Re: [lxc-devel] Detecting if you are running in a container
On Tue, 11 Oct 2011, Eric W. Biederman wrote:

> da...@lang.hm writes:
>
>> On Tue, 11 Oct 2011, Eric W. Biederman wrote:
>>
>>> Theodore Tso writes:
>>>
>>>> On Oct 11, 2011, at 2:42 AM, Eric W. Biederman wrote:
>>>>
>>> I admit for a lot of test cases that it makes sense not to use a full
>>> set of userspace daemons. At the same time there is not particularly
>>> good reason to have a design that doesn't allow you to run a full
>>> userspace.
>>
>> how do you share the display between all the different containers if they are
>> trying to run the X server?
>
> Either X does not start because the hardware it needs is not present or
> Xnest or similar gets started.
>
>> how do you avoid all the containers binding to the same port on the default
>> IP
>> address?
>
> Network namespaces.
>
>> how do you arbitrate dbus across the containers.
>
> Why should you?

because the containers are simulating different machines, and dbus doesn't work across different machines.

>> when a new USB device gets plugged in, which container gets control of
>> it?
>
> None of them. Although today they may all get the uevent. None of the
> containers should have permission to call mknod to mess with it.

why would the software inside a container not have the rights to do a mknod inside the container?

>> there are a LOT of hard questions when you start talking about running a full
>> system inside a container that do not apply for other use of
>> containers.
>
> Not really mostly the answer is that you say no.
>
> Eric

David Lang

___
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
Re: [lxc-devel] Detecting if you are running in a container
On Mon, 10 Oct 2011, Matt Helsley wrote:

> On Mon, Oct 10, 2011 at 09:32:01PM -0400, Ted Ts'o wrote:
>> On Mon, Oct 10, 2011 at 01:59:10PM -0700, Eric W. Biederman wrote:
>>> Lennart Poettering writes:
>>>
>>>> To make a standard distribution run nicely in a Linux container you
>>>> usually have to make quite a number of modifications to it and disable
>>>> certain things from the boot process. Ideally however, one could simply
>>>> boot the same image on a real machine and in a container and would just
>>>> do the right thing, fully stateless. And for that you need to be able to
>>>> detect containers, and currently you can't.
>>>
>>> I agree getting to the point where we can run a standard distribution
>>> unmodified in a container sounds like a reasonable goal.
>>
>> Hmm, interesting. It's not clear to me that running a full standard
>> distribution in a container is always going to be what everyone wants
>> to do.
>>
>> The whole point of containers versus VM's is that containers are
>> lighter weight. And one of the ways that containers can be lighter
>> weight is if you don't have to have N copies of udev, dbus, running in
>> each container/VM.
>>
>> If you end up with so much overhead to provide the desired security and/or
>> performance isolation, then it becomes fair to ask the question
>> whether you might as well pay a tad bit more and get even better
>> security and isolation by using a VM solution
>>
>> - Ted
>
> Yes, it does detract from the unique advantages of using a container.
> However, I think the value here is not the efficiency of the initial
> system configuration but the fact that it gives users a better place to
> start.
>
> Right now we're effectively asking users to start with non-working
> and/or unfamiliar systems and repair them until they work.
>
> By enabling unmodified distro installs in a container we're starting
> at the other end. The choices may not be the most efficient but the
> user may begin tuning from a working configuration. They can learn
> about and tune those parts that prove significant for their workload.
> This is better because in the end it's not just about how efficient the
> user can make their containers but how much effort they will spend
> achieving and maintaining that efficiency over time.

what's needed isn't a way to run all the daemons, processes and startup scripts that a distro uses in a container without conflicting with the parent, but instead an easy way to create the appropriate config changes in the parent, bind mounts, cgroups, etc for the container and start up the apps that are wanted in the container.

This needs to be something with a lot of knowledge and hooks in the parent, so it's not just a matter of adding a way to detect "am I in a container" or not.

when I run things in containers, I want to bind mount some things from the parent, I want to configure syslog to listen on /dev/log inside the container, and then I want to start up just the processes I am planning to use inside the container, not all the daemons and other processes that I need to run the service the container is built for.

David Lang
Re: [lxc-devel] Detecting if you are running in a container
On Tue, 11 Oct 2011, Eric W. Biederman wrote:

> Theodore Tso writes:
>
>> On Oct 11, 2011, at 2:42 AM, Eric W. Biederman wrote:
>>
>>> I am totally in favor of not starting the entire world. But just
>>> like I find it convenient to loopback mount an iso image to see
>>> what is on a disk image. It would be handy to be able to just
>>> download a distro image and play with it, without doing anything
>>> special.
>>
>> Agreed, but what's wrong with firing up KVM to play with a distro
>> image? Personally, I don't consider that "doing something special".
>
> Then let me flip this around and give a much more practical use case.
> Testing. A very interesting number of cases involve how multiple
> machines interact. You can test a lot more logical machines interacting
> with containers than you can with vms. And you can test on all the
> architectures and platforms linux supports not just the handful that are
> well supported by hardware virtualization.

but in containers, you are not really testing lots of machines, you are testing lots of processes on the same machine (they share the same kernel)

> I admit for a lot of test cases that it makes sense not to use a full
> set of userspace daemons. At the same time there is not particularly
> good reason to have a design that doesn't allow you to run a full
> userspace.

how do you share the display between all the different containers if they are trying to run the X server?

how do you avoid all the containers binding to the same port on the default IP address?

how do you arbitrate dbus across the containers.

when a new USB device gets plugged in, which container gets control of it?

there are a LOT of hard questions when you start talking about running a full system inside a container that do not apply for other use of containers.

David Lang
[lxc-devel] [PATCH] Only bring up network interface if IFF_UP is set
Each network interface was brought up regardless of the configuration, as the wrong boolean operator was being used to test the IFF_UP flag. Signed-off-by: David Ward --- src/lxc/conf.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 2f66e76..a0c5fee 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1217,7 +1217,7 @@ static int setup_netdev(struct lxc_netdev *netdev) /* empty network namespace */ if (!netdev->ifindex) { - if (netdev->flags | IFF_UP) { + if (netdev->flags & IFF_UP) { err = lxc_device_up("lo"); if (err) { ERROR("failed to set the loopback up : %s", @@ -1281,7 +1281,7 @@ static int setup_netdev(struct lxc_netdev *netdev) } /* set the network device up */ - if (netdev->flags | IFF_UP) { + if (netdev->flags & IFF_UP) { int err; err = lxc_device_up(current_ifname); -- 1.7.1 -- Protect Your Site and Customers from Malware Attacks Learn about various malware tactics and how to avoid them. Understand malware threats, the impact they can have on your business, and how you can protect your company and customers by using code signing. http://p.sf.net/sfu/oracle-sfdevnl ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
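Review bot: the change from `|` to `&` in the `if (!netdev->ifindex)` branch is the right fix: `netdev->flags | IFF_UP` is non-zero for every value of `flags`, so the loopback was brought up unconditionally, whereas `&` actually tests the bit. The second hunk applies the same fix for `current_ifname`. Because this makes a configuration without the `up` flag really leave the interface down, a sentence in the commit message noting that user-visible change for existing configurations would help people who relied on the old behaviour by accident.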
Re: [lxc-devel] [PATCH] fix broadcast computation
Daniel, On 02/06/2010 03:29 PM, Daniel Lezcano wrote: >diff --git a/src/lxc/confile.c b/src/lxc/confile.c >index 4d81ac6..7c72752 100644 >--- a/src/lxc/confile.c >+++ b/src/lxc/confile.c >@@ -423,9 +423,8 @@ static int config_network_ipv4(const char *key, char >*value, > * prefix and address > */ > if (!bcast) { >- inetdev->bcast.s_addr = >- htonl(INADDR_BROADCAST<< (32 - inetdev->prefix)); >- inetdev->bcast.s_addr&= inetdev->addr.s_addr; >+ int mask = htonl(INADDR_BROADCAST<< (32 - inetdev->prefix)); >+ inetdev->bcast.s_addr = (inetdev->addr.s_addr& mask) | ~mask; > } > > lxc_list_add(&netdev->ipv4, list); The following would be a lot simpler: inetdev->bcast.s_addr = inetdev->addr.s_addr; inetdev->bcast.s_addr |= htonl(INADDR_BROADCAST>> inetdev->prefix); David -- The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE: Pinpoint memory and threading errors before they happen. Find and fix more than 250 security defects in the development cycle. Locate bottlenecks in serial and parallel code that limit performance. http://p.sf.net/sfu/intel-dev2devfeb ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
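Review bot: in the quoted hunk, `int mask` holds the result of `htonl()` and is combined with `inetdev->addr.s_addr`, which is `in_addr_t` (unsigned 32-bit); declaring it `in_addr_t` or `uint32_t` avoids the signed/unsigned mix in `~mask` and `addr.s_addr & mask`. Separately, `INADDR_BROADCAST << (32 - inetdev->prefix)` shifts a 32-bit value by 32 when the prefix is 0, and the suggested `INADDR_BROADCAST >> inetdev->prefix` does the same when the prefix is 32; both are undefined behaviour in C, so the prefix parser should reject or special-case those two values before this computation runs.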
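As an added example (not code from lxc or from this thread), here is the broadcast computation both the patch and the reply are doing, written so that the two ends of the prefix range (0 and 32) are handled explicitly instead of relying on a shift by 32. The helper names are my own.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-order mask of the host bits for a prefix length in 0..32.
 * Shifting a 32-bit value by 32 is undefined in C, so both ends of the
 * range are special-cased rather than computed with
 * INADDR_BROADCAST << (32 - prefix) or INADDR_BROADCAST >> prefix. */
static uint32_t host_bits_mask(unsigned prefix)
{
    if (prefix == 0)
        return 0xffffffffu;   /* /0: every bit is a host bit */
    if (prefix >= 32)
        return 0;             /* /32: no host bits, broadcast == address */
    return 0xffffffffu >> prefix;
}

/* Directed broadcast address (network byte order) for an IPv4 address
 * given in network byte order and a prefix length. */
in_addr_t ipv4_broadcast(in_addr_t addr_nbo, unsigned prefix)
{
    return addr_nbo | htonl(host_bits_mask(prefix));
}

/* Convenience wrapper on dotted-quad strings; returns 1 on success,
 * 0 if the address does not parse or the output buffer is too small. */
int broadcast_str(const char *addr, unsigned prefix, char *out, size_t outlen)
{
    struct in_addr in, bc;

    if (inet_pton(AF_INET, addr, &in) != 1)
        return 0;
    bc.s_addr = ipv4_broadcast(in.s_addr, prefix);
    return inet_ntop(AF_INET, &bc, out, outlen) != NULL;
}

int main(void)
{
    /* Constructed sample inputs covering a normal prefix, an odd split
     * inside the last octet, and the /32 edge case. */
    const char *samples[] = { "10.0.3.15", "192.168.1.77", "172.16.0.1" };
    unsigned prefixes[] = { 24, 25, 32 };
    char buf[INET_ADDRSTRLEN];

    for (int i = 0; i < 3; i++)
        if (broadcast_str(samples[i], prefixes[i], buf, sizeof buf))
            printf("%s/%u -> broadcast %s\n", samples[i], prefixes[i], buf);
    return 0;
}
```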
[lxc-devel] [PATCH] Watch utmp if /var/run is not shared
lxc watches /var/run/utmp in the container to monitor its runlevel, so that it can stop or "reboot" the container when appropriate. This should not happen though if the container shares /var/run/utmp with the system (which should only be the case if the container does not run init). Currently this is avoided by requiring that the container has a separate filesystem root (i.e. "lxc.rootfs" is configured) in order to watch utmp. However it is also sufficient to share the filesystem root, but to re-mount /var/run so that there is a separate utmp file. (In the case of Upstart, /etc/init can be re-mounted as well to allow the container to have its own set of init scripts. The remainder of the filesystem can still be shared.) With this change, lxc checks the device ID and inode number of /var/run to see if the container has re-mounted it as a pre-condition of watching utmp. This replaces the check for "lxc.rootfs" in the configuration. Signed-off-by: David Ward --- src/lxc/utmp.c | 21 - 1 files changed, 16 insertions(+), 5 deletions(-) diff --git a/src/lxc/utmp.c b/src/lxc/utmp.c index 691c3ef..3356396 100644 --- a/src/lxc/utmp.c +++ b/src/lxc/utmp.c @@ -30,6 +30,7 @@ #include #include #include +#include #include "conf.h" #include "cgroup.h" @@ -221,10 +222,7 @@ int lxc_utmp_mainloop_add(struct lxc_epoll_descr *descr, char path[MAXPATHLEN]; int fd, wd; struct lxc_utmp *utmp_data; - struct lxc_conf *conf = handler->conf; - - if (!conf->rootfs.path) - return 0; + struct stat container_utmp_stat, system_utmp_stat; /* We set up a watch for the /var/run directory. We're only interested * in utmp at the moment, but want to watch for delete and create 
@@ -236,11 +234,24 @@ int lxc_utmp_mainloop_add(struct lxc_epoll_descr *descr, return -1; } - if (access(path, F_OK)) { + if (stat(path, &container_utmp_stat)) { WARN("'%s' not found", path); return 0; } + if (stat("/var/run", &system_utmp_stat)) { + WARN("'/var/run' not found"); + return 0; + } + + /* Do not watch the /var/run directory if the container shares it with +* the system. +*/ + if ((container_utmp_stat.st_dev == system_utmp_stat.st_dev) + && (container_utmp_stat.st_ino == system_utmp_stat.st_ino)) { + return 0; + } + utmp_data = (struct lxc_utmp *)malloc(sizeof(struct lxc_utmp)); if (NULL == utmp_data) { -- 1.7.4 -- Free Software Download: Index, Search & Analyze Logs and other IT data in Real-Time with Splunk. Collect, index and harness all the fast moving IT data generated by your applications, servers and devices whether physical, virtual or in the cloud. Deliver compliance at lower cost and gain new business insights. http://p.sf.net/sfu/splunk-dev2dev ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
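Review bot: in the second hunk the two `struct stat` variables are named `container_utmp_stat` and `system_utmp_stat`, but what the third hunk actually `stat()`s is `path` (the container's `/var/run` directory, per the comment above it) and the literal `"/var/run"`, not the utmp files; naming them after the directory being compared (v2 of this patch uses `container_stat`/`system_stat`) makes the `st_dev`/`st_ino` comparison read correctly.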
[lxc-devel] [PATCHv2] Watch utmp if /var/run is not shared
In order to stop or restart a container that runs "init" as its top-level process, lxc must watch for changes to the "utmp" file (which stores init's current and previous runlevel) located in /var/run in the container. Because lxc should only react to the container runlevel (if one exists) and not the system runlevel, lxc must first check that utmp is not shared between the container and the system. Presently, lxc will only watch utmp if the "lxc.rootfs" parameter is set in the container configuration. However, lxc should also watch utmp if the filesystem root is shared but "/var/run" has been re-mounted from another location. (In this scenario, Upstart could be used to control the container if "/etc/init" has also been re-mounted to a directory that holds Upstart scripts specifically written for the container.) With this change, lxc checks to see if "/var/run" is shared between the container and the system by comparing the device and inode numbers. If not, lxc will watch utmp. This replaces the check for "lxc.rootfs". Signed-off-by: David Ward --- src/lxc/utmp.c | 21 - 1 files changed, 16 insertions(+), 5 deletions(-) diff --git a/src/lxc/utmp.c b/src/lxc/utmp.c index 691c3ef..48998ca 100644 --- a/src/lxc/utmp.c +++ b/src/lxc/utmp.c @@ -30,6 +30,7 @@ #include #include #include +#include #include "conf.h" #include "cgroup.h" @@ -221,10 +222,7 @@ int lxc_utmp_mainloop_add(struct lxc_epoll_descr *descr, char path[MAXPATHLEN]; int fd, wd; struct lxc_utmp *utmp_data; - struct lxc_conf *conf = handler->conf; - - if (!conf->rootfs.path) - return 0; + struct stat container_stat, system_stat; /* We set up a watch for the /var/run directory. We're only interested * in utmp at the moment, but want to watch for delete and create 
@@ -236,11 +234,24 @@ int lxc_utmp_mainloop_add(struct lxc_epoll_descr *descr, return -1; } - if (access(path, F_OK)) { + if (stat(path, &container_stat)) { WARN("'%s' not found", path); return 0; } + if (stat("/var/run", &system_stat)) { + WARN("'/var/run' not found"); + return 0; + } + + /* Do not watch the /var/run directory if the container shares it with +* the system. +*/ + if ((container_stat.st_dev == system_stat.st_dev) + && (container_stat.st_ino == system_stat.st_ino)) { + return 0; + } + utmp_data = (struct lxc_utmp *)malloc(sizeof(struct lxc_utmp)); if (NULL == utmp_data) { -- 1.7.4 -- Free Software Download: Index, Search & Analyze Logs and other IT data in Real-Time with Splunk. Collect, index and harness all the fast moving IT data generated by your applications, servers and devices whether physical, virtual or in the cloud. Deliver compliance at lower cost and gain new business insights. http://p.sf.net/sfu/splunk-dev2dev ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
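Review bot: the two new `stat()` failures in the third hunk are both reported as `'%s' not found` / `'/var/run' not found`, but `stat()` also fails with EACCES, ELOOP or ENAMETOOLONG; logging through `SYSERROR()` (or appending `strerror(errno)`) keeps the message truthful. It is also worth saying in the new comment that `stat()` follows symlinks, so a `/var/run -> /run` symlink on either side is resolved before the device/inode comparison, which is the behaviour wanted here: the check answers "is this the same directory object", not "is this the same path".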
Re: [lxc-devel] [Lxc-users] [PATCH] ignore non-lxc configuration line
On Sat, May 14, 2011 at 00:15, Serge Hallyn wrote:
>
> I'm curious, whatcha got in mind?

I don't think you have to have something in mind to implement this. Just that old motto "Be lenient in what you accept" :).

--
David Serrano
Re: [lxc-devel] [Lxc-users] [PATCH] ignore non-lxc configuration line
On Sat, Jun 4, 2011 at 23:16, Rob Landley wrote:
> On 06/02/2011 02:41 PM, Daniel Lezcano wrote:
>>
>> It will be for the lxc-0.7.5 version. No ETA for the moment.
>> I would like to have a new feature for lxc before releasing a new version,
>> the delta with 0.7.4 is mostly bug fixes.
>
> Just a random observation, but there would appear to be at least a
> couple on the list who consider this to _be_ a new feature.

Me among them, FWIW.

--
David Serrano
[lxc-devel] Linux Containers, 2 questions
Hi,

Your help would be greatly appreciated.

I have two application server nodes on Linux 2.6.18 that handle Live traffic. We have a budget for one new test server. I would like to mimic the Live environment with the idea of the "two" nodes. And so I came across an article on LXC!

I see that I need to make my own kernel and have found the same version above on http://www.kernel.org/. And I see various LXC builds on sourceforge, but I'm not sure which is the most suitable for 2.6.18.

1. Is it ok to take the latest LXC build? Is there any information linking compatibility between Linux versions and LXC versions?

The two Live nodes are under VERITAS VCS.

2. Do you know if VCS will work with Linux Containers?

Thanks in advance,
David.

uname -a
Linux xx.yy.ie 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

Meteor Mobile Communications Limited, trading as Meteor.
[lxc-devel] [PATCH 2/9] lxc-attach: use execvp instead of execve
execvp does not require specifying the full path to the executable (e.g., "ls" instead of "/bin/ls"), making the operation of 'lxc-attach' consistent with 'lxc-start' and 'lxc-execute'. Signed-off-by: David Ward --- src/lxc/lxc_attach.c |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c index 3571b09..4883327 100644 --- a/src/lxc/lxc_attach.c +++ b/src/lxc/lxc_attach.c @@ -89,7 +89,7 @@ Options :\n\ .checker = NULL, }; -int main(int argc, char *argv[], char *envp[]) +int main(int argc, char *argv[]) { int ret; pid_t pid, init_pid; @@ -212,7 +212,7 @@ int main(int argc, char *argv[], char *envp[]) lxc_sync_fini(handler); if (my_args.argc) { - execve(my_args.argv[0], my_args.argv, envp); + execvp(my_args.argv[0], my_args.argv); SYSERROR("failed to exec '%s'", my_args.argv[0]); return -1; } @@ -232,7 +232,7 @@ int main(int argc, char *argv[], char *envp[]) NULL, }; - execve(args[0], args, envp); + execvp(args[0], args); SYSERROR("failed to exec '%s'", args[0]); return -1; } -- 1.7.1 -- Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2 ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
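Review bot: dropping `envp` from `main()` in the first hunk is sound because `execvp()` passes `environ`, which is the same array `envp` pointed to at program start, but the commit message only mentions the PATH lookup; one sentence on why the signature changed would save the next reader a trip to the exec(3) man page.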
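Review bot: in the second hunk, `execvp()` resolves a bare name such as `ls` through the caller's `PATH` in whatever filesystem view is current at the call, and the exec sits after `lxc_sync_fini(handler)`; if the container's mount namespace has already been entered at that point, the binary that runs is the one the container's rootfs provides at that `PATH` entry, not the host's. That matches what lxc-start and lxc-execute do, as the message says, but it is a property worth stating explicitly in the commit message and the lxc-attach man page, since a user typing `lxc-attach -n foo -- ls` needs to know the command comes from inside the container.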
[lxc-devel] [PATCH 6/9] utmp: support non-rootfs configuration
Having a rootfs is not a necessary condition for monitoring utmp, since /var or /var/run can just be remounted inside the container instead. We should rely on the other two conditions already in place to decide whether to monitor the utmp file: - the container was started with 'lxc-start', which indicates that it has a real init process and is expected to write to a utmp file - support for CAP_SYS_BOOT was not found in the kernel, which would otherwise supersede utmp monitoring Signed-off-by: David Ward --- src/lxc/utmp.c |4 1 files changed, 0 insertions(+), 4 deletions(-) diff --git a/src/lxc/utmp.c b/src/lxc/utmp.c index b6469b0..a7b9b52 100644 --- a/src/lxc/utmp.c +++ b/src/lxc/utmp.c @@ -233,10 +233,6 @@ int lxc_utmp_mainloop_add(struct lxc_epoll_descr *descr, char path2[MAXPATHLEN]; int fd, wd; struct lxc_utmp *utmp_data; - struct lxc_conf *conf = handler->conf; - - if (!conf->rootfs.path) - return 0; /* We set up a watch for the /var/run directory. We're only interested * in utmp at the moment, but want to watch for delete and create -- 1.7.1 -- Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2 ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
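Review bot: removing the `rootfs.path` guard means `lxc_utmp_mainloop_add()` now installs the watch for a shared-root container that did not remount `/var/run`, and neither of the two remaining conditions named in the message (started by lxc-start, no CAP_SYS_BOOT support in the kernel) stops lxc from reacting to the host's own `/var/run/utmp` in that case. The device/inode comparison from the earlier "[PATCHv2] Watch utmp if /var/run is not shared" is exactly the check that would make this removal safe, so the two should land together or this message should explain why the shared case is no longer a concern.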
[lxc-devel] [PATCH 3/9] lxc-ls: only list active containers
Originally, lxc-ls listed all containers by printing the directory names in /var/lib/lxc. After commit 65cb447f9b8d1ac8dcf9df24a4f877180444f003, lxc-ls now finds and prints active containers by searching for open UNIX sockets named '/var/lib/lxc//command'. However, all containers are still printed using the old method as well, so now the active containers just get printed twice. Assuming that the intention of the above commit was to only list active containers, do not print the directory names in /var/lib/lxc any longer. Signed-off-by: David Ward --- src/lxc/lxc-ls.in |2 -- 1 files changed, 0 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc-ls.in b/src/lxc/lxc-ls.in index d200509..b923c56 100644 --- a/src/lxc/lxc-ls.in +++ b/src/lxc/lxc-ls.in @@ -23,8 +23,6 @@ function get_cgroup() mount_point=`echo "$mount_string" |cut -d' ' -f2`; } -ls "$@" $lxcpath - active=$(netstat -xl 2>/dev/null | grep $lxcpath | \ sed -e 's#.*'"$lxcpath/"'\(.*\)/command#\1#'); -- 1.7.1 -- Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2 ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
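Review bot: the removed `ls "$@" $lxcpath` was also the only visible consumer of the script's positional parameters, so any options a user passes to lxc-ls are now silently ignored; either reject unexpected arguments or document that lxc-ls takes none. The message hedges with "Assuming that the intention of the above commit was to only list active containers"; since the result is that stopped containers disappear from the listing, that behavioural change should be stated plainly in the commit message and the man page rather than left as an assumption.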
[lxc-devel] [PATCH 5/9] utmp: do not set conf->need_utmp_watch if CAP_SYS_BOOT is not found
If CAP_SYS_BOOT is not found in the kernel, the existing value for conf->need_utmp_watch should be left intact (which will be '1' for containers started with 'lxc-start', or '0' for containers started with 'lxc-execute'). Signed-off-by: David Ward --- src/lxc/start.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/src/lxc/start.c b/src/lxc/start.c index fc2a1b1..1ee7bdf 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -508,7 +508,6 @@ static int do_start(void *data) SYSERROR("failed to remove CAP_SYS_BOOT capability"); return -1; } - handler->conf->need_utmp_watch = 1; DEBUG("Dropped cap_sys_boot\n"); } else { DEBUG("Not dropping cap_sys_boot or watching utmp\n"); -- 1.7.1 -- Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2 ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
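Review bot: the title says the assignment is skipped when CAP_SYS_BOOT is not found, but the removed `handler->conf->need_utmp_watch = 1;` sits in the branch that has just dropped the capability successfully (immediately before `DEBUG("Dropped cap_sys_boot\n")`), and the `else` branch visible here only logs. The message would be clearer if it said directly that this branch no longer forces utmp watching on, so that `need_utmp_watch` is decided solely by the lxc-start (1) versus lxc-execute (0) default mentioned in the body.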
[lxc-devel] [PATCH 7/9] cgroup: rearrange code blocks
Avoid nesting and improve readability. Signed-off-by: David Ward --- src/lxc/cgroup.c | 66 - 1 files changed, 30 insertions(+), 36 deletions(-) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index cc3910a..c915b52 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c @@ -142,6 +142,7 @@ static int get_cgroup_mount(const char *subsystem, char *mnt) struct mntent *mntent; char initcgroup[MAXPATHLEN]; FILE *file = NULL; + int ret, err = -1; file = setmntent(MTAB, "r"); if (!file) { @@ -150,30 +151,27 @@ static int get_cgroup_mount(const char *subsystem, char *mnt) } while ((mntent = getmntent(file))) { - if (strcmp(mntent->mnt_type, "cgroup")) continue; - if (!subsystem || hasmntopt_multiple(mntent, subsystem)) { - int ret; - ret = snprintf(mnt, MAXPATHLEN, "%s%s/lxc", - mntent->mnt_dir, - get_init_cgroup(subsystem, NULL, - initcgroup)); - if (ret < 0 || ret >= MAXPATHLEN) - goto fail; - fclose(file); - DEBUG("using cgroup mounted at '%s'", mnt); - return 0; - } + if (subsystem && !hasmntopt_multiple(mntent, subsystem)) + continue; + + ret = snprintf(mnt, MAXPATHLEN, "%s%s/lxc", mntent->mnt_dir, + get_init_cgroup(subsystem, NULL, initcgroup)); + if (ret < 0 || ret >= MAXPATHLEN) + goto fail; + + DEBUG("using cgroup mounted at '%s'", mnt); + err = 0; + goto out; }; fail: DEBUG("Failed to find cgroup for %s\n", subsystem ? subsystem : "(NULL)"); - - fclose(file); - - return -1; +out: + endmntent(file); + return err; } int lxc_ns_is_mounted(void) 
@@ -398,18 +396,17 @@ int lxc_cgroup_create(const char *name, pid_t pid) } while ((mntent = getmntent(file))) { - DEBUG("checking '%s' (%s)", mntent->mnt_dir, mntent->mnt_type); - if (!strcmp(mntent->mnt_type, "cgroup")) { + if (strcmp(mntent->mnt_type, "cgroup")) + continue; - INFO("[%d] found cgroup mounted at '%s',opts='%s'", -++found, mntent->mnt_dir, mntent->mnt_opts); + INFO("[%d] found cgroup mounted at '%s',opts='%s'", +++found, mntent->mnt_dir, mntent->mnt_opts); - err = lxc_one_cgroup_create(name, mntent, pid); - if (err) - goto out; - } + err = lxc_one_cgroup_create(name, mntent, pid); + if (err) + goto out; }; if (!found) @@ -485,7 +482,7 @@ int lxc_cgroup_destroy(const char *name) { struct mntent *mntent; FILE *file = NULL; - int ret, err = -1; + int err = -1; file = setmntent(MTAB, "r"); if (!file) { @@ -494,18 +491,15 @@ int lxc_cgroup_destroy(const char *name) } while ((mntent = getmntent(file))) { - if (!strcmp(mntent->mnt_type, "cgroup")) { - ret = lxc_one_cgroup_destroy(mntent, name); - if (ret) { - fclose(file); - return ret; - } - err = 0; - } - } + if (strcmp(mntent->mnt_type, "cgroup")) + continue; - fclose(file); + err = lxc_one_cgroup_destroy(mntent, name); + if (err) + break; + } + endmntent(file); return err; } /* -- 1.7.1 -- Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2 ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
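Review bot: in the first hunk (`get_cgroup_mount()`), make sure the `strcmp(mntent->mnt_type, "cgroup")` guard at the top of the loop survives the rearrangement: the new `continue` only fires when `subsystem` is set and `hasmntopt_multiple()` fails, so with `subsystem == NULL` and no type check the very first entry in MTAB (typically not a cgroup mount at all) would be returned as the cgroup mount. Two small style points in the same hunk: the stray `};` after the `while` body can go, and `err` is only ever set to 0 on the success path, so initialising it to -1 and returning it is fine but deserves a comment at the `fail:` label.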
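Review bot: the last hunk (`lxc_cgroup_destroy()`) keeps the old semantics, since `err` stays -1 when no cgroup mount is found and carries the failing call's return value after `break`, but it and the first hunk also switch `fclose(file)` to `endmntent(file)`; that is the documented pair for `setmntent()` and worth one line in the commit message, which currently reads as a pure readability change ("Avoid nesting and improve readability").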
[lxc-devel] [PATCH 9/9] cgroup: only touch hierarchies that are bound to subsystems
Obtain a list of subsystems from /proc/cgroups, and ignore hierarchies that are not bound to any of them (especially the 'systemd' hierarchy: http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups ). Signed-off-by: David Ward --- src/lxc/cgroup.c | 50 -- 1 files changed, 48 insertions(+), 2 deletions(-) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index 06aa1a0..8ccbc50 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c @@ -53,6 +53,39 @@ enum { CGROUP_CLONE_CHILDREN, }; +/* Check if a mount is a cgroup hierarchy for any subsystem. + * Return the first subsystem found (or NULL if none). + */ +static char *mount_has_subsystem(const struct mntent *mntent) +{ + FILE *f; + char *c, *ret; + char line[MAXPATHLEN]; + + /* read the list of subsystems from the kernel */ + f = fopen("/proc/cgroups", "r"); + if (!f) + return 0; + + /* skip the first line, which contains column headings */ + if (!fgets(line, MAXPATHLEN, f)) + return 0; + + while (fgets(line, MAXPATHLEN, f)) { + c = strchr(line, '\t'); + if (!c) + continue; + *c = '\0'; + + ret = hasmntopt(mntent, line); + if (ret) + break; + } + + fclose(f); + return ret; +} + /* * get_init_cgroup: get the cgroup init is in. * dsg: preallocated buffer to put the output in @@ -124,8 +157,15 @@ static int get_cgroup_mount(const char *subsystem, char *mnt) while ((mntent = getmntent(file))) { if (strcmp(mntent->mnt_type, "cgroup")) continue; - if (subsystem && !hasmntopt(mntent, subsystem)) - continue; + + if (subsystem) { + if (!hasmntopt(mntent, subsystem)) + continue; + } + else { + if (!mount_has_subsystem(mntent)) + continue; + } ret = snprintf(mnt, MAXPATHLEN, "%s%s/lxc", mntent->mnt_dir, get_init_cgroup(subsystem, NULL, initcgroup)); @@ -252,6 +292,8 @@ int lxc_cgroup_attach(const char *name, pid_t pid) if (strcmp(mntent->mnt_type, "cgroup")) continue; + if (!mount_has_subsystem(mntent)) + continue; INFO("[%d] found cgroup mounted at '%s',opts='%s'", ++found, mntent->mnt_dir, mntent->mnt_opts); 
@@ -405,6 +447,8 @@ int lxc_cgroup_create(const char *name, pid_t pid) if (strcmp(mntent->mnt_type, "cgroup")) continue; + if (!mount_has_subsystem(mntent)) + continue; INFO("[%d] found cgroup mounted at '%s',opts='%s'", ++found, mntent->mnt_dir, mntent->mnt_opts); @@ -502,6 +546,8 @@ int lxc_cgroup_destroy(const char *name) while ((mntent = getmntent(file))) { if (strcmp(mntent->mnt_type, "cgroup")) continue; + if (!mount_has_subsystem(mntent)) + continue; err = lxc_one_cgroup_destroy(mntent, name); if (err) -- 1.7.1 -- Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2 ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
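Review bot: in the mount_has_subsystem() hunk, `ret` is only assigned inside the loop, so on a kernel whose /proc/cgroups carries no tab-separated subsystem line (the loop body never reaches hasmntopt) the function returns an indeterminate pointer and a named hierarchy such as systemd's can be mis-classified as bound; declare `char *c, *ret = NULL;`. The `return 0` after the header-skipping fgets() also leaks the FILE opened on /proc/cgroups (only the normal path reaches fclose), and a pointer-returning function should return NULL rather than 0. Smaller points: every caller's getmntent() loop now reopens and rescans /proc/cgroups once per mount entry, so reading the subsystem list once per loop would be cheaper, and the new if/else in get_cgroup_mount() collapses to a single `if (subsystem ? !hasmntopt(mntent, subsystem) : !mount_has_subsystem(mntent)) continue;`.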
[lxc-devel] [PATCH 4/9] lxc-ls: tighten regex search on open sockets
lxc-ls returns a list of active containers by searching for UNIX sockets named '/var/lib/lxc//command'. Make the regular expression tighter for this search, to avoid inadvertently picking up other sockets. Signed-off-by: David Ward --- src/lxc/lxc-ls.in |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/lxc/lxc-ls.in b/src/lxc/lxc-ls.in index b923c56..ea68971 100644 --- a/src/lxc/lxc-ls.in +++ b/src/lxc/lxc-ls.in @@ -23,8 +23,8 @@ function get_cgroup() mount_point=`echo "$mount_string" |cut -d' ' -f2`; } -active=$(netstat -xl 2>/dev/null | grep $lxcpath | \ - sed -e 's#.*'"$lxcpath/"'\(.*\)/command#\1#'); +active=$(netstat -xl 2>/dev/null | grep "$lxcpath"'/[^/]*/command' | \ + sed -e 's#.*'"$lxcpath"'/\([^/]*\)/command.*#\1#'); if test -n "$active"; then get_cgroup -- 1.7.1 -- Try before you buy = See our experts in action! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-dev2 ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
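Review bot: the new grep in the lxc-ls.in hunk is tighter on the right but still unanchored on the left, so `"$lxcpath"'/[^/]*/command'` also matches a socket whose path merely contains $lxcpath as a substring, and `[^/]*` accepts an empty container name. Anchoring on the field boundary and requiring a non-empty name (e.g. `grep -E "[[:space:]]$lxcpath/[^/]+/command$"`, with the same `[^/]\+` change in the sed) closes the remaining false positives; $lxcpath is also interpolated into the pattern unescaped, which is harmless for the default path but worth a comment.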
[lxc-devel] [PATCH 0/9] Assorted fixes against lxc 0.8.0-rc1
The following patches address a few issues I discovered while building or using lxc, including compatibility with systemd. They were tested on top of lxc 0.8.0-rc1 under Fedora 16. Please let me know if you have any questions or concerns.

David Ward (9):
  use syscall numbers from Linux kernel headers
  lxc-attach: use execvp instead of execve
  lxc-ls: only list active containers
  lxc-ls: tighten regex search on open sockets
  utmp: do not set conf->need_utmp_watch if CAP_SYS_BOOT is not found
  utmp: support non-rootfs configuration
  cgroup: rearrange code blocks
  lxc-attach: unify code for attaching a pid to a cgroup
  cgroup: only touch hierarchies that are bound to subsystems

 config/linux.m4      |  76 -
 configure.ac         |   8 +--
 src/lxc/Makefile.am  |  11 ---
 src/lxc/attach.c     | 113 +--
 src/lxc/attach.h     |   9 ---
 src/lxc/cgroup.c     | 183 +++--
 src/lxc/cgroup.h     |   2 +-
 src/lxc/lxc-ls.in    |   6 +-
 src/lxc/lxc_attach.c |  10 ++--
 src/lxc/start.c      |   1 -
 src/lxc/utmp.c       |   4 -
 11 files changed, 131 insertions(+), 292 deletions(-)
 delete mode 100644 config/linux.m4
[lxc-devel] [PATCH 1/9] use syscall numbers from Linux kernel headers
__NR_setns is defined in the Linux kernel headers in linux/unistd.h. The full Linux kernel sources are not necessary for compilation. Signed-off-by: David Ward --- config/linux.m4 | 76 --- configure.ac|8 ++--- src/lxc/Makefile.am | 11 --- src/lxc/attach.c|3 +- 4 files changed, 4 insertions(+), 94 deletions(-) delete mode 100644 config/linux.m4 diff --git a/config/linux.m4 b/config/linux.m4 deleted file mode 100644 index a4e9fa8..000 --- a/config/linux.m4 +++ /dev/null 
@@ -1,76 +0,0 @@ -AC_DEFUN([AC_LINUX], -[ - AC_LINUX_DIR() - AC_LINUX_SRCARCH() -]) - -AC_DEFUN([AS_TRY_LINUX_DIR], - [AC_MSG_CHECKING(for Linux in $1) - - if test -f "$1/Makefile" ; then - result=yes - $2 - else - result="not found" - $3 - fi - - AC_MSG_RESULT($result) -]) - -AC_DEFUN([AC_LINUX_DIR], -[ - AC_ARG_WITH([linuxdir], - [AC_HELP_STRING([--with-linuxdir=DIR], - [specify path to Linux source directory])], - [LINUX_DIR="${withval}"], - [LINUX_DIR=default]) - - dnl if specified, use the specified one - if test "${LINUX_DIR}" != "default" ; then - AS_TRY_LINUX_DIR([${LINUX_DIR}], , AC_MSG_ERROR([Linux dir not found]) ) - fi - - dnl if not specified, first try with previously set LINUX_KERNEL_RELEASE - if test "${LINUX_DIR}" = "default" ; then - dir="/lib/modules/$LINUX_KERNEL_RELEASE/build"; - AS_TRY_LINUX_DIR([${dir}], [LINUX_DIR=${dir}], ) - fi - - dnl next try using the kernel source dir - if test "${LINUX_DIR}" = "default" ; then - dir="/usr/src/linux-$LINUX_KERNEL_RELEASE"; - AS_TRY_LINUX_DIR([${dir}], [LINUX_DIR=${dir}], ) - fi - - dnl then try a common default of /usr/src/linux - if test "${LINUX_DIR}" = "default" ; then - dir="/usr/src/linux"; - AS_TRY_LINUX_DIR([${dir}], [LINUX_DIR=${dir}], ) - fi - - dnl if still nothing found, fail - if test "${LINUX_DIR}" = "default" ; then - AC_MSG_WARN([Linux source directory not found]) - fi - - AC_SUBST(LINUX_DIR) -]) - -AC_DEFUN([AC_LINUX_SRCARCH],[ - AC_MSG_CHECKING(for linux SRCARCH) - - case "${host}" in - i[[3456]]86-*) LINUX_SRCARCH=x86;; - x86_64-*) LINUX_SRCARCH=x86;; - powerpc*-*) LINUX_SRCARCH=powerpc;; - s390*-*) LINUX_SRCARCH=s390;; - arm*-*) LINUX_SRCARCH=arm;; - mips*-*) LINUX_SRCARCH=mips;; - sparc*-*) LINUX_SRCARCH=sparc;; - *) AC_MSG_ERROR([architecture ${host} not supported]);; - esac - - AC_MSG_RESULT(${LINUX_SRCARCH}) - AC_SUBST(LINUX_SRCARCH) -]) diff --git a/configure.ac b/configure.ac index b103599..526d22d 100644 --- a/configure.ac +++ b/configure.ac 
@@ -65,13 +65,13 @@ AC_SUBST(LXCROOTFSMOUNT, "${with_rootfs_path}") AC_SUBST(LXCINITDIR, ['${libexecdir}/lxc']) AC_SUBST(LXCTEMPLATEDIR, ['${libdir}/lxc/templates']) -AC_CHECK_HEADERS([linux/netlink.h linux/genetlink.h], +AC_CHECK_HEADERS([linux/unistd.h linux/netlink.h linux/genetlink.h], [], - AC_MSG_ERROR([netlink headers not found. Please install the linux kernel headers.]), + AC_MSG_ERROR([Please install the Linux kernel headers.]), [#include ]) -AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([please install libcap-devel.]), +AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([Please install the libcap development files.]), [#include #include ]) AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no) @@ -91,8 +91,6 @@ AC_CHECK_HEADERS([sys/signalfd.h]) AC_PROG_GCC_TRADITIONAL -AC_LINUX - if test "x$GCC" = "xyes"; then CFLAGS="$CFLAGS -Wall" fi diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index 3a3816e..1c26952 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -131,14 +131,3 @@ install-exec-local: install-soPROGRAMS uninstall-local: $(RM) $(DESTDIR)$(libdir)/liblxc.so* - -namespace.c: setns.h - -setns.h: - -$(CC) $(CPPFLAGS) -M -MT$@ $(LINUX_DIR)/arch/$(LINUX_SRCARCH)/include/asm/unistd.h >setns.P - -$(CPP) $(CPPFLAGS) -dM $(LINUX_DIR)/arch/$(LINUX_SRCARCH)/include/asm/unistd.h |grep setns > $@ - -clean-local: - $(RM) setns.h setns.P - --include setns.P diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 33da411..0ca8b39 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -30,6 +30,7 @@ #include #includ
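Review bot: the configure.ac hunk only checks that linux/unistd.h exists, not that it defines __NR_setns, which is what attach.c needs; on kernel headers older than 3.0 the header is present but the macro is absent, so configure succeeds and the build fails later in attach.c with a far less helpful error than the AC_MSG_ERROR text added here. Add an `AC_CHECK_DECL([__NR_setns], [], [AC_MSG_ERROR([...])], [[#include <linux/unistd.h>]])` (or an AC_COMPILE_IFELSE) next to the header check. The Makefile.am hunk drops the generated setns.h and setns.P together with the clean-local rule that removed them, which is consistent since nothing else in the hunk produces build artifacts.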
[lxc-devel] [PATCH 8/9] lxc-attach: unify code for attaching a pid to a cgroup
To attach a new pid to the cgroups for an existing container, we can use the same method that we did when we started the container: iterate over all the mounted cgroup hierarchies; find the cgroup that pid 1 is in for each hierarchy; add 'lxc/' to the end of it; then write the pid to the 'tasks' file in that cgroup. (The only difference is that we do not create the cgroup again.) Note that we follow exactly the same iteration pattern to delete our cgroups when a container is shutdown. There may be situations where additional cgroups hierarchies are mounted after the container is started, or the cgroup for pid 1 gets reassigned. But we currently don't handle any of these cases in the shutdown code or anywhere else, so it doesn't make sense to try to handle these cases for lxc-attach by itself. Aside from simplifying the code, this change makes it easier to solve a different problem: ignoring hierarchies that are not bound to any subsystems (like 'systemd'). Signed-off-by: David Ward --- src/lxc/attach.c | 110 + src/lxc/attach.h |9 src/lxc/cgroup.c | 91 +++-- src/lxc/cgroup.h |2 +- src/lxc/lxc_attach.c |4 +- 5 files changed, 56 insertions(+), 160 deletions(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 0ca8b39..a95b3d3 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -60,10 +60,9 @@ struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid) struct lxc_proc_context_info *info = calloc(1, sizeof(*info)); FILE *proc_file; char proc_fn[MAXPATHLEN]; - char *line = NULL, *ptr, *ptr2; + char *line = NULL; size_t line_bufsz = 0; - int ret, found, l; - int i; + int ret, found; if (!info) { SYSERROR("Could not allocate memory."); 
@@ -114,117 +113,14 @@ struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid) goto out_error; } - /* read cgroups */ - snprintf(proc_fn, MAXPATHLEN, "/proc/%d/cgroup", pid); - - proc_file = fopen(proc_fn, "r"); - if (!proc_file) { - SYSERROR("Could not open %s", proc_fn); - goto out_error; - } - - /* we don't really know how many cgroup subsystems there are -* mounted, so we go through the whole file twice */ - i = 0; - while (getline(&line, &line_bufsz, proc_file) != -1) { - /* we assume that all lines containing at least two colons -* are valid */ - ptr = strchr(line, ':'); - if (ptr && strchr(ptr + 1, ':')) - i++; - } - - rewind(proc_file); - - info->cgroups = calloc(i, sizeof(*(info->cgroups))); - info->cgroups_count = i; - - i = 0; - while (getline(&line, &line_bufsz, proc_file) != -1 && i < info->cgroups_count) { - /* format of the lines is: -* id:subsystems:path, where subsystems are separated by -* commas and each subsystem may also be of the form -* name=xxx if it describes a private named hierarchy -* we will ignore the id in the following */ - ptr = strchr(line, ':'); - ptr2 = ptr ? 
strchr(ptr + 1, ':') : NULL; - - /* ignore invalid lines */ - if (!ptr || !ptr2) continue; - - l = strlen(ptr2) - 1; - if (ptr2[l] == '\n') - ptr2[l] = '\0'; - - info->cgroups[i].subsystems = strndup(ptr + 1, ptr2 - (ptr + 1)); - info->cgroups[i].cgroup = strdup(ptr2 + 1); - - i++; - } - - free(line); - fclose(proc_file); - return info; out_error: - lxc_proc_free_context_info(info); + free(info); free(line); return NULL; } -void lxc_proc_free_context_info(struct lxc_proc_context_info *info) -{ - if (!info) - return; - - if (info->cgroups) { - int i; - for (i = 0; i < info->cgroups_count; i++) { - free(info->cgroups[i].subsystems); - free(info->cgroups[i].cgroup); - } - } - free(info->cgroups); - free(info); -} - -int lxc_attach_proc_to_cgroups(pid_t pid, struct lxc_proc_context_info *ctx) -{ - int i, ret; - - if (!ctx) { - ERROR("No valid context supplied when asked to attach " - "process to cgroups."); - return -1; - } - - for (i = 0; i < ctx->cgroups_count; i++) { - char *path; - -
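Review bot: the attach.c hunk replaces the per-process view of cgroups (parsed from /proc/<pid>/cgroup) with the assumption stated in the commit message that the container lives at <init cgroup>/lxc/<name> in every hierarchy. If the container's init has since been moved (the commit message itself names the reassignment case), lxc-attach will place the new process into a cgroup whose limits and device restrictions differ from the container's, silently. Since /proc/<pid>/cgroup is cheap to read, a check that the computed path matches the target pid's actual cgroup in that hierarchy (or at least a WARN when it does not) keeps the simplification without losing that guarantee. Also, `proc_file` and `proc_fn` remain declared at the top of lxc_proc_get_context_info() after this hunk; if the removed block was their only user, drop them as well.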
[lxc-devel] [PATCHv2 02/12] lxc-attach: use execvp instead of execve
execvp does not require specifying the full path to the executable (e.g., "ls" instead of "/bin/ls"), making the operation of 'lxc-attach' consistent with 'lxc-start' and 'lxc-execute'. Signed-off-by: David Ward --- src/lxc/lxc_attach.c |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c index 3571b09..4883327 100644 --- a/src/lxc/lxc_attach.c +++ b/src/lxc/lxc_attach.c @@ -89,7 +89,7 @@ Options :\n\ .checker = NULL, }; -int main(int argc, char *argv[], char *envp[]) +int main(int argc, char *argv[]) { int ret; pid_t pid, init_pid; @@ -212,7 +212,7 @@ int main(int argc, char *argv[], char *envp[]) lxc_sync_fini(handler); if (my_args.argc) { - execve(my_args.argv[0], my_args.argv, envp); + execvp(my_args.argv[0], my_args.argv); SYSERROR("failed to exec '%s'", my_args.argv[0]); return -1; } @@ -232,7 +232,7 @@ int main(int argc, char *argv[], char *envp[]) NULL, }; - execve(args[0], args, envp); + execvp(args[0], args); SYSERROR("failed to exec '%s'", args[0]); return -1; } -- 1.7.1 -- Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/ ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
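Review bot: the commit message should spell out that execvp() resolves a bare command name through the PATH variable of lxc-attach's own environment (execvp searches PATH from `environ`, and since `environ` is what the dropped `envp` pointed at, the environment handed to the command is unchanged), and that a name without a slash is now looked up rather than taken literally; a caller who wants the old literal behaviour can still pass an absolute path. Both hunks keep the `SYSERROR(...); return -1;` fallthrough, which is fine.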
[lxc-devel] [PATCHv2 04/12] utmp: support non-rootfs configuration
Having a rootfs is not a necessary condition for monitoring utmp, since /var or /var/run can just be remounted inside the container instead. We should rely on the other two conditions already in place to decide whether to monitor the utmp file: - the container was started with 'lxc-start', which indicates that it has a real init process and is expected to write to a utmp file - support for CAP_SYS_BOOT was not found in the kernel, which would otherwise supersede utmp monitoring Signed-off-by: David Ward --- src/lxc/utmp.c |4 1 files changed, 0 insertions(+), 4 deletions(-) diff --git a/src/lxc/utmp.c b/src/lxc/utmp.c index b6469b0..a7b9b52 100644 --- a/src/lxc/utmp.c +++ b/src/lxc/utmp.c @@ -233,10 +233,6 @@ int lxc_utmp_mainloop_add(struct lxc_epoll_descr *descr, char path2[MAXPATHLEN]; int fd, wd; struct lxc_utmp *utmp_data; - struct lxc_conf *conf = handler->conf; - - if (!conf->rootfs.path) - return 0; /* We set up a watch for the /var/run directory. We're only interested * in utmp at the moment, but want to watch for delete and create -- 1.7.1 -- Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/ ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
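Review bot: with the rootfs check gone from lxc_utmp_mainloop_add(), the open question is how the watched path (the /var/run directory named in the comment immediately below the hunk) is built when conf->rootfs.path is unset. If it was derived from the rootfs path, the inotify watch now lands on the host's own /var/run, which is not the /var/run the container sees once it remounts it inside its mount namespace, so the container's utmp writes would never trigger and events in the host's utmp would be attributed to the container; the commit message should state which path is watched in the non-rootfs case. Also confirm that `handler` is still used in this function after its only visible use (`handler->conf`) is removed.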
[lxc-devel] [PATCHv2 01/12] use syscall numbers from Linux kernel headers
__NR_setns is defined in the Linux kernel headers in linux/unistd.h. The full Linux kernel sources are not necessary for compilation. Signed-off-by: David Ward --- config/linux.m4 | 76 --- configure.ac|8 ++--- src/lxc/Makefile.am | 11 --- src/lxc/attach.c|3 +- 4 files changed, 4 insertions(+), 94 deletions(-) delete mode 100644 config/linux.m4 diff --git a/config/linux.m4 b/config/linux.m4 deleted file mode 100644 index a4e9fa8..000 --- a/config/linux.m4 +++ /dev/null 
@@ -1,76 +0,0 @@ -AC_DEFUN([AC_LINUX], -[ - AC_LINUX_DIR() - AC_LINUX_SRCARCH() -]) - -AC_DEFUN([AS_TRY_LINUX_DIR], - [AC_MSG_CHECKING(for Linux in $1) - - if test -f "$1/Makefile" ; then - result=yes - $2 - else - result="not found" - $3 - fi - - AC_MSG_RESULT($result) -]) - -AC_DEFUN([AC_LINUX_DIR], -[ - AC_ARG_WITH([linuxdir], - [AC_HELP_STRING([--with-linuxdir=DIR], - [specify path to Linux source directory])], - [LINUX_DIR="${withval}"], - [LINUX_DIR=default]) - - dnl if specified, use the specified one - if test "${LINUX_DIR}" != "default" ; then - AS_TRY_LINUX_DIR([${LINUX_DIR}], , AC_MSG_ERROR([Linux dir not found]) ) - fi - - dnl if not specified, first try with previously set LINUX_KERNEL_RELEASE - if test "${LINUX_DIR}" = "default" ; then - dir="/lib/modules/$LINUX_KERNEL_RELEASE/build"; - AS_TRY_LINUX_DIR([${dir}], [LINUX_DIR=${dir}], ) - fi - - dnl next try using the kernel source dir - if test "${LINUX_DIR}" = "default" ; then - dir="/usr/src/linux-$LINUX_KERNEL_RELEASE"; - AS_TRY_LINUX_DIR([${dir}], [LINUX_DIR=${dir}], ) - fi - - dnl then try a common default of /usr/src/linux - if test "${LINUX_DIR}" = "default" ; then - dir="/usr/src/linux"; - AS_TRY_LINUX_DIR([${dir}], [LINUX_DIR=${dir}], ) - fi - - dnl if still nothing found, fail - if test "${LINUX_DIR}" = "default" ; then - AC_MSG_WARN([Linux source directory not found]) - fi - - AC_SUBST(LINUX_DIR) -]) - -AC_DEFUN([AC_LINUX_SRCARCH],[ - AC_MSG_CHECKING(for linux SRCARCH) - - case "${host}" in - i[[3456]]86-*) LINUX_SRCARCH=x86;; - x86_64-*) LINUX_SRCARCH=x86;; - powerpc*-*) LINUX_SRCARCH=powerpc;; - s390*-*) LINUX_SRCARCH=s390;; - arm*-*) LINUX_SRCARCH=arm;; - mips*-*) LINUX_SRCARCH=mips;; - sparc*-*) LINUX_SRCARCH=sparc;; - *) AC_MSG_ERROR([architecture ${host} not supported]);; - esac - - AC_MSG_RESULT(${LINUX_SRCARCH}) - AC_SUBST(LINUX_SRCARCH) -]) diff --git a/configure.ac b/configure.ac index b103599..526d22d 100644 --- a/configure.ac +++ b/configure.ac 
@@ -65,13 +65,13 @@ AC_SUBST(LXCROOTFSMOUNT, "${with_rootfs_path}") AC_SUBST(LXCINITDIR, ['${libexecdir}/lxc']) AC_SUBST(LXCTEMPLATEDIR, ['${libdir}/lxc/templates']) -AC_CHECK_HEADERS([linux/netlink.h linux/genetlink.h], +AC_CHECK_HEADERS([linux/unistd.h linux/netlink.h linux/genetlink.h], [], - AC_MSG_ERROR([netlink headers not found. Please install the linux kernel headers.]), + AC_MSG_ERROR([Please install the Linux kernel headers.]), [#include ]) -AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([please install libcap-devel.]), +AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([Please install the libcap development files.]), [#include #include ]) AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no) @@ -91,8 +91,6 @@ AC_CHECK_HEADERS([sys/signalfd.h]) AC_PROG_GCC_TRADITIONAL -AC_LINUX - if test "x$GCC" = "xyes"; then CFLAGS="$CFLAGS -Wall" fi diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index 3a3816e..1c26952 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -131,14 +131,3 @@ install-exec-local: install-soPROGRAMS uninstall-local: $(RM) $(DESTDIR)$(libdir)/liblxc.so* - -namespace.c: setns.h - -setns.h: - -$(CC) $(CPPFLAGS) -M -MT$@ $(LINUX_DIR)/arch/$(LINUX_SRCARCH)/include/asm/unistd.h >setns.P - -$(CPP) $(CPPFLAGS) -dM $(LINUX_DIR)/arch/$(LINUX_SRCARCH)/include/asm/unistd.h |grep setns > $@ - -clean-local: - $(RM) setns.h setns.P - --include setns.P diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 33da411..0ca8b39 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -30,6 +30,7 @@ #include #includ
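Review bot: as in v1, the configure.ac hunk verifies that linux/unistd.h exists but not that it declares __NR_setns, the symbol attach.c actually depends on; with pre-3.0 kernel headers the file is present and the macro is missing, so the new "Please install the Linux kernel headers." message never fires and the failure moves to compile time. An `AC_CHECK_DECL([__NR_setns], [], [AC_MSG_ERROR([...])], [[#include <linux/unistd.h>]])` beside the AC_CHECK_HEADERS call gives the error this hunk intends.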
[lxc-devel] [PATCHv2 05/12] cgroup: rearrange code blocks
Avoid nesting and improve readability. Signed-off-by: David Ward --- src/lxc/cgroup.c | 66 - 1 files changed, 30 insertions(+), 36 deletions(-) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index cc3910a..c915b52 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c @@ -142,6 +142,7 @@ static int get_cgroup_mount(const char *subsystem, char *mnt) struct mntent *mntent; char initcgroup[MAXPATHLEN]; FILE *file = NULL; + int ret, err = -1; file = setmntent(MTAB, "r"); if (!file) { @@ -150,30 +151,27 @@ static int get_cgroup_mount(const char *subsystem, char *mnt) } while ((mntent = getmntent(file))) { - if (strcmp(mntent->mnt_type, "cgroup")) continue; - if (!subsystem || hasmntopt_multiple(mntent, subsystem)) { - int ret; - ret = snprintf(mnt, MAXPATHLEN, "%s%s/lxc", - mntent->mnt_dir, - get_init_cgroup(subsystem, NULL, - initcgroup)); - if (ret < 0 || ret >= MAXPATHLEN) - goto fail; - fclose(file); - DEBUG("using cgroup mounted at '%s'", mnt); - return 0; - } + if (subsystem && !hasmntopt_multiple(mntent, subsystem)) + continue; + + ret = snprintf(mnt, MAXPATHLEN, "%s%s/lxc", mntent->mnt_dir, + get_init_cgroup(subsystem, NULL, initcgroup)); + if (ret < 0 || ret >= MAXPATHLEN) + goto fail; + + DEBUG("using cgroup mounted at '%s'", mnt); + err = 0; + goto out; }; fail: DEBUG("Failed to find cgroup for %s\n", subsystem ? subsystem : "(NULL)"); - - fclose(file); - - return -1; +out: + endmntent(file); + return err; } int lxc_ns_is_mounted(void) 
@@ -398,18 +396,17 @@ int lxc_cgroup_create(const char *name, pid_t pid) } while ((mntent = getmntent(file))) { - DEBUG("checking '%s' (%s)", mntent->mnt_dir, mntent->mnt_type); - if (!strcmp(mntent->mnt_type, "cgroup")) { + if (strcmp(mntent->mnt_type, "cgroup")) + continue; - INFO("[%d] found cgroup mounted at '%s',opts='%s'", -++found, mntent->mnt_dir, mntent->mnt_opts); + INFO("[%d] found cgroup mounted at '%s',opts='%s'", +++found, mntent->mnt_dir, mntent->mnt_opts); - err = lxc_one_cgroup_create(name, mntent, pid); - if (err) - goto out; - } + err = lxc_one_cgroup_create(name, mntent, pid); + if (err) + goto out; }; if (!found) @@ -485,7 +482,7 @@ int lxc_cgroup_destroy(const char *name) { struct mntent *mntent; FILE *file = NULL; - int ret, err = -1; + int err = -1; file = setmntent(MTAB, "r"); if (!file) { @@ -494,18 +491,15 @@ int lxc_cgroup_destroy(const char *name) } while ((mntent = getmntent(file))) { - if (!strcmp(mntent->mnt_type, "cgroup")) { - ret = lxc_one_cgroup_destroy(mntent, name); - if (ret) { - fclose(file); - return ret; - } - err = 0; - } - } + if (strcmp(mntent->mnt_type, "cgroup")) + continue; - fclose(file); + err = lxc_one_cgroup_destroy(mntent, name); + if (err) + break; + } + endmntent(file); return err; } /* -- 1.7.1 -- Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/ ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
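Review bot: in the get_cgroup_mount() hunk the `fail:` label is now reached on two distinct paths, the loop running out of cgroup mounts and the snprintf() result not fitting MAXPATHLEN, but it prints "Failed to find cgroup for %s" for both; the truncation path did find the mount and should say so (an ERROR rather than DEBUG is warranted there, since an over-long path is never recoverable). The switch from fclose() to endmntent() for a stream opened with setmntent() is the correct pairing and is a behaviour fix worth one line in the commit message. Nit: the `};` after the while loop in that hunk leaves a stray empty statement.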
[lxc-devel] [PATCHv2 00/12] Assorted fixes against lxc 0.8.0-rc1
v2: Add changes to scripts (including new '--active' flag for lxc-ls)

The following patches address a number of different issues I discovered while building or using lxc, including compatibility with systemd. They were tested on top of lxc 0.8.0-rc1 under Fedora 16. Please let me know if you have any questions or concerns.

David Ward (12):
  use syscall numbers from Linux kernel headers
  lxc-attach: use execvp instead of execve
  utmp: do not set conf->need_utmp_watch if CAP_SYS_BOOT is not found
  utmp: support non-rootfs configuration
  cgroup: rearrange code blocks
  lxc-attach: unify code for attaching a pid to a cgroup
  cgroup: only touch hierarchies that are bound to subsystems
  refresh lxc-ls
  refresh lxc-netstat
  rewrite lxc-ps
  make help consistent for other scripts
  lxc-setcap/lxc-setuid: add autoconf expansion for $libexecdir

 config/linux.m4            |  76 ---
 configure.ac               |   9 +-
 doc/lxc-ls.sgml.in         |  17 ++-
 src/lxc/Makefile.am        |  11 --
 src/lxc/attach.c           | 113 +---
 src/lxc/attach.h           |   9 --
 src/lxc/cgroup.c           | 183 --
 src/lxc/cgroup.h           |   2 +-
 src/lxc/lxc-checkconfig.in |  15 +-
 src/lxc/lxc-clone.in       |  70 +-
 src/lxc/lxc-create.in      |  96 +++---
 src/lxc/lxc-destroy.in     |  40 --
 src/lxc/lxc-ls.in          | 112
 src/lxc/lxc-netstat.in     | 141 +---
 src/lxc/lxc-ps.in          | 311 +++
 src/lxc/lxc-setcap.in      |  37 --
 src/lxc/lxc-setuid.in      |  36 --
 src/lxc/lxc_attach.c       |  10 +-
 src/lxc/start.c            |   1 -
 src/lxc/utmp.c             |   4 -
 20 files changed, 588 insertions(+), 705 deletions(-)
 delete mode 100644 config/linux.m4
 mode change 100755 => 100644 src/lxc/lxc-checkconfig.in
 mode change 100755 => 100644 src/lxc/lxc-ps.in
[lxc-devel] [PATCHv2 08/12] refresh lxc-ls
Add an '--active' option that lists active containers by searching cgroups. (Otherwise, the directories in /var/lib/lxc are listed.) Modify the cgroup search to only use hierarchies that contain one or more subsystems. Add a '--help' option that prints the command syntax. Print error messages and help information to stderr. Update the documentation. Signed-off-by: David Ward --- doc/lxc-ls.sgml.in | 17 ++- src/lxc/lxc-ls.in | 112 +++- 2 files changed, 98 insertions(+), 31 deletions(-) diff --git a/doc/lxc-ls.sgml.in b/doc/lxc-ls.sgml.in index 3ffd4f8..d33e9b3 100644 --- a/doc/lxc-ls.sgml.in +++ b/doc/lxc-ls.sgml.in @@ -48,7 +48,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - lxc-ls ls option + lxc-ls --active ls option @@ -67,6 +67,17 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + --active + + + + List active containers. + + + + + + ls options @@ -94,10 +105,10 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - lxc-ls -1 + lxc-ls --active -1 - list all the containers and display the list in one column. + list active containers and display the list in one column. diff --git a/src/lxc/lxc-ls.in b/src/lxc/lxc-ls.in index d200509..15d4653 100644 --- a/src/lxc/lxc-ls.in +++ b/src/lxc/lxc-ls.in 
@@ -1,39 +1,95 @@ #!/bin/bash +# +# lxc: linux Container library + +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. + +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + localstatedir=@LOCALSTATEDIR@ -lxcpath=@LXCPATH@ +lxc_path=@LXCPATH@ -if [ ! -r $lxcpath ]; then -exit 0 -fi +usage() +{ + echo "usage: $(basename $0) [--active] [--] [LS_OPTIONS...]" >&2 +} -function get_cgroup() +help() { + usage + echo >&2 + echo "List containers existing on the system." 
>&2 + echo >&2 + echo " --active list active containers" >&2 + echo " LS_OPTIONS ls command options (see \`ls --help')" >&2 +} + +get_parent_cgroup() { - local mount_string - mount_string=$(mount -t cgroup |grep -E -e '^lxc ') - if test -n "$mount_string"; then - mount_point=$(echo $mount_string |cut -d' ' -f3) - return - fi - mount_string=`grep -m1 -E '^[^ \t]+[ \t]+[^ \t]+[ \t]+cgroup' /proc/self/mounts`; - if test -z "$mount_string"; then - echo "failed to find mounted cgroup" - exit 1 - fi - mount_point=`echo "$mount_string" |cut -d' ' -f2`; + local hierarchies hierarchy fields subsystems init_cgroup mountpoint + + parent_cgroup="" + + # Obtain a list of hierarchies that contain one or more subsystems + hierarchies=$(tail -n +2 /proc/cgroups | cut -f 2) + + # Iterate through the list until a suitable hierarchy is found + for hierarchy in $hierarchies; do + # Obtain information about the init process in the hierarchy + fields=$(grep -E "^$hierarchy:" /proc/1/cgroup | head -n 1) + if [ -z "$fields" ]; then continue; fi + fields=${fields#*:} + + # Get a comma-separated list of the hierarchy's subsystems + subsystems=${fields%:*} + + # Get the cgroup of the init process in the hierarchy + init_cgroup=${fields#*:} + + # Get the filesystem mountpoint of the hierarchy + mountpoint=$(grep -E "^cgroup [^ ]+ [^ ]+ ([^ ]+,)?$subsystems(,[^ ]+)? " /proc/self/mounts | cut -d ' ' -f 2) + if [ -z "$mountpoint" ]; then continue; fi + + # Return the absolute path to the containers' parent cgroup + parent_cgroup="${mountpoint}${init_cgroup%/}/lxc" + break + done } -ls "$@" $lxcpath +di
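Review bot: in get_parent_cgroup() in the lxc-ls.in hunk, the mountpoint lookup anchors on the first field of /proc/self/mounts (`^cgroup `), which is the mount source, a free-form name chosen by whoever mounted the hierarchy; the code this hunk removes matched `^lxc ` for exactly that reason, and other tools mount hierarchies under names of their own. Match on the filesystem type (third field) being `cgroup` instead and keep the options test, e.g. `^[^ ]+ [^ ]+ cgroup ([^ ]+,)?$subsystems(,[^ ]+)? `. The pattern also embeds $subsystems as a regex (fine for kernel subsystem names) and relies on /proc/1/cgroup and the mount options listing co-mounted subsystems in the same order, an assumption worth a comment. Nit: `$(basename $0)` in usage() should be quoted.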
[lxc-devel] [PATCHv2 06/12] lxc-attach: unify code for attaching a pid to a cgroup
To attach a new pid to the cgroups for an existing container, we can use the same method that we did when we started the container: iterate over all the mounted cgroup hierarchies; find the cgroup that pid 1 is in for each hierarchy; add 'lxc/' to the end of it; then write the pid to the 'tasks' file in that cgroup. (The only difference is that we do not create the cgroup again.) Note that we follow exactly the same iteration pattern to delete our cgroups when a container is shutdown. There may be situations where additional cgroups hierarchies are mounted after the container is started, or the cgroup for pid 1 gets reassigned. But we currently don't handle any of these cases in the shutdown code or anywhere else, so it doesn't make sense to try to handle these cases for lxc-attach by itself. Aside from simplifying the code, this change makes it easier to solve a different problem: ignoring hierarchies that are not bound to any subsystems (like 'systemd'). Signed-off-by: David Ward --- src/lxc/attach.c | 110 + src/lxc/attach.h |9 src/lxc/cgroup.c | 91 +++-- src/lxc/cgroup.h |2 +- src/lxc/lxc_attach.c |4 +- 5 files changed, 56 insertions(+), 160 deletions(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 0ca8b39..a95b3d3 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -60,10 +60,9 @@ struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid) struct lxc_proc_context_info *info = calloc(1, sizeof(*info)); FILE *proc_file; char proc_fn[MAXPATHLEN]; - char *line = NULL, *ptr, *ptr2; + char *line = NULL; size_t line_bufsz = 0; - int ret, found, l; - int i; + int ret, found; if (!info) { SYSERROR("Could not allocate memory."); 
@@ -114,117 +113,14 @@ struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid) goto out_error; } - /* read cgroups */ - snprintf(proc_fn, MAXPATHLEN, "/proc/%d/cgroup", pid); - - proc_file = fopen(proc_fn, "r"); - if (!proc_file) { - SYSERROR("Could not open %s", proc_fn); - goto out_error; - } - - /* we don't really know how many cgroup subsystems there are -* mounted, so we go through the whole file twice */ - i = 0; - while (getline(&line, &line_bufsz, proc_file) != -1) { - /* we assume that all lines containing at least two colons -* are valid */ - ptr = strchr(line, ':'); - if (ptr && strchr(ptr + 1, ':')) - i++; - } - - rewind(proc_file); - - info->cgroups = calloc(i, sizeof(*(info->cgroups))); - info->cgroups_count = i; - - i = 0; - while (getline(&line, &line_bufsz, proc_file) != -1 && i < info->cgroups_count) { - /* format of the lines is: -* id:subsystems:path, where subsystems are separated by -* commas and each subsystem may also be of the form -* name=xxx if it describes a private named hierarchy -* we will ignore the id in the following */ - ptr = strchr(line, ':'); - ptr2 = ptr ? 
strchr(ptr + 1, ':') : NULL; - - /* ignore invalid lines */ - if (!ptr || !ptr2) continue; - - l = strlen(ptr2) - 1; - if (ptr2[l] == '\n') - ptr2[l] = '\0'; - - info->cgroups[i].subsystems = strndup(ptr + 1, ptr2 - (ptr + 1)); - info->cgroups[i].cgroup = strdup(ptr2 + 1); - - i++; - } - - free(line); - fclose(proc_file); - return info; out_error: - lxc_proc_free_context_info(info); + free(info); free(line); return NULL; } -void lxc_proc_free_context_info(struct lxc_proc_context_info *info) -{ - if (!info) - return; - - if (info->cgroups) { - int i; - for (i = 0; i < info->cgroups_count; i++) { - free(info->cgroups[i].subsystems); - free(info->cgroups[i].cgroup); - } - } - free(info->cgroups); - free(info); -} - -int lxc_attach_proc_to_cgroups(pid_t pid, struct lxc_proc_context_info *ctx) -{ - int i, ret; - - if (!ctx) { - ERROR("No valid context supplied when asked to attach " - "process to cgroups."); - return -1; - } - - for (i = 0; i < ctx->cgroups_count; i++) { - char *path; - -
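Review bot: unchanged from v1, the attach.c hunk trades the target process's own cgroup membership (read from /proc/<pid>/cgroup) for the assumption that the container sits at <init cgroup>/lxc/<name> in every hierarchy. When that assumption fails, which the commit message acknowledges can happen after a reassignment, the attached process ends up under different resource and device controls than the container without any diagnostic. Comparing the computed path against /proc/<pid>/cgroup for that hierarchy before writing to `tasks`, or at least warning on a mismatch, would preserve the old guarantee at little cost. Also check whether `proc_file` and `proc_fn`, still declared in the first hunk, have any remaining use in lxc_proc_get_context_info().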
[lxc-devel] [PATCHv2 07/12] cgroup: only touch hierarchies that are bound to subsystems
Obtain a list of subsystems from /proc/cgroups, and ignore hierarchies that are not bound to any of them (especially the 'systemd' hierarchy: http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups ). Signed-off-by: David Ward --- src/lxc/cgroup.c | 50 -- 1 files changed, 48 insertions(+), 2 deletions(-) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index 06aa1a0..8ccbc50 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c @@ -53,6 +53,39 @@ enum { CGROUP_CLONE_CHILDREN, }; +/* Check if a mount is a cgroup hierarchy for any subsystem. + * Return the first subsystem found (or NULL if none). + */ +static char *mount_has_subsystem(const struct mntent *mntent) +{ + FILE *f; + char *c, *ret; + char line[MAXPATHLEN]; + + /* read the list of subsystems from the kernel */ + f = fopen("/proc/cgroups", "r"); + if (!f) + return 0; + + /* skip the first line, which contains column headings */ + if (!fgets(line, MAXPATHLEN, f)) + return 0; + + while (fgets(line, MAXPATHLEN, f)) { + c = strchr(line, '\t'); + if (!c) + continue; + *c = '\0'; + + ret = hasmntopt(mntent, line); + if (ret) + break; + } + + fclose(f); + return ret; +} + /* * get_init_cgroup: get the cgroup init is in. * dsg: preallocated buffer to put the output in @@ -124,8 +157,15 @@ static int get_cgroup_mount(const char *subsystem, char *mnt) while ((mntent = getmntent(file))) { if (strcmp(mntent->mnt_type, "cgroup")) continue; - if (subsystem && !hasmntopt(mntent, subsystem)) - continue; + + if (subsystem) { + if (!hasmntopt(mntent, subsystem)) + continue; + } + else { + if (!mount_has_subsystem(mntent)) + continue; + } ret = snprintf(mnt, MAXPATHLEN, "%s%s/lxc", mntent->mnt_dir, get_init_cgroup(subsystem, NULL, initcgroup)); @@ -252,6 +292,8 @@ int lxc_cgroup_attach(const char *name, pid_t pid) if (strcmp(mntent->mnt_type, "cgroup")) continue; + if (!mount_has_subsystem(mntent)) + continue; INFO("[%d] found cgroup mounted at '%s',opts='%s'", ++found, mntent->mnt_dir, mntent->mnt_opts); 
@@ -405,6 +447,8 @@ int lxc_cgroup_create(const char *name, pid_t pid) if (strcmp(mntent->mnt_type, "cgroup")) continue; + if (!mount_has_subsystem(mntent)) + continue; INFO("[%d] found cgroup mounted at '%s',opts='%s'", ++found, mntent->mnt_dir, mntent->mnt_opts); @@ -502,6 +546,8 @@ int lxc_cgroup_destroy(const char *name) while ((mntent = getmntent(file))) { if (strcmp(mntent->mnt_type, "cgroup")) continue; + if (!mount_has_subsystem(mntent)) + continue; err = lxc_one_cgroup_destroy(mntent, name); if (err) -- 1.7.1 -- Virtualization & Cloud Management Using Capacity Planning Cloud computing makes use of virtualization - but cloud computing also focuses on allowing computing to be delivered as a service. http://www.accelacomm.com/jaw/sfnl/114/51521223/ ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
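Review bot: in the new mount_has_subsystem(), `ret` is read uninitialized when the while loop never runs (a /proc/cgroups that contains only the header line), because `char *c, *ret;` is never assigned before `return ret;`; initialise it with `char *c, *ret = NULL;`. The second early return, `if (!fgets(line, MAXPATHLEN, f)) return 0;`, also leaks the FILE opened just above it; either `fclose(f)` before returning or fall through to the common `fclose(f); return ret;`. Minor: the function re-opens and re-parses /proc/cgroups once per mount entry in each of the four getmntent() loops that now call it; reading the subsystem list once per loop would avoid the repeated work.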
[lxc-devel] [PATCHv2 03/12] utmp: do not set conf->need_utmp_watch if CAP_SYS_BOOT is not found
If CAP_SYS_BOOT is not found in the kernel, the existing value for conf->need_utmp_watch should be left intact (which will be '1' for containers started with 'lxc-start', or '0' for containers started with 'lxc-execute'). Signed-off-by: David Ward --- src/lxc/start.c |1 - 1 files changed, 0 insertions(+), 1 deletions(-) diff --git a/src/lxc/start.c b/src/lxc/start.c index fc2a1b1..1ee7bdf 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -508,7 +508,6 @@ static int do_start(void *data) SYSERROR("failed to remove CAP_SYS_BOOT capability"); return -1; } - handler->conf->need_utmp_watch = 1; DEBUG("Dropped cap_sys_boot\n"); } else { DEBUG("Not dropping cap_sys_boot or watching utmp\n"); -- 1.7.1
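Review bot: with the assignment removed from the if-branch, the else-branch's message 'Not dropping cap_sys_boot or watching utmp' is only accurate if need_utmp_watch is reset to 0 there, and this hunk shows no such assignment; if the field keeps the caller's default of 1 (lxc-start), the log line is misleading. Either add `handler->conf->need_utmp_watch = 0;` in the else-branch (if it is not already just outside the hunk) or reword the message, and add a one-line comment in the if-branch saying the caller's value is intentionally preserved so nobody re-adds `= 1` later.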
[lxc-devel] [PATCHv2 09/12] refresh lxc-netstat
Modify the cgroup search to only use hierarchies that contain one or more subsystems. Change method of bind mounting /proc//net onto /proc/net, to avoid error "cannot mount block device /proc//net read-only". Check that user is root. Check that container name is specified before calling 'exec'. Update the help information. Print error messages and help information to stderr. Make indentation consistent. Signed-off-by: David Ward --- src/lxc/lxc-netstat.in | 141 +++- 1 files changed, 91 insertions(+), 50 deletions(-) diff --git a/src/lxc/lxc-netstat.in b/src/lxc/lxc-netstat.in index 9e7eec3..cfbca9b 100644 --- a/src/lxc/lxc-netstat.in +++ b/src/lxc/lxc-netstat.in 
@@ -1,21 +1,65 @@ #!/bin/bash -# set -ex + +# +# lxc: linux Container library + +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. + +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA usage() { - echo "usage: $(basename $0) --name [netstat options]" + echo "usage: $(basename $0) --name NAME [--] [NETSTAT_OPTIONS...]" >&2 } help() { usage - echo - echo "execute netstat for the specified container" - echo "with the added netstat options" - echo - echo "Options:" - echo "name : name of the container" - echo "help : this current help." - echo - echo "to be executed as root." + echo >&2 + echo "Execute 'netstat' for the specified container." 
>&2 + echo >&2 + echo " --name NAME specify the container name" >&2 + echo " NETSTAT_OPTIONS netstat command options (see \`netstat --help')" >&2 +} + +get_parent_cgroup() +{ + local hierarchies hierarchy fields subsystems init_cgroup mountpoint + + parent_cgroup="" + + # Obtain a list of hierarchies that contain one or more subsystems + hierarchies=$(tail -n +2 /proc/cgroups | cut -f 2) + + # Iterate through the list until a suitable hierarchy is found + for hierarchy in $hierarchies; do + # Obtain information about the init process in the hierarchy + fields=$(grep -E "^$hierarchy:" /proc/1/cgroup | head -n 1) + if [ -z "$fields" ]; then continue; fi + fields=${fields#*:} + + # Get a comma-separated list of the hierarchy's subsystems + subsystems=${fields%:*} + + # Get the cgroup of the init process in the hierarchy + init_cgroup=${fields#*:} + + # Get the filesystem mountpoint of the hierarchy + mountpoint=$(grep -E "^cgroup [^ ]+ [^ ]+ ([^ ]+,)?$subsystems(,[^ ]+)? " /proc/self/mounts | cut -d ' ' -f 2) + if [ -z "$mountpoint" ]; then continue; fi + + # Return the absolute path to the containers' parent cgroup + parent_cgroup="${mountpoint}${init_cgroup%/}/lxc" + break + done } exec="" @@ -25,19 +69,24 @@ if [ $# -eq 0 ]; then exit 1 fi -for i in "$@"; do - case $i in +while true; do + case $1 in -h|--help) help; exit 1;; -n|--name) name=$2; shift 2;; --exec) exec="exec"; shift;; + --) + shift; break;; + *) + break; esac done -if [ -z "$exec" ]; then -exec @BINDIR@/lxc-unshare -s MOUNT -- $0 -n $name --exec "$@" +if [ "$(id -u)" != "0" ]; then + echo "$(basename $0): must be run as root" >&2 + exit 1 fi if [ -z "$name" ]; then @@ -45,51 +94,43 @@ if [ -z "$name" ]; then exit 1 fi +if [ -z "$exec" ]; then + exec @BINDIR@/lxc-unshare -s MOUNT -- $0 -n $name --exec "$@" +fi + lxc-info -n $name 2>&1 | grep -q 'STOPPED' if [ $? -eq 0 ]; then - echo "Container $name is not running" + echo "
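Review bot: in get_parent_cgroup(), the mountpoint lookup anchors on `^cgroup ` in /proc/self/mounts, which is the source field (the name handed to mount), not the filesystem type; a hierarchy mounted as e.g. `cpuset /sys/fs/cgroup/cpuset cgroup ...` is skipped even though it carries the subsystem being searched for. Match the third field (`cgroup`) instead. `$subsystems` is interpolated verbatim into the grep -E pattern; it comes from /proc/1/cgroup and holds only subsystem names, so this is safe today, but a comment saying so would help. If the same hierarchy is mounted more than once, `mountpoint` holds several lines and `parent_cgroup` becomes a multi-line string; a `head -n 1` after the `cut` keeps it a single path.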
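Review bot: in the argument loop, `--` is consumed (`shift; break`) but the re-exec line `exec @BINDIR@/lxc-unshare -s MOUNT -- $0 -n $name --exec "$@"` does not put it back, so on the second pass a netstat option such as `-n` (numeric) is parsed as `--name` again. Pass `--exec -- "$@"` on the re-exec. Separately, `-n|--name) name=$2; shift 2;;` with `--name` as the last argument makes `shift 2` fail without shifting, so `$1` never changes and `while true` loops forever; guard it with `[ $# -ge 2 ] || { usage; exit 1; }`. `$0` and `$name` on the exec line also want quoting.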
[lxc-devel] [PATCHv2 10/12] rewrite lxc-ps
Use bash instead of perl; eliminates final lxc dependency on perl (beneficial for minimal operating system environments). Modify the cgroup search to only use hierarchies that contain one or more subsystems. Maintain column spacing. Expand container name column as necessary. Properly handle spaces in 'ps' output that are not field separators (for example, try 'lxc-ps -o pid,args'). Fix file mode in repository. Signed-off-by: David Ward --- src/lxc/lxc-ps.in | 311 +++-- 1 files changed, 109 insertions(+), 202 deletions(-) mode change 100755 => 100644 src/lxc/lxc-ps.in diff --git a/src/lxc/lxc-ps.in b/src/lxc/lxc-ps.in old mode 100755 new mode 100644 index 2fa7b8b..4ea68e6 --- a/src/lxc/lxc-ps.in +++ b/src/lxc/lxc-ps.in @@ -1,9 +1,7 @@ -#!/usr/bin/perl -# -# lxc-ps +#!/bin/bash + # -# Authors: -# Daniel Lezcano +# lxc: linux Container library # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public 
@@ -19,214 +17,123 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# -# This script allows to -# display processes information with related container name if available. -# -use strict; - - -# Some globals - -our $PS_HEADERS; # String containing headers of the ps output -our $PS_PID_INDEX;# Index of the PID column in the ps headers -our @PS_LINES;# Output lines of the ps command - -our $LXC_DISPLAY = 0; # By default do not display container information -our %LXC_NAMES; # Specified container names (if any) - -sub get_container_names { - my $ref_names = shift; - my $lxcpath = '@LXCPATH@'; - - open(active, "netstat -xa | grep $lxcpath |") or return; - while() { - chomp; - s#.*$lxcpath/(.*)/command.*#$1#; - push @$ref_names, $_; - } - close active; -} - -sub get_cgroup { - my $ref_cgroup = shift; - my $mount_string; - - $mount_string=`mount -t cgroup |grep -E -e '^lxc '`; - if ($mount_string) { -# use the one 'lxc' cgroup mount if it exists - chomp($mount_string); - $$ref_cgroup=`echo "$mount_string" |cut -d' ' -f3`; - chomp($$ref_cgroup); - } - # Otherwise (i.e. 
cgroup-bin) use the first cgroup mount - $mount_string=`grep -m1 -E '^[^ \t]+[ \t]+[^ \t]+[ \t]+cgroup' /proc/self/mounts`; - unless ($mount_string) { - die "unable to find mounted cgroup" unless $$ref_cgroup; - } - chomp($mount_string); - $$ref_cgroup=`echo "$mount_string" |cut -d' ' -f2`; - chomp($$ref_cgroup); - return; -} - -sub get_pids_in_containers { - my $ref_names = shift; - my $ref_cgroup = shift; - my $ref_pids = shift; - my $init_cgroup = shift; - my @pidlist; - - for (@{$ref_names}) { - my $task_file = "$$ref_cgroup/$init_cgroup/lxc/$_/tasks"; - - $LXC_NAMES{$_} = 1; - open(tasks, "cat $task_file 2>/dev/null |") or next; - while () { - chomp $_; - push @pidlist, $_; - } - close tasks; - } - $$ref_pids = join(',', @pidlist); -} - -sub reclaim_pid_index { -my @headers = split " ", $PS_HEADERS; -for my $i (0 .. $#headers) { - if ($headers[$i] eq "PID") { - $PS_PID_INDEX = $i; - return; - } -} -print "Cannot find ps PID column !\n"; -exit 1; -} - -sub execute_ps { -open(ps, "ps @_ |") or die "Cannot execute ps command: $!\n"; - -$PS_HEADERS = ; -reclaim_pid_index; - -while () { - push @PS_LINES, $_; -} -close ps; +usage() +{ + echo "usage: $(basename $0) [--lxc | --name NAME] [--] [PS_OPTIONS...]" >&2 } -sub get_init_cgroup { -my $filename = "/proc/1/cgroup"; -open(LXC, "$filename"); -my @cgroup = ; -close LXC; -my $container = ''; -foreach ( @cgroup ) { -chomp; -# find the container name after :/ -s/.*:\///o; -} -return $container; +help() { + usage + echo >&2 + echo "List current processes with container names." >&2 + echo >&2 + echo " --lxc show processes in all containers" >&2 + echo " --name NAME show processes in the specified container" >&2 + echo " (multiple containers can be separated by commas)" >&2 + echo " PS_OPTIONSps comman
[lxc-devel] [PATCHv2 11/12] make help consistent for other scripts
Display help information in a consistent format. Print error messages and help information to stderr. Prefix error messages with the name of the script (for easier debugging as part of larger scripts). Allow help information to be printed as a non-root user. Fix file mode for lxc-checkconfig.in. Signed-off-by: David Ward --- src/lxc/lxc-checkconfig.in | 15 +++ src/lxc/lxc-clone.in | 70 +++- src/lxc/lxc-create.in | 96 --- src/lxc/lxc-destroy.in | 40 -- src/lxc/lxc-setcap.in | 36 +++- src/lxc/lxc-setuid.in | 35 ++- 6 files changed, 158 insertions(+), 134 deletions(-) mode change 100755 => 100644 src/lxc/lxc-checkconfig.in diff --git a/src/lxc/lxc-checkconfig.in b/src/lxc/lxc-checkconfig.in old mode 100755 new mode 100644 index 39da910..8c2b5e5 --- a/src/lxc/lxc-checkconfig.in +++ b/src/lxc/lxc-checkconfig.in @@ -32,7 +32,7 @@ is_enabled() { } if [ ! -f $CONFIG ]; then -echo "Kernel config $CONFIG not found, looking in other places..." +echo "Kernel configuration not found at $CONFIG; searching..." KVER="`uname -r`" HEADERS_CONFIG="/lib/modules/$KVER/build/.config" BOOT_CONFIG="/boot/config-$KVER" @@ -40,15 +40,14 @@ if [ ! -f $CONFIG ]; then [ -f "${BOOT_CONFIG}" ] && CONFIG=${BOOT_CONFIG} GREP=grep if [ ! -f $CONFIG ]; then -echo -echo "The kernel configuration can not be retrieved." -echo "Please recompile with IKCONFIG_PROC, or" - echo "install the kernel headers, or specify" - echo "the path to the config file with: CONFIG= lxc-checkconfig" -echo +echo "$(basename $0): unable to retrieve kernel configuration" >&2 +echo >&2 +echo "Try recompiling with IKCONFIG_PROC, installing the kernel headers," >&2 +echo "or specifying the kernel configuration path with:" >&2 +echo " CONFIG= $(basename $0)" >&2 exit 1 else -echo "Found kernel config file $CONFIG" +echo "Kernel configuration found at $CONFIG" fi fi diff --git a/src/lxc/lxc-clone.in b/src/lxc/lxc-clone.in index 386be30..c7413f2 100644 --- a/src/lxc/lxc-clone.in +++ b/src/lxc/lxc-clone.in 
@@ -24,22 +24,24 @@ set -e usage() { -echo "usage: lxc-clone -o -n [-s] [-h] [-L fssize] [-v vgname] [-p lxc_lv_prefix] [-t fstype]" +echo "usage: $(basename $0) -o ORIG_NAME -n NEW_NAME [-s] [-h] [-L FS_SIZE]" >&2 +echo "[-v VG_NAME] [-p LV_PREFIX] [-t FS_TYPE]" >&2 } help() { usage -echo -echo "creates a lxc system object." -echo -echo "Options:" -echo "orig: name of the original container" -echo "new : name of the new container" -echo "-s : make the new rootfs a snapshot of the original" -echo "fssize : size if creating a new fs. By default, 2G" -echo "vgname : lvm volume group name, lxc by default" -echo "lvprefix: lvm volume name prefix, none by default, e.g. --lvprefix=lxc_ then new lxc lv name will be lxc_newname" -echo "fstype : new container file system type, ext3 by default (only works for non-snapshot lvm)" +echo >&2 +echo "Clone an existing container on the system." >&2 +echo >&2 +echo "Options:" >&2 +echo " -o ORIG_NAME specify the name of the original container" >&2 +echo " -n NEW_NAMEspecify the name of the new container" >&2 +echo " -s make the new rootfs a snapshot of the original" >&2 +echo " -L FS_SIZE specify the new filesystem size (default: 2G)" >&2 +echo " -v VG_NAME specify the new LVM volume group name (default: lxc)" >&2 +echo " -p LV_PREFIX add a prefix to new LVM logical volume names" >&2 +echo " -t FS_TYPE specify the new filesystem type (default: ext3;" >&2 +echo " only works for non-snapshot LVM)" >&2 } shortoptions='ho:n:sL:v:p:t:' @@ -62,8 +64,8 @@ fi eval set -- "$getopt" while true; do -case "$1" in --h|--help) +case "$1" in +-h|--help) help exit 1 ;; @@ -102,52 +104,46 @@ while true; do break ;; *) -echo $1 usage exit 1 ;; -esac +esac done if [ -z
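Review bot: in the lxc-clone hunk, `-h|--help) help exit 1 ;;` exits non-zero when the user explicitly asked for help; the conventional status for a requested --help is 0, with 1 reserved for the usage-error path (the `*) usage exit 1 ;;` branch). Since this patch unifies the help text across the scripts, it is the natural place to make the exit codes consistent as well.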
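Review bot: in the lxc-checkconfig hunk, the failure message now goes to stderr while the 'Kernel configuration not found at $CONFIG; searching...' and 'Kernel configuration found at $CONFIG' lines remain on stdout; that split is fine for interactive use but is worth stating in a comment, since the script's stdout is commonly captured. `[ ! -f $CONFIG ]` in the unchanged context should also quote `$CONFIG` now that the help text invites the user to set it by hand.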
[lxc-devel] [PATCHv2 12/12] lxc-setcap/lxc-setuid: add autoconf expansion for $libexecdir
Support new default location for LXCINITDIR. --- configure.ac |1 + src/lxc/lxc-setcap.in |1 + src/lxc/lxc-setuid.in |1 + 3 files changed, 3 insertions(+), 0 deletions(-) diff --git a/configure.ac b/configure.ac index 526d22d..5c47dfc 100644 --- a/configure.ac +++ b/configure.ac @@ -40,6 +40,7 @@ AM_CONDITIONAL([ENABLE_EXAMPLES], [test "x$enable_examples" = "xyes"]) AS_AC_EXPAND(PREFIX, $prefix) AS_AC_EXPAND(LIBDIR, $libdir) AS_AC_EXPAND(BINDIR, $bindir) +AS_AC_EXPAND(LIBEXECDIR, $libexecdir) AS_AC_EXPAND(INCLUDEDIR, $includedir) AS_AC_EXPAND(SYSCONFDIR, $sysconfdir) AS_AC_EXPAND(DATADIR, $datadir) diff --git a/src/lxc/lxc-setcap.in b/src/lxc/lxc-setcap.in index 52d4b48..71e3710 100644 --- a/src/lxc/lxc-setcap.in +++ b/src/lxc/lxc-setcap.in @@ -84,6 +84,7 @@ lxc_dropcaps() shortoptions='hd' longoptions='help' libdir=@LIBDIR@ +libexecdir=@LIBEXECDIR@ localstatedir=@LOCALSTATEDIR@ getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@") diff --git a/src/lxc/lxc-setuid.in b/src/lxc/lxc-setuid.in index 0919eac..020dfae 100644 --- a/src/lxc/lxc-setuid.in +++ b/src/lxc/lxc-setuid.in @@ -81,6 +81,7 @@ lxc_dropuid() shortoptions='hd' longoptions='help' libdir=@LIBDIR@ +libexecdir=@LIBEXECDIR@ localstatedir=@LOCALSTATEDIR@ getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@") -- 1.7.1
[lxc-devel] [PATCHv2 w/SignOff 12/12] lxc-setcap/lxc-setuid: add autoconf expansion for $libexecdir
Support new default location for LXCINITDIR. Signed-off-by: David Ward --- configure.ac |1 + src/lxc/lxc-setcap.in |1 + src/lxc/lxc-setuid.in |1 + 3 files changed, 3 insertions(+), 0 deletions(-) diff --git a/configure.ac b/configure.ac index 526d22d..5c47dfc 100644 --- a/configure.ac +++ b/configure.ac @@ -40,6 +40,7 @@ AM_CONDITIONAL([ENABLE_EXAMPLES], [test "x$enable_examples" = "xyes"]) AS_AC_EXPAND(PREFIX, $prefix) AS_AC_EXPAND(LIBDIR, $libdir) AS_AC_EXPAND(BINDIR, $bindir) +AS_AC_EXPAND(LIBEXECDIR, $libexecdir) AS_AC_EXPAND(INCLUDEDIR, $includedir) AS_AC_EXPAND(SYSCONFDIR, $sysconfdir) AS_AC_EXPAND(DATADIR, $datadir) diff --git a/src/lxc/lxc-setcap.in b/src/lxc/lxc-setcap.in index 52d4b48..71e3710 100644 --- a/src/lxc/lxc-setcap.in +++ b/src/lxc/lxc-setcap.in @@ -84,6 +84,7 @@ lxc_dropcaps() shortoptions='hd' longoptions='help' libdir=@LIBDIR@ +libexecdir=@LIBEXECDIR@ localstatedir=@LOCALSTATEDIR@ getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@") diff --git a/src/lxc/lxc-setuid.in b/src/lxc/lxc-setuid.in index 0919eac..020dfae 100644 --- a/src/lxc/lxc-setuid.in +++ b/src/lxc/lxc-setuid.in @@ -81,6 +81,7 @@ lxc_dropuid() shortoptions='hd' longoptions='help' libdir=@LIBDIR@ +libexecdir=@LIBEXECDIR@ localstatedir=@LOCALSTATEDIR@ getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@") -- 1.7.4.1
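Review bot: the lxc-setcap.in and lxc-setuid.in hunks each add `libexecdir=@LIBEXECDIR@`, but nothing visible in the patch reads the variable; if it exists so that a later `@LXCINITDIR@` expansion containing `${libexecdir}` resolves in the shell, say so in a one-line comment above the assignment (or include the consuming line in this patch), otherwise the assignment looks dead and invites removal. The commit message should also name what the "new default location" is.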
[lxc-devel] [PATCHv3 05/14] cgroup: additional fix for deprecated ns subsystem
When a hierarchy contains the 'ns' subsystem, do not append '/lxc' to the parent cgroup. Update surrounding comments for consistency. Signed-off-by: David Ward --- src/lxc/cgroup.c | 13 +++-- 1 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index 9af199d..e5145f9 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c @@ -305,9 +305,9 @@ static int lxc_one_cgroup_create(const char *name, char initcgroup[MAXPATHLEN]; int flags, ret; - /* cgparent is the parent dir, /sys/fs/cgroup///lxc */ + /* cgparent is the parent dir, e.g., /sys/fs/cgroup///lxc */ /* (remember get_init_cgroup() returns a path starting with '/') */ - /* cgname is the full name, /sys/fs/cgroup///lxc/name */ + /* cgname is the full name, e.g., /sys/fs/cgroup///lxc/name */ ret = snprintf(cginit, MAXPATHLEN, "%s%s", mntent->mnt_dir, get_init_cgroup(NULL, mntent, initcgroup)); if (ret < 0 || ret >= MAXPATHLEN) { @@ -315,7 +315,10 @@ static int lxc_one_cgroup_create(const char *name, return -1; } - ret = snprintf(cgparent, MAXPATHLEN, "%s/lxc", cginit); + flags = get_cgroup_flags(mntent); + + ret = snprintf(cgparent, MAXPATHLEN, "%s%s", cginit, + (flags & CGROUP_NS_CGROUP) ? "" : "/lxc"); if (ret < 0 || ret >= MAXPATHLEN) { SYSERROR("Failed creating pathname for cgroup parent (%d)\n", ret); return -1; @@ -326,8 +329,6 @@ static int lxc_one_cgroup_create(const char *name, return -1; } - flags = get_cgroup_flags(mntent); - /* Do we have the deprecated ns_cgroup subsystem? */ if (flags & CGROUP_NS_CGROUP) { WARN("using deprecated ns_cgroup"); 
@@ -356,7 +357,7 @@ static int lxc_one_cgroup_create(const char *name, return -1; } - /* if /sys/fs/cgroup///lxc does not exist, create it */ + /* if cgparent does not exist, create it */ if (access(cgparent, F_OK) && mkdir(cgparent, 0755)) { SYSERROR("failed to create '%s' directory", cgparent); return -1; -- 1.7.4.1 -- This SF email is sponsosred by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
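Review bot: the second hunk now selects between `""` and `"/lxc"` for cgparent on CGROUP_NS_CGROUP, but neither the code nor the updated comments say why an ns hierarchy must not get the intermediate `/lxc` level; the commit message only states the rule. Put the reason in a comment at the snprintf, otherwise the next reader is likely to "fix" the asymmetry back. Moving `flags = get_cgroup_flags(mntent);` ahead of the snprintf is fine, but the `/* Do we have the deprecated ns_cgroup subsystem? */` block below now re-tests a value that already decided the path layout; a single `if (flags & CGROUP_NS_CGROUP)` covering both would be clearer.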
[lxc-devel] [PATCHv3 12/14] rewrite lxc-ps
Use bash instead of perl; eliminates final lxc dependency on perl (beneficial for minimal operating system environments). Modify the cgroup search to only use hierarchies that contain one or more subsystems. When searching, if a hierarchy contains the 'ns' subsystem, do not append '/lxc' to the parent cgroup. Maintain column spacing. Expand container name column as necessary. Properly handle spaces in 'ps' output that are not field separators (for example, try 'lxc-ps -o pid,args'). Fix file mode in repository. Signed-off-by: David Ward --- src/lxc/lxc-ps.in | 329 +++- 1 files changed, 120 insertions(+), 209 deletions(-) mode change 100755 => 100644 src/lxc/lxc-ps.in diff --git a/src/lxc/lxc-ps.in b/src/lxc/lxc-ps.in old mode 100755 new mode 100644 index 2fa7b8b..a9923f0 --- a/src/lxc/lxc-ps.in +++ b/src/lxc/lxc-ps.in @@ -1,9 +1,7 @@ -#!/usr/bin/perl -# -# lxc-ps +#!/bin/bash + # -# Authors: -# Daniel Lezcano +# lxc: linux Container library # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public 
@@ -19,214 +17,127 @@ # License along with this library; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# -# This script allows to -# display processes information with related container name if available. -# -use strict; - - -# Some globals - -our $PS_HEADERS; # String containing headers of the ps output -our $PS_PID_INDEX;# Index of the PID column in the ps headers -our @PS_LINES;# Output lines of the ps command - -our $LXC_DISPLAY = 0; # By default do not display container information -our %LXC_NAMES; # Specified container names (if any) - -sub get_container_names { - my $ref_names = shift; - my $lxcpath = '@LXCPATH@'; - - open(active, "netstat -xa | grep $lxcpath |") or return; - while() { - chomp; - s#.*$lxcpath/(.*)/command.*#$1#; - push @$ref_names, $_; - } - close active; +usage() +{ + echo "usage: $(basename $0) [--lxc | --name NAME] [--] [PS_OPTIONS...]" >&2 } -sub get_cgroup { - my $ref_cgroup = shift; - my $mount_string; - - $mount_string=`mount -t cgroup |grep -E -e '^lxc '`; - if ($mount_string) { -# use the one 'lxc' cgroup mount if it exists - chomp($mount_string); - $$ref_cgroup=`echo "$mount_string" |cut -d' ' -f3`; - chomp($$ref_cgroup); - } - # Otherwise (i.e. cgroup-bin) use the first cgroup mount - $mount_string=`grep -m1 -E '^[^ \t]+[ \t]+[^ \t]+[ \t]+cgroup' /proc/self/mounts`; - unless ($mount_string) { - die "unable to find mounted cgroup" unless $$ref_cgroup; - } - chomp($mount_string); - $$ref_cgroup=`echo "$mount_string" |cut -d' ' -f2`; - chomp($$ref_cgroup); - return; +help() { + usage + echo >&2 + echo "List current processes with container names." 
>&2 + echo >&2 + echo " --lxc show processes in all containers" >&2 + echo " --name NAME show processes in the specified container" >&2 + echo " (multiple containers can be separated by commas)" >&2 + echo " PS_OPTIONSps command options (see \`ps --help')" >&2 } -sub get_pids_in_containers { - my $ref_names = shift; - my $ref_cgroup = shift; - my $ref_pids = shift; - my $init_cgroup = shift; - my @pidlist; - - for (@{$ref_names}) { - my $task_file = "$$ref_cgroup/$init_cgroup/lxc/$_/tasks"; - - $LXC_NAMES{$_} = 1; - open(tasks, "cat $task_file 2>/dev/null |") or next; - while () { - chomp $_; - push @pidlist, $_; - } - close tasks; - } - $$ref_pids = join(',', @pidlist); +get_parent_cgroup() +{ + local hierarchies hierarchy fields subsystems init_cgroup mountpoint + + parent_cgroup="" + + # Obtain a list of hierarchies that contain one or more subsystems + hierarchies=$(tail -n +2 /proc/cgroups | cut -f 2) + + # Iterate through the list until a suitable hierarchy is found + for hierarchy in $hierarchies; do + # Obtain information about the init process in the hierarchy + fields=$(grep -E "^$hierarchy:" /proc/1/cgroup | head -n 1) + if [ -z "$fields" ]; then continue; fi + fields=${fields#*:} + +
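Review bot: the get_parent_cgroup() introduced here duplicates the function of the same name in the lxc-netstat rewrite; two copies of the hierarchy-selection logic in two scripts will drift (this series already had to touch both for the 'ns' handling). Factor it into a shared snippet sourced by both scripts, or at least mark both copies with a comment that they must be kept in sync. The same remarks as on the lxc-netstat copy apply: hierarchy IDs from `cut -f 2` repeat for every subsystem in the same hierarchy, so the loop re-greps the same ID several times before `break`; `sort -u` on `$hierarchies` avoids that.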
[lxc-devel] [PATCHv3 03/14] utmp: do not set conf->need_utmp_watch if CAP_SYS_BOOT is not found
If CAP_SYS_BOOT is not found in the kernel, the existing value for conf->need_utmp_watch should be left intact (which will be '1' for containers started with 'lxc-start', or '0' for containers started with 'lxc-execute'). Signed-off-by: David Ward --- src/lxc/start.c |3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/src/lxc/start.c b/src/lxc/start.c index 7af1e37..920ff77 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -632,8 +632,7 @@ int __lxc_start(const char *name, struct lxc_conf *conf, handler->data = data; if (must_drop_cap_sys_boot()) { - handler->conf->need_utmp_watch = 1; - DEBUG("Dropping cap_sys_boot and watching utmp\n"); + DEBUG("Dropping cap_sys_boot\n"); } else { DEBUG("Not dropping cap_sys_boot or watching utmp\n"); handler->conf->need_utmp_watch = 0; -- 1.7.4.1
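Review bot: after this change the if-branch only logs, and need_utmp_watch silently keeps whatever lxc-start (1) or lxc-execute (0) stored in conf, as the commit message explains; the code gives no hint of that, and next to the else-branch's explicit `handler->conf->need_utmp_watch = 0;` it reads like a missing assignment. A one-line comment in the if-branch stating that the caller's value is intentionally preserved would stop someone re-adding `= 1` later.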
[lxc-devel] [PATCHv3 06/14] lxc-cgroup: use correct terminology
lxc-cgroup gets or sets the value of a state object (such as 'cpuset.cpus'), not the value of a subsystem (which would be just 'cpuset'). Signed-off-by: David Ward --- doc/lxc-cgroup.sgml.in | 31 +-- src/lxc/cgroup.c |4 ++-- src/lxc/lxc_cgroup.c | 22 +++--- 3 files changed, 30 insertions(+), 27 deletions(-) diff --git a/doc/lxc-cgroup.sgml.in b/doc/lxc-cgroup.sgml.in index 5acd313..8062148 100644 --- a/doc/lxc-cgroup.sgml.in +++ b/doc/lxc-cgroup.sgml.in @@ -48,8 +48,8 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - lxc-start -n name - subsystem value + lxc-cgroup -n name + state-object value @@ -58,17 +58,20 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Description - lxc-cgroup get or set value from the control - group associated with the - container name. If - no value is specified, the value of - the subsystem is displayed, otherwise - it is set. The lxc-cgroup does not assume the - correctness of the subsystem name, it - is up to the user to specify the - right subsystem name. + lxc-cgroup gets or sets the value of a + state-object (e.g., 'cpuset.cpus') + in the container's cgroup for the corresponding subsystem (e.g., + 'cpuset'). If no value is specified, the + current value of the state-object is + displayed; otherwise it is set. + + Note that lxc-cgroup does not check that the + state-object is valid for the running + kernel, or that the corresponding subsystem is contained in any + mounted cgroup hierarchy. + @@ -77,11 +80,11 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - subsystem + state-object - Specify the subsystem control group name. + Specify the state object name. @@ -92,7 +95,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - Specify the subsystem control group value to be set. + Specify the value to assign to the state object. diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index e5145f9..f50c74a 100644 --- a/src/lxc/cgroup.c 
+++ b/src/lxc/cgroup.c @@ -531,8 +531,8 @@ int lxc_cgroup_path_get(char **path, const char *subsystem, const char *name) static charbuf[MAXPATHLEN]; static charretbuf[MAXPATHLEN]; - /* what lxc_cgroup_set calls subsystem is actually the filename, i.e. - 'devices.allow'. So for our purposee we trim it */ + /* lxc_cgroup_set passes a state object for the subsystem, +* so trim it to just the subsystem part */ if (subsystem) { snprintf(retbuf, MAXPATHLEN, "%s", subsystem); char *s = index(retbuf, '.'); diff --git a/src/lxc/lxc_cgroup.c b/src/lxc/lxc_cgroup.c index d5aa5aa..97769a5 100644 --- a/src/lxc/lxc_cgroup.c +++ b/src/lxc/lxc_cgroup.c @@ -36,7 +36,7 @@ lxc_log_define(lxc_cgroup_ui, lxc_cgroup); static int my_checker(const struct lxc_arguments* args) { if (!args->argc) { - lxc_error(args, "missing cgroup subsystem"); + lxc_error(args, "missing state object"); return -1; } return 0; @@ -49,13 +49,13 @@ static const struct option my_longopts[] = { static struct lxc_arguments my_args = { .progname = "lxc-cgroup", .help = "\ ---name=NAME subsystem [value]\n\ +--name=NAME state-object [value]\n\ \n\ -lxc-cgroup get or set subsystem value of cgroup\n\ -associated with the NAME container\n\ +Get or set the value of a state object (for example, 'cpuset.cpus')\n\ +in the container's cgroup for the corresponding subsystem.\n\ \n\ Options :\n\ - -n, --name=NAME NAME for name of the container", + -n, --name=NAME container name", .options = my_longopts, .parser = NULL, .checker = my_checker, @@ -63,7 +63,7 @@ Options :\n\ int main(int argc, char *argv[]) { - char *subsystem = NULL, *value = NULL; + char *state_object = NULL, *value = NULL; if (lxc_arguments_parse(&my_args, argc, argv)) return -1; @@ -72,15 +72,15 @@ int main(int argc, char *argv[]) my_args.progname, my_args.quiet)) return -1; - subsystem = my_args.argv[0]; + state_object = my_args.argv[0]; if ((argc) > 1) value = my_args.argv[1]; if (value) { - if (lxc_cgroup_set(my_args.name, subsystem, value)) { +
[lxc-devel] [PATCHv3 09/14] cgroup: only touch hierarchies that are bound to subsystems
Obtain a list of subsystems from /proc/cgroups, and ignore hierarchies that are not bound to any of them (especially the 'systemd' hierarchy: http://www.freedesktop.org/wiki/Software/systemd/PaxControlGroups ). Signed-off-by: David Ward --- src/lxc/cgroup.c | 50 -- 1 files changed, 48 insertions(+), 2 deletions(-) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index 7d91bbc..e124499 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c @@ -53,6 +53,39 @@ enum { CGROUP_CLONE_CHILDREN, }; +/* Check if a mount is a cgroup hierarchy for any subsystem. + * Return the first subsystem found (or NULL if none). + */ +static char *mount_has_subsystem(const struct mntent *mntent) +{ + FILE *f; + char *c, *ret; + char line[MAXPATHLEN]; + + /* read the list of subsystems from the kernel */ + f = fopen("/proc/cgroups", "r"); + if (!f) + return 0; + + /* skip the first line, which contains column headings */ + if (!fgets(line, MAXPATHLEN, f)) + return 0; + + while (fgets(line, MAXPATHLEN, f)) { + c = strchr(line, '\t'); + if (!c) + continue; + *c = '\0'; + + ret = hasmntopt(mntent, line); + if (ret) + break; + } + + fclose(f); + return ret; +} + /* * get_init_cgroup: get the cgroup init is in. * dsg: preallocated buffer to put the output in @@ -139,8 +172,15 @@ static int get_cgroup_mount(const char *subsystem, char *mnt) while ((mntent = getmntent(file))) { if (strcmp(mntent->mnt_type, "cgroup")) continue; - if (subsystem && !hasmntopt(mntent, subsystem)) - continue; + + if (subsystem) { + if (!hasmntopt(mntent, subsystem)) + continue; + } + else { + if (!mount_has_subsystem(mntent)) + continue; + } flags = get_cgroup_flags(mntent); ret = snprintf(mnt, MAXPATHLEN, "%s%s%s", mntent->mnt_dir, @@ -266,6 +306,8 @@ int lxc_cgroup_attach(const char *name, pid_t pid) if (strcmp(mntent->mnt_type, "cgroup")) continue; + if (!mount_has_subsystem(mntent)) + continue; INFO("[%d] found cgroup mounted at '%s',opts='%s'", ++found, mntent->mnt_dir, mntent->mnt_opts); 
@@ -420,6 +462,8 @@ int lxc_cgroup_create(const char *name, pid_t pid) if (strcmp(mntent->mnt_type, "cgroup")) continue; + if (!mount_has_subsystem(mntent)) + continue; INFO("[%d] found cgroup mounted at '%s',opts='%s'", ++found, mntent->mnt_dir, mntent->mnt_opts); @@ -519,6 +563,8 @@ int lxc_cgroup_destroy(const char *name) while ((mntent = getmntent(file))) { if (strcmp(mntent->mnt_type, "cgroup")) continue; + if (!mount_has_subsystem(mntent)) + continue; err = lxc_one_cgroup_destroy(mntent, name); if (err) -- 1.7.4.1
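Review bot: mount_has_subsystem() is unchanged from the v2 posting and still has the two defects there: `ret` is returned uninitialized when /proc/cgroups has no lines after the header (`char *c, *ret;` is never assigned before `return ret;`; use `ret = NULL`), and the early `return 0;` after the header-skipping fgets() leaks the FILE opened just above it (add `fclose(f)` or fall through to the common exit). The function also re-reads /proc/cgroups for every mount entry in each of the four callers; caching the subsystem list once per getmntent() loop would be cheaper.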
[lxc-devel] [PATCHv3 02/14] lxc-attach: use execvp instead of execve
execvp does not require specifying the full path to the executable (e.g., "ls" instead of "/bin/ls"), making the operation of 'lxc-attach' consistent with 'lxc-start' and 'lxc-execute'. Signed-off-by: David Ward --- src/lxc/lxc_attach.c |6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c index 3571b09..4883327 100644 --- a/src/lxc/lxc_attach.c +++ b/src/lxc/lxc_attach.c @@ -89,7 +89,7 @@ Options :\n\ .checker = NULL, }; -int main(int argc, char *argv[], char *envp[]) +int main(int argc, char *argv[]) { int ret; pid_t pid, init_pid; @@ -212,7 +212,7 @@ int main(int argc, char *argv[], char *envp[]) lxc_sync_fini(handler); if (my_args.argc) { - execve(my_args.argv[0], my_args.argv, envp); + execvp(my_args.argv[0], my_args.argv); SYSERROR("failed to exec '%s'", my_args.argv[0]); return -1; } @@ -232,7 +232,7 @@ int main(int argc, char *argv[], char *envp[]) NULL, }; - execve(args[0], args, envp); + execvp(args[0], args); SYSERROR("failed to exec '%s'", args[0]); return -1; } -- 1.7.4.1
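Review bot: switching to execvp() changes where the command is looked up: PATH is taken from lxc-attach's own environment (inherited from the host shell), but the search runs after the process has entered the container's namespaces, so every PATH entry is resolved against the container's filesystem, and an empty or relative PATH element is resolved against the attached process's cwd. That is acceptable for consistency with lxc-start/lxc-execute, as the message says, but it belongs in the lxc-attach man page. Dropping `envp` does not change the environment passed (execvp uses the caller's `environ`, which is what `envp` was), so that part is behaviour-preserving.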
[lxc-devel] [PATCHv3 01/14] use syscall numbers from Linux kernel headers
__NR_setns is defined in the Linux kernel headers in linux/unistd.h. The full Linux kernel sources are not necessary for compilation. Signed-off-by: David Ward --- config/linux.m4 | 76 --- configure.ac|8 ++--- src/lxc/Makefile.am | 11 --- src/lxc/attach.c|3 +- 4 files changed, 4 insertions(+), 94 deletions(-) delete mode 100644 config/linux.m4 diff --git a/config/linux.m4 b/config/linux.m4 deleted file mode 100644 index a4e9fa8..000 --- a/config/linux.m4 +++ /dev/null 
@@ -1,76 +0,0 @@ -AC_DEFUN([AC_LINUX], -[ - AC_LINUX_DIR() - AC_LINUX_SRCARCH() -]) - -AC_DEFUN([AS_TRY_LINUX_DIR], - [AC_MSG_CHECKING(for Linux in $1) - - if test -f "$1/Makefile" ; then - result=yes - $2 - else - result="not found" - $3 - fi - - AC_MSG_RESULT($result) -]) - -AC_DEFUN([AC_LINUX_DIR], -[ - AC_ARG_WITH([linuxdir], - [AC_HELP_STRING([--with-linuxdir=DIR], - [specify path to Linux source directory])], - [LINUX_DIR="${withval}"], - [LINUX_DIR=default]) - - dnl if specified, use the specified one - if test "${LINUX_DIR}" != "default" ; then - AS_TRY_LINUX_DIR([${LINUX_DIR}], , AC_MSG_ERROR([Linux dir not found]) ) - fi - - dnl if not specified, first try with previously set LINUX_KERNEL_RELEASE - if test "${LINUX_DIR}" = "default" ; then - dir="/lib/modules/$LINUX_KERNEL_RELEASE/build"; - AS_TRY_LINUX_DIR([${dir}], [LINUX_DIR=${dir}], ) - fi - - dnl next try using the kernel source dir - if test "${LINUX_DIR}" = "default" ; then - dir="/usr/src/linux-$LINUX_KERNEL_RELEASE"; - AS_TRY_LINUX_DIR([${dir}], [LINUX_DIR=${dir}], ) - fi - - dnl then try a common default of /usr/src/linux - if test "${LINUX_DIR}" = "default" ; then - dir="/usr/src/linux"; - AS_TRY_LINUX_DIR([${dir}], [LINUX_DIR=${dir}], ) - fi - - dnl if still nothing found, fail - if test "${LINUX_DIR}" = "default" ; then - AC_MSG_WARN([Linux source directory not found]) - fi - - AC_SUBST(LINUX_DIR) -]) - -AC_DEFUN([AC_LINUX_SRCARCH],[ - AC_MSG_CHECKING(for linux SRCARCH) - - case "${host}" in - i[[3456]]86-*) LINUX_SRCARCH=x86;; - x86_64-*) LINUX_SRCARCH=x86;; - powerpc*-*) LINUX_SRCARCH=powerpc;; - s390*-*) LINUX_SRCARCH=s390;; - arm*-*) LINUX_SRCARCH=arm;; - mips*-*) LINUX_SRCARCH=mips;; - sparc*-*) LINUX_SRCARCH=sparc;; - *) AC_MSG_ERROR([architecture ${host} not supported]);; - esac - - AC_MSG_RESULT(${LINUX_SRCARCH}) - AC_SUBST(LINUX_SRCARCH) -]) diff --git a/configure.ac b/configure.ac index e8f0cb5..c2bf4b0 100644 --- a/configure.ac +++ b/configure.ac 
@@ -65,13 +65,13 @@ AC_SUBST(LXCROOTFSMOUNT, "${with_rootfs_path}") AC_SUBST(LXCINITDIR, ['${libexecdir}/lxc']) AC_SUBST(LXCTEMPLATEDIR, ['${libdir}/lxc/templates']) -AC_CHECK_HEADERS([linux/netlink.h linux/genetlink.h], +AC_CHECK_HEADERS([linux/unistd.h linux/netlink.h linux/genetlink.h], [], - AC_MSG_ERROR([netlink headers not found. Please install the linux kernel headers.]), + AC_MSG_ERROR([Please install the Linux kernel headers.]), [#include ]) -AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([please install libcap-devel.]), +AC_CHECK_HEADERS([sys/capability.h], [], AC_MSG_ERROR([Please install the libcap development files.]), [#include #include ]) AC_CHECK_LIB(cap,cap_set_proc,caplib=yes,caplib=no) @@ -91,8 +91,6 @@ AC_CHECK_HEADERS([sys/signalfd.h]) AC_PROG_GCC_TRADITIONAL -AC_LINUX - if test "x$GCC" = "xyes"; then CFLAGS="$CFLAGS -Wall" fi diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index 3a3816e..1c26952 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -131,14 +131,3 @@ install-exec-local: install-soPROGRAMS uninstall-local: $(RM) $(DESTDIR)$(libdir)/liblxc.so* - -namespace.c: setns.h - -setns.h: - -$(CC) $(CPPFLAGS) -M -MT$@ $(LINUX_DIR)/arch/$(LINUX_SRCARCH)/include/asm/unistd.h >setns.P - -$(CPP) $(CPPFLAGS) -dM $(LINUX_DIR)/arch/$(LINUX_SRCARCH)/include/asm/unistd.h |grep setns > $@ - -clean-local: - $(RM) setns.h setns.P - --include setns.P diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 33da411..0ca8b39 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -30,6 +30,7 @@ #include #includ
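Review bot: `AC_CHECK_HEADERS([linux/unistd.h linux/netlink.h linux/genetlink.h], ...)` only proves the header exists, not that it defines __NR_setns; the setns syscall was added in Linux 3.0, so header packages from older kernels pass configure and then fail in attach.c at compile time. Suggest adding `AC_CHECK_DECL([__NR_setns], [], [AC_MSG_ERROR([__NR_setns not defined; install kernel headers from Linux 3.0 or later])], [[#include <linux/unistd.h>]])` beside the header check. Minor: the merged error text 'Please install the Linux kernel headers.' no longer names the header that failed; the preceding per-header 'checking for ...' lines make it recoverable, but keeping the header name in the message preserves the old behaviour.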
[lxc-devel] [PATCHv3 10/14] refresh lxc-ls
Add an '--active' option that lists active containers by searching cgroups. (Otherwise, the directories in /var/lib/lxc are listed.) Modify the cgroup search to only use hierarchies that contain one or more subsystems. When searching, if a hierarchy contains the 'ns' subsystem, do not append '/lxc' to the parent cgroup. Add a '--help' option that prints the command syntax. Print error messages and help information to stderr. Update the documentation. Signed-off-by: David Ward --- doc/lxc-ls.sgml.in | 17 ++- src/lxc/lxc-ls.in | 119 ++- 2 files changed, 102 insertions(+), 34 deletions(-) diff --git a/doc/lxc-ls.sgml.in b/doc/lxc-ls.sgml.in index 3ffd4f8..d33e9b3 100644 --- a/doc/lxc-ls.sgml.in +++ b/doc/lxc-ls.sgml.in @@ -48,7 +48,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - lxc-ls ls option + lxc-ls --active ls option @@ -67,6 +67,17 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + --active + + + + List active containers. + + + + + + ls options @@ -94,10 +105,10 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - lxc-ls -1 + lxc-ls --active -1 - list all the containers and display the list in one column. + list active containers and display the list in one column. diff --git a/src/lxc/lxc-ls.in b/src/lxc/lxc-ls.in index a1ad642..11a3b45 100644 --- a/src/lxc/lxc-ls.in +++ b/src/lxc/lxc-ls.in 
@@ -1,43 +1,100 @@ #!/bin/bash -localstatedir=@LOCALSTATEDIR@ -lxcpath=@LXCPATH@ +# +# lxc: linux Container library -if [ ! -r $lxcpath ]; then -exit 0 -fi +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. + +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +localstatedir=@LOCALSTATEDIR@ +lxc_path=@LXCPATH@ -function get_cgroup() +usage() { - local mount_string - mount_string=$(mount -t cgroup |grep -E -e '^lxc ') - if test -n "$mount_string"; then - mount_point=$(echo $mount_string |cut -d' ' -f3) - return - fi - mount_string=`grep -m1 -E '^[^ \t]+[ \t]+[^ \t]+[ \t]+cgroup' /proc/self/mounts`; - if test -z "$mount_string"; then - echo "failed to find mounted cgroup" - exit 1 - fi - mount_point=`echo "$mount_string" |cut -d' ' -f2`; + echo "usage: $(basename $0) [--active] [--] [LS_OPTIONS...]" >&2 } -ls "$@" $lxcpath +help() { + usage + echo >&2 + echo "List containers existing on the system." 
>&2 + echo >&2 + echo " --active list active containers" >&2 + echo " LS_OPTIONS ls command options (see \`ls --help')" >&2 +} + +get_parent_cgroup() +{ + local hierarchies hierarchy fields subsystems init_cgroup mountpoint + + parent_cgroup="" + + # Obtain a list of hierarchies that contain one or more subsystems + hierarchies=$(tail -n +2 /proc/cgroups | cut -f 2) -active=$(netstat -xl 2>/dev/null | grep $lxcpath | \ - sed -e 's#.*'"$lxcpath/"'\(.*\)/command#\1#'); + # Iterate through the list until a suitable hierarchy is found + for hierarchy in $hierarchies; do + # Obtain information about the init process in the hierarchy + fields=$(grep -E "^$hierarchy:" /proc/1/cgroup | head -n 1) + if [ -z "$fields" ]; then continue; fi + fields=${fields#*:} -if test -n "$active"; then - get_cgroup - if test -n "$mount_point"; then - # get cgroup for init - init_cgroup=`cat /proc/1/cgroup | awk -F: '{ print $3 }' | head -1` - if [ ! -d $mount_point/$init_cgroup/lxc ]; then - cd $mount_point/$init_cgroup + # Get a comma-separated list of the hierarchy
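Review bot: `hierarchies=$(tail -n +2 /proc/cgroups | cut -f 2)` yields one entry per subsystem, not per hierarchy: co-mounted subsystems (cpu and cpuacct in one hierarchy) repeat the same id, and an enabled but unmounted subsystem contributes 0, for which `grep -E "^0:" /proc/1/cgroup` finds no line. The loop stays correct because it breaks on the first usable hierarchy, but `| sort -u | grep -v '^0$'` would make the variable match its comment and skip the redundant greps. Style: `$(basename $0)` in usage() and help() should be `"$(basename "$0")"` now that the scripts print it on every error.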
[lxc-devel] [PATCHv3 00/14] Assorted fixes against lxc 0.8.0-rc2
v3: Rebase onto 0.8.0-rc2; add cgroup fixes to handle ns subsystem; fix terminology in lxc-cgroup
v2: Add changes to scripts (including new '--active' flag for lxc-ls)

The following patches address a number of different issues I discovered while building or using lxc (these are not feature patches). They were tested on top of lxc 0.8.0-rc2 under both Fedora 14 and Fedora 16. I am submitting them for inclusion in lxc 0.8.0. Please let me know if you have any questions or concerns.

David Ward (14):
  use syscall numbers from Linux kernel headers
  lxc-attach: use execvp instead of execve
  utmp: do not set conf->need_utmp_watch if CAP_SYS_BOOT is not found
  utmp: support non-rootfs configuration
  cgroup: additional fix for deprecated ns subsystem
  lxc-cgroup: use correct terminology
  cgroup: rearrange code blocks
  lxc-attach: unify code for attaching a pid to a cgroup
  cgroup: only touch hierarchies that are bound to subsystems
  refresh lxc-ls
  refresh lxc-netstat
  rewrite lxc-ps
  make help consistent for other scripts
  lxc-setcap/lxc-setuid: add autoconf expansion for $libexecdir

 config/linux.m4            |  76 --
 configure.ac               |   9 +-
 doc/lxc-cgroup.sgml.in     |  31 +++--
 doc/lxc-ls.sgml.in         |  17 ++-
 src/lxc/Makefile.am        |  11 --
 src/lxc/attach.c           | 113 +---
 src/lxc/attach.h           |   9 --
 src/lxc/cgroup.c           | 210 ++---
 src/lxc/cgroup.h           |   2 +-
 src/lxc/lxc-checkconfig.in |  15 +-
 src/lxc/lxc-clone.in       |  70 +-
 src/lxc/lxc-create.in      |  96 ++---
 src/lxc/lxc-destroy.in     |  40 --
 src/lxc/lxc-ls.in          | 119
 src/lxc/lxc-netstat.in     | 146 +---
 src/lxc/lxc-ps.in          | 329
 src/lxc/lxc-setcap.in      |  37 --
 src/lxc/lxc-setuid.in      |  36 --
 src/lxc/lxc_attach.c       |  10 +-
 src/lxc/lxc_cgroup.c       |  22 ++--
 src/lxc/start.c            |   3 +-
 src/lxc/utmp.c             |   4 -
 22 files changed, 653 insertions(+), 752 deletions(-)
 delete mode 100644 config/linux.m4
 mode change 100755 => 100644 src/lxc/lxc-checkconfig.in
 mode change 100755 => 100644 src/lxc/lxc-ps.in

-- 
1.7.4.1
[lxc-devel] [PATCHv3 08/14] lxc-attach: unify code for attaching a pid to a cgroup
To attach a new pid to the cgroups for an existing container, we can use the same method that we did when we started the container: iterate over all the mounted cgroup hierarchies; find the cgroup that pid 1 is in for each hierarchy; add 'lxc/' to the end of it; then write the pid to the 'tasks' file in that cgroup. (The only difference is that we do not create the cgroup again.) Note that we follow exactly the same iteration pattern to delete our cgroups when a container is shutdown. There may be situations where additional cgroups hierarchies are mounted after the container is started, or the cgroup for pid 1 gets reassigned. But we currently don't handle any of these cases in the shutdown code or anywhere else, so it doesn't make sense to try to handle these cases for lxc-attach by itself. Aside from simplifying the code, this change makes it easier to solve a different problem: ignoring hierarchies that are not bound to any subsystems (like 'systemd'). Signed-off-by: David Ward --- src/lxc/attach.c | 110 + src/lxc/attach.h |9 src/lxc/cgroup.c | 97 +--- src/lxc/cgroup.h |2 +- src/lxc/lxc_attach.c |4 +- 5 files changed, 61 insertions(+), 161 deletions(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 0ca8b39..a95b3d3 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -60,10 +60,9 @@ struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid) struct lxc_proc_context_info *info = calloc(1, sizeof(*info)); FILE *proc_file; char proc_fn[MAXPATHLEN]; - char *line = NULL, *ptr, *ptr2; + char *line = NULL; size_t line_bufsz = 0; - int ret, found, l; - int i; + int ret, found; if (!info) { SYSERROR("Could not allocate memory."); 
@@ -114,117 +113,14 @@ struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid) goto out_error; } - /* read cgroups */ - snprintf(proc_fn, MAXPATHLEN, "/proc/%d/cgroup", pid); - - proc_file = fopen(proc_fn, "r"); - if (!proc_file) { - SYSERROR("Could not open %s", proc_fn); - goto out_error; - } - - /* we don't really know how many cgroup subsystems there are -* mounted, so we go through the whole file twice */ - i = 0; - while (getline(&line, &line_bufsz, proc_file) != -1) { - /* we assume that all lines containing at least two colons -* are valid */ - ptr = strchr(line, ':'); - if (ptr && strchr(ptr + 1, ':')) - i++; - } - - rewind(proc_file); - - info->cgroups = calloc(i, sizeof(*(info->cgroups))); - info->cgroups_count = i; - - i = 0; - while (getline(&line, &line_bufsz, proc_file) != -1 && i < info->cgroups_count) { - /* format of the lines is: -* id:subsystems:path, where subsystems are separated by -* commas and each subsystem may also be of the form -* name=xxx if it describes a private named hierarchy -* we will ignore the id in the following */ - ptr = strchr(line, ':'); - ptr2 = ptr ? 
strchr(ptr + 1, ':') : NULL; - - /* ignore invalid lines */ - if (!ptr || !ptr2) continue; - - l = strlen(ptr2) - 1; - if (ptr2[l] == '\n') - ptr2[l] = '\0'; - - info->cgroups[i].subsystems = strndup(ptr + 1, ptr2 - (ptr + 1)); - info->cgroups[i].cgroup = strdup(ptr2 + 1); - - i++; - } - - free(line); - fclose(proc_file); - return info; out_error: - lxc_proc_free_context_info(info); + free(info); free(line); return NULL; } -void lxc_proc_free_context_info(struct lxc_proc_context_info *info) -{ - if (!info) - return; - - if (info->cgroups) { - int i; - for (i = 0; i < info->cgroups_count; i++) { - free(info->cgroups[i].subsystems); - free(info->cgroups[i].cgroup); - } - } - free(info->cgroups); - free(info); -} - -int lxc_attach_proc_to_cgroups(pid_t pid, struct lxc_proc_context_info *ctx) -{ - int i, ret; - - if (!ctx) { - ERROR("No valid context supplied when asked to attach " - "process to cgroups."); - return -1; - } - - for (i = 0; i < ctx->cgroups_count; i++) { - char *path; - -
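Review bot: the removed parser read /proc/<pid>/cgroup, i.e. the cgroups the container's init actually sits in, while the replacement (per the commit message) recomputes `<pid 1 cgroup>/lxc/<name>` from the host's pid 1 for every hierarchy. The message is candid that a moved cgroup is not handled, but the consequence for lxc-attach is that the pid is silently written into a different cgroup than the one the container runs in, or the write fails on a missing tasks file. Please state the assumption in the lxc-attach man page and log the resolved cgroup path at INFO level in the shared code path, so a mismatch shows up in the log. Replacing `lxc_proc_free_context_info(info)` with `free(info)` in out_error is consistent with dropping the cgroups array, as long as no other member of the struct is heap-allocated.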
[lxc-devel] [PATCHv3 11/14] refresh lxc-netstat
Modify the cgroup search to only use hierarchies that contain one or more subsystems. When searching, if a hierarchy contains the 'ns' subsystem, do not append '/lxc' to the parent cgroup. Change method of bind mounting /proc//net onto /proc/net, to avoid error "cannot mount block device /proc//net read-only". Check that user is root. Check that container name is specified before calling 'exec'. Update the help information. Print error messages and help information to stderr. Make indentation consistent. Signed-off-by: David Ward --- src/lxc/lxc-netstat.in | 146 +++ 1 files changed, 96 insertions(+), 50 deletions(-) diff --git a/src/lxc/lxc-netstat.in b/src/lxc/lxc-netstat.in index 9e7eec3..113c0da 100644 --- a/src/lxc/lxc-netstat.in +++ b/src/lxc/lxc-netstat.in 
@@ -1,21 +1,70 @@ #!/bin/bash -# set -ex + +# +# lxc: linux Container library + +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. + +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public +# License along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA usage() { - echo "usage: $(basename $0) --name [netstat options]" + echo "usage: $(basename $0) --name NAME [--] [NETSTAT_OPTIONS...]" >&2 } help() { usage - echo - echo "execute netstat for the specified container" - echo "with the added netstat options" - echo - echo "Options:" - echo "name : name of the container" - echo "help : this current help." - echo - echo "to be executed as root." + echo >&2 + echo "Execute 'netstat' for the specified container." 
>&2 + echo >&2 + echo " --name NAME specify the container name" >&2 + echo " NETSTAT_OPTIONS netstat command options (see \`netstat --help')" >&2 +} + +get_parent_cgroup() +{ + local hierarchies hierarchy fields subsystems init_cgroup mountpoint + + parent_cgroup="" + + # Obtain a list of hierarchies that contain one or more subsystems + hierarchies=$(tail -n +2 /proc/cgroups | cut -f 2) + + # Iterate through the list until a suitable hierarchy is found + for hierarchy in $hierarchies; do + # Obtain information about the init process in the hierarchy + fields=$(grep -E "^$hierarchy:" /proc/1/cgroup | head -n 1) + if [ -z "$fields" ]; then continue; fi + fields=${fields#*:} + + # Get a comma-separated list of the hierarchy's subsystems + subsystems=${fields%:*} + + # Get the cgroup of the init process in the hierarchy + init_cgroup=${fields#*:} + + # Get the filesystem mountpoint of the hierarchy + mountpoint=$(grep -E "^cgroup [^ ]+ [^ ]+ ([^ ]+,)?$subsystems(,[^ ]+)? " /proc/self/mounts | cut -d ' ' -f 2) + if [ -z "$mountpoint" ]; then continue; fi + + # Return the absolute path to the containers' parent cgroup + # (do not append '/lxc' if the hierarchy contains the 'ns' subsystem) + if [[ ",$subsystems," == *,ns,* ]]; then + parent_cgroup="${mountpoint}${init_cgroup%/}" + else + parent_cgroup="${mountpoint}${init_cgroup%/}/lxc" + fi + break + done } exec="" @@ -25,19 +74,24 @@ if [ $# -eq 0 ]; then exit 1 fi -for i in "$@"; do - case $i in +while true; do + case $1 in -h|--help) help; exit 1;; -n|--name) name=$2; shift 2;; --exec) exec="exec"; shift;; + --) + shift; break;; + *) + break; esac done -if [ -z "$exec" ]; then -exec @BINDIR@/lxc-unshare -s MOUNT -- $0 -n $name --exec "$@" +if [ "$(id -u)" != "0" ]; then + echo "$(basename $0): must be run as root" >
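Review bot: the mountpoint lookup `grep -E "^cgroup [^ ]+ [^ ]+ ([^ ]+,)?$subsystems(,[^ ]+)? " /proc/self/mounts` anchors on the first column, the mount source, whereas the code it replaces matched the filesystem type column (`mount -t cgroup` and the `...[ \t]+cgroup` regex) and even special-cased a source named `lxc`; a hierarchy mounted under any other source name is now skipped and the search ends with no hierarchy found. Suggest selecting rows by the third field instead, e.g. with awk `$3 == "cgroup"`, and comparing the subsystem list as a set of options rather than a substring so the match does not depend on the order in which the kernel lists them.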
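The cgroup lookup that get_parent_cgroup() performs in the lxc-ls and lxc-netstat patches above, written as a stand-alone POSIX shell function. This is an added example and not code from the lxc patches: it takes the contents of /proc/cgroups, /proc/1/cgroup and /proc/self/mounts as arguments (constructed sample text here, including a hierarchy mounted under the source name 'lxc' with its options listed in reversed order, and a controller that is enabled but not mounted) so it runs offline, matches the mount on its filesystem-type column, and compares the subsystem list as a set. Function and variable names are mine.

```shell
#!/bin/sh
# Added example (not part of the lxc patches): resolve the containers'
# parent cgroup for one subsystem, in the spirit of get_parent_cgroup()
# from lxc-ls/lxc-netstat, but matching the mount by filesystem type
# (third column) and comparing subsystem options as a set.

# Constructed sample inputs standing in for /proc/cgroups, /proc/1/cgroup
# and /proc/self/mounts.  Hierarchy 3 is mounted under the source name
# "lxc" with its options listed as cpuacct,cpu; the devices controller is
# enabled but not mounted anywhere (hierarchy 0).
SAMPLE_CGROUPS='#subsys_name hierarchy num_cgroups enabled
cpuset 2 1 1
cpu 3 4 1
cpuacct 3 4 1
memory 4 2 1
ns 5 1 1
devices 0 1 1'

SAMPLE_INIT_CGROUP='5:ns:/
4:memory:/
3:cpu,cpuacct:/
2:cpuset:/
1:name=systemd:/'

SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,name=systemd 0 0
lxc /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,relatime,memory 0 0
cgroup /cgroup cgroup rw,relatime,ns 0 0'

# find_parent_cgroup SUBSYS CGROUPS INIT_CGROUP MOUNTS
# Prints the absolute parent cgroup for SUBSYS ("/lxc" is not appended
# when the hierarchy carries the ns subsystem); returns 1 when the
# subsystem's hierarchy is not mounted.
find_parent_cgroup() {
    local subsys cgroups init_cgroup mounts hid fields subsystems init_path mountpoint
    subsys=$1; cgroups=$2; init_cgroup=$3; mounts=$4

    # Hierarchy id of the subsystem; 0 means enabled but not mounted.
    hid=$(printf '%s\n' "$cgroups" | awk -v s="$subsys" 'NR > 1 && $1 == s { print $2 }')
    [ -n "$hid" ] && [ "$hid" != 0 ] || return 1

    # "id:subsystems:path" line for init in that hierarchy.
    fields=$(printf '%s\n' "$init_cgroup" | awk -F: -v h="$hid" '$1 == h { print; exit }')
    [ -n "$fields" ] || return 1
    fields=${fields#*:}
    subsystems=${fields%%:*}
    init_path=${fields#*:}

    # Mountpoint: a row of type cgroup whose option list contains every
    # subsystem of the hierarchy, regardless of source name or order.
    mountpoint=$(printf '%s\n' "$mounts" | awk -v want_list="$subsystems" '
        $3 == "cgroup" {
            split("", have)
            n = split($4, opt, ","); for (i = 1; i <= n; i++) have[opt[i]] = 1
            m = split(want_list, want, ","); ok = 1
            for (j = 1; j <= m; j++) if (!(want[j] in have)) ok = 0
            if (ok) { print $2; exit }
        }')
    [ -n "$mountpoint" ] || return 1

    case ",$subsystems," in
        *,ns,*) printf '%s\n' "${mountpoint}${init_path%/}" ;;
        *)      printf '%s\n' "${mountpoint}${init_path%/}/lxc" ;;
    esac
}

# Stand-alone demonstration over the constructed data.
for s in cpu cpuacct memory ns devices; do
    if p=$(find_parent_cgroup "$s" "$SAMPLE_CGROUPS" "$SAMPLE_INIT_CGROUP" "$SAMPLE_MOUNTS"); then
        echo "$s -> $p"
    else
        echo "$s -> (hierarchy not mounted)"
    fi
done
```

On a live system the three arguments would be `"$(cat /proc/cgroups)"`, `"$(cat /proc/1/cgroup)"` and `"$(cat /proc/self/mounts)"`; the set comparison is what lets the `lxc`-sourced mount with options `cpuacct,cpu` satisfy a lookup for the `cpu,cpuacct` hierarchy.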
[lxc-devel] [PATCHv3 04/14] utmp: support non-rootfs configuration
Having a rootfs is not a necessary condition for monitoring utmp, since /var or /var/run can just be remounted inside the container instead. We should rely on the other two conditions already in place to decide whether to monitor the utmp file: - the container was started with 'lxc-start', which indicates that it has a real init process and is expected to write to a utmp file - support for CAP_SYS_BOOT was not found in the kernel, which would otherwise supersede utmp monitoring Signed-off-by: David Ward --- src/lxc/utmp.c |4 1 files changed, 0 insertions(+), 4 deletions(-) diff --git a/src/lxc/utmp.c b/src/lxc/utmp.c index b6469b0..a7b9b52 100644 --- a/src/lxc/utmp.c +++ b/src/lxc/utmp.c @@ -233,10 +233,6 @@ int lxc_utmp_mainloop_add(struct lxc_epoll_descr *descr, char path2[MAXPATHLEN]; int fd, wd; struct lxc_utmp *utmp_data; - struct lxc_conf *conf = handler->conf; - - if (!conf->rootfs.path) - return 0; /* We set up a watch for the /var/run directory. We're only interested * in utmp at the moment, but want to watch for delete and create -- 1.7.4.1 -- This SF email is sponsosred by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
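Review bot: the commit message's premise that '/var or /var/run can just be remounted inside the container' is not checked by this hunk: with `if (!conf->rootfs.path) return 0;` gone, a rootfs-less container whose configuration does not remount /var/run gets the inotify watch on the host's own /var/run/utmp, and a runlevel change recorded there by the host is read as the container halting or rebooting. Suggest either documenting the required remount for the no-rootfs case in lxc.conf(5), or checking that /var/run inside the container is a separate mount before arming the watch.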
[lxc-devel] [PATCHv3 07/14] cgroup: rearrange code blocks
Avoid nesting and improve readability. Signed-off-by: David Ward --- src/lxc/cgroup.c | 70 - 1 files changed, 32 insertions(+), 38 deletions(-) diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index f50c74a..8d70951 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c @@ -157,6 +157,7 @@ static int get_cgroup_mount(const char *subsystem, char *mnt) struct mntent *mntent; char initcgroup[MAXPATHLEN]; FILE *file = NULL; + int ret, flags, err = -1; file = setmntent(MTAB, "r"); if (!file) { @@ -165,32 +166,29 @@ static int get_cgroup_mount(const char *subsystem, char *mnt) } while ((mntent = getmntent(file))) { - if (strcmp(mntent->mnt_type, "cgroup")) continue; - if (!subsystem || hasmntopt_multiple(mntent, subsystem)) { - int ret; - int flags = get_cgroup_flags(mntent); - ret = snprintf(mnt, MAXPATHLEN, "%s%s%s", - mntent->mnt_dir, - get_init_cgroup(subsystem, NULL, - initcgroup), - (flags & CGROUP_NS_CGROUP) ? "" : "/lxc"); - if (ret < 0 || ret >= MAXPATHLEN) - goto fail; - fclose(file); - DEBUG("using cgroup mounted at '%s'", mnt); - return 0; - } + if (subsystem && !hasmntopt_multiple(mntent, subsystem)) + continue; + + flags = get_cgroup_flags(mntent); + ret = snprintf(mnt, MAXPATHLEN, "%s%s%s", mntent->mnt_dir, + get_init_cgroup(subsystem, NULL, initcgroup), + (flags & CGROUP_NS_CGROUP) ? "" : "/lxc"); + if (ret < 0 || ret >= MAXPATHLEN) + goto fail; + + DEBUG("using cgroup mounted at '%s'", mnt); + err = 0; + goto out; }; fail: DEBUG("Failed to find cgroup for %s\n", subsystem ? subsystem : "(NULL)"); - - fclose(file); - - return -1; +out: + endmntent(file); + return err; } int lxc_ns_is_mounted(void) 
@@ -409,18 +407,17 @@ int lxc_cgroup_create(const char *name, pid_t pid) } while ((mntent = getmntent(file))) { - DEBUG("checking '%s' (%s)", mntent->mnt_dir, mntent->mnt_type); - if (!strcmp(mntent->mnt_type, "cgroup")) { + if (strcmp(mntent->mnt_type, "cgroup")) + continue; - INFO("[%d] found cgroup mounted at '%s',opts='%s'", -++found, mntent->mnt_dir, mntent->mnt_opts); + INFO("[%d] found cgroup mounted at '%s',opts='%s'", +++found, mntent->mnt_dir, mntent->mnt_opts); - err = lxc_one_cgroup_create(name, mntent, pid); - if (err) - goto out; - } + err = lxc_one_cgroup_create(name, mntent, pid); + if (err) + goto out; }; if (!found) @@ -498,7 +495,7 @@ int lxc_cgroup_destroy(const char *name) { struct mntent *mntent; FILE *file = NULL; - int ret, err = -1; + int err = -1; file = setmntent(MTAB, "r"); if (!file) { @@ -507,18 +504,15 @@ int lxc_cgroup_destroy(const char *name) } while ((mntent = getmntent(file))) { - if (!strcmp(mntent->mnt_type, "cgroup")) { - ret = lxc_one_cgroup_destroy(mntent, name); - if (ret) { - fclose(file); - return ret; - } - err = 0; - } - } + if (strcmp(mntent->mnt_type, "cgroup")) + continue; - fclose(file); + err = lxc_one_cgroup_destroy(mntent, name); + if (err) + break; + } + endmntent(file); return err; } /* -- 1.7.4.1 -- This SF email is sponsosred by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
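Review bot: replacing `fclose(file)` with `endmntent(file)` in get_cgroup_mount and lxc_cgroup_destroy is the correct pairing for setmntent, but it is a behavioural fix rather than a rearrangement and deserves a line in the commit message (lxc_cgroup_create still uses whichever close it had before). In get_cgroup_mount the snprintf truncation case still lands on `fail:` and logs 'Failed to find cgroup for %s', which misdescribes what happened; with a single exit path now in place a distinct message for the truncation is cheap. Minor: the stray `};` after the while loops in get_cgroup_mount and lxc_cgroup_create survives the reshuffle and could be dropped while these lines are being touched.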
[lxc-devel] [PATCHv3 13/14] make help consistent for other scripts
Display help information in a consistent format. Print error messages and help information to stderr. Prefix error messages with the name of the script (for easier debugging as part of larger scripts). Allow help information to be printed as a non-root user. Fix file mode for lxc-checkconfig.in. Signed-off-by: David Ward --- src/lxc/lxc-checkconfig.in | 15 +++ src/lxc/lxc-clone.in | 70 +++- src/lxc/lxc-create.in | 96 --- src/lxc/lxc-destroy.in | 40 -- src/lxc/lxc-setcap.in | 36 +++- src/lxc/lxc-setuid.in | 35 ++- 6 files changed, 158 insertions(+), 134 deletions(-) mode change 100755 => 100644 src/lxc/lxc-checkconfig.in diff --git a/src/lxc/lxc-checkconfig.in b/src/lxc/lxc-checkconfig.in old mode 100755 new mode 100644 index 39da910..8c2b5e5 --- a/src/lxc/lxc-checkconfig.in +++ b/src/lxc/lxc-checkconfig.in @@ -32,7 +32,7 @@ is_enabled() { } if [ ! -f $CONFIG ]; then -echo "Kernel config $CONFIG not found, looking in other places..." +echo "Kernel configuration not found at $CONFIG; searching..." KVER="`uname -r`" HEADERS_CONFIG="/lib/modules/$KVER/build/.config" BOOT_CONFIG="/boot/config-$KVER" @@ -40,15 +40,14 @@ if [ ! -f $CONFIG ]; then [ -f "${BOOT_CONFIG}" ] && CONFIG=${BOOT_CONFIG} GREP=grep if [ ! -f $CONFIG ]; then -echo -echo "The kernel configuration can not be retrieved." -echo "Please recompile with IKCONFIG_PROC, or" - echo "install the kernel headers, or specify" - echo "the path to the config file with: CONFIG= lxc-checkconfig" -echo +echo "$(basename $0): unable to retrieve kernel configuration" >&2 +echo >&2 +echo "Try recompiling with IKCONFIG_PROC, installing the kernel headers," >&2 +echo "or specifying the kernel configuration path with:" >&2 +echo " CONFIG= $(basename $0)" >&2 exit 1 else -echo "Found kernel config file $CONFIG" +echo "Kernel configuration found at $CONFIG" fi fi diff --git a/src/lxc/lxc-clone.in b/src/lxc/lxc-clone.in index 386be30..c7413f2 100644 --- a/src/lxc/lxc-clone.in +++ b/src/lxc/lxc-clone.in 
@@ -24,22 +24,24 @@ set -e usage() { -echo "usage: lxc-clone -o -n [-s] [-h] [-L fssize] [-v vgname] [-p lxc_lv_prefix] [-t fstype]" +echo "usage: $(basename $0) -o ORIG_NAME -n NEW_NAME [-s] [-h] [-L FS_SIZE]" >&2 +echo "[-v VG_NAME] [-p LV_PREFIX] [-t FS_TYPE]" >&2 } help() { usage -echo -echo "creates a lxc system object." -echo -echo "Options:" -echo "orig: name of the original container" -echo "new : name of the new container" -echo "-s : make the new rootfs a snapshot of the original" -echo "fssize : size if creating a new fs. By default, 2G" -echo "vgname : lvm volume group name, lxc by default" -echo "lvprefix: lvm volume name prefix, none by default, e.g. --lvprefix=lxc_ then new lxc lv name will be lxc_newname" -echo "fstype : new container file system type, ext3 by default (only works for non-snapshot lvm)" +echo >&2 +echo "Clone an existing container on the system." >&2 +echo >&2 +echo "Options:" >&2 +echo " -o ORIG_NAME specify the name of the original container" >&2 +echo " -n NEW_NAMEspecify the name of the new container" >&2 +echo " -s make the new rootfs a snapshot of the original" >&2 +echo " -L FS_SIZE specify the new filesystem size (default: 2G)" >&2 +echo " -v VG_NAME specify the new LVM volume group name (default: lxc)" >&2 +echo " -p LV_PREFIX add a prefix to new LVM logical volume names" >&2 +echo " -t FS_TYPE specify the new filesystem type (default: ext3;" >&2 +echo " only works for non-snapshot LVM)" >&2 } shortoptions='ho:n:sL:v:p:t:' @@ -62,8 +64,8 @@ fi eval set -- "$getopt" while true; do -case "$1" in --h|--help) +case "$1" in +-h|--help) help exit 1 ;; @@ -102,52 +104,46 @@ while true; do break ;; *) -echo $1 usage exit 1 ;; -esac +esac done if [ -z
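Review bot: the `*)` branch of lxc-clone's option loop drops `echo $1`, so an unrecognised argument now produces only the usage text with no indication of which argument was rejected, which works against this patch's goal of script-name-prefixed error messages. Suggest `echo "$(basename $0): unrecognized option '$1'" >&2` before `usage` there, and the same in the fallthrough branches of the other scripts touched here.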
[lxc-devel] [PATCHv3 14/14] lxc-setcap/lxc-setuid: add autoconf expansion for $libexecdir
Support new default location for LXCINITDIR. Signed-off-by: David Ward --- configure.ac |1 + src/lxc/lxc-setcap.in |1 + src/lxc/lxc-setuid.in |1 + 3 files changed, 3 insertions(+), 0 deletions(-) diff --git a/configure.ac b/configure.ac index c2bf4b0..0c8aa69 100644 --- a/configure.ac +++ b/configure.ac @@ -40,6 +40,7 @@ AM_CONDITIONAL([ENABLE_EXAMPLES], [test "x$enable_examples" = "xyes"]) AS_AC_EXPAND(PREFIX, $prefix) AS_AC_EXPAND(LIBDIR, $libdir) AS_AC_EXPAND(BINDIR, $bindir) +AS_AC_EXPAND(LIBEXECDIR, $libexecdir) AS_AC_EXPAND(INCLUDEDIR, $includedir) AS_AC_EXPAND(SYSCONFDIR, $sysconfdir) AS_AC_EXPAND(DATADIR, $datadir) diff --git a/src/lxc/lxc-setcap.in b/src/lxc/lxc-setcap.in index 52d4b48..71e3710 100644 --- a/src/lxc/lxc-setcap.in +++ b/src/lxc/lxc-setcap.in @@ -84,6 +84,7 @@ lxc_dropcaps() shortoptions='hd' longoptions='help' libdir=@LIBDIR@ +libexecdir=@LIBEXECDIR@ localstatedir=@LOCALSTATEDIR@ getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@") diff --git a/src/lxc/lxc-setuid.in b/src/lxc/lxc-setuid.in index 0919eac..020dfae 100644 --- a/src/lxc/lxc-setuid.in +++ b/src/lxc/lxc-setuid.in @@ -81,6 +81,7 @@ lxc_dropuid() shortoptions='hd' longoptions='help' libdir=@LIBDIR@ +libexecdir=@LIBEXECDIR@ localstatedir=@LOCALSTATEDIR@ getopt=$(getopt -o $shortoptions --longoptions $longoptions -- "$@") -- 1.7.4.1 -- This SF email is sponsosred by: Try Windows Azure free for 90 days Click Here http://p.sf.net/sfu/sfd2d-msazure ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
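Review bot: `libexecdir=@LIBEXECDIR@` is added to lxc-setcap.in and lxc-setuid.in, but with one insertion per file no use of $libexecdir appears in this patch, so either the variable is dead or its consumer was folded into 13/14; in the latter case the two should be in the same patch so each applies and works on its own. Since configure.ac (visible in the 01/14 hunk on this page) defines LXCINITDIR as '${libexecdir}/lxc', the expected consumer is presumably the lxc-init path handed to setcap/chown in these scripts; please show it.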
[lxc-devel] poor 10G ethernet performance
Hello,

My group is measuring network performance of LXC. We can get 9 Gig/sec between the host machine and the other machine. But, between an LXC instance and the other machine, we only get 3.7 Gig/sec. We also measured performance between the LXC instance and its host machine. It is 3.5 Gig/sec.

Is it normal? Is there any way to improve the performance?

We use Linux kernel 2.6.38. We used bridge for networking.

Thanks,
David

-- 
Dr. Dong-In "David" Kang
Computer Scientist
USC/ISI
[lxc-devel] [PATCH] lxc-attach: Clear environment and set container=lxc
The child process's environment should be manipulated the same way by lxc-attach as it would be by lxc-start or lxc-execute. Signed-off-by: David Ward --- src/lxc/attach.c | 15 +++ src/lxc/attach.h |1 + src/lxc/lxc_attach.c |5 + 3 files changed, 21 insertions(+), 0 deletions(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 2f32025..12adadb 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -277,6 +277,21 @@ int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx) return 0; } +int lxc_attach_set_environment() +{ + if (clearenv()) { + SYSERROR("failed to clear environment"); + /* don't error out though */ + } + + if (putenv("container=lxc")) { + SYSERROR("failed to set environment variable"); + return -1; + } + + return 0; +} + char *lxc_attach_getpwshell(uid_t uid) { /* local variables */ diff --git a/src/lxc/attach.h b/src/lxc/attach.h index 6bbfb42..404ff4c 100644 --- a/src/lxc/attach.h +++ b/src/lxc/attach.h @@ -37,6 +37,7 @@ extern struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid); extern int lxc_attach_to_ns(pid_t other_pid, int which); extern int lxc_attach_remount_sys_proc(); extern int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx); +extern int lxc_attach_set_environment(); extern char *lxc_attach_getpwshell(uid_t uid); diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c index 678b76d..7fd76ee 100644 --- a/src/lxc/lxc_attach.c +++ b/src/lxc/lxc_attach.c 
@@ -411,6 +411,11 @@ int main(int argc, char *argv[]) return -1; } + if (lxc_attach_set_environment()) { + ERROR("could not set environment"); + return -1; + } + /* tell parent we are done setting up the container and wait * until we have been put in the container's cgroup, if * applicable */ -- 1.7.1 -- Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_d2d_mar ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
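Review bot: clearenv() removes PATH, and because lxc-attach execs via execvp (02/14 on this page), a relative command name now resolves through glibc's built-in default search path (/bin:/usr/bin) rather than the caller's PATH; TERM is cleared too, which degrades the interactive-shell case from the second exec site. If matching lxc-start is the goal, say so in the lxc-attach man page, and consider carrying TERM over explicitly. Minor: `int lxc_attach_set_environment()` should be declared `(void)` in both attach.c and attach.h so call sites are prototype-checked, matching `lxc_attach_remount_sys_proc()` which has the same issue.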
[lxc-devel] [PATCH] Set all mounts to MS_SLAVE when starting a container without a rootfs
If the filesystem mounts on the host have the MS_SHARED or MS_SLAVE flag set, and a container without a rootfs is started, then any new mounts created inside the container are currently propagated into the host. In addition to mounts placed in the configuration file of the container or performed manually after startup, the automatic mounting of /proc by lxc-execute will propagate back into the host, effectively crippling the entire system. This can be prevented by setting the MS_SLAVE flag on all mounts (inside the container's own mount namespace) during startup if a rootfs is not configured. Signed-off-by: David Ward --- src/lxc/conf.c |7 ++- 1 files changed, 6 insertions(+), 1 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 965a0d2..6b3f318 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1129,8 +1129,13 @@ static int setup_rootfs(struct lxc_conf *conf) { const struct lxc_rootfs *rootfs = &conf->rootfs; - if (!rootfs->path) + if (!rootfs->path) { + if (mount("", "/", NULL, MS_SLAVE|MS_REC, 0)) { + SYSERROR("Failed to make / rslave"); + return -1; + } return 0; + } if (access(rootfs->mount, F_OK)) { SYSERROR("failed to access to '%s', check it is present", -- 1.7.1 -- Own the Future-Intel® Level Up Game Demo Contest 2013 Rise to greatness in Intel's independent game demo contest. Compete for recognition, cash, and the chance to get your game on Steam. $5K grand prize plus 10 genre and skill prizes. Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d ___ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
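Review bot: `mount("", "/", NULL, MS_SLAVE|MS_REC, 0)` passes 0 as the data pointer; NULL is the idiomatic value for that `const void *` argument. The fix is scoped to `if (!rootfs->path)`, and whether the rootfs branch obtains the same isolation through its pivot_root handling is not visible here; a one-line comment at the branch (or a sentence in the commit message) would tell a reader this is not the only place host propagation is cut off. MS_SLAVE still lets host mounts propagate into the container while blocking the reverse direction, which matches the described intent; if that one-way propagation is unwanted for rootfs-less containers, MS_PRIVATE is the alternative.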
[lxc-devel] git tree and man pages
Hi, lxc-developers,

I had performed
git clone git://lxc.git.sourceforge.net/gitroot/lxc/lxc
and under doc I don't see any man pages.

for a lxc tar gz I downloaded, they are under doc.

Is there a reason man pages are not in git ?

DS
Re: [lxc-devel] git tree and man pages
Hello,
Thanks for the answer.

Is there a way to generate the man pages after downloading the git tree? When I ran "make" the man pages were not generated.

regards,
David

On Thu, Apr 18, 2013 at 2:45 PM, Stéphane Graber wrote:
> On 04/18/2013 01:34 PM, David Shwatrz wrote:
>> Hi, lxc-developers,
>> I had performed
>> git clone git://lxc.git.sourceforge.net/gitroot/lxc/lxc
>> and under doc I don't see any man pages.
>>
>> for a lxc tar gz I downloaded, they are under doc.
>>
>> Is there a reason man pages are not in git ?
>>
>>
>> DS
>
> The manpages are in git, just not in their compiled form.
>
> We had a problem in the past that made some of the tar.gz contain the
> compiled form as well as the source but I fixed that for 0.9 so the 0.9
> tarball should look pretty much identical to the git tree.
>
> In short, the man pages are the .sgml.in files, anything else is a
> compiled file which gets discarded at build time.
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
Re: [lxc-devel] git tree and man pages
Hi,

Great. After "yum install docbook2X" and "./configure --enable-doc" it worked.

rgs
DS

On Thu, Apr 18, 2013 at 6:31 PM, Stéphane Graber wrote:
> On 04/18/2013 05:13 PM, David Shwatrz wrote:
>> Hello,
>> Thanks for the answer.
>>
>> Is there a way to generate the man pages after downloading the
>> git tree? When I ran "make" the man pages were not generated.
>>
>> regards,
>> David
>
> You need to pass --enable-doc to the configure script.
>
>>
>> On Thu, Apr 18, 2013 at 2:45 PM, Stéphane Graber wrote:
>>> On 04/18/2013 01:34 PM, David Shwatrz wrote:
>>>> Hi, lxc-developers,
>>>> I had performed
>>>> git clone git://lxc.git.sourceforge.net/gitroot/lxc/lxc
>>>> and under doc I don't see any man pages.
>>>>
>>>> for a lxc tar gz I downloaded, they are under doc.
>>>>
>>>> Is there a reason man pages are not in git ?
>>>>
>>>>
>>>> DS
>>>
>>> The manpages are in git, just not in their compiled form.
>>>
>>> We had a problem in the past that made some of the tar.gz contain the
>>> compiled form as well as the source but I fixed that for 0.9 so the 0.9
>>> tarball should look pretty much identical to the git tree.
>>>
>>> In short, the man pages are the .sgml.in files, anything else is a
>>> compiled file which gets discarded at build time.
>>>
>>> --
>>> Stéphane Graber
>>> Ubuntu developer
>>> http://www.ubuntu.com
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
[lxc-devel] Erroneous "cgroup is not mounted" when using cgconfig (libcgroup)
The 'cgconfig' tool from libcgroup (http://libcg.sourceforge.net) can be used to mount one or more instances of the cgroup virtual filesystem, instead of using the 'mount' command. However, cgconfig does not update /etc/mtab, although the mounted cgroup filesystems do appear in /proc/mounts. (I am using Fedora 13.)

Since lxc commands such as 'lxc-execute' just search /etc/mtab to see if any cgroup filesystem is mounted, this causes them to fail with "cgroup is not mounted", even though this is not the case.

It seems to me that either:
1) cgconfig should update /etc/mtab, or
2) lxc should search /proc/mounts instead of /etc/mtab (change one line in src/lxc/cgroup.c)

Which is the correct solution?

Thanks,
David
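As an added example (not lxc's own code and not part of this thread), the check the report describes, implemented with getmntent(3) over the kernel's /proc/mounts with /etc/mtab only as a fallback; the two mount tables are constructed to reproduce the cgconfig case.

```c
/* Added example (not lxc's own code): find a mounted cgroup filesystem by
 * scanning a mount table in /proc/mounts format with getmntent(3).
 * The report above: cgconfig mounts cgroup hierarchies without touching
 * /etc/mtab, so a check that reads only /etc/mtab misses them while the
 * kernel's /proc/mounts lists them. */
#include <mntent.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: /etc/mtab as left behind after cgconfig ran. */
const char SAMPLE_MTAB[] =
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "proc /proc proc rw,relatime 0 0\n"
    "sysfs /sys sysfs rw,relatime 0 0\n";

/* Constructed sample: the kernel's /proc/mounts on the same host, which does
 * show the hierarchies cgconfig mounted. */
const char SAMPLE_PROC_MOUNTS[] =
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "proc /proc proc rw,relatime 0 0\n"
    "sysfs /sys sysfs rw,relatime 0 0\n"
    "cgroup /cgroup/cpu cgroup rw,relatime,cpu 0 0\n"
    "cgroup /cgroup/memory cgroup rw,relatime,memory 0 0\n";

/* Return 1 if any entry read from fp has filesystem type "cgroup", else 0.
 * Works on any stream in fstab(5)/mounts format. */
int cgroup_mounted_in_stream(FILE *fp)
{
    struct mntent *ent;

    while ((ent = getmntent(fp)) != NULL)
        if (strcmp(ent->mnt_type, "cgroup") == 0)
            return 1;
    return 0;
}

/* Same check on a mount table file; -1 if it cannot be opened. */
int cgroup_mounted_in_table(const char *table_path)
{
    FILE *fp = setmntent(table_path, "r");
    int found;

    if (!fp)
        return -1;
    found = cgroup_mounted_in_stream(fp);
    endmntent(fp);
    return found;
}

/* The fix suggested in the report: consult the kernel's view first and
 * fall back to /etc/mtab only if /proc is not available. */
int cgroup_mounted(void)
{
    int ret = cgroup_mounted_in_table("/proc/mounts");

    if (ret < 0)
        ret = cgroup_mounted_in_table("/etc/mtab");
    return ret;
}

/* Run the scan over an in-memory table (used for the constructed samples). */
int scan_constructed_table(const char *contents)
{
    FILE *fp = tmpfile();        /* anonymous file, deleted on fclose */
    int found;

    if (!fp)
        return -1;
    if (fputs(contents, fp) == EOF) {
        fclose(fp);
        return -1;
    }
    rewind(fp);
    found = cgroup_mounted_in_stream(fp);
    fclose(fp);
    return found;
}

int main(void)
{
    printf("/etc/mtab sample shows cgroup: %d\n",
           scan_constructed_table(SAMPLE_MTAB));          /* 0 */
    printf("/proc/mounts sample shows cgroup: %d\n",
           scan_constructed_table(SAMPLE_PROC_MOUNTS));   /* 1 */
    printf("this host: %d\n", cgroup_mounted());
    return 0;
}
```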
[lxc-devel] netns: Issues with deleting virtual interfaces during namespace cleanup
A patch was applied to the kernel in November 2008 that deletes virtual network interfaces when network namespaces are cleaned up (d0c082cea6dfb9b674b4f6e1e84025662dbd24e8). A discussion about this patch took place on the OpenVZ list (https://lists.linux-foundation.org/pipermail/containers/2008-October/013460.html), where Daniel Lezcano wrote:

> After discussing with Benjamin, this patch means an user can no longer
> manage a pool of virtual devices because they will be automatically
> destroyed when the namespace exits. I don't think it is a big concern,
> but just in case I am asking :)

I currently have two use cases where this behavior is not desirable:

1. I use a veth pair device to connect two containers together (as opposed to connecting a container to the host). To do this, I create the veth pair device manually in the host with iproute2 ("ip link add type veth"). Then when I start each container, it pulls in one of the interfaces of the veth pair device with "lxc.network.type = phys". When I stop one of the containers, its interface to the veth pair device is deleted instead of moved back to the host, so I can not just start the stopped container again and re-establish the same link.

2. I start a process in the host that creates a TUN/TAP interface, such as a VPN client. I pull the TUN/TAP interface into the container with "lxc.network.type = phys". When the container exits, the TUN/TAP interface is deleted because it is a virtual interface, while the VPN client process continues to run in the host. Again I can not just start the container again with the same connection; I have to restart the VPN client.

It makes sense that virtual network interfaces that get created inside a container should be deleted when the container exits. However, I feel that network interfaces from the host that get assigned to the container should be returned to the host when the container exits, whether they are physical or virtual.

Can the kernel distinguish between network interfaces that were created inside the namespace, and network interfaces that were moved there?

David

P.S. should I send this message to the netdev list instead?
Re: [lxc-devel] [PATCH] Watch utmp if /var/run is not shared
The two variables I added have misleading names. I will fix these, clarify the commit message, and resend shortly.

David

On 02/28/2011 07:08 PM, Ward, David - 0663 - MITLL wrote:

lxc watches /var/run/utmp in the container to monitor its runlevel, so that it can stop or "reboot" the container when appropriate. This should not happen though if the container shares /var/run/utmp with the system (which should only be the case if the container does not run init).

Currently this is avoided by requiring that the container has a separate filesystem root (i.e. "lxc.rootfs" is configured) in order to watch utmp. However it is also sufficient to share the filesystem root, but to re-mount /var/run so that there is a separate utmp file. (In the case of Upstart, /etc/init can be re-mounted as well to allow the container to have its own set of init scripts. The remainder of the filesystem can still be shared.)

With this change, lxc checks the device ID and inode number of /var/run to see if the container has re-mounted it as a pre-condition of watching utmp. This replaces the check for "lxc.rootfs" in the configuration.

Signed-off-by: David Ward
---
src/lxc/utmp.c | 21 - 1 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/lxc/utmp.c b/src/lxc/utmp.c index 691c3ef..3356396 100644 --- a/src/lxc/utmp.c +++ b/src/lxc/utmp.c @@ -30,6 +30,7 @@ #include #include #include +#include #include "conf.h" #include "cgroup.h" @@ -221,10 +222,7 @@ int lxc_utmp_mainloop_add(struct lxc_epoll_descr *descr, char path[MAXPATHLEN]; int fd, wd; struct lxc_utmp *utmp_data; - struct lxc_conf *conf = handler->conf; - - if (!conf->rootfs.path) - return 0; + struct stat container_utmp_stat, system_utmp_stat; /* We set up a watch for the /var/run directory. We're only interested * in utmp at the moment, but want to watch for delete and create
@@ -236,11 +234,24 @@ int lxc_utmp_mainloop_add(struct lxc_epoll_descr *descr, return -1; } - if (access(path, F_OK)) { + if (stat(path,&container_utmp_stat)) { WARN("'%s' not found", path); return 0; } + if (stat("/var/run",&system_utmp_stat)) { + WARN("'/var/run' not found"); + return 0; + } + + /* Do not watch the /var/run directory if the container shares it with +* the system. +*/ + if ((container_utmp_stat.st_dev == system_utmp_stat.st_dev) + && (container_utmp_stat.st_ino == system_utmp_stat.st_ino)) { + return 0; + } + utmp_data = (struct lxc_utmp *)malloc(sizeof(struct lxc_utmp)); if (NULL == utmp_data) {
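Review bot: in the second hunk, `if (stat("/var/run",&system_utmp_stat))` returning 0 after a WARN silently disables the utmp watch for a condition that is not a configuration choice (the host's own /var/run being absent), unlike the container-path case just above it; consider returning -1 there so the caller sees the failure. The two `struct stat` variables also describe the /var/run directories being compared, not utmp files, so names such as container_run_stat and system_run_stat would match the comment `Do not watch the /var/run directory if the container shares it with the system` and the st_dev/st_ino test that follows it.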
Re: [lxc-devel] [PATCH 3/9] lxc-ls: only list active containers
On 03/05/2012 06:01 PM, Daniel Lezcano wrote:
> On 03/05/2012 02:34 PM, David Ward wrote:
>> Originally, lxc-ls listed all containers by printing the directory names in /var/lib/lxc. After commit 65cb447f9b8d1ac8dcf9df24a4f877180444f003, lxc-ls now finds and prints active containers by searching for open UNIX sockets named '/var/lib/lxc//command'. However, all containers are still printed using the old method as well, so now the active containers just get printed twice.
>>
>> Assuming that the intention of the above commit was to only list active containers, do not print the directory names in /var/lib/lxc any longer.
>
> The intention of the above commit was to also list the containers which were created on-the-fly and hence are not present in /var/lib/lxc. For example, lxc-execute -n foo sleep 10 does not exist in /var/lib/lxc.
>
> I think the correct fix is to remove the duplicate container names. Or just show two lists, the running ones and the stopped ones.

I added an '--active' flag in the new patch series. With the flag, running containers are shown. Without the flag, containers existing on the filesystem are shown (running or stopped). Let me know if that is okay.

David
[lxc-devel] lxc-devel Mailing List for Patches
It's a bit difficult for me to follow patches when they are going to two separate mailing lists. Would it be possible to limit patches to the lxc-devel list, please? I think that is the intended place for them.

Also, Daniel I am sure you are very busy, but I just wanted to see if there was any timeline for looking at the patches against 0.8.0-rc2 that have been sent to the lists? As more new patches keep coming in, it might make it more difficult to merge things, or mean that less testing has gone into the merged code.

Thanks!
David
Re: [lxc-devel] lxc0.8 and hierarchies
On 02/05/12 10:14, Serge Hallyn wrote:
> Quoting William Dauchy (wdauchy-re5jqeeqqe8avxtiumw...@public.gmane.org):
>> Hello,
>>
>> I tested lxc0.8 rc1 and saw that cgroups are now created in
>> /cgroup/lxc/, so lxc-create will create the cgroups in this directory
>> as a cgroups hierarchy.
>> It makes the thing unusable when using cgroups capabilities that do
>> not support hierarchies. I'm thinking about CONFIG_NETPRIO_CGROUP in
>> the last 3.3 kernel which only supports cgroups created in the /cgroup
>> directory.
>> Is it a known issue? or is it planned to configure the directory?
>
> The issue of what to do with control groups which do not support
> hierarchies has been discussed on lkml recently. I thought (though
> maybe I'm wrong) the decision was that such a subsystem would have
> its cgroups available at leaf nodes, i.e. its /xyz cgroup, if
> composed with a devices cgroup which has /abc/xyz, would be
> visible at /abc/xyz. IIRC one of the primary drivers of the need
> for this was systemd support.
>
> Putting lxc cgroups under lxc/ is the right thing to do to cooperate
> with other programs using cgroups, like libvirt. I don't think we
> should punt on that. Rather, I personally think it's reasonable to say
> that if you are using a cgroup which has max depth 1, you should mount
> it separately. If you then want to use it with lxc, perhaps we should,
> for now, have a hack which specifies which cgroups do not support
> hierarchies, and handle them specially?
>
> -serge

Right now lxc is hard-coded to not create a 'lxc/' directory in a cgroup hierarchy if it contains the (deprecated) 'ns' subsystem. So maybe the code should also check for the 'netprio' subsystem in the same way?

I'm not sure if this is relevant to your problem, but last month I sent a patchset that, among other things, fixes lxc to properly handle cgroup hierarchies that do not contain any subsystems (like systemd):
http://sourceforge.net/mailarchive/forum.php?thread_name=4F6ADBDA.9040400%40free.fr&forum_name=lxc-devel

David
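An added example, not lxc's code: the parent-path decision the thread describes, generalized from the 'ns' special case to a list of subsystems that cannot nest. net_prio (the mount-option name of CONFIG_NETPRIO_CGROUP) is included as the addition suggested above; the list, MAXPATHLEN and the function names are assumptions of this example.

```c
/* Added example (not lxc's own code): decide where a container's cgroup goes
 * in one hierarchy. lxc skips the "/lxc" component when the hierarchy
 * carries the deprecated 'ns' subsystem; the list below also covers
 * net_prio, which the thread identifies as non-hierarchical on 3.3 kernels
 * (the list itself is an assumption of this example). */
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN 4096   /* same name lxc uses for its path buffers */

/* Subsystems, as named in the cgroup mount options, assumed here not to
 * support nested cgroups. */
static const char *const flat_subsystems[] = { "ns", "net_prio", NULL };

/* Return 1 if mnt_opts (comma-separated, as in /proc/mounts) names any
 * subsystem in flat_subsystems; exact token match, so "net_priority" does
 * not match "net_prio". */
int hierarchy_is_flat(const char *mnt_opts)
{
    const char *p = mnt_opts;

    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        for (const char *const *s = flat_subsystems; *s; s++)
            if (strlen(*s) == len && strncmp(p, *s, len) == 0)
                return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Build the directory under which a container's cgroup is created.
 * mnt_dir: the hierarchy's mount point; init_cgroup: the cgroup of the
 * process starting the container, beginning with '/' as lxc's
 * get_init_cgroup() returns it; mnt_opts: the hierarchy's mount options.
 * Returns 0 and fills out, or -1 if the path does not fit in outlen. */
int cgroup_parent_path(char *out, size_t outlen, const char *mnt_dir,
                       const char *init_cgroup, const char *mnt_opts)
{
    const char *suffix = hierarchy_is_flat(mnt_opts) ? "" : "/lxc";
    int ret;

    /* The root cgroup is "/"; drop it so the result has no doubled slash. */
    if (strcmp(init_cgroup, "/") == 0)
        init_cgroup = "";
    ret = snprintf(out, outlen, "%s%s%s", mnt_dir, init_cgroup, suffix);
    if (ret < 0 || (size_t)ret >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    char parent[MAXPATHLEN];
    /* Constructed inputs: an ordinary hierarchy, a net_prio-only mount and
     * a combined mount that carries 'ns'. */
    const char *cases[][3] = {
        { "/cgroup",          "/",     "rw,relatime,cpuset,cpu,memory" },
        { "/cgroup/net_prio", "/",     "rw,relatime,net_prio" },
        { "/cgroup",          "/user", "rw,relatime,ns,cpuset" },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        if (cgroup_parent_path(parent, sizeof parent, cases[i][0],
                               cases[i][1], cases[i][2]) == 0)
            printf("%-32s -> %s\n", cases[i][2], parent);
    }
    return 0;
}
```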
Re: [lxc-devel] [PATCHv3 05/14] cgroup: additional fix for deprecated ns subsystem
On 21/03/12 19:28, Ward, David - 0663 - MITLL wrote:
> When a hierarchy contains the 'ns' subsystem, do not append '/lxc' to the parent cgroup. Update surrounding comments for consistency.
>
> Signed-off-by: David Ward

This patch is actually unnecessary. The existing code already handled the 'ns' subsystem; the sequence of function calls is just a bit confusing. All other patches in this set are still valid.

David

---
src/lxc/cgroup.c | 13 +++-- 1 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/lxc/cgroup.c b/src/lxc/cgroup.c index 9af199d..e5145f9 100644 --- a/src/lxc/cgroup.c +++ b/src/lxc/cgroup.c @@ -305,9 +305,9 @@ static int lxc_one_cgroup_create(const char *name, char initcgroup[MAXPATHLEN]; int flags, ret; - /* cgparent is the parent dir, /sys/fs/cgroup///lxc */ + /* cgparent is the parent dir, e.g., /sys/fs/cgroup///lxc */ /* (remember get_init_cgroup() returns a path starting with '/') */ - /* cgname is the full name, /sys/fs/cgroup///lxc/name */ + /* cgname is the full name, e.g., /sys/fs/cgroup///lxc/name */ ret = snprintf(cginit, MAXPATHLEN, "%s%s", mntent->mnt_dir, get_init_cgroup(NULL, mntent, initcgroup)); if (ret< 0 || ret>= MAXPATHLEN) { @@ -315,7 +315,10 @@ static int lxc_one_cgroup_create(const char *name, return -1; } - ret = snprintf(cgparent, MAXPATHLEN, "%s/lxc", cginit); + flags = get_cgroup_flags(mntent); + + ret = snprintf(cgparent, MAXPATHLEN, "%s%s", cginit, + (flags& CGROUP_NS_CGROUP) ? "" : "/lxc"); if (ret< 0 || ret>= MAXPATHLEN) { SYSERROR("Failed creating pathname for cgroup parent (%d)\n", ret); return -1; @@ -326,8 +329,6 @@ static int lxc_one_cgroup_create(const char *name, return -1; } - flags = get_cgroup_flags(mntent); - /* Do we have the deprecated ns_cgroup subsystem? */ if (flags& CGROUP_NS_CGROUP) { WARN("using deprecated ns_cgroup");
@@ -356,7 +357,7 @@ static int lxc_one_cgroup_create(const char *name, return -1; } - /* if /sys/fs/cgroup///lxc does not exist, create it */ + /* if cgparent does not exist, create it */ if (access(cgparent, F_OK)&& mkdir(cgparent, 0755)) { SYSERROR("failed to create '%s' directory", cgparent); return -1;
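Review bot: the comments rewritten in the first hunk (`/* cgparent is the parent dir, e.g., /sys/fs/cgroup///lxc */`) still describe only the `/lxc` form, while the new snprintf in the second hunk makes cgparent equal to cginit whenever `flags & CGROUP_NS_CGROUP` is set; extend that comment to say the `/lxc` component is omitted for an ns hierarchy, so both branches of the conditional are documented where the paths are explained. Moving `flags = get_cgroup_flags(mntent);` ahead of its first use is correct, and the matching removal further down keeps a single assignment.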
Re: [lxc-devel] poor 10G ethernet performance
On 11/05/12 10:14, David Kang wrote:
> My group is measuring network performance of LXC.
> We can get 9 Gig/sec between the host machine and the other machine.
> But, between an LXC instance and the other machine, we only get 3.7 Gig/sec.
> We also measured performance between the LXC instance and its host machine.
> It is 3.5 Gig/sec.
> Is it normal?
> Is there any way to improve the performance?
>
> We use Linux kernel 2.6.38.
> We used bridge for networking.

In the container, could you create a MACVLAN interface in bridge mode attached to your 10Gb Ethernet interface, instead of going through a bridge device? I would expect that to perform better.

If you do this and you still want your host to be able to participate in the network when the container is started (as you did in your second test), then you will also need to create a MACVLAN interface in the host ('ip link add type macvlan ...') and assign your host's IP address to it instead. This is because you can't directly use your 10Gb Ethernet interface anymore once one or more MACVLAN interfaces are attached to it.

David
Re: [lxc-devel] Shutting down containers properly
On 25/05/12 10:40, Christian Seiler wrote:
>> Hi,
>>
>> my lxc management script uses lxc-stop just for an emergency action called "fored-stop", and it will also be applied if a normal "stop" (alias "halt") action times out after 5min. For this normal shutdown (or reboot) of a container, I'm sending just a SIGPWR (or SIGINT) to the container's init (sysvinit) process. This will result in the same actions as when one calls 'poweroff' or 'reboot' inside it.
>
> Yes, obviously that also works, but then you need to manually update the inittab of a container and rewire reboot/power failure actions to cause a shutdown as you describe. I'd really prefer shutting down a container just worked out of the box without any strange modifications to /etc/inittab for sysvinit. I really think shutting down containers properly is a functionality that LXC should support out of the box.

Actually I believe the burden here ought to be on the container to handle SIGPWR properly...not on lxc to get involved in dealing with subtleties between different init systems that might be running in a container. (And yes, upstart handles SIGPWR with the 'power-status-changed' event: see http://upstart.ubuntu.com/cookbook/upstart_cookbook.pdf )

If existing distros don't handle SIGPWR, then why don't we just modify the lxc-template so that it does? Or even fix the distro itself so that it does?

David
Re: [lxc-devel] Shutting down containers properly
On 25/05/12 11:28, Ward, David - 0663 - MITLL wrote:
> On 25/05/12 10:40, Christian Seiler wrote:
>>> Hi,
>>>
>>> my lxc management script uses lxc-stop just for an emergency action called "fored-stop", and it will also be applied if a normal "stop" (alias "halt") action times out after 5min. For this normal shutdown (or reboot) of a container, I'm sending just a SIGPWR (or SIGINT) to the container's init (sysvinit) process. This will result in the same actions as when one calls 'poweroff' or 'reboot' inside it.
>>
>> Yes, obviously that also works, but then you need to manually update the inittab of a container and rewire reboot/power failure actions to cause a shutdown as you describe. I'd really prefer shutting down a container just worked out of the box without any strange modifications to /etc/inittab for sysvinit. I really think shutting down containers properly is a functionality that LXC should support out of the box.
>
> Actually I believe the burden here ought to be on the container to handle SIGPWR properly...not on lxc to get involved in dealing with subtleties between different init systems that might be running in a container. (And yes, upstart handles SIGPWR with the 'power-status-changed' event: see http://upstart.ubuntu.com/cookbook/upstart_cookbook.pdf )
>
> If existing distros don't handle SIGPWR, then why don't we just modify the lxc-template so that it does? Or even fix the distro itself so that it does?
>
> David

To be clear, all I'm saying is that there should be a standard interface to shutting down containers (and it seems that others have settled on SIGPWR) -- lxc doesn't need to guess what is running inside it. But I agree that we should still modify lxc-stop to actually use this interface.

--
David Ward, Associate Staff
Wideband Tactical Networking Group
MIT Lincoln Laboratory
Office: 781-981-4266
Mobile: 781-999-1925
Fax: 781-981-4583
Re: [lxc-devel] issue with cgroups on very first start of any container after bootstrapping the host
On 21/06/12 05:33, Jäkel, Guido wrote:
> Hello Developers,
>
> using Gentoo's lxc-0.8.0_rc1-r4 with a Kernel gentoo-sources-3.3.5 I observe the following issue concerning the cgroupfs:
>
> For reasons of compatibility I have still mounted the controllers of the cgroupfs at a single mountpoint /cgroup/ .

This has already been identified and fixed in git.
Re: [lxc-devel] issue with cgroups on very first start of any container after bootstrapping the host
On 21/06/12 09:18, Ward, David - 0663 - MITLL wrote:
> On 21/06/12 05:33, Jäkel, Guido wrote:
>> Hello Developers,
>>
>> using Gentoo's lxc-0.8.0_rc1-r4 with a Kernel gentoo-sources-3.3.5 I observe the following issue concerning the cgroupfs:
>>
>> For reasons of compatibility I have still mounted the controllers of the cgroupfs at a single mountpoint /cgroup/ .
>
> This has already been identified and fixed in git.

... sorry disregard that, I thought your single /cgroup mountpoint had the 'ns' subsystem mounted as well (but you're using 3.3.5). Could you try latest git anyway?
Re: [lxc-devel] Usability: lxc-ls
On 28/06/12 10:49, Stefan Schlesinger wrote:
> Hello,
>
> I'm new to LXC and have been using OpenVZ until now. Something which I immediately missed, when I played around with the LXC CLI tools the first time, was that neither lxc-ls nor lxc-list provide a nice overview of the current status of your host. To give you an example here is how the vzlist output looks like:
>
> CTID   NPROC STATUS  IP_ADDR HOSTNAME
> 17915     11 running -       git
> 17918     81 running -       rt02
> 17925     81 running -       rt01
> 17945    151 running -       puppet02
> 17964     56 running -       monitor01
> 17968     21 running -       ns01
> 17981    193 running -       mx01
> 17988     47 running -       wiki01
>
> IMHO it perfectly fulfils two purposes: It shows you a list of running containers with some helpful extra information (needs -a, to list them all) and it's nicely parseable by scripts at the same time...

Just FYI, current git now allows you to list running containers only with the '--active' flag to lxc-ls.

David
Re: [lxc-devel] [PATCH] don't leak the rootfs.pin fd into the container
Hi Serge,

This patch seems to have introduced a regression. When I use lxc-execute with a very simple container (which only sets the utsname), the terminal input is not forwarded to the application anymore. In particular, running "lxc-execute -n $CONTAINER -- bash" returns immediately without opening a shell. (This is with Fedora 18 and kernel 3.8.2.)

David

On 01/17/2013 10:53 AM, Serge Hallyn wrote:

Only the container parent needs to keep that fd open. Close it as soon as the container's first task is spawned. Else it can show up in /proc/$$/fd in the container.

Signed-off-by: Serge Hallyn
---
src/lxc/start.c | 12 +++- src/lxc/start.h | 1 + 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c index 90696f6..5083b24 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -575,6 +575,9 @@ static int do_start(void *data) lxc_sync_fini_parent(handler); + /* don't leak the pinfd to the container */ + close(handler->pinfd); + /* Tell the parent task it can begin to configure the * container and wait for it to finish */ @@ -691,7 +694,6 @@ int lxc_spawn(struct lxc_handler *handler) { int failed_before_rename = 0; const char *name = handler->name; - int pinfd; if (lxc_sync_init(handler)) return -1; @@ -735,8 +737,8 @@ int lxc_spawn(struct lxc_handler *handler) * marking it readonly. */ - pinfd = pin_rootfs(handler->conf->rootfs.path); - if (pinfd == -1) { + handler->pinfd = pin_rootfs(handler->conf->rootfs.path); + if (handler->pinfd == -1) { ERROR("failed to pin the container's rootfs"); goto out_abort; } @@ -818,8 +820,8 @@ int lxc_spawn(struct lxc_handler *handler) lxc_sync_fini(handler); - if (pinfd >= 0) - close(pinfd); + if (handler->pinfd >= 0) + close(handler->pinfd); return 0; diff --git a/src/lxc/start.h b/src/lxc/start.h index 4b2e2b5..27688f3 100644 --- a/src/lxc/start.h +++ b/src/lxc/start.h
@@ -49,6 +49,7 @@ struct lxc_handler { #if HAVE_APPARMOR int aa_enabled; #endif + int pinfd; }; extern struct lxc_handler *lxc_init(const char *name, struct lxc_conf *);
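Review bot: the do_start hunk closes `handler->pinfd` unconditionally, while the lxc_spawn hunk in the same patch keeps the guard `if (handler->pinfd >= 0)` around its own close; the two should agree. lxc_spawn only rejects `handler->pinfd == -1`, so any other value pin_rootfs() returns when there is nothing to pin (a container started without a rootfs, as with lxc-execute) is treated as a live descriptor number, and `close()` in the child would then shut whatever descriptor happens to carry that number, which matches the lost-terminal-input symptom reported above. Guard the close in do_start with the same `>= 0` test and make pin_rootfs() return a value that test rejects when no rootfs is configured.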
Re: [lxc-devel] [PATCH] don't leak the rootfs.pin fd into the container
On 03/10/2013 11:45 PM, Serge Hallyn wrote:
> Quoting Ward, David - 0663 - MITLL (david.w...@ll.mit.edu):
>> Hi Serge,
>>
>> This patch seems to have introduced a regression. When I use lxc-execute with a very simple container (which only sets the utsname), the terminal input is not forwarded to the application anymore. In particular, running "lxc-execute -n $CONTAINER -- bash" returns immediately without opening a shell. (This is with Fedora 18 and kernel 3.8.2.)
>
> Thanks, David. The following patch definitely looks like it is needed. It may or may not fix the bug you're seeing. Can you confirm?

Serge,

Yes, the patch below fixes the issue for me. Thanks!

Acked-by: David Ward

Subject: [PATCH 1/1] rootfs pin: fix two bugs

1. if there's no rootfs, return -2, not 0.
2. don't close pinfd unconditionally in do_start().

Signed-off-by: Serge Hallyn
--- src/lxc/conf.c | 2 +- src/lxc/start.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index add3c74..97b4ae4 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -578,7 +578,7 @@ int pin_rootfs(const char *rootfs) int ret, fd; if (rootfs == NULL || strlen(rootfs) == 0) - return 0; + return -2; if (!realpath(rootfs, absrootfs)) { SYSERROR("failed to get real path for '%s'", rootfs); diff --git a/src/lxc/start.c b/src/lxc/start.c index 75d1fd6..51b2f06 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c 
@@ -652,7 +652,8 @@ static int do_start(void *data) lxc_sync_fini_parent(handler); /* don't leak the pinfd to the container */ - close(handler->pinfd); + if (handler->pinfd >= 0) + close(handler->pinfd); /* Tell the parent task it can begin to configure the * container and wait for it to finish
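Review bot: the `return -2;` for a missing rootfs in pin_rootfs() (conf.c hunk) is an unexplained sentinel whose meaning lives entirely in the caller: lxc_spawn() tests `== -1` for failure and `>= 0` before close(), so -2 passes as "not an error, nothing to close" only because of the exact shape of those two comparisons. Suggest a one-line comment at the return, or a named constant, stating that -2 means "no rootfs configured, nothing pinned, not an error", so a later change to either comparison does not silently reintroduce the stdin-closing bug.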
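Review bot: the guard added in the do_start() hunk now matches the one in lxc_spawn(), which is the right fix; it only holds, though, if handler->pinfd is -1 before pin_rootfs() ever runs, so it is worth confirming in the same series that the handler initializes pinfd to -1 at allocation rather than relying on zero-fill (where 0 is stdin).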
Re: [lxc-devel] [PATCH] Remove MAKEDEV call, add autodev hooks, add environment variables for hook scripts.
Michael, Serge,

On 01/09/2013 03:38 PM, Michael H. Warfield wrote:
> 4) clearenv and putenv( "container=lxc" ) calls were moved to just after the "start" hook in the container just prior to actually firing up the container so we could use environment variables prior to that and have them flushed before firing up init. Nice side effect is that you can define environment variables and then call lxc-start and have them show up in those hook scripts.

Since the call to clearenv() was moved to do_start(), it also gets called when running lxc-execute. If I set up a very simple container with only utsname/network namespaces, and do:

lxc-execute -n $CONTAINER -- bash

then the PATH and HOME environment variables are no longer propagated into the new shell, for example. (In Fedora at least, these environment variables are set in /etc/profile, which does not get sourced by /etc/bashrc or ~/.bashrc by default.) Is this the desired behavior for lxc-execute now, or was it an unintended side-effect?

Also keep in mind that if I do:

lxc-attach -n $CONTAINER -- bash

the environment variables are not cleared there before opening the shell (regardless of whether the container was started with lxc-start or lxc-execute)... this may need to be adjusted.

Thanks,
David
Re: [lxc-devel] [PATCH] Remove MAKEDEV call, add autodev hooks, add environment variables for hook scripts.
On 03/12/2013 06:12 PM, Michael H. Warfield wrote:
> Hey all.
>
> On Tue, 2013-03-12 at 15:55 -0500, Serge Hallyn wrote:
>> Quoting Ward, David - 0663 - MITLL (david.w...@ll.mit.edu):
>>> Michael, Serge,
>>>
>>> On 01/09/2013 03:38 PM, Michael H. Warfield wrote:
>>>> 4) clearenv and putenv( "container=lxc" ) calls were moved to just after the "start" hook in the container just prior to actually firing up the container so we could use environment variables prior to that and have them flushed before firing up init. Nice side effect is that you can define environment variables and then call lxc-start and have them show up in those hook scripts.
>>>
>>> Since the call to clearenv() was moved to do_start(), it also gets called when running lxc-execute. If I set up a very simple container with only utsname/network namespaces, and do:
>>>
>>> lxc-execute -n $CONTAINER -- bash
>>>
>>> then the PATH and HOME environment variables are no longer propagated into the new shell, for example. (In Fedora at least, these environment variables are set in /etc/profile, which does not get sourced by /etc/bashrc or ~/.bashrc by default.) Is this the desired behavior for lxc-execute now, or was it an unintended side-effect?
>>>
>>> Also keep in mind that if I do:
>>>
>>> lxc-attach -n $CONTAINER -- bash
>>>
>>> the environment variables are not cleared there before opening the shell (regardless of whether the container was started with lxc-start or lxc-execute)... this may need to be adjusted.
>>
>> Hi, good question. I mean yes that was what we were thinking, but that doesn't mean it's the right thing. lxc-execute means "set up this container with a dummy init and run this task in it." I personally think that should mean a clear environment as set up by a shell in the container, but I don't use lxc-execute and my opinion shouldn't mean much. Others?
>
> I seem to recall some light discussion over some of these points before we made the changes.
>
> Part of that discussion even included some ideas that we may want to configure environment variables we would pass into the container environment. Some variables could make sense while others not so much. If you are mapping into a different rootfs, how are you sure ${HOME} from the host is going to map properly into the guest, or that the ${PATH} variable is appropriate in that container? There's a whole lot of LD* variables and LIB* variables that could come into play. PIDs and named sockets could be problematical or useless. I'm thinking here about the ssh-authd and its gnupg equivalent where the pids and pipes would make no sense (and potentially open up problems). Other things, such as TZ, LANG, terminal values or various application specific variables could make sense.
>
> OTOH... Is "leaking" those variables from the host environment into a container environment such a good idea (I'm thinking of attach here)? If you're running a Fedora container on an Ubuntu host? The binaries you are running are in the context and retrieved from the container space but the environment is inherited from the host space. I also seem to recall that some of the more recent patches over the last couple of months had to do with even determining your shell where NSS is incompatible between the container and the host. Mixing the environment variables adds more of a chance of unexpected side-effects, doesn't it?
>
> The fact that this resulted in a behavior change in lxc-execute is unexpected. The fact that it didn't change lxc-attach raises questions of consistency.
>
> Thinking of "sudo" for a moment, it allows for defining what set of environment variables it allows to pass in the environment and I seem to recall at least a passing mention of that and whether there would be circumstances under which you would want to do that. Seems there may be. I would think we would want to control those circumstances, however.
>
> The specific case in question (that of loading values from /etc/profile) raises a bit of a point. /etc/profile (and /etc/profile.d/) get loaded by a login shell. Other things are certainly not set up correctly within that container wrt a login shell (wtmp, tty, etc). It's not a clean simple question when you're crossing boundaries like that.

It sounds like this was not a completely unintentional side-effect then. I agree that there are many reasons we may not want environment variables to propagate into a container. It's easy enough to source /etc/profile in my example, compared to the challenges in dealing with the other cases.

With respect to "sudo", if you pass it the "-E" flag, it will not clear your environment variables... does it make sense to have a similar flag for lxc-execute and lxc-attach? (And I would think the default behavior for lxc-attach should also be to clear the environment variables.)

David
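The discussion above converges on a sudo-like policy: clear by default, keep an explicit allowlist, and never let loader-steering variables cross into a different rootfs. The following is an added example, not LXC code and not a proposed patch: it builds a fresh environment array for execve() from a constructed host environment, applying a clear/keep policy with an allowlist (TZ, LANG, TERM, from the variables Michael lists as sensible), a deny list for LD_* and LIBRARY_PATH, extra VAR=VALUE entries that override host values, and the forced container=lxc that the lxc code sets. Building a new array rather than calling clearenv()/putenv() on the live environment means a rejected variable never exists in the child at all. All names (env_policy, build_child_env, env_lookup and the sample environment) are hypothetical.

```c
/* Added example (not LXC code): a sudo-style environment policy for a task
 * about to be placed in a container. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum env_policy { ENV_CLEAR, ENV_KEEP };

/* Kept even under ENV_CLEAR: harmless across a rootfs boundary. */
static const char *const default_keep[] = { "TERM", "LANG", "TZ", NULL };

/* Dropped even under ENV_KEEP: these steer the dynamic loader for binaries
 * that now come from the container's rootfs. */
static const char *const deny_prefixes[] = { "LD_", "LIBRARY_PATH", NULL };

/* Nonzero if a and b name the same variable; each may be "VAR" or "VAR=VALUE". */
static int same_name(const char *a, const char *b)
{
    const char *ea = strchr(a, '='), *eb = strchr(b, '=');
    size_t la = ea ? (size_t)(ea - a) : strlen(a);
    size_t lb = eb ? (size_t)(eb - b) : strlen(b);
    return la == lb && strncmp(a, b, la) == 0;
}

static int in_list(const char *entry, const char *const *list)
{
    for (; list && *list; list++)
        if (same_name(entry, *list))
            return 1;
    return 0;
}

static int is_denied(const char *entry)
{
    for (const char *const *p = deny_prefixes; *p; p++)
        if (strncmp(entry, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Fill out[] (capacity max, NULL-terminated) with the child's environment.
 * host: the caller's environ; keep: names kept even under ENV_CLEAR (may be
 * NULL); extra: "VAR=VALUE" entries always added, overriding host values
 * (may be NULL). container=lxc is always set last, as lxc-attach does, and
 * any host value of "container" is discarded so it cannot spoof that marker.
 * Returns the number of entries written, or -1 if out[] is too small. */
int build_child_env(enum env_policy policy, const char *const *host,
                    const char *const *keep, const char *const *extra,
                    const char **out, size_t max)
{
    size_t n = 0;
    for (const char *const *e = host; e && *e; e++) {
        if (is_denied(*e) || same_name(*e, "container") || in_list(*e, extra))
            continue;
        if (policy == ENV_KEEP || in_list(*e, default_keep) || in_list(*e, keep)) {
            if (n + 1 >= max)
                return -1;
            out[n++] = *e;
        }
    }
    for (const char *const *e = extra; e && *e; e++) {
        if (n + 1 >= max)
            return -1;
        out[n++] = *e;
    }
    if (n + 1 >= max)
        return -1;
    out[n++] = "container=lxc";
    out[n] = NULL;
    return (int)n;
}

/* Value of name in env, or NULL if absent. */
const char *env_lookup(const char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (; env && *env; env++)
        if (strncmp(*env, name, len) == 0 && (*env)[len] == '=')
            return *env + len + 1;
    return NULL;
}

/* Constructed host environment for the demonstration (not a real host). */
const char *const sample_host_env[] = {
    "PATH=/usr/local/bin:/usr/bin", "HOME=/home/alice", "TERM=xterm",
    "LD_PRELOAD=/tmp/hook.so", "LANG=en_US.UTF-8",
    "SSH_AUTH_SOCK=/tmp/agent.sock", "container=something-else", NULL
};
const char *const sample_keep[]  = { "HOME", NULL };
const char *const sample_extra[] = { "PATH=/bin:/usr/bin", NULL };

int main(void)
{
    const char *out[16];
    int n = build_child_env(ENV_CLEAR, sample_host_env, sample_keep, sample_extra, out, 16);
    printf("ENV_CLEAR, keep HOME, extra PATH: %d entries\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s\n", out[i]);
    n = build_child_env(ENV_KEEP, sample_host_env, NULL, NULL, out, 16);
    printf("ENV_KEEP: %d entries, LD_PRELOAD dropped: %s\n", n,
           env_lookup(out, "LD_PRELOAD") == NULL ? "yes" : "no");
    return 0;
}
```

With the constructed environment, ENV_CLEAR plus keep=HOME and extra=PATH yields HOME, TERM, LANG, the overriding PATH and container=lxc; ENV_KEEP passes everything through except LD_PRELOAD and the host's own "container" value. The resulting array is what would be handed to execve() as envp; the host's "VAR=VALUE" strings are reused by pointer, so nothing here allocates.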
Re: [lxc-devel] [PATCH 2/2] lxc-attach: Implement --clear-env and --keep-env
On 03/30/2013 10:45 AM, Christian Seiler wrote: This patch introduces the --clear-env and --keep-env options for lxc-attach, that allows the user to specify whether the environment should be passed on inside the container or not. This is to be expanded upon in later versions, this patch only introduces the most basic functionality. Signed-off-by: Christian Seiler The original intent of my earlier patch was to avoid different default behavior between lxc-execute and lxc-attach. That no longer holds. Can we apply these same changes below to lxc-execute please? David --- doc/lxc-attach.sgml.in | 33 + src/lxc/attach.c | 23 +++ src/lxc/attach.h |7 ++- src/lxc/lxc_attach.c | 22 -- 4 files changed, 78 insertions(+), 7 deletions(-) diff --git a/doc/lxc-attach.sgml.in b/doc/lxc-attach.sgml.in index 36e1f70..a3bdb44 100644 --- a/doc/lxc-attach.sgml.in +++ b/doc/lxc-attach.sgml.in @@ -54,6 +54,8 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -e -s namespaces -R + --keep-env + --clear-env -- command @@ -173,6 +175,37 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + + --keep-env + + + + Keep the current environment for attached programs. This is + the current default behaviour (as of version 0.9), but is + is likely to change in the future, since this may leak + undesirable information into the container. If you rely on + the environment being available for the attached program, + please use this option to be future-proof. In addition to + current environment variables, container=lxc will be set. + + + + + + + --clear-env + + + + Clear the environment before attaching, so no undesired + environment variables leak into the container. The variable + container=lxc will be the only environment with which the + attached program starts. + + + + diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 12adadb..5b3ee4f 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c 
@@ -277,11 +277,26 @@ int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx) return 0; } -int lxc_attach_set_environment() +int lxc_attach_set_environment(enum lxc_attach_env_policy_t policy, char** extra_env, char** extra_keep) { - if (clearenv()) { - SYSERROR("failed to clear environment"); - /* don't error out though */ + /* TODO: implement extra_env, extra_keep +* Rationale: +* - extra_env is an array of strings of the form +*"VAR=VALUE", which are to be set (after clearing or not, +*depending on the value of the policy variable) +* - extra_keep is an array of strings of the form +*"VAR", which are extra environment variables to be kept +*around after clearing (if that is done, otherwise, the +*remain anyway) +*/ + (void) extra_env; + (void) extra_keep; + + if (policy == LXC_ATTACH_CLEAR_ENV) { + if (clearenv()) { + SYSERROR("failed to clear environment"); + /* don't error out though */ + } } if (putenv("container=lxc")) { diff --git a/src/lxc/attach.h b/src/lxc/attach.h index 404ff4c..151445a 100644 --- a/src/lxc/attach.h +++ b/src/lxc/attach.h @@ -34,10 +34,15 @@ struct lxc_proc_context_info { extern struct lxc_proc_context_info *lxc_proc_get_context_info(pid_t pid); +typedef enum lxc_attach_env_policy_t { + LXC_ATTACH_KEEP_ENV, + LXC_ATTACH_CLEAR_ENV +} lxc_attach_env_policy_t; + extern int lxc_attach_to_ns(pid_t other_pid, int which); extern int lxc_attach_remount_sys_proc(); extern int lxc_attach_drop_privs(struct lxc_proc_context_info *ctx); -extern int lxc_attach_set_environment(); +extern int lxc_attach_set_environment(enum lxc_attach_env_policy_t policy, char** extra_env, char** extra_keep); extern char *lxc_attach_getpwshell(uid_t uid); diff --git a/src/lxc/lxc_attach.c b/src/lxc/lxc_attach.c index 7fd76ee..77039fb 100644 --- a/src/lxc/lxc_attach.c +++ b/src/lxc/lxc_attach.c 
@@ -55,6 +55,9 @@ static const struct option my_longopts[] = { {"arch", required_argument, 0, 'a'}, {"namespaces", required_argument, 0, 's'}, {"remount-sys-proc", no_argument, 0, 'R'}, + /* TODO: decide upon short option names */ + {"clear-env", no_argument, 0, 500}, + {"keep-env", no_argument, 0, 501},
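Review bot: in the attach.c hunk, lxc_attach_set_environment() gains `extra_env` and `extra_keep` parameters that the body immediately discards with `(void) extra_env; (void) extra_keep;`, so a caller that passes a keep list under LXC_ATTACH_CLEAR_ENV silently gets everything cleared anyway. If the arrays are not implemented in this patch, either leave them out of the signature until they are, or log a warning and return an error when a non-NULL array is passed, so the unfinished contract cannot be relied on by mistake. Minor: the TODO comment's "otherwise, the remain anyway" should read "they remain".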
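Review bot: the doc/lxc-attach.sgml.in hunk documents --keep-env as the current default while saying in the same paragraph that it "may leak undesirable information into the container", so a user who passes neither option gets the behaviour the page itself calls undesirable. Suggest either making LXC_ATTACH_CLEAR_ENV the default in the same series, with --keep-env as the opt-in, or naming in the --keep-env text which variables are of concern (the thread cites PATH, HOME and LD* as examples) so the warning is actionable. Minor: "but is is likely to change" has a doubled "is".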
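Review bot: the lxc_attach.c hunk registers --clear-env and --keep-env with the bare values 500 and 501 in the option table, with a TODO on short names; suggest named constants (or an enum alongside lxc_attach_env_policy_t in attach.h) for those values, so the option switch does not depend on magic numbers and a later short option cannot collide with them.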