The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2281

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
From d648e178f1b3fa9f261b890157d2ee6e9e5e14fa Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Sun, 15 Apr 2018 22:12:51 +0200
Subject: [PATCH 1/3] seccomp: cleanup compat architecture handling

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 src/lxc/seccomp.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 60118852d..6a4f474c8 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -789,24 +789,36 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                }
        }
 
+       INFO("Merging compat seccomp contexts into main context");
        if (compat_ctx[0]) {
-               INFO("Merging compat seccomp contexts into main context");
-               if (compat_arch[0] != native_arch && compat_arch[0] != 
seccomp_arch_native()) {
+               if ((compat_arch[0] != native_arch) &&
+                   (compat_arch[0] != seccomp_arch_native())) {
                        ret = seccomp_merge(conf->seccomp_ctx, compat_ctx[0]);
                        if (ret < 0) {
-                               ERROR("Failed to merge first compat seccomp 
context into main context");
+                               ERROR("Failed to merge first compat seccomp "
+                                     "context into main context");
                                goto bad;
                        }
                        TRACE("Merged first compat seccomp context into main 
context");
+               } else {
+                       seccomp_release(compat_ctx[0]);
+                       compat_ctx[0] = NULL;
                }
+       }
 
-               if (compat_arch[1] && compat_arch[1] != native_arch && 
compat_arch[1] != seccomp_arch_native()) {
+       if (compat_ctx[1]) {
+               if ((compat_arch[1] != native_arch) &&
+                   (compat_arch[1] != seccomp_arch_native())) {
                        ret = seccomp_merge(conf->seccomp_ctx, compat_ctx[1]);
                        if (ret < 0) {
-                               ERROR("Failed to merge first compat seccomp 
context into main context");
+                               ERROR("Failed to merge first compat seccomp "
+                                     "context into main context");
                                goto bad;
                        }
                        TRACE("Merged second compat seccomp context into main 
context");
+               } else {
+                       seccomp_release(compat_ctx[1]);
+                       compat_ctx[1] = NULL;
                }
        }
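Review bot: After a successful `seccomp_merge()` libseccomp has already released the source filter, but the success paths for `compat_ctx[0]` and `compat_ctx[1]` leave the pointers set; only the new `else` branches clear them. The `bad:` label is outside this hunk; if it releases every non-NULL `compat_ctx[i]`, a failed second merge after a successful first one would release `compat_ctx[0]` twice. I would add `compat_ctx[0] = NULL;` right after the first `TRACE(...)`, and `compat_ctx[1] = NULL;` after the second. Separately, the `ERROR` in the `compat_ctx[1]` block still says "first compat seccomp context" where it should say "second", and the hoisted `INFO("Merging compat seccomp contexts into main context")` is now logged even when neither compat context exists.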
 

From 94d56054143a8634852989819acee06bf4aaf9f9 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Sun, 15 Apr 2018 22:39:07 +0200
Subject: [PATCH 2/3] seccomp: improve logging

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 src/lxc/seccomp.c | 48 ++++++++++++++++++++++++++++++------------------
 1 file changed, 30 insertions(+), 18 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 6a4f474c8..084419772 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -759,33 +759,45 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
                if (cur_rule_arch == native_arch ||
                    cur_rule_arch == lxc_seccomp_arch_native ||
                    compat_arch[0] == SCMP_ARCH_NATIVE) {
-                       INFO("Adding native rule for %s action %d(%s)", line, 
rule.action,
-                            get_action_name(rule.action));
                        if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, 
conf->seccomp_ctx, &rule))
                                goto bad_rule;
-               }
-               else if (cur_rule_arch != lxc_seccomp_arch_all) {
-                       int arch_index =
-                               cur_rule_arch == lxc_seccomp_arch_mips64n32 ||
-                               cur_rule_arch == lxc_seccomp_arch_mipsel64n32 ? 
1 : 0;
-
-                       INFO("Adding compat-only rule for %s action %d(%s)", 
line, rule.action,
+                       INFO("Added native rule for arch %d for %s action 
%d(%s)",
+                            SCMP_ARCH_NATIVE, line, rule.action,
                             get_action_name(rule.action));
+               } else if (cur_rule_arch != lxc_seccomp_arch_all) {
+                       int arch_index = 0;
+
+                       if ((cur_rule_arch == lxc_seccomp_arch_mips64n32) ||
+                           (cur_rule_arch == lxc_seccomp_arch_mipsel64n32))
+                               arch_index = 1;
+
                        if (!do_resolve_add_rule(compat_arch[arch_index], line, 
compat_ctx[arch_index], &rule))
                                goto bad_rule;
-               }
-               else {
-                       INFO("Adding native rule for %s action %d(%s)", line, 
rule.action,
+                       INFO("Added compat-only rule for arch %d for %s action 
%d(%s)",
+                            compat_arch[arch_index], line, rule.action,
                             get_action_name(rule.action));
+               } else {
                        if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, 
conf->seccomp_ctx, &rule))
                                goto bad_rule;
-                       INFO("Adding compat rule for %s action %d(%s)", line, 
rule.action,
+                       INFO("Added native rule for arch %d for %s action 
%d(%s)",
+                            SCMP_ARCH_NATIVE, line, rule.action,
                             get_action_name(rule.action));
-                       if (!do_resolve_add_rule(compat_arch[0], line, 
compat_ctx[0], &rule))
-                               goto bad_rule;
-                       if (compat_arch[1] != SCMP_ARCH_NATIVE &&
-                               !do_resolve_add_rule(compat_arch[1], line, 
compat_ctx[1], &rule))
-                               goto bad_rule;
+
+                       if (compat_arch[0] != SCMP_ARCH_NATIVE) {
+                               if (!do_resolve_add_rule(compat_arch[0], line, 
compat_ctx[0], &rule))
+                                       goto bad_rule;
+                               INFO("Added compat rule for arch %d for %s "
+                                    "action %d(%s)", compat_arch[0], line,
+                                    rule.action, get_action_name(rule.action));
+                       }
+
+                       if (compat_arch[1] != SCMP_ARCH_NATIVE) {
+                               if (!do_resolve_add_rule(compat_arch[1], line, 
compat_ctx[1], &rule))
+                                       goto bad_rule;
+                               INFO("Added compat rule for arch %d for %s "
+                                    "action %d(%s)", compat_arch[1], line,
+                                    rule.action, get_action_name(rule.action));
+                       }
                }
        }
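Review bot: The new messages print the architecture with `%d`, which does not identify it reliably. In the two native branches the argument is the constant `SCMP_ARCH_NATIVE`, so every line logs the same value. In the compat branches, `compat_arch[]` presumably holds libseccomp architecture tokens (its declaration is outside the hunk), and any token with the top bit set would print as a negative number. I would log the token as hex, e.g. `"Added compat rule for arch %#x for %s action %d(%s)"`, or print an architecture name. Since `do_resolve_add_rule()` is not shown here, it is also worth confirming that it returns true only when a rule was actually installed; otherwise the past-tense "Added" overstates what the filter enforces for anyone auditing the log.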
 

From 4160ef02e5bbabbf4f3d0ab002aa8afba4f680a1 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brau...@ubuntu.com>
Date: Sun, 15 Apr 2018 22:42:43 +0200
Subject: [PATCH 3/3] tools: document -d/--daemonize for lxc-execute

Closes #2280.

Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
---
 doc/lxc-execute.sgml.in     | 15 +++++++++++++++
 src/lxc/tools/lxc_execute.c |  1 +
 2 files changed, 16 insertions(+)

diff --git a/doc/lxc-execute.sgml.in b/doc/lxc-execute.sgml.in
index 4ec7c1b94..20814348d 100644
--- a/doc/lxc-execute.sgml.in
+++ b/doc/lxc-execute.sgml.in
@@ -50,6 +50,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 
02110-1301 USA
     <cmdsynopsis>
       <command>lxc-execute</command>
       <arg choice="req">-n <replaceable>name</replaceable></arg>
+      <arg choice="opt">-d</arg>
       <arg choice="opt">-f <replaceable>config_file</replaceable></arg>
       <arg choice="opt">-s KEY=VAL</arg>
       <arg choice="opt">-- <replaceable>command</replaceable></arg>
@@ -124,6 +125,20 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, 
MA 02110-1301 USA
          </para>
        </listitem>
       </varlistentry>
+
+      <varlistentry>
+       <term>
+         <option>-d, --daemon</option>
+       </term>
+       <listitem>
+         <para>
+           Run the container as a daemon. As the container has no
+           more tty, if an error occurs nothing will be displayed,
+           the log file can be used to check the error.
+         </para>
+       </listitem>
+      </varlistentry>
+
       <varlistentry>
        <term><option>--</option></term>
        <listitem>
diff --git a/src/lxc/tools/lxc_execute.c b/src/lxc/tools/lxc_execute.c
index 5291dd7a3..5c03b498b 100644
--- a/src/lxc/tools/lxc_execute.c
+++ b/src/lxc/tools/lxc_execute.c
@@ -104,6 +104,7 @@ and execs COMMAND into this container.\n\
 \n\
 Options :\n\
   -n, --name=NAME      NAME of the container\n\
+  -d, --daemon         Daemonize the container\n\
   -f, --rcfile=FILE    Load configuration file FILE\n\
   -s, --define KEY=VAL Assign VAL to configuration variable KEY\n\
   -u, --uid=UID        Execute COMMAND with UID inside the container\n\