[lxc-devel] [PATCH 4/3] start: use lxc-user-nic if we are not root
Note this results in nics named things like 'lxcuser-0p'. We'll likely want to pass the requested name to lxc-user-nic, but let's do that in a separate patch. If we're not root, we can't create new network itnerfaces to pass into the container. Instead wait until the container is started, and call lxc-user-nic to create and assign the nics. Signed-off-by: Serge Hallyn --- src/lxc/conf.c | 39 +++ 1 file changed, 39 insertions(+) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index bba6379..75d6cbf 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -2687,6 +2687,10 @@ int lxc_create_network(struct lxc_handler *handler) struct lxc_list *network = &handler->conf->network; struct lxc_list *iterator; struct lxc_netdev *netdev; + int am_root = (getuid() == 0); + + if (!am_root) + return 0; lxc_list_for_each(iterator, network) { 
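Review bot: the early `return 0` when `!am_root` in `lxc_create_network` skips every netdev without looking at its type, so an unprivileged config with a non-veth entry is only rejected later in `unpriv_assign_nic`, after the container has already been started. Walking the list here and refusing anything other than `LXC_NET_VETH` would make the failure surface before any container process runs, and it keeps the "veth only" rule in one obvious place.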
@@ -2738,16 +2742,51 @@ void lxc_delete_network(struct lxc_handler *handler) } } +int unpriv_assign_nic(struct lxc_netdev *netdev, pid_t pid) +{ + pid_t child; + + if (netdev->type != LXC_NET_VETH) { + ERROR("nic type %d not support for unprivileged use", + netdev->type); + return -1; + } + + if ((child = fork()) < 0) { + SYSERROR("fork"); + return -1; + } + + if (child > 0) + return wait_for_pid(child); + + // Call lxc-user-nic pid type bridge + char pidstr[20]; + char *args[] = { "lxc-user-nic", pidstr, "veth", netdev->link, NULL }; + snprintf(pidstr, 19, "%lu", (unsigned long) pid); + pidstr[19] = '\0'; + execvp("lxc-user-nic", args); + SYSERROR("execvp lxc-user-nic"); + exit(1); +} + int lxc_assign_network(struct lxc_list *network, pid_t pid) { struct lxc_list *iterator; struct lxc_netdev *netdev; + int am_root = (getuid() == 0); int err; lxc_list_for_each(iterator, network) { netdev = iterator->elem; + if (!am_root) { + if (unpriv_assign_nic(netdev, pid)) + return -1; + // TODO fill in netdev->ifindex and name + continue; + } /* empty network namespace, nothing to move */ if (!netdev->ifindex) continue; -- 1.8.3.2 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
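Review bot: `unpriv_assign_nic` puts `netdev->link` straight into `args[]`; when no `lxc.network.link` is configured that pointer is NULL and terminates the argv early, so the helper is executed as `lxc-user-nic <pid> veth` with the bridge argument missing. Add an explicit `if (!netdev->link) { ERROR(...); return -1; }` before the `fork()`. Two smaller points: `execvp("lxc-user-nic", args)` resolves the setuid helper through PATH, where a compile-time absolute path is more predictable, and `snprintf(pidstr, sizeof(pidstr), ...)` already NUL-terminates, so the manual `pidstr[19] = '\0'` is not needed. The `// TODO fill in netdev->ifindex and name` also means the rest of lxc-start sees an ifindex of 0 for these nics, which the commit message should say explicitly.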
[lxc-devel] [PATCH] oracle template: restrict writeability in /proc and /sys
Note that since we don't drop CAP_SYS_ADMIN, root in the container can remount proc or sys however they want to, however this at least improves the default situation. Signed-off-by: Dwight Engen --- templates/lxc-oracle.in | 7 +-- 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in index ddc6d74..78d99ee 100644 --- a/templates/lxc-oracle.in +++ b/templates/lxc-oracle.in @@ -350,7 +350,7 @@ lxc.utsname = $name lxc.devttydir = lxc lxc.tty = 4 lxc.pts = 1024 -lxc.mount = $cfg_dir/fstab +lxc.mount.auto = proc:mixed sys:ro lxc.hook.clone = @DATADIR@/lxc/hooks/clonehostname # Uncomment these if you don't run anything that needs the capability, and # would like the container to run with less privilege. @@ -404,11 +404,6 @@ lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc console lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master EOF - -cat < $cfg_dir/fstab || die "unable to create $cfg_dir/fstab" -procproc proc nodev,noexec,nosuid 0 0 -sysfs sys sysfs defaults 0 0 -EOF } container_rootfs_clone() -- 1.8.3.1 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
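Review bot: `lxc.mount.auto = proc:mixed sys:ro` replaces an fstab entry that mounted proc with `nodev,noexec,nosuid`, and the new line does not carry those flags; please confirm that the automatic proc mount still applies them and say so in the commit message, otherwise the change relaxes proc while tightening sys. Since the commit message itself notes that root can remount proc or sys while CAP_SYS_ADMIN is kept, a one-line pointer next to the `# Uncomment these if you don't run anything that needs the capability` block, saying that dropping `sys_admin` is what makes the read-only sysfs stick, would tell template users how to get the intended effect.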
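Review bot: removing the `cat < $cfg_dir/fstab` block is consistent with dropping `lxc.mount = $cfg_dir/fstab` in the hunk above, but templates only shape new containers: containers created by the previous version of this template keep their `lxc.mount = ...fstab` line and the `sysfs sys sysfs defaults 0 0` entry, so they stay on a writable sysfs until someone edits their config. A sentence in the commit message (or a note in the template's header comment) that existing containers are not migrated would save users from assuming the restriction applies retroactively.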
Re: [lxc-devel] [PATCH 1/3] container creation: support unpriv container creation in user namespaces
On Wed, Oct 23, 2013 at 01:02:57AM +, Serge Hallyn wrote: > From: Serge Hallyn > > 1. lxcapi_create: don't try to unshare and mount for dir backed containers > > It's unnecessary, and breaks unprivileged lxc-create (since unpriv users > cannot yet unshare(CLONE_NEWNS)). > > 2. api_create: chown rootfs > > chown rootfs to the host uid to which container root will be mapped > > 3. create: run template in a mapped user ns > > 4. use (setuid-root) newxidmap to set id_map if we are not root > > This is needed to be able to set userns mappings as an unprivileged > user, for unprivileged lxc-start. > > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- > src/lxc/conf.c | 102 +- > src/lxc/conf.h | 4 ++ > src/lxc/lxccontainer.c | 164 > - > 3 files changed, 240 insertions(+), 30 deletions(-) > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 208c08b..3f7f0ef 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c 
> @@ -2802,31 +2802,49 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid) > int ret = 0; > enum idtype type; > char *buf = NULL, *pos; > + int am_root = (getuid() == 0); > > for(type = ID_TYPE_UID; type <= ID_TYPE_GID; type++) { > int left, fill; > - > - pos = buf; > - lxc_list_for_each(iterator, idmap) { > - /* The kernel only takes <= 4k for writes to > /proc//[ug]id_map */ > - if (!buf) > - buf = pos = malloc(4096); > + int had_entry = 0; > + if (!buf) { > + buf = pos = malloc(4096); > if (!buf) > return -ENOMEM; > + } > + pos = buf; > + if (!am_root) > + pos += sprintf(buf, "new%cidmap %d ", > + type == ID_TYPE_UID ? 'u' : 'g', > + pid); > > + lxc_list_for_each(iterator, idmap) { > + /* The kernel only takes <= 4k for writes to > /proc//[ug]id_map */ > map = iterator->elem; > - if (map->idtype == type) { > - left = 4096 - (pos - buf); > - fill = snprintf(pos, left, "%lu %lu %lu\n", > - map->nsid, map->hostid, map->range); > - if (fill <= 0 || fill >= left) > - SYSERROR("snprintf failed, too many > mappings"); > - pos += fill; > - } > + if (map->idtype != type) > + continue; > + > + had_entry = 1; > + left = 4096 - (pos - buf); > + fill = snprintf(pos, left, " %lu %lu %lu", map->nsid, > + map->hostid, map->range); > + if (fill <= 0 || fill >= left) > + SYSERROR("snprintf failed, too many mappings"); > + pos += fill; > } > - if (pos == buf) // no mappings were found > + if (!had_entry) > continue; > - ret = write_id_mapping(type, pid, buf, pos-buf); > + left = 4096 - (pos - buf); > + fill = snprintf(pos, left, "\n"); > + if (fill <= 0 || fill >= left) > + SYSERROR("snprintf failed, too many mappings"); > + pos += fill; > + > + if (am_root) > + ret = write_id_mapping(type, pid, buf, pos-buf); > + else > + ret = system(buf); > + > if (ret) > break; > } 
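Review bot: in the unprivileged branch of `lxc_map_ids` the mapping is handed to `system(buf)`, which runs `newuidmap`/`newgidmap` through `/bin/sh` with a PATH lookup; the arguments are only numbers from the parsed id_map so nothing from the config is injected, but an argv-based `fork`/`execvp` (as `chown_mapped_root` in patch 2/3 does for lxc-usernsexec) avoids the shell entirely and yields a real exit status rather than the wait status that `system()` returns and `if (ret) break;` then propagates as `ret`. Separately, both `SYSERROR("snprintf failed, too many mappings")` branches still fall through to `pos += fill`: when `fill >= left`, `pos` moves past the end of the 4k buffer and the next `left = 4096 - (pos - buf)` goes negative, which the following `snprintf` receives as a huge size_t. Return an error there instead of continuing (freeing `buf` on the way out).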
> @@ -2836,6 +2854,58 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid) > return ret; > } > > +/* > + * return the host uid to which the container root is mapped, or -1 on > + * error > + */ > +int get_mapped_rootid(struct lxc_conf *conf) > +{ > + struct lxc_list *it; > + struct id_map *map; > + > + lxc_list_for_each(it, &conf->id_map) { > + map = it->elem; > + if (map->idtype != ID_TYPE_UID) > + continue; > + if (map->nsid != 0) > + continue; > + return map->hostid; > + } > + return -1; > +} > + > +bool hostid_is_mapped(int id, struct lxc_conf *conf) > +{ > + struct lxc_list *it; > + struct id_map *map; > + lxc_list_for_each(it, &conf->id_map) { > + map = it->elem; > + if (map->idtype != ID_TYPE_UID) > + continue; > + if (id >= map->hostid && id < map->hostid + map->range) > + return true; > + } > + return false; > +} > + > +int find_unmapped_nsuid(str
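Review bot: `get_mapped_rootid` returns `int` and uses `-1` for "no mapping", but `map->hostid` is formatted with `%lu` in the hunk above, so a host uid above INT_MAX is truncated on return and can collide with the error value; `hostid_is_mapped(int id, ...)` has the matching signedness problem in `id >= map->hostid`, where the signed `id` is promoted to unsigned long before the comparison. Returning `uid_t` with `(uid_t)-1` as the error value, and taking `uid_t id`, lets both callers check the right thing.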
Re: [lxc-devel] [PATCH 2/3] fix chowning of tty and console uids
On Wed, Oct 23, 2013 at 01:02:58AM +, Serge Hallyn wrote: > From: Serge Hallyn > > It needs to be done from the handler, not the container, since > the container may not have the rights. > > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > Changelog: > Jul 22: remove hardcoded path for /bin/chown > Jul 22: use new lxc-usernsexec > > Conflicts: > src/lxc/lxccontainer.c > --- > src/lxc/conf.c | 126 > +++-- > src/lxc/conf.h | 6 +-- > src/lxc/lxccontainer.c | 54 + > src/lxc/start.c| 10 ++-- > 4 files changed, 69 insertions(+), 127 deletions(-) > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 3f7f0ef..bba6379 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -2858,7 +2858,7 @@ int lxc_map_ids(struct lxc_list *idmap, pid_t pid) > * return the host uid to which the container root is mapped, or -1 on > * error > */ > -int get_mapped_rootid(struct lxc_conf *conf) > +uid_t get_mapped_rootid(struct lxc_conf *conf) > { > struct lxc_list *it; > struct id_map *map; > @@ -2869,9 +2869,9 @@ int get_mapped_rootid(struct lxc_conf *conf) > continue; > if (map->nsid != 0) > continue; > - return map->hostid; > + return (uid_t) map->hostid; > } > - return -1; > + return (uid_t)-1; > } > > bool hostid_is_mapped(int id, struct lxc_conf *conf) 
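Review bot: switching `get_mapped_rootid` to `uid_t` with `(uid_t)-1` on error is the right direction, but `hostid_is_mapped(int id, ...)` in the trailing context still takes a signed `int` and compares it against `map->hostid`; changing it to `uid_t id` in the same patch keeps the two functions consistent. Every caller also has to compare against `(uid_t)-1` explicitly now, since the error value is no longer negative and any `< 0` or `<= 0` test silently stops working.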
> @@ -3020,89 +3020,81 @@ void lxc_delete_tty(struct lxc_tty_info *tty_info) > } > > /* > - * given a host uid, return the ns uid if it is mapped. > - * if it is not mapped, return the original host id. > + * chown_mapped_root: for an unprivileged user with uid X to chown a dir > + * to subuid Y, he needs to run chown as root in a userns where > + * nsid 0 is mapped to hostuid Y, and nsid Y is mapped to hostuid > + * X. That way, the container root is privileged with respect to > + * hostuid X, allowing him to do the chown. > */ > -static int shiftid(struct lxc_conf *c, int uid, enum idtype w) > +int chown_mapped_root(char *path, struct lxc_conf *conf) > { > - struct lxc_list *iterator; > - struct id_map *map; > - int low, high; > + uid_t rootid; > + pid_t pid; > > - lxc_list_for_each(iterator, &c->id_map) { > - map = iterator->elem; > - if (map->idtype != w) > - continue; > - > - low = map->nsid; > - high = map->nsid + map->range; > - if (uid < low || uid >= high) > - continue; > - > - return uid - low + map->hostid; > + if ((rootid = get_mapped_rootid(conf)) <= 0) { > + ERROR("No mapping for container root"); > + return -1; > } > - > - return uid; > -} > - > -/* > - * Take a pathname for a file created on the host, and map the uid and gid > - * into the container if needed. 
(Used for ttys) > - */ > -static int uid_shift_file(char *path, struct lxc_conf *c) > -{ > - struct stat statbuf; > - int newuid, newgid; > - > - if (stat(path, &statbuf)) { > - SYSERROR("stat(%s)", path); > + if (geteuid() == 0) { > + if (chown(path, rootid, -1) < 0) { > + ERROR("Error chowning %s", path); > + return -1; > + } > + return 0; > + } > + pid = fork(); > + if (pid < 0) { > + SYSERROR("Failed forking"); > return -1; > } > + if (!pid) { > + int hostuid = geteuid(), ret; > + char map1[100], map2[100]; > + char *args[] = {"lxc-usernsexec", "-m", map1, "-m", map2, "--", > "chown", > + "0", path, NULL}; > > - newuid = shiftid(c, statbuf.st_uid, ID_TYPE_UID); > - newgid = shiftid(c, statbuf.st_gid, ID_TYPE_GID); > - if (newuid != statbuf.st_uid || newgid != statbuf.st_gid) { > - DEBUG("chowning %s from %d:%d to %d:%d\n", path, > (int)statbuf.st_uid, (int)statbuf.st_gid, newuid, newgid); > - if (chown(path, newuid, newgid)) { > - SYSERROR("chown(%s)", path); > + // "b:0:rootid:1" > + ret = snprintf(map1, 100, "b:0:%d:1", rootid); > + if (ret < 0 || ret >= 100) { > + ERROR("Error uid printing map string"); > return -1; > } > + > + // "b:hostuid:hostuid:1" > + ret = snprintf(map2, 100, "b:%d:%d:1", hostuid, hostuid); > + if (ret < 0 || ret >= 100) { > + ERROR("Error uid printing map string"); > + return -1; > + } > + > + ret = execvp("lxc-usernsexec", args); > + SYSERROR("Failed executing usernsexec"); > + exit(1); > } > - return 0; > + return wait_for_pid(pid); > } > > -in
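Review bot: `if ((rootid = get_mapped_rootid(conf)) <= 0)` no longer catches the error case: `rootid` is `uid_t`, so `(uid_t)-1` is 4294967295, passes this test, and execution continues into the chown and map-building code with a bogus uid instead of reporting the missing mapping. Test `rootid == (uid_t)-1` (and, if uid 0 is meant to be refused, `rootid == 0` separately), and use `%u` rather than `%d` for the `uid_t` in the two `snprintf` formats. In the child branch, the two `return -1` statements after a failed `snprintf` return from the forked child into the caller of `chown_mapped_root`, so the child carries on running the parent's code path; use `exit(1)` there as the `execvp` failure path already does. The `ret = execvp(...)` assignment is also never read.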
Re: [lxc-devel] [PATCH 3/3] lxc-busybox: if in userns, don't try to mknod
On Wed, Oct 23, 2013 at 01:02:59AM +, Serge Hallyn wrote: > From: Serge Hallyn > > Signed-off-by: Serge Hallyn We really should be working on a shared set of functions all templates can source instead of re-inventing the wheel over and over again (thinking about config, fstab, architecture handling, locking, ...) Acked-by: Stéphane Graber > --- > templates/lxc-busybox.in | 44 +++- > 1 file changed, 31 insertions(+), 13 deletions(-) > > diff --git a/templates/lxc-busybox.in b/templates/lxc-busybox.in > index cbdaaf3..7aa4130 100644 > --- a/templates/lxc-busybox.in > +++ b/templates/lxc-busybox.in > @@ -20,6 +20,17 @@ > # License along with this library; if not, write to the Free Software > # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 > USA > > +am_in_userns() { > +[ -e /proc/self/uid_map ] || { echo no; return; } > +[ "$(wc -l /proc/self/uid_map | awk '{ print $1 }')" -eq 1 ] || { echo > yes; return; } > +line=$(awk '{ print $1 " " $2 " " $3 }' /proc/self/uid_map) > +[ "$line" = "0 0 4294967295" ] && { echo no; return; } > +echo yes > +} > + > +in_userns=0 > +[ $(am_in_userns) = "yes" ] && in_userns=1 > + > install_busybox() > { > rootfs=$1 
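Review bot: `am_in_userns` treats a single `0 0 4294967295` line in `/proc/self/uid_map` as "not in a user namespace", which is the identity map of the initial namespace; a child namespace that maps the full range the same way would be reported as `no` and the template would fall back to the `mknod` branch. That is a reasonable heuristic, but a comment saying it is one would help the next reader. Also quote the substitution in `[ $(am_in_userns) = "yes" ]` as `[ "$(am_in_userns)" = "yes" ]`, so an empty result is a false comparison rather than a syntax error in `[`.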
> @@ -55,19 +66,26 @@ $rootfs/usr/lib64" > pushd $rootfs/dev > /dev/null || return 1 > > # minimal devices needed for busybox > -mknod tty c 5 0 || res=1 > -mknod console c 5 1 || res=1 > -chmod 666 tty console || res=1 > -mknod tty0 c 4 0 || res=1 > -mknod tty1 c 4 0 || res=1 > -mknod tty5 c 4 0 || res=1 > -chmod 666 tty0|| res=1 > -mknod ram0 b 1 0 || res=1 > -chmod 600 ram0|| res=1 > -mknod null c 1 3 || res=1 > -chmod 666 null|| res=1 > -mknod urandom c 1 9 || res=1 > -chmod 666 urandom || res=1 > +if [ $in_userns -eq 1 ]; then > +for dev in tty console tty0 tty1 tty5 ram0 null urandom; do > +touch $rootfs/dev/$dev > +echo "/dev/$dev dev/$devnone bind 0 0" >> $path/fstab > +done > +else > +mknod tty c 5 0 || res=1 > +mknod console c 5 1 || res=1 > +chmod 666 tty console || res=1 > +mknod tty0 c 4 0 || res=1 > +mknod tty1 c 4 0 || res=1 > +mknod tty5 c 4 0 || res=1 > +chmod 666 tty0|| res=1 > +mknod ram0 b 1 0 || res=1 > +chmod 600 ram0|| res=1 > +mknod null c 1 3 || res=1 > +chmod 666 null|| res=1 > +mknod urandom c 1 9 || res=1 > +chmod 666 urandom || res=1 > +fi > > popd > /dev/null > > -- > 1.8.1.2 > > > -- > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk > ___ > Lxc-devel mailing list > Lxc-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. 
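Review bot: the `in_userns` branch loses the error tracking the `mknod` branch has: neither `touch $rootfs/dev/$dev` nor the `echo ... >> $path/fstab` sets `res=1` on failure, so `install_busybox` reports success even when /dev is empty or the fstab could not be written; add `|| res=1` to both. The loop also bind-mounts the host's own `/dev/tty0`, `/dev/tty1`, `/dev/tty5` and `/dev/ram0` into the container; host permissions still govern those nodes, but for an unprivileged container it would be cleaner to bind only what busybox actually needs (`null`, `urandom`, `tty`, `console`) and leave the host-global devices out of the list.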
Re: [lxc-devel] [PATCH 4/3] start: use lxc-user-nic if we are not root
On Wed, Oct 23, 2013 at 10:52:37AM -0500, Serge Hallyn wrote: > Note this results in nics named things like 'lxcuser-0p'. We'll > likely want to pass the requested name to lxc-user-nic, but let's > do that in a separate patch. > > If we're not root, we can't create new network itnerfaces to pass > into the container. Instead wait until the container is started, > and call lxc-user-nic to create and assign the nics. > > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- > src/lxc/conf.c | 39 +++ > 1 file changed, 39 insertions(+) > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index bba6379..75d6cbf 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -2687,6 +2687,10 @@ int lxc_create_network(struct lxc_handler *handler) > struct lxc_list *network = &handler->conf->network; > struct lxc_list *iterator; > struct lxc_netdev *netdev; > + int am_root = (getuid() == 0); > + > + if (!am_root) > + return 0; > > lxc_list_for_each(iterator, network) { 
> > @@ -2738,16 +2742,51 @@ void lxc_delete_network(struct lxc_handler *handler) > } > } > > +int unpriv_assign_nic(struct lxc_netdev *netdev, pid_t pid) > +{ > + pid_t child; > + > + if (netdev->type != LXC_NET_VETH) { > + ERROR("nic type %d not support for unprivileged use", > + netdev->type); > + return -1; > + } > + > + if ((child = fork()) < 0) { > + SYSERROR("fork"); > + return -1; > + } > + > + if (child > 0) > + return wait_for_pid(child); > + > + // Call lxc-user-nic pid type bridge > + char pidstr[20]; > + char *args[] = { "lxc-user-nic", pidstr, "veth", netdev->link, NULL }; > + snprintf(pidstr, 19, "%lu", (unsigned long) pid); > + pidstr[19] = '\0'; > + execvp("lxc-user-nic", args); > + SYSERROR("execvp lxc-user-nic"); > + exit(1); > +} > + > int lxc_assign_network(struct lxc_list *network, pid_t pid) > { > struct lxc_list *iterator; > struct lxc_netdev *netdev; > + int am_root = (getuid() == 0); > int err; > > lxc_list_for_each(iterator, network) { > > netdev = iterator->elem; > > + if (!am_root) { > + if (unpriv_assign_nic(netdev, pid)) > + return -1; > + // TODO fill in netdev->ifindex and name > + continue; > + } > /* empty network namespace, nothing to move */ > if (!netdev->ifindex) > continue; > -- > 1.8.3.2 > > > -- > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk > ___ > Lxc-devel mailing list > Lxc-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. 
[lxc-devel] [lxc/lxc] 9d65a4: Fix segfault on lxc-create when no template specif...
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 9d65a4872917d4bed744aaddafc99046c588e7ae https://github.com/lxc/lxc/commit/9d65a4872917d4bed744aaddafc99046c588e7ae Author: KATOH Yasufumi Date: 2013-10-23 (Wed, 23 Oct 2013) Changed paths: M src/lxc/lxccontainer.c Log Message: --- Fix segfault on lxc-create when no template specified When no template file is specified on lxc-create, receive segfault. So change not to append header in config when no template is specified. Signed-off-by: KATOH Yasufumi Acked-by: Stéphane Graber
[lxc-devel] [lxc/lxc] a1e4c2: template: Fix the container configuration issue in...
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: a1e4c206d5373b8ecd7906bff37f2601d65f022c https://github.com/lxc/lxc/commit/a1e4c206d5373b8ecd7906bff37f2601d65f022c Author: KATOH Yasufumi Date: 2013-10-23 (Wed, 23 Oct 2013) Changed paths: M templates/lxc-plamo.in Log Message: --- template: Fix the container configuration issue in lxc-plamo Signed-off-by: KATOH Yasufumi Acked-by: Stéphane Graber
[lxc-devel] [lxc/lxc] 09b152: doc: Update Japanese lxc-create(1) for default thi...
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 09b15218a42cb77adcc6033929e3188c53cdc574 https://github.com/lxc/lxc/commit/09b15218a42cb77adcc6033929e3188c53cdc574 Author: KATOH Yasufumi Date: 2013-10-23 (Wed, 23 Oct 2013) Changed paths: M doc/ja/lxc-create.sgml.in Log Message: --- doc: Update Japanese lxc-create(1) for default thin pool name Update for commit 055af165efb08f4dd54608896893bb6928fd472f Signed-off-by: KATOH Yasufumi Acked-by: Stéphane Graber
[lxc-devel] [PATCH] lxc-debian: Add hwaddr handling logic
Signed-off-by: Stéphane Graber --- templates/lxc-debian.in | 7 +++ 1 file changed, 7 insertions(+) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 4dd4910..645fe8d 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -207,6 +207,13 @@ copy_configuration() hostname=$3 arch=$4 +# if there is exactly one veth network entry, make sure it has an +# associated hwaddr. +nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l` +if [ $nics -eq 1 ]; then +grep -q "^lxc.network.hwaddr" $path/config || sed -i -e "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config +fi + grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = $rootfs" >> $path/config cat <> $path/config lxc.tty = 4 -- 1.8.3.2 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
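Review bot: the `sed ... /a lxc.network.hwaddr = 00:16:3e:$(openssl rand -hex 3 | ...)` command is run whether or not `openssl` is installed; when it is missing, the substitution expands to nothing and a malformed `lxc.network.hwaddr = 00:16:3e:` line is appended to the config, which then fails to parse at start time. Check for `openssl` first (or read the three bytes from `/dev/urandom` with `od`/`hexdump`) and skip the insertion if no address could be generated. The `if [ $nics -eq 1 ]` guard also means that with two or more veth entries none of them gets a stable address; the `# if there is exactly one veth network entry` comment should say why that case is left alone.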
Re: [lxc-devel] [PATCH] lxc-debian: Add hwaddr handling logic
Quoting Stéphane Graber (stgra...@ubuntu.com): > Signed-off-by: Stéphane Graber Acked-by: Serge E. Hallyn > --- > templates/lxc-debian.in | 7 +++ > 1 file changed, 7 insertions(+) > > diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in > index 4dd4910..645fe8d 100644 > --- a/templates/lxc-debian.in > +++ b/templates/lxc-debian.in > @@ -207,6 +207,13 @@ copy_configuration() > hostname=$3 > arch=$4 > > +# if there is exactly one veth network entry, make sure it has an > +# associated hwaddr. > +nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc > -l` > +if [ $nics -eq 1 ]; then > +grep -q "^lxc.network.hwaddr" $path/config || sed -i -e > "/^lxc\.network\.type[ \t]*=[ \t]*veth/a lxc.network.hwaddr = > 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')" $path/config > +fi > + > grep -q "^lxc.rootfs" $path/config 2>/dev/null || echo "lxc.rootfs = > $rootfs" >> $path/config > cat <> $path/config > lxc.tty = 4 > -- > 1.8.3.2 > > > -- > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk > ___ > Lxc-devel mailing list > Lxc-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/lxc-devel -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] [PATCH] oracle template: restrict writeability in /proc and /sys
Quoting Dwight Engen (dwight.en...@oracle.com): > Note that since we don't drop CAP_SYS_ADMIN, root in the container can > remount proc or sys however they want to, however this at least improves > the default situation. > > Signed-off-by: Dwight Engen Acked-by: Serge E. Hallyn > --- > templates/lxc-oracle.in | 7 +-- > 1 file changed, 1 insertion(+), 6 deletions(-) > > diff --git a/templates/lxc-oracle.in b/templates/lxc-oracle.in > index ddc6d74..78d99ee 100644 > --- a/templates/lxc-oracle.in > +++ b/templates/lxc-oracle.in > @@ -350,7 +350,7 @@ lxc.utsname = $name > lxc.devttydir = lxc > lxc.tty = 4 > lxc.pts = 1024 > -lxc.mount = $cfg_dir/fstab > +lxc.mount.auto = proc:mixed sys:ro > lxc.hook.clone = @DATADIR@/lxc/hooks/clonehostname > # Uncomment these if you don't run anything that needs the capability, and > # would like the container to run with less privilege. 
> @@ -404,11 +404,6 @@ lxc.cgroup.devices.allow = c 1:9 rwm # /dev/urandom > lxc.cgroup.devices.allow = c 136:* rwm # /dev/tty[1-4] ptys and lxc > console > lxc.cgroup.devices.allow = c 5:2 rwm # /dev/ptmx pty master > EOF > - > -cat < $cfg_dir/fstab || die "unable to create $cfg_dir/fstab" > -procproc proc nodev,noexec,nosuid 0 0 > -sysfs sys sysfs defaults 0 0 > -EOF > } > > container_rootfs_clone() > -- > 1.8.3.1 > > > -- > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk > ___ > Lxc-devel mailing list > Lxc-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/lxc-devel -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
[lxc-devel] [lxc/lxc] aea1cd: lxc-debian: Add hwaddr handling logic
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: aea1cd3cb730117967c9671aa50f68d2b241c39e https://github.com/lxc/lxc/commit/aea1cd3cb730117967c9671aa50f68d2b241c39e Author: Stéphane Graber Date: 2013-10-23 (Wed, 23 Oct 2013) Changed paths: M templates/lxc-debian.in Log Message: --- lxc-debian: Add hwaddr handling logic Signed-off-by: Stéphane Graber Acked-by: Serge E. Hallyn
[lxc-devel] [lxc/lxc] 8f47bc: clang: Fix some simple issues
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 8f47bc3f318b84886e86fe3e71e37c9a9d3b79d8 https://github.com/lxc/lxc/commit/8f47bc3f318b84886e86fe3e71e37c9a9d3b79d8 Author: Stéphane Graber Date: 2013-10-23 (Wed, 23 Oct 2013) Changed paths: M src/lxc/confile.c M src/lxc/lxc_monitord.c M src/lxc/monitor.c M src/lxc/version.c M src/lxc/version.h Log Message: --- clang: Fix some simple issues Signed-off-by: Stéphane Graber
[lxc-devel] [PATCH] apparmor: cache the are-we-enabled decision
Since we check /sys/kernel/security/ files when deciding whether apparmor is enabled, and that might not be mounted in the container, we cannot re-make the decision at apparmor_process_label_set() time. Luckily we don't have to - just cache the decision made at lsm_apparmor_drv_init(). Signed-off-by: Serge Hallyn --- src/lxc/lsm/apparmor.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c index cf8020d..aaf8056 100644 --- a/src/lxc/lsm/apparmor.c +++ b/src/lxc/lsm/apparmor.c @@ -32,6 +32,9 @@ lxc_log_define(lxc_apparmor, lxc); +/* set by lsm_apparmor_drv_init if true */ +static int aa_enabled = 0; + #define AA_DEF_PROFILE "lxc-container-default" #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask" #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled" @@ -139,7 +142,7 @@ static int apparmor_am_unconfined(void) static int apparmor_process_label_set(const char *label, int use_default, int on_exec) { - if (!apparmor_enabled()) + if (!aa_enabled) return 0; if (!label) { @@ -181,5 +184,6 @@ struct lsm_drv *lsm_apparmor_drv_init(void) { if (!apparmor_enabled()) return NULL; + aa_enabled = 1; return &apparmor_drv; } -- 1.8.1.2 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
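Review bot: caching the decision in `lsm_apparmor_drv_init` fixes `apparmor_process_label_set`, but the same /sys/kernel/security dependency applies to `AA_MOUNT_RESTR` (`/sys/kernel/security/apparmor/features/mount/mask`), defined right above the new `aa_enabled`; if that file is consulted after the container's mounts are in place it will be just as invisible, so resolving and caching that check at init time too would be consistent with this change. A small style point: `/* set by lsm_apparmor_drv_init if true */` reads better as `/* set to 1 by lsm_apparmor_drv_init once apparmor is known to be enabled */`.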
[lxc-devel] [PATCH] clang: Remaining changes
Those are a bit less obvious than those I pushed directly to master. All those changes were required to build LXC under clang here. With this, gcc can be replaced by clang to build LXC so long as you're not using the python3 binding (as python extensions can't be built under clang at the moment). For reference, the clang output for those is: http://paste.ubuntu.com/6292460/ Signed-off-by: Stéphane Graber --- src/lxc/caps.c | 2 +- src/lxc/commands.c | 4 ++-- src/lxc/conf.c | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/lxc/caps.c b/src/lxc/caps.c index bcbb859..89b87af 100644 --- a/src/lxc/caps.c +++ b/src/lxc/caps.c @@ -204,7 +204,7 @@ static int _real_caps_last_cap(void) buf[n] = '\0'; result = strtol(buf, &ptr, 10); if (!ptr || (*ptr != '\0' && *ptr != '\n') || - result == LONG_MIN || result == LONG_MAX) + result == INT_MIN || result == INT_MAX) result = -1; } diff --git a/src/lxc/commands.c b/src/lxc/commands.c index 33821dd..3e44ef3 100644 --- a/src/lxc/commands.c +++ b/src/lxc/commands.c @@ -109,7 +109,7 @@ static const char *lxc_cmd_str(lxc_cmd_t cmd) [LXC_CMD_GET_CONFIG_ITEM] = "get_config_item", }; - if (cmd < 0 || cmd >= LXC_CMD_MAX) + if (cmd >= LXC_CMD_MAX) return "Unknown cmd"; return cmdname[cmd]; } @@ -735,7 +735,7 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req *req, [LXC_CMD_GET_CONFIG_ITEM] = lxc_cmd_get_config_item_callback, }; - if (req->cmd < 0 || req->cmd >= LXC_CMD_MAX) { + if (req->cmd >= LXC_CMD_MAX) { ERROR("bad cmd %d received", req->cmd); return -1; } diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 208c08b..0724e3f 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1948,7 +1948,7 @@ static int setup_caps(struct lxc_list *caps) * we don't */ capid = strtol(drop_entry, &ptr, 10); if (!ptr || *ptr != '\0' || - capid == LONG_MIN || capid == LONG_MAX) + capid == INT_MIN || capid == INT_MAX) /* not a valid number */ capid = -1; else if (capid > lxc_caps_last_cap()) 
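Review bot: in `_real_caps_last_cap`, replacing `LONG_MIN`/`LONG_MAX` with `INT_MIN`/`INT_MAX` silences clang's always-false comparison (apparently because `result` is an `int`), but it also changes behaviour: `strtol` signals overflow by returning `LONG_MIN`/`LONG_MAX` with `errno == ERANGE`, and on LP64 those no longer equal `INT_MIN`/`INT_MAX`, so an out-of-range value in the file is now accepted after truncation to `int`. Keep a `long` temporary for the `strtol` result, check `errno == ERANGE`, and range-check it before assigning to `result`.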
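Review bot: dropping `cmd < 0` in `lxc_cmd_str` and `req->cmd < 0` in `lxc_cmd_process` assumes `lxc_cmd_t` has an unsigned underlying type, which is implementation-defined (clang warns precisely because it chose unsigned; gcc is free to pick a signed type). `req->cmd` in `lxc_cmd_process` arrives over the command socket from another process, so if the enum is ever signed a negative value would index the callback table out of bounds and the `ERROR("bad cmd %d received", ...)` path would never fire. A compiler-neutral form is `(unsigned int)req->cmd >= LXC_CMD_MAX` (and the same in `lxc_cmd_str`), which keeps the lower bound without the warning.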
@@ -2013,7 +2013,7 @@ static int dropcaps_except(struct lxc_list *caps) * we don't */ capid = strtol(keep_entry, &ptr, 10); if (!ptr || *ptr != '\0' || - capid == LONG_MIN || capid == LONG_MAX) + capid == INT_MIN || capid == INT_MAX) /* not a valid number */ capid = -1; else if (capid > lxc_caps_last_cap()) -- 1.8.3.2 -- October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
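Review bot: dropcaps_except() carries a line-for-line copy of the setup_caps() parsing, so the INT_MIN/INT_MAX test is equally meaningless here. Rather than patching both, move the string-to-capid conversion into one static helper that does the errno = 0 / ERANGE / end-pointer / `< 0` / `> lxc_caps_last_cap()` checks once and returns -1 on any failure, and call it from both places so they cannot diverge again.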
[lxc-devel] [lxc/lxc] 336623: oracle template: restrict writeability in /proc an...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: 33662399da0d6d29a2a49b36fe5394741e068ef0
https://github.com/lxc/lxc/commit/33662399da0d6d29a2a49b36fe5394741e068ef0
Author: Dwight Engen
Date: 2013-10-23 (Wed, 23 Oct 2013)
Changed paths: M templates/lxc-oracle.in
Log Message:
---
oracle template: restrict writeability in /proc and /sys
Note that since we don't drop CAP_SYS_ADMIN, root in the container can remount proc or sys however they want to, however this at least improves the default situation.
Signed-off-by: Dwight Engen
Acked-by: Serge E. Hallyn
[lxc-devel] [lxc/lxc] 7e6966: apparmor: cache the are-we-enabled decision
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: 7e6966e57264e993ee7856993cc5ee9ff31969a6
https://github.com/lxc/lxc/commit/7e6966e57264e993ee7856993cc5ee9ff31969a6
Author: Serge Hallyn
Date: 2013-10-23 (Wed, 23 Oct 2013)
Changed paths: M src/lxc/lsm/apparmor.c
Log Message:
---
apparmor: cache the are-we-enabled decision
Since we check /sys/kernel/security/ files when deciding whether apparmor is enabled, and that might not be mounted in the container, we cannot re-make the decision at apparmor_process_label_set() time. Luckily we don't have to - just cache the decision made at lsm_apparmor_drv_init().
Signed-off-by: Serge Hallyn
Acked-by: Stéphane Graber
Re: [lxc-devel] [PATCH] apparmor: cache the are-we-enabled decision
On Wed, Oct 23, 2013 at 08:54:13PM -0500, Serge Hallyn wrote: > Since we check /sys/kernel/security/ files when deciding whether > apparmor is enabled, and that might not be mounted in the container, > we cannot re-make the decision at apparmor_process_label_set() time. > Luckily we don't have to - just cache the decision made at > lsm_apparmor_drv_init(). > > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- > src/lxc/lsm/apparmor.c | 6 +- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/src/lxc/lsm/apparmor.c b/src/lxc/lsm/apparmor.c > index cf8020d..aaf8056 100644 > --- a/src/lxc/lsm/apparmor.c > +++ b/src/lxc/lsm/apparmor.c > @@ -32,6 +32,9 @@ > > lxc_log_define(lxc_apparmor, lxc); > > +/* set by lsm_apparmor_drv_init if true */ > +static int aa_enabled = 0; > + > #define AA_DEF_PROFILE "lxc-container-default" > #define AA_MOUNT_RESTR "/sys/kernel/security/apparmor/features/mount/mask" > #define AA_ENABLED_FILE "/sys/module/apparmor/parameters/enabled" > @@ -139,7 +142,7 @@ static int apparmor_am_unconfined(void) > static int apparmor_process_label_set(const char *label, int use_default, > int on_exec) > { > - if (!apparmor_enabled()) > + if (!aa_enabled) > return 0; > > if (!label) { 
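Review bot: the new comment `/* set by lsm_apparmor_drv_init if true */` on aa_enabled says when the variable is written but not what it means or why it exists; the reasoning in the commit message belongs in the code, where the next reader of apparmor_process_label_set() will look for it, e.g. `/* Whether apparmor_enabled() was true when lsm_apparmor_drv_init() ran. Cached because /sys/kernel/security may not be mounted inside the container, so the check cannot be repeated later. */`.

Review bot: `if (!aa_enabled) return 0;` in apparmor_process_label_set() reports success while applying no profile, both when AppArmor is genuinely off and when the driver was never initialised. The old apparmor_enabled() call failed open the same way, so this is not a regression, but now that the decision is a cached flag it is worth an INFO() line saying the requested label is being ignored, so a container that ends up unconfined shows up in the log instead of passing silently.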
> @@ -181,5 +184,6 @@ struct lsm_drv *lsm_apparmor_drv_init(void) > { > if (!apparmor_enabled()) > return NULL; > + aa_enabled = 1; > return &apparmor_drv; > } > -- > 1.8.1.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
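Review bot: setting `aa_enabled = 1` only after apparmor_enabled() succeeds is right, but nothing in this hunk guarantees that lsm_apparmor_drv_init() has run before the first apparmor_process_label_set(); if it has not, the label is dropped and 0 is returned. If the lsm layer enforces that ordering, state it in the aa_enabled comment; if not, treat a non-NULL label with aa_enabled == 0 as an error (ERROR() and return -1) rather than a no-op.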
[lxc-devel] [lxc/lxc] 97c94a: Fix build failure on sparc
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: 97c94afb5758366f5a49536c97e1dcd34c9760d9
https://github.com/lxc/lxc/commit/97c94afb5758366f5a49536c97e1dcd34c9760d9
Author: Stéphane Graber
Date: 2013-10-23 (Wed, 23 Oct 2013)
Changed paths: M src/lxc/log.c
Log Message:
---
Fix build failure on sparc
Signed-off-by: Thomas Nemeth
Acked-by: Stéphane Graber
[lxc-devel] [PATCH] Use actual length of socket's name for abstract sockets (v2)
The addrlen parameter should be the actual length of socket's name for abstract sockets. Otherwise socket gets padded with NULLs. cat /proc/net/unix | grep lxc [...] : 0003 0001 03 226548 @lxc/ad055575fe28ddd5//var/lib/lxc^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ [...] with this patch; cat /proc/net/unix | grep lxc [...] : 0002 0001 0001 01 109563 @lxc/ad055575fe28ddd5//var/lib/lxc [...] Changes since v1: * checking the length of passed-in string Signed-off-by: S.Çağlar Onur --- src/lxc/af_unix.c | 46 ++ src/lxc/monitor.c | 11 ++- 2 files changed, 40 insertions(+), 17 deletions(-) diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c index 333f05e..4446203 100644 --- a/src/lxc/af_unix.c +++ b/src/lxc/af_unix.c @@ -20,6 +20,7 @@ * License along with this library; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ +#include #include #include #include @@ -55,21 +56,22 @@ int lxc_af_unix_open(const char *path, int type, int flags) return fd; addr.sun_family = AF_UNIX; - /* copy entire buffer in case of abstract socket */ - len = sizeof(addr.sun_path); + len = path[0] ? strlen(path) : offsetof(struct sockaddr_un, sun_path) + strlen(&path[1]) + 1; + if (len >= sizeof(addr.sun_path)) { + process_lock(); + close(fd); + process_unlock(); + errno = ENAMETOOLONG; + return -1; + } + if (path[0]) { - len = strlen(path); - if (len >= sizeof(addr.sun_path)) { - process_lock(); - close(fd); - process_unlock(); - errno = ENAMETOOLONG; - return -1; - } + memcpy(addr.sun_path, path, len); + } else { + memcpy((char *) &addr.sun_path + 1, &path[1], len); } - memcpy(addr.sun_path, path, len); - if (bind(fd, (struct sockaddr *)&addr, sizeof(addr))) { + if (bind(fd, (struct sockaddr *)&addr, len)) { int tmp = errno; process_lock(); close(fd); 
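Review bot: two defects in the lxc_af_unix_open() hunk. For a filesystem path, `len = strlen(path)` is then handed to bind() as addrlen, but addrlen counts from the start of the struct, so the kernel sees a path shortened by offsetof(struct sockaddr_un, sun_path) bytes (and fails with EINVAL for paths of two characters or fewer); the value must be `offsetof(struct sockaddr_un, sun_path) + strlen(path) + 1`. For the abstract case, `memcpy((char *) &addr.sun_path + 1, &path[1], len)` copies len bytes, which is offsetof() + 1 more than the name, reading past the caller's terminating NUL; copy `strlen(&path[1])` bytes. Compute the name length once, bound it against sizeof(addr.sun_path) (path case: namelen + 1 must fit; abstract case: the leading NUL plus namelen must fit), and derive both the memcpy size and addrlen from it.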
@@ -109,6 +111,7 @@ int lxc_af_unix_close(int fd) int lxc_af_unix_connect(const char *path) { int fd; + size_t len; struct sockaddr_un addr; process_lock(); @@ -120,11 +123,22 @@ int lxc_af_unix_connect(const char *path) memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; - /* copy entire buffer in case of abstract socket */ - memcpy(addr.sun_path, path, - path[0]?strlen(path):sizeof(addr.sun_path)); + len = path[0] ? strlen(path) : offsetof(struct sockaddr_un, sun_path) + strlen(&path[1]) + 1; + if (len >= sizeof(addr.sun_path)) { + process_lock(); + close(fd); + process_unlock(); + errno = ENAMETOOLONG; + return -1; + } + + if (path[0]) { + memcpy(addr.sun_path, path, len); + } else { + memcpy((char *) &addr.sun_path + 1, &path[1], len); + } - if (connect(fd, (struct sockaddr *)&addr, sizeof(addr))) { + if (connect(fd, (struct sockaddr *)&addr, len)) { int tmp = errno; process_lock(); close(fd); diff --git a/src/lxc/monitor.c b/src/lxc/monitor.c index ab567c8..71f2074 100644 --- a/src/lxc/monitor.c +++ b/src/lxc/monitor.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include #include @@ -194,6 +195,7 @@ int lxc_monitor_open(const char *lxcpath) struct sockaddr_un addr; int fd,ret; int retry,backoff_ms[] = {10, 50, 100}; + size_t len; if (lxc_monitor_sock_name(lxcpath, &addr) < 0) return -1; @@ -206,8 +208,15 @@ int lxc_monitor_open(const char *lxcpath) return -1; } + len = offsetof(struct sockaddr_un, sun_path) + strlen(&addr.sun_path[1]) + 1; + if (len >= sizeof(addr.sun_path)) { + ret = -1; + errno = ENAMETOOLONG; + goto err1; + } + for (retry = 0; retry < sizeof(backoff_ms)/sizeof(backoff_ms[0]); retry++) { - ret = connect(fd, (struct sockaddr *)&addr, sizeof(addr)); + ret = connect(fd, (struct sockaddr *)&addr, len); if (ret == 0 || errno != ECONNREFUSED) break; ERROR("connect : backing off %d", backoff_ms[retry]); -- 1.8.3.2 -- October Webinars: Code for Perf
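Review bot: lxc_af_unix_connect() duplicates the open() hunk's address construction together with both of its mistakes (addrlen for a filesystem path must be offsetof(struct sockaddr_un, sun_path) + strlen(path) + 1, not strlen(path); the abstract memcpy must copy strlen(&path[1]) bytes, not len). Since the two bodies are now identical, factor them into one static helper that fills the sockaddr_un and returns addrlen, or -1 with errno = ENAMETOOLONG, and call it from both; that also removes one copy of the lock/close/unlock error block.

Review bot: in lxc_monitor_open() the `len >= sizeof(addr.sun_path)` check runs after lxc_monitor_sock_name() has already written the name into addr, so an over-long lxcpath has been truncated or has overflowed there before this test can see it; the bound belongs inside lxc_monitor_sock_name(), or the return value of whatever formats the name there should be checked. Also `ret = -1; errno = ENAMETOOLONG; goto err1;` sets errno before the cleanup at err1, which will clobber it if that path calls close(); the other error paths in this patch save errno in a temporary around close() and this one should do the same.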
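The address construction this patch is about, as an added C example that is not LXC code: one helper fills a struct sockaddr_un for either a filesystem path or a NUL-prefixed abstract name and returns the addrlen to hand to bind() or connect(), so the kernel takes the name as given and /proc/net/unix shows it without NUL padding. The function name lxc_unix_sockaddr and the abstract name "\0lxc-example" used in main() are this example's own choices, not LXC identifiers.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Added example, not LXC code. Fill *addr from path and return the addrlen
 * to pass to bind()/connect(), or -1 with errno = ENAMETOOLONG. A leading
 * '\0' in path selects an abstract socket whose name is path + 1, the same
 * convention the lxc_af_unix_open()/connect() code in this thread uses. */
int lxc_unix_sockaddr(const char *path, struct sockaddr_un *addr)
{
    const size_t base = offsetof(struct sockaddr_un, sun_path);
    size_t namelen;

    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;

    if (path[0] != '\0') {
        /* filesystem socket: the path plus its terminating NUL must fit */
        namelen = strlen(path);
        if (namelen + 1 > sizeof addr->sun_path) {
            errno = ENAMETOOLONG;
            return -1;
        }
        memcpy(addr->sun_path, path, namelen + 1);
        /* the kernel reads exactly addrlen bytes from the start of the
         * struct, so sun_family is counted in: base + path + NUL */
        return (int)(base + namelen + 1);
    }

    /* abstract socket: one NUL byte, then the name, no terminator */
    namelen = strlen(path + 1);
    if (1 + namelen > sizeof addr->sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(addr->sun_path + 1, path + 1, namelen);
    /* base + NUL + name: with this addrlen /proc/net/unix shows "@name"
     * with no trailing NULs; passing sizeof *addr instead would make the
     * zero padding part of the name */
    return (int)(base + 1 + namelen);
}

int main(void)
{
    struct sockaddr_un addr;
    int fd, len;

    /* "\0lxc-example" is a name made up for this example */
    len = lxc_unix_sockaddr("\0lxc-example", &addr);
    if (len < 0) {
        perror("lxc_unix_sockaddr");
        return 1;
    }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, (socklen_t)len) < 0) {
        perror("bind");
        return 1;
    }
    printf("bound @lxc-example with addrlen %d; see: grep lxc-example /proc/net/unix\n", len);
    close(fd);
    return 0;
}
```

While the program runs, the /proc/net/unix line for the socket ends in "@lxc-example" with nothing after it; the two bugs this thread discusses (passing strlen(path) alone for a filesystem path, and copying addrlen bytes instead of the name length for an abstract one) cannot happen because both values are derived from the one namelen.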
Re: [lxc-devel] [PATCH] clang: Remaining changes
Quoting Stéphane Graber (stgra...@ubuntu.com): > Those are a bit less obvious than those I pushed directly to master. > All those changes were required to build LXC under clang here. > > With this, gcc can be replaced by clang to build LXC so long as you're > not using the python3 binding (as python extensions can't be built under > clang at the moment). > > For reference, the clang output for those is: http://paste.ubuntu.com/6292460/ > > Signed-off-by: Stéphane Graber Acked-by: Serge E. Hallyn One comment, > --- > src/lxc/caps.c | 2 +- > src/lxc/commands.c | 4 ++-- > src/lxc/conf.c | 4 ++-- > 3 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/src/lxc/caps.c b/src/lxc/caps.c > index bcbb859..89b87af 100644 > --- a/src/lxc/caps.c > +++ b/src/lxc/caps.c > @@ -204,7 +204,7 @@ static int _real_caps_last_cap(void) > buf[n] = '\0'; > result = strtol(buf, &ptr, 10); > if (!ptr || (*ptr != '\0' && *ptr != '\n') || > - result == LONG_MIN || result == LONG_MAX) > + result == INT_MIN || result == INT_MAX) Hi Stéphane, probably the original code was my fault, but this is weird. The check doesn't actually guarantee anything, so per the NOTES section in strtoul(3) man page I think we should set errno to 0 before the strtol call, and check errno afterward. Then drop these MIN/MAX checks here, leaving the < 0 check below. Your patch wouldn't break anything so if you like we can just apply this and I'll push an update to do the above in the morning. > result = -1; > } > > diff --git a/src/lxc/commands.c b/src/lxc/commands.c > index 33821dd..3e44ef3 100644 > --- a/src/lxc/commands.c > +++ b/src/lxc/commands.c > @@ -109,7 +109,7 @@ static const char *lxc_cmd_str(lxc_cmd_t cmd) > [LXC_CMD_GET_CONFIG_ITEM] = "get_config_item", > }; > > - if (cmd < 0 || cmd >= LXC_CMD_MAX) > + if (cmd >= LXC_CMD_MAX) > return "Unknown cmd"; > return cmdname[cmd]; > } 
> @@ -735,7 +735,7 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req > *req, > [LXC_CMD_GET_CONFIG_ITEM] = lxc_cmd_get_config_item_callback, > }; > > - if (req->cmd < 0 || req->cmd >= LXC_CMD_MAX) { > + if (req->cmd >= LXC_CMD_MAX) { > ERROR("bad cmd %d received", req->cmd); > return -1; > } > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 208c08b..0724e3f 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -1948,7 +1948,7 @@ static int setup_caps(struct lxc_list *caps) > * we don't */ > capid = strtol(drop_entry, &ptr, 10); > if (!ptr || *ptr != '\0' || > - capid == LONG_MIN || capid == LONG_MAX) > + capid == INT_MIN || capid == INT_MAX) > /* not a valid number */ > capid = -1; > else if (capid > lxc_caps_last_cap()) 
> @@ -2013,7 +2013,7 @@ static int dropcaps_except(struct lxc_list *caps) > * we don't */ > capid = strtol(keep_entry, &ptr, 10); > if (!ptr || *ptr != '\0' || > - capid == LONG_MIN || capid == LONG_MAX) > + capid == INT_MIN || capid == INT_MAX) > /* not a valid number */ > capid = -1; > else if (capid > lxc_caps_last_cap()) > -- > 1.8.3.2
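The strtol() handling Serge describes above, as an added C example that is not LXC code: errno is cleared before the call and checked for ERANGE afterwards, the end pointer rejects empty and partially numeric input, and the range check is done on the long before it is narrowed to int. The function name parse_capid and the last-capability value 36 used in main() are this example's own assumptions; the caps.c code in this thread obtains that value from the kernel.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not LXC code: parse a capability number from a string the
 * way strtol(3)'s NOTES describe. Returns the value in [0, last_cap], or -1
 * on overflow, junk, empty input, or an out-of-range number. */
int parse_capid(const char *s, long last_cap)
{
    char *end;
    long v;

    if (!s)
        return -1;

    /* strtol() only sets errno on error and never clears it, so clear it
     * first; afterwards ERANGE is the one reliable overflow signal */
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE)
        return -1;            /* LONG_MIN/LONG_MAX came back: value unusable */
    if (end == s)
        return -1;            /* no digits at all: "", "abc" */
    if (*end != '\0')
        return -1;            /* trailing junk: "12abc", "12 " */

    /* range-check the long before anything narrows it to int: a value that
     * overflows int but not long would otherwise wrap silently */
    if (v < 0 || v > last_cap || v > INT_MAX)
        return -1;
    return (int)v;
}

int main(int argc, char **argv)
{
    /* 36 is an assumed last capability number for this demo only */
    int id = argc > 1 ? parse_capid(argv[1], 36) : -1;
    printf("%s -> %d\n", argc > 1 ? argv[1] : "(no input)", id);
    return id < 0;
}
```

Comparing the result against INT_MIN/INT_MAX, as the patch under review does, would accept "99999999999999999999999" on a 64-bit host (strtol returns LONG_MAX, which is neither INT_ value) and then truncate it on assignment; the errno check above rejects it before any narrowing.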
[lxc-devel] [PATCH] Eliminate duplicate entries from list_active_containers (v2)
list_active_containers parses /proc/net/unix which can contain multiple entries for the same container;

: 0002 0001 0001 01 273672 @/var/lib/lxc/6/command
: 0002 0001 0001 01 274395 @/var/lib/lxc/5/command
: 0002 0001 0001 01 273890 @/var/lib/lxc/4/command
: 0002 0001 0001 01 273141 @/var/lib/lxc/3/command
: 0002 0001 0001 01 273915 @/var/lib/lxc/2/command
: 0002 0001 0001 01 273683 @/var/lib/lxc/1/command
: 0002 0001 0001 01 273074 @/var/lib/lxc/0/command
: 0002 0001 0001 01 273931 @/var/lib/lxc/9/command
: 0002 0001 0001 01 273110 @/var/lib/lxc/8/command
: 0002 0001 0001 01 273390 @/var/lib/lxc/7/command
: 0003 0001 03 275903 @/var/lib/lxc/8/command
: 0003 0001 03 276043 @/var/lib/lxc/1/command
: 0003 0001 03 273301 @/var/lib/lxc/0/command
: 0003 0001 03 275650 @/var/lib/lxc/4/command

On this system list_active_containers returns 14 containers while only 10 containers are running.

Following patch;
* Introduces array_contains function to do a binary search on given array,
* Starts to sort arrays inside the add_to_clist and add_to_names functions,
* Consumes array_contains in list_active_containers to eliminate duplicates,
* Replaces the linear search code in lxcapi_get_interfaces with the new function.

Changes since v1:
* Do not load containers if a container list is not passed in
* Fix possible memory leaks in lxcapi_get_ips and lxcapi_get_interfaces if realloc fails

Signed-off-by: S.Çağlar Onur
--- src/lxc/lxccontainer.c | 207 ++--- 1 file changed, 126 insertions(+), 81 deletions(-) diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 6e6c38c..5b9a14a 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c
@@ -1242,12 +1242,81 @@ out: return false; } +// used by qsort and bsearch functions for comparing names +static inline int string_cmp(char **first, char **second) +{ + return strcmp(*first, *second); +} + +// used by qsort and bsearch functions for comparing container names +static inline int container_cmp(struct lxc_container **first, struct lxc_container **second) +{ + return strcmp((*first)->name, (*second)->name); +} + +static bool add_to_array(char ***names, char *cname, int pos) +{ + char **newnames = realloc(*names, (pos+1) * sizeof(char *)); + if (!newnames) { + ERROR("Out of memory"); + return false; + } + + *names = newnames; + newnames[pos] = strdup(cname); + if (!newnames[pos]) + return false; + + // sort the arrray as we will use binary search on it + qsort(newnames, pos + 1, sizeof(char *), (int (*)(const void *,const void *))string_cmp); + + return true; +} + +static bool add_to_clist(struct lxc_container ***list, struct lxc_container *c, int pos) +{ + struct lxc_container **newlist = realloc(*list, (pos+1) * sizeof(struct lxc_container *)); + if (!newlist) { + ERROR("Out of memory"); + return false; + } + + *list = newlist; + newlist[pos] = c; + + // sort the arrray as we will use binary search on it + qsort(newlist, pos + 1, sizeof(struct lxc_container *), (int (*)(const void *,const void *))container_cmp); + + return true; +} + +static char** get_from_array(char ***names, char *cname, int size) +{ + return (char **)bsearch(&cname, *names, size, sizeof(char *), (int (*)(const void *, const void *))string_cmp); +} + + +static bool array_contains(char ***names, char *cname, int size) { + if(get_from_array(names, cname, size) != NULL) + return true; + return false; +} + +static bool remove_from_array(char ***names, char *cname, int size) +{ + char **result = get_from_array(names, cname, size); + if (result != NULL) { + free(result); + return true; + } + return false; +} + static char** lxcapi_get_interfaces(struct lxc_container *c) { - int count = 0, 
i; - bool found = false; + int i, count = 0; struct ifaddrs *interfaceArray = NULL, *tempIfAddr = NULL; - char **interfaces = NULL, **temp; + char **interfaces = NULL; int old_netns = -1, new_netns = -1; if (!enter_to_ns(c, &old_netns, &new_netns)) @@ -1261,51 +1330,41 @@ static char** lxcapi_get_interfaces(struct lxc_container *c) /* Iterate through the interfaces */
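Review bot: string_cmp() and container_cmp() take `char **` / `struct lxc_container **` and are cast to `int (*)(const void *, const void *)` at every qsort()/bsearch() call; calling a function through a pointer of a different type is undefined behaviour in C, and the casts hide any future signature mismatch. Declare them `static int string_cmp(const void *a, const void *b)` and cast inside, which also drops the casts at the call sites.

Review bot: remove_from_array() is wrong: bsearch() returns the address of the matching slot inside the realloc()'d array, so `free(result)` frees an interior pointer of that block (heap corruption or an abort under glibc), the string itself is never freed, and the slot with its dangling pointer stays in the array. It needs `free(*result)`, a memmove() of the tail down by one, and a way to report the new size to the caller; nothing in this hunk shrinks the count.

Review bot: qsort() after every single insert in add_to_array() and add_to_clist() makes building the list O(n² log n), and because add_to_array() writes `newnames[pos] = strdup(cname)` before sorting, a failed strdup() leaves a NULL element that the very next qsort() hands to strcmp(). Insert at the bsearch()-determined position with memmove() (the array is already sorted), or append and sort once after the loop; and check the strdup() result before touching the array.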
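The de-duplication this patch is after, as an added C example that is not LXC code: a parser for the /proc/net/unix command-socket entries and a sorted array that stays unique by inserting at the binary-search position with memmove() and that, on removal, frees the string rather than the slot. The function names, the lxcpath /var/lib/lxc and the sample lines (which follow the real /proc/net/unix column layout but are constructed) are this example's own.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not LXC code: container names from /proc/net/unix command
 * sockets kept in a sorted array with no duplicates. Insert/remove work in
 * place with memmove(); removal frees the string, never the array slot. */

static char *dup_string(const char *s)          /* strdup() without feature macros */
{
    size_t len = strlen(s) + 1;
    char *copy = malloc(len);
    return copy ? memcpy(copy, s, len) : NULL;
}

/* Binary search: first index whose entry is >= name; *found set if equal. */
static int lower_bound(char **names, int n, const char *name, int *found)
{
    int lo = 0, hi = n;
    while (lo < hi) {
        int mid = lo + (hi - lo) / 2;
        if (strcmp(names[mid], name) < 0) lo = mid + 1; else hi = mid;
    }
    *found = (lo < n && strcmp(names[lo], name) == 0);
    return lo;
}

/* Insert a copy of name at its sorted position unless present. Returns the
 * new count, or -1 on allocation failure with the array left unchanged. */
int add_unique(char ***names, int n, const char *name)
{
    int found, pos = lower_bound(*names, n, name, &found);
    if (found) return n;
    char *copy = dup_string(name);
    if (!copy) return -1;
    char **grown = realloc(*names, (size_t)(n + 1) * sizeof *grown);
    if (!grown) { free(copy); return -1; }
    memmove(grown + pos + 1, grown + pos, (size_t)(n - pos) * sizeof *grown);
    grown[pos] = copy;
    *names = grown;
    return n + 1;
}

/* Remove name if present: free the string and close the gap. Returns new count. */
int remove_name(char **names, int n, const char *name)
{
    int found, pos = lower_bound(names, n, name, &found);
    if (!found) return n;
    free(names[pos]);
    memmove(names + pos, names + pos + 1, (size_t)(n - pos - 1) * sizeof *names);
    return n - 1;
}

/* If the line's last column is @<lxcpath>/<name>/command, copy <name> to out. */
int parse_command_sock(const char *line, const char *lxcpath, char *out, size_t outlen)
{
    const char *path = strrchr(line, ' '), *name, *end;
    size_t plen = strlen(lxcpath), nlen;

    if (!path || *++path != '@') return 0;                  /* not an abstract socket */
    if (strncmp(path + 1, lxcpath, plen) != 0 || path[1 + plen] != '/') return 0;
    name = path + 2 + plen;
    end = strchr(name, '/');
    if (!end || strncmp(end, "/command", 8) != 0 || (end[8] != '\0' && end[8] != '\n'))
        return 0;                                           /* e.g. a .../monitor socket */
    nlen = (size_t)(end - name);
    if (nlen == 0 || nlen >= outlen) return 0;
    memcpy(out, name, nlen);
    out[nlen] = '\0';
    return 1;
}

/* Unique container names under lxcpath; returns the count, or -1 on OOM. */
int list_active(const char **lines, int nlines, const char *lxcpath, char ***out)
{
    char **names = NULL;
    char buf[256];
    int n = 0, r;
    for (int i = 0; i < nlines; i++) {
        if (!parse_command_sock(lines[i], lxcpath, buf, sizeof buf)) continue;
        if ((r = add_unique(&names, n, buf)) < 0) {
            while (n-- > 0) free(names[n]);
            free(names);
            return -1;
        }
        n = r;
    }
    *out = names;
    return n;
}

/* Constructed sample in the real /proc/net/unix column layout: containers 6
 * and 0 each appear twice (listening socket plus an accepted connection). */
const char *sample[] = {
    "0000000000000000: 00000002 00000000 00010000 0001 01 273672 @/var/lib/lxc/6/command",
    "0000000000000000: 00000002 00000000 00010000 0001 01 273074 @/var/lib/lxc/0/command",
    "0000000000000000: 00000003 00000000 00000000 0001 03 275903 @/var/lib/lxc/6/command",
    "0000000000000000: 00000003 00000000 00000000 0001 03 273301 @/var/lib/lxc/0/command",
    "0000000000000000: 00000002 00000000 00010000 0001 01 109563 @lxc/ad055575fe28ddd5//var/lib/lxc",
    "0000000000000000: 00000002 00000000 00010000 0001 01 123456 /run/dbus/system_bus_socket",
};
const int nsample = sizeof sample / sizeof sample[0];
```

list_active(sample, nsample, "/var/lib/lxc", &names) yields two names, "0" and "6", from the six lines: the duplicates collapse at insertion time, so no separate contains-check pass is needed, and there is no qsort() per element.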
Re: [lxc-devel] [PATCH] clang: Remaining changes
On Wed, Oct 23, 2013 at 11:04:58PM -0500, Serge Hallyn wrote: > Quoting Stéphane Graber (stgra...@ubuntu.com): > > Those are a bit less obvious than those I pushed directly to master. > > All those changes were required to build LXC under clang here. > > > > With this, gcc can be replaced by clang to build LXC so long as you're > > not using the python3 binding (as python extensions can't be built under > > clang at the moment). > > > > For reference, the clang output for those is: > > http://paste.ubuntu.com/6292460/ > > > > Signed-off-by: Stéphane Graber > > Acked-by: Serge E. Hallyn > > One comment, > > > --- > > src/lxc/caps.c | 2 +- > > src/lxc/commands.c | 4 ++-- > > src/lxc/conf.c | 4 ++-- > > 3 files changed, 5 insertions(+), 5 deletions(-) > > > > diff --git a/src/lxc/caps.c b/src/lxc/caps.c > > index bcbb859..89b87af 100644 > > --- a/src/lxc/caps.c > > +++ b/src/lxc/caps.c > > @@ -204,7 +204,7 @@ static int _real_caps_last_cap(void) > > buf[n] = '\0'; > > result = strtol(buf, &ptr, 10); > > if (!ptr || (*ptr != '\0' && *ptr != '\n') || > > - result == LONG_MIN || result == LONG_MAX) > > + result == INT_MIN || result == INT_MAX) > > Hi Stéphane, > > probably the original code was my fault, but this is weird. The > check doesn't actually guarantee anything, so per the NOTES section > in strtoul(3) man page I think we should set errno to 0 before the > strtol call, and check errno afterward. Then drop these MIN/MAX > checks here, leaving the < 0 check below. > > Your patch wouldn't break anything so if you like we can just apply > this and I'll push an update to do the above in the morning. Sounds good. I pushed my patch for now. > > > result = -1; > > } > > > > diff --git a/src/lxc/commands.c b/src/lxc/commands.c > > index 33821dd..3e44ef3 100644 > > --- a/src/lxc/commands.c > > +++ b/src/lxc/commands.c 
> > @@ -109,7 +109,7 @@ static const char *lxc_cmd_str(lxc_cmd_t cmd) > > [LXC_CMD_GET_CONFIG_ITEM] = "get_config_item", > > }; > > > > - if (cmd < 0 || cmd >= LXC_CMD_MAX) > > + if (cmd >= LXC_CMD_MAX) > > return "Unknown cmd"; > > return cmdname[cmd]; > > } > > @@ -735,7 +735,7 @@ static int lxc_cmd_process(int fd, struct lxc_cmd_req > > *req, > > [LXC_CMD_GET_CONFIG_ITEM] = lxc_cmd_get_config_item_callback, > > }; > > > > - if (req->cmd < 0 || req->cmd >= LXC_CMD_MAX) { > > + if (req->cmd >= LXC_CMD_MAX) { > > ERROR("bad cmd %d received", req->cmd); > > return -1; > > } > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > > index 208c08b..0724e3f 100644 > > --- a/src/lxc/conf.c > > +++ b/src/lxc/conf.c > > @@ -1948,7 +1948,7 @@ static int setup_caps(struct lxc_list *caps) > > * we don't */ > > capid = strtol(drop_entry, &ptr, 10); > > if (!ptr || *ptr != '\0' || > > - capid == LONG_MIN || capid == LONG_MAX) > > + capid == INT_MIN || capid == INT_MAX) > > /* not a valid number */ > > capid = -1; > > else if (capid > lxc_caps_last_cap()) 
> > @@ -2013,7 +2013,7 @@ static int dropcaps_except(struct lxc_list *caps) > > * we don't */ > > capid = strtol(keep_entry, &ptr, 10); > > if (!ptr || *ptr != '\0' || > > - capid == LONG_MIN || capid == LONG_MAX) > > + capid == INT_MIN || capid == INT_MAX) > > /* not a valid number */ > > capid = -1; > > else if (capid > lxc_caps_last_cap()) > > -- > > 1.8.3.2 -- Stéphane Graber Ubuntu developer http://www.ubuntu.com
[lxc-devel] [lxc/lxc] f371ac: clang: Remaining changes
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: f371aca939bd8fab254de6f0a63d141f7550cf57
https://github.com/lxc/lxc/commit/f371aca939bd8fab254de6f0a63d141f7550cf57
Author: Stéphane Graber
Date: 2013-10-23 (Wed, 23 Oct 2013)
Changed paths: M src/lxc/caps.c M src/lxc/commands.c M src/lxc/conf.c
Log Message:
---
clang: Remaining changes
Those are a bit less obvious than those I pushed directly to master. All those changes were required to build LXC under clang here. With this, gcc can be replaced by clang to build LXC so long as you're not using the python3 binding (as python extensions can't be built under clang at the moment). For reference, the clang output for those is: http://paste.ubuntu.com/6292460/
Signed-off-by: Stéphane Graber
Acked-by: Serge E. Hallyn