[lxc-devel] [lxc/master] coverity fixes
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3568 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Christian Brauner From ec0befee9475aa7d6913ee0da24761d66b111797 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Wed, 28 Oct 2020 03:58:54 +0100 Subject: [PATCH 1/4] commands: don't deref after NULL check Fixes: Coverity 1465657 Signed-off-by: Christian Brauner --- src/lxc/commands.c | 7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/lxc/commands.c b/src/lxc/commands.c index de09c3aff0..cca09a1261 100644 --- a/src/lxc/commands.c +++ b/src/lxc/commands.c @@ -487,9 +487,12 @@ static int lxc_cmd_get_devpts_fd_callback(int fd, struct lxc_cmd_req *req, }; int ret; - if (!handler->conf || handler->conf->devpts_fd < 0) + if (!handler->conf || handler->conf->devpts_fd < 0) { rsp.ret = -EBADF; - ret = lxc_abstract_unix_send_fds(fd, &handler->conf->devpts_fd, 1, &rsp, sizeof(rsp)); + ret = lxc_abstract_unix_send_fds(fd, NULL, 0, &rsp, sizeof(rsp)); + } else { + ret = lxc_abstract_unix_send_fds(fd, &handler->conf->devpts_fd, 1, &rsp, sizeof(rsp)); + } if (ret < 0) return log_error(LXC_CMD_REAP_CLIENT_FD, "Failed to send devpts fd"); From 3715d0c03fae815963cbcef66524a2deffda39e0 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Wed, 28 Oct 2020 04:01:19 +0100 Subject: [PATCH 2/4] utils: don't deref after NULL check Fixes: Coverity 1465855 Signed-off-by: Christian Brauner --- src/lxc/utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lxc/utils.c b/src/lxc/utils.c index c02eef1526..561f7685cc 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c 
@@ -1113,7 +1113,7 @@ int safe_mount_beneath(const char *beneath, const char *src, const char *dst, co __do_close int beneath_fd = -EBADF; const char *path = beneath ? beneath : "/"; - beneath_fd = openat(-1, beneath, O_RDONLY | O_CLOEXEC | O_DIRECTORY | O_PATH); + beneath_fd = openat(-1, path, O_RDONLY | O_CLOEXEC | O_DIRECTORY | O_PATH); if (beneath_fd < 0) return log_error_errno(-errno, errno, "Failed to open %s", path); From 8ddf34f7a037325565b8cf8ff995cbf573f9932e Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Wed, 28 Oct 2020 04:03:31 +0100 Subject: [PATCH 3/4] conf: check snprint return value Fixes: Coverity 1465854 Signed-off-by: Christian Brauner --- src/lxc/conf.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 259d3766ab..c258d0b4c5 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -1207,7 +1207,9 @@ static int lxc_fill_autodev(const struct lxc_rootfs *rootfs) if (ret < 0) { const char *mntpt = rootfs->path ? rootfs->mount : NULL; if (errno == ENOSYS) { - snprintf(path, sizeof(path), "%s/dev/%s", mntpt, device->name); + ret = snprintf(path, sizeof(path), "%s/dev/%s", mntpt, device->name); + if (ret < 0 || ret >= sizeof(path)) + return log_error(-1, "Failed to create device path for %s", device->name); ret = safe_mount(hostpath, path, 0, MS_BIND, NULL, rootfs->path ? rootfs->mount : NULL); } } From 0dde733e5a049e695885d733eb98795b0eddbd74 Mon Sep 17 00:00:00 2001 From: Christian Brauner Date: Wed, 28 Oct 2020 04:04:42 +0100 Subject: [PATCH 4/4] utils: check snprintf return value Fixes: Coverity 1465853 Signed-off-by: Christian Brauner --- src/lxc/utils.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/lxc/utils.c b/src/lxc/utils.c index 561f7685cc..baf80b7f5c 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c 
@@ -1097,7 +1097,9 @@ int __safe_mount_beneath_at(int beneath_fd, const char *src, const char *dst, co target_fd = openat2(beneath_fd, dst, &how, sizeof(how)); if (target_fd < 0) return -errno; - snprintf(tgt_buf, sizeof(tgt_buf), "/proc/self/fd/%d", target_fd); + ret = snprintf(tgt_buf, sizeof(tgt_buf), "/proc/self/fd/%d", target_fd); + if (ret < 0 || ret >= sizeof(tgt_buf)) + return -EIO; if (!is_empty_string(src_buf)) ret = mount(src_buf, tgt_buf, fstype, flags, data); ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
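Review bot: in PATCH 2/4, the openat() call in safe_mount_beneath() now receives the non-NULL `path`, but its dirfd argument is still -1, so a relative `beneath` fails with EBADF instead of resolving against the current directory. If rejecting relative paths is the intent, add a comment saying so next to the call; otherwise pass AT_FDCWD.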
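Review bot: in PATCH 3/4 (lxc_fill_autodev), `mntpt` is NULL whenever rootfs->path is unset and is still passed to the `%s` in `snprintf(path, sizeof(path), "%s/dev/%s", mntpt, device->name)`; the new return-value check does not catch that, because glibc formats the NULL as "(null)" and the call succeeds. Handle the NULL case before formatting, either with an empty prefix or by failing early. The `ret >= sizeof(path)` comparison mixes int and size_t and is only safe because `ret < 0` is tested first, so a `(size_t)ret` cast would make that explicit, and the safe_mount() call below could reuse `mntpt` instead of repeating the ternary.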
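Review bot: in PATCH 4/4 (__safe_mount_beneath_at), the new `return -EIO` is reached after openat2() has already returned a valid target_fd. Its declaration is outside the hunk, so confirm it carries __do_close (as beneath_fd does in safe_mount_beneath()); if it does not, this early return leaks the descriptor and needs a close() first.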
[lxc-devel] Errored: lxc/lxc#7928 (master - bf0b9c1)
Build Update for lxc/lxc - Build: #7928 Status: Errored Duration: 6 hrs, 52 mins, and 13 secs Commit: bf0b9c1 (master) Author: Christian Brauner Message: Merge pull request #3567 from blenk92/lxc-attach-selinux lxc-attach: Enable setting the SELinux context View the changeset: https://github.com/lxc/lxc/compare/a093bb0f5c3d...bf0b9c1ed6a9 View the full build log and details: https://travis-ci.org/github/lxc/lxc/builds/739353532?utm_medium=notification&utm_source=email
[lxc-devel] [lxd/master] lxd/storage: Lock during the whole image replace
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/8089 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Stéphane Graber From 6b4533a92cfe6eacabe6a1393270b7d7949d2b2c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Tue, 27 Oct 2020 18:23:03 -0400 Subject: [PATCH] lxd/storage: Lock during the whole image replace MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber --- lxd/storage/backend_lxd.go | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lxd/storage/backend_lxd.go b/lxd/storage/backend_lxd.go index b2c1272991..f3d8f83273 100644 --- a/lxd/storage/backend_lxd.go +++ b/lxd/storage/backend_lxd.go @@ -1039,6 +1039,11 @@ func (b *lxdBackend) CreateInstanceFromImage(inst instance.Instance, fingerprint // by creating a new cached image volume using the pool's current settings (including volume.size). if errors.Cause(err) == drivers.ErrCannotBeShrunk { logger.Debug("Cached image volume is larger than new volume and cannot be shrunk, regenerating image volume") + + // Lock during the entire process to avoid attempts at creating while the image is gone. + unlock := locking.Lock(drivers.OperationLockName(b.name, string(drivers.VolumeTypeImage), fmt.Sprintf("ReplaceImage_%v", fingerprint))) + defer unlock() + err = b.DeleteImage(fingerprint, op) if err != nil { return err @@ -1055,7 +1060,6 @@ func (b *lxdBackend) CreateInstanceFromImage(inst instance.Instance, fingerprint } } else if err != nil { return err - } } ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
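Review bot: the lock taken before b.DeleteImage() uses a name ending in `ReplaceImage_<fingerprint>`, so it only excludes callers that ask for exactly that name; the comment says the goal is to stop "attempts at creating while the image is gone", so check that the image-creation path takes this same lock, or reuse the lock name that path already takes. Because it is released with `defer unlock()`, the lock is held until CreateInstanceFromImage returns and not only for the delete-and-recreate step; if that is intended, the comment should say so.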
[lxc-devel] [lxd/master] Log username on unix queries
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/8088 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === From f3c4805b2267aa6e8af890499ee8c72673522b77 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Tue, 27 Oct 2020 18:56:45 -0400 Subject: [PATCH 1/5] shared: Drop GroupId and UserId MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber --- shared/util_linux_cgo.go | 97 1 file changed, 97 deletions(-) diff --git a/shared/util_linux_cgo.go b/shared/util_linux_cgo.go index 72d0794953..155975d265 100644 --- a/shared/util_linux_cgo.go +++ b/shared/util_linux_cgo.go @@ -6,7 +6,6 @@ package shared import ( "fmt" "os" - "unsafe" // Used by cgo _ "github.com/lxc/lxd/lxd/include" 
@@ -58,102 +57,6 @@ import "C" const ABSTRACT_UNIX_SOCK_LEN int = C.ABSTRACT_UNIX_SOCK_LEN -// UserId is an adaption from https://codereview.appspot.com/4589049. -func UserId(name string) (int, error) { - var pw C.struct_passwd - var result *C.struct_passwd - - bufSize := C.sysconf(C._SC_GETPW_R_SIZE_MAX) - if bufSize < 0 { - bufSize = 4096 - } - - buf := C.malloc(C.size_t(bufSize)) - if buf == nil { - return -1, fmt.Errorf("allocation failed") - } - defer C.free(buf) - - cname := C.CString(name) - defer C.free(unsafe.Pointer(cname)) - -again: - rv, errno := C.getpwnam_r(cname, - &pw, - (*C.char)(buf), - C.size_t(bufSize), - &result) - if rv < 0 { - // OOM killer will take care of us if we end up doing this too - // often. - if errno == unix.ERANGE { - bufSize *= 2 - tmp := C.realloc(buf, C.size_t(bufSize)) - if tmp == nil { - return -1, fmt.Errorf("allocation failed") - } - buf = tmp - goto again - } - return -1, fmt.Errorf("failed user lookup: %s", unix.Errno(rv)) - } - - if result == nil { - return -1, fmt.Errorf("unknown user %s", name) - } - - return int(C.int(result.pw_uid)), nil -} - -// GroupId is an adaption from https://codereview.appspot.com/4589049. -func GroupId(name string) (int, error) { - var grp C.struct_group - var result *C.struct_group - - bufSize := C.sysconf(C._SC_GETGR_R_SIZE_MAX) - if bufSize < 0 { - bufSize = 4096 - } - - buf := C.malloc(C.size_t(bufSize)) - if buf == nil { - return -1, fmt.Errorf("allocation failed") - } - - cname := C.CString(name) - defer C.free(unsafe.Pointer(cname)) - -again: - rv, errno := C.getgrnam_r(cname, - &grp, - (*C.char)(buf), - C.size_t(bufSize), - &result) - if rv != 0 { - // OOM killer will take care of us if we end up doing this too - // often. 
- if errno == unix.ERANGE { - bufSize *= 2 - tmp := C.realloc(buf, C.size_t(bufSize)) - if tmp == nil { - return -1, fmt.Errorf("allocation failed") - } - buf = tmp - goto again - } - - C.free(buf) - return -1, fmt.Errorf("failed group lookup: %s", unix.Errno(rv)) - } - C.free(buf) - - if result == nil { - return -1, fmt.Errorf("unknown group %s", name) - } - - return int(C.int(result.gr_gid)), nil -} - func ReadPid(r *os.File) int { return int(C.read_pid(C.int(r.Fd( } From 30e814b42b0a19355c2bad3a2e971c7bf44c5f5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Tue, 27 Oct 2020 18:57:23 -0400 Subject: [PATCH 2/5] lxd: Port to os/user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber --- lxd/endpoints/socket.go | 14 ++ lxd/sys/os.go | 24 ++-- 2 files changed, 28 insertions(+), 10 deletions(-) diff --git a/lxd/endpoints/socket.go b/lxd/endpoints/socket.go index 6eeccba3fc..98a81a2646 100644 --- a/lxd/endpoints/socket.go +++ b/lxd/endpoints/socket.go @@ -6,6 +6,7 @@ import ( "fmt" "net" "os" + "os/user" "strconv" "github.com/lxc/lxd/client" @@ -86,14 +87,19 @@ func socketUnixSetPermissions(path string, mode
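Review bot: in PATCH 1/5, the import hunk of shared/util_linux_cgo.go drops only "unsafe", while the removed UserId and GroupId also called fmt.Errorf, unix.ERANGE and unix.Errno. "fmt" stays in the import block and the unix import is not touched by the patch, so confirm that the rest of the file still uses both packages; Go refuses to build a file with an unused import.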
[lxc-devel] [lxd/master] lxd/storage/zfs: No need to remove dashes from UUID
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/8087 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Signed-off-by: Stéphane Graber From 7b5aae3986c7e364e62e12064c73ba439503ddd9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Tue, 27 Oct 2020 17:35:49 -0400 Subject: [PATCH] lxd/storage/zfs: No need to remove dashes from UUID MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Stéphane Graber --- lxd/storage/drivers/driver_zfs_volumes.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lxd/storage/drivers/driver_zfs_volumes.go b/lxd/storage/drivers/driver_zfs_volumes.go index 1895fe6a4b..811fb11450 100644 --- a/lxd/storage/drivers/driver_zfs_volumes.go +++ b/lxd/storage/drivers/driver_zfs_volumes.go @@ -80,7 +80,7 @@ func (d *zfs) CreateVolume(vol Volume, filler *VolumeFiller, op *operations.Oper // be restored in the future and a new cached image volume will be created instead. if volSizeBytes > poolVolSizeBytes { d.logger.Debug("Renaming deleted cached image volume so that regeneration is used") - randomVol := NewVolume(d, d.name, vol.volType, vol.contentType, strings.Replace(uuid.NewRandom().String(), "-", "", -1), vol.config, vol.poolConfig) + randomVol := NewVolume(d, d.name, vol.volType, vol.contentType, uuid.NewRandom().String(), vol.config, vol.poolConfig) _, err := shared.RunCommand("/proc/self/exe", "forkzfs", "--", "rename", d.dataset(vol, true), d.dataset(randomVol, true)) if err != nil { ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
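Review bot: the commit message has no body explaining why the dashes may now stay in the name passed to NewVolume(); one line giving the reason (a hyphen is a valid character in a ZFS dataset name) would help later readers. With strings.Replace gone from this call, also check that the "strings" import in driver_zfs_volumes.go is still used elsewhere.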
[lxc-devel] [lxc/lxc] 8455e3: lxc-attach: Enable setting the SELinux context
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 8455e39efe383d520ac3936535630079bebdd2ad
https://github.com/lxc/lxc/commit/8455e39efe383d520ac3936535630079bebdd2ad
Author: Maximilian Blenk
Date: 2020-10-27 (Tue, 27 Oct 2020)

Changed paths:
M src/lxc/attach.c
M src/lxc/attach_options.h
M src/lxc/tools/lxc_attach.c

Log Message:
---
lxc-attach: Enable setting the SELinux context

Enable lxc-attach to set the SELinux context that the user will end up in when attaching to a container (This can be used to overwrite the context set in the config file). If the option is not used, behavior will be as before

Signed-off-by: Maximilian Blenk

Commit: bf0b9c1ed6a9ba0ad7103cbc2283f4737bfd99f7
https://github.com/lxc/lxc/commit/bf0b9c1ed6a9ba0ad7103cbc2283f4737bfd99f7
Author: Christian Brauner
Date: 2020-10-27 (Tue, 27 Oct 2020)

Changed paths:
M src/lxc/attach.c
M src/lxc/attach_options.h
M src/lxc/tools/lxc_attach.c

Log Message:
---
Merge pull request #3567 from blenk92/lxc-attach-selinux

lxc-attach: Enable setting the SELinux context

Compare: https://github.com/lxc/lxc/compare/a093bb0f5c3d...bf0b9c1ed6a9
[lxc-devel] [lxc/lxc] 7696c1: Introduce lxc.cgroup.dir.monitor.pivot
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 7696c1f9d1aed98a54bf7acd4c48799c395cdc64
https://github.com/lxc/lxc/commit/7696c1f9d1aed98a54bf7acd4c48799c395cdc64
Author: Ruben Jenster
Date: 2020-10-27 (Tue, 27 Oct 2020)

Changed paths:
M doc/lxc.container.conf.sgml.in
M src/lxc/cgroups/cgfsng.c
M src/lxc/conf.h
M src/lxc/confile.c

Log Message:
---
Introduce lxc.cgroup.dir.monitor.pivot

On termination lxc may fail to remove either lxc.cgroup.dir or lxc.cgroup.dir.monitor, because the monitor process may still be a member of either of these cgroups. The pivot cgroup should not be a member (subpath) of any other container cgroup (dir) because only empty cgroups can be removed.

Signed-off-by: Ruben Jenster

Commit: a093bb0f5c3d61d3d098ddeea9722a135b95a36e
https://github.com/lxc/lxc/commit/a093bb0f5c3d61d3d098ddeea9722a135b95a36e
Author: Christian Brauner
Date: 2020-10-27 (Tue, 27 Oct 2020)

Changed paths:
M doc/lxc.container.conf.sgml.in
M src/lxc/cgroups/cgfsng.c
M src/lxc/conf.h
M src/lxc/confile.c

Log Message:
---
Merge pull request #3563 from Drachenfels-GmbH/cgroup-fixes

cgroups: Introduce lxc.cgroup.dir.monitor.pivot - fixes cgroup removal on termination

Compare: https://github.com/lxc/lxc/compare/5fd31e375f52...a093bb0f5c3d
[lxc-devel] [lxd/master] lxd: Switch to new candid URL
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/8086 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Closes #8085 Signed-off-by: Stéphane Graber From 7bad0cbaecdefef16e2c636a5d1a77aa49e54924 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= Date: Tue, 27 Oct 2020 16:37:45 -0400 Subject: [PATCH] lxd: Switch to new candid URL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #8085 Signed-off-by: Stéphane Graber --- lxd/daemon.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lxd/daemon.go b/lxd/daemon.go index e04cafc397..52308da8c3 100644 --- a/lxd/daemon.go +++ b/lxd/daemon.go @@ -16,7 +16,7 @@ import ( "sync" "time" - "github.com/CanonicalLtd/candidclient" + "github.com/canonical/candid/candidclient" dqliteclient "github.com/canonical/go-dqlite/client" "github.com/canonical/go-dqlite/driver" "github.com/gorilla/mux" ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/lxc] beff99: tests: Fix compilation with appamor enabled.
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: beff99393906f3bddff186993203a8b9c0ba9dfc
https://github.com/lxc/lxc/commit/beff99393906f3bddff186993203a8b9c0ba9dfc
Author: Ruben Jenster
Date: 2020-10-27 (Tue, 27 Oct 2020)

Changed paths:
M src/tests/Makefile.am

Log Message:
---
tests: Fix compilation with appamor enabled.

Signed-off-by: Ruben Jenster

Commit: 10397a8031bde1b927b9b9c16918907b04349e02
https://github.com/lxc/lxc/commit/10397a8031bde1b927b9b9c16918907b04349e02
Author: Christian Brauner
Date: 2020-10-27 (Tue, 27 Oct 2020)

Changed paths:
M src/tests/Makefile.am

Log Message:
---
Merge pull request #3565 from Drachenfels-GmbH/test-fixes

tests: Fix compilation with appamor enabled.

Compare: https://github.com/lxc/lxc/compare/dd8d55091991...10397a8031bd
[lxc-devel] [lxc/lxc] 6eb516: lxccontainer: fix lxc_config_item_is_supported
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 6eb516a793edd7c8e37472d00d1fc599f176bb97
https://github.com/lxc/lxc/commit/6eb516a793edd7c8e37472d00d1fc599f176bb97
Author: Ruben Jenster
Date: 2020-10-27 (Tue, 27 Oct 2020)

Changed paths:
M src/lxc/confile.c
M src/lxc/confile.h
M src/lxc/lxccontainer.c
M src/tests/get_item.c

Log Message:
---
lxccontainer: fix lxc_config_item_is_supported

Use exact match instead of longest prefix match to check whether a config item is supported.

Signed-off-by: Ruben Jenster

Commit: dd8d55091991d7cbbef20b93a06fd500d0d8e4d2
https://github.com/lxc/lxc/commit/dd8d55091991d7cbbef20b93a06fd500d0d8e4d2
Author: Christian Brauner
Date: 2020-10-27 (Tue, 27 Oct 2020)

Changed paths:
M src/lxc/confile.c
M src/lxc/confile.h
M src/lxc/lxccontainer.c
M src/tests/get_item.c

Log Message:
---
Merge pull request #3564 from Drachenfels-GmbH/fixes

lxccontainer: fix lxc_config_item_is_supported

Compare: https://github.com/lxc/lxc/compare/c8fe11552a41...dd8d55091991
[lxc-devel] [lxd/master] Instance: Write out updated backup.yaml after rename
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/8083 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Fixes #8071 Signed-off-by: Thomas Parrott From 74c1e881df63a4d211e674e790459925a321ac5e Mon Sep 17 00:00:00 2001 From: Thomas Parrott Date: Tue, 27 Oct 2020 17:24:08 + Subject: [PATCH] lxd/instance/drivers: Write out updated backup.yaml after rename Fixes #8071 Signed-off-by: Thomas Parrott --- lxd/instance/drivers/driver_lxc.go | 5 + lxd/instance/drivers/driver_qemu.go | 5 + 2 files changed, 10 insertions(+) diff --git a/lxd/instance/drivers/driver_lxc.go b/lxd/instance/drivers/driver_lxc.go index 0efab52699..a89a68e866 100644 --- a/lxd/instance/drivers/driver_lxc.go +++ b/lxd/instance/drivers/driver_lxc.go @@ -3747,6 +3747,11 @@ func (c *lxc) Rename(newName string) error { // Update lease files. network.UpdateDNSMasqStatic(c.state, "") + err = c.UpdateBackupFile() + if err != nil { + return err + } + logger.Info("Renamed container", ctxMap) if c.IsSnapshot() { diff --git a/lxd/instance/drivers/driver_qemu.go b/lxd/instance/drivers/driver_qemu.go index ba1381043a..d5e81b5200 100644 --- a/lxd/instance/drivers/driver_qemu.go +++ b/lxd/instance/drivers/driver_qemu.go @@ -2751,6 +2751,11 @@ func (vm *qemu) Rename(newName string) error { // Update lease files. network.UpdateDNSMasqStatic(vm.state, "") + err = vm.UpdateBackupFile() + if err != nil { + return err + } + logger.Info("Renamed instance", ctxMap) if vm.IsSnapshot() { ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
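Review bot: in both Rename() hunks the new `return err` after UpdateBackupFile() sits after the lease files have been updated and directly before the "Renamed ..." log line, so a failure to write backup.yaml is reported as a failed rename at a point where the rename itself appears to be done. Wrap the error so the caller can tell which step failed, and decide explicitly whether a backup-file failure should fail the rename or only be logged.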
[lxc-devel] [lxc/lxc] 0ff0d2: seccomp: Fix handling of pseudo syscalls and impro...
Branch: refs/heads/master
Home: https://github.com/lxc/lxc

Commit: 0ff0d23e4001ec9cadae51b41e834a954ef5026c
https://github.com/lxc/lxc/commit/0ff0d23e4001ec9cadae51b41e834a954ef5026c
Author: Ruben Jenster
Date: 2020-10-27 (Tue, 27 Oct 2020)

Changed paths:
M src/lxc/seccomp.c

Log Message:
---
seccomp: Fix handling of pseudo syscalls and improve logging for rule processing.

Signed-off-by: Ruben Jenster

Commit: 15044cd19c8454b20ee46fdb17dd0c8dd85366b1
https://github.com/lxc/lxc/commit/15044cd19c8454b20ee46fdb17dd0c8dd85366b1
Author: Ruben Jenster
Date: 2020-10-27 (Tue, 27 Oct 2020)

Changed paths:
M src/lxc/seccomp.c

Log Message:
---
seccomp: Avoid duplicate processing of rules for host native arch.

Signed-off-by: Ruben Jenster

Commit: 5fd31e375f52a9debb7de5c2112e3df9fd509482
https://github.com/lxc/lxc/commit/5fd31e375f52a9debb7de5c2112e3df9fd509482
Author: Christian Brauner
Date: 2020-10-27 (Tue, 27 Oct 2020)

Changed paths:
M src/lxc/seccomp.c

Log Message:
---
Merge pull request #3562 from Drachenfels-GmbH/seccomp-fixes

seccomp: fix pseudo syscalls, improve logging and avoid duplicate processing

Compare: https://github.com/lxc/lxc/compare/10397a8031bd...5fd31e375f52
[lxc-devel] [lxc/master] lxc-attach: Enable setting the SELinux context
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3567 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Enable lxc-attach to set the SELinux context that the user will end up in when attaching to a container (This can be used to overwrite the context set in the config file). If the option is not used, behavior will be as before From d5cfc7dc486d3a3dcf3d56d78d1edef8efa39b00 Mon Sep 17 00:00:00 2001 From: Maximilian Blenk Date: Tue, 27 Oct 2020 10:38:44 +0100 Subject: [PATCH] lxc-attach: Enable setting the SELinux context Enable lxc-attach to set the SELinux context that the user will end up in when attaching to a container (This can be used to overwrite the context set in the config file). If the option is not used, behavior will be as before --- src/lxc/attach.c | 5 +++-- src/lxc/attach_options.h | 3 +++ src/lxc/tools/lxc_attach.c | 10 ++ 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/src/lxc/attach.c b/src/lxc/attach.c index 9528d54064..13224805c3 100644 --- a/src/lxc/attach.c +++ b/src/lxc/attach.c @@ -657,6 +657,7 @@ static int attach_child_main(struct attach_clone_payload *payload) bool needs_lsm = (options->namespaces & CLONE_NEWNS) && (options->attach_flags & LXC_ATTACH_LSM) && init_ctx->lsm_label; + char *lsm_label = NULL; /* A description of the purpose of this functionality is provided in the * lxc-attach(1) manual page. We have to remount here and not in the 
@@ -778,9 +779,9 @@ static int attach_child_main(struct attach_clone_payload *payload) /* Change into our new LSM profile. */ on_exec = options->attach_flags & LXC_ATTACH_LSM_EXEC ? true : false; - + lsm_label = options->lsm_label ? options->lsm_label : init_ctx->lsm_label; ret = init_ctx->lsm_ops->process_label_set_at(init_ctx->lsm_ops, lsm_fd, - init_ctx->lsm_label, on_exec); + lsm_label, on_exec); close(lsm_fd); if (ret < 0) goto on_error; diff --git a/src/lxc/attach_options.h b/src/lxc/attach_options.h index 63e62d4ff0..cdcd8f8ece 100644 --- a/src/lxc/attach_options.h +++ b/src/lxc/attach_options.h @@ -113,6 +113,9 @@ typedef struct lxc_attach_options_t { /*! File descriptor to log output. */ int log_fd; + + /*! lsm label to set. */ + char *lsm_label; } lxc_attach_options_t; /*! Default attach options to use */ diff --git a/src/lxc/tools/lxc_attach.c b/src/lxc/tools/lxc_attach.c index a8f493aa71..7c70eae51e 100644 --- a/src/lxc/tools/lxc_attach.c +++ b/src/lxc/tools/lxc_attach.c @@ -59,6 +59,7 @@ static char **extra_env; static ssize_t extra_env_size; static char **extra_keep; static ssize_t extra_keep_size; +static char *selinux_context = NULL; static const struct option my_longopts[] = { {"elevated-privileges", optional_argument, 0, 'e'}, @@ -74,6 +75,7 @@ static const struct option my_longopts[] = { {"rcfile", required_argument, 0, 'f'}, {"uid", required_argument, 0, 'u'}, {"gid", required_argument, 0, 'g'}, +{"context", required_argument, 0, 'c'}, LXC_COMMON_OPTIONS }; @@ -126,6 +128,8 @@ Options :\n\ Load configuration file FILE\n\ -u, --uid=UID Execute COMMAND with UID inside the container\n\ -g, --gid=GID Execute COMMAND with GID inside the container\n\ + -c, --context=context\n\ +SELinux Context to transition into\n\ ", .options = my_longopts, .parser = my_parser, 
@@ -201,6 +205,9 @@ static int my_parser(struct lxc_arguments *args, int c, char *arg) if (lxc_safe_uint(arg, &args->gid) < 0) return -1; break; +case 'c': +selinux_context = arg; +break; } return 0; @@ -353,6 +360,9 @@ int main(int argc, char *argv[]) if (my_args.gid != LXC_INVALID_GID) attach_options.gid = my_args.gid; + // selinux_context will be NULL if not set + attach_options.lsm_label = selinux_context; + if (command.program) { ret = c->attach_run_wait(c, &attach_options, command.program, (const char **)command.argv); ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
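Review bot: in attach_child_main() (src/lxc/attach.c), `needs_lsm` still requires `init_ctx->lsm_label`, so if the label change further down is guarded by needs_lsm (the guard is outside the hunk), a label passed in `options->lsm_label` is silently ignored when the container has no label of its own, and the process attaches without the requested context. Include `options->lsm_label` in the needs_lsm condition, or fail the attach when a label was requested but cannot be applied.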
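Review bot: the new `lsm_label` member of lxc_attach_options_t (src/lxc/attach_options.h) is read unconditionally in attach.c via `options->lsm_label ? options->lsm_label : init_ctx->lsm_label`, so a caller that fills the struct by hand rather than from the default initializer hands an uninitialized pointer to process_label_set_at(). Gate the field behind an attach_flags bit, and extend the `/*! lsm label to set. */` comment to say who owns the string. The lxc_attach.c help text calls the option an SELinux context, but the value goes through the generic lsm_ops hook, so the text should say what happens under other LSMs.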
[lxc-devel] [lxc-ci/master] Add Fedora 33
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc-ci/pull/198 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === From 02ca12378ef8890337515f819fad64713cc682a4 Mon Sep 17 00:00:00 2001 From: Thomas Hipp Date: Tue, 27 Oct 2020 16:08:02 +0100 Subject: [PATCH 1/2] jenkins/jobs: Add Fedora 33 Signed-off-by: Thomas Hipp --- jenkins/jobs/image-fedora.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/jenkins/jobs/image-fedora.yaml b/jenkins/jobs/image-fedora.yaml index 953032b..5d585f1 100644 --- a/jenkins/jobs/image-fedora.yaml +++ b/jenkins/jobs/image-fedora.yaml @@ -22,6 +22,7 @@ values: - 31 - 32 +- 33 - axis: name: variant From 1e4f57dafc470fdc37fe762c9815bb5447daef8c Mon Sep 17 00:00:00 2001 From: Thomas Hipp Date: Tue, 27 Oct 2020 16:08:48 +0100 Subject: [PATCH 2/2] images: Remove obsolete filters in Fedora Signed-off-by: Thomas Hipp --- images/fedora.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/images/fedora.yaml b/images/fedora.yaml index 7cd808e..f4261bb 100644 --- a/images/fedora.yaml +++ b/images/fedora.yaml @@ -114,9 +114,6 @@ files: BindReadOnlyPaths=/sys variants: - default - releases: - - 31 - - 32 types: - container ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/master] tests: Fix compilation with appamor enabled.
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3565 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Building the tests fails on the current master. This commit should fix it. ``` ./configure --enable-doc=yes --enable-api-docs=yes --enable-bash=no --enable-tools=no --enable-commands=no --enable-seccomp=yes --enable-capabilities=yes --enable-apparmor=yes --enable-tests=yes ``` ```shell ../lxc/lsm/apparmor.c: In function ‘apparmor_parser_exec’: ../lxc/lsm/apparmor.c:869:55: error: ‘APPARMOR_CACHE_DIR’ undeclared (first use in this function) 869 | execlp("apparmor_parser", "apparmor_parser", cmdbuf, APPARMOR_CACHE_DIR, args->file, NULL); | ^~ ../lxc/lsm/apparmor.c:869:55: note: each undeclared identifier is reported only once for each function it appears in ../lxc/lsm/apparmor.c: In function ‘load_apparmor_profile’: ../lxc/lsm/apparmor.c:968:17: error: ‘APPARMOR_CACHE_DIR’ undeclared (first use in this function) 968 | ret = mkdir_p(APPARMOR_CACHE_DIR, 0755); | ^~ In file included from ../lxc/lsm/apparmor.c:19: ../lxc/lsm/apparmor.c:970:64: error: expected ‘)’ before ‘APPARMOR_CACHE_DIR’ 970 |SYSERROR("Error creating AppArmor profile cache directory " APPARMOR_CACHE_DIR); |^~ ../../src/lxc/log.h:378:22: note: in definition of macro ‘ERROR’ 378 | LXC_ERROR(&locinfo, format, ##__VA_ARGS__); \ | ^~ ../lxc/lsm/apparmor.c:970:4: note: in expansion of macro ‘SYSERROR’ 970 |SYSERROR("Error creating AppArmor profile cache directory " APPARMOR_CACHE_DIR); | ``` From beff99393906f3bddff186993203a8b9c0ba9dfc Mon Sep 17 00:00:00 2001 From: Ruben Jenster Date: Fri, 23 Oct 2020 18:26:34 +0200 Subject: [PATCH] tests: Fix compilation with appamor enabled. Signed-off-by: Ruben Jenster --- src/tests/Makefile.am | 1 + 1 file changed, 1 insertion(+) 
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am index 2b66bc9cd5..664c6c47b1 100644 --- a/src/tests/Makefile.am +++ b/src/tests/Makefile.am @@ -564,6 +564,7 @@ AM_CFLAGS=-DLXCROOTFSMOUNT=\"$(LXCROOTFSMOUNT)\" \ if ENABLE_APPARMOR AM_CFLAGS += -DHAVE_APPARMOR +AM_CFLAGS += -DAPPARMOR_CACHE_DIR=\"$(APPARMOR_CACHE_DIR)\" endif if ENABLE_SECCOMP ___ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
[lxc-devel] [lxc/master] lxccontainer: fix lxc_config_item_is_supported
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3564 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Use exact match instead of longest prefix match to check whether a config item is supported. The current implementation matches the longest prefix which does not work when checking for sub-options. E. g. checking whether `lxc.cgroup.dir.container` is supported will match on `lxc.cgroup.dir`, and return true even if `lxc.cgroup.dir.container` is not implemented. See the added test-case. Signed-off-by: Ruben Jenster From 6eb516a793edd7c8e37472d00d1fc599f176bb97 Mon Sep 17 00:00:00 2001 From: Ruben Jenster Date: Fri, 23 Oct 2020 18:32:15 +0200 Subject: [PATCH] lxccontainer: fix lxc_config_item_is_supported Use exact match instead of longest prefix match to check whether a config item is supported. Signed-off-by: Ruben Jenster --- src/lxc/confile.c | 12 src/lxc/confile.h | 3 +++ src/lxc/lxccontainer.c | 2 +- src/tests/get_item.c | 5 + 4 files changed, 21 insertions(+), 1 deletion(-) diff --git a/src/lxc/confile.c b/src/lxc/confile.c index 75587d0ac8..08dd691667 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -278,6 +278,18 @@ static struct lxc_config_t config_jump_table[] = { static const size_t config_jump_table_size = sizeof(config_jump_table) / sizeof(struct lxc_config_t); +struct lxc_config_t *lxc_get_config_exact(const char *key) +{ + size_t i; + + for (i = 0; i < config_jump_table_size; i++) + if (!strcmp(config_jump_table[i].name, key)) + return &config_jump_table[i]; + + return NULL; +} + + struct lxc_config_t *lxc_get_config(const char *key) { size_t i; diff --git a/src/lxc/confile.h b/src/lxc/confile.h index df80f639a3..68d50fc804 100644 --- a/src/lxc/confile.h +++ b/src/lxc/confile.h 
@@ -45,6 +45,9 @@ struct new_config_item { }; /* Get the jump table entry for the given configuration key. */ +__hidden extern struct lxc_config_t *lxc_get_config_exact(const char *key); + +/* Get the jump table entry if entry name is a prefix of the given configuration key. */ __hidden extern struct lxc_config_t *lxc_get_config(const char *key); /* List all available config items. */ diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 673cf2483d..96aa372e1d 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -5749,7 +5749,7 @@ int list_all_containers(const char *lxcpath, char ***nret, bool lxc_config_item_is_supported(const char *key) { - return !!lxc_get_config(key); + return !!lxc_get_config_exact(key); } bool lxc_has_api_extension(const char *extension) diff --git a/src/tests/get_item.c b/src/tests/get_item.c index f2757c29d8..11db5f6738 100644 --- a/src/tests/get_item.c +++ b/src/tests/get_item.c @@ -600,6 +600,11 @@ int main(int argc, char *argv[]) goto out; } + if (lxc_config_item_is_supported("lxc.arch.nonsense")) { + fprintf(stderr, "%d: failed to detect \"lxc.arch.nonsense\" as unsupported configuration item\n", __LINE__); + goto out; + } + if (c->set_config_item(c, "lxc.notaconfigkey", "invalid")) { fprintf(stderr, "%d: Managed to set \"lxc.notaconfigkey\"\n", __LINE__); goto out;
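Review bot: In the confile.c hunk, `lxc_get_config_exact()` matches with `!strcmp(config_jump_table[i].name, key)`, so every key that the prefix lookup used to resolve through a shorter table entry is now reported as unsupported by `lxc_config_item_is_supported()`. If any table entry stands for a family of keys with a caller-chosen suffix, that changes the API's answer for all of them; either keep a prefix fallback for those entries or state the new semantics in confile.h, where the retained comment "Get the jump table entry for the given configuration key" does not say the match is exact. The hunk also adds two blank lines after the new function; one is enough.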
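Review bot: In the lxccontainer.c hunk, `lxc_config_item_is_supported()` passes its caller-supplied `key` straight into `lxc_get_config_exact()`, where `strcmp()` dereferences it, so a NULL `key` crashes the caller. Add `if (!key) return false;` before the lookup, or a NULL check at the top of the new function, so that a NULL argument yields `false`.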
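Review bot: The test added to get_item.c asserts only the negative case `lxc.arch.nonsense`; nothing checks that a key present in the table still returns true, and the `lxc.cgroup.dir.container` case from the description is not covered. Add a positive assertion next to it, for example on `lxc.arch`, the prefix the negative case is built from, so that a regression in either direction fails the test.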
[lxc-devel] [lxc/master] cgroups: Introduce lxc.cgroup.dir.monitor.pivot - fixes cgroup removal on termination
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3563 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

On termination lxc may fail to remove either `lxc.cgroup.dir` or `lxc.cgroup.dir.monitor`, because the monitor process may still be a member of either of these cgroups. The pivot cgroup should not be a member (subpath) of any other container cgroup (dir) because only empty cgroups can be removed.

Although I've used the newly introduced option `lxc.cgroup.dir.monitor` as prefix this option should work fine with either `lxc.cgroup.dir` or `lxc.cgroup.dir.monitor`.

I've discovered this when working on `crio-lxc` - I found the following warning in the log.

```
Oct 07 14:27:20 k8s-cluster2-controller kubelet[3725]: W1007 14:27:20.9062113725 pod_container_manager_linux.go:200] failed to delete cgroup paths for [kubepods besteffort pod2159cf63-66b6-4fa5-88b1-23489e084727] : unable to destroy cgroup paths for cgroup [kubepods besteffort pod2159cf63-66b6-4fa5-88b1-23489e084727] : remove /sys/fs/cgroup/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod2159cf63_66b6_4fa5_88b1_23489e084727.slice: device or resource busy
```

The lxc config with this option will look like this (for `crio-lxc`):

```
lxc.cgroup.dir.container = kubepods.slice/kubepods-burstable.slice/kubepods-burstable-podcf6a372f_513a_47e3_aa9f_51f72e046812.slice/crio-f591102de92279a1cb2bc405cfd8a738061ffd36a95957297449b69ed0c7dea6.scope
lxc.cgroup.dir.monitor = crio-lxc-monitor.slice/f591102de92279a1cb2bc405cfd8a738061ffd36a95957297449b69ed0c7dea6.scope
lxc.cgroup.dir.monitor.pivot = crio-lxc-monitor.slice
```

From 7696c1f9d1aed98a54bf7acd4c48799c395cdc64 Mon Sep 17 00:00:00 2001
From: Ruben Jenster Date: Fri, 23 Oct 2020 11:33:38 +0200 Subject: [PATCH] Introduce lxc.cgroup.dir.monitor.pivot On termination lxc may fail to remove either lxc.cgroup.dir or lxc.cgroup.dir.monitor, because the monitor process may still be a member of either of these cgroups. The pivot cgroup should not be a member (subpath) of any other container cgroup (dir) because only empty cgroups can be removed. Signed-off-by: Ruben Jenster --- doc/lxc.container.conf.sgml.in | 12 src/lxc/cgroups/cgfsng.c | 5 - src/lxc/conf.h | 1 + src/lxc/confile.c | 36 ++ 4 files changed, 53 insertions(+), 1 deletion(-) diff --git a/doc/lxc.container.conf.sgml.in b/doc/lxc.container.conf.sgml.in index ba25b34130..ac724cebe5 100644 --- a/doc/lxc.container.conf.sgml.in +++ b/doc/lxc.container.conf.sgml.in @@ -1604,6 +1604,18 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + + +lxc.cgroup.dir.monitor.pivot + + + + On container termination the PID of the monitor process is attached to this cgroup. + This path should not be a subpath of any other configured cgroup dir to ensure + proper removal of other cgroup paths on container termination. + + + lxc.cgroup.dir.container.inner diff --git a/src/lxc/cgroups/cgfsng.c b/src/lxc/cgroups/cgfsng.c index f508c63d36..a699a4445f 100644 --- a/src/lxc/cgroups/cgfsng.c +++ b/src/lxc/cgroups/cgfsng.c @@ -1093,7 +1093,10 @@ __cgfsng_ops static void cgfsng_monitor_destroy(struct cgroup_ops *ops, goto try_lxc_rm_rf; } - if (conf && conf->cgroup_meta.monitor_dir) + if (conf && conf->cgroup_meta.monitor_pivot_dir) + pivot_path = must_make_path(h->mountpoint, h->container_base_path, + conf->cgroup_meta.monitor_pivot_dir, CGROUP_PIVOT, NULL); + else if (conf && conf->cgroup_meta.monitor_dir) pivot_path = must_make_path(h->mountpoint, h->container_base_path, conf->cgroup_meta.monitor_dir, CGROUP_PIVOT, NULL); else if (conf && conf->cgroup_meta.dir) diff --git a/src/lxc/conf.h b/src/lxc/conf.h index ba06d42dc0..907cbdfa52 100644
--- a/src/lxc/conf.h +++ b/src/lxc/conf.h @@ -61,6 +61,7 @@ struct lxc_cgroup { char *controllers; char *dir; char *monitor_dir; + char *monitor_pivot_dir; char *container_dir; char *namespace_dir; bool relative; diff --git a/src/lxc/confile.c b/src/lxc/confile.c index 75587d0ac8..205b980136 100644 --- a/src/lxc/confile.c +++ b/src/lxc/confile.c @@ -73,6 +73,7 @@ lxc_config_define(cgroup_con
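Review bot: The documentation entry added for `lxc.cgroup.dir.monitor.pivot` does not say what happens when the key is unset; per the cgfsng.c hunk the pivot path then falls back to `monitor_dir` and after that to `dir`. State that fallback order in the entry and say what the path is relative to, since the text only tells the reader what it must not be a subpath of.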
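Review bot: In `cgfsng_monitor_destroy()` the new branch joins `conf->cgroup_meta.monitor_pivot_dir` onto `h->mountpoint` and `h->container_base_path` with no check that it lies outside the other configured cgroup dirs, although the documentation added by this patch says it should not be a subpath of them. A misconfigured value silently brings back the "device or resource busy" failure the option is meant to fix, so validate the relation when the config is parsed or log a warning here. The confile.c setter is cut off on this page, so it cannot be seen whether an absolute value or one containing `..` components is rejected before it reaches `must_make_path()`; that is worth confirming.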
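Review bot: The new `char *monitor_pivot_dir` member in `struct lxc_cgroup` sits beside `monitor_dir` and `container_dir` and is presumably allocated by its setter in the same way, but the diffstat lists only the sgml doc, cgfsng.c, conf.h and confile.c. Check that the string is freed wherever the neighbouring members are released on config teardown; if that code lives in a file this patch does not touch, the value leaks.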
[lxc-devel] [lxc/master] seccomp: fix pseudo syscalls, improve logging and avoid duplicate processing
The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3562 This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===

Hello lxc team,

I've added a few more fixes for the seccomp code. Please have a look at the logging output below. I've added logging output for the current master without the changes (`before`) and for the current master including the changes (`after`).

### skip compat archs when syscall is unavailable

I've also changed the loglevel from WARN to INFO if a syscall is undefined because this will flood the log in production with a lot of ephemeral containers (`crio-lxc`). E.g. if kubernetes/cri-o add a default seccomp profile for kernel 5.n+1 but you're running kernel 5.n, there will likely be new syscalls that are undefined and flood logging.

before

```
lxc 20201027075832.580 INFO seccomp - seccomp.c:parse_config_v2:795 - Processing "foobar allow"
lxc 20201027075832.580 WARN seccomp - seccomp.c:do_resolve_add_rule:523 - Failed to resolve syscall "foobar"
lxc 20201027075832.580 WARN seccomp - seccomp.c:do_resolve_add_rule:524 - This syscall will NOT be handled by seccomp
lxc 20201027075832.580 INFO seccomp - seccomp.c:parse_config_v2:990 - Added native rule for arch 0 for foobar action 2147418112(allow)
lxc 20201027075832.580 WARN seccomp - seccomp.c:do_resolve_add_rule:523 - Failed to resolve syscall "foobar"
lxc 20201027075832.580 WARN seccomp - seccomp.c:do_resolve_add_rule:524 - This syscall will NOT be handled by seccomp
lxc 20201027075832.580 INFO seccomp - seccomp.c:parse_config_v2:999 - Added compat rule for arch 1073741827 for foobar action 2147418112(allow)
lxc 20201027075832.580 WARN seccomp - seccomp.c:do_resolve_add_rule:523 - Failed to resolve syscall "foobar"
lxc 20201027075832.580 WARN seccomp - seccomp.c:do_resolve_add_rule:524 - This syscall will NOT be handled by seccomp
lxc 20201027075832.580 INFO seccomp - seccomp.c:parse_config_v2:1009 - Added compat rule for arch 1073741886 for foobar action 2147418112(allow)
lxc 20201027075832.580 WARN seccomp - seccomp.c:do_resolve_add_rule:523 - Failed to resolve syscall "foobar"
lxc 20201027075832.580 WARN seccomp - seccomp.c:do_resolve_add_rule:524 - This syscall will NOT be handled by seccomp
lxc 20201027075832.580 INFO seccomp - seccomp.c:parse_config_v2:1019 - Added native rule for arch -1073741762 for foobar action 2147418112(allow)
```

after

```
lxc 20201023145926.549 INFO seccomp - seccomp.c:parse_config_v2:807 - Processing "foobar allow"
lxc 20201023145926.549 INFO seccomp - seccomp.c:do_resolve_add_rule:530 - The syscall[foobar] is is undefined on host native arch
```

### fix handling of pseudo syscalls

before

```
lxc 20201023113416.552 INFO seccomp - seccomp.c:parse_config_v2:796 - Processing "fadvise64_64 allow"
lxc 20201023113416.552 DEBUGseccomp - seccomp.c:do_resolve_add_rule:531 - The syscall "fadvise64_64" is a pseudo syscall on hosts native arch.
lxc 20201023113416.552 INFO seccomp - seccomp.c:parse_config_v2:991 - Added native rule for arch 0 for fadvise64_64 action 2147418112(allow)
lxc 20201023113416.552 INFO seccomp - seccomp.c:parse_config_v2:1000 - Added compat rule for arch 1073741827 for fadvise64_64 action 2147418112(allow)
lxc 20201023113416.552 DEBUGseccomp - seccomp.c:do_resolve_add_rule:536 - The syscall "fadvise64_64" nr:-10007 is not supported on compat arch:1073741886
lxc 20201023113416.552 INFO seccomp - seccomp.c:parse_config_v2:1010 - Added compat rule for arch 1073741886 for fadvise64_64 action 2147418112(allow)
lxc 20201023113416.552 DEBUGseccomp - seccomp.c:do_resolve_add_rule:536 - The syscall "fadvise64_64" nr:-10007 is not supported on compat arch:-1073741762
lxc 20201023113416.552 INFO seccomp - seccomp.c:parse_config_v2:1020 - Added native rule for arch -1073741762 for fadvise64_64 action 2147418112(allow)
```

after

```
lxc 20201023141507.522 INFO seccomp - seccomp.c:parse_config_v2:807 - Processing "fadvise64_64 allow"
lxc 20201023141507.522 DEBUGseccomp - seccomp.c:do_resolve_add_rule:536 - The syscall[-10007:fadvise64_64] is a pseudo syscall and not available on host native arch.
lxc 20201023141507.522 INFO seccomp - seccomp.c:do_resolve_add_rule:564 - Adding compat rule for syscall[-10007:fadvise64_64] action[2147418112:allow] arch[1073741827]
lxc 20201023141507.522 DEBUGseccomp - seccomp.c:do_resolve_add_rule:541 - The syscall[-10007:fadvise64_64] is not supported on compat arch[1073741886]
```

### fixes invalid logging

before

```
lxc 20201023113416.551 INFO seccomp - seccomp.c:parse_config_v2:796 - Processing "epoll_ctl_old allow"
lxc 20201023113416.551 INFO seccomp - seccomp.c:parse_config_v2:991 - Added native rule for arch 0 for epoll_ctl_old action 2147418112(allow)
lxc 20