kmsg のシンボリックリンクの有効化

From obnox at samba.org Fri Jan 2 19:59:24 2015 From: obnox at samba.org (Michael Adam) Date: Fri, 2 Jan 2015 20:59:24 +0100 Subject: [lxc-devel] [PATCH] fix lxc-fedora template for fedora 21 Message-ID: <20150102195924.GC2958@obnox.de> Hi, And a happy new year to everybody! Is this the correct way to submit a patch? Or is it also possible to simply create a pull request on github? Anyhow, here it is: the fedora template fails for f21 because in f21, a package fedora-repos has been split out of the fedora-release package, and fedora-repos is also required. Attached patch fixes this for me by adding the fedora-repos pacakge if the release is >= 21. Comments / merge appreciated... Thanks, Michael -------------- next part -------------- From c8324559061541e16217e1e9da6886677bbf6516 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 2 Jan 2015 20:28:59 +0100 Subject: [PATCH] lxc-fedora: In fedora21, the fedora-repos package is needed. fedora-release has been split into fedora-release and fedora-repos. Signed-off-by: Michael Adam --- templates/lxc-fedora.in | 36 +++++++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index 65e9959..2123e69 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -823,6 +823,13 @@ download_fedora() PKG_LIST="${PKG_LIST} db4-utils" fi + if [[ ${release} -ge 21 ]] + then + # Since Fedora 21, a separate fedora-repos package is needed. + # Before, the information was conained in fedora-release. + PKG_LIST="${PKG_LIST} fedora-repos" + fi + DOWNLOAD_OK=no # We're splitting the old loop into two loops plus a directory retrival. @@ -851,7 +858,7 @@ download_fedora() RELEASE_URL="$MIRROR_URL/Packages/" fi - echo "Fetching rpm name from $RELEASE_URL..." + echo "Fetching release rpm name from $RELEASE_URL..." # This code is mildly "brittle" in that it assumes a certain directory # page format and parsing HTML. I've done worse. :-P RELEASE_RPM=$(curl -L -f "$RELEASE_URL" | sed -e "/fedora-release-${release}-/!d" -e 's/.*.*//' ) @@ -867,6 +874,24 @@ download_fedora() continue fi + # F21 and newer need fedora-repos in addition to fedora-release. + if [ "$release" -ge "21" ]; then + echo "Fetching repos rpm name from $RELEASE_URL..." + REPOS_RPM=$(curl -L -f "$RELEASE_URL" | sed -e "/fedora-repos-${release}-/!d" -e 's/.*.*//' ) + if [ $? -ne 0 -o "${REPOS_RPM}" = "" ]; then + echo "Failed to identify fedora repos rpm." + continue + fi + + echo "Fetching fedora repos rpm from ${RELEASE_URL}/${REPOS_RPM}..." + curl -L -f "${RELEASE_URL}/${REPOS_RPM}" > ${INSTALL_ROOT}/${REPOS_RPM} + if [ $? -ne 0 ]; then + echo "Failed to download fedora repos rpm ${RELEASE_RPM}." + continue + fi + fi + + DOWNLOAD_OK=yes break done @@ -887,9 +912,18 @@ download_fedora() fedora_bootstrap_mounts ${BOOTSTRAP_CHROOT}rpm --root ${BOOTSTRAP_INSTALL_ROOT} --initdb + # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?! ${BOOTSTRAP_CHROOT}rpm --root ${BOOTSTRAP_INSTALL_ROOT} --nodeps -ivh ${BOOTSTRAP_INSTALL_ROOT}/${RELEASE_RPM} + # F21 and newer need fedora-repos in addition to fedora-release... + # Note that fedora-release and fedora-system have a mutual dependency. + # So installing the reops package after the release package we can + # spare one --nodeps. + if [ "$release" -ge "21" ]; then + ${BOOTSTRAP_CHROOT}rpm --root ${BOOTSTRAP_INSTALL_ROOT} -ivh ${BOOTSTRAP_INSTALL_ROOT}/${REPOS_RPM} + fi + # yum will take $basearch from host, so force the arch we want sed -i "s|\$basearch|$basearch|" ${BOOTSTRAP_DIR}/${BOOTSTRAP_INSTALL_ROOT}/etc/yum.repos.d/* -- 2.1.0 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From obnox at samba.org Fri Jan 2 20:19:50 2015 From: obnox at samba.org (Michael Adam) Date: Fri, 2 Jan 2015 21:19:50 +0100 Subject: [lxc-devel] [PATCH] fix possible 100% cpu loop by fedora template Message-ID: <20150102201950.GD2958@obnox.de> Another patch to the fedora template. My f21 containers ran into a 100% cpu loop for systemd-journald. Here is the explanation: https://lists.linuxcontainers.org/pipermail/lxc-users/2014-October/007907.html I have made the change to set lxc.kmsg = 0 in the generated config if the release is using systemd. Thanks for consideration, Michael -------------- next part -------------- From df7ca9966936bfcf4aa52a46dd39d594e0709ce1 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 2 Jan 2015 21:12:21 +0100 Subject: [PATCH] lxc-fedora: when using systemd, set lxc.kmsg = 0 in the config This is to prevent systemd-journald to enter a 100% cpu loop. Signed-off-by: Michael Adam --- templates/lxc-fedora.in | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index 2123e69..adfaab2 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -1117,13 +1117,22 @@ lxc.include = @LXCTEMPLATECONFIG@/fedora.common.conf " >> $config_path/config fi + if [ "x$have_systemd" = "x1" ]; then + cat <> $config_path/config +lxc.autodev = 1 +lxc.kmsg = 0 +EOF + else + cat <> $config_path/config +lxc.autodev = 0 +EOF + fi + # Append things which require expansion here... cat <> $config_path/config lxc.arch = $arch lxc.utsname = $utsname -lxc.autodev = $auto_dev - # When using LXC with apparmor, uncomment the next line to run unconfined: #lxc.aa_profile = unconfined @@ -1337,12 +1346,12 @@ if [ -z "$release" ]; then fi fi -# Fedora 15 and above run systemd. We need autodev enabled to keep +# Fedora 15 and above run systemd.We need autodev enabled to keep # systemd from causing problems. +# Also, kmsg must not be mapped to prevent a 100% cpu loop +# in systemd-journald. if [ $release -gt 14 ]; then - auto_dev="1" -else - auto_dev="0" + have_systemd="1" fi if [ "$(id -u)" != "0" ]; then -- 2.1.0 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From beprojectcriu at gmail.com Sun Jan 4 07:16:07 2015 From: beprojectcriu at gmail.com (beproject criu) Date: Sun, 4 Jan 2015 12:46:07 +0530 Subject: [lxc-devel] Session Leader In-Reply-To: <60E9D0C7-864D-43E4-9D42-E950DED4EFC3@gmail.com> References: <60E9D0C7-864D-43E4-9D42-E950DED4EFC3@gmail.com> Message-ID: Dear LXC Developers, Does anybody have any idea why lxc-start executable does not make init the session leader, whereas lxcapi_start function does call setsid() On Sat, Jan 3, 2015 at 11:55 AM, Ashish Bijlani wrote: > Could you reply to this email and ask LXC developers to help….if anyone > has any idea on this. > > Ask why lxc-start executable does not make init the session leader, > whereas lxcapi_start function does call setsid() > > On Dec 25, 2014, at 10:19 AM, beproject criu > wrote: > > Dear LXC Developers, > > Why init of spawned container is not a session leader?. > Can i change the session leader of lxc container using hooks,etc? > If yes, how do i do it. > > Thanks. > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From wangzhenaaa7 at gmail.com Mon Jan 5 05:41:33 2015 From: wangzhenaaa7 at gmail.com (zhen wang) Date: Mon, 5 Jan 2015 13:41:33 +0800 Subject: [lxc-devel] cpu.shares doesn't work Message-ID: I have created two containers using docker. When i changed the value of cpu.shares in the associated path of the docker id ,and i have already substituted -1 in the cpu.cfs_quota_us with 50000, I tested a program ,which doesn't use io, the result of test didn't show the setting of cpu.shares work. Example : i set the cpu.shares 128 in one container and the other 1024 and i run the program in the two container concurrently. The time of the program cost is almost the same. Kernel version 2.6.32-431. cpu cores - 2 Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: From JOELN at il.ibm.com Mon Jan 5 09:45:28 2015 From: JOELN at il.ibm.com (Joel Nider) Date: Mon, 5 Jan 2015 11:45:28 +0200 Subject: [lxc-devel] Valid Container Names/Identifiers In-Reply-To: <20141218154204.GE1397@ubuntumail> References: <20141216152205.GL23859@dakara> <20141218154204.GE1397@ubuntumail> Message-ID: I was on holidays so I just saw this - I will be happy to put together a patch. Joel Nider Virtualization Research IBM Research and Development Haifa Research Lab Phone: 972-4-829-6326 | Mobile: 972-54-3155635 E-mail: JOELN at il.ibm.com From: Serge Hallyn To: LXC development mailing-list Date: 18/12/2014 05:42 PM Subject: Re: [lxc-devel] Valid Container Names/Identifiers Sent by: "lxc-devel" Agreed. Would you mind coming up with a proposed patch to be stricter at lxcapi_create() and sending it out? Quoting Joel Nider (JOELN at il.ibm.com): > I would strongly suggest to nail this down now since the question came up. > This is the kind of issue that could create security bugs later on (when > different parts of the code check for valid names in different ways, or > don't check at all). Stephane's suggestion of a 64 ASCII character string > that forms a valid Linux hostname sounds good to me - is this formally > defined somewhere? > > Regards, > > Joel > > "lxc-devel" wrote on > 16/12/2014 05:22:05 PM: > > > From: Stéphane Graber > > To: LXC development mailing-list > > Date: 16/12/2014 05:22 PM > > Subject: Re: [lxc-devel] Valid Container Names/Identifiers > > Sent by: "lxc-devel" > > > > On Tue, Dec 16, 2014 at 10:36:13AM +0100, Till Walter wrote: > > > Dear LXC Developers, > > > > > > the manual page of lxc-create states that "The container identifier > > > format is an alphanumeric string". Yet besides [A-Za-z0-9] other > > > characters like underscore are also fine. > > > I had a brief look at the source but did not find any check, e.g., > > > using a regex. Is there any check at all? What are valid container > > > identifiers/names? > > > I am asking because I am using the official python bindings to write a > > > little utility and want to avoid container naming problems that may > > > arise. > > > > > > Best regards, > > > > > > BB > > > > So LXC itself doesn't really have a definition for valid names, however > > since the name is typically used for the container's hostname, you > > should stick to what's considered a valid hostname on Linux. > > > > There's a POSIX RFC for that but IIRC it's basically 64 chars ASCII. > > > > -- > > Stéphane Graber > > Ubuntu developer > > http://www.ubuntu.com > > [attachment "signature.asc" deleted by Joel Nider/Haifa/IBM] > > _______________________________________________ > > lxc-devel mailing list > > lxc-devel at lists.linuxcontainers.org > > http://lists.linuxcontainers.org/listinfo/lxc-devel > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel _______________________________________________ lxc-devel mailing list lxc-devel at lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel From serge.hallyn at ubuntu.com Mon Jan 5 12:22:06 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Mon, 5 Jan 2015 12:22:06 +0000 Subject: [lxc-devel] cpu.shares doesn't work In-Reply-To: References: Message-ID: <20150105122205.GA2090@ubuntumail> Quoting zhen wang (wangzhenaaa7 at gmail.com): > I have created two containers using docker. When i changed the value of docker is not lxc > cpu.shares in the associated path of the docker id ,and i have already > substituted -1 in the cpu.cfs_quota_us with 50000, I tested a program > ,which doesn't use io, the result of test didn't show the setting of > cpu.shares work. Example : > i set the cpu.shares 128 in one container and the other 1024 and i run the > program in the two container concurrently. The time of the program cost is > almost the same. The cpu.shares will only start to make a difference if the cpu is under contention by other cgroups. > Kernel version 2.6.32-431. > cpu cores - 2 > > Thanks. > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From serge.hallyn at ubuntu.com Mon Jan 5 12:41:47 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Mon, 5 Jan 2015 12:41:47 +0000 Subject: [lxc-devel] [PATCH] Also drop caps in unpriv containers In-Reply-To: <1419549445-31359-1-git-send-email-stgraber@ubuntu.com> References: <1419549445-31359-1-git-send-email-stgraber@ubuntu.com> Message-ID: <20150105124147.GB2090@ubuntumail> Quoting Stéphane Graber (stgraber at ubuntu.com): No objection per se, but can you explain why? What is the use case for this? > Signed-off-by: Stéphane Graber > --- > src/lxc/conf.c | 22 ++++++++++------------ > 1 file changed, 10 insertions(+), 12 deletions(-) > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 472eb79..72181dd 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -4158,20 +4158,18 @@ int lxc_setup(struct lxc_handler *handler) > return -1; > } > > - if (lxc_list_empty(&lxc_conf->id_map)) { > - if (!lxc_list_empty(&lxc_conf->keepcaps)) { > - if (!lxc_list_empty(&lxc_conf->caps)) { > - ERROR("Simultaneously requested dropping and keeping caps"); > - return -1; > - } > - if (dropcaps_except(&lxc_conf->keepcaps)) { > - ERROR("failed to keep requested caps"); > - return -1; > - } > - } else if (setup_caps(&lxc_conf->caps)) { > - ERROR("failed to drop capabilities"); > + if (!lxc_list_empty(&lxc_conf->keepcaps)) { > + if (!lxc_list_empty(&lxc_conf->caps)) { > + ERROR("Simultaneously requested dropping and keeping caps"); > return -1; > } > + if (dropcaps_except(&lxc_conf->keepcaps)) { > + ERROR("failed to keep requested caps"); > + return -1; > + } > + } else if (setup_caps(&lxc_conf->caps)) { > + ERROR("failed to drop capabilities"); > + return -1; > } > > NOTICE("'%s' is setup.", name); > -- > 1.9.1 > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From serge.hallyn at ubuntu.com Mon Jan 5 12:43:04 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Mon, 5 Jan 2015 12:43:04 +0000 Subject: [lxc-devel] [PATCH] apparmor: Block access to /proc/kcore In-Reply-To: <1419788009-20768-1-git-send-email-stgraber@ubuntu.com> References: <1419788009-20768-1-git-send-email-stgraber@ubuntu.com> Message-ID: <20150105124304.GC2090@ubuntumail> Quoting Stéphane Graber (stgraber at ubuntu.com): > Just like we block access to mem and kmem, there's no good reason for > the container to have access to kcore. > > Reported-by: Marc Schaefer > Signed-off-by: Stéphane Graber Acked-by: Serge E. Hallyn > --- > config/apparmor/abstractions/container-base | 5 +++-- > config/apparmor/abstractions/container-base.in | 5 +++-- > 2 files changed, 6 insertions(+), 4 deletions(-) > > diff --git a/config/apparmor/abstractions/container-base b/config/apparmor/abstractions/container-base > index 2d5fd7a..ac8d4e9 100644 > --- a/config/apparmor/abstractions/container-base > +++ b/config/apparmor/abstractions/container-base > @@ -70,9 +70,10 @@ > mount fstype=efivarfs -> /sys/firmware/efi/efivars/, > > # block some other dangerous paths > - deny @{PROC}/sysrq-trigger rwklx, > - deny @{PROC}/mem rwklx, > + deny @{PROC}/kcore rwklx, > deny @{PROC}/kmem rwklx, > + deny @{PROC}/mem rwklx, > + deny @{PROC}/sysrq-trigger rwklx, > > # deny writes in /sys except for /sys/fs/cgroup, also allow > # fusectl, securityfs and debugfs to be mounted there (read-only) > diff --git a/config/apparmor/abstractions/container-base.in b/config/apparmor/abstractions/container-base.in > index 2065735..235913b 100644 > --- a/config/apparmor/abstractions/container-base.in > +++ b/config/apparmor/abstractions/container-base.in > @@ -70,9 +70,10 @@ > mount fstype=efivarfs -> /sys/firmware/efi/efivars/, > > # block some other dangerous paths > - deny @{PROC}/sysrq-trigger rwklx, > - deny @{PROC}/mem rwklx, > + deny @{PROC}/kcore rwklx, > deny @{PROC}/kmem rwklx, > + deny @{PROC}/mem rwklx, > + deny @{PROC}/sysrq-trigger rwklx, > > # deny writes in /sys except for /sys/fs/cgroup, also allow > # fusectl, securityfs and debugfs to be mounted there (read-only) > -- > 1.9.1 > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From stgraber at ubuntu.com Mon Jan 5 12:46:08 2015 From: stgraber at ubuntu.com (=?iso-8859-1?Q?St=E9phane?= Graber) Date: Mon, 5 Jan 2015 07:46:08 -0500 Subject: [lxc-devel] [PATCH] Also drop caps in unpriv containers In-Reply-To: <20150105124147.GB2090@ubuntumail> References: <1419549445-31359-1-git-send-email-stgraber@ubuntu.com> <20150105124147.GB2090@ubuntumail> Message-ID: <20150105124608.GB18786@dakara> On Mon, Jan 05, 2015 at 12:41:47PM +0000, Serge Hallyn wrote: > Quoting Stéphane Graber (stgraber at ubuntu.com): > > No objection per se, but can you explain why? What is the use > case for this? Preventing systemd from thinking it's got cap_sys_module. That's my main use case anyway, also having a lxc.cap.* be silently discarded just feels weird :) > > > Signed-off-by: Stéphane Graber > > --- > > src/lxc/conf.c | 22 ++++++++++------------ > > 1 file changed, 10 insertions(+), 12 deletions(-) > > > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > > index 472eb79..72181dd 100644 > > --- a/src/lxc/conf.c > > +++ b/src/lxc/conf.c > > @@ -4158,20 +4158,18 @@ int lxc_setup(struct lxc_handler *handler) > > return -1; > > } > > > > - if (lxc_list_empty(&lxc_conf->id_map)) { > > - if (!lxc_list_empty(&lxc_conf->keepcaps)) { > > - if (!lxc_list_empty(&lxc_conf->caps)) { > > - ERROR("Simultaneously requested dropping and keeping caps"); > > - return -1; > > - } > > - if (dropcaps_except(&lxc_conf->keepcaps)) { > > - ERROR("failed to keep requested caps"); > > - return -1; > > - } > > - } else if (setup_caps(&lxc_conf->caps)) { > > - ERROR("failed to drop capabilities"); > > + if (!lxc_list_empty(&lxc_conf->keepcaps)) { > > + if (!lxc_list_empty(&lxc_conf->caps)) { > > + ERROR("Simultaneously requested dropping and keeping caps"); > > return -1; > > } > > + if (dropcaps_except(&lxc_conf->keepcaps)) { > > + ERROR("failed to keep requested caps"); > > + return -1; > > + } > > + } else if (setup_caps(&lxc_conf->caps)) { > > + ERROR("failed to drop capabilities"); > > + return -1; > > } > > > > NOTICE("'%s' is setup.", name); > > -- > > 1.9.1 > > > > _______________________________________________ > > lxc-devel mailing list > > lxc-devel at lists.linuxcontainers.org > > http://lists.linuxcontainers.org/listinfo/lxc-devel > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From serge.hallyn at ubuntu.com Mon Jan 5 15:45:04 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Mon, 5 Jan 2015 15:45:04 +0000 Subject: [lxc-devel] [PATCH] Also drop caps in unpriv containers In-Reply-To: <20150105124608.GB18786@dakara> References: <1419549445-31359-1-git-send-email-stgraber@ubuntu.com> <20150105124147.GB2090@ubuntumail> <20150105124608.GB18786@dakara> Message-ID: <20150105154504.GB3201@ubuntumail> Quoting Stéphane Graber (stgraber at ubuntu.com): > On Mon, Jan 05, 2015 at 12:41:47PM +0000, Serge Hallyn wrote: > > Quoting Stéphane Graber (stgraber at ubuntu.com): > > > > No objection per se, but can you explain why? What is the use > > case for this? > > Preventing systemd from thinking it's got cap_sys_module. Feh. I don't like it, but ok. > That's my main use case anyway, also having a lxc.cap.* be silently > discarded just feels weird :) > > > > > > Signed-off-by: Stéphane Graber Acked-by: Serge E. Hallyn > > > --- > > > src/lxc/conf.c | 22 ++++++++++------------ > > > 1 file changed, 10 insertions(+), 12 deletions(-) > > > > > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > > > index 472eb79..72181dd 100644 > > > --- a/src/lxc/conf.c > > > +++ b/src/lxc/conf.c > > > @@ -4158,20 +4158,18 @@ int lxc_setup(struct lxc_handler *handler) > > > return -1; > > > } > > > > > > - if (lxc_list_empty(&lxc_conf->id_map)) { > > > - if (!lxc_list_empty(&lxc_conf->keepcaps)) { > > > - if (!lxc_list_empty(&lxc_conf->caps)) { > > > - ERROR("Simultaneously requested dropping and keeping caps"); > > > - return -1; > > > - } > > > - if (dropcaps_except(&lxc_conf->keepcaps)) { > > > - ERROR("failed to keep requested caps"); > > > - return -1; > > > - } > > > - } else if (setup_caps(&lxc_conf->caps)) { > > > - ERROR("failed to drop capabilities"); > > > + if (!lxc_list_empty(&lxc_conf->keepcaps)) { > > > + if (!lxc_list_empty(&lxc_conf->caps)) { > > > + ERROR("Simultaneously requested dropping and keeping caps"); > > > return -1; > > > } > > > + if (dropcaps_except(&lxc_conf->keepcaps)) { > > > + ERROR("failed to keep requested caps"); > > > + return -1; > > > + } > > > + } else if (setup_caps(&lxc_conf->caps)) { > > > + ERROR("failed to drop capabilities"); > > > + return -1; > > > } > > > > > > NOTICE("'%s' is setup.", name); > > > -- > > > 1.9.1 > > > > > > _______________________________________________ > > > lxc-devel mailing list > > > lxc-devel at lists.linuxcontainers.org > > > http://lists.linuxcontainers.org/listinfo/lxc-devel > > _______________________________________________ > > lxc-devel mailing list > > lxc-devel at lists.linuxcontainers.org > > http://lists.linuxcontainers.org/listinfo/lxc-devel > > -- > Stéphane Graber > Ubuntu developer > http://www.ubuntu.com > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From serge.hallyn at ubuntu.com Mon Jan 5 15:48:39 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Mon, 5 Jan 2015 15:48:39 +0000 Subject: [lxc-devel] Session Leader In-Reply-To: References: <60E9D0C7-864D-43E4-9D42-E950DED4EFC3@gmail.com> Message-ID: <20150105154839.GC3201@ubuntumail> lcxapi_start calls setsid but not from the task which will become the container init. Quoting beproject criu (beprojectcriu at gmail.com): > Dear LXC Developers, > Does anybody have any idea why lxc-start executable does not make init the > session leader, whereas lxcapi_start function does call setsid() > > On Sat, Jan 3, 2015 at 11:55 AM, Ashish Bijlani > wrote: > > > Could you reply to this email and ask LXC developers to help….if anyone > > has any idea on this. > > > > Ask why lxc-start executable does not make init the session leader, > > whereas lxcapi_start function does call setsid() > > > > On Dec 25, 2014, at 10:19 AM, beproject criu > > wrote: > > > > Dear LXC Developers, > > > > Why init of spawned container is not a session leader?. > > Can i change the session leader of lxc container using hooks,etc? > > If yes, how do i do it. > > > > Thanks. > > > > _______________________________________________ > > lxc-devel mailing list > > lxc-devel at lists.linuxcontainers.org > > http://lists.linuxcontainers.org/listinfo/lxc-devel > > > > > > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From serge.hallyn at ubuntu.com Mon Jan 5 16:47:17 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Mon, 5 Jan 2015 16:47:17 +0000 Subject: [lxc-devel] [PATCH] fix lxc-fedora template for fedora 21 In-Reply-To: <20150102195924.GC2958@obnox.de> References: <20150102195924.GC2958@obnox.de> Message-ID: <20150105164717.GF3201@ubuntumail> Quoting Michael Adam (obnox at samba.org): > Hi, > > And a happy new year to everybody! > > Is this the correct way to submit a patch? Almost - it's perfect, except for please put the patches inline rather than as attachments, if possible. > Or is it also possible to simply create a pull request on github? No for thi sproject I prefer email so that everyone can see them. > Anyhow, here it is: Thanks for the patch. It looks good to me, though I have not tested and don't have any fedora right now. I'm hoping mwarfield will see it and comment if there are any problems, but meanwhile acked belw. > the fedora template fails for f21 because in > f21, a package fedora-repos has been split out > of the fedora-release package, and fedora-repos > is also required. > > Attached patch fixes this for me by adding the > fedora-repos pacakge if the release is >= 21. > > Comments / merge appreciated... > > Thanks, Michael > From c8324559061541e16217e1e9da6886677bbf6516 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Fri, 2 Jan 2015 20:28:59 +0100 > Subject: [PATCH] lxc-fedora: In fedora21, the fedora-repos package is needed. > > fedora-release has been split into fedora-release and fedora-repos. > > Signed-off-by: Michael Adam Acked-by: Serge E. Hallyn > --- > templates/lxc-fedora.in | 36 +++++++++++++++++++++++++++++++++++- > 1 file changed, 35 insertions(+), 1 deletion(-) > > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in > index 65e9959..2123e69 100644 > --- a/templates/lxc-fedora.in > +++ b/templates/lxc-fedora.in > @@ -823,6 +823,13 @@ download_fedora() > PKG_LIST="${PKG_LIST} db4-utils" > fi > > + if [[ ${release} -ge 21 ]] > + then > + # Since Fedora 21, a separate fedora-repos package is needed. > + # Before, the information was conained in fedora-release. > + PKG_LIST="${PKG_LIST} fedora-repos" > + fi > + > DOWNLOAD_OK=no > > # We're splitting the old loop into two loops plus a directory retrival. > @@ -851,7 +858,7 @@ download_fedora() > RELEASE_URL="$MIRROR_URL/Packages/" > fi > > - echo "Fetching rpm name from $RELEASE_URL..." > + echo "Fetching release rpm name from $RELEASE_URL..." > # This code is mildly "brittle" in that it assumes a certain directory > # page format and parsing HTML. I've done worse. :-P > RELEASE_RPM=$(curl -L -f "$RELEASE_URL" | sed -e "/fedora-release-${release}-/!d" -e 's/.*.*//' ) > @@ -867,6 +874,24 @@ download_fedora() > continue > fi > > + # F21 and newer need fedora-repos in addition to fedora-release. > + if [ "$release" -ge "21" ]; then > + echo "Fetching repos rpm name from $RELEASE_URL..." > + REPOS_RPM=$(curl -L -f "$RELEASE_URL" | sed -e "/fedora-repos-${release}-/!d" -e 's/.*.*//' ) > + if [ $? -ne 0 -o "${REPOS_RPM}" = "" ]; then > + echo "Failed to identify fedora repos rpm." > + continue > + fi > + > + echo "Fetching fedora repos rpm from ${RELEASE_URL}/${REPOS_RPM}..." > + curl -L -f "${RELEASE_URL}/${REPOS_RPM}" > ${INSTALL_ROOT}/${REPOS_RPM} > + if [ $? -ne 0 ]; then > + echo "Failed to download fedora repos rpm ${RELEASE_RPM}." > + continue > + fi > + fi > + > + > DOWNLOAD_OK=yes > break > done > @@ -887,9 +912,18 @@ download_fedora() > fedora_bootstrap_mounts > > ${BOOTSTRAP_CHROOT}rpm --root ${BOOTSTRAP_INSTALL_ROOT} --initdb > + > # The --nodeps is STUPID but F15 had a bogus dependency on RawHide?!?! > ${BOOTSTRAP_CHROOT}rpm --root ${BOOTSTRAP_INSTALL_ROOT} --nodeps -ivh ${BOOTSTRAP_INSTALL_ROOT}/${RELEASE_RPM} > > + # F21 and newer need fedora-repos in addition to fedora-release... > + # Note that fedora-release and fedora-system have a mutual dependency. > + # So installing the reops package after the release package we can > + # spare one --nodeps. > + if [ "$release" -ge "21" ]; then > + ${BOOTSTRAP_CHROOT}rpm --root ${BOOTSTRAP_INSTALL_ROOT} -ivh ${BOOTSTRAP_INSTALL_ROOT}/${REPOS_RPM} > + fi > + > # yum will take $basearch from host, so force the arch we want > sed -i "s|\$basearch|$basearch|" ${BOOTSTRAP_DIR}/${BOOTSTRAP_INSTALL_ROOT}/etc/yum.repos.d/* > > -- > 2.1.0 > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From serge.hallyn at ubuntu.com Mon Jan 5 16:48:55 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Mon, 5 Jan 2015 16:48:55 +0000 Subject: [lxc-devel] [PATCH] fix possible 100% cpu loop by fedora template In-Reply-To: <20150102201950.GD2958@obnox.de> References: <20150102201950.GD2958@obnox.de> Message-ID: <20150105164855.GG3201@ubuntumail> Quoting Michael Adam (obnox at samba.org): > Another patch to the fedora template. > > My f21 containers ran into a 100% cpu loop for systemd-journald. > > Here is the explanation: > https://lists.linuxcontainers.org/pipermail/lxc-users/2014-October/007907.html > > I have made the change to set lxc.kmsg = 0 in the generated > config if the release is using systemd. > > Thanks for consideration, > > Michael > > From df7ca9966936bfcf4aa52a46dd39d594e0709ce1 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Fri, 2 Jan 2015 21:12:21 +0100 > Subject: [PATCH] lxc-fedora: when using systemd, set lxc.kmsg = 0 in the > config > > This is to prevent systemd-journald to enter a 100% cpu loop. > > Signed-off-by: Michael Adam Acked-by: Serge E. Hallyn > --- > templates/lxc-fedora.in | 21 +++++++++++++++------ > 1 file changed, 15 insertions(+), 6 deletions(-) > > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in > index 2123e69..adfaab2 100644 > --- a/templates/lxc-fedora.in > +++ b/templates/lxc-fedora.in > @@ -1117,13 +1117,22 @@ lxc.include = @LXCTEMPLATECONFIG@/fedora.common.conf > " >> $config_path/config > fi > > + if [ "x$have_systemd" = "x1" ]; then > + cat <> $config_path/config > +lxc.autodev = 1 > +lxc.kmsg = 0 > +EOF > + else > + cat <> $config_path/config > +lxc.autodev = 0 > +EOF > + fi > + > # Append things which require expansion here... > cat <> $config_path/config > lxc.arch = $arch > lxc.utsname = $utsname > > -lxc.autodev = $auto_dev > - > # When using LXC with apparmor, uncomment the next line to run unconfined: > #lxc.aa_profile = unconfined > > @@ -1337,12 +1346,12 @@ if [ -z "$release" ]; then > fi > fi > > -# Fedora 15 and above run systemd. We need autodev enabled to keep > +# Fedora 15 and above run systemd.We need autodev enabled to keep > # systemd from causing problems. > +# Also, kmsg must not be mapped to prevent a 100% cpu loop > +# in systemd-journald. > if [ $release -gt 14 ]; then > - auto_dev="1" > -else > - auto_dev="0" > + have_systemd="1" > fi > > if [ "$(id -u)" != "0" ]; then > -- > 2.1.0 > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From obnox at samba.org Mon Jan 5 17:56:03 2015 From: obnox at samba.org (Michael Adam) Date: Mon, 5 Jan 2015 18:56:03 +0100 Subject: [lxc-devel] [PATCH] fix lxc-fedora template for fedora 21 In-Reply-To: <20150105164717.GF3201@ubuntumail> References: <20150102195924.GC2958@obnox.de> <20150105164717.GF3201@ubuntumail> Message-ID: <20150105175603.GG2958@obnox.de> On 2015-01-05 at 16:47 +0000, Serge Hallyn wrote: > Quoting Michael Adam (obnox at samba.org): > > > > Is this the correct way to submit a patch? > > Almost - it's perfect, except for please put the patches inline rather > than as attachments, if possible. Like with git-send-email? I can try to set this up, I only always did it the attachment way for samba and related projects. > > Anyhow, here it is: > > Thanks for the patch. It looks good to me, though I have not tested > and don't have any fedora right now. I'm hoping mwarfield will > see it and comment if there are any problems, but meanwhile acked belw. Thanks! I have already notified mhw on IRC and briefly talked to him. Cheers - Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From serge.hallyn at ubuntu.com Mon Jan 5 20:17:30 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Mon, 5 Jan 2015 20:17:30 +0000 Subject: [lxc-devel] [PATCH] fix lxc-fedora template for fedora 21 In-Reply-To: <20150105175603.GG2958@obnox.de> References: <20150102195924.GC2958@obnox.de> <20150105164717.GF3201@ubuntumail> <20150105175603.GG2958@obnox.de> Message-ID: <20150105201730.GN3201@ubuntumail> Quoting Michael Adam (obnox at samba.org): > On 2015-01-05 at 16:47 +0000, Serge Hallyn wrote: > > Quoting Michael Adam (obnox at samba.org): > > > > > > Is this the correct way to submit a patch? > > > > Almost - it's perfect, except for please put the patches inline rather > > than as attachments, if possible. > > Like with git-send-email? > I can try to set this up, I only always did it the attachment > way for samba and related projects. That works too, but usually I just git format-patch to get the patch in a file, then paste the file in. I.e. with vim i do :r 0001-whatever.patch to insert the patch. > > > Anyhow, here it is: > > > > Thanks for the patch. It looks good to me, though I have not tested > > and don't have any fedora right now. I'm hoping mwarfield will > > see it and comment if there are any problems, but meanwhile acked belw. > > Thanks! I have already notified mhw on IRC and briefly > talked to him. > > Cheers - Michael > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From obnox at samba.org Mon Jan 5 20:29:35 2015 From: obnox at samba.org (Michael Adam) Date: Mon, 5 Jan 2015 21:29:35 +0100 Subject: [lxc-devel] [PATCH] fix lxc-fedora template for fedora 21 In-Reply-To: <20150105201730.GN3201@ubuntumail> References: <20150102195924.GC2958@obnox.de> <20150105164717.GF3201@ubuntumail> <20150105175603.GG2958@obnox.de> <20150105201730.GN3201@ubuntumail> Message-ID: <20150105202935.GI2958@obnox.de> On 2015-01-05 at 20:17 +0000, Serge Hallyn wrote: > Quoting Michael Adam (obnox at samba.org): > > On 2015-01-05 at 16:47 +0000, Serge Hallyn wrote: > > > Quoting Michael Adam (obnox at samba.org): > > > > > > > > Is this the correct way to submit a patch? > > > > > > Almost - it's perfect, except for please put the patches inline rather > > > than as attachments, if possible. > > > > Like with git-send-email? > > I can try to set this up, I only always did it the attachment > > way for samba and related projects. > > That works too, but usually I just git format-patch to get the > patch in a file, then paste the file in. I.e. with vim i do > > :r 0001-whatever.patch > > to insert the patch. Great, that's more convenient for me. Will do so next time. Thanks - Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From stgraber at ubuntu.com Mon Jan 5 21:26:23 2015 From: stgraber at ubuntu.com (=?iso-8859-1?Q?St=E9phane?= Graber) Date: Mon, 5 Jan 2015 16:26:23 -0500 Subject: [lxc-devel] [PATCH] lxc-alpine: use yaml for detection of latest release In-Reply-To: <1420011105-19139-1-git-send-email-ncopa@alpinelinux.org> References: <1420011105-19139-1-git-send-email-ncopa@alpinelinux.org> Message-ID: <20150105212623.GD18786@dakara> On Wed, Dec 31, 2014 at 08:31:45AM +0100, Natanael Copa wrote: > Alpine Linux provides yaml files with latest release instead of the old > approach with .latest.txt. > > Signed-off-by: Natanael Copa Acked-by: Stéphane Graber > --- > Should also go to 1.0.x stable > > templates/lxc-alpine.in | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > diff --git a/templates/lxc-alpine.in b/templates/lxc-alpine.in > index ba27aea..187a032 100644 > --- a/templates/lxc-alpine.in > +++ b/templates/lxc-alpine.in > @@ -28,10 +28,15 @@ get_static_apk () { > > if [ -z "$repository" ]; then > url=http://wiki.alpinelinux.org/cgi-bin/dl.cgi > + yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml" > if [ -z "$release" ]; then > echo -n "Determining the latest release... " > - release=$($wget $url/.latest.$apk_arch.txt | \ > - cut -d " " -f 3 | cut -d / -f 1 | uniq) > + release=$($wget $url/$yaml_path | \ > + awk '$1 == "branch:" {print $2; exit 0}') > + if [ -z "$release" ]; then > + release=$($wget $url/.latest.$apk_arch.txt | \ > + cut -d " " -f 3 | cut -d / -f 1 | uniq) > + fi > if [ -z "$release" ]; then > echo failed > return 1 > -- > 2.2.1 > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From noreply at github.com Mon Jan 5 21:32:33 2015 From: noreply at github.com (GitHub) Date: Mon, 05 Jan 2015 13:32:33 -0800 Subject: [lxc-devel] [lxc/lxc] 5b75ee: lxc-fedora: when using systemd, set lxc.kmsg = 0 i... Message-ID: <54ab02f129d09_488b3f81c720929c829fe@hookshot-fe5-cp1-prd.iad.github.net.mail> Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 5b75ee4747c5f26c52cfb6127b6420f38f4fba88 https://github.com/lxc/lxc/commit/5b75ee4747c5f26c52cfb6127b6420f38f4fba88 Author: Michael Adam Date: 2015-01-05 (Mon, 05 Jan 2015) Changed paths: M templates/lxc-fedora.in Log Message: ----------- lxc-fedora: when using systemd, set lxc.kmsg = 0 in the config This is to prevent systemd-journald to enter a 100% cpu loop. Signed-off-by: Michael Adam Acked-by: Serge E. Hallyn Commit: afc55ed2794ce63714bfcee70b1d0d42d3e8ee05 https://github.com/lxc/lxc/commit/afc55ed2794ce63714bfcee70b1d0d42d3e8ee05 Author: Michael Adam Date: 2015-01-05 (Mon, 05 Jan 2015) Changed paths: M templates/lxc-fedora.in Log Message: ----------- lxc-fedora: In fedora21, the fedora-repos package is needed. fedora-release has been split into fedora-release and fedora-repos. Signed-off-by: Michael Adam Acked-by: Serge E. Hallyn Commit: abf117c398c957b213feebe3fa6dea3107c3a452 https://github.com/lxc/lxc/commit/abf117c398c957b213feebe3fa6dea3107c3a452 Author: Natanael Copa Date: 2015-01-05 (Mon, 05 Jan 2015) Changed paths: M templates/lxc-alpine.in Log Message: ----------- lxc-alpine: use yaml for detection of latest release Alpine Linux provides yaml files with latest release instead of the old approach with .latest.txt. Signed-off-by: Natanael Copa Acked-by: Stéphane Graber Commit: 98b745498bf97637f68311f944903777f3ee1e67 https://github.com/lxc/lxc/commit/98b745498bf97637f68311f944903777f3ee1e67 Author: Stéphane Graber Date: 2015-01-05 (Mon, 05 Jan 2015) Changed paths: M config/apparmor/abstractions/container-base M config/apparmor/abstractions/container-base.in Log Message: ----------- apparmor: Block access to /proc/kcore Just like we block access to mem and kmem, there's no good reason for the container to have access to kcore. Reported-by: Marc Schaefer Signed-off-by: Stéphane Graber Acked-by: Serge E. Hallyn Commit: 97a8f74f0c80ef71305e86fcef4273afd92b377c https://github.com/lxc/lxc/commit/97a8f74f0c80ef71305e86fcef4273afd92b377c Author: Stéphane Graber Date: 2015-01-05 (Mon, 05 Jan 2015) Changed paths: M src/lxc/conf.c Log Message: ----------- Also drop caps in unpriv containers Signed-off-by: Stéphane Graber Acked-by: Serge E. Hallyn Compare: https://github.com/lxc/lxc/compare/d3eccbbf805c...97a8f74f0c80 From G.Jaekel at DNB.DE Thu Jan 8 06:41:14 2015 From: G.Jaekel at DNB.DE (=?UTF-8?B?R3VpZG8gSsOka2Vs?=) Date: Thu, 08 Jan 2015 07:41:14 +0100 Subject: [lxc-devel] Bump: Failure with authorisation of update-manager in Ubuntu Desktop-Container In-Reply-To: References: Message-ID: <54AE268A.8000403@DNB.DE> Hi Dev's, may anyone please help me to solve this issue? Guido On 04.01.2015 20:01, Guido Jäkel wrote on [lxc-user]: >My goal here is to set up a Ubuntu Desktop Container ... >[...] >After a a few tweaks, this already runs very well... >[...]> But now I stuck at an issue concerning the GUI versions of software management: The apt commandline tools work, but the GUI program update-manager shows the error message "You are not allowed to perform this action" and fail to work. However, if i start it with 'gksudo update-manager', there is no such message. > > In the same way, the software-manager or other GUI methods to install/remove software is not working. May anybody please have a hint what might be missing in the container setup or have to be tweaked inside? From obnox at samba.org Thu Jan 8 10:05:16 2015 From: obnox at samba.org (Michael Adam) Date: Thu, 8 Jan 2015 11:05:16 +0100 Subject: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some template script fixes Message-ID: <20150108100516.GK2958@obnox.de> Hi, below find the output of "git format-patch --stdout " of a series of trivial patches to fix some minor issues in the template scripts. The final patch adds a new parameter to the fedora template: "--mask-tmp". This is what I actually only wanted to do, but I found some issues in the parsing of options and help text, fixed them while at it and was careless enough to check several other templates for similar flaws. The reason for the --mask-tmp is to be able to prevent systemd from over-mounting /tmp with tmpfs in the container. My current use-case is that I want to be able to use vagrant-cachier with vagrant-lxc. Thanks for review / comments / push, ... Cheers - Michael From a243b74f1cf61d3c400a16a7d6d287f15cc7c99a Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 09:32:39 +0100 Subject: [PATCH 01/22] lxc-debian: fix parsing of option "--clean": it takes no argument. Signed-off-by: Michael Adam --- templates/lxc-debian.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index a9a1652..603894f 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -475,7 +475,7 @@ do --) shift 1; break ;; -a|--arch) arch=$2; shift 2;; - -c|--clean) clean=$2; shift 1;; + -c|--clean) clean=1; shift 1;; --mirror) MIRROR=$2; shift 2;; -n|--name) name=$2; shift 2;; --packages) packages=$2; shift 2;; -- 2.1.0 From 9d77c63d5ed19b756b3b0dec7d3d4fa1d9a6a21f Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 09:38:48 +0100 Subject: [PATCH 02/22] lxc-debian: document "--clean" in the usage. Signed-off-by: Michael Adam --- templates/lxc-debian.in | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 603894f..d1e4edd 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -438,6 +438,7 @@ usage() { cat < [-a|--arch] [-c|--clean] [--mirror=] [-r|--release=] [--security-mirror=] +clean: purge the download cache after installation arch: the container architecture (e.g. amd64): defaults to host arch release: the debian release (e.g. wheezy): defaults to current stable mirror: debain mirror to use during installation -- 2.1.0 From fea9ebdef51e1aaae65326accce805c2b8f02bf9 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 09:57:34 +0100 Subject: [PATCH 03/22] lxc-debian: document --path in usage Signed-off-by: Michael Adam --- templates/lxc-debian.in | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index d1e4edd..8fe7d9d 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -439,6 +439,7 @@ usage() cat < [-a|--arch] [-c|--clean] [--mirror=] [-r|--release=] [--security-mirror=] clean: purge the download cache after installation +path: path under which the container will be created arch: the container architecture (e.g. amd64): defaults to host arch release: the debian release (e.g. wheezy): defaults to current stable mirror: debain mirror to use during installation -- 2.1.0 From ad326e531cf2bf8c95ed18721472f40d48ebba2f Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 09:58:09 +0100 Subject: [PATCH 04/22] lxc-debian: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam --- templates/lxc-debian.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 8fe7d9d..4ab61e5 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -574,7 +574,7 @@ configure_debian_systemd $path $rootfs post_process ${rootfs} ${release} ${arch} ${hostarch} ${packages} -if [ ! -z $clean ]; then +if [ ! -z "$clean" ]; then clean || exit 1 exit 0 fi -- 2.1.0 From 4b06f77f7d8bde83f8a3d30e066d87e21a94f089 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:29:23 +0100 Subject: [PATCH 05/22] lxc-ubuntu: document option "--path" in usage text Signed-off-by: Michael Adam --- templates/lxc-ubuntu.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index bbe7f7d..55b54bd 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -673,8 +673,9 @@ usage() $1 -h|--help [-a|--arch] [-b|--bindhome ] [-d|--debug] [-F | --flush-cache] [-r|--release ] [ -S | --auth-key ] [--rootfs ] [--packages ] [-u|--user ] [--password ] - [--mirror ] [--security-mirror ] + [--mirror ] [--security-mirror ] [-p|--path ] release: the ubuntu release (e.g. precise): defaults to host release on ubuntu, otherwise uses latest LTS +path: path under which the container will be created bindhome: bind 's home into the container The ubuntu user will not be created, and will have sudo access. -- 2.1.0 From efcb164003876642b2f55432d80b229848848e4e Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:34:49 +0100 Subject: [PATCH 06/22] lxc-opensuse: fix tab/whitespace mixup in usage text. Signed-off-by: Michael Adam --- templates/lxc-opensuse.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index f727250..89971da 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -403,7 +403,7 @@ do -p|--path) path=$2; shift 2;; --rootfs) rootfs=$2; shift 2;; -n|--name) name=$2; shift 2;; - -r|--release) DISTRO=$2; shift 2;; + -r|--release) DISTRO=$2; shift 2;; -c|--clean) clean=$2; shift 2;; --) shift 1; break ;; *) break ;; -- 2.1.0 From 0f04581821cff394913daa4ff34bbbe41c57710b Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:35:20 +0100 Subject: [PATCH 07/22] lxc-opensuse: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam --- templates/lxc-opensuse.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index 89971da..20ffdbd 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -404,7 +404,7 @@ do --rootfs) rootfs=$2; shift 2;; -n|--name) name=$2; shift 2;; -r|--release) DISTRO=$2; shift 2;; - -c|--clean) clean=$2; shift 2;; + -c|--clean) clean=1; shift 1;; --) shift 1; break ;; *) break ;; esac -- 2.1.0 From 167d90b621fc4340987e8d980e18df8f66afb59e Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:36:06 +0100 Subject: [PATCH 08/22] lxc-opensuse: protect possibly unset variable with quotes in -z check Signed-off-by: Michael Adam --- templates/lxc-opensuse.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index 20ffdbd..bb015c8 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -489,7 +489,7 @@ if [ $? -ne 0 ]; then exit 1 fi -if [ ! -z $clean ]; then +if [ ! -z "$clean" ]; then clean || exit 1 exit 0 fi -- 2.1.0 From 9f7db00ea47e775045aaca2aeccc1779f22d83be Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:40:34 +0100 Subject: [PATCH 09/22] lxc-archlinux: fix paths printed in helptext. Signed-off-by: Michael Adam --- templates/lxc-archlinux.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/templates/lxc-archlinux.in b/templates/lxc-archlinux.in index fc6f714..20d0663 100644 --- a/templates/lxc-archlinux.in +++ b/templates/lxc-archlinux.in @@ -193,8 +193,8 @@ usage: Mandatory args: -n,--name container name, used to as an identifier for that container from now on Optional args: - -p,--path path to where the container rootfs will be created (${default_path}) - --rootfs path for actual container rootfs, (${default_path/rootfs) + -p,--path path to where the container rootfs will be created (${default_path}/) + --rootfs path for actual container rootfs, (${default_path//rootfs) -P,--packages preinstall additional packages, comma-separated list -e,--enable_units enable systemd services, comma-separated list -d,--disable_units disable systemd services, comma-separated list -- 2.1.0 From 6f3dc9d73b24512efc28836a240625759e0af9bc Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:43:12 +0100 Subject: [PATCH 10/22] lxc-altlinux: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam --- templates/lxc-altlinux.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in index 1c5084e..9e78125 100644 --- a/templates/lxc-altlinux.in +++ b/templates/lxc-altlinux.in @@ -398,7 +398,7 @@ do --rootfs) rootfs_path=$2; shift 2;; -n|--name) name=$2; shift 2;; -P|--profile) profile=$2; shift 2;; - -c|--clean) clean=$2; shift 2;; + -c|--clean) clean=1; shift 1;; -R|--release) release=$2; shift 2;; -4|--ipv4) ipv4=$2; shift 2;; -6|--ipv6) ipv6=$2; shift 2;; -- 2.1.0 From 7d58ecd08e7d25da51945caa78d240388efdbbe2 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:43:52 +0100 Subject: [PATCH 11/22] lxc-altlinux: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam --- templates/lxc-altlinux.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in index 9e78125..ac4527b 100644 --- a/templates/lxc-altlinux.in +++ b/templates/lxc-altlinux.in @@ -478,7 +478,7 @@ if [ $? -ne 0 ]; then exit 1 fi -if [ ! -z $clean ]; then +if [ ! -z "$clean" ]; then clean || exit 1 exit 0 fi -- 2.1.0 From 9e49e0ecc308be0f490f04e358ae7948505b1b75 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:48:40 +0100 Subject: [PATCH 12/22] lxc-openmandriva: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam --- templates/lxc-openmandriva.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in index 45e2efa..4656177 100644 --- a/templates/lxc-openmandriva.in +++ b/templates/lxc-openmandriva.in @@ -377,7 +377,7 @@ do --rootfs) rootfs_path=$2; shift 2;; -n|--name) name=$2; shift 2;; -P|--profile) profile=$2; shift 2;; - -c|--clean) clean=$2; shift 2;; + -c|--clean) clean=1; shift 1;; -R|--release) release=$2; shift 2;; -A|--arch) arch=$2; shift 2;; -4|--ipv4) ipv4=$2; shift 2;; -- 2.1.0 From 257cfeaa233c24a33d93785956c2969750416869 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:49:19 +0100 Subject: [PATCH 13/22] lxc-openmandriva: protect possibly unset variable with quotes in -z check Signed-off-by: Michael Adam --- templates/lxc-openmandriva.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in index 4656177..be8023e 100644 --- a/templates/lxc-openmandriva.in +++ b/templates/lxc-openmandriva.in @@ -483,7 +483,7 @@ if [ $? -ne 0 ]; then exit 1 fi -if [ ! -z $clean ]; then +if [ ! -z "$clean" ]; then clean || exit 1 exit 0 fi -- 2.1.0 From baec0433c6d87c2df2b1cd455277d55248882497 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:01:48 +0100 Subject: [PATCH 14/22] lxc-centos: fix documentation of default value for --path. Use macro @LXCPATH@ not only in code but also in corresponding usage text. Signed-off-by: Michael Adam --- templates/lxc-centos.in | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in index ee88178..7a7f36d 100644 --- a/templates/lxc-centos.in +++ b/templates/lxc-centos.in @@ -671,7 +671,8 @@ usage: Mandatory args: -n,--name container name, used to as an identifier for that container from now on Optional args: - -p,--path path to where the container rootfs will be created, defaults to /var/lib/lxc/name. + -p,--path path to where the container rootfs will be created, defaults to @LXCPATH@/. + -c,--clean clean the cache -R,--release Centos release for the new container. if the host is Centos, then it will defaultto the host's release. --fqdn fully qualified domain name (FQDN) for DNS and system naming -- 2.1.0 From 9d0ed6b06ba00ecfbe9fcbdb47e1f0efd58fbdd1 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:03:05 +0100 Subject: [PATCH 15/22] lxc-centos: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam --- templates/lxc-centos.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in index 7a7f36d..8b70aa0 100644 --- a/templates/lxc-centos.in +++ b/templates/lxc-centos.in @@ -698,7 +698,7 @@ do -p|--path) path=$2; shift 2;; --rootfs) rootfs=$2; shift 2;; -n|--name) name=$2; shift 2;; - -c|--clean) clean=$2; shift 2;; + -c|--clean) clean=1; shift 1;; -R|--release) release=$2; shift 2;; --repo) repo="$2"; shift 2;; -a|--arch) newarch=$2; shift 2;; -- 2.1.0 From e4a3bc73b6feb23c8ce1c13092175c350d3826fe Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:03:31 +0100 Subject: [PATCH 16/22] lxc-centos: fix tab/space mixup in help text. Signed-off-by: Michael Adam --- templates/lxc-centos.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in index 8b70aa0..94a2170 100644 --- a/templates/lxc-centos.in +++ b/templates/lxc-centos.in @@ -700,7 +700,7 @@ do -n|--name) name=$2; shift 2;; -c|--clean) clean=1; shift 1;; -R|--release) release=$2; shift 2;; - --repo) repo="$2"; shift 2;; + --repo) repo="$2"; shift 2;; -a|--arch) newarch=$2; shift 2;; --fqdn) utsname=$2; shift 2;; --) shift 1; break ;; -- 2.1.0 From 57f4500f73d16a81eb99599b72e1ef62fb3f4277 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:03:53 +0100 Subject: [PATCH 17/22] lxc-centos: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam --- templates/lxc-centos.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in index 94a2170..72ff143 100644 --- a/templates/lxc-centos.in +++ b/templates/lxc-centos.in @@ -888,7 +888,7 @@ fi configure_centos_init -if [ ! -z $clean ]; then +if [ ! -z "$clean" ]; then clean || exit 1 exit 0 fi -- 2.1.0 From 75642717e9638547b1600b9f525d9273b80920e8 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 09:59:20 +0100 Subject: [PATCH 18/22] lxc-fedora: fix documentation of default value of --path in usage Signed-off-by: Michael Adam --- templates/lxc-fedora.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index adfaab2..5dbf57f 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -1189,7 +1189,7 @@ usage: Mandatory args: -n,--name container name, used to as an identifier for that container from now on Optional args: - -p,--path path to where the container will be created, defaults to @LXCPATH at . The container config will go under @LXCPATH@ in that case + -p,--path path to where the container will be created, defaults to @LXCPATH@/. --rootfs path for actual rootfs. -c,--clean clean the cache -R,--release Fedora release for the new container. if the host is Fedora, then it will default to the host's release. -- 2.1.0 From 30c4cc747533c23a71217e180b104759539e103f Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:00:06 +0100 Subject: [PATCH 19/22] lxc-fedora: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam --- templates/lxc-fedora.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index 5dbf57f..3b9e1e7 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -1215,7 +1215,7 @@ do -p|--path) path=$2; shift 2;; --rootfs) rootfs=$2; shift 2;; -n|--name) name=$2; shift 2;; - -c|--clean) clean=$2; shift 2;; + -c|--clean) clean=1; shift 1;; -R|--release) release=$2; shift 2;; -a|--arch) newarch=$2; shift 2;; --fqdn) utsname=$2; shift 2;; -- 2.1.0 From 16fe5ef14f99a026aef1f663d6b2fc8f47e6c323 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:01:18 +0100 Subject: [PATCH 20/22] lxc-fedora: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam --- templates/lxc-fedora.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index 3b9e1e7..4f35b81 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -1415,7 +1415,7 @@ then configure_fedora_init fi -if [ ! -z $clean ]; then +if [ ! -z "$clean" ]; then clean || exit 1 exit 0 fi -- 2.1.0 From ec8a837f209dfae827bcf2afbd0406ea888a7300 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:22:18 +0100 Subject: [PATCH 21/22] lxc-fedora: break overly long lines in the help text. Signed-off-by: Michael Adam --- templates/lxc-fedora.in | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index 4f35b81..823921b 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -1184,15 +1184,18 @@ usage() cat < - [-p|--path=] [-c|--clean] [-R|--release=] [--fqdn=] [-a|--arch=] + [-p|--path=] [-c|--clean] [-R|--release=] + [--fqdn=] [-a|--arch=] [-h|--help] Mandatory args: -n,--name container name, used to as an identifier for that container from now on Optional args: - -p,--path path to where the container will be created, defaults to @LXCPATH@/. + -p,--path path to where the container will be created, + defaults to @LXCPATH@/. --rootfs path for actual rootfs. -c,--clean clean the cache - -R,--release Fedora release for the new container. if the host is Fedora, then it will default to the host's release. + -R,--release Fedora release for the new container. + Defaults to host's release if the host is Fedora. --fqdn fully qualified domain name (FQDN) for DNS and system naming -a,--arch Define what arch the container will be [i686,x86_64] -h,--help print this help -- 2.1.0 From 66ce44a145745f4ea439f0a1b3c9809d680f1a9d Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:25:24 +0100 Subject: [PATCH 22/22] lxc-fedora: add a new option --mask-tmp This will configure the container to prevent the standard behaviour of over-mounting /tmp with tmpfs, which can be undesirable in some cases. My personal use case is vagrant-lxc in combination with vagrant-cachier. Signed-off-by: Michael Adam --- templates/lxc-fedora.in | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index 823921b..f4067e8 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -372,6 +372,12 @@ configure_fedora_systemd() chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target # Make systemd honor SIGPWR chroot ${rootfs_path} ln -s /usr/lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target + + # if desired, prevent systemd from over-mounting /tmp with tmpfs + if [ $masktmp -eq 1 ]; then + chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/tmp.mount + fi + #dependency on a device unit fails it specially that we disabled udev # sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service # @@ -1186,6 +1192,7 @@ usage: $1 -n|--name= [-p|--path=] [-c|--clean] [-R|--release=] [--fqdn=] [-a|--arch=] + [--mask-tmp] [-h|--help] Mandatory args: -n,--name container name, used to as an identifier for that container from now on @@ -1198,18 +1205,21 @@ Optional args: Defaults to host's release if the host is Fedora. --fqdn fully qualified domain name (FQDN) for DNS and system naming -a,--arch Define what arch the container will be [i686,x86_64] + --mask-tmp Prevent systemd from over-mounting /tmp with tmpfs. -h,--help print this help EOF return 0 } -options=$(getopt -o a:hp:n:cR: -l help,path:,rootfs:,name:,clean,release:,arch:,fqdn: -- "$@") +options=$(getopt -o a:hp:n:cR: -l help,path:,rootfs:,name:,clean,release:,arch:,fqdn:,mask-tmp -- "$@") if [ $? -ne 0 ]; then usage $(basename $0) exit 1 fi arch=$(uname -m) +masktmp=0 + eval set -- "$options" while true do @@ -1222,6 +1232,7 @@ do -R|--release) release=$2; shift 2;; -a|--arch) newarch=$2; shift 2;; --fqdn) utsname=$2; shift 2;; + --mask-tmp) masktmp=1; shift 1;; --) shift 1; break ;; *) break ;; esac -- 2.1.0 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From obnox at samba.org Thu Jan 8 10:16:52 2015 From: obnox at samba.org (Michael Adam) Date: Thu, 8 Jan 2015 11:16:52 +0100 Subject: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some template script fixes In-Reply-To: <20150108100516.GK2958@obnox.de> References: <20150108100516.GK2958@obnox.de> Message-ID: <20150108101652.GL2958@obnox.de> For those who prefer it, the patches can also be fetched via git from branch master of https://github.com/obnoxxx/lxc.git Cheers - Michael On 2015-01-08 at 11:05 +0100, Michael Adam wrote: > > Hi, > > below find the output of "git format-patch --stdout " > of a series of trivial patches to fix some minor issues > in the template scripts. > > The final patch adds a new parameter to the fedora > template: "--mask-tmp". This is what I actually only > wanted to do, but I found some issues in the parsing of > options and help text, fixed them while at it and > was careless enough to check several other templates > for similar flaws. > > The reason for the --mask-tmp is to be able to prevent > systemd from over-mounting /tmp with tmpfs in the container. > My current use-case is that I want to be able to use > vagrant-cachier with vagrant-lxc. > > Thanks for review / comments / push, ... > > Cheers - Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From noreply at github.com Thu Jan 8 16:58:00 2015 From: noreply at github.com (GitHub) Date: Thu, 08 Jan 2015 08:58:00 -0800 Subject: [lxc-devel] [lxc/lxc] 64b4c7: apparmor: Fix slave bind mounts Message-ID: <54aeb718a1734_55283f87a4d5729c8302a@hookshot-fe4-cp1-prd.iad.github.net.mail> Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 64b4c7a34b5c0407f3bcddc83f7c061dadb583bb https://github.com/lxc/lxc/commit/64b4c7a34b5c0407f3bcddc83f7c061dadb583bb Author: Martin Pitt Date: 2015-01-08 (Thu, 08 Jan 2015) Changed paths: M config/apparmor/abstractions/start-container Log Message: ----------- apparmor: Fix slave bind mounts The permission to make a mount "slave" is spelt "make-slave", not "slave", see https://launchpad.net/bugs/1401619. Also, we need to make all mounts slave, not just the root dir. https://launchpad.net/bugs/1350947 Commit: bb2afd6038b6271bddf46b0f197a42ba7a3d10f3 https://github.com/lxc/lxc/commit/bb2afd6038b6271bddf46b0f197a42ba7a3d10f3 Author: hallyn Date: 2015-01-08 (Thu, 08 Jan 2015) Changed paths: M config/apparmor/abstractions/start-container Log Message: ----------- Merge pull request #393 from martinpitt/master apparmor: Fix slave bind mounts Compare: https://github.com/lxc/lxc/compare/97a8f74f0c80...bb2afd6038b6 From riyakhanna1983 at gmail.com Fri Jan 9 02:18:03 2015 From: riyakhanna1983 at gmail.com (riya khanna) Date: Thu, 8 Jan 2015 20:18:03 -0600 Subject: [lxc-devel] lxc-start fails Message-ID: Hi, I'm trying to start a container on busy box host. lxc-start --logfile container.log --logpriority info --name L -f lxc.conf -- /init container.log shows the following error: lxc_conf - conf.c:prepare_ramfs_root:1517 - Bad address - Failed to make . rprivate Any idea on what's wrong here? my lxc.conf is as follows. lxc.utsname = container lxc.rootfs = rootfs lxc.mount.entry=none rootfs/proc proc defaults 0 0 lxc.mount.entry=none rootfs/sys sysfs defaults 0 0 lxc.mount.entry=/dev rootfs/dev none bind 0 0 Using lxc version 1.1 mount shows the following rootfs on / type rootfs (rw,size=368960k,nr_inodes=92240) proc on /proc type proc (rw,relatime) sysfs on /sys type sysfs (rw,relatime) none on /sys/fs/cgroup type cgroup (rw,relatime,cpuset,cpu,cpuacct,memory,devices,freezer,blkio,perf_event,debug,clone_children) devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000) Looking at the source, the following function fails: int prepare_ramfs_root(char *root) { ... if (mount(".", NULL, NULL, MS_REC | MS_PRIVATE, NULL)) { SYSERROR("Failed to make . rprivate"); return -1; } ... } From serge.hallyn at ubuntu.com Fri Jan 9 14:12:38 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Fri, 9 Jan 2015 14:12:38 +0000 Subject: [lxc-devel] lxc-start fails In-Reply-To: References: Message-ID: <20150109141238.GB9897@ubuntumail> Quoting riya khanna (riyakhanna1983 at gmail.com): > Hi, > > I'm trying to start a container on busy box host. > > lxc-start --logfile container.log --logpriority info --name L -f > lxc.conf -- /init > > container.log shows the following error: > lxc_conf - conf.c:prepare_ramfs_root:1517 - Bad address - Failed to > make . rprivate Hm. Well that is an odd line. Does it help if you change line 1517 to read if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { ? From serge.hallyn at ubuntu.com Fri Jan 9 16:33:42 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Fri, 9 Jan 2015 16:33:42 +0000 Subject: [lxc-devel] [PATCH 1/1] set close-all-fds by default Message-ID: <20150109163342.GA10183@ubuntumail> When containers request to be daemonized, close-all-fd is set to true. But when we switched ot daemonize-by-default we didn't set close-all-fd by default. Fix that. In order to do that we have to always have a lxc_conf object. As a consequence, after this patch we can drop a bunch of checks for c->lxc_conf existing. We should consider removing those. This patch does not do that. This should close https://github.com/lxc/lxc/issues/354 Signed-off-by: Serge Hallyn --- src/lxc/lxccontainer.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 406cead..878c483 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -457,6 +457,14 @@ static bool lxcapi_load_config(struct lxc_container *c, const char *alt_file) return ret; } +static void do_set_daemonize(struct lxc_container *c, bool state) +{ + c->daemonize = state; + /* daemonize implies close_all_fds so set it */ + if (state) + c->lxc_conf->close_all_fds = 1; +} + static bool lxcapi_want_daemonize(struct lxc_container *c, bool state) { if (!c || !c->lxc_conf) @@ -465,10 +473,7 @@ static bool lxcapi_want_daemonize(struct lxc_container *c, bool state) ERROR("Error getting mem lock"); return false; } - c->daemonize = state; - /* daemonize implies close_all_fds so set it */ - if (state == 1) - c->lxc_conf->close_all_fds = 1; + do_set_daemonize(c, state); container_mem_unlock(c); return true; } @@ -4098,7 +4103,9 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath container_destroy(c); lxcapi_clear_config(c); } - c->daemonize = true; + if (!c->lxc_conf) + c->lxc_conf = lxc_conf_init(); + do_set_daemonize(c, true); c->pidfile = NULL; // assign the member functions -- 2.1.0 From serge.hallyn at ubuntu.com Fri Jan 9 17:04:27 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Fri, 9 Jan 2015 17:04:27 +0000 Subject: [lxc-devel] Questions about lxc.autodev In-Reply-To: <20141126213540.GK10205@dakara> References: <20141126213540.GK10205@dakara> Message-ID: <20150109170427.GB10330@ubuntumail> Quoting Stéphane Graber (stgraber at ubuntu.com): > Hello, > > So I'm looking into how to rework lxc.autodev to apply properly to all > the cases we care about: > - Privileged containers started by root > - Unprivileged containers started by privileged root > - Unprivileged containers started by unprivileged root > - Unprivileged containers started by unprivileged user > > My understanding is that autodev currently creates /dev/.lxc and then > uses one directory per-container+lxc-path-hash under there, creates the > devices nodes and uses that as the container's /dev. > > My question is why the /dev/.lxc directory to begin with, wouldn't Ok, after looking back through the code a bit, One advantage of the current method is that it doesn't need to use a tmpfs per container. If the host uses devtmpfs (which most do) then /dev/.lxc can just be a subdir, otherwise it needs to be the single tmpfs mount. This ensures that systemd will see a separate /dev and be happy. Another advantage of the current method is that the host can see the container's /dev more easily. Though I htink the existence of lxc-device suggests that we're ok. I mainly don't want to do anything that makes it harder for our eventual implementation of forwarding hotplug events into containers (as per the presentation at plumbers) > it make more sense to use LXC_PATH//dev, mount a tiny > tmpfs on that and then use it? This would have the advantage of having I guess one question is whether we think one more mount per container can become a scalability issue. Second question is whether systemd is happier if it sees that /dev is on devtmpfs. > the same path for privileged and unprivileged containers and avoid the > ugly lxcpath hash. > > > I believe the following setup would make a bit more sense and offer a > consistent behaviour: > - If not available or not a tmpfs, create LXC_PATH//dev and > mount a tiny tmpfs on it. Chown the path to the container's root uid/gid > and chmod to something sane. > - For all the nodes we care about, attempt to mknod them in there, on > failure, fallback to touch+bind-mount from real /dev. The improved consistency is appealing. > This would allow for the exact same code to be used for all 4 cases, for > the layout and location of the autodev tree to be entirely guessable > without requiring fancy hashing (making it easier for external tools to > interact with the autodev tree). > > As with the current implementation, the tree wouldn't be flushed on > container reboot but it would on container shutdown. > > > Does the above make sense or am I missing something about the design of > current autodev? > > Cheers > > -- > Stéphane Graber > Ubuntu developer > http://www.ubuntu.com > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From riyakhanna1983 at gmail.com Fri Jan 9 17:07:52 2015 From: riyakhanna1983 at gmail.com (riya khanna) Date: Fri, 9 Jan 2015 11:07:52 -0600 Subject: [lxc-devel] lxc-start fails In-Reply-To: <20150109141238.GB9897@ubuntumail> References: <20150109141238.GB9897@ubuntumail> Message-ID: Yes, that works. Container starts BUT I get the following message: lxc-start: monitor.c: lxc_monitor_open: 213 connect : Connection refused # lxc-start --logfile container.log --logpriority info --name container -f lxc.conf -- /init lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 10 lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 50 lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 100 lxc-start: monitor.c: lxc_monitor_open: 213 connect : Connection refused lxc-start: lxc_start.c: main: 345 The container failed to start. lxc-start: lxc_start.c: main: 347 To get more details, run the container in foreground mode. lxc-start: lxc_start.c: main: 349 Additional information can be obtained by setting the --logfile and --logpriority options. On Fri, Jan 9, 2015 at 8:12 AM, Serge Hallyn wrote: > Quoting riya khanna (riyakhanna1983 at gmail.com): >> Hi, >> >> I'm trying to start a container on busy box host. >> >> lxc-start --logfile container.log --logpriority info --name L -f >> lxc.conf -- /init >> >> container.log shows the following error: >> lxc_conf - conf.c:prepare_ramfs_root:1517 - Bad address - Failed to >> make . rprivate > > Hm. Well that is an odd line. Does it help if you change line 1517 > to read > > if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { > > ? > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From serge.hallyn at ubuntu.com Fri Jan 9 17:08:45 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Fri, 9 Jan 2015 17:08:45 +0000 Subject: [lxc-devel] Questions about lxc.autodev In-Reply-To: <20150109170427.GB10330@ubuntumail> References: <20141126213540.GK10205@dakara> <20150109170427.GB10330@ubuntumail> Message-ID: <20150109170845.GC10330@ubuntumail> Quoting Serge Hallyn (serge.hallyn at ubuntu.com): > Another advantage of the current method is that the host can see > the container's /dev more easily. Though I htink the existence > of lxc-device suggests that we're ok. I mainly don't want to do > anything that makes it harder for our eventual implementation of > forwarding hotplug events into containers (as per the presentation > at plumbers) This wouldn't help with hotplug, but perhaps we should check for $lxcpath/$name/keepdev, and if it exists then copy of bind-mount any devices which exist there into $lxcpath/$name/dev (if autodev!=0) From stgraber at ubuntu.com Fri Jan 9 17:11:56 2015 From: stgraber at ubuntu.com (=?iso-8859-1?Q?St=E9phane?= Graber) Date: Fri, 9 Jan 2015 12:11:56 -0500 Subject: [lxc-devel] Questions about lxc.autodev In-Reply-To: <20150109170427.GB10330@ubuntumail> References: <20141126213540.GK10205@dakara> <20150109170427.GB10330@ubuntumail> Message-ID: <20150109171156.GA15714@dakara> On Fri, Jan 09, 2015 at 05:04:27PM +0000, Serge Hallyn wrote: > Quoting Stéphane Graber (stgraber at ubuntu.com): > > Hello, > > > > So I'm looking into how to rework lxc.autodev to apply properly to all > > the cases we care about: > > - Privileged containers started by root > > - Unprivileged containers started by privileged root > > - Unprivileged containers started by unprivileged root > > - Unprivileged containers started by unprivileged user > > > > My understanding is that autodev currently creates /dev/.lxc and then > > uses one directory per-container+lxc-path-hash under there, creates the > > devices nodes and uses that as the container's /dev. > > > > My question is why the /dev/.lxc directory to begin with, wouldn't > > Ok, after looking back through the code a bit, > > One advantage of the current method is that it doesn't need to use a > tmpfs per container. If the host uses devtmpfs (which most do) > then /dev/.lxc can just be a subdir, otherwise it needs to be the > single tmpfs mount. This ensures that systemd will see a separate > /dev and be happy. > > Another advantage of the current method is that the host can see > the container's /dev more easily. Though I htink the existence > of lxc-device suggests that we're ok. I mainly don't want to do > anything that makes it harder for our eventual implementation of > forwarding hotplug events into containers (as per the presentation > at plumbers) > > > it make more sense to use LXC_PATH//dev, mount a tiny > > tmpfs on that and then use it? This would have the advantage of having > > I guess one question is whether we think one more mount per container > can become a scalability issue. > > Second question is whether systemd is happier if it sees that /dev is > on devtmpfs. I've been using regular tmpfs for a while now with systemd and it's fine with it. I don't believe it treats devtmpfs any differently than tmpfs. > > > the same path for privileged and unprivileged containers and avoid the > > ugly lxcpath hash. > > > > > > I believe the following setup would make a bit more sense and offer a > > consistent behaviour: > > - If not available or not a tmpfs, create LXC_PATH//dev and > > mount a tiny tmpfs on it. Chown the path to the container's root uid/gid > > and chmod to something sane. > > - For all the nodes we care about, attempt to mknod them in there, on > > failure, fallback to touch+bind-mount from real /dev. > > The improved consistency is appealing. > > > This would allow for the exact same code to be used for all 4 cases, for > > the layout and location of the autodev tree to be entirely guessable > > without requiring fancy hashing (making it easier for external tools to > > interact with the autodev tree). > > > > As with the current implementation, the tree wouldn't be flushed on > > container reboot but it would on container shutdown. > > > > > > Does the above make sense or am I missing something about the design of > > current autodev? > > > > Cheers > > > > -- > > Stéphane Graber > > Ubuntu developer > > http://www.ubuntu.com > > > > > _______________________________________________ > > lxc-devel mailing list > > lxc-devel at lists.linuxcontainers.org > > http://lists.linuxcontainers.org/listinfo/lxc-devel > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From serge.hallyn at ubuntu.com Fri Jan 9 17:17:56 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Fri, 9 Jan 2015 17:17:56 +0000 Subject: [lxc-devel] Questions about lxc.autodev In-Reply-To: <20150109171156.GA15714@dakara> References: <20141126213540.GK10205@dakara> <20150109170427.GB10330@ubuntumail> <20150109171156.GA15714@dakara> Message-ID: <20150109171756.GE10330@ubuntumail> Quoting Stéphane Graber (stgraber at ubuntu.com): > On Fri, Jan 09, 2015 at 05:04:27PM +0000, Serge Hallyn wrote: > > Quoting Stéphane Graber (stgraber at ubuntu.com): > > > Hello, > > > > > > So I'm looking into how to rework lxc.autodev to apply properly to all > > > the cases we care about: > > > - Privileged containers started by root > > > - Unprivileged containers started by privileged root > > > - Unprivileged containers started by unprivileged root > > > - Unprivileged containers started by unprivileged user > > > > > > My understanding is that autodev currently creates /dev/.lxc and then > > > uses one directory per-container+lxc-path-hash under there, creates the > > > devices nodes and uses that as the container's /dev. > > > > > > My question is why the /dev/.lxc directory to begin with, wouldn't > > > > Ok, after looking back through the code a bit, > > > > One advantage of the current method is that it doesn't need to use a > > tmpfs per container. If the host uses devtmpfs (which most do) > > then /dev/.lxc can just be a subdir, otherwise it needs to be the > > single tmpfs mount. This ensures that systemd will see a separate > > /dev and be happy. > > > > Another advantage of the current method is that the host can see > > the container's /dev more easily. Though I htink the existence > > of lxc-device suggests that we're ok. I mainly don't want to do > > anything that makes it harder for our eventual implementation of > > forwarding hotplug events into containers (as per the presentation > > at plumbers) > > > > > it make more sense to use LXC_PATH//dev, mount a tiny > > > tmpfs on that and then use it? This would have the advantage of having > > > > I guess one question is whether we think one more mount per container > > can become a scalability issue. > > > > Second question is whether systemd is happier if it sees that /dev is > > on devtmpfs. > > I've been using regular tmpfs for a while now with systemd and it's fine > with it. I don't believe it treats devtmpfs any differently than tmpfs. Cool, thanks for that info. From serge.hallyn at ubuntu.com Fri Jan 9 19:36:14 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Fri, 9 Jan 2015 19:36:14 +0000 Subject: [lxc-devel] [PATCH 1/2] autodev: switch strategies Message-ID: <20150109193614.GF10330@ubuntumail> Do not keep container devs under /dev/.lxc. Instead, always keep them in $lxcpath/$lxcname/rootfs.dev. Mount a small tmpfs there, and bind mount it into $mounted_rootfs/dev . The tmpfs is mounted in the container monitor's namespace. This means that at every reboot it will get re-created. It seems to me this better replicates what happens on a real host. If we want devices persisting across reboots, then perhaps we can implement a $lxcpath/$name/keepdev directory containing devices to bind into the container at each startup. Signed-off-by: Serge Hallyn --- src/lxc/conf.c | 324 +++++++++----------------------------------------------- src/lxc/start.c | 1 - 2 files changed, 51 insertions(+), 274 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 72181dd..822f08d 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -94,10 +94,7 @@ lxc_log_define(lxc_conf, lxc); -#define MAXHWLEN 18 -#define MAXINDEXLEN 20 -#define MAXMTULEN 16 -#define MAXLINELEN 128 +#define LINELEN 4096 #if HAVE_SYS_CAPABILITY_H #ifndef CAP_SETFCAP @@ -295,9 +292,6 @@ static struct caps_opt caps_opt[] = { static struct caps_opt caps_opt[] = {}; #endif -const char *dev_base_path = "/dev/.lxc"; -const char *dev_user_path = "/dev/.lxc/user"; - static int run_buffer(char *buffer) { struct lxc_popen_FILE *f; @@ -1092,247 +1086,89 @@ fail: } /* - * Check to see if a directory has something mounted on it and, - * if it does, return the fstype. - * - * Code largely based on detect_shared_rootfs below - * - * Returns: # of matching entries in /proc/self/mounts - * if != 0 fstype is filled with the last filesystem value. - * if == 0 no matches found, fstype unchanged. - * - * ToDo: Maybe return the mount options in another parameter... + * Just create a path for /dev under $lxcpath/$name and in rootfs + * If we hit an error, log it but don't fail yet. */ - -#define LINELEN 4096 -#define MAX_FSTYPE_LEN 128 -static int mount_check_fs( const char *dir, char *fstype ) +static void create_devdir(const char *path) { - char buf[LINELEN], *p; - struct stat s; - FILE *f; - int found_fs = 0; - char *p2; - - DEBUG("entering mount_check_fs for %s", dir); - - if ( 0 != access(dir, F_OK) || 0 != stat(dir, &s) || 0 == S_ISDIR(s.st_mode) ) { - return 0; - } - - f = fopen("/proc/self/mounts", "r"); - if (!f) - return 0; - while (fgets(buf, LINELEN, f)) { - p = index(buf, ' '); - if( !p ) - continue; - *p = '\0'; - p2 = p + 1; - - p = index(p2, ' '); - if( !p ) - continue; - *p = '\0'; - - /* Compare the directory in the entry to desired */ - if( strcmp( p2, dir ) ) { - continue; - } - - p2 = p + 1; - p = index( p2, ' '); - if( !p ) - continue; - *p = '\0'; - - ++found_fs; - - if( fstype ) { - strncpy( fstype, p2, MAX_FSTYPE_LEN - 1 ); - fstype [ MAX_FSTYPE_LEN - 1 ] = '\0'; - } - } - - fclose(f); - - DEBUG("mount_check_fs returning %d last %s", found_fs, fstype); - - return found_fs; + int ret = mkdir(path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); + if (ret) /* Issue an error but don't fail yet! */ + SYSERROR("Unable to create devpath %s", path); + ret = chmod(path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); + if (ret) + SYSERROR("Failed to chown devpath %s", path); + INFO("Created %s", path); } /* - * Locate a devtmpfs mount (should be on /dev) and create a container - * subdirectory on it which we can then bind mount to the container - * /dev instead of mounting a tmpfs there. + * Create $lxcpath/$name/dev if it does not yet exist. * If we fail, return NULL. * Else return the pointer to the name buffer with the string to * the devtmpfs subdirectory. */ -static char *mk_devtmpfs(const char *name, char *path, const char *lxcpath) +static bool mk_devtmpfs(const char *hostpath, const char *container_path) { - int ret; - struct stat s; - char tmp_path[MAXPATHLEN]; - char fstype[MAX_FSTYPE_LEN]; - uint64_t hash; - - if ( 0 != access(dev_base_path, F_OK) || 0 != stat(dev_base_path, &s) || 0 == S_ISDIR(s.st_mode) ) { - /* This is just making /dev/.lxc it better work or we're done */ - ret = mkdir(dev_base_path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); - if ( ret ) { - SYSERROR( "Unable to create /dev/.lxc for autodev" ); - return NULL; - } - } - - /* - * Programmers notes: - * We can not do mounts in this area of code that we want - * to be visible in the host. Consequently, /dev/.lxc must - * be set up earlier if we need a tmpfs mounted there. - * That only affects the rare cases where autodev is enabled - * for a container and devtmpfs is not mounted on /dev in the - * host. In that case, we'll fall back to the old method - * of mounting a tmpfs in the container and have no visibility - * into the container /dev. - */ - if( ! mount_check_fs( "/dev", fstype ) - || strcmp( "devtmpfs", fstype ) ) { - /* Either /dev was not mounted or was not devtmpfs */ - - if ( ! mount_check_fs( "/dev/.lxc", NULL ) ) { - /* - * /dev/.lxc is not already mounted - * Doing a mount here does no good, since - * it's not visible in the host. - */ - - ERROR("/dev/.lxc is not setup - taking fallback" ); - return NULL; - } - } - - if ( 0 != access(dev_user_path, F_OK) || 0 != stat(dev_user_path, &s) || 0 == S_ISDIR(s.st_mode) ) { - /* - * This is making /dev/.lxc/user path for non-priv users. - * If this doesn't work, we'll have to fall back in the - * case of non-priv users. It's mode 1777 like /tmp. - */ - ret = mkdir(dev_user_path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); - if ( ret ) { - /* Issue an error but don't fail yet! */ - ERROR("Unable to create /dev/.lxc/user"); - } - /* Umask tends to screw us up here */ - chmod(dev_user_path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); - } - - /* - * Since the container name must be unique within a given - * lxcpath, we're going to use a hash of the path - * /lxcpath/name as our hash name in /dev/.lxc/ - */ - - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s", lxcpath, name); - if (ret < 0 || ret >= MAXPATHLEN) - return NULL; - - hash = fnv_64a_buf(tmp_path, ret, FNV1A_64_INIT); - - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_base_path, name, hash); - if (ret < 0 || ret >= MAXPATHLEN) - return NULL; - - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { - ret = mkdir(tmp_path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); - if ( ret ) { - /* Something must have failed with the dev_base_path... - * Maybe unpriv user. Try dev_user_path now... */ - INFO("Setup in /dev/.lxc failed. Trying /dev/.lxc/user." ); - - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_user_path, name, hash); - if (ret < 0 || ret >= MAXPATHLEN) - return NULL; - - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { - ret = mkdir(tmp_path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); - if ( ret ) { - ERROR("Container /dev setup in host /dev failed - taking fallback" ); - return NULL; - } - } - } + if (!dir_exists(hostpath)) + create_devdir(hostpath); + if (!dir_exists(container_path)) + create_devdir(container_path); + if (0 != mount("none", hostpath, "tmpfs", 0, "size=100000,mode=755")) { + SYSERROR("Failed mounting tmpfs onto %s\n", hostpath); + return false; } - - strcpy( path, tmp_path ); - return path; + return true; } -/* - * Do we want to add options for max size of /dev and a file to - * specify which devices to create? - */ static int mount_autodev(const char *name, char *root, const char *lxcpath) { int ret; - struct stat s; - char path[MAXPATHLEN]; - char host_path[MAXPATHLEN]; - char devtmpfs_path[MAXPATHLEN]; + size_t hlen, clen; + char *path, *host_path; INFO("Mounting /dev under %s", root); - ret = snprintf(host_path, MAXPATHLEN, "%s/%s/rootfs.dev", lxcpath, name); - if (ret < 0 || ret > MAXPATHLEN) + /* $(lxcpath) + '/' + $(name) + "/rootfs.dev" + '\0' */ + hlen = strlen(lxcpath) + strlen(name) + 13; + host_path = alloca(hlen); + /* $(root) + "/dev/pts" + '\0' */ + clen = strlen(root) + 9; + path = alloca(clen); + ret = snprintf(host_path, hlen, "%s/%s/rootfs.dev", lxcpath, name); + if (ret < 0 || ret >= hlen) return -1; - ret = snprintf(path, MAXPATHLEN, "%s/dev", root); - if (ret < 0 || ret > MAXPATHLEN) + ret = snprintf(path, clen, "%s/dev", root); + if (ret < 0 || ret >= clen) return -1; - if (mk_devtmpfs( name, devtmpfs_path, lxcpath ) ) { - /* - * Get rid of old links and directoriess - * This could be either a symlink and we remove it, - * or an empty directory and we remove it, - * or non-existent and we don't care, - * or a non-empty directory, and we will then emit an error - * but we will not fail out the process. - */ - unlink( host_path ); - rmdir( host_path ); - ret = symlink(devtmpfs_path, host_path); + /* + * Create $lxcpath/$name/dev and $(mounted_rootfs/dev), and + * mount a small tmpfs onto $lxcpath/$name/dev. + */ + if (!mk_devtmpfs(host_path, path)) + return -1; - if ( ret < 0 ) { - SYSERROR("WARNING: Failed to create symlink '%s'->'%s'", host_path, devtmpfs_path); - } - DEBUG("Bind mounting %s to %s", devtmpfs_path , path ); - ret = mount(devtmpfs_path, path, NULL, MS_BIND, 0 ); - } else { - /* Only mount a tmpfs on here if we don't already a mount */ - if ( ! mount_check_fs( host_path, NULL ) ) { - DEBUG("Mounting tmpfs to %s", host_path ); - ret = mount("none", path, "tmpfs", 0, "size=100000,mode=755"); - } else { - /* This allows someone to manually set up a mount */ - DEBUG("Bind mounting %s to %s", host_path, path ); - ret = mount(host_path , path, NULL, MS_BIND, 0 ); - } - } + /* + * bind mount the tmpfs from $lxcpath/$name/dev onto + * $(mounted_rootfs)/dev. + */ + ret = mount(host_path, path, 0, MS_BIND, NULL); if (ret) { - SYSERROR("Failed to mount /dev at %s", root); + SYSERROR("Failed to bind /dev into container at %s", root); return -1; } - ret = snprintf(path, MAXPATHLEN, "%s/dev/pts", root); - if (ret < 0 || ret >= MAXPATHLEN) + INFO("Bind-mounted %s -> %s", host_path, path); + + ret = snprintf(path, clen, "%s/dev/pts", root); + if (ret < 0 || ret >= clen) return -1; + /* * If we are running on a devtmpfs mapping, dev/pts may already exist. * If not, then create it and exit if that fails... */ - if ( 0 != access(path, F_OK) || 0 != stat(path, &s) || 0 == S_ISDIR(s.st_mode) ) { + if (!dir_exists(path)) { ret = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); if (ret) { SYSERROR("Failed to create /dev/pts in container"); @@ -1395,64 +1231,6 @@ static int setup_autodev(const char *root) return 0; } -/* - * Locate allocated devtmpfs mount and purge it. - * path lookup mostly taken from mk_devtmpfs - */ -int lxc_delete_autodev(struct lxc_handler *handler) -{ - int ret; - struct stat s; - struct lxc_conf *lxc_conf = handler->conf; - const char *name = handler->name; - const char *lxcpath = handler->lxcpath; - char tmp_path[MAXPATHLEN]; - uint64_t hash; - - if ( lxc_conf->autodev <= 0 ) - return 0; - - /* don't clean on reboot */ - if ( lxc_conf->reboot == 1 ) - return 0; - - /* - * Use the same logic as mk_devtmpfs to compute candidate - * path for cleanup. - */ - - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s", lxcpath, name); - if (ret < 0 || ret >= MAXPATHLEN) - return -1; - - hash = fnv_64a_buf(tmp_path, ret, FNV1A_64_INIT); - - /* Probe /dev/.lxc/. */ - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_base_path, name, hash); - if (ret < 0 || ret >= MAXPATHLEN) - return -1; - - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { - /* Probe /dev/.lxc/user/. */ - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_user_path, name, hash); - if (ret < 0 || ret >= MAXPATHLEN) - return -1; - - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { - WARN("Failed to locate autodev /dev/.lxc and /dev/.lxc/user." ); - return -1; - } - } - - /* Do the cleanup */ - INFO("Cleaning %s", tmp_path ); - if ( 0 != lxc_rmdir_onedev(tmp_path, NULL) ) { - ERROR("Failed to cleanup autodev" ); - } - - return 0; -} - static int setup_rootfs(struct lxc_conf *conf) { const struct lxc_rootfs *rootfs = &conf->rootfs; diff --git a/src/lxc/start.c b/src/lxc/start.c index cd78665..98905a3 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -477,7 +477,6 @@ void lxc_fini(const char *name, struct lxc_handler *handler) lxc_console_delete(&handler->conf->console); lxc_delete_tty(&handler->conf->tty_info); - lxc_delete_autodev(handler); close(handler->conf->maincmd_fd); handler->conf->maincmd_fd = -1; free(handler->name); -- 2.1.0 From serge.hallyn at ubuntu.com Fri Jan 9 19:38:36 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Fri, 9 Jan 2015 19:38:36 +0000 Subject: [lxc-devel] [PATCH 2/2] fill_autodev: bind-mount if mknod fails In-Reply-To: <20150109193614.GF10330@ubuntumail> References: <20150109193614.GF10330@ubuntumail> Message-ID: <20150109193836.GA10641@ubuntumail> First, rename setup_autodev to fill_autodev, since all it does is populate it, not fully set it up. Secondly, if mknod of a device fails, then try bind-mounting it from the host rather than failing immediately. Note that this isn't an urgent patch because the common.userns configuration hook already specifies bind,create=file mount entries for all the devices we would want. Signed-off-by: Serge Hallyn --- src/lxc/conf.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 822f08d..665631b 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1197,7 +1197,7 @@ static const struct lxc_devs lxc_devs[] = { { "console", S_IFCHR | S_IRUSR | S_IWUSR, 5, 1 }, }; -static int setup_autodev(const char *root) +static int fill_autodev(const char *root) { int ret; char path[MAXPATHLEN]; @@ -1221,8 +1221,25 @@ static int setup_autodev(const char *root) return -1; ret = mknod(path, d->mode, makedev(d->maj, d->min)); if (ret && errno != EEXIST) { - SYSERROR("Error creating %s", d->name); - return -1; + char hostpath[MAXPATHLEN]; + FILE *pathfile; + + // Unprivileged containers cannot create devices, so + // bind mount the device from the host + ret = snprintf(hostpath, MAXPATHLEN, "/dev/%s", d->name); + if (ret < 0 || ret >= MAXPATHLEN) + return -1; + pathfile = fopen(path, "wb"); + if (!pathfile) { + SYSERROR("Failed to create device mount target '%s'", path); + return -1; + } + fclose(pathfile); + if (mount(hostpath, path, 0, MS_BIND, NULL) != 0) { + SYSERROR("Failed bind mounting device %s from host into container", + d->name); + return -1; + } } } umask(cmask); @@ -3889,7 +3906,7 @@ int lxc_setup(struct lxc_handler *handler) ERROR("failed to run autodev hooks for container '%s'.", name); return -1; } - if (setup_autodev(lxc_conf->rootfs.mount)) { + if (fill_autodev(lxc_conf->rootfs.mount)) { ERROR("failed to populate /dev in the container"); return -1; } -- 2.1.0 From serge.hallyn at ubuntu.com Fri Jan 9 20:26:26 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Fri, 9 Jan 2015 20:26:26 +0000 Subject: [lxc-devel] [PATCH 1/2] autodev: switch strategies In-Reply-To: <20150109193614.GF10330@ubuntumail> References: <20150109193614.GF10330@ubuntumail> Message-ID: <20150109202626.GB10641@ubuntumail> Quoting Serge Hallyn (serge.hallyn at ubuntu.com): > Do not keep container devs under /dev/.lxc. Instead, always > keep them in $lxcpath/$lxcname/rootfs.dev. Mount a small > tmpfs there, and bind mount it into $mounted_rootfs/dev . > > The tmpfs is mounted in the container monitor's namespace. This > means that at every reboot it will get re-created. It seems to > me this better replicates what happens on a real host. > > If we want devices persisting across reboots, then perhaps we can > implement a $lxcpath/$name/keepdev directory containing devices to > bind into the container at each startup. > > Signed-off-by: Serge Hallyn > --- > src/lxc/conf.c | 324 +++++++++----------------------------------------------- > src/lxc/start.c | 1 - > 2 files changed, 51 insertions(+), 274 deletions(-) > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 72181dd..822f08d 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -94,10 +94,7 @@ > > lxc_log_define(lxc_conf, lxc); > > -#define MAXHWLEN 18 > -#define MAXINDEXLEN 20 > -#define MAXMTULEN 16 > -#define MAXLINELEN 128 > +#define LINELEN 4096 > > #if HAVE_SYS_CAPABILITY_H > #ifndef CAP_SETFCAP > @@ -295,9 +292,6 @@ static struct caps_opt caps_opt[] = { > static struct caps_opt caps_opt[] = {}; > #endif > > -const char *dev_base_path = "/dev/.lxc"; > -const char *dev_user_path = "/dev/.lxc/user"; > - > static int run_buffer(char *buffer) > { > struct lxc_popen_FILE *f; > @@ -1092,247 +1086,89 @@ fail: > } > > /* > - * Check to see if a directory has something mounted on it and, > - * if it does, return the fstype. > - * > - * Code largely based on detect_shared_rootfs below > - * > - * Returns: # of matching entries in /proc/self/mounts > - * if != 0 fstype is filled with the last filesystem value. > - * if == 0 no matches found, fstype unchanged. > - * > - * ToDo: Maybe return the mount options in another parameter... > + * Just create a path for /dev under $lxcpath/$name and in rootfs > + * If we hit an error, log it but don't fail yet. > */ > - > -#define LINELEN 4096 > -#define MAX_FSTYPE_LEN 128 > -static int mount_check_fs( const char *dir, char *fstype ) > +static void create_devdir(const char *path) > { > - char buf[LINELEN], *p; > - struct stat s; > - FILE *f; > - int found_fs = 0; > - char *p2; > - > - DEBUG("entering mount_check_fs for %s", dir); > - > - if ( 0 != access(dir, F_OK) || 0 != stat(dir, &s) || 0 == S_ISDIR(s.st_mode) ) { > - return 0; > - } > - > - f = fopen("/proc/self/mounts", "r"); > - if (!f) > - return 0; > - while (fgets(buf, LINELEN, f)) { > - p = index(buf, ' '); > - if( !p ) > - continue; > - *p = '\0'; > - p2 = p + 1; > - > - p = index(p2, ' '); > - if( !p ) > - continue; > - *p = '\0'; > - > - /* Compare the directory in the entry to desired */ > - if( strcmp( p2, dir ) ) { > - continue; > - } > - > - p2 = p + 1; > - p = index( p2, ' '); > - if( !p ) > - continue; > - *p = '\0'; > - > - ++found_fs; > - > - if( fstype ) { > - strncpy( fstype, p2, MAX_FSTYPE_LEN - 1 ); > - fstype [ MAX_FSTYPE_LEN - 1 ] = '\0'; > - } > - } > - > - fclose(f); > - > - DEBUG("mount_check_fs returning %d last %s", found_fs, fstype); > - > - return found_fs; > + int ret = mkdir(path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); > + if (ret) /* Issue an error but don't fail yet! */ > + SYSERROR("Unable to create devpath %s", path); > + ret = chmod(path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); > + if (ret) > + SYSERROR("Failed to chown devpath %s", path); > + INFO("Created %s", path); > } > > /* > - * Locate a devtmpfs mount (should be on /dev) and create a container > - * subdirectory on it which we can then bind mount to the container > - * /dev instead of mounting a tmpfs there. > + * Create $lxcpath/$name/dev if it does not yet exist. > * If we fail, return NULL. > * Else return the pointer to the name buffer with the string to > * the devtmpfs subdirectory. > */ > > -static char *mk_devtmpfs(const char *name, char *path, const char *lxcpath) > +static bool mk_devtmpfs(const char *hostpath, const char *container_path) > { > - int ret; > - struct stat s; > - char tmp_path[MAXPATHLEN]; > - char fstype[MAX_FSTYPE_LEN]; > - uint64_t hash; > - > - if ( 0 != access(dev_base_path, F_OK) || 0 != stat(dev_base_path, &s) || 0 == S_ISDIR(s.st_mode) ) { > - /* This is just making /dev/.lxc it better work or we're done */ > - ret = mkdir(dev_base_path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); > - if ( ret ) { > - SYSERROR( "Unable to create /dev/.lxc for autodev" ); > - return NULL; > - } > - } > - > - /* > - * Programmers notes: > - * We can not do mounts in this area of code that we want > - * to be visible in the host. Consequently, /dev/.lxc must > - * be set up earlier if we need a tmpfs mounted there. > - * That only affects the rare cases where autodev is enabled > - * for a container and devtmpfs is not mounted on /dev in the > - * host. In that case, we'll fall back to the old method > - * of mounting a tmpfs in the container and have no visibility > - * into the container /dev. > - */ > - if( ! mount_check_fs( "/dev", fstype ) > - || strcmp( "devtmpfs", fstype ) ) { > - /* Either /dev was not mounted or was not devtmpfs */ > - > - if ( ! mount_check_fs( "/dev/.lxc", NULL ) ) { > - /* > - * /dev/.lxc is not already mounted > - * Doing a mount here does no good, since > - * it's not visible in the host. > - */ > - > - ERROR("/dev/.lxc is not setup - taking fallback" ); > - return NULL; > - } > - } > - > - if ( 0 != access(dev_user_path, F_OK) || 0 != stat(dev_user_path, &s) || 0 == S_ISDIR(s.st_mode) ) { > - /* > - * This is making /dev/.lxc/user path for non-priv users. > - * If this doesn't work, we'll have to fall back in the > - * case of non-priv users. It's mode 1777 like /tmp. > - */ > - ret = mkdir(dev_user_path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); > - if ( ret ) { > - /* Issue an error but don't fail yet! */ > - ERROR("Unable to create /dev/.lxc/user"); > - } > - /* Umask tends to screw us up here */ > - chmod(dev_user_path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); > - } > - > - /* > - * Since the container name must be unique within a given > - * lxcpath, we're going to use a hash of the path > - * /lxcpath/name as our hash name in /dev/.lxc/ > - */ > - > - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s", lxcpath, name); > - if (ret < 0 || ret >= MAXPATHLEN) > - return NULL; > - > - hash = fnv_64a_buf(tmp_path, ret, FNV1A_64_INIT); > - > - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_base_path, name, hash); > - if (ret < 0 || ret >= MAXPATHLEN) > - return NULL; > - > - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { > - ret = mkdir(tmp_path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); > - if ( ret ) { > - /* Something must have failed with the dev_base_path... > - * Maybe unpriv user. Try dev_user_path now... */ > - INFO("Setup in /dev/.lxc failed. Trying /dev/.lxc/user." ); > - > - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_user_path, name, hash); > - if (ret < 0 || ret >= MAXPATHLEN) > - return NULL; > - > - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { > - ret = mkdir(tmp_path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); > - if ( ret ) { > - ERROR("Container /dev setup in host /dev failed - taking fallback" ); > - return NULL; > - } > - } > - } > + if (!dir_exists(hostpath)) > + create_devdir(hostpath); > + if (!dir_exists(container_path)) > + create_devdir(container_path); > + if (0 != mount("none", hostpath, "tmpfs", 0, "size=100000,mode=755")) { > + SYSERROR("Failed mounting tmpfs onto %s\n", hostpath); > + return false; > } Ok, actually I'm being a bit silly here. The $lxcpath/$name/rootfs.dev directory is not needed. We can just mount a tmpfs straight onto $(mounted_rootfs)/dev. We do still need to do it here (earlier than fill_autodev) because we want it mounted before other lxc.mount.entry's happen, as they can include device nodes. > - > - strcpy( path, tmp_path ); > - return path; > + return true; > } > > -/* > - * Do we want to add options for max size of /dev and a file to > - * specify which devices to create? > - */ > static int mount_autodev(const char *name, char *root, const char *lxcpath) > { > int ret; > - struct stat s; > - char path[MAXPATHLEN]; > - char host_path[MAXPATHLEN]; > - char devtmpfs_path[MAXPATHLEN]; > + size_t hlen, clen; > + char *path, *host_path; > > INFO("Mounting /dev under %s", root); > > - ret = snprintf(host_path, MAXPATHLEN, "%s/%s/rootfs.dev", lxcpath, name); > - if (ret < 0 || ret > MAXPATHLEN) > + /* $(lxcpath) + '/' + $(name) + "/rootfs.dev" + '\0' */ > + hlen = strlen(lxcpath) + strlen(name) + 13; > + host_path = alloca(hlen); > + /* $(root) + "/dev/pts" + '\0' */ > + clen = strlen(root) + 9; > + path = alloca(clen); > + ret = snprintf(host_path, hlen, "%s/%s/rootfs.dev", lxcpath, name); > + if (ret < 0 || ret >= hlen) > return -1; > > - ret = snprintf(path, MAXPATHLEN, "%s/dev", root); > - if (ret < 0 || ret > MAXPATHLEN) > + ret = snprintf(path, clen, "%s/dev", root); > + if (ret < 0 || ret >= clen) > return -1; > > - if (mk_devtmpfs( name, devtmpfs_path, lxcpath ) ) { > - /* > - * Get rid of old links and directoriess > - * This could be either a symlink and we remove it, > - * or an empty directory and we remove it, > - * or non-existent and we don't care, > - * or a non-empty directory, and we will then emit an error > - * but we will not fail out the process. > - */ > - unlink( host_path ); > - rmdir( host_path ); > - ret = symlink(devtmpfs_path, host_path); > + /* > + * Create $lxcpath/$name/dev and $(mounted_rootfs/dev), and > + * mount a small tmpfs onto $lxcpath/$name/dev. > + */ > + if (!mk_devtmpfs(host_path, path)) > + return -1; > > - if ( ret < 0 ) { > - SYSERROR("WARNING: Failed to create symlink '%s'->'%s'", host_path, devtmpfs_path); > - } > - DEBUG("Bind mounting %s to %s", devtmpfs_path , path ); > - ret = mount(devtmpfs_path, path, NULL, MS_BIND, 0 ); > - } else { > - /* Only mount a tmpfs on here if we don't already a mount */ > - if ( ! mount_check_fs( host_path, NULL ) ) { > - DEBUG("Mounting tmpfs to %s", host_path ); > - ret = mount("none", path, "tmpfs", 0, "size=100000,mode=755"); > - } else { > - /* This allows someone to manually set up a mount */ > - DEBUG("Bind mounting %s to %s", host_path, path ); > - ret = mount(host_path , path, NULL, MS_BIND, 0 ); > - } > - } > + /* > + * bind mount the tmpfs from $lxcpath/$name/dev onto > + * $(mounted_rootfs)/dev. > + */ > + ret = mount(host_path, path, 0, MS_BIND, NULL); > if (ret) { > - SYSERROR("Failed to mount /dev at %s", root); > + SYSERROR("Failed to bind /dev into container at %s", root); > return -1; > } > - ret = snprintf(path, MAXPATHLEN, "%s/dev/pts", root); > - if (ret < 0 || ret >= MAXPATHLEN) > + INFO("Bind-mounted %s -> %s", host_path, path); > + > + ret = snprintf(path, clen, "%s/dev/pts", root); > + if (ret < 0 || ret >= clen) > return -1; > + > /* > * If we are running on a devtmpfs mapping, dev/pts may already exist. > * If not, then create it and exit if that fails... > */ > - if ( 0 != access(path, F_OK) || 0 != stat(path, &s) || 0 == S_ISDIR(s.st_mode) ) { > + if (!dir_exists(path)) { > ret = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); > if (ret) { > SYSERROR("Failed to create /dev/pts in container"); > @@ -1395,64 +1231,6 @@ static int setup_autodev(const char *root) > return 0; > } > > -/* > - * Locate allocated devtmpfs mount and purge it. > - * path lookup mostly taken from mk_devtmpfs > - */ > -int lxc_delete_autodev(struct lxc_handler *handler) > -{ > - int ret; > - struct stat s; > - struct lxc_conf *lxc_conf = handler->conf; > - const char *name = handler->name; > - const char *lxcpath = handler->lxcpath; > - char tmp_path[MAXPATHLEN]; > - uint64_t hash; > - > - if ( lxc_conf->autodev <= 0 ) > - return 0; > - > - /* don't clean on reboot */ > - if ( lxc_conf->reboot == 1 ) > - return 0; > - > - /* > - * Use the same logic as mk_devtmpfs to compute candidate > - * path for cleanup. > - */ > - > - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s", lxcpath, name); > - if (ret < 0 || ret >= MAXPATHLEN) > - return -1; > - > - hash = fnv_64a_buf(tmp_path, ret, FNV1A_64_INIT); > - > - /* Probe /dev/.lxc/. */ > - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_base_path, name, hash); > - if (ret < 0 || ret >= MAXPATHLEN) > - return -1; > - > - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { > - /* Probe /dev/.lxc/user/. */ > - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_user_path, name, hash); > - if (ret < 0 || ret >= MAXPATHLEN) > - return -1; > - > - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { > - WARN("Failed to locate autodev /dev/.lxc and /dev/.lxc/user." ); > - return -1; > - } > - } > - > - /* Do the cleanup */ > - INFO("Cleaning %s", tmp_path ); > - if ( 0 != lxc_rmdir_onedev(tmp_path, NULL) ) { > - ERROR("Failed to cleanup autodev" ); > - } > - > - return 0; > -} > - > static int setup_rootfs(struct lxc_conf *conf) > { > const struct lxc_rootfs *rootfs = &conf->rootfs; > diff --git a/src/lxc/start.c b/src/lxc/start.c > index cd78665..98905a3 100644 > --- a/src/lxc/start.c > +++ b/src/lxc/start.c > @@ -477,7 +477,6 @@ void lxc_fini(const char *name, struct lxc_handler *handler) > > lxc_console_delete(&handler->conf->console); > lxc_delete_tty(&handler->conf->tty_info); > - lxc_delete_autodev(handler); > close(handler->conf->maincmd_fd); > handler->conf->maincmd_fd = -1; > free(handler->name); > -- > 2.1.0 > From serge.hallyn at ubuntu.com Fri Jan 9 21:38:18 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Fri, 9 Jan 2015 21:38:18 +0000 Subject: [lxc-devel] [PATCH 1/2] autodev: switch strategies (v2) In-Reply-To: <20150109202626.GB10641@ubuntumail> References: <20150109193614.GF10330@ubuntumail> <20150109202626.GB10641@ubuntumail> Message-ID: <20150109213817.GC10641@ubuntumail> Do not keep container devs under /dev/.lxc. Instead, always keep them in a small tmpfs mounted at $(mounted_root)/dev. The tmpfs is mounted in the container monitor's namespace. This means that at every reboot it will get re-created. It seems to me this better replicates what happens on a real host. If we want devices persisting across reboots, then perhaps we can implement a $lxcpath/$name/keepdev directory containing devices to bind into the container at each startup. Changelog (v2): don't bother with the $lxcpath/$name/rootfs.dev directory, just mount the tmpfs straight into the container. Signed-off-by: Serge Hallyn --- src/lxc/conf.c | 318 ++++++-------------------------------------------------- src/lxc/start.c | 1 - 2 files changed, 31 insertions(+), 288 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 72181dd..dad79ab 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -94,10 +94,7 @@ lxc_log_define(lxc_conf, lxc); -#define MAXHWLEN 18 -#define MAXINDEXLEN 20 -#define MAXMTULEN 16 -#define MAXLINELEN 128 +#define LINELEN 4096 #if HAVE_SYS_CAPABILITY_H #ifndef CAP_SETFCAP @@ -295,9 +292,6 @@ static struct caps_opt caps_opt[] = { static struct caps_opt caps_opt[] = {}; #endif -const char *dev_base_path = "/dev/.lxc"; -const char *dev_user_path = "/dev/.lxc/user"; - static int run_buffer(char *buffer) { struct lxc_popen_FILE *f; @@ -1092,247 +1086,55 @@ fail: } /* - * Check to see if a directory has something mounted on it and, - * if it does, return the fstype. - * - * Code largely based on detect_shared_rootfs below - * - * Returns: # of matching entries in /proc/self/mounts - * if != 0 fstype is filled with the last filesystem value. - * if == 0 no matches found, fstype unchanged. - * - * ToDo: Maybe return the mount options in another parameter... + * Just create a path for /dev under $lxcpath/$name and in rootfs + * If we hit an error, log it but don't fail yet. */ - -#define LINELEN 4096 -#define MAX_FSTYPE_LEN 128 -static int mount_check_fs( const char *dir, char *fstype ) +static void create_devdir(const char *path) { - char buf[LINELEN], *p; - struct stat s; - FILE *f; - int found_fs = 0; - char *p2; - - DEBUG("entering mount_check_fs for %s", dir); - - if ( 0 != access(dir, F_OK) || 0 != stat(dir, &s) || 0 == S_ISDIR(s.st_mode) ) { - return 0; - } - - f = fopen("/proc/self/mounts", "r"); - if (!f) - return 0; - while (fgets(buf, LINELEN, f)) { - p = index(buf, ' '); - if( !p ) - continue; - *p = '\0'; - p2 = p + 1; - - p = index(p2, ' '); - if( !p ) - continue; - *p = '\0'; - - /* Compare the directory in the entry to desired */ - if( strcmp( p2, dir ) ) { - continue; - } - - p2 = p + 1; - p = index( p2, ' '); - if( !p ) - continue; - *p = '\0'; - - ++found_fs; - - if( fstype ) { - strncpy( fstype, p2, MAX_FSTYPE_LEN - 1 ); - fstype [ MAX_FSTYPE_LEN - 1 ] = '\0'; - } - } - - fclose(f); - - DEBUG("mount_check_fs returning %d last %s", found_fs, fstype); - - return found_fs; -} - -/* - * Locate a devtmpfs mount (should be on /dev) and create a container - * subdirectory on it which we can then bind mount to the container - * /dev instead of mounting a tmpfs there. - * If we fail, return NULL. - * Else return the pointer to the name buffer with the string to - * the devtmpfs subdirectory. - */ - -static char *mk_devtmpfs(const char *name, char *path, const char *lxcpath) -{ - int ret; - struct stat s; - char tmp_path[MAXPATHLEN]; - char fstype[MAX_FSTYPE_LEN]; - uint64_t hash; - - if ( 0 != access(dev_base_path, F_OK) || 0 != stat(dev_base_path, &s) || 0 == S_ISDIR(s.st_mode) ) { - /* This is just making /dev/.lxc it better work or we're done */ - ret = mkdir(dev_base_path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); - if ( ret ) { - SYSERROR( "Unable to create /dev/.lxc for autodev" ); - return NULL; - } - } - - /* - * Programmers notes: - * We can not do mounts in this area of code that we want - * to be visible in the host. Consequently, /dev/.lxc must - * be set up earlier if we need a tmpfs mounted there. - * That only affects the rare cases where autodev is enabled - * for a container and devtmpfs is not mounted on /dev in the - * host. In that case, we'll fall back to the old method - * of mounting a tmpfs in the container and have no visibility - * into the container /dev. - */ - if( ! mount_check_fs( "/dev", fstype ) - || strcmp( "devtmpfs", fstype ) ) { - /* Either /dev was not mounted or was not devtmpfs */ - - if ( ! mount_check_fs( "/dev/.lxc", NULL ) ) { - /* - * /dev/.lxc is not already mounted - * Doing a mount here does no good, since - * it's not visible in the host. - */ - - ERROR("/dev/.lxc is not setup - taking fallback" ); - return NULL; - } - } - - if ( 0 != access(dev_user_path, F_OK) || 0 != stat(dev_user_path, &s) || 0 == S_ISDIR(s.st_mode) ) { - /* - * This is making /dev/.lxc/user path for non-priv users. - * If this doesn't work, we'll have to fall back in the - * case of non-priv users. It's mode 1777 like /tmp. - */ - ret = mkdir(dev_user_path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); - if ( ret ) { - /* Issue an error but don't fail yet! */ - ERROR("Unable to create /dev/.lxc/user"); - } - /* Umask tends to screw us up here */ - chmod(dev_user_path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); - } - - /* - * Since the container name must be unique within a given - * lxcpath, we're going to use a hash of the path - * /lxcpath/name as our hash name in /dev/.lxc/ - */ - - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s", lxcpath, name); - if (ret < 0 || ret >= MAXPATHLEN) - return NULL; - - hash = fnv_64a_buf(tmp_path, ret, FNV1A_64_INIT); - - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_base_path, name, hash); - if (ret < 0 || ret >= MAXPATHLEN) - return NULL; - - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { - ret = mkdir(tmp_path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); - if ( ret ) { - /* Something must have failed with the dev_base_path... - * Maybe unpriv user. Try dev_user_path now... */ - INFO("Setup in /dev/.lxc failed. Trying /dev/.lxc/user." ); - - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_user_path, name, hash); - if (ret < 0 || ret >= MAXPATHLEN) - return NULL; - - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { - ret = mkdir(tmp_path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); - if ( ret ) { - ERROR("Container /dev setup in host /dev failed - taking fallback" ); - return NULL; - } - } - } - } - - strcpy( path, tmp_path ); - return path; + int ret = mkdir(path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); + if (ret) /* Issue an error but don't fail yet! */ + SYSERROR("Unable to create devpath %s", path); + ret = chmod(path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); + if (ret) + SYSERROR("Failed to chown devpath %s", path); + INFO("Created %s", path); } -/* - * Do we want to add options for max size of /dev and a file to - * specify which devices to create? - */ static int mount_autodev(const char *name, char *root, const char *lxcpath) { int ret; - struct stat s; - char path[MAXPATHLEN]; - char host_path[MAXPATHLEN]; - char devtmpfs_path[MAXPATHLEN]; + size_t clen; + char *path; INFO("Mounting /dev under %s", root); - ret = snprintf(host_path, MAXPATHLEN, "%s/%s/rootfs.dev", lxcpath, name); - if (ret < 0 || ret > MAXPATHLEN) - return -1; + /* $(root) + "/dev/pts" + '\0' */ + clen = strlen(root) + 9; + path = alloca(clen); - ret = snprintf(path, MAXPATHLEN, "%s/dev", root); - if (ret < 0 || ret > MAXPATHLEN) + ret = snprintf(path, clen, "%s/dev", root); + if (ret < 0 || ret >= clen) return -1; - if (mk_devtmpfs( name, devtmpfs_path, lxcpath ) ) { - /* - * Get rid of old links and directoriess - * This could be either a symlink and we remove it, - * or an empty directory and we remove it, - * or non-existent and we don't care, - * or a non-empty directory, and we will then emit an error - * but we will not fail out the process. - */ - unlink( host_path ); - rmdir( host_path ); - ret = symlink(devtmpfs_path, host_path); - - if ( ret < 0 ) { - SYSERROR("WARNING: Failed to create symlink '%s'->'%s'", host_path, devtmpfs_path); - } - DEBUG("Bind mounting %s to %s", devtmpfs_path , path ); - ret = mount(devtmpfs_path, path, NULL, MS_BIND, 0 ); - } else { - /* Only mount a tmpfs on here if we don't already a mount */ - if ( ! mount_check_fs( host_path, NULL ) ) { - DEBUG("Mounting tmpfs to %s", host_path ); - ret = mount("none", path, "tmpfs", 0, "size=100000,mode=755"); - } else { - /* This allows someone to manually set up a mount */ - DEBUG("Bind mounting %s to %s", host_path, path ); - ret = mount(host_path , path, NULL, MS_BIND, 0 ); - } + /* Create $(mounted_rootfs/dev), and * mount a small tmpfs onto it */ + if (!dir_exists(path)) + create_devdir(path); + if (0 != mount("none", path, "tmpfs", 0, "size=100000,mode=755")) { + SYSERROR("Failed mounting tmpfs onto %s\n", path); + return false; } - if (ret) { - SYSERROR("Failed to mount /dev at %s", root); - return -1; - } - ret = snprintf(path, MAXPATHLEN, "%s/dev/pts", root); - if (ret < 0 || ret >= MAXPATHLEN) + + INFO("Mounted tmpfs onto %s", path); + + ret = snprintf(path, clen, "%s/dev/pts", root); + if (ret < 0 || ret >= clen) return -1; + /* * If we are running on a devtmpfs mapping, dev/pts may already exist. * If not, then create it and exit if that fails... */ - if ( 0 != access(path, F_OK) || 0 != stat(path, &s) || 0 == S_ISDIR(s.st_mode) ) { + if (!dir_exists(path)) { ret = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); if (ret) { SYSERROR("Failed to create /dev/pts in container"); @@ -1395,64 +1197,6 @@ static int setup_autodev(const char *root) return 0; } -/* - * Locate allocated devtmpfs mount and purge it. - * path lookup mostly taken from mk_devtmpfs - */ -int lxc_delete_autodev(struct lxc_handler *handler) -{ - int ret; - struct stat s; - struct lxc_conf *lxc_conf = handler->conf; - const char *name = handler->name; - const char *lxcpath = handler->lxcpath; - char tmp_path[MAXPATHLEN]; - uint64_t hash; - - if ( lxc_conf->autodev <= 0 ) - return 0; - - /* don't clean on reboot */ - if ( lxc_conf->reboot == 1 ) - return 0; - - /* - * Use the same logic as mk_devtmpfs to compute candidate - * path for cleanup. - */ - - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s", lxcpath, name); - if (ret < 0 || ret >= MAXPATHLEN) - return -1; - - hash = fnv_64a_buf(tmp_path, ret, FNV1A_64_INIT); - - /* Probe /dev/.lxc/. */ - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_base_path, name, hash); - if (ret < 0 || ret >= MAXPATHLEN) - return -1; - - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { - /* Probe /dev/.lxc/user/. */ - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_user_path, name, hash); - if (ret < 0 || ret >= MAXPATHLEN) - return -1; - - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { - WARN("Failed to locate autodev /dev/.lxc and /dev/.lxc/user." ); - return -1; - } - } - - /* Do the cleanup */ - INFO("Cleaning %s", tmp_path ); - if ( 0 != lxc_rmdir_onedev(tmp_path, NULL) ) { - ERROR("Failed to cleanup autodev" ); - } - - return 0; -} - static int setup_rootfs(struct lxc_conf *conf) { const struct lxc_rootfs *rootfs = &conf->rootfs; diff --git a/src/lxc/start.c b/src/lxc/start.c index cd78665..98905a3 100644 --- a/src/lxc/start.c +++ b/src/lxc/start.c @@ -477,7 +477,6 @@ void lxc_fini(const char *name, struct lxc_handler *handler) lxc_console_delete(&handler->conf->console); lxc_delete_tty(&handler->conf->tty_info); - lxc_delete_autodev(handler); close(handler->conf->maincmd_fd); handler->conf->maincmd_fd = -1; free(handler->name); -- 2.1.0 From serge.hallyn at ubuntu.com Fri Jan 9 21:55:39 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Fri, 9 Jan 2015 21:55:39 +0000 Subject: [lxc-devel] lxc-start fails In-Reply-To: References: <20150109141238.GB9897@ubuntumail> Message-ID: <20150109215539.GD10641@ubuntumail> Hm. Below are you logged in as root? Did you start the container as root? Can you show "ps -ef | grep lxc" and "id"? Thanks for verifying the below - I'll post a patch for that soon. -serge Quoting riya khanna (riyakhanna1983 at gmail.com): > Yes, that works. Container starts BUT I get the following message: > lxc-start: monitor.c: lxc_monitor_open: 213 connect : Connection refused > > > # lxc-start --logfile container.log --logpriority info --name > container -f lxc.conf -- /init > > lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 10 > lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 50 > lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 100 > > lxc-start: monitor.c: lxc_monitor_open: 213 connect : Connection refused > lxc-start: lxc_start.c: main: 345 The container failed to start. > lxc-start: lxc_start.c: main: 347 To get more details, run the > container in foreground mode. > lxc-start: lxc_start.c: main: 349 Additional information can be > obtained by setting the --logfile and --logpriority options. > > > On Fri, Jan 9, 2015 at 8:12 AM, Serge Hallyn wrote: > > Quoting riya khanna (riyakhanna1983 at gmail.com): > >> Hi, > >> > >> I'm trying to start a container on busy box host. > >> > >> lxc-start --logfile container.log --logpriority info --name L -f > >> lxc.conf -- /init > >> > >> container.log shows the following error: > >> lxc_conf - conf.c:prepare_ramfs_root:1517 - Bad address - Failed to > >> make . rprivate > > > > Hm. Well that is an odd line. Does it help if you change line 1517 > > to read > > > > if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { > > > > ? > > _______________________________________________ > > lxc-devel mailing list > > lxc-devel at lists.linuxcontainers.org > > http://lists.linuxcontainers.org/listinfo/lxc-devel > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From serge.hallyn at ubuntu.com Fri Jan 9 22:00:28 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Fri, 9 Jan 2015 22:00:28 +0000 Subject: [lxc-devel] [PATCH 1/1] Fix reversed args in mount call Message-ID: <20150109220028.GE10641@ubuntumail> Riya Khanna reported that with a ramfs rootfs the mount to make / rprivate was returning -EFAULT. NULL was being passed as the mount target. Pass "/" instead. Reported-by: riya khanna > Signed-off-by: Serge Hallyn --- src/lxc/conf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 72181dd..9072002 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1513,7 +1513,7 @@ int prepare_ramfs_root(char *root) return -1; } - if (mount(".", NULL, NULL, MS_REC | MS_PRIVATE, NULL)) { + if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { SYSERROR("Failed to make . rprivate"); return -1; } -- 2.1.0 From riyakhanna1983 at gmail.com Sat Jan 10 01:41:29 2015 From: riyakhanna1983 at gmail.com (riya khanna) Date: Fri, 9 Jan 2015 19:41:29 -0600 Subject: [lxc-devel] lxc-start fails In-Reply-To: <20150109215539.GD10641@ubuntumail> References: <20150109141238.GB9897@ubuntumail> <20150109215539.GD10641@ubuntumail> Message-ID: Yes. Logged in as root. # ps -ef | grep lxc 68 0 0:00 lxc-start -n container -f lxc.conf -d -- /init # id uid=0 gid=0 Thanks for the patch. On Fri, Jan 9, 2015 at 3:55 PM, Serge Hallyn wrote: > Hm. Below are you logged in as root? Did you start the container > as root? Can you show "ps -ef | grep lxc" and "id"? > > Thanks for verifying the below - I'll post a patch for that soon. > > -serge > > Quoting riya khanna (riyakhanna1983 at gmail.com): >> Yes, that works. Container starts BUT I get the following message: >> lxc-start: monitor.c: lxc_monitor_open: 213 connect : Connection refused >> >> >> # lxc-start --logfile container.log --logpriority info --name >> container -f lxc.conf -- /init >> >> lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 10 >> lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 50 >> lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 100 >> >> lxc-start: monitor.c: lxc_monitor_open: 213 connect : Connection refused >> lxc-start: lxc_start.c: main: 345 The container failed to start. >> lxc-start: lxc_start.c: main: 347 To get more details, run the >> container in foreground mode. >> lxc-start: lxc_start.c: main: 349 Additional information can be >> obtained by setting the --logfile and --logpriority options. >> >> >> On Fri, Jan 9, 2015 at 8:12 AM, Serge Hallyn wrote: >> > Quoting riya khanna (riyakhanna1983 at gmail.com): >> >> Hi, >> >> >> >> I'm trying to start a container on busy box host. >> >> >> >> lxc-start --logfile container.log --logpriority info --name L -f >> >> lxc.conf -- /init >> >> >> >> container.log shows the following error: >> >> lxc_conf - conf.c:prepare_ramfs_root:1517 - Bad address - Failed to >> >> make . rprivate >> > >> > Hm. Well that is an odd line. Does it help if you change line 1517 >> > to read >> > >> > if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { >> > >> > ? >> > _______________________________________________ >> > lxc-devel mailing list >> > lxc-devel at lists.linuxcontainers.org >> > http://lists.linuxcontainers.org/listinfo/lxc-devel >> _______________________________________________ >> lxc-devel mailing list >> lxc-devel at lists.linuxcontainers.org >> http://lists.linuxcontainers.org/listinfo/lxc-devel > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From riyakhanna1983 at gmail.com Sat Jan 10 01:49:54 2015 From: riyakhanna1983 at gmail.com (riya khanna) Date: Fri, 9 Jan 2015 19:49:54 -0600 Subject: [lxc-devel] Session Leader In-Reply-To: <20150105154839.GC3201@ubuntumail> References: <60E9D0C7-864D-43E4-9D42-E950DED4EFC3@gmail.com> <20150105154839.GC3201@ubuntumail> Message-ID: Why is init not a session leader? I faced an issue with using CRIU because of that. Adding CRIU folks as well. Error (cr-dump.c:1598): A session leader of 74(1) is outside of its pid namespace 68 0 0:00 lxc-start -n container -f lxc.conf -d -- /init 74 0 0:00 /init On Mon, Jan 5, 2015 at 9:48 AM, Serge Hallyn wrote: > lcxapi_start calls setsid but not from the task which will become the > container init. > > Quoting beproject criu (beprojectcriu at gmail.com): >> Dear LXC Developers, >> Does anybody have any idea why lxc-start executable does not make init the >> session leader, whereas lxcapi_start function does call setsid() >> >> On Sat, Jan 3, 2015 at 11:55 AM, Ashish Bijlani >> wrote: >> >> > Could you reply to this email and ask LXC developers to help….if anyone >> > has any idea on this. >> > >> > Ask why lxc-start executable does not make init the session leader, >> > whereas lxcapi_start function does call setsid() >> > >> > On Dec 25, 2014, at 10:19 AM, beproject criu >> > wrote: >> > >> > Dear LXC Developers, >> > >> > Why init of spawned container is not a session leader?. >> > Can i change the session leader of lxc container using hooks,etc? >> > If yes, how do i do it. >> > >> > Thanks. >> > >> > _______________________________________________ >> > lxc-devel mailing list >> > lxc-devel at lists.linuxcontainers.org >> > http://lists.linuxcontainers.org/listinfo/lxc-devel >> > >> > >> > > >> _______________________________________________ >> lxc-devel mailing list >> lxc-devel at lists.linuxcontainers.org >> http://lists.linuxcontainers.org/listinfo/lxc-devel > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From tycho.andersen at canonical.com Sat Jan 10 03:30:33 2015 From: tycho.andersen at canonical.com (Tycho Andersen) Date: Fri, 9 Jan 2015 20:30:33 -0700 Subject: [lxc-devel] Session Leader In-Reply-To: References: <60E9D0C7-864D-43E4-9D42-E950DED4EFC3@gmail.com> <20150105154839.GC3201@ubuntumail> Message-ID: <20150110033033.GA17438@hopstrocity> On Fri, Jan 09, 2015 at 07:49:54PM -0600, riya khanna wrote: > Why is init not a session leader? I faced an issue with using CRIU > because of that. Adding CRIU folks as well. How did you call CRIU to do the dump? Tycho > Error (cr-dump.c:1598): A session leader of 74(1) is outside of its > pid namespace > > 68 0 0:00 lxc-start -n container -f lxc.conf -d -- /init > 74 0 0:00 /init > > > On Mon, Jan 5, 2015 at 9:48 AM, Serge Hallyn wrote: > > lcxapi_start calls setsid but not from the task which will become the > > container init. > > > > Quoting beproject criu (beprojectcriu at gmail.com): > >> Dear LXC Developers, > >> Does anybody have any idea why lxc-start executable does not make init the > >> session leader, whereas lxcapi_start function does call setsid() > >> > >> On Sat, Jan 3, 2015 at 11:55 AM, Ashish Bijlani > >> wrote: > >> > >> > Could you reply to this email and ask LXC developers to help….if anyone > >> > has any idea on this. > >> > > >> > Ask why lxc-start executable does not make init the session leader, > >> > whereas lxcapi_start function does call setsid() > >> > > >> > On Dec 25, 2014, at 10:19 AM, beproject criu > >> > wrote: > >> > > >> > Dear LXC Developers, > >> > > >> > Why init of spawned container is not a session leader?. > >> > Can i change the session leader of lxc container using hooks,etc? > >> > If yes, how do i do it. > >> > > >> > Thanks. > >> > > >> > _______________________________________________ > >> > lxc-devel mailing list > >> > lxc-devel at lists.linuxcontainers.org > >> > http://lists.linuxcontainers.org/listinfo/lxc-devel > >> > > >> > > >> > > > > >> _______________________________________________ > >> lxc-devel mailing list > >> lxc-devel at lists.linuxcontainers.org > >> http://lists.linuxcontainers.org/listinfo/lxc-devel > > > > _______________________________________________ > > lxc-devel mailing list > > lxc-devel at lists.linuxcontainers.org > > http://lists.linuxcontainers.org/listinfo/lxc-devel > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From serge.hallyn at ubuntu.com Sat Jan 10 03:36:47 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Sat, 10 Jan 2015 03:36:47 +0000 Subject: [lxc-devel] lxc-start fails In-Reply-To: References: <20150109141238.GB9897@ubuntumail> <20150109215539.GD10641@ubuntumail> Message-ID: <20150110033647.GI10641@ubuntumail> Heh, I hesitate to say this because it's usually the butt of a joke, but could you try rebooting and then starting the container? Start it with the -l info -o container.log options and show us the resulting container.log file. Quoting riya khanna (riyakhanna1983 at gmail.com): > Yes. Logged in as root. > > # ps -ef | grep lxc > 68 0 0:00 lxc-start -n container -f lxc.conf -d -- /init > > # id > uid=0 gid=0 > > Thanks for the patch. > > On Fri, Jan 9, 2015 at 3:55 PM, Serge Hallyn wrote: > > Hm. Below are you logged in as root? Did you start the container > > as root? Can you show "ps -ef | grep lxc" and "id"? > > > > Thanks for verifying the below - I'll post a patch for that soon. > > > > -serge > > > > Quoting riya khanna (riyakhanna1983 at gmail.com): > >> Yes, that works. Container starts BUT I get the following message: > >> lxc-start: monitor.c: lxc_monitor_open: 213 connect : Connection refused > >> > >> > >> # lxc-start --logfile container.log --logpriority info --name > >> container -f lxc.conf -- /init > >> > >> lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 10 > >> lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 50 > >> lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 100 > >> > >> lxc-start: monitor.c: lxc_monitor_open: 213 connect : Connection refused > >> lxc-start: lxc_start.c: main: 345 The container failed to start. > >> lxc-start: lxc_start.c: main: 347 To get more details, run the > >> container in foreground mode. > >> lxc-start: lxc_start.c: main: 349 Additional information can be > >> obtained by setting the --logfile and --logpriority options. > >> > >> > >> On Fri, Jan 9, 2015 at 8:12 AM, Serge Hallyn wrote: > >> > Quoting riya khanna (riyakhanna1983 at gmail.com): > >> >> Hi, > >> >> > >> >> I'm trying to start a container on busy box host. > >> >> > >> >> lxc-start --logfile container.log --logpriority info --name L -f > >> >> lxc.conf -- /init > >> >> > >> >> container.log shows the following error: > >> >> lxc_conf - conf.c:prepare_ramfs_root:1517 - Bad address - Failed to > >> >> make . rprivate > >> > > >> > Hm. Well that is an odd line. Does it help if you change line 1517 > >> > to read > >> > > >> > if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { > >> > > >> > ? > >> > _______________________________________________ > >> > lxc-devel mailing list > >> > lxc-devel at lists.linuxcontainers.org > >> > http://lists.linuxcontainers.org/listinfo/lxc-devel > >> _______________________________________________ > >> lxc-devel mailing list > >> lxc-devel at lists.linuxcontainers.org > >> http://lists.linuxcontainers.org/listinfo/lxc-devel > > _______________________________________________ > > lxc-devel mailing list > > lxc-devel at lists.linuxcontainers.org > > http://lists.linuxcontainers.org/listinfo/lxc-devel > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From riyakhanna1983 at gmail.com Sat Jan 10 03:50:23 2015 From: riyakhanna1983 at gmail.com (riya khanna) Date: Fri, 9 Jan 2015 21:50:23 -0600 Subject: [lxc-devel] lxc-start fails In-Reply-To: <20150110033647.GI10641@ubuntumail> References: <20150109141238.GB9897@ubuntumail> <20150109215539.GD10641@ubuntumail> <20150110033647.GI10641@ubuntumail> Message-ID: Sorry about that. container.log below: lxc-start 1420861068.870 WARN lxc_log - log.c:lxc_log_init:316 - lxc_log_init called with log already initialized lxc-start 1420861068.879 WARN lxc_cgfs - cgfs.c:lxc_cgroup_get_container_info:1100 - Not attaching to cgroup cpuset unknown to /usr/local/var/lib/lxc container lxc-start 1420861068.889 INFO lxc_start - start.c:lxc_check_inherited:209 - closed inherited fd 4 lxc-start 1420861068.905 INFO lxc_start - start.c:lxc_check_inherited:209 - closed inherited fd 4 lxc-start 1420861068.911 INFO lxc_lsm - lsm/lsm.c:lsm_init:48 - LSM security driver nop lxc-start 1420861068.912 INFO lxc_monitor - monitor.c:lxc_monitor_sock_name:177 - using monitor sock name lxc/69d2cd1be5952f52//usr/local/var/lib/lxc lxc-start 1420861068.913 ERROR lxc_monitor - monitor.c:lxc_monitor_open:208 - connect : backing off 10 lxc-start 1420861068.918 DEBUG lxc_start - start.c:setup_signal_fd:247 - sigchild handler set lxc-start 1420861068.923 DEBUG lxc_console - console.c:lxc_console_peer_default:536 - no console peer lxc-start 1420861068.923 INFO lxc_start - start.c:lxc_init:443 - 'container' is initialized lxc-start 1420861068.926 DEBUG lxc_start - start.c:__lxc_start:1061 - Not dropping cap_sys_boot or watching utmp lxc-start 1420861068.927 INFO lxc_cgroup - cgroup.c:cgroup_init:65 - cgroup driver cgroupfs initing for container lxc-start 1420861068.932 ERROR lxc_monitor - monitor.c:lxc_monitor_open:208 - connect : backing off 50 lxc-start 1420861068.947 DEBUG lxc_cgfs - cgfs.c:do_setup_cgroup_limits:1913 - cgroup 'devices.allow' set to 'a # allow all first' lxc-start 1420861068.947 INFO lxc_cgfs - cgfs.c:do_setup_cgroup_limits:1917 - cgroup has been setup lxc-start 1420861068.959 DEBUG lxc_conf - conf.c:setup_rootfs:1478 - mounted '/home/riya/rootfs' on '/usr/local/lib/lxc/rootfs' lxc-start 1420861068.959 INFO lxc_conf - conf.c:setup_utsname:900 - 'container' hostname has been setup lxc-start 1420861068.960 DEBUG lxc_conf - conf.c:check_autodev:3784 - Set exec command to /init lxc-start 1420861068.964 DEBUG lxc_conf - conf.c:mount_entry:1974 - mounted 'none' on '/usr/local/lib/lxc/rootfs//proc', type 'proc' lxc-start 1420861068.965 DEBUG lxc_conf - conf.c:mount_entry:1974 - mounted 'none' on '/usr/local/lib/lxc/rootfs//sys', type 'sysfs' lxc-start 1420861068.965 DEBUG lxc_conf - conf.c:mount_entry:1924 - remounting /dev on /usr/local/lib/lxc/rootfs//dev to respect bind or remount options lxc-start 1420861068.965 DEBUG lxc_conf - conf.c:mount_entry:1939 - (at remount) flags for /dev was 0, required extra flags are 0 lxc-start 1420861068.965 DEBUG lxc_conf - conf.c:mount_entry:1948 - mountflags already was 4096, skipping remount lxc-start 1420861068.965 DEBUG lxc_conf - conf.c:mount_entry:1974 - mounted '/dev' on '/usr/local/lib/lxc/rootfs//dev', type 'none' lxc-start 1420861068.965 INFO lxc_conf - conf.c:mount_file_entries:2223 - mount points have been setup lxc-start 1420861068.992 ERROR lxc_monitor - monitor.c:lxc_monitor_open:208 - connect : backing off 100 lxc-start 1420861069.103 ERROR lxc_monitor - monitor.c:lxc_monitor_open:213 - connect : Connection refused lxc-start 1420861069.104 ERROR lxc_start_ui - lxc_start.c:main:345 - The container failed to start. lxc-start 1420861069.104 ERROR lxc_start_ui - lxc_start.c:main:347 - To get more details, run the container in foreground mode. lxc-start 1420861069.104 ERROR lxc_start_ui - lxc_start.c:main:349 - Additional information can be obtained by setting the --logfile and --logpriority options. On Fri, Jan 9, 2015 at 9:36 PM, Serge Hallyn wrote: > Heh, I hesitate to say this because it's usually the butt of a joke, > > but could you try rebooting and then starting the container? Start it with > the -l info -o container.log options and show us the resulting container.log > file. > > Quoting riya khanna (riyakhanna1983 at gmail.com): >> Yes. Logged in as root. >> >> # ps -ef | grep lxc >> 68 0 0:00 lxc-start -n container -f lxc.conf -d -- /init >> >> # id >> uid=0 gid=0 >> >> Thanks for the patch. >> >> On Fri, Jan 9, 2015 at 3:55 PM, Serge Hallyn wrote: >> > Hm. Below are you logged in as root? Did you start the container >> > as root? Can you show "ps -ef | grep lxc" and "id"? >> > >> > Thanks for verifying the below - I'll post a patch for that soon. >> > >> > -serge >> > >> > Quoting riya khanna (riyakhanna1983 at gmail.com): >> >> Yes, that works. Container starts BUT I get the following message: >> >> lxc-start: monitor.c: lxc_monitor_open: 213 connect : Connection refused >> >> >> >> >> >> # lxc-start --logfile container.log --logpriority info --name >> >> container -f lxc.conf -- /init >> >> >> >> lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 10 >> >> lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 50 >> >> lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 100 >> >> >> >> lxc-start: monitor.c: lxc_monitor_open: 213 connect : Connection refused >> >> lxc-start: lxc_start.c: main: 345 The container failed to start. >> >> lxc-start: lxc_start.c: main: 347 To get more details, run the >> >> container in foreground mode. >> >> lxc-start: lxc_start.c: main: 349 Additional information can be >> >> obtained by setting the --logfile and --logpriority options. >> >> >> >> >> >> On Fri, Jan 9, 2015 at 8:12 AM, Serge Hallyn wrote: >> >> > Quoting riya khanna (riyakhanna1983 at gmail.com): >> >> >> Hi, >> >> >> >> >> >> I'm trying to start a container on busy box host. >> >> >> >> >> >> lxc-start --logfile container.log --logpriority info --name L -f >> >> >> lxc.conf -- /init >> >> >> >> >> >> container.log shows the following error: >> >> >> lxc_conf - conf.c:prepare_ramfs_root:1517 - Bad address - Failed to >> >> >> make . rprivate >> >> > >> >> > Hm. Well that is an odd line. Does it help if you change line 1517 >> >> > to read >> >> > >> >> > if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { >> >> > >> >> > ? >> >> > _______________________________________________ >> >> > lxc-devel mailing list >> >> > lxc-devel at lists.linuxcontainers.org >> >> > http://lists.linuxcontainers.org/listinfo/lxc-devel >> >> _______________________________________________ >> >> lxc-devel mailing list >> >> lxc-devel at lists.linuxcontainers.org >> >> http://lists.linuxcontainers.org/listinfo/lxc-devel >> > _______________________________________________ >> > lxc-devel mailing list >> > lxc-devel at lists.linuxcontainers.org >> > http://lists.linuxcontainers.org/listinfo/lxc-devel >> _______________________________________________ >> lxc-devel mailing list >> lxc-devel at lists.linuxcontainers.org >> http://lists.linuxcontainers.org/listinfo/lxc-devel > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From riyakhanna1983 at gmail.com Sat Jan 10 03:51:11 2015 From: riyakhanna1983 at gmail.com (riya khanna) Date: Fri, 9 Jan 2015 21:51:11 -0600 Subject: [lxc-devel] Session Leader In-Reply-To: <20150110033033.GA17438@hopstrocity> References: <60E9D0C7-864D-43E4-9D42-E950DED4EFC3@gmail.com> <20150105154839.GC3201@ubuntumail> <20150110033033.GA17438@hopstrocity> Message-ID: criu dump --root /usr/local/lib/lxc/rootfs/root --evasive-devices \ --tcp-established --ext-mount-map /dev:dev --file-locks -n net -n mnt \ -n ipc -n pid -vvv -D data -o dump.log -t 74 I don't have dump.log for that run, but if you want I can rerun and send you dump.log as well. On Fri, Jan 9, 2015 at 9:30 PM, Tycho Andersen wrote: > On Fri, Jan 09, 2015 at 07:49:54PM -0600, riya khanna wrote: >> Why is init not a session leader? I faced an issue with using CRIU >> because of that. Adding CRIU folks as well. > > How did you call CRIU to do the dump? > > Tycho > >> Error (cr-dump.c:1598): A session leader of 74(1) is outside of its >> pid namespace >> >> 68 0 0:00 lxc-start -n container -f lxc.conf -d -- /init >> 74 0 0:00 /init >> >> >> On Mon, Jan 5, 2015 at 9:48 AM, Serge Hallyn wrote: >> > lcxapi_start calls setsid but not from the task which will become the >> > container init. >> > >> > Quoting beproject criu (beprojectcriu at gmail.com): >> >> Dear LXC Developers, >> >> Does anybody have any idea why lxc-start executable does not make init the >> >> session leader, whereas lxcapi_start function does call setsid() >> >> >> >> On Sat, Jan 3, 2015 at 11:55 AM, Ashish Bijlani >> >> wrote: >> >> >> >> > Could you reply to this email and ask LXC developers to help….if anyone >> >> > has any idea on this. >> >> > >> >> > Ask why lxc-start executable does not make init the session leader, >> >> > whereas lxcapi_start function does call setsid() >> >> > >> >> > On Dec 25, 2014, at 10:19 AM, beproject criu >> >> > wrote: >> >> > >> >> > Dear LXC Developers, >> >> > >> >> > Why init of spawned container is not a session leader?. >> >> > Can i change the session leader of lxc container using hooks,etc? >> >> > If yes, how do i do it. >> >> > >> >> > Thanks. >> >> > >> >> > _______________________________________________ >> >> > lxc-devel mailing list >> >> > lxc-devel at lists.linuxcontainers.org >> >> > http://lists.linuxcontainers.org/listinfo/lxc-devel >> >> > >> >> > >> >> > >> > >> >> _______________________________________________ >> >> lxc-devel mailing list >> >> lxc-devel at lists.linuxcontainers.org >> >> http://lists.linuxcontainers.org/listinfo/lxc-devel >> > >> > _______________________________________________ >> > lxc-devel mailing list >> > lxc-devel at lists.linuxcontainers.org >> > http://lists.linuxcontainers.org/listinfo/lxc-devel >> _______________________________________________ >> lxc-devel mailing list >> lxc-devel at lists.linuxcontainers.org >> http://lists.linuxcontainers.org/listinfo/lxc-devel > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From serge.hallyn at ubuntu.com Sat Jan 10 04:05:05 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Sat, 10 Jan 2015 04:05:05 +0000 Subject: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some template script fixes In-Reply-To: <20150108101652.GL2958@obnox.de> References: <20150108100516.GK2958@obnox.de> <20150108101652.GL2958@obnox.de> Message-ID: <20150110040505.GJ10641@ubuntumail> Hi, thanks. the trivial ones look almost all correct to me - the only worry I have is about adding -p to the help output. -p is not meant to be used by users, only by lxc-create in calling the templates. It looks like you only added that to the ubuntu template (so that's the only part of those that I object to). Actually a patch to remove '-p|--path' from the help statement in all other templates would be appreciated. The less controversial one is adding mask-tmp to the fedora template. It looks fine to me, but that should go separately to mwarfield, our fedora template maintainer :) -serge Quoting Michael Adam (obnox at samba.org): > For those who prefer it, the patches can also be > fetched via git from branch master of > https://github.com/obnoxxx/lxc.git > > Cheers - Michael > > On 2015-01-08 at 11:05 +0100, Michael Adam wrote: > > > > Hi, > > > > below find the output of "git format-patch --stdout " > > of a series of trivial patches to fix some minor issues > > in the template scripts. > > > > The final patch adds a new parameter to the fedora > > template: "--mask-tmp". This is what I actually only > > wanted to do, but I found some issues in the parsing of > > options and help text, fixed them while at it and > > was careless enough to check several other templates > > for similar flaws. > > > > The reason for the --mask-tmp is to be able to prevent > > systemd from over-mounting /tmp with tmpfs in the container. > > My current use-case is that I want to be able to use > > vagrant-cachier with vagrant-lxc. > > > > Thanks for review / comments / push, ... > > > > Cheers - Michael > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From serge.hallyn at ubuntu.com Sat Jan 10 04:13:47 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Sat, 10 Jan 2015 04:13:47 +0000 Subject: [lxc-devel] lxc-start fails In-Reply-To: References: <20150109141238.GB9897@ubuntumail> <20150109215539.GD10641@ubuntumail> <20150110033647.GI10641@ubuntumail> Message-ID: <20150110041347.GK10641@ubuntumail> > lxc-start 1420861068.913 ERROR lxc_monitor - > monitor.c:lxc_monitor_open:208 - connect : backing off 10 Please tell us more about your system. Busybox based. What sort of kernel, and what sort of security features built in? What does 'netstat -xp | grep lxc' show? If it lists a process, what does /proc/$pid/status and /proc/$pid/attr/current show for both its pid, and your shell ($$) ? From obnox at samba.org Sat Jan 10 12:08:37 2015 From: obnox at samba.org (Michael Adam) Date: Sat, 10 Jan 2015 13:08:37 +0100 Subject: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some template script fixes In-Reply-To: <20150110040505.GJ10641@ubuntumail> References: <20150108100516.GK2958@obnox.de> <20150108101652.GL2958@obnox.de> <20150110040505.GJ10641@ubuntumail> Message-ID: <20150110120836.GA8528@obnox.de> Hi Serge, Thanks for your comments. On 2015-01-10 at 04:05 +0000, Serge Hallyn wrote: > Hi, > > thanks. > > the trivial ones look almost all correct to me - the only worry I have > is about adding -p to the help output. -p is not meant to be used by > users, only by lxc-create in calling the templates. It looks like you > only added that to the ubuntu template (so that's the only part of those > that I object to). Not quite: Added to ubuntu and debian templates, because it was not documented there, and fixed the printed paths in archlinux, centos and fedora. It also seems that templates for fedora, centos and friends treat the path parameter differently than debian and ubuntu in that they do provide a default. Debian and ubuntu templates don't and fail if --path is not specified. > Actually a patch to remove '-p|--path' from the > help statement in all other templates would be appreciated. Ok, so the reasoning is that the template script should only be called from lxc-create and that lxc-create adds the --path parameter to the call, correct? > The less controversial one is adding mask-tmp to the fedora template. > It looks fine to me, but that should go separately to mwarfield, our > fedora template maintainer :) I had notified mhw of my patches on irc, but apparently he is currently very busy. For a start, following is an update of the uncontroversial fix patches, i.e. the fix patche without the path ones, and without the mask-tmp patch. Cheers - Michael From d7c0574f6deae345ddaa58e9cd3d85018d1a6908 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 09:32:39 +0100 Subject: [PATCH 01/16] lxc-debian: fix parsing of option "--clean": it takes no argument. Signed-off-by: Michael Adam --- templates/lxc-debian.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index a9a1652..603894f 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -475,7 +475,7 @@ do --) shift 1; break ;; -a|--arch) arch=$2; shift 2;; - -c|--clean) clean=$2; shift 1;; + -c|--clean) clean=1; shift 1;; --mirror) MIRROR=$2; shift 2;; -n|--name) name=$2; shift 2;; --packages) packages=$2; shift 2;; -- 2.1.0 From 31347d5bd8f405f42e17d375de85b92c72963a65 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 09:38:48 +0100 Subject: [PATCH 02/16] lxc-debian: document "--clean" in the usage. Signed-off-by: Michael Adam --- templates/lxc-debian.in | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 603894f..d1e4edd 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -438,6 +438,7 @@ usage() { cat < [-a|--arch] [-c|--clean] [--mirror=] [-r|--release=] [--security-mirror=] +clean: purge the download cache after installation arch: the container architecture (e.g. amd64): defaults to host arch release: the debian release (e.g. wheezy): defaults to current stable mirror: debain mirror to use during installation -- 2.1.0 From 48f3faa90ee6e599281ca7e09fa6386961db9067 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 09:58:09 +0100 Subject: [PATCH 03/16] lxc-debian: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam --- templates/lxc-debian.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index d1e4edd..65093f3 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -573,7 +573,7 @@ configure_debian_systemd $path $rootfs post_process ${rootfs} ${release} ${arch} ${hostarch} ${packages} -if [ ! -z $clean ]; then +if [ ! -z "$clean" ]; then clean || exit 1 exit 0 fi -- 2.1.0 From 4be2378d34aa89b39a04d3379d340212499e0075 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:34:49 +0100 Subject: [PATCH 04/16] lxc-opensuse: fix tab/whitespace mixup in usage text. Signed-off-by: Michael Adam --- templates/lxc-opensuse.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index f727250..89971da 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -403,7 +403,7 @@ do -p|--path) path=$2; shift 2;; --rootfs) rootfs=$2; shift 2;; -n|--name) name=$2; shift 2;; - -r|--release) DISTRO=$2; shift 2;; + -r|--release) DISTRO=$2; shift 2;; -c|--clean) clean=$2; shift 2;; --) shift 1; break ;; *) break ;; -- 2.1.0 From 9523398ff4a28b3c819c8cd26108807ce64c9330 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:35:20 +0100 Subject: [PATCH 05/16] lxc-opensuse: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam --- templates/lxc-opensuse.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index 89971da..20ffdbd 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -404,7 +404,7 @@ do --rootfs) rootfs=$2; shift 2;; -n|--name) name=$2; shift 2;; -r|--release) DISTRO=$2; shift 2;; - -c|--clean) clean=$2; shift 2;; + -c|--clean) clean=1; shift 1;; --) shift 1; break ;; *) break ;; esac -- 2.1.0 From 1c847d4c71c79a6bcade46f9743fdb9006fe79bc Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:36:06 +0100 Subject: [PATCH 06/16] lxc-opensuse: protect possibly unset variable with quotes in -z check Signed-off-by: Michael Adam --- templates/lxc-opensuse.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index 20ffdbd..bb015c8 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -489,7 +489,7 @@ if [ $? -ne 0 ]; then exit 1 fi -if [ ! -z $clean ]; then +if [ ! -z "$clean" ]; then clean || exit 1 exit 0 fi -- 2.1.0 From e91db6d594ff522a8915477797138daa26d201a9 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:43:12 +0100 Subject: [PATCH 07/16] lxc-altlinux: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam --- templates/lxc-altlinux.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in index 1c5084e..9e78125 100644 --- a/templates/lxc-altlinux.in +++ b/templates/lxc-altlinux.in @@ -398,7 +398,7 @@ do --rootfs) rootfs_path=$2; shift 2;; -n|--name) name=$2; shift 2;; -P|--profile) profile=$2; shift 2;; - -c|--clean) clean=$2; shift 2;; + -c|--clean) clean=1; shift 1;; -R|--release) release=$2; shift 2;; -4|--ipv4) ipv4=$2; shift 2;; -6|--ipv6) ipv6=$2; shift 2;; -- 2.1.0 From 932ec3418d5b3a2c8f8713fd6f86946671e74598 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:43:52 +0100 Subject: [PATCH 08/16] lxc-altlinux: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam --- templates/lxc-altlinux.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in index 9e78125..ac4527b 100644 --- a/templates/lxc-altlinux.in +++ b/templates/lxc-altlinux.in @@ -478,7 +478,7 @@ if [ $? -ne 0 ]; then exit 1 fi -if [ ! -z $clean ]; then +if [ ! -z "$clean" ]; then clean || exit 1 exit 0 fi -- 2.1.0 From ff67ced9bfb6965f8372138fa9f0ffe300d2fbc3 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:48:40 +0100 Subject: [PATCH 09/16] lxc-openmandriva: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam --- templates/lxc-openmandriva.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in index 45e2efa..4656177 100644 --- a/templates/lxc-openmandriva.in +++ b/templates/lxc-openmandriva.in @@ -377,7 +377,7 @@ do --rootfs) rootfs_path=$2; shift 2;; -n|--name) name=$2; shift 2;; -P|--profile) profile=$2; shift 2;; - -c|--clean) clean=$2; shift 2;; + -c|--clean) clean=1; shift 1;; -R|--release) release=$2; shift 2;; -A|--arch) arch=$2; shift 2;; -4|--ipv4) ipv4=$2; shift 2;; -- 2.1.0 From 890cb7e0c19da78d8ed5758ea0cce10b790bda39 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:49:19 +0100 Subject: [PATCH 10/16] lxc-openmandriva: protect possibly unset variable with quotes in -z check Signed-off-by: Michael Adam --- templates/lxc-openmandriva.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in index 4656177..be8023e 100644 --- a/templates/lxc-openmandriva.in +++ b/templates/lxc-openmandriva.in @@ -483,7 +483,7 @@ if [ $? -ne 0 ]; then exit 1 fi -if [ ! -z $clean ]; then +if [ ! -z "$clean" ]; then clean || exit 1 exit 0 fi -- 2.1.0 From 07ce7a2617686de304addbacdec1ae417eb63433 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:03:05 +0100 Subject: [PATCH 11/16] lxc-centos: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam --- templates/lxc-centos.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in index ee88178..ee34289 100644 --- a/templates/lxc-centos.in +++ b/templates/lxc-centos.in @@ -697,7 +697,7 @@ do -p|--path) path=$2; shift 2;; --rootfs) rootfs=$2; shift 2;; -n|--name) name=$2; shift 2;; - -c|--clean) clean=$2; shift 2;; + -c|--clean) clean=1; shift 1;; -R|--release) release=$2; shift 2;; --repo) repo="$2"; shift 2;; -a|--arch) newarch=$2; shift 2;; -- 2.1.0 From 778477c7a67043c747f20c08a7d9fa0c8fcef43d Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:03:31 +0100 Subject: [PATCH 12/16] lxc-centos: fix tab/space mixup in help text. Signed-off-by: Michael Adam --- templates/lxc-centos.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in index ee34289..6610a1b 100644 --- a/templates/lxc-centos.in +++ b/templates/lxc-centos.in @@ -699,7 +699,7 @@ do -n|--name) name=$2; shift 2;; -c|--clean) clean=1; shift 1;; -R|--release) release=$2; shift 2;; - --repo) repo="$2"; shift 2;; + --repo) repo="$2"; shift 2;; -a|--arch) newarch=$2; shift 2;; --fqdn) utsname=$2; shift 2;; --) shift 1; break ;; -- 2.1.0 From a0a754c78e2b34edd23826c6674501f5b166ffd8 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:03:53 +0100 Subject: [PATCH 13/16] lxc-centos: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam --- templates/lxc-centos.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in index 6610a1b..c7d2b89 100644 --- a/templates/lxc-centos.in +++ b/templates/lxc-centos.in @@ -887,7 +887,7 @@ fi configure_centos_init -if [ ! -z $clean ]; then +if [ ! -z "$clean" ]; then clean || exit 1 exit 0 fi -- 2.1.0 From fbb71f821c9269f2f36119e1b5c526b800e8ffa2 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:00:06 +0100 Subject: [PATCH 14/16] lxc-fedora: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam --- templates/lxc-fedora.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index adfaab2..7789a02 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -1215,7 +1215,7 @@ do -p|--path) path=$2; shift 2;; --rootfs) rootfs=$2; shift 2;; -n|--name) name=$2; shift 2;; - -c|--clean) clean=$2; shift 2;; + -c|--clean) clean=1; shift 1;; -R|--release) release=$2; shift 2;; -a|--arch) newarch=$2; shift 2;; --fqdn) utsname=$2; shift 2;; -- 2.1.0 From 017310aff1f45d6467ab1f88a0696eba9cf0004a Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:01:18 +0100 Subject: [PATCH 15/16] lxc-fedora: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam --- templates/lxc-fedora.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index 7789a02..8d8b0b7 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -1415,7 +1415,7 @@ then configure_fedora_init fi -if [ ! -z $clean ]; then +if [ ! -z "$clean" ]; then clean || exit 1 exit 0 fi -- 2.1.0 From 854bee3acf6d9bdbe23de4b77fe606d9777df9ef Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:22:18 +0100 Subject: [PATCH 16/16] lxc-fedora: let help text fit into 80 columns by breaking and shortening some lines. Signed-off-by: Michael Adam --- templates/lxc-fedora.in | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index 8d8b0b7..210f2e7 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -1184,15 +1184,18 @@ usage() cat < - [-p|--path=] [-c|--clean] [-R|--release=] [--fqdn=] [-a|--arch=] + [-p|--path=] [-c|--clean] [-R|--release=] + [--fqdn=] [-a|--arch=] [-h|--help] Mandatory args: - -n,--name container name, used to as an identifier for that container from now on + -n,--name container name, used to as an identifier for that container Optional args: - -p,--path path to where the container will be created, defaults to @LXCPATH at . The container config will go under @LXCPATH@ in that case + -p,--path path to where the container will be created, + defaults to @LXCPATH at . --rootfs path for actual rootfs. -c,--clean clean the cache - -R,--release Fedora release for the new container. if the host is Fedora, then it will default to the host's release. + -R,--release Fedora release for the new container. + Defaults to host's release if the host is Fedora. --fqdn fully qualified domain name (FQDN) for DNS and system naming -a,--arch Define what arch the container will be [i686,x86_64] -h,--help print this help -- 2.1.0 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From obnox at samba.org Sat Jan 10 12:12:06 2015 From: obnox at samba.org (Michael Adam) Date: Sat, 10 Jan 2015 13:12:06 +0100 Subject: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some template script fixes In-Reply-To: <20150110120836.GA8528@obnox.de> References: <20150108100516.GK2958@obnox.de> <20150108101652.GL2958@obnox.de> <20150110040505.GJ10641@ubuntumail> <20150110120836.GA8528@obnox.de> Message-ID: <20150110121206.GB8528@obnox.de> On 2015-01-10 at 13:08 +0100, Michael Adam wrote: > On 2015-01-10 at 04:05 +0000, Serge Hallyn wrote: > > > The less controversial one is adding mask-tmp to the fedora template. > > It looks fine to me, but that should go separately to mwarfield, our > > fedora template maintainer :) > > I had notified mhw of my patches on irc, but apparently he is > currently very busy. > > For a start, following is an update of the uncontroversial fix > patches, i.e. the fix patche without the path ones, and without > the mask-tmp patch. And here comes the mask-tmp patch. It needs to be applied onto the previous fix-patchset. From 9589dca113535ed2f4faad89db2fab33bb8a9d7e Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 8 Jan 2015 10:25:24 +0100 Subject: [PATCH] lxc-fedora: add a new option --mask-tmp This will configure the container to prevent the standard behaviour of over-mounting /tmp with tmpfs, which can be undesirable in some cases. My personal use case is vagrant-lxc in combination with vagrant-cachier. Signed-off-by: Michael Adam --- templates/lxc-fedora.in | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index 210f2e7..49e14eb 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -372,6 +372,12 @@ configure_fedora_systemd() chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target # Make systemd honor SIGPWR chroot ${rootfs_path} ln -s /usr/lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target + + # if desired, prevent systemd from over-mounting /tmp with tmpfs + if [ $masktmp -eq 1 ]; then + chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/tmp.mount + fi + #dependency on a device unit fails it specially that we disabled udev # sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service # @@ -1186,6 +1192,7 @@ usage: $1 -n|--name= [-p|--path=] [-c|--clean] [-R|--release=] [--fqdn=] [-a|--arch=] + [--mask-tmp] [-h|--help] Mandatory args: -n,--name container name, used to as an identifier for that container @@ -1198,18 +1205,21 @@ Optional args: Defaults to host's release if the host is Fedora. --fqdn fully qualified domain name (FQDN) for DNS and system naming -a,--arch Define what arch the container will be [i686,x86_64] + --mask-tmp Prevent systemd from over-mounting /tmp with tmpfs. -h,--help print this help EOF return 0 } -options=$(getopt -o a:hp:n:cR: -l help,path:,rootfs:,name:,clean,release:,arch:,fqdn: -- "$@") +options=$(getopt -o a:hp:n:cR: -l help,path:,rootfs:,name:,clean,release:,arch:,fqdn:,mask-tmp -- "$@") if [ $? -ne 0 ]; then usage $(basename $0) exit 1 fi arch=$(uname -m) +masktmp=0 + eval set -- "$options" while true do @@ -1222,6 +1232,7 @@ do -R|--release) release=$2; shift 2;; -a|--arch) newarch=$2; shift 2;; --fqdn) utsname=$2; shift 2;; + --mask-tmp) masktmp=1; shift 1;; --) shift 1; break ;; *) break ;; esac -- 2.1.0 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From obnox at samba.org Sat Jan 10 12:18:36 2015 From: obnox at samba.org (Michael Adam) Date: Sat, 10 Jan 2015 13:18:36 +0100 Subject: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some template script fixes In-Reply-To: <20150110040505.GJ10641@ubuntumail> References: <20150108100516.GK2958@obnox.de> <20150108101652.GL2958@obnox.de> <20150110040505.GJ10641@ubuntumail> Message-ID: <20150110121836.GC8528@obnox.de> On 2015-01-10 at 04:05 +0000, Serge Hallyn wrote: > > Actually a patch to remove '-p|--path' from the > help statement in all other templates would be appreciated. Ok, I was just about to send such an add-on patchset, but first one more thought: Doesn't the same apply to the -n|--name parameter? And what about the --rootfs switch that some of the templates (like archlinux) take? Cheers - Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From serge.hallyn at ubuntu.com Sat Jan 10 15:59:18 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Sat, 10 Jan 2015 15:59:18 +0000 Subject: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some template script fixes In-Reply-To: <20150110121836.GC8528@obnox.de> References: <20150108100516.GK2958@obnox.de> <20150108101652.GL2958@obnox.de> <20150110040505.GJ10641@ubuntumail> <20150110121836.GC8528@obnox.de> Message-ID: <20150110155918.GL10641@ubuntumail> Quoting Michael Adam (obnox at samba.org): > On 2015-01-10 at 04:05 +0000, Serge Hallyn wrote: > > > > Actually a patch to remove '-p|--path' from the > > help statement in all other templates would be appreciated. > > Ok, I was just about to send such an add-on patchset, > but first one more thought: > > Doesn't the same apply to the -n|--name parameter? > > And what about the --rootfs switch that some > of the templates (like archlinux) take? Yup, good point, I think it does. From serge.hallyn at ubuntu.com Sat Jan 10 16:00:44 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Sat, 10 Jan 2015 16:00:44 +0000 Subject: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some template script fixes In-Reply-To: <20150110121206.GB8528@obnox.de> References: <20150108100516.GK2958@obnox.de> <20150108101652.GL2958@obnox.de> <20150110040505.GJ10641@ubuntumail> <20150110120836.GA8528@obnox.de> <20150110121206.GB8528@obnox.de> Message-ID: <20150110160044.GM10641@ubuntumail> Quoting Michael Adam (obnox at samba.org): > On 2015-01-10 at 13:08 +0100, Michael Adam wrote: > > On 2015-01-10 at 04:05 +0000, Serge Hallyn wrote: > > > > > The less controversial one is adding mask-tmp to the fedora template. > > > It looks fine to me, but that should go separately to mwarfield, our > > > fedora template maintainer :) > > > > I had notified mhw of my patches on irc, but apparently he is > > currently very busy. > > > > For a start, following is an update of the uncontroversial fix > > patches, i.e. the fix patche without the path ones, and without > > the mask-tmp patch. > > And here comes the mask-tmp patch. > It needs to be applied onto the previous fix-patchset. > > > From 9589dca113535ed2f4faad89db2fab33bb8a9d7e Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:25:24 +0100 > Subject: [PATCH] lxc-fedora: add a new option --mask-tmp > > This will configure the container to prevent the standard > behaviour of over-mounting /tmp with tmpfs, which can be > undesirable in some cases. > > My personal use case is vagrant-lxc in combination with > vagrant-cachier. > > Signed-off-by: Michael Adam Looks good to me, thanks. Let's give Michael a bit of time to object, but Acked-by: Serge E. Hallyn > --- > templates/lxc-fedora.in | 13 ++++++++++++- > 1 file changed, 12 insertions(+), 1 deletion(-) > > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in > index 210f2e7..49e14eb 100644 > --- a/templates/lxc-fedora.in > +++ b/templates/lxc-fedora.in > @@ -372,6 +372,12 @@ configure_fedora_systemd() > chroot ${rootfs_path} ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target > # Make systemd honor SIGPWR > chroot ${rootfs_path} ln -s /usr/lib/systemd/system/halt.target /etc/systemd/system/sigpwr.target > + > + # if desired, prevent systemd from over-mounting /tmp with tmpfs > + if [ $masktmp -eq 1 ]; then > + chroot ${rootfs_path} ln -s /dev/null /etc/systemd/system/tmp.mount > + fi > + > #dependency on a device unit fails it specially that we disabled udev > # sed -i 's/After=dev-%i.device/After=/' ${rootfs_path}/lib/systemd/system/getty\@.service > # > @@ -1186,6 +1192,7 @@ usage: > $1 -n|--name= > [-p|--path=] [-c|--clean] [-R|--release=] > [--fqdn=] [-a|--arch=] > + [--mask-tmp] > [-h|--help] > Mandatory args: > -n,--name container name, used to as an identifier for that container > @@ -1198,18 +1205,21 @@ Optional args: > Defaults to host's release if the host is Fedora. > --fqdn fully qualified domain name (FQDN) for DNS and system naming > -a,--arch Define what arch the container will be [i686,x86_64] > + --mask-tmp Prevent systemd from over-mounting /tmp with tmpfs. > -h,--help print this help > EOF > return 0 > } > > -options=$(getopt -o a:hp:n:cR: -l help,path:,rootfs:,name:,clean,release:,arch:,fqdn: -- "$@") > +options=$(getopt -o a:hp:n:cR: -l help,path:,rootfs:,name:,clean,release:,arch:,fqdn:,mask-tmp -- "$@") > if [ $? -ne 0 ]; then > usage $(basename $0) > exit 1 > fi > > arch=$(uname -m) > +masktmp=0 > + > eval set -- "$options" > while true > do > @@ -1222,6 +1232,7 @@ do > -R|--release) release=$2; shift 2;; > -a|--arch) newarch=$2; shift 2;; > --fqdn) utsname=$2; shift 2;; > + --mask-tmp) masktmp=1; shift 1;; > --) shift 1; break ;; > *) break ;; > esac > -- > 2.1.0 > > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From noreply at github.com Sat Jan 10 16:08:34 2015 From: noreply at github.com (GitHub) Date: Sat, 10 Jan 2015 08:08:34 -0800 Subject: [lxc-devel] [lxc/lxc] e4d4da: lxc-debian: fix parsing of option "--clean": it ta... Message-ID: <54b14e8244e4f_2dfa3f9a5d3e92c05442f@hookshot-fe5-cp1-prd.iad.github.net.mail> Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: e4d4da621109307eb065ce3578fb1e0753157b74 https://github.com/lxc/lxc/commit/e4d4da621109307eb065ce3578fb1e0753157b74 Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-debian.in Log Message: ----------- lxc-debian: fix parsing of option "--clean": it takes no argument. Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: a64da4c358976823cf7dbd9b35b6c4e65e776d32 https://github.com/lxc/lxc/commit/a64da4c358976823cf7dbd9b35b6c4e65e776d32 Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-debian.in Log Message: ----------- lxc-debian: document "--clean" in the usage. Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: 227c560065b22f84e4e41724486863c31b77ac01 https://github.com/lxc/lxc/commit/227c560065b22f84e4e41724486863c31b77ac01 Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-debian.in Log Message: ----------- lxc-debian: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: 1111674232c2e93ddc2c165f3d43df8fe050ac82 https://github.com/lxc/lxc/commit/1111674232c2e93ddc2c165f3d43df8fe050ac82 Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-opensuse.in Log Message: ----------- lxc-opensuse: fix tab/whitespace mixup in usage text. Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: eb4cd29636a136c867c43937670a1c6295cb18b0 https://github.com/lxc/lxc/commit/eb4cd29636a136c867c43937670a1c6295cb18b0 Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-opensuse.in Log Message: ----------- lxc-opensuse: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: b5a285ea8fde10254f3b6d1743cec372a2d01605 https://github.com/lxc/lxc/commit/b5a285ea8fde10254f3b6d1743cec372a2d01605 Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-opensuse.in Log Message: ----------- lxc-opensuse: protect possibly unset variable with quotes in -z check Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: 217535de29d88d64ed3b8c7093e23d954b9545ca https://github.com/lxc/lxc/commit/217535de29d88d64ed3b8c7093e23d954b9545ca Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-altlinux.in Log Message: ----------- lxc-altlinux: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: 4986f1c435636a69193ac90452b10075122d9005 https://github.com/lxc/lxc/commit/4986f1c435636a69193ac90452b10075122d9005 Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-altlinux.in Log Message: ----------- lxc-altlinux: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: fe9d4df40a978c643285e15dd99a2187a1bcfec9 https://github.com/lxc/lxc/commit/fe9d4df40a978c643285e15dd99a2187a1bcfec9 Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-openmandriva.in Log Message: ----------- lxc-openmandriva: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: c4834f3c12f6a34224a494787a7f3cd4c2147e9d https://github.com/lxc/lxc/commit/c4834f3c12f6a34224a494787a7f3cd4c2147e9d Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-openmandriva.in Log Message: ----------- lxc-openmandriva: protect possibly unset variable with quotes in -z check Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: 6976826fed04d006608f87ba902a8517358c15ec https://github.com/lxc/lxc/commit/6976826fed04d006608f87ba902a8517358c15ec Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-centos.in Log Message: ----------- lxc-centos: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: 2ae8252a4f046a8839a70da6a2271e20e8216b99 https://github.com/lxc/lxc/commit/2ae8252a4f046a8839a70da6a2271e20e8216b99 Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-centos.in Log Message: ----------- lxc-centos: fix tab/space mixup in help text. Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: a2780518da9102cda2d261bd866237710559d348 https://github.com/lxc/lxc/commit/a2780518da9102cda2d261bd866237710559d348 Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-centos.in Log Message: ----------- lxc-centos: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: 98d316e29af90f1b2084fc3c8c4c4e0316b894c5 https://github.com/lxc/lxc/commit/98d316e29af90f1b2084fc3c8c4c4e0316b894c5 Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-fedora.in Log Message: ----------- lxc-fedora: fix parsing of option "--clean": it takes no argument Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: 9aed78fad15fe35c53d1a6af8147fca7018e147f https://github.com/lxc/lxc/commit/9aed78fad15fe35c53d1a6af8147fca7018e147f Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-fedora.in Log Message: ----------- lxc-fedora: protect possibly unset variable with quotes for -z check Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Commit: fccc348be453c3991db351f336dbe9da8e861e97 https://github.com/lxc/lxc/commit/fccc348be453c3991db351f336dbe9da8e861e97 Author: Michael Adam Date: 2015-01-10 (Sat, 10 Jan 2015) Changed paths: M templates/lxc-fedora.in Log Message: ----------- lxc-fedora: let help text fit into 80 columns by breaking and shortening some lines. Signed-off-by: Michael Adam Signed-off-by: Serge Hallyn Compare: https://github.com/lxc/lxc/compare/bb2afd6038b6...fccc348be453 From serge.hallyn at ubuntu.com Sat Jan 10 16:09:41 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Sat, 10 Jan 2015 16:09:41 +0000 Subject: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some template script fixes In-Reply-To: <20150110120836.GA8528@obnox.de> References: <20150108100516.GK2958@obnox.de> <20150108101652.GL2958@obnox.de> <20150110040505.GJ10641@ubuntumail> <20150110120836.GA8528@obnox.de> Message-ID: <20150110160941.GN10641@ubuntumail> Quoting Michael Adam (obnox at samba.org): > Hi Serge, > > Thanks for your comments. > > On 2015-01-10 at 04:05 +0000, Serge Hallyn wrote: > > Hi, > > > > thanks. > > > > the trivial ones look almost all correct to me - the only worry I have > > is about adding -p to the help output. -p is not meant to be used by > > users, only by lxc-create in calling the templates. It looks like you > > only added that to the ubuntu template (so that's the only part of those > > that I object to). > > Not quite: Added to ubuntu and debian templates, because it was > not documented there, and fixed the printed paths in archlinux, > centos and fedora. > > It also seems that templates for fedora, centos and friends treat > the path parameter differently than debian and ubuntu in that > they do provide a default. Debian and ubuntu templates don't > and fail if --path is not specified. > > > Actually a patch to remove '-p|--path' from the > > help statement in all other templates would be appreciated. > > Ok, so the reasoning is that the template script should only > be called from lxc-create and that lxc-create adds the --path > parameter to the call, correct? Yeah... Of course there may be people who do run the templates by hand. But we've lost time with bug reports that turned out to be people passing --path to lxc-create and getting unexpected results... I suppose we could detect whether running under lxc-create (maybe look at whether stdin is a tty or just have lxc-create pass a '--noninteractive' argument), and have templates print out the other help only if interactive? > > The less controversial one is adding mask-tmp to the fedora template. > > It looks fine to me, but that should go separately to mwarfield, our > > fedora template maintainer :) > > I had notified mhw of my patches on irc, but apparently he is > currently very busy. > > For a start, following is an update of the uncontroversial fix > patches, i.e. the fix patche without the path ones, and without > the mask-tmp patch. > > Cheers - Michael Looks good, all of them Acked-by: Serge E. Hallyn > From d7c0574f6deae345ddaa58e9cd3d85018d1a6908 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 09:32:39 +0100 > Subject: [PATCH 01/16] lxc-debian: fix parsing of option "--clean": it takes > no argument. > > Signed-off-by: Michael Adam > --- > templates/lxc-debian.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in > index a9a1652..603894f 100644 > --- a/templates/lxc-debian.in > +++ b/templates/lxc-debian.in > @@ -475,7 +475,7 @@ do > --) shift 1; break ;; > > -a|--arch) arch=$2; shift 2;; > - -c|--clean) clean=$2; shift 1;; > + -c|--clean) clean=1; shift 1;; > --mirror) MIRROR=$2; shift 2;; > -n|--name) name=$2; shift 2;; > --packages) packages=$2; shift 2;; > -- > 2.1.0 > > > From 31347d5bd8f405f42e17d375de85b92c72963a65 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 09:38:48 +0100 > Subject: [PATCH 02/16] lxc-debian: document "--clean" in the usage. > > Signed-off-by: Michael Adam > --- > templates/lxc-debian.in | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in > index 603894f..d1e4edd 100644 > --- a/templates/lxc-debian.in > +++ b/templates/lxc-debian.in > @@ -438,6 +438,7 @@ usage() > { > cat < $1 -h|--help -p|--path= [-a|--arch] [-c|--clean] [--mirror=] [-r|--release=] [--security-mirror=] > +clean: purge the download cache after installation > arch: the container architecture (e.g. amd64): defaults to host arch > release: the debian release (e.g. wheezy): defaults to current stable > mirror: debain mirror to use during installation > -- > 2.1.0 > > > From 48f3faa90ee6e599281ca7e09fa6386961db9067 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 09:58:09 +0100 > Subject: [PATCH 03/16] lxc-debian: protect possibly unset variable with quotes > for -z check > > Signed-off-by: Michael Adam > --- > templates/lxc-debian.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in > index d1e4edd..65093f3 100644 > --- a/templates/lxc-debian.in > +++ b/templates/lxc-debian.in > @@ -573,7 +573,7 @@ configure_debian_systemd $path $rootfs > > post_process ${rootfs} ${release} ${arch} ${hostarch} ${packages} > > -if [ ! -z $clean ]; then > +if [ ! -z "$clean" ]; then > clean || exit 1 > exit 0 > fi > -- > 2.1.0 > > > From 4be2378d34aa89b39a04d3379d340212499e0075 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:34:49 +0100 > Subject: [PATCH 04/16] lxc-opensuse: fix tab/whitespace mixup in usage text. > > Signed-off-by: Michael Adam > --- > templates/lxc-opensuse.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in > index f727250..89971da 100644 > --- a/templates/lxc-opensuse.in > +++ b/templates/lxc-opensuse.in > @@ -403,7 +403,7 @@ do > -p|--path) path=$2; shift 2;; > --rootfs) rootfs=$2; shift 2;; > -n|--name) name=$2; shift 2;; > - -r|--release) DISTRO=$2; shift 2;; > + -r|--release) DISTRO=$2; shift 2;; > -c|--clean) clean=$2; shift 2;; > --) shift 1; break ;; > *) break ;; > -- > 2.1.0 > > > From 9523398ff4a28b3c819c8cd26108807ce64c9330 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:35:20 +0100 > Subject: [PATCH 05/16] lxc-opensuse: fix parsing of option "--clean": it takes > no argument > > Signed-off-by: Michael Adam > --- > templates/lxc-opensuse.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in > index 89971da..20ffdbd 100644 > --- a/templates/lxc-opensuse.in > +++ b/templates/lxc-opensuse.in > @@ -404,7 +404,7 @@ do > --rootfs) rootfs=$2; shift 2;; > -n|--name) name=$2; shift 2;; > -r|--release) DISTRO=$2; shift 2;; > - -c|--clean) clean=$2; shift 2;; > + -c|--clean) clean=1; shift 1;; > --) shift 1; break ;; > *) break ;; > esac > -- > 2.1.0 > > > From 1c847d4c71c79a6bcade46f9743fdb9006fe79bc Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:36:06 +0100 > Subject: [PATCH 06/16] lxc-opensuse: protect possibly unset variable with > quotes in -z check > > Signed-off-by: Michael Adam > --- > templates/lxc-opensuse.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in > index 20ffdbd..bb015c8 100644 > --- a/templates/lxc-opensuse.in > +++ b/templates/lxc-opensuse.in > @@ -489,7 +489,7 @@ if [ $? -ne 0 ]; then > exit 1 > fi > > -if [ ! -z $clean ]; then > +if [ ! -z "$clean" ]; then > clean || exit 1 > exit 0 > fi > -- > 2.1.0 > > > From e91db6d594ff522a8915477797138daa26d201a9 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:43:12 +0100 > Subject: [PATCH 07/16] lxc-altlinux: fix parsing of option "--clean": it takes > no argument > > Signed-off-by: Michael Adam > --- > templates/lxc-altlinux.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in > index 1c5084e..9e78125 100644 > --- a/templates/lxc-altlinux.in > +++ b/templates/lxc-altlinux.in > @@ -398,7 +398,7 @@ do > --rootfs) rootfs_path=$2; shift 2;; > -n|--name) name=$2; shift 2;; > -P|--profile) profile=$2; shift 2;; > - -c|--clean) clean=$2; shift 2;; > + -c|--clean) clean=1; shift 1;; > -R|--release) release=$2; shift 2;; > -4|--ipv4) ipv4=$2; shift 2;; > -6|--ipv6) ipv6=$2; shift 2;; > -- > 2.1.0 > > > From 932ec3418d5b3a2c8f8713fd6f86946671e74598 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:43:52 +0100 > Subject: [PATCH 08/16] lxc-altlinux: protect possibly unset variable with > quotes for -z check > > Signed-off-by: Michael Adam > --- > templates/lxc-altlinux.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in > index 9e78125..ac4527b 100644 > --- a/templates/lxc-altlinux.in > +++ b/templates/lxc-altlinux.in > @@ -478,7 +478,7 @@ if [ $? -ne 0 ]; then > exit 1 > fi > > -if [ ! -z $clean ]; then > +if [ ! -z "$clean" ]; then > clean || exit 1 > exit 0 > fi > -- > 2.1.0 > > > From ff67ced9bfb6965f8372138fa9f0ffe300d2fbc3 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:48:40 +0100 > Subject: [PATCH 09/16] lxc-openmandriva: fix parsing of option "--clean": it > takes no argument > > Signed-off-by: Michael Adam > --- > templates/lxc-openmandriva.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in > index 45e2efa..4656177 100644 > --- a/templates/lxc-openmandriva.in > +++ b/templates/lxc-openmandriva.in > @@ -377,7 +377,7 @@ do > --rootfs) rootfs_path=$2; shift 2;; > -n|--name) name=$2; shift 2;; > -P|--profile) profile=$2; shift 2;; > - -c|--clean) clean=$2; shift 2;; > + -c|--clean) clean=1; shift 1;; > -R|--release) release=$2; shift 2;; > -A|--arch) arch=$2; shift 2;; > -4|--ipv4) ipv4=$2; shift 2;; > -- > 2.1.0 > > > From 890cb7e0c19da78d8ed5758ea0cce10b790bda39 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:49:19 +0100 > Subject: [PATCH 10/16] lxc-openmandriva: protect possibly unset variable with > quotes in -z check > > Signed-off-by: Michael Adam > --- > templates/lxc-openmandriva.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in > index 4656177..be8023e 100644 > --- a/templates/lxc-openmandriva.in > +++ b/templates/lxc-openmandriva.in > @@ -483,7 +483,7 @@ if [ $? -ne 0 ]; then > exit 1 > fi > > -if [ ! -z $clean ]; then > +if [ ! -z "$clean" ]; then > clean || exit 1 > exit 0 > fi > -- > 2.1.0 > > > From 07ce7a2617686de304addbacdec1ae417eb63433 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:03:05 +0100 > Subject: [PATCH 11/16] lxc-centos: fix parsing of option "--clean": it takes > no argument > > Signed-off-by: Michael Adam > --- > templates/lxc-centos.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in > index ee88178..ee34289 100644 > --- a/templates/lxc-centos.in > +++ b/templates/lxc-centos.in > @@ -697,7 +697,7 @@ do > -p|--path) path=$2; shift 2;; > --rootfs) rootfs=$2; shift 2;; > -n|--name) name=$2; shift 2;; > - -c|--clean) clean=$2; shift 2;; > + -c|--clean) clean=1; shift 1;; > -R|--release) release=$2; shift 2;; > --repo) repo="$2"; shift 2;; > -a|--arch) newarch=$2; shift 2;; > -- > 2.1.0 > > > From 778477c7a67043c747f20c08a7d9fa0c8fcef43d Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:03:31 +0100 > Subject: [PATCH 12/16] lxc-centos: fix tab/space mixup in help text. > > Signed-off-by: Michael Adam > --- > templates/lxc-centos.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in > index ee34289..6610a1b 100644 > --- a/templates/lxc-centos.in > +++ b/templates/lxc-centos.in > @@ -699,7 +699,7 @@ do > -n|--name) name=$2; shift 2;; > -c|--clean) clean=1; shift 1;; > -R|--release) release=$2; shift 2;; > - --repo) repo="$2"; shift 2;; > + --repo) repo="$2"; shift 2;; > -a|--arch) newarch=$2; shift 2;; > --fqdn) utsname=$2; shift 2;; > --) shift 1; break ;; > -- > 2.1.0 > > > From a0a754c78e2b34edd23826c6674501f5b166ffd8 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:03:53 +0100 > Subject: [PATCH 13/16] lxc-centos: protect possibly unset variable with quotes > for -z check > > Signed-off-by: Michael Adam > --- > templates/lxc-centos.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in > index 6610a1b..c7d2b89 100644 > --- a/templates/lxc-centos.in > +++ b/templates/lxc-centos.in > @@ -887,7 +887,7 @@ fi > > configure_centos_init > > -if [ ! -z $clean ]; then > +if [ ! -z "$clean" ]; then > clean || exit 1 > exit 0 > fi > -- > 2.1.0 > > > From fbb71f821c9269f2f36119e1b5c526b800e8ffa2 Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:00:06 +0100 > Subject: [PATCH 14/16] lxc-fedora: fix parsing of option "--clean": it takes > no argument > > Signed-off-by: Michael Adam > --- > templates/lxc-fedora.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in > index adfaab2..7789a02 100644 > --- a/templates/lxc-fedora.in > +++ b/templates/lxc-fedora.in > @@ -1215,7 +1215,7 @@ do > -p|--path) path=$2; shift 2;; > --rootfs) rootfs=$2; shift 2;; > -n|--name) name=$2; shift 2;; > - -c|--clean) clean=$2; shift 2;; > + -c|--clean) clean=1; shift 1;; > -R|--release) release=$2; shift 2;; > -a|--arch) newarch=$2; shift 2;; > --fqdn) utsname=$2; shift 2;; > -- > 2.1.0 > > > From 017310aff1f45d6467ab1f88a0696eba9cf0004a Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:01:18 +0100 > Subject: [PATCH 15/16] lxc-fedora: protect possibly unset variable with quotes > for -z check > > Signed-off-by: Michael Adam > --- > templates/lxc-fedora.in | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in > index 7789a02..8d8b0b7 100644 > --- a/templates/lxc-fedora.in > +++ b/templates/lxc-fedora.in > @@ -1415,7 +1415,7 @@ then > configure_fedora_init > fi > > -if [ ! -z $clean ]; then > +if [ ! -z "$clean" ]; then > clean || exit 1 > exit 0 > fi > -- > 2.1.0 > > > From 854bee3acf6d9bdbe23de4b77fe606d9777df9ef Mon Sep 17 00:00:00 2001 > From: Michael Adam > Date: Thu, 8 Jan 2015 10:22:18 +0100 > Subject: [PATCH 16/16] lxc-fedora: let help text fit into 80 columns > > by breaking and shortening some lines. > > Signed-off-by: Michael Adam > --- > templates/lxc-fedora.in | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in > index 8d8b0b7..210f2e7 100644 > --- a/templates/lxc-fedora.in > +++ b/templates/lxc-fedora.in > @@ -1184,15 +1184,18 @@ usage() > cat < usage: > $1 -n|--name= > - [-p|--path=] [-c|--clean] [-R|--release=] [--fqdn=] [-a|--arch=] > + [-p|--path=] [-c|--clean] [-R|--release=] > + [--fqdn=] [-a|--arch=] > [-h|--help] > Mandatory args: > - -n,--name container name, used to as an identifier for that container from now on > + -n,--name container name, used to as an identifier for that container > Optional args: > - -p,--path path to where the container will be created, defaults to @LXCPATH at . The container config will go under @LXCPATH@ in that case > + -p,--path path to where the container will be created, > + defaults to @LXCPATH at . > --rootfs path for actual rootfs. > -c,--clean clean the cache > - -R,--release Fedora release for the new container. if the host is Fedora, then it will default to the host's release. > + -R,--release Fedora release for the new container. > + Defaults to host's release if the host is Fedora. > --fqdn fully qualified domain name (FQDN) for DNS and system naming > -a,--arch Define what arch the container will be [i686,x86_64] > -h,--help print this help > -- > 2.1.0 > > > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From serge.hallyn at ubuntu.com Sat Jan 10 16:13:55 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Sat, 10 Jan 2015 16:13:55 +0000 Subject: [lxc-devel] Bump: Failure with authorisation of update-manager in Ubuntu Desktop-Container In-Reply-To: <54AE268A.8000403@DNB.DE> References: <54AE268A.8000403@DNB.DE> Message-ID: <20150110161355.GO10641@ubuntumail> Quoting Guido Jäkel (G.Jaekel at DNB.DE): > Hi Dev's, > > may anyone please help me to solve this issue? > > Guido > > On 04.01.2015 20:01, Guido Jäkel wrote on [lxc-user]: > >My goal here is to set up a Ubuntu Desktop Container ... > >[...] > >After a a few tweaks, this already runs very well... > >[...]> But now I stuck at an issue concerning the GUI versions of software management: The apt commandline tools work, but the GUI program update-manager shows the error message "You are not allowed to perform this action" and fail to work. However, if i start it with 'gksudo update-manager', there is no such message. > > > > In the same way, the software-manager or other GUI methods to install/remove software is not working. May anybody please have a hint what might be missing in the container setup or have to be tweaked inside? So you have ubuntu desktop running in a unprivileged container? Exactly how are you logging in - you have a tty on the host which runs x in the container? vnc? x2go? spice? I assume there's nothing in syslog or /var/log/audit/audit.log? Can you strace update-manager and grep -e "(EPERM|EACCES)" ? -serge From obnox at samba.org Sat Jan 10 17:28:26 2015 From: obnox at samba.org (Michael Adam) Date: Sat, 10 Jan 2015 18:28:26 +0100 Subject: [lxc-devel] [PATCHES] add "--mask-tmp" to lxc-fedora, plus some template script fixes In-Reply-To: <20150110155918.GL10641@ubuntumail> References: <20150108100516.GK2958@obnox.de> <20150108101652.GL2958@obnox.de> <20150110040505.GJ10641@ubuntumail> <20150110121836.GC8528@obnox.de> <20150110155918.GL10641@ubuntumail> Message-ID: <20150110172826.GE8528@obnox.de> On 2015-01-10 at 15:59 +0000, Serge Hallyn wrote: > Quoting Michael Adam (obnox at samba.org): > > On 2015-01-10 at 04:05 +0000, Serge Hallyn wrote: > > > > > > Actually a patch to remove '-p|--path' from the > > > help statement in all other templates would be appreciated. > > > > Ok, I was just about to send such an add-on patchset, > > but first one more thought: > > > > Doesn't the same apply to the -n|--name parameter? > > > > And what about the --rootfs switch that some > > of the templates (like archlinux) take? > > Yup, good point, I think it does. So then, there are two different approaches: 1) document all options for the sake of completeness, marking some of them as "intended for internal use only" 2) hide those internal options from the usage text. I am personally not 100% certain what I would favour, but slightly inclining towards option 1. I am happy to do patches for either variant, but will wait for more comments on that first. Cheers - Michael -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available URL: From riyakhanna1983 at gmail.com Sat Jan 10 17:35:47 2015 From: riyakhanna1983 at gmail.com (riya khanna) Date: Sat, 10 Jan 2015 11:35:47 -0600 Subject: [lxc-devel] lxc-start fails In-Reply-To: <20150110041347.GK10641@ubuntumail> References: <20150109141238.GB9897@ubuntumail> <20150109215539.GD10641@ubuntumail> <20150110033647.GI10641@ubuntumail> <20150110041347.GK10641@ubuntumail> Message-ID: I'm trying to run an android container (as root) on a busy box based host. "netstat -xp | grep lxc" shows nothing Running 3.17 kernel # uname -a Linux (none) 3.17.0-07555-g119c35e #331 PREEMPT armv7l GNU/Linux Using busy box shell # echo $SHELL /bin/sh Thanks for your help! On Fri, Jan 9, 2015 at 10:13 PM, Serge Hallyn wrote: >> lxc-start 1420861068.913 ERROR lxc_monitor - >> monitor.c:lxc_monitor_open:208 - connect : backing off 10 > > Please tell us more about your system. Busybox based. What sort of kernel, > and what sort of security features built in? What does 'netstat -xp | grep lxc' > show? If it lists a process, what does /proc/$pid/status and /proc/$pid/attr/current > show for both its pid, and your shell ($$) ? > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel From riyakhanna1983 at gmail.com Sat Jan 10 17:41:15 2015 From: riyakhanna1983 at gmail.com (riya khanna) Date: Sat, 10 Jan 2015 11:41:15 -0600 Subject: [lxc-devel] lxc-start fails In-Reply-To: References: <20150109141238.GB9897@ubuntumail> <20150109215539.GD10641@ubuntumail> <20150110033647.GI10641@ubuntumail> <20150110041347.GK10641@ubuntumail> Message-ID: Like I said earlier as well, the container _does_ start just fine, but I see these messages: lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 10 lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 50 lxc-start: monitor.c: lxc_monitor_open: 208 connect : backing off 100 lxc-start: monitor.c: lxc_monitor_open: 213 connect : Connection refused lxc-start: lxc_start.c: main: 345 The container failed to start. lxc-start: lxc_start.c: main: 347 To get more details, run the container in foreground mode. lxc-start: lxc_start.c: main: 349 Additional information can be obtained by setting the --logfile and --logpriority options. On Sat, Jan 10, 2015 at 11:35 AM, riya khanna wrote: > I'm trying to run an android container (as root) on a busy box based host. > > "netstat -xp | grep lxc" shows nothing > > Running 3.17 kernel > > # uname -a > Linux (none) 3.17.0-07555-g119c35e #331 PREEMPT armv7l GNU/Linux > > Using busy box shell > > # echo $SHELL > /bin/sh > > Thanks for your help! > > On Fri, Jan 9, 2015 at 10:13 PM, Serge Hallyn wrote: >>> lxc-start 1420861068.913 ERROR lxc_monitor - >>> monitor.c:lxc_monitor_open:208 - connect : backing off 10 >> >> Please tell us more about your system. Busybox based. What sort of kernel, >> and what sort of security features built in? What does 'netstat -xp | grep lxc' >> show? If it lists a process, what does /proc/$pid/status and /proc/$pid/attr/current >> show for both its pid, and your shell ($$) ? >> _______________________________________________ >> lxc-devel mailing list >> lxc-devel at lists.linuxcontainers.org >> http://lists.linuxcontainers.org/listinfo/lxc-devel From G.Jaekel at DNB.DE Sun Jan 11 11:01:46 2015 From: G.Jaekel at DNB.DE (=?UTF-8?B?R3VpZG8gSsOka2Vs?=) Date: Sun, 11 Jan 2015 12:01:46 +0100 Subject: [lxc-devel] Bump: Failure with authorisation of update-manager in Ubuntu Desktop-Container In-Reply-To: <20150110161355.GO10641@ubuntumail> References: <54AE268A.8000403@DNB.DE> <20150110161355.GO10641@ubuntumail> Message-ID: <54B2581A.9000706@DNB.DE> On 10.01.2015 17:13, Serge Hallyn wrote: > Quoting Guido Jäkel (G.Jaekel at DNB.DE): >> Hi Dev's, >> >> may anyone please help me to solve this issue? >> >> Guido >> >> On 04.01.2015 20:01, Guido Jäkel wrote on [lxc-user]: >>> My goal here is to set up a Ubuntu Desktop Container ... >>> [...] >>> After a a few tweaks, this already runs very well... >>> [...]> But now I stuck at an issue concerning the GUI versions of software management: The apt commandline tools work, but the GUI program update-manager shows the error message "You are not allowed to perform this action" and fail to work. However, if i start it with 'gksudo update-manager', there is no such message. >>> >>> In the same way, the software-manager or other GUI methods to install/remove software is not working. May anybody please have a hint what might be missing in the container setup or have to be tweaked inside? > > So you have ubuntu desktop running in a unprivileged container? Exactly how are > you logging in - you have a tty on the host which runs x in the container? vnc? > x2go? spice? No, this my own Gentoo home server and the Ubuntu container is started by root. It have direct access to the video card (because the host just use the console for emergencies and is managed by ssh), the tty7 and the input dev's (keyboard and mouse). Please refer to my first posting in lxc-user at 2015-01-04 for some details. Actually, this email is written inside the Ubuntu Container. > I assume there's nothing in syslog or /var/log/audit/audit.log? There is no /var/log/audit/ inside the container. I've appended the container's syslog for a startup. The most noticable lines in /var/log/syslog are Jan 11 10:50:04 celly gnome-session[1333]: WARNING: Could not get session id for session. Check that logind is properly installed and pam_systemd is getting used at login. Jan 11 10:50:06 celly gnome-session[1333]: GLib-CRITICAL: g_environ_setenv: assertion 'value != NULL' failed I'm used to maintain Unix servers, but don't have any deeper understanding of desktop mechanisms. But the keywords "gnome session" and "pam" sounds very suspicious to me. > Can you strace update-manager and grep -e "(EPERM|EACCES)" ? Because of the lists atachement limit, I've send to trace to your private mail. Slowed down by the strace, before the error alert box I see a message in the dialog box that it's waiting for authorisation for some time. You meant 'grep -E ...' for sure, I get stat("/root/.synaptic/synaptic.conf", 0x7fff5d4b9aa0) = -1 EACCES (Permission denied) access("/var/cache/apt/", W_OK) = -1 EACCES (Permission denied) open("/var/lib/update-manager/meta-release-lts", O_WRONLY|O_CREAT|O_APPEND|O_CLOEXEC, 0666) = -1 EACCES (Permission denied) open("/var/lib/dpkg/lock", O_RDWR|O_CREAT|O_NOFOLLOW, 0640) = -1 EACCES (Permission denied) access("/var/cache/apt/", W_OK) = -1 EACCES (Permission denied) open("/var/lib/dpkg/lock", O_RDWR|O_CREAT|O_NOFOLLOW, 0640) = -1 EACCES (Permission denied) access("/var/cache/apt/", W_OK) = -1 EACCES (Permission denied) but also the following looks suspect because the name of the container is "celly" and the source of cloning is "nelly". socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 connect(3, {sa_family=AF_LOCAL, sun_path=@"/tmp/.X11-unix/X0"}, 20) = 0 getpeername(3, {sa_family=AF_LOCAL, sun_path=@"/tmp/.X11-unix/X0"}, [20]) = 0 -> uname({sys="Linux", node="celly", ...}) = 0 access("/home/gjaekel/.Xauthority", R_OK) = 0 open("/home/gjaekel/.Xauthority", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0600, st_size=250, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f81e051e000 -> read(4, "\1\0\0\5nelly\0\0011\0\22MIT-MAGIC-COOKIE-1"..., 4096) = 250 read(4, "", 4096) = 0 close(4) Might the problem based on the fact, that i simply just copy to much files? I take a snapshot of the rootfs from running system "nelly" using 'rsync -au ' ... greetings Guido -------------- next part -------------- A non-text attachment was scrubbed... Name: syslog.startup.bz2 Type: application/x-bzip Size: 2872 bytes Desc: not available URL: From serge.hallyn at ubuntu.com Mon Jan 12 20:41:38 2015 From: serge.hallyn at ubuntu.com (Serge Hallyn) Date: Mon, 12 Jan 2015 20:41:38 +0000 Subject: [lxc-devel] [PATCH 1/1] lxc-start-ephemeral: handle the overlayfs workdir option Message-ID: <20150112204138.GU10641@ubuntumail> We fixed this some time ago for basic lxc-start, but never did lxc-start-ephemeral. Since the lxc-start patches were pushed, Miklos has given us a way to detect whether we need the workdir= option. So the bdev.c code could be simplified to check for "overlay\n" in /proc/filesystems just as lxc-start-ephemeral does. This patch doesn't do that. Signed-off-by: Serge Hallyn --- src/lxc/lxc-start-ephemeral.in | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/src/lxc/lxc-start-ephemeral.in b/src/lxc/lxc-start-ephemeral.in index c999e74..bf3f121 100644 --- a/src/lxc/lxc-start-ephemeral.in +++ b/src/lxc/lxc-start-ephemeral.in @@ -219,6 +219,14 @@ for entry in args.cdir: dst_path = "%s/rootfs/%s" % (dest_path, src_path) overlay_dirs += [(src_path, dst_path)] +# do we have the new overlay fs which requires workdir, or the older +# overlayfs which does not? +have_new_overlay = False +with open("/proc/filesystems", "r") as fd: + for line in fd.readlines(): + if line == "nodev\toverlay\n": + have_new_overlay = True + # Generate pre-mount script with open(os.path.join(dest_path, "pre-mount"), "w+") as fd: os.fchmod(fd.fileno(), 0o755) @@ -231,16 +239,31 @@ LXC_NAME="%s" count = 0 for entry in overlay_dirs: target = "%s/delta%s" % (dest_path, count) + workdir = "%s/work%s" % (dest_path, count) fd.write("mkdir -p %s %s\n" % (target, entry[1])) + if have_new_overlay: + fd.write("mkdir -p %s\n" % workdir) if args.storage_type == "tmpfs": fd.write("mount -n -t tmpfs -o mode=0755 none %s\n" % (target)) + if have_new_overlay: + fd.write("mount -n -t tmpfs -o mode=0755 none %s\n" % (workdir)) fd.write("getfacl -a %s | setfacl --set-file=- %s || true\n" % (entry[0], target)) fd.write("getfacl -a %s | setfacl --set-file=- %s || true\n" % (entry[0], entry[1])) + if have_new_overlay: + fd.write("getfacl -a %s | setfacl --set-file=- %s || true\n" % (entry[0], workdir)) if args.union_type == "overlayfs": - fd.write("mount -n -t overlayfs" + if have_new_overlay: + fd.write("mount -n -t overlayfs" + " -oupperdir=%s,lowerdir=%s,workdir=%s none %s\n" % ( + target, + entry[0], + workdir, + entry[1])) + else: + fd.write("mount -n -t overlayfs" " -oupperdir=%s,lowerdir=%s none %s\n" % ( target, entry[0], -- 2.1.0 From stgraber at ubuntu.com Mon Jan 12 21:21:35 2015 From: stgraber at ubuntu.com (=?iso-8859-1?Q?St=E9phane?= Graber) Date: Mon, 12 Jan 2015 16:21:35 -0500 Subject: [lxc-devel] [PATCH 1/1] set close-all-fds by default In-Reply-To: <20150109163342.GA10183@ubuntumail> References: <20150109163342.GA10183@ubuntumail> Message-ID: <20150112212135.GE24962@dakara> On Fri, Jan 09, 2015 at 04:33:42PM +0000, Serge Hallyn wrote: > When containers request to be daemonized, close-all-fd is > set to true. But when we switched ot daemonize-by-default we didn't > set close-all-fd by default. > > Fix that. In order to do that we have to always have a lxc_conf > object. As a consequence, after this patch we can drop a bunch > of checks for c->lxc_conf existing. We should consider removing > those. This patch does not do that. > > This should close https://github.com/lxc/lxc/issues/354 > > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- > src/lxc/lxccontainer.c | 17 ++++++++++++----- > 1 file changed, 12 insertions(+), 5 deletions(-) > > diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c > index 406cead..878c483 100644 > --- a/src/lxc/lxccontainer.c > +++ b/src/lxc/lxccontainer.c > @@ -457,6 +457,14 @@ static bool lxcapi_load_config(struct lxc_container *c, const char *alt_file) > return ret; > } > > +static void do_set_daemonize(struct lxc_container *c, bool state) > +{ > + c->daemonize = state; > + /* daemonize implies close_all_fds so set it */ > + if (state) > + c->lxc_conf->close_all_fds = 1; > +} > + > static bool lxcapi_want_daemonize(struct lxc_container *c, bool state) > { > if (!c || !c->lxc_conf) > @@ -465,10 +473,7 @@ static bool lxcapi_want_daemonize(struct lxc_container *c, bool state) > ERROR("Error getting mem lock"); > return false; > } > - c->daemonize = state; > - /* daemonize implies close_all_fds so set it */ > - if (state == 1) > - c->lxc_conf->close_all_fds = 1; > + do_set_daemonize(c, state); > container_mem_unlock(c); > return true; > } > @@ -4098,7 +4103,9 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath > container_destroy(c); > lxcapi_clear_config(c); > } > - c->daemonize = true; > + if (!c->lxc_conf) > + c->lxc_conf = lxc_conf_init(); > + do_set_daemonize(c, true); > c->pidfile = NULL; > > // assign the member functions > -- > 2.1.0 > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From stgraber at ubuntu.com Mon Jan 12 21:22:02 2015 From: stgraber at ubuntu.com (=?iso-8859-1?Q?St=E9phane?= Graber) Date: Mon, 12 Jan 2015 16:22:02 -0500 Subject: [lxc-devel] [PATCH 1/1] Fix reversed args in mount call In-Reply-To: <20150109220028.GE10641@ubuntumail> References: <20150109220028.GE10641@ubuntumail> Message-ID: <20150112212202.GF24962@dakara> On Fri, Jan 09, 2015 at 10:00:28PM +0000, Serge Hallyn wrote: > Riya Khanna reported that with a ramfs rootfs the mount to make > / rprivate was returning -EFAULT. NULL was being passed as the > mount target. Pass "/" instead. > > Reported-by: riya khanna > > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- > src/lxc/conf.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 72181dd..9072002 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -1513,7 +1513,7 @@ int prepare_ramfs_root(char *root) > return -1; > } > > - if (mount(".", NULL, NULL, MS_REC | MS_PRIVATE, NULL)) { > + if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL)) { > SYSERROR("Failed to make . rprivate"); > return -1; > } > -- > 2.1.0 > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From stgraber at ubuntu.com Mon Jan 12 21:25:17 2015 From: stgraber at ubuntu.com (=?iso-8859-1?Q?St=E9phane?= Graber) Date: Mon, 12 Jan 2015 16:25:17 -0500 Subject: [lxc-devel] [PATCH 1/1] lxc-start-ephemeral: handle the overlayfs workdir option In-Reply-To: <20150112204138.GU10641@ubuntumail> References: <20150112204138.GU10641@ubuntumail> Message-ID: <20150112212517.GG24962@dakara> On Mon, Jan 12, 2015 at 08:41:38PM +0000, Serge Hallyn wrote: > We fixed this some time ago for basic lxc-start, but never did > lxc-start-ephemeral. > > Since the lxc-start patches were pushed, Miklos has given us a > way to detect whether we need the workdir= option. So the > bdev.c code could be simplified to check for "overlay\n" in > /proc/filesystems just as lxc-start-ephemeral does. This > patch doesn't do that. > > Signed-off-by: Serge Hallyn > --- > src/lxc/lxc-start-ephemeral.in | 25 ++++++++++++++++++++++++- > 1 file changed, 24 insertions(+), 1 deletion(-) > > diff --git a/src/lxc/lxc-start-ephemeral.in b/src/lxc/lxc-start-ephemeral.in > index c999e74..bf3f121 100644 > --- a/src/lxc/lxc-start-ephemeral.in > +++ b/src/lxc/lxc-start-ephemeral.in > @@ -219,6 +219,14 @@ for entry in args.cdir: > dst_path = "%s/rootfs/%s" % (dest_path, src_path) > overlay_dirs += [(src_path, dst_path)] > > +# do we have the new overlay fs which requires workdir, or the older > +# overlayfs which does not? > +have_new_overlay = False > +with open("/proc/filesystems", "r") as fd: > + for line in fd.readlines(): "for line in fd" should be less memory hungry than reading the whole file, splitting it and storing the result in a list. > + if line == "nodev\toverlay\n": > + have_new_overlay = True Does that mean that we should also be mounting it as "overlay" rather than "overlayfs"? > + > # Generate pre-mount script > with open(os.path.join(dest_path, "pre-mount"), "w+") as fd: > os.fchmod(fd.fileno(), 0o755) > @@ -231,16 +239,31 @@ LXC_NAME="%s" > count = 0 > for entry in overlay_dirs: > target = "%s/delta%s" % (dest_path, count) > + workdir = "%s/work%s" % (dest_path, count) > fd.write("mkdir -p %s %s\n" % (target, entry[1])) > + if have_new_overlay: > + fd.write("mkdir -p %s\n" % workdir) > > if args.storage_type == "tmpfs": > fd.write("mount -n -t tmpfs -o mode=0755 none %s\n" % (target)) > + if have_new_overlay: > + fd.write("mount -n -t tmpfs -o mode=0755 none %s\n" % (workdir)) > > fd.write("getfacl -a %s | setfacl --set-file=- %s || true\n" % (entry[0], target)) > fd.write("getfacl -a %s | setfacl --set-file=- %s || true\n" % (entry[0], entry[1])) > + if have_new_overlay: > + fd.write("getfacl -a %s | setfacl --set-file=- %s || true\n" % (entry[0], workdir)) > > if args.union_type == "overlayfs": > - fd.write("mount -n -t overlayfs" > + if have_new_overlay: > + fd.write("mount -n -t overlayfs" > + " -oupperdir=%s,lowerdir=%s,workdir=%s none %s\n" % ( > + target, > + entry[0], > + workdir, > + entry[1])) > + else: > + fd.write("mount -n -t overlayfs" > " -oupperdir=%s,lowerdir=%s none %s\n" % ( > target, > entry[0], > -- > 2.1.0 > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From stgraber at ubuntu.com Mon Jan 12 21:31:52 2015 From: stgraber at ubuntu.com (=?iso-8859-1?Q?St=E9phane?= Graber) Date: Mon, 12 Jan 2015 16:31:52 -0500 Subject: [lxc-devel] [PATCH 1/2] autodev: switch strategies (v2) In-Reply-To: <20150109213817.GC10641@ubuntumail> References: <20150109193614.GF10330@ubuntumail> <20150109202626.GB10641@ubuntumail> <20150109213817.GC10641@ubuntumail> Message-ID: <20150112213152.GH24962@dakara> On Fri, Jan 09, 2015 at 09:38:18PM +0000, Serge Hallyn wrote: > Do not keep container devs under /dev/.lxc. Instead, always > keep them in a small tmpfs mounted at $(mounted_root)/dev. > > The tmpfs is mounted in the container monitor's namespace. This > means that at every reboot it will get re-created. It seems to > me this better replicates what happens on a real host. > > If we want devices persisting across reboots, then perhaps we can > implement a $lxcpath/$name/keepdev directory containing devices to > bind into the container at each startup. > > Changelog (v2): don't bother with the $lxcpath/$name/rootfs.dev > directory, just mount the tmpfs straight into the container. > > Signed-off-by: Serge Hallyn > --- > src/lxc/conf.c | 318 ++++++-------------------------------------------------- > src/lxc/start.c | 1 - > 2 files changed, 31 insertions(+), 288 deletions(-) > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 72181dd..dad79ab 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -94,10 +94,7 @@ > > lxc_log_define(lxc_conf, lxc); > > -#define MAXHWLEN 18 > -#define MAXINDEXLEN 20 > -#define MAXMTULEN 16 > -#define MAXLINELEN 128 > +#define LINELEN 4096 > > #if HAVE_SYS_CAPABILITY_H > #ifndef CAP_SETFCAP > @@ -295,9 +292,6 @@ static struct caps_opt caps_opt[] = { > static struct caps_opt caps_opt[] = {}; > #endif > > -const char *dev_base_path = "/dev/.lxc"; > -const char *dev_user_path = "/dev/.lxc/user"; > - > static int run_buffer(char *buffer) > { > struct lxc_popen_FILE *f; > @@ -1092,247 +1086,55 @@ fail: > } > > /* > - * Check to see if a directory has something mounted on it and, > - * if it does, return the fstype. > - * > - * Code largely based on detect_shared_rootfs below > - * > - * Returns: # of matching entries in /proc/self/mounts > - * if != 0 fstype is filled with the last filesystem value. > - * if == 0 no matches found, fstype unchanged. > - * > - * ToDo: Maybe return the mount options in another parameter... > + * Just create a path for /dev under $lxcpath/$name and in rootfs > + * If we hit an error, log it but don't fail yet. > */ > - > -#define LINELEN 4096 > -#define MAX_FSTYPE_LEN 128 > -static int mount_check_fs( const char *dir, char *fstype ) > +static void create_devdir(const char *path) > { > - char buf[LINELEN], *p; > - struct stat s; > - FILE *f; > - int found_fs = 0; > - char *p2; > - > - DEBUG("entering mount_check_fs for %s", dir); > - > - if ( 0 != access(dir, F_OK) || 0 != stat(dir, &s) || 0 == S_ISDIR(s.st_mode) ) { > - return 0; > - } > - > - f = fopen("/proc/self/mounts", "r"); > - if (!f) > - return 0; > - while (fgets(buf, LINELEN, f)) { > - p = index(buf, ' '); > - if( !p ) > - continue; > - *p = '\0'; > - p2 = p + 1; > - > - p = index(p2, ' '); > - if( !p ) > - continue; > - *p = '\0'; > - > - /* Compare the directory in the entry to desired */ > - if( strcmp( p2, dir ) ) { > - continue; > - } > - > - p2 = p + 1; > - p = index( p2, ' '); > - if( !p ) > - continue; > - *p = '\0'; > - > - ++found_fs; > - > - if( fstype ) { > - strncpy( fstype, p2, MAX_FSTYPE_LEN - 1 ); > - fstype [ MAX_FSTYPE_LEN - 1 ] = '\0'; > - } > - } > - > - fclose(f); > - > - DEBUG("mount_check_fs returning %d last %s", found_fs, fstype); > - > - return found_fs; > -} > - > -/* > - * Locate a devtmpfs mount (should be on /dev) and create a container > - * subdirectory on it which we can then bind mount to the container > - * /dev instead of mounting a tmpfs there. > - * If we fail, return NULL. > - * Else return the pointer to the name buffer with the string to > - * the devtmpfs subdirectory. > - */ > - > -static char *mk_devtmpfs(const char *name, char *path, const char *lxcpath) > -{ > - int ret; > - struct stat s; > - char tmp_path[MAXPATHLEN]; > - char fstype[MAX_FSTYPE_LEN]; > - uint64_t hash; > - > - if ( 0 != access(dev_base_path, F_OK) || 0 != stat(dev_base_path, &s) || 0 == S_ISDIR(s.st_mode) ) { > - /* This is just making /dev/.lxc it better work or we're done */ > - ret = mkdir(dev_base_path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); > - if ( ret ) { > - SYSERROR( "Unable to create /dev/.lxc for autodev" ); > - return NULL; > - } > - } > - > - /* > - * Programmers notes: > - * We can not do mounts in this area of code that we want > - * to be visible in the host. Consequently, /dev/.lxc must > - * be set up earlier if we need a tmpfs mounted there. > - * That only affects the rare cases where autodev is enabled > - * for a container and devtmpfs is not mounted on /dev in the > - * host. In that case, we'll fall back to the old method > - * of mounting a tmpfs in the container and have no visibility > - * into the container /dev. > - */ > - if( ! mount_check_fs( "/dev", fstype ) > - || strcmp( "devtmpfs", fstype ) ) { > - /* Either /dev was not mounted or was not devtmpfs */ > - > - if ( ! mount_check_fs( "/dev/.lxc", NULL ) ) { > - /* > - * /dev/.lxc is not already mounted > - * Doing a mount here does no good, since > - * it's not visible in the host. > - */ > - > - ERROR("/dev/.lxc is not setup - taking fallback" ); > - return NULL; > - } > - } > - > - if ( 0 != access(dev_user_path, F_OK) || 0 != stat(dev_user_path, &s) || 0 == S_ISDIR(s.st_mode) ) { > - /* > - * This is making /dev/.lxc/user path for non-priv users. > - * If this doesn't work, we'll have to fall back in the > - * case of non-priv users. It's mode 1777 like /tmp. > - */ > - ret = mkdir(dev_user_path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); > - if ( ret ) { > - /* Issue an error but don't fail yet! */ > - ERROR("Unable to create /dev/.lxc/user"); > - } > - /* Umask tends to screw us up here */ > - chmod(dev_user_path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); > - } > - > - /* > - * Since the container name must be unique within a given > - * lxcpath, we're going to use a hash of the path > - * /lxcpath/name as our hash name in /dev/.lxc/ > - */ > - > - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s", lxcpath, name); > - if (ret < 0 || ret >= MAXPATHLEN) > - return NULL; > - > - hash = fnv_64a_buf(tmp_path, ret, FNV1A_64_INIT); > - > - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_base_path, name, hash); > - if (ret < 0 || ret >= MAXPATHLEN) > - return NULL; > - > - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { > - ret = mkdir(tmp_path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); > - if ( ret ) { > - /* Something must have failed with the dev_base_path... > - * Maybe unpriv user. Try dev_user_path now... */ > - INFO("Setup in /dev/.lxc failed. Trying /dev/.lxc/user." ); > - > - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_user_path, name, hash); > - if (ret < 0 || ret >= MAXPATHLEN) > - return NULL; > - > - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { > - ret = mkdir(tmp_path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); > - if ( ret ) { > - ERROR("Container /dev setup in host /dev failed - taking fallback" ); > - return NULL; > - } > - } > - } > - } > - > - strcpy( path, tmp_path ); > - return path; > + int ret = mkdir(path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); > + if (ret) /* Issue an error but don't fail yet! */ > + SYSERROR("Unable to create devpath %s", path); > + ret = chmod(path, S_IRWXU | S_IRWXG | S_IRWXO | S_ISVTX); > + if (ret) > + SYSERROR("Failed to chown devpath %s", path); > + INFO("Created %s", path); > } > > -/* > - * Do we want to add options for max size of /dev and a file to > - * specify which devices to create? > - */ > static int mount_autodev(const char *name, char *root, const char *lxcpath) > { > int ret; > - struct stat s; > - char path[MAXPATHLEN]; > - char host_path[MAXPATHLEN]; > - char devtmpfs_path[MAXPATHLEN]; > + size_t clen; > + char *path; > > INFO("Mounting /dev under %s", root); > > - ret = snprintf(host_path, MAXPATHLEN, "%s/%s/rootfs.dev", lxcpath, name); > - if (ret < 0 || ret > MAXPATHLEN) > - return -1; > + /* $(root) + "/dev/pts" + '\0' */ > + clen = strlen(root) + 9; > + path = alloca(clen); > > - ret = snprintf(path, MAXPATHLEN, "%s/dev", root); > - if (ret < 0 || ret > MAXPATHLEN) > + ret = snprintf(path, clen, "%s/dev", root); > + if (ret < 0 || ret >= clen) > return -1; > > - if (mk_devtmpfs( name, devtmpfs_path, lxcpath ) ) { > - /* > - * Get rid of old links and directoriess > - * This could be either a symlink and we remove it, > - * or an empty directory and we remove it, > - * or non-existent and we don't care, > - * or a non-empty directory, and we will then emit an error > - * but we will not fail out the process. > - */ > - unlink( host_path ); > - rmdir( host_path ); > - ret = symlink(devtmpfs_path, host_path); > - > - if ( ret < 0 ) { > - SYSERROR("WARNING: Failed to create symlink '%s'->'%s'", host_path, devtmpfs_path); > - } > - DEBUG("Bind mounting %s to %s", devtmpfs_path , path ); > - ret = mount(devtmpfs_path, path, NULL, MS_BIND, 0 ); > - } else { > - /* Only mount a tmpfs on here if we don't already a mount */ > - if ( ! mount_check_fs( host_path, NULL ) ) { > - DEBUG("Mounting tmpfs to %s", host_path ); > - ret = mount("none", path, "tmpfs", 0, "size=100000,mode=755"); > - } else { > - /* This allows someone to manually set up a mount */ > - DEBUG("Bind mounting %s to %s", host_path, path ); > - ret = mount(host_path , path, NULL, MS_BIND, 0 ); > - } > + /* Create $(mounted_rootfs/dev), and * mount a small tmpfs onto it */ > + if (!dir_exists(path)) > + create_devdir(path); So I'm not sure how others feel but I usually try to have LXC do as little changes to the rootfs as possible. Here, while I agree that /dev pretty much has to exist for any Linux system to make any kind of sense, I think I'd still prefer that we log a WARNING and skip autodev setup entirely in that case (so starting the container without /dev). > + if (0 != mount("none", path, "tmpfs", 0, "size=100000,mode=755")) { Nitpicking but can we be a bit consistent and have those tests the other way around? (mount... != 0) > + SYSERROR("Failed mounting tmpfs onto %s\n", path); > + return false; > } > - if (ret) { > - SYSERROR("Failed to mount /dev at %s", root); > - return -1; > - } > - ret = snprintf(path, MAXPATHLEN, "%s/dev/pts", root); > - if (ret < 0 || ret >= MAXPATHLEN) > + > + INFO("Mounted tmpfs onto %s", path); > + > + ret = snprintf(path, clen, "%s/dev/pts", root); > + if (ret < 0 || ret >= clen) > return -1; > + > /* > * If we are running on a devtmpfs mapping, dev/pts may already exist. > * If not, then create it and exit if that fails... > */ > - if ( 0 != access(path, F_OK) || 0 != stat(path, &s) || 0 == S_ISDIR(s.st_mode) ) { > + if (!dir_exists(path)) { > ret = mkdir(path, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); > if (ret) { > SYSERROR("Failed to create /dev/pts in container"); > @@ -1395,64 +1197,6 @@ static int setup_autodev(const char *root) > return 0; > } > > -/* > - * Locate allocated devtmpfs mount and purge it. > - * path lookup mostly taken from mk_devtmpfs > - */ > -int lxc_delete_autodev(struct lxc_handler *handler) > -{ > - int ret; > - struct stat s; > - struct lxc_conf *lxc_conf = handler->conf; > - const char *name = handler->name; > - const char *lxcpath = handler->lxcpath; > - char tmp_path[MAXPATHLEN]; > - uint64_t hash; > - > - if ( lxc_conf->autodev <= 0 ) > - return 0; > - > - /* don't clean on reboot */ > - if ( lxc_conf->reboot == 1 ) > - return 0; > - > - /* > - * Use the same logic as mk_devtmpfs to compute candidate > - * path for cleanup. > - */ > - > - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s", lxcpath, name); > - if (ret < 0 || ret >= MAXPATHLEN) > - return -1; > - > - hash = fnv_64a_buf(tmp_path, ret, FNV1A_64_INIT); > - > - /* Probe /dev/.lxc/. */ > - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_base_path, name, hash); > - if (ret < 0 || ret >= MAXPATHLEN) > - return -1; > - > - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { > - /* Probe /dev/.lxc/user/. */ > - ret = snprintf(tmp_path, MAXPATHLEN, "%s/%s.%016" PRIx64, dev_user_path, name, hash); > - if (ret < 0 || ret >= MAXPATHLEN) > - return -1; > - > - if ( 0 != access(tmp_path, F_OK) || 0 != stat(tmp_path, &s) || 0 == S_ISDIR(s.st_mode) ) { > - WARN("Failed to locate autodev /dev/.lxc and /dev/.lxc/user." ); > - return -1; > - } > - } > - > - /* Do the cleanup */ > - INFO("Cleaning %s", tmp_path ); > - if ( 0 != lxc_rmdir_onedev(tmp_path, NULL) ) { > - ERROR("Failed to cleanup autodev" ); > - } > - > - return 0; > -} > - > static int setup_rootfs(struct lxc_conf *conf) > { > const struct lxc_rootfs *rootfs = &conf->rootfs; > diff --git a/src/lxc/start.c b/src/lxc/start.c > index cd78665..98905a3 100644 > --- a/src/lxc/start.c > +++ b/src/lxc/start.c > @@ -477,7 +477,6 @@ void lxc_fini(const char *name, struct lxc_handler *handler) > > lxc_console_delete(&handler->conf->console); > lxc_delete_tty(&handler->conf->tty_info); > - lxc_delete_autodev(handler); > close(handler->conf->maincmd_fd); > handler->conf->maincmd_fd = -1; > free(handler->name); > -- > 2.1.0 > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From stgraber at ubuntu.com Mon Jan 12 21:33:43 2015 From: stgraber at ubuntu.com (=?iso-8859-1?Q?St=E9phane?= Graber) Date: Mon, 12 Jan 2015 16:33:43 -0500 Subject: [lxc-devel] [PATCH 2/2] fill_autodev: bind-mount if mknod fails In-Reply-To: <20150109193836.GA10641@ubuntumail> References: <20150109193614.GF10330@ubuntumail> <20150109193836.GA10641@ubuntumail> Message-ID: <20150112213343.GI24962@dakara> On Fri, Jan 09, 2015 at 07:38:36PM +0000, Serge Hallyn wrote: > First, rename setup_autodev to fill_autodev, since all it > does is populate it, not fully set it up. > > Secondly, if mknod of a device fails, then try bind-mounting > it from the host rather than failing immediately. > > Note that this isn't an urgent patch because the common.userns > configuration hook already specifies bind,create=file mount > entries for all the devices we would want. > > Signed-off-by: Serge Hallyn Acked-by: Stéphane Graber > --- > src/lxc/conf.c | 25 +++++++++++++++++++++---- > 1 file changed, 21 insertions(+), 4 deletions(-) > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > index 822f08d..665631b 100644 > --- a/src/lxc/conf.c > +++ b/src/lxc/conf.c > @@ -1197,7 +1197,7 @@ static const struct lxc_devs lxc_devs[] = { > { "console", S_IFCHR | S_IRUSR | S_IWUSR, 5, 1 }, > }; > > -static int setup_autodev(const char *root) > +static int fill_autodev(const char *root) > { > int ret; > char path[MAXPATHLEN]; > @@ -1221,8 +1221,25 @@ static int setup_autodev(const char *root) > return -1; > ret = mknod(path, d->mode, makedev(d->maj, d->min)); > if (ret && errno != EEXIST) { > - SYSERROR("Error creating %s", d->name); > - return -1; > + char hostpath[MAXPATHLEN]; > + FILE *pathfile; > + > + // Unprivileged containers cannot create devices, so > + // bind mount the device from the host > + ret = snprintf(hostpath, MAXPATHLEN, "/dev/%s", d->name); > + if (ret < 0 || ret >= MAXPATHLEN) > + return -1; > + pathfile = fopen(path, "wb"); > + if (!pathfile) { > + SYSERROR("Failed to create device mount target '%s'", path); > + return -1; > + } > + fclose(pathfile); > + if (mount(hostpath, path, 0, MS_BIND, NULL) != 0) { > + SYSERROR("Failed bind mounting device %s from host into container", > + d->name); > + return -1; > + } > } > } > umask(cmask); > @@ -3889,7 +3906,7 @@ int lxc_setup(struct lxc_handler *handler) > ERROR("failed to run autodev hooks for container '%s'.", name); > return -1; > } > - if (setup_autodev(lxc_conf->rootfs.mount)) { > + if (fill_autodev(lxc_conf->rootfs.mount)) { > ERROR("failed to populate /dev in the container"); > return -1; > } > -- > 2.1.0 > > _______________________________________________ > lxc-devel mailing list > lxc-devel at lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: Digital signature URL: From noreply at github.com Mon Jan 12 22:17:57 2015 From: noreply at github.com (GitHub) Date: Mon, 12 Jan 2015 14:17:57 -0800 Subject: [lxc-devel] [lxc/lxc] 1f7645: set close-all-fds by default Message-ID: <54b44815c53e_46c33fb03ced72a09228d@hookshot-fe6-cp1-prd.iad.github.net.mail> Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 1f76453a74f555e30384591567d87b5b4dac7e21 https://github.com/lxc/lxc/commit/1f76453a74f555e30384591567d87b5b4dac7e21 Author: Serge Hallyn Date: 2015-01-12 (Mon, 12 Jan 2015) Changed paths: M src/lxc/lxccontainer.c Log Message: ----------- set close-all-fds by default When containers request to be daemonized, close-all-fd is set to true. But when we switched ot daemonize-by-default we didn't set close-all-fd by default. Fix that. In order to do that we have to always have a lxc_conf object. As a consequence, after this patch we can drop a bunch of checks for c->lxc_conf existing. We should consider removing those. This patch does not do that. This should close https://github.com/lxc/lxc/issues/354 Signed-off-by: Serge Hallyn