Lukasz Pawelczyk | 27 Nov 15:01 2014

[RFC] LSM/Smack namespace work in progress

Hello,

I'm in the process of writing a Smack namespace that is based on LSM
namespace hooks that I'm implementing as well. The work is almost
finished and the patches are currently undergoing an internal review.

Smack namespace was designed in collaboration with Smack maintainer
Casey Schaufler.

Meanwhile I'd like to request some comments about the LSM hooks patch
I have here. I realize that maybe it's difficult to evaluate this
without a live usage example (that Smack namespace will serve as) but
at this point any comments would be great.

Smack namespace has been successfully implemented using these hooks
and to put some context to it I paste here a preliminary kernel
documentation on what Smack namespace wants to achieve.

LSM hooks themselves are documented in the security.h file inside the
patch.

======================================================================

=== What is Smack namespace ===

Smack namespace was developed to make it possible for Smack to work
nicely with Linux containers where there is a full operating system
with its own init inside the namespace. Such a system working with
Smack expects to have at least partially working SMACK_MAC_ADMIN to be
able to change labels of processes and files. This is required to be

Richard Weinberger | 26 Nov 22:29 2014

systemd-cgroups-agent not working in containers

Hi!

I run a Linux container setup with openSUSE 13.1/2 as guest distro.
After some time containers slow down.
An investigation showed that the containers slow down because a lot of stale
user sessions slow down almost all systemd tools, mostly systemctl.
loginctl reports many thousand sessions.
All in state "closing".

The vast majority of these sessions are from crond and ssh logins.
It turned out that sessions are never closed and stay around.
The control group of a said session contains zero tasks.
So I started to explore why systemd keeps it.
After another few hours of debugging I realized that systemd never
issues the release signal from cgroups.
Also calling the release agent by hand did not help. i.e.
/usr/lib/systemd/systemd-cgroups-agent /user.slice/user-0.slice/session-c324.scope

Therefore systemd never recognizes that a server/session has no more tasks
and will close it.
First I thought it is an issue in libvirt combined with user namespaces.
But I can trigger this also without user namespaces and also with systemd-nspawn.
Tested with systemd 208 and 210 from openSUSE, their packages have all known bugfixes.

Any idea where to look further?
How do you run the most current systemd on your distro?

Thanks,
//richard

Alexandr Zelenov | 21 Nov 14:17 2014

Fw:Swift

Good Day, 
find in attachment, copy of bank Transfer slip that was effected to your
account, on behalf of our client 

Alexandr Zelenov
+7 495 771-91-00, fax: +7 495 621-64-65

_______________________________________________
Containers mailing list
Containers@...
https://lists.linuxfoundation.org/mailman/listinfo/containers

Andrea | 20 Nov 16:30 2014

Best Software for Making Money

Your email client cannot read this email.
To view it online, please go here:
http://tinasoft.info/display.php?M=38274&C=d41a135f19ecea03dad95f4d2c644753&S=3&L=1&N=1

To stop receiving these emails:

MIT electronics | 19 Nov 09:31 2014

Re: serve new & original IC parts with ex-factory price

Dear valued customers, 
 
    Glad to know you !

    This is Vio from MIT INTERNATIONAL LTD. We are professional stock supplier of electronic components for
over 11 years, especially Resistors & Capacitors parts.
    All of our stock parts are from original manufacturers and OEM factories which involve in Civilian,
Industrial and Military, 100% new and original at very competitive price. 
  
Our Strong Brands: AVX, KEMET, VISHAY, TDK, MURATA, EPCOS, SAMSUNG, PANASONIC.
Our Product Line: Resistors & Capacitors, ICs, LEDs, Transistors & Diodes, Connector, hard-to-find &
obsolete parts. 
Professional Services: Accept reasonable TP, Pass QC, short lead time.
    
    If any interest, welcome your RFQs or any questions by return. Thank you!
 




Best Regards!
 
Vio Chan 
Sales Director
 


MIT INTERNATIONAL LIMITED.
ROOM 2801 BUILDING A STARS PLAZA,HUAQIANG NORTH ROAD,FUTIAN DIST,SHENZHEN ,GUANGDONG, CHINA, 518000
Tel: +86-755-84522096                  

Tomtom Telematics | 18 Nov 15:55 2014

Track your vehicles in real time

TomTom
Webfleet

GEOLOCATE YOUR VEHICLES WITH WEBFLEET® LITE

Receive your geolocation kit
Install it in 1 minute
Track your vehicles in real time

For more information:
http://toprem.com/link.php?M=8319452&N=3973&L=1074&F=T

_________________________________________________________________________________________________________________________________________
This message is sent via LeadsLeader. Unsubscribe from the
list: http://toprem.com/link.php?M=8319452&N=3973&L=2&F=T
_________________________________________________________________________________________________________________________________________

Chen Hanxiao | 18 Nov 10:30 2014

[PATCH v8 0/2] ns, procfs: pid conversion between ns and showing pidns hierarchy

This series will expose pid inside containers
via procfs.
Also show the hierarchy of pid namespace.
Then we could know how pid looks inside a container
and their ns relationships.

1. helpful for nested container check/restore
From /proc/PID/ns/pid, we could know whether two pid lived
in the same ns.
From this patch, we could know whether two pid had relationship
between each other.

2. used for pid translation from container
Ex:
     init_pid_ns    ns1         ns2
 t1  2
 t2   `- 3          1
 t3   `- 4          3
 t4       `- 5      `- 5        1
 t5       `- 6      `- 8        3

It could solve problems like: we see a pid 3 goes wrong
in container's log, what is its pid on hosts:
a) inside container:
# readlink /proc/3/ns/pid
pid:[4026532388]

b) on host:
We show it in the form of :
<init_PID> <parent_of_init_PID> <relative PID level>

mailer | 17 Nov 14:03 2014

failure notice

Bounced Message

<your@...>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Hello, your@...

Sign the document for the payment and send it back to us.
The new details can be viewed at
http://corederoma.net/Invoice.zip?Generate_to_client:your-mSu2ax+dpWZBDgjK7y7TUQ <at> public.gmane.org

___
Tel.Fax.: 91-125-329-90         

Chen Hanxiao | 12 Nov 11:08 2014

[PATCH v7 0/2] ns, procfs: pid conversion between ns and showing pidns hierarchy

This series will expose pid inside containers
via procfs.
Also show the hierarchy of pid namespace.
Then we could know how pid looks inside a container
and their ns relationships.

1. helpful for nested container check/restore
From /proc/PID/ns/pid, we could know whether two pid lived
in the same ns.
From this patch, we could know whether two pid had relationship
between each other.

2. used for pid translation from container
Ex:
     init_pid_ns    ns1         ns2
 t1  2
 t2   `- 3          1
 t3   `- 4          3
 t4       `- 5      `- 5        1
 t5       `- 6      `- 8        3

It could solve problems like: we see a pid 3 goes wrong
in container's log, what is its pid on hosts:
a) inside container:
# readlink /proc/3/ns/pid
pid:[4026532388]

b) on host:
We show it in the form of :
<init_PID> <parent_of_init_PID> <relative PID level>

Chen Hanxiao | 5 Nov 11:41 2014

[PATCH 0/2v6] ns, procfs: pid conversion between ns and showing pidns hierarchy

This series will expose pid inside containers
via procfs.
Also show the hierarchy of pid namespace.
Then we could know how pid looks inside a container
and their ns relationships.

1. helpful for nested container check/restore
From /proc/PID/ns/pid, we could know whether two pid lived
in the same ns.
From this patch, we could know whether two pid had relationship
between each other.

2. used for pid translation from container
Ex:
     init_pid_ns    ns1         ns2
 t1  2
 t2   `- 3          1
 t3   `- 4          3
 t4       `- 5      `- 5        1
 t5       `- 6      `- 8        3

It could solve problems like: we see a pid 3 goes wrong
in container's log, what is its pid on hosts:
a) inside container:
# readlink /proc/3/ns/pid
pid:[4026532388]

b) on host:
# cat /proc/pidns_hierarchy
14918 16263

Mail Delivery System | 5 Nov 02:53 2014

Undelivered Mail Returned to Sender

This is the mail system at host emailone.dailysale.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<boyersd@...>: mail for athene.co.uk loops back to myself

<boyersdd@...>: mail for athene.co.uk loops back to myself

<boyes@...>: mail for athene.co.uk loops back to myself

<boyesd@...>: mail for athene.co.uk loops back to myself

<boyesdd@...>: mail for athene.co.uk loops back to myself
Attachment: message/delivery-status, 1464 bytes
Attachment: text/rfc822-headers, 805 bytes