GitHub | 25 May 17:51 2015

[lxc/lxc] 998541: macvlan: add 'passthru' mode

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 9985416197e02a7094aa9b457564a2fede721a24
      https://github.com/lxc/lxc/commit/9985416197e02a7094aa9b457564a2fede721a24
  Author: Eric Leblond <eric@...>
  Date:   2015-05-23 (Sat, 23 May 2015)

  Changed paths:
    M src/lxc/conf.h
    M src/lxc/confile.c

  Log Message:
  -----------
  macvlan: add 'passthru' mode

In a setup where we want to sniff with an IDS from inside a container
we can use the 'passthru' mode of macvlan. This was not accessible
from the config and this patch fixes the issue.

Signed-off-by: Eric Leblond <eric@...>

  Commit: c15ea60706591a97d5c66137b74587549ef4d7e3
      https://github.com/lxc/lxc/commit/c15ea60706591a97d5c66137b74587549ef4d7e3
  Author: Eric Leblond <eric@...>
  Date:   2015-05-25 (Mon, 25 May 2015)

  Changed paths:
    M doc/lxc.container.conf.sgml.in

  Log Message:
(Continue reading)
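
An added configuration example (not from the commit or from the LXC documentation), showing how the mode the commit exposes is selected for an IDS container; the key names are the LXC 1.x lxc.network.* keys, and eth1 and sniff0 are placeholders:

```ini
# Added example, not part of the commit: a macvlan in passthru mode for a sniffing container.
# eth1 is a placeholder for the physical NIC dedicated to the IDS; sniff0 is the
# name the interface gets inside the container.
lxc.network.type = macvlan
lxc.network.link = eth1
lxc.network.macvlan.mode = passthru
lxc.network.flags = up
lxc.network.name = sniff0
```

Passthru differs from the bridge, vepa and private modes in that only one macvlan may sit on the lower device and that endpoint may change the MAC address and enable promiscuous mode, which is what a sniffer needs. It also means the NIC is handed to that one container: do not route host traffic over eth1, and treat the container as holding a network tap. The interface still only sees what the switch delivers to that port, so traffic not addressed to the host needs a SPAN/mirror feed.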

GitHub | 25 May 17:07 2015

[lxc/lxc] 37cf71: config : add lxc.hook.destroy option

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 37cf711b2887dbce0921eb653b8bc7cb27a02fee
      https://github.com/lxc/lxc/commit/37cf711b2887dbce0921eb653b8bc7cb27a02fee
  Author: Sungbae Yoo <sungbae.yoo@...>
  Date:   2015-05-14 (Thu, 14 May 2015)

  Changed paths:
    M doc/lxc.container.conf.sgml.in
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/confile.c
    M src/lxc/lxccontainer.c

  Log Message:
  -----------
  config : add lxc.hook.destroy option

Signed-off-by: Sungbae Yoo <sungbae.yoo@...>

  Commit: fc2d798a9060f25cee25f42a9fc35c3acfba89fc
      https://github.com/lxc/lxc/commit/fc2d798a9060f25cee25f42a9fc35c3acfba89fc
  Author: Stéphane Graber <stgraber@...>
  Date:   2015-05-25 (Mon, 25 May 2015)

  Changed paths:
    M doc/lxc.container.conf.sgml.in
    M src/lxc/conf.c
    M src/lxc/conf.h
    M src/lxc/confile.c
(Continue reading)

GitHub | 25 May 17:06 2015

[lxc/lxc] 6a6981: Change lxc-clone to use 'rsync -aH' instead of jus...

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 6a698162954cd7d1448675b5c4350e4eaf861298
      https://github.com/lxc/lxc/commit/6a698162954cd7d1448675b5c4350e4eaf861298
  Author: Erik B. Andersen <erik.b.andersen@...>
  Date:   2015-05-14 (Thu, 14 May 2015)

  Changed paths:
    M src/lxc/bdev.c

  Log Message:
  -----------
  Change lxc-clone to use 'rsync -aH' instead of just 'rsync -a' for cloning to fix Launchpad Bug #1441307.

Signed-off-by: Erik B. Andersen <erik.b.andersen@...>

  Commit: 378da5aa9fc7cd5a86bb54bca5cd37bdc258391f
      https://github.com/lxc/lxc/commit/378da5aa9fc7cd5a86bb54bca5cd37bdc258391f
  Author: Stéphane Graber <stgraber@...>
  Date:   2015-05-25 (Mon, 25 May 2015)

  Changed paths:
    M src/lxc/bdev.c

  Log Message:
  -----------
  Merge pull request #526 from Azendale/master

Change lxc-clone to use 'rsync -aH' instead of just 'rsync -a'

(Continue reading)
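
An added example, not lxc's bdev.c and not rsync, of what the -H flag changes: two copy strategies over a constructed flat directory (one inode with two names, built under a mkdtemp() directory in /tmp), followed by the link count each leaves behind. Without -H semantics every name is copied on its own and the pair becomes two independent files; with them the second name becomes a hard link to the first copy, as it was in the source.

```c
/* Added example, not lxc's bdev.c: what rsync -H changes for a clone. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct seen { dev_t dev; ino_t ino; char dst[PATH_MAX]; }; /* inode -> its first copy */

static int copy_bytes(const char *src, const char *dst)
{
    char buf[4096];
    ssize_t n;
    int in = open(src, O_RDONLY), out = in < 0 ? -1 : open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (out < 0) { if (in >= 0) close(in); return -1; }
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, (size_t)n) != n) { n = -1; break; }
    close(in); close(out);
    return n < 0 ? -1 : 0;
}

/* preserve_links == 0: each name is copied on its own (rsync -a).  preserve_links == 1:
 * a name whose inode was already copied becomes a hard link to that copy (rsync -aH). */
static int copy_flat_dir(const char *src, const char *dst, int preserve_links)
{
    struct seen seen[64];
    int nseen = 0, rc = 0, i;
    struct dirent *e;
    DIR *d = opendir(src);
    if (!d) return -1;
    while (rc == 0 && (e = readdir(d)) != NULL) {
        char s[PATH_MAX], t[PATH_MAX];
        struct stat st;
        snprintf(s, sizeof s, "%s/%s", src, e->d_name);
        snprintf(t, sizeof t, "%s/%s", dst, e->d_name);
        if (lstat(s, &st) < 0 || !S_ISREG(st.st_mode))
            continue;
        if (preserve_links && st.st_nlink > 1) {
            for (i = 0; i < nseen; i++)                 /* inode already copied? */
                if (seen[i].dev == st.st_dev && seen[i].ino == st.st_ino) break;
            if (i < nseen) { rc = link(seen[i].dst, t); continue; } /* second name: link it */
            if (nseen < (int)(sizeof seen / sizeof *seen)) {
                seen[nseen].dev = st.st_dev;
                seen[nseen].ino = st.st_ino;
                snprintf(seen[nseen++].dst, PATH_MAX, "%s", t);
            }
        }
        rc = copy_bytes(s, t);
    }
    closedir(d);
    return rc;
}

/* Highest st_nlink among the regular files in dir (1 means every hard link was
 * broken), deleting them as it goes; then removes dir. Returns -1 on error. */
static int max_nlink_and_remove(const char *dir)
{
    struct dirent *e;
    int max = 0;
    DIR *d = opendir(dir);
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char p[PATH_MAX];
        struct stat st;
        snprintf(p, sizeof p, "%s/%s", dir, e->d_name);
        if (lstat(p, &st) == 0 && S_ISREG(st.st_mode)) {
            if ((int)st.st_nlink > max) max = (int)st.st_nlink;
            unlink(p);
        }
    }
    closedir(d);
    return rmdir(dir) == 0 ? max : -1;
}

/* Constructed source tree under mkdtemp(): one inode with two names, cloned with
 * the chosen strategy. Returns the link count found in the clone: 1 or 2. */
int clone_demo(int preserve_links)
{
    char root[] = "/tmp/lxc-clone-demo-XXXXXX";
    char src[PATH_MAX], dst[PATH_MAX], a[PATH_MAX], b[PATH_MAX];
    int fd, result;
    if (!mkdtemp(root)) return -1;
    snprintf(src, sizeof src, "%s/src", root);
    snprintf(dst, sizeof dst, "%s/dst", root);
    snprintf(a, sizeof a, "%s/busybox", src);
    snprintf(b, sizeof b, "%s/sh", src);
    if (mkdir(src, 0700) || mkdir(dst, 0700)) return -1;
    fd = open(a, O_WRONLY | O_CREAT | O_EXCL, 0700);
    if (fd < 0 || write(fd, "#!/bin/sh\n", 10) != 10 || close(fd) || link(a, b)) return -1;
    if (copy_flat_dir(src, dst, preserve_links) < 0) return -1;
    result = max_nlink_and_remove(dst);
    max_nlink_and_remove(src);
    rmdir(root);
    return result;
}
```

clone_demo(0) models the old rsync -a behaviour and returns 1; clone_demo(1) models rsync -aH and returns 2. The same check, comparing st_nlink totals between a source rootfs and its clone, is a quick way to confirm an existing clone was made with hard links intact.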

GitHub | 25 May 17:05 2015

[lxc/lxc] 02d25a: Easy to read timestamp in log

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 02d25a9ea585a858db477b7966a369c71434fbad
      https://github.com/lxc/lxc/commit/02d25a9ea585a858db477b7966a369c71434fbad
  Author: Stéphane Graber <stgraber@...>
  Date:   2015-05-25 (Mon, 25 May 2015)

  Changed paths:
    M src/lxc/log.c

  Log Message:
  -----------
  Easy to read timestamp in log

Signed-off-by: Gyeongmin Kim <gyeongmintwo@...>
Acked-by: Stéphane Graber <stgraber@...>

_______________________________________________
lxc-devel mailing list
lxc-devel <at> lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
KATOH Yasufumi | 21 May 10:36 2015

[PATCH] aufs: Support unprivileged clone, mount

Current aufs supports FS_USERNS_MOUNT by using the allow_userns module
parameter. It allows root in a userns to mount aufs.

This patch allows an unprivileged container to use aufs. The value of
the xino option is changed to /dev/shm/aufs.xino, which an unprivileged
user can write.

Signed-off-by: KATOH Yasufumi <karma <at> jazz.email.ne.jp>
---
 src/lxc/bdev.c | 68 ++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 38 insertions(+), 30 deletions(-)

diff --git a/src/lxc/bdev.c b/src/lxc/bdev.c
index 61bbe6d..f0a13a9 100644
--- a/src/lxc/bdev.c
+++ b/src/lxc/bdev.c
 <at>  <at>  -2557,12 +2557,12  <at>  <at>  static int aufs_detect(const char *path)
 //
 static int aufs_mount(struct bdev *bdev)
 {
-	char *options, *dup, *lower, *upper, *rundir;
+	char *options, *dup, *lower, *upper;
 	int len;
 	unsigned long mntflags;
 	char *mntdata;
-	char *runpath;
 	int ret;
+	const char *xinopath = "/dev/shm/aufs.xino";

 	if (strcmp(bdev->type, "aufs"))
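Review bot: the new line const char *xinopath = "/dev/shm/aufs.xino"; hard-codes a single fixed name in a world-writable directory, where the removed rundir/runpath pair indicates the location used to be derived per run. /dev/shm is a shared tmpfs (normally mode 1777), so any local user can create /dev/shm/aufs.xino, or a symlink of that name, before the unprivileged container mounts, and two containers starting at the same time would pass aufs the same xino file. Suggest a path under a directory owned by the unprivileged user (for example next to the container's own rootfs or run directory), or a unique name created with O_EXCL before it is put in the mount options, plus a sentence in the aufs documentation about where the xino file now lives.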
(Continue reading)

Serge Hallyn | 17 May 22:15 2015

[PATCH RFC] cgroups: use cgfs when possible

Because it is easier on the host.  When creating many containers,
reducing the load on the cgroup manager can greatly reduce the
cpu usage.  Until now, we have used cgmanager whenever we could.
Now we use cgfs when we can, and switch to cgmanager if needed.

At cgroup init, we first check whether we can use cgfs.  If we
can, we use it rather than cgmanager.  This means that cgfs needs
to actually check whether it can be used.  We do this by making
sure that every needed hierarchy has a writeable mountpoint.

We also now need to have cgfs call cgmanager's mount_setup(), as
any nested use of cgroups may well need to be using cgmanager.

This requires a patch to the lxcfs mount hook to avoid failure
on mkdir.  (A better fix would be nice, but this suffices to make
things work)

This also gets rid of the cgroup_driver enum, which wasn't
actually used anywhere.

Signed-off-by: Serge Hallyn <serge.hallyn <at> ubuntu.com>
---
 src/lxc/cgfs.c      | 46 +++++++++++++++++++++++++++++++++++++++++-----
 src/lxc/cgmanager.c |  3 +--
 src/lxc/cgroup.c    | 12 ++++--------
 src/lxc/cgroup.h    | 10 +++-------
 4 files changed, 49 insertions(+), 22 deletions(-)

diff --git a/src/lxc/cgfs.c b/src/lxc/cgfs.c
index fcb3cde..fe7b06d 100644
(Continue reading)
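
An added example, not the patch's cgfs.c code: the precondition the description states ("every needed hierarchy has a writeable mountpoint") as a check over /proc/self/mountinfo text. The input is a constructed mountinfo excerpt (paths and controller layout made up for the demonstration); for each needed controller the code finds the cgroup mount whose superblock options list it and requires that mount's own options to say rw. This is the cgroup v1 layout the patch is about; a live check would additionally access(2) the mount point with W_OK as the user lxc runs as, since a rw mount can still be unwritable to an unprivileged user.

```c
/* Added example, not lxc's cgfs.c: is every needed cgroup v1 hierarchy mounted rw? */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>

/* Constructed mountinfo excerpt: four cgroup mounts, one of them read-only. */
const char SAMPLE_MOUNTINFO[] =
"25 20 0:22 / /sys/fs/cgroup ro,nosuid,nodev,noexec shared:8 - tmpfs tmpfs ro,mode=755\n"
"26 25 0:23 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:9 - cgroup cgroup rw,xattr,name=systemd\n"
"27 25 0:24 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,memory\n"
"28 25 0:25 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,cpu,cpuacct\n"
"29 25 0:26 / /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup ro,devices\n";

/* Exact-token membership in a comma separated option list ("cpu" is not "cpuacct"). */
static int has_opt(const char *csv, const char *name)
{
    size_t n = strlen(name);
    while (*csv) {
        const char *end = strchr(csv, ',');
        size_t len = end ? (size_t)(end - csv) : strlen(csv);
        if (len == n && memcmp(csv, name, n) == 0)
            return 1;
        if (!end)
            break;
        csv = end + 1;
    }
    return 0;
}

/* Find the cgroup mount whose superblock options list `controller`.
 * Returns 1 if that mount is rw, 0 if it is ro, -1 if no such hierarchy is
 * mounted; copies the mount point into mp when one is found. */
int hierarchy_state(const char *mountinfo, const char *controller, char *mp, size_t mplen)
{
    const char *line = mountinfo;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len < sizeof buf) {
            char *sep, *f[6], *tok, *fstype, *source, *superopts;
            int i = 0;
            memcpy(buf, line, len);
            buf[len] = '\0';
            sep = strstr(buf, " - ");   /* separates per-mount fields from fstype/source/superopts */
            if (sep) {
                *sep = '\0';
                for (tok = strtok(buf, " "); tok && i < 6; tok = strtok(NULL, " "))
                    f[i++] = tok;       /* id parent maj:min root mountpoint mntopts */
                fstype = strtok(sep + 3, " ");
                source = strtok(NULL, " ");
                superopts = strtok(NULL, " ");
                if (i == 6 && fstype && source && superopts &&
                    strcmp(fstype, "cgroup") == 0 && has_opt(superopts, controller)) {
                    snprintf(mp, mplen, "%s", f[4]);
                    return has_opt(f[5], "rw");
                }
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return -1;
}

/* The cgfs precondition: every needed hierarchy present and mounted rw. */
int all_hierarchies_writable(const char *mountinfo, const char *const *needed, size_t n)
{
    char mp[256];
    for (size_t i = 0; i < n; i++) {
        int st = hierarchy_state(mountinfo, needed[i], mp, sizeof mp);
        if (st != 1) {
            fprintf(stderr, "%s: %s\n", needed[i], st < 0 ? "no hierarchy mounted" : "mounted read-only");
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    const char *needed[] = { "memory", "cpu", "cpuacct", "devices" };
    printf("all needed hierarchies rw: %s\n",
           all_hierarchies_writable(SAMPLE_MOUNTINFO, needed, 4) ? "yes" : "no");
    return 0;
}
```

On the sample the devices hierarchy is mounted read-only, so the check fails and the caller would fall back to cgmanager, which is the decision path the patch describes. Replacing SAMPLE_MOUNTINFO with the contents of /proc/self/mountinfo gives the same answer for the current mount namespace.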

Serge Hallyn | 17 May 15:04 2015

[PATCH 1/1] attach: mount a sane proc for LSM setup

To set LSM labels, a namespace-local proc mount is needed.

If a container does not have lxc.mount.auto = proc set, then
tasks in the container do not have a correct /proc mount until
init feels like doing the mount.  At startup we handle this
by mounting a temporary /proc if needed.  We weren't doing this
at attach, though, so that

lxc-start -n $container
lxc-wait -t 5 -s RUNNING -n $container
lxc-attach -n $container -- uname -a

could in a racy way fail with something like

lxc-attach: lsm/apparmor.c: apparmor_process_label_set: 183 No such file or directory - failed to
change apparmor profile to lxc-container-default

Thanks to Chris Townsend for finding this bug at
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1452451

Signed-off-by: Serge Hallyn <serge.hallyn <at> ubuntu.com>
---
 src/lxc/attach.c |  8 ++++++++
 src/lxc/conf.c   | 44 +-------------------------------------------
 src/lxc/utils.c  | 43 +++++++++++++++++++++++++++++++++++++++++++
 src/lxc/utils.h  |  1 +
 4 files changed, 53 insertions(+), 43 deletions(-)

diff --git a/src/lxc/attach.c b/src/lxc/attach.c
index 69dafd4..731d7a6 100644
(Continue reading)

GitHub | 17 May 14:31 2015

[lxc/lxc] a73077: coverity: free 'result' in error case.

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: a73077478d731b9e9f1832244e1432a9283b7db0
      https://github.com/lxc/lxc/commit/a73077478d731b9e9f1832244e1432a9283b7db0
  Author: Serge Hallyn <serge.hallyn@...>
  Date:   2015-05-17 (Sun, 17 May 2015)

  Changed paths:
    M src/lxc/conf.c

  Log Message:
  -----------
  coverity: free 'result' in error case.

Signed-off-by: Serge Hallyn <serge.hallyn@...>

Eric W. Biederman | 16 May 07:03 2015

Re: Working with glibc (PID/TID caches).

"Carlos O'Donell" <carlos <at> redhat.com> writes:

> On 08/06/2014 05:46 PM, Serge Hallyn wrote:
>> Quoting Eric W. Biederman (ebiederm <at> xmission.com):
>>> Serge Hallyn <serge.hallyn <at> ubuntu.com> writes:
>
> Reviving this super-old discussion because it went in a direction
> that I didn't expect.
>
>>>> Quoting Eric W. Biederman (ebiederm <at> xmission.com):
>>>>> It would be nice if at least malloc and C++ new were safe (and
>>>>> documented as safe) after fork in a pthread environment.  That would go
>>>>> a long ways to allowing running interesting set up code without having
>>>>> to jump through hoops.
>>>>
>>>> I'm pretty sure malloc is in fact thread-safe.  For some time I was
>>>> paranoid about file table operations (like fopen) and mutexed them
>>>> all, but we eventually realized that those are also thread-safe.
>>>
>>> The dangerous part I was referring to is what happens when someone
>>> holds a mutex and calls fork(3) or clone(3).
>>>
>>> I had missed the existence of pthread_atfork and malloc in glibc
>>> very clearly has atfork handlers so malloc should be safe after
>>> fork(3).
>
> Correct.
>
>>> However, I just tested it and clone(3) without CLONE_VM does not
>>> call the atfork handlers which is a nasty problem to work with.
(Continue reading)

Eric W. Biederman | 16 May 07:53 2015

Re: Working with glibc (PID/TID caches).

"Carlos O'Donell" <carlos <at> redhat.com> writes:

> On 05/16/2015 01:03 AM, Eric W. Biederman wrote:
>>> Such reasons would help inform a new API design.
>> 
>> So we could specify flags that create namespaces aka: CLONE_NEWNS,
>> CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER, CLONE_NEWPID, CLONE_NEWNET
>> 
>> We are talking about container creation after all.
>> 
>> At the same time since we are creating a new virtual address space it
>> would be handy if we didn't need to do all of the work to set up a new
>> stack as the existing stack is perfectly functional.
>
> Agreed.
>
> Ricky Zhou brought this up on libc-alpha on 2014-11-20 [1].
>
> We discussed a new clone wrapper alternative that does more of
> what you want including:
>
> * Reset pid cache.
> * Manage stack for you (somehow).
Without CLONE_VM you can just reuse the stack (unless you are using
the libc clone wrapper).
> * Must not set CLONE_VM, but allow other flags.
Yes, the kernel should take care of any other illegal combinations.

> However, the basic question remains: Are you using clone for
> performance reasons to avoid fork or exec? Why use raw clone?
(Continue reading)
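
An added example, not code from this thread, from glibc or from lxc, demonstrating the two points made above: fork() runs the pthread_atfork child handler while a clone without CLONE_VM does not, and, without CLONE_VM, the child can keep running on the copy of the parent's stack (newsp = 0 to the raw syscall) instead of a freshly set-up one, which is what the libc clone() wrapper would demand. It assumes Linux with glibc and an architecture where flags is the first argument of the raw clone syscall (x86, arm64); all other arguments are zero, so their order does not matter there.

```c
/* Added example, not lxc or glibc code: which way of spawning a child runs the
 * pthread_atfork child handlers? */
#define _GNU_SOURCE
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile int child_handler_ran;           /* set only by the atfork child handler */
static void note_child(void) { child_handler_ran = 1; }

/* Spawn a child with fork() (use_raw_clone == 0) or with the bare clone syscall
 * (use_raw_clone == 1) using flags = SIGCHLD only: no CLONE_VM, and newsp = 0 so
 * the child inherits a copy of this stack and simply continues below. The child
 * reports whether the atfork child handler ran. Returns 1 or 0, or -1 on error. */
int child_saw_atfork_handler(int use_raw_clone)
{
    static int registered;
    pid_t pid;
    int status;

    if (!registered) {
        if (pthread_atfork(NULL, NULL, note_child) != 0)
            return -1;
        registered = 1;
    }
    child_handler_ran = 0;

    if (use_raw_clone)
        pid = (pid_t)syscall(SYS_clone, (unsigned long)SIGCHLD, 0UL, NULL, NULL, 0UL);
    else
        pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(child_handler_ran ? 42 : 0);     /* child: report without touching stdio */

    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 42;
}

int main(void)
{
    printf("fork():      atfork child handler %s\n",
           child_saw_atfork_handler(0) == 1 ? "ran" : "did not run");
    printf("raw clone(): atfork child handler %s\n",
           child_saw_atfork_handler(1) == 1 ? "ran" : "did not run");
    return 0;
}
```

The raw-clone child gets a consistent copy of the address space, so calling into libc is not unsafe in the CLONE_VM sense; what it misses is everything glibc's fork() does around the syscall, the atfork handlers shown here among them, which is why code that spawns container init this way cannot rely on libraries having reset their post-fork state.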

GitHub | 15 May 00:16 2015

[lxc/lxc] e0bc10: Use POSIX-compliant function names in bash complet...

  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: e0bc1067693e30644f60071f0fc861a84fb3fbb6
      https://github.com/lxc/lxc/commit/e0bc1067693e30644f60071f0fc861a84fb3fbb6
  Author: Lucas Werkmeister <mail@...>
  Date:   2015-05-14 (Thu, 14 May 2015)

  Changed paths:
    M config/bash/lxc.in

  Log Message:
  -----------
  Use POSIX-compliant function names in bash completion

When running in posix mode (for example, because it was invoked as `sh`,
or with the --posix option), bash rejects the function names previously
used because they contain hyphens, which are not legal POSIX names, and
exits immediately.

This is a particularly serious problem on a system in which the
following three conditions hold:

1. The `sh` executable is provided by bash, e.g. via a symlink
2. Gnome Display Manager is used to launch X sessions
3. Bash completion is loaded in the (system or user) profile file
   instead of in the bashrc file

In that case, GDM's Xsession script (run with `sh`, i.e., bash in posix
mode) sources the profile files, thus causing the shell to load the bash
completion files. Upon encountering the non-POSIX-compliant function
(Continue reading)

