[lxc-devel] [PATCH v2] lxc-busybox: check when bind-mounting host libdirs
The patch removes the behavior of automatically mounting /lib and /usr/lib, since this is duplicated a few lines below. It will also remove the risk of failing when one of these entries are not present on the host - e.g. on a 64bit machine. Signed-off-by: Bogdan Purcareata --- templates/lxc-busybox.in | 7 --- 1 file changed, 7 deletions(-) diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in index cb425ec..783e8d6 100644 --- a/templates/lxc-busybox.in +++ b/templates/lxc-busybox.in @@ -240,13 +240,6 @@ lxc.pts = 1 #lxc.aa_profile = unconfined EOF -if [ -d "$rootfs/lib" ]; then -cat <> $path/config -lxc.mount.entry = /lib $rootfs/lib none ro,bind 0 0 -lxc.mount.entry = /usr/lib $rootfs/usr/lib none ro,bind 0 0 -EOF -fi - libdirs="\ lib \ usr/lib \ -- 1.7.11.7 -- AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
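Review bot: the removed `if [ -d "$rootfs/lib" ]` block keyed both bind mounts on the rootfs having /lib and never checked /usr/lib on its own, which is the 64-bit failure the commit message describes, so dropping it in favour of the `libdirs="lib usr/lib ..."` list that follows is the right fix; the one thing to confirm is that the loop consuming libdirs tests each directory on the host and in the rootfs individually before emitting its `lxc.mount.entry`, otherwise the same failure just moves down the file. On the entries themselves, a single bind mount(2) call ignores MS_RDONLY, so `ro,bind` lines only end up read-only because lxc's mount-entry code follows up with an MS_REMOUNT|MS_BIND pass; worth keeping in mind whenever host library directories are exposed to a container this way.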
Re: [lxc-devel] create api
Quoting Dwight Engen (dwight.en...@oracle.com):
> On Tue, 14 May 2013 14:13:45 -0500
> Serge Hallyn wrote:
>
> > Hi,
> >
> > I'd like to rewrite lxc-create to be c (calling out to the c templates
> > which continue to be scripts for the most part). Unfortunately right
> > now the lxcapi_create() just takes arguments to send to the lxc-create
> > script.
> >
> > I could either dump the existing lxcapi_create function, replace it
> > with something close to the lxcapi_clone, and update the current
> > callers, or I can write a new function lxcapi_create2, keeping
> > lxcapi_create() as calling the c program (which then calls
> > lxcapi_create2 :).
> >
> > The only reason to go with lxcapi_create2 would be for out of tree
> > callers (which includes the go bindings). Since we're not at 1.0 yet
> > we don't guarantee anything about api stability (for exactly this
> > reason), but I thought I'd ask anyway what you all thought.
>
> I'd vote for trying to keep the API as clean as possible until 1.0, but

Sorry, I'm not sure on this - by clean do you mean clean it up, or do
you mean keep it unchanged?

> then I don't have an out of tree caller to update. This brings up a
> question though, with 1.0 we are going to consider stable the
> lxcapi_* routines only and not all symbols available from liblxc.so,
> correct?
>
> > -serge
Re: [lxc-devel] [PATCH v2] lxc-busybox: check when bind-mounting host libdirs
Quoting Bogdan Purcareata (bogdan.purcare...@freescale.com): > The patch removes the behavior of automatically mounting /lib > and /usr/lib, since this is duplicated a few lines below. It will > also remove the risk of failing when one of these entries are not > present on the host - e.g. on a 64bit machine. > > Signed-off-by: Bogdan Purcareata Acked-by: Serge E. Hallyn Thanks! > --- > templates/lxc-busybox.in | 7 --- > 1 file changed, 7 deletions(-) > > diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in > index cb425ec..783e8d6 100644 > --- a/templates/lxc-busybox.in > +++ b/templates/lxc-busybox.in > @@ -240,13 +240,6 @@ lxc.pts = 1 > #lxc.aa_profile = unconfined > EOF > > -if [ -d "$rootfs/lib" ]; then > -cat <> $path/config > -lxc.mount.entry = /lib $rootfs/lib none ro,bind 0 0 > -lxc.mount.entry = /usr/lib $rootfs/usr/lib none ro,bind 0 0 > -EOF > -fi > - > libdirs="\ > lib \ > usr/lib \ > -- > 1.7.11.7 > > > > -- > AlienVault Unified Security Management (USM) platform delivers complete > security visibility with the essential security capabilities. Easily and > efficiently configure, manage, and operate all of your security controls > from a single console and one unified framework. Download a free trial. > http://p.sf.net/sfu/alienvault_d2d > ___ > Lxc-devel mailing list > Lxc-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/lxc-devel -- AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] create api
On Wed, 15 May 2013 08:56:27 -0500
Serge Hallyn wrote:

> Quoting Dwight Engen (dwight.en...@oracle.com):
> > On Tue, 14 May 2013 14:13:45 -0500
> > Serge Hallyn wrote:
> >
> > > Hi,
> > >
> > > I'd like to rewrite lxc-create to be c (calling out to the c
> > > templates which continue to be scripts for the most part).
> > > Unfortunately right now the lxcapi_create() just takes arguments
> > > to send to the lxc-create script.
> > >
> > > I could either dump the existing lxcapi_create function, replace
> > > it with something close to the lxcapi_clone, and update the
> > > current callers, or I can write a new function lxcapi_create2,
> > > keeping lxcapi_create() as calling the c program (which then calls
> > > lxcapi_create2 :).
> > >
> > > The only reason to go with lxcapi_create2 would be for out of tree
> > > callers (which includes the go bindings). Since we're not at 1.0
> > > yet we don't guarantee anything about api stability (for exactly
> > > this reason), but I thought I'd ask anyway what you all thought.
> >
> > I'd vote for trying to keep the API as clean as possible until 1.0,
> > but
>
> Sorry, I'm not sure on this - by clean do you mean clean it up, or do
> you mean keep it unchanged?

Sorry I wasn't clear: I mean change it so as to keep the API clean and
consistent (ie. don't make an lxcapi_create2, just change lxcapi_create
until 1.0).

> > then I don't have an out of tree caller to update. This brings up a
> > question though, with 1.0 we are going to consider stable the
> > lxcapi_* routines only and not all symbols available from liblxc.so,
> > correct?
> >
> > > -serge
[lxc-devel] [RFC PATCH] lxc: add clone hook.
Add a clone hook called from api_clone. Pass arguments to it from lxc_clone.c. The clone update hook is called while the container's bdev is mounted. Information about the container is passed in through environment variables LXC_ROOTFS_PATH, LXC_NAME, The LXC_ROOTFS_MOUNT, and LXC_CONFIG_FILE. LXC_ROOTFS_MOUNT=/usr/lib/x86_64-linux-gnu/lxc LXC_CONFIG_FILE=/var/lib/lxc/demo3/config LXC_ROOTFS_PATH=/var/lib/lxc/demo3/rootfs LXC_NAME=demo3 So from the hook, updates to the container should be made under $LXC_ROOTFS_MOUNT/ . The hook also receives command line arguments as follows: First argument is container name, second is always 'lxc', third is the hook name (always clone), then come the arguments which were passed to lxc-clone. I.e. when I did: sudo lxc-clone demo2 demo3 -- hey there dude the arguments passed in were "demo3 lxc clone hey there dude" I personally would like to drop the first two arguments. The name is available as $LXC_NAME, and the section argument ('lxc') is meaningless. However, doing so risks invalidating existing hooks. Soon analogous create and destroy hooks will be added as well. Signed-off-by: Serge Hallyn --- src/lxc/conf.c | 63 +- src/lxc/conf.h | 4 ++-- src/lxc/confile.c | 3 +++ src/lxc/lxc_clone.c| 16 ++--- src/lxc/lxccontainer.c | 55 ++- src/lxc/lxccontainer.h | 2 +- src/lxc/start.c| 6 ++--- 7 files changed, 113 insertions(+), 36 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 746a2db..61e45b1 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -173,7 +173,7 @@ return -1; #endif char *lxchook_names[NUM_LXC_HOOKS] = { - "pre-start", "pre-mount", "mount", "autodev", "start", "post-stop" }; + "pre-start", "pre-mount", "mount", "autodev", "start", "post-stop", "clone" }; typedef int (*instanciate_cb)(struct lxc_handler *, struct lxc_netdev *); 
@@ -336,6 +336,55 @@ static int run_buffer(char *buffer) return 0; } +static int run_script_argv(const char *name, const char *section, + const char *script, const char *hook, char **argsin) +{ + int ret, i; + char *buffer; + size_t size = 0; + + INFO("Executing script '%s' for container '%s', config section '%s'", +script, name, section); + + for (i=0; argsin && argsin[i]; i++) + size += strlen(argsin[i]) + 1; + + size += strlen(hook) + 1; + + size += strlen(script); + size += strlen(name); + size += strlen(section); + size += 3; + + if (size > INT_MAX) + return -1; + + buffer = alloca(size); + if (!buffer) { + ERROR("failed to allocate memory"); + return -1; + } + + ret = snprintf(buffer, size, "%s %s %s %s", script, name, section, hook); + if (ret < 0 || ret >= size) { + ERROR("Script name too long"); + return -1; + } + + for (i=0; argsin && argsin[i]; i++) { + int len = size-ret; + int rc; + rc = snprintf(buffer + ret, len, " %s", argsin[i]); + if (rc < 0 || rc >= len) { + ERROR("Script args too long"); + return -1; + } + ret += rc; + } + + return run_buffer(buffer); +} + static int run_script(const char *name, const char *section, const char *script, ...) { @@ -2752,7 +2801,7 @@ int lxc_setup(const char *name, struct lxc_conf *lxc_conf) return -1; } - if (run_lxc_hooks(name, "pre-mount", lxc_conf)) { + if (run_lxc_hooks(name, "pre-mount", lxc_conf, NULL)) { ERROR("failed to run pre-mount hooks for container '%s'.", name); return -1; } @@ -2779,13 +2828,13 @@ int lxc_setup(const char *name, struct lxc_conf *lxc_conf) return -1; } - if (run_lxc_hooks(name, "mount", lxc_conf)) { + if (run_lxc_hooks(name, "mount", lxc_conf, NULL)) { ERROR("failed to run mount hooks for container '%s'.", name); return -1; } if (lxc_conf->autodev) { - if (run_lxc_hooks(name, "autodev", lxc_conf)) { + if (run_lxc_hooks(name, "autodev", lxc_conf, NULL)) { ERROR("failed to run autodev hooks for container '%s'.", name); return -1; } 
@@ -2852,7 +2901,7 @@ int lxc_setup(const char *name, struct lxc_conf *lxc_conf) return 0; } -int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf) +int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf, char *argv[]) { int which = -1; struct lxc_list *it; @@ -2869,12 +2918,14 @@ int run_lxc_hooks(const char *name, char *hook, st
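Review bot: in the `lxchook_names[NUM_LXC_HOOKS]` hunk a seventh initializer, "clone", is added to an array whose size comes from NUM_LXC_HOOKS in conf.h; the conf.h change is in the diffstat but not in view here, and if that constant is not raised to 7, GCC only emits an "excess elements in array initializer" warning and the new name is silently dropped, so run_lxc_hooks would never match the clone hook. Please make sure the conf.h hunk bumps the constant and that the lxc.hook.* parsing in confile.c uses the same bound.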
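Review bot: in run_script_argv, `buffer = alloca(size)` followed by `if (!buffer)` is a dead check (alloca does not report failure), and size here is driven by whatever the user typed after `--` on the lxc-clone command line, so a long argument list grows the stack unchecked; the `size > INT_MAX` guard does not bound that. Use malloc/free or cap the total. Second, the arguments are flattened into one space-joined string before being handed to run_buffer, so argument boundaries are lost: an argument containing whitespace or shell metacharacters is re-tokenized or interpreted when that string is executed, and the hook cannot distinguish `hey there` from a single `"hey there"`. Passing them through the environment, or quoting each piece, avoids that. Minor: `int len = size-ret;` mixes size_t and int; make len a size_t and compare rc against it only after the `rc < 0` check.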
Re: [lxc-devel] [RFC PATCH] lxc: add clone hook.
On 05/15/2013 10:23 AM, Serge Hallyn wrote:
> Add a clone hook called from api_clone. Pass arguments to it from
> lxc_clone.c.
>
> The clone update hook is called while the container's bdev is mounted.
> Information about the container is passed in through environment
> variables LXC_ROOTFS_PATH, LXC_NAME, The LXC_ROOTFS_MOUNT, and
> LXC_CONFIG_FILE.
>
> LXC_ROOTFS_MOUNT=/usr/lib/x86_64-linux-gnu/lxc
> LXC_CONFIG_FILE=/var/lib/lxc/demo3/config
> LXC_ROOTFS_PATH=/var/lib/lxc/demo3/rootfs
> LXC_NAME=demo3
>
> So from the hook, updates to the container should be made under
> $LXC_ROOTFS_MOUNT/ .
>
> The hook also receives command line arguments as follows:
> First argument is container name, second is always 'lxc', third
> is the hook name (always clone), then come the arguments which
> were passed to lxc-clone. I.e. when I did:
>
> sudo lxc-clone demo2 demo3 -- hey there dude
>
> the arguments passed in were "demo3 lxc clone hey there dude"
>
> I personally would like to drop the first two arguments. The
> name is available as $LXC_NAME, and the section argument ('lxc')
> is meaningless. However, doing so risks invalidating existing
> hooks.
>
> Soon analogous create and destroy hooks will be added as well.

I think I'd have preferred storing the command arguments in
LXC_CLONE_ARGS instead of directly in argv. Doing so would allow us to
remove/add other arguments without breaking all existing hooks.

The user could then do "set -- $LXC_CLONE_ARGS" and just use $1... as usual.

But I'm not horribly opposed to the proposed implementation and the rest
looks good.

Acked-by: Stéphane Graber

> Signed-off-by: Serge Hallyn
> ---
>  src/lxc/conf.c         | 63 +-
>  src/lxc/conf.h         |  4 ++--
>  src/lxc/confile.c      |  3 +++
>  src/lxc/lxc_clone.c    | 16 ++---
>  src/lxc/lxccontainer.c | 55 ++-
>  src/lxc/lxccontainer.h |  2 +-
>  src/lxc/start.c        |  6 ++---
>  7 files changed, 113 insertions(+), 36 deletions(-)
>
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 746a2db..61e45b1 100644
> --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -173,7 +173,7 @@ return -1; > #endif > > char *lxchook_names[NUM_LXC_HOOKS] = { > - "pre-start", "pre-mount", "mount", "autodev", "start", "post-stop" }; > + "pre-start", "pre-mount", "mount", "autodev", "start", "post-stop", > "clone" }; > > typedef int (*instanciate_cb)(struct lxc_handler *, struct lxc_netdev *); > > @@ -336,6 +336,55 @@ static int run_buffer(char *buffer) > return 0; > } > > +static int run_script_argv(const char *name, const char *section, > + const char *script, const char *hook, char **argsin) > +{ > + int ret, i; > + char *buffer; > + size_t size = 0; > + > + INFO("Executing script '%s' for container '%s', config section '%s'", > + script, name, section); > + > + for (i=0; argsin && argsin[i]; i++) > + size += strlen(argsin[i]) + 1; > + > + size += strlen(hook) + 1; > + > + size += strlen(script); > + size += strlen(name); > + size += strlen(section); > + size += 3; > + > + if (size > INT_MAX) > + return -1; > + > + buffer = alloca(size); > + if (!buffer) { > + ERROR("failed to allocate memory"); > + return -1; > + } > + > + ret = snprintf(buffer, size, "%s %s %s %s", script, name, section, > hook); > + if (ret < 0 || ret >= size) { > + ERROR("Script name too long"); > + return -1; > + } > + > + for (i=0; argsin && argsin[i]; i++) { > + int len = size-ret; > + int rc; > + rc = snprintf(buffer + ret, len, " %s", argsin[i]); > + if (rc < 0 || rc >= len) { > + ERROR("Script args too long"); > + return -1; > + } > + ret += rc; > + } > + > + return run_buffer(buffer); > +} > + > static int run_script(const char *name, const char *section, > const char *script, ...) > { > @@ -2752,7 +2801,7 @@ int lxc_setup(const char *name, struct lxc_conf > *lxc_conf) > return -1; > } > > - if (run_lxc_hooks(name, "pre-mount", lxc_conf)) { > + if (run_lxc_hooks(name, "pre-mount", lxc_conf, NULL)) { > ERROR("failed to run pre-mount hooks for container '%s'.", > name); > return -1; > } 
> @@ -2779,13 +2828,13 @@ int lxc_setup(const char *name, struct lxc_conf > *lxc_conf) > return -1; > } > > - if (run_lxc_hooks(name, "mount", lxc_conf)) { > + if (run_lxc_hooks(name, "mount", lxc_conf, NULL)) { > ERROR("failed to run mount hooks for container '%s'.", name); > return -1; > } > > if (lxc_conf->autodev) { > - if (run_lxc_hooks(name, "autodev", lxc_conf)) { > +
Re: [lxc-devel] create api
Hi Serge,

On Tue, May 14, 2013 at 3:13 PM, Serge Hallyn wrote:
> Hi,
>
> I'd like to rewrite lxc-create to be c (calling out to the c templates
> which continue to be scripts for the most part). Unfortunately right
> now the lxcapi_create() just takes arguments to send to the lxc-create
> script.
>
> I could either dump the existing lxcapi_create function, replace it with
> something close to the lxcapi_clone, and update the current callers, or
> I can write a new function lxcapi_create2, keeping lxcapi_create() as
> calling the c program (which then calls lxcapi_create2 :).
>
> The only reason to go with lxcapi_create2 would be for out of tree
> callers (which includes the go bindings). Since we're not at 1.0 yet we
> don't guarantee anything about api stability (for exactly this reason),
> but I thought I'd ask anyway what you all thought.
>

Dumping the existing one and replacing it with something else works for me.
Also I'm not aware of any other user of the go bindings than me. And if there
are, then I guess they shouldn't expect a stable API at this point because of
the reasons that you stated.

> -serge
>

--
S.Çağlar Onur
Re: [lxc-devel] [PATCH] lxc-fedora-template: autodev, hostname, ARM archs, Raspberry Pi fixes
Quoting Michael H. Warfield (m...@wittsend.com):
> This took a lot longer for me to get around to it... Sorry.
>
> Patch to the lxc-fedora template.
>
> I didn't get any further comments from my earlier proposal, weeks ago,
> and did get one addition based on comments about properly setting the
> hostname in /etc/hostname, which I've added. I could have broken them
> into separate patches but most are pretty small and minor.
>
> Changes:
>
> * Map armv6l and armv7l architectures to "arm" for yum and repos to
> function properly.
>
> * Detect Fedora Remix distros with no "/etc/fedora-release" file
> (Raspberry Pi) and find proper release versions when "remix" part of the
> file context.
>
> * Change default Fedora container on non-Fedora hosts to Fedora 17.
>
> * Added code for autodev for Fedora systemd containers.
>
> * Added code to set /etc/hostname for Fedora > 14 (systemd).
>
> * Fix a few typos.
>
> Regards,
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 | m...@wittsend.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 | http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds. A pessimist is sure of it!
> --
>
> Signed-off-by: Michael H. Warfield

Thanks, Michael.

Acked-by: Serge E. Hallyn

>
> ---
> diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in
> index 684bb9c..a828dff 100644
> --- a/templates/lxc-fedora.in
> +++ b/templates/lxc-fedora.in
> @@ -32,12 +32,28 @@ default_path=@LXCPATH@ > root_password=root > > # is this fedora? > -[ -f /etc/fedora-release ] && is_fedora=true > - > -if [ "$arch" = "i686" ]; then > -arch=i386 > +# Alow for weird remixes like the Raspberry Pi > +if [ -e /etc/redhat-release ] > +then > +fedora_host_ver=$( sed -e '/^Fedora /!d' -e > 's/Fedora.*\srelease\s*\([0-9][0-9]*\)\s.*/\1/' < /etc/redhat-release ) > +if [ "$fedora_host_ver" != "" ] > +then > +is_fedora=true > +fi > fi > > +# Map a few architectures to their generic Fedora repository archs. > +# The two ARM archs are a bit of a guesstimate for the v5 and v6 > +# archs. V6 should have hardware floating point (Rasberry Pi). > +# The "arm" arch is safer (no hardware floating point). So > +# there may be cases where we "get it wrong" for some v6 other > +# than RPi. > +case "$arch" in > +i686) arch=i386 ;; > +armv3l|armv4l|armv5l) arch=arm ;; > +armv6l|armv7l|armv8l) arch=armhfp ;; > +esac > + > configure_fedora() > { > > @@ -62,9 +78,15 @@ NETWORKING=yes > HOSTNAME=${name} > EOF > > +# set hostname on systemd Fedora systems > +if [ $release -gt 14 ]; then > +echo "${name}" > ${rootfs_path}/etc/hostname > +fi > + > # set minimal hosts > cat < $rootfs_path/etc/hosts > 127.0.0.1 localhost $name > +::1 localhost6.localdomain6 localhost6 > EOF > > dev_path="${rootfs_path}/dev" > @@ -253,6 +275,8 @@ lxc.tty = 4 > lxc.pts = 1024 > lxc.mount = $config_path/fstab > > +lxc.autodev = $auto_dev > + > # When using LXC with apparmor, uncomment the next line to run unconfined: > #lxc.aa_profile = unconfined 
> > @@ -320,7 +344,7 @@ Mandatory args: > Optional args: >-p,--path path to where the container rootfs will be created, > defaults to @LXCPATH@. The container config will go under @LXCPATH@ in that > case >-c,--cleanclean the cache > - -R,--release Fedora release for the new container. if the host is > Fedora, then it will defaultto the host's release. > + -R,--release Fedora release for the new container. if the host is > Fedora, then it will default to the host's release. >-A,--arch NOT USED YET. Define what arch the container will be > [i686,x86_64] >-h,--help print this help > EOF > @@ -365,7 +389,7 @@ fi > > if [ -n "$needed_pkgs" ]; then > echo "Missing commands: $needed_pkgs" > -echo "Please install these using \"sudo apt-get install $needed_pkgs\"" > +echo "Please install these using \"sudo yum install $needed_pkgs\"" > exit 1 > fi > > @@ -374,14 +398,22 @@ if [ -z "$path" ]; then > fi > > if [ -z "$release" ]; then > -if [ "$is_fedora" ]; then > -release=$(cat /etc/fedora-release |awk '/^Fedora/ {print $3}') > +if [ "$is_fedora" -a "$fedora_host_ver" ]; then > +release=$fedora_host_ver > else > -echo "This is not a fedora host and release missing, defaulting to > 14. use -R|--release to specify release" > -release=14 > +echo "This is not a fedora host and release missing, defaulting to > 17. use -R|--release to specify release" > +release=17 > fi > fi > > +# Fedora 15 and above run systemd. We need autodev enabled to keep > +# systemd from causing problems. > +if [ $release -gt 14 ]; then > +auto_dev="1" > +else > +auto_dev="0" > +fi > + > if [ "$(id -u)" != "0" ]; then > echo "This script
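Review bot: in the @@ -32 hunk, Fedora detection now rests entirely on the sed over /etc/redhat-release matching a line of the form `Fedora ... release N`; a remix whose line is worded differently leaves fedora_host_ver empty and is_fedora unset, which is exactly the kind of host the comment says the hunk is meant to handle. Keeping the old `[ -f /etc/fedora-release ]` test as a fallback costs nothing. Typos in the new comments: `Alow`, `Rasberry`. The case statement sends armv6l/armv7l/armv8l to armhfp while the cover letter says they map to "arm"; the comment and cover letter should agree on which repository arch is intended, and the -A/--arch help text further down still says NOT USED YET even though $arch now drives repository selection.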
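Review bot: in the hostname hunk at @@ -62, `if [ $release -gt 14 ]` runs with $release unquoted and unvalidated; an empty or non-numeric -R/--release value makes test fail with "integer expression expected" and the branch is silently skipped, so the container gets no /etc/hostname. Validate once after release is resolved, e.g. `case $release in ''|*[!0-9]*) echo 'release must be numeric' >&2; exit 1;; esac`, and quote the redirect target, `> "${rootfs_path}/etc/hostname"`, as the surrounding code quotes $rootfs_path.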
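Review bot: `lxc.autodev = $auto_dev` is emitted from the config-writing heredoc at @@ -253, but $auto_dev is only assigned in the top-level block added at @@ -374; if the function containing this heredoc is ever called before that block runs, the line expands to a bare `lxc.autodev =`. Either default it near the top of the script (`auto_dev=0`) or compute it where $release is resolved, before any config is written.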
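Review bot: in the @@ -374 hunk, `[ "$is_fedora" -a "$fedora_host_ver" ]` uses the obsolescent `-a`; `[ -n "$is_fedora" ] && [ -n "$fedora_host_ver" ]` is the portable spelling. The `if [ $release -gt 14 ]` that sets auto_dev a few lines down relies on $release being a bare integer: when test errors out on a bad -R value the `if` treats that as false and the else branch yields auto_dev="0", so a systemd container quietly loses autodev. Deriving one validated is_systemd flag from $release and using it for both the hostname and autodev decisions would remove the duplicated test.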
Re: [lxc-devel] [RFC PATCH] lxc: add clone hook.
Quoting Stéphane Graber (stgra...@ubuntu.com):
> On 05/15/2013 10:23 AM, Serge Hallyn wrote:
> > Add a clone hook called from api_clone. Pass arguments to it from
> > lxc_clone.c.
> >
> > The clone update hook is called while the container's bdev is mounted.
> > Information about the container is passed in through environment
> > variables LXC_ROOTFS_PATH, LXC_NAME, The LXC_ROOTFS_MOUNT, and
> > LXC_CONFIG_FILE.
> >
> > LXC_ROOTFS_MOUNT=/usr/lib/x86_64-linux-gnu/lxc
> > LXC_CONFIG_FILE=/var/lib/lxc/demo3/config
> > LXC_ROOTFS_PATH=/var/lib/lxc/demo3/rootfs
> > LXC_NAME=demo3
> >
> > So from the hook, updates to the container should be made under
> > $LXC_ROOTFS_MOUNT/ .
> >
> > The hook also receives command line arguments as follows:
> > First argument is container name, second is always 'lxc', third
> > is the hook name (always clone), then come the arguments which
> > were passed to lxc-clone. I.e. when I did:
> >
> > sudo lxc-clone demo2 demo3 -- hey there dude
> >
> > the arguments passed in were "demo3 lxc clone hey there dude"
> >
> > I personally would like to drop the first two arguments. The
> > name is available as $LXC_NAME, and the section argument ('lxc')
> > is meaningless. However, doing so risks invalidating existing
> > hooks.
> >
> > Soon analogous create and destroy hooks will be added as well.
>
> I think I'd have preferred storing the command arguments in
> LXC_CLONE_ARGS instead of directly in argv. Doing so would allow us to
> remove/add other arguments without breaking all existing hooks.
>
> The user could then do "set -- $LXC_CLONE_ARGS" and just use $1... as usual.
>
> But I'm not horribly opposed to the proposed implementation and the rest
> looks good.

Actually, yeah that would let me not add the argv[] to run_lxc_hooks, and
make the patch quite a bit shorter. I'll redo it like that. Please don't
apply :)

> Acked-by: Stéphane Graber
> > > Signed-off-by: Serge Hallyn > > --- > > src/lxc/conf.c | 63 > > +- > > src/lxc/conf.h | 4 ++-- > > src/lxc/confile.c | 3 +++ > > src/lxc/lxc_clone.c| 16 ++--- > > src/lxc/lxccontainer.c | 55 ++- > > src/lxc/lxccontainer.h | 2 +- > > src/lxc/start.c| 6 ++--- > > 7 files changed, 113 insertions(+), 36 deletions(-) > > > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > > index 746a2db..61e45b1 100644 > > --- a/src/lxc/conf.c > > +++ b/src/lxc/conf.c > > @@ -173,7 +173,7 @@ return -1; > > #endif > > > > char *lxchook_names[NUM_LXC_HOOKS] = { > > - "pre-start", "pre-mount", "mount", "autodev", "start", "post-stop" }; > > + "pre-start", "pre-mount", "mount", "autodev", "start", "post-stop", > > "clone" }; > > > > typedef int (*instanciate_cb)(struct lxc_handler *, struct lxc_netdev *); 
> > > > @@ -336,6 +336,55 @@ static int run_buffer(char *buffer) > > return 0; > > } > > > > +static int run_script_argv(const char *name, const char *section, > > + const char *script, const char *hook, char **argsin) > > +{ > > + int ret, i; > > + char *buffer; > > + size_t size = 0; > > + > > + INFO("Executing script '%s' for container '%s', config section '%s'", > > +script, name, section); > > + > > + for (i=0; argsin && argsin[i]; i++) > > + size += strlen(argsin[i]) + 1; > > + > > + size += strlen(hook) + 1; > > + > > + size += strlen(script); > > + size += strlen(name); > > + size += strlen(section); > > + size += 3; > > + > > + if (size > INT_MAX) > > + return -1; > > + > > + buffer = alloca(size); > > + if (!buffer) { > > + ERROR("failed to allocate memory"); > > + return -1; > > + } > > + > > + ret = snprintf(buffer, size, "%s %s %s %s", script, name, section, > > hook); > > + if (ret < 0 || ret >= size) { > > + ERROR("Script name too long"); > > + return -1; > > + } > > + > > + for (i=0; argsin && argsin[i]; i++) { > > + int len = size-ret; > > + int rc; > > + rc = snprintf(buffer + ret, len, " %s", argsin[i]); > > + if (rc < 0 || rc >= len) { > > + ERROR("Script args too long"); > > + return -1; > > + } > > + ret += rc; > > + } > > + > > + return run_buffer(buffer); > > +} > > + > > static int run_script(const char *name, const char *section, > > const char *script, ...) > > { > > @@ -2752,7 +2801,7 @@ int lxc_setup(const char *name, struct lxc_conf > > *lxc_conf) > > return -1; > > } > > > > - if (run_lxc_hooks(name, "pre-mount", lxc_conf)) { > > + if (run_lxc_hooks(name, "pre-mount", lxc_conf, NULL)) { > > ERROR("failed to run pre-mount hooks for container '%s'.", > > name); > > return -1; > > } > > @@ -2779,13 +2828,13 @@ int lxc_setup(const char *name, struct lxc_conf > > *lx
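The hook interface described in the RFC and the LXC_CLONE_ARGS alternative proposed in the follow-up, shown from the hook's side as an added example (this is not lxc code and not part of either version of the patch). It trusts only the environment variables the commit message lists (LXC_NAME, LXC_ROOTFS_MOUNT, LXC_ROOTFS_PATH, LXC_CONFIG_FILE), takes the user's arguments either from argv after the fixed `name lxc clone` prefix or from LXC_CLONE_ARGS when that variable is set, and confines every write to $LXC_ROOTFS_MOUNT. Giving the clone a fresh hostname is my choice of a typical clone-time update; the `127.0.1.1` line it rewrites in etc/hosts is an assumption about what the template left there.

```shell
#!/bin/sh
# Example clone hook (added illustration, not lxc's code).
# Per the RFC, lxc exports LXC_NAME, LXC_ROOTFS_MOUNT, LXC_ROOTFS_PATH and
# LXC_CONFIG_FILE and runs the hook as:   <name> lxc clone <user args...>
# The LXC_CLONE_ARGS variable suggested in the thread is honoured when set.

# Print the user-supplied clone arguments, one per line, whichever way
# they were delivered.
clone_hook_args() {
    if [ -n "${LXC_CLONE_ARGS+set}" ]; then
        # proposed interface: all user args live in one variable
        # shellcheck disable=SC2086
        set -- $LXC_CLONE_ARGS
    elif [ "$#" -ge 3 ] && [ "$2" = lxc ] && [ "$3" = clone ]; then
        # RFC interface: drop the fixed "name lxc clone" prefix
        shift 3
    fi
    for arg in "$@"; do
        printf '%s\n' "$arg"
    done
}

# Refuse to run unless what lxc handed us looks sane: a plain container
# name and a rootfs that is actually mounted.
clone_hook_check_env() {
    case "${LXC_NAME:-}" in
        "" | *[!A-Za-z0-9._-]*)
            echo "clone hook: LXC_NAME missing or contains unexpected characters" >&2
            return 1 ;;
    esac
    if [ ! -d "${LXC_ROOTFS_MOUNT:-}" ]; then
        echo "clone hook: LXC_ROOTFS_MOUNT is not a mounted directory" >&2
        return 1
    fi
    return 0
}

# Give the clone its own identity: write etc/hostname and point the
# 127.0.1.1 line of etc/hosts (assumed present from the template) at the
# new name.  Everything happens under $LXC_ROOTFS_MOUNT, never on the host.
clone_hook_run() {
    clone_hook_check_env || return 1
    etc="$LXC_ROOTFS_MOUNT/etc"
    mkdir -p "$etc" || return 1
    printf '%s\n' "$LXC_NAME" > "$etc/hostname" || return 1

    if [ -f "$etc/hosts" ]; then
        tmp="$etc/hosts.clone-hook.$$"
        # rewrite only the 127.0.1.1 line; every other line is kept as is
        awk -v name="$LXC_NAME" \
            '$1 == "127.0.1.1" { print "127.0.1.1 " name; next } { print }' \
            "$etc/hosts" > "$tmp" && mv "$tmp" "$etc/hosts" || { rm -f "$tmp"; return 1; }
    fi

    # user args after "--" are for site-specific steps; surface them in the log
    clone_hook_args "$@" | while IFS= read -r arg; do
        echo "clone hook for $LXC_NAME: user arg '$arg'" >&2
    done
    return 0
}

# Run only when executed as a script, so the file can also be sourced.
case "${0##*/}" in
    *clone-hook*) clone_hook_run "$@" ;;
esac
```

Saved as, say, clone-hook.sh and referenced from the source container's config through the `lxc.hook.clone` key (the confile.c part of the diffstat is where a key following the existing lxc.hook.<name> pattern would be registered), the script is invoked by lxc-clone with the rootfs of the new container mounted. The name check matters because $LXC_NAME ends up in files inside the rootfs and in the awk program; rejecting anything outside a small character set is cheaper than escaping it.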
Re: [lxc-devel] create api
Quoting Dwight Engen (dwight.en...@oracle.com):
> On Wed, 15 May 2013 08:56:27 -0500
> Serge Hallyn wrote:
>
> > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > On Tue, 14 May 2013 14:13:45 -0500
> > > Serge Hallyn wrote:
> > >
> > > > Hi,
> > > >
> > > > I'd like to rewrite lxc-create to be c (calling out to the c
> > > > templates which continue to be scripts for the most part).
> > > > Unfortunately right now the lxcapi_create() just takes arguments
> > > > to send to the lxc-create script.
> > > >
> > > > I could either dump the existing lxcapi_create function, replace
> > > > it with something close to the lxcapi_clone, and update the
> > > > current callers, or I can write a new function lxcapi_create2,
> > > > keeping lxcapi_create() as calling the c program (which then calls
> > > > lxcapi_create2 :).
> > > >
> > > > The only reason to go with lxcapi_create2 would be for out of tree
> > > > callers (which includes the go bindings). Since we're not at 1.0
> > > > yet we don't guarantee anything about api stability (for exactly
> > > > this reason), but I thought I'd ask anyway what you all thought.
> > >
> > > I'd vote for trying to keep the API as clean as possible until 1.0,
> > > but
> >
> > Sorry, I'm not sure on this - by clean do you mean clean it up, or do
> > you mean keep it unchanged?
>
> Sorry I wasn't clear: I mean change it so as to keep the API clean and
> consistent (ie. don't make an lxcapi_create2, just change lxcapi_create
> until 1.0).
>

Thanks, just making sure :)

-serge
Re: [lxc-devel] [RFC PATCH 0/1] allow setting cgroup items before the cgroup is entered
On Tue, 14 May 2013 11:01:04 -0500
Serge Hallyn wrote:

> Quoting Dwight Engen (dwight.en...@oracle.com):
> > Hi,
> >
> > I tried to put lxc.cgroup.memory.kmem.limit_in_bytes = 4194304 in a
> > config file to test forkbomb prevention. The problem with this is
> > that kmem.limit_in_bytes (per the kernel documentation) "cannot be
> > set if the cgroup have children, or if there are already tasks in
> > the cgroup". Currently, lxc does lxc_cgroup_enter() before doing
> > setup_cgroup() in the lxc_spawn() flow and therefore gets -EBUSY.
> >
> > Commit 544a48a0 leads me to believe that we don't want to move
> > setup_cgroup() earlier, so I've refactored it to create an
> > additional setup_cgroup_pre_enter() that gets called before
> > lxc_cgroup_enter(). Currently it only writes kmem.limit_in_bytes,
> > if there are other items that need to be setup pre-enter, they
> > could easily be added to the list. This fixes the problem for me. I
> > think we are trying to keep lxc from knowing about specific cgroup
> > control knobs, but I have not thought of another way to do this.
> > Thoughts?
>
> I think the only problem with configuring cgroups early is that some
> block devices which the container might want to mount could be denied.

Hi Serge, I think by this you mean having lxc mount a block device
into the container that the container won't have a
cgroup.devices.allow line for. So I tried putting a line like:

lxc.mount.entry = /dev/sda1 mnt none defaults 0 0

in the conf, but this did not work for me even with the current code
(setup_cgroup() after lxc_cgroup_enter(), and more importantly after
the child has done lxc_setup() and done the mounts). The child is
getting "No such device" so I'm confused as to the use case we're trying
to make work. Probably I'm simply doing something wrong here to get it
mounted.

> So perhaps we should do the inverse of what you're doing. Configure
> all cgroups right before lxc_cgroup_enter(), except for devices
> cgroup, which gets configured after mounts happen?

This is easy to do, but I'd like a test case to try out :)

> -serge
Re: [lxc-devel] [RFC PATCH 0/1] allow setting cgroup items before the cgroup is entered
Quoting Dwight Engen (dwight.en...@oracle.com):
> On Tue, 14 May 2013 11:01:04 -0500
> Serge Hallyn wrote:
>
> > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > Hi,
> > >
> > > I tried to put lxc.cgroup.memory.kmem.limit_in_bytes = 4194304 in a
> > > config file to test forkbomb prevention. The problem with this is
> > > that kmem.limit_in_bytes (per the kernel documentation) "cannot be
> > > set if the cgroup have children, or if there are already tasks in
> > > the cgroup". Currently, lxc does lxc_cgroup_enter() before doing
> > > setup_cgroup() in the lxc_spawn() flow and therefore gets -EBUSY.
> > >
> > > Commit 544a48a0 leads me to believe that we don't want to move
> > > setup_cgroup() earlier, so I've refactored it to create an
> > > additional setup_cgroup_pre_enter() that gets called before
> > > lxc_cgroup_enter(). Currently it only writes kmem.limit_in_bytes,
> > > if there are other items that need to be setup pre-enter, they
> > > could easily be added to the list. This fixes the problem for me. I
> > > think we are trying to keep lxc from knowing about specific cgroup
> > > control knobs, but I have not thought of another way to do this.
> > > Thoughts?
> >
> > I think the only problem with configuring cgroups early is that some
> > block devices which the container might want to mount could be denied.
>
> Hi Serge, I think by this you mean having lxc mount a block device
> into the container that the container won't have a
> cgroup.devices.allow line for. So I tried putting a line like:
>
> lxc.mount.entry = /dev/sda1 mnt none defaults 0 0

Can you try specifying the actual fstype instead of none? Of course also
make sure that your config has

lxc.cgroup.devices.allow = b 8:1 rwm

> in the conf, but this did not work for me even with the current code
> (setup_cgroup() after lxc_cgroup_enter(), and more importantly after
> the child has done lxc_setup() and done the mounts). The child is
> getting "No such device" so I'm confused as to the use case we're trying
> to make work. Probably I'm simply doing something wrong here to get it
> mounted.
>
> > So perhaps we should do the inverse of what you're doing. Configure
> > all cgroups right before lxc_cgroup_enter(), except for devices
> > cgroup, which gets configured after mounts happen?
>
> This is easy to do, but I'd like a test case to try out :)
>
> > -serge
Re: [lxc-devel] [RFC PATCH 0/1] allow setting cgroup items before the cgroup is entered
On Wed, 15 May 2013 10:46:13 -0500
Serge Hallyn wrote:

> Quoting Dwight Engen (dwight.en...@oracle.com):
> > On Tue, 14 May 2013 11:01:04 -0500
> > Serge Hallyn wrote:
> >
> > > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > > Hi,
> > > >
> > > > I tried to put lxc.cgroup.memory.kmem.limit_in_bytes = 4194304
> > > > in a config file to test forkbomb prevention. The problem with
> > > > this is that kmem.limit_in_bytes (per the kernel documentation)
> > > > "cannot be set if the cgroup have children, or if there are
> > > > already tasks in the cgroup". Currently, lxc does
> > > > lxc_cgroup_enter() before doing setup_cgroup() in the
> > > > lxc_spawn() flow and therefore gets -EBUSY.
> > > >
> > > > Commit 544a48a0 leads me to believe that we don't want to move
> > > > setup_cgroup() earlier, so I've refactored it to create an
> > > > additional setup_cgroup_pre_enter() that gets called before
> > > > lxc_cgroup_enter(). Currently it only writes
> > > > kmem.limit_in_bytes, if there are other items that need to be
> > > > setup pre-enter, they could easily be added to the list. This
> > > > fixes the problem for me. I think we are trying to keep lxc
> > > > from knowing about specific cgroup control knobs, but I have
> > > > not thought of another way to do this. Thoughts?
> > >
> > > I think the only problem with configuring cgroups early is that
> > > some block devices which the container might want to mount could
> > > be denied.
> >
> > Hi Serge, I think by this you mean having lxc mount a block device
> > into the container that the container won't have a
> > cgroup.devices.allow line for. So I tried putting a line like:
> >
> > lxc.mount.entry = /dev/sda1 mnt none defaults 0 0
>
> Can you try specifying the actual fstype instead of none?

Doh! Thanks, yep none was the problem. I initially started with auto,
but that wasn't working (doesn't work in mount syscall, only with the
mount program). We should probably document that you need to specify
the fs type in lxc.conf(5) where it talks about lxc.mount. I can send a
patch.

> Of course also make sure that your config has
>
> lxc.cgroup.devices.allow = b 8:1 rwm

The current code works either with or without this since we don't set up
the devices cgroup till after the mounts are done.

> > in the conf, but this did not work for me even with the current code
> > (setup_cgroup() after lxc_cgroup_enter(), and more importantly after
> > the child has done lxc_setup() and done the mounts). The child is
> > getting "No such device" so I'm confused as to the use case we're
> > trying to make work. Probably I'm simply doing something wrong here
> > to get it mounted.
> >
> > > So perhaps we should do the inverse of what you're doing.
> > > Configure all cgroups right before lxc_cgroup_enter(), except for
> > > devices cgroup, which gets configured after mounts happen?
> >
> > This is easy to do, but I'd like a test case to try out :)
> >
> > > -serge
Re: [lxc-devel] [RFC PATCH 0/1] allow setting cgroup items before the cgroup is entered
On Wed, 15 May 2013 10:46:13 -0500
Serge Hallyn wrote:

> Quoting Dwight Engen (dwight.en...@oracle.com):
> > On Tue, 14 May 2013 11:01:04 -0500
> > Serge Hallyn wrote:
> >
> > > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > > Hi,
> > > >
> > > > I tried to put lxc.cgroup.memory.kmem.limit_in_bytes = 4194304
> > > > in a config file to test forkbomb prevention. The problem with
> > > > this is that kmem.limit_in_bytes (per the kernel documentation)
> > > > "cannot be set if the cgroup have children, or if there are
> > > > already tasks in the cgroup". Currently, lxc does
> > > > lxc_cgroup_enter() before doing setup_cgroup() in the
> > > > lxc_spawn() flow and therefore gets -EBUSY.
> > > >
> > > > Commit 544a48a0 leads me to believe that we don't want to move
> > > > setup_cgroup() earlier, so I've refactored it to create an
> > > > additional setup_cgroup_pre_enter() that gets called before
> > > > lxc_cgroup_enter(). Currently it only writes
> > > > kmem.limit_in_bytes, if there are other items that need to be
> > > > setup pre-enter, they could easily be added to the list. This
> > > > fixes the problem for me. I think we are trying to keep lxc
> > > > from knowing about specific cgroup control knobs, but I have
> > > > not thought of another way to do this. Thoughts?
> > >
> > > I think the only problem with configuring cgroups early is that
> > > some block devices which the container might want to mount could
> > > be denied.
> >
> > Hi Serge, I think by this you mean having lxc mount a block device
> > into the container that the container won't have a
> > cgroup.devices.allow line for. So I tried putting a line like:
> >
> > lxc.mount.entry = /dev/sda1 mnt none defaults 0 0
>
> Can you try specifying the actual fstype instead of none?
>
> Of course also make sure that your config has
>
> lxc.cgroup.devices.allow = b 8:1 rwm
>
> > in the conf, but this did not work for me even with the current code
> > (setup_cgroup() after lxc_cgroup_enter(), and more importantly after
> > the child has done lxc_setup() and done the mounts). The child is
> > getting "No such device" so I'm confused as to the use case we're
> > trying to make work. Probably I'm simply doing something wrong here
> > to get it mounted.
> >
> > > So perhaps we should do the inverse of what you're doing.
> > > Configure all cgroups right before lxc_cgroup_enter(), except for
> > > devices cgroup, which gets configured after mounts happen?

Okay, so the new patch does this. Just to be clear this is preserving
the current behavior of being able to mount a device into the container
even if the device itself won't be available in the container. I think
that is fine, but just wanted to point it out.

Patch follows.
[lxc-devel] [PATCH] set non device cgroup items before the cgroup is entered
This allows some special cgroup items such as memory.kmem.limit_in_bytes to be successfully set, since they must be set before any task is put into the cgroup. The devices cgroup is setup later giving the container a chance to mount file systems before the device it might want to mount from becomes unavailable. Signed-off-by: Dwight Engen --- src/lxc/conf.c | 25 +++-- src/lxc/conf.h | 3 +-- src/lxc/start.c | 10 +++--- 3 files changed, 27 insertions(+), 11 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 746a2db..9877cc3 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1401,7 +1401,8 @@ static int setup_kmsg(const struct lxc_rootfs *rootfs, return 0; } -int setup_cgroup(const char *cgpath, struct lxc_list *cgroups) +static int _setup_cgroup(const char *cgpath, struct lxc_list *cgroups, + int devices) { struct lxc_list *iterator; struct lxc_cgroup *cg; @@ -1411,13 +1412,15 @@ int setup_cgroup(const char *cgpath, struct lxc_list *cgroups) return 0; lxc_list_for_each(iterator, cgroups) { - cg = iterator->elem; - if (lxc_cgroup_set_bypath(cgpath, cg->subsystem, cg->value)) { - ERROR("Error setting %s to %s for %s\n", cg->subsystem, - cg->value, cgpath); - goto out; + if (devices == !strncmp("devices", cg->subsystem, 7)) { + if (lxc_cgroup_set_bypath(cgpath, cg->subsystem, + cg->value)) { + ERROR("Error setting %s to %s for %s\n", + cg->subsystem, cg->value, cgpath); + goto out; + } } DEBUG("cgroup '%s' set to '%s'", cg->subsystem, cg->value); @@ -1429,6 +1432,16 @@ out: return ret; } +int setup_cgroup_devices(const char *cgpath, struct lxc_list *cgroups) +{ + return _setup_cgroup(cgpath, cgroups, 1); +} + +int setup_cgroup(const char *cgpath, struct lxc_list *cgroups) +{ + return _setup_cgroup(cgpath, cgroups, 0); +} + static void parse_mntopt(char *opt, unsigned long *flags, char **data) { struct mount_opt *mo; diff --git a/src/lxc/conf.h b/src/lxc/conf.h index 465b1ec..8180e18 100644 --- a/src/lxc/conf.h +++ b/src/lxc/conf.h 
@@ -287,6 +287,7 @@ struct lxc_conf { int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf); extern int setup_cgroup(const char *cgpath, struct lxc_list *cgroups); +extern int setup_cgroup_devices(const char *cgpath, struct lxc_list *cgroups); extern int detect_shared_rootfs(void); /* @@ -313,8 +314,6 @@ extern int lxc_clear_cgroups(struct lxc_conf *c, const char *key); extern int lxc_clear_mount_entries(struct lxc_conf *c); extern int lxc_clear_hooks(struct lxc_conf *c, const char *key); -extern int setup_cgroup(const char *name, struct lxc_list *cgroups); - extern int uid_shift_ttys(int pid, struct lxc_conf *conf); /* diff --git a/src/lxc/start.c b/src/lxc/start.c index fd96d4f..cf5f9bd 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -809,6 +809,11 @@ int lxc_spawn(struct lxc_handler *handler) if ((handler->cgroup = lxc_cgroup_path_create(NULL, name)) == NULL) goto out_delete_net; + if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) { + ERROR("failed to setup the cgroups for '%s'", name); + goto out_delete_net; + } + if (lxc_cgroup_enter(handler->cgroup, handler->pid) < 0) goto out_delete_net; 
@@ -839,12 +844,11 @@ int lxc_spawn(struct lxc_handler *handler) if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CONFIGURE)) goto out_delete_net; - if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) { - ERROR("failed to setup the cgroups for '%s'", name); + if (setup_cgroup_devices(handler->cgroup, &handler->conf->cgroup)) { + ERROR("failed to setup the devices cgroup for '%s'", name); goto out_delete_net; } - /* Tell the child to complete its initialization and wait for * it to exec or return an error. (the child will never * return LXC_SYNC_POST_CGROUP+1. It will either close the -- 1.8.1.4 -- AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
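Review bot: in the conf.c hunk at -1401 the new helper is named `_setup_cgroup`; C reserves file-scope identifiers that begin with an underscore for the implementation, so a name such as `setup_cgroup_pass` would be safer, and a parameter name like `devices_only` would read more clearly than an `int devices` compared with `==` against the result of `!strncmp(...)`.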
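Review bot: in the conf.c hunk at -1411 the `DEBUG("cgroup '%s' set to '%s'", cg->subsystem, cg->value);` line is left outside the new `if (devices == !strncmp("devices", cg->subsystem, 7))` block, so each pass logs every entry as set, including the entries that pass deliberately skipped; move the DEBUG inside the `if` so the log reflects what was actually written in that pass.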
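Review bot: in the start.c hunks the non-devices entries are now written before lxc_cgroup_enter() while the devices whitelist is applied only after the LXC_SYNC_POST_CONFIGURE barrier, so the child's lxc_setup() mount phase runs before any device restriction is in place; the cover mail says this preserves current behaviour, but a one-line comment at the setup_cgroup_devices() call stating that the split is deliberate (kmem limits before any task enters, devices after mounts) would keep a later cleanup from merging the two calls back together. The error path is consistent: a setup_cgroup() failure before enter goes to out_delete_net just like the lxc_cgroup_enter() failure below it.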
[lxc-devel] [PATCH] doc/lxc.conf minor clarifications
Signed-off-by: Dwight Engen --- doc/lxc.conf.sgml.in | 39 +++ 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/doc/lxc.conf.sgml.in b/doc/lxc.conf.sgml.in index 0a5a52a..509ca2d 100644 --- a/doc/lxc.conf.sgml.in +++ b/doc/lxc.conf.sgml.in @@ -65,8 +65,8 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA The configuration file defines the different system resources to be assigned for the container. At present, the utsname, the - network, the mount points, the root file system and the control - groups are supported. + network, the mount points, the root file system, the user namespace, + and the control groups are supported. @@ -80,7 +80,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Allows to set the architecture for the container. For example, set a 32bits architecture for a container running 32bits - binaries on a 64bits host. That fix the container scripts + binaries on a 64bits host. This fixes the container scripts which rely on the architecture to do some work like downloading the packages. @@ -258,7 +258,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA specify an action to do for the network. - + up: activates the interface. @@ -448,7 +448,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA If the container is configured with a root filesystem and the inittab file is setup to use the console, you may want to specify - where goes the output of this console. + where the output of this console goes. 
@@ -471,14 +471,14 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Console through the ttys - If the container is configured with a root filesystem and the - inittab file is setup to launch a getty on the ttys. This - option will specify the number of ttys to be available for the - container. The number of getty in the inittab file of the - container should not be greater than the number of ttys - specified in this configuration file, otherwise the excess - getty sessions will die and respawn indefinitly giving - annoying messages on the console. + This option is useful if the container is configured with a root + filesystem and the inittab file is setup to launch a getty on the + ttys. The option specifies the number of ttys to be available for + the container. The number of gettys in the inittab file of the + container should not be greater than the number of ttys specified + in this option, otherwise the excess getty sessions will die and + respawn indefinitely giving annoying messages on the console or in + /var/log/messages. 
@@ -590,13 +590,20 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA specify a file location in the fstab format, containing the - mount informations. If the rootfs is an image file or a - device block and the fstab is used to mount a point + mount information. If the rootfs is an image file or a + block device and the fstab is used to mount a point somewhere in this rootfs, the path of the rootfs mount point should be prefixed with the @LXCROOTFSMOUNT@ default path or the value of lxc.rootfs.mount if - specified. + specified. Note that when mounting a filesystem from an + image file or block device the third field (fs_vfstype) + cannot be auto as with + + mount +8 + + but must be explicitly specified. -- 1.8.1.4 -- AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
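Review bot: in the lxc.mount hunk the new sentence says the third field (fs_vfstype) cannot be `auto`; the failure that prompted this patch used `none`, so the text should state that the field must be the actual filesystem type of the image or block device and that neither `auto` nor `none` works there, because lxc passes the value to the mount system call rather than to the mount program.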
Re: [lxc-devel] [PATCH v2] lxc-busybox: check when bind-mounting host libdirs
Quoting Serge Hallyn (serge.hal...@ubuntu.com):
> Quoting Bogdan Purcareata (bogdan.purcare...@freescale.com):
> > The patch removes the behavior of automatically mounting /lib
> > and /usr/lib, since this is duplicated a few lines below. It will
> > also remove the risk of failing when one of these entries is not
> > present on the host - e.g. on a 64bit machine.
> >
> > Signed-off-by: Bogdan Purcareata
>
> Acked-by: Serge E. Hallyn

(and applied)
Re: [lxc-devel] [PATCH] lxc-fedora-template: autodev, hostname, ARM archs, Raspberry Pi fixes
Quoting Serge Hallyn (serge.hal...@ubuntu.com):
> Thanks, Michael.
>
> Acked-by: Serge E. Hallyn

applied
Re: [lxc-devel] [PATCH] lxc-alpine: download statically compiled package manager if not available on host
Quoting Kaarle Ritvanen (kaarle.ritva...@datakunkku.fi): ... > +wget="wget -O - $repository/x86" .. > +$wget/apk-tools-static-$apk_version.apk | \ > +tar -Oxz sbin/apk.static > $apk || return 1 > +chmod u+x $apk > + > +apk_opts="$apk_opts --allow-untrusted" > +fi > + > +$apk add -U --initdb --root $rootfs $apk_opts "$@" alpine-base Boy does that scare me though. -- AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
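Review bot: in the quoted hunk the static apk is fetched with `wget -O - $repository/x86/apk-tools-static-$apk_version.apk`, piped straight through `tar -Oxz` into `$apk`, marked executable and then run with `--allow-untrusted`, so nothing verifies the downloaded package manager before it executes on the host and nothing verifies the packages it then installs into `$rootfs`; check the fetched .apk against a checksum or signature pinned in the template for that `$apk_version` before the `chmod u+x`, and confine `--allow-untrusted` to the bootstrap step so later installs are signature-checked.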
Re: [lxc-devel] [RFC PATCH] lxc: add clone hook.
Quoting Scott Moser (smo...@ubuntu.com):
> On Wed, 15 May 2013, Serge Hallyn wrote:
>
> > > > Soon analogous create and destroy hooks will be added as well.
> > >
> > > I think I'd have preferred storing the command arguments in
> > > LXC_CLONE_ARGS instead of directly in argv. Doing so would allow us to
> > > remove/add other arguments without breaking all existing hooks.
> > >
> > > The user could then do "set -- $LXC_CLONE_ARGS" and just use $1... as
> > > usual.
> > >
> > > But I'm not horribly opposed to the proposed implementation and the rest
> > > looks good.
> >
> > Actually,
> >
> > yeah that would let me not add the argv[] to run_lxc_hooks, and make the
> > patch quite a bit shorter.
> >
> > I'll redo it like that.
>
> I'd really prefer proper arguments.
> In argv you have null terminated strings, a proper array.
>
> In "LXC_CLONE_ARGS" you have to encode the null terminated string in some
> way, forcing the consumer to unencode it.
> I.e.,
> set -- $LXC_CLONE_ARGS
> which is actually insufficient.
> In order to avoid shell expansion, the user has to do something like this:
> eval set -- "${LXC_CLONE_ARGS}"
>
> and you'll have to shell escape the content that you put in there.

Ok, then let's wait a day to think about it, and perhaps go with the
original patch. Because I can't think of a good way to work around that.
(We can't set IFS to '\0' can we...)

Thanks everyone.
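Scott's point about packing argv into one variable, as an added example that is not lxc code: a producer that shell-escapes each argument into LXC_CLONE_ARGS and a consumer that restores the exact argv with eval, beside the plain `set --` form that breaks. The helper names (shell_quote, pack_args, naive_count, unpack_count, unpack_nth) are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the lxc patch under discussion. Shows why
# "set -- $LXC_CLONE_ARGS" is insufficient and what the producer and the
# consumer have to do when arguments travel through one environment
# variable. shell_quote, pack_args, naive_count, unpack_count and
# unpack_nth are hypothetical helper names.

# Quote one argument so it survives "eval set -- ..." byte for byte:
# wrap it in single quotes, turning each embedded ' into '\''. The "."
# sentinel keeps command substitution from stripping trailing newlines.
shell_quote() {
    _q=$(printf '%s.' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${_q%.}"
}

# What the producer (the side that runs the hook) would have to do:
# escape every argument and join the results with single spaces.
pack_args() {
    _packed=""
    for _a in "$@"; do
        _packed="$_packed $(shell_quote "$_a")"
    done
    printf '%s' "${_packed# }"
}

# Constructed hook arguments: one with a space, one with a glob
# character, one with a single quote.
LXC_CLONE_ARGS=$(pack_args --name "my container" "*.conf" "it's")

# Consumer 1: bare word splitting. Field splitting and pathname
# expansion are applied to the unquoted expansion, so "my container"
# becomes two words and the quote characters stay inside the words.
naive_count() {
    set -- $LXC_CLONE_ARGS
    echo $#
}

# Consumer 2: eval re-parses the quoting the producer added, which
# restores the original argv exactly (the form from the thread).
unpack_count() {
    eval set -- "${LXC_CLONE_ARGS}"
    echo $#
}

# Return the n-th restored argument; n is saved before set -- replaces
# the function's positional parameters.
unpack_nth() {
    _n=$1
    eval set -- "${LXC_CLONE_ARGS}"
    eval "printf '%s' \"\${$_n}\""
}

echo "packed: $LXC_CLONE_ARGS"
echo "naive:  $(naive_count) words"
echo "eval:   $(unpack_count) args, 2nd = [$(unpack_nth 2)]"
```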
[lxc-devel] [PATCH 1/1] cgroup: prevent DOS when a hierarchy is mounted multiple times
When starting a container, we walk through all cgroup mounts looking for a unique directory name we can use for this container. If the name we are trying is in use, we try another name. If it is not in use in the first mount we check, we need to check other hierarchies as it may exist there. But we weren't checking whether we have already checked a subsystem - so that if freezer was mounted twice, we would create it in the first mount, see it exists in the second, so start over trying in the second mount. To fix this, keep track of which subsystems we have already checked, and do not re-check. (See http://pad.lv/1176287 for a bug report) Note we still need to add, at the next: label, the removal of the directories we've already created. I'm keeping that for later as it's far lower priority than this fix, and I don't want to risk introducing a regression for that. Signed-off-by: Serge Hallyn --- src/lxc/cgroup.c | 122 +++ 1 file changed, 122 insertions(+) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index 0c93703..a6b5d75 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c 
@@ -504,6 +504,103 @@ static void set_clone_children(const char *mntdir) fclose(fout); } +static char *get_all_cgroups(void) +{ + FILE *f; + char *line = NULL, *ret = NULL; + size_t len; + int first = 1; + + /* read the list of subsystems from the kernel */ + f = fopen("/proc/cgroups", "r"); + if (!f) + return NULL; + + while (getline(&line, &len, f) != -1) { + char *c; + int oldlen, newlen, inc; + + /* skip the first line */ + if (first) { + first=0; + continue; + } + + c = strchr(line, '\t'); + if (!c) + continue; + *c = '\0'; + + oldlen = ret ? strlen(ret) : 0; + newlen = oldlen + strlen(line) + 2; + ret = realloc(ret, newlen); + if (!ret) + goto out; + inc = snprintf(ret + oldlen, newlen, ",%s", line); + if (inc < 0 || inc >= newlen) { + free(ret); + ret = NULL; + goto out; + } + } + +out: + fclose(f); + return ret; +} + +static int in_cgroup_list(char *s, char *list) +{ + char *token, *str, *saveptr; + + if (!list || !s) + return 0; + + for (str = strdupa(list); (token = strtok_r(str, ",", &saveptr)); str = NULL) { + if (strcmp(s, token) == 0) + return 1; + } + + return 0; +} + +static int have_visited(char *opts, char *visited, char *allcgroups) +{ + char *str, *s, *token; + + for (str = strdupa(opts); (token = strtok_r(str, ",", &s)); str = NULL) { + if (!in_cgroup_list(token, allcgroups)) + continue; + if (visited && in_cgroup_list(token, visited)) + return 1; + } + + return 0; +} + +static int record_visited(char *opts, char **visitedp, char *allcgroups) +{ + char *s, *token, *str; + int oldlen, newlen, ret; + + for (str = strdupa(opts); (token = strtok_r(str, ",", &s)); str = NULL) { + if (!in_cgroup_list(token, allcgroups)) + continue; + if (*visitedp && in_cgroup_list(token, *visitedp)) + continue; + oldlen = (*visitedp) ? 
strlen(*visitedp) : 0; + newlen = oldlen + strlen(token) + 2; + (*visitedp) = realloc(*visitedp, newlen); + if (!(*visitedp)) + return -1; + ret = snprintf((*visitedp)+oldlen, newlen, ",%s", token); + if (ret < 0 || ret >= newlen) + return -1; + } + + return 0; +} + /* * Make sure the 'cgroup group' exists, so that we don't have to worry about * that later. @@ -592,16 +689,29 @@ char *lxc_cgroup_path_create(const char *lxcgroup, const char *name) char tail[12]; FILE *file = NULL; struct mntent mntent_r; + char *allcgroups = get_all_cgroups(); + char *visited = NULL; char buf[LARGE_MAXPATHLEN] = {0}; if (create_lxcgroups(lxcgroup) < 0) return NULL; + if (!allcgroups) + return NULL; + again: +if (visited) { +/* we're checking for a new name, so start over with all cgroup + * mounts */ +free(visited); +visited = NULL; +} file = setmntent(MTAB, "r"); if (!file) { SYSERROR("failed to open %s", MTAB); +if (allcgroups) +free(allcgroups);
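Review bot: in the hunk adding get_all_cgroups(), the snprintf size argument is `newlen` although only `newlen - oldlen` bytes remain after `ret + oldlen`, so the `inc >= newlen` truncation check can never fire; pass `newlen - oldlen` and compare against that (record_visited() repeats the pattern with `(*visitedp)+oldlen`). Two smaller points in the same hunk: `len` reaches getline() uninitialized (tolerated by glibc when `line` is NULL, but `size_t len = 0;` is the documented form) and the `line` buffer getline() allocates is never freed at `out:`. Finally, have_visited()/record_visited() only track option tokens that appear in /proc/cgroups, so a named hierarchy mounted with a `name=` option (which /proc/cgroups does not list) mounted twice still escapes the check; either treat `name=` tokens as subsystems or state in the commit message that the fix covers controller hierarchies only.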
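Review bot: in the lxc_cgroup_path_create() hunk, `allcgroups` and `visited` are now heap strings that must be released on every exit from the function; the visible setmntent() failure path frees `allcgroups` (its `if (allcgroups)` guard is redundant, since the function already returned NULL when `allcgroups` was NULL and free(NULL) is a no-op anyway), and every other return path in the function needs the same `free(allcgroups); free(visited);` pair, best done through one cleanup label rather than per-path frees. `visited` is only reset at `again:`, so the list accumulated on the final pass leaks unless the successful return frees it too.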
Re: [lxc-devel] [PATCH] doc/lxc.conf minor clarifications
Quoting Dwight Engen (dwight.en...@oracle.com): > Signed-off-by: Dwight Engen Acked-by: Serge E. Hallyn > --- > doc/lxc.conf.sgml.in | 39 +++ > 1 file changed, 23 insertions(+), 16 deletions(-) > > diff --git a/doc/lxc.conf.sgml.in b/doc/lxc.conf.sgml.in > index 0a5a52a..509ca2d 100644 > --- a/doc/lxc.conf.sgml.in > +++ b/doc/lxc.conf.sgml.in > @@ -65,8 +65,8 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA > 02111-1307 USA > >The configuration file defines the different system resources to >be assigned for the container. At present, the utsname, the > - network, the mount points, the root file system and the control > - groups are supported. > + network, the mount points, the root file system, the user namespace, > + and the control groups are supported. > > > > @@ -80,7 +80,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA > 02111-1307 USA > > Allows to set the architecture for the container. For example, > set a 32bits architecture for a container running 32bits > - binaries on a 64bits host. That fix the container scripts > + binaries on a 64bits host. This fixes the container scripts > which rely on the architecture to do some work like > downloading the packages. > > @@ -258,7 +258,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA > 02111-1307 USA > specify an action to do for the > network. > > - > + > up: activates the interface. > > > @@ -448,7 +448,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA > 02111-1307 USA > > If the container is configured with a root filesystem and the > inittab file is setup to use the console, you may want to specify > - where goes the output of this console. > + where the output of this console goes. 
> > > > @@ -471,14 +471,14 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, > MA 02111-1307 USA > >Console through the ttys > > - If the container is configured with a root filesystem and the > - inittab file is setup to launch a getty on the ttys. This > - option will specify the number of ttys to be available for the > - container. The number of getty in the inittab file of the > - container should not be greater than the number of ttys > - specified in this configuration file, otherwise the excess > - getty sessions will die and respawn indefinitly giving > - annoying messages on the console. > + This option is useful if the container is configured with a root > + filesystem and the inittab file is setup to launch a getty on the > + ttys. The option specifies the number of ttys to be available for > + the container. The number of gettys in the inittab file of the > + container should not be greater than the number of ttys specified > + in this option, otherwise the excess getty sessions will die and > + respawn indefinitely giving annoying messages on the console or in > + /var/log/messages. 
> > > > @@ -590,13 +590,20 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, > MA 02111-1307 USA > > specify a file location in > the fstab format, containing the > - mount informations. If the rootfs is an image file or a > - device block and the fstab is used to mount a point > + mount information. If the rootfs is an image file or a > + block device and the fstab is used to mount a point > somewhere in this rootfs, the path of the rootfs mount > point should be prefixed with the > @LXCROOTFSMOUNT@ default path or > the value of lxc.rootfs.mount if > - specified. > + specified. Note that when mounting a filesystem from an > + image file or block device the third field (fs_vfstype) > + cannot be auto as with > + > + mount > +8 > + > + but must be explicitly specified. > > > > -- > 1.8.1.4 > > > -- > AlienVault Unified Security Management (USM) platform delivers complete > security visibility with the essential security capabilities. Easily and > efficiently configure, manage, and operate all of your security controls > from a single console and one unified framework. Download a free trial. > http://p.sf.net/sfu/alienvault_d2d > ___ > Lxc-devel mailing list > Lxc-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/lxc-devel -- AlienVault Unified Security Management (USM)
Re: [lxc-devel] [PATCH] set non device cgroup items before the cgroup is entered
Quoting Dwight Engen (dwight.en...@oracle.com): > This allows some special cgroup items such as memory.kmem.limit_in_bytes > to be successfully set, since they must be set before any task is put > into the cgroup. > > The devices cgroup is setup later giving the container a chance to mount > file systems before the device it might want to mount from becomes > unavailable. > > Signed-off-by: Dwight Engen Acked-by: Serge E. Hallyn thanks, Dwight. -serge > --- > src/lxc/conf.c | 25 +++-- > src/lxc/conf.h | 3 +-- > src/lxc/start.c | 10 +++--- > 3 files changed, 27 insertions(+), 11 deletions(-) > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 746a2db..9877cc3 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -1401,7 +1401,8 @@ static int setup_kmsg(const struct lxc_rootfs *rootfs, > return 0; > } > > -int setup_cgroup(const char *cgpath, struct lxc_list *cgroups) > +static int _setup_cgroup(const char *cgpath, struct lxc_list *cgroups, > + int devices) > { > struct lxc_list *iterator; > struct lxc_cgroup *cg; > @@ -1411,13 +1412,15 @@ int setup_cgroup(const char *cgpath, struct lxc_list > *cgroups) > return 0; > > lxc_list_for_each(iterator, cgroups) { > - > cg = iterator->elem; > > - if (lxc_cgroup_set_bypath(cgpath, cg->subsystem, cg->value)) { > - ERROR("Error setting %s to %s for %s\n", cg->subsystem, > - cg->value, cgpath); > - goto out; > + if (devices == !strncmp("devices", cg->subsystem, 7)) { > + if (lxc_cgroup_set_bypath(cgpath, cg->subsystem, > + cg->value)) { > + ERROR("Error setting %s to %s for %s\n", > + cg->subsystem, cg->value, cgpath); > + goto out; > + } > } > > DEBUG("cgroup '%s' set to '%s'", cg->subsystem, cg->value); 
> @@ -1429,6 +1432,16 @@ out: > return ret; > } > > +int setup_cgroup_devices(const char *cgpath, struct lxc_list *cgroups) > +{ > + return _setup_cgroup(cgpath, cgroups, 1); > +} > + > +int setup_cgroup(const char *cgpath, struct lxc_list *cgroups) > +{ > + return _setup_cgroup(cgpath, cgroups, 0); > +} > + > static void parse_mntopt(char *opt, unsigned long *flags, char **data) > { > struct mount_opt *mo; > diff --git a/src/lxc/conf.h b/src/lxc/conf.h > index 465b1ec..8180e18 100644 > --- a/src/lxc/conf.h > +++ b/src/lxc/conf.h > @@ -287,6 +287,7 @@ struct lxc_conf { > int run_lxc_hooks(const char *name, char *hook, struct lxc_conf *conf); > > extern int setup_cgroup(const char *cgpath, struct lxc_list *cgroups); > +extern int setup_cgroup_devices(const char *cgpath, struct lxc_list > *cgroups); > extern int detect_shared_rootfs(void); > > /* > @@ -313,8 +314,6 @@ extern int lxc_clear_cgroups(struct lxc_conf *c, const > char *key); > extern int lxc_clear_mount_entries(struct lxc_conf *c); > extern int lxc_clear_hooks(struct lxc_conf *c, const char *key); > > -extern int setup_cgroup(const char *name, struct lxc_list *cgroups); > - > extern int uid_shift_ttys(int pid, struct lxc_conf *conf); > > /* > diff --git a/src/lxc/start.c b/src/lxc/start.c > index fd96d4f..cf5f9bd 100644 > --- a/src/lxc/start.c > +++ b/src/lxc/start.c > @@ -809,6 +809,11 @@ int lxc_spawn(struct lxc_handler *handler) > if ((handler->cgroup = lxc_cgroup_path_create(NULL, name)) == NULL) > goto out_delete_net; > > + if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) { > + ERROR("failed to setup the cgroups for '%s'", name); > + goto out_delete_net; > + } > + > if (lxc_cgroup_enter(handler->cgroup, handler->pid) < 0) > goto out_delete_net; 
> > @@ -839,12 +844,11 @@ int lxc_spawn(struct lxc_handler *handler) > if (lxc_sync_barrier_child(handler, LXC_SYNC_POST_CONFIGURE)) > goto out_delete_net; > > - if (setup_cgroup(handler->cgroup, &handler->conf->cgroup)) { > - ERROR("failed to setup the cgroups for '%s'", name); > + if (setup_cgroup_devices(handler->cgroup, &handler->conf->cgroup)) { > + ERROR("failed to setup the devices cgroup for '%s'", name); > goto out_delete_net; > } > > - > /* Tell the child to complete its initialization and wait for >* it to exec or return an error. (the child will never >* return LXC_SYNC_POST_CGROUP+1. It will either close the > -- > 1.8.1.4 > -- AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a