[Devel] vzmigrate for PermitRootLogin=no

2010-09-07 Thread gregwm 
i wasn't willing to enable PermitRootLogin, so i added a sudo feature to my
copy of vzmigrate, to gain root on the target server via sudo.  is this of
any interest to others?
___
Devel mailing list
Devel@openvz.org
https://openvz.org/mailman/listinfo/devel

[Devel] Re: [PATCH 1/3] cgroup : add clone_children control file

2010-09-07 Thread Daniel Lezcano 
On 09/07/2010 11:22 PM, Paul Menage wrote:
> On Tue, Sep 7, 2010 at 2:13 PM, Daniel Lezcano  wrote:
>
>> The clone_children option behaves like the release-agent mount option no ?
>>  
> Not quite, since it can be controlled on a per-cgroup basis.
>
>
>> We can mount with a specific release agent and change it at runtime. IMHO it
>> would be better to give a chance to the administrator to set its system with
>> the mount option instead of force him to write post mount scripts. An
>> alternative would be to set this cgroup option *only* via the mount option,
>> but I am not sure it is good as it may be an unresolvable constraint for a
>> system wanting to use the cgroups with and without this option (same kind of
>> constraint we have with the ns_cgroup).
>>
>> I am favorable to keep the mount option and the ability to change it for
>> another cgroup.
>>  
> OK, lets mostly keep the current patch, but lose the flag stored at
> mount-time and just report the mount option based on the current value
> of the root cgroup's flag.
>

Ok, will resend a new version.

Thanks for reviewing the patchset.

   -- Daniel
___
Containers mailing list
contain...@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

___
Devel mailing list
Devel@openvz.org
https://openvz.org/mailman/listinfo/devel

[Devel] Re: [PATCH 1/3] cgroup : add clone_children control file

2010-09-07 Thread Paul Menage 
On Tue, Sep 7, 2010 at 2:13 PM, Daniel Lezcano  wrote:
>
> The clone_children option behaves like the release-agent mount option no ?

Not quite, since it can be controlled on a per-cgroup basis.

> We can mount with a specific release agent and change it at runtime. IMHO it
> would be better to give a chance to the administrator to set its system with
> the mount option instead of force him to write post mount scripts. An
> alternative would be to set this cgroup option *only* via the mount option,
> but I am not sure it is good as it may be an unresolvable constraint for a
> system wanting to use the cgroups with and without this option (same kind of
> constraint we have with the ns_cgroup).
>
> I am favorable to keep the mount option and the ability to change it for
> another cgroup.

OK, lets mostly keep the current patch, but lose the flag stored at
mount-time and just report the mount option based on the current value
of the root cgroup's flag.

Paul
___
Containers mailing list
contain...@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

___
Devel mailing list
Devel@openvz.org
https://openvz.org/mailman/listinfo/devel

[Devel] Re: [PATCH 1/3] cgroup : add clone_children control file

2010-09-07 Thread Daniel Lezcano 
On 09/07/2010 10:26 PM, Paul Menage wrote:
> On Tue, Sep 7, 2010 at 1:23 PM, Daniel Lezcano  wrote:
>
>>> This bit is awkward - you're storing the original value of the
>>> clone_children flag to report in the mount options, but this isn't
>>> necessarily the current state. Might it be better to not store this
>>> and just report the current value of the root cgroup's
>>> CGRP_CLONE_CHILDREN flag?
>>>
>>>
>> Sure. Shall I do the same as the release agent mount option ?
>>  
> I think so - the slight problem with this new flag is that it's
> possible for the root cgroup to have one setting for clone_children
> and all its children to have a different setting. But I guess we can
> live with that. (Or maybe simply not make the default clone_children
> value a mount option, but require it to be set on the root cgroup
> after mounting?)
>

The clone_children option behaves like the release-agent mount option no 
? We can mount with a specific release agent and change it at runtime. 
IMHO it would be better to give a chance to the administrator to set its 
system with the mount option instead of force him to write post mount 
scripts. An alternative would be to set this cgroup option *only* via 
the mount option, but I am not sure it is good as it may be an 
unresolvable constraint for a system wanting to use the cgroups with and 
without this option (same kind of constraint we have with the ns_cgroup).

I am favorable to keep the mount option and the ability to change it for 
another cgroup.

   -- Daniel

___
Containers mailing list
contain...@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

___
Devel mailing list
Devel@openvz.org
https://openvz.org/mailman/listinfo/devel

[Devel] Re: [PATCH 1/3] cgroup : add clone_children control file

2010-09-07 Thread Paul Menage 
On Tue, Sep 7, 2010 at 1:23 PM, Daniel Lezcano  wrote:
>> This bit is awkward - you're storing the original value of the
>> clone_children flag to report in the mount options, but this isn't
>> necessarily the current state. Might it be better to not store this
>> and just report the current value of the root cgroup's
>> CGRP_CLONE_CHILDREN flag?
>>
>
> Sure. Shall I do the same as the release agent mount option ?

I think so - the slight problem with this new flag is that it's
possible for the root cgroup to have one setting for clone_children
and all its children to have a different setting. But I guess we can
live with that. (Or maybe simply not make the default clone_children
value a mount option, but require it to be set on the root cgroup
after mounting?)

Paul
___
Containers mailing list
contain...@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

___
Devel mailing list
Devel@openvz.org
https://openvz.org/mailman/listinfo/devel

[Devel] Re: [PATCH 2/3] cgroup : make the mount options parsing more accurate

2010-09-07 Thread Daniel Lezcano 
On 09/07/2010 09:38 PM, Paul Menage wrote:
> On Sat, Sep 4, 2010 at 12:31 AM, Daniel Lezcano  
> wrote:
>
>> The actual code does not detect 'all' with one subsystem name, which
>> is IMHO mutually exclusive and when an option is specified even if it
>> is not a subsystem name, we have to specify the 'all' option with the
>> other option.
>> eg:
>>   not detected : mount -t cgroup -o all,freezer cgroup /cgroup
>>   not flexible : mount -t cgroup -o noprefix,all cgroup /cgroup
>>
>> This patch fix this and makes the code a bit more clear by replacing
>> 'else if' indentation by 'continue' blocks in the loop.
>>  
> Can you fix this description to be clearer about the new behaviour of the 
> code?
>
> Reviewed-by: Paul Menage
>

Sure no problem.

Thanks for the review.
   -- Daniel
___
Containers mailing list
contain...@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

___
Devel mailing list
Devel@openvz.org
https://openvz.org/mailman/listinfo/devel

[Devel] Re: [PATCH 1/3] cgroup : add clone_children control file

2010-09-07 Thread Daniel Lezcano 
On 09/07/2010 09:34 PM, Paul Menage wrote:
> On Sat, Sep 4, 2010 at 12:31 AM, Daniel Lezcano  
> wrote:
>
>> @@ -229,6 +229,7 @@ inline int cgroup_is_removed(const struct cgroup *cgrp)
>>   /* bits in struct cgroupfs_root flags field */
>>   enum {
>> ROOT_NOPREFIX, /* mounted subsystems have no named prefix */
>> +   ROOT_CLONE_CHILDREN, /* mounted subsystems will inherit from parent 
>> */
>>   };
>>  
> This bit is awkward - you're storing the original value of the
> clone_children flag to report in the mount options, but this isn't
> necessarily the current state. Might it be better to not store this
> and just report the current value of the root cgroup's
> CGRP_CLONE_CHILDREN flag?
>

Sure. Shall I do the same as the release agent mount option ?

Thanks
   -- Daniel
___
Containers mailing list
contain...@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

___
Devel mailing list
Devel@openvz.org
https://openvz.org/mailman/listinfo/devel

[Devel] C/R and stdio redirection

2010-09-07 Thread Sukadev Bhattiprolu 

Suppose we create a container and redirect its stdout/stderr as follows:

lxc-execute -name foo -- /path/to/app > /tmp/xyz.out 2>&1

If we attempt to checkpoint the container 'foo', we fail bc one of the
fds in the application refers to /tmp/xyz.out, which is also in use
outside the container (specifically sys_checkpoint() fails due to the
"alien mount ns" check in ckpt_fill_fname()).

It can be argued, 'foo' is not a strict container (since it shares the
fd with another container).  For this reason, we currently need the
CHECKPOINT_SUBTREE flag in lxc-checkpoint.

We initially thought that solving mount-namespaces will solve this, but
realized that they are both separate problems. Mount-namespace C/R addresses
preserving the mounts within the container and /tmp/xyz.out is outside
the container.

So if an application container needs to redirect stdio as above, we should
either 
a) disable/ignore the alien-mount-ns check or 

b) try and start the application something like:

$ cat /tmp/wrapper
/path/to/app > /tmp/xyz.out 2>&1

$ lxc-execute --name foo --  /tmp/wrapper

with the difference being /tmp/xyz.out is now inside the container's /tmp
filesystem rather than in the parent container.

Maybe we can go with approach 'a' above only if CHECKPOINT_SUBTREE is also
set - we had discussed this before and considered it hacky.

Or are there other solutions to this stdio redirection issue ?

Thanks,

Sukadev
___
Containers mailing list
contain...@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

___
Devel mailing list
Devel@openvz.org
https://openvz.org/mailman/listinfo/devel

[Devel] Re: [PATCH 2/3] cgroup : make the mount options parsing more accurate

2010-09-07 Thread Paul Menage 
On Sat, Sep 4, 2010 at 12:31 AM, Daniel Lezcano  wrote:
> The actual code does not detect 'all' with one subsystem name, which
> is IMHO mutually exclusive and when an option is specified even if it
> is not a subsystem name, we have to specify the 'all' option with the
> other option.
> eg:
>  not detected : mount -t cgroup -o all,freezer cgroup /cgroup
>  not flexible : mount -t cgroup -o noprefix,all cgroup /cgroup
>
> This patch fix this and makes the code a bit more clear by replacing
> 'else if' indentation by 'continue' blocks in the loop.

Can you fix this description to be clearer about the new behaviour of the code?

Reviewed-by: Paul Menage 
___
Containers mailing list
contain...@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

___
Devel mailing list
Devel@openvz.org
https://openvz.org/mailman/listinfo/devel

[Devel] Re: [PATCH 1/3] cgroup : add clone_children control file

2010-09-07 Thread Paul Menage 
On Sat, Sep 4, 2010 at 12:31 AM, Daniel Lezcano  wrote:
> @@ -229,6 +229,7 @@ inline int cgroup_is_removed(const struct cgroup *cgrp)
>  /* bits in struct cgroupfs_root flags field */
>  enum {
>        ROOT_NOPREFIX, /* mounted subsystems have no named prefix */
> +       ROOT_CLONE_CHILDREN, /* mounted subsystems will inherit from parent */
>  };

This bit is awkward - you're storing the original value of the
clone_children flag to report in the mount options, but this isn't
necessarily the current state. Might it be better to not store this
and just report the current value of the root cgroup's
CGRP_CLONE_CHILDREN flag?

Paul
___
Containers mailing list
contain...@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

___
Devel mailing list
Devel@openvz.org
https://openvz.org/mailman/listinfo/devel