[lxc-devel] LXC 1.1.4 has been released!

2015-10-06 Thread Stéphane Graber 
Hello everyone,

The fourth LXC 1.1 bugfix release is now out!

This includes all bugfixes committed to master since the release of LXC 1.1.3.

As usual, the full announcement and changelog may be found at:
https://linuxcontainers.org/lxc/news/

And our tarballs can be downloaded from:
https://linuxcontainers.org/lxc/downloads/


LXC 1.1 is the latest stable release of LXC. Note that this isn't a long
term support release and it will only be supported for a year.

For production environments, we still recommend using LXC 1.0 which we
will be supporting until April 2019.


Stéphane Graber
On behalf of the LXC development team


signature.asc
Description: Digital signature
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [lxc/lxc]

2015-10-06 Thread GitHub 
  Branch: refs/tags/lxc-1.1.4
  Home:   https://github.com/lxc/lxc
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] Passed: lxc/lxc#1282 (lxc-1.1.4 - e9bcaaf)

2015-10-06 Thread Travis CI 
Build Update for lxc/lxc
-

Build: #1282
Status: Passed

Duration: 1 minute and 12 seconds
Commit: e9bcaaf (lxc-1.1.4)
Author: Stéphane Graber
Message: change version to 1.1.4 in configure.ac

Signed-off-by: Stéphane Graber 

View the changeset: https://github.com/lxc/lxc/compare/lxc-1.1.4

View the full build log and details: 
https://travis-ci.org/lxc/lxc/builds/83900058

--

You can configure recipients for build notifications in your .travis.yml file. 
See http://docs.travis-ci.com/user/notifications



___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [lxc/lxc] e9bcaa: change version to 1.1.4 in configure.ac

2015-10-06 Thread GitHub 
  Branch: refs/heads/stable-1.1
  Home:   https://github.com/lxc/lxc
  Commit: e9bcaafeaa73d0f8f0ef8a0190cb74abd8f11db0
  https://github.com/lxc/lxc/commit/e9bcaafeaa73d0f8f0ef8a0190cb74abd8f11db0
  Author: Stéphane Graber 
  Date:   2015-10-06 (Tue, 06 Oct 2015)

  Changed paths:
M configure.ac

  Log Message:
  ---
  change version to 1.1.4 in configure.ac

Signed-off-by: Stéphane Graber 


___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

Re: [lxc-devel] [PATCH v3 7/7] added the unmount-namespace hook

2015-10-06 Thread Serge Hallyn 
Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
> Signed-off-by: Wolfgang Bumiller 

Hi Wolfgang,

Thanks for resending.

I'm a very forgetful person.  If you could (in the future - don't resend
this one) add a changelog showing what's changed, that would make my
reviews a lot faster :)

Looks good,

Acked-by: Serge E. Hallyn 

Stéphane, this is going to need packaging jujitsu for multiarch
I assume, I'm not sure how we'll handle that.

> ---
>  hooks/Makefile.am |   6 ++
>  hooks/unmount-namespace.c | 213 
> ++
>  2 files changed, 219 insertions(+)
>  create mode 100644 hooks/unmount-namespace.c
> 
> diff --git a/hooks/Makefile.am b/hooks/Makefile.am
> index be55601..ef82083 100644
> --- a/hooks/Makefile.am
> +++ b/hooks/Makefile.am
> @@ -6,4 +6,10 @@ hooks_SCRIPTS = \
>   ubuntu-cloud-prep \
>   squid-deb-proxy-client
>  
> +hooks_PROGRAMS = \
> + unmount-namespace
> +
> +unmount_namespace_SOURCES = \
> + unmount-namespace.c
> +
>  EXTRA_DIST=$(hooks_SCRIPTS)
> diff --git a/hooks/unmount-namespace.c b/hooks/unmount-namespace.c
> new file mode 100644
> index 000..488c9cc
> --- /dev/null
> +++ b/hooks/unmount-namespace.c
> @@ -0,0 +1,213 @@
> +/*
> + * Copyright © 2015 Wolfgang Bumiller .
> + * Copyright © 2015 Proxmox Server Solutions GmbH
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2, as
> + * published by the Free Software Foundation.
> + *
> + * This program is distributed in the hope that it will be useful,
> + * but WITHOUT ANY WARRANTY; without even the implied warranty of
> + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> + * GNU General Public License for more details.
> + *
> + * You should have received a copy of the GNU General Public License along
> + * with this program; if not, write to the Free Software Foundation, Inc.,
> + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> + *
> + * --
> + *
> + * This stop-hook unmounts everything in the container's namespace, and 
> thereby
> + * waits for all calls commands to finish. This is useful when one needs to 
> be
> + * sure that network filesystems are finished unmounting in the namespace
> + * before continuing with other tasks. Without this hook the cleanup of 
> mounts
> + * is done by the kernel in the background after all the references to the
> + * namespaces are gone.
> + */
> +
> +#define _GNU_SOURCE/* setns */
> +#include  /* fdopen, getmntent, endmntent */
> +#include /* malloc, qsort */
> +#include /* close */
> +#include /* strcmp, strncmp, strdup, strerror */
> +#include  /* setns */
> +#include  /* umount2 */
> +#include  /* openat, open */
> +#include   /* openat, open */
> +#include  /* openat, open */
> +#include /* getmntent, endmntent */
> +#include  /* errno */
> +
> +struct mount {
> + char *src; /* currently not used */
> + char *dst;
> + char *fs; /* currently not used */
> +};
> +
> +static void mount_free(struct mount *mnt) {
> + free(mnt->src);
> + free(mnt->dst);
> + free(mnt->fs);
> +}
> +
> +static int mount_cmp_dst(const void *a_, const void *b_) {
> + struct mount *a = (struct mount*)a_;
> + struct mount *b = (struct mount*)b_;
> + return strcmp(b->dst, a->dst); /* swapped order */
> +}
> +
> +/* Unmounting /dev/pts fails, and  so /dev also fails, but /dev is not what
> + * we're interested in. (There might also still be /dev/cgroup mounts).
> + */
> +static int mount_should_error(const struct mount *mnt) {
> + const char *dst = mnt->dst;
> + return !(strncmp(dst, "/dev", 4) == 0 && (dst[4] == 0 || dst[4] == 
> '/'));
> +}
> +
> +/* Read mounts from 'self/mounts' relative to a directory filedescriptor.
> + * Before entering the container we open a handle to /proc on the host as we
> + * need to access /proc/self/mounts and the container's /proc doesn't contain
> + * our /self. We then use openat(2) to avoid having to mount a temporary 
> /proc.
> + */
> +static int read_mounts(int procfd, struct mount **mp, size_t *countp) {
> + int fd;
> + struct mntent *ent;
> + FILE *mf;
> + size_t capacity = 32;
> + size_t count = 0;
> + struct mount *mounts = (struct mount*)malloc(capacity * 
> sizeof(*mounts));
> +
> + if (!mounts) {
> + errno = ENOMEM;
> + return 0;
> + }
> +
> + *mp = NULL;
> + *countp = 0;
> +
> + fd = openat(procfd, "self/mounts", O_RDONLY);
> + if (fd < 0)
> + return 0;
> +
> + mf = fdopen(fd, "r");
> + if (!mf) {
> + int error = errno;
> + close(fd);
> + errno = error;
> + return 0;
> + }
> + while ((ent = getmntent(mf))) {
> + struct mount *new;
> + if (count == capacity)

[lxc-devel] [PATCH v5] Make overlayfs mounts work directly

2015-10-06 Thread Christian Brauner 
When users wanted to mount overlay directories with lxc.mount.entry they had to
create upperdirs and workdirs beforehand in order to mount them. To create it
for them we add the functions mount_entry_create_overlay_dirs() and
mount_entry_create_aufs_dirs() which do this for them. User can now simply
specify e.g.:

lxc.mount.entry = /lower merged overlay 
lowerdir=/lower,upper=/upper,workdir=/workdir,create=dir

and /upper and /workdir will be created for them. /upper and /workdir need to
be absolute paths to directories which are created under the containerdir (e.g.
under $lxcpath/CONTAINERNAME/). Relative mountpoints, mountpoints outside the
containerdir, and mountpoints within the container's rootfs are ignored. (The
latter *might* change in the future should it be considered safe/useful.)

Specifying

lxc.mount.entry = /lower merged overlay 
lowerdir=/lower:/lower2,create=dir

will lead to a read-only overlay mount in accordance with the
kernel-documentation.

Specifying

lxc.mount.entry = /lower merged overlay lowerdir=/lower,create=dir

will fail when no upperdir and workdir options are given.

Signed-off-by: Christian Brauner 
Acked-by: Serge E. Hallyn 
---
 src/lxc/conf.c | 162 -
 1 file changed, 150 insertions(+), 12 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 6728c78..5a3209a 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1815,13 +1815,151 @@ static void cull_mntent_opt(struct mntent *mntent)
}
 }
 
+static int mount_entry_create_overlay_dirs(const struct mntent *mntent,
+  const struct lxc_rootfs *rootfs)
+{
+   char *del = NULL;
+   char *lxcpath = NULL;
+   char *upperdir = NULL;
+   char *workdir = NULL;
+   char **opts = NULL;
+   size_t arrlen = 0;
+   size_t dirlen = 0;
+   size_t i;
+   size_t len = 0;
+   size_t rootfslen = 0;
+
+   if (!rootfs->path)
+   return -1;
+
+   opts = lxc_string_split(mntent->mnt_opts, ',');
+   if (opts)
+   arrlen = lxc_array_len((void **)opts);
+   else
+   return -1;
+
+   for (i = 0; i < arrlen; i++) {
+   if (strstr(opts[i], "upperdir=") && (strlen(opts[i]) > (len = 
strlen("upperdir="
+   upperdir = opts[i] + len;
+   else if (strstr(opts[i], "workdir=") && (strlen(opts[i]) > (len 
= strlen("workdir="
+   workdir = opts[i] + len;
+   }
+
+   lxcpath = strdup(rootfs->path);
+   if (!lxcpath) {
+   lxc_free_array((void **)opts, free);
+   return -1;
+   }
+
+   del = strstr(lxcpath, "/rootfs");
+   if (!del) {
+   free(lxcpath);
+   lxc_free_array((void **)opts, free);
+   return -1;
+   }
+   *del = '\0';
+
+   dirlen = strlen(lxcpath);
+   rootfslen = strlen(rootfs->path);
+
+   /* We neither allow users to create upperdirs and workdirs outside the
+* containerdir nor inside the rootfs. The latter might be debatable. */
+   if (upperdir)
+   if ((strncmp(upperdir, lxcpath, dirlen) == 0) && 
(strncmp(upperdir, rootfs->path, rootfslen) != 0))
+   if (mkdir_p(upperdir, 0755) < 0) {
+   WARN("Failed to create upperdir");
+   }
+
+
+   if (workdir)
+   if ((strncmp(workdir, lxcpath, dirlen) == 0) && 
(strncmp(workdir, rootfs->path, rootfslen) != 0))
+   if (mkdir_p(workdir, 0755) < 0) {
+   WARN("Failed to create workdir");
+   }
+
+   free(lxcpath);
+   lxc_free_array((void **)opts, free);
+   return 0;
+}
+
+static int mount_entry_create_aufs_dirs(const struct mntent *mntent,
+   const struct lxc_rootfs *rootfs)
+{
+   char *del = NULL;
+   char *lxcpath = NULL;
+   char *scratch = NULL;
+   char *tmp = NULL;
+   char *upperdir = NULL;
+   char **opts = NULL;
+   size_t arrlen = 0;
+   size_t i;
+   size_t len = 0;
+
+   if (!rootfs->path)
+   return -1;
+
+   opts = lxc_string_split(mntent->mnt_opts, ',');
+   if (opts)
+   arrlen = lxc_array_len((void **)opts);
+   else
+   return -1;
+
+   for (i = 0; i < arrlen; i++) {
+   if (strstr(opts[i], "br=") && (strlen(opts[i]) > (len = 
strlen("br="
+   tmp = opts[i] + len;
+   }
+   if (!tmp) {
+   lxc_free_array((void **)opts, free);
+   return -1;
+   }
+
+   upperdir = strtok_r(tmp, ":=", );
+   if (!upperdir) {
+   lxc_free_array((void **)opts, free);
+   return -1;
+   }
+
+   lxcpath = strdup(rootfs->path);
+

[lxc-devel] [PATCH v5] Make overlayfs mounts work directly

2015-10-06 Thread Christian Brauner 
No changes apart from the ones Serge requested. Adding
Acked-by: Serge E. Hallyn 
with Serge's permission. (see hist comments to [PATCH v4])

Christian Brauner (1):
  Make overlayfs mounts work directly

 src/lxc/conf.c | 162 -
 1 file changed, 150 insertions(+), 12 deletions(-)

-- 
2.6.1

___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

Re: [lxc-devel] [PATCH v4] Make overlayfs mounts work directly

2015-10-06 Thread Serge Hallyn 
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> When users wanted to mount overlay directories with lxc.mount.entry they had 
> to
> create upperdirs and workdirs beforehand in order to mount them. To create it
> for them we add the functions mount_entry_create_overlay_dirs() and
> mount_entry_create_aufs_dirs() which do this for them. User can now simply
> specify e.g.:
> 
> lxc.mount.entry = /lower merged overlay 
> lowerdir=/lower,upper=/upper,workdir=/workdir,create=dir
> 
> and /upper and /workdir will be created for them. /upper and /workdir need to
> be absolute paths to directories which are created under the containerdir 
> (e.g.
> under $lxcpath/CONTAINERNAME/). Relative mountpoints, mountpoints outside the
> containerdir, and mountpoints within the container's rootfs are ignored. (The
> latter *might* change in the future should it be considered safe/useful.)
> 
> Specifying
> 
> lxc.mount.entry = /lower merged overlay 
> lowerdir=/lower:/lower2,create=dir
> 
> will lead to a read-only overlay mount in accordance with the
> kernel-documentation.
> 
> Specifying
> 
> lxc.mount.entry = /lower merged overlay lowerdir=/lower,create=dir
> 
> will fail when no upperdir and workdir options are given.
> 
> Signed-off-by: Christian Brauner 

Comments below.  If you resend with those fixed and no other changes, please
add my Acked-by: Serge E. Hallyn 

> ---
>  src/lxc/conf.c | 156 
> -
>  1 file changed, 144 insertions(+), 12 deletions(-)
> 
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 6728c78..0fde952 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -1815,13 +1815,145 @@ static void cull_mntent_opt(struct mntent *mntent)
>   }
>  }
>  
> +static int mount_entry_create_overlay_dirs(const struct mntent *mntent,
> +const struct lxc_rootfs *rootfs)
> +{
> + char *del = NULL;
> + char *lxcpath = NULL;
> + char *upperdir = NULL;
> + char *workdir = NULL;
> + char **opts = NULL;
> + size_t arrlen = 0;
> + size_t dirlen = 0;
> + size_t i;
> + size_t len = 0;
> + size_t rootfslen = 0;
> +
> + if (!rootfs->path)
> + return -1;
> +
> + opts = lxc_string_split(mntent->mnt_opts, ',');
> + if (opts)
> + arrlen = lxc_array_len((void **)opts);
> + else
> + return -1;
> +
> + for (i = 0; i < arrlen; i++) {
> + if (strstr(opts[i], "upperdir=") && (strlen(opts[i]) > (len = 
> strlen("upperdir="
> + upperdir = opts[i] + len;

Note the multiple indent is done for continuation of condition.  The action
should be indented with one tab.

> + else if (strstr(opts[i], "workdir=") && (strlen(opts[i]) > (len 
> = strlen("workdir="
> + workdir = opts[i] + len;
> + }
> +
> + lxcpath = strdup(rootfs->path);
> + if (!lxcpath) {
> + lxc_free_array((void **)opts, free);
> + return -1;
> + }
> +
> + del = strstr(lxcpath, "/rootfs");
> + if (!del)

Why no lxc_free_array and free(path) here?

> + return -1;
> + *del = '\0';
> +
> + dirlen = strlen(lxcpath);
> + rootfslen = strlen(rootfs->path);
> +
> + /* We neither allow users to create upperdirs and workdirs outside the
> +  * containerdir nor inside the rootfs. The latter might be debatable. */
> + if (upperdir)
> + if ((strncmp(upperdir, lxcpath, dirlen) == 0) && 
> (strncmp(upperdir, rootfs->path, rootfslen) != 0))
> + if (mkdir_p(upperdir, 0755) < 0) {
> + WARN("Failed to create upperdir");
> + }
> +
> +
> + if (workdir)
> + if ((strncmp(workdir, lxcpath, dirlen) == 0) && 
> (strncmp(workdir, rootfs->path, rootfslen) != 0))
> + if (mkdir_p(workdir, 0755) < 0) {
> + WARN("Failed to create workdir");
> + }
> +
> + free(lxcpath);
> + lxc_free_array((void **)opts, free);
> + return 0;
> +}
> +
> +static int mount_entry_create_aufs_dirs(const struct mntent *mntent,
> + const struct lxc_rootfs *rootfs)
> +{
> + char *del = NULL;
> + char *lxcpath = NULL;
> + char *scratch = NULL;
> + char *tmp = NULL;
> + char *upperdir = NULL;
> + char **opts = NULL;
> + size_t arrlen = 0;
> + size_t i;
> + size_t len = 0;
> +
> + if (!rootfs->path)
> + return -1;
> +
> + opts = lxc_string_split(mntent->mnt_opts, ',');
> + if (opts)
> + arrlen = lxc_array_len((void **)opts);
> + else
> + return -1;
> +
> + for (i = 0; i < arrlen; i++) {
> + if (strstr(opts[i], "br=") && (strlen(opts[i]) > (len = 
> strlen("br="
> +

Re: [lxc-devel] [PATCH v5] Make overlayfs mounts work directly

2015-10-06 Thread Christian Brauner 
I now wonder if it wouldn't be smarter to force users to specify relative paths
for upper and workdir

lxc.mount.entry = /lower merged overlay 
lowerdir=/lower,upper=upper,workdir=workdir,create=dir

and fill in the missing path in mount_entry_create_*_dirs(). Otherwise these
mounts won't work out of the box when a clone of the container is made and
started... Thoughts?

On Tue, Oct 06, 2015 at 08:38:13PM +0200, Christian Brauner wrote:
> When users wanted to mount overlay directories with lxc.mount.entry they had 
> to
> create upperdirs and workdirs beforehand in order to mount them. To create it
> for them we add the functions mount_entry_create_overlay_dirs() and
> mount_entry_create_aufs_dirs() which do this for them. User can now simply
> specify e.g.:
> 
> lxc.mount.entry = /lower merged overlay 
> lowerdir=/lower,upper=/upper,workdir=/workdir,create=dir
> 
> and /upper and /workdir will be created for them. /upper and /workdir need to
> be absolute paths to directories which are created under the containerdir 
> (e.g.
> under $lxcpath/CONTAINERNAME/). Relative mountpoints, mountpoints outside the
> containerdir, and mountpoints within the container's rootfs are ignored. (The
> latter *might* change in the future should it be considered safe/useful.)
> 
> Specifying
> 
> lxc.mount.entry = /lower merged overlay 
> lowerdir=/lower:/lower2,create=dir
> 
> will lead to a read-only overlay mount in accordance with the
> kernel-documentation.
> 
> Specifying
> 
> lxc.mount.entry = /lower merged overlay lowerdir=/lower,create=dir
> 
> will fail when no upperdir and workdir options are given.
> 
> Signed-off-by: Christian Brauner 
> Acked-by: Serge E. Hallyn 
> ---
>  src/lxc/conf.c | 162 
> -
>  1 file changed, 150 insertions(+), 12 deletions(-)
> 
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 6728c78..5a3209a 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -1815,13 +1815,151 @@ static void cull_mntent_opt(struct mntent *mntent)
>   }
>  }
>  
> +static int mount_entry_create_overlay_dirs(const struct mntent *mntent,
> +const struct lxc_rootfs *rootfs)
> +{
> + char *del = NULL;
> + char *lxcpath = NULL;
> + char *upperdir = NULL;
> + char *workdir = NULL;
> + char **opts = NULL;
> + size_t arrlen = 0;
> + size_t dirlen = 0;
> + size_t i;
> + size_t len = 0;
> + size_t rootfslen = 0;
> +
> + if (!rootfs->path)
> + return -1;
> +
> + opts = lxc_string_split(mntent->mnt_opts, ',');
> + if (opts)
> + arrlen = lxc_array_len((void **)opts);
> + else
> + return -1;
> +
> + for (i = 0; i < arrlen; i++) {
> + if (strstr(opts[i], "upperdir=") && (strlen(opts[i]) > (len = 
> strlen("upperdir="
> + upperdir = opts[i] + len;
> + else if (strstr(opts[i], "workdir=") && (strlen(opts[i]) > (len 
> = strlen("workdir="
> + workdir = opts[i] + len;
> + }
> +
> + lxcpath = strdup(rootfs->path);
> + if (!lxcpath) {
> + lxc_free_array((void **)opts, free);
> + return -1;
> + }
> +
> + del = strstr(lxcpath, "/rootfs");
> + if (!del) {
> + free(lxcpath);
> + lxc_free_array((void **)opts, free);
> + return -1;
> + }
> + *del = '\0';
> +
> + dirlen = strlen(lxcpath);
> + rootfslen = strlen(rootfs->path);
> +
> + /* We neither allow users to create upperdirs and workdirs outside the
> +  * containerdir nor inside the rootfs. The latter might be debatable. */
> + if (upperdir)
> + if ((strncmp(upperdir, lxcpath, dirlen) == 0) && 
> (strncmp(upperdir, rootfs->path, rootfslen) != 0))
> + if (mkdir_p(upperdir, 0755) < 0) {
> + WARN("Failed to create upperdir");
> + }
> +
> +
> + if (workdir)
> + if ((strncmp(workdir, lxcpath, dirlen) == 0) && 
> (strncmp(workdir, rootfs->path, rootfslen) != 0))
> + if (mkdir_p(workdir, 0755) < 0) {
> + WARN("Failed to create workdir");
> + }
> +
> + free(lxcpath);
> + lxc_free_array((void **)opts, free);
> + return 0;
> +}
> +
> +static int mount_entry_create_aufs_dirs(const struct mntent *mntent,
> + const struct lxc_rootfs *rootfs)
> +{
> + char *del = NULL;
> + char *lxcpath = NULL;
> + char *scratch = NULL;
> + char *tmp = NULL;
> + char *upperdir = NULL;
> + char **opts = NULL;
> + size_t arrlen = 0;
> + size_t i;
> + size_t len = 0;
> +
> + if (!rootfs->path)
> + return -1;
> +
> + opts = lxc_string_split(mntent->mnt_opts, ',');
> + if (opts)
> +

Re: [lxc-devel] [PATCH v3] Make overlayfs mounts work directly

2015-10-06 Thread Christian Brauner 
Updated version (v4) to follow.

On Mon, Oct 05, 2015 at 01:45:53PM +, Serge Hallyn wrote:
> Quoting Christian Brauner (christianvanbrau...@gmail.com):
> > When users wanted to mount overlay directories with lxc.mount.entry they 
> > had to
> > create upperdirs and workdirs beforehand in order to mount them. To create 
> > it
> > for them we add the functions mount_entry_create_overlay_dirs() and
> > mount_entry_create_aufs_dirs() which do this for them. User can now simply
> > specify e.g.:
> > 
> > lxc.mount.entry = /lower merged overlay 
> > lowerdir=/lower,upper=/upper,workdir=/workdir,create=dir
> > 
> > and /upper and /workdir will be created for them. /upper and /workdir need 
> > to
> > be absolute paths to directories which are created under the containerdir 
> > (e.g.
> > $lxcpath/container/). Relative mountpoints and mountpoints within the
> > container's rootfs and outside the containerdir are ignored. (The latter
> > *might* change in the future should it be considered safe/useful.)
> > 
> > Specifying
> > 
> > lxc.mount.entry = /lower merged overlay 
> > lowerdir=/lower:/lower2,create=dir
> > 
> > will lead to a read-only overlay mount in accordance with the
> > kernel-documentation.
> > 
> > Specifying
> > 
> > lxc.mount.entry = /lower merged overlay lowerdir=/lower,create=dir
> > 
> > will fail when no upperdir and workdir options are given.
> > 
> > Signed-off-by: Christian Brauner 
> > ---
> >  src/lxc/conf.c | 153 
> > -
> >  1 file changed, 141 insertions(+), 12 deletions(-)
> > 
> > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > index bb4c19f..bb415ba 100644
> > --- a/src/lxc/conf.c
> > +++ b/src/lxc/conf.c
> > @@ -1813,13 +1813,142 @@ static void cull_mntent_opt(struct mntent *mntent)
> > }
> >  }
> >  
> > +static int mount_entry_create_overlay_dirs(const struct mntent *mntent,
> > +  const struct lxc_rootfs *rootfs)
> > +{
> > +   char *containerdir = NULL;
> > +   char *del = NULL;
> > +   char *upperdir = NULL;
> > +   char *workdir = NULL;
> > +   char **opts = NULL;
> > +   size_t arrlen = 0;
> > +   size_t dirlen = 0;
> > +   size_t i;
> > +   size_t len = 0;
> > +   size_t rootfslen = 0;
> > +
> > +   opts = lxc_string_split(mntent->mnt_opts, ',');
> > +   if (opts)
> > +   arrlen = lxc_array_len((void **)opts);
> > +   else
> > +   return -1;
> > +
> > +   for (i = 0; i < arrlen; i++) {
> > +   if (strstr(opts[i], "upperdir=") && (strlen(opts[i]) > (len = 
> > strlen("upperdir="
> > +   upperdir = opts[i] + len;
> > +   else if (strstr(opts[i], "workdir=") && (strlen(opts[i]) > (len 
> > = strlen("workdir="
> > +   workdir = opts[i] + len;
> > +   }
> > +
> > +   containerdir = strdup(rootfs->path);
> > +   if (!containerdir) {
> > +   lxc_free_array((void **)opts, free);
> > +   return -1;
> > +   }
> > +
> > +   if ((del = strstr(containerdir, "/rootfs"))) {
> > +   memmove(del, del + 7, strlen(del) - 7 + 1);
> 
> if rootfs->path happens to be /a/b/c/rootfs/d/e, you'll end up
> making containerpath = /a/b/c/d/e right?  Is that what you want, or
> do you just want to *del = 0; ?
> 
> > +   }
> > +
> > +   dirlen = strlen(containerdir);
> > +   rootfslen = strlen(rootfs->path);
> > +
> > +   /* We neither allow users to create upperdirs and workdirs outside the
> > +* containerdir nor inside the rootfs. The latter might be debatable. */
> > +   if (upperdir)
> > +   if ((strncmp(upperdir, containerdir, dirlen) == 0) && 
> > (strncmp(upperdir, rootfs->path, rootfslen) != 0))
> > +   if (mkdir_p(upperdir, 0755) < 0) {
> > +   WARN("Failed to create upperdir");
> > +   }
> > +
> > +
> > +   if (workdir)
> > +   if ((strncmp(workdir, containerdir, dirlen) == 0) && 
> > (strncmp(workdir, rootfs->path, rootfslen) != 0))
> > +   if (mkdir_p(workdir, 0755) < 0) {
> > +   WARN("Failed to create workdir");
> > +   }
> > +
> > +   free(containerdir);
> > +   lxc_free_array((void **)opts, free);
> > +   return 0;
> > +}
> > +
> > +static int mount_entry_create_aufs_dirs(const struct mntent *mntent,
> > +   const struct lxc_rootfs *rootfs)
> > +{
> > +   char *containerdir = NULL;
> > +   char *del = NULL;
> > +   char *scratch = NULL;
> > +   char *tmp = NULL;
> > +   char *upperdir = NULL;
> > +   char **opts = NULL;
> > +   size_t arrlen = 0;
> > +   size_t dirlen = 0;
> > +   size_t i;
> > +   size_t len = 0;
> > +   size_t rootfslen = 0;
> > +
> > +   opts = lxc_string_split(mntent->mnt_opts, ',');
> > +   if (opts)
> > +   arrlen = lxc_array_len((void **)opts);
> > +   else
> > +   return -1;
> > +
> > +   for (i = 0; i < arrlen; i++) {
> >

[lxc-devel] [PATCH v4] Make overlayfs mounts work directly

2015-10-06 Thread Christian Brauner 
I now included a check whether rootfs->path is empty in
mount_entry_create_overlay_dirs() mount_entry_create_aufs_dirs().

Christian Brauner (1):
  Make overlayfs mounts work directly

 src/lxc/conf.c | 156 -
 1 file changed, 144 insertions(+), 12 deletions(-)

-- 
2.6.1

___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [PATCH v4] Make overlayfs mounts work directly

2015-10-06 Thread Christian Brauner 
When users wanted to mount overlay directories with lxc.mount.entry they had to
create upperdirs and workdirs beforehand in order to mount them. To create it
for them we add the functions mount_entry_create_overlay_dirs() and
mount_entry_create_aufs_dirs() which do this for them. User can now simply
specify e.g.:

lxc.mount.entry = /lower merged overlay 
lowerdir=/lower,upper=/upper,workdir=/workdir,create=dir

and /upper and /workdir will be created for them. /upper and /workdir need to
be absolute paths to directories which are created under the containerdir (e.g.
under $lxcpath/CONTAINERNAME/). Relative mountpoints, mountpoints outside the
containerdir, and mountpoints within the container's rootfs are ignored. (The
latter *might* change in the future should it be considered safe/useful.)

Specifying

lxc.mount.entry = /lower merged overlay 
lowerdir=/lower:/lower2,create=dir

will lead to a read-only overlay mount in accordance with the
kernel-documentation.

Specifying

lxc.mount.entry = /lower merged overlay lowerdir=/lower,create=dir

will fail when no upperdir and workdir options are given.

Signed-off-by: Christian Brauner 
---
 src/lxc/conf.c | 156 -
 1 file changed, 144 insertions(+), 12 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 6728c78..0fde952 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -1815,13 +1815,145 @@ static void cull_mntent_opt(struct mntent *mntent)
}
 }
 
+static int mount_entry_create_overlay_dirs(const struct mntent *mntent,
+  const struct lxc_rootfs *rootfs)
+{
+   char *del = NULL;
+   char *lxcpath = NULL;
+   char *upperdir = NULL;
+   char *workdir = NULL;
+   char **opts = NULL;
+   size_t arrlen = 0;
+   size_t dirlen = 0;
+   size_t i;
+   size_t len = 0;
+   size_t rootfslen = 0;
+
+   if (!rootfs->path)
+   return -1;
+
+   opts = lxc_string_split(mntent->mnt_opts, ',');
+   if (opts)
+   arrlen = lxc_array_len((void **)opts);
+   else
+   return -1;
+
+   for (i = 0; i < arrlen; i++) {
+   if (strstr(opts[i], "upperdir=") && (strlen(opts[i]) > (len = 
strlen("upperdir="
+   upperdir = opts[i] + len;
+   else if (strstr(opts[i], "workdir=") && (strlen(opts[i]) > (len 
= strlen("workdir="
+   workdir = opts[i] + len;
+   }
+
+   lxcpath = strdup(rootfs->path);
+   if (!lxcpath) {
+   lxc_free_array((void **)opts, free);
+   return -1;
+   }
+
+   del = strstr(lxcpath, "/rootfs");
+   if (!del)
+   return -1;
+   *del = '\0';
+
+   dirlen = strlen(lxcpath);
+   rootfslen = strlen(rootfs->path);
+
+   /* We neither allow users to create upperdirs and workdirs outside the
+* containerdir nor inside the rootfs. The latter might be debatable. */
+   if (upperdir)
+   if ((strncmp(upperdir, lxcpath, dirlen) == 0) && 
(strncmp(upperdir, rootfs->path, rootfslen) != 0))
+   if (mkdir_p(upperdir, 0755) < 0) {
+   WARN("Failed to create upperdir");
+   }
+
+
+   if (workdir)
+   if ((strncmp(workdir, lxcpath, dirlen) == 0) && 
(strncmp(workdir, rootfs->path, rootfslen) != 0))
+   if (mkdir_p(workdir, 0755) < 0) {
+   WARN("Failed to create workdir");
+   }
+
+   free(lxcpath);
+   lxc_free_array((void **)opts, free);
+   return 0;
+}
+
+static int mount_entry_create_aufs_dirs(const struct mntent *mntent,
+   const struct lxc_rootfs *rootfs)
+{
+   char *del = NULL;
+   char *lxcpath = NULL;
+   char *scratch = NULL;
+   char *tmp = NULL;
+   char *upperdir = NULL;
+   char **opts = NULL;
+   size_t arrlen = 0;
+   size_t i;
+   size_t len = 0;
+
+   if (!rootfs->path)
+   return -1;
+
+   opts = lxc_string_split(mntent->mnt_opts, ',');
+   if (opts)
+   arrlen = lxc_array_len((void **)opts);
+   else
+   return -1;
+
+   for (i = 0; i < arrlen; i++) {
+   if (strstr(opts[i], "br=") && (strlen(opts[i]) > (len = 
strlen("br="
+   tmp = opts[i] + len;
+   }
+   if (!tmp) {
+   lxc_free_array((void **)opts, free);
+   return -1;
+   }
+
+   upperdir = strtok_r(tmp, ":=", );
+   if (!upperdir) {
+   lxc_free_array((void **)opts, free);
+   return -1;
+   }
+
+   lxcpath = strdup(rootfs->path);
+   if (!lxcpath) {
+   lxc_free_array((void **)opts, free);
+   return -1;
+   }
+
+   del =

[lxc-devel] [PATCH] doc: Add lxc.ephemeral in Japanese lxc.container.conf(5)

2015-10-06 Thread KATOH Yasufumi 
Update for commit 4e6eb26

Signed-off-by: KATOH Yasufumi 
---
 doc/ja/lxc.container.conf.sgml.in | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/doc/ja/lxc.container.conf.sgml.in 
b/doc/ja/lxc.container.conf.sgml.in
index e07a3df..45e5c31 100644
--- a/doc/ja/lxc.container.conf.sgml.in
+++ b/doc/ja/lxc.container.conf.sgml.in
@@ -382,6 +382,32 @@ by KATOH Yasufumi 
 
 
 
+  一時的なコンテナ
+  
+
+シャットダウン後にコンテナを削除するかどうかを指定できます。
+  
+  
+
+  
+lxc.ephemeral
+  
+  
+
+  
+  指定できる値は 0 または 1 のみです。この値を 1 に設定すると、シャットダウン後にコンテナを削除します。
+
+  
+
+  
+
+
+
   ネットワーク

[lxc-devel] [PATCH v3 0/7] stop-hook with namespace access

2015-10-06 Thread Wolfgang Bumiller 
Changes to v2:
 - patch 5: turned `namespaces` into an array
   and added Acked-by Serge E. Hallyn
 - patch 7: various things listed by Serge:
   * description comment right below the license header
   * mentioned /dev/cgroup in the mount_should_error query (since it
 returns false for all /dev paths it didn't need new code)
   * read_mounts: check malloc(), realloc() and strdup()
 (With the fact that free() checks its parameter for NULL I just
 checked all 3 strdup()s together at the end.
 I set errno to ENOMEM as the caller uses strerror() on failure.
   * 'break' after finding the 'mnt:' argument

Wolfgang Bumiller (7):
  start.c:preserve_ns: added pid parameter
  preserve container namespace
  added stop-hook entries
  run stop hook between STOPPING and STOPPED states
  pass namespace handles to the stop hook
  document the stop hook
  added the unmount-namespace hook

 doc/lxc.container.conf.sgml.in |  27 +-
 hooks/Makefile.am  |   6 ++
 hooks/unmount-namespace.c  | 213 +
 src/lxc/conf.c |   4 +-
 src/lxc/conf.h |   2 +-
 src/lxc/confile.c  |   3 +
 src/lxc/start.c|  47 -
 src/lxc/start.h|   1 +
 8 files changed, 295 insertions(+), 8 deletions(-)
 create mode 100644 hooks/unmount-namespace.c

-- 
2.1.4


___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [PATCH v3 1/7] start.c:preserve_ns: added pid parameter

2015-10-06 Thread Wolfgang Bumiller 
Signed-off-by: Wolfgang Bumiller 
Acked-by: Serge E. Hallyn 
---
 src/lxc/start.c | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 0601333..1a7d5a3 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -124,14 +124,15 @@ static void close_ns(int ns_fd[LXC_NS_MAX]) {
}
 }
 
-static int preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags) {
+static int preserve_ns(int ns_fd[LXC_NS_MAX], int clone_flags, pid_t pid) {
int i, saved_errno;
char path[MAXPATHLEN];
 
for (i = 0; i < LXC_NS_MAX; i++)
ns_fd[i] = -1;
 
-   if (access("/proc/self/ns", X_OK)) {
+   snprintf(path, MAXPATHLEN, "/proc/%d/ns", pid);
+   if (access(path, X_OK)) {
WARN("Kernel does not support attach; preserve_ns ignored");
return 0;
}
@@ -139,7 +140,8 @@ static int preserve_ns(int ns_fd[LXC_NS_MAX], int 
clone_flags) {
for (i = 0; i < LXC_NS_MAX; i++) {
if ((clone_flags & ns_info[i].clone_flag) == 0)
continue;
-   snprintf(path, MAXPATHLEN, "/proc/self/ns/%s", 
ns_info[i].proc_name);
+   snprintf(path, MAXPATHLEN, "/proc/%d/ns/%s", pid,
+ns_info[i].proc_name);
ns_fd[i] = open(path, O_RDONLY | O_CLOEXEC);
if (ns_fd[i] < 0)
goto error;
@@ -973,7 +975,7 @@ static int lxc_spawn(struct lxc_handler *handler)
INFO("failed to pin the container's rootfs");
}
 
-   if (preserve_ns(saved_ns_fd, preserve_mask) < 0)
+   if (preserve_ns(saved_ns_fd, preserve_mask, getpid()) < 0)
goto out_delete_net;
if (attach_ns(handler->conf->inherit_ns_fd) < 0)
goto out_delete_net;
-- 
2.1.4


___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [PATCH v3 3/7] added stop-hook entries

2015-10-06 Thread Wolfgang Bumiller 
Signed-off-by: Wolfgang Bumiller 
Acked-by: Serge E. Hallyn 
---
 src/lxc/conf.c| 4 +++-
 src/lxc/conf.h| 2 +-
 src/lxc/confile.c | 3 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 0913b22..f81efcd 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -163,7 +163,7 @@ return -1;
 #endif
 
 char *lxchook_names[NUM_LXC_HOOKS] = {
-   "pre-start", "pre-mount", "mount", "autodev", "start", "post-stop", 
"clone", "destroy" };
+   "pre-start", "pre-mount", "mount", "autodev", "start", "stop", 
"post-stop", "clone", "destroy" };
 
 typedef int (*instantiate_cb)(struct lxc_handler *, struct lxc_netdev *);
 
@@ -3878,6 +3878,8 @@ int run_lxc_hooks(const char *name, char *hook, struct 
lxc_conf *conf,
which = LXCHOOK_AUTODEV;
else if (strcmp(hook, "start") == 0)
which = LXCHOOK_START;
+   else if (strcmp(hook, "stop") == 0)
+   which = LXCHOOK_STOP;
else if (strcmp(hook, "post-stop") == 0)
which = LXCHOOK_POSTSTOP;
else if (strcmp(hook, "clone") == 0)
diff --git a/src/lxc/conf.h b/src/lxc/conf.h
index 5aebd91..1374d4a 100644
--- a/src/lxc/conf.h
+++ b/src/lxc/conf.h
@@ -279,7 +279,7 @@ enum {
  */
 enum lxchooks {
LXCHOOK_PRESTART, LXCHOOK_PREMOUNT, LXCHOOK_MOUNT, LXCHOOK_AUTODEV,
-   LXCHOOK_START, LXCHOOK_POSTSTOP, LXCHOOK_CLONE, LXCHOOK_DESTROY,
+   LXCHOOK_START, LXCHOOK_STOP, LXCHOOK_POSTSTOP, LXCHOOK_CLONE, 
LXCHOOK_DESTROY,
NUM_LXC_HOOKS};
 extern char *lxchook_names[NUM_LXC_HOOKS];
 
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index 670d957..f7d6814 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -137,6 +137,7 @@ static struct lxc_config_t config[] = {
{ "lxc.hook.mount",   config_hook },
{ "lxc.hook.autodev", config_hook },
{ "lxc.hook.start",   config_hook },
+   { "lxc.hook.stop",config_hook },
{ "lxc.hook.post-stop",   config_hook },
{ "lxc.hook.clone",   config_hook },
{ "lxc.hook.destroy", config_hook },
@@ -1085,6 +1086,8 @@ static int config_hook(const char *key, const char *value,
return add_hook(lxc_conf, LXCHOOK_MOUNT, copy);
else if (strcmp(key, "lxc.hook.start") == 0)
return add_hook(lxc_conf, LXCHOOK_START, copy);
+   else if (strcmp(key, "lxc.hook.stop") == 0)
+   return add_hook(lxc_conf, LXCHOOK_STOP, copy);
else if (strcmp(key, "lxc.hook.post-stop") == 0)
return add_hook(lxc_conf, LXCHOOK_POSTSTOP, copy);
else if (strcmp(key, "lxc.hook.clone") == 0)
-- 
2.1.4


___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [PATCH v3 7/7] added the unmount-namespace hook

2015-10-06 Thread Wolfgang Bumiller 
Signed-off-by: Wolfgang Bumiller 
---
 hooks/Makefile.am |   6 ++
 hooks/unmount-namespace.c | 213 ++
 2 files changed, 219 insertions(+)
 create mode 100644 hooks/unmount-namespace.c

diff --git a/hooks/Makefile.am b/hooks/Makefile.am
index be55601..ef82083 100644
--- a/hooks/Makefile.am
+++ b/hooks/Makefile.am
@@ -6,4 +6,10 @@ hooks_SCRIPTS = \
ubuntu-cloud-prep \
squid-deb-proxy-client
 
+hooks_PROGRAMS = \
+   unmount-namespace
+
+unmount_namespace_SOURCES = \
+   unmount-namespace.c
+
 EXTRA_DIST=$(hooks_SCRIPTS)
diff --git a/hooks/unmount-namespace.c b/hooks/unmount-namespace.c
new file mode 100644
index 000..488c9cc
--- /dev/null
+++ b/hooks/unmount-namespace.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright © 2015 Wolfgang Bumiller .
+ * Copyright © 2015 Proxmox Server Solutions GmbH
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2, as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * --
+ *
+ * This stop-hook unmounts everything in the container's namespace, and thereby
+ * waits for all calls commands to finish. This is useful when one needs to be
+ * sure that network filesystems are finished unmounting in the namespace
+ * before continuing with other tasks. Without this hook the cleanup of mounts
+ * is done by the kernel in the background after all the references to the
+ * namespaces are gone.
+ */
+
+#define _GNU_SOURCE/* setns */
+#include  /* fdopen, getmntent, endmntent */
+#include /* malloc, qsort */
+#include /* close */
+#include /* strcmp, strncmp, strdup, strerror */
+#include  /* setns */
+#include  /* umount2 */
+#include  /* openat, open */
+#include   /* openat, open */
+#include  /* openat, open */
+#include /* getmntent, endmntent */
+#include  /* errno */
+
+struct mount {
+   char *src; /* currently not used */
+   char *dst;
+   char *fs; /* currently not used */
+};
+
+static void mount_free(struct mount *mnt) {
+   free(mnt->src);
+   free(mnt->dst);
+   free(mnt->fs);
+}
+
+static int mount_cmp_dst(const void *a_, const void *b_) {
+   struct mount *a = (struct mount*)a_;
+   struct mount *b = (struct mount*)b_;
+   return strcmp(b->dst, a->dst); /* swapped order */
+}
+
+/* Unmounting /dev/pts fails, and  so /dev also fails, but /dev is not what
+ * we're interested in. (There might also still be /dev/cgroup mounts).
+ */
+static int mount_should_error(const struct mount *mnt) {
+   const char *dst = mnt->dst;
+   return !(strncmp(dst, "/dev", 4) == 0 && (dst[4] == 0 || dst[4] == 
'/'));
+}
+
+/* Read mounts from 'self/mounts' relative to a directory filedescriptor.
+ * Before entering the container we open a handle to /proc on the host as we
+ * need to access /proc/self/mounts and the container's /proc doesn't contain
+ * our /self. We then use openat(2) to avoid having to mount a temporary /proc.
+ */
+static int read_mounts(int procfd, struct mount **mp, size_t *countp) {
+   int fd;
+   struct mntent *ent;
+   FILE *mf;
+   size_t capacity = 32;
+   size_t count = 0;
+   struct mount *mounts = (struct mount*)malloc(capacity * 
sizeof(*mounts));
+
+   if (!mounts) {
+   errno = ENOMEM;
+   return 0;
+   }
+
+   *mp = NULL;
+   *countp = 0;
+
+   fd = openat(procfd, "self/mounts", O_RDONLY);
+   if (fd < 0)
+   return 0;
+
+   mf = fdopen(fd, "r");
+   if (!mf) {
+   int error = errno;
+   close(fd);
+   errno = error;
+   return 0;
+   }
+   while ((ent = getmntent(mf))) {
+   struct mount *new;
+   if (count == capacity) {
+   capacity *= 2;
+   new = (struct mount*)realloc(mounts, capacity * 
sizeof(*mounts));
+   if (!new)
+   goto out_alloc_entry;
+   mounts = new;
+   }
+   new = [count++];
+   new->src = strdup(ent->mnt_fsname);
+   new->dst = strdup(ent->mnt_dir);
+   new->fs  = strdup(ent->mnt_type);
+   if (!new->src || !new->dst || !new->fs)
+   goto out_alloc_entry;
+   }
+   endmntent(mf);
+
+   *mp = mounts;
+

[lxc-devel] [PATCH v3 4/7] run stop hook between STOPPING and STOPPED states

2015-10-06 Thread Wolfgang Bumiller 
Signed-off-by: Wolfgang Bumiller 
Acked-by: Serge E. Hallyn 
---
 src/lxc/start.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 87fc32f..a1eb961 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -493,6 +493,8 @@ void lxc_fini(const char *name, struct lxc_handler *handler)
 */
lxc_set_state(name, handler, STOPPING);
 
+   if (run_lxc_hooks(name, "stop", handler->conf, handler->lxcpath, NULL))
+   ERROR("failed to run stop hooks for container '%s'.", name);
for (i = 0; i < LXC_NS_MAX; i++) {
if (handler->nsfd[i] != -1) {
close(handler->nsfd[i]);
-- 
2.1.4


___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [PATCH v3 6/7] document the stop hook

2015-10-06 Thread Wolfgang Bumiller 
Signed-off-by: Wolfgang Bumiller 
Acked-by: Serge E. Hallyn 
---
 doc/lxc.container.conf.sgml.in | 27 +--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in
index 7b599e5..f1a87e9 100644
--- a/doc/lxc.container.conf.sgml.in
+++ b/doc/lxc.container.conf.sgml.in
@@ -1280,9 +1280,12 @@ mknod errno 0
Container name. 
Section (always 'lxc'). 
The hook type (i.e. 'clone' or 'pre-mount'). 

-   Additional arguments In the
+   Additional arguments. In the
   case of the clone hook, any extra arguments passed to
-  lxc-clone will appear as further arguments to the hook. 

+  lxc-clone will appear as further arguments to the hook.
+  In the case of the stop hook, paths to filedescriptors
+  for each of the container's namespaces along with their types
+  are passed. 
 
 The following environment variables are set:
 
@@ -1379,6 +1382,26 @@ mknod errno 0
   
 
   
+lxc.hook.stop
+  
+  
+
+  A hook to be run in the host's namespace with references
+  to the container's namespaces after the container has been shut
+  down. For each namespace an extra argument is passed to the hook
+  containing the namespace's type and a filename that can be used 
to
+  obtain a file descriptor to the corresponding namespace, 
separated
+  by a colon. The type is the name as it would appear in the
+  /proc/PID/ns directory.
+  For instance for the mount namespace the argument usually looks
+  like mnt:/proc/PID/fd/12.
+
+  
+
+  
+  
+
+  
 lxc.hook.post-stop
   
   
-- 
2.1.4


___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [PATCH v3 5/7] pass namespace handles to the stop hook

2015-10-06 Thread Wolfgang Bumiller 
Signed-off-by: Wolfgang Bumiller 
Acked-by: Serge E. Hallyn 
---
 src/lxc/start.c | 21 +++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index a1eb961..d24b586 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -486,15 +486,32 @@ out_free:
 
 void lxc_fini(const char *name, struct lxc_handler *handler)
 {
-   int i;
+   int i, rc;
+   pid_t self = getpid();
+   char *namespaces[LXC_NS_MAX+1];
+   size_t namespace_count = 0;
 
/* The STOPPING state is there for future cleanup code
 * which can take awhile
 */
lxc_set_state(name, handler, STOPPING);
 
-   if (run_lxc_hooks(name, "stop", handler->conf, handler->lxcpath, NULL))
+   for (i = 0; i < LXC_NS_MAX; i++) {
+   if (handler->nsfd[i] != -1) {
+   rc = asprintf([namespace_count], 
"%s:/proc/%d/fd/%d",
+ ns_info[i].proc_name, self, 
handler->nsfd[i]);
+   if (rc == -1) {
+   SYSERROR("failed to allocate memory");
+   break;
+   }
+   ++namespace_count;
+   }
+   }
+   namespaces[namespace_count] = NULL;
+   if (run_lxc_hooks(name, "stop", handler->conf, handler->lxcpath, 
namespaces))
ERROR("failed to run stop hooks for container '%s'.", name);
+   while (namespace_count--)
+   free(namespaces[namespace_count]);
for (i = 0; i < LXC_NS_MAX; i++) {
if (handler->nsfd[i] != -1) {
close(handler->nsfd[i]);
-- 
2.1.4


___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [PATCH v3 2/7] preserve container namespace

2015-10-06 Thread Wolfgang Bumiller 
Signed-off-by: Wolfgang Bumiller 
Acked-by: Serge E. Hallyn 
---
 src/lxc/start.c | 18 ++
 src/lxc/start.h |  1 +
 2 files changed, 19 insertions(+)

diff --git a/src/lxc/start.c b/src/lxc/start.c
index 1a7d5a3..87fc32f 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -379,6 +379,7 @@ out_sigfd:
 
 struct lxc_handler *lxc_init(const char *name, struct lxc_conf *conf, const 
char *lxcpath)
 {
+   int i;
struct lxc_handler *handler;
 
handler = malloc(sizeof(*handler));
@@ -392,6 +393,9 @@ struct lxc_handler *lxc_init(const char *name, struct 
lxc_conf *conf, const char
handler->lxcpath = lxcpath;
handler->pinfd = -1;
 
+   for (i = 0; i < LXC_NS_MAX; i++)
+   handler->nsfd[i] = -1;
+
lsm_init();
 
handler->name = strdup(name);
@@ -482,10 +486,19 @@ out_free:
 
 void lxc_fini(const char *name, struct lxc_handler *handler)
 {
+   int i;
+
/* The STOPPING state is there for future cleanup code
 * which can take awhile
 */
lxc_set_state(name, handler, STOPPING);
+
+   for (i = 0; i < LXC_NS_MAX; i++) {
+   if (handler->nsfd[i] != -1) {
+   close(handler->nsfd[i]);
+   handler->nsfd[i] = -1;
+   }
+   }
lxc_set_state(name, handler, STOPPED);
 
if (run_lxc_hooks(name, "post-stop", handler->conf, handler->lxcpath, 
NULL))
@@ -996,6 +1009,11 @@ static int lxc_spawn(struct lxc_handler *handler)
goto out_delete_net;
}
 
+   if (preserve_ns(handler->nsfd, handler->clone_flags, handler->pid) < 0) 
{
+   ERROR("failed to store namespace references");
+   goto out_delete_net;
+   }
+
if (attach_ns(saved_ns_fd))
WARN("failed to restore saved namespaces");
 
diff --git a/src/lxc/start.h b/src/lxc/start.h
index f1a41f5..86b19a2 100644
--- a/src/lxc/start.h
+++ b/src/lxc/start.h
@@ -75,6 +75,7 @@ struct lxc_handler {
void *cgroup_data;
int ttysock[2]; // socketpair for child->parent tty fd passing
bool backgrounded; // indicates whether should we close std{in,out,err} 
on start
+   int nsfd[LXC_NS_MAX];
 };
 
 
-- 
2.1.4


___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [PATCH] doc: Add the common and '-s' option in Korean lxc-destroy(1)

2015-10-06 Thread Sungbae Yoo 
Update for commit 3635c5e

Signed-off-by: Sungbae Yoo 

diff --git a/doc/ko/lxc-destroy.sgml.in b/doc/ko/lxc-destroy.sgml.in
index cb5d0b6..5a9cb36 100644
--- a/doc/ko/lxc-destroy.sgml.in
+++ b/doc/ko/lxc-destroy.sgml.in
@@ -57,6 +57,7 @@ by Sungbae Yoo 
   lxc-destroy
   -n name
   -f
+  -s
 
   
 
@@ -80,7 +81,7 @@ by Sungbae Yoo 
 
   

- -f
+ -f, --force


  
@@ -96,13 +97,13 @@ by Sungbae Yoo 
   
 
   
--P, 
--lxcpath=PATH
+-s, --snapshots
 
  
 
-컨테이너 경로를 지정한다. 기본값은 @LXCPATH@이다.
+해당 컨테이너의 모든 스냅샷까지 제거한다.
  
 
   
@@ -111,6 +112,8 @@ by Sungbae Yoo 
 
   
 
+  
+
   
 진단
 
-- 
1.9.1

___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel

[lxc-devel] [PATCH] doc: Add the note related mount in Korean lxc.container.conf(5)

2015-10-06 Thread Sungbae Yoo 
Update for commit 592fd47

Signed-off-by: Sungbae Yoo 

diff --git a/doc/ko/lxc.container.conf.sgml.in 
b/doc/ko/lxc.container.conf.sgml.in
index b305680..6d225a8 100644
--- a/doc/ko/lxc.container.conf.sgml.in
+++ b/doc/ko/lxc.container.conf.sgml.in
@@ -1008,6 +1008,23 @@ by Sungbae Yoo 
 이 마운트 포인트들은 컨테이너에서만 보이고 외부에서 실행하는 프로세스들에겐 보이지 않는다.
 이는 예를 들어  /etc, /var, /home을 마운트할 때 유용하다.
   
+  
+
+주의 - 보통 LXC는 마운트 대상과 상대 경로로 된 바인드 마운트 소스들이 컨테이너의 루트 아래에 있도록 보장할 것이다. 
이는 호스트 디렉토리와 파일들을 겹쳐서 마운트하는 유형의 공격을 피하기 위한 것이다. (절대 경로로 된 마운트 소스 내에 존재하는 심볼릭 
링크들은 무시될 것이다.)
+하지만, 만약 컨테이너 설정에서 컨테이너 사용자가 제어할 수 있는, 예를 들어 /home/joe와 같은 디렉토리를 컨테이너 
내의 path에 먼저 마운트 하고 나서,  path 내에 또 
마운트를 하는 경우가 있다면,
+컨테이너 사용자가 자신의 home 디렉토리에 있는 심볼릭링크를 정확한 시간에 조작하여, TOCTTOU (역주 : Time of 
check to time of use) 공격이 가능할 것이다.
+  
   

  
-- 
1.9.1

___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel