[lxc-devel] [lxc/master] bugfixes + improvements
brauner on Github
lxc-bot at linuxcontainers.org
Sun Apr 15 20:44:10 UTC 2018
From d648e178f1b3fa9f261b890157d2ee6e9e5e14fa Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Sun, 15 Apr 2018 22:12:51 +0200
Subject: [PATCH 1/3] seccomp: cleanup compat architecture handling
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 60118852d..6a4f474c8 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -789,24 +789,36 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
}
}
+ INFO("Merging compat seccomp contexts into main context");
if (compat_ctx[0]) {
- INFO("Merging compat seccomp contexts into main context");
- if (compat_arch[0] != native_arch && compat_arch[0] != seccomp_arch_native()) {
+ if ((compat_arch[0] != native_arch) &&
+ (compat_arch[0] != seccomp_arch_native())) {
ret = seccomp_merge(conf->seccomp_ctx, compat_ctx[0]);
if (ret < 0) {
- ERROR("Failed to merge first compat seccomp context into main context");
+ ERROR("Failed to merge first compat seccomp "
+ "context into main context");
goto bad;
}
TRACE("Merged first compat seccomp context into main context");
+ } else {
+ seccomp_release(compat_ctx[0]);
+ compat_ctx[0] = NULL;
}
+ }
- if (compat_arch[1] && compat_arch[1] != native_arch && compat_arch[1] != seccomp_arch_native()) {
+ if (compat_ctx[1]) {
+ if ((compat_arch[1] != native_arch) &&
+ (compat_arch[1] != seccomp_arch_native())) {
ret = seccomp_merge(conf->seccomp_ctx, compat_ctx[1]);
if (ret < 0) {
- ERROR("Failed to merge first compat seccomp context into main context");
+ ERROR("Failed to merge first compat seccomp "
+ "context into main context");
goto bad;
}
TRACE("Merged second compat seccomp context into main context");
+ } else {
+ seccomp_release(compat_ctx[1]);
+ compat_ctx[1] = NULL;
}
}
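Review bot: The ERROR on the second compat branch still says "first" — the message emitted when seccomp_merge of compat_ctx[1] fails reads "Failed to merge first compat seccomp context into main context", while the TRACE right below it says "second". Change it to `ERROR("Failed to merge second compat seccomp context into main context");`. Since this is a seccomp filter construction failure that aborts container start, an operator chasing it would be pointed at the wrong compat architecture. parse_config_v2 starts and ends outside the hunk, so whether the `bad:` path releases the compat contexts that are not released in this branch cannot be checked here.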
From 94d56054143a8634852989819acee06bf4aaf9f9 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Sun, 15 Apr 2018 22:39:07 +0200
Subject: [PATCH 2/3] seccomp: improve logging
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/seccomp.c | 48 ++++++++++++++++++++++++++++++------------------
1 file changed, 30 insertions(+), 18 deletions(-)
diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index 6a4f474c8..084419772 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -759,33 +759,45 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf)
if (cur_rule_arch == native_arch ||
cur_rule_arch == lxc_seccomp_arch_native ||
compat_arch[0] == SCMP_ARCH_NATIVE) {
- INFO("Adding native rule for %s action %d(%s)", line, rule.action,
- get_action_name(rule.action));
if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, &rule))
goto bad_rule;
- }
- else if (cur_rule_arch != lxc_seccomp_arch_all) {
- int arch_index =
- cur_rule_arch == lxc_seccomp_arch_mips64n32 ||
- cur_rule_arch == lxc_seccomp_arch_mipsel64n32 ? 1 : 0;
-
- INFO("Adding compat-only rule for %s action %d(%s)", line, rule.action,
+ INFO("Added native rule for arch %d for %s action %d(%s)",
+ SCMP_ARCH_NATIVE, line, rule.action,
get_action_name(rule.action));
+ } else if (cur_rule_arch != lxc_seccomp_arch_all) {
+ int arch_index = 0;
+
+ if ((cur_rule_arch == lxc_seccomp_arch_mips64n32) ||
+ (cur_rule_arch == lxc_seccomp_arch_mipsel64n32))
+ arch_index = 1;
+
if (!do_resolve_add_rule(compat_arch[arch_index], line, compat_ctx[arch_index], &rule))
goto bad_rule;
- }
- else {
- INFO("Adding native rule for %s action %d(%s)", line, rule.action,
+ INFO("Added compat-only rule for arch %d for %s action %d(%s)",
+ compat_arch[arch_index], line, rule.action,
get_action_name(rule.action));
+ } else {
if (!do_resolve_add_rule(SCMP_ARCH_NATIVE, line, conf->seccomp_ctx, &rule))
goto bad_rule;
- INFO("Adding compat rule for %s action %d(%s)", line, rule.action,
+ INFO("Added native rule for arch %d for %s action %d(%s)",
+ SCMP_ARCH_NATIVE, line, rule.action,
get_action_name(rule.action));
- if (!do_resolve_add_rule(compat_arch[0], line, compat_ctx[0], &rule))
- goto bad_rule;
- if (compat_arch[1] != SCMP_ARCH_NATIVE &&
- !do_resolve_add_rule(compat_arch[1], line, compat_ctx[1], &rule))
- goto bad_rule;
+
+ if (compat_arch[0] != SCMP_ARCH_NATIVE) {
+ if (!do_resolve_add_rule(compat_arch[0], line, compat_ctx[0], &rule))
+ goto bad_rule;
+ INFO("Added compat rule for arch %d for %s "
+ "action %d(%s)", compat_arch[0], line,
+ rule.action, get_action_name(rule.action));
+ }
+
+ if (compat_arch[1] != SCMP_ARCH_NATIVE) {
+ if (!do_resolve_add_rule(compat_arch[1], line, compat_ctx[1], &rule))
+ goto bad_rule;
+ INFO("Added compat rule for arch %d for %s "
+ "action %d(%s)", compat_arch[1], line,
+ rule.action, get_action_name(rule.action));
+ }
}
}
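Review bot: The four new INFO calls print the seccomp architecture token with `%d` (the `SCMP_ARCH_NATIVE` and `compat_arch[...]` arguments); libseccomp arch tokens are uint32_t AUDIT_ARCH_* values, and the 64-bit ones have the top bit set, so `%d` is a signed/unsigned format mismatch and such tokens will be logged as negative numbers, which defeats the purpose of logging which filter a rule landed in. Use `%u` or, matching how the AUDIT_ARCH constants are written, `%#x`, e.g. `INFO("Added native rule for arch %#x for %s action %d(%s)", SCMP_ARCH_NATIVE, line, rule.action, get_action_name(rule.action));` and the same in the other three. The declared type of compat_arch is not visible in this hunk, so confirm it is uint32_t before switching the specifier. parse_config_v2 begins and ends outside the hunk.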
From 4160ef02e5bbabbf4f3d0ab002aa8afba4f680a1 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Sun, 15 Apr 2018 22:42:43 +0200
Subject: [PATCH 3/3] tools: document -d/--daemonize for lxc-execute
Closes #2280.
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
doc/lxc-execute.sgml.in | 15 +++++++++++++++
src/lxc/tools/lxc_execute.c | 1 +
2 files changed, 16 insertions(+)
diff --git a/doc/lxc-execute.sgml.in b/doc/lxc-execute.sgml.in
index 4ec7c1b94..20814348d 100644
--- a/doc/lxc-execute.sgml.in
+++ b/doc/lxc-execute.sgml.in
@@ -50,6 +50,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
<cmdsynopsis>
<command>lxc-execute</command>
<arg choice="req">-n <replaceable>name</replaceable></arg>
+ <arg choice="opt">-d</arg>
<arg choice="opt">-f <replaceable>config_file</replaceable></arg>
<arg choice="opt">-s KEY=VAL</arg>
<arg choice="opt">-- <replaceable>command</replaceable></arg>
@@ -124,6 +125,20 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>-d, --daemon</option>
+ </term>
+ <listitem>
+ <para>
+ Run the container as a daemon. As the container has no
+ more tty, if an error occurs nothing will be displayed,
+ the log file can be used to check the error.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--</option></term>
<listitem>
diff --git a/src/lxc/tools/lxc_execute.c b/src/lxc/tools/lxc_execute.c
index 5291dd7a3..5c03b498b 100644
--- a/src/lxc/tools/lxc_execute.c
+++ b/src/lxc/tools/lxc_execute.c
@@ -104,6 +104,7 @@ and execs COMMAND into this container.\n\
\n\
Options :\n\
-n, --name=NAME NAME of the container\n\
+ -d, --daemon Daemonize the container\n\
-f, --rcfile=FILE Load configuration file FILE\n\
-s, --define KEY=VAL Assign VAL to configuration variable KEY\n\
-u, --uid=UID Execute COMMAND with UID inside the container\n\