[lxc-devel] [PATCH v3 4/6] lxc-unshare: Move functions to determine clone flags from command line options to namespace.c

2012-05-24 Thread Christian Seiler
In order to be able to reuse code in lxc-attach, the functions
lxc_namespace_2_cloneflag and lxc_fill_namespace_flags are moved from
lxc_unshare.c to namespace.c.

Signed-off-by: Christian Seiler 
Cc: Daniel Lezcano 
Cc: Serge Hallyn 
---
 src/lxc/lxc_unshare.c |   45 -
 src/lxc/namespace.c   |   45 +
 src/lxc/namespace.h   |3 +++
 3 files changed, 48 insertions(+), 45 deletions(-)

diff --git a/src/lxc/lxc_unshare.c b/src/lxc/lxc_unshare.c
index 0baccb0..fda2ed8 100644
--- a/src/lxc/lxc_unshare.c
+++ b/src/lxc/lxc_unshare.c
@@ -85,51 +85,6 @@ static uid_t lookup_user(const char *optarg)
return uid;
 }
 
-static char *namespaces_list[] = {
-   "MOUNT", "PID", "UTSNAME", "IPC",
-   "USER", "NETWORK"
-};
-static int cloneflags_list[] = {
-   CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_NEWIPC,
-   CLONE_NEWUSER, CLONE_NEWNET
-};
-
-static int lxc_namespace_2_cloneflag(char *namespace)
-{
-   int i, len;
-   len = sizeof(namespaces_list)/sizeof(namespaces_list[0]);
-   for (i = 0; i < len; i++)
-   if (!strcmp(namespaces_list[i], namespace))
-   return cloneflags_list[i];
-
-   ERROR("invalid namespace name %s", namespace);
-   return -1;
-}
-
-static int lxc_fill_namespace_flags(char *flaglist, int *flags)
-{
-   char *token, *saveptr = NULL;
-   int aflag;
-
-   if (!flaglist) {
-   ERROR("need at least one namespace to unshare");
-   return -1;
-   }
-
-   token = strtok_r(flaglist, "|", &saveptr);
-   while (token) {
-
-   aflag = lxc_namespace_2_cloneflag(token);
-   if (aflag < 0)
-   return -1;
-
-   *flags |= aflag;
-
-   token = strtok_r(NULL, "|", &saveptr);
-   }
-   return 0;
-}
-
 
 struct start_arg {
char ***args;
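Review bot: the deleted definitions were static to lxc_unshare.c, and nothing in this diff adds `#include "namespace.h"` to that file; unless the header was already included for lxc_clone(), the remaining callers of lxc_fill_namespace_flags() in this file now build against an implicit declaration. The removal also leaves two consecutive blank lines before `struct start_arg`; drop one.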
diff --git a/src/lxc/namespace.c b/src/lxc/namespace.c
index 3e6fc3a..3fa027b 100644
--- a/src/lxc/namespace.c
+++ b/src/lxc/namespace.c
@@ -69,3 +69,48 @@ pid_t lxc_clone(int (*fn)(void *), void *arg, int flags)
 
return ret;
 }
+
+static char *namespaces_list[] = {
+   "MOUNT", "PID", "UTSNAME", "IPC",
+   "USER", "NETWORK"
+};
+static int cloneflags_list[] = {
+   CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_NEWIPC,
+   CLONE_NEWUSER, CLONE_NEWNET
+};
+
+int lxc_namespace_2_cloneflag(char *namespace)
+{
+   int i, len;
+   len = sizeof(namespaces_list)/sizeof(namespaces_list[0]);
+   for (i = 0; i < len; i++)
+   if (!strcmp(namespaces_list[i], namespace))
+   return cloneflags_list[i];
+
+   ERROR("invalid namespace name %s", namespace);
+   return -1;
+}
+
+int lxc_fill_namespace_flags(char *flaglist, int *flags)
+{
+   char *token, *saveptr = NULL;
+   int aflag;
+
+   if (!flaglist) {
+   ERROR("need at least one namespace to unshare");
+   return -1;
+   }
+
+   token = strtok_r(flaglist, "|", &saveptr);
+   while (token) {
+
+   aflag = lxc_namespace_2_cloneflag(token);
+   if (aflag < 0)
+   return -1;
+
+   *flags |= aflag;
+
+   token = strtok_r(NULL, "|", &saveptr);
+   }
+   return 0;
+}
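Review bot: the moved code calls strcmp()/strtok_r() and the ERROR() macro, but this hunk adds no `#include <string.h>` or `#include "log.h"` to namespace.c; check that the file already pulls them in. The message "need at least one namespace to unshare" now lives in shared code that lxc-attach will call with its -s list, so word it neutrally ("need at least one namespace"). Nothing writes the two tables, so they can be `static const char *const namespaces_list[]` and `static const int cloneflags_list[]`.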
diff --git a/src/lxc/namespace.h b/src/lxc/namespace.h
index 5442dd3..04e81bb 100644
--- a/src/lxc/namespace.h
+++ b/src/lxc/namespace.h
@@ -50,4 +50,7 @@
 
 extern pid_t lxc_clone(int (*fn)(void *), void *arg, int flags);
 
+extern int lxc_namespace_2_cloneflag(char *namespace);
+extern int lxc_fill_namespace_flags(char *flaglist, int *flags);
+
 #endif
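Review bot: lxc_namespace_2_cloneflag() only reads its argument, so declare it `const char *namespace`; lxc_fill_namespace_flags() has to keep `char *flaglist` because strtok_r() writes NULs into it, which deserves a comment in the header so callers do not pass a string literal or a buffer they still need.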
-- 
1.7.2.5



___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel


[lxc-devel] [PATCH v3 0/6] Partial namespaces for lxc-attach

2012-05-24 Thread Christian Seiler
Hi there,

this is my third (and hopefully final :)) patch series for partial
namespaces in lxc-attach. I've made the following changes to the previous
versions:

 - Split up the patches a tiny bit more, should make the changes a bit
   clearer.

 - I actually encountered a problem with pid namespaces that I introduced
   when I first added cgroup attaching support to lxc-attach: For pid
   namespaces, only the children of the process doing setns() are really
   100% in the namespace, so the process doing setns() won't get a new pid
   and if that process remounts /proc, it will still show the host's and not
   the container's contents. So I've changed it up a bit to make the setns()
   call again before the fork() - but then I had to adapt the cgroup logic.
   The current solution is the simplest I could come up with. This is the
   patch #2.

 - lxc-start now has a command interface (patch #1) that is used to retrieve
   the clone flags and to attach only to those namespaces when running
   lxc-attach without any parameters (patch #3)

Regards,
Christian




[lxc-devel] [PATCH v3 1/6] lxc-start: Add command to retrieve the clone flags used to start the container.

2012-05-24 Thread Christian Seiler
Add the LXC_COMMAND_CLONE_FLAGS that retrieves the flags passed to clone(2)
when the container was started. This allows external programs to determine
which namespaces the container was unshared from.

Signed-off-by: Christian Seiler 
Cc: Daniel Lezcano 
Cc: Serge Hallyn 
---
 src/lxc/commands.c |   30 ++
 src/lxc/commands.h |2 ++
 src/lxc/start.c|   34 --
 src/lxc/start.h|1 +
 4 files changed, 57 insertions(+), 10 deletions(-)

diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 1d488ae..3e551ee 100644
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -148,11 +148,32 @@ pid_t get_init_pid(const char *name)
return command.answer.pid;
 }
 
+int lxc_get_clone_flags(const char *name)
+{
+   struct lxc_command command = {
+   .request = { .type = LXC_COMMAND_CLONE_FLAGS },
+   };
+
+   int ret, stopped = 0;
+
+   ret = lxc_command(name, &command, &stopped);
+   if (ret < 0 && stopped)
+   return -1;
+
+   if (ret < 0) {
+   ERROR("failed to send command");
+   return -1;
+   }
+
+   return command.answer.ret;
+}
+
 extern void lxc_console_remove_fd(int, struct lxc_tty_info *);
 extern int  lxc_console_callback(int, struct lxc_request *, struct lxc_handler 
*);
 extern int  lxc_stop_callback(int, struct lxc_request *, struct lxc_handler *);
 extern int  lxc_state_callback(int, struct lxc_request *, struct lxc_handler 
*);
 extern int  lxc_pid_callback(int, struct lxc_request *, struct lxc_handler *);
+extern int  lxc_clone_flags_callback(int, struct lxc_request *, struct 
lxc_handler *);
 
 static int trigger_command(int fd, struct lxc_request *request,
   struct lxc_handler *handler)
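Review bot: in lxc_get_clone_flags(), the `ret < 0 && stopped` branch returns the same -1 as a transport failure, so a caller cannot tell "container is not running" from "command failed", and only the latter logs anything; either log the stopped case as well or return a distinct value. Since `answer.ret` carries a flag bitmask here rather than a status, a one-line comment that -1 is never a valid flag set (and is therefore safe as the error value) would help the next reader.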
@@ -160,10 +181,11 @@ static int trigger_command(int fd, struct lxc_request 
*request,
typedef int (*callback)(int, struct lxc_request *, struct lxc_handler 
*);
 
callback cb[LXC_COMMAND_MAX] = {
-   [LXC_COMMAND_TTY]   = lxc_console_callback,
-   [LXC_COMMAND_STOP]  = lxc_stop_callback,
-   [LXC_COMMAND_STATE] = lxc_state_callback,
-   [LXC_COMMAND_PID]   = lxc_pid_callback,
+   [LXC_COMMAND_TTY] = lxc_console_callback,
+   [LXC_COMMAND_STOP]= lxc_stop_callback,
+   [LXC_COMMAND_STATE]   = lxc_state_callback,
+   [LXC_COMMAND_PID] = lxc_pid_callback,
+   [LXC_COMMAND_CLONE_FLAGS] = lxc_clone_flags_callback,
};
 
if (request->type < 0 || request->type >= LXC_COMMAND_MAX)
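Review bot: the four `-`/`+` pairs for LXC_COMMAND_TTY through LXC_COMMAND_PID are whitespace-only realignment; only the `[LXC_COMMAND_CLONE_FLAGS] = lxc_clone_flags_callback,` line is a functional change. Keep the alignment churn out of the functional patch (or split it into a separate cleanup) so blame and backports stay clean.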
diff --git a/src/lxc/commands.h b/src/lxc/commands.h
index d5c013f..3b0ac9a 100644
--- a/src/lxc/commands.h
+++ b/src/lxc/commands.h
@@ -28,6 +28,7 @@ enum {
LXC_COMMAND_STOP,
LXC_COMMAND_STATE,
LXC_COMMAND_PID,
+   LXC_COMMAND_CLONE_FLAGS,
LXC_COMMAND_MAX,
 };
 
@@ -48,6 +49,7 @@ struct lxc_command {
 };
 
 extern pid_t get_init_pid(const char *name);
+extern int lxc_get_clone_flags(const char *name);
 
 extern int lxc_command(const char *name, struct lxc_command *command,
int *stopped);
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 920ff77..7e9913f 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -277,6 +277,29 @@ int lxc_pid_callback(int fd, struct lxc_request *request,
return 0;
 }
 
+int lxc_clone_flags_callback(int fd, struct lxc_request *request,
+struct lxc_handler *handler)
+{
+   struct lxc_answer answer;
+   int ret;
+
+   answer.pid = 0;
+   answer.ret = handler->clone_flags;
+
+   ret = send(fd, &answer, sizeof(answer), 0);
+   if (ret < 0) {
+   WARN("failed to send answer to the peer");
+   return -1;
+   }
+
+   if (ret != sizeof(answer)) {
+   ERROR("partial answer sent");
+   return -1;
+   }
+
+   return 0;
+}
+
 int lxc_set_state(const char *name, struct lxc_handler *handler, lxc_state_t 
state)
 {
handler->state = state;
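Review bot: `struct lxc_answer answer;` is sent over the socket as raw bytes by send(); initialise it with `= { 0 }` (or memset) so that padding or any field added later never carries uninitialised stack contents to the peer. A short comment that `answer.ret` is being reused to carry the clone flag bitmask, not a status, would make the protocol change explicit; `request` being unused matches the other callbacks.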
@@ -531,17 +554,16 @@ out_warn_father:
 
 int lxc_spawn(struct lxc_handler *handler)
 {
-   int clone_flags;
int failed_before_rename = 0;
const char *name = handler->name;
 
if (lxc_sync_init(handler))
return -1;
 
-   clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
+   handler->clone_flags = 
CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
if (!lxc_list_empty(&handler->conf->network)) {
 
-   clone_flags |= CLONE_NEWNET;
+   handler->clone_flags |= CLONE_NEWNET;
 
/* Find gateway addresses from the link device, which is
 * no longer accessible inside the container. Do this
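Review bot: `handler->clone_flags` is a new field, and no hunk visible here adds it to `struct lxc_handler`; the diffstat lists a one-line change to start.h, so confirm that is the declaration and that the field is set before the command socket can deliver an LXC_COMMAND_CLONE_FLAGS request, otherwise lxc_clone_flags_callback() answers with whatever the field held at allocation.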
@@ -564,7 +586,7 @@ int lxc_spawn(struct lxc_handler *handler)
}
 
/* Create a process in a new set of namespaces */
-   handler->pid = lxc

[lxc-devel] [PATCH v3 2/6] lxc-attach: Remodel cgroup attach logic and attach to namespaces again in parent process

2012-05-24 Thread Christian Seiler
With the introduction of lxc-attach's functionality to attach to cgroups,
the setns() calls were put in the child process after the fork() and not the
parent process before the fork() so the parent process remained outside the
namespaces and could add the child to the correct cgroup.

Unfortunately, the pid namespace really affects only children of the current
process and not the process itself, which has several drawbacks: The
attached program does not have a pid inside the container and the context
that is used when remounting /proc from that process is wrong. Thus, the
previous logic of first setting the namespaces and then forking so the child
process (which then exec()s to the desired program) is a real member of the
container.

However, inside the container, there is no guarantee that the cgroup
filesystem is still mounted and that we are allowed to write to it (which
is why the setns() was moved in the first place).

To work around both problems, we separate the cgroup attach functionality
into two parts: Preparing the attach process, which just opens the tasks
files of all cgroups and keeps the file descriptors open and the writing to
those fds part. This allows us to open all the tasks files in lxc_attach,
then call setns(), then fork, in the child process close them completely and
in the parent process just write the pid of the child process to all those
fds.

Signed-off-by: Christian Seiler 
Cc: Daniel Lezcano 
Cc: Serge Hallyn 
---
 src/lxc/cgroup.c |  152 -
 src/lxc/cgroup.h |3 +
 src/lxc/lxc_attach.c |   62 +++-
 3 files changed, 186 insertions(+), 31 deletions(-)

diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c
index e124499..f1461f4 100644
--- a/src/lxc/cgroup.c
+++ b/src/lxc/cgroup.c
@@ -254,13 +254,37 @@ static int cgroup_enable_clone_children(const char *path)
return ret;
 }
 
-static int lxc_one_cgroup_attach(const char *name,
-struct mntent *mntent, pid_t pid)
+static int lxc_one_cgroup_finish_attach(int fd, pid_t pid)
 {
-   FILE *f;
+   char buf[32];
+   int ret;
+
+   snprintf(buf, 32, "%ld", (long)pid);
+
+   ret = write(fd, buf, strlen(buf));
+   if (ret <= 0) {
+   SYSERROR("failed to write pid '%ld' to fd '%d'", (long)pid, fd);
+   ret = -1;
+   } else {
+   ret = 0;
+   }
+
+   close(fd);
+   return ret;
+}
+
+static int lxc_one_cgroup_dispose_attach(int fd)
+{
+   close(fd);
+   return 0;
+}
+
+static int lxc_one_cgroup_prepare_attach(const char *name, struct mntent 
*mntent)
+{
+   int fd;
char tasks[MAXPATHLEN], initcgroup[MAXPATHLEN];
char *cgmnt = mntent->mnt_dir;
-   int flags, ret = 0;
+   int flags;
 
flags = get_cgroup_flags(mntent);
 
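Review bot: lxc_one_cgroup_finish_attach() treats any positive return from write() as success; compare against `strlen(buf)` instead so a short write of the pid string is not silently accepted, and retry on EINTR. `ret` is an int receiving a ssize_t, fine for a 32-byte buffer but worth a cast. Since the descriptor is now opened in prepare and closed in finish, a comment that finish_attach always consumes the fd, on error as well as success, would make the ownership rule clear.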
@@ -269,31 +293,83 @@ static int lxc_one_cgroup_attach(const char *name,
 (flags & CGROUP_NS_CGROUP) ? "" : "/lxc",
 name);
 
-   f = fopen(tasks, "w");
-   if (!f) {
+   fd = open(tasks, O_WRONLY);
+   if (fd < 0) {
SYSERROR("failed to open '%s'", tasks);
return -1;
}
 
-   if (fprintf(f, "%d", pid) <= 0) {
-   SYSERROR("failed to write pid '%d' to '%s'", pid, tasks);
-   ret = -1;
+   return fd;
+}
+
+static int lxc_one_cgroup_attach(const char *name, struct mntent *mntent, 
pid_t pid)
+{
+   int fd;
+
+   fd = lxc_one_cgroup_prepare_attach(name, mntent);
+   if (fd < 0) {
+   return -1;
}
 
-   fclose(f);
+   return lxc_one_cgroup_finish_attach(fd, pid);
+}
+
+int lxc_cgroup_dispose_attach(void *data)
+{
+   int *fds = data;
+   int ret, err;
+
+   if (!fds) {
+   return 0;
+   }
+
+   ret = 0;
+
+   for (; *fds >= 0; fds++) {
+   err = lxc_one_cgroup_dispose_attach(*fds);
+   if (err) {
+   ret = err;
+   }
+   }
+
+   free(data);
 
return ret;
 }
 
-/*
- * for each mounted cgroup, attach a pid to the cgroup for the container
- */
-int lxc_cgroup_attach(const char *name, pid_t pid)
+int lxc_cgroup_finish_attach(void *data, pid_t pid)
+{
+   int *fds = data;
+   int err;
+
+   if (!fds) {
+   return 0;
+   }
+
+   for (; *fds >= 0; fds++) {
+   err = lxc_one_cgroup_finish_attach(*fds, pid);
+   if (err) {
+   /* get rid of the rest of them */
+   lxc_cgroup_dispose_attach(data);
+   return -1;
+   }
+   *fds = -1;
+   }
+
+   free(data);
+
+   return 0;
+}
+
+int lxc_cgroup_prepare_attach(const char *name, void **data)
 {
struct mntent *mntent;
FILE *file = NULL;
int err = -1;
int found = 0;
+   int *fds;
+   int i;
+   static const int MAXFDS 
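Review bot: the error path in lxc_cgroup_finish_attach() is wrong. lxc_one_cgroup_finish_attach() closes its fd on both success and failure, but `*fds = -1` is only written on success, and lxc_cgroup_dispose_attach() walks from the start of the array and stops at the first -1. If the first cgroup fails, dispose closes that already-closed fd a second time; if a later one fails, dispose sees `data[0] == -1`, stops immediately, and every remaining fd leaks. Set `*fds = -1` before testing `err`, and have the cleanup close from the current position (pass `fds` rather than `data`, freeing `data` separately) or skip -1 entries instead of stopping at them.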

[lxc-devel] [PATCH v3 3/6] lxc-attach: Detect which namespaces to attach to dynamically

2012-05-24 Thread Christian Seiler
Use the command interface to contact lxc-start to receive the set of
flags passed to clone() when starting the container. This allows lxc-attach
to determine which namespaces were used for the container and select only
those to attach to.

Signed-off-by: Christian Seiler 
Cc: Daniel Lezcano 
Cc: Serge Hallyn 
---
 src/lxc/attach.c |   42 +-
 src/lxc/attach.h |2 +-
 src/lxc/lxc_attach.c |   16 +++-
 3 files changed, 53 insertions(+), 7 deletions(-)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index a95b3d3..37e667f 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -121,13 +121,22 @@ out_error:
return NULL;
 }
 
-int lxc_attach_to_ns(pid_t pid)
+int lxc_attach_to_ns(pid_t pid, int which)
 {
char path[MAXPATHLEN];
-   char *ns[] = { "pid", "mnt", "net", "ipc", "uts" };
-   const int size = sizeof(ns) / sizeof(char *);
+   /* according to 
,
+* the file for user namepsaces in /proc/$pid/ns will be called
+* 'user' once the kernel supports it
+*/
+   static char *ns[] = { "mnt", "pid", "uts", "ipc", "user", "net" };
+   static int flags[] = {
+   CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_NEWIPC,
+   CLONE_NEWUSER, CLONE_NEWNET
+   };
+   static const int size = sizeof(ns) / sizeof(char *);
int fd[size];
-   int i;
+   int i, j, saved_errno;
+
 
snprintf(path, MAXPATHLEN, "/proc/%d/ns", pid);
if (access(path, X_OK)) {
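Review bot: the new comment misspells "namepsaces", and its `according to ,` has lost the URL it refers to; make sure the link survives in the committed version. The parallel ns[]/flags[] arrays duplicate the MOUNT/PID/... tables that patch 4/6 just moved into namespace.c; one shared table holding option name, /proc/$pid/ns file name and flag would prevent the two copies from drifting. `static const int size` is not an integer constant expression in C, so `int fd[size]` is a VLA; an enum or `#define` is cleaner.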
@@ -136,16 +145,39 @@ int lxc_attach_to_ns(pid_t pid)
}
 
for (i = 0; i < size; i++) {
+   /* ignore if we are not supposed to attach to that
+* namespace
+*/
+   if (which != -1 && !(which & flags[i])) {
+   fd[i] = -1;
+   continue;
+   }
+
snprintf(path, MAXPATHLEN, "/proc/%d/ns/%s", pid, ns[i]);
fd[i] = open(path, O_RDONLY);
if (fd[i] < 0) {
+   saved_errno = errno;
+
+   /* close all already opened file descriptors before
+* we return an error, so we don't leak them
+*/
+   for (j = 0; j < i; j++)
+   close(fd[j]);
+
+   errno = saved_errno;
SYSERROR("failed to open '%s'", path);
return -1;
}
}
 
for (i = 0; i < size; i++) {
-   if (setns(fd[i], 0)) {
+   if (fd[i] >= 0 && setns(fd[i], 0) != 0) {
+   saved_errno = errno;
+
+   for (j = i; j < size; j++)
+   close(fd[j]);
+
+   errno = saved_errno;
SYSERROR("failed to set namespace '%s'", ns[i]);
return -1;
}
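Review bot: both cleanup loops call close() on entries that were set to -1 for skipped namespaces (the first on `fd[j]` for j < i, the second on `fd[j]` for j >= i); harmless, but it produces EBADF noise and hides real close() failures, so guard with `if (fd[j] >= 0)`. On a setns() failure the second loop leaves fd[0..i-1] untouched; if those are closed after the loop in unchanged code, say so in a comment, otherwise they leak.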
diff --git a/src/lxc/attach.h b/src/lxc/attach.h
index 2d46c83..d96fdae 100644
--- a/src/lxc/attach.h
+++ b/src/lxc/attach.h
@@ -33,7 +33,7 @@ struct lxc_proc_context_info {
 
 extern struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid);
 
-extern int lxc_attach_to_ns(pid_t other_pid);
+extern int lxc_attach_to_ns(pid_t other_pid, int which);
 extern int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx);
 
 #endif
diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c
index e4f604b..10d4a64 100644
--- a/src/lxc/lxc_attach.c
+++ b/src/lxc/lxc_attach.c
@@ -51,6 +51,7 @@ static const struct option my_longopts[] = {
 
 static int elevated_privileges = 0;
 static signed long new_personality = -1;
+static int namespace_flags = -1;
 
 static int my_parser(struct lxc_arguments* args, int c, char* arg)
 {
@@ -139,11 +140,24 @@ int main(int argc, char *argv[])
 
curdir = get_current_dir_name();
 
+   /* determine which namespaces the container was created with
+* by asking lxc-start
+*/
+   if (namespace_flags == -1) {
+   namespace_flags = lxc_get_clone_flags(my_args.name);
+   /* call failed */
+   if (namespace_flags == -1) {
+   ERROR("failed to automatically determine the "
+ "namespaces which the container unshared");
+   return -1;
+   }
+   }
+
/* we need to attach before we fork since certain namespaces
 * (such as pid namespaces) only really affect children of the
 * current process and not the process itself
 */
-   ret = lxc_attach_to_ns(init_pid);
+   ret = lxc_attach_to_ns(init_pid, namespace_flags);
if (ret < 0) {
ERROR("failed to enter the namespace");
return -1;
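Review bot: `namespace_flags == -1` doubles as "not given on the command line" and as the error return of lxc_get_clone_flags(), and that function (patch 1/6) also returns -1 when the container is simply stopped; the message "failed to automatically determine the namespaces which the container unshared" then hides the most likely cause, that the container is not running. A separate "was -s given" flag and a clearer message for the stopped case would help.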
-- 
1.7.2.5
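As an added example (not code from these patches), the namespace-list format that lxc_fill_namespace_flags() parses in patch 4/6 and the flag-driven selection that lxc_attach_to_ns() performs in patch 3/6, served by one table. The function names parse_namespace_flags, select_ns_files and nth_selected and the fallback flag values are this example's own; unlike the strtok_r() version it does not modify its input and rejects empty tokens.

```c
/* Added example, not LXC code: parse an lxc-unshare/lxc-attach style
 * namespace list ("NETWORK|IPC") into clone(2) flags, and map a flag set
 * back to the /proc/$pid/ns entries that lxc_attach_to_ns() would open. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sched.h>
#include <string.h>

/* Fallback to the Linux values if <sched.h> did not expose CLONE_NEW*. */
#ifndef CLONE_NEWNET
#define CLONE_NEWNS   0x00020000
#define CLONE_NEWUTS  0x04000000
#define CLONE_NEWIPC  0x08000000
#define CLONE_NEWUSER 0x10000000
#define CLONE_NEWPID  0x20000000
#define CLONE_NEWNET  0x40000000
#endif

struct ns_entry {
    const char *option_name; /* token accepted by -s */
    const char *proc_name;   /* file name under /proc/$pid/ns */
    int flag;                /* clone(2) flag */
};

/* One table for both directions, same order as namespace.c and attach.c. */
static const struct ns_entry ns_table[] = {
    { "MOUNT",   "mnt",  CLONE_NEWNS   },
    { "PID",     "pid",  CLONE_NEWPID  },
    { "UTSNAME", "uts",  CLONE_NEWUTS  },
    { "IPC",     "ipc",  CLONE_NEWIPC  },
    { "USER",    "user", CLONE_NEWUSER },
    { "NETWORK", "net",  CLONE_NEWNET  },
};
#define NS_COUNT ((int)(sizeof(ns_table) / sizeof(ns_table[0])))

/* Exact-length lookup so "PIDX" does not match "PID"; -1 if unknown. */
static int ns_name_to_flag(const char *tok, size_t len)
{
    int i;

    for (i = 0; i < NS_COUNT; i++)
        if (strlen(ns_table[i].option_name) == len &&
            memcmp(ns_table[i].option_name, tok, len) == 0)
            return ns_table[i].flag;
    return -1;
}

/* Parse "A|B|C" into a flag set without writing to the input (strtok_r()
 * in the patch overwrites the '|' separators). Returns -1, which is never
 * a valid flag set, for NULL/empty input, empty tokens ("A||B", a
 * trailing '|') and unknown names. */
int parse_namespace_flags(const char *list)
{
    const char *p = list;
    int acc = 0;

    if (!list || !*list)
        return -1;                      /* need at least one namespace */

    for (;;) {
        const char *sep = strchr(p, '|');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        int f;

        if (len == 0)
            return -1;                  /* empty token */
        f = ns_name_to_flag(p, len);
        if (f < 0)
            return -1;                  /* unknown namespace name */
        acc |= f;
        if (!sep)
            break;
        p = sep + 1;
    }
    return acc;
}

/* Mirror the selection in lxc_attach_to_ns(): which == -1 means every
 * namespace, otherwise only those whose flag is set. Fills names[] in
 * table order and returns the count. */
int select_ns_files(int which, const char *names[], int max)
{
    int i, n = 0;

    for (i = 0; i < NS_COUNT && n < max; i++) {
        if (which != -1 && !(which & ns_table[i].flag))
            continue;
        names[n++] = ns_table[i].proc_name;
    }
    return n;
}

/* The idx-th /proc/$pid/ns entry selected for `which`, or NULL. */
const char *nth_selected(int which, int idx)
{
    const char *names[NS_COUNT];
    int n = select_ns_files(which, names, NS_COUNT);

    return (idx >= 0 && idx < n) ? names[idx] : NULL;
}
```

Calling `parse_namespace_flags("NETWORK|IPC")` yields CLONE_NEWNET|CLONE_NEWIPC, and `select_ns_files` on that value lists only "ipc" and "net", which is the set of /proc/$pid/ns files a NETWORK|IPC attach opens.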



[lxc-devel] [PATCH v3 5/6] lxc-attach: Add -s option to select namespaces to attach to

2012-05-24 Thread Christian Seiler
This patch allows the user to select any list of namespaces (network, pid,
mount, uts, ipc, user) that lxc-attach should use when attaching to the
container; all other namespaces will not be attached to.

This allows the user to for example attach to just the network namespace and
use the host's (and not the container's) network tools to reconfigure the
network of the container.

Signed-off-by: Christian Seiler 
Cc: Daniel Lezcano 
Cc: Serge Hallyn 
---
 doc/lxc-attach.sgml.in |   98 +--
 src/lxc/lxc_attach.c   |   20 +-
 2 files changed, 112 insertions(+), 6 deletions(-)

diff --git a/doc/lxc-attach.sgml.in b/doc/lxc-attach.sgml.in
index 7092f16..035cd27 100644
--- a/doc/lxc-attach.sgml.in
+++ b/doc/lxc-attach.sgml.in
@@ -49,7 +49,8 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
02111-1307 USA
   
 lxc-attach -n
 name -a
-arch -e
+arch -e -s
+namespaces
 -- command
   
 
@@ -122,6 +123,29 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
02111-1307 USA

   
 
+  
+   
+ -s, --namespaces 
namespaces
+   
+   
+ 
+   Specify the namespaces to attach to, as a pipe-separated liste,
+   e.g. NETWORK|IPC. Allowed values are
+   MOUNT, PID,
+   UTSNAME, IPC,
+   USER  and
+   NETWORK. This allows one to change
+   the context of the process to e.g. the network namespace of the
+   container while retaining the other namespaces as those of the
+   host.
+ 
+ 
+   Important: This option implies
+   -e.
+ 
+   
+  
+
 
 
   
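Review bot: typos in the new option text: "liste" should be "list", and "USER  and" has a double space. "This option implies -e" deserves a short reason, since -e is the privilege-elevating option and a reader who picks -s for a narrow attach such as NETWORK should understand why the process also runs with elevated capabilities.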
@@ -144,19 +168,83 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
02111-1307 USA
   
   
 To deactivate the network link eth1 of a running container that
-does not have the NET_ADMIN capability, use the -e
-option to use increased capabilities:
+does not have the NET_ADMIN capability, use either the
+-e option to use increased capabilities,
+assuming the ip tool is installed:
 
   lxc-attach -n container -e -- /sbin/ip link delete eth1
 
+Or, alternatively, use the -s to use the
+tools installed on the host outside the container:
+
+  lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
+
   
   
 
   
+Compatibility
+
+  Attaching completely (including the pid and mount namespaces) to a
+  container requires a patched kernel, please see the lxc website for
+  details. lxc-attach will fail in that case if
+  used with an unpatched kernel.
+
+
+  Nevertheless, it will succeed on an unpatched kernel of version 3.0
+  or higher if the -s option is used to restrict the
+  namespaces that the process is to be attached to to one or more of 
+  NETWORK, IPC
+  and UTSNAME.
+
+
+  Attaching to user namespaces is currently completely unsupported
+  by the kernel. lxc-attach should however be able
+  to do this once once future kernel versions implement this.
+
+  
+
+  
+Notes
+
+  The Linux /proc and
+  /sys filesystems contain information
+  about some quantities that are affected by namespaces, such as
+  the directories named after process ids in
+  /proc or the network interface infromation
+  in /sys/class/net. The namespace of the
+  process mounting the pseudo-filesystems determines what information
+  is shown, not the namespace of the process
+  accessing /proc or
+  /sys.
+
+
+  If one uses the -s option to only attach to
+  the pid namespace of a container, but not its mount namespace
+  (which will contain the /proc of the
+  container and not the host), the contents of /proc
+  will reflect that of the host and not the container. Analogously,
+  the same issue occurs when reading the contents of
+  /sys/class/net and attaching to just
+  the network namespace.
+
+
+  A workaround is to use lxc-unshare to unshare
+  the mount namespace after using lxc-attach with
+  -s PID and/or -s
+  NETWORK and then unmount and then mount again both
+  pseudo-filesystems within that new mount namespace, before
+  executing a program/script that relies on this information to be
+  correct.
+
+  
+
+  
 Security
 
-  The -e should be used with care, as it may break
-  the isolation of the containers if used improperly.
+  The -e and -s options should
+  be used with care, as it may break the isolation of the containers
+  if used improperly.
 
   
 
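Review bot: wording fixes for the added documentation: "use the -s to use" is missing the word "option"; "once once" is doubled; "infromation" should be "information"; "attached to to one or more of" reads better as "restricted to one or more of"; and in the Security paragraph "it may break" should be "they may break" now that two options are named.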
diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c
index 10d4a64..4f22752 100644
--- a/src/lxc/lxc_attach.c
+++ b/src/lxc/lxc_attach.c
@@ -40,12 +40,14 @@
 #include "start.h"
 #include "sync.h"
 #include "log.h"
+

[lxc-devel] [PATCH v3 6/6] lxc-attach: Add -R option to remount /sys and /proc when only partially attaching

2012-05-24 Thread Christian Seiler
When attaching to only some namespaces of the container but not the mount
namespace, the contents of /sys and /proc of the host system do not properly
reflect the context of the container's pid and/or network namespaces, and
possibly others.

The introduced -R option adds the possibility to additionally unshare the
mount namespace (when it is not being attached) and remount /sys and /proc
in order for those filesystems to properly reflect the container's context
even when only attaching to some of the namespaces.

Signed-off-by: Christian Seiler 
Acked-by: Serge Hallyn 
Cc: Daniel Lezcano 
---
 doc/lxc-attach.sgml.in |   44 +++-
 src/lxc/attach.c   |   44 
 src/lxc/attach.h   |1 +
 src/lxc/lxc_attach.c   |   22 +-
 4 files changed, 101 insertions(+), 10 deletions(-)

diff --git a/doc/lxc-attach.sgml.in b/doc/lxc-attach.sgml.in
index 035cd27..1724393 100644
--- a/doc/lxc-attach.sgml.in
+++ b/doc/lxc-attach.sgml.in
@@ -50,7 +50,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
02111-1307 USA
 lxc-attach -n
 name -a
 arch -e -s
-namespaces
+namespaces -R
 -- command
   
 
@@ -146,7 +146,30 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
02111-1307 USA

   
 
-
+  
+   
+ -R, --remount-sys-proc
+   
+   
+ 
+   When using -s and the mount namespace is not
+   included, this flag will cause lxc-attach
+   to remount /proc and
+   /sys to reflect the current other
+   namespace contexts.
+ 
+ 
+   Please see the Notes section for more
+   details.
+ 
+ 
+   This option will be ignored if one tries to attach to the
+   mount namespace anyway.
+ 
+   
+  
+
+ 
 
   
 
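Review bot: the added line just before the closing tag (`+ ` with only whitespace) introduces trailing whitespace; drop it. The text says -R is "ignored if one tries to attach to the mount namespace anyway"; saying explicitly that this includes the default case (no -s, which attaches to every namespace the container was started with, and lxc_spawn always sets CLONE_NEWNS) would stop users expecting a remount there.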
@@ -229,13 +252,16 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
02111-1307 USA
   the network namespace.
 
 
-  A workaround is to use lxc-unshare to unshare
-  the mount namespace after using lxc-attach with
-  -s PID and/or -s
-  NETWORK and then unmount and then mount again both
-  pseudo-filesystems within that new mount namespace, before
-  executing a program/script that relies on this information to be
-  correct.
+  To work around this problem, the -R flag provides
+  the option to remount /proc and
+  /sys in order for them to reflect the
+  network/pid namespace context of the attached process. In order
+  not to interfere with the host's actual filesystem, the mount
+  namespace will be unshared (like lxc-unshare
+  does) before this is done, esentially giving the process a new
+  mount namespace, which is identical to the hosts's mount namespace
+  except for the /proc and
+  /sys filesystems.
 
   
 
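Review bot: typos in the replaced Notes paragraph: "esentially" should be "essentially" and "hosts's" should be "host's".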
diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 37e667f..ec0e083 100644
--- a/src/lxc/attach.c
+++ b/src/lxc/attach.c
@@ -30,6 +30,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 
 #if !HAVE_DECL_PR_CAPBSET_DROP
@@ -188,6 +189,49 @@ int lxc_attach_to_ns(pid_t pid, int which)
return 0;
 }
 
+int lxc_attach_remount_sys_proc()
+{
+   int ret;
+
+   ret = unshare(CLONE_NEWNS);
+   if (ret < 0) {
+   SYSERROR("failed to unshare mount namespace");
+   return -1;
+   }
+
+   /* assume /proc is always mounted, so remount it */
+   ret = umount2("/proc", MNT_DETACH);
+   if (ret < 0) {
+   SYSERROR("failed to unmount /proc");
+   return -1;
+   }
+
+   ret = mount("none", "/proc", "proc", 0, NULL);
+   if (ret < 0) {
+   SYSERROR("failed to remount /proc");
+   return -1;
+   }
+
+   /* try to umount /sys - if it's not a mount point,
+* we'll get EINVAL, then we ignore it because it
+* may not have been mounted in the first place
+*/
+   ret = umount2("/sys", MNT_DETACH);
+   if (ret < 0 && errno != EINVAL) {
+   SYSERROR("failed to unmount /sys");
+   return -1;
+   } else if (ret == 0) {
+   /* remount it */
+   ret = mount("none", "/sys", "sysfs", 0, NULL);
+   if (ret < 0) {
+   SYSERROR("failed to remount /sys");
+   return -1;
+   }
+   }
+
+   return 0;
+}
+
 int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx)
 {
int last_cap = lxc_caps_last_cap();
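Review bot: `int lxc_attach_remount_sys_proc()` is an unprototyped declaration in C; use `(void)` here and in attach.h. More importantly, unshare(CLONE_NEWNS) copies the mount tree but keeps shared mounts in their peer groups, so on a host whose mounts are shared the umount2(MNT_DETACH) and mount() of /proc and /sys propagate back to the host, which is precisely what the documentation in this patch promises will not happen; call `mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)` right after the unshare before touching /proc. The fresh `mount("none", "/proc", "proc", 0, NULL)` also drops any nosuid/nodev/noexec flags the host's /proc was mounted with; consider passing MS_NOSUID | MS_NODEV | MS_NOEXEC for both remounts.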
diff --git a/src/lxc/attach.h b/src/lxc/attach.h
index d96fdae..aab47e3 100644
--- a/src/lxc/attach.h
+++ b/src/lxc/attach.h
@@ -34,6 +34,7 @@ struct lxc_proc_context_info {
 extern struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid);
 
 extern int lxc_attach_to_ns(pid_t other_pid, int which);
+extern int lxc_attach_remount_sys_proc();
 ext

Re: [lxc-devel] [PATCH v3 1/6] lxc-start: Add command to retrieve the clone flags used to start the container.

2012-05-24 Thread Serge Hallyn
Quoting Christian Seiler (christ...@iwakd.de):
> Add the LXC_COMMAND_CLONE_FLAGS that retrieves the flags passed to clone(2)
> when the container was started. This allows external programs to determine
> which namespaces the container was unshared from.
> 
> Signed-off-by: Christian Seiler 
> Cc: Daniel Lezcano 
> Cc: Serge Hallyn 

Acked-by: Serge Hallyn 

> ---
>  src/lxc/commands.c |   30 ++
>  src/lxc/commands.h |2 ++
>  src/lxc/start.c|   34 --
>  src/lxc/start.h|1 +
>  4 files changed, 57 insertions(+), 10 deletions(-)
> 
> diff --git a/src/lxc/commands.c b/src/lxc/commands.c
> index 1d488ae..3e551ee 100644
> --- a/src/lxc/commands.c
> +++ b/src/lxc/commands.c
> @@ -148,11 +148,32 @@ pid_t get_init_pid(const char *name)
>   return command.answer.pid;
>  }
>  
> +int lxc_get_clone_flags(const char *name)
> +{
> + struct lxc_command command = {
> + .request = { .type = LXC_COMMAND_CLONE_FLAGS },
> + };
> +
> + int ret, stopped = 0;
> +
> + ret = lxc_command(name, &command, &stopped);
> + if (ret < 0 && stopped)
> + return -1;
> +
> + if (ret < 0) {
> + ERROR("failed to send command");
> + return -1;
> + }
> +
> + return command.answer.ret;
> +}
> +
>  extern void lxc_console_remove_fd(int, struct lxc_tty_info *);
>  extern int  lxc_console_callback(int, struct lxc_request *, struct 
> lxc_handler *);
>  extern int  lxc_stop_callback(int, struct lxc_request *, struct lxc_handler 
> *);
>  extern int  lxc_state_callback(int, struct lxc_request *, struct lxc_handler 
> *);
>  extern int  lxc_pid_callback(int, struct lxc_request *, struct lxc_handler 
> *);
> +extern int  lxc_clone_flags_callback(int, struct lxc_request *, struct 
> lxc_handler *);
>  
>  static int trigger_command(int fd, struct lxc_request *request,
>  struct lxc_handler *handler)
> @@ -160,10 +181,11 @@ static int trigger_command(int fd, struct lxc_request 
> *request,
>   typedef int (*callback)(int, struct lxc_request *, struct lxc_handler 
> *);
>  
>   callback cb[LXC_COMMAND_MAX] = {
> - [LXC_COMMAND_TTY]   = lxc_console_callback,
> - [LXC_COMMAND_STOP]  = lxc_stop_callback,
> - [LXC_COMMAND_STATE] = lxc_state_callback,
> - [LXC_COMMAND_PID]   = lxc_pid_callback,
> + [LXC_COMMAND_TTY] = lxc_console_callback,
> + [LXC_COMMAND_STOP]= lxc_stop_callback,
> + [LXC_COMMAND_STATE]   = lxc_state_callback,
> + [LXC_COMMAND_PID] = lxc_pid_callback,
> + [LXC_COMMAND_CLONE_FLAGS] = lxc_clone_flags_callback,
>   };
>  
>   if (request->type < 0 || request->type >= LXC_COMMAND_MAX)
> diff --git a/src/lxc/commands.h b/src/lxc/commands.h
> index d5c013f..3b0ac9a 100644
> --- a/src/lxc/commands.h
> +++ b/src/lxc/commands.h
> @@ -28,6 +28,7 @@ enum {
>   LXC_COMMAND_STOP,
>   LXC_COMMAND_STATE,
>   LXC_COMMAND_PID,
> + LXC_COMMAND_CLONE_FLAGS,
>   LXC_COMMAND_MAX,
>  };
>  
> @@ -48,6 +49,7 @@ struct lxc_command {
>  };
>  
>  extern pid_t get_init_pid(const char *name);
> +extern int lxc_get_clone_flags(const char *name);
>  
>  extern int lxc_command(const char *name, struct lxc_command *command,
>   int *stopped);
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 920ff77..7e9913f 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -277,6 +277,29 @@ int lxc_pid_callback(int fd, struct lxc_request *request,
>   return 0;
>  }
>  
> +int lxc_clone_flags_callback(int fd, struct lxc_request *request,
> +  struct lxc_handler *handler)
> +{
> + struct lxc_answer answer;
> + int ret;
> +
> + answer.pid = 0;
> + answer.ret = handler->clone_flags;
> +
> + ret = send(fd, &answer, sizeof(answer), 0);
> + if (ret < 0) {
> + WARN("failed to send answer to the peer");
> + return -1;
> + }
> +
> + if (ret != sizeof(answer)) {
> + ERROR("partial answer sent");
> + return -1;
> + }
> +
> + return 0;
> +}
> +
>  int lxc_set_state(const char *name, struct lxc_handler *handler, lxc_state_t 
> state)
>  {
>   handler->state = state;
> @@ -531,17 +554,16 @@ out_warn_father:
>  
>  int lxc_spawn(struct lxc_handler *handler)
>  {
> - int clone_flags;
>   int failed_before_rename = 0;
>   const char *name = handler->name;
>  
>   if (lxc_sync_init(handler))
>   return -1;
>  
> - clone_flags = CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
> + handler->clone_flags = 
> CLONE_NEWUTS|CLONE_NEWPID|CLONE_NEWIPC|CLONE_NEWNS;
>   if (!lxc_list_empty(&handler->conf->network)) {
>  
> - clone_flags |= CLONE_NEWNET;
> + handler->clone_flags |= CLONE_NEWNET;
>  
>   /* Find gateway addresses from the 

Re: [lxc-devel] [PATCH v3 4/6] lxc-unshare: Move functions to determine clone flags from command line options to namespace.c

2012-05-24 Thread Serge Hallyn
Quoting Christian Seiler (christ...@iwakd.de):
> In order to be able to reuse code in lxc-attach, the functions
> lxc_namespace_2_cloneflag and lxc_fill_namespace_flags are moved from
> lxc_unshare.c to namespace.c.
> 
> Signed-off-by: Christian Seiler 
> Cc: Daniel Lezcano 
> Cc: Serge Hallyn 

Acked-by: Serge Hallyn 

> ---
>  src/lxc/lxc_unshare.c |   45 -
>  src/lxc/namespace.c   |   45 +
>  src/lxc/namespace.h   |3 +++
>  3 files changed, 48 insertions(+), 45 deletions(-)
> 
> diff --git a/src/lxc/lxc_unshare.c b/src/lxc/lxc_unshare.c
> index 0baccb0..fda2ed8 100644
> --- a/src/lxc/lxc_unshare.c
> +++ b/src/lxc/lxc_unshare.c
> @@ -85,51 +85,6 @@ static uid_t lookup_user(const char *optarg)
>   return uid;
>  }
>  
> -static char *namespaces_list[] = {
> - "MOUNT", "PID", "UTSNAME", "IPC",
> - "USER", "NETWORK"
> -};
> -static int cloneflags_list[] = {
> - CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_NEWIPC,
> - CLONE_NEWUSER, CLONE_NEWNET
> -};
> -
> -static int lxc_namespace_2_cloneflag(char *namespace)
> -{
> - int i, len;
> - len = sizeof(namespaces_list)/sizeof(namespaces_list[0]);
> - for (i = 0; i < len; i++)
> - if (!strcmp(namespaces_list[i], namespace))
> - return cloneflags_list[i];
> -
> - ERROR("invalid namespace name %s", namespace);
> - return -1;
> -}
> -
> -static int lxc_fill_namespace_flags(char *flaglist, int *flags)
> -{
> - char *token, *saveptr = NULL;
> - int aflag;
> -
> - if (!flaglist) {
> - ERROR("need at least one namespace to unshare");
> - return -1;
> - }
> -
> - token = strtok_r(flaglist, "|", &saveptr);
> - while (token) {
> -
> - aflag = lxc_namespace_2_cloneflag(token);
> - if (aflag < 0)
> - return -1;
> -
> - *flags |= aflag;
> -
> - token = strtok_r(NULL, "|", &saveptr);
> - }
> - return 0;
> -}
> -
>  
>  struct start_arg {
>   char ***args;
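Review bot: the removal leaves two consecutive blank lines before `struct start_arg` (the blank context line at the top of the hunk and the one at the bottom are now adjacent); drop one. The diffstat shows lxc_unshare.c with 45 deletions and no insertions, so no `#include "namespace.h"` is added here; that only works if the file already includes the header for lxc_clone, which is worth a quick check now that the two helpers are no longer static in this file.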
> diff --git a/src/lxc/namespace.c b/src/lxc/namespace.c
> index 3e6fc3a..3fa027b 100644
> --- a/src/lxc/namespace.c
> +++ b/src/lxc/namespace.c
> @@ -69,3 +69,48 @@ pid_t lxc_clone(int (*fn)(void *), void *arg, int flags)
>  
>   return ret;
>  }
> +
> +static char *namespaces_list[] = {
> + "MOUNT", "PID", "UTSNAME", "IPC",
> + "USER", "NETWORK"
> +};
> +static int cloneflags_list[] = {
> + CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_NEWIPC,
> + CLONE_NEWUSER, CLONE_NEWNET
> +};
> +
> +int lxc_namespace_2_cloneflag(char *namespace)
> +{
> + int i, len;
> + len = sizeof(namespaces_list)/sizeof(namespaces_list[0]);
> + for (i = 0; i < len; i++)
> + if (!strcmp(namespaces_list[i], namespace))
> + return cloneflags_list[i];
> +
> + ERROR("invalid namespace name %s", namespace);
> + return -1;
> +}
> +
> +int lxc_fill_namespace_flags(char *flaglist, int *flags)
> +{
> + char *token, *saveptr = NULL;
> + int aflag;
> +
> + if (!flaglist) {
> + ERROR("need at least one namespace to unshare");
> + return -1;
> + }
> +
> + token = strtok_r(flaglist, "|", &saveptr);
> + while (token) {
> +
> + aflag = lxc_namespace_2_cloneflag(token);
> + if (aflag < 0)
> + return -1;
> +
> + *flags |= aflag;
> +
> + token = strtok_r(NULL, "|", &saveptr);
> + }
> + return 0;
> +}
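Review bot: now that lxc_fill_namespace_flags is a shared helper, its destructive use of strtok_r on `flaglist` should be spelled out in a comment (the caller's buffer is modified in place, so passing a string literal or a configuration value that must stay intact will break), and the message "need at least one namespace to unshare" no longer fits the lxc-attach caller; something like "empty namespace list" serves both. Since the input is user supplied, also decide whether `PID||IPC` (an empty token, which strtok_r silently skips) should be accepted or rejected. The two tables can be `static const`, and `lxc_namespace_2_cloneflag` only reads its argument, so `const char *` is the right parameter type.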
> diff --git a/src/lxc/namespace.h b/src/lxc/namespace.h
> index 5442dd3..04e81bb 100644
> --- a/src/lxc/namespace.h
> +++ b/src/lxc/namespace.h
> @@ -50,4 +50,7 @@
>  
>  extern pid_t lxc_clone(int (*fn)(void *), void *arg, int flags);
>  
> +extern int lxc_namespace_2_cloneflag(char *namespace);
> +extern int lxc_fill_namespace_flags(char *flaglist, int *flags);
> +
>  #endif
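Review bot: the prototype `lxc_namespace_2_cloneflag(char *namespace)` should take `const char *` since the function only compares the string; `namespace` is also a C++ keyword, so a header that might ever be included from C++ is better off with a parameter name such as `ns_name`.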
> -- 
> 1.7.2.5
> 
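The `NAME|NAME` namespace-list syntax that the moved helper parses, as an added example that is not part of this patch or of LXC: a non-destructive parser that reads the list through a `const char *`, rejects empty tokens and unknown names instead of silently skipping them, and leaves `*flags` untouched on error. The function names `parse_namespace_flags` and `ns_token_to_cloneflag` are this example's own; the fallback CLONE_NEW* definitions carry the kernel's uapi values and are only used if `<sched.h>` does not expose them.

```c
/* Added example, not LXC code: parse "NETWORK|IPC" into CLONE_NEW* flags
 * without modifying the input string. */
#define _GNU_SOURCE
#include <sched.h>
#include <stddef.h>
#include <string.h>

/* Kernel uapi values, used only if sched.h did not define them. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS   0x00020000
#endif
#ifndef CLONE_NEWUTS
#define CLONE_NEWUTS  0x04000000
#endif
#ifndef CLONE_NEWIPC
#define CLONE_NEWIPC  0x08000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWPID
#define CLONE_NEWPID  0x20000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000
#endif

struct ns_name {
    const char *name;
    int flag;
};

/* Same names and flags as the table in the patch, kept together so the
 * two cannot get out of step. */
static const struct ns_name ns_table[] = {
    { "MOUNT",   CLONE_NEWNS   },
    { "PID",     CLONE_NEWPID  },
    { "UTSNAME", CLONE_NEWUTS  },
    { "IPC",     CLONE_NEWIPC  },
    { "USER",    CLONE_NEWUSER },
    { "NETWORK", CLONE_NEWNET  },
};

/* Look up one token of length len (not NUL-terminated); -1 if unknown. */
int ns_token_to_cloneflag(const char *tok, size_t len)
{
    size_t i;

    for (i = 0; i < sizeof(ns_table) / sizeof(ns_table[0]); i++) {
        if (strlen(ns_table[i].name) == len &&
            strncmp(ns_table[i].name, tok, len) == 0)
            return ns_table[i].flag;
    }
    return -1;
}

/* Parse a '|'-separated list into an OR of CLONE_NEW* flags.
 * Returns 0 on success. Returns -1, leaving *flags untouched, for a NULL or
 * empty list, an empty token ("PID||IPC", trailing '|') or an unknown name. */
int parse_namespace_flags(const char *list, int *flags)
{
    const char *p = list;
    int acc = 0;

    if (!list || !*list)
        return -1;

    for (;;) {
        size_t len = strcspn(p, "|");   /* token ends at '|' or NUL */
        int flag;

        if (len == 0)                   /* empty token: reject, don't skip */
            return -1;
        flag = ns_token_to_cloneflag(p, len);
        if (flag < 0)
            return -1;
        acc |= flag;

        p += len;
        if (*p == '\0')
            break;
        p++;                            /* step over the '|' */
    }

    *flags = acc;
    return 0;
}
```

Because the input is never written to, the caller can pass the argv string straight in, and a rejected list leaves the caller's flags exactly as they were, so a typo in `-s` can never widen the set of namespaces that gets attached.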

--
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel


Re: [lxc-devel] [PATCH v3 3/6] lxc-attach: Detect which namespaces to attach to dynamically

2012-05-24 Thread Serge Hallyn
Quoting Christian Seiler (christ...@iwakd.de):
> Use the command interface to contact lxc-start to receive the set of
> flags passed to clone() when starting the container. This allows lxc-attach
> to determine which namespaces were used for the container and select only
> those to attach to.
> 
> Signed-off-by: Christian Seiler 
> Cc: Daniel Lezcano 
> Cc: Serge Hallyn 

Looks nice, thanks.

Acked-by: Serge Hallyn 

> ---
>  src/lxc/attach.c |   42 +-
>  src/lxc/attach.h |2 +-
>  src/lxc/lxc_attach.c |   16 +++-
>  3 files changed, 53 insertions(+), 7 deletions(-)
> 
> diff --git a/src/lxc/attach.c b/src/lxc/attach.c
> index a95b3d3..37e667f 100644
> --- a/src/lxc/attach.c
> +++ b/src/lxc/attach.c
> @@ -121,13 +121,22 @@ out_error:
>   return NULL;
>  }
>  
> -int lxc_attach_to_ns(pid_t pid)
> +int lxc_attach_to_ns(pid_t pid, int which)
>  {
>   char path[MAXPATHLEN];
> - char *ns[] = { "pid", "mnt", "net", "ipc", "uts" };
> - const int size = sizeof(ns) / sizeof(char *);
> + /* according to 
> ,
> +  * the file for user namepsaces in /proc/$pid/ns will be called
> +  * 'user' once the kernel supports it
> +  */
> + static char *ns[] = { "mnt", "pid", "uts", "ipc", "user", "net" };
> + static int flags[] = {
> + CLONE_NEWNS, CLONE_NEWPID, CLONE_NEWUTS, CLONE_NEWIPC,
> + CLONE_NEWUSER, CLONE_NEWNET
> + };
> + static const int size = sizeof(ns) / sizeof(char *);
>   int fd[size];
> - int i;
> + int i, j, saved_errno;
> +
>  
>   snprintf(path, MAXPATHLEN, "/proc/%d/ns", pid);
>   if (access(path, X_OK)) {
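Review bot: `static const int size` is not a constant expression in C, so `int fd[size]` is a variable-length array; using `sizeof(ns) / sizeof(ns[0])` directly (or a `#define`) keeps it a plain array and lets the compiler confirm that `ns[]` and `flags[]` have the same length, which the code silently assumes. The added empty `+` line after `int i, j, saved_errno;` doubles up with the existing blank line below it.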
> @@ -136,16 +145,39 @@ int lxc_attach_to_ns(pid_t pid)
>   }
>  
>   for (i = 0; i < size; i++) {
> + /* ignore if we are not supposed to attach to that
> +  * namespace
> +  */
> + if (which != -1 && !(which & flags[i])) {
> + fd[i] = -1;
> + continue;
> + }
> +
>   snprintf(path, MAXPATHLEN, "/proc/%d/ns/%s", pid, ns[i]);
>   fd[i] = open(path, O_RDONLY);
>   if (fd[i] < 0) {
> + saved_errno = errno;
> +
> + /* close all already opened file descriptors before
> +  * we return an error, so we don't leak them
> +  */
> + for (j = 0; j < i; j++)
> + close(fd[j]);
> +
> + errno = saved_errno;
>   SYSERROR("failed to open '%s'", path);
>   return -1;
>   }
>   }
>  
>   for (i = 0; i < size; i++) {
> - if (setns(fd[i], 0)) {
> + if (fd[i] >= 0 && setns(fd[i], 0) != 0) {
> + saved_errno = errno;
> +
> + for (j = i; j < size; j++)
> + close(fd[j]);
> +
> + errno = saved_errno;
>   SYSERROR("failed to set namespace '%s'", ns[i]);
>   return -1;
>   }
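Review bot: both cleanup loops call `close(fd[j])` without skipping the `-1` placeholders stored for namespaces that are not attached, so close(-1) is issued for those; harmless (EBADF, and errno is restored afterwards) but `if (fd[j] >= 0)` keeps the cleanup honest. More importantly, the namespace files are opened without O_CLOEXEC; if the tail of this function (not in the hunk) does not close them after the setns loop, they are inherited across the exec of the attached command, handing it open descriptors to the host's `/proc/<pid>/ns/*` entries. `open(path, O_RDONLY | O_CLOEXEC)` is cheap insurance either way.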
> diff --git a/src/lxc/attach.h b/src/lxc/attach.h
> index 2d46c83..d96fdae 100644
> --- a/src/lxc/attach.h
> +++ b/src/lxc/attach.h
> @@ -33,7 +33,7 @@ struct lxc_proc_context_info {
>  
>  extern struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid);
>  
> -extern int lxc_attach_to_ns(pid_t other_pid);
> +extern int lxc_attach_to_ns(pid_t other_pid, int which);
>  extern int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx);
>  
>  #endif
> diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c
> index e4f604b..10d4a64 100644
> --- a/src/lxc/lxc_attach.c
> +++ b/src/lxc/lxc_attach.c
> @@ -51,6 +51,7 @@ static const struct option my_longopts[] = {
>  
>  static int elevated_privileges = 0;
>  static signed long new_personality = -1;
> +static int namespace_flags = -1;
>  
>  static int my_parser(struct lxc_arguments* args, int c, char* arg)
>  {
> @@ -139,11 +140,24 @@ int main(int argc, char *argv[])
>  
>   curdir = get_current_dir_name();
>  
> + /* determine which namespaces the container was created with
> +  * by asking lxc-start
> +  */
> + if (namespace_flags == -1) {
> + namespace_flags = lxc_get_clone_flags(my_args.name);
> + /* call failed */
> + if (namespace_flags == -1) {
> + ERROR("failed to automatically determine the "
> +   "namespaces which the container unshared");
> + return -1;
> + }
> + }
> +
>   /* we need to attach before we fork since certain namespaces
>* (such as pid namespaces) only really affect children of the
>* current process and not the process itself
>*/
> - ret = lxc_attach_to_ns(init_pid);
> + ret = lxc_atta
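Review bot: `-1` serves both as the "not given on the command line" sentinel for `namespace_flags` and as the failure return of lxc_get_clone_flags(); it works because the failure is checked immediately, but a dedicated sentinel makes the intent clearer. The `return -1` in the new error path also leaks `curdir` from get_current_dir_name() a few lines above; trivial since the process exits, but a `free(curdir)` before returning keeps the error path tidy.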

Re: [lxc-devel] [PATCH v3 5/6] lxc-attach: Add -s option to select namespaces to attach to

2012-05-24 Thread Serge Hallyn
Quoting Christian Seiler (christ...@iwakd.de):
> This patch allows the user to select any list of namespaces (network, pid,
> mount, uts, ipc, user) that lxc-attach should use when attaching to the
> container; all other namespaces will not be attached to.
> 
> This allows the user to for example attach to just the network namespace and
> use the host's (and not the container's) network tools to reconfigure the
> network of the container.
> 
> Signed-off-by: Christian Seiler 
> Cc: Daniel Lezcano 
> Cc: Serge Hallyn 

Acked-by: Serge Hallyn 

> ---
>  doc/lxc-attach.sgml.in |   98 +--
>  src/lxc/lxc_attach.c   |   20 +-
>  2 files changed, 112 insertions(+), 6 deletions(-)
> 
> diff --git a/doc/lxc-attach.sgml.in b/doc/lxc-attach.sgml.in
> index 7092f16..035cd27 100644
> --- a/doc/lxc-attach.sgml.in
> +++ b/doc/lxc-attach.sgml.in
> @@ -49,7 +49,8 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
> 02111-1307 USA
>
>  lxc-attach -n
>  name -a
> -arch -e
> +arch -e -s
> +namespaces
>  -- command
>
>  
> @@ -122,6 +123,29 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
> 02111-1307 USA
>   
>
>  
> +  
> + 
> +   -s, --namespaces 
> namespaces
> + 
> + 
> +   
> + Specify the namespaces to attach to, as a pipe-separated liste,
> + e.g. NETWORK|IPC. Allowed values are
> + MOUNT, PID,
> + UTSNAME, IPC,
> + USER  and
> + NETWORK. This allows one to change
> + the context of the process to e.g. the network namespace of the
> + container while retaining the other namespaces as those of the
> + host.
> +   
> +   
> + Important: This option implies
> + -e.
> +   
> + 
> +  
> +
>  
>  
>
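Review bot: typo in the new option text, "pipe-separated liste" should be "list". Since `-s` implies `-e` (the elevated-privileges option), a sentence explaining why would help the reader judge the risk of the combination instead of only flagging it as important.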
> @@ -144,19 +168,83 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, 
> MA 02111-1307 USA
>
>
>  To deactivate the network link eth1 of a running container that
> -does not have the NET_ADMIN capability, use the -e
> -option to use increased capabilities:
> +does not have the NET_ADMIN capability, use either the
> +-e option to use increased capabilities,
> +assuming the ip tool is installed:
>  
>lxc-attach -n container -e -- /sbin/ip link delete eth1
>  
> +Or, alternatively, use the -s to use the
> +tools installed on the host outside the container:
> +
> +  lxc-attach -n container -s NETWORK -- /sbin/ip link delete eth1
> +
>
>
>  
>
> +Compatibility
> +
> +  Attaching completely (including the pid and mount namespaces) to a
> +  container requires a patched kernel, please see the lxc website for
> +  details. lxc-attach will fail in that case if
> +  used with an unpatched kernel.
> +
> +
> +  Nevertheless, it will succeed on an unpatched kernel of version 3.0
> +  or higher if the -s option is used to restrict the
> +  namespaces that the process is to be attached to to one or more of 
> +  NETWORK, IPC
> +  and UTSNAME.
> +
> +
> +  Attaching to user namespaces is currently completely unsupported
> +  by the kernel. lxc-attach should however be able
> +  to do this once once future kernel versions implement this.
> +
> +  
> +
> +  
> +Notes
> +
> +  The Linux /proc and
> +  /sys filesystems contain information
> +  about some quantities that are affected by namespaces, such as
> +  the directories named after process ids in
> +  /proc or the network interface infromation
> +  in /sys/class/net. The namespace of the
> +  process mounting the pseudo-filesystems determines what information
> +  is shown, not the namespace of the process
> +  accessing /proc or
> +  /sys.
> +
> +
> +  If one uses the -s option to only attach to
> +  the pid namespace of a container, but not its mount namespace
> +  (which will contain the /proc of the
> +  container and not the host), the contents of /proc
> +  will reflect that of the host and not the container. Analogously,
> +  the same issue occurs when reading the contents of
> +  /sys/class/net and attaching to just
> +  the network namespace.
> +
> +
> +  A workaround is to use lxc-unshare to unshare
> +  the mount namespace after using lxc-attach with
> +  -s PID and/or -s
> +  NETWORK and then unmount and then mount again both
> +  pseudo-filesystems within that new mount namespace, before
> +  executing a program/script that relies on this information to be
> +  correct.
> +
> +  
> +
> +  
>  Security
>  
> -  The -e should be used with care, as it may break
> -  the isolation of the containers if used improperly.
> +  The -e and -s options should
> +
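Review bot: a few wording fixes for the new documentation text: "use the -s to use the tools" is missing "option"; "once once future kernel versions" doubles "once"; "infromation" should be "information"; and "restrict the namespaces that the process is to be attached to to one or more of" reads more easily as "restrict the set of namespaces to one or more of". The Compatibility paragraph says that a patched kernel is required for a complete attach and points at "the lxc website"; naming the kernel version or feature that is missing would let readers verify the statement later.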

Re: [lxc-devel] [PATCH v3 6/6] lxc-attach: Add -R option to remount /sys and /proc when only partially attaching

2012-05-24 Thread Serge Hallyn
Quoting Christian Seiler (christ...@iwakd.de):
> When attaching to only some namespaces of the container but not the mount
> namespace, the contents of /sys and /proc of the host system do not properly
> reflect the context of the container's pid and/or network namespaces, and
> possibly others.
> 
> The introduced -R option adds the possibility to additionally unshare the
> mount namespace (when it is not being attached) and remount /sys and /proc
> in order for those filesystems to properly reflect the container's context
> even when only attaching to some of the namespaces.
> 
> Signed-off-by: Christian Seiler 
> Acked-by: Serge Hallyn 

Note there is no reason to resend this patch for this, but do you think
it would be worthwhile to warn if the user specified -R, but CLONE_NEWNS
was already in the mount flags?

> Cc: Daniel Lezcano 
> ---
>  doc/lxc-attach.sgml.in |   44 +++-
>  src/lxc/attach.c   |   44 
>  src/lxc/attach.h   |1 +
>  src/lxc/lxc_attach.c   |   22 +-
>  4 files changed, 101 insertions(+), 10 deletions(-)
> 
> diff --git a/doc/lxc-attach.sgml.in b/doc/lxc-attach.sgml.in
> index 035cd27..1724393 100644
> --- a/doc/lxc-attach.sgml.in
> +++ b/doc/lxc-attach.sgml.in
> @@ -50,7 +50,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
> 02111-1307 USA
>  lxc-attach -n
>  name -a
>  arch -e -s
> -namespaces
> +namespaces -R
>  -- command
>
>  
> @@ -146,7 +146,30 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
> 02111-1307 USA
>   
>
>  
> -
> +  
> + 
> +   -R, --remount-sys-proc
> + 
> + 
> +   
> + When using -s and the mount namespace is not
> + included, this flag will cause lxc-attach
> + to remount /proc and
> + /sys to reflect the current other
> + namespace contexts.
> +   
> +   
> + Please see the Notes section for more
> + details.
> +   
> +   
> + This option will be ignored if one tries to attach to the
> + mount namespace anyway.
> +   
> + 
> +  
> +
> + 
>  
>
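Review bot: "This option will be ignored if one tries to attach to the mount namespace anyway" is the case Serge asks about above. Whether or not the code warns, the text should say explicitly that `-R` together with an attach that includes the mount namespace is a silent no-op rather than an error, because a user who combines them is probably expecting the remount to happen.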
>  
> @@ -229,13 +252,16 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, 
> MA 02111-1307 USA
>the network namespace.
>  
>  
> -  A workaround is to use lxc-unshare to unshare
> -  the mount namespace after using lxc-attach with
> -  -s PID and/or -s
> -  NETWORK and then unmount and then mount again both
> -  pseudo-filesystems within that new mount namespace, before
> -  executing a program/script that relies on this information to be
> -  correct.
> +  To work around this problem, the -R flag provides
> +  the option to remount /proc and
> +  /sys in order for them to reflect the
> +  network/pid namespace context of the attached process. In order
> +  not to interfere with the host's actual filesystem, the mount
> +  namespace will be unshared (like lxc-unshare
> +  does) before this is done, esentially giving the process a new
> +  mount namespace, which is identical to the hosts's mount namespace
> +  except for the /proc and
> +  /sys filesystems.
>  
>
>  
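Review bot: typos, "esentially" should be "essentially" and "hosts's" should be "host's". The claim that the new mount namespace is identical to the host's except for /proc and /sys holds only if the copy is made private before the remount; see the comment on the attach.c hunk below about shared mount propagation.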
> diff --git a/src/lxc/attach.c b/src/lxc/attach.c
> index 37e667f..ec0e083 100644
> --- a/src/lxc/attach.c
> +++ b/src/lxc/attach.c
> @@ -30,6 +30,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  #include 
>  
>  #if !HAVE_DECL_PR_CAPBSET_DROP
> @@ -188,6 +189,49 @@ int lxc_attach_to_ns(pid_t pid, int which)
>   return 0;
>  }
>  
> +int lxc_attach_remount_sys_proc()
> +{
> + int ret;
> +
> + ret = unshare(CLONE_NEWNS);
> + if (ret < 0) {
> + SYSERROR("failed to unshare mount namespace");
> + return -1;
> + }
> +
> + /* assume /proc is always mounted, so remount it */
> + ret = umount2("/proc", MNT_DETACH);
> + if (ret < 0) {
> + SYSERROR("failed to unmount /proc");
> + return -1;
> + }
> +
> + ret = mount("none", "/proc", "proc", 0, NULL);
> + if (ret < 0) {
> + SYSERROR("failed to remount /proc");
> + return -1;
> + }
> +
> + /* try to umount /sys - if it's not a mount point,
> +  * we'll get EINVAL, then we ignore it because it
> +  * may not have been mounted in the first place
> +  */
> + ret = umount2("/sys", MNT_DETACH);
> + if (ret < 0 && errno != EINVAL) {
> + SYSERROR("failed to unmount /sys");
> + return -1;
> + } else if (ret == 0) {
> + /* remount it */
> + ret = mount("none", "/sys", "sysfs", 0, NULL);
> + if (ret < 0) {
> + SYSERROR("failed to remount /sys");
> + return -1;
> + }
> + }
> +
> + return 0;
> +}
> +
>  int lxc_attach_drop_privs(struct lxc_proc_conte
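Review bot: after `unshare(CLONE_NEWNS)` the new mount namespace is a copy of the caller's, and any mount point marked shared (the default for `/` on systems where init makes the root mount rshared, and anything the admin has made shared) keeps propagating mount events between the two namespaces. The following `umount2("/proc", MNT_DETACH)` and `mount(..., "proc", ...)` would then be mirrored into the host's mount namespace, replacing /proc (and /sys) for every process on the host. Make the copy private first, e.g. `mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL)` (or MS_PRIVATE) right after the unshare, and fail if that does not succeed. Two smaller points: the fresh mounts drop whatever flags the host had on /proc and /sys, so pass MS_NOSUID | MS_NODEV | MS_NOEXEC to keep the usual hardening; and `int lxc_attach_remount_sys_proc()` should be declared `(void)` so that the prototype actually checks its call sites.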

Re: [lxc-devel] [PATCH v3 6/6] lxc-attach: Add -R option to remount /sys and /proc when only partially attaching

2012-05-24 Thread Christian Seiler
Hi Serge,

> Note there is no reason to resend this patch for this,

Actually, there were some trivial changes here due to patch #2, which
reordered some code in lxc_attach.c - that's why I resent it. Now it
should be trivial to apply all of the 6 patches to the current master
branch; before, you'd have had to do a bit of merging.

> but do you think it would be worthwhile to warn if the user specified
> -R, but CLONE_NEWNS was already in the mount flags?

I don't think it's necessary (this is a very specialized feature
anyway), but I don't really care, so if you think this should be done,
I can update the patch.

Regards,
Christian




[lxc-devel] [PATCH] Always close all inherited fds and drop --close-all-fds

2012-05-24 Thread Stéphane Graber
Hello,

Here is a suggestion to always close all inherited fds and get rid of
the existing --close-all-fds (-C) parameter from lxc-start.

This came up during an IRC discussion with Serge on LXC's current
behavior regarding fds.
The current code prints a warning if the user uses lxc-start and
inherits an fd (that used to be a critical error) but doesn't
actually close it. That's unless lxc-start is called with either
-d or -C, with either of these, the warning becomes a notice and
the inherited fds are closed.

I can't think of a case where we want lxc-start to inherit an fd,
so I think it makes sense to do away with that option and just make
it the default.

Stéphane Graber (1):
  Remove --close-all-fds (-C) from lxc-start and always close any
inherited fd.

 doc/lxc-start.sgml.in |   15 ---
 src/lxc/arguments.h   |3 ---
 src/lxc/conf.h|1 -
 src/lxc/lxc_start.c   |   10 +-
 src/lxc/start.c   |   10 ++
 5 files changed, 3 insertions(+), 36 deletions(-)

-- 
1.7.9.5
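The fd-closing behaviour this series makes the default, as an added example that is not LXC's code: it snapshots /proc/self/fd into an array first and only then closes, so the directory walk is never disturbed by its own close() calls, and it keeps stdin, stdout and stderr plus an explicit keep list (the role match_fd() plays in lxc-start). `list_open_fds` and `close_inherited_fds` are names chosen for this example.

```c
/* Added example, not LXC code: close every inherited descriptor that is
 * not explicitly kept, collecting the fd numbers before closing any. */
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>

/* Fill out[] with the fds currently open in this process, excluding the
 * directory handle used to read /proc/self/fd. Returns the count, or -1
 * (errno set) if /proc is unavailable or out[] is too small. */
int list_open_fds(int *out, size_t max)
{
    DIR *dir = opendir("/proc/self/fd");
    struct dirent *de;
    size_t n = 0;
    int self;

    if (!dir)
        return -1;
    self = dirfd(dir);                      /* our own handle, skip it */

    while ((de = readdir(dir)) != NULL) {
        char *end;
        long fd;

        if (de->d_name[0] == '.')           /* "." and ".." */
            continue;
        fd = strtol(de->d_name, &end, 10);
        if (*end != '\0' || fd < 0 || fd == self)
            continue;
        if (n == max) {
            closedir(dir);
            errno = ENOSPC;
            return -1;
        }
        out[n++] = (int)fd;
    }
    closedir(dir);
    return (int)n;
}

static int in_list(int fd, const int *list, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (list[i] == fd)
            return 1;
    return 0;
}

/* Close every open fd above stderr that is not in keep[]. The list is
 * gathered completely before the first close(), so the /proc/self/fd walk
 * cannot skip entries. Returns the number of descriptors closed, or -1. */
int close_inherited_fds(const int *keep, size_t nkeep)
{
    int fds[1024];
    int n, i, closed = 0;

    n = list_open_fds(fds, sizeof(fds) / sizeof(fds[0]));
    if (n < 0)
        return -1;

    for (i = 0; i < n; i++) {
        if (fds[i] <= STDERR_FILENO || in_list(fds[i], keep, nkeep))
            continue;
        if (close(fds[i]) == 0)
            closed++;
    }
    return closed;
}
```

A caller that needs to keep, say, a log fd and a console fd passes them in `keep[]`; everything else inherited from the parent is closed before the container's init is started, so no descriptor from the host side leaks into the container by accident.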




[lxc-devel] [PATCH] Remove --close-all-fds (-C) from lxc-start and always close any inherited fd.

2012-05-24 Thread Stéphane Graber
This changes the default behaviour from complaining about it but not closing
the inherited fds to logging an INFO entry and closing them automatically.
That's the same as always calling lxc-start with --close-all-fds.

Signed-off-by: Stéphane Graber 
Cc: Daniel Lezcano 
Cc: Serge Hallyn 

---
 doc/lxc-start.sgml.in |   15 ---
 src/lxc/arguments.h   |3 ---
 src/lxc/conf.h|1 -
 src/lxc/lxc_start.c   |   10 +-
 src/lxc/start.c   |   10 ++
 5 files changed, 3 insertions(+), 36 deletions(-)

diff --git a/doc/lxc-start.sgml.in b/doc/lxc-start.sgml.in
index 4504d58..08f1e81 100644
--- a/doc/lxc-start.sgml.in
+++ b/doc/lxc-start.sgml.in
@@ -147,21 +147,6 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
02111-1307 USA

   
 
-  
-   
- -C,
- --close-all-fds
-   
-   
- 
- If any file descriptors are inherited, close them.  If this option
- is not specified, then lxc-start will exit with
- failure instead. Note: --daemon implies
- --close-all-fds.
- 
-   
-  
-
 
 
   
diff --git a/src/lxc/arguments.h b/src/lxc/arguments.h
index 40f0d6c..6a2ffc6 100644
--- a/src/lxc/arguments.h
+++ b/src/lxc/arguments.h
@@ -58,9 +58,6 @@ struct lxc_arguments {
/* for lxc-wait */
char *states;
 
-   /* close fds from parent? */
-   int close_all_fds;
-
/* remaining arguments */
char *const *argv;
int argc;
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 09f55cb..24e7c43 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -215,7 +215,6 @@ struct lxc_conf {
struct lxc_console console;
struct lxc_rootfs rootfs;
char *ttydir;
-   int close_all_fds;
 };
 
 /*
diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
index 7559444..fdd4c72 100644
--- a/src/lxc/lxc_start.c
+++ b/src/lxc/lxc_start.c
@@ -58,9 +58,8 @@ static int my_parser(struct lxc_arguments* args, int c, char* 
arg)
 {
switch (c) {
case 'c': args->console = arg; break;
-   case 'd': args->daemonize = 1; args->close_all_fds = 1; break;
+   case 'd': args->daemonize = 1; break;
case 'f': args->rcfile = arg; break;
-   case 'C': args->close_all_fds = 1; break;
case 's': return lxc_config_define_add(&defines, arg);
}
return 0;
@@ -71,7 +70,6 @@ static const struct option my_longopts[] = {
{"rcfile", required_argument, 0, 'f'},
{"define", required_argument, 0, 's'},
{"console", required_argument, 0, 'c'},
-   {"close-all-fds", no_argument, 0, 'C'},
LXC_COMMON_OPTIONS
 };
 
@@ -87,9 +85,6 @@ Options :\n\
   -d, --daemon daemonize the container\n\
   -f, --rcfile=FILELoad configuration file FILE\n\
   -c, --console=FILE   Set the file output for the container console\n\
-  -C, --close-all-fds  If any fds are inherited, close them\n\
-   If not specified, exit with failure instead\n\
-  Note: --daemon implies --close-all-fds\n\
   -s, --define KEY=VAL Assign VAL to configuration variable KEY\n",
.options   = my_longopts,
.parser= my_parser,
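Review bot: the usage text here and the man page hunk above only lose the `-C` description; nothing now tells the user that inherited fds are closed automatically, which is a behaviour change from both "exit with failure" and "warn but keep". A one-line note in lxc-start.sgml.in (and ideally in the usage string) would preserve that information.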
@@ -204,9 +199,6 @@ int main(int argc, char *argv[])
return err;
}
 
-   if (my_args.close_all_fds)
-   conf->close_all_fds = 1;
-
err = lxc_start(my_args.name, args, conf);
 
/*
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 920ff77..ddc0923 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -140,7 +140,6 @@ int lxc_check_inherited(struct lxc_conf *conf, int 
fd_to_ignore)
int fd, fddir;
DIR *dir;
 
-restart:
dir = opendir("/proc/self/fd");
if (!dir) {
WARN("failed to open directory: %m");
@@ -167,13 +166,8 @@ restart:
if (match_fd(fd))
continue;
 
-   if (conf->close_all_fds) {
-   close(fd);
-   closedir(dir);
-   INFO("closed inherited fd %d", fd);
-   goto restart;
-   }
-   WARN("inherited fd %d", fd);
+   close(fd);
+   INFO("closed inherited fd %d", fd);
}
 
closedir(dir); /* cannot fail */
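Review bot: the `restart:` label existed because this loop close()s entries while readdir() is walking /proc/self/fd; the old code reopened the directory after each close so the walk could not miss an entry, whereas the new code closes inside the walk. With glibc buffering a batch of getdents() results this is usually fine in practice, but collecting the fd numbers first, calling closedir(), and closing afterwards is the robust form. `struct lxc_conf *conf` in lxc_check_inherited's signature is now unused (its only use was `conf->close_all_fds`), so drop the parameter or mark it. And since every inherited fd is now closed unconditionally, double-check that match_fd() covers every descriptor lxc-start needs (log, console, `fd_to_ignore`): a miss there is now a silent close rather than a warning.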
-- 
1.7.9.5




Re: [lxc-devel] [PATCH] Remove --close-all-fds (-C) from lxc-start and always close any inherited fd.

2012-05-24 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
> This changes the default behaviour from complaining about it but not closing
> the inherited fds to logging an INFO entry and closing them automatically.
> That's the same as always calling lxc-start with --close-all-fds.
> 
> Signed-off-by: Stéphane Graber 
> Cc: Daniel Lezcano 
> Cc: Serge Hallyn 

Acked-by: Serge Hallyn 

thanks,
-serge

> 
> ---
>  doc/lxc-start.sgml.in |   15 ---
>  src/lxc/arguments.h   |3 ---
>  src/lxc/conf.h|1 -
>  src/lxc/lxc_start.c   |   10 +-
>  src/lxc/start.c   |   10 ++
>  5 files changed, 3 insertions(+), 36 deletions(-)
> 
> diff --git a/doc/lxc-start.sgml.in b/doc/lxc-start.sgml.in
> index 4504d58..08f1e81 100644
> --- a/doc/lxc-start.sgml.in
> +++ b/doc/lxc-start.sgml.in
> @@ -147,21 +147,6 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
> 02111-1307 USA
>   
>
>  
> -  
> - 
> -   -C,
> -   --close-all-fds
> - 
> - 
> -   
> -   If any file descriptors are inherited, close them.  If this option
> -   is not specified, then lxc-start will exit with
> -   failure instead. Note: --daemon implies
> -   --close-all-fds.
> -   
> - 
> -  
> -
>  
>  
>
> diff --git a/src/lxc/arguments.h b/src/lxc/arguments.h
> index 40f0d6c..6a2ffc6 100644
> --- a/src/lxc/arguments.h
> +++ b/src/lxc/arguments.h
> @@ -58,9 +58,6 @@ struct lxc_arguments {
>   /* for lxc-wait */
>   char *states;
>  
> - /* close fds from parent? */
> - int close_all_fds;
> -
>   /* remaining arguments */
>   char *const *argv;
>   int argc;
> diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> index 09f55cb..24e7c43 100644
> --- a/src/lxc/conf.h
> +++ b/src/lxc/conf.h
> @@ -215,7 +215,6 @@ struct lxc_conf {
>   struct lxc_console console;
>   struct lxc_rootfs rootfs;
>   char *ttydir;
> - int close_all_fds;
>  };
>  
>  /*
> diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c
> index 7559444..fdd4c72 100644
> --- a/src/lxc/lxc_start.c
> +++ b/src/lxc/lxc_start.c
> @@ -58,9 +58,8 @@ static int my_parser(struct lxc_arguments* args, int c, 
> char* arg)
>  {
>   switch (c) {
>   case 'c': args->console = arg; break;
> - case 'd': args->daemonize = 1; args->close_all_fds = 1; break;
> + case 'd': args->daemonize = 1; break;
>   case 'f': args->rcfile = arg; break;
> - case 'C': args->close_all_fds = 1; break;
>   case 's': return lxc_config_define_add(&defines, arg);
>   }
>   return 0;
> @@ -71,7 +70,6 @@ static const struct option my_longopts[] = {
>   {"rcfile", required_argument, 0, 'f'},
>   {"define", required_argument, 0, 's'},
>   {"console", required_argument, 0, 'c'},
> - {"close-all-fds", no_argument, 0, 'C'},
>   LXC_COMMON_OPTIONS
>  };
>  
> @@ -87,9 +85,6 @@ Options :\n\
>-d, --daemon daemonize the container\n\
>-f, --rcfile=FILELoad configuration file FILE\n\
>-c, --console=FILE   Set the file output for the container console\n\
> -  -C, --close-all-fds  If any fds are inherited, close them\n\
> -   If not specified, exit with failure instead\n\
> -Note: --daemon implies --close-all-fds\n\
>-s, --define KEY=VAL Assign VAL to configuration variable KEY\n",
>   .options   = my_longopts,
>   .parser= my_parser,
> @@ -204,9 +199,6 @@ int main(int argc, char *argv[])
>   return err;
>   }
>  
> - if (my_args.close_all_fds)
> - conf->close_all_fds = 1;
> -
>   err = lxc_start(my_args.name, args, conf);
>  
>   /*
> diff --git a/src/lxc/start.c b/src/lxc/start.c
> index 920ff77..ddc0923 100644
> --- a/src/lxc/start.c
> +++ b/src/lxc/start.c
> @@ -140,7 +140,6 @@ int lxc_check_inherited(struct lxc_conf *conf, int 
> fd_to_ignore)
>   int fd, fddir;
>   DIR *dir;
>  
> -restart:
>   dir = opendir("/proc/self/fd");
>   if (!dir) {
>   WARN("failed to open directory: %m");
> @@ -167,13 +166,8 @@ restart:
>   if (match_fd(fd))
>   continue;
>  
> - if (conf->close_all_fds) {
> - close(fd);
> - closedir(dir);
> - INFO("closed inherited fd %d", fd);
> - goto restart;
> - }
> - WARN("inherited fd %d", fd);
> + close(fd);
> + INFO("closed inherited fd %d", fd);
>   }
>  
>   closedir(dir); /* cannot fail */
> -- 
> 1.7.9.5
> 


[lxc-devel] [PATCH 1/1] lxc-ubuntu.in: drop duplicate code

2012-05-24 Thread Serge Hallyn
Commits 15da01b3938d7ba45472e6c9d3b183a94dd86ca9 and
2e44ed1e647d9fd1544b7ad855bda22ca71abd12 conflicted and resulted in
some duplicate functionality.  Drop the poorer version of that block.

Signed-off-by: Serge Hallyn 
---
 templates/lxc-ubuntu.in |   28 
 1 file changed, 28 deletions(-)

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 3e84e74..822554f 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -160,34 +160,6 @@ download_ubuntu()
 return 1
 fi
 
-echo "Installing updates"
-if [ -z "$MIRROR" ]; then
-MIRROR="http://archive.ubuntu.com/ubuntu";
-fi
-cat >> "$1/partial-${arch}/etc/apt/sources.list" << EOF
-deb $MIRROR ${release}-updates main universe
-deb http://security.ubuntu.com/ubuntu ${release}-security main universe
-EOF
-chroot "$1/partial-${arch}" apt-get update
-if [ $? -ne 0 ]; then
-echo "Failed to update the apt cache"
-return 1
-fi
-cat > "$1/partial-${arch}"/usr/sbin/policy-rc.d << EOF
-#!/bin/sh
-exit 101
-EOF
-chmod +x "$1/partial-${arch}"/usr/sbin/policy-rc.d
-
-chroot "$1/partial-${arch}" apt-get dist-upgrade -y
-ret=$?
-
-rm -f "$1/partial-${arch}"/usr/sbin/policy-rc.d
-if [ $ret -ne 0 ]; then
-echo "Failed to upgrade the cache"
-return 1
-fi
-
 # Serge isn't sure whether we should avoid doing this when
 # $release == `distro-info -d`
 echo "Installing updates"
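Review bot: the removed block installed a policy-rc.d guard (`exit 101`) around the `apt-get dist-upgrade` so that package postinsts cannot start daemons inside the build chroot, removed the guard afterwards, and checked the upgrade's exit status. Only the first line of the surviving "Installing updates" block is visible here, so please confirm it keeps all three. The removed code also supplied the `MIRROR` fallback (`http://archive.ubuntu.com/ubuntu`); if the retained block relies on `$MIRROR` being set, a default must exist elsewhere in the template.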
-- 
1.7.9.5




Re: [lxc-devel] [PATCH 1/1] lxc-ubuntu.in: drop duplicate code

2012-05-24 Thread Stéphane Graber
On 05/24/2012 03:22 PM, Serge Hallyn wrote:
> Commits 15da01b3938d7ba45472e6c9d3b183a94dd86ca9 and
> 2e44ed1e647d9fd1544b7ad855bda22ca71abd12 conflicted and resulted in
> some duplicate functionality.  Drop the poorer version of that block.
> 
> Signed-off-by: Serge Hallyn 

Looks good.

Acked-by: Stéphane Graber 

> ---
>  templates/lxc-ubuntu.in |   28 
>  1 file changed, 28 deletions(-)
> 
> diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
> index 3e84e74..822554f 100644
> --- a/templates/lxc-ubuntu.in
> +++ b/templates/lxc-ubuntu.in
> @@ -160,34 +160,6 @@ download_ubuntu()
>  return 1
>  fi
>  
> -echo "Installing updates"
> -if [ -z "$MIRROR" ]; then
> -MIRROR="http://archive.ubuntu.com/ubuntu";
> -fi
> -cat >> "$1/partial-${arch}/etc/apt/sources.list" << EOF
> -deb $MIRROR ${release}-updates main universe
> -deb http://security.ubuntu.com/ubuntu ${release}-security main universe
> -EOF
> -chroot "$1/partial-${arch}" apt-get update
> -if [ $? -ne 0 ]; then
> -echo "Failed to update the apt cache"
> -return 1
> -fi
> -cat > "$1/partial-${arch}"/usr/sbin/policy-rc.d << EOF
> -#!/bin/sh
> -exit 101
> -EOF
> -chmod +x "$1/partial-${arch}"/usr/sbin/policy-rc.d
> -
> -chroot "$1/partial-${arch}" apt-get dist-upgrade -y
> -ret=$?
> -
> -rm -f "$1/partial-${arch}"/usr/sbin/policy-rc.d
> -if [ $ret -ne 0 ]; then
> -echo "Failed to upgrade the cache"
> -return 1
> -fi
> -
>  # Serge isn't sure whether we should avoid doing this when
>  # $release == `distro-info -d`
>  echo "Installing updates"
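
Review bot: the deleted block was the only part of this hunk that wraps `apt-get dist-upgrade` in the `exit 101` policy-rc.d guard (`-cat > "$1/partial-${arch}"/usr/sbin/policy-rc.d << EOF` through `-rm -f "$1/partial-${arch}"/usr/sbin/policy-rc.d`) and the only part that adds the `deb http://security.ubuntu.com/ubuntu ${release}-security main universe` source; the surviving "Installing updates" block lies outside the hunk's context, so the commit message should state that it keeps both the guard (without it, package maintainer scripts can start services in the host during the upgrade) and the -security entry. The kept comment `# Serge isn't sure whether we should avoid doing this when $release == \`distro-info -d\`` records an open question rather than a decision; either resolve it or mark it as a TODO so it is not read as a design note.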


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com





[lxc-devel] Getting some hooks into the container configuration

2012-05-24 Thread Stéphane Graber
One of the common feature requests I've heard about LXC, especially from
people who are used to OpenVZ, is having a variety of hooks where they
can run their own script at various points of the container lifetime.

I had a quick look at what was available on OpenVZ and worked on a list
of hooks that I think would be useful to our users:

 - mount: Is run after the rootfs and any fstab entry for the container
have been mounted but before the container is started
 - start: Is run after the container init is started
 - stop: Is run after the container has died
 - umount: Is run before the rootfs and any fstab entry for the
container are unmounted

At least the mount and umount ones can be quite useful to implement
features like the ephemeral containers where you want to stack an
overlayfs container or set up bind mounts based on a script's output.

All of these scripts run outside of the container's namespaces.

The above list is meant to make it easy for anyone coming from OpenVZ to
convert their setup to LXC.

Potential other hooks include pre-start and post-stop, running even
before LXC mounts/umounts the rootfs but I'm not sure I'm seeing a use
case for these right now (where they wouldn't work as "mount" hooks).

These would be configurable in the container as:
lxc.hook. = 

Does that sound good to everyone? Are there other hooks we should make
sure we implement? Anything else I missed?

Thanks

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com

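The mount hook use case from the proposal (setting up a bind mount from a script before the container starts), as an added example that is not part of the proposal or of LXC's own code; it assumes a hook interface of three positional arguments (rootfs path, host directory, target path relative to the rootfs), which the proposal leaves undefined. Because the hook runs outside the container's namespaces with host privileges while the rootfs contents are container-controlled, the target is resolved and checked to stay inside the rootfs before mount(8) is called.

```shell
#!/bin/sh
# Added example, not part of the hooks proposal or of LXC: a "mount" hook that
# bind-mounts a host directory into the freshly mounted rootfs. A symlink planted
# inside the rootfs could otherwise redirect the host-side mount onto a host
# path, so the target is resolved first and rejected unless it stays below the
# rootfs.
# Assumed interface (the proposal does not define one):
#   mount-hook.sh ROOTFS HOST_DIR RELATIVE_TARGET

# Resolve ROOTFS/RELATIVE_TARGET with symlinks followed and print the result
# only if it is an existing directory strictly below the resolved rootfs.
safe_bind_target() {
    rootfs=$1
    rel=$2
    root_real=$(readlink -f -- "$rootfs") || return 1
    target_real=$(readlink -f -- "$rootfs/$rel") || return 1
    if [ ! -d "$target_real" ]; then
        echo "refusing: $rel is not a directory in the rootfs" >&2
        return 1
    fi
    case "$target_real" in
        "$root_real"/*)
            printf '%s\n' "$target_real"
            return 0
            ;;
        *)
            echo "refusing: $rel resolves to $target_real, outside $root_real" >&2
            return 1
            ;;
    esac
}

main() {
    target=$(safe_bind_target "$1" "$3") || exit 1
    # Bind mount, then remount read-only so the container cannot alter the host tree.
    mount --bind -- "$2" "$target" && mount -o remount,bind,ro -- "$target"
}

# Only act when invoked with the three hook arguments, so the file can also be
# sourced to reuse safe_bind_target.
if [ $# -eq 3 ]; then
    main "$@"
fi
```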

