Re: [lxc-devel] [PATCH 2/2] lxc_attach: Clean up cgroup attaching code
Quoting Christian Seiler (christ...@iwakd.de): > Since lxc_attach now works with two fork()s anyway due to user > namespaces, the code for attaching to cgroups can be simplified again. > > This patch removes the prepare/finish/dispose functions for attaching > to cgroups and just keeps the lxc_cgroup_attach function. > --- (Note - no signed-off-by in this patch. How are you generating them? I'd recommend either using git-send-email, or get format-patch...) Thanks, Christian. Unfortunately this will clash badly with my cgroup update which does the same thing, so while I 100% ack the concept, Stéphane please do not apply this. > src/lxc/cgroup.c | 154 ++--- > src/lxc/cgroup.h |3 - > 2 files changed, 18 insertions(+), 139 deletions(-) > > diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c > index 6630d6c..8420e08 100644 > --- a/src/lxc/cgroup.c > +++ b/src/lxc/cgroup.c > @@ -259,37 +259,12 @@ static int cgroup_enable_clone_children(const char > *path) > return ret; > } > > -static int lxc_one_cgroup_finish_attach(int fd, pid_t pid) > -{ > - char buf[32]; > - int ret; > - > - snprintf(buf, 32, "%ld", (long)pid); > - > - ret = write(fd, buf, strlen(buf)); > - if (ret <= 0) { > - SYSERROR("failed to write pid '%ld' to fd '%d'", (long)pid, > fd); > - ret = -1; > - } else { > - ret = 0; > - } > - > - close(fd); > - return ret; > -} > - > -static int lxc_one_cgroup_dispose_attach(int fd) > -{ > - close(fd); > - return 0; > -} > - > -static int lxc_one_cgroup_prepare_attach(const char *name, > - struct mntent *mntent) > +static int lxc_one_cgroup_attach(const char *name, struct mntent *mntent, > pid_t pid) > { > int fd; > char tasks[MAXPATHLEN], initcgroup[MAXPATHLEN]; > char *cgmnt = mntent->mnt_dir; > + char buf[32]; > int flags; > int rc; 
> > @@ -310,77 +285,26 @@ static int lxc_one_cgroup_prepare_attach(const char > *name, > return -1; > } > > - return fd; > -} > - > -static int lxc_one_cgroup_attach(const char *name, struct mntent *mntent, > pid_t pid) > -{ > - int fd; > - > - fd = lxc_one_cgroup_prepare_attach(name, mntent); > - if (fd < 0) { > - return -1; > - } > - > - return lxc_one_cgroup_finish_attach(fd, pid); > -} > - > -int lxc_cgroup_dispose_attach(void *data) > -{ > - int *fds = data; > - int ret, err; > - > - if (!fds) { > - return 0; > - } > - > - ret = 0; > - > - for (; *fds >= 0; fds++) { > - err = lxc_one_cgroup_dispose_attach(*fds); > - if (err) { > - ret = err; > - } > - } > - > - free(data); > - > - return ret; > -} > - > -int lxc_cgroup_finish_attach(void *data, pid_t pid) > -{ > - int *fds = data; > - int err; > + snprintf(buf, 32, "%ld", (long)pid); > > - if (!fds) { > - return 0; > + rc = write(fd, buf, strlen(buf)); > + if (rc <= 0) { > + SYSERROR("failed to write pid '%ld' to fd '%d'", (long)pid, fd); > + rc = -1; > + } else { > + rc = 0; > } > > - for (; *fds >= 0; fds++) { > - err = lxc_one_cgroup_finish_attach(*fds, pid); > - if (err) { > - /* get rid of the rest of them */ > - lxc_cgroup_dispose_attach(data); > - return -1; > - } > - *fds = -1; > - } > - > - free(data); > - > - return 0; > + close(fd); > + return rc; > } > > -int lxc_cgroup_prepare_attach(const char *name, void **data) > +int lxc_cgroup_attach(const char *name, pid_t pid) > { > struct mntent *mntent; > FILE *file = NULL; > - int err = -1; > int found = 0; > - int *fds; > - int i; > - static const int MAXFDS = 256; > + int err = 0; > > file = setmntent(MTAB, "r"); > if (!file) { 
> @@ -388,29 +312,7 @@ int lxc_cgroup_prepare_attach(const char *name, void > **data) > return -1; > } > > - /* create a large enough buffer for all practical > - * use cases > - */ > - fds = malloc(sizeof(int) * MAXFDS); > - if (!fds) { > - err = -1; > - goto out; > - } > - for (i = 0; i < MAXFDS; i++) { > - fds[i] = -1; > - } > - > - err = 0; > - i = 0; > while ((mntent = getmntent(file))) { > - if (i >= MAXFDS - 1) { > - ERROR("too many cgroups to attach to, aborting"); > - lxc_cgroup_dispose_attach(fds); > - errno = ENOMEM; > - err = -1; > - goto out; > - } > - > DEBUG("checking '%s' (%s)", mntent->mnt_dir, mntent->mn
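Review bot: in the `lxc_one_cgroup_attach` hunk, `rc = write(fd, buf, strlen(buf)); if (rc <= 0)` treats a short write as success, so a partially written pid string would be reported as attached. Compare against the length instead, e.g. `if (rc != (int)strlen(buf))`, and keep the `close(fd)` on both paths as the hunk already does.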
Re: [lxc-devel] [PATCH 1/2] lxc_attach: fix break with user namespaces (v3)
Quoting Christian Seiler (christ...@iwakd.de): > When you clone a new user_ns, the child cannot write to the fds > opened by the parent. Hnadle this by doing an extra fork. The > grandparent hangs around and waits for its child to tell it the > pid of of the grandchild, which will be the one attached to the > container. The grandparent then moves the grandchild into the > right cgroup, then waits for the child who in turn is waiting on > the grandchild to complete. > > Secondly, when attaching to a new user namespace, your old uid is > not valid, so you are uid -1. This patch simply does setid+setuid > to 0 if that is the case. We probably want to be smarter, but > for now this allows lxc-attach to work. > > Signed-off-by: Christian Seiler Acked-by: Serge E. Hallyn Thanks, Christian, this looks good. > --- > src/lxc/lxc_attach.c | 178 > ++ > 1 files changed, 150 insertions(+), 28 deletions(-) > > diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c > index e1511ef..1f60266 100644 > --- a/src/lxc/lxc_attach.c > +++ b/src/lxc/lxc_attach.c > @@ -28,6 +28,7 @@ > #include > #include > #include > +#include > #include > > #include "attach.h" > @@ -128,9 +129,9 @@ int main(int argc, char *argv[]) > struct passwd *passwd; > struct lxc_proc_context_info *init_ctx; > struct lxc_handler *handler; > - void *cgroup_data = NULL; > uid_t uid; > char *curdir; > + int cgroup_ipc_sockets[2]; > > ret = lxc_caps_init(); > if (ret) > @@ -157,18 +158,6 @@ int main(int argc, char *argv[]) > return -1; > } > > - if (!elevated_privileges) { > - /* we have to do this now since /sys/fs/cgroup may not > - * be available inside the container or we may not have > - * the required permissions anymore > - */ > - ret = lxc_cgroup_prepare_attach(my_args.name, &cgroup_data); > - if (ret < 0) { > - ERROR("failed to prepare attaching to cgroup"); > - return -1; > - } > - } > - > curdir = getcwd(NULL, 0); > > /* determine which namespaces the container was created with 
> @@ -184,6 +173,106 @@ int main(int argc, char *argv[]) > } > } > > + /* For the cgroup attaching logic to work in conjunction with pid and > user namespaces, > + * we need to have the following hierarchy: > + * > + * lxc-attach [process executed externally] > + * | socketpair(cgroup_ipc_sockets) > + * | fork() -> child > + * | | setns() > + * | | fork()-> grandchild > + * | | | initialize > + * | | | signal parent > + * | |<--|+ > + * | | signal parent | > + * |<--|-+ | > + * | add to cgroups| | > + * | signal child >| | > + * | | signal child >| > + * | waitpid() | waitpid() | exec() > + * | |<--| exit() > + * |<--| exit() > + * | exit() > + * > + * The rationale is the following: The first parent is needed because > after > + * setns() (mount + user namespace) we can't access the cgroup > filesystem > + * to add the pid to the corresponding cgroup. Therefore, we need to do > that > + * in a process executed on the host, so that's why we need to fork and > wait > + * for it to have done some initialization (cgroups may restrict certain > + * operations so we have to do that in the end) and use IPC for > signaling. > + * > + * Then in the child process we do the setns(). However, a process is > never > + * really attached to a pid namespace (never changes its pid, doesn't > appear > + * in the pid namespace /proc), only child processes of that process are > + * truely inside the new pid namespace. That's why we need to fork() > again > + * after setns() before performing final initializations, then signal > our > + * parent, which signals the primary process, which does cgroup adding, > + * which then signals to the grandchild that it can exec(). > + */ > + ret = socketpair(PF_LOCAL, SOCK_STREAM, 0, cgroup_ipc_sockets); > + if (ret < 0) { > + SYSERROR("could not set up required IPC mechanism for > attaching"); > + return -1; > + } > + > + pid = fork(); > + if (pid < 0) { > + SYSERROR("failed to cr
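Review bot: `socketpair(PF_LOCAL, SOCK_STREAM, 0, cgroup_ipc_sockets)` in the last hunk creates descriptors that, per the diagram in the same comment block, are still open in the grandchild when it reaches exec(); unless the part of the patch cut off here closes both ends first, pass `SOCK_STREAM | SOCK_CLOEXEC` so the IPC sockets do not leak into the attached process. One typo in that comment: `truely` should be `truly`.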
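The three-process handshake the commit message describes (grandparent, child and grandchild exchanging "initialised", "pid" and "go" messages over sockets, with the grandparent doing the host-side cgroup work) as a stand-alone C program. This is an added illustration, not code from the patch or from LXC: it uses two socketpairs rather than one, replaces setns() and the cgroup write with comments and a recording stub (`place_in_cgroup`), and every name in it (`run_attach_hierarchy`, `struct attach_result`, the one-byte 'I'/'G' messages) is this example's own.

```c
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* What the outermost process (the "lxc-attach" box in the diagram) learns;
 * all names in this example are its own, not LXC's. */
struct attach_result {
    pid_t grandchild;        /* pid the child reported over the socket */
    int   placed_in_cgroup;  /* set once the grandparent has "attached" it */
    int   child_status;      /* waitpid() status of the intermediate child */
};

/* Stream sockets may return short reads; MSG_WAITALL asks for all n bytes. */
static int read_full(int fd, void *buf, size_t n)
{
    return recv(fd, buf, n, MSG_WAITALL) == (ssize_t)n ? 0 : -1;
}

/* Stand-in for the host-side cgroup step (lxc-attach writes the pid into the
 * tasks files here); this example only records that it happened. */
static void place_in_cgroup(pid_t pid, struct attach_result *r)
{
    r->grandchild = pid;
    r->placed_in_cgroup = 1;
}

int run_attach_hierarchy(struct attach_result *res)
{
    int outer[2], inner[2];       /* grandparent<->child, child<->grandchild */
    pid_t child, reported;
    char msg;

    memset(res, 0, sizeof(*res));
    /* SOCK_CLOEXEC: whatever the grandchild execs must not inherit the IPC fds */
    if (socketpair(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, outer) < 0)
        return -1;
    child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        /* child: in lxc-attach, setns() into the container happens here */
        pid_t gc; int status;
        close(outer[0]);
        if (socketpair(PF_LOCAL, SOCK_STREAM | SOCK_CLOEXEC, 0, inner) < 0)
            _exit(2);
        gc = fork();
        if (gc < 0)
            _exit(2);
        if (gc == 0) {
            /* grandchild: first process truly inside the new pid namespace;
             * initialise, report 'I', wait for 'G', then exec() would follow */
            close(inner[0]);
            msg = 'I';
            if (write(inner[1], &msg, 1) != 1 ||
                read_full(inner[1], &msg, 1) < 0 || msg != 'G')
                _exit(4);
            _exit(0);                /* execvp() of the attached command goes here */
        }
        close(inner[1]);
        if (read_full(inner[0], &msg, 1) < 0 || msg != 'I') {
            gc = -1;                 /* tell the grandparent the grandchild failed */
            if (write(outer[1], &gc, sizeof gc) != (ssize_t)sizeof gc)
                _exit(2);
            _exit(3);
        }
        if (write(outer[1], &gc, sizeof gc) != (ssize_t)sizeof gc)
            _exit(2);
        /* grandparent has finished the cgroup move: release the grandchild */
        if (read_full(outer[1], &msg, 1) < 0 || msg != 'G')
            _exit(3);
        msg = 'G';
        if (write(inner[0], &msg, 1) != 1)
            _exit(2);
        if (waitpid(gc, &status, 0) < 0 || !WIFEXITED(status))
            _exit(5);
        _exit(WEXITSTATUS(status));
    }

    /* grandparent: stays on the host, learns the grandchild's pid, attaches it */
    close(outer[1]);
    if (read_full(outer[0], &reported, sizeof reported) < 0 || reported <= 0) {
        waitpid(child, &res->child_status, 0);
        return -1;
    }
    place_in_cgroup(reported, res);
    msg = 'G';
    if (write(outer[0], &msg, 1) != 1 || waitpid(child, &res->child_status, 0) < 0)
        return -1;
    close(outer[0]);
    return WIFEXITED(res->child_status) && WEXITSTATUS(res->child_status) == 0 ? 0 : -1;
}

int main(void)
{
    struct attach_result r;
    return run_attach_hierarchy(&r) == 0 && r.placed_in_cgroup ? 0 : 1;
}
```

The ordering is the point: the grandchild's pid reaches the grandparent only after the grandchild has finished initialising, the grandparent does its host-side work before anyone sends 'G', and the grandchild cannot proceed to exec() until that 'G' arrives, so the process is always in its cgroup before it runs the attached command.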
Re: [lxc-devel] [PATCH 2/2] lxc_attach: Clean up cgroup attaching code
Hi Serge,

> (Note - no signed-off-by in this patch. How are you generating them?
> I'd recommend either using git-send-email, or get format-patch...)

Oh, I didn't know git format-patch had a --signoff option, I always added the line manually when committing and this time I just forgot it. ;-)

> Thanks, Christian. Unfortunately this will clash badly with my cgroup
> update which does the same thing, so while I 100% ack the concept,
> Stéphane please do not apply this.

Ok, I didn't know you were working on that. Btw. I'll be posting a few other patches w.r.t. attach soon, but they shouldn't touch cgroup.[ch], so they probably will apply correctly regardless.

- Christian

-- 
Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb
___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] [PATCH 1/2] lxc_attach: fix break with user namespaces (v3)
Quoting Serge Hallyn (serge.hal...@ubuntu.com):
> Quoting Christian Seiler (christ...@iwakd.de):
> > When you clone a new user_ns, the child cannot write to the fds
> > opened by the parent. Handle this by doing an extra fork. The
> > grandparent hangs around and waits for its child to tell it the
> > pid of the grandchild, which will be the one attached to the
> > container. The grandparent then moves the grandchild into the
> > right cgroup, then waits for the child who in turn is waiting on
> > the grandchild to complete.
> >
> > Secondly, when attaching to a new user namespace, your old uid is
> > not valid, so you are uid -1. This patch simply does setid+setuid
> > to 0 if that is the case. We probably want to be smarter, but
> > for now this allows lxc-attach to work.
> >
> > Signed-off-by: Christian Seiler
>
> Acked-by: Serge E. Hallyn
>
> Thanks, Christian, this looks good.

And, pushed to staging. I'll be posting my new cgroup patchset (supplanting your patch 2) today.

thanks,
-serge
[lxc-devel] [PATCH 1/3] lxc-attach: Default to /bin/sh if shell cannot be determined or exec'd
If the NSS implementation of the host and the container is incompatible, getpwuid() will fail and the shell of the user in the container cannot be determined. In that case, don't simply fail, but rather default to /bin/sh. Since this code path is only executed when attaching to a container without a command argument, this makes the default behavior of lxc-attach a lot more robust. Signed-off-by: Christian Seiler --- src/lxc/lxc_attach.c | 22 -- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c index 1f60266..292b5b5 100644 --- a/src/lxc/lxc_attach.c +++ b/src/lxc/lxc_attach.c @@ -438,15 +438,26 @@ int main(int argc, char *argv[]) uid = getuid(); passwd = getpwuid(uid); - if (!passwd) { - SYSERROR("failed to get passwd "\ -"entry for uid '%d'", uid); - return -1; + + if (passwd) { + char *const args[] = { + passwd->pw_shell, + NULL, + }; + + execvp(args[0], args); } + /* executed if either no passwd entry or execvp fails, +* we will fall back on /bin/sh as a default shell +* +* this will make lxc-attach work better out of the box, +* esp. when attaching to a container that has an +* incompatible nss implementation +*/ { char *const args[] = { - passwd->pw_shell, + "/bin/sh", NULL, }; @@ -454,7 +465,6 @@ int main(int argc, char *argv[]) SYSERROR("failed to exec '%s'", args[0]); return -1; } - } return 0; -- 1.7.10.4 -- Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
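Review bot: in the first hunk, a failed `execvp(args[0], args)` on `passwd->pw_shell` falls straight through to the `/bin/sh` block with no diagnostic, so a missing or misconfigured login shell is silently masked; log it before falling back, e.g. `SYSERROR("failed to exec '%s', falling back to /bin/sh", passwd->pw_shell);`. An empty `pw_shell` (which passwd(5) defines as meaning /bin/sh) also goes through a doomed `execvp("")` first; testing `*passwd->pw_shell` avoids that.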
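Review bot: the second hunk removes a closing brace (`- }` after `return -1; }`) while no opening brace is removed anywhere in the diff, so as posted the enclosing block is left unclosed; either the mail mangled the hunk or this needs a compile check before it is applied.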
[lxc-devel] [PATCH 3/3] lxc-attach: Allow the user to request uid/gid when attaching
This patch implements the -u and -g options for lxc-attach that allows the user to ask for a specific user and group id when attaching to a container. NOTE: DO NOT APPLY THIS PATCH JUST YET, THERE ARE SECURITY IMPLICATIONS THAT HAVE TO BE CONSIDERED BEFORE DOING SO. THIS IS JUST A DRAFT. --- src/lxc/lxc_attach.c | 52 +- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c index 6095b54..d39f5db 100644 --- a/src/lxc/lxc_attach.c +++ b/src/lxc/lxc_attach.c @@ -26,6 +26,7 @@ #include #include #include +#include #include #include #include @@ -55,6 +56,8 @@ static const struct option my_longopts[] = { {"arch", required_argument, 0, 'a'}, {"namespaces", required_argument, 0, 's'}, {"remount-sys-proc", no_argument, 0, 'R'}, + {"uid", required_argument, 0, 'u'}, + {"gid", required_argument, 0, 'g'}, LXC_COMMON_OPTIONS }; @@ -62,10 +65,13 @@ static int elevated_privileges = 0; static signed long new_personality = -1; static int namespace_flags = -1; static int remount_sys_proc = 0; +static long requested_uid = -1; +static long requested_gid = -1; static int my_parser(struct lxc_arguments* args, int c, char* arg) { int ret; + char *endptr; switch (c) { case 'e': elevated_privileges = 1; break; @@ -85,6 +91,24 @@ static int my_parser(struct lxc_arguments* args, int c, char* arg) /* -s implies -e */ elevated_privileges = 1; break; + case 'u': + endptr = NULL; + requested_uid = strtol(arg, &endptr, 10); + if (requested_uid < 0 || requested_uid == LONG_MAX || + !endptr || *endptr || !*arg) { + lxc_error(args, "invalid user id specified: %s", arg); + return -1; + } + break; + case 'g': + endptr = NULL; + requested_gid = strtol(arg, &endptr, 10); + if (requested_gid < 0 || requested_gid == LONG_MAX || + !endptr || *endptr || !*arg) { + lxc_error(args, "invalid group id specified: %s", arg); + return -1; + } + break; } return 0; 
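Review bot: in the `case 'u':` and `case 'g':` hunk, `requested_uid < 0 || requested_uid == LONG_MAX` only rejects overflow of `long`; on a 64-bit host `-u 4294967296` passes the check and the later `(uid_t)` cast truncates it to uid 0. Check `errno == ERANGE` after `strtol()` and reject any value that does not fit `uid_t`/`gid_t`, treating `(uid_t)-1` as invalid as well since the code uses `-1` as its "not requested" sentinel. The same applies to the gid branch.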
@@ -116,7 +140,10 @@ Options :\n\ Remount /sys and /proc if not attaching to the\n\ mount namespace when using -s in order to properly\n\ reflect the correct namespace context. See the\n\ -lxc-attach(1) manual page for details.\n", +lxc-attach(1) manual page for details.\n\ + -u, --uid=UID setuid(UID) when entering the container\n\ + -g, --gid=GID setgid(GID) when entering the container\n", + .options = my_longopts, .parser = my_parser, .checker = NULL, @@ -425,6 +452,12 @@ int main(int argc, char *argv[]) */ (void) lxc_attach_get_init_uidgid(&init_uid, &init_gid); + /* if the user whished for different credentials, use them */ + if (requested_uid != -1) + init_uid = (uid_t) requested_uid; + if (requested_gid != -1) + init_gid = (gid_t) requested_gid; + /* try to set the uid/gid combination */ if (setgid(init_gid)) { SYSERROR("switching to container gid"); @@ -434,6 +467,23 @@ int main(int argc, char *argv[]) SYSERROR("switching to container uid"); return -1; } + } else { + /* by default, with no user namespaces, we don't need +* setgid()/setuid(), but we should use them if explicitly +* requested +*/ + if (requested_gid != -1) { + if (setgid((gid_t) requested_gid)) { + SYSERROR("switching to container gid"); + return -1; + } + } + if (requested_uid != -1) { + if (setuid((uid_t) requested_uid)) { + SYSERROR("switching to container uid"); + return -1; + } + } } if (my_args.argc) { -- 1.7.10.4 -- Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free
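Review bot: in the `@@ -425,6 +452,12 @@` hunk the comment reads `whished`; `wished`. Since the requested ids replace init's before the `setgid()`/`setuid()` calls in the user-namespace branch, the help text should also say that UID/GID are interpreted inside the container's user namespace in that case.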
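Review bot: the new `else` branch in the `@@ -434,6 +467,23 @@` hunk calls `setgid()`/`setuid()` without `setgroups()`, so the attached process keeps the caller's supplementary groups after switching to the requested ids; clear them (`setgroups(0, NULL)`) or set the target user's groups before `setgid()`. The two branches now duplicate the setgid/setuid/error sequence; a small helper taking the final uid and gid would keep the order (gid first, then uid) in one place.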
[lxc-devel] [PATCH 0/3] lxc-attach: Additional improvements
Hi,

I've attached three additional patches for possible improvements to lxc-attach.

The first two I think should be applied directly, they do the following:

1) Create a sane fallback to /bin/sh if it is impossible to detect the container's shell because of incompatible nss implementations between host and container

2) Detect the user & group id of PID 1 and use that for lxc-attach instead of root, when attaching to user namespaces.

The third patch I'm not really sure about the security implications of, so I'm sending it as a draft, but somebody who knows more about the specifics should look over it.

3) Add -u and -g options to lxc-attach to allow the user to specify user and group ids to setuid()/setgid() to when attaching.

This feature could be really useful, on the other hand, I have only ever used lxc running as root (never tried lxc-setcap), so I have no idea if this could pose a potential security problem or not. (When running as root, you have all the rights anyway, so then it's fine.) I'd like some feedback on this before I feel comfortable signing off on adding these options.

Now if somebody tells me that attach is only possible as root anyway so far, then I don't have any qualms, but I'd rather be safe than sorry.

-- Christian
[lxc-devel] [PATCH 2/3] lxc-attach: User namespaces: Use init's user & group id when attaching
When attaching to a container with a user namespace, try to detect the user and group ids of init via /proc and attach as that same user. Only if that is unsuccessful, fall back to (0, 0). Signed-off-by: Christian Seiler --- src/lxc/attach.c | 53 ++ src/lxc/attach.h |2 ++ src/lxc/lxc_attach.c | 15 ++ 3 files changed, 66 insertions(+), 4 deletions(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c index af3d7a0..7845dda 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -275,3 +275,56 @@ int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx) return 0; } + +int lxc_attach_get_init_uidgid(uid_t* init_uid, gid_t* init_gid) +{ + FILE *proc_file; + char proc_fn[MAXPATHLEN]; + char *line = NULL; + size_t line_bufsz = 0; + int ret; + long value = -1; + uid_t uid = (uid_t)-1; + gid_t gid = (gid_t)-1; + + /* read capabilities */ + snprintf(proc_fn, MAXPATHLEN, "/proc/%d/status", 1); + + proc_file = fopen(proc_fn, "r"); + if (!proc_file) + return -1; + + while (getline(&line, &line_bufsz, proc_file) != -1) { + /* format is: real, effective, saved set user, fs +* we only care about real uid +*/ + ret = sscanf(line, "Uid: %ld", &value); + if (ret != EOF && ret > 0) { + uid = (uid_t) value; + } else { + ret = sscanf(line, "Gid: %ld", &value); + if (ret != EOF && ret > 0) + gid = (gid_t) value; + } + if (uid != (uid_t)-1 && gid != (gid_t)-1) + break; + } + + fclose(proc_file); + free(line); + + /* only override arguments if we found something */ + if (uid != (uid_t)-1) + *init_uid = uid; + if (gid != (gid_t)-1) + *init_gid = gid; + + /* TODO: we should also parse supplementary groups and use +* setgroups() to set them */ + + /* at least some entries were not found, we return error */ + if (uid == (uid_t)-1 || gid == (gid_t)-1) + return -1; + + return 0; +} diff --git a/src/lxc/attach.h b/src/lxc/attach.h index 4d4f719..fc630e2 100644 --- a/src/lxc/attach.h +++ b/src/lxc/attach.h 
@@ -38,4 +38,6 @@ extern int lxc_attach_to_ns(pid_t other_pid, int which); extern int lxc_attach_remount_sys_proc(); extern int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx); +extern int lxc_attach_get_init_uidgid(uid_t* init_uid, gid_t* init_gid); + #endif diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c index 292b5b5..6095b54 100644 --- a/src/lxc/lxc_attach.c +++ b/src/lxc/lxc_attach.c @@ -417,13 +417,20 @@ int main(int argc, char *argv[]) lxc_sync_fini(handler); if (namespace_flags & CLONE_NEWUSER) { - /* XXX FIXME this should get the uid of the container init and setuid to that */ - /* XXX FIXME or perhaps try to map in the lxc-attach caller's uid? */ - if (setgid(0)) { + uid_t init_uid = 0; + gid_t init_gid = 0; + + /* ignore errors, we will fall back to root in that case +* (/proc could be not mounted etc.) +*/ + (void) lxc_attach_get_init_uidgid(&init_uid, &init_gid); + + /* try to set the uid/gid combination */ + if (setgid(init_gid)) { SYSERROR("switching to container gid"); return -1; } - if (setuid(0)) { + if (setuid(init_uid)) { SYSERROR("switching to container uid"); return -1; } -- 1.7.10.4 -- Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
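Review bot: in the attach.c hunk the `/* read capabilities */` comment above `snprintf(proc_fn, MAXPATHLEN, "/proc/%d/status", 1)` is stale (the loop parses the `Uid:` and `Gid:` lines), and formatting a literal `1` into the path is unnecessary. The `TODO` about supplementary groups matters for the callers of this function: without a `setgroups()` before `setgid()`, the attached process keeps the host caller's supplementary groups inside the container.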
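Review bot: in the lxc_attach.c hunk, `(void) lxc_attach_get_init_uidgid(&init_uid, &init_gid)` discards the -1, but attach.c writes `*init_uid` and `*init_gid` independently, so a status file where only one of the two lines parsed leaves a mixed pair (init's uid with gid 0) even though the function reports failure. The commit message promises a fall back to (0, 0) only when detection is unsuccessful; reset both locals to 0 when the call returns -1, or have attach.c write both only when both were found.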
[lxc-devel] lxc-attach: NSS handling
Hi there,

I've run into the problem multiple times now that lxc-attach can't detect the default shell of my current user properly, since the NSS implementations of host and container are incompatible. One of the patches I just sent to the list mitigates that by having a fallback - use /bin/sh. The only trouble is that calling any modern shell as /bin/sh will usually not result in a very user-friendly interface.

So my idea would actually be to introduce an additional fallback: glibc comes with an additional binary getent(1) that allows one to query the NSS directly. If getpwuid() doesn't work directly, lxc-attach could spawn "getent passwd %d" and parse the output to figure out the correct login shell of the user. That will also not work in all cases, but then we may still fall back on /bin/sh as a last resort.

Do you think implementing that is worthwhile?

-- Christian
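To make the proposal concrete, an added example (not part of the post or of LXC) of the parsing half: `login_shell_from_getent()` scans `getent passwd` output for a uid and falls back to /bin/sh when the user is missing, the line is malformed, or the shell field is empty, and `login_shell_via_getent()` is the `popen()` wrapper the message describes. The sample output is constructed, and all function names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define FALLBACK_SHELL "/bin/sh"

/* One `getent passwd` line is name:passwd:uid:gid:gecos:home:shell. If the
 * uid field matches, copy the shell field into out and return 1; return 0
 * for other users and for anything that is not a clean 7-field line. */
static int shell_from_passwd_line(const char *line, uid_t uid,
                                  char *out, size_t outlen)
{
    const char *f[7], *p = line;
    size_t n[7];
    unsigned long v; char *end; int i;

    for (i = 0; i < 7; i++) {
        n[i] = strcspn(p, ":\n");
        f[i] = p;
        if (p[n[i]] != ':')
            break;
        p += n[i] + 1;
    }
    if (i != 6)                 /* broke early (too few fields) or ran past (too many) */
        return 0;
    /* uid field: digits only, complete, and within uid_t */
    if (n[2] == 0 || *f[2] < '0' || *f[2] > '9')
        return 0;
    errno = 0;
    v = strtoul(f[2], &end, 10);
    if (errno != 0 || end != f[2] + n[2] || v > (uid_t)-1 || (uid_t)v != uid)
        return 0;
    if (n[6] == 0)              /* empty shell field means /bin/sh, as login(1) does */
        return snprintf(out, outlen, "%s", FALLBACK_SHELL) < (int)outlen;
    if (n[6] >= outlen)
        return 0;               /* never hand back a truncated path */
    memcpy(out, f[6], n[6]);
    out[n[6]] = '\0';
    return 1;
}

/* Walk a whole getent output. Returns 1 if a shell for uid was found (in out),
 * 0 otherwise; out always holds a usable shell afterwards. */
int login_shell_from_getent(const char *output, uid_t uid, char *out, size_t outlen)
{
    const char *line = output;
    while (line && *line) {
        if (shell_from_passwd_line(line, uid, out, outlen))
            return 1;
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    snprintf(out, outlen, "%s", FALLBACK_SHELL);
    return 0;
}

/* The spawn half of the proposal: run `getent passwd <uid>` and parse it.
 * The command is built from a number only, so nothing user-controlled reaches
 * the shell that popen() uses. */
int login_shell_via_getent(uid_t uid, char *out, size_t outlen)
{
    char cmd[64], buf[4096];
    size_t got = 0, r;
    FILE *fp;
    snprintf(cmd, sizeof cmd, "getent passwd %lu", (unsigned long)uid);
    fp = popen(cmd, "r");
    if (!fp) {
        snprintf(out, outlen, "%s", FALLBACK_SHELL);
        return 0;
    }
    while (got < sizeof buf - 1 &&
           (r = fread(buf + got, 1, sizeof buf - 1 - got, fp)) > 0)
        got += r;
    buf[got] = '\0';
    pclose(fp);
    return login_shell_from_getent(buf, uid, out, outlen);
}

/* Constructed sample getent output: a junk line and an entry with no shell. */
const char SAMPLE_GETENT[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "not a passwd line\n"
    "alice:x:1000:1000:Alice,,,:/home/alice:/usr/bin/zsh\n"
    "bob:x:1001:1001::/home/bob:\n";

int main(void)
{
    char sh[256];
    int found = login_shell_from_getent(SAMPLE_GETENT, 1000, sh, sizeof sh);
    printf("uid 1000 (sample): %s%s\n", sh, found ? "" : " (fallback)");
    found = login_shell_via_getent(0, sh, sizeof sh);   /* queries the real database */
    printf("uid 0 (getent):    %s%s\n", sh, found ? "" : " (fallback)");
    return 0;
}
```

Note that inside the container's mount namespace both `getent` and the `/bin/sh` fallback come from the container's filesystem, which is exactly why a host/container NSS mismatch can still leave `getent` failing; the parser therefore treats any non-matching or malformed output as "unknown" and keeps /bin/sh as the last resort.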
[lxc-devel] [PATCH 2/6] af_unix: make sure to keep useful errno
Signed-off-by: Serge Hallyn --- src/lxc/af_unix.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c index 2a34828..f6c65fb 100644 --- a/src/lxc/af_unix.c +++ b/src/lxc/af_unix.c @@ -56,12 +56,16 @@ int lxc_af_unix_open(const char *path, int type, int flags) path[0]?strlen(path):sizeof(addr.sun_path)); if (bind(fd, (struct sockaddr *)&addr, sizeof(addr))) { + int tmp = errno; close(fd); + errno = tmp; return -1; } if (type == SOCK_STREAM && listen(fd, 100)) { + int tmp = errno; close(fd); + errno = tmp; return -1; } @@ -99,7 +103,9 @@ int lxc_af_unix_connect(const char *path) path[0]?strlen(path):sizeof(addr.sun_path)); if (connect(fd, (struct sockaddr *)&addr, sizeof(addr))) { + int tmp = errno; close(fd); + errno = tmp; return -1; } -- 1.8.1.2 -- Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
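Review bot: the save/restore of `errno` around `close(fd)` is right, and the identical three-line sequence now appears in all three hunks (the `bind()`, `listen()` and `connect()` failure paths); a tiny helper such as `static void close_keep_errno(int fd) { int tmp = errno; close(fd); errno = tmp; }` would make it impossible to forget on the next error path that gets added.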
[lxc-devel] [PATCH 4/6] c api -> createl: correctly handle 0 template args
Signed-off-by: Serge Hallyn --- src/lxc/lxccontainer.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index bcfc8b6..3eaf41e 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -692,7 +692,8 @@ static bool lxcapi_createl(struct lxc_container *c, char *t, ...) args[nargs - 1] = arg; } va_end(ap); - args[nargs] = NULL; + if (args) + args[nargs] = NULL; bret = c->create(c, t, args); -- 1.8.1.2 -- Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
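Review bot: `if (args) args[nargs] = NULL;` fixes the NULL dereference for zero template arguments, but it means `c->create(c, t, args)` can now receive `args == NULL`; make sure `create` (and whatever it hands the array on to) treats a NULL argument list as empty rather than indexing it.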
[lxc-devel] [PATCH 5/6] c api: send lxcpath to destroy command
Signed-off-by: Serge Hallyn --- src/lxc/lxccontainer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 3eaf41e..404f60a 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -791,7 +791,7 @@ static bool lxcapi_destroy(struct lxc_container *c) if (pid < 0) return false; if (pid == 0) { // child - ret = execlp("lxc-destroy", "lxc-destroy", "-n", c->name, NULL); + ret = execlp("lxc-destroy", "lxc-destroy", "-n", c->name, "-P", c->config_path, NULL); perror("execl"); exit(1); } -- 1.8.1.2 -- Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
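Review bot: the new `execlp(..., "-P", c->config_path, NULL)` terminates the argument list early if `c->config_path` is NULL, leaving `-P` with no value so lxc-destroy's optarg check rejects the call; guard against a NULL `config_path` (fall back to the default lxcpath, or omit `-P`).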
[lxc-devel] [PATCH 1/6] lxc-destroy: add --lxc-path argument
Signed-off-by: Serge Hallyn --- src/lxc/lxc-destroy.in | 20 +--- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/lxc/lxc-destroy.in b/src/lxc/lxc-destroy.in index 6464e52..1c68f9d 100644 --- a/src/lxc/lxc-destroy.in +++ b/src/lxc/lxc-destroy.in @@ -26,7 +26,7 @@ # usage() { -echo "usage: $(basename $0) -n NAME [-f]" >&2 +echo "usage: $(basename $0) -n NAME [-f] [-P lxcpath]" >&2 } help() { @@ -35,8 +35,9 @@ help() { echo "Remove an existing container on the system." >&2 echo >&2 echo "Options:" >&2 -echo " -n NAME specify the name of the container" >&2 -echo " -fstop the container if it is running (rather than abort)" >&2 +echo " -n NAMEspecify the name of the container" >&2 +echo " -f stop the container if it is running (rather than abort)" >&2 +echo " -P lxcpath container is in specified lxcpath" >&2 } usage_err() { @@ -67,6 +68,11 @@ while [ $# -gt 0 ]; do lxc_name=$1 shift ;; +-P|--lxcpath) +optarg_check "$opt" "$1" +lxc_path=$1 +shift +;; -f) force=1 ;; @@ -104,12 +110,12 @@ if [ ! -d "$lxc_path/$lxc_name" ]; then fi # make sure the container is stopped -if ! lxc-info -n $lxc_name --state-is "STOPPED"; then +if ! lxc-info -n $lxc_name -P $lxc_path --state-is "STOPPED"; then if [ $force -eq 1 ]; then -lxc-stop -n $lxc_name -lxc-wait -n $lxc_name -s STOPPED +lxc-stop -P $lxc_path -n $lxc_name +lxc-wait -P $lxc_path -n $lxc_name -s STOPPED else -echo "$(basename $0): '$lxc_name' $(lxc-info -n $lxc_name -s); aborted" >&2 +echo "$(basename $0): '$lxc_name' $(lxc-info -P $lxc_path -n $lxc_name -s); aborted" >&2 exit 1 fi fi -- 1.8.1.2 -- Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
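Review bot: in the last hunk `$lxc_path` and `$lxc_name` are expanded unquoted in `lxc-info -n $lxc_name -P $lxc_path ...`, `lxc-stop -P $lxc_path -n $lxc_name` and `lxc-wait -P $lxc_path -n $lxc_name -s STOPPED`; quote them (`"$lxc_path"`, `"$lxc_name"`) so an lxcpath containing spaces or glob characters is passed as a single argument, as the existing `[ ! -d "$lxc_path/$lxc_name" ]` test already does.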
[lxc-devel] [PATCH 3/6] userns: handle delayed write errors at fclose
As Kees pointed out, write() errors can be delayed and returned as close() errors. So don't ignore error on close when writing the userns id mapping. Signed-off-by: Serge Hallyn --- src/lxc/conf.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 04ab8b8..7d70c97 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -2447,7 +2447,7 @@ int lxc_assign_network(struct lxc_list *network, pid_t pid) int add_id_mapping(enum idtype idtype, pid_t pid, uid_t host_start, uid_t ns_start, int range) { char path[PATH_MAX]; - int ret; + int ret, closeret; FILE *f; ret = snprintf(path, PATH_MAX, "/proc/%d/%cid_map", pid, idtype == ID_TYPE_UID ? 'u' : 'g'); @@ -2462,9 +2462,11 @@ int add_id_mapping(enum idtype idtype, pid_t pid, uid_t host_start, uid_t ns_sta } ret = fprintf(f, "%d %d %d", ns_start, host_start, range); if (ret < 0) - perror("write"); - fclose(f); - return ret < 0 ? ret : 0; + SYSERROR("writing id mapping"); + closeret = fclose(f); + if (closeret) + SYSERROR("writing id mapping"); + return ret < 0 ? ret : closeret; } int lxc_map_ids(struct lxc_list *idmap, pid_t pid) -- 1.8.1.2 -- Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_feb ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
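Review bot: `fprintf(f, "%d %d %d", ns_start, host_start, range)` (context line in the second hunk) prints `uid_t` values with `%d`; they are unsigned, so use `%u` for `ns_start` and `host_start`. Both error paths now log the identical message `"writing id mapping"`, which makes a failed write indistinguishable from a failed close; say `"closing id mapping"` in the `fclose()` branch. The `return ret < 0 ? ret : closeret;` is fine since `fclose()` returns EOF on failure.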
[lxc-devel] [PATCH 6/6] cgroup: improve support for multiple lxcpaths (v3)
Add a monitor command to get the cgroup for a running container. This allows container r1 started from /var/lib/lxc and container r1 started from /home/ubuntu/lxcbase to pick unique cgroup directories (which will be /sys/fs/cgroup/$subsys/lxc/r1 and .../r1-1), and all the lxc-* tools to get that path over the monitor at lxcpath.

Rework the cgroup code. Before, if /sys/fs/cgroup/$subsys/lxc/r1 already existed, it would be moved to 'deadX', and a new r1 created. Instead, if r1 exists, use r1-1, r1-2, etc.

I ended up removing both the use of cgroup.clone_children and support for ns cgroup. Presumably we'll want to put support for ns cgroup back in for older kernels. Instead of guessing whether or not we have clone_children support, just always explicitly do the only thing that feature buys us - set cpuset.{cpus,mems} for newly created cgroups. Note that upstream kernel is working toward strict hierarchical limit enforcements, which will be good for us.

NOTE - I am changing the lxc_answer struct size. This means that upgrades to this version while containers are running will result in lxc_* commands on pre-running containers failing.

Changelog: (v3)
  implement cgroup attach
  fix a subtle bug arising when lxc_get_cgpath() returned STOPPED rather than -1 (STOPPED is 0, and 0 meant success).
  Rename some functions and add detailed comments above most.
  Drop all my lxc_attach changes in favor of those by Christian Seiler (which are mostly the same, but improved).
Signed-off-by: Serge Hallyn --- src/lxc/attach.c | 1 - src/lxc/cgroup.c | 941 - src/lxc/cgroup.h | 18 +- src/lxc/commands.c | 11 + src/lxc/commands.h | 3 + src/lxc/conf.c | 7 +- src/lxc/conf.h | 2 +- src/lxc/freezer.c | 35 +- src/lxc/lxc.h | 28 +- src/lxc/lxc_attach.c | 2 +- src/lxc/lxc_cgroup.c | 4 +- src/lxc/lxc_unshare.c | 10 - src/lxc/lxccontainer.c | 4 +- src/lxc/lxcutmp.c | 2 +- src/lxc/start.c| 54 ++- src/lxc/start.h| 2 +- src/lxc/state.c| 7 +- src/lxc/stop.c | 3 +- src/tests/Makefile.am | 4 +- src/tests/cgpath.c | 164 + src/tests/lxcpath.c| 2 +- 21 files changed, 774 insertions(+), 530 deletions(-) create mode 100644 src/tests/cgpath.c diff --git a/src/lxc/attach.c b/src/lxc/attach.c index af3d7a0..e0a40bd 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -42,7 +42,6 @@ #include "log.h" #include "attach.h" #include "caps.h" -#include "cgroup.h" #include "config.h" #include "apparmor.h" diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index 6630d6c..4d7de02 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c @@ -38,6 +38,7 @@ #include "error.h" #include "config.h" +#include "commands.h" #include #include @@ -53,11 +54,6 @@ lxc_log_define(lxc_cgroup, lxc); #define MTAB "/proc/mounts" -enum { - CGROUP_NS_CGROUP = 1, - CGROUP_CLONE_CHILDREN, -}; - /* Check if a mount is a cgroup hierarchy for any subsystem. * Return the first subsystem found (or NULL if none). */ 
@@ -93,22 +89,27 @@ static char *mount_has_subsystem(const struct mntent *mntent) /* * get_init_cgroup: get the cgroup init is in. - * dsg: preallocated buffer to put the output in - * subsystem: the exact cgroup subsystem to look up - * mntent: a mntent (from getmntent) whose mntopts contains the - * subsystem to look up. + * @subsystem: the exact cgroup subsystem to look up (I.e. "freezer") + * @mntent: a mntent (from getmntent) whose mntopts contains the subsystem to + * look up. + * @dsg: preallocated buffer of at least size MAXPATHLEN in which the path will + * be copied. + * @prependslash: if 1, the path will have a '/' prepended for easy of use by + * the caller. * * subsystem and mntent can both be NULL, in which case we return * the first entry in /proc/1/cgroup. * - * Returns a pointer to the answer, which may be "". + * Returns a pointer to the answer (which is just the passed-in @dsg), which + * may be "". */ static char *get_init_cgroup(const char *subsystem, struct mntent *mntent, -char *dsg) +char *dsg, int prependslash) { FILE *f; char *c, *c2; char line[MAXPATHLEN]; + int ret; *dsg = '\0'; f = fopen("/proc/1/cgroup", "r"); @@ -134,10 +135,18 @@ static char *get_init_cgroup(const char *subsystem, struct mntent *mntent, good: DEBUG("get_init_cgroup: found init cgroup for subsys %s at %s\n", subsystem, c2); - strncpy(dsg, c2, MAXPATHLEN); - c = &dsg[strlen(dsg)-1]; + ret = snprintf(dsg, MAXPATHLEN, "%s%s", prependslash ? "/" : "", c2); + if (ret < 0 || ret >= MAXPATHLEN) { + WARN("init cgroup path name was too long."); +
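Review bot: in the `get_init_cgroup` hunk the rewritten doc comment has `I.e. "freezer"` (should be `e.g.`) and `for easy of use` (`ease of use`). The new `snprintf(dsg, MAXPATHLEN, ...)` length check is the right replacement for the old unchecked `strncpy`; the hunk is cut off right after the `WARN`, so please make sure that branch leaves `dsg` empty (the documented `""` result) or returns an error rather than continuing with a truncated path.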
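As an added example of the two ideas in the commit message, not code from this patch or from LXC: `cgroup_path_for_subsys()` parses the /proc/<pid>/cgroup format that get_init_cgroup() reads (matching a controller name exactly within a comma-separated list, with a bounded output buffer), and `pick_unique_cgroup_name()` implements the r1, r1-1, r1-2 naming scheme against a caller-supplied exists() callback. The sample /proc/1/cgroup text and the list of existing names are constructed; the value of MAXPATHLEN is assumed here.

```c
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN 4096   /* LXC's name; the value is assumed for this example */

/* Return the cgroup path recorded for `subsys` in a /proc/<pid>/cgroup text
 * ("hierarchy-ID:controller-list:path" per line). Controller lists are comma
 * separated, so "cpu" must not match "cpuacct" or "cpuset". The path is
 * copied into dsg (at most len bytes) and dsg is returned; NULL means the
 * subsystem is absent or the path would not fit, and dsg is then "". */
char *cgroup_path_for_subsys(const char *proc_cgroup, const char *subsys,
                             char *dsg, size_t len)
{
    size_t sublen = strlen(subsys);
    const char *line = proc_cgroup;

    dsg[0] = '\0';
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        const char *c1 = memchr(line, ':', linelen);
        const char *c2 = c1 ? memchr(c1 + 1, ':', linelen - (size_t)(c1 + 1 - line)) : NULL;
        const char *p = c2 ? c1 + 1 : NULL;

        while (p && p < c2) {                 /* walk the controller list */
            const char *comma = memchr(p, ',', (size_t)(c2 - p));
            const char *end = comma ? comma : c2;
            if ((size_t)(end - p) == sublen && memcmp(p, subsys, sublen) == 0) {
                size_t plen = (size_t)(line + linelen - (c2 + 1));
                if (plen >= len)
                    return NULL;              /* refuse to hand back a truncated path */
                memcpy(dsg, c2 + 1, plen);
                dsg[plen] = '\0';
                return dsg;
            }
            p = end + 1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return NULL;
}

/* Callback answering "does a cgroup with this name already exist?"; in LXC
 * that would be a stat() under /sys/fs/cgroup/<subsys>/lxc/. */
typedef int (*cgroup_exists_fn)(const char *name, void *ctx);

/* Choose base, base-1, base-2, ... (the scheme the commit message describes)
 * instead of moving an existing directory aside. Returns 0 with the chosen
 * name in out, -1 if nothing fits in out or the search limit is hit. */
int pick_unique_cgroup_name(const char *base, cgroup_exists_fn exists,
                            void *ctx, char *out, size_t outlen)
{
    int i;
    for (i = 0; i < 1000; i++) {              /* bounded: a full tree must not spin forever */
        int n = i == 0 ? snprintf(out, outlen, "%s", base)
                       : snprintf(out, outlen, "%s-%d", base, i);
        if (n < 0 || (size_t)n >= outlen)
            return -1;
        if (!exists(out, ctx))
            return 0;
    }
    return -1;
}

/* Constructed data standing in for the real filesystem and /proc/1/cgroup. */
const char *const SAMPLE_EXISTING[] = { "r1", "r1-1", "web", NULL };

int sample_exists(const char *name, void *ctx)
{
    const char *const *list = ctx;
    for (; *list; list++)
        if (strcmp(*list, name) == 0)
            return 1;
    return 0;
}

const char SAMPLE_PROC_CGROUP[] =
    "5:cpuset:/\n"
    "4:cpu,cpuacct:/lxc/r1\n"
    "3:freezer:/lxc/r1\n"
    "2:name=systemd:/user/1000.user/1.session\n"
    "1:memory:/\n";

int main(void)
{
    char path[MAXPATHLEN], name[64];
    const char *subsys[] = { "cpu", "cpuacct", "freezer", "blkio" };
    size_t i;

    for (i = 0; i < sizeof subsys / sizeof subsys[0]; i++)
        printf("%-8s -> %s\n", subsys[i],
               cgroup_path_for_subsys(SAMPLE_PROC_CGROUP, subsys[i], path, sizeof path)
                   ? path : "(not mounted)");
    if (pick_unique_cgroup_name("r1", sample_exists, (void *)SAMPLE_EXISTING, name, sizeof name) == 0)
        printf("next free name for r1: %s\n", name);
    return 0;
}
```

The exact-match scan matters because "cpu" is a prefix of both "cpuacct" and "cpuset"; a substring search would attach to the wrong hierarchy. The bounded loop in `pick_unique_cgroup_name()` is the defensive counterpart of the naming scheme: a directory that has been filled with r1-N entries should make container start fail, not hang.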
Re: [lxc-devel] [PATCH 0/3] lxc-attach: Additional improvements
Quoting Christian Seiler (christ...@iwakd.de):
> Hi,
>
> I've attached three additional patches for possible improvements to
> lxc-attach.
>
> The first two I think should be applied directly, they do the
> following:
>
> 1) Create a sane fallback to /bin/sh if it is impossible to detect
>    the container's shell because of incompatible nss implementations
>    between host and container
>
> 2) Detect the user & group id of PID 1 and use that for lxc-attach
>    instead of root, when attaching to user namespaces.
>
> The third patch I'm not really sure about the security implications of,
> so I'm sending it as a draft, but somebody who knows more about the
> specifics should look over it.
>
> 3) Add -u and -g options to lxc-attach to allow the user to specify
>    user and group ids to setuid()/setgid() to when attaching.
>
> This feature could be really useful, on the other hand, I have
> only ever used lxc running as root (never tried lxc-setcap), so I
> have no idea if this could pose a potential security problem or
> not. (When running as root, you have all the rights anyway, so
> then it's fine.) I'd like some feedback on this before I feel
> comfortable signing off on adding these options.
>
> Now if somebody tells me that attach is only possible as root
> anyway so far, then I don't have any qualms, but I'd rather be
> safe than sorry.

It *should* be safe. You can only attach to namespaces to which you
have CAP_SYS_ADMIN, and in there you can only setuid to uids which are
valid in that namespace. That said, it's not impossible that there
would be subtle implications I've not considered. Let's see what others
think.

-serge

--
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] lxc-attach: NSS handling
Quoting Christian Seiler (christ...@iwakd.de):
> Hi there,
>
> I've run into the problem multiple times now that lxc-attach can't
> detect the default shell of my current user properly, since the NSS
> implementations of host and container are incompatible.
>
> One of the patches I just sent to the list mitigates that by having a
> fallback - use /bin/sh. The only trouble is that calling any modern
> shell as /bin/sh will usually not result in a very user-friendly interface.
>
> So my idea would actually be to introduce an additional fallback: glibc
> comes with an additional binary getent(1) that allows one to query the
> NSS directly. If getpwuid() doesn't work directly, lxc-attach could
> spawn "getent passwd %d" and parse the output to figure out the correct
> login shell of the user. That will also not work in all cases, but then
> we may still fall back on /bin/sh as a last resort.
>
> Do you think implementing that is worthwhile?

Yes. So if you resend the patchset, I'd suggest this patch first, the
/bin/sh as default one second, setuids ones next...

(Btw, do you have a github tree? Reviewing/acking patches is easier on
the list, but for actually pushing patches to staging, going from github
tree is much nicer)

-serge
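The fallback chain Christian describes above (getpwuid(), then "getent passwd <uid>", then /bin/sh), written out as an added C example that is not part of lxc or of any patch in this thread. The function names shell_from_passwd_line and detect_shell are hypothetical, and the passwd lines used for checking are constructed.

```c
/* Added example (not lxc code): shell-detection fallback from the thread:
 * getpwuid(), then "getent passwd <uid>", then /bin/sh. Names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <string.h>
/* Copy the 7th colon-separated field (login shell) of a passwd line
 * into out. Returns 0 on success, -1 if the line is malformed or too long. */
int shell_from_passwd_line(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    /* skip the first six fields: name:passwd:uid:gid:gecos:home */
    for (int field = 0; field < 6; field++) {
        p = strchr(p, ':');
        if (!p)
            return -1;
        p++;
    }
    /* copy the shell field, dropping a trailing newline */
    size_t n = strcspn(p, ":\n");
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}
/* Resolve the login shell for uid: getpwuid() first, then the getent(1)
 * helper (a separate process, so it uses whatever NSS stack it can load),
 * then /bin/sh as the last resort. */
const char *detect_shell(uid_t uid, char *out, size_t outlen)
{
    struct passwd *pw = getpwuid(uid);
    if (pw && pw->pw_shell && *pw->pw_shell && strlen(pw->pw_shell) < outlen) {
        strcpy(out, pw->pw_shell);
        return out;
    }
    char cmd[64], line[1024];
    snprintf(cmd, sizeof(cmd), "getent passwd %lu", (unsigned long)uid);
    FILE *f = popen(cmd, "r");
    if (f) {
        int ok = fgets(line, sizeof(line), f) != NULL;
        pclose(f);
        if (ok && shell_from_passwd_line(line, out, outlen) == 0)
            return out;
    }
    /* last resort: a POSIX shell is always present */
    snprintf(out, outlen, "/bin/sh");
    return out;
}
```

In lxc-attach the lookup would run after entering the container's namespaces, so getent resolves against the container's NSS configuration; run stand-alone, the example resolves against the host's.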
Re: [lxc-devel] [PATCH 1/6] lxc-destroy: add --lxc-path argument
On 03/04/2013 03:43 PM, Serge Hallyn wrote: > Signed-off-by: Serge Hallyn Do we need a similar update to the manpage or is it using the common options include? Acked-by: Stéphane Graber > --- > src/lxc/lxc-destroy.in | 20 +--- > 1 file changed, 13 insertions(+), 7 deletions(-) > > diff --git a/src/lxc/lxc-destroy.in b/src/lxc/lxc-destroy.in > index 6464e52..1c68f9d 100644 > --- a/src/lxc/lxc-destroy.in > +++ b/src/lxc/lxc-destroy.in > @@ -26,7 +26,7 @@ > # > > usage() { > -echo "usage: $(basename $0) -n NAME [-f]" >&2 > +echo "usage: $(basename $0) -n NAME [-f] [-P lxcpath]" >&2 > } > > help() { > @@ -35,8 +35,9 @@ help() { > echo "Remove an existing container on the system." >&2 > echo >&2 > echo "Options:" >&2 > -echo " -n NAME specify the name of the container" >&2 > -echo " -fstop the container if it is running (rather than > abort)" >&2 > +echo " -n NAMEspecify the name of the container" >&2 > +echo " -f stop the container if it is running (rather than > abort)" >&2 > +echo " -P lxcpath container is in specified lxcpath" >&2 > } > > usage_err() { > @@ -67,6 +68,11 @@ while [ $# -gt 0 ]; do > lxc_name=$1 > shift > ;; > +-P|--lxcpath) > +optarg_check "$opt" "$1" > +lxc_path=$1 > +shift > +;; > -f) > force=1 > ;; 
> @@ -104,12 +110,12 @@ if [ ! -d "$lxc_path/$lxc_name" ]; then > fi > > # make sure the container is stopped > -if ! lxc-info -n $lxc_name --state-is "STOPPED"; then > +if ! lxc-info -n $lxc_name -P $lxc_path --state-is "STOPPED"; then > if [ $force -eq 1 ]; then > -lxc-stop -n $lxc_name > -lxc-wait -n $lxc_name -s STOPPED > +lxc-stop -P $lxc_path -n $lxc_name > +lxc-wait -P $lxc_path -n $lxc_name -s STOPPED > else > -echo "$(basename $0): '$lxc_name' $(lxc-info -n $lxc_name -s); > aborted" >&2 > +echo "$(basename $0): '$lxc_name' $(lxc-info -P $lxc_path -n > $lxc_name -s); aborted" >&2 > exit 1 > fi > fi > -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
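Review bot: the option-parsing hunk adds `-P|--lxcpath)` and stores the value with `lxc_path=$1`, but the subject line calls the option `--lxc-path` and the help hunk documents only the short form `-P lxcpath`; settle on one spelling across the subject, the help text and the man page, and list the long form in the help line as the usage line does for `-n NAME`.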
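Review bot: in the stop/wait hunk `$lxc_path` and `$lxc_name` are expanded unquoted in `lxc-info -n $lxc_name -P $lxc_path --state-is "STOPPED"`, `lxc-stop -P $lxc_path -n $lxc_name` and `lxc-wait -P $lxc_path -n $lxc_name -s STOPPED`, so a path containing whitespace or glob characters is split into extra arguments; with -f the exit status of lxc-stop and lxc-wait is never checked, so the script would carry on after both failed. The directory test in the hunk header already quotes `"$lxc_path/$lxc_name"`; quote the new invocations the same way, e.g. `lxc-info -n "$lxc_name" -P "$lxc_path" --state-is "STOPPED"`.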
Re: [lxc-devel] [PATCH 2/6] af_unix: make sure to keep useful errno
On 03/04/2013 03:43 PM, Serge Hallyn wrote: > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- > src/lxc/af_unix.c | 6 ++ > 1 file changed, 6 insertions(+) > > diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c > index 2a34828..f6c65fb 100644 > --- a/src/lxc/af_unix.c > +++ b/src/lxc/af_unix.c > @@ -56,12 +56,16 @@ int lxc_af_unix_open(const char *path, int type, int > flags) > path[0]?strlen(path):sizeof(addr.sun_path)); > > if (bind(fd, (struct sockaddr *)&addr, sizeof(addr))) { > + int tmp = errno; > close(fd); > + errno = tmp; > return -1; > } > > if (type == SOCK_STREAM && listen(fd, 100)) { > + int tmp = errno; > close(fd); > + errno = tmp; > return -1; > } > > @@ -99,7 +103,9 @@ int lxc_af_unix_connect(const char *path) > path[0]?strlen(path):sizeof(addr.sun_path)); > > if (connect(fd, (struct sockaddr *)&addr, sizeof(addr))) { > + int tmp = errno; > close(fd); > + errno = tmp; > return -1; > } > > -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
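Review bot: the commit message is empty apart from the Signed-off-by; it should say why errno is saved around close() in the bind(), listen() and connect() failure paths (close() can overwrite errno, so a caller that logs with SYSERROR after the -1 return would otherwise report the wrong reason for the socket failure). The `int tmp = errno; close(fd); errno = tmp;` sequence now appears three times in af_unix.c; a small static helper, say close_keep_errno(fd), would keep the three paths from drifting apart.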
Re: [lxc-devel] [PATCH 3/6] userns: handle delayed write errors at fclose
On 03/04/2013 03:43 PM, Serge Hallyn wrote: > As Kees pointed out, write() errors can be delayed and returned as > close() errors. So don't ignore error on close when writing the > userns id mapping. > > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- > src/lxc/conf.c | 10 ++ > 1 file changed, 6 insertions(+), 4 deletions(-) > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 04ab8b8..7d70c97 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -2447,7 +2447,7 @@ int lxc_assign_network(struct lxc_list *network, pid_t > pid) > int add_id_mapping(enum idtype idtype, pid_t pid, uid_t host_start, uid_t > ns_start, int range) > { > char path[PATH_MAX]; > - int ret; > + int ret, closeret; > FILE *f; > > ret = snprintf(path, PATH_MAX, "/proc/%d/%cid_map", pid, idtype == > ID_TYPE_UID ? 'u' : 'g'); > @@ -2462,9 +2462,11 @@ int add_id_mapping(enum idtype idtype, pid_t pid, > uid_t host_start, uid_t ns_sta > } > ret = fprintf(f, "%d %d %d", ns_start, host_start, range); > if (ret < 0) > - perror("write"); > - fclose(f); > - return ret < 0 ? ret : 0; > + SYSERROR("writing id mapping"); > + closeret = fclose(f); > + if (closeret) > + SYSERROR("writing id mapping"); > + return ret < 0 ? ret : closeret; > } > > int lxc_map_ids(struct lxc_list *idmap, pid_t pid) > -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
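Review bot: both SYSERROR() calls in the add_id_mapping hunk log the identical string "writing id mapping", so a failure surfacing at fclose() cannot be told apart in the log from one at fprintf(); make the second one say "closing id mapping" (or include the /proc path). The fclose() check is the important one here: fprintf() into a stdio stream is buffered, so the single write() to /proc/<pid>/uid_map or gid_map that the kernel validates normally happens inside fclose(), and before this patch an invalid or unprivileged mapping was reported as success. The commit message explains the delayed-error mechanism well; it would be worth adding that the return value is now negative on a close failure too, since callers checking `ret < 0` must treat closeret the same way.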
Re: [lxc-devel] [PATCH 4/6] c api -> createl: correctly handle 0 template args
On 03/04/2013 03:43 PM, Serge Hallyn wrote: > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- > src/lxc/lxccontainer.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c > index bcfc8b6..3eaf41e 100644 > --- a/src/lxc/lxccontainer.c > +++ b/src/lxc/lxccontainer.c > @@ -692,7 +692,8 @@ static bool lxcapi_createl(struct lxc_container *c, char > *t, ...) > args[nargs - 1] = arg; > } > va_end(ap); > - args[nargs] = NULL; > + if (args) > + args[nargs] = NULL; > > bret = c->create(c, t, args); > > -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
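Review bot: the `if (args)` guard in lxcapi_createl avoids the NULL dereference in `args[nargs] = NULL` when no template arguments are passed and args stays NULL, but `bret = c->create(c, t, args)` is then reached with a NULL argv; the hunk does not show whether create() tolerates that, so either confirm it does or pass a one-element array holding NULL instead. The commit message should also state the crash this fixes, since the two-line diff does not explain it on its own.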
Re: [lxc-devel] [PATCH 5/6] c api: send lxcpath to destroy command
On 03/04/2013 03:43 PM, Serge Hallyn wrote: > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- > src/lxc/lxccontainer.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c > index 3eaf41e..404f60a 100644 > --- a/src/lxc/lxccontainer.c > +++ b/src/lxc/lxccontainer.c > @@ -791,7 +791,7 @@ static bool lxcapi_destroy(struct lxc_container *c) > if (pid < 0) > return false; > if (pid == 0) { // child > - ret = execlp("lxc-destroy", "lxc-destroy", "-n", c->name, NULL); > + ret = execlp("lxc-destroy", "lxc-destroy", "-n", c->name, "-P", > c->config_path, NULL); > perror("execl"); > exit(1); > } > -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
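Review bot: `execlp("lxc-destroy", "lxc-destroy", "-n", c->name, "-P", c->config_path, NULL)` ends its argument list at the first NULL pointer, so if c->config_path can ever be NULL the child runs `lxc-destroy -n NAME -P` with no path value and the script's optarg_check rejects it; add a check before the fork, or only pass "-P" when config_path is set. Minor: the `perror("execl")` on the next line names the wrong function and should say "execlp".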
Re: [lxc-devel] [PATCH 1/6] lxc-destroy: add --lxc-path argument
Quoting Stéphane Graber (stgra...@ubuntu.com):
> On 03/04/2013 03:43 PM, Serge Hallyn wrote:
> > Signed-off-by: Serge Hallyn
>
> Do we need a similar update to the manpage or is it using the common
> options include?

It's in the list of common options, but it looks like that list is not
being included in lxc-destroy. As well it shouldn't, since -o and -l are
not supported. So yeah that needs to be added.

-serge
[lxc-devel] Fwd: Re: lxc-attach: NSS handling
Sorry, I forgot to post to the list...

 Original Message 
Subject: Re: [lxc-devel] lxc-attach: NSS handling
Date: Tue, 05 Mar 2013 00:01:55 +0100
From: Christian Seiler
To: Serge Hallyn

Hi Serge,

> So if you resend the patchset, I'd suggest this patch first, the
> /bin/sh as default one second, setuids ones next...

I've implemented the use of 'getent', which now makes my life a LOT
easier (I have quite a few containers lying around with incompatible nss
versions) and then manually rebased the previous patches.

> (Btw, do you have a github tree? Reviewing/acking patches is easier
> on the list, but for actually pushing patches to staging, going from
> github tree is much nicer)

I've pushed my patches to:

https://github.com/chris-se/lxc/tree/attach-fixes-1

I've excluded the -u/-g patch for now (I realized that I should probably
include a man page update anyway), but the rest is in there. Do you want
me to send a pull request?

Regards,
Christian
[lxc-devel] [PATCH] lxc-destroy man page: document --lxcpath option
Signed-off-by: Serge Hallyn --- doc/lxc-destroy.sgml.in | 9 + 1 file changed, 9 insertions(+) diff --git a/doc/lxc-destroy.sgml.in b/doc/lxc-destroy.sgml.in index fe06f52..a6431e0 100644 --- a/doc/lxc-destroy.sgml.in +++ b/doc/lxc-destroy.sgml.in @@ -83,6 +83,15 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + -P, --lxcpath=PATH + + + Use an alternate container path. The default is @LXCPATH@. + + + + -- 1.8.1.2