[lxc-devel] [PATCH] doc: Add lxc.ephemeral in Korean lxc.container.conf(5)
Update for commit 4e6eb26 Signed-off-by: Sungbae Yoo diff --git a/doc/ko/lxc.container.conf.sgml.in b/doc/ko/lxc.container.conf.sgml.in index 6d225a8..f06e559 100644 --- a/doc/ko/lxc.container.conf.sgml.in +++ b/doc/ko/lxc.container.conf.sgml.in @@ -369,6 +369,32 @@ by Sungbae Yoo + 임시 컨테이너 + + +컨테이너가 종료될 때, 해당 컨테이너를 제거할지 여부를 지정할 수 있다. + + + + +lxc.ephemeral + + + + + 지정 가능한 값은 0 또는 1이다. 1로 설정하면, 컨테이너를 종료할 때 해당 컨테이너를 제거한다. + + + + + + + 네트워크
[lxc-devel] [PATCH] Make mount_entry_create_*_dirs() more robust
The mount_entry_create_*_dirs() functions currently assume that the rootfs of the container is actually named "rootfs". This has the consequence that del = strstr(lxcpath, "/rootfs"); if (!del) { free(lxcpath); lxc_free_array((void **)opts, free); return -1; } *del = '\0'; will return NULL when the rootfs of a container is not actually named "rootfs". This means the we return -1 and do not create the necessary upperdir/workdir directories required for the overlay/aufs mount to work. Hence, let's not make that assumption. We now pass lxc_path and lxc_name to mount_entry_create_*_dirs() and create the path directly. To prevent failure we also have mount_entry_create_*_dirs() check that lxc_name and lxc_path are not empty when they are passed in. Signed-off-by: Christian Brauner --- src/lxc/conf.c | 91 ++ 1 file changed, 41 insertions(+), 50 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 0e3421b..16a62f8 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1816,20 +1816,22 @@ static void cull_mntent_opt(struct mntent *mntent) } static int mount_entry_create_overlay_dirs(const struct mntent *mntent, - const struct lxc_rootfs *rootfs) + const struct lxc_rootfs *rootfs, + const char *lxc_name, + const char *lxc_path) { - char *del = NULL; - char *lxcpath = NULL; + char lxcpath[MAXPATHLEN]; char *upperdir = NULL; char *workdir = NULL; char **opts = NULL; + int ret = 0; size_t arrlen = 0; size_t dirlen = 0; size_t i; size_t len = 0; size_t rootfslen = 0; - if (!rootfs->path) + if (!rootfs->path || !lxc_name || !lxc_path) return -1; opts = lxc_string_split(mntent->mnt_opts, ','); 
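Review bot: The added guard `if (!rootfs->path || !lxc_name || !lxc_path)` rejects NULL pointers only, while the commit message says the function checks that lxc_name and lxc_path "are not empty"; with an empty `lxc_path` the snprintf in the following hunk produces `/NAME`, and with both empty it produces `/`, so the `dirlen`-based containment prefix computed afterwards matches almost any absolute upperdir/workdir and mkdir_p() would run outside the container directory. Extend the guard to `if (!rootfs->path || !lxc_name || !*lxc_name || !lxc_path || !*lxc_path)` so the two strings really must be non-empty before the path is built. The same NULL-only guard is added for mount_entry_create_aufs_dirs() in the `@@ -1877` hunk and needs the same change. mount_entry_create_overlay_dirs() continues past the end of this hunk.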
@@ -1845,19 +1847,11 @@ static int mount_entry_create_overlay_dirs(const struct mntent *mntent, workdir = opts[i] + len; } - lxcpath = strdup(rootfs->path); - if (!lxcpath) { - lxc_free_array((void **)opts, free); - return -1; - } - - del = strstr(lxcpath, "/rootfs"); - if (!del) { - free(lxcpath); + ret = snprintf(lxcpath, MAXPATHLEN, "%s/%s", lxc_path, lxc_name); + if (ret < 0 || ret >= MAXPATHLEN) { lxc_free_array((void **)opts, free); return -1; } - *del = '\0'; dirlen = strlen(lxcpath); rootfslen = strlen(rootfs->path); @@ -1877,25 +1871,26 @@ static int mount_entry_create_overlay_dirs(const struct mntent *mntent, WARN("Failed to create workdir"); } - free(lxcpath); lxc_free_array((void **)opts, free); return 0; } static int mount_entry_create_aufs_dirs(const struct mntent *mntent, - const struct lxc_rootfs *rootfs) + const struct lxc_rootfs *rootfs, + const char *lxc_name, + const char *lxc_path) { - char *del = NULL; - char *lxcpath = NULL; + char lxcpath[MAXPATHLEN]; char *scratch = NULL; char *tmp = NULL; char *upperdir = NULL; char **opts = NULL; + int ret = 0; size_t arrlen = 0; size_t i; size_t len = 0; - if (!rootfs->path) + if (!rootfs->path || !lxc_name || !lxc_path) return -1; opts = lxc_string_split(mntent->mnt_opts, ','); @@ -1919,19 +1914,11 @@ static int mount_entry_create_aufs_dirs(const struct mntent *mntent, return -1; } - lxcpath = strdup(rootfs->path); - if (!lxcpath) { - lxc_free_array((void **)opts, free); - return -1; - } - - del = strstr(lxcpath, "/rootfs"); - if (!del) { - free(lxcpath); + ret = snprintf(lxcpath, MAXPATHLEN, "%s/%s", lxc_path, lxc_name); + if (ret < 0 || ret >= MAXPATHLEN) { lxc_free_array((void **)opts, free); return -1; } - *del = '\0'; /* We neither allow users to create upperdirs outside the containerdir * nor inside the rootfs. The latter might be debatable. */ 
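Review bot: The prefix built by `ret = snprintf(lxcpath, MAXPATHLEN, "%s/%s", lxc_path, lxc_name);` carries no trailing separator, and `dirlen = strlen(lxcpath)` at the end of the hunk appears to feed the plain `strncmp(upperdir, lxcpath, dirlen) == 0` containment test that follows the hunk (the check is visible in the quoted v5 patch further down this page), so an upperdir located under a sibling container whose name merely starts with lxc_name (for example `.../foo-old/upper` when the container is `foo`) satisfies the test and is created by mkdir_p(). If lxcpath is used only for that comparison, building it as `"%s/%s/"` makes the separator part of the compared prefix and closes the gap without changing the interface; the `@@ -1919` hunk builds the identical prefix for mount_entry_create_aufs_dirs() and needs the same treatment. mount_entry_create_overlay_dirs() starts before this hunk and its body continues after it.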
@@ -1940,23 +1927,24 @@ static int mount_entry_create_aufs_dirs(const struct mntent *mntent, WARN("Failed to create upperdir"); } - free(lxcpath); lxc_free_array((void **)opts, free); return 0; } + static int mount_entry_create_dir_file(const struct mntent *mntent, - const cha
Re: [lxc-devel] [PATCH v5] Make overlayfs mounts work directly
Fair enough. Should we then adapt do_lxcapi_clone() to replace any mountentries that involve references to the original container with the name of the new container or should we just have users do it manually? (Because currently the presence of any lxc.mount.entry = ... overlay ... will prevent clones from working out of the box... Maybe I'm just being pedantic here...) On Wed, Oct 07, 2015 at 01:20:35PM +, Serge Hallyn wrote: > mount targets when relative are relative to the mounted rootfs dir > (with absolute paths under the *not-mounted* rootfs dir being auto- > translated to being under the mounted rootfs dir). > > These paths would be relative to the containerdir. I think that's too > confusing. > > Quoting Christian Brauner (christianvanbrau...@gmail.com): > > I now wonder if it wouldn't be smarter to force users to specify relative > > paths > > for upper and workdir > > > > lxc.mount.entry = /lower merged overlay > > lowerdir=/lower,upper=upper,workdir=workdir,create=dir > > > > and fill in the missing path in mount_entry_create_*_dirs(). Otherwise these > > mounts won't work out of the box when a clone of the container is made and > > started... Thoughts? > > > > On Tue, Oct 06, 2015 at 08:38:13PM +0200, Christian Brauner wrote: > > > When users wanted to mount overlay directories with lxc.mount.entry they > > > had to > > > create upperdirs and workdirs beforehand in order to mount them. To > > > create it > > > for them we add the functions mount_entry_create_overlay_dirs() and > > > mount_entry_create_aufs_dirs() which do this for them. User can now simply > > > specify e.g.: > > > > > > lxc.mount.entry = /lower merged overlay > > > lowerdir=/lower,upper=/upper,workdir=/workdir,create=dir > > > > > > and /upper and /workdir will be created for them. /upper and /workdir > > > need to > > > be absolute paths to directories which are created under the containerdir > > > (e.g. > > > under $lxcpath/CONTAINERNAME/). 
Relative mountpoints, mountpoints outside > > > the > > > containerdir, and mountpoints within the container's rootfs are ignored. > > > (The > > > latter *might* change in the future should it be considered safe/useful.) > > > > > > Specifying > > > > > > lxc.mount.entry = /lower merged overlay > > > lowerdir=/lower:/lower2,create=dir > > > > > > will lead to a read-only overlay mount in accordance with the > > > kernel-documentation. > > > > > > Specifying > > > > > > lxc.mount.entry = /lower merged overlay lowerdir=/lower,create=dir > > > > > > will fail when no upperdir and workdir options are given. > > > > > > Signed-off-by: Christian Brauner > > > Acked-by: Serge E. Hallyn > > > --- > > > src/lxc/conf.c | 162 > > > - > > > 1 file changed, 150 insertions(+), 12 deletions(-) > > > > > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > > > index 6728c78..5a3209a 100644 > > > --- a/src/lxc/conf.c > > > +++ b/src/lxc/conf.c 
> > > @@ -1815,13 +1815,151 @@ static void cull_mntent_opt(struct mntent > > > *mntent) > > > } > > > } > > > > > > +static int mount_entry_create_overlay_dirs(const struct mntent *mntent, > > > +const struct lxc_rootfs *rootfs) > > > +{ > > > + char *del = NULL; > > > + char *lxcpath = NULL; > > > + char *upperdir = NULL; > > > + char *workdir = NULL; > > > + char **opts = NULL; > > > + size_t arrlen = 0; > > > + size_t dirlen = 0; > > > + size_t i; > > > + size_t len = 0; > > > + size_t rootfslen = 0; > > > + > > > + if (!rootfs->path) > > > + return -1; > > > + > > > + opts = lxc_string_split(mntent->mnt_opts, ','); > > > + if (opts) > > > + arrlen = lxc_array_len((void **)opts); > > > + else > > > + return -1; > > > + > > > + for (i = 0; i < arrlen; i++) { > > > + if (strstr(opts[i], "upperdir=") && (strlen(opts[i]) > (len = > > > strlen("upperdir=" > > > + upperdir = opts[i] + len; > > > + else if (strstr(opts[i], "workdir=") && (strlen(opts[i]) > (len > > > = strlen("workdir=" > > > + workdir = opts[i] + len; > > > + } > > > + > > > + lxcpath = strdup(rootfs->path); > > > + if (!lxcpath) { > > > + lxc_free_array((void **)opts, free); > > > + return -1; > > > + } > > > + > > > + del = strstr(lxcpath, "/rootfs"); > > > + if (!del) { > > > + free(lxcpath); > > > + lxc_free_array((void **)opts, free); > > > + return -1; > > > + } > > > + *del = '\0'; > > > + > > > + dirlen = strlen(lxcpath); > > > + rootfslen = strlen(rootfs->path); > > > + > > > + /* We neither allow users to create upperdirs and workdirs outside the > > > + * containerdir nor inside the rootfs. The latter might be debatable. */ > > > + if (upperdir) > > > + if ((strncmp(upperdir, lxcpath, dirlen) == 0) && > > > (strncmp(upperdir, rootfs->path, rootfslen) != 0)) > > > + if (mkdir_p(upperdir,
[lxc-devel] [lxc/lxc] 5406bd: Make overlayfs mounts work directly
Branch: refs/heads/stable-1.1 Home: https://github.com/lxc/lxc Commit: 5406bd2ce3b64083c99dcb4f05429392258af3a6 https://github.com/lxc/lxc/commit/5406bd2ce3b64083c99dcb4f05429392258af3a6 Author: Christian Brauner Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M src/lxc/conf.c Log Message: --- Make overlayfs mounts work directly When users wanted to mount overlay directories with lxc.mount.entry they had to create upperdirs and workdirs beforehand in order to mount them. To create it for them we add the functions mount_entry_create_overlay_dirs() and mount_entry_create_aufs_dirs() which do this for them. User can now simply specify e.g.: lxc.mount.entry = /lower merged overlay lowerdir=/lower,upper=/upper,workdir=/workdir,create=dir and /upper and /workdir will be created for them. /upper and /workdir need to be absolute paths to directories which are created under the containerdir (e.g. under $lxcpath/CONTAINERNAME/). Relative mountpoints, mountpoints outside the containerdir, and mountpoints within the container's rootfs are ignored. (The latter *might* change in the future should it be considered safe/useful.) Specifying lxc.mount.entry = /lower merged overlay lowerdir=/lower:/lower2,create=dir will lead to a read-only overlay mount in accordance with the kernel-documentation. Specifying lxc.mount.entry = /lower merged overlay lowerdir=/lower,create=dir will fail when no upperdir and workdir options are given. Signed-off-by: Christian Brauner Acked-by: Serge E. Hallyn Commit: 5b657f6bfee3d6b238a37ad2f3dcac37a224a333 https://github.com/lxc/lxc/commit/5b657f6bfee3d6b238a37ad2f3dcac37a224a333 Author: Wolfgang Bumiller Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M src/lxc/start.c Log Message: --- start.c:preserve_ns: added pid parameter Signed-off-by: Wolfgang Bumiller Acked-by: Serge E. 
Hallyn Commit: 8cecbd386123dfcb291b96b23a38fb9d74d2ea3b https://github.com/lxc/lxc/commit/8cecbd386123dfcb291b96b23a38fb9d74d2ea3b Author: Wolfgang Bumiller Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M src/lxc/start.c M src/lxc/start.h Log Message: --- preserve container namespace Signed-off-by: Wolfgang Bumiller Acked-by: Serge E. Hallyn Compare: https://github.com/lxc/lxc/compare/e9bcaafeaa73...8cecbd386123___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/lxc] 6e46cc: Make overlayfs mounts work directly
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 6e46cc0dca6662b66bb9bd9f0b340bf6c86c13df https://github.com/lxc/lxc/commit/6e46cc0dca6662b66bb9bd9f0b340bf6c86c13df Author: Christian Brauner Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M src/lxc/conf.c Log Message: --- Make overlayfs mounts work directly When users wanted to mount overlay directories with lxc.mount.entry they had to create upperdirs and workdirs beforehand in order to mount them. To create it for them we add the functions mount_entry_create_overlay_dirs() and mount_entry_create_aufs_dirs() which do this for them. User can now simply specify e.g.: lxc.mount.entry = /lower merged overlay lowerdir=/lower,upper=/upper,workdir=/workdir,create=dir and /upper and /workdir will be created for them. /upper and /workdir need to be absolute paths to directories which are created under the containerdir (e.g. under $lxcpath/CONTAINERNAME/). Relative mountpoints, mountpoints outside the containerdir, and mountpoints within the container's rootfs are ignored. (The latter *might* change in the future should it be considered safe/useful.) Specifying lxc.mount.entry = /lower merged overlay lowerdir=/lower:/lower2,create=dir will lead to a read-only overlay mount in accordance with the kernel-documentation. Specifying lxc.mount.entry = /lower merged overlay lowerdir=/lower,create=dir will fail when no upperdir and workdir options are given. Signed-off-by: Christian Brauner Acked-by: Serge E. Hallyn Commit: 035a38fc935ae9f9062e100be7d26bec350f6789 https://github.com/lxc/lxc/commit/035a38fc935ae9f9062e100be7d26bec350f6789 Author: Wolfgang Bumiller Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M src/lxc/start.c Log Message: --- start.c:preserve_ns: added pid parameter Signed-off-by: Wolfgang Bumiller Acked-by: Serge E. 
Hallyn Commit: b6b2b194a8cac6a58ab5bcee8d8af92b1a3b6642 https://github.com/lxc/lxc/commit/b6b2b194a8cac6a58ab5bcee8d8af92b1a3b6642 Author: Wolfgang Bumiller Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M src/lxc/start.c M src/lxc/start.h Log Message: --- preserve container namespace Signed-off-by: Wolfgang Bumiller Acked-by: Serge E. Hallyn Commit: 52492063b7865b460f5669a28027a5e17f0a5a09 https://github.com/lxc/lxc/commit/52492063b7865b460f5669a28027a5e17f0a5a09 Author: Wolfgang Bumiller Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M src/lxc/conf.c M src/lxc/conf.h M src/lxc/confile.c Log Message: --- added stop-hook entries Signed-off-by: Wolfgang Bumiller Acked-by: Serge E. Hallyn Commit: 8438bfbda7ce927d74438d0ed3cd7df314cb0758 https://github.com/lxc/lxc/commit/8438bfbda7ce927d74438d0ed3cd7df314cb0758 Author: Wolfgang Bumiller Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M src/lxc/start.c Log Message: --- run stop hook between STOPPING and STOPPED states Signed-off-by: Wolfgang Bumiller Acked-by: Serge E. Hallyn Commit: b3286b628b2a178d2f775a6d75ef1c0e7fe75ca6 https://github.com/lxc/lxc/commit/b3286b628b2a178d2f775a6d75ef1c0e7fe75ca6 Author: Wolfgang Bumiller Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M src/lxc/start.c Log Message: --- pass namespace handles to the stop hook Signed-off-by: Wolfgang Bumiller Acked-by: Serge E. Hallyn Commit: 0a2b5ab1e79912cd6afa52c829a3444da701a828 https://github.com/lxc/lxc/commit/0a2b5ab1e79912cd6afa52c829a3444da701a828 Author: Wolfgang Bumiller Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M doc/lxc.container.conf.sgml.in Log Message: --- document the stop hook Signed-off-by: Wolfgang Bumiller Acked-by: Serge E. 
Hallyn Commit: b73f115f4142791d17bb51692367f2774fef0f39 https://github.com/lxc/lxc/commit/b73f115f4142791d17bb51692367f2774fef0f39 Author: Wolfgang Bumiller Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M hooks/Makefile.am A hooks/unmount-namespace.c Log Message: --- added the unmount-namespace hook Signed-off-by: Wolfgang Bumiller Acked-by: Serge E. Hallyn Commit: 7346eb3aabd7accc70b9255e811d502f4fa0868f https://github.com/lxc/lxc/commit/7346eb3aabd7accc70b9255e811d502f4fa0868f Author: KATOH Yasufumi Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M doc/ja/lxc.container.conf.sgml.in Log Message: --- doc: Add lxc.ephemeral in Japanese lxc.container.conf(5) Update for commit 4e6eb26 Signed-off-by: KATOH Yasufumi Acked-by: Stéphane Graber Commit: 5901bc791907c6c51f5c808f6b6a1c215dc9d472 https://github.com/lxc/lxc/commit/5901bc791907c6c51f5c808f6b6a1c215dc9d472 Author: Sungbae Yoo Date: 2015-10-07 (Wed, 07 Oct 2015) Changed paths: M doc/ko/lxc-destroy.sgml.in Log Message: --- doc: Add the co
Re: [lxc-devel] [PATCH] doc: Add the note related mount in Korean lxc.container.conf(5)
On Tue, Oct 06, 2015 at 06:29:01PM +0900, Sungbae Yoo wrote: > Update for commit 592fd47 > > Signed-off-by: Sungbae Yoo Acked-by: Stéphane Graber > > diff --git a/doc/ko/lxc.container.conf.sgml.in > b/doc/ko/lxc.container.conf.sgml.in > index b305680..6d225a8 100644 > --- a/doc/ko/lxc.container.conf.sgml.in > +++ b/doc/ko/lxc.container.conf.sgml.in > @@ -1008,6 +1008,23 @@ by Sungbae Yoo > 이 마운트 포인트들은 컨테이너에서만 보이고 외부에서 실행하는 프로세스들에겐 보이지 않는다. > 이는 예를 들어 /etc, /var, /home을 마운트할 때 유용하다. > > + > + > +주의 - 보통 LXC는 마운트 대상과 상대 경로로 된 바인드 마운트 소스들이 컨테이너의 루트 아래에 있도록 보장할 것이다. > 이는 호스트 디렉토리와 파일들을 겹쳐서 마운트하는 유형의 공격을 피하기 위한 것이다. (절대 경로로 된 마운트 소스 내에 존재하는 심볼릭 > 링크들은 무시될 것이다.) > +하지만, 만약 컨테이너 설정에서 컨테이너 사용자가 제어할 수 있는, 예를 들어 /home/joe와 같은 디렉토리를 컨테이너 > 내의 path에 먼저 마운트 하고 나서, path 내에 또 > 마운트를 하는 경우가 있다면, > +컨테이너 사용자가 자신의 home 디렉토리에 있는 심볼릭링크를 정확한 시간에 조작하여, TOCTTOU (역주 : Time > of check to time of use) 공격이 가능할 것이다. > + > > > > -- > 1.9.1 > > ___ > lxc-devel mailing list > lxc-devel@lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] [PATCH] doc: Add the common and '-s' option in Korean lxc-destroy(1)
On Tue, Oct 06, 2015 at 06:26:49PM +0900, Sungbae Yoo wrote: > Update for commit 3635c5e > > Signed-off-by: Sungbae Yoo Acked-by: Stéphane Graber > > diff --git a/doc/ko/lxc-destroy.sgml.in b/doc/ko/lxc-destroy.sgml.in > index cb5d0b6..5a9cb36 100644 > --- a/doc/ko/lxc-destroy.sgml.in > +++ b/doc/ko/lxc-destroy.sgml.in > @@ -57,6 +57,7 @@ by Sungbae Yoo >lxc-destroy >-n name >-f > + -s > > > > @@ -80,7 +81,7 @@ by Sungbae Yoo > > > > - -f > + -f, --force > > > > @@ -96,13 +97,13 @@ by Sungbae Yoo > > > > --P, > --lxcpath=PATH > +-s, --snapshots > > > > -컨테이너 경로를 지정한다. 기본값은 @LXCPATH@이다. > +해당 컨테이너의 모든 스냅샷까지 제거한다. > > > > @@ -111,6 +112,8 @@ by Sungbae Yoo > > > > + &commonoptions; > + > > 진단 > > -- > 1.9.1 > > ___ > lxc-devel mailing list > lxc-devel@lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] [PATCH] doc: Add lxc.ephemeral in Japanese lxc.container.conf(5)
On Tue, Oct 06, 2015 at 04:26:31PM +0900, KATOH Yasufumi wrote: > Update for commit 4e6eb26 > > Signed-off-by: KATOH Yasufumi Acked-by: Stéphane Graber > --- > doc/ja/lxc.container.conf.sgml.in | 26 ++ > 1 file changed, 26 insertions(+) > > diff --git a/doc/ja/lxc.container.conf.sgml.in > b/doc/ja/lxc.container.conf.sgml.in > index e07a3df..45e5c31 100644 > --- a/doc/ja/lxc.container.conf.sgml.in > +++ b/doc/ja/lxc.container.conf.sgml.in > @@ -382,6 +382,32 @@ by KATOH Yasufumi > > > > + 一時的なコンテナ > + > + > +シャットダウン後にコンテナを削除するかどうかを指定できます。 > + > + > + > + > +lxc.ephemeral > + > + > + > + > + 指定できる値は 0 または 1 のみです。この値を 1 に設定すると、シャットダウン後にコンテナを削除します。 > + > + > + > + > + > + > + >ネットワーク > > 2.2.1 > > ___ > lxc-devel mailing list > lxc-devel@lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Stéphane Graber Ubuntu developer http://www.ubuntu.com signature.asc Description: Digital signature ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] [PATCH v5] Make overlayfs mounts work directly
Thanks Christian. Quoting Christian Brauner (christianvanbrau...@gmail.com): > No changes apart from the ones Serge requested. Adding > Acked-by: Serge E. Hallyn > with Serge's permission. (see hist comments to [PATCH v4]) > > Christian Brauner (1): > Make overlayfs mounts work directly > > src/lxc/conf.c | 162 > - > 1 file changed, 150 insertions(+), 12 deletions(-) > > -- > 2.6.1 > > ___ > lxc-devel mailing list > lxc-devel@lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] [PATCH v5] Make overlayfs mounts work directly
mount targets when relative are relative to the mounted rootfs dir (with absolute paths under the *not-mounted* rootfs dir being auto- translated to being under the mounted rootfs dir). These paths would be relative to the containerdir. I think that's too confusing. Quoting Christian Brauner (christianvanbrau...@gmail.com): > I now wonder if it wouldn't be smarter to force users to specify relative > paths > for upper and workdir > > lxc.mount.entry = /lower merged overlay > lowerdir=/lower,upper=upper,workdir=workdir,create=dir > > and fill in the missing path in mount_entry_create_*_dirs(). Otherwise these > mounts won't work out of the box when a clone of the container is made and > started... Thoughts? > > On Tue, Oct 06, 2015 at 08:38:13PM +0200, Christian Brauner wrote: > > When users wanted to mount overlay directories with lxc.mount.entry they > > had to > > create upperdirs and workdirs beforehand in order to mount them. To create > > it > > for them we add the functions mount_entry_create_overlay_dirs() and > > mount_entry_create_aufs_dirs() which do this for them. User can now simply > > specify e.g.: > > > > lxc.mount.entry = /lower merged overlay > > lowerdir=/lower,upper=/upper,workdir=/workdir,create=dir > > > > and /upper and /workdir will be created for them. /upper and /workdir need > > to > > be absolute paths to directories which are created under the containerdir > > (e.g. > > under $lxcpath/CONTAINERNAME/). Relative mountpoints, mountpoints outside > > the > > containerdir, and mountpoints within the container's rootfs are ignored. > > (The > > latter *might* change in the future should it be considered safe/useful.) > > > > Specifying > > > > lxc.mount.entry = /lower merged overlay > > lowerdir=/lower:/lower2,create=dir > > > > will lead to a read-only overlay mount in accordance with the > > kernel-documentation. 
> > > > Specifying > > > > lxc.mount.entry = /lower merged overlay lowerdir=/lower,create=dir > > > > will fail when no upperdir and workdir options are given. > > > > Signed-off-by: Christian Brauner > > Acked-by: Serge E. Hallyn > > --- > > src/lxc/conf.c | 162 > > - > > 1 file changed, 150 insertions(+), 12 deletions(-) > > > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c > > index 6728c78..5a3209a 100644 > > --- a/src/lxc/conf.c > > +++ b/src/lxc/conf.c 
> > @@ -1815,13 +1815,151 @@ static void cull_mntent_opt(struct mntent *mntent) > > } > > } > > > > +static int mount_entry_create_overlay_dirs(const struct mntent *mntent, > > + const struct lxc_rootfs *rootfs) > > +{ > > + char *del = NULL; > > + char *lxcpath = NULL; > > + char *upperdir = NULL; > > + char *workdir = NULL; > > + char **opts = NULL; > > + size_t arrlen = 0; > > + size_t dirlen = 0; > > + size_t i; > > + size_t len = 0; > > + size_t rootfslen = 0; > > + > > + if (!rootfs->path) > > + return -1; > > + > > + opts = lxc_string_split(mntent->mnt_opts, ','); > > + if (opts) > > + arrlen = lxc_array_len((void **)opts); > > + else > > + return -1; > > + > > + for (i = 0; i < arrlen; i++) { > > + if (strstr(opts[i], "upperdir=") && (strlen(opts[i]) > (len = > > strlen("upperdir=" > > + upperdir = opts[i] + len; > > + else if (strstr(opts[i], "workdir=") && (strlen(opts[i]) > (len > > = strlen("workdir=" > > + workdir = opts[i] + len; > > + } > > + > > + lxcpath = strdup(rootfs->path); > > + if (!lxcpath) { > > + lxc_free_array((void **)opts, free); > > + return -1; > > + } > > + > > + del = strstr(lxcpath, "/rootfs"); > > + if (!del) { > > + free(lxcpath); > > + lxc_free_array((void **)opts, free); > > + return -1; > > + } > > + *del = '\0'; > > + > > + dirlen = strlen(lxcpath); > > + rootfslen = strlen(rootfs->path); > > + > > + /* We neither allow users to create upperdirs and workdirs outside the > > +* containerdir nor inside the rootfs. The latter might be debatable. 
*/ > > + if (upperdir) > > + if ((strncmp(upperdir, lxcpath, dirlen) == 0) && > > (strncmp(upperdir, rootfs->path, rootfslen) != 0)) > > + if (mkdir_p(upperdir, 0755) < 0) { > > + WARN("Failed to create upperdir"); > > + } > > + > > + > > + if (workdir) > > + if ((strncmp(workdir, lxcpath, dirlen) == 0) && > > (strncmp(workdir, rootfs->path, rootfslen) != 0)) > > + if (mkdir_p(workdir, 0755) < 0) { > > + WARN("Failed to create workdir"); > > + } > > + > > + free(lxcpath); > > + lxc_free_array((void **)opts, free); > > + return 0; > > +} > > + > > +static int mount_entry_create_aufs_dirs(const struct mntent *mntent, > > +
Re: [lxc-devel] [PATCH v3 7/7] added the unmount-namespace hook
On Tue, Oct 06, 2015 at 06:18:06PM +, Serge Hallyn wrote: > Quoting Wolfgang Bumiller (w.bumil...@proxmox.com): > > Signed-off-by: Wolfgang Bumiller > > Hi Wolfgang, > > Thanks for resending. > > I'm a very forgetful person. If you could (in the future - don't resend > this one) add a changelog showing what's changed, that would make my > reviews a lot faster :) > > Looks good, > > Acked-by: Serge E. Hallyn > > Stéphane, this is going to need packaging jujitsu for multiarch > I assume, I'm not sure how we'll handle that. So, as it turns out, hooks are currently in the main lxc package which is arch-dependent, so while that's quite possibly the wrong place for them to be, this change won't need any packaging change right now :) > > > --- > > hooks/Makefile.am | 6 ++ > > hooks/unmount-namespace.c | 213 > > ++ > > 2 files changed, 219 insertions(+) > > create mode 100644 hooks/unmount-namespace.c > > > > diff --git a/hooks/Makefile.am b/hooks/Makefile.am > > index be55601..ef82083 100644 > > --- a/hooks/Makefile.am > > +++ b/hooks/Makefile.am > > @@ -6,4 +6,10 @@ hooks_SCRIPTS = \ > > ubuntu-cloud-prep \ > > squid-deb-proxy-client > > > > +hooks_PROGRAMS = \ > > + unmount-namespace > > + > > +unmount_namespace_SOURCES = \ > > + unmount-namespace.c > > + > > EXTRA_DIST=$(hooks_SCRIPTS) > > diff --git a/hooks/unmount-namespace.c b/hooks/unmount-namespace.c > > new file mode 100644 > > index 000..488c9cc > > --- /dev/null > > +++ b/hooks/unmount-namespace.c 
> > @@ -0,0 +1,213 @@ > > +/* > > + * Copyright © 2015 Wolfgang Bumiller . > > + * Copyright © 2015 Proxmox Server Solutions GmbH > > + * > > + * This program is free software; you can redistribute it and/or modify > > + * it under the terms of the GNU General Public License version 2, as > > + * published by the Free Software Foundation. > > + * > > + * This program is distributed in the hope that it will be useful, > > + * but WITHOUT ANY WARRANTY; without even the implied warranty of > > + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > > + * GNU General Public License for more details. > > + * > > + * You should have received a copy of the GNU General Public License along > > + * with this program; if not, write to the Free Software Foundation, Inc., > > + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. > > + * > > + * -- > > + * > > + * This stop-hook unmounts everything in the container's namespace, and > > thereby > > + * waits for all calls commands to finish. This is useful when one needs > > to be > > + * sure that network filesystems are finished unmounting in the namespace > > + * before continuing with other tasks. Without this hook the cleanup of > > mounts > > + * is done by the kernel in the background after all the references to the > > + * namespaces are gone. 
> > + */ > > + > > +#define _GNU_SOURCE/* setns */ > > +#include /* fdopen, getmntent, endmntent */ > > +#include /* malloc, qsort */ > > +#include /* close */ > > +#include /* strcmp, strncmp, strdup, strerror */ > > +#include /* setns */ > > +#include /* umount2 */ > > +#include /* openat, open */ > > +#include /* openat, open */ > > +#include /* openat, open */ > > +#include /* getmntent, endmntent */ > > +#include /* errno */ > > + > > +struct mount { > > + char *src; /* currently not used */ > > + char *dst; > > + char *fs; /* currently not used */ > > +}; > > + > > +static void mount_free(struct mount *mnt) { > > + free(mnt->src); > > + free(mnt->dst); > > + free(mnt->fs); > > +} > > + > > +static int mount_cmp_dst(const void *a_, const void *b_) { > > + struct mount *a = (struct mount*)a_; > > + struct mount *b = (struct mount*)b_; > > + return strcmp(b->dst, a->dst); /* swapped order */ > > +} > > + > > +/* Unmounting /dev/pts fails, and so /dev also fails, but /dev is not what > > + * we're interested in. (There might also still be /dev/cgroup mounts). > > + */ > > +static int mount_should_error(const struct mount *mnt) { > > + const char *dst = mnt->dst; > > + return !(strncmp(dst, "/dev", 4) == 0 && (dst[4] == 0 || dst[4] == > > '/')); > > +} > > + > > +/* Read mounts from 'self/mounts' relative to a directory filedescriptor. > > + * Before entering the container we open a handle to /proc on the host as > > we > > + * need to access /proc/self/mounts and the container's /proc doesn't > > contain > > + * our /self. We then use openat(2) to avoid having to mount a temporary > > /proc. > > + */ > > +static int read_mounts(int procfd, struct mount **mp, size_t *countp) { > > + int fd; > > + struct mntent *ent; > > + FILE *mf; > > + size_t capacity = 32; > > + size_t count = 0; > > + struct mount *mounts = (struct mount*)malloc(capacity * > > sizeof(*mounts)); > > + > > + if (!mounts) { > > + errno = ENOMEM; > > + return 0; > > + } > > + > > +