Gao feng writes:
> cc libvirt-list
>
> On 08/21/2013 01:30 PM, Eric W. Biederman wrote:
>> Gao feng writes:
>>
>>> Unix sockets are private resources of net namespace,
>>> allowing one net namespace to access to other netns's unix
>>> sockets is meaningless.
>>
>> Allowing one net namespace to
On 08/21/2013 03:06 PM, Eric W. Biederman wrote:
> Gao feng writes:
>
>> cc libvirt-list
>>
>> On 08/21/2013 01:30 PM, Eric W. Biederman wrote:
>>> Gao feng writes:
>>>
Unix sockets are private resources of net namespace,
allowing one net namespace to access to other netns's unix
On Wed, Aug 21, 2013 at 11:51:53AM +0200, Kay Sievers wrote:
> On Wed, Aug 21, 2013 at 9:22 AM, Gao feng wrote:
> > On 08/21/2013 03:06 PM, Eric W. Biederman wrote:
>
> >> I suspect libvirt should simply not share /run or any other normally
> >> writable directory with the host. Sharing /run /va
Gao feng writes:
> right now I only take note of the unix socket /run/systemd/private,
> but there may have many similar unix sockets, they can exist in any
> path. the strange problems will still happen.
It could just as easily have been a fifo in the filesystem, and the
result would have been
Hi Serge,
> I'm thinking symbolic link may be the simplest thing to support -
> lxc_container_new() could immediately readlink() to get the real
> container name.
Yes, I agree, I'd find such a thing very useful. However, it should not
only be lxc_container_new but also the utilities not using the
Hello
I've found the following issue running lxc-start on Ubuntu 13.04:
lxc-start: Read-only file system - failed to change apparmor profile
to unconfined
This happens despite "lxc.aa_profile = unconfined" being set in the
container configuration. What happened was that aa_am_unconfined() w
Hi Serge,
>> Having /lxc makes it much easier to sett what's part of a container
>> vs
>> what's part of a user session or whatever else uses cgroups these
>> days.
>
> Note that nothing stops you from simply entering cgroup /lxc by hand
> before executing a container. Right now the code simply
Hi Andre,
> I've found the following issue running lxc-start on Ubuntu 13.04:
>
>lxc-start: Read-only file system - failed to change apparmor
> profile
> to unconfined
I had the same issue when playing around and the following patch that
is already merged in staging fixes it:
https://github
> - When showing names (mostly lxc-ls), always show the
>real name by default, never the alias. So if /var/lib/lxc
>contains the following contents
>foo/
>bar/
>baz -> bar
>then lxc-ls should only show foo and bar. An additional
>option for also s
Quoting Christian Seiler (christ...@iwakd.de):
...
> If I think about that further, I think the initial bind-mount logic is
> already borked. Because if nested LXC breaks in such a way, so will
> many software that uses cgroups and relies on standard behaviour.
>
> I think the correct way for the
Quoting Christian Seiler (christ...@iwakd.de):
> Hi Serge,
>
> > I'm thinking symbolic link may be the simplest thing to support -
> > lxc_container_new() could immediately readlink() to get the real
> > container name.
>
> Yes, I agree, I'd find such a thing very useful. However, it should not
>
Quoting Serge Hallyn (serge.hal...@ubuntu.com):
> Quoting Christian Seiler (christ...@iwakd.de):
> ...
> > If I think about that further, I think the initial bind-mount logic is
> > already borked. Because if nested LXC breaks in such a way, so will
> > many software that uses cgroups and relies on
Hi Serge,
> If we're going to do this, we should do it soon. Would you have time
> in the next few days?
Define 'few'. ;) I should be able to do that until Monday (barring any
emergencies).
> (BTW, if we're going to throw words like b0rked around, I'd prefer to
> reserve that for the refusal to
Quoting Christian Seiler (christ...@iwakd.de):
> Hi Serge,
>
> >If we're going to do this, we should do it soon. Would you have time
> >in the next few days?
>
> Define 'few'. ;) I should be able to do that until Monday (barring any
> emergencies).
>
> >(BTW, if we're going to throw words like
On Tue, 20 Aug 2013 14:15:26 -0500
Serge Hallyn wrote:
[...]
> +static bool mod_rdep(struct lxc_container *c, bool inc)
> +{
> + char path[MAXPATHLEN];
> + int ret, v = 0;
> + FILE *f;
> + bool bret = false;
> +
> + if (container_disk_lock(c))
> + return false;
> +
On Wed, 21 Aug 2013 07:59:11 -0500
Serge Hallyn wrote:
> Quoting Christian Seiler (christ...@iwakd.de):
[...]
> To implement that, we would rename lxc_container_new() to
> lxc_container_new_ln() which takes an extra boolean and dereferences
> the symlink if the boolean is true, have lxc_container
Quoting Dwight Engen (dwight.en...@oracle.com):
> On Tue, 20 Aug 2013 14:15:26 -0500
> Serge Hallyn wrote:
>
> [...]
> > +static bool mod_rdep(struct lxc_container *c, bool inc)
> > +{
> > + char path[MAXPATHLEN];
> > + int ret, v = 0;
> > + FILE *f;
> > + bool bret = false;
> > +
> > +
Hi Serge,
>> 1. What about the naming convention? Stick with /lxc/$name or go
>> with
>> /machine/$name.lxc (see prev. email)? Or I could make that
>> configurable?
>
> $name.lxc or lxc.$name seems good for all cases. It'll benefit
> unprivileged users also. By "/machine/$name.lxc" did
On Wed, 21 Aug 2013 10:47:20 -0500
Serge Hallyn wrote:
> Quoting Dwight Engen (dwight.en...@oracle.com):
> > On Tue, 20 Aug 2013 14:15:26 -0500
> > Serge Hallyn wrote:
> >
> > [...]
> > > +static bool mod_rdep(struct lxc_container *c, bool inc)
> > > +{
> > > + char path[MAXPATHLEN];
> > > + in
Hey Serge,
I'm not opposed the idea but just trying to understand the motivation
behind it. We are doing exactly what you described (daily builds uses
somename-date-buildnumber and two symlinks latest and stable points some
containers) and I'm just using something like following
sudo lxc-clone -o
Quoting Dwight Engen (dwight.en...@oracle.com):
> On Wed, 21 Aug 2013 10:47:20 -0500
> Serge Hallyn wrote:
>
> > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > On Tue, 20 Aug 2013 14:15:26 -0500
> > > Serge Hallyn wrote:
> > >
> > > [...]
> > > > +static bool mod_rdep(struct lxc_containe
Quoting S.Çağlar Onur (cag...@10ur.org):
> Hey Serge,
>
> I'm not opposed the idea but just trying to understand the motivation
> behind it. We are doing exactly what you described (daily builds uses
> somename-date-buildnumber and two symlinks latest and stable points some
> containers) and I'm j
On Wed, 21 Aug 2013 12:18:13 -0500
Serge Hallyn wrote:
> Quoting Dwight Engen (dwight.en...@oracle.com):
> > On Wed, 21 Aug 2013 10:47:20 -0500
> > Serge Hallyn wrote:
> >
> > > Quoting Dwight Engen (dwight.en...@oracle.com):
> > > > On Tue, 20 Aug 2013 14:15:26 -0500
> > > > Serge Hallyn wrot
Signed-off-by: Serge Hallyn
---
src/lxc/lxc_cgroup.c | 31 ---
1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/src/lxc/lxc_cgroup.c b/src/lxc/lxc_cgroup.c
index 094686d..7f6eb63 100644
--- a/src/lxc/lxc_cgroup.c
+++ b/src/lxc/lxc_cgroup.c
@@ -29,6 +29,7
Quoting Dwight Engen (dwight.en...@oracle.com):
> Ahh yeah, thats probably a good idea. They can also get off if people
> just rm -rf the container (and I'm guilty of doing that sometimes), so
> like you said "best effort".
Drat, that would require an API change to pass a flag to destroy.
Still mi
(Will push in a bit barring any objections)
lvm, btrfs, and zfs snapshots each do an ok job of handling deletions
for us - a btrfs snapshot does fine after the original is removed,
while zfs and lvm will both refuse to allow the original to be deleted
while the snapshot exists.
Overlayfs doesn't
On Wed, 21 Aug 2013 14:35:28 -0500
Serge Hallyn wrote:
> Signed-off-by: Serge Hallyn
Acked-by: Dwight Engen
> ---
> src/lxc/lxc_cgroup.c | 31 ---
> 1 file changed, 20 insertions(+), 11 deletions(-)
>
> diff --git a/src/lxc/lxc_cgroup.c b/src/lxc/lxc_cgroup.c
> i
These are the last of the simpler conversions. Start, execute,
kill, info and attach remain to be done.
Signed-off-by: Serge Hallyn
---
src/lxc/lxc_freeze.c | 26 ++
src/lxc/lxc_unfreeze.c | 26 ++
src/lxc/lxc_wait.c | 15 ---
3
On Wed, 21 Aug 2013 16:53:52 -0500
Serge Hallyn wrote:
> These are the last of the simpler conversions. Start, execute,
> kill, info and attach remain to be done.
>
> Signed-off-by: Serge Hallyn
Looks good to me
Acked-by: Dwight Engen
> ---
> src/lxc/lxc_freeze.c | 26 ++
Quoting Christian Seiler (christ...@iwakd.de):
> Hi Serge,
>
> >> 1. What about the naming convention? Stick with /lxc/$name or
> >>go with
> >>/machine/$name.lxc (see prev. email)? Or I could make that
> >>configurable?
> >
> >$name.lxc or lxc.$name seems good for all cases. It'll benefi
On 08/21/2013 06:42 PM, Eric W. Biederman wrote:
> Gao feng writes:
>
>> right now I only take note of the unix socket /run/systemd/private,
>> but there may have many similar unix sockets, they can exist in any
>> path. the strange problems will still happen.
>
> It could just as easily have be
31 matches
Mail list logo
