Re: [lxc-devel] Bug#620921: Detecting a non-root container
On Apr 06, Daniel Lezcano wrote:
> I would not rely on that because lxc may evolve to not use the cgroup if
> not present.
>
> If you use upstart, you can check the 'container=lxc' env variable in
> the udev init script in order to know if you are in a container.
> Otherwise for sysvrc init, I don't know how to handle that.

If the container does not support handling uevents then /sys/kernel/uevent_helper should not exist. This is how openvz behaves.

--
ciao,
Marco

___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
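The two detection heuristics from this exchange (the `container=lxc` environment variable that upstart can look at, and the absence of /sys/kernel/uevent_helper that openvz relies on) combined into one check, as an added example that is not part of the thread or of LXC. The function takes the env value and the sysfs path as parameters so it can be exercised against a scratch directory, and it handles a case the message does not mention: when sysfs is not mounted at all, the missing file proves nothing.

```shell
#!/bin/sh
# Added example, not code from the lxc-devel thread or the LXC project.
# Combines the two heuristics discussed in the message above:
#   1. upstart-style: the environment variable container=lxc
#   2. openvz-style: no /sys/kernel/uevent_helper inside a container
# The second is an assumption about how the runtime presents sysfs; it
# only means something if sysfs is mounted here in the first place.

# classify CONTAINER_ENV UEVENT_HELPER_PATH
# Prints one of: lxc, container, host, unknown. Always exits 0.
classify() {
    container_env="$1"
    helper="$2"
    helper_dir=$(dirname "$helper")

    # The env var is the strongest signal: the runtime set it on purpose.
    if [ "$container_env" = "lxc" ]; then
        echo "lxc"
        return 0
    fi

    # If the directory that would hold the knob is missing, sysfs is not
    # mounted in this view and the absence of the file is not evidence.
    if [ ! -d "$helper_dir" ]; then
        echo "unknown"
        return 0
    fi

    # sysfs is mounted: a missing uevent_helper knob is the openvz-style
    # hint that uevents are not handled here, i.e. we are in a container.
    if [ ! -e "$helper" ]; then
        echo "container"
    else
        echo "host"
    fi
    return 0
}

# Real-world invocation: the 'container' env var and the real sysfs path.
classify "${container:-}" /sys/kernel/uevent_helper
```

Neither signal is authoritative on its own: the env var is only present for processes that inherit init's environment, and a runtime that chooses to expose uevent_helper would make the second test report "host". Treating the two as hints rather than proof is what the thread's own caveats suggest.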
[lxc-devel] [PATCH] namespace: check stack allocation for clone succeeds
--- src/lxc/namespace.c |7 ++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/src/lxc/namespace.c b/src/lxc/namespace.c index 8263fe7..5928eaa 100644 --- a/src/lxc/namespace.c +++ b/src/lxc/namespace.c @@ -67,9 +67,14 @@ pid_t lxc_clone(int (*fn)(void *), void *arg, int flags) }; long stack_size = sysconf(_SC_PAGESIZE); - void *stack = alloca(stack_size) + stack_size; + void *stack = alloca(stack_size); pid_t ret; + if (stack == NULL) + ERROR("failed to allocate memory"); + + stack += stack_size; + #ifdef __ia64__ ret = __clone2(do_clone, stack, stack_size, flags | SIGCHLD, &clone_arg); -- 1.7.0.4
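Review bot: the NULL check added after `void *stack = alloca(stack_size);` can never fire, because alloca(3) has no failure return; the GNU man page's "Notes on the GNU Version" and "BUGS" sections state that there is no error indication if the stack frame cannot be extended, so `if (stack == NULL)` is dead code. Even if it were reachable it is not a failure path: `ERROR("failed to allocate memory");` is not followed by a return, so `stack += stack_size;` and the clone run anyway, and the function's caller never learns anything went wrong. If a checkable allocation is the goal, the child stack has to come from an allocator that can actually fail (malloc or mmap), with an early return from lxc_clone on failure and a matching release; otherwise the original single line `void *stack = alloca(stack_size) + stack_size;` should stay as it was.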
Re: [lxc-devel] [PATCH] namespace: check stack allocation for clone succeeds
On Mon, 2011-04-11 at 12:42 -0400, Michael Santos wrote: > --- > src/lxc/namespace.c |7 ++- > 1 files changed, 6 insertions(+), 1 deletions(-) > > diff --git a/src/lxc/namespace.c b/src/lxc/namespace.c > index 8263fe7..5928eaa 100644 > --- a/src/lxc/namespace.c > +++ b/src/lxc/namespace.c > @@ -67,9 +67,14 @@ pid_t lxc_clone(int (*fn)(void *), void *arg, int flags) > }; > > long stack_size = sysconf(_SC_PAGESIZE); > - void *stack = alloca(stack_size) + stack_size; > + void *stack = alloca(stack_size); > pid_t ret; > > + if (stack == NULL) + ERROR("failed to allocate memory"); > + > + stack += stack_size; > +

Please see the man page, in particular "Notes on the GNU Version" and "BUGS", for why this patch doesn't really make sense.

http://www.kernel.org/doc/man-pages/online/pages/man3/alloca.3.html
Re: [lxc-devel] [PATCH] namespace: check stack allocation for clone succeeds
On Mon, Apr 11, 2011 at 12:42:49PM -0500, Nathan Lynch wrote: > On Mon, 2011-04-11 at 12:42 -0400, Michael Santos wrote: > > --- > > src/lxc/namespace.c |7 ++- > > 1 files changed, 6 insertions(+), 1 deletions(-) > > > > diff --git a/src/lxc/namespace.c b/src/lxc/namespace.c > > index 8263fe7..5928eaa 100644 > > --- a/src/lxc/namespace.c > > +++ b/src/lxc/namespace.c > > @@ -67,9 +67,14 @@ pid_t lxc_clone(int (*fn)(void *), void *arg, int flags) > > }; > > > > long stack_size = sysconf(_SC_PAGESIZE); > > - void *stack = alloca(stack_size) + stack_size; > > + void *stack = alloca(stack_size); > > pid_t ret; > > > > + if (stack == NULL) > > + ERROR("failed to allocate memory"); > > + > > + stack += stack_size; > > + > > Please see the man page, in particular "Notes on the GNU Version" and > "BUGS", for why this patch doesn't really make sense. > > http://www.kernel.org/doc/man-pages/online/pages/man3/alloca.3.html

And I was sure I checked the man page and it said NULL is returned :) Thank you for the correction!
Re: [lxc-devel] Status of usability of lxc
On Wed, 2011-04-06 at 08:08 -0500, Rob Landley wrote:
> On 04/06/2011 05:43 AM, Daniel Lezcano wrote:
> > On 03/22/2011 10:20 AM, Nathan McSween wrote:
> >> Can I get a quick rundown of what is implemented w.r.t UID/GID
> >> containerization, is it safe yet to give containerized root to an
> >> everyday user without huge security issues?
> >
> > Nope, it is not secure at all for a root user inside the container.
>
> Any idea what's missing?
>
> Rob

"echo b > /proc/sysrq-trigger" in a LXC container will force-reboot your host :)

There are some tricks that can be used to limit that issue but LXC will need proper isolation of /proc /sys (and others) before we can even think of giving root access to containers.

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
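A read-only audit of the exposure Stéphane describes, added here as an example that is not part of the thread or of LXC: it reports whether the /proc view seen by the calling process contains a writable sysrq-trigger and whether the host-wide kernel.sysrq mask would honour a write at all. The paths are parameters so the check can be run against a scratch directory; it only tests writability and reads the mask, and never writes to the trigger.

```shell
#!/bin/sh
# Added example, not code from the lxc-devel thread or the LXC project.
# Audits whether the /proc view a process sees would let it reach the
# host's SysRq handler. It tests writability with access(2) semantics
# (test -w) and reads the sysrq mask; it never writes to the trigger.

# sysrq_exposure TRIGGER_PATH SYSRQ_MASK_PATH
# Prints one of:
#   absent    - no sysrq-trigger in this /proc view (masked or isolated)
#   readonly  - present but not writable by this process
#   disabled  - writable, but kernel.sysrq is 0 so writes are ignored
#   exposed   - writable and the sysrq mask is non-zero
# Always exits 0; the classification is the result.
sysrq_exposure() {
    trigger="$1"
    mask_file="$2"

    # Best case: the container's /proc simply does not carry the file.
    if [ ! -e "$trigger" ]; then
        echo "absent"
        return 0
    fi

    # test -w follows access(2): for root, mode bits are bypassed, so a
    # "readonly" verdict for root can only come from a read-only mount,
    # which is the kind of mitigation the thread alludes to.
    if [ ! -w "$trigger" ]; then
        echo "readonly"
        return 0
    fi

    # The sysrq mask is a host-wide sysctl; 0 disables the handler
    # entirely, anything else enables some or all functions.
    mask=$(cat "$mask_file" 2>/dev/null || echo unknown)
    if [ "$mask" = "0" ]; then
        echo "disabled"
        return 0
    fi

    echo "exposed"
    return 0
}

# Real-world invocation: run inside the container as the uid in question.
sysrq_exposure /proc/sysrq-trigger /proc/sys/kernel/sysrq
```

Run as the container's root, "exposed" is the situation the message warns about; "absent" or "readonly" is what proper isolation of /proc (masking the file, or bind-mounting it read-only) would produce, and "disabled" depends on a host-wide setting that the container administrator may not control.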