[lxc-devel] [nova-lxd/master] Update requirements
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/nova-lxd/pull/106 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Chuck Shorthttp://ogp.me/ns# fb: http://ogp.me/ns/fb# object: http://ogp.me/ns/object# article: http://ogp.me/ns/article# profile: http://ogp.me/ns/profile#;> https://assets-cdn.github.com/assets/github-8a53a53d5feade5191874a5bbafa52ba0d8f6eeb48011f6b311788fdb747b804.css; media="all" rel="stylesheet" /> https://assets-cdn.github.com/assets/github2-e3a5b81e0737b90f1e6ff8e852b921f7ad8a4426c85776cf0b780295ffad25ac.css; media="all" rel="stylesheet" /> https://assets-cdn.github.com/assets/frameworks-ee521b8e9facac68ff27e93fc3ae0f8ed811d7bf9e434e84f4b9ea227780b084.js; rel="preload" /> https://assets-cdn.github.com/assets/github-863d0e4c2905010278cfd87e9c7c738e812530db73c36c274a185354977a2e41.js; rel="preload" /> Update requirements by zulcss · Pull Request #106 · lxc/nova-lxd · GitHub https://github.com/fluidicon.png; title="GitHub"> https://avatars1.githubusercontent.com/u/319235?v=3s=400; name="twitter:image:src" /> https://avatars1.githubusercontent.com/u/319235?v=3s=400; property="og:image" />https://github.com/lxc/nova-lxd/pull/106; property="og:url" /> https://api.github.com/_private/browser/stats;> https://api.github.com/_private/browser/errors;> https://assets-cdn.github.com/;> https://assets-cdn.github.com/pinned-octocat.svg; color="#4078c0"> https://assets-cdn.github.com/favicon.ico;> span.labelstyle-fc2929, .linked-labelstyle-fc2929 { background-color: #fc2929 !important; color: #fff !important;}.labelstyle-fc2929.selected { background-color: #fc2929 !important; color: #fff !important;}.label-select-menu .labelstyle-fc2929.selected { background:rgba(252, 41, 41, 0.12) !important; color: #991818 !important;} span.labelstyle-cc, .linked-labelstyle-cc { background-color: #cc !important; color: #33 !important;}.labelstyle-cc.selected { background-color: #cc !important; color: #33 !important;}.label-select-menu .labelstyle-cc.selected { background:rgba(204, 204, 204, 0.12) !important; color: #99 !important;} span.labelstyle-84b6eb, .linked-labelstyle-84b6eb { background-color: #84b6eb !important; color: #1c2733 !important;}.labelstyle-84b6eb.selected { background-color: #84b6eb !important; color: #1c2733 !important;}.label-select-menu .labelstyle-84b6eb.selected { background:rgba(132, 182, 235, 0.12) !important; color: #557699 !important;} span.labelstyle-159818, .linked-labelstyle-159818 { background-color: #159818 !important; color: #fff !important;}.labelstyle-159818.selected { background-color: #159818 !important; color: #fff !important;}.label-select-menu .labelstyle-159818.selected { background:rgba(21, 152, 24, 0.12) !important; color: #159918 !important;} span.labelstyle-e6e6e6, .linked-labelstyle-e6e6e6 { background-color: #e6e6e6 !important; color: #33 !important;}.labelstyle-e6e6e6.selected { background-color: #e6e6e6 !important; color: #33 !important;}.label-select-menu .labelstyle-e6e6e6.selected { background:rgba(230, 230, 230, 0.12) !important; color: #99 !important;} span.labelstyle-cc317c, .linked-labelstyle-cc317c { background-color: #cc317c !important; color: #fff !important;}.labelstyle-cc317c.selected { background-color: #cc317c !important; color: #fff !important;}.label-select-menu .labelstyle-cc317c.selected { background:rgba(204, 49, 124, 0.12) !important; color: #99245c !important;} span.labelstyle-ff, .linked-labelstyle-ff { background-color: #ff !important; color: #33 !important;}.labelstyle-ff.selected { background-color: #ff !important; color: #33 !important;}.label-select-menu .labelstyle-ff.selected { background:rgba(255, 255, 255, 0.12) !important; color: #99 !important;} https://github.com/lxc/nova-lxd.git;> https://github.com/lxc/nova-lxd/commits/master.atom; rel="alternate" title="Recent Commits to nova-lxd:master" type="application/atom+xml"> Skip to content https://github.com/; data-ga-click="(Logged out) Header, go to homepage, icon:logo-wordmark"> Sign up Sign in This repository Explore Features
Re: [lxc-devel] cgroup V2 and LXC
Quoting Christian Brauner (christian.brau...@mailbox.org): > On Mon, Feb 01, 2016 at 04:56:08AM +, Serge Hallyn wrote: > > Quoting Kevin Wilson (wkev...@gmail.com): > > > Hi, LXC developers, > > > > > > The latest kernel release (4.4) includes initial support to cgroup v2 > > > with 2 controllers (memory and io). Also it seems that the PIDs > > > controller works in cgroup v2, but I do not know if it is officially > > > supported in v2. > > > > > > Is there any intention to replace the existing cgroup v1 usage in LXC > > > by cgroup v2 ? or at least to enable working with both of them ? > > > > > > Regards, > > > Kevin > > > > Replace, no, support, yes. I've added support for it to cgmanager, and have > > used lxc with the unified hierarchy through cgmanager. Without cgmanager > > it will currently definately not work. It's worth discussing how we should > > handle it - and how init wants us to handle it. With cgmanager I actually > > built in the support so that you could treat it as a legacy hierarchy, and > > upstart was happy with that since it used cgmanager. Systemd will not be > > happy with that, and it will be a problem. The only exception to the "no > > tasks in a non-leaf node" rule is for the / cgroup. So lxc would need to > > place init in say /lxc/c1/.leaf, and systemd would have to accept that > > /lxc/c1 is the container's cgroup. A few possibilities: > > > > 1. maybe if we place systemd in /lxc/c1/init.scope it will be happy > Well, here is how I thought it could go (sticking to systemd specifics here): > - create a slice for all lxc "lxc.slice" (similar to "machine.slice" > of > systemd-nspawn backed containers) > - "lxc.slice" contains a scope for each container (e.g. "c1.scope" > - "c1.scope" contains an "init.scope" > - "init.scope" only contains the PID of "/sbin/init" as seen from the > host (obviously) So if we are creating container c1, are you talking about /lxc/c1/lxc.slice/c1.scope/init.scope or are you talking about a host-global /lxc.slice with container-specific /lxc.slice/c1.scope per container? ? > - All other processes are put in another slice "c1-something.slice" Which other processes? AFAIK all other processes will be created by systemd. The q is what will it do. If we put systemd in /lxc.slice/c1.scope/init.scope, will it take that as its cgroup root and try to create and move itself into /lxc.slice/c1.scope/init.scope ? If so it will fail since it cannot create a cgroup while it is in it. So I think I've convinced myself that we need to collaborate with systemd on this. Perhaps we can agree with it on a default cgroup in which it should be started to tell it "this is the leaf cgroup for your init". So if it sees it is in /a/b/c/.cg_leaf, then it will know that /a/b/c is its root. > If we do not want to create scopes we are left with the option of > forcing "init" in a separate cgroup from the rest of the containers > processes. > > Christian > > > > 2. maybe we can teach systemd to accept being in a leaf node > > 3. maybe we can build an exception into cgroup namespaces such that > > a cgns root also is an exception to the no-tasks-in-non-leaf-nodes > > rule. But I doubt that will fly. > > ___ > > lxc-devel mailing list > > lxc-devel@lists.linuxcontainers.org > > http://lists.linuxcontainers.org/listinfo/lxc-devel ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] [PATCH] selftests/cgroupns: new test for cgroup namespaces
On Sun, Jan 31, 2016 at 06:48:12PM +0100, Alban Crequy wrote: > From: Alban Crequy> > This adds the selftest "cgroupns_test" in order to test the CGroup > Namespace patchset. > > cgroupns_test creates two child processes. They perform a list of > actions defined by the array cgroupns_test. This array can easily be > extended to more scenarios without adding much code. They are > synchronized with eventfds to ensure only one action is performed at a > time. > > The memory is shared between the processes (CLONE_VM) so each child > process can know the pid of their siblings without extra IPC. > > The output explains the scenario being played. Short extract: > > > current cgroup: /user.slice/user-0.slice/session-1.scope > > child process #0: check that process #self (pid=482) has cgroup > > /user.slice/user-0.slice/session-1.scope > > child process #0: unshare cgroupns > > child process #0: move process #self (pid=482) to cgroup > > cgroup-a/subcgroup-a > > child process #0: join parent cgroupns > > The test does not change the mount namespace and does not mount any > new cgroup2 filesystem. Therefore this does not test that the cgroup2 > mount is correctly rooted to the cgroupns root at mount time. > > Signed-off-by: Alban Crequy Thanks, Alban! > Acked-by: Serge E. Hallyn > > --- > > Changelog: > 20160131 - rebase on sergeh/cgroupns.v10 and fix conflicts > > 20160115 - Detect where cgroup2 is mounted, don't assume >/sys/fs/cgroup (suggested by sergeh) > - Check more error conditions (from krnowak's review) > - Coding style (from krnowak's review) > - Update error message for Linux >= 4.5 (from krnowak's >review) > > 20160104 - Fix coding style (from sergeh's review) > - Fix printf formatting (from sergeh's review) > - Fix parsing of /proc/pid/cgroup (from sergeh's review) > - Fix concatenation of cgroup paths > > 20151219 - First version > > This patch is available in the cgroupns.v10-tests branch of > https://github.com/kinvolk/linux.git > It is rebased on top of Serge Hallyn's cgroupns.v10 branch of > https://git.kernel.org/cgit/linux/kernel/git/sergeh/linux-security.git/ > > Test results: > > - SUCCESS on kernel cgroupns.v10 booted with > systemd.unified_cgroup_hierarchy=1 > - SUCCESS on kernel cgroupns.v10 booted with > systemd.unified_cgroup_hierarchy=0 > --- > tools/testing/selftests/Makefile | 1 + > tools/testing/selftests/cgroupns/Makefile| 11 + > tools/testing/selftests/cgroupns/cgroupns_test.c | 445 > +++ > 3 files changed, 457 insertions(+) > create mode 100644 tools/testing/selftests/cgroupns/Makefile > create mode 100644 tools/testing/selftests/cgroupns/cgroupns_test.c > > diff --git a/tools/testing/selftests/Makefile > b/tools/testing/selftests/Makefile > index b04afc3..b373135 100644 > --- a/tools/testing/selftests/Makefile > +++ b/tools/testing/selftests/Makefile > @@ -1,5 +1,6 @@ > TARGETS = breakpoints > TARGETS += capabilities > +TARGETS += cgroupns > TARGETS += cpu-hotplug > TARGETS += efivarfs > TARGETS += exec > diff --git a/tools/testing/selftests/cgroupns/Makefile > b/tools/testing/selftests/cgroupns/Makefile > new file mode 100644 > index 000..0fdbe0a > --- /dev/null > +++ b/tools/testing/selftests/cgroupns/Makefile > @@ -0,0 +1,11 @@ > +CFLAGS += -I../../../../usr/include/ > +CFLAGS += -I../../../../include/uapi/ > + > +all: cgroupns_test > + > +TEST_PROGS := cgroupns_test > + > +include ../lib.mk > + > +clean: > + $(RM) cgroupns_test > diff --git a/tools/testing/selftests/cgroupns/cgroupns_test.c > b/tools/testing/selftests/cgroupns/cgroupns_test.c > new file mode 100644 > index 000..71e2336 > --- /dev/null > +++ b/tools/testing/selftests/cgroupns/cgroupns_test.c > @@ -0,0 +1,445 @@ > +#define _GNU_SOURCE > + > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > +#include > + > +#include > +#include > + > +#include "../kselftest.h" > + > +#define STACK_SIZE 65536 > + > +static char cgroup_mountpoint[4096]; > +static char root_cgroup[4096]; > + > +#define CHILDREN_COUNT 2 > +typedef struct { > + pid_t pid; > + uint8_t *stack; > + int start_semfd; > + int end_semfd; > +} cgroupns_child_t; > +cgroupns_child_t children[CHILDREN_COUNT]; > + > +typedef enum { > + UNSHARE_CGROUPNS, > + JOIN_CGROUPNS, > + CHECK_CGROUP, > + CHECK_CGROUP_WITH_ROOT_PREFIX, > + MOVE_CGROUP, > + MOVE_CGROUP_WITH_ROOT_PREFIX, > +} cgroupns_action_t; > + > +static const struct { > + int actor_id; > + cgroupns_action_t action; > + int target_id; > + char *path; > +} cgroupns_tests[] = { > + { 0, CHECK_CGROUP_WITH_ROOT_PREFIX, -1, "/"}, > + { 0,
Re: [lxc-devel] cgroup V2 and LXC
On Wed, Feb 10, 2016 at 05:45:48PM +, Serge Hallyn wrote: > Quoting Christian Brauner (christian.brau...@mailbox.org): > > On Mon, Feb 01, 2016 at 04:56:08AM +, Serge Hallyn wrote: > > > Quoting Kevin Wilson (wkev...@gmail.com): > > > > Hi, LXC developers, > > > > > > > > The latest kernel release (4.4) includes initial support to cgroup v2 > > > > with 2 controllers (memory and io). Also it seems that the PIDs > > > > controller works in cgroup v2, but I do not know if it is officially > > > > supported in v2. > > > > > > > > Is there any intention to replace the existing cgroup v1 usage in LXC > > > > by cgroup v2 ? or at least to enable working with both of them ? > > > > > > > > Regards, > > > > Kevin > > > > > > Replace, no, support, yes. I've added support for it to cgmanager, and > > > have > > > used lxc with the unified hierarchy through cgmanager. Without cgmanager > > > it will currently definately not work. It's worth discussing how we > > > should > > > handle it - and how init wants us to handle it. With cgmanager I > > > actually > > > built in the support so that you could treat it as a legacy hierarchy, and > > > upstart was happy with that since it used cgmanager. Systemd will not be > > > happy with that, and it will be a problem. The only exception to the "no > > > tasks in a non-leaf node" rule is for the / cgroup. So lxc would need to > > > place init in say /lxc/c1/.leaf, and systemd would have to accept that > > > /lxc/c1 is the container's cgroup. A few possibilities: > > > > > > 1. maybe if we place systemd in /lxc/c1/init.scope it will be happy > > Well, here is how I thought it could go (sticking to systemd specifics > > here): > > - create a slice for all lxc "lxc.slice" (similar to > > "machine.slice" of > > systemd-nspawn backed containers) > > - "lxc.slice" contains a scope for each container (e.g. "c1.scope" > > - "c1.scope" contains an "init.scope" > > - "init.scope" only contains the PID of "/sbin/init" as seen from > > the > > host (obviously) > > So if we are creating container c1, are you talking about > > /lxc/c1/lxc.slice/c1.scope/init.scope > > or are you talking about a host-global > > /lxc.slice Yes, you have lxc.slice then you have all your machines under this. This is what systemd-nspawn does if I'm not mistaken. > > with container-specific > > /lxc.slice/c1.scope > > per container? > > ? Yes. > > > - All other processes are put in another slice "c1-something.slice" > > Which other processes? Well, all processes, systemd starts are either put in system.slice or user.slice. All other things we start in the container (let it be e.g. vim) is put in a session.slice (e.g. session-0.slice, session-1000.slice). > > AFAIK all other processes will be created by systemd. The q is what will it > do. If we put systemd in /lxc.slice/c1.scope/init.scope, will it take that > as its cgroup root and try to create and move itself into > /lxc.slice/c1.scope/init.scope ? If so it will fail since it cannot create a > cgroup while it is in it. I don't think so but I need to test that again. Time to boot unified. > > So I think I've convinced myself that we need to collaborate with systemd > on this. Perhaps we can agree with it on a default cgroup in which it should > be started to tell it "this is the leaf cgroup for your init". So if it sees > it is in /a/b/c/.cg_leaf, then it will know that /a/b/c is its root. I thought the same that's why I started to read some of the code. fwiw, systemd-nspawn already works with the unified cgroup hierarchy and I think nesting works as well. But I'm not completely sure how nspawn handles nesting. > > > If we do not want to create scopes we are left with the option of > > forcing "init" in a separate cgroup from the rest of the containers > > processes. > > > > Christian > > > > > > > 2. maybe we can teach systemd to accept being in a leaf node > > > 3. maybe we can build an exception into cgroup namespaces such that > > > a cgns root also is an exception to the no-tasks-in-non-leaf-nodes > > > rule. But I doubt that will fly. > > > ___ > > > lxc-devel mailing list > > > lxc-devel@lists.linuxcontainers.org > > > http://lists.linuxcontainers.org/listinfo/lxc-devel ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/lxc] 2c5f2e: lxc-destroy: deal with ephemeral containers
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 2c5f2edeb91100b8debfec90624cd1fe20ee5a8d https://github.com/lxc/lxc/commit/2c5f2edeb91100b8debfec90624cd1fe20ee5a8d Author: Christian BraunerDate: 2016-02-10 (Wed, 10 Feb 2016) Changed paths: M src/lxc/lxc_destroy.c M src/lxc/start.c Log Message: --- lxc-destroy: deal with ephemeral containers - Ephemeral containers are destroyed on shutdown so we do not destroy them. - Destroy ephemeral containers with clones: first destroy all the clones, then destroy the container. - Ephemeral containers with snapshots cannot be easily handled but we can probably trust that no one will try to make snapshots of an ephemeral container. Signed-off-by: Christian Brauner Commit: bad548de3ba42d501fe8604debadcce4031dda34 https://github.com/lxc/lxc/commit/bad548de3ba42d501fe8604debadcce4031dda34 Author: Serge Hallyn Date: 2016-02-10 (Wed, 10 Feb 2016) Changed paths: M src/lxc/lxc_destroy.c M src/lxc/start.c Log Message: --- Merge pull request #813 from brauner/2016-02-01/lxc_destroy_ephemeral lxc-destroy: deal with ephemeral containers Compare: https://github.com/lxc/lxc/compare/cd30b4fa22e6...bad548de3ba4___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] Packaging lxc 1.0.x for CentOS 7
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, Am 08.02.16 schrieb Nehal J Wani: > When I compiled lxc from source on CentOS 7, I had to edit the > file: /usr/local/etc/sysconfig/lxc and change the value > USE_LXC_BRIDGE to 'true' and then type: > /usr/local/libexec/lxc/lxc-net start Sure that you compiled a 1.0.x? I only get this file when compiling 1.1.x releases... Johannes -BEGIN PGP SIGNATURE- Version: GnuPG v2 Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/ iEYEARECAAYFAla7iToACgkQzi3gQ/xETbKJ1gCeMN12JHCzZj9A1sL9clNeHQ5S s7AAnR/ou8L+WTTO07UKOLSZUi99syon =MKDr -END PGP SIGNATURE- ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] Packaging lxc 1.0.x for CentOS 7
Oh, I also did: mkdir /usr/local/var/lib/misc/ Yes, I tested it on both, lxc-2.0.0.beta2 and lxc-1.1.5 On Thu, Feb 11, 2016 at 12:32 AM, Johannes Kastlwrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Hi, > > Am 08.02.16 schrieb Nehal J Wani: >> When I compiled lxc from source on CentOS 7, I had to edit the >> file: /usr/local/etc/sysconfig/lxc and change the value >> USE_LXC_BRIDGE to 'true' and then type: >> /usr/local/libexec/lxc/lxc-net start > > Sure that you compiled a 1.0.x? I only get this file when compiling > 1.1.x releases... > > Johannes > > -BEGIN PGP SIGNATURE- > Version: GnuPG v2 > Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/ > > iEYEARECAAYFAla7iToACgkQzi3gQ/xETbKJ1gCeMN12JHCzZj9A1sL9clNeHQ5S > s7AAnR/ou8L+WTTO07UKOLSZUi99syon > =MKDr > -END PGP SIGNATURE- > ___ > lxc-devel mailing list > lxc-devel@lists.linuxcontainers.org > http://lists.linuxcontainers.org/listinfo/lxc-devel -- Nehal J Wani ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel