[lxc-devel] [lxc/lxc] 2b097b: s390x: Fix seccomp handling of personalities

2016-10-20 Thread GitHub
  Branch: refs/heads/master
  Home:   https://github.com/lxc/lxc
  Commit: 2b097b7b0a2bdd64de887ff8c3582bfed60db27d
  https://github.com/lxc/lxc/commit/2b097b7b0a2bdd64de887ff8c3582bfed60db27d
  Author: Stéphane Graber 
  Date:   2016-10-20 (Thu, 20 Oct 2016)

  Changed paths:
M src/lxc/seccomp.c

  Log Message:
  ---
  s390x: Fix seccomp handling of personalities

There are no personalities for s390x, so don't list itself as one.

Signed-off-by: Stéphane Graber 


  Commit: 0fa4e360f89da0a9e49da5a133af5d87a8df2172
  https://github.com/lxc/lxc/commit/0fa4e360f89da0a9e49da5a133af5d87a8df2172
  Author: Christian Brauner 
  Date:   2016-10-20 (Thu, 20 Oct 2016)

  Changed paths:
M src/lxc/seccomp.c

  Log Message:
  ---
  Merge pull request #1243 from stgraber/master

s390x: Fix seccomp handling of personalities


Compare: https://github.com/lxc/lxc/compare/514120e22738...0fa4e360f89d
___
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel


[lxc-devel] [lxc/master] s390x: Fix seccomp handling of personalities

2016-10-20 Thread stgraber on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1243

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
There are no personalities for s390x, so don't list itself as one.

Signed-off-by: Stéphane Graber 
From 2b097b7b0a2bdd64de887ff8c3582bfed60db27d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= 
Date: Thu, 20 Oct 2016 16:35:36 -0400
Subject: [PATCH] s390x: Fix seccomp handling of personalities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

There are no personalities for s390x, so don't list itself as one.

Signed-off-by: Stéphane Graber 
---
 src/lxc/seccomp.c | 9 -
 1 file changed, 9 deletions(-)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index ccffa9f..57c95b0 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -378,15 +378,6 @@ static int parse_config_v2(FILE *f, char *line, struct 
lxc_conf *conf)
if (!compat_ctx[0] || !compat_ctx[1])
goto bad;
 #endif
-#ifdef SCMP_ARCH_S390X
-   } else if (native_arch == lxc_seccomp_arch_s390x) {
-   cur_rule_arch = lxc_seccomp_arch_all;
-   compat_arch[0] = SCMP_ARCH_S390X;
-   compat_ctx[0] = get_new_ctx(lxc_seccomp_arch_s390x,
-   default_policy_action);
-   if (!compat_ctx[0])
-   goto bad;
-#endif
}
 
if (default_policy_action != SCMP_ACT_KILL) {
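Review bot: with the `native_arch == lxc_seccomp_arch_s390x` branch removed from the `else if` chain in parse_config_v2, nothing in this hunk shows what `cur_rule_arch` holds on s390x once the chain falls through; please confirm it is initialised to the native arch before the chain so that rules are still applied there. A one-line comment at the end of the chain stating that s390x has no compat architecture and is deliberately absent would keep the branch from being re-added, and the commit message could say what failed when `compat_arch[0]` was set to `SCMP_ARCH_S390X`, the native arch itself.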


[lxc-devel] [lxc/master] seccomp: check libseccomp version for s390x

2016-10-20 Thread brauner on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1242

=== Description (from pull-request) ===
If libseccomp version is < 2.3 we do not have appropriate s390x support.

Signed-off-by: Christian Brauner 
From 5ef2ebe212ac3bcd937dde4b9f5629bbb3f847e6 Mon Sep 17 00:00:00 2001
From: Christian Brauner 
Date: Thu, 20 Oct 2016 19:23:14 +0200
Subject: [PATCH] seccomp: check libseccomp version for s390x

If libseccomp version is < 2.3 we do not have appropriate s390x support.

Signed-off-by: Christian Brauner 
---
 src/lxc/seccomp.c | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/src/lxc/seccomp.c b/src/lxc/seccomp.c
index ccffa9f..fc8ec0e 100644
--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -33,6 +33,12 @@
 #include "log.h"
 #include "lxcseccomp.h"
 
+#if SCMP_VER_MAJOR < 2 || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 3)
+#ifdef SCMP_ARCH_S390X
+#undef SCMP_ARCH_S390X
+#endif
+#endif
+
 lxc_log_define(lxc_seccomp, lxc);
 
 static int parse_config_v1(FILE *f, struct lxc_conf *conf)
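Review bot: the `#if SCMP_VER_MAJOR < 2 || (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR < 3)` guard is evaluated against the libseccomp headers at build time, so it says nothing about the library the binary later runs against; a comment above the guard should state that this is a header check and why 2.3 is the cut-off. The guard also depends on `SCMP_VER_MAJOR` and `SCMP_VER_MINOR` being defined by a header included above it: if they are not, the preprocessor evaluates them as 0 and `SCMP_ARCH_S390X` is silently undefined, which may be the intent for old headers but should be written down. The inner `#ifdef SCMP_ARCH_S390X` can be dropped, since `#undef` of a name that is not defined is a no-op.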


[lxc-devel] [lxd/master] Add appveyor config to git

2016-10-20 Thread stgraber on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2538

=== Description (from pull-request) ===
Closes #2537

Signed-off-by: Stéphane Graber 
From b074d3cee8b2fec600dbdaf5b5f637ed1b82d1ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= 
Date: Thu, 20 Oct 2016 12:24:11 -0400
Subject: [PATCH] Add appveyor config to git
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #2537

Signed-off-by: Stéphane Graber 
---
 .appveyor.yml | 26 ++
 1 file changed, 26 insertions(+)
 create mode 100644 .appveyor.yml

diff --git a/.appveyor.yml b/.appveyor.yml
new file mode 100644
index 000..c51c28c
--- /dev/null
+++ b/.appveyor.yml
@@ -0,0 +1,26 @@
+version: '{branch}.{build}'
+image: Visual Studio 2015
+clone_folder: c:\gopath\src\github.com\lxc\lxd
+environment:
+  GOPATH: c:\gopath
+
+install:
+- cmd: >-
+echo %PATH%
+echo %GOPATH%
+set PATH=%GOPATH%\bin;c:\go\bin;%PATH%
+go version
+go env
+
+build_script:
+- cmd: >-
+go get -t -v -d ./...
+go install -v ./lxc
+
+test_script:
+- cmd: >-
+cd c:\gopath\src\github.com\lxc\lxd
+go test ./
+go test ./shared
+go test ./lxc
+lxc version
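Review bot: each `- cmd: >-` block under install, build_script and test_script lists its commands on consecutive lines of a folded YAML scalar, and as the hunk reads here a folded scalar joins such lines with spaces, so `echo %PATH%`, `echo %GOPATH%`, `set PATH=...` and the rest would be handed over as a single line. Separating the commands with blank lines, using a literal `|` scalar, or giving each command its own `- cmd:` entry avoids that. Separately, `go get -t -v -d ./...` in build_script fetches whatever revision of each dependency is current when the build runs, so a green build is not reproducible; worth a comment if pinning is planned.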


[lxc-devel] [lxd/master] set term to "dumb" on windows

2016-10-20 Thread tych0 on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2536

=== Description (from pull-request) ===
Closes #2288

Signed-off-by: Tycho Andersen 







Re: [lxc-devel] please open lxc-cgroup for unprivileged monitoring

2016-10-20 Thread Serge E. Hallyn
On Wed, Oct 19, 2016 at 02:10:59PM +0200, Harald Dunkel wrote:
> Hi folks,
> 
> using an unprivileged account for monitoring lxc-cgroup
> returns a "permission denied" message for something that
> is world readable in the /cgroup directory. Sample:
> 
> % lxc-cgroup -P /data1/lxc -n jerry1 memory.usage_in_bytes
> lxc-cgroup: tools/lxc_cgroup.c: main: 104 Insufficent privileges to control 
> /data1/lxc:jerry1
> % cat /cgroup/lxc/jerry1/memory.usage_in_bytes
> 286883840
> 
> Following the api I am forced to use root permission or some
> hard-to-configure sudo constructs for monitoring. This is
> pretty painful.
> 
> Do you think this could be improved?

Not easily, because you won't be allowed to talk to the container
control socket to ask it its cgroup.


[lxc-devel] [lxd/master] add gpu device type

2016-10-20 Thread brauner on Github
The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2535

=== Description (from pull-request) ===
- lxc config device add c1 gpu0 gpu => Pass everything we have
- lxc config device add c1 gpu0 gpu vendor=10de => Pass whatever we have from nvidia
- lxc config device add c1 gpu0 gpu vendor=10de id=1 => Pass the second nvidia GPU
- lxc config device add c1 gpu0 gpu pci=:02:08.0 => Pass whatever GPU is at that PCI address

This parses /sys/bus/pci/devices/* and looks for the drm subfolder. All
subfolders under that, e.g.

	card0
	controlD64
	renderD128

belong to the same PCI address and probably all need to be handed to the
container when the user somehow selects card0.
We then retrieve the vendor ID, and if available the device ID from

	/sys/bus/pci/devices/*/vendor
	/sys/bus/pci/devices/*/device

The major and minor number for each device can be gathered from the

	card0/dev
	controlD64/dev
	renderD128/dev

files.

If we detect that the vendor ID is Nvidia, we also parse /dev and look for

	/dev/nvidia[0-9]+

entries. We thereby associate the correct /dev/nvidia* entry with the correct
/dev/card* entry, e.g. we correlate

	/dev/card0

and

	/dev/nvidia0.

Finally, we store any residual /dev/nvidia[^0-9]+ mounts that are not cards
because we need to assume that if /dev/nvidia[0-9]+ is requested then the other
files are necessary for correct functionality of that card and need to be
mounted into every container that also mounts that card.

Signed-off-by: Christian Brauner 
From 1809909a600fa8a73ab52c40148beef3fe9ac0b5 Mon Sep 17 00:00:00 2001
From: Christian Brauner 
Date: Tue, 18 Oct 2016 11:17:27 +0200
Subject: [PATCH 1/2] devices: add gpu device type

- lxc config device add c1 gpu0 gpu => Pass everything we have
- lxc config device add c1 gpu0 gpu vendor=10de => Pass whatever we have from nvidia
- lxc config device add c1 gpu0 gpu vendor=10de id=1 => Pass the second nvidia GPU
- lxc config device add c1 gpu0 gpu pci=:02:08.0 => Pass whatever GPU is at that PCI address

This parses /sys/bus/pci/devices/* and looks for the drm subfolder. All
subfolders under that, e.g.

card0
controlD64
renderD128

belong to the same PCI address and probably all need to be handed to the
container when the user somehow selects card0.
We then retrieve the vendor ID, and if available the device ID from

/sys/bus/pci/devices/*/vendor
/sys/bus/pci/devices/*/device

The major and minor number for each device can be gathered from the

card0/dev
controlD64/dev
renderD128/dev

files.

If we detect that the vendor ID is Nvidia, we also parse /dev and look for

/dev/nvidia[0-9]+

entries. We thereby associate the correct /dev/nvidia* entry with the correct
/dev/card* entry, e.g. we correlate

/dev/card0
and
/dev/nvidia0.

Finally, we store any residual /dev/nvidia[^0-9]+ mounts that are not cards
because we need to assume that if /dev/nvidia[0-9]+ is requested then the other
files are necessary for correct functionality of that card and need to be
mounted into every container that also mounts that card.

Signed-off-by: Christian Brauner 
---
 lxd/container.go |  22 -
 lxd/container_lxc.go | 231 +++
 lxd/db_devices.go|   4 +
 lxd/devices.go   | 211 +-
 4 files changed, 449 insertions(+), 19 deletions(-)

diff --git a/lxd/container.go b/lxd/container.go
index dbc19fe..5b8ddcb 100644
--- a/lxd/container.go
+++ b/lxd/container.go
@@ -152,6 +152,23 @@ func containerValidDeviceConfigKey(t, k string) bool {
default:
return false
}
+   case "gpu":
+   switch k {
+   case "vendorid":
+   return true
+   case "id":
+   return true
+   case "mode":
+   return true
+   case "gid":
+   return true
+   case "uid":
+   return true
+   case "pci":
+   return true
+   default:
+   return false
+   }
case "none":
return false
default:
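Review bot: the new `case "gpu":` key list accepts `vendorid`, but every example in the commit message uses `vendor=10de`, which this switch sends to `default` and rejects; either accept `vendor` here or change the examples to `vendorid`. The six cases all return true, so `case "vendorid", "id", "mode", "gid", "uid", "pci":` with a single `return true` would be shorter and make the accepted set easier to audit. `mode`, `gid` and `uid` are accepted but not described in the commit message; a sentence on what they set on the passed-through device nodes would help.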
@@ -204,7 +221,7 @@ func containerValidDevices(devices shared.Devices, profile 
bool, expanded bool)
return fmt.Errorf("Missing device type for device 
'%s'", name)
}
 
-   if !shared.StringInSlice(m["type"], []string{"none", "nic", 
"disk", "unix-char", "unix-block", "usb"}) {
+   if !shared.StringInSlice(m["type"], []string{"none", "nic", 
"disk", "unix-char", "unix-block", "usb", "gpu"}) {
retur
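
The sysfs walk from the pull-request description above (find PCI devices that have a `drm` subfolder, read `vendor`, take each node's major:minor from its `dev` file), as an added Go example that is not LXD's code and not part of the patch. `findGPUs`, `gpuNode`, `attr`, `sampleSysfs`, the filter parameters and the constructed temp tree with its PCI addresses and device numbers are assumptions; the /dev/nvidia* correlation is not covered.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// gpuNode is one DRM node (card0, renderD128, ...) under a PCI device.
type gpuNode struct{ PCI, Vendor, Name, MajMin string }

func attr(path string) string { // trimmed sysfs attribute, "" if unreadable
	b, _ := os.ReadFile(path)
	return strings.TrimSpace(string(b))
}

// findGPUs returns DRM nodes whose PCI device matches both filters ("" = any).
func findGPUs(root, vendor, pci string) (out []gpuNode) {
	files, _ := filepath.Glob(filepath.Join(root, "bus/pci/devices/*/drm/*/dev"))
	for _, f := range files { // PCI devices without a drm/ directory never match
		node, dev := filepath.Dir(f), filepath.Dir(filepath.Dir(filepath.Dir(f)))
		v := strings.TrimPrefix(attr(filepath.Join(dev, "vendor")), "0x")
		if (vendor == "" || strings.EqualFold(v, vendor)) && (pci == "" || filepath.Base(dev) == pci) {
			out = append(out, gpuNode{filepath.Base(dev), v, filepath.Base(node), attr(f)})
		}
	}
	return out
}

// sampleSysfs builds a constructed sysfs-like tree in a temp dir (not real hardware).
func sampleSysfs() string {
	root, _ := os.MkdirTemp("", "sysfs")
	for rel, data := range map[string]string{
		"0000:01:00.0/vendor": "0x10de\n", "0000:01:00.0/drm/card0/dev": "226:0\n",
		"0000:01:00.0/drm/controlD64/dev": "226:64\n", "0000:01:00.0/drm/renderD128/dev": "226:128\n",
		"0000:00:02.0/vendor": "0x8086\n", "0000:00:02.0/drm/card1/dev": "226:1\n", "0000:00:1f.3/vendor": "0x8086\n",
	} {
		p := filepath.Join(root, "bus/pci/devices", rel)
		os.MkdirAll(filepath.Dir(p), 0o755)
		os.WriteFile(p, []byte(data), 0o644)
	}
	return root
}

func main() {
	root := sampleSysfs()
	defer os.RemoveAll(root)
	fmt.Println(findGPUs(root, "10de", ""))
}
```

Only nodes under a matching PCI device are returned, so a vendor or PCI filter narrows what would be handed to the container to that device's own nodes.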