dozen extra branch in a matter of seconds... Anyway, that's all fixed and alpha3 has been tagged. Enjoy! It looks like you forgot to push configure.ac change (dceb6c80186aceb150a26456343610a43dfddc63) to master [caglar@oOo:~/Projects/lxc(master)] git diff lxc-1.0.0.alpha3..upstream/master diff --git a/configure.ac b/configure.ac index e85e558..6004b35 100644 --- a/configure.ac +++ b/configure.ac @@ -4,7 +4,7 @@ m4_define([lxc_version_major], 1) m4_define([lxc_version_minor], 0) m4_define([lxc_version_micro], 0) -m4_define([lxc_version_beta], [alpha3]) +m4_define([lxc_version_beta], [alpha2]) m4_define([lxc_version_base], [lxc_version_major.lxc_version_minor.lxc_version_micro]) m4_define([lxc_version], Apparently so... not sure how I managed that, but with the mess created by --all, it's possible that I ended up pushing everything but what I actually wanted ;) Anyway, pushed now and github shows what I expected. -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [lxc-devel] [PATCH 1/1] lxc-start: if we pass in a config file, then don't use any loaded config
On Thu, Nov 14, 2013 at 12:48:41PM -0600, Serge Hallyn wrote: To do this, add a c-clear_config() helper to the api. (this fixes the bug https://bugs.launchpad.net/bugs/1251352) Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_start.c| 1 + src/lxc/lxccontainer.c | 16 +++- src/lxc/lxccontainer.h | 2 ++ 3 files changed, 14 insertions(+), 5 deletions(-) diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c index add2542..fe859db 100644 --- a/src/lxc/lxc_start.c +++ b/src/lxc/lxc_start.c @@ -187,6 +187,7 @@ int main(int argc, char *argv[]) ERROR(Failed to create lxc_container); return err; } + c-clear_config(c); if (!c-load_config(c, rcfile)) { ERROR(Failed to load rcfile); lxc_container_put(c); diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 2a70bc7..3cabf0d 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -1151,6 +1151,14 @@ out_error: return true; } +static void lxcapi_clear_config(struct lxc_container *c) +{ + if (c c-lxc_conf) { + lxc_conf_free(c-lxc_conf); + c-lxc_conf = NULL; + } +} + static bool lxcapi_destroy(struct lxc_container *c); /* * lxcapi_create: @@ -1280,9 +1288,7 @@ static bool lxcapi_create(struct lxc_container *c, const char *t, // now clear out the lxc_conf we have, reload from the created // container - if (c-lxc_conf) - lxc_conf_free(c-lxc_conf); - c-lxc_conf = NULL; + lxcapi_clear_config(c); if (t) { if (!prepend_lxc_header(c-configfile, tpath, argv)) { @@ -3093,8 +3099,7 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath if (ongoing_create(c) == 2) { ERROR(Error: %s creation was not completed, c-name); lxcapi_destroy(c); - lxc_conf_free(c-lxc_conf); - c-lxc_conf = NULL; + lxcapi_clear_config(c); } // assign the member functions 
@@ -3122,6 +3127,7 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath c-createl = lxcapi_createl; c-shutdown = lxcapi_shutdown; c-reboot = lxcapi_reboot; + c-clear_config = lxcapi_clear_config; c-clear_config_item = lxcapi_clear_config_item; c-get_config_item = lxcapi_get_config_item; c-get_cgroup_item = lxcapi_get_cgroup_item; diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h index 3a12372..57b8e78 100644 --- a/src/lxc/lxccontainer.h +++ b/src/lxc/lxccontainer.h 
@@ -85,6 +85,8 @@ struct lxc_container { bool (*reboot)(struct lxc_container *c); /* send SIGPWR. if timeout is not 0 or -1, do a hard stop after timeout seconds */ bool (*shutdown)(struct lxc_container *c, int timeout); + /* completely clear a configuration */ + void (*clear_config)(struct lxc_container *c); /* clear all network or capability items in the in-memory configuration */ bool (*clear_config_item)(struct lxc_container *c, const char *key); /* print a config item to a in-memory string allocated by the caller. Return -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
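Review bot: lxcapi_clear_config() in src/lxc/lxccontainer.c frees c->lxc_conf and sets it to NULL with no locking in the lines shown, and the patch also exports it as the public clear_config member, so a second thread holding the same container could still be reading the struct that is being freed. If the other config accessors take a container lock, this one should take it too. The header comment `/* completely clear a configuration */` could also say that the in-memory configuration is freed and that load_config() has to follow before the container is used again, which is the pattern the lxc_start.c hunk relies on.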
Re: [lxc-devel] [PATCH] introduce lxcapi_add_device_node and lxcapi_remove_device_node to API (v3)
On Wed, Nov 13, 2013 at 12:39:00AM -0500, S.Çağlar Onur wrote: Adding block/char devices to running container is a common operation so provide a common implementation for users to consume. changes since v2; * lets the user set an alternate path inside the container as Stéphane suggested changes since v1; * removed duplicated code Signed-off-by: S.Çağlar Onur cag...@10ur.org Hi, So at first glance the reason why the remove function also take both src and dest path wasn't very obvious though after thinking about it some more, I guess it makes sense to always look for type/major/minor of the source device, so passing only the dest path wouldn't work. And it's possible that at some point we may want to do something again the dest path (like removing it) so it doesn't hurt to have it passed too (though at this point, passing it or not shouldn't make any difference). Acked-by: Stéphane Graber stgra...@ubuntu.com Note that Serge pushed v0 by accident but he then reverted it, so I'll push v3 now. --- src/lxc/lxccontainer.c | 100 + src/lxc/lxccontainer.h | 19 ++ 2 files changed, 119 insertions(+) diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 05ca643..2a70bc7 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -49,6 +49,7 @@ #include lxc/namespace.h #include sched.h #include arpa/inet.h +#include libgen.h #if HAVE_IFADDRS_H #include ifaddrs.h @@ -62,6 +63,8 @@ #endif #endif +#define MAX_BUFFER 4096 + lxc_log_define(lxc_container, lxc); static bool file_exists(char *f) 
@@ -2920,6 +2923,101 @@ static bool lxcapi_may_control(struct lxc_container *c) return lxc_try_cmd(c-name, c-config_path) == 0; } +static bool add_remove_device_node(struct lxc_container *c, char *src_path, char *dest_path, bool add) +{ + int ret; + struct stat st; + char path[MAXPATHLEN]; + char value[MAX_BUFFER]; + char *directory_path = NULL, *p; + + /* make sure container is running */ + if (!c-is_running(c)) { + ERROR(container is not running); + goto out; + } + + /* use src_path if dest_path is NULL otherwise use dest_path */ + p = dest_path ? dest_path : src_path; + + /* prepare the path */ + ret = snprintf(path, MAXPATHLEN, /proc/%d/root/%s, c-init_pid(c), p); + if (ret 0 || ret = MAXPATHLEN) + goto out; + remove_trailing_slashes(path); + + p = add ? src_path : path; + /* make sure we can access p */ + if(access(p, F_OK) 0 || stat(p, st) 0) + goto out; + + /* continue if path is character device or block device */ + if S_ISCHR(st.st_mode) + ret = snprintf(value, MAX_BUFFER, c %d:%d rwm, major(st.st_rdev), minor(st.st_rdev)); + else if S_ISBLK(st.st_mode) + ret = snprintf(value, MAX_BUFFER, b %d:%d rwm, major(st.st_rdev), minor(st.st_rdev)); + else + goto out; + + /* check snprintf return code */ + if (ret 0 || ret = MAX_BUFFER) + goto out; + + directory_path = dirname(strdup(path)); + /* remove path and directory_path (if empty) */ + if(access(path, F_OK) == 0) { + if (unlink(path) 0) { + ERROR(unlink failed); + goto out; + } + if (rmdir(directory_path) 0 errno != ENOTEMPTY) { + ERROR(rmdir failed); + goto out; + } + } + + if (add) { + /* create the missing directories */ + if (mkdir_p(directory_path, 0755) 0) { + ERROR(failed to create directory); + goto out; + } + + /* create the device node */ + if (mknod(path, st.st_mode, st.st_rdev) 0) { + ERROR(mknod failed); +goto out; + } + + /* add device node to device list */ + if (!c-set_cgroup_item(c, devices.allow, value)) { + ERROR(set_cgroup_item failed while adding the device node); + goto out; + } + } else 
{ + /* remove device node from device list */ + if (!c-set_cgroup_item(c, devices.deny, value)) { + ERROR(set_cgroup_item failed while removing the device node); + goto out; + } + } + return true; +out: + if (directory_path) + free(directory_path); + return false; +} + +static bool lxcapi_add_device_node(struct lxc_container *c, char *src_path, char *dest_path) +{ + return add_remove_device_node(c, src_path, dest_path, true); +} + +static bool lxcapi_remove_device_node(struct lxc_container *c, char *src_path, char *dest_path) +{ + return
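Review bot: add_remove_device_node() runs unlink(), rmdir(), mkdir_p() and mknod() from the host on `/proc/<init pid>/root/<dest_path>`, a path whose directory components are under the container's control, so a symlinked directory inside the container's rootfs can redirect those calls to a location outside it. Suggest doing the filesystem work from inside the container's mount namespace, or walking the parent directory with openat() and O_NOFOLLOW per component and creating the node with mknodat(). Separately, `dirname(strdup(path))` does not check the strdup() result, the `return true` path never frees directory_path, and free() is called on dirname()'s return value rather than on the pointer strdup() returned; keep the strdup() pointer in its own variable and free that on every exit.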
Re: [lxc-devel] Ubuntu container failure on Fedora...
On Tue, Nov 12, 2013 at 08:31:03AM -0500, Michael H. Warfield wrote: Ok all... Seems like this just started happening in the last few weeks and I'm not sure when... But... My newly created Ubuntu containers are failing to start on my Fedora hosts because of a mount problem. So... What's this, what does it do, and is this really required? [root@hydra mhw]# lxc-create -n Ubuntu -t ubuntu -- --release raring lxc_container: No such file or directory - Failed to make / rslave to run template lxc_container: Continuing... Checking cache download in /var/cache/lxc/raring/rootfs-amd64 ... Copy /var/cache/lxc/raring/rootfs-amd64 to /var/lib/lxc/Ubuntu/rootfs ... Copying rootfs to /var/lib/lxc/Ubuntu/rootfs ... Generating locales... en_US.UTF-8... up-to-date Generation complete. Creating SSH2 RSA key; this may take some time ... Creating SSH2 DSA key; this may take some time ... Creating SSH2 ECDSA key; this may take some time ... ## # The default user is 'ubuntu' with password 'ubuntu'! # Use the 'sudo' command to run tasks as root in the container. ## [root@hydra mhw]# lxc-start -n Ubuntu lxc-start: No such file or directory - failed to mount '/sys/fs/fuse/connections' on '/usr/lib64/lxc/rootfs/sys/fs/fuse/connections' lxc-start: failed to setup the mounts for 'Ubuntu' lxc-start: failed to setup the container lxc-start: invalid sequence number 1. expected 2 lxc-start: failed to spawn 'Ubuntu' [root@hydra mhw]# Now... If I remove this line from /var/lib/lxc/Ubuntu/fstab, then things seem to all work. The container boots and seems to function. /sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0 What breaks in Ubuntu if I do this? Why is ANY fuse fs being included in a container? Are any hosts expected to have a requirement for user space file system? Ok... Maybe an overlayfs I can understand, but... Regards, Mike -- Michael H. 
Warfield (AI4NB) | (770) 978-7061 | m...@wittsend.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF| possible worlds. A pessimist is sure of it! Hi, fuse is allowed in Ubuntu containers because we consider it safe to use (as in, no worse than running as a user on the host). It's needed for at least sshfs and I believe some other workloads that some of our users are running (we allowed fused as a result of several bug reports). It sounds like the line could however be changed to: /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 Which would make LXC ignore the mount failure and should make the container work again for you. -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
[lxc-devel] [PATCH] lxc-ubuntu*: Mark non-essential mounts optional
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- templates/lxc-ubuntu-cloud.in | 6 +++--- templates/lxc-ubuntu.in | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/templates/lxc-ubuntu-cloud.in b/templates/lxc-ubuntu-cloud.in index 41f1c70..aeadc2d 100644 --- a/templates/lxc-ubuntu-cloud.in +++ b/templates/lxc-ubuntu-cloud.in @@ -118,9 +118,9 @@ EOF cat EOF $path/fstab procproc procnodev,noexec,nosuid 0 0 sysfs sys sysfs defaults 0 0 -/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0 -/sys/kernel/debug sys/kernel/debug none bind 0 0 -/sys/kernel/security sys/kernel/security none bind 0 0 +/sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 +/sys/kernel/debug sys/kernel/debug none bind,optional 0 0 +/sys/kernel/security sys/kernel/security none bind,optional 0 0 /sys/fs/pstore sys/fs/pstore none bind,optional 0 0 EOF diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 9423f0f..3e296d8 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in 
@@ -427,9 +427,9 @@ EOF cat EOF $path/fstab procproc procnodev,noexec,nosuid 0 0 sysfs sys sysfs defaults 0 0 -/sys/fs/fuse/connections sys/fs/fuse/connections none bind 0 0 -/sys/kernel/debug sys/kernel/debug none bind 0 0 -/sys/kernel/security sys/kernel/security none bind 0 0 +/sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0 +/sys/kernel/debug sys/kernel/debug none bind,optional 0 0 +/sys/kernel/security sys/kernel/security none bind,optional 0 0 /sys/fs/pstore sys/fs/pstore none bind,optional 0 0 EOF -- 1.8.4.3
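Review bot: the commit message has no body, so the reason for touching the fstab block in templates/lxc-ubuntu.in and templates/lxc-ubuntu-cloud.in is lost; say that the bind mounts of /sys/fs/fuse/connections, /sys/kernel/debug and /sys/kernel/security make container start fail on hosts where the source path does not exist (the Fedora report in this thread) and that `optional` lets LXC skip them. All three entries stay read-write binds; since these lines are being changed anyway, it is worth deciding whether /sys/kernel/debug and /sys/kernel/security need to be writable from inside the container or could become `ro,bind,optional`.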
Re: [lxc-devel] lxc and network namespace
On Tue, Nov 12, 2013 at 12:11:19PM -0800, Arjun Sambamoorthy wrote: [Trying dev list as there was no response from user list] Hi, I am using lxc with a couple of veths on ubuntu. I'd like to know its network namespace name so that i can dynamically add/remove veths to the netns after the lxc is started. Could this be done in lxc? Also, executing ip netns list returns empty. Why would that be? Any insight or help would be great. Regards, Arjun Network namespaces don't have name, ip netns simply symlinks the net attach point (/proc/PID/ns/net) under /run/netns to give them names and list them. lxc-device already lets you move a network device inside the container. Patches to also allow moving them out of the container are welcome. -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [lxc-devel] [PATCH] introduce lxcapi_add_device_node and lxcapi_remove_device_node to API (v2)
lxc_container *c, char *path); + /* + * Returns true if given device succesfully removed from container + */ + bool (*remove_device_node)(struct lxc_container *c, char *path); }; struct lxc_snapshot { -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
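Review bot: the comment added above remove_device_node in struct lxc_container misspells "successfully" as "succesfully", and the members shown take a plain `char *path`. If the implementation never modifies the string, `const char *path` states that for API users and lets them pass string literals without a cast.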
Re: [lxc-devel] [PATCH 1/1] lxc_abstract_unix_connect: accomodate containers started before Oct 28
On Mon, Nov 11, 2013 at 12:34:51PM -0600, Serge Hallyn wrote: commit aae93dd3dd20dd12c6b8f9f0490e2fb877ee3f09 fixed the command socket name to use the right pathlen instead of always passing in the max socket namelen. However, this breaks lxc-info/lxc-list/etc for containers started before that commit. So if the correct command sock name doesn't work, try the preexisting one. Note we can probably undo this after awhile. Maybe in august 2014. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/af_unix.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c index ab73963..6f0183d 100644 --- a/src/lxc/af_unix.c +++ b/src/lxc/af_unix.c 
@@ -135,6 +135,9 @@ int lxc_abstract_unix_connect(const char *path) if (connect(fd, (struct sockaddr *)addr, offsetof(struct sockaddr_un, sun_path) + len)) { int tmp = errno; + /* special case to connect to older containers */ + if (connect(fd, (struct sockaddr *)addr, sizeof(addr)) == 0) + return fd; process_lock(); close(fd); process_unlock(); -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
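Review bot: the fallback connect() added to lxc_abstract_unix_connect() succeeds silently, and its comment `/* special case to connect to older containers */` records neither the commit that changed the name length (aae93dd3dd20dd12c6b8f9f0490e2fb877ee3f09) nor the removal plan from the commit message (undo after a while, maybe August 2014). Suggest putting both into the comment and logging at debug level when the padded name is the one that worked, so remaining old-style containers can be found before the fallback is dropped. The retry reuses the same fd after a failed connect(); a word in the comment that this is intentional would help.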
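The name-length behaviour behind this fix, as an added example (not LXC code and not part of the original e-mails): an abstract AF_UNIX name is exactly the bytes covered by the address length, so a listener bound with the full sockaddr_un size is reachable only by a client that passes the same padded length. The socket name and the helpers abstract_addr, abstract_listen, abstract_connect and try_connect are constructed for illustration; Linux only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Build an abstract address: sun_path[0] is NUL, the name follows.
 * Returns the exact address length, or 0 if the name does not fit. */
static socklen_t abstract_addr(struct sockaddr_un *addr, const char *name)
{
	size_t len = strlen(name);

	memset(addr, 0, sizeof(*addr));
	addr->sun_family = AF_UNIX;
	if (len == 0 || len > sizeof(addr->sun_path) - 1)
		return 0;
	memcpy(&addr->sun_path[1], name, len);
	return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + len);
}

/* Listen on an abstract name. padded != 0 reproduces the old behaviour:
 * the whole sockaddr_un, trailing NUL bytes included, becomes the name. */
static int abstract_listen(const char *name, int padded)
{
	struct sockaddr_un addr;
	socklen_t exact = abstract_addr(&addr, name);
	socklen_t blen = padded ? (socklen_t)sizeof(addr) : exact;
	int fd;

	if (!exact)
		return -1;
	fd = socket(AF_UNIX, SOCK_STREAM, 0);
	if (fd < 0)
		return -1;
	if (bind(fd, (struct sockaddr *)&addr, blen) < 0 || listen(fd, 1) < 0) {
		close(fd);
		return -1;
	}
	return fd;
}

/* Connect with the exact length first; optionally retry on the same fd
 * with the padded length. Returns the fd and sets *how to 1 (exact) or
 * 2 (padded fallback); returns -1 with *how == 0 if neither worked. */
static int abstract_connect(const char *name, int allow_padded, int *how)
{
	struct sockaddr_un addr;
	socklen_t exact = abstract_addr(&addr, name);
	int fd;

	*how = 0;
	if (!exact)
		return -1;
	fd = socket(AF_UNIX, SOCK_STREAM, 0);
	if (fd < 0)
		return -1;
	if (connect(fd, (struct sockaddr *)&addr, exact) == 0) {
		*how = 1;
		return fd;
	}
	if (allow_padded &&
	    connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0) {
		*how = 2;
		return fd;
	}
	close(fd);
	return -1;
}

/* One case: start a listener (padded or exact), try to reach it, clean up.
 * Returns 0 = unreachable, 1 = reached with the exact length,
 * 2 = reached via the padded fallback, -1 = listener setup failed. */
int try_connect(int listener_padded, int allow_padded)
{
	char name[64];
	int how, srv, cli;

	/* Constructed name; the pid keeps parallel runs apart. */
	snprintf(name, sizeof(name), "example-lxc/%ld/command", (long)getpid());
	srv = abstract_listen(name, listener_padded);
	if (srv < 0)
		return -1;
	cli = abstract_connect(name, allow_padded, &how);
	if (cli >= 0)
		close(cli);
	close(srv);
	return how;
}

int main(void)
{
	printf("exact listener,  exact-only client: %d\n", try_connect(0, 0));
	printf("padded listener, exact-only client: %d\n", try_connect(1, 0));
	printf("padded listener, fallback client:   %d\n", try_connect(1, 1));
	return 0;
}
```

The second case is the breakage the commit message describes (a fixed client cannot see a container started with the padded name); the third is the compatibility retry.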
Re: [lxc-devel] [PATCH 1/1] api_start: refuse to run undaemonized if multithreaded
On Thu, Nov 07, 2013 at 10:20:33PM -0600, Serge Hallyn wrote: lxc-start is not safe (and doesn't actually make sense) if the task is not single-threaded. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxccontainer.c | 37 + 1 file changed, 37 insertions(+) diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 05e5405..827cae0 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -506,6 +506,38 @@ static bool wait_on_daemonized_start(struct lxc_container *c) return lxcapi_wait(c, RUNNING, timeout); } +static bool am_single_threaded(void) +{ + struct dirent dirent, *direntp; + DIR *dir; + int count=0; + + process_lock(); + dir = opendir(/proc/self/task); + process_unlock(); + if (!dir) { + INFO(failed to open /proc/self/task); + return false; + } + + while (!readdir_r(dir, dirent, direntp)) { + if (!direntp) + break; + + if (!strcmp(direntp-d_name, .)) + continue; + + if (!strcmp(direntp-d_name, ..)) + continue; + if (++count 1) + break; + } + process_lock(); + closedir(dir); + process_unlock(); + return count == 1; +} + /* * I can't decide if it'd be more convenient for callers if we accept '...', * or a null-terminated array (i.e. execl vs execv) 
@@ -598,6 +630,11 @@ static bool lxcapi_start(struct lxc_container *c, int useinit, char * const argv open(/dev/null, O_RDWR); open(/dev/null, O_RDWR); setsid(); + } else { + if (!am_single_threaded()) { + ERROR(Cannot start non-daemonized container when threaded); + return false; + } } reboot: -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
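Review bot: am_single_threaded() returns false when opendir() on /proc/self/task fails, so lxcapi_start() then refuses a non-daemonized start with "Cannot start non-daemonized container when threaded" although the real cause, logged only at INFO, is that the task list could not be read. Suggest separating the two outcomes, for example an int return with -1 for "unknown" and its own ERROR message. A failing readdir_r() also ends the loop silently with whatever count was reached (0 on the first call, which again reads as "threaded"); plain readdir() with an errno check would be enough here since the DIR handle is not shared.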
Re: [lxc-devel] [PATCH RFC] install lxc-user-nic with setuid bit set
On Wed, Nov 06, 2013 at 09:31:35AM -0600, Serge Hallyn wrote: It's worthless without it. However it's a scary thing to do. Before acking this, reviewers may want to take another close look at lxc-user-nic itself :) Can you perhaps try to get someone on the Ubuntu Security team to do a quick audit too? Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com --- src/lxc/Makefile.am | 1 + 1 file changed, 1 insertion(+) diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index 8baf169..d210472 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -237,6 +237,7 @@ install-exec-local: install-soPROGRAMS cd $(DESTDIR)$(libdir); \ ln -sf liblxc.so.$(VERSION) liblxc.so.$(firstword $(subst ., ,$(VERSION))); \ ln -sf liblxc.so.$(firstword $(subst ., ,$(VERSION))) liblxc.so + chmod u+s $(DESTDIR)$(bindir)/lxc-user-nic uninstall-local: $(RM) $(DESTDIR)$(libdir)/liblxc.so* -- 1.8.1.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
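Review bot: `chmod u+s $(DESTDIR)$(bindir)/lxc-user-nic` in install-exec-local sets the setuid bit without setting the owner, so the binary becomes setuid to whoever runs `make install`, which with a DESTDIR staging install is usually a build user rather than root, and the existing group and other permission bits are left as they happen to be. Suggest making owner and mode explicit in one step, or leaving the bit to distribution packaging, and putting it behind a configure switch so that it is opt-in until the audit asked for in this thread has happened.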
Re: [lxc-devel] [RFC 0/2] Enabling unprivileged containers
On Tue, Nov 05, 2013 at 02:12:58PM -0600, Serge Hallyn wrote:

With this patchset I am able to create and run ubuntu-cloud containers as non-root user. Note this requires an up-to-date ubuntu trusty host to get a userns-enabled kernel. The steps:

1. install uidmap

    sudo apt-get install uidmap

2. make sure to have a range of allocated subuids, i.e.

    sudo usermod -v 10-19 -w 10-19 serge

3. make sure to allocate some nics

    echo serge veth lxcbr0 2 | sudo tee -a /etc/lxc/lxc-usernet

4. set yourself up in cgroups which you own:

    for c in /sys/fs/cgroup/*; do
        sudo mkdir $c/serge
        sudo chown -R serge: $c/serge
        if [ `basename $c` = cpuset ]; then
            echo 0 > $c/serge/cpuset.cpus
            echo 0 > $c/serge/cpuset.mems
        fi
        echo $$ > $c/serge/tasks
    done

5. write a lxc.conf

    cat > ~/lxc.conf << EOF
    lxc.network.type = veth
    lxc.network.link = lxcbr0
    lxc.network.flags = up
    lxc.id_map = u 0 10 1
    lxc.id_map = g 0 10 1
    EOF

6. create an lxcpath for yourself

    mkdir /home/serge/lxcbase

7. you'll need to make lxc-user-nic setuid-root (as Makefile isn't doing that):

    sudo chmod u+s /usr/bin/lxc-user-nic

Why isn't the Makefile doing that?

Now create the container:

    lxc-create -P /home/serge/lxcbase -n a1 -f /home/serge/lxc.conf -t ubuntu-cloud -- -r saucy

and start it:

    lxc-start -P /home/serge/lxcbase -n a1

You can stop it or open a console:

    lxc-console -P /home/serge/lxcbase -n a1
    lxc-stop -P /home/serge/lxcbase -n a1 -k

You can't yet delete such a container very easily. (sudo and lxc-usernsexec being the obvious ways)

It's not complete, but it's a start and doesn't (AFAICS) adversely affect privileged use.

-serge

-- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [lxc-devel] [RFC 1/2] create_run_template: tell the template what caller's uid was mapped to
On Tue, Nov 05, 2013 at 02:14:33PM -0600, Serge Hallyn wrote: conf.c/conf.h: have replaced bool hostid_is_mapped() with int mapped_hostid() which returns the mapped uid for the caller's uid on the host, or -1 if none create_run_template: pass caller's uid into template. lxc-ubuntu-cloud: 1. accept --mapped-uid argument 2. don't write to devices cgroup - not allowed. 3. if running in userns, use $HOME/.cache 4. chown cached files to the uid to which our caller was mapped 5. ignore /dev when extracting rootfs in a userns Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com There is just one info statement that looks a bit off a bit below, but with that one dropped or properly indented: Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/conf.c| 6 +++--- src/lxc/conf.h| 2 +- src/lxc/lxccontainer.c| 38 ++ templates/lxc-ubuntu-cloud.in | 25 +++-- 4 files changed, 57 insertions(+), 14 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 2a47e77..afdaa14 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -2912,7 +2912,7 @@ uid_t get_mapped_rootid(struct lxc_conf *conf) return (uid_t)-1; } -bool hostid_is_mapped(int id, struct lxc_conf *conf) +int mapped_hostid(int id, struct lxc_conf *conf) { struct lxc_list *it; struct id_map *map; @@ -2921,9 +2921,9 @@ bool hostid_is_mapped(int id, struct lxc_conf *conf) if (map-idtype != ID_TYPE_UID) continue; if (id = map-hostid id map-hostid + map-range) - return true; + return (id - map-hostid) + map-nsid; } - return false; + return -1; } int find_unmapped_nsuid(struct lxc_conf *conf) diff --git a/src/lxc/conf.h b/src/lxc/conf.h index 71399b9..940d493 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h 
@@ -362,7 +362,7 @@ extern void lxc_rename_phys_nics_on_shutdown(struct lxc_conf *conf); extern uid_t get_mapped_rootid(struct lxc_conf *conf); extern int find_unmapped_nsuid(struct lxc_conf *conf); -extern bool hostid_is_mapped(int id, struct lxc_conf *conf); +extern int mapped_hostid(int id, struct lxc_conf *conf); extern int chown_mapped_root(char *path, struct lxc_conf *conf); extern int ttys_shift_ids(struct lxc_conf *c); #endif diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 946133d..594a96d 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -916,20 +916,28 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool quiet * If we're running the template in a mapped userns, then * we prepend the template command with: * lxc-usernsexec -m map1 ... -m mapn -- + * and we append --mapped-uid x, where x is the mapped uid + * for our geteuid() */ if (geteuid() != 0 !lxc_list_empty(conf-id_map)) { int n2args = 1; + char txtuid[20]; char **n2 = malloc(n2args * sizeof(*n2)); struct lxc_list *it; struct id_map *map; + if (!n2) { + SYSERROR(out of memory); + exit(1); + } newargv[0] = tpath; tpath = lxc-usernsexec; n2[0] = lxc-usernsexec; lxc_list_for_each(it, conf-id_map) { map = it-elem; n2args += 2; - n2 = realloc(n2, n2args * sizeof(*n2)); + n2 = realloc(n2, n2args * sizeof(char *)); +INFO(allocated %d items to n2, n2args); ^ what happened with indentation here? if (!n2) exit(1); n2[n2args-2] = -m; @@ -942,15 +950,15 @@ static bool create_run_template(struct lxc_container *c, char *tpath, bool quiet if (ret 0 || ret = 200) exit(1); } - bool hostid_mapped = hostid_is_mapped(geteuid(), conf); - int extraargs = hostid_mapped ? 1 : 3; - n2 = realloc(n2, (nargs + n2args + extraargs) * sizeof(*n2)); + int hostid_mapped = mapped_hostid(geteuid(), conf); + int extraargs = hostid_mapped = 0 ? 1 : 3; + n2 = realloc(n2, (nargs + n2args + extraargs) * sizeof(char *)); if (!n2) exit(1); - if (!hostid_mapped
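Review bot: mapped_hostid() in src/lxc/conf.c now returns an int and uses -1 for "not mapped", while it takes `int id` and returns `(id - map->hostid) + map->nsid`, so ids that do not fit in an int come out negative and cannot be told apart from the sentinel; get_mapped_rootid() right above it already returns `(uid_t)-1`. Suggest keeping the types as uid_t, for example a bool return with the mapped id in an out parameter, and sizing txtuid for an unsigned value. In create_run_template() the `n2 = realloc(n2, ...)` calls overwrite the only pointer to the old block; that is harmless while the next statement is exit(1), but a temporary keeps the code safe if the error path ever changes.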
Re: [lxc-devel] [PATCH] lua: add cmd_get_config_item to API
On Mon, Nov 04, 2013 at 05:35:07PM -0500, Dwight Engen wrote: Signed-off-by: Dwight Engen dwight.en...@oracle.com I first got pretty confused between get_config_item and cmd_get_config_item but once I got my brain to parse this all properly, it looks fine :) Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lua-lxc/core.c | 25 + src/lua-lxc/lxc.lua | 8 src/lua-lxc/test/apitest.lua | 7 +++ 3 files changed, 40 insertions(+) diff --git a/src/lua-lxc/core.c b/src/lua-lxc/core.c index ea19cc3..9492c07 100644 --- a/src/lua-lxc/core.c +++ b/src/lua-lxc/core.c @@ -30,6 +30,7 @@ #include unistd.h #include libgen.h #include lxc/lxccontainer.h +#include lxc/commands.h #if LUA_VERSION_NUM 502 #define luaL_newlib(L,l) (lua_newtable(L), luaL_register(L,NULL,l)) @@ -417,6 +418,29 @@ static int lxc_default_config_path_get(lua_State *L) { return 1; } +static int cmd_get_config_item(lua_State *L) +{ +int arg_cnt = lua_gettop(L); +const char *name = luaL_checkstring(L, 1); +const char *key = luaL_checkstring(L, 2); +const char *lxcpath = NULL; +char *value; + +if (arg_cnt 2) + lxcpath = luaL_checkstring(L, 3); + +value = lxc_cmd_get_config_item(name, key, lxcpath); +if (!value) + goto not_found; + +lua_pushstring(L, value); +return 1; + +not_found: +lua_pushnil(L); +return 1; +} + /* utility functions */ static int lxc_util_usleep(lua_State *L) { usleep((useconds_t)luaL_checkunsigned(L, 1)); @@ -432,6 +456,7 @@ static int lxc_util_dirname(lua_State *L) { static luaL_Reg lxc_lib_methods[] = { {version_get, lxc_version_get}, {default_config_path_get, lxc_default_config_path_get}, +{cmd_get_config_item, cmd_get_config_item}, {container_new,container_new}, {usleep, lxc_util_usleep}, {dirname, lxc_util_dirname}, diff --git a/src/lua-lxc/lxc.lua b/src/lua-lxc/lxc.lua index 265e991..44e4bf1 100755 --- a/src/lua-lxc/lxc.lua +++ b/src/lua-lxc/lxc.lua 
@@ -385,6 +385,14 @@ function M.default_config_path_get() return core.default_config_path_get() end +function M.cmd_get_config_item(name, item, lxcpath) +if (lxcpath) then + return core.cmd_get_config_item(name, item, lxcpath) +else + return core.cmd_get_config_item(name, item) +end +end + lxc_path = core.default_config_path_get() return M diff --git a/src/lua-lxc/test/apitest.lua b/src/lua-lxc/test/apitest.lua index f957ca4..f299b6a 100755 --- a/src/lua-lxc/test/apitest.lua +++ b/src/lua-lxc/test/apitest.lua @@ -217,6 +217,12 @@ function test_container_cgroup() assert(container:set_cgroup_item(memory.limit_in_bytes, -1)) end +function test_container_cmd() +log(0, Test get config from running container...) +veth_pair = lxc.cmd_get_config_item(optarg[n], lxc.network.0.veth.pair) +log(0, veth.pair:%s, veth_pair) +end + function test_config_items() log(0, Test set/clear configuration items...) 
@@ -325,6 +331,7 @@ test_container_start() test_container_started() test_container_cgroup() +test_container_cmd() test_container_freeze() test_container_frozen() -- 1.8.3.1 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
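Review bot: In the core.c hunk, value is a non-const char * returned by lxc_cmd_get_config_item() and is passed to lua_pushstring(), which copies the string, but nothing releases value afterwards. If the command API returns allocated memory, every call leaks it; a free(value) after the push would close that. The goto not_found label guards only two lines and would read more simply as an if/else.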
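Review bot: In the apitest.lua hunk, test_container_cmd() only logs veth_pair and never asserts on it, so a nil result from the not_found path in core.c still passes. Add an assert on the returned value, and declare veth_pair with local so the test does not leave a global behind.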
Re: [lxc-devel] [PATCH 2/2] add statistics to lxc-info
); + if (!regexp) { + fprintf(stderr, failed to allocate memory); + goto err1; + } + rc = snprintf(regexp, len, ^%s$, my_args.name); + if (rc 0 || rc = len) { + fprintf(stderr, Name too long); + goto err2; + } + + if (regcomp(preg, regexp, REG_NOSUB|REG_EXTENDED)) { + fprintf(stderr, failed to compile the regex '%s', my_args.name); + goto err2; + } + + printed = false; + ct_cnt = list_all_containers(my_args.lxcpath[0], ct_name); + if (ct_cnt 0) + goto err3; + + for (i = 0; i ct_cnt; i++) { + if (regexec(preg, ct_name[i], 0, NULL, 0) == 0) + { + if (printed) + printf(\n); + print_info(ct_name[i], my_args.lxcpath[0]); + printed = true; + } + free(ct_name[i]); + } + if (ct_name) + free(ct_name); + ret = EXIT_SUCCESS; + +err3: + regfree(preg); +err2: + free(regexp); +err1: + return ret; +} diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 89b45ed..f16c032 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -3206,3 +3206,50 @@ free_bad: process_unlock(); return -1; } + +int list_all_containers(const char *lxcpath, char ***names) +{ + int all_cnt, active_cnt, i, ret; + char **all_name; + char **active_name; + + all_cnt = list_defined_containers(lxcpath, all_name, NULL); + if (all_cnt 0) + return all_cnt; + + active_cnt = list_active_containers(lxcpath, active_name, NULL); + if (active_cnt 0) { + ret = active_cnt; + goto free_all; + } + + for (i = 0; i active_cnt; i++) { + if (!array_contains(all_name, active_name[i], all_cnt)) { + if (!add_to_array(all_name, active_name[i], all_cnt)) { + ret = -1; + goto free_active; + } + all_cnt++; + } + free(active_name[i]); + active_name[i] = NULL; + } + free(active_name); + + *names = all_name; + return all_cnt; + +free_active: + for (i = 0; i active_cnt; i++) { + if (active_name[i]) + free(active_name[i]); + } + free(active_name); + +free_all: + for (i = 0; i all_cnt; i++) { + free(all_name[i]); + } + free(all_name); + return ret; +} 
diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h index 762e1b0..d83202b 100644 --- a/src/lxc/lxccontainer.h +++ b/src/lxc/lxccontainer.h @@ -277,6 +277,8 @@ int list_defined_containers(const char *lxcpath, char ***names, struct lxc_conta */ int list_active_containers(const char *lxcpath, char ***names, struct lxc_container ***cret); +int list_all_containers(const char *lxcpath, char ***names); + #if 0 char ** lxc_get_valid_keys(); char ** lxc_get_valid_values(char *key); -- 1.8.3.1 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
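Review bot: In list_all_containers(), each active_name[i] is handed to add_to_array() and then freed unconditionally on the following line (`free(active_name[i]);`). Unless add_to_array() duplicates the string, all_name is left holding a freed pointer that the lxc-info loop later reads and frees again. Either duplicate on insert or skip the free for entries that were moved into all_name, and note the ownership rule in a comment.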
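Review bot: In the lxccontainer.h hunk, list_all_containers() is declared without a doc comment, while the declaration directly above it closes a comment block. Document the return value (count, negative on error) and that the caller owns and must free each name and the array itself.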
Re: [lxc-devel] [PATCH 1/1] resolve lxcpath and rcfile arguments
On Mon, Nov 04, 2013 at 02:44:44PM -0600, Serge Hallyn wrote: So we don't always have to give full paths. realpath(x,NULL) mallocs memory, but these paths shouldn't get called from the API so not freeing should be ok. What's the reason behind this change? Am I reading this right that this will only affect cases where -P is passed and that the default value won't be resolved? In any case, I suspect this change is incomplete since we also support -P in some of the python tools which wouldn't be resolved, leading to lxc-info and others to fail to find the container (if for example /var/lib/lxc is a symlink to say /data/containers). Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com --- src/lxc/arguments.c | 9 - src/lxc/lxc_execute.c | 10 +++--- src/lxc/lxc_start.c | 9 + 3 files changed, 24 insertions(+), 4 deletions(-) diff --git a/src/lxc/arguments.c b/src/lxc/arguments.c index adcf8fe..65b2284 100644 --- a/src/lxc/arguments.c +++ b/src/lxc/arguments.c @@ -155,6 +155,7 @@ See the %s man page for further information.\n\n, static int lxc_arguments_lxcpath_add(struct lxc_arguments *args, const char *lxcpath) { + char *resolved_path = NULL; if (args-lxcpath_additional != -1 args-lxcpath_cnt args-lxcpath_additional) { fprintf(stderr, This command only accepts %d -P,--lxcpath arguments\n, @@ -168,7 +169,13 @@ static int lxc_arguments_lxcpath_add(struct lxc_arguments *args, lxc_error(args, no memory); return -ENOMEM; } - args-lxcpath[args-lxcpath_cnt++] = lxcpath; + resolved_path = realpath(lxcpath, NULL); + if (!resolved_path) { + perror(realpath); + fprintf(stderr, Error resolving lxcpath %s, lxcpath); + return -1; + } + args-lxcpath[args-lxcpath_cnt++] = resolved_path; return 0; } diff --git a/src/lxc/lxc_execute.c b/src/lxc/lxc_execute.c index 6a54bf6..083b5db 100644 --- a/src/lxc/lxc_execute.c +++ b/src/lxc/lxc_execute.c 
@@ -105,9 +105,13 @@ int main(int argc, char *argv[]) return -1; /* rcfile is specified in the cli option */ - if (my_args.rcfile) - rcfile = (char *)my_args.rcfile; - else { + if (my_args.rcfile) { + rcfile = realpath((char *)my_args.rcfile, NULL); + if (!rcfile) { + SYSERROR(Failed to resolve file path: %s, my_args.rcfile); + return -1; + } + } else { int rc; rc = asprintf(rcfile, %s/%s/config, my_args.lxcpath[0], my_args.name); diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c index add2542..7eea26a 100644 --- a/src/lxc/lxc_start.c +++ b/src/lxc/lxc_start.c @@ -173,6 +173,15 @@ int main(int argc, char *argv[]) const char *lxcpath = my_args.lxcpath[0]; + if (my_args.rcfile) { + char *r = realpath(my_args.rcfile, NULL); + if (!r) { + SYSERROR(Failure resolving path: %s, my_args.rcfile); + exit(1); + } + my_args.rcfile = r; + } + /* * rcfile possibilities: * 1. rcfile from random path specified in cli option -- 1.8.1.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
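Review bot: In the arguments.c hunk, realpath() fails with ENOENT when the path does not exist, so a -P value naming a directory that has not been created yet is now rejected during argument parsing. If that is intended, say so in the commit message; otherwise fall back to the unresolved string. The failure branch also returns -1 and reports through perror plus an fprintf with no trailing newline, while the allocation failure just above it returns -ENOMEM through lxc_error(); use the same reporting and an errno-style return.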
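Review bot: In the lxc_execute.c and lxc_start.c hunks, the same resolve-or-fail step is written twice with different messages ("Failed to resolve file path" and "Failure resolving path") and different exits (return -1 from main and exit(1)). A small shared helper would keep the two tools in step and give one place to document that the resolved string is intentionally never freed.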
Re: [lxc-devel] [PATCH 1/2] fix cgpath test
On Tue, Oct 29, 2013 at 04:46:16PM -0400, Dwight Engen wrote: Commit 1ea59ad28 sets memory.use_hierarchy, which means that this test cannot use memory.swappiness as its dummy cgroup item to set/unset since writing to it with use_hierarchy set gets -EINVAL. Change test to use memory.soft_limit_in_bytes instead. Signed-off-by: Dwight Engen dwight.en...@oracle.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/tests/cgpath.c | 25 - 1 file changed, 8 insertions(+), 17 deletions(-) diff --git a/src/tests/cgpath.c b/src/tests/cgpath.c index 26a79c3..13986cf 100644 --- a/src/tests/cgpath.c +++ b/src/tests/cgpath.c @@ -74,8 +74,8 @@ static int test_running_container(const char *lxcpath, goto err3; } - /* test get/set value using memory.swappiness file */ - ret = lxc_cgroup_get(memory.swappiness, value, sizeof(value), + /* test get/set value using memory.soft_limit_in_bytes file */ + ret = lxc_cgroup_get(memory.soft_limit_in_bytes, value, sizeof(value), c-name, c-config_path); if (ret 0) { TSTERR(lxc_cgroup_get failed); 
@@ -83,39 +83,30 @@ static int test_running_container(const char *lxcpath, } strcpy(value_save, value); - ret = lxc_cgroup_set(memory.swappiness, 100, c-name, c-config_path); + ret = lxc_cgroup_set(memory.soft_limit_in_bytes, 512M, c-name, c-config_path); if (ret 0) { - TSTERR(lxc_cgroup_set_bypath failed); + TSTERR(lxc_cgroup_set failed %d %d, ret, errno); + getchar(); goto err3; } - ret = lxc_cgroup_get(memory.swappiness, value, sizeof(value), + ret = lxc_cgroup_get(memory.soft_limit_in_bytes, value, sizeof(value), c-name, c-config_path); if (ret 0) { TSTERR(lxc_cgroup_get failed); goto err3; } - if (strcmp(value, 100\n)) { + if (strcmp(value, 536870912\n)) { TSTERR(lxc_cgroup_set_bypath failed to set value %s, value); goto err3; } /* restore original value */ - ret = lxc_cgroup_set(memory.swappiness, value_save, + ret = lxc_cgroup_set(memory.soft_limit_in_bytes, value_save, c-name, c-config_path); if (ret 0) { TSTERR(lxc_cgroup_set failed); goto err3; } - ret = lxc_cgroup_get(memory.swappiness, value, sizeof(value), - c-name, c-config_path); - if (ret 0) { - TSTERR(lxc_cgroup_get failed); - goto err3; - } - if (strcmp(value, value_save)) { - TSTERR(lxc_cgroup_set failed to set value %s, value); - goto err3; - } cgabspath = lxc_cgroup_path_get(freezer, c-name, c-config_path); if (!cgabspath) { -- 1.8.3.1 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
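Review bot: In the second cgpath.c hunk, the lxc_cgroup_set failure branch now calls getchar() before `goto err3`, which looks like a debugging pause and will block an unattended test run waiting on stdin; drop it. The comparison branch below still reports "lxc_cgroup_set_bypath failed to set value" although the call is lxc_cgroup_set, and the hunk removes the read-back that verified the restored value, so a restore that silently does not take effect is no longer detected.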
Re: [lxc-devel] [PATCH] fix free() of args to startl
On Tue, Oct 29, 2013 at 02:38:00PM -0400, Dwight Engen wrote: Coverity 1076328 marked this as Use after free, which it isn't really, it's actually just free()ing the wrong 2nd, 3rd, etc... pointers. Test by passing two or more args to startl, without this change you get segfault when free()ing the second pointer/arg. Signed-off-by: Dwight Engen dwight.en...@oracle.com Confirmed the crash here with two lines of python :) Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxccontainer.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index f2f7240..9d537a6 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -641,9 +641,9 @@ static bool lxcapi_startl(struct lxc_container *c, int useinit, ...) out: if (inargs) { - char *arg; - for (arg = *inargs; arg; arg++) - free(arg); + char **arg; + for (arg = inargs; *arg; arg++) + free(*arg); free(inargs); } -- 1.8.3.1 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
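Review bot: In the lxcapi_startl hunk, the corrected loop `for (arg = inargs; *arg; arg++)` relies on inargs always ending in a NULL entry; a short comment at the loop stating that would help the next reader. The commit message describes a manual reproduction with two or more arguments; turning that into a test case would keep the wrong-pointer free from coming back.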
Re: [lxc-devel] [PATCH] coverity 1097618: check for NULL return from calloc before deref
On Tue, Oct 29, 2013 at 02:49:16PM -0400, Dwight Engen wrote: Signed-off-by: Dwight Engen dwight.en...@oracle.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/cgroup.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index cf1605a..6aa4495 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c @@ -1688,6 +1688,8 @@ char *cgroup_to_absolute_path(struct cgroup_mount_point *mp, const char *path, c len = strlen(mp-mount_point) + strlen(path) + (suffix ? strlen(suffix) : 0); buf = calloc(len + 1, 1); + if (!buf) + return NULL; rv = snprintf(buf, len + 1, %s%s%s, mp-mount_point, path, suffix ? suffix : ); if (rv len) { free(buf); -- 1.8.3.1 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
[lxc-devel] Videos from the container mini-summit at Linux Plumbers 2013
Hello, I remember quite a few of you asking whether the container mini-summit would be recorded and for those to be made available online. Well, this has now been done. We have videos for the following talks: == On the road to LXC 1.0 == Presented by: Stéphane Graber Video: http://www.youtube.com/watch?v=O7JrxIQRWCw == LXC and Android == Presented by: Stéphane Graber Video: http://www.youtube.com/watch?v=XZWy2g9YY30 == Let Me Contain That For You! == Presented by: Rohit Jnagal Video: http://www.youtube.com/watch?v=UdZOSQHFmss == State of CRIU (Checkpoint Restart In Userspace) and integration with LXC == Presented by: Pavel Emlianov Video: http://www.youtube.com/watch?v=d2DkDoz-Oh0 == Device namespace == Presented by: Amir Goldstein and Oren Laadan Video: http://www.youtube.com/watch?v=yGrTCMgBTOI == Fedora/systemd on LXC == Presented by: Michael H Warfield Video: http://www.youtube.com/watch?v=pLj5nvqU86I == Use Cases for Containers in OpenStack == Presented by: Daniel Salinas Video: http://www.youtube.com/watch?v=k0kyd0ozaYM == Containers control tools: can we unify those? == Presented by: Kirill Kolyshkin and Stéphane Graber Video: http://www.youtube.com/watch?v=ern3qWNKbD4 Some of the slides and extra information may also be found here: http://www.linuxplumbersconf.org/2013/ocw/events/LPC2013/tracks/153 Thanks to everyone who participated in this year's container mini-summit and looking forward to seeing you all at another edition! -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
Re: [lxc-devel] [PATCH 1/1] cgroup: set memory.use_hierarchy
On Fri, Oct 25, 2013 at 12:16:17AM -0500, Serge Hallyn wrote: But don't fail the container start if that fails. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/cgroup.c | 22 ++ 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index 5831e4e..cf1605a 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c @@ -81,7 +81,7 @@ static bool cgroup_devices_has_allow_or_deny(struct lxc_handler *h, char *v, boo static int do_setup_cgroup(struct lxc_handler *h, struct lxc_list *cgroup_settings, bool do_devices); static int cgroup_recursive_task_count(const char *cgroup_path); static int count_lines(const char *fn); -static int handle_clone_children(struct cgroup_mount_point *mp, char *cgroup_path); +static int handle_cgroup_settings(struct cgroup_mount_point *mp, char *cgroup_path); struct cgroup_meta_data *lxc_cgroup_load_meta() { @@ -718,7 +718,7 @@ extern struct cgroup_process_info *lxc_cgroup_create(const char *name, const cha if (lxc_string_in_array(ns, (const char **)h-subsystems)) continue; - if (handle_clone_children(mp, info_ptr-cgroup_path) 0) { + if (handle_cgroup_settings(mp, info_ptr-cgroup_path) 0) { ERROR(Could not set clone_children to 1 for cpuset hierarchy in parent cgroup.); goto out_initial_error; } @@ -838,7 +838,7 @@ extern struct cgroup_process_info *lxc_cgroup_create(const char *name, const cha /* if we didn't create the cgroup, then we have to make sure that * further cgroups will be created properly */ - if (handle_clone_children(mp, info_ptr-cgroup_path) 0) { + if (handle_cgroup_settings(mp, info_ptr-cgroup_path) 0) { ERROR(Could not set clone_children to 1 for cpuset hierarchy in pre-existing cgroup.); goto cleanup_from_error; } 
@@ -1939,9 +1939,23 @@ int count_lines(const char *fn) return n; } -int handle_clone_children(struct cgroup_mount_point *mp, char *cgroup_path) +int handle_cgroup_settings(struct cgroup_mount_point *mp, char *cgroup_path) { int r, saved_errno = 0; + + /* If this is the memory cgroup, we want to enforce hierarchy. + * But don't fail if for some reason we can't. + */ + if (lxc_string_in_array(memory, (const char **)mp-hierarchy-subsystems)) { + char *cc_path = cgroup_to_absolute_path(mp, cgroup_path, /memory.use_hierarchy); + if (cc_path) { + r = lxc_write_to_file(cc_path, 1, 1, false); + if (r 0) + SYSERROR(failed to set memory.use_hiararchy to 1; continuing); + free(cc_path); + } + } + /* if this is a cpuset hierarchy, we have to set cgroup.clone_children in * the base cgroup, otherwise containers will start with an empty cpuset.mems * and cpuset.cpus and then -- 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
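Review bot: In the handle_cgroup_settings() hunk, the SYSERROR text spells the file "memory.use_hiararchy"; it should match the path actually written, memory.use_hierarchy, so the message can be grepped. In the two lxc_cgroup_create hunks the call is renamed, but the ERROR strings still say "Could not set clone_children to 1 for cpuset hierarchy", which no longer describes everything the function does. A NULL cc_path is also skipped without any log line, which hides an allocation failure on the "continue anyway" path.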
[lxc-devel] [PATCH] lxc-ls: Rewrite nesting code to use the attach API
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc-ls | 32 +++- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/src/lxc/lxc-ls b/src/lxc/lxc-ls index cc0a1e7..9d45400 100644 --- a/src/lxc/lxc-ls +++ b/src/lxc/lxc-ls @@ -35,7 +35,7 @@ import json import lxc import os import re -import subprocess +import tempfile import sys _ = gettext.gettext @@ -89,17 +89,23 @@ def getTerminalSize(): def getSubContainers(container, lxcpath): -attach = ['lxc-attach', '-P', lxcpath, '-R', '-s', 'NETWORK|PID', - '-n', container, - '--', sys.argv[0], --nesting] - with open(os.devnull, w) as fd: -newenv = dict(os.environ) -newenv['NESTED'] = /proc/1/root/%s % lxc.default_config_path -sp = subprocess.Popen(attach, stderr=fd, stdout=subprocess.PIPE, - env=newenv, universal_newlines=True) -sp.wait() -out = sp.stdout.read() +fdnum, path = tempfile.mkstemp() +os.remove(path) + +fd = os.fdopen(fdnum) + +container.attach_wait( +lxc.attach_run_command, [sys.argv[0], --nesting], +attach_flags=(lxc.LXC_ATTACH_REMOUNT_PROC_SYS), +namespaces=(lxc.CLONE_NEWNET + lxc.CLONE_NEWPID), +extra_env_vars=[NESTED=/proc/1/root/%s % +lxc.default_config_path], +stdout=fd) + +fd.seek(0) +out = fd.read() +fd.close() if out: return json.loads(out) return None 
@@ -213,8 +219,8 @@ for container_name in lxc.list_containers(config_path=lxcpath): containers.append(entry) # Nested containers -if args.nesting: -sub = getSubContainers(container_name, args.lxcpath) +if args.nesting and container.state == RUNNING: +sub = getSubContainers(container, args.lxcpath) if sub: for entry in sub: if 'nesting_parent' not in entry: -- 1.8.3.2
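Review bot: In getSubContainers(), the temporary file object is closed only on the straight-line path; if attach_wait() or fd.read() raises, it stays open. tempfile.TemporaryFile(mode='w+') in a with block gives the same unlinked file and closes it on every path. The return value of attach_wait() is ignored, so a failed attach is indistinguishable from a container that has no nested containers, and the namespace flags are combined with + where | is the usual way to build a bit mask.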
Re: [lxc-devel] [PATCH 2/3] fix chowning of tty and console uids
On Wed, Oct 23, 2013 at 01:02:58AM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com It needs to be done from the handler, not the container, since the container may not have the rights. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com Changelog: Jul 22: remove hardcoded path for /bin/chown Jul 22: use new lxc-usernsexec Conflicts: src/lxc/lxccontainer.c --- src/lxc/conf.c | 126 +++-- src/lxc/conf.h | 6 +-- src/lxc/lxccontainer.c | 54 + src/lxc/start.c| 10 ++-- 4 files changed, 69 insertions(+), 127 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 3f7f0ef..bba6379 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -2858,7 +2858,7 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid) * return the host uid to which the container root is mapped, or -1 on * error */ -int get_mapped_rootid(struct lxc_conf *conf) +uid_t get_mapped_rootid(struct lxc_conf *conf) { struct lxc_list *it; struct id_map *map; @@ -2869,9 +2869,9 @@ int get_mapped_rootid(struct lxc_conf *conf) continue; if (map-nsid != 0) continue; - return map-hostid; + return (uid_t) map-hostid; } - return -1; + return (uid_t)-1; } bool hostid_is_mapped(int id, struct lxc_conf *conf) 
@@ -3020,89 +3020,81 @@ void lxc_delete_tty(struct lxc_tty_info *tty_info) } /* - * given a host uid, return the ns uid if it is mapped. - * if it is not mapped, return the original host id. + * chown_mapped_root: for an unprivileged user with uid X to chown a dir + * to subuid Y, he needs to run chown as root in a userns where + * nsid 0 is mapped to hostuid Y, and nsid Y is mapped to hostuid + * X. That way, the container root is privileged with respect to + * hostuid X, allowing him to do the chown. */ -static int shiftid(struct lxc_conf *c, int uid, enum idtype w) +int chown_mapped_root(char *path, struct lxc_conf *conf) { - struct lxc_list *iterator; - struct id_map *map; - int low, high; + uid_t rootid; + pid_t pid; - lxc_list_for_each(iterator, c-id_map) { - map = iterator-elem; - if (map-idtype != w) - continue; - - low = map-nsid; - high = map-nsid + map-range; - if (uid low || uid = high) - continue; - - return uid - low + map-hostid; + if ((rootid = get_mapped_rootid(conf)) = 0) { + ERROR(No mapping for container root); + return -1; } - - return uid; -} - -/* - * Take a pathname for a file created on the host, and map the uid and gid - * into the container if needed. 
(Used for ttys) - */ -static int uid_shift_file(char *path, struct lxc_conf *c) -{ - struct stat statbuf; - int newuid, newgid; - - if (stat(path, statbuf)) { - SYSERROR(stat(%s), path); + if (geteuid() == 0) { + if (chown(path, rootid, -1) 0) { + ERROR(Error chowning %s, path); + return -1; + } + return 0; + } + pid = fork(); + if (pid 0) { + SYSERROR(Failed forking); return -1; } + if (!pid) { + int hostuid = geteuid(), ret; + char map1[100], map2[100]; + char *args[] = {lxc-usernsexec, -m, map1, -m, map2, --, chown, + 0, path, NULL}; - newuid = shiftid(c, statbuf.st_uid, ID_TYPE_UID); - newgid = shiftid(c, statbuf.st_gid, ID_TYPE_GID); - if (newuid != statbuf.st_uid || newgid != statbuf.st_gid) { - DEBUG(chowning %s from %d:%d to %d:%d\n, path, (int)statbuf.st_uid, (int)statbuf.st_gid, newuid, newgid); - if (chown(path, newuid, newgid)) { - SYSERROR(chown(%s), path); + // b:0:rootid:1 + ret = snprintf(map1, 100, b:0:%d:1, rootid); + if (ret 0 || ret = 100) { + ERROR(Error uid printing map string); return -1; } + + // b:hostuid:hostuid:1 + ret = snprintf(map2, 100, b:%d:%d:1, hostuid, hostuid); + if (ret 0 || ret = 100) { + ERROR(Error uid printing map string); + return -1; + } + + ret = execvp(lxc-usernsexec, args); + SYSERROR(Failed executing usernsexec); + exit(1); } - return 0; + return wait_for_pid(pid); } -int uid_shift_ttys(int pid, struct lxc_conf *conf) +int ttys_shift_ids(struct lxc_conf *c) { - int i, ret; - struct lxc_tty_info
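Review bot: In chown_mapped_root(), rootid is a uid_t and get_mapped_rootid() now returns (uid_t)-1 on failure, but the check right after the call compares rootid with 0. No comparison against 0 matches (uid_t)-1, so the "No mapping for container root" branch cannot catch the failure value; compare against (uid_t)-1 explicitly. In the forked child, the two snprintf failure branches use return -1, which sends the child back into the caller's code path instead of ending it; use exit(1) there as the execvp failure path does. rootid is also formatted with %d although it is unsigned.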
Re: [lxc-devel] [PATCH 3/3] lxc-busybox: if in userns, don't try to mknod
On Wed, Oct 23, 2013 at 01:02:59AM +, Serge Hallyn wrote: From: Serge Hallyn serge.hal...@ubuntu.com Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com We really should be working on a shared set of functions all templates can source instead of re-inventing the wheel over and over again (thinking about config, fstab, architecture handling, locking, ...) Acked-by: Stéphane Graber stgra...@ubuntu.com --- templates/lxc-busybox.in | 44 +++- 1 file changed, 31 insertions(+), 13 deletions(-) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index cbdaaf3..7aa4130 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -20,6 +20,17 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +am_in_userns() { +[ -e /proc/self/uid_map ] || { echo no; return; } +[ $(wc -l /proc/self/uid_map | awk '{ print $1 }') -eq 1 ] || { echo yes; return; } +line=$(awk '{ print $1 $2 $3 }' /proc/self/uid_map) +[ $line = 0 0 4294967295 ] { echo no; return; } +echo yes +} + +in_userns=0 +[ $(am_in_userns) = yes ] in_userns=1 + install_busybox() { rootfs=$1 
@@ -55,19 +66,26 @@ $rootfs/usr/lib64 pushd $rootfs/dev /dev/null || return 1 # minimal devices needed for busybox -mknod tty c 5 0 || res=1 -mknod console c 5 1 || res=1 -chmod 666 tty console || res=1 -mknod tty0 c 4 0 || res=1 -mknod tty1 c 4 0 || res=1 -mknod tty5 c 4 0 || res=1 -chmod 666 tty0|| res=1 -mknod ram0 b 1 0 || res=1 -chmod 600 ram0|| res=1 -mknod null c 1 3 || res=1 -chmod 666 null|| res=1 -mknod urandom c 1 9 || res=1 -chmod 666 urandom || res=1 +if [ $in_userns -eq 1 ]; then +for dev in tty console tty0 tty1 tty5 ram0 null urandom; do +touch $rootfs/dev/$dev +echo /dev/$dev dev/$devnone bind 0 0 $path/fstab +done +else +mknod tty c 5 0 || res=1 +mknod console c 5 1 || res=1 +chmod 666 tty console || res=1 +mknod tty0 c 4 0 || res=1 +mknod tty1 c 4 0 || res=1 +mknod tty5 c 4 0 || res=1 +chmod 666 tty0|| res=1 +mknod ram0 b 1 0 || res=1 +chmod 600 ram0|| res=1 +mknod null c 1 3 || res=1 +chmod 666 null|| res=1 +mknod urandom c 1 9 || res=1 +chmod 666 urandom || res=1 +fi popd /dev/null -- 1.8.1.2 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. 
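Review bot: am_in_userns() needs a comment saying why a single uid_map line of 0 0 4294967295 means the initial namespace, and the comparison needs checking against what awk actually emits. As the function reads here, awk prints $1 $2 $3 with no separator while the string it is compared with has spaces, so the two only match if the fields are joined with spaces; if they are not, the function answers yes on an ordinary host and the template silently switches to bind mounts. The helper will be wanted by other templates as well, which makes it a candidate for the shared function file suggested in the ack.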
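Review bot: in the in_userns branch of install_busybox(), neither the touch nor the fstab append sets res=1 on failure, unlike every mknod and chmod in the else branch, so a rootfs with missing device placeholders is reported as a successful install. Add || res=1 to both commands. Two smaller points in the same loop: the code has already done pushd $rootfs/dev, so touch $dev would match the relative names the mknod branch uses and would not break when $rootfs is a relative path; and the loop binds the host's tty0, tty1, tty5 and ram0 into an unprivileged container, which is worth trimming to the nodes busybox really needs.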
Re: [lxc-devel] [PATCH 4/3] start: use lxc-user-nic if we are not root
On Wed, Oct 23, 2013 at 10:52:37AM -0500, Serge Hallyn wrote: Note this results in nics named things like 'lxcuser-0p'. We'll likely want to pass the requested name to lxc-user-nic, but let's do that in a separate patch. If we're not root, we can't create new network interfaces to pass into the container. Instead wait until the container is started, and call lxc-user-nic to create and assign the nics. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/conf.c | 39 +++ 1 file changed, 39 insertions(+) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index bba6379..75d6cbf 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -2687,6 +2687,10 @@ int lxc_create_network(struct lxc_handler *handler) struct lxc_list *network = handler-conf-network; struct lxc_list *iterator; struct lxc_netdev *netdev; + int am_root = (getuid() == 0); + + if (!am_root) + return 0; lxc_list_for_each(iterator, network) { 
@@ -2738,16 +2742,51 @@ void lxc_delete_network(struct lxc_handler *handler) } } +int unpriv_assign_nic(struct lxc_netdev *netdev, pid_t pid) +{ + pid_t child; + + if (netdev-type != LXC_NET_VETH) { + ERROR(nic type %d not support for unprivileged use, + netdev-type); + return -1; + } + + if ((child = fork()) 0) { + SYSERROR(fork); + return -1; + } + + if (child 0) + return wait_for_pid(child); + + // Call lxc-user-nic pid type bridge + char pidstr[20]; + char *args[] = { lxc-user-nic, pidstr, veth, netdev-link, NULL }; + snprintf(pidstr, 19, %lu, (unsigned long) pid); + pidstr[19] = '\0'; + execvp(lxc-user-nic, args); + SYSERROR(execvp lxc-user-nic); + exit(1); +} + int lxc_assign_network(struct lxc_list *network, pid_t pid) { struct lxc_list *iterator; struct lxc_netdev *netdev; + int am_root = (getuid() == 0); int err; lxc_list_for_each(iterator, network) { netdev = iterator-elem; + if (!am_root) { + if (unpriv_assign_nic(netdev, pid)) + return -1; + // TODO fill in netdev-ifindex and name + continue; + } /* empty network namespace, nothing to move */ if (!netdev-ifindex) continue; -- 1.8.3.2 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. 
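Review bot: in lxc_create_network(), the early return for non-root skips every entry in the network list without logging anything, while the later unprivileged path only accepts LXC_NET_VETH; a config with any other nic type passes this function and fails only after the container has started. Reject unsupported types here, or at least log that creation is deferred to lxc-user-nic. The am_root test is also repeated in lxc_assign_network() and uses getuid(), the real uid; one shared helper would keep the two decisions in step and make it a one-line change if geteuid() is what is meant.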
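Review bot: unpriv_assign_nic() puts netdev->link straight into the argv array without checking it for NULL; with no link configured the array ends one element early and lxc-user-nic is run with only the pid and the type. Check for a missing link next to the type check and return -1 with an error. In the child, exit(1) after a failed execvp runs the parent's atexit handlers and flushes the copied stdio buffers; _exit(1) is the safer call after fork. The TODO in lxc_assign_network() also leaves netdev->ifindex and the name unset for unprivileged nics, so anything that reads those fields later has to tolerate that until the follow-up lands.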
[lxc-devel] [PATCH] lxc-debian: Add hwaddr handling logic
Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- templates/lxc-debian.in | 7 +++ 1 file changed, 7 insertions(+) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 4dd4910..645fe8d 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -207,6 +207,13 @@ copy_configuration() hostname=$3 arch=$4 +# if there is exactly one veth network entry, make sure it has an +# associated hwaddr. +nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l` +if [ $nics -eq 1 ]; then +grep -q ^lxc.network.hwaddr $path/config || sed -i -e /^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//') $path/config +fi + grep -q ^lxc.rootfs $path/config 2/dev/null || echo lxc.rootfs = $rootfs $path/config cat EOF $path/config lxc.tty = 4 -- 1.8.3.2 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
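Review bot: in copy_configuration(), the hwaddr test is not tied to the veth entry: nics counts only veth lines, but the grep for lxc.network.hwaddr matches a hwaddr belonging to any network entry, so a config with one veth plus another nic type that already has a hwaddr leaves the veth without one. The generated value also depends on openssl being installed; if the command substitution yields nothing, the config gains a line ending in 00:16:3e: and no error is raised. Check the openssl result before running sed, and escape the dots in the hwaddr pattern the way the veth pattern already does.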
[lxc-devel] [PATCH] clang: Remaining changes
Those are a bit less obvious than those I pushed directly to master. All those changes were required to build LXC under clang here. With this, gcc can be replaced by clang to build LXC so long as you're not using the python3 binding (as python extensions can't be built under clang at the moment). For reference, the clang output for those is: http://paste.ubuntu.com/6292460/ Signed-off-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/caps.c | 2 +- src/lxc/commands.c | 4 ++-- src/lxc/conf.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/lxc/caps.c b/src/lxc/caps.c index bcbb859..89b87af 100644 --- a/src/lxc/caps.c +++ b/src/lxc/caps.c @@ -204,7 +204,7 @@ static int _real_caps_last_cap(void) buf[n] = '\0'; result = strtol(buf, ptr, 10); if (!ptr || (*ptr != '\0' *ptr != '\n') || - result == LONG_MIN || result == LONG_MAX) + result == INT_MIN || result == INT_MAX) result = -1; } diff --git a/src/lxc/commands.c b/src/lxc/commands.c index 33821dd..3e44ef3 100644 --- a/src/lxc/commands.c +++ b/src/lxc/commands.c @@ -109,7 +109,7 @@ static const char *lxc_cmd_str(lxc_cmd_t cmd) [LXC_CMD_GET_CONFIG_ITEM] = get_config_item, }; - if (cmd 0 || cmd = LXC_CMD_MAX) + if (cmd = LXC_CMD_MAX) return Unknown cmd; return cmdname[cmd]; } @@ -735,7 +735,7 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req, [LXC_CMD_GET_CONFIG_ITEM] = lxc_cmd_get_config_item_callback, }; - if (req-cmd 0 || req-cmd = LXC_CMD_MAX) { + if (req-cmd = LXC_CMD_MAX) { ERROR(bad cmd %d received, req-cmd); return -1; } diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 208c08b..0724e3f 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1948,7 +1948,7 @@ static int setup_caps(struct lxc_list *caps) * we don't */ capid = strtol(drop_entry, ptr, 10); if (!ptr || *ptr != '\0' || - capid == LONG_MIN || capid == LONG_MAX) + capid == INT_MIN || capid == INT_MAX) /* not a valid number */ capid = -1; else if (capid lxc_caps_last_cap()) 
@@ -2013,7 +2013,7 @@ static int dropcaps_except(struct lxc_list *caps) * we don't */ capid = strtol(keep_entry, ptr, 10); if (!ptr || *ptr != '\0' || - capid == LONG_MIN || capid == LONG_MAX) + capid == INT_MIN || capid == INT_MAX) /* not a valid number */ capid = -1; else if (capid lxc_caps_last_cap()) -- 1.8.3.2 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
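Review bot: in _real_caps_last_cap(), comparing result with INT_MIN and INT_MAX does not tell you whether strtol overflowed; strtol signals a range error through errno and returns LONG_MIN or LONG_MAX, and those values need not survive being stored in an int. Set errno to 0 before the call, test it afterwards, and bound the value explicitly. The same pattern is repeated in setup_caps() and dropcaps_except() in conf.c and wants the same treatment.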
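Review bot: in lxc_cmd_process(), req->cmd arrives over the command socket and indexes the callback table, and after this change the only guard left is the upper bound against LXC_CMD_MAX. That is safe only while lxc_cmd_t is an unsigned type, which is the compiler's choice for an enum and presumably why clang flagged the removed comparison. Make the assumption explicit, for example by comparing (unsigned int)req->cmd with LXC_CMD_MAX, so a negative value can never reach the array; the same applies to cmdname[cmd] in lxc_cmd_str().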
Re: [lxc-devel] [PATCH] apparmor: cache the are-we-enabled decision
On Wed, Oct 23, 2013 at 08:54:13PM -0500, Serge Hallyn wrote: Since we check /sys/kernel/security/ files when deciding whether apparmor is enabled, and that might not be mounted in the container, we cannot re-make the decision at apparmor_process_label_set() time. Luckily we don't have to - just cache the decision made at lsm_apparmor_drv_init(). Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lsm/apparmor.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c index cf8020d..aaf8056 100644 --- a/src/lxc/lsm/apparmor.c +++ b/src/lxc/lsm/apparmor.c @@ -32,6 +32,9 @@ lxc_log_define(lxc_apparmor, lxc); +/* set by lsm_apparmor_drv_init if true */ +static int aa_enabled = 0; + #define AA_DEF_PROFILE lxc-container-default #define AA_MOUNT_RESTR /sys/kernel/security/apparmor/features/mount/mask #define AA_ENABLED_FILE /sys/module/apparmor/parameters/enabled @@ -139,7 +142,7 @@ static int apparmor_am_unconfined(void) static int apparmor_process_label_set(const char *label, int use_default, int on_exec) { - if (!apparmor_enabled()) + if (!aa_enabled) return 0; if (!label) { 
@@ -181,5 +184,6 @@ struct lsm_drv *lsm_apparmor_drv_init(void) { if (!apparmor_enabled()) return NULL; + aa_enabled = 1; return apparmor_drv; } -- 1.8.1.2 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
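Review bot: apparmor_process_label_set() now returns 0 whenever aa_enabled is 0, and 0 is also the value the flag has before lsm_apparmor_drv_init() has run in this process, so "not initialised" and "AppArmor disabled" are indistinguishable and both skip the profile change while reporting success. If any path can reach the label-set call without the driver init having happened first, the container starts unconfined with nothing in the log. Initialise the flag to -1 and treat that as an error in apparmor_process_label_set(), or log there; the comment on the variable should also say that it exists because /sys/kernel/security may be absent inside the container.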
Re: [lxc-devel] [PATCH] clang: Remaining changes
On Wed, Oct 23, 2013 at 11:04:58PM -0500, Serge Hallyn wrote: Quoting Stéphane Graber (stgra...@ubuntu.com): Those are a bit less obvious than those I pushed directly to master. All those changes were required to build LXC under clang here. With this, gcc can be replaced by clang to build LXC so long as you're not using the python3 binding (as python extensions can't be built under clang at the moment). For reference, the clang output for those is: http://paste.ubuntu.com/6292460/ Signed-off-by: Stéphane Graber stgra...@ubuntu.com Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com One comment, --- src/lxc/caps.c | 2 +- src/lxc/commands.c | 4 ++-- src/lxc/conf.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/lxc/caps.c b/src/lxc/caps.c index bcbb859..89b87af 100644 --- a/src/lxc/caps.c +++ b/src/lxc/caps.c @@ -204,7 +204,7 @@ static int _real_caps_last_cap(void) buf[n] = '\0'; result = strtol(buf, ptr, 10); if (!ptr || (*ptr != '\0' *ptr != '\n') || - result == LONG_MIN || result == LONG_MAX) + result == INT_MIN || result == INT_MAX) Hi Stéphane, probably the original code was my fault, but this is weird. The check doesn't actually guarantee anything, so per the NOTES section in strtoul(3) man page I think we should set errno to 0 before the strtol call, and check errno afterward. Then drop these MIN/MAX checks here, leaving the 0 check below. Your patch wouldn't break anything so if you like we can just apply this and I'll push an update to do the above in the morning. Sounds good. I pushed my patch for now. result = -1; } diff --git a/src/lxc/commands.c b/src/lxc/commands.c index 33821dd..3e44ef3 100644 --- a/src/lxc/commands.c +++ b/src/lxc/commands.c @@ -109,7 +109,7 @@ static const char *lxc_cmd_str(lxc_cmd_t cmd) [LXC_CMD_GET_CONFIG_ITEM] = get_config_item, }; - if (cmd 0 || cmd = LXC_CMD_MAX) + if (cmd = LXC_CMD_MAX) return Unknown cmd; return cmdname[cmd]; } 
@@ -735,7 +735,7 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req, [LXC_CMD_GET_CONFIG_ITEM] = lxc_cmd_get_config_item_callback, }; - if (req-cmd 0 || req-cmd = LXC_CMD_MAX) { + if (req-cmd = LXC_CMD_MAX) { ERROR(bad cmd %d received, req-cmd); return -1; } diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 208c08b..0724e3f 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1948,7 +1948,7 @@ static int setup_caps(struct lxc_list *caps) * we don't */ capid = strtol(drop_entry, ptr, 10); if (!ptr || *ptr != '\0' || - capid == LONG_MIN || capid == LONG_MAX) + capid == INT_MIN || capid == INT_MAX) /* not a valid number */ capid = -1; else if (capid lxc_caps_last_cap()) 
@@ -2013,7 +2013,7 @@ static int dropcaps_except(struct lxc_list *caps) * we don't */ capid = strtol(keep_entry, ptr, 10); if (!ptr || *ptr != '\0' || - capid == LONG_MIN || capid == LONG_MAX) + capid == INT_MIN || capid == INT_MAX) /* not a valid number */ capid = -1; else if (capid lxc_caps_last_cap()) -- 1.8.3.2 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
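Serge's suggestion in the message above (clear errno before strtol, check it afterwards, drop the MIN/MAX comparisons) written out next to the sentinel style, as an added example that is not code from the LXC tree. `parse_cap_sentinel`, `parse_cap_checked` and `EXAMPLE_LAST_CAP` are hypothetical names, and the sketch assumes the converted value is stored in an `int`, as the INT_MIN/INT_MAX comparison implies.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the value lxc_caps_last_cap() would return. */
#define EXAMPLE_LAST_CAP 36

/*
 * Sentinel style, as in the hunks above: the converted value is stored in
 * an int (assumption) and compared with INT_MIN/INT_MAX.
 */
static int parse_cap_sentinel(const char *s)
{
	char *end = NULL;
	int capid = (int)strtol(s, &end, 10);	/* narrowing happens here */

	if (!end || *end != '\0' || capid == INT_MIN || capid == INT_MAX)
		return -1;
	if (capid < 0 || capid > EXAMPLE_LAST_CAP)
		return -1;
	return capid;
}

/*
 * errno style, as suggested in the reply: clear errno, convert into a long,
 * then check errno, the end pointer and the range explicitly.
 */
static int parse_cap_checked(const char *s)
{
	char *end = NULL;
	long v;

	if (!s || *s == '\0')
		return -1;		/* nothing to parse */

	errno = 0;
	v = strtol(s, &end, 10);
	if (errno != 0)
		return -1;		/* ERANGE: value does not fit in a long */
	if (end == s || *end != '\0')
		return -1;		/* no digits, or trailing junk */
	if (v < 0 || v > EXAMPLE_LAST_CAP)
		return -1;		/* outside the capability range */
	return (int)v;
}

int main(void)
{
	/* Constructed inputs: valid, empty, trailing junk, too wide, huge. */
	const char *samples[] = { "12", "", "12x", "4294967296",
				  "99999999999999999999999" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-26s sentinel=%d checked=%d\n", samples[i],
		       parse_cap_sentinel(samples[i]),
		       parse_cap_checked(samples[i]));
	return 0;
}
```

Where long is wider than int, the sentinel version returns 0 for both the empty string and 4294967296, so a malformed entry is read as capability 0; the errno version rejects both.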
Re: [lxc-devel] [PATCH] umount $rootfs/lib on errors as well otherwise system ends up with stalled mounts
On Tue, Oct 22, 2013 at 11:41:31AM -0500, Serge Hallyn wrote: Quoting S.Çağlar Onur (cag...@10ur.org): Hi Serge, Then there must be something else going on cause without this patch I find myself in the situation that I described earlier in this email [1] [1] http://sourceforge.net/mailarchive/message.php?msg_id=31539485 Oh - yeah - but it doesn't show up in /proc/self/mounts does it? What I think we actually need is: From db4e0250bb547f84032584a79dcd84f8ce361ef1 Mon Sep 17 00:00:00 2001 From: Serge Hallyn serge.hal...@ubuntu.com Date: Tue, 22 Oct 2013 11:34:46 -0500 Subject: [PATCH 1/1] lxc-busybox: don't copy temp mounts into mtab Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Yes, we should never write to mtab when in a separate mount namespace. Acked-by: Stéphane Graber stgra...@ubuntu.com --- templates/lxc-busybox.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index cbdaaf3..29dc36d 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in 
@@ -196,7 +196,7 @@ configure_busybox() cat EOF $CHPASSWD_FILE echo setting root password to \root\ -mount --bind /lib $rootfs/lib +mount -n --bind /lib $rootfs/lib if [ \$? -ne 0 ]; then echo Failed bind-mounting /lib at $rootfs/lib exit 1 -- 1.8.1.2 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
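Review bot: in the script written to $CHPASSWD_FILE, -n keeps the bind mount out of mtab, but the lines shown still only handle failure of the mount itself. Whatever unmounts $rootfs/lib later should run on every exit path after this point and should be called with -n too, so it does not try to edit mtab for an entry that was never written; a trap set right after the successful mount would cover both.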
Re: [lxc-devel] [PATCH] install lua module 0644 instead of 0755
On Tue, Oct 22, 2013 at 04:33:34PM -0400, Dwight Engen wrote: Fixes rpmlint error script-without-shebang. Checked other lua modules and none are installed with execute permission. Signed-off-by: Dwight Engen dwight.en...@oracle.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lua-lxc/Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lua-lxc/Makefile.am b/src/lua-lxc/Makefile.am index 11eabfd..7bbaf61 100644 --- a/src/lua-lxc/Makefile.am +++ b/src/lua-lxc/Makefile.am @@ -3,7 +3,7 @@ if ENABLE_LUA luadir=$(LUA_INSTALL_LMOD) sodir=$(LUA_INSTALL_CMOD)/lxc -lua_SCRIPTS=lxc.lua +lua_DATA=lxc.lua so_PROGRAMS = core.so -- 1.8.3.1 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] [PATCH] update rpm .spec file
On Tue, Oct 22, 2013 at 04:33:26PM -0400, Dwight Engen wrote:
The following changes were made to fix rpmlint warnings/errors
- use %global instead of %define http://fedoraproject.org/wiki/PackagingDrafts/global_preferred_over_define
- change Summary to match .deb
- update License
- do not mention the libcap dependency explicitly, rpm will fill it in
- fix Summary, Description for libs and devel packages
- pass -q to %setup
- add %post for libs to run ldconfig
- explicitly name lxc man paths so pkg doesn't own /usr/share/man
- mark /etc/lxc/default.conf as a config file
In addition, while I was here:
- split lua bits into separate lxc-lua package
- change Description to match .deb
- remove Version in changelog entries to follow http://fedoraproject.org/wiki/Packaging:Guidelines#Changelogs
Signed-off-by: Dwight Engen dwight.en...@oracle.com
Acked-by: Stéphane Graber stgra...@ubuntu.com
--- lxc.spec.in | 109 +++- 1 file changed, 63 insertions(+), 46 deletions(-) diff --git a/lxc.spec.in b/lxc.spec.in index a0f2c1a..f4bcd8c 100644 --- a/lxc.spec.in +++ b/lxc.spec.in 
@@ -20,59 +20,62 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +%global with_python %{?_with_python: 1} %{?!_with_python: 0} +%global with_lua %{?_with_lua: 1} %{?!_with_lua: 0} + Name: @PACKAGE@ Version: @VERSION@ Release: 1%{?dist} URL: http://linuxcontainers.org Source: http://linuxcontainers.org/downloads/%{name}-%{version}.tar.gz -Summary: %{name} : Linux Container +Summary: Linux Containers userspace tools Group: Applications/System -License: LGPL +License: LGPLv2+ BuildRoot: %{_tmppath}/%{name}-%{version}-build -Requires: libcap openssl rsync +Requires: openssl rsync BuildRequires: libcap libcap-devel docbook2X -%define with_python %{?_with_python: 1} %{?!_with_python: 0} %if %{with_python} Requires: python3 BuildRequires: python3-devel %endif -%define with_lua %{?_with_lua: 1} %{?!_with_lua: 0} -%if %{with_lua} -Requires: lua-filesystem -BuildRequires: lua-devel -%endif - %description - -The package %{name} provides the command lines to create and manage -containers. It contains a full featured container with the isolation -/ virtualization of the pids, the ipc, the utsname, the mount points, -/proc, /sys, the network and it takes into account the control groups. -It is very light, flexible, and provides a set of tools around the -container like the monitoring with asynchronous events notification, -or the freeze of the container. This package is useful to create -Virtual Private Server, or to run isolated applications like bash or -sshd. - -%packagelibs -Summary:runtime library files for %{name} -Group: System Environment/Libraries - -%descriptionlibs +Containers are insulated areas inside a system, which have their own namespace +for filesystem, network, PID, IPC, CPU and memory allocation and which can be +created using the Control Group and Namespace features included in the Linux +kernel. 
+ +This package provides the lxc-* tools, which can be used to start a single +daemon in a container, or to boot an entire containerized system, and to +manage and debug your containers. + +%package libs +Summary: Shared library files for %{name} +Group: System Environment/Libraries +%description libs The %{name}-libs package contains libraries for running %{name} applications. -%package devel -Summary: development library for %{name} -Group: Development/Libraries - -%description devel +%package devel +Summary: Development library for %{name} +Group: Development/Libraries +Requires:%{name} = %{version}-%{release}, pkgconfig +%description devel The %{name}-devel package contains header files and library needed for -development of the linux containers. +development of the Linux containers. + +%if %{with_lua} +%package lua +Summary: Lua bindings for %{name} +Group: System Environment/Libraries +Requires:lua-filesystem +BuildRequires: lua-devel +%description lua +The %{name}-lua package contains %{name} bindings for lua. +%endif %prep -%setup +%setup -q %build PATH=$PATH:/usr/sbin:/sbin %configure $args \ %if %{with_lua} @@ -93,6 +96,8 @@ find %{buildroot} -type f -name '*.la' -exec rm -f {} ';' rm -rf %{buildroot} %post +%post libs -p /sbin/ldconfig +%postun libs -p /sbin/ldconfig %files %defattr(-,root,root) @@ -106,25 +111,33 @@ rm -rf %{buildroot} %attr(4111,root,root) %{_bindir}/lxc-execute %attr(4111,root,root) %{_bindir}/lxc-checkpoint %attr(4111,root,root) %{_bindir}/lxc-restart -%{_mandir}/* +%{_mandir}/man1/lxc* +%{_mandir}/man5/lxc* +%{_mandir}/man7/lxc* +%{_mandir}/ja
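Review bot: in the %package devel section, the new Requires pins the base package (%{name} = %{version}-%{release}) rather than %{name}-libs, and the new lua subpackage has no versioned dependency on either; headers and bindings need the matching shared library, not the lxc-* tools. Point both at %{name}-libs with the same version and release.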
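Review bot: the %files hunk keeps lxc-execute, lxc-checkpoint and lxc-restart at %attr(4111,root,root), that is setuid root, as unchanged context. The commit message lists the packaging findings this patch addresses and these entries are not among them; confirm the setuid bits are still intended and say so in the message, or drop them in this clean-up.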
Re: [lxc-devel] [website][PATCH] Add section for Oracle Linux
On Mon, Oct 21, 2013 at 10:37:28AM -0400, Dwight Engen wrote: On Fri, 18 Oct 2013 17:24:27 -0400 Stéphane Graber stgra...@ubuntu.com wrote: Hey everyone, Just a quick e-mail to announce that http://linuxcontainers.org is now the official project website! I've setup a redirect from the old SourceForge hosted website, so hopefully everyone will end up on the right one. Anyone can help update the content by submitting patches against: https://github.com/lxc/lxc.github.io There's a bit of room for distros to put links to their packages and other useful resources, so far I've just listed Ubuntu as that's the one I know most, other maintainers, please send me a patch for your distro. Hi Stéphane, thanks for setting this up. Here is a small Oracle Linux section with some pertinent links. Acked-by: Stéphane Graber stgra...@ubuntu.com Applied, thanks! -- Signed-off-by: Dwight Engen dwight.en...@oracle.com --- index.html | 13 + 1 file changed, 13 insertions(+) diff --git a/index.html b/index.html index 756704f..0300fc1 100644 --- a/index.html +++ b/index.html 
@@ -99,6 +99,19 @@ git clone git://github.com/lxc/lxc /ul /p + h4Oracle/h4 + p + ul + lia href=http://public-yum.oracle.com; + LXC RPMs/a in Public-Yum [ol6_latest] channel/li + lia href=http://www.oracle.com/technetwork/server-storage/linux/downloads/playground-1937163.html; + Latest test/development LXC RPMs/a in Public-Yum + [ol6_playground_latest] channel/li + lia href=http://docs.oracle.com/cd/E37670_01/E37355/html/ol_containers.html; + Oracle Linux Administrator's Solutions Guide chapter about LXC/a/li + /ul + /p + h2How do I use it?/h2 pMore details are available in the individual manpages -- 1.8.3.1 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135031iu=/4140/ostg.clktrk___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] [lxc/lxc] 07520b: Update maintainers and URLs
On Sun, Oct 20, 2013 at 12:28:05PM +0200, Natanael Copa wrote:
> On Sat, 19 Oct 2013 21:49:03 -0700 GitHub nore...@github.com wrote:
> > Branch: refs/heads/master
> > Home: https://github.com/lxc/lxc
> > Commit: 07520b2af5495cbde94645d09b523de73047542d
>
> Would it be an idea to have a separate mailing list for git commits? I think the mailing list is painfully noisy.
>
> -nc

Not really. I need both patches and commits on the same mailing-list as I believe both Serge and my workflows involve keeping the threads locally until the commit to the branch at which point we flush the whole thread locally. Having to look at two mailing-lists would make that quite a bit harder and I'm sure we're not the only ones who like to see the actual git commit after some patch received enough acks (as we don't always commit them to git immediately).

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [lxc-devel] [lxc/lxc] 07520b: Update maintainers and URLs
On Mon, Oct 21, 2013 at 01:14:21PM -0500, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgra...@ubuntu.com):
> > On Sun, Oct 20, 2013 at 12:28:05PM +0200, Natanael Copa wrote:
> > > On Sat, 19 Oct 2013 21:49:03 -0700 GitHub nore...@github.com wrote:
> > > > Branch: refs/heads/master
> > > > Home: https://github.com/lxc/lxc
> > > > Commit: 07520b2af5495cbde94645d09b523de73047542d
> > >
> > > Would it be an idea to have a separate mailing list for git commits? I think the mailing list is painfully noisy.
> > >
> > > -nc
> >
> > Not really. I need both patches and commits on the same mailing-list as I believe both Serge and my workflows involve keeping the threads locally until the commit to the branch at which point we flush the whole thread locally. Having to look at two mailing-lists would make that quite a bit harder and I'm sure we're not the only ones who like to see the actual git commit after some patch received enough acks (as we don't always commit them to git immediately).
>
> Actually my complaint would be different - if I push two or more commits, only the last one gets an email. I think it would be good - informative for everyone - if *every* commit got an email. I really didn't think they've been noisy enough to even mention procmail.
>
> -serge

All commits are actually mentioned, but github merges them into a single e-mail per push which is indeed slightly annoying, sadly, there's no configuration that I could find to force one e-mail per commit...

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [lxc-devel] [PATCH RFC] get rid of '${lxcpath}_anon' idea
On Mon, Oct 21, 2013 at 06:44:03PM -0500, Serge Hallyn wrote: (RFC, but I suspect everyone is in full agreement) The idea was simply misguided. If you provide a custom configuration file, you still should be putting the command sock into the real lxcpath, not an 'anon' one. Signed-off-by: Serge Hallyn serge.hal...@ubuntu.com Acked-by: Stéphane Graber stgra...@ubuntu.com --- src/lxc/lxc_start.c | 9 +++-- 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c index a894513..2e3c3b3 100644 --- a/src/lxc/lxc_start.c +++ b/src/lxc/lxc_start.c @@ -153,7 +153,6 @@ int main(int argc, char *argv[]) }; FILE *pid_fp = NULL; struct lxc_container *c; - char *anonpath; lxc_list_init(defines); @@ -172,8 +171,8 @@ int main(int argc, char *argv[]) my_args.progname, my_args.quiet, my_args.lxcpath[0])) return err; - anonpath = alloca(strlen(LXCPATH) + 6); - sprintf(anonpath, %s_anon, LXCPATH); + const char *lxcpath = my_args.lxcpath[0]; + /* * rcfile possibilities: * 1. rcfile from random path specified in cli option @@ -183,7 +182,7 @@ int main(int argc, char *argv[]) /* rcfile is specified in the cli option */ if (my_args.rcfile) { rcfile = (char *)my_args.rcfile; - c = lxc_container_new(my_args.name, anonpath); + c = lxc_container_new(my_args.name, lxcpath); if (!c) { ERROR(Failed to create lxc_container); return err; @@ -195,7 +194,6 @@ int main(int argc, char *argv[]) } } else { int rc; - const char *lxcpath = my_args.lxcpath[0]; rc = asprintf(rcfile, %s/%s/config, lxcpath, my_args.name); if (rc == -1) { 
@@ -208,7 +206,6 @@ int main(int argc, char *argv[]) if (access(rcfile, F_OK)) { free(rcfile); rcfile = NULL; - lxcpath = anonpath; } c = lxc_container_new(my_args.name, lxcpath); if (!c) { -- 1.8.3.2 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60135991iu=/4140/ostg.clktrk___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
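Review bot: with anonpath gone, lxc_container_new() is called with the real lxcpath even when the config comes from an arbitrary rcfile or when no config exists under lxcpath for that name, so the command socket now shares one namespace with the defined containers. Check that starting from a custom rcfile under a name that already belongs to a running container in lxcpath fails cleanly instead of colliding on the socket, and mention the behaviour change in the commit message. The new lxcpath declaration also sits after executable statements in main(); moving it up with the other locals matches the rest of the function.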