Re: [pve-devel] Proxmox Org on GitHub
The following users were invited. Please let me know when you got access.

I also changed public e-mail and billing e-mail to `t.lamprecht`.

Kamil

On Tue, Jul 21, 2020 at 5:09 PM Martin Maurer wrote:
> Hello Kamil,
>
> Thanks, here is the list of the requested GitHub accounts.
>
> https://github.com/Fabian-Gruenbichler
> https://github.com/Blub
> https://github.com/ThomasLamprecht
>
> On 7/21/20 3:11 PM, Kamil Trzciński wrote:
> > Hi Proxmox Team,
> >
> > I got a message from Thomas Lamprecht that asked about
> > the github proxmox org[0] that I'm owner of.
> >
> > Thomas indicated that the existence of this organisation
> > is confusing to Proxmox users, as some users look
> > for sources or help on this organisation, where all
> > development happens over the mailing list.
> >
> > Thomas proposed to use this organisation as a read-only mirror
> > of `git.proxmox.com` and asked if I would like to hand off
> > the ownership.
> >
> > I would love to!
> >
> > I propose the following process of transferring
> > ownership:
> >
> > 1. I would like to use this public communication thread for
> >    the transfer process to make it formal
> > 2. I would ask Martin or Dietmar to provide a list of GitHub accounts
> >    to which I should transfer ownership (feel free to send it privately)
> > 3. I will add these member(s) to the GitHub org
> > 4. I will ask to confirm that you got access
> > 5. I will `Leave` myself from the Org
> >
> > Thanks for awesome work on this project for that
> > many years.
> >
> > Kamil
> >
> > [0]: https://github.com/proxmox
>
> --
> Best Regards,
>
> Martin Maurer
>
> mar...@proxmox.com
> https://www.proxmox.com
>
> Proxmox Server Solutions GmbH
> Bräuhausgasse 37, 1050 Vienna, Austria
> Commercial register no.: FN 258879 f
> Registration office: Handelsgericht Wien

___
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] Proxmox Org on GitHub
On 22.07.20 11:07, Kamil Trzciński wrote:
> The following users were invited.
>
> Please let me know when you got access.

Thanks, I got access and Fabian too. Wolfgang is on vacation this week,
so we may not hear from him until Monday.

Thank you.

> I also changed public e-mail and billing e-mail to `t.lamprecht`.
>
> Kamil
>
> On Tue, Jul 21, 2020 at 5:09 PM Martin Maurer wrote:
>
>> Hello Kamil,
>>
>> Thanks, here is the list of the requested GitHub accounts.
>>
>> https://github.com/Fabian-Gruenbichler
>> https://github.com/Blub
>> https://github.com/ThomasLamprecht
>>
>> On 7/21/20 3:11 PM, Kamil Trzciński wrote:
>>> Hi Proxmox Team,
>>>
>>> I got a message from Thomas Lamprecht that asked about
>>> the github proxmox org[0] that I'm owner of.
>>>
>>> Thomas indicated that the existence of this organisation
>>> is confusing to Proxmox users, as some users look
>>> for sources or help on this organisation, where all
>>> development happens over the mailing list.
>>>
>>> Thomas proposed to use this organisation as a read-only mirror
>>> of `git.proxmox.com` and asked if I would like to hand off
>>> the ownership.
>>>
>>> I would love to!
>>>
>>> I propose the following process of transferring
>>> ownership:
>>>
>>> 1. I would like to use this public communication thread for
>>>    the transfer process to make it formal
>>> 2. I would ask Martin or Dietmar to provide a list of GitHub accounts
>>>    to which I should transfer ownership (feel free to send it privately)
>>> 3. I will add these member(s) to the GitHub org
>>> 4. I will ask to confirm that you got access
>>> 5. I will `Leave` myself from the Org
>>>
>>> Thanks for awesome work on this project for that
>>> many years.
>>>
>>> Kamil
>>>
>>> [0]: https://github.com/proxmox
[pve-devel] [PATCH docs 2/2] pvecm: Add output for delnode
The output of "pvecm delnode someNode" is "Killing node X". Even though this only says something about an attempt and not about success, it is not "no output is returned". Signed-off-by: Dominic Jäger --- pvecm.adoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pvecm.adoc b/pvecm.adoc index 9207571..220c09f 100644 --- a/pvecm.adoc +++ b/pvecm.adoc @@ -327,11 +327,11 @@ After powering off the node hp4, we can safely remove it from the cluster. hp1# pvecm delnode hp4 + Killing node 4 -If the operation succeeds no output is returned, just check the node -list again with `pvecm nodes` or `pvecm status`. You should see -something like: +Use `pvecm nodes` or `pvecm status` to check the node list again. It should +look something like: hp1# pvecm status -- 2.20.1 ___ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
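Review bot: the new wording drops the reason for re-checking that the commit message gives, namely that `Killing node 4` only reports an attempt, not success; without it, the reader sees a message that looks like a result and a check that looks optional. Suggest keeping the explanation in the doc, e.g. "The `Killing node 4` message only confirms that the removal was requested; use `pvecm nodes` or `pvecm status` to check the node list again." The rest of the hunk is fine.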
[pve-devel] [PATCH docs 1/2] pvecm: Add required -r to rm
/etc/corosync/* includes the directory uidgid.d.
Consequently, a correct rm call requires -r.

Signed-off-by: Dominic Jäger
---
pvecm.adoc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pvecm.adoc b/pvecm.adoc index 4bf2f59..9207571 100644 --- a/pvecm.adoc +++ b/pvecm.adoc @@ -414,7 +414,7 @@ Delete the corosync configuration files: [source,bash] rm /etc/pve/corosync.conf -rm /etc/corosync/* +rm -r /etc/corosync/* You can now start the filesystem again as normal service: -- 2.20.1
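Review bot: `rm -r /etc/corosync/*` is broader than the step it sits in ("Delete the corosync configuration files"): it removes every entry under /etc/corosync, including uidgid.d and anything else that happens to live there, not only the configuration. Naming the files explicitly, e.g. `rm -f /etc/corosync/corosync.conf /etc/corosync/authkey`, keeps the step scoped to what the heading promises, avoids the error the non-recursive glob hits on the directory, and makes removal of the cluster authkey a deliberate, visible action rather than a side effect of the wildcard.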
Re: [pve-devel] [PATCH docs 1/2] pvecm: Add required -r to rm
On 22.07.20 12:20, Dominic Jäger wrote:
> /etc/corosync/* includes the directory uidgid.d.
> Consequently, a correct rm call requires -r.

Does leaving this directory left over cause any issues?

IIRC, I omit the "-r" explicitly as there can also be a directory from a
qdevice or other ones, which we do not want to remove - the top-level
corosync/* files were all desired to be removed, thus this rm variant.

But, maybe we should rather change it to:

# rm -f /etc/corosync/corosync.conf /etc/corosync/authkey

to make that more explicit

>
> Signed-off-by: Dominic Jäger
> ---
> pvecm.adoc | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/pvecm.adoc b/pvecm.adoc > index 4bf2f59..9207571 100644 > --- a/pvecm.adoc > +++ b/pvecm.adoc > @@ -414,7 +414,7 @@ Delete the corosync configuration files: > [source,bash] > > rm /etc/pve/corosync.conf > -rm /etc/corosync/* > +rm -r /etc/corosync/* > > > You can now start the filesystem again as normal service: >
[pve-devel] applied: [PATCH docs v1] Add section with more infos about ZFS RAID levels
On 21.07.20 14:58, Aaron Lauterer wrote:
> This new section explains the performance and failure properties of
> mirror and RAIDZ VDEVs as well as the "unexpected" higher space usage by
> ZVOLs on a RAIDZ.
>
> Signed-off-by: Aaron Lauterer
> ---
>
> draft->v1:
> * incorporate Stoiko's suggestions [0]
> * went with lower case vdev as this is the way it is used in the zpool
>   manpage
> * used N-P(arity) in the RAIDZ sizing part
> * added a short explanation of vdevs at the beginning and mention the
>   zpool manpage
>
> This is a first version to explain the performance characteristics of the
> different RAID levels / vdev types, as well as their failure behavior.
>
> Additionally it explains the situation why a VM disk (ZVOL) can end up
> using quite a bit more space than expected when placed on a pool made of
> RAIDZ VDEVs.
>
> The motivation behind this is that, in the recent past, these things
> came up quite a bit. Thus it would be nice to have some documentation
> that we can link to, and having it in the docs might help users to make
> an informed decision from the start.
>
> I hope I did not mess up any technical details and that it is
> understandable enough.
>
> [0] https://lists.proxmox.com/pipermail/pve-devel/2020-July/044453.html
>
> local-zfs.adoc | 95 ++
> 1 file changed, 95 insertions(+)
>

applied, thanks!
[pve-devel] applied: [PATCH pve-docs] qm: IO Thread: fix typo and reword section
On 21.07.20 09:21, Dylan Whyte wrote:
> Fix typo 'isks' => 'disks'
> Reword section for better readability.
>
> Signed-off-by: Dylan Whyte
> ---
> qm.adoc | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>

applied, thanks!
[pve-devel] [PATCH lxc 1/2] update lxc to include fixes for cgroupv2 setups
This commit fast-forwards 7 commits from upstream/master.

The first commit (partially) fixes a missing apparmor rule for
/proc/sys/kernel/random/boot_id.
The last commit fixes running containers in pure cgroupv2 environments
(by premounting cgroup2).

It contains one other fix for a netlink bug, which I haven't seen in our
support channels, thus assume limited potential for regressions.

Signed-off-by: Stoiko Ivanov
---
lxc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lxc b/lxc index 538337e..4547e73 16 --- a/lxc +++ b/lxc @@ -1 +1 @@ -Subproject commit 538337ee9dc5ca385cc8d9b6faaac1575c014a1b +Subproject commit 4547e73e3e1c7f7a9fc88da6ac3276d99df1c5ec -- 2.20.1
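Review bot: the submodule bump is described only loosely ("the first commit", "the last commit", "one other fix for a netlink bug"); for a change that pulls seven upstream commits into the build, please list the upstream commit ids or subjects between 538337ee9dc5ca385cc8d9b6faaac1575c014a1b and 4547e73e3e1c7f7a9fc88da6ac3276d99df1c5ec in the message, so a reviewer can verify from the log which changes, including the netlink fix, are actually being shipped.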
[pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially fixes the apparmor deny for mounting boot_id (used for example for identifying different boots with `journalctl`) inside the container. Tested by editing the profile and replacing it disregarding the cache: `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start` Signed-off-by: Stoiko Ivanov --- ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++ debian/patches/series | 1 + 2 files changed, 27 insertions(+) create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch diff --git a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch new file mode 100644 index 000..fefc586 --- /dev/null +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch @@ -0,0 +1,26 @@ +From Mon Sep 17 00:00:00 2001 +From: Stoiko Ivanov +Date: Wed, 22 Jul 2020 12:17:24 +0200 +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id + +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all +necessary mount calls for /proc/sys/kernel/random/boot_id +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. + +Signed-off-by: Stoiko Ivanov +--- + config/apparmor/abstractions/start-container.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in +index 9998f1121..9f64c2727 100644 +--- a/config/apparmor/abstractions/start-container.in b/config/apparmor/abstractions/start-container.in +@@ -22,6 +22,7 @@ + mount -> /var/lib/lxc/{**,}, + + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id, + + # required for some pre-mount hooks + mount fstype=overlayfs, diff --git a/debian/patches/series b/debian/patches/series index ee20ef5..f588081 100644 
--- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch pve/0003-PVE-Config-attach-always-use-getent.patch +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch -- 2.20.1 ___ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
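Review bot: the added `mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,` rule needs to be checked against the exact flag set used by the remount in `lxc_setup_boot_id` (src/lxc/conf.c) that the patch description cites; an options set that does not match the flags of that mount call is still denied, and the `apparmor_parser -r` test in the commit message only shows that the profile loads, not that the remount now passes. A note in the description that the rule is read-only and therefore does not collide with pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch, plus a container start showing no further mount denial for boot_id in the kernel log, would complete the justification.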
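Review bot: once the upstream pull request exists (a later reply in this thread gives https://github.com/lxc/lxc/pull/3495), its URL belongs in the header of the 0004 patch file that this series entry adds, so whoever next fast-forwards the lxc submodule can see when the local patch can be dropped from debian/patches/series.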
[pve-devel] [PATCH lxc 0/2] fix apparmor rules and improve cgroupv2 experience
This patchset addresses 2 minor inconveniences I ran into while running my
host with 'systemd.unified_cgroup_hierarchy=1':
* apparmor mount denies for '/proc/sys/kernel/random/boot_id' (this happens
  irrespective of the cgroup layout)
* having to add `lxc.init.cmd: /lib/systemd/systemd systemd.unified_cgroup_hierarchy=1`
  to all my container configs (for debian and arch containers at least; alpine
  runs without issues) - see [0] for a discussion of the topic

While investigating this I noticed that the fixes for both issues were already
on upstream/master (with one small other fix in between) - so instead of
cherry-picking both patches I fast-forwarded to the last needed commit.
Glad to resend with the patches cherry-picked and added to our patchqueue.

I would probably submit the apparmor fix upstream (after a quick check by
another set of eyes :)

[0] https://github.com/lxc/lxc/issues/3183

Stoiko Ivanov (2):
  update lxc to include fixes for cgroupv2 setups
  apparmor: add rule for allowing remount of boot_id

 ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++
 debian/patches/series | 1 +
 lxc | 2 +-
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch

--
2.20.1
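The cover letter starts from an AppArmor mount denial for `/proc/sys/kernel/random/boot_id`, and the second patch of the series turns that denial into a `mount options=(...) -> path,` rule. The script below is an added example, not code from this thread, from LXC or from Proxmox: it parses kernel audit records of the form `apparmor="DENIED" operation="mount" ... name="..." flags="..."` (the field names are assumed from what the AppArmor LSM prints to the kernel log; the three sample records are constructed, not captured from a host), emits a candidate rule per denial with the options ordered the way the abstraction in the patch orders them, and flags any candidate that would grant a `rw` mount under /proc or /sys, because the same patch series carries a deny for exactly that and such a rule must not be pasted into a profile mechanically.

```python
"""Turn AppArmor mount denials into candidate profile rules.

Added example; not code from the pve-devel thread, LXC or Proxmox.  Field
names (apparmor=, operation=, name=, srcname=, flags=) are assumed from the
format the AppArmor LSM prints to the kernel log; the sample records below
are constructed for the demonstration.
"""
import re

# Constructed sample records (not captured from a real host).  The first one
# has the shape of the boot_id read-only remount the patch in this series
# allows: no srcname, and remount+bind among the flags.
SAMPLE_LOG = """\
[ 1234.5678] audit: type=1400 audit(1595419200.101:901): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/proc/sys/kernel/random/boot_id" pid=4242 comm="lxc-start" flags="ro, remount, bind, nosuid, nodev, noexec"
[ 1234.5679] audit: type=1400 audit(1595419200.102:902): apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 profile="lxc-container-default-cgns" name="/proc/sys/kernel/random/boot_id" pid=4242 comm="lxc-start" srcname="/dev/.lxc-boot-id" flags="rw, bind"
[ 1234.5680] audit: type=1400 audit(1595419200.103:903): apparmor="ALLOWED" operation="mount" profile="lxc-container-default-cgns" name="/sys/" pid=4242 comm="lxc-start" flags="ro, nosuid, nodev, noexec, remount"
"""

# key="quoted value" or key=bareword
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Option order as written in the start-container abstraction line added by
# the patch (ro/nosuid/nodev/noexec first, then remount/bind), so generated
# rules diff cleanly against the existing profile text.
OPTION_ORDER = ["ro", "rw", "nosuid", "nodev", "noexec", "remount", "bind",
                "rbind", "move", "shared", "slave", "private", "unbindable"]


def parse_audit_line(line):
    """Return the key/value fields of one audit record, or None if it is not one."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields if "apparmor" in fields else None


def mount_denials(text):
    """Keep only DENIED mount operations from a block of kernel-log text."""
    events = []
    for line in text.splitlines():
        f = parse_audit_line(line)
        if f and f.get("apparmor") == "DENIED" and f.get("operation") == "mount":
            events.append(f)
    return events


def canonical_options(flags):
    """Split a flags="a, b" string and order it like the profile does."""
    opts = {o.strip() for o in flags.split(",") if o.strip()}
    known = [o for o in OPTION_ORDER if o in opts]
    unknown = sorted(opts.difference(OPTION_ORDER))
    return known + unknown


def suggest_rule(event):
    """Build the candidate apparmor mount rule for one denial event."""
    parts = ["mount"]
    if event.get("flags"):
        parts.append("options=(" + ", ".join(canonical_options(event["flags"])) + ")")
    if event.get("srcname"):          # bind mounts report where they come from
        parts.append(event["srcname"])
    parts.append("-> " + event["name"] + ",")
    return " ".join(parts)


def needs_review(event):
    """True when the candidate would allow a rw mount under /proc or /sys.

    The series deliberately denies rw mounts of sys and proc, so a candidate
    of that shape must be reviewed by hand instead of being added as-is.
    """
    opts = canonical_options(event.get("flags", ""))
    target = event.get("name", "")
    return "rw" in opts and target.startswith(("/proc", "/sys"))


if __name__ == "__main__":
    for ev in mount_denials(SAMPLE_LOG):
        marker = "  # REVIEW: rw under /proc or /sys" if needs_review(ev) else ""
        print(suggest_rule(ev) + marker)
```

Run stand-alone it prints one candidate per denial; the first matches the rule the patch adds, the second is a bind of `/dev/.lxc-boot-id` with `rw` and is marked for review rather than proposed as-is. Feeding it real `dmesg` output instead of `SAMPLE_LOG` only changes the input; the ordering step is what makes the output comparable line-by-line with the abstraction file.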
Re: [pve-devel] [PATCH v2 qemu-server] Fix #2728: die/warn if target is not a replication target when live-migrating
Ping for this patch Am 18.05.20 um 09:37 schrieb Fabian Ebner: Signed-off-by: Fabian Ebner --- Changes from v1: * die/warn depending on force (thanks to Thomas and Aaron for the suggestion) * don't die/warn if VM is not replicated at all PVE/API2/Qemu.pm | 13 + 1 file changed, 13 insertions(+) diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm index fd51bf3..cb99f78 100644 --- a/PVE/API2/Qemu.pm +++ b/PVE/API2/Qemu.pm @@ -3486,6 +3486,19 @@ __PACKAGE__->register_method({ if (PVE::QemuServer::check_running($vmid)) { die "can't migrate running VM without --online\n" if !$param->{online}; + + my $repl_conf = PVE::ReplicationConfig->new(); + my $is_replicated = $repl_conf->check_for_existing_jobs($vmid, 1); + my $is_replicated_to_target = defined($repl_conf->find_local_replication_job($vmid, $target)); + if ($is_replicated && !$is_replicated_to_target) { + if ($param->{force}) { + warn "WARNING: Node '$target' is not a replication target. Existing replication " . +"jobs will fail after migration!\n"; + } else { + die "Cannot live-migrate replicated VM to node '$target' - not a replication target." . + " Use 'force' to override.\n"; + } + } } else { warn "VM isn't running. Doing offline migration instead.\n" if $param->{online}; $param->{online} = 0; ___ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
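Review bot: the replication check is placed inside the `if (PVE::QemuServer::check_running($vmid))` branch, so an offline migration of a replicated VM to a node that is not a replication target passes without either the warning or the die; if that is intended (the subject says live-migrating) a one-line comment saying why offline is exempt would save the next reader the question. `check_for_existing_jobs($vmid, 1)` passes a bare `1` whose meaning is not visible at the call site; a named variable or comment would help. Minor: the existing message in this block is lowercase (`can't migrate running VM without --online`), while the new die starts with `Cannot` and the warn carries a `WARNING:` prefix; keep the style consistent.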
Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
On 22.07.20 13:05, Stoiko Ivanov wrote: > commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially > fixes the apparmor deny for mounting boot_id (used for example for identifying > different boots with `journalctl`) inside the container. > > Tested by editing the profile and replacing it disregarding the cache: > `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start` > was this proposed to upstream as pull request? Did not found it on the LXC GitHub page. > Signed-off-by: Stoiko Ivanov > --- > ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++ > debian/patches/series | 1 + > 2 files changed, 27 insertions(+) > create mode 100644 > debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > > diff --git > a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > new file mode 100644 > index 000..fefc586 > --- /dev/null > +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch 
> @@ -0,0 +1,26 @@ > +From Mon Sep 17 00:00:00 2001 > +From: Stoiko Ivanov > +Date: Wed, 22 Jul 2020 12:17:24 +0200 > +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id > + > +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover all > +necessary mount calls for /proc/sys/kernel/random/boot_id > +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. > + > +Signed-off-by: Stoiko Ivanov > +--- > + config/apparmor/abstractions/start-container.in | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/config/apparmor/abstractions/start-container.in > b/config/apparmor/abstractions/start-container.in > +index 9998f1121..9f64c2727 100644 > +--- a/config/apparmor/abstractions/start-container.in > b/config/apparmor/abstractions/start-container.in > +@@ -22,6 +22,7 @@ > + mount -> /var/lib/lxc/{**,}, > + > + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, > ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> > /proc/sys/kernel/random/boot_id, > + > + # required for some pre-mount hooks > + mount fstype=overlayfs, > diff --git a/debian/patches/series b/debian/patches/series > index ee20ef5..f588081 100644 > --- a/debian/patches/series > +++ b/debian/patches/series > @@ -1,3 +1,4 @@ > pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch > pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch > pve/0003-PVE-Config-attach-always-use-getent.patch > +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > ___ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
On Wed, 22 Jul 2020 13:51:19 +0200 Thomas Lamprecht wrote: > On 22.07.20 13:05, Stoiko Ivanov wrote: > > commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially > > fixes the apparmor deny for mounting boot_id (used for example for > > identifying > > different boots with `journalctl`) inside the container. > > > > Tested by editing the profile and replacing it disregarding the cache: > > `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start` > > > > was this proposed to upstream as pull request? Did not found it on the > LXC GitHub page. sorry my phrasing in the cover-letter was misleading: I want to make a pull request upstream for this patch, after somebody else sanity-checks it -> if it looks ok to you - I'll open the PR. > > > Signed-off-by: Stoiko Ivanov > > --- > > ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++ > > debian/patches/series | 1 + > > 2 files changed, 27 insertions(+) > > create mode 100644 > > debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > > > > diff --git > > a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > > b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > > new file mode 100644 > > index 000..fefc586 > > --- /dev/null > > +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch 
> > @@ -0,0 +1,26 @@ > > +From Mon Sep 17 00:00:00 2001 > > +From: Stoiko Ivanov > > +Date: Wed, 22 Jul 2020 12:17:24 +0200 > > +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id > > + > > +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover > > all > > +necessary mount calls for /proc/sys/kernel/random/boot_id > > +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. > > + > > +Signed-off-by: Stoiko Ivanov > > +--- > > + config/apparmor/abstractions/start-container.in | 1 + > > + 1 file changed, 1 insertion(+) > > + > > +diff --git a/config/apparmor/abstractions/start-container.in > > b/config/apparmor/abstractions/start-container.in > > +index 9998f1121..9f64c2727 100644 > > +--- a/config/apparmor/abstractions/start-container.in > > b/config/apparmor/abstractions/start-container.in > > +@@ -22,6 +22,7 @@ > > + mount -> /var/lib/lxc/{**,}, > > + > > + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, > > ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> > > /proc/sys/kernel/random/boot_id, > > + > > + # required for some pre-mount hooks > > + mount fstype=overlayfs, > > diff --git a/debian/patches/series b/debian/patches/series > > index ee20ef5..f588081 100644 > > --- a/debian/patches/series > > +++ b/debian/patches/series > > @@ -1,3 +1,4 @@ > > pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch > > pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch > > pve/0003-PVE-Config-attach-always-use-getent.patch > > +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > > > ___ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
On 22.07.20 13:59, Stoiko Ivanov wrote: > On Wed, 22 Jul 2020 13:51:19 +0200 > Thomas Lamprecht wrote: > >> On 22.07.20 13:05, Stoiko Ivanov wrote: >>> commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially >>> fixes the apparmor deny for mounting boot_id (used for example for >>> identifying >>> different boots with `journalctl`) inside the container. >>> >>> Tested by editing the profile and replacing it disregarding the cache: >>> `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start` >>> >> >> was this proposed to upstream as pull request? Did not found it on the >> LXC GitHub page. > > sorry my phrasing in the cover-letter was misleading: I want to make a > pull request upstream for this patch, after somebody else sanity-checks it > -> if it looks ok to you - I'll open the PR. > Haha, and I wanted the reverse: get upstream to review it with their in-depth knowledge so that I can rely on that check ;-P > >> >>> Signed-off-by: Stoiko Ivanov >>> --- >>> ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++ >>> debian/patches/series | 1 + >>> 2 files changed, 27 insertions(+) >>> create mode 100644 >>> debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch >>> >>> diff --git >>> a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch >>> b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch >>> new file mode 100644 >>> index 000..fefc586 >>> --- /dev/null >>> +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch 
>>> @@ -0,0 +1,26 @@ >>> +From Mon Sep 17 00:00:00 2001 >>> +From: Stoiko Ivanov >>> +Date: Wed, 22 Jul 2020 12:17:24 +0200 >>> +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id >>> + >>> +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover >>> all >>> +necessary mount calls for /proc/sys/kernel/random/boot_id >>> +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. >>> + >>> +Signed-off-by: Stoiko Ivanov >>> +--- >>> + config/apparmor/abstractions/start-container.in | 1 + >>> + 1 file changed, 1 insertion(+) >>> + >>> +diff --git a/config/apparmor/abstractions/start-container.in >>> b/config/apparmor/abstractions/start-container.in >>> +index 9998f1121..9f64c2727 100644 >>> +--- a/config/apparmor/abstractions/start-container.in >>> b/config/apparmor/abstractions/start-container.in >>> +@@ -22,6 +22,7 @@ >>> + mount -> /var/lib/lxc/{**,}, >>> + >>> + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, >>> ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> >>> /proc/sys/kernel/random/boot_id, >>> + >>> + # required for some pre-mount hooks >>> + mount fstype=overlayfs, >>> diff --git a/debian/patches/series b/debian/patches/series >>> index ee20ef5..f588081 100644 >>> --- a/debian/patches/series >>> +++ b/debian/patches/series >>> @@ -1,3 +1,4 @@ >>> pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch >>> pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch >>> pve/0003-PVE-Config-attach-always-use-getent.patch >>> +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch >>> >> > ___ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
Re: [pve-devel] [PATCH lxc 2/2] apparmor: add rule for allowing remount of boot_id
On Wed, 22 Jul 2020 14:09:09 +0200 Thomas Lamprecht wrote: > On 22.07.20 13:59, Stoiko Ivanov wrote: > > On Wed, 22 Jul 2020 13:51:19 +0200 > > Thomas Lamprecht wrote: > > > >> On 22.07.20 13:05, Stoiko Ivanov wrote: > >>> commit 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 in upstream only partially > >>> fixes the apparmor deny for mounting boot_id (used for example for > >>> identifying > >>> different boots with `journalctl`) inside the container. > >>> > >>> Tested by editing the profile and replacing it disregarding the cache: > >>> `apparmor_parser -W -T -r /etc/apparmor.d/usr.bin.lxc-start` > >>> > >> > >> was this proposed to upstream as pull request? Did not found it on the > >> LXC GitHub page. > > > > sorry my phrasing in the cover-letter was misleading: I want to make a > > pull request upstream for this patch, after somebody else sanity-checks it > > -> if it looks ok to you - I'll open the PR. > > > > Haha, and I wanted the reverse: get upstream to review it with their > in-depth knowledge so that I can rely on that check ;-P aye - makes sense - https://github.com/lxc/lxc/pull/3495 :) > > > > >> > >>> Signed-off-by: Stoiko Ivanov > >>> --- > >>> ...apparmor-Allow-ro-remount-of-boot_id.patch | 26 +++ > >>> debian/patches/series | 1 + > >>> 2 files changed, 27 insertions(+) > >>> create mode 100644 > >>> debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > >>> > >>> diff --git > >>> a/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > >>> b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > >>> new file mode 100644 > >>> index 000..fefc586 > >>> --- /dev/null > >>> +++ b/debian/patches/pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch 
> >>> @@ -0,0 +1,26 @@ > >>> +From Mon Sep 17 00:00:00 2001 > >>> +From: Stoiko Ivanov > >>> +Date: Wed, 22 Jul 2020 12:17:24 +0200 > >>> +Subject: [PATCH lxc] apparmor: Allow ro remount of boot_id > >>> + > >>> +The rule added in 863845075d3f77d27c91bd9f47d2f8ddc4867bd5 did not cover > >>> all > >>> +necessary mount calls for /proc/sys/kernel/random/boot_id > >>> +(in src/lxc/conf.c: lxc_setup_boot_id) - the ro remount is missing. > >>> + > >>> +Signed-off-by: Stoiko Ivanov > >>> +--- > >>> + config/apparmor/abstractions/start-container.in | 1 + > >>> + 1 file changed, 1 insertion(+) > >>> + > >>> +diff --git a/config/apparmor/abstractions/start-container.in > >>> b/config/apparmor/abstractions/start-container.in > >>> +index 9998f1121..9f64c2727 100644 > >>> +--- a/config/apparmor/abstractions/start-container.in > >>> b/config/apparmor/abstractions/start-container.in > >>> +@@ -22,6 +22,7 @@ > >>> + mount -> /var/lib/lxc/{**,}, > >>> + > >>> + mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id, > >>> ++ mount options=(ro, nosuid, nodev, noexec, remount, bind) -> > >>> /proc/sys/kernel/random/boot_id, > >>> + > >>> + # required for some pre-mount hooks > >>> + mount fstype=overlayfs, > >>> diff --git a/debian/patches/series b/debian/patches/series > >>> index ee20ef5..f588081 100644 > >>> --- a/debian/patches/series > >>> +++ b/debian/patches/series > >>> @@ -1,3 +1,4 @@ > >>> pve/0001-PVE-Config-lxc.service-start-after-a-potential-syslo.patch > >>> pve/0002-PVE-Config-deny-rw-mounting-of-sys-and-proc.patch > >>> pve/0003-PVE-Config-attach-always-use-getent.patch > >>> +pve/0004-apparmor-Allow-ro-remount-of-boot_id.patch > >>> > >> > > > ___ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel