[lxc-devel] [lxc/lxc] 40962b: c/r: rework external mountpoint handling v4

GitHub noreply at github.com
Wed Apr 22 16:39:29 UTC 2015


  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 40962b642d24f476e5ff59d97ba64cf5730ceb28
      https://github.com/lxc/lxc/commit/40962b642d24f476e5ff59d97ba64cf5730ceb28
  Author: Tycho Andersen <tycho.andersen at canonical.com>
  Date:   2015-04-22 (Wed, 22 Apr 2015)

  Changed paths:
    M src/lxc/lxccontainer.c

  Log Message:
  -----------
  c/r: rework external mountpoint handling v4

CRIU now supports autodetection of external mounts via the --ext-mount-map auto
--enable-external-sharing --enable-external-masters options, so we don't need
to explicitly pass the cgmanager mount or any of the mounts from the config.
This also means that lxcfs mounts (since they are bind mounts from outside the
container) are autodetected, meaning that c/r of containers using lxcfs works.

A further advantage of this patch is that it addresses some of the ugliness
that was in the exec_criu() function. There are other criu options that will
allow us to trim this even further, though.

Finally, with --enable-external-masters, criu understands slave mounts in the
container with shared mounts in the peer group that are outside the namespace.
This allows containers on a systemd host to be dumped and restored correctly.

However, these options have just landed in criu trunk today, and the next
tagged release will be 1.6 on June 1, so we should avoid merging this into any
stable releases until then.

v2: remount / as private before bind mounting the container's directory for
    criu. The problem here is that if / is mounted as shared, even if we
    unshare() the /var/lib/lxc/rootfs mountpoint propagates outside of our
    mount namespace, which is bad, since we don't want to leak mounts. In
    particular, this leak confuses criu the second time it goes to checkpoint
    the container.

v3: whoops, we really want / as MS_SLAVE | MS_REC here, to match what start
    does

v4: rebase onto master for revert of logging patch

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
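Added example in C, not code from these lxc commits: it parses the propagation fields of /proc/self/mountinfo to show whether / sits in a shared peer group (the condition under which the v2 note says the rootfs bind mount leaked out of the mount namespace), and `isolate_mount_ns()` applies the unshare plus MS_SLAVE | MS_REC remount of / that the v3 note describes. The function and variable names are my own, the isolate step needs CAP_SYS_ADMIN, and the mountinfo lines used to check the parser are constructed.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Parse one /proc/self/mountinfo line: copy field 5 (mount point) into mntpt
 * and return "shared", "slave" or "private" from the optional fields before
 * the " - " separator (unbindable mounts report as "private" here). */
const char *parse_mountinfo_line(const char *line, char *mntpt, size_t len)
{
    char buf[4096], *save = NULL;
    int field = 0, shared = 0, master = 0;
    snprintf(buf, sizeof buf, "%s", line);
    if (len) mntpt[0] = '\0';
    for (char *tok = strtok_r(buf, " \n", &save); tok; tok = strtok_r(NULL, " \n", &save)) {
        if (++field == 5 && len) snprintf(mntpt, len, "%s", tok);
        if (field <= 6) continue;                     /* fixed fields 1-6 */
        if (!strcmp(tok, "-")) break;                 /* end of optional fields */
        if (!strncmp(tok, "shared:", 7)) shared = 1;  /* member of a peer group */
        if (!strncmp(tok, "master:", 7)) master = 1;  /* receives from a master */
    }
    return shared ? "shared" : master ? "slave" : "private";
}

/* v3 fix: new mount namespace, then "/" recursively slave so later bind mounts
 * cannot propagate back to the host. Needs CAP_SYS_ADMIN; 0 on success. */
int isolate_mount_ns(void)
{
    if (unshare(CLONE_NEWNS) < 0) return -1;
    return mount("", "/", NULL, MS_SLAVE | MS_REC, NULL);
}

int main(void)
{
    char line[4096], mntpt[4096];
    FILE *f = fopen("/proc/self/mountinfo", "r");   /* live check of this namespace */
    if (!f) { perror("mountinfo"); return 1; }
    while (fgets(line, sizeof line, f)) {
        const char *prop = parse_mountinfo_line(line, mntpt, sizeof mntpt);
        if (!strcmp(prop, "shared"))                  /* a bind mount here would leak */
            printf("%s is shared%s\n", mntpt, strcmp(mntpt, "/") ? "" : " (root: leak case)");
    }
    fclose(f);
    if (geteuid() == 0 && isolate_mount_ns() < 0) perror("isolate_mount_ns");
    return 0;
}
```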


  Commit: cba98d127bf490b018a016b792ae05fd2d29c5ee
      https://github.com/lxc/lxc/commit/cba98d127bf490b018a016b792ae05fd2d29c5ee
  Author: Tycho Andersen <tycho.andersen at canonical.com>
  Date:   2015-04-22 (Wed, 22 Apr 2015)

  Changed paths:
    M src/lxc/Makefile.am
    R src/lxc/lxc-restore-net
    M src/lxc/lxccontainer.c

  Log Message:
  -----------
  c/r: use criu option instead of lxc-restore-net

As of criu 1.5, the --veth-pair argument supports an additional parameter that
is the bridge name to attach to. This enables us to get rid of the goofy
action-script hack that passed bridge names as environment variables.

This patch is on top of the systemd/lxcfs mount rework patch, as we probably
want to wait to use 1.5 options until it has been out for a while and is in
distros.

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: e29fe1dd21a58d1deddb3ca3bf3eaf260c525b10
      https://github.com/lxc/lxc/commit/e29fe1dd21a58d1deddb3ca3bf3eaf260c525b10
  Author: Tycho Andersen <tycho.andersen at canonical.com>
  Date:   2015-04-22 (Wed, 22 Apr 2015)

  Changed paths:
    M src/lxc/Makefile.am
    A src/lxc/criu.c
    A src/lxc/criu.h
    M src/lxc/lxccontainer.c

  Log Message:
  -----------
  c/r: move criu code to its own file

Trying to cage the beast that is lxccontainer.c.

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: 8ba5ced736c4e4ca36e3f5fd36614c2682bdc9ba
      https://github.com/lxc/lxc/commit/8ba5ced736c4e4ca36e3f5fd36614c2682bdc9ba
  Author: Tycho Andersen <tycho.andersen at canonical.com>
  Date:   2015-04-22 (Wed, 22 Apr 2015)

  Changed paths:
    M src/lxc/criu.c

  Log Message:
  -----------
  c/r: check version of criu

Note that we allow both a tagged version or a git build that has sufficient
patches for the features we require.

v2: close criu's stderr too

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: dd62857af3f7a267f14bf5769560daea6c3e8dec
      https://github.com/lxc/lxc/commit/dd62857af3f7a267f14bf5769560daea6c3e8dec
  Author: Tycho Andersen <tycho.andersen at canonical.com>
  Date:   2015-04-22 (Wed, 22 Apr 2015)

  Changed paths:
    M src/lxc/criu.c

  Log Message:
  -----------
  c/r: enable hugetlbfs in criu

In vivid containers hugetlbfs is mounted, but it is not one of the hardcoded
fses in criu, so we need to tell criu that it is okay to automount it.

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: 507cee3618237d3776441c882be57429795fee08
      https://github.com/lxc/lxc/commit/507cee3618237d3776441c882be57429795fee08
  Author: Tycho Andersen <tycho.andersen at canonical.com>
  Date:   2015-04-22 (Wed, 22 Apr 2015)

  Changed paths:
    M src/lxc/execute.c
    M src/lxc/lxc.h
    M src/lxc/lxc_execute.c
    M src/lxc/lxccontainer.c
    M src/lxc/start.c
    M src/lxc/start.h

  Log Message:
  -----------
  c/r: re-open fds after clone()

If we don't re-open these after clone, the init process has a pointer to the
parent's /dev/{zero,null}. CRIU sees these and wants to dump the parent's
mount namespace, which is unnecessary. Instead, we should just re-open
stdin/out/err after we do the clone and pivot root, to ensure that we have
pointers to the devices in init's rootfs instead of the host's.

v2: Only close fds if the container was daemonized. This didn't turn out as
    nicely as described on the list because lxc_start() doesn't actually have
    the struct lxc_container, so it can't see the flag. Instead, we just pass it
    down everywhere.

Signed-off-by: Tycho Andersen <tycho.andersen at canonical.com>
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>


  Commit: ed52814c776963efdcc9dcda1ec26fc09930ef93
      https://github.com/lxc/lxc/commit/ed52814c776963efdcc9dcda1ec26fc09930ef93
  Author: Bogdan Purcareata <bogdan.purcareata at freescale.com>
  Date:   2015-04-22 (Wed, 22 Apr 2015)

  Changed paths:
    M templates/lxc-busybox.in

  Log Message:
  -----------
  lxc-busybox: add OpenSSH support

Add an additional template parameter for SSH support in the container. Currently
this can be implemented using the Dropbear or OpenSSH utility. The respective
tool needs to be available on the host Linux.

If the parameter is omitted, the template will look for the Dropbear utility on
the host and install it if it is available (legacy behavior).

Adding OpenSSH support has been done following the model in the lxc-sshd
template.

Signed-off-by: Bogdan Purcareata <bogdan.purcareata at freescale.com>
Acked-by: Stéphane Graber <stgraber at ubuntu.com>


Compare: https://github.com/lxc/lxc/compare/a16f71a1d10b...ed52814c7769