[lxc-devel] [PATCH 0/3] lxc-debian: some improvements
The first patch defines a default password for root. The two following ones are copied from lxc-ubuntu to allow flushing the cache and to support btrfs snapshots of the cache. Laurent Vivier (3): lxc-debian: define a password for root lxc-debian: add --flush-cache lxc-debian: add btrfs support templates/lxc-debian.in | 73 - 1 file changed, 66 insertions(+), 7 deletions(-) -- 2.5.5 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [PATCH 3/3] lxc-debian: add btrfs support
copied from lxc-ubuntu.in Signed-off-by: Laurent Vivier --- templates/lxc-debian.in | 55 - 1 file changed, 50 insertions(+), 5 deletions(-) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 6c4eb81..f620fb8 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -257,10 +257,45 @@ configure_debian_systemd() return 0 } +# Check if given path is in a btrfs partition +is_btrfs() +{ +[ -e $1 -a $(stat -f -c '%T' $1) = "btrfs" ] +} + +# Check if given path is the root of a btrfs subvolume +is_btrfs_subvolume() +{ +[ -d $1 -a $(stat -f -c '%T' $1) = "btrfs" -a $(stat -c '%i' $1) -eq 256 ] +} + +try_mksubvolume() +{ +path=$1 +[ -d $path ] && return 0 +mkdir -p $(dirname $path) +if which btrfs >/dev/null 2>&1 && is_btrfs $(dirname $path); then +btrfs subvolume create $path +else +mkdir -p $path +fi +} + +try_rmsubvolume() +{ +path=$1 +[ -d $path ] || return 0 +if which btrfs >/dev/null 2>&1 && is_btrfs_subvolume $path; then +btrfs subvolume delete $path +else +rm -rf $path +fi +} + cleanup() { -rm -rf $cache/partial-$release-$arch -rm -rf $cache/rootfs-$release-$arch +try_rmsubvolume $cache/partial-$release-$arch +try_rmsubvolume $cache/rootfs-$release-$arch } download_debian() @@ -306,7 +341,7 @@ openssh-server | gpg --import --no-default-keyring --keyring=${releasekeyring} fi # check the mini debian was not already downloaded -mkdir -p "$cache/partial-$release-$arch" +try_mksubvolume "$cache/partial-$release-$arch" if [ $? -ne 0 ]; then echo "Failed to create '$cache/partial-$release-$arch' directory" return 1 
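Review bot: `try_rmsubvolume` runs `rm -rf $path` with `$path` unquoted, and its guard `[ -d $path ]` is unquoted too, so a cache path containing whitespace is split into several `rm -rf` targets and an empty `$path` turns the guard into `[ -d ]`, which is true and does not return early as intended. Since `$cache` comes from the `LXC_CACHE_PATH` argument passed to `install_debian` (visible in patch 2/3), quoting matters here even though the helpers are copied from lxc-ubuntu. Suggest `[ -d "$path" ] || return 0` and `rm -rf -- "${path:?}"`, and likewise quote `$1` in `is_btrfs` and `is_btrfs_subvolume`. `btrfs subvolume delete` on a subvolume that still contains nested subvolumes would fail rather than fall through to `rm -rf`; whether the cache can hold nested subvolumes is not visible here.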
@@ -362,8 +397,18 @@ copy_debian() # make a local copy of the minidebian echo -n "Copying rootfs to $rootfs..." -mkdir -p $rootfs -rsync -Ha "$cache/rootfs-$release-$arch"/ $rootfs/ || return 1 +try_mksubvolume $rootfs +if which btrfs >/dev/null 2>&1 && \ + is_btrfs_subvolume "$cache/rootfs-$release-$arch" && \ + is_btrfs_subvolume $rootfs; then + realrootfs=$(dirname $config)/rootfs + [ "$rootfs" = "$realrootfs" ] || umount $rootfs || return 1 + btrfs subvolume delete $realrootfs || return 1 + btrfs subvolume snapshot "$cache/rootfs-$release-$arch" $realrootfs || return 1 + [ "$rootfs" = "$realrootfs" ] || mount --bind $realrootfs $rootfs || return 1 +else +rsync -Ha "$cache/rootfs-$release-$arch"/ $rootfs/ || return 1 +fi return 0 } -- 2.5.5 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
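Review bot: The rsync fallback kept on the `else` branch still uses `rsync -Ha`, which does not carry ACLs or extended attributes, while the new `btrfs subvolume snapshot` branch preserves everything in the cache; the sibling thread on this page ("file-based capabilities are lost") traces exactly that loss to `-Ha` and moves the templates to `rsync -SHaAX`. Containers created on btrfs would therefore keep file capabilities that containers created on any other filesystem lose, a surprising difference for the same template. Suggest `rsync -SHaAX "$cache/rootfs-$release-$arch"/ "$rootfs"/ || return 1` in the fallback. `realrootfs` is derived from `$config`, which is set outside this hunk, and the return of `try_mksubvolume $rootfs` is not checked before the branch; copy_debian's body begins outside the hunk.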
[lxc-devel] [PATCH 1/3] lxc-debian: define a password for root
Signed-off-by: Laurent Vivier --- templates/lxc-debian.in | 4 1 file changed, 4 insertions(+) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 56953b6..5dc4e0b 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -163,6 +163,10 @@ EOF echo "Timezone in container is not configured. Adjust it manually." fi +echo "root:root" | chroot $rootfs chpasswd +chroot $rootfs passwd -e root +echo "Root password is 'root', please change !" + return 0 } -- 2.5.5 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
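Review bot: The added lines set the well-known password `root:root` on every container built by the template; `passwd -e root` forces a change at the first interactive login, but that does not help if the container is reachable over the network before anyone logs in and a service inside it accepts password logins for root (the hunk header in patch 3/3 suggests openssh-server is among the packages installed). A per-container random password printed once is the safer default, e.g. `password=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16)`, `echo "root:$password" | chroot "$rootfs" chpasswd` and `echo "Root password is '$password', please change !"`. The exit status of `chpasswd` and of `passwd -e` is also not checked, so a failure leaves the account silently in whatever state it was in; the enclosing function starts and ends outside this hunk.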
[lxc-devel] [PATCH 2/3] lxc-debian: add --flush-cache
copied from lxc-ubuntu.in Signed-off-by: Laurent Vivier --- templates/lxc-debian.in | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 5dc4e0b..6c4eb81 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in @@ -375,6 +375,7 @@ install_debian() cache="$4/debian" interpreter="$5" interpreter_path="$6" +flushcache=$7 mkdir -p $LOCALSTATEDIR/lock/subsys/ ( flock -x 9 @@ -383,6 +384,11 @@ install_debian() return 1 fi +if [ $flushcache -eq 1 ]; then +echo "Flushing cache..." +cleanup +fi + echo "Checking cache download in $cache/rootfs-$release-$arch ... " if [ ! -e "$cache/rootfs-$release-$arch" ]; then download_debian $cache $arch $release "$interpreter" "$interpreter_path" @@ -547,6 +553,7 @@ Usage: $1 -h|--help -p|--path= [-c|--clean] [-a|--arch=] [-r|--relea [--mirror=] [--security-mirror=] [--package=] [-I|--interpreter-path=] + [-F | --flush-cache] Options : @@ -567,6 +574,7 @@ Options : --enable-non-free include also Debian's contrib and non-free repositories. -I|--interpreter-path=INTERPRETER-PATH Path of the binfmt interpreter to copy to the rootfs + -F | --flush-cache Flush the debian release cache Environment variables: @@ -579,7 +587,7 @@ EOF return 0 } -options=$(getopt -o hp:n:a:r:cI: -l arch:,clean,help,enable-non-free,mirror:,name:,packages:,path:,release:,rootfs:,security-mirror:,interpreter-path: -- "$@") +options=$(getopt -o hp:n:a:r:cI:F -l arch:,clean,help,enable-non-free,mirror:,name:,packages:,path:,release:,rootfs:,security-mirror:,interpreter-path:,flush-cache -- "$@") if [ $? -ne 0 ]; then usage $(basename $0) exit 1 @@ -596,6 +604,7 @@ elif [ "$arch" = "armv7l" ]; then fi hostarch=$arch mainonly=1 +flushcache=0 while true do @@ -615,6 +624,7 @@ do -r|--release) release=$2; shift 2;; --rootfs) rootfs=$2; shift 2;; --security-mirror) SECURITY_MIRROR=$2; shift 2;; +-F|--flush-cache) flushcache=1; shift 1;; *)break ;; esac done 
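Review bot: `flushcache=$7` followed by `if [ $flushcache -eq 1 ]` breaks if `install_debian` is called with six arguments, as it was before this patch: an empty `$flushcache` makes the test `[ -eq 1 ]`, which fails with an error instead of evaluating to false. Defaulting the parameter, `flushcache=${7:-0}`, and quoting it in the test, `if [ "$flushcache" -eq 1 ]; then`, keeps the function safe for both call shapes. The `cleanup` call sits after the `flock -x 9` line, so the cache removal happens under the same lock as the download, which looks right; install_debian continues outside the hunk.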
@@ -701,7 +711,7 @@ else num_tty=4 fi -install_debian $rootfs $release $arch $LXC_CACHE_PATH "$interpreter" "$interpreter_path" +install_debian $rootfs $release $arch $LXC_CACHE_PATH "$interpreter" "$interpreter_path" $flushcache if [ $? -ne 0 ]; then echo "failed to install debian" exit 1 -- 2.5.5 ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxd/master] Bugfixes
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2130 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === From b2039dd030efb39ef011df51ee90aaf81d838e63 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Thu, 16 Jun 2016 15:56:59 -0400 Subject: [PATCH 1/4] Fail to add an existing certificate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber --- lxd/certificates.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lxd/certificates.go b/lxd/certificates.go index a0502aa..f40ae02 100644 --- a/lxd/certificates.go +++ b/lxd/certificates.go @@ -141,7 +141,7 @@ func certificatesPost(d *Daemon, r *http.Request) Response { fingerprint := certGenerateFingerprint(cert) for _, existingCert := range d.clientCerts { if fingerprint == certGenerateFingerprint(&existingCert) { - return EmptySyncResponse + return BadRequest(fmt.Errorf("Certificate already in trust store")) } } From 8555723c814bc0b00b03ad8213cfb9d73819ca77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Thu, 16 Jun 2016 16:25:13 -0400 Subject: [PATCH 2/4] Fix failure to restore on btrfs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #2058 Signed-off-by: Stéphane Graber --- lxd/storage_btrfs.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lxd/storage_btrfs.go b/lxd/storage_btrfs.go index 2710c0c..f1b6a7d 100644 --- a/lxd/storage_btrfs.go +++ b/lxd/storage_btrfs.go @@ -249,7 +249,7 @@ func (s *storageBtrfs) ContainerRestore( } else { // Remove the backup, we made if s.isSubvolume(sourceBackupPath) { - return s.subvolDelete(sourceBackupPath) + return s.subvolsDelete(sourceBackupPath) } os.RemoveAll(sourceBackupPath) } 
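Review bot: The `os.RemoveAll(sourceBackupPath)` on the context line right after the changed `return` discards its error, so when the backup is a plain directory a failed removal is silent, while the subvolume branch above now reports failure through `subvolsDelete`. If the removal is meant to be checked, `if err := os.RemoveAll(sourceBackupPath); err != nil { return err }` makes the two branches consistent; if it is deliberately best-effort, a log line and a comment saying so would stop the next reader from "fixing" it. ContainerRestore's body continues outside the hunk.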
From 129040d89359484376808fe8e542ea8aa993db16 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Thu, 16 Jun 2016 16:40:08 -0400 Subject: [PATCH 3/4] Set Location on sync POST requests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #2092 Signed-off-by: Stéphane Graber --- lxd/certificates.go | 17 - lxd/images.go | 4 ++-- lxd/profiles.go | 4 ++-- lxd/response.go | 10 ++ 4 files changed, 22 insertions(+), 13 deletions(-) diff --git a/lxd/certificates.go b/lxd/certificates.go index f40ae02..021b48f 100644 --- a/lxd/certificates.go +++ b/lxd/certificates.go @@ -96,20 +96,25 @@ func saveCert(d *Daemon, host string, cert *x509.Certificate) error { } func certificatesPost(d *Daemon, r *http.Request) Response { + // Parse the request req := certificatesPostBody{} - if err := shared.ReadToJSON(r.Body, &req); err != nil { return BadRequest(err) } + // Access check + if !d.isTrustedClient(r) && d.PasswordCheck(req.Password) != nil { + return Forbidden + } + if req.Type != "client" { return BadRequest(fmt.Errorf("Unknown request type %s", req.Type)) } + // Extract the certificate var cert *x509.Certificate var name string if req.Certificate != "" { - data, err := base64.StdEncoding.DecodeString(req.Certificate) if err != nil { return BadRequest(err) @@ -120,9 +125,7 @@ func certificatesPost(d *Daemon, r *http.Request) Response { return BadRequest(err) } name = req.Name - } else if r.TLS != nil { - if len(r.TLS.PeerCertificates) < 1 { return BadRequest(fmt.Errorf("No client certificate provided")) } @@ -145,10 +148,6 @@ func certificatesPost(d *Daemon, r *http.Request) Response { } } - if !d.isTrustedClient(r) && d.PasswordCheck(req.Password) != nil { - return Forbidden - } - err := saveCert(d, name, cert) if err != nil { return SmartError(err) 
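Review bot: Moving the trust/password check to directly after `ReadToJSON` means the base64 decode and X.509 parse of `req.Certificate` now run only for trusted clients or callers holding the password, which is the right order for data that comes from an unauthenticated request; it deserves a comment so a later refactor does not push it back down, e.g. `// Access check first: the certificate below is untrusted input and must not be parsed before auth`. A side effect is that an untrusted caller now gets `Forbidden` even for an unknown `req.Type`, which is fine but differs from the previous ordering and is worth a line in the commit message. certificatesPost continues past this hunk.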
@@ -156,7 +155,7 @@ func certificatesPost(d *Daemon, r *http.Request) Response { d.clientCerts = append(d.clientCerts, *cert) - return EmptySyncResponse + return SyncResponseLocation(true, nil, fmt.Sprintf("/%s/certificates/%s", shared.APIVersion, fingerprint)) } var certificatesCmd = Command{ diff --git a/lxd/images.go b/lxd/images.go index 8118d8f..b5d8e31 100644 --- a/lxd/images.go +++ b/lxd/images.go @@ -1093,7 +1093,7 @@ func aliasesPost
[lxc-devel] [lxd/master] Implement ETag support
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2129 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Closes #120 Signed-off-by: Stéphane Graber From 771194b6d95a7b913565bce8a6314eb15d21abab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Thu, 16 Jun 2016 12:17:52 -0400 Subject: [PATCH] Implement ETag support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #120 Signed-off-by: Stéphane Graber --- doc/api_extensions.md | 13 + doc/rest-api.md | 10 +- lxd/api_1.0.go| 9 +++-- lxd/container.go | 2 +- lxd/container_get.go | 4 ++-- lxd/container_lxc.go | 13 - lxd/container_put.go | 8 lxd/container_snapshot.go | 4 ++-- lxd/containers_get.go | 2 +- lxd/images.go | 38 ++ lxd/profiles.go | 20 +--- lxd/response.go | 28 +++- lxd/util.go | 30 ++ 13 files changed, 139 insertions(+), 42 deletions(-) diff --git a/doc/api_extensions.md b/doc/api_extensions.md index 7f05af5..567c1a6 100644 --- a/doc/api_extensions.md +++ b/doc/api_extensions.md @@ -46,3 +46,16 @@ It is a timestamp of the last time the container was started. If a container has been created but not started yet, last\_used\_at field will be 1970-01-01T00:00:00Z + +## etag +Add support for the ETag header on all relevant endpoints. + +This adds the following HTTP header on answers to GET: + - ETag (SHA-256 of user modifiable content) + +And adds support for the following HTTP header on PUT requests: + - If-Match (ETag value retrieved through previous GET) + +This makes it possible to GET a LXD object, modify it and PUT it without +risking to hit a race condition where LXD or another client modified the +object in the mean time. diff --git a/doc/rest-api.md b/doc/rest-api.md index a1390cc..b617b35 100644 --- a/doc/rest-api.md +++ b/doc/rest-api.md 
@@ -257,7 +257,7 @@ Return value (if guest or untrusted): "public": false,# Whether the server should be treated as a public (read-only) remote by the client } -### PUT +### PUT (ETag supported) * Description: Updates the server configuration or other properties * Authentication: trusted * Operation: sync @@ -557,7 +557,7 @@ Output: } -### PUT +### PUT (ETag supported) * Description: update container configuration or restore snapshot * Authentication: trusted * Operation: async @@ -1231,7 +1231,7 @@ Input (none at present): HTTP code for this should be 202 (Accepted). -### PUT +### PUT (ETag supported) * Description: Updates the image properties * Authentication: trusted * Operation: sync @@ -1335,7 +1335,7 @@ Output: "target": "c9b6e738fae75286d52f497415463a8ecc61bbcb046536f220d797b0e500a41f" } -### PUT +### PUT (ETag supported) * Description: Updates the alias target or description * Authentication: trusted * Operation: sync @@ -1537,7 +1537,7 @@ Output: } } -### PUT +### PUT (ETag supported) * Description: update the profile * Authentication: trusted * Operation: sync diff --git a/lxd/api_1.0.go b/lxd/api_1.0.go index 6ede473..45306ec 100644 --- a/lxd/api_1.0.go +++ b/lxd/api_1.0.go @@ -60,6 +60,7 @@ func api10Get(d *Daemon, r *http.Request) Response { "container_syscall_filtering", "auth_pki", "container_last_used_at", + "etag", }, "api_status": "stable", @@ -148,7 +149,7 @@ func api10Get(d *Daemon, r *http.Request) Response { body["public"] = false } - return SyncResponse(true, body) + return SyncResponseETag(true, body, body["config"]) } type apiPut struct { @@ -161,8 +162,12 @@ func api10Put(d *Daemon, r *http.Request) Response { return InternalError(err) } - req := apiPut{} + err = etagCheck(r, oldConfig) + if err != nil { + return PreconditionFailed(err) + } + req := apiPut{} if err := shared.ReadToJSON(r.Body, &req); err != nil { return BadRequest(err) } diff --git a/lxd/container.go b/lxd/container.go index f4a6307..ecd74e1 100644 --- a/lxd/container.go 
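Review bot: `etagCheck(r, oldConfig)` runs before the request body is read, but nothing in the hunk holds a lock between that check and the eventual write of the new config, so two PUTs carrying the same valid If-Match can both pass and the second silently overwrites the first; the api_extensions.md text in this PR says the race is avoided, which is only true if the check and the update are serialised. If the daemon does hold a lock around the update (not visible here), a comment at the check would make that dependency explicit: `// If-Match is compared against oldConfig; the update below relies on the daemon lock to keep check-then-write atomic — TODO confirm`. api10Put continues outside the hunk.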
+++ b/lxd/container.go @@ -402,7 +402,7 @@ type container interface { Exec(command []string, env map[string]string, stdin *os.File, stdout *os.File, stderr *os.File) (int, error) // Status - Render() (interface{}, error) + Render() (interface{}, interface{}, error) RenderState() (*shared.Container
[lxc-devel] [lxd/master] similar to lxc delete, add a -f shortcut to lxc stop
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2128 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Tycho Andersen From 3c55598a3a45a1cfea32aebb6eae72b2ba1f4745 Mon Sep 17 00:00:00 2001 From: Tycho Andersen Date: Thu, 16 Jun 2016 08:32:00 -0600 Subject: [PATCH] similar to lxc delete, add a -f shortcut to lxc stop Signed-off-by: Tycho Andersen --- lxc/action.go | 1 + 1 file changed, 1 insertion(+) diff --git a/lxc/action.go b/lxc/action.go index 1cf6a13..dfb3044 100644 --- a/lxc/action.go +++ b/lxc/action.go @@ -34,6 +34,7 @@ lxc %s [...]`), c.name, c.name) func (c *actionCmd) flags() { if c.hasTimeout { gnuflag.IntVar(&c.timeout, "timeout", -1, i18n.G("Time to wait for the container before killing it.")) + gnuflag.BoolVar(&c.force, "f", false, i18n.G("Force the container to shutdown.")) gnuflag.BoolVar(&c.force, "force", false, i18n.G("Force the container to shutdown.")) } gnuflag.BoolVar(&c.stateful, "stateful", false, i18n.G("Store the container state (only for stop).")) ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
Re: [lxc-devel] lxc-create: file-based capabilities are lost
Hi Serge, On 06/15/16 19:00, Serge E. Hallyn wrote: > Quoting Harald Dunkel (harald.dun...@aixigo.de): >> >> Using "rsync -SHaAX" in lxc-debian it works (on Jessie). >> Attached you can find a suggested patch for all (lxc 1.1.5). > > Thanks this looks good. Do you mind sending a signed-off-by? > See attachment. This change is based upon the stable-1.1 branch. I kicked out one of the changes of my previous post, though. The fedora template uses rsync on squashfs. This is too hot for me to touch. Regards Harri From b6c4371f038013121a753080ad9062f1896566f8 Mon Sep 17 00:00:00 2001 From: Harald Dunkel Date: Thu, 16 Jun 2016 11:26:03 +0200 Subject: [PATCH] use "rsync -SHaAX" to copy the cached rootfs into place Signed-off-by: Harald Dunkel --- templates/lxc-altlinux.in | 2 +- templates/lxc-centos.in | 2 +- templates/lxc-debian.in | 2 +- templates/lxc-fedora.in | 2 +- templates/lxc-openmandriva.in | 2 +- templates/lxc-opensuse.in | 2 +- templates/lxc-ubuntu.in | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/templates/lxc-altlinux.in b/templates/lxc-altlinux.in index 8b4168c..3412772 100644 --- a/templates/lxc-altlinux.in +++ b/templates/lxc-altlinux.in @@ -208,7 +208,7 @@ copy_altlinux() #cp -a $cache/rootfs-$arch $rootfs_path || return 1 # i prefer rsync (no reason really) mkdir -p $rootfs_path -rsync -Ha $cache/rootfs/ $rootfs_path/ +rsync -SHaAX $cache/rootfs/ $rootfs_path/ return 0 } diff --git a/templates/lxc-centos.in b/templates/lxc-centos.in index 1a27cd3..1e04b10 100644 --- a/templates/lxc-centos.in +++ b/templates/lxc-centos.in @@ -512,7 +512,7 @@ copy_centos() #cp -a $cache/rootfs-$arch $rootfs_path || return 1 # i prefer rsync (no reason really) mkdir -p $rootfs_path -rsync -a $cache/rootfs/ $rootfs_path/ +rsync -SHaAX $cache/rootfs/ $rootfs_path/ echo return 0 } diff --git a/templates/lxc-debian.in b/templates/lxc-debian.in index 54393ca..33fe1ec 100644 --- a/templates/lxc-debian.in +++ b/templates/lxc-debian.in 
@@ -283,7 +283,7 @@ copy_debian() # make a local copy of the minidebian echo -n "Copying rootfs to $rootfs..." mkdir -p $rootfs -rsync -Ha "$cache/rootfs-$release-$arch"/ $rootfs/ || return 1 +rsync -SHaAX "$cache/rootfs-$release-$arch"/ $rootfs/ || return 1 return 0 } diff --git a/templates/lxc-fedora.in b/templates/lxc-fedora.in index f6e5be5..624e755 100644 --- a/templates/lxc-fedora.in +++ b/templates/lxc-fedora.in @@ -1015,7 +1015,7 @@ copy_fedora() #cp -a $cache/rootfs-$basearch $rootfs_path || return 1 # i prefer rsync (no reason really) mkdir -p $rootfs_path -rsync -Ha $cache/rootfs/ $rootfs_path/ +rsync -SHaAX $cache/rootfs/ $rootfs_path/ echo return 0 } diff --git a/templates/lxc-openmandriva.in b/templates/lxc-openmandriva.in index 6123c5e..2b690b6 100644 --- a/templates/lxc-openmandriva.in +++ b/templates/lxc-openmandriva.in @@ -155,7 +155,7 @@ copy_openmandriva() echo -n "Copying rootfs to $rootfs_path ..." mkdir -p $rootfs_path -rsync -Ha $cache/rootfs/ $rootfs_path/ +rsync -SHaAX $cache/rootfs/ $rootfs_path/ return 0 } diff --git a/templates/lxc-opensuse.in b/templates/lxc-opensuse.in index d4e2b28..a69c451 100644 --- a/templates/lxc-opensuse.in +++ b/templates/lxc-opensuse.in @@ -221,7 +221,7 @@ copy_opensuse() # make a local copy of the mini opensuse echo "Copying rootfs to $rootfs ..." mkdir -p $rootfs -rsync -Ha $cache/rootfs-$arch/ $rootfs/ || return 1 +rsync -SHaAX $cache/rootfs-$arch/ $rootfs/ || return 1 return 0 } diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 55199dc..5085bf9 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in 
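Review bot: The switch from `-Ha` to `-SHaAX` on the copy_debian rsync line is what restores file capabilities in the container (`-X` keeps extended attributes such as the capability xattr, `-A` keeps ACLs, `-S` handles sparse files), but nothing in the hunk says so, and the btrfs patch on this same page reintroduces a plain `rsync -Ha` fallback in the same function. A one-line comment above the call would guard against that regression: `# -AX: keep ACLs and xattrs (file capabilities) that -a alone drops`. The same comment applies to the other templates in this patch; whether every target filesystem accepts the `security.*` xattrs that `-X` tries to write is not shown here, and `$rootfs` remains unquoted on the line.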
@@ -413,7 +413,7 @@ copy_ubuntu() btrfs subvolume snapshot $cache/rootfs-$arch $realrootfs || return 1 [ "$rootfs" = "$realrootfs" ] || mount --bind $realrootfs $rootfs || return 1 else - rsync -Ha $cache/rootfs-$arch/ $rootfs/ || return 1 + rsync -SHaAX $cache/rootfs-$arch/ $rootfs/ || return 1 fi return 0 } -- 2.8.1 signature.asc Description: OpenPGP digital signature ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel