[lxc-devel] [lxc/master] fixes
brauner on Github
lxc-bot at linuxcontainers.org
Thu Mar 5 09:04:41 UTC 2020
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 364 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20200305/8309df6b/attachment-0001.bin>
-------------- next part --------------
From 55171a21aff5db21b5307b4732739e05bff82eb8 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Wed, 4 Mar 2020 15:21:18 +0100
Subject: [PATCH 1/2] af_unix: cleanup
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
src/lxc/af_unix.c | 124 +++++++++++++++++-----------------------------
1 file changed, 46 insertions(+), 78 deletions(-)
diff --git a/src/lxc/af_unix.c b/src/lxc/af_unix.c
index 7f8c88b1a2..12fb1679d3 100644
--- a/src/lxc/af_unix.c
+++ b/src/lxc/af_unix.c
@@ -16,6 +16,7 @@
#include "config.h"
#include "log.h"
+#include "macro.h"
#include "memory_utils.h"
#include "raw_syscalls.h"
#include "utils.h"
@@ -27,14 +28,12 @@
lxc_log_define(af_unix, lxc);
static ssize_t lxc_abstract_unix_set_sockaddr(struct sockaddr_un *addr,
- const char *path)
+ const char *path)
{
size_t len;
- if (!addr || !path) {
- errno = EINVAL;
- return -1;
- }
+ if (!addr || !path)
+ return ret_errno(EINVAL);
/* Clear address structure */
memset(addr, 0, sizeof(*addr));
@@ -44,10 +43,8 @@ static ssize_t lxc_abstract_unix_set_sockaddr(struct sockaddr_un *addr,
len = strlen(&path[1]);
/* do not enforce \0-termination */
- if (len >= INT_MAX || len >= sizeof(addr->sun_path)) {
- errno = ENAMETOOLONG;
- return -1;
- }
+ if (len >= INT_MAX || len >= sizeof(addr->sun_path))
+ return ret_errno(ENAMETOOLONG);
/* do not enforce \0-termination */
memcpy(&addr->sun_path[1], &path[1], len);
@@ -56,7 +53,8 @@ static ssize_t lxc_abstract_unix_set_sockaddr(struct sockaddr_un *addr,
int lxc_abstract_unix_open(const char *path, int type, int flags)
{
- int fd, ret;
+ __do_close_prot_errno int fd = -EBADF;
+ int ret;
ssize_t len;
struct sockaddr_un addr;
@@ -65,36 +63,24 @@ int lxc_abstract_unix_open(const char *path, int type, int flags)
return -1;
if (!path)
- return fd;
+ return move_fd(fd);
len = lxc_abstract_unix_set_sockaddr(&addr, path);
- if (len < 0) {
- int saved_errno = errno;
- close(fd);
- errno = saved_errno;
+ if (len < 0)
return -1;
- }
ret = bind(fd, (struct sockaddr *)&addr,
offsetof(struct sockaddr_un, sun_path) + len + 1);
- if (ret < 0) {
- int saved_errno = errno;
- close(fd);
- errno = saved_errno;
+ if (ret < 0)
return -1;
- }
if (type == SOCK_STREAM) {
ret = listen(fd, 100);
- if (ret < 0) {
- int saved_errno = errno;
- close(fd);
- errno = saved_errno;
+ if (ret < 0)
return -1;
- }
}
- return fd;
+ return move_fd(fd);
}
void lxc_abstract_unix_close(int fd)
@@ -104,7 +90,8 @@ void lxc_abstract_unix_close(int fd)
int lxc_abstract_unix_connect(const char *path)
{
- int fd, ret;
+ __do_close_prot_errno int fd = -EBADF;
+ int ret;
ssize_t len;
struct sockaddr_un addr;
@@ -113,23 +100,15 @@ int lxc_abstract_unix_connect(const char *path)
return -1;
len = lxc_abstract_unix_set_sockaddr(&addr, path);
- if (len < 0) {
- int saved_errno = errno;
- close(fd);
- errno = saved_errno;
+ if (len < 0)
return -1;
- }
ret = connect(fd, (struct sockaddr *)&addr,
offsetof(struct sockaddr_un, sun_path) + len + 1);
- if (ret < 0) {
- int saved_errno = errno;
- close(fd);
- errno = saved_errno;
+ if (ret < 0)
return -1;
- }
- return fd;
+ return move_fd(fd);
}
int lxc_abstract_unix_send_fds_iov(int fd, int *sendfds, int num_sendfds,
@@ -164,11 +143,9 @@ int lxc_abstract_unix_send_fds_iov(int fd, int *sendfds, int num_sendfds,
msg.msg_iov = iov;
msg.msg_iovlen = iovlen;
-again:
- ret = sendmsg(fd, &msg, MSG_NOSIGNAL);
- if (ret < 0)
- if (errno == EINTR)
- goto again;
+ do {
+ ret = sendmsg(fd, &msg, MSG_NOSIGNAL);
+ } while (ret < 0 && errno == EINTR);
return ret;
}
@@ -181,8 +158,7 @@ int lxc_abstract_unix_send_fds(int fd, int *sendfds, int num_sendfds,
.iov_base = data ? data : buf,
.iov_len = data ? size : sizeof(buf),
};
- return lxc_abstract_unix_send_fds_iov(fd, sendfds, num_sendfds, &iov,
- 1);
+ return lxc_abstract_unix_send_fds_iov(fd, sendfds, num_sendfds, &iov, 1);
}
int lxc_unix_send_fds(int fd, int *sendfds, int num_sendfds, void *data,
@@ -197,17 +173,14 @@ static int lxc_abstract_unix_recv_fds_iov(int fd, int *recvfds, int num_recvfds,
__do_free char *cmsgbuf = NULL;
int ret;
struct msghdr msg;
- struct cmsghdr *cmsg = NULL;
size_t cmsgbufsize = CMSG_SPACE(sizeof(struct ucred)) +
CMSG_SPACE(num_recvfds * sizeof(int));
memset(&msg, 0, sizeof(msg));
cmsgbuf = malloc(cmsgbufsize);
- if (!cmsgbuf) {
- errno = ENOMEM;
- return -1;
- }
+ if (!cmsgbuf)
+ return ret_errno(ENOMEM);
msg.msg_control = cmsgbuf;
msg.msg_controllen = cmsgbufsize;
@@ -216,20 +189,18 @@ static int lxc_abstract_unix_recv_fds_iov(int fd, int *recvfds, int num_recvfds,
msg.msg_iovlen = iovlen;
again:
- ret = recvmsg(fd, &msg, 0);
- if (ret < 0) {
- if (errno == EINTR)
- goto again;
+ do {
+ ret = recvmsg(fd, &msg, 0);
+ } while (ret < 0 && errno == EINTR);
+
+ if (!ret)
+ return 0;
- goto out;
- }
- if (ret == 0)
- goto out;
/*
* If SO_PASSCRED is set we will always get a ucred message.
*/
- for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
+ for (struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
if (cmsg->cmsg_type != SCM_RIGHTS)
continue;
@@ -241,7 +212,6 @@ static int lxc_abstract_unix_recv_fds_iov(int fd, int *recvfds, int num_recvfds,
break;
}
-out:
return ret;
}
@@ -262,7 +232,9 @@ int lxc_abstract_unix_send_credential(int fd, void *data, size_t size)
struct iovec iov;
struct cmsghdr *cmsg;
struct ucred cred = {
- .pid = lxc_raw_getpid(), .uid = getuid(), .gid = getgid(),
+ .pid = lxc_raw_getpid(),
+ .uid = getuid(),
+ .gid = getgid(),
};
char cmsgbuf[CMSG_SPACE(sizeof(cred))] = {0};
char buf[1] = {0};
@@ -309,7 +281,7 @@ int lxc_abstract_unix_rcv_credential(int fd, void *data, size_t size)
ret = recvmsg(fd, &msg, 0);
if (ret <= 0)
- goto out;
+ return ret;
cmsg = CMSG_FIRSTHDR(&msg);
@@ -317,15 +289,13 @@ int lxc_abstract_unix_rcv_credential(int fd, void *data, size_t size)
cmsg->cmsg_level == SOL_SOCKET &&
cmsg->cmsg_type == SCM_CREDENTIALS) {
memcpy(&cred, CMSG_DATA(cmsg), sizeof(cred));
- if (cred.uid &&
- (cred.uid != getuid() || cred.gid != getgid())) {
- INFO("Message denied for '%d/%d'", cred.uid, cred.gid);
- errno = EACCES;
- return -1;
- }
+
+ if (cred.uid && (cred.uid != getuid() || cred.gid != getgid()))
+ return log_error_errno(-1, EACCES,
+ "Message denied for '%d/%d'",
+ cred.uid, cred.gid);
}
-out:
return ret;
}
@@ -364,10 +334,9 @@ int lxc_unix_connect_type(struct sockaddr_un *addr, int type)
ssize_t len;
fd = socket(AF_UNIX, type | SOCK_CLOEXEC, 0);
- if (fd < 0) {
- SYSERROR("Failed to open new AF_UNIX socket");
- return -1;
- }
+ if (fd < 0)
+ return log_error_errno(-1, errno,
+ "Failed to open new AF_UNIX socket");
if (addr->sun_path[0] == '\0')
len = strlen(&addr->sun_path[1]);
@@ -376,10 +345,9 @@ int lxc_unix_connect_type(struct sockaddr_un *addr, int type)
ret = connect(fd, (struct sockaddr *)addr,
offsetof(struct sockaddr_un, sun_path) + len);
- if (ret < 0) {
- SYSERROR("Failed to bind new AF_UNIX socket");
- return -1;
- }
+ if (ret < 0)
+ return log_error_errno(-1, errno,
+ "Failed to bind new AF_UNIX socket");
return move_fd(fd);
}
From b714b9f29b03e850be1cf0ca06c7337599846701 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 5 Mar 2020 10:02:12 +0100
Subject: [PATCH 2/2] api-extensions: document cgroup2_devices and cgroup2 api
extensions
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
doc/api-extensions.md | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 75681a33cd..da7aefa2e5 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -105,3 +105,16 @@ This introduces the ability to specify a `lxc.net.[i].veth.mode` setting, which
In "router" mode static routes are created on the host for the container's IP addresses pointing to
the host side veth interface. In addition to the routes, a static IP neighbour proxy is added to
the host side veth interface for the IPv4 and IPv6 gateway IPs.
+
+
+# cgroup2\_devices
+
+This enables `LXC` to make use of the new devices controller in the unified
+cgroup hierarchy. `LXC` will now create, load, and attach bpf program to the
+cgroup of the container when the controller is available.
+
+# cgroup2
+
+This enables `LXC` to make complete use of the unified cgroup hierarchy. With
+this extension it is possible to run `LXC` containers on systems that use
+a pure unified cgroup layout.
More information about the lxc-devel
mailing list