[lxc-devel] [lxc/lxc] 2b097b: s390x: Fix seccomp handling of personalities
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 2b097b7b0a2bdd64de887ff8c3582bfed60db27d
https://github.com/lxc/lxc/commit/2b097b7b0a2bdd64de887ff8c3582bfed60db27d
Author: Stéphane Graber
Date: 2016-10-20 (Thu, 20 Oct 2016)

Changed paths:
M src/lxc/seccomp.c

Log Message:
---
s390x: Fix seccomp handling of personalities

There are no personalities for s390x, so don't list itself as one.

Signed-off-by: Stéphane Graber

Commit: 0fa4e360f89da0a9e49da5a133af5d87a8df2172
https://github.com/lxc/lxc/commit/0fa4e360f89da0a9e49da5a133af5d87a8df2172
Author: Christian Brauner
Date: 2016-10-20 (Thu, 20 Oct 2016)

Changed paths:
M src/lxc/seccomp.c

Log Message:
---
Merge pull request #1243 from stgraber/master

s390x: Fix seccomp handling of personalities

Compare: https://github.com/lxc/lxc/compare/514120e22738...0fa4e360f89d

___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/master] s390x: Fix seccomp handling of personalities
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1243 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === There are no personalities for s390x, so don't list itself as one. Signed-off-by: Stéphane Graber From 2b097b7b0a2bdd64de887ff8c3582bfed60db27d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Thu, 20 Oct 2016 16:35:36 -0400 Subject: [PATCH] s390x: Fix seccomp handling of personalities MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There are no personalities for s390x, so don't list itself as one. Signed-off-by: Stéphane Graber --- src/lxc/seccomp.c | 9 - 1 file changed, 9 deletions(-) diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c index ccffa9f..57c95b0 100644 --- a/src/lxc/seccomp.c +++ b/src/lxc/seccomp.c @@ -378,15 +378,6 @@ static int parse_config_v2(FILE *f, char *line, struct lxc_conf *conf) if (!compat_ctx[0] || !compat_ctx[1]) goto bad; #endif -#ifdef SCMP_ARCH_S390X - } else if (native_arch == lxc_seccomp_arch_s390x) { - cur_rule_arch = lxc_seccomp_arch_all; - compat_arch[0] = SCMP_ARCH_S390X; - compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_s390x, - default_policy_action); - if (!compat_ctx[0]) - goto bad; -#endif } if (default_policy_action != SCMP_ACT_KILL) { ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
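Review bot: In the parse_config_v2 hunk at -378, the removed `native_arch == lxc_seccomp_arch_s390x` branch was also where s390x hosts got `cur_rule_arch = lxc_seccomp_arch_all`, so the commit message should say what `cur_rule_arch` and `compat_ctx[0]` hold on s390x once the chain falls through with no branch taken. A one-line comment at the closing brace stating that architectures without a compat personality intentionally match no branch would help, and it is worth confirming that the code following `if (default_policy_action != SCMP_ACT_KILL) {` tolerates `compat_ctx[0]` never having been created on this path.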
[lxc-devel] [lxc/master] seccomp: check libseccomp version for s390x
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1242 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === If libseccomp version is < 2.3 we do not have appropriate s390x support. Signed-off-by: Christian Brauner From 5ef2ebe212ac3bcd937dde4b9f5629bbb3f847e6 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Thu, 20 Oct 2016 19:23:14 +0200 Subject: [PATCH] seccomp: check libseccomp version for s390x If libseccomp version is < 2.3 we do not have appropriate s390x support. Signed-off-by: Christian Brauner --- src/lxc/seccomp.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c index ccffa9f..fc8ec0e 100644 --- a/src/lxc/seccomp.c +++ b/src/lxc/seccomp.c @@ -33,6 +33,12 @@ #include "log.h" #include "lxcseccomp.h" +#if SCMP_VER_MAJOR < 2 || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 3) +#ifdef SCMP_ARCH_S390X +#undef SCMP_ARCH_S390X +#endif +#endif + lxc_log_define(lxc_seccomp, lxc); static int parse_config_v1(FILE *f, struct lxc_conf *conf) ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
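Review bot: The `#if SCMP_VER_MAJOR < 2 || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 3)` guard added after the includes depends on the preprocessor evaluating an undefined `SCMP_VER_MAJOR` as 0, so with headers that do not define the version macros the test is true and `SCMP_ARCH_S390X` is undefined; that is the safe direction, but only implicitly. Either say so in a comment or spell it out with `#if !defined(SCMP_VER_MAJOR) || ...`. Undefining a library macro also turns s390x seccomp handling off at build time without any trace, so a short comment above the `#undef` giving the reason from the commit message (no appropriate s390x support before 2.3) would stop a later cleanup from removing it.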
[lxc-devel] [lxd/master] Add appveyor config to git
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2538 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Closes #2537 Signed-off-by: Stéphane Graber From b074d3cee8b2fec600dbdaf5b5f637ed1b82d1ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Thu, 20 Oct 2016 12:24:11 -0400 Subject: [PATCH] Add appveyor config to git MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #2537 Signed-off-by: Stéphane Graber --- .appveyor.yml | 26 ++ 1 file changed, 26 insertions(+) create mode 100644 .appveyor.yml diff --git a/.appveyor.yml b/.appveyor.yml new file mode 100644 index 000..c51c28c --- /dev/null +++ b/.appveyor.yml @@ -0,0 +1,26 @@ +version: '{branch}.{build}' +image: Visual Studio 2015 +clone_folder: c:\gopath\src\github.com\lxc\lxd +environment: + GOPATH: c:\gopath + +install: +- cmd: >- +echo %PATH% +echo %GOPATH% +set PATH=%GOPATH%\bin;c:\go\bin;%PATH% +go version +go env + +build_script: +- cmd: >- +go get -t -v -d ./... +go install -v ./lxc + +test_script: +- cmd: >- +cd c:\gopath\src\github.com\lxc\lxd +go test ./ +go test ./shared +go test ./lxc +lxc version ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
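Review bot: In build_script, `go get -t -v -d ./...` fetches every dependency at whatever revision upstream serves when the job runs, so the CI build is not reproducible and compiles code nobody reviewed for this commit; pin the dependencies or at least record that this is a known limitation in a comment. In test_script only `./`, `./shared` and `./lxc` are tested, with nothing in the file explaining why the remaining packages are skipped on Windows, and the `cd c:\gopath\src\github.com\lxc\lxd` line repeats `clone_folder`, so the path has to be kept in sync in two places.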
[lxc-devel] [lxd/master] set term to "dumb" on windows
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2536 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Closes #2288 Signed-off-by: Tycho Andersen
Re: [lxc-devel] please open lxc-cgroup for unprivileged monitoring
On Wed, Oct 19, 2016 at 02:10:59PM +0200, Harald Dunkel wrote:
> Hi folks,
>
> using an unprivileged account for monitoring lxc-cgroup
> returns a "permission denied" message for something that
> is world readable in the /cgroup directory. Sample:
>
> % lxc-cgroup -P /data1/lxc -n jerry1 memory.usage_in_bytes
> lxc-cgroup: tools/lxc_cgroup.c: main: 104 Insufficent privileges to control
> /data1/lxc:jerry1
> % cat /cgroup/lxc/jerry1/memory.usage_in_bytes
> 286883840
>
> Following the api I am forced to use root permission or some
> hard-to-configure sudo constructs for monitoring. This is
> pretty painful.
>
> Do you think this could be improved?

Not easily, because you won't be allowed to talk to the container control socket to ask it its cgroup.
[lxc-devel] [lxd/master] add gpu device type
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2535

This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
- lxc config device add c1 gpu0 gpu
  => Pass everything we have
- lxc config device add c1 gpu0 gpu vendor=10de
  => Pass whatever we have from nvidia
- lxc config device add c1 gpu0 gpu vendor=10de id=1
  => Pass the second nvidia GPU
- lxc config device add c1 gpu0 gpu pci=:02:08.0
  => Pass whatever GPU is at that PCI address

This parses /sys/bus/pci/devices/* and looks for the drm subfolder. All subfolders under that, e.g.

    card0
    controlD64
    renderD128

belong to the same PCI address and probably all need to be handed to the container when the user somehow selects card0.

We then retrieve the vendor ID, and if available the device ID from

    /sys/bus/pci/devices/*/vendor
    /sys/bus/pci/devices/*/device

The major and minor number for each device can be gathered from the

    card0/dev
    controlD64/dev
    renderD128/dev

files.

If we detect that the vendor ID is Nvidia, we also parse /dev and look for /dev/nvidia[0-9]+ entries. We thereby associate the correct /dev/nvidia* entry with the correct /dev/card* entry, e.g. we correlate /dev/card0 and /dev/nvidia0. Finally, we store any residual /dev/nvidia[^0-9]+ mounts that are not cards because we need to assume that if /dev/nvidia[0-9]+ is requested then the other files are necessary for correct functionality of that card and need to be mounted into every container that also mounts that card.

Signed-off-by: Christian Brauner

From 1809909a600fa8a73ab52c40148beef3fe9ac0b5 Mon Sep 17 00:00:00 2001
From: Christian Brauner Date: Tue, 18 Oct 2016 11:17:27 +0200 Subject: [PATCH 1/2] devices: add gpu device type - lxc config device add c1 gpu0 gpu => Pass everything we have - lxc config device add c1 gpu0 gpu vendor=10de => Pass whatever we have from nvidia - lxc config device add c1 gpu0 gpu vendor=10de id=1 => Pass the second nvidia GPU - lxc config device add c1 gpu0 gpu pci=:02:08.0 => Pass whatever GPU is at that PCI address This parses /sys/bus/pci/devices/* and looks for the drm subfolder. All subfolders under that, e.g. card0 controlD64 renderD128 belong to the same PCI address and probably all need to be handed to the container when the user somehow selects card0. We then retrieve the vendor ID, and if available the device ID from /sys/bus/pci/devices/*/vendor /sys/bus/pci/devices/*/device The major and minor number for each device can be gathered from the card0/dev controlD64/dev renderD128/dev files. If we detect that the vendor ID is Nvidia, we also parse /dev and look for /dev/nvidia[0-9]+ entries. We thereby associate the correct /dev/nvidia* entry with the correct /dev/card* entry, e.g. we correlate /dev/card0 and /dev/nvidia0. Finally, we store any residual /dev/nvidia[^0-9]+ mounts that are not cards because we need to assume that if /dev/nvidia[0-9]+ is requested then the other files are necessary for correct functionality of that card and need to be mounted into every container that also mounts that card. Signed-off-by: Christian Brauner --- lxd/container.go | 22 - lxd/container_lxc.go | 231 +++ lxd/db_devices.go| 4 + lxd/devices.go | 211 +- 4 files changed, 449 insertions(+), 19 deletions(-) diff --git a/lxd/container.go b/lxd/container.go index dbc19fe..5b8ddcb 100644 --- a/lxd/container.go +++ b/lxd/container.go 
@@ -152,6 +152,23 @@ func containerValidDeviceConfigKey(t, k string) bool { default: return false } + case "gpu": + switch k { + case "vendorid": + return true + case "id": + return true + case "mode": + return true + case "gid": + return true + case "uid": + return true + case "pci": + return true + default: + return false + } case "none": return false default: @@ -204,7 +221,7 @@ func containerValidDevices(devices shared.Devices, profile bool, expanded bool) return fmt.Errorf("Missing device type for device '%s'", name) } - if !shared.StringInSlice(m["type"], []string{"none", "nic", "disk", "unix-char", "unix-block", "usb"}) { + if !shared.StringInSlice(m["type"], []string{"none", "nic", "disk", "unix-char", "unix-block", "usb", "gpu"}) { retur
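Review bot: The new `case "gpu":` block in containerValidDeviceConfigKey accepts `vendorid`, but every example in the commit message uses `vendor=10de`, which would fall through to `default: return false`; rename one side so the documented commands actually validate. The six single-key cases can be one `case "vendorid", "id", "mode", "gid", "uid", "pci":` line. Since `mode`, `uid` and `gid` decide who inside the container can open the passed device nodes, the description should also state their defaults.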
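The sysfs walk from the pull-request description above, as an added Go example that is not LXD's code from this patch: it groups every DRM node under its PCI address, which shows exactly which device nodes a vendor selector would hand to a container. The names `GPU`, `ListGPUs` and `readAttr` and the `root` parameter are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// GPU is one PCI device exposing DRM nodes; Nodes maps node name to "major:minor".
type GPU struct {
	PCI, Vendor, Device string
	Nodes               map[string]string
}

// readAttr returns a sysfs attribute, trimmed and without a "0x" prefix ("" if unreadable).
func readAttr(path string) string {
	b, _ := os.ReadFile(path)
	return strings.TrimPrefix(strings.TrimSpace(string(b)), "0x")
}

// ListGPUs walks <root>/bus/pci/devices/*/drm and groups the DRM nodes by PCI
// address. vendor ("" = any) filters by vendor ID, e.g. "10de"; root is "/sys" on a host.
func ListGPUs(root, vendor string) ([]GPU, error) {
	drmDirs, err := filepath.Glob(filepath.Join(root, "bus/pci/devices/*/drm"))
	if err != nil {
		return nil, err
	}
	var gpus []GPU
	for _, drm := range drmDirs {
		pciDir := filepath.Dir(drm)
		g := GPU{PCI: filepath.Base(pciDir), Nodes: map[string]string{}}
		g.Vendor = readAttr(filepath.Join(pciDir, "vendor"))
		g.Device = readAttr(filepath.Join(pciDir, "device"))
		if vendor != "" && g.Vendor != vendor {
			continue
		}
		nodes, _ := filepath.Glob(filepath.Join(drm, "*", "dev"))
		for _, n := range nodes {
			g.Nodes[filepath.Base(filepath.Dir(n))] = readAttr(n)
		}
		gpus = append(gpus, g)
	}
	return gpus, nil
}

func main() {
	fmt.Println(ListGPUs("/sys", ""))
}
```

Running it on the host before adding a gpu device lists every node (card, control and render) that shares the selected PCI address, which is the set to review against the container's intended privileges.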