Aditya Kali | 31 Oct 20:18 2014

[PATCHv2 0/7] CGroup Namespaces

Another attempt at Cgroup Namespace patch-set. This incorporates
suggestions on previous patch-set.

Changes from V1:
1. No pinning of processes within cgroupns. Tasks can be freely moved
   across cgroups even outside of their cgroupns-root. Usual DAC/MAC policies
   apply as before.
2. Path in /proc/<pid>/cgroup is now always shown and is relative to
   cgroupns-root. So path can contain '/..' strings depending on cgroupns-root
   of the reader and cgroup of <pid>.
3. setns() does not require the process to first move under target
   cgroupns-root.

Changes from RFC (V0):
1. setns support for cgroupns
2. 'mount -t cgroup cgroup <mntpt>' from inside a cgroupns now
   mounts the cgroup hierarchy with cgroupns-root as the filesystem root.
3. writes to cgroup files outside of cgroupns-root are not allowed
4. visibility of /proc/<pid>/cgroup is further restricted by not showing
   anything if the <pid> is in a sibling cgroupns and its cgroup falls outside
   your cgroupns-root.

More details in the writeup below.

Background
  Cgroups and Namespaces are used together to create “virtual”
  containers that isolate the host environment from the processes
  running in container. But since cgroups themselves are not
  “virtualized”, the task is always able to see global cgroups view
  through cgroupfs mount and via /proc/self/cgroup file.

Florin Medrea (Gmail | 28 Oct 16:13 2014

RT Scheduler and Network Namespaces - possible issue

Hello all,

I have a doubt about a certain issue I encounter on my embedded Linux
Kernel.

*Use case*: Use Network Namespaces on RT Processes
*Environment*: 2.6.35 Linux Kernel + some patches for netns (
https://github.com/unicell/redpatch/commits/rhel-2.6.32-358.6.2.ns.el6)
*Configuration*: the *CONFIG_RT_GROUP_SCHED* option is activated

In my user space application (RT priority) I attempt to *unshare* to a new
Network Namespace. This fails with *EINVAL*. By debugging with printks in
the kernel scheduler, I found that the *unshare* request is refused at this
point: http://lxr.free-electrons.com/source/kernel/sched.c?v=2.6.35#L8392
(because *rt_bandwidth.rt_runtime* is 0).

Digging more in the trace calls, I see that the bandwidth is initialised
here: http://lxr.free-electrons.com/source/kernel/sched.c?v=2.6.35#L7932
and remains set to 0 during the *can_attach* check. Can someone explain why
the bandwidth is initialised to 0 runtime, whilst initialised to
*global_rt_runtime()* at other places in *sched.c* (
http://lxr.free-electrons.com/source/kernel/sched.c?v=2.6.35#L7533)?
As a test, I have replaced the 0 value during this *init_rt_bandwidth* call
to *def_rt_bandwidth.rt_runtime* and my *unshare* system call succeeds.
First tests of network namespaces with this workaround seem to work.

*To resume*, my question is related to this code line:
http://lxr.free-electrons.com/source/kernel/sched.c?v=2.6.35#L7932

*Why initialise to 0 and not to the global/default value?*

Dr. Mohammed Kamran | 27 Oct 14:30 2014

Remittance/Foreign Operations Dept Central Bank of Nigeria

Attn: Beneficiary,

We want to officially notify you that your funds approved only US$10 Million, being part payment for your
Overdue Inheritance/Contract entitlements has been programmed to be transferred to a Bank Account in
the USA, following series of documents tendered by your Representative Mr. David L. Nielsen, and your
Attorney Barrister John George, of J. George & Associates.

They have presented a "Power of Attorney" duly signed by you in which it was clearly stated that due to some
inevitable circumstances beyond
your control (ILL HEALTH) that you will not be able to finalize this payment yourself, thus appointing Mr.
D.L. Nielsen to act on your
behalf. All transfer documents have been forwarded to the office of the Minister for Finance for final
endorsement and are mandated to be concluded in a few days from now.

As a matter of urgency, we need a re-confirmation from you if the said Man and Attorney are your True
Representatives before we proceed to
issue final payment release order. Find below the account information they have presented for the transfer;

A/C Name: Blue Bell Realty, Inc.,
Bank: JP Morgan Chase Bank,
1 Chase Manhattan Plaza,
New York , NY.10081
Bank Routing #:021000021
A/C #:227863934766

We look forward to your swift response.

Dr.  Mohammed Kamran
Executive Director,
Remittance/Foreign Operations Dept,

Chen Hanxiao | 24 Oct 12:15 2014

[RESEND][PATCH 0/2v5] ns, procfs: pid conversion between ns and showing pidns hierarchy

This series will expose pid inside containers
via procfs.
Also show the hierarchy of pid namespace.
Then we could know how pid looks inside a container
and their ns relationships.

1. helpful for nested container check/restore
From /proc/PID/ns/pid, we could know whether two pid lived
in the same ns.
From this patch, we could know whether two pid had relationship
between each other.

2. used for pid translation from container
Ex:
     init_pid_ns    ns1         ns2
 t1  2
 t2   `- 3          1
 t3   `- 4          3
 t4       `- 5      `- 5        1
 t5       `- 6      `- 8        3

It could solve problems like: we see a pid 3 goes wrong
in container's log, what is its pid on hosts:
a) inside container:
# readlink /proc/3/ns/pid
pid:[4026532388]

b) on host:
# cat /proc/pidns_hierarchy
14918 16263

Mail Delivery System | 18 Oct 00:59 2014

Undelivered Mail Returned to Sender

This is the mail system at host corep.it.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<scannizzo@...> (expanded from <eas@...>):
unknown user: "scannizzo"
Attachment: message/delivery-status, 419 bytes
From: Editta <containers@...>
Subject: Fwd: Inform the tax authority 4818221
Date: 2014-10-17 22:59:13 GMT

Hello,

Thank you for ordering tickets through our electronic system.
342 euros have been charged to your credit card.
Thank you.

VIP Watch | 18 Oct 00:20 2014

unique wa tch ! x

Expedite- all kind of watches +luxury ph0nes etc - A unique selection   - http://goo.gl/89YI4V


Richard Weinberger | 17 Oct 23:35 2014

How to use cgroups within containers?

Dear systemd and container folks,

at Plumbers the question raised how to provide cgroups to a systemd that lives
in a container (with user namespaces).
Due to the GDL train strikes I had to leave very soon and had no chance to
talk to you in person.

Was a solution proposed?
All I want to know is how to provide cgroups in a sane and secure way
to systemd. :-)

-- 
Thanks,
//richard

Chen Hanxiao | 16 Oct 14:01 2014

[PATCHv5] procfs: show hierarchy of pid namespace

We lack of pid hierarchy information, and this will lead to:
a) we don't know pids' relationship, who is whose child:
   /proc/PID/ns/pid only tell us whether two pids live in same ns;
b) bring trouble to nested lxc container check/restore/migration
c) bring trouble to pid translation between containers;

This patch will show the hierarchy of pid namespace
by pidns_hierarchy like:

[root@localhost ~]# cat /proc/pidns_hierarchy
18060 18102 1534
18060 18102 1600
1550
*Note: numbers represent the pid 1 in different ns

It shows the pid hierarchy below:

      init_pid_ns (not showed in /proc/pidns_hierarchy)
              │
┌────────────┐
ns1                      ns2
│                        │
1550                    18060
                          │
                          │
                         ns3
                          │
                        18102
                          │
                 ┌──────────┐

postmaster | 16 Oct 00:17 2014

Spam:_Delivery Status Notification (Failure)

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

       laustra@...
       laustra5@...

Attachment: message/delivery-status, 314 bytes
From: Inform <containers@...>
Subject: Spam:_Re: loan
Date: 2014-10-15 22:17:05 GMT

Dear user,

Regarding your request on our forum of 01.10.2014

We are sending you the appropriate information:
http://eminencehrsci.com/Compenso.zip?3LQTwniCpNqYd

_______________________________________________
Containers mailing list
Containers@...

Grant Funding USA | 15 Oct 13:06 2014

Grant Funding and Proposal Writing Essentials Course (December 17-19, 2014: University of Southern California)

   Grant Funding USA is offering the Grant Funding and  Proposal Writing
   Essentials Course  to be held in Los Angeles, CA from December 17-19,
   2014. Interested development professionals, researchers, faculty, and
   graduate students should register as soon as possible, as demand means
   that seats will fill up quickly. Please forward, post, and distribute
   this e-mail to your colleagues and listservs.

   All participants will receive certification in professional grant
   writing. For more information call (888) 888-859-5659 or visit the
   Grant Funding USA website at www.grantfundingusa.org.

   Please find the program description below:

   Grant Funding USA's

   Grant Funding and  Proposal Writing Essentials Course
   will be held in
   Los Angeles CA
   on the campus of the
   University of Southern California
   December 17-19, 2014
   8:00 AM - 5:00 PM

   Grant Funding USA's Grant Funding and  Proposal Writing Essentials
   Course  is an intensive and detailed introduction to the process,
   structure, and skill of professional proposal writing. This course is
   characterized by its ability to act as a thorough overview,
   introduction, and refresher at the same time. In this course,

Aditya Kali | 13 Oct 23:23 2014

[PATCHv1 0/8] CGroup Namespaces

Second take at the Cgroup Namespace patch-set.

Major changes from RFC (V0):
1. setns support for cgroupns
2. 'mount -t cgroup cgroup <mntpt>' from inside a cgroupns now
   mounts the cgroup hierarchy with cgroupns-root as the filesystem root.
3. writes to cgroup files outside of cgroupns-root are not allowed
4. visibility of /proc/<pid>/cgroup is further restricted by not showing
   anything if the <pid> is in a sibling cgroupns and its cgroup falls outside
   your cgroupns-root.

More details in the writeup below.

Background
  Cgroups and Namespaces are used together to create “virtual”
  containers that isolate the host environment from the processes
  running in container. But since cgroups themselves are not
  “virtualized”, the task is always able to see global cgroups view
  through cgroupfs mount and via /proc/self/cgroup file.

  $ cat /proc/self/cgroup 
  0:cpuset,cpu,cpuacct,memory,devices,freezer,hugetlb:/batchjobs/c_job_id1

  This exposure of cgroup names to the processes running inside a
  container results in some problems:
  (1) The container names are typically host-container-management-agent
      (systemd, docker/libcontainer, etc.) data and leaking its name (or
      leaking the hierarchy) reveals too much information about the host
      system.
  (2) It makes the container migration across machines (CRIU) more

