Re: [lxc-devel] Cells open source release
On Sep 19, 2013, at 10:25 AM, shridutt kothari wrote:

> Hi Jeremy,
>
> That sounds awesome, What would be the key use cases we can imagine with this?

We discuss several use cases both in our paper, and on our website:
http://cells.cs.columbia.edu/.

As a quick summary, multiple, isolated, virtual devices on the same phone can allow business professionals to carry a single phone that contains both corporate and personal phones, providing an efficient, high performance BYOD solution. Application developers can use multiple virtual devices to test different applications and configurations. Cells also gives parents a way to isolate applications and settings in a kid-friendly virtual tablet while simultaneously running a full-featured tablet configured with private email addresses and applications on the same physical tablet.

Best,
-Jeremy

--
Jeremy C. Andrus
PhD Candidate
Computer Science Dept.
Columbia University
e: jere...@cs.columbia.edu
w: http://jeremya.com/
l: New York, NY
p: 616,439,0522

--
LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] Cells open source release
Quoting Jeremy C. Andrus (jere...@cs.columbia.edu):
> On Sep 19, 2013, at 10:25 AM, shridutt kothari wrote:
>
> > Hi Jeremy,
> >
> > That sounds awesome, What would be the key use cases we can imagine with this?
>
> We discuss several use cases both in our paper, and on our website:
> http://cells.cs.columbia.edu/.
>
> As a quick summary, multiple, isolated, virtual devices on the same phone can allow business professionals to carry a single phone that contains both corporate and personal phones, providing an efficient, high performance BYOD solution. Application developers can use multiple virtual devices to test different applications and configurations. Cells also gives parents a way to isolate applications and settings in a kid-friendly virtual tablet while simultaneously running a full-featured tablet configured with private email addresses and applications on the same physical tablet.

In the past I'd thought a device namespace would mainly do something like translate maj:min on host to maj:min in a namespace. But after seeing the demo twice, I agree with the need for an extra "active" vs "inactive" state, with buffering in the "inactive" state. That's something we don't have in any other namespace and sets devicens apart.
Re: [lxc-devel] [Lxc-users] Working LXC templates? EUREAKA! I think I've got it!
Hey Michael,

tried this out on a saucy vm, and it looked good until it died with

>receiving incremental file list
>fedora-release-19-2.noarch.rpm
>
>sent 47 bytes received 33329 bytes 9536.00 bytes/sec
>total size is 32472 speedup is 0.97
>warning: fedora-release-19-2.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID fb4b18e6: NOKEY
>Preparing... # [100%]
>Updating / installing...
> 1:fedora-release-19-2 # [100%]
>Loaded plugins: fastestmirror, langpacks
>Error: Cannot retrieve metalink for repository: fedora/19/x86_64. Please verify its path and try again
>mount: mount point proc does not exist
>chroot: failed to run command ‘yum’: No such file or directory
>
>Build of Installation RTE failed. Temp directory not removed so it can be investigated.
>
>Fedora Run Time Environment setup failed
>Failed to download 'fedora base'
>failed to install fedora
>lxc-create: container creation template for f1 failed
>
>lxc-create: Error creating container f1

Looks like unpacking didn't go right?

-serge
[lxc-devel] Some important project changes
Hey everyone,

So there are quite a few major changes coming to the way the LXC project will be managed and to the infrastructure we use.

As most of you probably noticed, Daniel Lezcano has been incredibly busy of late and only had time to do the final review and merge before tagging a release, leaving the rest of the review work to Serge Hallyn and I in the staging branch.

After doing that for over a year, we've sat with Daniel here at Plumbers 2013 and agreed that Serge and I would become the new maintainers for the LXC project with Daniel being available as a last resort but no longer being on the critical release path.

On top of that change, we're also going to rework the infrastructure of the project, to hopefully make it simpler for everyone. Specifically, the following will happen over the next few days/weeks:

- The git master branch from sourceforge will be moved to github
- The current staging branch will be merged into the master branch
- The staging branch will be removed
- The git server on sourceforge will be closed, redirecting to github (if at all possible)
- All the bug reports on sourceforge will be moved to github
- The bug tracker on sourceforge will be closed, redirecting to github (if at all possible)
- The website on lxc.sourceforge.net will be moved to linuxcontainers.org, going through a bit of a redesign in the process. A redirection will be put in place.
- A mailman server will be set up on lists.linuxcontainers.org and the two existing mailing-lists will be moved over there (including existing subscribers and mailing-list history).

In the end, the plan is to completely stop using sourceforge and instead use github for everything but the mailing-lists which will be handled by our own mailman server. This should make it easier for everyone to get an overview of the project, fork our master branch and contribute changes.

The transition will be as seamless as I can possibly make it, I'll be sending an e-mail to this list every time I cross one of those items off the list.

Finally, I'd like to thank Daniel for the hard work he's been putting into LXC for over 5 years now and wish him all the best for his new projects!

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [lxc-devel] [Lxc-users] Working LXC templates? EUREAKA! I think I've got it!
After perusing the entire script now, it seems to me that Michael's major contribution is all the parts described in my previous post. In fact, it looks like Michael grafted his good work on to a Fedora setup script. If I'm right, then IMO substantial parts of what I posted about earlier may be removed. There are some good ideas in the later code which I think may be re-organized slightly to allow for modularization to possibly incorporate code that would run on other distros.

It's a big read and analysis... Will post again when I've tested some modifications and will likely include some recommendations for restructuring slightly.

In fact, I suspect that the error Serge just posted has to do with this "pre-Container" code and isn't really a result of Michael's main body of code so when that is removed to allow Michael's main script to run, it might be successful.

Tony

On Fri, Sep 20, 2013 at 7:57 AM, Serge Hallyn wrote:
> Hey Michael,
>
> tried this out on a saucy vm, and it looked good until it died with
>
>>receiving incremental file list
>>fedora-release-19-2.noarch.rpm
>>
>>sent 47 bytes received 33329 bytes 9536.00 bytes/sec
>>total size is 32472 speedup is 0.97
>>warning: fedora-release-19-2.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID fb4b18e6: NOKEY
>>Preparing... # [100%]
>>Updating / installing...
>> 1:fedora-release-19-2 # [100%]
>>Loaded plugins: fastestmirror, langpacks
>>Error: Cannot retrieve metalink for repository: fedora/19/x86_64. Please verify its path and try again
>>mount: mount point proc does not exist
>>chroot: failed to run command ‘yum’: No such file or directory
>>
>>Build of Installation RTE failed. Temp directory not removed so it can be investigated.
>>
>>Fedora Run Time Environment setup failed
>>Failed to download 'fedora base'
>>failed to install fedora
>>lxc-create: container creation template for f1 failed
>>
>>lxc-create: Error creating container f1
>
> Looks like unpacking didn't go right?
>
> -serge
[lxc-devel] lxc-start fails on android
Hi,

I am trying to run a busybox based container on android. However, lxc-start fails with the following msgs. Any idea what could be wrong here?

Thanks for your time and help!

lxc-start 1378915396.741 WARN lxc_start - inherited fd 8
lxc-start 1378915396.744 WARN lxc_start - inherited fd 9
lxc-start 1378915396.746 INFO lxc_apparmor - apparmor_load - apparmor is disabled
lxc-start 1378916093.262 DEBUG lxc_console - using '/dev/tty' as console
lxc-start 1378916093.263 DEBUG lxc_start - sigchild handler set
lxc-start 1378916093.264 INFO lxc_start - 'busybox' is initialized
lxc-start 1378916093.273 DEBUG lxc_start - Not dropping cap_sys_boot or watching utmp
lxc-start 1378916093.275 INFO lxc_conf - opened /data/lxc/busybox/rootfs.hold as fd 15
lxc-start 1378916093.291 INFO lxc_conf - 'busybox' hostname has been setup
lxc-start 1378916093.294 INFO lxc_conf - looking at .37 37 0:1 / / rw,relatime shared:1 - rootfs rootfs rw .
lxc-start 1378916093.294 INFO lxc_conf - now p is . /.
lxc-start 1378916093.298 ERROR lxc_conf - Invalid argument - Failed to rbind mount / to /data/usr/local/lib/lxc/ro
lxc-start 1378916093.301 ERROR lxc_conf - Failed to chroot into slave /
lxc-start 1378916093.301 ERROR lxc_conf - failed to setup rootfs for 'busybox'
lxc-start 1378916093.304 ERROR lxc_start - failed to setup the container
lxc-start 1378916093.305 ERROR lxc_sync - invalid sequence number 1. expected 2
lxc-start 1378916093.307 ERROR lxc_start - failed to spawn 'busybox'
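The "looking at" line in the log above is lxc_conf reading the `/proc/self/mountinfo` record for `/` (mount id 37, device 0:1, in shared peer group 1, filesystem type `rootfs`) before it attempts the rbind and the chroot into a slave mount that then fail. The following is an added diagnostic, not lxc's code and not the poster's: a parser for mountinfo records that takes that one record as constructed input and reports the properties a container runtime cares about for `/`. Function and field names are my own; on a Linux host the same function can be pointed at the real `/proc/self/mountinfo`.

```python
"""Parse /proc/self/mountinfo records (added example, not lxc code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the single mountinfo record quoted in the lxc-start log above.
SAMPLE_MOUNTINFO = "37 37 0:1 / / rw,relatime shared:1 - rootfs rootfs rw\n"

# mountinfo escapes space, tab, newline and backslash in path fields as \ooo (octal).
_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(text: str) -> str:
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)


@dataclass
class MountInfoEntry:
    mount_id: int
    parent_id: int
    major: int
    minor: int
    root: str                 # root of the mount within the filesystem
    mount_point: str          # where it is attached, relative to the process root
    mount_options: List[str]  # per-mount-point options (rw, relatime, ...)
    optional: Dict[str, Optional[str]]  # propagation tags, e.g. {"shared": "1", "master": "3"}
    fs_type: str
    source: str
    super_options: List[str]

    @property
    def is_shared(self) -> bool:
        """True when the mount is in a shared peer group (a 'shared:N' tag)."""
        return "shared" in self.optional

    @property
    def is_initramfs_root(self) -> bool:
        """The kernel's initial ramfs root reports fs type 'rootfs', as the
        Android device in the log does; a block-backed root shows e.g. 'ext4'."""
        return self.mount_point == "/" and self.fs_type == "rootfs"


def parse_mountinfo_line(line: str) -> MountInfoEntry:
    # A record is "<fixed fields> [optional tags...] - <fs_type> <source> <super_options>".
    # The " - " separator is mandatory because the tag count before it varies.
    pre, sep, post = line.strip().partition(" - ")
    if not sep:
        raise ValueError("missing ' - ' separator in mountinfo record: %r" % line)
    pre_fields, post_fields = pre.split(), post.split()
    if len(pre_fields) < 6 or len(post_fields) < 3:
        raise ValueError("short mountinfo record: %r" % line)
    major, minor = pre_fields[2].split(":")
    optional: Dict[str, Optional[str]] = {}
    for tag in pre_fields[6:]:          # shared:N, master:N, propagate_from:N, unbindable
        key, _, value = tag.partition(":")
        optional[key] = value or None
    return MountInfoEntry(
        mount_id=int(pre_fields[0]),
        parent_id=int(pre_fields[1]),
        major=int(major),
        minor=int(minor),
        root=_unescape(pre_fields[3]),
        mount_point=_unescape(pre_fields[4]),
        mount_options=pre_fields[5].split(","),
        optional=optional,
        fs_type=post_fields[0],
        source=_unescape(post_fields[1]),
        super_options=post_fields[2].split(","),
    )


def parse_mountinfo(text: str) -> List[MountInfoEntry]:
    return [parse_mountinfo_line(l) for l in text.splitlines() if l.strip()]


def root_mount(entries: List[MountInfoEntry]) -> Optional[MountInfoEntry]:
    """Return the entry mounted at '/', or None if the table has no root entry."""
    for entry in entries:
        if entry.mount_point == "/":
            return entry
    return None


def describe_root(text: str = SAMPLE_MOUNTINFO) -> dict:
    """Summarise what a container runtime wants to know about '/' before it
    tries to bind-mount or pivot away from it."""
    entry = root_mount(parse_mountinfo(text))
    if entry is None:
        return {"found": False}
    return {
        "found": True,
        "fs_type": entry.fs_type,
        "shared": entry.is_shared,
        "peer_group": entry.optional.get("shared"),
        "initramfs": entry.is_initramfs_root,
    }


if __name__ == "__main__":
    print(describe_root())  # the constructed record from the log
    with open("/proc/self/mountinfo") as f:  # the live table on a Linux host
        print(describe_root(f.read()))
```

Run on the record from the log, `describe_root()` reports a root of type `rootfs` in shared peer group 1; the same call on a live mountinfo table tells you, before starting a container, whether `/` is shared and whether it is the initial ramfs rather than a mounted filesystem.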
Re: [lxc-devel] [Lxc-users] Some important project changes
On Fri, Sep 20, 2013 at 9:37 AM, Stéphane Graber wrote:
> In the end, the plan is to completely stop using sourceforge and instead
> use github for everything but the mailing-lists which will be handled by
> our own mailman server.

+1

> Finally, I'd like to thank Daniel for the hard work he's been putting
> into LXC for over 5 years now and wish him all the best for his new
> projects!

Hear, hear!

- Dan
Re: [lxc-devel] Cells open source release
Hi Jeremy,

That sounds awesome, What would be the key use cases we can imagine with this?

Regards,
Shridutt Kothari
Impetus Infotech Limited
shriduttkoth...@gmail.com

On Thursday, September 19, 2013 3:47:47 AM UTC+5:30, Jeremy C. Andrus wrote:
>
> Hello everyone,
>
> On behalf of myself and the rest of the Cells team here at Columbia University, I would like to announce the release of the Cells open source project:
>    info: http://cells.cs.columbia.edu/
>    code: https://cells-source.cs.columbia.edu/
>
> Cells provides multiple, isolated, virtual Android instances running on a single device with support for smartphone and tablet hardware including 3D graphics, WiFi, touchscreen input, and more. This release targets the ASUS Nexus 7 (grouper) tablet, and supports essential Android drivers and subsystems such as Android alarms, frame buffer earlysuspend, wakelocks (suspend blockers), binder, and logger.
>
> Users can create, modify, delete, start, and stop instances of Android (Cells) using a command-line tool called "cell" through the standard Android adb shell. Users can switch between instances of Android using a key combo on their device (volume up + volume down on the Nexus 7), or through the cell command.
>
> We achieve all this by leveraging containers and namespaces in the kernel, and by building on recently released kernel patches to support device namespaces: https://github.com/Cellrox/devns-patches
>
> Cells is minimally intrusive to the Android open-source project (AOSP) code base with our Nexus 7 prototype requiring only a few small patches to the Jelly Bean 4.3 repositories. A list of patches applied on top of both AOSP, and the Nexus 7 Tegra kernel can be seen using a search on the Cells Gerrit Review site:
>
> https://cells-source.cs.columbia.edu/#/q/status:merged+topic:cells-nexus7,n,z
>
> We invite anyone interested to download, build, and play with Cells. We provide a guide on how to download, build, and contribute to the sources here:
>    http://cells.cs.columbia.edu/build/
>
> We invite you to join the project mailing list and encourage you to ask questions and discuss the sources on the list:
>    ce...@lists.cs.columbia.edu
>    https://lists.cs.columbia.edu/cucslists/listinfo/cells
>
> Best Regards,
>
> -Jeremy
>
> --
> Cells: A Virtual Mobile Smartphone Architecture
> Proceedings of the 23rd ACM Symposium on Operating Systems Principles (SOSP 2011)
> [pdf]: http://systems.cs.columbia.edu/files/wpid-cells-sosp2011.pdf
[lxc-devel] [PATCH] fix console deadlocks
These might be a bit controversial. The process lock was held for some long periods of time for tweaking consoles. These can deadlock with some of lock holds I introduced recently. I would argue that if two threads are fighting over the console, you're gonna have trouble anyway, and the process locks here weren't saving us from anything. If we want to do a console lock then we should probably introduce a new lock - maybe held for the duration of a lxc-start with console or a lxc-console. Actually that's probably a good idea... But here I just drop the locks which make lxc-start-ephemeral deadlock. Signed-off-by: Serge Hallyn --- src/lxc/console.c | 11 --- 1 file changed, 11 deletions(-) diff --git a/src/lxc/console.c b/src/lxc/console.c index a32e9cf..78be403 100644 --- a/src/lxc/console.c +++ b/src/lxc/console.c @@ -103,13 +103,10 @@ void lxc_console_sigwinch(int sig) struct lxc_list *it; struct lxc_tty_state *ts; - process_lock(); - lxc_list_for_each(it, &lxc_ttys) { ts = it->elem; lxc_console_winch(ts); } - process_unlock(); } static int lxc_console_cb_sigwinch_fd(int fd, void *cbdata, @@ -423,7 +420,6 @@ int lxc_console_allocate(struct lxc_conf *conf, int sockfd, int *ttyreq) struct lxc_tty_info *tty_info = &conf->tty_info; struct lxc_console *console = &conf->console; - process_lock(); if (*ttyreq == 0) { if (lxc_console_peer_proxy_alloc(console, sockfd) < 0) goto out; @@ -458,7 +454,6 @@ out_tty: tty_info->pty_info[ttynum - 1].busy = sockfd; masterfd = tty_info->pty_info[ttynum - 1].master; out: - process_unlock(); return masterfd; } @@ -476,7 +471,6 @@ void lxc_console_free(struct lxc_conf *conf, int fd) struct lxc_tty_info *tty_info = &conf->tty_info; struct lxc_console *console = &conf->console; - process_lock(); for (i = 0; i < tty_info->nbtty; i++) { if (tty_info->pty_info[i].busy == fd) tty_info->pty_info[i].busy = 0; 
@@ -486,7 +480,6 @@ void lxc_console_free(struct lxc_conf *conf, int fd) lxc_mainloop_del_handler(console->descr, console->peerpty.slave); lxc_console_peer_proxy_free(console); } - process_unlock(); } static void lxc_console_peer_default(struct lxc_console *console) @@ -713,9 +706,7 @@ int lxc_console(struct lxc_container *c, int ttynum, return -1; } - process_lock(); ttyfd = lxc_cmd_console(c->name, &ttynum, &masterfd, c->config_path); - process_unlock(); if (ttyfd < 0) { ret = ttyfd; goto err1; @@ -770,9 +761,7 @@ int lxc_console(struct lxc_container *c, int ttynum, goto err4; } - process_lock(); ret = lxc_mainloop(&descr, -1); - process_unlock(); if (ret) { ERROR("mainloop returned an error"); goto err4; -- 1.8.3.2 -- LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
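Review bot: in the lxc_console_sigwinch hunk the walk over the global list, `lxc_list_for_each(it, &lxc_ttys)`, is left with no lock at all once `process_lock();` and `process_unlock();` are removed, so an insert into or delete from lxc_ttys on another thread during the traversal can corrupt it, which is the list-corruption concern raised in the thread. If the process lock cannot be held here, a dedicated lxc_ttys mutex taken around this loop and around every modification of the list would preserve the deadlock fix without giving up list integrity.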
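Review bot: with `process_lock();` removed from lxc_console_allocate, the assignment `tty_info->pty_info[ttynum - 1].busy = sockfd;` at the out_tty label is no longer serialised against a second caller that has just checked the same `busy` field, so two concurrent allocations can both claim one pty. Either the commit message should state that callers are expected to serialise console allocation, or a console-level lock should cover the busy check and the set together.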
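Review bot: of the two hunks in lxc_console(), the one around `ret = lxc_mainloop(&descr, -1);` is the one that held the process-wide lock for as long as the console stayed attached, a blocking call that matches the "long periods of time" the commit message describes; it is worth naming that call site explicitly in the message so nobody reintroduces a lock across the mainloop later. The separate console lock the message itself suggests could then be tracked as a follow-up rather than left as an aside.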
Re: [lxc-devel] [PATCH] fix console deadlocks
Quoting Dwight Engen (dwight.en...@oracle.com):
> On Fri, 20 Sep 2013 14:48:40 -0500
> Serge Hallyn wrote:
>
> > These might be a bit controversial. The process lock was held
> > for some long periods of time for tweaking consoles. These
> > can deadlock with some of lock holds I introduced recently. I
> > would argue that if two threads are fighting over the console,
> > you're gonna have trouble anyway, and the process locks here
> > weren't saving us from anything. If we want to do a console
>
> Are we sure we can walk/modify the lxc_ttys list lockless? I agree

Yeah we do need to lock those. But I don't think there's a rush for it.

> threaded console use is "interesting", but I don't think we want list
> corruption. Of course we don't want deadlocks either :)

So which do you think would be better - introduce a lxc_ttys lock specifically, or introduce a general 'console' mutex which is taken any time we open a console or edit the lxc_ttys?

-serge
Re: [lxc-devel] [PATCH] fix console deadlocks
On Fri, 20 Sep 2013 15:26:47 -0500
Serge Hallyn wrote:

> Quoting Dwight Engen (dwight.en...@oracle.com):
> > On Fri, 20 Sep 2013 14:48:40 -0500
> > Serge Hallyn wrote:
> >
> > > These might be a bit controversial. The process lock was held
> > > for some long periods of time for tweaking consoles. These
> > > can deadlock with some of lock holds I introduced recently. I
> > > would argue that if two threads are fighting over the console,
> > > you're gonna have trouble anyway, and the process locks here
> > > weren't saving us from anything. If we want to do a console
> >
> > Are we sure we can walk/modify the lxc_ttys list lockless? I agree
>
> Yeah we do need to lock those. But I don't think there's a rush for
> it.
>
> > threaded console use is "interesting", but I don't think we want
> > list corruption. Of course we don't want deadlocks either :)
>
> So which do you think would be better - introduce a lxc_ttys lock
> specifically, or introduce a general 'console' mutex which is taken
> any time we open a console or edit the lxc_ttys?

Hmm, good question. I think that lxc_console_allocate() and lxc_console_free() are only called from lxc today when handling commands so they are not going to be used from a threaded context anyways. But the symbols are available so someone could write a threaded program and call them and race on the .busy indicator for example. I think we minimally need the list stuff locked, but I'm not sure what else. I have not really tested multithreaded console use.

Just out of curiosity, this is deadlocking because the process lock is already held when console routines are getting called and the process lock mutex isn't recursive?

> -serge
Re: [lxc-devel] [Lxc-users] Working LXC templates? EUREAKA! I think I've got it!
On Tue, 2013-09-17 at 10:26 -0700, Tony Su wrote:
> Regarding
>
> LXC and the use of Linux Bridge devices for configured networking,
> At least on openSUSE, LXC is not configured with any /etc/lxc/* by default, and possibly because I also have libvirt configured to support LXC (although that is not working on my system).
>
> From what I've seen though, I cannot see why configuring networking should be in a general lxc configuration file, or even if it should exist I see it as reasonable to configure within a template (why not point the build to a pre-existing virtual network complete with its own configuration?).
>
> In any case as I noted before, pointing the Container interface to a pre-existing virtual Linux Bridge device instead of a physical interface in the template should be nearly trivial. If you wanted to support bridge creation and configuration, that'd be a big project outside the scope of what I'm describing.
>
> yum and chroot. H. From what I can see, at the point you invoke yum, nothing has yet been downloaded so any functionality you invoke must exist in the HostOS. Despite running in the chroot environment, I can't see how yum can work unless it's also present in the HostOS. Maybe if I test this on a distro that doesn't support yum natively I'll find different, but based purely on perusing the code I can't see how it would work otherwise.
> line 155
> chroot ${rootfs_path} yum --releasever=${release} -y install fedora-release

That line is in "config_fedora", called at line 926 after the call to install_fedora at line 920 where the run time install is downloaded and run. It should be installed at the time in question or something earlier has failed. Flow of control definitely needs to be cleaned up.

Regards,
Mike

> Requirement for GPG keys
> Again, based at this point purely on perusing and not actually testing the code on an appropriately set up system, unless the repo is configured without keys or the retrieval utility is configured not to require key verification, I don't see how you've avoided this requirement, particularly in this case you're using "yum" which is a repo client utility. This is aside from verifying the downloaded image whose integrity could be verified easily by invoking and comparing checksum values if desired. I'd recommend no verification, though because it would add maintenance issues. A superior solution might be a file transfer transport that automatically does checksum (like torrent but that opens up potential issues since some ISPs block torrent indiscriminately).
>
> Regards,
> Tony
>
> On Tue, Sep 17, 2013 at 6:34 AM, Michael H. Warfield wrote:
> > On Sun, 2013-09-15 at 16:17 -0700, Tony Su wrote:
> >> Hello Michael,
> >>
> >> First a comment on problems with systemd you describe.
> >> I probably have run into many of the things you itemized, but since my time is usually focused on something I'm trying to use LXC and not LXC itself, I usually just drop any further attempts and move on to find a workaround (eg consoles) or use a different technology (x server issue).
> >>
> >> Regarding many of the issues you describe though, I wonder if they couldn't be addressed with more strict enforcement of using namespaces (and less often cgroups). I've read how namespaces are supposed to be an extremely powerful means of isolating processes and yet I don't see any obvious indications it's being done consistently... by either prepending to standard process or service names (if the goal is to easily identify the namespace) or using a random string (if the goal is better security so exploits can't anticipate commonly used namespaces).
> >>
> >> In fact, I think I see this namespace issue in various parts of the template you created. If I understand what is happening, there are numerous places where you create special nodes on the HostOS instead of
> >> (a) using the existing HostOS nodes but using namespaces to isolate Container processes
> >> (b) creating nodes entirely within the Container which would make the Container entirely portable but lose the benefit perhaps of the better ways nodes are created and mounted today (eg tmpfs in RAM).
> >>
> >> Diving more into your template code, I applaud your effort, it's significant and no minor effort.
> >>
> >> As of this moment, I've mainly been perusing what I might call "HostOS Container Pre-Install," the part which precedes the actual installation and relies on components running in the HostOS only. This would be your script approx lines 0-410.
> >
> >> 1. I like your method of identifying whether the OS is Fedora, and additionally whether is ARM or not.
> >
> > That was an effort workin
Re: [lxc-devel] [Lxc-users] Working LXC templates? EUREAKA! I think I've got it!
Hey Serge,

On Fri, 2013-09-20 at 09:57 -0500, Serge Hallyn wrote:
> Hey Michael,
>
> tried this out on a saucy vm, and it looked good until it died with
>
> >receiving incremental file list
> >fedora-release-19-2.noarch.rpm
> >
> >sent 47 bytes received 33329 bytes 9536.00 bytes/sec
> >total size is 32472 speedup is 0.97
> >warning: fedora-release-19-2.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID fb4b18e6: NOKEY
> >Preparing... # [100%]
> >Updating / installing...
> > 1:fedora-release-19-2 # [100%]
> >Loaded plugins: fastestmirror, langpacks
> >Error: Cannot retrieve metalink for repository: fedora/19/x86_64. Please verify its path and try again
> >mount: mount point proc does not exist
> >chroot: failed to run command ‘yum’: No such file or directory
> >
> >Build of Installation RTE failed. Temp directory not removed so it can be investigated.
> >
> >Fedora Run Time Environment setup failed
> >Failed to download 'fedora base'
> >failed to install fedora
> >lxc-create: container creation template for f1 failed
> >
> >lxc-create: Error creating container f1
>
> Looks like unpacking didn't go right?

That looks like the first one I sent out. I caught a couple of typos immediately after that and resent it with an "opps". I'll double check it though.

> -serge

Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | m...@wittsend.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
Re: [lxc-devel] [PATCH] fix console deadlocks
Quoting Dwight Engen (dwight.en...@oracle.com):
> On Fri, 20 Sep 2013 15:26:47 -0500
> Serge Hallyn wrote:
>
> > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > On Fri, 20 Sep 2013 14:48:40 -0500
> > > Serge Hallyn wrote:
> > >
> > > > These might be a bit controversial. The process lock was held for some long periods of time for tweaking consoles. These can deadlock with some of lock holds I introduced recently. I would argue that if two threads are fighting over the console, you're gonna have trouble anyway, and the process locks here weren't saving us from anything. If we want to do a console
> > >
> > > Are we sure we can walk/modify the lxc_ttys list lockless? I agree
> >
> > Yeah we do need to lock those. But I don't think there's a rush for it.
> >
> > > threaded console use is "interesting", but I don't think we want list corruption. Of course we don't want deadlocks either :)
> >
> > So which do you think would be better - introduce a lxc_ttys lock specifically, or introduce a general 'console' mutex which is taken any time we open a console or edit the lxc_ttys?
>
> Hmm, good question. I think that lxc_console_allocate() and lxc_console_free() are only called from lxc today when handling commands so they are not going to be used from a threaded context anyways. But the symbols are available so someone could write a threaded program and call them and race on the .busy indicator for example. I think we minimally need the list stuff locked, but I'm not sure what else. I have not really tested multithreaded console use.
>
> Just out of curiosity, this is deadlocking because the process lock is already held when console routines are getting called and the process lock mutex isn't recursive?

At the least lxc_console_allocate() was taking process_lock(), then calling lxc_console_peer_proxy_alloc() which also calls process_lock. I could have decided not to take the lock in lxc_console_peer_proxy_alloc(), but that seems more wrong and less maintainable.

-serge
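An added example, not lxc code, of the nested-lock shape described above: an outer function takes the process lock and then calls a helper that takes it again. An owner-tracking wrapper turns the hang into an EDEADLK return so the bug is caught in testing, and the "after" shape splits the work into one locked entry point plus a helper whose contract is "caller holds the lock". All lock and function names here are stand-ins for this example.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>

/* Owner-tracking lock: a plain mutex plus a record of who holds it, so a
 * second take by the holding thread fails with EDEADLK instead of hanging.
 * Stand-in for lxc's process lock; the names are this example's own. */
struct dbg_lock {
    pthread_mutex_t mu;
    bool held;
    pthread_t owner;
};
static struct dbg_lock process_mutex = { .mu = PTHREAD_MUTEX_INITIALIZER, .held = false };

int process_lock(void)
{
    if (process_mutex.held && pthread_equal(process_mutex.owner, pthread_self()))
        return EDEADLK;                 /* nested take by the same thread */
    int rc = pthread_mutex_lock(&process_mutex.mu);
    if (rc) return rc;
    process_mutex.held = true;
    process_mutex.owner = pthread_self();
    return 0;
}

void process_unlock(void)
{
    process_mutex.held = false;
    pthread_mutex_unlock(&process_mutex.mu);
}

/* "Before": the helper takes the lock itself, while its caller already holds
 * it. On a plain non-recursive mutex the inner process_lock() never returns. */
static int peer_proxy_alloc_before(void)
{
    int rc = process_lock();
    if (rc) return -rc;
    process_unlock();
    return 0;
}

int console_allocate_before(void)
{
    if (process_lock()) return -1;
    int rc = peer_proxy_alloc_before();
    process_unlock();
    return rc;                          /* -EDEADLK: detected, not hung */
}

/* "After": one locked entry point; the helper's contract is "lock held",
 * so it does no locking of its own. */
static int peer_proxy_alloc_locked(void) { return 0; }

int console_allocate_after(void)
{
    if (process_lock()) return -1;
    int rc = peer_proxy_alloc_locked();
    process_unlock();
    return rc;                          /* 0 */
}
```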
Re: [lxc-devel] [PATCH] fix console deadlocks
On Fri, Sep 20, 2013 at 02:48:40PM -0500, Serge Hallyn wrote: > These might be a bit controversial. The process lock was held > for some long periods of time for tweaking consoles. These > can deadlock with some of lock holds I introduced recently. I > would argue that if two threads are fighting over the console, > you're gonna have trouble anyway, and the process locks here > weren't saving us from anything. If we want to do a console > lock then we should probably introduce a new lock - maybe held > for the duration of a lxc-start with console or a lxc-console. > Actually that's probably a good idea... But here I just drop > the locks which make lxc-start-ephemeral deadlock. > > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- > src/lxc/console.c | 11 --- > 1 file changed, 11 deletions(-) > > diff --git a/src/lxc/console.c b/src/lxc/console.c > index a32e9cf..78be403 100644 > --- a/src/lxc/console.c > +++ b/src/lxc/console.c > @@ -103,13 +103,10 @@ void lxc_console_sigwinch(int sig) > struct lxc_list *it; > struct lxc_tty_state *ts; > > - process_lock(); > - > lxc_list_for_each(it, &lxc_ttys) { > ts = it->elem; > lxc_console_winch(ts); > } > - process_unlock(); > } > > static int lxc_console_cb_sigwinch_fd(int fd, void *cbdata, > @@ -423,7 +420,6 @@ int lxc_console_allocate(struct lxc_conf *conf, int > sockfd, int *ttyreq) > struct lxc_tty_info *tty_info = &conf->tty_info; > struct lxc_console *console = &conf->console; > > - process_lock(); > if (*ttyreq == 0) { > if (lxc_console_peer_proxy_alloc(console, sockfd) < 0) > goto out; > @@ -458,7 +454,6 @@ out_tty: > tty_info->pty_info[ttynum - 1].busy = sockfd; > masterfd = tty_info->pty_info[ttynum - 1].master; > out: > - process_unlock(); > return masterfd; > } 
> > @@ -476,7 +471,6 @@ void lxc_console_free(struct lxc_conf *conf, int fd) > struct lxc_tty_info *tty_info = &conf->tty_info; > struct lxc_console *console = &conf->console; > > - process_lock(); > for (i = 0; i < tty_info->nbtty; i++) { > if (tty_info->pty_info[i].busy == fd) > tty_info->pty_info[i].busy = 0; > @@ -486,7 +480,6 @@ void lxc_console_free(struct lxc_conf *conf, int fd) > lxc_mainloop_del_handler(console->descr, > console->peerpty.slave); > lxc_console_peer_proxy_free(console); > } > - process_unlock(); > } > > static void lxc_console_peer_default(struct lxc_console *console) > @@ -713,9 +706,7 @@ int lxc_console(struct lxc_container *c, int ttynum, > return -1; > } > > - process_lock(); > ttyfd = lxc_cmd_console(c->name, &ttynum, &masterfd, c->config_path); > - process_unlock(); > if (ttyfd < 0) { > ret = ttyfd; > goto err1; 
> @@ -770,9 +761,7 @@ int lxc_console(struct lxc_container *c, int ttynum, > goto err4; > } > > - process_lock(); > ret = lxc_mainloop(&descr, -1); > - process_unlock(); > if (ret) { > ERROR("mainloop returned an error"); > goto err4; > -- > 1.8.3.2 > > > -- > LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! > 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint > 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes > Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. > http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk > ___ > Lxc-devel mailing list > Lxc-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature -- LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
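Review bot: removing process_lock() from lxc_console_sigwinch() leaves the `lxc_list_for_each(it, &lxc_ttys)` walk unprotected, and the commit message should say why that is acceptable. The removal itself is necessary for a different reason than the one given: this is a signal handler, and a handler that takes a mutex blocks forever whenever SIGWINCH lands on a thread that already holds the process lock. What still needs covering is the traversal racing with concurrent list edits; the next context line, `static int lxc_console_cb_sigwinch_fd(int fd, void *cbdata,`, suggests a mainloop callback already exists for this signal, so doing the walk there under a dedicated lxc_ttys lock (taken only in non-signal paths, as Dwight asked for in the thread) would cover both the deadlock and the unlocked list walk.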
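Review bot: in lxc_console_allocate(), the free-tty search and the claim `tty_info->pty_info[ttynum - 1].busy = sockfd;` are no longer one serialized step once process_lock() is gone, so two concurrent callers can be handed the same pty. The nested process_lock() inside lxc_console_peer_proxy_alloc() is what actually deadlocked here (the diagnosis given elsewhere in the thread), so the narrower fix is to keep the lock in lxc_console_allocate() and give the helper a "caller holds the lock" contract, rather than dropping serialization from tty allocation entirely.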
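Review bot: lxc_console_free() now clears `busy` and tears down the peer proxy (`lxc_mainloop_del_handler(console->descr, console->peerpty.slave);` followed by `lxc_console_peer_proxy_free(console);`) with no lock held, so a free racing with an allocate on another thread can release a pty the other side just claimed or free the proxy while it is being set up. If the console lock the commit message proposes is introduced later, it should cover the whole bodies of free() and allocate(), not only the list edits.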
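Review bot: dropping process_lock() around `ret = lxc_mainloop(&descr, -1);` is the part of this patch that matters most and deserves a sentence in the commit message: that call blocks until the console session ends, so every other thread of the same process that entered the API (the lxc-start-ephemeral case the message names) waited on a lock held for the lifetime of a console. The lock around `lxc_cmd_console()` in the previous hunk, which also has to wait on the container, was in the same position. Any future console lock should be scoped to the setup steps and released before the mainloop is entered.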
Re: [lxc-devel] [PATCH] fix console deadlocks
On Fri, 20 Sep 2013 14:48:40 -0500
Serge Hallyn wrote:
> These might be a bit controversial. The process lock was held for some long periods of time for tweaking consoles. These can deadlock with some of lock holds I introduced recently. I would argue that if two threads are fighting over the console, you're gonna have trouble anyway, and the process locks here weren't saving us from anything. If we want to do a console

Are we sure we can walk/modify the lxc_ttys list lockless? I agree threaded console use is "interesting", but I don't think we want list corruption. Of course we don't want deadlocks either :)
[lxc-devel] [PATCH] Expose underlying close_all_fds config value via API
Being able to set close_all_fds via API would be usefull for the situations like running an application (let's say web server) that controls the lifecycle of the container using the LXC API. We don't want forked process to inherit parent's resource (file, socket, ...) Signed-off-by: S.Çağlar Onur --- src/lxc/lxc_start.c| 2 +- src/lxc/lxccontainer.c | 13 + src/lxc/lxccontainer.h | 1 + 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c index dfc514e..a30a9f6 100644 --- a/src/lxc/lxc_start.c +++ b/src/lxc/lxc_start.c @@ -265,7 +265,7 @@ int main(int argc, char *argv[]) } if (my_args.close_all_fds) - conf->close_all_fds = 1; + c->want_close_all_fds(c); err = c->start(c, 0, args) ? 0 : -1; diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index e8dde91..727c680 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -456,6 +456,18 @@ static void lxcapi_want_daemonize(struct lxc_container *c) container_mem_unlock(c); } +static void lxcapi_want_close_all_fds(struct lxc_container *c) +{ + if (!c || !c->lxc_conf) + return; + if (container_mem_lock(c)) { + ERROR("Error getting mem lock"); + return; + } + c->lxc_conf->close_all_fds = 1; + container_mem_unlock(c); +} + static bool lxcapi_wait(struct lxc_container *c, const char *state, int timeout) { int ret; @@ -2682,6 +2694,7 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath c->init_pid = lxcapi_init_pid; c->load_config = lxcapi_load_config; c->want_daemonize = lxcapi_want_daemonize; + c->want_close_all_fds = lxcapi_want_close_all_fds; c->start = lxcapi_start; c->startl = lxcapi_startl; c->stop = lxcapi_stop; diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h index 89b55bd..8b6c6ef 100644 --- a/src/lxc/lxccontainer.h +++ b/src/lxc/lxccontainer.h 
@@ -68,6 +68,7 @@ struct lxc_container { bool (*startl)(struct lxc_container *c, int useinit, ...); bool (*stop)(struct lxc_container *c); void (*want_daemonize)(struct lxc_container *c); + void (*want_close_all_fds)(struct lxc_container *c); // Return current config file name. The result is strdup()d, so free the result. char *(*config_file_name)(struct lxc_container *c); // for wait, timeout == -1 means wait forever, timeout == 0 means don't wait. -- 1.8.1.2 -- LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
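Review bot: in the lxc_start.c hunk, `c->want_close_all_fds(c);` returns void, so lxc-start can no longer tell whether the flag was actually set: the new accessor logs ERROR() and returns early when container_mem_lock() fails, whereas the old direct assignment `conf->close_all_fds = 1;` could not fail. Since close_all_fds is a containment choice the operator asked for explicitly, the start should abort when the request cannot be honoured; returning bool from want_close_all_fds (as `stop` and `startl` do in the same struct) and checking it here would achieve that.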
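Review bot: lxcapi_want_close_all_fds() silently does nothing when `!c || !c->lxc_conf`, so a caller that has not loaded a config yet gets no indication, and it can only set the flag to 1 with no way to clear it. Either return bool (lock failure and missing config both become visible) or document that it must be called after load_config(). The lock-set-unlock shape mirrors lxcapi_want_daemonize() in the context lines, so whichever convention is chosen should be applied to both.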
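Review bot: the new member `void (*want_close_all_fds)(struct lxc_container *c);` is inserted in the middle of struct lxc_container, which shifts every later function pointer (config_file_name, wait, ...) and breaks binary compatibility for programs already built against this header; appending new members at the end of the struct avoids that. It also lacks the descriptive comment its neighbours carry (e.g. `// Return current config file name. The result is strdup()d, so free the result.`); a one-line note on what the child does with inherited descriptors when the flag is set would tell API users why a long-running manager such as a web server should call it.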
[lxc-devel] [lxc/lxc] 6711ff: fix console deadlocks
Branch: refs/heads/staging
Home: https://github.com/lxc/lxc
Commit: 6711ffc1227d61831b3e990d630b4fc6d3c8177e
https://github.com/lxc/lxc/commit/6711ffc1227d61831b3e990d630b4fc6d3c8177e
Author: Serge Hallyn
Date: 2013-09-20 (Fri, 20 Sep 2013)

Changed paths:
M src/lxc/console.c

Log Message:
---
fix console deadlocks

Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber
Re: [lxc-devel] [PATCH] Expose underlying close_all_fds config value via API
Quoting S.Çağlar Onur (cag...@10ur.org): > Being able to set close_all_fds via API would be usefull for the > situations like running an application (let's say web server) > that controls the lifecycle of the container using the LXC API. > We don't want forked process to inherit parent's resource (file, socket, ...) > > Signed-off-by: S.Çağlar Onur Thanks, looks good to me. Acked-by: Serge E. Hallyn > --- > src/lxc/lxc_start.c| 2 +- > src/lxc/lxccontainer.c | 13 + > src/lxc/lxccontainer.h | 1 + > 3 files changed, 15 insertions(+), 1 deletion(-) > > diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c > index dfc514e..a30a9f6 100644 > --- a/src/lxc/lxc_start.c > +++ b/src/lxc/lxc_start.c > @@ -265,7 +265,7 @@ int main(int argc, char *argv[]) > } > > if (my_args.close_all_fds) > - conf->close_all_fds = 1; > + c->want_close_all_fds(c); > > err = c->start(c, 0, args) ? 0 : -1; > > diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c > index e8dde91..727c680 100644 > --- a/src/lxc/lxccontainer.c > +++ b/src/lxc/lxccontainer.c > @@ -456,6 +456,18 @@ static void lxcapi_want_daemonize(struct lxc_container > *c) > container_mem_unlock(c); > } > > +static void lxcapi_want_close_all_fds(struct lxc_container *c) > +{ > + if (!c || !c->lxc_conf) > + return; > + if (container_mem_lock(c)) { > + ERROR("Error getting mem lock"); > + return; > + } > + c->lxc_conf->close_all_fds = 1; > + container_mem_unlock(c); > +} > + > static bool lxcapi_wait(struct lxc_container *c, const char *state, int > timeout) > { > int ret; > @@ -2682,6 +2694,7 @@ struct lxc_container *lxc_container_new(const char > *name, const char *configpath > c->init_pid = lxcapi_init_pid; > c->load_config = lxcapi_load_config; > c->want_daemonize = lxcapi_want_daemonize; > + c->want_close_all_fds = lxcapi_want_close_all_fds; > c->start = lxcapi_start; > c->startl = lxcapi_startl; > c->stop = lxcapi_stop; > diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h > index 89b55bd..8b6c6ef 100644 
> --- a/src/lxc/lxccontainer.h > +++ b/src/lxc/lxccontainer.h > @@ -68,6 +68,7 @@ struct lxc_container { > bool (*startl)(struct lxc_container *c, int useinit, ...); > bool (*stop)(struct lxc_container *c); > void (*want_daemonize)(struct lxc_container *c); > + void (*want_close_all_fds)(struct lxc_container *c); > // Return current config file name. The result is strdup()d, so free > the result. > char *(*config_file_name)(struct lxc_container *c); > // for wait, timeout == -1 means wait forever, timeout == 0 means don't > wait. > -- > 1.8.1.2 > > > -- > LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! > 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint > 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes > Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. > http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk > ___ > Lxc-devel mailing list > Lxc-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/lxc-devel -- LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/22/13. http://pubads.g.doubleclick.net/gampad/clk?id=64545871&iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
[lxc-devel] [lxc/lxc] 130a18: Expose underlying close_all_fds config value via A...
Branch: refs/heads/staging
Home: https://github.com/lxc/lxc
Commit: 130a188840ae655da41dde4771074ff38abaf46f
https://github.com/lxc/lxc/commit/130a188840ae655da41dde4771074ff38abaf46f
Author: S.Çağlar Onur
Date: 2013-09-20 (Fri, 20 Sep 2013)

Changed paths:
M src/lxc/lxc_start.c
M src/lxc/lxccontainer.c
M src/lxc/lxccontainer.h

Log Message:
---
Expose underlying close_all_fds config value via API

Being able to set close_all_fds via API would be useful for situations like running an application (let's say a web server) that controls the lifecycle of the container using the LXC API. We don't want the forked process to inherit the parent's resources (file, socket, ...)

Signed-off-by: S.Çağlar Onur
Acked-by: Serge E. Hallyn
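The leak that close_all_fds guards against, as an added example rather than lxc's own implementation: a descriptor sweep over /proc/self/fd that keeps only the standard streams and a caller-supplied whitelist, run against two constructed descriptors standing in for a manager's database socket and log file. All names here are this example's own, and the walk assumes a Linux /proc.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Close every descriptor of the calling process except 0, 1, 2 and those in
 * keep[]. Walks /proc/self/fd instead of looping up to the RLIMIT_NOFILE
 * ceiling; the directory stream's own fd is skipped.
 * Returns the number of descriptors closed, or -1 if /proc is unavailable. */
int close_inherited_fds(const int *keep, size_t nkeep)
{
    DIR *dir = opendir("/proc/self/fd");
    if (!dir)
        return -1;
    int self = dirfd(dir), victims[1024];
    size_t nv = 0;
    struct dirent *de;
    /* Collect first: closing while readdir() runs can make it skip entries. */
    while ((de = readdir(dir)) != NULL && nv < 1024) {
        if (de->d_name[0] == '.')
            continue;
        int fd = atoi(de->d_name);          /* entry names are fd numbers */
        if (fd <= 2 || fd == self)
            continue;
        int keep_it = 0;
        for (size_t i = 0; i < nkeep; i++)
            keep_it |= (keep[i] == fd);
        if (!keep_it)
            victims[nv++] = fd;
    }
    closedir(dir);
    for (size_t i = 0; i < nv; i++)
        close(victims[i]);
    return (int)nv;
}

/* True if fd is still open in this process. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* The commit message's scenario in miniature: a managing process holds two
 * descriptors (a database socket and a log file, both constructed here as
 * /dev/null); only the log file is meant to reach the container. Returns 1
 * when the sweep leaves exactly that state, 0 otherwise. */
int demo_close_all_fds(void)
{
    int db_sock = open("/dev/null", O_RDONLY);   /* constructed stand-in */
    int logfile = open("/dev/null", O_WRONLY);   /* constructed stand-in */
    if (db_sock < 0 || logfile < 0)
        return 0;
    int before = fd_is_open(db_sock) && fd_is_open(logfile);
    int n = close_inherited_fds(&logfile, 1);
    int after = !fd_is_open(db_sock) && fd_is_open(logfile);
    close(logfile);
    return before && n >= 1 && after;
}
```

Marking a manager's own descriptors O_CLOEXEC at creation is the complementary defence; the sweep covers descriptors opened by libraries the manager does not control.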
Re: [lxc-devel] [PATCH RFC 0/1] refactor AppArmor into LSM backend, add SELinux support
Quoting Dwight Engen (dwight.en...@oracle.com):
> This change proposes to add support to LXC for additional LSMs (Linux Security Module), namely SELinux. It does so by turning the existing

Thanks, Dwight! I do some bikeshed arguing below, but I will do a closer review next week, hopefully Monday.

> AppArmor calls into generic lsm_* calls, which are then handled by one of three LSM drivers: AppArmor, SELinux, or a nop driver. Adding a SMACK driver should be fairly simple. The nop driver is used when LXC has compiled in support for AppArmor or SELinux but neither is enabled in the run time environment.
>
> One minor point of discussion should be whether to keep the aa_profile configuration item and have a separate selinux_context item, or to use the approach taken in this patch which is to genericize the name to lsm_label. Using a single lsm_label implies that the policies will never be used together, which I believe is likely a safe assumption.

You might be right on this, but there are two counter-arguments, and I'm not sure where I stand.

The first counter-argument is that I might want to share a config or config excerpt (i.e. lxc.include) between several hosts, some of which are apparmor-enabled and some selinux-enabled. Or even migrate or stop-and-move a container between such hosts. Ignoring the labeling issue :) that would not be possible with this setup.

Secondly, there *is* on-going work, with a non-zero chance of inclusion, to enable stacking LSMs in the kernel. I doubt that even in that case you'd want to use both to confine the container, but one never knows. You might want to use apparmor to confine the container as seen from the container, while specifying that the container should start as unconfined_t so that the selinux policy in the container can work. (Far-fetched, I agree.)

Thirdly, we would at least want lxc.aa_profile to be handled as a valid legacy case so that existing containers don't break.

> A larger issue is the semantics around when lxc changes profile/context. Currently, the AppArmor backend uses aa_change_profile() which changes the profile immediately. No analog exists in SELinux, so the SELinux backend uses setexeccon_raw() which only takes effect upon exec(2). We could change the AppArmor backend to use aa_change_onexec() to give them similar semantics, but this would possibly break callers relying on the "immediate

Note that I wanted to use the aa_change_onexec() originally, but did not only because it was broken at the time.

> change" behavior (in particular users of the new attach API calling a function). I don't know how widespread this reliance might be, but I don't think that model is supportable in SELinux. The current patch does not try to resolve the difference, I guess one option is to just leave it that way. Definitely looking for some guidance here.

In general "now" vs "on-exec" seem to be the two main ways to change contexts so I think it's fine to support both.

> I tested this with Ubuntu to try and make sure I didn't break AppArmor (in both lxc-start and lxc-attach, cat /proc/self/attr/current shows "lxc-container-default (enforce)"). I've also tested this on OracleLinux with an in progress SELinux policy module which I can post if it's useful. I've also build tested on Fedora and run unconfined, but have not written a policy there.