[lxc-devel] [lxd/master] actually surface the last used update error
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/2615 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Tycho Andersen
From f7b55179e6799507a4a92c926767cfd6db461fdd Mon Sep 17 00:00:00 2001
From: Tycho Andersen
Date: Tue, 15 Nov 2016 11:26:11 -0700
Subject: [PATCH] actually surface the last used update error
Signed-off-by: Tycho Andersen
---
 lxd/container_lxc.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index fec0f2e..d178fdb 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -1470,7 +1470,7 @@ func (c *containerLXC) startCommon() (string, error) {
 // Update time container was last started
 err = dbContainerLastUsedUpdate(c.daemon.db, c.id, time.Now().UTC())
 if err != nil {
- fmt.Printf("Error updating last used: %v", err)
+ return "", fmt.Errorf("Error updating last used: %v", err)
 }
 return configPath, nil
___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
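Review bot: Returning from the `if err != nil` branch turns a failed last-used timestamp write into a failed container start, so a transient database error now blocks startup. startCommon's body begins outside the hunk, so whether the work it did before this point is undone on this new return path cannot be confirmed from the lines shown and should be checked. If the timestamp is only bookkeeping, reporting the error through the daemon's logger and continuing would keep the start path available; either way a comment stating the choice would help, e.g. `// a failed last-used update aborts the start on purpose`.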
[lxc-devel] [lxc/master] lxc-checkpoint: automatically detect if --external or --veth-pair
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1303 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === With the criu release 2.8 criu deprecated the --veth-pair command-line option in favor of --external: f2037e6 veth: Make --external support --veth-pair git tag --contains f2037e6d3445fc400 v2.8 With this commit lxc-checkpoint will automatically switch between the new and old command-line option dependent on the detected criu version. For criu version older than 2.8 something like this will be used: --veth-pair eth0=vethYOK6RW@lxcbr0 and starting with criu version 2.8 it will look like this: --external veth[eth0]:vethCRPEYL@lxcbr0 Signed-off-by: Adrian Reber
From b202b34ebc51e6df9928f44e5f434d775644af22 Mon Sep 17 00:00:00 2001
From: Adrian Reber
Date: Tue, 15 Nov 2016 15:47:31 +
Subject: [PATCH] lxc-checkpoint: automatically detect if --external or --veth-pair
With the criu release 2.8 criu deprecated the --veth-pair command-line option in favor of --external: f2037e6 veth: Make --external support --veth-pair git tag --contains f2037e6d3445fc400 v2.8 With this commit lxc-checkpoint will automatically switch between the new and old command-line option dependent on the detected criu version. For criu version older than 2.8 something like this will be used: --veth-pair eth0=vethYOK6RW@lxcbr0 and starting with criu version 2.8 it will look like this: --external veth[eth0]:vethCRPEYL@lxcbr0 Signed-off-by: Adrian Reber
---
 src/lxc/criu.c | 37 -
 1 file changed, 32 insertions(+), 5 deletions(-)
diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 9523af3..8f96014 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -58,6 +58,7 @@
 #define CRIU_GITID_PATCHLEVEL 0
 #define CRIU_IN_FLIGHT_SUPPORT "2.4"
+#define CRIU_EXTERNAL_NOT_VETH "2.8"
 lxc_log_define(lxc_criu, lxc);
@@ -482,7 +483,19 @@ static void exec_criu(struct criu_opts *opts)
 lxc_list_for_each(it, &opts->c->lxc_conf->network) {
 char eth[128], *veth;
+ char fmt[16];
 struct lxc_netdev *n = it->elem;
+ bool external_not_veth;
+
+ if (strcmp(opts->criu_version, CRIU_EXTERNAL_NOT_VETH) >= 0) {
+ /* Since criu version 2.8 the usage of --veth-pair
+* has been deprecated:
+* git tag --contains f2037e6d3445fc400
+* v2.8 */
+ external_not_veth = true;
+ } else {
+ external_not_veth = false;
+ }
 if (n->name) {
 if (strlen(n->name) >= sizeof(eth))
@@ -498,10 +511,21 @@ static void exec_criu(struct criu_opts *opts)
 case LXC_NET_VETH:
 veth = n->priv.veth_attr.pair;
- if (n->link)
- ret = snprintf(buf, sizeof(buf), "veth[%s]:%s@%s", eth, veth, n->link);
- else
- ret = snprintf(buf, sizeof(buf), "veth[%s]:%s", eth, veth);
+ if (n->link) {
+ if (external_not_veth)
+ strncpy(fmt, "veth[%s]:%s@%s", sizeof(fmt));
+ else
+ strncpy(fmt, "%s=%s@%s", sizeof(fmt));
+
+ ret = snprintf(buf, sizeof(buf), fmt, eth, veth, n->link);
+ } else {
+ if (external_not_veth)
+ strncpy(fmt, "veth[%s]:%s", sizeof(fmt));
+ else
+ strncpy(fmt, "%s=%s", sizeof(fmt));
+
+ ret = snprintf(buf, sizeof(buf), fmt, eth, veth);
+ }
 if (ret < 0 || ret >= sizeof(buf))
 goto err;
 break;
@@ -524,7 +548,10 @@ static void exec_criu(struct criu_opts *opts)
 goto err;
 }
- DECLARE_ARG("--external");
+ if (external_not_veth)
+ DECLARE_ARG("--external");
+ else
+ DECLARE_ARG("--veth-pair");
 DECLARE_ARG(buf);
 netnr++;
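Review bot: The version test `strcmp(opts->criu_version, CRIU_EXTERNAL_NOT_VETH) >= 0` at the top of the loop body compares the strings lexically, so a criu that reports "2.10" sorts below "2.8" and would be given the deprecated `--veth-pair` form. Comparing parsed numbers avoids this: read the components once with `sscanf(opts->criu_version, "%d.%d", &major, &minor)` and test `major > 2 || (major == 2 && minor >= 8)`. The result does not depend on the network entry, so it can be computed once before `lxc_list_for_each` instead of on every iteration. exec_criu starts and ends outside the hunk, so whether `criu_version` can be NULL at this point is not visible here.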
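Review bot: In the LXC_NET_VETH case the pattern is copied into `char fmt[16]` with strncpy and then handed to snprintf as a non-literal format, which takes the call out of the compiler's format/argument checking and leaves `fmt` unterminated as soon as a pattern reaches 16 bytes (the longest one today, `veth[%s]:%s@%s`, needs 15). Choosing between literals removes both the buffer and the copy: `const char *fmt = external_not_veth ? "veth[%s]:%s@%s" : "%s=%s@%s";` in the `n->link` branch and `external_not_veth ? "veth[%s]:%s" : "%s=%s"` in the else branch. The existing `ret < 0 || ret >= sizeof(buf)` truncation check stays as it is. The enclosing function continues outside the hunk.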
[lxc-devel] [lxc/lxc] 657f89: cgroups: use %zu format specifier to print size_t
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 657f890799ad5809ad83a77c69ede2e335835ec4 https://github.com/lxc/lxc/commit/657f890799ad5809ad83a77c69ede2e335835ec4 Author: Christian Brauner Date: 2016-11-15 (Tue, 15 Nov 2016) Changed paths: M src/lxc/cgroups/cgfsng.c Log Message: --- cgroups: use %zu format specifier to print size_t Signed-off-by: Christian Brauner Commit: 471a304df4fff53b8fdf63248c1fdfca56428473 https://github.com/lxc/lxc/commit/471a304df4fff53b8fdf63248c1fdfca56428473 Author: Stéphane Graber Date: 2016-11-15 (Tue, 15 Nov 2016) Changed paths: M src/lxc/cgroups/cgfsng.c Log Message: --- Merge pull request #1301 from brauner/2016-11-15/isolcpus cgroups: use %zu format specifier to print size_t Compare: https://github.com/lxc/lxc/compare/a8bae5522a2d...471a304df4ff___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/lxc] 9f99a3: lxc-checkpoint: enable dirty memory tracking in cr...
Branch: refs/heads/master Home: https://github.com/lxc/lxc Commit: 9f99a33fa97a81d395b6522fe7bd51e0ef6af454 https://github.com/lxc/lxc/commit/9f99a33fa97a81d395b6522fe7bd51e0ef6af454 Author: Adrian Reber Date: 2016-11-15 (Tue, 15 Nov 2016) Changed paths: M src/lxc/criu.c M src/lxc/tools/lxc_checkpoint.c Log Message: --- lxc-checkpoint: enable dirty memory tracking in criu CRIU supports dirty memory tracking to take incremental checkpoints. Incremental checkpoints are one way of reducing downtime during migration. The first checkpoint dumps all the memory pages and the second (and third, and fourth, ...) only dumps pages which have changed. Most of the necessary code has already been implemented. This just adds the existing functionality to lxc-checkpoint: -p, --pre-dumpOnly pre-dump the memory of the container. Container keeps on running and following checkpoints will only dump the changes. --predump-dir=DIR path to images from previous dump (relative to -D) The following is an example from a container running CentOS 7 with psql and tomcat: # lxc-checkpoint -n c7 -D /tmp/cp -p Container keeps on running # du -h /tmp/cp 229M /tmp/cp Sync initial checkpoint to destination # rsync -a /tmp/cp host2:/tmp/ Sync file-system # rsync -a /var/lib/lxc/c7 host2:/var/lib/lxc/ Final dump; container is stopped # lxc-checkpoint -n c7 -D /tmp/cp --predump-dir=../cp -s # du -h /tmp/cp2 90M/tmp/cp2 After transferring the second (incremental checkpoint) and the changes to the container's file system the container can be restored on the second host by pointing lxc-checkpoint to the second checkpoint directory: # lxc-checkpoint -n c7 -D /tmp/cp2 -r Signed-off-by: Adrian Reber Commit: a8bae5522a2dd4b5064baae13492bae981e9e3ca https://github.com/lxc/lxc/commit/a8bae5522a2dd4b5064baae13492bae981e9e3ca Author: Stéphane Graber Date: 2016-11-15 (Tue, 15 Nov 2016) Changed paths: M src/lxc/criu.c M src/lxc/tools/lxc_checkpoint.c Log Message: --- Merge pull request #1299 from adrianreber/master 
lxc-checkpoint: enable dirty memory tracking in criu Compare: https://github.com/lxc/lxc/compare/748c52b52c6f...a8bae5522a2d___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/master] separate the limiting from the namespaced cgroup root
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/1302 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === When cgroup namespaces are enabled a privileged container with mixed cgroups has full write access to its own root cgroup effectively allowing it to overwrite values written from the outside or configured via lxc.cgroup.*. This patch causes an additional 'inner/' directory to be created in all cgroups if cgroup namespaces and cgfsng are being used in order to combat this. This is a request for comments, it currently has the subdirectory name hardcoded and is non-optional. All of this could of course be made configurable if a "feature" like this is acceptable. It seems to only be necessary for privileged containers which are, well, "privileged" after all, but cgroup limits do seem pointless if they can't be enforced even when it's privileged containers we're dealing with. On the other hand for unprivileged containers maybe this could allow us to make the entire directory the container sees as root cgroup writable by the container? (Not sure about this, currently we only chown `cgroup.procs` and `tasks`, and otherwise the container can only create subdirectories.) PS: I'm not sure whether criu.c needs special code there, but from the host's point of view it's a subdirectory within the container's cgroup, only the point at which `CLONE_NEWCGROUP` is used is moved, so only the container's inner view changes. From 573aa03c27c5cb969a4ccf58e6a63bb89efc861d Mon Sep 17 00:00:00 2001 
From: Wolfgang Bumiller
Date: Tue, 15 Nov 2016 09:20:24 +0100
Subject: [PATCH] separate the limiting from the namespaced cgroup root
When cgroup namespaces are enabled a privileged container with mixed cgroups has full write access to its own root cgroup effectively allowing it to overwrite values written from the outside or configured via lxc.cgroup.*. This patch causes an additional 'inner/' directory to be created in all cgroups if cgroup namespaces and cgfsng are being used in order to combat this. Signed-off-by: Wolfgang Bumiller
---
 src/lxc/cgroups/cgfs.c | 15 --
 src/lxc/cgroups/cgfsng.c| 70 +
 src/lxc/cgroups/cgmanager.c | 15 --
 src/lxc/cgroups/cgroup.c| 12
 src/lxc/cgroups/cgroup.h| 12
 src/lxc/criu.c | 2 +-
 src/lxc/start.c | 21 --
 7 files changed, 113 insertions(+), 34 deletions(-)
diff --git a/src/lxc/cgroups/cgfs.c b/src/lxc/cgroups/cgfs.c
index 8499200..0152477 100644
--- a/src/lxc/cgroups/cgfs.c
+++ b/src/lxc/cgroups/cgfs.c
@@ -2383,12 +2383,15 @@ static void cgfs_destroy(void *hdata, struct lxc_conf *conf)
 free(d);
 }
-static inline bool cgfs_create(void *hdata)
+static inline bool cgfs_create(void *hdata, bool inner)
 {
 struct cgfs_data *d = hdata;
 struct cgroup_process_info *i;
 struct cgroup_meta_data *md;
+ if (inner)
+ return true;
+
 if (!d)
 return false;
 md = d->meta;
@@ -2399,12 +2402,15 @@ static inline bool cgfs_create(void *hdata)
 return true;
 }
-static inline bool cgfs_enter(void *hdata, pid_t pid)
+static inline bool cgfs_enter(void *hdata, pid_t pid, bool inner)
 {
 struct cgfs_data *d = hdata;
 struct cgroup_process_info *i;
 int ret;
+ if (inner)
+ return true;
+
 if (!d)
 return false;
 i = d->info;
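Review bot: The `if (inner) return true;` added to cgfs_create and cgfs_enter here (and to cgfs_chown in the following hunk) makes the inner pass report success while doing nothing, so a caller cannot tell from the return value that the limiting cgroup was not separated from the one the container sees. The early return is also placed ahead of the existing `if (!d) return false;`, so a NULL hdata is reported as success on the inner pass. Each site should carry a comment such as `/* cgfs does not create an inner cgroup; the inner pass is a no-op */`, and if cgroup namespaces can be combined with this backend the skipped separation deserves a log message. The callers in start.c are outside this view, so how they gate the inner pass cannot be confirmed from here.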
@@ -2646,13 +2652,16 @@ static bool do_cgfs_chown(char *cgroup_path, struct lxc_conf *conf)
 return true;
 }
-static bool cgfs_chown(void *hdata, struct lxc_conf *conf)
+static bool cgfs_chown(void *hdata, struct lxc_conf *conf, bool inner)
 {
 struct cgfs_data *d = hdata;
 struct cgroup_process_info *info_ptr;
 char *cgpath;
 bool r = true;
+ if (inner)
+ return true;
+
 if (!d)
 return false;
diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c
index 1e38335..d156616 100644
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -1249,14 +1249,20 @@ struct cgroup_ops *cgfsng_ops_init(void)
 return &cgfsng_ops;
 }
-static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname)
+static bool create_path_for_hierarchy(struct hierarchy *h, char *cgname, bool inner)
 {
- h->fullcgpath = must_make_path(h->mountpoint, h->base_cgroup, cgname, NULL);
- if (dir_exists(h->fullcgpath)) // it must not already exist
- return false;
- if (!handle_cpuset_hierarchy(h, cgname))
- return false;
- return mkdir_p(h->fullcgpath, 0755) == 0;
+ char *path;
+ if (inner) {
+ path = must_make_path(h->fullcgpath, "inner", NULL);
+