Re: [lxc-devel] [PATCH 1/1] lxc_attach: fix break with user namespaces (v2)

2013-01-21 Thread Serge Hallyn
Quoting Christian Seiler (christ...@iwakd.de):
> Hi Serge,
>
> Just a few quick comments because I'm very interested in the lxc-attach
> utility:
>
> > + ret = lxc_cgroup_prepare_attach(my_args.name,
> > &cgroup_data);
> > + if (ret < 0) {
> > +

Re: [lxc-devel] [PATCH 1/1] lxc_attach: fix break with user namespaces (v2)

2013-01-21 Thread Christian Seiler
Hi Serge,

Just a few quick comments because I'm very interested in the lxc-attach utility:

> + ret = lxc_cgroup_prepare_attach(my_args.name,
> &cgroup_data);
> + if (ret < 0) {
> + ERROR("failed to prepare attaching to cgroup");

[lxc-devel] [PATCH 1/1] lxc_attach: fix break with user namespaces (v2)

2013-01-21 Thread Serge Hallyn
When you clone a new user_ns, the child cannot write to the fds opened by the parent. Handle this by doing an extra fork. The grandparent hangs around and waits for its child to tell it the pid of the grandchild, which will be the one attached to the container. The grandparent then moves the

Re: [lxc-devel] [PATCH 1/1] lxc_attach: fix break with user namespaces

2013-01-21 Thread Serge Hallyn
Quoting Serge Hallyn (serge.hal...@canonical.com):
> When you clone a new user_ns, the child cannot write to the fds
> opened by the parent. Handle this by doing an extra fork. The
> grandparent hangs around and waits for its child to tell it the
> pid of the grandchild, which will be the one

[lxc-devel] [PATCH 1/1] lxc_attach: fix break with user namespaces

2013-01-21 Thread Serge Hallyn
When you clone a new user_ns, the child cannot write to the fds opened by the parent. Handle this by doing an extra fork. The grandparent hangs around and waits for its child to tell it the pid of the grandchild, which will be the one attached to the container. The grandparent then moves the

Re: [lxc-devel] [PATCH] don't leak the rootfs.pin fd into the container

2013-01-21 Thread Stéphane Graber
On 01/17/2013 10:53 AM, Serge Hallyn wrote:
> Only the container parent needs to keep that fd open. Close it
> as soon as the container's first task is spawned. Else it can
> show up in /proc/$$/fd in the container.
>
> Signed-off-by: Serge Hallyn

Acked-by: Stéphane Graber

> ---
> src/lxc/s