Re: [lxc-devel] Howto user namespaces?

2013-07-11 Thread Rui Xiang
On 2013/7/9 23:58, Serge Hallyn wrote:
> Quoting Rui Xiang (rui.xi...@huawei.com):
>> On 2013/7/5 19:48, Serge Hallyn wrote:
>>> Quoting Rui Xiang (rui.xi...@huawei.com):
 The same issue troubles me. I try to start the container by these ways 

...

>>  
>> After setting lxc.tty = 0, the result was error too:
>>   lxc-start: Operation not permitted - failed to set mode '020644' to 
>> '/dev/pts/1'.
>>
>> So ashamed that I have no better ways to solve it now. :(
> 
> Hi,
> 
> When you do
> 
>   lxc.id_map = u 0 1 2000
>   lxc.id_map = g 0 1 2000
> 
> The container will run with uid 0 in the container being mapped to 1
> on the host.  What I don't see is where you have shifted the uids of the
> container's files.

Ah.., forgot to say that I used chown to the rootfs of this container:
 # chown 1 ./rootfs

> If you look at https://code.launchpad.net/~serge-hallyn/+junk/nsexec ,
> there are two programs of interest.  uidmapshift.c will do the uid
> shifting (so for instance root owned files in the container will become
> owned by 1).  The container-userns-convert script will use the
> uidmapshift.c program as well as add the lxc.id_map files to the
> container configuration.  I usually just do
> 
>   container-userns-convert containername 1
> 
> So you'll definitely need to use the uidmapshift program to chown your
> files, though to be honest your error sounds to me like a different
> problem.  But just to be sure, please let me know what you see after
> shifting the container uids.

After using the container-userns-convert script and the uidmapshift program to chown 
the rootfs, I can run the container successfully. But in the container, I found the 
file attributes look like:
drwxr-xr-x   2 1 1  4096 Jul 11 11:47 bin
drwxr-xr-x   2 1 1  4096 Jul 11 11:47 boot
drwxr-xr-x   8 1 1  4096 Jul 11 12:28 dev
drwxr-xr-x  67 1 1  4096 Jul 11 12:28 etc
drwxr-xr-x   2 1 1  4096 Jul 11 11:47 home
drwxr-xr-x   9 1 1  4096 Jul 11 11:47 lib
drwxr-xr-x   7 1 1  4096 Jul 11 11:47 lib64
drwxr-xr-x   2 1 1  4096 Jul 11 11:47 media
drwxr-xr-x   2 1 1  4096 Jul 11 11:47 mnt
drwxr-xr-x   2 1 1  4096 Jul 11 11:47 opt
dr-xr-xr-x 255 root  root  0 Jul 11 12:28 proc
drwxr-xr-x   4 1 1  4096 Jul 11 11:47 root
drwxr-xr-x   3 1 1 12288 Jul 11 11:47 sbin
drwxr-xr-x   2 1 1  4096 Jul 11 11:47 selinux
drwxr-xr-x   4 1 1  4096 Jul 11 11:47 srv
dr-xr-xr-x  12 root  root  0 Jul 11 12:28 sys
drwxr-xr-t   4 1 1  4096 Jul 11 12:28 tmp
drwxr-xr-x  13 1 1  4096 Jul 11 11:47 usr
drwxr-xr-x  14 1 1  4096 Jul 11 11:47 var

and I can set some proc files that are not isolated from the host.
IMO, the container is still problematic obvious, right ?

thanks.
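As an added illustration of the mapping Serge describes above (example code written for this page, not the uidmapshift.c or container-userns-convert code from the nsexec branch), here is a small Python planner that parses lxc.id_map lines, translates container-view ids to the host ids that back them, and works out which entries of an unshifted rootfs need a chown. The ranges match the thread (u/g 0 1 2000); the paths and owner ids in the sample are constructed, and the function names are chosen here.

```python
import os
from dataclasses import dataclass

# Constructed sample: the two id_map lines from the thread.
SAMPLE_CONFIG = "lxc.id_map = u 0 1 2000\nlxc.id_map = g 0 1 2000\n"


@dataclass(frozen=True)
class IdMap:
    kind: str        # 'u' for uids, 'g' for gids
    ns_start: int    # first id as seen inside the container
    host_start: int  # host id that backs ns_start
    count: int       # length of the range


def parse_id_maps(config_text):
    """Collect the lxc.id_map lines of a container config."""
    maps = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "lxc.id_map":
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] not in ("u", "g"):
            raise ValueError("malformed lxc.id_map line: %r" % raw)
        maps.append(IdMap(fields[0], int(fields[1]), int(fields[2]), int(fields[3])))
    return maps


def to_host(maps, kind, ns_id):
    """Host id backing ns_id, or None if no range covers it (such files show
    up as the overflow id, usually 65534/nobody, inside the container)."""
    for m in maps:
        if m.kind == kind and m.ns_start <= ns_id < m.ns_start + m.count:
            return m.host_start + (ns_id - m.ns_start)
    return None


def collect_owners(rootfs):
    """(path, uid, gid) for every entry under rootfs; symlinks are not followed."""
    paths = [rootfs]
    for dirpath, dirnames, filenames in os.walk(rootfs):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    out = []
    for p in paths:
        st = os.lstat(p)
        out.append((p, st.st_uid, st.st_gid))
    return out


def plan_shift(owners, maps):
    """Treat the on-disk ids of an unshifted rootfs as container-view ids and
    compute the host ids they must become. Returns (changes, unmapped): changes
    is a list of (path, new_uid, new_gid); unmapped lists paths whose owner or
    group falls outside every range and therefore cannot be shifted."""
    changes, unmapped = [], []
    for path, uid, gid in owners:
        new_uid = to_host(maps, "u", uid)
        new_gid = to_host(maps, "g", gid)
        if new_uid is None or new_gid is None:
            unmapped.append(path)
        elif (new_uid, new_gid) != (uid, gid):
            changes.append((path, new_uid, new_gid))
    return changes, unmapped


def apply_shift(changes):
    """Perform the chowns (needs root, or CAP_CHOWN, on the host)."""
    for path, uid, gid in changes:
        os.lchown(path, uid, gid)   # lchown: never follow a symlink out of the rootfs


if __name__ == "__main__":
    # Constructed owners list standing in for collect_owners("./rootfs").
    maps = parse_id_maps(SAMPLE_CONFIG)
    owners = [("rootfs", 0, 0), ("rootfs/etc/shadow", 0, 42),
              ("rootfs/home/user", 1000, 1000), ("rootfs/opt/stray", 65534, 0)]
    changes, unmapped = plan_shift(owners, maps)
    for path, uid, gid in changes:
        print("chown %d:%d %s" % (uid, gid, path))
    for path in unmapped:
        print("SKIP (outside id_map): %s" % path)
```

A plain `chown 1 ./rootfs` only touches the top directory, which is why the planner walks every entry; it also deliberately keeps the unmapped list separate, because a file whose owner has no backing host id is exactly the kind of entry that later surfaces as nobody-owned inside the container.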



--
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel


Re: [lxc-devel] 0.9.x versions before 1.0

2013-07-11 Thread Serge Hallyn
Quoting Stéphane Graber (stgra...@ubuntu.com):
> To add to the "you broke my lxc-create" list, the new version also
> dropped the fancy header I introduced a while back (showing the template
> name, the arguments passed to it and the checksum of the template used
> at the time.
> 
> An example was:
> # Template used to create this container: ubuntu
> # Parameters passed to the template: -a amd64 -r precise
> # Template script checksum (SHA-1): b1f15036868c53cca0698f1efcadd88dfefaee9b

So as it stands, when you clone a container etc the comments
get dropped.  When you use the API to add a config item and
rewrite it, you lose comments.

How should we handle this?

One thing we could do is have 'lxc.header' and 'lxc.footer'
statements which are ignored like comments but which get
reinserted whenever we write out the config.

Or, we could simply have the lxcapi_create() function manually
prepend your fancy header as the very last thing it does, and
keep everything else the same.

Preference?

-serge



Re: [lxc-devel] Howto user namespaces?

2013-07-11 Thread Serge Hallyn
Quoting Rui Xiang (rui.xi...@huawei.com):
> On 2013/7/9 23:58, Serge Hallyn wrote:
> > Quoting Rui Xiang (rui.xi...@huawei.com):
> >> On 2013/7/5 19:48, Serge Hallyn wrote:
> >>> Quoting Rui Xiang (rui.xi...@huawei.com):
>  The same issue troubles me. I try to start the container by these ways 
> 
> ...
> 
> >>  
> >> After setting lxc.tty = 0, the result was error too:
> >>   lxc-start: Operation not permitted - failed to set mode '020644' to 
> >> '/dev/pts/1'.
> >>
> >> So ashamed that I have no better ways to solve it now. :(
> > 
> > Hi,
> > 
> > When you do
> > 
> >   lxc.id_map = u 0 1 2000
> >   lxc.id_map = g 0 1 2000
> > 
> > The container will run with uid 0 in the container being mapped to 1
> > on the host.  What I don't see is where you have shifted the uids of the
> > container's files.
> 
> Ah.., forgot to say that I used chown to the rootfs of this container:
>  # chown 1 ./rootfs
> 
> > If you look at https://code.launchpad.net/~serge-hallyn/+junk/nsexec ,
> > there are two programs of interest.  uidmapshift.c will do the uid
> > shifting (so for instance root owned files in the container will become
> > owned by 1).  The container-userns-convert script will use the
> > uidmapshift.c program as well as add the lxc.id_map files to the
> > container configuration.  I usually just do
> > 
> > container-userns-convert containername 1
> > 
> > So you'll definitely need to use the uidmapshift program to chown your
> > files, though to be honest your error sounds to me like a different
> > problem.  But just to be sure, please let me know what you see after
> > shifting the container uids.
> 
> After using the container-userns-convert script and the uidmapshift program to chown 
> the rootfs, I can run the container successfully. But in the container, I found the 
> file attributes look like:
> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 bin
> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 boot
> drwxr-xr-x   8 1 1  4096 Jul 11 12:28 dev
> drwxr-xr-x  67 1 1  4096 Jul 11 12:28 etc
> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 home
> drwxr-xr-x   9 1 1  4096 Jul 11 11:47 lib
> drwxr-xr-x   7 1 1  4096 Jul 11 11:47 lib64
> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 media
> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 mnt
> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 opt
> dr-xr-xr-x 255 root  root  0 Jul 11 12:28 proc
> drwxr-xr-x   4 1 1  4096 Jul 11 11:47 root
> drwxr-xr-x   3 1 1 12288 Jul 11 11:47 sbin
> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 selinux
> drwxr-xr-x   4 1 1  4096 Jul 11 11:47 srv
> dr-xr-xr-x  12 root  root  0 Jul 11 12:28 sys
> drwxr-xr-t   4 1 1  4096 Jul 11 12:28 tmp
> drwxr-xr-x  13 1 1  4096 Jul 11 11:47 usr
> drwxr-xr-x  14 1 1  4096 Jul 11 11:47 var

Could you make sure that proc and sys exist and get chowned before
you ever try to start the container?

> and I can set some proc files that are not isolated from the host.

Could you be more precise?  What do you mean by this?

> IMO, the container is still problematic obvious, right ?

Not sure what 'problematic obvious' means.  But so far AFAIK only
Dwight and I ever test these, so I do expect problems.

-serge



Re: [lxc-devel] 0.9.x versions before 1.0

2013-07-11 Thread Stéphane Graber
On Thu, Jul 11, 2013 at 09:22:47AM -0500, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgra...@ubuntu.com):
> > To add to the "you broke my lxc-create" list, the new version also
> > dropped the fancy header I introduced a while back (showing the template
> > name, the arguments passed to it and the checksum of the template used
> > at the time.
> > 
> > An example was:
> > # Template used to create this container: ubuntu
> > # Parameters passed to the template: -a amd64 -r precise
> > # Template script checksum (SHA-1): b1f15036868c53cca0698f1efcadd88dfefaee9b
> 
> So as it stands, when you clone a container etc the comments
> get dropped.  When you use the API to add a config item and
> rewrite it, you lose comments.
> 
> How should we handle this?
> 
> One thing we could do is have 'lxc.header' and 'lxc.footer'
> statements which are ignored like comments but which get
> reinserted whenever we write out the config.
> 
> Or, we could simply have the lxcapi_create() function manually
> prepend your fancy header as the very last thing it does, and
> keep everything else the same.
> 
> Preference?
> 
> -serge

It's true that we lose any comment with save_config() and that's fine
as people calling this through the API aren't too likely to actually
read the file by hand anyway.

My problem is the regression on initial config file creation where we
still get the layout and comments inserted by the template but no longer
have the header.

So I think it'd be good enough to have this header generated and
prepended only when the config file is first created (initial
lxcapi_create()) (which I believe is the second option you proposed).

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
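To make the trade-off concrete, here is an added Python sketch (written for this page, not lxc code) of the header Stéphane describes and of the lxc.header idea Serge floats: it generates the three comment lines with the SHA-1 of the template script, re-attaches that leading block when the key = value items are rewritten, and checks the recorded checksum against the template script on disk, which is what makes the header useful as a provenance record rather than decoration. The function names, the sample script and the config text are constructed for this example.

```python
import hashlib
import re

# Matches the third header line quoted in the thread.
CHECKSUM_RE = re.compile(r"^# Template script checksum \(SHA-1\): ([0-9a-f]{40})$", re.M)


def template_header(template_name, template_args, script_bytes):
    """The three comment lines quoted in the thread, computed at create time."""
    digest = hashlib.sha1(script_bytes).hexdigest()
    return ("# Template used to create this container: %s\n"
            "# Parameters passed to the template: %s\n"
            "# Template script checksum (SHA-1): %s\n"
            % (template_name, " ".join(template_args), digest))


def split_header(config_text):
    """Separate the leading comment block (the would-be lxc.header) from the rest."""
    lines = config_text.splitlines(keepends=True)
    n = 0
    while n < len(lines) and lines[n].startswith("#"):
        n += 1
    return "".join(lines[:n]), "".join(lines[n:])


def rewrite_config(config_text, extra_items):
    """Model of a save_config() that re-emits only key = value items, dropping
    comments inside the body as today, but re-attaches the leading header block.
    extra_items is a list of (key, value) pairs, so repeated keys such as
    lxc.id_map are kept rather than collapsed into a dict."""
    header, body = split_header(config_text)
    items = []
    for line in body.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition("=")
        items.append((key.strip(), value.strip()))
    items.extend(extra_items)
    return header + "".join("%s = %s\n" % kv for kv in items)


def verify_template(config_text, script_bytes):
    """True if the template script still matches the checksum recorded at
    creation, False if it has changed, None if the config carries no header."""
    match = CHECKSUM_RE.search(config_text)
    if match is None:
        return None
    return match.group(1) == hashlib.sha1(script_bytes).hexdigest()


if __name__ == "__main__":
    # Constructed sample: a fake template script and a short config body.
    script = b"#!/bin/sh\necho creating rootfs\n"
    config = template_header("ubuntu", ["-a", "amd64", "-r", "precise"], script)
    config += "lxc.tty = 4\n# note left by the template\nlxc.id_map = u 0 1 2000\n"
    rewritten = rewrite_config(config, [("lxc.id_map", "g 0 1 2000")])
    print(rewritten)
    print("template unchanged:", verify_template(rewritten, script))
    print("template edited since creation:",
          verify_template(rewritten, script + b"# edited later\n"))
```

Prepending the header only in lxcapi_create() (the option Stéphane prefers) is the `template_header` call alone; the lxc.header variant is `split_header` plus the re-attachment in `rewrite_config`. Either way the checksum line is only worth keeping if something like `verify_template` ever reads it back.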




Re: [lxc-devel] 0.9.x versions before 1.0

2013-07-11 Thread Dwight Engen
On Thu, 11 Jul 2013 09:22:47 -0500
Serge Hallyn  wrote:

> Quoting Stéphane Graber (stgra...@ubuntu.com):
> > To add to the "you broke my lxc-create" list, the new version also
> > dropped the fancy header I introduced a while back (showing the
> > template name, the arguments passed to it and the checksum of the
> > template used at the time.
> > 
> > An example was:
> > # Template used to create this container: ubuntu
> > # Parameters passed to the template: -a amd64 -r precise
> > # Template script checksum (SHA-1):
> > b1f15036868c53cca0698f1efcadd88dfefaee9b
> 
> So as it stands, when you clone a container etc the comments
> get dropped.  When you use the API to add a config item and
> rewrite it, you lose comments.

Hi Serge, I also noticed that when you clone the lxc.id_map items get
dropped as well. Maybe this is intentional though, I guess the clone
should really get some new, unique range but we'd have to figure out
what that range is and also shift the ids in the rootfs so that seems
like not an easy problem.

> How should we handle this?
> 
> One thing we could do is have 'lxc.header' and 'lxc.footer'
> statements which are ignored like comments but which get
> reinserted whenever we write out the config.
> 
> Or, we could simply have the lxcapi_create() function manually
> prepend your fancy header as the very last thing it does, and
> keep everything else the same.
> 
> Preference?
> 
> -serge




Re: [lxc-devel] [PATCH RFC] Accomodate stricter devices cgroup rules

2013-07-11 Thread Serge Hallyn
Quoting Serge Hallyn (serge.hal...@ubuntu.com):
> 3.10 kernel comes with proper hierarchical enforcement of devices
> cgroup.  To keep that code somewhat sane, certain things are not
> allowed.  Switching from default-allow to default-deny and vice versa
> are not allowed when there are children cgroups.  (This *could* be
> simplified in the kernel by checking that all child cgroups are
> unpopulated, but that has not yet been done and may be rejected)
> 
> The mountcgroup hook causes lxc-start to break with 3.10 kernels, because
> you cannot write 'a' to devices.deny once you have a child cgroup.  With
> this patch, (a) lxcpath is passed to hooks, (b) the cgroup mount hook sets
> the container's devices cgroup, and (c) setup_cgroup() during lxc startup
> ignores failures to write to devices subsystem if we are already in a
> child of the container's new cgroup.
> 
> ((a) is not really related to this bug, but is definitely needed.
> The followup work of making the other hooks use the passed-in lxcpath
> is still to be done)
> 
> Signed-off-by: Serge Hallyn 

I've gone ahead and pushed this for now.

I need to spend time working on the nestable cgroup manager which
would completely obsolete this issue.



[lxc-devel] [PATCH] lxc_create: add outfile option

2013-07-11 Thread Serge Hallyn
lxc-create ... -o -

will send template output to standard output (the old default).

lxc-create ... without any -o will hide template output.

lxc-create -o /tmp/xxx will send template output to the file
/tmp/xxx.

Reported-by: "S.Çağlar Onur" 
Signed-off-by: Serge Hallyn 
---
 src/lxc/arguments.h  |2 +-
 src/lxc/lxc_create.c |   22 ++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/src/lxc/arguments.h b/src/lxc/arguments.h
index 3d1df70..6ab88fc 100644
--- a/src/lxc/arguments.h
+++ b/src/lxc/arguments.h
@@ -81,7 +81,7 @@ struct lxc_arguments {
char *fstype;
unsigned long fssize;
char *lvname, *vgname;
-   char *zfsroot, *lowerdir, *dir;
+   char *zfsroot, *lowerdir, *dir, *outfile;
 
/* remaining arguments */
char *const *argv;
diff --git a/src/lxc/lxc_create.c b/src/lxc/lxc_create.c
index 6d8ca01..32805f4 100644
--- a/src/lxc/lxc_create.c
+++ b/src/lxc/lxc_create.c
@@ -68,6 +68,7 @@ static int my_parser(struct lxc_arguments* args, int c, char* 
arg)
case '3': args->fssize = get_fssize(arg); break;
case '4': args->zfsroot = arg; break;
case '5': args->dir = arg; break;
+   case '6': args->outfile = arg; break;
}
return 0;
 }
@@ -82,6 +83,7 @@ static const struct option my_longopts[] = {
{"fssize", required_argument, 0, '3'},
{"zfsroot", required_argument, 0, '4'},
{"dir", required_argument, 0, '5'},
+   {"outfile", required_argument, 0, '6'},
LXC_COMMON_OPTIONS
 };
 
@@ -134,6 +136,9 @@ Options :\n\
   --fssize=SIZE Create filesystem of size SIZE\n\
 (Default: 1G))\n\
   --dir=DIR Place rootfs directory under DIR\n\
+  --outfile=FILEPrint template output to FILE\n\
+Use '-' to indicate stdout\n\
+If unspecified, output is hidden\n\
   --zfsroot=PATHCreate zfs under given zfsroot\n\
 (Default: tank/lxc))\n",
.options  = my_longopts,
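Review bot: the commit message and this help text disagree on the option name: the message says `-o -` and `-o /tmp/xxx`, but the only option added is `--outfile`, and `-o` is already taken by the common options for the log file, so the message should be corrected before this lands. Two further documentation points for this hunk: `If unspecified, output is hidden` silently reverses the previous default (the commit message itself calls stdout "the old default"), which deserves an explicit call-out in the help; and the help should say that with no `--outfile` stdin is replaced by /dev/zero as well, since a template that prompts will then read an endless stream of NUL bytes instead of failing cleanly.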
@@ -228,6 +233,23 @@ int main(int argc, char *argv[])
 
if (strcmp(my_args.bdevtype, "_unset") == 0)
my_args.bdevtype = NULL;
+
+   /* redirect output if requested */
+   if (!my_args.outfile) {
+   close(0); close(1); close(2);
+   open("/dev/zero", O_RDONLY);
+   open("/dev/null", O_RDWR);
+   open("/dev/null", O_RDWR);
+   } else if (strcmp(my_args.outfile, "-") != 0) {
+   mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP;
+   close(0); close(1); close(2);
+   open("/dev/zero", O_RDONLY);
+   if (open(my_args.outfile, O_RDWR | O_CREAT, mode) < 0 ||
+   open(my_args.outfile, O_RDWR) < 0) {
+   SYSERROR("Error opening %s\n", my_args.outfile);
+   exit(1);
+   }
+   }
if (!c->create(c, my_args.template, my_args.bdevtype, &spec, 
&argv[optind])) {
ERROR("Error creating container %s", c->name);
lxc_container_put(c);
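Review bot: in the `else if` branch the output file is opened twice, `open(my_args.outfile, O_RDWR | O_CREAT, mode)` for fd 1 and `open(my_args.outfile, O_RDWR)` for fd 2. Each open() yields its own file description with its own offset, so stderr output starts at byte 0 and overwrites whatever stdout has written, and because neither open passes O_TRUNC an existing file also keeps stale bytes past the end of the new output. Open the file once with O_WRONLY | O_CREAT | O_TRUNC and dup2() that fd onto 1 and 2. Three smaller points in the same block: the `/dev/zero` and `/dev/null` opens are unchecked and rely on lowest-fd allocation, so a single failure silently shifts every later descriptor by one (dup2() onto explicit slots avoids that); fd 2 is closed before the outfile open that can fail, so `SYSERROR("Error opening %s\n", my_args.outfile)` has nowhere to go when the log is on stderr, and the `ERROR("Error creating container %s", c->name)` below is likewise swallowed in the no-outfile case, so open everything first and only then replace 0-2; and since lxc-create runs as root and the commit message's example path is /tmp/xxx, O_CREAT without O_EXCL or O_NOFOLLOW will follow a pre-existing symlink at that path, so add O_NOFOLLOW (or create with O_EXCL).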
-- 
1.7.9.5




Re: [lxc-devel] [PATCH] lxc_create: add outfile option

2013-07-11 Thread Dwight Engen
On Thu, 11 Jul 2013 14:48:21 -0500
Serge Hallyn  wrote:

> lxc-create ... -o -
> 
> will send template output to standard output (the old default).
> 
> lxc-create ... without any -o will hide template output.
> 
> lxc-create -o /tmp/xxx will send template output to the file
> /tmp/xxx.

I like having a -o for lxc-create, but I'm not sure we should change the
default of lxc-create to not show the template output. For interactive
use it can be quite useful, whereas I think silent certainly makes sense
for the API (which is what I think Çağlar's original concern was).

Maybe the API should take fds which we can dup2() onto 0,1,2 of the
forked create process to handle both cases? (and would allow the API to
capture the output if so desired)

On a related note, I guess we should make sure that all of the
templates are non-interactive, especially if we're going to give
them /dev/zero for stdin. Just thought I'd mention it given that the
ssh one for example was asking for a passphrase until just recently ;)

> Reported-by: "S.Çağlar Onur" 
> Signed-off-by: Serge Hallyn 
> ---
>  src/lxc/arguments.h  |2 +-
>  src/lxc/lxc_create.c |   22 ++
>  2 files changed, 23 insertions(+), 1 deletion(-)
> 
> diff --git a/src/lxc/arguments.h b/src/lxc/arguments.h
> index 3d1df70..6ab88fc 100644
> --- a/src/lxc/arguments.h
> +++ b/src/lxc/arguments.h
> @@ -81,7 +81,7 @@ struct lxc_arguments {
>   char *fstype;
>   unsigned long fssize;
>   char *lvname, *vgname;
> - char *zfsroot, *lowerdir, *dir;
> + char *zfsroot, *lowerdir, *dir, *outfile;
>  
>   /* remaining arguments */
>   char *const *argv;
> diff --git a/src/lxc/lxc_create.c b/src/lxc/lxc_create.c
> index 6d8ca01..32805f4 100644
> --- a/src/lxc/lxc_create.c
> +++ b/src/lxc/lxc_create.c
> @@ -68,6 +68,7 @@ static int my_parser(struct lxc_arguments* args,
> int c, char* arg) case '3': args->fssize = get_fssize(arg); break;
>   case '4': args->zfsroot = arg; break;
>   case '5': args->dir = arg; break;
> + case '6': args->outfile = arg; break;
>   }
>   return 0;
>  }
> @@ -82,6 +83,7 @@ static const struct option my_longopts[] = {
>   {"fssize", required_argument, 0, '3'},
>   {"zfsroot", required_argument, 0, '4'},
>   {"dir", required_argument, 0, '5'},
> + {"outfile", required_argument, 0, '6'},
>   LXC_COMMON_OPTIONS
>  };
>  
> @@ -134,6 +136,9 @@ Options :\n\
>--fssize=SIZE Create filesystem of size SIZE\n\
>  (Default: 1G))\n\
>--dir=DIR Place rootfs directory under DIR\n\
> +  --outfile=FILEPrint template output to FILE\n\
> +Use '-' to indicate stdout\n\
> +If unspecified, output is hidden\n\
>--zfsroot=PATHCreate zfs under given zfsroot\n\
>  (Default: tank/lxc))\n",
>   .options  = my_longopts,
> @@ -228,6 +233,23 @@ int main(int argc, char *argv[])
>  
>   if (strcmp(my_args.bdevtype, "_unset") == 0)
>   my_args.bdevtype = NULL;
> +
> + /* redirect output if requested */
> + if (!my_args.outfile) {
> + close(0); close(1); close(2);
> + open("/dev/zero", O_RDONLY);
> + open("/dev/null", O_RDWR);
> + open("/dev/null", O_RDWR);
> + } else if (strcmp(my_args.outfile, "-") != 0) {
> + mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP;
> + close(0); close(1); close(2);
> + open("/dev/zero", O_RDONLY);
> + if (open(my_args.outfile, O_RDWR | O_CREAT, mode) <
> 0 ||
> + open(my_args.outfile, O_RDWR) < 0) {
> + SYSERROR("Error opening %s\n",
> my_args.outfile);
> + exit(1);
> + }
> + }
>   if (!c->create(c, my_args.template, my_args.bdevtype, &spec,
> &argv[optind])) { ERROR("Error creating container %s", c->name);
>   lxc_container_put(c);




Re: [lxc-devel] [PATCH] lxc_create: add outfile option

2013-07-11 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
> On Thu, 11 Jul 2013 14:48:21 -0500
> Serge Hallyn  wrote:
> 
> > lxc-create ... -o -
> > 
> > will send template output to standard output (the old default).
> > 
> > lxc-create ... without any -o will hide template output.
> > 
> > lxc-create -o /tmp/xxx will send template output to the file
> > /tmp/xxx.
> 
> I like having a -o for lxc-create, but I'm not sure we should change the

Sorry, that was wrong in my commit msg.

only '--outfile' works (because 'o' is used by the common options for
logfile output)

> default of lxc-create to not show the template output. For interactive

We could swap the meanings so that '--outfile -' means on output, and
not listing '--outfile' shows the output on stdout.

> use it can be quite useful, whereas I think silent certainly makes sense
> for the API (which is what I think Çağlar's original concern was).

Oh, hm, yeah.  So my approach actually doesn't suffice.  I was
thinking callers could do the same thing, but that's somewhat
silly.

> Maybe the API should take fds which we can dup2() onto 0,1,2 of the
> forked create process to handle both cases? (and would allow the API to
> capture the output if so desired)

pass in an int* which is either NULL or contains 3 ints (i.e.
-1, 10, 10 if 10 is an output file)?

> On a related note, I guess we should make sure that all of the
> templates are non-interactive, especially if we're going to give
> them /dev/zero for stdin. Just thought I'd mention it given that the
> ssh one for example was asking for a passphrase until just recently ;)
> 
> > Reported-by: "S.Çağlar Onur" 
> > Signed-off-by: Serge Hallyn 
> > ---
> >  src/lxc/arguments.h  |2 +-
> >  src/lxc/lxc_create.c |   22 ++
> >  2 files changed, 23 insertions(+), 1 deletion(-)
> > 
> > diff --git a/src/lxc/arguments.h b/src/lxc/arguments.h
> > index 3d1df70..6ab88fc 100644
> > --- a/src/lxc/arguments.h
> > +++ b/src/lxc/arguments.h
> > @@ -81,7 +81,7 @@ struct lxc_arguments {
> > char *fstype;
> > unsigned long fssize;
> > char *lvname, *vgname;
> > -   char *zfsroot, *lowerdir, *dir;
> > +   char *zfsroot, *lowerdir, *dir, *outfile;
> >  
> > /* remaining arguments */
> > char *const *argv;
> > diff --git a/src/lxc/lxc_create.c b/src/lxc/lxc_create.c
> > index 6d8ca01..32805f4 100644
> > --- a/src/lxc/lxc_create.c
> > +++ b/src/lxc/lxc_create.c
> > @@ -68,6 +68,7 @@ static int my_parser(struct lxc_arguments* args,
> > int c, char* arg) case '3': args->fssize = get_fssize(arg); break;
> > case '4': args->zfsroot = arg; break;
> > case '5': args->dir = arg; break;
> > +   case '6': args->outfile = arg; break;
> > }
> > return 0;
> >  }
> > @@ -82,6 +83,7 @@ static const struct option my_longopts[] = {
> > {"fssize", required_argument, 0, '3'},
> > {"zfsroot", required_argument, 0, '4'},
> > {"dir", required_argument, 0, '5'},
> > +   {"outfile", required_argument, 0, '6'},
> > LXC_COMMON_OPTIONS
> >  };
> >  
> > @@ -134,6 +136,9 @@ Options :\n\
> >--fssize=SIZE Create filesystem of size SIZE\n\
> >  (Default: 1G))\n\
> >--dir=DIR Place rootfs directory under DIR\n\
> > +  --outfile=FILEPrint template output to FILE\n\
> > +Use '-' to indicate stdout\n\
> > +If unspecified, output is hidden\n\
> >--zfsroot=PATHCreate zfs under given zfsroot\n\
> >  (Default: tank/lxc))\n",
> > .options  = my_longopts,
> > @@ -228,6 +233,23 @@ int main(int argc, char *argv[])
> >  
> > if (strcmp(my_args.bdevtype, "_unset") == 0)
> > my_args.bdevtype = NULL;
> > +
> > +   /* redirect output if requested */
> > +   if (!my_args.outfile) {
> > +   close(0); close(1); close(2);
> > +   open("/dev/zero", O_RDONLY);
> > +   open("/dev/null", O_RDWR);
> > +   open("/dev/null", O_RDWR);
> > +   } else if (strcmp(my_args.outfile, "-") != 0) {
> > +   mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP;
> > +   close(0); close(1); close(2);
> > +   open("/dev/zero", O_RDONLY);
> > +   if (open(my_args.outfile, O_RDWR | O_CREAT, mode) <
> > 0 ||
> > +   open(my_args.outfile, O_RDWR) < 0) {
> > +   SYSERROR("Error opening %s\n",
> > my_args.outfile);
> > +   exit(1);
> > +   }
> > +   }
> > if (!c->create(c, my_args.template, my_args.bdevtype, &spec,
> > &argv[optind])) { ERROR("Error creating container %s", c->name);
> > lxc_container_put(c);
> 


Re: [lxc-devel] [PATCH] lxc_create: add outfile option

2013-07-11 Thread Dwight Engen
On Thu, 11 Jul 2013 15:40:10 -0500
Serge Hallyn  wrote:

> Quoting Dwight Engen (dwight.en...@oracle.com):
> > On Thu, 11 Jul 2013 14:48:21 -0500
> > Serge Hallyn  wrote:
> > 
> > > lxc-create ... -o -
> > > 
> > > will send template output to standard output (the old default).
> > > 
> > > lxc-create ... without any -o will hide template output.
> > > 
> > > lxc-create -o /tmp/xxx will send template output to the file
> > > /tmp/xxx.
> > 
> > I like having a -o for lxc-create, but I'm not sure we should
> > change the
> 
> Sorry, that was wrong in my commit msg.
> 
> only '--outfile' works (because 'o' is used by the common options for
> logfile output)
> 
> > default of lxc-create to not show the template output. For
> > interactive
> 
> We could swap the meanings so that '--outfile -' means on output, and
> not listing '--outfile' shows the output on stdout.

Sorry, I'm not getting the difference between --outfile - and just
getting output on stdout? My main concern was that lxc-create without
any extra args do what it does today (shows output).
 
> > use it can be quite useful, whereas I think silent certainly makes
> > sense for the API (which is what I think Çağlar's original concern
> > was).
> 
> Oh, hm, yeah.  So my approach actually doesn't suffice.  I was
> thinking callers could do the same thing, but that's somewhat
> silly.
> 
> > Maybe the API should take fds which we can dup2() onto 0,1,2 of the
> > forked create process to handle both cases? (and would allow the
> > API to capture the output if so desired)
> 
> pass in an int* which is either NULL or contains 3 ints (i.e.
> -1, 10, 10 if 10 is an output file)?

Yeah I think that would work, or 3 separate ints like we do for
lxcapi_console(). Either way, if the caller passes -1, does that mean we
would use the callers existing stdin,out,err i.e. don't dup2() that fd
at all, or that we will ensure stdin,out,err are /dev/null? The latter is
probably easier for API callers and lxc-create can just pass the fd's
it wants.

> > On a related note, I guess we should make sure that all of the
> > templates are non-interactive, especially if we're going to give
> > them /dev/zero for stdin. Just thought I'd mention it given that the
> > ssh one for example was asking for a passphrase until just
> > recently ;)
> > 
> > > Reported-by: "S.Çağlar Onur" 
> > > Signed-off-by: Serge Hallyn 
> > > ---
> > >  src/lxc/arguments.h  |2 +-
> > >  src/lxc/lxc_create.c |   22 ++
> > >  2 files changed, 23 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/src/lxc/arguments.h b/src/lxc/arguments.h
> > > index 3d1df70..6ab88fc 100644
> > > --- a/src/lxc/arguments.h
> > > +++ b/src/lxc/arguments.h
> > > @@ -81,7 +81,7 @@ struct lxc_arguments {
> > >   char *fstype;
> > >   unsigned long fssize;
> > >   char *lvname, *vgname;
> > > - char *zfsroot, *lowerdir, *dir;
> > > + char *zfsroot, *lowerdir, *dir, *outfile;
> > >  
> > >   /* remaining arguments */
> > >   char *const *argv;
> > > diff --git a/src/lxc/lxc_create.c b/src/lxc/lxc_create.c
> > > index 6d8ca01..32805f4 100644
> > > --- a/src/lxc/lxc_create.c
> > > +++ b/src/lxc/lxc_create.c
> > > @@ -68,6 +68,7 @@ static int my_parser(struct lxc_arguments* args,
> > > int c, char* arg) case '3': args->fssize = get_fssize(arg); break;
> > >   case '4': args->zfsroot = arg; break;
> > >   case '5': args->dir = arg; break;
> > > + case '6': args->outfile = arg; break;
> > >   }
> > >   return 0;
> > >  }
> > > @@ -82,6 +83,7 @@ static const struct option my_longopts[] = {
> > >   {"fssize", required_argument, 0, '3'},
> > >   {"zfsroot", required_argument, 0, '4'},
> > >   {"dir", required_argument, 0, '5'},
> > > + {"outfile", required_argument, 0, '6'},
> > >   LXC_COMMON_OPTIONS
> > >  };
> > >  
> > > @@ -134,6 +136,9 @@ Options :\n\
> > >--fssize=SIZE Create filesystem of size SIZE\n\
> > >  (Default: 1G))\n\
> > >--dir=DIR Place rootfs directory under DIR\n\
> > > +  --outfile=FILEPrint template output to FILE\n\
> > > +Use '-' to indicate stdout\n\
> > > +If unspecified, output is hidden\n\
> > >--zfsroot=PATHCreate zfs under given zfsroot\n\
> > >  (Default: tank/lxc))\n",
> > >   .options  = my_longopts,
> > > @@ -228,6 +233,23 @@ int main(int argc, char *argv[])
> > >  
> > >   if (strcmp(my_args.bdevtype, "_unset") == 0)
> > >   my_args.bdevtype = NULL;
> > > +
> > > + /* redirect output if requested */
> > > + if (!my_args.outfile) {
> > > + close(0); close(1); close(2);
> > > + open("/dev/zero", O_RDONLY);
> > > + open("/dev/null", O_RDWR);
> > > + open("/dev/null", O_RDWR);
> > > + } else if (strcmp(my_args.outfile, "-") != 0) {
> > > + mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP;
> > > + close(0); close(1); close(2);
> > > + open("/dev/zero", O_RDONLY);
> > > + if (open(my_args.outfile, O_RDWR | O_C

Re: [lxc-devel] [PATCH] lxc_create: add outfile option

2013-07-11 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
> On Thu, 11 Jul 2013 15:40:10 -0500
> Serge Hallyn  wrote:
> 
> > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > On Thu, 11 Jul 2013 14:48:21 -0500
> > > Serge Hallyn  wrote:
> > > 
> > > > lxc-create ... -o -
> > > > 
> > > > will send template output to standard output (the old default).
> > > > 
> > > > lxc-create ... without any -o will hide template output.
> > > > 
> > > > lxc-create -o /tmp/xxx will send template output to the file
> > > > /tmp/xxx.
> > > 
> > > I like having a -o for lxc-create, but I'm not sure we should
> > > change the
> > 
> > Sorry, that was wrong in my commit msg.
> > 
> > only '--outfile' works (because 'o' is used by the common options for
> > logfile output)
> > 
> > > default of lxc-create to not show the template output. For
> > > interactive
> > 
> > We could swap the meanings so that '--outfile -' means on output, and
> > not listing '--outfile' shows the output on stdout.
> 
> Sorry, I'm not getting the difference between --outfile - and just
> getting output on stdout? My main concern was that lxc-create without
> any extra args do what it does today (shows output).

With this current patch:

lxc-create with no extra args does not show output
"lxc-create --outfile -" shows output to stdout

I'm suggesting we just flip those.

> > > use it can be quite useful, whereas I think silent certainly makes
> > > sense for the API (which is what I think Çağlar's original concern
> > > was).
> > 
> > Oh, hm, yeah.  So my approach actually doesn't suffice.  I was
> > thinking callers could do the same thing, but that's somewhat
> > silly.
> > 
> > > Maybe the API should take fds which we can dup2() onto 0,1,2 of the
> > > forked create process to handle both cases? (and would allow the
> > > API to capture the output if so desired)
> > 
> > pass in an int* which is either NULL or contains 3 ints (i.e.
> > -1, 10, 10 if 10 is an output file)?
> 
> Yeah I think that would work, or 3 separate ints like we do for
> lxcapi_console(). Either way, if the caller passes -1, does that mean we
> would use the caller's existing stdin,out,err i.e. don't dup2() that fd

I was thinking -1 would mean leave that fd alone, but

> at all, or that we will ensure stdin,out,err are /dev/null? The latter is
> probably easier for API callers and lxc-create can just pass the fd's
> it wants.

Agreed, that seems to make sense.

--
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
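The fd-passing API the two of them converge on above (three descriptors, -1 meaning /dev/null, each dup2()'d onto 0, 1 and 2 in the forked template process), worked through as an added example for this page; it is not code from lxc, from the --outfile patch or from anyone in the thread. It also shows, in the comments, why the close()+open() sequence in that patch is fragile. The names redirect_stdio(), run_template_child() and check_capture() are my own, the child process stands in for a template script and is constructed for the demonstration, and the code assumes Linux (O_CLOEXEC, F_DUPFD_CLOEXEC).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

static int is_devnull(int fd)           /* same char device as /dev/null? */
{
    struct stat a, b;
    return fstat(fd, &a) == 0 && stat("/dev/null", &b) == 0 &&
           S_ISCHR(a.st_mode) && a.st_rdev == b.st_rdev;
}

/* Install fds[0..2] as stdin/stdout/stderr. -1 means "goes to /dev/null"
 * (the convention the thread settles on); anything else is dup2()'d onto
 * that slot. Sources are copied to descriptors >= 3 first, so {2, 1, 0} or one
 * fd for both stdout and stderr cannot clobber a source a later dup2() needs;
 * dup2() also lands on the requested number atomically, unlike close()+open(),
 * which only reaches 0/1/2 if every open() in the sequence succeeds. */
int redirect_stdio(const int fds[3])
{
    int tmp[3] = { -1, -1, -1 }, devnull = -1, rc = -1;
    for (int i = 0; i < 3; i++) {
        int src = fds[i];
        if (src == -1) {
            if (devnull < 0 &&
                (devnull = open("/dev/null", O_RDWR | O_CLOEXEC)) < 0)
                goto out;
            src = devnull;
        }
        if ((tmp[i] = fcntl(src, F_DUPFD_CLOEXEC, 3)) < 0)
            goto out;
    }
    if (devnull >= 0)           /* may itself be 0, 1 or 2; tmp[] is safe */
        close(devnull), devnull = -1;
    /* dup2() clears FD_CLOEXEC on the target: an exec'd template inherits
     * exactly these three descriptors and nothing else opened here */
    for (int i = 0; i < 3; i++)
        if (dup2(tmp[i], i) < 0)
            goto out;
    rc = 0;
out:
    for (int i = 0; i < 3; i++)
        if (tmp[i] >= 0)
            close(tmp[i]);
    if (devnull >= 0)
        close(devnull);
    return rc;
}

/* Stand-in for the forked template: redirect, write a line to stdout and one
 * to stderr; exits 2/3/4 if redirect, the /dev/null check or a write fails. */
static int run_template_child(const int fds[3], const char *out_msg,
                              const char *err_msg)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (redirect_stdio(fds) < 0)
            _exit(2);
        for (int i = 0; i < 3; i++)
            if (fds[i] == -1 && !is_devnull(i))
                _exit(3);
        if (write(STDOUT_FILENO, out_msg, strlen(out_msg)) < 0 ||
            write(STDERR_FILENO, err_msg, strlen(err_msg)) < 0)
            _exit(4);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Child with stdout on a pipe and stderr on the same pipe (capture_stderr)
 * or discarded; 1 if it exited 0 and the bytes read back equal expected. */
int check_capture(const char *out_msg, const char *err_msg,
                  int capture_stderr, const char *expected)
{
    int p[2]; char buf[256];
    if (pipe(p) < 0)
        return 0;
    int fds[3] = { -1, p[1], capture_stderr ? p[1] : -1 };
    int rc = run_template_child(fds, out_msg, err_msg);
    close(p[1]);
    ssize_t n = read(p[0], buf, sizeof buf - 1); /* child already exited */
    close(p[0]);
    buf[n < 0 ? 0 : n] = '\0';
    return rc == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    const char *out = "template output\n", *err = "template warning\n";
    printf("stdout kept, stderr dropped: %s\n", check_capture(out, err, 0, out) ? "ok" : "FAIL");
    printf("both kept: %s\n", check_capture(out, err, 1, "template output\ntemplate warning\n") ? "ok" : "FAIL");
    return 0;
}
```

With this shape an API caller gets all three behaviours discussed in the thread from one function: {-1, -1, -1} is the silent create, {-1, 1, 2} keeps today's stdout/stderr, and {-1, fd, fd} sends template output to a file the caller opened itself, with whatever O_NOFOLLOW or O_EXCL policy it wants.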


Re: [lxc-devel] 0.9.x versions before 1.0

2013-07-11 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
> On Thu, 11 Jul 2013 09:22:47 -0500
> Serge Hallyn  wrote:
> 
> > Quoting Stéphane Graber (stgra...@ubuntu.com):
> > > To add to the "you broke my lxc-create" list, the new version also
> > > dropped the fancy header I introduced a while back (showing the
> > > template name, the arguments passed to it and the checksum of the
> > > template used at the time).
> > > 
> > > An example was:
> > > # Template used to create this container: ubuntu
> > > # Parameters passed to the template: -a amd64 -r precise
> > > # Template script checksum (SHA-1):
> > > b1f15036868c53cca0698f1efcadd88dfefaee9b
> > 
> > So as it stands, when you clone a container etc the comments
> > get dropped.  When you use the API to add a config item and
> > rewrite it, you lose comments.
> 
> Hi Serge, I also noticed that when you clone the lxc.id_map items get
> dropped as well. Maybe this is intentional though, I guess the clone
> should really get some new, unique range but we'd have to figure out
> what that range is and also shift the ids in the rootfs so that seems
> like not an easy problem.

I did not do this intentionally.  I think this is a bug (missing block
of code) in the save_config code.

I think it would be better to have lxc-clone maintain the uid mappings,
then have a separate minimal utility (or api function) to shift the
uids.  Really the 'container-userns-convert' script should become an
api function and should shift from any uid mapping to any other (not
just non-mapped to newly mapped).



Re: [lxc-devel] [PATCH] lxc_create: add outfile option

2013-07-11 Thread Dwight Engen
On Thu, 11 Jul 2013 16:22:11 -0500
Serge Hallyn  wrote:

> Quoting Dwight Engen (dwight.en...@oracle.com):
> > On Thu, 11 Jul 2013 15:40:10 -0500
> > Serge Hallyn  wrote:
> > 
> > > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > > On Thu, 11 Jul 2013 14:48:21 -0500
> > > > Serge Hallyn  wrote:
> > > > 
> > > > > lxc-create ... -o -
> > > > > 
> > > > > will send template output to standard output (the old
> > > > > default).
> > > > > 
> > > > > lxc-create ... without any -o will hide template output.
> > > > > 
> > > > > lxc-create -o /tmp/xxx will send template output to the file
> > > > > /tmp/xxx.
> > > > 
> > > > I like having a -o for lxc-create, but I'm not sure we should
> > > > change the
> > > 
> > > Sorry, that was wrong in my commit msg.
> > > 
> > > only '--outfile' works (because 'o' is used by the common options
> > > for logfile output)
> > > 
> > > > default of lxc-create to not show the template output. For
> > > > interactive
> > > 
> > > We could swap the meanings so that '--outfile -' means no output,
> > > and not listing '--outfile' shows the output on stdout.
> > 
> > Sorry, I'm not getting the difference between --outfile - and just
> > getting output on stdout? My main concern was that lxc-create
> > without any extra args do what it does today (shows output).
> 
> With this current patch:
> 
>   lxc-create with no extra args does not show output
>   "lxc-create --outfile -" shows output to stdout
> 
> I'm suggesting we just flip those.

Ahh, yep, I'd like it better flipped then as the no args case won't
change today's behavior, but if others feel strongly I don't really
care too much. So this is what I think you're proposing:

 lxc-create with no extra args -> shows output on stdout
 lxc-create --outfile - -> shows output on stdout
 lxc-create --outfile /tmp/xxx -> output in /tmp/xxx

> > > > use it can be quite useful, whereas I think silent certainly
> > > > makes sense for the API (which is what I think Çağlar's original
> > > > concern was).
> > > 
> > > Oh, hm, yeah.  So my approach actually doesn't suffice.  I was
> > > thinking callers could do the same thing, but that's somewhat
> > > silly.
> > > 
> > > > Maybe the API should take fds which we can dup2() onto 0,1,2 of
> > > > the forked create process to handle both cases? (and would
> > > > allow the API to capture the output if so desired)
> > > 
> > > pass in an int* which is either NULL or contains 3 ints (i.e.
> > > -1, 10, 10 if 10 is an output file)?
> > 
> > Yeah I think that would work, or 3 separate ints like we do for
> > lxcapi_console(). Either way, if the caller passes -1, does that
> > mean we would use the caller's existing stdin,out,err i.e. don't
> > dup2() that fd
> 
> I was thinking -1 would mean leave that fd alone, but
> 
> > at all, or that we will ensure stdin,out,err are /dev/null? The
> > latter is probably easier for API callers and lxc-create can just
> > pass the fd's it wants.
> 
> Agreed, that seems to make sense.




Re: [lxc-devel] 0.9.x versions before 1.0

2013-07-11 Thread Dwight Engen
On Thu, 11 Jul 2013 16:24:43 -0500
Serge Hallyn  wrote:

> Quoting Dwight Engen (dwight.en...@oracle.com):
> > On Thu, 11 Jul 2013 09:22:47 -0500
> > Serge Hallyn  wrote:
> > 
> > > Quoting Stéphane Graber (stgra...@ubuntu.com):
> > > > To add to the "you broke my lxc-create" list, the new version
> > > > also dropped the fancy header I introduced a while back
> > > > (showing the template name, the arguments passed to it and the
> > > > checksum of the template used at the time).
> > > > 
> > > > An example was:
> > > > # Template used to create this container: ubuntu
> > > > # Parameters passed to the template: -a amd64 -r precise
> > > > # Template script checksum (SHA-1):
> > > > b1f15036868c53cca0698f1efcadd88dfefaee9b
> > > 
> > > So as it stands, when you clone a container etc the comments
> > > get dropped.  When you use the API to add a config item and
> > > rewrite it, you lose comments.
> > 
> > Hi Serge, I also noticed that when you clone the lxc.id_map items
> > get dropped as well. Maybe this is intentional though, I guess the
> > clone should really get some new, unique range but we'd have to
> > figure out what that range is and also shift the ids in the rootfs
> > so that seems like not an easy problem.
> 
> I did not do this intentionally.  I think this is a bug (missing block
> of code) in the save_config code.
> 
> I think it would be better to have lxc-clone maintain the uid
> mappings, then have a separate minimal utility (or api function) to
> shift the uids.  Really the 'container-userns-convert' script should
> become an api function and should shift from any uid mapping to any
> other (not just non-mapped to newly mapped).

Yeah that makes sense to be able to shift independent of lxc-clone, but
I was thinking it would also be nice if the thing that is doing the
shift could automatically find a large enough hole in the id space, so
that (maybe with a flag to lxc-clone?) when a container (that has
id_mappings) is cloned it could be shifted so as not to share id space
with the parent. Where the 'map' of the whole space comes from so we can
find holes though is the tricky part (all the configs in all lxcpath's +
the new shadow-utils dbs? ug).

I think for now having lxc-clone just maintain the mapping and manually
managing the chunks of id space is fine.



Re: [lxc-devel] 0.9.x versions before 1.0

2013-07-11 Thread Serge Hallyn
Quoting Dwight Engen (dwight.en...@oracle.com):
> On Thu, 11 Jul 2013 16:24:43 -0500
> Serge Hallyn  wrote:
> 
> > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > On Thu, 11 Jul 2013 09:22:47 -0500
> > > Serge Hallyn  wrote:
> > > 
> > > > Quoting Stéphane Graber (stgra...@ubuntu.com):
> > > > > To add to the "you broke my lxc-create" list, the new version
> > > > > also dropped the fancy header I introduced a while back
> > > > > (showing the template name, the arguments passed to it and the
> > > > > checksum of the template used at the time).
> > > > > 
> > > > > An example was:
> > > > > # Template used to create this container: ubuntu
> > > > > # Parameters passed to the template: -a amd64 -r precise
> > > > > # Template script checksum (SHA-1):
> > > > > b1f15036868c53cca0698f1efcadd88dfefaee9b
> > > > 
> > > > So as it stands, when you clone a container etc the comments
> > > > get dropped.  When you use the API to add a config item and
> > > > rewrite it, you lose comments.
> > > 
> > > Hi Serge, I also noticed that when you clone the lxc.id_map items
> > > get dropped as well. Maybe this is intentional though, I guess the
> > > clone should really get some new, unique range but we'd have to
> > > figure out what that range is and also shift the ids in the rootfs
> > > so that seems like not an easy problem.
> > 
> > I did not do this intentionally.  I think this is a bug (missing block
> > of code) in the save_config code.
> > 
> > I think it would be better to have lxc-clone maintain the uid
> > mappings, then have a separate minimal utility (or api function) to
> > shift the uids.  Really the 'container-userns-convert' script should
> > become an api function and should shift from any uid mapping to any
> > other (not just non-mapped to newly mapped).
> 
> Yeah that makes sense to be able to shift independent of lxc-clone, but
> I was thinking it would also be nice if the thing that is doing the
> shift could automatically find a large enough hole in the id space, so
> that (maybe with a flag to lxc-clone?) when a container (that has
> id_mappings) is cloned it could be shifted so as not to share id space

Consider snapshot clones.  Those can't very well be uid-shifted without
a huge cost.  We can exempt those (or just let the user beware), but
the number of possibilities is becoming larger and larger.

I'm not saying we can't reconsider this later, just that I'd rather
punt on it for now.  And if we find later on that

c = lxc.Container("a1");
c2 = c.clone(...);
c2.idshift(newrange);

is clunky enough to integrate idshift straight into clone, we can do it
then.

Hell I can't even get lxc-create right :)

> with the parent. Where the 'map' of the whole space comes from so we can
> find holes though is the tricky part (all the configs in all lxcpath's +
> the new shadow-utils dbs? ug).
> 
> I think for now having lxc-clone just maintain the mapping and manually
> managing the chunks of id space is fine.



Re: [lxc-devel] [PATCH] lxc_create: add outfile option

2013-07-11 Thread S. Çağlar Onur
Hi,


On Thu, Jul 11, 2013 at 5:39 PM, Dwight Engen wrote:

> On Thu, 11 Jul 2013 16:22:11 -0500
> Serge Hallyn  wrote:
>
> > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > On Thu, 11 Jul 2013 15:40:10 -0500
> > > Serge Hallyn  wrote:
> > >
> > > > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > > > On Thu, 11 Jul 2013 14:48:21 -0500
> > > > > Serge Hallyn  wrote:
> > > > >
> > > > > > lxc-create ... -o -
> > > > > >
> > > > > > will send template output to standard output (the old
> > > > > > default).
> > > > > >
> > > > > > lxc-create ... without any -o will hide template output.
> > > > > >
> > > > > > lxc-create -o /tmp/xxx will send template output to the file
> > > > > > /tmp/xxx.
> > > > >
> > > > > I like having a -o for lxc-create, but I'm not sure we should
> > > > > change the
> > > >
> > > > Sorry, that was wrong in my commit msg.
> > > >
> > > > only '--outfile' works (because 'o' is used by the common options
> > > > for logfile output)
> > > >
> > > > > default of lxc-create to not show the template output. For
> > > > > interactive
> > > >
> > > > We could swap the meanings so that '--outfile -' means no output,
> > > > and not listing '--outfile' shows the output on stdout.
> > >
> > > Sorry, I'm not getting the difference between --outfile - and just
> > > getting output on stdout? My main concern was that lxc-create
> > > without any extra args do what it does today (shows output).
> >
> > With this current patch:
> >
> >   lxc-create with no extra args does not show output
> >   "lxc-create --outfile -" shows output to stdout
> >
> > I'm suggesting we just flip those.
>
> Ahh, yep, I'd like it better flipped then as the no args case won't
> change today's behavior, but if others feel strongly I don't really
> care too much. So this is what I think you're proposing:
>
>  lxc-create with no extra args -> shows output on stdout
>  lxc-create --outfile - -> shows output on stdout
>  lxc-create --outfile /tmp/xxx -> output in /tmp/xxx


What about adding a quiet parameter instead? It can silence the output, and
the default will write to stdout; this way people who want an output file can
redirect stdout to a file as well.


> > > > > use it can be quite useful, whereas I think silent certainly
> > > > > makes sense for the API (which is what I think Çağlar's original
> > > > > concern was).
> > > >
> > > > Oh, hm, yeah.  So my approach actually doesn't suffice.  I was
> > > > thinking callers could do the same thing, but that's somewhat
> > > > silly.
> > > >
> > > > > Maybe the API should take fds which we can dup2() onto 0,1,2 of
> > > > > the forked create process to handle both cases? (and would
> > > > > allow the API to capture the output if so desired)
> > > >
> > > > pass in an int* which is either NULL or contains 3 ints (i.e.
> > > > -1, 10, 10 if 10 is an output file)?
> > >
> > > Yeah I think that would work, or 3 separate ints like we do for
> > > lxcapi_console(). Either way, if the caller passes -1, does that
> > > mean we would use the caller's existing stdin,out,err i.e. don't
> > > dup2() that fd
> >
> > I was thinking -1 would mean leave that fd alone, but
> >
> > > at all, or that we will ensure stdin,out,err are /dev/null? The
> > > latter is probably easier for API callers and lxc-create can just
> > > pass the fd's it wants.
> >
> > Agreed, that seems to make sense.
>
>


-- 
S.Çağlar Onur 


Re: [lxc-devel] Howto user namespaces?

2013-07-11 Thread Rui Xiang
On 2013/7/11 22:26, Serge Hallyn wrote:
> Quoting Rui Xiang (rui.xi...@huawei.com):
>> On 2013/7/9 23:58, Serge Hallyn wrote:
>>> Quoting Rui Xiang (rui.xi...@huawei.com):
 On 2013/7/5 19:48, Serge Hallyn wrote:
> Quoting Rui Xiang (rui.xi...@huawei.com):
>> The same issue troubles me. I try to start the container by these ways 
>>
>> ...
>>
  
 After setting lxc.tty = 0, the result was error too:
   lxc-start: Operation not permitted - failed to set mode '020644' to 
 '/dev/pts/1'.

 So ashamed that I have no better ways to solve it now. :(
>>>
>>> Hi,
>>>
>>> When you do
>>>
>>>   lxc.id_map = u 0 1 2000
>>>   lxc.id_map = g 0 1 2000
>>>
>>> The container will run with uid 0 in the container being mapped to 1
>>> on the host.  What I don't see is where you have shifted the uids of the
>>> container's files.
>>
>> Ah.., forgot to say that I used chown to the rootfs of this container:
>>  # chown 1 ./rootfs
>>
>>> If you look at https://code.launchpad.net/~serge-hallyn/+junk/nsexec ,
>>> there are two programs of interest.  uidmapshift.c will do the uid
>>> shifting (so for instance root owned files in the container will become
>>> owned by 1).  The container-userns-convert script will use the
>>> uidmapshift.c program as well as add the lxc.id_map files to the
>>> container configuration.  I usually just do
>>>
>>> container-userns-convert containername 1
>>>
>>> So you'll definitely need to use the uidmapshift program to chown your
>>> files, though to be honest your error sounds to me like a different
>>> problem.  But just to be sure, please let me know what you see after
>>> shifting the container uids.
>>
>> After using container-userns-convert script and uidmapshift program to chown 
>> rootfs, I can run container successfully. But in the container, I found the 
>> files attribute like :
>> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 bin
>> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 boot
>> drwxr-xr-x   8 1 1  4096 Jul 11 12:28 dev
>> drwxr-xr-x  67 1 1  4096 Jul 11 12:28 etc
>> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 home
>> drwxr-xr-x   9 1 1  4096 Jul 11 11:47 lib
>> drwxr-xr-x   7 1 1  4096 Jul 11 11:47 lib64
>> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 media
>> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 mnt
>> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 opt
>> dr-xr-xr-x 255 root  root  0 Jul 11 12:28 proc
>> drwxr-xr-x   4 1 1  4096 Jul 11 11:47 root
>> drwxr-xr-x   3 1 1 12288 Jul 11 11:47 sbin
>> drwxr-xr-x   2 1 1  4096 Jul 11 11:47 selinux
>> drwxr-xr-x   4 1 1  4096 Jul 11 11:47 srv
>> dr-xr-xr-x  12 root  root  0 Jul 11 12:28 sys
>> drwxr-xr-t   4 1 1  4096 Jul 11 12:28 tmp
>> drwxr-xr-x  13 1 1  4096 Jul 11 11:47 usr
>> drwxr-xr-x  14 1 1  4096 Jul 11 11:47 var
> 
> Could you make sure that proc and sys exist and get chowned before
> you ever try to start the container?
> 

Yes, sure. Before I started the container, the file status looked like:
 # ll
  drwxr-xr-x  2 xiangrui nstest  4096 Jul 11 19:47 bin
  drwxr-xr-x  2 xiangrui nstest  4096 Jul 11 19:47 boot
  ...
  drwxr-xr-x  2 xiangrui nstest  4096 Jul 11 19:47 proc
  drwxr-xr-x  2 xiangrui nstest  4096 Jul 11 19:47 sys

>> and I can set some proc files that are not isolated with host.
> 
> Could you be more precise?  What do you mean by this?
> 

In my view, users in the container have no permission to access and set proc files
like /proc/sys/vm/dirty_ratio because the proc files are not isolated
from the host, right?

>> IMO, the container is still problematic obvious, right ?
> 
> Not sure what 'problematic obvious' means.  But so far AFAIK only
> Dwight and I ever test these, so I do expect problems.
> 

I mean that the container I created is still obviously problematic, but
that does not show that the lxc sources certainly have any problems. :) I can't confirm
what causes this container's unavailability yet.


Thanks.




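Two passages call for the same piece of code: Serge's point in the "0.9.x versions before 1.0" thread that container-userns-convert should become an API function able to shift a rootfs from any uid mapping to any other, and Rui's `chown 1 ./rootfs` plus the root-owned proc/sys entries in the thread above. The following is an added example written for this page, not code from lxc, nsexec or uidmapshift.c. struct idmap mirrors one lxc.id_map line; shift_id(), reown(), shift_tree() and selftest() are names I chose; the temporary tree built in selftest() is constructed for the demonstration; and the code assumes Linux (fchownat with AT_SYMLINK_NOFOLLOW, and the kernel's behaviour of clearing setuid/setgid on chown). It goes beyond the thread's specific case by taking a source range as well as a target range, so the same call does the convert, the reverse, and a move between two mapped ranges.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* One contiguous mapping like an lxc.id_map line: [from, from+range) -> [to, to+range) */
struct idmap { unsigned from, to, range; };
struct shift_stats { unsigned long shifted, unmapped, failed; };
/* Mapped id, or -1 if id lies outside the range (that inode is left alone). */
int64_t shift_id(unsigned id, const struct idmap *m)
{
    if (id < m->from || id - m->from >= m->range)
        return -1;
    return (int64_t)m->to + (id - m->from);
}
/* Re-own one inode. Symlinks, devices and fifos go through
 * fchownat(AT_SYMLINK_NOFOLLOW), so a link in the rootfs aimed at a host file
 * is re-owned itself, never followed. Regular files are opened O_NOFOLLOW and
 * changed via the descriptor, which also lets us restore S_ISUID/S_ISGID:
 * chown() strips them, and losing them breaks su/sudo/ping in the container. */
static int reown(const char *path, const struct stat *st, uid_t uid, gid_t gid)
{
    if (!S_ISREG(st->st_mode))
        return fchownat(AT_FDCWD, path, uid, gid, AT_SYMLINK_NOFOLLOW);
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = fchown(fd, uid, gid);
    if (rc == 0 && (st->st_mode & (S_ISUID | S_ISGID)))
        rc = fchmod(fd, st->st_mode & 07777);
    close(fd);
    return rc;
}

static void walk(const char *path, dev_t dev, const struct idmap *u,
                 const struct idmap *g, int dry_run, struct shift_stats *s)
{
    struct stat st;
    if (lstat(path, &st) < 0) { s->failed++; return; }
    if (st.st_dev != dev) return;   /* something mounted inside the rootfs */
    int64_t nu = shift_id(st.st_uid, u), ng = shift_id(st.st_gid, g);
    if (nu < 0 && ng < 0)
        s->unmapped++;
    else if (dry_run || reown(path, &st, nu < 0 ? (uid_t)-1 : (uid_t)nu,
                              ng < 0 ? (gid_t)-1 : (gid_t)ng) == 0)
        s->shifted++;
    else
        s->failed++;
    if (!S_ISDIR(st.st_mode))
        return;
    DIR *d = opendir(path); struct dirent *e;
    if (!d) { s->failed++; return; }
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, ".."))
            continue;
        char child[PATH_MAX];
        snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        walk(child, dev, u, g, dry_run, s);
    }
    closedir(d);
}

/* Shift every inode under root (root included) without crossing mount
 * points. Returns 0, or -1 if anything failed; *s holds the counts. */
int shift_tree(const char *root, const struct idmap *u, const struct idmap *g,
               int dry_run, struct shift_stats *s)
{
    struct stat st;
    *s = (struct shift_stats){ 0 };
    if (lstat(root, &st) < 0)
        return -1;
    walk(root, st.st_dev, u, g, dry_run, s);
    return s->failed ? -1 : 0;
}

/* Self-check on a constructed tree (directory, setuid file, symlink to
 * /etc/passwd) using the calling user's identity map, so it runs unprivileged.
 * 1 if all three inodes were shifted, none failed and the setuid bit survived. */
int selftest(void)
{
    char dir[] = "/tmp/uidshift-XXXXXX", file[PATH_MAX], lnk[PATH_MAX];
    struct idmap u = { getuid(), getuid(), 1 }, g = { getgid(), getgid(), 1 };
    struct shift_stats s; struct stat fst;
    if (!mkdtemp(dir)) return 0;
    snprintf(file, sizeof file, "%s/bin-su", dir); snprintf(lnk, sizeof lnk, "%s/passwd", dir);
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0 || fchmod(fd, 04755) < 0 || close(fd) < 0 ||
        symlink("/etc/passwd", lnk) < 0)
        return 0;
    int ok = shift_tree(dir, &u, &g, 0, &s) == 0 && s.shifted == 3 &&
             s.unmapped == 0 && stat(file, &fst) == 0 && (fst.st_mode & S_ISUID);
    unlink(lnk); unlink(file); rmdir(dir);
    return ok;
}
```

Run it as root with dry_run set first: the counts tell you how many inodes fall outside the map (files already owned by a host uid, for instance) before anything is chowned. For the thread's `lxc.id_map = u 0 1 2000` the convert is `{0, 1, 2000}` and the reverse is `{1, 0, 2000}`; an unmounted proc or sys directory in the rootfs is just an empty directory on the same filesystem and gets shifted like everything else, which is what Serge asks Rui to confirm above, while anything actually mounted underneath is left alone.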


[lxc-devel] [PATCH 1/1] lxc_create: prepend pretty header to config file

2013-07-11 Thread Serge Hallyn
Define a sha1sum_file() function in utils.c (which requires configure.ac
to check for -lcrypto and -lssl).  Use that in lxcapi_create to write out
the sha1sum of the template being used.

Signed-off-by: Serge Hallyn 
---
 configure.ac   |2 +
 src/lxc/Makefile.am|2 +-
 src/lxc/lxccontainer.c |  109 ++--
 src/lxc/utils.c|   36 
 src/lxc/utils.h|2 +
 5 files changed, 146 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index 4567001..a7de8c8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -105,6 +105,8 @@ if test "$enable_apparmor" = "check" ; then
 fi
 AM_CONDITIONAL([ENABLE_APPARMOR], [test "x$enable_apparmor" = "xyes"])
 
+AC_CHECK_LIB([crypto], [EVP_get_digestbyname], [], AC_MSG_ERROR([You must 
install the ssl and crypto libraries]))
+
 AM_COND_IF([ENABLE_APPARMOR],
[AC_CHECK_HEADER([sys/apparmor.h],[],[AC_MSG_ERROR([You must install 
the AppArmor development package in order to compile lxc])])
AC_CHECK_LIB([apparmor], [aa_change_profile],[],[AC_MSG_ERROR([You must 
install the AppArmor development package in order to compile lxc])])
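Review bot: AC_CHECK_LIB([crypto], ...) here is unconditional and fatal, so a SHA-1 comment line in the config turns libcrypto into a hard build dependency of lxc, unlike apparmor just below, which stays behind ENABLE_APPARMOR and AM_COND_IF. Either guard it the same way and skip the checksum line when the library is absent, or at least check only what is used: the error text says "ssl and crypto libraries" but only libcrypto's EVP_get_digestbyname is tested, and with an empty action-if-found AC_CHECK_LIB also prepends -lcrypto to LIBS for every program in the tree rather than just liblxc.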
diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am
index 18469a1..fa090c4 100644
--- a/src/lxc/Makefile.am
+++ b/src/lxc/Makefile.am
@@ -116,7 +116,7 @@ liblxc_so_LDFLAGS = \
-shared \
-Wl,-soname,liblxc.so.$(firstword $(subst ., ,$(VERSION)))
 
-liblxc_so_LDADD = $(CAP_LIBS) $(APPARMOR_LIBS) $(SECCOMP_LIBS)
+liblxc_so_LDADD = $(CAP_LIBS) $(APPARMOR_LIBS) $(SECCOMP_LIBS) -lssl -lcrypto
 
 bin_SCRIPTS = \
lxc-ps \
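Review bot: -lssl is linked here but nothing in this patch uses libssl; the only OpenSSL symbols visible in it (EVP_MAX_MD_SIZE, and EVP_get_digestbyname in the configure check) live in libcrypto, so drop -lssl. Prefer a substituted CRYPTO_LIBS variable next to CAP_LIBS/APPARMOR_LIBS/SECCOMP_LIBS over hardcoding the flags, so the link line follows whatever configure.ac decides.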
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 4ff9d35..4b26051 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -862,6 +862,102 @@ static bool create_run_template(struct lxc_container *c, 
char *tpath,
return true;
 }
 
+bool prepend_lxc_header(char *path, const char *t, char *const argv[])
+{
+   size_t flen;
+   char *contents, *tpath;
+   int i, md_len;
+   FILE *f;
+   unsigned char md_value[EVP_MAX_MD_SIZE];
+   bool have_tpath = false;
+
+   if ((f = fopen(path, "r")) == NULL) {
+   SYSERROR("Opening old config");
+   return false;
+   }
+   if (fseek(f, 0, SEEK_END) < 0) {
+   SYSERROR("Seeking to end of old config file");
+   fclose(f);
+   return false;
+   }
+   if ((flen = ftell(f)) < 0) {
+   SYSERROR("telling size of old config");
+   fclose(f);
+   return false;
+   }
+   if (fseek(f, 0, SEEK_SET) < 0) {
+   SYSERROR("rewinding old config");
+   fclose(f);
+   return false;
+   }
+   if ((contents = malloc(flen + 1)) == NULL) {
+   SYSERROR("out of memory");
+   fclose(f);
+   return false;
+   }
+   if (fread(contents, 1, flen, f) != flen) {
+   SYSERROR("Reading old config");
+   free(contents);
+   fclose(f);
+   return false;
+   }
+   contents[flen] = '\0';
+   if (fclose(f) < 0) {
+   SYSERROR("closing old config");
+   free(contents);
+   return false;
+   }
+
+   if ((tpath = get_template_path(t)) < 0) {
+   ERROR("bad template: %s\n", t);
+   free(contents);
+   return false;
+   }
+
+   if (tpath) {
+   have_tpath = true;
+   md_len = sha1sum_file(tpath, md_value);
+   free(tpath);
+   if (md_len < 0) {
+   free(contents);
+   return false;
+   }
+   }
+
+   if ((f = fopen(path, "w")) == NULL) {
+   SYSERROR("reopening config for writing");
+   free(contents);
+   return false;
+   }
+   fprintf(f, "# Template used to create this container: %s\n", t);
+   if (argv) {
+   fprintf(f, "# Parameters passed to the template:");
+   while (*argv) {
+   fprintf(f, " %s", *argv);
+   argv++;
+   }
+   fprintf(f, "\n");
+   }
+   if (have_tpath) {
+   fprintf(f, "# Template script checksum (SHA-1): ");
+   for (i=0; ilxc_conf)
lxc_conf_free(c->lxc_conf);
c->lxc_conf = NULL;
+
+   if (!prepend_lxc_header(c->configfile, tpath, argv)) {
+   ERROR("Error prepending header to configuration file");
+   goto out_unlock;
+   }
bret = load_config_locked(c, c->configfile);
 
 out_unlock:
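Review bot: two checks in prepend_lxc_header() can never fire. `flen` is a size_t, so `if ((flen = ftell(f)) < 0)` is always false; a failed ftell() becomes flen == SIZE_MAX, `malloc(flen + 1)` wraps to malloc(0) and the following fread() writes past it. Keep ftell()'s result in a long, test that, then assign. Likewise `if ((tpath = get_template_path(t)) < 0)` compares a pointer with 0, and the NULL case is already taken by the `if (tpath)` that follows, so a bad template name is silently skipped rather than reported. Separately, `fopen(path, "w")` truncates the only copy of the container config before any fprintf() runs, and neither those nor the write-back of `contents` (the old config this function read in for exactly that purpose) is checked, so a full disk leaves an empty config behind; write header plus `contents` to a temporary file in the same directory and rename() it over `path`. Worth a comment too that the SHA-1 line is provenance (which template script produced this config), not an integrity check: nothing later verifies it.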
@@ -1612,13 +1713,13 @@ static int update_name_and_paths(const char *path, 
struct lxc_container *oldc,
}
flen = ftell(f);
if (flen < 0) {
-   fclose(f);
SYSERROR("telling size of old config");
+   
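Review bot: this last hunk (cut off here) removes the fclose(f) that preceded SYSERROR("telling size of old config") in update_name_and_paths(); if the replacement re-adds it after the SYSERROR call that is the right order, since fclose() can clobber the errno SYSERROR reports, but make sure the stream is still closed on that path, and this fix is unrelated to the header work, so say so in the commit message or split it into its own patch.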

Re: [lxc-devel] [PATCH] lxc_create: add outfile option

2013-07-11 Thread Serge Hallyn
Quoting S.Çağlar Onur (cag...@10ur.org):
> Hi,
> 
> 
> On Thu, Jul 11, 2013 at 5:39 PM, Dwight Engen wrote:
> 
> > On Thu, 11 Jul 2013 16:22:11 -0500
> > Serge Hallyn  wrote:
> >
> > > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > > On Thu, 11 Jul 2013 15:40:10 -0500
> > > > Serge Hallyn  wrote:
> > > >
> > > > > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > > > > On Thu, 11 Jul 2013 14:48:21 -0500
> > > > > > Serge Hallyn  wrote:
> > > > > >
> > > > > > > lxc-create ... -o -
> > > > > > >
> > > > > > > will send template output to standard output (the old
> > > > > > > default).
> > > > > > >
> > > > > > > lxc-create ... without any -o will hide template output.
> > > > > > >
> > > > > > > lxc-create -o /tmp/xxx will send template output to the file
> > > > > > > /tmp/xxx.
> > > > > >
> > > > > > I like having a -o for lxc-create, but I'm not sure we should
> > > > > > change the
> > > > >
> > > > > Sorry, that was wrong in my commit msg.
> > > > >
> > > > > only '--outfile' works (because 'o' is used by the common options
> > > > > for logfile output)
> > > > >
> > > > > > default of lxc-create to not show the template output. For
> > > > > > interactive
> > > > >
> > > > > We could swap the meanings so that '--outfile -' means no output,
> > > > > and not listing '--outfile' shows the output on stdout.
> > > >
> > > > Sorry, I'm not getting the difference between --outfile - and just
> > > > getting output on stdout? My main concern was that lxc-create
> > > > without any extra args do what it does today (shows output).
> > >
> > > With this current patch:
> > >
> > >   lxc-create with no extra args does not show output
> > >   "lxc-create --outfile -" shows output to stdout
> > >
> > > I'm suggesting we just flip those.
> >
> > Ahh, yep, I'd like it better flipped then as the no args case won't
> > change today's behavior, but if others feel strongly I don't really
> > care too much. So this is what I think you're proposing:
> >
> >  lxc-create with no extra args -> shows output on stdout
> >  lxc-create --outfile - -> shows output on stdout
> >  lxc-create --outfile /tmp/xxx -> output in /tmp/xxx
> 
> 
> What about adding a quiet parameter instead? It can silence the output, and
> the default will write to stdout; this way people who want an output file can
> redirect stdout to a file as well.

If by 'instead' you mean not passing in fds at all and just adding
a quiet parameter, and by redirect stdout you mean 'lxc-create ... >
outout', then I like that better for being simpler to do.

But I'll do whichever of those is preferred.  Will passing in fds add
flexibility that anyone actually will *want*?  (My feeling tbh is no)

-serge
