[lxc-devel] [lxc/lxc] bf5afa: doc: Update Japanese lxc-clone(1) and lxc-start-ep...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: bf5afa6e6b681d1f5cf3ac6fd4ebc855b0a8f5dc
https://github.com/lxc/lxc/commit/bf5afa6e6b681d1f5cf3ac6fd4ebc855b0a8f5dc
Author: KATOH Yasufumi
Date: 2016-02-25 (Thu, 25 Feb 2016)
Changed paths:
M doc/ja/lxc-clone.sgml.in
M doc/ja/lxc-start-ephemeral.sgml.in
Log Message:
---
doc: Update Japanese lxc-clone(1) and lxc-start-ephemeral(1)

describe that lxc-clone and lxc-start-ephemeral have been deprecated in those man pages. Update for commit 2ae6732.

Signed-off-by: KATOH Yasufumi

Commit: cd548c9d861481a723d091a622ff321e70737cce
https://github.com/lxc/lxc/commit/cd548c9d861481a723d091a622ff321e70737cce
Author: KATOH Yasufumi
Date: 2016-02-25 (Thu, 25 Feb 2016)
Changed paths:
M doc/ja/lxc.container.conf.sgml.in
Log Message:
---
doc: Update Japanese lxc.container.conf(5)

- Add the description that automount is ignored when cgroup namespaces are supported. Update for commit 4608594.
- Unify terminology of translation

Signed-off-by: KATOH Yasufumi

Commit: fa79f0a4e3fc3a99cf806f3076baa640709ba06d
https://github.com/lxc/lxc/commit/fa79f0a4e3fc3a99cf806f3076baa640709ba06d
Author: Christian Brauner
Date: 2016-02-25 (Thu, 25 Feb 2016)
Changed paths:
M doc/ja/lxc-clone.sgml.in
M doc/ja/lxc-start-ephemeral.sgml.in
M doc/ja/lxc.container.conf.sgml.in
Log Message:
---
Merge pull request #847 from tenforward/japanese_man

Update Japanese man

Compare: https://github.com/lxc/lxc/compare/9e89a0ba52db...fa79f0a4e3fc
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/master] Update Japanese man
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/847 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === * Update lxc-clone(1) and lxc-start-ephemeral(1) as those have been deprecated. * Update lxc.container.conf(5) about cgroup namespace. From bf5afa6e6b681d1f5cf3ac6fd4ebc855b0a8f5dc Mon Sep 17 00:00:00 2001 From: KATOH Yasufumi Date: Thu, 25 Feb 2016 15:15:41 +0900 Subject: [PATCH 1/2] doc: Update Japanese lxc-clone(1) and lxc-start-ephemeral(1) describe that lxc-clone and lxc-start-ephemeral have been deprecated in those man pages. Update for commit 2ae6732. Signed-off-by: KATOH Yasufumi --- doc/ja/lxc-clone.sgml.in | 5 +++-- doc/ja/lxc-start-ephemeral.sgml.in | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/doc/ja/lxc-clone.sgml.in b/doc/ja/lxc-clone.sgml.in index ef6bdf7..9e68910 100644 --- a/doc/ja/lxc-clone.sgml.in +++ b/doc/ja/lxc-clone.sgml.in @@ -352,9 +352,10 @@ by KATOH Yasufumi 注意 - lxc-copy が lxc-clone の後継コマンドとなります。 + lxc-clone は lxc-copy に置き換えられ、廃止される予定です。 diff --git a/doc/ja/lxc-start-ephemeral.sgml.in b/doc/ja/lxc-start-ephemeral.sgml.in index b54a06f..0124f48 100644 --- a/doc/ja/lxc-start-ephemeral.sgml.in +++ b/doc/ja/lxc-start-ephemeral.sgml.in @@ -283,10 +283,10 @@ by KATOH Yasufumi 注意 - lxc-copy が lxc-start-ephemeral コマンドの後継コマンドとなります。 + lxc-start-ephemeral は lxc-copy に置き換えられ、廃止される予定です。 From cd548c9d861481a723d091a622ff321e70737cce Mon Sep 17 00:00:00 2001 From: KATOH Yasufumi Date: Thu, 25 Feb 2016 15:38:30 +0900 Subject: [PATCH 2/2] doc: Update Japanese lxc.container.conf(5) - Add the description that automount is ignored when cgroup namespaces are supported. Update for commit 4608594. - Unify terminology of translation 
Signed-off-by: KATOH Yasufumi --- doc/ja/lxc.container.conf.sgml.in | 15 --- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/doc/ja/lxc.container.conf.sgml.in b/doc/ja/lxc.container.conf.sgml.in index b28d37e..467c1f7 100644 --- a/doc/ja/lxc.container.conf.sgml.in +++ b/doc/ja/lxc.container.conf.sgml.in @@ -1401,6 +1401,15 @@ proc proc proc nodev,noexec,nosuid 0 0 + + + cgroup 名前空間が有効の場合、cgroup の自動マウントの指定はどれも無視されます。これは、コンテナが自身でファイルシステムをマウントするため、自動マウントがコンテナの init を混乱させる可能性があるためです。 + lxc が apparmor サポートでコンパイルされ、インストールされている場合で、ホストで apparmor が有効な場合、コンテナが従って動くべき apparmor プロファイルは、コンテナの設定で指定することが可能です。 -デフォルトは、ホストのカーネルで cgroup namespace が使える場合は lxc-container-default-cgnsです。使えない場合は lxc-container-default です。 +デフォルトは、ホストのカーネルで cgroup 名前空間が使える場合は lxc-container-default-cgnsです。使えない場合は lxc-container-default です。 @@ -2269,8 +2278,8 @@ mknod errno 0 cgroup namespaces are enabled in the kernel. This is used by the lxcfs mount hook. --> - この変数が設定されていない場合、お使いのバージョンの LXC は cgroup namespace を扱えません。設定されている場合、この値は 1 に設定されています。そして、cgroup namespace を扱えます。 - この変数はカーネルで cgroup namespace が有効であることは保証しません。この変数は lxcfs のマウントフックが使います。 + この変数が設定されていない場合、お使いのバージョンの LXC は cgroup 名前空間を扱えません。設定されている場合、この値は 1 に設定されています。そして、cgroup 名前空間を扱えます。 + この変数はカーネルで cgroup 名前空間が有効であることは保証しません。この変数は lxcfs のマウントフックが使います。 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
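Review bot: in the apparmor paragraph of doc/ja/lxc.container.conf.sgml.in the changed line reads "lxc-container-default-cgnsです" with no space before です, while the next sentence has "lxc-container-default です"; add the space so the profile name is set apart the same way in both sentences.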
Re: [lxc-devel] cgroup V2 and LXC
Quoting Christian Brauner (christianvanbrau...@gmail.com):
> On Mon, Feb 15, 2016 at 07:48:05PM +, Serge Hallyn wrote:
> > Quoting Christian Brauner (christian.brau...@mailbox.org):
> > > On Wed, Feb 10, 2016 at 05:45:48PM +, Serge Hallyn wrote:
> > > > Quoting Christian Brauner (christian.brau...@mailbox.org):
> > > > > On Mon, Feb 01, 2016 at 04:56:08AM +, Serge Hallyn wrote:
> > > > > > Quoting Kevin Wilson (wkev...@gmail.com):
> > > > > > > Hi, LXC developers,
> > > > > > >
> > > > > > > The latest kernel release (4.4) includes initial support to cgroup v2
> > > > > > > with 2 controllers (memory and io). Also it seems that the PIDs
> > > > > > > controller works in cgroup v2, but I do not know if it is officially
> > > > > > > supported in v2.
> > > > > > >
> > > > > > > Is there any intention to replace the existing cgroup v1 usage in LXC
> > > > > > > by cgroup v2 ? or at least to enable working with both of them ?
> > > > > > >
> > > > > > > Regards,
> > > > > > > Kevin
> > > > > >
> > > > > > Replace, no, support, yes. I've added support for it to cgmanager, and have
> > > > > > used lxc with the unified hierarchy through cgmanager. Without cgmanager
> > > > > > it will currently definitely not work. It's worth discussing how we should
> > > > > > handle it - and how init wants us to handle it. With cgmanager I actually
> > > > > > built in the support so that you could treat it as a legacy hierarchy, and
> > > > > > upstart was happy with that since it used cgmanager. Systemd will not be
> > > > > > happy with that, and it will be a problem. The only exception to the "no
> > > > > > tasks in a non-leaf node" rule is for the / cgroup. So lxc would need to
> > > > > > place init in say /lxc/c1/.leaf, and systemd would have to accept that
> > > > > > /lxc/c1 is the container's cgroup. A few possibilities:
> > > > > >
> > > > > > 1. maybe if we place systemd in /lxc/c1/init.scope it will be happy
> > > > > Well, here is how I thought it could go (sticking to systemd specifics here):
> > > > > - create a slice for all lxc "lxc.slice" (similar to "machine.slice" of
> > > > >   systemd-nspawn backed containers)
> > > > > - "lxc.slice" contains a scope for each container (e.g. "c1.scope"
> > > > > - "c1.scope" contains an "init.scope"
> > > > > - "init.scope" only contains the PID of "/sbin/init" as seen from the
> > > > >   host (obviously)
> > > >
> > > > So if we are creating container c1, are you talking about
> > > >
> > > > /lxc/c1/lxc.slice/c1.scope/init.scope
> > > >
> > > > or are you talking about a host-global
> > > >
> > > > /lxc.slice
> > > Yes, you have lxc.slice then you have all your machines under this. This is what
> > > systemd-nspawn does if I'm not mistaken.
> > > > with container-specific
> > > >
> > > > /lxc.slice/c1.scope
> > > >
> > > > per container?
> > > >
> > > > ?
> > > Yes.
> >
> > This doesn't seem to address the problem. Where we put these on the host doesn't
> > matter. The question is, we create container c1, in which cgroup do we put the
> > init process?
> >
> > Assume we create /lxc/c1 on the host as we do now. This becomes / in the container's
> > cgroup namespace. Where do we put init? If we put it into (namespaced) /, then
> > systemd will not be able to create any cgroups. So we should probably put it into
> > /init.scope. This is fine with cgroup namespaces since it can see it is in '/init.scope'
> > (or '/' if an unprivileged container couldn't create a cgroup for some controllers).
> > But if we do not have cgroup namespaces, systemd sees it is running in perhaps
> > /user.slice/user-1000.slice/session-c6.scope/lxc/lxdvm1/lxc/c1/init.scope. In that
> > case we want systemd to recognize init.scope and create services under
> > /user.slice/user-1000.slice/session-c6.scope/lxc/lxdvm1/lxc/c1.
> >
> > > > > - All other processes are put in another slice "c1-something.slice"
> > > >
> > > > Which other processes?
> > > Well, all processes, systemd starts are either put in system.slice or
> > > user.slice. All other things we start in the container (let it be e.g. vim) is
> > > put in a session.slice (e.g. session-0.slice, session-1000.slice).
> >
> > wc -l /sys/fs/cgroup/memory/tasks
> > 548
> This is output from a legacy cgroup. (The tasks file is removed in cgroup
> unified hierarchy, no?) I was talking about unified cgroups.

Oh, of course.

> A typical layout for a container BB running a unified cgroup system inside on a
> host running a unified cgroup system with systemd-nspawn:
>
> /sys/fs/cgroup/machine.slice/:
> - non-leaf node --> cgroup.procs empty
>
> /sys/fs/cgroup/machi
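The placement question in the thread above, worked through as an added example (not code from LXC, systemd or any poster). It models the "no tasks in a non-leaf node" rule as stated in the thread, with / exempt; the PIDs, the helper names and the cgroup trees are constructed for illustration.

```python
import posixpath
from dataclasses import dataclass, field


@dataclass
class Cgroup:
    procs: list = field(default_factory=list)      # PIDs listed in cgroup.procs
    children: dict = field(default_factory=dict)   # child name -> Cgroup


def build_tree(placement):
    """Build a cgroup tree from {host cgroup path: [pids]} (constructed input)."""
    root = Cgroup()
    for path, pids in placement.items():
        node = root
        for part in (p for p in path.split("/") if p):
            node = node.children.setdefault(part, Cgroup())
        node.procs.extend(pids)
    return root


def internal_process_violations(root):
    """Paths of non-root cgroups that hold processes and also have children."""
    bad = []

    def walk(node, path):
        # The root cgroup is the one exception named in the thread.
        if path != "/" and node.procs and node.children:
            bad.append(path)
        for name, child in node.children.items():
            walk(child, path.rstrip("/") + "/" + name)

    walk(root, "/")
    return sorted(bad)


def namespaced_view(host_path, ns_root):
    """Path a process sees for its cgroup when ns_root is its cgroup namespace root."""
    host = posixpath.normpath(host_path)
    root = posixpath.normpath(ns_root)
    if host == root:
        return "/"
    prefix = root.rstrip("/") + "/"
    if not host.startswith(prefix):
        raise ValueError("cgroup lies outside the namespace root")
    return "/" + host[len(prefix):]


def container_root_from_init(init_path):
    """Without cgroup namespaces: the behaviour the thread asks of init, i.e.
    treat the parent of a trailing init.scope as the container's cgroup."""
    path = posixpath.normpath(init_path)
    if posixpath.basename(path) == "init.scope":
        return posixpath.dirname(path)
    return path


# Constructed layouts: init directly in /lxc/c1 versus in /lxc/c1/init.scope,
# with one service cgroup created by the container's init in both cases.
INIT_IN_CONTAINER_ROOT = {"/lxc/c1": [100],
                          "/lxc/c1/system.slice/ssh.service": [120]}
INIT_IN_LEAF = {"/lxc/c1/init.scope": [100],
                "/lxc/c1/system.slice/ssh.service": [120]}

if __name__ == "__main__":
    for name, layout in (("init in /lxc/c1", INIT_IN_CONTAINER_ROOT),
                         ("init in /lxc/c1/init.scope", INIT_IN_LEAF)):
        print(name, "->", internal_process_violations(build_tree(layout)) or "ok")
    print(namespaced_view("/lxc/c1/init.scope", "/lxc/c1"))
```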
[lxc-devel] Passed: lxc/lxc#1733 (lxc-2.0.0.rc3 - 9e89a0b)
Build Update for lxc/lxc
Build: #1733
Status: Passed
Duration: 1 minute and 7 seconds
Commit: 9e89a0b (lxc-2.0.0.rc3)
Author: Stéphane Graber
Message: change version to 2.0.0.rc3 in configure.ac

Signed-off-by: Stéphane Graber

View the changeset: https://github.com/lxc/lxc/compare/lxc-2.0.0.rc3
View the full build log and details: https://travis-ci.org/lxc/lxc/builds/111649748
[lxc-devel] [lxc/lxc]
Branch: refs/tags/lxc-2.0.0.rc3
Home: https://github.com/lxc/lxc
[lxc-devel] [lxc/lxc] 9e89a0: change version to 2.0.0.rc3 in configure.ac
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 9e89a0ba52dbfaae38c80ae19a26e51c0031d53e
https://github.com/lxc/lxc/commit/9e89a0ba52dbfaae38c80ae19a26e51c0031d53e
Author: Stéphane Graber
Date: 2016-02-24 (Wed, 24 Feb 2016)
Changed paths:
M configure.ac
Log Message:
---
change version to 2.0.0.rc3 in configure.ac

Signed-off-by: Stéphane Graber
[lxc-devel] [lxc/lxc] 460859: cgfs: do not automount if cgroup namespaces are su...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 4608594e1dce0efdf3412103d95d31763598ea0d
https://github.com/lxc/lxc/commit/4608594e1dce0efdf3412103d95d31763598ea0d
Author: Serge Hallyn
Date: 2016-02-24 (Wed, 24 Feb 2016)
Changed paths:
M doc/lxc.container.conf.sgml.in
M src/lxc/cgfs.c
Log Message:
---
cgfs: do not automount if cgroup namespaces are supported

In that case containers will be able to mount cgroup filesystems for themselves as they do on a host.

This fixes inability to start systemd based containers on cgns-enabled kernels with cgmanager not running.

I've tested debian jessie, busybox, ubuntu trusty and xenial, all of which booted ok. However if there are some setups which require premounted cgroupfs (i.e. they don't mount if they detect being in a container), this may cause trouble.

Signed-off-by: Serge Hallyn

Commit: e80ca772adc7791a858120249cf9b7a82a3d6579
https://github.com/lxc/lxc/commit/e80ca772adc7791a858120249cf9b7a82a3d6579
Author: Stéphane Graber
Date: 2016-02-24 (Wed, 24 Feb 2016)
Changed paths:
M doc/lxc.container.conf.sgml.in
M src/lxc/cgfs.c
Log Message:
---
Merge pull request #846 from hallyn/2016-02-24/cgns.auto

cgfs: do not automount if cgroup namespaces are supported

Compare: https://github.com/lxc/lxc/compare/4f97fce4b370...e80ca772adc7
[lxc-devel] [lxc/lxc] 2ae673: mark lxc-clone & lxc-start-ephemeral as deprecated
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 2ae6732f6b351ddbd299678fec2c43d02faef5e0
https://github.com/lxc/lxc/commit/2ae6732f6b351ddbd299678fec2c43d02faef5e0
Author: Christian Brauner
Date: 2016-02-24 (Wed, 24 Feb 2016)
Changed paths:
M doc/lxc-clone.sgml.in
M doc/lxc-start-ephemeral.sgml.in
M src/lxc/lxc-start-ephemeral.in
M src/lxc/lxc_clone.c
Log Message:
---
mark lxc-clone & lxc-start-ephemeral as deprecated

- add deprecation note to man pages
- print deprecation info to stderr when the executables are invoked

Signed-off-by: Christian Brauner

Commit: d0a6bd39400a6d14cfec94ad647f3af1bda1e321
https://github.com/lxc/lxc/commit/d0a6bd39400a6d14cfec94ad647f3af1bda1e321
Author: Christian Brauner
Date: 2016-02-24 (Wed, 24 Feb 2016)
Changed paths:
M config/bash/lxc.in
M configure.ac
M doc/Makefile.am
M doc/ja/Makefile.am
M doc/ko/Makefile.am
M src/lxc/Makefile.am
M src/lxc/arguments.h
M src/tests/lxc-test-cloneconfig
M src/tests/lxc-test-snapdeps
M src/tests/lxc-test-unpriv
Log Message:
---
configure.ac: add --enable-deprecated flag

- lxc-clone and lxc-start-ephemeral are marked deprecated. We add a --enable-deprecated flag to configure.ac allowing us to enable these deprecated executables
- update tests to use lxc-copy instead of lxc-clone

Signed-off-by: Christian Brauner

Commit: 4f97fce4b3701b206a0033f2477d7cfc2bde5e14
https://github.com/lxc/lxc/commit/4f97fce4b3701b206a0033f2477d7cfc2bde5e14
Author: Stéphane Graber
Date: 2016-02-24 (Wed, 24 Feb 2016)
Changed paths:
M config/bash/lxc.in
M configure.ac
M doc/Makefile.am
M doc/ja/Makefile.am
M doc/ko/Makefile.am
M doc/lxc-clone.sgml.in
M doc/lxc-start-ephemeral.sgml.in
M src/lxc/Makefile.am
M src/lxc/arguments.h
M src/lxc/lxc-start-ephemeral.in
M src/lxc/lxc_clone.c
M src/tests/lxc-test-cloneconfig
M src/tests/lxc-test-snapdeps
M src/tests/lxc-test-unpriv
Log Message:
---
Merge pull request #844 from brauner/2016-02-22/manpage_update

configure.ac: add --enable-deprecated flag

Compare: https://github.com/lxc/lxc/compare/55290b833352...4f97fce4b370
[lxc-devel] [lxc/master] cgfs: do not automount if cgroup namespaces are supported
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/846 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === In that case containers will be able to mount cgroup filesystems for themselves as they do on a host. This fixes inability to start systemd based containers on cgns-enabled kernels with cgmanager not running. I've tested debianjessie, busybox, ubuntu trusty and xenial, all of which booted ok. However if there are some setups which require premounted cgroupfs (i.e. they don't mount if they detect being in a container), this may cause trouble. Signed-off-by: Serge Hallyn From f48ef3ae257e98834d2aa2a98c302316bd5adcd3 Mon Sep 17 00:00:00 2001 From: Serge Hallyn Date: Wed, 24 Feb 2016 17:00:35 -0800 Subject: [PATCH] cgfs: do not automount if cgroup namespaces are supported In that case containers will be able to mount cgroup filesystems for themselves as they do on a host. This fixes inability to start systemd based containers on cgns-enabled kernels with cgmanager not running. I've tested debianjessie, busybox, ubuntu trusty and xenial, all of which booted ok. However if there are some setups which require premounted cgroupfs (i.e. they don't mount if they detect being in a container), this may cause trouble. Signed-off-by: Serge Hallyn --- src/lxc/cgfs.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/lxc/cgfs.c b/src/lxc/cgfs.c index d41e74c..97a4e6d 100644 --- a/src/lxc/cgfs.c +++ b/src/lxc/cgfs.c @@ -1356,6 +1356,9 @@ static bool cgroupfs_mount_cgroup(void *hdata, const char *root, int type) struct cgroup_process_info *info, *base_info; int r, saved_errno = 0; + if (cgns_supported()) + return true; + cgfs_d = hdata; if (!cgfs_d) return false; ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
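Review bot: in cgroupfs_mount_cgroup() the new "if (cgns_supported()) return true;" sits above the existing "cgfs_d = hdata; if (!cgfs_d) return false;" check, so on a cgns kernel a NULL hdata is now reported as success, and a cgroup automount requested in the container config is skipped without any log line. Suggest moving the early return below the NULL check and logging at INFO or DEBUG level that the automount was skipped because cgroup namespaces are supported. The commit message itself says images that expect a premounted cgroupfs may break, so a way for such setups to opt back in would be worth considering before this lands.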
[lxc-devel] [lxd/master] websocket: fix panic() on concurrent writes
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1651 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === We were panic()ing sometimes (see below) on current writes. Let's not do that. panic: concurrent write to websocket connection goroutine 429 [running]: github.com/gorilla/websocket.(*Conn).flushFrame(0x504d5a70, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/gorilla/websocket/conn.go:450 +0x516 github.com/gorilla/websocket.(*Conn).NextWriter(0x504d5a70, 0x8, 0x0, 0x0, 0x0, 0x0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/gorilla/websocket/conn.go:378 +0x7c github.com/gorilla/websocket.(*Conn).WriteMessage(0x504d5a70, 0x8, 0x509ac9e0, 0x2, 0x2, 0x0, 0x0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/gorilla/websocket/conn.go:585 +0x37 main.(*migrationFields).disconnect(0x505755c0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/lxc/lxd/lxd/migrate.go:93 +0x1ba main.(*migrationSink).do(0x505755c0, 0x0, 0x0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/lxc/lxd/lxd/migrate.go:638 +0x6ae main.(*migrationSink).(main.do)-fm(0x0, 0x0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/lxc/lxd/lxd/migrate.go:442 +0x2c main.createFromMigration.func1(0x50890070, 0x0, 0x0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/lxc/lxd/lxd/containers_post.go:244 +0x3e3 main.(*operation).Run.func1(0x50890070, 0x50650300) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/lxc/lxd/lxd/operations.go:110 +0x31 created by main.(*operation).Run /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/lxc/lxd/lxd/operations.go:135 +0xe2 Signed-off-by: Tycho Andersen From 83b3ae5be39d461cb58fa1d01067e5e2b0646464 Mon Sep 17 00:00:00 2001 
From: Tycho Andersen Date: Wed, 24 Feb 2016 16:18:15 -0700 Subject: [PATCH] websocket: fix panic() on concurrent writes We were panic()ing sometimes (see below) on current writes. Let's not do that. panic: concurrent write to websocket connection goroutine 429 [running]: github.com/gorilla/websocket.(*Conn).flushFrame(0x504d5a70, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/gorilla/websocket/conn.go:450 +0x516 github.com/gorilla/websocket.(*Conn).NextWriter(0x504d5a70, 0x8, 0x0, 0x0, 0x0, 0x0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/gorilla/websocket/conn.go:378 +0x7c github.com/gorilla/websocket.(*Conn).WriteMessage(0x504d5a70, 0x8, 0x509ac9e0, 0x2, 0x2, 0x0, 0x0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/gorilla/websocket/conn.go:585 +0x37 main.(*migrationFields).disconnect(0x505755c0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/lxc/lxd/lxd/migrate.go:93 +0x1ba main.(*migrationSink).do(0x505755c0, 0x0, 0x0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/lxc/lxd/lxd/migrate.go:638 +0x6ae main.(*migrationSink).(main.do)-fm(0x0, 0x0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/lxc/lxd/lxd/migrate.go:442 +0x2c main.createFromMigration.func1(0x50890070, 0x0, 0x0) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/lxc/lxd/lxd/containers_post.go:244 +0x3e3 main.(*operation).Run.func1(0x50890070, 0x50650300) /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/lxc/lxd/lxd/operations.go:110 +0x31 created by main.(*operation).Run /lxd/build/tmp.39Rjv1YQMz/go/src/github.com/lxc/lxd/lxd/operations.go:135 +0xe2 Signed-off-by: Tycho Andersen --- lxd/migrate.go | 31 +-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/lxd/migrate.go b/lxd/migrate.go index 254ad4d..e6ec1a1 100644 --- a/lxd/migrate.go +++ b/lxd/migrate.go @@ -16,6 +16,7 @@ import ( "path" "path/filepath" "strings" + "sync" "time" "github.com/golang/protobuf/proto" 
@@ -31,6 +32,7 @@ type migrationFields struct { controlSecret string controlConn *websocket.Conn + controlLock sync.Mutex criuSecret string criuConn *websocket.Conn @@ -42,6 +44,19 @@ type migrationFields struct { } func (c *migrationFields) send(m proto.Message) error { + /* gorilla websocket doesn't allow concurrent writes, and +* panic()s if it sees them (which is reasonable). If e.g. we +* happen to fail, get scheduled, start our write, then get +* unscheduled before the write is bit to a new thread which is +* receiving an error from the other side (due to our previous +* close), we can engage in these concurrent writes, which +* casuses the whole daemon to panic. +* +* Instead, let's lock sends to the controlConn so that we only ever +* write one message at the time. +*/ + c.controlLock.Lock() + defer c.controlLock.Unlock() w, err := c.controlConn.NextWriter(websocket.BinaryMessage) if err != nil { return err @@ -85,16 +100,28 @@ func (c *migrationFields) recv(m
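Review bot: the stack trace in the description reaches WriteMessage through migrationFields.disconnect() (migrate.go:93), not through send(), so taking controlLock in send() closes the race only if every other writer on controlConn takes the same lock. The hunk after send() is cut off in this mail; please confirm that disconnect() holds controlLock around its WriteMessage call, and consider routing all control-channel writes through one locked helper so a later caller cannot bypass it. The new comment also has typos ("casuses", "before the write is bit") that make the scenario hard to follow.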
[lxc-devel] [lxd/master] Go tool vet lxc/*.
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1650 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Rene Jochum From a8cb69735dafbd4468cc731c81ac6e27d02553fa Mon Sep 17 00:00:00 2001 From: Rene Jochum Date: Thu, 25 Feb 2016 00:02:04 +0100 Subject: [PATCH] Go tool vet lxc/*. Signed-off-by: Rene Jochum --- lxc/copy.go | 116 +- lxc/list.go | 38 +-- lxc/remote.go | 58 ++--- 3 files changed, 106 insertions(+), 106 deletions(-) diff --git a/lxc/copy.go b/lxc/copy.go index 39e4651..a451919 100644 --- a/lxc/copy.go +++ b/lxc/copy.go 
@@ -84,82 +84,82 @@ func (c *copyCmd) copyContainer(config *lxd.Config, sourceResource string, destR } return source.WaitForSuccess(cp.Operation) - } else { - dest, err := lxd.NewClient(config, destRemote) - if err != nil { - return err - } + } + + dest, err := lxd.NewClient(config, destRemote) + if err != nil { + return err + } + + sourceProfs := shared.NewStringSet(status.Profiles) + destProfs, err := dest.ListProfiles() + if err != nil { + return err + } + + if !sourceProfs.IsSubset(shared.NewStringSet(destProfs)) { + return fmt.Errorf(i18n.G("not all the profiles from the source exist on the target")) + } - sourceProfs := shared.NewStringSet(status.Profiles) - destProfs, err := dest.ListProfiles() + if ephemeral == -1 { + ct, err := source.ContainerInfo(sourceName) if err != nil { return err } - if !sourceProfs.IsSubset(shared.NewStringSet(destProfs)) { - return fmt.Errorf(i18n.G("not all the profiles from the source exist on the target")) + if ct.Ephemeral { + ephemeral = 1 + } else { + ephemeral = 0 } + } - if ephemeral == -1 { - ct, err := source.ContainerInfo(sourceName) - if err != nil { - return err - } - - if ct.Ephemeral { - ephemeral = 1 - } else { - ephemeral = 0 - } - } + sourceWSResponse, err := source.GetMigrationSourceWS(sourceName) + if err != nil { + return err + } - sourceWSResponse, err := source.GetMigrationSourceWS(sourceName) - if err != nil { - return err - } + secrets := map[string]string{} - secrets := map[string]string{} + op, err := sourceWSResponse.MetadataAsOperation() + if err != nil { + return err + } - op, err := sourceWSResponse.MetadataAsOperation() - if err != nil { - return err - } + for k, v := range *op.Metadata { + secrets[k] = v.(string) + } - for k, v := range *op.Metadata { - secrets[k] = v.(string) - } + addresses, err := source.Addresses() + if err != nil { + return err + } - addresses, err := source.Addresses() + /* Since we're trying a bunch of different network ports that +* may be invalid, we can get "bad 
handshake" errors when the +* websocket code tries to connect. If the first error is a +* real error, but the subsequent errors are only network +* errors, we should try to report the first real error. Of +* course, if all the errors are websocket errors, let's just +* report that. +*/ + for _, addr := range addresses { + var migration *lxd.Response + + sourceWSUrl := "https://"; + addr + sourceWSResponse.Operation + migration, err = dest.MigrateFrom(destName, sourceWSUrl, source.Certificate, secrets, status.Architecture, status.Config, status.Devices, status.Profiles, baseImage, ephemeral == 1) if err != nil { - return err + continue } - /* Since we're trying a bunch of different network ports that -* may be invalid, we can get "bad handshake" errors when the -* websocket code tries to connect. If the first error is a -* real error, but the sub
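Review bot: "secrets[k] = v.(string)" in the re-indented block is an unchecked type assertion on operation metadata returned by the source server, so any non-string value panics the client; since the block is being touched anyway, use the two-value form (s, ok := v.(string)) and return an error when ok is false. In the same hunk, fmt.Errorf(i18n.G("not all the profiles ...")) passes a translated string as the format string; errors.New, or an explicit "%s" format, keeps a stray verb in a translation from being interpreted.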
[lxc-devel] [lxd/master] Add upgrade procedure to README
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1649 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Wording can be changed. This was just confusing for me since I thought both binaries ship together in the `lxd` package, however `lxc` is a separate package `lxd-client`. From d8f070310d5e2c303cba838ef417dd7740e4b515 Mon Sep 17 00:00:00 2001 From: Jaime Pillora Date: Thu, 25 Feb 2016 09:30:58 +1100 Subject: [PATCH] Add upgrade procedure to README --- README.md | 7 +++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 378c264..5ef61c1 100644 --- a/README.md +++ b/README.md @@ -119,6 +119,13 @@ this by: lxc remote add local 127.0.0.1:8443 wget --no-check-certificate https://127.0.0.1:8443/1.0 --certificate=$HOME/.config/lxc/client.crt --private-key=$HOME/.config/lxc/client.key -O - -q +## Upgrading + +The `lxd` and `lxc` (`lxd-client`) binaries should be upgraded at the same time with: + +apt-get update +apt-get install lxd lxd-client + ## Support and discussions We use the LXC mailing-lists for developer and user discussions, you can ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
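Review bot: the new "Upgrading" section lists "apt-get update" and "apt-get install lxd lxd-client" without saying that they apply only to package installs on apt-based systems or that they need root. Please state both, and add one sentence on why the two packages should be upgraded together, since the PR description says the split between lxd and lxd-client was the confusing part.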
[lxc-devel] [lxd/master] Export and use the address scope
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1648 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Stéphane Graber From ba613e076ca598a16cc2a7262289c8c8273a31a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Wed, 24 Feb 2016 15:26:45 -0500 Subject: [PATCH] Export and use the address scope MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber --- lxc/list.go | 8 lxd/main.go | 18 ++ shared/container.go | 1 + specs/rest-api.md | 27 ++- 4 files changed, 45 insertions(+), 9 deletions(-) diff --git a/lxc/list.go b/lxc/list.go index 949222e..06b227e 100644 --- a/lxc/list.go +++ b/lxc/list.go @@ -374,6 +374,10 @@ func (c *listCmd) IP4ColumnData(cInfo shared.ContainerInfo, cState *shared.Conta } for _, addr := range net.Addresses { + if shared.StringInSlice(addr.Scope, []string{"link", "local"}) { + continue + } + if addr.Family == "inet" { ipv4s = append(ipv4s, fmt.Sprintf("%s (%s)", addr.Address, netName)) } @@ -394,6 +398,10 @@ func (c *listCmd) IP6ColumnData(cInfo shared.ContainerInfo, cState *shared.Conta } for _, addr := range net.Addresses { + if shared.StringInSlice(addr.Scope, []string{"link", "local"}) { + continue + } + if addr.Family == "inet6" { ipv6s = append(ipv6s, fmt.Sprintf("%s (%s)", addr.Address, netName)) } diff --git a/lxd/main.go b/lxd/main.go index 2a49ecd..5446033 100644 --- a/lxd/main.go +++ b/lxd/main.go 
@@ -871,10 +871,28 @@ func printnet() error { family = "inet6" } + scope := "global" + if strings.HasPrefix(fields[0], "127") { + scope = "local" + } + + if fields[0] == "::1" { + scope = "local" + } + + if strings.HasPrefix(fields[0], "169.254") { + scope = "link" + } + + if strings.HasPrefix(fields[0], "fe80:") { + scope = "link" + } + address := shared.ContainerStateNetworkAddress{} address.Family = family address.Address = fields[0] address.Netmask = fields[1] + address.Scope = scope network.Addresses = append(network.Addresses, address) } diff --git a/shared/container.go b/shared/container.go index b7605b6..58bcd8d 100644 --- a/shared/container.go +++ b/shared/container.go @@ -39,6 +39,7 @@ type ContainerStateNetworkAddress struct { Family string `json:"family"` Address string `json:"address"` Netmask string `json:"netmask"` + Scope string `json:"scope"` } type ContainerStateNetworkCounters struct { diff --git a/specs/rest-api.md b/specs/rest-api.md index fe4b4b5..621aca4 100644 --- a/specs/rest-api.md +++ b/specs/rest-api.md @@ -643,12 +643,14 @@ HTTP code for this should be 202 (Accepted). { "family": "inet", "address": "10.0.3.27", -"netmask": "24" +"netmask": "24", +"scope": "global" }, { "family": "inet6", "address": "fe80::216:3eff:feec:65a8", -"netmask": "64" +"netmask": "64", +"scope": "link" } ], "counters": { @@ -668,12 +670,14 @@ HTTP code for this should be 202 (Accepted). { "family": "inet", "address": "127.0.0.1", -"netmask": "8
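Review bot: in printnet() the scope is derived by string prefix on fields[0]: strings.HasPrefix(fields[0], "127") also matches an IPv6 address whose first group begins with 127, and the "fe80:" prefix covers only part of fe80::/10. Parsing the address with net.ParseIP and using IsLoopback() and IsLinkLocalUnicast() classifies by address range rather than by spelling, and lets a parse failure be handled explicitly. This matters because lxc list now drops "link" and "local" addresses, so a misclassified address silently disappears from the IPv4/IPv6 columns.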
[lxc-devel] [lxc/master] configure.ac: add --enable-deprecated flag
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/844 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === From 880dd6a5f96a222a06d9b803fcb5947e0dec2aa7 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Wed, 24 Feb 2016 00:02:49 +0100 Subject: [PATCH 1/2] mark lxc-clone & lxc-start-ephemeral as deprecated - add deprecation not to man pages - print deprecation info to stderr when the executables are invoked Signed-off-by: Christian Brauner --- doc/lxc-clone.sgml.in | 3 ++- doc/lxc-start-ephemeral.sgml.in | 2 +- src/lxc/lxc-start-ephemeral.in | 4 src/lxc/lxc_clone.c | 2 ++ 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/lxc-clone.sgml.in b/doc/lxc-clone.sgml.in index 42c119c..f134b80 100644 --- a/doc/lxc-clone.sgml.in +++ b/doc/lxc-clone.sgml.in @@ -278,7 +278,8 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Notes -lxc-clone is superseded by lxc-copy. +lxc-clone is deprecated in favor of +lxc-copy. diff --git a/doc/lxc-start-ephemeral.sgml.in b/doc/lxc-start-ephemeral.sgml.in index 6db4059..6831578 100644 --- a/doc/lxc-start-ephemeral.sgml.in +++ b/doc/lxc-start-ephemeral.sgml.in @@ -230,7 +230,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Notes -lxc-start-ephemeral is superseded by +lxc-start-ephemeral is deprecated in favor of lxc-copy. diff --git a/src/lxc/lxc-start-ephemeral.in b/src/lxc/lxc-start-ephemeral.in index 8d33775..b39aaba 100644 --- a/src/lxc/lxc-start-ephemeral.in +++ b/src/lxc/lxc-start-ephemeral.in @@ -36,6 +36,10 @@ import tempfile _ = gettext.gettext gettext.textdomain("lxc-start-ephemeral") +def printstderr(*args): +print("lxc-start-ephemeral is deprecated in favor of lxc-copy\n", *args, file = sys.stderr) + +printstderr() # Other functions def randomMAC(): 
diff --git a/src/lxc/lxc_clone.c b/src/lxc/lxc_clone.c index e88c18b..6bd2226 100644 --- a/src/lxc/lxc_clone.c +++ b/src/lxc/lxc_clone.c @@ -121,6 +121,8 @@ int main(int argc, char *argv[]) int c; bool ret; + fprintf(stderr, "lxc-clone is deprecated in favor of lxc-copy.\n\n"); + if (argc < 3) usage(argv[0]); From 2fb8e25d77c9962cc707b9d5de4f61fd23a7c265 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Wed, 24 Feb 2016 19:28:12 +0100 Subject: [PATCH 2/2] configure.ac: add --enable-deprecated flag - lxc-clone and lxc-start-ephemeral are marked deprecated. We add a --enable-deprecated flag to configure.ac allowing us to enable these deprecated executables - update tests to use lxc-copy instead of lxc-clone Signed-off-by: Christian Brauner --- config/bash/lxc.in | 2 +- configure.ac | 7 +++ doc/Makefile.am| 5 +++-- doc/ja/Makefile.am | 5 +++-- doc/ko/Makefile.am | 5 +++-- src/lxc/Makefile.am| 12 ++-- src/lxc/arguments.h| 2 +- src/tests/lxc-test-cloneconfig | 2 +- src/tests/lxc-test-snapdeps| 4 ++-- src/tests/lxc-test-unpriv | 2 +- 10 files changed, 32 insertions(+), 14 deletions(-) diff --git a/config/bash/lxc.in b/config/bash/lxc.in index 344d5cb..7dcf302 100644 --- a/config/bash/lxc.in +++ b/config/bash/lxc.in @@ -98,6 +98,6 @@ _have lxc-start && { complete -o default -F _lxc_generic_t lxc-create -complete -o default -F _lxc_generic_o lxc-clone +complete -o default -F _lxc_generic_o lxc-copy complete -o default -F _lxc_generic_o lxc-start-ephemeral } diff --git a/configure.ac b/configure.ac index 68d89b2..fd2c569 100644 --- a/configure.ac +++ b/configure.ac 
@@ -147,6 +147,13 @@ if test "x$with_systemdsystemunitdir" != "xno"; then AC_SUBST([SYSTEMD_UNIT_DIR], [$with_systemdsystemunitdir]) fi +# Allow enabling deprecated executables +AC_ARG_ENABLE([deprecated], + [AC_HELP_STRING([--enable-deprecated], + [enable deprecated executables [default=no]])], + [], [enable_deprecated=false]) +AM_CONDITIONAL([ENABLE_DEPRECATED], [test "x$enable_deprecated" = "xyes"]) + # Allow disabling rpath AC_ARG_ENABLE([rpath], [AC_HELP_STRING([--enable-rpath], [set rpath in executables [default=no]])], diff --git a/doc/Makefile.am b/doc/Makefile.am index c309ef8..09ded03 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -21,7 +21,6 @@ man_MANS = \ lxc-cgroup.1 \ lxc-checkconfig.1 \ lxc-checkpoint.1 \ - lxc-clone.1 \ lxc-config.1 \ lxc-console.1 \ lxc-copy.1 \ @@ -50,8 +49,10 @@ man_MANS = \ \ lxc.7 +if ENABLE_DEPRECATED if ENABLE_PYTHON -man_MANS += lxc-start-ephemeral.1 +man_MANS += lxc-start-ephemeral.1 lxc-clone.
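Review bot: In the src/lxc/lxc-start-ephemeral.in hunk, `printstderr(*args)` has a generic name but hard-codes the deprecation text, and it is called exactly once, with no arguments, at module level right after `gettext.textdomain(...)`. The string already ends in "\n" and print() adds its own newline, so the `*args` parameter and the helper itself add nothing; a single `print(..., file=sys.stderr)` at that point would be clearer. The message also lacks the trailing period used by the lxc_clone.c hunk ("lxc-clone is deprecated in favor of lxc-copy.\n\n"); the two notices should read the same.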
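Review bot: In the configure.ac hunk the default branch sets `enable_deprecated=false`, while the help string advertises `[default=no]` and the conditional tests for `"xyes"`. It works only because any value other than `yes` leaves ENABLE_DEPRECATED off. Set the default to `no` so the three agree, and consider rejecting values other than yes and no so that a mistyped `--enable-deprecated=...` does not quietly build without the tools.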
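Review bot: In the doc/Makefile.am hunk, the lxc-clone man page is removed from the unconditional `man_MANS` list and re-added on the `man_MANS += lxc-start-ephemeral.1 ...` line, which sits inside `if ENABLE_PYTHON`. lxc-clone is built from src/lxc/lxc_clone.c and does not need Python, so a build with `--enable-deprecated` but without Python would ship the binary without its man page. Add the lxc-clone page directly under `if ENABLE_DEPRECATED` and keep only lxc-start-ephemeral.1 under the nested Python conditional. The mail is cut off at this point, so the matching `endif` lines cannot be checked here.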
[lxc-devel] [lxd/master] Update lxc.mount.auto based on situation
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1646 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Stéphane Graber From 1373eae0dc7cf1c4638be6a0f9e0ed6809c17441 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Wed, 24 Feb 2016 13:41:45 -0500 Subject: [PATCH] Update lxc.mount.auto based on situation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber --- lxd/container_lxc.go | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go index 08fd352..f2a8dd2 100644 --- a/lxd/container_lxc.go +++ b/lxd/container_lxc.go @@ -285,7 +285,21 @@ func (c *containerLXC) initLXC() error { return err } - err = lxcSetConfigItem(cc, "lxc.mount.auto", "cgroup:mixed proc:mixed sys:mixed") + // Set an appropriate /proc, /sys/ and /sys/fs/cgroup + mounts := []string{} + if c.IsPrivileged() && !runningInUserns { + mounts = append(mounts, "proc:mixed") + mounts = append(mounts, "sys:mixed") + } else { + mounts = append(mounts, "proc:rw") + mounts = append(mounts, "sys:rw") + } + + if !shared.PathExists("/proc/self/ns/cgroup") { + mounts = append(mounts, "cgroup:mixed") + } + + err = lxcSetConfigItem(cc, "lxc.mount.auto", strings.Join(mounts, " ")) if err != nil { return err } ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
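Review bot: The new `else` branch in initLXC() selects `proc:rw` and `sys:rw` for two different situations, unprivileged containers and privileged containers when `runningInUserns` is true, yet the only comment is "Set an appropriate /proc, /sys/ and /sys/fs/cgroup". Because this relaxes the previous unconditional `proc:mixed sys:mixed`, the comment should say why read-write mounts are acceptable in each case and why the `cgroup:mixed` entry is dropped when /proc/self/ns/cgroup exists. The `shared.PathExists("/proc/self/ns/cgroup")` probe also runs on every initLXC() call; computing it once next to `runningInUserns` would keep the two environment checks together.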
[lxc-devel] [lxd/master] shared: export limit parsing function
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1647 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === For other golang clients who want to figure out the memory from a LXD limit in string format from the config, this is useful. Signed-off-by: Tycho Andersen From 83af6cf8a98cff8750085a69951d125648684d36 Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Wed, 24 Feb 2016 11:45:21 -0700 Subject: [PATCH] shared: export limit parsing function For other golang clients who want to figure out the memory from a LXD limit in string format from the config, this is useful. Signed-off-by: Tycho Andersen --- lxd/container.go | 2 +- lxd/container_lxc.go | 6 +++--- lxd/db_update.go | 4 ++-- lxd/devices.go | 51 +++ shared/util.go | 47 +++ 5 files changed, 56 insertions(+), 54 deletions(-) diff --git a/lxd/container.go b/lxd/container.go index 9dc714e..df99790 100644 --- a/lxd/container.go +++ b/lxd/container.go @@ -618,7 +618,7 @@ func containerConfigureInternal(c container) error { continue } - size, err := deviceParseBytes(m["size"]) + size, err := shared.ParseSizeString(m["size"]) if err != nil { return err } diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go index 9983067..241f5fc 100644 --- a/lxd/container_lxc.go +++ b/lxd/container_lxc.go @@ -470,7 +470,7 @@ func (c *containerLXC) initLXC() error { valueInt = int64((memoryTotal / 100) * percent) } else { - valueInt, err = deviceParseBytes(memory) + valueInt, err = shared.ParseSizeString(memory) if err != nil { return err } @@ -1883,7 +1883,7 @@ func (c *containerLXC) Update(args containerArgs, userRequested bool) error { } if m["size"] != oldRootfsSize { - size, err := deviceParseBytes(m["size"]) + size, err := shared.ParseSizeString(m["size"]) if err != nil { undoChanges() return err 
@@ -1986,7 +1986,7 @@ func (c *containerLXC) Update(args containerArgs, userRequested bool) error { memory = fmt.Sprintf("%d", int64((memoryTotal/100)*percent)) } else { - valueInt, err := deviceParseBytes(memory) + valueInt, err := shared.ParseSizeString(memory) if err != nil { undoChanges() return err diff --git a/lxd/db_update.go b/lxd/db_update.go index 579825c..c43ade8 100644 --- a/lxd/db_update.go +++ b/lxd/db_update.go @@ -84,7 +84,7 @@ func dbUpdateFromV18(db *sql.DB) error { value += "B" // Deal with completely broken values - _, err = deviceParseBytes(value) + _, err = shared.ParseSizeString(value) if err != nil { shared.Debugf("Invalid container memory limit, id=%d value=%s, removing.", id, value) _, err = db.Exec("DELETE FROM containers_config WHERE id=?;", id) @@ -121,7 +121,7 @@ func dbUpdateFromV18(db *sql.DB) error { value += "B" // Deal with completely broken values - _, err = deviceParseBytes(value) + _, err = shared.ParseSizeString(value) if err != nil { shared.Debugf("Invalid profile memory limit, id=%d value=%s, removing.", id, value) _, err = db.Exec("DELETE FROM profiles_config WHERE id=?;", id) diff --git a/lxd/devices.go b/lxd/devices.go index 9f54271..770a5dc 100644 --- a/lxd/devices.go +++ b/lxd/devices.go @@ -656,51 +656,6 @@ func deviceParseBits(input string) (int64, error) { return valueInt * multiplicator, nil } -func deviceParseBytes(input string) (int64, error) { - if input == "" { - return 0, nil - } - - if len(input) < 3 { - return -1, fmt.Errorf("Invalid value: %s", input) - } - - // Extract the suffix - suffix := input[len(input)-2:] - - // Extract the value - value := input[0 : len(input)-2] - valueInt, err := strconv.ParseInt(value, 10, 64) - if err != nil { - return -1,
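Review bot: `deviceParseBytes` becomes the exported `shared.ParseSizeString`, so its contract is now public API for the "other golang clients" named in the commit message and needs a doc comment. The removed body returns `0, nil` for an empty string, rejects input shorter than three characters, and treats the last two characters as the suffix; none of that is obvious from the new name. The added shared/util.go side is cut off in this mail, so confirm it carries those rules over unchanged, since dbUpdateFromV18() relies on the parse error to delete invalid memory limits. `deviceParseBits` stays private in lxd/devices.go; say in the commit message whether that asymmetry is intended.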
[lxc-devel] [lxd/master] Allow setting lxc.network.X.ipv{4, 6}[.gateway]
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1645 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === This is absolutely unsupported (just like anything through raw.lxc) but when restricted to only numbered interfaces and only those two keys, this shouldn't conflict with LXD's own network handling. Note that finding the right interface index is left to the user to figure out, LXD doesn't in any way guarantee LXC configuration ordering to be consistent across restarts. Closes #1259 Signed-off-by: Stéphane Graber From 43aad2f61f3b90633d919379ec86b2b1f8f1939b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Wed, 24 Feb 2016 12:25:19 -0500 Subject: [PATCH] Allow setting lxc.network.X.ipv{4,6}[.gateway] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is absolutely unsupported (just like anything through raw.lxc) but when restricted to only numbered interfaces and only those two keys, this shouldn't conflict with LXD's own network handling. Note that finding the right interface index is left to the user to figure out, LXD doesn't in any way guarantee LXC configuration ordering to be consistent across restarts. Closes #1259 Signed-off-by: Stéphane Graber --- lxd/container_lxc.go | 23 --- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go index 9983067..08fd352 100644 --- a/lxd/container_lxc.go +++ b/lxd/container_lxc.go 
@@ -63,13 +63,24 @@ func lxcValidConfig(rawLxc string) error { return fmt.Errorf("Invalid raw.lxc line: %s", line) } + key := strings.ToLower(strings.Trim(membs[0], " \t")) + // Blacklist some keys - if strings.ToLower(strings.Trim(membs[0], " \t")) == "lxc.logfile" { + if key == "lxc.logfile" { return fmt.Errorf("Setting lxc.logfile is not allowed") } - if strings.HasPrefix(strings.ToLower(strings.Trim(membs[0], " \t")), "lxc.network.") { - return fmt.Errorf("Setting lxc.network keys is not allowed") + if strings.HasPrefix(key, "lxc.network.") { + fields := strings.Split(key, ".") + if len(fields) == 4 && shared.StringInSlice(fields[3], []string{"ipv4", "ipv6"}) { + continue + } + + if len(fields) == 5 && shared.StringInSlice(fields[3], []string{"ipv4", "ipv6"}) && fields[4] == "gateway" { + continue + } + + return fmt.Errorf("Only interface-specific ipv4/ipv6 lxc.network keys are allowed") } } @@ -675,6 +686,12 @@ func (c *containerLXC) initLXC() error { return err } } + + err = lxcSetConfigItem(cc, "lxc.network.flags", "up") + if err != nil { + return err + } + if shared.StringInSlice(m["nictype"], []string{"bridged", "physical", "macvlan"}) { err = lxcSetConfigItem(cc, "lxc.network.link", m["parent"]) if err != nil { ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
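Review bot: In lxcValidConfig(), the new allow rule checks `len(fields)`, `fields[3]` and (for the five-field form) `fields[4] == "gateway"`, but never looks at `fields[2]`. The commit message says the exception is limited to numbered interfaces, yet as written a key such as `lxc.network.foo.ipv4`, or one with an empty third field, is accepted too. Check that `fields[2]` parses as a non-negative integer before the `continue`, and add test cases covering both accepted and rejected keys.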
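Review bot: The second hunk makes initLXC() set `lxc.network.flags` to `up` ahead of the nictype check, and the commit message does not mention it. That is a behaviour change in device setup, separate from relaxing the raw.lxc validation; either split it into its own commit or explain in the message why the raw ipv4/ipv6 keys depend on it.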
Re: [lxc-devel] run lxc with another kernel
On Wed, Feb 24, 2016 at 02:25:36PM +, mansour amini wrote:
> Hello
> I want to run my lxc machine with another kernel that my host have it.
> Can I do that?
> Thanks

No, the definition of a container is specifically that it's a system sharing the host's kernel.

--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
[lxc-devel] run lxc with another kernel
Hello
I want to run my lxc machine with another kernel that my host have it.
Can I do that?
Thanks
[lxc-devel] [lxd/master] LXD client API tweaks
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1644 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === This is a bugfix version of @tych0's rebase of @jameinel's branch. Closes #1633 Closes #1643 From d4d4c43397d39921b029785bf5b0158434a5f87f Mon Sep 17 00:00:00 2001 From: John Arbash Meinel Date: Tue, 23 Feb 2016 18:25:13 +0400 Subject: [PATCH 1/7] Rework lxd.NewClient so we don't need a disk cache. This adds a new interface NewClientFromInfo which lets API clients decide how they want to track the information that they need, and just supply that information when they go to connect. NewClient still uses the disk cache, but shares all of the actual setting up of connections via NewClientFromInfo. Signed-off-by: John Arbash Meinel --- client.go | 231 +- shared/network.go | 63 --- 2 files changed, 210 insertions(+), 84 deletions(-) diff --git a/client.go b/client.go index d63c75d..97e2099 100644 --- a/client.go +++ b/client.go @@ -142,7 +142,7 @@ func HoistResponse(r *http.Response, rtype ResponseType) (*Response, error) { return resp, nil } -func readMyCert(configDir string) (string, string, error) { +func ensureMyCert(configDir string) (string, string, error) { certf := path.Join(configDir, "client.crt") keyf := path.Join(configDir, "client.key") 
@@ -153,94 +153,181 @@ func readMyCert(configDir string) (string, string, error) { // NewClient returns a new LXD client. func NewClient(config *Config, remote string) (*Client, error) { - c := Client{ - Config: *config, - Http: http.Client{}, - } - - c.Name = remote - if remote == "" { return nil, fmt.Errorf("A remote name must be provided.") } - if r, ok := config.Remotes[remote]; ok { - if r.Addr[0:5] == "unix:" { - if r.Addr == "unix://" { - r.Addr = fmt.Sprintf("unix:%s", shared.VarPath("unix.socket")) - } - - c.BaseURL = "http://unix.socket"; - c.BaseWSURL = "ws://unix.socket" - c.Transport = "unix" - uDial := func(networ, addr string) (net.Conn, error) { - var err error - var raddr *net.UnixAddr - if r.Addr[7:] == "unix://" { - raddr, err = net.ResolveUnixAddr("unix", r.Addr[7:]) - } else { - raddr, err = net.ResolveUnixAddr("unix", r.Addr[5:]) - } - if err != nil { - return nil, err - } - return net.DialUnix("unix", nil, raddr) - } - c.Http.Transport = &http.Transport{Dial: uDial} - c.websocketDialer.NetDial = uDial - c.Remote = &r - - st, err := c.ServerStatus() + r, ok := config.Remotes[remote] + if !ok { + return nil, fmt.Errorf("unknown remote name: %q", remote) + } + info := ConnectInfo{ + Name: remote, + Addr: r.Addr, + } + if r.Addr[0:5] != "unix:" { + certf, keyf, err := ensureMyCert(config.ConfigDir) + if err != nil { + return nil, err + } + certBytes, err := ioutil.ReadFile(certf) + if err != nil { + return nil, err + } + keyBytes, err := ioutil.ReadFile(keyf) + if err != nil { + return nil, err + } + info.ClientPEMCert = string(certBytes) + info.ClientPEMKey = string(keyBytes) + serverCertPath := config.ServerCertPath(remote) + if shared.PathExists(serverCertPath) { + cert, err := shared.ReadCert(serverCertPath) if err != nil { return nil, err } - c.Certificate = st.Environment.Certificate + + info.ServerPEMCert = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})) + } + } + c, err := NewClientFromInfo(info) + if err != 
nil { + return nil, err + } + c.Config = *config + return c, nil +} + +// ConnectInfo contains the information we need to connect to a specific LXD se
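Review bot: In the rewritten NewClient(), `r.Addr[0:5] != "unix:"` slices the address without a length check, so a remote whose Addr is shorter than five characters panics instead of returning an error. The removed code had the same slice, but since the block is being rewritten anyway, `strings.HasPrefix(r.Addr, "unix:")` is the safer test. The new `unknown remote name: %q` error is also lower-case with no period, unlike "A remote name must be provided." a few lines above; pick one style for both.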
[lxc-devel] [lxd/master] Lxd simple client nomerge
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1643 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === This is just a rebase instead of a merge of #1633 :) From 57d5b5c3b36175425037c13ec123a64099acce8e Mon Sep 17 00:00:00 2001 From: John Arbash Meinel Date: Tue, 23 Feb 2016 18:25:13 +0400 Subject: [PATCH 1/6] Rework lxd.NewClient so we don't need a disk cache. This adds a new interface NewClientFromInfo which lets API clients decide how they want to track the information that they need, and just supply that information when they go to connect. NewClient still uses the disk cache, but shares all of the actual setting up of connections via NewClientFromInfo. Signed-off-by: John Arbash Meinel --- client.go | 231 +- shared/network.go | 63 --- 2 files changed, 210 insertions(+), 84 deletions(-) diff --git a/client.go b/client.go index d63c75d..97e2099 100644 --- a/client.go +++ b/client.go @@ -142,7 +142,7 @@ func HoistResponse(r *http.Response, rtype ResponseType) (*Response, error) { return resp, nil } -func readMyCert(configDir string) (string, string, error) { +func ensureMyCert(configDir string) (string, string, error) { certf := path.Join(configDir, "client.crt") keyf := path.Join(configDir, "client.key") 
@@ -153,94 +153,181 @@ func readMyCert(configDir string) (string, string, error) { // NewClient returns a new LXD client. func NewClient(config *Config, remote string) (*Client, error) { - c := Client{ - Config: *config, - Http: http.Client{}, - } - - c.Name = remote - if remote == "" { return nil, fmt.Errorf("A remote name must be provided.") } - if r, ok := config.Remotes[remote]; ok { - if r.Addr[0:5] == "unix:" { - if r.Addr == "unix://" { - r.Addr = fmt.Sprintf("unix:%s", shared.VarPath("unix.socket")) - } - - c.BaseURL = "http://unix.socket"; - c.BaseWSURL = "ws://unix.socket" - c.Transport = "unix" - uDial := func(networ, addr string) (net.Conn, error) { - var err error - var raddr *net.UnixAddr - if r.Addr[7:] == "unix://" { - raddr, err = net.ResolveUnixAddr("unix", r.Addr[7:]) - } else { - raddr, err = net.ResolveUnixAddr("unix", r.Addr[5:]) - } - if err != nil { - return nil, err - } - return net.DialUnix("unix", nil, raddr) - } - c.Http.Transport = &http.Transport{Dial: uDial} - c.websocketDialer.NetDial = uDial - c.Remote = &r - - st, err := c.ServerStatus() + r, ok := config.Remotes[remote] + if !ok { + return nil, fmt.Errorf("unknown remote name: %q", remote) + } + info := ConnectInfo{ + Name: remote, + Addr: r.Addr, + } + if r.Addr[0:5] != "unix:" { + certf, keyf, err := ensureMyCert(config.ConfigDir) + if err != nil { + return nil, err + } + certBytes, err := ioutil.ReadFile(certf) + if err != nil { + return nil, err + } + keyBytes, err := ioutil.ReadFile(keyf) + if err != nil { + return nil, err + } + info.ClientPEMCert = string(certBytes) + info.ClientPEMKey = string(keyBytes) + serverCertPath := config.ServerCertPath(remote) + if shared.PathExists(serverCertPath) { + cert, err := shared.ReadCert(serverCertPath) if err != nil { return nil, err } - c.Certificate = st.Environment.Certificate + + info.ServerPEMCert = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})) + } + } + c, err := NewClientFromInfo(info) + if err != 
nil { + return nil, err + } + c.Config = *config + return c, nil +} + +// ConnectInfo contains the information we need to connect to a specific LXD server +type ConnectInfo struct { + //
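Review bot: In NewClient(), `info.ServerPEMCert` is filled only when `shared.PathExists(serverCertPath)` is true, and the client key travels as a plain string in `info.ClientPEMKey`. The `ConnectInfo` doc comment should state what an empty ServerPEMCert means for server certificate verification in NewClientFromInfo(), because API clients that bypass the disk cache now make that trust decision themselves, and it should note that ClientPEMKey holds private key material the caller has to protect. The struct definition is cut off in this mail, so the existing field comments cannot be checked here.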
[lxc-devel] [lxd/master] tests: get rid of commented out code
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/1642 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Rather than go through another review cycle, here's my only comment for PR #1641. Signed-off-by: Tycho Andersen From b4aa90acd2de296a5941b0eb4b475ef6c32a7629 Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Wed, 24 Feb 2016 07:45:36 -0700 Subject: [PATCH] tests: get rid of commented out code Rather than go through another review cycle, here's my only comment for PR #1641. Signed-off-by: Tycho Andersen --- shared/util_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/shared/util_test.go b/shared/util_test.go index ef0209a..33e12b7 100644 --- a/shared/util_test.go +++ b/shared/util_test.go @@ -91,7 +91,6 @@ func TestReadLastNLines(t *testing.T) { t.Error(err) return } - // fmt.Println(lines) split = strings.Split(lines, "\n") for i := 0; i < 100; i++ {
[lxc-devel] [lxc/lxc] b6acc6: doc: Update Japanese lxc-attach(1)
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: b6acc629c0094fed0e451694e7a07a926847972b
https://github.com/lxc/lxc/commit/b6acc629c0094fed0e451694e7a07a926847972b
Author: KATOH Yasufumi
Date: 2016-02-24 (Wed, 24 Feb 2016)
Changed paths:
M doc/ja/lxc-attach.sgml.in
Log Message:
---
doc: Update Japanese lxc-attach(1)

Update for commit e986ea3

Signed-off-by: KATOH Yasufumi

Commit: 23a3ea07e85565e2280a86fbbfe2dc6bc955c6ac
https://github.com/lxc/lxc/commit/23a3ea07e85565e2280a86fbbfe2dc6bc955c6ac
Author: KATOH Yasufumi
Date: 2016-02-24 (Wed, 24 Feb 2016)
Changed paths:
M doc/ja/lxc-clone.sgml.in
M doc/ja/lxc-start-ephemeral.sgml.in
Log Message:
---
doc: Update Japanese lxc-clone(1) and lxc-start-ephemeral(1)

Update for commit 02e5d92

Signed-off-by: KATOH Yasufumi

Commit: 55290b833352eed66ff48dc3925955e14436ea05
https://github.com/lxc/lxc/commit/55290b833352eed66ff48dc3925955e14436ea05
Author: Christian Brauner
Date: 2016-02-24 (Wed, 24 Feb 2016)
Changed paths:
M doc/ja/lxc-attach.sgml.in
M doc/ja/lxc-clone.sgml.in
M doc/ja/lxc-start-ephemeral.sgml.in
Log Message:
---
Merge pull request #843 from tenforward/japanese_man

Update Japanese man

Compare: https://github.com/lxc/lxc/compare/e60242adf9c7...55290b833352
[lxc-devel] [lxc/master] Update Japanese man
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/843 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Update * lxc-attach(1) * lxc-clone(1) * lxc-start-ephemeral(1) From b6acc629c0094fed0e451694e7a07a926847972b Mon Sep 17 00:00:00 2001 From: KATOH Yasufumi Date: Wed, 24 Feb 2016 18:04:05 +0900 Subject: [PATCH 1/2] doc: Update Japanese lxc-attach(1) Update for commit e986ea3 Signed-off-by: KATOH Yasufumi --- doc/ja/lxc-attach.sgml.in | 39 +++ 1 file changed, 39 insertions(+) diff --git a/doc/ja/lxc-attach.sgml.in b/doc/ja/lxc-attach.sgml.in index 6ebc03c..7c668ee 100644 --- a/doc/ja/lxc-attach.sgml.in +++ b/doc/ja/lxc-attach.sgml.in @@ -91,6 +91,30 @@ by KATOH Yasufumi もし command が指定されていない場合、lxc-attach コマンドを実行したユーザのデフォルトシェルをコンテナ内で調べて実行します。 もしコンテナ内にユーザが存在しない場合や、コンテナで nsswitch 機構が働いていない場合はこの動作は失敗します。 + + + 前のバージョンの lxc-attach は、単に指定したコンテナの名前空間にアタッチし、擬似端末 (pseudo terminal) なしで、シェルもしくは指定したコマンドを実行しました。 + これは、異なる特権レベルを持つユーザ空間の実行コンテキストを切り替えた後に、TIOCSTI ioctl の呼び出し経由で擬似入力を行うことに対して脆弱となります。 + 新しいバージョンの lxc-attach は、擬似端末のマスター/スレーブのペアを割り当てようとします。そしてシェルやコマンドを実行する前に、擬似端末のスレーブ側に対して、ターミナルを参照する標準ファイルディスクリプタをアタッチします。 + lxc-attach は、最初にコンテナ内の擬似端末を割り当てようとします。これが失敗した場合、最終的に処理を諦める前に、ホスト上の擬似端末を割り当てようとします。 + ターミナルを参照する標準ファイルディスクリプタがない場合は、lxc-attach は擬似端末の割り当てを行わないことに注意してください。代わりに、単にコンテナの名前空間にアタッチし、シェルや指定したコマンドを実行します。 + 
@@ -418,6 +442,21 @@ by KATOH Yasufumi これにより、アタッチするプロセスのネットワーク/pid 名前空間のコンテキストを反映させることができます。ホストの実際のファイルシステムに影響を与えないために、実行前にはマウント名前空間は unshare されます (lxc-unshare のように)。 これは、/proc と /sys ファイルシステム以外はホストのマウント名前空間と同じである、新しいマウント名前空間がプロセスに与えられるということです。 + + + 以前のバージョンの lxc-attach は、いくつかの重要なサブシステムに対して、書き込み可能な cgroup 内に配置することなしに、ユーザがコンテナの名前空間にアタッチできたバグがありました。 + 新しいバージョンの lxc-attach は、このような重要なサブシステムに対して、ユーザが書き込み可能な cgroup 内にいるかどうかをチェックします。 + したがって、ユーザによっては lxc-attach は不意に失敗するかもしれません (例えば、非特権ユーザが、ログイン時に重要であるサブシステムの書き込み可能な cgroup に配置されていないようなシステムで)。しかし、この振る舞いは正しく、よりセキュアです。 + From 23a3ea07e85565e2280a86fbbfe2dc6bc955c6ac Mon Sep 17 00:00:00 2001 From: KATOH Yasufumi Date: Wed, 24 Feb 2016 18:04:40 +0900 Subject: [PATCH 2/2] doc: Update Japanese lxc-clone(1) and lxc-start-ephemeral(1) Update for commit 02e5d92 Signed-off-by: KATOH Yasufumi --- doc/ja/lxc-clone.sgml.in | 10 ++ doc/ja/lxc-start-ephemeral.sgml.in | 11 +++ 2 files changed, 21 insertions(+) diff --git a/doc/ja/lxc-clone.sgml.in b/doc/ja/lxc-clone.sgml.in index 23e5dc7..ef6bdf7 100644 --- a/doc/ja/lxc-clone.sgml.in +++ b/doc/ja/lxc-clone.sgml.in @@ -348,6 +348,16 @@ by KATOH Yasufumi + +注意 + + + lxc-copy が lxc-clone の後継コマンドとなります。 + + + &seealso; diff --git a/doc/ja/lxc-start-ephemeral.sgml.in b/doc/ja/lxc-start-ephemeral.sgml.in index 0fb6738..b54a06f 100644 --- a/doc/ja/lxc-start-ephemeral.sgml.in +++ b/doc/ja/lxc-start-ephemeral.sgml.in @@ -279,6 +279,17 @@ by KATOH Yasufumi + +注意 + + + lxc-copy が lxc-start-ephemeral コマンドの後継コマンドとなります。 + + + &seealso; ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
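Review bot: The two paragraphs added to doc/ja/lxc-attach.sgml.in refer to earlier releases in different words: the first hunk opens with 「前のバージョンの lxc-attach」 and the second with 「以前のバージョンの lxc-attach」. Both translate the same idea, so use one form in both places to keep the page's terminology consistent.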