Re: [lxc-devel] [PATCH RFC 0/1] refactor AppArmor into LSM backend, add SELinux support
On Sat, 21 Sep 2013 00:32:42 -0500 Serge Hallyn wrote:

> Quoting Dwight Engen (dwight.en...@oracle.com):
> > This change proposes to add support to LXC for additional LSMs
> > (Linux Security Module), namely SELinux. It does so by turning the
> > existing
>
> Thanks, Dwight!
>
> I do some bikeshed arguing below, but I will do a closer review next
> week, hopefully monday.

Okay, thanks!

> > AppArmor calls into generic lsm_* calls, which are then handled by
> > one of three LSM drivers: AppArmor, SELinux, or a nop driver.
> > Adding a SMACK driver should be fairly simple. The nop driver is
> > used when LXC has compiled in support for AppArmor or SELinux but
> > neither is enabled in the run time environment.
> >
> > One minor point of discussion should be whether to keep the
> > aa_profile configuration item and have a separate selinux_context
> > item, or to use the approach taken in this patch which is to
> > genericize the name to lsm_label. Using a single lsm_label implies
> > that the policies will never be used together, which I believe is
> > likely a safe assumption.
>
> You might be right on this, but there are two counter-arguments, and
> I'm not sure where I stand. The first counter argument is that I
> might want to share a config or config excerpt (i.e. lxc.include)
> between several hosts, some of which are apparmor-enabled and some
> selinux-enabled. Or even migrate or stop-and-move a container between
> such hosts. Ignoring the labeling issue :) that would not be possible
> with this setup. Secondly, there *is* on-going work, with a non-zero
> chance of inclusion, to enable stacking LSMs in the kernel. I doubt
> that even in that case you'd want to use both to confine the
> container, but one never knows. You might want to use apparmor to
> confine the container as seen from the container, while specifying
> that the container should start as unconfined_t so that the selinux
> policy in the container can work. (Far-fetched, I agree.)

I wasn't sure which way to go on this either. I think you have good points there so I'm fine with having the config items be separate :) Another thing to point out is that I think it's nice if lxc always knows how to parse those config items, even if it wasn't compiled with AppArmor or SELinux, that way if you are given a config from a machine that did have it, it won't barf parsing it and cloning would pass it through. If you disagree, I can put them back behind #ifdefs.

I had seen that there was some thought to stacking LSMs, so I guess we shouldn't rule that out in case it does happen.

> Thirdly, we would at least want lxc.aa_profile to be handled as a
> valid legacy case so that existing containers don't break
>
> > A larger issue is the semantics around when lxc changes
> > profile/context. Currently, the AppArmor backend uses
> > aa_change_profile() which changes the profile immediately. No
> > analog exists in SELinux, so the SELinux backend uses
> > setexeccon_raw() which only takes effect upon exec(2). We could
> > change the AppArmor backend to use aa_change_onexec() to give them
> > similar semantics, but this would possibly break callers relying on
> > the "immediate
>
> Note that I wanted to use the aa_change_onexec() originally, but did
> not only because it was broken at the time.

Ahh, I saw that but I didn't know why you opted to use the non-exec version.

> > change" behavior (in particular users of the new attach API calling
> > a function). I don't know how widespread this reliance might be,
> > but I don't think that model is supportable in SELinux. The current
> > patch does not try to resolve the difference, I guess one option is
> > to just leave it that way. Definitely looking for some guidance
> > here.
>
> In general "now" vs "on-exec" seem to be the two main ways to change
> contexts so I think it's fine to support both.

You mean that it's fine that the two backends behave a bit differently? We can't support "now" in SELinux as far as I can see.

___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
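The driver layout discussed in this thread, modelled as an added example (not code from the patch or from LXC): both config items are always stored, a nop driver is chosen when no LSM is enabled, and each driver records whether its label change is immediate or deferred to exec(2). The key name lxc.selinux_context, the sample SELinux context and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* When a driver's label change takes effect, as described in the thread. */
enum lsm_when { LSM_NEVER, LSM_NOW, LSM_ON_EXEC };
/* How the caller runs its payload: by exec(2), or by calling a function. */
enum payload { PAYLOAD_EXEC, PAYLOAD_FUNCTION };

struct lsm_drv {
    const char *name;
    const char *conf_key;   /* config item the driver consumes */
    enum lsm_when when;
};

/* "lxc.selinux_context" is a hypothetical key name used by this sketch. */
static const struct lsm_drv lsm_apparmor = { "AppArmor", "lxc.aa_profile", LSM_NOW };
static const struct lsm_drv lsm_selinux  = { "SELinux", "lxc.selinux_context", LSM_ON_EXEC };
static const struct lsm_drv lsm_nop      = { "nop", NULL, LSM_NEVER };

struct lsm_conf {
    char aa_profile[64];
    char selinux_context[128];
};

/* Store a value for either key, whichever LSM the host runs, so a shared
 * config parses everywhere. Returns 1 if stored, 0 if the key is not an LSM
 * item, -1 if the value does not fit (rejected, because a truncated label
 * would name a different profile). */
int lsm_conf_set(struct lsm_conf *conf, const char *key, const char *val)
{
    char *dst;
    size_t cap;

    if (strcmp(key, lsm_apparmor.conf_key) == 0) {
        dst = conf->aa_profile;
        cap = sizeof(conf->aa_profile);
    } else if (strcmp(key, lsm_selinux.conf_key) == 0) {
        dst = conf->selinux_context;
        cap = sizeof(conf->selinux_context);
    } else {
        return 0;
    }
    if (strlen(val) >= cap)
        return -1;
    strcpy(dst, val);
    return 1;
}

/* Pick the driver for the running host. Assumption of this sketch: LSM
 * stacking is not modelled, so AppArmor wins if both are reported. */
const struct lsm_drv *lsm_select(bool aa_enabled, bool selinux_enabled)
{
    if (aa_enabled)
        return &lsm_apparmor;
    if (selinux_enabled)
        return &lsm_selinux;
    return &lsm_nop;
}

/* Label the active driver would apply, or NULL if none is configured. */
const char *lsm_label(const struct lsm_drv *drv, const struct lsm_conf *conf)
{
    const char *label = "";

    if (drv == &lsm_apparmor)
        label = conf->aa_profile;
    else if (drv == &lsm_selinux)
        label = conf->selinux_context;
    return *label ? label : NULL;
}

/* Does the payload run under the requested label? An on-exec driver leaves a
 * function payload in the caller's context, the case raised for the attach API. */
bool lsm_payload_confined(const struct lsm_drv *drv, const struct lsm_conf *conf,
                          enum payload p)
{
    if (!lsm_label(drv, conf))
        return false;
    if (drv->when == LSM_NOW)
        return true;
    return drv->when == LSM_ON_EXEC && p == PAYLOAD_EXEC;
}

/* Constructed sample: one config carrying both items, shared between hosts. */
const struct lsm_conf *sample_conf(void)
{
    static struct lsm_conf conf;
    lsm_conf_set(&conf, "lxc.aa_profile", "lxc-container-default-with-nesting");
    lsm_conf_set(&conf, "lxc.selinux_context", "example_u:example_r:example_t:s0");
    return &conf;
}

int main(void)
{
    const bool hosts[3][2] = { { true, false }, { false, true }, { false, false } };

    for (int i = 0; i < 3; i++) {
        const struct lsm_drv *drv = lsm_select(hosts[i][0], hosts[i][1]);
        const char *label = lsm_label(drv, sample_conf());
        printf("%-8s label=%-36s exec=%d function=%d\n", drv->name,
               label ? label : "(none)",
               lsm_payload_confined(drv, sample_conf(), PAYLOAD_EXEC),
               lsm_payload_confined(drv, sample_conf(), PAYLOAD_FUNCTION));
    }
    return 0;
}
```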
Re: [lxc-devel] [PATCH] Expose underlying close_all_fds config value via API
Actually I think there is no reason not to return a result to the caller, I'll send an incremental patch to do that. On Sat, Sep 21, 2013 at 12:47 AM, Serge Hallyn wrote: > Quoting S.Çağlar Onur (cag...@10ur.org): > > Being able to set close_all_fds via API would be usefull for the > > situations like running an application (let's say web server) > > that controls the lifecycle of the container using the LXC API. > > We don't want forked process to inherit parent's resource (file, socket, > ...) > > > > Signed-off-by: S.Çağlar Onur > > Thanks, looks good to me. > > Acked-by: Serge E. Hallyn > > > --- > > src/lxc/lxc_start.c| 2 +- > > src/lxc/lxccontainer.c | 13 + > > src/lxc/lxccontainer.h | 1 + > > 3 files changed, 15 insertions(+), 1 deletion(-) > > > > diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c > > index dfc514e..a30a9f6 100644 > > --- a/src/lxc/lxc_start.c > > +++ b/src/lxc/lxc_start.c > > @@ -265,7 +265,7 @@ int main(int argc, char *argv[]) > > } > > > > if (my_args.close_all_fds) > > - conf->close_all_fds = 1; > > + c->want_close_all_fds(c); > > > > err = c->start(c, 0, args) ? 0 : -1; > > > > diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c > > index e8dde91..727c680 100644 > > --- a/src/lxc/lxccontainer.c > > +++ b/src/lxc/lxccontainer.c > > @@ -456,6 +456,18 @@ static void lxcapi_want_daemonize(struct > lxc_container *c) > > container_mem_unlock(c); > > } > > > > +static void lxcapi_want_close_all_fds(struct lxc_container *c) > > +{ > > + if (!c || !c->lxc_conf) > > + return; > > + if (container_mem_lock(c)) { > > + ERROR("Error getting mem lock"); > > + return; > > + } > > + c->lxc_conf->close_all_fds = 1; > > + container_mem_unlock(c); > > +} > > + > > static bool lxcapi_wait(struct lxc_container *c, const char *state, int > timeout) > > { > > int ret; 
> > @@ -2682,6 +2694,7 @@ struct lxc_container *lxc_container_new(const char > *name, const char *configpath > > c->init_pid = lxcapi_init_pid; > > c->load_config = lxcapi_load_config; > > c->want_daemonize = lxcapi_want_daemonize; > > + c->want_close_all_fds = lxcapi_want_close_all_fds; > > c->start = lxcapi_start; > > c->startl = lxcapi_startl; > > c->stop = lxcapi_stop; > > diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h > > index 89b55bd..8b6c6ef 100644 > > --- a/src/lxc/lxccontainer.h > > +++ b/src/lxc/lxccontainer.h 
> > @@ -68,6 +68,7 @@ struct lxc_container { > > bool (*startl)(struct lxc_container *c, int useinit, ...); > > bool (*stop)(struct lxc_container *c); > > void (*want_daemonize)(struct lxc_container *c); > > + void (*want_close_all_fds)(struct lxc_container *c); > > // Return current config file name. The result is strdup()d, so > free the result. > > char *(*config_file_name)(struct lxc_container *c); > > // for wait, timeout == -1 means wait forever, timeout == 0 means > don't wait. > > -- > > 1.8.1.2 > > > > > > > -- > > LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! > > 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, > SharePoint > > 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack > includes > > Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. > > > http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk > > ___ > > Lxc-devel mailing list > > Lxc-devel@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/lxc-devel > -- S.Çağlar Onur -- LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/22/13. http://pubads.g.doubleclick.net/gampad/clk?id=64545871&iu=/4140/ostg.clktrk___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
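Review bot: In the lxcapi_want_close_all_fds() hunk of src/lxc/lxccontainer.c, both early exits (the !c || !c->lxc_conf check and the container_mem_lock(c) failure) return void, so the call site in lxc_start.c goes straight on to c->start(c, 0, args) with close_all_fds still unset and no way to notice. Since the option exists to keep the parent's files and sockets out of the container, that is a fail-open path; returning bool and having lxc_start.c stop when the call fails would close it.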
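Review bot: In the src/lxc/lxccontainer.h hunk, want_close_all_fds is inserted between want_daemonize and config_file_name, which shifts the offset of every later member of struct lxc_container, so a program built against the previous header would call through the wrong pointer. Appending the new member at the end of the struct avoids that, and the member should get a one-line comment like the ones on config_file_name and wait below it.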
[lxc-devel] [PATCH] return the result of the lxcapi_want_close_all_fds call to the caller
Signed-off-by: S.Çağlar Onur --- src/lxc/lxccontainer.c | 7 --- src/lxc/lxccontainer.h | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 727c680..5c49b8b 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -456,16 +456,17 @@ static void lxcapi_want_daemonize(struct lxc_container *c) container_mem_unlock(c); } -static void lxcapi_want_close_all_fds(struct lxc_container *c) +static bool lxcapi_want_close_all_fds(struct lxc_container *c) { if (!c || !c->lxc_conf) - return; + return false; if (container_mem_lock(c)) { ERROR("Error getting mem lock"); - return; + return false; } c->lxc_conf->close_all_fds = 1; container_mem_unlock(c); + return true; } static bool lxcapi_wait(struct lxc_container *c, const char *state, int timeout) diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h index 8b6c6ef..225fb39 100644 --- a/src/lxc/lxccontainer.h +++ b/src/lxc/lxccontainer.h @@ -68,7 +68,7 @@ struct lxc_container { bool (*startl)(struct lxc_container *c, int useinit, ...); bool (*stop)(struct lxc_container *c); void (*want_daemonize)(struct lxc_container *c); - void (*want_close_all_fds)(struct lxc_container *c); + bool (*want_close_all_fds)(struct lxc_container *c); // Return current config file name. The result is strdup()d, so free the result. char *(*config_file_name)(struct lxc_container *c); // for wait, timeout == -1 means wait forever, timeout == 0 means don't wait. -- 1.8.1.2 -- LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/22/13. http://pubads.g.doubleclick.net/gampad/clk?id=64545871&iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
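Review bot: In the src/lxc/lxccontainer.c hunk, the !c || !c->lxc_conf path returns false silently while the lock failure logs ERROR("Error getting mem lock"), so a caller that gets false cannot tell from the log which one happened. Logging on the first path as well (when c is non-NULL) would make a refused request visible.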
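Review bot: The src/lxc/lxccontainer.h hunk changes want_close_all_fds to return bool, but the diffstat lists only lxccontainer.c and lxccontainer.h, so the call c->want_close_all_fds(c); added to src/lxc/lxc_start.c by the previous patch still discards the result. The new return value only helps if that caller checks it before c->start(); the header comment should also say what false means.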
[lxc-devel] Proposal for use of config includes by templates
Hey everyone,

So one recurring problem we've had in Ubuntu is that changes to the distribution's userspace sometimes require changes to the default LXC fstab.

So far we've been updating the two Ubuntu templates every time that happened and told our users to add the new entries to their existing configuration.

That's sub-optimal since it forces users to update the configuration of all their existing containers and leads to a fair amount of bug reports we could have avoided.

After talking this over with Serge a week or so ago, we came up with the idea that we should ship those common bits outside of the template-generated configuration and instead have the template add a lxc.include statement including those common bits.

So a minimal configuration for an Ubuntu container would look like:
---
# Template used to create this container: /usr/share/lxc/templates/lxc-ubuntu
# Parameters passed to the template: -r saucy -a amd64

lxc.network.type = veth
lxc.network.hwaddr = MAC
lxc.network.flags = up
lxc.network.link = BRIDGE
lxc.rootfs = PATH
lxc.mount = PATH
lxc.utsname = tpl-saucy-amd64
lxc.arch = amd64

# When using LXC with apparmor, uncomment the next line to run unconfined:
#lxc.aa_profile = unconfined

# To support container nesting on an Ubuntu host, uncomment next two lines:
#lxc.aa_profile = lxc-container-default-with-nesting
#lxc.hook.mount = /usr/share/lxc/hooks/mountcgroups

# Including standard configuration options
lxc.include = /usr/share/lxc/configs/ubuntu-common
---

"ubuntu-common" would then contain:
---
lxc.pivotdir = lxc_putold

lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024

lxc.cap.drop = sys_module mac_admin mac_override sys_time

lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rm
# fuse
lxc.cgroup.devices.allow = c 10:229 rwm
# tun
lxc.cgroup.devices.allow = c 10:200 rwm
# full
lxc.cgroup.devices.allow = c 1:7 rwm
# hpet
lxc.cgroup.devices.allow = c 10:228 rwm
# kvm
lxc.cgroup.devices.allow = c 10:232 rwm
---

Not represented above but also part of this, the fstab file we currently generate would disappear by default and be replaced by equivalent lxc.mount entries in the common-ubuntu file.

That way, if we need to add/remove capabilities, mounts, cgroup config, ... we can simply push it to the common config and all containers will automatically benefit from it.

I think this scheme would benefit most distributions and we should probably introduce those in the upstream git branch in a standard way (-common and -version) where -version (like ubuntu-12.04) would be used to add per-version settings when required.

Taking Ubuntu as an example where we currently support 10.04, 12.04, 12.10, 13.04 and 13.10, the ubuntu-13.04 file would contain something like:
lxc.include = /usr/share/lxc/configs/ubuntu-common
lxc.include = /usr/share/lxc/configs/ubuntu-10.04
lxc.include = /usr/share/lxc/configs/ubuntu-12.10
lxc.include = /usr/share/lxc/configs/ubuntu-13.04
lxc.include = /usr/share/lxc/configs/ubuntu-13.10

Thereby keeping config duplication to a minimum.

So any thoughts on that? Do the other template maintainers think it's something that'd be useful for them and that they'd use? Are there common cases I didn't think of in my proposal?

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
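A check a host administrator could run once the hardening settings live in an included file, as an added example (not code from this proposal or from LXC): it follows lxc.include lines and verifies that the effective configuration still carries the capability drops and the deny-all device rule from ubuntu-common. The resolver is a simplified model of include handling, and the container paths under /var/lib/lxc and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 8   /* include nesting limit; also stops include loops */

enum {
    AUDIT_OK = 0,
    MISSING_CAP_DROP = 1,     /* a capability from ubuntu-common is not dropped */
    NO_DEVICES_DENY_ALL = 2,  /* no "lxc.cgroup.devices.deny = a" */
    ALLOW_BEFORE_DENY = 4,    /* a devices.allow appears before the deny-all */
    INCLUDE_ERROR = 8         /* missing file, over-long line, or include loop */
};

/* Constructed in-memory "files"; ubuntu-common is an excerpt of the proposal. */
struct vfile { const char *path; const char *text; };
static const struct vfile files[] = {
    { "/usr/share/lxc/configs/ubuntu-common",
      "lxc.cap.drop = sys_module mac_admin mac_override sys_time\n"
      "lxc.cgroup.devices.deny = a\n"
      "# /dev/null and zero\n"
      "lxc.cgroup.devices.allow = c 1:3 rwm\n"
      "lxc.cgroup.devices.allow = c 1:5 rwm\n" },
    { "/var/lib/lxc/good/config",
      "lxc.utsname = tpl-saucy-amd64\n"
      "lxc.include = /usr/share/lxc/configs/ubuntu-common\n" },
    { "/var/lib/lxc/stale/config",      /* include line lost in a hand edit */
      "lxc.utsname = stale\n"
      "lxc.cgroup.devices.allow = c 10:232 rwm\n" },
    { "/var/lib/lxc/loop/config",       /* includes itself */
      "lxc.include = /var/lib/lxc/loop/config\n" },
};

static const char *const required_caps[] = {
    "sys_module", "mac_admin", "mac_override", "sys_time"
};

struct audit { unsigned caps; int saw_deny_all; int flags; };

/* Whole-word match inside a space-separated list. */
static int has_word(const char *list, const char *w)
{
    size_t n = strlen(w);
    for (const char *p = list; (p = strstr(p, w)) != NULL; p += n) {
        int start_ok = (p == list) || p[-1] == ' ';
        int end_ok = p[n] == '\0' || p[n] == ' ';
        if (start_ok && end_ok)
            return 1;
    }
    return 0;
}

static const char *lookup(const char *path)
{
    for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++)
        if (strcmp(files[i].path, path) == 0)
            return files[i].text;
    return NULL;
}

/* Record what one effective "key = value" item means for the audit. */
static void on_item(struct audit *a, const char *key, const char *val)
{
    if (strcmp(key, "lxc.cap.drop") == 0) {
        for (unsigned i = 0; i < 4; i++)
            if (has_word(val, required_caps[i]))
                a->caps |= 1u << i;
    } else if (strcmp(key, "lxc.cgroup.devices.deny") == 0 && strcmp(val, "a") == 0) {
        a->saw_deny_all = 1;
    } else if (strcmp(key, "lxc.cgroup.devices.allow") == 0 && !a->saw_deny_all) {
        a->flags |= ALLOW_BEFORE_DENY;
    }
}

/* Read a file line by line, expanding lxc.include in place (model assumption). */
static int walk(const char *path, int depth, struct audit *a)
{
    const char *text = lookup(path);
    if (!text || depth > MAX_DEPTH)
        return -1;
    while (*text) {
        char line[256], key[64], val[192];
        size_t len = strcspn(text, "\n");
        if (len >= sizeof(line))
            return -1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (text[len] == '\n');
        if (sscanf(line, " %63[^ =#] = %191[^\n]", key, val) != 2)
            continue;                      /* comment, blank or malformed line */
        if (strcmp(key, "lxc.include") == 0) {
            if (walk(val, depth + 1, a) < 0)
                return -1;
        } else {
            on_item(a, key, val);
        }
    }
    return 0;
}

int audit_container(const char *config_path)
{
    struct audit a = { 0, 0, 0 };
    if (walk(config_path, 0, &a) < 0)
        return INCLUDE_ERROR;
    if (a.caps != 0xFu)
        a.flags |= MISSING_CAP_DROP;
    if (!a.saw_deny_all)
        a.flags |= NO_DEVICES_DENY_ALL;
    return a.flags;
}

int main(void)
{
    const char *names[] = { "good", "stale", "loop" };
    char path[64];
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof(path), "/var/lib/lxc/%s/config", names[i]);
        printf("%-6s flags=%d\n", names[i], audit_container(path));
    }
    return 0;
}
```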
[lxc-devel] [PATCH 4/4] doc: Fixed my first name
Signed-off-by: Stéphane Graber --- doc/ja/lxc-checkconfig.sgml.in | 2 +- doc/ja/lxc-device.sgml.in | 2 +- doc/ja/lxc-info.sgml.in| 2 +- doc/ja/lxc-netstat.sgml.in | 2 +- doc/ja/lxc-start-ephemeral.sgml.in | 3 +-- doc/ja/lxc-version.sgml.in | 2 +- 6 files changed, 6 insertions(+), 7 deletions(-) diff --git a/doc/ja/lxc-checkconfig.sgml.in b/doc/ja/lxc-checkconfig.sgml.in index 04a0453..e53ea25 100644 --- a/doc/ja/lxc-checkconfig.sgml.in +++ b/doc/ja/lxc-checkconfig.sgml.in @@ -3,7 +3,7 @@ (C) Copyright Canonical Ltd. 2013 Authors: -St辿phane Graber +Stéphane Graber This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public diff --git a/doc/ja/lxc-device.sgml.in b/doc/ja/lxc-device.sgml.in index 10d0ecb..d982370 100644 --- a/doc/ja/lxc-device.sgml.in +++ b/doc/ja/lxc-device.sgml.in @@ -3,7 +3,7 @@ (C) Copyright Canonical Ltd. 2013 Authors: -St辿phane Graber +Stéphane Graber This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public diff --git a/doc/ja/lxc-info.sgml.in b/doc/ja/lxc-info.sgml.in index 61aecbb..bd2b559 100644 --- a/doc/ja/lxc-info.sgml.in +++ b/doc/ja/lxc-info.sgml.in @@ -3,7 +3,7 @@ (C) Copyright Canonical Ltd. 2013 Authors: -St辿phane Graber +Stéphane Graber This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public diff --git a/doc/ja/lxc-netstat.sgml.in b/doc/ja/lxc-netstat.sgml.in index 5779444..ea542e8 100644 --- a/doc/ja/lxc-netstat.sgml.in +++ b/doc/ja/lxc-netstat.sgml.in @@ -3,7 +3,7 @@ (C) Copyright Canonical Ltd. 2013 Authors: -St辿phane Graber +Stéphane Graber This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public diff --git a/doc/ja/lxc-start-ephemeral.sgml.in b/doc/ja/lxc-start-ephemeral.sgml.in index c8dc82d..6491a21 100644 --- a/doc/ja/lxc-start-ephemeral.sgml.in 
+++ b/doc/ja/lxc-start-ephemeral.sgml.in @@ -1,10 +1,9 @@ -
[lxc-devel] [PATCH 2/4] Add some missing comments to configure.ac
Signed-off-by: Stéphane Graber --- configure.ac | 4 1 file changed, 4 insertions(+) diff --git a/configure.ac b/configure.ac index 6c74dcd..a523583 100644 --- a/configure.ac +++ b/configure.ac @@ -52,6 +52,7 @@ esac AC_MSG_RESULT([$with_distro]) AM_CONDITIONAL([HAVE_DEBIAN], [test x"$with_distro" = "xdebian" -o x"$with_distro" = "xubuntu"]) +# Detect the newuidmap tool (required for userns) AC_CHECK_PROG([NEWUIDMAP], [newuidmap], [newuidmap]) AM_CONDITIONAL([HAVE_NEWUIDMAP], [test -n "$NEWUIDMAP"]) @@ -242,12 +243,14 @@ AC_ARG_WITH([global-conf], [global lxc configuration file] )], [], [with_global_conf=['${sysconfdir}/lxc/lxc.conf']]) +# The path of the userns network configuration file AC_ARG_WITH([usernic-conf], [AC_HELP_STRING( [--with-usernic-conf], [user network interface configuration file] )], [], [with_usernic_conf=['${sysconfdir}/lxc/lxc-usernet']]) +# The path of the runtime usernic database AC_ARG_WITH([usernic-db], [AC_HELP_STRING( [--with-usernic-db], @@ -260,6 +263,7 @@ AC_ARG_WITH([rootfs-path], [--with-rootfs-path=dir], [lxc rootfs mount point] )], [], [with_rootfs_path=['${libdir}/lxc/rootfs']]) + # cgroup pattern specification AC_ARG_WITH([cgroup-pattern], [AC_HELP_STRING( -- 1.8.3.2 -- LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99! 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/22/13. http://pubads.g.doubleclick.net/gampad/clk?id=64545871&iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
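Review bot: The last hunk (@@ -260,6 +263,7 @@) adds only a blank line before "# cgroup pattern specification", which is the fourth insertion in the diffstat but not a comment, so it does not match the subject "Add some missing comments". Either mention the whitespace change in the commit message or drop it from this patch.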
[lxc-devel] [PATCH 1/4] Consistently use for the API
The API header was included in a variety of ways before, standardize those to "include " as this will always work both in tree and on a system with the headers installed. Signed-off-by: Stéphane Graber --- src/lxc/bdev.h | 2 +- src/lxc/console.c | 2 +- src/lxc/lxc_clone.c| 2 +- src/lxc/lxc_config.c | 2 +- src/lxc/lxc_console.c | 2 +- src/lxc/lxc_create.c | 2 +- src/lxc/lxc_destroy.c | 2 +- src/lxc/lxc_snapshot.c | 2 +- src/lxc/lxc_start.c| 2 +- src/lxc/lxccontainer.c | 2 +- src/tests/cgpath.c | 2 +- src/tests/clonetest.c | 2 +- src/tests/concurrent.c | 2 +- src/tests/console.c| 2 +- src/tests/containertests.c | 2 +- src/tests/createtest.c | 2 +- src/tests/destroytest.c| 2 +- src/tests/get_item.c | 2 +- src/tests/getkeys.c| 2 +- src/tests/lxcpath.c| 2 +- src/tests/saveconfig.c | 2 +- src/tests/shutdowntest.c | 2 +- src/tests/snapshot.c | 2 +- src/tests/startone.c | 2 +- 24 files changed, 24 insertions(+), 24 deletions(-) diff --git a/src/lxc/bdev.h b/src/lxc/bdev.h index f9d9a0c..a603d9e 100644 --- a/src/lxc/bdev.h +++ b/src/lxc/bdev.h @@ -29,7 +29,7 @@ */ #include "config.h" -#include "lxccontainer.h" +#include struct bdev; diff --git a/src/lxc/console.c b/src/lxc/console.c index 78be403..d854dbb 100644 --- a/src/lxc/console.c +++ b/src/lxc/console.c @@ -31,7 +31,7 @@ #include #include -#include "lxccontainer.h" +#include #include "log.h" #include "conf.h" #include "config.h" diff --git a/src/lxc/lxc_clone.c b/src/lxc/lxc_clone.c index 8b5c6e9..e0be9da 100644 --- a/src/lxc/lxc_clone.c +++ b/src/lxc/lxc_clone.c @@ -32,7 +32,7 @@ #include "lxc.h" #include "conf.h" #include "state.h" -#include "lxccontainer.h" +#include lxc_log_define(lxc_clone, lxc); diff --git a/src/lxc/lxc_config.c b/src/lxc/lxc_config.c index b3f2ed8..c90be7d 100644 --- a/src/lxc/lxc_config.c +++ b/src/lxc/lxc_config.c @@ -20,7 +20,7 @@ #include #include "config.h" -#include "lxccontainer.h" +#include struct lxc_config_items { char *name; 
diff --git a/src/lxc/lxc_console.c b/src/lxc/lxc_console.c index 28ad772..ea1e999 100644 --- a/src/lxc/lxc_console.c +++ b/src/lxc/lxc_console.c @@ -38,7 +38,7 @@ #include #include -#include "../lxc/lxccontainer.h" +#include #include "error.h" #include "lxc.h" #include "log.h" diff --git a/src/lxc/lxc_create.c b/src/lxc/lxc_create.c index 4f205e8..f577e30 100644 --- a/src/lxc/lxc_create.c +++ b/src/lxc/lxc_create.c @@ -17,7 +17,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include "../lxc/lxccontainer.h" +#include #include #include diff --git a/src/lxc/lxc_destroy.c b/src/lxc/lxc_destroy.c index 0724eb8..a1f73ca 100644 --- a/src/lxc/lxc_destroy.c +++ b/src/lxc/lxc_destroy.c @@ -17,7 +17,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include "../lxc/lxccontainer.h" +#include #include #include diff --git a/src/lxc/lxc_snapshot.c b/src/lxc/lxc_snapshot.c index 0177f5d..c21563f 100644 --- a/src/lxc/lxc_snapshot.c +++ b/src/lxc/lxc_snapshot.c @@ -17,7 +17,7 @@ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include "../lxc/lxccontainer.h" +#include #include #include diff --git a/src/lxc/lxc_start.c b/src/lxc/lxc_start.c index a30a9f6..a894513 100644 --- a/src/lxc/lxc_start.c +++ b/src/lxc/lxc_start.c @@ -43,7 +43,7 @@ #include "log.h" #include "caps.h" #include "lxc.h" -#include "lxccontainer.h" +#include #include "conf.h" #include "cgroup.h" #include "utils.h" diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 727c680..44f68cc 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -31,7 +31,7 @@ #include "config.h" #include "lxc.h" #include "state.h" -#include "lxccontainer.h" +#include #include "conf.h" #include "confile.h" #include "console.h" diff --git a/src/tests/cgpath.c b/src/tests/cgpath.c index f9aaced..26a79c3 100644 --- a/src/tests/cgpath.c +++ b/src/tests/cgpath.c 
@@ -16,7 +16,7 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include "../lxc/lxccontainer.h" +#include #include #include diff --git a/src/tests/clonetest.c b/src/tests/clonetest.c index da3ce75..b04ab3c 100644 --- a/src/tests/clonetest.c +++ b/src/tests/clonetest.c @@ -16,7 +16,7 @@ * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ -#include "../lxc/lxccontainer.h" +#include #include #include diff --git a/src/tests/concurrent.c b/src/tests/concurrent.c index c8a1368..6673f3a 100644 --- a/src/tests/concurrent.c +++ b/src/tests/concurrent.c @@ -23,7 +23,7 @@ #define _GNU_SOURCE #include -#include "../lxc/lxccontainer.h" +#include static int nthreads =
[lxc-devel] [PATCH 3/4] doc: Make everything use the @docdtd@ variable
Signed-off-by: Stéphane Graber --- doc/ja/legacy/lxc-ls.sgml.in | 2 +- doc/ja/lxc-attach.sgml.in | 2 +- doc/ja/lxc-cgroup.sgml.in | 2 +- doc/ja/lxc-checkconfig.sgml.in | 2 +- doc/ja/lxc-checkpoint.sgml.in | 2 +- doc/ja/lxc-clone.sgml.in | 2 +- doc/ja/lxc-console.sgml.in | 2 +- doc/ja/lxc-create.sgml.in | 2 +- doc/ja/lxc-destroy.sgml.in | 2 +- doc/ja/lxc-device.sgml.in | 2 +- doc/ja/lxc-execute.sgml.in | 2 +- doc/ja/lxc-freeze.sgml.in | 2 +- doc/ja/lxc-info.sgml.in| 2 +- doc/ja/lxc-kill.sgml.in| 2 +- doc/ja/lxc-ls.sgml.in | 2 +- doc/ja/lxc-monitor.sgml.in | 2 +- doc/ja/lxc-netstat.sgml.in | 2 +- doc/ja/lxc-ps.sgml.in | 2 +- doc/ja/lxc-restart.sgml.in | 2 +- doc/ja/lxc-shutdown.sgml.in| 2 +- doc/ja/lxc-start-ephemeral.sgml.in | 2 +- doc/ja/lxc-start.sgml.in | 2 +- doc/ja/lxc-stop.sgml.in| 2 +- doc/ja/lxc-top.sgml.in | 2 +- doc/ja/lxc-unfreeze.sgml.in| 2 +- doc/ja/lxc-unshare.sgml.in | 2 +- doc/ja/lxc-version.sgml.in | 2 +- doc/ja/lxc-wait.sgml.in| 2 +- doc/ja/lxc.conf.sgml.in| 2 +- doc/ja/lxc.sgml.in | 2 +- 30 files changed, 30 insertions(+), 30 deletions(-) diff --git a/doc/ja/legacy/lxc-ls.sgml.in b/doc/ja/legacy/lxc-ls.sgml.in index 980b7ba..077d4fa 100644 --- a/doc/ja/legacy/lxc-ls.sgml.in +++ b/doc/ja/legacy/lxc-ls.sgml.in @@ -27,7 +27,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + ]> diff --git a/doc/ja/lxc-attach.sgml.in b/doc/ja/lxc-attach.sgml.in index 9fa14ca..0d75d3e 100644 --- a/doc/ja/lxc-attach.sgml.in +++ b/doc/ja/lxc-attach.sgml.in @@ -26,7 +26,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + diff --git a/doc/ja/lxc-cgroup.sgml.in b/doc/ja/lxc-cgroup.sgml.in index 45cf6e6..8e77d20 100644 --- a/doc/ja/lxc-cgroup.sgml.in +++ b/doc/ja/lxc-cgroup.sgml.in @@ -26,7 +26,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + diff --git a/doc/ja/lxc-checkconfig.sgml.in b/doc/ja/lxc-checkconfig.sgml.in index 4e0ac44..04a0453 100644 
--- a/doc/ja/lxc-checkconfig.sgml.in +++ b/doc/ja/lxc-checkconfig.sgml.in @@ -24,7 +24,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + ]> diff --git a/doc/ja/lxc-checkpoint.sgml.in b/doc/ja/lxc-checkpoint.sgml.in index 7308120..bcb761d 100644 --- a/doc/ja/lxc-checkpoint.sgml.in +++ b/doc/ja/lxc-checkpoint.sgml.in @@ -26,7 +26,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + diff --git a/doc/ja/lxc-clone.sgml.in b/doc/ja/lxc-clone.sgml.in index 7c64287..54cef22 100644 --- a/doc/ja/lxc-clone.sgml.in +++ b/doc/ja/lxc-clone.sgml.in @@ -27,7 +27,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + diff --git a/doc/ja/lxc-console.sgml.in b/doc/ja/lxc-console.sgml.in index 4d69aff..5fc2728 100644 --- a/doc/ja/lxc-console.sgml.in +++ b/doc/ja/lxc-console.sgml.in @@ -26,7 +26,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + diff --git a/doc/ja/lxc-create.sgml.in b/doc/ja/lxc-create.sgml.in index 9713abd..275203a 100644 --- a/doc/ja/lxc-create.sgml.in +++ b/doc/ja/lxc-create.sgml.in @@ -26,7 +26,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + diff --git a/doc/ja/lxc-destroy.sgml.in b/doc/ja/lxc-destroy.sgml.in index e82bcfb..a962708 100644 --- a/doc/ja/lxc-destroy.sgml.in +++ b/doc/ja/lxc-destroy.sgml.in @@ -26,7 +26,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + diff --git a/doc/ja/lxc-device.sgml.in b/doc/ja/lxc-device.sgml.in index d46582e..10d0ecb 100644 --- a/doc/ja/lxc-device.sgml.in +++ b/doc/ja/lxc-device.sgml.in @@ -24,7 +24,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + ]> diff --git a/doc/ja/lxc-execute.sgml.in b/doc/ja/lxc-execute.sgml.in index ec016fb..50826d8 100644 --- a/doc/ja/lxc-execute.sgml.in +++ b/doc/ja/lxc-execute.sgml.in 
@@ -26,7 +26,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + diff --git a/doc/ja/lxc-freeze.sgml.in b/doc/ja/lxc-freeze.sgml.in index 84d0916..f651102 100644 --- a/doc/ja/lxc-freeze.sgml.in +++ b/doc/ja/lxc-freeze.sgml.in @@ -26,7 +26,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + diff --git a/doc/ja/lxc-info.sgml.in b/doc/ja/lxc-info.sgml.in index 1c7a7b4..61aecbb 100644 --- a/doc/ja/lxc-info.sgml.in +++ b/doc/ja/lxc-info.sgml.in @@ -24,7 +24,7 @@ by KATOH Yasufumi --> -http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"; [ + diff --git a/doc/ja/lxc-kill.sgml.in b/doc
[lxc-devel] [lxc/lxc]
Branch: refs/heads/staging Home: https://github.com/lxc/lxc
[lxc-devel] [lxc/lxc]
Branch: refs/heads/master Home: https://github.com/lxc/lxc
[lxc-devel] [lxc/lxc]
Branch: refs/heads/upstream-master Home: https://github.com/lxc/lxc
Re: [lxc-devel] [PATCH] lxc-create: conside create succeed when container is already created
On 2013/9/17 21:41, Serge Hallyn wrote:
> Quoting Qiang Huang (h.huangqi...@huawei.com):
>> On 2013/9/17 11:27, Serge Hallyn wrote:
>>> Quoting Qiang Huang (h.huangqi...@huawei.com):
>>>> On 2013/9/16 12:23, Stéphane Graber wrote:
>>>>> On Mon, Sep 16, 2013 at 11:37:02AM +0800, Qiang Huang wrote:
>>>>>> Sometimes we use:
>>>>>>     lxc-create -n xxx -f config
>>>>>> to copy config to the default lxcpath when the rootfs already
>>>>>> exists.
>>>>>> But we will get an error right now, so fix this.
>>>>>
>>>>> Hmm, I'm not sure I understand.
>>>>>
>>>>> Running "lxc-create -n xxx -f config" when xxx already exists is an
>>>>> error and should return an error code so the current code seems
>>>>> perfectly right to me.
>>>>
>>>> Well, it did work this way in the former lxc_create version.
>>>>
>>>> We used to use LXC this way:
>>>> - We made a template (rootfs, config and fstab) manually.
>>>
>>> From here, can you just write a script 'lxc-homebrew' which
>>> copies the rootfs+config+fstab into place, and call
>>>
>>>     lxc-create -t homebrew -n c1
>>>
>>> ?
>>>
>>> If you want to just copy the stuff in by hand, you can
>>> do that. You don't *have* to run lxc-create if you've done
>>> everything by hand.
>>
>> OK, thanks Serge.
>>
>> So we are still not supposed to use lxc-create without -t option?
>
> I just don't see the point, and I worry that people using the
> common case will end up accidentally deleting existing container
> data.
>
> Well, the current code says
>
>     /* container is already created if we have a config and rootfs.path
>        is accessible */
>     if (lxcapi_is_defined(c) && c->lxc_conf && c->lxc_conf->rootfs.path
>         && access(c->lxc_conf->rootfs.path, F_OK) == 0)
>         goto out;
>
> Maybe what we want to do is add a '&& access(c->configfile, F_OK) to that
> test? I think that would give you what you want, and I think it's what
> I really meant to say.

Yes, adding a '&& access(c->configfile, F_OK) to that test will make
lxc-create -n xxx -f config succeed, but I don't quite understand
the logic here: in what situation will this test fail?

>> Is lxc-create only used for creating templates?
>
> For running template scripts. Near as I can tell the only thing
> you want lxc-create to do is to copy a file (the config file).

Yes, and that is what the old version of lxc-create can do, but it can't now.
And adding that test does not seem to be enough, because after the create,
lxc-start -n xxx will fail: we create an empty rootfs in
/usr/local/var/lib/lxc/xxx, and one item of the config in that dir is
changed to

    lxc.rootfs = /usr/local/var/lib/lxc/xxx/rootfs

> That just seems like way overkill.

So what do you think about this? Should I make a patch to change this, so
we can use lxc-create -n xxx -f config to create a container when the
rootfs already exists?

> -serge
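The "already created" test discussed in this thread, as an added example that is not LXC's code and not from any poster: it checks the config file and the rootfs path separately, so the case described above (rootfs prepared by hand, config not yet copied) is distinguishable from a fully created container. The names `create_state`, `path_exists`, `classify` and `demo` are hypothetical, and the directory layout is constructed in a temp dir.

```c
#define _XOPEN_SOURCE 700 /* mkdtemp() */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum create_state { NOT_CREATED, ROOTFS_ONLY, CONFIG_ONLY, FULLY_CREATED };

/* access() returns 0 on success, so each clause must compare against 0. */
static bool path_exists(const char *p)
{
    return p != NULL && access(p, F_OK) == 0;
}

/* Hypothetical helper: configfile and rootfs_path stand in for
 * c->configfile and c->lxc_conf->rootfs.path in the quoted test. */
static enum create_state classify(const char *configfile, const char *rootfs_path)
{
    bool cfg = path_exists(configfile);
    bool rootfs = path_exists(rootfs_path);
    if (cfg && rootfs)
        return FULLY_CREATED;
    return cfg ? CONFIG_ONLY : rootfs ? ROOTFS_ONLY : NOT_CREATED;
}

/* Builds a constructed layout in a fresh temp dir and classifies it. */
static enum create_state demo(bool with_rootfs, bool with_config)
{
    char dir[] = "/tmp/lxc-demo-XXXXXX", cfg[64], rootfs[64];
    FILE *f = NULL;
    if (!mkdtemp(dir))
        exit(1);
    snprintf(cfg, sizeof cfg, "%s/config", dir);
    snprintf(rootfs, sizeof rootfs, "%s/rootfs", dir);
    if ((with_rootfs && mkdir(rootfs, 0700) != 0) ||
        (with_config && !(f = fopen(cfg, "w"))))
        exit(1);
    if (f)
        fclose(f);
    enum create_state s = classify(cfg, rootfs);
    unlink(cfg); rmdir(rootfs); rmdir(dir);
    return s;
}

int main(void)
{
    printf("rootfs only: %d, both: %d\n", demo(true, false), demo(true, true));
}
```

Only `FULLY_CREATED` corresponds to "nothing left to do"; a caller that treats `ROOTFS_ONLY` as a fresh create has to avoid touching the existing rootfs.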
[lxc-devel] [lxc/lxc] edfb9a: factor out networking configuration code
Branch: refs/heads/stable-0.7.4
Home: https://github.com/lxc/lxc

Commit: edfb9a57cf23369aeece9d829bb2930dfd404abc
    https://github.com/lxc/lxc/commit/edfb9a57cf23369aeece9d829bb2930dfd404abc
Author: Daniel Lezcano
Date: 2011-03-06 (Sun, 06 Mar 2011)
Changed paths:
    M src/lxc/conf.c
    M src/lxc/network.c
    M src/lxc/network.h
Log Message:
---
factor out networking configuration code

Change the name of the functions and factor some of them.

Signed-off-by: Daniel Lezcano

Commit: b693b38534f9046fcb3872033d953eb20c67e358
    https://github.com/lxc/lxc/commit/b693b38534f9046fcb3872033d953eb20c67e358
Author: Daniel Lezcano
Date: 2011-03-06 (Sun, 06 Mar 2011)
Changed paths:
    M src/lxc/conf.c
    M src/lxc/network.c
    M src/lxc/network.h
Log Message:
---
rename physical device to the original name

Signed-off-by: Daniel Lezcano

Commit: 525ff3a55575dd376f95f6d54b3521e481f1e3d7
    https://github.com/lxc/lxc/commit/525ff3a55575dd376f95f6d54b3521e481f1e3d7
Author: Daniel Lezcano
Date: 2011-03-06 (Sun, 06 Mar 2011)
Changed paths:
    M configure.ac
Log Message:
---
lxc-0.7.4.1

Signed-off-by: Daniel Lezcano

Commit: c232d084125ee97ba3d22409bae9f1217e9dba9f
    https://github.com/lxc/lxc/commit/c232d084125ee97ba3d22409bae9f1217e9dba9f
Author: Daniel Lezcano
Date: 2011-03-14 (Mon, 14 Mar 2011)
Changed paths:
    M src/lxc/conf.c
Log Message:
---
fix mount path

Signed-off-by: Daniel Lezcano

Commit: 7be9485c5262f5c30c6c41abd94c4ba13eb0e58f
    https://github.com/lxc/lxc/commit/7be9485c5262f5c30c6c41abd94c4ba13eb0e58f
Author: Michael Santos
Date: 2011-03-16 (Wed, 16 Mar 2011)
Changed paths:
    M src/lxc/lxc_monitor.c
Log Message:
---
Exit if allocation fails

Signed-off-by: Michael Santos
Signed-off-by: Daniel Lezcano

Commit: 4b85e81b3d6a9210de09c56224437099abab9eff
    https://github.com/lxc/lxc/commit/4b85e81b3d6a9210de09c56224437099abab9eff
Author: Michael Santos
Date: 2011-03-16 (Wed, 16 Mar 2011)
Changed paths:
    M src/lxc/monitor.c
Log Message:
---
Ensure monitored container name is null terminated

regexec() expects a null terminated name.

Signed-off-by: Michael Santos
Signed-off-by: Daniel Lezcano

Commit: 326afe510cccb9406f0d1e3563d71aef91083b80
    https://github.com/lxc/lxc/commit/326afe510cccb9406f0d1e3563d71aef91083b80
Author: Cedric Le Goater
Date: 2011-04-06 (Wed, 06 Apr 2011)
Changed paths:
    M src/lxc/namespace.c
Log Message:
---
lxc-attach: fix access permissions of /proc/$pid/ns

Signed-off-by: Cedric Le Goater
Signed-off-by: Daniel Lezcano

Commit: 434d05fc6a8f38c29606780fab9df4fa3706fc25
    https://github.com/lxc/lxc/commit/434d05fc6a8f38c29606780fab9df4fa3706fc25
Author: Greg Kurz
Date: 2011-04-06 (Wed, 06 Apr 2011)
Changed paths:
    M src/lxc/log.c
Log Message:
---
lxc: default log appender on stderr

The default appender for logs is currently the file one: this makes macros
from log.h unusable as long as lxc_log_init() hasn't been called. This
prevents errors from even being printed on stderr in lxc_caps_init() for
example. Let's make stderr the default appender.

Signed-off-by: Greg Kurz
Signed-off-by: Daniel Lezcano

Commit: c6a46e86d4befbed2b35cb7fb97053fe6da8c8ab
    https://github.com/lxc/lxc/commit/c6a46e86d4befbed2b35cb7fb97053fe6da8c8ab
Author: Serge E. Hallyn
Date: 2011-05-06 (Fri, 06 May 2011)
Changed paths:
    M templates/lxc-lucid.in
    M templates/lxc-maverick.in
    M templates/lxc-natty.in
Log Message:
---
templates: don't put devpts in $confdir/container/fstab

src/lxc/conf.c will explicitly mount it anyway. Furthermore, the fstab
entry, which is getting processed first, did not specify -o newinstance.
This can cause the host's devpts entry mount options to change, as in
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/607636.

I believe the lenny, fedora, and debian templates also will need an update.

Signed-off-by: Serge Hallyn
Signed-off-by: Daniel Lezcano

Commit: ed57edc0ad52692272cab13e132bd58fc9635ea5
    https://github.com/lxc/lxc/commit/ed57edc0ad52692272cab13e132bd58fc9635ea5
Author: Daniel Lezcano
Date: 2011-05-06 (Fri, 06 May 2011)
Changed paths:
    M templates/lxc-debian.in
    M templates/lxc-fedora.in
    M templates/lxc-lenny.in
Log Message:
---
templates: don't put devpts in $confdir/container/fstab

src/lxc/conf.c will explicitly mount it anyway. Furthermore, the fstab
entry, which is getting processed first, did not specify -o newinstance.
This can cause the host's devpts entry mount options to change, as in
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/607636.

Signed-off-by: Daniel Lezcano

Commit: b3c7b19a0de4a7ba74e6d46a01dccbc75c9a3c20
    https://github.com/lxc/lxc/commit/b3c7b19a0de4a7ba74e6