[lxc-devel] [lxd/master] Bugfixes
stgraber on Github
lxc-bot at linuxcontainers.org
Tue Oct 11 20:14:25 UTC 2016
From 92baf6949134bf1ca66c2cd30f77fdee24662e0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 11 Oct 2016 15:40:59 -0400
Subject: [PATCH 1/4] Fix wording of seccomp error message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/container.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lxd/container.go b/lxd/container.go
index 72849ae..6e0150c 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -54,7 +54,7 @@ func containerValidConfigKey(d *Daemon, key string, value string) error {
return nil
}
}
- return fmt.Errorf("security.syscalls.blacklist_compat is only valid on x86_64")
+ return fmt.Errorf("security.syscalls.blacklist_compat isn't supported on this architecture")
}
return nil
}
From 0500eab878f4e6c0585a3001d4f506f986a739c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 11 Oct 2016 15:48:24 -0400
Subject: [PATCH 2/4] Properly validate memory limits
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes #2483
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
shared/container.go | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/shared/container.go b/shared/container.go
index cf558db..4a21a5d 100644
--- a/shared/container.go
+++ b/shared/container.go
@@ -232,7 +232,27 @@ var KnownContainerConfigKeys = map[string]func(value string) error{
"limits.disk.priority": IsPriority,
- "limits.memory": IsAny,
+ "limits.memory": func(value string) error {
+ if value == "" {
+ return nil
+ }
+
+ if strings.HasSuffix(value, "%") {
+ _, err := strconv.ParseInt(strings.TrimSuffix(value, "%"), 10, 64)
+ if err != nil {
+ return err
+ }
+
+ return nil
+ }
+
+ _, err := ParseByteSizeString(value)
+ if err != nil {
+ return err
+ }
+
+ return nil
+ },
"limits.memory.enforce": func(value string) error {
return IsOneOf(value, []string{"soft", "hard"})
},
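Review bot: The percentage branch of the new `limits.memory` validator only checks that the text before `%` parses as an integer, so a value such as `-5%` passes validation. Keeping the parsed number, `percent, err := strconv.ParseInt(strings.TrimSuffix(value, "%"), 10, 64)`, and adding `if percent < 0 { return fmt.Errorf("Invalid memory percentage: %s", value) }` would reject it when the config is set. Whether an upper bound of 100 should also apply depends on the code that consumes the limit, which is not in this hunk. The percentage branch of `limits.cpu.allowance` in patch 3/4 has the same gap. The `KnownContainerConfigKeys` map literal starts and ends outside the hunk.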
From 3bde850596f6c1cf5ff54f6c795f3690bc4beebc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 11 Oct 2016 15:56:46 -0400
Subject: [PATCH 3/4] Properly validate CPU allowance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
shared/container.go | 38 +++++++++++++++++++++++++++++++++++---
1 file changed, 35 insertions(+), 3 deletions(-)
diff --git a/shared/container.go b/shared/container.go
index 4a21a5d..1e5964c 100644
--- a/shared/container.go
+++ b/shared/container.go
@@ -226,9 +226,41 @@ var KnownContainerConfigKeys = map[string]func(value string) error{
"boot.autostart.priority": IsInt64,
"boot.host_shutdown_timeout": IsInt64,
- "limits.cpu": IsAny,
- "limits.cpu.allowance": IsAny,
- "limits.cpu.priority": IsPriority,
+ "limits.cpu": IsAny,
+ "limits.cpu.allowance": func(value string) error {
+ if value == "" {
+ return nil
+ }
+
+ if strings.HasSuffix(value, "%") {
+ // Percentage based allocation
+ _, err := strconv.Atoi(strings.TrimSuffix(value, "%"))
+ if err != nil {
+ return err
+ }
+
+ return nil
+ }
+
+ // Time based allocation
+ fields := strings.SplitN(value, "/", 2)
+ if len(fields) != 2 {
+ return fmt.Errorf("Invalid allowance: %s", value)
+ }
+
+ _, err := strconv.Atoi(strings.TrimSuffix(fields[0], "ms"))
+ if err != nil {
+ return err
+ }
+
+ _, err = strconv.Atoi(strings.TrimSuffix(fields[1], "ms"))
+ if err != nil {
+ return err
+ }
+
+ return nil
+ },
+ "limits.cpu.priority": IsPriority,
"limits.disk.priority": IsPriority,
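Review bot: In the time-based branch of `limits.cpu.allowance`, both fields go through `strconv.Atoi` with the result discarded, so `-10ms/100ms` and `10ms/0ms` pass validation. A negative quota or a zero period is unlikely to be meaningful to the code that applies the allowance, which is not shown here. Capturing the values (`quota, err := ...` and `period, err := ...`) and adding `if quota <= 0 || period <= 0 { return fmt.Errorf("Invalid allowance: %s", value) }` before the final `return nil` would close that. Because `strings.TrimSuffix` makes the `ms` unit optional, `10/100` is accepted as well; if that is intended, a short comment saying so would help the next reader.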
From 84910fd8907e88f51fba723dae6f5f2e7135f53f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Tue, 11 Oct 2016 16:11:46 -0400
Subject: [PATCH 4/4] Improve config validation on update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Run through initLXC as an extra validation step to prevent us getting in
a weird state where the config was committed to DB but LXD can't read it.
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
lxd/container_lxc.go | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 7d09e06..e67eacc 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -2451,6 +2451,7 @@ func (c *containerLXC) Update(args containerArgs, userRequested bool) error {
c.localConfig = oldLocalConfig
c.localDevices = oldLocalDevices
c.profiles = oldProfiles
+ c.c = nil
c.initLXC()
deviceTaskSchedulerTrigger("container", c.name, "changed")
}
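Review bot: In the rollback path the result of `c.initLXC()` is still discarded, and with the added `c.c = nil` a failed re-init presumably leaves the container without a usable go-lxc handle, with nothing recorded about why. Since this code only runs when an update is already being undone, the error cannot be returned, but it should at least be logged, e.g. `if err := c.initLXC(); err != nil { /* log the rollback failure with c.name */ }`. The closure and the rest of Update lie outside the hunk, so how callers behave afterwards is not visible here.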
@@ -2507,6 +2508,13 @@ func (c *containerLXC) Update(args containerArgs, userRequested bool) error {
return err
}
+ // Run through initLXC to catch anything we missed
+ c.c = nil
+ err = c.initLXC()
+ if err != nil {
+ return err
+ }
+
// If apparmor changed, re-validate the apparmor profile
for _, key := range changedConfig {
if key == "raw.apparmor" || key == "security.nesting" {
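Review bot: The `c.c = nil` reset in the new validation step carries no explanation, while the block this commit removes near the end of Update documented it as invalidating the go-lxc cache. Keeping that wording here, e.g. `// Invalidate the go-lxc cache so initLXC rebuilds it from the new config`, would make clear why the assignment is needed before the call. With the re-init moved ahead of the remaining update steps, it is also worth confirming that nothing later in Update changes state that initLXC reads, because the handle is no longer rebuilt just before `undoChanges = false`. Update begins and ends outside the hunk.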
@@ -2940,14 +2948,6 @@ func (c *containerLXC) Update(args containerArgs, userRequested bool) error {
networkUpdateStatic(c.daemon)
}
- // Invalidate the go-lxc cache
- c.c = nil
-
- err = c.initLXC()
- if err != nil {
- return err
- }
-
// Success, update the closure to mark that the changes should be kept.
undoChanges = false