Re: [lxc-devel] lxc-start: Invalid argument - pivot_root syscall failed
On Fri, 18/10/2013 at 00:22 +0400, Peter Volkov wrote:
> On Thu, 10/10/2013 at 14:47 -0500, Serge Hallyn wrote:
> > Quoting Peter Volkov (p...@gentoo.org):
> > > I'm using 1.0.0.alpha1 although I've tried with 0.8.0 also and I'm
> > > unable to start the container with the following error:
> > >
> > > lxc-start: Invalid argument - pivot_root syscall failed
> > > lxc-start: failed to setup pivot root
> > > lxc-start: failed to set rootfs for 'repos'
> > > lxc-start: failed to setup the container
> > > lxc-start: invalid sequence number 1. expected 2
> > > lxc-start: failed to spawn 'repos'
> > >
> > > I've tried mount --make-private on all mount points I've thought of with
> > > no luck.
> > > Also I've tried lxc.autodev = 1, also no luck, and I guess this is
> > > relevant with systemd while this system uses openrc as init system.
> > >
> > > Container's conf file:
> > >
> > > lxc.arch = amd64
> > > lxc.utsname = repos
> > > lxc.rootfs = /virt/lxc/repos
> > >
> > > Distribution Gentoo. Same config works fine on another gentoo system.
> > > Although systems are completely different I think important differences
> > > are:
> > > 1. init system: on laptop I'm using systemd while on server openrc
> > > 2. on server I have full system inside ram (system resides inside
> > > initramfs and after boot root stays in RAM on rootfs)
> >
> > I think that's the problem. I could be wrong, but I think it's
> > refusing because your root doesn't have a parent, i.e. isn't
> > mounted somewhere.
> >
> > I suspect we want detect_shared_rootfs() updated to check for
> > your rootfs being mount #1, and also return 1 in that case
> > (meaning we will set up an environment in which you can in
> > fact pivot_root).
> >
> > Is such a patch something you could write and test?
>
> Well, it's not that easy, unfortunately. For tests I just modified
> detect_shared_rootfs to return 1, so it'll detect that / is shared.
> Tried and lxc-start failed with:
>
> lxc-start: Invalid argument - failed to mount /usr/local/lib/lxc/rootfs
> bind
> lxc-start: Failed to chroot into slave /
>
> and really, if I try to mount it manually it fails:
> # mount -o bind /usr/local/lib/lxc/rootfs /usr/local/lib/lxc/rootfs
> mount: wrong fs type, bad option, bad superblock on /usr/local/lib64/lxc/rootfs,
>        missing codepage or helper program, or other error
>        In some cases useful info is found in syslog - try
>        dmesg | tail or so
>
> Ok, not a problem, I've added the following in config:
> lxc.rootfs.mount = /virt/lxc/pivot_root
> /virt/lxc/pivot_root is not on the rootfs partition so mount -o bind works as
> it should:
> # mount -o bind /virt/lxc/pivot_root /virt/lxc/pivot_root
> #
>
> Tried again and now lxc-start fails:
> # lxc-start -f repos.conf -n repos -l DEBUG -o lxc-start-debug
> lxc-start: Invalid argument - Failed to rbind mount /
> to /virt/lxc/pivot_root/root
> lxc-start: Failed to chroot into slave /
> lxc-start: failed to setup rootfs for 'repos'
> lxc-start: failed to setup the container
> lxc-start: invalid sequence number 1. expected 2
> lxc-start: failed to spawn 'repos'
>
> Why does it need to mount /? I've read the comments before
> chroot_into_slave() but I don't understand why we need to do all of
> that. Was there any discussion?

Well, finally I found the problem. In
Documentation/filesystems/ramfs-rootfs-initramfs.txt it is written:

    Rootfs is a special instance of ramfs (or tmpfs, if that's enabled), which is
    always present in 2.6 systems. You can't unmount rootfs for approximately the
    same reason you can't kill the init process; rather than having special code
    to check for and handle an empty list, it's smaller and simpler for the kernel
    to just make sure certain lists can't become empty.

So mount --bind is not supposed to work on rootfs. Then I've written a small
init script that creates a real 'tmpfs' (as opposed to 'rootfs'), moves the
system root there and then switch_root there. Now lxc-start works!
Cool! :)

--
Peter.

--
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk
___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
[lxc-devel] [PATCH 1/1] parse.c: don't print error message on callback rv > 0
A callback return value < 0 means there was an error, so print
out an error message. But a rv > 0 is used by the mount_unknown_fs
functions to say "we found the one we want, stop here."

Document this, and only print an error message if rv < 0. Otherwise,

    lxc-create -B lvm --fstype ext3 -t ubuntu -n u1

will print an (innocuous) error message about being unable to parse
the config value 'ext3'.

Signed-off-by: Serge Hallyn
---
src/lxc/parse.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/lxc/parse.c b/src/lxc/parse.c index 5fca79e..dcf5cf0 100644 --- a/src/lxc/parse.c +++ b/src/lxc/parse.c @@ -102,7 +102,10 @@ int lxc_file_for_each_line(const char *file, lxc_file_cb callback, void *data) while (getline(&line, &len, f) != -1) { err = callback(line, data); if (err) { - ERROR("Failed to parse config: %s", line); + // callback rv > 0 means stop here + // callback rv < 0 means error + if (err < 0) + ERROR("Failed to parse config: %s", line); break; } }
--
1.8.3.2
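Review bot: the two `//` comments inside the loop are the only place the new contract (callback rv > 0 ends the walk without an error, rv < 0 is an error) is recorded; put it in the doc comment of the `lxc_file_cb` callback type and of `lxc_file_for_each_line` so every callback author sees it, and use the `/* */` comment style the surrounding code uses. Because `break` fires for any non-zero rv, a callback that returns a positive value by accident (say, a passed-through `strcmp` result) now stops config parsing silently where it used to be logged; the commit message should name which callbacks (the mount_unknown_fs ones) are the intended users of the positive return.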
[lxc-devel] [PATCH 1/1] lxc-test-ubuntu: improve apparmor policy test
Also allow the standard non-nested apparmor policy.

Signed-off-by: Serge Hallyn
---
src/tests/lxc-test-ubuntu | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tests/lxc-test-ubuntu b/src/tests/lxc-test-ubuntu index c6573c1..7fa1c89 100755 --- a/src/tests/lxc-test-ubuntu +++ b/src/tests/lxc-test-ubuntu @@ -68,7 +68,7 @@ for template in ubuntu ubuntu-cloud; do # Check apparmor lxcpid=`lxc-info -n $name -p | awk -F: '{ print $2 }' | awk '{ print $1}'` aa=`cat /proc/$lxcpid/attr/current` - if [ "$aa" != "lxc-container-default-with-nesting (enforce)" ]; then + if [ "$aa" != "lxc-container-default-with-nesting (enforce)" -a "$aa" != "lxc-container-default (enforce)" ]; then FAIL " to correctly set apparmor profile (profile is \"$aa\")" fi lxc-stop -n $name
--
1.8.3.2
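Review bot: the `-a` operator inside a single `[ ]` on the changed line is marked obsolescent by POSIX and the line is now hard to read; two tests joined with `&&` (`[ "$aa" != "lxc-container-default-with-nesting (enforce)" ] && [ "$aa" != "lxc-container-default (enforce)" ]`) or a `case "$aa" in ... esac` over the two accepted profile strings is portable and clearer. Accepting either profile also means the test can no longer tell a deliberate fall-back to the non-nested profile from the nesting profile being applied; if a template is expected to produce a particular profile, derive the expected string from the container's configuration instead of accepting both.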
Re: [lxc-devel] lxc-start: Invalid argument - pivot_root syscall failed
Quoting Peter Volkov (p...@gentoo.org):
> On Fri, 18/10/2013 at 00:22 +0400, Peter Volkov wrote:
> > On Thu, 10/10/2013 at 14:47 -0500, Serge Hallyn wrote:
> > > Quoting Peter Volkov (p...@gentoo.org):
> > > > I'm using 1.0.0.alpha1 although I've tried with 0.8.0 also and I'm
> > > > unable to start the container with the following error:
> > > >
> > > > lxc-start: Invalid argument - pivot_root syscall failed
> > > > lxc-start: failed to setup pivot root
> > > > lxc-start: failed to set rootfs for 'repos'
> > > > lxc-start: failed to setup the container
> > > > lxc-start: invalid sequence number 1. expected 2
> > > > lxc-start: failed to spawn 'repos'
> > > >
> > > > I've tried mount --make-private on all mount points I've thought of with
> > > > no luck.
> > > > Also I've tried lxc.autodev = 1, also no luck, and I guess this is
> > > > relevant with systemd while this system uses openrc as init system.
> > > >
> > > > Container's conf file:
> > > >
> > > > lxc.arch = amd64
> > > > lxc.utsname = repos
> > > > lxc.rootfs = /virt/lxc/repos
> > > >
> > > > Distribution Gentoo. Same config works fine on another gentoo system.
> > > > Although systems are completely different I think important differences
> > > > are:
> > > > 1. init system: on laptop I'm using systemd while on server openrc
> > > > 2. on server I have full system inside ram (system resides inside
> > > > initramfs and after boot root stays in RAM on rootfs)
> > >
> > > I think that's the problem. I could be wrong, but I think it's
> > > refusing because your root doesn't have a parent, i.e. isn't
> > > mounted somewhere.
> > >
> > > I suspect we want detect_shared_rootfs() updated to check for
> > > your rootfs being mount #1, and also return 1 in that case
> > > (meaning we will set up an environment in which you can in
> > > fact pivot_root).
> > >
> > > Is such a patch something you could write and test?
> >
> > Well, it's not that easy, unfortunately. For tests I just modified
> > detect_shared_rootfs to return 1, so it'll detect that / is shared.
> > Tried and lxc-start failed with:
> >
> > lxc-start: Invalid argument - failed to mount /usr/local/lib/lxc/rootfs
> > bind
> > lxc-start: Failed to chroot into slave /
> >
> > and really, if I try to mount it manually it fails:
> > # mount -o bind /usr/local/lib/lxc/rootfs /usr/local/lib/lxc/rootfs
> > mount: wrong fs type, bad option, bad superblock on /usr/local/lib64/lxc/rootfs,
> >        missing codepage or helper program, or other error
> >        In some cases useful info is found in syslog - try
> >        dmesg | tail or so
> >
> > Ok, not a problem, I've added the following in config:
> > lxc.rootfs.mount = /virt/lxc/pivot_root
> > /virt/lxc/pivot_root is not on the rootfs partition so mount -o bind works as
> > it should:
> > # mount -o bind /virt/lxc/pivot_root /virt/lxc/pivot_root
> > #
> >
> > Tried again and now lxc-start fails:
> > # lxc-start -f repos.conf -n repos -l DEBUG -o lxc-start-debug
> > lxc-start: Invalid argument - Failed to rbind mount /
> > to /virt/lxc/pivot_root/root
> > lxc-start: Failed to chroot into slave /
> > lxc-start: failed to setup rootfs for 'repos'
> > lxc-start: failed to setup the container
> > lxc-start: invalid sequence number 1. expected 2
> > lxc-start: failed to spawn 'repos'
> >
> > Why does it need to mount /? I've read the comments before
> > chroot_into_slave() but I don't understand why we need to do all of
> > that. Was there any discussion?
>
> Well, finally I found the problem. In
> Documentation/filesystems/ramfs-rootfs-initramfs.txt it is written:
>
>     Rootfs is a special instance of ramfs (or tmpfs, if that's enabled), which is
>     always present in 2.6 systems. You can't unmount rootfs for approximately the
>     same reason you can't kill the init process; rather than having special code
>     to check for and handle an empty list, it's smaller and simpler for the kernel
>     to just make sure certain lists can't become empty.
>
> So mount --bind is not supposed to work on rootfs. Then I've written a small
> init script that creates a real 'tmpfs' (as opposed to 'rootfs'), moves the
> system root there and then switch_root there. Now lxc-start works!
> Cool! :)

Might be worth having lxc check /proc/self/mountinfo to determine if this is
the case and give the user some meaningful info.

-serge
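Serge's suggestion, that lxc read /proc/self/mountinfo and tell the user when the host root is the initramfs rootfs, as an added example in C; this is not lxc code and not from the thread. It keys on the filesystem type of the mount at "/" being `rootfs`, the condition Peter identified, and the two sample tables are constructed, not captured from a machine.

```c
#include <stdio.h>
#include <string.h>

/* What we learn about the mount that backs "/" in this mount namespace. */
struct root_mount {
    int  id;          /* mount ID, first mountinfo field */
    int  parent;      /* parent mount ID, second field */
    char fstype[32];  /* filesystem type, first field after the " - " separator */
};

/* Constructed sample tables (not captured from a real machine): the first is
 * what an initramfs-resident root like Peter's looks like, the second a root
 * that lives on a real block device. */
static const char SAMPLE_INITRAMFS[] =
    "1 0 0:1 / / rw - rootfs rootfs rw\n"
    "15 1 0:3 / /proc rw,nosuid,nodev,noexec - proc proc rw\n"
    "16 1 0:13 / /sys rw,nosuid,nodev,noexec - sysfs sysfs rw\n";

static const char SAMPLE_DISK[] =
    "17 21 0:16 / /sys rw,nosuid,nodev,noexec shared:7 - sysfs sysfs rw\n"
    "21 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,data=ordered\n"
    "18 21 0:3 / /proc rw,nosuid shared:12 - proc proc rw\n";

/* Parse one mountinfo line:
 *   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional fields] - FSTYPE SRC SUPEROPTS
 * The optional fields vary in number, so the fstype is located by searching
 * for the " - " separator rather than by position.
 * Returns 1 and fills *m and mp (the mount point) on success, 0 if malformed. */
static int parse_line(const char *line, struct root_mount *m, char *mp, size_t mp_len)
{
    char point[256];
    const char *sep;

    if (sscanf(line, "%d %d %*s %*s %255s", &m->id, &m->parent, point) != 3)
        return 0;
    sep = strstr(line, " - ");
    if (sep == NULL || sscanf(sep + 3, "%31s", m->fstype) != 1)
        return 0;
    snprintf(mp, mp_len, "%s", point);
    return 1;
}

/* Find the entry whose mount point is "/" in a mountinfo table held in memory.
 * Returns 1 and fills *out if found, 0 otherwise. */
int find_root_mount(const char *table, struct root_mount *out)
{
    const char *p = table;

    while (*p != '\0') {
        char line[1024], mp[256];
        struct root_mount m;
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len >= sizeof(line))   /* over-long line: truncate; parse may then fail */
            len = sizeof(line) - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (parse_line(line, &m, mp, sizeof(mp)) && strcmp(mp, "/") == 0) {
            *out = m;
            return 1;
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return 0;
}

/* 1 if "/" is the kernel's own rootfs (the initramfs instance that cannot be
 * bind-mounted, so pivoting out of it fails), 0 if "/" is an ordinary
 * filesystem, -1 if no "/" entry could be parsed. */
int root_is_initramfs_rootfs(const char *table)
{
    struct root_mount m;

    if (!find_root_mount(table, &m))
        return -1;
    return strcmp(m.fstype, "rootfs") == 0;
}

/* Stand-alone use: inspect the live table and print an actionable hint. */
int main(void)
{
    static char table[1 << 16];   /* 64 KiB holds a typical host's table */
    FILE *f = fopen("/proc/self/mountinfo", "r");
    size_t n;
    int rc;

    if (f == NULL) {
        perror("/proc/self/mountinfo");
        return 1;
    }
    n = fread(table, 1, sizeof(table) - 1, f);
    fclose(f);
    table[n] = '\0';

    rc = root_is_initramfs_rootfs(table);
    if (rc == 1)
        puts("/ is the initramfs rootfs: it cannot be bind-mounted, so pivot_root "
             "will fail. Move the root onto a real tmpfs (switch_root) first.");
    else if (rc == 0)
        puts("/ is an ordinary mount; rootfs is not what blocks pivot_root here.");
    else
        puts("could not find a mountinfo entry for /");
    return 0;
}
```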
Re: [lxc-devel] [PATCH 1/1] parse.c: don't print error message on callback rv > 0
On Fri, Oct 18, 2013 at 10:33:32AM -0500, Serge Hallyn wrote:
> A callback return value < 0 means there was an error, so print
> out an error message. But a rv > 0 is used by the mount_unknown_fs
> functions to say "we found the one we want, stop here."
>
> Document this, and only print an error message if rv < 0. Otherwise,
>
> lxc-create -B lvm --fstype ext3 -t ubuntu -n u1
>
> will print an (innocuous) error message about being unable to parse
> the config value 'ext3'.
>
> Signed-off-by: Serge Hallyn

Acked-by: Stéphane Graber

> --- > src/lxc/parse.c | 5 - > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/src/lxc/parse.c b/src/lxc/parse.c > index 5fca79e..dcf5cf0 100644 > --- a/src/lxc/parse.c > +++ b/src/lxc/parse.c
> @@ -102,7 +102,10 @@ int lxc_file_for_each_line(const char *file, lxc_file_cb > callback, void *data) > while (getline(&line, &len, f) != -1) { > err = callback(line, data); > if (err) { > - ERROR("Failed to parse config: %s", line); > + // callback rv > 0 means stop here > + // callback rv < 0 means error > + if (err < 0) > + ERROR("Failed to parse config: %s", line); > break; > } > } > -- > 1.8.3.2

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [lxc-devel] [PATCH 1/1] lxc-test-ubuntu: improve apparmor policy test
On Fri, Oct 18, 2013 at 10:43:24AM -0500, Serge Hallyn wrote:
> Also allow the standard non-nested apparmor policy.
>
> Signed-off-by: Serge Hallyn

Acked-by: Stéphane Graber

> --- > src/tests/lxc-test-ubuntu | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/tests/lxc-test-ubuntu b/src/tests/lxc-test-ubuntu > index c6573c1..7fa1c89 100755 > --- a/src/tests/lxc-test-ubuntu > +++ b/src/tests/lxc-test-ubuntu > @@ -68,7 +68,7 @@ for template in ubuntu ubuntu-cloud; do > # Check apparmor > lxcpid=`lxc-info -n $name -p | awk -F: '{ print $2 }' | awk '{ print > $1}'` > aa=`cat /proc/$lxcpid/attr/current` > - if [ "$aa" != "lxc-container-default-with-nesting (enforce)" ]; then > + if [ "$aa" != "lxc-container-default-with-nesting (enforce)" -a "$aa" > != "lxc-container-default (enforce)" ]; then > FAIL " to correctly set apparmor profile (profile is \"$aa\")" > fi > lxc-stop -n $name > -- > 1.8.3.2

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
Re: [lxc-devel] [PATCH v2 2/2] support setting lsm label at exec or immediately
Quoting Dwight Engen (dwight.en...@oracle.com):
> diff --git a/src/lxc/start.c b/src/lxc/start.c > index 7538403..2bf417e 100644 > --- a/src/lxc/start.c > +++ b/src/lxc/start.c > @@ -556,14 +556,10 @@ static int do_start(void *data) > if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP)) > return -1; > > - /* XXX: hmm apparmor switches right away since it uses > - * aa_change_profile() and not aa_change_onexec(). SELinux on the other > - * hand is going to transition on exec(). Is it bad to run the stuff > - * between here and exec() in the more privileged context? > - */ > + /* Set the label to change to when we exec(2) the container's init */ > if (lsm_process_label_set(handler->conf->lsm_aa_profile ? > handler->conf->lsm_aa_profile : > - handler->conf->lsm_se_context, 1) < 0) > + handler->conf->lsm_se_context, 1, 1) < 0) > goto out_warn_father; > lsm_proc_unmount(handler->conf);

Hi,

This isn't urgent, but it is an issue I noticed yesterday (in your
original patch, not in this patch). The original behavior for apparmor
was that if aa_profile was not specified, then the default would be used.
With this here, if someone leaves lxc.aa_profile unset to get the default,
has lxc.se_context set, and starts the container on an apparmor system,
then the startup will fail bc it will try to set the se_context as the
aa_profile.

I guess the simplest way to fix this would be to check drv here and pass
in the right context based on which drv is enabled?

-serge
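Review bot: the deleted XXX comment recorded a real question (everything between this point and exec() runs in the more privileged context) and the hunk answers it in the wrong direction for AppArmor: with the new `on_exec` argument set to 1, AppArmor now also defers the transition to exec(2), so `lsm_proc_unmount(handler->conf)` and whatever else runs before exec executes unconfined where it previously ran under the container profile. If that widening is intended, the replacement comment and the commit message should say so and list what still runs before exec, so the change can be reviewed as a deliberate trade-off rather than a silent removal of the note.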
Re: [lxc-devel] [PATCH v2 2/2] support setting lsm label at exec or immediately
Quoting Dwight Engen (dwight.en...@oracle.com): > - Add attach test cases > > - Moved setting of LSM label later to avoid failure of IPC between parent > and child during attach > > Signed-off-by: Dwight Engen > --- > v2: detect which lsm to test at runtime vs. compile time > > .gitignore | 1 + > src/lxc/attach.c | 20 ++- > src/lxc/attach_options.h | 5 +- > src/lxc/lsm/apparmor.c | 25 +-- > src/lxc/lsm/lsm.c | 4 +- > src/lxc/lsm/lsm.h | 7 +- > src/lxc/lsm/nop.c | 3 +- > src/lxc/lsm/selinux.c | 22 ++- > src/lxc/lxc_attach.c | 2 +- > src/lxc/start.c| 8 +- > src/python-lxc/lxc.c | 3 +- > src/python-lxc/lxc/__init__.py | 3 +- > src/tests/Makefile.am | 11 +- > src/tests/attach.c | 392 > + > 14 files changed, 463 insertions(+), 43 deletions(-) > create mode 100644 src/tests/attach.c > > diff --git a/.gitignore b/.gitignore > index df8d5e1..b1223cd 100644 > --- a/.gitignore > +++ b/.gitignore > @@ -77,6 +77,7 @@ src/lxc/lxc-user-nic > src/python-lxc/build/ > src/python-lxc/lxc/__pycache__/ > > +src/tests/lxc-test-attach > src/tests/lxc-test-cgpath > src/tests/lxc-test-clonetest > src/tests/lxc-test-concurrent > diff --git a/src/lxc/attach.c b/src/lxc/attach.c > index 37cefb0..aea0c33 100644 > --- a/src/lxc/attach.c > +++ b/src/lxc/attach.c > @@ -918,15 +918,6 @@ int attach_child_main(void* data) > rexit(-1); > } > > - /* load apparmor profile */ > - if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & > LXC_ATTACH_APPARMOR)) { > - ret = lsm_process_label_set(init_ctx->lsm_label, 0); > - if (ret < 0) { > - shutdown(ipc_socket, SHUT_RDWR); > - rexit(-1); > - } > - } > - > /* A description of the purpose of this functionality is >* provided in the lxc-attach(1) manual page. We have to >* remount here and not in the parent process, otherwise 
> @@ -1023,6 +1014,17 @@ int attach_child_main(void* data) > > shutdown(ipc_socket, SHUT_RDWR); > close(ipc_socket); > + > + /* set new apparmor profile/selinux context */ > + if ((options->namespaces & CLONE_NEWNS) && (options->attach_flags & > LXC_ATTACH_LSM)) { > + int on_exec; > + > + on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0; > + ret = lsm_process_label_set(init_ctx->lsm_label, 0, on_exec); > + if (ret < 0) { > + rexit(-1); > + } > + } > lxc_proc_put_context_info(init_ctx); > > /* The following is done after the communication socket is > diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h > index 5291e4f..c8c4d0a 100644 > --- a/src/lxc/attach_options.h > +++ b/src/lxc/attach_options.h > @@ -36,10 +36,11 @@ enum { > LXC_ATTACH_MOVE_TO_CGROUP= 0x0001, > LXC_ATTACH_DROP_CAPABILITIES = 0x0002, > LXC_ATTACH_SET_PERSONALITY = 0x0004, > - LXC_ATTACH_APPARMOR = 0x0008, > + LXC_ATTACH_LSM_EXEC = 0x0008, > > /* the following are off by default */ > LXC_ATTACH_REMOUNT_PROC_SYS = 0x0001, > + LXC_ATTACH_LSM_NOW = 0x0002, > > /* we have 16 bits for things that are on by default >* and 16 bits that are off by default, that should > @@ -49,6 +50,8 @@ enum { > LXC_ATTACH_DEFAULT = 0x > }; > > +#define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC | LXC_ATTACH_LSM_NOW) > + > typedef struct lxc_attach_options_t lxc_attach_options_t; > typedef int (*lxc_attach_exec_t)(void* payload); > > diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c > index 146564f..cf8020d 100644 > --- a/src/lxc/lsm/apparmor.c > +++ b/src/lxc/lsm/apparmor.c 
> @@ -130,13 +130,14 @@ static int apparmor_am_unconfined(void) > * > * @label : the profile to set > * @default : use the default profile if label is NULL > + * @on_exec : the new profile will take effect on exec(2) not immediately > * > * Returns 0 on success, < 0 on failure > * > - * Notes: This relies on /proc being available. The new context > - * will take effect immediately. > + * Notes: This relies on /proc being available. > */ > -static int apparmor_process_label_set(const char *label, int use_default) > +static int apparmor_process_label_set(const char *label, int use_default, > + int on_exec) > { > if (!apparmor_enabled()) > return 0; > @@ -153,15 +154,19 @@ static int apparmor_process_label_set(const char > *label, int use_default) > return 0; > } > > - /* XXX: instant instead of aa_change_onexec(), may be used by attach > - * when usi
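Review bot: in the attach.c hunk that re-adds the label change after `close(ipc_socket)`, `on_exec` is derived only from `LXC_ATTACH_LSM_EXEC`, so a caller who sets both `LXC_ATTACH_LSM_EXEC` and `LXC_ATTACH_LSM_NOW` (which the `LXC_ATTACH_LSM` mask permits) silently gets the exec-time behaviour; either reject that combination where attach options are validated or state in attach_options.h that EXEC takes precedence. Moving the label set past the point where the IPC socket is shut down and closed also means a failed `lsm_process_label_set` can no longer be signalled to the parent over that socket (the removed code did `shutdown(ipc_socket, SHUT_RDWR)` before `rexit(-1)`), so the parent only sees an exit status; a log line before the new `rexit(-1)` would keep the failure diagnosable.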
Re: [lxc-devel] [PATCH 1/2] add lsm op for getting name of enabled lsm
Quoting Dwight Engen (dwight.en...@oracle.com):
> Signed-off-by: Dwight Engen
> --- > src/lxc/lsm/lsm.c | 9 - > src/lxc/lsm/lsm.h | 26 ++ > 2 files changed, 22 insertions(+), 13 deletions(-) > > diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c > index f022de9..508d640 100644 > --- a/src/lxc/lsm/lsm.c > +++ b/src/lxc/lsm/lsm.c > @@ -62,13 +62,20 @@ void lsm_init(void) > INFO("Initialized LSM security driver %s", drv->name); > } > > -int lsm_enabled() > +int lsm_enabled(void) > { > if (drv) > return drv->enabled(); > return 0; > } > > +const char *lsm_name(void) > +{ > + if (drv) > + return drv->name; > + return NULL;

I think it should return "none" here. (I'm not sure your use of the
NULL return in the attach testcase is safe.)
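Review bot: `lsm_name()` returns `drv->name` whenever a driver object exists, independent of `drv->enabled()`, so on a kernel where the compiled-in LSM is not active it reports that driver's name while `lsm_enabled()` in the same hunk returns 0; every caller has to remember to check both, or the function should fall back to the no-driver name when `drv->enabled()` is false. The `lsm_enabled()` prototype fix from `()` to `(void)` is welcome but unrelated to the new op and deserves a mention in the commit message.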
Re: [lxc-devel] [PATCH v2 2/2] support setting lsm label at exec or immediately
Ok, so apart from the two comments I made,

Acked-by: Serge E. Hallyn

Please feel free to just ack/nack my suggestions, and I'll make those in
followup trivial patches and simply apply the patches you've already sent.

thanks,
-serge
[lxc-devel] [lxc/lxc] 6e7e54: Change configure, replacing mandriva by openmandri...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 6e7e54d902c7d8bb791fdc26303908a94c18be1f
https://github.com/lxc/lxc/commit/6e7e54d902c7d8bb791fdc26303908a94c18be1f
Author: Alexander Khryukin
Date: 2013-10-18 (Fri, 18 Oct 2013)

Changed paths:
M configure.ac

Log Message:
---
Change configure, replacing mandriva by openmandriva

The latest Mandriva distro release was in 2011 and nowadays the distro is
named OpenMandriva Lx.

Signed-off-by: Alexander Khryukin
Acked-by: Stéphane Graber
[lxc-devel] [lxc/lxc] 8daccd: parse.c: don't print error message on callback rv ...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 8daccdb4d07d135f65516f095bb63e2bc988f208
https://github.com/lxc/lxc/commit/8daccdb4d07d135f65516f095bb63e2bc988f208
Author: Serge Hallyn
Date: 2013-10-18 (Fri, 18 Oct 2013)

Changed paths:
M src/lxc/parse.c

Log Message:
---
parse.c: don't print error message on callback rv > 0

A callback return value < 0 means there was an error, so print
out an error message. But a rv > 0 is used by the mount_unknown_fs
functions to say "we found the one we want, stop here."

Document this, and only print an error message if rv < 0. Otherwise,

    lxc-create -B lvm --fstype ext3 -t ubuntu -n u1

will print an (innocuous) error message about being unable to parse
the config value 'ext3'.

Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber

Commit: 3ca91fb6f4e648f210096765002404e2d8116c8e
https://github.com/lxc/lxc/commit/3ca91fb6f4e648f210096765002404e2d8116c8e
Author: Serge Hallyn
Date: 2013-10-18 (Fri, 18 Oct 2013)

Changed paths:
M src/tests/lxc-test-ubuntu

Log Message:
---
lxc-test-ubuntu: also allow the standard non-nested apparmor policy

Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber

Compare: https://github.com/lxc/lxc/compare/6e7e54d902c7...3ca91fb6f4e6
[lxc-devel] [PATCH] lxc-start-ephemeral: Fix broken mount logic
This reworks the mount logic for lxc-start-ephemeral to be as follows:
- Any real (non-bind) entry gets copied to the target fstab
- Any bind-mount from a virtual fs gets copied to the target fstab
- Any remaining bind-mount, if confirmed to be valid, gets set up as an overlay.

Extra bind-mounts passed through the -b option are mounted by the pre-mount
script and don't need processing by the fstab generator.

Signed-off-by: Stéphane Graber
---
src/lxc/lxc-start-ephemeral.in | 20 +++- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/src/lxc/lxc-start-ephemeral.in b/src/lxc/lxc-start-ephemeral.in index af8da80..0f0c398 100644 --- a/src/lxc/lxc-start-ephemeral.in +++ b/src/lxc/lxc-start-ephemeral.in
@@ -164,30 +164,32 @@ if orig.get_config_item("lxc.mount"): line.replace(orig.get_config_item("lxc.rootfs"), dest.get_config_item("lxc.rootfs")) -# Skip any line that's not a bind mount fields = line.split() + +# Skip invalid entries if len(fields) < 4: +continue + +# Non-bind mounts are kept as-is +if "bind" not in fields[3]: dest_fd.write("%s\n" % line) continue -if fields[2] != "bind" and "bind" not in fields[3]: +# Bind mounts of virtual filesystems are also kept as-is +src_path = fields[0].split("/") +if len(src_path) > 1 and src_path[1] in ("proc", "sys"): dest_fd.write("%s\n" % line) continue -# Process any remaining line +# Skip invalid mount points dest_mount = os.path.abspath(os.path.join("%s/rootfs/" % ( dest_path), fields[1])) -if dest_mount == os.path.abspath("%s/rootfs/%s" % ( - dest_path, args.bdir)): - -dest_fd.write("%s\n" % line) -continue - if "%s/rootfs/" % dest_path not in dest_mount: print(_("Skipping mount entry '%s' as it's outside " "of the container rootfs.") % line) +# Setup an overlay for anything remaining overlay_dirs += [(fields[0], dest_mount)] # Generate pre-mount script
--
1.8.3.2
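Review bot: the containment check near the end of the hunk prints "Skipping mount entry ... outside of the container rootfs" but has no `continue`, so control falls through to `overlay_dirs += [(fields[0], dest_mount)]` and an overlay is still set up at a mount point outside the container's rootfs, which is exactly what the message says is being prevented; add `continue` after the `print`. The check is also a substring test (`"%s/rootfs/" % dest_path not in dest_mount`) rather than a prefix test: after `os.path.abspath` the intent is `dest_mount.startswith(dest_path + "/rootfs/")`, which cannot be satisfied by the rootfs string merely appearing later in the resolved path.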
Re: [lxc-devel] [PATCH 1/2] add lsm op for getting name of enabled lsm
On Fri, 18 Oct 2013 11:19:20 -0500 Serge Hallyn wrote:
> Quoting Dwight Engen (dwight.en...@oracle.com):
> > Signed-off-by: Dwight Engen
> > --- > > src/lxc/lsm/lsm.c | 9 - > > src/lxc/lsm/lsm.h | 26 ++ > > 2 files changed, 22 insertions(+), 13 deletions(-) > > > > diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c > > index f022de9..508d640 100644 > > --- a/src/lxc/lsm/lsm.c > > +++ b/src/lxc/lsm/lsm.c > > @@ -62,13 +62,20 @@ void lsm_init(void) > > INFO("Initialized LSM security driver %s", drv->name); > > } > > > > -int lsm_enabled() > > +int lsm_enabled(void) > > { > > if (drv) > > return drv->enabled(); > > return 0; > > } > > > > +const char *lsm_name(void) > > +{ > > + if (drv) > > + return drv->name; > > + return NULL;
>
> I think it should return "none" here. (I'm not sure your use of the
> NULL return in the attach testcase is safe.)

I'm fine with "none" or "nop". I think the attach testcase is safe because
it won't use the name unless lsm_enabled() is true, which it won't be if
the driver is nop or there is no driver.
[lxc-devel] [PATCH v2 1/2] add lsm op for getting name of enabled lsm
Signed-off-by: Dwight Engen
---
v2: return "none" when there is no lsm driver

src/lxc/lsm/lsm.c | 9 - src/lxc/lsm/lsm.h | 26 ++ 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c index f022de9..066102b 100644 --- a/src/lxc/lsm/lsm.c +++ b/src/lxc/lsm/lsm.c @@ -62,13 +62,20 @@ void lsm_init(void) INFO("Initialized LSM security driver %s", drv->name); } -int lsm_enabled() +int lsm_enabled(void) { if (drv) return drv->enabled(); return 0; } +const char *lsm_name(void) +{ + if (drv) + return drv->name; + return "none"; +} + char *lsm_process_label_get(pid_t pid) { if (!drv) { diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h index ee093da..621e1af 100644 --- a/src/lxc/lsm/lsm.h +++ b/src/lxc/lsm/lsm.h
@@ -37,19 +37,21 @@ struct lsm_drv { }; #if HAVE_APPARMOR || HAVE_SELINUX -void lsm_init(void); -int lsm_enabled(void); -char *lsm_process_label_get(pid_t pid); -int lsm_process_label_set(const char *label, int use_default); -int lsm_proc_mount(struct lxc_conf *lxc_conf); -void lsm_proc_unmount(struct lxc_conf *lxc_conf); +voidlsm_init(void); +int lsm_enabled(void); +const char *lsm_name(void); +char *lsm_process_label_get(pid_t pid); +int lsm_process_label_set(const char *label, int use_default); +int lsm_proc_mount(struct lxc_conf *lxc_conf); +voidlsm_proc_unmount(struct lxc_conf *lxc_conf); #else -static inline void lsm_init(void) { } -static inline int lsm_enabled(void) { return 0; } -static inline char *lsm_process_label_get(pid_t pid) { return NULL; } -static inline int lsm_process_label_set(char *label, int use_default) { return 0; } -static inline int lsm_proc_mount(struct lxc_conf *lxc_conf) { return 0; } -static inline void lsm_proc_unmount(struct lxc_conf *lxc_conf) { } +static inline voidlsm_init(void) { } +static inline int lsm_enabled(void) { return 0; } +static inline const char *lsm_name(void) { return "none"; } +static inline char *lsm_process_label_get(pid_t pid) { return NULL; } +static inline int lsm_process_label_set(char *label, int use_default) { return 0; } +static inline int lsm_proc_mount(struct lxc_conf *lxc_conf) { return 0; } +static inline voidlsm_proc_unmount(struct lxc_conf *lxc_conf) { } #endif #endif -- 1.8.3.1
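Review bot: lsm_name() in the lsm.c hunk returns whatever name the loaded driver carries, so on a build where the nop driver is the one loaded it returns that driver's name and not "none"; a caller that tests `!strcmp(lsm_name(), "none")` to mean "no confinement" would miss that case. Keep lsm_enabled() as the gate for whether a label will actually be applied (as the attach test does) and treat lsm_name() as informational, or have the nop driver report "none" too so both no-LSM cases look the same to callers.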
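Review bot: in the lsm.h hunk the `#else` stubs still disagree with the real prototypes: `static inline int lsm_process_label_set(char *label, int use_default) { return 0; }` drops the `const` that the `HAVE_APPARMOR || HAVE_SELINUX` declaration has, and since the stubs are only compiled when neither LSM is configured, a caller passing a `const char *` will only fail on that build configuration. Align the stub with the prototype (`const char *label`) while this hunk is already touching every line of the block.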
[lxc-devel] [PATCH] use proper config item depending on which lsm is enabled
On a system with AppArmor enabled, if lxc.se_context is configured but lxc.aa_profile is not (because the user just wants to use the default AppArmor profile) lxc was passing the lxc.se_context to be set as the new AppArmor profile. Determine which configuration item to use based on which lsm is enabled. Signed-off-by: Dwight Engen --- src/lxc/start.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/lxc/start.c b/src/lxc/start.c index 2bf417e..e46f3a0 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -488,6 +488,7 @@ static int must_drop_cap_sys_boot(struct lxc_conf *conf) static int do_start(void *data) { struct lxc_handler *handler = data; + const char *lsm_label = NULL; if (sigprocmask(SIG_SETMASK, &handler->oldmask, NULL)) { SYSERROR("failed to set sigprocmask"); @@ -557,9 +558,11 @@ static int do_start(void *data) return -1; /* Set the label to change to when we exec(2) the container's init */ - if (lsm_process_label_set(handler->conf->lsm_aa_profile ? - handler->conf->lsm_aa_profile : - handler->conf->lsm_se_context, 1, 1) < 0) + if (!strcmp(lsm_name(), "AppArmor")) + lsm_label = handler->conf->lsm_aa_profile; + else if (!strcmp(lsm_name(), "SELinux")) + lsm_label = handler->conf->lsm_se_context; + if (lsm_process_label_set(lsm_label, 1, 1) < 0) goto out_warn_father; lsm_proc_unmount(handler->conf); -- 1.8.3.1
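Review bot: after this change `lsm_label` stays NULL whenever lsm_name() is neither "AppArmor" nor "SELinux", and `lsm_process_label_set(lsm_label, 1, 1)` is then called with a NULL label on every start; before the patch the argument was non-NULL whenever either config item was set, so please confirm the no-driver path and both drivers accept NULL together with use_default. Matching on the driver's display string also ties start.c to the exact spelling used in apparmor.c and selinux.c; a per-driver callback, or a field in struct lsm_drv naming which config item it consumes, would let each driver pick its own label and remove the strcmp chain.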
Re: [lxc-devel] [PATCH v2 2/2] support setting lsm label at exec or immediately
On Fri, 18 Oct 2013 11:18:17 -0500 Serge Hallyn wrote: > Quoting Dwight Engen (dwight.en...@oracle.com): > > - Add attach test cases > > > > - Moved setting of LSM label later to avoid failure of IPC between > > parent and child during attach > > > > Signed-off-by: Dwight Engen > > --- > > v2: detect which lsm to test at runtime vs. compile time > > > > .gitignore | 1 + > > src/lxc/attach.c | 20 ++- > > src/lxc/attach_options.h | 5 +- > > src/lxc/lsm/apparmor.c | 25 +-- > > src/lxc/lsm/lsm.c | 4 +- > > src/lxc/lsm/lsm.h | 7 +- > > src/lxc/lsm/nop.c | 3 +- > > src/lxc/lsm/selinux.c | 22 ++- > > src/lxc/lxc_attach.c | 2 +- > > src/lxc/start.c| 8 +- > > src/python-lxc/lxc.c | 3 +- > > src/python-lxc/lxc/__init__.py | 3 +- > > src/tests/Makefile.am | 11 +- > > src/tests/attach.c | 392 > > + 14 files changed, 463 > > insertions(+), 43 deletions(-) create mode 100644 src/tests/attach.c > > > > diff --git a/.gitignore b/.gitignore > > index df8d5e1..b1223cd 100644 > > --- a/.gitignore > > +++ b/.gitignore > > @@ -77,6 +77,7 @@ src/lxc/lxc-user-nic > > src/python-lxc/build/ > > src/python-lxc/lxc/__pycache__/ > > > > +src/tests/lxc-test-attach > > src/tests/lxc-test-cgpath > > src/tests/lxc-test-clonetest > > src/tests/lxc-test-concurrent > > diff --git a/src/lxc/attach.c b/src/lxc/attach.c > > index 37cefb0..aea0c33 100644 > > --- a/src/lxc/attach.c > > +++ b/src/lxc/attach.c > > @@ -918,15 +918,6 @@ int attach_child_main(void* data) > > rexit(-1); > > } > > > > - /* load apparmor profile */ > > - if ((options->namespaces & CLONE_NEWNS) && > > (options->attach_flags & LXC_ATTACH_APPARMOR)) { > > - ret = lsm_process_label_set(init_ctx->lsm_label, > > 0); > > - if (ret < 0) { > > - shutdown(ipc_socket, SHUT_RDWR); > > - rexit(-1); > > - } > > - } > > - > > /* A description of the purpose of this functionality is > > * provided in the lxc-attach(1) manual page. We have to > > * remount here and not in the parent process, otherwise 
> > @@ -1023,6 +1014,17 @@ int attach_child_main(void* data) > > > > shutdown(ipc_socket, SHUT_RDWR); > > close(ipc_socket); > > + > > + /* set new apparmor profile/selinux context */ > > + if ((options->namespaces & CLONE_NEWNS) && > > (options->attach_flags & LXC_ATTACH_LSM)) { > > + int on_exec; > > + > > + on_exec = options->attach_flags & > > LXC_ATTACH_LSM_EXEC ? 1 : 0; > > + ret = lsm_process_label_set(init_ctx->lsm_label, > > 0, on_exec); > > + if (ret < 0) { > > + rexit(-1); > > + } > > + } > > lxc_proc_put_context_info(init_ctx); > > > > /* The following is done after the communication socket is > > diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h > > index 5291e4f..c8c4d0a 100644 > > --- a/src/lxc/attach_options.h > > +++ b/src/lxc/attach_options.h > > @@ -36,10 +36,11 @@ enum { > > LXC_ATTACH_MOVE_TO_CGROUP= 0x0001, > > LXC_ATTACH_DROP_CAPABILITIES = 0x0002, > > LXC_ATTACH_SET_PERSONALITY = 0x0004, > > - LXC_ATTACH_APPARMOR = 0x0008, > > + LXC_ATTACH_LSM_EXEC = 0x0008, > > > > /* the following are off by default */ > > LXC_ATTACH_REMOUNT_PROC_SYS = 0x0001, > > + LXC_ATTACH_LSM_NOW = 0x0002, > > > > /* we have 16 bits for things that are on by default > > * and 16 bits that are off by default, that should > > @@ -49,6 +50,8 @@ enum { > > LXC_ATTACH_DEFAULT = 0x > > }; > > > > +#define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC | LXC_ATTACH_LSM_NOW) > > + > > typedef struct lxc_attach_options_t lxc_attach_options_t; > > typedef int (*lxc_attach_exec_t)(void* payload); > > > > diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c > > index 146564f..cf8020d 100644 > > --- a/src/lxc/lsm/apparmor.c > > +++ b/src/lxc/lsm/apparmor.c 
> > @@ -130,13 +130,14 @@ static int apparmor_am_unconfined(void) > > * > > * @label : the profile to set > > * @default : use the default profile if label is NULL > > + * @on_exec : the new profile will take effect on exec(2) not > > immediately * > > * Returns 0 on success, < 0 on failure > > * > > - * Notes: This relies on /proc being available. The new context > > - * will take effect immediately. > > + * Notes: This relies on /proc being available. > > */ > > -static int apparmor_process_label_set(const char *label, int > > use_default) +static int apparmor_process_label_set(const char > > *label, int use_default, > > + int on_exec) > > { > > if (!apparmor_enabled()) > > return 0; >
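Review bot: in the second attach.c hunk the label is now applied after `shutdown(ipc_socket, SHUT_RDWR);` and `close(ipc_socket);`, so a failing lsm_process_label_set() can only signal through rexit(-1) and the parent no longer receives a reason over the socket; log the error together with the label that was being set before rexit, otherwise an attach that lost its confinement is hard to diagnose. The whole block is also still gated on `options->namespaces & CLONE_NEWNS`, so an attach that does not enter the mount namespace never receives the container's label and nothing warns about it; if that is intended, the lxc-attach(1) text the comment refers to should say so.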
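Review bot: attach_options.h lets LXC_ATTACH_LSM_EXEC and LXC_ATTACH_LSM_NOW be set together (LXC_ATTACH_LSM is their OR), and attach.c resolves that with `on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? 1 : 0`, so EXEC silently wins. Either document that precedence next to the enum or reject the combination in lxc_attach(), so a caller asking for an immediate switch cannot end up with a delayed one.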
Re: [lxc-devel] [PATCH v2 2/2] support setting lsm label at exec or immediately
On Fri, 18 Oct 2013 11:14:07 -0500 Serge Hallyn wrote: > Quoting Dwight Engen (dwight.en...@oracle.com): > > diff --git a/src/lxc/start.c b/src/lxc/start.c > > index 7538403..2bf417e 100644 > > --- a/src/lxc/start.c > > +++ b/src/lxc/start.c 
> > @@ -556,14 +556,10 @@ static int do_start(void *data) > > if (lxc_sync_barrier_parent(handler, LXC_SYNC_CGROUP)) > > return -1; > > > > - /* XXX: hmm apparmor switches right away since it uses > > -* aa_change_profile() and not aa_change_onexec(). SELinux > > on the other > > -* hand is going to transition on exec(). Is it bad to run > > the stuff > > -* between here and exec() in the more privileged context? > > -*/ > > + /* Set the label to change to when we exec(2) the > > container's init */ if > > (lsm_process_label_set(handler->conf->lsm_aa_profile ? > > handler->conf->lsm_aa_profile : > > - handler->conf->lsm_se_context, > > 1) < 0) > > + handler->conf->lsm_se_context, > > 1, 1) < 0) goto out_warn_father; > > lsm_proc_unmount(handler->conf); > > Hi, > > This isn't urgent, but it is an issue I noticed yesterday (in your > original patch, not in this patch). The original behavior for > apparmor was that if aa_profile was not specified, then the default > would be used. With this here, if someone leaves lxc.aa_profile > unset to get the default, has lxc.se_context set, and starts the > container on an apparmor system, then the startup will fail bc it > will try to set the se_context as the aa_profile. Yeah, I had not considered having both on at the same time, nor have se_context set on an AppArmor system. > I guess the simplest way to fix this would be to check drv here and > pass in the right context based on which drv is enabled? Yep, following is a patch to do that on top of the lsm_name() thing. > -serge
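Review bot: the start.c hunk removes the XXX comment asking whether it is bad to run the code between here and exec() in the more privileged context, and answers it implicitly by passing on_exec=1 for both drivers, so the remaining setup before exec now runs without the container's profile under AppArmor as well as under SELinux. That is a deliberate change in when confinement begins and belongs in the commit message, not only in the replaced comment.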
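The failure mode discussed in this exchange, as an added example in Python that is not lxc's own code: it detects the active LSM from the kernel markers lxc's drivers look at (assumption for this example: /sys/module/apparmor/parameters/enabled reading "Y" for AppArmor, a mounted selinuxfs at /sys/fs/selinux for SELinux), then selects the config item that belongs to that LSM, next to the pre-fix selection that fell through to lxc.se_context whenever lxc.aa_profile was unset. The `sysroot` parameter, `fake_sysroot()` and the two configs are constructed here so the logic can run against a fake tree.

```python
import os
import tempfile

# Constructed container configs (assumption: the two keys mirror the
# lxc.aa_profile / lxc.se_context items the start.c patch reads).
CONF_BOTH_SET = {"lxc.aa_profile": "lxc-container-default",
                 "lxc.se_context": "system_u:system_r:lxc_t:s0"}
CONF_ONLY_SE = {"lxc.se_context": "system_u:system_r:lxc_t:s0"}


def detect_lsm(sysroot="/"):
    """Return "AppArmor", "SELinux" or "none" from the kernel markers.
    sysroot is an example-only parameter so a fake tree can be used."""
    aa_enabled = os.path.join(sysroot, "sys/module/apparmor/parameters/enabled")
    try:
        with open(aa_enabled) as f:
            if f.read(1) == "Y":
                return "AppArmor"
    except OSError:
        pass
    # selinuxfs is mounted at /sys/fs/selinux when SELinux is active.
    if os.path.exists(os.path.join(sysroot, "sys/fs/selinux/enforce")):
        return "SELinux"
    return "none"


def pick_label_before_fix(conf):
    """The pre-patch selection: whichever item is set, regardless of LSM."""
    return conf.get("lxc.aa_profile") or conf.get("lxc.se_context")


def pick_label(lsm, conf):
    """Only hand a driver the config item written for it; None means
    "use the driver default", as use_default=1 does in lsm_process_label_set."""
    if lsm == "AppArmor":
        return conf.get("lxc.aa_profile")
    if lsm == "SELinux":
        return conf.get("lxc.se_context")
    return None


def label_for_start(conf, sysroot="/"):
    lsm = detect_lsm(sysroot)
    return lsm, pick_label(lsm, conf)


def fake_sysroot(lsm):
    """Constructed sysfs tree standing in for a host with the given LSM."""
    root = tempfile.mkdtemp()
    if lsm == "AppArmor":
        d = os.path.join(root, "sys/module/apparmor/parameters")
        os.makedirs(d)
        with open(os.path.join(d, "enabled"), "w") as f:
            f.write("Y\n")
    elif lsm == "SELinux":
        d = os.path.join(root, "sys/fs/selinux")
        os.makedirs(d)
        open(os.path.join(d, "enforce"), "w").close()
    return root


if __name__ == "__main__":
    for host in ("AppArmor", "SELinux", "none"):
        root = fake_sysroot(host)
        print(host, "before:", pick_label_before_fix(CONF_ONLY_SE),
              "after:", label_for_start(CONF_ONLY_SE, root))
```

With only lxc.se_context set, the pre-fix selection returns the SELinux context on an AppArmor host, which is what the start failure in this thread came from; the LSM-aware selection returns None there so the AppArmor driver falls back to its default profile.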
Re: [lxc-devel] [PATCH] lxc-start-ephemeral: Fix broken mount logic
Quoting Stéphane Graber (stgra...@ubuntu.com): > This reworks the mount logic for lxc-start-ephemeral to be as follow: > - Any real (non-bind) entry gets copied to the target fstab > - Any bind-mount from a virtual fs gets copied to the target fstab > - Any remaining bind-mount if confirmed to be valid gets setup as an >overlay. > > Extra bind-mounts passed through the -b option are mounted by the > pre-mount script and don't need processing by the fstab generator. > > Signed-off-by: Stéphane Graber Acked-by: Serge E. Hallyn > --- > src/lxc/lxc-start-ephemeral.in | 20 +++- > 1 file changed, 11 insertions(+), 9 deletions(-) > > diff --git a/src/lxc/lxc-start-ephemeral.in b/src/lxc/lxc-start-ephemeral.in > index af8da80..0f0c398 100644 > --- a/src/lxc/lxc-start-ephemeral.in > +++ b/src/lxc/lxc-start-ephemeral.in 
> @@ -164,30 +164,32 @@ if orig.get_config_item("lxc.mount"): > line.replace(orig.get_config_item("lxc.rootfs"), > dest.get_config_item("lxc.rootfs")) > > -# Skip any line that's not a bind mount > fields = line.split() > + > +# Skip invalid entries > if len(fields) < 4: > +continue > + > +# Non-bind mounts are kept as-is > +if "bind" not in fields[3]: > dest_fd.write("%s\n" % line) > continue > > -if fields[2] != "bind" and "bind" not in fields[3]: > +# Bind mounts of virtual filesystems are also kept as-is > +src_path = fields[0].split("/") > +if len(src_path) > 1 and src_path[1] in ("proc", "sys"): > dest_fd.write("%s\n" % line) > continue > > -# Process any remaining line > +# Skip invalid mount points > dest_mount = os.path.abspath(os.path.join("%s/rootfs/" % ( > dest_path), fields[1])) > > -if dest_mount == os.path.abspath("%s/rootfs/%s" % ( > - dest_path, args.bdir)): > - > -dest_fd.write("%s\n" % line) > -continue > - > if "%s/rootfs/" % dest_path not in dest_mount: > print(_("Skipping mount entry '%s' as it's outside " > "of the container rootfs.") % line) > > +# Setup an overlay for anything remaining > overlay_dirs += [(fields[0], dest_mount)] > > # Generate pre-mount script > -- > 1.8.3.2
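Review bot: the "Skipping mount entry" branch in this hunk prints that the entry is skipped but has no `continue`, so control falls through to `overlay_dirs += [(fields[0], dest_mount)]` and an entry whose target was just judged to be outside the rootfs is still set up as an overlay; add `continue` after the print. The containment test is also weaker than it reads: `os.path.join("%s/rootfs/" % (dest_path), fields[1])` discards the rootfs prefix entirely when fields[1] is an absolute path, and `"%s/rootfs/" % dest_path not in dest_mount` is a substring test rather than a prefix test. Strip the leading "/" from fields[1] before joining and compare the normalized result with a real prefix check (os.path.commonpath, or startswith on the normalized rootfs path).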
[lxc-devel] [lxc/lxc] 01dae5: lxc-start-ephemeral: Fix broken mount logic
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 01dae5c455f77fe11c5902f899885eddecd84514 https://github.com/lxc/lxc/commit/01dae5c455f77fe11c5902f899885eddecd84514 Author: Stéphane Graber Date: 2013-10-18 (Fri, 18 Oct 2013) Changed paths: M src/lxc/lxc-start-ephemeral.in Log Message: --- lxc-start-ephemeral: Fix broken mount logic This reworks the mount logic for lxc-start-ephemeral to be as follow: - Any real (non-bind) entry gets copied to the target fstab - Any bind-mount from a virtual fs gets copied to the target fstab - Any remaining bind-mount if confirmed to be valid gets setup as an overlay. Extra bind-mounts passed through the -b option are mounted by the pre-mount script and don't need processing by the fstab generator. Signed-off-by: Stéphane Graber Signed-off-by: Serge Hallyn
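The three-way classification the commit message describes (real entries copied, bind mounts from a virtual fs copied, remaining bind mounts turned into overlays once their target is confirmed to lie inside the rootfs), as an added example in Python that is not lxc-start-ephemeral's own code. It goes one step beyond the patch by anchoring absolute in-container mount points under the rootfs before the containment check and by using a true path-prefix test, so a target of `../../../etc/passwd` or an absolute path cannot escape the clone's rootfs. The fstab text and the paths /var/lib/lxc/orig and /var/lib/lxc/eph are constructed for this example.

```python
import os

# Constructed lxc.mount fstab for the original container. Entry kinds, in
# order: two real mounts, a bind from a virtual fs, two ordinary binds (one
# with a relative target, one absolute), a traversal attempt, a short line.
SAMPLE_FSTAB = """\
proc /var/lib/lxc/orig/rootfs/proc proc nodev,noexec,nosuid 0 0
sysfs /var/lib/lxc/orig/rootfs/sys sysfs defaults 0 0
/sys/fs/cgroup cgroup none bind 0 0
/home/alice home none bind 0 0
/srv/data /srv/data none rw,bind 0 0
/etc/passwd ../../../etc/passwd none bind 0 0
broken line
"""

BIND_OPTS = {"bind", "rbind"}


def classify_fstab(fstab_text, orig_rootfs, dest_path):
    """Split fstab entries into (kept_lines, overlay_dirs, skipped_lines).

    kept_lines go verbatim into the clone's fstab (with the rootfs path
    rewritten); overlay_dirs are (source, mount_point) pairs for the
    pre-mount script; skipped_lines are malformed or escape the rootfs.
    """
    dest_rootfs = os.path.normpath(os.path.join(dest_path, "rootfs"))
    kept, overlays, skipped = [], [], []

    for line in fstab_text.splitlines():
        line = line.replace(orig_rootfs, dest_rootfs)
        fields = line.split()
        if len(fields) < 4:
            skipped.append(line)
            continue
        src, mnt, _fstype, opts = fields[:4]

        # Real (non-bind) entries are copied as-is.
        if not BIND_OPTS & set(opts.split(",")):
            kept.append(line)
            continue

        # Bind mounts sourced from a virtual filesystem are copied as-is.
        top = src.split("/")
        if len(top) > 1 and top[1] in ("proc", "sys"):
            kept.append(line)
            continue

        # Everything else becomes an overlay, but only if the mount point
        # resolves inside the clone's rootfs. Strip the leading "/" first:
        # os.path.join drops every component before an absolute one, which
        # would silently replace the rootfs prefix with the bare path.
        dest_mount = os.path.normpath(os.path.join(dest_rootfs, mnt.lstrip("/")))
        if os.path.commonpath([dest_rootfs, dest_mount]) != dest_rootfs:
            skipped.append(line)
            continue
        overlays.append((src, dest_mount))

    return kept, overlays, skipped


if __name__ == "__main__":
    kept, overlays, skipped = classify_fstab(
        SAMPLE_FSTAB, "/var/lib/lxc/orig/rootfs", "/var/lib/lxc/eph")
    print("kept:", *kept, sep="\n  ")
    print("overlays:", *overlays, sep="\n  ")
    print("skipped:", *skipped, sep="\n  ")
```

Run against the sample, the two real mounts and the cgroup bind are copied, the two ordinary binds become overlays under /var/lib/lxc/eph/rootfs, and the traversal entry and the short line are dropped rather than falling through to the overlay list.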
Re: [lxc-devel] [PATCH v2 1/2] add lsm op for getting name of enabled lsm
Quoting Dwight Engen (dwight.en...@oracle.com): > Signed-off-by: Dwight Engen Thanks. (You're probably right about it having been safe anyway, but this is more comfortable :) Acked-by: Serge E. Hallyn > --- > v2: return "none" when there is no lsm driver > > src/lxc/lsm/lsm.c | 9 - > src/lxc/lsm/lsm.h | 26 ++ > 2 files changed, 22 insertions(+), 13 deletions(-) > > diff --git a/src/lxc/lsm/lsm.c b/src/lxc/lsm/lsm.c > index f022de9..066102b 100644 > --- a/src/lxc/lsm/lsm.c > +++ b/src/lxc/lsm/lsm.c > @@ -62,13 +62,20 @@ void lsm_init(void) > INFO("Initialized LSM security driver %s", drv->name); > } > > -int lsm_enabled() > +int lsm_enabled(void) > { > if (drv) > return drv->enabled(); > return 0; > } > > +const char *lsm_name(void) > +{ > + if (drv) > + return drv->name; > + return "none"; > +} > + > char *lsm_process_label_get(pid_t pid) > { > if (!drv) { > diff --git a/src/lxc/lsm/lsm.h b/src/lxc/lsm/lsm.h > index ee093da..621e1af 100644 > --- a/src/lxc/lsm/lsm.h > +++ b/src/lxc/lsm/lsm.h 
> @@ -37,19 +37,21 @@ struct lsm_drv { > }; > > #if HAVE_APPARMOR || HAVE_SELINUX > -void lsm_init(void); > -int lsm_enabled(void); > -char *lsm_process_label_get(pid_t pid); > -int lsm_process_label_set(const char *label, int use_default); > -int lsm_proc_mount(struct lxc_conf *lxc_conf); > -void lsm_proc_unmount(struct lxc_conf *lxc_conf); > +voidlsm_init(void); > +int lsm_enabled(void); > +const char *lsm_name(void); > +char *lsm_process_label_get(pid_t pid); > +int lsm_process_label_set(const char *label, int use_default); > +int lsm_proc_mount(struct lxc_conf *lxc_conf); > +voidlsm_proc_unmount(struct lxc_conf *lxc_conf); > #else > -static inline void lsm_init(void) { } > -static inline int lsm_enabled(void) { return 0; } > -static inline char *lsm_process_label_get(pid_t pid) { return NULL; } > -static inline int lsm_process_label_set(char *label, int use_default) { > return 0; } > -static inline int lsm_proc_mount(struct lxc_conf *lxc_conf) { return 0; } > -static inline void lsm_proc_unmount(struct lxc_conf *lxc_conf) { } > +static inline voidlsm_init(void) { } > +static inline int lsm_enabled(void) { return 0; } > +static inline const char *lsm_name(void) { return "none"; } > +static inline char *lsm_process_label_get(pid_t pid) { return NULL; } > +static inline int lsm_process_label_set(char *label, int > use_default) { return 0; } > +static inline int lsm_proc_mount(struct lxc_conf *lxc_conf) { return > 0; } > +static inline voidlsm_proc_unmount(struct lxc_conf *lxc_conf) { } > #endif > > #endif > -- > 1.8.3.1
Re: [lxc-devel] [PATCH] lxc-alpine: enable loopback interface by default
On Wed, Oct 16, 2013 at 02:55:31PM +0200, Natanael Copa wrote: > It was probably disabled by a mistake > > Signed-off-by: Natanael Copa Acked-by: Stéphane Graber > --- > templates/lxc-alpine.in | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in > index 05aec74..5fdf36f 100644 > --- a/templates/lxc-alpine.in > +++ b/templates/lxc-alpine.in > @@ -110,9 +110,8 @@ EOF > grep nameserver /etc/resolv.conf > "$rootfs/etc/resolv.conf" > > # configure the network using the dhcp > -# note that lxc will set up lo interface > cat < $rootfs/etc/network/interfaces > -#auto lo > +auto lo > iface lo inet loopback > > auto eth0 > -- > 1.8.4 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
[lxc-devel] [lxc/lxc] 3d460a: lxc-alpine: enable loopback interface by default
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 3d460a3856376a043b3fa9addee50f89d21fa747 https://github.com/lxc/lxc/commit/3d460a3856376a043b3fa9addee50f89d21fa747 Author: Natanael Copa Date: 2013-10-18 (Fri, 18 Oct 2013) Changed paths: M templates/lxc-alpine.in Log Message: --- lxc-alpine: enable loopback interface by default It was probably disabled by a mistake Signed-off-by: Natanael Copa Acked-by: Stéphane Graber
Re: [lxc-devel] lxc: Use Jessie and http.debian.net by default in Jessie/Sid?
On Sun, Oct 13, 2013 at 11:04:27AM +0200, Petter Reinholdtsen wrote: > Hi. The Debian maintainer of lxc suggested I contacted this mailing > list, so here is my initial try. :) > > Please check out the patch proposal for the lxc-debian template on > http://bugs.debian.org/725187 > and see if it is something you want > to include upstream. This change won't apply upstream since the current version of the template doesn't appear to hardcode the release anymore, instead using the host's version by default or failing with an error telling the user to pass -r . -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
[lxc-devel] what happened to the autostart proposals?
Hi folks, there were several proposals on this mailing list about how to start and stop a group of LXC containers, e.g. at boot or shutdown time. Are there any news about this? Regards Harri
[lxc-devel] [lxc/lxc] 41ca89: add lsm op for getting name of enabled lsm
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 41ca89087a8700aaa7992cbfe9bc8f93da15343b https://github.com/lxc/lxc/commit/41ca89087a8700aaa7992cbfe9bc8f93da15343b Author: Dwight Engen Date: 2013-10-18 (Fri, 18 Oct 2013) Changed paths: M src/lxc/lsm/lsm.c M src/lxc/lsm/lsm.h Log Message: --- add lsm op for getting name of enabled lsm Signed-off-by: Dwight Engen Signed-off-by: Serge Hallyn Commit: 72863294f63e27ac263a774aab37aace20dc1bc5 https://github.com/lxc/lxc/commit/72863294f63e27ac263a774aab37aace20dc1bc5 Author: Dwight Engen Date: 2013-10-18 (Fri, 18 Oct 2013) Changed paths: M .gitignore M src/lxc/attach.c M src/lxc/attach_options.h M src/lxc/lsm/apparmor.c M src/lxc/lsm/lsm.c M src/lxc/lsm/lsm.h M src/lxc/lsm/nop.c M src/lxc/lsm/selinux.c M src/lxc/lxc_attach.c M src/lxc/start.c M src/python-lxc/lxc.c M src/python-lxc/lxc/__init__.py M src/tests/Makefile.am A src/tests/attach.c Log Message: --- support setting lsm label at exec or immediately - Add attach test cases - Moved setting of LSM label later to avoid failure of IPC between parent and child during attach Signed-off-by: Dwight Engen Signed-off-by: Serge Hallyn Commit: e0b6898ab49c1c01fc6e9b0fd4db37b2557dbed6 https://github.com/lxc/lxc/commit/e0b6898ab49c1c01fc6e9b0fd4db37b2557dbed6 Author: Dwight Engen Date: 2013-10-18 (Fri, 18 Oct 2013) Changed paths: M src/lxc/start.c Log Message: --- use proper config item depending on which lsm is enabled On a system with AppArmor enabled, if lxc.se_context is configured but lxc.aa_profile is not (because the user just wants to use the default AppArmor profile) lxc was passing the lxc.se_context to be set as the new AppArmor profile. Determine which configuration item to use based on which lsm is enabled. Signed-off-by: Dwight Engen Signed-off-by: Serge Hallyn Compare: https://github.com/lxc/lxc/compare/3d460a385637...e0b6898ab49c
Re: [lxc-devel] what happened to the autostart proposals?
On Fri, Oct 18, 2013 at 08:26:53PM +0200, Harald Dunkel wrote: > Hi folks, > > there were several proposals on this mailing list about how > to start and stop a group of LXC containers, e.g. at boot or > shutdown time. > > Are there any news about this? > > > Regards > Harri I've been (slowly) working on that. I have a local branch here that adds all the needed options and Serge implemented the functions I needed to list all the containers so I just need to find the time to write the changes for lxc-start and lxc-stop and then we can land this upstream. -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
[lxc-devel] [lxc/lxc] f99c38: Add a --thinpool argument to lxc-create, to use th...
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: f99c386b60e7f635c2f95a2e3256f21e751fb50b https://github.com/lxc/lxc/commit/f99c386b60e7f635c2f95a2e3256f21e751fb50b Author: Sidnei da Silva Date: 2013-10-18 (Fri, 18 Oct 2013) Changed paths: M src/lxc/arguments.h M src/lxc/bdev.c M src/lxc/bdev.h M src/lxc/lxc_config.c M src/lxc/lxc_create.c M src/lxc/lxccontainer.c M src/lxc/lxccontainer.h M src/lxc/utils.c M src/lxc/utils.h Log Message: --- Add a --thinpool argument to lxc-create, to use thin pool backed lvm when creating the container. When cloning a container backed by a thin pool, the clone will default to the same thin pool. Commit: 62c70ee2c1b49e7ecd2bfe156a66cbcfc5ecb502 https://github.com/lxc/lxc/commit/62c70ee2c1b49e7ecd2bfe156a66cbcfc5ecb502 Author: Sidnei da Silva Date: 2013-10-18 (Fri, 18 Oct 2013) Changed paths: M doc/lxc-create.sgml.in Log Message: --- Document the new --thinpool option Commit: 55a204f9f4696dc5fca65ddebde3568ee030246d https://github.com/lxc/lxc/commit/55a204f9f4696dc5fca65ddebde3568ee030246d Author: Sidnei da Silva Date: 2013-10-18 (Fri, 18 Oct 2013) Changed paths: M src/lxc/bdev.c Log Message: --- Allocate cmd string with alloca instead of malloc, close popen handle if fgets fails. Compare: https://github.com/lxc/lxc/compare/e0b6898ab49c...55a204f9f469
[lxc-devel] New LXC website
Hey everyone, Just a quick e-mail to announce that http://linuxcontainers.org is now the official project website! I've setup a redirect from the old SourceForge hosted website, so hopefully everyone will end up on the right one. Anyone can help update the content by submitting patches against: https://github.com/lxc/lxc.github.io There's a bit of room for distros to put links to their packages and other useful resources, so far I've just listed Ubuntu as that's the one I know most, other maintainers, please send me a patch for your distro. -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
[lxc-devel] [lxc/lxc] 6c1b2b: lsm.h: Fix inline definition
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 6c1b2b1db911a340eec609affc037955c93466d3 https://github.com/lxc/lxc/commit/6c1b2b1db911a340eec609affc037955c93466d3 Author: Stéphane Graber Date: 2013-10-18 (Fri, 18 Oct 2013) Changed paths: M src/lxc/lsm/lsm.h Log Message: --- lsm.h: Fix inline definition Signed-off-by: Stéphane Graber
[lxc-devel] [lxc/lxc] 0f8f9c: lxccontainer.c: Replace rindex by strrchr (bionic)
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 0f8f9c8aa41b0db9a1896e8eff5a4b810f123cd5 https://github.com/lxc/lxc/commit/0f8f9c8aa41b0db9a1896e8eff5a4b810f123cd5 Author: Stéphane Graber Date: 2013-10-18 (Fri, 18 Oct 2013) Changed paths: M src/lxc/lxccontainer.c Log Message: --- lxccontainer.c: Replace rindex by strrchr (bionic) Signed-off-by: Stéphane Graber
[lxc-devel] [lxc/lxc]
Branch: refs/tags/lxc-1.0.0.alpha2 Home: https://github.com/lxc/lxc
[lxc-devel] [lxc/lxc] 8b54fb: change version to 1.0.0.alpha2 in configure.ac
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 8b54fb4de8097d719a595c019c08a99bd458de0d https://github.com/lxc/lxc/commit/8b54fb4de8097d719a595c019c08a99bd458de0d Author: Stéphane Graber Date: 2013-10-18 (Fri, 18 Oct 2013) Changed paths: M configure.ac Log Message: --- change version to 1.0.0.alpha2 in configure.ac Signed-off-by: Stéphane Graber
[lxc-devel] [PATCH] Fix following compile error on ubuntu 12.10
[...] make[3]: Entering directory `/home/caglar/Projects/lxc/src/tests' depbase=`echo attach.o | sed 's|[^/]*$|.deps/&|;s|\.o$||'`;\ gcc -DHAVE_CONFIG_H -I. -I../../src-I../../src -DLXCROOTFSMOUNT=\"/usr/lib/x86_64-linux-gnu/lxc/rootfs\" -DLXCPATH=\"/var/lib/lxc\" -DLXC_GLOBAL_CONF=\"/etc/lxc/lxc.conf\" -DLXCINITDIR=\"/usr/libexec\" -DLXC_DEFAULT_CONFIG=\"/etc/lxc/default.conf\" -g -O2 -Wall -Werror -MT attach.o -MD -MP -MF $depbase.Tpo -c -o attach.o attach.c &&\ mv -f $depbase.Tpo $depbase.Po attach.c: In function ‘main’: attach.c:380:2: error: implicit declaration of function ‘test_lsm_detect’ [-Werror=implicit-function-declaration] cc1: all warnings being treated as errors make[3]: *** [attach.o] Error 1 [...] Signed-off-by: S.Çağlar Onur --- src/tests/attach.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tests/attach.c b/src/tests/attach.c index 54650bd..57a4bdd 100644 --- a/src/tests/attach.c +++ b/src/tests/attach.c @@ -31,7 +31,6 @@ fprintf(stderr, "%s:%d " fmt "\n", __FILE__, __LINE__, ##__VA_ARGS__); \ } while (0) -#if HAVE_APPARMOR || HAVE_SELINUX static const char *lsm_config_key = NULL; static const char *lsm_label = NULL; @@ -53,6 +52,7 @@ static void test_lsm_detect(void) } } +#if HAVE_APPARMOR || HAVE_SELINUX static void test_attach_lsm_set_config(struct lxc_container *ct) { ct->load_config(ct, NULL); -- 1.8.1.2
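Review bot: in the second hunk (@@ -53,6 +52,7 @@), moving `#if HAVE_APPARMOR || HAVE_SELINUX` below test_lsm_detect() means test_lsm_detect() and the lsm_config_key/lsm_label globals it sets are now compiled on builds without either LSM; the diff does not show the body of test_lsm_detect(), so please confirm it only uses symbols that lsm.h declares unconditionally, otherwise the implicit-declaration error at attach.c:380 is merely traded for a different build failure. The matching `#endif` is not in the diff either; since only the opening guard moves, the existing one still closes it, but the commit message should say so and explain why the guard was in the wrong place, instead of quoting only the build log.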
[lxc-devel] [PATCH] call lxc_container_put when needed in lxc_destroy.c
Signed-off-by: S.Çağlar Onur --- src/lxc/lxc_destroy.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/lxc/lxc_destroy.c b/src/lxc/lxc_destroy.c index 9983241..1d1e687 100644 --- a/src/lxc/lxc_destroy.c +++ b/src/lxc/lxc_destroy.c @@ -108,5 +108,12 @@ int main(int argc, char *argv[]) c->stop(c); } - exit(c->destroy(c) ? 0 : 1); + if (!c->destroy(c)) { + fprintf(stderr, "Destroying %s failed\n", my_args.name); + lxc_container_put(c); + exit(1); + } + + lxc_container_put(c); + return 0; } -- 1.8.1.2
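Review bot: in the hunk at @@ -108,5 +108,12 @@ lxc_container_put(c) is duplicated on both branches of the new if; capturing the result first (`bool ok = c->destroy(c);`), releasing the container once, and then printing the error and exiting on `ok` keeps a single cleanup path that later edits cannot leave half-updated. The two branches also mix `exit(1)` with `return 0` inside main(); pick one. The unchecked `c->stop(c);` in the visible context is untouched by this patch, but since the patch is about handling the destroy result, it would be the natural place to report a failed stop as well.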
[lxc-devel] [PATCH] introduce snapshot_destroy
Signed-off-by: S.Çağlar Onur --- src/lxc/lxccontainer.c | 33 + src/lxc/lxccontainer.h | 7 +++ 2 files changed, 40 insertions(+) diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index c46adf3..c8ecef3 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -2614,6 +2614,38 @@ static bool lxcapi_snapshot_restore(struct lxc_container *c, char *snapname, cha return b; } +static bool lxcapi_snapshot_destroy(struct lxc_container *c, char *snapname) +{ + int ret; + char clonelxcpath[MAXPATHLEN]; + struct lxc_container *snap = NULL; + + if (!c || !c->name || !c->config_path) + return false; + + ret = snprintf(clonelxcpath, MAXPATHLEN, "%ssnaps/%s", c->config_path, c->name); + if (ret < 0 || ret >= MAXPATHLEN) + goto err; + + snap = lxc_container_new(snapname, clonelxcpath); + if (!snap || !lxcapi_is_defined(snap)) { + ERROR("Could not find snapshot %s", snapname); + goto err; + } + + if (!lxcapi_destroy(snap)) { + ERROR("Could not destroy snapshot %s", snapname); + goto err; + } + lxc_container_put(snap); + + return true; +err: + if (snap) + lxc_container_put(snap); + return false; +} + static bool lxcapi_may_control(struct lxc_container *c) { return lxc_try_cmd(c->name, c->config_path) == 0; @@ -2738,6 +2770,7 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath c->snapshot = lxcapi_snapshot; c->snapshot_list = lxcapi_snapshot_list; c->snapshot_restore = lxcapi_snapshot_restore; + c->snapshot_destroy = lxcapi_snapshot_destroy; c->may_control = lxcapi_may_control; /* we'll allow the caller to update these later */ diff --git a/src/lxc/lxccontainer.h b/src/lxc/lxccontainer.h index b7dc1a4..762e1b0 100644 --- a/src/lxc/lxccontainer.h +++ b/src/lxc/lxccontainer.h 
@@ -225,6 +225,13 @@ struct lxc_container { bool (*snapshot_restore)(struct lxc_container *c, char *snapname, char *newname); /* +* snapshot_destroy() will destroy the given snapshot of c +* +* Returns true on success, false on failure. +*/ + bool (*snapshot_destroy)(struct lxc_container *c, char *snapname); + + /* * Return false if there is a control socket for the container monitor, * and the caller may not access it. Return true otherwise. */ -- 1.8.1.2
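Review bot: in the first hunk of lxccontainer.c (@@ -2614,6 +2614,38 @@) lxcapi_snapshot_destroy() validates c, c->name and c->config_path but not snapname, then hands it straight to lxc_container_new(); add `if (!c || !c->name || !c->config_path || !snapname) return false;` so a NULL name is rejected up front rather than inside the constructor. The path built with "%ssnaps/%s" also relies on c->config_path ending in '/'; confirm this is the same convention used where the snapshot directory is created, because if the two differ, lxcapi_is_defined(snap) fails and the only diagnostic is "Could not find snapshot", which hides the real cause. Since the function never modifies snapname, `const char *snapname` would be the better signature, though it matches snapshot_restore() as written.

Review bot: in the lxccontainer.h hunk (@@ -225,6 +225,13 @@) the new `snapshot_destroy` pointer is inserted between snapshot_restore and may_control, which shifts the offset of every member that follows; anything compiled against the previous struct layout that uses those later callbacks will misbehave. If the struct is meant to stay binary-compatible across the 1.0 alphas, append new callbacks at the end; otherwise state the ABI change in the commit message, which is currently just the Signed-off-by line. The doc comment should also say what form snapname takes (for example, whether it is the name as listed by snapshot_list()).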
[lxc-devel] [PATCH] use snapshot_destroy in tests/snapshot.c and clean up containers after the test run
Signed-off-by: S.Çağlar Onur --- src/tests/snapshot.c | 18 +++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/src/tests/snapshot.c b/src/tests/snapshot.c index 8f16548..1f6d115 100644 --- a/src/tests/snapshot.c +++ b/src/tests/snapshot.c @@ -118,13 +118,25 @@ int main(int argc, char *argv[]) goto err; } - printf("All tests passed\n"); + if (!c->snapshot_destroy(c, "snap0")) { + fprintf(stderr, "%s: %d: failed to destroy snapshot\n", __FILE__, __LINE__); + goto err; + } + + if (!c->destroy(c)) { + fprintf(stderr, "%s: %d: failed to destroy container\n", __FILE__, __LINE__); + goto err; + } + lxc_container_put(c); - exit(0); + try_to_remove(); + printf("All tests passed\n"); + exit(0); err: lxc_container_put(c); - fprintf(stderr, "Exiting on error\n"); try_to_remove(); + + fprintf(stderr, "Exiting on error\n"); exit(1); } -- 1.8.1.2
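Review bot: in the hunk at @@ -118,13 +118,25 @@ the success path now calls try_to_remove() before printing "All tests passed" but never checks its result; if try_to_remove() can report failure, a failed cleanup is still reported as a pass, so check its return value (or make it abort) before the final message. Passing the literal "snap0" to a `char *snapname` parameter compiles only because of C's string-literal conversion rule; it is another sign that snapshot_destroy (and snapshot_restore) should take `const char *`. The hardcoded "snap0" also assumes the numbering used when the snapshot was taken earlier in the test, which is not visible in this hunk; a comment pointing at that assumption would help the next reader.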